Cisco ACI – Best Practices

This post provides a list of configuration options in Cisco ACI (Application Centric Infrastructure) that are recommended for most users. These configurations enhance the functionality and performance of Cisco ACI.

Endpoint Learning Settings

Enforce Subnet Check:

  • Location: Fabric > Access Policies > Global Policies > Fabric Wide Setting Policy
  • Best practice: Enable this option.
  • Function: Prevents unnecessary or unintended endpoint learnings based on the subnets configured in the bridge domains under each VRF instance.

Endpoint IP Aging:

  • Location: System > System Settings > Endpoint Controls > IP Aging
  • Best practice: Enable this option.
  • Function: Gives each IP address associated with an endpoint its own aging timer, so that individual IP addresses age out independently.

Loop Mitigation Settings

Enable MCP (per VLAN):

  • Location: Fabric > Access Policies > Global Policies > MCP Instance Policy default
  • Best practice: Enable this option on leaf node ports connected to external Layer 2 networks that may introduce loops.
  • Function: MisCabling Protocol (MCP) detects loops from external sources and err-disables the interface on which Cisco ACI receives the MCP packet.

EP Loop Protection or Rogue Endpoint Control

  • EP Loop Protection:
    • Location: Fabric > Access Policies > Global Policies > EP Loop Protection Policy
    • Best practice: Choose either EP Loop Protection or Rogue Endpoint Control after understanding the pros and cons of each option.
    • Function: Detects loops by monitoring endpoint movements and takes actions to prevent further loop occurrence.
  • Rogue Endpoint Control:
    • Location: System > System Settings > Endpoint Controls > Rogue EP Control
    • Best practice: Enable Rogue Endpoint Control, which acts per endpoint instead of per port or bridge domain.
    • Function: Identifies misbehaving rogue endpoints and pins them down to the interface on which they were last learned.

Bridge Domain Settings

Unicast Routing:

  • Location: Tenant > Networking > Bridge Domains > Policy > L3 Configurations
  • Best practice: Do not enable this option when the default gateway for endpoints is not the bridge domain SVI.
  • Function: Enables the bridge domain to route traffic and learn endpoint IP addresses.

L2 Unknown Unicast:

  • Location: Tenant > Networking > Bridge Domains > Policy > General
  • Best practice: Set this option to Flood in scenarios where unicast routing is disabled or when using non-Cisco ACI switches for layer 2 extension.
  • Function: Determines whether the bridge domain floods packets destined to unknown MAC addresses or sends them to a spine node for COOP database lookup.

ARP Flooding:

  • Location: Tenant > Networking > Bridge Domains > Policy > General
  • Best practice: Enable this option when clustered servers, firewalls, or load balancers require GARP flooding.
  • Function: Decides whether the bridge domain should flood ARP requests all the time or perform unicast routing based on the target IP address in the ARP header.

QoS Settings

DSCP Translation:

  • Location: Tenant > infra > Policies > Protocol > DSCP class-CoS translation policy for L3 traffic
  • Best practice: Enable DSCP Translation and assign DSCP classes that are not used in IPN/ISN to Cisco ACI QoS classes.
  • Function: Translates Cisco ACI QoS classes into DSCP in the outer IP address header of VXLAN packets to preserve QoS classes during traffic traversal.

Other Settings

Fabric Port Tracking:

  • Location: System > System Settings > Port Tracking
  • Best practice: Enable this option with the active fabric ports threshold set to zero.
  • Function: Monitors the number of operational fabric ports on a leaf node and brings down downlink ports if the threshold is reached, ensuring external devices switch over to healthy leaf nodes.

Global AES Encryption:

  • Location: Admin > AAA > AES Encryption Passphrase and Keys for Config Export (and Import); OR: System > System Settings > Global AES Passphrase Encryption Settings
  • Best practice: Enable this option to encrypt passwords in the configuration export.
  • Function: Encrypts passwords and includes them in the configuration export, ensuring configurations with passwords work correctly after import.

VLAN Pool:

  • Location: Fabric > Access Policies > Pools > VLAN
  • Best practice: Configure a minimum number of VLAN pools to avoid overlapping VLAN ranges.
  • Function: Determines the VXLAN ID (VNID) assigned to each VLAN in the fabric.

ISIS Redistribution Metric:

  • Location: Fabric > Fabric Policies > Policies > Pod > ISIS Policy Default > ISIS metric for redistributed routes; OR: System > System Settings > ISIS Policy > ISIS metric for redistributed routes
  • Best practice: Set the ISIS Redistribution Metric to 62 or lower for better convergence times in a Cisco ACI Multi-Pod deployment.
  • Function: Sets the Cisco ACI infra TEP routes metric when redistributing from a routing protocol into ISIS.

COOP Group:

  • Location: System > System Settings > COOP Group
  • Best practice: Set COOP Group to Strict for MD5 authentication in COOP communication between Cisco ACI switch nodes.
  • Function: Ensures that COOP database information is exchanged only between switches in the same fabric.
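As an added example that is not part of the original post: a small Python audit that reads an APIC-style JSON export and flags the global settings above that deviate from the recommendations. The object class and attribute names (infraSetPol.enforceSubnetCheck, mcpInstPol.ctrl, coopPol.type and so on) and the sample export are assumptions drawn from the APIC object model, not from this post; confirm them against your APIC version before relying on the result.

```python
import json

# Constructed sample in the shape of an APIC REST/JSON export ("imdata" list of
# {class: {"attributes": {...}}}). Class and attribute names are assumptions
# drawn from the APIC object model; the values were chosen to show failures.
SAMPLE = json.dumps({"imdata": [
    {"infraSetPol": {"attributes": {"dn": "uni/infra/settings", "enforceSubnetCheck": "no"}}},
    {"epIpAgingP": {"attributes": {"dn": "uni/infra/ipAgingP-default", "adminSt": "enabled"}}},
    {"mcpInstPol": {"attributes": {"dn": "uni/infra/mcpInstP-default", "adminSt": "disabled", "ctrl": ""}}},
    {"epControlP": {"attributes": {"dn": "uni/infra/epCtrlP-default", "adminSt": "enabled"}}},
    {"infraPortTrackPol": {"attributes": {"dn": "uni/infra/trackEqptFabP-default", "adminSt": "on", "minlinks": "0"}}},
    {"pkiExportEncryptionKey": {"attributes": {"dn": "uni/exportcryptkey", "strongEncryptionEnabled": "no"}}},
    {"isisDomPol": {"attributes": {"dn": "uni/fabric/isisDomP-default", "redistribMetric": "63"}}},
    {"coopPol": {"attributes": {"dn": "uni/fabric/pol-default", "type": "compatible"}}},
]})

# One rule per recommendation: (class, attribute, predicate on the value, finding text)
RULES = [
    ("infraSetPol", "enforceSubnetCheck", lambda v: v == "yes", "Enforce Subnet Check is disabled"),
    ("epIpAgingP", "adminSt", lambda v: v == "enabled", "Endpoint IP Aging is disabled"),
    ("mcpInstPol", "adminSt", lambda v: v == "enabled", "MCP is disabled"),
    ("mcpInstPol", "ctrl", lambda v: "pdu-per-vlan" in v.split(","), "MCP PDUs are not sent per VLAN"),
    ("epControlP", "adminSt", lambda v: v == "enabled", "Rogue Endpoint Control is disabled"),
    ("infraPortTrackPol", "adminSt", lambda v: v == "on", "Port Tracking is off"),
    ("infraPortTrackPol", "minlinks", lambda v: int(v) == 0, "Port Tracking threshold is not zero"),
    ("pkiExportEncryptionKey", "strongEncryptionEnabled", lambda v: v == "yes", "Global AES encryption is disabled"),
    ("isisDomPol", "redistribMetric", lambda v: int(v) <= 62, "ISIS redistribution metric is above 62"),
    ("coopPol", "type", lambda v: v == "strict", "COOP Group is not Strict"),
]

def audit(export_json):
    """Return a list of findings; an empty list means every rule passed."""
    objs = {}
    for item in json.loads(export_json)["imdata"]:
        for cls, body in item.items():
            objs[cls] = body["attributes"]          # one global policy object per class
    findings = []
    for cls, attr, ok, msg in RULES:
        attrs = objs.get(cls)
        if attrs is None or attr not in attrs:
            findings.append(f"{cls}.{attr}: not present in export, cannot verify")
            continue
        if not ok(attrs[attr]):
            findings.append(f"{cls}.{attr}={attrs[attr]!r}: {msg}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Bridge-domain settings (unicast routing, L2 unknown unicast, ARP flooding) are per fvBD object and depend on the gateway placement, so they are better reviewed per bridge domain than with a single global rule.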

Topology

APIC Connectivity:

  • Best practice: Connect each APIC to two different leaf nodes for redundancy, ensuring reachability even when one leaf node is down.
  • Function: APICs use these connections to manage the fabric’s ACI switch nodes and other APICs.

Switch Connectivity:

  • Best practice: Establish full-mesh cable connectivity between spine and leaf nodes.
  • Function: Forms the spine-leaf topology, which is the foundation of the Cisco ACI fabric.

These recommended configurations aim to optimize the performance, stability, and security of Cisco ACI deployments.