Nexus Configuration Simple Guide
Contents
Nexus 7000 default port configuration
CMP (Connectivity Management Processor) configuration
Out-of-band management VRF
Partitioning a Nexus 7010 into VDCs
vPC based on EtherChannel
Split vPC: HSRP and STP
vPC details
SPAN on Nexus
VDC mgmt interface
VLAN interfaces stuck DOWN
Routing on Nexus
NLB on Nexus
Identifying a component
Nexus 7000 basic configuration summary
Cisco NX-OS/IOS Configuration Fundamentals Comparison
Cisco NX-OS/IOS Interface Comparison
Cisco NX-OS/IOS Port-Channel Comparison
Cisco NX-OS/IOS HSRP Comparison
Cisco NX-OS/IOS STP Comparison
Cisco NX-OS/IOS SPAN Comparison
Cisco NX-OS/IOS OSPF Comparison
Cisco NX-OS/IOS Layer-3 Virtualization Comparison
vPC Role and Priority
vPC Domain ID
vPC Peer Link
Configuration for single 10 GigE Card
CFSoE
vPC Peer Keepalive or FT Link
vPC Ports
Orphan Ports with non-vPC VLANs
HSRP
HSRP Configuration and Best Practices for vPC
Advertising the Subnet
L3 Link Between vPC Peers
Cisco NX-OS/IOS TACACS+, RADIUS, and AAA Comparison
Nexus 5000 configuration synchronization
Initializing a Nexus 2000 Fabric Extender (FEX)
Nexus 7000 default port configuration
By default every port is administratively shut down. The following command changes that default so that ports come up unless explicitly shut. Keeping ports shut by default is the safer posture (an unused port that is up is an unattended attachment point), so only change it if the deployment really needs it:
no system default switchport shutdown
copy running-config startup-config vdc-all     save the configuration of all VDCs
dir bootflash:
dir bootflash://sup-standby/
dir bootflash://sup-remote
show role
show inventory     lists the chassis inventory: product ID and serial number of every component
show hardware     detailed hardware information
show sprom backplane 1     shows the chassis serial number
show environment power     power supply information
power redundancy-mode ps-redundant     use this mode when the chassis is not fed from two independent power grids
power redundancy-mode insrc-redundant     use this mode when the chassis is fed from two independent power grids
show module     check the status of every module
attach module slot_number
dir bootflash:  or  dir slot0:     show the flash of the ACTIVE supervisor
To look at the flash of the standby supervisor, first run attach module with the standby supervisor's slot number, then run dir bootflash: or dir slot0: from there.
out-of-service module slot     shut down a supervisor or I/O module
out-of-service xbar slot     shut down a fabric module
show environment
show environment temperature
show environment fan
banner motd #Welcome to the switch#
clock timezone
clock set
reload     reboot the switch
reload module number
switchto vdc name     switch to the management context of a VDC
switchback
poweroff module slot_number
no poweroff module slot_number
poweroff xbar slot_number
CMP (Connectivity Management Processor) configuration
CMP configuration:
You should also configure three IP addresses: one for each cmp-mgmt interface and one that is shared between the active and standby supervisor mgmt 0 interfaces.
The CMP is a separate, always-on path into the supervisor (it can reload the control processor), so its addresses belong on the same isolated out-of-band management network as mgmt0, never on a production subnet.
attach cmp     enter the CMP
Commands entered on the CMP are saved automatically; no copy run start is needed.
Configuring the CMP from the NX-OS CLI
1. configure terminal
2. interface cmp-mgmt module slot     use the supervisor slot numbers (5 and 6 on a 7010) to configure the CMP of the active and the standby supervisor respectively
3. ip address ipv4-address/length
4. ip default-gateway ipv4-address
5. show running-config cmp
Configuring the CMP from the CMP CLI
1. attach cmp
2. configure terminal
3. ip default-gateway ipv4-address
4. interface cmp-mgmt
5. ip address ipv4-address/length
6. show running-config
Actions available on the CMP:
show cp state
reload cp
attach cp
monitor cp
ping or traceroute 192.0.2.15
reload system     reloads the complete system, including the CMPs
Out-of-band management VRF
Management VRF and Basic Connectivity
The management interface is, by default, part of the management VRF. The management interface "mgmt0" is the only interface allowed to be part of this VRF.
The philosophy behind the management VRF is to isolate management traffic completely from the rest of the traffic flowing through the box by confining it to its own forwarding table. That isolation only holds as long as nothing else is leaked into the VRF; show vrf management interface should list mgmt0 and nothing else.
In this step we will:
- Verify that only the mgmt0 interface is part of the management VRF
- Verify that no other interface can be part of the management VRF
- Verify that the default gateway is reachable only using the management VRF
To ping the out-of-band management gateway or any other address on the management network, append vrf management to the ping command:
ping 10.2.8.1 vrf management
Partitioning a Nexus 7010 into VDCs
VDCs are a distinguishing feature of the Nexus 7000 series. Partitioning a physical chassis into several logical switches gives the core layer a number of isolated, high-performance switches. Each VDC has its own fully separate routing tables, VRFs and interfaces, so it is configured exactly like a real switch.
VDC resources are carved out of the global chassis pool, so where necessary the function and capacity of a VDC are tuned by adjusting its resource limits. An interface or resource assigned to a VDC cannot be used by any other VDC, including the default VDC.
VDC configuration
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/virtual_device_context/quick/guide/Cisco_Nexus_7000_Series_NX-OS_Virtual_Device_Context_Quick_Start__Release_5.x_chapter1.html
vdc MyVDC     create the VDC
allocate interface ethernet 2/11-1     assign interfaces to it
switchto vdc MyVDC     switch to the new VDC and enter the VDC admin user account password
switchback
setup     configure the VDC through the setup wizard
show vdc membership
show vdc current-vdc
When interfaces in different VDCs share the same port ASIC, reloading the VDC (with the reload vdc command) or provisioning interfaces to the VDC (with the allocate interface command) might cause short traffic disruptions (of 1 to 2 seconds) for these interfaces. If such behavior is undesirable, make sure to allocate all interfaces on the same port ASIC to the same VDC.
To see how the interfaces map to port ASICs, use this command (it has no CLI help, so it has to be typed blind):
slot slot_number show hardware internal dev-port-map
copy running-config startup-config vdc-all
VDC resource listing:
vdc vdc2_1 id 2
  allocate interface Ethernet1/13-24
  allocate interface Ethernet2/1-3
  boot-order 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource monitor-session-erspan-dst minimum 0 maximum 23
  limit-resource vrf minimum 2 maximum 1000
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 8 maximum 8
  limit-resource u6route-mem minimum 4 maximum 4
  limit-resource m4route-mem minimum 8 maximum 8
  limit-resource m6route-mem minimum 2 maximum 2
The number and state of the VDCs can be checked with show vdc. The chassis itself is VDC 1 (the default VDC); up to three more VDCs can be created. From the default VDC you jump between VDCs with switchto vdc, and reloading VDC 1 reloads the whole chassis and therefore every other VDC as well.
switch# switchto vdc vdc2_1
Last login: Thu Nov 25 16:40:19 UTC 2010 on ttyS0
Last login: Thu Nov 25 17:06:47 on ttyS0
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch-vdc2_1#
From inside a non-default VDC you cannot jump to another VDC with switchto vdc. Saving the configuration and reload both have per-VDC forms.
The name of a VDC is given in the vdc command; it can also be changed from inside the VDC with the hostname command.
vPC based on EtherChannel
vPC is the NX-OS technique for getting rid of STP-blocked ports: two switches are presented to a downstream device as one, so both sets of redundant links forward traffic.
vPC is built entirely on EtherChannel; every vPC member link must be in a port-channel, the peer-keepalive link being the only exception. vPC is a layer-2 construct: vPC member port-channels are switchports (trunks in the examples here) and vPC does not apply to routed links. The peer-link between the two switches must use 10 Gigabit Ethernet ports, while the peer-keepalive link is a routed interface. The configuration guide recommends putting the keepalive in its own VRF (or on mgmt0 in the management VRF) to keep it isolated from the data plane and reduce address management overhead.
First, configure the L3 ports and make sure the two sides can ping each other:
vrf context vpc
interface Ethernet1/25
  vrf member vpc
  ip address 172.16.0.1/24
  no shutdown
In a vPC design every link between the two peers should be as reliable as possible: an unreliable keepalive link makes the vPC domain reconverge. Details follow below.
Second, with L3 connectivity in place, configure the vPC domain. A switch belongs to exactly one vPC domain, and a domain has exactly two members. The domain configuration names the peer's IP address; if that address is not in the default VRF, the source address and the VRF must be given as well:
vpc domain 1000
  peer-keepalive destination 172.16.0.2 source 172.16.0.1 vrf vpc
After this step the vPC pair can detect and announce peer state over the peer-keepalive link.
Third, configure the peer-link. The peer-link carries the inter-chassis traffic of the vPC, so it must be 10 Gigabit Ethernet; the configuration guide recommends bundling at least two 10G links:
interface Ethernet2/5
  switchport
  switchport mode trunk
  channel-group 56
  no shutdown
interface Ethernet2/6
  switchport
  switchport mode trunk
  channel-group 56
  no shutdown
interface port-channel56
  switchport
  switchport mode trunk
  spanning-tree port type network     // generated automatically
  vpc peer-link
Finally, put the links from the downstream device to each of the two switches into their respective port-channels, and bind each port-channel to a vPC number so that the corresponding port-channels on both switches land in the same vPC:
interface Ethernet1/17
  fex associate 100             // Nexus 5000 only; not needed on the N7K
  switchport mode fex-fabric    // Nexus 5000 only; not needed on the N7K
  channel-group 17
interface Ethernet1/18
  fex associate 101
  switchport mode fex-fabric
  channel-group 18
interface port-channel17
  switchport mode fex-fabric
  vpc 17
  fex associate 100
interface port-channel18
  switchport mode fex-fabric
  vpc 18
  fex associate 101
CAUTION
Use the same number for a vPC and its port-channel, and do not reuse the domain ID as a vPC number. In this author's deployment, breaking that numbering left the vPC unable to come up.
Both ends of a vPC must have compatible channel configuration: LACP on both, or no protocol (mode on) on both.
Matching LACP system priorities help LACP converge in a vPC; the guide recommends the same value on both vPC peers. It is set both globally (lacp system-priority) and under the vpc domain (system-priority).
If you see output like the following, first check whether the member port-channels of the vPC are configured correctly (here Eth2/6 is suspended):
RTS35_7010_VDC1_1-RTS35_7010_VDC3_1# show port-chann summ
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
7     Po7(SU)     Eth      LACP      Eth2/7(P)    Eth2/8(P)
200   Po200(SU)   Eth      LACP      Eth2/5(P)    Eth2/6(s)
RTS35_7010_VDC1_1-RTS35_7010_VDC3_1#
Notes:
The exact vPC configuration differs with the devices and the topology.
1. Simple downstream device
As shown in the figure (not reproduced here):
For a simple downstream device, the two Nexus switches use the standard vPC configuration: peer-link and peer-keepalive between them, then the interfaces facing the downstream device are put into a port-channel (a single-member port-channel is fine) and that port-channel is assigned to the matching vPC, which completes the virtual forwarding setup.
2. Recommended Nexus domain design
As shown in the figure (not reproduced here):
The Nexus 5000s and Nexus 7000s are connected in a full mesh. With vPC all four links in the middle stay active, and the virtual topology formed by vPC is equivalent to a single 40G link between one Nexus 5000 and one Nexus 7000, which greatly increases forwarding capacity.
In this design the Nexus 5000 pair and the Nexus 7000 pair each configure their own vPC domain. Once both domains are up, the cross links are bundled into port-channels, using either LACP or no protocol (mode on).
Only the configuration of the left-hand 5K and 7K is listed below.
5k configuration     // E1/15 and E1/16 are the uplinks to the 7K pair
interface Ethernet1/15
  switchport mode trunk
  channel-group 56
interface Ethernet1/16
  switchport mode trunk
  channel-group 56
interface port-channel56
  switchport mode trunk
  vpc 56
  speed 10000
7k configuration     // E2/4 and E2/8 are the links to the 5K pair
interface Ethernet2/4
  switchport
  switchport mode trunk
  channel-group 48
  no shutdown
interface Ethernet2/8
  switchport
  switchport mode trunk
  channel-group 48
  no shutdown
interface port-channel48
  switchport
  switchport mode trunk
  vpc 48
Bundling the two links from the same switch into one port-channel and placing it in the same vPC forwarding group on both sides completes the configuration in both directions.
CAUTION
The configuration on both sides of a vPC must be kept in sync: VLANs, interfaces and VDC configuration should match on both peers, otherwise the vPC will not work properly.
In this design all port-channels run in trunk mode; set switchport mode trunk explicitly on both sides, because a mode mismatch between the peers also breaks the vPC.
Split vPC: HSRP and STP
When a vPC is split, what each vPC domain member does depends on its current system role.
If the vPC peer-keepalive link fails, forwarding is not affected at all. If the vPC peer-link fails, the switch holding the secondary role puts every port-channel that is a vPC member into the down state, taking itself out of the vPC domain and stopping forwarding until the link is repaired; the primary keeps forwarding.
As long as both vPC domain members are healthy, a failure of either the peer-link or the peer-keepalive link does not stop forwarding; vPC reconvergence may cost one or two packets.
The following situation, however, does break forwarding in the vPC domain:
With the vPC domain working, cut every link between the two switches, then, with reload restore configured on both sides, reboot both vPC domain members. After 240 s both switches become active (dual-active) and a forwarding loop results. From what we could find out, this is a layer-2 loop caused by STP. The vPC configuration command peer-switch may resolve it.
The problem only reproduces with this exact sequence of operations.
HSRP behaves differently in a vPC: the HSRP active router answers ARP requests, but the standby also forwards packets whose destination is the HSRP group's virtual MAC address, which gives HSRP load balancing.
Like HSRP, GLBP is supported as a first-hop redundancy protocol in vPC; GLBP load-balances by having the AVG answer different ARP requests with the MAC addresses of different AVFs. In a vPC environment, however, HSRP converges faster than GLBP.
In a vPC the HSRP, GLBP or VRRP active router should sit on the vPC primary switch; likewise the STP root for the VLANs should be aligned with the primary.
Both sides must use the same HSRP group number, and a group number cannot be reused within a single VDC. HSRP over vPC cannot use the use-bia option.
vPC details
role priority
Without a role priority configured, the primary is chosen by system MAC address: the lower MAC wins. With role priority configured, the lower configured value wins. A change of priority only takes effect after the peer-link has been shut and brought back once.
System-priority
This is the LACP setting within vPC. Leaving it unset is harmless, but if it is configured, both devices in the vPC domain must use the same system-priority value; a mismatch can prevent the vPC from coming up.
Reload restore
This command lets a Nexus bring its vPCs up after a reboot even when it cannot find its vPC peer.
By default, if a vPC member boots and cannot reach its peer, all vPC member ports stay down and forward nothing. With this command configured, a switch that boots alone brings its vPC member ports up after at least 240 s and starts forwarding. (Later NX-OS releases replace reload restore with auto-recovery, which serves the same purpose.)
CAUTION
If every cable between the vPC members, including the peer-link and the peer-keepalive, is cut and reload restore is configured on both sides, both switches will be vPC active after they finish rebooting (dual-active), and the Nexus pair will form a forwarding loop with the upstream devices.
This only occurs in the recommended Nexus domain design, and only if the steps are followed exactly.
Peer-switch
The peer-switch command makes the vPC domain members appear as a single STP root, which simplifies the spanning tree and shortens STP recalculation when the primary fails.
Listing after a successful vPC configuration:
Nexus5010down# show vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                   : 500
Peer status                     : peer adjacency formed ok
vPC keep-alive status           : peer is alive
Configuration consistency status: success
Type-2 consistency status       : success
vPC role                        : secondary
Number of vPCs configured       : 99
Peer Gateway                    : Disabled
Dual-active excluded VLANs      : -

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po56   up     1,100-105

vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
17     Po17        up     success     success                    -
18     Po18        up     success     success                    -
200    Po200       up     success     success                    1,100-105
101376 Eth100/1/1  down*  failed      Consistency Check Not      -
                                      Performed
101377 Eth100/1/2  down*  failed      Consistency Check Not      -
                                      Performed
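The show port-channel summary output in the vPC section (with its suspended member) and the show vpc listing above are what an operator reads after every vPC change. As an added example that is not part of the original guide, here is a small Python parser for both outputs that turns them into a checklist: peer adjacency, keepalive, consistency status, any vPC that is not up, and any port-channel member not in the P (bundled) state. The sample inputs are those two outputs, trimmed; the regular expressions assume the NX-OS 5.x column layout shown in them.

```python
import re

# Sample inputs reproduced from this guide's show port-channel summary and
# show vpc listings (trimmed to what the parser needs); not live output.
PORT_CHANNEL_SUMMARY = """\
Flags:  D - Down        P - Up in port-channel (members)
        s - Suspended   U - Up (port-channel)
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
7     Po7(SU)     Eth      LACP      Eth2/7(P)    Eth2/8(P)
200   Po200(SU)   Eth      LACP      Eth2/5(P)    Eth2/6(s)
"""

SHOW_VPC = """\
vPC domain id                   : 500
Peer status                     : peer adjacency formed ok
vPC keep-alive status           : peer is alive
Configuration consistency status: success
Type-2 consistency status       : success
vPC role                        : secondary
Number of vPCs configured       : 99

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po56   up     1,100-105

vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
17     Po17        up     success     success                    -
200    Po200       up     success     success                    1,100-105
101376 Eth100/1/1  down*  failed      Consistency Check Not      -
                                      Performed
"""

# One port-channel row: group, Po name, flags, type, protocol, members.
PO_LINE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+\S+\s+(\S+)\s+(.*)$")
MEMBER = re.compile(r"(Eth\d+/\d+(?:/\d+)?)\(([A-Za-z]+)\)")
# "Key : value" lines of the show vpc header block.
KV = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*)$")
# One row of the "vPC status" table; the reason column may wrap onto a
# continuation line, which is ignored here.
VPC_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(up|down\*?)\s+(success|failed)\s+(.*?)\s{2,}(\S+)\s*$")


def parse_port_channel_summary(text):
    """Map port-channel name -> flags, protocol and per-member flag."""
    result = {}
    for line in text.splitlines():
        m = PO_LINE.match(line)
        if m:
            _, po, flags, proto, rest = m.groups()
            result[po] = {"flags": flags, "protocol": proto,
                          "members": dict(MEMBER.findall(rest))}
    return result


def parse_show_vpc(text):
    """Return (header summary dict, list of per-vPC rows)."""
    summary, vpcs = {}, []
    for line in text.splitlines():
        row = VPC_ROW.match(line)
        if row:
            vid, port, status, consistency, reason, vlans = row.groups()
            vpcs.append({"id": int(vid), "port": port, "status": status,
                         "consistency": consistency,
                         "reason": reason.strip(), "vlans": vlans})
            continue
        kv = KV.match(line)
        if kv:
            summary[kv.group(1).strip()] = kv.group(2).strip()
    return summary, vpcs


def vpc_problems(summary, vpcs, port_channels):
    """List everything an operator should look at before trusting the vPC."""
    problems = []
    if summary.get("Peer status") != "peer adjacency formed ok":
        problems.append("peer adjacency not formed")
    if summary.get("vPC keep-alive status") != "peer is alive":
        problems.append("peer-keepalive is down")
    for key in ("Configuration consistency status", "Type-2 consistency status"):
        if summary.get(key) != "success":
            problems.append(f"{key}: {summary.get(key)}")
    for v in vpcs:
        if v["status"] != "up" or v["consistency"] != "success":
            problems.append(f"vPC {v['id']} ({v['port']}): {v['status']}, {v['reason']}")
    for po, info in port_channels.items():
        if "U" not in info["flags"]:
            problems.append(f"{po} is not up (flags {info['flags']})")
        for eth, flag in info["members"].items():
            if flag != "P":  # anything but P means the member is not bundled
                problems.append(f"{po}: member {eth} has flag {flag}")
    return problems


if __name__ == "__main__":
    hdr, rows = parse_show_vpc(SHOW_VPC)
    for p in vpc_problems(hdr, rows, parse_port_channel_summary(PORT_CHANNEL_SUMMARY)):
        print(p)
```

On the sample input the checklist reports exactly the two items an operator would chase: vPC 101376 (the FEX host port) down with a failed consistency check, and Eth2/6 suspended in Po200. Feed it the real outputs (for example over SSH with the scripting tool of your choice) and an empty list is the "go" signal.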
SPAN on Nexus
Nexus supports SPAN, ESPAN and ERSPAN.
SPAN, or local SPAN, uses interfaces on the local switch as source and destination. ESPAN sends the mirrored traffic into a VLAN and carries it to a remote switch over a trunk (what IOS calls RSPAN). ERSPAN encapsulates the mirrored traffic in GRE so that it can be routed to a remote destination; the GRE payload is the original frames in clear text, so the path to the collector needs the same protection as the traffic being mirrored.
A Nexus 7000 can hold up to 48 sessions, but only two can be active at a time. FEX ports can only be a SPAN source, not a destination. Port-channel members cannot be SPAN sources, and on a Nexus 5000 the interfaces that connect a FEX cannot be SPAN sources. The Nexus 5000 supports only local SPAN; the Nexus 7000 supports all SPAN types.
VDC mgmt interface
The mgmt interface is shared by all VDCs. In a non-default VDC it does not appear in show interface status, but interface mgmt 0 can still be used to configure an address. The mgmt addresses of all VDCs should be in the same subnet.
VLAN interfaces stuck DOWN
In a vPC setup, if the VLAN configuration differs between the two vPC domain members, the VLAN interface stays DOWN and cannot be brought up.
On the Nexus 7000 the VLAN itself (vlan N) and the VLAN interface (interface VlanN) are configured separately. Having only the interface Vlan without the vlan definition leaves the VLAN interface configured differently on the two sides and keeps the L3 VLAN interface DOWN. L3 VLAN interfaces are shut down by default and have to be enabled with no shutdown.
VTP can be tried to avoid this class of configuration error. Note that VTP also lets any switch in the same VTP domain overwrite the VLAN database, so if you use it, prefer transparent mode or at least set a VTP password.
RTS36_7010_VDC1_2-RTS36_7010_VDC3_2(config)# show inter status
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
mgmt0         --                 connected routed    full    1000    --
Eth1/25       --                 disabled  trunk     full    auto    10/100/1000
Eth1/26       --                 disabled  trunk     full    auto    10/100/1000
Eth1/27       --                 disabled  trunk     full    auto    10/100/1000
Eth1/28       --                 disabled  trunk     full    auto    10/100/1000
Eth1/29       --                 disabled  trunk     full    auto    10/100/1000
Eth1/30       --                 disabled  routed    full    auto    10/100/1000
Eth1/31       --                 disabled  routed    full    auto    10/100/1000
Eth1/32       --                 disabled  routed    full    auto    10/100/1000
Eth1/33       --                 disabled  routed    full    auto    10/100/1000
Eth1/34       --                 disabled  routed    full    auto    10/100/1000
Eth1/35       --                 disabled  routed    full    auto    10/100/1000
Eth1/36       VPC keepalive      connected routed    full    1000    10/100/1000
Eth2/4        connect to RTS36_7 connected routed    full    10G     10GBASE-SR
Eth2/5        --                 connected trunk     full    10G     10GBASE-SR
Eth2/6        --                 connected trunk     full    10G     10GBASE-SR
Eth2/7        connect to RTS35_7 connected trunk     full    10G     10GBASE-SR
Eth2/8        connect to RTS35_7 connected trunk     full    10G     10GBASE-SR
Po7           connect to RTS35_7 connected trunk     full    10G     --
Po200         --                 connected trunk     full    10G     --
Lo0           --                 connected routed    auto    auto    --
Vlan1         --                 connected routed    auto    auto    --
Vlan11        --                 connected routed    auto    auto    --
Vlan12        --                 connected routed    auto    auto    --
Vlan15        --                 connected routed    auto    auto    --
Vlan16        --                 connected routed    auto    auto    --
Vlan188       --                 connected routed    auto    auto    --
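The mismatches described in this section and in the vPC CAUTION notes (a VLAN defined on only one peer, an SVI without its vlan definition, different HSRP group numbers, different allowed VLANs on the vPC port-channel) can be caught before a vPC is brought up by diffing the relevant stanzas of the two peers' running-configs. The Python below is an added example, not code from the guide or from Cisco. The two running-config excerpts are constructed for it, and the parser only understands the few stanzas it checks (vlan lists, interface Vlan with hsrp, interface port-channel with vpc and trunk allowed vlan).

```python
# Constructed running-config excerpts for two vPC peers (made up for this
# example, not from a real device). Peer B lacks "vlan 12", uses another
# HSRP group on Vlan11 and prunes VLAN 12 from the vPC trunk.
PEER_A = """\
vlan 1,11,12,15
interface Vlan11
  ip address 10.225.1.253/24
  hsrp 11
    ip 10.225.1.254
interface Vlan12
  ip address 10.225.2.253/24
  hsrp 12
    ip 10.225.2.254
interface port-channel17
  switchport mode trunk
  switchport trunk allowed vlan 11,12
  vpc 17
"""

PEER_B = """\
vlan 1,11,15
interface Vlan11
  ip address 10.225.1.252/24
  hsrp 21
    ip 10.225.1.254
interface Vlan12
  ip address 10.225.2.252/24
  hsrp 12
    ip 10.225.2.254
interface port-channel17
  switchport mode trunk
  switchport trunk allowed vlan 11
  vpc 17
"""


def expand_vlans(spec):
    """Turn an NX-OS VLAN list such as "1,100-105" into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Extract what must agree on both vPC peers: the VLAN database, the
    HSRP group of each SVI, and vpc number / allowed VLANs per port-channel."""
    cfg = {"vlans": set(), "svi": {}, "po": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):
            cfg["vlans"] |= expand_vlans(line.split()[1])
            section = None
        elif line.startswith("interface "):
            section = line.split()[1]
            if section.startswith("Vlan"):
                cfg["svi"][section] = {"hsrp": None}
            elif section.startswith("port-channel"):
                cfg["po"][section] = {"vpc": None, "allowed": None}
        elif section in cfg["svi"] and line.startswith("hsrp "):
            cfg["svi"][section]["hsrp"] = int(line.split()[1])
        elif section in cfg["po"]:
            if line.startswith("vpc "):
                cfg["po"][section]["vpc"] = int(line.split()[1])
            elif line.startswith("switchport trunk allowed vlan "):
                cfg["po"][section]["allowed"] = expand_vlans(line.split()[-1])
    return cfg


def compare_peers(a, b):
    """Return human-readable mismatches; an empty list means the items agree."""
    issues = []
    for v in sorted(a["vlans"] ^ b["vlans"]):
        side = "A" if v in a["vlans"] else "B"
        issues.append(f"VLAN {v} is defined only on peer {side}")
    # An SVI whose VLAN is missing from the VLAN database stays down.
    for name, cfg in (("A", a), ("B", b)):
        for svi in sorted(cfg["svi"]):
            if int(svi[len("Vlan"):]) not in cfg["vlans"]:
                issues.append(f"peer {name}: {svi} exists but 'vlan {svi[4:]}' is missing")
    for svi in sorted(set(a["svi"]) | set(b["svi"])):
        ga = a["svi"].get(svi, {}).get("hsrp")
        gb = b["svi"].get(svi, {}).get("hsrp")
        if ga != gb:
            issues.append(f"{svi}: HSRP group {ga} on A vs {gb} on B")
    for po in sorted(set(a["po"]) | set(b["po"])):
        pa, pb = a["po"].get(po), b["po"].get(po)
        if pa is None or pb is None:
            issues.append(f"{po} exists on only one peer")
            continue
        if pa["vpc"] != pb["vpc"]:
            issues.append(f"{po}: vpc {pa['vpc']} on A vs {pb['vpc']} on B")
        if pa["allowed"] != pb["allowed"]:
            issues.append(f"{po}: allowed VLANs {sorted(pa['allowed'] or [])} on A "
                          f"vs {sorted(pb['allowed'] or [])} on B")
    return issues


if __name__ == "__main__":
    for issue in compare_peers(parse_config(PEER_A), parse_config(PEER_B)):
        print(issue)
```

Run against the two excerpts it reports four findings: VLAN 12 only on peer A, Vlan12 on peer B without its vlan definition (the stuck-DOWN case above), an HSRP group mismatch on Vlan11, and different allowed VLANs on port-channel17. The same checks are what the vPC consistency check later complains about, but this can be run on the configs before anything is cabled.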
Routing on Nexus
OSPF on Nexus
On Nexus the OSPF auto-cost reference bandwidth has been raised from the classic 100 Mbps to 40 Gbps, which is the default. IOS routers still default to 100 Mbps, so in a mixed OSPF domain set the same reference bandwidth on every router, otherwise link costs (and therefore path selection) differ from router to router:
RTS35_7010_VDC1_1-RTS35_7010_VDC3_1(config-router)# auto-cost reference-bandwidth ?
  <1-4000000>  Rate in Mbps (bandwidth) (Default) *Default value is 40000
  <1-4000>     Rate in Gbps (bandwidth) *Default value is 40
NX-OS no longer accepts network statements under the OSPF process; OSPF is enabled per interface:
RTS35_7010_VDC1_1-RTS35_7010_VDC3_1# show run int vlan 11
!Command: show running-config interface Vlan11
!Time: Wed Dec 1 07:11:42 2010
version 5.1(1)
interface Vlan11
  no shutdown
  ip address 10.225.1.253/24
  ip router ospf 100 area 0.0.0.0
  ip ospf passive-interface
  hsrp 11
    preempt
    priority 200
    timers 1 3
    ip 10.225.1.254
NLB on Nexus
Microsoft Windows Server NLB was confirmed in testing to be supported.
Identifying a component
A Nexus is made of many components (fabric modules, xbars and so on). The following command lights the Identification LED on the front panel so that the module to be replaced or serviced can be found:
locator-led {chassis | fan f-number | module slot | powersupply ps-number | xbar x-number}
no locator-led {chassis | fan f-number | module slot | powersupply ps-number | xbar x-number}
This command template is for the Nexus 7000; on the Nexus 5000 some of the parameters are not available, but there is a fex parameter for identifying a Fabric Extender.
Fiber type
On a Nexus 5010 with SFP+ optics, the fiber type matters for links between rooms. The transceiver reports the supported reach per fiber type:
RTS39_5010# show int e1/17 transceiver
Ethernet1/17
    transceiver is present
    type is 10Gbase-SR
    name is CISCO-AVAGO
    part number is SFBR-7702SDZ
    revision is G2.3
    serial number is AGA143164B3
    nominal bitrate is 10300 MBit/sec
    Link length supported for 50/125um fiber is 80 m
    Link length supported for 50/125um fiber is 300 m
    Link length supported for 62.5/125um fiber is 20 m
    cisco id is --
    cisco extended id number is 4
Nexus 7000 basic configuration summary
Cisco NX-OS/IOS Configuration Fundamentals Comparison
From DocWiki
Objective
This tech note outlines the main differences in configuration fundamentals between the Cisco NX-OS software and the Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software to illustrate some of the differences after the first system startup. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
Cisco NX-OS Overview
The Cisco NX-OS is a data center class operating system designed for maximum scalability and application availability. The CLI interface for the NX-OS is very similar to Cisco IOS, so if you understand the Cisco IOS you can easily adapt to the Cisco NX-OS. However, a few key differences should be understood prior to working with the Cisco NX-OS.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
When you first log into the NX-OS, you go directly into EXEC mode.
Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS 5.0(2a) introduced privilege levels and two-stage authentication using an enable secret that can be enabled with the global feature privilege configuration command.
By default, the admin user has network-admin rights that allow full read/write access. Additional users can be created with very granular rights to permit or deny specific CLI commands.
The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults, perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP) security policy.
The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced Services license is required depending on the features required. Additional licenses may be required in the future.
A 120 day license grace period is supported for testing, but features are automatically removed from the running configuration after the expiration date is reached.
The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP, etc… using the feature configuration command. Configuration and verification commands are not available until you enable the specific feature.
Interfaces are labeled in the configuration as Ethernet. There aren’t any speed designations.
The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical device to be partitioned into logical devices. When you log in for the first time you are in the default VDC (VDC 1).
The Cisco NX-OS has two preconfigured VRF instances by default (management, default). The management VRF is applied to the supervisor module out-of-band Ethernet port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet ports.
SSHv2 server/client functionality is enabled by default. TELNET server functionality is disabled by default. (The TELNET client is enabled by default and cannot be disabled.)
VTY and Auxiliary port configurations do not show up in the default configuration unless a parameter is modified (The Console port is included in the default configuration). The VTY port supports 32 simultaneous sessions and the timeout is disabled by default for all three port types.
Things You Should Know
The following list provides some additional Cisco NX-OS information that should be helpful when configuring and maintaining the Cisco NX-OS.
The default administrator user is predefined as admin. An admin user password has to be specified when the system is powered up for the first time, or if the running configuration is erased with the write erase command and the system is repowered.
If you remove a feature with the global no feature configuration command, all relevant commands related to that feature are removed from the running configuration.
The NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables. The boot variables determine what version of NX-OS is loaded when the system is powered on. (The kickstart and system boot variables have to be configured for the same NX-OS version.)
The show running-config command accepts several options, such as OSPF, BGP, etc… that will display the runtime configuration for a specific feature.
The show tech command accepts several options that will display information for a specific feature.
Configuration Comparison
The following sample code shows similarities and differences between the Cisco NX-OS software and the Cisco IOS Software CLI.
Cisco IOS CLI vs. Cisco NX-OS CLI

Default User Prompt
  IOS:    c6500>
  NX-OS:  n7000#

Entering Configuration Mode
  IOS:    c6500# configure terminal
  NX-OS:  n7000# configure terminal

Saving the Running Config to the Startup Config (nvram)
  IOS:    c6500# write memory   or   c6500# copy running-config startup-config
  NX-OS:  n7000# copy running-config startup-config

Erasing the startup config (nvram)
  IOS:    c6500# write erase
  NX-OS:  n7000# write erase

Installing a License
  IOS:    Cisco IOS Software does not require a license file installation.
  NX-OS:  n7000# install license bootflash:license_file.lic

Interface Naming Convention
  IOS:    interface Ethernet 1/1
          interface FastEthernet 1/1
          interface GigabitEthernet 1/1
          interface TenGigabitEthernet 1/1
  NX-OS:  interface Ethernet 1/1

Default VRF Configuration (management)
  IOS:    Cisco IOS Software doesn't enable VRFs by default.
  NX-OS:  vrf context management

Configuring the Software Image Boot Variables
  IOS:    boot system flash sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin
  NX-OS:  boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-1
          boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-1
          boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-2
          boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-2

Enabling Features
  IOS:    Cisco IOS Software does not have the functionality to enable or disable features.
  NX-OS:  feature ospf

Enabling TELNET (SSHv2 is recommended; telnet carries credentials in clear text, so leave it disabled)
  IOS:    Cisco IOS Software enables TELNET by default.
  NX-OS:  feature telnet

Configuring the VTY Timeout and Session Limit
  IOS:    line vty 0 9
           exec-timeout 15 0
           login
  NX-OS:  line vty
           session-limit 10
           exec-timeout 15
Verification Command Comparison
The following table compares some useful show commands for verifying the initial system startup and running configuration.
Cisco NX-OS | Cisco IOS Software | Command Description
show running-config | show running-config | Displays the running configuration
show startup-config | show startup-config | Displays the startup configuration

show interface | show interface | Displays the status for all of the interfaces
show interface ethernet <slot/port> | show interface <type> <slot/port> | Displays the status for a specific interface

show boot | show boot | Displays the current boot variables

show clock | show clock | Displays the system clock and time zone configuration
show clock detail | show clock detail | Displays the summer-time configuration

show environment | show environment | Displays all environment parameters
show environment clock | show environment status clock | Displays clock status for A/B and active clock
show environment fan | show environment cooling fan-tray | Displays fan status
show environment power | show power | Displays power budget
show environment temperature | show environment temperature | Displays temperature data

show log logfile | show log | Displays the local log
show log nvram | - | Displays persistent log messages (severity 0-2) stored in NVRAM
show module | show module | Displays installed modules and their status
show module uptime | - | Displays how long each module has been powered up
show module fabric | - | Displays fabric modules and their current status
show platform fabric-utilization | show fabric utilization | Displays the % of fabric utilized per module
show process cpu | show process cpu | Displays the processes running on the CPU
show process cpu history | show process cpu history | Displays the process history of the CPU in chart form
show process cpu sorted | show process cpu sorted | Displays sorted processes running on the CPU

show system cores | - | Displays the core dump files if present
show system exception-info | show exception | Displays the last exception log
show system redundancy status | show redundancy | Displays the supervisors' High Availability status
show system resources | show process cpu | Displays CPU and memory usage data
show system uptime | - | Displays system and kernel start time (active supervisor uptime)

show tech-support | show tech-support | Displays system technical information for Cisco TAC
show tech-support <feature> | show tech-support <option> | Displays feature-specific technical information for Cisco TAC

show version | show version | Displays running software version, basic hardware, CMP status and system uptime

show line | show line | Displays console and auxiliary port information
show line com1 | - | Displays auxiliary port information
show line console | show line console 0 | Displays console port information
show line console connected | - | States if the console port is physically connected
show terminal | show terminal | Displays terminal settings
show users | show users | Displays the current terminal sessions

show vrf | show ip vrf | Displays a list of all configured VRFs
show vrf <vrf-name> | show ip vrf <vrf-name> | Displays a specified VRF
show vrf <vrf-name> detail | show vrf detail <vrf-name> | Displays details for a specified VRF
show vrf <vrf-name> interface | - | Displays interface assignment for a specified VRF
show vrf default | - | Displays a summary of the default VRF
show vrf detail | show vrf detail | Displays details for all VRFs
show vrf interface | show ip vrf interface | Displays VRF interface assignment
show vrf management | - | Displays a summary of the management VRF

show license | - | Displays all license file information
show license brief | - | Displays the license file names installed
show license file <filename> | - | Displays license contents based on a specified name
show license host-id | - | Displays the chassis Host-ID used for creating a license
show license usage | - | Displays all licenses used by the system
show license usage <package> | - | Displays all licenses used by the system per type
show license usage vdc-all | - | Displays all licenses used by the system for all VDCs

show vdc | - | Displays a list of the configured VDCs
show vdc <vdc-name> | - | Displays a summary of the individual VDC
show vdc <vdc-name> detail | - | Displays configuration details for a specific VDC
show vdc <vdc-name> membership | - | Displays interface membership for a specific VDC
show vdc <vdc-name> resource | - | Displays resource allocation for a specific VDC
show vdc current-vdc | - | Displays the VDC that the user is currently in
show vdc detail | - | Displays detailed information for all VDCs
show vdc membership | - | Displays interface membership for all VDCs
show vdc resource | - | Displays resource allocation for all VDCs
Source: http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Configuration_Fundamentals_Comparison
Cisco NX-OS/IOS Interface Comparison
From DocWiki
Objective
This tech note outlines the main differences in interface support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
Interface Configuration Overview
The NX-OS supports different physical and virtual interface types to meet various network connectivity requirements. The interface types include: layer-2 switched (access or trunk), layer-3 routed, layer-3 routed sub-interface (trunk), switched virtual interface (SVI), port-channel, loopback, and tunnel interfaces. Port-channel interfaces are documented in the Cisco NX-OS/IOS Port-Channel Comparison Tech-Note.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
SVI command-line interface (CLI) configuration and verification commands are not available until you enable the SVI feature with the feature interface-vlan command.
Tunnel interface command-line interface (CLI) configuration and verification commands are not available until you enable the Tunnel feature with the feature tunnel command.
Interfaces support stateful and stateless restarts after a supervisor switchover for high availability.
Only 802.1q trunks are supported, so the encapsulation command isn't necessary when configuring a layer-2 switched trunk interface. (Cisco ISL is not supported)
An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when configuring an IP address on a layer-3 interface.
The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (for example: interface ethernet 1/1-2).
The out-of-band management ethernet port located on the supervisor module is configured with the interface mgmt 0 CLI command.
Things You Should Know
The following list provides some additional facts about the Cisco NX-OS that should be helpful when configuring interfaces.
An interface can only be configured in 1 VDC at a time.
All 4 interfaces in a port group must be assigned to the same VDC when assigning interfaces on the 32 port 10GE module. There are not any restrictions for the 48 port 1GE modules.
10 GE interfaces can be configured in dedicated mode using the rate-mode dedicated interface CLI command.
The default port type is configurable for L3 routed or L2 switched in the setup startup script. (L3 is the default port type prior to running the script)
A layer-2 switched trunk port sends and receives traffic for all VLANs by default (This is the same as Cisco IOS Software). Use the switchport trunk allowed vlan interface CLI command to specify the VLANs allowed on the trunk.
The clear counters interface ethernet x/x CLI command resets the counters for a specific interface.
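The port-group rule above (all four interfaces of a port group on the 32-port 10GE module in the same VDC) and the port-ASIC note in the VDC section earlier come down to one check: no port group may be split between VDCs. The Python below is an added example, not code from the guide or from Cisco, that parses show vdc membership output and reports port groups whose members belong to more than one VDC. The membership output is constructed for the example, and the port-group table is an assumption made for it: take the real mapping for your module from show hardware internal dev-port-map, as the VDC section describes, rather than from this table.

```python
import re

# Constructed "show vdc membership" output (not from a live device); the
# interface lists are shortened to what the check needs.
SHOW_VDC_MEMBERSHIP = """\
vdc_id: 1 vdc_name: switch interfaces:
        Ethernet2/1           Ethernet2/2           Ethernet2/3
        Ethernet2/9           Ethernet2/10          Ethernet2/11
        Ethernet2/12
vdc_id: 2 vdc_name: vdc2_1 interfaces:
        Ethernet2/4           Ethernet2/5           Ethernet2/6
        Ethernet2/7           Ethernet2/8
"""

# Assumed port-group map for this example only: slot 2 is treated as a
# 32-port 10GE module whose port groups are consecutive blocks of four
# ports. Replace with the mapping from "show hardware internal dev-port-map".
PORT_GROUPS = {2: [set(range(p, p + 4)) for p in range(1, 33, 4)]}

VDC_HEADER = re.compile(r"^vdc_id:\s*(\d+)\s+vdc_name:\s*(\S+)\s+interfaces:")
IFACE = re.compile(r"Ethernet(\d+)/(\d+)\b")


def parse_vdc_membership(text):
    """Map (slot, port) -> vdc_name from show vdc membership output."""
    owner, current = {}, None
    for line in text.splitlines():
        hdr = VDC_HEADER.match(line)
        if hdr:
            current = hdr.group(2)
        if current:
            for slot, port in IFACE.findall(line):
                owner[(int(slot), int(port))] = current
    return owner


def split_port_groups(owner, port_groups):
    """Return (slot, ports, vdcs) for every port group whose allocated
    members are spread over more than one VDC. Unallocated ports are
    ignored, so a group that is only partly allocated is not flagged."""
    problems = []
    for slot, groups in port_groups.items():
        for group in groups:
            vdcs = {owner[(slot, p)] for p in group if (slot, p) in owner}
            if len(vdcs) > 1:
                problems.append((slot, sorted(group), sorted(vdcs)))
    return problems


if __name__ == "__main__":
    for slot, ports, vdcs in split_port_groups(parse_vdc_membership(SHOW_VDC_MEMBERSHIP),
                                               PORT_GROUPS):
        print(f"slot {slot} ports {ports} are split across VDCs {vdcs}")
```

On the sample input the only finding is slot 2 ports 1-4, where Ethernet2/4 sits in vdc2_1 while 2/1-2/3 stay in the default VDC; that is exactly the allocation that the VDC section warns will cause 1-2 second disruptions on reload vdc or allocate interface.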
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS Software.
Cisco IOS CLI vs. Cisco NX-OS CLI

Configuring a Routed Interface
  IOS:    interface gigabitethernet 1/1
           ip address 192.168.1.1 255.255.255.0
           no shutdown
  NX-OS:  interface ethernet 1/1
           ip address 192.168.1.1/24
           no shutdown

Configuring a Switched Interface (VLAN 10)
  IOS:    vlan 10
          interface gigabitethernet 1/1
           switchport
           switchport mode access
           switchport access vlan 10
           no shutdown
  NX-OS:  vlan 10
          interface ethernet 1/1
           switchport
           switchport mode access
           switchport access vlan 10
           no shutdown

Configuring a Switched Virtual Interface (SVI)
  IOS:    Cisco IOS Software does not have the ability to enable or disable SVI interfaces using the feature command.
          interface vlan 10
           ip address 192.168.1.1 255.255.255.0
           no shutdown
  NX-OS:  feature interface-vlan
          interface vlan 10
           ip address 192.168.1.1/24
           no shutdown

Configuring a Switched Trunk Interface
  IOS:    interface GigabitEthernet 1/1
           switchport
           switchport trunk encapsulation dot1q
           switchport trunk native vlan 2
           switchport trunk allowed vlan 10,20
           switchport mode trunk
           no shutdown
  NX-OS:  interface ethernet 1/1
           switchport mode trunk
           switchport trunk allowed vlan 10,20
           switchport trunk native vlan 2
           no shutdown

Configuring a Routed Trunk Sub-Interface
  IOS:    interface gigabitethernet 1/1
           no switchport
           no shutdown
          interface gigabitethernet 1/1.10
           encapsulation dot1Q 10
           ip address 192.168.1.1 255.255.255.0
           no shutdown
  NX-OS:  interface ethernet 1/1
           no switchport
           no shutdown
          interface ethernet 1/1.10
           encapsulation dot1q 10
           ip address 192.168.1.1/24
           no shutdown

Configuring a Loopback Interface
  IOS:    interface loopback 1
           ip address 192.168.1.1 255.255.255.255
           no shutdown
  NX-OS:  interface loopback 1
           ip address 192.168.1.1/32
           no shutdown

Configuring a Tunnel Interface
  IOS:    Cisco IOS Software does not have the ability to enable or disable Tunnel interfaces using the feature command.
          interface tunnel 1
           ip address 192.168.1.1 255.255.255.0
           tunnel source 172.16.1.1
           tunnel destination 172.16.2.1
           no shutdown
  NX-OS:  feature tunnel
          interface tunnel 1
           ip address 192.168.1.1/24
           tunnel source 172.16.1.1
           tunnel destination 172.16.2.1
           no shutdown

Configuring an Interface Description
  IOS:    interface gigabitethernet 1/1
           description Test Interface
  NX-OS:  interface ethernet 1/1
           description Test Interface

Configuring Jumbo Frames
  IOS:    interface gigabitethernet 1/1
           mtu 9216
  NX-OS:  interface ethernet 1/1
           mtu 9216

Configuring Multiple Interfaces (Examples)
  IOS:    interface range gigabitethernet 1/1-2
          or
          interface range gigabitethernet 1/1, gigabitethernet 2/1
  NX-OS:  interface ethernet 1/1-2
          or
          interface ethernet 1/1, ethernet 2/1
Verification Command Comparison
The following table lists some useful show commands for verifying the status and troubleshooting an interface.
Cisco NX-OS Interface | Cisco IOS Software Interface | Command Description
show interface | show interface | Displays the status and statistics for all interfaces or a specific interface
show interface brief | - | Displays a brief list of the interfaces (type, mode, status, speed, MTU)
show interface capabilities | show interface capabilities | Displays interface capabilities
show interface counters | show interface counters | Displays interface counters (input/output unicast, multicast and broadcast)
show interface debounce | - | Displays the de-bounce status and time in ms for all interfaces
show interface description | - | Displays all interfaces with configured descriptions
show interface ethernet | show interface interface-type | Displays status and statistics for a specific interface
show interface flowcontrol | show interface flowcontrol | Displays Flow Control (802.1p) status and state for all interfaces
show interface loopback | show interface loopback | Displays status and statistics for a specific loopback interface
show interface mac-address | - | Displays all interfaces and their associated MAC addresses
show interface mgmt | - | Displays status and statistics for the management interface located on the supervisor
show interface port-channel | show interface port-channel | Displays status and statistics for a specific port-channel
show interface status | show interface status | Displays all interfaces and their current status
show interface switchport | show interface switchport | Displays a list of all interfaces that are configured as switchports
show interface transceiver | show interface transceiver | Displays a list of all interfaces and optic information (calibrations, details)
show interface trunk | show interface trunk | Displays a list of all interfaces configured as trunks
show interface tunnel <#> | show interface tunnel <#> | Displays status and statistics for a specific tunnel interface
show interface vlan <#> | show interface vlan <#> | Displays status and statistics for a specific VLAN interface
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Interface_Comparison"
Cisco NX-OS/IOS Port-Channel Comparison
Objective
This tech note outlines the main differences in Port-Channel support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
Port-Channel Overview
Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology. Port-Channels can be configured in Static Mode (no protocol) or in conjunction with a protocol such as LACP (defined in IEEE 802.3ad) or PAgP for dynamic negotiation and keep-alive detection for failover.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
256 Port-Channels are supported per chassis
LACP and Static Mode Port-Channels are supported (PAgP is not supported in Cisco NX-OS Software).
LACP command-line interface (CLI) configuration and verification commands are not available until you enable the LACP feature with the feature lacp command.
The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (e.g. interface ethernet 1/1-2).
A Port-Channel can be converted between a layer-2 and layer-3 Port-Channel without removing the member ports.
The force keyword can be used when adding an interface to an existing Port-Channel to force the new interface to inherit all of the existing Port-Channel compatibility parameters.
Things You Should Know
The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network using Port-Channels.
A single Port-Channel cannot connect to two different VDCs in the same chassis.
You cannot disable LACP with the no feature lacp command if LACP is configured for a Port-Channel. LACP must be removed from all Port-Channels prior to disabling LACP globally.
The show port-channel compatibility-parameters CLI command is very useful for verifying interface parameters when configuring Port-Channels.
The show port-channel load-balance forwarding-path CLI command can be used to determine the individual link a flow traverses over a specific Port-Channel.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS. Cisco NX-OS does not use the range keyword when specifying multiple interfaces. Cisco NX-OS also has the ability to force an interface to inherit existing Port-Channel compatibility parameters using the force keyword.
Enabling the LACP Feature
  Cisco IOS CLI: Cisco IOS Software does not have the ability to enable or disable LACP.
  Cisco NX-OS CLI:
    feature lacp

Configuring LACP Active Mode
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    channel-group 1 mode active
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    channel-group 1 mode active

Configuring LACP Passive Mode
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    channel-group 1 mode passive
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    channel-group 1 mode passive

Configuring Static Mode (no protocol)
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    channel-group 1 mode on
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    channel-group 1 mode on

Enabling a Port-Channel
  Cisco IOS CLI:
    interface port-channel 1
    no shutdown
  Cisco NX-OS CLI:
    interface port-channel 1
    no shutdown

Layer-2 Port-Channel Example
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    switchport
    channel-group 1 mode active
    no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    switchport
    channel-group 1 mode active
    no shutdown

Layer-3 Port-Channel Example (the IP address belongs on the port-channel interface, not on the member ports)
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    no switchport
    channel-group 1 mode active
    no shutdown
    interface port-channel 1
    ip address 192.168.1.1 255.255.255.0
    no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    no switchport
    channel-group 1 mode active
    no shutdown
    interface port-channel 1
    ip address 192.168.1.1/24
    no shutdown

Adding an Interface to an Existing Port-Channel
  Cisco IOS CLI (Cisco IOS Software does not have the force option, so all interface parameters have to be compatible prior to adding the interface to an existing Port-Channel):
    interface gigabitethernet 1/3
    no switchport
    channel-group 1 mode active
  Cisco NX-OS CLI:
    interface ethernet 1/3
    channel-group 1 force mode active

Configuring the System Load-Balance Algorithm
  Cisco IOS CLI:
    port-channel load-balance dst-mac
  Cisco NX-OS CLI:
    port-channel load-balance ethernet destination-mac

Configuring the Load-Balance Algorithm per Module
  Cisco IOS CLI:
    port-channel per-module load-balance
    port-channel load-balance dst-mac module 1
  Cisco NX-OS CLI:
    port-channel load-balance ethernet destination-mac module 1
Verification Command Comparison
The following table lists some useful show commands for verifying and troubleshooting a Port-Channel configuration.
Cisco NX-OS Port-Channels | Cisco IOS Software Port-Channels | Command Description
show interface | show interface | Displays statistics for all interfaces or a specific interface
show interface port-channel <#> | show interface port-channel <#> | Displays statistics for a specific port-channel
show port-channel capacity | - | Displays port-channel resources (total, used, free)
show port-channel compatibility-parameters | - | Displays the compatibility parameters (e.g. speed, duplex)
show port-channel database | - | Displays the aggregation state for one or more port-channels
show port-channel load-balance | show etherchannel load-balance | Displays the configured load-balancing algorithm (hash)
show port-channel load-balance forwarding-path | show etherchannel load-balance hash-result | Displays packet forwarding information
show port-channel summary | show etherchannel summary | Displays a summarized list of all port-channels
show port-channel traffic | - | Displays the load per link in a port-channel (based on interface counters)
show port-channel usage | - | Displays the range of used and unused port-channel numbers
show lacp counters | show lacp counters | Displays the LACP PDU and error counters
show lacp interface | - | Displays detailed LACP information per interface
show lacp neighbors | show lacp neighbors | Displays detailed LACP information per neighbor
show lacp port-channel | show lacp | Displays the port-channel LACP configuration
show lacp system-identifier | show lacp sys-id | Displays the LACP system ID (priority / MAC address)
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Port-Channel_Comparison"
http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison
Cisco NX-OS/IOS HSRP Comparison
Objective
This tech note outlines the main differences in Hot Standby Router Protocol (HSRP) (IPv4) support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
HSRP Overview
HSRP is a Cisco proprietary First Hop Redundancy Protocol (FHRP) designed to allow transparent failover for an IP client’s default gateway (first-hop router).
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
HSRP command-line interface (CLI) configuration and verification commands are not available until you enable the HSRP feature with the feature hsrp command.
HSRP is hierarchical. All related commands for an HSRP group are configured under the group number.
The HSRP configuration commands use the format hsrp instead of standby .
The HSRP verification commands use the format show hsrp instead of show standby .
HSRP supports stateful process restart by default.
The hello and hold-time timer ranges for the millisecond options are different. In Cisco NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000 milliseconds.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining HSRP-enabled networks.
If you remove the feature hsrp command, all relevant HSRP configuration information is also removed.
HSRPv1 is enabled by default (HSRPv2 can be enabled per interface).
HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers (0 to 4095).
HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a different version on different interfaces.
The show running-config hsrp command displays the current HSRP configuration.
Configuration of more than one FHRP on an interface is not recommended.
Object tracking is supported. Tracking can be configured for an interface’s line protocol state, IP address state, and for IP route reachability (determining whether a route is available in the routing table).
An interface can track multiple objects.
Secondary IP addresses are supported in the same or a different group as the interface’s primary IP address.
Load sharing can be accomplished by using multiple HSRP groups per interface.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for configuration and verification commands. Both enhancements make the configuration easier to read.
Enabling the HSRP Feature
  Cisco IOS CLI: Cisco IOS Software does not have the ability to enable or disable HSRP.
  Cisco NX-OS CLI:
    feature hsrp

Configuring HSRP on an Interface
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      ip 192.168.10.1

Configuring the priority and preempt Options
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
    standby 0 priority 110
    standby 0 preempt
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      preempt
      priority 110
      ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Seconds)
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
    standby 0 timers 1 3
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      timers 1 3
      ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Milliseconds)
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
    standby 0 timers msec 250 msec 750
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      timers msec 250 msec 750
      ip 192.168.10.1

Configuring MD5 Authentication
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
    standby 0 authentication md5 key-string cisco123
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      authentication md5 key-string cisco123
      ip 192.168.10.1

Configuring HSRP Version 2 on an Interface
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby version 2
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp version 2

Configuring Minimum and Reload Initialization Delay
  Cisco IOS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby delay minimum 5 reload 10
  Cisco NX-OS CLI:
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp delay minimum 5 reload 10

Configuring Object Tracking (Interface Line-Protocol)
  Cisco IOS CLI:
    track 1 interface Ethernet2/2 line-protocol
    interface Ethernet2/1
    ip address 192.168.10.2 255.255.255.0
    standby 0 ip 192.168.10.1
    standby 0 track 1 decrement 20
  Cisco NX-OS CLI:
    track 1 interface ethernet 2/2 line-protocol
    interface Ethernet2/1
    ip address 192.168.10.2/24
    hsrp 0
      track 1 decrement 20
      ip 192.168.10.1
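The hierarchical hsrp block makes the NX-OS configuration easy to parse. The following added example (not code from the page or from Cisco) walks a constructed NX-OS running-config, collects each HSRP group, and flags groups with no MD5 authentication and millisecond timers outside the NX-OS ranges listed above; the sample config and interface names are constructed for illustration.

```python
"""Audit Cisco NX-OS HSRP configuration (hierarchical "hsrp <group>" blocks)
for groups without MD5 authentication and for msec timers outside the
NX-OS ranges. Added example; not Cisco's code. Sample config is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Millisecond timer ranges stated in the NX-OS/IOS HSRP comparison.
NXOS_HELLO_MS = (250, 999)
NXOS_HOLD_MS = (750, 3000)

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
feature hsrp
interface Ethernet2/1
  ip address 192.168.10.2/24
  hsrp version 2
  hsrp 0
    authentication md5 key-string cisco123
    preempt
    priority 110
    timers msec 250 msec 750
    ip 192.168.10.1
interface Ethernet2/2
  ip address 192.168.20.2/24
  hsrp 0
    timers 1 3
    ip 192.168.20.1
interface Ethernet2/3
  ip address 192.168.30.2/24
  hsrp 5
    authentication text cisco
    timers msec 100 msec 300
    ip 192.168.30.1
"""


@dataclass
class HsrpGroup:
    interface: str
    group: int
    vip: Optional[str] = None
    priority: int = 100            # HSRP default when not configured
    preempt: bool = False
    auth: Optional[str] = None     # "md5" or "text"
    msec: bool = False             # timers given with the msec keyword
    hello_ms: Optional[int] = None
    hold_ms: Optional[int] = None


def parse_hsrp(config: str) -> list:
    """Walk the indented running-config and return one record per HSRP group."""
    groups, iface, cur = [], None, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        text = raw.strip()
        if indent == 0:                         # top-level command
            cur = None
            m = re.match(r"interface\s+(\S+)", text)
            iface = m.group(1) if m else None
            continue
        if iface is None:
            continue
        if indent <= 2:                         # interface-level command
            cur = None
            m = re.match(r"hsrp\s+(\d+)$", text)   # "hsrp version 2" does not match
            if m:
                cur = HsrpGroup(iface, int(m.group(1)))
                groups.append(cur)
            continue
        if cur is None:                         # subcommand of something else
            continue
        # Deeper indent: a command inside the current hsrp group block.
        if m := re.match(r"ip\s+(\S+)", text):
            cur.vip = m.group(1)
        elif m := re.match(r"priority\s+(\d+)", text):
            cur.priority = int(m.group(1))
        elif text.startswith("preempt"):
            cur.preempt = True
        elif m := re.match(r"authentication\s+(md5|text)\b", text):
            cur.auth = m.group(1)
        elif m := re.match(r"timers\s+(msec\s+)?(\d+)\s+(msec\s+)?(\d+)", text):
            cur.msec = bool(m.group(1) or m.group(3))
            cur.hello_ms = int(m.group(2)) * (1 if m.group(1) else 1000)
            cur.hold_ms = int(m.group(4)) * (1 if m.group(3) else 1000)
    return groups


def audit(config: str) -> list:
    """Return one human-readable finding per problem found."""
    findings = []
    for g in parse_hsrp(config):
        where = f"{g.interface} hsrp {g.group}"
        if g.auth is None:
            findings.append(f"{where}: no authentication configured")
        elif g.auth == "text":
            findings.append(f"{where}: plaintext authentication, prefer md5 key-string")
        if g.msec:                              # range check applies to msec timers
            lo, hi = NXOS_HELLO_MS
            if not lo <= g.hello_ms <= hi:
                findings.append(f"{where}: hello {g.hello_ms} ms outside NX-OS range {lo}-{hi}")
            lo, hi = NXOS_HOLD_MS
            if not lo <= g.hold_ms <= hi:
                findings.append(f"{where}: hold {g.hold_ms} ms outside NX-OS range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```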
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an HSRP configuration.
Cisco NX-OS HSRP | Cisco IOS Software HSRP | Command Description
show hsrp | show standby <#> | Displays detailed information for all HSRP groups
show hsrp active | - | Displays all of the groups in the "active" state
show hsrp brief | show standby brief | Displays a summary of all the HSRP groups
show hsrp delay | - | Displays minimum and maximum delay times for preempting
show hsrp group | - | Displays detailed information for a specified group
show hsrp init | - | Displays all the groups in the "init" state
show hsrp interface | - | Displays detailed information for a specific interface
show hsrp learn | - | Displays all the groups in the "learn" state
show hsrp listen | - | Displays all the groups in the "listen" state
show hsrp speak | - | Displays all the groups in the "speak" state
show hsrp standby | - | Displays all the groups in the "standby" state
show hsrp summary | - | Displays summary information for HSRP groups
show track | show track | Displays the configured tracked objects
show track brief | show track brief | Displays a brief list of tracked objects
show track interface | show track interface | Displays the status of tracked interfaces
show track ip | show track ip | Displays the IP protocol objects that are tracked
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison"
Cisco NX-OS/IOS STP Comparison
Objective
This tech note outlines the main differences in Spanning-Tree Protocol (STP) support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
STP Overview
STP is a standards-based link-layer protocol, originally defined in IEEE 802.1D, that runs on switches to prevent forwarding loops in redundant layer-2 network topologies. Newer variants of STP, Rapid Spanning Tree Protocol (RSTP) defined in IEEE 802.1w and Multiple Spanning Tree Protocol (MST) defined in IEEE 802.1s, were developed for better scalability and faster convergence than the original version.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
Rapid-PVST+ and the MST protocols are supported.
Rapid-PVST+ is enabled by default.
High availability is achieved with stateful switchover when two supervisors are installed in a chassis.
The STP port types are identified with the port type designation as opposed to the portfast designation in Cisco IOS Software.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network that runs STP.
Rapid-PVST+ is interoperable with the 802.1d STP.
Rapid-PVST+ is interoperable with MST. (This is enabled by default)
Only one STP can be enabled per VDC.
Bridge Assurance is enabled globally by default, but is disabled on an interface by default.
Bridge Assurance can be enabled for an interface using the spanning-tree port type network interface command.
The clear spanning-tree counters command clears the counters for an STP interface or a VLAN.
STP enhancements such as BPDU Guard, Loop Guard, Root Guard, and BPDU Filtering are supported.
Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software.
Do not disable STP. Even if the layer-2 topology does not require STP, it should always be enabled as a safeguard for configuration and/or cabling errors.
Changing the STP mode can disrupt traffic.
Enabling Bridge Assurance is recommended. However, only enable Bridge Assurance on layer-2 links if both devices on each end of the link support it.
Typically the core/backbone devices should be configured as the primary and secondary root bridges.
The default bridge priority is 32,768 (plus the VLAN #). The lower the value, the more likely it will become the root bridge.
Configure 802.1q trunk ports as edge trunk port type when connecting to L3 hosts such as firewalls, load-balancers, or servers for faster convergence.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type terminology. The Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port type designation.
Configuring VLANs
  Cisco IOS CLI:
    vlan 10,20
  Cisco NX-OS CLI:
    vlan 10,20

Configuring Rapid PVST+
  Cisco IOS CLI:
    spanning-tree mode rapid-pvst
  Cisco NX-OS CLI (Rapid-PVST+ is enabled by default):
    spanning-tree mode rapid-pvst

Configuring the Rapid-PVST+ Bridge Priority
  Cisco IOS CLI:
    spanning-tree vlan 10 root primary
    spanning-tree vlan 20 root secondary
  Cisco NX-OS CLI:
    spanning-tree vlan 10 root primary
    spanning-tree vlan 20 root secondary

Configuring MST
  Cisco IOS CLI:
    spanning-tree mode mst
  Cisco NX-OS CLI:
    spanning-tree mode mst

Configuring an MST Instance
  Cisco IOS CLI:
    spanning-tree mst configuration
    instance 1 vlan 10
    instance 2 vlan 20
  Cisco NX-OS CLI:
    spanning-tree mst configuration
    instance 1 vlan 10
    instance 2 vlan 20

Configuring the MST Bridge Priority
  Cisco IOS CLI:
    spanning-tree mst 1 root primary
    spanning-tree mst 2 root secondary
  Cisco NX-OS CLI:
    spanning-tree mst 1 root primary
    spanning-tree mst 2 root secondary

Configuring STP Port Types Globally
  Cisco IOS CLI:
    spanning-tree portfast edge default
    or
    spanning-tree portfast network default
  Cisco NX-OS CLI:
    spanning-tree port type edge default
    or
    spanning-tree port type network default

Configuring STP Port Types per Interface
  Cisco IOS CLI:
    interface GigabitEthernet1/1
    switchport
    spanning-tree portfast edge
    or
    spanning-tree portfast network
    or
    spanning-tree portfast disable
  Cisco NX-OS CLI (the interface must be defined as a switchport before the port type commands below can be applied):
    interface ethernet 1/1
    switchport
    spanning-tree port type edge
    or
    spanning-tree port type network
    or
    spanning-tree port type normal

Configuring a Trunk as an Edge Port Type
  Cisco IOS CLI:
    interface GigabitEthernet1/1
    switchport
    spanning-tree portfast edge trunk
  Cisco NX-OS CLI:
    interface ethernet 1/1
    switchport
    spanning-tree port type edge trunk

Disabling PVST Simulation Globally
  Cisco IOS CLI:
    no spanning-tree mst simulate pvst global
  Cisco NX-OS CLI:
    no spanning-tree mst simulate pvst global

Disabling PVST Simulation per Port
  Cisco IOS CLI:
    interface GigabitEthernet1/1
    switchport
    spanning-tree mst simulate pvst disable
  Cisco NX-OS CLI:
    interface ethernet 1/1
    switchport
    spanning-tree mst simulate pvst disable
Verification Command Comparison
The following table lists some useful show commands for verifying and troubleshooting a STP network configuration. The show commands are identical for Cisco IOS and Cisco NX-OS Software.
Cisco NX-OS STP | Cisco IOS Software STP | Command Description
show spanning-tree | show spanning-tree | Displays high-level STP process information
show spanning-tree active | show spanning-tree active | Displays all ports in the active state
show spanning-tree blockedports | show spanning-tree blockedports | Displays all ports in the blocked state
show spanning-tree detail | show spanning-tree detail | Displays detailed information per STP instance
show spanning-tree interface | show spanning-tree interface | Displays detailed STP information for a specific interface
show spanning-tree mst | show spanning-tree mst | Displays high-level MST configuration
show spanning-tree mst configuration | show spanning-tree mst configuration | Displays the MST instance configuration
show spanning-tree mst detail | show spanning-tree mst detail | Displays detailed MST information
show spanning-tree root | show spanning-tree root | Displays STP root information
show spanning-tree summary | show spanning-tree summary | Displays STP summary information
show spanning-tree vlan | show spanning-tree vlan | Displays per-VLAN STP information
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_STP_Comparison"
Cisco NX-OS/IOS SPAN Comparison
Objective
This tech note outlines the main differences in the Switched Port Analyzer (SPAN) between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
SPAN Overview
The SPAN feature allows traffic to be mirrored from within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
Only Local SPAN is supported.
Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.
18 monitor sessions can be configured. Only two sessions can be active simultaneously.
Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software offers either a flat or a hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later.
A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).
Destination SPAN ports must be configured as Layer 2 ports with the switchport command.
Destination SPAN ports require the switchport monitor interface configuration command.
The SPAN feature supports stateful and stateless process restarts.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.
Two active SPAN sessions are supported for all virtual device contexts (VDCs).
Monitor sessions are disabled by default. They can be enabled with the no shut command.
The source traffic direction can be configured as rx, tx, or both. The default is both.
When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN are sent to the destination.
The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.)
By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.
A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)
A destination port does not participate in a spanning-tree instance.
A destination port can be configured in only one SPAN session at a time.
A port cannot be configured as both a source and destination port.
128 source interfaces can be configured per session.
32 source VLANs can be configured per session.
2 destination interfaces can be configured per session.
Configuration Comparison
The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.
Configuring the Destination Switchport Mode
  Cisco IOS CLI: Cisco IOS Software does not require any destination port configuration.
  Cisco NX-OS CLI:
    interface Ethernet2/2
    switchport
    switchport monitor

Configuring Destination Port Ingress Forwarding and Learning
  Cisco IOS CLI:
    monitor session 1 type local
    destination interface Gi2/2 ingress learning
  Cisco NX-OS CLI:
    interface Ethernet2/2
    switchport
    switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination)
  Cisco IOS CLI:
    monitor session 1 type local
    source interface Gi2/1
    destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
    source interface Ethernet2/1 both
    destination interface Ethernet2/2
    no shut

Configuring a SPAN Monitor (VLAN Source)
  Cisco IOS CLI:
    monitor session 1 type local
    source vlan 10 , 20
    destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
    source vlan 10,20 both
    destination interface Ethernet2/2
    no shut

Filtering VLANs for IEEE 802.1q Trunk Sources
  Cisco IOS CLI:
    interface GigabitEthernet2/1
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-20
    switchport mode trunk
    no shutdown
    monitor session 1 type local
    filter vlan 15 - 20
    source interface Gi2/1
    destination interface Gi2/2
  Cisco NX-OS CLI:
    interface Ethernet2/1
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 10-20
    monitor session 1
    source interface Ethernet2/1 both
    destination interface Ethernet2/2
    filter vlan 15-20
    no shut

Configuring a SPAN Monitor (CPU Source)
  Cisco IOS CLI:
    monitor session 1 type local
    source cpu rp rx
    destination interface Gi2/2
    no shutdown
  Cisco NX-OS CLI:
    monitor session 1
    source interface sup-eth0 rx
    destination interface Ethernet2/2
    no shut
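The constraints listed under "Things You Should Know" (destination ports need switchport monitor, a port cannot be both source and destination, one session per destination port, two active sessions, and the per-session source and destination limits) can be checked mechanically before a change is pushed. The following added example (not code from the page or from Cisco) parses a constructed NX-OS running-config with monitor session blocks and reports each violation; the interface names, session numbers and sample config are constructed.

```python
"""Validate Cisco NX-OS SPAN ("monitor session") configuration against the
limits listed in the NX-OS/IOS SPAN comparison. Added example; not Cisco's
code. The sample running-config below is constructed, not from a device."""
import re

MAX_ACTIVE_SESSIONS = 2     # only two sessions can be active simultaneously
MAX_SRC_INTERFACES = 128    # per session
MAX_SRC_VLANS = 32          # per session
MAX_DST_INTERFACES = 2      # per session

# Constructed sample: session 2 and session 3 each break one or more rules.
SAMPLE_CONFIG = """\
interface Ethernet2/2
  switchport
  switchport monitor
interface Ethernet2/3
  switchport
monitor session 1
  source interface Ethernet2/1 both
  source vlan 10,20 both
  destination interface Ethernet2/2
  no shut
monitor session 2
  source interface Ethernet2/3 rx
  destination interface Ethernet2/3
  no shut
monitor session 3
  source vlan 1-40 both
  destination interface Ethernet2/2
  no shut
"""


def expand_ranges(spec: str) -> set:
    """'10,15-17' -> {10, 15, 16, 17} (comma lists and dash ranges)."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_span(config: str):
    """Return (monitor_ports, sessions): the set of ports carrying
    'switchport monitor', and session-id -> {src_if, src_vlan, dst_if, active}."""
    monitor_ports, sessions, block = set(), {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw.startswith((" ", "\t")):           # top-level command
            m_if = re.match(r"interface\s+(\S+)", text)
            m_ms = re.match(r"monitor session\s+(\d+)", text)
            if m_if:
                block = ("interface", m_if.group(1))
            elif m_ms:
                sid = int(m_ms.group(1))
                sessions.setdefault(sid, {"src_if": set(), "src_vlan": set(),
                                          "dst_if": set(), "active": False})
                block = ("session", sid)
            else:
                block = None
            continue
        if block is None:
            continue
        kind, key = block
        if kind == "interface":
            if text == "switchport monitor":
                monitor_ports.add(key)
            continue
        s = sessions[key]                              # inside a monitor session
        if m := re.match(r"source interface\s+(\S+)", text):
            s["src_if"].add(m.group(1))
        elif m := re.match(r"source vlan\s+(\S+)", text):
            s["src_vlan"] |= expand_ranges(m.group(1))
        elif m := re.match(r"destination interface\s+(\S+)", text):
            s["dst_if"].add(m.group(1))
        elif text in ("no shut", "no shutdown"):
            s["active"] = True
    return monitor_ports, sessions


def validate(config: str) -> list:
    """Return one finding per rule violated; an empty list means the config passes."""
    monitor_ports, sessions = parse_span(config)
    findings, dst_owner = [], {}
    active = [sid for sid, s in sessions.items() if s["active"]]
    if len(active) > MAX_ACTIVE_SESSIONS:
        findings.append(f"{len(active)} sessions enabled; only {MAX_ACTIVE_SESSIONS} can be active at once")
    for sid, s in sorted(sessions.items()):
        tag = f"session {sid}"
        for name, limit, label in (("src_if", MAX_SRC_INTERFACES, "source interfaces"),
                                   ("src_vlan", MAX_SRC_VLANS, "source VLANs"),
                                   ("dst_if", MAX_DST_INTERFACES, "destination interfaces")):
            if len(s[name]) > limit:
                findings.append(f"{tag}: {len(s[name])} {label} exceed limit of {limit}")
        for port in sorted(s["src_if"] & s["dst_if"]):
            findings.append(f"{tag}: {port} is both a source and a destination")
        for port in sorted(s["dst_if"]):
            if port not in monitor_ports:
                findings.append(f"{tag}: destination {port} lacks 'switchport monitor'")
            if port in dst_owner and dst_owner[port] != sid:
                findings.append(f"{tag}: destination {port} already used by session {dst_owner[port]}")
            dst_owner.setdefault(port, sid)
    return findings


if __name__ == "__main__":
    for finding in validate(SAMPLE_CONFIG):
        print(finding)
```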
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.
Cisco NX-OS SPAN | Cisco IOS Software SPAN | Command Description
show interface | show interface | Displays destination port characteristics
show monitor session <#> | show monitor session <#> | Displays a specific SPAN and monitor session
show monitor session all | show monitor session all | Displays all SPAN and monitor sessions
show monitor range <#-#> | show monitor range <#-#> | Displays a range of specified SPAN sessions
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_SPAN_Comparison"
Cisco NX-OS/IOS OSPF Comparison
Objective
This tech note outlines the main differences in Open Shortest Path First Version 2 (OSPFv2) support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
OSPF Overview
OSPFv2 is an IETF (RFC 2328) standards-based dynamic link-state routing protocol used to exchange network reachability within an autonomous system.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
OSPF command-line interface (CLI) configuration and verification commands are not available until you enable the OSPF feature with the feature ospf command.
The OSPF protocol requires the Enterprise Services license.
The OSPF instance tag can be up to 20 characters, whereas Cisco IOS Software uses a process number in the range 1 – 65536.
Eight equal-cost paths are supported by default. You can configure up to sixteen.
The default reference bandwidth used in the OSPF cost calculation is 40 Gbps.
Networks and interfaces are added to an OSPF instance under the interface configuration mode.
An OSPF area can be configured using decimal or decimal dotted notation, but it is always displayed in decimal dotted notation in the configuration and in the show command output.
Passive interfaces are applied to the interface as opposed to under the OSPF router instance.
If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address for the first physical interface in the configuration.
Neighbor adjacency changes are not logged by default. The log-adjacency-changes CLI command is required under the OSPF instance.
When interface authentication is configured, the OSPF key is stored encrypted with Triple Data Encryption Standard (3DES) in the configuration. Cisco IOS Software requires the service password-encryption command for the same effect.
When you rollover an OSPF authentication key in a combined Cisco NX-OS/Cisco IOS network, you should configure both keys on the Cisco NX-OS router to ensure that there is sufficient overlap between the old key and the new key for a smooth transition to the new key. You should configure the new key as a valid accept key on all the NX-OS and IOS routers before the new key becomes a valid generation key in the keychain. During the overlap period, Cisco NX-OS transmits the new OSPF key and accepts OSPF authenticated packets from both the old key and the new key.
Cisco NX-OS does not support distribute-lists for removing OSPF routes from the routing table. It does support inter-area LSA/route filtering using the filter-list command configured under the OSPF routing instance.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an OSPF network.
Four OSPF instances can be configured per virtual device context (VDC).
Numerous Virtual Route Forwarding (VRF) instances can be associated to an OSPF instance.
If you remove the feature ospf command, all relevant OSPF configuration information is also removed.
The shutdown command under the OSPF process can be used to disable OSPF while retaining the configuration. Similar functionality can also be applied per interface with the ip ospf shutdown command.
The show running-config ospf command displays the current OSPF configuration.
An OSPF instance can be restarted with the restart ospf
Graceful Restart (RFC 3623) is enabled by default.
OSPF supports stateful process restarts if two supervisors are present.
You cannot configure multiple OSPF instances on the same interface.
An interface can support multi-area adjacencies using the multi-area option with the ip router ospf interface command.
Secondary IP addresses are advertised by default, but can be suppressed per interface with the ip router ospf
By default all loopback IP address subnet masks are advertised in an LSA as a /32. The loopback interface command ip ospf advertise-subnet can be configured to advertise the primary IP address subnet mask. (This command does not apply to secondary IP addresses. They will still be advertised as a /32.)
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS allows OSPF to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read.
Enabling the OSPF Feature
Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable or disable OSPF.
Cisco NX-OS CLI:
  feature ospf

Configuring an OSPF Instance and Router ID
Cisco IOS CLI:
  router ospf 10
   router-id 192.168.1.1
Cisco NX-OS CLI:
  router ospf 10
   router-id 192.168.1.1

Associating a Network with an OSPF Instance and Area
Cisco IOS CLI:
  router ospf 10
   network 192.168.1.0 0.0.0.255 area 1
Cisco NX-OS CLI:
  interface Ethernet2/1
   ip address 192.168.10.1/24
   ip router ospf 10 area 1

Configuring a Passive Interface
Cisco IOS CLI:
  router ospf 10
   passive-interface GigabitEthernet2/1
   network 192.168.1.0 0.0.0.255 area 1
Cisco NX-OS CLI:
  interface Ethernet2/1
   ip address 192.168.11.1/24
   ip ospf passive-interface
   ip router ospf 10 area 0

Configuring Interface Authentication (MD5)
Cisco IOS CLI:
  interface GigabitEthernet2/1
   ip address 192.168.10.1 255.255.255.0
   ip ospf authentication message-digest
   ip ospf message-digest-key 1 md5 cisco123
Cisco NX-OS CLI:
  interface Ethernet2/1
   ip address 192.168.10.1/24
   ip ospf authentication message-digest
   ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
   ip router ospf 10 area 1

Configuring a Stub Area with the no-summary Option
Cisco IOS CLI:
  router ospf 10
   area 2 stub no-summary
Cisco NX-OS CLI:
  router ospf 10
   area 2 stub no-summary

Creating a Not-So-Stubby Area (NSSA) and Generating a Default Route
Cisco IOS CLI:
  router ospf 10
   area 3 nssa default-information-originate
Cisco NX-OS CLI:
  router ospf 10
   area 3 nssa default-information-originate

Configuring Inter-Area and External Summarization
Cisco IOS CLI:
  router ospf 10
   area 0 range 159.142.0.0 255.255.0.0
   summary-address 172.16.0.0 255.255.0.0
Cisco NX-OS CLI:
  router ospf 10
   area 0 range 159.142.0.0/16
   summary-address 172.16.0.0/16

Generating a Default Route (Conditional)
Cisco IOS CLI:
  router ospf 10
   default-information originate
Cisco NX-OS CLI:
  router ospf 10
   default-information originate

Generating a Maximum Metric (Max-Metric) Value
Cisco IOS CLI:
  router ospf 10
   max-metric router-lsa
Cisco NX-OS CLI:
  router ospf 10
   max-metric router-lsa
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an OSPFv2 network configuration.
Cisco NX-OS OSPFv2 | Cisco IOS Software OSPFv2 | Command Description
show ip ospf | show ip ospf | Displays the running configuration
show ip ospf border-routers | show ip ospf border-routers | Displays a list of border routers
show ip ospf database | show ip ospf database | Displays OSPF database information
show ip ospf interface | show ip ospf interface <int type> | Displays OSPF interface information
show ip ospf interface detail | - | Displays additional packet statistics for each interface
show ip ospf memory | - | Displays the memory allocated for OSPF
show ip ospf neighbor | show ip ospf neighbors | Displays neighbor-specific information
show ip ospf neighbor detail | show ip ospf neighbor detail | Displays details for each OSPF neighbor
show ip ospf policy statistics | - | Displays redistribution statistics for a specified protocol
show ip ospf request list | show ip ospf request list | Displays a list of link-state advertisements (LSAs) that have been requested
show ip ospf retransmission list | show ip ospf retransmission-list | Displays a list of LSAs waiting to be retransmitted
show ip ospf route | - | Displays all routes learned through OSPF
show ip ospf statistics | show ip ospf statistics | Displays OSPF LSA statistics
show ip ospf summary-address | show ip ospf summary-address | Displays OSPF-summarized networks
show ip ospf traffic | show ip ospf traffic | Displays OSPF-related packet counters
show ip ospf vrf | - | Displays information for a specified OSPF VRF instance
Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_OSPF_Comparison"
Cisco NX-OS/IOS Layer-3 Virtualization Comparison
From DocWiki
Objective
This tech note outlines the main differences in Layer 3 virtualization support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
Virtualization Routing and Forwarding Overview
Virtual Routing and Forwarding (VRF) provides an additional layer of network virtualization on top of virtual device contexts (VDCs). VRF provides separate unicast and multicast address space and associated routing protocols that make independent forwarding decisions. All unicast and multicast protocols support VRF.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
Cisco NX-OS supports 200 VRF instances per VDC.
Two VRF instances are configured by default. The management port on the supervisor module is assigned to the management VRF, and all I/O module ports are assigned to the default VRF.
The default VRF is the default routing context for all show commands.
VRF instances can be enabled without any command-line interface (CLI) prerequisites. Cisco IOS Software requires ip cef to be enabled globally before VRF instances can be configured.
Multicast routing/forwarding can be configured per VRF instance without having to globally enable the VRF instance for multicast. Cisco IOS Software requires the global ip multicast-routing vrf
The CLI for enabling VRF routing for a protocol is consistent for all routing protocols, whereas Cisco IOS Software uses address families for Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Enhanced Interior Gateway Routing Protocol (EIGRP) and requires unique routing process IDs per VRF for Integrated Intermediate System-to-Intermediate System (ISIS) and Open Shortest Path First (OSPF).
In Cisco NX-OS, numerous VRF instances can be assigned to a single routing protocol instance.
IP static routes are configured under the specified vrf context. In Cisco IOS Software, all static routes are configured in global configuration mode with the vrf option.
A VRF instance can be manually disabled with the shutdown command. Cisco IOS Software does not have the CLI capability to manually disable a VRF instance.
If a VRF context is removed with the no vrf context
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining VRF instances.
When you assign a VRF instance to an interface with an IP address previously configured, the interface IP address is automatically removed.
Static routes or dynamic routing protocols can be configured for routing in a VRF instance (BGP, EIGRP, ISIS, OSPF, static routes, and RIPv2).
IP troubleshooting tools such as ping and traceroute are VRF aware and require the name of a specific VRF instance if testing in the default VRF instance is not desired.
The routing-context vrf command can be executed in EXEC mode to change the routing context to a non-default VRF instance. For example, typing routing-context vrf management changes the routing context, so all VRF related commands are executed in the management VRF as opposed to the default VRF.
Network management–related services such as authentication, authorization and accounting (AAA), Call Home, Domain Name System (DNS), FTP, HTTP, NetFlow Network Time Protocol (NTP), RADIUS, Simple Network Management Protocol (SNMP), SSH, syslog, TACACS+, Telnet, Trivial File Transfer Protocol (TFTP), and XML are VRF aware.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable VRF routing. The Cisco NX-OS CLI is simpler and more consistent since it allows multiple VRF instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses different techniques depending on the routing protocol.
Creating a VRF
Cisco IOS CLI:
  ip cef
  ip vrf vrf-1
Cisco NX-OS CLI:
  vrf context vrf-1

Assigning an Interface to a VRF
Cisco IOS CLI:
  interface Ethernet2/1
   ip vrf forwarding vrf-1
   ip address 192.168.10.1 255.255.255.0
Cisco NX-OS CLI:
  interface Ethernet2/1
   vrf member vrf-1
   ip address 192.168.10.1/24

Enabling BGP in a VRF
Cisco IOS CLI:
  router bgp 10
   address-family ipv4 vrf vrf-1
    neighbor 192.168.10.2 remote-as 20
    neighbor 192.168.10.2 activate
    network 192.168.1.1 mask 255.255.255.255
   exit-address-family
Cisco NX-OS CLI:
  router bgp 10
   vrf vrf-1
    address-family ipv4 unicast
     network 192.168.1.1/32
    neighbor 192.168.10.2 remote-as 20
     address-family ipv4 unicast

Enabling EIGRP in a VRF
Cisco IOS CLI:
  router eigrp 10
   address-family ipv4 vrf vrf-1
    network 192.168.10.0
    auto-summary
    autonomous-system 10
   exit-address-family
  !
Cisco NX-OS CLI:
  router eigrp 10
   vrf vrf-1
  interface Ethernet2/1
   vrf member vrf-1
   ip address 192.168.10.1/24
   ip router eigrp 10

Enabling ISIS in a VRF
Cisco IOS CLI:
  interface Ethernet2/1
   ip vrf forwarding vrf-1
   ip address 192.168.10.1 255.255.255.0
   ip router isis 10
  router isis 10
   vrf vrf-1
   net 49.0001.0000.0001.00
Cisco NX-OS CLI:
  interface Ethernet2/1
   vrf member vrf-1
   ip address 192.168.10.1/24
   ip router isis 10
  router isis 10
   vrf vrf-1
    net 49.0001.0000.0001.00

Enabling OSPF in a VRF
Cisco IOS CLI:
  interface Ethernet2/1
   ip vrf forwarding vrf-1
   ip address 192.168.10.1 255.255.255.0
  router ospf 10 vrf vrf-1
   network 192.168.10.0 0.0.0.255 area 0
Cisco NX-OS CLI:
  interface Ethernet2/1
   vrf member vrf-1
   ip address 192.168.10.1/24
   ip router ospf 10 area 0
  router ospf 10
   vrf vrf-1

Enabling RIPv2 in a VRF
Cisco IOS CLI:
  interface Ethernet2/1
   ip vrf forwarding vrf-1
   ip address 192.168.10.1 255.255.255.0
  router rip
   address-family ipv4 vrf vrf-1
    network 192.168.10.0
    version 2
   exit-address-family
Cisco NX-OS CLI:
  interface Ethernet2/1
   vrf member vrf-1
   ip address 192.168.10.1/24
   ip router rip 10
  router rip 10
   vrf vrf-1

Configuring Static Routes in a VRF
Cisco IOS CLI:
  ip route vrf vrf-1 192.168.2.0 255.255.255.0 192.168.10.2
Cisco NX-OS CLI:
  vrf context vrf-1
   ip route 192.168.2.0/24 192.168.10.2
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting VRF instances.
Cisco NX-OS VRF | Cisco IOS Software VRF | Command Description
show vrf | show ip vrf | Displays a list of all configured VRF instances
show vrf <vrf-name> | show ip vrf <vrf-name> | Displays a specific VRF instance
show vrf <vrf-name> detail | show ip vrf detail <vrf-name> | Displays details for a specific VRF instance
show vrf <vrf-name> interface | - | Displays the interface assignment for a specific VRF instance
show vrf default | - | Displays a summary of the default VRF instance
show vrf detail | show ip vrf detail | Displays details for all VRF instances
show vrf interface | show ip vrf interface | Displays VRF interface assignments
show vrf management | - | Displays a summary of the management VRF instance
show ip route vrf all | - | Displays routes for all VRF instances
show ip route vrf default | - | Displays routes for the default VRF instance
show ip route vrf management | - | Displays routes for the management VRF instance
show ip route vrf <vrf-name> | show ip route vrf <vrf-name> | Displays routes for a specific VRF instance
show ip arp vrf <vrf-name> | show ip arp vrf <vrf-name> | Displays Address Resolution Protocol (ARP) entries for a specific VRF instance
show ip bgp vrf <vrf-name> | show ip bgp vpnv4 vrf <vrf-name> | Displays BGP information for a specific VRF instance
show ip eigrp vrf <vrf-name> | show ip eigrp vrf <vrf-name> | Displays EIGRP information for a specific VRF instance
show ip isis vrf <vrf-name> | show isis <#> | Displays ISIS information for a specific VRF instance
show ip ospf vrf <vrf-name> | show ip ospf <#> | Displays OSPF information for a specific VRF instance
show ip rip vrf <vrf-name> | show ip rip database vrf <vrf-name> | Displays RIP information for a specific VRF instance
show ip static-route vrf <vrf-name> | - | Displays static routes for a specific VRF instance
show forwarding vrf <vrf-name> | show ip cef vrf <vrf-name> | Displays FIB information for a specific VRF instance (multiple sub-options)
show routing vrf <vrf-name> | - | Displays a subset of the show vrf commands
show routing-context | - | Displays the current routing context
vPC Role and Priority
Within the VDC the following configurations are required.
vPC needs to be enabled:
agg(config)# feature vpc
A domain needs to be defined, along with role priorities that determine the primary and secondary roles in the vPC configuration. The lower number has the higher priority and wins.
Note also that the role is non-preemptive, so a device may be operationally primary, but secondary from a configuration perspective. Because spanning tree is preemptive, this may result in a mismatch between the spanning tree root and the vPC operational primary.
agg(config)# vpc domain 1
agg1(config-vpc-domain)# role priority 100
agg2(config-vpc-domain)# role priority 110
There are no functional issues when the STP root and vPC primary node do not match. This can only cause some sub-optimal convergence time due to STP resynchronization when the peer-link is flapped or a vPC device is reloaded.
For this reason, if you want to restore the original mapping between the spanning-tree root and the vPC primary, follow this procedure on the device that is configured as secondary but is operationally primary:
· Enter vPC domain configuration mode with vpc domain
· Reset the vPC role priority with the role priority command
· Perform a shut/no shut on the peer link
Or you can create a CLI alias (customize the domain ID and peer-link port channel for your setup):
7k-1(config)# cli alias name vpcpreempt conf t ; vpc domain 10 ; role priority 32767 ; int po 10 ; shut ; no sh
7k-1(config)# show cli alias
CLI alias commands
==================
alias :show cli alias
vpcpreempt :conf t ; vpc domain 10 ; role priority 32767 ; int po 10 ; shut ; no sh
vPC Domain ID
When configuring the vPC domain ID, make sure it is different from the one used by a neighboring vPC-capable device with which you plan to configure vPC. In other words, the N7K and the N5K must not use the same domain ID.
As a result, in a back-to-back vPC configuration, if the neighboring switches use the same domain ID, there’s a risk of conflicting system-id in the LACP negotiation that could lead to an unsuccessful LACP negotiation.
vPC Peer Link
This port channel should be configured on dedicated-mode 10-GigE interfaces across two different 10-Gigabit linecards.
agg(config)# interface port-channel10
agg(config-if)# vpc peer-link
agg(config-if)# switchport trunk allowed vlan
Configuration for single 10 GigE Card
Using a single 10 Gigabit Ethernet card on the Nexus 7000 for both core connectivity as well as the peer link is possible, but not the most desirable option. If you lose the 10 Gigabit card on the vpc primary, you lose not only core connectivity, but also the peer link. As a result, ports will be shut down on the peer vpc device, isolating the servers completely.
A picture helps explain this:
In this topology, the failure of the 10 GigE card that provides both peer-link and core connectivity causes the vPC secondary to shut down its vPC member ports so that traffic flows to the vPC primary. The vPC primary, however, has no core connectivity either, so a single failure blackholes the traffic.
The best solution is naturally to have two 10 GigE linecards; alternatively, you can use the object tracking functionality.
The objects tracked are the uplinks to the core and the peer link.
If these links are lost, the vPCs local to the switch are brought down so that traffic can continue on the vPC peer.
This feature is configured by using the following command syntax:
! Track the vpc peer link
track 1 interface port-channel110 line-protocol
! Track the uplinks to the core
track 2 interface Ethernet7/9 line-protocol
! Combine all tracked objects into one.
! "OR" means the list goes down only when ALL objects are down,
! --> that is, when we have lost all connectivity to the core and the peer link
track 10 list boolean OR
object 1
object 2
! If object 10 goes down on the primary vPC peer,
! system will switch over to other vPC peer and disable all local vPCs
vpc domain 1
track 10
CFSoE
Cisco Fabric Services over Ethernet (CFSoE) provides several infrastructure services for vPC, including MAC synchronization, configuration verification for potential mismatch in the configurations, and locking of the configuration while a vPC peer is being upgraded.
The CFSoE configuration does not need to be specifically enabled, but just as a reference, the configuration appears automatically when you enable vPC, and it looks like this:
agg1(config)#cfs region 10
agg1(config-cfs-region)# vpc
agg1(config)#cfs ethernet distribute
vPC Peer Keepalive or FT Link
Finally, a dual-active detection configuration needs to be put in place. The keepalive that is used to resolve dual-active scenarios can be carried over a routed infrastructure; it doesn’t need to be a direct point-to-point link. The keepalives are sent every two seconds.
The following configuration illustrates the use of a dedicated GigE interface for this purpose.
vrf context vpc-keepalive
interface Ethernet8/16
description tc-nexus7k02-vdc2 - vPC Heartbeat Link
vrf member vpc-keepalive
ip address 192.168.1.1/24
no shutdown
vpc domain 1
peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
vPC Ports
vPC port channels are configured by bundling Layer 2 ports (switchports) on each Nexus switch and assigning the port channel a vPC number with the vpc command. The system issues an error message if the port channel was not previously configured as a switchport.
agg1(config)#interface ethernet2/9
agg1(config-if)# channel-group 51 mode active
agg1(config)#interface Port-channel 51
agg1(config-if)# switchport
agg1(config-if)# vpc 51
!
agg2(config)#interface ethernet2/9
agg2(config-if)# channel-group 51 mode active
agg2(config)#interface Port-channel 51
agg2(config-if)#switchport
agg2(config-if)# vpc 51
You can verify the success of the configuration by issuing the command:
agg1#show vpc brief
tc-nexus7k02-vdc2# show vpc br
[…]
vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- -------------------------- ------------
51 Po51 down* failed vPC type-1 configuration -
incompatible - STP
interface port type
inconsistent
If the Consistency column does not show success, verify the consistency parameters. Typical reasons for the vPC not to form include a VLAN that is allowed on the trunk but does not exist, or one that is not allowed on the peer link.
tc-nexus7k01-vdc2# show vpc consistency-parameters global
tc-nexus7k01-vdc2# show vpc consistency-parameters int port-channel 51
Legend:
Type 1 : vPC will be suspended in case of mismatch
Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
STP Port Type 1 Default Default
STP Port Guard 1 None None
STP MST Simulate PVST 1 Default Default
Allowed VLANs - 10-14,21-24,50,60 10-14,21-24,50,60
After a port is defined as part of a vPC, any further configuration, such as enabling or disabling bridge assurance or setting the trunking mode, is performed in the port-channel interface configuration mode. Trying to configure spanning-tree properties on the physical interface instead of the port channel results in an error message.
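As an added example, not code from this page or from Cisco, the following Python script parses show vpc consistency-parameters output in the layout shown above and separates Type 1 mismatches, which suspend the vPC, from other mismatches, which are only reported. The sample output is constructed for this example.

```python
"""Flag vPC consistency-parameter mismatches that would suspend a vPC.

Added example, not code from the original page or from Cisco.  Parses the
text of 'show vpc consistency-parameters' (global or per port-channel) and
reports Type 1 mismatches separately, since those are the ones that keep
the vPC from forming.  The sample output below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row layout: a name that may contain spaces, the Type column (1, 2 or -),
# then one local and one peer value token (Default, None, a VLAN list, ...).
_ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<type>[12]|-)\s+(?P<local>\S+)\s+(?P<peer>\S+)\s*$")


@dataclass(frozen=True)
class Param:
    name: str
    kind: str     # "1", "2" or "-" exactly as printed in the Type column
    local: str
    peer: str

    @property
    def mismatch(self) -> bool:
        return self.local != self.peer


def parse_consistency(output: str) -> list[Param]:
    """Parse the parameter rows; prompt, legend, header and rule lines are skipped."""
    params: list[Param] = []
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name") and "Local Value" in stripped:
            in_table = True            # column header reached; rows follow
            continue
        if not in_table or not stripped or stripped.startswith("---"):
            continue
        m = _ROW.match(stripped)
        if m:
            params.append(Param(m["name"], m["type"], m["local"], m["peer"]))
    return params


def suspending_mismatches(output: str) -> list[Param]:
    """Type 1 parameters whose local and peer values differ: these suspend the vPC."""
    return [p for p in parse_consistency(output) if p.kind == "1" and p.mismatch]


def other_mismatches(output: str) -> list[Param]:
    """Mismatches in any other row: worth fixing, but they do not suspend the vPC."""
    return [p for p in parse_consistency(output) if p.kind != "1" and p.mismatch]


# Constructed sample: the STP port type differs on the peer (the "STP interface
# port type inconsistent" case from the show vpc brief output above) and the
# allowed VLAN list differs as well.
SAMPLE_PO51 = """\
tc-nexus7k01-vdc2# show vpc consistency-parameters int port-channel 51

    Legend:
        Type 1 : vPC will be suspended in case of mismatch

Name                        Type  Local Value            Peer Value
-------------               ----  ---------------------- -----------------------
STP Port Type               1     Default                Edge
STP Port Guard              1     None                   None
STP MST Simulate PVST       1     Default                Default
Allowed VLANs               -     10-14,21-24,50,60      10-14,21-24,50
"""


def report(output: str) -> str:
    """Summarize the mismatches the way an operator reads them."""
    fatal = suspending_mismatches(output)
    minor = other_mismatches(output)
    lines = [f"{len(fatal)} Type 1 mismatch(es): vPC suspended" if fatal else "no Type 1 mismatch"]
    lines += [f"  [suspends] {p.name}: local={p.local} peer={p.peer}" for p in fatal]
    lines += [f"  [warn]     {p.name}: local={p.local} peer={p.peer}" for p in minor]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PO51))
```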
Orphan Ports with non-vPC VLANs
As described in chapter 3, when the peer link is lost, vPC shuts down the SVIs on the secondary switch and, as a result, orphan ports on the operational secondary may become isolated. For this reason you should either trunk the non-vPC VLANs on a different link or exclude the non-vPC VLANs from this behavior, as described here.
First you may want to execute the following command to learn which ports are considered orphan ports from the Nexus 7000 perspective:
Nexus7000#show vpc orphan-ports
Second you can remove the non-vPC VLANs in the vpc domain configuration:
vpc domain 1
role priority 100
dual-active exclude interface-vlan
peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
HSRP
The use of HSRP in the context of vPC doesn’t require any special configuration. With vPC, only the active HSRP interface answers ARP requests, but both HSRP interfaces (active and standby) can forward traffic.
If an ARP request coming from a server arrives on the secondary HSRP device, then it is forwarded to the active HSRP device via the peer link.
HSRP Configuration and Best Practices for vPC
The configuration on the Primary Nexus 7000 looks like this:
interface Vlan50
no shutdown
ip address 10.50.0.251/24
hsrp 50
preempt delay minimum 180
priority 150
timers 1 3
ip 10.50.0.1
The configuration on the Secondary Nexus 7000 looks as follows:
interface Vlan50
no shutdown
ip address 10.50.0.252/24
hsrp 50
preempt delay minimum 180
priority 130
timers 1 3
ip 10.50.0.1
The most significant difference between the HSRP implementation of a non-vPC configuration compared with a vPC configuration is that the HSRP MAC addresses of a vPC configuration are programmed with the G (gateway) flag on both systems, compared with a non-vPC configuration where only the active HSRP interface can program the MAC address with the G flag.
Thanks to this, routable traffic can be forwarded by both the vPC primary (where HSRP is primary) and the vPC secondary device (where HSRP is secondary) without having to send this traffic to the HSRP primary device.
Without this flag traffic hitting the MAC would not be routed.
vPC HSRP On Active:
G - 0000.0c07.ac01 static
vPC HSRP On Standby:
G - 0000.0c07.ac01 static
In a non-vPC environment the HSRP MAC looks as follows:
· On Active: G - 0000.0c07.ac01 static
· On Standby: * - 0000.0c07.ac01 static
In order to verify that the HSRP configuration is functioning correctly, you may want to issue the following command and verify that the Active and Standby roles are clearly converged:
agg1#show hsrp brief
If some standby groups show as Unknown, you may have forgotten to trunk the VLAN on the peer link from both Nexus 7000 vPC peers.
Advertising the Subnet
The configuration is completed by including the subnet in the routing advertisements and making sure that the VLANs used for server connectivity are not used to form neighbor relationships between the aggregation layer devices.
interface Vlan50
no shutdown
ip address 10.50.0.251/24
ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
hsrp 50
preempt delay minimum 180
priority 150
timers 1 3
ip 10.50.0.1
L3 Link Between vPC Peers
In vPC designs you should make sure to include an L3 link/VLAN between the Nexus 7000s so that the routing areas can be adjacent. You may also consider HSRP tracking in non-vPC designs, but not in vPC designs.
You should, therefore, create a L3 path on the peer link between the routing engine on Agg2 and Agg1 instead of using HSRP tracking.
tc-nexus7k01-vdc2(config)# vlan 3
tc-nexus7k01-vdc2(config-vlan)# name l3_vlan
tc-nexus7k01-vdc2(config-vlan)# exit
tc-nexus7k02-vdc2(config)# int vlan 3
tc-nexus7k02-vdc2(config-if)# ip address 10.3.0.2 255.255.255.252
tc-nexus7k02-vdc2(config-if)# ip router ospf 1 area 0.0.0.0
tc-nexus7k02-vdc2(config-if)# no shut
tc-nexus7k01-vdc2(config)# int Port-channel 10
tc-nexus7k01-vdc2(config-if)# switchport trunk allowed vlan add 3
You can then verify that the Nexus 7000s are OSPF neighbors by issuing the following command.
tc-nexus7k01-vdc2# show ip ospf neigh
OSPF Process ID 1 VRF default
Total number of neighbors: 3
Neighbor ID Pri State Up Time Address Interface
128.0.0.3 1 FULL/DR 01:03:05 10.51.35.126 Vlan10
Cisco NX-OS/IOS TACACS+, RADIUS, and AAA Comparison
From DocWiki
Objective
This tech note outlines the main differences in TACACS+, RADIUS, and authentication, authorization and accounting (AAA) support between Cisco NX-OS Software and Cisco IOS Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
AAA Overview
AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than local databases.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command.
The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.
The RADIUS vendor-specific attributes (VSA) feature is enabled by default.
Local command authorization can be performed when using role-based access control (RBAC) without an AAA server. User roles can be associated with users configured on the AAA server using VSAs. Remote command authorization can be performed on an AAA server when using AAA with TACACS+.
If no AAA server is available for authentication, the local database is automatically used for device access.
The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password command.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services.
Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy only applies to the default VDC.
If you remove the feature tacacs+ command, all relevant TACACS+ configuration information is also removed.
64 TACACS+ and 64 RADIUS servers can be configured per device.
AAA server groups are associated with the default Virtual Route Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is in a non-default VRF instance.
An IP source interface can be associated with AAA server groups.
TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.
By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).
Directed server requests are enabled by default for TACACS+ and RADIUS.
The local option can be used with AAA authorization to fall back to RBAC in the event an AAA server is not available for command authorization.
Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.
Enabling TACACS+
Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable or disable TACACS+.
Cisco NX-OS CLI:
  feature tacacs+

Configuring a TACACS+ Server with a Key
Cisco IOS CLI:
  tacacs-server host 192.168.1.1 key cisco123
Cisco NX-OS CLI:
  tacacs-server host 192.168.1.1 key 7 "fewhg123"

Specifying a Nondefault TACACS+ TCP Port
Cisco IOS CLI:
  tacacs-server host 192.168.1.1 port 85
Cisco NX-OS CLI:
  tacacs-server host 192.168.1.1 port 85

Specifying the TACACS+ Timeout Value (Global)
Cisco IOS CLI:
  tacacs-server timeout 10
Cisco NX-OS CLI:
  tacacs-server timeout 10

Configuring a RADIUS Server with a Key
Cisco IOS CLI:
  radius-server host 192.168.1.1 key cisco123
Cisco NX-OS CLI:
  radius-server host 192.168.1.1 key 7 "fewhg123"

Specifying Nondefault RADIUS UDP Ports
Cisco IOS CLI:
  radius-server host 192.16.1.1 auth-port 1645 acct-port 1646
Cisco NX-OS CLI:
  radius-server 192.168.1.1 auth-port 1645 acct-port 1646

Specifying the RADIUS Timeout Value (Global)
Cisco IOS CLI:
  radius-server host 192.168.1.1 timeout 10
Cisco NX-OS CLI:
  radius-server timeout 10

Configuring an AAA Server Group (TACACS+)
Cisco IOS CLI:
  aaa group server tacacs+ AAA-Servers
   server 192.168.1.1
Cisco NX-OS CLI:
  aaa group server tacacs+ AAA-Servers
   server 192.168.1.1

Configuring an AAA Server Group (RADIUS)
Cisco IOS CLI:
  aaa group server radius AAA-Servers
   server 192.168.1.1
Cisco NX-OS CLI:
  aaa group server radius AAA-Servers
   server 192.168.1.1

Configuring an AAA Server Group for a VRF Instance (RADIUS)
Cisco IOS CLI:
  aaa group server radius AAA-Servers
   server 192.168.1.1
   ip vrf forwarding management
Cisco NX-OS CLI:
  aaa group server radius AAA-Servers
   server 192.168.1.1
   use-vrf management

Configuring the AAA Server Group Dead Time (RADIUS)
Cisco IOS CLI:
  aaa group server radius AAA-Servers
   deadtime 5
Cisco NX-OS CLI:
  aaa group server radius AAA-Servers
   deadtime 5

Enabling AAA Authentication with an AAA Server Group
Cisco IOS CLI:
  aaa new-model
  aaa authentication login default group AAA-Servers
Cisco NX-OS CLI:
  aaa authentication login default group AAA-Servers

Enabling AAA Authorization with an AAA Server Group
Cisco IOS CLI:
  aaa new-model
  aaa authorization config-commands
  aaa authorization commands 1 default group AAA-Servers
Cisco NX-OS CLI:
  aaa authorization config-commands default group AAA-Servers
  aaa authorization commands default group AAA-Servers

Enabling AAA Accounting with an AAA Server Group
Cisco IOS CLI:
  aaa new-model
  aaa accounting exec default start-stop group AAA-Servers
Cisco NX-OS CLI:
  aaa accounting default group AAA-Servers
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS.
Cisco NX-OS AAA | Cisco IOS Software AAA | Command Description
show tacacs | show tacacs | Displays the TACACS+ server configuration for all servers
show tacacs | - | Displays a specific TACACS+ server configuration
show tacacs server directed-request | - | Displays the status of the directed-request feature (enabled or disabled)
show tacacs server groups | - | Displays TACACS+ server groups
show tacacs statistics | - | Displays TACACS+ statistics for a specific server
show radius | - | Displays the RADIUS server configuration for all servers
show radius | - | Displays a specific RADIUS server configuration
show radius server directed-request | - | Displays the status of the directed-request feature (enabled or disabled)
show radius server groups | show radius server-group | Displays RADIUS server groups
show radius statistics | show radius statistics | Displays RADIUS statistics for a specific server
show aaa accounting | - | Displays the status of AAA accounting
show aaa authentication | - | Displays the default and console login methods
show aaa authentication login error-enable | - | Displays the login error message status (enabled or disabled)
show aaa authentication login mschap | - | Displays the status of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP; enabled or disabled)
show aaa authorization | - | Displays the AAA authorization configuration
show aaa groups | - | Displays the AAA groups that are configured
show user-account | - | Displays a list of locally configured users
show users | show users | Displays the users who are logged in
Nexus5010down(config-if)# switchport mode fex-fabric
Nexus5010down(config-if)# channel-group 17 mode active
Fabric port-channel in LACP mode is not supported
Nexus5010down(config-if)#
Nexus5010down(config-if)# interface Ethernet1/18
Nexus5010down(config-if)# fex associate 101
Nexus5010down(config-if)# switchport mode fex-fabric
Nexus5010down(config-if)# channel-group 18 mode active
Fabric port-channel in LACP mode is not supported

Retrieved from "http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_TACACS%2B%2C_RADIUS%2C_and_AAA_Comparison"
Nexus 5000 Configuration Synchronization
Nexus 5000 configuration synchronization (config sync) saves configuration time.
Config sync is configured in the Nexus 5000 Config Sync mode; while it is being configured, vPC must be working normally.
Config sync is a new configuration mode introduced in Nexus 5000 release 5.0; the commands available in this mode are as follows:
RTS39_5010(config)# conf sync
RTS39_5010(config-sync)# ?
  no               Negate a command or set its defaults
  resync-database  Re-synchronize switch-profile database
  switch-profile   Enter switch-profile configuration mode
  end              Go to exec mode
  exit             Exit from command interpreter
  pop              Pop mode from stack or restore from name
  push             Push current mode to stack or save it under name
  where            Shows the cli context you are in
Config sync requires the following steps:
RTS39_5010(config)# cfs ipv4 distribute    // confirm that CFS over IPv4 distribution is enabled
RTS39_5010(config)# vpc domain 50
…….                                        // confirm that vPC is working normally
…………
RTS39_5010(config)# config sync
RTS39_5010(config-sync)# switch-profile cisco
RTS39_5010(config-sync-sp)# sync-peers destination 10.225.248.6    // set the synchronization peer
How to enter synchronized configuration:
Synchronized configuration is entered under switch-profile mode and is then pushed to the peer.
RTS39_5010(config-sync)# switch-profile cisco
Switch-Profile started, Profile ID is 1
RTS39_5010(config-sync-sp)# vlan 555
RTS39_5010(config-sync-sp-vlan)# int e103/1/48
RTS39_5010(config-sync-sp-if)# switchport mode access
After the configuration is complete, verify it; once verification succeeds, it can be committed:
Switch-Profile started, Profile ID is 1
RTS39_5010(config-sync-sp)# vlan 555
RTS39_5010(config-sync-sp-vlan)# int e103/1/48
RTS39_5010(config-sync-sp-if)# switchport mode access
RTS39_5010(config-sync-sp-if)# exit
RTS39_5010(config-sync-sp)# verify
Verification Successful
RTS39_5010(config-sync-sp)# commit
If verify reports an error, first check whether the running configuration and the configuration about to be pushed contradict each other, for example a conflict in interface roles. If there is no obvious error but verification still fails, resynchronize the switch-profile database as follows:
RTS39_5010(config-sync)# resync-database
Re-synchronization of switch-profile db takes a few minutes...
Re-synchronize switch-profile db completed successfully.
RTS39_5010(config-sync)# switch-profile cisco
Switch-Profile started, Profile ID is 1
RTS39_5010(config-sync-sp)# int e103/1/48
RTS39_5010(config-sync-sp-if)# sw acc vlan 11
RTS39_5010(config-sync-sp-if)# exit
RTS39_5010(config-sync-sp)# verify
Verification Successful
Initializing a Nexus 2000 Fabric Module
By default the Nexus 2000 carries no NX-OS image or configuration of its own; every time it boots it compares its NX-OS version and configuration with the parent switch (Nexus 5000 or Nexus 7000). If the version or configuration has changed, it is forced to synchronize with the parent switch.
The parent switch connects to the Nexus 2000 over 10GE interfaces, and the switch interface needs the following configuration so that the parent switch can recognize the module:
interface Ethernet1/17
  fex associate 100            // associate the Fabric Module as FEX number 100
  switchport mode fex-fabric   // set the interface role to connecting a Fabric Module
After a period of monitoring, the parent switch discovers and configures the Fabric Module. Because all ports seen on the parent switch appear as local ports, a port with the fex-fabric role is effectively a very special kind of trunk.
After synchronization completes, the following information can be seen:
N5Kup(config-if)# show fex
  FEX         FEX           FEX                       FEX
Number    Description       State            Model            Serial
------------------------------------------------------------------------
100        FEX0100        Online      N2K-C2248TP-1GE       JAF1438DRAG
101        FEX0101        Online      N2K-C2248TP-1GE       JAF1438BGBF
A Fabric Module can be recognized by multiple parent switches operating in vPC, and can be configured and managed from both sides at the same time. However, to ensure that the Fabric Module keeps the correct state during a system switchover, the configuration must be kept in sync on both parent switches.
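As an added example (not part of the original guide or Cisco's own tooling), the following Python script parses the `show fex` output captured from both vPC peers and reports any FEX that is not Online on both sides, is missing on one side, or differs in model or serial, which is the kind of inconsistency the dual-homed FEX description above warns about. The sample captures are constructed from the listing in the guide; the "Discovered" state on the secondary peer is a made-up case.

```python
import re
from typing import Dict, List, NamedTuple

class Fex(NamedTuple):
    number: int
    description: str
    state: str
    model: str
    serial: str

# One data row of "show fex": number, description, state, model, serial.
# Header lines and the dashed separator do not start with digits, so they are skipped.
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_show_fex(output: str) -> Dict[int, Fex]:
    fexes: Dict[int, Fex] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            num = int(m.group(1))
            fexes[num] = Fex(num, m.group(2), m.group(3), m.group(4), m.group(5))
    return fexes

def compare_peers(primary: Dict[int, Fex], secondary: Dict[int, Fex]) -> List[str]:
    """Return human-readable problems; an empty list means both peers agree."""
    problems: List[str] = []
    for num in sorted(set(primary) | set(secondary)):
        a, b = primary.get(num), secondary.get(num)
        if a is None or b is None:
            problems.append(f"FEX {num} is missing on the {'primary' if a is None else 'secondary'} peer")
            continue
        for side, fex in (("primary", a), ("secondary", b)):
            if fex.state != "Online":
                problems.append(f"FEX {num} is {fex.state} on the {side} peer")
        if (a.model, a.serial) != (b.model, b.serial):
            problems.append(f"FEX {num} identity differs: {a.model}/{a.serial} vs {b.model}/{b.serial}")
    return problems

# Constructed sample captures (modelled on the guide's "show fex" listing).
_HEADER = ("  FEX         FEX           FEX                       FEX\n"
           "Number    Description       State            Model            Serial\n"
           "------------------------------------------------------------------------\n")
PRIMARY_OUTPUT = _HEADER + ("100        FEX0100        Online      N2K-C2248TP-1GE       JAF1438DRAG\n"
                            "101        FEX0101        Online      N2K-C2248TP-1GE       JAF1438BGBF\n")
SECONDARY_OUTPUT = _HEADER + ("100        FEX0100        Online      N2K-C2248TP-1GE       JAF1438DRAG\n"
                              "101        FEX0101        Discovered  N2K-C2248TP-1GE       JAF1438BGBF\n")

if __name__ == "__main__":
    for problem in compare_peers(parse_show_fex(PRIMARY_OUTPUT), parse_show_fex(SECONDARY_OUTPUT)):
        print(problem)
```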