Audience
This guide is intended for network and systems administrators who configure and maintain the Application Centric Infrastructure fabric.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following table provides an overview of the significant changes to this guide up to the current release. The table does not provide an exhaustive list of all changes made to the guide or of the new features up to this release.
| Feature | Description | Where Documented |
|---|---|---|
| Smart Licensing | Smart Licensing is enabled in the Cisco ACI fabric and by extension in the Cisco APIC as a Cisco Smart Licensing-enabled product. | |
| Layer 3 Routed and Sub-Interface Port Channels | Support for layer 3 port channels is added. | |
| Fibre Channel NPV | Support for FC traffic over the fabric. | |
| 802.1x enhancements | Support for IP Phones. | |
| Anycast Services | Anycast services are supported in the Cisco ACI fabric. A typical use case is to support ASA firewalls in the pods of a multipod fabric, but Anycast could be used to enable other services, such as DNS servers or printing services. | Configuring Anycast Services |
| Rogue Endpoint Control | Support is added for global Rogue Endpoint Detection, to detect unauthorized EPs. | |
| Enhanced Port Profile Support on N9K-C93180YC-FX Switches | Support is added on the N9K-C93180YC-FX switch for port profiles to change ports from uplink to downlink or downlink to uplink. | |
| Enhanced Breakout Support on Profiled QSFP Ports on N9K-C93180YC-FX Switches | Support is added for 100 Gigabit (Gb) (4X25Gb) and 40Gb (4X10Gb) dynamic breakouts on profiled QSFP ports on the N9K-C93180YC-FX switch (in ACI mode). | |
| Contract and Subject Exceptions | Contracts between EPGs are enhanced to include exceptions to subjects or contracts. This enables a subset of EPGs to be excluded in contract filtering. For example, a provider EPG can communicate with all consumer EPGs except those that match criteria configured in a Subject Exception in the contract governing their communication. | |
| Mixing the NX-OS style CLI and the APIC GUI | Cautions are added about mixing the two interfaces to configure the fabric. | |
| Forwarding Scale Profile Policy | The High LPM scale option is added to the forwarding scale profile policy. High longest prefix match (LPM) provides scalability similar to the dual-stack policy, except that the LPM scale is 128,000 and the policy scale is 8,000. Scale improvements in the other forwarding scale options are also added in this release. | |
| Transit Routing | Procedures to configure transit routing using the NX-OS-style CLI are added to the guide. | |
| Routed Connectivity to External Networks | New procedures to configure L3Out connectivity to external networks are added to the guide. | |
| Feature | Description | Where Documented |
|---|---|---|
| Maximum MTU Increased | Up to Cisco APIC Release 3.1(2), the range is 576 to 9000 bytes. From release 3.1(2) and later, the maximum MTU value is 9216. The default has not changed from 9000. | Global Policies |
| QoS for L3Out | QoS policy enforcement on L3Out ingress traffic is enhanced. To configure QoS policies in an L3Out, the VRF must be set in egress mode (Policy Control Enforcement Direction = “egress”) with policy control enabled (Policy Control Enforcement Preference = “Enforced”). You must configure the QoS class priority or DSCP setting in the contract that governs the Layer 3 External network. | Configuring Cisco ACI QoS |
| Neighbor Discovery Router Advertisement on Layer 3 Out | RS/RA packets are used for auto configuration and are configurable on Layer 3 interfaces including routed interface, Layer 3 sub interface, and SVI. | Configuring Layer 3 External Connectivity |
| Feature | Description | Where Documented |
|---|---|---|
| Configuring Flood in Encapsulation | Beginning with Cisco ACI Release 3.1(1) on the Cisco ACI switches with the Application Spine Engine (ASE), all protocols are flooded in encapsulation. Multiple EPGs are now supported under one bridge domain with an external switch. When two EPGs share the same BD and the Flood in Encapsulation option is turned on, the EPG flooding traffic does not reach the other EPG. It overcomes the challenges of using the Cisco ACI switches with the Virtual Connect (VC) tunnel network. | Configuring Flood in Encapsulation |
| CoPP per interface per protocol | Support for configuring CoPP on a per interface per protocol basis. | Configuring Control Plane Policing |
| Remote Leaf Switches | With an ACI fabric deployed, you can extend ACI services and APIC management to remote datacenters with Cisco ACI leaf switches that have no local spine switch or APIC attached. | Remote Leaf Switches in Configuring Layer 3 External Connectivity |
| New Hardware Support for Multipod and GOLF | Multipod and GOLF are supported by all Cisco Nexus 9300 platform ACI-mode switches and all of the Cisco Nexus 9500 platform ACI-mode switch line cards and fabric modules. With Cisco APIC release 3.1(x) and higher, this includes the N9K-C9364C switch. | Cisco ACI GOLF and Multipod Fabric in Configuring Layer 3 External Connections |
| MACsec | MACsec provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. | Configuring MACsec |
| Using Shared GOLF Connections Between Multi-Site Sites | Guidelines were added to avoid inter-VRF traffic issues for APIC Sites in a Multi-Site topology, if stretched VRFs share GOLF connections. | Cisco ACI GOLF in Configuring Layer 3 External Connections |
| SVI Auto State | Allows the switch virtual interface (SVI) auto state behavior to be enabled. This allows the SVI state to be in the down state when all the ports in the VLAN go down. This feature is available in APIC Release 2.2(3x) and in APIC Release 3.1(1) and later. It is not supported in APIC Release 3.0(x). | in Configuring Layer 3 External Connectivity |
| BFD support for spine switch | Support for Bidirectional Forwarding Detection (BFD) on spine switches is added. | Configuring Bi-Directional Route Forwarding (BFD) |
| SNMP Trap Aggregation | Enables SNMP traps from the SNMP Trap Aggregation fabric nodes to be delivered to one of the APICs in the cluster. | Configuring SNMP |
Note |
The APIC Release 2.2(3x) feature is only available in this specific release. It is not supported in APIC Release 3.0(x) or Release 3.1(x). |
| Feature | Description | Where Documented |
|---|---|---|
| SVI Auto State | Allows the switch virtual interface (SVI) auto state behavior to be enabled. This allows the SVI state to be in the down state when all the ports in the VLAN go down. | in Configuring Layer 3 External Connectivity |
| Feature | Description | Where Documented |
|---|---|---|
| Forwarding Scale Profile Policy | The forwarding scale profile policy enables you to choose between Dual Stack (the default profile) and IPv4 Scale. A forwarding scale profile policy that is set to Dual Stack provides scalability of up to 6K endpoints for IPv6 configurations and up to 12K endpoints for IPv4 configurations. The IPv4 Scale option enables systems with no IPv6 configurations to increase scalability with up to 24K IPv4 endpoints. | Configuring a Forwarding Scale Profile Policy |
| Graceful Insertion and Removal (GIR) Mode | The Graceful Insertion and Removal (GIR) mode or maintenance mode allows you to isolate a switch from the network with minimum service disruption. | Removing a Switch to Maintenance Mode Using the CLI |
| Q-in-Q Encapsulation Mapping for EPGs | Using Cisco APIC, you can map double-tagged VLAN traffic ingressing on a regular interface, PC, or VPC to an EPG. When this feature is enabled and double-tagged traffic enters the network for an EPG, both tags are processed individually in the fabric and restored to double-tags when egressing the ACI switch. Ingressing single-tagged and untagged traffic is dropped. | Configuring Q-in-Q Encapsulation Mapping for EPGs in Configuring Layer 2 External Connectivity |
| 802.1x Port Authentication | With this release, you can configure an 802.1x Port Authentication policy or 802.1x Node Authentication Policy. | Configuring 802.1x Port Authentication Policy and Configuring 802.1x Node Authentication Policy in Configuring Layer 2 Connectivity |
| First Hop Security | Enables better IPv4 and IPv6 link security and management over the layer 2 links. | Configuring First Hop Security in Configuring Security |
| Precision Time Protocol | Time synchronization protocol defined in IEEE 1588 for nodes distributed across the APIC. | Configuring PTP in Configuring Global Policies |
| Enforced Bridge Domain | Enforced bridge domain is supported, in which an endpoint in a subject endpoint group (EPG) can only ping subnet gateways within the associated bridge domain. With this configuration enabled, you can create a global exception list of IP addresses which can ping any subnet gateway. | Enforced Bridge Domain in Configuring Tenants |
| Feature | Description | Where Documented |
|---|---|---|
| Cisco APIC Quota Management | Creates, deletes, and updates a quota management configuration, which enables the admin to limit which managed objects can be added under a given tenant or globally across tenants. | Creating Quota Management |
| Contract Inheritance | To streamline associating contracts to new EPGs, you can now enable an EPG to inherit all the (provided/consumed) contracts associated directly to another EPG in the same tenant. Contract inheritance can be configured for application, microsegmented, L2Out, and L3Out EPGs. Any changes you make to the EPG contract master’s contracts are received by the inheriting EPG. | See Contract Inheritance in Configuring Tenants |
| 802.1Q Tunnel Enhancements | Now you can configure ports on core switches for use in Dot1q Tunnels for multiple customers. You can also define access VLANs to distinguish between customers consuming the corePorts. You can also disable MAC learning on Dot1q Tunnels. | Configuring Layer 2 External Connectivity |
| Control Plane Policing | Protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery. | Configuring Security |
| Encapsulation scope for SVI across Layer 3 Outside networks | With this release you can configure the encapsulation scope for SVI across Layer 3 Outside networks. | See Configuring Layer 3 External Connectivity |
| Symmetric Hashing | Symmetric hashing is now supported on port channels. | See Configuring Port Channels in Leaf Nodes Using the NX-OS CLI |
| Reflective relay (802.1Qbg) | Reflective relay transfers switching for virtual machines out of the host server to an external network switch. It provides connectivity between VMs on the same physical server and the rest of the network. It allows policies that you configure on the Cisco APIC to apply to traffic between the VMs on the same server. | See Configuring Fabric and Interfaces |
| Microsegmentation for virtual switches | Adds content for configuring microsegment EPGs on VMware VDS, Cisco AVS, and Microsoft vSwitch. | See Configuring Microsegmentation on Virtual Switches |
| Feature or Change | Description | Where Documented |
|---|---|---|
| Per VRF per node BGP timer | With this release, you can define and associate BGP timers on a per VRF per node basis. | Configuring Layer 3 External Connectivity |
| Layer 3 Out to Layer 3 Out Inter-VRF Leaking | With this release, shared Layer 3 Outs in different VRFs can communicate with each other using a contract. | Configuring Layer 3 External Connectivity |
| Multiple BGP communities assigned per route prefix | With this release, multiple BGP communities can now be assigned per route prefix using the BGP protocol. | Configuring Layer 3 External Connectivity |
| Apply the show running config command output to another Cisco APIC | Two new CLI commands, export config and import config, were added to enable running the output of the show running-config command on another Cisco APIC. | About Import and Export Configurations in Applying the show running config Output to Another Cisco APIC |
| Name change | Changed name of "Layer 3 EVPN Services for Fabric WAN" to "Cisco ACI GOLF". | Cisco ACI GOLF and Multipod in Configuring Layer 3 External Connectivity |
| Feature | Description | Where Documented |
|---|---|---|
| 802.1Q Tunnels | You can configure 802.1Q tunnels to enable point-to-multi-point tunneling of Ethernet frames in the fabric, with Quality of Service (QoS) priority settings. | Configuring 802.1Q Tunnels in Configuring Layer 2 External Connectivity |
| APIC Cluster High Availability | Support is added to operate the APICs in a cluster in an Active/Standby mode. In an APIC cluster, the designated active APICs share the load and the designated standby APICs can act as a replacement for any of the APICs in an active cluster. | APIC High Availability |
| Contract Preferred Groups | Support is added for contract preferred groups that enable greater control of communication between EPGs in a VRF. If most of the EPGs in the VRF should have open communication, but a few should only have limited communication with the other EPGs, you can configure a combination of a contract preferred group and contracts with filters to control communication precisely. | Configuring Contract Preferred Groups in Configuring Tenants |
| Dynamic Breakout Ports | Support is added for connecting a 40 Gigabit Ethernet (GE) leaf switch port to four 10GE-capable (downlink) devices (with Cisco 40-Gigabit to 4X10-Gigabit breakout cables). | Configuring Dynamic Breakout Ports in Configuring Layer 2 External Connectivity |
| FCoE over FEX | You can now configure FCoE over FEX ports. | Support Fibre Channel over Ethernet Traffic on the ACI Fabric |
| CDP supported in policies on interfaces to FEX devices | In this release, support is added for CDP on interfaces to FEX devices. | Configuring Fabric and Interfaces |
| HSRP | Support is added for HSRP, a protocol that provides first-hop routing redundancy for IP hosts on Ethernet networks configured with a default router IP address. | Configuring HSRP in Configuring Layer 3 External Connectivity |
| NetFlow | Support is added for NetFlow technology, which provides the metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, denial-of-service monitoring, network monitoring, outbound marketing, and data mining for both service providers and enterprise customers. | Configuring NetFlow |
| VLAN Domains | Moved to Configuring Layer 2 External Connectivity. | Configuring VLAN Domains in Configuring Layer 2 External Connectivity |
| Feature | Description | Where Documented |
|---|---|---|
| IP aging | In this release, IP aging, a policy for tracking and aging unused IPs on an endpoint, is supported. | Configuring IP Aging |
| Creating a route map/profile using explicit prefix list using a new match type | In this release, the explicit prefix list is supported through a new match type that is called match route destination. | Creating a Route Map |
| Configure FIPS | In this release, support for FIPS is added. FIPS specifies certain cryptographic algorithms as secure, and it also identifies which algorithms should be used for a module to be FIPS compliant. | Configuring FIPS for Cisco APIC |
| Distribute EVPN Type-2 Host Routes | In this release, for optimal traffic forwarding in an EVPN topology, you can enable fabric spines to advertise host routes using EVPN type-2 (MAC-IP) routes to the DCIG along with public BD subnets in the form of BGP EVPN type-5 (IP Prefix) routes. | Enabling Distributing EVPN Type-2 Host Routes Using the NX-OS in Configuring Layer 3 EVPN Services over Fabric WAN |
| Configure IGMP snoop layer 2 multicast support | In this release, IGMP snoop support is implemented, which allows a network switch to monitor IGMP traffic and filter multicasts from flooding layer 2 traffic. Among the features implemented are static port group configuration and access group configuration. | Enabling IGMP Snoop Static Port Groups and Enabling IGMP Snoop Access Groups in Configuring Layer 2 IGMP Snoop Multicast |
| Configuring network-based microsegmented EPGs in a bare-metal environment | In this release you can configure microsegmented EPGs with IP address attributes or MAC address attributes for physical endpoint devices. | Configuring Microsegmentation on Bare-Metal |
| Translating QoS CoS Settings | In this release, you can enable the ACI Fabric to classify the traffic for devices that classify the traffic based only on the CoS value. | Translating QoS CoS Settings Using the NX-OS CLI |
| Feature | Description | Where Documented |
|---|---|---|
| Proxy ARP | Proxy ARP in Cisco ACI is added to enable endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. | |
| Tetration Analytics | Cisco Tetration Analytics agent configuration is added. | |
| Multipod QoS | Support for preserving CoS and DSCP settings is added for Multipod topologies. | Preserving QoS Priority Settings in a Multipod Fabric |
| Layer 3 EVPN Services Over Fabric WAN | More detail was added on how to configure Layer 3 EVPN services. | Configuration Tasks to Configure Cisco ACI GOLF Services Using the NX-OS Style CLI |
| Release | Feature | Where |
|---|---|---|
| 2.0(1) | Port Security | |
| 2.0(1) | COOP Authentication | About COOP Authentication |
| 2.0(1) | Layer 3 Multicast | |
| 2.0(1) | Layer 3 EVPN Services Over Fabric WAN | Cisco ACI GOLF |
| 2.0(1) | Multipod Fabric | About Multipod Fabric |
| 2.0(1) | Verified Scalability Using the CLI | Verified Scalability Using the CLI |
| 1.2(2) | BFD | |
| 1.2(2) | Route Summarization | |
| 1.2(2) | Route Dampening | |
| 1.2(2) | Named Mode for configuring Layer 3 external connectivity | |
| 1.2(2) | IPv6 support | |
| 1.2(1) | Initial Release | -- |
Command descriptions use the following conventions:
| Convention | Description |
|---|---|
| bold | Bold text indicates the commands and keywords that you enter literally as shown. |
| Italic | Italic text indicates arguments for which the user supplies the values. |
| [x] | Square brackets enclose an optional element (keyword or argument). |
| [x \| y] | Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice. |
| {x \| y} | Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice. |
| [x {y \| z}] | Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element. |
| variable | Indicates a variable for which you supply values, in contexts where italics cannot be used. |
| string | A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. |
Examples use the following conventions:
| Convention | Description |
|---|---|
| screen font | Terminal sessions and information the switch displays are in screen font. |
| boldface screen font | Information you must enter is in boldface screen font. |
| italic screen font | Arguments for which you supply values are in italic screen font. |
| < > | Nonprinting characters, such as passwords, are in angle brackets. |
| [ ] | Default responses to system prompts are in square brackets. |
| !, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. |
This document uses the following conventions:
| Convention | Description |
|---|---|
| Note | Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual. |
| Caution | Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. |
| Warning | IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. SAVE THESE INSTRUCTIONS |
The ACI documentation is available at the following URL: http://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html.
The Cisco ACI Simulator documentation is available at http://www.cisco.com/c/en/us/support/cloud-systems-management/application-centric-infrastructure-simulator/tsd-products-support-series-home.html.
The Cisco Nexus 9000 Series Switches documentation is available at http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/tsd-products-support-series-home.html.
The Cisco Application Virtual Switch (AVS) documentation is available at http://www.cisco.com/c/en/us/support/switches/application-virtual-switch/tsd-products-support-series-home.html.
Cisco ACI integration with OpenStack documentation is available at http://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html.
To provide technical feedback on this document, or to report an error or omission, please send your comments to apic-docfeedback@cisco.com. We appreciate your feedback.