
ACI network centric vs app centric

If you were asked to explain to a customer who wants to see the benefits of ACI, and you had to explain the difference between Network and App centric, how would you do this with the least amount of technical jargon?




This is my non-technical way of presenting it:

Network centric = the configuration looks like one made by a network engineer (e.g. EPG VLAN100, VLAN200; VLAN100 communicates with VLAN200)

Application centric = the configuration looks like one made by a software engineer (e.g. EPG Web, App, DB; Web communicates with App, App with DB)





Hi stevenjwilliams0728,


  • Network-centric mode: A starting point for many customers, where groups and contracts are applied in a very open and basic way to replicate their current networking environment. Groups are implemented such that an EPG equals a VLAN. The network can be made to operate in trust-based mode, meaning you will not need to use contracts because security will be disabled. Or, if the network is left in zero-trust mode, the contracts used will be very open, allowing all communication between two groups. This allows customers to become familiar with ACI before consuming more advanced features. Customers also do not usually use service insertion in this mode. When enterprises are ready to move forward with more advanced features, they can pick individual devices or applications to apply advanced levels of security or features such as service insertion.

  • Hybrid mode: A mode that borrows features from network-centric and application-centric modes. Enterprises running in this mode are using additional features and levels of security. Your ACI network may be running in network-centric mode with the addition of integrated services and/or more granular contracts. You may be running some of your network in network-centric mode, and other parts where groups and contracts are defined on an application-by-application basis.

  • Application-centric mode: Application-centric mode gives ACI users the highest level of visibility and security. In this mode, we define groups and contracts based on the individual applications they service. In this mode, groups may contain an entire application, or we may break the applications up into tiers based on function. We can then secure communications by only allowing the traffic that should be allowed between certain tiers or devices. We also have the ability to insert services on a hop-by-hop or tier-by-tier basis. This is the zero-trust model that most enterprises are trying to take advantage of for some or all of their applications. This mode also offers us the ability to track application health and performance on an application-by-application basis.

Source:

Deploying ACI
The complete guide to planning, configuring, and managing Application Centric Infrastructure
Frank Dagenhardt, CCIE No. 42081,
Jose Moreno, CCIE No. 16601,
With contributions from
Bill Dufresne, CCIE No. 4375

I hope you find it helpful,
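
The contrast drawn in the answers above, as an added example that is not part of the thread or of Cisco's tooling: a small Python model of contract evaluation between EPGs, comparing an open network-centric policy with a tiered application-centric one. The endpoint names, their EPG placement and the TCP ports are constructed, and only the consumer-to-provider direction is modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    consumer: str                     # EPG that initiates the connection
    provider: str                     # EPG that offers the service
    ports: frozenset = frozenset()    # allowed TCP destination ports; empty = any


@dataclass
class Design:
    epg_of: dict      # endpoint name -> EPG name
    contracts: list

    def permitted(self, src, dst, port):
        s, d = self.epg_of[src], self.epg_of[dst]
        if s == d:    # same EPG: allowed by default, no contract consulted
            return True
        # Different EPGs: whitelist model, a matching contract is required.
        return any(c.consumer == s and c.provider == d
                   and (not c.ports or port in c.ports)
                   for c in self.contracts)


# Constructed sample: web and app servers share VLAN100, the database is in VLAN200.
NETWORK_CENTRIC = Design(
    epg_of={"web1": "VLAN100", "app1": "VLAN100", "db1": "VLAN200"},
    contracts=[Contract("VLAN100", "VLAN200"), Contract("VLAN200", "VLAN100")],
)
# Same three endpoints, grouped by application tier with narrow contracts.
APP_CENTRIC = Design(
    epg_of={"web1": "Web", "app1": "App", "db1": "DB"},
    contracts=[Contract("Web", "App", frozenset({8080})),
               Contract("App", "DB", frozenset({3306}))],
)
FLOWS = [("web1", "app1", 8080), ("app1", "db1", 3306),
         ("web1", "db1", 3306), ("web1", "db1", 22), ("db1", "web1", 22)]


def extra_exposure(open_design, tight_design, flows):
    """Flows the open design permits that the tight design drops."""
    return [f for f in flows
            if open_design.permitted(*f) and not tight_design.permitted(*f)]


if __name__ == "__main__":
    for flow in extra_exposure(NETWORK_CENTRIC, APP_CENTRIC, FLOWS):
        print("permitted only in network-centric design:", flow)
```

Both designs carry the two flows the application needs; the three extra flows are the lateral paths that the tiered contracts remove.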





I am not an expert in ACI; this is my understanding so far:

Network-centric: based on a topology that is seen as network segments. 1 BD = 1 EPG = 1 VLAN.

App-centric: based on EPG membership and relation, 1 or as few as possible BDs with 1 or more subnets.

A single BD can have multiple EPGs. Contracts allow/deny traffic between EPGs.