A funny thing happened in the ACI lab today…


I had a Tenant with a statically configured bare metal hosts attached to interface 1/16 on both leaf 101 and leaf 102, but came up with a “invalid-path;invalid-vlan” error on the faults page for the EPG that was being configured for leaf 102. The host attached to Leaf 101 was working, had no errors and was configured in exactly the same way!

I checked:
In the tenant, the EPG had been linked to the correct Physical Domain
In the tenant, the EPG had been linked to the correct leaf/port/vlan

In the Fabric Policies;
The Leaf Profile defined the correct leaf, and was linked to the correct Interface Profile
The Interface Profile had an Access Port Selector for to the correct port (1/16), and the Access Port Selector was linked to an Access Port Policy Group
The Access Port Policy Group was linked to the correct Attachable Access Entity Profile
The Attachable Access Entity Profile was linked to the same Physical Domain as the EPG showing the error
The Physical Domain was linked to a VLAN Pool that included the VLAN ID being used in the EPG for the static mapping.

So I was stumped.  I have never seen an  “invalid-path;invalid-vlan” error before that could be solved by checking the above, so in desperation I checked thing from the CLI:

apic1# show run leaf 102 interface ethernet 1/16
# Command: show running-config leaf 102 interface ethernet 1/16
# Time: Wed Mar  1 04:17:41 2017
  leaf 102
    interface ethernet 1/16
      # Policy-group configured from leaf-profile ['T5:L102-LeafProf'], leaf-interface-profile T5:L102-IntProf
      # policy-group T5:1G.CDP.LLDP-APPG
      lldp receive
      lldp transmit
      cdp enable
      vlan-domain member T5:MappedVLANs-PhysDom type phys
      switchport access vlan 2050 tenant Tenant5 application 2Tier-AP epg WebServers-EPG
      speed 1G
      negotiate auto
      link debounce time 100
      exit
    exit

“That looks a bit strange”, I thought.  “I don’t normally see the lldp and cdp policies etc”.  But there was nothing in the config that was wrong, none the less, I thought I’d compare with the same port on the other leaf.

apic1# show run leaf 101 interface ethernet 1/16
# Command: show running-config leaf 101 interface ethernet 1/16
# Time: Wed Mar  1 04:18:02 2017
  leaf 101
    interface ethernet 1/16
      # Policy-group configured from leaf-profile ['T5:L101-LeafProf'], leaf-interface-profile T5:L101-IntProf
      # policy-group T5:1G.CDP.LLDP-APPG
      switchport access vlan 2050 tenant Tenant5 application 2Tier-AP epg AppServer-EPG
      exit
    exit

Now this looks much like I expect. And at this stage, this is the only indication that the configuration on 102/1/16 is not quite “normal”. So what I tried next was to see if I could remove the “extra” lines of config on leaf 101. Since there is no default interface command in ACI-NX-OS, I tried manually removing the cdp, lldp etc config:

apic1(config)# leaf 102
apic1(config-leaf)# default ?
apic1(config-leaf)# default inter
Command entered is not APIC NX-OS style CLI.Trying shell command…

apic1(config-leaf)# interface ethernet 1/16
apic1(config-leaf-if)# shut
apic1(config-leaf-if)# no lldp receive
apic1(config-leaf-if)# no lldp transmit
apic1(config-leaf-if)# no cdp  enable
apic1(config-leaf-if)# no vlan-domain member T5:MappedVLANs-PhysDom type phys
apic1(config-leaf-if)# no speed 1G
apic1(config-leaf-if)# no negotiate auto
apic1(config-leaf-if)# no link debounce time 100
apic1(config-leaf-if)# no shutdown

Better see if that worked!

apic1(config-leaf-if)# show run leaf 102 interface ethernet 1/16
# Command: show running-config leaf 102 interface ethernet 1/16
# Time: Wed Mar  1 04:28:16 2017
  leaf 102
    interface ethernet 1/16
      no lldp receive
      no lldp transmit
      no cdp enable
      speed auto
      no negotiate auto
      link debounce time 100
      exit
    exit

Clearly that didn’t work as intended. And by now I’d removed the interface selector for interface 1/16 from the interface profile for Leaf 102 as well, so there should have been no association with any lldp, cdp etc – except for one thing – I’d forgotten that when you do anything in the CLI, it automatically starts creating pesky objects with names beginning with __ui and I could see these in the GUI – but I knew how to get rid of those thanks to this post.

Note:RedPoint Unless Daniel has updated his blog, you will see that one command I used was different to the one in the link above: Daniel’s blog says to use a moconfig delete command, when in fact it should be moconfig commit

And that’s what I did!

apic1# for i in `find *__ui*`
for> do
for> echo "removing $i"
for> modelete $i
for> done
removing attentp-__ui_l102_eth1--16
This command is being deprecated on APIC controller, please use NXOS-style equivalent command
removing attentp-__ui_l102_eth1--16/mo
This command is being deprecated on APIC controller, please use NXOS-style equivalent command
...<snip>....

apic1# moconfig commit
This command is being deprecated on APIC controller, please use NXOS-style equivalent command
Committing mo 'uni/infra/lldpIfP-__ui_l102_eth1--16'
Committing mo 'uni/infra/hintfpol-__ui_l102_eth1--16'
Committing mo 'uni/infra/cdpIfP-__ui_l102_eth1--16'
Committing mo 'uni/infra/attentp-__ui_l102_eth1--16'

All mos committed successfully.

Re-checking the CLI config showed:

apic1(config-leaf-if)# show run leaf 102 interface ethernet 1/16
# Command: show running-config leaf 102 interface ethernet 1/16
# Time: Wed Mar 1 04:42:46 2017
 leaf 102
 interface ethernet 1/16
 exit
 exit

Brilliant! It certainly looks “correct” although I have no idea why this config should be any more “correct” than what I saw earlier, except…
… when I re-created the Interface Selector for access port 1/16 on leaf 102, and reassigned the same interface to the EPG in the tenant config (in other words restored the previous config) – all errors disappeared and the config worked!

Now it could have been that running the script to remove the pesky __ui items actually removed some other junk that was causing a problem, but whatever caused the error is a mystery!

One of the strangest mysteries I have encountered in the ACI lab so far.

RedNectar

Advertisements

About RedNectar Chris Welsh

Professional IT Instructor. All things TCP/IP, Cisco or VoIP
This entry was posted in Access Policies, ACI, ACI configuration, APIC, Data Center, Data Centre and tagged , , , , , , . Bookmark the permalink.