Network Centric to ACI Centric Migration

The vast majority of ACI customers do not start out with an Application Centric deployment of ACI, mainly because they do not have a clear understanding of their applications and the vast number of interdependencies. However, with the advent of Tetration and other 3rd party analytics tools, knowledge about how applications are connected is increasing, and customers are looking to migrate some apps from the “Network-Centric” approach (Vlan=EPG=BD) to a full ACI-Centric model.

Let me be clear: the Network-Centric model serves many customers well. It allows them to migrate their existing compute/applications/network into ACI in a way that is familiar and well understood. Customers operating their fabrics in a Network-Centric model continue to gain numerous benefits from ACI, such as Single Pane of Glass management from the UI, elimination of box-by-box management of the entire data center, the ability to upgrade the entire fabric (APICs + switches) from one location with ease, decreased time to resolution during issues due to the availability of consolidated faults and health scores, etc.

However, for those customers who want to take their ACI deployment to the next level, moving applications into an ACI-Centric Model is one of the next logical steps. Below, we will discuss a sample methodology for moving applications into an ACI-Centric Model.


  • This document assumes that the customer has the data needed to build out the application profiles for their ACI-Centric application.
    • This data can be obtained in several manners, such as:
      • Application Dependency mapping via Cisco Tetration Analytics
      • Cisco Advanced Services ANP Analysis Service
      • Customer knowledge of applications
      • 3rd party tools
  • Network-Centric Mode is currently used (Network-Centric means 1 Vlan = 1 BD = 1 EPG)
    • All legacy Vlans that will be migrated as part of the ACI-Centric application exist on the fabric (or will be operational prior to the migration to the ACI-Centric implementation).
    • All legacy vlans exist on the L2 trunk between the Legacy network and ACI fabric
    • New ACI-Centric Vlans will live exclusively inside of ACI (do not extend the ACI-centric vlans outside of ACI)
  • VMM Integration to the ACI Fabric must be completed before moving VMs from the Legacy network to the ACI Fabric. Pre-work includes, but is not limited to, installation of additional connectivity from FIs to the ACI Fabric, configuration of ESXi vNICs, and OOB connectivity.
  • L2 connectivity traffic between the ACI Fabric and Legacy network should be monitored before, during and after migration.
  • All L3GW functionality for applications will migrate from the Legacy network to the ACI Fabric prior to activation of ACI-Centric EPGs.
  • EPG to EPG communication is a permit any. This is highly recommended; contracts for ACI-Centric mode should be configured last.
  • DHCP Labels are created prior to migration

Generic Migration Guidelines

The following guidelines will be followed when migrating applications to the ACI Fabric.

  1. Map existing Vlans into ACI in Network-Centric Mode (L2 only – no contracts) – Create legacy EPGs and BDs on the ACI Fabric. BDs will be initially created as L2. L3GW functionality will remain on the legacy network until after L3GW Migration.
    1. L2 BD configurations – For each of your bridge domains, it is recommended that they are configured with the following:
      1. IP Subnet check is enabled
      2. Flood is enabled (for migration)
      3. ARP flooding is enabled (for migration)
      4. BD is associated with respective VRF and L3out
      5. Unicast Routing is DISABLED at the BD level
      6. IP address and VMAC are configured on the BD
    2. Create static bindings for the Legacy EPGs on the L2 trunk between the ACI Fabric and Legacy network
    3. Identify list of servers (both bare-metal and VMs) present in the legacy network that will be migrated to ACI.
  2. Create L3out for Tenant and establish routing availability from ACI to legacy environment
  3. Migrate L3GWs for legacy Vlans into ACI Fabric
    1. Validate routing from inside the ACI Fabric and outside of the ACI Fabric.
  4. Create New Application Profile and EPGs from application data analysis
    1. Associate New EPGs with the proper BDs
    2. Associate new EPGs with the proper VMM Domains for VMs
    3. Configure static bindings for Physical devices
  5. Migrate Servers – Servers associated with the various applications will move to the ACI Fabric and be associated with the specific EPG designated based on the output of the data analysis.
    1. Bare Metal
    2. VMs
  6. Deploy ACI-centric contracts (optional)
  7. Perform Cleanup
    1. Remove unneeded EPGs
    2. Remove L2 connections to legacy environments (once all migration of services is completed)
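
A pre-cutover check for step 1.1, added here as an example and not part of the original article: it audits bridge domains in a tenant export against the L2 checklist above. The tenant data is constructed, and mapping "IP Subnet check" to `limitIpLearnToSubnets` and "Flood" to `unkMacUcastAct` is an assumption of this example.

```python
# Added example: audit legacy bridge domains against the step 1.1 checklist.
# TENANT is a constructed sample in APIC JSON export layout, not real fabric data.
TENANT = {"fvTenant": {"attributes": {"name": "Prod"}, "children": [
    {"fvBD": {"attributes": {"name": "Vlan5_BD", "unicastRoute": "no", "arpFlood": "yes",
                             "unkMacUcastAct": "flood", "limitIpLearnToSubnets": "yes",
                             "vmac": "00:00:0C:07:AC:05"},
              "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "Prod_VRF"}}},
                           {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "Prod_L3out"}}},
                           {"fvSubnet": {"attributes": {"ip": "10.0.5.1/24"}}}]}},
    {"fvBD": {"attributes": {"name": "Vlan6_BD", "unicastRoute": "yes", "arpFlood": "no",
                             "unkMacUcastAct": "proxy", "limitIpLearnToSubnets": "yes",
                             "vmac": "not-applicable"},
              "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "Prod_VRF"}}}]}},
]}}

# Checklist item -> (fvBD attribute, required value). Mapping "IP Subnet check" and
# "Flood" to these two attributes is an assumption of this example.
REQUIRED_ATTRS = {
    "IP subnet check enabled": ("limitIpLearnToSubnets", "yes"),
    "L2 unknown unicast flood": ("unkMacUcastAct", "flood"),
    "ARP flooding enabled": ("arpFlood", "yes"),
    "Unicast routing disabled": ("unicastRoute", "no"),
}
REQUIRED_CHILDREN = {"VRF association": "fvRsCtx", "L3out association": "fvRsBDToOut",
                     "BD IP address": "fvSubnet"}

def audit_l2_bds(tenant):
    """Return {bd_name: [failed checklist items]} for BDs that deviate."""
    findings = {}
    for child in tenant["fvTenant"].get("children", []):
        bd = child.get("fvBD")
        if bd is None:
            continue
        attrs = bd["attributes"]
        present = {cls for c in bd.get("children", []) for cls in c}
        failed = [item for item, (key, want) in REQUIRED_ATTRS.items()
                  if attrs.get(key) != want]
        failed += [item for item, cls in REQUIRED_CHILDREN.items() if cls not in present]
        if attrs.get("vmac", "not-applicable") == "not-applicable":
            failed.append("VMAC configured")
        if failed:
            findings[attrs["name"]] = failed
    return findings

if __name__ == "__main__":
    for bd_name, failed in audit_l2_bds(TENANT).items():
        print(f"{bd_name}: {', '.join(failed)}")
```
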

Sample Migration of application “NewApp” to an ACI-Centric Model

The diagrams below represent a “story-board” approach of how we would migrate an application into ACI.

Network-Centric Mode

In general, I would recommend the “crawl/walk/run” approach to ACI deployments. For the application below, there are different components spread across three different Vlans: Vlan 5, 6, and 7. So the first step (crawl) is to migrate these Vlans into the ACI fabric in a network-centric approach, meaning that we will implement an approach where Vlan=EPG=BD.

[Diagram: Network-Centric Mode]

L3GW Migration

Once we have all of the L2 Vlans available on ACI (EPG/BDs are created, and an L2 trunk is configured between ACI and the Legacy environment), we can then migrate the L3GW services to ACI. This involves creating a L3out (External Routed Network) from ACI to the outside network, and then migrating each Vlan/Subnet to ACI, one at a time.

[Diagram: L3GW Migration]

ACI-Centric component creation

Now that we have L3GW functionality, we are fully operating in a Network-Centric model for our Vlans. Next, assuming we have the data that shows us how to deploy our application in ACI-Centric mode, we will take that data and configure our new Application Profiles, EPGs, and Contracts (to be used later) into ACI.

[Diagram: ACI-Centric component creation]


Server Migration into new ACI-Centric EPGs

Now that we have EPGs built for our ACI-Centric Application, we can begin moving servers (both bare-metal and virtual) into the EPGs. This also serves as an opportunity to determine if we need to remove unneeded EPGs (i.e., EPGs with no endpoints) from the fabric.

[Diagram: Server Migration into new ACI-Centric EPGs]

Decommission of Legacy components

Once all endpoints have been removed from a legacy network-centric EPG, such as Vlan5_EPG, it can be deleted. Additionally, once all servers have been migrated off of the legacy infrastructure, the L2 trunk between ACI and the Legacy network can be decommissioned.

[Diagram: Decommission of Legacy components]

Caveats – Gotchas

  • DHCP relay is only available on the primary subnet for a BD; if multiple subnets are needed on a BD, keep this in mind, as DHCP relay will only be forwarded to a DHCP server on the primary subnet
  • Do not combine multiple external Vlans into one ACI BD and extend those Vlans outside of ACI. Consider the case where you have two legacy Vlans (Vlan 11 and Vlan 12) with HSRP configured, and L3GW functionality on the non-ACI equipment. The HSRP hellos from both Vlan 11 and Vlan 12 would be visible to each other and result in problems.
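
The second caveat, together with the earlier assumption that ACI-Centric Vlans are not extended outside of ACI, can be checked from the static bindings. The following is an added example, not part of the original article; the trunk path, profile names and tenant data are constructed, and it assumes the legacy Vlan=EPG=BD EPGs live in one application profile.

```python
# Added example: audit static bindings on the legacy L2 trunk (constructed data).
from collections import defaultdict

LEGACY_TRUNK = "topology/pod-1/protpaths-101-102/pathep-[Legacy_vPC]"  # hypothetical path
LEGACY_AP = "Legacy_AP"  # hypothetical profile holding the Vlan=EPG=BD EPGs

def epg(name, bd, bindings):
    """Build one fvAEPg in APIC JSON layout from (path, encap) static bindings."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsPathAtt": {"attributes": {"tDn": p, "encap": e}}} for p, e in bindings]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}

def ap(name, epgs):
    return {"fvAp": {"attributes": {"name": name}, "children": epgs}}

# Constructed tenant: Vlan 11 and 12 share one BD; NewApp/DB is bound to the trunk.
TENANT = {"fvTenant": {"attributes": {"name": "Prod"}, "children": [
    ap(LEGACY_AP, [epg("Vlan5_EPG", "Vlan5_BD", [(LEGACY_TRUNK, "vlan-5")]),
                   epg("Vlan11_EPG", "Shared_BD", [(LEGACY_TRUNK, "vlan-11")]),
                   epg("Vlan12_EPG", "Shared_BD", [(LEGACY_TRUNK, "vlan-12")])]),
    ap("NewApp", [epg("Web", "Vlan5_BD",
                      [("topology/pod-1/paths-103/pathep-[eth1/10]", "vlan-105")]),
                  epg("DB", "Vlan7_BD", [(LEGACY_TRUNK, "vlan-107")])]),
]}}

def kids(obj, cls):
    return [c[cls] for c in obj.get("children", []) if cls in c]

def audit_trunk(tenant, trunk=LEGACY_TRUNK, legacy_ap=LEGACY_AP):
    """Return (BDs carrying >1 VLAN over the trunk, non-legacy EPGs bound to the trunk)."""
    trunk_vlans, extended = defaultdict(set), []
    for app in kids(tenant["fvTenant"], "fvAp"):
        for e in kids(app, "fvAEPg"):
            rs_bd = kids(e, "fvRsBd")
            bd = rs_bd[0]["attributes"]["tnFvBDName"] if rs_bd else "(no BD)"
            encaps = {p["attributes"]["encap"] for p in kids(e, "fvRsPathAtt")
                      if p["attributes"]["tDn"] == trunk}
            trunk_vlans[bd] |= encaps
            if encaps and app["attributes"]["name"] != legacy_ap:
                extended.append((app["attributes"]["name"], e["attributes"]["name"],
                                 sorted(encaps)))
    merged = {bd: sorted(v) for bd, v in trunk_vlans.items() if len(v) > 1}
    return merged, extended

if __name__ == "__main__":
    merged, extended = audit_trunk(TENANT)
    print("BDs with multiple trunk VLANs:", merged)
    print("ACI-Centric EPGs extended to legacy:", extended)
```
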

7 thoughts on “Network Centric to ACI Centric Migration”

  1. I came here while researching application centric and was disappointed to see this is the exact same document that Cisco has published. Disappointing.

    1. Eric – Thanks for checking us out! The document in question that Cisco published was a copy and paste of this article by the CX organization. To be clear, I am also a Cisco employee and gave permission for the article to be used by them for their CX Onboarding process. Hope that clears it up.

      1. I understand them wanting to use your materials! It’s very easy to understand from this site. Sorry for the misunderstanding. Keep up the great material.
