Cisco ACI - Access Policies - Part2

In the last few blog posts we saw how to configure basic Access Policies in a Cisco ACI Fabric; now let's delve into them! 😊

Prerequisites

You must have a Cisco ACI Fabric up and running. If you don't have one, here are some posts that could be useful for you:

Cisco ACI sandbox

If you don't have a Cisco ACI fabric, you can use the public sandbox to do some of the following tasks. Here are the login details:

Before changing something, consider that this is a lab environment used by thousands of engineers 😉 be respectful and careful.

VLAN POOL

Although there are bridge domains and VXLAN inside the ACI fabric, it’s important to use regular VLANs on the link between a leaf node port and the host or device that connects to it. The first thing you need to do as part of your access policy configuration is to define a range of VLANs that are available for this purpose on any given leaf node.

Notice that the “allocation mode” option can be set to either “static” or “dynamic.” Which one should you choose?

  • Static VLAN allocation mode should be used if the VLAN pool in question will be used for bare metal hosts or other non-virtualized devices. Later, when you create EPGs, you will manually assign a VLAN from the static pool to the EPG and port.
  • Dynamic allocation mode is used when connecting VMs to the fabric, specifically when using VMM integration with the hypervisor management system. In that case, a VLAN will be dynamically assigned to the port group that gets created on the Distributed Virtual Switch.

To create a VLAN Pool, go to:
Fabric -> Access Policies -> Pools -> VLAN

Right-click on VLAN and then “Create VLAN Pool” (screenshot 01):

  • Name: Physical_StaticVLPool
  • Allocation Mode: Static Allocation
  • Encap Blocks: Here you should add the VLAN range that will be used by your workload, e.g. 2 - 3000


Usually, you would like to create 3 VLAN Pools:

  1. Physical_StaticVLPool: Static Allocation Mode. It will contain the VLAN ranges that will be used by your workload, e.g. 2 - 3000
  2. L3Out_StaticVLPool: Static Allocation Mode. It will contain the VLAN ranges used for point-to-point/SVI in the L3Out configuration (logical connections to a remote L3 Domain), e.g. 3001 - 3499. When you create an L3Out, use the first available VLAN of this range to create the ptp or the SVI
  3. IBMgmt_StaticVLPool: Static Allocation Mode. It will contain the VLAN dedicated to InBand mgmt, e.g. 3500

Remember that you can expand a VLAN Pool later by adding new ranges to it.
Here is an example of three VLAN Pools and their VLAN Ranges (as you can see, you can add more than one VLAN Range to a single VLAN Pool):


Physical/L3 Domain

A domain defines the “scope” of a VLAN pool, i.e. where that pool will be applied. A domain can be physical, virtual, or external (either bridged or routed). When you configure a domain, you reference the VLAN pool you created earlier.

To create a Physical or L3 Domain, go to:
Fabric -> Access Policies -> Physical and External Domains -> Physical Domains

or

Fabric -> Access Policies -> Physical and External Domains -> L3 Domains


Physical Domains

Usually, you would like to create 2 Physical Domains:

  1. Physical_PhysDom: Attach the “Physical_StaticVLPool” VLAN Pool that you created in the previous step
  2. IBMgmt_PhysDom: Attach the “IBMgmt_StaticVLPool” VLAN Pool that you created in the previous step

Here is the Physical_PhysDom configuration preview (screenshot 07); do the same for IBMgmt_PhysDom.

L3 Domains

Usually, you would like to create 1 L3 Domain:

  1. L3Out_ExtRoutedDom: Attach the “L3Out_StaticVLPool” VLAN Pool that you created in the previous step

Here is the L3Out_ExtRoutedDom configuration preview (screenshot 08).

In this phase, do not attach or create any AAEP; we'll do it in the next step 😉

Attachable Access Entity Profile

The AAEP is a way of grouping together multiple domains that may need to be associated with an interface.

To create an Attachable Access Entity Profile, go to:
Fabric -> Access Policies -> Policies -> Global -> Attachable Access Entity Profile


Usually, you would like to create 2 Attachable Access Entity Profiles:

  1. Physical_AAEP: Attach the “Physical_PhysDom” and “L3Out_ExtRoutedDom” domains
  2. IBMgmt_AAEP: Attach the “IBMgmt_PhysDom” domain

Disable the “Association to Interfaces” while creating the AAEP, add the Domains and click “Finish”:


Small recap

Here is a table that maps and documents everything configured so far:

| VLAN Pool Name        | VLAN Range  | Description                    | Allocation Mode | Associated Domain  | AAEP          |
|-----------------------|-------------|--------------------------------|-----------------|--------------------|---------------|
| IBMgmt_StaticVLPool   | 3500        | IB mgmt                        | static          | IBMgmt_PhysDom     | IBMgmt_AAEP   |
| L3Out_StaticVLPool    | 3001 - 3499 | Transit Service Appliance p2p  | static          | L3Out_ExtRoutedDom | Physical_AAEP |
| Physical_StaticVLPool | 2 - 3000    | Endpoint (EPG)                 | static          | Physical_PhysDom   | Physical_AAEP |
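The GUI steps above (VLAN Pool, Physical/L3 Domain, AAEP) can also be reproduced through the APIC REST API, which is handy when you want the recap table to live in version control rather than in screenshots. The following Python is an added example, not code from the original post or from Cisco: it builds the JSON objects for the three pools, three domains and two AAEPs of the recap table and can push them to an APIC. It assumes the standard APIC object model (fvnsVlanInstP / fvnsEncapBlk for pools, physDomP and l3extDomP for domains, infraAttEntityP with infraRsDomP for the AAEP, and the DN formats used below), that valid encapsulation VLAN IDs are 1-4094, and that credentials are supplied through the APIC_USER / APIC_PASS environment variables (hypothetical names chosen for this example).

```python
"""Build (and optionally push) APIC access-policy objects: VLAN pools, domains, AAEPs.

Added example, not from the original post. Class names, DN formats and the
1-4094 VLAN limit are assumptions about the APIC object model.
"""
import json
import os
from typing import Dict, List, Sequence


def vlan_pool_dn(name: str, alloc_mode: str = "static") -> str:
    # Assumed DN format of a VLAN pool: uni/infra/vlanns-[<name>]-<allocMode>
    return f"uni/infra/vlanns-[{name}]-{alloc_mode}"


def build_vlan_pool(name: str, first: int, last: int, alloc_mode: str = "static") -> Dict:
    """Return an fvnsVlanInstP object with a single fvnsEncapBlk child."""
    if alloc_mode not in ("static", "dynamic"):
        raise ValueError("allocation mode must be 'static' or 'dynamic'")
    # Reject reversed or out-of-range blocks before they reach the APIC
    # (assumption: encap VLAN IDs are limited to 1-4094).
    if not 1 <= first <= last <= 4094:
        raise ValueError(f"invalid VLAN range {first}-{last}")
    block = {"fvnsEncapBlk": {"attributes": {
        "from": f"vlan-{first}", "to": f"vlan-{last}",
        "allocMode": alloc_mode, "role": "external"}}}
    return {"fvnsVlanInstP": {
        "attributes": {"dn": vlan_pool_dn(name, alloc_mode), "name": name, "allocMode": alloc_mode},
        "children": [block]}}


def _domain(cls: str, dn: str, name: str, pool_name: str, pool_alloc_mode: str) -> Dict:
    # Both domain types reference their VLAN pool through an infraRsVlanNs relation.
    rel = {"infraRsVlanNs": {"attributes": {"tDn": vlan_pool_dn(pool_name, pool_alloc_mode)}}}
    return {cls: {"attributes": {"dn": dn, "name": name}, "children": [rel]}}


def build_physical_domain(name: str, pool_name: str, pool_alloc_mode: str = "static") -> Dict:
    return _domain("physDomP", f"uni/phys-{name}", name, pool_name, pool_alloc_mode)


def build_l3_domain(name: str, pool_name: str, pool_alloc_mode: str = "static") -> Dict:
    return _domain("l3extDomP", f"uni/l3dom-{name}", name, pool_name, pool_alloc_mode)


def build_aaep(name: str, phys_domains: Sequence[str] = (), l3_domains: Sequence[str] = ()) -> Dict:
    """Return an infraAttEntityP grouping the given physical and L3 domains."""
    children = [{"infraRsDomP": {"attributes": {"tDn": f"uni/phys-{d}"}}} for d in phys_domains]
    children += [{"infraRsDomP": {"attributes": {"tDn": f"uni/l3dom-{d}"}}} for d in l3_domains]
    return {"infraAttEntityP": {"attributes": {"dn": f"uni/infra/attentp-{name}", "name": name},
                                "children": children}}


def object_dn(obj: Dict) -> str:
    """Extract the dn attribute from a single-class APIC object."""
    cls = next(iter(obj))
    return obj[cls]["attributes"]["dn"]


def recap_payloads() -> List[Dict]:
    """The three pools, three domains and two AAEPs from the recap table, in dependency order."""
    return [
        build_vlan_pool("Physical_StaticVLPool", 2, 3000),
        build_vlan_pool("L3Out_StaticVLPool", 3001, 3499),
        build_vlan_pool("IBMgmt_StaticVLPool", 3500, 3500),
        build_physical_domain("Physical_PhysDom", "Physical_StaticVLPool"),
        build_physical_domain("IBMgmt_PhysDom", "IBMgmt_StaticVLPool"),
        build_l3_domain("L3Out_ExtRoutedDom", "L3Out_StaticVLPool"),
        build_aaep("Physical_AAEP", ["Physical_PhysDom"], ["L3Out_ExtRoutedDom"]),
        build_aaep("IBMgmt_AAEP", ["IBMgmt_PhysDom"]),
    ]


def push(apic_url: str, payloads: List[Dict]) -> None:
    """Log in with aaaLogin and POST each object to /api/mo/<dn>.json."""
    import requests  # only needed when talking to a real APIC

    # Credentials come from the environment (assumed variable names), never from source.
    user, pwd = os.environ["APIC_USER"], os.environ["APIC_PASS"]
    with requests.Session() as s:
        s.verify = True  # keep TLS verification on; trust the APIC CA instead of disabling it
        login = {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}
        s.post(f"{apic_url}/api/aaaLogin.json", json=login).raise_for_status()
        for obj in payloads:
            s.post(f"{apic_url}/api/mo/{object_dn(obj)}.json", json=obj).raise_for_status()


if __name__ == "__main__":
    # Dry run: print the payloads so they can be reviewed (or diffed) before pushing.
    print(json.dumps(recap_payloads(), indent=2))
```

Run it without arguments to print the payloads for review; call push("https://<apic-address>", recap_payloads()) only once the output matches your documented table. Objects are emitted in dependency order (pools before domains, domains before AAEPs) because the domain and AAEP relations resolve by DN.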

Perfect, now move on with some general System Settings configuration! 😊

Global Configuration

There are also some common settings that you would like to configure when deploying a Cisco ACI Fabric. You can find almost all the necessary information on the Cisco website (Credit: Cisco).

Thanks for your time, I hope that you're enjoying my blog!
If you have some questions, please drop me a message through social networks! 😊
👈 You can find the corresponding icons here on the left of the page

Riccardo