ACI Fabric Access Policies are used to configure parameters which relate to access INTO the fabric, (i.e., configuring ports on a Leaf switches for servers, firewalls, network switches, and other devices). In addition, Fabric Access Policies are used to configure other parameters like SPEED, Enabling LLDP or CDP, LACP and more.
I assume that you have configured nothing in your Fabric Access Policies (i.e., no Switch Profiles, no Interface Profiles, no AAEP, no VPC domain).
What are we trying to accomplish?
Scenario 1 – Configuring L3out interfaces
We want to configure (2) interfaces (Leaf201 E1/3 and Leaf202 E1/3) and make them ready to be used with an L3out. For this scenario, we will be using routed interfaces, so this means from an ACI perspective, we will configure Leaf 201/202 E1/3 as access ports.
How will we accomplish this?
The most important thing to remember when configuring Fabric Access Policies, is that each policy has a reference (or pointer) to the next; if you forget to connect your Switch Profile to you Interface Profiles, or if you forget to tie your Interface Policy Group to your AAEP, the configuration will not be pushed correctly to the appropriate switch interface.
- Create Vlan Pools (which will belong to a External Routed Domain – Why External Routed Domain? – This is required for every L3out, even routed ports)
- Create a External Routed Domain (which defines the scope of the resources – in this case, external routers).
- Create an AAEP – This is the “glue” that connects our domains (i.e., Physical, VMM and External routed Domains) and our Vlan Pool to Switches and Switch Interfaces.
- Create a VPC domain for our Leaf Switches (optional)
- Configure Policies (CDP enable, LLDP enable, Speed)
- Configure Policy Group(s) – This is a grouping of policies (LLDP, CDP, AAEP, LACP, etc)
- Select Interfaces (which interfaces will connect from the ACI fabric to the external device?)
- Select Switches (which switches will connect from the ACI fabric to the external device?)
- Creating a Vlan Pool – Go to Fabric > Access Policies > Pools > VLAN
Create a Vlan Pool which will be used by your External Routed Domain. Enter a name for your Vlan pool, select a static allocation mode, and enter the range of Vlans to be allocated to the pool.
2. Create an External Routed Domain – Go to Fabric > Access Policies > Physical and External Domains > External Routed Domains
Create an External Routed Domain to associate with your Vlan Pool. Enter a name for your External Routed Domain, and select your Vlan Pool. Leave the Attachable Access Entity Profile (AAEP) blank.
3. Create an AAEP – Go to Fabric > Access Policies > Global Policies > Attachable Access Entity Profile
This is the “glue” that connects our domains (i.e., Physical, VMM and External routed Domains) and our Vlan Pool to Switches and Switch Interfaces. For the AAEP, we will configure the name of the AAEP, and select the domain to attach to it, in this case, the External Routed Domain.
4. Create VPC Domain (NOTE – This is optional for this scenario, but included as you should always have your VPC domain configured and pair up your leaf switches). Go to Fabric > Access Policies > Switch Policies > Policies > VPC Port Channel default > Create VPC Explicit Protection Group
Provide a name, an ID (unique for each Leaf VPC Pair), select the default VPC Domain policy, and select your two VPC switches.
5. Configure Policies – Go to Fabric > Access Policies > Interface Policies > Policies.
Use the GUI or other methods, such as XML posts, to configure a set of policies that will be used (and re-used) to configure our interfaces. At a minimum, configure Speed, CDP enable, and LLDP enable.
6. Interface Policy Group – Go to Fabric > Access Policies > Interface Policies > Policy Groups > Leaf Policy Groups > Create Access Port Policy Group. A policy group is a grouping of policies (LLDP, CDP, SPEED) that will be used to configure a switch interface or interfaces.
Enter a name for your Access Port Policy Group. For Access Policy groups, you can either RE-USE the Policy group for multiple interfaces, or create a separate Access Policy group for each and every port. Creating a shared Access Policy group will save time, however, it also means that you can impact multiple interfaces if you modify it incorrectly or delete it.
7. Select interfaces – Next, we will select the interfaces to apply the configuration to; in this case Ethernet1/3. Go to Fabric > Access Policies > Interface Policies > Leaf Profiles > Create Leaf Interface Profile.
Name your Interface Profile (NOTE – I recommend naming your Interface Profile after your Leaf switch name, to make linking it with your Switch Profiles easy to remember). Next, select the interface to be used. Finally, select the access policy group that you created in Step 6.
8. Select switches – Finally, we create the Switch Profiles (which will allow us to select our switches where configuration will be pushed) and associate it with our Interface Profiles that we just created. If this seems backwards, please remember, you can technically configure these policies in any order; the important thing is to ensure that all of the policies are connected. To configure your Switch, go to Fabric > Access Policies > Switch Policies > Profiles > Leaf Profiles > Create Leaf Profile. NOTE – It is recommended to name the Switch Leaf Profile after your Leaf switch.
6 thoughts on “Configuring ACI Fabric Access Policies”