Choosing the Right Cisco 10G SFP+: A Simple Comparison Guide

🟢 Standard Modules

These are full-featured and support everything (including FCoE, OTN, etc.).

• SFP-10G-SR: Short range (up to 400m on multimode fiber)
• SFP-10G-LR: Long range (up to 10km on single-mode fiber)
• SFP-10G-ER: Extended range (up to 40km)
• SFP-10G-ZR: Ultra-long range (up to 80km)

✅ Supports all protocols
✅ TAA compliant
✅ Good for enterprise/data center use

---

🔵 S-Class Modules (e.g., SFP-10G-SR-S, LR-S, ER-S, ZR-S)

These are cost-effective versions of standard modules.

• Same distance and fiber type as standard ones
• ❌ No FCoE support
• ❌ Not TAA compliant
• ✅ Cheaper

Use these if you don’t need advanced features like Fibre Channel over Ethernet.

---

🟠 Special Environment Modules

For harsh or non-standard environments:

• SFP-10G-SR-X: Extended temperature (-5°C to 85°C)
• SFP-10G-SR-I: Industrial temperature (-40°C to 85°C)
• SFP-10G-T-X: Copper (RJ-45), up to 30m at 10G

 

Taboo vs vzAny Contract

 

Aspect	Taboo Contract	vzAny Contract
Purpose	Used to explicitly deny certain types of traffic for an EPG	Used to apply contracts to all EPGs within a VRF in a simplified manner
Functionality	Acts as a deny filter for specific traffic (e.g., block port 80 or 23)	Acts as a wildcard to apply contracts to all EPGs in a VRF
Application Scope	Applied to individual EPGs to block traffic	Applied to entire VRF, affecting all EPGs within it
Use Case	Prevent specific traffic types (e.g., cleartext communication)	Enable free intra-VRF communication or many-to-one service consumption
Configuration Complexity	Requires manual filter creation and careful application	Simplifies configuration by automating contract relationships
TCAM Usage	May consume more TCAM entries depending on filter granularity	Optimizes TCAM usage by reducing entries to a single group-level contract
Best Practices	Generally discouraged unless absolutely necessary 1	Recommended for efficient policy management in large-scale environments 2 3
Limitations	Not suitable for inter-EPG communication control	Must follow strict guidelines to avoid unintended traffic leaks 2 3

What is a Taboo Contract?

 In Cisco ACI (Application Centric Infrastructure), a taboo contract is a special type of contract used to explicitly deny specific types of traffic between endpoint groups (EPGs), even if other contracts would otherwise allow it.

🔍 What is a Taboo Contract?

• Purpose: Taboo contracts are designed to block traffic that matches certain filters. They override any other contracts that might permit that traffic.
• Application: Unlike standard contracts which are applied between EPGs (one consuming and one providing), taboo contracts are applied to an entire EPG. This means they affect all traffic originating from or destined to that EPG 

• Use Case: For example, if you want to ensure that an EPG never uses insecure protocols like HTTP (port 80) or Telnet (port 23), you can apply a taboo contract with filters for those ports 

🛑 Key Characteristics

• Deny Action: Taboo contracts only support the "deny" action. They are used to block traffic, not to permit it.
• Logging: Optionally, taboo contracts can also log the denied traffic for auditing or troubleshooting purposes 
• Priority: They take precedence over regular contracts. If a packet matches a taboo filter, it is dropped—even if a regular contract would otherwise allow it 

⚠️ Best Practices & Cautions

• Many experts recommend avoiding taboo contracts unless absolutely necessary. Instead, it's often better to design your standard contracts carefully to only permit the desired traffic 
• Taboo contracts can add complexity and may lead to unintended traffic drops if not managed properly

 

Cisco ACI - Flood in Encapsulation

🧠 What Is "Flood in Encapsulation"?

Flood in encapsulation is a setting in Cisco ACI that controls how broadcast or unknown traffic is handled within a bridge domain when multiple EPGs use different VLANs.

---

📦 Example Scenario

Let’s say:

• EPG1 uses VLAN X
• EPG2 uses VLAN Y
• Both EPGs are part of the same bridge domain

If flood in encapsulation is enabled, then:

• Broadcast or unknown traffic from EPG1 will only flood within VLAN X
• It won’t reach EPG2 (VLAN Y), even though they share the same bridge domain

---

✅ Why Use It?

This helps limit unnecessary traffic between EPGs and improves security and performance by keeping flooding local to each VLAN.

 

vPC EPG Deployment Rule

 When deploying an EPG on a vPC, both leaf switch ports (on each leg of the vPC) must be associated with the same domain and use the same VLAN pool. This ensures consistent VLAN encapsulation and proper traffic forwarding across the vPC pair.

Can VLAN numbers previously used for EPGs be reused on the same leaf switch?

Yes, VLAN numbers can be reused for different EPGs on different ports of the same leaf switch, provided the configuration is done carefully to avoid disruption. 

You previously used VLANs 20–100 for EPGs on a leaf switch port. Now, you want to reuse VLANs 30-40 for new EPGs on different ports of the same leaf switch.

1. Create a new VLAN pool with the required VLAN range (e.g., 30-40).
2. Set up a new physical domain.
3. Link the VLAN pool to the new physical domain.
4. Set VLAN scope to portLocal on the leaf port to isolate VLAN usage.
5. Associate new EPGs with the physical domain.
6. Deploy the EPGs on the target leaf ports.

Recovering and Reinitializing a Standby APIC to active APIC in Cisco ACI

 Recovering and Reinitializing a Standby APIC in Cisco ACI

If you're working with a standby APIC and need to verify access or promote it to an active role, here’s a practical approach to follow.

---

🔐 Step 1: Accessing the Standby APIC

You can attempt to log in using the rescue-user account. This account is specifically designed for emergency access to standby controllers.

• Try using your standard APIC admin password first.
• If the standby APIC is in sync with the cluster, this should work.
• If not, attempt login without a password — some configurations allow password-less access for rescue-user in isolated standby mode.

---

🔄 Step 2: Reinitializing the Standby APIC as Active

If you need to promote a standby APIC (e.g., APIC3) to an active role, it's best to wipe and reconfigure it from scratch. Ensure you have KVM access to the APIC before proceeding.

Run the following commands in sequence:

1. Clean the existing configuration.
2. Trigger the setup script on next boot.
3. Reboot the APIC to begin the reinitialization process.

These commands will:

• acidiag touch clean
• acidiag touch setup
• acidiag reboot

Once rebooted, the APIC will prompt you to configure it as part of the active cluster.

---

🧠 Pro Tip

Always ensure that the APIC you’re reinitializing is physically connected to the fabric and that you have console or KVM access. This process is irreversible and should only be done when you're certain the APIC is no longer needed in standby mode.

 

 Cold Standby APIC – Key Characteristics

• Supported in both single-pod and multi-pod ACI deployments.
• Can be connected to any leaf switch in any pod, restoring edit capabilities in minority scenarios.
• Automatically receives firmware updates to stay in sync with the active APIC cluster.
• During upgrades, once all active APICs are updated, the standby APIC is upgraded automatically.
• Assigned temporary node IDs; a new ID is issued when promoted to active.
• Admin login is disabled on standby APICs.
• Troubleshooting is done via SSH using the rescue-user account.
• During switchover, the replaced active APIC is powered down to avoid dual connectivity.
• Standby APICs do not participate in policy configuration or fabric management.
• Cisco recommends placing standby APICs in the same pod as the active ones they may replace.
• No configuration or credential data is replicated to standby APICs — only rescue-user access is available.