ACI is different. I know, this may come as a shock to any CCIE or Network Engineer who may have wondered into the APIC GUI to configure an interface, only to be met with terms like, “Physical Domain”, or “AAEP”. But, it is different, and different, I would argue, for more good than bad.
And, after working for ACI for almost 4 years, there are two things of which I am certain:
- There is purpose it’s design (the object model design)
- It can be very confusing to folks new to ACI, even seasoned CCIEs
For Point #1 – I’ll say this in defense of the Object Model; the ACI Object Model was designed with automation and orchestration in mind; the infinite flexibility you see today allows ACI Fabrics to be used from anything from a Network-Centric Datacenter fabric used primarily by Network Engineers, to a fully automated private Cloud, automated and configured by Openstack. Same Fabric, Same Switches, Same Object Model, but two vastly different purposes.
For Point #2 – It is confusing. Especially to new folks who aren’t used to the GUI. I acknowledge wholeheartedly that it can frustrating, at times, to understand the Object Model, and the GUI. From experience, this is overcome by repetition of configuration and building muscle memory, and by leaning on those who have gone before us and understand it better than we do 😉
With this post, I hope to de-mystify the infamous Fabric Access Policy section for CCIEs, Network Engineers, and anyone new to ACI.
The picture below gives a graphical “configuration” of a VPC, and the ACI Policy objects you would touch to bring the VPC to life.
- Switch Profiles allow us to select an ACI Fabric Node (i.e., a Leaf switch).
- Interface Profiles are a folder for Access Port Selectors. For example, if I had a Leaf Interface Profile called “Leaf201_IntProf”, the child objects of the interface profile would be 48 Access Port Selectors (i.e., Eth1_1 through Eth1_48).
- The aforementioned Access Port Selector allows us to select an Interface.
- The Policy Group is a collection of configuration to be applied to an interface or range of interfaces. Configuration parameters such as:
- speed, lacp mode
- Policy Groups come in three flavors; Access Port, Port-Channel, or VPC. In the example below, we have chosen VPC.
- The Infamous AAEP, or Attachable Access Entity Profile. This is the most misunderstood object in ACI. To keep things simple, the AAEP is the “glue” that binds Switches and Interfaces at the top, with Vlans on the bottom.
- The AAEP is analogous to the switchport trunk allowed command.
- The Domain (either Physical, External L3, or Dynamic) + the Vlan Pool act as the L2 Vlan database.
Finally, an important reminder; When working in the Fabric > Access Section of the GUI to configure your Switch Interfaces to allow Vlans to go across, there is a linkage of objects that must be maintained. Failure to do so will result in the Vlan not being available in your User Tenant. Use the diagram below as a reference of the most important Fabric Access Objects.
One thought on “ACI Fabric Access Policies for CCIEs”
I have always related the AAEP/Domain/Vlan pool to be more representative of just configuring the vlan globally on a switch and then dropping into the EPG to be more synonymous with the action of “switchport trunk allowed vlan xyz”. Also, people who have configured HP switches in the past typically grasp my explanation of “dropping a port into the EPG” better than Cisco folks do due to the nature of how you configure vlans on those devices and add the port to the vlan.
Regardless, I do think the methodology of “translating” knowledge for network engineers is the most useful way to initially grasp operating ACI. Once you have a handle on basic operations, I would suggest only then suggest the candidate going to a training course.