Hi Mathris,
I would like to share with you a simple flow to understand and remember fabric access policies to on-board any physical server. Go to Fabric tab -> Access Policies and look at the options on left pane from bottom. Never start from top.
Below are the config steps with GUI path navigation details. However, I am pretty sure just reading them won’t make sense and it would really help only if you actually try out those steps on your APIC.
Fabric Side Config:
- Create a static VLAN Pool
So basically you define what vlan id you will be using on your interface to onboard the server.
Fabric -> Access Policies -> Pools -> VLAN -- Right click and Create Vlan Pool
- Create Physical Domain and bind Vlan Pool to the domain
Fabric -> Access Policies -> Physical and External Domains -> Physical Domains – Right click and Create Physical Domain
Just give name for the physical domain and attach the Vlan pool created in step 1. Leave the Associated Attachable Entity Profile option blank, we will do that in next step.
- Create AAEP and bind domain to the AAEP
Fabric -> Access Policies -> Global Policies -> Attachable Access Entity Profile – Create Attachable Access Entity Profile and just attach your physical domain created in step 2 here.
- Create Interface Policies – These are nothing but generic configs that you would want on your interface like cdp on, lldp off, speed, duplex, bpdu filter etc. Policies created here is an one time process and are reused extensively in future while onboarding new servers.
Fabric -> Access Policies -> Interface Policies ->Policies – Expand this and you will find all different parameters and their possible attributes. Select whatever is applicable for your servers. Common ones are cdp, link level, lldp, Port-Channel(LACP modes).
- Create Interface Policy Group -- Select what all policies created in step 4 need to be activated on the interface
Fabric -> Access Policies -> Interface Policies -> Leaf Policy Group – Right click and create policy group based on interface type(PC, VPC or access). You can select policies through drop down menu here. This is the place where you also attach the AAEP created in step 3.
- Create Leaf Profiles – So here you select the interfaces and attach policy group created in step 5
Fabric -> Access Policies -> Interface Policies ->Profiles -> Leaf Profiles – Right Click and create leaf interface profile, create interface selector (where you define interface name and attach interface policy group)
- Create Switch Profile – So finally, you select the switches here, where exactly the servers are connected. Everything done till step 6 is just an abstract and when you bind leaf interface profile created in step 6 to the switch profile then the config is actually completed and makes sense.
Fabric -> Access Policies ->Switch Policies -> Profiles – Right click and create leaf profile, select leaf switches (keep the policy group option empty), then move to the associated interface selector profiles and select the leaf interface profile created in leaf selector option and attach the interface policy group.
Phew!!! That completes your switch interface configuration required to on-board the server. But since we are in ACI, there are few more things to do before we are done.
Any server (physical or virtual) we on-board in ACI has to part of an application EPG, as everything is policy driven in ACI and to write policies you need to have classification of services.
Tenant Side Config:
So we need to go to respective tenant where that sever belongs and do following things:
- Create a VRF in Networking Tab
- Create a BD in Networking Tab (you need to associate your BD with the VRF) and create the subnet (which will be the distributed gateway)
- Create Application Profile
- Create an Application EPG -- Inside that application profile, create an application EPG ( you will have to associate BD while creating EPG). Keep remaining options as default.
- When you expand that application EPG, you would see Domains option on left pane, that’s the place you need to attach your Physical domain option created in Step 2.
- Static port binding in EPG – You need to statically bind the configured interfaces to the EPG. Also need to specify the vlan encap id from the vlan pool created in Step 1.
This completes your server on-boarding configuration. With this your server should be able to ping the gateway. However, to communication with services hosted in other EPG or External network it would need contracts and additional configurations.
In addition to this, please also refer below sessions from Cisco Live which would help you understand ACI in depth:
1. ACI Under the Hood - How Your Configuration is Deployed - BRKACI-3101
https://ciscolive.cisco.com/on-demand-library/?search=aci&search.event=ciscoliveus2018#/session/1509501653465001PRkT
2. How to setup an ACI fabric from scratch - BRKACI-2004
https://ciscolive.cisco.com/on-demand-library/?search=aci&search.event=ciscoliveus2018#/session/1509501634778001Pfqx
Regards,
Jayesh
Rate all post that are helpful. Mark it as a solution if it solves your problem, it might help other users who have the same query.
