Nexus Configuration Simple Guide

目录

Nexu7000缺省端口配置... 2

CMP连接管理处理器配置... 3

带外管理VRF. 4

划分Nexus 7010 VDC. 5

基于EthernetChannel的vPC. 7

割裂的vPC:HSRP和STP. 12

vPC的细部配置... 12

Nexus的SPAN.. 14

VDC的MGMT接口... 14

DOWN的VLAN端口... 14

Nexus的路由... 15

Nexus上的NLB. 16

标识一个部件... 16

Nexus7000基本配置汇总... 17

Cisco NX-OS/IOS Configuration Fundamentals Comparison. 17

Cisco NX-OS/IOS Interface Comparison. 25

Cisco NX-OS/IOS Port-Channel Comparison. 31

Cisco NX-OS/IOS HSRP Comparison. 35

Cisco NX-OS/IOS STP Comparison. 40

Cisco NX-OS/IOS SPAN Comparison. 45

Cisco NX-OS/IOS OSPF Comparison. 49

Cisco NX-OS/IOS Layer-3 Virtualization Comparison. 55

vPC Role and Priority. 61

vPC Domain ID.. 62

vPC Peer Link. 62

Configuration for single 10 GigE Card. 63

CFSoE. 64

vPC Peer Keepalive or FT Link. 64

vPC Ports. 65

Orphan Ports with non-vPC VLANs. 66

HSRP. 66

HSRP Configuration and Best Practices for vPC. 66

Advertising the Subnet. 67

L3 Link Between vPC Peers. 68

Cisco NX-OS/IOS TACACS+, RADIUS, and AAA Comparison. 68

Nexus5000的配置同步... 74

初始化Nexus 2000 Fabric Module. 75

Nexu7000缺省端口配置

缺省时所有端口是关闭的

no system default switchport shutdown

copy running-config startup-config vdc-all 存配置

dir bootflash:

dir bootflash://sup-standby/

dir bootflash://sup-remote

show role

show inventory显示系统详细目录,或称为存货清单,可以看到各组件产品编号以及序列号

show hardware 显示系统硬件详细信息

show sprom backplane 1 显示交换机序列号

show environment power 显示电源信息

power redundancy-mode ps-redundant 如果没有双电网供电则使用此模式

power redundancy-mode insrc-redundant 如果有双电网供电则使用此模式

show module 检验各模块状态

attach module slot_number

dir bootflash dir slot0:查看ACTIVE引擎的FLASH空间

如果查看备份引擎的FLASH空间呢?首先attach module command to attach to the module number, and then use the dir bootflash: or dir slot0:

out-of-service module slot Shutting Down a Supervisor or I/O Module

 

out-of-service xbar slot Shutting Down a Fabric Module

 
show environment 
show environment temperature
 
show environment fan
banner motd #Welcome to the switch# 

clock timezone

clock set

reload 重启交换机
reload module number
 
switchto VDC切换至某VDC管理界面
 
switchback

poweroff module slot_number

no poweroff module slot_number

poweroff xbar slot_number

CMP连接管理处理器配置

CMP配置:

You should also configure three IP addresses—one for each cmp-mgmt interface and one that is shared between the active and standby supervisor mgmt 0 interfaces.

attach cmp 进入CMP

命令输入后自动存盘,不需要copy run start

通过NX-OS CLI来配置CMP

1. configure terminal

2. interface cmp-mgmt module slot 通过module 槽号分别为5/6来实现主备引擎上的CMP配置

3. ip address ipv4-address/length

4. ip default-gateway ipv4-address

5. show running-config cmp

通过CMP CLI来配置CMP

1. attach cmp

2. configure terminal

3. ip default-gateway ipv4-address

4. interface cmp-mgmt

5. ip address ipv4-address/length

6. show running-config

在CMP上可执行的动作:

show cp state

reload cp

attach cp

monitor cp

ping or traceroute 192.0.2.15

reload system To reload the complete system, including the CMPs

带外管理VRF

Management VRF and Basic Connectivity

The management interface is, by default, part of the management VRF. The management

interface “mgmt0” is the only interface allowed to be part of this VRF.

The philosophy beyond Management VRF is to provide total isolation for the management traffic

from the rest of the traffic flowing through the box by confining the former to its own forwarding

table.

In this step we will:

- Verify that only the mgmt0 interface is part of the management VRF

- Verify that no other interface can be part of the management VRF

- Verify that the default gateway is reachable only using the management VRF

如果想Ping 带外网管的网关等地址必须在Ping命令后面加上vrf management

ping 10.2.8.1 vrf management

划分Nexus 7010 VDC

VDC是Nexus7000系列的特色功能。通过将物理机箱划分为多个逻辑交换机,核心交换机区域将可以获得多台物理隔离的高性能交换机。VDC具有完全隔离的路由表,VRF和接口,因此可以获得真实交换机属性的配置。

VDC的资源是占用全局机箱的,因此在必要的时候,需要通过调整VDC资源配置来进行VDC功能和性能的调整。所有进入VDC的接口和资源都不能被其他VDC或者缺省VDC使用。

VDC配置

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/virtual_device_context/quick/guide/Cisco_Nexus_7000_Series_NX-OS_Virtual_Device_Context_Quick_Start__Release_5.x_chapter1.html

vdc MyVDC 创建VDC

allocate interface ethernet 2/11-1 分配接口

switchto vdc MyVDC Switch to the new VDC and enter the VDC admin user account password切换至一个VDC

switchback

setup 根据安装向导配置VDC

show vdc membership

show vdc current-vdc

When interfaces in different VDCs share the same port ASIC, reloading the VDC (with the reload vdc command) or provisioning interfaces to the VDC (with the allocate interface command) might cause short traffic disruptions (of 1 to 2 seconds) for these interfaces. If such behavior is undesirable, make sure to allocate all interfaces on the same port ASIC to the same VDC.

To see how the interfaces are mapping to the port ASIC, use this command:

slot slot_number show hardware internal dev-port-map 这个命令没有帮助,需盲打

copy running-config startup-config vdc-all

VDC资源清单:

vdc vdc2_1 id 2

allocate interface Ethernet1/13-24

allocate interface Ethernet2/1-3

boot-order 1

limit-resource vlan minimum 16 maximum 4094

limit-resource monitor-session minimum 0 maximum 2

limit-resource monitor-session-erspan-dst minimum 0 maximum 23

limit-resource vrf minimum 2 maximum 1000

limit-resource port-channel minimum 0 maximum 768

limit-resource u4route-mem minimum 8 maximum 8

limit-resource u6route-mem minimum 4 maximum 4

limit-resource m4route-mem minimum 8 maximum 8

limit-resource m6route-mem minimum 2 maximum 2

通过命令可以查看当前VDC的数量和状态。系统机箱本身默认为VDC1,最多可以建立3个另外的VDC。登录到系统默认的VDC1下,可以通过switchto vdc命令在不同的VDC之间跳转,并可以通过重启VDC1来重启其他所有的VDC。

switch# switchto vdc vdc2_1

Last login: Thu Nov 25 16:40:19 UTC 2010 on ttyS0

Last login: Thu Nov 25 17:06:47 on ttyS0

Cisco Nexus Operating System (NX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license. Certain components of this software are licensed under

the GNU General Public License (GPL) version 2.0 or the GNU

Lesser General Public License (LGPL) Version 2.1. A copy of each

such license is available at

http://www.opensource.org/licenses/gpl-2.0.php and

http://www.opensource.org/licenses/lgpl-2.1.php

switch-vdc2_1#

位于其他VDC当中,无法通过switchto vdc的方式进行VDC的跳转。系统保存配置和reload都有针对单独VDC的配置。

不同VDC的名称,除了在vpc命令中直接指定,还可以进入到VDC配置界面后,直接用hostname命令进行更改。

基于EthernetChannel的vPC

vPC是Cisco NX-OS由于解决STP Block端口而使用的技术。通过将两台设备虚拟成一台设备,使得系统可以使用两套冗余链路转发数据。

vPC完全基于EthernetChannel技术,所有成员组都必须在EthernetChannel当中,除了peer-link keepalive。vPC仅仅能作用在二层Trunk结构下,完全不兼容任何L3环境。vPC使用连接设备的peer-link必须使用10G以太网接口,而peer-link keepalive必须是路由接口。配置手册推荐使用单独的VRF来隔离,以便于减小地址管理压力。

首先,配置L3端口,保证双方可以ping通:

vrf context vpc

interface Ethernet1/25

vrf member vpc

ip address 172.16.0.1/24

no shutdown

vPC结构当中,应当尽可能保证所有peer-link链路的可靠性,不可靠的keepalive链路将会导致一些vPC Domain重新收敛。具体情况请见后面描述。

其次,进行完L3配置后,配置vPC Domain。一台设备属于且只能属于一个vPC Domain,一个vPC Domain有且只能拥有两个成员。Domain的配置当中,需要指定vPC对端设备的IP地址,如果这个设备的地址不在default VRF当中的时候,需要指定源地址:

vpc domain 1000

peer-keepalive destination 172.16.0.2 source 172.16.0.1 vrf vpc

完成这一步配置,将可以保证vPC组可以通过peer-link keepalive来检测和通告对端状态。

再次,配置peer-link。Peer-link是vPC转发机箱间流量的链路,因此链路只能使用10G以太网,配置手册推荐使用至少2条10G以太网电缆进行捆绑:

interface Ethernet2/5

switchport

switchport mode trunk

channel-group 56

no shutdown

interface Ethernet2/6

switchport

switchport mode trunk

channel-group 56

no shutdown

interface port-channel56

switchport

switchport mode trunk

spanning-tree port type network //自动生成的配置

vpc peer-link

最后,将一段设备连接到两侧设备链路推入各自的EthernetChannel的组,并且将参加配置的EthernetChannel加入vPC组,保证对应的EthernetChannel在相同的转发vPC当中,便完成该配置:

interface Ethernet1/17

fex associate 100 //这条命令是nexus5000上的配置,N7K不需要

switchport mode fex-fabric //这条命令是nexus5000上的配置,N7K不需要

channel-group 17

interface Ethernet1/18

fex associate 101

switchport mode fex-fabric

channel-group 18

interface port-channel17

switchport mode fex-fabric

vpc 17

fex associate 100

interface port-channel18

switchport mode fex-fabric

vpc 18

fex associate 101

CAUTION

在配置当中,vpc的数字和port-channel的数字必须相同,并且这两个数字必须和Domain的数字不同。否则,将会导致vpc无法启动的问题。

vPC配置的两端都必须是相容的Trunk配置,例如LACP或者no protocol。

LACP System priority的一致,有利于vPC状态下LARP的收敛,手册推荐配置为vPC成员设备拥有相同的值。配置需要再全局和vPC配置模式下使用。

如果在配置中发现如下现象,则应当首先检查vPC中,成员EthernetChannel配置是否正常:

RTS35_7010_VDC1_1-RTS35_7010_VDC3_1# show port-chann summ

Flags: D - Down P - Up in port-channel (members)

I - Individual H - Hot-standby (LACP only)

s - Suspended r - Module-removed

S - Switched R - Routed

U - Up (port-channel)

M - Not in use. Min-links not met

--------------------------------------------------------------------------------

Group Port- Type Protocol Member Ports

Channel

--------------------------------------------------------------------------------

7 Po7(SU) Eth LACP Eth2/7(P) Eth2/8(P)

200 Po200(SU) Eth LACP Eth2/5(P) Eth2/6(s)

RTS35_7010_VDC1_1-RTS35_7010_VDC3_1#

注记:

对于不同的设备和不同的拓扑形态,vPC的具体配置也会有所不同。

1. 对于简单的downstream设备

如图所示:

对于简单的downstream设备,两台Nexus设备使用标准的vPC配置方法。两台设备之间配置peer-link和peer-link keepalive链路,在完成vPC配置之后,将于downstream连接的接口划入一个EthernetChannel,即便是该EthernetChannel也无妨,然偶将这个EthernetChannel接口划入到对应的vpc中,完成虚拟转发。

2.对于Nexus推荐的域环境

如图所示:

在Nexus5k和Nexus7k当中,使用fullmesh的结构来连接。通过vPC技术,中间这四条链路可以保持全活的状态,结合vPC形成的虚拟拓扑,实际上相当于单台Nexus5k和Nexus7k之间连接了一条40G的链路, 从而极大的提高了转发能力。

在这种配置实例当中,Nexus5k和Nexus7k需要单独配置自己的vPC Domain,在各自的vPC Domain正常建立后,将交叉的线路绑定成EthernetChannel,绑定协议不限于LACP或者no protocol。

下面的配置仅列出了左侧5k和7k的相关配置。

5k configuration //E1/5-6作为与7K互联的端口

interface Ethernet1/15

switchport mode trunk

channel-group 56

interface Ethernet1/16

switchport mode trunk

channel-group 56

interface port-channel56

switchport mode trunk

vpc 56

speed 10000

7k configuration //E2/4、8作为与7K互联的端口

interface Ethernet2/4

switchport

switchport mode trunk

channel-group 48

no shutdown

interface Ethernet2/8

switchport

switchport mode trunk

channel-group 48

no shutdown

interface port-channel48

switchport

switchport mode trunk

vpc 48

通过将同一台设备的两条链路捆绑成EthernetChannel,并将其放入相同的vPC转发组,来完成双向的配置。

CAUTION

配置当中,并需保持vPC两侧配置的同步,即,两侧的VLAN,接口,VDC配置应当一致,若配置不一致,则会导致vPC工作不正常。

所有的EthernetChannel必须工作在Trunk模式下,需要用Switchport mode trunk方式和做显式的指派,否则会导致vPC工作不正常。

割裂的vPC:HSRP和STP

vPC处于割裂状态时,vPC Domain成员的状态取决于当前的系统角色(system role)。

当vPC Peer-link Keepalive链路中断时,所有的数据转发都不会受到影响;当vPC Peer-link链路中断时,处于Secondary角色的设备,所有处于vPC成员组的EthernetChannel都会被置为Down状态,使得该设备从vPC管理域中离线,从而停止数据转发,直到链路被修复。

当vPC Domain成员都处在正常工作状态时,对于vPC Peer-link和vPC Peer-link Keepalive的中断都不会终止系统的数据转发,只是vPC收敛可能会导致丢失1~2个数据包。

但是处于下列情况,会导致vPC Domain出现数据转发问题:

保证vPC Domain正常工作,将两台设备中间的链路全部中断,然后在两侧都配置reload restore命令情况下, 重启两侧vPC Domain成员,在经过240s后,两侧设备都会处于双活状态,从而导致数据转发环路。从得到的消息看,应该是STP导致的二层环路所致。使用vPC配置命令:peer-switch也许可以解决这个问题。

该问题必须经由严格的操作时序才可重现。

vPC上的HSRP进行了特殊的修正,HSRP的Active负责相应ARP请求,但是standby角色也可以转发带有目的地为HSRP组虚拟MAC地址的数据包,这样就实现了HSRP的Load-Balance。

和HSRP一样,GLBP也是vPC所支持的热备份网关协议,但是GLBP通过AVG相应不同的ARP请求,并回应给不同AVF的MAC地址的方式来进行负载均衡。但是HSRP在vPC环境中,收敛速度比GLBP更快。

在vPC当中,所有HSRP、GLPB或者VRRP的,处于Active角色设备,都必须配置在vPC的Primary设备上;同样的,STP配置中,关于VLAN的根桥,也必须和Primary设备保持一致。

HSRP在两侧应当拥有相同的HSRP组号,并且同一组号在单一VDC上不能重复。基于vPC的HSRP不能使用USE-BIA参数。

vPC的细部配置

role priority

vPC在没有role priority配置的情况下,由桥MAC来决定谁是primary设备,MAC绝对值较小的会当选,如果配置了role priority的,则该项配置值相对较小的会当选。但是要shut peer-link一次,才能完成更改。

System-priority

这是vPC当中对于LACP的配置。如果该值不配置,则不影响,但是如果配置了,则vPC Domain中设备的system-priority值必须相同,如果不匹配,vPC启动可能会遇到麻烦。

Reload restore

该命令用于帮助Nexus启动后,找不到vPC对端时仍能激活vPC的功能。

缺省情况,如果vPC成员设备启动后无法找到对端,会导致所有vPC功能端口出于down状态,不能转发数据。配置了这个命令后,该单独启动的设备会在最少240s后,将vPC成员端口转变为up状态,并且开始转发数据。

CAUTION

在vPC成员设备间所有电缆,包括peer-link和peer-link keepalive电缆中断的情况下,并且两侧vPC全部配置reload restore,将会在两端设备重新启动完成后,存在vPC双活,Nexus将会与上层转发设备之间形成数据环路。

该情况仅出现在Nexus推荐的域环境中,并且要严格遵循步骤,才能出现。

Peer-switch

Peer-switch命令用于将vPC Domain成员设备虚拟成一个STP的根,从而实现生成树结构的优化,减少Primary设备失败后的STP重算时间。

vPC配置成功后的清单:

Nexus5010down# show vpc

Legend:

(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 500

Peer status : peer adjacency formed ok

vPC keep-alive status : peer is alive

Configuration consistency status: success

Type-2 consistency status : success

vPC role : secondary

Number of vPCs configured : 99

Peer Gateway : Disabled

Dual-active excluded VLANs : -

vPC Peer-link status

---------------------------------------------------------------------

id Port Status Active vlans

-- ---- ------ --------------------------------------------------

1 Po56 up 1,100-105

vPC status

----------------------------------------------------------------------------

id Port Status Consistency Reason Active vlans

------ ----------- ------ ----------- -------------------------- -----------

17 Po17 up success success -

18 Po18 up success success -

200 Po200 up success success 1,100-105

101376 Eth100/1/1 down* failed Consistency Check Not -

Performed

101377 Eth100/1/2 down* failed Consistency Check Not -

Performed

Nexus的SPAN

Nexus支持SPAN,ESPAN和ERSPAN。

SPAN方式被称为本地SPAN,用于本地交换机接口作为源和目的;ESPAN用于将SPAN流量的目的设定为某个VLAN,并通过Trunk实现远程的SPAN;ERSPAN用于将SPAN流量封装在GRE中,通过路由方式进行远端的SPAN。

Nexus7000最大可以存在48个Session,但是只能有两个在工作;Fex端口只能做SPAN的源,不能做span的目的;EthernetChannel成员不能当span的源,nexus5K上连接fex接口不能当span的源;Nexus5K仅支持SPAN,而Nexus7K则支持所有的SPAN类型。

VDC的MGMT接口

MGMT接口在所有VDC当中共享。在非VDC1中,show interface status 不显示,但是使用命令interface mgmt 0仍然可以将地址进行配置。所有VDC的MGMT接口地址应当在同一个子网内。

DOWN的VLAN端口

在基于vPC的配置中,如果vPC Domain成员交换机关于VLAN配置不一致,就会导致VLAN接口总是处于DOWN的状态,而无法被激活。

Nexus7K中,VLAN的配置和Interface VLAN的配置是相分离的,仅有Interface VLAN而没有VLAN,是会导致VLAN接口在两侧的配置不同,从而导致L3VLAN接口处于DOWN的状态。缺省情况下,L3VLAN接口被shutdown,需要使用no命令激活。

可以尝试使用VTP来避免配置上的错误。

RTS36_7010_VDC1_2-RTS36_7010_VDC3_2(config)# show inter status

--------------------------------------------------------------------------------

Port Name Status Vlan Duplex Speed Type

--------------------------------------------------------------------------------

mgmt0 -- connected routed full 1000 --

Eth1/25 -- disabled trunk full auto 10/100/1000

Eth1/26 -- disabled trunk full auto 10/100/1000

Eth1/27 -- disabled trunk full auto 10/100/1000

Eth1/28 -- disabled trunk full auto 10/100/1000

Eth1/29 -- disabled trunk full auto 10/100/1000

Eth1/30 -- disabled routed full auto 10/100/1000

Eth1/31 -- disabled routed full auto 10/100/1000

Eth1/32 -- disabled routed full auto 10/100/1000

Eth1/33 -- disabled routed full auto 10/100/1000

Eth1/34 -- disabled routed full auto 10/100/1000

Eth1/35 -- disabled routed full auto 10/100/1000

Eth1/36 VPC keepalive connected routed full 1000 10/100/1000

Eth2/4 connect to RTS36_7 connected routed full 10G 10GBASE-SR

Eth2/5 -- connected trunk full 10G 10GBASE-SR

Eth2/6 -- connected trunk full 10G 10GBASE-SR

Eth2/7 connect to RTS35_7 connected trunk full 10G 10GBASE-SR

Eth2/8 connect to RTS35_7 connected trunk full 10G 10GBASE-SR

Po7 connect to RTS35_7 connected trunk full 10G --

Po200 -- connected trunk full 10G --

Lo0 -- connected routed auto auto --

Vlan1 -- connected routed auto auto --

Vlan11 -- connected routed auto auto --

Vlan12 -- connected routed auto auto --

Vlan15 -- connected routed auto auto --

Vlan16 -- connected routed auto auto --

Vlan188 -- connected routed auto auto --

Nexus的路由

Nexus的OSPF

在Nexus当中,OSPF的带宽计算参考值已经从原来的100Mbps更改为40Gbps,并设定为默认值。

RTS35_7010_VDC1_1-RTS35_7010_VDC3_1(config-router)# auto-cost reference-bandwidth ?

<1-4000000> Rate in Mbps (bandwidth) (Default)

*Default value is 40000

<1-4000> Rate in Gbps (bandwidth)

*Default value is 40

Nexus的OSPF已经不允许在OSPF进程下进行网络的宣告,所有对于OSPF的网络宣告都要在接口下进行。

RTS35_7010_VDC1_1-RTS35_7010_VDC3_1# show run int vlan 11

!Command: show running-config interface Vlan11

!Time: Wed Dec 1 07:11:42 2010

version 5.1(1)

interface Vlan11

no shutdown

ip address 10.225.1.253/24

ip router ospf 100 area 0.0.0.0

ip ospf passive-interface

hsrp 11

preempt

priority 200

timers 1 3

ip 10.225.1.254

Nexus上的NLB

基于Windows Server系列操作系统的NLB,实验确认可以被支持。

标识一个部件

Nexus常常由很多部件构成,例如Fabric Module,或者xBAR等等,使用下面的命令可以激活面板上的Identification灯,从而标识出需要更换或者处理的模块。

locator-led {chassis | fan f-number | module slot | powersupply ps-number | xbar x-number}

no locator-led{chassis | fan f-number | module slot | powersupply ps-number | xbar x-number}

这个命令模板是基于Nexus7k的,在Nexus5k上有些参数不能用,但是有fex参数用来标识Fabric Module

光纤的类型

对于使用SFP的Nexus5010而言,需要考虑跨机房连接时的光纤类型。系统提示的信息如下:

RTS39_5010# show int e1/17 transceiver

Ethernet1/17

transceiver is present

type is 10Gbase-SR

name is CISCO-AVAGO

part number is SFBR-7702SDZ

revision is G2.3

serial number is AGA143164B3

nominal bitrate is 10300 MBit/sec

Link length supported for 50/125um fiber is 80 m

Link length supported for 50/125um fiber is 300 m

Link length supported for 62.5/125um fiber is 20 m

cisco id is --

cisco extended id number is 4

Nexus7000基本配置汇总

Cisco NX-OS/IOS Configuration Fundamentals Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences for the configuration fundamentals between the Cisco NX-OS software and the Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software to illustrate some the differences after the first system startup. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

Cisco NX-OS Overview

The Cisco NX-OS is a data center class operating system designed for maximum scalability and application availability. The CLI interface for the NX-OS is very similar to Cisco IOS, so if you understand the Cisco IOS you can easily adapt to the Cisco NX-OS. However, a few key differences should be understood prior to working with the Cisco NX-OS.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

When you first log into the NX-OS, you go directly into EXEC mode.

Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS 5.0(2a) introduced privilege levels and two-stage authentication using an enable secret that can be enabled with the global feature privilege configuration command.

By default, the admin user has network-admin rights that allow full read/write access. Additional users can be created with very granular rights to permit or deny specific CLI commands.

The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults, perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP) security policy.

The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced Services license is required depending on the features required. Additional licenses may be required in the future.

A 120 day license grace period is supported for testing, but features are automatically removed from the running configuration after the expiration date is reached.

The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP, etc… using the feature configuration command. Configuration and verification commands are not available until you enable the specific feature.

Interfaces are labeled in the configuration as Ethernet. There aren’t any speed designations.

The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical device to be partitioned into logical devices. When you log in for the first time You are in the default VDC (VDC 1).

The Cisco NX-OS has two preconfigured VRF instances by default (management, default). The management VRF is applied to the supervisor module out-of-band Ethernet port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet ports.

SSHv2 server/client functionality is enabled by default. TELNET server functionality is disabled by default. (The TELNET client is enabled by default and cannot be disabled.)

VTY and Auxiliary port configurations do not show up in the default configuration unless a parameter is modified (The Console port is included in the default configuration). The VTY port supports 32 simultaneous sessions and the timeout is disabled by default for all three port types.

Things You Should Know

The following list provides some additional Cisco NX-OS information that should be helpful when configuring and maintaining the Cisco NX-OS.

The default administer user is predefined as admin. An admin user password has to be specified when the system is powered up for the first time, or if the running configuration is erased with the write erase command and system is repowered.

If you remove a feature with the global no feature configuration command, all relevant commands related to that feature are removed from the running configuration.

The NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables. The boot variables determine what version of NX-OS is loaded when the system is powered on. (The kickstart and system boot variables have to be configured for the same NX-OS version.)

The show running-config command accepts several options, such as OSPF, BGP, etc… that will display the runtime configuration for a specific feature.

The show tech command accepts several options that will display information for a specific feature.

Configuration Comparison

The following sample code show similarities and differences between the Cisco NX-OS software and the Cisco IOS Software CLI.

Cisco IOS CLI

Cisco NX-OS CLI

Default User Prompt

 

c6500>

n7000#

Entering Configuration Mode

c6500# configure terminal

n7000# configure terminal

Saving the Running Config to the Startup Config (nvram)

c6500# write memory

or

c6500# copy running-config startup-config

n7000# copy running-config startup-config

Erasing the startup config (nvram)

c6500# write erase

n7000# write erase

Installing a License

Cisco IOS Software does not require a license file installation.

n7000# install license bootflash:license_file.lic

Interface Naming Convention

interface Ethernet 1/1

interface FastEthernet 1/1

interface GigabitEthernet 1/1

interface TenGigabitEthernet 1/1

interface Ethernet 1/1

Default VRF Configuration (management)

Cisco IOS Software doesn’t enable VRFs by default.

vrf context management

Configuring the Software Image Boot Variables

boot system flash sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin

boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-1

boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-2

boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-2

Enabling Features

Cisco IOS Software does not have the functionality to enable or disable features.

feature ospf

Enabling TELNET (SSHv2 is recommended)

Cisco IOS Software enables TELNET by default.

feature telnet

Configuring the VTY Timeout and Session Limit

 

line vty 0 9

exec-timeout 15 0

login

line vty

session-limit 10

exec-timeout 15

Verification Command Comparison

The following table compares some useful show commands for verifying the initial system startup and running configuration.

Cisco NX-OS

Cisco IOS Software

Command Description

show running-config

show running-config

Displays the running configuration

show startup-config

show startup-config

Displays the startup configuration

-

-

-

show interface

show interface

Displays the status for all of the interfaces

show interface ethernet

show interface >

Displays the status for a specific interface

-

-

-

show boot

show boot

Displays the current boot variables

-

-

-

show clock

show clock

Displays the system clock and time zone configuration

show clock detail

show clock detail

Displays the summer-time configuration

-

-

-

show environment

show environment

Displays all environment parameters

show environment clock

show environment status clock

Displays clock status for A/B and active clock

show environment fan

show environment cooling fan-tray

Displays fan status

show environment power

show power

Displays power budget

show environment temperature

show environment temperature

Displays environment data

-

-

-

show log logfile

show log

Displays the local log

show log nvram

-

Displays persistent log messages (severity 0-2) stored in NVRAM

show module

show module

Displays installed modules and their status

show module uptime

-

Displays how long each module has be powered up

show module fabric

-

Displays fabric modules and their current status

show platform fabric-utilization

show fabric utilization

Displays the % of fabric utilized per module

show process cpu

show process cpu

Displays the processes running on the CPU

show process cpu history

show process cpu history

Displays the process history of the CPU in chart form

show process cpu sorted

show process cpu sorted

Displays sorted processes running on the CPU

-

-

-

show system cores

-

Displays the core dump files if present

show system exception-info

show exception

Displays last exception log

show system redundancy status

show redundancy

Displays the supervisors High Availability status

show system resources

show process cpu

Displays CPU and memory usage data

show system uptime

-

Displays system and kernel start time (Displays active supervisor uptime)

-

-

-

show tech-support

show tech-support

Displays system technical information for Cisco TAC

show tech-support

show tech-support

Displays feature specific technical information for Cisco TAC

-

-

-

show version

show version

Displays running software version, basic hardware, CMP status and system uptime

-

-

-

show line

show line

Displays console and auxiliary port information

show line com1

-

Displays auxiliary port information

show line console

show line console 0

Displays console port information

show line console connected

-

States if the console port is physically connected

show terminal

show terminal

Displays terminal settings

show users

show users

Displays current virtual terminal settings

-

-

-

show vrf

show ip vrf

Displays a list of all configured VRFs

show vrf

show ip vrf

Displays an specified VRF

show vrf detail

show vrf detail

Displays details for a specified

show vrf interface

-

Displays interface assignment for a specified VRF

show vrf default

-

Displays a summary of the default VRF

show vrf detail

show vrf detail

Displays details for all VRF's

show vrf interface

show ip vrf interface

Displays VRF interface assignment

show vrf management

-

Displays a summary of the management VRF

-

-

-

show license

-

Displays all license file information

show license brief

-

Displays the license file names installed

show license file

-

Displays license contents based on a specified name

show license host-id

-

Displays the chassis Host-ID used for creating a license

show license usage

-

Displays all licenses used by the system

show license usage

-

Displays all licenses used by the system per type

show license usage vdc-all

-

Displays all licenses used by the system for all VDCs

-

-

-

show vdc

-

Displays a list of the configured VDC's

show vdc

-

Displays a summary of the individual VDC

show vdc detail

-

Displays configuration details for a specific VDC

show vdc membership

-

Displays interface membership for a specific VDC

show vdc resource

-

Displays resource allocation for a specific VDC

show vdc current-vdc

-

Displays the VDC that the user is currently in

show vdc detail

-

Displays details information for all VDCs

show vdc membership

-

Displays interface membership for all VDCs

show vdc resources

-

Displays resource allocation for all VDCs

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Configuration_Fundamentals_Comparison"

Cisco NX-OS/IOS Interface Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in interface support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

Interface Configuration Overview

The NX-OS supports different physical and virtual interface types to meet various network connectivity requirements. The different interface types include: layer-2 switched (access or trunk), layer-3 routed, layer-3 routed (sub-interface trunk), switched virtual interface (SVI), port-channel, loopback, and tunnel interfaces. Port-channel interfaces are documented in the Cisco NX-OS/IOS Port-Channel ComparisonTech-Note.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

SVI command-line interface (CLI) configuration and verification commands are not available until you enable the SVI feature with the feature interface-vlan command.

Tunnel interface command-line interface (CLI) configuration and verification commands are not available until you enable the Tunnel feature with the feature tunnel command.

Interfaces support stateful and stateless restarts after a supervisor switchover for high availability.

Only 802.1q trunks are supported, so the encapsulation command isn't necessary when configuring a layer-2 switched trunk interface. (Cisco ISL is not supported)

An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when configuring an IP address on a layer-3 interface.

The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2)

The out-of-band management ethernet port located on the supervisor module is configured with the interface mgmt 0 CLI command.

Things You Should Know

The following list provides some additional facts about the Cisco NX-OS that should be helpful when configuring interfaces.

An interface can only be configured in 1 VDC at a time.

All 4 interfaces in a port group must be assigned to the same VDC when assigning interfaces on the 32 port 10GE module. There are not any restrictions for the 48 port 1GE modules.

10 GE interfaces can be configured in dedicated mode using the rate-mode dedicated interface CLI command.

The default port type is configurable for L3 routed or L2 switched in the setup startup script. (L3 is the default port type prior to running the script)

A layer-2 switched trunk port sends and receives traffic for all VLANs by default (This is the same as Cisco IOS Software). Use the switchport trunk allowed vlan interface CLI command to specify the VLANs allowed on the trunk.

The clear counters interface ethernet x/x CLI command resets the counters for a specific interface.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS Software.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring a Routed Interface

 

interface gigabitethernet 1/1

ip address 192.168.1.1 255.255.255.0

no shutdown

interface ethernet 1/1

ip address 192.168.1.1/24

no shutdown

Configuring a Switched Interface (VLAN 10)

vlan 10


interface gigabitethernet 1/1

switchport

switchport mode access

switchport access vlan 10

no shutdown

vlan 10


interface ethernet 1/1

switchport

switchport mode access

switchport access vlan 10

no shutdown

Configuring a Switched Virtual Interface (SVI)

Cisco IOS Software does not have the ability to enable or disable SVI interfaces using the feature command.


interface vlan 10

ip address 192.168.1.1 255.255.255.0

no shutdown

feature interface-vlan


interface vlan 10

ip address 192.168.1.1./24

no shutdown

Configuring a Switched Trunk Interface

interface GigabitEthernet 1/1

switchport

switchport trunk encapsulation dot1q

switchport trunk native vlan 2

switchport trunk allowed vlan 10,20

switchport mode trunk

no shutdown

interface ethernet 1/1

switchport mode trunk

switchport trunk allowed vlan 10,20

switchport trunk native vlan 2

no shutdown

Configuring a Routed Trunk Sub-Interface

interface gigabitethernet 1/1

no switchport

no shutdown

interface gigabitethernet1/1.10

encapsulation dot1Q 10

ip address 192.168.1.1 255.255.255.0

no shutdown

interface ethernet 1/1

no switchport

no shutdown


interface ethernet 1/1.10

encapsulation dot1q 10

ip address 192.168.1.1/24

no shutdown

Configuring a Loopback Interface

 

interface loopback 1

ip address 192.168.1.1 255.255.255.255

no shutdown

interface loopback 1

ip address 192.168.1.1/32

no shutdown

Configuring a Tunnel Interface

Cisco IOS Software does not have the ability to enable or disable Tunnel interfaces using the feature command.


interface Tunnel 1

ip address 192.168.1.1 255.255.255.0

tunnel source 172.16.1.1

tunnel destination 172.16.2.1

no shutdown

feature tunnel


interface tunnel 1

ip address 192.168.1.1/24

tunnel source 172.16.1.1

tunnel destination 172.16.2.1

no shutdown

Configuring an Interface Description

 

interface gigabitethernet 1/1

description Test Interface

interface ethernet 1/1

description Test Interface

Configuring Jumbo Frames

 

interface gigabitethernet 1/1

mtu 9216

interface ethernet 1/1

mtu 9216

Configuring Multiple Interfaces (Examples)

 

interface range gigabitethernet 1/1-2

or

interface range gigabitethernet 1/1, gigabitethernet 2/1

interface ethernet 1/1-1

or

interface ethernet 1/1, ethernet 2/1

Verification Command Comparison

The following table lists some useful show commands for verifying the status and troubleshooting an interface.

Cisco NX-OS Interface

Cisco IOS Software Interface

Command Description

show interface

show interface

Displays the status and statistics for all interfaces or a specific interface

show interface brief

-

Displays a brief list of the interfaces (type, mode, status, speed, MTU)

show interface capabilities

show interface capabilities

Displays interface capabilities

show interface counters

show interface counters

Displays interface counters (input/output unicast, multicast & broadcast)

show interface debounce

-

Displays the de-bounce status and time in ms for all interfaces

show interface description

-

Displays all interfaces with configured descriptions

show interface ethernet

show interface interface-type

Displays status and statistics for a specific interface

show interface flowcontrol

show interface flowcontrol

Displays Flow Control (802.1p) status and state for all interfaces

show interface loopback

show interface loopback

Displays status and statistics for a specific loopback interface

show interface mac-address

-

Displays all interfaces and their associated MAC Addresses

show interface mgmt

-

Displays status and statistics for the management interface located on the supervisor

show interface port-channel

show interface port-channel

Displays status and statistics for a specific port-channel

show interface status

show interface status

Displays all interfaces and their current status

show interface switchport

show interface switchport

Displays a list of all interfaces that are configured as switchports

show interface transceiver

show interface transceiver

Displays a list of all interfaces and optic information (calibrations, details)

show interface trunk

show interface trunk

Displays a list of all interfaces configured as trunks

show interface tunnel <#>

show interface tunnel <#>

Displays status and statistics for a specific tunnel interface

show interface vlan <#>

show interface vlan <#>

Displays status and statistics for a specific VLAN interface

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Interface_Comparison"

Cisco NX-OS/IOS Port-Channel Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in Port-Channel support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

Port-Channel Overview

Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology. Port-Channels can be configured in Static Mode (no protocol) or in conjunction with a protocol such as LaCP defined in IEEE 802.3ad or PaGP for dynamic negotiations and keep-alive detection for failover.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

256 Port-Channels are supported per chassis

LaCP and Static Mode Port-Channels are supported (PaGP is not supported in Cisco NX-OS Software).

LaCP command-line interface (CLI) configuration and verification commands are not available until you enable the LaCP feature with the feature lacp command.

The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2)

A Port-Channel can be converted between a layer-2 and layer-3 Port-Channel without removing the member ports.

The force keyword can be used when adding an interface to an existing Port-Channel to force the new interface to inherit all of the existing Port-Channel compatibility parameters.

Things You Should Know

The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network using Port-Channels.

A single Port-Channel cannot connect to two different VDCs in the same chassis.

You cannot disable LaCP with the no feature lacp command if LaCP is configured for a Port-Channel. LaCP must be disabled on all Port-Channels prior to disabling LaCP globally.

The show port-channel compatibility-parameters CLI command is very useful for verifying interface parameters when configuring Port-Channels.

The show port-channel load-balance forwarding-path CLI command can be used to determine the individual link a flow traverses over a specific Port-Channel.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS. Cisco NX-OS does not use the range keyword when specifying multiple interfaces. Cisco NX-OS also has the ability to force an interface to inherit existing Port-Channel compatibility parameters using the force keyword.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the LaCP Feature

 

Cisco IOS Software does not have the ability to enable or disable LaCP.

feature lacp

Configuring LACP Active Mode

interface range gigabitethernet 1/1-2

channel-group 1 mode active

interface ethernet 1/1-2

channel-group 1 mode active

Configuring LaCP Passive Mode

interface range gigabitethernet 1/1-2

channel-group 1 mode passive

interface ethernet 1/1-2

channel-group 1 mode passive

Configuring Static Mode (no protocol)

interface range gigabitethernet 1/1-2

channel-group 1 mode on

interface ethernet 1/1-2

channel-group 1 mode on

Enabling a Port Channel

interface port-channel 1

no shutdown

interface port-channel 1

no shutdown

Layer-2 Port-Channel Example

interface range gigabitethernet 1/1-2

switchport

channel-group 1 mode active


interface port-channel 1

no shutdown

interface ethernet 1/1-1

switchport

channel-group 1 mode active


interface port-channel 1

no shutdown

Layer-3 Port-Channel Example

interface range gigabitethernet 1/1-2

no switchport

channel-group 1 mode active


interface port-channel 1

ip address 192.168.1.1 255.255.255.0

no shutdown

interface ethernet 1/1-1

no switchport

channel-group 1 mode active


interface port-channel 1

ip address 192.168.1.1/32

no shutdown

Adding an Interface to an Existing Port-Channel

Cisco IOS Software does not have the force option, so all interface parameters have to be compatible prior to adding the interface to an existing Port-Channel.


interface range gigabitethernet 1/3

no switchport

channel-group 1 mode active[

interface ethernet 1/3

channel-group 1 force mode active

Configuring the System Load-Balance Algorithm

port-channel load-balance dst-mac

port-channel load-balance ethernet destination-mac

Configuring the Load-Balance Algorithm per Module

port-channel per-module load-balance

port-channel load-balance dst-mac module 1

port-channel load-balance ethernet destination-mac module 1

Verification Command Comparison

The following table lists some useful show commands for verifying and troubleshooting a Port-Channel configuration.

Cisco NX-OS Port-Channels

Cisco IOS Software Port-Channels

Command Description

show interface

show interface

Displays statistics all interfaces or a specific interface

show interface port-channel <#>

show interface port-channel <#>

Displays statistics for a specific port-channel

-

-

-

show port-channel capacity

-

Displays port-channel resources (total, used, free)

show port-channel compatibility-parameters

-

Displays the compatibility-parameters (IE: speed, duplex, etc)

show port-channel database

-

Displays the aggregation state for one or more port-channels

show port-channel load-balance

show etherchannel load-balance

Displays the load-balancing algorithm (hash) configured

show port-channel load-balance forwarding-path

show etherchannel load-balance hash-result

Displays packet forwarding information

show port-channel summary

show etherchannel summary

Displays a summarized list of all port-channels

show port-channel traffic

-

Displays the load per link in a port-channel (Based in interface counters)

show port-channel usage

-

Displays the range of used and unused port-channel numbers

-

-

-

show lacp counters

show lacp counters

Displays the LaCP PDU and error counters

show lacp interface

-

Displays detailed LaCP information per interface

show lacp neighbors

show lacp neighbors

Displays detailed LaCP information per neighbor

show lacp port-channel

show lacp

Displays the port-channel LaCP configuration

show lacp system-identifier

show lacp sys-id

Displays the LaCP system ID (Priority / MAC address)

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Port-Channel_Comparison"

http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison

Cisco NX-OS/IOS HSRP Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in Hot Standby Routing Protocol (HSRP) (IPv4) support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

HSRP Overview

HSRP is a Cisco proprietary First Hop Redundancy Protocol (FHRP) designed to allow transparent failover for an IP client’s default gateway (first-hop router).

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

HSRP command-line interface (CLI) configuration and verification commands are not available until you enable the HSRP feature with the feature hsrp command.

HSRP is hierarchical. All related commands for an HSRP group are configured under the group number.

The HSRP configuration commands use the format hsrp instead of standby .

The HSRP verification commands use the format show hsrp instead of show standby .

HSRP supports stateful process restart by default.

The hello and hold-time timer ranges for the millisecond options are different. In Cisco NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000 milliseconds.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining HSRP-enabled networks.

If you remove the feature hsrp command, all relevant HSRP configuration information is also removed.

HSRPv1 is enabled by default (HSRPv2 can be enabled per interface).

HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers (0 to 4095).

HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a different version on different interfaces.

The show running-config hsrp command displays the current HSRP configuration.

Configuration of more than one FHRP on an interface is not recommended.

Object tracking is supported. Tracking can be configured for an interface’s line protocol state, IP address state, and for IP route reachability (determining whether a route is available in the routing table).

An interface can track multiple objects.

Secondary IP addresses are supported in the same or a different group as the interface’s primary IP address.

Load sharing can be accomplished by using multiple HSRP groups per interface.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for configuration and verification commands. Both enhancements make the configuration easier to read.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the HSRP Feature

 

Cisco IOS Software does not have the ability to enable or disable HSRP.

feature hsrp

Configuring HSRP on an Interface

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

ip 192.168.10.1

Configuring the priority and preempt Options

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

standby 0 priority 110

standby 0 preempt

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

preempt

priority 110

ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Seconds)

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

standby 0 timers 1 3

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

timers 1 3

ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Milliseconds)

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

standby 0 timers msec 250 msec 750

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

timers msec 250 msec 750

ip 192.168.10.1

Configuring MD5 Authentication

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

standby 0 authentication md5 key-string cisco123

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

authentication md5 key-string cisco123

ip 192.168.10.1

Configuring HSRP Version 2 on an Interface

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby version 2

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp version 2

Configuring Minimum and Reload Initialization Delay

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby delay minimum 5 reload 10

interface Ethernet2/1

ip address 192.168.10.2/24

hsrp delay minimum 5 reload 10

Configuring Object Tracking (Interface Line-Protocol)

track 1 interface Ethernet2/2 line-protocol


interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

standby 0 ip 192.168.10.1

standby 0 track 1 decrement 20

track 1 interface ethernet 2/2 line-protocol


interface Ethernet2/1

ip address 192.168.10.2/24

hsrp 0

track 1 decrement 20

ip 192.168.10.1

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting an HSRP configuration.

Cisco NX-OS HSRP

Cisco IOS Software HSRP

Command Description

show hsrp

show standby <#>

Displays detailed information for all HSRP groups

show hsrp active

-

Displays all of the groups in the “active” state

show hsrp brief

show standby brief

Displays a summary of all the HSRP groups

show hsrp delay

-

Displays minimum and maximum delay times for preempting

show hsrp group

-

Displays detailed information for a specified group

show hsrp init

-

Displays all the groups in the "init" state

show hsrp interface

-

Displays detailed information for a specific interface

show hsrp learn

-

Displays all the groups in the "learn" state

show hsrp listen

-

Displays all the groups in the "listen" state

show hsrp speak

-

Displays all the groups in the "speak" state

show hsrp standby

-

Displays all the groups in the "standby" state

show hsrp summary

-

Displays summary information for HSRP groups

-

-

-

show track

show track

Displays the configured tracked objects

show track brief

show track brief

Displays a brief list of tracked objects

show track interface

show track interface

Displays the status of tracked interfaces

show track ip

show track ip

Displays the IP protocol objects that are tracked

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison"

Cisco NX-OS/IOS STP Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in Spanning-Tree Protocol (STP) support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

STP Overview

STP is a standards based link-layer protocol originally defined in IEEE 802.1d that runs on switches to prevent forwarding loops when using redundant layer-2 network topologies. Newer variants of STP have been developed called Rapid Spanning Tree protocol (RSTP) defined in IEEE 802.1w and Multiple Spanning Tree protocol (MST) defined in IEEE 802.1s that are enhanced for better scalability and converge faster than the original version.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

Rapid-PVST+ and the MST protocols are supported.

Rapid-PVST+ is enabled by default.

High availability is achieved with stateful switchover when two supervisors are installed in a chassis.

The STP port types are identified with the port type designation as opposed to the portfast designation in Cisco IOS Software.

Things You Should Know

The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network configured with the STP.

Rapid-PVST+ is interoperable with the 802.1d STP.

Rapid-PVST+ is interoperable with MST. (This is enabled by default)

Only one STP can be enabled per VDC.

Bridge Assurance is enabled globally by default, but is disabled on an interface by default.

Bridge Assurance can be enabled for an interface using the spanning-tree port type network interface command.

The clear spanning-tree counters command clears the counters for an STP interface or a VLAN.

STP enhancements such as BPDU Guard, Loop Guard, Root Guard, and BPDU Filtering are supported.

Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software

Do not disable STP. Even if the layer-2 topology does not require STP, it should always be enabled as a safeguard for configuration and/or cabling errors.

Changing the STP mode can disrupt traffic.

Enabling Bridge Assurance is recommended. However, only enable Bridge Assurance on layer-2 links if both devices on each end of the link support it.

Typically the core/backbone devices should be configured as the primary and secondary root bridges.

The default bridge priority is 32,768 (plus the VLAN #). The lower the value, the more likely it will become the root bridge.

Configure 802.1q trunk ports as edge trunk port type when connecting to L3 hosts such as firewalls, load-balancers, or servers for faster convergence.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type terminology. The Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port type designation.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring VLANs

 

vlan 10,20

vlan 10,20

Configuring Rapid PVST+

spanning-tree mode rapid-pvst

Rapid-PVST is enabled by default.

spanning-tree mode rapid-pvst

Configuring the Rapid-PVST+ Bridge Priority

spanning-tree vlan 10 root primary

spanning-tree vlan 20 root secondary

spanning-tree vlan 10 root primary

spanning-tree vlan 20 root secondary

Configuring MST

spanning-tree mode mst

spanning-tree mode mst

Configuring a MST Instance

spanning-tree mst configuration

instance 1 vlan 10

instance 2 vlan 20

spanning-tree mst configuration

instance 1 vlan 10

instance 2 vlan 20

Configuring the MST Bridge Priority

spanning-tree mst 1 root primary

spanning-tree mst 2 root secondary

spanning-tree mst 1 root primary

spanning-tree mst 2 root secondary

Configuring STP Port Types Globally

spanning-tree portfast edge default

or

spanning-tree portfast network default

spanning-tree port type edge default

or

spanning-tree port type network default

Configuring STP Port Types per Interface

interface GigabitEthernet1/1

switchport

spanning-tree portfast edge

or

spanning-tree portfast network

or

spanning-tree portfast disable

interface ethernet 1/1

switchport ----必须定义为交换口才能应用下面的edge命令

spanning-tree port type edge

or

spanning-tree port type network

or

spanning-tree port type normal

Configuring a Trunk as an Edge Port Type

interface GigabitEthernet1/1

switchport

spanning-tree portfast edge trunk

interface ethernet 1/1

switchport

spanning-tree port type edge trunk

Disabling PVST Simulation Globally

no spanning-tree mst simulate pvst global

no spanning-tree mst simulate pvst global

Disabling PVST Simulation per Port

interface GigabitEthernet1/1

switchport

spanning-tree mst simulate pvst disable

interface ethernet 1/1

switchport

spanning-tree mst simulate pvst disable

Verification Command Comparison

The following table lists some useful show commands for verifying and troubleshooting a STP network configuration. The show commands are identical for Cisco IOS and Cisco NX-OS Software.

Cisco NX-OS STP

Cisco IOS Software STP

Command Description

show spanning-tree

show spanning-tree

Displays high level STP process information

show spanning-tree active

show spanning-tree active

Displays all ports in the active state

show spanning-tree blockedports

show spanning-tree blockedports

Displays all ports in the blocked state

show spanning-tree detail

show spanning-tree detail

Displays detailed information per STP instance

show spanning-tree interface

show spanning-tree interface

Displays detailed STP information for a specific interface

show spanning-tree mst

show spanning-tree mst

Displays high-level MST configuration

show spanning-tree mst configuration

show spanning-tree mst configuration

Displays the MST instance configuration

show spanning-tree mst detail

show spanning-tree mst detail

Displays detailed MST information

show spanning-tree root

show spanning-tree root

Displays STP root information

show spanning-tree summary

show spanning-tree summary

Displays STP summary information

show spanning-tree vlan

show spanning-tree vlan

Displays per VLAN STP information

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_STP_Comparison"

Cisco NX-OS/IOS SPAN Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in the Switched Port Analyzer (SPAN) between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

SPAN Overview

The SPAN feature allows traffic to be mirrored from within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

Only Local SPAN is supported.

Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.

18 monitor sessions can be configured. Only two sessions can be active simultaneously.

Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software has the option for flat for hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later.

A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).

Destination SPAN ports must be configured as Layer 2 ports with the switchport command.

Destination SPAN ports require the switchport monitor interface configuration command.

The SPAN feature supports stateful and stateless process restarts.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.

Two active SPAN sessions are supported for all virtual device contexts (VDCs).

Monitor sessions are disabled by default. They can be enabled with the no shut command.

The source traffic direction can be configured as rx, tx, or both. The default is both.

When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN are sent to the destination.

The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.)

By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.

A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)

A destination port does not participate in a spanning-tree instance.

A destination port can be configured in only one SPAN session at a time.

A port cannot be configured as both a source and destination port.

128 source interfaces can be configured per session.

32 source VLANs can be configured per session.

2 destination interfaces can be configured per session.

Configuration Comparison

The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of as the Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring the Destination Switchport Mode

 

Cisco IOS Software does not require any destination port configuration.

interface Ethernet2/2

switchport

switchport monitor

Configuring Destination Port Ingress Forwarding and Learning

monitor session 1 type local

destination interface Gi2/2 ingress learning

interface Ethernet2/2

switchport

switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination)

monitor session 1 type local

source interface Gi2/1

destination interface Gi2/2

monitor session 1

source interface Ethernet2/1 both

destination interface Ethernet2/2

no shut

Configuring a SPAN Monitor (VLAN Source)

monitor session 1 type local

source vlan 10 , 20

destination interface Gi2/2

monitor session 1

source vlan 10,20 both

destination interface Ethernet2/2

no shut

Filtering VLANs for IEEE 802.1q Trunk Sources

interface GigabitEthernet2/1

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10-20

switchport mode trunk


monitor session 1 type local

filter vlan 15 - 20

source interface Gi2/1

destination interface Gi2/1

no shutdown

interface Ethernet2/1

switchport

switchport mode trunk

switchport trunk allowed vlan 10-20


monitor session 1

source interface Ethernet2/1 both

destination interface Ethernet2/2

filter vlan 15-20

no shut

Configuring a SPAN Monitor (CPU Source)

monitor session 1 type local

source cpu rp rx

destination interface Gi2/2

no shutdown

monitor session 1

source interface sup-eth0 rx

destination interface Ethernet2/2

no shut

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.

Cisco NX-OS SPAN

Cisco IOS Software SPAN

Command Description

show interface

show interface

Displays destination port characteristics

-

-

-

show monitor session <#>

show monitor session <#>

Displays a specific SPAN and monitor session

show monitor session all

show monitor session all

Displays all SPAN and monitor sessions

show monitor range <#-#>

show monitor range <#-#>

Displays a range of specified SPAN sessions

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_SPAN_Comparison"

Cisco NX-OS/IOS OSPF Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in Open Shortest Path First Version 2 (OSPFv2) support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

OSPF Overview

OSPFv2 is an IETF (RFC 2328) standards-based dynamic link-state routing protocol used to exchange network reachability within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

OSPF command-line interface (CLI) configuration and verification commands are not available until you enable the OSPF feature with the feature ospf command.

The OSPF protocol requires the Enterprise Services license.

The OSPF instance can consists of 20 characters, whereas the IOS supports numbers 1 – 65536.

Eight equal-cost paths are supported by default. You can configure up to sixteen.

The default reference bandwidth used in the OSPF cost calculation is 40 Gbps.

Networks and interfaces are added to an OSPF instance under the interface configuration mode.

An OSPF area can be configured using decimal or decimal dotted notation, but it is always displayed in decimal dotted notation in the configuration and in the show command output.

Passive interfaces are applied to the interface as opposed to under the OSPF router instance.

If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address for the first physical interface in the configuration.

Neighbor adjacency changes are not logged by default. The log-adjacency-changes CLI command is required under the OSPF instance.

When interface authentication is configured, the OSPF key is encrypted with Data Encryption Standard 3 (3DES) in the configuration. Cisco IOS Software requires the service password command.

When you rollover an OSPF authentication key in a combined Cisco NX-OS/Cisco IOS network, you should configure both keys on the Cisco NX-OS router to ensure that there is sufficient overlap between the old key and the new key for a smooth transition to the new key. You should configure the new key as a valid accept key on all the NX-OS and IOS routers before the new key becomes a valid generation key in the keychain. During the overlap period, Cisco NX-OS transmits the new OSPF key and accepts OSPF authenticated packets from both the old key and the new key.

The NX-OS does not support distribute-lists used to remove OSPF routes from the routing table. The NX-OS does support inter-area LSA/route filtering using the filter-list command configured under the OSPF routing instance.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an OSPF network.

Four OSPF instances can be configured per virtual device context (VDC).

Numerous Virtual Route Forwarding (VRF) instances can be associated to an OSPF instance.

If you remove the feature ospf command, all relevant OSPF configuration information is also removed.

The shutdown command under the OSPF process can be used to disable OSPF while retaining the configuration. Similar functionality can also be applied per interface with the ip ospf shutdown command.

The show running-config ospf command displays the current OSPF configuration.

An OSPF instance can be restarted with the restart ospf command.

Graceful Restart (RFC 3623) is enabled by default.

OSPF supports stateful process restarts if two supervisors are present.

You cannot configure multiple OSPF instances on the same interface.

An interface can support multi-area adjacencies using the multi-area option with the ip router ospf interface command.

Secondary IP addresses are advertised by default, but can be suppressed per interface with the ip router ospf area <#> secondaries none interface command.

By default all loopback IP address subnet masks are advertised in an LSA as a /32. The loopback interface command ip ospf advertise-subnet can be configured to advertise the primary IP address subnet mask. (This command does not apply to secondary IP addresses. They will still be advertised as a /32.)

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS allows OSPF to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the OSPF Feature

 

Cisco IOS Software does not have the ability to enable or disable OSPF.

feature ospf

Configuring an OSPF Instance and Router ID

router ospf 10

router-id 192.168.1.1

router ospf 10

router-id 192.168.1.1

Associating a Network with an OSPF Instance and Area

router ospf 10

network 192.168.1.0 0.0.0.255 area 1

interface Ethernet2/1

ip address 192.168.10.1/24

ip router ospf 10 area 1

Configuring a Passive Interface

router ospf 10

passive-interface GigabitEthernet2/1

network 192.168.1.0 0.0.0.255 area 1

interface Ethernet2/1

ip address 192.168.11.1/24

ip ospf passive-interface

ip router ospf 10 area 0

Configuring Interface Authentication (MD5)

interface GigabitEthernet2/1

ip address 192.168.10.1 255.255.255.0

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 cisco123

interface Ethernet2/1

ip address 192.168.10.1/24

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b

ip router ospf 10 area 1

Configuring a Stub Area with the no summary Option

router ospf 10

area 2 stub no-summary

router ospf 10

area 2 stub no-summary

Creating a Not-So-Stubby Area (NSSA) and Generating a Default Route

router ospf 10

area 3 nssa default-information-originate

router ospf 10

area 3 nssa default-information-originate

Configuring Inter-Area and External Summarization

router ospf 10

area 0 range 159.142.0.0 255.255.0.0 summary-address 172.16.0.0 255.255.0.0

router ospf 10

area 0 range 159.142.0.0/16 summary-address 172.16.0.0/16

Generating a Default Route (Conditional)

router ospf 10

default-information originate

router ospf 10

default-information originate

Generating a Maximum Metric (Max-Metric) Value

router ospf 10

max-metric router-lsa

router ospf 10

max-metric router-lsa

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting an OSPFv2 network configuration.

Cisco NX-OS OSPFv2

Cisco IOS Software OSPFv2

Command Description

show ip ospf

show ip ospf

Displays the running configuration

show ip ospf border-routers

show ip ospf border-routers

Displays a list of border routers

show ip ospf database

show ip ospf database

Displays OSPF database information

show ip ospf interface

show ip ospf interface <int type>

Displays OSPF database information

show ip ospf interface detail

-

Displays additional packet statistics for each interface

show ip ospf memory

-

Displays the memory allocated for OSPF

show ip ospf neighbor

show ip ospf neighbors

Displays neighbor-specific information

show ip ospf neighbor detail

show ip ospf neighbor detail

Displays details for each OSPF neighbor

show ip ospf policy statistics

-

Displays redistribution statistics for a specified protocol

show ip ospf request list

show ip ospf request list

Displays a list of link-state advertisements (LSAs) that have been requested

show ip ospf retransmission list

show module

Displays installed modules and their status

show ip ospf route

-

Displays all routes learned through OSPF

show ip ospf statistics

show ip ospf statistics

Displays OSPF LSA statistics

show ip ospf summary-address

show ip ospf summary-address

Displays OSPF-summarized networks

show ip ospf traffic

show ip ospf traffic

Displays OSPF-related packet counters

show ip ospf vrf

-

Displays information for a specified OSPF VRF instance

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_OSPF_Comparison"

Cisco NX-OS/IOS Layer-3 Virtualization Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in Layer 3 virtualization support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

Virtualization Routing and Forwarding Overview

Virtual Routing and Forwarding (VRF) provides an additional layer of network virtualization on top of virtual device contexts (VDCs). VRF provides separate unicast and multicast address space and associated routing protocols that make independent forwarding decisions. All unicast and multicast protocols support VRF.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

Cisco NX-OS supports 200 VRF instances per VDC.

Two VRF instances are configured by default. The management port on the supervisor module is assigned to the management VRF, and all I/O module ports are assigned to the default VRF.

The default VRF is the default routing context for all show commands.

VRF instances can be enabled without any command-line interface (CLI) prerequisites. Cisco IOS Software requires ip cef to be enabled globally before VRF instances can be configured.

Multicast routing/forwarding can be configured per VRF instance without having to globally enable the VRF instance for multicast . Cisco IOS Software requires the global ip multicast-routing vrf command per VRF instance.

The CLI for enabling VRF routing for a protocol is consistent for all routing protocols, whereas Cisco IOS Software uses address families for Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Enhanced Interior Gateway Routing Protocol (EIGRP) and requires unique routing process IDs per VRF for Integrated Intermediate System-to-Intermediate System (ISIS) and Open Shortest Path First (OSPF).

In Cisco NX-OS, numerous VRF instances can be assigned to a single routing protocol instance.

IP static routes are configured under the specified vrf context. In Cisco IOS Software, all static routes are configured in global configuration mode with the vrf option.

A VRF instance can be manually disabled with the shutdown command. Cisco IOS Software does not have the CLI capability to manually disable a VRF instance.

If a VRF context is removed with the no vrf context configuration command, the VRF context commands will be removed from the running configuration making the VRF non-functional, but all non context related VRF commands will remain in the running configuration. When a VRF is removed in Cisco IOS Software, the VRF instance and all related VRF commands are automatically removed from the running configuration, including any interface IP addresses previously associated to the VRF.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining VRF instances.

When you assign a VRF instance to an interface with an IP address previously configured, the interface IP address is automatically removed.

Static routes or dynamic routing protocols can be configured for routing in a VRF instance (BGP, EIGRP, ISIS, OSPF, static routes, and RIPv2).

IP troubleshooting tools such as ping and traceroute are VRF aware and require the name of a specific VRF instance if testing in the default VRF instance is not desired.

The routing-context vrf command can be executed in EXEC mode to change the routing context to a non-default VRF instance. For example, typing routing-context vrf management changes the routing context, so all VRF related commands are executed in the management VRF as opposed to the default VRF.

Network management–related services such as authentication, authorization and accounting (AAA), Call Home, Domain Name System (DNS), FTP, HTTP, NetFlow Network Time Protocol (NTP), RADIUS, Simple Network Management Protocol (SNMP), SSH, syslog, TACACS+, Telnet, Trivial File Transfer Protocol (TFTP), and XML are VRF aware.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable VRF routing. The Cisco NX-OS CLI is simpler and more consistent since it allows multiple VRF instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses different techniques depending on the routing protocol.

Cisco IOS CLI

Cisco NX-OS CLI

Creating a VRF

 

ip cef

ip vrf vrf-1

vrf context vrf-1

Assigning an Interface to a VRF

interface Ethernet2/1

ip vrf forwarding vrf-1

ip address 192.168.10.1 255.255.255.0

interface Ethernet2/1

vrf member vrf-1

ip address 192.168.10.1/24

Enabling BGP in a VRF

router bgp 10


address-family ipv4 vrf vrf-1

neighbor 192.168.10.2 remote-as 20

neighbor 192.168.10.2 activate

network 192.168.1.1 mask 255.255.255.255

exit-address-family

router bgp 10

vrf vrf-1

address-family ipv4 unicast

network 192.168.1.1/32

neighbor 192.168.10.2 remote-as 20

address-family ipv4 unicast

Enabling EIGRP in a VRF

router eigrp 10


address-family ipv4 vrf vrf-1

network 192.168.10.0

auto-summary

autonomous-system 10

exit-address-family!

interface Ethernet2/1

vrf member vrf-1

ip address 192.168.10.1/24

ip router eigrp 10


router eigrp 10

vrf vrf-1

Enabling ISIS in a VRF

interface Ethernet2/1

ip vrf forwarding vrf-1

ip address 192.168.10.1 255.255.255.0

ip router isis 10

router isis 10

vrf vrf-1

net 49.0001.0000.0001.00

interface Ethernet2/1

vrf member vrf-1

ip address 192.168.10.1/24

ip router isis 10


router isis 10

vrf vrf-1

net 49.0001.0000.0001.00

Enabling OSPF in a VRF

interface Ethernet2/1

ip vrf forwarding vrf-1

ip address 192.168.10.1 255.255.255.0


router ospf 10 vrf vrf-1

network 192.168.10.0 0.0.0.255 area 0

interface Ethernet2/1

vrf member vrf-1

ip address 192.168.10.1/24


ip router ospf 10

router ospf 10

vrf vrf-1

Enabling RIPv2 in a VRF

interface Ethernet2/1

ip vrf forwarding vrf-1

ip address 192.168.10.1 255.255.255.0


router rip

address-family ipv4 vrf vrf-1

network 192.168.10.0

version 2

exit-address-family

interface Ethernet2/1

vrf member vrf-1

ip address 192.168.10.1/24

ip router rip 10


router rip 10

vrf vrf-1

Configuring Static Routes in a VRF

ip route vrf vrf-1 192.168.2.0 255.255.255.0 192.168.10.2

vrf context vrf-1

ip route 192.168.2.0/24 192.168.10.2

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting VRF instances.

Cisco NX-OS VRF

Cisco IOS Software VRF

Command Description

show vrf

show ip vrf

Displays a list of all configured VRF instances

show vrf

show ip vrf

Displays a specific VRF instance

show vrf detail

show ip vrf detail

Displays details for a specific VRF instance

show vrf interface

-

Displays the interface assignment for a specific VRF instance

show vrf default

-

Displays a summary of the default VRF instance

show vrf detail

show ip vrf detail

Displays details for all VRF instances

show vrf interface

show ip vrf interface

Displays VRF interface assignments

show vrf management

-

Displays a summary of the management VRF instance

-

-

-

show ip route vrf all

-

Displays routes for all VRF instances

show ip route vrf default

-

Displays routes for the default VRF instance

show ip route vrf management

-

Displays routes for the management VRF instance

show ip route vrf

show ip route vrf

Displays routes for a specific VRF instance

-

-

-

show ip arp vrf

show ip arp vrf

Displays Address Resolution Protocol (ARP) entries for a specific VRF instance

-

-

-

show ip bgp vrf

show ip bgp ***v4 vrf

Displays BGP commands for a specific VRF instance

show ip eigrp vrf

show ip eigrp vrf

Displays EIGRP information for specific VRF instance

show ip isis vrf

show isis <#>

Displays ISIS commands for a specific VRF instance

show ip ospf vrf

show ip ospf <#>

Displays OSPF information for a specific VRF instance

show ip rip vrf

show ip rip database vrf

Displays RIP information for a specific VRF instance

show ip static-route vrf

-

Displays static routes for a specific VRF instance

-

-

-

show forwarding vrf

show ip cef vrf

Displays FIB information for a specific VRF (multiple sub-options)

-

-

-

show routing vrf

-

Displays a subset of the show vrf commands

show routing-context

-

Displays the current routing context

vPC Role and Priority

Within the VDC the following configurations are required.

vPC needs to be enabled:

agg(config)# feature vpc

A domain needs to be defined and priorities to define primary and secondary roles in the vPC configuration. The lower number has higher priority, and it wins.

Note also that the role is non-preemptive, so a device may be operationally primary, but secondary from a configuration perspective. Because spanning tree is preemptive, this may result in a mismatch between the spanning tree root and the vPC operational primary.

agg(config)# vpc domain 1

agg1(config-vpc-domain)# role priority 100

agg2(config-vpc-domain)# role priority 110

There are no functional issues when the STP root and vPC primary node do not match. This can only cause some sub-optimal convergence time due to STP resynchronization when the peer-link is flapped or a vPC device is reloaded.
Because of this, in case you want to restore the original mapping between Spanning-tree root and vpc primary you can follow this procedure on the secondary, operational primary device.

· Enter the vPC domain configuration, vpc domain (same vPC domain you are using).

· Reset the vPC role priority with the command.... vpc role priority (re-entering the same priority would be OK).

· Perform a shut/no shut over the peer-link

Or you can create a script (which you should customize):
7k-1(config)# cli alias name vpcpreempt conf t ; vpc domain  ; role priority 32767 ; int po 10 ; shut ; no sh
7k-1(config)# show cli alias

CLI alias commands
==================
alias       :show cli alias
vpcpreempt  :conf t ; vpc domain  10 ; role priority 32767 ; int po 10 ; shut ; no sh

vPC Domain ID

When configuring the vPC domain ID, make sure it’s different from the one used by a neighboring vPC-capable device with which you plan to configure vPC.也就是说N7K与N5K不要相同

As a result, in a back-to-back vPC configuration, if the neighboring switches use the same domain ID, there’s a risk of conflicting system-id in the LACP negotiation that could lead to an unsuccessful LACP negotiation.

vPC Peer Link

This port channel should be configured on dedicated-mode 10-GigE interfaces across two different 10-Gigabit linecards.

agg(config)# interface port-channel10

agg(config-if)# vpc peer-link

agg(config-if)# switchport trunk allowed vlan

Configuration for single 10 GigE Card

Using a single 10 Gigabit Ethernet card on the Nexus 7000 for both core connectivity as well as the peer link is possible, but not the most desirable option. If you lose the 10 Gigabit card on the vpc primary, you lose not only core connectivity, but also the peer link. As a result, ports will be shut down on the peer vpc device, isolating the servers completely.

A picture helps explaining:

In this topology, the failure of the10 GigE card that provides both peer-link connectivity and core connectivity, causes the vPC secondary to thus down the vPC member ports, so that traffic flows to the vPC primary. The vPC primary doesn’t have any core connectivity though, so traffic gets blackholed with a single failure.

The best solution is naturally to have two 10 GigE linecards, but alternatively you can use the object tracking functionality.

The objects being tracked are the uplinks to the core and the peer-link.

If these links are lost vPCs local to the switch are brought down so that traffic can continue on the vPC peer.

This feature is configured by using the following command syntax:

! Track the vpc peer link
track 1 interface port-channel110 line-protocol

! Track the uplinks to the core
track 2 interface Ethernet7/9 line-protocol
! Combine all tracked objects into one.
! “OR” means if ALL object are down, this object will go down
! --> we have lost all connectivity to the core and the peer link

track 10 list boolean OR
object 1
object 2
! If object 10 goes down on the primary vPC peer,
! system will switch over to other vPC peer and disable all local vPCs
vpc domain 1
track 10

CFSoE

Cisco Fabric Services over Ethernet (CFSoE) provides several infrastructure services for vPC, including MAC synchronization, configuration verification for potential mismatch in the configurations, and locking of the configuration while a vPC peer is being upgraded.

The CFSoE configuration does not need to be specifically enabled, but just as a reference, the configuration appears automatically when you enable vPC, and it looks like this:

agg1(config)#cfs region 10

agg1(config-cfs-region)# vpc

agg1(config)#cfs ethernet distribute

vPC Peer Keepalive or FT Link

Finally, a dual-active detection configuration needs to be put in place. The keepalive that is used to resolve dual-active scenarios can be carried over a routed infrastructure; it doesn’t need to be a direct point-to-point link. The keepalives are sent every two seconds.

The following configuration illustrates the use of a dedicated GigE interface for this purpose.

vrf context vpc-keepalive

interface Ethernet8/16

description tc-nexus7k02-vdc2 - vPC Heartbeat Link

vrf member vpc-keepalive

ip address 192.168.1.1/24

no shutdown

vpc domain 1

peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive

vPC Ports

Port channels are configured by bundling Layer 2 ports (switchports) on each Nexus switch via the command vpc. The system issues an error message if the port channel wasn’t previously configured as a switchport.

agg1(config)#interface ethernet2/9

agg1(config-if)# channel-group 51 mode active

agg1(config)#interface Port-channel 51

agg1(config-if)# switchport

agg1(config-if)# vpc 51

!

agg2(config)#interface ethernet2/9

agg2(config-if)# channel-group 51 mode active

agg2(config)#interface Port-channel 51

agg2(config-if)#switchport

agg2(config-if)# vpc 51

You can verify the success of the configuration by issuing the command:

agg1#show vpc brief

tc-nexus7k02-vdc2# show vpc br

[…]

vPC status

----------------------------------------------------------------------

id Port Status Consistency Reason Active vlans

-- ---- ------ ----------- -------------------------- ------------

51 Po51 down* failed vPC type-1 configuration -

incompatible - STP

interface port type

inconsistent

If the Consistency check doesn’t show Success, it is recommended that you verify the Consistency Parameters. Typical reasons for the vPC not to form include: the vLAN that is defined in the trunk doesn’t exist, or it is not defined on the peer link.

tc-nexus7k01-vdc2# show vpc consistency-parameters global

tc-nexus7k01-vdc2# show vpc consistency-parameters int port-channel 51

Legend:

Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value

------------- ---- ---------------------- -----------------------

STP Port Type 1 Default Default

STP Port Guard 1 None None

STP MST Simulate PVST 1 Default Default

Allowed VLANs - 10-14,21-24,50,60 10-14,21-24,50,60

After a port is defined as part of a vPC, any further configurations, such as enabling or disabling bridge assurance or trunking mode, etc, are performed under the interface port channel configuration mode. Trying to configure spanning tree properties for the physical interface instead of the port channel will result in an error message.

Orphan Ports with non-vPC VLANs

As described in chapter 3, when the peer link is lost, vPC shuts down the SVI on the secondary switch and, as a result, orphan ports on the operational secondary may become isolated. For this reason you may either trunk the non-vPC vLANs on a different link, or, you should remove the non-vPC VLANs from this behavior as described here.

First you may want to execute the following command to learn which ports are considered orphan ports from the Nexus 7000 perspective:

Nexus7000#show vpc orphan-ports

Second you can remove the non-vPC VLANs in the vpc domain configuration:

vpc domain 1

role priority 100

dual-active exclude interface-vlan

peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive

HSRP

The use of HSRP in the context of vPC doesn’t require any special configuration. With vPC, only the active HSRP interface answers ARP requests, but both HSRP interfaces (active and standby) can forward traffic.

If an ARP request coming from a server arrives on the secondary HSRP device, then it is forwarded to the active HSRP device via the peer link.

HSRP Configuration and Best Practices for vPC

The configuration on the Primary Nexus 7000 looks like this:

interface Vlan50

no shutdown

ip address 10.50.0.251/24

hsrp 50

preempt delay minimum 180

priority 150

timers 1 3

ip 10.50.0.1

The configuration on the Secondary Nexus 7000 looks as follows:

interface Vlan50

no shutdown

ip address 10.50.0.252/24

hsrp 50

preempt delay minimum 180

priority 130

timers 1 3

ip 10.50.0.1

The most significant difference between the HSRP implementation of a non-vPC configuration compared with a vPC configuration is that the HSRP MAC addresses of a vPC configuration are programmed with the G (gateway) flag on both systems, compared with a non-vPC configuration where only the active HSRP interface can program the MAC address with the G flag.

Thanks to this, routable traffic can be forwarded by both the vPC primary (where HSRP is pimrary) and the vPC secondary device (where HSRP is secondary) without having to send this traffic to the HSRP primary device.

Without this flag traffic hitting the MAC would not be routed.

vPC HSRP On Active:

G - 0000.0c07.ac01 static

vPC HSRP On Standby:

G - 0000.0c07.ac01 static

In non-vPC environment the HSRP MAC looks as follows:

· On Active: G - 0000.0c07.ac01 static

· On Standby: * - 0000.0c07.ac01 static

In order to verify that the HSRP configuration is functioning correctly, you may want to issue the following command and verify that the Active and Standby roles are clearly converged:

agg1#show hsrp brief

If some standby groups show as Unknown, then you may have forgotten to trunk the VLAN on the peer link from both Nexus 7000 vPc peers.

Advertising the Subnet

The configuration is completed by including the subnet in the routing advertisements and making sure that the vLANs used for server connectivity are not used to create neighbor relationship between the aggregation layer devices.

interface Vlan50

no shutdown

ip address 10.50.0.251/24

ip ospf passive-interface

ip router ospf 1 area 0.0.0.0

hsrp 50

preempt delay minimum 180

priority 150

timers 1 3

ip 10.50.0.1

L3 Link Between vPC Peers

In vPC designs you should make sure to include a L3 link/vLAN between the Nexus 7000s so that the routing areas can be adjacent. You may also consider HSRP tracking in non-vPC design, but not in vPC designs.

You should, therefore, create a L3 path on the peer link between the routing engine on Agg2 and Agg1 instead of using HSRP tracking.

tc-nexus7k01-vdc2(config)# vlan 3

tc-nexus7k01-vdc2(config-vlan)# name l3_vlan

tc-nexus7k01-vdc2(config-vlan)# exit

tc-nexus7k02-vdc2(config)# int vlan 3

tc-nexus7k02-vdc2(config-if)# ip address 10.3.0.2 255.255.255.252

tc-nexus7k02-vdc2(config-if)# ip router ospf 1 area 0.0.0.0

tc-nexus7k02-vdc2(config-if)# no shut

tc-nexus7k01-vdc2(config)# int Port-channel 10

tc-nexus7k01-vdc2(config-if)# switchport trunk allowed vlan add 3

You can then verify that the Nexus 7000 are OSPF neighbors by issuing the following command.

tc-nexus7k01-vdc2# show ip ospf neigh

OSPF Process ID 1 VRF default

Total number of neighbors: 3

Neighbor ID Pri State Up Time Address Interface

128.0.0.3 1 FULL/DR 01:03:05 10.51.35.126 Vlan10

Cisco NX-OS/IOS TACACS+, RADIUS, and AAA Comparison

From DocWiki

Jump to: navigation, search

Objective

This tech note outlines the main differences in TACACS+, RADIUS, and authentication, authorization and accounting (AAA) support between Cisco? NX-OS Software and Cisco IOS? Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

AAA Overview

AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than local databases.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command.

The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.

The RADIUS vendor-specific attributes (VSA) feature is enabled by default.

Local command authorization can be performed when using role-based access control (RBAC) without a AAA server. User roles can be associated with users configured on the AAA server using VSAs. Remote command authorization can be performed on a AAA server when using AAA with TACACS+.

If no AAA server is available for authentication, the local database is automatically used for device access.

The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password command.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services.

Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy only applies to the default VDC.

If you remove the feature tacacs+ command, all relevant TACACS+ configuration information is also removed.

64 TACACS+ and 64 RADIUS servers can be configured per device.

AAA server groups are associated with the default Virtual Route Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is in a non default VRF instance.

An IP source interface can be associated with AAA server groups.

TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.

By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).

Directed server requests are enabled by default for TACACS+ and RADIUS.

The local option can be used with AAA authorization to fallback to RBAC in the event a AAA server is not available for command authorization.

Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.

Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling TACACS+

 

Cisco IOS Software does not have the ability to enable or disable TACACS+.

feature tacacs+

Configuring a TACACS+ Server with a Key

tacacs-server host 192.168.1.1 key cisco123

tacacs-server host 192.168.1.1 key 7 "fewhg123"

Specifying a Nondefualt TACACS+ TCP Port

tacacs-server host 192.168.1.1 port 85

tacacs-server host 192.168.1.1 port 85

Specifying the TACACS+ Timeout Value (Global)

tacacs-server timeout 10

tacacs-server timeout 10

Configuring a RADIUS Server with a Key

radius-server host 192.168.1.1 key cisco123

radius-server host 192.168.1.1 key 7 "fewhg123"

Specifying Nondefualt RADIUS UDP Ports

radius-server host 192.16.1.1 auth-port 1645 acct-port 1646

radius-server 192.168.1.1 auth-port 1645 acct-port 1646

Specifying the RADIUS Timeout Value (Global)

radius-server host 192.168.1.1 timeout 10

radius-server timeout 10

Configuring an AAA Server Group (TACACS+)

aaa group server tacacs+ AAA-Servers

server 192.168.1.1

aaa group server tacacs+ AAA-Servers

server 192.168.1.1

Configuring an AAA Server Group (RADIUS)

aaa group server radius AAA-Servers

server 192.168.1.1

aaa group server radius AAA-Servers

server 192.168.1.1

Configuring an AAA Server Group for a VRF Instance (RADIUS)

aaa group server radius AAA-Servers

server 192.168.1.1

ip vrf forwarding management

aaa group server radius AAA-Servers

server 192.168.1.1

use-vrf management

Configuring the AAA Server Group Dead Time (RADIUS)

aaa group server radius AAA-Servers

deadtime 5

aaa group server radius AAA-Servers

deadtime 5

Enabling AAA Authentication with an AAA Server Group

aaa new-model

aaa authentication login default group AAA-Servers

aaa authentication login default group AAA-Servers

Enabling AAA Authorization with an AAA Server Group

aaa new-model

aaa authorization config-commands

aaa authorization commands 1 default group AAA-Servers

aaa authorization config-commands default group AAA-Servers

aaa authorization commands default group AAA-Servers

Enabling AAA Accounting with an AAA Server Group

aaa new-model

aaa accounting exec default start-stop group AAA-Servers

aaa accounting default group AAA-Servers

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS.

Cisco NX-OS AAA

Cisco IOS Software AAA

Command Description

show tacacs

show tacacs

Displays the TACACS+ server configuration for all servers

show tacacs

-

Displays a specific TACACS+ server configuration

show tacacs server directed-request

-

Displays the status of the directed-request feature (enabled or disabled)

show tacacs server groups

-

Displays TACACS+ server groups

show tacacs statistics

-

Displays TACACS+ statistics for a specific server

-

-

-

show radius

-

Displays the RADIUS server configuration for all servers

show radius

-

Displays a specific RADIUS server configuration

show radius server directed-request

-

Displays the status of the directed-request feature (enabled or disabled)

show radius server groups

show radius server-group

Displays RADIUS server groups

show radius statistics

show radius statistics

Displays RADIUS statistics for a specific server

-

-

-

show aaa accounting

-

Displays the status of AAA accounting

show aaa authentication

-

Displays the default and console login methods

show aaa authentication login error-enable

-

Displays the login error message status (enabled or disabled)

show aaa authentication login mschap

-

Displays the status of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP; enabled or disabled)

show aaa authorization

-

Displays the AAA authorization configuration

show aaa groups

-

Displays the AAA groups that are configured

-

-

-

show user-account

-

Displays a list of locally configured users

show users

show users

Displays the users who are logged in

Nexus5010down(config-if)# switchport mode fex-fabric

Nexus5010down(config-if)# channel-group 17 mode active

Fabric port-channel in LACP mode is not supported

Nexus5010down(config-if)#

Nexus5010down(config-if)# interface Ethernet1/18

Nexus5010down(config-if)# fex associate 101

Nexus5010down(config-if)# switchport mode fex-fabric

Nexus5010down(config-if)# channel-group 18 mode active

Fabric port-channel in LACP mode is not supportedRetrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_TACACS%2B%2C_RADIUS%2C_and_AAA_Comparison"

Nexus5000的配置同步

Nexus5000配置同步可以节省配置时间。

配置同步需要在Nexus5000的Config Sync模式下进行配置;配置的同时,要求vPC工作正常。

Config sync是Nexus5000 5.0版本提供的新级别,级别下有的命令如下:

RTS39_5010(config)# conf sync

RTS39_5010(config-sync)# ?

no Negate a command or set its defaults

resync-database Re-synchronize switch-profile database

switch-profile Enter switch-profile configuration mode

end Go to exec mode

exit Exit from command interpreter

pop Pop mode from stack or restore from name

push Push current mode to stack or save it under name

where Shows the cli context you are in

配置同步需要遵循以下步骤:

RTS39_5010(config)#cfs ipv4 distribute //确认CFS的IPV4模式启动

RTS39_5010(config)#vpc domain 50 ……. //确认vPC正常工作

…………

RTS39_5010(config)#config sync

RTS39_5010(config-sync)# switch-profile cisco

RTS39_5010(config-sync-sp)# sync-peers destination 10.225.248.6 //设定同步对端

同步配置的配置方法:

同步配置需要在switch-profile方式下配置,然后推送到对端。

RTS39_5010(config-sync)# switch-profile cisco

Switch-Profile started, Profile ID is 1

RTS39_5010(config-sync-sp)# vlan 555

RTS39_5010(config-sync-sp-vlan)# int e103/1/48

RTS39_5010(config-sync-sp-if)# switchport mode access

配置完成后,进行配置的检验,检验成功的,就可以commit了

Switch-Profile started, Profile ID is 1

RTS39_5010(config-sync-sp)# vlan 555

RTS39_5010(config-sync-sp-vlan)# int e103/1/48

RTS39_5010(config-sync-sp-if)# switchport mode access

RTS39_5010(config-sync-sp-if)# exit

RTS39_5010(config-sync-sp)# verify

Verification Successful

RTS39_5010(config-sync-sp)# commit

如果在verify过程当中出现错误提示的,一般应首先检查实际配置和将要发放的配置是不是有相互矛盾的地方,比较接口角色冲突。如果没有明显错误,仍然提示校验失败的,则应当按照下面的配置,进行一次数据库的同步。

RTS39_5010(config-sync)# resync-database

Re-synchronization of switch-profile db takes a few minutes...

Re-synchronize switch-profile db completed successfully.

RTS39_5010(config-sync)# switch-profile cisco

Switch-Profile started, Profile ID is 1

RTS39_5010(config-sync-sp)# int e103/1/48

RTS39_5010(config-sync-sp-if)# sw acc vlan 11

RTS39_5010(config-sync-sp-if)# exit

RTS39_5010(config-sync-sp)# verify

Verification Successful

初始化Nexus 2000 Fabric Module

Nexus 2000缺省不带任何的NX-OS以及配置,每次启动的时候,都会与上层交换机(Nexus5000或者Nexus7000)比对NX-OS版本和配置。如果版本和配置有变化,则强制与上级交换机同步。

与Nexus2000连接的交换机使用10GE接口相连,交换机接口需要进行如下配置,以便上层交换机可以识别:

interface Ethernet1/17

fex associate 100 //指定关联的Fabric Module成为第100个关联的模块

switchport mode fex-fabric //指定接口的功能用于驳接Fabric Module

通过一段时间的监测,上层交换机就可以发现并且配置Fabric Module。由于在上层交换机上看到的端口都是本地端口,所以这个具有fex-fabric角色的端口算是一个功能很特殊的Trunk。

同步完成之后,将可看到如下信息:

N5Kup(config-if)# show fex

FEX FEX FEX FEX

Number Description State Model Serial

------------------------------------------------------------------------

100 FEX0100 Online N2K-C2248TP-1GE JAF1438DRAG

101 FEX0101 Online N2K-C2248TP-1GE JAF1438BGBF

一个Fabric Module可以被出于vPC形态的多个上层交换机所识别,可以被两侧同时配置和管理。但是为了保证Fabric Module在系统切换时保持正确的形态,我们需要在两侧的上层交换机上同步配置。