This post presents my study notes on ACI policies. We first distinguish the types of policies in ACI, then go through the different fabric access policies.

Tenant Policies

  • define the behaviour of an application whenever traffic hits the fabric.
  • trigger the access policies.

Fabric Policies

  • necessary for the internal working of the fabric.
  • example: NTP.

Access Policies

  • perform the configuration of the physical interfaces.
  • are not active on the ports until triggered by a tenant policy.

The chronological order of configuring access policies is:

  1. VLAN Pools
  2. Domains
  3. AEP
  4. Interface policies
  5. Interface policy groups
  6. Interface profiles
  7. Switch profiles

Interface Policies

  • An Interface policy sets the value of a protocol state.
  • The Interface policy is later used in the interface policy group.
  • Default interface policies are preconfigured on APIC. Do not overwrite them; rather, leverage them (copy and save as…).

Configuring an Interface Policy

Let us take a basic example: CDP.

We create one interface policy with CDP on, and one with CDP off. Set Admin State to Enabled on the first one, and to Disabled on the second one.

Interface Policy Groups

  • As their name implies, interface policy groups assemble interface policies together in a group. In this way you can create a variety of combinations of protocol values and later invoke them depending on the desired output.
  • ACI offers the possibility to create spine interface policy groups and leaf interface policy groups.
  • Assign one and only one Interface Policy Group to a Port Channel or vPC (that’s called 1:1 mapping).

Whether it is a spine or a leaf interface policy group, we have the following options

  • an Access Port policy group: this policy group is assignable later to one or more individual ports, on one or more switches at the same time.
  • a Port Channel (PC) policy group: this policy group is assignable later to ports that are members of a normal Port Channel.
  • a Virtual Port Channel policy group: this policy group is assignable later to ports that are members of a Virtual Port Channel (VPC).
  • An Interface Policy Group is usable by only one AAEP: when you try to link to an Interface Policy Group that is already being used, you get the following error message:

When I said “is assignable to” I meant that the ACI administrator can invoke one of the above-mentioned Interface Policy Groups when creating Interface Profiles, depending on whether he wants to configure switch ports as standalone, port channel or VPC.

Configuring an Interface Policy Group

Configuring an Interface Policy Group for an Access Port

We configure an interface policy group for a single leaf interface:

Within the interface policy group I assign the CDP interface policy I created before.

Configuring an Interface Policy Group for vPC Interface

To create a VPC Interface Policy Group on a leaf switch, go to Fabric –> Access Policies –> Interfaces –> Leaf Interfaces –> Policy Groups –> VPC Interface. Right-click on Create VPC Interface Policy Group:

Interface Profiles

  • aka Interface Selector Profiles
  • contain one or more Access Port Selectors. An Access Port Selector is a logical block that defines:
    • either a single physical port, or
    • a range of physical ports, whether they are consecutive or selected.
  • We can define Interface Profiles on either leafs or spines. That is why we find on the ACI GUI both options:

In this blog article we focus only on Leaf Interface Profiles.

  • Interface Profiles select interfaces on one or more switches, without instructing the fabric which switches they are. We ideally use an interface profile naming convention that gives us a hint as to where this interface profile will be deployed. For example: Interface Profile LIP_104_106:
  • an interface profile is only an interface selector; i.e. it does not configure interfaces.

Configuring Interface Profiles

As a requirement you should have already created an interface policy group.

Creating interface profiles takes place under Leaf Interfaces -> Profiles menu:

I chose to include “103_104” in the name of the leaf Interface Profile as a quick reminder that this interface profile “is destined” to be associated with leaf switches 103 and 104. Remember, this is only a naming choice, and the ACI fabric up to this point does not know (is not yet programmed) from which switch(es) it should select the interface(s). The ACI fabric will know which switches as soon as you associate the Interface Profile to a Switch Profile.

Now create the Interface Profile:

Notice I’ve named the Interface Profile with a prefix of “LIP”. That helps me avoid the naming confusion between Leaf Interface Profiles and Leaf Switch Profiles.

Near Interface Selectors click the + sign and choose which interfaces are part of this Interface Profile.

The Interface ID must be in the format {Module/port number}. With fixed-chassis leafs:

  • Start the Name in the format “1:”
  • start the Interface ID in the format “1/”.

Associate an Interface Policy Group to the Leaf Interface Profile.

We can define as many Access Selectors in the same Interface Profile as we want:

Configure an Interface Profile for a vPC Interface

In a vPC Interface Profile, make sure:

  • to have in its name the pair of leaf IDs
  • to attach a vPC Interface Policy Group to the Access Port Selector:

Switch Profiles

  • A Switch Profile selects one or more switches from which the ports will be configured and invokes an Interface Profile. That is one of the beautiful traits of ACI; you can select a range of interfaces on a range of switches, unlike the CLI “interface range” command which limits you to a single switch.
  • A Switch Profile does not configure switches. Remember: no leaf port is configured until an associated tenant policy is activated.
  • said in another form: Switch Profile = Switch selector + Interface Profile
  • Like Interface Profiles, there are:
    • Leaf Switch Profiles, and
    • Spine Switch Profiles

In this blog article we focus solely on Leaf Switch Profiles.

Configuring Leaf Switch Profile

Method 1: Using the Regular GUI

Under Create Leaf Profile menu:

  • insert a significant name and description that can help you later during a troubleshooting session.
  • next to Leaf Selectors, click the + sign. Name and Blocks are text fields.
    • give a name to the Leaf or group of leafs
    • in Blocks:
      • enter the leaf ID if you select one switch
      • enter a range of leaf IDs separated by a dash, if you want to select more than one switch at the same time
  • click Update

In our below example we create a Leaf Switch Profile consisting of leafs 103 and 104:

  • Press the Next button to set up the association between this Switch Profile and one or more Interface Profile(s):
  • from the scrollable list, select the desired Interface Profile and click Finish. This step is optional because we can associate an Interface Profile to the Switch Profile later.

Et voila! Leaf Switch Profile named 103_104 contains leafs 103 and 104, and is associated with Interface Profile LIP_103_104.

We can leverage our example of Leaf Switch Profile for normal access ports, as well as for vPC interfaces since it includes 2 leafs (but this requires us to attach a vPC Interface Profile to the Leaf Profile)

Sometimes you get an error message telling you that the interface selector ranges are already used in another Interface Profile. In my below example the interface Eth1/9 is being used elsewhere. And you can see which “overlapping” Interface Profile it is:

Method 2: Using the Quick Start Guide

Go to Fabric –> Access Policies –> Quick Start

Then in both of the following menus you can create a Leaf Switch Profile:

Click on the plus sign to define a Switch Profile.

You select the switches:

And it will automatically generate a Switch Profile:

Determining the Leaf Interface Profile and the Interface Policy Group Associated to a Leaf Switch Profile

At any point, starting from the Leaf Switch Profile, we can determine:

  • which Leaf Interface Profile is being used
  • which Interface Policy Group is being used.

For this, you need a couple of double clicks:

  • In our example, double-click on the Leaf Switch Profile 103_104
  • Scroll down to Associated Leaf Selector Profiles and double-click on the already associated Leaf Interface Profile:
  • The menu changes to “Leaf Interface Profile”:
  • From there you can also read the Interface Policy Group being associated to it:

General note: use a naming convention that is consistent across the fabric(s).
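
The chain Switch Profile -> Interface Profile -> Interface Policy Group, and the overlapping-selector situation described earlier, can be checked offline with a small model. This is an added example, not code from APIC or from the original post: the data below is constructed, the policy group names PG_CDP_ON and PG_CDP_OFF are hypothetical, and the overlap rule is a simplified assumption (the same port on the same leaf selected by two Interface Profiles).

```python
from collections import defaultdict

def expand(block):
    """Expand a Blocks-style string ('104' or '103-104') into a list of ints."""
    lo, _, hi = block.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

# Constructed sample data using the post's naming convention.
# Interface Profile -> [(selector name, Interface ID, policy group)]
INTERFACE_PROFILES = {
    "LIP_103_104": [("1:9", "1/9", "PG_CDP_ON"),
                    ("1:10-12", "1/10-12", "PG_CDP_OFF")],
    "LIP_104_106": [("1:9", "1/9", "PG_CDP_OFF")],
}
# Switch Profile -> (leaf selector blocks, associated Interface Profiles)
SWITCH_PROFILES = {
    "103_104": (["103-104"], ["LIP_103_104"]),
    "104_106": (["104", "106"], ["LIP_104_106"]),
}

def resolve(switch_profiles, interface_profiles):
    """Map every (leaf, 'module/port') to the profiles and policy group selecting it."""
    claims = defaultdict(list)
    for sp_name, (leaf_blocks, if_profiles) in switch_profiles.items():
        leaves = [leaf for blk in leaf_blocks for leaf in expand(blk)]
        for ip_name in if_profiles:
            for selector, if_id, group in interface_profiles[ip_name]:
                module, _, ports = if_id.partition("/")
                for leaf in leaves:
                    for port in expand(ports):
                        claims[(leaf, f"{module}/{port}")].append(
                            (sp_name, ip_name, selector, group))
    return dict(claims)

def overlaps(claims):
    """Ports that more than one Interface Profile selects on the same leaf."""
    return {port: who for port, who in claims.items()
            if len({ip_name for _, ip_name, _, _ in who}) > 1}

if __name__ == "__main__":
    resolved = resolve(SWITCH_PROFILES, INTERFACE_PROFILES)
    for (leaf, port), who in sorted(resolved.items()):
        print(f"leaf {leaf} eth{port}: {who}")
    for (leaf, port), who in overlaps(resolved).items():
        names = sorted({ip_name for _, ip_name, _, _ in who})
        print(f"OVERLAP leaf {leaf} eth{port}: {names}")
```

Running it lists the policy group each leaf port would receive and reports Eth1/9 on leaf 104 as selected by both LIP_103_104 and LIP_104_106.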

ACI Physical and External Domains


Learning the fabric access policies is a daunting task at first. Here is a nice diagram I found on that glues all access policies together:



Categories: Cisco DCACI

Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.
