The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment life cycle.
The Cisco Application Policy Infrastructure Controller (APIC) enables applications to directly connect with a secure, shared, high-performance resource pool that includes networking and Layer 4 through 7 services.
The key features of the APIC include the following:
– Application-centric network policies
– Data model-based declarative provisioning
– Application, topology monitoring, and troubleshooting
– Third-party integration (Layer 4 through 7 services, vCenter, vShield)
– Image management (spine and leaf)
– Cisco ACI inventory and configuration
– Implementation on a distributed framework across a cluster of appliances
– Health Scores for key Managed Objects (tenants, application profiles, switches, etc.)
– Fault, event, and performance management
– Cisco Application Virtual Switch (AVS), which can be used as a virtual leaf for the Cisco APIC
ACI Fabric and Switches
A clustered replicated APIC appliance manages the ACI fabric. Cisco Nexus 9000 Series switches can run with the ACI-compatible software to run in the leaf/spine fabric mode. These switches form a “fat-tree” network by connecting each leaf node to each spine node; all other devices connect to the leaf nodes.
Figure 1 shows the ACI Fabric with Cisco Nexus 9508, Cisco Nexus 9300 Series leaf switches, and the APIC.
Figure 1 ACI Fabric with Spine and Leaf Switches, and the APIC
This file includes the Python packages that model the Cisco ACI Management Information Tree.
Both files are required.
Note Installation of the SDK with SSL support on Unix/Linux and Mac OS X requires a compiler. For a Windows installation, you can install the compiled shared objects for the SDK dependencies using wheel packages.
Note The model package depends on the SDK package; be sure to install the SDK package first.
Follow this procedure when upgrading from a 1.0(2x) release to a 1.0(3x) release:
1. Upgrade the APIC controller software image.
2. After all APICs in the cluster are successfully upgraded, upgrade all the switches in the fabric.
Note The switches may need to be rebooted after upgrading (See CSCut32029).
Follow this procedure when downgrading from a 1.0(3x) release to a 1.0(2x) release:
1. Downgrade the APIC controller software image.
2. After all APICs in the cluster are successfully downgraded, downgrade all the switches in the fabric.
Note Switch models N9K-C9372PX, N9K-C9332PQ, and N9K-C9372TX are not supported for downgrading in the APIC 1.0(2x) or the Cisco Nexus 9000 11.0(2x) releases. If your fabric has these models, do not downgrade.
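The two ordering rules above (switches move only after every APIC in the cluster is at the target release; no downgrade to a 1.0(2x)/11.0(2x) release when a listed model is present) are easy to script as a preflight. The following is an added example, not Cisco code: the node inventory format (a list of dicts with id, role, model and version) is an assumption loosely modelled on what a fabric inventory contains, the sample nodes and versions are constructed, and the release-string parser reads the 1.0(3f)-style strings the notes use.

```python
"""Preflight for the APIC/switch upgrade and downgrade ordering rules.

Added example, not Cisco code. The inventory format is an assumption; a real
check would pull node id, role, model and running version from the APIC.
"""
import re
from typing import Dict, List, Tuple

# Release strings look like "1.0(3f)" / "11.0(3f)": major.minor(maintenance + patch letter).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")

# Models the release notes list as unsupported on the 1.0(2x) / 11.0(2x) releases.
DOWNGRADE_BLOCKED_MODELS = {"N9K-C9372PX", "N9K-C9332PQ", "N9K-C9372TX"}

SAMPLE_NODES = [  # constructed inventory, not from a real fabric
    {"id": "1", "role": "controller", "model": "APIC-SERVER-L1", "version": "1.0(3f)"},
    {"id": "2", "role": "controller", "model": "APIC-SERVER-L1", "version": "1.0(3f)"},
    {"id": "3", "role": "controller", "model": "APIC-SERVER-L1", "version": "1.0(2j)"},
    {"id": "101", "role": "leaf", "model": "N9K-C9396PX", "version": "11.0(2j)"},
    {"id": "102", "role": "leaf", "model": "N9K-C9372PX", "version": "11.0(3f)"},
    {"id": "201", "role": "spine", "model": "N9K-C9508", "version": "11.0(2j)"},
]


def parse_release(rel: str) -> Tuple[int, int, int, str]:
    """Turn '1.0(3f)' into the sortable tuple (1, 0, 3, 'f')."""
    m = _RELEASE_RE.match(rel.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {rel!r}")
    major, minor, maint, patch = m.groups()
    return int(major), int(minor), int(maint), patch


def change_direction(current: str, target: str) -> str:
    """'upgrade', 'downgrade' or 'none', by comparing the parsed releases."""
    cur, tgt = parse_release(current), parse_release(target)
    if tgt > cur:
        return "upgrade"
    if tgt < cur:
        return "downgrade"
    return "none"


def preflight(nodes: List[Dict[str, str]], apic_target: str, switch_target: str) -> Dict[str, object]:
    """Apply the ordering rules from the release notes.

    1. Switches may only be changed once every controller already runs apic_target.
    2. A switch downgrade to an 11.0(2x) release is refused for the blocked models.
    """
    controllers_pending = [n["id"] for n in nodes
                           if n["role"] == "controller" and n["version"] != apic_target]

    blocking = []
    switch_tgt = parse_release(switch_target)
    for n in nodes:
        if n["role"] not in ("leaf", "spine"):
            continue
        going_down = change_direction(n["version"], switch_target) == "downgrade"
        if going_down and switch_tgt[:3] == (11, 0, 2) and n["model"] in DOWNGRADE_BLOCKED_MODELS:
            blocking.append(n["id"])

    return {
        "controllers_pending": controllers_pending,
        "downgrade_blocked_by": blocking,
        "switches_may_proceed": not controllers_pending and not blocking,
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_NODES, "1.0(3f)", "11.0(3f)"))
    print(preflight(SAMPLE_NODES, "1.0(2j)", "11.0(2j)"))
```

Run against the constructed inventory, the upgrade case reports controller 3 as still pending (so switches must wait), and the downgrade case reports leaf 102 (an N9K-C9372PX) as blocking the downgrade.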
– Cisco UCS Manager software Release 2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter
The breakout of 40G ports to 4x10G on the N9332PQ switch is not supported in ACI-Mode.
To connect the APIC (the controller cluster) to the ACI fabric, it is required to have a 10G interface on the ACI leaf. You cannot connect the APIC directly to the N9332PQ ACI Leaf.
Cisco APIC Release 1.0(3f) supports the following firmware:
– 1.5(4e) CIMC HUU iso
– 2.0(3i) CIMC HUU iso
This section lists usage guidelines for the APIC software.
The APIC GUI supports the following browsers:
– Chrome version 35 (at minimum) on Mac and Windows
– Firefox version 26 (at minimum) on Mac, Linux, and Windows
– Internet Explorer version 11 (at minimum)
– Safari 7.0.3 (at minimum)
Note Restart your browser after upgrading to 1.0(3f).
A known issue exists with the Safari browser and unsigned certificates. Read the information presented here before accepting an unsigned certificate for use with WebSockets.
When you access the HTTPS site, the following message appears:
“Safari can’t verify the identity of the website APIC. The certificate for this website is invalid. You might be connecting to a website that is pretending to be an APIC, which could put your confidential information at risk. Would you like to connect to the website anyway?”
To ensure that WebSockets can connect, you must do the following:
Select Always Trust in the three drop-down lists that appear.
If you do not follow these steps, WebSockets will not be able to connect.
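The browser warning quoted above is accurate about the risk: an unsigned certificate gives no way to tell the real APIC from something pretending to be it. Before choosing Always Trust, compare the fingerprint of the certificate the APIC presents with the fingerprint obtained through a trusted channel. The following is an added example, not Cisco code: it assumes the expected fingerprint is known out of band (for example from the administrator who generated the APIC certificate), and the sample certificate bytes are constructed placeholders, not a real certificate.

```python
"""Compare the certificate an APIC presents with an expected fingerprint.

Added example, not Cisco code. SAMPLE_DER is a constructed placeholder so the
helpers can be exercised offline; it is not a real certificate.
"""
import base64
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 of the DER bytes, the form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    """Same fingerprint starting from PEM text (what ssl.get_server_certificate returns)."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem))


def fetch_server_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint the certificate a live server presents.

    ssl.get_server_certificate does not validate the chain, which is the point
    here: the check is "is this the certificate I expect", not "is a CA happy".
    Not exercised offline.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def matches_expected(presented: str, expected: str) -> bool:
    """Separator- and case-insensitive constant-time comparison of two fingerprints."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(presented), norm(expected))


if __name__ == "__main__":
    # Offline demonstration with the constructed placeholder certificate.
    expected = fingerprint_sha256(SAMPLE_DER)  # stands in for the out-of-band value
    print("match:", matches_expected(fingerprint_from_pem(SAMPLE_PEM), expected))
```

In use, `fetch_server_fingerprint("<apic-host>")` is run from a machine on the management network and its result compared against the fingerprint obtained out of band; Always Trust is only selected when `matches_expected` returns True. Re-run the comparison after any APIC upgrade, since the presented certificate may change.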
The APIC GUI includes an online version of the Quick Start guide that includes video demonstrations.
The infrastructure IP address range must not overlap with other IP addresses used in the fabric for inband and out-of-band networks.
The APIC does not provide an IPAM solution, so ensure that IP addresses are unique within a private network/context.
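Because the APIC does not check this for you, both rules (the infrastructure range must not overlap the inband or out-of-band ranges, and an address must be unique within a context) are worth verifying from the address plan before it is applied. The following is an added example, not Cisco code: the ranges, contexts and owners are constructed values, and the (context, address, owner) record format is an assumption of this example.

```python
"""Address-plan checks for the two guidelines in the APIC release notes.

Added example, not Cisco code. All address values are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

INFRA_RANGE = "10.0.0.0/16"         # constructed infrastructure (TEP) range
MGMT_SUBNETS = {                     # constructed inband / out-of-band ranges
    "oob-mgmt": "192.0.2.0/24",
    "inband-mgmt": "10.0.64.0/20",   # sits inside the infra range: a conflict
}
ASSIGNMENTS = [  # constructed (context, address, owner) records
    ("tenant-a/prod", "10.10.1.10/24", "web-1"),
    ("tenant-a/prod", "10.10.1.10/24", "web-2"),  # reused inside one context: a conflict
    ("tenant-b/prod", "10.10.1.10/24", "db-1"),   # same address in another context: allowed
]


def overlapping_ranges(infra: str, others: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (name, subnet) pairs that overlap the infrastructure range."""
    infra_net = ipaddress.ip_network(infra, strict=False)
    hits = []
    for name, subnet in others.items():
        net = ipaddress.ip_network(subnet, strict=False)
        # overlaps() only makes sense within one address family.
        if infra_net.version == net.version and infra_net.overlaps(net):
            hits.append((name, subnet))
    return hits


def duplicate_addresses(assignments: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Report addresses assigned more than once within the same context.

    The same address in two different contexts (private networks) is fine;
    the same address twice inside one context is what the guideline forbids.
    Keys are "context/address", values are the owners that share it.
    """
    seen: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for ctx, addr, owner in assignments:
        # ip_interface accepts both "10.10.1.10/24" and a bare "10.10.1.10".
        seen[ctx][str(ipaddress.ip_interface(addr).ip)].append(owner)
    return {f"{ctx}/{addr}": owners
            for ctx, addrs in seen.items()
            for addr, owners in addrs.items() if len(owners) > 1}


if __name__ == "__main__":
    print("infra overlaps:", overlapping_ranges(INFRA_RANGE, MGMT_SUBNETS))
    print("duplicates:", duplicate_addresses(ASSIGNMENTS))
```

On the constructed plan the first check flags the inband range as overlapping the infrastructure range, and the second flags 10.10.1.10 as assigned twice in tenant-a/prod while leaving tenant-b/prod's use of the same address alone.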
Press the Escape key twice (<Esc> <Esc>) to display APIC CLI command options.
In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.
For the following services, use a DNS-based host name with out-of-band management connectivity. IP addresses can be used with both inband and out-of-band management connectivity.
– Syslog server
– Call Home SMTP server
– Tech support export server
– Configuration export server
– Statistics export server
Inband management connectivity to the spine switches is possible from any host that is connected to the leaf switches of the Fabric, and leaf switches can be managed from any host that has IP connectivity to the fabric.
When configuring an AC (atomic counter) policy between two endpoints, and an IP is learned on one of the two endpoints, it is recommended to use an IP-based policy, and not a client endpoint based policy.
Verified Scalability Limits
Table 2 contains the maximum verified scale limits for a subset of ACI parameters for the Cisco ACI Release 1.0(3f) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 11.0(3f). These values are based on a profile where each feature was scaled to the numbers specified in the table. The numbers in this table do not represent the theoretically possible ACI fabric scale.
Please contact your Cisco account representative to discuss your use case or other ACI scale parameters that are not listed here.
Table 2 Verified Scalability Limits
Maximum Limits for Fabric
Maximum Limits for Leaf Switches
Maximum Limits per Spine Switch
Layer 3 contexts (VRF contexts or private networks)
1,000 contracts, 10,000 filters
4,000 TCAM entries (specific to N9K-M12PQ)
16,000 tested TCAM entries (specific to N9K-M6PQ)
Note TCAM entries are used for filters. A filter consisting of more than 1 port (for example, a range of ports) may consume more than 1 entry.
12,000 IPv4 hosts
EPG=BD is 3,500 and Multicast Groups < 5,000
EPG+BD <= 3,500 and Multicast Groups < 6,750
External EPGs per Layer 3 Out
2 per layer 3 outside policy
Dynamic route peering sessions
Layer 3 outside policies
1 per VRF
Number of routes (longest prefix matches [LPMs]) on border leaf switches
Tenant SPAN sessions
Fabric SPAN sessions
8 per line card
Number of parallel user sessions
New and Changed Information
This section lists the new and changed features in Release 1.0(3f), and includes the following topics:
New Software Features in Cisco Application Policy Infrastructure Controller Release 1.0(3f)
The Cisco Application Policy Infrastructure Controller Release 1.0(3f) supports the following new software features:
Stretched Fabric - This feature allows each leaf and all spines that participate in a fabric to be located up to 30 km apart, and removes the restriction that every leaf must be connected to all spines.
For more information about the stretched fabric feature, see the KB: ACI Stretched Fabric Design knowledge base article:
When attempting to log into an LDAP provider configured in Strict SSL mode, and the system is not configured with the CA certificate for that LDAP SSL server, the nginx daemon will gracefully restart itself to attempt to work around an openldap library SSL certificate caching bug.
For an endpoint group (EPG) mapped to a bridge domain (BD) in legacy mode, if the encap specified at the static path attachment of a port to an EPG is different from the encap mentioned at the BD level, no fault is raised in the current release.
When the clock between nodes gets resynchronized, atomic counters to and from the node show incorrect drops or incorrect excess packet counts for the first couple of minutes. The suspect flag in the counters is also not set. The condition gets fixed after a couple of seconds.
This document is to be used in conjunction with the documents listed in the “Known Behaviors” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.