Introduction
In Cisco ACI environments, switch lifecycle management is a critical operational task. Whether you are performing a node ID change, replacing hardware, or decommissioning a switch permanently, understanding the differences between Decommission Only, Decommission & Remove, and Decommission & Secure Remove is essential.
Many engineers misunderstand these options, especially when it comes to switch behavior, APIC interaction, and management IP handling, which can lead to unexpected outages or onboarding failures.
In this detailed guide, we will break down each option with real-world behavior, management IP impact, and best-use scenarios.
What Happens During Decommission in Cisco ACI
Decommissioning in ACI involves three key components:
- Switch (Leaf/Spine) behavior
- APIC database behavior
- Fabric identity and configuration handling
Each decommission option treats these components differently.
1. Decommission Only (Reset but Keep Identity)
Behavior
- Switch is wiped and reloaded
- Node ID and serial number mapping is retained in APIC
- APIC retains configuration for that node
After Reload
- Switch boots in clean state
- Automatically rejoins the fabric
- No manual intervention required
Management IP Behavior
- OOB Management IP (mgmt0):
  - Retained and reused
  - No need to reconfigure
- TEP IP:
  - Re-established automatically
Key Advantage
- Fast recovery without reconfiguration
Use Case
- Fixing switch issues without changing node identity
- Restarting node cleanly
- Troubleshooting fabric inconsistencies
Important Insight
This is the only mode where the switch auto-rejoins the fabric without manual setup.
2. Decommission & Remove (Reset + Remove Identity)
Behavior
- Switch is wiped and reloaded
- Node registration is removed from APIC
- APIC retains logical configuration (policies, tenants)
After Reload
- Switch appears as:
  - Unregistered node
- Requires manual onboarding via:
  - Fabric → Inventory → Node Setup
Management IP Behavior
- OOB Management IP (mgmt0):
  - Not retained logically in APIC
  - Needs to be re-entered or reconfigured
- TEP IP:
  - Reassigned during recommission
Key Advantage
- Allows fresh onboarding of the same hardware
Use Case
- Node ID change
- Recommissioning switch
- Hardware replacement (same fabric)
- Moving switch within fabric design
Critical Step
You must perform the following on the switch CLI:

```
run bash
setup-clean-config.sh
reload
```
Practical Risk
If you skip cleanup:
- Residual configs may remain
- Fabric join issues can occur
3. Decommission & Secure Remove (Full Secure Wipe)
Behavior
- Switch is:
  - Securely wiped (deep erase)
  - Reloaded
- Removes:
  - Configuration
  - Certificates
  - Encryption keys
  - Fabric identity
After Reload
- Switch becomes:
  - Factory-like device
  - Cannot join fabric directly
Management IP Behavior
- OOB Management IP:
  - Completely erased
- TEP IP:
  - Fully removed
Key Requirement
- Requires:
  - ACI image validation/reload (if removed)
  - Complete day-0 onboarding
Key Advantage
- Ensures zero residual data
Use Case
- Device disposal
- RMA return
- Moving switch to a different customer/fabric
- Security compliance requirements
Side-by-Side Comparison
| Feature | Decommission Only | Decommission & Remove | Secure Remove |
|---|---|---|---|
| Switch Reload | Yes | Yes | Yes |
| Config Wipe | Yes (normal) | Yes (normal) | Full secure wipe |
| Node ID Retained | Yes | No | No |
| Auto Rejoin Fabric | Yes | No | No |
| Manual Recommission | No | Yes | Yes |
| Mgmt IP (OOB) | Retained | Needs reconfig | Fully erased |
| TEP IP | Auto restored | Reassigned | Removed |
| Secure Data Erase | No | No | Yes |
Real-World Decision Guide
Use Decommission Only When:
- You want quick reset
- You are not changing Node ID
- You want automatic fabric rejoin
Use Decommission & Remove When:
- You are:
  - Changing Node ID
  - Rebuilding switch
  - Replacing hardware
- You are okay with manual recommission
Use Secure Remove When:
- Device is leaving environment
- Security wipe is required
- Moving to new fabric/customer
Common Mistakes to Avoid
1. Assuming “Remove” wipes everything
It does not remove all residual configuration. Always run the cleanup script before reloading.
2. Forgetting Management IP
- After Decommission & Remove:
  - Mgmt IP must be planned and reconfigured
- After Secure Remove:
  - Completely lost
3. Using Decommission Only for Node ID Change
This will fail because:
- Node identity is preserved
- APIC will not allow new ID
Pro Tip (Very Important for Production)
Before any decommission:
✅ Note down:
- Node ID
- Serial number
- Management IP
- TEP pool
✅ Ensure:
- Console access is available
✅ Plan:
- Multiple reload windows
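As an added example (not part of the original post), the script below builds the pre-decommission record the Pro Tip asks for from APIC class-query JSON and checks it again after the reload. The JSON responses are constructed sample data shaped like real `fabricNode`, `mgmtRsOoBStNode` and `fabricSetupP` class queries; the attribute names are assumed to match your APIC release.

```python
"""Snapshot node ID, serial, OOB mgmt IP and TEP pool before a decommission.

Constructed example: the JSON strings mimic APIC responses to
/api/node/class/<class>.json with made-up sample values.
"""
import json
import re

# Constructed sample response for class fabricNode (one leaf, one spine).
FABRIC_NODES = json.dumps({"imdata": [
    {"fabricNode": {"attributes": {"dn": "topology/pod-1/node-101", "id": "101",
     "name": "leaf-101", "role": "leaf", "serial": "FDO00000001",
     "address": "10.0.8.64", "fabricSt": "active"}}},
    {"fabricNode": {"attributes": {"dn": "topology/pod-1/node-201", "id": "201",
     "name": "spine-201", "role": "spine", "serial": "FDO00000002",
     "address": "10.0.8.65", "fabricSt": "active"}}},
]})
# Constructed static OOB addresses (class mgmtRsOoBStNode); spine 201 has none.
OOB_ADDRS = json.dumps({"imdata": [
    {"mgmtRsOoBStNode": {"attributes": {"tDn": "topology/pod-1/node-101",
     "addr": "192.0.2.101/24", "gw": "192.0.2.1"}}},
]})
# Constructed pod TEP pool (class fabricSetupP).
TEP_POOLS = json.dumps({"imdata": [
    {"fabricSetupP": {"attributes": {"podId": "1", "tepPool": "10.0.0.0/16"}}},
]})

def _rows(raw, cls):
    """Unwrap the imdata list of an APIC class query into attribute dicts."""
    return [o[cls]["attributes"] for o in json.loads(raw)["imdata"] if cls in o]

def snapshot(fabric_nodes, oob_addrs, tep_pools):
    """Return {node_id: record} with everything to write down before decommission."""
    pools = {p["podId"]: p["tepPool"] for p in _rows(tep_pools, "fabricSetupP")}
    oob = {o["tDn"]: o for o in _rows(oob_addrs, "mgmtRsOoBStNode")}
    out = {}
    for n in _rows(fabric_nodes, "fabricNode"):
        pod = re.search(r"pod-(\d+)", n["dn"]).group(1)
        out[n["id"]] = {"serial": n["serial"], "name": n["name"], "role": n["role"],
                        "tep_ip": n["address"], "tep_pool": pools.get(pod),
                        "oob_ip": oob.get(n["dn"], {}).get("addr"),
                        "oob_gw": oob.get(n["dn"], {}).get("gw")}
    return out

def missing_oob(snap):
    """Node IDs with no static OOB address: plan one before Decommission & Remove."""
    return sorted(i for i, r in snap.items() if r["oob_ip"] is None)

def check_rejoin(before, after, node_id, fields=("serial", "oob_ip")):
    """After Decommission Only, identity and mgmt IP must match the saved snapshot."""
    a = after.get(node_id)
    if a is None:
        return ["node not registered"]
    return [k for k in fields if before[node_id][k] != a[k]]
```

Run `snapshot()` against the live class queries before the decommission, save the result, and feed the post-reload query into `check_rejoin()`; a non-empty list is the signal to stop and investigate before moving on.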
Conclusion
Understanding the differences between Decommission Only, Decommission & Remove, and Secure Remove is crucial for smooth Cisco ACI operations.
- Decommission Only keeps identity and allows auto-rejoin
- Decommission & Remove resets switch and requires manual setup
- Secure Remove completely wipes the device for disposal or reuse
The biggest differentiator in real environments is management IP behavior and node identity retention, which directly impacts how the switch rejoins the fabric.