Cisco Application Policy Infrastructure Controller Release Notes, Release 2.0(1)
This document describes the features, bugs, and limitations for the Cisco Application Policy Infrastructure Controller (APIC) software.
Note: Use this document in combination with the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.0(1), which you can view at the following location:
Additional product documentation is listed in the "Related Documentation" section.
Release notes are sometimes updated with new information about restrictions and bugs. See the following website for the most recent version of this document:
You can watch videos that demonstrate how to perform specific tasks in the APIC on the Cisco ACI YouTube channel:
https://www.youtube.com/c/CiscoACIchannel
Table 1 shows the online change history for this document.
Table 1 Online History Change
| Date | Description |
| July 2, 2016 | 2.0(1m): Release 2.0(1m) became available. |
| July 5, 2016 | 2.0(1m): Corrected the guidelines and restrictions for the ACI vCenter Plugin for VMware vSphere Web Client new software feature. |
| July 8, 2016 | 2.0(1m): Changed "policy-based routing" to the more appropriate name of "policy-based redirect". |
| July 9, 2016 | 2.0(1n): Added the content for release 2.0(1n). In the Related Documentation section and New Documentation section, added Cisco Nexus 93108TC-EX ACI-Mode Switch Hardware Installation Guide. |
| July 25, 2016 | 2.0(1o): Release 2.0(1o) became available; there are no changes to this document for this release. See the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.0(1) document for changes in this release. |
| August 9, 2016 | 2.0(1p): Release 2.0(1p) became available. Added the resolved bugs for this release. |
| August 10, 2016 | 2.0(1m): In the Open Bugs section, added bug CSCva54489. |
| August 16, 2016 | 2.0(1p): In the Resolved Bugs section, added bug CSCva61926. |
| August 24, 2016 | 2.0(1m): Added the Changes in Behavior section and specified the new location of the GUI Idle Timeout property. |
| August 26, 2016 | 2.0(1q): Release 2.0(1q) became available. Added the resolved bugs for release 2.0(1q). |
| October 20, 2016 | In the Usage Guidelines section, added "ACI does not support a class E address as a VTEP address." |
| October 26, 2016 | 2.0(1q): In the Open Bugs section, added bug CSCvb87120. |
| November 10, 2016 | 2.0(1m): For the Multipod feature and Layer 3 EVPN Services Over Fabric WAN feature, specified that the features are not supported on 9300-EX switches. |
| December 6, 2016 | In the Compatibility Information section, added information about a known issue when using the Safari browser to connect to the APIC. |
| December 12, 2016 | In the New Software Features section, corrected the Port Security row to indicate that the feature is not supported on 9300-EX switches. |
| February 10, 2017 | In the Compatibility Information section, changed the following sentence: You cannot connect the APIC directly to the N9332PQ ACI leaf switch. To: You cannot connect the APIC directly to the N9332PQ ACI leaf switch, unless you use a 40G to 10G converter (part number CVR-QSFP-SFP10G), in which case the port on the N9332PQ switch will auto-negotiate to 10G without requiring any manual configuration. |
| February 23, 2017 | In the Changes in Behavior section, added the following bullet: Under the Admin > Firmware tab, on the Fabric Node Firmware screen, the Default Firmware Version drop-down list is deprecated and cannot be used. |
| February 28, 2017 | In the Usage Guidelines section, added: If the communication between the APIC and vCenter is impaired, some functionality is adversely affected. The APIC relies on the pulling of inventory information, updating vDS configuration, and receiving event notifications from the vCenter for performing certain operations. |
| August 7, 2017 | In the Usage Guidelines section, added: The Cisco Discovery Protocol (CDP) is not supported in policies that are used on FEX interfaces. In the Usage Guidelines section, changed a mention of "Virtual Private Cloud (VPC)" to "virtual port channel (vPC)." |
| August 5, 2019 | 2.0(1m): In the Open Bugs section, added bug CSCvb94260. |
| September 17, 2019 | 2.0(1m): In the Open Bugs section, added bug CSCuu17314. |
| October 4, 2019 | In the Miscellaneous Guidelines section, added the following bullet: When you create an access port selector in a leaf interface profile, the fexId property is configured with a default value of 101 even though a FEX is not connected and the interface is not a FEX interface. The fexId property is only used when the port selector is associated with an infraFexBndlGrp managed object. |
This document includes the following sections:
■ Bugs
The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment life cycle.
The Cisco Application Centric Infrastructure Fundamentals guide provides complete details about the ACI, including a glossary of terms that are used in the ACI.
This release supports the following Cisco APIC servers:
| Product ID | Description |
| APIC-L1 | Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L2 | Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-M1 | Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M2 | Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
The following list includes general compatibility information:
■ This release supports the hardware and software listed on the ACI Ecosystem Compatibility List document and the software listed as follows:
— Cisco NX-OS Release 12.0(1)
— Cisco AVS, Release 5.2(1)SV3(2.1)
For more information about the supported AVS releases, see the AVS software compatibility information in the Cisco Application Virtual Switch Release Notes at the following URL:
— Cisco UCS Manager software release 2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter
See the ACI Ecosystem Compatibility List document at the following URL:
■ The breakout of 40G ports to 4x10G on the N9332PQ switch is not supported in ACI-Mode.
■ To connect the N2348UPQ to ACI leaf switches, the following options are available:
— Directly connect the 40G FEX ports on the N2348UPQ to the 40G switch ports on the N9332PQ switch
— Break out the 40G FEX ports on the N2348UPQ to 4x10G ports and connect to the N9396PX or N9372PX switches
■ Connecting the APIC (the controller cluster) to the ACI fabric requires a 10G interface on the ACI leaf. You cannot connect the APIC directly to the N9332PQ ACI leaf switch, unless you use a 40G to 10G converter (part number CVR-QSFP-SFP10G), in which case the port on the N9332PQ switch will auto-negotiate to 10G without requiring any manual configuration.
■ This release supports the following firmware:
— 1.5(4e) CIMC HUU iso
— 2.0(3i) CIMC HUU iso (recommended)
■ Beginning with Cisco Application Virtual Switch (AVS) release 5.2(1)SV3(1.10), you can connect service virtual machines that are part of Layer 4 to Layer 7 service graphs to AVS. Layer 4 to Layer 7 service graphs for Cisco AVS can be configured for service virtual machines that are in VLAN mode. By using two AVS VMM domains (one with VLAN and one with VXLAN), you can have a virtual machine in VXLAN mode that is protected by service graphs that are using the service virtual machine in VLAN mode.
■ This release supports VMM Integration and VMware Distributed Virtual Switch (DVS) 6.x. For more information about guidelines for upgrading VMware DVS from 5.x to 6.x and VMM integration, see the Cisco ACI Virtualization Guide, Release 2.0(1) at the following URL:
■ This release supports the Microsoft System Center Virtual Machine Manager (SCVMM) Update Rollup 9 and 10 releases, and the Microsoft Windows Azure Pack Update Rollup 9 and 10 releases.
■ This release supports the partner packages specified in the L4-L7 Compatibility List Solution Overview document at the following URL:
https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/solution-overview-listing.html
■ This release supports Adaptive Security Appliance (ASA) device package version 1.2.5.5 or later.
■ If you are running a Cisco Adaptive Security Virtual Appliance (ASAv) version that is prior to version 9.3(2), you must configure SSL encryption as follows:
(config)# ssl encryption aes128-sha1
■ A known issue exists with the Safari browser and unsigned certificates, which applies when connecting to the APIC GUI. For more information, see the Cisco APIC Getting Started Guide.
■ For information about APIC compatibility with UCS Director, see the appropriate Cisco UCS Director Compatibility Matrix document at the following URL:
This section lists usage guidelines for the APIC software.
■ The APIC GUI includes an online version of the Quick Start guide that includes video demonstrations.
■ The infrastructure IP address range must not overlap with other IP addresses used in the fabric for in-band and out-of-band networks.
■ The APIC does not provide IPAM services for tenant workloads.
■ To reach the APIC CLI from the GUI: select System > Controllers, highlight a controller, right-click and select "launch SSH". To get the list of commands, press the escape key twice.
■ In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.
■ For the following services, use a DNS-based host name with out-of-band management connectivity. IP addresses can be used with both in-band and out-of-band management connectivity.
— Syslog server
— Call Home SMTP server
— Tech support export server
— Configuration export server
— Statistics export server
■ Both leaf and spine switches can be managed from any host that has IP connectivity to the fabric.
■ When configuring an atomic counter policy between two endpoints, and an IP is learned on one of the two endpoints, it is recommended to use an IP-based policy and not a client endpoint-based policy.
■ When configuring two Layer 3 external networks on the same node, the loopbacks need to be configured separately for both Layer 3 networks.
■ All endpoint groups (EPGs), including application EPGs and Layer 3 external EPGs, require a domain. Interface policy groups must also be associated with an Attach Entity Profile (AEP), and the AEP must be associated with domains. Based on the association of EPGs to domains and of the interface policy groups to domains, the ports and VLANs that the EPG uses are validated. This applies to all EPGs including bridged Layer 2 outside and routed Layer 3 outside EPGs. For more information, see the Cisco Fundamentals Guide and the KB: Creating Domains, Attach Entity Profiles, and VLANs to Deploy an EPG on a Specific Port article.
Note: In the 1.0(4x) and earlier releases, when creating static paths for application EPGs or Layer 2/Layer 3 outside EPGs, the physical domain was not required. In this release, it is required. Upgrading without the physical domain will raise a fault on the EPG stating "invalid path configuration."
■ An EPG can only associate with a contract interface in its own tenant.
■ User passwords must meet the following criteria:
— Minimum length is 8 characters
— Maximum length is 64 characters
— Fewer than three consecutive repeated characters
— At least three of the following character types: lowercase, uppercase, digit, symbol
— Cannot be easily guessed
— Cannot be the username or the reverse of the username
— Cannot be any variation of "cisco", "isco", or any permutation of these characters or variants obtained by changing the capitalization of letters therein
■ The power consumption statistics are not shown on leaf node slot 1.
■ For Layer 3 external networks created through the API or Advanced GUI and updated through the CLI, protocols need to be enabled globally on the external network through the API or Advanced GUI, and the node profile for all the participating nodes needs to be added through the API or Advanced GUI before doing any further updates through the CLI.
■ For Layer 3 external networks created through the CLI, you should not update them through the API. These external networks are identified by names starting with "__ui_".
■ The output from "show" commands issued in the NX-OS-style CLI is subject to change in future software releases. Cisco does not recommend using the output from the show commands for automation.
■ In this software version, the CLI is supported only for users with administrative login privileges.
■ Do not separate virtual port channel (vPC) member nodes into different configuration zones. If the nodes are in different configuration zones, then the vPCs’ modes become mismatched if the interface policies are modified and deployed to only one of the vPC member nodes.
■ If you defined multiple login domains, you can choose the login domain that you want to use when logging in to an APIC. By default, the domain drop-down list is empty, and if you do not choose a domain, the DefaultAuth domain is used for authentication. This can result in login failure if the username is not in the DefaultAuth login domain. As such, you must enter the credentials based on the chosen login domain.
■ A firmware maintenance group should contain a maximum of 80 nodes.
■ When contracts are not associated with an endpoint group, DSCP marking is not supported for a VRF with a vzAny contract. DSCP is sent to a leaf along with the actrl rule, but a vzAny contract does not have an actrl rule. Therefore, the DSCP value cannot be sent.
■ ACI does not support a class E address as a VTEP address.
■ If the communication between the APIC and vCenter is impaired, some functionality is adversely affected. The APIC relies on the pulling of inventory information, updating vDS configuration, and receiving event notifications from the vCenter for performing certain operations.
■ The Cisco Discovery Protocol (CDP) is not supported in policies that are used on FEX interfaces.
■ When you create an access port selector in a leaf interface profile, the fexId property is configured with a default value of 101 even though a FEX is not connected and the interface is not a FEX interface. The fexId property is only used when the port selector is associated with an infraFexBndlGrp managed object.
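The user password criteria in the usage guidelines above can be checked before credentials are provisioned through automation. The following Python code is an added example, not Cisco code and not part of the original release notes. Assumptions: the function name is hypothetical, the "cisco"/"isco" rule is read as any reordering of those letters appearing anywhere in the password, the username comparison ignores case, and the "cannot be easily guessed" criterion is not modelled.

```python
import re
from itertools import permutations
from typing import List

MIN_LEN, MAX_LEN = 8, 64

# Assumption: "variation or permutation of cisco / isco" is read as any
# reordering of those letters, in any capitalization, appearing anywhere in
# the password. This is stricter than an exact-match reading of the rule.
_FORBIDDEN = {"".join(p) for w in ("cisco", "isco") for p in permutations(w)}


def password_violations(password: str, username: str) -> List[str]:
    """Return the listed criteria that the candidate violates (empty = passes)."""
    problems = []

    if len(password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        problems.append("longer than 64 characters")

    # "Fewer than three consecutive repeated characters": reject aaa, 111, ...
    if re.search(r"(.)\1\1", password, re.DOTALL):
        problems.append("three or more consecutive repeated characters")

    # At least three of: lowercase, uppercase, digit, symbol.
    # Anything that is not a letter or digit is counted as a symbol.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character types")

    # Assumption: the username comparison ignores case.
    lowered, user = password.lower(), username.lower()
    if user and lowered in (user, user[::-1]):
        problems.append("is the username or its reverse")

    if any(f in lowered for f in _FORBIDDEN):
        problems.append('contains a variation of "cisco" or "isco"')

    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any real system.
    samples = [
        ("admin", "Str0ng&Long"),
        ("admin", "Cisco123!"),
        ("admin", "Paaassw0rd"),
        ("Backup_7x", "x7_pukcaB"),
        ("admin", "abc"),
    ]
    for user, candidate in samples:
        found = password_violations(candidate, user)
        print(f"{user!r:12} {candidate!r:14} -> {found or 'meets listed criteria'}")
```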
For the verified scalability limits (except the CLI limits), see the Verified Scalability Guide for this release.
For the CLI verified scalability limits, see the Cisco NX-OS Style Command-Line Interface Configuration Guide for this release.
You can access these documents from the following website:
https://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html
This section lists the new and changed features in this release and includes the following topics:
Table 2 lists the new software features in this release:
Table 2 New Software Features, Guidelines, and Restrictions
| Feature | Description | Guidelines and Restrictions |
| ACI vCenter Plugin for VMware vSphere Web Client | The Cisco ACI vCenter plugin is a user interface that allows you to manage the ACI fabric from within the vSphere Web client. For more information, see the Cisco ACI Virtualization Guide. | Only VMware vSphere Web Client 5.5 and later is supported. |
| AVS Health Status | The Cisco ACI reports errors that occur on nodes in the fabric to the Cisco APIC as an aid to troubleshooting. Cisco AVS faults are now reported as well as faults for leaf and spine switches in the ACI fabric. | None. |
| BGP Limit on the Maximum Autonomous System Numbers | A control knob was added to the BGP timers policy that discards BGP routes that have a number of autonomous system path segments that exceed the specified limit. | None. |
| Contract Permit Logging | You can enable and view contract Layer 2 and Layer 3 permit log data to troubleshoot packets and flows that were allowed to be sent through contract permit rules. You can also enable and view taboo contract Layer 2 and Layer 3 logs for packets and flows that were dropped due to taboo contract deny rules. | This feature is supported only on 9300-EX switches. |
| COOP Authentication | COOP data path communication provides high priority transport using secured connections. COOP is enhanced to leverage the MD5 option to protect COOP messages from malicious traffic injection. The APIC controller and switches support COOP protocol authentication. | None. |
| Copy Services | Unlike SPAN that duplicates all the traffic, the Cisco Application Centric Infrastructure (ACI) contract copy feature enables selectively copying portions of the traffic between endpoint groups, according to the specifications of the contract. Broadcast, unknown unicast and multicast (BUM), and control plane traffic that are not covered by the contract are not copied. SPAN copies everything out of endpoint groups, access ports or uplink ports. Unlike SPAN, copy contracts do not add headers to the copied traffic. Copy contract traffic is managed internally in the switch to minimize impact on normal traffic forwarding. For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. | This feature is supported only on 9300-EX switches. |
| Difference Between Local Time and Unified Cluster Time | This value is the calculated time difference, in milliseconds, between local time and unified cluster time. Unified cluster time is an internal time that is used to time stamp changes within the cluster fabric. Unified cluster time is synchronized internally and cannot be changed by the user, and is used to identify the sequence of changes across different cluster nodes. Unified cluster time can be significantly different than the system time. The difference between local time and unified cluster time can be either a negative or positive value, which indicates whether the local time is ahead of or behind the unified cluster time. | None. |
| Digital Optical Monitoring | In this release, you can enable and view digital optical monitoring (DOM) statistics to troubleshoot physical optical interfaces (on transceivers) for both leaf and spine nodes. The statistics include the number of alerts, Tx fault count, and Rx loss count, as well as the value and thresholds for temperature, voltage, electrical current, optical Tx power, and optical Rx power for the interface. | None. |
| Distributed Firewall Permit Logging | Cisco AVS now reports the flows that are permitted by Distributed Firewall to the system log (syslog) as well as flows that are denied. You can configure parameters for the flows in the CLI or REST API to assist with auditing network security. | None. |
| EPG Delimiter | When creating a vCenter domain or SCVMM domain, you can now specify a delimiter to use with the VMware port group name. For more information, see the Cisco ACI Virtualization Guide. | None. |
| EPG Deployment Through AEP | Attached entity profiles can be associated directly with application EPGs, which deploys the associated application EPGs to all of the ports that are associated with the attached entity profile. | None. |
| FCoE N-Port Virtualization support | ACI 2.0(1) supports Fibre Channel over Ethernet (FCoE) traffic through direct connections between hosts and F port-enabled interfaces and direct connections between the FCF device and an NP port-enabled interface on ACI leaf switches. | This feature is supported only on 9300-EX switches. FCoE host-to-F port or FEX-to-NP port connections through intervening FEX devices are not supported. Static endpoints for an FCoE end host are not supported. |
| IGMP Snoop Policy Disable | The IGMP snoop policy now supports the adminSt parameter, which can be used to disable IGMP snooping on ACI. | None. |
| Layer 3 EVPN Services Over Fabric WAN | The Layer 3 EVPN services over fabric WAN feature enables much more efficient and scalable ACI fabric WAN connectivity. It uses the BGP EVPN protocol over OSPF for WAN routers that are connected to spine switches. | This feature is not supported on 9300-EX switches. You cannot use this feature with the multipod feature. Only a single Layer 3 EVPN Services Over Fabric WAN provider policy can be deployed on spine switch interfaces for the whole fabric. |
| Layer 3 Multicast | Cisco APIC supports the Layer 3 multicast feature with multicast routing enabled using the Protocol Independent Multicast (PIM) protocol. Layer 3 multicast supports Any Source Multicast (ASM) and Source-Specific Multicast (SSM). | This feature is supported only on 9300-EX switches. |
| Multipod Support | Multipod enables provisioning a more fault tolerant fabric comprised of multiple pods with isolated control plane protocols. Also, multipod provides more flexibility with regard to the full mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, multipod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches. | This feature is not supported on 9300-EX switches. You cannot use this feature with the Layer 3 EVPN services over fabric WAN feature. |
| OSPF Inbound Route Controls | Support is added for inbound route controls in Layer 3 Outside tenant networks, using OSPF. This includes aggregate import route controls using OSPF. | None. |
| Policy-Based Redirect | Cisco Application Centric Infrastructure (ACI) policy-based redirect (PBR) enables provisioning service appliances such as firewalls or load balancers as managed or unmanaged nodes without needing a Layer 4 to Layer 7 package. Typical use cases include provisioning service appliances that can be pooled, tailored to application profiles, scaled easily, and have reduced exposure to service outages. PBR simplifies the deployment of service appliances by enabling the provisioning consumer and provider endpoint groups all to be in the same VRF instance. For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. | None. |
| Port Security | The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. This feature support is available for physical ports, port channels, and virtual port channels. | This feature is not supported on 9300-EX switches. |
| Support for Multiple vCenters per Fabric | You can now have 50 vCenters per fabric. | None. |
| VMware vRealize Integration Enhancements | vRealize 7.0 and the vCenter plugin are now supported. The following blueprints are now supported: Generate and Add Certificate to APIC; Add FW to Tenant Network - VPC Plan. For more information, see the Cisco ACI Virtualization Guide. | None. |
| vRealize Support for AVS | Cisco AVS is now supported in VMware's products vRealize Automation (vRA) and vRealize Orchestrator (vRO), parts of the VMware vRealize Suite for building and managing multivendor hybrid cloud environments. | None. |
For new hardware features, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.0(1) at the following location:
This section lists changes in behavior in this release.
■ The GUI Idle Timeout property is now found under the Admin > AAA tab, in the Security Management properties.
■ Under the Admin > Firmware tab, on the Fabric Node Firmware screen, the Default Firmware Version drop-down list is deprecated and cannot be used.
This section contains lists of open and resolved bugs and known behaviors.
This section lists the open bugs. Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 2.0(1) releases in which the bug exists. A bug might also exist in releases other than the 2.0(1) releases.
Table 3 Open Bugs in the 2.0(1) Release
| Bug ID | Description | Exists in |
| | CDP is not enabled on the management interfaces for the leaf switches and spine switches. | 2.0(1m) and later |
| | The server virtual Fibre Channel interface state changes to "port reinit limit reached" when an NP link is shut down. | 2.0(1m) and later |
| | The IFC does not clear the faults after the endpoint group deployment is delivered. | 2.0(1m) and later |
| | The "BD type" option is missing in the "Specify Bridge Domain for the VRF" page of the "Create Bridge Domain" dialog. | 2.0(1m) and later |
| | If a node or interface is added to the Out of Service policy, APIC honors the policy whenever node ID matches, ignoring the POD ID in this case. | 2.0(1m) and later |
| | After upgrading to the 2.0(1m) release, the following fault occurs: "F608160 [FSM:FAILED]: Task for updating pool (TASK:ifc::dhcpd:DhcpPoolUpdatePool)". Under the policymgr logs, there are DHCP entries with an error description of "Parent not present to create PoolDef". This issue occurs if the VTEP pool is greater than or equal to /23. In this case, the fabricSetupP managed object is not created, which means that no default pod policy object is created and the ASN/Route Reflector configuration is removed. As a result, all L3out routes received on a border leaf switch will not be redistributed to a non-border leaf switch, and all L3Out traffic is dropped on the non-border leaf switch. | 2.0(1m) and later |
| | Symptom #1. For a three node APIC cluster, APIC2 or APIC3 or both may be stuck at 75% waiting for lower nodes to complete the upgrade, even after APIC1 has been upgraded successfully. However, the APIC2 and APIC3 "acidiag avread" output shows that APIC1's version is still the previous version. Symptom #2. All three APICs have been upgraded successfully and become fully fit. The "acidiag avread" output for the APICs shows that only the local APIC is running the newer version while the other two APICs are running the previous version. | 2.0(1m) and later |
| | A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. The vulnerability is due to insufficient security requirements during the Link Layer Discovery Protocol (LLDP) setup phase of the infrastructure VLAN. An attacker could exploit this vulnerability by sending a malicious LLDP packet on the adjacent subnet to the Cisco Nexus 9000 Series Switch in ACI mode. A successful exploit could allow the attacker to connect an unauthorized server to the infrastructure VLAN, which is highly privileged. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco Application Policy Infrastructure Controller (APIC) services or join other host endpoints. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass | 2.0(1m) and later |
| | If the identity of a node is changed when a cluster is split, the changes are not synchronized across all APICs even after the cluster becomes fully fit. | 2.0(1q) and later |
This section lists the resolved bugs. Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Fixed In" column of the table specifies whether the bug was resolved in the base release or a patch release.
Table 4 Resolved Bugs in the 2.0(1) Release
| Bug ID | Description | Fixed in |
| | After importing an exported configuration, graph instances are not created and Layer 4 to Layer 7 packages are missing in the system. | 2.0(1m) |
| | Because of the MTU setting on the APIC interface (1500 B), packets bigger than 1476 bytes (+50 bytes for encap) get dropped. | 2.0(1m) |
| | NGINX dumps a core after generating the following error message: "stimulus (envelope 0x2000000000004) will be dropped!" | 2.0(1m) |
| | The APIC cluster fails due to the clock time being set to a time range outside of the certificate valid time. | 2.0(1m) |
| | The APIC GUI treats the "Primary VLAN" encapsulation field as mandatory if the static VLAN mode is chosen in the "Create VMM Domain association" GUI wizard. As a workaround, specify a valid value in the "Primary VLAN" field in the GUI. This issue is not present when an EPG is deployed through the APIC REST interface, or when using the APIC CLI. | 2.0(1m) |
| | After upgrading a vPC pair of leaf switches, when one of the switches comes back online, there is a disruption for a period of time. | 2.0(1m) |
| | When a kernel core occurs on the APIC, the standard admin user cannot transfer the file to be exported. As such, faults and errors appear in the GUI. | 2.0(1m) |
| | After adding a static endpoint under the default EPG in the infra tenant, the APIC cluster becomes diverged and devices utilizing the infra VLAN become unreachable. This configuration causes the encapsulation for the infra:default EPG to be changed to the encapsulation that is configured with the static endpoint. | 2.0(1m) |
| | While using the APIC, the GUI is very slow and some policies are not deployed on the switches. When you SSH to the APIC and run the "top" command, you see very high CPU utilization on the "policymgr" and "eventmgr". | 2.0(1m) |
| | APIC might fail to boot due to an invalid grub boot configuration after upgrade. The following output is displayed on the APIC console: Press any key to enter the menu Booting Insieme Fabric Controller 1.2.3c on /rfs1 in 0 seconds... Error 15: File not found Press any key to continue... | 2.0(1m) |
| | Not all policies get pushed to the Layer 4 to Layer 7 device. This issue occurs when the message size has been exceeded and the message is dropped. As a result, some policies are not pushed to ASA, which can include a configuration change. Any future messages state that there are no additional changes, and as such the configuration is never updated. | 2.0(1m) |
| | Sometimes the APIC becomes unreachable through the GUI, REST APIs, and SSH. When accessing APIC through the rescue-user, the cluster shows as diverged and the policy-manager (service 6) shows one or more shards in down state. | 2.0(1m) |
| | Multi-destination frames are not being flooded in the fabric. If you have a source on 1 leaf switch and a destination on another leaf switch, the frame that gets sent from the source never makes it to the destination when you have bridge domain settings set to flood. | 2.0(1p) |
| | An outage occurs when interconnecting two ACI fabrics back-to-back. The leaf and spine nodes might drop out of the fabric and links might move out of service due to Infra VLAN mismatch faults. | 2.0(1p) |
| | After upgrading from a 1.2(3) release, all AVS (VXLAN/LS) become disconnected from the OpFlex channel. Some virtual machine ports become blocked, and the issue spread across the entire DVS environment. This resulted in an Odev certification mismatch between the APIC and the switches. | 2.0(1q) |
This section lists bugs that describe known behaviors. Click the Bug ID to access the Bug Search Tool and see additional information about the bug. The "Exists In" column of the table specifies the 2.0(1) releases in which the known behavior exists. A bug might also exist in releases other than the 2.0(1) releases.
Table 6 Known Behaviors in the 2.0(1) Release
| Bug ID | Description | Exists in |
| | The APIC does not validate duplicate IP addresses that are assigned to two device clusters. The communication to devices or the configuration of service devices might be affected. | 2.0(1m) and later |
| | In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30. | 2.0(1m) and later |
| | The node ID policy can be replicated from an old appliance that is decommissioned when it joins a cluster. | 2.0(1m) and later |
| | The DSCP value specified on an external endpoint group does not take effect on the filter rules on the leaf switch. | 2.0(1m) and later |
| | The hostname resolution of the syslog server fails on leaf and spine switches over in-band connectivity. | 2.0(1m) and later |
| | Following a FEX or switch reload, configured interface tags are no longer configured correctly. | 2.0(1m) and later |
| | Switches can be downgraded to a 1.0(1x) version if the imported configuration consists of a firmware policy with a desired version set to 1.0(1x). | 2.0(1m) and later |
| | If the APIC is rebooted using the CIMC power reboot, the system enters into fsck due to a corrupted disk. | 2.0(1m) and later |
| | The Cisco APIC Service (ApicVMMService) shows as stopped in the Microsoft Service Manager (services.msc in control panel > admin tools > services). This happens when a domain account does not have the correct privilege in the domain to restart the service automatically. | 2.0(1m) and later |
| | The traffic destined to a shared service provider endpoint group picks an incorrect class ID (PcTag) and gets dropped. | 2.0(1m) and later |
| | Traffic from an external Layer 3 network is allowed when configured as part of a vzAny (a collection of endpoint groups within a context) consumer. | 2.0(1m) and later |
| | Newly added microsegment EPG configurations must be removed before downgrading to a software release that does not support it. | 2.0(1m) and later |
| | Downgrading the fabric starting with the leaf will cause faults such as policy-deployment-failed with fault code F1371. | 2.0(1m) and later |
| | The OpenStack metadata feature cannot be used with ACI integration with the Juno release (or earlier) of OpenStack due to limitations with both OpenStack and Cisco’s ML2 driver. | 2.0(1m) and later |
| | Downgrading an APIC configured with Intra-EPG deny configuration from the 1.2(2) release to an earlier release is not supported. The Intra-EPG deny configuration must be manually cleaned up before downgrading. |
2.0(1m) and later |
|
Creating or deleting a fabricSetupP policy results in an inconsistent state. |
2.0(1m) and later |
■ In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally "up" external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide.
The Cisco Application Policy Infrastructure Controller (APIC) documentation can be accessed from the following website:
The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, as well as other documentation. KB articles provide information about a specific use case or a specific topic.
By using the "Choose a topic" and "Choose a document type" fields of the APIC documentation website, you can narrow down the displayed documentation list to make it easier to find the desired document.
The following tables describe the core APIC documentation.
Note: Not every document has a new version for each release. Unless specified otherwise, the latest document version applies if the document was not revised for this release.
Table 7 Installation, Upgrade, and Configuration Documentation
Document |
Description |
Cisco APIC Basic Configuration Guide |
Describes steps that you must perform to configure your ACI fabric. Note: This document was formerly known as the Cisco ACI Basic Configuration Guide. |
Cisco APIC Getting Started Guide |
Describes the first things that you must do to use the APIC after you install the APIC software. |
Cisco Nexus 93108TC-EX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 93180YC-EX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9332PQ ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9336PQ ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9372PX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9372TX and 9372-TX-E ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9396PX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9396TX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9504 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9508 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Cisco Nexus 9516 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
Managing ACI Fabric Upgrades and Downgrades |
Describes how to upgrade or downgrade the APIC controller's appliance firmware and how to install the APIC software. This document also describes any limitations when upgrading or downgrading. Note: This document replaces both the Cisco APIC Controller and Switch Upgrade and Downgrade Guide and the Cisco Application Policy Infrastructure Controller (APIC) Installation Guide. |
Minimum and Recommended Cisco ACI and APIC Releases |
Lists the minimum and recommended ACI and APIC software releases for both new and existing deployments. |
Operating Cisco Application Centric Infrastructure |
Describes how to perform day-to-day operations with the ACI. |
Verified Scalability Guide for Cisco ACI and Cisco Nexus 9000 Series ACI-Mode Switches |
Describes the maximum verified scalability limits for ACI parameters for the Cisco ACI and Cisco Nexus 9000 Series ACI-Mode Switches. |
Table 8 Interface Documentation
Document |
Description |
Cisco APIC NX-OS Style Command-Line Interface Configuration Guide |
Describes how to configure the APIC using the NX-OS-style CLI. |
Cisco APIC REST API User Guide |
Describes how to use the APIC REST APIs. |
Table 9 Reference Documentation
Document |
Description |
Cisco Application Centric Infrastructure Fundamentals |
Provides a basic understanding of the capabilities of the ACI and APIC. |
Table 10 Layer 4 to Layer 7 Documentation
Document |
Description |
Cisco APIC Layer 4 to Layer 7 Device Package Development Guide |
Describes how to develop a device package for the Layer 4 to Layer 7 services. |
Cisco APIC Layer 4 to Layer 7 Service Graph Deployment Guide |
Describes how to deploy a Layer 4 to Layer 7 service graph in greater detail than the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide with common use cases. |
Cisco APIC Layer 4 to Layer 7 Services Deployment Guide |
Describes how to deploy the Layer 4 to Layer 7 services using the APIC. |
Table 11 Virtualization Documentation
Document |
Description |
Cisco ACI Virtualization Guide |
Describes how to deploy ACI with virtualization solutions, such as Cisco AVS, VMware VDS, or Microsoft SCVMM. |
Table 12 ACI with OpenStack Documentation
Document |
Description |
Cisco ACI Installation Guide for Mirantis OpenStack |
Describes how to install the plugin that allows you to use Mirantis OpenStack with ACI. |
Cisco ACI with OpenStack OpFlex Deployment Guide for Red Hat |
Describes how to deploy ACI with OpenStack OpFlex on the Red Hat platform. |
Cisco ACI with OpenStack OpFlex Deployment Guide for Ubuntu |
Describes how to deploy ACI with OpenStack OpFlex on the Ubuntu platform. |
Installing the Cisco APIC OpenStack Driver |
Describes how to install the APIC OpenStack driver. |
OpenStack Group-Based Policy User Guide |
Describes how to use group-based policies. |
Table 13 Troubleshooting Documentation
Document |
Description |
Cisco APIC Troubleshooting Guide |
Describes how to troubleshoot common APIC issues. |
Troubleshooting Cisco Application Centric Infrastructure |
Provides additional information about how to troubleshoot common APIC issues. |
This section lists the new Cisco APIC product documents for this release.
■ Cisco ACI Simulator Getting Started Guide, Release 2.0(1)
■ Cisco ACI Virtualization Guide, Release 2.0(1)
■ Cisco APIC Basic Configuration Guide, Release 2.0(1)
■ Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 2.0(1)
■ Cisco APIC NX-OS Style CLI Command Reference, Release 2.0(1)
■ Cisco Nexus 93108TC-EX ACI-Mode Switch Hardware Installation Guide
■ KB: Council of Oracle Protocol Authentication
■ Managing ACI Fabric Upgrades and Downgrades
■ Using Layer 3 Multicast with Cisco ACI
■ Using Port Security and Cisco ACI
■ Verified Scalability Guide for Cisco ACI, Release 2.0(1) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 12.0(1)
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2016-2019 Cisco Systems, Inc. All rights reserved.