
8. ACI Access & Fabric Policies

APRIL 8, 2021
ACI Fabric Access Policies are used to configure parameters that relate to access into the fabric (i.e., configuring ports on leaf switches for servers, firewalls, network switches, and other devices). In addition, Fabric Access Policies are used to configure other parameters such as speed, enabling LLDP or CDP, LACP and more.

The most important thing to remember when configuring Fabric Access Policies is that each policy has a reference (or pointer) to the next. If you forget to connect your Switch Profile to your Interface Profiles, or if you forget to tie your Interface Policy Group to your AAEP, the configuration will not be pushed correctly to the appropriate switch interface.

Access Policies Workflow

STEPS
1. Create VLAN Pools.
2. Create Domain (Physical, VMM, etc.)
3. Create an AAEP – This is the “glue” that connects our domains (i.e., Physical, VMM and External Routed Domains) and our VLAN Pool to Switches and Switch Interfaces.
4. Create a vPC domain for our Leaf Switches (optional)
5. Configure Policies (CDP enable, LLDP enable, Speed)
6. Configure Policy Group(s) – This is a grouping of policies (LLDP, CDP, AAEP, LACP, etc.).
7. Select Interfaces (Which interfaces will connect from the ACI fabric to the external device?)
8. Select Switches (Which switches will connect from the ACI fabric to the external device?)

Access Policies

The first step in configuring the integration is setting up the access policies of the ACI fabric for the uplink interfaces of the compute hosts. So what is the purpose of access policies in ACI?

Access Policies in ACI can be explained as the mechanism to define how a port is going to behave. In access policies you define parameters such as speed (1GB, 10GB, 25GB, 40GB, 100GB, etc.), link aggregation protocol, Spanning Tree Protocol, CDP or LLDP, and others.

Under access policies, we also create some constructs that are unique to ACI. These are the AEP (Attachable Entity Profile), VLAN Pools and Domains. These three are very important to understand for the ACI fabric to function.

Access bullet points

• Consist of named selectors and profiles for the:
  ◦ Switches where a device is connected
  ◦ Interface on that switch where the device is connected
  ◦ L1 and L2 configuration for that interface, such as CDP, LLDP, LACP
  ◦ Attachable Access Entity Profile (AAEP) to tie the switch and interface to a set of VLANs and the Domain used to reference the set under the Tenant. Represents a group of external entities with similar infrastructure policy requirements.
  ◦ VLAN Pool to describe the group of possible VLANs the device may use at some point
  ◦ A Domain to tie the VLANs and switch/interface together, and to give the Tenant something to reference and validate that the configuration is correct.

• Domains
  You can think of these as giving the ACI fabric the “how” it needs to attach a device into the fabric. There are four distinct domains in the fabric: Physical Domains, External Bridge Domains, External Routed Domains, and VMM Domains.
  ◦ Physical Domains
    Generally used for bare metal servers without any VMM integration
  ◦ External Bridge Domains
    These are used for Layer 2 external connectivity that is not very popular.
  ◦ External Routed Domains
    These are used for Layer 3 external routed domains and are required for all ACI Layer 3 external connections
  ◦ VMM Domains
    These are built by integration tools and provide a linkage between an external VMM domain and the fabric policies that rule how to connect to them.
• VLAN Pools
  These provide the ACI fabric the knowledge of what VLAN-tagged packets will be arriving on specific ports. VLANs in ACI are used as classifiers to EPGs, and the fabric needs to know what VLAN it is expected to receive on a port. Think of this as switchport trunk allowed vlan [range].
• AEP (Attachable Entity Profile)
  Think of the AEP as the connection between what an interface configuration can do and the role it will take (physical server, VMM port) in the ACI fabric.

ACI does not allow a VLAN to be placed on just any interface; in a multi-tenant environment, a VLAN range is allocated to each tenant. Fabric and Access policies must be configured before the tenant configuration.

Fabric Policies

The following are the Fabric Policies that are most commonly configured:

Profiles
Switch: specify which switches to configure with the call home or power supply redundancy feature
Module: specify which spine switch modules to configure and associate a monitoring policy
Interface: specify which fabric interfaces to configure and associate a monitoring policy
Global policies: specify DNS, fabric MTU default, multicast tree, and global LLDP settings
Pod profiles: specify date and time, SNMP, management access protocols, COOP nodes and type, IS-IS, and BGP route reflector policies
Monitoring and troubleshooting policies: specify what to monitor and how to handle faults and logs.

The following flow is used to configure Fabric policies:

Global policies: include DHCP, QoS, and AAEPs.
Physical and external Layer 2/Layer 3 domains contain the port and VLAN IDs.

The following flow is used to create Access policies:

VLAN Configuration of Ports

VLANs are defined in the VLAN pools and, in the case of multitenancy, each tenant gets its own pool of VLANs reserved to it. For shared interfaces, the VLAN pools should not have overlapping ranges, and such interfaces need special attention: when VLANs on the same interface overlap, the configuration of the first tenant will be successful while that of all the others will not.

Physical domain policies contain a VLAN pool and are then referenced from the physical interface. This VLAN is also used by the endpoint group.
An attachable entity profile (AEP) serves as the glue between the physical interface configuration on one side and the VLAN pool definition on the other. With the complete configuration as presented in the picture, interfaces have a Layer 1 and Layer 2 configuration together with an allowed VLAN range.
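Two of the points above are easy to check before anything is pushed to the APIC: that every access-policy object actually points at the next one in the chain (Switch Profile → Interface Profile → Policy Group → AAEP → Domain → VLAN Pool), and that two VLAN pools reachable through the same AAEP do not overlap on shared interfaces. The following Python model is an added example, not code from the original post or from Cisco; it uses its own generic object kinds rather than APIC class names, collapses the port selector into the interface profile for brevity, and builds a small constructed fabric in which one policy group is missing its AAEP, one switch profile points at a misspelled interface profile, and two tenant pools overlap.

```python
"""Constructed model of the ACI access-policy reference chain (added example).

Kinds mirror the page's workflow: switch profile -> interface profile ->
interface policy group -> AAEP -> domain -> VLAN pool. Each object may
reference one or more objects of the next kind. A missing or dangling
reference is exactly the failure the page warns about: the APIC has
nothing to push to the interface.
"""
from typing import Dict, Iterable, List, Set, Tuple

CHAIN = ["switch_profile", "interface_profile", "policy_group",
         "aaep", "domain", "vlan_pool"]
NEXT = dict(zip(CHAIN, CHAIN[1:]))          # kind -> kind it must point at


class AccessPolicies:
    def __init__(self) -> None:
        # kind -> object name -> names of referenced objects of the next kind
        self.objs: Dict[str, Dict[str, List[str]]] = {k: {} for k in CHAIN}
        # vlan_pool name -> encap blocks as inclusive (start, end) ranges
        self.blocks: Dict[str, List[Tuple[int, int]]] = {}

    def add(self, kind: str, name: str, refs: Iterable[str] = ()) -> None:
        self.objs[kind][name] = list(refs)

    def add_pool(self, name: str, blocks: Iterable[Tuple[int, int]]) -> None:
        self.add("vlan_pool", name)
        self.blocks[name] = list(blocks)

    def broken_links(self) -> List[str]:
        """Every object whose pointer to the next kind is absent or dangling."""
        problems = []
        for kind, nxt in NEXT.items():
            for name, refs in self.objs[kind].items():
                if not refs:
                    problems.append(f"{kind} '{name}' has no {nxt}")
                for ref in refs:
                    if ref not in self.objs[nxt]:
                        problems.append(
                            f"{kind} '{name}' -> {nxt} '{ref}' does not exist")
        return problems

    def reachable(self, kind: str, name: str, target: str) -> Set[str]:
        """Names of `target` kind reached from (kind, name) by following references."""
        frontier = {name}
        while kind != target:
            nxt = NEXT[kind]
            frontier = {r for n in frontier
                        for r in self.objs[kind].get(n, []) if r in self.objs[nxt]}
            kind = nxt
        return frontier

    def allowed_vlans(self, switch_profile: str) -> Set[int]:
        """VLANs the fabric will accept under this switch profile: the page's
        'switchport trunk allowed vlan [range]' analogy, derived from the chain."""
        vlans: Set[int] = set()
        for pool in self.reachable("switch_profile", switch_profile, "vlan_pool"):
            for start, end in self.blocks[pool]:
                vlans.update(range(start, end + 1))
        return vlans

    def overlapping_pools(self) -> List[Tuple[str, str, str, int]]:
        """(aaep, pool_a, pool_b, first_shared_vlan) for every pair of pools reachable
        from one AAEP whose ranges overlap; on shared interfaces only the first
        tenant's configuration would succeed."""
        hits = []
        for aaep in self.objs["aaep"]:
            pools = sorted(self.reachable("aaep", aaep, "vlan_pool"))
            for i, a in enumerate(pools):
                for b in pools[i + 1:]:
                    for sa, ea in self.blocks[a]:
                        for sb, eb in self.blocks[b]:
                            lo, hi = max(sa, sb), min(ea, eb)
                            if lo <= hi:
                                hits.append((aaep, a, b, lo))
        return hits


def build_example() -> AccessPolicies:
    """Constructed fabric (hypothetical names): tenant A's chain is complete,
    tenant B's pool overlaps A's behind the shared AAEP, the firewall policy
    group was never tied to an AAEP, and leaf102's switch profile has a typo."""
    ap = AccessPolicies()
    ap.add_pool("pool-tenantA", [(100, 199)])
    ap.add_pool("pool-tenantB", [(150, 250)])
    ap.add("domain", "phys-tenantA", ["pool-tenantA"])
    ap.add("domain", "phys-tenantB", ["pool-tenantB"])
    ap.add("aaep", "aaep-compute", ["phys-tenantA", "phys-tenantB"])
    ap.add("policy_group", "pg-esxi-lacp", ["aaep-compute"])
    ap.add("policy_group", "pg-firewall", [])                 # step 6 skipped
    ap.add("interface_profile", "ifp-leaf101", ["pg-esxi-lacp", "pg-firewall"])
    ap.add("switch_profile", "swp-leaf101", ["ifp-leaf101"])
    ap.add("switch_profile", "swp-leaf102", ["ifp-leaf102"])  # dangling pointer
    return ap


if __name__ == "__main__":
    fabric = build_example()
    for problem in fabric.broken_links():
        print("BROKEN:", problem)
    print("leaf101 allowed VLANs:", min(fabric.allowed_vlans("swp-leaf101")),
          "-", max(fabric.allowed_vlans("swp-leaf101")))
    for hit in fabric.overlapping_pools():
        print("OVERLAP:", hit)
```

Running the script lists the two broken links (the policy group with no AAEP and the switch profile pointing at a profile that does not exist), shows that leaf101 ends up accepting VLANs 100 through 250 through the shared AAEP, and flags VLAN 150 as the first VLAN both tenant pools claim. The same walk can be driven from a real APIC export once the object classes are mapped onto these kinds.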

Explained Step by Step

Access Policies

• Define Endpoint Connectivity
• Separate Logical vs. Physical Policies
• Policies are reusable
• Profiles describe something

Pools

• Range of VLANs that can potentially be used by a Tenant/EPG.
• Tied to a Domain and AAEP; only interfaces on that AAEP can use this range of VLANs.

Domains

• Bind Resource Pools & AAEPs together.
• Connection from Access Policies to Tenant Policies, specifically EPGs.
• Define the type of device connected to the fabric.

Interface Policies

• Profiles group one or more Access Port Selectors together and act as the binding policy to specific switches.
• Access Port Selectors define an individual interface or a range of interfaces.
• Policies define the lowest-level configuration properties (CDP, Speed/Duplex, MACsec).

AAEP – Attachable Access Entity Profiles

• Connect VLAN Policies with Physical Interfaces
• Define “where” devices are connected and tie them to one or more domains.

Switch Policies

• Configuration of switches in the fabric.
• Define vPC domains.
• Switch Profiles are binding points for Interface Profiles.
