In a recent engagement on a Cisco Business-Critical Services (BCS) project, I encountered a fascinating scenario that underscored the importance of understanding ACI tenants.
The client, operating in a non-service-provider environment, had created a stunning 900+ tenants within their ACI fabric. This excessive number hinted at a misunderstanding of the purpose and function of ACI tenants.
In this article, we will explore what ACI tenants are and their role within the ACI fabric.
What is a Tenant in ACI?
An ACI tenant is a set of configurations owned by a specific entity, which allows the management of those configurations to be kept separate from that of other tenants. Entities can be customers, departments, organizations, etc.
- Tenants separate management and data-processing functions inside ACI.
- An ACI Tenant is a policy container analogous to a Sub-Org in Cisco UCS.
- Tenants provide a data-plane isolation function using VRF instances (contexts) and bridge domains (BDs).
- Resources such as L2 and L3 connections into and out of the fabric can be assigned to individual tenants, as can access to and control of L4-7 services.
- The tenant object class in ACI is fvTenant.
- The ACI tenant is abstracted from the ACI hardware infrastructure (see the figure below).

What are the Tenant’s Main Components?
The Tenant contains the following components, which we consider tenant policies or logical policies:

Note: The figure above shows the relationships between the ACI components. For example, the EPG-to-Contract relationship is N-to-N, meaning a given EPG can have multiple contracts, and a given Contract can be used in multiple EPGs.
Virtual Routing and Forwarding (VRF)
- Same concept as in regular NX-OS and IOS.
- By default, there is no communication between VRFs.
- Used to define a routing domain with its own IP address space. IP space may overlap between VRFs, but not within the same VRF.
- We either create a new custom VRF in the tenant or refer to a VRF from the common tenant.
- In ACI, each VRF has a unique VXLAN VNID value that we call the Segment ID. It is a fabric-wide numerical representation of the VRF and is important for L3 forwarding.
- The VRF object class in ACI is fvCtx.
Bridge Domains (BDs)
- It is NOT a VLAN; it is simply a layer-2 boundary and a container for IP subnets.
- Used to define an L2 boundary (flooding domain) and impose additional constraints (such as no broadcast) within that L2 boundary.
- Each bridge domain must be linked to exactly one VRF.
- An EPG can be a member of only a single BD.
- A Bridge Domain (BD) can span across switch nodes, pods, or even sites.
- MAC addresses must be unique within a bridge domain; otherwise, ACI treats the duplicate as a MAC move (flapping).
- In ACI, each BD has a unique VXLAN VNID value, which is a fabric-wide numerical representation of the BD and is important for L2 forwarding.
- The BD object class in ACI is fvBD.
Application Profiles (AP)
- It is a container (Folder) for multiple EPGs. We use it to include all application-related configurations.
- Each AP represents a customer application where we define a group of EPGs and their contracts (policies).
- The AP object class in ACI is fvAp.
Endpoint Groups (EPG)
- It is a logical entity that contains a collection of endpoints with common policy requirements (treatment).
- The ACI fabric uses encapsulation VLANs (802.1Q tags) to classify traffic into EPGs. An EPG is most commonly determined by the ingress VLAN ID and the switch port ID.
- Endpoints in different EPGs cannot communicate with each other by default; communication between EPGs requires a contract.
- The EPG object class in ACI is fvAEPg.
IP Subnets
- In ACI, a subnet is the distributed anycast layer-3 gateway, i.e., the anycast default gateway for your servers (pervasive gateway).
- Subnets automatically create SVIs on the leaf nodes where endpoints appear.
- Each subnet is a child of one bridge domain; a BD, however, may have more than one subnet. (DHCP relay only works on the primary subnet.)
- Subnets must have unique IP addresses within their context (VRF).
- Subnets can span multiple EPGs.
- The Subnet object class in ACI is fvSubnet.
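The relationships described above (a BD references exactly one VRF, resolved in the local tenant or in common; an EPG belongs to exactly one BD; subnets may overlap across VRFs but not within one) can be checked mechanically. The following is an added example, not code from the original article or from Cisco: it builds a constructed tenant in the APIC JSON object-tree shape (class name, attributes, children, with fvRsCtx and fvRsBd as the name-based relations) and validates those rules. The tenant, VRF, BD, subnet and EPG names are invented for the sample.

```python
"""Build a tenant as APIC-style managed-object JSON and validate its relationships."""
import ipaddress
import json


def mo(cls, children=None, **attrs):
    """One APIC managed object: {"<class>": {"attributes": {...}, "children": [...]}}."""
    node = {"attributes": attrs}
    if children:
        node["children"] = children
    return {cls: node}


def unwrap(node):
    """Split a managed object into (class name, body)."""
    (cls, body), = node.items()
    return cls, body


def kids(body, cls):
    """Yield the bodies of the children of `body` that belong to class `cls`."""
    for child in body.get("children", []):
        child_cls, child_body = unwrap(child)
        if child_cls == cls:
            yield child_body


# Constructed sample (not a real fabric): 'common' offers a shared VRF, and 'Dev'
# references VRFs and BDs by name through the relation objects fvRsCtx / fvRsBd.
COMMON = mo("fvTenant", name="common", children=[mo("fvCtx", name="shared-vrf")])

DEV = mo("fvTenant", name="Dev", children=[
    mo("fvCtx", name="dev-vrf"),
    mo("fvBD", name="web-bd", children=[
        mo("fvRsCtx", tnFvCtxName="dev-vrf"),
        mo("fvSubnet", ip="10.1.1.1/24", scope="private")]),
    mo("fvBD", name="legacy-bd", children=[
        mo("fvRsCtx", tnFvCtxName="shared-vrf"),              # resolves in the common tenant
        mo("fvSubnet", ip="10.1.1.1/24", scope="private")]),  # same prefix, other VRF: allowed
    mo("fvBD", name="db-bd", children=[
        mo("fvRsCtx", tnFvCtxName="dev-vrf"),
        mo("fvSubnet", ip="10.1.1.129/25", scope="private")]),  # overlaps web-bd inside dev-vrf
    mo("fvAp", name="shop", children=[
        mo("fvAEPg", name="web", children=[mo("fvRsBd", tnFvBDName="web-bd")]),
        mo("fvAEPg", name="orphan")]),                        # no BD: endpoints cannot be placed
])


def validate_tenant(tenant, common=None):
    """Return a list of violations of the tenant-model rules; an empty list means clean."""
    problems = []
    _, t = unwrap(tenant)
    tname = t["attributes"]["name"]
    local_vrfs = {v["attributes"]["name"] for v in kids(t, "fvCtx")}
    common_vrfs = set()
    if common is not None:
        _, c = unwrap(common)
        common_vrfs = {v["attributes"]["name"] for v in kids(c, "fvCtx")}
    known_bds = set()
    vrf_subnets = {}  # (owning tenant, VRF name) -> [(BD name, network)]
    for bd in kids(t, "fvBD"):
        name = bd["attributes"]["name"]
        known_bds.add(name)
        refs = [r["attributes"]["tnFvCtxName"] for r in kids(bd, "fvRsCtx")]
        if len(refs) != 1:
            problems.append(f"BD {name}: must reference exactly one VRF, found {len(refs)}")
            continue
        # Name-based relations resolve in the local tenant first, then in common.
        if refs[0] in local_vrfs:
            vrf = (tname, refs[0])
        elif refs[0] in common_vrfs:
            vrf = ("common", refs[0])
        else:
            problems.append(f"BD {name}: VRF {refs[0]} found in neither {tname} nor common")
            continue
        for sn in kids(bd, "fvSubnet"):
            net = ipaddress.ip_interface(sn["attributes"]["ip"]).network
            for other_bd, other in vrf_subnets.get(vrf, []):
                if net.overlaps(other):
                    problems.append(f"BD {name}: subnet {net} overlaps {other} of BD {other_bd} "
                                    f"in the same VRF {vrf[1]}")
            vrf_subnets.setdefault(vrf, []).append((name, net))
    for ap in kids(t, "fvAp"):
        for epg in kids(ap, "fvAEPg"):
            ename = f'{ap["attributes"]["name"]}/{epg["attributes"]["name"]}'
            bds = [r["attributes"]["tnFvBDName"] for r in kids(epg, "fvRsBd")]
            if len(bds) != 1 or bds[0] not in known_bds:
                problems.append(f"EPG {ename}: must belong to exactly one existing BD, found {bds}")
    return problems


if __name__ == "__main__":
    print(json.dumps(COMMON))
    for p in validate_tenant(DEV, COMMON):
        print("PROBLEM:", p)
```

Run as a script, it prints two problems for the Dev tenant (the overlapping db-bd subnet and the EPG with no bridge domain); validating Dev without passing the common tenant adds a third, because shared-vrf can no longer be resolved.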
Contracts, Subjects, & Filters
- A contract is a policy definition that defines how an EPG communicates with other EPGs.
- Contracts [vzBrCP] are groups of subjects that define communication between source and destination EPGs.
- Subjects [vzSubj] build the definition of a contract (the ACL) for communication between EPGs; a subject contains filters, actions, and optional labels.
- Filters [vzFilter] identify the traffic a subject acts on (e.g., TCP destination port 80).
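The contract model is a whitelist: without a contract between two EPGs nothing passes, and with one only the filter entries attached to a subject pass. The following added example (not code from the article or from Cisco) models EPGs, contracts, subjects and filters with the same roles as vzBrCP, vzSubj, vzFilter and the fvRsProv/fvRsCons relations, and answers "may an endpoint in EPG A open this connection to EPG B?". The EPG, contract and filter names are constructed for the sample; the model evaluates entries in the consumer-to-provider direction only and does not simulate the subject's reverse-filter-ports option for return traffic.

```python
"""Model EPG-to-EPG reachability from contracts, subjects and filters (default deny)."""

# Constructed sample. A filter (vzFilter) is a list of entries (vzEntry):
# (IP protocol, destination port); None means any port.
FILTERS = {
    "http":  [("tcp", 80), ("tcp", 443)],
    "mysql": [("tcp", 3306)],
    "icmp":  [("icmp", None)],
}

# A contract (vzBrCP) is a list of subjects (vzSubj); each subject attaches
# filters by name (vzRsSubjFiltAtt). Entries are evaluated consumer -> provider.
CONTRACTS = {
    "web-to-app": [["http", "icmp"]],
    "app-to-db":  [["mysql"]],
}

# EPGs (fvAEPg) provide (fvRsProv) and consume (fvRsCons) contracts. The same
# contract may be attached to many EPGs and an EPG may attach many contracts.
EPGS = {
    "web": {"prov": [],             "cons": ["web-to-app"]},
    "app": {"prov": ["web-to-app"], "cons": ["app-to-db"]},
    "db":  {"prov": ["app-to-db"],  "cons": []},
}


def matching_contracts(src, dst):
    """Contracts that src consumes and dst provides, i.e. that let src reach dst."""
    return [c for c in EPGS[src]["cons"] if c in EPGS[dst]["prov"]]


def is_permitted(src, dst, proto, dport):
    """True if a new flow from an endpoint in src to one in dst is allowed.

    Traffic inside one EPG is permitted by default. Between EPGs it is dropped
    unless a contract consumed by src and provided by dst carries a subject whose
    filter has an entry matching the protocol and destination port.
    """
    if src == dst:
        return True
    for contract in matching_contracts(src, dst):
        for subject in CONTRACTS[contract]:
            for fname in subject:
                for fproto, fport in FILTERS[fname]:
                    if fproto == proto and fport in (None, dport):
                        return True
    return False


def allowed_pairs():
    """Every ordered (consumer, provider) pair that shares at least one contract."""
    return {(s, d) for s in EPGS for d in EPGS if s != d and matching_contracts(s, d)}


if __name__ == "__main__":
    checks = [("web", "app", "tcp", 80), ("web", "db", "tcp", 3306),
              ("app", "db", "tcp", 3306), ("web", "app", "tcp", 22)]
    for src, dst, proto, port in checks:
        verdict = "permit" if is_permitted(src, dst, proto, port) else "deny"
        print(f"{src} -> {dst} {proto}/{port}: {verdict}")
    print("contracted pairs:", sorted(allowed_pairs()))
```

Note that web cannot reach db on 3306 even though both tiers have contracts: the contracts are attached to different provider/consumer pairs, so the default deny between web and db stands.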
Layer-3 Outside (L3Out)
- An L3Out is simply a collection of policies configuring interfaces, IP addresses, routing protocols, etc., for connectivity to L3 devices outside the ACI fabric.
- An L3Out connection is always associated with a VRF, and each L3Out is associated with one VRF instance only.
- Leaf switches associated with an L3Out are called border leafs (BLs).
- The L3Out object class in ACI is l3extOut.
Cisco Default ACI Tenants
Cisco ACI provides three default tenants that users cannot delete: the common, infra, and mgmt tenants. Let’s talk about them one by one.

infra tenant
- The infrastructure tenant is used for all internal fabric communications, such as tunnels and policy deployment, including switch-to-switch (leaf, spine, and Application Virtual Edge (AVE)) and switch-to-APIC communication.
- The infra tenant is not exposed to the user space (tenants), and it has its own VRF and bridge domains.
- Fabric discovery, image management, and DHCP for fabric functions are all handled within this tenant.
mgmt tenant
- The management tenant provides a convenient means to configure access policies for fabric nodes.
- Although fabric nodes are accessible and configurable through the APIC, they can also be accessed directly using in-band and out-of-band connections.
- It is also used for connectivity to other management systems such as Syslog, SNMP, AAA, etc.
common tenant
- A special tenant with the purpose of providing “common” services to other tenants in the ACI fabric.
- Global reuse is a core principle in the common tenant.
- Here are some examples of common services:
  - Shared L3Out.
  - Private networks (VRFs).
  - Bridge domains (BDs).
  - Application services such as DNS, DHCP, and Active Directory.
  - L4-7 services.
How to Export and Import ACI Tenant Configuration
To export the ACI tenant configuration, navigate to the Tenant page and follow the steps below:

To import the ACI tenant configuration, first create a new tenant with the same name as the exported tenant. Then navigate to the new tenant's page and follow the steps below:

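Once tenant configurations have been exported, the files are also a convenient basis for the kind of audit the 900+-tenant fabric above called for. The following added example (not code from the article or from Cisco) assumes each export is the tenant's object tree in JSON, either as a bare fvTenant object or wrapped in the imdata array that the APIC REST API returns; it counts the main object classes per tenant and flags tenants that contain no EPG at all, which carry no workloads and deserve a review. The three sample exports are constructed for the example.

```python
"""Inventory a set of exported tenant files and flag tenants that look unused."""
import json

# Object classes worth counting in a tenant subtree.
COUNTED = ("fvCtx", "fvBD", "fvAp", "fvAEPg", "vzBrCP", "l3extOut")


def count_classes(node, counts=None):
    """Recursively count managed-object classes in an APIC JSON subtree."""
    counts = {} if counts is None else counts
    for cls, body in node.items():
        counts[cls] = counts.get(cls, 0) + 1
        for child in body.get("children", []):
            count_classes(child, counts)
    return counts


def load_tenant(text):
    """Return the fvTenant node from an export, accepting a bare fvTenant or the
    imdata wrapper (assumption: the export is the tenant's object tree in JSON)."""
    data = json.loads(text)
    if "imdata" in data:
        data = data["imdata"][0]
    if "fvTenant" not in data:
        raise ValueError("export does not contain an fvTenant object")
    return data


def inventory(exports):
    """Map tenant name -> counts of the classes in COUNTED, from {file name: JSON text}."""
    result = {}
    for _fname, text in exports.items():
        tenant = load_tenant(text)
        name = tenant["fvTenant"]["attributes"]["name"]
        counts = count_classes(tenant)
        result[name] = {cls: counts.get(cls, 0) for cls in COUNTED}
    return result


def underused(inv):
    """Tenants with no EPG at all: they place no endpoints and are candidates for cleanup."""
    return sorted(name for name, c in inv.items() if c["fvAEPg"] == 0)


# Constructed sample exports (not from a real fabric). Prod.json uses the imdata
# wrapper; the other two are bare fvTenant trees.
SAMPLE_EXPORTS = {
    "Prod.json": json.dumps({"totalCount": "1", "imdata": [{"fvTenant": {
        "attributes": {"name": "Prod"},
        "children": [
            {"fvCtx": {"attributes": {"name": "prod-vrf"}}},
            {"fvBD": {"attributes": {"name": "web-bd"},
                      "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "prod-vrf"}}}]}},
            {"fvAp": {"attributes": {"name": "shop"}, "children": [
                {"fvAEPg": {"attributes": {"name": "web"}}},
                {"fvAEPg": {"attributes": {"name": "app"}}}]}},
            {"vzBrCP": {"attributes": {"name": "web-to-app"}}},
            {"l3extOut": {"attributes": {"name": "internet"}}},
        ]}}]}),
    "Prod-copy.json": json.dumps({"fvTenant": {
        "attributes": {"name": "Prod-copy"},
        "children": [{"fvAp": {"attributes": {"name": "shop"}}}]}}),
    "Test123.json": json.dumps({"fvTenant": {"attributes": {"name": "Test123"}}}),
}


if __name__ == "__main__":
    inv = inventory(SAMPLE_EXPORTS)
    for name, counts in inv.items():
        print(name, counts)
    print("tenants with no EPGs:", underused(inv))
```

To run it against real exports, replace SAMPLE_EXPORTS with a dict built by reading each exported file; the counting is generic, so additional classes of interest can be added to COUNTED.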
Conclusion
An ACI Tenant is the highest-level object within the ACI object model and can be seen as an administrative container. It encapsulates all objects that belong to a specific tenant, organization, or department. This includes VRFs, Endpoint Groups (EPGs), Bridge Domains (BDs), Subnets, L3Outs, and contracts.