πŸ—οΈ Cisco ACI Lab Environment

Building Your Software-Defined Data Center

🎯 Welcome to Cisco ACI Lab Environment

Welcome to this comprehensive hands-on lab guide for building a complete Cisco Application Centric Infrastructure (ACI) environment. This lab will take you through the entire deployment process, from initial setup to a fully functional multi-tenant data center fabric.

🎓 What You'll Learn:
  • Understanding ACI architecture and component roles (APIC, Spine, Leaf switches)
  • Performing fabric discovery and initialization procedures
  • Configuring APIC cluster for high availability
  • Creating and managing tenants, VRFs, bridge domains, and EPGs
  • Implementing application network profiles and contracts
  • Integrating external layer 3 connectivity with L3Outs
  • Deploying VMM integration with VMware vCenter

🏢 Lab Environment Description

This lab simulates a production-grade ACI fabric deployment with the following components:

  • APIC Cluster: 3x APIC controllers for high availability
  • Spine Layer: 2x Spine switches (redundant backbone)
  • Leaf Layer: 4x Leaf switches (access layer)
  • Compute: VMware vCenter integration
  • Network: External L3 connectivity for north-south traffic

💡 Key Learning Point

ACI Philosophy: Unlike traditional networking, where you configure each switch individually, ACI uses a centralized policy model. The APIC cluster is the single source of truth: you declare the desired state there, and the APIC renders it onto the leaf and spine switches. Think of it as "Infrastructure as Code" for your data center. The flip side is that whoever controls the APIC controls every tenant in the fabric, so its out-of-band management network, admin credentials and API tokens deserve the same protection you would give a domain controller.

⏱️ Time Requirement: This lab typically takes 3-4 hours to complete thoroughly. Plan accordingly and save your progress regularly through the APIC interface.

πŸ—ΊοΈ ACI Fabric Topology

                    External Network
                         |
                    [ Border Leaf ]
                         |
    ═══════════════════════════════════════════════════
                    SPINE LAYER
    ═══════════════════════════════════════════════════
           |                              |
      [Spine-1]                      [Spine-2]
      10.0.0.1                       10.0.0.2
           |                              |
    ═══════════════════════════════════════════════════
                     LEAF LAYER
    ═══════════════════════════════════════════════════
       |         |         |                |
   [Leaf-101] [Leaf-102] [Leaf-103]    [Leaf-104]
   10.0.0.101 10.0.0.102 10.0.0.103    10.0.0.104
       |         |         |                |
    ═══════════════════════════════════════════════════
                  APIC CLUSTER
    ═══════════════════════════════════════════════════
    [APIC-1]     [APIC-2]     [APIC-3]
    10.1.1.1     10.1.1.2     10.1.1.3
       |            |            |
    ════════════════════════════════════════════════════
              Compute & Storage Resources
                   VMware vCenter
              ESXi-01, ESXi-02, ESXi-03
                    

📊 Component Details

Component          Hostname   Address          Role
APIC Controller 1  apic1      10.1.1.1/24      Cluster member (controller ID 1)
APIC Controller 2  apic2      10.1.1.2/24      Cluster member (controller ID 2)
APIC Controller 3  apic3      10.1.1.3/24      Cluster member (controller ID 3)
Spine Switch 1     spine-1    10.0.0.1/32      Backbone fabric
Spine Switch 2     spine-2    10.0.0.2/32      Backbone fabric
Leaf Switch 101    leaf-101   10.0.0.101/32    Access layer - APIC connectivity
Leaf Switch 102    leaf-102   10.0.0.102/32    Access layer - compute
Leaf Switch 103    leaf-103   10.0.0.103/32    Access layer - compute
Leaf Switch 104    leaf-104   10.0.0.104/32    Border leaf - external connectivity

The APIC addresses are out-of-band management addresses on 10.1.1.0/24. The /32 switch addresses are fabric TEP (tunnel endpoint) addresses, which the APIC assigns from the 10.0.0.0/16 TEP pool entered during setup; switches receive their own out-of-band management addresses separately, after discovery. The three APICs form an active-active cluster, so the controller ID is an identifier, not a primary/standby designation.

💡 Key Learning Point

Spine-Leaf Architecture: ACI uses a non-blocking Clos topology where every Leaf connects to every Spine. This provides equal-cost paths and eliminates bottlenecks. Traffic between any two Leaf switches is only 2 hops (Leaf→Spine→Leaf). Never connect Leaf-to-Leaf or Spine-to-Spine directly!

📋 Prerequisites and Planning

🔧 Hardware Requirements

Component         Model                       Minimum Version     Quantity
APIC Controllers  M3 or later                 5.2(4e) or later    3
Spine Switches    N9K-C9332C or better        15.2(4e) or later   2
Leaf Switches     N9K-C93180YC-EX or better   15.2(4e) or later   4

📊 IP Address Planning

Step 1: Management Network (Out-of-Band)

  • Network: 10.1.1.0/24
  • Gateway: 10.1.1.254
  • APIC Cluster: 10.1.1.1-3
  • DNS Servers: 8.8.8.8, 8.8.4.4
  • NTP Server: pool.ntp.org

Fabric-Internal Addressing (entered during APIC setup)

  • TEP address pool: 10.0.0.0/16 (used by the fabric for its VXLAN tunnel endpoints; it must not overlap the management network or any network the fabric will route to)
  • Infrastructure VLAN: 3967

The public DNS and NTP values above are lab conveniences. In production, point the fabric at internal servers you control: the cluster's certificates, API token expiry and audit logs all depend on correct, consistent time, and the management network should not need Internet reachability at all.

⚠️ Complete these tasks before beginning fabric initialization:
  • ☐ All switches powered on and passing POST
  • ☐ Physical cabling completed per topology diagram
  • ☐ Management network configured and accessible
  • ☐ DNS and NTP servers accessible from management network
  • ☐ Required licenses available

🚀 Fabric Initialization

⚠️ Critical: The initialization steps must be performed in the exact order shown. Do not skip steps or deviate from the sequence.
Step 1: Power On First APIC Controller

Connect to APIC-1 via console cable. The system will boot and present the initial setup wizard.

  # Fabric name
  Enter the fabric name: ACI-FABRIC
  # Number of controllers in the cluster
  Enter the number of controllers in the fabric (1-9) [3]: 3
  # POD ID
  Enter the POD ID (1-9) [1]: 1
  # Controller ID
  Enter the controller ID (1-3) [1]: 1
  # Controller name
  Enter the controller name [apic1]: apic1
  # TEP address pool for the fabric
  Enter address pool for TEP addresses [10.0.0.0/16]: 10.0.0.0/16
  # Infrastructure VLAN ID
  Enter the VLAN ID for infra network (2-4094) [3967]: 3967
Step 2: Configure Management Network

  # Out-of-band management IP
  Enter the IP address for out-of-band management: 10.1.1.1/24
  # Default gateway
  Enter the IP address of the default gateway [None]: 10.1.1.254
  # Admin password
  Enter the password for admin: YourSecureP@ssw0rd!
  Confirm the password for admin: YourSecureP@ssw0rd!

🔐 Password Requirements: The admin password must be at least 8 characters and include uppercase letters, lowercase letters, numbers, and special characters. The value above is a placeholder; choose your own, and keep it out of scripts and version control.

✅ Progress: The APIC will now initialize. This takes approximately 10-15 minutes. You can access the GUI at https://10.1.1.1 once complete. The factory certificate is self-signed, so expect a browser warning; replace it with a certificate issued by your own CA before anyone other than the lab operator relies on the GUI or the API.

βš™οΈ Tenant and Application Configuration

GUI-Based Configuration

Step 1: Create Production Tenant

Navigate to: Tenants → Add Tenant

  1. Click the + icon to add a new tenant
  2. Name: Production
  3. Description: Production Application Tenant
  4. Click Submit
Step 2: Create VRF (Private Network)

Navigate to: Tenants → Production → Networking → VRFs

  1. Right-click on VRFs and select Create VRF
  2. Name: Prod-VRF
  3. Policy Control Enforcement Preference: Enforced
  4. Click Submit

💡 Key Learning Point

Think Applications, Not VLANs: In traditional networking, you think "I need VLAN 100 for web servers." In ACI, you think "I have a web application with database and web tiers that need to communicate." The EPGs represent your application components, and contracts define allowed communication. With the VRF set to Enforced, as above, endpoints in different EPGs cannot talk at all until a contract between them permits it; the fabric is allow-list by default, which is the point of the model.

REST API Configuration

Step 1: Authenticate to APIC

  # Login and obtain authentication token
  POST https://10.1.1.1/api/aaaLogin.json
  # Request body:
  {
    "aaaUser": {
      "attributes": {
        "name": "admin",
        "pwd": "YourSecureP@ssw0rd!"
      }
    }
  }

A successful response carries the token in imdata[0].aaaLogin.attributes.token, together with refreshTimeoutSeconds. Send it on every later request as the cookie APIC-cookie=<token>, refresh it with GET /api/aaaRefresh.json before it expires, and release it with POST /api/aaaLogout.json when the script finishes. A failed login returns an error object inside imdata, so check the response body rather than only the HTTP status. For automation, create a dedicated user with a read-write role scoped to the tenants it manages instead of using admin, and never commit the password to source control.
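The login step above as an added, complete client that the guide itself does not include: it posts to aaaLogin.json, keeps the returned token as the APIC-cookie, and then creates the Production tenant and Prod-VRF from the GUI procedure earlier on this page in a single REST call. The URLs and class names (aaaLogin, fvTenant, fvCtx) are the real APIC API; the host, names and credentials are the guide's lab values, and the APIC_CA_BUNDLE environment variable is an assumption used to point at your own CA bundle. Standard library only.

```python
"""Log in to APIC and create a tenant with an enforced VRF via the REST API.

Added example, not from the guide: the REST classes (aaaLogin, fvTenant,
fvCtx) and URLs are the real APIC API; the host, credentials and tenant names
are the lab values from this guide and the CA bundle env var is an assumption.
"""
import getpass
import json
import os
import ssl
import urllib.request
from typing import Optional, Tuple
from urllib.error import HTTPError


def login_payload(username: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def tenant_payload(tenant: str, vrf: str, descr: str = "", enforced: bool = True) -> dict:
    """fvTenant with one child fvCtx (VRF); pcEnfPref=enforced makes contracts mandatory."""
    pref = "enforced" if enforced else "unenforced"
    return {"fvTenant": {"attributes": {"name": tenant, "descr": descr},
                         "children": [{"fvCtx": {"attributes": {"name": vrf, "pcEnfPref": pref}}}]}}


def first_object(body: str) -> dict:
    """Return the first imdata object of an APIC response, raising on an embedded error.

    APIC reports failures (401 bad credentials, 400 bad payload) as an 'error'
    object inside imdata, so the body has to be inspected, not just the HTTP code.
    """
    imdata = json.loads(body).get("imdata", [])
    if imdata and "error" in imdata[0]:
        err = imdata[0]["error"]["attributes"]
        raise PermissionError(f"APIC error {err.get('code', '?')}: {err.get('text', '')}")
    return imdata[0] if imdata else {}


def parse_login(body: str) -> Tuple[str, int]:
    """(token, refreshTimeoutSeconds) from an aaaLogin response."""
    attrs = first_object(body)["aaaLogin"]["attributes"]
    return attrs["token"], int(attrs["refreshTimeoutSeconds"])


class ApicSession:
    """Token-cookie session against one APIC over verified TLS."""

    def __init__(self, host: str, cafile: Optional[str] = None):
        self.base = f"https://{host}"
        # Verify the APIC certificate against your own CA bundle. Leaving cafile
        # unset uses the system trust store, so a factory self-signed certificate
        # is rejected; that is the safe default for anything beyond a lab.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token: Optional[str] = None
        self.username: Optional[str] = None

    def _post(self, path: str, payload: dict) -> str:
        req = urllib.request.Request(self.base + path, method="POST",
                                     data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        if self.token:
            req.add_header("Cookie", f"APIC-cookie={self.token}")
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                return resp.read().decode()
        except HTTPError as exc:
            return exc.read().decode()  # APIC's error object; first_object() raises on it

    def login(self, username: str, password: str) -> int:
        self.username = username
        self.token, refresh = parse_login(
            self._post("/api/aaaLogin.json", login_payload(username, password)))
        return refresh  # seconds until the token must be refreshed via /api/aaaRefresh.json

    def create_tenant(self, tenant: str, vrf: str, descr: str = "") -> dict:
        # Posting the fvTenant tree to uni.json creates it, or updates it in place.
        return first_object(self._post("/api/mo/uni.json", tenant_payload(tenant, vrf, descr)))

    def logout(self) -> None:
        if self.token:
            self._post("/api/aaaLogout.json", {"aaaUser": {"attributes": {"name": self.username}}})
            self.token = None


if __name__ == "__main__":
    # APIC_CA_BUNDLE is an assumed environment variable pointing at your CA bundle.
    session = ApicSession("10.1.1.1", cafile=os.environ.get("APIC_CA_BUNDLE"))
    session.login("admin", getpass.getpass("APIC admin password: "))
    try:
        session.create_tenant("Production", "Prod-VRF", "Production Application Tenant")
    finally:
        session.logout()
```

The password is read interactively rather than embedded, the session is logged out even if tenant creation fails, and TLS verification is never disabled: in a lab with the factory certificate, export that certificate and pass it as the CA bundle instead of turning verification off.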

🔧 Troubleshooting Common Issues

Step 1: Issue: Fabric Discovery Fails

❌ Symptom: The switch appears in Fabric Membership as undiscovered or pending registration but never becomes active, or does not appear at all.

Root Causes:

  • Physical connectivity issues (a switch cabled leaf-to-leaf or spine-to-spine is never discovered)
  • Wrong discovery order (the leaf connected to the APIC must be discovered and registered first, then the spines, then the remaining leaves)
  • Switch running the standalone NX-OS image instead of the ACI image
  • Switch not yet registered (assigning a node ID and name in Fabric Membership is what admits it to the fabric)
  • Time synchronization issues

  # On the leaf: verify the uplinks towards the spines are up
  show interface eth1/49
  show interface eth1/50
  # On the leaf: LLDP is how the fabric learns its neighbours; the spines should appear here
  show lldp neighbors
  # On the APIC: list every fabric node with its serial number, assigned node ID and state
  acidiag fnvread
Step 2: Issue: Contract Not Permitting Traffic

❌ Symptom: Traffic between EPGs is blocked even though a contract is configured.

Resolution: Verify provider/consumer roles are correctly assigned and filter entries match the required traffic. Contracts are directional: the consumer EPG initiates towards the provider, and the filter's destination port is matched on that direction (return traffic is handled by the subject's Apply Both Directions / Reverse Filter Ports settings). Two EPGs that both provide, or both consume, the same contract are not connected by it, and a filter written for tcp/443 does nothing for a database flow on tcp/3306. Also confirm that both EPGs are in the same VRF (or that the contract scope is wider than the VRF) and that the contract is attached to the EPGs themselves, not merely created under the tenant.
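The directional evaluation described above, as an added example that is not part of the original guide: it builds the filter, contract and EPG objects in the APIC's own JSON shape and then evaluates candidate flows against them the way the fabric does (consumer towards provider, filter matched on destination port), so a swapped role or a mismatched filter shows up as a dropped flow. The REST class names (vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvAEPg, fvRsBd, fvRsProv, fvRsCons) are the real ACI object model; the EPG, bridge domain, filter and port values are constructed lab data.

```python
"""Build ACI contract objects and check which EPG-to-EPG flows they permit.

Added example for the 'contract not permitting traffic' case; it is not code
from the guide. The REST classes (vzFilter, vzEntry, vzBrCP, vzSubj,
vzRsSubjFiltAtt, fvAEPg, fvRsBd, fvRsProv, fvRsCons) are the real APIC object
model; the EPG, bridge domain, filter and port values are constructed lab data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ANY_PORT = (0, 65535)  # how an 'unspecified' destination port range is treated here


def filter_payload(name: str, prot: str, dfrom="unspecified", dto=None) -> dict:
    """vzFilter with one vzEntry; prot is tcp/udp/unspecified, ports are ints or 'unspecified'."""
    dto = dfrom if dto is None else dto
    entry = {"name": f"{prot}-{dfrom}", "etherT": "ip", "prot": prot,
             "sFromPort": "unspecified", "sToPort": "unspecified",
             "dFromPort": str(dfrom), "dToPort": str(dto), "stateful": "no"}
    return {"vzFilter": {"attributes": {"name": name}, "children": [{"vzEntry": {"attributes": entry}}]}}


def contract_payload(name: str, filters: Iterable[str], scope: str = "context") -> dict:
    """vzBrCP with one subject; revFltPorts=yes lets return traffic through (Apply Both Directions)."""
    rels = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filters]
    subj = {"vzSubj": {"attributes": {"name": f"{name}-subj", "revFltPorts": "yes"}, "children": rels}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope}, "children": [subj]}}


def epg_payload(name: str, bd: str, provides: Iterable[str] = (), consumes: Iterable[str] = ()) -> dict:
    """fvAEPg bound to a bridge domain, providing and/or consuming contracts."""
    children: List[dict] = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def _dport_range(attrs: dict) -> Tuple[int, int]:
    if attrs["dFromPort"] == "unspecified":
        return ANY_PORT
    return int(attrs["dFromPort"]), int(attrs["dToPort"])


def compile_policy(filters: List[dict], contracts: List[dict], epgs: List[dict]) -> dict:
    """Flatten the REST objects into lookup tables: filter -> entries, contract -> filters, EPG -> roles."""
    pol: Dict[str, dict] = {"filters": {}, "contracts": {}, "epgs": {}}
    for f in filters:
        flt = f["vzFilter"]
        pol["filters"][flt["attributes"]["name"]] = [
            (e["vzEntry"]["attributes"]["prot"], _dport_range(e["vzEntry"]["attributes"]))
            for e in flt["children"]]
    for c in contracts:
        brc = c["vzBrCP"]
        pol["contracts"][brc["attributes"]["name"]] = [
            r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
            for s in brc["children"] for r in s["vzSubj"]["children"]]
    for e in epgs:
        epg = e["fvAEPg"]
        pol["epgs"][epg["attributes"]["name"]] = {
            "prov": {ch["fvRsProv"]["attributes"]["tnVzBrCPName"] for ch in epg["children"] if "fvRsProv" in ch},
            "cons": {ch["fvRsCons"]["attributes"]["tnVzBrCPName"] for ch in epg["children"] if "fvRsCons" in ch}}
    return pol


@dataclass(frozen=True)
class Flow:
    src_epg: str  # endpoint that opens the connection (must sit in the consumer EPG)
    dst_epg: str  # endpoint that receives it (must sit in the provider EPG)
    prot: str
    dport: int


def permitted(pol: dict, flow: Flow, enforced: bool = True) -> bool:
    """Consumer -> provider evaluation of a new connection within one VRF.

    Return traffic of an established session is covered by revFltPorts, so a
    False for the reverse direction means a *new* connection that way is dropped.
    """
    if not enforced or flow.src_epg == flow.dst_epg:
        return True  # unenforced VRF, or intra-EPG traffic (allowed unless isolation is enabled)
    src, dst = pol["epgs"][flow.src_epg], pol["epgs"][flow.dst_epg]
    for contract in src["cons"] & dst["prov"]:  # same contract, opposite roles
        for fname in pol["contracts"][contract]:
            for prot, (lo, hi) in pol["filters"][fname]:
                if prot in (flow.prot, "unspecified") and lo <= flow.dport <= hi:
                    return True
    return False


def demo_policy() -> dict:
    """Constructed two-tier example: web consumes web-to-db, db provides it, filter tcp/3306."""
    return compile_policy(
        filters=[filter_payload("mysql", "tcp", 3306)],
        contracts=[contract_payload("web-to-db", ["mysql"])],
        epgs=[epg_payload("web", "Prod-BD", consumes=["web-to-db"]),
              epg_payload("db", "Prod-BD", provides=["web-to-db"])])


if __name__ == "__main__":
    pol = demo_policy()
    for flow in (Flow("web", "db", "tcp", 3306),   # permitted
                 Flow("db", "web", "tcp", 3306),   # dropped: roles reversed
                 Flow("web", "db", "tcp", 443)):   # dropped: filter does not match
        print(flow, "permitted" if permitted(pol, flow) else "dropped")
```

The second and third flows are exactly the two misconfigurations named in the resolution: the same contract with the EPG roles swapped, and a filter whose entry does not cover the port the application actually uses. The payload builders produce JSON you can POST under the tenant (uni/tn-<tenant>.json) with the session from the authentication example, so the model you test here is the one you push.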

✅ Verification and Testing

Step 1: Verify APIC Cluster Health

Navigate to: System β†’ Controllers

Expected Results

  • All three APICs show status: Fully Fit
  • Health score: 100
  • Cluster size: 3
  # CLI verification from APIC
  acidiag cluster
  # Expected output (illustrative, abridged):
  Cluster is HEALTHY
  Node | IP        | Health | Status
  -----|-----------|--------|-------
  1    | 10.1.1.1  | 100    | Active
  2    | 10.1.1.2  | 100    | Active
  3    | 10.1.1.3  | 100    | Active

All three controllers are active peers; an APIC cluster has no primary/secondary roles. Any controller state other than Fully Fit (for example Data Layer Partially Diverged) means the cluster's data shards are not fully replicated, and the fabric should not be treated as healthy until it recovers.
🎊 Congratulations! Your ACI fabric is fully operational and ready for production workloads.

πŸ“ Knowledge Check

Test your understanding of Cisco ACI deployment and configuration.

1. In ACI architecture, what is the primary role of the Spine switches?
2. What is the minimum number of APIC controllers required for a production ACI deployment?
3. In ACI contracts, which EPG role represents the service provider (server)?
4. What is the purpose of a Bridge Domain (BD) in ACI?
5. When deploying EPG static port bindings, what does the "encapsulation VLAN" represent?
6. What happens when VRF Policy Control Enforcement is set to "Enforced"?
7. Why must Leaf switches be discovered before Spine switches in the ACI fabric?