
Cisco

ACI: Including the Infra VLAN ID in a Dynamic VLAN Pool Causes an Error

Cisco ACI defines the VLANs used on a port as a VLAN Pool, and when assigning VLANs to a VLAN Pool there are two methods: Static Allocation and Dynamic Allocation. In general it seems common to use Static Allocation for a Physical Domain and Dynamic Allocation for a VMM Domain. However, there appears to be a subtle difference between Static Allocation and Dynamic Allocation in which VLAN IDs can be specified. This was verified on ACI version 6.0(1j).

ACI 5.x and Later Do Not Support TLS 1.0 or 1.1

Cisco ACI lets you configure the TLS versions accepted for HTTPS connections under Fabric > Fabric Policies > Policies > Pod > Management Access. The supported SSL/TLS versions differ by ACI version.

TLS version   4.x             5.x
TLS 1.0       supported       not supported
TLS 1.1       supported       not supported
TLS 1.2       supported       supported
TLS 1.3       not supported   supported

Displaying Hidden Policies in the ACI GUI

I previously wrote a memo titled "In ACI, is a configuration named '__ui' hidden from the GUI??". Including the point made in that memo, policies whose names begin with __ui_ have the following special characteristics.

  • GUI
      • Not shown in the GUI
      • Can be made visible in the GUI by changing a setting
      • However, cannot be deleted or modified from the GUI
  • CLI
      • Shown in the CLI
      • However, not shown in the help (completion candidates) displayed with ?
      • Can be deleted or modified from the CLI

The User-Agent of ThousandEyes Web Tests Is Wrong in the Official Documentation

According to ThousandEyes' Default User-Agent Strings, for an HTTP Server Test the User-Agent is documented as User-Agent: curl/7.51.0-DEV.


However, capturing the actual packets shows the following.

  • The header is User-Agent: curl (different from the official documentation)
  • An X-ThousandEyes-Agent: yes header is also added

Capture Result with the Default User-Agent

An example of the output actually captured with tshark is shown below. You can see that the request carries User-Agent: curl and X-ThousandEyes-Agent: yes.

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 27: 292 bytes on wire (2336 bits), 292 bytes captured (2336 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 05:45:51.296784160 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662097551.296784160 seconds
    [Time delta from previous captured frame: 0.000056665 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 98.193993688 seconds]
    Frame Number: 27
    Frame Length: 292 bytes (2336 bits)
    Capture Length: 292 bytes (2336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 278
    Identification: 0x8b7e (35710)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x6788 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 53264 (53264), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 226
    Source port: 53264 (53264)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 227    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb38d [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1657494759, TSecr 3271439425
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1657494759
            Timestamp echo reply: 3271439425
    [SEQ/ACK analysis]
        [Bytes in flight: 226]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: curl\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]

Capture Result with a Custom User-Agent

To customize the User-Agent, follow the steps in Custom User-Agent Strings in a Web Test. This time it was set to CUSTOM-USER-AGENT.


The result of capturing this is shown below.

  • The header has changed to User-Agent: CUSTOM-USER-AGENT
  • An X-ThousandEyes-Agent: yes header is still added

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 38: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 13:35:02.650728079 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662125702.650728079 seconds
    [Time delta from previous captured frame: 0.000039499 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 150.788132120 seconds]
    Frame Number: 38
    Frame Length: 305 bytes (2440 bits)
    Capture Length: 305 bytes (2440 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 291
    Identification: 0xc6aa (50858)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x2c4f [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 35316 (35316), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 239
    Source port: 35316 (35316)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 240    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb668 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1685646112, TSecr 3299590778
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1685646112
            Timestamp echo reply: 3299590778
    [SEQ/ACK analysis]
        [Bytes in flight: 239]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: CUSTOM-USER-AGENT\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]
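Both captures show that the User-Agent is not a reliable way to recognise ThousandEyes HTTP Server Test traffic (it is plain curl by default and anything you like when customised), while the X-ThousandEyes-Agent: yes header is present in both cases. The following Python example, added here and not ThousandEyes' own code, parses a raw HTTP/1.1 request and classifies it on that header so that synthetic-monitoring probes can be separated from real clients in access-log triage. The sample requests are constructed from the header lines of the two captures above; the third sample, an ordinary curl request, is constructed for contrast.

```python
"""Recognise ThousandEyes HTTP Server Test requests by their X-ThousandEyes-Agent header.

Added example, not ThousandEyes code.  The sample requests are constructed from
the captures above; the classification rule (trust the X-ThousandEyes-Agent
header rather than the User-Agent) is this example's own.
"""

# Constructed from the default-User-Agent capture: request line plus headers.
DEFAULT_UA_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: deflate, gzip\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\n"
    "Upgrade: h2c\r\n"
    "HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n"
    "X-ThousandEyes-Agent: yes\r\n"
    "\r\n"
)

# Constructed from the custom-User-Agent capture: only the User-Agent differs.
CUSTOM_UA_REQUEST = DEFAULT_UA_REQUEST.replace(
    "User-Agent: curl\r\n", "User-Agent: CUSTOM-USER-AGENT\r\n"
)

# Constructed: an ordinary curl request carrying the documented (but unobserved)
# User-Agent string and no ThousandEyes marker at all.
PLAIN_CURL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl/7.51.0-DEV\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header map.

    Header names are lower-cased because HTTP header names are case-insensitive;
    a header line without a colon is rejected rather than silently skipped.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def is_thousandeyes_test(raw: str) -> bool:
    """True when the request is marked by ThousandEyes itself, whatever the User-Agent says."""
    _, headers = parse_request(raw)
    return headers.get("x-thousandeyes-agent", "").lower() == "yes"


def classify(raw: str) -> str:
    """Label a request for log triage: the claimed client and whether it is a TE probe."""
    _, headers = parse_request(raw)
    ua = headers.get("user-agent", "<none>")
    if is_thousandeyes_test(raw):
        return f"thousandeyes-probe (User-Agent={ua})"
    return f"other (User-Agent={ua})"


if __name__ == "__main__":
    for name, req in [("default", DEFAULT_UA_REQUEST),
                      ("custom", CUSTOM_UA_REQUEST),
                      ("plain curl", PLAIN_CURL_REQUEST)]:
        print(f"{name:10s} -> {classify(req)}")
```

Matching on the marker header rather than on "curl" avoids both false positives (any real curl user) and false negatives (a customised User-Agent), which matters when monitoring traffic is excluded from rate limits or analytics.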

Password Requirements in ACI 6.x

The password requirements for local users in ACI 6.x are described in APIC Local Users as follows. There is essentially no change from earlier versions.

  • Minimum password length is 8 characters.
  • Maximum password length is 64 characters.
  • Has fewer than three consecutive repeated characters.
  • Must have characters from at least three of the following characters types: lowercase, uppercase, digit, symbol.
  • Does not use easily guessed passwords.
  • Cannot be the username or the reverse of the username.
  • Cannot be any variation of cisco, isco or any permutation of these characters or variants obtained by changing the capitalization of letters therein.
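The rules above can be checked before a password is submitted to the APIC, which is useful when local accounts are provisioned by automation. The following Python checker is an added example, not Cisco's validation code: it implements the listed rules and returns every violated one. Two points are this example's own assumptions and are marked as such in the code: "easily guessed" is approximated with a tiny constructed denylist, and "any permutation of cisco/isco" is read as any case-insensitive substring that is a rearrangement of those letters.

```python
"""Checker for the APIC local-user password rules listed above.

Added example, not Cisco's own validation code.  The denylist used for the
"easily guessed" rule and the anagram reading of "permutation of cisco/isco"
are assumptions of this example.
"""
import re

# Constructed stand-in for the APIC "easily guessed" list (assumption).
EASILY_GUESSED = {"password", "password1", "12345678", "qwerty123"}

# The four character classes; at least three must be present.
CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def has_three_consecutive_repeats(pw: str) -> bool:
    """True if any character occurs three or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1\1", pw) is not None


def contains_anagram_of(pw: str, word: str) -> bool:
    """True if some window of pw, ignoring case, is a rearrangement of word (assumed reading)."""
    target = sorted(word)
    lowered = pw.lower()
    n = len(word)
    return any(sorted(lowered[i:i + n]) == target
               for i in range(len(lowered) - n + 1))


def check_password(password: str, username: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:
        problems.append("longer than 64 characters")
    if has_three_consecutive_repeats(password):
        problems.append("three or more consecutive repeated characters")
    classes = [name for name, rx in CHAR_CLASSES.items() if rx.search(password)]
    if len(classes) < 3:
        problems.append(f"only {len(classes)} of 4 character classes used")
    if password.lower() in EASILY_GUESSED:
        problems.append("easily guessed password")
    # Username comparison is done case-insensitively here (assumption).
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("password equals the username or its reverse")
    if contains_anagram_of(password, "cisco") or contains_anagram_of(password, "isco"):
        problems.append("contains a variation of 'cisco'/'isco'")
    return problems


if __name__ == "__main__":
    for candidate in ["Xk7#pQ2m", "Cisco123!", "nimda", "aaa"]:
        verdict = check_password(candidate, "admin") or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run it with a candidate password and the account name; an empty list is a pass, otherwise each entry names a rule to fix, which is more useful to an operator than the single rejection message the APIC returns.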