Top 100 Most Asked Questions on Cisco ACI Infrastructure (2026 Complete Guide)
Your Ultimate FAQ Resource for Cisco Application Centric Infrastructure — Architecture, APIC, Tenants, EPGs, Multi-Pod, Multi-Site, Troubleshooting, Certification & More.
Quick Summary: Cisco ACI (Application Centric Infrastructure) is Cisco's flagship Software-Defined Networking (SDN) solution for modern data centers. It uses a spine-leaf fabric managed by APIC controllers to deliver policy-based, automated, and secure networking. This article answers the top 100 questions network engineers, architects, and learners ask on Google and ChatGPT — covering basics, design, configuration, troubleshooting, certifications, and career.
Section 1: Cisco ACI Basics & Fundamentals (Q1–Q20)
1. What is Cisco ACI?
Cisco ACI (Application Centric Infrastructure) is a software-defined networking (SDN) solution for data centers that combines hardware (Nexus 9000 spine-leaf switches) and software (APIC controllers) to deliver a policy-driven, automated, and centrally managed fabric. It allows applications to define network requirements rather than the network dictating application behavior.
2. Who developed Cisco ACI and when was it launched?
Cisco developed ACI and launched it in November 2013 as part of its data center transformation strategy, following the acquisition of Insieme Networks.
3. What are the main components of Cisco ACI?
Cisco ACI consists of three main components: the APIC (Application Policy Infrastructure Controller), Spine switches (Nexus 9500/9300 series), and Leaf switches (Nexus 9300 series). Together they form the ACI fabric.
4. What is APIC in Cisco ACI?
APIC is the centralized management, policy, and automation controller of the ACI fabric. It is deployed as a cluster of three or more physical/virtual appliances and uses a distributed database (sharding) for high availability.
5. What is the difference between Spine and Leaf switches in ACI?
Leaf switches are the access layer where endpoints (servers, firewalls, load balancers) connect, and they enforce policy. Spine switches form the backbone, providing high-speed interconnection between leaf switches. Every leaf connects to every spine in a Clos topology.
6. Is Cisco ACI an SDN solution?
Yes, ACI is Cisco's intent-based, policy-driven SDN solution for data centers. Unlike pure overlay SDN, ACI integrates hardware and software for line-rate performance.
7. What protocol does Cisco ACI use in the underlay?
The ACI underlay uses IS-IS as the routing protocol and VXLAN as the data plane encapsulation. The control plane uses COOP (Council of Oracle Protocol) on spines and MP-BGP EVPN for multi-pod/multi-site.
8. What is VXLAN in Cisco ACI?
VXLAN (Virtual Extensible LAN) is the overlay encapsulation used in ACI to extend Layer 2 across a Layer 3 fabric, providing up to 16 million logical networks (VNIs) compared to 4096 VLANs.
9. What is the difference between ACI and traditional networking?
Traditional networking is box-by-box, CLI-driven, and VLAN-centric. ACI is policy-driven, centrally managed via APIC, automated, and uses application-centric constructs (EPGs, contracts) instead of VLANs and ACLs.
10. What is the difference between Cisco ACI and Cisco DNA Center?
ACI is for data center networking, while DNA Center (now Cisco Catalyst Center) is for campus and branch networking (SD-Access). Both are intent-based but target different domains.
11. What hardware is required for Cisco ACI?
You need Cisco Nexus 9000 series switches in ACI mode (spines and leaves) and at least three APIC controllers (physical or virtual).
12. Can Nexus 9000 run in both NX-OS and ACI mode?
Yes. Most Nexus 9000 switches support both standalone NX-OS mode and ACI mode, but the firmware (boot image) must be changed accordingly.
13. What is a Tenant in Cisco ACI?
A Tenant is a logical container for application policies that provides administrative isolation. Common built-in tenants are common, infra, and mgmt. Customer-created tenants hold VRFs, BDs, EPGs, and contracts.
14. What is a VRF in ACI?
A VRF (Virtual Routing and Forwarding) instance defines a unique Layer 3 routing domain within a tenant, equivalent to a private context with its own routing table.
15. What is a Bridge Domain (BD) in ACI?
A Bridge Domain is a Layer 2 forwarding construct within a tenant, representing a broadcast domain similar to a VLAN. It is associated with a VRF and can have one or more subnets.
16. What is an EPG (Endpoint Group)?
An EPG is a logical grouping of endpoints (VMs, bare metal servers, containers) that share the same security and policy requirements. EPGs replace traditional VLAN-based segmentation.
17. What is a Contract in Cisco ACI?
A Contract defines the communication rules between EPGs, specifying what traffic (filters/subjects) is allowed. It works like a stateless ACL but is policy-based and reusable.
18. What is an Application Profile in ACI?
An Application Profile is a logical container that groups EPGs belonging to the same application (e.g., web, app, DB tiers of a 3-tier app).
19. What is the ACI object hierarchy?
The hierarchy is: Tenant → VRF → Bridge Domain → Subnet, and Tenant → Application Profile → EPG → Endpoints, with Contracts binding EPGs.
20. What programming languages and APIs does ACI support?
ACI exposes REST APIs (XML/JSON), Python SDK (Cobra/ACI Toolkit), Ansible modules, Terraform providers, and PowerShell modules.
Section 2: ACI Architecture & Design (Q21–Q40)
21. What is a spine-leaf topology?
A spine-leaf (Clos) topology is a two-tier non-blocking architecture where every leaf switch connects to every spine switch, providing predictable latency and high east-west bandwidth.
22. How many APIC controllers are required?
A minimum of three APICs is required for a production cluster to ensure quorum and high availability. Larger fabrics support 5 or 7 APICs.
23. What is APIC sharding?
Sharding is the technique APIC uses to distribute its database across cluster nodes. Each shard has one leader and two replicas, ensuring redundancy and scale.
24. What is ACI Multi-Pod?
Multi-Pod is an architecture that connects multiple ACI pods (each with its own spine-leaf) under a single APIC cluster using an IPN (Inter-Pod Network), enabling geographic redundancy with a unified policy domain.
25. What is ACI Multi-Site?
Multi-Site is an architecture that connects multiple independent ACI fabrics (each with its own APIC cluster) using the Multi-Site Orchestrator (MSO/Nexus Dashboard Orchestrator) for centralized policy management across sites.
26. Multi-Pod vs Multi-Site — which to choose?
Choose Multi-Pod when sites are close (low-latency, <50 ms RTT) and need a single fabric. Choose Multi-Site for true site isolation, fault containment, and disaster recovery across regions.
27. What is IPN (Inter-Pod Network)?
The IPN is the Layer 3 backbone connecting ACI pods. It must support OSPF, DHCP relay, multicast (PIM Bidir), and a minimum MTU of 9150 bytes.
28. What is ISN (Inter-Site Network)?
The ISN is the Layer 3 network connecting ACI sites in a Multi-Site deployment. It uses MP-BGP EVPN for control plane and VXLAN for data plane.
29. What is Cisco Nexus Dashboard?
Nexus Dashboard is Cisco's unified data center operations platform that hosts services like Nexus Dashboard Orchestrator (NDO), Insights (NDI), and Fabric Controller (NDFC).
30. What is Nexus Dashboard Orchestrator (NDO)?
NDO (formerly MSO) is the centralized orchestrator for ACI Multi-Site, allowing schemas, templates, and policies to be deployed consistently across multiple ACI fabrics.
31. What is Cisco ACI Remote Leaf?
A Remote Leaf is an ACI leaf switch deployed in a remote location (e.g., colocation or branch DC) that connects back to the main fabric over an IP network, extending ACI policy to remote sites without a full pod.
32. What is Cisco Mini ACI?
Mini ACI is a smaller-scale ACI deployment using one physical APIC and two virtual APICs, designed for small data centers or edge use cases.
33. What is Cisco Cloud ACI?
Cloud ACI extends ACI policies into public clouds (AWS, Azure, GCP) using cloud APICs, enabling consistent policy across on-prem and multi-cloud environments.
34. What is the maximum number of leaf switches per fabric?
A single ACI fabric supports up to 400 leaf switches (varies by APIC scale and software version). With Multi-Site, total scale grows significantly.
35. What is the role of TEP (Tunnel Endpoint) in ACI?
TEPs are IP addresses assigned to leaf and spine switches used to encapsulate/decapsulate VXLAN traffic across the fabric.
36. What is the infra tenant?
The infra tenant contains the underlying fabric infrastructure policies (TEP pool, VLAN pool for fabric, multicast configurations) and is reserved for system use.
37. What is the common tenant?
The common tenant hosts policies (BDs, contracts, L3Outs) that can be shared across multiple user tenants.
38. What is L3Out in ACI?
L3Out (Layer 3 Outside) is the construct used to connect the ACI fabric to external Layer 3 networks (WAN, internet, legacy DC) using protocols like OSPF, BGP, or static routes.
39. What is L2Out in ACI?
L2Out extends a bridge domain externally at Layer 2 to a non-ACI network, useful for migrations from legacy infrastructure.
40. What is microsegmentation in ACI?
Microsegmentation in ACI uses uSeg EPGs to dynamically classify endpoints based on attributes (VM name, IP, MAC, tags) into security groups, enforcing zero-trust policies.
Section 3: ACI Configuration & Operations (Q41–Q60)
41. How do you initially set up an ACI fabric?
You bring up APICs via console, run the setup wizard (fabric name, TEP pool, VLAN ID, BD multicast), then register leaf and spine nodes from the APIC GUI under Fabric > Inventory > Fabric Membership.
42. What is fabric discovery in ACI?
Fabric discovery is the automatic process where APIC discovers and registers spine/leaf switches via LLDP and DHCP, assigning TEP IPs and pushing the fabric image.
43. How do you add a new leaf to ACI?
Connect the new leaf to spines, ensure it's in ACI mode, and approve it under Fabric Membership in the APIC. The fabric handles the rest automatically.
44. What are Access Policies in ACI?
Access Policies define the physical configuration of leaf interfaces — switch profiles, interface profiles, interface policy groups, VLAN pools, AAEPs, and physical/VMM domains.
45. What is an AAEP (Attachable Access Entity Profile)?
AAEP is the glue object that ties physical/VMM domains to interface policy groups, defining what VLANs/EPGs can be deployed on a given interface.
46. What is a VMM Domain?
A VMM (Virtual Machine Manager) Domain is the integration between ACI and hypervisors (VMware vCenter, Microsoft SCVMM, OpenStack, Kubernetes) to dynamically create port groups and policies.
47. How does ACI integrate with VMware vSphere?
ACI integrates with vCenter via VMM Domain integration, automatically creating distributed virtual switches (DVS or AVE) and port groups corresponding to EPGs.
48. What is Cisco AVS and AVE?
AVS (Application Virtual Switch) was Cisco's earlier virtual switch for ACI. It has been replaced by AVE (ACI Virtual Edge), which provides advanced features like microsegmentation in software.
49. How do you configure a contract in ACI?
Create filters (e.g., HTTP, HTTPS), add them to subjects, define a contract, then apply the contract as provided on one EPG and consumed on another.
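As an added example (not code from the original article), the Python below builds the JSON objects those four steps create, in the form the APIC REST API accepts; the tenant, application profile, EPG, filter and port values are constructed samples.

```python
import json

# Added example (not from the original article): builds the JSON the APIC
# REST API expects for the four contract steps. The tenant, application
# profile, EPG, filter and port values used below are constructed samples.

def build_filter(name, proto, port):
    # One vzFilter holding a single vzEntry that matches <proto>/<port>.
    # stateful="yes" makes the leaf drop TCP return traffic that is not a
    # reply to an established session, tightening the rule further.
    entry = {"vzEntry": {"attributes": {
        "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
        "dFromPort": str(port), "dToPort": str(port), "stateful": "yes"}}}
    return {"vzFilter": {"attributes": {"name": name}, "children": [entry]}}

def build_contract(name, filter_names, scope="context"):
    # vzBrCP -> vzSubj -> one vzRsSubjFiltAtt per filter. scope="context"
    # confines the contract to EPGs in one VRF; "tenant" or "global" widens
    # its reach, so raise it only for policies that really are shared.
    subject = {"vzSubj": {
        "attributes": {"name": f"{name}-subj", "revFltPorts": "yes"},
        "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                     for f in filter_names]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [subject]}}

def bind_epg(epg, contract_name, role):
    # The serving EPG provides (fvRsProv); the client EPG consumes (fvRsCons).
    rel = {"provider": "fvRsProv", "consumer": "fvRsCons"}[role]
    return {"fvAEPg": {"attributes": {"name": epg}, "children": [
        {rel: {"attributes": {"tnVzBrCPName": contract_name}}}]}}

def tenant_payload(tenant, ap, provider, consumer, contract, filters):
    # Everything goes in one fvTenant object POSTed to
    # https://apic/api/mo/uni/tn-<tenant>.json; the APIC merges it into
    # existing objects, so the EPGs only need to exist already.
    cname = contract["vzBrCP"]["attributes"]["name"]
    app = {"fvAp": {"attributes": {"name": ap}, "children": [
        bind_epg(provider, cname, "provider"), bind_epg(consumer, cname, "consumer")]}}
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": list(filters) + [contract, app]}}

def contract_dn(tenant, name):
    # DN to GET afterwards and confirm the contract was created.
    return f"uni/tn-{tenant}/brc-{name}"

if __name__ == "__main__":
    # web-epg serves HTTPS; app-epg is allowed to open connections to it.
    https = build_filter("https-filter", "tcp", 443)
    contract = build_contract("web-contract", ["https-filter"])
    payload = tenant_payload("Tenant1", "web-app", "web-epg", "app-epg", contract, [https])
    print(json.dumps(payload, indent=2))
```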
50. What is a vzAny contract?
vzAny is a special construct that represents all EPGs within a VRF, allowing a contract to apply to every EPG, simplifying policy at scale.
51. What is a Taboo Contract?
A Taboo Contract explicitly denies specific traffic, overriding allowed contracts. Note: Cisco recommends using regular contracts with deny actions instead of taboos in modern ACI.
52. What is preferred group in ACI?
Preferred Group allows EPGs within a VRF to communicate freely without contracts, useful during migrations or simpler deployments.
53. How does ACI handle multicast?
ACI uses head-end replication or PIM-based multicast in the fabric. For tenant multicast, PIM/IGMP can be enabled per BD/VRF and integrated with external rendezvous points.
54. How do you back up APIC configuration?
Use the Configuration Export policy under Admin > Import/Export. Backups can be scheduled, encrypted, and pushed to remote SCP/SFTP servers.
55. How do you upgrade Cisco ACI?
Upgrades are performed via the APIC GUI: upload images for APIC and switches, upgrade APIC cluster first, then upgrade switches in maintenance groups.
56. What is Cisco ACI firmware management?
Firmware management in ACI is centralized in APIC and supports image repositories, maintenance groups, and orchestrated upgrades for the entire fabric.
57. How is RBAC implemented in ACI?
ACI supports role-based access control with built-in roles (admin, read-only, tenant-admin) and custom roles, integrated with TACACS+, RADIUS, LDAP, and SAML.
58. How does ACI integrate with firewalls and load balancers?
Through Service Graphs and PBR (Policy-Based Redirect), ACI inserts L4-L7 services (Cisco ASA/FTD, F5, Citrix, Palo Alto) into traffic flows between EPGs.
59. What is a Service Graph in ACI?
A Service Graph is a logical representation of how traffic flows through service devices (firewall, load balancer) between EPGs, enabling automated insertion and chaining.
60. What is PBR (Policy-Based Redirect) in ACI?
PBR redirects traffic between EPGs through a service node (firewall/LB) based on contract policy, without requiring routing changes.
Section 4: ACI Troubleshooting (Q61–Q75)
61. How do you troubleshoot endpoint connectivity in ACI?
Use Endpoint Tracker in APIC, verify EPG/BD configuration, check contracts, and use the Visibility & Troubleshooting tool to trace flows between endpoints.
62. What is the COOP database?
COOP (Council of Oracle Protocol) is the control plane that maintains a global endpoint database on spines. Use show coop internal info ip-db to verify endpoints.
63. How do you check fabric health in APIC?
Check the Fabric Dashboard, system health score, faults panel, and run show controller and acidiag fnvread from APIC CLI.
64. What is acidiag command?
acidiag is a powerful APIC CLI utility for cluster diagnostics, including acidiag fnvread (fabric nodes), acidiag avread (APIC cluster), and acidiag rebuild.
65. How do you troubleshoot APIC cluster issues?
Use acidiag avread to check cluster state, ensure all APICs are fully fit, verify connectivity between APICs, and check for shard leader/replica health.
66. What are common ACI faults?
Common faults include F0467 (EPG deployment), F1394 (port down), F0103 (interface errors), F606391 (SSL certificate), and F1298 (fabric link issues). Each has a unique fault code documented by Cisco.
67. How do you capture packets in ACI?
Use SPAN (local, remote, or ERSPAN), ELAM (Embedded Logic Analyzer Module) on switches, and tcpdump on APIC for control plane captures.
68. What is ELAM in ACI?
ELAM is a hardware-level packet capture tool on Nexus 9000 switches used to inspect packet forwarding decisions at the ASIC level — invaluable for deep troubleshooting.
69. How do you troubleshoot contract issues?
Verify scope (VRF, tenant, global), check that filters match traffic, use the Contracts dashboard to see drops, and use Tetration/Secure Workload or visibility tools.
70. How do you check leaf-to-spine connectivity?
Run show fabric link, show isis adjacency, and show interface on switches; verify in APIC under Fabric > Inventory > Topology.
71. What is Nexus Dashboard Insights (NDI)?
NDI is Cisco's day-2 operations and assurance tool that provides telemetry, anomaly detection, compliance checks, and predictive analytics for ACI and NX-OS fabrics.
72. How do you troubleshoot L3Out issues?
Verify routing protocol adjacency (OSPF/BGP), check the L3Out logical/physical config, route-maps, contracts on the External EPG, and ensure subnets are advertised correctly.
73. Why is endpoint flapping happening in ACI?
Common causes: duplicate IP/MAC, server NIC teaming misconfiguration, vMotion across BDs, or BD without proper unicast routing/L2 unknown unicast settings.
74. How do you reset an ACI fabric?
Use acidiag touch clean followed by acidiag reboot on each APIC, and setup-clean-config.sh + reload on switches. Caution: this wipes everything.
75. How do you decommission a node in ACI?
Go to Fabric > Inventory > Unreachable Nodes (or Membership), right-click the node, and select Decommission. Then physically remove and clean the switch with setup-clean-config.sh.
Section 5: Automation, Security & Integration (Q76–Q90)
76. How do you automate ACI with Ansible?
Cisco provides the cisco.aci Ansible collection with hundreds of modules to manage tenants, EPGs, BDs, contracts, and policies declaratively via YAML playbooks.
77. Can Terraform manage Cisco ACI?
Yes. Cisco maintains an official Terraform provider (CiscoDevNet/aci) supporting full lifecycle management of ACI objects as Infrastructure-as-Code.
78. What is the ACI REST API?
ACI's REST API exposes every object via URLs like https://apic/api/mo/uni/tn-Tenant1.json, supporting GET, POST, DELETE with XML or JSON payloads.
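The following added Python (not from the article, and not Cisco's Cobra SDK) is a minimal standard-library client for that API: it logs in to /api/aaaLogin.json, builds /api/mo and /api/class URLs with query options, surfaces APIC error objects that arrive inside an otherwise normal reply, and summarises faultInst objects by code as a day-2 check for fault codes like those listed in Q66. The APIC hostname, credentials and sample replies are constructed.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode

# Added example (not from the article or Cisco's Cobra SDK): a minimal
# standard-library APIC REST client plus a fault summary. The APIC URL,
# credentials and the SAMPLE_* replies are constructed; real replies use
# the same {"totalCount": "N", "imdata": [...]} envelope.

class ApicError(RuntimeError):
    """Raised when the APIC returns an error object inside imdata."""

def parse_imdata(body):
    # Failures come back as {"error": {"attributes": {"code": .., "text": ..}}}
    # inside a normal envelope, so never trust the HTTP status alone.
    objs = json.loads(body).get("imdata", [])
    for obj in objs:
        if "error" in obj:
            attrs = obj["error"]["attributes"]
            raise ApicError(f"APIC error {attrs.get('code')}: {attrs.get('text')}")
    return objs

def api_url(apic, kind, name, **opts):
    # kind is "mo" (one DN) or "class"; option names use hyphens (query-target, ...).
    q = urlencode({k.replace("_", "-"): v for k, v in opts.items()})
    return f"{apic}/api/{kind}/{name}.json" + (f"?{q}" if q else "")

class ApicSession:
    """Logs in once, then sends the APIC-cookie token with each request."""

    def __init__(self, apic, ca_bundle=None):
        self.apic, self.token = apic.rstrip("/"), None
        # Verify the APIC certificate against a trusted CA; never turn this off.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _send(self, url, data=None):
        req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("Cookie", f"APIC-cookie={self.token}")
        with urllib.request.urlopen(req, timeout=30, context=self.ctx) as resp:
            return parse_imdata(resp.read())

    def login(self, user, pwd):
        body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})
        objs = self._send(f"{self.apic}/api/aaaLogin.json", body.encode())
        self.token = objs[0]["aaaLogin"]["attributes"]["token"]

    def get(self, kind, name, **opts):
        return self._send(api_url(self.apic, kind, name, **opts))

    def post(self, dn, payload):
        return self._send(api_url(self.apic, "mo", dn), json.dumps(payload).encode())

def count_faults(objs):
    # Summarise faultInst objects by (severity, code), e.g. {("major", "F0467"): 2}.
    counts = {}
    for obj in objs:
        a = obj["faultInst"]["attributes"]
        key = (a["severity"], a["code"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample replies in the APIC envelope (not captured from a device).
SAMPLE_FAULT_REPLY = json.dumps({"totalCount": "3", "imdata": [
    {"faultInst": {"attributes": {"code": "F0467", "severity": "major"}}},
    {"faultInst": {"attributes": {"code": "F1394", "severity": "minor"}}},
    {"faultInst": {"attributes": {"code": "F0467", "severity": "major"}}}]})
SAMPLE_ERROR_REPLY = json.dumps({"imdata": [{"error": {"attributes": {"code": "400", "text": "Invalid DN"}}}]})
```

Against a real controller the sequence is s = ApicSession("https://apic.example.net", ca_bundle="apic-ca.pem"); s.login(user, pwd); count_faults(s.get("class", "faultInst", query_target_filter='eq(faultInst.severity,"critical")')), with the hostname and CA bundle path being placeholders.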
79. What is the Cobra SDK?
Cobra SDK is Cisco's Python SDK for ACI, providing a complete object model for programmatic configuration and automation.
80. How does ACI integrate with Kubernetes?
Through the ACI CNI plugin, Kubernetes pods become first-class endpoints in ACI, with policies enforced via EPGs and contracts. Integrations exist for vanilla K8s, OpenShift, and Rancher.
81. How does ACI integrate with OpenStack?
The ACI ML2 plugin for OpenStack Neutron maps tenants, networks, and security groups to ACI EPGs and contracts automatically.
82. What security features does ACI provide?
ACI provides a whitelist (deny-by-default) policy model, microsegmentation, contracts, FVS endpoint security, integration with Cisco Secure Workload (Tetration), and L4-L7 service insertion.
83. What is Cisco Secure Workload (Tetration) integration with ACI?
Secure Workload provides application dependency mapping and policy recommendations that can be enforced through ACI contracts, delivering zero-trust microsegmentation.
84. How does ACI handle QoS?
ACI supports six user-defined QoS classes plus three reserved classes, with DSCP marking, queueing, and CoS preservation across the fabric.
85. Does ACI support IPv6?
Yes. ACI fully supports IPv6 for tenant traffic (BD subnets, L3Out, EPGs), and the underlay/management can also operate with IPv6 in newer releases.
86. What is ACI Anywhere?
ACI Anywhere is Cisco's vision of extending ACI policy across on-prem data centers, remote locations (Remote Leaf), and public clouds (Cloud ACI) under unified orchestration.
87. Can ACI work with non-Cisco switches?
The ACI fabric itself requires Cisco Nexus 9000 switches, but it interconnects with any vendor's network at the edges via L3Out, L2Out, and standard protocols (BGP, OSPF, VXLAN EVPN).
88. How does ACI integrate with SD-WAN?
ACI integrates with Cisco SD-WAN (Catalyst SD-WAN/Viptela) using SDA-Transit and APIs to extend application-aware policies from data center to branch.
89. What is Day-0, Day-1, Day-2 in ACI?
Day-0 is initial fabric bring-up, Day-1 is policy and tenant configuration, and Day-2 is ongoing operations, monitoring, and optimization (typically using Nexus Dashboard Insights).
90. How does ACI support DevOps?
Through APIs, SDKs, Ansible, Terraform, Git-based pipelines, and CI/CD integration, ACI enables network-as-code and self-service consumption by application teams.
Section 6: Career, Certification & Future (Q91–Q100)
91. Which Cisco certification covers ACI?
The CCNP Data Center (300-620 DCACI) and CCIE Data Center certifications cover ACI in depth. The DCACI exam is dedicated to ACI implementation.
92. What is the DCACI exam?
DCACI (300-620) — Implementing Cisco Application Centric Infrastructure — is a CCNP Data Center concentration exam covering ACI fabric, policy, integration, and management.
93. How long does it take to learn Cisco ACI?
With prior CCNP-level networking knowledge, you can grasp ACI fundamentals in 4–6 weeks and gain hands-on proficiency in 3–6 months with lab practice.
94. Is Cisco ACI in demand in 2026?
Yes. ACI remains widely deployed in enterprise and service provider data centers globally, and skilled ACI engineers continue to be in strong demand, especially for migrations, automation, and multi-cloud projects.
95. What is the average salary of an ACI engineer?
In the US, ACI engineers earn between $110,000 and $180,000 annually depending on experience; in India, salaries range from ₹10–35 LPA. Senior ACI/CCIE-DC professionals command premium rates.
96. How do I practice ACI without hardware?
Use Cisco dCloud, Cisco Modeling Labs (CML), ACI Simulator (Sandbox), or DevNet learning labs — all provide hands-on ACI practice without physical gear.
97. What is the future of Cisco ACI?
Cisco continues to invest in ACI through Nexus Dashboard, Cloud ACI, AI-driven assurance (NDI), and tighter integration with Kubernetes and multi-cloud. ACI is also evolving alongside Cisco's broader Nexus Hyperfabric and AI fabric strategies.
98. Is Cisco ACI being replaced by VXLAN EVPN?
No, but VXLAN EVPN (in NX-OS standalone mode, often managed by NDFC) is a popular alternative for customers who want open standards without ACI's policy model. Cisco supports both and lets customers choose based on requirements.
99. ACI vs NSX — which is better?
ACI is hardware-integrated, policy-driven, and ideal for physical + virtual workloads. VMware NSX is a software-only overlay strong in pure virtualized/multi-hypervisor environments. The choice depends on the existing ecosystem, scale, and operations model.
100. What are the best resources to learn Cisco ACI?
Top resources include Cisco DevNet, Cisco Live sessions on YouTube, Cisco ACI design guides (cisco.com), CCIE Data Center workbooks (INE, CBT Nuggets, Orhan Ergun), and the official book "Deploying ACI" by Frank Dagenhardt, Jose Moreno, and Bill Dufresne.
Final Thoughts
Cisco ACI continues to be a cornerstone of enterprise data center networking in 2026. Whether you're a beginner exploring SDN concepts, a network engineer preparing for the DCACI or CCIE Data Center exam, or an architect designing multi-site fabrics, mastering these 100 questions will give you a solid foundation. The shift from box-by-box CLI to policy-driven, intent-based, automated networking is here to stay — and ACI remains one of the most mature platforms enabling that transformation.
Pair your ACI knowledge with skills in Ansible, Terraform, Python, Kubernetes, and Nexus Dashboard, and you'll be future-ready for any modern data center role.
💡 Pro Tip: Bookmark this page and revisit before interviews or lab sessions. If you found this helpful, share it with your networking team — and let us know in the comments which ACI topic you'd like covered next!
📘 Published: 2026 | Author: ThenetworkDNA | Topic: Cisco ACI Infrastructure FAQ