The APIC GUI supports the following browsers:
Chrome version 59 (at minimum) on Mac and Windows
Firefox version 54 (at minimum) on Mac, Linux, and Windows
Internet Explorer version 11 (at minimum)
Safari 10(at minimum)
Restart your browser after upgrading to release
The APIC GUI includes an online version of the
Quick Start guide that includes video
The infrastructure IP address range must not
overlap with other IP addresses used in the fabric
for in-band and out-of-band networks.
The APIC does not provide IPAM services for
To reach the APIC CLI from the GUI: select
System > Controllers, highlight a controller,
right-click and select "launch SSH". To get the
list of commands, press the escape key twice.
In some of the 5-minute statistics data, the
count of ten-second samples is 29 instead of
For the following services, use a DNS-based
host name with out-of-band management
connectivity. IP addresses can be used with both
in-band and out-of-band management connectivity.
Both leaf and spine switches can be managed
from any host that has IP connectivity to the
When configuring an atomic counter policy
between two endpoints, and an IP is learned on one
of the two endpoints, it is recommended to use an
IP-based policy and not a client endpoint-based
When configuring two Layer 3 external networks
on the same node, the loopbacks need to be
configured separately for both Layer 3
All endpoint groups (EPGs), including
application EPGs and Layer 3 external EPGs,
require a domain. Interface policy groups must
also be associated with an Attach Entity Profile
(AEP), and the AEP must be associated with
domains. Based on the association of EPGs to
domains and of the interface policy groups to
domains, the ports and VLANs that the EPG uses are
validated. This applies to all EPGs including
bridged Layer 2 outside and routed Layer 3 outside
EPGs. For more information, see the Cisco
Fundamentals Guide and the KB: Creating Domains,
Attach Entity Profiles, and VLANs to Deploy an EPG
on a Specific Port article.
In the 1.0(4x) and earlier releases, when
creating static paths for application EPGs or
Layer 2/Layer 3 outside EPGs, the physical domain
was not required. In this release, it is required.
Upgrading without the physical domain will raise a
fault on the EPG stating “invalid path
An EPG can only associate with a contract
interface in its own tenant.
User passwords must meet the following
Minimum length is 8
Maximum length is 64
Fewer than three consecutive
At least three of the
following character types: lowercase, uppercase, digit, symbol
Cannot be easily guessed
Cannot be the username or the
reverse of the username
Cannot be any variation of
“cisco”, “isco”, or any permutation of these characters or variants obtained by
changing the capitalization of letters therein
The power consumption statistics are not shown on leaf switch node slot 1.
For Layer 3 external networks created through
the API or Advanced GUI and updated through the
CLI, protocols need to be enabled globally on the
external network through the API or Advanced GUI,
and the node profile for all the participating
nodes needs to be added through the API or
Advanced GUI before doing any further updates
through the CLI.
For Layer 3 external networks created through
the CLI, you should not to update them through the
API. These external networks are identified by
names starting with “__ui_”.
The output from "show" commands issued in the
NX-OS-style CLI are subject to change in future
software releases. Cisco does not recommend using
the output from the show commands for
In this software version, the CLI is supported
only for users with administrative login
Do not separate virtual private cloud (vPC)
member nodes into different configuration zones.
If the nodes are in different configuration zones,
then the vPCs’ modes become mismatched if the
interface policies are modified and deployed to
only one of the vPC member nodes.
If you defined multiple login domains, you can
choose the login domain that you want to use when
logging in to an APIC. By default, the domain
drop-down list is empty, and if you do not choose
a domain, the DefaultAuth domain is used for
authentication. This can result in login failure
if the username is not in the DefaultAuth login
domain. As such, you must enter the credentials
based on the chosen login domain.
A firmware maintenance group should contain max
of 80 nodes.
When contracts are not associated with an endpoint group, DSCP marking is not supported for a VRF with a vzAny contract. DSCP is sent to a leaf switch along with the actrl rule, but a vzAny contract does not have an actrl rule. Therefore, the DSCP value cannot be sent.