Cisco ACI Interview Questions and Answers: A Deep Dive into Architecture, Terminologies, and Core Concepts

Cisco Application Centric Infrastructure (ACI) is a next-generation data center and cloud networking solution that brings a software-defined approach to traditional hardware-centric environments. By focusing on applications instead of individual devices, ACI enables organizations to accelerate operations, automate workflows, and implement scalable, policy-driven infrastructure.

With ACI, network policies and services are defined centrally and applied uniformly across the entire fabric. This model delivers better control, operational simplicity, and adaptability to dynamic workload requirements.

Core Components of Cisco ACI

Cisco ACI is built around three key components that work in harmony:

  • Application Policy Infrastructure Controller (APIC) – Acts as the centralized controller for the ACI fabric, managing policies and configurations.

  • Leaf Switches – Serve as the access layer; every endpoint (servers, firewalls, external routers) and the APICs themselves connect to leaf switches.

  • Spine Switches – Provide interconnectivity between leaf switches; they never connect directly to endpoints.

This spine-leaf topology simplifies east-west traffic flow, optimizes performance, and scales horizontally without introducing bottlenecks.

What Makes ACI Different from Traditional Networks?

Traditional networks require manual, device-by-device configuration and maintenance. ACI, in contrast, is designed for automation, application awareness, and centralization. It abstracts the hardware and allows network administrators to define intent via policies that are automatically enforced throughout the infrastructure.

This shift from CLI-based configurations to policy-based models reduces complexity, minimizes errors, and shortens deployment times.

What is the Role of the APIC?

The Application Policy Infrastructure Controller (APIC) is the operational heart of the Cisco ACI architecture. It provides:

  • Centralized policy management

  • Fabric automation

  • Health monitoring

  • Integration APIs

The APIC is not in the data path. Unlike SDN controllers that program every flow or sit in the forwarding path, the APIC only handles orchestration and policy distribution; traffic is forwarded in hardware by the spine-leaf switches. If every APIC in the cluster becomes unreachable, the fabric keeps forwarding with its last-applied policy; only configuration changes are blocked until a controller returns.

What is a Tenant in Cisco ACI?

A tenant is a logical segmentation construct within ACI that isolates policies, address spaces, and configurations. Each tenant can represent a different department, customer, or project, with its own:

  • VRFs

  • Bridge domains

  • Application profiles

  • EPGs

  • Contracts

This structure allows multi-tenancy on the same physical infrastructure. A tenant is also an administrative boundary: security domains scope RBAC to tenants, so a tenant administrator cannot see or change another tenant's objects. Three tenants exist by default: common (objects shared by all tenants), infra (the fabric's own VXLAN overlay), and mgmt (in-band and out-of-band management).

What is an Endpoint Group (EPG)?

Endpoint Groups (EPGs) are one of the most critical constructs in Cisco ACI. They logically group endpoints that require similar network policies. Examples of endpoints include virtual machines, bare-metal servers, or containers.

Within an EPG, communication is permitted by default with no contract required; that default can be overridden with intra-EPG isolation (every endpoint in the EPG isolated from the others) or intra-EPG contracts. Communication between EPGs must be explicitly allowed using contracts. Because policy is tied to the EPG rather than to a VLAN or subnet, the same rules apply to a VM, a bare-metal host, or a container once it is classified into the group.

What is an Application Profile?

An Application Profile represents a logical container that defines how an application is structured within a tenant. It contains EPGs and specifies the communication policies (contracts) between them.

This model allows for centralized, repeatable policy definitions that match the architecture of actual applications (e.g., web tier, application tier, and database tier), making deployments easier and more consistent.

What is a Bridge Domain (BD)?

A Bridge Domain in ACI is a Layer 2 forwarding domain. It can carry one or more subnets (the gateway addresses the fabric answers for) and provides settings for:

  • MAC address learning

  • Broadcast and unknown unicast flooding

  • ARP handling

One or more EPGs can be associated with a BD, and each EPG belongs to exactly one BD; each BD in turn belongs to exactly one VRF. BDs are the unit of Layer 2 isolation within a tenant: a broadcast or unknown-unicast frame never leaves the BD it entered.

What is a VRF in Cisco ACI?

A Virtual Routing and Forwarding (VRF) instance allows multiple routing tables to coexist within the same fabric. In Cisco ACI, VRFs are used to isolate Layer 3 routing contexts among tenants.

Each tenant can have its own VRF (or use one from the common tenant), and IP addresses may overlap across VRFs without conflict. Routing isolation between VRFs is complete unless routes are deliberately leaked for shared services. A VRF does not by itself permit traffic: its policy enforcement setting (enforced by default) is what makes the contract-based default deny apply between the EPGs inside it, and switching a VRF to unenforced removes that protection for every EPG it contains.

What are Contracts in Cisco ACI?

Contracts define the rules for communication between EPGs. One EPG provides a contract, another consumes it, and the contract is made of:

  • Filters: Match traffic by EtherType, IP protocol, source and destination port ranges, and optionally TCP flags or a stateful flag (e.g., TCP/80 for HTTP, TCP/443 for HTTPS, TCP/22 for SSH)

  • Subjects: Attach one or more filters, decide whether the rule applies in both directions and whether filter ports are reversed for return traffic, and optionally attach a service graph

  • Actions and directives: Each filter in a subject is either permit or deny, and can carry a log directive so hits are recorded

A contract also has a scope (application profile, VRF, tenant, or global) that bounds how far the provider/consumer relationship can reach. Without a contract, EPGs cannot communicate, even if they reside in the same tenant; the exceptions are a VRF set to unenforced mode, EPGs placed in the VRF's preferred group, and contracts attached to vzAny (all EPGs in the VRF). Contracts are what enforce segmentation and service chaining: they control what traffic is allowed and whether it is redirected through an L4-L7 device.

How Does Policy Enforcement Work in ACI?

Policy enforcement in ACI is decentralized. While the APIC defines and distributes policies, enforcement occurs in hardware on the leaf switches, so traffic is never backhauled through a controller.

A leaf classifies each packet into an EPG (by port and VLAN, by VXLAN VNID, by IP or MAC attributes for microsegmentation, or by the source class carried in the VXLAN header of traffic arriving from another leaf) and then looks up the zoning rules derived from the contracts. When the ingress leaf already knows the destination endpoint's class, it enforces the policy on ingress; otherwise the packet is forwarded with its source class and the egress leaf enforces it. Quality of service and policy-based redirect to a service device are applied at the same point.

What is the Importance of Policy-Based Automation in ACI?

Policy-based automation allows administrators to define intent—such as application connectivity, security, or service levels—and have the fabric automatically apply the necessary configurations. This eliminates the need for repetitive, error-prone manual tasks.

Benefits include:

  • Reduced operational overhead

  • Faster application deployment

  • Consistent policy enforcement

  • Improved agility and scalability

What is Fabric Discovery in Cisco ACI?

Fabric discovery is the initial process through which the APIC learns about the physical switches and brings them under its control. It starts when an APIC is connected to a leaf switch. Using LLDP, the APIC discovers the directly attached leaf, then the spines that leaf connects to, then the remaining leaves behind those spines, and builds the fabric topology from those adjacencies.

Discovered switches appear as unregistered nodes; an administrator registers each one by assigning it a node ID and a name, which is how the fabric knows which physical box is which. The APIC then assigns the node a tunnel endpoint (TEP) address from the infrastructure TEP pool chosen during APIC setup, pushes the bootstrap configuration, and the node joins the fabric. Only registered nodes take part: an unexpected switch appearing in the discovery list should be treated as a change-control event and investigated, not simply approved.

What Protocols are Used in Cisco ACI Fabric?

Cisco ACI relies on several protocols inside the fabric:

  • IS-IS: Underlay routing between leaf and spine switches, providing reachability between the switches' TEP addresses

  • COOP (Council of Oracle Protocol): Runs between the leaves and the spines; leaves report locally learned endpoints and the spines hold the fabric-wide endpoint mapping database

  • MP-BGP: Runs on the spines as route reflectors to distribute routes learned from external networks (L3Outs) to the other leaves; the EVPN address family is used between pods and sites (Multi-Pod, Multi-Site, GOLF) rather than within a single fabric

  • VXLAN: The overlay encapsulation that carries endpoint traffic between leaves, with the source EPG class in the header

  • LLDP: Fabric discovery and adjacency verification

  • DHCP: TEP address assignment to switches during discovery

These protocols run without manual configuration and provide dynamic path selection, endpoint learning, and encapsulation; the administrator configures policy, not protocols.

How Does ACI Handle Endpoint Learning?

ACI uses distributed endpoint learning. When an endpoint sends traffic into the fabric, the ingress leaf learns its MAC (and, when unicast routing is enabled on the BD, its IP) from the data plane together with the EPG it was classified into. The leaf reports that local endpoint to the spines over COOP, and the spines maintain the authoritative endpoint mapping database (endpoint to TEP). Other leaves do not receive every endpoint: a remote leaf learns an endpoint only when it actually exchanges traffic with it (conversational learning) and otherwise sends unknown destinations to the spine proxy for lookup. The APIC records endpoints as objects for visibility and history, but forwarding decisions are made from the leaf and spine tables, not from the controller.

This dynamic learning ensures that endpoint mobility is preserved and that policies are applied consistently, regardless of where the endpoint moves in the fabric.

What is the Role of VXLAN in ACI?

VXLAN (Virtual Extensible LAN) is the encapsulation protocol used by Cisco ACI to transport traffic across the Layer 3 spine-leaf fabric. ACI's VXLAN header carries two identifiers: a VXLAN Network Identifier (VNID), which identifies the bridge domain for bridged traffic or the VRF for routed traffic, and the source EPG's class ID (sclass, also called pcTag), which is what the destination leaf uses to apply contract policy. EPGs are therefore distinguished by class ID, not by a VNID of their own.

VXLAN provides the scalability required for large data centers, supporting thousands of isolated networks over a shared IP infrastructure.

What is an Access Policy in ACI?

Access policies are configurations related to how endpoints connect to the fabric. This includes:

  • Interface policies

  • Switch profiles

  • Interface selectors

  • AEP (Attachable Entity Profile)

Access policies are typically defined once and reused across many interfaces. They configure the physical (or virtual) interface and attach it, through an AEP, to one or more domains; the domain is then associated with EPGs, which is how a port ends up carrying traffic for a given EPG.

What is an Attachable Entity Profile (AEP)?

An AEP is the object that ties interface policy groups (and thus the physical ports they are applied to) to one or more domains, and through the domains to the VLAN pools those ports may carry. It is the link between the access-policy side (ports, LLDP, port channels) and the logical side (domains, EPGs): an EPG can only be deployed on a port whose AEP includes the EPG's domain, using an encapsulation from that domain's VLAN pool.

AEPs simplify operations by letting one attachment definition be reused across every port that connects the same kind of device, such as all ports facing a hypervisor cluster.

How are Fabric Policies Different from Access Policies?

Fabric policies control the internal behavior of the ACI fabric—things like routing protocols, multicast behavior, and system resources. Access policies, on the other hand, define how external devices (e.g., servers, VMs) connect to the ACI fabric.

This separation of concerns ensures clarity and modular configuration, making the network easier to manage and troubleshoot.

What is the Role of Filters in Contracts?

Filters are specific rules that define which traffic types are allowed (or denied) between EPGs. Each filter holds one or more entries, and each entry matches on:

  • EtherType (IP, ARP, etc.) and IP protocol (TCP, UDP, ICMP)

  • Source and destination port ranges (e.g., 80 for HTTP, 443 for HTTPS)

  • Optionally TCP flags, and a stateful flag that requires the reverse direction to look like a reply

Filters are attached to a contract's subjects to enforce access control, and the same filter can be reused by many contracts; this also means a change to a shared filter changes every contract that references it.

What is the role of Logical Interfaces (LIFs) in Cisco ACI?

The term "logical interface" appears in two places in the ACI object model, and neither is the VXLAN tunnel endpoint: the tunnel terminates at the leaf switch's TEP address, which the fabric assigns during discovery. An L3Out contains logical node profiles and logical interface profiles; a logical interface profile defines the routed interfaces, sub-interfaces, or SVIs on the border leaves that peer with the external router, and the same profile can be applied to several leaves. In L4-L7 service integration, a device's logical (cluster) interfaces abstract the concrete interfaces of a firewall or load balancer, so a service graph references the logical side (for example "inside" and "outside") and the concrete ports can change without rewriting the graph.

In both cases the purpose is the same: keep the policy definition independent of the physical port, so that segmentation and forwarding policy stay consistent as hardware changes.

How does Cisco ACI support Layer 4–7 service integration?

ACI integrates with external Layer 4–7 services like firewalls, load balancers, and IPS devices. These integrations are accomplished via service graphs, which define how traffic flows through these services.

ACI supports both manual and automated insertion of services:

  • Managed mode: The APIC configures the device itself through a vendor device package, so the device's configuration becomes part of the ACI policy.

  • Unmanaged (network-only) mode: The fabric only steers traffic to the device, which is configured through its own management; this is the common choice today, usually with policy-based redirect (PBR) so the device does not need to be the default gateway.

This tight integration ensures traffic passes through required security or performance-enhancing functions while maintaining automation and visibility.

What is a Service Graph in Cisco ACI?

A Service Graph is a logical representation of how traffic should flow through one or more Layer 4–7 devices between EPGs. It defines:

  • Device nodes (e.g., firewalls, load balancers)

  • Paths (traffic direction)

  • Function chaining (order of devices)

For example, a three-tier web application might use a Service Graph to force incoming traffic through a firewall, then a load balancer, before reaching web servers. These graphs are policy-driven and programmable through APIC.

How does Cisco ACI support multi-site or hybrid deployments?

Cisco ACI offers multiple options for extending the fabric across geographically distributed locations:

  • ACI Multi-Pod: One APIC cluster manages several pods (each with its own spine-leaf fabric and IS-IS/COOP control plane) interconnected by an IP network (IPN); the pods behave as one fabric with one policy domain.

  • ACI Multi-Site: Independent fabrics, each with its own APIC cluster, are connected and managed through a central orchestrator (Multi-Site Orchestrator, now Nexus Dashboard Orchestrator). Each site keeps its own control plane and failure domain, and shared templates keep policy consistent.

  • ACI Remote Leaf: Leaf switches in a remote location connect over an IP WAN back to the spines of a main pod, extending the same fabric without remote spines.

  • ACI Stretched Fabric: The original design that extends one fabric across sites over long-distance leaf-to-spine links with a single control plane; largely superseded by Multi-Pod.

These options support disaster recovery, workload mobility, and global policy enforcement. The difference that matters for risk is the failure domain: Multi-Pod and Stretched Fabric share one APIC cluster and policy database, whereas Multi-Site keeps each site's cluster independent.

What is the Cisco Multi-Site Orchestrator (MSO)?

MSO, now delivered as Nexus Dashboard Orchestrator (NDO), is the software that manages multiple ACI sites from one place. It provides:

  • Centralized policy definition across sites

  • Tenant and schema templates

  • Inter-site connectivity monitoring

MSO allows administrators to push consistent configurations and policies to all ACI sites, improving governance and reducing administrative overhead in large-scale environments.

How does ACI handle high availability and redundancy?

ACI is designed with redundancy at every level:

  • Spine-leaf topology ensures there’s no single point of failure in traffic forwarding.

  • APIC clusters normally use three controllers (larger fabrics use up to seven); the configuration database is sharded and replicated across the cluster, so a single node failure loses no data.

  • Redundant links and power in hardware support resilience.

If a leaf or spine switch fails, traffic is automatically rerouted over the remaining paths. If an APIC node fails, the remaining nodes keep managing the fabric; if the cluster loses quorum, or every APIC is down, the switches continue forwarding with their last-applied policy, but no configuration changes can be made until the cluster recovers.

What are Fabric Access Policies and why are they important?

Fabric Access Policies define how physical interfaces on the ACI fabric are configured to connect to endpoints. They include:

  • Interface policies (e.g., speed, LLDP settings)

  • Interface selectors (range of ports)

  • Switch profiles (specific leaf switches)

  • AEPs (Attachable Entity Profiles)

These policies decouple physical configuration from logical behavior, enabling reuse across multiple deployments and interfaces. This modularity speeds up provisioning and reduces errors.

What is an AEP (Attachable Entity Profile)?

An AEP is a reusable attachment definition that maps physical interfaces to the logical side of the model. It is the glue between access policies and domains: interface policy groups reference the AEP, the AEP references one or more domains (physical, VMM, external), and each domain carries a VLAN pool. EPGs are then associated with those domains, which is what allows an EPG to be deployed on the ports that use the AEP.

Once an AEP is configured, it can be applied to multiple ports, enabling efficient provisioning and scalability.

What are Interface Selectors and Switch Profiles in ACI?

  • Interface Selector: Identifies one or more physical ports (e.g., Ethernet1/1 to Ethernet1/48) to which a policy will be applied.

  • Switch Profile: Associates specific leaf switches with interface selectors and their policies.

These constructs ensure that correct configurations are applied to the appropriate physical interfaces, streamlining the deployment process and improving maintainability.

What is a Policy Group in Cisco ACI?

A Policy Group is a collection of policies that define operational parameters for interfaces. Types include:

  • Access Port Policy Groups – For single port configurations.

  • Port Channel Policy Groups – For aggregating multiple links.

  • vPC Policy Groups – For virtual port channels spanning two leaves.

Policy Groups make it easy to apply consistent configurations across interfaces, such as enabling CDP, LLDP, or setting MTU values.

How does Cisco ACI handle Quality of Service (QoS)?

Cisco ACI implements QoS through QoS classes (levels) and custom QoS policies defined in the APIC and applied to EPGs, contracts, or L3Outs. These ensure that latency-sensitive traffic such as voice or video is queued ahead of less critical data. QoS in ACI allows:

  • Traffic classification into a QoS level by EPG, contract, or DSCP/CoS value

  • Marking and translation of DSCP and CoS values at the fabric edge

  • Rate limiting with data-plane policers on interfaces or EPGs

  • Priority queuing and per-class bandwidth allocation

QoS policies are enforced on the leaf switches and the class is carried across the fabric in the VXLAN outer header, so the classification made at ingress is honored end to end.

How does ACI integrate with virtualization platforms?

ACI supports deep integration with major virtualization platforms like:

  • VMware vSphere and NSX

  • Microsoft Hyper-V

  • Red Hat OpenStack

  • Kubernetes

APIC can integrate with hypervisors to discover virtual machines, assign EPGs dynamically, and apply security policies automatically. This enables VM-level micro-segmentation and dynamic policy enforcement across virtual workloads.

What is Micro-Segmentation in ACI?

Micro-segmentation (uSeg EPGs) allows policies to be applied at the individual workload or VM level, even within the same subnet or base EPG. A uSeg EPG pulls endpoints out of their base EPG based on attributes such as:

  • IP or MAC address

  • VM name, guest operating system, or virtual NIC

  • Tags, labels, or custom attributes from the VMM integration

Because a uSeg EPG is a normal EPG for policy purposes, the usual contracts apply to it, so east-west traffic between workloads that share a subnet can be restricted. This fine-grained control limits lateral movement in the event of a compromise and enforces least-privilege access principles.

What are Domains in Cisco ACI?

Domains define the boundary between the ACI fabric and the devices attached to it, and each domain owns a VLAN (or VXLAN) pool. The main types are:

  • Physical Domain: Bare-metal servers or appliances attached directly to leaf ports.

  • VMM Domain: Integration with a virtualization manager such as VMware vCenter, Microsoft SCVMM, or OpenStack, where the APIC pushes port groups and learns VMs.

  • External Bridged (L2) Domain and External Routed (L3) Domain: Used by L2Outs and L3Outs respectively to connect to external switches and routers.

Domains are linked to ports through AEPs and to EPGs through domain associations, which is how an endpoint arriving on a port is classified into the right EPG.

What are External Routed Networks (L3Out)?

An L3Out is a logical representation of an external Layer 3 connection in ACI. It enables communication between internal ACI endpoints and external networks. Components of an L3Out include:

  • A logical node profile (which border leaves take part) and logical interface profiles (routed interfaces, sub-interfaces, or SVIs)

  • A routing protocol to the external router: BGP, OSPF, or EIGRP, or static routes

  • External EPGs, which classify external traffic into a group by matching the source prefix so contracts can be written against it

  • Contracts between internal EPGs and the external EPGs

L3Outs are essential for connecting to the internet, WAN, or legacy networks, and carry the policies for route redistribution and access control. A common mistake is a single external EPG with 0.0.0.0/0 that is then given broad contracts: it classifies every external source as one group, so any prefix-level distinction has to be made with additional external EPGs and narrower subnets.

What are Bridge Domains with ARP Flooding enabled?

By default, a BD with unicast routing enabled does not flood ARP requests: the ingress leaf looks up the target IP in its endpoint table or via the spine proxy and forwards the ARP request as unicast to the leaf where the target lives. If the target is unknown, the fabric sends an ARP request of its own from the BD subnet address (ARP gleaning) so that the host answers and is learned. Administrators enable ARP Flooding on a BD when that optimization does not work, for example for Layer 2-only bridge domains without a subnet, silent hosts behind appliances, or non-standard ARP behavior in legacy applications; the ARP request is then flooded to every port in the BD, as in a classic VLAN.

ARP Flooding is therefore an exception rather than the norm in ACI designs. The related proxy ARP feature is separate: it is enabled by intra-EPG isolation or microsegmentation and makes the fabric answer ARP on behalf of endpoints, so that isolated hosts never learn each other's MAC address.

How does ACI handle Endpoint Mobility?

ACI supports seamless endpoint mobility, which allows endpoints to move within the fabric without requiring manual reconfiguration. This is possible because:

  • Endpoint information (MAC/IP bindings) is learned dynamically.

  • Policies are associated with EPGs rather than static IPs.

  • COOP protocol updates the endpoint location throughout the fabric.

This capability is ideal for dynamic environments like virtualized data centers and cloud-native workloads.

What is the Role of the COOP Protocol in Cisco ACI?

The Council of Oracle Protocol (COOP) is the protocol that builds the fabric's endpoint mapping database. It runs between the leaf switches (the citizens) and the spine switches (the oracles); the APIC is not part of it. Each leaf reports the endpoints it has learned locally (MAC, IP, EPG, and the leaf's TEP) to the spines, and every spine holds a full copy of the mapping database.

When a leaf receives a packet for a destination it has not learned, it forwards it to the spine proxy (an anycast TEP on the spines). The spine looks the destination up in the COOP database and forwards the packet to the correct leaf, which then learns the source endpoint for subsequent traffic. This eliminates flooding for unknown unicast and speeds up convergence when endpoints move, since a move is a single COOP update rather than a relearn on every switch.

How is Traffic Encapsulated in Cisco ACI?

Cisco ACI uses VXLAN as its encapsulation protocol. Each bridge domain and each VRF is assigned a unique VNID (VXLAN Network Identifier), and the source EPG's class ID travels in the VXLAN header alongside it. When traffic enters the fabric, it is:

  1. Classified into an EPG and encapsulated with a VXLAN header (BD VNID for bridged traffic, VRF VNID for routed traffic, plus the source class)

  2. Forwarded across the spine-leaf underlay to the destination leaf's TEP address

  3. Decapsulated at the destination leaf, where the source class is used for policy enforcement if the ingress leaf could not do it

This process isolates tenants and VRFs from each other and enables overlay networks on shared physical infrastructure; an endpoint in one VRF cannot reach another VRF's VNID unless routes are deliberately leaked.

How does Cisco ACI simplify network troubleshooting?

Cisco ACI provides multiple tools and features to make troubleshooting intuitive and proactive:

  • Health Scores: Real-time metrics across tenants, interfaces, applications, and fabric nodes help identify problem areas.

  • Faults and Events: Alerts generated automatically with severity levels and timestamps.

  • Atomic Counters: Count packets between leaves, EPGs, or endpoints at both ends of the path, so a mismatch shows where in the fabric packets are being lost.

  • Contract hit counters and the drop log: Per-rule counters on the leaves and the policy drop log show whether a contract, or the implicit deny, is what dropped a flow.

  • Visibility & Troubleshooting and iTraceroute in the APIC GUI: Visual representation of the path between two endpoints, including the contracts, faults, and drops along it.

  • Endpoint Tracker: Displays endpoint history, location changes, and current leaf connectivity.

This centralized visibility, combined with policy-driven architecture, allows engineers to isolate and resolve issues faster than in traditional networks.

What is the purpose of Health Scores in Cisco ACI?

Health scores provide a real-time numerical representation (0–100) of the operational status of components within the ACI fabric. These components include:

  • Tenants

  • Application Profiles

  • EPGs

  • Interfaces

  • Switches

  • Services

A score below 100 indicates a deviation from optimal performance. This could be due to a link failure, misconfiguration, or policy conflict. Engineers use these scores to prioritize actions, perform root cause analysis, and maintain fabric stability.

What are Faults and Events in APIC?

Faults and events are automatically generated messages within the APIC system that alert administrators to abnormal behaviors or failures. They are categorized by severity (critical, major, minor, warning, info) and include:

  • Timestamp of occurrence

  • Affected object (e.g., interface, switch)

  • Suggested resolution

  • Lifecycle state (soaking, raised, raised-clearing, retaining, cleared) and whether an operator has acknowledged it

These logs are essential for proactive monitoring and serve as audit trails during troubleshooting and compliance checks.

How do Atomic Counters assist in troubleshooting traffic flow?

Atomic Counters are diagnostic counters that count packets for a chosen flow at both ends of its path through the fabric. Engineers can configure them:

  • Between two leaves, two EPGs, or two endpoints (or an endpoint and an external IP)

  • To report packet and byte counts, plus drop and excess counts when the two ends disagree

This is particularly useful when traffic is expected but not reaching its destination: if the source side counts packets that the destination side never sees, the loss is inside the fabric. Atomic counters do not say which contract dropped a packet; for that, check the contract (zoning-rule) hit counters and the drop log on the leaf, which name the rule, or use the Visibility & Troubleshooting tool, which correlates both.

What is the significance of Contracts in troubleshooting inter-EPG communication?

Contracts define the communication permissions between Endpoint Groups. When endpoints in different EPGs cannot communicate:

  • First check that a contract exists and that one EPG provides it and the other consumes it; a contract that both EPGs provide (or both consume) allows nothing.

  • Ensure the contract's subject and filters permit the required traffic in the direction it is initiated, and that reverse filter ports (or apply both directions) is set so replies can return.

  • Confirm the contract scope is wide enough: a contract with application-profile scope does nothing between EPGs in different application profiles, and cross-tenant use requires an exported contract.

  • Confirm both EPGs are in the same VRF, or that route leaking and shared services are configured if they are not.

  • Check for a taboo contract, a deny entry, or a more specific rule that shadows the permit; on the leaf, the zoning rules and their hit counters show which rule the flow actually matched.

Understanding the contract structure is crucial for troubleshooting Layer 2/3 communication within and across tenants.
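The checks above can be made concrete with a small model of how a leaf evaluates a contract. The following is an added example written for this page, not Cisco code and not the leaf's real zoning-rule engine: it models the rules a one-subject contract expands into (consumer to provider, and with reverse filter ports the return direction), the implicit deny, the VRF enforcement mode, and the fact that a deny rule wins over a permit, so you can see why a particular flow is dropped. The class names, the sample class IDs, and the names Filter, Rule, Flow, expand_contract and evaluate are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One filter entry: protocol plus source/destination port ranges (full range = any)."""
    name: str
    prot: str = "unspecified"            # "tcp", "udp", "icmp" or "unspecified"
    dport: tuple = (0, 65535)
    sport: tuple = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """Simplified zoning rule as a leaf would program it: class IDs, filter, action."""
    src_class: int
    dst_class: int
    flt: Filter
    action: str                          # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src_class: int
    dst_class: int
    prot: str
    sport: int
    dport: int


def expand_contract(consumer, provider, flt, action="permit",
                    apply_both=True, reverse_ports=True):
    """Rules a contract with one subject and one filter produces.

    Consumer-initiated traffic always gets a rule; with 'apply both directions'
    the provider-to-consumer rule is added, and with 'reverse filter ports' that
    rule swaps the port ranges so only replies to the permitted port match."""
    rules = [Rule(consumer, provider, flt, action)]
    if apply_both:
        if reverse_ports:
            rev = Filter(flt.name + "-rev", flt.prot, dport=flt.sport, sport=flt.dport)
        else:
            rev = flt
        rules.append(Rule(provider, consumer, rev, action))
    return rules


def _match(rule, flow):
    f = rule.flt
    if (rule.src_class, rule.dst_class) != (flow.src_class, flow.dst_class):
        return False
    if f.prot != "unspecified" and f.prot != flow.prot:
        return False
    return f.sport[0] <= flow.sport <= f.sport[1] and f.dport[0] <= flow.dport <= f.dport[1]


def evaluate(flow, rules, vrf_enforced=True):
    """Return (verdict, reason) for a flow the way the model leaf would decide it."""
    if not vrf_enforced:
        return ("permit", "VRF policy enforcement disabled")
    if flow.src_class == flow.dst_class:
        return ("permit", "intra-EPG traffic, no isolation configured")
    hits = [r for r in rules if _match(r, flow)]
    for r in hits:                        # a matching deny wins over any permit
        if r.action == "deny":
            return ("deny", f"explicit deny rule {r.flt.name}")
    if hits:
        return ("permit", f"matched permit rule {hits[0].flt.name}")
    return ("deny", "implicit deny: no matching rule")


if __name__ == "__main__":
    http = Filter("http", "tcp", dport=(80, 80))
    rules = expand_contract(consumer=32770, provider=32771, flt=http)
    print(evaluate(Flow(32770, 32771, "tcp", 51000, 80), rules))   # request: permit
    print(evaluate(Flow(32771, 32770, "tcp", 80, 51000), rules))   # reply: permit via -rev
    print(evaluate(Flow(32771, 32770, "tcp", 51000, 80), rules))   # provider initiating: deny
```

The third call is the case that surprises people: the provider EPG cannot open a connection to the consumer on port 80 even though "both directions" is on, because the reversed rule only matches packets whose source port is 80.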

How does Cisco ACI support Zero Trust architecture?

Cisco ACI supports Zero Trust principles by enforcing strict segmentation and verification policies:

  • All inter-EPG traffic is denied by default unless explicitly allowed via contracts.

  • Micro-segmentation allows control down to the workload level.

  • Policies can reference attributes such as tags, VM properties, or security groups.

  • Integration with Cisco ISE/TrustSec (security group tag to EPG mapping) and with firewalls through service graphs adds user and application context.

This architecture minimizes attack surfaces and enforces least-privilege access across workloads.

How does Cisco ACI integrate with Kubernetes and container platforms?

Cisco ACI supports native integration with Kubernetes using the ACI CNI (Container Network Interface) plugin. This enables:

  • Dynamic EPG assignment to pods

  • Integration with Kubernetes namespaces and labels

  • Policy-based communication between container workloads and traditional endpoints

ACI’s integration allows consistent policy enforcement across virtual machines, containers, and bare-metal servers. Engineers can define policies once and have them applied seamlessly across all platforms.

What are Bridge Domain forwarding options available in ACI?

ACI supports multiple forwarding behaviors within a Bridge Domain, all set on the BD itself:

  1. Unicast Routing: Enables the BD's subnets as gateways, so traffic is routed between subnets and endpoint IP addresses are learned; when off, the BD is a pure Layer 2 domain.

  2. L2 Unknown Unicast: Hardware Proxy (the default) sends unknown destinations to the spine proxy for lookup and drops them if the spine does not know them; Flood behaves like a classic VLAN.

  3. ARP Flooding: Off (the default with routing) forwards ARP as unicast using the endpoint database; on, the request is flooded within the BD.

  4. Limit IP Learning to Subnet (and the fabric-wide Enforce Subnet Check): Only learn endpoint IPs that fall inside the BD's configured subnets, which stops a misconfigured or spoofing host from being learned with an address it should not have.

Understanding these options is essential to ensure application connectivity while maintaining control over broadcast domains.

How does ACI handle broadcast, multicast, and unknown unicast traffic?

ACI minimizes unnecessary flooding by default but allows customization:

  • Broadcast: Always flooded, but only within the bridge domain, using the BD's multicast tree across the fabric.

  • Multicast: IGMP snooping limits Layer 2 multicast to interested ports; routed multicast requires enabling Layer 3 multicast on the VRF and BD, with PIM toward external sources and receivers.

  • Unknown Unicast: With Hardware Proxy, the spine looks the destination up in the endpoint database instead of flooding; with Flood, it is flooded within the BD like broadcast.

These behaviors reduce noise, improve performance, and keep flooding scoped to the BD, which is also why a compromised host cannot use broadcast to reach hosts in another BD.

What is GOLF (Layer 3 EVPN Services for Fabric WAN)?

GOLF is an ACI feature that lets the spine switches connect tenant VRFs directly to WAN routers (data center interconnect routers) using MP-BGP EVPN for control and VXLAN for data, instead of building a separate L3Out on border leaves for every VRF.

Use cases include:

  • Scaling many tenant VRFs to the WAN without per-VRF L3Out peering on border leaves

  • Integrating remote data centers and Multi-Pod deployments over the same WAN routers

  • Advertising host routes to the WAN so traffic follows a moved endpoint

GOLF is not a LISP overlay; it is BGP EVPN between the spines and the WAN routers. It simplifies WAN connectivity while keeping tenant traffic in its VRF end to end.

What is the significance of EPG Static Binding vs. Dynamic Binding?

  • Static Binding: Maps an EPG to a specific physical port, VLAN, or interface. Often used for bare-metal servers or appliances.

  • Dynamic Binding: Automatically assigns EPGs to workloads based on hypervisor integration, VM attributes, or labels.

Dynamic binding enhances automation and scalability, while static binding is essential for non-virtualized environments.

What are Shadow EPGs and when are they used?

Shadow EPGs are EPGs the fabric creates on its own rather than the administrator. They appear in two situations: when a service graph is deployed, the APIC creates hidden EPGs for the service device's interfaces and programs the contracts that steer consumer and provider traffic through the device; and in Multi-Site, when a contract spans sites, the orchestrator creates shadow copies of the remote site's EPGs and bridge domains in the local site so the policy can be programmed locally.

They hold the class IDs and relationships needed to enforce the policy without duplicating the original configuration, and are mostly invisible in day-to-day operation. Knowing they exist matters when auditing a tenant or reading zoning rules on a leaf, because rules involving them are legitimate, and deleting the objects by hand breaks the service graph or inter-site contract that created them.

How does Cisco ACI support Disaster Recovery and Business Continuity?

ACI’s Multi-Site and Stretched Fabric capabilities provide built-in support for:

  • Active/active or active/passive workloads

  • Policy consistency across sites

  • Seamless endpoint migration

  • Inter-site contracts

Backup and restore functions within APIC also ensure configuration snapshots and recovery options. This enables organizations to recover quickly during outages or planned migrations.

What are the key considerations when designing a Cisco ACI fabric?

When designing an ACI fabric, consider:

  • Scalability: Plan for leaf/spine port density, endpoint counts, and APIC cluster capacity.

  • Application Requirements: Understand traffic flows, segmentation needs, and SLAs.

  • Security: Design contracts, filters, and micro-segmentation from day one.

  • High Availability: Ensure redundant links, dual-homing, and backup power.

  • Integration Points: Consider VMware, Kubernetes, or L4-L7 service insertion early in the design.

Careful planning reduces the need for rework and ensures a smooth deployment lifecycle.

What tools are available for managing and automating Cisco ACI?

Cisco ACI supports extensive programmability and automation via:

  • REST API (JSON or XML over HTTPS, with token- or certificate-based authentication)

  • Python SDK (Cobra, the acicobra and acimodel packages) and the community ACI Toolkit

  • Ansible collection cisco.aci

  • Terraform provider CiscoDevNet/aci

  • The APIC's own "Save As" and API Inspector features, which show the exact REST calls the GUI makes

These tools allow integration with CI/CD pipelines, Infrastructure-as-Code (IaC) workflows, and third-party orchestration platforms, enabling DevOps-friendly operations. Because the API can change any policy in the fabric, automation credentials deserve the same protection as administrator accounts: scope them with a security domain and role, prefer certificate-based request signing over stored passwords, and keep them out of playbooks and repositories.
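As an added example for this page (not Cisco's code and not part of any of the tools above), the following Python uses only the standard library to build a tenant with a VRF, two bridge domains, a filter, a contract, and two EPGs in the JSON shape the APIC REST API accepts, and to push it after an aaaLogin. It doubles as the worked example for the Contracts section above, since the tree shows how filters, subjects, and provider/consumer relationships nest. The class and attribute names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons) are from the ACI object model; the APIC address, credentials, tenant, VRF, BD, and EPG names are placeholders.

```python
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar


def mo(cls, attrs, children=()):
    """One managed object in the JSON shape the APIC REST API accepts."""
    node = {cls: {"attributes": dict(attrs)}}
    if children:
        node[cls]["children"] = list(children)
    return node


def find_all(tree, cls):
    """Walk a tree and return the attribute dicts of every object of class cls."""
    found = []
    for name, body in tree.items():
        if name == cls:
            found.append(body["attributes"])
        for child in body.get("children", []):
            found.extend(find_all(child, cls))
    return found


def bd(name, vrf, gateway):
    """fvBD in a VRF with one subnet; the fabric answers for the gateway address."""
    return mo("fvBD", {"name": name, "unicastRoute": "yes"},
              [mo("fvRsCtx", {"tnFvCtxName": vrf}), mo("fvSubnet", {"ip": gateway})])


def tcp_filter(name, port, stateful="yes"):
    """vzFilter with one entry: TCP to a single destination port.
    stateful=yes makes the reverse rule accept only packets that look like replies."""
    entry = mo("vzEntry", {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
                           "dFromPort": str(port), "dToPort": str(port),
                           "stateful": stateful})
    return mo("vzFilter", {"name": name}, [entry])


def contract(name, filter_names, scope="context", action="permit", log=False):
    """vzBrCP with one subject; revFltPorts=yes lets return traffic through.
    scope 'context' (the VRF) is the APIC default."""
    attachments = [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f, "action": action,
                                          "directives": "log" if log else ""})
                   for f in filter_names]
    subject = mo("vzSubj", {"name": "subj", "revFltPorts": "yes"}, attachments)
    return mo("vzBrCP", {"name": name, "scope": scope}, [subject])


def epg(name, bd_name, provides=(), consumes=()):
    """fvAEPg bound to a BD, providing and/or consuming contracts by name."""
    rels = [mo("fvRsBd", {"tnFvBDName": bd_name})]
    rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, rels)


def two_tier_tenant(tenant):
    """Tenant where web may open TCP/5432 to db and nothing else is allowed."""
    return mo("fvTenant", {"name": tenant}, [
        mo("fvCtx", {"name": "prod"}),              # pcEnfPref defaults to enforced
        bd("bd-web", "prod", "10.1.10.1/24"),
        bd("bd-db", "prod", "10.1.20.1/24"),
        tcp_filter("postgres", 5432),
        contract("web-to-db", ["postgres"], log=True),
        mo("fvAp", {"name": "shop"}, [
            epg("web", "bd-web", consumes=["web-to-db"]),
            epg("db", "bd-db", provides=["web-to-db"]),
        ]),
    ])


class Apic:
    """Minimal APIC session: aaaLogin for a cookie, then POST a tree under a DN."""

    def __init__(self, url, verify_tls=True):
        self.url = url.rstrip("/")
        ctx = ssl.create_default_context()
        if not verify_tls:                      # lab APICs with self-signed certificates only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(CookieJar()))   # keeps the APIC-cookie

    def _post(self, path, body):
        req = urllib.request.Request(self.url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req, timeout=30) as resp:
            return json.loads(resp.read())

    def login(self, user, password):
        return self._post("/api/aaaLogin.json",
                          {"aaaUser": {"attributes": {"name": user, "pwd": password}}})

    def post(self, dn, tree):
        return self._post(f"/api/mo/{dn}.json", tree)


if __name__ == "__main__":
    tree = two_tier_tenant("shop-prod")
    print(json.dumps(tree, indent=1))
    # To push it (address and credentials are placeholders):
    # apic = Apic("https://apic.example.net"); apic.login("automation", "secret")
    # apic.post("uni/tn-shop-prod", tree)
```

Posting the whole tree to uni/tn-shop-prod creates or updates every object in one transaction, which is what makes the API usable from a pipeline: the same JSON applied twice is a no-op, and a rejected object rolls the whole request back.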

What is the role of Tenant, VRF, and Bridge Domain hierarchy in policy design?

This hierarchy provides logical separation and policy inheritance:

  • Tenant: Logical container for isolation; policies and objects reside here.

  • VRF: Controls Layer 3 routing domains.

  • Bridge Domain: Manages Layer 2 communication.

Settings made at the VRF level (policy enforcement mode, vzAny contracts, route leaking) apply to every BD and EPG inside it, and BD settings (subnets, flooding behavior) apply to every EPG in the BD, so a change high in the hierarchy has a wide effect. A clear hierarchy makes those effects predictable, simplifies operational understanding, and reduces policy conflicts.

What is the difference between Intra-EPG and Inter-EPG communication?

  • Intra-EPG: Endpoints in the same EPG can communicate without a contract, unless intra-EPG isolation or an intra-EPG contract is configured on the EPG.

  • Inter-EPG: Requires a defined contract to permit communication.

This model allows open access within trusted groups while enforcing strict control between separate application tiers or departments.

What is VMM Integration and how does it work?

Virtual Machine Manager (VMM) integration allows APIC to discover and interact with virtualization platforms like:

  • VMware vCenter

  • Microsoft SCVMM

  • OpenStack

With VMM integration, the APIC can:

  • Discover VMs and their network interfaces

  • Automate EPG assignments

  • Push port groups dynamically to virtual switches

This reduces manual steps and ensures consistent policy enforcement across hybrid infrastructures.

What are Preferred Groups in Cisco ACI?

A Preferred Group is a per-VRF setting that lets the EPGs included in it communicate freely without explicit contracts. EPGs outside the group still need contracts to reach anything, including the group's members. Preferred Groups simplify policy where:

  • Multiple applications or services require unrestricted communication

  • Large groups of tightly integrated EPGs would otherwise need a mesh of contracts

Preferred Groups reduce operational overhead while preserving segmentation from everything outside the group; the trade-off is that membership alone grants full any-to-any access, so the group's membership should be reviewed as carefully as a contract.

How are policies applied to external networks in ACI?

External networks connect through L3Outs. Policies applied here include:

  • Contracts: Define permitted traffic between internal and external EPGs.

  • Route Control: Redistribute internal routes to external peers and vice versa.

  • Filters: Limit exposed services or protocols.

ACI treats external connectivity as part of the policy model, ensuring consistency and visibility across internal and external traffic flows.

What is the difference between L2Out and L3Out in Cisco ACI?

  • L2Out: Extends Layer 2 connectivity (e.g., for connecting to legacy switches or appliances in the same VLAN).

  • L3Out: Extends Layer 3 routing capabilities to external networks (e.g., for internet or WAN access).

Choosing between them depends on whether routing or bridging is required for the external connection.

How do you monitor endpoint movement in ACI?

ACI tracks endpoint movements automatically. The Endpoint Tracker tool in APIC shows:

  • MAC/IP bindings

  • Leaf switch location

  • Movement history

  • Associated EPGs

This is particularly useful for troubleshooting dynamic workloads, such as VMs moving due to DRS or HA events.
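The same information the Endpoint Tracker shows can be pulled from the API as fvCEp objects (GET /api/class/fvCEp.json?rsp-subtree=children&rsp-subtree-class=fvRsCEpToPathEp,fvIp) and compared over time. The following is an added example, not a Cisco tool: it diffs two such snapshots and reports endpoints that appeared, vanished, changed port on the same leaf, moved to another leaf, or were reclassified into a different EPG. A port or leaf move is what a vMotion looks like; an EPG change for an existing MAC, or a MAC that keeps flapping between leaves, is the symptom of a duplicate address or a host spoofing its way into another group and is worth an alert. The two snapshots and their path names are constructed for the example; the attribute and class names are from the ACI object model.

```python
import json
import re

# Constructed snapshots (not real APIC output) in the shape returned by
# GET /api/class/fvCEp.json?rsp-subtree=children&rsp-subtree-class=fvRsCEpToPathEp,fvIp
SNAPSHOT_T0 = json.loads("""{"imdata": [
 {"fvCEp": {"attributes": {"dn": "uni/tn-shop/ap-web/epg-front/cep-00:50:56:A1:00:01",
            "mac": "00:50:56:A1:00:01", "encap": "vlan-110", "lcC": "learned,vmm"},
   "children": [{"fvRsCEpToPathEp": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/5]"}}},
                {"fvIp": {"attributes": {"addr": "10.1.10.21"}}}]}},
 {"fvCEp": {"attributes": {"dn": "uni/tn-shop/ap-web/epg-db/cep-00:50:56:A1:00:02",
            "mac": "00:50:56:A1:00:02", "encap": "vlan-120", "lcC": "learned"},
   "children": [{"fvRsCEpToPathEp": {"attributes": {"tDn": "topology/pod-1/protpaths-103-104/pathep-[vpc-db01]"}}},
                {"fvIp": {"attributes": {"addr": "10.1.20.5"}}}]}}]}""")

SNAPSHOT_T1 = json.loads("""{"imdata": [
 {"fvCEp": {"attributes": {"dn": "uni/tn-shop/ap-web/epg-front/cep-00:50:56:A1:00:01",
            "mac": "00:50:56:A1:00:01", "encap": "vlan-110", "lcC": "learned,vmm"},
   "children": [{"fvRsCEpToPathEp": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/7]"}}},
                {"fvIp": {"attributes": {"addr": "10.1.10.21"}}}]}},
 {"fvCEp": {"attributes": {"dn": "uni/tn-shop/ap-web/epg-front/cep-00:50:56:A1:00:02",
            "mac": "00:50:56:A1:00:02", "encap": "vlan-110", "lcC": "learned"},
   "children": [{"fvRsCEpToPathEp": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/9]"}}},
                {"fvIp": {"attributes": {"addr": "10.1.20.5"}}}]}},
 {"fvCEp": {"attributes": {"dn": "uni/tn-shop/ap-web/epg-db/cep-00:50:56:A1:00:03",
            "mac": "00:50:56:A1:00:03", "encap": "vlan-120", "lcC": "learned"},
   "children": [{"fvRsCEpToPathEp": {"attributes": {"tDn": "topology/pod-1/protpaths-103-104/pathep-[vpc-db01]"}}},
                {"fvIp": {"attributes": {"addr": "10.1.20.6"}}}]}}]}""")

EPG_RE = re.compile(r"^uni/tn-(?P<tn>[^/]+)/ap-(?P<ap>[^/]+)/epg-(?P<epg>[^/]+)/cep-")
PATH_RE = re.compile(r"/(?:prot)?paths-([\d-]+)/")


def leaf_of(path_tdn):
    """Leaf node IDs in a path tDn: paths-101 -> ('101',), protpaths-103-104 -> ('103', '104')."""
    m = PATH_RE.search(path_tdn)
    return tuple(m.group(1).split("-")) if m else ()


def leaves(paths):
    return frozenset(leaf for p in paths for leaf in leaf_of(p))


def index(snapshot):
    """MAC -> {epg, paths, ips, encap} for one fvCEp query result."""
    out = {}
    for rec in snapshot["imdata"]:
        body = rec["fvCEp"]
        attrs = body["attributes"]
        m = EPG_RE.match(attrs["dn"])
        epg = f"{m['tn']}/{m['ap']}/{m['epg']}" if m else attrs["dn"]
        paths, ips = set(), set()
        for child in body.get("children", []):
            if "fvRsCEpToPathEp" in child:
                paths.add(child["fvRsCEpToPathEp"]["attributes"]["tDn"])
            elif "fvIp" in child:
                ips.add(child["fvIp"]["attributes"]["addr"])
        out[attrs["mac"]] = {"epg": epg, "paths": paths, "ips": ips, "encap": attrs["encap"]}
    return out


def diff_endpoints(before, after):
    """Events (mac, kind, old, new) with kind in: new, gone, epg-changed, moved-port, moved-leaf."""
    b, a = index(before), index(after)
    events = []
    for mac in sorted(set(b) | set(a)):
        if mac not in a:
            events.append((mac, "gone", b[mac]["epg"], None))
            continue
        if mac not in b:
            events.append((mac, "new", None, a[mac]["epg"]))
            continue
        if a[mac]["epg"] != b[mac]["epg"]:     # reclassified: check for a duplicate or spoofed address
            events.append((mac, "epg-changed", b[mac]["epg"], a[mac]["epg"]))
        if a[mac]["paths"] != b[mac]["paths"]:
            kind = "moved-leaf" if leaves(b[mac]["paths"]) != leaves(a[mac]["paths"]) else "moved-port"
            events.append((mac, kind, sorted(b[mac]["paths"]), sorted(a[mac]["paths"])))
    return events


if __name__ == "__main__":
    for event in diff_endpoints(SNAPSHOT_T0, SNAPSHOT_T1):
        print(*event)
```

Run against periodic exports of the same query, the "epg-changed" and repeated "moved-leaf" events are the ones to forward to a SIEM; the fabric itself raises an endpoint-move fault only after a configurable number of moves in a short window, so the diff gives earlier and more specific notice.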

How is role-based access control (RBAC) implemented in ACI?

RBAC in ACI defines what users or API clients can do within the system. Each user is assigned one or more security domains (which scope access to particular tenants, or to all of them) and, within each domain, one or more roles with either read or write privilege. Built-in roles include:

  • admin (full control)

  • fabric-admin and access-admin (fabric and access policies)

  • tenant-admin and tenant-ext-admin (tenant policies, with or without external connectivity)

  • ops, read-all, aaa, vmm-admin, nw-svc-admin

Custom roles built from individual privileges can also be created for fine-grained permissions, and authentication can be delegated to TACACS+, RADIUS, LDAP, or SAML. Combining a narrow security domain with a narrow role is what enforces separation of duties: a tenant administrator with write privilege only in their tenant's domain cannot touch fabric-wide policy or another tenant's objects.
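The user, security domain and role objects are readable through the API (GET /api/class/aaaUser.json?rsp-subtree=full), which makes a periodic least-privilege review easy to script. The following is an added example, not Cisco code: it flattens aaaUser records into (user, status, domain, role, privilege) rows and flags accounts holding write privilege in the "all" security domain that are not on an allow-list, and disabled accounts that still hold write roles. The records are constructed for the example; the class and attribute names (aaaUser, aaaUserDomain, aaaUserRole, accountStatus, privType) are from the ACI object model, and the user and domain names are placeholders.

```python
import json

# Constructed records (not real APIC output) in the shape returned by
# GET /api/class/aaaUser.json?rsp-subtree=full
USERS = json.loads("""{"imdata": [
 {"aaaUser": {"attributes": {"name": "admin", "accountStatus": "active"},
   "children": [{"aaaUserDomain": {"attributes": {"name": "all"},
     "children": [{"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
 {"aaaUser": {"attributes": {"name": "svc-ansible", "accountStatus": "active"},
   "children": [{"aaaUserDomain": {"attributes": {"name": "all"},
     "children": [{"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
 {"aaaUser": {"attributes": {"name": "shop-netops", "accountStatus": "active"},
   "children": [{"aaaUserDomain": {"attributes": {"name": "shop-domain"},
     "children": [{"aaaUserRole": {"attributes": {"name": "tenant-admin", "privType": "writePriv"}}}]}},
                {"aaaUserDomain": {"attributes": {"name": "all"},
     "children": [{"aaaUserRole": {"attributes": {"name": "read-all", "privType": "readPriv"}}}]}}]}},
 {"aaaUser": {"attributes": {"name": "old-contractor", "accountStatus": "inactive"},
   "children": [{"aaaUserDomain": {"attributes": {"name": "all"},
     "children": [{"aaaUserRole": {"attributes": {"name": "fabric-admin", "privType": "writePriv"}}}]}}]}}]}""")


def grants(users):
    """Flatten users into (user, accountStatus, domain, role, privType) rows."""
    rows = []
    for rec in users["imdata"]:
        user = rec["aaaUser"]
        name = user["attributes"]["name"]
        status = user["attributes"]["accountStatus"]
        for d in user.get("children", []):
            domain = d["aaaUserDomain"]
            for r in domain.get("children", []):
                role = r["aaaUserRole"]["attributes"]
                rows.append((name, status, domain["attributes"]["name"], role["name"], role["privType"]))
    return rows


def audit(users, expected_global_admins=("admin",)):
    """Findings as (user, finding, detail).

    global-write: write privilege in the 'all' domain for an account not on the allow-list
                  (a service account with admin everywhere is the usual offender).
    stale-write:  a non-active account that still holds a write role and should be cleaned up."""
    findings = []
    for user, status, domain, role, priv in grants(users):
        if domain == "all" and priv == "writePriv" and user not in expected_global_admins:
            findings.append((user, "global-write", f"{role} in domain all"))
        if status != "active" and priv == "writePriv":
            findings.append((user, "stale-write", f"{role} in domain {domain} while {status}"))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS):
        print(*finding)
```

In this data the shop-netops account is the model to copy: write privilege only inside its tenant's security domain, read-only everywhere else. The svc-ansible account is what the closing sentence of the automation section warns about, and the inactive contractor shows why disabling an account is not the same as removing its roles.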

Conclusion

Cisco ACI is not just a next-generation networking solution—it’s a powerful platform for automation, segmentation, and policy control across physical, virtual, and cloud environments. As enterprise networks become increasingly complex, the ability to articulate, implement, and troubleshoot ACI-based solutions will become a crucial skill.

From understanding the basics of EPGs and tenants to deploying service graphs and performing advanced troubleshooting with atomic counters, mastering Cisco ACI requires both conceptual clarity and hands-on experience. Preparing with real-world scenarios, architectural awareness, and policy design principles will significantly increase your success in ACI interviews and operational roles.