Category Archives: ACI

Application Centric Infrastructure

ACI Training Videos


ACI Training Videos help you understand how to deliver software flexibility to modern IT consumption models and ensure agile Data Center network environments. The ACI development team and senior ACI leaders share their experiences and knowledge about the challenges and best practices to maximize the power of scalable centralized automation solutions and policy-driven application profiles within your network environment.

ACI Stretch Fabric Design

  1. Cisco recommends a minimum of 3 APIC servers?
    • Is this per site, or is it possible to have a distributed setup installed at different sites? “We only allow a single APIC in lab/test environments where redundancy is not required.” So does that mean you can still use a single server to control the devices? But in this statement: “When the connection between two sites is lost, the site with one APIC controller will be in the minority (site 2 in the figure above). When a controller is in the minority, it cannot be the leader for any shards. This limits the controller in site 2 to read only operations; administrators cannot make any configuration changes through the controller in site 2”

So does that mean I cannot use a single APIC server to control the infrastructure?

  2. Split brain condition?
    • What does a split brain condition mean? Is it for 2 APIC servers, or is this for multiple sites with distributed APICs?
    • Can you give a simple scenario in which split brain occurs?



APIC/Fabric Discovery Process II

In this discovery process, a fabric node is considered active when the APIC and node can exchange heartbeats through the Intra-Fabric Messaging (IFM) process. The IFM process is also used by the APIC to push policy to the fabric leaf nodes.

Fabric discovery happens in three stages. The leaf node directly connected to the APIC is discovered in the first stage. The second stage of discovery brings in the spines connected to that initial seed leaf. Then the third stage processes the discovery of the other leaf nodes and APICs in the cluster.

The diagram below illustrates the discovery process for switches that are directly connected to the APIC. Coverage of specific verification for other parts of the process will be presented later in the chapter.

The steps are:

1. Link Layer Discovery Protocol (LLDP) Neighbor Discovery
2. Tunnel End Point (TEP) IP address assignment to the node
3. Node software upgraded if necessary
4. Policy Element IFM Setup


During fabric registration and initialization a port might transition to an “out-of-service” state. Once a port has transitioned to an out-of-service status, only DHCP and CDP/LLDP protocols are allowed to be transmitted. Below is a description of each out-of-service issue that may be encountered:

fabric-domain-mismatch – Adjacent node belongs to a different fabric
ctrlr-uuid-mismatch – APIC UUID mismatch (duplicate APIC ID)
wiring-mismatch – Invalid connection (leaf to leaf, spine to non-leaf, leaf fabric port to non-spine, etc.)
adjacency-not-detected – No LLDP adjacency on fabric port

Ports can go out-of-service due to wiring issues. Wiring issues are reported through the lldpIf object; information on this object can be browsed at the following location in the MIT: /mit/sys/lldp/inst/if-[eth1/1]/summary.
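
As an added example (not from the original post or from Cisco), the out-of-service reasons above can be audited across the fabric from a script. It assumes the lldpIf objects are fetched as JSON from the APIC REST API and carry the reason in a wiringIssues attribute, possibly as a comma-separated list; the sample response, node IDs and the "review first" triage choice are constructed for illustration.

```python
import json
import re

# Out-of-service reasons and meanings, as listed in the text above.
WIRING_ISSUES = {
    "fabric-domain-mismatch": "Adjacent node belongs to a different fabric",
    "ctrlr-uuid-mismatch": "APIC UUID mismatch (duplicate APIC ID)",
    "wiring-mismatch": "Invalid connection (e.g. leaf to leaf)",
    "adjacency-not-detected": "No LLDP adjacency on fabric port",
}
# Assumption: these two are triaged first, because they mean a device with a
# foreign fabric or conflicting controller identity sits on a fabric port.
REVIEW_FIRST = {"fabric-domain-mismatch", "ctrlr-uuid-mismatch"}
DN_RE = re.compile(r"node-(\d+)/sys/lldp/inst/if-\[(.+?)\]")

def _mo(node, port, issues):
    """Build one constructed lldpIf object in the APIC JSON envelope."""
    dn = f"topology/pod-1/node-{node}/sys/lldp/inst/if-[{port}]"
    return {"lldpIf": {"attributes": {"dn": dn, "id": port, "wiringIssues": issues}}}

# Constructed sample shaped like a class query for lldpIf (not real output).
SAMPLE_RESPONSE = json.dumps({"imdata": [
    _mo(101, "eth1/49", ""),
    _mo(101, "eth1/50", "wiring-mismatch"),
    _mo(102, "eth1/1", "ctrlr-uuid-mismatch"),
    _mo(103, "eth1/51", "fabric-domain-mismatch,wiring-mismatch"),
]})

def audit_wiring(response_text):
    """Return one finding per (port, issue), review-first issues at the top."""
    findings = []
    for item in json.loads(response_text).get("imdata", []):
        attrs = item.get("lldpIf", {}).get("attributes", {})
        issues = [i.strip() for i in attrs.get("wiringIssues", "").split(",") if i.strip()]
        match = DN_RE.search(attrs.get("dn", ""))
        node, port = match.groups() if match else ("?", attrs.get("id", "?"))
        for issue in issues:
            findings.append({
                "node": node, "port": port, "issue": issue,
                "meaning": WIRING_ISSUES.get(issue, "not described in the list above"),
                # Unknown reasons are also surfaced first rather than ignored.
                "review": issue in REVIEW_FIRST or issue not in WIRING_ISSUES,
            })
    return sorted(findings, key=lambda f: (not f["review"], f["node"], f["port"]))

if __name__ == "__main__":
    for f in audit_wiring(SAMPLE_RESPONSE):
        print(f"node {f['node']} {f['port']}: {f['issue']} ({f['meaning']})")
```

A port with an empty wiringIssues value produces no finding, so a clean fabric returns an empty list.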

APIC/Fabric Discovery Process I

When you connect your ACI environment:
– Connect spines to leaves and leaves to spines.
– Do not connect spines to each other (S-S) or leaves to each other (L-L).
– Plug in your APIC controller.

You can now connect to the APIC (web) and start the discovery process. This is a zero-touch fabric, which means we don't need to configure any of the switches in the environment. The controller does it all for us.

When the APIC discovers the first device:
– Give a name
– Give a number
– Make it part of the fabric

Actual Administrative Console

1. Connect via HTTPS and log in.

2. Discover Devices (Fabric > Fabric Membership).
(First discovered device)

3. Adding the device to the network/fabric (Double-click the first device).
Give name and number then update.

The device then creates a secure connection to the leaf and does all the configuration, such as L3, L2, assigning an IP address on the network (the leaf obtains its IP address from the APIC using DHCP), adding it to the topology, and starting to pull event information. As you update and add additional leaves and spines during the discovery process, the system will continue to configure those devices.

The system automatically documents the topology of the network (Fabric > Topology).

Application Centric Infrastructure

ACI provides the ability to create a stateless definition of application requirements. Application architects think in terms of application components and interactions between such components; not necessarily thinking about networks, firewalls and other services. By abstracting away the infrastructure, application architects can build stateless policies and define not only the application, but also Layer 4 through 7 services and interactions within applications. Abstraction also means that the policy defining application requirements is no longer tied to traditional network constructs, and thus removes dependencies on the infrastructure and increases the portability of applications.

The application policy model defines application requirements, and based on the specified requirements, each device will instantiate a set of required changes. IP addresses become fully portable within the fabric, while security and forwarding are decoupled from any physical or virtual network attributes. Devices autonomously and consistently update the state of the network based on the configured policy requirements set within the application profile definitions.

What is Cisco Application Centric Infrastructure ACI?

It is an SDN solution from Cisco for data centers. Simply put, ACI is a network policy-based automation model.

The end goal of this solution is about enabling software control of the network and how it operates, so that software can automate and change the network based on current conditions in the network.

ACI uses a concept of endpoints and policies. The endpoints are the VMs (or even traditional servers with the OS running directly on the hardware). Because several endpoints have the same needs, you group them together into aptly named endpoint groups. Then policies can be defined about which endpoint groups can communicate with whom—for instance, a group of web servers may need to communicate with a group of application servers. The policy also defines other key parameters, like which endpoint groups can access each other (or not), as well as QoS parameters and other services.

ACI uses a centralized controller called the Application Policy Infrastructure Controller (APIC). It is the controller that creates application policies for the data center infrastructure; this is your SDN controller for the data center.

ACI uses a partially centralized control plane, RESTful and native APIs, and OpFlex as an SBI. The NBIs allow software control from outside the controller. The controller communicates with the switches connected to the endpoints, and asks those switches to then create the correct flows to be added to the switches. Interestingly.

ACI has three main components: Nexus 9000 switches, APIC and ecosystem

Converting from Cisco NX-OS to ACI Boot Mode

Before You Begin
Verify whether your switch hardware is supported in ACI boot mode by checking the “Supported Hardware” section of the Release Notes for Cisco Nexus 9000 Series ACI-Mode Switches. For example, line cards are not compatible between Cisco NX-OS and ACI boot mode. Remove or turn off any unsupported modules (using the poweroff module module command). Otherwise, the software uses a recovery/retry mechanism before powering down the unsupported modules, which can cause delays in the conversion process.

For dual-supervisor systems, use the show module command to make sure that the standby supervisor module is in the ha-standby state.

Verify that the Application Policy Infrastructure Controller (APIC) is running Release 1.0(2j) or a later release. Make sure that the ACI image is 11.0(2x) or a later release.

Use the show install all impact epld epld-image-name command to verify that the switch does not require any EPLD image upgrades. If any upgrades are required, follow the instructions in the Cisco Nexus 9000 Series FPGA/EPLD Upgrade Release Notes.
