Introduction
This document describes the new interface configuration approach in ACI and provides steps to fix errors when modifying system-generated access policies tied to it.
Background Information
The 5.2.4 and later releases introduced the "per-port configuration" option (also called "interface configuration" or infraPortConfig) to simplify access policies.
Traditionally, ACI uses four objects (switch profile, switch selector, interface profile, and interface selector) to select a certain interface on a certain switch node.
This document refers to this mode of operations as the "profiles and selectors configuration." This image illustrates the configuration:
The interface configuration option presents the four objects as a single object. As a result, you do not need to use nor maintain switch profiles, switch selectors, interface profiles, and interface selectors.
The details are documented in the config guide. Please always reference the configuration guide for the latest updates.
https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/l2-configuration/cisco-apic-layer-2-networking-configuration-guide-60x/access-interfaces-60x.html
What is important to know is that when using the new "interface configuration" option, the Cisco APIC creates and maintains switch profiles and selectors and interface profiles and selectors as read-only with as few objects as possible.
These objects that the Cisco APIC creates automatically are called "system-generated profiles".
If you try to edit a system-generated profile in any other way, you see an error such as "It is not possible to delete <> since the parent is a system-generated Profile" or "It is not possible to delete <> since it is a system-generated MO".
Specific error examples:
Error 1. Failed to delete object:
It is not possible to delete infraPortBlk uni/infra/accportprof-system-port-profile-node-600/hports-system-port-selector-accbundle-DstSymmpo-typ-range/portblk-portblock1 under infraAccPortP uni/infra/accportprof-system-port-profile-node-600 since the parent is a system generated profile.
Error 2. Error: 400:
It is not possible to modify infraPortBlk uni/infra/accportprof-system-port-profile-node-600/hports-system-port-selector-accbundle-DstSymmpo-typ-range/portblk-portblock1 under infraAccPortP uni/infra/accportprof-system-port-profile-node-600 since the parent is a system generated profile.
Error 3. Failed to delete object:
It is not possible to delete infraAccPortP uni/infra/accportprof-system-port-profile-node-600 since it is a system-generated MO.
Edit the System-generated Objects
The editing of these read-only switch profiles and selectors and interface profiles and selectors can be done only via Fabric > Access Policies > Interface Configurations.
On a lab APIC running 6.0.2h, there are no system-generated profiles yet. This is the case for a greenfield deployment as well as for a fabric that was upgraded from an older release to 5.2.4 or later.
Configure Interface on Leaf 101
Assign interface e1/8 on leaf 101 to use a 10gig interface policy.
You can either manually add the interface to an existing interface profile, if one is already created, or, as in this exercise, use the Quick Start Wizard as shown in the image.
Once the configuration is saved, you see different system policies are created as shown in this image.
You can see that the objects described earlier have been created:
1. Switch profile > system-node-profile-101
2. Interface Profile > system-port-profile-node-101
3. Port Selector > system-port-selector-accportgrp-10gig_policy
If you add one more interface, E1/9, to the same policy using the Quick Start Wizard, the port blocks of the system port selector "system-port-selector-accportgrp-10gig_policy" include E1/9 as well.
The difference between the policy created using the wizard and a user-defined policy is that the system policy is read-only.
You can right-click on a policy to view the object store browser and see the creator of the object as shown in the image.
How to Edit a System Profile Policy
As an example, if you try deleting the system port selector e1/8 from the system port profile, you see an error as shown in the image:
To modify a system-generated profile, navigate to Fabric > Access Policies > Interface Configuration.
Here you can clear or edit the configuration for E1/8.
Once you elect to clear the policy associated with port e1/8 on leaf 101, you are prompted for confirmation and then the system policy is updated accordingly.
API Approach to Add/Delete the Interface Configuration
Add Interface Policy "10gig_policy" to Leaf 101 - E1/8
echo '{"infraInfra":{"attributes":{},"children":[{"infraPortConfig":{"attributes":{"assocGrp":"uni/infra/funcprof/accportgrp-10gig_policy","description":"","node":"101","card":"1","port":"8","role":"leaf","brkoutMap":"none","connectedFex":"unspecified","pcMember":""},"children":[]}}]}}' > interfaceconfig.json
icurl -X POST http://localhost:7777/api/mo/uni/infra.json -d @interfaceconfig.json
Add Interface Policy "bcg1-3k" to Leaf 101 - E1/10
echo '{"infraInfra":{"attributes":{},"children":[{"infraPortConfig":{"attributes":{"assocGrp":"uni/infra/funcprof/accportgrp-bcg1-3k","description":"","node":"101","card":"1","port":"10","role":"leaf","brkoutMap":"none","connectedFex":"unspecified","pcMember":""},"children":[]}}]}}' > interfaceconfig1.json
icurl -X POST http://localhost:7777/api/mo/uni/infra.json -d @interfaceconfig1.json
Delete Interface Configuration Associated with Leaf 101 - E1/10
echo '{"infraInfra":{"attributes":{},"children":[{"infraPortConfig":{"attributes":{"dn":"uni/infra/portconfnode-101-card-1-port-10-sub-0","status":"deleted"},"children":[]}}]}}' > interfaceconfig_delete1.json
icurl -X POST http://localhost:7777/api/mo/uni/infra.json -d @interfaceconfig_delete1.json
Add Interface Policy "bcg1-3k" to leaf 102 - E1/14
Prior to this add, there is neither a system node profile nor a system port profile for switch 102. This POST creates both of these policies.
echo '{"infraInfra":{"attributes":{},"children":[{"infraPortConfig":{"attributes":{"assocGrp":"uni/infra/funcprof/accportgrp-bcg1-3k","description":"","node":"102","card":"1","port":"14","role":"leaf","brkoutMap":"none","connectedFex":"unspecified","pcMember":""},"children":[]}}]}}' > interfaceconfig2.json
icurl -X POST http://localhost:7777/api/mo/uni/infra.json -d @interfaceconfig2.json
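The following is an added example (not Cisco code and not part of the original document) that builds the same infraPortConfig add and delete payloads shown above from node/card/port values, derives the portconfnode DN used by the delete, and extracts the leaf node ID from the "system generated" error texts listed earlier so an operator knows which switch's Interface Configuration entries to edit instead. It assumes that posting the payload is done by the caller, for example with the icurl commands on this page.

```python
"""Helpers for the ACI "interface configuration" (infraPortConfig) mode.
Added example, not Cisco code. Posting to the APIC is left to the caller."""
import json
import re

ACCPORTGRP_PREFIX = "uni/infra/funcprof/accportgrp-"


def port_config_dn(node, card, port, sub=0):
    # DN format used by the delete payload on this page
    return f"uni/infra/portconfnode-{node}-card-{card}-port-{port}-sub-{sub}"


def add_payload(node, card, port, policy_group, role="leaf"):
    """infraInfra wrapper with one infraPortConfig child; attribute names
    and order mirror the echo payloads on this page."""
    attrs = {
        "assocGrp": ACCPORTGRP_PREFIX + policy_group,
        "description": "",
        "node": str(node), "card": str(card), "port": str(port),
        "role": role, "brkoutMap": "none",
        "connectedFex": "unspecified", "pcMember": "",
    }
    return {"infraInfra": {"attributes": {}, "children": [
        {"infraPortConfig": {"attributes": attrs, "children": []}}]}}


def delete_payload(node, card, port, sub=0):
    """Delete the port config by DN with status=deleted, as on this page."""
    return {"infraInfra": {"attributes": {}, "children": [
        {"infraPortConfig": {"attributes": {
            "dn": port_config_dn(node, card, port, sub),
            "status": "deleted"}, "children": []}}]}}


def compact_json(payload):
    # Same compact form as the echo'd JSON files on this page
    return json.dumps(payload, separators=(",", ":"))


# Matches the system port profile named in the three error texts above.
_SYSGEN_NODE = re.compile(r"accportprof-system-port-profile-node-(\d+)")


def system_generated_node(error_text):
    """Return the leaf node ID from a 'system generated' APIC error, or
    None when the error does not concern a system-generated object."""
    text = error_text.replace("-", " ")
    if "system generated" not in text:
        return None
    m = _SYSGEN_NODE.search(error_text)
    return int(m.group(1)) if m else None
```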
Summary
The "per-port configuration" option can simplify managing access policies without having to create different profiles and selectors.
Known Issues/Bugs
Cisco bug ID CSCwd83295 - ACI: VLANs are indefinitely removed from leaf interfaces after migrating to infraPortConfig