APIC release and switch version compatibility

irenof
Level 1

Hi all,

I am looking for a site, or compatibility matrix, between APIC release and switch version. When I upgrade the APIC release, do I always also have to upgrade the switch version (for example, does version 5.2(5) require 15.2(5) only)?

I have been asked to update only the APIC cluster, but I wonder if this is wrong.

Thanks


7 Replies

M02@rt37
VIP

Hello @irenof 

Is this what you are looking for?

https://www.cisco.com/c/en/us/td/docs/Website/datacenter/acihwsupport/index.html

Best regards

Robert Burns
Cisco Employee

The general guidelines are as follows:

  • Controllers must always be running the same or higher version than the switches.
  • All controllers in a cluster will always run the same version.
  • While it's supported to run the fabric with mixed versions (APICs on version v2, and switches running version v1), it's recommended to try and keep them on the same version whenever possible.  The mixed-version support is primarily there to support upgrades across maintenance windows, not for long-term operation.  New features may be exposed to the controller, but may not (yet) be supported on switches if they're running older versions.
  • vPC switch pairs should always be upgraded in the same maintenance window (just not simultaneously).
  • There should be no issues running up to a 2-major-version difference between controllers & switches, but I wouldn't push it more than that.  Ex. controllers running 6.x and switches running 4.x.

Regards,
Robert

Hi @Robert Burns, thank you for the detailed answer. When you refer to switches running 4.x, do you refer to the 14.x NX-OS ACI version?

My actual situation is:
APIC 4.2(4i) and Switches 14.2(4i)

According to your answer it is safe to upgrade only the APIC to 4.2(7l)?

Thanks

RedNectar
VIP

Hi @irenof ,

Mostly I agree with @Robert Burns 's reply, but there is at least one case where I know upgrading the APICs before the switches can create a profound security issue.

I really don't know why this isn't in the release notes, but with the following conditions:

  1. if you have filters based on port numbers,
  2. and those filters have contracts that are implemented in switches
  3. and Cisco decides to change the port numbers to more readable text (e.g. port 22 to SSH)

THEN YOU HAVE A PROBLEM UPGRADING THE APICS WITHOUT THE SWITCH UPGRADE

This is what happened in my case, upgrading from 4.x to 5.0 where Cisco decided that any filter that had port 22 in its definition would be changed to SSH - it goes like this:

When the APIC running v4 pushes the contract to the switch running v14, it uses the numeric 22 in the filter, which the switch software interprets as a filter for port 22.

When the APIC running v5 pushes the contract to the switch running v14, it uses the textual SSH in the filter, which the switch software interprets as a filter for any port.

So any contracts which previously allowed only port 22 for attached devices now suddenly have ALL TRAFFIC allowed.

I had thought I'd written about this on this forum but neither the search on this forum nor Google could find it. But I did do a short video (https://www.youtube.com/watch?v=KCKj-eGBR5Y), wrote a blog post about it (https://rednectar.net/2020/09/05/aci-version-mismatch-alert-dont-use-v5-on-apic-and-v14-on-leaves/) and posted on Facebook (https://www.facebook.com/groups/1028679983855301/permalink/3549697478420193/) where @dpita pointed out the problem to me.

I have no idea if or when Cisco will repeat this with, say, port 3306 and turn it into MySQL, for instance - but if they do, I expect the same problem will occur.

RedNectar aka Chris Welsh.

Hi @RedNectar, this is what I am afraid of. I do not have very deep experience in ACI, so I am not confident in upgrading the APIC without also upgrading the switches.

My options, without also upgrading the switches, are:

1) from APIC 4.2(4i) and NX-OS ACI 14.2(4i) ----> APIC 4.2(7) and NX-OS ACI 14.2(4i)

2) from APIC 4.2(4i) and NX-OS ACI 14.2(4i) ----> APIC 5.2(5) and NX-OS ACI 14.2(4i)

Are both options possible?

According to your answer I should be very careful and do an assessment of the config and policies before upgrading to 5.2(5)...

Thanks


Hi @irenof ,

Ditto to @Robert Burns. APIC 4.2 with NXOS 14.2 = good

APIC 5.2 with NXOS 14.2 = definitely check if there are any filters that specify port 22, and ideally run in this mode as a transition

RedNectar aka Chris Welsh.

Robert Burns
Cisco Employee

ACI switch images are the same as the APIC version just x10, so 14.2(1) would be paired with 4.2(1).

From above both are supported.  There would be less risk IMO with Option 1 - which doesn't cross a major version (4.x > 5.x), but depending how long you intend to run mixed mode, both are options.

Robert
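A pre-upgrade check that captures both points raised in this thread, as an added example that is not code from the original posts or from Cisco: it applies Robert's version guidelines (controllers the same or newer than switches, no more than two major versions apart, switch release number = APIC release number + 10) and scans an APIC filter export for entries that name port 22 or the `ssh` alias RedNectar describes, so they can be reviewed before a controller-only upgrade across a major version. Assumptions: the export shape (an `imdata` list of `vzEntry` objects with `dFromPort`/`dToPort`/`sFromPort`/`sToPort` attributes, as the APIC REST API returns for a class query on `vzEntry`) and the sample data below are constructed here, not taken from a real fabric.

```python
import json
import re

# Constructed sample export, shaped like an APIC class query for vzEntry.
# The tenant, filter and port values are made up for this example.
SAMPLE_EXPORT = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-mgmt/e-ssh",
                                    "prot": "tcp", "etherT": "ip",
                                    "sFromPort": "unspecified", "sToPort": "unspecified",
                                    "dFromPort": "22", "dToPort": "22"}}},
        {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-mgmt/e-ssh-named",
                                    "prot": "tcp", "etherT": "ip",
                                    "sFromPort": "unspecified", "sToPort": "unspecified",
                                    "dFromPort": "ssh", "dToPort": "ssh"}}},
        {"vzEntry": {"attributes": {"dn": "uni/tn-prod/flt-web/e-https",
                                    "prot": "tcp", "etherT": "ip",
                                    "sFromPort": "unspecified", "sToPort": "unspecified",
                                    "dFromPort": "443", "dToPort": "443"}}},
    ],
})

# ACI release strings look like 4.2(7l) or 14.2(4i): major.minor(maintenance + optional patch letter)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")

PORT_22_SPELLINGS = {"22", "ssh"}  # numeric form and the named alias from the thread


def parse_version(text):
    """'4.2(7l)' -> (4, 2, 7, 'l'). Tuples compare in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACI version string: {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), patch)


def switch_to_apic_version(switch_version):
    """Map a switch release to its paired APIC release: 14.2(4i) -> 4.2(4i)."""
    major, minor, maint, patch = parse_version(switch_version)
    return (major - 10, minor, maint, patch)


def check_version_pair(apic_version, switch_version):
    """Robert's guidelines: controllers same or newer than switches,
    and at most two major versions apart. Returns (ok, reason)."""
    apic = parse_version(apic_version)
    sw = switch_to_apic_version(switch_version)
    if sw > apic:
        return False, "switches run a newer release than the controllers"
    if apic[0] - sw[0] > 2:
        return False, "more than two major versions between controllers and switches"
    return True, "within the thread's guidelines"


def find_port22_filter_entries(export_json):
    """Return the dn of every vzEntry whose source or destination port
    is written as 22 or as the 'ssh' alias. These are the entries to review
    before running a newer APIC against older switch code."""
    data = json.loads(export_json)
    hits = []
    for obj in data.get("imdata", []):
        attrs = obj.get("vzEntry", {}).get("attributes")
        if not attrs:
            continue
        ports = (attrs.get(k, "unspecified")
                 for k in ("sFromPort", "sToPort", "dFromPort", "dToPort"))
        if any(p in PORT_22_SPELLINGS for p in ports):
            hits.append(attrs["dn"])
    return hits


def pre_upgrade_assessment(current_apic, target_apic, switch_version, export_json):
    """Combine both checks for a planned controller-only upgrade."""
    ok, reason = check_version_pair(target_apic, switch_version)
    crosses_major = parse_version(target_apic)[0] > parse_version(current_apic)[0]
    # Port-22 entries only matter when the controllers move past the switches' major release
    review = find_port22_filter_entries(export_json) if crosses_major else []
    return {"version_ok": ok, "reason": reason,
            "crosses_major": crosses_major, "review_entries": review}


if __name__ == "__main__":
    for target in ("4.2(7l)", "5.2(5)"):
        result = pre_upgrade_assessment("4.2(4i)", target, "14.2(4i)", SAMPLE_EXPORT)
        print(target, json.dumps(result, indent=2))
```

Feed it the saved JSON of a class query for `vzEntry` from your own APIC in place of the constructed sample; an empty `review_entries` list for a major-version jump means no filter entry in the export is written as port 22 or `ssh`, and a non-empty one lists the distinguished names to inspect before the controllers are upgraded ahead of the leaves.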
