Cisco ACI: 9 Best Practices while configuring Cisco ACI in your environment

Today we will talk about best practices for configuring Cisco ACI in your environment. ACI exposes many features that can be enabled or disabled, and the nine below are the ones worth getting right first.

What is Cisco ACI?
Cisco Application Centric Infrastructure (ACI) is a next-generation, policy-driven SDN solution designed for data center spine-leaf architectures. Cisco ACI provides application agility and data center automation with simplified operations.

Fig 1.1- Cisco ACI Spine-Leaf Architecture

We have written earlier articles on the Cisco ACI solution and its key features. You can find them below:

Cisco ACI 2.0 details  
Cisco ACI 3.0 details
Cisco ACI 4.1 details

1. Enforce Subnet Check: I recommend enabling this feature. It helps prevent mis-learning of IP addresses that may not belong to the fabric. You can enable it as shown below.

Fig 1.2- Enforce Subnet Check

2. Port Tracking: I recommend turning this feature on. When it is enabled and the number of operational fabric ports on a given leaf node drops to the configured threshold or lower, the downlink ports of that leaf node are brought down so that external devices can switch over to other healthy leaf nodes.

Fig 1.3- Fabric Port Tracking State

3. Mis-Cabling Protocol (MCP): I recommend enabling this feature. MCP detects loops from external sources and err-disables the interface on which ACI receives its own packet. Enabling it is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device.

Fig 1.4- Enable MCP in Cisco ACI

4. IP Aging: I recommend turning this feature on. The IP aging policy tracks and ages out unused IPs on an endpoint. Tracking uses the endpoint retention policy configured for the bridge domain (BD) to send ARP requests (for IPv4) and neighbor solicitations (for IPv6) at 75% of the local endpoint aging interval. When no response is received from an IP, that IP is aged out.

Fig 1.5- IP-Aging

5. Rogue EP Control: I recommend enabling this feature. Rogue EP Control detects endpoints that move frequently and disables endpoint learning for those endpoints only.

Fig 1.6- Rogue EP control

6. Enable Strict COOP Policy: I recommend enabling the Strict COOP Policy. COOP is used to communicate the mapping information (location and identity) to the spine proxy. COOP data path communication gives high priority to transport over secured connections, and COOP is enhanced to leverage the MD5 option to protect COOP messages from malicious traffic injection.

Fig 1.7- COOP Policy

7. Enable BFD on Internal Fabric Interfaces: I recommend enabling BFD on internal fabric interfaces. Use Bidirectional Forwarding Detection (BFD) to provide sub-second failure detection times in the forwarding path between ACI fabric border leaf switches configured to support peering router connections.

Fig 1.8- Enable BFD in Cisco ACI

8. Reduce IS-IS metric: It is recommended to reduce the IS-IS metric for redistributed routes to lower than the default value of 63. This ensures that when a spine switch is rebooting because of an upgrade, the switch is not in the path to external destinations until the entire configuration of the spine switch is completed, at which point the metric is set to the lower metric, such as 32.

Fig 1.9 - ISIS metric in Cisco ACI

9. Enable DOT1P Preservation: It is recommended to enable the DOT1P Preservation feature. APIC enables translating the 802.1P CoS (Class of Service) field based on the ingress DSCP value. 802.1P CoS translation is supported only if DSCP is present in the IP packet and dot1P is present in the Ethernet frames.

Fig 1.10 - Cisco ACI -Dot1P

These are the 9 settings you should take care of when configuring Cisco ACI in your environment. We will come back with more important and interesting facts about Cisco ACI and its best practices.