ACI apply MACSEC policy to interface

Gents

Not a big issue, but during live verification of the subject how-to I've found that there is a lack of documentation for it, or I'm missing something right in front of me :0)

Long story short, according to the only document I've found on the Internet, one applies the created "MACSEC interface policy" either to a Fabric Leaf|Spine Port Policy Group or to a Pod Policy Group via Fabric>Fabric Policies>Interfaces><Leaf|Spine> Interfaces>Policy Groups or Fabric>Fabric Policies>Pods>Policy Group, respectively.

Cisco APIC Layer 2 Networking Configuration Guide, Release 6.0(x) - MACsec [Cisco Application Policy Infrastructure Controller (APIC)] - Cisco

But in my case those sections are empty, and the MACSEC interface policy is applied via the Fabric>Inventory>Pod>Spine>Interface>Physical Interfaces><Port> Operational work pane, by popping up the Policy Group dialog box by clicking on uni/infra/funcprof/spaccportgrp-<IPG>, where the MACsec Policy drop-down box can be found.

Is it just another configuration approach for which I was not able to find a how-to in the ACI documentation?


Sergiu.Daniluk
VIP Alumni

Hi @andy!doesnt!like!uucp 

I think the documentation refers to this:

SergiuDaniluk_0-1669117814718.png

 

Cheers,

Sergiu

 

Hi Sergiu,
Yes, according to the official documentation it must be there. But I have it empty:

andydoesntlikeuucp_0-1669118198625.png

And instead, I've found the MACsec policy applied in Fabric>Inventory

andydoesntlikeuucp_1-1669118378539.png

 

Ah I see. You are looking in the "Fabric Policies" tab, when instead you should search for the spine interface policies in "Access Policies" tab.

Fabric -> Access Policies -> Interfaces -> Spine Interfaces -> Policy groups

In "Fabric Policies" you configure the fabric links (the ones between leafs and spines), while in "Access Policies" you configure the access ports (the ones where you connect servers and IPN/ISN routers).

Take care,

Sergiu

Looks like a 3rd pretty place to achieve the same goal from :0D
Unfortunately the ACI documentation only lists the approach I mentioned 1st.

Thanks

Actually the documentation shows both fabric and access policies config:

SergiuDaniluk_0-1669124653657.png

 

As for me, it's totally unclear in step 2, as we can find Interfaces > Leaf/Spine Interfaces in several places, like

andydoesntlikeuucp_0-1669125035217.png

Having the notion "switch to Fabric > Access Policies" in Step 2 would be enough.

I think you are confusing things, so let's break it down once again:

1.  If you want to configure MACsec for fabric links, you will use the procedure from "Configuring MACsec for Fabric links":

Step1:  go to Fabric > Fabric policies > etc

Step2:  (A/N while still on Fabric > Fabric policies) go to Interfaces > Spine interfaces > etc

 

2.  If you want to configure MACsec on leaf access ports or IPN/ISN-facing spine ports, you use the procedure from "Configuring MACsec for Access links":

Step1:  go to Fabric > Access policies > etc

Step2:  (A/N while still on Fabric > Access policies) go to Interfaces > Spine interfaces > etc

 

You will never jump from Fabric policies to Access policies to configure something back in Fabric policies...

Hope it's clearer now

Take care,

Sergiu

 

Looks like this is what the official documentation lacks
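The DN quoted in the question (uni/infra/funcprof/spaccportgrp-<IPG>) already tells which tab owns the policy group. The following is an added example, not part of the thread or of Cisco's tooling, that reads the owning tab off such a DN; the mapping of `uni/infra` to Access Policies and `uni/fabric` to Fabric Policies is an assumption about the APIC object tree, and the group names are constructed.

```python
# Added example: classify an APIC policy-group DN by the GUI tab that owns it.
# Assumption (not stated in the thread): objects under uni/infra belong to
# Fabric > Access Policies and objects under uni/fabric to Fabric > Fabric Policies.

TAB_BY_ROOT = {
    "infra": "Fabric > Access Policies",
    "fabric": "Fabric > Fabric Policies",
}


def split_dn(dn):
    """Split a DN into RNs on '/', ignoring slashes inside [...] (e.g. [eth1/1])."""
    rns, current, depth = [], [], 0
    for ch in dn:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in DN: {dn!r}")
        if ch == "/" and depth == 0:
            rns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in DN: {dn!r}")
    rns.append("".join(current))
    return rns


def locate_policy_group(dn):
    """Return (GUI tab, RN prefix, policy group name) for a policy-group DN."""
    rns = split_dn(dn.strip())
    if len(rns) < 4 or rns[0] != "uni" or rns[2] != "funcprof":
        raise ValueError(f"not a policy-group DN: {dn!r}")
    tab = TAB_BY_ROOT.get(rns[1])
    if tab is None:
        raise ValueError(f"unknown policy tree {rns[1]!r} in {dn!r}")
    prefix, sep, name = rns[3].partition("-")
    if not sep or not name:
        raise ValueError(f"policy group RN has no name: {rns[3]!r}")
    return tab, prefix, name


if __name__ == "__main__":
    # Constructed sample: the DN shape quoted in the question, with a made-up name.
    print(locate_policy_group("uni/infra/funcprof/spaccportgrp-IPN_MACSEC"))
```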
