Deploying the Cisco APIC-EM

• Information about the Cisco APIC-EM Deployment
• Pre-Deployment Checklists
• Verifying the Cisco ISO Image
• Installing the Cisco ISO Image
• Cisco APIC-EM Configuration Wizard Parameters
• Configuring Cisco APIC-EM as a Single Host Using the Wizard
• Configuring Cisco APIC-EM as a Multi-Host Cluster Using the Wizard
• Powering Down and Powering Up a Single Host or Multi-Host Cluster
• Powering Down and Powering Up a Single Host Within a Multi-Host Cluster
• Uninstalling the Cisco APIC-EM

Information about the Cisco APIC-EM Deployment

You can deploy the Cisco APIC-EM on either a server (bare-metal hardware) or within a virtual machine in a VMware vSphere environment. You can also deploy the Cisco APIC-EM as either a single host or in a multi-host environment.

Note: We recommend that you deploy the Cisco APIC-EM in a multi-host environment for enhanced scalability and redundancy.

Pre-Deployment Checklists

Single Host Checklists

Review the following checklists before beginning your single-host Cisco APIC-EM deployment.

Note: A host is defined as a physical server or virtual machine with instances of a Grapevine root and clients running. The Grapevine root is located in the host OS and the clients are located within Linux containers. The clients run the services within the Linux containers. You can set up either a single host deployment or multi-host deployment (2 or 3 hosts) for your network. For high availability and scale, your multi-host deployment must contain three hosts. All inbound traffic to the controller in a single host deployment is through the host IP address that you configure using the configuration wizard. All inbound traffic to the controller in a multi-host deployment is through a Virtual IP that you configure using the configuration wizard.
Networking Requirements

This Cisco APIC-EM deployment requires that the network adapters (NICs) on the host (physical or virtual) are connected to the following networks:

• Internet (network access required for Make A Wish requests and telemetry collection)
• Network with NTP server(s)
• Network with devices that are to be managed by the Cisco APIC-EM

Note: The Cisco APIC-EM should never be directly connected to the Internet. It should not be deployed outside of a NAT configured or protected data center environment.

IP Address Requirements

Ensure that you have available at least one IP address for the network adapter (NIC) on the host.

The IP address is used as follows:

• Direct access to the Grapevine root
• Direct access to the Cisco APIC-EM controller (for GUI access)

Note: If your host has 2 NICs, then you might want to have two IP addresses available and configure one IP address for each NIC.

Multi-Host Checklists

Review the following checklist before beginning your multi-host Cisco APIC-EM deployment.

• You must satisfy the requirements for the single host deployment as described in the previous section for each host.
• Additionally, you must establish a network connection between each of the hosts using either a switch or a router. Each host must be routable with the other two hosts.
• You must configure a virtual IP (VIP).

  You configure one or more NICs on each host using the configuration wizard. Each NIC that you configure must point to a non-routable network (if all your networks are routable, then you only need one NIC). A VIP is required per non-routable network. For example, if you configure 2 NICs on all 3 hosts in a multi-host cluster and each NIC points to a separate, non-routable network, then you need to configure 2 VIPs. The VIP provides an interface redundancy feature for your multi-host deployment. With a VIP, the IP address can float between the hosts.

  When deploying the controller in a multi-host configuration:

  • You provide a VIP address when configuring the controller using the wizard.
  • On startup, the controller will bring up the VIP on one of the hosts.
  • All inbound requests into the controller from the external network are made via this VIP (instead of the host IP address), and the requests are routed to the services running on different hosts via the reverse-proxy service.
  • If the host that has the VIP fails, then Grapevine will bring up the VIP on one of the remaining two hosts.
  • The VIP must reside in the same subnet as the three hosts.
  • If you are planning to obtain a certificate issued for a multi-host environment, then it is important to get the certificate issued against the virtual IP or the host name resolvable to the virtual IP.

Multi-Host Deployment Virtual IP

A multi-host deployment has three physical IP addresses and one virtual IP that floats across the IP addresses by design in order to provide high availability. This capability to float also means that any SSH client that wants to connect to the virtual IP address will see different host-identity public SSH keys each time the virtual IP moves its residence from one host to another host. Most SSH clients will complain that the new host is not trusted, since an entry already exists (as you might have accepted the key earlier for the older host which owned that virtual IP address before). To prevent this inconvenience, you may want to add the host keys of all three hosts to your known hosts list as described below.

For example, on a Linux or Apple Mac OS client machine, run the ssh-keyscan command on each of the three host physical IP addresses as follows:

    $ ssh-keyscan -t rsa 209.165.200.30
    # 209.165.200.30 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
    209.165.200.30 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1B6/1JpKPFOmG3S82eE8OKZkGYmRdSYnuCHfDiY5Pptt3BmaPgC6OlER4wwDL8VP2Rx2kxj3diIzFpUOyDqTbFxIRKVzlwtHHZdhO6G93MyLLGsWqXSMWs4xVcqpembKeCrdjakPaPAXqiAeKW9oimdv.....

    $ ssh-keyscan -t rsa 209.165.200.31
    # 209.165.200.31 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
    209.165.200.31 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF57F90z2His86tEj4s75pTc7h0nfzF2c3QweHCNN2ov474HJJcPrnWTw4DAoPpPCU6zWvR0QLxunURDb+pMeZrIIyd49xn9+OBSmBpzrnety7UB2uPXzL1RvVxayw8mkXkj779LhFh9vkXR4DtX7XLjg.....
    $ ssh-keyscan -t rsa 209.165.200.32
    # 209.165.200.32 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
    209.165.200.32 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9kwzodGzGkh/UFXVa9fptGe+sa3CBR6SNerXxpCmfT9AOXH8xuk3/CBX+DDUQgGJVmqw6maCYKOy0RtAhGxdsNdPL6ETTKzxYB5uzw3KhcDJ6D6ob6jdzkR6yRuXVFi2OE+u1Aqs7J8GO66FfdavU8.....

Next, change the IP address in the SSH key line of each output to the virtual IP address, append all three key lines to the ~/.ssh/known_hosts file, and save it.

Assuming that 209.165.200.33 is the virtual IP address in the above multi-host example, you would add three lines in the ~/.ssh/known_hosts file of your client machine as follows:

    209.165.200.33 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1B6/1JpKPFOmG3S82eE8OKZkGYmRdSYnuCHfDiY5Pptt3BmaPgC6OlER4wwDL8VP2Rx2kxj3diIzFpUOyDqTbFxIRKVzlwtHHZdhO6G93MyLLGsWqXSMWs4xVcqpembKeCrdjakPaPAXqiAeKW9oimdvPbrQPua7Zg9oblDxaBPn0Fqj00YDjKqTkp/IkZHEfHbDM996GLEbWlOvoHeCCqeZ1nWgFIqzAF+ty8+X5Z/fhhmGe+w2tQlMfrs9pcZDaEEmq/w1W+uRohxLKs+OHnHYAbMzC6O+5fLEr2BwaZf8W016eo1WpPsxUVK6StbXBOQZrcH0bPsUbIjKJkzafpft9Dp73pSd/vwaoB3DrvNec/PiEJYk+R.....

After the above change, the client will have no trouble performing uninterrupted SSH into the virtual IP address of the hosts even with the IP address floating.

Verifying the Cisco ISO Image

Prior to deploying the Cisco APIC-EM, you can verify that the ISO image that you downloaded is a genuine Cisco image.

Note: If you are deploying the Cisco APIC-EM from an ISO image that you downloaded, then perform this procedure. This procedure is not required if deploying the controller with the Cisco APIC-EM Controller Appliance (Cisco APIC-EM ISO image pre-installed and tested).

Before you begin

You must have received notification of the location of the Cisco APIC-EM ISO image or contacted Cisco support for the location of the Cisco APIC-EM ISO image.

Step 1  Download the ISO image from the location specified by Cisco.

Step 2  Download the Cisco public key for signature verification from the location specified by Cisco.
        The Cisco public key is named: cisco_image_verification_key.pub

Step 3  Download the secure hash algorithm (SHA512) checksum file for the ISO image from the location specified by Cisco.

Step 4  Obtain the specific release ISO image's signature file from Cisco support via email or by download from the secure Cisco website (if available).

        For example, apic-em-CA-0.8.2.4704-0.1.0.15.dev1300-gaafbb68.sig.

Step 5  (Optional) Perform a SHA verification to determine whether the ISO image was corrupted due to a partial download.

        For example, run one of the following commands (depending upon your operating system):

        • On a system running Mac OS X:

            shasum -a 512 apic-em-CA-0.8.2.4704-0.1.0.15.dev1300-gaafbb68.iso

        • On a Linux system:

            sha512sum apic-em-CA-0.8.2.4704-0.1.0.15.dev1300-gaafbb68.iso

        Microsoft Windows does not include a built-in checksum utility, but you can install a utility from Microsoft at this link: http://www.microsoft.com/en-us/download/details.aspx?id=11533

        Compare the output of the above command (or Microsoft Windows utility) to the SHA512 checksum file downloaded earlier in step 3. If the command output fails to match, download the ISO image again and run the appropriate command a second time. If the output still fails to match, contact Cisco support.

Step 6  Verify that the ISO image is genuine and from Cisco by verifying the signature. Run the following command on the ISO image:

            openssl dgst -sha512 -verify cisco_image_verification_key.pub -signature apic-em-CA-0.8.2.4704-0.1.0.15.dev1300-gaafbb68.sig apic-em-CA-0.8.2.4704-0.1.0.15.dev1300-gaafbb68.iso

        If the ISO image is genuine, then running this command should result in a Verified OK message. If this message fails to appear, then do not install the ISO image and contact Cisco support.

        Note: The image name and the signature names used here are only examples. Use the exact names of these files that you downloaded from the Cisco website.

        This command will work in both Mac and Linux environments. For Windows, you need to download and implement OpenSSL from www.openssl.org, if you have not already done so.
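Steps 5 and 6 combined into one gate, as an added example that is not part of the Cisco guide: the image is accepted only if the SHA512 digest matches and openssl prints Verified OK. The function names, the return codes, and the assumption that the checksum file begins with the hex digest belong to this example, not to Cisco.

```shell
#!/bin/sh
# Added example, not Cisco's code. Pass the exact file names you downloaded.

# Print the SHA-512 hex digest of a file with whichever tool the OS provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_iso ISO CHECKSUM_FILE SIG_FILE PUBKEY
# Returns 0 only when the digest matches AND the signature verifies.
# Returns 1 on checksum mismatch, 2 on signature failure, 3 on a missing file.
verify_iso() {
    iso=$1; sumfile=$2; sig=$3; pub=$4
    for f in "$iso" "$sumfile" "$sig" "$pub"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 3; }
    done
    # Assumption: the first field of the checksum file is the hex digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$iso")
    if [ "$expected" != "$actual" ]; then
        echo "SHA512 mismatch: download the ISO image again" >&2
        return 1
    fi
    # Step 5 only detects corruption; Step 6 is the check that ties the
    # image to the holder of the signing key, so a digest match is not enough.
    result=$(openssl dgst -sha512 -verify "$pub" -signature "$sig" "$iso" 2>&1)
    if [ "$result" != "Verified OK" ]; then
        echo "signature verification failed: do not install" >&2
        return 2
    fi
    echo "Verified OK: $iso"
    return 0
}
```

The signature check is only as trustworthy as the copy of cisco_image_verification_key.pub it is given, so fetch the key from the location Cisco specifies rather than from wherever the ISO was mirrored.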
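For the known_hosts step in the Multi-Host Deployment Virtual IP section earlier, an added example (not from the Cisco guide) that rewrites ssh-keyscan output to the virtual IP and appends only the lines the file does not already hold. The function names are hypothetical and the key blobs in the sample are constructed placeholders; the addresses are the ones used in the guide's example.

```shell
#!/bin/sh
# Added example, not Cisco's code. Key blobs below are constructed placeholders.

# Constructed stand-in for the output of:
#   ssh-keyscan -t rsa 209.165.200.30 209.165.200.31 209.165.200.32
SAMPLE_KEYSCAN='# 209.165.200.30 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
209.165.200.30 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-HOST-A
# 209.165.200.31 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
209.165.200.31 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-HOST-B
209.165.200.32 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-HOST-C'

# vip_lines VIP: read ssh-keyscan output on stdin and print one known_hosts
# line per distinct host key, with the host field replaced by VIP.
vip_lines() {
    awk -v vip="$1" '
        /^#/ || NF != 3 { next }            # skip banners and malformed lines
        !seen[$2 " " $3]++ { print vip, $2, $3 }'
}

# add_vip_keys VIP FILE: append only the lines FILE does not already contain,
# so re-running after a host is rebuilt adds the new key without duplicates.
# Prints the number of lines added.
add_vip_keys() {
    vip=$1; file=$2; added=0
    new=$(vip_lines "$vip")                 # consumes keyscan output from stdin
    touch "$file" && chmod 600 "$file"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! grep -qxF -e "$line" "$file"; then   # -x whole line, -F literal
            printf '%s\n' "$line" >> "$file"
            added=$((added + 1))
        fi
    done <<EOF
$new
EOF
    echo "$added"
}

# Real use (three physical hosts, one VIP):
#   ssh-keyscan -t rsa 209.165.200.30 209.165.200.31 209.165.200.32 |
#       add_vip_keys 209.165.200.33 ~/.ssh/known_hosts
```

ssh-keyscan does not authenticate the hosts it queries, so compare each key's fingerprint (ssh-keygen -lf on the saved line) with the one read on that host's console before appending.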
What to do next

After you verify that the ISO image is genuine and from Cisco, install the Cisco ISO image.

Installing the Cisco ISO Image

Perform the steps in the following procedure to install the Cisco ISO image on the host (server or virtual machine).

Note: If you are deploying the Cisco APIC-EM from an ISO image that you downloaded, then perform this procedure. This procedure is not required if deploying the controller with the Cisco APIC-EM Controller Appliance (Cisco APIC-EM ISO image pre-installed and tested).

Before you begin

You must review the system requirements before beginning this procedure.

You must review the Cisco APIC-EM pre-deployment checklist before beginning this procedure.

You must have downloaded and verified the Cisco ISO image by performing the tasks in the previous procedure.

For installing the Cisco APIC-EM ISO image into a virtual machine using VMware, you must create an empty virtual machine to which you attach the Cisco APIC-EM ISO image and which you then boot up. When creating this virtual machine, do not accept the VMware default settings but configure the settings as per the system requirements previously listed in this guide.

Note: See the VMware documentation for information about creating and configuring new virtual machines.

Perform one of the following procedures:

• For installing the Cisco APIC-EM ISO image on a server and from local media:
  • Burn the ISO image onto a DVD or a bootable USB flash drive.
  • Insert the DVD into the DVD drive of the physical appliance.
    If your physical appliance does not come with a DVD drive, you can connect an external USB DVD drive to the appliance and insert the disk into that external drive.
  • You can also connect the bootable USB flash drive onto which you burned the ISO image to the appliance.

  Note: Cisco UCS servers provide an additional method of installing a remote ISO using a Virtual KVM console. See your Cisco UCS server documentation for information about this procedure. Note that installing the ISO image using a Virtual KVM console may take longer than the above methods.

• For installing the Cisco APIC-EM ISO image on a virtual machine:
  • Upload the Cisco APIC-EM ISO image directly to the virtual machine's datastore.
  • Attach the Cisco APIC-EM ISO image as a virtual CD-ROM drive of the virtual machine.

What to do next

Boot up the host (server or virtual machine) and run the wizard to configure the Cisco APIC-EM.

Cisco APIC-EM Configuration Wizard Parameters

When the Cisco APIC-EM software configuration begins, an interactive configuration wizard prompts you to enter required parameters to configure the controller.

Note: Ensure that the DNS and NTP servers are reachable before you run the configuration wizard and whenever a Cisco APIC-EM host reboots in the deployment.

Table 1: Cisco APIC-EM Configuration Wizard Parameters

Configuration Wizard Prompt: Host IP address
Description: Must be a valid IPv4 address for the host. This IP address is used for the network adapter (eth0) on the host and connects to the external network or networks. For multiple network adapters, have several IP addresses available.
Example: 10.0.0.12

Configuration Wizard Prompt: (Optional) Virtual IP address
Description: Must be a valid IPv4 address. This virtual IP address is used for the network adapter (eth0) on the host. You should only configure a virtual IP address if you are setting up a multi-host deployment.
Example: 10.12.13.14

Configuration Wizard Prompt: Netmask IP address
Description: Must be a valid IPv4 netmask.
Example: 255.255.255.0

Configuration Wizard Prompt: Default Gateway IP address
Description: Must be a valid IPv4 address for the default gateway.
Example: 10.12.13.1

Configuration Wizard Prompt: Primary server
Description: Must be a valid IPv4 address for the primary server.
Note: Enter either a single IP address for a single primary server, or multiple IP addresses separated by spaces for DNS servers.
Example: 10.15.20.25

Configuration Wizard Prompt: Primary NTP server
Description: Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server.
Example: 10.12.13.10
Enter either a single IP address for a single NTP primary server, or multiple IP addresses separated by spaces for several NTP servers. We recommend that you configure three NTP servers for your deployment.

Configuration Wizard Prompt: Add/Edit another NTP server
Description: Must be a valid NTP domain. Allows you to configure multiple NTP servers.
Note: We recommend that you configure three NTP servers for your deployment.
Example: 10.12.13.11
Configuration Wizard Prompt: HTTPS proxy server
Description: Must be a valid IPv4 address for the HTTPS proxy with port number.
Example: https://209.165.200.11:3128

Configuration Wizard Prompt: Admin Username
Description: Identifies the administrative username used for GUI access to the Cisco APIC-EM controller. We recommend that the username be three to eight characters in length and be composed of valid alphanumeric characters (A–Z, a–z, or 0–9).
Example: admin2780

Configuration Wizard Prompt: Admin Password
Description: Identifies the administrative password that is used for GUI access to the Cisco APIC-EM controller. You must create this password because there is no default. The password must meet the following requirements:
• Eight character minimum length.
• Does NOT contain a tab or a line break.
• Does contain characters from at least three of the following categories:
  • Uppercase alphabet
  • Lowercase alphabet
  • Numeral
  • Special characters (for example, ! or #)
Example: MyIseYPass2

Configuration Wizard Prompt: Linux Username
Description: Identifies the Linux (Grapevine) username used for CLI access to the Grapevine root and clients.
Example: The default is 'grapevine' and cannot be changed.

Configuration Wizard Prompt: Linux Password
Description: Identifies the Linux (Grapevine) password that is used for CLI access to the Grapevine roots and clients. You must create this password because there is no default. The password must meet the following requirements:
• Eight character minimum length.
• Does NOT contain a tab or a line break.
• Does contain characters from at least three of the following categories:
  • Uppercase alphabet
  • Lowercase alphabet
  • Numeral
  • Special characters (for example, ! or #)
Example: MyGVPass01

Configuring Cisco APIC-EM as a Single Host Using the Wizard

Perform the steps in the following procedure to configure Cisco APIC-EM as a single host using the wizard.

Before you begin

You must have either received the Cisco APIC-EM Controller Appliance with the Cisco APIC-EM pre-installed or you must have downloaded, verified, and installed the Cisco ISO image onto a server or virtual machine as described in the previous procedures.
Step 1  Boot up the host.

Step 2  Review the APIC-EM License Agreement screen that appears and choose either <view license agreement> to review the license agreement or accept>> to accept the license agreement and proceed.

        Note: You will not be able to proceed without accepting the license agreement.

        After accepting the license agreement, you are then prompted to select a configuration option.

Step 3  Review the Welcome to the APIC-EM Configuration Wizard! screen and choose the Create a new APIC-EM cluster option to begin.

        You are then prompted to enter values for the NETWORK ADAPTER #1 (eth0).

Step 4  Enter configuration values for the NETWORK ADAPTER #1 (eth0) on the host.

        The configuration wizard discovers and prompts you to confirm values for the network adapter or adapters on your host. For example, if your host has three network adapters, you are prompted to confirm configuration values for network adapter #1 (eth0), network adapter #2 (eth1), and network adapter #3 (eth2) respectively.

        Note: The primary interface for the controller is eth0 and it is best practice to ensure that this interface is made highly available.

        On Cisco UCS servers, the NIC labeled with number 1 would be the physical NIC. The NIC labeled with the number 2 would be eth1.

        Host IP address: Enter the host IP address to use for the network adapter. This host IP address (and network adapter) connects to the external network or networks. The external network(s) consist of the network devices and NTP servers, and provide access to the northbound REST APIs. The external network(s) also provide access to the controller GUI.
          Note: The configuration wizard validates the value entered and issues an error message if incorrect. If you receive an error message for the host IP address, then check to ensure that eth0 (ethernet interface) is connected to the correct network adapter.

        Virtual IP: (Optional) Enter a virtual IP address to use for this network adapter. You should only configure a virtual IP address if you are setting up a multi-host deployment.
          Note: For additional information about virtual IP, see Multi-Host Deployment Virtual IP.

        Netmask: Enter the netmask for the network adapter's IP address.

        Default Gateway IP address: Enter a default gateway IP address to use for the network adapter.
          Note: If no other routes match the traffic, traffic will be routed through this IP address.

        DNS Servers: Enter the DNS server or servers IP addresses (separated by spaces) for the network adapter.