Introduction to Cisco NX-OS

The following sections will be covered in this chapter:

• NX-OS Overview
• NX-OS User Modes
• Management Interfaces
• Managing System Files

NX-OS Overview

Cisco built the next-generation data center-class operating system designed for maximum scalability and application availability. The NX-OS data center-class operating system was built with modularity, resiliency, and serviceability at its foundation. NX-OS is based on the industry-proven Cisco Storage Area Network Operating System (SAN-OS) Software and helps ensure continuous availability to set the standard for mission-critical data center environments. The self-healing and highly modular design of Cisco NX-OS enables for operational excellence increasing the service levels and enabling exceptional operational flexibility. Several advantages of Cisco NX-OS include the following:

• Unified data center operating system
• Robust and rich feature set with a variety of Cisco innovations
• Flexibility and scalability
• Modularity
• Virtualization
• Resiliency
• IPv4 and IPv6 IP routing and multicast features
• Comprehensive security, availability, serviceability, and management features

Key features and benefits of NX-OS include

• Virtual device contexts (VDC): Cisco Nexus 7000 Series switches can be segmented into virtual devices based on customer requirements. VDCs offer several benefits such as fault isolation, administration plane, separation of data traffic, and enhanced security.
• Virtual Port Channels (vPC): Enables a server or switch to use an EtherChannel across two upstream switches without an STP-blocked port to enable use of all available uplink bandwidth.
• Continuous system operation: Maintenance, upgrades, and software certification can be performed without service interruptions due to the modular nature of NX-OS and features such as In-Service Software Upgrade (ISSU) and the capability for processes to restart dynamically.
• Security: Cisco NX-OS provides outstanding data confidentiality and integrity, supporting standard IEEE 802.1AE link-layer cryptography with 128-bit Advanced Encryption Standard (AES) cryptography. In addition to CTS, there are many additional security features such as access control lists (ACL) and port-security, for example.
• Base services: The default license that ships with NX-OS covers Layer 2 protocols including such features such as Spanning Tree, virtual LANs (VLAN), Private VLANS, and Unidirectional Link Detection (UDLD).
• Enterprise Services Package: Provides Layer 3 protocols such as Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Intermediate System-to-Intermediate System (ISIS), Enhanced Interior Gateway Routing Protocol (EIGRP), Policy-Based Routing (PBR), Protocol Independent Multicast (PIM), and Generic Routing Encapsulation (GRE).
• Advanced Services Package: Provides Virtual Device Contexts (VDC), Cisco Trustsec (CTS), and Overlay Transport Virtualization (OTV).
• Transport Services License: Provides Overlay Transport Virtualization (OTV) and Multiprotocol Label Switching (MPLS) (when available).

Example 1-1 shows the simplicity of installing the NX-OS license file.

Example 1-1. Displaying and Installing the NX-OS License File

! Once a license file is obtained from Cisco.com and copied to flash, it can be in-
stalled for the chassis.                                                           
! Displaying the host-id for License File Creation on Cisco.com:                   
congo# show license host-id
License hostid: VDH=TBM14404807
! Installing a License File:
congo# install license bootflash:license_file.lic
Installing license ..done
congo#

congo(config)# license grace-period

Using the grace period enables customers to test, configure, and fully operate a feature without the need for a license to be purchased. This is particularly helpful for testing a feature prior to purchasing a license.

NX-OS Supported Platforms

NX-OS data center-class operating system, designed for maximum scalability and application availability, has a wide variety of platform support, including the following:

• Nexus 7000
• Nexus 5000
• Nexus 2000
• Nexus 1000V
• Cisco MDS 9000
• Cisco Unified Computing System (UCS)
• Nexus 4000

Cisco NX-OS and Cisco IOS Comparison

If you are familiar with traditional Cisco IOS command-line interface (CLI), the CLI for NX-OS is similar to Cisco IOS. There are key differences that should be understood prior to working with NX-OS, however:

• When you first log into NX-OS, you go directly into EXEC mode.
• NX-OS has a setup utility that enables a user to specify the system defaults, perform basic configuration, and apply a predefined Control Plane Policing (CoPP) security policy.
• NX-OS uses a feature-based license model. An Enterprise or Advanced Services license is required depending on the features required.
• A 120-day license grace period is supported for testing, but features are automatically removed from the configuration after the expiration date is reached.
• NX-OS has the capability to enable and disable features such as OSPF, BGP, and so on via the feature configuration command. Configuration and verification commands are not available until you enable the specific feature.
• Interfaces are labeled in the configuration as Ethernet. There aren't any speed designations in the interface name. Interface speed is dynamically learned and reflected in the appropriate show commands and interface metrics.
• NX-OS supports Virtual Device Contexts (VDC), which enable a physical device to be partitioned into logical devices. When you log in for the first time, you are in the default VDC.
• The Cisco NX-OS has two preconfigured instances of VPN Routing Forwarding (VRF) by default (management, default). By default, all Layer 3 interfaces and routing protocols exist in the default VRF. The mgmt0 interface exists in the management VRF and is accessible from any VDC. If VDCs are configured, each VDC has a unique IP address for the mgmt0 interface.
• Secure Shell version 2 (SSHv2) is enabled by default. (Telnet is disabled by default.)
• Default login administrator user is predefined as admin; a password has to be specified when the system is first powered up. With NX-OS, you must enter a username and password; you cannot disable the username and password login. In contrast, in IOS you can simply type a password; you can optionally set the login to require the use of a username.
• NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables; this is the same as the Cisco Multilayer Director Switch (MDS) Fibre Channel switches running SAN-OS.
• NX-OS removed the write memory command; use the copy running-config startup-config; there is also the alias command syntax.
• The default Spanning Tree mode in NX-OS is Rapid-PVST+.

For example, when configuring vty timeouts and session limits, consider Example 1-2, which illustrates the difference between IOS and NX-OS syntax.

Example 1-2. vty Configurations and Session Limits, Comparing the Differences Between Traditional IOS and NX-OS

! IOS:
congo#
congo(config)# line vty 0 9
congo(config)# exec-timeout 15 0
congo(config)# login
congo# copy running-config startup-config
-----------------------------------------------------------------
! NX-OS:
congo(config)# line vty
congo(config)# session-limit 10
congo(config)# exec-timeout 15

congo# copy running-config startup-config

NX-OS User Modes

Cisco NX-OS CLI is divided into command modes, which define the actions available to the user. Command modes are "nested" and must be accessed in sequence. As you navigate from one command mode to another, an increasingly larger set of commands become available. All commands in a higher command mode are accessible from lower command modes. For example, the show commands are available from any configuration command mode. Figure 1-1 shows how command access builds from EXEC mode to global configuration mode.

Figure 1-1 NX-OS Command Access from EXEC Mode to Global Configuration Mode

EXEC Command Mode

When you first log in, Cisco NX-OS Software places you in EXEC mode. As demonstrated in Example 1-3, the commands available in EXEC mode include the show commands that display device status and configuration information, the clear commands, and other commands that perform actions that you do not save in the device configuration.

Example 1-3. Cisco NX-OS EXEC Mode

Congo# show interface ethernet 1/15
Ethernet1/15 is down (SFP not inserted)
  Hardware: 10000 Ethernet, address: 001b.54c2.bbc1 (bia 001b.54c1.e4da)
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  auto-duplex, auto-speed
  Beacon is turned off
  Auto-Negotiation is turned off
  Input flow-control is off, output flow-control is off
  Switchport monitor is off
  Last link flapped never
  Last clearing of "show interface" counters never
  30 seconds input rate 0 bits/sec, 0 packets/sec
  30 seconds output rate 0 bits/sec, 0 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
  L3 in Switched:
    ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes
  L3 out Switched:
    ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes
! Output omitted for brevity

Congo#

Global Configuration Command Mode

Global configuration mode provides access to the broadest range of commands. The term global indicates characteristics or features that affect the device as a whole. You can enter commands in global configuration mode to configure your device globally or enter more specific configuration modes to configure specific elements such as interfaces or protocols as demonstrated here:

Nx7000# conf t
Nx7000(config)# interface ethernet 1/15

Interface Configuration Command Mode

One example of a specific configuration mode that you enter from global configuration mode is interface configuration mode. To configure interfaces on your device, you must specify the interface and enter interface configuration mode.

You must enable many features on a per-interface basis. Interface configuration commands modify the operation of the interfaces on the device, such as Ethernet interfaces or management interfaces (mgmt 0).

Example 1-4 demonstrates moving between the different command modes in NX-OS.

Example 1-4. Interface Ethernet1/5 Is a 10Gigabit Ethernet Interface—Show How the Interface Is Designated at Ethernet and Not Interface Ten1/15.

congo# conf t
congo(config)# interface ethernet 1/15
congo(config-if)# exit
Congo# show interface ethernet 1/15
Ethernet1/15 is down (SFP not inserted)
  Hardware: 10000 Ethernet, address: 001b.54c2.bbc1 (bia 001b.54c1.e4da)
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  auto-duplex, auto-speed
  Beacon is turned off
  Auto-Negotiation is turned off
  Input flow-control is off, output flow-control is off
  Switchport monitor is off
  Last link flapped never
  Last clearing of "show interface" counters never
  30 seconds input rate 0 bits/sec, 0 packets/sec
  30 seconds output rate 0 bits/sec, 0 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
  L3 in Switched:
    ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes
  L3 out Switched:
    ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes

Congo#

NX-OS supports different Ethernet interface types such as Gigabit Ethernet and 10-Gigabit Ethernet interfaces. All interfaces are referred to Ethernet; NX-OS does not designate Gigabit or 10-Gigabit Ethernet interfaces. In Example 1-4, interface 1/15 is a 10-Gigabit Ethernet interface.

Management Interfaces

NX-OS has many different type of management interfaces, all of which the following section covers:

• Controller Processor (CP)/Supervisor: Has both the management plane and control plane and is critical to the operation of the network.
• Connectivity Management Processor (CMP): Provides a second network interface to the device for use even when the CP is not reachable. The CMP interface is used for out-of-band management and monitoring; the CMP interface is independent from the primary operating system.
• MGMT0: Provides true out-of-band management through a dedicated interface and VRF to ensure 100 percent isolation from either control plane or data plane. MGMT0 enables you to manage the devices by the IPv4 or IPv6 address on the MGMT0 interface; the mgmt0 interface is a 10/100/1000 Ethernet interface. When implementing Virtual port-channel (vPC), a best practice is to use the MGMT0 interface for the VPC keepalive link.
• Telnet: Provides an unsecure management connection to the NX-OS device.
• SSH: Provides a secure management connection to the NX-OS device.
• Extended Markup Language (XML) management interfaces: Use the XML-based Network Configuration Protocol (NETCONF) that enables management, monitoring, and communication over the interface with an XML management tool or program.
• Simple Network Management Protocol (SNMP): Used by management systems to monitor and configure devices via a set of standards for communication over the TCP/IP protocol.

Controller Processor (Supervisor Module)

The Cisco Nexus 7000 series supervisor module is designed to deliver scalable control plane and management functions for the Cisco Nexus 7000 Series chassis. The Nexus 7000 supervisor module is based on an Intel dual-core processor that enables a scalable control plane. The supervisor modules controls the Layer 2 and Layer 3 services, redundancy capabilities, configuration management, status monitoring, power, and environmental management. The supervisor module also provides centralized arbitration to the system fabric for all line cards. The fully distributed forwarding architecture enables the supervisor to support transparent upgrades to higher forwarding capacity-capable I/O and fabric modules. Two supervisors are required for a fully redundant system, with one supervisor module running as the active device and the other in hot standby mode, providing exceptional high-availability features in data center-class products. Additional features and benefits of the Nexus 7000 supervisor modules to meet demanding data center requirements follow:

• Active and standby supervisor.
• In-Service Software Upgrade (ISSU) with dual supervisor modules.
• Virtual output queuing (VoQ), which is a quality of service (QoS)-aware lossless fabric, avoids the problems associated with head-of-line blocking.
• USB interfaces that enable access to USB flash memory devices for software image loading and recovery.
• Central arbitration that provides symmetrical control of the flow of traffic through the switch fabric helps ensure transparent switchover with no losses.
• Segmented and redundant out-of-band provisioning and management paths.
• Virtualization of the management plane via Virtual Device Contexts (vDC).
• Integrated diagnostics and protocol decoding with an embedded control plane packet analyzer; this is based on the Wireshark open source. (No additional licenses are required.)
• Fully decoupled control plane and data plane with no hardware forwarding on the module.
• Distributed forwarding architecture, enabling independent upgrades of the supervisor and fabric.
• With Central arbitration and VoQ, this enables for Unified Fabric.
• Transparent upgrade capacity and capability; designed to support 40-Gigabit and 100-Gigabit Ethernet.
• System locator and beacon LEDs for simplified operations.
• Dedicated out-of-band management processor for "lights out" management.

Connectivity Management Processor (CMP)

The supervisor incorporates an innovative dedicated connectivity management processor (CMP) to support remote management and troubleshooting of the complete system. The CMP provides a complete out-of-band management and monitoring capability independent from the primary operating system. The CMP enables lights out management of the supervisor module, all modules, and the Cisco Nexus 7000 Series system without the need for separate terminal servers with the associated additional complexity and cost. The CMP delivers the remote control through its own dedicated processor, memory, and boot flash memory and a separate Ethernet management port. The CMP can reset all system components, including power supplies; it can also reset the host supervisor module to which it is attached, enabling a complete system restart.

The CMP offer many benefits, including the following:

• Dedicated processor and memory, and boot flash.
• The CMP interface can reset all the system components, which include power, supervisor module, and system restart.
• An independent remote system management and monitoring capability enables lights out management of the system.
• Remote monitoring of supervisor status and initiation of resets that removes the need for separate terminal server devices for out-of-band management.
• System reset while retaining out-of-band Ethernet connectivity, which reduces the need for onsite support during system maintenance.
• Capability to remotely view boot-time messages during the entire boot process.
• Capability to initiate a complete system power shutdown and restart, which eliminates the need for local operator intervention to reset power for devices.
• Login authentication, which provides secure access to the out-of-band management environment.
• Access to supervisor logs that enables rapid detection and prevention of potential system problems.
• Capability to take full console control of the supervisor.
• Complete control is delivered to the operating environment.

Example 1-5 shows how to connect to the CMP interface and the available show commands available from the CMP interface. Also, note the escape sequence of "~," to get back to the main NX-OS interface. You can also connect from the CMP back to the CP module.

Example 1-5. Connecting to the CMP Interface, Displaying Available show Commands

N7010-1# attach cmp
Connected
Escape character is '~,' [tilde comma]

N7010-1-cmp5 login: admin
Password:
Last login: Tue Aug 11 23:58:12 2009 on ttyS1

N7010-1-cmp5# attach cp
This command will disconnect the front-panel console on this supervisor, and will
clear all console attach sessions on the CP - proceed(y/n)? y
N7010-1#

N7010-1# attach cmp
Connected
Escape character is '~,' [tilda comma]

N7010-1-cmp5 login: admin
Password:
Last login: Wed Aug 12 00:06:12 2009 on ttyS1
N7010-1-cmp5# show ?
  attach          Serial attach/monitor processes
  clock           Display current date
  cores           Show all core dumps for CMP
  cp              Show CP status information
  hardware        Show cmp hardware information
  interface       Display interface information
  line            Show cmp line information
  logging         Show logging configuration and contents of logfile
  logs            Show all log files for CMP
  processes       Show cmp processes information
  running-config  Current operating configuration
  sprom           Show SPROM contents
  ssh             SSH information
  system          Show system information
  users           Show the current users logged in the system
  version         Show cmp boot information

Telnet

NX-OS enables for Telnet server and client. The Telnet protocol enables TCP/IP terminal connections to a host. Telnet enables a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

The Telnet server is disabled by default on an NX-OS device. Example 1-6 demonstrates how to enable a Telnet server in NX-OS.

Example 1-6. Enabling a Telnet Server in NX-OS

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# feature telnet
N7010-1(config)# show telnet server
telnet service enabled
N7010-1(config)# copy running-config startup-config
[########################################] 100%

SSH

NX-OS supports SSH Server and SSH Client. Use SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device; SSH uses strong encryption for authentication. The SSH server in Cisco NX-OS Software can interoperate with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and the use of locally stored usernames and passwords.

The SSH client application enables the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server.

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:

• SSH version 2 using Rivest, Shamir, and Adelman (RSA) public-key cryptography
• SSH version 2 using the Digital System Algorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before allowing the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

• The dsa option generates the DSA key-pair for the SSH version 2 protocol.
• The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, Cisco NX-OS Software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

• OpenSSH
• IETF Secure Shell (SECSH)

Example 1-7 demonstrates how to enable SSH server and configure the SSH server keys.

Example 1-7. Enabling SSH Server and Configuring SSH Server Keys

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
N7010-1(config)# ssh key rsa 2048
generating rsa key(2048 bits).....
..
generated rsa key
N7010-1(config)# feature ssh
N7010-1(config)# exit
N7010-1# show ssh key
**************************************
rsa Keys generated:Thu Aug 13 23:33:41 2009
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlc
Aa6fjJCGdHuf3kJox/hjgPDChJOdkUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/
ssCzoj6jVG41tGmfPip4pr3dqsMzR21DXSKK/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA
0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcS
KeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==

bitcount:2048
fingerprint:
1f:b7:a3:3b:f5:ca:a6:36:19:93:98:c7:37:ba:27:db
**************************************
could not retrieve dsa key information
**************************************
N7010-1# show ssh server
ssh version 2 is enabled
N7010-1(config)# username nxos-admin password C1sc0123!

N7010-1(config)# username nxos-admin sshkey ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHu
f3kJox/hjgP
DChJOd-
kUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21
DXSKK/tdj7b
ip-
WKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+
8RqIOQ5jNAP
Neb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==
N7010-1(config)# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:nxos-admin
        this user account has no expiry date
        roles:network-operator
        ssh public key: ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHu
f3kJox/hjgP
DChJOd-
kUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21
DXSKK/tdj7b
ip-
WKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80CCJg7vmn+
8RqIOQ5jNAP
Neb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftgu0uM97VCOxZPQ==
N7010-1(config)#
N7010-1# copy running-config startup-config
[########################################] 100%
N7010-1#

XML

NX-OS has a robust XML management interface, which can be used to configure the entire switch. The interface uses the XML-based Network Configuration Protocol (NETCONF) that enables you to manage devices and communicate over the interface with an XML management tool or a program. NETCONF is based on RFC 4741 and the NX-OS implementation requires you to use a Secure Shell (SSH) session for communication with the device.

NETCONF is implemented with an XML Schema (XSD) that enables you to enclose device configuration elements within a remote procedure call (RPC) message. From within an RPC message, you select one of the NETCONF operations that matches the type of command that you want the device to execute. You can configure the entire set of CLI commands on the device with NETCONF.

The XML management interface does not require any additional licensing. XML management is included with no additional charge.

XML/NETCONF can be enabled via a web2.0/ajax browser application that uses XML/NETCONF to pull all statistics off all interfaces on the Nexus 7000 running NX-OS in a dynamically updating table.

Figures 1-2, 1-3, and 1-4 demonstrate sample output from the XML/NETCONF interface.

Figure 1-2 Obtaining NX-OS Real-Time Interface Statistics via NETCONF/XML. The IP Address Entered Is the NX-OS mgmt0 Interface.

Figure 1-3 Login Results to the NX-OS Devices via NETCONF/XML

Figure 1-4 Results of the Selected Attributes, Such as Speed, Duplex, Errors, Counters, MAC Address. The Page Refreshes Every 10 Seconds.

SNMP

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

SNMP has different versions such as SNMPv1, v2, and v3. Each SNMP version has different security models or levels. Most Enterprise customers are looking to implement SNMPv3 because it offers encryption to pass management information (or traffic) across the network. The security level determines if an SNMP message needs to be protected and authenticated. Various security levels exist within a security model:

• noAuthNoPriv: Security level that does not provide authentication or encryption.
• authNoPriv: Security level that provides authentication but does not provide encryption.
• authPriv: Security level that provides both authentication and encryption.

Cisco NX-OS supports the following SNMP standards:

• SNMPv1: Simple community-string based access.
• SNMPv2c: RFC 2575-based group access that can be tied into RBAC model.
• SNMPv3: Enables for two independent security mechanisms, authentication (Hashed Message Authentication leveraging either Secure Hash Algorithm [SHA-1] or Message Digest 5 [MD5] algorithms) and encryption (Data Encryption Standard [DES] as the default and Advanced Encryption Standard [AES]) to ensure secure communication between NMS station and N7K/NX-OS. Both mechanisms are implemented as demonstrated in Example 1-8.

As NX-OS is truly modular and highly available, the NX-OS implementation of SNMP supports stateless restarts for SNMP. NX-OS has also implemented virtualization support for SNMP; NX-OS supports one instance of SNMP per virtual device context (VDC). SNMP is also VRF-aware, which allows you to configure SNMP to use a particular VRF to reach the network management host.

Example 1-8 demonstrates how to enable SNMPv3 on NX-OS.

Example 1-8. Enabling SNMPv3 on NX-OS

N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# snmp-server user NMS auth sha Cisc0123! priv Cisc0123! engineID
00:00:00:63:00:01:00:10:20:15:10:03
N7010-1(config)# snmp-server host 10.100.22.254 informs version 3 auth NMS
N7010-1(config)# snmp-server community public ro
N7010-1(config)# snmp-server community nxos rw
N7010-1(config)# show snmp
sys contact:
sys location:
0 SNMP packets input
        0 Bad SNMP versions
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Set-request PDUs
        0 No such name PDU
        0 Bad value PDU
        0 Read Only PDU
        0 General errors
        0 Get Responses
45 SNMP packets output
        45 Trap PDU
        0 Too big errors
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Get Requests
        0 Get Next Requests
        0 Set Requests
        0 Get Responses
        0 Silent drops
Community            Group / Access      context    acl_filter
---------            --------------      -------    ----------
nxos                  network-admin
public                network-operator
______________________________________________________________
                  SNMP USERS
______________________________________________________________
User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin
nxos-admin                    sha   des(no)       network-operator
______________________________________________________________
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
______________________________________________________________
User                          Auth  Priv
____                          ____  ____
NMS                           sha   des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
SNMP Tcp Authentication Flag : Enabled.
-----------------------------------------------------------------------------------
Port Monitor : enabled
-----------------------------------------------------------------------------------
Policy Name  : default
Admin status : Not Active
Oper status  : Not Active
Port type    : All Ports
-----------------------------------------------------------------------------------
Counter          Threshold  Interval Rising Threshold event Falling Threshold
event In Use
-------          ---------  -------- ---------------- ----- ------------------ --
Link Loss        Delta      60       5                4     1                  4
Yes
Sync Loss        Delta      60       5                4     1                  4
Yes
Protocol Error   Delta      60       1                4     0                  4
Yes
Signal Loss      Delta      60       5                4     1                  4
Yes
Invalid Words    Delta      60       1                4     0                  4
Yes
Invalid CRC's    Delta      60       5                4     1                  4
Yes
RX Performance   Delta      60       2147483648       4     524288000          4
Yes
TX Performance   Delta      60       2147483648       4     524288000          4
Yes
-----------------------------------------------------------------------------------
SNMP protocol : Enabled
-------------------------------------------------------------------
Context                          [Protocol instance, VRF, Topology]

N7010-1# show snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin

nxos-admin                    sha   des(no)       network-operator

______________________________________________________________
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
______________________________________________________________

User                          Auth  Priv
____                          ____  ____
NMS                           sha   des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
N7010-1(config)# exit
N7010-1# copy running-config  startup-config
[########################################] 100%
N7010-1#

DCNM

Cisco Data Center Network Manager (DCNM) is a management solution that supports NX-OS devices. DCNM maximizes the overall data center infrastructure uptime and reliability, which improves service levels. Focused on the operational management requirements of the data center, DCNM provides a robust framework and rich feature set that fulfills the switching, application, automation, provisioning, and services needs of today's data centers and tomorrow's data center requirements.

DCNM is a client-server application supporting a Java-based client-server application. The DCNM client communicates with the DCNM server only, never directly with managed Cisco NX-OS devices. The DCNM server uses the XML management interface of Cisco NX-OS devices to manage and monitor them. The XML management interface is a programmatic method based on the NETCONF protocol that complements the CLI functionality.

DCNM has a robust configuration and feature support on the NX-OS platform. The following features can be configured, provisioned, and monitored through DCNM enterprise management:

• Physical ports
• Port channels and virtual port channels (vPC)
• Loopback and management interfaces
• VLAN network interfaces (sometimes referred to as switched virtual interfaces [SVI])
• VLAN and private VLAN (PVLAN)
• Spanning Tree Protocol, including Rapid Spanning Tree (RST) and Multi-Instance Spanning Tree Protocol (MST)
• Virtual Device Contexts
• Gateway Load Balancing Protocol (GLBP) and object tracking
• Hot Standby Router Protocol (HSRP)
• Access control lists
• IEEE 802.1X
• Authentication, authorization, and accounting (AAA)
• Role-based access control
• Dynamic Host Configuration Protocol (DHCP) snooping
• Dynamic Address Resolution Protocol (ARP) inspection
• IP Source Guard
• Traffic storm control
• Port security
• Hardware resource utilization with Ternary Content Addressable Memory (TCAM) statistics
• Switched Port Analyzer (SPAN)

DCNM also includes end-end enterprise visibility including topology views, event browsers, configuration change management, device operating system management, hardware asset inventory, logging, and statistical data collection management.

Managing System Files

Directories can be created on bootflash: and external flash memory (slot0:, usb1:, and usb2:); you can also navigate through these directories and use them for files. Files can be created and accessed on bootflash:, volatile:, slot0:, usb1:, and usb2: file systems. Files can be accessed only on the system: file systems. Debug file system can be used for debug log files specified in the debug logfile command. System image files, from remote servers using FTP, Secure Copy (SCP), Secure Shell FTP (SFTP), and TFTP can also be downloaded.

File Systems

Table 1-1 outlines the parameters for the syntax for specifying a local file system, which is:

filesystem:[//module/]

Table 1-1. Syntax for Specifying a Local File System

Example 1-9 demonstrates some file system commands and how to copy a file.

Example 1-9. File System Commands/Copying a File

N7010-1# dir bootflash:
        311     Jun 20 05:15:05 2009  MDS20090619155920643.lic
        309     Jun 20 05:15:56 2009  MDS20090619155929839.lic
    2470887     Aug 01 08:13:35 2009  dp42
    8533440     Apr 17 23:17:14 2009  lacp_tech_all.log
     308249     Aug 01 09:08:39 2009  libcmd.so
        134     Jun 19 23:06:53 2009  libglbp.log
        175     Jun 20 04:14:22 2009  libotm.log
      49152     Jun 19 22:50:53 2009  lost+found/
   87081184     Jan 02 06:21:20 2008  congo-s1-dk9.4.0.2.bin
   87755113     Dec 11 13:35:25 2008  congo-s1-dk9.4.0.4.bin
   92000595     Apr 16 21:55:19 2009  congo-s1-dk9.4.1.4.bin
   92645614     Apr 08 06:08:35 2009  congo-s1-dk9.4.1.5.bin
   92004757     Jun 02 04:29:19 2009  congo-s1-dk9.4.1.5E2.bin
   99851395     Aug 03 05:17:46 2009  congo-s1-dk9.4.2.0.601.bin
  100122301     Aug 12 04:42:13 2009  congo-s1-dk9.4.2.1.bin
    9905740     Jan 02 06:21:29 2008  congo-s1-epld.4.0.2.img
    9730124     Dec 11 13:42:30 2008  congo-s1-epld.4.0.4.img
   23584768     Jan 02 06:21:26 2008  congo-s1-kickstart.4.0.2.bin
   23785984     Dec 11 13:34:37 2008  congo-s1-kickstart.4.0.4.bin
   24718848     Apr 16 21:52:40 2009  congo-s1-kickstart.4.1.4.bin
   25173504     Apr 08 06:00:57 2009  congo-s1-kickstart.4.1.5.bin
   23936512     Aug 03 05:03:13 2009  congo-s1-kickstart.4.1.5E2.bin
   25333248     Aug 03 05:18:37 2009  congo-s1-kickstart.4.2.0.601.bin
   25234944     Aug 12 04:40:52 2009  congo-s1-kickstart.4.2.1.bin
      12558     Aug 01 08:51:22 2009  shrun
     916893     Apr 17 23:23:03 2009  stp_tech.og
       4096     Dec 11 14:04:50 2008  vdc_2/
       4096     Dec 11 14:04:50 2008  vdc_3/
       4096     Dec 11 14:04:50 2008  vdc_4/
     592649     Apr 17 23:18:16 2009  vpc_tech.log
        942     Jul 10 09:45:27 2009  wireshark
Usage for bootflash://sup-local
  982306816 bytes used
  827592704 bytes free
 1809899520 bytes total
N7010-1# dir bootflash://sup-remote
      12349     Dec 05 02:15:33 2008  7k-1-vdc-all.run
       4096     Apr 04 06:45:28 2009  eem/
      18180     Apr 02 23:47:26 2009  eem_script.cfg
   99851395     Aug 03 05:20:20 2009  congo-s1-dk9.4.2.0.601.bin
  100122301     Aug 12 04:46:18 2009  congo-s1-dk9.4.2.1.bin
      19021     Apr 03 21:04:50 2009  eem_script_counters.cfg
      19781     Apr 05 23:30:51 2009  eem_script_iptrack.cfg
      29104     Jun 19 22:44:51 2009  ethpm_act_logs.log
          0     Jun 19 22:44:51 2009  ethpm_syslogs.log
        175     Jun 20 04:14:37 2009  libotm.log
      49152     Jun 19 22:38:45 2009  lost+found/
   87755113     Apr 07 23:54:07 2009  congo-s1-dk9.4.0.4.bin
   92000595     Apr 16 21:55:19 2009  congo-s1-dk9.4.1.4.bin
   92645614     Apr 08 06:08:35 2009  congo-s1-dk9.4.1.5.bin
   92004757     Jun 02 04:29:19 2009  congo-s1-dk9.4.1.5E2.bin
   10993389     Mar 22 04:55:13 2009  congo-s1-epld.4.1.3.33.img
   23785984     Apr 07 23:47:43 2009  congo-s1-kickstart.4.0.4.bin
   24718848     Apr 16 21:52:40 2009  congo-s1-kickstart.4.1.4.bin
   25173504     Apr 08 06:00:57 2009  congo-s1-kickstart.4.1.5.bin
   23936512     Jun 02 04:26:35 2009  congo-s1-kickstart.4.1.5E2.bin
   25333248     Aug 03 05:19:26 2009  congo-s1-kickstart.4.2.0.601.bin
   25234944     Aug 12 04:45:24 2009  congo-s1-kickstart.4.2.1.bin
        310     Sep 19 03:58:55 2008  n7k-rhs-1.lic
      12699     Jan 23 14:02:52 2009  run_vpc_jan22
      11562     Mar 13 07:52:42 2009  startup-robert-cfg
      16008     Mar 12 02:02:40 2009  startup-vss-cfg
      17315     Mar 19 06:24:32 2009  startup-vss-cfg_roberto_mar18
         99     Apr 04 06:51:15 2009  test1
       9991     Jun 19 23:12:48 2009  vdc.cfg
       4096     Jan 22 13:37:57 2009  vdc_2/
       4096     Jan 22 00:40:57 2009  vdc_3/

       4096     Sep 11 12:54:10 2008  vdc_4/
     111096     Dec 20 04:40:17 2008  vpc.cap
          0     Feb 03 08:02:14 2009  vpc_hw_check_disable
      18166     Apr 03 03:24:22 2009  vpc_vss_apr02
      18223     Apr 02 22:40:57 2009  vss_vpc_apr2

Usage for bootflash://sup-remote
  863535104 bytes used
  946364416 bytes free
 1809899520 bytes total
N7010-1# copy bootflash://sup
bootflash://sup-1/        bootflash://sup-active/   bootflash://sup-remote/
bootflash://sup-2/        bootflash://sup-local/    bootflash://sup-standby/

N7010-1# copy bootflash://sup-local/congo-s1-epld.4.0.4.img bootflash://sup-
remote/congo-s1-epld.4.0.4.img
N7010-1# dir bootflash://sup-remote
      12349     Dec 05 02:15:33 2008  7k-1-vdc-all.run
       4096     Apr 04 06:45:28 2009  eem/
      18180     Apr 02 23:47:26 2009  eem_script.cfg
      19021     Apr 03 21:04:50 2009  eem_script_counters.cfg
      19781     Apr 05 23:30:51 2009  eem_script_iptrack.cfg
      29104     Jun 19 22:44:51 2009  ethpm_act_logs.log
          0     Jun 19 22:44:51 2009  ethpm_syslogs.log
        175     Jun 20 04:14:37 2009  libotm.log
      49152     Jun 19 22:38:45 2009  lost+found/
   87755113     Apr 07 23:54:07 2009  congo-s1-dk9.4.0.4.bin
   92000595     Apr 16 21:55:19 2009  congo-s1-dk9.4.1.4.bin
   92645614     Apr 08 06:08:35 2009  congo-s1-dk9.4.1.5.bin
   92004757     Jun 02 04:29:19 2009  congo-s1-dk9.4.1.5E2.bin
   99851395     Aug 03 05:20:20 2009  congo-s1-dk9.4.2.0.601.bin
  100122301     Aug 12 04:46:18 2009  congo-s1-dk9.4.2.1.bin
    9730124     Aug 12 22:02:57 2009  congo-s1-epld.4.0.4.img
   10993389     Mar 22 04:55:13 2009  congo-s1-epld.4.1.3.33.img
   23785984     Apr 07 23:47:43 2009  congo-s1-kickstart.4.0.4.bin
   24718848     Apr 16 21:52:40 2009  congo-s1-kickstart.4.1.4.bin
   25173504     Apr 08 06:00:57 2009  congo-s1-kickstart.4.1.5.bin
   23936512     Jun 02 04:26:35 2009  congo-s1-kickstart.4.1.5E2.bin
   25333248     Aug 03 05:19:26 2009  congo-s1-kickstart.4.2.0.601.bin
   25234944     Aug 12 04:45:24 2009  congo-s1-kickstart.4.2.1.bin
        310     Sep 19 03:58:55 2008  n7k-rhs-1.lic
      12699     Jan 23 14:02:52 2009  run_vpc_jan22
      11562     Mar 13 07:52:42 2009  startup-robert-cfg
      16008     Mar 12 02:02:40 2009  startup-vss-cfg
      17315     Mar 19 06:24:32 2009  startup-vss-cfg_roberto_mar18
         99     Apr 04 06:51:15 2009  test1

       9991     Jun 19 23:12:48 2009  vdc.cfg
       4096     Jan 22 13:37:57 2009  vdc_2/
       4096     Jan 22 00:40:57 2009  vdc_3/
       4096     Sep 11 12:54:10 2008  vdc_4/
     111096     Dec 20 04:40:17 2008  vpc.cap
          0     Feb 03 08:02:14 2009  vpc_hw_check_disable
      18166     Apr 03 03:24:22 2009  vpc_vss_apr02
      18223     Apr 02 22:40:57 2009  vss_vpc_apr2

Usage for bootflash://sup-remote
  873283584 bytes used
  936615936 bytes free
 1809899520 bytes total
N7010-1#

Configuration Files: Configuration Rollback

The configuration rollback feature enables you to take a snapshot, or checkpoint, of the Cisco NX-OS configuration and then reapply that configuration to your device at any point without having to reload the device. Rollback allows any authorized administrator to apply this checkpoint configuration without requiring expert knowledge of the features configured in the checkpoint.

You can create a checkpoint copy of the current running configuration at any time. Cisco NX-OS saves this checkpoint as an ASCII file that you can use to roll back the running configuration to the checkpoint configuration at a future time. You can create multiple checkpoints to save different versions of your running configuration.

When you roll back the running configuration, you can trigger the following rollback types:

• Atomic: Implement the rollback only if no errors occur. This is the default rollback type.
• Best-effort: Implement a rollback and skip any errors.
• Stop-at-first-failure: Implement a rollback that stops if an error occurs.

When you are ready to roll back to a checkpoint configuration, you can view the changes that will be applied to your current running configuration before committing to the rollback operation. If an error occurs during the rollback operation, you can choose to cancel the operation or ignore the error and proceed with the rollback. If you cancel the operation, Cisco NX-OS provides a list of changes already applied before the error occurred. You need to clean up these changes manually.

Configuration rollback limitations are as follows:

• Allowed to create up to ten checkpoint copies per VDC.
• You are not allowed to apply a checkpoint file of one VDC into another VDC.
• You are not allowed to apply a checkpoint configuration in a nondefault VDC if there is a change in the global configuration portion of the running configuration compared to the checkpoint configuration.
• The checkpoint filenames must be 75 characters or less.
• You are not allowed to start a checkpoint filename with the word auto.
• You cannot name a checkpoint file with summary or any abbreviation of the word summary.
• Only one user can perform a checkpoint, rollback, or copy the running configuration to the startup configuration at the same time in a VDC.
• After execution of write erase and reload commands, checkpoints are deleted. You can use the clear checkpoint database command to clear out all checkpoint files.
• Rollback fails for NetFlow if during rollback you try to modify a record that is programmed in the hardware.
• Although rollback is not supported for checkpoints across software versions, users can perform rollback at their own discretion and can use the best-effort mode to recover from errors.
• When checkpoints are created on bootflash, differences with the running-system configuration cannot be performed before performing the rollback, and the system reports "No Changes."

Example 1-10 demonstrates how to create a configuration rollback.

Example 1-10. Creating a Configuration Rollback

N7010-1# checkpoint changes
...........Done
N7010-1# show diff rollback-patch checkpoint changes running-config
Collecting Running-Config
Generating Rollback Patch
Rollback Patch is Empty
N7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# no snmp-server user nxos-admin
N7010-1(config)# exit
N7010-1# show diff rollback-patch checkpoint changes running-config
Collecting Running-Config
Generating Rollback Patch
!!
no username nxos-admin sshkey ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA6+TdX+ABH/mq1gQbfhhsjBmm65ksgfQb3Mb3qbwUbNlcAa6fjJCGdHu
f3kJ
ox/hjgPDChJOd-
kUXHjESlV59OhZP/NHlBrBq0TGRr+hfdAssD3wG5oPkywgM4+bR/ssCzoj6jVG41tGmfPip4pr3dqsMzR21
DXSK
K/tdj7bipWKy1wSkYQzZwatIVPIXRqTJY7L9a+JqVIJEA0QlJM1l0wZ5YbxccB2GKNKCM2x2BZl4okVgl80
CCJg
7vmn+8RqIOQ5jNAPNeb9kFw9nsPj/r5xFC1RcSKeQbdYAjItU6cX1TslRnKjlWewCgIa26dEaGdawMVuftg
u0uM
97VCOxZPQ==
no username nxos-admin
N7010-1# rollback running-config checkpoint changes
Note: Applying config in parallel may fail Rollback verification
Collecting Running-Config
Generating Rollback Patch
Executing Rollback Patch
Generating Running-config for verification
Generating Patch for verification
N7010-1# show snmp user nxos-admin
______________________________________________________________
                  SNMP USER
______________________________________________________________

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
nxos-admin                    sha   des(no)       network-operator

You can also enable specific SNMP traps:
N7010-1(config)# snmp-server enable traps eigrp
N7010-1(config)# snmp-server enable traps callhome
N7010-1(config)# snmp-server enable traps link
N7010-1(config)# exit
N7010-1#

Operating System Files

Cisco NX-OS Software consists of three images:

• The kickstart image, contains the Linux kernel, basic drivers, and initial file system.
• The system image contains the system software, infrastructure, Layers 4 through 7.
• The Erasable Programmable Logic Device (EPLD) image: EPLDs are found on the Nexus 7000 currently shipping I/O modules. EPLD images are not released frequently,\; even if an EPLD image is released, the network administrator is not forced to upgrade to the new image. EPLD image upgrades for I/O modules disrupt traffic going through the I/O module. The I/O module powers down briefly during the upgrade. The EPLD image upgrades are performed one module at a time.

On the Nexus 7000 with dual-supervisor modules installed, NX-OS supports in-service software upgrades (ISSU). NX-OS ISSU upgrades are performed without disrupting data traffic. If the upgrade requires EPLD to be installed onto the line cards that causes a disruption of data traffic, the NX-OS software warns you before proceeding so that you can stop the upgrade and reschedule it to a time that minimizes the impact on your network.

NX-OS ISSU updates the following images:

• Kickstart image
• System image
• Supervisor module BIOS
• Data module image
• Data module BIOS
• Connectivity management processor (CMP) image
• CMP BIOS

The ISSU process performs a certain sequence of events, as outlined here:

1. Step 1. Upgrade the BIOS on the active and standby supervisor modules and the line cards (data cards/nonsupervisor modules).
2. Step 2. Bring up the standby supervisor module with the new kickstart and system images.
3. Step 3. Switch over from the active supervisor module to the upgraded standby supervisor module.
4. Step 4. Bring up the old active supervisor module with the new kickstart image and the new system image.
5. Step 5. Upgrade the CMP on both supervisor modules.
6. Step 6. Perform nondisruptive image upgrade for line card (data cards/nonsupervisor modules), one at a time.
7. Step 7. ISSU upgrade is complete.

Virtual Device Contexts (VDCs)

The Nexus 7000 NX-OS software supports Virtual Device Contexts (VDCs), VDC(s) allow the partitioning of a single physical Nexus 7000 device into multiple logical devices. This logical separation provides the following benefits:

• Administrative and management separation
• Change and failure domain isolation from other VDCs
• Address, VLAN, VRF, and vPC isolation

Each VDC appears as a unique device and allows for separate Roles-Based Access Control Management (RBAC) per VDC. This enables VDCs to be administered by different administrators while still maintaining a rich, granular RBAC capability. With this functionalit, each administrator can define virtual routing and forwarding instance (VRF) names and VLAN IDs independent of those used in other VDCs safely with the knowledge that VDCs maintain their own unique software processes, configuration, and data-plane forwarding tables.

Each VDC also maintains an individual high-availability (HA) policy that defines the action that the system will take when a failure occurs within a VDC. Depending on the hardware configuration of the system, there are various actions that can be performed. In a single supervisor system, the VDC can be shut down, restarted, or the supervisor can be reloaded. In a redundant supervisor configuration, the VDC can be shut down, restarted, or a supervisor switchover can be initiated.

There are components that are shared between VDC(s), which include the following:

• A single instance of the kernel which supports all of the processes and VDCs.
• Supervisor modules
• Fabric modules
• Power supplies
• Fan trays
• System fan trays
• CMP
• CoPP
• Hardware SPAN resources

Figure 1-5 shows the logical segmentation with VDCs on the Nexus 7000. A common use case is horizontal consolidation to reduce the quantity of physical switches at the data center aggregation layer. In Figure 1-5, there are two physical Nexus 7000 chassis; the logical VDC layout is also shown.

Figure 1-5 Logical Segmentation with VDCs on the Nexus 7000

VDC Configuration

This section shows the required steps to creating a VDC; once the VDC is created, you will assign resources to the VDC. VDC(s) are always created from the default admin VDC context, VDC context 1.

Example 1-11 shows how to configure the VDC core on Egypt.

Example 1-11. Creating VDC "core" on Egypt

egypt(config)# vdc core
Note:  Creating VDC, one moment please ...
egypt# show vdc
vdc_id  vdc_name                          state               mac
------  --------                          -----               ----------
1       egypt                             active         00:1b:54:c2:38:c1
2       core                               active        00:1b:54:c2:38:c2

egypt# show vdc core detail
vdc id: 2
vdc name: core
vdc state: active
vdc mac address: 00:1b:54:c2:38:c2
vdc ha policy: RESTART
vdc dual-sup ha policy: SWITCHOVER
vdc boot Order: 2
vdc create time: Mon Feb 22 13:11:59 2010
vdc reload count: 1
vdc restart count: 0
egypt#

Once the VDC is created, you now have to assign physical interfaces to the VDC. Depending on the Ethernet modules installed in the switch, interface allocation is supported as follows:

The 32-port 10-Gigabit Ethernet Module (N7K-M132XP-12), interfaces can be allocated on a per port-group basis; there are eight port-groups. For example, port-group 1 are interfaces e1, e3, e5, e7; port-group 2 are interfaces e2, e4, e6, e8.

The 48-port 10/100/1000 I/O Module (N7K-M148GT-11) can be allocated on a per-port basis.

The 48-port 1000BaseX I/O Module (N7K-M148GS-11) can be allocated on a per-port basis.

A future module, N7K-D132XP-15, interfaces will be allocated per 2 ports per VDC.

Example 1-12 demonstrates how to allocate interfaces to a VDC.

Example 1-12. Allocating Interfaces to a VDC

egypt(config)# vdc core
eqypt(config-vdc)# allocate interface Ethernet1/17
egypt(config-vdc)# allocate interface Ethernet1/18

To verify the interfaces allocation, enter the show vdc membership command as demonstrated in Example 1-13.

Example 1-13. Verifying Interface Allocation to a VDC

egypt(config-vdc)# show vdc membership

vdc_id: 1 vdc_name: egypt interfaces:
        Ethernet1/26          Ethernet1/28          Ethernet1/30
        Ethernet1/32          Ethernet2/2           Ethernet2/4
        Ethernet2/6           Ethernet2/8           Ethernet2/26
        Ethernet2/28          Ethernet2/30          Ethernet2/32
        Ethernet3/4           Ethernet3/5           Ethernet3/6
        Ethernet3/7           Ethernet3/8           Ethernet3/9
        Ethernet3/11          Ethernet3/12          Ethernet3/13
        Ethernet3/14          Ethernet3/15          Ethernet3/16
        Ethernet3/17          Ethernet3/18          Ethernet3/19
        Ethernet3/20          Ethernet3/21          Ethernet3/22
        Ethernet3/23          Ethernet3/24          Ethernet3/25
        Ethernet3/26          Ethernet3/27          Ethernet3/28
        Ethernet3/29          Ethernet3/30          Ethernet3/31
        Ethernet3/32          Ethernet3/33          Ethernet3/34
        Ethernet3/35          Ethernet3/36          Ethernet3/39
        Ethernet3/40          Ethernet3/41          Ethernet3/42
        Ethernet3/43          Ethernet3/44          Ethernet3/45
        Ethernet3/46          Ethernet3/47          Ethernet3/48

vdc_id: 2 vdc_name: core interfaces:
        Ethernet1/17          Ethernet1/18          Ethernet1/19
        Ethernet1/20          Ethernet1/21          Ethernet1/22
        Ethernet1/23          Ethernet1/24          Ethernet1/25
        Ethernet1/27          Ethernet1/29          Ethernet1/31
        Ethernet2/17          Ethernet2/18          Ethernet2/19
        Ethernet2/20          Ethernet2/21          Ethernet2/22
        Ethernet2/23          Ethernet2/24          Ethernet2/25
        Ethernet2/27          Ethernet2/29          Ethernet2/31
        Ethernet3/1           Ethernet3/2           Ethernet3/3
        Ethernet3/10

In addition to interfaces, other physical resources can be allocated to an individual VDC, including IPv4 route memory, IPv6 route memory, port-channels, and SPAN sessions. Configuring these values prevents a single VDC from monopolizing system resources. Example 1-14 demonstrates how to accomplish this.

Example 1-14. Allocating System Resources

egypt(config)# vdc core
egypt(config-vdc)# limit-resource port-channel minimum 32 maximum equal-to-min
egypt(config-vdc)# limit-resource u4route-mem minimum 32 maximum equal-to-min
egypt(config-vdc)# limit-resource u6route-mem minimum 32 maximum equal-to-min
egypt(config-vdc)# limit-resource vlan minimum 32 maximum equal-to-min
egypt(config-vdc)# limit-resource vrf minimum 32 maximum equal-to-min

Defining the VDC HA policy is also done within the VDC configuration sub-mode. Use the ha-policy command to define the HA policy for a VDC as demonstrated in Example 1-15.

Example 1-15. Changing the HA Policy for a VDC

egypt(config)# vdc core
eqypt(config-vdc)# ha-policy dual-sup bringdown

The HA policy will depend based on the use-case or VDC role. For example, if you have dual-supervisor modules in the Nexus 7000 chassis or if the VDC role is development/test, the VDC HA policy may be to just shut down the VDC. If the VDC role is for the core and aggregation use case the HA policy would be switchover.

Troubleshooting

The troubleshooting sections introduce basic concepts, methodology, and general troubleshooting guidelines for problems that might occur when configuring and using Cisco NX-OS.

show Commands

Table 1-2 lists sample EXEC commands showing the differences between IOS and NX-OS.

Table 1-2. Sample EXEC Commands Showing the Differences Between IOS and NX-OS

debug Commands

Cisco NX-OS supports an extensive debugging feature set for actively troubleshooting a network. Using the CLI, you can enable debugging modes for each feature and view a real-time updated activity log of the control protocol exchanges. Each log entry has a timestamp and is listed chronologically. You can limit access to the debug feature through the CLI roles mechanism to partition access on a per-role basis. Although the debug commands show real-time information, you can use the show commands to list historical and real-time information.

By using the ? option, you can see the options that are available for any feature. A log entry is created for each entered command in addition to the actual debug output. The debug output shows a timestamped account of the activity that occurred between the local device and other adjacent devices.

You can use the debug facility to track events, internal messages, and protocol errors. However, you should be careful when using the debug utility in a production environment because some options might prevent access to the device by generating too many messages to the console or creating CPU-intensive events that could seriously affect network performance.

You can filter out unwanted debug information by using the debug-filter command. The debug-filter command enables you to limit the debug information produced by related debug commands.

Example 1-16 limits EIGRP hello packet debug information to Ethernet interface 1/1.

Example 1-16. Filtering debug Information

switch# debug-filter ip eigrp interface ethernet 1/1
switch# debug eigrp packets hello</code>

Topology

Throughout the book, you see a common topology for demonstration purposes. Figure 1-6 depicts the physical topology.

Figure 1-6 Physical Topology for Book Demonstration Purposes

Further Reading

• NX-OS Feature Navigator: http://tinyurl.com/2btvax
• NX-OS Nexus 7000 Supported MIB List: http://tinyurl.com/pzh4gg
• NX-OS Nexus 5000 Supported MIB List: http://tinyurl.com/q4pqp5
• NX-OS Nexus 1000V Supported MIB List: http://tinyurl.com/nu22mx