Monday, 5 January 2026

Cisco ACI network architecture diagram & NOTES


A Physical Domain in Cisco ACI defines the scope within which a VLAN pool can be used for non-virtual (bare-metal or physical) connectivity. It serves as the logical link between a VLAN pool and an Attachable Access Entity Profile (AEP), enabling Endpoint Groups (EPGs) to be extended from the ACI fabric to external physical devices.
Definition of a Physical Domain
A Physical Domain is a policy construct configured in the APIC under:
Fabric → Access Policies → Physical and External Domains → Physical Domains.
It associates a specific VLAN pool with an AEP, thereby controlling which VLAN encapsulations are permitted on physical interfaces connected to the fabric.
Primary Use Cases
Directly connecting bare-metal servers, network appliances such as firewalls, load balancers, and storage systems, or other non-virtualized devices to leaf switch ports.
Extending Layer 2 VLANs from the ACI fabric to external switches for purposes such as data center migration or integration with an existing network infrastructure.
Role in the Access Policy Model
Within the ACI access policy framework, the Physical Domain establishes the relationship between:
VLAN Pool → AEP → Interface Policy Group → Leaf/Port.
This relationship allows EPGs associated with the Physical Domain to use VLANs from the defined pool on specific physical interfaces.
When an EPG is associated with a Physical Domain, a static path binding can be configured in the APIC, mapping the EPG to selected leaf interfaces or port channels with a specific VLAN encapsulation drawn from the domain’s VLAN pool.
Scenarios for Multiple Physical Domains
Multiple Physical Domains are typically created to:
Isolate VLAN pools across different environments, such as production and non-production, while using separate AEPs and interface assignments.
Enforce clear segmentation between different categories of physical devices (for example, firewall clusters versus bare-metal compute nodes) that must not share the same VLAN namespace.
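The two checks an operator wants before trusting the chain above are that every static path binding's encapsulation and leaf/port actually resolve through Interface Policy Group → AEP → Physical Domain → VLAN pool, and that domains meant to stay segmented do not share VLAN ranges. The following is an added example, not part of the original notes or Cisco's tooling; it works on a constructed in-memory model of the access policies (all domain, AEP, policy group and port names are made up), the kind of data an audit script would pull from the APIC.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class VlanPool:
    name: str
    ranges: list  # inclusive (start, end) encap blocks, as in an APIC VLAN pool

    def contains(self, vlan):
        return any(lo <= vlan <= hi for lo, hi in self.ranges)

@dataclass
class StaticBinding:  # EPG static path binding: domain, leaf/port and encap
    epg: str
    domain: str
    leaf: str
    port: str
    encap: int

# Constructed sample model; every name below is made up for this example.
DOMAIN_POOL = {  # Physical Domain -> the VLAN pool it is associated with
    "PROD_PhysDom": VlanPool("PROD_Pool", [(100, 199)]),
    "FW_PhysDom": VlanPool("FW_Pool", [(150, 250)]),
}
AEP_DOMAINS = {"PROD_AEP": {"PROD_PhysDom"}, "FW_AEP": {"FW_PhysDom"}}
IPG_AEP = {"PROD_IPG": "PROD_AEP", "FW_IPG": "FW_AEP"}
PORT_IPG = {("leaf101", "eth1/1"): "PROD_IPG", ("leaf101", "eth1/2"): "FW_IPG"}

def domain_overlaps(domain_pool=DOMAIN_POOL):
    """Pairs of Physical Domains whose VLAN pools share at least one encap."""
    return [(a, b) for a, b in combinations(domain_pool, 2)
            if any(x[0] <= y[1] and y[0] <= x[1]
                   for x in domain_pool[a].ranges for y in domain_pool[b].ranges)]

def validate_binding(b, domain_pool=DOMAIN_POOL, aep_domains=AEP_DOMAINS,
                     ipg_aep=IPG_AEP, port_ipg=PORT_IPG):
    """Walk Leaf/Port -> IPG -> AEP -> Physical Domain -> VLAN pool; list faults."""
    pool = domain_pool.get(b.domain)
    if pool is None:
        return [f"{b.epg}: unknown Physical Domain {b.domain}"]
    faults = []
    if not pool.contains(b.encap):
        faults.append(f"{b.epg}: vlan-{b.encap} is outside pool {pool.name}")
    ipg = port_ipg.get((b.leaf, b.port))
    aep = ipg_aep.get(ipg)
    if aep is None:
        faults.append(f"{b.epg}: {b.leaf} {b.port} has no interface policy group/AEP")
    elif b.domain not in aep_domains.get(aep, set()):
        faults.append(f"{b.epg}: {aep} does not include {b.domain}")
    return faults
```

With the sample data, `domain_overlaps()` flags the production and firewall domains because VLANs 150-199 sit in both pools, and a firewall EPG statically bound to the production port with vlan-300 produces two faults (encap outside the pool, and an AEP that does not carry the firewall domain).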



