Access port on ACI LEAF

cdrowe
Level 1

Is there any easy way to create an access port for a bare-metal server (Linux) on ACI? I need to reconfigure a trunk VPC port, that was connected to a VMware ESXi server, to an access port for a single server. I've found documents that start in the fabric and configure a new AAEP/profiles/policies, similar to what I had to do to create the trunk lines, but came across a thread that says to just use static paths. I created a static path under tenant/application profile/EPG/static ports but it doesn't seem to do anything. Thinking old profiles may be messing me up. Anyone have any documentation on creating static paths from scratch? I'm missing my traditional network as all I needed was two command lines for this task.

Any help or leads would be greatly appreciated.

RedNectar
VIP

Hi @cdrowe ,

Welcome to the forum.

To reconfigure a VPC will require an Access Port Policy Group at least - possibly you can re-use an existing Access Port Policy Group if it is connected to the right AAEP that is connected to the right Physical Domain that is connected to the right VLAN pool.

Or you can create a new Access Port Policy Group and link it to

  • an existing AAEP that is
  • connected to the Physical Domain that is
  • connected to the VLAN Pool that has the VLAN ID(s) of the VLAN you want to use for this single server

You will also have to remove any existing association the physical port has with the VPC Interface Policy group:

  • in ACI v5.2(7g) and later,
    • navigate to Fabric > Access Policies >> Interface Configuration and click the Actions menu in the workspace and choose Configure Interfaces and select your interface, then link it to the Access Port Policy Group mentioned above
      • If the interface is already configured, you'll be informed that you are overriding an existing configuration (i.e. the VPC config)
  • Prior to ACI v5.2(7g) - or anyone who has not yet converted existing configs to the new improved method, you'll have to:
    • navigate to Fabric > Access Policies >> Interfaces > Leaf Interfaces > Profiles and locate the Leaf Profile used for the VPC (good luck if you have multiple Leaf Profiles for the same leaf).  Hopefully there is one leaf profile for both leaves of the VPC 
    • Locate the Access Port Selector  for the VPC within the Leaf Profile and delete it
    • If there is only one leaf in the leaf profile, rinse and repeat for the other leaf
    • now navigate to Fabric > Access Policies >> Interfaces > Leaf Interfaces > Profiles and locate the Leaf Profile you wish to use for the single server
    • Add an Access Port Selector for the relevant interface and make sure you link it to the Access Port Policy Group mentioned above

Then deal with the Tenant/EPG config, which you appear to have already done - but check

  • Did you link the EPG to the correct Physical Domain (the one mentioned above that has the right VLAN)?
  • When you did the static mapping, did you specify an Access Port or Trunk port? (trunk is the default)
  • Validate by navigating to the EPG, and in the work pane, select the [Operational] > [Configured Access Policies] tab and verify that you see the target port in the Path Endpoint column

So there's the short story. Perhaps a little harder than two commands like your old system!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

First of all, thank you so much for taking the time to help me on this. I very much appreciate it. I created a new Access port policy and followed those steps. Verified the physical domain in the EPG. Recreated the static mapping (selected untagged access port). When I check the EPG work pane/Operational/Configured Access Policies I don't see the port there. I know I'm missing something.

Update: Under the EPG history I have a configuration failed due to invalid path configuration. There is no domain, associated with both EPG and Port, that has required vlan. I have verified the physical domain is linked to the EPG.

So now need to figure out what I missed to cause that error. I have checked and double-checked and can't seem to find what I'm missing to cause that invalid path.
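Added example (not part of the original thread, and not Cisco's or any poster's code): the check behind the "no domain, associated with both EPG and Port, that has required vlan" fault, written as a walk of the chain port > policy group > AAEP > domain > VLAN pool against the EPG's domains. The model is a constructed set of dictionaries, not data read from an APIC, and every object name in it is hypothetical.

```python
# Constructed sample model; all names are hypothetical, nothing is read from a real APIC.
ACCESS_POLICIES = {
    "port_to_policy_group": {("leaf-101", "eth1/10"): "APG_BareMetal",
                             ("leaf-101", "eth1/11"): "VPC_ESXi"},   # stale VPC binding
    "policy_group_to_aaep": {"APG_BareMetal": "AAEP_Servers", "VPC_ESXi": "AAEP_ESXi"},
    "aaep_to_domains": {"AAEP_Servers": ["PhysDom_Servers"], "AAEP_ESXi": ["PhysDom_ESXi"]},
    "domain_to_vlan_pool": {"PhysDom_Servers": "Pool_Servers", "PhysDom_ESXi": "Pool_ESXi"},
    "vlan_pool_ranges": {"Pool_Servers": [(100, 199)], "Pool_ESXi": [(200, 299)]},
}
EPG_DOMAINS = {"EPG_Linux": ["PhysDom_Servers"]}


def domains_carrying(vlan, domains, policies):
    """Return the subset of `domains` whose VLAN pool contains `vlan`."""
    carrying = set()
    for dom in domains:
        pool = policies["domain_to_vlan_pool"].get(dom)
        for low, high in policies["vlan_pool_ranges"].get(pool, []):
            if low <= vlan <= high:
                carrying.add(dom)
    return carrying


def validate_static_path(epg, port, vlan, policies, epg_domains):
    """Return (ok, reason) for a static path binding of `epg` to `port` with encap `vlan`."""
    policy_group = policies["port_to_policy_group"].get(port)
    if policy_group is None:
        return False, "port has no interface policy group"
    aaep = policies["policy_group_to_aaep"].get(policy_group)
    if aaep is None:
        return False, f"policy group {policy_group} has no AAEP"
    # A domain must be reachable from the port side AND attached to the EPG.
    port_domains = set(policies["aaep_to_domains"].get(aaep, []))
    shared = port_domains & set(epg_domains.get(epg, []))
    if not shared:
        return False, "no domain is associated with both EPG and port"
    usable = domains_carrying(vlan, shared, policies)
    if not usable:
        return False, f"shared domain(s) {sorted(shared)} lack VLAN {vlan} in their pool"
    return True, f"valid via {sorted(usable)}"


if __name__ == "__main__":
    for port, vlan in [(("leaf-101", "eth1/10"), 150), (("leaf-101", "eth1/10"), 250),
                       (("leaf-101", "eth1/11"), 150)]:
        print(port, vlan, validate_static_path("EPG_Linux", port, vlan,
                                               ACCESS_POLICIES, EPG_DOMAINS))
```

The third case models a port still bound to the old VPC policy group: the EPG's domain is correct, yet the path is invalid because the port side never reaches that domain.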

Hi @cdrowe ,

So now need to figure out what I missed to cause that error.  I have checked and double-checked and can't seem to find what I'm missing to cause that invalid path.  


I once wrote a pretty foolproof method for checking that: https://rednectar.net/2022/08/26/foolproof-validation-of-the-aci-access-policy-chain/

Disclosure: The link above is my blog

RedNectar aka Chris Welsh.

AshSe
Level 3

Hi @cdrowe 

The link shared by @RedNectar above gives you a fair idea of the sequence in which you need to create Fabric > Access Policy. The screenshot below can be used if you want to understand the flow by analogy with the CLI way in legacy switches:

AshSe_1-1720608376517.png

Once Access Policy configuration is done, you need to configure the Logical Setup using:

Tenant > VRF > BD > AP > EPG and then need to do Static Port binding with respect to the Leaf and the correct port on the Leaf to the Server.

HTH

cdrowe
Level 1

Thank you everyone who helped on this.  I followed RedNectar's steps to create the static port.  I couldn't get the straight up access port working but did create a VPC port, trunked it and then had the SysAd add a vlan tag on server interface.
