Cisco¶

December 1, 2022
in Cisco
1 min read

ACI では Dynamic VLAN Pool に Infra VLAN ID を含めるとエラー

Cisco ACI では利用するポートを VLAN Pool として定義しますが、VLAN Pool に VLAN を割り当てる際は Static Allocation と Dynamic Allocation の、ふたつの方法があります。一般的に「Physical Domain であれば Static Allocation、VMM Domain であれば Dynamic Allocation」を利用することが多いように思います。ですが、Static Allocation と Dynamic Allocation では指定可能な VLAN ID に微妙な差があるようです。今回は ACI バージョン 6.0(1j) で検証しました。

November 11, 2022
in Cisco
1 min read

Cisco Webex では「見た目」と「実際のリンク先」が異なる Markdown は投稿出来ない

Cisco Webex では Markdown を有効化し、Markdown 書式を記載することが出来ます。

Webex アプリ | メッセージの形式

Markdown 記法では「表示」と「実際のリンク先」が異なるものを記載することが出来ます。例えば以下のような書き方です。

September 3, 2022
in Cisco
1 min read

ACI 5.x 系からは TLS 1.0 や 1.1 は非サポート

Cisco ACI は HTTPS で接続可能な TLS バージョンを Fabric → Fabric Policies → Policies → Pod → Management Access から設定可能です。 ACI バージョンにってサポートしている SSL/TLS バージョンが異なります。

TLS バージョン	4.x 系	5.x 系
TLS 1.0	○	X
TLS 1.1	○	X
TLS 1.2	○	○
TLS 1.3	X	○

August 31, 2022
in Cisco, Terraform
1 min read

Cisco ACI の設定を Terraform でインポートする

ACI 用の Terraform Provider を利用すれば Terraform から ACI の構成管理 (設定/設定削除) することが出来ます。 ACI の場合も他 Provider と同様に設定を tfstate にインポートすることが可能です。例えば Tenant-1 というテナントをインポートする場合、以下のような .tf ファイルを用意します。

August 28, 2022
in Cisco
4 min read

ACI の Annotation とは

Cisco ACI には Annotation という機能があります。今回は Annotation 機能の概要についてメモしておきます。

August 27, 2022
in Cisco, Terraform
2 min read

Terraform で ACI に vzAny を設定する

Terraform を使い、ACI で vzAny を設定する .tf ファイル例をメモしておきます。以下の環境で動作確認しました。

ACI 6.0(1g)
Terraform 1.2.9
ACI Provider 2.5.2

August 26, 2022
in Cisco
2 min read

ACI でポリシー名に利用可能な文字数/文字種のルールを調べる

ACI のポリシー名で利用可能な文字数/文字種は Cloud APIC & APIC Object Model Documentation や実機上の Object Browser で調べることが出来ます。今回は Cloud APIC & APIC Object Model Documentation から調べる方法をメモしておきます。尚、今回は ACI 5.x 系を対象にしています。

August 24, 2022
in Cisco
2 min read

ACI で非表示ポリシーを GUI 上に表示する

以前に ACI で「__ui」という設定名だと GUI には表示されない?? というメモを書きました。このメモに書いた点を含みますが、__ui_ で始まる名前のポリシーは以下のように特別な特徴を持ちます。

GUI
GUI 上には表示されない
設定を変更することで GUI 上に表示することも可能
但し、GUI 上からは削除/変更出来ない
CLI
CLI 上には表示される
但し ? で表示するヘルプ (候補) には表示されない
CLI 上からは削除/変更出来る

August 21, 2022
in Cisco
7 min read

ThousandEyes の Web テストの User-Agent は公式ドキュメントが間違っている

ThousandEyes の Default User-Agent Strings によると HTTP Server Test の場合、User-Agent は User-Agent: curl/7.51.0-DEV だと記載されています。

file

ですが、実際にパケットをキャプチャすると下記になっています。

User-Agent: curl になっている (公式ドキュメントと異なる)
X-ThousandEyes-Agent: yes も付与される

デフォルト User-Agent のキャプチャ結果

tshark で実際にキャプチャした出力例は以下の通りです。 User-Agent: curl 及び X-ThousandEyes-Agent: yes になっていることが分かります。

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 27: 292 bytes on wire (2336 bits), 292 bytes captured (2336 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 05:45:51.296784160 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662097551.296784160 seconds
    [Time delta from previous captured frame: 0.000056665 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 98.193993688 seconds]
    Frame Number: 27
    Frame Length: 292 bytes (2336 bits)
    Capture Length: 292 bytes (2336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 278
    Identification: 0x8b7e (35710)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x6788 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 53264 (53264), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 226
    Source port: 53264 (53264)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 227    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb38d [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1657494759, TSecr 3271439425
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1657494759
            Timestamp echo reply: 3271439425
    [SEQ/ACK analysis]
        [Bytes in flight: 226]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: curl\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]

カスタム User-Agent のキャプチャ結果

User-Agent をカスタマイズする場合は Custom User-Agent Strings in a Web Test の手順に従います。今回は以下のように CUSTOM-USER-AGENT と設定しました。

file

これをキャプチャした結果は以下の通りです。

User-Agent: CUSTOM-USER-AGENT に変更されている
X-ThousandEyes-Agent: yes も付与される

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 38: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 13:35:02.650728079 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662125702.650728079 seconds
    [Time delta from previous captured frame: 0.000039499 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 150.788132120 seconds]
    Frame Number: 38
    Frame Length: 305 bytes (2440 bits)
    Capture Length: 305 bytes (2440 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 291
    Identification: 0xc6aa (50858)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x2c4f [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 35316 (35316), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 239
    Source port: 35316 (35316)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 240    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb668 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1685646112, TSecr 3299590778
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1685646112
            Timestamp echo reply: 3299590778
    [SEQ/ACK analysis]
        [Bytes in flight: 239]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: CUSTOM-USER-AGENT\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]

August 20, 2022
in Cisco
1 min read

ACI 6.x 系のパスワード要件

ACI のバージョン 6.x 系でローカルユーザのパスワード要件は APIC Local Users で以下のように記載されています。基本的に以前のバージョンから変更はありません。

Minimum password length is 8 characters.
Maximum password length is 64 characters.
Has fewer than three consecutive repeated characters.
Must have characters from at least three of the following characters types: lowercase, uppercase, digit, symbol.
Does not use easily guessed passwords.
Cannot be the username or the reverse of the username.
Cannot be any variation of cisco, isco or any permutation of these characters or variants obtained by changing the capitalization of letters therein.