In-Band Management Configuration in ACI

High-Level Objective

The goal is to enable APICs, leaf switches, and spine switches to:

• Use in-band management IP addresses

• Carry management traffic over the ACI fabric data plane

• Reach external management services such as DNS, NTP, TACACS, Syslog, and monitoring systems

To achieve this, Cisco ACI requires three mandatory building blocks, exactly as defined in the official documentation:

1. Access policies to carry the In-Band VLAN

2. In-Band management IP addressing within the mgmt tenant

3. Route leakage via an In-Band L3Out

All three components are required. Omitting any one of them results in partial or nonfunctional in-band management.

Part 1 — Carry the In-Band VLAN on Leaf Interfaces (Access Policy)

This section is mandatory. Without it, in-band traffic never leaves the APIC’s physical NIC.

Step 1.1 — Create a Static VLAN Pool

Purpose

• The In-Band VLAN must be explicitly permitted on leaf interfaces

• VLAN allocation must be static, as this is management traffic

GUI Path

Fabric > Access Policies > Pools > VLAN

Key Settings

• Allocation Mode: Static

• VLAN Range: e.g., vlan-10

Step 1.2 — Create a Physical Domain

Purpose

• Domains bind VLAN pools to EPGs

GUI Path

Fabric > Access Policies > Physical and External Domains > Physical Domains

Action

• Associate the previously created VLAN pool

Step 1.3 — Create an Attachable Access Entity Profile (AEP)

Purpose

• The AEP binds physical domains to interfaces

GUI Path

Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles

Key Points

• Associate the Physical Domain

• Do not auto-attach interfaces yet

Step 1.4 — Create a Leaf Access Port Policy Group

Purpose

• Defines the behavior of APIC-facing leaf ports

GUI Path

Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups

Important Requirement

• LLDP must be enabled

Step 1.5 — Create a Leaf Interface Profile

Purpose

• Identifies the exact leaf interfaces connected to APICs

GUI Path

Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles

Configuration

• Specify interface IDs (e.g., Eth1/47, Eth1/48)

• Attach the previously created policy group

Step 1.6 — Apply the Interface Profile to a Leaf Switch Profile

Purpose

• Pushes configuration to the physical leaf switches

GUI Path

Fabric > Access Policies > Switches > Leaf Switches > Profiles

Outcome of Part 1

• APIC-facing leaf interfaces now carry the In-Band VLAN

Part 2 — Configure In-Band IPs in the mgmt Tenant

Step 2.1 — Create an In-Band Bridge Domain

Purpose

• In-Band IPs must reside within a Bridge Domain and VRF

GUI Path

Tenants > mgmt > Networking > Bridge Domains

Critical Settings

• Subnet: e.g., 192.168.6.0/24

• Gateway: e.g., 192.168.6.254

• Scope: Advertised Externally

This explicitly allows the subnet to be leaked outside the fabric.

Step 2.2 — Create an In-Band Management EPG

GUI Path

Tenants > mgmt > Node Management EPGs > Create In-Band Management EPG

Key Settings

• VLAN: from the In-Band VLAN pool (e.g., vlan-10)

• Bridge Domain: In-Band BD

Step 2.3 — Assign In-Band IP Addresses to Nodes

GUI Path

Tenants > mgmt > Node Management Addresses

Result

• APICs, leafs, and spines receive:

  • IP address

  • Gateway

  • VLAN binding

📌 At this stage:

• Nodes can communicate within the In-Band subnet

• ❌ No external connectivity exists yet

Part 3 — Create the In-Band L3Out

Why an In-Band L3Out Is Required ?

“You can share the In-Band subnet to other networks through any route leakage method. The In-Band EPG is regarded as a special EPG, but there is no difference from a normal EPG when configuring route leakage.”

Translated plainly:

• The In-Band EPG behaves like a normal EPG

• External connectivity requires an L3Out

• No L3Out means no routed connectivity

Step 3.1 — Create an L3Out in the mgmt Tenant

GUI Path

Tenants > mgmt > Networking > L3Outs

Key Settings

• VRF: mgmt:inb

• Routing Protocol: OSPF, BGP, or Static

• Configure border leaf interfaces

This L3Out connects the management VRF to the external network and exchanges routes.

Step 3.2 — Associate the In-Band Bridge Domain to the L3Out

Purpose

• Enables routing of the In-Band subnet

GUI Path

Tenants > mgmt > Networking > Bridge Domains > inb

Step 3.3 — Create a Contract

Purpose

• ACI does not forward traffic without contracts

GUI Path

Tenants > mgmt > Contracts

Note

• Management environments often use broad permits (apply carefully)

Step 3.4 — Apply the Contract to the In-Band EPG

• Provide and Consume the contract

Step 3.5 — Apply the Contract to the L3Out External EPG

• Provide and Consume the contract

Outcome of Part 3

• The In-Band subnet is routable

• External management services are reachable

What Happens If the In-Band L3Out Is Missing?

This behavior is commonly observed in real TAC cases.

1. Local Connectivity Only

• Nodes can ping each other

• Gateway responds

• Anything beyond the subnet fails

2. External Management Services Fail

3. APIC Prefers In-Band Management

When In-Band management is configured, APIC always prefers In-Band traffic, even if Out-of-Band management exists.

If the In-Band L3Out is missing, this preference leads to silent and confusing failures.

Memorize

In-Band IP ≠ External ReachabilityExternal Reachability = L3Out + Contracts

Useful TAC Verification Commands

On leaf switches

show vrf mgmt:inb
show ip route vrf mgmt:inb

On APIC

show inband-mgmt
ip route show