Cisco Application Policy Infrastructure Controller, Release 2.1(2), Release Notes
Available Languages
Cisco Application Policy Infrastructure Controller Release Notes, Release 2.1(2)
This document describes the features, bugs, and limitations for the Cisco Application Policy Infrastructure Controller (APIC) software.
Note: Use this document in combination with the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.1(2), which you can view at the following location:
Additional product documentation is listed in the “Related Documentation” section.
Release notes are sometimes updated with new information about restrictions and bugs. See the following website for the most recent version of this document:
You can watch videos that demonstrate how to perform specific tasks in the APIC on the Cisco ACI YouTube channel:
https://www.youtube.com/c/CiscoACIchannel
Table 1 shows the online change history for this document.
Table 1 Online History Change
| Date |
Description |
| February 18, 2017 |
2.1(2e): Created the release notes for the 2.1(2e) release. |
| February 20, 2017 |
2.1(2e): In the Resolved Bugs section, added bug CSCvc23465. |
| February 28, 2017 |
In the Usage Guidelines section, added: If the communication between the APIC and vCenter is impaired, some functionality is adversely affected. The APIC relies on the pulling of inventory information, updating vDS configuration, and receiving event notifications from the vCenter for performing certain operations. |
| April 27, 2017 |
2.1(2g): Release 2.1(2g) became available. Added the resolved bugs for this release. |
| October 23, 2017 |
2.1(2k): Release 2.1(2k) became available; there are no changes to this document for this release. |
| November 20, 2017 |
In the Usage Guidelines section, changed a mention of “Virtual Private Cloud (VPC)” to “virtual port channel (vPC).” |
| April 11, 2018 |
In the Compatibilty Information section, changed the supported Cisco AVS release to 5.2(1)SV3(2.6). |
| August 5, 2019 |
2.1(2e): In the Resolved Bugs section, added bug CSCvb94260. |
| September 17, 2019 |
2.1(2e): In the Open Bugs section, added bug CSCuu17314. |
| October 4, 2019 |
In the Miscellaneous Guidelines section, added the following bullet: ■ When you create an access port selector in a leaf interface rofile, the fexId property is configured with a default value of 101 even though a FEX is not connected and the interface is not a FEX interface. The fexId property is only used when the port selector is associated with an infraFexBndlGrp managed object. |
Contents
This document includes the following sections:
■ Bugs
Introduction
The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment life cycle.
The Cisco Application Centric Infrastructure Fundamentals guide provides complete details about the ACI, including a glossary of terms that are used in the ACI.
Compatibility Information
This release supports the following Cisco APIC servers:
| Product ID |
Description |
| APIC-L1 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L2 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-M1 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M2 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
The following list includes general compatibility information:
■ This release supports the hardware and software listed on the ACI Ecosystem Compatibility List document and the software listed as follows:
— Cisco NX-OS Release 12.1(2)
— Cisco AVS, Release 5.2(1)SV3(2.6)
For more information about the supported AVS releases, see the AVS software compatibility information in the Cisco Application Virtual Switch Release Notes at the following URL:
— Cisco UCS Manager software release 2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter
See the ACI Ecosystem Compatibility List document at the following URL:
■ The breakout of 40G ports to 4x10G on the N9332PQ switch is not supported in ACI-Mode.
■ To connect the N2348UPQ to ACI leaf switches, the following options are available:
— Directly connect the 40G FEX ports on the N2348UPQ to the 40G switch ports on the ACI leaf switches
— Break out the 40G FEX ports on the N2348UPQ to 4x10G ports and connect to the 10G ports on all other ACI leaf switches
Note: A fabric uplink port cannot be used as a FEX fabric port.
■ Connecting the APIC (the controller cluster) to the ACI fabric requires a 10G interface on the ACI leaf. You cannot connect the APIC directly to the N9332PQ ACI Leaf.
■ This release supports the following firmware:
— 1.5(4e) CIMC HUU iso
— 2.0(3i) CIMC HUU iso
— 2.0(9c) CIMC HUU iso (recommended)
■ Beginning with Cisco Application Virtual Switch (AVS) release 5.2(1)SV3(1.10), you can connect service virtual machines that are part of Layer 4 to Layer 7 service graphs to AVS. Layer 4 to Layer 7 service graphs for Cisco AVS can be configured for service virtual machines that are in VLAN mode. By using using an AVS VMM domain with both VLAN and VXLAN, you can have a virtual machine in VXLAN mode that is protected by service graphs that are using the service virtual machine in VLAN mode.
■ This release supports VMM Integration and VMware Distributed Virtual Switch (DVS) 6.x. For more information about guidelines for upgrading VMware DVS from 5.x to 6.x and VMM integration, see the Cisco ACI Virtualization Guide, Release 2.1(2) at the following URL:
■ This release supports the Microsoft System Center Virtual Machine Manager (SCVMM) Update Rollup 9 and 10 releases, and the Microsoft Windows Azure Pack Update Rollup 9 and 10 releases.
■ This release supports the partner packages specified in the L4-L7 Compatibility List Solution Overview document at the following URL:
https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/solution-overview-listing.html
■ This release supports Adaptive Security Appliance (ASA) device package version 1.2.5.5 or later.
■ If you are running a Cisco Adaptive Security Virtual Appliance (ASAv) version that is prior to version 9.3(2), you must configure SSL encryption as follows:
(config)# ssl encryption aes128-sha1
■ A known issue exists with the Safari browser and unsigned certificates, which applies when connecting to the APIC GUI. For more information, see the Cisco APIC Getting Started Guide.
■ For information about APIC compatibility with UCS Director, see the appropriate Cisco UCS Director Compatibility Matrix document at the following URL:
Usage Guidelines
This section lists usage guidelines for the APIC software.
■ The APIC GUI includes an online version of the Quick Start guide that includes video demonstrations.
■ The infrastructure IP address range must not overlap with other IP addresses used in the fabric for in-band and out-of-band networks.
■ The APIC does not provide IPAM services for tenant workloads.
■ To reach the APIC CLI from the GUI: select System > Controllers, highlight a controller, right-click and select "launch SSH". To get the list of commands, press the escape key twice.
■ In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30.
■ For the following services, use a DNS-based host name with out-of-band management connectivity. IP addresses can be used with both in-band and out-of-band management connectivity.
— Syslog server
— Call Home SMTP server
— Tech support export server
— Configuration export server
— Statistics export server
■ Both leaf and spine switches can be managed from any host that has IP connectivity to the fabric.
■ If an IP address is learned on one of two endpoints for which you are configuring an atomic counter policy, you should use an IP-based policy and not a client endpoint-based policy.
■ When configuring two Layer 3 external networks on the same node, the loopbacks need to be configured separately for both Layer 3 networks.
■ All endpoint groups (EPGs), including application EPGs and Layer 3 external EPGs, require a domain. Interface policy groups must also be associated with an Attach Entity Profile (AEP), and the AEP must be associated with domains. Based on the association of EPGs to domains and of the interface policy groups to domains, the ports and VLANs that the EPG uses are validated. This applies to all EPGs including bridged Layer 2 outside and routed Layer 3 outside EPGs. For more information, see the Cisco Fundamentals Guide and the KB: Creating Domains, Attach Entity Profiles, and VLANs to Deploy an EPG on a Specific Port article.
Note: When creating static paths for application EPGs or Layer 2/Layer 3 outside EPGs, the physical domain is not required. Upgrading without the physical domain will raise a fault on the EPG stating “invalid path configuration.”
■ An EPG can only associate with a contract interface in its own tenant.
■ User passwords must meet the following criteria:
— Minimum length is 8 characters
— Maximum length is 64 characters
— Fewer than three consecutive repeated characters
— At least three of the following character types: lowercase, uppercase, digit, symbol
— Cannot be easily guessed
— Cannot be the username or the reverse of the username
— Cannot be any variation of “cisco”, “isco”, or any permutation of these characters or variants obtained by changing the capitalization of letters therein
■ The power consumption statistics are not shown on leaf node slot 1. You must view the statistics from any other node.
■ For Layer 3 external networks created through the API or Advanced GUI and updated through the CLI, protocols need to be enabled globally on the external network through the API or Advanced GUI, and the node profile for all the participating nodes needs to be added through the API or Advanced GUI before doing any further updates through the CLI.
■ For Layer 3 external networks created through the Basic GUI or CLI, you should not to update them through the API. These external networks are identified by names starting with “__ui_”.
■ The output from "show" commands issued in the NX-OS-style CLI are subject to change in future software releases. Cisco does not recommend using the output from the show commands for automation.
■ The CLI is supported only for users with administrative login privileges.
■ Do not separate virtual private cloud (VPC) member nodes into different configuration zones. If the nodes are in different configuration zones, then the VPCs’ modes become mismatched if the interface policies are modified and deployed to only one of the VPC member nodes.
■ If you defined multiple login domains, you can choose the login domain that you want to use when logging in to an APIC. By default, the domain drop-down list is empty, and if you do not choose a domain, the DefaultAuth domain is used for authentication. This can result in login failure if the username is not in the DefaultAuth login domain. As such, you must enter the credentials based on the chosen login domain.
■ A firmware maintenance group should contain max of 80 nodes.
■ When contracts are not associated with an endpoint group, DSCP marking is not supported for a VRF with a vzAny contract. DSCP is sent to a leaf along with the actrl rule, but a vzAny contract does not have an actrl rule. Therefore, the DSCP value cannot be sent.
■ When creating a vPC domain between two leaf switches, both switches must be in the same switch generation. Switches not in the same generation are not compatible vPC peers. The generations are as follows:
o Generation 1—Cisco Nexus N9000K switches without “EX” on the end of the switch name; for example, N9K-9312TX
o Generation 2—Cisco Nexus N9K switches with “EX” on the end of the switch model name; for example, N9K-93108TC-EX
■ The Cisco Discovery Protocol (CDP) is not supported in policies that are used on FEX interfaces.
■ Cisco ACI does not support a class E address as a VTEP address.
■ In a multipod fabric, if a spine in POD1 uses the infra tenant L3extOut-1, the TORs of the other pods (POD2, POD3) cannot use the same infra L3extOut (L3extOut-1) for Layer 3 EVPN control plane connectivity. Each POD must use its own spine switch and infra L3extOut.
■ If the communication between the APIC and vCenter is impaired, some functionality is adversely affected. The APIC relies on the pulling of inventory information, updating vDS configuration, and receiving event notifications from the vCenter for performing certain operations.
■ When you create an access port selector in a leaf interface rofile, the fexId property is configured with a default value of 101 even though a FEX is not connected and the interface is not a FEX interface. The fexId property is only used when the port selector is associated with an infraFexBndlGrp managed object.
Verified Scalability Limits
For the verified scalability limits (except the CLI limits), see the Verified Scalability Guide for this release.
For the CLI verified scalability limits, see the Cisco NX-OS Style Command-Line Interface Configuration Guide for this release.
You can access these documents from the following website:
https://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html
New and Changed Information
This section lists the new and changed features in this release and includes the following topics:
New Software Features
This release supports no new software features.
New Hardware Features
For new hardware features, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.1(2) at the following location:
Changes in Behavior
There are no changes in behavior in this release.
■
Bugs
This section contains lists of open and resolved bugs and known behaviors.
Open Bugs
This section lists the open bugs. Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 2.1(2) releases in which the bug exists. A bug might also exist in releases other than the 2.1(2) releases.
Table 2 Open Bugs in the 2.1(2) Release
| Bug ID |
Description |
Exists in |
| CDP is not enabled on the management interfaces for the leaf switches and spine switches. |
2.1(2e) and later |
|
| When using the Advanced Encryption Standard (AES) encryption in the CLI, the passphrase displays in plain text. |
2.1(2e) and later |
|
| After upgrading to the 2.1(2) release from the 2.0(1) release, one IP of a vPC goes down. The IP comes back up due to a modify process, such as incrementing the IP on one leg and submitting, or due to deleting or adding the configuration on the logical interface profile of the L3Out. |
2.1(2e) and later |
|
| A fault gets raised when configuring PIM with SVI, and the fault does not get cleared even after removing the interface from SVI. |
2.1(2e) and later |
|
| LLDP/CDP adjacency faults get raised on the APIC for AVS, but the faults are not relevant for AVS. |
2.1(2e) and later |
|
| There are downgrade issues from the 2.1(2) release to the 2.0(2) release when the VMM and EPG are in different encapsulations. |
2.1(2e) and later |
|
| Adding an image to the repository fails intermittently, regardless if the image was added by downloading it using the GUI or API, or uploading it using the GUI or API. |
2.1(2e) and later |
|
| In the Edit VMM Domain Association dialog box, changing the VLAN mode and then clicking Cancel does not undo the VLAN mode change. |
2.1(2e) and later |
|
| If there are changes made in the RBAC policy prior to the upgrade from a 2.0 release to a 2.1 or later release, the process policy manager (policymgr) might continuously crash on the APIC. |
2.1(2e) and later |
|
| A message indicating a successful upgrade is seen within 20 minutes when upgrading a Cisco APIC. In comparison, upgrading a leaf switch with a large TCAM will take up to 90 minutes to bring up the port channels for use with compute or L3Outs. After successfully upgrading the first VPC leaf switch, if you start a peer upgrade, you will have traffic loss until the first leaf switch’s port channel comes up. |
2.1(2e) and later |
|
| A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. The vulnerability is due to insufficient security requirements during the Link Layer Discovery Protocol (LLDP) setup phase of the infrastructure VLAN. An attacker could exploit this vulnerability by sending a malicious LLDP packet on the adjacent subnet to the Cisco Nexus 9000 Series Switch in ACI mode. A successful exploit could allow the attacker to connect an unauthorized server to the infrastructure VLAN, which is highly privileged. With a connection to the infrastructure VLAN, the attacker can make unauthorized connections to Cisco Application Policy Infrastructure Controller (APIC) services or join other host endpoints. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass |
2.1(2e) and later |
Resolved Bugs
This section lists the resolved bugs. Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Fixed In" column of the table specifies whether the bug was resolved in the base release or a patch release.
Table 4 Resolved Bugs in the 2.1(2) Release
| Bug ID |
Description |
Fixed in |
| The Cisco Application Policy Infrastructure Controller (APIC) includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0800 |
2.1(2e) |
|
| Symptom #1. For a three node APIC cluster, APIC2 or APIC3 or both may stuck at 75% waiting for lower nodes completing the upgrade, even after APIC1 has been upgraded successfully. However, the APIC2 and APIC3 "acidiag avread" output shows that APIC1's version is still the previous version. Symptom #2. All three APICs have been upgraded successfully and become fully fit. The "acidiag avread" output for the APICs shows that only the local APIC is running the newer version while the other two APICs are running the previous version. |
2.1(2e) |
|
| When creating a download task on the APIC over a WAN link, you see the following error: Operation too slow. Less than 1000000 bytes/sec transferred in the last 30 seconds |
2.1(2e) |
|
| If both OSPF and BGP are configured on the same L3Out, the expected behavior is that OSPF routes should not get redistributed into the MP-BGP session in the fabric. But, in some configuration sequences, OSPF routes are getting redistributed into BGP. When both OSPF and BGP are enabled, BGP is the main routing protocol. OSPF is used only to provide connectivity for the BGP session and thus OSPF routes only need to be local to the leaf switch and not be redistributed into the fabric. |
2.1(2e) |
|
| The following multipod FSM fault displays after receiving CDP neighbor info from IPN: F607666 - [FSM:FAILED]: Report fabric path group on external connected node <ip_address>(TASK:ifc:policyelem:LeqptLooseNodereportPathGrp) |
2.1(2e) |
|
| An EPG subnet is not being shown in the "show ip prefix-list" on the border leaf switch and the subnet is not being advertised externally. |
2.1(2e) |
|
| Changing the default route tag policy does not take effect, but creating a new route tag policy does take effect. |
2.1(2e) |
|
| Policy coreexp-default failed faults remain after the coreexp-default policy is deleted. The faults are similar to the following example: "Upload triggered at <date> <time> for policy coreexp-default failed . Check operational status for details." |
2.1(2e) |
|
| Incorrectly configured SVI IP addresses result in connectivity issues. |
2.1(2e) |
|
| When a node is decomissioned without a wipe and comissioned back, it does not join the fabric. It gets a different IP address than before it was decomissioned. |
2.1(2e) |
|
| A Cisco APIC out-of-band management endpoint group sometimes contains stale contract information. |
2.1(2e) |
|
| To run the CDP as a discovery protocol between the leaf switches and ESX, then you must enable CDP and disable LLDP. However, the CDP policy is not enabled on VDS. |
2.1(2e) |
|
| When viewing History > Audit Logs under Fabric > Inventory, the records continue to refresh, but do not increment the total count. |
2.1(2e) |
|
| The virtual machine name fields contain the MAC address instead of machine name after upgrading to 2.1(1h). |
2.1(2e) |
|
| The VMMmgr process crashes while retrieving inventory information, after which the process restarts. |
2.1(2e) |
|
| When run under a vPC context, the show running-config command outputs errors. |
2.1(2e) |
|
| The 1 Gigabit interface does not come up on an APIC-SIM-S2 appliance. |
2.1(2e) |
|
| In the Operations tab, use the troubleshooting tools, then click Start. Configure span and set the span destination to the Cisco APIC if the APIC has in-band management configured. But, if you are using BGP as the external connectivity for in-band management, after starting the span session, the in-band management subnet will no longer be advertised out, even after stopping the span session. |
2.1(2e) |
|
| The timezone for Istanbul needs to be updated to GMT +3. |
2.1(2e) |
|
| Syslog Remote Destination configuration changes are not deployed to ACI nodes. The configuration is submitted and saved, but the operating behavior does not exhiibit the configuration changes. |
2.1(2e) |
|
| The Cisco Application Policy Infrastructure Controller (APIC) includes a version of the Linux kernel that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-3153. |
2.1(2e) |
|
| The following error displays when deleting a VLAN pool though VMM and the endpoint group encapsulation is set to VXLAN: "Error:400 - Association of Vlan namespace cannot be modified when EPGs are associated with the Domain. Remove EPG association or add/delete encap-blocks under the namespace." |
2.1(2e) |
|
| The HyperV agent memory consumption slowly grows over time. |
2.1(2e) |
|
| The bridge domain subnet pervasive route remains in the old VRF after changing the bridge domain association to a new VRF. |
2.1(2e) |
|
| The policy element (PE) process or endpoint manager (EPM) process crashes when there is rapid movement of a large number endpoints within the fabric. |
2.1(2e) |
|
| The Cisco Application Policy Infrastructure Controller (APIC) includes a version of NTPD that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2016-9311, CVE-2016-9310, CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7431, CVE-2016-7434, CVE-2016-7429, CVE-2016-7426, CVE-2016-7433 For more information, see the following document: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd |
2.1(2e) |
|
| After upgrading to Cisco APIC release 2.1(1h), leaf switches are unexpectedly rebooting and there are core files for eventmgr, confelem, dbgrelem, EPMC, and LLDP. |
2.1(2e) |
|
| Fault F0467 is raised on a dynamic path attach object after deleting related access policies, such as interface profiles or interface policy groups. |
2.1(2e) |
|
| The default route coming from L3Out (usually through OSPF) is not propagated to other nodes in the fabric. |
2.1(2e) |
|
| A policy is unable to deploy to an APIC and "show cores" shows several AE core files. |
2.1(2e) |
|
| Policy element (PE) process might incorrectly delete all remote tunnels during a process restart. |
2.1(2e) |
|
| VLAN encapsulations are reallocated after an upgrade, which means that EPGs might use different VLAN encapsulations after the upgrade. |
2.1(2e) |
|
| When creating a recurring snapshot in the GUI for all fabrics, the following error gets generated: unknown property value ull,, name targetDn, class configExportP [(Dn0)] Dn0=uni/fabric/configexp-defaultAuto |
2.1(2e) |
|
| While creating a DVS, the Firewall Mode option should not be seen, as this is supported only in AVS. |
2.1(2e) |
|
| When a VEM restarts, this event causes the ESXi host to enter the disconnect state from the vCenter, which causes the management connectivity to go down. After the VEM restarts, the OpFlex state is also up and there is no data traffic loss. However, the management port VMK0 and VMware vMotion ports VMK9 and VMK10 enter the blocking state. |
2.1(2e) |
|
| The regular expression for aaaPreLoginBanner.switchMessage allows parentheses. |
2.1(2e) |
|
| Cisco Virtual Machine Manager (VMM) missing event detection mechanism works incorrectly for certain types of events. This causes the VMM to pull and process previously processed events from the Cisco vCenter - on a periodic basis. |
2.1(2g) |
|
| Cisco APIC password is shown in clear text in the vsphere log file. |
2.1(2g) |
Known Behaviors
This section lists bugs that describe known behaviors. Click the Bug ID to access the Bug Search Tool and see additional information about the bug. The "Exists In" column of the table specifies the 2.1(2) releases in which the known behavior exists. A bug might also exist in releases other than the 2.1(2) releases.
Table 6 Known Behaviors in the 2.1(2) Release
| Bug ID |
Description |
Exists in |
| The APIC does not validate duplicate IP addresses that are assigned to two device clusters. The communication to devices or the configuration of service devices might be affected. |
2.1(2e) and later |
|
| In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30. |
2.1(2e) and later |
|
| The node ID policy can be replicated from an old appliance that is decommissioned when it joins a cluster. |
2.1(2e) and later |
|
| The DSCP value specified on an external endpoint group does not take effect on the filter rules on the leaf switch. |
2.1(2e) and later |
|
| The hostname resolution of the syslog server fails on leaf and spine switches over in-band connectivity. |
2.1(2e) and later |
|
| Following a FEX or switch reload, configured interface tags are no longer configured correctly. |
2.1(2e) and later |
|
| Switches can be downgraded to a 1.0(1x) version if the imported configuration consists of a firmware policy with a desired version set to 1.0(1x). |
2.1(2e) and later |
|
| If the APIC is rebooted using the CIMC power reboot, the system enters into fsck due to a corrupted disk. |
2.1(2e) and later |
|
| The Cisco APIC Service (ApicVMMService) shows as stopped in the Microsoft Service Manager (services.msc in control panel > admin tools > services). This happens when a domain account does not have the correct privilege in the domain to restart the service automatically. |
2.1(2e) and later |
|
| The traffic destined to a shared service provider endpoint group picks an incorrect class ID (PcTag) and gets dropped. |
2.1(2e) and later |
|
| Traffic from an external Layer 3 network is allowed when configured as part of a vzAny (a collection of endpoint groups within a context) consumer. |
2.1(2e) and later |
|
| Newly added microsegment EPG configurations must be removed before downgrading to a software release that does not support it. |
2.1(2e) and later |
|
| Downgrading the fabric starting with the leaf switch will cause faults such as policy-deployment-failed with fault code F1371. |
2.1(2e) and later |
|
| The OpenStack metadata feature cannot be used with ACI integration with the Juno release (or earlier) of OpenStack due to limitations with both OpenStack and Cisco’s ML2 driver. |
2.1(2e) and later |
|
| Creating or deleting a fabricSetupP policy results in an inconsistent state. |
2.1(2e) and later |
|
| After a pod is created and nodes are added in the pod, deleting the pod results in stale entries from the pod that are active in the fabric. This occurs because the APIC uses open source DHCP, which creates some resources that the APIC cannot delete when a pod is deleted. |
2.1(2e) and later |
|
| When an APIC cluster is upgrading, the APIC cluster might enter the minority status if there are any connectivity issues. In this case, user logins can fail until the majority of the APICs finish the upgrade and the cluster comes out of minority. |
2.1(2e) and later |
|
| When downgrading from a 2.1(2) release to a 2.0(1) release, the spines and its interfaces must be moved from infra L3out2 to infra L3out1. After infra L3out1 comes up, delete L3out2 and its related configuration, and then downgrade to a 2.0(1) release. |
2.1(2e) and later |
|
| No fault gets raised upon using the same encapsulation VLAN in a copy device in tenant common, even though a fault should get raised. |
2.1(2e) and later |
■ In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally “up” external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide.
Related Documentation
The Cisco Application Policy Infrastructure Controller (APIC) documentation can be accessed from the following website:
The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, as well as other documentation. KB articles provide information about a specific use case or a specific topic.
By using the “Choose a topic” and “Choose a document type” fields of the APIC documentation website, you can narrow down the displayed documentation list to make it easier to find the desired document.
The following tables describe the core APIC documentation.
Note: Not every document has a new version for each release. Unless specified otherwise, the latest document version applies if the document was not revised for a specific release.
Table 7 Release Notes
| Document |
Description |
| Cisco ACI Simulator Release Notes, Release 2.1(2) |
Provides release information for the Cisco ACI Simulator product. |
| Cisco Application Policy Infrastructure Controller, Release 2.1(2), Release Notes |
This document. Provides release information for the Application Policy Infrastructure Controller (APIC) product. |
| Cisco Nexus 9000 Series ACI-Mode Switch FPGA/EPLD Upgrade Release Notes, Release 12.1(2) |
Provides release information for the Cisco Nexus 9000 series ACI-mode switch FPGA/EPLD product. |
| Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 12.1(2) |
Provides release information for the Cisco NX-OS for Cisco Nexus 9000 series ACI-mode switches product. |
Table 8 Installation, Upgrade, and Configuration Documentation
| Document |
Description |
| Cisco APIC Basic Configuration Guide |
Describes steps that you must perform to configure your ACI fabric. |
| Cisco APIC Getting Started Guide |
Describes the first things that you must do to use the APIC after you install the APIC software. |
| Cisco Nexus 93108TC-EX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 93180YC-EX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9332PQ ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9336PQ ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9372PX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9372TX and 9372-TX-E ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9396PX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9396TX ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9504 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9508 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco Nexus 9516 ACI-Mode Switch Hardware Installation Guide |
Describes how to install and start up the switch and how to replace modules. |
| Cisco APIC Management, Installation, Upgrade, and Downgrade Guide |
Describes how to upgrade or downgrade the APIC controller's appliance firmware and how to install the APIC software. This document also describes any limitations when upgrading or downgrading. |
| Minimum and Recommended Cisco ACI and APIC Releases |
Lists the minimum and recommended ACI and APIC software releases for both new and existing deployments. |
| Operating Cisco Application Centric Infrastructure |
Describes how to perform day-to-day operations with the ACI. |
| Verified Scalability Guide for Cisco ACI and Cisco Nexus 9000 Series ACI-Mode Switches |
Describes the maximum verified scalability limits for ACI parameters for the Cisco ACI and Cisco Nexus 9000 Series ACI-Mode Switches. |
Table 9 Interface Documentation
| Document |
Description |
| Cisco APIC NX-OS Style Command-Line Interface Configuration Guide |
Describes how to configure the APIC using the NX-OS-style CLI. |
| Cisco APIC REST API User Guide |
Describes how to use the APIC REST APIs. |
Table 10 Reference Documentation
| Document |
Description |
| Cisco Application Centric Infrastructure Fundamentals |
Provides a basic understanding of the capabilities of the ACI and APIC. |
Table 11 Layer 4 to Layer 7 Documentation
| Document |
Description |
| Cisco APIC Layer 4 to Layer 7 Device Package Development Guide |
Describes how to develop a device package for the Layer 4 to Layer 7 services. |
| Cisco APIC Layer 4 to Layer 7 Service Graph Deployment Guide |
Describes how to deploy a Layer 4 to Layer 7 service graph in greater detail than the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide with common use cases. |
| Cisco APIC Layer 4 to Layer 7 Services Deployment Guide |
Describes how to deploy the Layer 4 to Layer 7 services using the APIC. |
Table 12 Virtualization Documentation
| Document |
Description |
| Cisco ACI Virtualization Guide |
Describes how to deploy ACI with virtualization solutions, such as Cisco AVS, VMware VDS, or Microsoft SCVMM. |
Table 13 ACI with OpenStack Documentation
| Document |
Description |
| Cisco ACI Installation Guide for Mirantis OpenStack |
Describes how to install the plugin that allows you to use Mirantis OpenStack with ACI. |
| Cisco ACI with OpenStack OpFlex Deployment Guide for Red Hat |
Describes how to deploy ACI with OpenStack OpFlex on the Red Hat platform. |
| Cisco ACI with OpenStack OpFlex Deployment Guide for Ubuntu |
Describes how to deploy ACI with OpenStack OpFlex on the Ubuntu platform. |
| Installing the Cisco APIC OpenStack Driver |
Describes how to install the APIC OpenStack driver. |
| OpenStack Group-Based Policy User Guide |
Describes how to use group-based policies. |
Table 14 Troubleshooting Documentation
| Document |
Description |
| Cisco APIC Troubleshooting Guide |
Describes how to troubleshoot common APIC issues. |
| Troubleshooting Cisco Application Centric Infrastructure |
Additional information about how to troubleshoot common APIC issues. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2017-2019 Cisco Systems, Inc. All rights reserved.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)