cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2315
Views
40
Helpful
8
Replies

ACI apply MACSEC policy to interface

Gents

not a big issue but during live verification of subject how-to i've found that there is lack of its documentation, or i miss something just in front of me :0)

long story short, according to only document i've found in Inet one applies created "MACSEC interface policy" either to a Fabric Leaf |Spine Port Policy Group or to a Pod Policy Group via Fabric>Fabric Policies>Interfaces><Leaf|Spine> Interfaces>Policy Groups or Fabric>Fabric Policies>Pods>Policy Group correspondingly.

Cisco APIC Layer 2 Networking Configuration Guide, Release 6.0(x) - MACsec [Cisco Application Policy Infrastructure Controller (APIC)] - Cisco

But in my case those sections are empty & MACSEC interface policy is applied via Fabric>Inventory>Pod>Spine>Interface>Physical Interfaces><Port> Operational workpane by popping up Policy Group dialbox by clicking on uni/infra/funcprof/spaccportgrp-<IPG> where MACsec Policy drop-box can be found.

is it just another configuration approach i was not able to find how-to in ACI documentation?

2 Accepted Solutions

Accepted Solutions

Ah I see. You are looking in the "Fabric Policies" tab, when instead you should search for the spine interface policies in "Access Policies" tab.

Fabric -> Access Policies -> Interfaces -> Spine Interfaces -> Policy groups

The "Fabric Policies" you configure the fabric links (the one between Leafs and Spines), while in the "Access Policies" you configure the access ports (the ones where you connect servers and IPN/ISN routers).

 

Take care,

Sergiu

View solution in original post

I think you are making a confusion, so let's break it down once again:

1.  if you want to configure MACsec for fabric links you will use the procedure from " Configuring MACsec for Fabric links:

Step1:  go to Fabric > Fabric policies > etc

Step2:  (A/N while still on Fabric > Fabric policies) go to Interfaces > Spine interfaces > etc

 

2.  if you want to configure MACsec on leaf access ports or IPN/ISN facing spine ports  you use the procedure from "Configuring MACsec for Access links":

Step1:  go to Fabric > Access policies > etc

Step2:  (A/N while still on Fabric > Access policies) go to Interfaces > Spine interfaces > etc

 

You will never jump from Fabric policies to Access policies to configure something back in Fabric policies...

Hope it more clear now

 

Take care,

Sergiu

 

View solution in original post

8 Replies 8

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @andy!doesnt!like!uucp 

I think the documentation refers to this:

SergiuDaniluk_0-1669117814718.png

 

Cheers,

Sergiu

 

Hi Sergiu
yes, according to official docu it must be there. But i have it empty:

andydoesntlikeuucp_0-1669118198625.png

& instead, i've found MACsec policy applied in Fabric>Inventory

andydoesntlikeuucp_1-1669118378539.png

 

Ah I see. You are looking in the "Fabric Policies" tab, when instead you should search for the spine interface policies in "Access Policies" tab.

Fabric -> Access Policies -> Interfaces -> Spine Interfaces -> Policy groups

The "Fabric Policies" you configure the fabric links (the one between Leafs and Spines), while in the "Access Policies" you configure the access ports (the ones where you connect servers and IPN/ISN routers).

 

Take care,

Sergiu

looks like 3rd pretty place to achieve the same goal from :0D
unfortunately ACI docu only lists approach i've mentioned 1st.

tnx

Actually the documentation shows both fabric and access policies config:

SergiuDaniluk_0-1669124653657.png

 

as for me it's totally unclear in the step 2 as we can find Interfaces > Leaf/Spine Interfaces in several places like

andydoesntlikeuucp_0-1669125035217.png

Having notion "switch to Fabric > Access Policies" in Step 2 would be enough. 

I think you are making a confusion, so let's break it down once again:

1.  if you want to configure MACsec for fabric links you will use the procedure from " Configuring MACsec for Fabric links:

Step1:  go to Fabric > Fabric policies > etc

Step2:  (A/N while still on Fabric > Fabric policies) go to Interfaces > Spine interfaces > etc

 

2.  if you want to configure MACsec on leaf access ports or IPN/ISN facing spine ports  you use the procedure from "Configuring MACsec for Access links":

Step1:  go to Fabric > Access policies > etc

Step2:  (A/N while still on Fabric > Access policies) go to Interfaces > Spine interfaces > etc

 

You will never jump from Fabric policies to Access policies to configure something back in Fabric policies...

Hope it more clear now

 

Take care,

Sergiu

 

looks like this is what official docu lacks

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License