The ACI Simulator

Learning by doing is, most of the time, the best approach in IT. Even the best training slides won’t deliver the same experience as working in the environment you want to get used to.

For ACI, however, this requires quite a lot of equipment, and even a basic environment is quite expensive if it is just for learning. That’s why Cisco is offering a simulator environment to certain parties.

Cisco is offering quite a lot of sandbox environments, too.

https://developer.cisco.com/docs/sandbox/#%21data-center/overview

Part of this is the ACI (Ver. 4.0) available via this link.

sandboxapicdc.cisco.com

username: admin
password: ciscopsdt

There is a download available to build up your own lab system.

This consists of a spine, two leafs and an APIC, all in a single VM (identical setup to the one from sandboxapicdc).

Software (you do need an account with the proper provisioning) can be downloaded at

https://www.cisco.com/c/en/us/products/cloud-systems-management/application-centric-infrastructure-simulator/index.html

At the time of this writing the latest version is 5.0 – consisting of five parts, each part is about 10 GB.

Please check as well the release notes for further details:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/5-x/release-notes/cisco-aci-simulator-release-notes-501.html

and as well

https://www.cisco.com/c/en/us/support/cloud-systems-management/application-centric-infrastructure-simulator/series.html

First step after downloading – put the five parts together into one file.

On the linux/unix console it is:

cat part1 part2 part3 part4 part5 > aci.ova

and similar in Windows within the command window.

type part1 part2 part3 part4 part5 > aci.ova

Just replace part1 etc. with the names of the downloaded ova parts. The order has to be kept.

Any hypervisor that supports the OVA file format, such as VMware Workstation or VMware ESXi, can run this ova file.

This tutorial is about deploying the simulator on ESXi. This will require some extra steps, as the traditional approach (uploading the ova file via the web interface) won’t work due to the size of the ova file (50 GB).

But – this is not a problem. A closer look shows the nature of an .ova file. It is just a tar archive with the ending .ova.

# tar tvf aci.ova
-rw-r--r-- someone/64        5600 2020-05-15 03:03 acisim-5.0-1k.ovf
-rw-r--r-- someone/64         211 2020-05-15 03:03 acisim-5.0-1k.mf
-rw-r--r-- someone/64  4019572736 2020-05-15 03:03 acisim-5.0-1k-file1.bin
-rw-r--r-- someone/64 48823041536 2020-05-15 03:51 acisim-5.0-1k-disk1.vmdk
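The .mf entry in this listing is the OVF manifest, which carries one digest per file, so a concatenated OVA can be checked before the long upload (a missing part or a wrong part order shows up as a mismatch or a truncated entry). The following Python code is an added example, not part of the original post or of Cisco's tooling; it assumes manifest lines in the usual `SHA256(name)= hexdigest` form, and the demo archive and its file names are constructed.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest line, e.g.  SHA256(acisim-5.0-1k.ovf)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def parse_manifest(text):
    """Return {filename: (hash_name, hex_digest)} from the .mf content."""
    entries = {}
    for line in text.splitlines():
        m = MF_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def verify_ova(path, chunk_size=1 << 20):
    """Hash every file named in the OVA's manifest; return {name: status}.

    Status is "ok", "MISMATCH", "TRUNCATED" or "MISSING".
    """
    manifest = None
    with tarfile.open(path, "r:") as tar:      # "r:" = uncompressed tar
        for member in tar:                     # the .mf sits near the start
            if member.isfile() and member.name.endswith(".mf"):
                raw = tar.extractfile(member).read()
                manifest = parse_manifest(raw.decode("utf-8", "replace"))
                break
    if not manifest:
        raise ValueError("no usable .mf manifest in " + path)
    results = {name: "MISSING" for name in manifest}
    try:
        with tarfile.open(path, "r:") as tar:
            for member in tar:
                if member.name not in manifest or not member.isfile():
                    continue
                algo, expected = manifest[member.name]
                results[member.name] = "TRUNCATED"   # until fully read
                digest = hashlib.new(algo)
                src = tar.extractfile(member)
                # stream in chunks: the real disk image is about 48 GB
                for chunk in iter(lambda: src.read(chunk_size), b""):
                    digest.update(chunk)
                ok = digest.hexdigest() == expected
                results[member.name] = "ok" if ok else "MISMATCH"
    except tarfile.ReadError:
        pass  # archive ends early, e.g. a part is missing
    return results


def build_sample_ova(path, tamper=False):
    """Write a tiny constructed OVA (not Cisco's) for demonstration."""
    ovf, disk = b"<Envelope/>", b"\x00" * 4096
    mf = "".join("SHA256(%s)= %s\n" % (n, hashlib.sha256(d).hexdigest())
                 for n, d in (("demo.ovf", ovf), ("demo-disk1.vmdk", disk)))
    if tamper:
        disk = b"\x01" + disk[1:]    # simulates a corrupted or swapped part
    with tarfile.open(path, "w") as tar:
        for name, data in (("demo.ovf", ovf), ("demo.mf", mf.encode()),
                           ("demo-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

Calling `verify_ova("aci.ova")` on the concatenated file should report "ok" for every entry before the OVA is deployed.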

This technote describes how to deploy an .ova file on ESXi.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.html.hostclient.doc/GUID-8ABDB2E1-DDBF-40E3-8ED6-DC857783E3E3.html

Sizing of the VM is crucial – please calculate at least 16 GB or better 24 GB RAM.

As said – it is possible to use VMware Workstation on a PC as well, but RAM requirements are the same.

In your vSphere web client, right-click on your host inventory and select „Create/register VM“ (my screenshots are in German, but it is quite easy to find the same in your local language).


Now choose a name – and – as already mentioned – for smaller OVA files you’d be able to drag-and-drop, but this is limited to 1 GB.


Now select a datastore where the upload will be placed and a network.



That’s it. Now a little more patience is required – the upload of the disk container will take some time.


After the successful upload you’ll be able to boot the VM.

IMPORTANT : The simulator has to be reconfigured after each boot – the configuration isn’t persistent.

Ok – we’ll just use the default values except for the local network details (in this case 192.168.140.40/24).







Using the account „admin“ and the password you’ve provided you’ll be able to log in.



To get access from the outside world, you have to set promiscuous mode to accept for the virtual switches, as well as MAC address changes and forged transmits.

After those changes you’ll be able to log on from the „outside“ world.


Let’s begin now with the base configuration.

The simulator delivers four entities in one „pod“:

Let’s go now through the basics of a fully working APIC setup.

Fabric Membership

Log in to your web-based console and click on „Fabric“ -> Inventory -> Fabric-Membership (within the left pane).

You’ll see the first leaf there, with serial number TEP-1-101. Right-click on this one and select register.

Choose a name and just wait a while.

After some time the spine node will be discovered.


It will be added as well that way.



After adding all three nodes, the status should be active.

If you go now to

Fabric -> Inventory -> Topology -> Pane „Topology“ you’ll see your lab setup.

And it will explain the discovery path.

  1. APIC sees leaf-101 – and adds to inventory
  2. Now APIC will discover spine-201 – add to inventory
  3. If spine-201 is active – leaf-102 will be discovered

The Fabric -> Inventory -> Pod 1 -> leaf101 -> Sub Tab Interface will display the „physical“ connections to this leaf switch (port 41 and 49 in green).

Same for leaf-102 (port 49)


and the spine201 (port 01 and 02).

Maybe best to go through the quick start guide first.


Next step

BGP

Out Of Band Management

This takes care of the connectivity to the outside world. The GUI auto-assigns IP-addresses you’ve entered in the field „IPv4 Starting Address“ to the nodes of your simulator setup.


After setting those IP addresses, you’ll be able to log in from your remote system to the components.

DNS

NTP-Servers


If you want to change it later – you’ll find the configuration via:

-> Fabric -> Fabric Policies -> Policies -> Pod -> Date and Time -> Policy Default

And as a last step

Additional configuration

based on Cisco best practices.


After this you’ll see in the overview:


SNMP Configuration

We’ll just choose a very simple setup, with the well-known public community string, and ignore the stricter v3 login features.

Cisco ACI

Traditional datacentre setups lack the features needed to be application centric, to support automated deployment and to provide a single control instance that ensures a comprehensive view of the given assets.

Based on VxLAN – a protocol standard to encapsulate all network traffic

https://en.wikipedia.org/wiki/Virtual_Extensible_LAN

within a given Cisco ACI environment.

Cisco is delivering a wealth of documents – we’re going to maintain a list of links pointing to those.

There are as well lots of other online portals available, as an example we’d like to mention

https://unofficialaciguide.com/

Another nice site – https://www.twistedit.com/ – Jason is a very skilled guy, and has published quite a lot of training videos on YouTube. I’ll put in a reference per topic in this blog.

Data mining – with GNU R and a bunch of other tools

A while ago I was asked to analyse a given piece of software and to bring it to life on a new platform. It was the typical sad story: no documentation, no scripts, all hard coded, no central data store (all based on Excel sheets) and in the end fit for this single purpose only. Thus I recommended that the customer think of a rewrite of the entire code and look into other options (the code was based on Python with lots of nice (but undocumented) libraries).

As he asked me if I was able to do this, I did some research on options. As I’ve used so many programming languages in the past (just make a list, and I’ll add checkmarks to the languages 🙂 ) I had a look around, which would fit best.

Some of my criteria:

  • Open Source
  • Web Based
  • Widely in use
  • Capable of database interface
  • Interpreter or compiler capable
  • OS – preferable Linux (as this is our preferred OS)
  • Web-Based IDE (Integrated Development Environment)
  • Integration into GIT possible
  • Possible to integrate into automated deployment software
  • Modular concept, especially for graphic libraries
  • list not complete – we’ll see later

As Open Source heavily depends on sharing back, I’ve decided to show the interested crowd how I’ve built up my entire development stack, with some examples to get this all running. And I’m happy if that way others will get into this fantastic solution without the additional effort of finding out how to build it up. So – this series of articles will show you:

  • Required infrastructure
  • Configuration of all components
  • some examples

Feedback and comments are greatly appreciated!

When searching the net (by using my preferred search engine provider https://swisscows.ch) I’ve found various solutions, including the very impressive Tableau or similar solutions offered by e.g. Microsoft. But those got out of the game, no open source and quite expensive depending on your requirements.

That way I’ve found

GNU R

To get a first impression of the language capabilities – have a look here:

https://cran.r-project.org/doc/manuals/r-release/R-intro.html

available as PDF as well:

https://cran.r-project.org/doc/manuals/R-intro.pdf

By the way – GNU R is being integrated into Oracle’s data mining suite as well – interesting to read this PDF with a comprehensive overview

https://www.oracle.com/assets/media/oraclertechnologies-2188877.pdf

First attempts to use this for my project have been quite promising, but I’d like to have an environment, which is running via a web based interface.

RStudio

(being available in both OpenSource as well as subscription model) is another important piece.

https://rstudio.com/products/rstudio/#rstudio-server

But now – let’s start with the first part – installation of GNU R.

GNU R – Installation and First Steps

You will notice during all my installations that I prefer one Linux distribution – CentOS. All the configuration can be done on the other distributions as well; it is just historical that I’m quite used to CentOS. I’m aware of all the pros and cons – it depends on your personal preference, and it shouldn’t be a big deal to configure this on Debian, Ubuntu, SuSe, and all those others. In most cases it is just done by replacing yum with the package manager commands of the distribution of your choice.

In ancient times software installation was time consuming, maybe some of you are recalling those „configure; make; make install“ sequences – finding out – some library is missing, some include file as well. Took eventually days to get a simple piece of software up and running – gave you a very detailed insight how all of this is working – but the price – your time. With the actual package based distributions those installations can be done in minutes – literally.

Some words on the general design. We’ll build during this series of articles:

  • The nginx layer to take care of SSL offloading, and the forwarding to involved systems
  • RStudio and Shiny (we’ll come later to this one)
  • Database setup (based on MariaDB)
  • gitlab server
  • GoCD

I’ve got a quite large ESXi server, where I’m running all those instances as dedicated containers. All of this could be done on one single box, but I like to separate those. Especially as I’ve had some experience where e.g. the update requirements for one system conflict with those of another one. As CentOS is free, and you only need round about 8 GB per instance plus some storage – it is not a big deal to separate that.

Ok – on a standard installed CentOS we’ll start with the first step.

Install GNU R

As this is part of the standard CentOS distribution – this is a no-brainer.

By using the magic command

# yum install R

CentOS will start to check for all the required packages – don’t be surprised if it ends up with over 50 packages consisting of several hundred megabytes – GNU R is huge, and requires a lot of additional packages (remember my comment on the „configure; make; make install“ cycles 🙂 )

Depending on internet access and the performance of your system this will take a while.

After completion of the installation cycle, just enter the simple command „R“.

# R

R version 3.6.0 (2019-04-26) -- "Planting of a Tree"
Copyright (C) 2019 The R Foundation for Statistical Computing
Platform: x86_64-redhat-linux-gnu (64-bit)

As always – please create a non-privileged user to develop your code. It is alluring to use the root user – we all know.

At this stage you can do some testing and fiddling around, but a pure text based interface is .. kind of boring with the sixties feeling of a terminal interface.

There are quite a lot of tutorials (should be replaced by „huge amount“ or „incredible amount“) available – the R primer is a good example, but if you enter „R tutorial“ or „R examples“ – you’ll get a lot of results.

This site (sponsored by lots of ad links) gives a good introduction (I’m not affiliated with them) – but there are many, many others. And – always a good idea – just buy some books on R coding.

https://www.tutorialspoint.com/r/index.htm

But we shouldn’t spend too much time on the text interface – next step – RStudio – this will make your life as R coder much, much easier.

RStudio – the perfect R IDE

RStudio installation isn’t a big deal as well, some few commands and configuration steps – can be done in couple of minutes.

First login as root user on the box you’ve prepared to run the rstudio server.

Please check, if you’ve enabled as well the epel (extra packages for enterprise linux).

# yum install epel-release

After this step please download via wget the latest rstudio-package from this location.

https://rstudio.com/products/rstudio/download-server/

At time of this writing the latest package will be downloaded by:

# wget https://download2.rstudio.org/server/centos6/x86_64/rstudio-server-rhel-1.2.5042-x86_64.rpm

and after this a

# yum install rstudio-server-rhel-1.2.5042-x86_64.rpm 

will install all required parts on your system.

Please don’t forget to issue a

# systemctl enable rstudio-server

By this command the rstudio-server will come up after a reboot automatically.

And now – the big moment – you are able to access rstudio on port 8787 on your server.

Which user ? Quite simple – the user you’ve just created to run R. If you haven’t done so far:


# adduser myrstudio
# passwd myrstudio

Using your credentials you will now be presented with the RStudio interface.



I’ve entered some test lines in the text console – they are captured in the session log, and now you are able to see the output as well of the plot command.

On RStudio there are as well so many information resources available.

As I’ve configured my Rstudio system in a private IP network range, I’ve configured on our internet facing nginx instance a https forwarding.

Quite simple as well (nginx is configured in a couple of minutes).

nginx as SSL offloader

If you plan to use Rstudio outside of your internal network (or even from an external hosted server) it is best to use nginx as a proxy, and even better by implementing valid certificates.

To configure nginx there are some good tutorials online available – this one

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

describes pretty well what has to be done. letsencrypt is delivering trusted certificates – they have to be renewed every three months, but this can be automated (described in the article above as well).

If you follow the steps above, requesting and implementing an SSL-protected setup for your rstudio server (and later on Shiny) is quite simple.

# certbot certonly --standalone --preferred-challenges http --http-01-port 8080 -d rstudio.7o9.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rstudio.7o9.de
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rstudio.7o9.de/fullchain.pem

As we’ve got now our certificates, we are ready to configure the SSL setup for our rstudio access.

########### SSL config for rstudio.7o9.de

server {
    # SSL only
    listen       443 ssl http2;
    server_name  rstudio.7o9.de;

    # Location of letsencrypt certificates
    ssl_certificate     /etc/letsencrypt/live/rstudio.7o9.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rstudio.7o9.de/privkey.pem;

    # Optimized SSL session cache
    #    ssl_session_cache shared:SSL:40m;
    #    ssl_session_timeout  4h;

    # Enable session tickets (as an alternative to ssl session cache)
    ssl_session_tickets on;

    # Only support the latest SSL protocol (TLSv1 and TLSv1.1 removed)
    ssl_protocols  TLSv1.2;

    # Strict Transport security
    add_header Strict-Transport-Security "max-age=31536000; preload" always;

    # Supported SSL ciphers (3DES removed)
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers   on;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;

    # Forward to rstudio host
    location / {
        proxy_pass http://192.168.140.225:8787;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;

        # Required to enable upload of larger files
        client_max_body_size 128m;

        # for web socket support
        proxy_redirect http://localhost:8787/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # needed together with Upgrade so the WebSocket handshake is passed on
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 20d;
        proxy_buffering off;
    }
}

########## end of rstudio.7o9.de config

To check if your setup is fine, just enter your URL here:

https://www.ssllabs.com/ssltest/analyze.html?d=rstudio.7o9.de

Yeah – Grade A+ – that’s nice.

and Chrome and all others are happy as well.

Again – don’t use easy to guess passwords for your rstudio account. Part of the rstudio is a fully web based console – all the ubiquitous password crawlers are more than happy to find another „test/test“ login. And they will crawl your site for sure. 100% guaranteed!
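Since every login passes through the nginx proxy, its access log is the place to spot those crawlers. The following Python code is an added example, not part of the original post: it counts sign-in POSTs per client in a sliding window. The nginx "combined" log format, the RStudio sign-in path /auth-do-sign-in, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: RStudio Server's sign-in form posts to this path
LOGIN_PATH = "/auth-do-sign-in"

# nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')


def flag_signin_bursts(lines, max_attempts=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_count} for clients that sent more than
    max_attempts sign-in POSTs within the sliding window.

    Lines are expected in chronological order, as nginx writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a combined-format line
        ip, ts, method, path = m.groups()
        if method != "POST" or path.split("?")[0] != LOGIN_PATH:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) > max_attempts:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample: one normal login, then 8 attempts in 14 s from one client
SAMPLE_LOG = [
    '198.51.100.20 - - [12/May/2020:10:00:00 +0200] '
    '"POST /auth-do-sign-in HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    '203.0.113.7 - - [12/May/2020:10:01:%02d +0200] '
    '"POST /auth-do-sign-in HTTP/1.1" 302 0 "-" "python-requests/2.23"' % s
    for s in range(0, 16, 2)
] + [
    '198.51.100.20 - - [12/May/2020:10:05:00 +0200] '
    '"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in flag_signin_bursts(SAMPLE_LOG).items():
        print("%s: %d sign-in attempts within one minute" % (ip, count))
```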