New and Changed Information
The following table provides an overview of the significant changes to this guide for this current release. The table does not provide an exhaustive list of all changes made to the guide or of the new features in this release.
| Feature | Description | Where Documented |
| --- | --- | --- |
| Contract and subject exceptions | Contracts between EPGs are enhanced to include exceptions to subjects or contracts. This enables a subset of EPGs to be excluded in contract filtering. For example, a provider EPG can communicate with all consumer EPGs except those that match criteria configured in a Subject Exception in the contract governing their communication. | |
| Optimize contract storage in hardware | Bidirectional standard contracts support more efficient hardware TCAM usage for contract data. The feature is supported on Nexus 9000 Series TOR switches with names ending with EX and FX, and later (for example, N9K-C93180LC-EX or N9K-C93180YC-FX). With optimization enabled, contract statistics for both directions are aggregated. | |
| Anycast Services | Anycast services are supported in the Cisco ACI fabric. A typical use case is to support ASA firewalls in the pods of a multipod fabric, but Anycast could be used to enable other services, such as DNS servers or printing services. | |
| Enhanced Breakout Support on Profiled QSFP Ports on N9K-C93180YC-FX Switches | Support is added for 100 Gigabit (Gb) (4X25Gb) and 40Gb (4X10Gb) dynamic breakouts on profiled QSFP ports on the N9K-C93180YC-FX switch (in ACI mode). | |
| Enhanced Port Profile Support on N9K-C93180YC-FX Switches | Support is added on the N9K-C93180YC-FX switch for port profiles to change ports from uplink to downlink or downlink to uplink. | |
| Rogue Endpoint Control Policy | Support is added for global Rogue Endpoint Control to detect and delete unauthorized endpoints. | |
| Remote Leaf Switch enhancements | New features and options are supported. | |
| Flood in encapsulation enhancements | Information is added about protocols supporting the Flood in Encapsulation option for bridge domains or EPGs. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| QoS for L3Outs | In this release, QoS policy enforcement on L3Out ingress traffic is enhanced. | Cisco ACI QoS |
| Maximum MTU Increased | To enable setting the MTU used in communicating with the external network to 9216, the maximum MTU has been increased from 9000 to 9216 bytes. | Networking and Management Connectivity |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Configuring Port Profiles | Conversion from uplink port to downlink port and vice versa is now supported on Cisco ACI leaf switches. | Fabric Provisioning |
| Configuring Fast Link Failover Policy | Fast Link Failover policy is applicable to uplinks on Cisco N9K-C93180YC-EX and N9K-C93180YC-FX platforms only. It efficiently load balances the traffic based on the uplink MAC status. This functionality reduces the data traffic convergence to less than 10 milliseconds. | Fabric Provisioning |
| Remote Leaf Switches | With an ACI fabric deployed, you can extend ACI services and APIC management to remote datacenters with Cisco ACI leaf switches that have no local spine switch or APIC attached. | Remote Leaf Switches in Network and Management Connectivity |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Q-in-Q Encapsulation Mapping for EPGs | Using Cisco APIC, you can map double-tagged VLAN traffic ingressing on a regular interface, PC, or VPC to an EPG. When this feature is enabled and double-tagged traffic enters the network for an EPG, both tags are processed individually in the fabric and restored to double-tags when egressing the ACI switch. Ingressing single-tagged and untagged traffic is dropped. | Fabric Provisioning |
| Graceful Insertion and Removal (GIR) Mode | The Graceful Insertion and Removal (GIR) mode, or maintenance mode, allows you to isolate a switch from the network with minimum service disruption. | Fabric Provisioning |
| Local User Authentication using OTP | OTP is a one-time password that is valid for only one session. Once OTP is enabled, the APIC generates a random, human-readable OTP key of 16 binary octets encoded in base32. | User Access, Authentication, and Accounting |
| Password Strength | Allows configuration of user password parameters for security management. | User Access, Authentication, and Accounting |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Cisco APIC Quota Management | Creates, deletes, and updates a quota management configuration, which enables the admin to limit which managed objects can be added under a given tenant or globally across tenants. | About APIC Quota Management Configuration. For more information, see the Cisco APIC Quota Management Configuration knowledge base article. |
| Contract Inheritance | To streamline associating contracts to new EPGs, you can now enable an EPG to inherit all the (provided/consumed) contracts associated directly to another EPG in the same tenant. Contract inheritance can be configured for application, microsegmented, L2Out, and L3Out EPGs. Any changes you make to the EPG contract master's contracts are received by the inheriting EPG. | ACI Policy Model |
| 802.1Q Tunnel Enhancements | Now you can configure ports on core switches for use in Dot1q Tunnels for multiple customers. You can also define access VLANs to distinguish between customers consuming the core ports. You can also disable MAC learning on Dot1q Tunnels. | Fabric Provisioning |
| Feature or Change | Description | Where Documented |
| --- | --- | --- |
| Name Change | Name of "Layer 3 EVPN Services for Fabric WAN" changed to "Cisco ACI GOLF." | Cisco ACI GOLF and Multipod in Networking and Management Connectivity |
| Layer 3 Out to Layer 3 Out Inter-VRF Leaking | With this release, shared Layer 3 Outs in different VRFs can communicate with each other using a contract. | Networking and Management Connectivity |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Cisco ACI App Center | The Cisco ACI App Center allows you to fully enable the capabilities of the APIC by writing applications running on the controller. | Cisco ACI App Center Developer Guide and Cisco ACI App Center User Guide |
| 802.1Q Tunnels | You can now configure 802.1Q tunnels to enable point-to-multipoint tunneling of Ethernet frames in the fabric, with Quality of Service (QoS) priority settings. | 802.1Q Tunnels in Network and Management Connectivity |
| APIC Cluster Cold Standby | Support is added to operate the APICs in a cluster in an Active/Standby mode. In an APIC cluster, the designated active APICs share the load and the designated standby APICs can act as a replacement for any of the APICs in an active cluster. | APIC Cluster Management in Fabric Provisioning |
| Contract Preferred Groups | Support is added for contract preferred groups that enable greater control of communication between EPGs in a VRF. If most of the EPGs in the VRF should have open communication, but a few should only have limited communication with the other EPGs, you can configure a combination of a contract preferred group and contracts with filters to control communication precisely. | Contracts in ACI Policy Model |
| Dynamic Breakout Ports | Support is added for connecting a 40 Gigabit Ethernet (GE) leaf switch port to 4-10GE capable (downlink) devices (with Cisco 40-Gigabit to 4X10-Gigabit breakout cables). | Dynamic Breakout Ports in Network and Management Connectivity |
| FCoE Supported over FEX | You can now configure FCoE over FEX ports. | Supporting Fibre Channel over Ethernet Traffic on the ACI Fabric in Fabric Provisioning |
| CDP supported in policies on interfaces to FEX devices | In this release, support is added for CDP on interfaces to FEX devices. | Fabric Provisioning |
| HSRP | Support is added for HSRP, a protocol that provides first-hop routing redundancy for IP hosts on Ethernet networks configured with a default router IP address. | HSRP in Networking and Management Connectivity |
| NetFlow | Support is added for NetFlow technology, which provides the metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, denial of service monitoring, network monitoring, outbound marketing, and data mining for both service providers and enterprise customers. | NetFlow in Monitoring |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Distribute EVPN Type-2 Host Routes | In this release, for optimal traffic forwarding in an EVPN topology, you can enable fabric spines to advertise host routes using EVPN type-2 (MAC-IP) routes to the DCIG along with public BD subnets in the form of BGP EVPN type-5 (IP Prefix) routes. | Distributing BGP EVPN Type-2 Host Routes in Configuring Layer 3 EVPN Services over Fabric WAN |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Proxy ARP | Proxy ARP in Cisco ACI is added to enable endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. | |
| Install Tetration Analytics | Cisco Tetration Analytics agent installation is added. | |
| Route Target Filtering | Route Target Filtering is added to optimize BGP routing tables by filtering the routes that are stored on them. | |
| Multipod QoS | Support for preserving CoS and DSCP settings is added for Multipod topologies. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Policy Based Routing | Cisco ACI policy based routing (PBR) enables provisioning service appliances such as firewalls or load balancers as managed or unmanaged nodes without needing an L4-L7 package. Typical use cases include provisioning service appliances that can be pooled, tailored to application profiles, scale easily, and reduce exposure to service outages. | |
| Copy Services | Unlike SPAN, which duplicates all of the traffic, the Cisco Application Centric Infrastructure (ACI) copy services feature enables selectively copying portions of the traffic between endpoint groups, according to the specifications of the contract. | |
| L3 Multicast | Border leafs run the full Protocol Independent Multicast (PIM) protocol. Non-border leaf switches run PIM in a passive mode on the interfaces. They do not peer with any other PIM routers. The border leafs peer with other PIM routers connected to them over L3 outs and also with each other. | |
| Layer 3 EVPN Services Over Fabric WAN | The Layer 3 EVPN services over fabric WAN feature enables much more efficient and scalable ACI fabric WAN connectivity. It uses EVPN over OSPF for WAN routers that are connected to spine switches. | |
| Multipod | Multipod enables provisioning a more fault tolerant fabric comprised of multiple pods with isolated control plane protocols. Also, multipod provides more flexibility with regard to the full mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, multipod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches. | Multipod |
| EPG Deployment through AEP | Attached entity profiles can be associated directly with application EPGs, which deploys the associated application EPGs to all those ports associated with the attached entity profile. | |
| Fibre Channel over Ethernet (FCoE) | Fibre Channel over Ethernet (FCoE) support. | Supporting Fibre Channel over Ethernet Traffic on the ACI Fabric |
| Configuration Zone Supported Policies | Updated the list of policies that are supported for configuration zones. | |
| Port Security | The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Microsegmentation | Microsegmentation associates endpoints from multiple EPGs into a microsegmented EPG according to virtual machine attributes, IP address, or MAC address. Virtual machine attributes include: VNic domain name, VM identifier, VM name, hypervisor identifier, VMM domain, datacenter, operating system, or custom attribute. When combined with intra-EPG isolation for bare metal and VM endpoints, microsegmentation can provide policy driven automated complete endpoint isolation within application tiers. | |
| Bug fixes | Updates to tagged EPG topic. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Intra-EPG deny | Intra-EPG deny policies provide full isolation for virtual or physical endpoints; no communication is allowed between endpoints in an EPG that is operating in full isolation mode. | |
| Data plane policing | Use data plane policing (DPP) to manage bandwidth consumption on ACI fabric access interfaces. | |
| Set BGP attributes | The route control context specifies what to match, and the scope specifies what is set. | Route Import and Export, Route Summarization, and Route Community Match |
| BGP and OSPF summarization | Route summarization policies enable routes to be shared efficiently among border leaf switches and their neighbor leaf switches. | |
| EIGRPv6 | Support for EIGRPv6 is now enabled. | |
| DSCP marking | Previously, DSCP marking could only be set on an L3Out, but now it can be set on the following: Contract; Subject; In Term; Out Term. | |
| Bidirectional forwarding detection | Use Bidirectional Forwarding Detection (BFD) to provide sub-second failure detection times in the forwarding path between ACI fabric border leaf switches configured to support peering router connections. | |
| IPv6 support for management interfaces | Unrestricted IPv6 support for all ACI fabric and APIC interfaces; IPv4, IPv6, or dual stack configurations are supported. The requirement to allow only IPv4 addresses on management interfaces no longer applies. | |
| BGP dynamic neighbors, route dampening, weight attribute, remove-private-as; OSPF name lookup, prefix suppression, and type 7 translation | Expanded support for BGP and OSPF options. | |
| Configuration zones | Configuration zones divide the ACI fabric into different zones that can be updated with configuration changes at different times. This limits the risk of deploying a faulty fabric-wide configuration that might disrupt traffic or even bring the fabric down. | |
| Port Tracking Policy for Uplink Failure Detection | Upon detection of uplink failure from a leaf switch to one or more spine switches, fabric link state tracking notifies an access port connected device that the link is down. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| IP based EPG | IP-based EPGs are suitable in settings where there is a need for large numbers of EPGs that cannot be supported by Longest Prefix Match (LPM) classification. | |
| Support for Public Subnets under EPG | An EPG that provides a shared service must have its subnet configured under that EPG (not under a bridge domain), and its scope must be set to advertised externally and shared between VRFs. | |
| Shared Layer 3 Out | A shared Layer 3 Out configuration provides routed connectivity to external networks as a shared service. An l3extInstP EPG provides routed connectivity to external networks. It can be provisioned as a shared service in any tenant (user, common, infra, or mgmt). | |
| Bug fix | Improved explanations of the subnet route export and route import configuration options. | Route Import and Export, Route Summarization, and Route Community Match |
| Stats on Layer 3 routes interfaces for Billing | The APIC can be configured to collect byte count and packet count billing statistics from a port configured for routed connectivity to external networks (an | Routed Connectivity to External Networks as a Shared Service Billing and Statistics |
| Configure maximum prefixes | Tenant networking protocol policies for BGP l3extOut connections can be configured with a maximum prefix limit that enables monitoring and restricting the number of route prefixes received from a peer. | |
| Ingress policy enforcement for L3Out scale | Ingress based policy enforcement enables defining policy enforcement for Layer 3 Out traffic with regard to egress and ingress directions. Direct server return (DSR) and attribute EPGs require ingress based policy enforcement. | |
| Static route with weights | Static route preference within the ACI fabric is carried in MP-BGP using the cost extended community. | |
| Common pervasive gateway for IPv4 and secondary IP address for IPv4 | Multiple ACI fabrics can be configured with an IPv4 common gateway on a per bridge domain basis. | |
| Fabric secure mode | Fabric secure mode prevents parties with physical access to the fabric equipment from adding a switch or APIC controller to the fabric without manual authorization by an administrator. | |
| CoS (802.1p) | The ACI fabric enables preserving 802.1p class of service (CoS) within the fabric. Enable the fabric global QoS policy dot1p-preserve option to guarantee that the 802.1p value in packets which enter and transit the ACI fabric is preserved. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| AES Encryption of APIC configuration files | The ACI fabric supports AES encryption of the secure properties in configuration export/import files. | |
| Updates and bug fixes | Label matching update. Added retention policy guidelines. Update regarding support for advertising a tenant bridge domain public subnet through an L3extOut in tenant common. | |
| Feature | Description | Where Documented |
| --- | --- | --- |
| IPv6 support | The ACI fabric supports IPv6 for tenant addressing, contracts, shared services, routing, Layer 4 - Layer 7 services, and troubleshooting. ACI fabric interfaces can be configured with link local, global unicast, and multicast IPv6 addresses. | |
| Transit routing | The ACI fabric supports transit routing, including the necessary EIGRP, eBGP, and OSPF protocol support, which enables border routers to perform bidirectional redistribution with other routing domains. | |
| EIGRP | The ACI fabric supports the EIGRP protocol in L3 outside for IPv4 only. | |
| EBGP | The ACI fabric supports eBGP in L3 outside for both IPv4 and IPv6. | |
| Host vPC FEX | The ACI fabric supports Cisco Fabric Extender (FEX) server-side virtual port channels (VPC), also known as FEX straight-through VPC. | |
| Per bridge domain multicast/broadcast packet control | An administrator can control the behavior of these packets per bridge domain. | |
| Route peering with service appliances | Route Peering is used to configure OSPF/BGP peering on the L4-L7 service device so that it can exchange routes with the ACI leaf node to which it is connected. | See also Configuring L4-L7 Route Peering in Managing Layer 4 to Layer 7 Services in Cisco APIC REST API Configuration Guide. |
| Per port VLAN | Allows configuration of the same VLAN ID across different EPGs (on different bridge domains) on different ports on the same leaf switch. An administrator can now configure the same VLAN ID on every port on the same switch. | |
| Loop detection | The ACI fabric can now detect loops in Layer 2 network segments that are connected to leaf switch access ports. | |
| Atomic counters path mode for scale topologies | | |
| Various updates and bug fixes | Added vzAny introduction. Accounting. Default policies. Contract scope. Networking domains. VMM domain concepts updated and procedures moved to the new expanded ACI Virtualization Guide. | Cisco ACI VM Networking Support for Virtual Machine Managers |
| Feature | Description | Where Documented |
| --- | --- | --- |
| Multi-site Stretched Fabric | Implements support for multi-site stretched fabric. | |
| Update to the Endpoint Retention topic | Clarifies behavior of Bridge Domain flooding that updated the location of endpoints within an EPG subnet that spans multiple leaf switches within the BD. | |
| Update to the Filters topic | Provides best practice guidelines when using the filter | Labels, Filters, Aliases, and Subjects Govern EPG Communications |
| Storm Control | Implements Layer 2 storm control. | |
| AAA VMM Domain tags | VMM domains can be tagged as security domains so that they become visible to the users contained in the security domain. | |
| Atomic counters endpoint to IP address option | Enables selecting either the target MAC address or IP address. | |
| Delete VMM domain guidelines | Identifies the recommended workflow sequence. | See the Guidelines for Deleting VMM Domains topic in the Virtual Machine Manager Domains chapter. |
| Custom RBAC Rules | Identifies use case scenarios and guidelines for developing custom RBAC rules. | Custom RBAC Rules. See Sample RBAC Rules in Configuring Security in Cisco APIC REST API Configuration Guide. |
| Health Score calculations | Identifies how system, pod, tenant, and MO level health scores are calculated. | |
| Multinode SPAN ERSPAN guidelines and header types | Identifies ERSPAN header types and guidelines for using ERSPAN. | |
| EPG untagged and tagged VLAN headers | Provides guidelines and limitations for using untagged EPG VLANs. | |
| Bridge Domain legacy mode | Provides guidelines for configuring legacy mode bridge domains. | |
| Updates to AAA LDAP and TACACS+ configurations with examples | Adds AAA LDAP and TACACS+ configuration examples. | |
| Updates to configuration import/export best effort, atomic, merge, and replace options | Describes enhancements to configuration import/export policies. | |
| Update to the decommission with wipe option | Provides guidelines for using the decommission leaf switch with wipe option. | |
| Update to the DHCP Relay topic | Provides guidelines regarding the requirement to configure a single bridge domain with a single subnet when establishing a relation with a DHCP relay. | |
| Various text edits to improve readability and a correction to a misspelled word in an image | Readability improvements and additional details in several topics. | See the Fundamentals, Provisioning, and Networking chapters. |