Access Leaf Interface Policy Group
Location in GUI: Fabric » Access Policies » Interfaces » Leaf Interfaces » Policy Groups
Classes
access_policies (apic)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| leaf_interface_policy_groups | List | [leaf_interface_policy_groups] | No | |

leaf_interface_policy_groups (apic.access_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| description | String | Regex: ^[a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]{1,128}$ | No | |
| type | Choice | access, vpc, pc, breakout | Yes | |
| map | Choice | none, 10g-4x, 25g-4x, 100g-2x, 50g-8, 100g-4x | No | none |
| link_level_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| cdp_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| lldp_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| spanning_tree_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| mcp_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| l2_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| port_channel_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| port_channel_member_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| storm_control_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| aaep | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| netflow_monitor_policies | List | [netflow_monitor_policies] | No | |
| macsec_interface_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| ingress_data_plane_policing_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| egress_data_plane_policing_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |

netflow_monitor_policies (apic.access_policies.leaf_interface_policy_groups)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| ip_filter_type | Choice | ipv4, ipv6, ce, unspecified | No | ipv4 |

Examples

Example-1: This example configures a basic access (single-link) IPG named SERVER1. It sets the essential properties: link_level_policy is 10G (a user-defined policy), cdp_policy is CDP-ENABLED, lldp_policy is LLDP-ENABLED, and the IPG is associated with the aaep named AAEP1. The AAEP association is critical because it lets ACI validate which VLAN pools are allowed on which interface policy groups, linking the access policies configuration chain.

```yaml
apic:
  access_policies:
    leaf_interface_policy_groups:
      - name: SERVER1
        type: access
        link_level_policy: 10G
        cdp_policy: CDP-ENABLED
        lldp_policy: LLDP-ENABLED
        aaep: AAEP1
```

Example-2: This example configures a pair of bundle (PC or vPC) interface policy groups, typically seen for HA devices such as firewalls and load balancers. The IPGs in this case are for Palo-Alto-FW-01 and Palo-Alto-FW-02, with each device connecting to a pair of leafs using vPC. Because this is a bundle IPG, the bundle name must be unique per PC/vPC: all interfaces associated with it become members of the same bundle. It is identified as a bundle IPG because its type is configured as vpc. Since the two IPGs are for identical devices, they are identical in configuration. This example uses system-defined policies: cdp_policy is set to system-cdp-disabled since these are non-Cisco devices, lldp_policy is set to system-lldp-enabled, and link_level_policy is set to system-link-level-40G-auto (40G with auto-negotiation on). The IPGs are associated with the relevant AAEP named AAEP1.

```yaml
apic:
  access_policies:
    leaf_interface_policy_groups:
      - name: Palo-Alto-FW-01
        type: vpc
        link_level_policy: system-link-level-40G-auto
        cdp_policy: system-cdp-disabled
        lldp_policy: system-lldp-enabled
        aaep: AAEP1
        port_channel_policy: system-lacp-active
      - name: Palo-Alto-FW-02
        type: vpc
        link_level_policy: system-link-level-40G-auto
        cdp_policy: system-cdp-disabled
        lldp_policy: system-lldp-enabled
        aaep: AAEP1
        port_channel_policy: system-lacp-active
```

Example-3: This example demonstrates an IPG for an HPE Synergy blade server chassis, connecting to ACI via its ToR Virtual Connect switches. The IPG is named HPE-Synergy, and it builds on the previous examples by adding some L2 hardening configuration, which may be required during the migration phase to ensure such a ToR switch does not misbehave (e.g. by causing a loop or participating in STP unexpectedly). To achieve this, in addition to the configuration outlined in Example-2, this IPG adds an mcp_policy using the system-mcp-enabled system policy, a storm_control_policy named 10P to apply storm control, and an STP policy named BPDU-FILTER to discard any unwanted BPDUs.

```yaml
apic:
  access_policies:
    leaf_interface_policy_groups:
      - name: HPE-Synergy
        type: vpc
        link_level_policy: system-link-level-40G-auto
        cdp_policy: system-cdp-disabled
        lldp_policy: system-lldp-enabled
        aaep: AAEP1
        port_channel_policy: system-lacp-active
        mcp_policy: system-mcp-enabled
        storm_control_policy: 10P
        spanning_tree_policy: BPDU-FILTER
```

Example-4: Full example

```yaml
apic:
  access_policies:
    leaf_interface_policy_groups:
      - name: SERVER1
        description: "Server1"
        type: access
        link_level_policy: 10G
        cdp_policy: CDP-ENABLED
        lldp_policy: LLDP-ENABLED
        spanning_tree_policy: BPDU-FILTER
        mcp_policy: MCP-ENABLED
        l2_policy: PORT-LOCAL
        storm_control_policy: 10P
        port_channel_policy: LACP-ACTIVE
        port_channel_member_policy: FAST
        ingress_data_plane_policing_policy: DPP1
        egress_data_plane_policing_policy: DPP2
        aaep: AAEP1
        netflow_monitor_policies:
          - name: MONITOR1
            ip_filter_type: ipv6
        macsec_interface_policy: MACSEC_INT1
```
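
The following Python check is an added example, not part of this page's original material or of the data model's own tooling. It applies the constraints from the tables above to IPG entries, rejects unknown keys so that a misspelled attribute cannot silently leave a port without its intended policy, and reports entries that lack the AAEP association or the L2 hardening policies from Example-3. The advisory rule, the names `check_ipg` and `EXPECTED`, and the `BAD` sample entry are assumptions made for illustration.

```python
import re
# Constraints copied from the tables on this page.
NAME_RE = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
DESC_RE = re.compile(r"^[a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]{1,128}$")
TYPES = {"access", "vpc", "pc", "breakout"}
MAPS = {"none", "10g-4x", "25g-4x", "100g-2x", "50g-8", "100g-4x"}
IP_FILTERS = {"ipv4", "ipv6", "ce", "unspecified"}
POLICY_REFS = {
    "link_level_policy", "cdp_policy", "lldp_policy", "spanning_tree_policy",
    "mcp_policy", "l2_policy", "port_channel_policy", "port_channel_member_policy",
    "storm_control_policy", "aaep", "macsec_interface_policy",
    "ingress_data_plane_policing_policy", "egress_data_plane_policing_policy"}
OTHER_KEYS = {"name", "description", "type", "map", "netflow_monitor_policies"}
# Assumption: a local review rule (not a schema constraint) built from Example-3.
EXPECTED = ("aaep", "mcp_policy", "storm_control_policy", "spanning_tree_policy")

def _ok(regex, value):
    # fullmatch also rejects a trailing newline, which "$" alone would accept.
    return isinstance(value, str) and regex.fullmatch(value) is not None

def check_ipg(ipg):
    """Return (errors, advisories) for one leaf_interface_policy_groups entry."""
    errors = [f"{k}: unknown key" for k in sorted(set(ipg) - POLICY_REFS - OTHER_KEYS)]
    if not _ok(NAME_RE, ipg.get("name")):
        errors.append("name: mandatory, must match the name regex")
    if ipg.get("type") not in TYPES:
        errors.append("type: mandatory, must be one of " + "/".join(sorted(TYPES)))
    if ipg.get("map", "none") not in MAPS:
        errors.append("map: invalid choice")
    if "description" in ipg and not _ok(DESC_RE, ipg["description"]):
        errors.append("description: does not match the description regex")
    errors += [f"{k}: does not match the name regex"
               for k in sorted(POLICY_REFS & set(ipg)) if not _ok(NAME_RE, ipg[k])]
    for mon in ipg.get("netflow_monitor_policies", []):
        if not _ok(NAME_RE, mon.get("name")):
            errors.append("netflow_monitor_policies.name: must match the name regex")
        if mon.get("ip_filter_type", "ipv4") not in IP_FILTERS:
            errors.append("netflow_monitor_policies.ip_filter_type: invalid choice")
    return errors, [f"{k}: not set" for k in EXPECTED if k not in ipg]

# Example-3 from this page, then a constructed entry with deliberate mistakes.
HPE = {"name": "HPE-Synergy", "type": "vpc", "aaep": "AAEP1",
       "link_level_policy": "system-link-level-40G-auto",
       "cdp_policy": "system-cdp-disabled", "lldp_policy": "system-lldp-enabled",
       "port_channel_policy": "system-lacp-active", "mcp_policy": "system-mcp-enabled",
       "storm_control_policy": "10P", "spanning_tree_policy": "BPDU-FILTER"}
BAD = {"name": "FW 01", "type": "trunk", "stormcontrol_policy": "10P",
       "netflow_monitor_policies": [{"name": "MONITOR1", "ip_filter_type": "ipv5"}]}
print(check_ipg(HPE), check_ipg(BAD), sep="\n")
```
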