ACI Domain Validation and Snapshots

RedNectar
Advocate

There is a Global ACI option (SYSTEM > SYSTEM SETTINGS >> Fabric Wide Setting | Enforce Domain Validation) that forces ACI to check that an EPG is linked to a Domain. The Cisco Application Centric Infrastructure Design Guide White Paper recommends that this option be turned on, but it is a once-only option.  Once it is turned on, you can't turn it off.

And that includes turning it off by restoring a snapshot that was taken before the option was turned on.

So the point of this post is to warn anyone who turns this option on (and I recommend that you do), you should do so as the very first configuration action you take with a new Fabric, BEFORE you take any snapshots.

If you try to restore a snapshot taken before the option was enabled you will receive the following error:

Failed to apply tree: Asking for domain validation is a one time operation. No further changes allowed

[Image: Domain Validation Error.jpg]

RedNectar
aka Chris Welsh
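A pre-restore check for the situation described above, added here as an illustration and not part of the original post or any Cisco tooling. It assumes the ACI object model exposes the setting as class infraSetPol (dn uni/infra/settings) with a domainValidation attribute of "yes"/"no", that a configuration snapshot is the usual nested JSON of {"class": {"attributes": ..., "children": [...]}} objects, and that a snapshot taken before the option was turned on carries "no" or omits the attribute; all sample data is constructed.

```python
"""Pre-restore check for the one-way ACI 'Enforce Domain Validation' switch.

Hypothetical helper (assumption: setting lives on infraSetPol as
domainValidation="yes"/"no"; snapshots are nested ACI JSON trees).
"""
from typing import Any, Dict, Iterator, Tuple


def iter_objects(node: Any) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Depth-first walk over an ACI JSON tree, yielding (class_name, attributes)."""
    if isinstance(node, dict):
        for cls, body in node.items():
            if isinstance(body, dict):
                yield cls, body.get("attributes", {})
                for child in body.get("children", []):
                    yield from iter_objects(child)
    elif isinstance(node, list):
        for item in node:
            yield from iter_objects(item)


def domain_validation_enabled(config: Any) -> bool:
    """True if the tree carries domainValidation="yes" on infraSetPol.

    Assumption: a tree with no infraSetPol, or without the attribute, dates
    from before the option existed or was turned on, so it counts as "no".
    """
    for cls, attrs in iter_objects(config):
        if cls == "infraSetPol":
            return attrs.get("domainValidation", "no") == "yes"
    return False


def restore_would_fail(fabric_config: Any, snapshot: Any) -> bool:
    """The switch cannot be turned off, so a fabric that already has it on
    cannot accept a snapshot that has it off ("Asking for domain validation
    is a one time operation")."""
    return domain_validation_enabled(fabric_config) and not domain_validation_enabled(snapshot)


def _tree(domain_validation: str) -> Dict[str, Any]:
    """Build a constructed minimal fabric export (not a real APIC export)."""
    return {"polUni": {"attributes": {"dn": "uni"}, "children": [
        {"infraInfra": {"attributes": {"dn": "uni/infra"}, "children": [
            {"infraSetPol": {"attributes": {
                "dn": "uni/infra/settings",
                "domainValidation": domain_validation}}}]}}]}}


# Constructed sample data: the fabric as it is now, and two candidate snapshots.
FABRIC_NOW = _tree("yes")
OLD_SNAPSHOT = _tree("no")      # taken before the checkbox was ticked
NEW_SNAPSHOT = _tree("yes")     # taken after the checkbox was ticked

if __name__ == "__main__":
    for name, snap in (("old snapshot", OLD_SNAPSHOT), ("new snapshot", NEW_SNAPSHOT)):
        verdict = "would FAIL" if restore_would_fail(FABRIC_NOW, snap) else "ok"
        print(f"restore of {name}: {verdict}")
```

Run against a real fabric, fabric_config would come from the APIC REST API (GET /api/mo/uni/infra/settings.json, an assumption about the endpoint) and snapshot from the exported configuration file; the point is to run the check before attempting the rollback rather than discovering the mismatch from the "Failed to apply tree" error.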


2 Comments
pille1234
Participant

Hi Red, 


thanks for the advice. 

Could you expand on what exactly this functionality is actually doing? I have it enabled in a lab setup but was unable to determine the difference.

Without this checkbox enabled, I get an "invalid path error" if the domain is not attached to the EPG. What is different with the function enabled?


RedNectar
Advocate

Hi @pille1234 ,

You have pretty much answered your own question:

What is different with the function enabled?

with your comment:

Without this checkbox enabled, I get an "invalid path error" if the domain is not attached to the EPG.

And this error is telling you that your Access Policy Chain has a gap or mis-configuration.  Since I LIKE to be told when there is a problem, I always check the "Enforce Validation" global configuration checkbox.

Now, if you don't check it, you may still have a problem, and the EPG may not work, but you won't see the error.

As the Cisco Application Centric Infrastructure Design Guide White Paper puts it:

Cisco ACI has a feature that verifies whether the VLAN used in an EPG matches the AEP configured, that there are no overlaps, and so on.