Use the Fabric Membership window to register the leaf and spine switches detected by the ACI fabric. You can also manually add leaf and spine switches to the fabric using the serial number listed on the box.

Note	We recommend registering at least two leaf switches and two spine switches. You must register at least one leaf switch and one spine switch in order to proceed through the First Time Setup wizard.

The Fabric Membership window contains two sections:

• Discovered: This section provides information on newly-discovered but unregistered switches. These nodes will have a node ID of 0 and will have no IP address.

• Registered: This section provides information on all of the registered switches in your ACI fabric.

You can register a switch using either of these methods:

• If the switch is shown in the Discovered section, click the Register button next to that switch to open the Create Fabric Node Member window. Note that the Pod ID and Serial Number fields will be automatically populated in the Create Fabric Node Member window in this case.

• If the switch is not shown in the Discovered section, click the Action icon ( ), then select Create Fabric Node Member from the drop-down list.

In the Create Fabric Node Member window, enter the following information:

Click Submit when you have completed the information in the Create Fabric Node Member window, then click Continue in the Fabric Membership to continue to the next window in the First Time Setup wizard.

Use the Out Of Band Management window to configure the management interface IP address for leaf switches, spine switches, and APIC nodes to connect to the Out of Band (OOB) network. Select several nodes to begin assigning IP addresses to them.

Note	The First Time Setup wizard helps with configuring nodes that have not already been configured for Out of Band management.

Type the address of the gateway in the following fields and an IP address is automatically suggested for each discovered node:

• IPv4 Gateway: The IPv4 default gateway address for communication to external networks using out-of-band management.

• IPv6 Gateway: The IPv6 default gateway address for communication to external networks using out-of-band management.

In the Filter by attributes area, you can filter the discovered nodes by their attributes. Click Edit if you want to change the nodes that you had selected to configure for Out of Band management.

Click Save to continue to the next window in the First Time Setup wizard.

Use the Setup - vPC Pairs window to explicitly configure member nodes of the group by using a Fabric policy node endpoint.

In the Filter by attributes area, you can filter the vPC pairs by their attributes. Click Edit if you want to change the vPC pairs that you had selected to configure the vPC pair.

In the vPC Pairs central pane, expand the Actions drop-down list, and choose Create vPC Leaf Switch Pair, Delete vPC Leaf Switch Pair, Download All, or Open in Object Store Browser.

Click Save to continue to the next window in the First Time Setup wizard.

Use the BGP window to configure ACI fabric route reflectors, which use multiprotocol BGP (MP-BGP) to distribute external routes within the fabric. Once you have enabled the route reflectors in the ACI fabric, you can configure connectivity to external networks.

Note

Select spine switches to configure as route reflectors. You must configure at least one route reflector in order to proceed through the First Time Setup wizard. If you do not see any spine switches in the table in this window, verify that the switch is registered with the correct type or has been discovered by APIC.

In the BGP window, check the box next to the spine switches that you want to use as route reflectors and enter the ASN for this spine switch in the Autonomous System Number field. Click Save and Continue to continue to the next window in the First Time Setup wizard.

Use the DNS window to configure DNS servers and search domains to allow leaf switches, spine switches and APIC nodes to query DNS names. The OOB connection will be used for DNS communication.

Note	The First Time Setup wizard configures DNS servers and DNS domains under the default DNS Policy.

To configure the DNS servers, click + in the DNS Servers area, then enter the following information:

• Address: Enter the provider address.

• Preferred: Check the check box if you want to have this address as the preferred provider.

• Status: Provides the status of the configuration request.

Click Update, then repeat this process to configure additional DNS servers, if necessary.

To configure the search domains, click + in the Search Domains area, then enter the following information:

• Name: Enter the domain name (cisco.com).

• Default: Check the check box to make this domain the default domain. You can have only one domain name as the default.

• Status: Provides the status of the configuration request.

Click Update, then repeat this process to configure additional search domains, if necessary.

To delete an entry either from the DNS Servers table or from the Search Domains table, select the entry that you would like to delete, then click the trash can icon in that table.

Click Save and Continue to continue to the next window in the First Time Setup wizard.

Use the NTP window to configure a timezone and assign NTP servers to synchronize leaf switches, spine switches, and APIC nodes to a valid time source. The OOB connection will be used for NTP communication.

Note	The First Time Setup wizard configures servers under the default NTP Policy.

In the Display Format area, click local to display the date and time in a local time zone format, or click utc to display the date and time in the UTC time zone format. The default is local.

If you selected local above, in the Time Zone area, click the drop-down arrow to choose the time zone for your domain. You can also type in the drop down menu area to filter the drop down options. The default is Coordinated Universal Time.

To configure the NTP servers, click + in the NTP Servers area, then enter the following information:

• Host Name/IPAddress: Enter the host name and IP address of the NTP server.

• Preferred: If you are creating multiple providers, check the Preferred check box for the most reliable NTP source.

• Status: Provides the status of the configuration request.

Click Update, then repeat this process to configure additional NTP servers, if necessary.

To delete an entry from the NTP Servers table, select the entry that you would like to delete, then click the trash can icon in that table.

Click Save and Continue to continue to the next window in the First Time Setup wizard.

Use the Global Configurations window to configure certain areas, which we recommend as best practices during the first time set up of your ACI fabric. Click Okay, Got it! when you are ready to configure these areas:

• Subnet Check

• Domain Validation

• Intermediate System to Intermediate System for redistributed routes

• IP Aging Administrative State

• Rogue EP Control

• COOP Group Policy

Note

Some settings in this window are configurable after the First Time Setup, such as the Subnet Check and Domain Validation settings, which can be configured in the Fabric Wide Setting Policy page (System > System Settings > Fabric-Wide Settings). However, configuring those settings after the First Time Setup might cause issues with other existing configurations. For example, enabling the Enforce Subnet Check and Enforce Domain Validation settings in the Fabric Wide Setting Policy page could break a configured L3Out connection without the proper policy chain in place for the interface or for a statically-assigned port to an EPG.

Subnet Check

This feature disables IP address learning outside of subnets configured in a VRF, for all other VRFs.

This feature enforces subnet checks at the VRF level, when the Cisco Application Centric Infrastructure (Cisco ACI) learns the IP address as an endpoint from the data plane. If you put a check in the box for this option, the fabric will not learn IP addresses from a subnet other than the one configured on the bridge domain. This feature prevents the fabric from learning endpoint information in this scenario.

Check the box next to Enforce to enable the subnet check feature, which is highly recommended.

Domain Validation

This feature enforces a validation check if a static path is added but no domain is associated to an EPG.

When enabled, a validation check is performed when a static path is added to an EPG, to determine if the path is part of a domain that is associated with the EPG. The scope of this policy is fabric-wide. After configuration, a policy is pushed to each leaf switch as it comes up.

Check the box next to Enforce to enable the domain validation feature, which is highly recommended.

Intermediate System to Intermediate System for redistributed routes

This is the IS-IS metric that is used for all imported routes into IS-IS. Configuring a metric lower than 64 (max) with this option, such as 63, allows ACI switches to prefer routes from stable spines until the routing convergence is achieved on a new spine.

Enter the appropriate value in the IS-IS metric field.

IP Aging Administrative State

Enabling this policy allows ACI to track each IP individually and age out unused IPs efficiently. Otherwise, unused IPs remain learned until the base MAC address ages out. This does not affect remote endpoints.

When enabled, the IP aging policy ages unused IPs on an endpoint. In this situation, the IP aging policy sends ARP requests (for IPv4) and neighbor solicitations (for IPv6) to track IPs on endpoints. If no response is given, the policy ages the unused IPs.

Following are the options for this field:

• Disabled: The default setting. APIC disregards the IP aging policy.

• Enabled: APIC observes the IP aging policy.

We highly recommend enabling this feature.

Rogue EP Control

A rogue endpoint can attack top of rack (ToR) switches through frequently, repeatedly injecting packets on different ToR ports and changing 802.1Q tags (emulating endpoint moves), resulting in IP and MAC addresses being learned rapidly in different EPGs and ports. Misconfigurations can also cause frequent IP and MAC address changes (moves).

The Rogue EP Control feature addresses this vulnerability. Enabling this policy allows ACI to detect and delete unauthorized endpoints.

Following are the options for this field:

• Disabled: The default setting. APIC disregards the Rogue EP Control policy.

• Enabled: APIC observes the Rogue EP Control policy.

We highly recommend enabling this feature.

Additional settings for Rogue EP Control, such as Rogue EP Detection Interval, Rogue EP Detection Multiplication Factor, and Hold Interval, are available through the Endpoint Controls panel. To access the Endpoint Controls panel, on the menu bar, click System > System Settings > Endpoint Controls, then click the Rogue EP Control tab.

Following are the valid and default settings for the fields in the Rogue EP Control tab in the Endpoint Controls window:

• Rogue EP Detection Interval: Valid values are from 0 to 65535 seconds. Default value is 60.

• Rogue EP Detection Multiplication Factor: Valid values are from 2 to 65535. Default value is 4.

• Hold Interval: Valid values are from 1800 to 3600 seconds. Default value is 1800.

COOP Group Policy

Council of Oracle Protocol (COOP) is used to communicate the mapping information (location and identity) to the spine proxy. A leaf switch forwards endpoint address information to the spine switch 'Oracle' using Zero Message Queue (ZMQ). COOP running on the spine nodes will ensure all spine nodes maintain a consistent copy of endpoints and location information in the mapping database.

COOP protocol supports two ZMQ authentication modes:

• Compatible Type: The default setting. COOP accepts both MD5 authenticated and non-authenticated ZMQ connections for message transportation.

  Note	The APIC manages the token used as MD5 password for COOP. This token is automatically rotated by APIC every hour. This token cannot be displayed.

• Strict Type: COOP allows MD5 authenticated ZMQ connections only.

We highly recommend the Strict Type setting for the COOP Group Policy.