Cisco ACI
Cisco Application Centric Infrastructure (ACI) is a software-defined networking solution that provides centralized automation and policy-driven application profiles for data center environments. This integration enables visibility into your ACI fabric topology, tenants, networking constructs (VRFs, Bridge Domains), application profiles, endpoint groups, and discovered endpoints with their IP and MAC addresses.
Installation
Prerequisites in Cisco ACI
The JupiterOne Cisco ACI integration requires read-only access to the APIC (Application Policy Infrastructure Controller) REST API. You will need to create a local user account with appropriate permissions.
Creating a Local User Account
- Log in to the APIC GUI with administrator credentials.
- Navigate to Admin > AAA > Users.
- Select the Local Users tab.
- Click Create Local User and configure the following:
  - Login ID: A unique username for the integration (e.g., jupiterone-readonly)
  - Password: A strong password meeting APIC requirements (minimum 8 characters, including at least three character types: lowercase, uppercase, digits, or symbols)
- In the Security section:
  - Security Domain: Select all to allow access to all tenants, or select specific tenant domains if you want to limit the integration's scope
- In the Roles section, assign the following role:
  - Role: read-all
  - Privilege Type: Read

  Info: The read-all role with Read privilege provides read-only access to tenant configurations, fabric topology, and endpoint information without the ability to modify any settings.
- Click Submit to create the user.
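A least-privilege check for the account created above, as an added example that is not part of the JupiterOne or Cisco documentation: it parses the reply to an APIC login (POST /api/aaaLogin.json) and reports any write role, or any read role other than read-all, per security domain. The reply layout used here (aaaUserDomain, aaaReadRoles, aaaWriteRoles) and the sample replies are assumptions constructed for illustration; confirm them against the reply from your APIC version.

```python
import json

def _sample(read_roles, write_roles, domain="all"):
    """Build a constructed aaaLogin-style reply (not captured from a real APIC)."""
    wrap = lambda names: [{"role": {"attributes": {"name": n}}} for n in names]
    return {"imdata": [{"aaaLogin": {
        "attributes": {"token": "PLACEHOLDER", "userName": "jupiterone-readonly"},
        "children": [{"aaaUserDomain": {
            "attributes": {"name": domain},
            "children": [
                {"aaaReadRoles": {"attributes": {}, "children": wrap(read_roles)}},
                {"aaaWriteRoles": {"attributes": {}, "children": wrap(write_roles)}},
            ],
        }}],
    }}]}

READONLY = _sample(["read-all"], [])            # result expected from the steps above
OVERPRIVILEGED = _sample(["admin"], ["admin"])  # account mistakenly given the admin role

def domain_roles(login_reply):
    """Return {security_domain: {"read": [...], "write": [...]}} from a login reply."""
    login = login_reply["imdata"][0]["aaaLogin"]
    result = {}
    for child in login.get("children", []):
        dom = child.get("aaaUserDomain")
        if dom is None:
            continue  # ignore children that are not security-domain records
        roles = {"read": [], "write": []}
        for sub in dom.get("children", []):
            for key, kind in (("aaaReadRoles", "read"), ("aaaWriteRoles", "write")):
                for entry in sub.get(key, {}).get("children", []):
                    roles[kind].append(entry["role"]["attributes"]["name"])
        result[dom["attributes"]["name"]] = roles
    return result

def least_privilege_findings(login_reply, allowed_read=frozenset({"read-all"})):
    """List every deviation from 'read-all with Read privilege only'."""
    findings = []
    for domain, roles in domain_roles(login_reply).items():
        findings += [f"{domain}: write role '{w}' granted" for w in roles["write"]]
        findings += [f"{domain}: unexpected read role '{r}'"
                     for r in roles["read"] if r not in allowed_read]
    return findings

if __name__ == "__main__":
    for label, reply in (("readonly", READONLY), ("overprivileged", OVERPRIVILEGED)):
        print(label, json.dumps(least_privilege_findings(reply)))
```

An empty findings list means the account matches the read-all / Read configuration described in the steps; any entry is a reason to correct the role assignment before storing the credentials in the integration.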
Network Requirements
- The JupiterOne integration must be able to reach the APIC controller over HTTPS (port 443)
- If using a self-signed certificate on the APIC, you may need to configure TLS verification settings accordingly
- For on-premises deployments, ensure the JupiterOne Collector has network access to the APIC URL
Configuration in JupiterOne
To install the Cisco ACI integration in JupiterOne, navigate to the Integrations tab and select Cisco ACI. Click New Instance to begin configuring your integration.
Authentication Settings
- APIC URL: The URL of your Cisco ACI APIC controller (e.g., https://apic.example.com). This should be the management IP or hostname of your primary APIC.
- Username: The username of the read-only APIC user created for JupiterOne.
- Password: The password for the APIC user.
General Settings
- Account Name: Used to identify the Cisco ACI account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the Account Name toggle is enabled.
- Description: Optional description to help identify the integration instance.
- Polling Interval: Select the frequency for data synchronization. You may leave this as DISABLED and manually execute the integration.
Data Sources
The integration provides granular control over what data is ingested. You can enable or disable specific ingestion sources:
| Data Source | Description | Entities Created |
|---|---|---|
| Fabric & Controllers | ACI fabric topology and APIC controllers | cisco_aci_fabric, cisco_aci_controller |
| Tenants | ACI tenants (logical containers for policies) | cisco_aci_tenant |
| Networking | VRFs (Virtual Routing and Forwarding contexts) and Bridge Domains | cisco_aci_vrf, cisco_aci_bridge_domain |
| Applications | Application Profiles and Endpoint Groups (EPGs) | cisco_aci_application_profile, cisco_aci_epg |
| Endpoints | Discovered client endpoints with IP/MAC addresses and DNS records | cisco_aci_endpoint, cisco_aci_dns_record |
Click Create once all values are provided to finalize the integration.
Using a JupiterOne Collector
For on-premises Cisco ACI deployments that are not accessible from the internet, you can use a JupiterOne Collector to run the integration within your network:
- Deploy a JupiterOne Collector in your network with access to the APIC controller
- When configuring the integration instance, select the appropriate Collector
- The Collector will execute the integration locally and securely upload data to JupiterOne
Next Steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue to our Instance management guide to learn more about working with and editing integration instances.
Additional Resources
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Cisco ACI Account | cisco_aci_account | Account |
| Cisco ACI Application Profile | cisco_aci_application_profile | Application |
| Cisco ACI Bridge Domain | cisco_aci_bridge_domain | Network |
| Cisco ACI Controller | cisco_aci_controller | Device |
| Cisco ACI DNS Record | cisco_aci_dns_record | DomainRecord |
| Cisco ACI Endpoint | cisco_aci_endpoint | NetworkEndpoint |
| Cisco ACI Endpoint Group | cisco_aci_epg | Group |
| Cisco ACI Fabric | cisco_aci_fabric | Site |
| Cisco ACI Tenant | cisco_aci_tenant | Account |
| Cisco ACI VRF | cisco_aci_vrf | Network |
Relationships
The following relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
| cisco_aci_account | HAS | cisco_aci_fabric |
| cisco_aci_account | HAS | cisco_aci_tenant |
| cisco_aci_application_profile | HAS | cisco_aci_epg |
| cisco_aci_bridge_domain | USES | cisco_aci_vrf |
| cisco_aci_endpoint | ASSIGNED | cisco_aci_epg |
| cisco_aci_endpoint | HAS | cisco_aci_dns_record |
| cisco_aci_epg | USES | cisco_aci_bridge_domain |
| cisco_aci_fabric | HAS | cisco_aci_controller |
| cisco_aci_tenant | HAS | cisco_aci_vrf |
| cisco_aci_tenant | HAS | cisco_aci_bridge_domain |
| cisco_aci_tenant | HAS | cisco_aci_application_profile |
Cisco Aci Account
cisco_aci_account inherits from Account
Cisco Aci Application Profile
cisco_aci_application_profile inherits from Application
| Property | Type | Description | Specifications |
|---|---|---|---|
| qosPriority | string | | |
| tenantName | string | | |
Cisco Aci Bridge Domain
cisco_aci_bridge_domain inherits from Network
| Property | Type | Description | Specifications |
|---|---|---|---|
| arpFlood | boolean | | |
| limitIpLearnToSubnets | boolean | | |
| multiDestinationPacketAction | string | | |
| subnets | array of strings | | |
| tenantName | string | | |
| unicastRoute | boolean | | |
| unknownMacUnicastAction | string | | |
| unknownMulticastAction | string | | |
| vrfName | string | | |
Cisco Aci Controller
cisco_aci_controller inherits from Device
| Property | Type | Description | Specifications |
|---|---|---|---|
| role | string | | |
Cisco Aci Dns Record
cisco_aci_dns_record inherits from DomainRecord
| Property | Type | Description | Specifications |
|---|---|---|---|
| value | string | | |
Cisco Aci Endpoint
cisco_aci_endpoint inherits from NetworkEndpoint
| Property | Type | Description | Specifications |
|---|---|---|---|
| applicationProfileName | string | | |
| encapsulation | string | | |
| endpointGroupName | string | | |
| ipAddresses | array of strings | | |
| lifecycleClass | string | | |
| macAddress | string | | |
| tenantName | string | | |
Cisco Aci Epg
cisco_aci_epg inherits from Group
| Property | Type | Description | Specifications |
|---|---|---|---|
| applicationProfileName | string | | |
| bridgeDomainName | string | | |
| encapsulations | array of strings | | |
| floodOnEncapsulation | string | | |
| policyEnforcementPreference | string | | |
| preferredGroupMembership | string | | |
| qosPriority | string | | |
| tenantName | string | | |
Cisco Aci Fabric
cisco_aci_fabric inherits from Site
Cisco Aci Tenant
cisco_aci_tenant inherits from Account
Cisco Aci Vrf
cisco_aci_vrf inherits from Network
| Property | Type | Description | Specifications |
|---|---|---|---|
| dataPlaneLearning | string | | |
| policyEnforcementDirection | string | | |
| policyEnforcementPreference | string | | |
| tenantName | string | | |