Lab 2: access policies + static path binding

Build the ACI Simulator access policy chain for Lab 1 EPGs using VLAN pool, physical domain, AEP, access port policy group, and static path bindings.

Lab 2 extends the Lab 1 tenant model into the ACI access policy chain. Lab 1 created lab-prod, three-tier-app, and the web, app, and db EPGs. This lab makes those EPGs eligible to attach to leaf/interface paths through VLAN encapsulation.

The important simulator caveat: these are simulated fabric nodes and paths. They are useful for APIC policy, inventory, static path, and fault learning, but they do not prove real endpoint packet forwarding. Use EVE-NG or physical gear when you need packets, captures, and dataplane troubleshooting.

Target model

VLAN pool lab-vlan-pool VLANs 110-130

Physical domain lab-phys

AEP lab-aep

Access port policy group lab-access-pg

Leaf/interface path selection

Tenant lab-prod

Application profile three-tier-app

EPG web

EPG app

EPG db

What you will create

Object	Name or value
VLAN pool	`lab-vlan-pool`
VLAN range	`110-130`
Domain	Physical domain `lab-phys`
AEP	`lab-aep`
Access port policy group	`lab-access-pg`
Path selection	Simulated leaf1 paths `eth1/10`, `eth1/11`, and `eth1/12`
EPG domain association	Associate `web`, `app`, and `db` with `lab-phys`
Static path binding	`web` to leaf1 `eth1/10`, VLAN `110`
Static path binding	`app` to leaf1 `eth1/11`, VLAN `120`
Static path binding	`db` to leaf1 `eth1/12`, VLAN `130`

Build the reusable access policy chain

The infrastructure objects are reusable. Build them before touching the EPG bindings.

Create VLAN pool lab-vlan-pool.
Add VLAN range 110-130 to the pool.
Create physical domain lab-phys.
Associate lab-phys with VLAN pool lab-vlan-pool.
Create AEP lab-aep.
Associate lab-aep with physical domain lab-phys.
Create access port policy group lab-access-pg.
Attach lab-aep to lab-access-pg.

At this point, the access policy chain should read:

Chain step	Lab object
VLAN allocation	`lab-vlan-pool`, VLANs `110-130`
Attachment type	Physical domain `lab-phys`
Access entity	AEP `lab-aep`
Interface behavior	Access port policy group `lab-access-pg`

Select the leaf/interface paths

Use a leaf and interface path that exists in your APIC Simulator inventory. The exact node and interface can vary by simulator version and discovered fabric inventory, so choose a valid path from the GUI rather than typing a made-up path.

In the current lab, the built-in simulated switches are registered and APIC exposes path endpoints. Use these beginner-safe paths:

EPG	Path
`web`	`topology/pod-1/paths-101/pathep-[eth1/10]`
`app`	`topology/pod-1/paths-101/pathep-[eth1/11]`
`db`	`topology/pod-1/paths-101/pathep-[eth1/12]`

For each selected access port:

Confirm the leaf appears in the simulator fabric inventory.
Confirm the interface appears as a selectable path.
Apply or select the access port policy group lab-access-pg through the access policy profile workflow.
Avoid reusing a path that already has an unrelated lab binding unless you are intentionally replacing that lab.

Associate the EPGs with the physical domain

Before static path bindings can work cleanly, each EPG must know that it is allowed to use the physical domain.

In tenant lab-prod, application profile three-tier-app:

Open EPG web.
Associate physical domain lab-phys.
Repeat for EPG app.
Repeat for EPG db.

If you skip this step, APIC can show domain or deployment faults when you bind the EPG to a physical path.

Add static path bindings

Bind each EPG to the selected leaf/interface path with a different VLAN encapsulation.

EPG	Encapsulation
`web`	VLAN `110`
`app`	VLAN `120`
`db`	VLAN `130`

Use the same path only if the simulator workflow allows it and you are modeling a trunk-style learning exercise. For a cleaner beginner lab, use separate available interfaces for the three EPGs when possible.

For each EPG:

Open the EPG static path binding workflow.
Select the leaf/interface path from inventory.
Set the encapsulation VLAN.
Use the physical domain association already added to the EPG.
Submit the change and check faults before moving to the next EPG.

Verification checklist

Check these in APIC before calling the lab complete:

VLAN pool lab-vlan-pool exists.
VLAN pool lab-vlan-pool includes VLANs 110-130.
Physical domain lab-phys points to lab-vlan-pool.
AEP lab-aep is associated with lab-phys.
Access port policy group lab-access-pg uses lab-aep.
EPG web is associated with lab-phys.
EPG app is associated with lab-phys.
EPG db is associated with lab-phys.
The tenant and access policy objects have no obvious APIC faults.
The selected leaf/interface path exists in simulator inventory.
EPG web has a static path binding with VLAN 110.
EPG app has a static path binding with VLAN 120.
EPG db has a static path binding with VLAN 130.

In the current lab automation run, verification returned ready: true, tenant_fault_count: 0, fabric_path_endpoint_count: 504, and static_bindings_skipped: 0.

What this lab teaches

You should leave Lab 2 understanding:

VLAN pools define which VLAN IDs APIC can allocate or validate.
A physical domain makes that VLAN pool usable for bare-metal or non-VMM attachments.
An AEP connects the domain side of policy to interface policy groups.
Access port policy groups describe how a set of ports should behave.
EPG domain association says an application policy object may use that physical domain.
Static path binding maps an EPG to a specific leaf/interface path and VLAN encapsulation.

This is still policy modeling. The simulator can show object health and dependency problems, but it is not proof that real hosts can pass traffic.