09-20-2021 08:48 AM
Good day, community members.
We started ACI from 2.x and now are running 4.2 through a number of successful upgrades. I realized that our ACI setting of "Enforce Subnet Check" and "IP Aging" are disabled and I don't think we have ever changed such system level default settings.
My questions are:
Thanks.
Leo
09-24-2021 09:23 AM
Both are disabled by default on 5.1(4c).
IP Aging should be pretty safe to enable. I've never seen it, but I suppose you could have a scenario where an endpoint has multiple MACs and/or IP addresses and one of them is "silent." In that scenario IP Aging might break access to the silent address.
For enforce subnet check you can check the operational status of all your BDs to determine if there are any subnets learned outside the BD and whether or not removing them from the endpoint db will cause any problems.
It probably goes without saying, but even if you're certain the risk is low I'd always recommend a thorough testing process after any changes so that you can catch any problems during the maintenance window instead of after.
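The BD check suggested above, written out as an added example that is not part of the original thread: it flags learned IPs that fall outside every subnet configured on their bridge domain, which are the entries Enforce Subnet Check would stop learning. The sample records are constructed and only loosely shaped like APIC fvSubnet and fvIp objects; the field names and values are assumptions, not real fabric output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, shaped loosely like APIC fvSubnet objects:
# bdDn -> configured subnet; fvSubnet "ip" is the gateway address with prefix length.
SAMPLE_BD_SUBNETS = [
    {"bdDn": "uni/tn-Prod/BD-Web", "ip": "10.10.1.1/24"},
    {"bdDn": "uni/tn-Prod/BD-Web", "ip": "10.10.2.1/24"},
    {"bdDn": "uni/tn-Prod/BD-DB", "ip": "10.20.1.1/24"},
]

# Constructed sample, shaped loosely like APIC fvIp objects: learned IP plus the BD it was learned in.
SAMPLE_LEARNED_IPS = [
    {"bdDn": "uni/tn-Prod/BD-Web", "addr": "10.10.1.25"},
    {"bdDn": "uni/tn-Prod/BD-Web", "addr": "10.10.2.40"},
    {"bdDn": "uni/tn-Prod/BD-Web", "addr": "192.168.50.7"},   # outside every BD-Web subnet
    {"bdDn": "uni/tn-Prod/BD-DB", "addr": "10.20.1.9"},
    {"bdDn": "uni/tn-Prod/BD-DB", "addr": "10.20.9.9"},       # wrong third octet
    {"bdDn": "uni/tn-Prod/BD-L2Only", "addr": "172.16.0.5"},  # BD has no subnet configured
]


def find_out_of_subnet_ips(subnets, learned_ips):
    """Return (bdDn, addr) pairs learned outside every subnet configured on their BD.

    These are the entries Enforce Subnet Check would stop learning, so
    they are the ones to review before enabling it. A BD with no subnet
    configured (L2-only) is skipped: there is nothing to enforce against.
    """
    bd_nets = defaultdict(list)
    for sub in subnets:
        # strict=False accepts the gateway form 10.10.1.1/24 and yields 10.10.1.0/24
        bd_nets[sub["bdDn"]].append(ipaddress.ip_network(sub["ip"], strict=False))

    flagged = []
    for ep in learned_ips:
        nets = bd_nets.get(ep["bdDn"])
        if not nets:
            continue
        addr = ipaddress.ip_address(ep["addr"])
        if not any(addr in net for net in nets):
            flagged.append((ep["bdDn"], ep["addr"]))
    return flagged


if __name__ == "__main__":
    for bd, addr in find_out_of_subnet_ips(SAMPLE_BD_SUBNETS, SAMPLE_LEARNED_IPS):
        print(f"{bd}: {addr} is outside the BD's configured subnets")
```

On a real fabric the two input lists would come from exports of the BD subnets and the learned endpoint IPs; anything the function flags is worth explaining before the setting is flipped.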
09-24-2021 01:11 PM
Hi @a12288
Hope you are doing well.
Answers are:
1- Beginning with APIC Releases 2.3(1e) and 3.0(1k), Enforce Subnet Check is enabled by default with the following enhancement:
CSCvb16668: Enforce Subnet Check should be enabled by default.
IP Aging is a default setting for Cisco ACI Release 2.1(1h) and later.
2 - I can refer you to Cisco's document at this link:
https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html
For second-generation leaf switches, the following configurations are recommended for optimal endpoint update and forwarding behavior:
● Fabric-level configurations
◦ IP Aging Policy
◦ Disable Remote EP Learn (on border leaf)
◦ Prior to Cisco ACI Release 3.0(2h), the prerequisite is to set Tenant > Networking > VRFs > Policy Control Enforcement to Ingress on your VRF instances
◦ Only on APIC release prior to the enhancement for endpoint announce (CSCvj17665)
◦ Enforce Subnet Check
Regards,
Ali
09-24-2021 05:38 PM
Hi, Ali.
I was reading the same white paper and found those 2 recommendations. Can you post the content of CSCvb16668 here, as I cannot open it?
We adopted ACI since 2.x and are now running 4.2; both of them are disabled.
Leo
09-24-2021 05:43 PM
One more question, Ali.
Do you have them enabled in your ACI environment? Any hiccups?
Leo