Cisco ACI Releases Changes in Behavior

March 11, 2024

This document was created.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base functionality

In case of failed login attempts, a detailed description of the reasons for failure are displayed under System > History > Session Logs in the Cisco APIC GUI. These details, along with the username, are also available on external servers, such as TACACS accounting or syslog servers (if external logging is configured).

N/A

There are no changes in behavior.

Security

This release uses the rsa-sha2-256 and rsa-sha2-512 SSH keys instead of ssh-rsa. If you are using a Microsoft Windows terminal software such as Teraterm, PuTTY, or WinSCP, upgrade the terminal software to the latest release. If you do not upgrade the terminal software, you might not be able to log into the Cisco APIC.

Upgrade/Downgrade

To upgrade to this release, you must perform the following procedure:

1.     Download the 6.0(3) Cisco APIC image and upgrade the APIC cluster to the 6.0(3) release. If you are upgrading from a release prior to 6.0(2), before this step is completed, DO NOT download the Cisco ACI-mode switch images to the APIC. 6.0(2) and later releases have both 32-bit and 64-bit switch images, but releases prior to 6.0(2) do not support 64-bit images. As a result, downloading the 64-bit images at this time might cause errors or unexpected results.

2.     Download both the 32-bit and 64-bit images to the Cisco APIC. Downloading only one of the images may result in errors during the upgrade process.

3.     Create the maintenance groups and trigger the upgrade procedure as usual. Cisco APIC automatically deploys the correct image to the respective switch during the upgrade process.

For more information, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.

Upgrade/Downgrade

A switch now determines which image to install (32-bit or 64-bit) from the Cisco APIC based on the available memory of the switch instead of based on a static mapping. If the available memory of the switch is less than or equal to 24 GB, the switch installs the 32-bit image. If the available memory of the switch is greater than or equal to 32 GB, the switch may be upgraded to the 32-bit image first, then upgrade again to the 64-bit image, which results in two reboots during the upgrade process. Modular spine switches install the 64-bit image regardless of the switch’s available memory. You must download both the 32-bit and 64-bit Cisco ACI-mode switch images to the Cisco APIC.

Base Functionality

The "Images" GUI page (Admin > Firmware > Images) now includes a "Platform Type" column, which specifies whether a switch image is 64-bit or 32-bit. This column does not apply to Cisco APIC images.

Ease of Use

On the "Interface Configuration" GUI page (Fabric > Access Policies > Interface Configuration), the node table now contains the following columns:

Ease of Use

The initial cluster set up and bootstrapping procedure has been simplified with the introduction of the APIC Cluster Bringup GUI. The APIC Cluster Bringup GUI supports virtual and physical APIC platforms.

Ease of Use

There is now a "Switch Configuration" GUI page (Fabric > Access Policies > Switch Configuration) that shows information about the leaf and spine switches controlled by the Cisco APIC. This page also enables you to modify a switch's configuration to create an access policy group and fabric policy group, or to remove the policy groups from 1 or more nodes. This page is similar to the "Interface Configuration" GUI page that existed previously, but is for switches.

Security

The Diffie-Hellman (DH) parameters are now dynamically determined during the communication handshake between the devices in the fabric.

Security

When you configure a custom certificate for Cisco ACI HTTPS access, you can now choose the elliptic-curve cryptography (ECC) key type. Prior to this release, RSA was the only key type.

Security

You can no longer use telnet to connect to the management IP address of a Cisco APIC or Cisco ACI-mode switch.

Upgrade/Downgrade

To upgrade to this release, you must perform the following procedure:

1.     Download the 6.0(2) Cisco APIC image and upgrade the APIC cluster to the 6.0(2) release. Before this step is completed, DO NOT download the Cisco ACI-mode switch images to the APIC. The 6.0(2) release has both 32-bit and 64-bit switch images, but releases prior to 6.0(2) do not support 64-bit images. As a result, downloading the 64-bit images at this time might cause errors or unexpected results.

2.     Download both the 32-bit and 64-bit images to the Cisco APIC. Downloading only one of the images may result in errors during the upgrade process.

3.     Create the maintenance groups and trigger the upgrade procedure as usual. Cisco APIC automatically deploys the correct image to the respective switch during the upgrade process.

For more information, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.

Base Functionality

You can now convert the Cisco N9K-C93180YC-FX3 and N9K-C93108TC-FX3P switches to be used as FEXes.

Base Functionality

Beginning with this release, the online help has been removed from the GUI. You can instead view the documentation by clicking the ? in the upper right of any GUI screen and choosing Help. The Help Center dialog that appears contains links to various Cisco APIC documentation.

Base Functionality

In the Cisco APIC GUI, On the "Welcome to Access Policies" page (Fabric > Access Policies > Quick Start), the work pane now contains the following choices:

Ease of Use

In the Cisco APIC GUI, on the "Interface Configuration" page (Fabric > Access Policies > Interface Configuration), the node table now contains the following columns:

Performance and Scalability

A leaf switch now supports only up to 56 uplinks. Prior to the 16.0(1) release, a leaf switch supported more than 56 uplinks. If your configuration has more than 56 uplinks, before you upgrade to the 16.0(1) release, reduce the number of uplinks to 56 or less otherwise you will lose any uplinks that are more than 56. If you upgrade to the 16.0(1) release and have more than 56 uplinks, Cisco APIC raises a fault similar to the following example:

[F2981][raised][portp-policy-limit-exceeded][warning][sys/ops/slot-lcslot-1/portpol-21/fault-F2981] PortP policy limit exceeded

Performance and Scalability

The hash result of symmetric EtherChannel could be different because of the fix for issue CSCwb93059. This change could cause asymmetric flow. For example, if the ingress leaf switch for the incoming traffic uses a prior release and the ingress leaf switch for the return traffic uses this release or later, the switches get different hash results for the incoming and return traffic.

Security

In the Cisco APIC GUI, the Admin > AAA pages have been modified. The Work panes of Authentication, Security, and Users have been enhanced for better functionality and ease of use.

Security

Transport Layer Security (TLS) version 1.0 and 1.1 are no longer supported.

Base Functionality

The Cisco N9K-C93120TX switch is no longer supported.

Performance and Scalability

A leaf switch now supports only up to 56 uplinks. Prior to the 16.0(1) release, a leaf switch supported more than 56 uplinks. If your configuration has more than 56 uplinks, before you upgrade to the 16.0(1) release, reduce the number of uplinks to 56 or less otherwise you will lose any uplinks that are more than 56. If you upgrade to the 16.0(1) release and have more than 56 uplinks, Cisco APIC raises a fault similar to the following example:

[F2981][raised][portp-policy-limit-exceeded][warning][sys/ops/slot-lcslot-1/portpol-21/fault-F2981] PortP policy limit exceeded

Base Functionality

In case of failed login attempts, a detailed description of the reasons for failure are displayed under System > History > Session Logs in the Cisco APIC GUI. These details, along with the username, are also available on external servers, such as syslog servers (if external logging is configured).

N/A

There are no changes in behavior.

Security

You can no longer use telnet to connect to the management IP address of a Cisco APIC or Cisco ACI-mode switch.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

On the "Interface Configuration" GUI page (Fabric > Access Policies > Interface Configuration), the node table now contains the following columns:

Base Functionality

On the "Welcome to Access Policies" GUI page (Fabric > Access Policies > Quick Start), work pane now contains the following choices:

Ease of Use

On the "Interface Configuration" GUI page (Fabric > Access Policies > Interface Configuration) and "Switch Configuration" page (Fabric > Access Policies > Switch Configuration), if you configured your switches in the Cisco APIC 5.2(5) release or earlier, the following warning message displays near the top of the page:

Some of the switches are still configured the old way. We can help you migrate them.

If you click "migrate them" and use the dialog that appears, the Cisco APIC converts the selected switches' configuration from the method used in the 4.2 and earlier releases to the newer method used in the 5.2 and later releases. The newer configuration is simplified. For example, the configurations no longer have policy selectors. After the conversion, each switch will have an access policy group and fabric policy group. You can expect to have a short duration of traffic loss during the migration.

Ease of Use

There is now a "Switch Configuration" GUI page (Fabric > Access Policies > Switch Configuration) that shows information about the leaf and spine switches controlled by the Cisco APIC. This page also enables you to modify a switch's configuration to create an access policy group and fabric policy group, or to remove the policy groups from 1 or more nodes. This page is similar to the "Interface Configuration" GUI page that existed previously, but is for switches.

N/A

There are no changes in behavior.

Base Functionality

Beginning with this release, the online help has been removed from the GUI. You can instead view the documentation by clicking the ? in the upper right of any GUI screen and choosing Help. The Help Center dialog that appears contains links to various Cisco APIC documentation. After you view any desired documentation, if you are unable to close the Help Center dialog, reload the Cisco APIC GUI page.

Base Functionality

The hash result of symmetric EtherChannel could be different because of the fix for issue CSCwb93059. This change could cause asymmetric flow. For example, if the ingress leaf switch for the incoming traffic uses a prior release and the ingress leaf switch for the return traffic uses this release or later, the switches get different hash results for the incoming and return traffic.

N/A

There are no changes in behavior.

Security

Transport Layer Security (TLS) version 1.0 and 1.1 are no longer supported.

Base Functionality

The default timer value and minimum timer value for bidirectional forwarding detection (BFD) over IS-IS are both now 250ms.

Base Functionality

The "Interfaces and Policies" GUI screen is now titled "Interface Configuration" (Fabric > Access Policies > Interface Configuration). On the screen, the node table now contains the following columns:

For more information, see the online help page for this screen.

Upgrade/Downgrade

When you upgrade to the 5.2(4) release, the Cisco APIC now creates the following interface policies automatically:

◦      system-cdp-disabled

◦      system-cdp-enabled

◦      system-lldp-disabled

◦      system-lldp-enabled

◦      system-static-on

◦      system-lacp-passive

◦      system-lacp-active

◦      system-link-level-100M-auto

◦      system-link-level-1G-auto

◦      system-link-level-10G-auto

◦      system-link-level-25G-auto

◦      system-link-level-40G-auto

◦      system-link-level-100G-auto

◦      system-link-level-400G-auto

◦      system-breakout-10g-4x

◦      system-breakout-25g-4x

◦      system-breakout-100g-4x

For caveats about these default policies if you upgrade to this release or downgrade from this release, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.

N/A

There are no changes in behavior.

Security

For increased security, the random key for a encrypting user-specific configuration and operational data in the SSD on both Cisco APIC and switch nodes is now generated in the hardware using a true random number generator (TRNG) instead of in the software.

Security

For increased security, the random key for a encrypting user-specific configuration and operational data in the SSD on both Cisco APIC and switch nodes is now generated in the hardware using a true random number generator (TRNG) instead of in the software.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

A minor fault is now raised if a line card or fabric module has the "err-pwr-down" or "failure" status, as shown by the show module command. This fault is cleared if the status changes to "ok" after the line card or fabric module is rebooted.

Base Functionality

A minor fault is now raised when you remove a line card or fabric module from the chassis. In previous releases, the Cisco APIC had an event notification, but no fault was raised. This same fault is cleared when you reinsert the line card or fabric module.

Base Functionality

When a line card or fabric module slot is empty on boot up, there is a fault raised for the missing slots, and the fault is cleared only on insertion. That is, in addition to physically removing the card scenario, there will be a fault raised if the box boots up with empty line card or fabric module slots.

Base Functionality

You can no longer create a new SNMP policy user with authType:MD5 and privType:DES. However, you can still import a SNMP policy user that has authType:MD5 and privType:DES.

Base Functionality

You now must specify a VRF instance with when using the nslookup command:

nslookup vrf <vrf_id> [-option] [name | -] [server]

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

ICMP now replies with the same Class of Service (CoS) value that was sent in the request.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

The SQL database is no longer persistent during ungraceful reloads of the switches. Examples of ungraceful reload include kernel panics and forced power cycles. In the event of an ungraceful reload, the switch will reboot as stateless and must re-download its policies from the Cisco APIC. Graceful reloads, such as manual reloads and hap-resets, are still stateful and the switch will maintain its database across the reload.

Base Functionality

When the same subnet is configured under both a bridge domain and an EPG, the scope such as "Advertised Externally" and "Shared between VRFs" must match. Configurations with a mismatched scope are rejected beginning in releases 4.2(6d) and 5.1(1).

Performance and Scalability

The "ip" attribute of the fvCEp class has been deprecated. IP addresses are now represented as fvIp children of fvCEp. This change provides better support for having multiple IP addresses on the same MAC address.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

A service endpoint group (EPG) in a service graph that has vzAny as the consumer and provider now has the PCTag get changed to the Global PCTag with EPGs and endpoint security groups.

Base Functionality

The hypervisor topology view has changed in this release. Leaf switches no longer appear in the topology diagram in the work pane when you choose a particular hypervisor in a virtual machine manager (VMM) domain. Also, virtual machines (VMs) attached to the hypervisor now appear as circles instead of squares.

Security

The implicit deny rules on a leaf switch are reordered and will prevent route leak traffic flows if the "Shared Security Import Subnet" option is not configured on the related L3Out external EPG subnet. For more information, see the "Scope and Aggregate Controls for Subnets" section in the Cisco APIC Layer 3 Networking Configuration Guide, Release 5.0(x).

Base Functionality

A minor fault is now raised if a line card or fabric module has the "err-pwr-down" or "failure" status, as shown by the show module command. This fault is cleared if the status changes to "ok" after the line card or fabric module is rebooted.

Base Functionality

A minor fault is now raised when you remove a line card or fabric module from the chassis. In previous releases, the Cisco APIC had an event notification, but no fault was raised. This same fault is cleared when you reinsert the line card or fabric module.

Base Functionality

When a line card or fabric module slot is empty on boot up, there is a fault raised for the missing slots, and the fault is cleared only on insertion. That is, in addition to physically removing the card scenario, there will be a fault raised if the box boots up with empty line card or fabric module slots.

Reliability

Cisco ACI uses a TCP session-based messaging queue (referred to as vPC ZMQ) to represent the peer-link status. Under rare circumstances, leaf nodes of a vPC pair may experience a vPC ZMQ down symptom, where the nodes fail to establish the vPC peer-link even though there is route reachability between the vPC nodes through the Cisco ACI infra. Unless explicitly mentioned about route reachability, the state of vPC ZMQ down in below context should be seen as one with valid route reachability. This release strengthens the handling of the following scenarios:

Reliability

Under rare circumstances, a leaf node of a vPC pair may lose COOP database connectivity with spine nodes. Starting in this release, a vPC node brings down its vPC ports if it lost the COOP database connectivity due to the risk of inconsistent endpoint learning information.

Base Functionality

The SQL database is no longer persistent during ungraceful reloads of the switches. Examples of ungraceful reload include kernel panics and forced power cycles. In the event of an ungraceful reload, the switch will reboot as stateless and must re-download its policies from the Cisco APIC. Graceful reloads, such as manual reloads and hap-resets, are still stateful and the switch will main-tain its database across the reload.

Base Functionality

The storm policer is now enforced for all forwarded control traffic in the leaf switch for the DHCP, ARP, ND, ICMP, HSRP, PIM, IGMP, and EIGRP protocols. This behavior change applies only to EX and later leaf switch switches.

In Cisco N9K-C93180LC-EX, N9K-93180YC-EX, and N9K-C93108TC-EX switches, you can configure both the supervisor policer and storm policer for one of the protocols. In this case, if the incoming traffic rate is greater than the supervisor policer rate, the switch will allow more storm traffic than the configured storm policer rate. If the incoming traffic rate is equal to or less than supervisor policer rate, then the switch will correctly allow the configured storm traffic rate. This behavior is applicable irrespective of the configured supervisor policer and storm policer rates.

One side effect of this change is that control traffic that gets forwarded in the leaf switch will now get subjected to storm policer drops. In previous releases, no such storm policer drops occur for the protocols that are affected by this change.

Base Functionality

When the same subnet is configured under both a bridge domain and an EPG, the scope such as "Advertised Externally" and "Shared between VRFs" must match. Configurations with a mismatched scope are rejected beginning in releases 4.2(6d) and 5.1(1).

N/A

There are no changes in behavior.

Base Functionality

For the Intersight Device Connector, the Auto Update option is now enabled by default. For more information, see the Cisco APIC and Intersight Device Connector document.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

The hypervisor topology view has changed in this release. Leaf switches no longer appear in the topology diagram in the work pane when you choose a particular hypervisor in a virtual machine manager (VMM) domain. Also, virtual machines (VMs) attached to the hypervisor now appear as circles instead of squares.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

IPv6 multicast is now enabled with PIMv6 protocol settings.

Base Functionality

The tech support file size is reduced by up to 25%, depending on the switch type and the configured features.

Base Functionality

When you create a bridge domain using the Cisco APIC GUI, the ARP flooding option is now enabled by default. The ARP flooding option is still disabled by default when you use the create a bridge domain using the CLI or REST API.

Base Functionality

You can now configure the Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) in the leaf and spine switch management interfaces.

Ease of Use

The default behavior of the Callhome email received by a user has been modified for clarity.

Performance and Scalability

Multi-node policy-based redirect now supports up to 5 nodes in a single service graph.

Security

When installing the Cisco ACI simulator virtual machine, you no longer need a challenge key nor an activation token. You still need the challenge key and activation token for earlier releases.

Upgrade/Downgrade

Cisco APIC and switch upgrades are now stopped if the scheduled time and date has already passed.

N/A

There are no changes in behavior.

Base Functionality

Cisco APIC-X is deprecated.

N/A

There are no changes in behavior.

Base Functionality

You no longer need to include the IP prefix of the Layer 3 interface when configuring source SPAN with Layer 3 interface filtering. For more information, see the Cisco APIC Troubleshooting Guide, Release 4.1(x).

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

The Capacity Dashboard (Operations > Capacity Dashboard) has been reorganized. In previous releases, the dashboard displayed all of its information on one screen. In this release, the information is split between the new Fabric Capacity tab and Leaf Capacity tab. In addition, the leaf switches listed in the Leaf Capacity tab have a Configure Profile link, which opens the Forward Scale Profile form. The form enables you to configure the scale profile of the switch, if the switch model supports multiple profiles.

Ease of Use

In the Apps tab, if you open an app, navigate to another menu tab, then navigate back to the Apps menu tab, the app now remains open. The app also continues to perform the operation that it was doing before you navigated away. In previous releases, the app would close if you navigated to a different menu tab, which also stopped the app's current operation.

Performance and Scalability

The data plane forwarding impact to endpoints is decreased because the front panel port bring up is delayed during reload scenarios. This enhancement allows the upstream protocols (VXLAN, MP-BGP, and COOP) to converge.

Upgrade/Downgrade

The procedures for upgrading the software using the GUI has changed. For more information, see the Cisco APIC Management, Installation, Upgrade, and Downgrade Guide.

Upgrade/Downgrade

You can no longer use Bash to upgrade the Cisco APIC and switch software. Use the NX-OS style CLI to upgrade the Cisco APIC and switch software instead. For more information, see the Cisco APIC Management, Installation, Upgrade, and Downgrade Guide.

Base Functionality

All dynamic packet prioritization (DPP)-prioritized traffic is now marked Class of Service (CoS) 3 regardless of a custom Quality of Service (QoS) configuration. When these packets ingress and egress the same leaf switch, the CoS value is retained, causing the frames to leave the fabric with the CoS 3 marking.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

The EIGRP metric is now carried over the BGP VPNv4 address family using extended communities.

N/A

There are no changes in behavior.

Base Functionality

The rogue endpoint control policy no longer drops traffic to and from the rogue endpoint.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

N/A

There are no changes in behavior.

Base Functionality

The catalog version no longer matches with the Cisco APIC version. The catalog uses a different versioning scheme beginning in this release.

Base Functionality

The EP tracker can now locate L3Out endpoints. The tracker results now have fields that are specific to L3Out endpoints. For more information, see the EP tracker online help.

N/A

There are no changes in behavior.

Base Functionality

The units of measure for bidirectional forwarding detection intervals are now in milliseconds.

N/A

There are no changes in behavior.