"Enforce Subnet Check" and "IP Aging" are disabled by default

a12288
Level 3

Good day, community members.

We started with ACI at 2.x and are now running 4.2 after a number of successful upgrades. I realized that our ACI settings "Enforce Subnet Check" and "IP Aging" are disabled, and I don't think we have ever changed such system-level default settings.

My questions are:

  • If anyone is running ACI 4.2 or 5.2 from a greenfield deployment, what are your settings for those two?
  • From reading the documentation, it appears those two features will improve ACI operation overall, so will there be any drawbacks if I enable both of them?

Thanks.

Leo

4 Replies

AJ Cruz
Level 3

Both are disabled by default on 5.1(4c)

IP Aging should be pretty safe to enable. I've never seen it, but I suppose you could have a scenario where an endpoint has multiple MACs and/or IP addresses and one of them is "silent." In that scenario IP Aging might break access to the silent address.

For Enforce Subnet Check, you can check the operational status of all your BDs to determine whether any subnets are learned outside the BD and whether or not removing them from the endpoint database will cause any problems.

It probably goes without saying, but even if you're certain the risk is low I'd always recommend a thorough testing process after any changes so that you can catch any problems during the maintenance window instead of after.
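As an added example (not code from this thread or from Cisco), the script below is a small offline pre-change audit for the two points raised above: it reads the two fabric-level policy objects to confirm the current state of Enforce Subnet Check and IP Aging, and then, following the advice to check BDs for endpoints learned outside their subnets, lists every learned IP that no configured subnet of its BD covers, which are exactly the entries Enforce Subnet Check would refuse to learn. The class and attribute names used (infraSetPol.enforceSubnetCheck, epIpAgingP.adminSt, fvSubnet.ip, fvCEp.bdDn, fvIp.addr) are my understanding of the APIC object model, and all JSON is constructed sample data; verify the names against your release and feed it real REST exports of those classes before trusting the output.

```python
"""Offline pre-change audit for Enforce Subnet Check and IP Aging.

Added example, not code from the thread or from Cisco. Works on constructed
JSON shaped like APIC REST output ({"imdata": [ {class: {"attributes": ...}} ]}).
Class/attribute names are assumptions about the APIC object model; values are invented.
"""
import ipaddress
import json

# Constructed: the two fabric-level policy objects, both disabled as in the OP's fabric.
SETTINGS_JSON = json.dumps({"imdata": [
    {"infraSetPol": {"attributes": {
        "dn": "uni/infra/settings",
        "enforceSubnetCheck": "no",          # assumed attribute name
        "unicastXrEpLearnDisable": "no"}}},  # "Disable Remote EP Learn", assumed
    {"epIpAgingP": {"attributes": {
        "dn": "uni/infra/ipAgingP-default",
        "adminSt": "disabled"}}},            # assumed attribute name
]})

# Constructed: one BD with two configured subnets (fvSubnet.ip is gateway/prefix).
BD_SUBNETS_JSON = json.dumps({"imdata": [
    {"fvSubnet": {"attributes": {
        "dn": "uni/tn-Prod/BD-Web/subnet-[10.1.1.1/24]", "ip": "10.1.1.1/24"}}},
    {"fvSubnet": {"attributes": {
        "dn": "uni/tn-Prod/BD-Web/subnet-[10.1.2.1/24]", "ip": "10.1.2.1/24"}}},
]})

# Constructed: learned endpoints. The second has picked up an IP outside every
# subnet of its BD; the third sits in an L2-only BD with no subnet configured.
ENDPOINTS_JSON = json.dumps({"imdata": [
    {"fvCEp": {"attributes": {"mac": "00:50:56:AA:BB:01", "bdDn": "uni/tn-Prod/BD-Web"},
               "children": [{"fvIp": {"attributes": {"addr": "10.1.1.20"}}}]}},
    {"fvCEp": {"attributes": {"mac": "00:50:56:AA:BB:02", "bdDn": "uni/tn-Prod/BD-Web"},
               "children": [{"fvIp": {"attributes": {"addr": "10.1.2.21"}}},
                            {"fvIp": {"attributes": {"addr": "192.168.50.7"}}}]}},
    {"fvCEp": {"attributes": {"mac": "00:50:56:AA:BB:03", "bdDn": "uni/tn-Prod/BD-L2only"},
               "children": [{"fvIp": {"attributes": {"addr": "172.16.9.9"}}}]}},
]})


def _objects(raw, cls):
    """Yield the {"attributes": ..., "children": ...} dict of every object of class cls."""
    for obj in json.loads(raw)["imdata"]:
        if cls in obj:
            yield obj[cls]


def fabric_settings(settings_json):
    """Report whether Enforce Subnet Check and IP Aging are currently enabled."""
    result = {"enforce_subnet_check": False, "ip_aging": False}
    for pol in _objects(settings_json, "infraSetPol"):
        result["enforce_subnet_check"] = pol["attributes"].get("enforceSubnetCheck") == "yes"
    for pol in _objects(settings_json, "epIpAgingP"):
        result["ip_aging"] = pol["attributes"].get("adminSt") == "enabled"
    return result


def bd_subnets(bd_subnets_json):
    """Map BD dn -> list of configured networks, derived from each fvSubnet's parent dn."""
    nets = {}
    for sub in _objects(bd_subnets_json, "fvSubnet"):
        attrs = sub["attributes"]
        bd_dn = attrs["dn"].rsplit("/subnet-", 1)[0]
        # ip_interface keeps the host bits of the gateway; .network gives the prefix.
        nets.setdefault(bd_dn, []).append(ipaddress.ip_interface(attrs["ip"]).network)
    return nets


def out_of_subnet_endpoints(bd_subnets_json, endpoints_json):
    """Return (mac, bd_dn, ip) for every learned IP outside all subnets of its BD.

    BDs with no configured subnet are skipped: there is nothing to check against,
    and the subnet check has no subnet to enforce there.
    """
    nets = bd_subnets(bd_subnets_json)
    findings = []
    for cep in _objects(endpoints_json, "fvCEp"):
        attrs = cep["attributes"]
        bd_dn = attrs.get("bdDn", "")
        if bd_dn not in nets:
            continue
        for child in cep.get("children", []):
            if "fvIp" not in child:
                continue
            addr = ipaddress.ip_address(child["fvIp"]["attributes"]["addr"])
            # 'in' is False across address families, so v6 IPs never match a v4 subnet.
            if not any(addr in net for net in nets[bd_dn]):
                findings.append((attrs["mac"], bd_dn, str(addr)))
    return findings


if __name__ == "__main__":
    print(fabric_settings(SETTINGS_JSON))
    for mac, bd_dn, ip in out_of_subnet_endpoints(BD_SUBNETS_JSON, ENDPOINTS_JSON):
        print(f"{mac} in {bd_dn} learned {ip}, outside all configured subnets")
```

Run it against real exports of `infraSetPol`, `epIpAgingP`, `fvSubnet` and `fvCEp` (with children) in place of the constructed strings; anything the second function reports is an endpoint whose connectivity depends on an IP the fabric learned outside its BD's subnets, and is worth explaining before the maintenance window rather than after.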

Ali Aghababaei
Level 1

Hi @a12288 

Hope you are doing well.

Answers are:

1 - Beginning with APIC Releases 2.3(1e) and 3.0(1k), Enforce Subnet Check is enabled by default, per the following enhancement:

CSCvb16668: Enforce Subnet Check should be enabled by default.

IP Aging is a default setting for Cisco ACI Release 2.1(1h) and later.

2 - I can refer you to Cisco's document at this link:
https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html

 

For second-generation leaf switches, the following configurations are recommended for optimal endpoint update and forwarding behavior:

● Fabric-level configurations

  ◦ IP Aging Policy

  ◦ Disable Remote EP Learn (on border leaf)

    ◦ Prior to Cisco ACI Release 3.0(2h), the prerequisite is to set Tenant > Networking > VRFs > Policy Control Enforcement to Ingress on your VRF instances

    ◦ Only on APIC releases prior to the enhancement for endpoint announce (CSCvj17665)

  ◦ Enforce Subnet Check


Regards,
Ali


 

Hi, Ali.

 

I was reading the same white paper and found those two recommendations. Can you post the content of CSCvb16668 here, as I cannot open it?

 

We have used ACI since 2.x and are now running 4.2; both of them are disabled.

 

Leo

One more question, Ali.

 

Do you have them enabled in your ACI environment? Any hiccups?

 

Leo
