CISCO ACI Workbook and Topo1

The document provides a comprehensive guide on configuring ACI Fabric and Access Policies, detailing steps for cabling, APIC initialization, fabric discovery, and provisioning various policies and profiles. It covers creating and configuring tenants, including Bare Metal, L2out, and L3out tenants, as well as establishing contracts between Endpoint Groups (EPGs). The workbook serves as a step-by-step resource for managing Cisco ACI environments effectively.

Contents

ACI Fabric & Access Policies (page 2)
  The cabling (page 2)
  APIC initialization (page 2)
  Discovering the fabric (page 3)
  Provisioning Access Policies (page 3)
  Provisioning interface policies (page 4)
  Provisioning switch policies (page 5)
  Provisioning policy groups (page 5)
  Provisioning Interface Profiles (page 5)
  Provisioning Switch Profiles (page 5)
  Creating a VLAN Pool (page 6)
  Creating a Domain (page 6)
  Creating an AAEP (page 6)
ACI Tenants (page 7)
Creating Tenants (page 7)
  Configuring Tenants (page 7)
  Configuring Bare Metal Tenants (page 8)
  Creating L2out Tenant (page 9)
  Creating L3out Tenant (page 9)
Creating Contracts (page 10)
  Using Contracts in Application Profile EPGs (page 11)
  Using Contracts in L2Out networks (page 11)
  Using Contracts in L3Out networks (page 11)
Virtual Networking (page 12)
  Adding L4-L7 Services to a Tenant (aka. Service Graph or Service Insertion) (page 12)
Several types of domains can connect to the ACI network. In the above sample diagram, you
can see Virtual Machine Managers, storage networks, L4-L7 appliances, bridged external
network, and L3 external networks are interacting with the ACI fabric and can be managed by
Cisco APIC.
This workbook gives step-by-step procedures to configure each one of them.

ACI Fabric & Access Policies

The cabling:
• The leaf switches often are installed on top of racks and the spines occupy a separate
rack.
• A spine can only connect to a leaf and a leaf can only connect to a spine.
• A leaf connects to all spines and a spine connects to all leaves.
• APICs usually connect to two leaves.

APIC initialization:
• Connect to APIC using the serial port.
• Open a console and start answering the configuration questions one by one. You need
to have devised the following information:
o Management IP address for the APIC
o Management gateway IP address
o VTEP address space
o Multicast address space
o VLAN number used for infra
o The number of APICs and the number assigned to the APIC being configured
• After entering all the information, the APIC will restart and can be connected to using a
web browser using the management IP address.

Discovering the fabric


• Go to Fabric > Inventory > Fabric Membership. The first leaf should have been
discovered and present in the Pending Nodes tab (discovery uses LLDP, which is on by
default).
• Right click on it and click on Register the node. You should enter an ID and a name for
the node.
• The node will be discovered and after a while will be presented as Active in the
inventory list.
• Now spines will be there in the Pending Nodes tab. Do the same to register them as
well.
• Finally, the rest of the leaves will be shown in the Pending Nodes tab and can be
registered through the above procedure.

Provisioning Access Policies


You can use the following diagram to understand the process of creating policies.

The ACI policy workflow is as depicted in the following diagram.


The overall access policy flow is as follows:
1. Create interface policies
2. Create interface policy groups
3. Create an interface profile by selecting interfaces
4. Create a switch profile by selecting leaf switches and assigning the interfaces selected in
the interface profile
5. Create a VLAN pool
6. Create a domain (based on the entity connecting to the fabric)
7. Attach the domain to the interface profile using AAEP

Provisioning interface policies


• Go to Fabric > Access Policies > Policies > Interface.
• There are more than 18 different policies that can be provisioned and used in interface
policy groups.
• Select a specific policy, for example CDP.
• Create a policy by right clicking on the policy and clicking on Create ….
• For the settings, use the desired settings and enter a descriptive name for the policy, for
example CDP_ON.
• Create policies for other settings of the same policy, for example CDP_OFF by changing
the settings inside the policy and giving it a descriptive name.
• Optionally, do as above for all the policies in the interface category and create a
combination of policies which will be used later in interface policy groups.
Provisioning switch policies
• Go to Fabric > Access Policies > Policies > Switch.
• There are more than 20 different policies that can be provisioned and used in switch
policy groups.
• Select a specific policy, for example BFD.
• Create a policy by right clicking on the policy and clicking on Create ….
• Follow the same guidelines you used for creating interface policies.

Provisioning policy groups


• Go to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Group.
• Right-click on the relevant category of policies to create a new policy group. The most
common ones are:
o Leaf Access Ports
o PC interface for port-channels
o VPC interface for virtual port-channel
• Select a descriptive name for the group and select the policies you will need for the
ports using this policy group.

Provisioning Interface Profiles


• Go to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
• Right-click on the profiles and click Create ….
• Assign a descriptive name to the group of interfaces (for example E11-13).
• From Interface Selector, click on the plus symbol.
• Type a name for the selector and in Interface IDs type in the ID or IDs of the interfaces
(for example e1/11-13 or e1/11, e1/15).
• Optionally select the IPG you want to assign to this group of interfaces in the next drop-
down list and click OK and then Submit.

Provisioning Switch Profiles


• Go to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
• Right-click on Profiles and select Create ….
• Select a descriptive name and click on the Plus sign to select switches.
• In the new row, add a name for the leaf switch and from the next drop-down list, put a
check next to the relevant switch and then click Update.
• Click Next and in the next page, from interface selector, add the interface profile you
have created to the list of switches and click Finish.

Creating a VLAN Pool


• Go to Fabric > Access Policies > Pools > VLAN.
• Right-click on the VLAN and click Create ….
• Give the pool a descriptive name and select Dynamic … if you are creating the VLAN pool
for VMM, otherwise select Static ….
• Click on the plus sign and in the new page type in a beginning and an end number for
the VLANs. You do not need to worry about overlapping VLAN numbers as long as
they are in separate bridge domains.
• Click OK and then Submit.

Creating a Domain
• Go to Fabric > Access Policies > Physical and External Domains.
• Based on the need, select a type of domain and right-click to create:
o A physical domain if you are connected to VMM or bare-metal servers
o External Bridged domain if you are connected to a legacy bridged network
o L3 domain if you are connected to an external routed network (e.g., the internet)
• Give the domain a descriptive name and select a VLAN pool from the drop-down list.
• Click Submit.

Creating an AAEP
This will be the final step in creating a policy. This step glues the domain with the interface
profile and assigns the policies to the interface.

• Go to Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles and
right-click to create ….
• Give it a descriptive name and from the Domains list click on plus sign.
• In the new entry, select a Domain Profile, click Update and click Next.
• In the Interface Group List, locate the desired list of interfaces and then select All
Interfaces and click Finish.
• This will activate the policies for the interfaces.

ACI Tenants

Creating Tenants
Tenants are entities connected to the fabric and they can be of different types. The most
important types are Bare Metal (servers with or without VMMs), L2out (a legacy switched
network), and L3out (a routed network, internet, …)
To create a tenant:

• Go to Tenants tab and click on Add Tenant


• Add a name for the tenant and click on Submit.

Configuring Tenants
• Go to Tenants tab and on the list of tenants, double click on the tenant you just created.
This will take you to the specific tenant tab.
• Open the tenant name and under that you will find a series of options, of which, 2 are
important.
• Open Networking and click on VRFs. At least one VRF should be created for a tenant.
• Right click on VRFs and select Create VRF.
• In the wizard, type in a descriptive name. Make sure that Create a Bridge Domain is
checked and click Next.
• In the next page, type in a descriptive name for the bridge domain and click Finish. A
VRF will be created and listed in the VRFs page. The segment number is the VNI for the
bridge domain.

Configuring Bare Metal Tenants


• For a bare metal tenant, you need to decide which ports are connected to the servers. If
this is not a VMM, then, each port would be considered part of an EPG. Otherwise,
VMM integration must be configured for the vSwitch or Virtual Distributed Switch (VDC)
so that each virtual port or a combination of virtual ports will be part of an EPG.
o An EPG is normally created for a group of servers, a VLAN, or an IP subnet, to
separate the servers in it based on their role.
• Right-click Application profiles and select Create ….
• Give the profile a descriptive name (e.g. Company_LoB_APP for the company line of
business app) and click Submit.
• Now, open the profile that you just created and right-click Application EPGs and select
Create.
• Give it a descriptive name (like CLIENT_APP) and in Bridge Domain drop-down list, select
the name of the bridge domain that was created during VRF creation. Click Finish.
• Repeat the previous steps for more EPGs per your need (e.g., web server).
• Open the EPG and then right-click Subnets and select Create Subnet.
• A gateway address with a subnet mask should be assigned to the subnet. Normally this
is a VLAN interface on the leaf. Click Submit. If there are multiple VLANs, assign
more gateways in different subnets.
• Right-click Static Ports and select Deploy Static EPG …
• Based on the type of connection, select Port, Port-Channel, or VPC
o If Port is selected, then you need to select the leaf, the port on that leaf, and the
VLAN id.
o If port-channel or VPC is selected then Path and VLAN id should be selected.
• For a bare metal server, select Access (untagged). For VMM, select Trunk.
• Click Next and then Finish.

Creating L2out Tenant
L2out tenants are for backward compatibility with an existing switched network.

• To create an L2out network, open tenant and go to Networking.


• Right-click L2Outs and select create.
• Give it a descriptive name.
• In Bridge Domain, select an existing bridge domain or create a new one.
• From encapsulation, select VLAN and type a VLAN number for the port.
• For the port connecting to the bridged network you have the option to add port(s), port-
channel or VPC. Select one or more of each one you have already connected to the
bridged network and click Add.
• Click Next and then Finish.
• Open the network you just added and right-click External EPGs and select Create.
• Type in a descriptive name and click Submit.
• Each VLAN in your network could be a separate EPG, so you should repeat the previous
steps once for every VLAN you have. For example VLAN 10 for clients and VLAN 11 for
web servers.

Creating L3out Tenant


Every subnet in an L3Out network could represent an EPG. L3Out networks always exist in an
ACI environment. One usage would be to connect to the internet.

• To create a L3out network, open networking for the tenant you would like to connect to
its subnets, right-click on L3outs and select Create.
• Type in a descriptive name for it.
• Select an existing VRF or create a new one for it.
• Select an L3 domain or create a new one for it.
• You could create a neighborship with the L3out network router or L3 switch with BGP,
EIGRP or OSPF. For this example, we select OSPF.
• Select the Area ID for example area 1 if you are adjacent with area 1 of the L3 network.
• Based on the type of area you are connecting, select regular, NSSA or stub.
• Based on the type of area you are connecting, you could select to have redistributed
LSAs or summary LSAs.
• Add the link cost based on the bandwidth and then click Next.
• In the next page, select the node that is connecting to L3out network. A router-id would
be automatically assigned for the node but you could add an IP address for a loopback
interface.
• Add an IP address for the port connecting to the L3out network with a subnet mask
represented in slash notation (e.g., 10.10.22.251/24).
• Click Next and then Finish.
• Open the L3out network you just created and right-click External EPGs.
• For every subnet you can create an EPG. Type in a descriptive name and click on plus
sign to add the subnet.
• In the new page, type in an IP address with a subnet mask represented in slash notation
(e.g., 10.10.50.0/24).
• Click Submit and Submit again.

Creating Contracts
Contracts are necessary for governing the relationship between EPGs. A contract is a
standalone object and has a subject (an intent) and a series of filters.
A contract can be provided or consumed or both.
A contract can be created once and used many times in multiple contexts.

• To create a contract, go to a tenant and open contracts. Then right-click Standard


Contracts and select Create Contract.
• Give the contract a descriptive name.
• You can select the scope of the contract to be VRF, Tenant, or Global.
• Click on the plus sign to add a subject.
• Give the subject a descriptive name (e.g., WEB_ACCESS).
• Click on the plus sign to add a new filter. In this example an HTTP and HTTPS filter would
be created for WEB_ACCESS subject.
• In the filter name, select a predefined filter, or click on the plus sign to add a new filter.
In this example we click the plus sign.
• In the filter page, type in a name (e.g., WEB_TRAFFIC).
• Click on the plus sign and add an entry. Each entry is analogous to an entry in an access-
list.
• Give the entry a name (e.g., HTTP) and select an ether type (for HTTP, select IP).
• Select an IP protocol based on the filter you are creating (for HTTP, select TCP).
• Select a source and destination port. For most traffic, the source port is random and should
be left undefined here, but the destination port is a well-known port and should be
specified. The destination port can be typed or selected in the drop-down list (for HTTP,
select http for the FROM and TO section).
• Click update and repeat the previous steps for a new entry for HTTPS. Click Submit and
then Update. Select an action (permit in this case) and click Update and then OK and
Submit.

Using Contracts in Application Profile EPGs
If you have an application profile defined, then for each EPG you can add a provided or
consumed (or both) contract.

• Open the application profile and open Application EPGs.


• Open an EPG and right-click Contracts and select Add Provided Contract if this EPG is
providing a service, or Add Consumed Contract if this EPG is consuming a service. In case
an EPG both provides and consumes a contract (or different contracts), you should
repeat the following steps for every contract you are adding.
• Select the contract from the list and click submit.
• Repeat this step for more contracts if necessary.
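As an added example (not from the workbook), the contract, subject, filter and entry objects from the Creating Contracts steps, together with the provided/consumed relations on the application EPGs, expressed as the JSON the APIC REST API accepts for a POST to /api/mo/uni.json. The class names are the real APIC managed-object classes; the tenant name, bridge-domain name and the WEB_APP EPG name are assumed, and the open_entries check is an added review aid, not an APIC feature.

```python
"""APIC JSON for the WEB_ACCESS contract workflow (added example, not from the
workbook). Class names (fvTenant, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons,
vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt) are the APIC managed-object
classes; the tenant, bridge-domain and WEB_APP EPG names are constructed."""
import json


def filter_entry(name, dport):
    """One vzEntry: EtherType IP, protocol TCP, source port left unspecified
    (client side is random), destination port the well-known service port."""
    return {"vzEntry": {"attributes": {
        "name": name, "etherT": "ip", "prot": "tcp",
        "sFromPort": "unspecified", "sToPort": "unspecified",
        "dFromPort": dport, "dToPort": dport}}}


def web_filter(name="WEB_TRAFFIC"):
    """vzFilter with the HTTP and HTTPS entries added in the GUI steps."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        filter_entry("HTTP", "http"), filter_entry("HTTPS", "https")]}}


def contract(name, subject, filter_name, scope="context"):
    """vzBrCP > vzSubj > vzRsSubjFiltAtt. scope 'context' is the GUI's VRF
    scope; 'tenant' and 'global' are the other two choices."""
    att = {"vzRsSubjFiltAtt": {"attributes": {
        "tnVzFilterName": filter_name, "action": "permit"}}}
    subj = {"vzSubj": {"attributes": {"name": subject}, "children": [att]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [subj]}}


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a bridge domain, providing and/or consuming contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def tenant_payload(tenant="Company", bd="Company_BD"):
    """Whole tenant subtree: CLIENT_APP consumes WEB_ACCESS, WEB_APP provides it.
    Tenant and bridge-domain names are assumed (constructed for the example)."""
    ap = {"fvAp": {"attributes": {"name": "Company_LoB_APP"}, "children": [
        epg("CLIENT_APP", bd, consumes=["WEB_ACCESS"]),
        epg("WEB_APP", bd, provides=["WEB_ACCESS"])]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        web_filter(), contract("WEB_ACCESS", "WEB_ACCESS", "WEB_TRAFFIC"), ap]}}


def open_entries(payload):
    """Review check: names of filter entries whose destination port is
    unspecified, i.e. entries that permit a whole protocol, not one service."""
    found = []

    def walk(node):
        for cls, body in node.items():
            attrs = body.get("attributes", {})
            if cls == "vzEntry" and attrs.get("dFromPort", "unspecified") == "unspecified":
                found.append(attrs["name"])
            for child in body.get("children", []):
                walk(child)

    walk(payload)
    return found


if __name__ == "__main__":
    print(json.dumps(tenant_payload(), indent=2))
```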

Using Contracts in L2Out networks.


In L2Out networks, you can consider each VLAN a separate EPG.

• To add contracts to L2Out network, open the tenant > Networking > L2Outs > External
EPGs.
• Click on the EPG you want to add the contract to.
• On the right pane, select Contracts tab.
• Click the plus sign for provided contracts and/or consumed contracts.
• In the drop-down list, select the desired contract and click Update.

Using Contracts in L3Out networks.


In L3Out networks, you can consider each subnet a separate EPG.

• To add contracts to L3Out network, open the tenant > Networking > L3Outs > External
EPGs.
• Click on the EPG you want to add the contract to.
• On the right pane, select Contracts tab.
• Click the tools icon on the right and select Add Provided Contracts and/or Add Consumed
Contracts.
• In the page that opens, in the drop-down list, select the desired contract and click
Submit.

Virtual Networking
Cisco ACI can control and manage VMMs created by VMware, Microsoft Hyper-V, RedHat KVM,
and other vendors if you install their plugins. In this example a VMware domain will be added
to the ACI fabric.

• Go to Virtual Networking tab and select VMware.


• Right-click on VMware and select Create vCenter Domain.
• Type in a descriptive name for the virtual switch which will be created by VMware.
• Select VMware vSphere Distributed Switch.
• Select an Attachable Entity Profile (AAEP) from the drop-down list. If you have not
created one, you can select Create ….
• Select Read Write Mode for Access Mode.
• Select a VLAN pool from the VLAN Pool drop-down list or create one if you have not
created a VLAN pool before.
• Click the plus sign to add a vCenter credential. This will be used by the ACI to log in to VMware
vCenter and create the vSwitch. You can obtain the username and password for
vCenter from your virtualization administrator. Type in a name and the relevant
credentials and click Submit.
• Click plus sign to add vCenter Controller information. Type in a descriptive name, the
host name or IP address, the datacenter name (which must be the same as the name in
the vCenter panel), the management EPG (optional), and the credential name that you
added in the previous step and click Submit.
• If you connect to the VMM using a port-channel, select the
relevant port-channel mode from the drop-down list (most of the time you choose
LACP).
• For vSwitch policy, select LLDP, CDP or none based on your policies in place.
• Click submit. After a while, you should see a virtual switch created in VMM manager
panel.
• Port-groups will be created inside vCenter panel and they will appear in ACI. You can
create EPGs based on those port-groups and assign contracts to them.

Adding L4-L7 Services to a Tenant (aka. Service Graph or Service Insertion)


L4-L7 services can be inserted between EPGs to inspect the traffic. You can have a virtual
machine with ASAv firewall installed on it and add it to your tenant.

• To add an L4-L7 service device, go to the Tenants tab and select your tenant > Services > L4-L7.
• Right-click Devices and select Create L4-L7 devices.
• In the page that opens, type in a descriptive name.
• In the Service Type drop-down list, select Firewall (for an ASAv firewall).
• In the Physical Domain, select the domain you have already created or choose to create
one.
• On the right pane, click on the plus sign to add an interface (the one connecting the
leaf to the firewall). Type in a descriptive name and select the node/interface and click
Update and Submit.
• Click Submit.
• Right-click on Service Graph Template and select Create ….
• Drag the firewall that you have created from the left to the middle of the top pane
between Consumer and Provider.
• Type in a name and then click Submit.
