Designing Cisco ACI Fabric Access Policies


This section applies to both direct port-channels (DPCs) and virtual port-channels (vPCs). Port-channels differ from access ports in that every port-channel is unique, so each one needs its own policy group rather than a shared one. For this use case, the hostname and uplink number of the endpoint device are worked into the naming convention. You can substitute "dpc" for "vpc" in the names below. The main difference between a DPC and a vPC is in the interface profile: a DPC is applied to a single leaf switch, while a vPC straddles two leaf switches, just as in traditional environments.

One thing to note is that you would typically not use vPCs for routers or Layer 3 switches, because some features, such as Layer 3 PIM multicast routing, are not supported over vPC (as of yet). If you have no need for Layer 3 PIM multicast on those links, then you are good to go with a vPC for these endpoints too.

As far as the naming convention goes, if you have customers whose hostnames already include the type of device, then I suggest you get creative so the device-type code is not duplicated in the name.

Port-channel Interface Access Policy Group   | AEP Association  | Purpose
<Hostname>-BM-U<uplink#>-vpc_polgrp           | BM-Compute_aep   | Bare-metal servers with port-channels
<Hostname>-VMM-U<uplink#>-vpc_polgrp          | VMM-Compute_aep  | Virtualized hosts or upstream switches (UCS FI or HP c7000) with port-channels
<Hostname>-FW-U<uplink#>-vpc_polgrp           | Infra_aep        | Firewall with port-channel
<Hostname>-LB-U<uplink#>-vpc_polgrp           |                  | Load-balancer with port-channel
<Hostname>-RTR-U<uplink#>-dpc_polgrp          |                  | Router with port-channel
<Hostname>-SW-U<uplink#>-dpc_polgrp           |                  | Switch with port-channel
<Hostname>-WLC-U<uplink#>-vpc_polgrp          |                  | Wireless Controller with port-channel
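The following is an added example, not code from the original post or from Cisco, that turns the convention in the table into something you can enforce instead of just document. It builds and parses policy-group names, rejects a vPC name for the router and switch types (which the table keeps on DPCs because of the Layer 3 multicast caveat), checks that a dpc group is scoped to one leaf and a vpc group to a leaf pair, and emits the APIC JSON for the bundle group with its AEP relation. The APIC class and attribute names used (infraAccBndlGrp, lagT with "node" for vPC and "link" for PC, infraRsAttEntP pointing at uni/infra/attentp-<AEP>) are my reading of the ACI object model and should be checked against your APIC version; the hostnames and leaf IDs in the usage section are constructed.

```python
"""Helpers for the port-channel policy-group naming convention in the table above."""
import json
import re

# Device-type codes from the table, the AEP each is associated with (None where
# the table leaves that column blank) and whether the convention uses a vPC
# ("vpc") or a direct port-channel ("dpc") for that device type.
DEVICE_TYPES = {
    "BM":  {"aep": "BM-Compute_aep",  "pc": "vpc"},
    "VMM": {"aep": "VMM-Compute_aep", "pc": "vpc"},
    "FW":  {"aep": "Infra_aep",       "pc": "vpc"},
    "LB":  {"aep": None,              "pc": "vpc"},
    "RTR": {"aep": None,              "pc": "dpc"},   # L3 device: no vPC (PIM caveat)
    "SW":  {"aep": None,              "pc": "dpc"},   # L3 device: no vPC (PIM caveat)
    "WLC": {"aep": None,              "pc": "vpc"},
}

# Characters and length APIC accepts for object names (assumed 64-char limit).
ACI_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")
POLGRP_RE = re.compile(
    r"^(?P<host>.+)-(?P<type>[A-Z]+)-U(?P<uplink>\d+)-(?P<pc>vpc|dpc)_polgrp$"
)


def polgrp_name(hostname, dev_type, uplink):
    """Build <Hostname>-<TYPE>-U<uplink#>-<vpc|dpc>_polgrp for a device."""
    if dev_type not in DEVICE_TYPES:
        raise ValueError(f"unknown device type {dev_type!r}")
    if not isinstance(uplink, int) or uplink < 1:
        raise ValueError("uplink number must be a positive integer")
    pc = DEVICE_TYPES[dev_type]["pc"]
    name = f"{hostname}-{dev_type}-U{uplink}-{pc}_polgrp"
    if not ACI_NAME_RE.match(name):
        raise ValueError(f"{name!r} is not a valid APIC object name")
    return name


def parse_polgrp_name(name):
    """Split a policy-group name into its parts; reject unknown types or the
    wrong port-channel kind for the type (e.g. a vpc group for a router)."""
    m = POLGRP_RE.match(name)
    if not m or m["type"] not in DEVICE_TYPES:
        raise ValueError(f"{name!r} does not follow the convention")
    expected = DEVICE_TYPES[m["type"]]["pc"]
    if m["pc"] != expected:
        raise ValueError(f"{m['type']} devices use {expected}, not {m['pc']}")
    return {"host": m["host"], "type": m["type"],
            "uplink": int(m["uplink"]), "pc": m["pc"]}


def check_leaf_scope(name, leaf_ids):
    """A dpc group belongs in one leaf's interface profile, a vpc group in a
    leaf pair's; anything else is a mis-scoped interface profile."""
    pc = parse_polgrp_name(name)["pc"]
    want = 1 if pc == "dpc" else 2
    if len(set(leaf_ids)) != want:
        raise ValueError(
            f"{name} is a {pc}; expected {want} leaf(s), got {sorted(set(leaf_ids))}")
    return True


def bundle_group_payload(hostname, dev_type, uplink, aep=None):
    """APIC JSON for the infraAccBndlGrp object plus its AEP relation.
    POST it to /api/mo/uni/infra/funcprof/accbundle-<name>.json."""
    name = polgrp_name(hostname, dev_type, uplink)
    pc = DEVICE_TYPES[dev_type]["pc"]
    aep = aep or DEVICE_TYPES[dev_type]["aep"]
    if aep is None:
        raise ValueError(f"no AEP defined for {dev_type}; pass aep= explicitly")
    return {
        "infraAccBndlGrp": {
            # lagT "node" = vPC across two leaves, "link" = direct port-channel
            "attributes": {"name": name, "lagT": "node" if pc == "vpc" else "link"},
            "children": [
                {"infraRsAttEntP": {"attributes": {"tDn": f"uni/infra/attentp-{aep}"}}}
            ],
        }
    }


if __name__ == "__main__":
    # Constructed sample devices, not from the original post.
    print(polgrp_name("esx-01", "VMM", 1))
    print(check_leaf_scope("esx-01-VMM-U1-vpc_polgrp", [101, 102]))
    print(json.dumps(bundle_group_payload("edge-rtr-01", "RTR", 2, aep="Infra_aep"),
                     indent=2))
```

The name parser deliberately refuses a "vpc" suffix on RTR or SW groups, so a script that feeds policy groups into an interface profile fails early instead of silently building a vPC for a router that needs PIM; if you add device types to the table, add them to DEVICE_TYPES rather than loosening the regex.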
