Cisco Application Policy Infrastructure Controller Release Notes, Release 3.2(10)
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- US/Canada 800-553-2447
- Worldwide Support Phone Numbers
- All Tools
Feedback
Feedback
Introduction
The Cisco Application Centric Infrastructure (ACI) is an architecture that allows the application to define the networking requirements in a programmatic way. This architecture simplifies, optimizes, and accelerates the entire application deployment lifecycle. Cisco Application Policy Infrastructure Controller (APIC) is the software, or operating system, that acts as the controller.
This document describes the features, issues, and limitations for the Cisco APIC software. For the features, issues, and limitations for the Cisco NX-OS software for the Cisco Nexus 9000 series switches, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).
For more information about this product, see "Related Content."
| Date |
Description |
| May 1, 2024 |
In the Miscellaneous Compatibility Information section, removed the older CIMC releases to reduce the clutter. |
| August 1, 2022 |
In the Miscellaneous Compatibility Information section, added:
● 4.2(2a) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(2k) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)
|
| July 8, 2022 |
Release 3.2(10g) became available; there are no changes to this document for this release. See the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10) for the changes in this release. |
| April 4, 2022 |
In the Open Issues section, added bug CSCvy47145. |
| March 21, 2022 |
In the Miscellaneous Compatibility Information section, added:
● 4.1(3f) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
|
| February 23, 2022 |
In the Miscellaneous Compatibility Information section, added:
● 4.1(2g) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)
|
| November 2, 2021 |
In the Miscellaneous Compatibility Information section, added:
● 4.1(3d) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
|
| August 6, 2021 |
Release 3.2(10f) became available. Added a resolved issue for this release. |
| August 4, 2021 |
In the Open Issues section, added bug CSCvy30453. |
| July 26, 2021 |
In the Miscellaneous Compatibility Information section, the CIMC 4.1(3c) release is now recommended for UCS C220/C240 M5 (APIC-L3/M3). |
| March 11, 2021 |
In the Miscellaneous Compatibility Information section, for CIMC HUU ISO, added:
● 4.1(3b) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
Changed:
● 4.1(2b) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2) and M5 (APIC-L3/M3)
To:
● 4.1(2b) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2
|
| February 27, 2021 |
Release 3.2(10e) became available. |
| Feature |
Description |
| N/A |
There are no new features in this release. |
For the new hardware features, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).
Changes in Behavior
For the changes in behavior, see the Cisco ACI Releases Changes in Behavior document.
Open Issues
Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 3.2(10) releases in which the bug exists. A bug might also exist in releases other than the 3.2(10) releases.
| Bug ID |
Description |
Exists in |
| CDP is not enabled on the management interfaces for the leaf switches and spine switches. |
3.2(10e) and later |
|
| The stats for a given leaf switch rule cannot be viewed if a rule is double-clicked. |
3.2(10e) and later |
|
| The Port ID LLDP Neighbors panel displays the port ID when the interface does not have a description. Example: Ethernet 1/5, but if the interface has description, the Port ID property shows the Interface description instead of the port ID. |
3.2(10e) and later |
|
| A service cannot be reached by using the APIC out-of-band management that exists within the 172.17.0.0/16 subnet. |
3.2(10e) and later |
|
| This enhancement is to change the name of "Limit IP Learning To Subnet" under the bridge domains to be more self-explanatory. Original : Limit IP Learning To Subnet: [check box] Suggestion : Limit Local IP Learning To BD/EPG Subnet(s): [check box] |
3.2(10e) and later |
|
| A tenant's flows/packets information cannot be exported. |
3.2(10e) and later |
|
| Requesting an enhancement to allow exporting a contract by right clicking the contract itself and choosing "Export Contract" from the right click context menu. The current implementation of needing to right click the Contract folder hierarchy to export a contract is not intuitive. |
3.2(10e) and later |
|
| When configuring an L3Out under a user tenant that is associated with a VRF instance that is under the common tenant, a customized BGP timer policy that is attached to the VRF instance is not applied to the L3Out (BGP peer) in the user tenant. |
3.2(10e) and later |
|
| For strict security requirements, customers require custom certificates that have RSA key lengths of 3072 and 4096. |
3.2(10e) and later |
|
| This is an enhancement to allow for text-based banners for the Cisco APIC GUI login screen. |
3.2(10e) and later |
|
| For a client (browser or ssh client) that is using IPv6, the Cisco APIC aaaSessionLR audit log shows "0.0.0.0" or some bogus value. |
3.2(10e) and later |
|
| When a VRF table is configured to receive leaked external routes from multiple VRF tables, the Shared Route Control scope to specify the external routes to leak will be applied to all VRF tables. This results in an unintended external route leaking. This is an enhancement to ensure the Shared Route Control scope in each VRF table should be used to leak external routes only from the given VRF table. |
3.2(10e) and later |
|
| When authenticating with the Cisco APIC using ISE (TACACS), all logins over 31 characters fail. |
3.2(10e) and later |
|
| On modifying a service parameter, the Cisco APIC sends 2 posts to the backend. The first post deletes all of the folders and parameters. The second post adds all of the remaining modified folders and parameters to the backend. These 2 posts will disrupt the running traffic. |
3.2(10e) and later |
|
| The actrlRule is has the wrong destination. |
3.2(10e) and later |
|
| The connectivity filter configuration of an access policy group is deprecated and should be removed from GUI. |
3.2(10e) and later |
|
| There is no record of who acknowledged a fault in the Cisco APIC, nor when the acknowledgement occurred. |
3.2(10e) and later |
|
| The action named 'Launch SSH' is disabled when a user with read-only access logs into the Cisco APIC. |
3.2(10e) and later |
|
| Support for local user (admin) maximum tries and login delay configuration. |
3.2(10e) and later |
|
| There is a VLAN overlapping scenario. After configuring new static ports and a physical domain under an existing EPG, there is a Layer 2 loop. This issue is due to an FD VLAN encapsulation mismatch on two leaf switches. |
3.2(10e) and later |
|
| Permament License Reservation (PLR) fails after upgrading to a Cisco APIC 4.0 release. |
3.2(10e) and later |
|
| Fault delegates are raised on the Cisco APIC, but the original fault instance is already gone because the affected node has been removed from the fabric. |
3.2(10e) and later |
|
| Access policy resolutions reveal unexpected results due to the existence of connectivity filters that are hidden from the UI. Depending on the VLANs tied to the AEPs/domains, this can result in unexpected outages as VLANs are pulled and 'invalid path' faults are flagged. |
3.2(10e) and later |
|
| The Nginx process generates cores on the switches and the process will restart automatically. The core file from the switches gets collected and moved to the APIC, which drains the memory. You might need to remove the collected core files manually from the APIC to free up space. |
3.2(10e) and later |
|
| A leaf switch gets upgraded when a previously-configured maintenance policy is triggered. |
3.2(10e) and later |
|
| New port groups in VMware vCenter may be delayed when pushed from the Cisco APIC. |
3.2(10e) and later |
|
| Specific operating system and browser version combinations cannot be used to log in to the APIC GUI. Some browsers that are known to have this issue include (but might not be limited to) Google Chrome version 75.0.3770.90 and Apple Safari version 12.0.3 (13606.4.5.3.1). |
3.2(10e) and later |
|
| In a RedHat OpenStack platform deployment running the Cisco ACI Unified Neutron ML2 Plugin and with the CompHosts running OVS in VLAN mode, when toggling the resolution immediacy on the EPG<->VMM domain association (fvRsDomAtt.resImedcy) from Pre-Provision to On-Demand, the encap VLANs (vlanCktEp mo's) are NOT programmed on the leaf switches. This problem surfaces sporadically, meaning that it might take several resImedcy toggles between PreProv and OnDemand to reproduce the issue. |
3.2(10e) and later |
|
| Disabling dataplane learning is only required to support a policy-based redirect (PBR) use case on pre-"EX" leaf switches. There are few other reasons otherwise this feature should be disabled. There currently is no confirmation/warning of the potential impact that can be caused by disabling dataplane learning. |
3.2(10e) and later |
|
| When making a configuration change to an L3Out (such as contract removal or addition), the BGP peer flaps or the bgpPeerP object is deleted from the leaf switch. In the leaf switch policy-element traces, 'isClassic = 0, wasClassic =1' is set post-update from the Cisco APIC. |
3.2(10e) and later |
|
| A previously-working traffic is policy dropped after the subject is modified to have the "no stats" directive. |
3.2(10e) and later |
|
| This is an enhancement request for allowing DVS MTU to be configured from a VMM domain policy and be independent of fabricMTU. |
3.2(10e) and later |
|
| When configuring local SPAN in access mode using the GUI or CLI and then running the "show running-config monitor access session<session>" command, the output does not include all source span interfaces. |
3.2(10e) and later |
|
| vmmPLInf objects are created with epgKey's and DN's that have truncated EPG names ( truncated at "."). |
3.2(10e) and later |
|
| Descending option will not work for the Static Ports table. Even when the user clicks descending, the sort defaults to ascending. |
3.2(10e) and later |
|
| When using AVE with Cisco APIC, fault F0214 gets raised, but there is no noticeable impact on AVE operation: descr: Fault delegate: Operational issues detected for OpFlex device: ..., error: [Inventory not available on the node at this time] |
3.2(10e) and later |
|
| When trying to track an AVE endpoint IP address, running the "show endpoint ip x.x.x.x" command in the Cisco APIC CLI to see the IP address and checking the IP address on the EP endpoint in the GUI shows incorrect or multiple VPC names. |
3.2(10e) and later |
|
| There is a minor memory leak in svc_ifc_policydist when performing various tenant configuration removals and additions. |
3.2(10e) and later |
|
| Configuring a static endpoint through the Cisco APIC CLI fails with the following error: Error: Unable to process the query, result dataset is too big Command execution failed. |
3.2(10e) and later |
|
| When migrating an AVS VMM domain to Cisco ACI Virtual Edge, the Cisco ACI Virtual Edge that gets deployed is configured in VLAN mode rather than VXLAN Mode. Because of this, you will see faults for the EPGs with the following error message: "No valid encapsulation identifier allocated for the epg" |
3.2(10e) and later |
|
| While configuring a logical node profile in any L3Out, the static routes do not have a description. |
3.2(10e) and later |
|
| An error is raised while building an ACI container image because of a conflict with the /opt/ciscoaci-tripleo-heat-templates/tools/build_openstack_aci_containers.py package. |
3.2(10e) and later |
|
| An endpoint is unreachable from the leaf node because the static pervasive route (toward the remote bridge domain subnet) is missing. |
3.2(10e) and later |
|
| Randomly, the Cisco APIC GUI alert list shows an incorrect license expiry time.Sometimes it is correct, while at others times it is incorrect. |
3.2(10e) and later |
|
| For a DVS with a controller, if another controller is created in that DVS using the same host name, the following fault gets generated: "hostname or IP address conflicts same controller creating controller with same name DVS". |
3.2(10e) and later |
|
| When logging into the Cisco APIC using "apic#fallback\\user", the "Error: list index out of range" log message displays and the lastlogin command fails. There is no operational impact. |
3.2(10e) and later |
|
| In Cisco ACI Virtual Edge, there are faults related to VMNICs. On the Cisco ACI Virtual Edge domain, there are faults related to the HpNic, such as "Fault F2843 reported for AVE | Uplink portgroup marked as invalid". |
3.2(10e) and later |
|
| The plgnhandler process crashes on the Cisco APIC, which causes the cluster to enter a data layer partially diverged state. |
3.2(10e) and later |
|
| When physical domains and external routed domains are attached to a security domain, these domains are mapped as associated tenants instead of associated objects under Admin > AAA > security management > Security domains. |
3.2(10e) and later |
|
| A Cisco ACI leaf switch does not have MP-BGP route reflector peers in the output of "show bgp session vrf overlay-1". As a result, the switch is not able to install dynamic routes that are normally advertised by MP-BGP route reflectors. However, the spine switch route reflectors are configured in the affected leaf switch's pod, and pod policies have been correctly defined to deploy the route reflectors to the leaf switch. Additionally, the bgpPeer managed objects are missing from the leaf switch's local MIT. |
3.2(10e) and later |
|
| In a GOLF configuration, when an L3Out is deleted, the bridge domains stop getting advertised to the GOLF router even though another L3Out is still active. |
3.2(10e) and later |
|
| The CLI command "show interface x/x switchport" shows VLANs configured and allowed through a port. However, when going to the GUI under Fabric > Inventory > node_name > Interfaces > Physical Interfaces > Interface x/x > VLANs, the VLANs do not show. |
3.2(10e) and later |
|
| The tmpfs file system that is mounted on /data/log becomes 100% utilized. |
3.2(10e) and later |
|
| The policy manager (PM) may crash when use testapi to delete MO from policymgr db. |
3.2(10e) and later |
|
| The Cisco APIC PSU voltage and amperage values are zero. |
3.2(10e) and later |
|
| SNMP does not respond to GETs or sending traps on one or more Cisco APICs despite previously working properly. |
3.2(10e) and later |
|
| The policymgr DME process can crash because of an OOM issue, and there are many pcons.DelRef managed objects in the DB. |
3.2(10e) and later |
|
| The eventmgr database size may grow to be very large (up to 7GB). With that size, the Cisco APIC upgrade will take 1 hour for the Cisco APIC node that contains the eventmgr database. In rare cases, this could lead to a failed upgrade process, as it times out while working on the large database file of the specified controller. |
3.2(10e) and later |
|
| VPC protection created in prior to the 2.2(2e) release may not to recover the original virtual IP address after fabric ID recovery. Instead, some of vPC groups get a new vIP allocated, which does not get pushed to the leaf switch. The impact to the dataplane does not come until the leaf switch had a clean reboot/upgrade, because the rebooted leaf switch gets a new virtual IP that is not matched with a vPC peer. As a result, both sides bring down the virtual port channels, then the hosts behind the vPC become unreachable. |
3.2(10e) and later |
|
| Updating the interface policy group breaks LACP if eLACP is enabled on a VMM domain. If eLACP was enabled on the domain, Creating, updating, or removing an interface policy group with the VMM AEP deletes the basic LACP that is used by the domain. |
3.2(10e) and later |
|
| When migrating an EPG from one VRF table to a new VRF table, and the EPG keeps the contract relation with other EPGs in the original VRF table. Some bridge domain subnets in the original VRF table get leaked to the new VRF table due to the contract relation, even though the contract does not have the global scope and the bridge domain subnet is not configured as shared between VRF tables. The leaked static route is not deleted even if the contract relation is removed. |
3.2(10e) and later |
|
| The login history of local users is not updated in Admin > AAA > Users > (double click on local user) Operational > Session. |
3.2(10e) and later |
|
| In the Cisco APIC GUI, after removing the Fabric Policy Group from "System > Controllers > Controller Policies > show usage", the option to select the policy disappears, and there is no way in the GUI to re-add the policy. |
3.2(10e) and later |
|
| SSD lifetime can be exhausted prematurely if unused Standby slot exists |
3.2(10e) and later |
|
| The per feature container for techsupport "objectstore_debug_info" fails to collect on spines due to invalid filepath. Given filepath: more /debug/leaf/nginx/objstore*/mo | cat Correct filepath: more /debug/spine/nginx/objstore*/mo | cat TAC uses this file/data to collect information about excessive DME writes. |
3.2(10e) and later |
|
| The MD5 checksum for the downloaded Cisco APIC images is not verified before adding it to the image repository. |
3.2(10e) and later |
|
| AVE is not getting the VTEP IP address from the Cisco APIC. The logs show a "pending pool" and "no free leases". |
3.2(10e) and later |
|
| Protocol information is not shown in the GUI when a VRF table from the common tenant is being used in any user tenant. |
3.2(10e) and later |
|
| The following error is encountered when accessing the Infrastructure page in the ACI vCenter plugin after inputting vCenter credentials. "The Automation SDK is not authenticated" VMware vCenter plug-in is installed using powerCLI. The following log entry is also seen in vsphere_client_virgo.log on the VMware vCenter: /var/log/vmware/vsphere-client/log/vsphere_client_virgo.log [ERROR] http-bio-9090-exec-3314 com.cisco.aciPluginServices.core.Operation sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed |
3.2(10e) and later |
|
| A tunnel endpoint doesn't receive a DHCP lease. This occurs with a newly deployed or upgraded Cisco ACI Virtual Edge. |
3.2(10e) and later |
|
| When trying to assign a description to a FEX downlink/host port using the Config tab in the Cisco APIC GUI, the description will get applied to the GUI, but it will not propagate to the actual interface when queried using the CLI or GUI. |
3.2(10e) and later |
|
| For an EPG containing a static leaf node configuration, the Cisco APIC GUI returns the following error when clicking the health of Fabric Location: Invalid DN topology/pod-X/node-Y/local/svc-policyelem-id-0/ObservedEthIf, wrong rn prefix ObservedEthIf at position 63 |
3.2(10e) and later |
|
| There is a BootMgr memory leak on a standby Cisco APIC. If the BootMgr process crashes due to being out of memory, it continues to crash, but system will not be rebooted. After the standby Cisco APIC is rebooted by hand, such as by power cycling the host using CIMC, the login prompt of the Cisco APIC will be changed to localhost and you will not be able to log into the standby Cisco APIC. |
3.2(10e) and later |
|
| After a delete/add of a Cisco ACI-managed DVS, dynamic paths are not programmed on the leaf switch and the compRsDlPol managed object has a missing target. The tDn property references the old DVS OID instead of the latest value.# moquery -c compRsDlPol |
3.2(10e) and later |
|
| A leaf switch reloads due to an out-of-memory condition after changing the contract scope to global. |
3.2(10e) and later |
|
| For a Cisco ACI fabric that is configured with fabricId=1, if APIC3 is replaced from scratch with an incorrect fabricId of "2," APIC3's DHCPd will set the nodeRole property to "0" (unsupported) for all dhcpClient managed objects. This will be propagated to the appliance director process for all of the Cisco APICs. The process then stops sending the AV/FNV update for any unknown switch types (switches that are not spine nor leaf switches). In this scenario, commissioning/decommissioning of the Cisco APICs will not be propagated to the switches, which causes new Cisco APICs to be blocked out of the fabric. |
3.2(10e) and later |
|
| A leaf switch experiences an SDKHAL crash when a summary route is added that is a host IP address in the subnet instead of the actual subnet boundary. Example: 10.10.10.1/24 summary address is entered instead of 10.10.10.0/24. This summary route is added after a policy prefix for the actual subnet (10.10.10.0/24) is created. The SDK hal crash will also result in other DME/process crashes for ipfib, epmc, aclqos, and eltmc. A Cisco ACI leaf switch will install the subnet IP address as shown below, but it will not advertise this to the peer. A proper subnet is advertised to the peer router. 10.10.10.1/24, ubest/mbest: 1/0 *via , null0, [220/0], 00:02:38, ospf-default, discard, tag 4294967295 |
3.2(10e) and later |
|
| Installation fails with versions releases earlier than 3.2(10) if the SSD is larger than 490G. |
3.2(10e) and later |
Resolved Issues
| Bug ID |
Description |
Fixed in |
| Installation fails with versions releases earlier than 3.2(10) if the SSD is larger than 490G. |
3.2(10f) |
|
| Deleting a vPC does not clean up the allocated IP address from DHCPD DME. |
3.2(10e) |
|
| When the VTEP IP address is changed on Cisco ACI Virtual Edge, a new ODev object gets created, but the old ODev is not deleted and the old ODev becomes stale. Due to this, the endpoints are still shown under the stale ODev. As a result, the traffic is impacted for those endpoints that are under the stale ODev. Also, if a new Cisco ACI Virtual Edge comes up and happens to have the same VTEP IP address as the old ODev, the traffic will also be impacted behind the new Cisco ACI Virtual Edge. This is because the stale VTEP entry still exists on the leaf switch, and the leaf switch will reject the traffic saying "tunnel IP already exists" (bounce entry). |
3.2(10e) |
|
| Configuring a static endpoint through the Cisco APIC CLI fails with the following error: Error: Unable to process the query, result dataset is too big Command execution failed. |
3.2(10e) |
|
| The Cisco APIC cluster gets diverged. |
3.2(10e) |
|
| The plgnhandler process crashes on the Cisco APIC, which causes the cluster to enter a data layer partially diverged state. |
3.2(10e) |
|
| When the SSD file system (used by the Cisco APIC database) becomes read-only, the upgrade utility should catch such issues and abort the upgrade. This would allow the user to see the upgrade failure and triage the issue. Currently, upgrade utility continues the data conversion and eventually reboots, which causes all configurations to be lost. |
3.2(10e) |
|
| The VMM endpoint data plane verification function does not work well when a blade switch is in the middle. This might cause an unexpected DVS detach, or the VMM EPG VLAN might be removed on the leaf switch interface. |
3.2(10e) |
|
| After a Cisco APIC upgrade from a pre-4.0 release to a post-4.0 release, connectivity issues occur for devices behind Cisco Application Virtual Edge Switches running on VMWare. |
3.2(10e) |
|
| There is a potential traffic loss for a virtual machine that is migrated using the Encrypted vMotion functionality. |
3.2(10e) |
Known Issues
Click the bug ID to access the Bug Search tool and see additional information about the bug. The "Exists In" column of the table specifies the 3.2(10) releases in which the bug exists. A bug might also exist in releases other than the 3.2(10) releases.
| Bug ID |
Description |
Exists in |
| The Cisco APIC does not validate duplicate IP addresses that are assigned to two device clusters. The communication to devices or the configuration of service devices might be affected. |
3.2(10e) and later |
|
| In some of the 5-minute statistics data, the count of ten-second samples is 29 instead of 30. |
3.2(10e) and later |
|
| The node ID policy can be replicated from an old appliance that is decommissioned when it joins a cluster. |
3.2(10e) and later |
|
| The DSCP value specified on an external endpoint group does not take effect on the filter rules on the leaf switch. |
3.2(10e) and later |
|
| The hostname resolution of the syslog server fails on leaf and spine switches over in-band connectivity. |
3.2(10e) and later |
|
| Following a FEX or switch reload, configured interface tags are no longer configured correctly. |
3.2(10e) and later |
|
| Switches can be downgraded to a 1.0(1) version if the imported configuration consists of a firmware policy with a desired version set to 1.0(1). |
3.2(10e) and later |
|
| If the Cisco APIC is rebooted using the CIMC power reboot, the system enters into fsck due to a corrupted disk. |
3.2(10e) and later |
|
| The Cisco APIC Service (ApicVMMService) shows as stopped in the Microsoft Service Manager (services.msc in control panel > admin tools > services). This happens when a domain account does not have the correct privilege in the domain to restart the service automatically. |
3.2(10e) and later |
|
| The traffic destined to a shared service provider endpoint group picks an incorrect class ID (PcTag) and gets dropped. |
3.2(10e) and later |
|
| Traffic from an external Layer 3 network is allowed when configured as part of a vzAny (a collection of endpoint groups within a context) consumer. |
3.2(10e) and later |
|
| Newly added microsegment EPG configurations must be removed before downgrading to a software release that does not support it. |
3.2(10e) and later |
|
| Downgrading the fabric starting with the leaf switch will cause faults such as policy-deployment-failed with fault code F1371. |
3.2(10e) and later |
|
| Creating or deleting a fabricSetupP policy results in an inconsistent state. |
3.2(10e) and later |
|
| After a pod is created and nodes are added in the pod, deleting the pod results in stale entries from the pod that are active in the fabric. This occurs because the Cisco APIC uses open source DHCP, which creates some resources that the Cisco APIC cannot delete when a pod is deleted. |
3.2(10e) and later |
|
| When a Cisco APIC cluster is upgrading, the Cisco APIC cluster might enter the minority status if there are any connectivity issues. In this case, user logins can fail until the majority of the Cisco APICs finish the upgrade and the cluster comes out of minority. |
3.2(10e) and later |
|
| When downgrading to a 2.0(1) release, the spines and its interfaces must be moved from infra L3out2 to infra L3out1. After infra L3out1 comes up, delete L3out2 and its related configuration, and then downgrade to a 2.0(1) release. |
3.2(10e) and later |
|
| No fault gets raised upon using the same encapsulation VLAN in a copy device in tenant common, even though a fault should get raised. |
3.2(10e) and later |
|
| In the leaf mode, the command "template route group <group-name> tenant <tenant-name>" fails, declaring that the tenant passed is invalid. |
3.2(10e) and later |
|
| When First hop security is enabled on a bridge domain, traffic is disrupted. |
3.2(10e) and later |
|
| Cisco ACI Multi-Site Orchestrator BGP peers are down and a fault is raised for a conflicting rtrId on the fvRtdEpP managed object during L3extOut configuration. |
3.2(10e) and later |
|
| The PSU SPROM details might not be shown in the CLI upon removal and insertion from the switch. |
3.2(10e) and later |
|
| If two intra-EPG deny rules are programmed—one with the class-eq-deny priority and one with the class-eq-filter priority—changing the action of the second rule to "deny" causes the second rule to be redundant and have no effect. The traffic still gets denied, as expected. |
3.2(10e) and later |
|
| With a uniform distribution of EPs and traffic flows, a fabric module in slot 25 sometimes reports far less than 50% of the traffic compared to the traffic on fabric modules in non-FM25 slots. |
3.2(10e) and later |
|
| When you click Restart for the Microsoft System Center Virtual Machine Manager (SCVMM) agent on a scaled-out setup, the service may stop. You can restart the agent by clicking Start. |
3.2(10e) and later |
|
| The CiscoAVS_4.10-5.2.1.SV3.4.10-pkg package has signature issues during installation. |
3.2(10e) and later |
|
| N/A |
In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally "up" external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide. |
3.2(10e) and later |
| N/A |
With a non-english SCVMM 2012 R2 or SCVMM 2016 setup and where the virtual machine names are specified in non-english characters, if the host is removed and re-added to the host group, the GUID for all the virtual machines under that host changes. Therefore, if a user has created a micro segmentation endpoint group using "VM name" attribute specifying the GUID of respective virtual machine, then that micro segmentation endpoint group will not work if the host (hosting the virtual machines) is removed and re-added to the host group, as the GUID for all the virtual machines would have changed. This does not happen if the virtual name has name specified in all english characters. |
3.2(10e) and later |
| N/A |
A query of a configurable policy that does not have a subscription goes to the policy distributor. However, a query of a configurable policy that has a subscription goes to the policy manager. As a result, if the policy propagation from the policy distributor to the policy manager takes a prolonged amount of time, then in such cases the query with the subscription might not return the policy simply because it has not reached policy manager yet. |
3.2(10e) and later |
| N/A |
Cisco ACI vCenter Plug-in: Uninstall is not working; remains present in the GUI. After you uninstall the Cisco ACI vCenter Plug-in, it remains visible in the VMware vCenter UI. Restart the VMware vCenter Server to update the UI. |
3.2(10e) and later |
| N/A |
When there are silent hosts across sites, ARP glean messages might not be forwarded to remote sites if a 1st generation ToR switch (switch models without -EX or -FX in the name) happens to be in the transit path and the VRF is deployed on that ToR switch, the switch does not forward the ARP glean packet back into the fabric to reach the remote site. This issue is specific to 1st generation transit ToR switches and does not affect 2nd generation ToR switches (switch models with -EX or -FX in the name). This issue breaks the capability of discovering silent hosts. |
3.2(10e) and later |
Virtualization Compatibility Information
This section lists virtualization compatibility information for the Cisco APIC software.
· For a table that shows the supported virtualization products, see the ACI Virtualization Compatibility Matrix.
· For information about Cisco APIC compatibility with Cisco UCS Director, see the appropriate Cisco UCS Director Compatibility Matrix document.
· If you use Microsoft vSwitch and want to downgrade to Cisco APIC Release 2.3(1) from a later release, you first must delete any microsegment EPGs configured with the Match All filter.
· This release supports the following additional virtualization products:
| Product |
Supported Release |
Information Location |
| Microsoft Hyper-V |
2016 Update Rollup 1, 2, 2.1, and 3 |
N/A |
| VMM Integration and VMware Distributed Virtual Switch (DVS) |
6.5 and 6.7 |
Hardware Compatibility Information
This release supports the following Cisco APIC servers:
| Product ID |
Description |
| APIC-L1 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L2 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1000 edge ports) |
| APIC-L3 |
Cisco APIC with large CPU, hard drive, and memory configurations (more than 1200 edge ports) |
| APIC-M1 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M2 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1000 edge ports) |
| APIC-M3 |
Cisco APIC with medium-size CPU, hard drive, and memory configurations (up to 1200 edge ports) |
The following list includes general hardware compatibility information:
· For the supported hardware, see the Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10).
· Contracts using matchDscp filters are only supported on switches with "EX" on the end of the switch name. For example, N9K-93108TC-EX.
· When the fabric node switch (spine or leaf) is out-of-fabric, the environmental sensor values, such as Current Temperature, Power Draw, and Power Consumption, might be reported as "N/A." A status might be reported as "Normal" even when the Current Temperature is "N/A."
· Switches without -EX or a later designation in the product ID do not support Contract filters with match type "IPv4" or "IPv6." Only match type "IP" is supported. Because of this, a contract will match both IPv4 and IPv6 traffic when the match type of "IP" is used.
The following table provides compatibility information for specific hardware:
| Product ID |
Description |
| N2348UPQ |
To connect the N2348UPQ to Cisco ACI leaf switches, the following options are available: · Directly connect the 40G FEX ports on the N2348UPQ to the 40G switch ports on the Cisco ACI leaf switches · Break out the 40G FEX ports on the N2348UPQ to 4x10G ports and connect to the 10G ports on all other Cisco ACI leaf switches. Note: A fabric uplink port cannot be used as a FEX fabric port. |
| N9K-C9348GC-FXP |
This switch does not read SPROM information if the PSU is in a shut state. You might see an empty string in the Cisco APIC output. |
| N9K-C9364C-FX |
Ports 49-64 do not supporFut 1G SFPs with QSA. |
| N9K-C9508-FM-E |
The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch. |
| N9K-C9508-FM-E2 |
The Cisco N9K-C9508-FM-E2 and N9K-C9508-FM-E fabric modules in the mixed mode configuration are not supported on the same spine switch. The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS switch CLI. |
| N9K-C9508-FM-E2 |
This fabric module must be physically removed before downgrading to releases earlier than Cisco APIC 3.0(1). |
| N9K-X9736C-FX |
The locator LED enable/disable feature is supported in the GUI and not supported in the Cisco ACI NX-OS Switch CLI. |
| N9K-X9736C-FX |
Ports 29 to 36 do not support 1G SFPs with QSA. |
Adaptive Security Appliance (ASA) Compatibility Information
This section lists ASA compatibility information for the Cisco APIC software.
· This release supports Adaptive Security Appliance (ASA) device package version 1.2.5.5 or later.
· If you are running a Cisco Adaptive Security Virtual Appliance (ASA) version that is prior to version 9.3(2), you must configure SSL encryption as follows:
(config)# ssl encryption aes128-sha1
Miscellaneous Compatibility Information
This release supports the following products:
| Product |
Supported Release |
| Cisco NX-OS |
13.2(10) |
| Cisco AVS |
5.2(1)SV3(3.31) For more information about the supported AVS releases, see the AVS software compatibility information in the Cisco Application Virtual Switch Release Notes, Release 5.2(1)SV3(3.31). |
| Cisco UCS Manager |
2.2(1c) or later is required for the Cisco UCS Fabric Interconnect and other components, including the BIOS, CIMC, and the adapter. |
| CIMC HUU ISO |
● 4.2(3e) CIMC HUU ISO (recommended) for UCS C220/C240 M5 (APIC-L3/M3)
● 4.2(3b) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.2(2a) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3m) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3f) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3d) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(3c) CIMC HUU ISO for UCS C220/C240 M5 (APIC-L3/M3)
● 4.1(2m) CIMC HUU ISO (recommended) for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2k) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(2b) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 4.1(1g) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2) and M5 (APIC-L3/M3)
● 4.1(1f) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2) (deferred release)
● 4.1(1d) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 4.1(1c) CIMC HUU ISO for UCS C220 M4 (APIC-L2/M2)
● 4.0(4e) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 4.0(2g) CIMC HUU ISO for UCS C220/C240 M4 and M5 (APIC-L2/M2 and APIC-L3/M3)
● 4.0(1a) CIMC HUU ISO for UCS C220 M5 (APIC-L3/M3)
● 3.0(4d) CIMC HUU ISO for UCS C220/C240 M3 and M4 (APIC-L2/M2)
● 3.0(3f) CIMC HUU ISO for UCS C220/C240 M4 (APIC-L2/M2)
● 2.0(13i) CIMC HUU ISO
● 2.0(9c) CIMC HUU ISO
● 2.0(3i) CIMC HUU ISO
|
| Network Insights Base, Network Insights Advisor, and Network Insights for Resources |
For the release information, documentation, and download links, see the Cisco Network Insights for Data Center page. For the supported releases, see the Cisco Data Center Networking Applications Compatibility Matrix. |
· This release supports the partner packages specified in the L4-L7 Compatibility List Solution Overview document.
· A known issue exists with the Safari browser and unsigned certificates, which applies when connecting to the Cisco APIC GUI. For more information, see the Cisco APIC Getting Started Guide, Release 3.x.
· For compatibility with Day-2 Operations apps, see the Cisco Data Center Networking Applications Compatibility Matrix.
Related Content
See the Cisco Application Policy Infrastructure Controller (APIC) page for the documentation.
The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, as well as other documentation. KB articles provide information about a specific use case or a specific topic.
By using the "Choose a topic" and "Choose a document type" fields of the APIC documentation website, you can narrow down the displayed documentation list to make it easier to find the desired document.
You can watch videos that demonstrate how to perform specific tasks in the Cisco APIC on the Cisco Data Center Networking YouTube channel.
Temporary licenses with an expiry date are available for evaluation and lab use purposes. They are strictly not allowed to be used in production. Use a permanent or subscription license that has been purchased through Cisco for production purposes. For more information, go to Cisco Data Center Networking Software Subscriptions.
The following table provides links to the release notes, verified scalability documentation, and new documentation:
| Document |
Description |
| Cisco Nexus 9000 ACI-Mode Switches Release Notes, Release 13.2(10) |
The release notes for Cisco NX-OS for Cisco Nexus 9000 Series ACI-Mode Switches. |
| This guide contains the maximum verified scalability limits for Cisco Application Centric Infrastructure (ACI) parameters for Cisco APIC, Cisco ACI Multi-Site, and Cisco Nexus 9000 Series ACI-Mode Switches. |
Documentation Feedback
To provide technical feedback on this document, or to report an error or omission, send your comments to apic-docfeedback@cisco.com. We appreciate your feedback.
Legal Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2021-2024 Cisco Systems, Inc. All rights reserved.