A Cisco ACI analyzer for APIC and Nexus Dashboard.
SAMURAI is a self-hosted Cisco ACI analyzer and monitoring platform that reads APIC and Nexus Dashboard Orchestrator (NDO) directly: tenants, EPGs, bridge domains, contracts, endpoints, and fabric health, with configuration change tracking and admin attribution. It sits in the same dashboard as your firewalls, routers, switches, ISE, and vCenter — so ACI fabric policy is one query away from everything around it.
Updated June 2026
What it reads from your ACI fabric
Tenants, EPGs & contracts
APIC tenants, application profiles, EPGs, bridge domains, and the contracts between them — searchable, so you can answer "what talks to what" on the fabric.
Endpoint visibility
Fabric endpoints (fvCEp) correlated with MAC, IP, and the leaf and port they live on, joined to the wider endpoint table across switches and routers.
NDO multi-site
Nexus Dashboard Orchestrator schemas and templates for multi-site fabrics, so cross-site policy is visible alongside the per-site APIC state.
APIC clustering with auto-failover
Track the APIC cluster per site; if the primary controller fails repeatedly, SAMURAI fails over to a healthy member automatically and keeps syncing.
Change tracking with attribution
ACI configuration changes detected from real fabric state, grouped by transaction (txId) and attributed to the admin — with timezone-aware timestamps, no reliance on audit logs.
Fabric in full context
ACI sits beside Palo Alto, FortiGate, Cisco FMC/FTD, routers, switches, ISE, and vCenter: nine device types, one searchable dashboard.
How it fits next to APIC
APIC is the controller — the source of truth for configuring the fabric. SAMURAI does not replace it; it reads from it, adds cross-fabric search, change history with attribution, and a single view that also covers the firewalls and servers the fabric connects.
Role
SAMURAI
Read-only monitoring, search, and change history across fabrics
APIC alone
The fabric controller and configuration source of truth
Scope
SAMURAI
ACI plus firewalls, routers, switches, ISE, and vCenter in one view
APIC alone
The ACI fabric it controls
Change history
SAMURAI
Cross-fabric change timeline, transaction-grouped, admin-attributed
APIC alone
Per-controller audit log
Deployment
SAMURAI
Single self-hosted Docker container, air-gap friendly
APIC alone
Part of the ACI fabric
Keep APIC as your controller. Add SAMURAI when you want fabric-wide search, a readable change history with attribution, and ACI in the same pane of glass as the firewalls, switches, and servers around it.
Frequently asked questions
How does SAMURAI connect to Cisco ACI?
Read-only to the APIC REST API, and to Nexus Dashboard Orchestrator (NDO) for multi-site fabrics. It reads tenants, EPGs, bridge domains, contracts, endpoints, and fabric state — it does not push configuration.
Does it support APIC clustering?
Yes. SAMURAI tracks the APIC cluster per site and, after a configurable number of consecutive failures, fails over to a healthy controller automatically with a cooldown, so monitoring continues if the primary is unavailable.
Can it track who changed ACI configuration?
Yes. Changes are detected from real fabric state, grouped by APIC transaction (txId), and attributed to the admin, with timezone-aware timestamps — so you get a readable change history without parsing the raw audit log.
Does it cover multi-site ACI?
Yes, via Nexus Dashboard Orchestrator (NDO): schemas and templates are read alongside the per-site APIC state, so cross-site policy is visible in the same dashboard.
Is there a free version?
Yes. A free test license ships with the SAMURAI Docker image on Docker Hub, no email required, so you can point it at your own APIC before talking to anyone.
How do I deploy it?
A single docker run on a VM that can reach your APIC (and NDO, if used). A typical deployment is serving data in about five minutes.