Rakugakichou (Scribble Pad)

Just for fun ~This is unrelated to any organization or group I belong to; these are my personal views~

List of features added to Cisco ACI over the releases

From the Cisco ACI Release Notes published so far, I have compiled a list of the new features implemented in each version.

4.2(2)

Feature: Remote leaf switch failover
Description: In a multipod setup, if a remote leaf switch in a pod loses connectivity to the spine switch, the remote leaf switch now moves to another pod. This ensures that traffic continues to flow between endpoints of remote leaf switches that are connected to the original pod.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.2(x).
Guidelines and Restrictions:
- Configure multipod in route reflector mode instead of full mesh mode.
- Enable direct traffic forwarding with a routable IP address on the remote leaf switches.
- Configure an external Border Gateway Protocol (BGP) route reflector.

4.2(1)

Feature: Ability to pin EPGs to an uplink on a VMware DVS
Description: You can configure up to 32 uplinks for each instance of Cisco ACI Virtual Edge (in native switching mode) or VMware VDS. You also can rename the uplinks and configure failover for them within endpoint groups (EPGs) associated with the VMware VDS or Cisco ACI Virtual Edge.
Guidelines and Restrictions: None.

Feature: avread CLI command
Description: Cisco APIC Release 4.2(1) introduces the new avread command, which provides the same information as the acidiag avread command, but in a tabular format.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
Guidelines and Restrictions: None.

Feature: BGP neighbor shutdown
Description: The BGP neighbor shutdown feature is similar to the neighbor shutdown command in NX-OS, which shuts down the corresponding BGP neighbor. Use this policy to disable and enable the BGP neighbor's admin state. Using this feature shuts down the BGP sessions without the need to delete the BGP peer configuration.
For more information, see the Cisco APIC and BGP Neighbor Shutdown and Soft Reset document.
Guidelines and Restrictions: None.

Feature: BGP neighbor soft reset
Description: The BGP neighbor soft reset feature provides automatic support for a dynamic soft reset of inbound and outbound BGP routing table updates that are not dependent upon stored routing table update information. Use this policy to enable the soft dynamic inbound reset and soft outbound reset.
For more information, see the Cisco APIC and BGP Neighbor Shutdown and Soft Reset document.
Guidelines and Restrictions: None.

Feature: Blocking ACI upgrades or downgrades if faults are present
Description: Beginning with release 4.2(1), when you attempt to trigger an upgrade or downgrade operation, the operation might be blocked if any faults on the fabric are detected, depending on the severity of the fault detected.
For more information, see the Cisco APIC Installation, Upgrade, and Downgrade Guide.
Guidelines and Restrictions: None.

Feature: cluster_health CLI command
Description: Cisco APIC Release 4.2(1) introduces the new cluster_health command, which enables you to verify the Cisco APIC cluster status.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
Guidelines and Restrictions: None.

Feature: fd_vlan mismatch enhancement
Description: If the same VLAN pool is being used on both a vPC and an orphan port, an fd_vlan mismatch will occur and a fault will be raised.
Guidelines and Restrictions: None.

Feature: Floating Layer 3 Outside network connection
Description: You can configure a floating L3Out that allows a virtual router to move from under one leaf switch to another. The feature saves you from having to configure multiple L3Out interfaces to maintain routing when virtual machines move from one host to another. This feature is supported for VMware VDS.
Guidelines and Restrictions: None.

Feature: IPv6 multicast support
Description: IPv6 multicast is now enabled with PIM6 protocol settings.
For more information, see the Cisco ACI Support for Layer 3 IPv6 Multicast document.
Guidelines and Restrictions: None.

Feature: Policy-based redirect backup policy
Description: This feature enables you to configure a backup node for a policy-based redirect (PBR) policy. If an active node goes down, traffic gets routed through the backup node instead of getting routed through one of the other active nodes. The backup node avoids a situation in which the connection could be reset if, for example, the data paths through another active node are traversing stateful firewalls.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.2(x).
Guidelines and Restrictions:
- The backup policy option is supported only on new generation leaf switches, which are switch models with -EX, -FX, or -FX2 at the end of the switch name.
- Resilient hashing must be enabled.
- Only Layer 3 PBR destinations are supported.
- Multiple backup PBR destinations per backup policy can be configured.
For additional guidelines and restrictions, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.2(x).

Feature: Redistributing static routes to BGP with prefix list
Description: For Cisco APIC releases before release 4.2(1), you can configure a route map policy for the redistribution of static routes into BGP using the Create Route Map/Profile feature, which defines the route map for BGP dampening and route redistribution.
This feature is used to set attributes, such as community, on certain static routes on one border leaf switch, and then, based on these attributes, configure these routes on other border leaf switches.
Beginning with Cisco APIC Release 4.2(1), this feature is extended for static routes. This allows you to configure a route map policy that will be applied while redistributing static routes into BGP.
For more information, see the Cisco APIC and Redistributing Static Routes to BGP With Prefix List document.
Guidelines and Restrictions: None.

Feature: Route control on an aggregator route during import/export
Description: When creating a subnet, the export route control subnet and import route control subnet allow Aggregate Export and Aggregate Import.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.2(x).
Guidelines and Restrictions: None.

Feature: Route control per BGP peer
Description: Route control policies determine what routes are advertised out to the external network (export) or allowed into the fabric (import).
For Cisco APIC releases before Release 4.2(1), you configure these policies at the L3Out level, under the L3Out profile (l3extInstP) or through the L3Out subnet under the L3Out (l3extSubnet), so those policies apply to protocols configured for all nodes or paths included in the L3Out. With this configuration, there could be multiple node profiles configured in the L3Out, and each could have multiple nodes or paths with the BGP neighbor specified. Because of this, there is no way to apply individual policies to each protocol entity.
Beginning with Cisco APIC Release 4.2(1), the route control per BGP peer feature is introduced to begin to address this situation, where more granularity in route export and import control is needed.
For more information, see the Cisco APIC and Route Control Per BGP Peer document.
Guidelines and Restrictions:
- You must configure route profiles used per BGP peer under a tenant.
- The methods to configure route map match, set rule or route profile, and the behavior of each of those components, do not change from previous releases.
- The route profile for this feature can only be set to Match Routing Policy Only (global policy), where the route profile is the only source of information to generate the per BGP peer route map. You cannot set the route profile for this feature to Match Prefix and Routing Policy.
- In addition, you must explicitly specify the bridge domain subnets in the prefix list if you want them to be exported.
For additional guidelines and restrictions, see the Cisco APIC and Route Control Per BGP Peer document.

Feature: SDWAN integration enhancement
Description: This release adds support for enabling returning traffic from a remote site that is destined for the ACI data center to receive differentiated services over the WAN. After the tenant admin registers the Cisco APIC to vManage, the Cisco APIC pulls the WAN-SLA policies and the WAN-VPN from vManage. Then, the Cisco APIC assigns a DSCP to each WAN-SLA policy and pushes a prefix list. The prefix list, which is taken from the EPG if the contract between this EPG and L3Out has WAN-SLA configured, enables quality of service on the returning traffic. The WAN-SLA policy and WAN-VPN are both available in the tenant common. Tenant admins map the WAN-VPNs to VRF instances on remote sites.
For more information, see the Cisco ACI and SDWAN Integration KB article.
Guidelines and Restrictions: None.

Feature: Simplified ELAM output
Description: This release adds an option to the Embedded Logic Analyzer Module (ELAM) tool that changes the output to a human-readable format, which enables you to find key information quickly and more efficiently. In addition, hexadecimal values have been converted to decimal values in some instances for improved readability. For backward compatibility, the existing usage of ELAM is kept intact.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.2(x).
Guidelines and Restrictions: This feature is supported only on switch models with EX, FX, or FX2 at the end of the switch name.

Feature: Storm control SNMP traps
Description: This release supports triggering SNMP traps from Cisco ACI when storm control thresholds are met.
Guidelines and Restrictions:
- There are two actions associated with storm control: drop and shutdown. With the shutdown action, interface traps will be raised, but the storm control traps that indicate whether the storm is active or clear are not determined by the shutdown action. Storm control traps with the shutdown action on the policy should therefore be ignored.
- If the ports flap with the storm control policy on, clear and active traps are seen together when the stats are collected. Clear and active traps are typically not seen together, but this is expected behavior in this case.
- This feature is not supported on Cisco Nexus C93128TX, C9396PX, C9396TX, C93120TX, C9332PQ, C9372PX, C9372TX, C9372PX-E, nor C9372TX-E switches.

4.1(2)

Feature: Direct traffic forwarding between remote leaf switches in different remote locations
Description: You can enable direct traffic forwarding between remote leaf switches in different remote locations. This functionality offers redundancy and high availability in the connections between the remote locations.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Support for Intersight Device Connector
Description: Intersight Device Connector provides a secure way for connected devices to send information to and receive control instructions from the Cisco Intersight portal using a secure Internet connection.
For more information, see the Cisco APIC and Intersight Device Connector document.
Guidelines and Restrictions: None.

Feature: Policy-based redirect bypass action
Description: You can now specify the bypass action option when configuring Layer 4 to Layer 7 policy-based redirect. With this option, in a multi-node policy-based redirect service graph, when one node crosses the low threshold, traffic is still able to proceed through the rest of the service chain that is either up or cannot be bypassed.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.1(x).
Guidelines and Restrictions:
- This feature is supported only on switch models with EX, FX, or FX2 at the end of the switch name.
- This feature is not needed on a one-node service graph. If bypass is configured in such a case, the forwarding behavior is the same as the permit action.
- L3Out EPGs and regular EPGs can be consumer or provider EPGs.
- A service node that has NAT enabled cannot be bypassed, as that will break the traffic flow.
- The bypass action option is not supported in the following cases:
  - Layer 4 to Layer 7 service devices in one-arm mode
  - Layer 1/Layer 2 PBR nodes
  - Remote leaf switches
- Do not use the same PBR policy in more than one service graph if the bypass action is enabled. APIC will reject configurations if the same PBR policy with bypass action is used in multiple service graphs. To avoid this, configure different PBR policies that use the same PBR destination IP address, MAC address, and Health Group.

Feature: Policy-based redirect with a Layer 3 Outside
Description: A uni-directional policy-based redirect with a Layer 3 Outside is now supported.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.1(x).
Guidelines and Restrictions:
- Use a specific L3Out EPG subnet if there are other L3Out EPGs in the same VRF instance; otherwise, you might use the other L3Outs by mistake.
- Ensure that IP address translation occurs on the service node. If the SNAT is not properly done on the firewall, the traffic could be classified to the L3Out internal and could cause a loop.
- An L3Out is supported only on the provider side of the last node.

Feature: Remote leaf switches with Multi-Site Orchestrator
Description: The Multi-Site Orchestrator now supports APIC sites with remote leaf switches.
For additional information, see the Infrastructure Management chapter in the Cisco ACI Multi-Site Configuration Guide.
Guidelines and Restrictions:
- It is not supported to stretch a bridge domain (BD) between Remote Leaf (RL) nodes associated to a given site (APIC domain) and leaf nodes that are part of a separate site of a Multi-Site deployment (whether those leaf nodes are local or remote), and a fault is generated on APIC to highlight this restriction. This applies regardless of whether BUM flooding is enabled or disabled when configuring the stretched BD on the Multi-Site Orchestrator (MSO).
- However, a BD can always be stretched (with BUM flooding enabled or disabled) between Remote Leaf nodes and Local Leaf nodes belonging to the same site (APIC domain).

Feature: Silent roll package upgrade
Description: Silent roll package upgrade (SR upgrade) enables you to manually perform an internal package upgrade for ACI switch hardware SDK, drivers, and so on, without upgrading the entire ACI switch software OS.
For more information, see the Cisco APIC Installation, Upgrade, and Downgrade Guide.
Guidelines and Restrictions: This feature supports the following switches:
- N9K-C93216TC-FX2
- N9K-C93360YC-FX2

Feature: Upgrade Group field enhancement
Description: You can now use the Upgrade Group field to select whether you are using an existing or new upgrade group when you are upgrading the leaf and spine switch software.
For more information, see the Cisco APIC Installation, Upgrade, and Downgrade Guide.
Guidelines and Restrictions: None.

4.1(1)

New Software Features—Fabric Infrastructure

Feature: BGP multicast v4 address family support
Description: APIC now supports the BGP multicast v4 address family.
Guidelines and Restrictions: None.

Feature: Cloud APIC
Description: This release includes the release of the Cisco Cloud APIC product, which enables you to extend a Cisco ACI Multi-Site fabric to Amazon Web Services (AWS) public clouds.
For more information, see the Cloud APIC documentation set:
https://www.cisco.com/c/en/us/support/cloud-systems-management/cloud-application-policy-infrastructure-controller/tsd-products-support-series-home.html
Guidelines and Restrictions: See the Cisco Cloud Application Policy Infrastructure Controller Release Notes, Release 4.1(1).

Feature: EPG Communication tab
Description: This release adds the EPG Communication tab. This tab enables you to create communication between two EPGs and to monitor which EPGs are communicating with one another through a contract and filters. Using this tab represents a simpler, faster way to set up a contract between the EPGs.
Guidelines and Restrictions: None.

Feature: FC-NPV enhancements
Description: This release enhances FC NPV to support:
- Having an FCoE host that uses FEX over an FC NPV link
- 32G Brocade interoperability
Guidelines and Restrictions: None.

Feature: Filter groups
Description: Support is now available for configuring filter groups, with flow entries that are used to filter the traffic, and associating them to SPAN source groups.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: IP SLA
Description: Internet protocol service level agreement (IP SLA) tracking is a common requirement in networks that allows a network administrator to collect information about network performance in real-time. With Cisco ACI IP SLA, you can track an IP address using ICMP and TCP probes. Tracking configurations can influence route tables, allowing for routes to be removed when tracking results come in negative and returning the route to the table when the results become positive again.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Layer 1/Layer 2 policy-based redirect
Description: This feature allows you to configure policy-based redirect on Layer 1 or Layer 2 service devices.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.1(x).
Guidelines and Restrictions:
- Active-active deployment is not supported.
- The two legs of the Layer 2 service device need to be configured on a different leaf switch to avoid packet loops. Per port VLAN is not supported.
- Shared bridge domain is not supported. A Layer 1/Layer 2 device bridge domain cannot be shared with a Layer 3 device or regular EPGs.
- Service node in managed mode is not supported.
- Layer 1/Layer 2 devices support physical domain only; VMM domain is not supported.

Feature: Local SPAN with port-channels as the destination
Description: Support is now available for local SPAN with port-channels as the destination.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.1(x).
Guidelines and Restrictions: Sources and the port-channel must be local on the same switch.

Feature: Mini ACI fabric with ACI Multi-Site topology
Description: You can now use mini ACI fabric with ACI Multi-Site topology on a single pod.
Guidelines and Restrictions: None.

Feature: MLD snooping
Description: Support is now available for Multicast Listener Discovery (MLD) snooping.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Multi-tier architecture
Description: You can create a multi-tier ACI fabric topology that corresponds to a Core-Aggregation-Access architecture found in many existing data centers. While providing all of the benefits of the ACI fabric, the multi-tier architecture enhancement also mitigates the need to upgrade costly components such as rack space or cabling. The addition of a tier-2 leaf layer makes this topology possible. The tier-2 leaf layer supports connectivity to hosts or servers on the downlink ports and connectivity to the leaf layer (aggregation) on the uplink ports.
For more information, see the Cisco APIC Getting Started Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: SSD monitoring
Description: The SSD monitoring feature enables you to override the preconfigured thresholds for the SSD lifetime parameters and raise faults when the SSD reaches some percentage of the configured thresholds. These faults allow network operators to monitor and proactively replace any switch before the switch fails due to an SSD's lifetime parameter values being exceeded.
For more information, see the Cisco APIC SSD Monitoring KB article.
Guidelines and Restrictions:
- This feature requires Micron M600 64 GB SSDs.
- You cannot configure this feature using the CLI.

Feature: Virtual Port Channel migration
Description: This feature allows the migration of nodes from non-EX, non-FX, and non-FX2 switches to EX, FX, or FX2 switches.
For more information, see the Cisco Application Centric Infrastructure Fabric Hardware Installation Guide.
Guidelines and Restrictions: None.

New Software Features—Fabric Scale and Other Enhancements

Feature: Bookmarks
Description: You can now bookmark almost any page, which enables you to go back to that page easily by choosing the bookmark from your list of bookmarks. In previous releases, this feature was represented as favorites (the star icon), and had less capability.
For more information, see the Cisco APIC Getting Started Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Confirmation and summary screens
Description: Some of the wizards now include a confirmation screen and summary screen as the last steps. On the confirmation screen, you see a list of the policies that the wizard will create. You can change the names of the policies, if necessary. After the confirmation screen is the summary screen, which shows you the policies that the wizard created. You can no longer change the policies' names, but you can edit the properties of a policy.
Guidelines and Restrictions: None.

Feature: Default tab
Description: This feature enables you to set a tab as the favorite on a page. Whenever you navigate to that page, that tab will be the default tab that is displayed. This feature is enabled only for the tabs in the Work pane.
For more information, see the Cisco APIC Getting Started Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Error counter enhancement
Description: Physical interface configuration now includes error counter statistics information.
Guidelines and Restrictions: None.

Feature: Export tech support configuration data enhancement
Description: This enhancement allows the user to export tech support data or configurations with read-only privileges.
For more information, see the Cisco ACI Configuration Files: Import and Export KB article.
Guidelines and Restrictions: None.

Feature: GTP load balancing
Description: This feature enables the Cisco APIC to perform fabric load balancing based on GTP TEID.
For more information, see the Cisco APIC Basic Configuration Guide, Release 4.1(x).
Guidelines and Restrictions: None.

Feature: Leaf switch uplink ports priority
Description: When the fabric is scaled with numerous bridge domains, endpoint groups, and so on, and each is allocated a VLAN, this causes VLAN resource contention. Reloading a leaf switch in this state causes the leaf-to-spine switch uplink to enter the disabled state (those links do not come up). In this release, the leaf-to-spine switch uplinks are given a higher priority with the VLAN resource that is allocated to them, so that reloading a leaf switch while the switch is in a VLAN resource contention state does not affect the leaf-to-spine switch uplinks (the links come up).
Guidelines and Restrictions: None.

Feature: Multiple-context apps
Description: You can now run an app in multiple GUI screens, or contexts. For example, you can run the app while looking at a tenant's application profiles and while looking at the tenant's contracts. Prior to the 4.1 release, you could run an app only in one context; switching to a different context would close the app.
Guidelines and Restrictions: None.

Feature: New alerts
Description: This release adds the following alerts:
- Leaf x is Inactive: This alert warns you that a leaf switch became inactive, powered down, or disconnected.
- New Switch Discovered: This informational alert informs you when a new switch is discovered.
- Node Outage: Indicates that a node is either down or reloading.
- Node x Must Be Reloaded: This alert warns you that an SSD must be reformatted and repartitioned.
- OSPF Connectivity is Down: This alert warns you when OSPF connectivity is down. The alert lists the interfaces that have OSPF configured, but are not able to communicate with one another, and provides a recommended troubleshooting action.
- Process Crash: This alert warns you that a process has crashed.
- Split-Fabric Detected: Indicates that the fabric is split and that the controller is operating in read-only mode.
Guidelines and Restrictions: None.

Feature: Scale changes
Description: This release includes the following scale changes:
- Maximum number of remote leaf switches: 128 (single pod)
- 100 sub-interfaces per VRF and per L3Out
- 30,000 IPv4/IPv6 LPM prefixes on a border leaf switch (EX, FX, and FX2 platforms)
- 4,000 MAC address EPGs
Guidelines and Restrictions: None.

Feature: Object Store Browser improvements
Description: The Object Store Browser has the following improvements:
- The Object Store Browser has a new, modernized look-and-feel.
- You can now search by class, distinguished name, or URL, instead of only class and distinguished name. After you find an object, you can make the object a favorite, which enables you to go to your list of favorites and load the object from there.
- You can now view the JSON response of your last query; previously you could only view the XML response.
- The Object Store Browser by default displays all of the properties, even those that have no value. You can now hide the properties that do not have a value.
- You can now navigate the distinguished name using the bread crumbs, which is simpler and easier to use.
- You can now only view a distinguished name's stats, faults, or health if there is applicable data.
Guidelines and Restrictions: None.

New Software Features—Solution Integration

Feature: Microsoft NLB
Description: Support is now available for Microsoft Network Load Balancing (NLB).
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.1(x).
Guidelines and Restrictions: None.

New Software Features—Virtualization

Feature: Cisco ACI integration with Cisco's SD-WAN
Description: vManage integration enables tenant admins to apply preconfigured policies to specify the levels of packet loss, jitter, and latency for tenant traffic over the WAN. When a WAN SLA policy is applied to tenant traffic, the Cisco APIC sends the configured policies to a vManage controller. The vManage controller, which is configured as an external device manager that provides Cisco Software-Defined Wide Area Network (SD-WAN) capability, chooses the best possible WAN link that meets the loss, jitter, and latency parameters specified in the SLA policy.
For more information, see the Cisco ACI and SD-WAN Integration Guide.
Guidelines and Restrictions: None.

Feature: Cisco ACI with Cisco UCSM integration
Description: You can automate networking policies on Cisco UCS devices. To do so, you integrate Cisco UCSM into the Cisco Application Centric Infrastructure (ACI) fabric. Cisco APIC takes hypervisor NIC information from the Cisco UCSM and a virtual machine manager (VMM). The automation applies to all the devices that the Cisco UCSM manages.
For more information, see the chapter Cisco ACI with Cisco UCSM Integration in the Cisco ACI Virtualization Guide, Release 4.1(1).
Guidelines and Restrictions:
- If you use Cisco Application Virtual Switch (AVS) or Microsoft System Center Virtual Machine Manager (SCVMM), you also must associate a switch manager with the VMM.
- If you use Cisco ACI Virtual Edge or VMware vSphere Distributed Switch (VDS), make the association if you do not use LLDP or CDP in your VMM domain.

4.0(3)

Feature: Network Insights – Resources
Description: This NIR app release covers the following functionality:
1. Dashboard [Anomalies]
2. Resource utilization
   a. Operational resources (such as MAC addresses and IP addresses)
   b. Configuration resources (such as VRF instances, bridge domains, and EPGs)
   c. Hardware resources (such as port usage and port bandwidth)
3. Environmental analytics
   a. CPU
   b. Memory
   c. Temperature and fan utilization
   d. Power supply
4. Event analytics
   a. Audit logs
   b. Events
   c. Faults
Guidelines and Restrictions: None.

4.0(2)

Feature: Cisco ACI Virtual Pod
Description: Cisco ACI Virtual Pod (vPod) enables you to extend the Cisco ACI fabric into bare-metal cloud environments and other remote locations. Cisco ACI vPod is supported as a vLeaf switch for Cisco APIC with the VMware ESXi hypervisor. It manages a data center defined by the VMware vCenter Server.
Cisco ACI vPod includes two types of virtual machine (VM) for the control planes: a virtual spine (vSpine) switch and a virtual leaf (vLeaf) switch. It also includes Cisco ACI Virtual Edge as the forwarding module on the compute node or host.
For more information, see the following documents:
- Cisco ACI Virtual Pod Release Notes
- Cisco ACI Virtual Pod Installation Guide
- Cisco ACI Virtual Pod Getting Started Guide
Guidelines and Restrictions:
- Cisco ACI vPod is in general availability in Cisco APIC release 4.0(2).
- vPod can be deployed only on a VMware environment in the cloud.
- Deploy each virtual spine (vSpine) and virtual leaf (vLeaf) pair on two separate hosts with one vSpine and one vLeaf on each host.
- Each instance of Cisco ACI vPod supports only two vSpine switches and two vLeafs: one vSpine and one vLeaf on each host.
- You can have up to 32 instances of Cisco ACI Virtual Edge in each Cisco ACI vPod.

Feature: Network Insights – Resources
Description: The Network Insights – Resources app includes the following functions:
- Event Analytics
- Resource Analytics
- Flow Analytics
Guidelines and Restrictions: The Network Insights – Resources app is in limited availability in this release. Contact your Cisco account team if you want to download this app.

Feature: SAN boot support
Description: SAN boot is now supported through a FEX host interface (HIF) port vPC.
Guidelines and Restrictions: None.

4.0(1)

New Software Features—Fabric Infrastructure

Feature Description Guidelines and Restrictions
Cisco ACI Virtual Pod Cisco ACI Virtual Pod (vPod) enables you to extend the Cisco ACI fabric into bare-metal cloud environments and other remote locations. Cisco ACI vPod is supported as a vLeaf switch for Cisco APIC with the VMware ESXi hypervisor. It manages a data center defined by the VMware vCenter Server.
Cisco ACI vPod includes two types of virtual machine (VM) for the control planes: a virtual spine (vSpine) switch and a virtual leaf (vLeaf) switch. It also includes Cisco ACI Virtual Edge as the forwarding module on the compute node or host.
For more information, see the following documents:
- Cisco ACI Virtual Pod Release Notes
- Cisco ACI Virtual Pod Installation Guide
- Cisco ACI Virtual Pod Getting Started Guide
- Cisco ACI vPod is in limited availability in Cisco APIC release 4.0(1). Contact your Cisco account team before using Cisco ACI vPod or Cisco ACI Virtual Edge as part of Cisco ACI vPod.
- The remote location must have at least two servers where you can run the VMware ESXi hypervisor.
- Deploy each virtual spine (vSpine) and virtual leaf (vLeaf) pair on two separate hosts with one vSpine and one vLeaf on each host.
- At initial release, each instance of Cisco ACI vPod supports only two vSpine switches and two vLeafs—one vSpine and one vLeaf on each host.
- You can have up to eight instances of Cisco ACI Virtual Edge in each Cisco ACI vPod.
Cisco APIC policy export without additional configuration and support for the RO admin When deployed and configured to do so, the Cisco Network Assurance Engine (NAE) creates export policies in the Cisco APIC for collecting data at timed intervals. You can identify a Cisco NAE export policy by its name, which is based on the assurance control configuration. If you delete a Cisco NAE export policy in the Cisco APIC, the Cisco NAE export policy will reappear in the Cisco APIC.
For more information, see the Cisco APIC Basic Configuration Guide, Release 4.0(1).
We recommend not deleting the Cisco NAE export policies.
Cisco APIC-X Cisco APIC-X is a dedicated Cisco APIC controller that is used specifically for running telemetry applications.
For more information, see the Cisco APIC-X document.
None
Configuration synchronization issue reporting If you encounter an issue with Cisco APIC, you can check the new Config Sync Issues link in the GUI to see if there are any transactions involving user-configurable objects that have yet to take effect. You can use information in the panel to help with debugging.
For more information, see the Cisco APIC Troubleshooting Guide, Release 4.0(1).
- Clicking the Config Sync Issues link displays results only if there are any pending transactions.
- Pending transactions are not configurable in the output table.
Fabric rendezvous point This feature enables you to configure a fabric rendezvous point (RP) on all leaf switches where PIM is enabled on the VRF instance, which is required for inter-VRF multicast.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.0(1).
- Fabric RP does not support the following features:
- Fast-convergence mode
- Auto-RP
- Bootstrap router (BSR)
- The fabric IP:
- Must be unique across all the static RP entries within the static RP and fabric RP.
- Cannot be one of the Layer 3 out router IDs
Fabric-wide CPU, memory utilization, and temperature dashboard CPU and memory utilization information is now available for the leaf switches and spine switches, provided at the fabric and pod levels. Temperature information is also available, where the temperature for the card with the highest temperature within the leaf switches or spine switches is displayed. None.
FCoE support enhancement The following capabilities are added:
- Virtual port channel (vPC) with SAN boot
- A virtual Fibre Channel (vFC) port can be bound to a member of a vPC
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide, Release 4.0(1).
None.
Mini ACI fabric and virtual APIC Cisco APIC now supports small scale deployments of Cisco APIC clusters with 2 of the 3 nodes installed inside VMware ESXi virtual machines.
For more information, see Cisco Mini ACI Fabric and Virtual APICs document.
For the small scale deployment scalability limits, see the Verified Scalability Guide for Cisco APIC, Release 4.0(1), Multi-Site, Release 2.0(1), and Cisco Nexus 9000 Series ACI-Mode Switches, Release 14.0(1).
Remote leaf switch enhancements The remote leaf switch feature now supports the following:
- Endpoint tracker
- Layer 4 to Layer 7 services
- Local switching without a spine proxy
- MACsec
- Netflow
- Policy-based redirect for tracking service nodes using IP SLA monitoring
- Policy-based redirect resilient hashing
- Q-in-Q encapsulation mapping for EPGs
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.0(1).
None.

New Software Features—Fabric Scale and Other Enhancements

Feature Description Guidelines and Restrictions
Certificate-based authentication You can log in using certificate-based authentication.
For more information, see the Cisco APIC Security Configuration Guide, Release 4.0(1).
- Cisco ACI Multi-Site, VCPlugin, VRA, and SCVMM are not supported for certificate-based authentication.
- Only one certificate-based root can be active per pod.
- Certificate-based authentication must be disabled before downgrading from any releases to release 4.0(1).
- To terminate a certificate-based authentication session, you must log out and then remove the CAC card.
Dataplane IP learning per VRF While endpoint learning is identified as both IP and MAC and is specific to PBR-related configurations, dataplane IP learning is specific to IP addressing only in VRFs. In APIC, you can enable or disable dataplane IP learning at the VRF level.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.0(1).
- When dataplane IP learning per VRF is disabled, all the remote IP address entries in the tenant VRF are removed. The local IP entries are aged out and, subsequently, will not be re-learned through the dataplane, but can still be learned from the control plane.
- When dataplane IP learning per VRF is disabled, already learned local IP endpoints are retained and require control plane refreshes to be kept alive (assuming IP aging is also enabled). Data path L3 traffic will not keep IP endpoints alive.
- For Northstar/Donner-based ToRs, when dataplane IP learning per VRF is disabled, remote MAC addresses are not learned. Hardware Proxy mode on the corresponding BDs must be configured.
EPG shutdown A new checkbox has been added to Create Application EPG and the EPG window allowing you to shut down the selected EPG. When the EPG is in shutdown mode, the ACI policy configuration related to the EPG is removed from all switches.
For more information, see the online help.
None.
Fibre Channel NPV support enhancements The following capabilities are added:
- NPIV mode support
- Fibre Channel (FC) host (F) port connectivity in 4, 16, 32G and auto speed configurations
- Fibre Channel (FC) uplink (NP) port connectivity in 4, 8, 16, 32G and auto speed configurations
- Port-channel support on FC uplink ports
- Trunking support on FC uplink ports
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide, Release 4.0(1).
None.
GUI enhancement – single browser session When logged in to the Cisco APIC, you can open additional browser tabs or windows without additional logins.
For more information, see the Cisco APIC Getting Started Guide, Release 4.0(1).
None.
Host route support You can enable host-based routing on the bridge domain so that individual host routes (/32 prefixes) are advertised from the border leaf switches.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.0(1).
Border leaf switches advertise the individual endpoint (EP) prefixes along with the subnet. The route information is advertised only if the host is connected to the local pod. If the EP moves away from the local pod, or is removed from the EP database (even if the EP is attached to a remote leaf switch), the route advertisement is withdrawn.
Inter-VRF multicast This feature enables the source VRF instance to perform the reverse path forwarding (RPF) lookup for a multicast route in the receiver VRF instance.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 4.0(1).
- All sources for a particular group must be in the same VRF instance (the source VRF instance).
- You must have a configured fabric rendezvous point (RP).
- Source VRF instance and source EPGs must be present on all leaf switches where there are receiver VRF instances.
- For ASM:
  - The RP must be in the same VRF as the sources (the source VRF instance).
  - The source VRF instance must be using fabric RP.
  - The same RP address configuration must be applied under the source and all receiver VRF instances for the given group-range.
L3Out support in service graphs If a consumer or provider EPG is connected to an external routed network, the network can now be selected through the Service Graph wizard.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.0(1).
None.
Layer 3 destination (VIP) in the multi-tier application profile wizard Through the Multi-Tier Application Profile wizard, you can now terminate Layer 3 traffic on the connector.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.0(1).
This setting is not considered under the following conditions:
- Policy-based redirect is configured on the interface
- The redirect capability is not enabled on the service node
MACsec encryption support on remote leaf switches MACsec is now supported on remote leaf switches.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide, Release 4.0(1).
None.
Policy compression Identical filter rules can now share a single TCAM table entry on switches, increasing the number of rules that can be configured in the fabric.
For more information, see the Cisco APIC Basic Configuration Guide, Release 4.0(1).
None.
Preferred group support in service graphs EPGs created by service graphs can be included in contract preferred groups. A new policy (service EPG policy) is available for defining the preferred group membership type (include or exclude).
Once configured, it can be applied through the device selection policy or through the application of a service graph template.
For more information, see the Cisco APIC Basic Configuration Guide, Release 4.0(1) and Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.0(1).
None.
QoS enhancements The Cisco APIC now supports QoS levels 4, 5, and 6, and has configuration support for QoS L3Outs.
For more information, see the Cisco APIC QoS document.
- The number of classes that can be configured with strict priority remains 5.
- The 3 new classes are not supported on non-EX and non-FX switches.
- If traffic flows between non-EX or non-FX switches and EX or FX switches, the traffic uses QoS level 3.
- When communicating with a FEX, traffic in the new classes carries a Layer 2 CoS value of 0.
QoS for RoCEv2 Cisco APIC now supports remote DMA over converged Ethernet (RoCE) technology for data transfer. You can enable RoCEv2 functionality in your fabric by configuring specific QoS options for Layer 3 traffic.
For more information, see the Cisco APIC QoS document.
None.
SNMP trap support for BFD The following new traps were added:
- Rx/Tx High/Low Power Threshold
- Rx/Tx Power Recovery Threshold
- BFD Session Up
- BFD Session Down
For more information, see the Cisco ACI MIB Support List.
None.
Support for intra-EPG contracts in service graphs You can now create service graphs using intra-EPG contracts for single node, 1-ARM PBRs and single node copy services.
For more information, see the Cisco APIC Basic Configuration Guide, Release 4.0(1) and Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.0(1).
- Intra-EPG contracts are not supported in AVS, AVE and Microsoft domains. Setting Intra-EPG contracts to be enforced may cause the ports to go into a blocked state in these domains.
- Intra-EPG deny feature is not applicable for Service Graphs.

New Software Features—Solution Integration

Feature Description Guidelines and Restrictions
AppIQ AppIQ/AppDynamics work together to map each application to a recommended Cisco APIC endpoint, which gives you a visual guide of the running state of the configurations.
For more information, see the online help for this app.
None.
Cisco Tetration support for breakout interfaces Cisco Tetration now supports the breakout interfaces feature of Cisco switches, which allows a single high-bandwidth switch port to be split into multiple logical interfaces. None.
Cisco Tetration support for IP filtering on spine switches Cisco Tetration now supports the IP filtering feature on spine switches in addition to previously being supported on leaf switches. None.
Network Insights—Resources app The Network Insights – Resources app provides event analytics and license enhancements.
For more information, see the online help for this app.
The Network Insights – Resources app is released with limited availability in Cisco APIC release 4.0(1). Contact your Cisco account team before using this app.

New Software Features—Virtualization

Feature Description Guidelines and Restrictions
Enhanced LACP You can improve uplink load balancing by applying different Link Aggregation Control Protocol (LACP) policies to different distributed virtual switch (DVS) uplink port groups.
Cisco APIC now supports VMware's enhanced LACP feature, which is available for DVS 5.5 and later. Enhanced LACP is supported for VMware vSphere Distributed Switch (VDS) and Cisco ACI Virtual Edge.
For more information, see the Cisco ACI Virtualization Guide, Release 4.0(1) and the Cisco ACI Virtual Edge Configuration Guide.
Enhanced LACP supports only active and passive LACP modes.
Enhanced LACP is not available for Cisco ACI Virtual Edge when Cisco ACI Virtual Edge is part of Cisco ACI Virtual Pod.
If you want to use a Link Aggregation Control Protocol (LACP) port channel with VMware DVS 6.6 and later, you must create an enhanced LACP policy. See the Enhanced LACP Support section in the Cisco ACI Virtual Edge Configuration Guide and the Cisco ACI Virtualization Guide.
Exporting an existing VMware VDS to an ACI VMM domain You can import a VMware VDS configured in the VMware vCenter into a Cisco ACI VMM domain.
You can import the VDS if it resides under a network folder with the same name as the VDS. You import the VDS by creating a VDS domain in Cisco APIC with the same name as the VDS.
For more information, see the Cisco ACI Virtualization Guide, Release 4.0(1).
The VDS that you want to export from VMware vCenter must reside under a network folder with the same name as the VDS.
Promotion of VMM domains from read-only to fully managed Existing read-only VMM domains can now be promoted to fully managed read-write VMM domains, enabling Cisco APIC to manage the configuration of the VDS in the VMware vCenter for any created EPGs and policies.
For more information, see the Cisco ACI Virtualization Guide, Release 4.0(1).
None.
Service VM orchestration Service virtual machine (VM) orchestration is a policy-based feature that enables you to create and manage service VMs easily with Cisco APIC.
Service VM orchestration also streamlines the configuration of service VMs, also known as concrete devices (CDev), and groups them into a device cluster, also known as a logical device (LDev).
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 4.0(1).
Service VM orchestration is supported only for Cisco Adaptive Security Virtual Appliance (ASAv) and Palo Alto Networks devices.
vSphere proactive HA support for Cisco ACI Virtual Edge You can improve Cisco ACI Virtual Edge availability by using VMware vSphere Proactive HA in vCenter 6.5. Cisco APIC and VMware vCenter work together to detect a nonworking Cisco ACI Virtual Edge, isolate its host, and move its VMs to a functioning host, preserving network connectivity.
For more information, see the Cisco ACI Virtual Edge Installation Guide.
vSphere Proactive HA is not available for Cisco ACI Virtual Edge when it is part of Cisco ACI Virtual Pod.
VXLAN load-balancing and extra uplinks for Cisco ACI Virtual Edge VXLAN load balancing is now a built-in feature for Cisco ACI Virtual Edge. You do not need to do any configuration to enable VXLAN load balancing.
Extra uplinks also have been added to accommodate VXLAN load-balancing and improve overall performance.
For more information, see the Cisco ACI Virtual Edge Configuration Guide.
VXLAN load balancing and extra uplinks are not supported for Cisco ACI Virtual Edge when it is part of Cisco ACI Virtual Pod (vPod mode).

3.2(41)

Feature Description Guidelines and Restrictions
EIGRP authentication You can now configure authentication for the EIGRP protocol. EIGRP authentication uses the route-map keychain infrastructure for MD5 authentication.
For more information, see the Cisco APIC Security Configuration Guide.
Only MD5 Authentication is supported.
When there is an authentication mismatch between two EIGRP peers, the neighborship flaps.
IP address-based filtering on spine switches You can now use IP address-based or subnet-based filtering on Cisco N9K-9348GC-FXP, N9K-9348GC-8U-FXP, N9K-93108TC-FX, and N9K-93180YC-FX switches and N9K-X9736C-FX line cards. Prior to this release, the spine switch always exported all traffic flows in the flow table. The ACL programming for each rule remains the same as it was in previous releases. Spine switches do not support VRF instance filtering, so any rules posted with the VRF instance filter will be programmed without the VRF instance key in the ACL.
You cannot use EX line cards with this feature.
SSD over-provisioning Over-provisioning on a flash-based SSD improves SSD performance and lifetime endurance.
Using Cisco APIC, SSD over-provisioning can be applied to a switch by following the action as described in the fault that was raised.
SSD over-provisioning is applied during a switch's boot sequence. SSD over-provisioning might take up to an hour per spine switch to complete, which includes reformatting and repartitioning the SSD. This is a disruptive process that will result in all switch data on the SSD being deleted.
After the switch is discovered by the fabric, the Cisco APIC pushes the policies onto the switch.
If you do not perform SSD over-provisioning on Cisco N9K-C9364C and N9K-C9336C-FX2 switches, Cisco APIC raises fault F2972. SSD over-provisioning is applied automatically during the switch boot process after you respond to the fault. SSD over-provisioning might take up to an hour per spine switch to complete. After the switch reloads, you do not need to take any other action regarding the fault.

3.2(7)

Feature Description Guidelines and Restrictions
eBGP Multipath Relax The 3.2(7) release adds VRF-scoped node level support for modifying the Border Gateway Protocol (BGP) best path policy. You can modify the policy by using the External Border Gateway Protocol (eBGP) multipath relax option.
By default, BGP does not allow load balancing between multiple paths received from different autonomous system (AS) numbers. The multipath relax option changes this default behavior by relaxing the AS-PATH check and triggering multipathing across multiple eBGP peers. As a result, BGP will download multiple equal-cost multipath (ECMP) routing paths to the routing database.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 3.x and Earlier.
None.
Enhanced LACP You can improve uplink load balancing by applying different Link Aggregation Control Protocol (LACP) policies to different distributed virtual switch (DVS) uplink port groups.
Cisco APIC now supports VMware's enhanced LACP feature, which is available for DVS 5.5 and later. Enhanced LACP is supported for VMware vSphere Distributed Switch (VDS) and Cisco ACI Virtual Edge.
For more information, see the Cisco ACI Virtualization Guide, Release 3.2(7) and the Cisco ACI Virtual Edge Configuration Guide.
Enhanced LACP supports only active and passive LACP modes.
Enhanced LACP is not available for Cisco ACI Virtual Edge when Cisco ACI Virtual Edge is part of Cisco ACI Virtual Pod.
If you want to use a Link Aggregation Control Protocol (LACP) port channel with VMware DVS 6.6 and later, you must create an enhanced LACP policy. See the Enhanced LACP Support section in the Cisco ACI Virtual Edge Configuration Guide and the Cisco ACI Virtualization Guide.

3.2(6)

Feature Description Guidelines and Restrictions
Max IP address flow control The 3.2(6) release adds the max IP address flow control feature, which identifies endpoints that are misbehaving and flags them as rogue based on the number of learned IP addresses that are associated with a MAC address. The APIC supports a maximum of 4,000 IP addresses on a MAC address. If a leaf switch learns more than 4,000 IP addresses that are associated with a MAC address, then the MAC address and all of the IP addresses are classified as rogue. None.
Troubleshooting Wizard external IP to external IP session type The Troubleshooting Wizard is enhanced to enable you to choose the External IP to External IP session type. With this type, you can choose an external IP address for the source, and another external IP address for the destination.
For more information, see the Cisco APIC Troubleshooting Guide.
None.

3.2(5)

Feature Description Guidelines and Restrictions
Adjacency information base stats and threshold configuration This feature introduces an adjacency counter, which changes only if there is any update, add, or delete to the node adjacency. This keeps track of the number of times an adjacency has been modified (added, deleted, or updated).
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide, Release 3.x and Earlier.
You must have an L3Out configured to connect to an external network.
Flood in encapsulation support for VXLAN You can configure flood in encapsulation for endpoint groups (EPGs) with VXLAN encapsulation. Previously, only VLANs were supported for flood in encapsulation. Flood in encapsulation is used to limit flooding traffic inside a bridge domain to a single encapsulation. You configure flood in encapsulation when you create or modify a bridge domain or an EPG.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide, Release 3.x and Earlier.
DHCP relay must be configured if a DHCP server within the same bridge domain is providing IPv4 addresses to endpoints in different encapsulations.
SSD monitoring The SSD monitoring feature enables you to override the preconfigured thresholds for the SSD lifetime parameters and raise faults when the SSD reaches some percentage of the configured thresholds. These faults allow network operators to monitor and proactively replace a switch before it fails because an SSD lifetime parameter value has been exceeded.
For more information, see the Cisco APIC SSD Monitoring KB article.
This feature requires Micron M600 64 GB SSDs.
You cannot configure this feature using the CLI.
VM group quarantine protection You can ensure that virtual machine (VM) groups are moved out of Cisco ACI Virtual Edge hosts when the hosts stop working. The configuration overrides any affinity groups that would otherwise keep the VMs with particular hosts.
For more information, see the section VM Group Quarantine Protection in the Cisco ACI Virtual Edge Installation Guide.
None.

3.2(4)

Feature Description Guidelines and Restrictions
EIGRP authentication You can now configure authentication for the EIGRP protocol. EIGRP authentication uses the route-map keychain infrastructure for MD5 authentication.
For more information, see the Cisco APIC Security Configuration Guide.
Only MD5 Authentication is supported.
When there is an authentication mismatch between two EIGRP peers, the neighborship flaps.
IP address-based filtering on spine switches You can now use IP address-based or subnet-based filtering on Cisco N9K-9348GC-FXP, N9K-9348GC-8U-FXP, N9K-93108TC-FX, and N9K-93180YC-FX switches and N9K-X9736C-FX line cards. Prior to this release, the spine switch always exported all traffic flows in the flow table. The ACL programming for each rule remains the same as it was in previous releases. Spine switches do not support VRF instance filtering, so any rules posted with the VRF instance filter will be programmed without the VRF instance key in the ACL.
You cannot use EX line cards with this feature.
SSD over-provisioning Over-provisioning on a flash-based SSD improves SSD performance and lifetime endurance. If you do not perform SSD over-provisioning on Cisco N9K-C9364C and N9K-C9336C-FX2 switches, Cisco APIC raises fault F2972. SSD over-provisioning is applied automatically during the switch boot process after you respond to the fault. SSD over-provisioning might take up to an hour per spine switch to complete. After the switch reloads, you do not need to take any other action regarding the fault.
Using Cisco APIC, SSD over-provisioning can be applied to a switch by following the action as described in the fault that was raised.
SSD over-provisioning is applied during a switch's boot sequence. SSD over-provisioning might take up to an hour per spine switch to complete, which includes reformatting and repartitioning the SSD. This is a disruptive process that will result in all switch data on the SSD being deleted.
After the switch is discovered by the fabric, the Cisco APIC pushes the policies onto the switch.

3.2(3)

Feature Description Guidelines and Restrictions
VMware vSphere proactive HA support for Cisco ACI Virtual Edge You can improve Cisco ACI Virtual Edge availability by using VMware vSphere Proactive HA in vCenter 6.5. Cisco APIC and VMware vCenter work together to detect a nonworking Cisco ACI Virtual Edge, isolate its host, and move its VMs to a functioning host, preserving network connectivity. vSphere Proactive HA is not available for Cisco ACI Virtual Edge when it is part of Cisco ACI Virtual Pod.
For more information, see the Cisco ACI Virtual Edge Installation Guide.

3.2(2)

Feature Description Guidelines and Restrictions
Custom attributes for Microsoft SCVMM microsegments Microsegmentation with Cisco ACI supports custom attributes for Microsoft SCVMM. To use a custom attribute, you first must add it as a custom property in Microsoft SCVMM. This enables you to select it while creating the microsegment in the Cisco APIC.
Updates to Traceroute Functionality The traceroute tool is used to discover the routes that packets actually take when traveling to their destination. With the 3.2(2) release, the following traceroute features are now available:
- External-IP-to-Endpoint traceroute policies
- External-IP-to-External-IP traceroute policies
- icmp6 as an additional IP protocol option
For more information, see the Cisco APIC Troubleshooting Guide.
None.
Validations on incoming configurations to a Cisco APIC cluster In certain situations, an incoming configuration to a Cisco APIC cluster is validated for inconsistencies, where the validations involve only externally visible configurations. For example, one level of validation checks for duplicate IP addresses: an Invalid Configuration error message appears when an address duplicates another, such as an l3extRsPathL3OutAtt address. None.
VMware vSphere 6.7 support for VMware VDS and Cisco ACI Virtual Edge VMware vSphere version 6.7 supports Cisco ACI Virtual Edge and VMware VDS. VMware vSphere version 6.7 includes vCenter 6.7, ESXi 6.7, and DVS 6.6. None.

3.2(1)

Feature Description Guidelines and Restrictions
802.1x multi-host mode and multi-auth mode This release adds the following 802.1x modes:
- Multi-host mode—Allows multiple hosts per port, but only the first one gets authenticated. The port is moved to the authorized state after the successful authorization of the first host. Subsequent hosts are not required to be authorized to gain network access once the port is in the authorized state. If the port becomes unauthorized when reauthentication fails or an EAPOL logoff message is received, all attached hosts are denied access to the network. The capability of the interface to shut down upon security association violation is disabled in multiple host mode. This mode is applicable for both switch-to-switch and host-to-switch topologies.
- Multi-auth mode—Allows multiple hosts and all hosts are authenticated separately. Each host must have the same EPG/VLAN information.
- Multi-domain mode—Provides separate data and voice domains, for use with IP phones.
For more information, see the Cisco APIC Security Configuration Guide.
None.
AAA external logging (TACACS) Terminal Access Controller Access Control System (TACACS) and Terminal Access Controller Access Control System Plus (TACACS+) are simple security protocols that provide centralized validation of users attempting to gain access to network devices. TACACS+ furthers this capability by separating the authentication, authorization, and accounting functions in modules, and encrypting all traffic between the NAS and the TACACS+ daemon.
TACACS external logging collects AAA data from a configured TACACS source (fabric-wide or tenant-only) and delivers it to one or more remote destination TACACS servers, as configured in a TACACS destination group. The collected data includes AAA session logs (SessionLR) such as log-ins, log-outs, and time ranges, for every Cisco Application Policy Infrastructure Controller (APIC) user, as well as AAA modifications (ModLR) such as the addition of a new user or a password change. Additionally, all configuration changes are logged and include the user ID and time stamp.
For more information, see the Cisco ACI TACACS External Logging KB article.
None.
Anycast services Anycast services are supported in the Cisco ACI fabric. A typical use case is to support ASA firewalls in the pods of a multipod fabric, but Anycast could be used to enable other services, such as DNS servers or printing services. In the ASA use case, a firewall is installed in every pod and Anycast is enabled, so that the firewall can be offered as an Anycast service. One instance of a firewall going down does not affect clients, as the requests are routed to the next, nearest instance available. You install ASA firewalls in each pod, then enable Anycast and configure the IP address and MAC address to be used.
The Cisco APIC pushes the configuration of the Anycast MAC and IP addresses to the leaf switches where the VRF is deployed or where there is a contract to allow an Anycast EPG.
For more information, see the Cisco APIC and Anycast Services KB article.
For guidelines and limitations, see the Cisco APIC and Anycast Services KB article.
Cisco ACI Virtual Edge health status Beginning in this release, Cisco ACI Virtual Edge faults are reported to assist in troubleshooting. The Cisco ACI Virtual Edge monitors states of objects—for example, an EPG, port, global policy, or Virtual Tunnel Endpoint (VTEP)—listed in a database. When an object undergoes a state change, that change is recorded.
For more information, see the Cisco ACI Virtual Edge Health Status KB article.
No action is required to configure the collection of data into a health score.
Cisco ACI Virtual Edge license consumption Beginning with this release, you can track the number of Cisco ACI Virtual Edge licenses on each host. You can use the Cisco APIC GUI or NX-OS-style CLI commands to view license information.
For more information, see Viewing Cisco ACI Virtual Edge Licenses using the GUI in the Cisco ACI Virtual Edge Installation Guide and Cisco ACI Smart Licensing KB article.
None.
Cisco ACI Virtual Edge: Layer 4 to Layer 7 service graphs This release adds support for Layer 4 to Layer 7 service graphs for Cisco ACI Virtual Edge. You use service graphs to identify the set of network service functions that an application requires.
For more information, see the section Layer 4 to Layer 7 Services in the Cisco ACI Virtual Edge Configuration Guide and the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
Layer 4 to Layer 7 services are supported only for routed mode; there is no support for transparent mode.
Cisco ACI Virtual Edge: remote storage deployment Beginning with this release, Cisco ACI Virtual Edge can be deployed on local storage or remote storage. None.
Cloning port configurations Support for cloning port configurations is added. After you configure a leaf switch port, you can copy the configuration and apply it to other ports.
For more information, see Access Interfaces in the Cisco APIC Layer 2 Networking Configuration Guide.
This is only supported in the Cisco APIC GUI (not in the NX-OS-style CLI).
Port cloning is used for small numbers of leaf switch ports (interfaces) that you deploy on multiple nodes in the fabric and that are individually configured, not for interfaces configured using fabric access policies.
Port cloning is only supported for Layer 2 configurations.
The following policies are not supported on a cloned port:
- Attachable Access Entity
- Storm Control
- DWDM
- MACsec
Contract and subject exceptions Contracts between EPGs are enhanced to include exceptions to subjects or contracts. This enables a subset of EPGs to be excluded in contract filtering. For example, a provider EPG can communicate with all consumer EPGs except those that match criteria configured in a subject exception in the contract governing their communication. Inter-EPG contracts and intra-EPG contracts are supported.
For more information, see Basic User Tenant Configuration in the Cisco APIC Basic Configuration Guide.
None.
Contract permit and deny log enhancements EPG information has been added to the output of contract Cisco ACI permit and deny logs.
For more information, see Using the Cisco APIC Troubleshooting Tools in Cisco APIC Troubleshooting Guide.
The feature is supported for traffic on Cisco Nexus 9000 series switches with part numbers that end in EX and FX, and later (for example, N9K-C93180LC-EX).
The following limitations apply:
- Depending on the position of the EPG in the network, EPG data may not be available for the logs.
- When configuration changes occur, log data may be out of date. In steady state, log data will be accurate.
- The most accurate EPG data in the permit and deny logs results when the logs are focused on:
  - Flows from EPG to EPG, where the ingress policy is installed at the ingress TOR and the egress policy is installed at the egress TOR
  - Flows from EPG to L3Out, where one policy is applied on the BL TOR and the other policy is applied on a non-BL TOR
The feature is not supported for microsegmentation EPGs or EPGs used in shared services (including shared L3Outs).
Enhanced breakout support on profiled QSFP ports on N9K-C93180YC-FX switches Support is added for 100 Gigabit (Gb) (4X25Gb) and 40Gb (4X10Gb) dynamic breakouts on profiled QSFP ports on the N9K-C93180YC-FX switch (in ACI mode).
For more information, see Dynamic Breakout Ports in the Cisco APIC Layer 2 Networking Configuration Guide.
None.
EtherChannel support for 16 members EtherChannels now support 16 members. None.
Fibre Channel N-port virtualization A switch is in N-port virtualization (NPV) mode after enabling NPV. NPV mode applies to an entire switch. All end devices connected to a switch that are in NPV mode must log in as an N port to use this feature. All links from the edge switches (in NPV mode) to the NPV core switches are established as NP ports (not E ports), which are used for typical inter-switch links.
Fibre Channel N-port virtualization (FC NPV) provides the following benefits:
- Increased number of hosts that connect to the fabric without adding domain IDs in the fabric
- Connection of FC and FCoE hosts and targets to SAN fabrics using FC interfaces
- Automatic traffic mapping
- Static traffic mapping
- Disruptive automatic load balancing
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
For guidelines and limitations, see the Cisco APIC Layer 2 Networking Configuration Guide.
Forwarding scale profile policies enhancement The forwarding scale profile policy now includes the High LPM scale option. High longest prefix match (LPM) provides scalability similar to the dual-stack policy, except that the LPM scale is 128,000 and the policy scale is 8,000.
Scale improvements in the other forwarding scale options are also added in this release. For the scale information, see the Cisco APIC Forwarding Scale Profile Policy document.
None.
Krowten application The Krowten application takes a snapshot of the current Cisco APIC topology so that the user can get a comprehensive view of the EPG/VLAN distribution and mapping across the Fabric.
After the Krowten application is enabled, the snapshot is automatically created and you can display all the various existing topologies and their details.
None.
Layer 3 EPG SPAN configurations support This release adds support for configuring a Layer 3 EPG SPAN policy for external access.
For more information, see the Cisco APIC Troubleshooting Guide.
None.
Layer 3 routed and sub-interface port channels Previously, Cisco APIC supported only Layer 2 port channels. Starting with release 3.2(1), Cisco APIC now supports Layer 3 port channels. You can configure these Layer 3 port channels through the CLI, GUI, or REST API.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Multi-node policy-based redirect Multi-node policy-based redirect (PBR) enhances PBR by supporting up to three nodes in a single service chain. You can configure which service node connector terminates the traffic and, based on this configuration, the source and destination class IDs for the service chain are determined. In the multi-node PBR feature, policy-based redirection can be enabled on the consumer, provider, or both of the service node connectors. Multi-node PBR can also be configured for the forward or reverse directions. If the PBR policy is configured on a service node connector, then that connector does not terminate traffic.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 3.2(1).
Multi-node PBR supports up to three nodes in a service chain that can be configured for policy-based routing.
Multi-tier applications with a service graph The Multi-Tier Application with Service Graph Quick Start dialog provides a consolidated method of configuring service graph components such as bridge domains, EPGs, VRF instances, services, and contracts. As opposed to configuring each object in different locations in the Cisco APIC, the Quick Start dialog gathers the necessary configurations and combines them into a simple, organized step-by-step process.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 3.2(1).
None.
Optimize contract performance In this release, you can enable bidirectional standard contracts for more efficient hardware TCAM storage of contract data. With optimization enabled, contract statistics for both directions are aggregated. To configure efficient TCAM contract data storage, enable the following options:
- Contracts applied in both directions between the provider and consumer
- For filters with IP TCP or UDP protocols, enable the reverse port option.
- When adding the contract subjects, enable the no stats directive.
For more information, see Basic User Tenant Configuration in the Cisco APIC Basic Configuration Guide.
This feature is supported on Cisco Nexus 9000 series top of rack (TOR) switches with names ending with EX and FX, and later (for example, N9K-C93180LC-EX or N9K-C93180YC-FX).
Per leaf aggregate for the Data Plane Policer The Data Plane Policer policy now has clearly defined semantics, and a new flag exposes the sharing-mode setting as presented in the CLI. There is no longer an implicit behavior that differs depending on whether the Data Plane Policer is applied to Layer 2, Layer 3, or a per-EPG case; you now control the behavior. If the sharing-mode is set to shared, all entities on the leaf that refer to the same Data Plane Policer share the same hardware policer. If the sharing-mode is set to dedicated, a separate hardware policer is allocated for each Layer 2, Layer 3, or EPG member on the leaf, so the policer is dedicated to the entity being policed.
For more information, see the Cisco APIC Security Configuration Guide.
None.
Policy-based redirect and service graphs to Redirect All EPG-to-EPG traffic within the same VRF instance You can apply a service graph with a policy-based redirect policy that redirects traffic using the vzAny managed object. Such a policy enables all traffic from any endpoint group to be transmitted to any other endpoint group in the same VRF instance through a Layer 4 to Layer 7 device that is configured as one of the nodes in the service graph.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
For guidelines and limitations, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
Policy-based redirect resilient hashing In symmetric policy-based redirect (PBR), incoming and return user traffic uses the same PBR node. However, if one of the PBR nodes goes down or fails, the existing traffic flows are rehashed to another node. This can cause issues such as existing traffic on the functioning node being load balanced to other PBR nodes that do not have current connection information. If the traffic is traversing a stateful firewall, a node going down or failing can also lead to the connection being reset.
Policy-based redirect resilient hashing is the process of mapping traffic flows to physical nodes and avoiding the rehashing of any traffic other than the flows from the failed node. The traffic from the failed node is remapped to a backup node. The existing traffic on the backup node is not moved.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
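The resilient hashing row above describes a mapping rule rather than showing one. The following Python model is an added example (not Cisco's code and not taken from the guide) that contrasts the two behaviours: plain rehashing over the surviving nodes, which shifts flows that were never on the failed node, and resilient hashing, which keeps every flow on its primary node and sends only the failed node's flows to a backup. The node names, the "next surviving node in ring order" backup rule, the symmetric 5-tuple canonicalisation and the sample flows are all constructed for the illustration.

```python
"""Symmetric PBR hashing with and without resilient failover (constructed model)."""
import hashlib
from typing import Dict, List, Sequence, Set, Tuple

# Hypothetical PBR service nodes (e.g. a cluster of three firewalls).
PBR_NODES: List[str] = ["fw-1", "fw-2", "fw-3"]


def symmetric_flow_key(src_ip: str, dst_ip: str, proto: str,
                       src_port: int, dst_port: int) -> str:
    """Canonicalise a 5-tuple so a flow and its return traffic hash identically.

    Symmetric PBR needs both directions of a connection on the same node; sorting
    the two (ip, port) endpoints achieves that without any per-flow state.
    """
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def flow_hash(key: str) -> int:
    """Deterministic 64-bit hash of the canonical key (SHA-256 truncated)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def primary_node(key: str, nodes: Sequence[str]) -> str:
    """Node a flow uses while every PBR node is healthy."""
    return nodes[flow_hash(key) % len(nodes)]


def rehash_assign(key: str, nodes: Sequence[str], failed: Set[str]) -> str:
    """Non-resilient behaviour: hash over the surviving nodes only.

    The modulus changes, so many flows whose primary node is still up are moved
    to a node that holds no connection state for them.
    """
    alive = [n for n in nodes if n not in failed]
    return alive[flow_hash(key) % len(alive)]


def resilient_assign(key: str, nodes: Sequence[str], failed: Set[str]) -> str:
    """Resilient hashing: the primary slot never changes; only a failed node's
    flows are redirected, here to the next surviving node in ring order (an
    assumed backup rule, not necessarily the switch's own)."""
    n = len(nodes)
    idx = flow_hash(key) % n
    for step in range(n):
        candidate = nodes[(idx + step) % n]
        if candidate not in failed:
            return candidate
    raise RuntimeError("no PBR node available")


def constructed_flows(count: int = 200) -> List[Tuple[str, str, str, int, int]]:
    """Constructed sample: many clients talking to one HTTPS server behind PBR."""
    return [(f"10.1.{i // 256}.{i % 256}", "10.2.0.10", "tcp", 40000 + i, 443)
            for i in range(count)]


def compare_failover(flows, nodes: Sequence[str], failed_node: str) -> Dict[str, int]:
    """Count how many established flows change node under each scheme."""
    keys = [symmetric_flow_key(*f) for f in flows]
    before = {k: primary_node(k, nodes) for k in keys}
    failed = {failed_node}
    return {
        "on_failed_node": sum(1 for k in keys if before[k] == failed_node),
        "moved_rehash": sum(1 for k in keys if rehash_assign(k, nodes, failed) != before[k]),
        "moved_resilient": sum(1 for k in keys if resilient_assign(k, nodes, failed) != before[k]),
    }


if __name__ == "__main__":
    print(compare_failover(constructed_flows(), PBR_NODES, "fw-2"))
```

With resilient hashing, `moved_resilient` equals the number of flows that were on the failed node, which is exactly the set that had to move anyway; the rehash variant moves a large share of the other flows as well, which is the behaviour that resets connections through a stateful firewall.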
Remote leaf switches enhancements Support is added for the following features with remote leaf switches:
- FEX devices connected to remote leaf switches
- TEP to TEP atomic counters between remote leaf switches or remote leaf switches and local leaf switches
- Cisco AVS with VLAN and Cisco AVS with VXLAN
- Cisco ACI Virtual Edge with VLAN and Cisco ACI Virtual Edge with VXLAN
For more information, see Remote Leaf Switches in the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Rogue endpoint control policy The global rogue endpoint control policy for the fabric is introduced to detect unauthorized endpoints. A rogue endpoint attacks top of rack (ToR) switches by frequently and repeatedly injecting packets on different ToR ports and changing 802.1Q tags (thus emulating endpoint moves), which causes learned sclass and EPG port changes. Misconfigurations can also cause frequent IP and MAC address changes (moves).
Such rapid movement in the fabric causes significant network instability, high CPU usage, and in rare instances, endpoint mapper (EPM) and EPM client (EPMC) crashes due to significant and prolonged messaging and transaction service (MTS) buffer consumption. Also, such frequent moves might result in the EPM and EPMC logs rolling over very quickly, hampering debugging for unrelated endpoints.
The rogue endpoint control feature addresses this vulnerability by quickly:
- Identifying such rapidly moving MAC and IP endpoints
- Stopping the movement by temporarily making endpoints static (thus, quarantining the endpoint)
- Keeping the endpoint static for the rogue EP detection interval and, after this time expires, deleting the rogue MAC or IP address
- Generating a host tracking packet to enable the system to re-learn the impacted MAC or IP address
- Raising a fault to enable corrective action
For more information, see Provisioning Core ACI Fabric Services in the Cisco APIC Basic Configuration Guide.
- Changing rogue endpoint control policy parameters will not affect existing rogue endpoints.
- If a rogue endpoint is enabled, loop detection and bridge domain move frequency will not take effect.
- Disabling the rogue endpoint feature clears all rogue endpoints.
- You must disable the rogue endpoint feature prior to upgrading or downgrading the Cisco APIC.
- The endpoint mapper (EPM) has value limits for rogue endpoint parameters. If you set the parameter values outside of this range, the Cisco APIC raises a fault for each mismatched parameter. For the valid ranges, see the Cisco APIC Basic Configuration Guide.
- The rogue endpoint feature can be used within each site of a Cisco ACI Multi-Site deployment to help with misconfigurations of servers that cause an endpoint to move within the site. The rogue endpoint feature is not designed for scenarios where the endpoint may move between sites.
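To make the detection and quarantine sequence in the rogue endpoint row concrete, here is an added Python model of it; this is illustrative code written for this page, not the EPM implementation or Cisco's policy object. The detection window, the move-count threshold and the hold time are assumptions standing in for the policy's real parameters (the page only names a "rogue EP detection interval"), and the endpoint learn events are constructed.

```python
"""Rogue endpoint control modelled on the release-note description (constructed example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

Location = Tuple[str, int]  # (leaf port, 802.1Q tag) where the endpoint was learned


@dataclass
class EndpointState:
    location: Location
    moves: Deque[float]                       # timestamps of recent location changes
    quarantined_until: Optional[float] = None  # set once the endpoint is made static


@dataclass
class RogueEndpointDetector:
    # Assumed parameters; the real policy knobs differ in name and defaults.
    detection_interval_s: float = 60.0   # window in which moves are counted
    move_threshold: int = 4              # moves inside the window that mark an endpoint rogue
    hold_interval_s: float = 1800.0      # how long the rogue endpoint stays static
    endpoints: Dict[str, EndpointState] = field(default_factory=dict)
    faults: List[str] = field(default_factory=list)

    def observe(self, t: float, mac: str, leaf_port: str, tag: int) -> str:
        """Process one endpoint learn; returns what the detector did with it."""
        loc: Location = (leaf_port, tag)
        st = self.endpoints.get(mac)
        if st is None:
            self.endpoints[mac] = EndpointState(loc, deque())
            return "learned"
        if st.quarantined_until is not None:
            if t >= st.quarantined_until:
                # Hold interval expired: delete the rogue entry and re-learn from this packet.
                self.endpoints[mac] = EndpointState(loc, deque())
                return "relearned"
            # Endpoint is pinned (static): the apparent move is ignored.
            return "suppressed"
        if loc == st.location:
            return "refresh"
        # Record the move and drop moves that fell out of the detection window.
        st.location = loc
        st.moves.append(t)
        while st.moves and t - st.moves[0] > self.detection_interval_s:
            st.moves.popleft()
        if len(st.moves) >= self.move_threshold:
            st.quarantined_until = t + self.hold_interval_s
            self.faults.append(f"rogue endpoint {mac} pinned to {leaf_port} tag {tag} at t={t}")
            return "quarantined"
        return "moved"


# Constructed sample events: (time_s, mac, leaf_port, dot1q_tag).
SAMPLE_EVENTS = [
    (0.0, "00:50:56:aa:00:01", "eth1/1", 10),
    (0.0, "00:50:56:aa:00:02", "eth1/5", 10),
    (1.0, "00:50:56:aa:00:01", "eth1/2", 20),    # move 1
    (2.0, "00:50:56:aa:00:01", "eth1/1", 10),    # move 2
    (3.0, "00:50:56:aa:00:01", "eth1/2", 20),    # move 3
    (4.0, "00:50:56:aa:00:01", "eth1/1", 10),    # move 4: threshold reached
    (5.0, "00:50:56:aa:00:01", "eth1/2", 20),    # ignored while static
    (30.0, "00:50:56:aa:00:02", "eth1/6", 10),   # one legitimate move
    (1900.0, "00:50:56:aa:00:01", "eth1/2", 20),  # hold expired: entry deleted, re-learned
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the constructed events through a detector with default parameters."""
    det = RogueEndpointDetector()
    outcomes = [det.observe(*e) for e in events]
    return det, outcomes


if __name__ == "__main__":
    detector, result = run_sample()
    print(result)
    print(detector.faults)
```

The interesting property for an operator is in the second MAC address: a single move inside the window is treated as a normal endpoint move, so the threshold, not the mere fact of moving, decides what gets quarantined, which is why the guideline about tuning the parameters within the EPM's valid ranges matters.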
Service graphs for contracts involving microsegmented EPGs Beginning with this release, Layer 4 to Layer 7 service graphs are supported for contracts between microsegmented EPGs and between microsegmented EPGs and regular EPGs. Service graphs enable you to refine the contracts by adding such services as a firewall or load-balancing.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 3.2(1).
None.
Simplified fabric external access policy configuration In this release, fabric external access policy creation is simplified in the Cisco APIC GUI.
For the policy configuration wizard for ports, Port Channels, Virtual Port Channels or Fibre Channels, navigate to Fabric > External Access Policies > Quick Start > Interfaces and Policies > Configure Interface.
None.
Smart Callhome Smart Callhome provides an email-based notification for critical system policies in a similar way as Callhome. However, Smart Callhome collects a more specific selection of faults to deliver in email messages.
The fault triggers that are typical of the Smart Callhome feature correspond to the kind of events that threaten to disrupt your network. Examples are:
- Temperature Faults: The temperature of a sensor exceeds a threshold.
- Fan/Power Supply Faults: A fan or power supply unit goes offline.
- Disk Utilization Faults: The disk usage of a device exceeds a threshold.
Smart Callhome collects faults and emails them to a network support engineer, a Network Operations Center, or to Cisco Smart Callhome services to generate a case with the Technical Assistance Center (TAC).
For more information, see the Cisco ACI Smart Callhome KB article.
None.
Smart Licensing and Cisco ACI Starting with Cisco APIC release 3.2(1), Smart Licensing is enabled in the Cisco ACI fabric and by extension in the Cisco APIC as a Cisco Smart Licensing-enabled product. Cisco Smart Licensing is a unified management system that manages all of the software licenses across Cisco products.
For more information, see the Cisco ACI Smart Licensing KB article.
For guidelines and limitations, see the Cisco ACI Smart Licensing KB article.
Two-Way Active Measurement Protocol (TWAMP) The Two-Way Active Measurement Protocol (TWAMP) defines a standard (RFC 5357) for measuring round-trip network performance between any two devices that support the TWAMP protocols. The TWAMP Server/Reflector is supported as part of the IP SLA responder in NX-OS. Cisco APIC configures the TWAMP support for switch groups and provides the monitoring of the test sessions and connections.
For more information, see the Cisco ACI TWAMP KB article.
The devices must support the following TWAMP protocols:
- TWAMP-Control Protocol: Set up performance measurement sessions
- TWAMP-Test Protocol: Send and receive performance-measurement probes

The TWAMP client resides on an open-source third-party TWAMP utility application that must be reachable by any of the switch nodes through a management port, in-band management port, or L3Out interface.
VM folder attribute for microsegmentation with Cisco ACI This release adds support for the VM folder as a VM-based attribute for microsegmentation with Cisco ACI.
For more information, see the Microsegmentation with Cisco ACI chapter in the Cisco ACI Virtualization Guide, Release 3.2(1).
The VM folder attribute is supported for Cisco ACI Virtual Edge, Cisco AVS, and VMware VDS. The attribute is not supported for Microsoft vSwitch.

3.1(2)

Feature Description Guidelines and Restrictions
BGP external routed network with the autonomous system override The autonomous system override function replaces the autonomous system number from the originating router with the autonomous system number of the sending BGP router in the autonomous system path of the outbound routes.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Cisco ACI Multi-Site support on the Cisco N9K-C9364C switch and N9K-C9508-FM-E2 and N9K-C9516-FM-E2 fabric modules Cisco ACI Multi-Site is now supported on the Cisco N9K-C9364C switch and N9K-C9508-FM-E2 and N9K-C9516-FM-E2 fabric modules. None.
Cloud Foundry Integration with Cisco ACI Beginning in this release, Cloud Foundry is integrated with Cisco Application Centric Infrastructure (ACI). This feature enables customers to use all Cisco ACI security and policy features with Cloud Foundry containers. Cloud Foundry is a platform as a service (PaaS) that uses Linux containers to deploy and manage applications.
For more information, see the Cisco ACI and Cloud Foundry Integration knowledge base article and the Cisco Application Policy Infrastructure Controller OpenStack and Container Plugins, Release Notes.
Cisco ACI integration applies to Cloud Foundry deployed on VMware vSphere where the Cisco ACI provides the network fabric for VMware vSphere.
Graceful Maintenance on switch maintenance groups In this release, when a user upgrades the Cisco ACI Fabric, there is now an option to enable Graceful Maintenance when upgrading the maintenance groups. When this option is enabled, the Cisco APIC will put the switches into the existing graceful insertion and removal (GIR) mode before reloading. This allows the switch to shut down all protocols gracefully before reloading for the upgrade. This feature can only be used when all nodes in the fabric are upgraded to release 3.1(2) or later. Using this feature to upgrade nodes on a version prior to 3.1(2) can result in unexpected traffic loss when the nodes are being upgraded.
LACP support on Layer 2/Layer 3 traffic diversion for the graceful insertion and removal mode The existing graceful insertion and removal (GIR) mode supports all Layer 3 traffic diversion. With LACP, all of the Layer 2 traffic is also diverted to the redundant node. After a node goes into maintenance mode, LACP running on the node immediately informs neighbors that it can no longer be aggregated as part of a port channel. All traffic is then diverted to the vPC peer node.
For more information, see the Cisco APIC Getting Started Guide.
None.
Neighbor discovery router advertisement on Layer 3 Outsides Router solicitation/router advertisement packets are used for auto-configuration and are configurable on Layer 3 interfaces, including routed interface, Layer 3 sub-interface, and SVI (external and pervasive).
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
QoS for Layer 3 Outsides In this release, QoS policy enforcement on L3Out ingress traffic is enhanced. To configure QoS policies in an L3Out, the VRF instance must be set in egress mode (Policy Control Enforcement Direction = "egress") with policy control enabled (Policy Control Enforcement Preference = "Enforced"). You must configure the QoS class priority or DSCP setting in the contract that governs the Layer 3 external network.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.

3.1(1)

Feature Description Guidelines and Restrictions
Active sessions This release adds support for monitoring GUI user active sessions. This feature is located under the System > Active Sessions tab.
See the Cisco APIC online help for more information.
None.
Additional NAT firewall public IP addresses for a VRF instance You can allocate additional public IP addresses for use with NAT rules. You can request this public IP address from any EPG where NAT is enabled, so it is available for all EPGs in the VRF instance. We recommend that the destination IP address of the NAT rule points only to an endpoint within the EPG and not somewhere else in the VRF instance.
BFD support on spine switches This release adds support for Bidirectional Forwarding Detection (BFD) on spine switches.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Cisco Application Centric Infrastructure Virtual Edge This release supports Cisco ACI Virtual Edge, the next generation of the Application Virtual Switch (AVS) for Cisco ACI environments. Cisco ACI Virtual Edge is a hypervisor-agnostic distributed virtual switch that runs in the user space as a service VM. It operates as a virtual leaf switch and is managed by the Cisco Application Policy Infrastructure Controller (APIC).
If you use VMware VDS or Cisco AVS, you can migrate to Cisco ACI Virtual Edge and can also run Cisco ACI Virtual Edge on top of the existing VMware VDS. Decoupling the Cisco ACI Virtual Edge from the kernel space makes Cisco ACI Virtual Edge adaptable to different hypervisors. It also facilitates upgrades because Cisco ACI Virtual Edge is no longer tied to hypervisor upgrades.
For more information, see the Cisco ACI Virtual Edge Release Notes.

- Cisco ACI Virtual Edge is available only on the VMware hypervisor.
- Cisco ACI Virtual Edge is supported with the latest VMware vSphere 6.0 build and later releases.
- You can install only one Cisco ACI Virtual Edge VM per host.
- You should deploy Cisco ACI Virtual Edge on a local disk on the host.
- VXLAN load-balancing will be supported after Cisco ACI Virtual Edge initial release.
- The Cisco ACI Virtual Edge management interface must have an IPv4 address. It can optionally have an additional IPv6 address, but you cannot configure it only with an IPv6 address.
Cisco Tetration Analytics support for network performance, monitoring, and diagnostic The Tetration platform uses rich dataplane telemetry from hardware sensors to provide network performance, monitoring, and diagnostics capability on a Cisco ACI fabric. The following features require Cisco Nexus 9300-FX switches and Cisco Nexus 9500 series switches with N9K-X9736C-FX linecards in the Cisco ACI mode:
- Per queue and per link aggregate stats on: bandwidth, packet drop indicators, average and max latency
- Maps flows to link topology and queue
- Network topology visualization and drill down
- End-to-end fabric view per flow
- Per hop view of a flow
- Time-series view for all the performance indicators including network topology
None.
Cisco Tetration Analytics support on the Cisco Nexus 9500-series switches with the N9K-X9736C-FX linecard Cisco Tetration Analytics telemetry is now supported on the Cisco Nexus 9500-series switches with the N9K-X9736C-FX linecard. None.
Cloud Foundry integration Cloud Foundry integration with Cisco ACI is a beta feature that is visible in the Cisco APIC GUI. This feature is not supported in this release. Contact Cisco for information about this feature.
Cloud Orchestrator Mode This feature provides a Load-Balancer-as-a-Service (LBaaS) and a Firewall-as-a-Service (FWaaS) interface to enable a standard set of parameters that creates a unified interface for configuring load balancers and firewalls in a service graph.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
Configuring flood in encapsulation for all protocols and proxy ARP across encapsulations In this release, on the Cisco ACI switches with the Application Leaf Engine (ALE), all protocols are flooded in encapsulation. Multiple EPGs are now supported under one bridge domain with an external switch. When two EPGs share the same bridge domain and the Flood in Encapsulation option is turned on, the EPG flooding traffic does not reach the other EPG. It overcomes the challenges of using the Cisco ACI switches with the Virtual Connect (VC) tunnel network.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
None.
Control plane policing (CoPP) per interface per protocol A CoPP configuration is now supported on a per interface and per protocol basis. The protocols supported are ARP, ICMP, CDP, LLDP, LACP, BGP, STP, BFD, and OSPF.
For more information, see the Cisco APIC Security Configuration Guide.
None.
Control plane policing (CoPP) prefilter To protect against DDoS attacks, a CoPP prefilter profile is used on spine and leaf switches to filter access to authentication services based on specified sources and TCP ports. When the CoPP prefilter profile is deployed on a switch, the control plane traffic is denied by default. Only the traffic specified in the CoPP prefilter profile is permitted.
For more information, see the Cisco APIC Security Configuration Guide.
- Only Ethernet type IPv4 or IPv6 packets can be matched in the egress TCAM. ARP and ND packets are not matched.
- A total of 128 (wide key) entries can be included in the allowed list. However, some entries are reserved for internal use.
Converting uplink ports and downlink ports Uplink and downlink conversion is supported on Cisco Nexus 9000-series switches with names that end in EX or FX, such as the N9K-C93180YC-EX switch. A FEX can be connected to a converted downlink port.
For more information, see the Cisco Application Centric Infrastructure Fundamentals document.
None.
EthType IPv4 and IPv6 support This release adds support for the IPv4 and IPv6 ARP security filter type. None.
Fast link failover policy A fast link failover policy is applicable to uplinks on Cisco N9K-C93180YC-EX and N9K-C93180YC-FX platforms only. The policy efficiently load balances the traffic based on the uplink MAC status. With this functionality, the switch performs Layer 2 or Layer 3 lookup and it provides an output Layer 2 interface (uplinks) based on the packet hash algorithm by considering the uplink status. This functionality reduces the data traffic convergence to less than 10 milliseconds. This feature is not supported with port profiles or remote leaf switches. When the Fast Link Failover policy is enabled, configuring SPAN on individual uplinks does not work.
Favorites You can now bookmark commonly-used GUI pages, which you can then access quickly from the Manage my profile > Favorites menu. You bookmark a page by clicking the star icon in the upper right of the page. Not all pages can be bookmarked.
FIPS SHA1 key support When Federal Information Processing Standards (FIPS) is enabled, SHA1 key is supported for NTP authentication. None.
First-hop security Starting with Cisco AVS release 5.2(1)SV3(3.20), the first-hop security (FHS) feature is supported. The FHS feature set provides improved management and IPv4 link security over the Layer 2 links. In a service provider environment, FHS controls address assignment and derived operations, such as duplicate address detection (DAD) and address resolution (AR). Cisco AVS is an FHS policy enforcer for virtual endpoints. FHS includes the following security features: IP address inspection, source guard, and ARP learning.
- FHS enforcement is not supported for IPv6 address family on AVS.
- FHS is not supported with micro-segmentation.
- FHS endpoint entry is not retained when a port is detached and attached to VMware vCenter.
- Cisco AVS does not detect duplicate addresses across ESX hosts.
- A static virtual endpoint (vep) configuration is required when VMware fault tolerance is enabled for virtual machines with trust ports.
High dual stack The high dual stack option was added to the forwarding scale profile policy to provide scalability of up to 24k endpoints for IPv6 configurations and up to 64k endpoints for IPv4 configurations. This option also increases the LPM scale to 38K for both IPv4 and IPv6.
For more information, see the Cisco APIC Forwarding Scale Profile Policy document.
- The high dual stack profile reduces the policy scale to 8k.
- High dual stack does not support multicast.
- Switches configured with high dual stack must be manually reloaded to enable the profile.
ICMP tracking support TCP and ICMP protocol types are now used to track the Redirect Destination node.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
IP SLA monitoring support Switches internally use the Cisco IP SLA monitoring feature to support policy-based redirect (PBR) tracking.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
Launch Stats You can view the stats of a specific physical interface by going to the Fabric > Inventory tab, then navigating to pod_name > leaf_name > Interfaces. Click the button in the Stats column that corresponds to the desired interface. None.
Layer 3 multicast support for Fabric Extenders Multicast sources or receivers connected to Fabric Extender (FEX) ports are supported.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
LDAP group map The LDAP group map feature enables you to add LDAP configurations using active directory (AD) groups in place of Cisco attribute-value (AV) pairs.
For more information, see the Cisco APIC Security Configuration Guide.
This feature does not require making changes to the LDAP server for use with the Cisco APIC.
Location-aware policy-based redirect When you enable location-aware redirection and you specify Pod IDs, all of the redirect destinations in the Layer 4 to Layer 7 policy-based redirect policy will have pod awareness.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
MACsec support MACsec provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
None.
Multipod support on the Cisco N9K-C9364C switch and N9K-C9508-FM-E2 and N9K-C9516-FM-E2 fabric modules This release adds support for multipod on the Cisco N9K-C9364C switch and N9K-C9508-FM-E2 and N9K-C9516-FM-E2 fabric modules.
Note: Multipod and Cisco ACI Multi-Site together are currently not supported on the Cisco N9K-C9364C switch.
None.
Nesting in VMware for OpenShift and Kubernetes This release adds support for nesting in VMware for OpenShift and Kubernetes. None.
NTP Authentication support This release adds support for HMAC-NTP authentication.
For more information, see the Cisco APIC Basic Configuration Guide.
None.
NTP server This feature enables client switches to act as NTP servers to provide NTP time information to downstream clients.
For more information, see the Cisco APIC Basic Configuration Guide.
None.
OpenShift support for containers on Cisco ACI This release introduces native Cisco ACI support for container orchestration systems. This support includes the following features:
- Containers have direct access to the ACI policy model.
- Containers, VMs, and physical devices have seamless integration on a Cisco ACI fabric.
- Cisco APIC supports native policy semantics.
- Key network capabilities are provided to operate in this ecosystem. In particular, there is load balancing for both internal and external services.
None.
Policy-based redirect support for service nodes in consumer and provider bridge domains Bridge domains that contain a consumer or provider also support service nodes. Therefore, you are not required to provision separate service node bridge domains any longer.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
Port configuration improvements In the GUI, port configuration is improved to show operation and configuration. When you view a leaf switch within a pod under Fabric > Inventory, you can now click on a port to see information about that port.
See the Cisco APIC online help for more information.
None.
Quick Start workflows for setting up node, remote leaf switch, and multipod This release includes Quick Start workflows for setting up node, remote leaf switch, and multipod. You can now access the workflows by navigating to Fabric > Inventory, then expanding Quick Start.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Read-Only Mode VMM Domain for VMware VDS This release adds support for creating a read-only mode VMM domain for VMware VDS. This enables you to view information about a DVS in VMware vCenter that is not managed by the Cisco APIC. You create a read-only VMM domain by setting the access mode when you create the domain.
- If you want to create a read-only VMM domain, the domain must have the same name as the DVS in VMware vCenter, and the DVS must be inside a network folder with the same name.
- You can associate EPGs to a read-only VMM domain and apply policies to it. However, the policies are not pushed to the DVS in VMware vCenter.
- Faults are not raised for a read-only VMM domain.
Red Hat virtualization support This release supports Red Hat Virtualization (RHV) integration. RHV, formerly Red Hat Enterprise Virtualization, is an open-source virtualization solution. It is based on the Kernel-based Virtual Machine (KVM) hypervisor and the oVirt management platform. It includes the RHV host and the RHV manager (RHVM). The concept of endpoint groups in Cisco ACI is equivalent to a network in RHV.
We recommend that you use RHV release 4.1.6 or later.
Remote leaf switches With a Cisco ACI fabric deployed, you can extend Cisco ACI services and Cisco APIC management to remote data centers with Cisco ACI leaf switches that have no local spine switch or Cisco APIC attached. All policies deployed in the main data center are deployed on the remote switches, which behave like local leaf switches belonging to a pod.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
If you have remote leaf switches deployed and you downgrade the Cisco APIC software from release 3.1(1) or later to an earlier release that does not support the remote leaf feature, you must decommission the nodes before downgrading.
For more information on decommissioning switches, see “Decommissioning and Recommissioning Switches” in the Cisco APIC Troubleshooting Guide.
Role-based access control integration for Cisco ACI VMware vCenter plug-in Starting with this release, the Cisco ACI VMware vCenter plug-in supports enhanced role-based access control (RBAC) based on Cisco APIC user roles and security domains. None.
RSA secure ID This feature provides token-based password authentication.
For more information, see the Cisco APIC Security Configuration Guide.
None.
Shared GOLF For Cisco APIC sites in a Cisco ACI Multi-Site topology, if stretched VRF instances share GOLF connections, guidelines are provided to avoid the risk of cross-VRF traffic issues.
For more information, see the “Cisco ACI GOLF” chapter in the Cisco APIC Layer 3 Networking Configuration Guide.
None.
SNMP Trap Aggregation The SNMP trap aggregation feature allows SNMP traps from the fabric nodes to be delivered to one of the Cisco APICs in the cluster and allows the forwarding of SNMP traps received from the fabric nodes to the external destination.
For more information, see the Cisco APIC Basic Configuration Guide.
If you decommission Cisco APICs, the trap forward server will receive redundant traps.
Support for the deny action and the relative ordering of entries in the OSPF import route map OSPF import route map has been enhanced to support the deny action in addition to the permit action. You can also create permit and deny entries in a specified order. None.
Switch Virtual Interface (SVI) auto state You can now enable the SVI auto state behavior. This allows the SVI state to be in the down state when all the ports in the VLAN go down. None.
Tracking service nodes with policy-based redirect and support for hashing algorithms The policy-based redirect feature (PBR) supports tracking service nodes and PBR also supports specific hashing algorithms.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
This feature is supported only on EX and FX switches.

3.0(2)

Feature Description Guidelines and Restrictions
Static Route in a Bridge Domain With Cisco APIC Release 3.0.2, support was added to configure a static route in a pervasive bridge domain to enable routes to virtual services behind firewalls.
This feature enables endpoint reachability to subnets and hosts that are not directly connected to the pervasive bridge domain, using regular EPGs.
When a static route is configured, the Cisco APIC deploys the route to all the leaf switches that use the bridge domain and all the leaf switches that have contracts associated to the bridge domain.
The subnet mask must be /32 (/128 for IPv6) pointing to one IP address or one endpoint. The mask is contained in the EPG associated with the pervasive bridge domain.
The feature is supported on Cisco Nexus 9000 and later series switches with names that end in EX, such as the Cisco Nexus N9K-C93180LC-EX.
Latency Monitoring with the Cisco Nexus N9K-93128TX, N9K-9396PX, N9K-9396TX, N9K-9372PX, N9K-9372TX, N9K-9332PQ and N9K-93180LC-EX switches Support for latency monitoring with the Cisco Nexus N9K-93128TX, N9K-9396PX, N9K-9396TX, N9K-9372PX, N9K-9372TX, N9K-9332PQ and N9K-93180LC-EX switches. None.

3.0(1)

Feature Description Guidelines and Restrictions
Cisco APIC with Cisco ACI Multi-Site As the newest advance in the Cisco ACI methods for interconnecting networks, Cisco ACI Multi-Site is an architectural approach for interconnecting and managing multiple sites, each serving as a single fabric.
The Cisco ACI Multi-Site architecture has three main functional components:
- Two or more Cisco ACI fabrics built with Nexus 9000 switches deployed as leaf and spine nodes.
- One Cisco APIC cluster domain in each fabric.
- An inter-site Policy Manager, named Cisco ACI Multi-Site, which is used to manage the different fabrics and to define inter-site policies.
Cisco ACI Multi-Site has the following benefits:
- Complementary with Cisco APIC, in Multi-Site each site is an availability zone (Cisco APIC cluster domain), which can be configured to be a shared or isolated change-control zone.
- MP-BGP EVPN is used as the control plane between sites, with data-plane VXLAN encapsulation across sites.
- The Cisco ACI Multi-Site solution enables extending the policy domain end-to-end across fabrics. You can create policies in the Cisco ACI Multi-Site GUI and push them to all sites or selected sites. Alternatively, you can import tenants and their policies from a single site and deploy them on other sites.
- Multi-Site enables a global view of site health.
- From the GUI of the Multi-Site policy manager, you can launch the site Cisco APICs.
- Cross-site namespace normalization is performed by the connecting spine switches. This function requires Cisco Nexus 9000 Series switches with EX on the end of the name (and later).
- Disaster recovery scenarios that offer IP mobility across sites are a typical Cisco ACI Multi-Site use case.
None.
Graceful Insertion and Removal (GIR) Mode The Graceful Insertion and Removal (GIR) mode or maintenance mode allows you to isolate a switch from the network with minimum service disruption. In the GIR mode you can perform real-time debugging without affecting traffic. None.
Ingress QoS Policing - per EPG per interface policing Allows you to police all the traffic entering the fabric from all the members of an endpoint group, so you can control the amount of traffic entering the fabric from a group of endpoints that share access links at the cost of other endpoints. None.
802.1x support IEEE 802.1x is a port-based authentication mechanism to prevent unauthorized devices from gaining access to the network. None.
Enforced Bridge Domain An endpoint in a subject endpoint group (EPG) can only ping subnet gateways within the associated bridge domain. You can then create a global exception list of IP addresses that can ping any subnet gateway. None.
Application Quorum Application Quorum ensures that a certain number of nodes must be online for the APP cluster to continue running and helps in preventing the split-brain scenario. None.
Q-in-Q Encapsulation Mapping for EPGs Using Cisco APIC, you can map double-tagged VLAN traffic ingressing on a regular interface, PC, or VPC to an EPG. When this feature is enabled and double-tagged traffic enters the network for an EPG, both tags are processed individually in the fabric and restored to double tags when egressing the Cisco ACI switch. Ingressing single-tagged and untagged traffic is dropped. EPGs can simultaneously be associated with other interfaces on a leaf switch that are configured for single-tagged VLANs. This feature is only supported on Nexus 9300-FX platform switches. For configuration procedures and limitations, see Q-in-Q Encapsulation Mapping for EPGs in the Cisco APIC Layer 2 Configuration Guide.
BGP Maximum Path Support Enables you to configure the maximum number of paths that BGP adds to the route table to invoke equal-cost multipath load balancing. None.
AS Path Prepend Allows for the change to the length of the autonomous system path in a BGP route to invoke best-path selection by a remote peer. None.
Kubernetes for baremetal servers Kubernetes is an open source system that automates deploying, scaling, and managing containers in a network. You can integrate Kubernetes on baremetal servers into the Cisco Application Centric Infrastructure (ACI). None.
Intra-EPG contracts Intra-EPG contracts allow some communication and forbid other communication between endpoints in the same EPG. Otherwise, intra-EPG communication is either unrestricted (the default) or barred completely. Intra-EPG contracts can be configured for application EPGs and uSeg EPGs on VMware VDS, Open vSwitch (OVS), and baremetal servers. For information, see the Cisco APIC Basic Configuration Guide. Intra-EPG contracts require that the leaf switch support proxy Address Resolution Protocol (ARP). They are supported on Cisco Nexus 9000 Series switches with EX or FX at the end of their model name or later models.
Endpoint Retention You can now delay the amount of time between when you detach an endpoint from a host and the time it is actually detached. Doing so can prevent drops in traffic when you use VMotion on VMware VDS or Cisco AVS. For information, see the Cisco ACI Virtualization Guide. None.
Intra-EPG isolation support for Microsoft vSwitch Intra-EPG Isolation is now supported for Microsoft vSwitch. By default, endpoint devices included in the same EPG are allowed to communicate with one another. However, Intra-EPG isolation enables you to bar physical or virtual endpoint devices in the same base EPG or uSeg EPG from communicating with each other. None.
NetFlow support for Cisco AVS NetFlow technology is now supported for Cisco AVS. NetFlow provides the metering base for a key set of applications, including network traffic accounting, usage-based network billing, denial of services monitoring, network monitoring, and data mining. For information, see the Cisco ACI Virtualization Guide. None.
First Hop Security Enables better IPv4 and IPv6 link security and management over Layer 2 links. In a service provider environment, these features closely control address assignment and derived operations, such as Duplicate Address Detection (DAD) and Address Resolution (AR). Supported FHS features secure these protocols and help build a secure endpoint database on the fabric leaf switches that is used to mitigate security threats such as man-in-the-middle (MIM) attacks and IP theft. None.
Latency and PTP Latency is measured between endpoint groups, which requires all nodes in the fabric to be synchronized using the PTP protocol. None.
SAML Management and 2 Factor Authentication SAML is an XML-based open standard data format that uses security tokens containing assertions that pass information between an SAML identity provider and a SAML service provider. None.
Local User Authentication using OTP OTP is a one-time password that is valid for only one session. Once OTP is enabled, Cisco APIC generates a random, human-readable, base32-encoded OTP key of 16 binary octets. None.
Password Strength Allows configuration of user password parameters for security management. None.
vRealize Automation Event Broker vRealize Automation Event Broker is a workflow subscription service for vRealize Automation to call workflows from the vRealize Orchestrator under predefined conditions. A deployment of a single/multitier application is automatically subscribed to the Event Broker. Machine operations configured by the vRA trigger the Event Broker, which invokes the preconfigured operations to the Cisco APIC. None.
CoS Marking for Cisco AVS Class of service (CoS) marking is supported for Cisco AVS. CoS marking enables you to mark priority for traffic based on endpoint groups. For information, see the section “Class of Service and Cisco AVS” in the Cisco Application Virtual Switch Configuration Guide. For Cisco Nexus 9000 Series switches with model names ending in EX or FX, be aware of the following:
- If an egress data plane policer is already applied on a downlink from Cisco ACI, then Cisco AVS CoS cannot be preserved.
- If the downlink interface is a Cisco Fabric Extender (FEX) port, then CoS in general cannot be preserved.
Forwarding Scale Profile Policy The forwarding scale profile policy feature enables you to choose between dual stack (the default profile) and IPv4 scale. A forwarding scale profile policy that is set to dual stack provides scalability of up to 12K endpoints for IPv6 configurations and up to 24K endpoints for IPv4 configurations. The IPv4 scale option enables systems with no IPv6 configurations to increase scalability with up to 48K IPv4 endpoints. The IPv4 option also increases the LPM scale up to 38K.
For more information, see the Cisco APIC Forwarding Scale Profile Policy document.
The IPv4 scale option is supported only on LSE platforms.
Switches that support the IPv4 scale profile policy will reload after the IPv4 scale profile policy is applied. Switches that do not support the IPv4 scale profile policy will be ignored.
For a list of supported switches, see the Cisco APIC Forwarding Scale Profile Policy document.
Cisco Tetration Analytics support on the Cisco N9K-C9348GC-FXP switch Cisco Tetration Analytics telemetry is now supported on the Cisco N9K-C9348GC-FXP switch. None.

2.3(1)

Feature Description Guidelines and Restrictions
Encapsulation Scope for SVI across Layer 3 Networks By default, the transit VLAN is different for each Layer 3 Out. You can now reduce the transit VLAN consumption by choosing an encapsulation scope setting such that the transit VLAN remains the same in all Layer 3 Outs in the same VRF instance for a given VLAN encapsulation in an SVI interface.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
None.
Symmetric Ether-channel hashing Symmetric Ether-channel hashing is now supported on the following switches:
- N9K-93108TC-FX
- N9K-93108YC-FX
- N9K-93180YC-EX
- N9K-C93108TC-EX
- N9K-C93180LC-EX
The following are restrictions for Symmetric Ether-channel hashing:
- Supported only for unicast IPv4/IPv6 data packets.
- Not supported on VPC.
- N9K-C93180YC-EX, N9K-C93108TC-EX, 9348GC-FXP, 93108TC-FX, and 93180YC-FX TORs support only one symmetric hashing configuration.
- Not supported on Cisco Nexus 2000 Series Fabric Extenders.
802.1Q tunnel core port functionality You can configure multiple 802.1Q tunnels on the same core port to carry double-tagged traffic from multiple customers, each distinguished with an access encapsulation configured for each 802.1Q tunnel. You can also disable MAC Address Learning on 802.1Q tunnels. Both edge ports and core ports can belong to an 802.1Q tunnel with access encapsulation and disabled MAC Address Learning. Both edge ports and core ports in Dot1q Tunnels are supported on third-generation Cisco Nexus 9000 series switches with FX on the end of the switch model name. None.
Hot Standby Router Protocol (HSRP) support – FX Support for HSRP is enabled on FX platforms. None.
DHCP Relay for Layer 3 (L3) Out Consumer This is an extension of the existing Tenant DHCP relay feature. With this new extension, you can now configure a L3 Port (ext-svi/sub-if/routed) as a DHCP relay interface. None.
Netflow on 9348GC-FXP, 93108TC-FX, and 93180YC-FX ToR switches The feature enables you to perform Netflow monitoring of the traffic flowing through the Cisco Application Centric Infrastructure (Cisco ACI) fabric.
Support is enabled in FX platforms.
None.
CDP on FEX support on 9348GC-FXP, 93108TC-FX, and 93180YC-FX ToR switches This feature enables Cisco Discovery Protocol (CDP) support on FEX connected to FX Platform switches. None.
Fibre Channel over Ethernet (FCOE) FEX support – FX This feature enables FCOE support on FEX connected to FX Platform switches. None.
Stretched Switched Virtual Interface (SVI) for Multipod (MPOD) This feature enables support for an L3 out-SVI to be configured (stretched) on Border leaf switches across multiple PODs in a Cisco ACI MPOD topology. Supported only on EX and FX platforms. None.
Reflective Relay (802.1Qbg) Reflective relay transfers switching for virtual machines out of the host server to an external network switch. This feature provides connectivity between virtual machines on the same physical server and the rest of the network. It allows policies that you configure on the Cisco APIC to apply to traffic between the virtual machines on the same server. Reflective relay is supported on physical ports, port channels (PCs), and virtual port channels (VPCs) on physical domains, only.
Reflective relay is supported on Cisco Nexus 9000 series switches with EX or FX at the end of the model name.
Cisco Fabric Extender (FEX) and blade servers are not supported.
Filtering for Virtual Machines Using More than one Attribute You can now filter for virtual machines by specifying more than one attribute. None.
Matching Attributes for a Microsegment EPG While Filtering for Virtual Machines You can now match any attribute or all attributes for a microsegment (uSeg) EPG while filtering for virtual machines. You cannot match all attributes when filtering for network-based attributes.
See the chapter “Microsegmentation with Cisco ACI” in the Cisco ACI Virtualization Guide.
Creating Block Statements When Defining Attributes for a uSeg EPG You can now create block statements when defining attributes for a uSeg EPG, enabling you to create precise multilevel filtering rules. You cannot have more than two sublevels within a block statement.
See the chapter “Microsegmentation with Cisco ACI” in the Cisco ACI Virtualization Guide.
EPG Match Precedence The EPG match precedence option enables you to override the default precedence rules when filtering for virtual machine-based attributes. EPG match precedence is not supported for network-based attributes.
Virtual Machine-Based Tag Attribute The virtual machine-based tag attribute enables you to define an attribute based on criteria that is not defined in other attributes. You must add the tag in VMware vCenter before you define a tag attribute for a uSeg EPG.
See the chapter “Microsegmentation with Cisco ACI” in the Cisco ACI Virtualization Guide.
Control Plane Policing Protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery. None.
Traffic storm control unicast/multicast differentiation You can now configure storm control on each traffic type separately. Traffic storm control unicast/multicast differentiation is not supported on Cisco Nexus C93128TX, C9396PX, C9396TX, C93120TX, C9332PQ, C9372PX, C9372TX, C9372PX-E, or C9372TX-E switches.
Support for Deny Prefix Denying context rules for specific routes is now supported. None.
FIPS for Switches This release adds support for FIPS at the switch level. None.
CORS HTTP Access Control Sets the Access-Control-Allow-Credentials header in the web server responses. None.
Data Plane/Port Security Timeout Configuring delay time before MAC-learning is re-enabled is supported. None.
Cisco APIC Quota Management Starting in the Cisco Application Policy Infrastructure Controller (APIC) Release 2.3(1), an admin can configure limits on the number of objects that a tenant admin can configure. This enables the admin to limit which managed objects can be added under a given tenant or globally across tenants.
See the Cisco APIC Quota Management Configuration knowledge base article.
None.
Contract Inheritance To streamline associating contracts to new EPGs, you can now enable an EPG to inherit all the (provided/consumed) contracts associated directly to another EPG in the same tenant. Contract inheritance can be configured for application, microsegmented, L2Out, and L3Out EPGs. Any changes you make to the EPG contract master’s contracts are received by the inheriting EPG. For more information, see “Basic User Tenant Configuration” in the Cisco APIC Basic Configuration Guide. None.
OpFlex Client Identity Detection To deploy GOLF or Linux Opflex clients in an environment where the identity of the client cannot be guaranteed by the network, you can now dynamically validate the client’s identity based on a client certificate. When you enable certificate enforcement, connectivity is disabled with any GOLF or Linux OpFlex client that does not support client authentication.
Cisco Tetration Analytics support on the Cisco N9K-93180YC-FX, N9K-93108TC-FX switches Cisco Tetration Analytics telemetry is now supported on the Cisco N9K-93180YC-FX, N9K-93108TC-FX switches. None.

2.2(4)

There are no new software features in this release.

2.2(3)

Feature Description Guidelines and Restrictions
SVI Auto State The default auto state behavior for SVI in Cisco APIC is that the SVI remains in the up state when the auto state value is disabled. This means that the SVI remains active even if no interfaces are operational in the corresponding VLANs. If the SVI auto state value is changed to enabled, then the SVI state depends on the port members in the associated VLANs. When a VLAN interface has multiple ports in the VLAN, the SVI goes to the down state when all of the ports in the VLAN go down. None.
Policy-Based Redirect and Tracking Service Nodes Policy-based redirect (PBR) feature now supports tracking service nodes. Both IPv4 and IPv6 addresses can be configured at the same time. None.
IP SLA Monitoring Switches internally use the Cisco IP SLA monitoring feature to support PBR tracking. None.

2.2(2)

Feature Description Guidelines and Restrictions
Enforce Subnet Check Global Knob Enabling the Enforce Subnet Check Global knob implicitly enforces subnet check at BD (configured BD subnets) for local IP learns and VRF (configured subnets under VRF) for Remote IP learns.
Note:
When enabling the knob, the following one-time operations are done in the Cisco ACI fabric:
- Flush all remote IPs in the fabric
- Flush all IPs outside the BD subnets for local learns
None.
BGP Timers per Layer 3 Out BGP timers can be defined and associated on a per VRF per node basis. None.
Layer 3 Out to Layer 3 Out Inter-VRF Leaking Shared Layer 3 Outs in different VRFs can communicate with each other using a contract. None.
Multiple BGP Communities Assigned per Route Prefix Multiple BGP communities can now be assigned per route prefix using the BGP protocol. None.
VMware vCenter 6.5 support for VMware VDS and Cisco AVS Beginning in this APIC release and in Cisco AVS Release 5.3(1)SV3(3.2), VMware VDS and Cisco AVS are supported in VMware vCenter 6.5. None.
Audit Fault Correlation Cisco APIC can exclude acknowledged faults (faults that can safely be ignored) from the health score evaluation, so that they do not degrade the health score. You can modify the health score evaluation policy based on the penalty of the health score at the fault severity level. For more information about health score, see the Cisco Application Centric Infrastructure Best Practices Guide at the following location:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices.html
None.
Simplified Service Graph Integration with Windows Azure Pack Windows Azure Pack Service Graph Integration-Windows Azure Pack service graph integration enables you to automate the creation of service graph and to deploy services to Windows Azure Pack tenants. This feature also supports NAT integration, which enables tenant VRFs with private subnets to communicate with external networks. For more information, see the Cisco ACI Virtualization Guide, Release 2.2(1).
Windows Azure Pack Shared Services across Tenant VRFs-With this feature, tenants are responsible for ensuring that subnets are unique if the subnets are used for shared services across VRFs. If the shared service consumer is in a different VRF than the provider, route leaking between the VRFs automatically occurs to enable the communication. For more information, see the Cisco ACI Virtualization Guide, Release 2.2(1).
None.
VMware vCenter Plug-in Support for Cisco AVS Installation and Upgrade Beginning with Cisco AVS Release 5.2(1)SV3(3.1), you can install, uninstall, upgrade, and downgrade Cisco AVS using the VMware vCenter plug-in. None.
ACI App Center Beginning with Cisco APIC release 2.2(2), five levels of the Hierarchical Data Format (HDF) for API are supported. None.
Enable/Disable Remote IP Endpoint Learning With this release, you can enable or disable remote IP endpoint learning on VRFs with at least one interface (external SVI or external Layer 3 interface) and ingress policy enforcement enabled. The scope of this policy is fabric-wide. After configuration, the policy is pushed to each leaf switch as it comes up. Previously learned remote IP endpoints are flushed.
Note: Consult with your Technical Support representative before using this configuration option.
You should enable this policy in fabrics which include the Cisco Nexus 93128 TX, 9396 PX, or 9396 TX switches with the N9K-M12PQ uplink module, after all the nodes have been successfully upgraded to APIC Release 2.2(2e). When remote IP endpoint learning is disabled, and you make either of the following configuration changes, you may need to manually flush previously learned IP endpoints:
- You configure the VRF for ingress policy enforcement
- You add one Layer 3 interface in the VRF
To manually flush previously learned IP endpoints, enter the following command on both VPC peers:
vsh -c "clear system internal epm endpoint vrf <vrf-name> remote"
None.
Maximum Transmission Unit (MTU) With this release, you can create a Control Plane (CP) MTU policy that sets the global MTU size for control plane packets sent by the nodes (APIC and the switches) in the fabric.
In a multipod topology, the MTU setting for the fabric external ports must be greater than or equal to the CP MTU value set. Otherwise, the fabric external ports might drop the CP MTU packets.
If you change the Inter-Pod Network (IPN) or CP MTU, Cisco recommends changing the CP MTU value first, then changing the MTU value on the spine of the remote pod. This reduces the risk of losing connectivity between the pods due to MTU mismatch.
None.
Layer 4 to Layer 7 Service Graph Support for Virtual Appliances on an SCVMM Domain During Layer 4 to Layer 7 service graph deployment, a Cisco APIC automatically creates port groups for virtual appliances and updates the vNICs of the virtual appliance. In previous releases, this capability was supported only on a VMware VMM domain. In this release, this capability is also supported on a Microsoft SCVMM domain. The virtual appliance must be running on VMware ESXi that uses a Cisco ACI vDS, or on Microsoft Hyper-V with a Cisco ACI logical switch.
Fibre Channel over Ethernet support on N9K-C93180YC-FX and N9K-C93108TC-FX switches Fibre Channel over Ethernet (FCoE) is now supported on the Cisco Nexus C93180YC-FX and C93108TC-FX switches. None.
Cisco Tetration Analytics support on the Cisco N9K-93180YC-EX, N9K-93108TC-EX, and N9K-93180LC-EX switches Cisco Tetration Analytics telemetry is now supported on the following Cisco switches:
- Cisco N9K-93180YC-EX
- Cisco N9K-93108TC-EX
- Cisco N9K-93180LC-EX
None.

2.2(1)

Feature Description Guidelines and Restrictions
802.1Q Tunnels You can configure 802.1Q tunnels to enable point-to-multi-point tunneling of Ethernet frames in the fabric, with Quality of Service (QoS) priority settings.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
For the guidelines and restrictions of this feature, see the Cisco APIC Layer 2 Networking Configuration Guide.
Breakout Ports With this release, you can break out a 40 Gigabit Ethernet (GE) leaf switch port to connect four 10-GE-capable (downlink) devices using Cisco 40-Gigabit to 4X10-Gigabit breakout cables.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
This feature is supported only on the access facing ports of the N9K-C9332PQ switch.
Cisco ACI App Center The Cisco ACI App Center allows you to enable the capabilities of the Cisco APIC fully by writing applications that are running on the controller. Using the Cisco ACI App Center, customers, developers, and partners can build applications to simplify, enhance, and visualize their use cases. These applications are hosted and shared at the Cisco ACI App Center and installed in the Cisco APIC.
For more information, see the Cisco ACI App Center Developer Guide.
None.
HSRP Support HSRP is a first-hop redundancy protocol (FHRP) that allows a transparent failover of the first-hop IP router. HSRP provides first-hop routing redundancy for IP hosts on Ethernet networks configured with a default router IP address. You use HSRP in a group of routers for selecting an active router and a standby router. In a group of routers, the active router is the router that routes packets, and the standby router is the router that takes over when the active router fails or when preset conditions are met.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
For the guidelines and restrictions of this feature, see the Cisco APIC Layer 3 Networking Configuration Guide.
Cisco APIC High Availability Standby The high availability functionality for an APIC cluster enables you to operate the APICs in a cluster in an active/standby mode. In an APIC cluster, the designated active APICs share the load and the designated standby APICs can act as a replacement for any of the APICs in an active cluster.
For more information, see the Cisco APIC Management, Installation, Upgrade, and Downgrade Guide.
An admin user can set up the high availability functionality when the APIC is launched for the first time. We recommend that you have at least 3 active APICs in a cluster, and one or more standby APICs. An admin user must initiate the switch over to replace an active APIC with a standby APIC.
Contract Preferred Groups Support is added for contract preferred groups that enable greater control of communication between EPGs in a VRF. If most of the EPGs in the VRF should have open communication, but a few should only have limited communication with the other EPGs, you can configure a combination of a contract preferred group and contracts with filters to control communication precisely. None.
ICMP and UDP Flow Logging for Distributed Firewall Beginning with Cisco AVS release 5.2(1)SV3(2.8), Cisco AVS monitors ICMP and UDP flows as well as TCP flows by default when you enable Distributed Firewall. However, Cisco AVS does not deny ICMP and UDP flows as it does TCP flows.
For more information, see the Distributed Firewall section of the Cisco AVS chapter of the Cisco ACI Virtualization Guide, Release 2.2(1) and the Cisco AVS Troubleshooting Guide.
None.
NetFlow The NetFlow technology provides the metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, as well as denial of services monitoring, network monitoring, outbound marketing, and data mining for both service providers and enterprise customers. Cisco provides a set of NetFlow applications to collect NetFlow export data, perform data volume reduction, perform post-processing, and provide end-user applications with easy access to NetFlow data. If you have enabled NetFlow monitoring of the traffic flowing through your datacenters, this feature enables you to perform the same level of monitoring of the traffic flowing through the Cisco ACI fabric.
For more information, see the Cisco ACI Virtualization Guide, Release 2.2(1).
This feature is supported only on EX switches.
For additional limitations, see the Cisco APIC and NetFlow document.
RBAC Change Remote User Role Remote users can now request a role change.
For more information, see the Cisco ACI AAA RBAC Rules and Privileges document.
None.
Support for FCoE Configuration over FEX Ports You can now configure FCoE over FEX ports.
For more information, see the Cisco APIC Basic Configuration Guide, Release 2.2(1).
None.

2.1(4)

Feature Description Guidelines and Restrictions
Support for third-party Micron Solid State Drive (SSD) firmware auto update During the boot-up sequence, the SSD firmware is checked and, if needed, updated to the firmware version recommended by Micron. None.

2.1(3)

Feature Description Guidelines and Restrictions
Support for third-party Micron Solid State Drive (SSD) firmware auto update During the boot-up sequence, the SSD firmware is checked and, if needed, updated to the firmware version recommended by Micron. None.

2.1(2)

This release supports no new software features.

2.1(1)

Feature Description Guidelines and Restrictions
64-Way ECMP 64-way ECMP can be enabled on external links for the following switches:
- N9K-X9736C-EX
- N9K-X9732C-EX
- N9K-C9504-FM-E
- N9K-C9508-FM-E
None.
ACI Security Microsegmentation Closed Loop Feedback Solution with FirePOWER NGIPS for AVS, vDS, and Bare-Metal Workloads The FirePOWER Next-Generation Intrusion Prevention System (NGIPS) can be used for vulnerability detection, which then performs automatic microsegmentation of rogue endpoints in ACI fabric for Cisco Application Virtual Switch (AVS), VMware vSphere Distributed Switch (VDS), and Bare-Metal workloads. In the case of dynamic EPG deployment of ACI with DVS, this feature will only work on 9300-EX switches. This is because microsegmentation is only supported for DVS on 9300-EX switches. The host and virtual machine, which are the source of an external attack, must be connected to a 9300-EX switch.
Advertising EVPN Type 2 Host Routes For optimal traffic forwarding in an EVPN topology, you can enable fabric spines to advertise host routes using EVPN type 2 (MAC-IP) routes to the DCIG along with public bridge domain subnets in the form of BGP EVPN type 5 (IP prefix) routes. None.
Contract Permit Logging Support for Multipod The contract permit logging feature is now supported with multipod. This feature is supported only on 9300-EX switches.
Copy Services Support for Multipod The copy services feature is now supported with multipod. This feature is supported only on 9300-EX switches.
Explicit Prefix List Support for Route Maps/Profile Enhancement In the APIC, for public bridge domain subnets and external transit networks, inbound and outbound route controls are provided through an explicit prefix list. An explicit prefix list presents an alternate method of usage and is defined through a new match type that is called the “match route destination” (rtctrlMatchRtDest). The explicit prefix list is used for advertising bridge domain subnets through the bridge domain to the Layer 3 Outside relation and specifying a subnet in the l3extInstP with export/import route control for advertising transit and external networks.
None.
Federal Information Processing Standards Support The APIC can be configured to use the Federal Information Processing Standards (FIPS) for cryptography. None.
Global Toggling Between In-band Management and Out-of-band Management A global toggle is implemented between in-band management connectivity and out-of-band management connectivity as the default connectivity mode between the APIC server and management devices external to the ACI fabric. None.
IGMP Snooping The APIC provides support for the following IGMP-related features:
- Static port group implementation—IGMP static port grouping enables you to pre-provision ports that are already statically-assigned to an application EPG as the switch ports to receive and process IGMP multicast traffic. This pre-provisioning prevents the flooding of all ports on a bridge domain with Layer 2 multicast traffic.
- Access group configuration for application EPGs—An access-group is used to control what streams can be joined behind a given port.
For more information, see the Cisco APIC Layer 3 Networking Configuration Guide.
Static group membership can be pre-provisioned only on static ports assigned to an application EPG.
For access groups, only route-map-based access groups are allowed.
IP Address-Based Microsegmented Endpoint Groups Configured as Shared Services IP address-based microsegmented endpoint groups can be configured as shared services, accessible by devices located on VRFs other than the one on which the endpoint group is located. This configuration can only be applied to unicast IP addresses with a 32-bit netmask. For example: 125.125.125.111/32.
IP Aging This feature tracks and ages unused IPs on an endpoint. For more information, see the Cisco APIC Layer 3 Networking Configuration Guide. None.
Layer 3 Multicast Support for Multipod Layer 3 multicast is now supported with multipod. For more information, see the Cisco APIC Layer 3 Networking Configuration Guide. None.
Network-Based Microsegmented Endpoint Group Support on Bare-Metal Environments Configuration of microsegmented endpoint groups based on MAC address or IP address attributes is now supported on physical as well as virtual environments. None.
Policy-Based Redirect Support for Multipod The policy-based redirect feature is now supported with multipod. None.
Port Security Support The port security feature is now supported on the 9300-EX switches. None.
Translating QoS Ingress Markings to Egress Markings The APIC enables translating the 802.1P Class of Service (CoS) field based on the ingress DSCP value. This functionality enables the ACI fabric to classify the traffic for devices that classify the traffic based only on the CoS value. The functionality also allows you to derive the dot1P CoS field based on the ingress dot1P value.
Trunk Port Group Trunk port groups can be used to aggregate the traffic of endpoint groups. For more information, see the Cisco ACI Virtualization Guide, Release 2.1(1) and Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 2.1(1). Supported only under a VMware domain.
User-Identity Microsegmentation with FirePOWER and ACI for Secure VDI You can now have a secure VDI deployment based on user-identity microsegmentation using FirePOWER and Active Directory integration. The solution works by applying an NAC policy to provide secure access to endpoints in a server endpoint group within the ACI fabric. None.
Windows Azure Pack Enhancements In the Windows Azure Pack tenant portal GUI, you can now add and provide a new context name while creating a bridge domain.
In the Windows Azure Pack tenant portal GUI for a virtual private cloud (VPC) plan, the tenant can now delete a context.
For more information, see the Cisco ACI Virtualization Guide, Release 2.1(1).
None.

2.0(2)

Feature Description Guidelines and Restrictions
Auto Route Target for Layer 3 eVPN Services over Fabric WAN When creating a routed outside for eVPN, you can now choose “automatic” for the route target type. This feature implements automatic BGP route-target filtering on VRFs associated with this routed outside configuration. None.
Mis-cabling Protocol Enhancement A new Mis-cabling Protocol (MCP) configuration mode allows you to configure MCP to operate in a mode in which MCP PDUs are sent in all endpoint group VLANs to which a physical port belongs. For more information, see the Cisco Application Centric Infrastructure Fundamentals document. None.
Multiple L3Outs in Multipods Starting with the 2.0(2) release, one infra L3Out per POD is supported. Each POD can have one infra L3Out with a different OSPF area ID assigned to it. None.
Multipod QoS Support for preserving CoS and DSCP settings was added for multipod topologies. For more information, see the Cisco APIC and Multipod QoS document. None.
Proxy ARP Proxy ARP enables endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. Proxy ARP is aware of the location of the traffic destination, and offers its own MAC address as the final destination instead.
For more information, see the Cisco APIC Layer 2 Networking Configuration Guide.
None.
Syslog in NX-OS-Style CLI Format You can change the default display of syslogs to NX-OS-style CLI format. By default the syslog format is RFC 5424 compliant. For more information, see the Cisco APIC Troubleshooting Guide. None.
Tetration Image Download You can download the Cisco Tetration Analytics sensor software for installation on the switches in the APIC cluster. None.

2.0(1)

Feature Description Guidelines and Restrictions
ACI vCenter Plugin for VMware vSphere Web Client The Cisco ACI vCenter plugin is a user interface that allows you to manage the ACI fabric from within the vSphere Web client.
For more information, see the Cisco ACI Virtualization Guide.
Only VMware vSphere Web Client 5.5 and later is supported.
AVS Health Status Cisco ACI reports errors that occur on nodes in the fabric to the Cisco APIC as an aid to troubleshooting. Cisco AVS faults are now reported as well as faults for leaf and spine switches in the ACI fabric. None.
BGP Limit on the Maximum Autonomous System Numbers A control knob was added to the BGP timers policy that discards BGP routes that have a number of autonomous system path segments that exceed the specified limit. None.
Contract Permit Logging You can enable and view contract Layer 2 and Layer 3 permit log data to troubleshoot packets and flows that were allowed to be sent through contract permit rules. You can also enable and view taboo contract Layer 2 and Layer 3 logs for packets and flows that were dropped due to taboo contract deny rules. This feature is supported only on 9300-EX switches.
COOP Authentication COOP data path communication provides high priority transport using secured connections. COOP is enhanced to leverage the MD5 option to protect COOP messages from malicious traffic injection. The APIC controller and switches support COOP protocol authentication. None.
Copy Services Unlike SPAN, which duplicates all the traffic, the Cisco Application Centric Infrastructure (ACI) contract copy feature enables selectively copying portions of the traffic between endpoint groups, according to the specifications of the contract. Broadcast, unknown unicast and multicast (BUM), and control plane traffic that are not covered by the contract are not copied. SPAN copies everything out of endpoint groups, access ports or uplink ports. Unlike SPAN, copy contracts do not add headers to the copied traffic. Copy contract traffic is managed internally in the switch to minimize impact on normal traffic forwarding.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
This feature is supported only on 9300-EX switches.
Difference Between Local Time and Unified Cluster Time This value is the calculated time difference, in milliseconds, between local time and unified cluster time.
Unified cluster time is an internal time that is used to time stamp changes within the cluster fabric. Unified cluster time is synchronized internally and cannot be changed by the user, and is used to identify the sequence of changes across different cluster nodes. Unified cluster time can be significantly different than the system time. The difference between local time and unified cluster time can be either a negative or positive value, which indicates whether the local time is ahead of or behind the unified cluster time.
None.
Digital Optical Monitoring In this release, you can enable and view digital optical monitoring (DOM) statistics to troubleshoot physical optical interfaces (on transceivers) for both leaf and spine nodes. The statistics include the number of alerts, Tx fault count, and Rx loss count, as well as the value and thresholds for temperature, voltage, electrical current, optical Tx power, and optical Rx power for the interface. None.
Distributed Firewall Permit Logging Cisco AVS now reports the flows that are permitted by Distributed Firewall to the system log (syslog) as well as flows that are denied. You can configure parameters for the flows in the CLI or REST API to assist with auditing network security. None.
EPG Delimiter When creating a vCenter domain or SCVMM domain, you can now specify a delimiter to use with the VMware port group name.
For more information, see the Cisco ACI Virtualization Guide.
None.
EPG Deployment Through AEP Attached entity profiles can be associated directly with application EPGs, which deploys the associated application EPGs to all of the ports that are associated with the attached entity profile. None.
FCoE N-Port Virtualization support ACI 2.0(1) supports Fibre Channel over Ethernet (FCoE) traffic through direct connections between hosts and F port-enabled interfaces and direct connections between the FCF device and an NP port-enabled interface on ACI leaf switches. This feature is supported only on 9300-EX switches.
FCoE host-to-F port or FEX-to-NP port connections through intervening FEX devices are not supported.
Static endpoints for an FCoE end host are not supported.
IGMP Snoop Policy Disable The IGMP snoop policy now supports the adminSt parameter, which can be used to disable IGMP snooping on ACI. None.
Layer 3 EVPN Services Over Fabric WAN The Layer 3 EVPN services over fabric WAN feature enables much more efficient and scalable ACI fabric WAN connectivity. It uses the BGP EVPN protocol over OSPF for WAN routers that are connected to spine switches. This feature is not supported on 9300-EX switches.
You cannot use this feature with the multipod feature.
Only a single Layer 3 EVPN Services Over Fabric WAN provider policy can be deployed on spine switch interfaces for the whole fabric.
Layer 3 Multicast Cisco APIC supports the Layer 3 multicast feature with multicast routing enabled using the Protocol Independent Multicast (PIM) protocol. Layer 3 multicast supports Any Source Multicast (ASM) and Source-Specific Multicast (SSM). This feature is supported only on 9300-EX switches.
Multipod Support Multipod enables provisioning a more fault tolerant fabric comprised of multiple pods with isolated control plane protocols. Also, multipod provides more flexibility with regard to the full mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, multipod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches. This feature is not supported on 9300-EX switches.
You cannot use this feature with the Layer 3 EVPN services over fabric WAN feature.
OSPF Inbound Route Controls Support is added for inbound route controls in Layer 3 Outside tenant networks, using OSPF. This includes aggregate import route controls using OSPF. None.
Policy-Based Redirect Cisco Application Centric Infrastructure (ACI) policy-based redirect (PBR) enables provisioning service appliances such as firewalls or load balancers as managed or unmanaged nodes without needing a Layer 4 to Layer 7 package. Typical use cases include provisioning service appliances that can be pooled, tailored to application profiles, scaled easily, and have reduced exposure to service outages. PBR simplifies the deployment of service appliances by enabling the provisioning consumer and provider endpoint groups all to be in the same VRF instance.
For more information, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.
None.
Port Security The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. This feature support is available for physical ports, port channels, and virtual port channels. This feature is not supported on 9300-EX switches.
Support for Multiple vCenters per Fabric You can now have 50 vCenters per fabric. None.
VMware vRealize Integration Enhancements vRealize 7.0 and the vCenter plugin are now supported.
The following blueprints are now supported:
- Generate and Add Certificate to APIC
- Add FW to Tenant Network - VPC Plan
For more information, see the Cisco ACI Virtualization Guide.
None.
vRealize Support for AVS Cisco AVS is now supported in VMware's products vRealize Automation (vRA) and vRealize Orchestrator (vRO), parts of the VMware vRealize Suite for building and managing multivendor hybrid cloud environments. None.