Physical Constructs in Cisco ACI
Physical constructs in Cisco ACI enable switch- and interface-level configurations within the logical model. These constructs define how the underlying hardware resources are prepared to support higher-level abstractions.
A domain serves as a container that bundles interfaces and VLANs, making them available for use by Endpoint Groups (EPGs) associated with that domain. This binding ensures that logical policies defined at the EPG level can be realized consistently across the physical infrastructure.
The following figure illustrates the physical constructs within the Cisco ACI fabric and their relationship to logical policies.

Switch Profiles, Interface Policies, and Domains in Cisco ACI
Switch profiles allow administrators to select one or more leaf switches and associate interface profiles to configure the ports on those specific nodes. This provides a structured way to apply consistent port configurations across the fabric.
Interface policy groups act as reusable templates that define port behavior. These policy groups are linked to an Attachable Access Entity Profile (AAEP), also referred to as an AEP, which serves as the binding point between logical constructs and physical interfaces.
The domain bridges the physical and logical layers of the ACI fabric:
- The Fabric tab in the APIC GUI represents the physical world (switches and interfaces).
- The Tenant tab represents the logical world (network policies and application communication).
Cisco ACI supports three types of domains:
- Physical domains – used for static VLAN assignments.
- VMM domains – used for dynamic VLANs with Virtual Machine Manager (VMM) orchestration.
- External domains – represent external Layer 2 networks (with static VLANs) and external Layer 3 networks (with static VLANs) outside the control of the ACI fabric.
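
The binding chain described above (switch profile, interface policy group, AAEP, domain, EPG) can be checked mechanically before a static binding is deployed. The following is an added example, not code from the original page or from Cisco; it uses a simplified, hypothetical data model rather than APIC object names, and every profile, domain, EPG and VLAN value in it is constructed sample data.

```python
# Simplified, hypothetical model of ACI access policies (not APIC object names).
# All names and values below are constructed sample data.

SWITCH_PROFILES = {  # switch profile -> selected leaf nodes and port -> policy group
    "leaf101-102": {"nodes": {101, 102},
                    "ports": {"eth1/10": "pg-baremetal", "eth1/20": "pg-esxi"}},
}
POLICY_GROUPS = {"pg-baremetal": "aep-servers", "pg-esxi": "aep-esxi"}  # -> AAEP
AEP_DOMAINS = {"aep-servers": {"phys-tenantA"}, "aep-esxi": {"vmm-shared"}}
DOMAIN_VLANS = {"phys-tenantA": range(100, 200), "vmm-shared": range(1000, 1100)}
EPG_DOMAINS = {"tenantA/web": {"phys-tenantA"}, "tenantA/db": {"phys-tenantA"}}


def domains_on_port(node, port):
    """Walk switch profile -> interface policy group -> AAEP -> domains."""
    found = set()
    for profile in SWITCH_PROFILES.values():
        if node in profile["nodes"] and port in profile["ports"]:
            aep = POLICY_GROUPS.get(profile["ports"][port])
            found |= AEP_DOMAINS.get(aep, set())
    return found


def check_binding(epg, node, port, vlan):
    """Return a list of problems for one static EPG binding; empty means valid."""
    port_domains = domains_on_port(node, port)
    if not port_domains:
        return [f"{node}/{port}: no policy group/AAEP exposes any domain"]
    # The EPG may only use a port through a domain it is associated with.
    shared = port_domains & EPG_DOMAINS.get(epg, set())
    if not shared:
        return [f"{epg}: not associated with a domain available on {node}/{port}"]
    # The VLAN must belong to one of the domains common to the EPG and the port.
    if not any(vlan in DOMAIN_VLANS[d] for d in shared):
        return [f"{epg}: VLAN {vlan} is outside the VLANs of {sorted(shared)}"]
    return []


if __name__ == "__main__":
    for binding in [("tenantA/web", 101, "eth1/10", 110),
                    ("tenantA/db", 101, "eth1/20", 120),
                    ("tenantA/web", 102, "eth1/10", 1005)]:
        print(binding, check_binding(*binding) or "ok")
```

A binding passes only when the port's AAEP exposes a domain the EPG is associated with and the VLAN belongs to that domain, which is the same scoping the domain provides in the fabric.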

Optimizing Operations and Troubleshooting in Cisco ACI
To streamline daily operations and simplify troubleshooting, Cisco ACI recommends the following design practices:
- Physical domains for bare-metal servers: Create one physical domain per tenant for servers without hypervisor integration that require similar treatment.
- Physical domains for external connectivity: Create one physical domain per tenant dedicated to external connections.
- Shared VMM domains: If a Virtual Machine Manager (VMM) domain must be used across multiple tenants, a single VMM domain can be created and associated with all leaf ports—for example, where VMware ESXi servers are connected.
- Domain-to-AEP associations: Multiple domains can be linked to a single Attachable Access Entity Profile (AAEP/AEP) for simplicity. In some cases, multiple AEPs may be required—for instance, to enable the infrastructure VLAN or to limit VLAN scope across the fabric.
