CISCO ACI Interview Questions
Cisco ACI (Application Centric Infrastructure), the industry-leading Software-Defined Networking (SDN) solution, facilitates application agility and data center automation using two key SDN concepts: overlays and centralized control. ACI is a well-defined architecture with centralised automation and policy-driven application profiles. ACI uses a centralised controller called the Application Policy Infrastructure Controller (APIC); it is the controller that creates application policies for the data center infrastructure.
Cisco ACI is an SDN solution that defines its network infrastructure based upon network policies. To make this possible Cisco has created the ACI Fabric OS, which is run by all systems within the ACI network. This shared OS makes it possible for the various switches within the ACI network to translate policies into infrastructure designs.
Application Network Profile (ANP) : a collection of end-point groups (EPG), their connections, and the policies that define those connections
 
Application Policy Infrastructure Controller (APIC) : APIC is the SDN controller for Cisco ACI. It creates the policies that define the data center’s network infrastructure.
 
ACI fabric : This is the interconnection of spine and leaf switches. In the ACI world the spine and leaf switches are Cisco Nexus 9000 Series Switches (N9K), and they act as the control and data plane of ACI. They run a rewritten version of NX-OS in ACI mode.
 
All endpoints, including APICs, connect to the network via Leaf switches. These Leaf switches are connected together using Spine switches in the backend.
 
Using these components, ACI can be deployed under a variety of different models. This includes support for on-site, cloud-based (including public, private, and hybrid clouds), and SD-WAN edge environments. This enables organizations to use policy-based network management throughout their corporate WANs.
To keep up with the massive influx of data and the increased demands on the network for speed and agility, networking professionals are learning to broker, connect, build, and govern their networks not only in the data center, but also across a vast cloud landscape.
 
Cisco ACI was built to simplify the IT infrastructure and operations by automating the network, providing pervasive security, and helping accelerate businesses to move to a cloud or multicloud environment.
 
With Cisco ACI, customers can manage complexity, maximize business benefits, and deploy workloads in any location, small and large, on premises and remote locations, in private and public clouds, satellite data centers, and 5G-enabled telecom edges.
 
The main benefits of Cisco ACI include the following :
 
Accelerate network operations :
 
Cisco ACI provides a flexible and yet highly available network that allows agile application deployment within a site, across sites, and across global data centers while removing the need for complex Data Center Interconnect (DCI) infrastructure.
 
●     Operational simplicity, with common policy, management, and operation models across application, network, and security resources
 
●     Centralized network management and visibility with full automation and real-time network health monitoring
 
●     Seamless integration of underlay and overlay networks
 
●     Open northbound APIs to provide flexibility for DevOps teams and ecosystem partner integration
 
●     A cloud-ready SDN solution
 
●     Common platform for managing physical and virtual environments
 
●     Automation of IT workflows and application deployment agility
 

Securely expand to multicloud :
 
●     Create business continuity and provide disaster recovery
 
●     Inherent security with a zero-trust allow-list model and innovative features in policy enforcement, microsegmentation, and analytics
 
●     Integrated security with Cisco security products and ecosystem partners
 
●     Consistent security posture at scale across a multicloud environment
 

Deliver superior application experience :
 
●     Single policy and seamless connectivity across any data center and public cloud
 
●     Through any hypervisor, for any workload, at any location, using any cloud
 
●     Cloud automation enabled by integration with VMware vRealize, Azure Pack, OpenStack, OpenShift, Kubernetes, and Cisco UCS® Director
 
●     Open APIs and a programmable SDN fabric, with 65+ ecosystem partners
Cisco ACI is built using the Cisco ACI Open Ecosystem. This Open Ecosystem is designed to provide a number of different options for connecting third-party tools to Cisco ACI, including:
 
Open APIs : Cisco ACI’s APIs are open, enabling other products to connect and interact with a Cisco ACI environment.

Jointly-Certified Solutions : Cisco has partnered with over 65 technology providers to build an SDN ecosystem. These joint solutions are certified by each organization, and information is provided by both parties to ensure compatibility of pre-built solutions.

Service Chaining : Cisco ACI solutions support service chaining, enabling organizations to build the solutions that they need to meet their networking and security requirements.
Cisco ACI and architectural solutions are built with the following two building blocks :
 
●     Cisco Application Policy Infrastructure Controller (APIC)
 
●     Cisco Nexus 9000 Series spine and leaf switches for Cisco ACI
The infrastructure controller is the main architectural component of the Cisco ACI solution. It is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring. The APIC appliance is a centralized, clustered controller that optimizes performance and unifies the operation of physical and virtual environments. The controller manages and operates a scalable multitenant Cisco ACI fabric.
 
The main features of the Cisco APIC include the following:
 
●     Application-centric network policies
 
●     Data-model-based declarative provisioning
 
●     Application and topology monitoring and troubleshooting
 
●     Third-party integration
 
◦    Layer-4 through Layer-7 (L4-L7) services
 
◦    VMware vCenter and vRealize
 
◦    Microsoft Hyper-V, Microsoft System Center Virtual Machine Manager (SCVMM), and Azure Pack
 
◦    Open vSwitch (OVS) and OpenStack
 
◦    Kubernetes
 
●     Image management (spine and leaf)
 
●     Cisco ACI inventory and configuration
 
●     Implementation of a distributed framework across a cluster of appliances
 
●     Health scores for critically managed objects (tenants, application profiles, switches, etc.)
 
●     Fault, event, and performance management
 

New features in Cisco ACI Release 6.0 (Cisco ACI 6) include the following :
 
●     Increased scalability in hardware and network pods per fabric
 
●     New innovations in remote leaf capabilities
 
●     Enhanced Precision Time Protocol and Sync-E support in ACI Leaf
 
●     Cisco ThousandEyes® integration
 
The controller framework enables broad ecosystem and industry interoperability with Cisco ACI. It enables interoperability between a Cisco ACI environment and management, orchestration, virtualization, and L4-L7 services from a broad range of vendors.
Cisco Nexus 9300, 9500, and the new 9800 platform switches support Cisco ACI. Organizations can use them as spine or leaf switches to take full advantage of an automated, policy-based, systems-management approach.
 
Cisco Nexus 9000 Series Switches include modular and fixed 1 to 400 Gigabit Ethernet, and now 800 Gigabit Ethernet, switch configurations that are designed to operate either in NX-OS mode for compatibility and consistency with the current Cisco Nexus switches (using Cisco NX-OS Software) or in ACI mode to take full advantage of Cisco ACI application-policy-based services and infrastructure automation features. This dual-function capability provides customers with investment protection and ease of migration to Cisco ACI through a software upgrade.
Cisco ACI consists of the following architectural solutions:
 
* Cisco ACI Multi-Pod
* Hybrid and multicloud
* Cisco ACI physical remote leaf
* Cisco Mini ACI Fabric
 
Cisco ACI Multi-Pod : Cisco ACI Multi-Pod is part of the “single APIC cluster / single domain” family of solutions; a single APIC cluster is deployed to manage all the different ACI networks that are interconnected. These separate ACI networks are called “pods,” and each of them looks like a regular two-tier, spine-leaf topology. The same APIC cluster can manage several pods, and, to increase the resiliency of the solution, the various controller nodes that make up the cluster can be deployed across different pods.
 
Hybrid and multicloud : IT organizations approach their multicloud strategy by breaking it down into three pieces:
 
* First : Take stock and make a plan across their teams and technologies. Optimize what they have, adopt new skills, and modernize to meet new requirements. Establish the connections, security, and processes to create a highway for rapid change and delivery of new services.
 
* Second : Extend the data center where it needs to go. IT can become the one-stop-shop for private and public resources and to make them secure, consistent, and seamless for their environment.
 
* Third : Optimize, because “good multicloud starts at home.” For those workloads and data to land securely and efficiently on premises they need private and hybrid cloud platforms that offer self-service consumption and the ability to move workloads seamlessly from private cloud to public cloud and the edge.
 
How Cisco ACI can help : Cisco ACI occupies a unique position in a cloud ecosystem because clouds ultimately depend on the network that uses them. For cloud builders, ACI delivers complete automation with a software-defined physical infrastructure. ACI, as a multicloud software solution, puts people in control of their public and private cloud resources in a secure way using single-pane-of-glass management. IT teams can easily connect and manage infrastructure anywhere, from core to edge.
 
Expected outcomes :
* Increase value of IT team. DC I&O teams become builders and brokers of services that can offer the right mix of performance, security, cost, location to LOB stakeholders, on premises in the core DC or at remote sites, or in the public cloud. Developers and application architects can operate with a consistent development and run-time environment whether on premises or in the cloud.
 
* Accelerate change while protecting the business. The connections, security, and processes are established to create the highway for rapid change and agile delivery of new services.
 
* Multicloud continuity. Infrastructure resources are managed at any location at any scale to support new initiatives in IoT, mobility, and AI/ML, and technology is taken out of the equation so that application deployment is driven by business needs and cost considerations, not by technology limitations.
 
Cisco ACI physical remote leaf : With Cisco ACI physical remote leaf, customers can place a regular leaf switch in a remote or satellite location and connect back to the spine switch in the main (on-premises) location and, in turn, extend Cisco ACI policy into the remote or satellite location. By doing so, customers can also take advantage of all the benefits of the physical remote leaf, from diverse interfaces to superior performance, and scale and built-in encryption.
Cisco Mini ACI Fabric : With the introduction of Cisco ACI Mini Fabric, customers can now leverage an optimized Cisco ACI solution for their small-scale deployments. This solution comprises APIC-CLUSTER-XS (one physical and two virtual controllers) along with two spines and a minimum of two and a maximum of four leaves.
Infrastructure as Code (IaC) is an innovative approach to building application and software infrastructure with code. IaC enables automated provisioning and management of the full technology stack by translating manual, repetitive tasks into reusable, robust, and distributable code. IaC relies on practices that have been successfully used for years in software development, such as versioning, automated testing, release tagging, continuous delivery, etc.
 
Cisco Data Center Network (DCN) IaC solutions cover integrations with common third-party tools from HashiCorp and Red Hat Ansible. These solutions enable customers to empower application services to define network and security requirements at the infrastructure layer in an automated and fully synchronized manner. With this approach, you can embrace a DevOps model by accelerating application deployment and optimizing network compliance in a safe and predictable manner.
 
Benefits of IaC
 
* Scalability and reliability
* Automation and agility
* Higher ROI and lower TCO
Cisco offers ACI and SD-WAN integration for branch offices (network edge). This is an integral component of customers’ cloud journey, which requires secure, policy-driven interconnects between the data center and branch offices that are a cost-efficient alternative to provisioning dedicated connections. Through this integration, customers can now automate a WAN path selection between the branch office and the on-premises data center based on application policy.
 
For example, traffic from a stock trader in a branch office in Chicago can be automatically sent over the fastest possible WAN link to access the trading application hosted in a data center in New York, based on the application policies and SLAs configured.
Digital transformation is a complex team effort across business and IT, requiring end-to-end application management and awareness. AppDynamics® provides IT teams with the application-layer visibility and monitoring required in an intent-based architecture to validate that IT and business policies are being implemented across the network. Cisco ACI and AppDynamics integration provides dynamic correlation between application and network constructs. This combined solution provides high-quality application performance monitoring, a richer diagnostic capability for application and network performance, and faster root-cause analysis of problems, with fast triage, sent quickly to appropriate team members – for example, whether a given problem pertains to an application or to the network.
 
This integration does the following :
 
* Dynamically maps the application and service components to the Cisco ACI network elements, thus providing a shared view of the application and infrastructure across teams
* Provides a dynamic view of application use in the infrastructure for the network operations team
* Provides a cross-launch for application teams to correlate network and application fault and performance data
* Baselines application health status in AppDynamics by correlating the Cisco ACI network health and faults
 
Customers are on a continuous quest to correlate application service-level management with infrastructure monitoring. This new integration will significantly reduce the time it takes to identify and troubleshoot end-to-end application performance issues.
Cisco ACI is designed to offer policy-based automation, security, mobility, and visibility for application workloads regardless of whether they run on bare-metal servers, hypervisors, or Linux containers. The Cisco ACI system-level approach extends the support for Linux containers by providing tight integration of Kubernetes, a popular container orchestration platform, and the Cisco ACI platform.
 
This integration allows Cisco ACI to provide a ready-to-use, secure networking environment for Kubernetes. The integration maintains the simplicity of the user experience in deploying, scaling, and managing containerized applications while still offering the controls, visibility, security, and isolation required by an enterprise.
 
The Cisco ACI and Kubernetes solution offers the following benefits :
 
* Flexible approach to policy
* Automated, integrated load-balancing services
* Secure multitenancy
* Visibility and telemetry information
Feature : Description

Third-party integration enabled by open APIs : Avoid vendor lock-in and expand choice and flexibility to build your own data center solution.

Jointly certified software solutions with ecosystem partners : Employ a best-in-class SDN ecosystem with more than 65 technology partners, with partners publishing a certification matrix to guide customers to install and upgrade compatible software versions.

L4-L7 service integration through service chaining : Deploy multivendor service graphs with a Cisco ACI integration mode of your choice to meet your operational and organizational needs. These L4-L7 integrations are supported through the northbound (NB) REST API with the respective ADC/firewall vendors, or through applications on the Cisco ACI App Center.

Cisco ACI App Center : Cisco ACI applications help you get the best applications for Cisco ACI in an efficient way. The Cisco ACI App Center:

●  Accelerates innovations related to the Cisco ACI open ecosystem
●  Enables Cisco internal partners, customers, and third-party developers to add value to Cisco ACI networks
●  Allows customers to efficiently extract value from their networking investments
Check Point CloudGuard Network Security provides consistent policy management and enforcement of advanced security protections, and is automatically deployed and dynamically orchestrated into software-defined data center environments. CloudGuard for Cisco ACI provides industry-leading security for ACI environments. CloudGuard provides the following capabilities to improve customers’ Cisco ACI security:
 
Cloud Network Visibility and Visualization : CloudGuard implements microsegmentation for ACI environments, providing deep insight into both north-south and east-west traffic flows. This granular visibility aids in understanding data flows within a corporate network and enforcing corporate security policies.

Advanced Threat Prevention : CloudGuard’s advanced threat prevention capabilities combine a full security stack – including a firewall, intrusion prevention system (IPS), antivirus, and anti-bot protections – with secure remote access, threat extraction and sandbox-based threat emulation.

Automation and Orchestration : Cisco ACI enables network infrastructure to be defined based upon network policies. The integration between Check Point CloudGuard and Cisco ACI means that an organization can automatically insert and provision CloudGuard security gateways into ACI environments for security policy enforcement.

Policy and Compliance Enforcement : CloudGuard receives context from Cisco’s APIC, which enables policy information defined within the ACI environment to be used to quickly define security policies. These security policies can then be easily enforced in ACI using CloudGuard gateways.

Data Protection : CloudGuard’s integration with ACI enables it to apply data loss prevention (DLP) to ACI environments. This helps to protect an organization’s sensitive data from being lost or stolen.

Centralized Security Management : Using CloudGuard with ACI enables the security of the ACI ecosystem to be monitored and managed from the same console as the rest of an organization’s network infrastructure. This makes it easier for security analysts to detect and respond to potential threats within their public, private and on-prem networks.
Cisco ACI is a software defined networking solution that works a little differently than other competitors. Instead of abstracting the intelligence from the network hardware, ACI network hardware is equipped with a new kind of intelligence.

Administrators can create, customize, and duplicate network policies. Then they can instruct the infrastructure to follow these rules for specific applications. In effect, it creates the same results as other SDN solutions like VMware NSX, but the intelligence is in the software within the infrastructure rather than an independent application.
 
ACI also includes the Cisco Application Policy Infrastructure Controller (APIC). Through the APIC, administrators have centralized access to their network management. They can adjust policy, view network health, and implement advanced capabilities like QoS and multi-tenant security.
Cisco ACI allows your environment to deploy new networks virtually, adjust application policies on the network, and gain greater network visibility. The Cisco DNA Center takes these ideas a step further and builds upon the achievements of Cisco ACI. The DNA Center is a centralized automation and management platform for the entire network, and it is actually powered by a new enterprise-scale version of the APIC called the APIC-EM.
 
Beyond the templated approach to application policy, the DNA Center can also automate IWAN deployment and management. In addition, it can provide business insight from your Cisco wireless infrastructure with CMX Cloud. Using presence and location information, the DNA Center can deliver customer behavior data to the network administrators.
* Cisco ACI is an independent software-defined networking product.
* The Network. Intuitive. is a set of solutions that utilizes some aspects of ACI and builds upon them.
* Cisco Digital Network Architecture is the network architecture upon which the Network. Intuitive. is built. Effectively, Cisco DNA is a technology. The Network. Intuitive. is more like a strategy or product grouping.
* Cisco DNA Center is an automation and management platform that uses the new Cisco APIC, which is also used in Cisco ACI.
* SD-Access is another grouping of products and tools within the Network. Intuitive. that includes the DNA Center among other solutions.
Beginning with the Cisco APIC Release 3.1(1), the Cisco Application Centric Infrastructure (ACI) supports the Cisco ACI Virtual Edge. Cisco ACI Virtual Edge is the next generation of the Application Virtual Switch (AVS) for Cisco ACI environments. Cisco ACI Virtual Edge is a hypervisor-independent distributed service VM that leverages the native distributed virtual switch that belongs to the hypervisor. Cisco ACI Virtual Edge runs in the user space, operates as a virtual leaf, and is managed by the Cisco Application Policy Infrastructure Controller (APIC).
 
If you use Cisco AVS, you can migrate to Cisco ACI Virtual Edge; if you use VMware VDS, you can run Cisco ACI Virtual Edge on top of it. Decoupling the Cisco ACI Virtual Edge from the kernel space makes the solution adaptable to different hypervisors. It also facilitates simple upgrades as Cisco ACI Virtual Edge is not tied to hypervisor upgrades. Cisco ACI Virtual Edge implements the OpFlex protocol for control plane communication. It supports two modes of traffic forwarding: local switching and no local switching.
 
Cisco ACI Virtual Edge Release 1.1(1a) supports only the VMware hypervisor. It leverages the vSphere Distributed Switch (VDS), which is configured in private VLAN (PVLAN) mode.
 
When network administrators create a Cisco ACI Virtual Edge VMM domain on Cisco APIC, they must associate the domain with a range of VLANs to be used for PVLAN pair association of port groups on the DVS. Server administrators do not need to associate PVLANs to port groups on vCenter because Cisco APIC automatically associates PVLAN pairs with the endpoint groups (EPGs).
The Cisco ACI app for ServiceNow enabled us to seamlessly integrate the two products to address our service management challenges. We were able to quickly deploy, operationalize, and easily upgrade this out-of-box solution, certified by Cisco and ServiceNow.
The VRF in ACI is identical to a VRF in traditional networking. It contains layer 3 routing instances, tables, and IPs. VRFs must have a unique name within their tenant, but the name does not need to be globally unique. VRFs are joined to the tenant in which they are created and cannot be separated from their tenant. A ‘show vrf’ command in the ACI CLI will show all of the VRFs and which tenant they are in. If you are reviewing ACI documentation, keep in mind that VRFs went under different names in previous versions, such as “Contexts” or “Private Networks”.
The Bridge Domains are often referred to as being “like a VLAN”, and this is close, but not entirely accurate. They are like a VLAN in that they contain layer 2 broadcast domains or unique subnets. However, the more accurate description of an ACI Bridge Domain is that it is a VXLAN VNID segment with an assigned multicast group. You must populate a bridge domain with at least one IP subnet, but you can add more than one subnet to a bridge domain.
As per the configuration guide of ACI 5.0(x), Endpoint Security Groups (ESGs) are a new security component in ACI. They do not replace the endpoint groups (EPGs), which already exist to group a set of endpoints; instead they add a new layer of segmentation.
 
EPGs are associated with a single bridge domain (BD) and are used to define security zones within a BD. EPGs define both forwarding and security segmentation at the same time. The direct relationship between the BD and an EPG prevents an EPG from spanning more than one BD. This limitation of EPGs is resolved by the new ESG construct, because an ESG allows a relationship between endpoints from multiple BDs / EPGs (but limited to a single VRF).
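To make the VRF, bridge domain, EPG and ESG rules above concrete, here is an added example (not code from the page or from Cisco) that checks a tenant definition against them: VRF names unique per tenant, at least one subnet per bridge domain, exactly one bridge domain per EPG, and an ESG that may span bridge domains but not VRFs. The dataclasses, the checker and the sample tenant are constructed for this illustration; they model the page's rules and do not talk to an APIC.

```python
# Constructed policy-model checker for the ACI rules described on this page.
# It is an illustration only and does not use the APIC REST API.
from dataclasses import dataclass, field
from typing import List


@dataclass
class BridgeDomain:
    name: str
    vrf: str                      # name of the VRF this BD belongs to
    subnets: List[str] = field(default_factory=list)


@dataclass
class EPG:
    name: str
    bd: str                       # exactly one bridge domain per EPG


@dataclass
class ESG:
    name: str
    vrf: str                      # an ESG is scoped to a single VRF
    epgs: List[str] = field(default_factory=list)


@dataclass
class Tenant:
    name: str
    vrfs: List[str] = field(default_factory=list)
    bds: List[BridgeDomain] = field(default_factory=list)
    epgs: List[EPG] = field(default_factory=list)
    esgs: List[ESG] = field(default_factory=list)


def validate_tenant(t: Tenant) -> List[str]:
    """Return a list of rule violations; an empty list means the tenant is consistent."""
    problems = []
    # VRF names must be unique within the tenant (not globally).
    seen = set()
    for v in t.vrfs:
        if v in seen:
            problems.append(f"tenant {t.name}: duplicate VRF name '{v}'")
        seen.add(v)
    bd_by_name = {}
    for bd in t.bds:
        bd_by_name[bd.name] = bd
        if bd.vrf not in seen:
            problems.append(f"BD {bd.name}: references unknown VRF '{bd.vrf}'")
        # A bridge domain must carry at least one IP subnet.
        if not bd.subnets:
            problems.append(f"BD {bd.name}: no subnet configured")
    epg_bd = {}
    for epg in t.epgs:
        # An EPG is tied to one BD and cannot span bridge domains.
        if epg.bd not in bd_by_name:
            problems.append(f"EPG {epg.name}: references unknown BD '{epg.bd}'")
        else:
            epg_bd[epg.name] = bd_by_name[epg.bd]
    for esg in t.esgs:
        # An ESG may group EPGs from several BDs, but all must sit in the ESG's VRF.
        for name in esg.epgs:
            bd = epg_bd.get(name)
            if bd is None:
                problems.append(f"ESG {esg.name}: unknown EPG '{name}'")
            elif bd.vrf != esg.vrf:
                problems.append(
                    f"ESG {esg.name}: EPG '{name}' is in VRF '{bd.vrf}', not '{esg.vrf}'")
    return problems


def sample_tenant() -> Tenant:
    """Constructed sample: two VRFs, one BD without a subnet, one ESG crossing VRFs."""
    return Tenant(
        name="Acme",
        vrfs=["prod", "dev"],
        bds=[BridgeDomain("web-bd", "prod", ["10.1.1.1/24"]),
             BridgeDomain("app-bd", "prod", ["10.1.2.1/24"]),
             BridgeDomain("dev-bd", "dev")],          # violates the subnet rule
        epgs=[EPG("web", "web-bd"), EPG("app", "app-bd"), EPG("dev", "dev-bd")],
        esgs=[ESG("frontend", "prod", ["web", "app"]),   # spans two BDs: allowed
              ESG("mixed", "prod", ["web", "dev"])],     # crosses VRFs: rejected
    )


if __name__ == "__main__":
    for p in validate_tenant(sample_tenant()):
        print(p)
```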
An Attachable Entity Profile (AEP) represents a group of external entities with similar infrastructure policy requirements. The infrastructure policies consist of physical interface policies that configure various protocol options.
 
An AEP is required to deploy VLAN pools on leaf switches. Encapsulation blocks (and associated VLANs) are reusable across leaf switches. An AEP implicitly provides the scope of the VLAN pool to the physical infrastructure. 
In the context of a Layer 3 Out configuration, a switch virtual interface (SVI) is configured to provide connectivity between the ACI leaf switch and a router.
 
By default, when a single Layer 3 Out is configured with SVI interfaces, the VLAN encapsulation spans multiple nodes within the fabric. This happens because the ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes in the fabric where the Layer 3 Out SVI is deployed as long as all SVI interfaces use the same external encapsulation (SVI) as shown in the figure.
 
However, when different Layer 3 Outs are deployed, the ACI fabric uses different bridge domains even if they use the same external encapsulation (SVI) as shown in the figure :
Starting with Cisco APIC release 2.3, it is now possible to choose the behavior when deploying two (or more) Layer 3 Outs using the same external encapsulation (SVI).
 
The encapsulation scope can now be configured as Local or VRF :
* Local scope (default): The example behavior is displayed in the figure titled Local Scope Encapsulation and Two Layer 3 Outs.
 
* VRF scope: The ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes and Layer 3 Out where the same external encapsulation (SVI) is deployed. See the example in the figure titled VRF Scope Encapsulation and Two Layer 3 Outs.
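As an added example (not from the page or from Cisco), the following Python works out which Layer 3 Out SVIs the fabric places on the same bridge domain under the Local and VRF encapsulation scopes described above, including the default case where a single Layer 3 Out spans several nodes. The deployment records and node ids are constructed, and the bridge-domain keys are labels rather than real VXLAN VNIs.

```python
# Constructed illustration of the encapsulation-scope rules for Layer 3 Out SVIs.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class SviDeployment(NamedTuple):
    vrf: str
    l3out: str
    node: int         # leaf node id (constructed values)
    encap_vlan: int   # external encapsulation of the SVI
    scope: str        # "local" (default) or "vrf"


def bridge_domain_key(d: SviDeployment) -> Tuple:
    """Label for the bridge domain (VXLAN VNI) the fabric allocates for this SVI.

    local scope: one BD per (VRF, L3Out, encap). Nodes of the same L3Out share it,
                 but a different L3Out gets a different BD even with the same encap.
    vrf scope:   one BD per (VRF, encap). Every L3Out in the VRF using that encap
                 shares it across all nodes.
    """
    if d.scope == "vrf":
        return ("vrf", d.vrf, d.encap_vlan)
    if d.scope == "local":
        return ("local", d.vrf, d.l3out, d.encap_vlan)
    raise ValueError(f"unknown encapsulation scope: {d.scope!r}")


def group_by_bridge_domain(deps: List[SviDeployment]) -> Dict[Tuple, List[str]]:
    """Map each bridge-domain label to the 'l3out@node' SVIs that share it."""
    groups = defaultdict(list)
    for d in deps:
        groups[bridge_domain_key(d)].append(f"{d.l3out}@node{d.node}")
    return dict(groups)


def shares_bridge_domain(a: SviDeployment, b: SviDeployment) -> bool:
    """True if the two SVIs land on the same bridge domain under the scope rules."""
    return bridge_domain_key(a) == bridge_domain_key(b)


def sample_deployments(scope: str) -> List[SviDeployment]:
    """Constructed: two L3Outs in VRF 'prod', both on VLAN 100, each on two leaves."""
    return [
        SviDeployment("prod", "L3Out-A", 101, 100, scope),
        SviDeployment("prod", "L3Out-A", 102, 100, scope),
        SviDeployment("prod", "L3Out-B", 103, 100, scope),
        SviDeployment("prod", "L3Out-B", 104, 100, scope),
    ]


if __name__ == "__main__":
    for scope in ("local", "vrf"):
        print(scope, group_by_bridge_domain(sample_deployments(scope)))
```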
Cisco ACI Software Release 1.2(2g) added support for Bidirectional Forwarding Detection (BFD), which is a software feature used to provide fast failure detection and notification to decrease the convergence times experienced in a failure scenario. BFD is particularly useful in environments where Layer 3 routing protocols are running over shared Layer 2 connections, or where the physical media does not provide reliable failure detection mechanisms.
ARP Flooding : By default, ACI converts ARP broadcast traffic into unicast traffic and sends it to the correct leaf node. This behaviour can be disabled if traditional ARP flooding is needed. For unicast ARP to work, IP routing must be enabled, because the mapping database must be populated with the IP addresses of the endpoints; hardware proxy must be enabled too. Whether ARP flooding can be disabled depends on the hardware proxy and IP routing settings as follows:
 
* If hardware proxy is turned off, then ARP flooding is on and cannot be turned off.
* If hardware proxy is turned on but IP routing is turned off, ARP flooding is on and cannot be turned off.
* If hardware proxy is turned on and IP routing is turned on, then you can disable ARP flooding.

You may consider ARP flooding to be necessary because of silent hosts, but this is not completely true. It is true that disabling ARP flooding requires the mapping database to know the endpoint IP address, and for this IP routing must be turned on. But even if the endpoint has been silent, Cisco ACI can resolve the endpoint IP address by sending ARP messages from the subnet IP address of the bridge domain. This feature is called ARP gleaning, and it requires the bridge domain to be configured with a subnet IP address.
Basically, a Tenant (fvTenant) is a logical container for application policies that isolates switching and routing functions. A tenant represents a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organisation or domain in an enterprise setting, or just a convenient grouping of policies.

There are four types of tenant available:
 
* User
* Common
* Management
* Infra
Management Tenant : Used for infrastructure discovery and also for all communication/integration with virtual machine controllers. It has a separate Out Of Band (OOB) address space for APIC-to-fabric communication, which is used to connect all fabric management interfaces.

Infrastructure Tenant : It governs the operation of fabric resources, such as allocating VXLAN overlays, and allows the fabric administrator to deploy selected shared services to tenants.

Sources : Cisco and others.