Configuring Cisco ACI Observer jobs
You use the Cisco ACI Observer when you have a Cisco ACI environment with Cisco Application Policy Infrastructure Controller (APIC) in your environment. The Observer interfaces with Cisco APIC and makes active REST calls to Cisco APIC in the Cisco ACI environment.
Before you begin
Important: The Cisco ACI Observer supports the on-premises Cisco ACI version 4.1.
Ensure you have the Cisco ACI service details to hand, such as the Cisco APIC username, Cisco APIC password, Cisco APIC SSL truststore and Cisco APIC URL.
Enabling access to the URL routes
To access the URL routes for the topology Swagger documentation, see the Enabling access to URL routes topic.
Optional: Install and configure a proxy
The Cisco ACI Observer can (optionally) connect to Cisco ACI through a proxy. See the Proxy Host and Proxy Port parameters listed in the table. A proxy can be used to create a tunnel to the target system.
Example: Squid proxy
-
Install the squid proxy:
sudo yum install squid -
Edit the /etc/squid/squid.conf file to add ACL for the source and target system. Example of a line added:
acl localnet src 1.2.3.0/19 # ASM Host -
Initialize the squid directories:
sudo squid -z -
Configure the squid proxy for auto-start:
sudo systemctl start squid sudo systemctl enable squid
For more information about the squid proxy, see http://www.squid-cache.org.
About this task
A Cisco ACI Observer job extracts Cisco ACI resources from Cisco APIC through REST, and then the observer loads and updates the resources and their relationships within the topology view.
You define and start the following jobs.
Restapi Load job
A transient (one-off) job that loads all requested topology data using Cisco APIC REST APIs to build a tenant logical construct topology or a fabric topology, and then exits.
A 'restapi' job loads initial topology data, and can resynchronize topology data from Cisco ACI when required.
You assign 'restapi' as the job type for /jobs/restapi observer endpoint.
By default, Load jobs are one-off, transient jobs that do a full upload of all requested topology data as soon as they are triggered.
You can also run these jobs (again) from the Observer UI, or schedule them to run at set times when configuring them.
WebSocket Listen job
A long-running job that listens for notifications from Cisco APIC to build the topology and runs until it is explicitly stopped, or until the observer is stopped.
A 'websocket' job monitors changes from Cisco APIC object notification and updates the topology.
You always run a 'websocket' job after running a 'restapi' job type.
You assign 'websocket' as the job type for /jobs/websocket observer endpoint.
Cisco ACI objects and relationships loaded
The Cisco ACI Observer loads the following Cisco ACI objects and their relationships into the topology service:
Tenant Logical construct
- fvTenant
- fvAp - A policy owner in the virtual fabric
- fvAEPg - A set of requirements for the application-level EPG instance
- fvAEpP - Abstract representation of an endpoint profile
- fvEpP - An endpoint profile
- fvBD - A bridge domain is a unique layer 2 forwarding domain that contains one or more subnets
- fvCtx - The private layer 3 network context that belongs to a specific tenant or is shared
- vzBrCP - A contract is a logical container for the subjects, which relate to the filters that govern the rules for communication between endpoint groups (EPGs)
- vzOOBBrCP - An out-of-band binary contract profile can only be provided by an out-of-band endpoint group and can only be used by the external prefix set
- vzSubj - A subject is a subapplication running behind an endpoint group (for example, an Exchange server). A subject is parented by the contract, which can encapsulate multiple subjects
- vzFilter - A filter policy is a group of resolvable filter entries
- fvSubnet - A subnet defines the IP address range that can be used within the bridge domain
- fvRsCons -The Consumer contract profile information and on Cisco ACI console the option to create this object is through Consumed Contract. Used to build relationship between fvAEPg and vzBrCP
- fvRsBd - A source relation to the bridge domain associated to this endpoint group. Used to build relationship between fvBD and fvAEPg
- fvRsCtx - A source relation to a private layer 3 network context that either belongs to a specific tenant or is shared. Used to build relationship between fvBD and fvCtx
- vzRsSubjFiltAtt - The filter for the subject of a service contract. Used to build relationship between vzSubj and vzFilter
Fabric Topology
- fabricInst - A container object for fabric policies
- fabricNode - The root node for the APIC
- polUni - Represents policy definition or resolution universe
- firmwareRunning - Information about leaf or spine switch firmware running on a node
- firmwareCtrlrRunning - Information about each controller firmware that is running
- eqptLCSlot - The slot for the module card
- eqptLC - A line card (IO card) contains IO ports
- eqptPsuSlot - The power supply slot
- eqptPsu - The power supply unit
- eqptFtSlot - A fan tray slot
- eqptFan - The fan in a fan tray
- topSystem - Used to retrieve fabric node Operational State
- cnwPhysIf - The physical interface that is assigned to the node cluster
- l1PhysIf - The object that represents the Layer 1 physical Ethernet interface information object
- mgmtMgmtIf - The management interface
- lldpAdjEp - The LLDP neighbors, which contains the information regarding the neighbors
- eqptRsIoPhysConf - A source relation to an L1 Ethernet interface. Used to build relationship between l1PhysIf and eqptLC
- mgmtRsOoBStNode - An object that contains management ip address of fabric spine switches and fabric leaf switches
Procedure
Define or edit the following parameters, then click Run job to save and run the job.
Encryption requirement: For more information, see the Configuring observer jobs security topic.
| Parameter | Action | Details |
|---|---|---|
| Unique ID | Enter a unique name for the job | Required |
| Tenant name | Use this to identify the tenant | Required. Set to admin if no specific tenant is referenced. Set to '' to load Fabric Topology resources. |
| Cisco APIC endpoint | Specify the API URL of the Cisco APIC endpoint | Required. Usually in the following format: https://[hostname or IP address]/api |
| Cisco APIC username | Specify the username to connect as, or listen to | Required |
| Cisco APIC password | Enter the password for Cisco APIC authentication | Required |
| HTTPS truststore file name | Specify the truststore file name | Required |
| HTTPS truststore file password | Specify the truststore password to decrypt the HTTPS truststore file | Required |
| Cisco APIC certificate | Specify a certificate by name to load into the truststore | Required. |
| Read timeout | Specify the read timeout in ms (default is 2000) | Optional |
| SSL Validation | Choose whether SSL validation is on or off. Turning SSL validation off will use HTTPS without host verification. | Optional |
| Connection timeout | Specify the connection timeout in ms (default is 5000) | Optional |
| Proxy Host | Specify the proxy host through which to connect | Optional |
| Proxy Port | Specify the proxy port, defaults to 8080 | Optional |
| Trust all certificates by bypassing certificate verification | Set to true to allow connection to target environment without verification. | Optional. The default is 'false'. |
| Access Scope | Optional CSV String listing values which can be used to provide a scope for the resources. These can be used to aid the mapping of alerts to resources when resources in different scopes share the same matchTokens. Example of scope include locations, project names and namespaces. | Optional |
| Generate debug support file | Set this parameter to 'True' in order to capture the output of the next scheduled job run as a file. This file will be stored with an observer's log files and can be used to debug observer issues, for example at the request of your designated Support team, or while using a test environment. For one-off jobs (that is, Load jobs), this parameter reverts to 'False' after the next completed run. To examine the output produced, you can load the generated debug file using the File Observer. | Optional |
| Job schedule | Specify when the job runs | Optional. Load jobs only. |
| Observer job description | Enter additional information to describe the job | Optional |