Server Infrastructure Required

This lab can be completed if you have access to the server infrastructure in a private lab or if you are at an event such as Cisco Live!

ACI 101: APIC Interfaces

Learning Objectives

After completing this module you will be able to:

  • Identify the main interfaces to the APIC controller
  • Execute basic commands to the APIC controller using the Command Line Interface
  • Execute basic commands to the APIC controller using the Application Program Interface
  • Understand how the Graphic User Interface communicates with the controller

ACI Interfaces

Application Centric Infrastructure (ACI) provides a centralized approach to network fabric operation. All components of the fabric - the spine and leaf switches - as well as network services and certain VM management features can be provisioned and managed solely from the Application Policy Infrastructure Controller (APIC). While operators can connect to individual fabric nodes, one of the key features of ACI is to provide a single access point via the APIC controller for status, provisioning, configuration and troubleshooting, greatly simplifying network management.

There are three primary ways for users to access the APIC controller:

  • Command Line Interface (CLI)
  • Application Program Interface (API)
  • Graphic User Interface (GUI)

Note that while there are three ways to access the APIC, there are actually only two interfaces, the CLI and API. The GUI is actually a separate Web-based application hosted on the APIC which leverages the API to interface with the internal data model housed in the controller. We’ll discuss both the CLI and API this module but focus on the API going forward.


Command Line Interface

Network Engineers have a great deal of experience in using CLI to interact with network equipment. While the commands and features of ACI differ from traditional switch operating systems, such as IOS or NX-OS, the method of interaction is the same.

To highlight this interface, we will log into the APIC and create a new VRF instance. In ACI, VRF’s are known as ‘Private Networks’ and they are contained within a Tenant. Tenants in ACI define a logically separate space for networks and network administration. Each tenant contains its own networks on a separate Virtual Routing Forwarding instance. At this time we’ll just create an empty VRF inside a tenant to showcase the use of CLI.

NOTE: The CLI interaction discussed in this session applies to ACI versions prior to release 1.2. With ACI release 1.2 and later, a new NX-OS-style CLI is included on the controller. The new CLI allows network engineers to troubleshoot and provision ACI using a familiar and well-understood interface. The following CLI commands are not part of the new NX-OS-Style CLI but may still be used by toggling the APIC back to traditional CLI mode. For releases prior to 1.2, the following commands examples showcase the primary CLI in the APIC.

Open an SSH client, such as Putty, and establish an SSH session with one of the IP addresses in the APIC cluster. Be sure to modify the SSH port if necessary:


Provide the Username and Password for your APIC (e.g. admin/cisco123) and once logged in you will see the command prompt for the APIC:


First, we’ll create a new tenant called ‘ExampleCliTenant’. To do so, we'll navigate to the tenant's directory on the APIC. Once in the folder we'll create this tenant as a new managed object and commit this configuration. We’ll discuss managed objects in more detail in the next module, for now we'll just focus on the interfaces.

cd /aci/tenants
mocreate ExampleCliTenant
moconfig commit


Now that the tenant has been created in the APIC, we will change directories in the APIC to the private-network folder where we'll create a new private network (or VRF). Just as with the tenant, we will create it as a managed object and commit this configuration to the controller.

cd ExampleCliTenant/networking/private-networks/
mocreate myVRF
moconfig commit


We can confirm the tenant has been created using the following:

    show tenant

Issuing this command in the SSH client, we see that we are actually just using the Linux command to view the contents of the Tenants directory in the APIC.


So, we can also very easily confirm that our ‘myVRF’ private-network was created with the following:

    ls /aci/tenants/ExampleCliTenant/networking/private-networks/

Take a look at the file path where this Private Network was created. It is actually a subfolder of our new Tenant. This is expected since the Tenant 'contains' all the components of our network in ACI.