Cisco ACI Tenant



Cisco ACI is a policy-based fabric, meaning that the whole environment is modelled as objects. Within Cisco Application Centric Infrastructure, the tenant policy model is one of the most important parts of ACI, and the tenant is the top-level object on its tab. It contains several areas, but the two most critical at the moment are networking and the application profile. The networking section is where you create VRFs (also called contexts), bridge domains (which contain a subnet and define flooding boundaries), L3 Out parameters and L2 Out parameters. The application profile defines your endpoint groups, which match on VLAN, switch, interfaces and more, and how they consume infrastructure resources for their application.


Overall, a tenant is a logical container for application policies. It includes one or more virtual routing and forwarding (VRF) instances, or contexts, which can be associated with multiple bridge domains. This concept is very similar to the private VLAN used in traditional networking.

In the ACI tenant policy model, bridge domains act like a primary VLAN while EPGs behave like the secondary VLANs. However, because ACI has two types of encapsulation, VXLAN and IEEE VLAN, and is no longer only about VLANs, the whole architecture and its parameters have changed. In addition, VXLAN in ACI falls into two types: iVXLAN, the encapsulation used inside the fabric, which never leaves the fabric, and standard IETF VXLAN, the standardized VXLAN that all vendors use, which ACI can also handle.


Within ACI, a tenant is an administrative boundary, and at least three tenants are available. First, the Common tenant. Objects created inside the common tenant, such as VRFs and EPGs, are available to other tenants, and it is a place where ACI configuration can reside. Second, the Infra tenant. The infra tenant is used to expand the infrastructure; Multi-Pod and Multi-Site fabrics also use it to connect the pods or sites to each other. Third, the Mgmt tenant. Most of the management configuration is performed in this tenant, and it is used to configure in-band and out-of-band policies to reach the fabric nodes such as spines (Nexus 9500 switches), leaves (Nexus 9300 switches) and Cisco APICs.


Within a tenant you need at least one context (also called a VRF) to contain layer 3 domains. The context maps directly to the VRF (lite) concept in classical networks, so a context is a separate layer 3 domain. It also means that IP addresses must be unique within a VRF, but may overlap between two VRFs.

Bridge Domain

The bridge domain is the layer two domain in ACI. Everything in a BD is layer two adjacent. A bridge domain is a member of a VRF, even if there is no IP configuration on the bridge domain. The BD behaves like a primary private VLAN in a classic switching infrastructure.


The EPG, which stands for End Point Group, is the most important construct in ACI. An EPG is a grouping of servers that are related to each other for policy purposes, and it is always a member of a bridge domain. Generally, to the outside world, an EPG is a combination of interface and encapsulation. Note that EPGs are similar to the secondary VLANs in the private VLAN concept. An EPG can be attached to a distributed virtual switch, a regular vSwitch in VMware, a physical host or containers. As with secondary private VLANs, communication between EPGs is blocked by default.


A subnet is what it says it is, and it is configured under the BD. A bridge domain can have zero or more subnets, but it needs at least one subnet if it is to perform routing for the hosts residing in the BD. There are several types of subnets:

  • Private: These subnets are local to the VRF and will not be advertised outside of the fabric.
  • Public: These subnets are available for advertisement outside of the fabric.
  • Shared: These subnets will be shared between VRFs inside of the fabric.
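The rules above (addresses unique within a VRF, overlap allowed between VRFs, only public subnets advertised outside the fabric) can be checked against an exported design before it is pushed. The following is an added example, not code from the original article or from Cisco; the data layout, names and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample tenant: bridge domain -> (VRF, [(gateway/mask, scope), ...]).
BRIDGE_DOMAINS = {
    "bd-web": ("vrf-prod", [("10.1.1.1/24", "public")]),
    "bd-app": ("vrf-prod", [("10.1.2.1/24", "private")]),
    "bd-db": ("vrf-prod", [("10.1.2.129/25", "private")]),  # overlaps bd-app
    "bd-test": ("vrf-test", [("10.1.1.1/24", "shared")]),   # same range, other VRF
    "bd-l2only": ("vrf-prod", []),                           # no subnet: no routing
}
VALID_SCOPES = {"private", "public", "shared"}

def audit_subnets(bridge_domains):
    """Return (overlaps, advertisable, unrouted) for a tenant's bridge domains."""
    per_vrf = defaultdict(list)
    advertisable, unrouted = [], []
    for bd, (vrf, subnets) in sorted(bridge_domains.items()):
        if not subnets:
            unrouted.append(bd)  # BD stays layer 2 only
        for cidr, scope in subnets:
            if scope not in VALID_SCOPES:
                raise ValueError(f"{bd}: unknown subnet scope {scope!r}")
            # A BD subnet is written as gateway address plus mask; reduce to the network.
            net = ipaddress.ip_interface(cidr).network
            per_vrf[vrf].append((bd, net))
            if scope == "public":
                advertisable.append((bd, str(net)))
    overlaps = []
    for vrf, entries in sorted(per_vrf.items()):
        # Only compare subnets that share a VRF; different VRFs may reuse ranges.
        for (bd_a, net_a), (bd_b, net_b) in combinations(entries, 2):
            if net_a.overlaps(net_b):
                overlaps.append((vrf, bd_a, bd_b))
    return overlaps, advertisable, unrouted

if __name__ == "__main__":
    overlaps, advertisable, unrouted = audit_subnets(BRIDGE_DOMAINS)
    print("overlaps inside a VRF:", overlaps)
    print("advertisable outside the fabric:", advertisable)
    print("bridge domains without routing:", unrouted)
```

The list of public subnets is the one to review against what is meant to be reachable from outside the fabric.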


A contract is the object used to enable communication between two EPGs. In that regard it is like an ACL: whereas EPGs cannot communicate with each other by default, contracts enable certain types of traffic. To allow traffic, a contract needs to be provided by one EPG and consumed by another EPG, and it has to contain a subject and filters.


A filter is a group of rules that define the traffic on which to match. A filter can consist of one or more entries which can be configured to be stateful. This means that the fabric will monitor for the 3-way handshake in TCP sessions to establish correct filtering and session setup.


Subjects are another layer of abstraction available in ACI, and they can be used to build complex contracts. A subject lets you apply the filters and choose whether to apply them in both directions or not.
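How contracts, subjects and filters combine into an allow-list on top of the default block between EPGs is easiest to see by evaluating a few flows. This is an added example, not code from the original article and not how the fabric implements it: it is a simplified model in which a filter entry is reduced to protocol plus destination port, stateful matching is not modelled, and all class, contract and EPG names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    """One filter entry, simplified here to protocol + destination port."""
    proto: str
    dport: int

@dataclass
class Subject:
    filters: list                  # each filter is a list of Entry objects
    both_directions: bool = True   # apply the filters in both directions or not

@dataclass
class Contract:
    name: str
    subjects: list
    provided_by: set = field(default_factory=set)
    consumed_by: set = field(default_factory=set)

def allowed(contracts, src_epg, dst_epg, proto, dport):
    """Return the name of the contract permitting the flow, or None (blocked)."""
    for c in contracts:
        forward = src_epg in c.consumed_by and dst_epg in c.provided_by
        reverse = src_epg in c.provided_by and dst_epg in c.consumed_by
        if not (forward or reverse):
            continue  # contract does not tie these two EPGs together
        for subj in c.subjects:
            if not forward and not subj.both_directions:
                continue  # provider-to-consumer traffic needs a two-way subject
            if any(Entry(proto, dport) in flt for flt in subj.filters):
                return c.name
    return None  # no contract matched: EPG-to-EPG traffic stays blocked

# Constructed sample policy for a three-tier application.
HTTPS = [Entry("tcp", 443)]
SQL = [Entry("tcp", 1433)]
CONTRACTS = [
    Contract("web-to-app", [Subject([HTTPS])],
             provided_by={"app"}, consumed_by={"web"}),
    Contract("app-to-db", [Subject([SQL], both_directions=False)],
             provided_by={"db"}, consumed_by={"app"}),
    Contract("orphan", [Subject([HTTPS])], provided_by={"db"}),  # never consumed
]

if __name__ == "__main__":
    for flow in [("web", "app", "tcp", 443), ("db", "app", "tcp", 1433),
                 ("web", "db", "tcp", 1433), ("web", "db", "tcp", 443)]:
        print(flow, "->", allowed(CONTRACTS, *flow) or "blocked")
```

The `orphan` contract shows why both sides matter: it is provided by `db` but consumed by no EPG, so it permits nothing.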

Application Profile

An EPG is part of an application profile. If you're working in a network-centric environment, the application profile is, in fact, just a container for EPGs. The AP enables you to monitor the health of the various components within the ACI fabric that are part of the application. You can also define specific monitoring policies or QoS policies per application profile. Finally, you can find the differences between a network-centric and an application-centric infrastructure in the last figure:

[Figure: Cisco ACI Tenant]
