Cisco ACI IN-BAND MANAGEMENT Configuration [Step By Step]
This guide walks step by step through configuring In-Band management for ACI: the APICs, leaf switches, and spine switches. The objective is to allow endpoints outside the ACI fabric to access the APICs, leafs, and spines using their In-Band Management IPs.
ACI version 4.2(2i)
I- CONFIGURING IN-BAND FABRIC ACCESS POLICIES:
The first part of the In-Band Management configuration is the creation of all access policies for the leaf fabric interfaces that connect to your APICs. In my setup LEAF-1 and LEAF-2 are connected to APIC-1, APIC-2, and APIC-3 using interfaces Eth1/46-48 as shown in the previous topology.
1- Leaf Profile configuration:
Navigate to the following APIC web GUI path:
Fabric -> Access Policies -> Switches -> Leaf Switches -> Profiles
Right-click Profiles, then click Create Leaf Profile.
Enter the name of the leaf profile “Leaf-101-102_Inband_LeafProfile”, give the leaf selector a name, then choose the leafs that will participate in this leaf profile.
Click Next, then Finish. Ignore the interface association for now; we come back to it later.
2- Create Interface Profile:
Navigate to: Fabric -> Access Policies -> Interfaces -> Leaf Interfaces -> Profiles
Right-click Profiles, then click Create Leaf Interface Profile:
In the Interface Selectors field, click the (+) sign to create an interface selector, give it a name, and choose the interface IDs that are connected to the APICs on Leaf1 and Leaf2.
According to our topology, Leaf1 and Leaf2 are connected to the APICs through interfaces Eth1/46 (APIC-1), Eth1/47 (APIC-2) and Eth1/48 (APIC-3).
So, in the Interface IDs field we specify 1/46-48:
3- Create Interface Policy group:
Next, we create the Interface Policy Group, in which we define the specification of our ports. Click on Interface Policy Group and then select:
“Create Leaf Access Port Policy Group”
We name our interface policy group InBand-PolicyGroup, then we create an LLDP policy and an Attachable Access Entity Profile (AAEP):
Now, we create the LLDP interface policy: “LLDP ENABLE”
Click Submit, then save:
The next step is to create the AAEP:
4- Create AAEP:
To create the AAEP, navigate to the following APIC web GUI path:
Fabric -> Access Policies -> Policies -> Global -> Attachable Access Entity Profiles
Right-click on Attachable Access Entity Profiles and click “Create Attachable Access Entity Profile”:
A pop-up appears; assign a name to the AAEP:
5- Create Physical Domain:
Then, we create a physical domain.
Click the (+) sign to create it directly, or navigate to the following APIC web GUI path:
Fabric -> Access Policies -> Physical and External Domains -> Physical Domains
We create “InBand_PhysDomain”:
6- Create VLAN Pool:
Navigate to the following APIC web GUI path:
Fabric -> Access Policies -> Pools -> VLAN
Then right-click and choose Create VLAN Pool.
Name the VLAN pool “InBand_VLANPool” and choose static allocation mode:
Choose the In-Band VLAN ID and static allocation mode, then click OK:
- Associate the VLAN pool with the physical domain and choose the AAEP:
At this point, the access policies for the In-Band management configuration are done. We move on to the mgmt tenant configuration:
II- CONFIGURING MGMT TENANT POLICIES:
Navigate to: Tenant -> ALL TENANTS -> mgmt
Click on the mgmt tenant:
By default, ACI comes with a Bridge Domain named inb, which is configured to use the inb VRF. Now we will define the subnet we want to use for In-Band Management in our inb Bridge Domain.
Navigate to : Tenants -> mgmt -> Networking -> Bridge Domains -> inb
In the right-hand panel we’ll select the Policy and L3 Configurations tab:
Now, we add the subnet for In-Band Management. To do so, click the (+) sign in the Subnets field:
Click Submit, then save and apply your configuration.
The next step in the mgmt tenant is to create our In-Band EPG.
Navigate to: Tenant -> mgmt -> Node Management EPGs
Right-click on Node Management EPGs, and click Create In-Band Management EPG.
Create In-Band-EPG, choose encapsulation v-150 and bridge domain ‘inb’, and click Submit.
Next, we will create the inband addresses for the APICs and Leafs.
Navigate to:
Tenants -> mgmt -> Node Management Addresses -> Static Node Management Addresses:
Right-click Static Node Management Addresses then click Create Static Node Management Address:
Now, we only need to consume and provide a contract between the Inband EPG and the L3OUT Ext EPG, L2OUT Ext EPG or an Internal EPG.
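The mgmt tenant steps of section II, expressed as the object tree that the APIC REST API uses (an added example, not part of the original guide). Before building the payload, the function checks that the encapsulation VLAN falls inside the static pool and that every static node address sits in the inb bridge domain subnet. The 192.0.2.0/24 subnet, the addresses, node IDs 1-3 for the APICs, pod 1, the single-VLAN pool range, and the reading of the guide's "v-150" as VLAN 150 are assumptions.

```python
import ipaddress

def build_inband_payload(epg_name, vlan_id, pool_range, bd_gateway, nodes, pod=1):
    """Return the mgmt-tenant object tree for in-band management as a dict.

    bd_gateway: 'ip/prefix' configured as the subnet on bridge domain inb.
    nodes: {node_id: 'ip/prefix'} static in-band addresses.
    Raises ValueError when the pieces are inconsistent.
    """
    lo, hi = pool_range
    if not lo <= vlan_id <= hi:
        raise ValueError(f"vlan-{vlan_id} is outside VLAN pool {lo}-{hi}")
    gw = ipaddress.ip_interface(bd_gateway)
    seen = {gw.ip}  # the gateway address itself must not be reused by a node
    static_nodes = []
    for node_id, addr in sorted(nodes.items()):
        iface = ipaddress.ip_interface(addr)
        if iface.network != gw.network:
            raise ValueError(f"node {node_id}: {addr} is not in {gw.network}")
        if iface.ip in seen:
            raise ValueError(f"node {node_id}: {iface.ip} is already in use")
        seen.add(iface.ip)
        static_nodes.append({"mgmtRsInBStNode": {"attributes": {
            "tDn": f"topology/pod-{pod}/node-{node_id}",
            "addr": str(iface), "gw": str(gw.ip)}}})
    inb_epg = {"mgmtInB": {
        "attributes": {"name": epg_name, "encap": f"vlan-{vlan_id}"},
        "children": [{"mgmtRsMgmtBD": {"attributes": {"tnFvBDName": "inb"}}}]
                    + static_nodes}}
    bridge_domain = {"fvBD": {
        "attributes": {"name": "inb"},
        "children": [{"fvSubnet": {"attributes": {"ip": str(gw)}}}]}}
    return {"fvTenant": {
        "attributes": {"name": "mgmt"},
        "children": [bridge_domain,
                     {"mgmtMgmtP": {"attributes": {"name": "default"},
                                    "children": [inb_epg]}}]}}

# Constructed sample values: the subnet, addresses and APIC node IDs are assumptions.
SAMPLE_NODES = {1: "192.0.2.1/24", 2: "192.0.2.2/24", 3: "192.0.2.3/24",
                101: "192.0.2.101/24", 102: "192.0.2.102/24"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_inband_payload(
        "In-Band-EPG", 150, (150, 150), "192.0.2.254/24", SAMPLE_NODES), indent=2))
```

Serialized as JSON, the returned dictionary has the shape APIC accepts on a POST to /api/mo/uni.json.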