Introduction to ACI

February 12th 2018


Introduction to CISCO ACI

Over the past two years, BestPath have been doing plenty of interesting work with Cisco’s leading Datacenter fabric technology, which is known as:

“Cisco Application Centric Infrastructure (ACI)”

For those of you that don’t know, Cisco ACI is Cisco’s next-generation datacenter VXLAN switching technology, which offers multi-tenancy capabilities and is designed upon a modular framework.

There are a few essential components to an ACI fabric. There are additional optional components that may also be required depending on the design but we will cover those off in other articles.

A standard ACI fabric will consist of:

  • Cisco Application Policy Infrastructure Controllers (APICs)
  • Spine Switches
  • Leaf Switches

The Leaf and Spine switches are interconnected in a Clos topology whereby every Leaf switch is connected to every Spine switch. As a rule, a Leaf switch should never be connected to another Leaf switch, and a Spine switch should never be connected to another Spine switch. The APIC cluster is connected across different Leaf switches, and once the APICs have been provisioned the switches are discovered and provisioned through a bootstrap sequence using the DHCP, LLDP, and IS-IS protocols, enabling each switch to participate within the VXLAN overlay VRF.

ACI offers a large number of benefits but we’d like to identify and expand on a few of them to make the benefits a little more obvious.

Automation and Agility

In the past, we network engineers have programmed the network infrastructure box by box, change by change. Not only is this excessively time consuming, but this method can also be extremely error prone. Even experienced engineers can fall foul of copy and paste errors.

Cisco ACI gives its customers the ability to configure the fabric through a single pane of glass (the APIC) and, depending on the device type (for example, ESX compute), apply that configuration to every leaf switch that needs to offer that connectivity.

The real benefit comes from leveraging the APIC via its northbound “RESTful” API through automation and orchestration tools. This method allows us to instantiate our intended configuration without even having to touch the controllers directly.

The leaf and spine nodes within the fabric are programmed with their configuration by the APIC on demand using the southbound “OpFlex” protocol. They store a local copy of the policy in case communications with the APIC are lost, allowing them to continue performing data-plane forwarding.

Security and Analytics

Traditionally, network separation within the datacenter has been implemented using firewalls on a subnet by subnet basis. Over time we have all seen that some subnets get a little more access than they should, and people then prefer to put new servers in these network segments to guarantee access to their services.

This is often referred to as over provisioning.

Cisco ACI’s ethos is to group endpoints that all require or provide the same application ports and services into a common container called an “Endpoint Group (EPG)”, which provides security at a more granular level. Depending on your design, an EPG may not be exclusively bound to a subnet.

"For example, Host A with an IP address of can reside in a different EPG to Host B with an IP address of"

This approach is often referred to as ‘segmentation’; because these two servers reside in separate EPGs, they now have the ability to inherit different security policy. ACI provides a number of attributes that can be used to bind endpoints to an EPG.
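The two ideas above, driving the APIC through its northbound REST API instead of configuring box by box, and expressing segmentation as EPGs joined by contracts, combined in one added Python example. This is not code from the article, from BestPath or from Cisco: the controller URL, the APIC_USER/APIC_PASS/APIC_CA environment variables, and the tenant, application profile, bridge domain and EPG names are hypothetical placeholders, while the object classes (fvTenant, fvAp, fvAEPg, vzBrCP, vzFilter, vzEntry) and the /api/aaaLogin.json and /api/mo/uni.json endpoints are the standard APIC ones. In a VRF with policy enforcement enabled (the default), endpoints in different EPGs cannot exchange traffic unless a contract permits it, so `allowed_flows()` lets a reviewer see exactly which flows the policy opens before it is pushed.

```python
import json
import os
import ssl
import urllib.request

# Added example, not BestPath or Cisco code. APIC_URL, the tenant/EPG names and the
# APIC_USER / APIC_PASS / APIC_CA environment variables are hypothetical placeholders.
APIC_URL = "https://apic.example.invalid"


def tcp_filter(name, ports):
    """vzFilter with one TCP vzEntry per port: only these ports are matched by the contract."""
    entries = [{"vzEntry": {"attributes": {
        "name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
        "dFromPort": str(p), "dToPort": str(p)}}} for p in ports]
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def contract(name, filter_name):
    """vzBrCP whose single subject references the filter; scope limits reuse to one app profile."""
    subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "application-profile"},
                       "children": [subj]}}


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a bridge domain; traffic is only permitted by the contracts it provides/consumes."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def tenant_policy(tenant, app, bd, web_ports=(443,)):
    """Two-tier segmentation: the 'app' EPG may reach the 'web' EPG only on web_ports."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        tcp_filter("web-ports", web_ports),
        contract("app-to-web", "web-ports"),
        {"fvAp": {"attributes": {"name": app}, "children": [
            epg("web", bd, provides=("app-to-web",)),
            epg("app", bd, consumes=("app-to-web",)),
        ]}},
    ]}}


def allowed_flows(tenant_obj):
    """Review helper: derive every (consumer EPG, provider EPG, TCP port) the contracts permit."""
    t = tenant_obj["fvTenant"]
    filters, contracts, providers, consumers = {}, {}, {}, {}
    for child in t["children"]:
        if "vzFilter" in child:
            f = child["vzFilter"]
            filters[f["attributes"]["name"]] = [
                range(int(e["vzEntry"]["attributes"]["dFromPort"]),
                      int(e["vzEntry"]["attributes"]["dToPort"]) + 1) for e in f["children"]]
        elif "vzBrCP" in child:
            c = child["vzBrCP"]
            contracts[c["attributes"]["name"]] = [
                r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for s in c["children"] for r in s["vzSubj"]["children"]]
        elif "fvAp" in child:
            for g in (e["fvAEPg"] for e in child["fvAp"]["children"]):
                for rel in g["children"]:
                    if "fvRsProv" in rel:
                        name = rel["fvRsProv"]["attributes"]["tnVzBrCPName"]
                        providers.setdefault(name, []).append(g["attributes"]["name"])
                    elif "fvRsCons" in rel:
                        name = rel["fvRsCons"]["attributes"]["tnVzBrCPName"]
                        consumers.setdefault(name, []).append(g["attributes"]["name"])
    return {(cons, prov, port)
            for cname, fnames in contracts.items()
            for cons in consumers.get(cname, [])
            for prov in providers.get(cname, [])
            for fname in fnames for rng in filters[fname] for port in rng}


def apic_login(base_url, user, pwd, ctx):
    """POST /api/aaaLogin.json and return the session token (sent back as the APIC-cookie)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(base_url + "/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(base_url, token, dn, payload, ctx):
    """POST a managed-object tree under the given DN ('uni' is the policy universe root)."""
    req = urllib.request.Request(f"{base_url}/api/mo/{dn}.json", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = tenant_policy("BP-Demo", "ap-demo", "bd-demo")
    print("permitted flows:", sorted(allowed_flows(policy)))
    # Trust the APIC certificate through a CA file rather than disabling verification.
    ctx = ssl.create_default_context(cafile=os.environ.get("APIC_CA"))
    token = apic_login(APIC_URL, os.environ["APIC_USER"], os.environ["APIC_PASS"], ctx)
    print(apic_post(APIC_URL, token, "uni", policy))
```

The same JSON tree could be pasted into the APIC GUI or pushed by an orchestration tool; the point of building it in code is that the permitted flows are reviewable (and diffable in version control) before anything touches the fabric, and that the only ports opened are the ones the filter lists.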

With the ability to provision connectivity through a single pane of glass, Cisco ACI also provides you with the ability to recover data for analysis from that same pane of glass for your entire fabric.

Workload Mobility

The standard building blocks for networks have been the age-old ‘Core’, ‘Distribution’, and ‘Access’ blocks. Those of you that have been in the field for a while will know all too well that VLANs/subnets were (and are) constrained to the distribution block to which the access switches connect, unless you’re brave and want to extend your Layer 2 topology through your ‘Core’. We’ve seen this done both accidentally and intentionally, as a result of organic growth, to achieve ‘Workload Mobility’.

What do we mean by ‘Workload Mobility’? I hear you ask.

Well, it depends on which side of the fence you sit on. Server teams will complain that by containing hosts to specific distribution blocks you are restricting their ability to fully utilise their compute resources, whilst the network teams see this as providing suitable fault-domain isolation.

Cisco ACI removes those boundaries (as long as you have configured it in this manner). The endpoint (workload) can reside ‘anywhere’ within the fabric; both intra and inter data center depending on your deployment. This allows the network team to continue to ensure fault domain isolation and the server team to make better use of previously restricted compute resources.

Datacenter Ecosystem

Up to now, firewalls, switches, and load balancers have all been managed on an individual basis.

Cisco are working hard with many vendors to offer the ability to incorporate third party devices into the datacenter ecosystem, offering you the ability to configure them from the APIC at the same time as provisioning your network connectivity.

This feature is often referred to as either ‘Service Graphs’ or ‘L4-L7 Device Integration’.


As network engineers, we have all had to deal with configuration standards for the on-boarding of traditional IOS/NXOS devices. Configurations often vary from device to device and over time the supposed standard configuration drifts from the initial deployment. Company standards very rarely get retrospectively applied to older devices which can result in a number of non-compliant configurations and a tedious clean up job.

Imagine being able to plug a new device into the network without the need to find IP addressing information for uplinks, static routing for management access, and having to figure out how to transfer a file from your corporate computer to a laptop plugged into a management switch in the datacenter (yes, we have all been there!)

Cisco ACI overcomes most of those time-consuming tasks. It allows you to scale your fabric sideways (up to 400 leaf switches, depending on your deployment topology) simply by plugging a new device in and registering it within the APIC, where a consistent baseline configuration is applied. You don’t even have to configure an IP address on it. Although don’t ditch your console cables and USB adaptors just yet; there are still some devices that will need them.

Cisco refer to the collection of these benefits as “Intent-Based Networking”: enabling businesses to capture and translate their intent into the network whilst ensuring it is continuously applied and adjusted on demand, allowing them to move faster and with confidence.

We hope you enjoyed the article. Look out for our next new article coming soon.