ACI best practices - Traffic Impact of enabling features

YHam · ‎05-23-2022

Hello everyone,
I was going through a best practices document and found a few recommended settings below which are not currently implemented in our fabric. Could anyone tell what will be the impact if I enable following options in pod?
1) enabling encryption under system > System Settings > Global AES Passphrase Encryption setting so that credentials in backups are encrypted. We currently don't have this enabled
2) enabling Fabric Port Track. We currently don't have this enabled
3) Changing COOP authentication mode from compatible to strict. current mode is compatible
4) enable MCP globally. MCP is enabled on all interfaces by default but disable globally
I need to know if enabling above mentioned features will have traffic disruption.

Thank you all.

Robert Burns · ‎05-25-2022

Generally, anytime you make any Global fabric changes, its best to do so during a maintenance window. Maintenance windows aren't just for known outages, but more importantly they're to protect against unexpected ones.

That being said, here's my feedback.

Options 1, 2 and 3 have little to no chance of impact when enabling. AES encryption simply applies only to subsequent Config Export/Import tasks. Port Tracking applies only when uplinks aren't available between Leaf & Spines - so just be sure when configuring it you have the min. # of links (set in the policy) operational between all Leafs/Spines before enabling. For COOP auth, we've tested changing COOP auth multiple times in the lab with no disruption to the fabric.

Options 4: For MCP there's slightly higher risk as you have this enabled on all your policies, but its not yet active until you enable this globally - thereby making this feature active on all your policy groups. You should be mindful with MCP will err disable an interface if a Leaf receives a packet from the fabric directly (which should never happen under normal circumstances). So this does create the possibility to cause impact.

Robert

YHam · ‎05-26-2022

Hello Robert,

Thanks for your input.

For Option 1,2 and 3, can we say that there will NOT be any traffic disruption assuming I will set proper minimum links for Fabric Port Track (backup encryption and COOP authentication are just binary changes so not much involved).

For MCP, there is a check box in MCP global configuration 'Loop Protection Action' and 'Port Disable' is checked. So from my understanding if it uncheck this option and then enable MCP globally, after its running, it will send alert if detects a loop but will not bring down the port. So perhaps i should enable MCP in two steps as follows 1) Enable MCP globally with 'Loop Protection Action Port Disable' = unchecked and then observe health and alerts of access ports 2) Check 'Loop Protection Action Port Disable' if not loop is detect or remediate loop and then enable it. What are your thoughts?

Thanks again

Robert Burns · ‎05-26-2022

Yes that would further reduce risk by changing the action notify only.

Robert

YHam · ‎05-29-2022

Thank you, Robert
Can you please also comment on my follow-up question on Options 1, 2 and 3 as below? You previously stated "Options 1, 2 and 3 have little to no chance of impact when enabling " so I'm curious which of them have possibility of little impact?

"For Options 1,2 and 3, can we say that there will NOT be any traffic disruption assuming I will set proper minimum links for Fabric Port Track (backup encryption and COOP authentication are just binary changes so not much involved)?"

Thanks again

Robert Burns · ‎05-29-2022

"For Options 1,2 and 3, can we say that there will NOT be any traffic disruption assuming I will set proper minimum links for Fabric Port Track (backup encryption and COOP authentication are just binary changes so not much involved)?"

In normal situations that is correct. Always error on the side of caution though. Expect the best, but plan for the worst.

Robert