• For hardware installation instructions, see the Cisco ACI Fabric Hardware Installation Guide .

• Always back up your Cisco APIC configuration prior to installing or upgrading to this release. Single Cisco APIC clusters, which should not be run in production, can lose their configuration if database corruption occurs during the installation or upgrade.

• For initial access instructions to Cisco APIC for the first time, see the Cisco APIC Getting Started Guide .

• Cisco ACI with Microsoft System Center Virtual Machine Manager (SCVMM) or Microsoft Windows Azure Pack only supports ASCII characters. Non-ASCII characters are not supported. Ensure that English is set in the System Locale settings for Windows, otherwise Cisco ACI with SCVMM and Windows Azure Pack will not install. In addition, if the System Locale is later modified to a non-English Locale after the installation, the integration components might fail when communicating with the Cisco APIC and the Cisco ACI fabric.

• For the Cisco APIC Python SDK documentation, including installation instructions, see the Cisco APIC Python SDK Documentation .

  The SDK egg file that is needed for installation is included in the package. The SDK egg filename follows the format: acicobra- A . B _ CD -py2.7.egg , with A as major release, B as minor, C as maintenance, and D as patch letter (lowercase).

  For example, the egg filename for the 5.2(4d) release is as follows:

  acicobra-5.2_4d-py2.7.egg

• To install the SDK with SSL support on Unix/Linux and Mac OS X requires a compiler. For a Windows installation, you can install the compiled shared objects for the SDK dependencies using wheel packages.

• Install the SDK package before installing the model package, as the model package depends on the SDK package.

• From APIC 6.0(2), ECDSA certificate support is enabled. Downgrading to earlier APIC versions after deploying an ECDSA certificate requires switching to an RSA certificate first; otherwise, the web server will not function. You must update your Cisco APIC web server to use a RSA-based certificate before downgrading to a version lower than Cisco APIC 6.0 (2).

• APIC 6.1(2) and later require Global AES Encryption to be enabled before upgrading. A prevalidation check ensures this setting is enabled prior to upgrade.

• The Cisco APIC GUI supports the following browsers:

  • Chrome version 59 (at minimum) on Mac and Windows

  • Firefox version 54 (at minimum) on Mac, Linux, and Windows

  • Internet Explorer version 11 (at minimum)

  • Safari 10(at minimum)

    Note	Restart your browser after upgrading to release 1.3(1).

• The Cisco APIC GUI includes an online version of the Quick Start guide that includes video demonstrations.

• The infrastructure IP address range must not overlap with other IP addresses used in the fabric for in-band and out-of-band networks.

• The Cisco APIC does not provide IPAM services for tenant workloads.

• To reach the Cisco APIC CLI from the GUI: select System > Controllers, highlight a controller, right-click and select "launch SSH". To get the list of commands, press the escape key twice.

• In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.

• For the following services, use a DNS-based host name with out-of-band management connectivity. IP addresses can be used with both in-band and out-of-band management connectivity.

  • Syslog server

  • Call Home SMTP server

  • Tech support export server

  • Configuration export server

  • Statistics export server

• Both leaf and spine switches can be managed from any host that has IP connectivity to the fabric.

• When configuring an atomic counter policy between two endpoints, and an IP is learned on one of the two endpoints, it is recommended to use an IP-based policy and not a client endpoint-based policy.

• When configuring two Layer 3 external networks on the same node, the loopbacks need to be configured separately for both Layer 3 networks.

• All endpoint groups (EPGs), including application EPGs and Layer 3 external EPGs, require a domain. Interface policy groups must also be associated with an Attach Entity Profile (AEP), and the AEP must be associated with domains. Based on the association of EPGs to domains and of the interface policy groups to domains, the ports and VLANs that the EPG uses are validated. This applies to all EPGs including bridged Layer 2 outside and routed Layer 3 outside EPGs. For more information, see the Cisco Fundamentals Guide and the KB: Creating Domains, Attach Entity Profiles, and VLANs to Deploy an EPG on a Specific Port article.

  Note	In the 1.0(4x) and earlier releases, when creating static paths for application EPGs or Layer 2/Layer 3 outside EPGs, the physical domain was not required. In this release, it is required. Upgrading without the physical domain will raise a fault on the EPG stating “invalid path configuration.”

• The only place to associate an EPG with a contract interface is within its own tenant.

• User passwords must meet the following criteria:

  • Minimum length is 8 characters

  • Maximum length is 64 characters

  • Fewer than three consecutive repeated characters

  • At least three of the following character types: lowercase, uppercase, digit, symbol

  • Cannot be easily guessed

  • Cannot be the username or the reverse of the username

  • Cannot be any variation of “cisco”, “isco”, or any permutation of these characters or variants obtained by changing the capitalization of letters therein

• The power consumption statistics are not shown on leaf switch node slot 1.

• For Layer 3 external networks created through the API or Advanced GUI and updated through the CLI, protocols need to be enabled globally on the external network through the API or Advanced GUI, and the node profile for all the participating nodes needs to be added through the API or Advanced GUI before doing any further updates through the CLI.

• For Layer 3 external networks created through the CLI, you should not to update them through the API. These external networks are identified by names starting with “__ui_”.

• The output from "show" commands issued in the NX-OS-style CLI are subject to change in future software releases. Cisco does not recommend using the output from the show commands for automation.

• In this software version, the CLI is supported only for users with administrative login privileges.

• Do not separate virtual private cloud (vPC) member nodes into different configuration zones. If the nodes are in different configuration zones, then the vPCs’ modes become mismatched if the interface policies are modified and deployed to only one of the vPC member nodes.

• If you defined multiple login domains, you can choose the login domain that you want to use when logging in to a Cisco APIC . By default, the domain drop-down list is empty, and if you do not choose a domain, the DefaultAuth domain is used for authentication. This can result in login failure if the username is not in the DefaultAuth login domain. As such, you must enter the credentials based on the chosen login domain.

• A firmware maintenance group should contain a maximum of 80 nodes.

• When contracts are not associated with an endpoint group, DSCP marking is not supported for a VRF with a vzAny contract. DSCP is sent to a leaf switch along with the actrl rule, but a vzAny contract does not have an actrl rule. Therefore, the DSCP value cannot be sent.

• We recommend that you should not use a leaf switch as a NTP server for the Cisco ACI fabric.

Ensure that you have the following software installed on your system:

sudo apt install -y dnsmasq lighttpd syslinux-common pxelinux

DNSMasq Configuration

To create a new dnsmasq configuration, run the following command:

$ sudo systemctl stop dnsmasq
                $ sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
                $ sudo mkdir -p /srv/tftp

In the following code snippet, you must enter the IP details of your HTTP server that is hosting ISO and then configure a DHCP subnet range for clients which must be able to reach the HTTP server's IP. After you save your configuration file with the changes, run the following command:

sudo systemct restart dnsmasq

interface=*
                bind-interfaces
                enable-tftp
                tftp-root=/srv/tftp
                port=0
                log-dhcp
                dhcp-no-override
                dhcp-match=x86PC,  option:client-arch, 0  # matches legacy BIOS x86
                dhcp-match=BC_EFI, option:client-arch, 7  # matches UEFI x86-64
                # Load different PXE boot image depending on client architecture
                pxe-service=tag:x86PC,X86PC,   "Install Linux on x86 BIOS",    pxelinux.0
                pxe-service=tag:BC_EFI,BC_EFI, "Install Linux on x86-64 UEFI", bootx64.efi
                # Set bootfile name only when tag is "bios" or "uefi"
                dhcp-boot=tag:x86PC,pxelinux.0      # for Legacy BIOS detected by dhcp-match above
                dhcp-boot=tag:BC_EFI,bootx64.efi    # for UEFI arch detected by dhcp-match above
                # Enable PXELinux client options
                dhcp-option=tag:x86PC,208,f1:00:74:7e  # pxelinux.magic string
                # set boot params, note the ip/network is tied to the netplan config in this layer
                dhcp-option-force=129,"atxi.wipe=true atomix.isourl=http://<IP of your HTTP server>/atomix.iso"
                # an example IPV4 subnet range
                dhcp-range=192.168.41.3,192.168.41.50,12h
                dhcp-lease-max=25
            

HTTP Configuration

The default lighttpd configuration file will work as it is with no changes required as it listens on all interfaces for port 80.

Note	The name of the file must match the /etc/dnsmasq.conf value in the dhcp-option-force=129 setting. This value is passed into the machine through the DHCP settings and will use the URL to download the iso file. Copy the installer iso file to following path: /var/www/html/<ISONAME.iso>

PXELINUX Configuration

Systems that reboot through BIOS/Legacy uses pxelinux to acquire the installer. Ensure that the tftp location in the DNSMasq configuration file above is used to copy these files and configurations or adjust the commands as needed.

sudo mkdir -p /srv/tftp
                sudo cp -av /usr/lib/PXELINUX/* /srv/tftp/
                sudo cp /usr/lib/syslinux/modules/bios/* /srv/tftp/
                sudo mkdir -p /srv/tftp/pxelinux.cfg
            

Copy the following configuration to this /srv/tftp/pxelinux.cfg/default location and modify the HTTP URL to match the HTTP server’s IP and path to the ISO.

DEFAULT atomix-install
                label atomix-install
                kernel vmlinuz
                append initrd=initrd.img ro verbose debug console=tty0 console=ttyS0,115200n8 atomix.isourl=http://<HTTP_IP>/<ISO NAME>
                sysappend 3

Extracting content from ISO

Once you’ve acquired the ISO, you need to extract some files from the ISO and place them in certain directories, as shown below:

$ sudo mkdir /mnt/iso /mnt/efi
                $ sudo mount -oloop /var/www/html/<ISO filename> /mnt/iso
                $ sudo mount -t vfat /mnt/iso/images/efiboot.img /mnt/efi
                $ cp -av /mnt/efi/EFI/BOOT/BOOTX64.efi /srv/tftp/bootx64.efi
                $ cp -av /mnt/efi/EFI/BOOT/GRUBX64.efi /srv/tftp/grubx64.efi
                $ cp -av /mnt/iso/isolinux/vmlinuz /srv/tftp/vmlinuz
                $ cp -av /mnt/iso/isolinux/initrd.img /srv/tftp/initrd.img
                $ sudo umount /mnt/efi
                $ sudo umount /mnt/iso

Testing

Once you apply the configuration, your test systems must boot into the installer and configure the networking settings and download the ISO through HTTP to the system and proceed with the install.

On the PXE server, you can use the following dnsmasq service:

sudo journalctl --follow -u dnsmasq

Note

Some of the dnsmasq log entries may display an error as shown below. However, these errors are not fatal and the UEFI PXE clients in the firmware will try again. Feb 17 01:01:25 ubuntu dnsmasq-dhcp[1201]: 1836224829 sent size: 10 option: 43 vendor-encap 06:01:08:0a:04:00:50:58:45:ff Feb 17 01:01:25 ubuntu dnsmasq-tftp[1201]: error 8 User aborted the transfer received from 192.168.41.3 Feb 17 01:01:25 ubuntu dnsmasq-tftp[1201]: failed sending /srv/tftp/bootx64.efi to 192.168.41.3 Feb 17 01:01:25 ubuntu dnsmasq-tftp[1201]: sent /srv/tftp/bootx64.efi to 192.168.41.3 Feb 17 01:01:47 ubuntu dnsmasq-tftp[1201]: error 3 User provided memory block is too small received from 192.168.41.3 Feb 17 01:01:47 ubuntu dnsmasq-tftp[1201]: failed sending /srv/tftp/grubx64.efi to 192.168.41.3 Feb 17 01:02:09 ubuntu dnsmasq-tftp[1201]: sent /srv/tftp/grubx64.efi to 192.168.41.3

On the PXE client, the serial console output shows the install and in particular displays how it acquires the ISO.

This is part of the installer output that displays how it acquires the installer iso file.

++ cmdline=' BOOT_IMAGE=vmlinuz initrd=initrd.img ro verbose debug console=tty0 console=ttyS0,115200n8 atomix.isourl=http://192.168.41.2/atomix.iso ip=192.168.41.41:192.'
                ++ case "$cmdline" in
                ++ val='http://192.168.41.2/atomix.iso ip=192.168.41.41:192.168.41.2:192.168.41.2:255.255.255.0 BOOTIF=01-52-54-00-12-34-56 '
                ++ val=http://192.168.41.2/atomix.iso
                ++ echo http://192.168.41.2/atomix.iso
                + ksurl=http://192.168.41.2/atomix.iso
                + '[' -z http://192.168.41.2/atomix.iso ']'
                + '[' -n http://192.168.41.2/atomix.iso ']'
                + '[' -z '' ']'
                + dhclient
                [    3.573160] 8021q: adding VLAN 0 to HW filter on device ens4
                + tmpiso=/tmp/atomix.iso
                ++ seq 1 3
                + for count in $(seq 1 3)
                + '[' http: = https ']'
                + busybox wget --output-document=/tmp/atomix.iso http://192.168.41.2/atomix.iso
                Connecting to 192.168.41.2 (192.168.41.2:80)
                atomix.iso           100% |********************************|  842M  0:00:00 ETA
                + break
                + mkdir -p /cdrom
                + mount -o loop,ro /tmp/atomix.iso /cdrom
                [    4.896038] ISO 9660 Extensions: RRIP_1991A
                + echo 'Found install image through PXE'
                Found install image through PXE
                ...