The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the features, issues, and deployment guidelines for Cisco Nexus Dashboard Orchestrator software.
Cisco Multi-Site is an architecture that allows you to interconnect separate Cisco APIC, Cloud APIC, and DCNM domains (fabrics) each representing a different region. This helps ensure multitenant Layer 2 and Layer 3 network connectivity across sites and extends the policy domain end-to-end across the entire system.
Cisco Nexus Dashboard Orchestrator is the intersite policy manager. It provides single-pane management that enables you to monitor the health of all the interconnected sites. It also allows you to centrally define the intersite configurations and policies that can then be pushed to the different Cisco APIC, Cloud APIC, or DCNM fabrics, which in term deploy them in those fabrics. This provides a high degree of control over when and where to deploy the configurations.
For more information, see the “Related Content” section of this document.
Note: The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.
Date |
Description |
October 4, 2021 |
Release 3.5(1e) became available |
This release adds the following new features:
Feature |
Description |
Cloud external connectivity from CSR using IPSec |
Nexus Dashboard Orchestrator now allows you to establish IPsec external connectivity between CSR1kv(s) in AWS/Azure cloud sites and external routers capable of terminating the IPSEC tunnel. The external routers can be branch, cloud, SDWAN edge, or on-premises data center. For more information, see Configuring External Connectivity from Cloud CSRs Using Nexus Dashboard Orchestrator. |
BGP underlay for intersite connectivity |
You can now use BGP IPv4 for inter-site underlay connectivity for on-premises sites in addition to previously available OSPF. We recommend using either BGP IPv4 or OSPF for deployments, however during migration from OSPF to BGP, both protocols can be enabled simultaneously for the migration period. For additional information, see Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics. |
There is no new hardware supported in this release.
The complete list of supported hardware is available in the “Deploying Nexus Dashboard Orchestrator” chapter of the Cisco Multi-Site Deployment Guide.
If you are upgrading to this release, you will see the following changes in behavior:
● For all new deployments, you must install the Nexus Dashboard Orchestrator services in Nexus Dashboard release 2.0.2h or later.
Note that the cloud Nexus Dashboard release 2.0.2h clusters support Cisco APIC and Cisco Cloud APIC site on-boarding only. If you want to use Nexus Dashboard Orchestrator service to manage Cisco DCNM sites, you will need to deploy one of the other form factors or Nexus Dashboard release 2.1.1, which supports all sites on all form factors.
● If you are upgrading your existing deployment from a release prior to Release 3.2(1), you must deploy a new Nexus Dashboard cluster and migrate your existing configuration.
The procedure is described in detail in Cisco Nexus Dashboard Orchestrator Deployment Guide.
● If you deploy in a virtual or cloud Nexus Dashboard, downgrading to releases prior to Release 3.3(1) is not supported.
● If you deploy in a physical Nexus Dashboard cluster, downgrading to releases prior to Release 3.2(1) is not supported.
● If you are migrating from an earlier release to Release 3.3(1) or later, you may need to resolve any configuration drifts in the object properties that are newly managed by MSO where the default values picked by MSO differ from the custom values set directly in the fabrics' controllers.
Any time Nexus Dashboard Orchestrator adds support for managing object properties that previously had to be managed directly in the APIC, it sets those properties to some default values for existing objects in MSO Schemas but does not push them to sites.
To resolve the configuration drifts, you will need to re-import these objects and their properties from the fabrics’ Controllers and then re-deploy the templates as described in the Cisco Nexus Dashboard Orchestrator Deployment Guide.
● Site management and on-boarding have moved to a centralized location in the Nexus Dashboard GUI.
When migrating from a release prior to Release 3.2(1), you will need to on-board the sites using the Nexus Dashboard GUI before restoring existing configuration. The procedure is described in detail in Cisco Nexus Dashboard Orchestrator Deployment Guide.
● User management and authentication have moved to a centralized location in the Nexus Dashboard GUI.
Existing local users defined in older Orchestrator clusters will be transferred to the Nexus Dashboard during configuration import.
For existing remote authentication users, you will need to add the remote authentication server to the Nexus Dashboard as described in the Nexus Dashboard User Guide.
● Starting with Release 3.3(1), the following API changes have been implemented:
PATCH API no longer returns the complete object that was modified, in contrast to prior releases where a complete object (such as schema) was returned by the API.
Because Site Management and User Management have moved to a central location on Nexus Dashboard, the following API changes have been implemented to the corresponding Nexus Dashboard Orchestrator APIs:
◦ User Management API v2 is introduced for querying the new user structures with original API changing to read-only mode (only GET operations are allowed, PUT/POST are removed).
The issue which caused the User Management API v1 to incorrectly return v2 structures in Release 3.2 has been resolved and the v1 API now returns the correct structure similar to Release 3.1.
◦ Site Management API v2 is introduced that allows setting a site to 'managed' or 'unmanaged' in NDO. Previous Site Management APIs are changed to read-only mode (GET operation only). Site onboarding moved to the Nexus Dashboard APIs.
You can no longer remove DHCP Relay and DHCP Option policies until they have been removed from all associated BDs.
● Starting with Release 3.4(1), local configuration backups have been deprecated.
If you are upgrading from a release prior to release 3.4(1) to release 3.4(1) or later, you must download any existing local configuration backups prior to the upgrade. You will then be able to import those configuration backups to a remote backup location you configure in the Nexus Dashboard Orchestrator. For more information, see the “Operations” chapter of the Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics or Cisco Nexus Dashboard Orchestrator Configuration Guide for DCNM Fabrics.
This section lists the open issues. Click the bug ID to access the Bug Search Tool and see additional information about the bug. The "Exists In" column of the table specifies the 3.5(1) releases in which the bug exists. A bug might also exist in releases other than the 3.5(1) releases.
Bug ID |
Description |
Exists in |
When service graphs or devices are created on Cloud APIC by using the API and custom names are specified for AbsTermNodeProv and AbsTermNodeCons, a brownfield import to the Nexus Dashboard Orchestrator will fail. |
3.5(1e) and later |
|
Contract is not created between shadow EPG and on-premises EPG when shared service is configured between Tenants. |
3.5(1e) and later |
|
Inter-site shared service between VRF instances across different tenants will not work, unless the tenant is stretched explicitly to the cloud site with the correct provider credentials. That is, there will be no implicit tenant stretch by Nexus Dashboard Orchestrator. |
3.5(1e) and later |
|
Deployment window may show more policies been modified than the actual config changed by the user in the Schema. |
3.5(1e) and later |
|
Deployment window may not show all the service graph related config values that have been modified. |
3.5(1e) and later |
|
Deployment window may not show all the cloud related config values that have been modified. |
3.5(1e) and later |
|
After brownfield import, the BD subnets are present in site local and not in the common template config |
3.5(1e) and later |
|
In shared services use case, if one VRF has preferred group enabled EPGs and another VRF has vzAny contracts, traffic drop is seen. |
3.5(1e) and later |
|
The REST API call "/api/v1/execute/schema/5e43523f1100007b012b0fcd/template/Template_11?undeploy=all" can fail if the template being deployed has a large object count |
3.5(1e) and later |
|
Shared service traffic drops from external EPG to EPG in case of EPG provider and L3Out vzAny consumer |
3.5(1e) and later |
|
Intersite L3Out traffic is impacted because of missing import RT for VPN routes |
3.5(1e) and later |
|
MSO will not update or delete VRF vzAny configuration which was directly created on APIC even though the VRF is managed by MSO. |
3.5(1e) and later |
|
When deploying fabric connectivity between on-premises and cloud sites, you may get a validation error stating that l3extSubnet/cloudTemplateBgpEvpn is already attached. |
3.5(1e) and later |
|
Two cloud sites (with Private IP for CSRs) with the same InfraVNETPool on both sites can be added to MSO without any infraVNETPool validation. |
3.5(1e) and later |
|
After a site is re-registered, MSO may have connectivity issues with APIC or CAPIC |
3.5(1e) and later |
|
Multiple Peering connections created for 2 set of cloud sites. |
3.5(1e) and later |
|
Random MSO APIs will return 500 errors for about 20 minutes, while the system is slowly detecting the node outage a relocating services. |
3.5(1e) and later |
|
Missing BD1/VRF1 in site S2 will impact the forwarding from EPG1 in site S1 to EPG1/EPG2 in site S2 |
3.5(1e) and later |
|
NSG rules on Cloud EPG are removed right after applying service graph between Cloud EPG and on-premises EPG, which breaks communication between Cloud and on-premises. |
3.5(1e) and later |
|
Route leak configuration for invalid Subnet may get accepted when Internal VRF is the hosted VRF. There would be fault raised in cAPIC. |
3.5(1e) and later |
This section lists the resolved issues. Click the bug ID to access the Bug Search tool and see additional information about the issue. The "Fixed In" column of the table specifies whether the bug was resolved in the base release or a patch release.
Bug ID |
Description |
Fixed in |
API POST/GET/PUT/DEL requests to MSO will be accepted, but system might return an internal_server_error with code 500 and message as "The token is expired since 2020-11-23T12:41:15Z?. |
3.5(1e) |
|
Some EPG/BD objects are deleted and get converted to shadows objects. This may appear as fvRemoteId getting deleted and then later not getting programmed which leads to traffic getting dropped. |
3.5(1e) |
|
NDO removes L3Out-BD association from sites after deleting even an unrelated L3Out in other templates. |
3.5(1e) |
|
While undeploying the stretched template from one of the sites, service graph instance used in the contracts in that template gets into failed-to-apply state on another site where template is still remained deployed. |
3.5(1e) |
|
|
|
|
This section lists known behaviors. Click the Bug ID to access the Bug Search Tool and see additional information about the issue.
Bug ID |
Description |
Unable to download Nexus Dashboard Orchestrator report and debug logs when database and server logs are selected |
|
Unicast traffic flow between Remote Leaf Site1 and Remote Leaf in Site2 may be enabled by default. This feature is not officially supported in this release. |
|
After downgrading from 2.1(1), preferred group traffic continues to work. You must disable the preferred group feature before downgrading to an earlier release. |
|
No validation is available for shared services scenarios |
|
The upstream server may time out when enabling audit log streaming |
|
For Cisco Multi-Site, Fabric IDs Must be the Same for All Sites, or the Querier IP address Must be Higher on One Site. The Cisco APIC fabric querier functions have a distributed architecture, where each leaf switch acts as a querier, and packets are flooded. A copy is also replicated to the fabric port. There is an Access Control List (ACL) configured on each TOR to drop this query packet coming from the fabric port. If the source MAC address is the fabric MAC address, unique per fabric, then the MAC address is derived from the fabric-id. The fabric ID is configured by users during initial bring up of a pod site. In the Cisco Multi-Site Stretched BD with Layer 2 Broadcast Extension use case, the query packets from each TOR get to the other sites and should be dropped. If the fabric-id is configured differently on the sites, it is not possible to drop them. To avoid this, configure the fabric IDs the same on each site, or the querier IP address on one of the sites should be higher than on the other sites. |
|
STP and "Flood in Encapsulation" Option are not Supported with Cisco Multi-Site. In Cisco Multi-Site topologies, regardless of whether EPGs are stretched between sites or localized, STP packets do not reach remote sites. Similarly, the "Flood in Encapsulation" option is not supported across sites. In both cases, packets are encapsulated using an FD VNID (fab-encap) of the access VLAN on the ingress TOR. It is a known issue that there is no capability to translate these IDs on the remote sites. |
|
If an infra L3Out that is being managed by Cisco Multi-Site is modified locally in a Cisco APIC, Cisco Multi-Site might delete the objects not managed by Cisco Multi-Site in an L3Out. |
|
"Phone Number" field is required in all releases prior to Release 2.2(1). Users with no phone number specified in Release 2.2(1) or later will not be able to log in to the GUI when Orchestrator is downgraded to an earlier release. |
|
Routes are not programmed on CSR and the contract config is not pushed to the Cloud site. |
|
Shadow of cloud VRF may be unexpectedly created or deleted on the on-premises site. |
|
Let's say APIC has EPGs with some contract relationships. If this EPG and the relationships are imported into MSO and then the relationship was removed and deployed to APIC, MSO doesn't delete the contract relationship on the APIC. |
This release supports the hardware listed in the “Prerequisites” section of the Cisco Nexus Dashboard Orchestrator Deployment Guide.
This release supports Nexus Dashboard Orchestrator deployments in Cisco Nexus Dashboard only.
When managing Cloud APIC sites, this Nexus Dashboard Orchestrator release supports Cisco Cloud APIC, Release 5.2(1) or later only.
When managing on-premises fabrics, this Nexus Dashboard Orchestrator release supports any on-premises Cisco APIC release that can be on-boarded to the Nexus Dashboard. For more information, see the Interoperability Support section in the “Infrastructure Management” chapter of the Cisco Nexus Dashboard Orchestrator Deployment Guide.
For Nexus Dashboard Orchestrator verified scalability limits, see Cisco Nexus Dashboard Orchestrator Verified Scalability Guide.
For Cisco ACI fabrics verified scalability limits, see Cisco ACI Verified Scalability Guides.
For Cisco DCNM fabrics verified scalability limits, see Cisco DCNM Verified Scalability Guides.
For DCNM fabrics, see the Cisco Data Center Manager (DCNM) page for a complete list of all documentation for DCNM fabrics.
For ACI fabrics, see the Cisco Application Policy Infrastructure Controller (APIC) page for a complete list of all documentation for ACI fabrics. On that page, you can use the "Choose a topic" and "Choose a document type" fields to narrow down the displayed documentation list and find a desired document.
The documentation includes installation, upgrade, configuration, programming, and troubleshooting guides, technical references, release notes, and knowledge base (KB) articles, and videos. KB articles provide information about a specific use cases or topics. The following table describes the core Nexus Dashboard Orchestrator documentation.
Document |
Description |
Provides release information for the Cisco Nexus Dashboard Orchestrator product. |
|
Describes how to install Cisco Nexus Dashboard Orchestrator and perform day-0 operations. |
|
Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics |
Describes Cisco Nexus Dashboard Orchestrator configuration options and procedures for fabrics managed by Cisco APIC. |
A series of documents that describe Cisco Nexus Dashboard Orchestrator configuration options and procedures for fabrics managed by Cisco Cloud APIC. |
|
Cisco Nexus Dashboard Orchestrator Configuration Guide for DCNM Fabrics |
Describes Cisco Nexus Dashboard Orchestrator configuration options and procedures for fabrics managed by Cisco DCNM. |
Cisco Nexus Dashboard Orchestrator REST API Configuration Guide |
Describes how to use Cisco Nexus Dashboard Orchestrator API. |
Contains the maximum verified scalability limits for this release of Cisco Nexus Dashboard Orchestrator. |
|
Contains the maximum verified scalability limits for Cisco ACI fabrics. |
|
Contains the maximum verified scalability limits for Cisco DCNM fabrics. |
|
Contains videos that demonstrate how to perform specific tasks in the Cisco Nexus Dashboard Orchestrator. |
To provide technical feedback on this document, or to report an error or omission, send your comments to mailto:apic-docfeedback@cisco.com. We appreciate your feedback.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2020 Cisco Systems, Inc. All rights reserved.