ACI / APIC Software Guidance


DISCLAIMER – This post is not meant to take the place of a software recommendation process.  Customers should still perform their own due diligence before selecting a software version for their own ACI Fabric. This post is meant to summarize the available ACI Software features, by release, and be used as a quick reference guide. I’ll offer up my favorite version as well, but as all good consultants know, when asked “what version should I run”, the answer is always “It Depends”. 😉

It depends. As someone who has been in a consulting role for almost 15 years, this is my go-to answer. Although I do use this statement whenever I am in doubt of an answer, I just as often use "It depends" even if I feel I know the answer. This is especially true when it comes to providing Software Guidance for ACI. While I have a preferred “go-to” software version that I start with, a lot depends on the customer, the features they are running in their environment, the hardware, and where they are going in the near future. Take a look at the versions below. I’ve tried to keep it as straightforward as possible, including where Hardware and Software features were first supported. I’ve also included a few versions never to run, based on my own experience.

My Guidance – 2.2(4) is the current release I always start off with when customers ask where they should start. Here are my reasons why:
  • It is a Long-lived Supported APIC/ACI Code Release.
  • This version has two critical Endpoint Learning Features, Enforce Subnet Check and Disable Remote EP Learning. Every fabric should have these enabled. If you want to learn more about these features, check out the Endpoint Learning Whitepaper on CCO.
  • MultiPod is supported
  • VMware vSphere 6.5 VMM support is present
Now that I’ve given you a starting point, take a look at the table below and determine what works best for you and your ACI Fabric.

APIC 1.0

1.X (any 1.x release) – This version is end of life. If you are running a 1.X release of any kind, you should consider moving to a 2.x release. Check out the link below to help determine which versions you can upgrade to and from:

In addition, here are the end-of-life announcements for all 1.x APIC Software.

Do you need help upgrading your Fabric? Check out this post on Upgrading your ACI Fabric.

1.3 (Bronx)

  • New Hardware Supported
    • N9K-C93180YC-EX (Leaf)
    • N9K-X9732C-EX (Spine LC)
    • N9K-C9504-FM-E (Spine Fabric Module)
    • N9K-C9508-FM-E (Spine Fabric Module)

APIC – 2.0

2.0(2) (Congo)

  • New Software Features
    • VMM – VMware vCenter 6.0 is supported
    • Contract Permit Logging
    • MultiPod – MultiPod support introduced
    • Copy Services
    • EPG deployment via AAEP
    • L3 multicast support (requires at least -EX based Leaf)
    • Policy-based redirect
    • Syslog in NXOS Style CLI Format
    • Proxy ARP
    • Per-EPG MCP
  • New Hardware Supported
    • N9K-C93108TC-EX

2.1 (Crystal)

  • New Software Features
    • MultiPod – Copy Services Support for MultiPod
    • MultiPod – Golf support for -EX based switches
    • FIPS Support
    • IP Aging (Endpoint Learning Best Practice)
  • New Hardware Supported
    • QSA support for N9500 Spine Linecards and -EX-based Leafs

2.2 (Danube)

  • 2.2(4) – Long Lived Release and General Recommendation for customers (unless new features warrant newer version)
  • Recommendation – Latest 2.2(4) release.
  • You can upgrade directly from 2.2(4) to 3.2(2) (which is the next long-lived release for ACI). For more information on long-lived releases, check out this link on CCO.
  • New Software Features
    • VMM – VMware vCenter 6.5 is supported
    • Critical Best Practice Endpoint Learning Options are available
      • Enforce Subnet Check
      • Disable Remote EP Learning
    • MultiPod – Active/Standby FW support across Pods (MultiPod) without vPC (physical link or local port-channel only)
    • Cisco ACI App Center
    • Standby APIC
    • Contract Preferred Groups
    • Netflow for -EX based Leaf Switches
    • Control Plane MTU Setting (for use with MultiPod)
    • Q-in-Q Tunneling BD
  • New Hardware Supported
    • N9K-93180LC-EX (40Gig EX-based Leaf)
    • Breakout support for 9332
    • N9K-C93180YC-FX – 2.2(2)
    • N9K-C93108TC-FX – 2.2(2)

2.3 (Drava)

  • Not a long-lived train; Enforce Subnet Check (Endpoint Learning BP) is not available for any 2.3 code version.
  • If needed, use latest 2.3 release on CCO.
  • New Software Features
    • MultiPod – Active/Standby FW support across Pods (MultiPod) with vPC
    • Attribute based uSeg (Microsegmentation)
    • Contract Inheritance
    • Tetration Analytics support for FX-based Leaf Switches
  • New Hardware Supported
    • N9K-SUP-A+, N9K-SUP-B+

APIC 3.0

3.0 (Ebro)

  • If needed, use latest 3.0 release. Do not use 3.0(1k) or 3.0(2h) due to CSCvg38918 – DHCPv6 related memory leak (you do not have to have IPv6 enabled on the fabric for this issue to affect you!)
  • Other bugs to be aware of:
    • Endpoint Learning Bug – CSCvi11291 – XR learn on BL even with “Disabled remote EP learn” for BGP packets (tcp port 179). This bug is first fixed in 3.2(1). This issue is most commonly seen when you have external security port-scanners (or other devices generating tcp-179 packets) that are sent to endpoints on the ACI fabric. When this occurs, stale Remote (XR) entries can pop up. This issue is resolved in 2.2(4m) and 3.2(1).
  • New Software Features
    • MultiSite – MultiSite is first supported; (N9K-X9732C-EX Spine Linecards are required)
    • VMM – Kubernetes for bare-metal server support
    • Intra-EPG Contracts
    • Tetration Analytics support for N9K-C9348GC-FXP switch
  • New Hardware Supported
    • N9K-C9364C (no MultiSite support for 3.0)
    • N9K-C9348GC-FXP (1 RU, fixed port, 48-port 10/100/1000)
    • N9K-C9508-FM-E2 (Spine FM)
    • N9K-C9736-FX Spine LC

3.1 (Euphrates)

  • If needed, do not use 3.1(1i) due to CSCvh29461 – DSCP-cos translation policy may break MultiPod BGP. 
  • Other bugs to be aware of:
    • Endpoint Learning Bug – CSCvi11291 – XR learn on BL even with “Disabled remote EP learn” for BGP packets (tcp port 179). This bug is first fixed in 3.2(1). This issue is most commonly seen when you have external security port-scanners (or other devices generating tcp-179 packets) that are sent to endpoints on the ACI fabric. When this occurs, stale Remote (XR) entries can pop up. This issue is resolved in 2.2(4m) and 3.2(1).
  • New Software Features
    • Monitor Active GUI Sessions
    • BFD support for Spine switches
    • Cisco AVE (Next-Gen AVS)
    • L4-7 Cloud Orchestrator Mode
    • Flooding is limited to Encapsulation (Flood-in-Encap)
    • Downlink support for Uplink ports on EX-based and FX-based Leaf switches.
    • OpenShift Container support
    • Remote Leaf Switches
    • MultiSite – N9K-C9364C Spine Switch is now available for MultiSite

3.2 (Fraser)

  • If needed, do not use 3.2(1l) due to CSCvj65274 – Switch crash possible during upgrade to 3.2(1). Switches with Call Home Inventory Policies enabled and applied to switches may encounter a switch crash with the eventmgr service.
  • Other bugs/enhancements to be aware of:
    • CSCvm12554 – Contract Preferred group l3out prefix not deployed on ingress VPC; this bug was re-introduced in 3.2 and affects all available versions of 3.2.
    • Endpoint Learning bug – CSCvi11291 – Remote Learn on Border Leaf even with Disabled Remote EP learn with pkt with src/dst of 179. This issue is most commonly seen when you have external security port-scanners (or other devices generating tcp-179 packets) that are sent to endpoints on the ACI fabric. When this occurs, stale Remote (XR) entries can pop up. This bug is first fixed in 3.2(1).
    • Endpoint Learning Enhancement – CSCvj17665 – EP announce support for stale IP XR EPs – This enhancement improves endpoint learning functionality by allowing a new EP Announce delete message to be sent to all leafs within the site on the expiration of Bounce IP XR Entries. This enhancement is available beginning with 3.2(2).
    • CSCvj90443 – Preconfigured VPC can lead to duplicate VIP/TEP IP assignment – This issue is resolved in 3.2(2o) and later.
  • 3.2 is a long-lived code train starting with 3.2(2); see the link here.
  • New Software Features
    • Layer-3 routed and sub-interface port-channel for L3out
    • SPAN on L3out
    • Multi-Site + Multi-Pod Support
    • Multi-Site Back-to-Back Spine
    • VMM – VMware vCenter 6.7 is supported beginning with 3.2(2)
    • MCP Aggressive timer support
    • Remote Leaf – Orphan Port support
    • UI Enhancements
    • Fibre Channel N-port virtualization
    • Rogue Endpoint Control Policy
  • New Hardware Supported
    • Enhanced breakout support on profiled QSFP ports on N9K-C93180YC-FX switches
    • The Cisco N9K-C9336C-FX2 switch now supports breakout, 18-port downlink/uplink, and MACsec.

APIC 4.0

4.0 (Ganga)

  • New Software Features
    • EPG Shutdown
    • Disable IP Dataplane Learning (VRF Level)
    • Multi-Site – L4-7 Service integration
    • Multi-Site – CloudSec
    • Multi-Site – L3 Multicast
    • RP in the Fabric
    • QOS for ROCEv2
    • Additional QOS classes (3 additional levels)
    • MACsec encryption support on remote leaf switches
    • TCAM Policy Compression for identical filter rules
    • Preferred Group support for service-groups
    • Inter-VRF Multicast
    • ACI vPOD (limited availability)
    • ACI Host-based Routing advertisement via L3out
    • L3out Supported in service-graphs
    • Fabric-wide CPU, memory utilization and temperature dashboard
    • VMM read-only domain promotion to fully managed
    • AVE Uplink VxLAN Load-balancing
    • Fibre-Channel enhancements
      • FCoE enhancements
        • vPC with SAN boot
        • vFC ports can now be a member of a vPC
      • NPV support enhancements
        • NPIV mode support
          • Host – 4G/16G/32G/Auto speed options
          • Uplink – 4G/8G/16G/32G/Auto speed options
          • Port-channel support on FC uplink ports
          • Trunking support on FC uplink ports
  • New Hardware Supported
    • Mini ACI
    • Virtual APIC (vAPIC)
    • Cisco APIC-X
    • N9K-C9332C – 32 port 40/100G (Baby Spine)
    • N9K-C93240YC-FX2 – 48 port – 10/25G + 12 40/100G uplink ports

5 thoughts on “ACI / APIC Software Guidance”

  1. Hey Jody, I see you’ve been writing a lot of cool articles in this blog lately, super useful in every possible way. Please keep it going 🙂
