ACI Simulator lab roadmap
The APIC-policy-only lab sequence for continuing the ACI Simulator track without EVE-NG dependencies.
This roadmap is only for ACI Simulator labs. It excludes:
- EVE-NG labs
- physical switching labs
- packet captures
- firewall dataplane insertion
The simulator track is for learning the APIC policy model safely. When a lab references real VM traffic, the packets are carried by the outside virtualization lab, not by ACI Simulator. Every APIC object model should be reproducible through automation and easy to inspect in the APIC GUI.
Completed
| Lab | Name | What it teaches |
|---|---|---|
| 1 | Three-tier tenant | Tenant, VRF, bridge domain, subnet, app profile, EPGs |
| 2 | Access policies and static paths | VLAN pool, physical domain, AEP, policy group, static path binding |
| 3 | Contracts and filters | Provider/consumer contracts, subjects, filters |
| 4 | L3Out model | External EPG, external subnet, external contract model |
| 5 | vzAny shared services | VRF-wide DNS/NTP contract consumption |
| 6 | Preferred group trust zone | Trusted EPG group with database excluded |
| 7 | Multi-tenant isolation | lab-prod and lab-dev as separate policy namespaces |
| 8 | Cross-tenant shared services | Shared-services tenant with explicit approved consumers |
| 9 | Common tenant reusable policy | Reusable common filters/contracts with narrow approved consumers |
| Bridge | ACI Morpheus setup lab | Mirror ACI EPG/VLAN intent into HPE Morpheus VM Essentials and KVM networks |
Next sequence
| Lab | Name | Goal |
|---|---|---|
| 10 | Contract scope comparison | Compare app-profile, VRF/context, tenant, and broader contract scopes |
| 11 | Tenant-specific L3Out models | Give production and development separate external policy models |
| 12 | Shared L3Out governance | Model shared external connectivity with narrow consumers |
| 13 | Service graph concept model | Build firewall-style service graph policy objects without dataplane tests |
| 14 | Quarantine EPG | Create a restricted EPG for isolated or remediation-only systems |
| 15 | RBAC and operator roles | Model read-only, tenant operator, and network operator access |
| 16 | Fault-driven troubleshooting | Create a safe policy error, inspect faults, and repair it |
| 17 | APIC audit and change review | Tie APIC audit events back to automation changes |
| 18 | Policy export and backup | Export tenant policy snapshots for restore practice |
| 19 | Clean rebuild rehearsal | Replay all simulator labs in order |
| 20 | Capstone | Combine tenants, shared services, external policy, RBAC, audit, and backup |
Execution rule
For every new lab:
- create a dedicated script in the lab repo
- keep the script idempotent
- verify through the APIC REST API
- return a clear `ready: true` result
- keep APIC credentials outside Git
- create a dedicated learning portal page
- update the durable lab memory
- commit and push after validation
Lab 10 starting point
Lab 10 should compare contract scope choices:
| Object | Name |
|---|---|
| Contracts | scoped examples with clearly named blast radius |
| Scope choices | application-profile, VRF/context, tenant, and broader patterns |
| Consumers | approved EPGs only |
| Verification | no accidental broad scope or unexpected consumers |
The important lesson is blast radius. Contract scope is not just a field in the GUI; it decides how far a policy can reach.
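A verification script of the kind the execution rule asks for, applied to the Lab 10 contract check: read the contract and its consumer relations through the APIC REST API, compare them with the intended scope and approved consumers, and return a `ready` result. This is an added example, not a script from the lab repo; the tenant, contract and EPG names, the `APIC_URL` variable and the two sample responses are assumptions, and the script only reads from APIC.

```python
"""Lab 10 check: does a contract have the intended scope and only approved consumers?

Added example, not a script from the lab repo. Tenant, contract and EPG names
are assumptions; the two APIC responses below are constructed sample data.
"""
import os

# APIC address and credentials come from the environment, never from Git.
APIC = os.environ.get("APIC_URL", "https://apic-sim.lab.invalid")  # assumed host


def query_urls(tenant, contract):
    """Read-only queries: the contract MO and every vzRsCons relation that names it."""
    return [
        f"{APIC}/api/node/mo/uni/tn-{tenant}/brc-{contract}.json",
        f'{APIC}/api/node/class/vzRsCons.json?query-target-filter=eq(vzRsCons.tnVzBrCPName,"{contract}")',
    ]


def check_contract(contract_imdata, rscons_imdata, tenant, expected_scope, approved):
    """Return the lab's ready result from the two APIC 'imdata' lists."""
    brcp = [m["vzBrCP"]["attributes"] for m in contract_imdata if "vzBrCP" in m]
    if not brcp:
        return {"ready": False, "problems": ["contract not found"]}
    problems, consumers = [], set()
    scope = brcp[0]["scope"]  # application-profile | context | tenant | global
    if scope != expected_scope:
        problems.append(f"scope is {scope}, expected {expected_scope}")
    for m in rscons_imdata:
        dn = m["vzRsCons"]["attributes"]["dn"]  # .../epg-web/rscons-web-to-app
        if not dn.startswith(f"uni/tn-{tenant}/"):
            continue  # same-named contract in another tenant; the lab keeps names unique
        consumers.add(dn.rsplit("/rscons-", 1)[0].rsplit("/", 1)[1])  # epg-web, instP-..., any
    unexpected = consumers - set(approved)
    if unexpected:
        problems.append(f"unexpected consumers: {sorted(unexpected)}")
    return {"ready": not problems, "scope": scope, "consumers": sorted(consumers), "problems": problems}


# Constructed sample: contract was pushed with VRF scope and the db EPG also consumes it.
SAMPLE_CONTRACT = [{"vzBrCP": {"attributes": {"dn": "uni/tn-lab-prod/brc-web-to-app", "scope": "context"}}}]
SAMPLE_RSCONS = [
    {"vzRsCons": {"attributes": {"dn": "uni/tn-lab-prod/ap-three-tier/epg-web/rscons-web-to-app", "tnVzBrCPName": "web-to-app"}}},
    {"vzRsCons": {"attributes": {"dn": "uni/tn-lab-prod/ap-three-tier/epg-db/rscons-web-to-app", "tnVzBrCPName": "web-to-app"}}},
    {"vzRsCons": {"attributes": {"dn": "uni/tn-lab-dev/ap-three-tier/epg-web/rscons-web-to-app", "tnVzBrCPName": "web-to-app"}}},
]

if __name__ == "__main__":
    print(query_urls("lab-prod", "web-to-app"))
    print(check_contract(SAMPLE_CONTRACT, SAMPLE_RSCONS, "lab-prod", "application-profile", ["epg-web"]))
```

In the lab script the two `imdata` lists come from the URLs returned by `query_urls`, fetched with the session token from `aaaLogin`; the sample data here stands in for those responses so the check runs offline.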