diff --git a/cluster/defaults.go b/cluster/defaults.go index 2bab5860..95186106 100644 --- a/cluster/defaults.go +++ b/cluster/defaults.go @@ -71,6 +71,36 @@ const ( DefaultCanalFlexVolPluginDirectory = "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds" + DefaultAciApicRefreshTime = "1200" + DefaultAciOVSMemoryLimit = "1Gi" + DefaultAciImagePullPolicy = "Always" + DefaultAciServiceMonitorInterval = "5" + DefaultAciPBRTrackingNonSnat = "false" + DefaultAciInstallIstio = "false" + DefaultAciIstioProfile = "demo" + DefaultAciDropLogEnable = "true" + DefaultAciControllerLogLevel = "info" + DefaultAciHostAgentLogLevel = "info" + DefaultAciOpflexAgentLogLevel = "info" + DefaultAciUseAciCniPriorityClass = "false" + DefaultAciNoPriorityClass = "false" + DefaultAciMaxNodesSvcGraph = "32" + DefaultAciSnatContractScope = "global" + DefaultAciSnatNamespace = "aci-containers-system" + DefaultAciCApic = "false" + DefaultAciPodSubnetChunkSize = "32" + DefaultAciSnatPortRangeStart = "5000" + DefaultAciSnatPortRangeEnd = "65000" + DefaultAciSnatPortsPerNode = "3000" + DefaultAciUseHostNetnsVolume = "false" + DefaultAciRunGbpContainer = "false" + DefaultAciRunOpflexServerContainer = "false" + DefaultAciUseAciAnywhereCRD = "false" + DefaultAciEnableEndpointSlice = "false" + DefaultAciOpflexClientSSL = "true" + DefaultAciUsePrivilegedContainer = "false" + DefaultAciUseOpflexServerVolume = "false" + KubeAPIArgAdmissionControlConfigFile = "admission-control-config-file" DefaultKubeAPIArgAdmissionControlConfigFileValue = "/etc/kubernetes/admission.yaml" 
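Review bot: The new `DefaultAci*` constants are all strings, including the numeric and boolean ones, and none states the unit or value set it expects (`DefaultAciApicRefreshTime = "1200"`, `DefaultAciServiceMonitorInterval = "5"`, `DefaultAciSnatPortsPerNode = "3000"`). A short comment block above the group giving units and allowed values would make bad overrides easier to catch in review. Judging by their names, `DefaultAciOpflexClientSSL = "true"` and `DefaultAciUsePrivilegedContainer = "false"` are the security-relevant defaults, and a comment such as `// security-sensitive default: review before changing` on those two lines would discourage casual flips. The const block starts and ends outside the hunk.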
@@ -477,6 +507,15 @@ func (c *Cluster) setClusterImageDefaults() error { &c.SystemImages.IngressBackend: d(imageDefaults.IngressBackend, privRegURL), &c.SystemImages.MetricsServer: d(imageDefaults.MetricsServer, privRegURL), &c.SystemImages.Nodelocal: d(imageDefaults.Nodelocal, privRegURL), + &c.SystemImages.AciCniDeployContainer: d(imageDefaults.AciCniDeployContainer, privRegURL), + &c.SystemImages.AciHostContainer: d(imageDefaults.AciHostContainer, privRegURL), + &c.SystemImages.AciOpflexContainer: d(imageDefaults.AciOpflexContainer, privRegURL), + &c.SystemImages.AciMcastContainer: d(imageDefaults.AciMcastContainer, privRegURL), + &c.SystemImages.AciOpenvSwitchContainer: d(imageDefaults.AciOpenvSwitchContainer, privRegURL), + &c.SystemImages.AciControllerContainer: d(imageDefaults.AciControllerContainer, privRegURL), + &c.SystemImages.AciOpflexServerContainer: d(imageDefaults.AciOpflexServerContainer, privRegURL), + &c.SystemImages.AciGbpServerContainer: d(imageDefaults.AciGbpServerContainer, privRegURL), + // this's a stopgap, we could drop this after https://github.com/kubernetes/kubernetes/pull/75618 merged &c.SystemImages.WindowsPodInfraContainer: d(imageDefaults.WindowsPodInfraContainer, privRegURL), } 
@@ -544,6 +583,38 @@ func (c *Cluster) setClusterNetworkDefaults() { CanalFlannelBackendVxLanNetworkIdentify: DefaultFlannelBackendVxLanVNI, CanalFlexVolPluginDirectory: DefaultCanalFlexVolPluginDirectory, } + case AciNetworkPlugin: + networkPluginConfigDefaultsMap = map[string]string{ + AciOVSMemoryLimit: DefaultAciOVSMemoryLimit, + AciImagePullPolicy: DefaultAciImagePullPolicy, + AciPBRTrackingNonSnat: DefaultAciPBRTrackingNonSnat, + AciInstallIstio: DefaultAciInstallIstio, + AciIstioProfile: DefaultAciIstioProfile, + AciDropLogEnable: DefaultAciDropLogEnable, + AciControllerLogLevel: DefaultAciControllerLogLevel, + AciHostAgentLogLevel: DefaultAciHostAgentLogLevel, + AciOpflexAgentLogLevel: DefaultAciOpflexAgentLogLevel, + AciApicRefreshTime: DefaultAciApicRefreshTime, + AciServiceMonitorInterval: DefaultAciServiceMonitorInterval, + AciUseAciCniPriorityClass: DefaultAciUseAciCniPriorityClass, + AciNoPriorityClass: DefaultAciNoPriorityClass, + AciMaxNodesSvcGraph: DefaultAciMaxNodesSvcGraph, + AciSnatContractScope: DefaultAciSnatContractScope, + AciPodSubnetChunkSize: DefaultAciPodSubnetChunkSize, + AciEnableEndpointSlice: DefaultAciEnableEndpointSlice, + AciSnatNamespace: DefaultAciSnatNamespace, + AciSnatPortRangeStart: DefaultAciSnatPortRangeStart, + AciSnatPortRangeEnd: DefaultAciSnatPortRangeEnd, + AciSnatPortsPerNode: DefaultAciSnatPortsPerNode, + AciOpflexClientSSL: DefaultAciOpflexClientSSL, + AciUsePrivilegedContainer: DefaultAciUsePrivilegedContainer, + AciUseOpflexServerVolume: DefaultAciUseOpflexServerVolume, + AciUseHostNetnsVolume: DefaultAciUseHostNetnsVolume, + AciCApic: DefaultAciCApic, + AciUseAciAnywhereCRD: DefaultAciUseAciAnywhereCRD, + AciRunGbpContainer: DefaultAciRunGbpContainer, + AciRunOpflexServerContainer: DefaultAciRunOpflexServerContainer, + } } if c.Network.CalicoNetworkProvider != nil { setDefaultIfEmpty(&c.Network.CalicoNetworkProvider.CloudProvider, DefaultNetworkCloudProvider) 
@@ -559,6 +630,97 @@ func (c *Cluster) setClusterNetworkDefaults() { if c.Network.WeaveNetworkProvider != nil { networkPluginConfigDefaultsMap[WeavePassword] = c.Network.WeaveNetworkProvider.Password } + if c.Network.AciNetworkProvider != nil { + setDefaultIfEmpty(&c.Network.AciNetworkProvider.OVSMemoryLimit, DefaultAciOVSMemoryLimit) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.ImagePullPolicy, DefaultAciImagePullPolicy) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.PBRTrackingNonSnat, DefaultAciPBRTrackingNonSnat) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.InstallIstio, DefaultAciInstallIstio) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.IstioProfile, DefaultAciIstioProfile) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.DropLogEnable, DefaultAciDropLogEnable) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.ControllerLogLevel, DefaultAciControllerLogLevel) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.HostAgentLogLevel, DefaultAciHostAgentLogLevel) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.OpflexAgentLogLevel, DefaultAciOpflexAgentLogLevel) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.ApicRefreshTime, DefaultAciApicRefreshTime) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.ServiceMonitorInterval, DefaultAciServiceMonitorInterval) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.NoPriorityClass, DefaultAciNoPriorityClass) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.MaxNodesSvcGraph, DefaultAciMaxNodesSvcGraph) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.SnatContractScope, DefaultAciSnatContractScope) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.PodSubnetChunkSize, DefaultAciPodSubnetChunkSize) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.EnableEndpointSlice, DefaultAciEnableEndpointSlice) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.SnatNamespace, DefaultAciSnatNamespace) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.SnatPortRangeStart, DefaultAciSnatPortRangeStart) + 
setDefaultIfEmpty(&c.Network.AciNetworkProvider.SnatPortRangeEnd, DefaultAciSnatPortRangeEnd) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.SnatPortsPerNode, DefaultAciSnatPortsPerNode) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.OpflexClientSSL, DefaultAciOpflexClientSSL) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.UsePrivilegedContainer, DefaultAciUsePrivilegedContainer) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.UseOpflexServerVolume, DefaultAciUseOpflexServerVolume) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.UseHostNetnsVolume, DefaultAciUseHostNetnsVolume) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.CApic, DefaultAciCApic) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.UseAciAnywhereCRD, DefaultAciUseAciAnywhereCRD) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.RunGbpContainer, DefaultAciRunGbpContainer) + setDefaultIfEmpty(&c.Network.AciNetworkProvider.RunOpflexServerContainer, DefaultAciRunOpflexServerContainer) + networkPluginConfigDefaultsMap[AciOVSMemoryLimit] = c.Network.AciNetworkProvider.OVSMemoryLimit + networkPluginConfigDefaultsMap[AciImagePullPolicy] = c.Network.AciNetworkProvider.ImagePullPolicy + networkPluginConfigDefaultsMap[AciPBRTrackingNonSnat] = c.Network.AciNetworkProvider.PBRTrackingNonSnat + networkPluginConfigDefaultsMap[AciInstallIstio] = c.Network.AciNetworkProvider.InstallIstio + networkPluginConfigDefaultsMap[AciIstioProfile] = c.Network.AciNetworkProvider.IstioProfile + networkPluginConfigDefaultsMap[AciDropLogEnable] = c.Network.AciNetworkProvider.DropLogEnable + networkPluginConfigDefaultsMap[AciControllerLogLevel] = c.Network.AciNetworkProvider.ControllerLogLevel + networkPluginConfigDefaultsMap[AciHostAgentLogLevel] = c.Network.AciNetworkProvider.HostAgentLogLevel + networkPluginConfigDefaultsMap[AciOpflexAgentLogLevel] = c.Network.AciNetworkProvider.OpflexAgentLogLevel + networkPluginConfigDefaultsMap[AciApicRefreshTime] = c.Network.AciNetworkProvider.ApicRefreshTime + 
networkPluginConfigDefaultsMap[AciServiceMonitorInterval] = c.Network.AciNetworkProvider.ServiceMonitorInterval + networkPluginConfigDefaultsMap[AciNoPriorityClass] = c.Network.AciNetworkProvider.NoPriorityClass + networkPluginConfigDefaultsMap[AciMaxNodesSvcGraph] = c.Network.AciNetworkProvider.MaxNodesSvcGraph + networkPluginConfigDefaultsMap[AciSnatContractScope] = c.Network.AciNetworkProvider.SnatContractScope + networkPluginConfigDefaultsMap[AciPodSubnetChunkSize] = c.Network.AciNetworkProvider.PodSubnetChunkSize + networkPluginConfigDefaultsMap[AciEnableEndpointSlice] = c.Network.AciNetworkProvider.EnableEndpointSlice + networkPluginConfigDefaultsMap[AciSnatNamespace] = c.Network.AciNetworkProvider.SnatNamespace + networkPluginConfigDefaultsMap[AciSnatPortRangeStart] = c.Network.AciNetworkProvider.SnatPortRangeStart + networkPluginConfigDefaultsMap[AciSnatPortRangeEnd] = c.Network.AciNetworkProvider.SnatPortRangeEnd + networkPluginConfigDefaultsMap[AciSnatPortsPerNode] = c.Network.AciNetworkProvider.SnatPortsPerNode + networkPluginConfigDefaultsMap[AciOpflexClientSSL] = c.Network.AciNetworkProvider.OpflexClientSSL + networkPluginConfigDefaultsMap[AciUsePrivilegedContainer] = c.Network.AciNetworkProvider.UsePrivilegedContainer + networkPluginConfigDefaultsMap[AciUseOpflexServerVolume] = c.Network.AciNetworkProvider.UseOpflexServerVolume + networkPluginConfigDefaultsMap[AciUseHostNetnsVolume] = c.Network.AciNetworkProvider.UseHostNetnsVolume + networkPluginConfigDefaultsMap[AciCApic] = c.Network.AciNetworkProvider.CApic + networkPluginConfigDefaultsMap[AciUseAciAnywhereCRD] = c.Network.AciNetworkProvider.UseAciAnywhereCRD + networkPluginConfigDefaultsMap[AciRunGbpContainer] = c.Network.AciNetworkProvider.RunGbpContainer + networkPluginConfigDefaultsMap[AciRunOpflexServerContainer] = c.Network.AciNetworkProvider.RunOpflexServerContainer + networkPluginConfigDefaultsMap[AciSystemIdentifier] = c.Network.AciNetworkProvider.SystemIdentifier + 
networkPluginConfigDefaultsMap[AciToken] = c.Network.AciNetworkProvider.Token + networkPluginConfigDefaultsMap[AciApicUserName] = c.Network.AciNetworkProvider.ApicUserName + networkPluginConfigDefaultsMap[AciApicUserKey] = c.Network.AciNetworkProvider.ApicUserKey + networkPluginConfigDefaultsMap[AciApicUserCrt] = c.Network.AciNetworkProvider.ApicUserCrt + networkPluginConfigDefaultsMap[AciApicRefreshTime] = c.Network.AciNetworkProvider.ApicRefreshTime + networkPluginConfigDefaultsMap[AciVmmDomain] = c.Network.AciNetworkProvider.VmmDomain + networkPluginConfigDefaultsMap[AciVmmController] = c.Network.AciNetworkProvider.VmmController + networkPluginConfigDefaultsMap[AciEncapType] = c.Network.AciNetworkProvider.EncapType + networkPluginConfigDefaultsMap[AciMcastRangeStart] = c.Network.AciNetworkProvider.McastRangeStart + networkPluginConfigDefaultsMap[AciMcastRangeEnd] = c.Network.AciNetworkProvider.McastRangeEnd + networkPluginConfigDefaultsMap[AciNodeSubnet] = c.Network.AciNetworkProvider.NodeSubnet + networkPluginConfigDefaultsMap[AciAEP] = c.Network.AciNetworkProvider.AEP + networkPluginConfigDefaultsMap[AciVRFName] = c.Network.AciNetworkProvider.VRFName + networkPluginConfigDefaultsMap[AciVRFTenant] = c.Network.AciNetworkProvider.VRFTenant + networkPluginConfigDefaultsMap[AciL3Out] = c.Network.AciNetworkProvider.L3Out + networkPluginConfigDefaultsMap[AciDynamicExternalSubnet] = c.Network.AciNetworkProvider.DynamicExternalSubnet + networkPluginConfigDefaultsMap[AciStaticExternalSubnet] = c.Network.AciNetworkProvider.StaticExternalSubnet + networkPluginConfigDefaultsMap[AciServiceGraphSubnet] = c.Network.AciNetworkProvider.ServiceGraphSubnet + networkPluginConfigDefaultsMap[AciKubeAPIVlan] = c.Network.AciNetworkProvider.KubeAPIVlan + networkPluginConfigDefaultsMap[AciServiceVlan] = c.Network.AciNetworkProvider.ServiceVlan + networkPluginConfigDefaultsMap[AciInfraVlan] = c.Network.AciNetworkProvider.InfraVlan + networkPluginConfigDefaultsMap[AciImagePullPolicy] = 
c.Network.AciNetworkProvider.ImagePullPolicy + networkPluginConfigDefaultsMap[AciImagePullSecret] = c.Network.AciNetworkProvider.ImagePullSecret + networkPluginConfigDefaultsMap[AciTenant] = c.Network.AciNetworkProvider.Tenant + networkPluginConfigDefaultsMap[AciKafkaClientCrt] = c.Network.AciNetworkProvider.KafkaClientCrt + networkPluginConfigDefaultsMap[AciKafkaClientKey] = c.Network.AciNetworkProvider.KafkaClientKey + networkPluginConfigDefaultsMap[AciSubnetDomainName] = c.Network.AciNetworkProvider.SubnetDomainName + networkPluginConfigDefaultsMap[AciEpRegistry] = c.Network.AciNetworkProvider.EpRegistry + networkPluginConfigDefaultsMap[AciOpflexMode] = c.Network.AciNetworkProvider.OpflexMode + networkPluginConfigDefaultsMap[AciOverlayVRFName] = c.Network.AciNetworkProvider.OverlayVRFName + networkPluginConfigDefaultsMap[AciGbpPodSubnet] = c.Network.AciNetworkProvider.GbpPodSubnet + networkPluginConfigDefaultsMap[AciOpflexServerPort] = c.Network.AciNetworkProvider.OpflexServerPort + } for k, v := range networkPluginConfigDefaultsMap { setDefaultIfEmptyMapValue(c.Network.Options, k, v) } diff --git a/cluster/network.go b/cluster/network.go index e53f6afd..bce989ae 100644 --- a/cluster/network.go +++ b/cluster/network.go @@ -7,6 +7,7 @@ import ( "strconv" "strings" + cidr "github.com/apparentlymart/go-cidr/cidr" "github.com/docker/docker/api/types/container" "github.com/docker/go-connections/nat" "github.com/rancher/rke/docker" 
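Review bot: The block that copies `c.Network.AciNetworkProvider` fields into `networkPluginConfigDefaultsMap` places `ApicUserKey` and `KafkaClientKey` into the general-purpose `c.Network.Options` string map, next to plain tuning values. Whether Options is ever printed or persisted is not visible from this hunk, so a comment such as `// secret material: never log or dump c.Network.Options` above those assignments would warn the next maintainer. `AciApicRefreshTime` and `AciImagePullPolicy` are each assigned twice in this block, and the second assignments can be dropped. `AciUseAciCniPriorityClass` gets a default in the `case AciNetworkPlugin` map of the previous hunk but has no `setDefaultIfEmpty` call or copy here, which looks like an omission if the provider struct has a `UseAciCniPriorityClass` field. The enclosing setClusterNetworkDefaults starts and ends outside the hunk.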
@@ -70,6 +71,68 @@ const ( WeaveNetworkPlugin = "weave" WeaveNetworkAppName = "weave-net" + + AciNetworkPlugin = "aci" + AciOVSMemoryLimit = "aci_ovs_memory_limit" + AciImagePullPolicy = "aci_image_pull_policy" + AciPBRTrackingNonSnat = "aci_pbr_tracking_non_snat" + AciInstallIstio = "aci_install_istio" + AciIstioProfile = "aci_istio_profile" + AciDropLogEnable = "aci_drop_log_enable" + AciControllerLogLevel = "aci_controller_log_level" + AciHostAgentLogLevel = "aci_host_agent_log_level" + AciOpflexAgentLogLevel = "aci_opflex_agent_log_level" + AciApicRefreshTime = "aci_apic_refresh_time" + AciServiceMonitorInterval = "aci_server_monitor_interval" + AciSystemIdentifier = "aci_system_identifier" + AciToken = "aci_token" + AciApicUserName = "aci_apic_user_name" + AciApicUserKey = "aci_apic_user_key" + AciApicUserCrt = "aci_apic_user_crt" + AciVmmDomain = "aci_vmm_domain" + AciVmmController = "aci_vmm_controller" + AciEncapType = "aci_encap_type" + AciAEP = "aci_aep" + AciVRFName = "aci_vrf_name" + AciVRFTenant = "aci_vrf_tenant" + AciL3Out = "aci_l3out" + AciDynamicExternalSubnet = "aci_dynamic_external_subnet" + AciStaticExternalSubnet = "aci_static_external_subnet" + AciServiceGraphSubnet = "aci_service_graph_subnet" + AciKubeAPIVlan = "aci_kubeapi_vlan" + AciServiceVlan = "aci_service_vlan" + AciInfraVlan = "aci_infra_vlan" + AciImagePullSecret = "aci_image_pull_secret" + AciTenant = "aci_tenant" + AciNodeSubnet = "aci_node_subnet" + AciMcastRangeStart = "aci_mcast_range_start" + AciMcastRangeEnd = "aci_mcast_range_end" + AciUseAciCniPriorityClass = "aci_use_aci_cni_priority_class" + AciNoPriorityClass = "aci_no_priority_class" + AciMaxNodesSvcGraph = "aci_max_nodes_svc_graph" + AciSnatContractScope = "aci_snat_contract_scope" + AciPodSubnetChunkSize = "aci_pod_subnet_chunk_size" + AciEnableEndpointSlice = "aci_enable_endpoint_slice" + AciSnatNamespace = "aci_snat_namespace" + AciEpRegistry = "aci_ep_registry" + AciOpflexMode = "aci_opflex_mode" + 
AciSnatPortRangeStart = "aci_snat_port_range_start" + AciSnatPortRangeEnd = "aci_snat_port_range_end" + AciSnatPortsPerNode = "aci_snat_ports_per_node" + AciOpflexClientSSL = "aci_opflex_client_ssl" + AciUsePrivilegedContainer = "aci_use_privileged_container" + AciUseHostNetnsVolume = "aci_use_host_netns_volume" + AciUseOpflexServerVolume = "aci_use_opflex_server_volume" + AciKafkaClientCrt = "aci_kafka_client_crt" + AciKafkaClientKey = "aci_kafka_client_key" + AciSubnetDomainName = "aci_subnet_domain_name" + AciCApic = "aci_capic" + AciUseAciAnywhereCRD = "aci_use_aci_anywhere_crd" + AciOverlayVRFName = "aci_overlay_vrf_name" + AciGbpPodSubnet = "aci_gbp_pod_subnet" + AciRunGbpContainer = "aci_run_gbp_container" + AciRunOpflexServerContainer = "aci_run_opflex_server_container" + AciOpflexServerPort = "aci_opflex_server_port" // List of map keys to be used with network templates // EtcdEndpoints is the server address for Etcd, used by calico 
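Review bot: `AciServiceMonitorInterval = "aci_server_monitor_interval"` spells the option key with "server", while the constant name, the template key `ServiceMonitorInterval` and `DefaultAciServiceMonitorInterval` all say "service". If that is unintended, a user who sets `aci_service_monitor_interval` in the network options would be silently ignored and the default "5" applied; `AciServiceMonitorInterval = "aci_service_monitor_interval"` would match the rest. If the spelling is deliberate, for example to match an external schema, a one-line comment next to the constant would save the next reader the same question. The const block starts and ends outside the hunk.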
@@ -104,17 +167,96 @@ const ( Calicoctl = "Calicoctl" - FlannelInterface = "FlannelInterface" - FlannelBackend = "FlannelBackend" - CanalInterface = "CanalInterface" - FlexVolPluginDir = "FlexVolPluginDir" - WeavePassword = "WeavePassword" - MTU = "MTU" - RBACConfig = "RBACConfig" - ClusterVersion = "ClusterVersion" - - NodeSelector = "NodeSelector" - UpdateStrategy = "UpdateStrategy" + FlannelInterface = "FlannelInterface" + FlannelBackend = "FlannelBackend" + CanalInterface = "CanalInterface" + FlexVolPluginDir = "FlexVolPluginDir" + WeavePassword = "WeavePassword" + MTU = "MTU" + RBACConfig = "RBACConfig" + ClusterVersion = "ClusterVersion" + SystemIdentifier = "SystemIdentifier" + ApicHosts = "ApicHosts" + Token = "Token" + ApicUserName = "ApicUserName" + ApicUserKey = "ApicUserKey" + ApicUserCrt = "ApicUserCrt" + ApicRefreshTime = "ApicRefreshTime" + VmmDomain = "VmmDomain" + VmmController = "VmmController" + EncapType = "EncapType" + McastRangeStart = "McastRangeStart" + McastRangeEnd = "McastRangeEnd" + AEP = "AEP" + VRFName = "VRFName" + VRFTenant = "VRFTenant" + L3Out = "L3Out" + L3OutExternalNetworks = "L3OutExternalNetworks" + DynamicExternalSubnet = "DynamicExternalSubnet" + StaticExternalSubnet = "StaticExternalSubnet" + ServiceGraphSubnet = "ServiceGraphSubnet" + KubeAPIVlan = "KubeAPIVlan" + ServiceVlan = "ServiceVlan" + InfraVlan = "InfraVlan" + ImagePullPolicy = "ImagePullPolicy" + ImagePullSecret = "ImagePullSecret" + Tenant = "Tenant" + ServiceMonitorInterval = "ServiceMonitorInterval" + PBRTrackingNonSnat = "PBRTrackingNonSnat" + InstallIstio = "InstallIstio" + IstioProfile = "IstioProfile" + DropLogEnable = "DropLogEnable" + ControllerLogLevel = "ControllerLogLevel" + HostAgentLogLevel = "HostAgentLogLevel" + OpflexAgentLogLevel = "OpflexAgentLogLevel" + AciCniDeployContainer = "AciCniDeployContainer" + AciHostContainer = "AciHostContainer" + AciOpflexContainer = "AciOpflexContainer" + AciMcastContainer = "AciMcastContainer" + 
AciOpenvSwitchContainer = "AciOpenvSwitchContainer" + AciControllerContainer = "AciControllerContainer" + AciGbpServerContainer = "AciGbpServerContainer" + AciOpflexServerContainer = "AciOpflexServerContainer" + StaticServiceIPStart = "StaticServiceIPStart" + StaticServiceIPEnd = "StaticServiceIPEnd" + PodGateway = "PodGateway" + PodIPStart = "PodIPStart" + PodIPEnd = "PodIPEnd" + NodeServiceIPStart = "NodeServiceIPStart" + NodeServiceIPEnd = "NodeServiceIPEnd" + ServiceIPStart = "ServiceIPStart" + ServiceIPEnd = "ServiceIPEnd" + UseAciCniPriorityClass = "UseAciCniPriorityClass" + NoPriorityClass = "NoPriorityClass" + MaxNodesSvcGraph = "MaxNodesSvcGraph" + SnatContractScope = "SnatContractScope" + PodSubnetChunkSize = "PodSubnetChunkSize" + EnableEndpointSlice = "EnableEndpointSlice" + SnatNamespace = "SnatNamespace" + EpRegistry = "EpRegistry" + OpflexMode = "OpflexMode" + SnatPortRangeStart = "SnatPortRangeStart" + SnatPortRangeEnd = "SnatPortRangeEnd" + SnatPortsPerNode = "SnatPortsPerNode" + OpflexClientSSL = "OpflexClientSSL" + UsePrivilegedContainer = "UsePrivilegedContainer" + UseHostNetnsVolume = "UseHostNetnsVolume" + UseOpflexServerVolume = "UseOpflexServerVolume" + KafkaBrokers = "KafkaBrokers" + KafkaClientCrt = "KafkaClientCrt" + KafkaClientKey = "KafkaClientKey" + SubnetDomainName = "SubnetDomainName" + CApic = "CApic" + UseAciAnywhereCRD = "UseAciAnywhereCRD" + OverlayVRFName = "OverlayVRFName" + GbpPodSubnet = "GbpPodSubnet" + RunGbpContainer = "RunGbpContainer" + RunOpflexServerContainer = "RunOpflexServerContainer" + OpflexServerPort = "OpflexServerPort" + OVSMemoryLimit = "OVSMemoryLimit" + NodeSubnet = "NodeSubnet" + NodeSelector = "NodeSelector" + UpdateStrategy = "UpdateStrategy" ) var EtcdPortList = []string{ 
@@ -147,6 +289,8 @@ func (c *Cluster) deployNetworkPlugin(ctx context.Context, data map[string]inter return c.doCanalDeploy(ctx, data) case WeaveNetworkPlugin: return c.doWeaveDeploy(ctx, data) + case AciNetworkPlugin: + return c.doAciDeploy(ctx, data) case NoNetworkPlugin: log.Infof(ctx, "[network] Not deploying a cluster network, expecting custom CNI") return nil 
@@ -285,9 +429,123 @@ func (c *Cluster) doWeaveDeploy(ctx context.Context, data map[string]interface{} return c.doAddonDeploy(ctx, pluginYaml, NetworkPluginResourceName, true) } +func (c *Cluster) doAciDeploy(ctx context.Context, data map[string]interface{}) error { + _, clusterCIDR, err := net.ParseCIDR(c.ClusterCIDR) + if err != nil { + return err + } + podIPStart, podIPEnd := cidr.AddressRange(clusterCIDR) + _, staticExternalSubnet, err := net.ParseCIDR(c.Network.Options[AciStaticExternalSubnet]) + staticServiceIPStart, staticServiceIPEnd := cidr.AddressRange(staticExternalSubnet) + _, svcGraphSubnet, err := net.ParseCIDR(c.Network.Options[AciServiceGraphSubnet]) + if err != nil { + return err + } + nodeServiceIPStart, nodeServiceIPEnd := cidr.AddressRange(svcGraphSubnet) + _, dynamicExternalSubnet, err := net.ParseCIDR(c.Network.Options[AciDynamicExternalSubnet]) + if err != nil { + return err + } + serviceIPStart, serviceIPEnd := cidr.AddressRange(dynamicExternalSubnet) + if c.Network.Options[AciTenant] == "" { + c.Network.Options[AciTenant] = c.Network.Options[AciSystemIdentifier] + } + + AciConfig := map[string]interface{}{ + SystemIdentifier: c.Network.Options[AciSystemIdentifier], + ApicHosts: c.Network.AciNetworkProvider.ApicHosts, + Token: c.Network.Options[AciToken], + ApicUserName: c.Network.Options[AciApicUserName], + ApicUserKey: c.Network.Options[AciApicUserKey], + ApicUserCrt: c.Network.Options[AciApicUserCrt], + ApicRefreshTime: c.Network.Options[AciApicRefreshTime], + VmmDomain: c.Network.Options[AciVmmDomain], + VmmController: c.Network.Options[AciVmmController], + EncapType: c.Network.Options[AciEncapType], + McastRangeStart: c.Network.Options[AciMcastRangeStart], + McastRangeEnd: c.Network.Options[AciMcastRangeEnd], + NodeSubnet: c.Network.Options[AciNodeSubnet], + AEP: c.Network.Options[AciAEP], + VRFName: c.Network.Options[AciVRFName], + VRFTenant: c.Network.Options[AciVRFTenant], + L3Out: c.Network.Options[AciL3Out], + 
L3OutExternalNetworks: c.Network.AciNetworkProvider.L3OutExternalNetworks, + DynamicExternalSubnet: c.Network.Options[AciDynamicExternalSubnet], + StaticExternalSubnet: c.Network.Options[AciStaticExternalSubnet], + ServiceGraphSubnet: c.Network.Options[AciServiceGraphSubnet], + KubeAPIVlan: c.Network.Options[AciKubeAPIVlan], + ServiceVlan: c.Network.Options[AciServiceVlan], + InfraVlan: c.Network.Options[AciInfraVlan], + ImagePullPolicy: c.Network.Options[AciImagePullPolicy], + ImagePullSecret: c.Network.Options[AciImagePullSecret], + Tenant: c.Network.Options[AciTenant], + ServiceMonitorInterval: c.Network.Options[AciServiceMonitorInterval], + PBRTrackingNonSnat: c.Network.Options[AciPBRTrackingNonSnat], + InstallIstio: c.Network.Options[AciInstallIstio], + IstioProfile: c.Network.Options[AciIstioProfile], + DropLogEnable: c.Network.Options[AciDropLogEnable], + ControllerLogLevel: c.Network.Options[AciControllerLogLevel], + HostAgentLogLevel: c.Network.Options[AciHostAgentLogLevel], + OpflexAgentLogLevel: c.Network.Options[AciOpflexAgentLogLevel], + OVSMemoryLimit: c.Network.Options[AciOVSMemoryLimit], + ClusterCIDR: c.ClusterCIDR, + StaticServiceIPStart: cidr.Inc(cidr.Inc(staticServiceIPStart)), + StaticServiceIPEnd: cidr.Dec(staticServiceIPEnd), + PodGateway: cidr.Inc(podIPStart), + PodIPStart: cidr.Inc(cidr.Inc(podIPStart)), + PodIPEnd: cidr.Dec(podIPEnd), + NodeServiceIPStart: cidr.Inc(cidr.Inc(nodeServiceIPStart)), + NodeServiceIPEnd: cidr.Dec(nodeServiceIPEnd), + ServiceIPStart: cidr.Inc(cidr.Inc(serviceIPStart)), + ServiceIPEnd: cidr.Dec(serviceIPEnd), + UseAciCniPriorityClass: c.Network.Options[AciUseAciCniPriorityClass], + NoPriorityClass: c.Network.Options[AciNoPriorityClass], + MaxNodesSvcGraph: c.Network.Options[AciMaxNodesSvcGraph], + SnatContractScope: c.Network.Options[AciSnatContractScope], + PodSubnetChunkSize: c.Network.Options[AciPodSubnetChunkSize], + EnableEndpointSlice: c.Network.Options[AciEnableEndpointSlice], + SnatNamespace: 
c.Network.Options[AciSnatNamespace], + EpRegistry: c.Network.Options[AciEpRegistry], + OpflexMode: c.Network.Options[AciOpflexMode], + SnatPortRangeStart: c.Network.Options[AciSnatPortRangeStart], + SnatPortRangeEnd: c.Network.Options[AciSnatPortRangeEnd], + SnatPortsPerNode: c.Network.Options[AciSnatPortsPerNode], + OpflexClientSSL: c.Network.Options[AciOpflexClientSSL], + UsePrivilegedContainer: c.Network.Options[AciUsePrivilegedContainer], + UseHostNetnsVolume: c.Network.Options[AciUseHostNetnsVolume], + UseOpflexServerVolume: c.Network.Options[AciUseOpflexServerVolume], + KafkaBrokers: c.Network.AciNetworkProvider.KafkaBrokers, + KafkaClientCrt: c.Network.Options[AciKafkaClientCrt], + KafkaClientKey: c.Network.Options[AciKafkaClientKey], + SubnetDomainName: c.Network.Options[AciSubnetDomainName], + CApic: c.Network.Options[AciCApic], + UseAciAnywhereCRD: c.Network.Options[AciUseAciAnywhereCRD], + OverlayVRFName: c.Network.Options[AciOverlayVRFName], + GbpPodSubnet: c.Network.Options[AciGbpPodSubnet], + RunGbpContainer: c.Network.Options[AciRunGbpContainer], + RunOpflexServerContainer: c.Network.Options[AciRunOpflexServerContainer], + OpflexServerPort: c.Network.Options[AciOpflexServerPort], + AciCniDeployContainer: c.SystemImages.AciCniDeployContainer, + AciHostContainer: c.SystemImages.AciHostContainer, + AciOpflexContainer: c.SystemImages.AciOpflexContainer, + AciMcastContainer: c.SystemImages.AciMcastContainer, + AciOpenvSwitchContainer: c.SystemImages.AciOpenvSwitchContainer, + AciControllerContainer: c.SystemImages.AciControllerContainer, + AciGbpServerContainer: c.SystemImages.AciGbpServerContainer, + AciOpflexServerContainer: c.SystemImages.AciOpflexServerContainer, + MTU: c.Network.MTU, + } + + pluginYaml, err := c.getNetworkPluginManifest(AciConfig, data) + if err != nil { + return err + } + return c.doAddonDeploy(ctx, pluginYaml, NetworkPluginResourceName, true) +} + func (c *Cluster) getNetworkPluginManifest(pluginConfig, data map[string]interface{}) 
(string, error) { switch c.Network.Plugin { - case CanalNetworkPlugin, FlannelNetworkPlugin, CalicoNetworkPlugin, WeaveNetworkPlugin: + case CanalNetworkPlugin, FlannelNetworkPlugin, CalicoNetworkPlugin, WeaveNetworkPlugin, AciNetworkPlugin: tmplt, err := templates.GetVersionedTemplates(c.Network.Plugin, data, c.Version) if err != nil { return "", err diff --git a/cluster/validation.go b/cluster/validation.go index a739a11f..f3457166 100644 --- a/cluster/validation.go +++ b/cluster/validation.go 
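Review bot: In doAciDeploy the error from `net.ParseCIDR(c.Network.Options[AciStaticExternalSubnet])` is never checked: the result goes straight into `cidr.AddressRange(staticExternalSubnet)`, and `err` is then overwritten by the next ParseCIDR call. A malformed aci_static_external_subnet therefore hands a nil `*net.IPNet` to AddressRange, which will most likely panic instead of returning an error; validateNetworkOptions only checks that the option is non-empty, not that it parses. Add `if err != nil { return err }` directly after that ParseCIDR line, as is done for the other three subnets. The `AciConfig` map also carries `ApicUserKey` and `KafkaClientKey` into the rendered manifest, so a comment noting that `pluginYaml` must not be logged would be worth adding.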
@@ -67,13 +67,184 @@ func validateAuthOptions(c *Cluster) error { return nil } +func transformAciNetworkOption(option string) (string, string) { + var description string + switch option { + case AciSystemIdentifier: + option = "system_id" + description = "unique suffix for all cluster related objects in aci" + case AciServiceGraphSubnet: + option = "node_svc_subnet" + description = "Subnet to use for service graph endpoints on aci" + case AciStaticExternalSubnet: + option = "extern_static" + description = "Subnet to use for static external IPs on aci" + case AciDynamicExternalSubnet: + option = "extern_dynamic" + description = "Subnet to use for dynamic external IPs on aci" + case AciToken: + description = "UUID for this version of the input configuration" + case AciApicUserName: + description = "User name for aci apic" + case AciApicUserKey: + description = "Base64 encoded private key for aci apic user" + case AciApicUserCrt: + description = "Base64 encoded certificate for aci apic user" + case AciEncapType: + description = "One of the supported encap types for aci(vlan/vxlan)" + case AciMcastRangeStart: + description = "Mcast range start address for endpoint groups on aci" + case AciMcastRangeEnd: + description = "Mcast range end address for endpoint groups on aci" + case AciNodeSubnet: + description = "Kubernetes node address subnet" + case AciAEP: + description = "Attachment entity profile name on aci" + case AciVRFName: + description = "VRF Name on aci" + case AciVRFTenant: + description = "Tenant for VRF on aci" + case AciL3Out: + description = "L3Out on aci" + case AciKubeAPIVlan: + description = "Vlan for node network on aci" + case AciServiceVlan: + description = "Vlan for service graph nodes on aci" + case AciInfraVlan: + description = "Vlan for infra network on aci" + } + return option, description +} + +func validateAciCloudOptionsDisabled(option string, value string) (string, string, bool) { + var description string + ok := false + switch option { + 
case AciUseOpflexServerVolume: + if value == DefaultAciUseOpflexServerVolume { + ok = true + } + description = "Use mounted volume for opflex server" + case AciUseHostNetnsVolume: + if value == DefaultAciUseHostNetnsVolume { + ok = true + } + description = "Mount host netns for opflex server" + case AciCApic: + if value == DefaultAciCApic { + ok = true + } + description = "Provision cloud apic" + case AciUseAciAnywhereCRD: + if value == DefaultAciUseAciAnywhereCRD { + ok = true + } + description = "Use Aci anywhere CRD" + case AciRunGbpContainer: + if value == DefaultAciRunGbpContainer { + ok = true + } + description = "Run Gbp Server" + case AciRunOpflexServerContainer: + if value == DefaultAciRunOpflexServerContainer { + ok = true + } + description = "Run Opflex Server" + case AciEpRegistry: + if value == "" { + ok = true + } + description = "Registry for Ep whether CRD or MODB" + case AciOpflexMode: + if value == "" { + ok = true + } + description = "Opflex overlay mode or on-prem" + case AciSubnetDomainName: + if value == "" { + ok = true + } + description = "Subnet domain name" + case AciKafkaClientCrt: + if value == "" { + ok = true + } + description = "CApic Kafka client certificate" + case AciKafkaClientKey: + if value == "" { + ok = true + } + description = "CApic Kafka client key" + case AciOverlayVRFName: + if value == "" { + ok = true + } + description = "Overlay VRF name" + case AciGbpPodSubnet: + if value == "" { + ok = true + } + description = "Gbp pod subnet" + case AciOpflexServerPort: + if value == "" { + ok = true + } + description = "Opflex server port" + } + return option, description, ok +} + func validateNetworkOptions(c *Cluster) error { - if c.Network.Plugin != NoNetworkPlugin && c.Network.Plugin != FlannelNetworkPlugin && c.Network.Plugin != CalicoNetworkPlugin && c.Network.Plugin != CanalNetworkPlugin && c.Network.Plugin != WeaveNetworkPlugin { + if c.Network.Plugin != NoNetworkPlugin && c.Network.Plugin != FlannelNetworkPlugin && 
c.Network.Plugin != CalicoNetworkPlugin && c.Network.Plugin != CanalNetworkPlugin && c.Network.Plugin != WeaveNetworkPlugin && c.Network.Plugin != AciNetworkPlugin { return fmt.Errorf("Network plugin [%s] is not supported", c.Network.Plugin) } if c.Network.Plugin == FlannelNetworkPlugin && c.Network.MTU != 0 { return fmt.Errorf("Network plugin [%s] does not support configuring MTU", FlannelNetworkPlugin) } + if c.Network.Plugin == AciNetworkPlugin { + //Skip cloud options and throw an error. + cloudOptionsList := []string{AciEpRegistry, AciOpflexMode, AciUseHostNetnsVolume, AciUseOpflexServerVolume, + AciSubnetDomainName, AciKafkaClientCrt, AciKafkaClientKey, AciCApic, UseAciAnywhereCRD, + AciOverlayVRFName, AciGbpPodSubnet, AciRunGbpContainer, AciRunOpflexServerContainer, AciOpflexServerPort} + for _, v := range cloudOptionsList { + val, ok := c.Network.Options[v] + _, _, disabled := validateAciCloudOptionsDisabled(v, val) + if ok && !disabled { + return fmt.Errorf("Network plugin aci: %s = %s is provided,but cloud options are not allowed in this release", v, val) + } + } + + networkOptionsList := []string{AciSystemIdentifier, AciToken, AciApicUserName, AciApicUserKey, + AciApicUserCrt, AciEncapType, AciMcastRangeStart, AciMcastRangeEnd, + AciNodeSubnet, AciAEP, AciVRFName, AciVRFTenant, AciL3Out, AciDynamicExternalSubnet, + AciStaticExternalSubnet, AciServiceGraphSubnet, AciKubeAPIVlan, AciServiceVlan, AciInfraVlan, + AciNodeSubnet} + for _, v := range networkOptionsList { + val, ok := c.Network.Options[v] + if !ok || val == "" { + var description string + v, description = transformAciNetworkOption(v) + return fmt.Errorf("Network plugin aci: %s(%s) under aci_network_provider is not provided", strings.TrimPrefix(v, "aci_"), description) + } + } + if c.Network.AciNetworkProvider != nil { + if c.Network.AciNetworkProvider.ApicHosts == nil { + return fmt.Errorf("Network plugin aci: %s(address of aci apic hosts) under aci_network_provider is not provided", 
"apic_hosts") + } + if c.Network.AciNetworkProvider.L3OutExternalNetworks == nil { + return fmt.Errorf("Network plugin aci: %s(external network name/s on aci) under aci_network_provider is not provided", "l3out_external_networks") + } + } else { + var requiredArgs []string + for _, v := range networkOptionsList { + v, _ = transformAciNetworkOption(v) + requiredArgs = append(requiredArgs, fmt.Sprintf(" %s", strings.TrimPrefix("aci_", v))) + } + requiredArgs = append(requiredArgs, fmt.Sprintf(" %s", ApicHosts)) + requiredArgs = append(requiredArgs, fmt.Sprintf(" %s", L3OutExternalNetworks)) + return fmt.Errorf("Network plugin aci: multiple parameters under aci_network_provider are not provided: %s", requiredArgs) + } + } return nil } @@ -335,6 +506,28 @@ func validateNetworkImages(c *Cluster) error { if len(c.SystemImages.WeaveNode) == 0 { return errors.New("weave image is not populated") } + } else if c.Network.Plugin == AciNetworkPlugin { + if len(c.SystemImages.AciCniDeployContainer) == 0 { + return errors.New("aci cnideploy image is not populated") + } + if len(c.SystemImages.AciHostContainer) == 0 { + return errors.New("aci host container image is not populated") + } + if len(c.SystemImages.AciOpflexContainer) == 0 { + return errors.New("aci opflex agent image is not populated") + } + if len(c.SystemImages.AciMcastContainer) == 0 { + return errors.New("aci mcast container image is not populated") + } + if len(c.SystemImages.AciOpenvSwitchContainer) == 0 { + return errors.New("aci openvswitch image is not populated") + } + if len(c.SystemImages.AciControllerContainer) == 0 { + return errors.New("aci controller image is not populated") + } + //Skipping Cloud image validation. + //c.SystemImages.AciOpflexServerContainer + //c.SystemImages.AciGbpServerContainer } return nil } diff --git a/cmd/config.go b/cmd/config.go index 7a64532c..cf06a2b8 100644 --- a/cmd/config.go +++ b/cmd/config.go 
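Review bot: In validateNetworkOptions, `cloudOptionsList` contains `UseAciAnywhereCRD` (the template key "UseAciAnywhereCRD" from network.go) instead of `AciUseAciAnywhereCRD`, so `aci_use_aci_anywhere_crd` is never looked up in `c.Network.Options` and the "cloud options are not allowed" guard cannot fire for it; replace the entry with `AciUseAciAnywhereCRD`. The rejection message formats `%s = %s` with the raw value, which for `AciKafkaClientKey` would put the client key into the error text; report only the option name, e.g. `fmt.Errorf("Network plugin aci: %s is provided, but cloud options are not allowed in this release", v)`. In the else branch `strings.TrimPrefix("aci_", v)` has its arguments swapped and should be `strings.TrimPrefix(v, "aci_")`, as in the loop above it. The `ApicHosts == nil` and `L3OutExternalNetworks == nil` checks also accept an empty non-nil value; `len(...) == 0` looks like the intended test, assuming both fields are slices.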
@@ -380,7 +380,7 @@ func getAuthzConfig(reader *bufio.Reader) (*v3.AuthzConfig, error) {
 func getNetworkConfig(reader *bufio.Reader) (*v3.NetworkConfig, error) {
 networkConfig := v3.NetworkConfig{}
- networkPlugin, err := getConfig(reader, "Network Plugin Type (flannel, calico, weave, canal)", cluster.DefaultNetworkPlugin)
+ networkPlugin, err := getConfig(reader, "Network Plugin Type (flannel, calico, weave, canal, aci)", cluster.DefaultNetworkPlugin)
 if err != nil {
 return nil, err
 }
diff --git a/go.mod b/go.mod
index eb38cd89..fd04edcc 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ replace (
 require (
 github.com/Masterminds/sprig/v3 v3.0.0
 github.com/Microsoft/hcsshim v0.8.9 // indirect
+ github.com/apparentlymart/go-cidr v1.0.1
 github.com/blang/semver v3.5.1+incompatible
 github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe // indirect
 github.com/coreos/bbolt v1.3.1-coreos.6 // indirect
diff --git a/go.sum b/go.sum
index ebdbd376..ae9da2d8 100644
--- a/go.sum
+++ b/go.sum
@@ -39,6 +39,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
+github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfTJ/SpF+U=
+github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
diff --git a/types/kdm/kdm.go b/types/kdm/kdm.go
index 772092da..9bb2c7e4 100644
--- a/types/kdm/kdm.go
+++ b/types/kdm/kdm.go
@@ -11,6 +11,7 @@ const (
 Canal = "canal"
 Flannel = "flannel"
 Weave = "weave"
+ Aci = "aci"
 CoreDNS = "coreDNS"
 KubeDNS = "kubeDNS"
 MetricsServer = "metricsServer"
diff --git a/types/rke_types.go b/types/rke_types.go
index 9b718b91..bc235500 100644
--- a/types/rke_types.go
+++ b/types/rke_types.go
@@ -171,6 +171,22 @@ type RKESystemImages struct {
 MetricsServer string `yaml:"metrics_server" json:"metricsServer,omitempty"`
 // Pod infra container image for Windows
 WindowsPodInfraContainer string `yaml:"windows_pod_infra_container" json:"windowsPodInfraContainer,omitempty"`
+ // Cni deployer container image for Cisco ACI
+ AciCniDeployContainer string `yaml:"aci_cni_deploy_container" json:"aciCniDeployContainer,omitempty"`
+ // host container image for Cisco ACI
+ AciHostContainer string `yaml:"aci_host_container" json:"aciHostContainer,omitempty"`
+ // opflex agent container image for Cisco ACI
+ AciOpflexContainer string `yaml:"aci_opflex_container" json:"aciOpflexContainer,omitempty"`
+ // mcast daemon container image for Cisco ACI
+ AciMcastContainer string `yaml:"aci_mcast_container" json:"aciMcastContainer,omitempty"`
+ // OpenvSwitch container image for Cisco ACI
+ AciOpenvSwitchContainer string `yaml:"aci_ovs_container" json:"aciOvsContainer,omitempty"`
+ // Controller container image for Cisco ACI
+ AciControllerContainer string `yaml:"aci_controller_container" json:"aciControllerContainer,omitempty"`
+ // GBP Server container image for Cisco ACI
+ AciGbpServerContainer string `yaml:"aci_gbp_server_container" json:"aciGbpServerContainer,omitempty"`
+ // Opflex Server container image for Cisco ACI
+ AciOpflexServerContainer string `yaml:"aci_opflex_server_container" json:"aciOpflexServerContainer,omitempty"`
 }
 type RKEConfigNode struct {
@@ -367,6 +383,8 @@ type NetworkConfig struct {
 FlannelNetworkProvider *FlannelNetworkProvider `yaml:"flannel_network_provider,omitempty" json:"flannelNetworkProvider,omitempty"`
 // WeaveNetworkProvider
 WeaveNetworkProvider *WeaveNetworkProvider `yaml:"weave_network_provider,omitempty" json:"weaveNetworkProvider,omitempty"`
+ // AciNetworkProvider
+ AciNetworkProvider *AciNetworkProvider `yaml:"aci_network_provider,omitempty" json:"aciNetworkProvider,omitempty"`
 // NodeSelector key pair
 NodeSelector map[string]string `yaml:"node_selector" json:"nodeSelector,omitempty"`
 // Network plugin daemonset upgrade strategy
@@ -539,6 +557,72 @@ type WeaveNetworkProvider struct {
 Password string `yaml:"password,omitempty" json:"password,omitempty" norman:"type=password"`
 }
+type AciNetworkProvider struct {
+ SystemIdentifier string `yaml:"system_id,omitempty" json:"systemId,omitempty"`
+ ApicHosts []string `yaml:"apic_hosts" json:"apicHosts,omitempty"`
+ Token string `yaml:"token,omitempty" json:"token,omitempty"`
+ ApicUserName string `yaml:"apic_user_name,omitempty" json:"apicUserName,omitempty"`
+ ApicUserKey string `yaml:"apic_user_key,omitempty" json:"apicUserKey,omitempty"`
+ ApicUserCrt string `yaml:"apic_user_crt,omitempty" json:"apicUserCrt,omitempty"`
+ ApicRefreshTime string `yaml:"apic_refresh_time,omitempty" json:"apicRefreshTime,omitempty" norman:"default=1200"`
+ VmmDomain string `yaml:"vmm_domain,omitempty" json:"vmmDomain,omitempty"`
+ VmmController string `yaml:"vmm_controller,omitempty" json:"vmmController,omitempty"`
+ EncapType string `yaml:"encap_type,omitempty" json:"encapType,omitempty"`
+ NodeSubnet string `yaml:"node_subnet,omitempty" json:"nodeSubnet,omitempty"`
+ McastRangeStart string `yaml:"mcast_range_start,omitempty" json:"mcastRangeStart,omitempty"`
+ McastRangeEnd string `yaml:"mcast_range_end,omitempty" json:"mcastRangeEnd,omitempty"`
+ AEP string `yaml:"aep,omitempty" json:"aep,omitempty"`
+ VRFName string `yaml:"vrf_name,omitempty" json:"vrfName,omitempty"`
+ VRFTenant string `yaml:"vrf_tenant,omitempty" json:"vrfTenant,omitempty"`
+ L3Out string `yaml:"l3out,omitempty" json:"l3Out,omitempty"`
+ L3OutExternalNetworks []string `yaml:"l3out_external_networks" json:"l3OutExternalNetworks,omitempty"`
+ DynamicExternalSubnet string `yaml:"extern_dynamic,omitempty" json:"externDynamic,omitempty"`
+ StaticExternalSubnet string `yaml:"extern_static,omitempty" json:"externStatic,omitempty"`
+ ServiceGraphSubnet string `yaml:"node_svc_subnet,omitempty" json:"nodeSvcSubnet,omitempty"`
+ KubeAPIVlan string `yaml:"kube_api_vlan,omitempty" json:"kubeAPIVlan,omitempty"`
+ ServiceVlan string `yaml:"service_vlan,omitempty" json:"serviceVlan,omitempty"`
+ InfraVlan string `yaml:"infra_vlan,omitempty" json:"infraVlan,omitempty"`
+ Tenant string `yaml:"tenant,omitempty" json:"tenant,omitempty"`
+ OVSMemoryLimit string `yaml:"ovs_memory_limit,omitempty" json:"ovsMemoryLimit,omitempty"`
+ ImagePullPolicy string `yaml:"image_pull_policy,omitempty" json:"imagePullPolicy,omitempty"`
+ ImagePullSecret string `yaml:"image_pull_secret,omitempty" json:"imagePullSecret,omitempty"`
+ ServiceMonitorInterval string `yaml:"service_monitor_interval,omitempty" json:"serviceMonitorInterval,omitempty"`
+ PBRTrackingNonSnat string `yaml:"pbr_tracking_non_snat,omitempty" json:"pbrTrackingNonSnat,omitempty"`
+ InstallIstio string `yaml:"install_istio,omitempty" json:"installIstio,omitempty"`
+ IstioProfile string `yaml:"istio_profile,omitempty" json:"istioProfile,omitempty"`
+ DropLogEnable string `yaml:"drop_log_enable,omitempty" json:"dropLogEnable,omitempty"`
+ ControllerLogLevel string `yaml:"controller_log_level,omitempty" json:"controllerLogLevel,omitempty"`
+ HostAgentLogLevel string `yaml:"host_agent_log_level,omitempty" json:"hostAgentLogLevel,omitempty"`
+ OpflexAgentLogLevel string `yaml:"opflex_log_level,omitempty" json:"opflexLogLevel,omitempty"`
+ UseAciCniPriorityClass string `yaml:"use_aci_cni_priority_class,omitempty" json:"useAciCniPriorityClass,omitempty"`
+ NoPriorityClass string `yaml:"no_priority_class,omitempty" json:"noPriorityClass,omitempty"`
+ MaxNodesSvcGraph string `yaml:"max_nodes_svc_graph,omitempty" json:"maxNodesSvcGraph,omitempty"`
+ SnatContractScope string `yaml:"snat_contract_scope,omitempty" json:"snatContractScope,omitempty"`
+ PodSubnetChunkSize string `yaml:"pod_subnet_chunk_size,omitempty" json:"podSubnetChunkSize,omitempty"`
+ EnableEndpointSlice string `yaml:"enable_endpoint_slice,omitempty" json:"enableEndpointSlice,omitempty"`
+ SnatNamespace string `yaml:"snat_namespace,omitempty" json:"snatNamespace,omitempty"`
+ EpRegistry string `yaml:"ep_registry,omitempty" json:"epRegistry,omitempty"`
+ OpflexMode string `yaml:"opflex_mode,omitempty" json:"opflexMode,omitempty"`
+ SnatPortRangeStart string `yaml:"snat_port_range_start,omitempty" json:"snatPortRangeStart,omitempty"`
+ SnatPortRangeEnd string `yaml:"snat_port_range_end,omitempty" json:"snatPortRangeEnd,omitempty"`
+ SnatPortsPerNode string `yaml:"snat_ports_per_node,omitempty" json:"snatPortsPerNode,omitempty"`
+ OpflexClientSSL string `yaml:"opflex_client_ssl,omitempty" json:"opflexClientSSL,omitempty"`
+ UsePrivilegedContainer string `yaml:"use_privileged_container,omitempty" json:"usePrivilegedContainer,omitempty"`
+ UseHostNetnsVolume string `yaml:"use_host_netns_volume,omitempty" json:"useHostNetnsVolume,omitempty"`
+ UseOpflexServerVolume string `yaml:"use_opflex_server_volume,omitempty" json:"useOpflexServerVolume,omitempty"`
+ SubnetDomainName string `yaml:"subnet_domain_name,omitempty" json:"subnetDomainName,omitempty"`
+ KafkaBrokers []string `yaml:"kafka_brokers,omitempty" json:"kafkaBrokers,omitempty"`
+ KafkaClientCrt string `yaml:"kafka_client_crt,omitempty" json:"kafkaClientCrt,omitempty"`
+ KafkaClientKey string `yaml:"kafka_client_key,omitempty" json:"kafkaClientKey,omitempty"`
+ CApic string `yaml:"capic,omitempty" json:"cApic,omitempty"`
+ UseAciAnywhereCRD string `yaml:"use_aci_anywhere_crd,omitempty" json:"useAciAnywhereCRD,omitempty"`
+ OverlayVRFName string `yaml:"overlay_vrf_name,omitempty" json:"overlayVRFName,omitempty"`
+ GbpPodSubnet string `yaml:"gbp_pod_subnet,omitempty" json:"gbpPodSubnet,omitempty"`
+ RunGbpContainer string `yaml:"run_gbp_container,omitempty" json:"runGbpContainer,omitempty"`
+ RunOpflexServerContainer string `yaml:"run_opflex_server_container,omitempty" json:"runOpflexServerContainer,omitempty"`
+ OpflexServerPort string `yaml:"opflex_server_port,omitempty" json:"opflexServerPort,omitempty"`
+}
+
 type KubernetesServicesOptions struct {
 // Additional options passed to Etcd
 Etcd map[string]string `json:"etcd"`
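Review bot: `Token`, `ApicUserKey` and `KafkaClientKey` in the new `AciNetworkProvider` struct hold credential material by their names, yet they are declared without the `norman:"type=password"` tag that the `Password` field of `WeaveNetworkProvider` carries in the context lines just above. Assuming that tag is what marks a field as secret for the API schema (the schema code is not part of this diff), these three fields would be handled as ordinary strings wherever the cluster config is returned or displayed. I would append `norman:"type=password"` to the struct tag of each of the three fields. Separately, the exported type has no doc comment; something like `// AciNetworkProvider holds the settings read from aci_network_provider for the ACI network plugin.` would do.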