ACI APIC Network-As-Code interface configuration

Hi, I have difficulties configuring a vpc port on a couple of leaf switches.
I'm using Network As Code to try to do this. (https://netascode.cisco.com/data_model/apic/interface_policies/new_interface_config)
But I'm not able to understand how to do it.

I have 2 files with NAC. One that creates the vpc policy group (L601..602:1:1_VPCIPG_TEST), and that works fine.
The other file is meant to configure the interface, like you do in the GUI (Location in GUI: Fabric » Access Policies » Interface Configuration).
Here I want to configure vpc for leaf 601 and 602 with eth1/1 and L601..602:1:1_VPCIPG_TEST as the policy group.
But I'm not able to understand how to do this. Does anyone have any tips on how to do this?


I am not sure what learning platform this is; they have some examples here: https://github.com/orgs/netascode/repositories

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

mfr-6
Spotlight

Hi @Geir Sand-Strand 

If you want to use the new interface configuration (using interface policies) you need to set new_interface_configuration to "true"; otherwise this part of the configuration will be ignored.

Please provide me the configuration you've prepared so far, and I'll try to assist you with this (including your Terraform code where you set up your NAC module).

Usually, you need to configure the Policy Group first: https://netascode.cisco.com/data_model/apic/access_policies/ap_leaf_interface_policy_group - here you'll set the type to "vpc" to get the desired result.

Then - https://netascode.cisco.com/data_model/apic/interface_policies/new_interface_config/ - under interface, where policy group is required, you need to select the policy group previously created.

If this is not clear enough for you, please provide me the configuration that you tried to apply. If you can't go through this, that's completely fine; I'll guide you step by step through what you need to do, but it would be easier to explain things based on something you tried to implement.

Looking forward to hearing from you!

Mateusz Frak NetDevOps | DevNet | Automation DevNet Expert #20240068
Please mark this post as helpful if it solves your issue, to make this visible for other users, thank you!

I tried this in my *.nac.yaml file:

apic:
  access_policies:
    leaf_interface_policy_groups:
      - name: TEST_All_PG
        type: access
        aaep: All_Domains-AEP
        cdp_policy: CDP_Enable

  new_interface_configuration: true
  interface_policies:
    nodes:
      - id: 601
        interfaces:
          - port: 1
            policy_group: TEST_All_PG
            description: 601_TEST_All_PG

But this doesn't create the interface configuration. The main.tf is set to true:
manage_access_policies = true
manage_fabric_policies = true
manage_pod_policies = true
manage_node_policies = true
manage_interface_policies = true
manage_tenants = true

This is a test environment so no problem doing some testing.
I have tried to modify an existing interface configuration, and also a different interface. No luck in doing any interface configuration.

Creating vpc, pc or access port under policy group is working fine.


Br Geir

Since this environment is not a total greenfield with NAC, the nodes exist already.
But I did a test "creating" the node_policies, and then tried the interface configuration. It worked.
But is it really necessary to create the node policies first?

hi @Geir Sand-Strand 

I just tested your setup and, just like you said (I didn't see your last response, sorry), the missing bit was the leaf node policy not being defined.

Yes, this is mandatory, because the NAC module looks up all nodes defined in the data model and iterates through them, and then through the inner "interface_policies" list, to create interface policies for each interface defined, as long as the "new_interface_configuration" option is set to "true".

That said, if a node is not defined under "node_policies", then the code never reaches the state where interface_policies are created. Leaf node policy and interface policy have a hard relationship, where an interface policy cannot live without a node policy (composition, in programming terms).

If you have a brownfield fabric, then you should consider importing node_policies into your Terraform setup so those are controlled by TF + Nexus as Code, so you can later manage interface_policies for all leafs in your fabric.

I hope that helps. If you have more questions - feel free to ask!

Mateusz Frak NetDevOps | DevNet | Automation DevNet Expert #20240068
Please mark this post as helpful if it solves your issue, to make this visible for other users, thank you!
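The node_policies / interface_policies dependency described in the answer above is easy to miss because the module just skips the interface silently. The following preflight lint, an added example that is not part of this thread or of the NAC project, checks a loaded data model for the three silent failure modes discussed here (new_interface_configuration not true, an interface node not declared under node_policies, a policy_group that does not exist) before you run terraform apply. It assumes the key names quoted in the thread; the minimal node_policies entry (id, role) is an assumption about the NAC schema, and the sample data is constructed from the YAML posted above.

```python
import copy

def lint_interface_config(model: dict) -> list[str]:
    """Return findings for a NAC APIC data model; [] means the interfaces should render."""
    apic = model.get("apic", {})
    findings = []
    if apic.get("new_interface_configuration") is not True:
        findings.append("apic.new_interface_configuration is not true: "
                        "interface_policies will be ignored")
    # The module iterates the nodes declared under node_policies, so an
    # interface_policies entry for an undeclared node is silently skipped.
    known_nodes = {n["id"] for n in apic.get("node_policies", {}).get("nodes", [])}
    known_pgs = {pg["name"] for pg in apic.get("access_policies", {})
                 .get("leaf_interface_policy_groups", [])}
    for node in apic.get("interface_policies", {}).get("nodes", []):
        nid = node.get("id")
        if nid not in known_nodes:
            findings.append(f"node {nid}: not defined under node_policies.nodes, "
                            "its interface configuration will never be rendered")
        for intf in node.get("interfaces", []):
            pg, port = intf.get("policy_group"), intf.get("port")
            if pg is None:
                findings.append(f"node {nid} port {port}: policy_group is required")
            elif pg not in known_pgs:
                findings.append(f"node {nid} port {port}: policy_group '{pg}' is "
                                "not defined under leaf_interface_policy_groups")
    return findings

# Constructed sample mirroring the *.nac.yaml quoted in the thread (no node_policies).
# In real use, build this dict with yaml.safe_load() over the merged *.nac.yaml files.
ORIGINAL_POST_MODEL = {"apic": {
    "access_policies": {"leaf_interface_policy_groups": [
        {"name": "TEST_All_PG", "type": "access",
         "aaep": "All_Domains-AEP", "cdp_policy": "CDP_Enable"}]},
    "new_interface_configuration": True,
    "interface_policies": {"nodes": [
        {"id": 601, "interfaces": [
            {"port": 1, "policy_group": "TEST_All_PG", "description": "601_TEST_All_PG"}]}]},
}}

def with_node_policy(model: dict) -> dict:
    """Same model with leaf 601 declared under node_policies (the fix from the thread)."""
    fixed = copy.deepcopy(model)
    # Assumed minimal node_policies entry; a real one also carries pod, serial, name.
    fixed["apic"]["node_policies"] = {"nodes": [{"id": 601, "role": "leaf"}]}
    return fixed

if __name__ == "__main__":
    for label, m in (("original", ORIGINAL_POST_MODEL),
                     ("fixed", with_node_policy(ORIGINAL_POST_MODEL))):
        print(label, lint_interface_config(m) or "OK")
```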