~45 min read · updated 2026-05-16

Lab 1: three-tier tenant

Build the first ACI Simulator lab: a lab-prod tenant with VRF, bridge domain, three EPGs, filters, and contracts.

This is the first real lab in the ACI Simulator track. The goal is not packet forwarding yet. The goal is to build a clean APIC policy model that you can inspect, delete, recreate, and later automate.

Target topology

What you will create

Object                Name or value
Tenant                lab-prod
VRF                   prod-vrf
Bridge domain         prod-bd
Subnet                10.10.10.1/24
Application profile   three-tier-app
EPGs                  web, app, db
Filter                app-tcp-8080, TCP destination port 8080
Filter                postgres, TCP destination port 5432
Contract              web-to-app
Contract              app-to-db

Policy relationships

Consumer   Contract     Provider
web        web-to-app   app
app        app-to-db    db

All three EPGs use bridge domain prod-bd. The bridge domain uses VRF prod-vrf.

Build it in the APIC GUI

Use the APIC UI first. The point of Lab 1 is to understand the object relationships before hiding them behind automation.

  1. Create tenant lab-prod.
  2. Inside the tenant, create VRF prod-vrf.
  3. Create bridge domain prod-bd.
  4. Associate prod-bd with prod-vrf.
  5. Add subnet 10.10.10.1/24 to prod-bd.
  6. Create application profile three-tier-app.
  7. Create EPGs web, app, and db.
  8. Associate each EPG with bridge domain prod-bd.
  9. Create filter app-tcp-8080 for TCP destination port 8080.
  10. Create filter postgres for TCP destination port 5432.
  11. Create contract web-to-app using filter app-tcp-8080.
  12. Create contract app-to-db using filter postgres.
  13. Make web consume web-to-app.
  14. Make app provide web-to-app.
  15. Make app consume app-to-db.
  16. Make db provide app-to-db.
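The sixteen GUI steps above map onto a single APIC policy tree. The script below is an added example (not the private lab repository's script) that expresses that tree in APIC's JSON object model and posts it in one request; the object names are the lab's, while the environment variable names, the contract subject name, the contract scope and the subnet scope are assumptions made here.

```python
"""Build the Lab 1 tenant as one ACI JSON policy tree and POST it to APIC.

Added example, not the lab repository's configure-aci-first-lab.sh. The object
names come from the lab; the environment variable names (APIC_URL, APIC_USER,
APIC_PASS, APIC_INSECURE) and attribute choices such as contract scope are assumptions.
"""
import json
import os
import ssl
import urllib.request

TENANT, VRF, BD, SUBNET, AP = "lab-prod", "prod-vrf", "prod-bd", "10.10.10.1/24", "three-tier-app"
FILTERS = {"app-tcp-8080": 8080, "postgres": 5432}                   # filter -> TCP destination port
CONTRACTS = {"web-to-app": "app-tcp-8080", "app-to-db": "postgres"}  # contract -> filter it carries
EPGS = {                                                             # EPG -> (consumes, provides)
    "web": (["web-to-app"], []),
    "app": (["app-to-db"], ["web-to-app"]),
    "db": ([], ["app-to-db"]),
}


def mo(cls, attrs, children=()):
    """One managed object in APIC JSON form: {cls: {"attributes": {...}, "children": [...]}}."""
    node = {"attributes": attrs}
    if children:
        node["children"] = list(children)
    return {cls: node}


def build_tenant():
    """Return the fvTenant subtree for steps 1-16 of the lab.

    Relations are expressed by name (tnFvCtxName, tnFvBDName, tnVzBrCPName, tnVzFilterName),
    which is how APIC links objects inside a tenant; a typo there still posts successfully
    but leaves the relation in state "missing-target" with a fault against the tenant.
    """
    filters = [mo("vzFilter", {"name": n}, [mo("vzEntry", {
                  "name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
                  "dFromPort": str(p), "dToPort": str(p)})])
               for n, p in FILTERS.items()]
    contracts = [mo("vzBrCP", {"name": n, "scope": "context"}, [
                    mo("vzSubj", {"name": f"{n}-subj"}, [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f})])])
                 for n, f in CONTRACTS.items()]
    epgs = [mo("fvAEPg", {"name": n},
               [mo("fvRsBd", {"tnFvBDName": BD})]
               + [mo("fvRsCons", {"tnVzBrCPName": c}) for c in cons]
               + [mo("fvRsProv", {"tnVzBrCPName": p}) for p in prov])
            for n, (cons, prov) in EPGS.items()]
    return mo("fvTenant", {"name": TENANT}, [
        mo("fvCtx", {"name": VRF}),
        mo("fvBD", {"name": BD}, [mo("fvRsCtx", {"tnFvCtxName": VRF}),
                                  mo("fvSubnet", {"ip": SUBNET, "scope": "private"})]),
        *filters, *contracts,
        mo("fvAp", {"name": AP}, epgs),
    ])


def relations(tree):
    """Recover the consumer -> contract -> provider table (what the GUI shows) from the tree."""
    cons, prov = {}, {}  # contract name -> set of EPG names
    for child in tree["fvTenant"]["children"]:
        for epg in child.get("fvAp", {}).get("children", []):
            name = epg["fvAEPg"]["attributes"]["name"]
            for rel in epg["fvAEPg"]["children"]:
                if "fvRsCons" in rel:
                    cons.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], set()).add(name)
                if "fvRsProv" in rel:
                    prov.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], set()).add(name)
    return {(c, k, p) for k in cons for c in cons[k] for p in prov.get(k, ())}


def push(tree, url, user, pwd, insecure=False):
    """Log in (aaaLogin), then POST the tree to /api/mo/uni.json; returns the HTTP status.

    POSTing a tree is a merge on APIC, so running this twice is idempotent: existing objects
    are updated in place and nothing is duplicated. `insecure` skips TLS verification for a
    simulator with a self-signed certificate; leave it False against anything real.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(path, body, cookie=None):
        headers = {"Content-Type": "application/json"}
        if cookie:
            headers["Cookie"] = f"APIC-cookie={cookie}"
        req = urllib.request.Request(url + path, data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.load(resp)

    _, login = post("/api/aaaLogin.json", {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})
    token = login["imdata"][0]["aaaLogin"]["attributes"]["token"]
    status, _ = post("/api/mo/uni.json", tree, cookie=token)
    return status


if __name__ == "__main__":
    tree = build_tenant()
    if os.environ.get("APIC_URL"):  # credentials come from the environment, never from this file
        print(push(tree, os.environ["APIC_URL"].rstrip("/"), os.environ["APIC_USER"],
                   os.environ["APIC_PASS"], insecure=os.environ.get("APIC_INSECURE") == "1"))
    else:
        print(json.dumps(tree, indent=1))  # dry run: show the tree that would be posted
```

Run it with no environment variables to see the tree APIC would receive; the `relations()` helper reproduces the consumer/contract/provider table so you can confirm the JSON encodes the same relationships you clicked through in the GUI.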

Verify it

In APIC, check:

  • Tenant lab-prod exists.
  • VRF prod-vrf exists under the tenant.
  • Bridge domain prod-bd points to prod-vrf.
  • Bridge domain prod-bd has subnet 10.10.10.1/24.
  • Application profile three-tier-app contains EPGs web, app, and db.
  • web consumes contract web-to-app.
  • app provides web-to-app and consumes app-to-db.
  • db provides app-to-db.
  • The tenant has no obvious APIC faults.

Reproduce it with automation

In the private lab automation repository, this lab is also represented by an idempotent APIC API script:

./scripts/configure-aci-first-lab.sh

The script reads APIC connection details from the local secret store, applies the tenant model, and verifies the expected objects through the APIC API. It should return ready: true when the lab is healthy.
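The "verifies the expected objects" half of that script is the part worth seeing in code, because a tenant can look complete in the GUI while a relation points at a name that does not exist. The readiness check below is an added example, not the repository's script: it consumes the `imdata` list APIC returns for a subtree query of the tenant and decides `ready: true` or `false`; the sample response it runs against is hand-constructed here, not captured from an APIC.

```python
"""Decide ready: true / false for the Lab 1 tenant from one APIC query.

Added example, not the lab repository's script. It consumes the `imdata` list
returned by
  GET /api/mo/uni/tn-lab-prod.json?query-target=subtree&rsp-subtree-include=faults
The sample response at the bottom is hand-constructed, not captured from an APIC.
"""
TN = "uni/tn-lab-prod"
AP = f"{TN}/ap-three-tier-app"

# DN -> attribute values that must match ({} means the object only has to exist).
EXPECTED = {
    TN: {}, f"{TN}/ctx-prod-vrf": {}, f"{TN}/BD-prod-bd": {},
    f"{TN}/BD-prod-bd/rsctx": {"tnFvCtxName": "prod-vrf"},
    f"{TN}/BD-prod-bd/subnet-[10.10.10.1/24]": {"ip": "10.10.10.1/24"},
    f"{TN}/flt-app-tcp-8080": {}, f"{TN}/flt-postgres": {},
    f"{TN}/brc-web-to-app": {}, f"{TN}/brc-app-to-db": {}, AP: {},
    f"{AP}/epg-web/rscons-web-to-app": {}, f"{AP}/epg-app/rsprov-web-to-app": {},
    f"{AP}/epg-app/rscons-app-to-db": {}, f"{AP}/epg-db/rsprov-app-to-db": {},
}
for _epg in ("web", "app", "db"):
    EXPECTED[f"{AP}/epg-{_epg}"] = {}
    EXPECTED[f"{AP}/epg-{_epg}/rsbd"] = {"tnFvBDName": "prod-bd"}
# contract -> filter that some subject under it must attach (a contract with no filter permits nothing)
CONTRACT_FILTERS = {"web-to-app": "app-tcp-8080", "app-to-db": "postgres"}
BLOCKING = {"critical", "major"}  # fault severities that make the lab "not ready"


def index_by_dn(imdata):
    """Map dn -> (class, attributes) for every MO in an APIC imdata list."""
    out = {}
    for item in imdata:
        (cls, body), = item.items()
        out[body["attributes"]["dn"]] = (cls, body["attributes"])
    return out


def check_ready(imdata):
    """Return {"ready": bool, ...} together with the reasons the tenant is not healthy."""
    mos = index_by_dn(imdata)
    missing, mismatched, unformed, faults = [], [], [], []
    for dn, want in EXPECTED.items():
        if dn not in mos:
            missing.append(dn)
            continue
        cls, attrs = mos[dn]
        mismatched += [f"{dn} {k}={attrs.get(k)!r}" for k, v in want.items() if attrs.get(k) != v]
        # relation MOs (fvRs*/vzRs*) carry a state; anything but "formed" is a dangling reference
        # to a VRF, BD or contract name that does not exist, which APIC also raises as a fault
        if cls.startswith(("fvRs", "vzRs")) and attrs.get("state") != "formed":
            unformed.append(dn)
    for contract, flt in CONTRACT_FILTERS.items():
        attached = any(cls == "vzRsSubjFiltAtt" and attrs["dn"].startswith(f"{TN}/brc-{contract}/")
                       and attrs.get("tnVzFilterName") == flt for cls, attrs in mos.values())
        if not attached:
            missing.append(f"{TN}/brc-{contract}: no subject attaches filter {flt}")
    for cls, attrs in mos.values():
        if cls == "faultInst" and attrs.get("severity") in BLOCKING:
            faults.append(f"{attrs.get('code')} {attrs.get('descr')}")
    return {"ready": not (missing or mismatched or unformed or faults),
            "missing": missing, "mismatched": mismatched, "unformed": unformed, "faults": faults}


def sample_imdata(drop=()):
    """Hand-constructed subtree for a healthy lab; `drop` removes DNs to simulate gaps."""
    ok = {"state": "formed"}
    rows = [
        ("fvTenant", TN, {}), ("fvCtx", f"{TN}/ctx-prod-vrf", {}), ("fvBD", f"{TN}/BD-prod-bd", {}),
        ("fvRsCtx", f"{TN}/BD-prod-bd/rsctx", {"tnFvCtxName": "prod-vrf", **ok}),
        ("fvSubnet", f"{TN}/BD-prod-bd/subnet-[10.10.10.1/24]", {"ip": "10.10.10.1/24"}),
        ("vzFilter", f"{TN}/flt-app-tcp-8080", {}), ("vzFilter", f"{TN}/flt-postgres", {}),
        ("vzBrCP", f"{TN}/brc-web-to-app", {}), ("vzBrCP", f"{TN}/brc-app-to-db", {}),
        ("vzRsSubjFiltAtt", f"{TN}/brc-web-to-app/subj-s/rssubjFiltAtt-app-tcp-8080",
         {"tnVzFilterName": "app-tcp-8080", **ok}),
        ("vzRsSubjFiltAtt", f"{TN}/brc-app-to-db/subj-s/rssubjFiltAtt-postgres",
         {"tnVzFilterName": "postgres", **ok}),
        ("fvAp", AP, {}),
        ("fvRsCons", f"{AP}/epg-web/rscons-web-to-app", {"tnVzBrCPName": "web-to-app", **ok}),
        ("fvRsProv", f"{AP}/epg-app/rsprov-web-to-app", {"tnVzBrCPName": "web-to-app", **ok}),
        ("fvRsCons", f"{AP}/epg-app/rscons-app-to-db", {"tnVzBrCPName": "app-to-db", **ok}),
        ("fvRsProv", f"{AP}/epg-db/rsprov-app-to-db", {"tnVzBrCPName": "app-to-db", **ok}),
    ]
    for epg in ("web", "app", "db"):
        rows.append(("fvAEPg", f"{AP}/epg-{epg}", {}))
        rows.append(("fvRsBd", f"{AP}/epg-{epg}/rsbd", {"tnFvBDName": "prod-bd", **ok}))
    return [{cls: {"attributes": {"dn": dn, **a}}} for cls, dn, a in rows if dn not in drop]


if __name__ == "__main__":
    print(check_ready(sample_imdata()))
```

Against a live APIC, feed `check_ready()` the `imdata` array from the subtree query in the docstring instead of `sample_imdata()`. Checking relation `state` and the fault list, rather than only object existence, is what catches the two mistakes the GUI checklist above is most likely to miss: a contract or BD name typed slightly differently in one EPG, and a contract whose subject never had its filter attached.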

Do not put APIC credentials, session cookies, or private secret files into the blog or into Git.

What this lab teaches

You should leave Lab 1 understanding:

  • A tenant is the policy boundary.
  • A VRF is the routing table.
  • A bridge domain is the subnet and layer-2 boundary.
  • An EPG is a policy group for similar endpoints.
  • A contract is the allowed relationship between EPGs.
  • A filter is the protocol and port match used by a contract.

This is the minimum ACI vocabulary you need before moving into access policies, static path bindings, L3Outs, and real endpoint traffic.