Logical Constructs Overview

Cisco ACI provides a policy-driven approach to building data centers, aligning network behavior with business intent and application requirements. Its proactive model enforces continuous compliance with security policies and enables rapid fault resolution through real-time telemetry. Troubleshooting within ACI leverages both manual and automated tools, supporting structured root-cause analysis and remediation.

Cisco Application Policy Infrastructure Controller (APIC)

The APIC is the centralized automation and management point for the ACI fabric. It delivers:

  • Policy programming
  • Application deployment
  • Health monitoring

When administrators define policies in APIC, they are reflected in the logical model. The ACI fabric operating system on switch nodes translates these logical policies into a concrete model, which is then applied across the physical infrastructure. Each switch node maintains a complete copy of the concrete model, ensuring consistency and reliability throughout the fabric.

Logical and Physical Constructs

  • Tenant Tab (Logical Constructs)
    Used to configure abstractions such as VLANs and VRFs, defining how applications communicate across the network.
  • Fabric Tab (Physical Constructs)
    Used to configure interface-level elements such as port-channels and LLDP, preparing the physical infrastructure to support tenant policies.

This separation provides a clear abstraction: tenants define the logical view of the network, while the fabric enforces it at the switch and interface level. Endpoints—whether physical hosts or hypervisors—connect through this logical-to-physical mapping.

The ACI policy model manages the entire fabric, including the infrastructure, authentication, security, services, applications, and diagnostics. The logical constructs in the policy model define how the ACI fabric meets the needs of each of these functions.

In the logical constructs hierarchy, the top is represented by the root (or universe), as shown in the following figure.

Tenant Hierarchy in Cisco ACI

Within the Cisco ACI fabric, the next level of hierarchical separation is the tenant. A fabric can host multiple tenants, each serving as an isolated unit from a policy perspective. This isolation may be implemented for reasons such as automation boundaries, administrative control, or organizational requirements.

A tenant can contain one or more private Layer 3 networks. In this model, forwarding constructs (such as routing domains) are distinctly separated from connectivity constructs (such as interface configurations) by both security policies and location constraints. This separation ensures clear boundaries between how traffic is forwarded and how endpoints connect, maintaining both scalability and security across the fabric.

Virtual Routing and Forwarding (VRF) in Cisco ACI

A Virtual Routing and Forwarding (VRF) instance is the largest network construct within a tenant. It provides an independent IP address space and Layer 3 forwarding domain, functioning much like a traditional router. Each tenant maintains its own VRFs, and all tenant components—such as endpoints—must reside within a VRF belonging to that same tenant, with the exception of the common tenant, which can be shared across multiple tenants.
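The scoping rule above (a VRF reference resolves inside the owning tenant first, then in the shared common tenant, and nowhere else) can be checked offline against an exported policy tree. The following is an added example, not code from the page or from Cisco; it assumes the APIC REST object-model shape (fvTenant containing fvCtx and fvBD objects, with the bridge domain's fvRsCtx relation naming its VRF by tnFvCtxName) and uses a constructed three-tenant sample.

```python
"""Lint tenant/VRF scoping in an APIC-style policy export (added example)."""
import json

# Constructed sample in the APIC object-model shape: tenant "finance" has one
# bridge domain that names a VRF owned by tenant "hr", which is not resolvable.
SAMPLE_POLICY = json.dumps({"imdata": [
    {"fvTenant": {"attributes": {"name": "common"}, "children": [
        {"fvCtx": {"attributes": {"name": "shared-vrf"}}}]}},
    {"fvTenant": {"attributes": {"name": "finance"}, "children": [
        {"fvCtx": {"attributes": {"name": "fin-vrf"}}},
        {"fvBD": {"attributes": {"name": "bd-app"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "fin-vrf"}}}]}},
        {"fvBD": {"attributes": {"name": "bd-shared"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "shared-vrf"}}}]}},
        {"fvBD": {"attributes": {"name": "bd-bad"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "hr-vrf"}}}]}}]}},
    {"fvTenant": {"attributes": {"name": "hr"}, "children": [
        {"fvCtx": {"attributes": {"name": "hr-vrf"}}}]}},
]})


def parse_tenants(policy_json: str) -> dict:
    """Return {tenant: {"vrfs": set of VRF names, "bd_refs": {bd: vrf_name}}}."""
    tenants = {}
    for item in json.loads(policy_json)["imdata"]:
        tn = item["fvTenant"]
        vrfs, bd_refs = set(), {}
        for child in tn.get("children", []):
            if "fvCtx" in child:
                vrfs.add(child["fvCtx"]["attributes"]["name"])
            elif "fvBD" in child:
                bd = child["fvBD"]
                for rel in bd.get("children", []):
                    if "fvRsCtx" in rel:  # named relation from BD to its VRF
                        bd_refs[bd["attributes"]["name"]] = rel["fvRsCtx"]["attributes"]["tnFvCtxName"]
        tenants[tn["attributes"]["name"]] = {"vrfs": vrfs, "bd_refs": bd_refs}
    return tenants


def resolve_vrf(tenants: dict, tenant: str, vrf_name: str):
    """Mirror the scoping rule: own tenant first, then tenant common; else None."""
    if vrf_name in tenants[tenant]["vrfs"]:
        return f"uni/tn-{tenant}/ctx-{vrf_name}"
    if vrf_name in tenants.get("common", {}).get("vrfs", set()):
        return f"uni/tn-common/ctx-{vrf_name}"
    return None


def find_unresolved(policy_json: str) -> list:
    """List (tenant, bridge_domain, vrf_name) references that violate the rule."""
    tenants = parse_tenants(policy_json)
    return [(tn, bd, vrf) for tn, data in tenants.items()
            for bd, vrf in data["bd_refs"].items()
            if resolve_vrf(tenants, tn, vrf) is None]
```

Run against a real export, a reference that fails to resolve is the kind of configuration that APIC surfaces as a missing-target fault rather than silently forwarding, so catching it before push keeps tenant isolation intact.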
