Cisco ACI 6.0(5h)M Release

Cisco ACI 6.0(5h)M has been released. In the 5.3 train, this is the third release, following 5.3(1d) and 5.3(2a). The only change appears to be additions to the Resolved Issues.

Controller

Resolved Issues

CSCwh77307

After rebooting all Cisco APICs at the same time, none of the apps are running and fault F3254 displays in the system. Nomad status output shows "no servers".

CSCwi25781

Cisco APIC apps container processes get restarted on a vAPIC platform due to OOM during some triggers on a scale setup. Note: This does not affect DMEs or any core APIC functionality.

CSCwi26092

Starting from a Cisco ACI fabric running release 4.2(7w) or earlier with UCSM integration configured and functional, upgrading to a release after 5.2 and re-enabling the UCSM integration application triggers the inventory sync and the VLANs that were programmed are removed.

CSCwi46135

None of the apps run in a Cisco APIC cluster. The F1419 fault (Service consul failed) displays in the system and the consul service does not run.

CSCwi46433

Cluster formation fails after cleaning up cleanActiveApicList on APIC1 and clean rebooting the APIC after doing an RMA of APIC1.

Known Issues

CSCvj26666

The "show run leaf|spine " command might produce an error for scaled up configurations.

CSCvj90385

With a uniform distribution of EPs and traffic flows, a fabric module in slot 25 sometimes reports far less than 50% of the traffic compared to the traffic on fabric modules in non-FM25 slots.

CSCvq39764

When you click Restart for the Microsoft System Center Virtual Machine Manager (SCVMM) agent on a scaled-out setup, the service may stop. You can restart the agent by clicking Start.

CSCvq58953

One of the following symptoms occurs:

  • App installation/enable/disable takes a long time and does not complete.
  • Nomad leadership is lost. The output of the acidiag scheduler logs members command contains the following error:

    Error querying node status: Unexpected response code: 500 (rpc error: No cluster leader)

CSCvr89603

The CRC and stomped CRC error values do not match when seen from the APIC CLI compared to the APIC GUI. This is expected behavior. The GUI values are from the history data, whereas the CLI values are from the current data.

CSCvs19322

Upgrading Cisco APIC from a 3.x release to a 4.x release causes Smart Licensing to lose its registration. Registering Smart Licensing again will clear the fault.

CSCvs77929

In the 4.x and later releases, if a firmware policy is created with a different name than the maintenance policy, the firmware policy will be deleted and a new firmware policy gets created with the same name, which causes the upgrade process to fail.

CSCvx75380

svcredirDestmon objects get programmed in all of the leaf switches where the service L3Out is deployed, even though the service node may not be connected to some of the leaf switches.

There is no impact to traffic.

CSCvx78018

A remote leaf switch has momentary traffic loss for flushed endpoints as the traffic goes through the tglean path and does not directly go through the spine switch proxy path.

CSCvy07935

xR IP flush for all endpoints under the bridge domain subnets of the EPG being migrated to ESG. This will lead to a temporary traffic loss on remote leaf switch for all EPGs in the bridge domain. Traffic is expected to recover.

CSCvy10946

With the floating L3Out multipath recursive feature, if a static route with multipath is configured, not all paths are installed at the non-border leaf switch/non-anchor nodes.

CSCvy34357

Starting with the 6.0(5) release, the following apps built with the following non-compliant Docker versions cannot be installed nor run:

  • ConnectivityCompliance 1.2
  • SevOneAciMonitor 1.0

CSCvy45358

The file size mentioned in the status managed object for techsupport "dbgexpTechSupStatus" is wrong if the file size is larger than 4GB.

CSCvz06118

In the "Visibility and Troubleshooting Wizard," ERSPAN support for IPv6 traffic is not available.

CSCvz84444

While navigating to the last records in the various History sub tabs, it is possible to not see any results. The first, previous, next, and last buttons will then stop working too.

CSCvz85579

VMMmgr process experiences a very high load for an extended period of time that impacts other operations that involve it.

The process may consume an excessive amount of memory and get aborted. This can be confirmed with the command "dmesg -T | grep oom_reaper" if messages such as the following are reported:

     oom_reaper: reaped process 5578 (svc_ifc_vmmmgr.)

CSCwa78573

When the "BGP" branch is expanded in the Fabric > Inventory > POD 1 > Leaf > Protocols > BGP navigation path, the GUI freezes and you cannot navigate to any other page.

This occurs because the APIC gets a large set of data in response, which cannot be handled by the browser for parts of the GUI that do not have pagination.

CSCwe18213

The logical switch created for the EPG remains in the NSX-T manager after the EPG is disassociated from the domain, or the logical switch does not get created when the EPG is associated with the domain.

CSCwf71934

Multiple duplicate subnets are created on Nutanix for the same EPG.

CSCwh63412

Audit logs under System > History > Audit Logs are limited to the current logged in user. Only the user with the username admin can see the audit logs from all users, but other users despite having admin privileges cannot see the audit logs from other users. The audit logs under Tenants are visible to every user.

CSCwh92539

After upgrading a Cisco APIC from a release before 5.2(8) to release 6.0(5) or later, there is a loss of out-of-band management connectivity over IPv6 if the APIC has dual stack out-of-band management. However, IPv4 connectivity remains intact. This issue does not occur if the out-of-band management is only IPv4 or only IPv6.

N/A

Beginning in Cisco APIC release 4.1(1), the IP SLA monitor policy validates the IP SLA port value. Because of the validation, when TCP is configured as the IP SLA type, Cisco APIC no longer accepts an IP SLA port value of 0, which was allowed in previous releases. An IP SLA monitor policy from a previous release that has an IP SLA port value of 0 becomes invalid if the Cisco APIC is upgraded to release 4.1(1) or later. This results in a failure for the configuration import or snapshot rollback.

The workaround is to configure a non-zero IP SLA port value before upgrading the Cisco APIC, and use the snapshot and configuration export that was taken after the IP SLA port change.

N/A

If you use the REST API to upgrade an app, you must create a new firmware.OSource to be able to download a new app image.

N/A

In a multipod configuration, before you make any changes to a spine switch, ensure that there is at least one operationally "up" external link that is participating in the multipod topology. Failure to do so could bring down the multipod connectivity. For more information about multipod, see the Cisco Application Centric Infrastructure Fundamentals document and the Cisco APIC Getting Started Guide.

N/A

With a non-English SCVMM 2012 R2 or SCVMM 2016 setup and where the virtual machine names are specified in non-English characters, if the host is removed and re-added to the host group, the GUID for all the virtual machines under that host changes. Therefore, if a user has created a micro segmentation endpoint group using the "VM name" attribute specifying the GUID of the respective virtual machine, then that micro segmentation endpoint group will not work if the host (hosting the virtual machines) is removed and re-added to the host group, as the GUID for all the virtual machines would have changed. This does not happen if the virtual machine name is specified in all English characters.

N/A

A query of a configurable policy that does not have a subscription goes to the policy distributor. However, a query of a configurable policy that has a subscription goes to the policy manager. As a result, if the policy propagation from the policy distributor to the policy manager takes a prolonged amount of time, then in such cases the query with the subscription might not return the policy simply because it has not reached policy manager yet.

N/A

When there are silent hosts across sites, ARP glean messages might not be forwarded to remote sites if a leaf switch without -EX or a later designation in the product ID happens to be in the transit path and the VRF is deployed on that leaf switch; the switch does not forward the ARP glean packet back into the fabric to reach the remote site. This issue is specific to transit leaf switches without -EX or a later designation in the product ID and does not affect leaf switches that have -EX or a later designation in the product ID. This issue breaks the capability of discovering silent hosts.

N/A

Typically, faults are raised based on the presence of the BGP route target profile under the VRF table. However, if a BGP route target profile is configured without actual route targets (that is, the profile has empty policies), a fault will not be raised in this situation.

N/A

MPLS interface statistics shown in a switch's CLI get cleared after an admin or operational down event.

N/A

MPLS interface statistics in a switch's CLI are reported every 10 seconds. If, for example, an interface goes down 3 seconds after the collection of the statistics, the CLI reports only 3 seconds of the statistics and clears all of the other statistics.

Switch

Open Issues

CSCvg85886

When an ARP request is generated from one endpoint to another endpoint in an isolated EPG, an ARP glean request is generated for the first endpoint.

CSCvw89840

Traffic originating from a vPC TEP is dropped for Layer 2 multicast and unknown unicast traffic when pod redundancy is triggered.

CSCvy31805

The PBR destination group for bypass action is not properly programmed with PBR service graph for service devices behind l3out and with "bypass" action enabled to redirect to another service node in the graph. Now on bypass switchover, the traffic doesn't get redirected to the next service node in the chain.

CSCwc61780

N9K-C9408 ASIC SFP+ ports on N9K-C9400-SUP-A card are not supported.

CSCwd64518

A virtual machine has connectivity loss when the destination virtual machine is migrated using vMotion. This issue happens only if microsegmentation is enabled on the EPG.

CSCwd89607

When endpoint rogue detection or endpoint loop control is enabled with first hop security, the fabric might flag incorrect endpoint moves. This might lead to loss of traffic or the disabling of bridge domain learning.

CSCwe33967

After deleting or adding a VRF instance, the BGP peer session picks up the default timer values instead of the configured values. This is evidenced by the holdIntvl and kaIntvl values in the bgpPeerEntry managed object in the policy engine. The issue happens intermittently.

CSCwf45328

BGP generates a core after deleting and restoring an SR MPLS infra L3Out node profile. This issue occurred with a scale configuration (800 VRF instances).

CSCwf74167

An endpoint does not receive a DHCP response when First-Hop Security (FHS) is enabled.

CSCwf80004

Upon upgrade to the 16.0(3) release from an earlier release, using SSH to connect to the switch does not succeed.

The SSH client end displays the "connection refused" message.

CSCwf80004

Upon upgrade to the 16.0(5) release from an earlier release, using SSH to connect to the switch does not succeed. The SSH client end displays the "connection refused" message.

CSCwf87280

All the conditions for priority flow control (PFC) are met, such as consistent congestion or PFC frames received. But, PFC frames are not generated on the front panel interface to slow down the sender.

CSCwf90351

With the rogue endpoint feature, a MAC address gets flagged as rogue. A leaf switch ignores any further moves of the rogue endpoint for 15 minutes, which can cause an outage. Traffic coming from a FEX vPC carries the Physical Tunnel Endpoint (PTEP) as the source IP address of the outer header (SIPo) instead of the FEX vPC Tunnel Endpoint (TEP).

CSCwf93802

Traffic loss is observed because an endpoint is not synced from leaf1 to leaf2.

CSCwh15088

4X25G-CU (<=3m) links do not come up on certain ports of GX2 platforms with AN on-enforce.

When auto-negotiation is enabled on 25G speed on GX2 retimer ports, the link does not come up.

CSCwh19426

On a Cisco ACI NPV leaf switch, when a san-port-channel has more than one member and the leaf switch is reloaded, sometimes one or more san-port-channel member interfaces fail to come up and stay in the "down" state.

Resolved Issues

CSCwd65255

If an EPLD update is triggered on an affected SUP, the SUP will not automatically boot. The supervisor's STS LED may be blinking yellow and console may not be responsive.

CSCwe90254

When a TechSupport file for a 9500 chassis with FM-E2 fabric modules is collected, the CLI commands needed to be run for the NX-OS TechSupport are wrong.

CSCwf15461

Whenever an EPG is configured with multiple physical domains using overlapping VLAN pools, following some configuration such as deleting/adding a pool to a domain or adding/removing a domain in an EPG, the fabric encapsulation (VXLAN ID used for VLAN encapsulation) might be mismatched.

F3274 will be seen and traffic to a vPC server might be impacted in that EPG.

CSCwf53105

"vsh" process generates multiple core files on switches after starting OnDemand Techsupport collection for leaf switches.

CSCwf57396

The 30 second input rate and 30 second output rate show values beyond 30 seconds for an interface that is disabled.

CSCwf58246

In the case of large network instability with a lot of flaps, the APIC may disable hardware learning and disable COOP to endpoint notification on a leaf switch. This can lead to a COOP entry on a spine switch pointing to a "wrong" location. This is a very rare scenario.

CSCwf88948

After a system controller switchover, there is no ping/ssh response from the spine switch in-band management for several minutes. It seems that there is an issue with path between SUP and linecard.

CSCwf92861

EVPN type 5 routes get stuck at the overlay-1 EVPN table with a refcount of 1. Because of this, the cleanup thread cannot clean up the VRF instance and remains stuck at deletion.

CSCwf95702

The vsh -c 'show ntp peer-status' command may show an already-deleted NTP server entry. Sometimes, it may cause issue with NTP getting synced to the latest added server. This behavior is not consistent.

CSCwh03684

HAL has high CPU utilization.

CSCwh07391

Traffic coming from ISN or IPN may get misclassified as iTraceroute or will not preserve CoS correctly. On any FM that was reloaded, dot1p preserve may have not been set correctly post reload.

CSCwh13845

After a spine switch stateful reload/upgrade, you may observe traffic drops in the ACI fabric. In case there are remote leaf switches, you may see remote leaf switches not forming a tunnel with the spine switches. On the upgraded/stateful reloaded spine switches, check the output of "show coop internal info global". If you observe the "Local Adjacency" as "Citizen", then you have hit this defect.

CSCwh15691

fvL3EpDef is not removed after adjacency gets updated.

CSCwh18633

Multicast convergence is slower than expected. Applications that use multicast for time sensitive tasks, for example, keep alive for HA, will be impacted and cause subsequent service impact.

CSCwh19186

Configuring a MAC address of "FF:FF:FF:FF:FF:FF" under the L3Out SVI MAC Exception Group causes all MAC addresses learned in the associated external bridge domain to be excluded from rogue endpoint control.

All MAC addresses from such SVIs will be marked as rogue for 30 seconds only if they move 3,000 times in 10 minutes.

CSCwh21375

When an SNMP GET is sent with the OID "iso.3.6.1.2.1.1.2.0" on a leaf/spine switch, the leaf/spine switch responds with the faulty value 1.3.6.1.4.1.9.12.3.1.3.1570.

CSCwh21417

A switch's power supply is functioning properly even though the following error message persists:

LOG_LOCAL0-2-SYSTEM_MSG [E4204936][transition][critical][sys] %PLATFORM-2-PS_UNSUPPORTED: Detected an unsupported power supply 2 Unknown for CISCO Multilayer Switch (Serial number LIT233023Z5 )

CSCwh26304

++ The temperature data measured by the sensors are not displayed in GUI correctly for PID: N9K-C9364C-GX.

++ the customer wants to see the temperature data under the next menu item: ../Fabric/Inventory/PodN/Node-XXX/Chassis/Supervisor Modules/Slot1/Equipment Sensors/1..5/Stats

++ Show Topology view does not show anything! (Normalized Temperature, Current Temperature) as per the images attached to the case by comparing them with another model where there are no issues.

++ Show Table View shows the data (Normalized Temperature, Current Temperature), but the Timestamp field does not show a meaningful value: 0NaN/NaN/NaN NaN:NaN:NaN

CSCwh29782

A Cisco Nexus 9000 switch in the ACI-mode cannot negotiate on a 1G link due to the "Remote Fault seen" error.

CSCwh46624

There is a Layer 1 connectivity issue between a N9K-C93180YC-FX3 device and Dell Power Edge FX2s server chassis. The servers have an Intel X710 NIC. The 10G ports fail to come up when the Dell side I/O module is flapped. This issue is not specific to port/SFP/speed and may happen with 25G or other port types with other remote devices.

CSCwh46885

When the fabric nodes are using ACI release 15.2(7g), the N9K-C9348 switch fails during the POAP DHCP discover phase.

CSCwh48737

Bounce entry for an endpoint may point to wrong TEP address, leading to connectivity failures.

CSCwh54161

  1. The endpoint is getting tagged with the incorrect Encap VLAN.
  2. AAEP aaep-policy-name is associated to eth1/39 under Access Policies.
  3. AAEP aaep-policy-name binds EPG-VLAN203 with VLAN 203 as Access (Untagged).
  4. After upgrading leaf node from 5.2.4 to 6.0.2h we can see that VLAN-707 is using same port 1/39 as well.
  5. Both VLANS 203 and 707 are programmed on eth1/39 on node-101 on eltmc. Only VLAN 203 should be programmed here.

CSCwh60203

There is unexpected behavior with the DHCP relay when using DHCP relay with the "DHCP server preference" feature. The issue is triggered by deleting one of the bridge domains that use the DHCP relay label. This causes the Cisco APIC to remove the DHCP server's SVI from all switches involved in the change, which means that all other bridge domains on those switches can no longer do DHCP relay.

CSCwh64732

The hardware is DOM-capable (Y), but DOM information is not showing up for the command: "show int ethernet 1/X transceiver details"

CSCwh67412

ACI displays fan speed percentage incorrectly.

CSCwh71704

When one of the vPC peers reloads and comes up, the non-reloaded peer is seen to be suspending the vPC interfaces.

CSCwh72876

The EPM process crashed when no disk space was available at /var/sysmgr/tmp_logs/.

CSCwh73346

After removing service graph association from a shared L3Out contract, traffic will be dropped on the border leaf switch.

CSCwh73782

Traffic that is forwarded by a spine switch toward a leaf switch is dropped by one of the spine switch's fabric modules. On this fabric module where packets are dropped, the TEP of the destination leaf switch is not programmed in FIB and HAL.

CSCwh75559

tcpdump on the tahoe0 interface randomly has incorrect time stamps (sometimes an old time stamp).

CSCwh76977

The device reloaded unexpectedly because of "sdkhal hap reset" after the "show platform internal hal l3 intfdb" command was executed in command-line interface in vsh_lc mode.

CSCwh76996

While inserting or reloading a leaf switch, its vPC peer will try to bring up the vPC when the peer IP is 0.0.0.0.

CSCwh77467

SDKHAL crashes are seen on an ACI spine N9K-C9364D-GX2A switch running 15.2(7g). A core file is also generated.

CSCwh77567

If there is a single endpoint move local-to-remote or remote-to-local within the detection interval, then the move count is not reset. This may lead to an endpoint being incorrectly marked as rogue on the node.

CSCwh78987

Breakout ports configured as port channel members are no longer part of the port channel post clean reload.

CSCwh79632

Uplink ports flap frequently on leaf switch. Eth1/51 may be observed to flap more frequently than other ports.

CSCwh81430

After reloading a Cisco 93108TC-FX3P switch that was upgraded to a release earlier than 5.2(8h), random copper/RJ45 interfaces might not come up. This can occur for port 1/48 on multiple leaf switches in the fabric. A fault F0532 is raised for these ports on the APIC GUI, with the reason being shown as "not-connected".

CSCwh84746

An endpoint moves between POD1 and POD2. On POD3, the endpoint is going to the FREEZE state and on POD1 and POD2 it is not moving to the FREEZE state after the move stops.

CSCwh91351

There is an issue with FX3 switches and the following scenario:

  • Leaf 207-208 on a vPC.
  • The source and destination are connected to these pairs through a vPC.
  • The source and destination are on different VRF instances. So, VRF leaking is in place to communicate with these two endpoints. When return traffic hits leaf switch 207, communication is successful. When return traffic hits leaf switch 208, communication is dropped. When communication is dropped, it hits rule 5048.

CSCwh92659

An endpoint may become out of sync between spine switches in different pods. Each spine switch may point to a local pod TEP as the tunnel next hop for the leaf switches. The issue does not get cleared until the incorrect pod spine switches age/delete their COOP entry.

CSCwi04853

While configuring the "Spine Supervisor Module On-Demand Diag" from the APIC GUI, the spine switch will unexpectedly reboot due to a device_test hap reset. After the switch reboots, F0404 will be raised for each diagnostic.

CSCwi05613

This issue can be seen when BGP L3Outs have import or export route maps configured using match statements based on regular expressions (for example, matching of regex: (65[2-3]01:102..)). If BGP regex communities are configured, both the deny and permit statements are not always honored and there are unexpected results. From the BGP and routing table perspective, routes come in with an extended community value that are being permitted incorrectly or denied incorrectly based on the ACI route map that is configured.

CSCwi17513

This issue occurs when a border leaf switch reboots and rejoins the fabric after reloading. At this point, both port tracking and PIM overload timers are active, preventing the rebooted border leaf switch from sending PIM hellos. After the PIM overload timer expires, the border leaf switch starts sending PIM hello through the fabric tunnel interface and stripe-winners on other border leaf switches are recalculated. If at this point the L3Out is still down due to port tracking, it can happen that for some VRF instances, the PIM join over the fabric tunnel interface to the other border leaf switch is not sent. This leads to a multicast traffic loss until the next PIM join is sent.

CSCwi18214

A leaf switch repeatedly reloads due to policyelem abnormal exit and HAP reset.

CSCwi21299

When there is an FCOE interface flap or speed change due to inserting an SFP, this affects the dataplane of other FCOE interfaces that share the same MAC address.

CSCwi31656

  1. SPAN traffic does not go out from the destination SPAN port after the peer interface flaps.
  2. MAC credit goes to zero for the SPAN destination port after the peer interface flaps.
  3. You also might see the native interface that is part of same MAC address hardware in which the SPAN destination port is configured stop sending control plane packets because the CPU buffer is exhausted by the SPAN destination port.

Known Issues

CSCuo37016

When configuring the output span on a FEX Hif interface, all the layer 3 switched packets going out of that FEX Hif interface are not spanned. Only layer 2 switched packets going out of that FEX Hif are spanned.

CSCup65586

The show interface command shows the tunnel's Rx/Tx counters as 0.

CSCup82908

The show vpc brief command displays the wire-encap VLAN Ids and the show interface .. trunk command displays the internal/hardware VLAN IDs. Both VLAN IDs are allocated and used differently, so there is no correlation between them.

CSCup92534

Continuous "threshold exceeded" messages are generated from the fabric.

CSCuq39829

Switch rescue user ("admin") can log into fabric switches even when TACACS is selected as the default login realm.

CSCuq46369

An extra 4 bytes is added to the untagged packet with Egress local and remote SPAN.

CSCuq77095

When the command show ip ospf vrf is run from bash on the border leaf switch, the checksum field in the output always shows a zero value.

CSCuq92447

When modifying the L2Unknown Unicast parameter on a Bridge Domain (BD), interfaces on externally connected devices may bounce. Additionally, the endpoint cache for the BD is flushed and all endpoints will have to be re-learned.

CSCur81822

The access-port operational status is always "trunk".

CSCus18541

An MSTP topology change notification (TCN) on a flood domain (FD) VLAN may not flush endpoints learned as remote where the FD is not deployed.

CSCus43167

Any TCAM that is full, or nearly full, will raise the usage threshold fault. Because the faults for all TCAMs on leaf switches are grouped together, the fault will appear even on those with low usage.

Workaround: Review the leaf switch scale and reduce the TCAM usage. Contact TAC to isolate further which TCAM is full.

CSCut59020

If Backbone and NSSA areas are on the same leaf switch, and default route leak is enabled, Type-5 LSAs cannot be redistributed to the Backbone area.

CSCuu66310

If a bridge domain "Multi Destination Flood" mode is configured as "Drop", the ISIS PDU from the tenant space will get dropped in the fabric.

CSCuv57302

Atomic counters on the border leaf switch do not increment for traffic from an endpoint group going to the Layer 3 out interface.

CSCuv57315

Atomic counters on the border leaf switch do not increment for traffic from the Layer 3 out interface to an internal remote endpoint group.

CSCuv57316

TEP counters from the border leaf switch to remote leaf switch nodes do not increment.

CSCux97329

With the common pervasive gateway, only the packet destination to the virtual MAC is being properly Layer 3 forwarded. The packet destination to the bridge domain custom MAC fails to be forwarded. This is causing issues with certain appliances that rely on the incoming packets’ source MAC to set the return packet destination MAC.

CSCuy02543

Bidirectional Forwarding Detection (BFD) echo mode is not supported on IPv6 BFD sessions carrying link-local as the source and destination IP address. BFD echo mode also is not supported on IPv4 BFD sessions over multihop or VPC peer links.

CSCuy06749

Traffic is dropped between two isolated EPGs.

CSCuy22288

The iping command’s replies get dropped by the QOS ingress policer.

CSCuy61018

The default minimum bandwidth is used if the BW parameter is set to "0", and so traffic will still flow.

CSCuz13529

With the N9K-C93180YC-EX switch, drop packets, such as MTU or storm control drops, are not accounted for in the input rate calculation.

CSCuz47058

SAN boot over a virtual port channel or traditional port channel does not work.

CSCvb39965

Slow drain is not supported on FEX Host Interface (HIF) ports.

CSCvd11146

Bridge domain subnet routes advertised out of the Cisco ACI fabric through an OSPF L3Out can be relearned in another node belonging to another OSPF L3Out on a different area.

CSCvn94400

There is a traffic blackhole that lasts anywhere from a few seconds to a few minutes after a border leaf switch is restored.

CSCvp04772

During an upgrade on a dual-SUP system, the standby SUP may go into a failed state.

CSCvq71034

There is a policy drop that occurs with L3Out transit cases.

CSCvr12912

A switch reloads due to a sysmgr heartbeat failure and sysmgr HAP reset.

CSCvr61096

In a port group that has ports of mixed speeds, the first port in the port group that has valid optics present and is not in the admin down state is processed. The ports that come up later are brought up if they are using the same speed; otherwise, they are put in the hw-disabled state.

For example, if ports 14 and 15 are up and are using the 100G speed, then if ports 13 and 16 are using the 40G speed, these ports will be put in the hw-disabled state. After reloading or upgrading, you might not have the same interfaces in the port group in the UP state and in the hw-disabled state as you did before the reload or upgrade.

CSCvt61851

When MPLS VRF stats (egress) is compared with Layer 2 interface egress stats, we can find that the packet count matches for both while there could be a discrepancy with the bytes count.

CSCvu02371

The DEI value in a Layer 2 header of spanned Tx packets from an MPLS interface might not have the same value as the actual data path packet.

CSCvu42069

The event log shows VTEP tunnel down and up events. The down time and up time are the same, and there is no fault message.

CSCvx62362

When a service device is connected behind an L3Out in 2-arm mode with both legs on the same leaf switch, tracking packets get dropped.

CSCvy06135

The leaf switch techsupport with a specified time range fails when the space "/mnt/ifc/log" gets filled up by more than 80%.

CSCvy71586

400G port is automatically broken out into 4 breakout ports. After performing online insertion and removal (OIR) of a 400G transceiver, one of the breakout ports has the "SFP not inserted" or "SFP missing" state.

CSCvz84284

Upon deletion of a VRF instance that has a micro-BFD port channel in the "up" state, all the member ports of the port channel that were in the "up" state prior to the VRF instance deletion go to the "down" state. The micro-BFD port channels never transition back to the "up" state.

CSCwa78857

Cisco APIC allows you to configure any number of DHCP relay addresses. However, the maximum number of relay addresses that can be supported is 16 from a switch. If a 17th DHCP provider is added to the DHCP label, it will not be used even if one of the first 16 DHCP providers is removed.

CSCwd95467

With N9K-X9400-16W LEM, a pair of odd and even number ports such as port 1/1 and 1/2 must work as the same link type: downlink or fabric link because of CSCwd95467. This consideration is not applicable to N9K-X9400-8D.

CSCwe08179

A peer vPC leg goes down after swapping a 16 port LEM with an 8 port LEM. The following error shows in the "show vpc" output: "Peer does not have corresponding vPC". The leg on the peer switch immediately comes up, but traffic is still disrupted.

CSCwe41508

As a result of new features, certain PIDs running ACI release 6.0(5) software in 32-bit architecture will see an increase in memory consumption and their process virtual address space.

This particular issue is seen with a trigger of 500 bridge domain (BD) deletions and addition in a scale configuration of 64k fvrspath scale, 1980 BDs along with 123k policycam entries. In release 6.0(5) with a 32-bit image, process memory could run close to the limit of 4GB.

In this scenario, EPM is running at 3.9GB. During the vlan creation as part of the above trigger, EPM attempts to retrieve sclass corresponding to the vlan through DME and DME access is failing. Memory map failures are seen through the instance of EPM.

The DME failure may be due to mmap failures.

CSCwe97510

When AN On-Enforce is enabled on QDD-4ZQ100G-COPPER breakouts on switches with -GX or -GX2 in the product ID, the links do not come up.

CSCwf88389

After an SVI member port flap, ECMP hashing no longer uses the flapped SVI's path and instead uses other SVI paths.

N/A

Load balancers and servers must be Layer 2 adjacent. Layer 3 direct server return is not supported. If a load balancer and servers are Layer 3 adjacent, then they have to be placed behind the Layer 3 out, which works without a specific direct server return virtual IP address configuration.

N/A

IPN should preserve the CoS and DSCP values of a packet that enters IPN from the ACI spine switches. If there is a default policy on these nodes that change the CoS value based on the DSCP value or by any other mechanism, you must apply a policy to prevent the CoS value from being changed. At the minimum, the remarked CoS value should not be 4, 5, 6, or 7. If CoS is changed in the IPN, you must configure a DSCP-CoS translation policy in the APIC for the pod that translates queuing class information of the packet into the DSCP value in the outer header of the iVXLAN packet. You can also embed CoS by enabling CoS preservation. For more information, see the Cisco APIC and QoS KB article.

N/A

The following properties within a QoS class under "Global QoS Class policies" should not be changed from their default values and are only used for debugging purposes:

MTU (default – 9216 bytes)

Queue Control Method (default – Dynamic)

Queue Limit (default – 1522 bytes)

Minimum Buffers (default – 0)

N/A

The modular chassis Cisco ACI spine nodes, such as the Cisco Nexus 9508, support warm (stateless) standby where the state is not synched between the active and the standby supervisor modules. For an online insertion and removal (OIR) or reload of the active supervisor module, the standby supervisor module becomes active, but all modules in the switch are reset because the switchover is stateless. In the output of the show system redundancy status command, warm standby indicates stateless mode.

N/A

When a recommissioned APIC controller rejoins the cluster, GUI and CLI commands can time out while the cluster expands to include the recommissioned APIC controller.

N/A

If connectivity to the APIC cluster is lost while a switch is being decommissioned, the decommissioned switch may not complete a clean reboot. In this case, the fabric administrator should manually complete a clean reboot of the decommissioned switch.

N/A

Before expanding the APIC cluster with a recommissioned controller, remove any decommissioned switches from the fabric by powering down and disconnecting them. Doing so will ensure that the recommissioned APIC controller will not attempt to discover and recommission the switch.

N/A

Multicast router functionality is not supported when IGMP queries are received with VxLAN encapsulation.

N/A

IGMP Querier election across multiple Endpoint Groups (EPGs) or Layer 2 outsides (External Bridged Network) in a given bridge domain is not supported. Only one EPG or Layer 2 outside for a given bridge domain should be extended to multiple multicast routers if any.

N/A

The rate of the number of IGMP reports sent to a leaf switch should be limited to 1000 reports per second.

N/A

Unknown IP multicast packets are flooded on ingress leaf switches and border leaf switches, unless "unknown multicast flooding" is set to "Optimized Flood" in a bridge domain. This knob can be set to "Optimized Flood" only for a maximum of 50 bridge domains per leaf switch.

If "Optimized Flood" is enabled for more than the supported number of bridge domains on a leaf switch, follow these configuration steps to recover:

Set "unknown multicast flooding" to "Flood" for all bridge domains mapped to a leaf switch.

Set "unknown multicast flooding" to "Optimized Flood" on needed bridge domains.

N/A

Traffic destined to Static Route EP VIPs sourced from N9000 switches (switches with names that end in -EX) might not function properly because proxy route is not programmed.

N/A

An iVXLAN header of 50 bytes is added for traffic ingressing into the fabric. A bandwidth allowance of (50/50 + ingress_packet_size) needs to be made to prevent oversubscription from happening. If the allowance is not made, oversubscription might happen resulting in buffer drops.

N/A

An IP/MAC Ckt endpoint configuration is not supported in combination with static endpoint configurations.

N/A

An IP/MAC Ckt endpoint configuration is not supported with Layer 2-only bridge domains. Such a configuration will not be blocked, but the configuration will not take effect as there is no Layer 3 learning in these bridge domains.

N/A

An IP/MAC Ckt endpoint configuration is not supported with external and infra bridge domains because there is no Layer 3 learning in these bridge domains.

N/A

An IP/MAC Ckt endpoint configuration is not supported with a shared services provider configuration. The same or overlapping prefix cannot be used for a shared services provider and IP Ckt endpoint. However, this configuration can be applied in bridge domains having shared services consumer endpoint groups.

N/A

An IP/MAC Ckt endpoint configuration is not supported with dynamic endpoint groups. Only static endpoint groups are supported.

N/A

No fault will be raised if the IP/MAC Ckt endpoint prefix configured is outside of the bridge domain subnet range. This is because a user can configure the bridge domain subnet and the IP/MAC Ckt endpoint in any order, so this is not an error condition. If the final configuration is such that a configured IP/MAC Ckt endpoint prefix is outside all bridge domain subnets, the configuration has no impact and is not an error condition.

N/A

Dynamic deployment of contracts based on instrImmedcy set to onDemand/lazy is not supported; only immediate mode is supported.

N/A

When a server and load balancer are in the same endpoint group, make sure that the server does not generate ARP/GARP/ND request/response/solicits. Such traffic leads to learning of the LB virtual IP (VIP) towards the server and defeats the purpose of DSR support.

N/A

Direct server return is not supported for shared services. Direct server return endpoints cannot be spread around different virtual routing and forwarding (VRF) contexts.

N/A

Configurations for a virtual IP address can only be /32 or /128 prefix.

N/A

Client to virtual IP address (load balancer) traffic always will go through proxy-spine because fabric data-path learning of a virtual IP address does not occur.

N/A

GARP learning of a virtual IP address must be explicitly enabled. A load balancer can send GARP when it switches over from active-to-standby (MAC changes).

N/A

Learning through GARP will work only in ARP Flood Mode.