Networklearner

Monday, 4 August 2025

Static Binding Deployment Options in ACI - Immediate Vs On demand

🔧 Static Binding Deployment Options in ACI

When you statically bind an EPG to a port (interface), you’ll see a Deployment Immediacy setting. This determines when the configuration is pushed to the fabric.

1. Immediate

Definition: The configuration is deployed to the switch as soon as you save it.
Use Case: Use this when the endpoint is already connected or expected to connect soon.
Behavior: The policy is applied to the interface regardless of whether an endpoint is present.

2. On-Demand

Definition: The configuration is deployed only when an endpoint is detected on the interface.
Use Case: Useful for reducing unnecessary configuration on interfaces until needed.
Behavior: The policy is not pushed until the APIC sees a MAC address or IP on that port.

📌 Where You Set This

When creating a static binding in the APIC GUI:

Navigate to the EPG → Static Ports
Add a static port binding
Choose the Deployment Immediacy: Immediate or On-Demand

✅ Best Practices

Use Immediate for known, always-on devices (like servers).
Use On-Demand for dynamic environments (like user laptops or VMs that move).

Sunday, 3 August 2025

Peer Dead Interval vs Delay Restore Timer in Cisco ACI

⏱️ Peer Dead Interval vs Delay Restore Timer in Cisco ACI: Timing the Trust

In Cisco ACI, timing is everything — especially when it comes to maintaining stable vPC (Virtual Port Channel) peer relationships. Two critical timers help manage how ACI reacts to peer disruptions and recoveries: Peer Dead Interval and Delay Restore Timer. Though they sound similar, they serve very different purposes.

🔍 Peer Dead Interval: Watching for Silence

Think of the Peer Dead Interval as a watchdog timer. It defines how long a switch should wait before declaring its vPC peer as dead — meaning unreachable or non-responsive.

Purpose: Detect peer failure.
Trigger: Lack of heartbeat (keepalive) messages.
Default: Typically 3.5 seconds in ACI.
Impact: If the peer is declared dead, the switch may take over certain roles or shut down vPC member ports to avoid split-brain scenarios.

🧠 Analogy: It’s like waiting for a friend to reply to your message. If they don’t respond within a few seconds, you assume something’s wrong.

⏳ Delay Restore Timer: Holding Back the Comeback

The Delay Restore Timer is used after a peer recovers. It delays the reactivation of vPC member ports or SVIs (Switched Virtual Interfaces) on the recovering switch.

Purpose: Prevent flapping and ensure stable reconvergence.
Trigger: Peer switch reboot or recovery.
Default: 10 seconds (can be customized).
Impact: Gives time for control plane protocols (like STP, routing) to settle before data plane resumes.

🧠 Analogy: It’s like giving your friend a moment to catch their breath after they’ve returned from a sprint — before asking them to jump back into a conversation.

🔄 Why Both Matter

Together, these timers ensure that:

ACI doesn’t overreact to temporary glitches.
Recovery is graceful, avoiding packet loss or loops.
Network stability is maintained even during failures and reboots.

Forward Error Correction (FEC) in Cisco ACI

In Cisco ACI, Forward Error Correction (FEC) is a mechanism used to improve the reliability of high-speed data transmission across physical links, especially in environments using 25G, 40G, 100G, or 400G interfaces.

🔍 What Is Forward Error Correction?

FEC is a technique where the sender adds redundant data (parity bits) to each transmission. If some bits are corrupted during transit, the receiver can detect and correct those errors without needing a retransmission. Think of it like sending a puzzle with extra pieces so the receiver can still complete it even if a few pieces go missing.

🧠 How FEC Works in Cisco ACI

In ACI, FEC is negotiated between switches and endpoints during auto-negotiation. The devices advertise their supported FEC modes and agree on the best one. Common FEC modes include:

FC-FEC (Firecode FEC): Used for 25G links.
RS-FEC (Reed-Solomon FEC): Used for 25G, 100G, and 400G links.
CL91-RS-FEC and IEEE-RS-FEC: Advanced versions for higher speeds.
AUTO-FEC: Automatically selects the best FEC mode based on link capabilities.

⚙️ Why It Matters

FEC is especially important in Cisco ACI because:

High-speed links (like 25G or 100G) are more prone to bit errors.
Breakout ports (e.g., 4x25G from a 100G port) often require FEC to maintain link stability.
Copper DAC cables used in short-distance connections rely on FEC to compensate for signal degradation.

✅ Use Cases

Ensuring error-free transmission over high-speed links.
Supporting auto-negotiation on breakout ports.
Enhancing link reliability without increasing latency or requiring retransmissions.

Symmetric hashing in Cisco ACI

🔄 Symmetric Hashing in Cisco ACI: A Traffic Balancing Philosophy

Imagine a highway with multiple lanes, and cars (data packets) trying to reach their destination. Normally, each car chooses a lane based on its starting point and destination. But what if the return journey picks a different lane? That’s what happens with asymmetric hashing — the forward and reverse paths of a data flow may travel through different physical links.

In Cisco ACI, symmetric hashing is like a rule that says: “If you go out through lane 3, you must come back through lane 3.” It ensures that both directions of a traffic flow — from source to destination and back — follow the same physical path within a port channel.

This matters a lot when you're dealing with devices like firewalls, load balancers, or any system that tracks sessions. If traffic enters through one link and exits through another, it can confuse these devices, leading to dropped packets or broken connections.

Symmetric hashing is not supported on the following switches:

Cisco Nexus 93128TX
Cisco Nexus 9372PX
Cisco Nexus 9372PX-E
Cisco Nexus 9372TX
Cisco Nexus 9372TX-E
Cisco Nexus 9396PX
Cisco Nexus 9396TX

🧠 Why Cisco ACI Made It Optional

Cisco ACI’s default behavior is asymmetric — it spreads traffic across links based on a hash of various packet fields (IP, MAC, ports). This works well for general load balancing. But when precision and consistency are needed, ACI gives you the option to enable symmetric hashing in the port-channel policy.

Once enabled, you can choose the hashing algorithm — like using only IP addresses or including Layer 4 ports — to fine-tune how traffic is distributed.

✅ Use Cases That Benefit

Firewall clusters that expect consistent ingress/egress paths.
Load balancers that rely on session stickiness.
Troubleshooting scenarios where symmetric paths simplify packet tracing.

what “Multiple (with virtual MAC)” means in the context of “Treat as Virtual IP Address” in Cisco ACI.

🧩 What Does “Multiple (with virtual MAC)” Mean?

When you select “Treat as Virtual IP Address”, you're telling Cisco ACI that this IP address should be used as a shared gateway across multiple sites or pods. To make this work, ACI uses a Virtual MAC address.

🔹 Why a Virtual MAC?

In a multi-site or stretched fabric, the same IP address (e.g., 192.168.10.1) might be configured in multiple locations. But MAC addresses are normally unique to each site. If the same IP has different MACs in different sites, it can confuse endpoints and break mobility.

So, ACI allows you to assign a Virtual MAC to the VIP. This ensures:

All sites use the same IP and MAC for the gateway.
Endpoints can move between sites without needing to relearn the gateway MAC.
Traffic flows seamlessly, even across geographically separated data centers.

🧠 “Multiple” Refers To:

You can have multiple subnets in a BD marked as Virtual IPs.
Each of these VIPs can share the same Virtual MAC.
This setup supports multiple gateway IPs across sites, all behaving consistently.

📌 Example Scenario

Let’s say you have:

DC1 and DC2 connected via ACI Multi-Site.
A BD with subnet 10.1.1.1/24 used as the gateway in both sites.
You mark 10.1.1.1 as “Treat as Virtual IP Address” and assign a Virtual MAC like 00:11:22:33:44:55.

Now:

Both DC1 and DC2 advertise 10.1.1.1 with the same MAC.
VMs can move between sites without changing their gateway.
Network traffic remains stable and predictable.

Difference between “Treat as Virtual IP Address” and “Make this IP Address Primary” in Cisco ACI

🧠 Cisco ACI Demystified: “Treat as Virtual IP Address” vs “Make this IP Address Primary”

In the world of Cisco ACI, Bridge Domains (BDs) are the backbone of Layer 2 networking. But when configuring subnets within a BD, two deceptively similar options often confuse engineers:

✅ Make this IP Address Primary
🌐 Treat as Virtual IP Address

Let’s break down what each of these means, when to use them, and how they impact your ACI fabric.

🔹 What is “Make this IP Address Primary”?

This option is used to define the default gateway for endpoints within the Bridge Domain.

✅ Key Characteristics:

Only one primary IP per BD.
Used for routing traffic between subnets or to external networks.
Responds to ARP requests from endpoints.
Can be advertised externally if route advertisement is enabled.

📌 When to Use:

In single-site ACI deployments.
When you want the fabric to act as the default gateway for endpoints.
For standard BD configurations where no multi-site or stretched fabric is involved.

🔹 What is “Treat as Virtual IP Address”?

This option is designed for multi-site or stretched fabric deployments where you want a consistent gateway IP and MAC address across multiple locations.

🌐 Key Characteristics:

Requires a Virtual MAC address.
Enables Common Pervasive Gateway (CPG) functionality.
Ensures seamless endpoint mobility across sites.
Can coexist with a primary IP in the same BD.

📌 When to Use:

In multi-pod or multi-site ACI environments.
When you need Layer 3 gateway consistency across data centers.
For active-active data center designs.

🔁 Side-by-Side Comparison

Feature	Make this IP Primary	Treat as Virtual IP Address
Default Gateway Role	✅ Yes	✅ Yes (in multi-site)
Number per BD	One	Multiple (with virtual MAC)
Requires Virtual MAC	❌ No	✅ Yes
Use Case	Single-site routing	Multi-site gateway consistency
Supports Endpoint Mobility	❌ Limited	✅ Seamless
Route Advertisement	✅ Yes (if enabled)	✅ Yes (if enabled)

🧪 Real-World Example

Imagine you have two data centers—DC1 and DC2—connected via ACI Multi-Site. You want VMs to move between them without changing their default gateway.

You’d configure the same subnet in both sites.
Use “Treat as Virtual IP Address” with a shared virtual MAC.
This ensures the gateway IP and MAC remain consistent, avoiding disruptions.

🧩 Final Thoughts

Both options serve critical but distinct purposes. Choosing the right one depends on your ACI topology and traffic flow requirements. For most single-site deployments, “Make this IP Address Primary” is sufficient. But for advanced, distributed environments, “Treat as Virtual IP Address” is your go-to for seamless mobility and high availability.

Saturday, 2 August 2025

Deployment Scheme for SFP-10G-T-X Transceivers

Deployment Scheme for SFP-10G-T-X Transceivers

The following switches support SFP-10G-T-X transceivers with adjacency limitations:

N9K-C93180YC-EX
N9K-C93180YC-FX
N9K-C93240YC-FX2
N9K-C93360YC-FX2

Here’s a table with direct links to the official Cisco hardware installation guides for the specified Nexus switch models that support SFP-10G-T-X transceivers:

Cisco Nexus Model	Hardware Installation Guide Link
N9K-C93180YC-FX	View Guide
N9K-C93180YC-EX	View Guide
N9K-C93240YC-FX2	View Guide
N9K-C93360YC-FX2	View Guide

Note - Cisco Nexus FX3 series switches—such as the N9K-C93180YC-FX3—do not have the same adjacency restrictions for SFP-10G-T-X transceivers as seen in FX and FX2 models.

The following figure shows the maximum configuration density of SFP-10G-T-X SFP+ transceivers for this switch.

N9K-C93360YC-FX2

This guide outlines the configuration and power management strategy for deploying SFP-10G-T-X SFP+ transceivers on Cisco switches. The deployment scheme uses a color-coded system to manage port behavior and optimize power consumption.

93180YC-FX

🟨 Yellow Ports – Active with SFP-10G-T-X

Transceiver: SFP+ 10GBASE-T
Power Consumption: Up to 2.5W
Configuration Required:

NX-OS: media-type 10g-tx
ACI: Link Level Policy → Physical Media Type → SFP 10G TX

Behavior: Without configuration, these ports act as standard SFP+ ports.

🔵 Blue Ports – Adjacent to Yellow Ports

Condition: Adjacent to yellow ports (left, right, top, bottom)
Allowed Usage:

Passive Copper DAC cables only
Or left empty to conserve power

Power Consumption: Up to 0.1W
Behavior: Reverts to normal if the adjacent yellow port is deconfigured.

🟩 Green Ports – Standard Optics

Supported Optics: Cisco 1G/10G/25G (SFP, SFP+, SFP28)
Excludes SFP+ 10GBASE-T
Power Consumption: Up to 1.5W
Behavior: Not part of the SFP-10G-T-X scheme; behaves like regular ports.

🌸 Pink Ports – Uplink Ports

Port Type: QSFP+, QSFP28
Traffic: Supports 40G/100G
Behavior: Independent of the SFP-10G-T-X deployment scheme.

To ensure proper operation and speed negotiation when using SFP-10G-T-X transceivers on Cisco Nexus switches, you must configure the speed auto and media-type 10g-tx on each port where the transceiver is installed:

🔄 What This Does:

media-type 10g-tx: Enables the port to recognize and support the SFP-10G-T-X transceiver.
speed auto: Allows the transceiver to auto-negotiate between 1Gbps and 10Gbps, depending on the link partner's capabilities.

Sample -

int eth1/1

Switchport

switchport mode access

switchport acces vlan 10

speed auto

media-type 10g-tx

no shut