Cisco ACI - Access Policies - Part1

Do you have a brand new Cisco ACI Fabric and don’t know where to start? Read this blog post and take action! 😉


You must have a Cisco ACI Fabric up and running. If you don’t have one, here are some posts that could be useful for you:

Cisco ACI sandbox

If you don’t have a Cisco ACI fabric, you can use the public sandbox to do some of the following tasks. Here are the login details:

Before changing something, consider that this is a lab environment used by thousands of engineers 😉 so be respectful and careful.

Out Of Band and InBand IP addresses

After the discovery phase (completed in the previous blog posts), you will probably want to add an IP address to each fabric device in order to check fabric details, switch information and more. To do that, you must configure one or more IP addresses on your devices:

  • OOB: The Out-Of-Band IP address will be configured on the mgmt0 interface of the devices (usually the physical interface near the console port). This interface should be attached to your Out-Of-Band network infrastructure
  • InBand: The InBand IP address will be configured in a separate VRF called “inb” (created by the system during the bootstrap, inside the “mgmt” tenant)

Configuration Path:
Tenants -> mgmt -> Node Management Addresses -> Static Node Management Addresses

Right click on “Static Node Management Addresses” and create it:

The system will ask you for the node range. Here you should add the Leaf/Spine range whose IP addresses you want to configure sequentially:


  • Node range: 111-124
  • Config: Check OOB and/or In-Band addresses

Fill in the fields with your values and check the result:

As you can see, the APIC will assign an IP address to all the devices in the range, starting from the lowest Node ID.

vPC Configuration

First, let’s check the vPC status on both leaves. Access the CLI of the leaves through the OOB IP addresses that you configured in the previous task:

As you can see, the vPC is not configured! Let’s configure it: move to the APIC GUI. Configuration Path:
Fabric -> Access Policies -> Policies -> Switch -> Virtual Port Channel default

Now that you are here, click on “+” in order to create a new vPC Pair:

Here you have to fill some information in the relative fields:

  • Name: The name of the policy. Here is my standard: “Leaves-ID1-ID2_vPCDom” –> i.e. “Leaves-161-162_vPCDom”
  • ID: The vPC Domain ID. Usually I use the lowest node ID of the two peers: for Leaf 161 and Leaf 162, the ID will be 161
  • VPC Domain Policy: Leave the default one
  • Switch 1: Select the ID of the Peer1
  • Switch 2: Select the ID of the Peer2

Here is an example:

Check the vPC status on Leaf 161 and Leaf 162:

Perfect, you’ve successfully configured a vPC Domain!
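The GUI steps above map onto a single object in the APIC policy model. The following is an added example of mine (not code from the original post or from Cisco) that builds that object from a pair of node IDs using the naming and ID convention described above, and validates a whole list of pairs before anything is pushed. Assumptions: the class and attribute names (fabricExplicitGEp, fabricNodePEp, fabricRsVpcInstPol, the uni/fabric/protpol/expgep- path) are the APIC object model names as I know them, so confirm them in your fabric’s API Inspector; the node ID limits 101-4000 are the range the APIC accepts for switches.

```python
import json

# Switch node ID range accepted by the APIC (used here for validation only).
NODE_ID_MIN, NODE_ID_MAX = 101, 4000


def vpc_domain_name(peer1, peer2):
    """Post's convention: 'Leaves-ID1-ID2_vPCDom', lowest node ID first."""
    lo, hi = sorted((peer1, peer2))
    return f"Leaves-{lo}-{hi}_vPCDom"


def build_vpc_domain(peer1, peer2, vpc_policy="default"):
    """Return the JSON object the GUI creates under 'Virtual Port Channel
    default' when you add a pair: a fabricExplicitGEp (explicit vPC protection
    group) with one fabricNodePEp per peer and the vPC domain policy relation.
    Assumption: class/attribute names follow the APIC object model as I know
    it; confirm them in the API Inspector before posting to a fabric.
    """
    if peer1 == peer2:
        raise ValueError("a vPC domain needs two different leaves")
    for peer in (peer1, peer2):
        if not NODE_ID_MIN <= peer <= NODE_ID_MAX:
            raise ValueError(f"node ID {peer} is outside {NODE_ID_MIN}-{NODE_ID_MAX}")
    lo, hi = sorted((peer1, peer2))
    name = vpc_domain_name(lo, hi)
    return {
        "fabricExplicitGEp": {
            "attributes": {
                "dn": f"uni/fabric/protpol/expgep-{name}",
                "name": name,
                "id": str(lo),  # post's rule: domain ID = lowest peer node ID
            },
            "children": [
                {"fabricNodePEp": {"attributes": {"id": str(lo)}}},
                {"fabricNodePEp": {"attributes": {"id": str(hi)}}},
                {"fabricRsVpcInstPol": {"attributes": {"tnVpcInstPolName": vpc_policy}}},
            ],
        }
    }


def check_vpc_domains(pairs):
    """Validate a list of (peer1, peer2) tuples before pushing anything:
    a leaf may belong to only one domain and domain IDs must be unique.
    Returns a list of problem descriptions (empty when the plan is clean)."""
    leaf_owner, id_owner, problems = {}, {}, []
    for p1, p2 in pairs:
        attrs = build_vpc_domain(p1, p2)["fabricExplicitGEp"]["attributes"]
        for leaf in (p1, p2):
            if leaf in leaf_owner:
                problems.append(f"leaf {leaf} is in both {leaf_owner[leaf]} and {attrs['name']}")
            leaf_owner[leaf] = attrs["name"]
        if attrs["id"] in id_owner:
            problems.append(f"vPC ID {attrs['id']} is used by both {id_owner[attrs['id']]} and {attrs['name']}")
        id_owner[attrs["id"]] = attrs["name"]
    return problems


if __name__ == "__main__":
    # Constructed sample: three of the post's leaf pairs.
    pairs = [(161, 162), (111, 112), (113, 114)]
    print(check_vpc_domains(pairs) or "no conflicts")
    print(json.dumps(build_vpc_domain(161, 162), indent=2))
```

The check catches the two mistakes that are easy to make when you scale this to many pairs by hand: a leaf listed in two domains, and two domains sharing an ID. Both would be rejected (or, worse, silently merged) only after you have already started clicking through the GUI.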

Leaf Interfaces Profile

An interface profile is a policy that contains a port selector. The port selector is used to specify a particular port number. (Note that you are not yet specifying which leaf node you want to apply the policy to; that happens in the next step.)
Create a Leaf Interface Profile. Configuration Path:
Fabric -> Access Policies -> Interfaces -> Leaf Interfaces -> Profiles

From here, right click on “Profiles” and then create it. Here you only need to fill in the “Name” field; you can ignore the other fields. Here is my logic:

  • Interface Profile for a Single Leaf (vPC Peer1): Leaf-161_IntProf
  • Interface Profile for a Single Leaf (vPC Peer2): Leaf-162_IntProf
  • Interface Profile for a vPC Domain: Leaf-161-162_IntProf


Leaf Switches Policy Group

Create a Leaf Switch Policy Group, which includes all the Policies related to all the Leaves.
Configuration Path:
Fabric -> Access Policies -> Switches -> Leaf Switches -> Policy Groups

From here, right click on “Policy Groups” and then create it:


Name: AllLeaves_PolGrp

If you want to add specific policies for all the Leaves, you can configure them here. In our scenario, we won’t change the default configuration.

Leaf Switches Profile

Create a Leaf Switch Profile, which allows you to select the switches where the configuration will be pushed and to associate them with a Leaf Interface Profile.
Configuration Path:
Fabric -> Access Policies -> Switches -> Leaf Switches -> Profiles

From here, right click on “Profiles” and then create it. Here are the configuration details:


Step 1: Profile - Name:

  • Switch Profile for a Single Leaf (vPC Peer1): Leaf-161_LeafProf
  • Switch Profile for a Single Leaf (vPC Peer2): Leaf-162_LeafProf
  • Switch Profile for a vPC Domain: Leaf-161-162_LeafProf

Step 1: Leaf Selectors Name:

  • Switch Selector for a Single Leaf (vPC Peer1): Leaf-161_SwSel
  • Switch Selector for a Single Leaf (vPC Peer2): Leaf-162_SwSel
  • Switch Selector for a vPC Domain: Leaf-161-162_SwSel

Step 1: Leaf Selectors Blocks:

  • Switch Blocks for a Single Leaf (vPC Peer1): 161
  • Switch Blocks for a Single Leaf (vPC Peer2): 162
  • Switch Blocks for a vPC Domain: 161-162

Step 1: Leaf Policy Group:

  • Leaf Policy Group for all the scenarios: AllLeaves_PolGrp


Step 2: Interface Selector Profiles:

  • Interface Profile for a Single Leaf (vPC Peer1): Leaf-161_IntProf
  • Interface Profile for a Single Leaf (vPC Peer2): Leaf-162_IntProf
  • Interface Profile for a vPC Domain: Leaf-161-162_IntProf


Final Result:


Perfect! Now scale to all the necessary Nodes 😊

Small recap

Here are two tables to map and document all the previous data:

vPC Domains:

vPC_Domain_Name         vPC_ID  vPC_Switch1_ID  vPC_Switch2_ID
Leaves-101-102_vPCDom   101     101             102
Leaves-111-112_vPCDom   111     111             112
Leaves-113-114_vPCDom   113     113             114
Leaves-115-116_vPCDom   115     115             116
Leaves-117-118_vPCDom   117     117             118
Leaves-119-120_vPCDom   119     119             120
Leaves-121-122_vPCDom   121     121             122
Leaves-123-124_vPCDom   123     123             124
Leaves-161-162_vPCDom   161     161             162

Leaf Profiles:

Leaf_Interface_Profile  Leaf_Switch_Profile     Leaf_Switch_Selector    Leaf_Selector_Blocks
Leaf-101_IntProf        Leaf-101_LeafProf       Leaf-101_SwSel          101
Leaf-102_IntProf        Leaf-102_LeafProf       Leaf-102_SwSel          102
Leaf-101-102_IntProf    Leaf-101-102_LeafProf   Leaf-101-102_SwSel      101-102
Leaf-111_IntProf        Leaf-111_LeafProf       Leaf-111_SwSel          111
Leaf-112_IntProf        Leaf-112_LeafProf       Leaf-112_SwSel          112
Leaf-111-112_IntProf    Leaf-111-112_LeafProf   Leaf-111-112_SwSel      111-112
Leaf-113_IntProf        Leaf-113_LeafProf       Leaf-113_SwSel          113
Leaf-114_IntProf        Leaf-114_LeafProf       Leaf-114_SwSel          114
Leaf-113-114_IntProf    Leaf-113-114_LeafProf   Leaf-113-114_SwSel      113-114
Leaf-115_IntProf        Leaf-115_LeafProf       Leaf-115_SwSel          115
Leaf-116_IntProf        Leaf-116_LeafProf       Leaf-116_SwSel          116
Leaf-115-116_IntProf    Leaf-115-116_LeafProf   Leaf-115-116_SwSel      115-116
Leaf-117_IntProf        Leaf-117_LeafProf       Leaf-117_SwSel          117
Leaf-118_IntProf        Leaf-118_LeafProf       Leaf-118_SwSel          118
Leaf-117-118_IntProf    Leaf-117-118_LeafProf   Leaf-117-118_SwSel      117-118
Leaf-119_IntProf        Leaf-119_LeafProf       Leaf-119_SwSel          119
Leaf-120_IntProf        Leaf-120_LeafProf       Leaf-120_SwSel          120
Leaf-119-120_IntProf    Leaf-119-120_LeafProf   Leaf-119-120_SwSel      119-120
Leaf-121_IntProf        Leaf-121_LeafProf       Leaf-121_SwSel          121
Leaf-122_IntProf        Leaf-122_LeafProf       Leaf-122_SwSel          122
Leaf-121-122_IntProf    Leaf-121-122_LeafProf   Leaf-121-122_SwSel      121-122
Leaf-123_IntProf        Leaf-123_LeafProf       Leaf-123_SwSel          123
Leaf-124_IntProf        Leaf-124_LeafProf       Leaf-124_SwSel          124
Leaf-123-124_IntProf    Leaf-123-124_LeafProf   Leaf-123-124_SwSel      123-124
Leaf-161_IntProf        Leaf-161_LeafProf       Leaf-161_SwSel          161
Leaf-162_IntProf        Leaf-162_LeafProf       Leaf-162_SwSel          162
Leaf-161-162_IntProf    Leaf-161-162_LeafProf   Leaf-161-162_SwSel      161-162
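The Leaf Interface Profile, Leaf Switch Policy Group and Leaf Switch Profile sections, together with the recap table just above, all follow one naming convention, so they can be generated rather than typed. The block below is an added example of mine (not code from the original post, the linked repository or Cisco): from a list of vPC pairs it produces the rows of the “Leaf Profiles” table, and for any single leaf or pair it assembles the Leaf Switch Profile of Step 1 and Step 2 as the one object the GUI wizard creates (selector, node blocks, policy group relation and interface profile relation). It goes slightly beyond the post by also handling non-contiguous node IDs with one node block per run. Assumptions: the class and attribute names (infraNodeP, infraLeafS, infraNodeBlk, infraRsAccNodePGrp, infraRsAccPortP and the uni/infra/… paths) are the APIC object model names as I know them, so verify them in your fabric’s API Inspector before posting; the block names blk<from>-<to> are my own choice.

```python
import json

POLICY_GROUP = "AllLeaves_PolGrp"  # the post's single Leaf Switch Policy Group


def contiguous_runs(ids):
    """Group node IDs into (from, to) runs: [161, 162] -> [(161, 162)],
    [161, 163] -> [(161, 161), (163, 163)]. One infraNodeBlk per run."""
    ids = sorted(set(ids))
    runs, start, prev = [], ids[0], ids[0]
    for node in ids[1:]:
        if node != prev + 1:
            runs.append((start, prev))
            start = node
        prev = node
    runs.append((start, prev))
    return runs


def leaf_names(ids):
    """Apply the post's naming convention to one leaf or a leaf pair."""
    ids = sorted(set(ids))
    if not ids:
        raise ValueError("at least one node ID is required")
    label = "-".join(str(i) for i in ids)
    blocks = ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in contiguous_runs(ids))
    return {
        "Leaf_Interface_Profile": f"Leaf-{label}_IntProf",
        "Leaf_Switch_Profile": f"Leaf-{label}_LeafProf",
        "Leaf_Switch_Selector": f"Leaf-{label}_SwSel",
        "Leaf_Selector_Blocks": blocks,
    }


def build_leaf_switch_profile(ids, policy_group=POLICY_GROUP):
    """Assemble the Leaf Switch Profile (Step 1 + Step 2) as one infraNodeP:
    the selector (infraLeafS) with its node blocks and policy-group relation,
    plus the relation to the Leaf Interface Profile (infraRsAccPortP).
    Assumption: class/attribute names follow the APIC object model; verify
    them in the API Inspector before posting to a fabric."""
    names = leaf_names(ids)
    blocks = [
        {"infraNodeBlk": {"attributes": {"name": f"blk{lo}-{hi}", "from_": str(lo), "to_": str(hi)}}}
        for lo, hi in contiguous_runs(ids)
    ]
    return {
        "infraNodeP": {
            "attributes": {
                "dn": f"uni/infra/nprof-{names['Leaf_Switch_Profile']}",
                "name": names["Leaf_Switch_Profile"],
            },
            "children": [
                {"infraLeafS": {
                    "attributes": {"name": names["Leaf_Switch_Selector"], "type": "range"},
                    "children": blocks + [
                        {"infraRsAccNodePGrp": {"attributes": {
                            "tDn": f"uni/infra/funcprof/accnodepgrp-{policy_group}"}}},
                    ],
                }},
                {"infraRsAccPortP": {"attributes": {
                    "tDn": f"uni/infra/accportprof-{names['Leaf_Interface_Profile']}"}}},
            ],
        }
    }


def recap_rows(pairs):
    """Rows of the 'Leaf Profiles' recap table: Peer1, Peer2, then the pair."""
    rows = []
    for p1, p2 in pairs:
        for ids in ((p1,), (p2,), (p1, p2)):
            rows.append(leaf_names(ids))
    return rows


if __name__ == "__main__":
    # Constructed sample: three of the post's vPC pairs.
    pairs = [(101, 102), (111, 112), (161, 162)]
    for row in recap_rows(pairs):
        print("  ".join(row.values()))
    print(json.dumps(build_leaf_switch_profile([161, 162]), indent=2))
```

Generating the names from one function is also the easiest way to keep the three profile types consistent; the two selector names that were misspelled in the Step 1 list earlier in this post are exactly the kind of drift this avoids.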


Now that you understand the logic, you should start automating these tasks. They are repetitive and annoying if you have to do them for hundreds of leaves! 😉
In this GitHub repository you will find some Ansible Playbooks that help you provision the Access Policies.

For the tasks that we have seen in this blog post, please refer to the following folders:

  • vPC_Domains
  • Leaf_Interface_Profile
  • Leaf_Switch_Profile

Each folder has 5 files:

  • credentials.yml: Put your fabric credentials here (URL, Username and Password)
  • main.yml: This is the code; you don’t need to change it
  • simple.csv: An example showing how to fill in the “data.csv” file, which is the file the Ansible playbook uses to import the information
  • data.csv: This is the file that you should modify with your leaves/spines/fabric information
  • Contains the playbook instructions

So, you should modify only 2 files: data.csv and credentials.yml

Thanks for your time, I hope that you’re enjoying my blog!
If you have any questions, please drop me a message through social networks! 😊
👈 You can find the relative icons here on the left of the page
