nexus 手册
2014-11-19 22:29
537 查看
NexusConfigurationSimpleGuide
目录
Nexu7000缺省端口配置...2
CMP连接管理处理器配置...3
带外管理VRF.4
划分Nexus7010VDC.5
基于EthernetChannel的vPC.7
割裂的vPC:HSRP和STP.12
vPC的细部配置...12
Nexus的SPAN..14
VDC的MGMT接口...14
DOWN的VLAN端口...14
Nexus的路由...15
Nexus上的NLB.16
标识一个部件...16
Nexus7000基本配置汇总...17
CiscoNX-OS/IOSConfigurationFundamentalsComparison.17
CiscoNX-OS/IOSInterfaceComparison.25
CiscoNX-OS/IOSPort-ChannelComparison.31
CiscoNX-OS/IOSHSRPComparison.35
CiscoNX-OS/IOSSTPComparison.40
CiscoNX-OS/IOSSPANComparison.45
CiscoNX-OS/IOSOSPFComparison.49
CiscoNX-OS/IOSLayer-3VirtualizationComparison.55
vPCRoleandPriority.61
vPCDomainID..62
vPCPeerLink.62
Configurationforsingle10GigECard.63
CFSoE.64
vPCPeerKeepaliveorFTLink.64
vPCPorts.65
OrphanPortswithnon-vPCVLANs.66
HSRP.66
HSRPConfigurationandBestPracticesforvPC.66
AdvertisingtheSubnet.67
L3LinkBetweenvPCPeers.68
CiscoNX-OS/IOSTACACS+,RADIUS,andAAAComparison.68
Nexus5000的配置同步...74
初始化Nexus2000FabricModule.75
nosystemdefaultswitchportshutdown
copyrunning-configstartup-configvdc-all存配置
dirbootflash:
dirbootflash://sup-standby/
dirbootflash://sup-remote
showrole
showinventory显示系统详细目录,或称为存货清单,可以看到各组件产品编号以及序列号
showhardware显示系统硬件详细信息
showsprombackplane1显示交换机序列号
showenvironmentpower显示电源信息
powerredundancy-modeps-redundant如果没有双电网供电则使用此模式
powerredundancy-modeinsrc-redundant如果有双电网供电则使用此模式
showmodule检验各模块状态
attachmoduleslot_number
dirbootflashdirslot0:查看ACTIVE引擎的FLASH空间
如果查看备份引擎的FLASH空间呢?首先attachmodulecommandtoattachtothemodulenumber,andthenusethedirbootflash:ordirslot0:
out-of-servicemoduleslotShuttingDownaSupervisororI/OModule
out-of-servicexbarslotShuttingDownaFabricModule
clocktimezone
clockset
poweroffmoduleslot_number
nopoweroffmoduleslot_number
poweroffxbarslot_number
YoushouldalsoconfigurethreeIPaddresses—oneforeachcmp-mgmtinterfaceandonethatissharedbetweentheactiveandstandbysupervisormgmt0interfaces.
attachcmp进入CMP
命令输入后自动存盘,不需要copyrunstart
通过NX-OSCLI来配置CMP
1.configureterminal
2.interfacecmp-mgmtmoduleslot通过module槽号分别为5/6来实现主备引擎上的CMP配置
3.ipaddressipv4-address/length
4.ipdefault-gatewayipv4-address
5.showrunning-configcmp
通过CMPCLI来配置CMP
1.attachcmp
2.configureterminal
3.ipdefault-gatewayipv4-address
4.interfacecmp-mgmt
5.ipaddressipv4-address/length
6.showrunning-config
在CMP上可执行的动作:
showcpstate
reloadcp
attachcp
monitorcp
pingortraceroute192.0.2.15
reloadsystemToreloadthecompletesystem,includingtheCMPs
Themanagementinterfaceis,bydefault,partofthemanagementVRF.Themanagement
interface“mgmt0”istheonlyinterfaceallowedtobepartofthisVRF.
ThephilosophybeyondManagementVRFistoprovidetotalisolationforthemanagementtraffic
fromtherestofthetrafficflowingthroughtheboxbyconfiningtheformertoitsownforwarding
table.
Inthisstepwewill:
-Verifythatonlythemgmt0interfaceispartofthemanagementVRF
-VerifythatnootherinterfacecanbepartofthemanagementVRF
-VerifythatthedefaultgatewayisreachableonlyusingthemanagementVRF
如果想Ping带外网管的网关等地址必须在Ping命令后面加上vrfmanagement
ping10.2.8.1vrfmanagement
VDC的资源是占用全局机箱的,因此在必要的时候,需要通过调整VDC资源配置来进行VDC功能和性能的调整。所有进入VDC的接口和资源都不能被其他VDC或者缺省VDC使用。
VDC配置
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/virtual_device_context/quick/guide/Cisco_Nexus_7000_Series_NX-OS_Virtual_Device_Context_Quick_Start__Release_5.x_chapter1.html
vdcMyVDC创建VDC
allocateinterfaceethernet2/11-1分配接口
switchtovdcMyVDCSwitchtothenewVDCandentertheVDCadminuseraccountpassword切换至一个VDC
switchback
setup根据安装向导配置VDC
showvdcmembership
showvdccurrent-vdc
WheninterfacesindifferentVDCssharethesameportASIC,reloadingtheVDC(withthereloadvdccommand)orprovisioninginterfacestotheVDC(withtheallocateinterfacecommand)mightcauseshorttrafficdisruptions(of1to2seconds)fortheseinterfaces.Ifsuchbehaviorisundesirable,makesuretoallocateallinterfacesonthesameportASICtothesameVDC.
ToseehowtheinterfacesaremappingtotheportASIC,usethiscommand:
slotslot_numbershowhardwareinternaldev-port-map这个命令没有帮助,需盲打
copyrunning-configstartup-configvdc-all
VDC资源清单:
通过命令可以查看当前VDC的数量和状态。系统机箱本身默认为VDC1,最多可以建立3个另外的VDC。登录到系统默认的VDC1下,可以通过switchtovdc命令在不同的VDC之间跳转,并可以通过重启VDC1来重启其他所有的VDC。
位于其他VDC当中,无法通过switchtovdc的方式进行VDC的跳转。系统保存配置和reload都有针对单独VDC的配置。
不同VDC的名称,除了在vpc命令中直接指定,还可以进入到VDC配置界面后,直接用hostname命令进行更改。
vPC完全基于EthernetChannel技术,所有成员组都必须在EthernetChannel当中,除了peer-linkkeepalive。vPC仅仅能作用在二层Trunk结构下,完全不兼容任何L3环境。vPC使用连接设备的peer-link必须使用10G以太网接口,而peer-linkkeepalive必须是路由接口。配置手册推荐使用单独的VRF来隔离,以便于减小地址管理压力。
首先,配置L3端口,保证双方可以ping通:
vPC结构当中,应当尽可能保证所有peer-link链路的可靠性,不可靠的keepalive链路将会导致一些vPCDomain重新收敛。具体情况请见后面描述。
其次,进行完L3配置后,配置vPCDomain。一台设备属于且只能属于一个vPCDomain,一个vPCDomain有且只能拥有两个成员。Domain的配置当中,需要指定vPC对端设备的IP地址,如果这个设备的地址不在defaultVRF当中的时候,需要指定源地址:
完成这一步配置,将可以保证vPC组可以通过peer-linkkeepalive来检测和通告对端状态。
再次,配置peer-link。Peer-link是vPC转发机箱间流量的链路,因此链路只能使用10G以太网,配置手册推荐使用至少2条10G以太网电缆进行捆绑:
最后,将一段设备连接到两侧设备链路推入各自的EthernetChannel的组,并且将参加配置的EthernetChannel加入vPC组,保证对应的EthernetChannel在相同的转发vPC当中,便完成该配置:
CAUTION
在配置当中,vpc的数字和port-channel的数字必须相同,并且这两个数字必须和Domain的数字不同。否则,将会导致vpc无法启动的问题。
vPC配置的两端都必须是相容的Trunk配置,例如LACP或者noprotocol。
LACPSystempriority的一致,有利于vPC状态下LARP的收敛,手册推荐配置为vPC成员设备拥有相同的值。配置需要再全局和vPC配置模式下使用。
如果在配置中发现如下现象,则应当首先检查vPC中,成员EthernetChannel配置是否正常:
注记:
对于不同的设备和不同的拓扑形态,vPC的具体配置也会有所不同。
1.对于简单的downstream设备
如图所示:
对于简单的downstream设备,两台Nexus设备使用标准的vPC配置方法。两台设备之间配置peer-link和peer-linkkeepalive链路,在完成vPC配置之后,将于downstream连接的接口划入一个EthernetChannel,即便是该EthernetChannel也无妨,然偶将这个EthernetChannel接口划入到对应的vpc中,完成虚拟转发。
2.对于Nexus推荐的域环境
如图所示:
在Nexus5k和Nexus7k当中,使用fullmesh的结构来连接。通过vPC技术,中间这四条链路可以保持全活的状态,结合vPC形成的虚拟拓扑,实际上相当于单台Nexus5k和Nexus7k之间连接了一条40G的链路,从而极大的提高了转发能力。
在这种配置实例当中,Nexus5k和Nexus7k需要单独配置自己的vPCDomain,在各自的vPCDomain正常建立后,将交叉的线路绑定成EthernetChannel,绑定协议不限于LACP或者noprotocol。
下面的配置仅列出了左侧5k和7k的相关配置。
通过将同一台设备的两条链路捆绑成EthernetChannel,并将其放入相同的vPC转发组,来完成双向的配置。
CAUTION
配置当中,并需保持vPC两侧配置的同步,即,两侧的VLAN,接口,VDC配置应当一致,若配置不一致,则会导致vPC工作不正常。
所有的EthernetChannel必须工作在Trunk模式下,需要用Switchportmodetrunk方式和做显式的指派,否则会导致vPC工作不正常。
当vPCPeer-linkKeepalive链路中断时,所有的数据转发都不会受到影响;当vPCPeer-link链路中断时,处于Secondary角色的设备,所有处于vPC成员组的EthernetChannel都会被置为Down状态,使得该设备从vPC管理域中离线,从而停止数据转发,直到链路被修复。
当vPCDomain成员都处在正常工作状态时,对于vPCPeer-link和vPCPeer-linkKeepalive的中断都不会终止系统的数据转发,只是vPC收敛可能会导致丢失1~2个数据包。
但是处于下列情况,会导致vPCDomain出现数据转发问题:
保证vPCDomain正常工作,将两台设备中间的链路全部中断,然后在两侧都配置reloadrestore命令情况下,重启两侧vPCDomain成员,在经过240s后,两侧设备都会处于双活状态,从而导致数据转发环路。从得到的消息看,应该是STP导致的二层环路所致。使用vPC配置命令:peer-switch也许可以解决这个问题。
该问题必须经由严格的操作时序才可重现。
vPC上的HSRP进行了特殊的修正,HSRP的Active负责相应ARP请求,但是standby角色也可以转发带有目的地为HSRP组虚拟MAC地址的数据包,这样就实现了HSRP的Load-Balance。
和HSRP一样,GLBP也是vPC所支持的热备份网关协议,但是GLBP通过AVG相应不同的ARP请求,并回应给不同AVF的MAC地址的方式来进行负载均衡。但是HSRP在vPC环境中,收敛速度比GLBP更快。
在vPC当中,所有HSRP、GLPB或者VRRP的,处于Active角色设备,都必须配置在vPC的Primary设备上;同样的,STP配置中,关于VLAN的根桥,也必须和Primary设备保持一致。
HSRP在两侧应当拥有相同的HSRP组号,并且同一组号在单一VDC上不能重复。基于vPC的HSRP不能使用USE-BIA参数。
vPC在没有rolepriority配置的情况下,由桥MAC来决定谁是primary设备,MAC绝对值较小的会当选,如果配置了rolepriority的,则该项配置值相对较小的会当选。但是要shutpeer-link一次,才能完成更改。
System-priority
这是vPC当中对于LACP的配置。如果该值不配置,则不影响,但是如果配置了,则vPCDomain中设备的system-priority值必须相同,如果不匹配,vPC启动可能会遇到麻烦。
Reloadrestore
该命令用于帮助Nexus启动后,找不到vPC对端时仍能激活vPC的功能。
缺省情况,如果vPC成员设备启动后无法找到对端,会导致所有vPC功能端口出于down状态,不能转发数据。配置了这个命令后,该单独启动的设备会在最少240s后,将vPC成员端口转变为up状态,并且开始转发数据。
CAUTION
在vPC成员设备间所有电缆,包括peer-link和peer-linkkeepalive电缆中断的情况下,并且两侧vPC全部配置reloadrestore,将会在两端设备重新启动完成后,存在vPC双活,Nexus将会与上层转发设备之间形成数据环路。
该情况仅出现在Nexus推荐的域环境中,并且要严格遵循步骤,才能出现。
Peer-switch
Peer-switch命令用于将vPCDomain成员设备虚拟成一个STP的根,从而实现生成树结构的优化,减少Primary设备失败后的STP重算时间。
vPC配置成功后的清单:
SPAN方式被称为本地SPAN,用于本地交换机接口作为源和目的;ESPAN用于将SPAN流量的目的设定为某个VLAN,并通过Trunk实现远程的SPAN;ERSPAN用于将SPAN流量封装在GRE中,通过路由方式进行远端的SPAN。
Nexus7000最大可以存在48个Session,但是只能有两个在工作;Fex端口只能做SPAN的源,不能做span的目的;EthernetChannel成员不能当span的源,nexus5K上连接fex接口不能当span的源;Nexus5K仅支持SPAN,而Nexus7K则支持所有的SPAN类型。
Nexus7K中,VLAN的配置和InterfaceVLAN的配置是相分离的,仅有InterfaceVLAN而没有VLAN,是会导致VLAN接口在两侧的配置不同,从而导致L3VLAN接口处于DOWN的状态。缺省情况下,L3VLAN接口被shutdown,需要使用no命令激活。
可以尝试使用VTP来避免配置上的错误。
在Nexus当中,OSPF的带宽计算参考值已经从原来的100Mbps更改为40Gbps,并设定为默认值。
Nexus的OSPF已经不允许在OSPF进程下进行网络的宣告,所有对于OSPF的网络宣告都要在接口下进行。
locator-led{chassis|fanf-number|moduleslot|powersupplyps-number|xbarx-number}
nolocator-led{chassis|fanf-number|moduleslot|powersupplyps-number|xbarx-number}
这个命令模板是基于Nexus7k的,在Nexus5k上有些参数不能用,但是有fex参数用来标识FabricModule
光纤的类型
对于使用SFP的Nexus5010而言,需要考虑跨机房连接时的光纤类型。系统提示的信息如下:
FromDocWiki
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesfortheconfigurationfundamentalsbetweentheCiscoNX-OSsoftwareandtheCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwaretoillustratesomethedifferencesafterthefirstsystemstartup.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
CiscoNX-OSOverview
TheCiscoNX-OSisadatacenterclassoperatingsystemdesignedformaximumscalabilityandapplicationavailability.TheCLIinterfacefortheNX-OSisverysimilartoCiscoIOS,soifyouunderstandtheCiscoIOSyoucaneasilyadapttotheCiscoNX-OS.However,afewkeydifferencesshouldbeunderstoodpriortoworkingwiththeCiscoNX-OS.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
WhenyoufirstlogintotheNX-OS,yougodirectlyintoEXECmode.
RoleBasedAccessControl(RBAC)determinesauser’spermissionsbydefault.NX-OS5.0(2a)introducedprivilegelevelsandtwo-stageauthenticationusinganenablesecretthatcanbeenabledwiththeglobalfeatureprivilegeconfigurationcommand.
Bydefault,theadminuserhasnetwork-adminrightsthatallowfullread/writeaccess.AdditionaluserscanbecreatedwithverygranularrightstopermitordenyspecificCLIcommands.
TheCiscoNX-OShasaSetupUtilitythatallowsausertospecifythesystemdefaults,performbasicconfiguration,andapplyapre-definedControlPlanePolicing(CoPP)securitypolicy.
TheCiscoNX-OSusesafeaturebasedlicensemodel.AnEnterpriseorAdvancedServiceslicenseisrequireddependingonthefeaturesrequired.Additionallicensesmayberequiredinthefuture.
A120daylicensegraceperiodissupportedfortesting,butfeaturesareautomaticallyremovedfromtherunningconfigurationaftertheexpirationdateisreached.
TheCiscoNX-OShastheabilitytoenableanddisablefeaturessuchasOSPF,BGP,etc…usingthefeatureconfigurationcommand.Configurationandverificationcommandsarenotavailableuntilyouenablethespecificfeature.
InterfacesarelabeledintheconfigurationasEthernet.Therearen’tanyspeeddesignations.
TheCiscoNX-OSsupportsVirtualDeviceContexts(VDCs),whichallowaphysicaldevicetobepartitionedintologicaldevices.WhenyouloginforthefirsttimeYouareinthedefaultVDC(VDC1).
TheCiscoNX-OShastwopreconfiguredVRFinstancesbydefault(management,default).ThemanagementVRFisappliedtothesupervisormoduleout-of-bandEthernetport(mgmt0),andthedefaultVRFinstanceisappliedtoallotherI/OmoduleEthernetports.
SSHv2server/clientfunctionalityisenabledbydefault.TELNETserverfunctionalityisdisabledbydefault.(TheTELNETclientisenabledbydefaultandcannotbedisabled.)
VTYandAuxiliaryportconfigurationsdonotshowupinthedefaultconfigurationunlessaparameterismodified(TheConsoleportisincludedinthedefaultconfiguration).TheVTYportsupports32simultaneoussessionsandthetimeoutisdisabledbydefaultforallthreeporttypes.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalCiscoNX-OSinformationthatshouldbehelpfulwhenconfiguringandmaintainingtheCiscoNX-OS.
Thedefaultadministeruserispredefinedasadmin.Anadminuserpasswordhastobespecifiedwhenthesystemispoweredupforthefirsttime,oriftherunningconfigurationiserasedwiththewriteerasecommandandsystemisrepowered.
Ifyouremoveafeaturewiththeglobalnofeatureconfigurationcommand,allrelevantcommandsrelatedtothatfeatureareremovedfromtherunningconfiguration.
TheNX-OSusesakickstartimageandasystemimage.Bothimagesareidentifiedintheconfigurationfileasthekickstartandsystembootvariables.ThebootvariablesdeterminewhatversionofNX-OSisloadedwhenthesystemispoweredon.(ThekickstartandsystembootvariableshavetobeconfiguredforthesameNX-OSversion.)
Theshowrunning-configcommandacceptsseveraloptions,suchasOSPF,BGP,etc…thatwilldisplaytheruntimeconfigurationforaspecificfeature.
Theshowtechcommandacceptsseveraloptionsthatwilldisplayinformationforaspecificfeature.
ConfigurationComparison
ThefollowingsamplecodeshowsimilaritiesanddifferencesbetweentheCiscoNX-OSsoftwareandtheCiscoIOSSoftwareCLI.
VerificationCommandComparison
Thefollowingtablecomparessomeusefulshowcommandsforverifyingtheinitialsystemstartupandrunningconfiguration.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Configuration_Fundamentals_Comparison"
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesininterfacesupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
InterfaceConfigurationOverview
TheNX-OSsupportsdifferentphysicalandvirtualinterfacetypestomeetvariousnetworkconnectivityrequirements.Thedifferentinterfacetypesinclude:layer-2switched(accessortrunk),layer-3routed,layer-3routed(sub-interfacetrunk),switchedvirtualinterface(SVI),port-channel,loopback,andtunnelinterfaces.Port-channelinterfacesaredocumentedintheCiscoNX-OS/IOSPort-ChannelComparisonTech-Note.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
SVIcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheSVIfeaturewiththefeatureinterface-vlancommand.
Tunnelinterfacecommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheTunnelfeaturewiththefeaturetunnelcommand.
Interfacessupportstatefulandstatelessrestartsafterasupervisorswitchoverforhighavailability.
Only802.1qtrunksaresupported,sotheencapsulationcommandisn'tnecessarywhenconfiguringalayer-2switchedtrunkinterface.(CiscoISLisnotsupported)
AnIPsubnetmaskcanbeappliedusing/xxorxxx.xxx.xxx.xxxnotationwhenconfiguringanIPaddressonalayer-3interface.
TheCLIsyntaxforspecifyingmultipleinterfacesisdifferentinCiscoNX-OSSoftware.Therangekeywordhasbeenomittedfromthesyntax(IE:interfaceethernet1/1-2)
Theout-of-bandmanagementethernetportlocatedonthesupervisormoduleisconfiguredwiththeinterfacemgmt0CLIcommand.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhenconfiguringinterfaces.
Aninterfacecanonlybeconfiguredin1VDCatatime.
All4interfacesinaportgroupmustbeassignedtothesameVDCwhenassigninginterfacesonthe32port10GEmodule.Therearenotanyrestrictionsforthe48port1GEmodules.
10GEinterfacescanbeconfiguredindedicatedmodeusingtherate-modededicatedinterfaceCLIcommand.
ThedefaultporttypeisconfigurableforL3routedorL2switchedinthesetupstartupscript.(L3isthedefaultporttypepriortorunningthescript)
Alayer-2switchedtrunkportsendsandreceivestrafficforallVLANsbydefault(ThisisthesameasCiscoIOSSoftware).UsetheswitchporttrunkallowedvlaninterfaceCLIcommandtospecifytheVLANsallowedonthetrunk.
Theclearcountersinterfaceethernetx/xCLIcommandresetsthecountersforaspecificinterface.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisverysimilarbetweenCiscoIOSandCiscoNX-OSSoftware.
VerificationCommandComparison
Thefollowingtablelistssomeusefulshowcommandsforverifyingthestatusandtroubleshootinganinterface.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Interface_Comparison"
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinPort-ChannelsupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
Port-ChannelOverview
Port-ChannelsprovideamechanismforaggregatingmultiplephysicalEthernetlinksintoasinglelogicalEthernetlink.Port-Channelsaretypicallyusedtoincreaseavailabilityandbandwidth,whilesimplifyingthenetworktopology.Port-ChannelscanbeconfiguredinStaticMode(noprotocol)orinconjunctionwithaprotocolsuchasLaCPdefinedinIEEE802.3adorPaGPfordynamicnegotiationsandkeep-alivedetectionforfailover.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
256Port-Channelsaresupportedperchassis
LaCPandStaticModePort-Channelsaresupported(PaGPisnotsupportedinCiscoNX-OSSoftware).
LaCPcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheLaCPfeaturewiththefeaturelacpcommand.
TheCLIsyntaxforspecifyingmultipleinterfacesisdifferentinCiscoNX-OSSoftware.Therangekeywordhasbeenomittedfromthesyntax(IE:interfaceethernet1/1-2)
APort-Channelcanbeconvertedbetweenalayer-2andlayer-3Port-Channelwithoutremovingthememberports.
TheforcekeywordcanbeusedwhenaddinganinterfacetoanexistingPort-ChanneltoforcethenewinterfacetoinheritalloftheexistingPort-Channelcompatibilityparameters.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganetworkusingPort-Channels.
AsinglePort-ChannelcannotconnecttotwodifferentVDCsinthesamechassis.
YoucannotdisableLaCPwiththenofeaturelacpcommandifLaCPisconfiguredforaPort-Channel.LaCPmustbedisabledonallPort-ChannelspriortodisablingLaCPglobally.
Theshowport-channelcompatibility-parametersCLIcommandisveryusefulforverifyinginterfaceparameterswhenconfiguringPort-Channels.
Theshowport-channelload-balanceforwarding-pathCLIcommandcanbeusedtodeterminetheindividuallinkaflowtraversesoveraspecificPort-Channel.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisverysimilarbetweenCiscoIOSandCiscoNX-OS.CiscoNX-OSdoesnotusetherangekeywordwhenspecifyingmultipleinterfaces.CiscoNX-OSalsohastheabilitytoforceaninterfacetoinheritexistingPort-Channelcompatibilityparametersusingtheforcekeyword.
VerificationCommandComparison
ThefollowingtablelistssomeusefulshowcommandsforverifyingandtroubleshootingaPort-Channelconfiguration.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Port-Channel_Comparison"
http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinHotStandbyRoutingProtocol(HSRP)(IPv4)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
HSRPOverview
HSRPisaCiscoproprietaryFirstHopRedundancyProtocol(FHRP)designedtoallowtransparentfailoverforanIPclient’sdefaultgateway(first-hoprouter).
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
HSRPcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheHSRPfeaturewiththefeaturehsrpcommand.
HSRPishierarchical.AllrelatedcommandsforanHSRPgroupareconfiguredunderthegroupnumber.
TheHSRPconfigurationcommandsusetheformathsrp<option>insteadofstandby<option>.
TheHSRPverificationcommandsusetheformatshowhsrp<option>insteadofshowstandby<option>.
HSRPsupportsstatefulprocessrestartbydefault.
Thehelloandhold-timetimerrangesforthemillisecondoptionsaredifferent.InCiscoNX-OS,hello=250to999milliseconds,andholdtime=750to3000milliseconds.InCiscoIOSSoftware,hello=15to999milliseconds,andholdtime=50to3000milliseconds.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintainingHSRP-enablednetworks.
Ifyouremovethefeaturehsrpcommand,allrelevantHSRPconfigurationinformationisalsoremoved.
HSRPv1isenabledbydefault(HSRPv2canbeenabledperinterface).
HSRPv1supports256groupnumbers(0to255).HSRPv2supports4096groupnumbers(0to4095).
HSRPv1andHSRPv2arenotcompatible.However,adevicecanbeconfiguredtorunadifferentversionondifferentinterfaces.
Theshowrunning-confighsrpcommanddisplaysthecurrentHSRPconfiguration.
ConfigurationofmorethanoneFHRPonaninterfaceisnotrecommended.
Objecttrackingissupported.Trackingcanbeconfiguredforaninterface’slineprotocolstate,IPaddressstate,andforIProutereachability(determiningwhetherarouteisavailableintheroutingtable).
Aninterfacecantrackmultipleobjects.
SecondaryIPaddressesaresupportedinthesameoradifferentgroupastheinterface’sprimaryIPaddress.
LoadsharingcanbeaccomplishedbyusingmultipleHSRPgroupsperinterface.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Therearetwosignificantdifferences:CiscoNX-OSusesahierarchicalconfiguration,anditusesthehsrpkeywordinsteadofthestandbykeywordforconfigurationandverificationcommands.Bothenhancementsmaketheconfigurationeasiertoread.
VerificationCommandComparison
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootinganHSRPconfiguration.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_HSRP_Comparison"
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinSpanning-TreeProtocol(STP)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
STPOverview
STPisastandardsbasedlink-layerprotocoloriginallydefinedinIEEE802.1dthatrunsonswitchestopreventforwardingloopswhenusingredundantlayer-2networktopologies.NewervariantsofSTPhavebeendevelopedcalledRapidSpanningTreeprotocol(RSTP)definedinIEEE802.1wandMultipleSpanningTreeprotocol(MST)definedinIEEE802.1sthatareenhancedforbetterscalabilityandconvergefasterthantheoriginalversion.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
Rapid-PVST+andtheMSTprotocolsaresupported.
Rapid-PVST+isenabledbydefault.
Highavailabilityisachievedwithstatefulswitchoverwhentwosupervisorsareinstalledinachassis.
TheSTPporttypesareidentifiedwiththeporttypedesignationasopposedtotheportfastdesignationinCiscoIOSSoftware.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganetworkconfiguredwiththeSTP.
Rapid-PVST+isinteroperablewiththe802.1dSTP.
Rapid-PVST+isinteroperablewithMST.(Thisisenabledbydefault)
OnlyoneSTPcanbeenabledperVDC.
BridgeAssuranceisenabledgloballybydefault,butisdisabledonaninterfacebydefault.
BridgeAssurancecanbeenabledforaninterfaceusingthespanning-treeporttypenetworkinterfacecommand.
Theclearspanning-treecounterscommandclearsthecountersforanSTPinterfaceoraVLAN.
STPenhancementssuchasBPDUGuard,LoopGuard,RootGuard,andBPDUFilteringaresupported.
Spanning-TreebestpracticesareapplicabletobothCiscoNX-OSandCiscoIOSSoftware
DonotdisableSTP.Evenifthelayer-2topologydoesnotrequireSTP,itshouldalwaysbeenabledasasafeguardforconfigurationand/orcablingerrors.
ChangingtheSTPmodecandisrupttraffic.
EnablingBridgeAssuranceisrecommended.However,onlyenableBridgeAssuranceonlayer-2linksifbothdevicesoneachendofthelinksupportit.
Typicallythecore/backbonedevicesshouldbeconfiguredastheprimaryandsecondaryrootbridges.
Thedefaultbridgepriorityis32,768(plustheVLAN#).Thelowerthevalue,themorelikelyitwillbecometherootbridge.
Configure802.1qtrunkportsasedgetrunkporttypewhenconnectingtoL3hostssuchasfirewalls,load-balancers,orserversforfasterconvergence.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisidenticalwiththeexceptionoftheporttypeterminology.TheCiscoIOSusestheportfastdesignation,whereasCiscoNX-OSusestheporttypedesignation.
VerificationCommandComparison
ThefollowingtablelistssomeusefulshowcommandsforverifyingandtroubleshootingaSTPnetworkconfiguration.TheshowcommandsareidenticalforCiscoIOSandCiscoNX-OSSoftware.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_STP_Comparison"
CiscoNX-OS/IOSSPANComparison
FromDocWiki
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesintheSwitchedPortAnalyzer(SPAN)betweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
SPANOverview
TheSPANfeatureallowstraffictobemirroredfromwithinaswitchfromasourceporttoadestinationport.Thisfeatureistypicallyusedwhendetailedpacketinformationisrequiredfortroubleshooting,trafficanalysis,andsecurity-threatprevention.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
OnlyLocalSPANissupported.
RemoteSPAN(RSPAN)VLANscanbeconfiguredonlyasSPANsources.
18monitorsessionscanbeconfigured.Onlytwosessionscanbeactivesimultaneously.
CiscoNX-OSusesahierarchicalconfigurationbasedonthemonitorsession<#>command,whereasCiscoIOSSoftwarehastheoptionforflatforhierarchicalconfigurationinCiscoIOSSoftwareRelease12.2(18)SXHandlater.
AsingleSPANsessioncanincludemixedsources(Ethernetports,EthernetPort-Channels,RSPANsources,VLANs,andtheCPUcontrol-planeinterface).
DestinationSPANportsmustbeconfiguredasLayer2portswiththeswitchportcommand.
DestinationSPANportsrequiretheswitchportmonitorinterfaceconfigurationcommand.
TheSPANfeaturesupportsstatefulandstatelessprocessrestarts.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringtheSPANfeature.
TwoactiveSPANsessionsaresupportedforallvirtualdevicecontexts(VDCs).
Monitorsessionsaredisabledbydefault.Theycanbeenabledwiththenoshutcommand.
Thesourcetrafficdirectioncanbeconfiguredasrx,tx,orboth.Thedefaultisboth.
WhenaVLANisspecifiedasthesource,traffictoandfromtheLayer2portsinthespecifiedVLANaresenttothedestination.
Thein-bandcontrol-planeinterfacetotheCPUcanbemonitoredonlyfromthedefaultVDC.(AllVDCtrafficisvisible.)
Bydefault,SPANdoesnotcopytheIEEE802.1qtagfromtrunksources.
Adestinationportcanbeconfiguredinswitchportaccessortrunkmode.(TrunkmodeallowsyoutotagtraffictowardadestinationortoperformdestinationVLANfiltering.)
Adestinationportdoesnotparticipateinaspanning-treeinstance.
AdestinationportcanbeconfiguredinonlyoneSPANsessionatatime.
Aportcannotbeconfiguredasbothasourceanddestinationport.
128sourceinterfacescanbeconfiguredpersession.
32sourceVLANscanbeconfiguredpersession.
2destinationinterfacescanbeconfiguredpersession.
ConfigurationComparison
ThefollowingsamplecodeshowstheconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwarecommand-lineinterfaces(CLIs).TheCiscoIOSSoftwaresyntaxshownhereisfromCiscoIOSSoftwareRelease12.2(18)SXH,soitshierarchyissimilartothatofastheCiscoNX-OS.OlderversionsofCiscoIOSSoftwaresupportonlyaflatconfiguration.
VerificationCommandComparison
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingtheSPANfeature.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_SPAN_Comparison"
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinOpenShortestPathFirstVersion2(OSPFv2)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
OSPFOverview
OSPFv2isanIETF(RFC2328)standards-baseddynamiclink-stateroutingprotocolusedtoexchangenetworkreachabilitywithinanautonomoussystem.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
OSPFcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheOSPFfeaturewiththefeatureospfcommand.
TheOSPFprotocolrequirestheEnterpriseServiceslicense.
TheOSPFinstancecanconsistsof20characters,whereastheIOSsupportsnumbers1–65536.
Eightequal-costpathsaresupportedbydefault.Youcanconfigureuptosixteen.
ThedefaultreferencebandwidthusedintheOSPFcostcalculationis40Gbps.
NetworksandinterfacesareaddedtoanOSPFinstanceundertheinterfaceconfigurationmode.
AnOSPFareacanbeconfiguredusingdecimalordecimaldottednotation,butitisalwaysdisplayedindecimaldottednotationintheconfigurationandintheshowcommandoutput.
PassiveinterfacesareappliedtotheinterfaceasopposedtoundertheOSPFrouterinstance.
IfarouterIDisnotmanuallyconfigured,theloopback0IPaddressisalwayspreferred.Ifloopback0doesnotexist,CiscoNX-OSselectstheIPaddressforthefirstloopbackinterfaceintheconfiguration.Ifnoloopbackinterfacesexist,CiscoNX-OSselectstheIPaddressforthefirstphysicalinterfaceintheconfiguration.
Neighboradjacencychangesarenotloggedbydefault.Thelog-adjacency-changesCLIcommandisrequiredundertheOSPFinstance.
Wheninterfaceauthenticationisconfigured,theOSPFkeyisencryptedwithDataEncryptionStandard3(3DES)intheconfiguration.CiscoIOSSoftwarerequirestheservicepasswordcommand.
WhenyourolloveranOSPFauthenticationkeyinacombinedCiscoNX-OS/CiscoIOSnetwork,youshouldconfigurebothkeysontheCiscoNX-OSroutertoensurethatthereissufficientoverlapbetweentheoldkeyandthenewkeyforasmoothtransitiontothenewkey.YoushouldconfigurethenewkeyasavalidacceptkeyonalltheNX-OSandIOSroutersbeforethenewkeybecomesavalidgenerationkeyinthekeychain.Duringtheoverlapperiod,CiscoNX-OStransmitsthenewOSPFkeyandacceptsOSPFauthenticatedpacketsfromboththeoldkeyandthenewkey.
TheNX-OSdoesnotsupportdistribute-listsusedtoremoveOSPFroutesfromtheroutingtable.TheNX-OSdoessupportinter-areaLSA/routefilteringusingthefilter-listcommandconfiguredundertheOSPFroutinginstance.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganOSPFnetwork.
FourOSPFinstancescanbeconfiguredpervirtualdevicecontext(VDC).
NumerousVirtualRouteForwarding(VRF)instancescanbeassociatedtoanOSPFinstance.
Ifyouremovethefeatureospfcommand,allrelevantOSPFconfigurationinformationisalsoremoved.
TheshutdowncommandundertheOSPFprocesscanbeusedtodisableOSPFwhileretainingtheconfiguration.Similarfunctionalitycanalsobeappliedperinterfacewiththeipospfshutdowncommand.
Theshowrunning-configospfcommanddisplaysthecurrentOSPFconfiguration.
AnOSPFinstancecanberestartedwiththerestartospf<instance#>command.
GracefulRestart(RFC3623)isenabledbydefault.
OSPFsupportsstatefulprocessrestartsiftwosupervisorsarepresent.
YoucannotconfiguremultipleOSPFinstancesonthesameinterface.
Aninterfacecansupportmulti-areaadjacenciesusingthemulti-areaoptionwiththeiprouterospfinterfacecommand.
SecondaryIPaddressesareadvertisedbydefault,butcanbesuppressedperinterfacewiththeiprouterospf<instance>area<#>secondariesnoneinterfacecommand.
BydefaultallloopbackIPaddresssubnetmasksareadvertisedinanLSAasa/32.Theloopbackinterfacecommandipospfadvertise-subnetcanbeconfiguredtoadvertisetheprimaryIPaddresssubnetmask.(ThiscommanddoesnotapplytosecondaryIPaddresses.Theywillstillbeadvertisedasa/32.)
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Therearetwosignificantdifferences:CiscoNX-OSallowsOSPFtobeenabledanddisabledglobally,andithasamoreinterface-centricconfigurationthatmakesiteasiertoread.
VerificationCommandComparison
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootinganOSPFv2networkconfiguration.
Retrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_OSPF_Comparison"
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinLayer3virtualizationsupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
VirtualizationRoutingandForwardingOverview
VirtualRoutingandForwarding(VRF)providesanadditionallayerofnetworkvirtualizationontopofvirtualdevicecontexts(VDCs).VRFprovidesseparateunicastandmulticastaddressspaceandassociatedroutingprotocolsthatmakeindependentforwardingdecisions.AllunicastandmulticastprotocolssupportVRF.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
CiscoNX-OSsupports200VRFinstancesperVDC.
TwoVRFinstancesareconfiguredbydefault.ThemanagementportonthesupervisormoduleisassignedtothemanagementVRF,andallI/OmoduleportsareassignedtothedefaultVRF.
ThedefaultVRFisthedefaultroutingcontextforallshowcommands.
VRFinstancescanbeenabledwithoutanycommand-lineinterface(CLI)prerequisites.CiscoIOSSoftwarerequiresipceftobeenabledgloballybeforeVRFinstancescanbeconfigured.
Multicastrouting/forwardingcanbeconfiguredperVRFinstancewithouthavingtogloballyenabletheVRFinstanceformulticast.CiscoIOSSoftwarerequirestheglobalipmulticast-routingvrf<name>commandperVRFinstance.
TheCLIforenablingVRFroutingforaprotocolisconsistentforallroutingprotocols,whereasCiscoIOSSoftwareusesaddressfamiliesforBorderGatewayProtocol(BGP),RoutingInformationProtocol(RIP),andEnhancedInteriorGatewayRoutingProtocol(EIGRP)andrequiresuniqueroutingprocessIDsperVRFforIntegratedIntermediateSystem-to-IntermediateSystem(ISIS)andOpenShortestPathFirst(OSPF).
InCiscoNX-OS,numerousVRFinstancescanbeassignedtoasingleroutingprotocolinstance.
IPstaticroutesareconfiguredunderthespecifiedvrfcontext.InCiscoIOSSoftware,allstaticroutesareconfiguredinglobalconfigurationmodewiththevrfoption.
AVRFinstancecanbemanuallydisabledwiththeshutdowncommand.CiscoIOSSoftwaredoesnothavetheCLIcapabilitytomanuallydisableaVRFinstance.
IfaVRFcontextisremovedwiththenovrfcontext<name>configurationcommand,theVRFcontextcommandswillberemovedfromtherunningconfigurationmakingtheVRFnon-functional,butallnoncontextrelatedVRFcommandswillremainintherunningconfiguration.WhenaVRFisremovedinCiscoIOSSoftware,theVRFinstanceandallrelatedVRFcommandsareautomaticallyremovedfromtherunningconfiguration,includinganyinterfaceIPaddressespreviouslyassociatedtotheVRF.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringandmaintainingVRFinstances.
WhenyouassignaVRFinstancetoaninterfacewithanIPaddresspreviouslyconfigured,theinterfaceIPaddressisautomaticallyremoved.
StaticroutesordynamicroutingprotocolscanbeconfiguredforroutinginaVRFinstance(BGP,EIGRP,ISIS,OSPF,staticroutes,andRIPv2).
IPtroubleshootingtoolssuchaspingandtracerouteareVRFawareandrequirethenameofaspecificVRFinstanceiftestinginthedefaultVRFinstanceisnotdesired.
Therouting-contextvrfcommandcanbeexecutedinEXECmodetochangetheroutingcontexttoanon-defaultVRFinstance.Forexample,typingrouting-contextvrfmanagementchangestheroutingcontext,soallVRFrelatedcommandsareexecutedinthemanagementVRFasopposedtothedefaultVRF.
Networkmanagement–relatedservicessuchasauthentication,authorizationandaccounting(AAA),CallHome,DomainNameSystem(DNS),FTP,HTTP,NetFlowNetworkTimeProtocol(NTP),RADIUS,SimpleNetworkManagementProtocol(SNMP),SSH,syslog,TACACS+,Telnet,TrivialFileTransferProtocol(TFTP),andXMLareVRFaware.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.SamplecodeisprovidedonlytoillustratehowtoenableVRFrouting.TheCiscoNX-OSCLIissimplerandmoreconsistentsinceitallowsmultipleVRFinstancestobeassignedtoasingleroutingprotocolinstance,whereasCiscoIOSSoftwareusesdifferenttechniquesdependingontheroutingprotocol.
VerificationCommandComparison
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingVRFinstances.
vPCRoleandPriority
WithintheVDCthefollowingconfigurationsarerequired.
vPCneedstobeenabled:
agg(config)#featurevpc
AdomainneedstobedefinedandprioritiestodefineprimaryandsecondaryrolesinthevPCconfiguration.Thelowernumberhashigherpriority,anditwins.
Notealsothattheroleisnon-preemptive,soadevicemaybeoperationallyprimary,butsecondaryfromaconfigurationperspective.Becausespanningtreeispreemptive,thismayresultinamismatchbetweenthespanningtreerootandthevPCoperationalprimary.
agg(config)#vpcdomain1
agg1(config-vpc-domain)#rolepriority100
agg2(config-vpc-domain)#rolepriority110
TherearenofunctionalissueswhentheSTProotandvPCprimarynodedonotmatch.Thiscanonlycausesomesub-optimalconvergencetimeduetoSTPresynchronizationwhenthepeer-linkisflappedoravPCdeviceisreloaded.
Becauseofthis,incaseyouwanttorestoretheoriginalmappingbetweenSpanning-treerootandvpcprimaryyoucanfollowthisprocedureonthesecondary,operationalprimarydevice.
·EnterthevPCdomainconfiguration,vpcdomain<domain_id>(samevPCdomainyouareusing).
·ResetthevPCroleprioritywiththecommand....vpcrolepriority<priority_number>(re-enteringthesameprioritywouldbeOK).
·Performashut/noshutoverthepeer-link
Oryoucancreateascript(whichyoushouldcustomize):
7k-1(config)#clialiasnamevpcpreemptconft;vpcdomain<number>;rolepriority32767;intpo10;shut;nosh
7k-1(config)#showclialias
CLIaliascommands
==================
alias:showclialias
vpcpreempt:conft;vpcdomain10;rolepriority32767;intpo10;shut;nosh
vPCDomainID
WhenconfiguringthevPCdomainID,makesureit’sdifferentfromtheoneusedbyaneighboringvPC-capabledevicewithwhichyouplantoconfigurevPC.也就是说N7K与N5K不要相同
Asaresult,inaback-to-backvPCconfiguration,iftheneighboringswitchesusethesamedomainID,there’sariskofconflictingsystem-idintheLACPnegotiationthatcouldleadtoanunsuccessfulLACPnegotiation.
agg(config)#interfaceport-channel10
agg(config-if)#vpcpeer-link
agg(config-if)#switchporttrunkallowedvlan<allaccessvlans>
Configurationforsingle10GigECard
Usingasingle10GigabitEthernetcardontheNexus7000forbothcoreconnectivityaswellasthepeerlinkispossible,butnotthemostdesirableoption.Ifyoulosethe10Gigabitcardonthevpcprimary,youlosenotonlycoreconnectivity,butalsothepeerlink.Asaresult,portswillbeshutdownonthepeervpcdevice,isolatingtheserverscompletely.
Apicturehelpsexplaining:
Inthistopology,thefailureofthe10GigEcardthatprovidesbothpeer-linkconnectivityandcoreconnectivity,causesthevPCsecondarytothusdownthevPCmemberports,sothattrafficflowstothevPCprimary.ThevPCprimarydoesn’thaveanycoreconnectivitythough,sotrafficgetsblackholedwithasinglefailure.
Thebestsolutionisnaturallytohavetwo10GigElinecards,butalternativelyyoucanusetheobjecttrackingfunctionality.
Theobjectsbeingtrackedaretheuplinkstothecoreandthepeer-link.
IftheselinksarelostvPCslocaltotheswitcharebroughtdownsothattrafficcancontinueonthevPCpeer.
Thisfeatureisconfiguredbyusingthefollowingcommandsyntax:
!Trackthevpcpeerlink
track1interfaceport-channel110line-protocol
!Tracktheuplinkstothecore
track2interfaceEthernet7/9line-protocol
!Combinealltrackedobjectsintoone.
!“OR”meansifALLobjectaredown,thisobjectwillgodown
!-->wehavelostallconnectivitytothecoreandthepeerlink
track10listbooleanOR
object1
object2
!Ifobject10goesdownontheprimaryvPCpeer,
!systemwillswitchovertoothervPCpeeranddisablealllocalvPCs
vpcdomain1
track10
CFSoE
CiscoFabricServicesoverEthernet(CFSoE)providesseveralinfrastructureservicesforvPC,includingMACsynchronization,configurationverificationforpotentialmismatchintheconfigurations,andlockingoftheconfigurationwhileavPCpeerisbeingupgraded.
TheCFSoEconfigurationdoesnotneedtobespecificallyenabled,butjustasareference,theconfigurationappearsautomaticallywhenyouenablevPC,anditlookslikethis:
agg1(config)#cfsregion10
agg1(config-cfs-region)#vpc
agg1(config)#cfsethernetdistribute
ThefollowingconfigurationillustratestheuseofadedicatedGigEinterfaceforthispurpose.
vrfcontextvpc-keepalive
interfaceEthernet8/16
descriptiontc-nexus7k02-vdc2-vPCHeartbeatLink
vrfmembervpc-keepalive
ipaddress192.168.1.1/24
noshutdown
vpcdomain1
peer-keepalivedestination192.168.1.2source192.168.1.1vrfvpc-keepalive
agg1(config)#interfaceethernet2/9
agg1(config-if)#channel-group51modeactive
agg1(config)#interfacePort-channel51
agg1(config-if)#switchport
agg1(config-if)#vpc51
!
agg2(config)#interfaceethernet2/9
agg2(config-if)#channel-group51modeactive
agg2(config)#interfacePort-channel51
agg2(config-if)#switchport
agg2(config-if)#vpc51
Youcanverifythesuccessoftheconfigurationbyissuingthecommand:
agg1#showvpcbrief
tc-nexus7k02-vdc2#showvpcbr
[…]
vPCstatus
----------------------------------------------------------------------
idPortStatusConsistencyReasonActivevlans
-------------------------------------------------------------
51Po51down*failedvPCtype-1configuration-
incompatible-STP
interfaceporttype
inconsistent
IftheConsistencycheckdoesn’tshowSuccess,itisrecommendedthatyouverifytheConsistencyParameters.TypicalreasonsforthevPCnottoforminclude:thevLANthatisdefinedinthetrunkdoesn’texist,oritisnotdefinedonthepeerlink.
tc-nexus7k01-vdc2#showvpcconsistency-parametersglobal
tc-nexus7k01-vdc2#showvpcconsistency-parametersintport-channel51
Legend:
Type1:vPCwillbesuspendedincaseofmismatch
NameTypeLocalValuePeerValue
--------------------------------------------------------------
STPPortType1DefaultDefault
STPPortGuard1NoneNone
STPMSTSimulatePVST1DefaultDefault
AllowedVLANs-10-14,21-24,50,6010-14,21-24,50,60
AfteraportisdefinedaspartofavPC,anyfurtherconfigurations,suchasenablingordisablingbridgeassuranceortrunkingmode,etc,areperformedundertheinterfaceportchannelconfigurationmode.Tryingtoconfigurespanningtreepropertiesforthephysicalinterfaceinsteadoftheportchannelwillresultinanerrormessage.
OrphanPortswithnon-vPCVLANs
Asdescribedinchapter3,whenthepeerlinkislost,vPCshutsdowntheSVIonthesecondaryswitchand,asaresult,orphanportsontheoperationalsecondarymaybecomeisolated.Forthisreasonyoumayeithertrunkthenon-vPCvLANsonadifferentlink,or,youshouldremovethenon-vPCVLANsfromthisbehaviorasdescribedhere.
FirstyoumaywanttoexecutethefollowingcommandtolearnwhichportsareconsideredorphanportsfromtheNexus7000perspective:
Nexus7000#showvpcorphan-ports
Secondyoucanremovethenon-vPCVLANsinthevpcdomainconfiguration:
vpcdomain1
rolepriority100
dual-activeexcludeinterface-vlan<non-vPCVLANs>
peer-keepalivedestination192.168.1.2source192.168.1.1vrfvpc-keepalive
IfanARPrequestcomingfromaserverarrivesonthesecondaryHSRPdevice,thenitisforwardedtotheactiveHSRPdeviceviathepeerlink.
HSRPConfigurationandBestPracticesforvPC
TheconfigurationonthePrimaryNexus7000lookslikethis:
interfaceVlan50
noshutdown
ipaddress10.50.0.251/24
hsrp50
preemptdelayminimum180
priority150
timers13
ip10.50.0.1
TheconfigurationontheSecondaryNexus7000looksasfollows:
interfaceVlan50
noshutdown
ipaddress10.50.0.252/24
hsrp50
preemptdelayminimum180
priority130
timers13
ip10.50.0.1
ThemostsignificantdifferencebetweentheHSRPimplementationofanon-vPCconfigurationcomparedwithavPCconfigurationisthattheHSRPMACaddressesofavPCconfigurationareprogrammedwiththeG(gateway)flagonbothsystems,comparedwithanon-vPCconfigurationwhereonlytheactiveHSRPinterfacecanprogramtheMACaddresswiththeGflag.
Thankstothis,routabletrafficcanbeforwardedbyboththevPCprimary(whereHSRPispimrary)andthevPCsecondarydevice(whereHSRPissecondary)withouthavingtosendthistraffictotheHSRPprimarydevice.
WithoutthisflagtraffichittingtheMACwouldnotberouted.
vPCHSRPOnActive:
G-0000.0c07.ac01static
vPCHSRPOnStandby:
G-0000.0c07.ac01static
Innon-vPCenvironmenttheHSRPMAClooksasfollows:
·OnActive:G-0000.0c07.ac01static
·OnStandby:*-0000.0c07.ac01static
InordertoverifythattheHSRPconfigurationisfunctioningcorrectly,youmaywanttoissuethefollowingcommandandverifythattheActiveandStandbyrolesareclearlyconverged:
agg1#showhsrpbrief
IfsomestandbygroupsshowasUnknown,thenyoumayhaveforgottentotrunktheVLANonthepeerlinkfrombothNexus7000vPcpeers.
AdvertisingtheSubnet
TheconfigurationiscompletedbyincludingthesubnetintheroutingadvertisementsandmakingsurethatthevLANsusedforserverconnectivityarenotusedtocreateneighborrelationshipbetweentheaggregationlayerdevices.
interfaceVlan50
noshutdown
ipaddress10.50.0.251/24
ipospfpassive-interface
iprouterospf1area0.0.0.0
hsrp50
preemptdelayminimum180
priority150
timers13
ip10.50.0.1
L3LinkBetweenvPCPeers
InvPCdesignsyoushouldmakesuretoincludeaL3link/vLANbetweentheNexus7000ssothattheroutingareascanbeadjacent.YoumayalsoconsiderHSRPtrackinginnon-vPCdesign,butnotinvPCdesigns.
Youshould,therefore,createaL3pathonthepeerlinkbetweentheroutingengineonAgg2andAgg1insteadofusingHSRPtracking.
tc-nexus7k01-vdc2(config)#vlan3
tc-nexus7k01-vdc2(config-vlan)#namel3_vlan
tc-nexus7k01-vdc2(config-vlan)#exit
tc-nexus7k02-vdc2(config)#intvlan3
tc-nexus7k02-vdc2(config-if)#ipaddress10.3.0.2255.255.255.252
tc-nexus7k02-vdc2(config-if)#iprouterospf1area0.0.0.0
tc-nexus7k02-vdc2(config-if)#noshut
tc-nexus7k01-vdc2(config)#intPort-channel10
tc-nexus7k01-vdc2(config-if)#switchporttrunkallowedvlanadd3
YoucanthenverifythattheNexus7000areOSPFneighborsbyissuingthefollowingcommand.
tc-nexus7k01-vdc2#showipospfneigh
OSPFProcessID1VRFdefault
Totalnumberofneighbors:3
NeighborIDPriStateUpTimeAddressInterface
128.0.0.31FULL/DR01:03:0510.51.35.126Vlan10
Jumpto:navigation,search
Objective
ThistechnoteoutlinesthemaindifferencesinTACACS+,RADIUS,andauthentication,authorizationandaccounting(AAA)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.PleaserefertotheNX-OSdocumentationonCisco.comforacompletelistofsupportedfeatures.
AAAOverview
AAAusedincombinationwithTACACS+orRADIUSprovidesremoteauthentication,authorizationandaccountingsecurityservicesforcentralizedsystemmanagement.AAAservicesimprovescalabilityandsimplifynetworkmanagementbecausetheyuseacentralsecuritydatabaseratherthanlocaldatabases.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
TACACS+command-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheTACACS+featurewiththefeaturetacacs+command.
Theaaanew-modelcommandisnotrequiredtoenableAAAauthentication,authorization,oraccounting.
TheRADIUSvendor-specificattributes(VSA)featureisenabledbydefault.
Localcommandauthorizationcanbeperformedwhenusingrole-basedaccesscontrol(RBAC)withoutaAAAserver.UserrolescanbeassociatedwithusersconfiguredontheAAAserverusingVSAs.RemotecommandauthorizationcanbeperformedonaAAAserverwhenusingAAAwithTACACS+.
IfnoAAAserverisavailableforauthentication,thelocaldatabaseisautomaticallyusedfordeviceaccess.
TheTACACS+andRADIUShostkeysareTripleDataEncryptionStandard(3DES)encryptedintheconfiguration.CiscoIOSSoftwarerequirestheservicepasswordcommand.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringandmaintainingTACACS+,RADIUS,andAAAservices.
DifferentAAA,TACACS+,andRADIUSpoliciescanbeappliedpervirtualdevicecontext(VDC).However,theconsoleloginpolicyonlyappliestothedefaultVDC.
Ifyouremovethefeaturetacacs+command,allrelevantTACACS+configurationinformationisalsoremoved.
64TACACS+and64RADIUSserverscanbeconfiguredperdevice.
AAAservergroupsareassociatedwiththedefaultVirtualRouteForwarding(VRF)instancebydefault.AssociatetheproperVRFinstancewiththeAAAservergroupifyouareusingthemanagementportonthesupervisororiftheAAAserverisinanondefaultVRFinstance.
AnIPsourceinterfacecanbeassociatedwithAAAservergroups.
TACACS+andRADIUSserverkeyscanbespecifiedforagroupofserversorperindividualserver.
Bydefault,TACACS+usesTCPport49,andRADIUSusesUDPports1812(authentication)and1813(accounting).
DirectedserverrequestsareenabledbydefaultforTACACS+andRADIUS.
ThelocaloptioncanbeusedwithAAAauthorizationtofallbacktoRBACintheeventaAAAserverisnotavailableforcommandauthorization.
Usetheshowrunning-configcommandwiththeaaa,tacacs+,orradiusoptiontodisplaythecurrentAAAconfiguration.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Theconfigurationsforthetwooperatingsystemsareverysimilar.
VerificationCommandComparison
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingAAA,TACACS+,andRADIUS.
Nexus5010down(config-if)#switchportmodefex-fabric
Nexus5010down(config-if)#channel-group17modeactive
Fabricport-channelinLACPmodeisnotsupported
Nexus5010down(config-if)#
Nexus5010down(config-if)#interfaceEthernet1/18
Nexus5010down(config-if)#fexassociate101
Nexus5010down(config-if)#switchportmodefex-fabric
Nexus5010down(config-if)#channel-group18modeactive
Fabricport-channelinLACPmodeisnotsupportedRetrievedfrom"http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_TACACS%2B%2C_RADIUS%2C_and_AAA_Comparison"
配置同步需要在Nexus5000的ConfigSync模式下进行配置;配置的同时,要求vPC工作正常。
Configsync是Nexus50005.0版本提供的新级别,级别下有的命令如下:
配置同步需要遵循以下步骤:
同步配置的配置方法:
同步配置需要在switch-profile方式下配置,然后推送到对端。
配置完成后,进行配置的检验,检验成功的,就可以commit了
如果在verify过程当中出现错误提示的,一般应首先检查实际配置和将要发放的配置是不是有相互矛盾的地方,比较接口角色冲突。如果没有明显错误,仍然提示校验失败的,则应当按照下面的配置,进行一次数据库的同步。
与Nexus2000连接的交换机使用10GE接口相连,交换机接口需要进行如下配置,以便上层交换机可以识别:
通过一段时间的监测,上层交换机就可以发现并且配置FabricModule。由于在上层交换机上看到的端口都是本地端口,所以这个具有fex-fabric角色的端口算是一个功能很特殊的Trunk。
同步完成之后,将可看到如下信息:
一个FabricModule可以被出于vPC形态的多个上层交换机所识别,可以被两侧同时配置和管理。但是为了保证FabricModule在系统切换时保持正确的形态,我们需要在两侧的上层交换机上同步配置。
目录
Nexu7000缺省端口配置
缺省时所有端口是关闭的nosystemdefaultswitchportshutdown
copyrunning-configstartup-configvdc-all存配置
dirbootflash:
dirbootflash://sup-standby/
dirbootflash://sup-remote
showrole
showinventory显示系统详细目录,或称为存货清单,可以看到各组件产品编号以及序列号
showhardware显示系统硬件详细信息
showsprombackplane1显示交换机序列号
showenvironmentpower显示电源信息
powerredundancy-modeps-redundant如果没有双电网供电则使用此模式
powerredundancy-modeinsrc-redundant如果有双电网供电则使用此模式
showmodule检验各模块状态
attachmoduleslot_number
dirbootflashdirslot0:查看ACTIVE引擎的FLASH空间
如果查看备份引擎的FLASH空间呢?首先attachmodulecommandtoattachtothemodulenumber,andthenusethedirbootflash:ordirslot0:
out-of-servicemoduleslotShuttingDownaSupervisororI/OModule
out-of-servicexbarslotShuttingDownaFabricModule
showenvironment
showenvironmenttemperature
showenvironmentfan
bannermotd#Welcometotheswitch#
clocktimezone
clockset
reload重启交换机
reloadmodulenumber
switchtoVDC切换至某VDC管理界面
switchback
poweroffmoduleslot_number
nopoweroffmoduleslot_number
poweroffxbarslot_number
CMP连接管理处理器配置
CMP配置:
YoushouldalsoconfigurethreeIPaddresses—oneforeachcmp-mgmtinterfaceandonethatissharedbetweentheactiveandstandbysupervisormgmt0interfaces.
attachcmp进入CMP
命令输入后自动存盘,不需要copyrunstart
通过NX-OSCLI来配置CMP
1.configureterminal
2.interfacecmp-mgmtmoduleslot通过module槽号分别为5/6来实现主备引擎上的CMP配置
3.ipaddressipv4-address/length
4.ipdefault-gatewayipv4-address
5.showrunning-configcmp
通过CMPCLI来配置CMP
1.attachcmp
2.configureterminal
3.ipdefault-gatewayipv4-address
4.interfacecmp-mgmt
5.ipaddressipv4-address/length
6.showrunning-config
在CMP上可执行的动作:
showcpstate
reloadcp
attachcp
monitorcp
pingortraceroute192.0.2.15
reloadsystemToreloadthecompletesystem,includingtheCMPs
带外管理VRF
ManagementVRFandBasicConnectivityThemanagementinterfaceis,bydefault,partofthemanagementVRF.Themanagement
interface“mgmt0”istheonlyinterfaceallowedtobepartofthisVRF.
ThephilosophybeyondManagementVRFistoprovidetotalisolationforthemanagementtraffic
fromtherestofthetrafficflowingthroughtheboxbyconfiningtheformertoitsownforwarding
table.
Inthisstepwewill:
-Verifythatonlythemgmt0interfaceispartofthemanagementVRF
-VerifythatnootherinterfacecanbepartofthemanagementVRF
-VerifythatthedefaultgatewayisreachableonlyusingthemanagementVRF
如果想Ping带外网管的网关等地址必须在Ping命令后面加上vrfmanagement
ping10.2.8.1vrfmanagement
划分Nexus7010VDC
VDC是Nexus7000系列的特色功能。通过将物理机箱划分为多个逻辑交换机,核心交换机区域将可以获得多台物理隔离的高性能交换机。VDC具有完全隔离的路由表,VRF和接口,因此可以获得真实交换机属性的配置。VDC的资源是占用全局机箱的,因此在必要的时候,需要通过调整VDC资源配置来进行VDC功能和性能的调整。所有进入VDC的接口和资源都不能被其他VDC或者缺省VDC使用。
VDC配置
vdcMyVDC创建VDC
allocateinterfaceethernet2/11-1分配接口
switchtovdcMyVDCSwitchtothenewVDCandentertheVDCadminuseraccountpassword切换至一个VDC
switchback
setup根据安装向导配置VDC
showvdcmembership
showvdccurrent-vdc
WheninterfacesindifferentVDCssharethesameportASIC,reloadingtheVDC(withthereloadvdccommand)orprovisioninginterfacestotheVDC(withtheallocateinterfacecommand)mightcauseshorttrafficdisruptions(of1to2seconds)fortheseinterfaces.Ifsuchbehaviorisundesirable,makesuretoallocateallinterfacesonthesameportASICtothesameVDC.
ToseehowtheinterfacesaremappingtotheportASIC,usethiscommand:
slotslot_numbershowhardwareinternaldev-port-map这个命令没有帮助,需盲打
copyrunning-configstartup-configvdc-all
VDC资源清单:
| vdcvdc2_1id2 allocateinterfaceEthernet1/13-24 allocateinterfaceEthernet2/1-3 boot-order1 limit-resourcevlanminimum16maximum4094 limit-resourcemonitor-sessionminimum0maximum2 limit-resourcemonitor-session-erspan-dstminimum0maximum23 limit-resourcevrfminimum2maximum1000 limit-resourceport-channelminimum0maximum768 limit-resourceu4route-memminimum8maximum8 limit-resourceu6route-memminimum4maximum4 limit-resourcem4route-memminimum8maximum8 limit-resourcem6route-memminimum2maximum2 |
| switch#switchtovdcvdc2_1 Lastlogin:ThuNov2516:40:19UTC2010onttyS0 Lastlogin:ThuNov2517:06:47onttyS0 CiscoNexusOperatingSystem(NX-OS)Software TACsupport: Copyright(c)2002-2010,CiscoSystems,Inc.Allrightsreserved. Thecopyrightstocertainworkscontainedinthissoftwareare ownedbyotherthirdpartiesandusedanddistributedunder license.Certaincomponentsofthissoftwarearelicensedunder theGNUGeneralPublicLicense(GPL)version2.0ortheGNU LesserGeneralPublicLicense(LGPL)Version2.1.Acopyofeach suchlicenseisavailableat switch-vdc2_1# |
不同VDC的名称,除了在vpc命令中直接指定,还可以进入到VDC配置界面后,直接用hostname命令进行更改。
基于EthernetChannel的vPC
vPC是CiscoNX-OS由于解决STPBlock端口而使用的技术。通过将两台设备虚拟成一台设备,使得系统可以使用两套冗余链路转发数据。vPC完全基于EthernetChannel技术,所有成员组都必须在EthernetChannel当中,除了peer-linkkeepalive。vPC仅仅能作用在二层Trunk结构下,完全不兼容任何L3环境。vPC使用连接设备的peer-link必须使用10G以太网接口,而peer-linkkeepalive必须是路由接口。配置手册推荐使用单独的VRF来隔离,以便于减小地址管理压力。
首先,配置L3端口,保证双方可以ping通:
| vrfcontextvpc interfaceEthernet1/25 vrfmembervpc ipaddress172.16.0.1/24 noshutdown |
其次,进行完L3配置后,配置vPCDomain。一台设备属于且只能属于一个vPCDomain,一个vPCDomain有且只能拥有两个成员。Domain的配置当中,需要指定vPC对端设备的IP地址,如果这个设备的地址不在defaultVRF当中的时候,需要指定源地址:
| vpcdomain1000 peer-keepalivedestination172.16.0.2source172.16.0.1vrfvpc |
再次,配置peer-link。Peer-link是vPC转发机箱间流量的链路,因此链路只能使用10G以太网,配置手册推荐使用至少2条10G以太网电缆进行捆绑:
| interfaceEthernet2/5 switchport switchportmodetrunk channel-group56 noshutdown interfaceEthernet2/6 switchport switchportmodetrunk channel-group56 noshutdown interfaceport-channel56 switchport switchportmodetrunk spanning-treeporttypenetwork//自动生成的配置 vpcpeer-link |
| interfaceEthernet1/17 fexassociate100//这条命令是nexus5000上的配置,N7K不需要 switchportmodefex-fabric//这条命令是nexus5000上的配置,N7K不需要 channel-group17 interfaceEthernet1/18 fexassociate101 switchportmodefex-fabric channel-group18 interfaceport-channel17 switchportmodefex-fabric vpc17 fexassociate100 interfaceport-channel18 switchportmodefex-fabric vpc18 fexassociate101 |
在配置当中,vpc的数字和port-channel的数字必须相同,并且这两个数字必须和Domain的数字不同。否则,将会导致vpc无法启动的问题。
vPC配置的两端都必须是相容的Trunk配置,例如LACP或者noprotocol。
LACPSystempriority的一致,有利于vPC状态下LARP的收敛,手册推荐配置为vPC成员设备拥有相同的值。配置需要再全局和vPC配置模式下使用。
如果在配置中发现如下现象,则应当首先检查vPC中,成员EthernetChannel配置是否正常:
| RTS35_7010_VDC1_1-RTS35_7010_VDC3_1#showport-channsumm Flags:D-DownP-Upinport-channel(members) I-IndividualH-Hot-standby(LACPonly) s-Suspendedr-Module-removed S-SwitchedR-Routed U-Up(port-channel) M-Notinuse.Min-linksnotmet -------------------------------------------------------------------------------- GroupPort-TypeProtocolMemberPorts Channel -------------------------------------------------------------------------------- 7Po7(SU)EthLACPEth2/7(P)Eth2/8(P) 200Po200(SU)EthLACPEth2/5(P)Eth2/6(s) RTS35_7010_VDC1_1-RTS35_7010_VDC3_1# |
对于不同的设备和不同的拓扑形态,vPC的具体配置也会有所不同。
1.对于简单的downstream设备
如图所示:
对于简单的downstream设备,两台Nexus设备使用标准的vPC配置方法。两台设备之间配置peer-link和peer-linkkeepalive链路,在完成vPC配置之后,将于downstream连接的接口划入一个EthernetChannel,即便是该EthernetChannel也无妨,然偶将这个EthernetChannel接口划入到对应的vpc中,完成虚拟转发。
2.对于Nexus推荐的域环境
如图所示:
在Nexus5k和Nexus7k当中,使用fullmesh的结构来连接。通过vPC技术,中间这四条链路可以保持全活的状态,结合vPC形成的虚拟拓扑,实际上相当于单台Nexus5k和Nexus7k之间连接了一条40G的链路,从而极大的提高了转发能力。
在这种配置实例当中,Nexus5k和Nexus7k需要单独配置自己的vPCDomain,在各自的vPCDomain正常建立后,将交叉的线路绑定成EthernetChannel,绑定协议不限于LACP或者noprotocol。
下面的配置仅列出了左侧5k和7k的相关配置。
| 5kconfiguration//E1/5-6作为与7K互联的端口 interfaceEthernet1/15 switchportmodetrunk channel-group56 interfaceEthernet1/16 switchportmodetrunk channel-group56 interfaceport-channel56 switchportmodetrunk vpc56 speed10000 7kconfiguration//E2/4、8作为与7K互联的端口 interfaceEthernet2/4 switchport switchportmodetrunk channel-group48 noshutdown interfaceEthernet2/8 switchport switchportmodetrunk channel-group48 noshutdown interfaceport-channel48 switchport switchportmodetrunk vpc48 |
CAUTION
配置当中,并需保持vPC两侧配置的同步,即,两侧的VLAN,接口,VDC配置应当一致,若配置不一致,则会导致vPC工作不正常。
所有的EthernetChannel必须工作在Trunk模式下,需要用Switchportmodetrunk方式和做显式的指派,否则会导致vPC工作不正常。
割裂的vPC:HSRP和STP
vPC处于割裂状态时,vPCDomain成员的状态取决于当前的系统角色(systemrole)。当vPCPeer-linkKeepalive链路中断时,所有的数据转发都不会受到影响;当vPCPeer-link链路中断时,处于Secondary角色的设备,所有处于vPC成员组的EthernetChannel都会被置为Down状态,使得该设备从vPC管理域中离线,从而停止数据转发,直到链路被修复。
当vPCDomain成员都处在正常工作状态时,对于vPCPeer-link和vPCPeer-linkKeepalive的中断都不会终止系统的数据转发,只是vPC收敛可能会导致丢失1~2个数据包。
但是处于下列情况,会导致vPCDomain出现数据转发问题:
保证vPCDomain正常工作,将两台设备中间的链路全部中断,然后在两侧都配置reloadrestore命令情况下,重启两侧vPCDomain成员,在经过240s后,两侧设备都会处于双活状态,从而导致数据转发环路。从得到的消息看,应该是STP导致的二层环路所致。使用vPC配置命令:peer-switch也许可以解决这个问题。
该问题必须经由严格的操作时序才可重现。
vPC上的HSRP进行了特殊的修正,HSRP的Active负责相应ARP请求,但是standby角色也可以转发带有目的地为HSRP组虚拟MAC地址的数据包,这样就实现了HSRP的Load-Balance。
和HSRP一样,GLBP也是vPC所支持的热备份网关协议,但是GLBP通过AVG相应不同的ARP请求,并回应给不同AVF的MAC地址的方式来进行负载均衡。但是HSRP在vPC环境中,收敛速度比GLBP更快。
在vPC当中,所有HSRP、GLPB或者VRRP的,处于Active角色设备,都必须配置在vPC的Primary设备上;同样的,STP配置中,关于VLAN的根桥,也必须和Primary设备保持一致。
HSRP在两侧应当拥有相同的HSRP组号,并且同一组号在单一VDC上不能重复。基于vPC的HSRP不能使用USE-BIA参数。
vPC的细部配置
rolepriorityvPC在没有rolepriority配置的情况下,由桥MAC来决定谁是primary设备,MAC绝对值较小的会当选,如果配置了rolepriority的,则该项配置值相对较小的会当选。但是要shutpeer-link一次,才能完成更改。
System-priority
这是vPC当中对于LACP的配置。如果该值不配置,则不影响,但是如果配置了,则vPCDomain中设备的system-priority值必须相同,如果不匹配,vPC启动可能会遇到麻烦。
Reloadrestore
该命令用于帮助Nexus启动后,找不到vPC对端时仍能激活vPC的功能。
缺省情况,如果vPC成员设备启动后无法找到对端,会导致所有vPC功能端口出于down状态,不能转发数据。配置了这个命令后,该单独启动的设备会在最少240s后,将vPC成员端口转变为up状态,并且开始转发数据。
CAUTION
在vPC成员设备间所有电缆,包括peer-link和peer-linkkeepalive电缆中断的情况下,并且两侧vPC全部配置reloadrestore,将会在两端设备重新启动完成后,存在vPC双活,Nexus将会与上层转发设备之间形成数据环路。
该情况仅出现在Nexus推荐的域环境中,并且要严格遵循步骤,才能出现。
Peer-switch
Peer-switch命令用于将vPCDomain成员设备虚拟成一个STP的根,从而实现生成树结构的优化,减少Primary设备失败后的STP重算时间。
vPC配置成功后的清单:
| Nexus5010down#showvpc Legend: (*)-localvPCisdown,forwardingviavPCpeer-link vPCdomainid:500 Peerstatus:peeradjacencyformedok vPCkeep-alivestatus:peerisalive Configurationconsistencystatus:success Type-2consistencystatus:success vPCrole:secondary NumberofvPCsconfigured:99 PeerGateway:Disabled Dual-activeexcludedVLANs:- vPCPeer-linkstatus --------------------------------------------------------------------- idPortStatusActivevlans -------------------------------------------------------------- 1Po56up1,100-105 vPCstatus ---------------------------------------------------------------------------- idPortStatusConsistencyReasonActivevlans ----------------------------------------------------------------------- 17Po17upsuccesssuccess- 18Po18upsuccesssuccess- 200Po200upsuccesssuccess1,100-105 101376Eth100/1/1down*failedConsistencyCheckNot- Performed 101377Eth100/1/2down*failedConsistencyCheckNot- Performed |
Nexus的SPAN
Nexus支持SPAN,ESPAN和ERSPAN。SPAN方式被称为本地SPAN,用于本地交换机接口作为源和目的;ESPAN用于将SPAN流量的目的设定为某个VLAN,并通过Trunk实现远程的SPAN;ERSPAN用于将SPAN流量封装在GRE中,通过路由方式进行远端的SPAN。
Nexus7000最大可以存在48个Session,但是只能有两个在工作;Fex端口只能做SPAN的源,不能做span的目的;EthernetChannel成员不能当span的源,nexus5K上连接fex接口不能当span的源;Nexus5K仅支持SPAN,而Nexus7K则支持所有的SPAN类型。
VDC的MGMT接口
MGMT接口在所有VDC当中共享。在非VDC1中,showinterfacestatus不显示,但是使用命令interfacemgmt0仍然可以将地址进行配置。所有VDC的MGMT接口地址应当在同一个子网内。DOWN的VLAN端口
在基于vPC的配置中,如果vPCDomain成员交换机关于VLAN配置不一致,就会导致VLAN接口总是处于DOWN的状态,而无法被激活。Nexus7K中,VLAN的配置和InterfaceVLAN的配置是相分离的,仅有InterfaceVLAN而没有VLAN,是会导致VLAN接口在两侧的配置不同,从而导致L3VLAN接口处于DOWN的状态。缺省情况下,L3VLAN接口被shutdown,需要使用no命令激活。
可以尝试使用VTP来避免配置上的错误。
| RTS36_7010_VDC1_2-RTS36_7010_VDC3_2(config)#showinterstatus -------------------------------------------------------------------------------- PortNameStatusVlanDuplexSpeedType -------------------------------------------------------------------------------- mgmt0--connectedroutedfull1000-- Eth1/25--disabledtrunkfullauto10/100/1000 Eth1/26--disabledtrunkfullauto10/100/1000 Eth1/27--disabledtrunkfullauto10/100/1000 Eth1/28--disabledtrunkfullauto10/100/1000 Eth1/29--disabledtrunkfullauto10/100/1000 Eth1/30--disabledroutedfullauto10/100/1000 Eth1/31--disabledroutedfullauto10/100/1000 Eth1/32--disabledroutedfullauto10/100/1000 Eth1/33--disabledroutedfullauto10/100/1000 Eth1/34--disabledroutedfullauto10/100/1000 Eth1/35--disabledroutedfullauto10/100/1000 Eth1/36VPCkeepaliveconnectedroutedfull100010/100/1000 Eth2/4connecttoRTS36_7connectedroutedfull10G10GBASE-SR Eth2/5--connectedtrunkfull10G10GBASE-SR Eth2/6--connectedtrunkfull10G10GBASE-SR Eth2/7connecttoRTS35_7connectedtrunkfull10G10GBASE-SR Eth2/8connecttoRTS35_7connectedtrunkfull10G10GBASE-SR Po7connecttoRTS35_7connectedtrunkfull10G-- Po200--connectedtrunkfull10G-- Lo0--connectedroutedautoauto-- Vlan1--connectedroutedautoauto-- Vlan11--connectedroutedautoauto-- Vlan12--connectedroutedautoauto-- Vlan15--connectedroutedautoauto-- Vlan16--connectedroutedautoauto-- Vlan188--connectedroutedautoauto-- |
Nexus的路由
Nexus的OSPF在Nexus当中,OSPF的带宽计算参考值已经从原来的100Mbps更改为40Gbps,并设定为默认值。
| RTS35_7010_VDC1_1-RTS35_7010_VDC3_1(config-router)#auto-costreference-bandwidth? <1-4000000>RateinMbps(bandwidth)(Default) *Defaultvalueis40000 <1-4000>RateinGbps(bandwidth) *Defaultvalueis40 |
| RTS35_7010_VDC1_1-RTS35_7010_VDC3_1#showrunintvlan11 !Command:showrunning-configinterfaceVlan11 !Time:WedDec107:11:422010 version5.1(1) interfaceVlan11 noshutdown ipaddress10.225.1.253/24 iprouterospf100area0.0.0.0 ipospfpassive-interface hsrp11 preempt priority200 timers13 ip10.225.1.254 |
Nexus上的NLB
基于WindowsServer系列操作系统的NLB,实验确认可以被支持。标识一个部件
Nexus常常由很多部件构成,例如FabricModule,或者xBAR等等,使用下面的命令可以激活面板上的Identification灯,从而标识出需要更换或者处理的模块。locator-led{chassis|fanf-number|moduleslot|powersupplyps-number|xbarx-number}
nolocator-led{chassis|fanf-number|moduleslot|powersupplyps-number|xbarx-number}
这个命令模板是基于Nexus7k的,在Nexus5k上有些参数不能用,但是有fex参数用来标识FabricModule
光纤的类型
对于使用SFP的Nexus5010而言,需要考虑跨机房连接时的光纤类型。系统提示的信息如下:
| RTS39_5010#showinte1/17transceiver Ethernet1/17 transceiverispresent typeis10Gbase-SR nameisCISCO-AVAGO partnumberisSFBR-7702SDZ revisionisG2.3 serialnumberisAGA143164B3 nominalbitrateis10300MBit/sec Linklengthsupportedfor50/125umfiberis80m Linklengthsupportedfor50/125umfiberis300m Linklengthsupportedfor62.5/125umfiberis20m ciscoidis-- ciscoextendedidnumberis4 |
Nexus7000基本配置汇总
CiscoNX-OS/IOSConfigurationFundamentalsComparisonFromDocWiki
Jumpto:
Objective
ThistechnoteoutlinesthemaindifferencesfortheconfigurationfundamentalsbetweentheCiscoNX-OSsoftwareandtheCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwaretoillustratesomethedifferencesafterthefirstsystemstartup.Pleaserefertothe
CiscoNX-OSOverview
TheCiscoNX-OSisadatacenterclassoperatingsystemdesignedformaximumscalabilityandapplicationavailability.TheCLIinterfacefortheNX-OSisverysimilartoCiscoIOS,soifyouunderstandtheCiscoIOSyoucaneasilyadapttotheCiscoNX-OS.However,afewkeydifferencesshouldbeunderstoodpriortoworkingwiththeCiscoNX-OS.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
WhenyoufirstlogintotheNX-OS,yougodirectlyintoEXECmode.
RoleBasedAccessControl(RBAC)determinesauser’spermissionsbydefault.NX-OS5.0(2a)introducedprivilegelevelsandtwo-stageauthenticationusinganenablesecretthatcanbeenabledwiththeglobalfeatureprivilegeconfigurationcommand.
Bydefault,theadminuserhasnetwork-adminrightsthatallowfullread/writeaccess.AdditionaluserscanbecreatedwithverygranularrightstopermitordenyspecificCLIcommands.
TheCiscoNX-OShasaSetupUtilitythatallowsausertospecifythesystemdefaults,performbasicconfiguration,andapplyapre-definedControlPlanePolicing(CoPP)securitypolicy.
TheCiscoNX-OSusesafeaturebasedlicensemodel.AnEnterpriseorAdvancedServiceslicenseisrequireddependingonthefeaturesrequired.Additionallicensesmayberequiredinthefuture.
A120daylicensegraceperiodissupportedfortesting,butfeaturesareautomaticallyremovedfromtherunningconfigurationaftertheexpirationdateisreached.
TheCiscoNX-OShastheabilitytoenableanddisablefeaturessuchasOSPF,BGP,etc…usingthefeatureconfigurationcommand.Configurationandverificationcommandsarenotavailableuntilyouenablethespecificfeature.
InterfacesarelabeledintheconfigurationasEthernet.Therearen’tanyspeeddesignations.
TheCiscoNX-OSsupportsVirtualDeviceContexts(VDCs),whichallowaphysicaldevicetobepartitionedintologicaldevices.WhenyouloginforthefirsttimeYouareinthedefaultVDC(VDC1).
TheCiscoNX-OShastwopreconfiguredVRFinstancesbydefault(management,default).ThemanagementVRFisappliedtothesupervisormoduleout-of-bandEthernetport(mgmt0),andthedefaultVRFinstanceisappliedtoallotherI/OmoduleEthernetports.
SSHv2server/clientfunctionalityisenabledbydefault.TELNETserverfunctionalityisdisabledbydefault.(TheTELNETclientisenabledbydefaultandcannotbedisabled.)
VTYandAuxiliaryportconfigurationsdonotshowupinthedefaultconfigurationunlessaparameterismodified(TheConsoleportisincludedinthedefaultconfiguration).TheVTYportsupports32simultaneoussessionsandthetimeoutisdisabledbydefaultforallthreeporttypes.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalCiscoNX-OSinformationthatshouldbehelpfulwhenconfiguringandmaintainingtheCiscoNX-OS.
Thedefaultadministeruserispredefinedasadmin.Anadminuserpasswordhastobespecifiedwhenthesystemispoweredupforthefirsttime,oriftherunningconfigurationiserasedwiththewriteerasecommandandsystemisrepowered.
Ifyouremoveafeaturewiththeglobalnofeatureconfigurationcommand,allrelevantcommandsrelatedtothatfeatureareremovedfromtherunningconfiguration.
TheNX-OSusesakickstartimageandasystemimage.Bothimagesareidentifiedintheconfigurationfileasthekickstartandsystembootvariables.ThebootvariablesdeterminewhatversionofNX-OSisloadedwhenthesystemispoweredon.(ThekickstartandsystembootvariableshavetobeconfiguredforthesameNX-OSversion.)
Theshowrunning-configcommandacceptsseveraloptions,suchasOSPF,BGP,etc…thatwilldisplaytheruntimeconfigurationforaspecificfeature.
Theshowtechcommandacceptsseveraloptionsthatwilldisplayinformationforaspecificfeature.
ConfigurationComparison
ThefollowingsamplecodeshowsimilaritiesanddifferencesbetweentheCiscoNX-OSsoftwareandtheCiscoIOSSoftwareCLI.
| CiscoIOSCLI | CiscoNX-OSCLI |
| DefaultUserPrompt |
| c6500> | n7000# |
| EnteringConfigurationMode |
| c6500#configureterminal | n7000#configureterminal |
| SavingtheRunningConfigtotheStartupConfig(nvram) |
| c6500#writememory or c6500#copyrunning-configstartup-config | n7000#copyrunning-configstartup-config |
| Erasingthestartupconfig(nvram) |
| c6500#writeerase | n7000#writeerase |
| InstallingaLicense |
| CiscoIOSSoftwaredoesnotrequirealicensefileinstallation. | n7000#installlicensebootflash:license_file.lic |
| InterfaceNamingConvention |
| interfaceEthernet1/1 interfaceFastEthernet1/1 interfaceGigabitEthernet1/1 interfaceTenGigabitEthernet1/1 | interfaceEthernet1/1 |
| DefaultVRFConfiguration(management) |
| CiscoIOSSoftwaredoesn’tenableVRFsbydefault. | vrfcontextmanagement |
| ConfiguringtheSoftwareImageBootVariables |
| bootsystemflashsup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin | bootkickstartbootflash:/n7000-s1-kickstart.4.0.4.binsup-1 bootsystembootflash:/n7000-s1-dk9.4.0.4.binsup-1 bootkickstartbootflash:/n7000-s1-kickstart.4.0.4.binsup-2 bootsystembootflash:/n7000-s1-dk9.4.0.4.binsup-2 |
| EnablingFeatures |
| CiscoIOSSoftwaredoesnothavethefunctionalitytoenableordisablefeatures. | featureospf |
| EnablingTELNET(SSHv2isrecommended) |
| CiscoIOSSoftwareenablesTELNETbydefault. | featuretelnet |
| ConfiguringtheVTYTimeoutandSessionLimit |
| linevty09 exec-timeout150 login | linevty session-limit10 exec-timeout15 |
Thefollowingtablecomparessomeusefulshowcommandsforverifyingtheinitialsystemstartupandrunningconfiguration.
| CiscoNX-OS | CiscoIOSSoftware | CommandDescription |
| showrunning-config | showrunning-config | Displaystherunningconfiguration |
| showstartup-config | showstartup-config | Displaysthestartupconfiguration |
| - | - | - |
| showinterface | showinterface | Displaysthestatusforalloftheinterfaces |
| showinterfaceethernet<x/x> | showinterface<inttype> | Displaysthestatusforaspecificinterface |
| - | - | - |
| showboot | showboot | Displaysthecurrentbootvariables |
| - | - | - |
| showclock | showclock | Displaysthesystemclockandtimezoneconfiguration |
| showclockdetail | showclockdetail | Displaysthesummer-timeconfiguration |
| - | - | - |
| showenvironment | showenvironment | Displaysallenvironmentparameters |
| showenvironmentclock | showenvironmentstatusclock | DisplaysclockstatusforA/Bandactiveclock |
| showenvironmentfan | showenvironmentcoolingfan-tray | Displaysfanstatus |
| showenvironmentpower | showpower | Displayspowerbudget |
| showenvironmenttemperature | showenvironmenttemperature | Displaysenvironmentdata |
| - | - | - |
| showloglogfile | showlog | Displaysthelocallog |
| showlognvram | - | Displayspersistentlogmessages(severity0-2)storedinNVRAM |
| showmodule | showmodule | Displaysinstalledmodulesandtheirstatus |
| showmoduleuptime | - | Displayshowlongeachmodulehasbepoweredup |
| showmodulefabric | - | Displaysfabricmodulesandtheircurrentstatus |
| showplatformfabric-utilization | showfabricutilization | Displaysthe%offabricutilizedpermodule |
| showprocesscpu | showprocesscpu | DisplaystheprocessesrunningontheCPU |
| showprocesscpuhistory | showprocesscpuhistory | DisplaystheprocesshistoryoftheCPUinchartform |
| showprocesscpusorted | showprocesscpusorted | DisplayssortedprocessesrunningontheCPU |
| - | - | - |
| showsystemcores | - | Displaysthecoredumpfilesifpresent |
| showsystemexception-info | showexception | Displayslastexceptionlog |
| showsystemredundancystatus | showredundancy | DisplaysthesupervisorsHighAvailabilitystatus |
| showsystemresources | showprocesscpu | DisplaysCPUandmemoryusagedata |
| showsystemuptime | - | Displayssystemandkernelstarttime(Displaysactivesupervisoruptime) |
| - | - | - |
| showtech-support | showtech-support | DisplayssystemtechnicalinformationforCiscoTAC |
| showtech-support<name> | showtech-support<name> | DisplaysfeaturespecifictechnicalinformationforCiscoTAC |
| - | - | - |
| showversion | showversion | Displaysrunningsoftwareversion,basichardware,CMPstatusandsystemuptime |
| - | - | - |
| showline | showline | Displaysconsoleandauxiliaryportinformation |
| showlinecom1 | - | Displaysauxiliaryportinformation |
| showlineconsole | showlineconsole0 | Displaysconsoleportinformation |
| showlineconsoleconnected | - | Statesiftheconsoleportisphysicallyconnected |
| showterminal | showterminal | Displaysterminalsettings |
| showusers | showusers | Displayscurrentvirtualterminalsettings |
| - | - | - |
| showvrf | showipvrf | DisplaysalistofallconfiguredVRFs |
| showvrf<name> | showipvrf<name> | DisplaysanspecifiedVRF |
| showvrf<name>detail | showvrfdetail<name> | Displaysdetailsforaspecified |
| showvrf<name>interface | - | DisplaysinterfaceassignmentforaspecifiedVRF |
| showvrfdefault | - | DisplaysasummaryofthedefaultVRF |
| showvrfdetail | showvrfdetail | DisplaysdetailsforallVRF's |
| showvrfinterface | showipvrfinterface | DisplaysVRFinterfaceassignment |
| showvrfmanagement | - | DisplaysasummaryofthemanagementVRF |
| - | - | - |
| showlicense | - | Displaysalllicensefileinformation |
| showlicensebrief | - | Displaysthelicensefilenamesinstalled |
| showlicensefile<name> | - | Displayslicensecontentsbasedonaspecifiedname |
| showlicensehost-id | - | DisplaysthechassisHost-IDusedforcreatingalicense |
| showlicenseusage | - | Displaysalllicensesusedbythesystem |
| showlicenseusage<license-type> | - | Displaysalllicensesusedbythesystempertype |
| showlicenseusagevdc-all | - | DisplaysalllicensesusedbythesystemforallVDCs |
| - | - | - |
| showvdc | - | DisplaysalistoftheconfiguredVDC's |
| showvdc<name> | - | DisplaysasummaryoftheindividualVDC |
| showvdc<name>detail | - | DisplaysconfigurationdetailsforaspecificVDC |
| showvdc<name>membership | - | DisplaysinterfacemembershipforaspecificVDC |
| showvdc<name>resource | - | DisplaysresourceallocationforaspecificVDC |
| showvdccurrent-vdc | - | DisplaystheVDCthattheuseriscurrentlyin |
| showvdcdetail | - | DisplaysdetailsinformationforallVDCs |
| showvdcmembership | - | DisplaysinterfacemembershipforallVDCs |
| showvdcresources | - | DisplaysresourceallocationforallVDCs |
CiscoNX-OS/IOSInterfaceComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesininterfacesupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
InterfaceConfigurationOverview
TheNX-OSsupportsdifferentphysicalandvirtualinterfacetypestomeetvariousnetworkconnectivityrequirements.Thedifferentinterfacetypesinclude:layer-2switched(accessortrunk),layer-3routed,layer-3routed(sub-interfacetrunk),switchedvirtualinterface(SVI),port-channel,loopback,andtunnelinterfaces.Port-channelinterfacesaredocumentedinthe
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
SVIcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheSVIfeaturewiththefeatureinterface-vlancommand.
Tunnelinterfacecommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheTunnelfeaturewiththefeaturetunnelcommand.
Interfacessupportstatefulandstatelessrestartsafterasupervisorswitchoverforhighavailability.
Only802.1qtrunksaresupported,sotheencapsulationcommandisn'tnecessarywhenconfiguringalayer-2switchedtrunkinterface.(CiscoISLisnotsupported)
AnIPsubnetmaskcanbeappliedusing/xxorxxx.xxx.xxx.xxxnotationwhenconfiguringanIPaddressonalayer-3interface.
TheCLIsyntaxforspecifyingmultipleinterfacesisdifferentinCiscoNX-OSSoftware.Therangekeywordhasbeenomittedfromthesyntax(IE:interfaceethernet1/1-2)
Theout-of-bandmanagementethernetportlocatedonthesupervisormoduleisconfiguredwiththeinterfacemgmt0CLIcommand.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhenconfiguringinterfaces.
Aninterfacecanonlybeconfiguredin1VDCatatime.
All4interfacesinaportgroupmustbeassignedtothesameVDCwhenassigninginterfacesonthe32port10GEmodule.Therearenotanyrestrictionsforthe48port1GEmodules.
10GEinterfacescanbeconfiguredindedicatedmodeusingtherate-modededicatedinterfaceCLIcommand.
ThedefaultporttypeisconfigurableforL3routedorL2switchedinthesetupstartupscript.(L3isthedefaultporttypepriortorunningthescript)
Alayer-2switchedtrunkportsendsandreceivestrafficforallVLANsbydefault(ThisisthesameasCiscoIOSSoftware).UsetheswitchporttrunkallowedvlaninterfaceCLIcommandtospecifytheVLANsallowedonthetrunk.
Theclearcountersinterfaceethernetx/xCLIcommandresetsthecountersforaspecificinterface.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisverysimilarbetweenCiscoIOSandCiscoNX-OSSoftware.
| CiscoIOSCLI | CiscoNX-OSCLI |
| ConfiguringaRoutedInterface |
| interfacegigabitethernet1/1 ipaddress192.168.1.1255.255.255.0 noshutdown | interfaceethernet1/1 ipaddress192.168.1.1/24 noshutdown |
| ConfiguringaSwitchedInterface(VLAN10) |
| vlan10 interfacegigabitethernet1/1 switchport switchportmodeaccess switchportaccessvlan10 noshutdown | vlan10 interfaceethernet1/1 switchport switchportmodeaccess switchportaccessvlan10 noshutdown |
| ConfiguringaSwitchedVirtualInterface(SVI) |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableSVIinterfacesusingthefeaturecommand. interfacevlan10 ipaddress192.168.1.1255.255.255.0 noshutdown | featureinterface-vlan interfacevlan10 ipaddress192.168.1.1./24 noshutdown |
| ConfiguringaSwitchedTrunkInterface |
| interfaceGigabitEthernet1/1 switchport switchporttrunkencapsulationdot1q switchporttrunknativevlan2 switchporttrunkallowedvlan10,20 switchportmodetrunk noshutdown | interfaceethernet1/1 switchportmodetrunk switchporttrunkallowedvlan10,20 switchporttrunknativevlan2 noshutdown |
| ConfiguringaRoutedTrunkSub-Interface |
| interfacegigabitethernet1/1 noswitchport noshutdown interfacegigabitethernet1/1.10 encapsulationdot1Q10 ipaddress192.168.1.1255.255.255.0 noshutdown | interfaceethernet1/1 noswitchport noshutdown interfaceethernet1/1.10 encapsulationdot1q10 ipaddress192.168.1.1/24 noshutdown |
| ConfiguringaLoopbackInterface |
| interfaceloopback1 ipaddress192.168.1.1255.255.255.255 noshutdown | interfaceloopback1 ipaddress192.168.1.1/32 noshutdown |
| ConfiguringaTunnelInterface |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableTunnelinterfacesusingthefeaturecommand. interfaceTunnel1 ipaddress192.168.1.1255.255.255.0 tunnelsource172.16.1.1 tunneldestination172.16.2.1 noshutdown | featuretunnel interfacetunnel1 ipaddress192.168.1.1/24 tunnelsource172.16.1.1 tunneldestination172.16.2.1 noshutdown |
| ConfiguringanInterfaceDescription | |
| interfacegigabitethernet1/1 descriptionTestInterface | interfaceethernet1/1 descriptionTestInterface |
| ConfiguringJumboFrames | |
| interfacegigabitethernet1/1 mtu9216 | interfaceethernet1/1 mtu9216 |
| ConfiguringMultipleInterfaces(Examples) | |
| interfacerangegigabitethernet1/1-2 or interfacerangegigabitethernet1/1,gigabitethernet2/1 | interfaceethernet1/1-1 or interfaceethernet1/1,ethernet2/1 |
Thefollowingtablelistssomeusefulshowcommandsforverifyingthestatusandtroubleshootinganinterface.
| CiscoNX-OSInterface | CiscoIOSSoftwareInterface | CommandDescription |
| showinterface | showinterface | Displaysthestatusandstatisticsforallinterfacesoraspecificinterface |
| showinterfacebrief | - | Displaysabrieflistoftheinterfaces(type,mode,status,speed,MTU) |
| showinterfacecapabilities | showinterfacecapabilities | Displaysinterfacecapabilities |
| showinterfacecounters | showinterfacecounters | Displaysinterfacecounters(input/outputunicast,multicast&broadcast) |
| showinterfacedebounce | - | Displaysthede-bouncestatusandtimeinmsforallinterfaces |
| showinterfacedescription | - | Displaysallinterfaceswithconfigureddescriptions |
| showinterfaceethernet | showinterfaceinterface-type | Displaysstatusandstatisticsforaspecificinterface |
| showinterfaceflowcontrol | showinterfaceflowcontrol | DisplaysFlowControl(802.1p)statusandstateforallinterfaces |
| showinterfaceloopback | showinterfaceloopback | Displaysstatusandstatisticsforaspecificloopbackinterface |
| showinterfacemac-address | - | DisplaysallinterfacesandtheirassociatedMACAddresses |
| showinterfacemgmt | - | Displaysstatusandstatisticsforthemanagementinterfacelocatedonthesupervisor |
| showinterfaceport-channel | showinterfaceport-channel | Displaysstatusandstatisticsforaspecificport-channel |
| showinterfacestatus | showinterfacestatus | Displaysallinterfacesandtheircurrentstatus |
| showinterfaceswitchport | showinterfaceswitchport | Displaysalistofallinterfacesthatareconfiguredasswitchports |
| showinterfacetransceiver | showinterfacetransceiver | Displaysalistofallinterfacesandopticinformation(calibrations,details) |
| showinterfacetrunk | showinterfacetrunk | Displaysalistofallinterfacesconfiguredastrunks |
| showinterfacetunnel<#> | showinterfacetunnel<#> | Displaysstatusandstatisticsforaspecifictunnelinterface |
| showinterfacevlan<#> | showinterfacevlan<#> | DisplaysstatusandstatisticsforaspecificVLANinterface |
CiscoNX-OS/IOSPort-ChannelComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinPort-ChannelsupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
Port-ChannelOverview
Port-ChannelsprovideamechanismforaggregatingmultiplephysicalEthernetlinksintoasinglelogicalEthernetlink.Port-Channelsaretypicallyusedtoincreaseavailabilityandbandwidth,whilesimplifyingthenetworktopology.Port-ChannelscanbeconfiguredinStaticMode(noprotocol)orinconjunctionwithaprotocolsuchasLaCPdefinedinIEEE802.3adorPaGPfordynamicnegotiationsandkeep-alivedetectionforfailover.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
256Port-Channelsaresupportedperchassis
LaCPandStaticModePort-Channelsaresupported(PaGPisnotsupportedinCiscoNX-OSSoftware).
LaCPcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheLaCPfeaturewiththefeaturelacpcommand.
TheCLIsyntaxforspecifyingmultipleinterfacesisdifferentinCiscoNX-OSSoftware.Therangekeywordhasbeenomittedfromthesyntax(IE:interfaceethernet1/1-2)
APort-Channelcanbeconvertedbetweenalayer-2andlayer-3Port-Channelwithoutremovingthememberports.
TheforcekeywordcanbeusedwhenaddinganinterfacetoanexistingPort-ChanneltoforcethenewinterfacetoinheritalloftheexistingPort-Channelcompatibilityparameters.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganetworkusingPort-Channels.
AsinglePort-ChannelcannotconnecttotwodifferentVDCsinthesamechassis.
YoucannotdisableLaCPwiththenofeaturelacpcommandifLaCPisconfiguredforaPort-Channel.LaCPmustbedisabledonallPort-ChannelspriortodisablingLaCPglobally.
Theshowport-channelcompatibility-parametersCLIcommandisveryusefulforverifyinginterfaceparameterswhenconfiguringPort-Channels.
Theshowport-channelload-balanceforwarding-pathCLIcommandcanbeusedtodeterminetheindividuallinkaflowtraversesoveraspecificPort-Channel.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisverysimilarbetweenCiscoIOSandCiscoNX-OS.CiscoNX-OSdoesnotusetherangekeywordwhenspecifyingmultipleinterfaces.CiscoNX-OSalsohastheabilitytoforceaninterfacetoinheritexistingPort-Channelcompatibilityparametersusingtheforcekeyword.
| CiscoIOSCLI | CiscoNX-OSCLI |
| EnablingtheLaCPFeature |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableLaCP. | featurelacp |
| ConfiguringLACPActiveMode |
| interfacerangegigabitethernet1/1-2 channel-group1modeactive | interfaceethernet1/1-2 channel-group1modeactive |
| ConfiguringLaCPPassiveMode |
| interfacerangegigabitethernet1/1-2 channel-group1modepassive | interfaceethernet1/1-2 channel-group1modepassive |
| ConfiguringStaticMode(noprotocol) |
| interfacerangegigabitethernet1/1-2 channel-group1modeon | interfaceethernet1/1-2 channel-group1modeon |
| EnablingaPortChannel |
| interfaceport-channel1 noshutdown | interfaceport-channel1 noshutdown |
| Layer-2Port-ChannelExample |
| interfacerangegigabitethernet1/1-2 switchport channel-group1modeactive interfaceport-channel1 noshutdown | interfaceethernet1/1-1 switchport channel-group1modeactive interfaceport-channel1 noshutdown |
| Layer-3Port-ChannelExample |
| interfacerangegigabitethernet1/1-2 noswitchport channel-group1modeactive interfaceport-channel1 ipaddress192.168.1.1255.255.255.0 noshutdown | interfaceethernet1/1-1 noswitchport channel-group1modeactive interfaceport-channel1 ipaddress192.168.1.1/32 noshutdown |
| AddinganInterfacetoanExistingPort-Channel |
| CiscoIOSSoftwaredoesnothavetheforceoption,soallinterfaceparametershavetobecompatiblepriortoaddingtheinterfacetoanexistingPort-Channel. interfacerangegigabitethernet1/3 noswitchport channel-group1modeactive[ | interfaceethernet1/3 channel-group1forcemodeactive |
| ConfiguringtheSystemLoad-BalanceAlgorithm |
| port-channelload-balancedst-mac | port-channelload-balanceethernetdestination-mac |
| ConfiguringtheLoad-BalanceAlgorithmperModule |
| port-channelper-moduleload-balance port-channelload-balancedst-macmodule1 | port-channelload-balanceethernetdestination-macmodule1 |
ThefollowingtablelistssomeusefulshowcommandsforverifyingandtroubleshootingaPort-Channelconfiguration.
| CiscoNX-OSPort-Channels | CiscoIOSSoftwarePort-Channels | CommandDescription |
| showinterface | showinterface | Displaysstatisticsallinterfacesoraspecificinterface |
| showinterfaceport-channel<#> | showinterfaceport-channel<#> | Displaysstatisticsforaspecificport-channel |
| - | - | - |
| showport-channelcapacity | - | Displaysport-channelresources(total,used,free) |
| showport-channelcompatibility-parameters | - | Displaysthecompatibility-parameters(IE:speed,duplex,etc) |
| showport-channeldatabase | - | Displaystheaggregationstateforoneormoreport-channels |
| showport-channelload-balance | showetherchannelload-balance | Displaystheload-balancingalgorithm(hash)configured |
| showport-channelload-balanceforwarding-path | showetherchannelload-balancehash-result | Displayspacketforwardinginformation |
| showport-channelsummary | showetherchannelsummary | Displaysasummarizedlistofallport-channels |
| showport-channeltraffic | - | Displaystheloadperlinkinaport-channel(Basedininterfacecounters) |
| showport-channelusage | - | Displaystherangeofusedandunusedport-channelnumbers |
| - | - | - |
| showlacpcounters | showlacpcounters | DisplaystheLaCPPDUanderrorcounters |
| showlacpinterface | - | DisplaysdetailedLaCPinformationperinterface |
| showlacpneighbors | showlacpneighbors | DisplaysdetailedLaCPinformationperneighbor |
| showlacpport-channel | showlacp<port-channel-#> | Displaystheport-channelLaCPconfiguration |
| showlacpsystem-identifier | showlacpsys-id | DisplaystheLaCPsystemID(Priority/MACaddress) |
CiscoNX-OS/IOSHSRPComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinHotStandbyRoutingProtocol(HSRP)(IPv4)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
HSRPOverview
HSRPisaCiscoproprietaryFirstHopRedundancyProtocol(FHRP)designedtoallowtransparentfailoverforanIPclient’sdefaultgateway(first-hoprouter).
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
HSRPcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheHSRPfeaturewiththefeaturehsrpcommand.
HSRPishierarchical.AllrelatedcommandsforanHSRPgroupareconfiguredunderthegroupnumber.
TheHSRPconfigurationcommandsusetheformathsrp<option>insteadofstandby<option>.
TheHSRPverificationcommandsusetheformatshowhsrp<option>insteadofshowstandby<option>.
HSRPsupportsstatefulprocessrestartbydefault.
Thehelloandhold-timetimerrangesforthemillisecondoptionsaredifferent.InCiscoNX-OS,hello=250to999milliseconds,andholdtime=750to3000milliseconds.InCiscoIOSSoftware,hello=15to999milliseconds,andholdtime=50to3000milliseconds.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintainingHSRP-enablednetworks.
Ifyouremovethefeaturehsrpcommand,allrelevantHSRPconfigurationinformationisalsoremoved.
HSRPv1isenabledbydefault(HSRPv2canbeenabledperinterface).
HSRPv1supports256groupnumbers(0to255).HSRPv2supports4096groupnumbers(0to4095).
HSRPv1andHSRPv2arenotcompatible.However,adevicecanbeconfiguredtorunadifferentversionondifferentinterfaces.
Theshowrunning-confighsrpcommanddisplaysthecurrentHSRPconfiguration.
ConfigurationofmorethanoneFHRPonaninterfaceisnotrecommended.
Objecttrackingissupported.Trackingcanbeconfiguredforaninterface’slineprotocolstate,IPaddressstate,andforIProutereachability(determiningwhetherarouteisavailableintheroutingtable).
Aninterfacecantrackmultipleobjects.
SecondaryIPaddressesaresupportedinthesameoradifferentgroupastheinterface’sprimaryIPaddress.
LoadsharingcanbeaccomplishedbyusingmultipleHSRPgroupsperinterface.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Therearetwosignificantdifferences:CiscoNX-OSusesahierarchicalconfiguration,anditusesthehsrpkeywordinsteadofthestandbykeywordforconfigurationandverificationcommands.Bothenhancementsmaketheconfigurationeasiertoread.
| CiscoIOSCLI | CiscoNX-OSCLI |
| EnablingtheHSRPFeature |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableHSRP. | featurehsrp |
| ConfiguringHSRPonanInterface |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 ip192.168.10.1 |
| ConfiguringthepriorityandpreemptOptions |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 standby0priority110 standby0preempt | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 preempt priority110 ip192.168.10.1 |
| ModifyingtheHelloandHoldtimeTimers(Seconds) |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 standby0timers13 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 timers13 ip192.168.10.1 |
| ModifyingtheHelloandHoldtimeTimers(Milliseconds) |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 standby0timersmsec250msec750 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 timersmsec250msec750 ip192.168.10.1 |
| ConfiguringMD5Authentication |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 standby0authenticationmd5key-stringcisco123 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 authenticationmd5key-stringcisco123 ip192.168.10.1 |
| ConfiguringHSRPVersion2onanInterface |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standbyversion2 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrpversion2 |
| ConfiguringMinimumandReloadInitializationDelay |
| interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standbydelayminimum5reload10 | interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrpdelayminimum5reload10 |
| ConfiguringObjectTracking(InterfaceLine-Protocol) |
| track1interfaceEthernet2/2line-protocol interfaceEthernet2/1 ipaddress192.168.10.2255.255.255.0 standby0ip192.168.10.1 standby0track1decrement20 | track1interfaceethernet2/2line-protocol interfaceEthernet2/1 ipaddress192.168.10.2/24 hsrp0 track1decrement20 ip192.168.10.1 |
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootinganHSRPconfiguration.
| CiscoNX-OSHSRP | CiscoIOSSoftwareHSRP | CommandDescription |
| showhsrp | showstandby<#> | DisplaysdetailedinformationforallHSRPgroups |
| showhsrpactive | - | Displaysallofthegroupsinthe“active”state |
| showhsrpbrief | showstandbybrief | DisplaysasummaryofalltheHSRPgroups |
| showhsrpdelay | - | Displaysminimumandmaximumdelaytimesforpreempting |
| showhsrpgroup | - | Displaysdetailedinformationforaspecifiedgroup |
| showhsrpinit | - | Displaysallthegroupsinthe"init"state |
| showhsrpinterface | - | Displaysdetailedinformationforaspecificinterface |
| showhsrplearn | - | Displaysallthegroupsinthe"learn"state |
| showhsrplisten | - | Displaysallthegroupsinthe"listen"state |
| showhsrpspeak | - | Displaysallthegroupsinthe"speak"state |
| showhsrpstandby | - | Displaysallthegroupsinthe"standby"state |
| showhsrpsummary | - | DisplayssummaryinformationforHSRPgroups |
| - | - | - |
| showtrack | showtrack | Displaystheconfiguredtrackedobjects |
| showtrackbrief | showtrackbrief | Displaysabrieflistoftrackedobjects |
| showtrackinterface | showtrackinterface | Displaysthestatusoftrackedinterfaces |
| showtrackip | showtrackip | DisplaystheIPprotocolobjectsthataretracked |
CiscoNX-OS/IOSSTPComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinSpanning-TreeProtocol(STP)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
STPOverview
STPisastandardsbasedlink-layerprotocoloriginallydefinedinIEEE802.1dthatrunsonswitchestopreventforwardingloopswhenusingredundantlayer-2networktopologies.NewervariantsofSTPhavebeendevelopedcalledRapidSpanningTreeprotocol(RSTP)definedinIEEE802.1wandMultipleSpanningTreeprotocol(MST)definedinIEEE802.1sthatareenhancedforbetterscalabilityandconvergefasterthantheoriginalversion.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
Rapid-PVST+andtheMSTprotocolsaresupported.
Rapid-PVST+isenabledbydefault.
Highavailabilityisachievedwithstatefulswitchoverwhentwosupervisorsareinstalledinachassis.
TheSTPporttypesareidentifiedwiththeporttypedesignationasopposedtotheportfastdesignationinCiscoIOSSoftware.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsabouttheCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganetworkconfiguredwiththeSTP.
Rapid-PVST+isinteroperablewiththe802.1dSTP.
Rapid-PVST+isinteroperablewithMST.(Thisisenabledbydefault)
OnlyoneSTPcanbeenabledperVDC.
BridgeAssuranceisenabledgloballybydefault,butisdisabledonaninterfacebydefault.
BridgeAssurancecanbeenabledforaninterfaceusingthespanning-treeporttypenetworkinterfacecommand.
Theclearspanning-treecounterscommandclearsthecountersforanSTPinterfaceoraVLAN.
STPenhancementssuchasBPDUGuard,LoopGuard,RootGuard,andBPDUFilteringaresupported.
Spanning-TreebestpracticesareapplicabletobothCiscoNX-OSandCiscoIOSSoftware
DonotdisableSTP.Evenifthelayer-2topologydoesnotrequireSTP,itshouldalwaysbeenabledasasafeguardforconfigurationand/orcablingerrors.
ChangingtheSTPmodecandisrupttraffic.
EnablingBridgeAssuranceisrecommended.However,onlyenableBridgeAssuranceonlayer-2linksifbothdevicesoneachendofthelinksupportit.
Typicallythecore/backbonedevicesshouldbeconfiguredastheprimaryandsecondaryrootbridges.
Thedefaultbridgepriorityis32,768(plustheVLAN#).Thelowerthevalue,themorelikelyitwillbecometherootbridge.
Configure802.1qtrunkportsasedgetrunkporttypewhenconnectingtoL3hostssuchasfirewalls,load-balancers,orserversforfasterconvergence.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.TheCLIisidenticalwiththeexceptionoftheporttypeterminology.TheCiscoIOSusestheportfastdesignation,whereasCiscoNX-OSusestheporttypedesignation.
| CiscoIOSCLI | CiscoNX-OSCLI |
| ConfiguringVLANs |
| vlan10,20 | vlan10,20 |
| ConfiguringRapidPVST+ |
| spanning-treemoderapid-pvst | Rapid-PVSTisenabledbydefault. spanning-treemoderapid-pvst |
| ConfiguringtheRapid-PVST+BridgePriority |
| spanning-treevlan10rootprimary spanning-treevlan20rootsecondary | spanning-treevlan10rootprimary spanning-treevlan20rootsecondary |
| ConfiguringMST |
| spanning-treemodemst | spanning-treemodemst |
| ConfiguringaMSTInstance |
| spanning-treemstconfiguration instance1vlan10 instance2vlan20 | spanning-treemstconfiguration instance1vlan10 instance2vlan20 |
| ConfiguringtheMSTBridgePriority |
| spanning-treemst1rootprimary spanning-treemst2rootsecondary | spanning-treemst1rootprimary spanning-treemst2rootsecondary |
| ConfiguringSTPPortTypesGlobally |
| spanning-treeportfastedgedefault or spanning-treeportfastnetworkdefault | spanning-treeporttypeedgedefault or spanning-treeporttypenetworkdefault |
| ConfiguringSTPPortTypesperInterface |
| interfaceGigabitEthernet1/1 switchport spanning-treeportfastedge or spanning-treeportfastnetwork or spanning-treeportfastdisable | interfaceethernet1/1 switchport----必须定义为交换口才能应用下面的edge命令 spanning-treeporttypeedge or spanning-treeporttypenetwork or spanning-treeporttypenormal |
| ConfiguringaTrunkasanEdgePortType |
| interfaceGigabitEthernet1/1 switchport spanning-treeportfastedgetrunk | interfaceethernet1/1 switchport spanning-treeporttypeedgetrunk |
| DisablingPVSTSimulationGlobally |
| nospanning-treemstsimulatepvstglobal | nospanning-treemstsimulatepvstglobal |
| DisablingPVSTSimulationperPort |
| interfaceGigabitEthernet1/1 switchport spanning-treemstsimulatepvstdisable | interfaceethernet1/1 switchport spanning-treemstsimulatepvstdisable |
ThefollowingtablelistssomeusefulshowcommandsforverifyingandtroubleshootingaSTPnetworkconfiguration.TheshowcommandsareidenticalforCiscoIOSandCiscoNX-OSSoftware.
| CiscoNX-OSSTP | CiscoIOSSoftwareSTP | CommandDescription |
| showspanning-tree | showspanning-tree | DisplayshighlevelSTPprocessinformation |
| showspanning-treeactive | showspanning-treeactive | Displaysallportsintheactivestate |
| showspanning-treeblockedports | showspanning-treeblockedports | Displaysallportsintheblockedstate |
| showspanning-treedetail | showspanning-treedetail | DisplaysdetailedinformationperSTPinstance |
| showspanning-treeinterface | showspanning-treeinterface | DisplaysdetailedSTPinformationforaspecificinterface |
| showspanning-treemst | showspanning-treemst | Displayshigh-levelMSTconfiguration |
| showspanning-treemstconfiguration | showspanning-treemstconfiguration | DisplaystheMSTinstanceconfiguration |
| showspanning-treemstdetail | showspanning-treemstdetail | DisplaysdetailedMSTinformation |
| showspanning-treeroot | showspanning-treeroot | DisplaysSTProotinformation |
| showspanning-treesummary | showspanning-treesummary | DisplaysSTPsummaryinformation |
| showspanning-treevlan | showspanning-treevlan | DisplaysperVLANSTPinformation |
CiscoNX-OS/IOSSPANComparison
FromDocWiki
Jumpto:
Objective
ThistechnoteoutlinesthemaindifferencesintheSwitchedPortAnalyzer(SPAN)betweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
SPANOverview
TheSPANfeatureallowstraffictobemirroredfromwithinaswitchfromasourceporttoadestinationport.Thisfeatureistypicallyusedwhendetailedpacketinformationisrequiredfortroubleshooting,trafficanalysis,andsecurity-threatprevention.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
OnlyLocalSPANissupported.
RemoteSPAN(RSPAN)VLANscanbeconfiguredonlyasSPANsources.
18monitorsessionscanbeconfigured.Onlytwosessionscanbeactivesimultaneously.
CiscoNX-OSusesahierarchicalconfigurationbasedonthemonitorsession<#>command,whereasCiscoIOSSoftwarehastheoptionforflatforhierarchicalconfigurationinCiscoIOSSoftwareRelease12.2(18)SXHandlater.
AsingleSPANsessioncanincludemixedsources(Ethernetports,EthernetPort-Channels,RSPANsources,VLANs,andtheCPUcontrol-planeinterface).
DestinationSPANportsmustbeconfiguredasLayer2portswiththeswitchportcommand.
DestinationSPANportsrequiretheswitchportmonitorinterfaceconfigurationcommand.
TheSPANfeaturesupportsstatefulandstatelessprocessrestarts.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringtheSPANfeature.
TwoactiveSPANsessionsaresupportedforallvirtualdevicecontexts(VDCs).
Monitorsessionsaredisabledbydefault.Theycanbeenabledwiththenoshutcommand.
Thesourcetrafficdirectioncanbeconfiguredasrx,tx,orboth.Thedefaultisboth.
WhenaVLANisspecifiedasthesource,traffictoandfromtheLayer2portsinthespecifiedVLANaresenttothedestination.
Thein-bandcontrol-planeinterfacetotheCPUcanbemonitoredonlyfromthedefaultVDC.(AllVDCtrafficisvisible.)
Bydefault,SPANdoesnotcopytheIEEE802.1qtagfromtrunksources.
Adestinationportcanbeconfiguredinswitchportaccessortrunkmode.(TrunkmodeallowsyoutotagtraffictowardadestinationortoperformdestinationVLANfiltering.)
Adestinationportdoesnotparticipateinaspanning-treeinstance.
AdestinationportcanbeconfiguredinonlyoneSPANsessionatatime.
Aportcannotbeconfiguredasbothasourceanddestinationport.
128sourceinterfacescanbeconfiguredpersession.
32sourceVLANscanbeconfiguredpersession.
2destinationinterfacescanbeconfiguredpersession.
ConfigurationComparison
ThefollowingsamplecodeshowstheconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwarecommand-lineinterfaces(CLIs).TheCiscoIOSSoftwaresyntaxshownhereisfromCiscoIOSSoftwareRelease12.2(18)SXH,soitshierarchyissimilartothatofastheCiscoNX-OS.OlderversionsofCiscoIOSSoftwaresupportonlyaflatconfiguration.
| CiscoIOSCLI | CiscoNX-OSCLI |
| ConfiguringtheDestinationSwitchportMode |
| CiscoIOSSoftwaredoesnotrequireanydestinationportconfiguration. | interfaceEthernet2/2 switchport switchportmonitor |
| ConfiguringDestinationPortIngressForwardingandLearning |
| monitorsession1typelocal destinationinterfaceGi2/2ingresslearning | interfaceEthernet2/2 switchport switchportmonitoringresslearning |
| ConfiguringaSPANMonitor(EthernetSourceandDestination) |
| monitorsession1typelocal sourceinterfaceGi2/1 destinationinterfaceGi2/2 | monitorsession1 sourceinterfaceEthernet2/1both destinationinterfaceEthernet2/2 noshut |
| ConfiguringaSPANMonitor(VLANSource) |
| monitorsession1typelocal sourcevlan10,20 destinationinterfaceGi2/2 | monitorsession1 sourcevlan10,20both destinationinterfaceEthernet2/2 noshut |
| FilteringVLANsforIEEE802.1qTrunkSources |
| interfaceGigabitEthernet2/1 switchport switchporttrunkencapsulationdot1q switchporttrunkallowedvlan10-20 switchportmodetrunk monitorsession1typelocal filtervlan15-20 sourceinterfaceGi2/1 destinationinterfaceGi2/1 noshutdown | interfaceEthernet2/1 switchport switchportmodetrunk switchporttrunkallowedvlan10-20 monitorsession1 sourceinterfaceEthernet2/1both destinationinterfaceEthernet2/2 filtervlan15-20 noshut |
| ConfiguringaSPANMonitor(CPUSource) |
| monitorsession1typelocal sourcecpurprx destinationinterfaceGi2/2 noshutdown | monitorsession1 sourceinterfacesup-eth0rx destinationinterfaceEthernet2/2 noshut |
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingtheSPANfeature.
| CiscoNX-OSSPAN | CiscoIOSSoftwareSPAN | CommandDescription |
| showinterface | showinterface | Displaysdestinationportcharacteristics |
| - | - | - |
| showmonitorsession<#> | showmonitorsession<#> | DisplaysaspecificSPANandmonitorsession |
| showmonitorsessionall | showmonitorsessionall | DisplaysallSPANandmonitorsessions |
| showmonitorrange<#-#> | showmonitorrange<#-#> | DisplaysarangeofspecifiedSPANsessions |
CiscoNX-OS/IOSOSPFComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinOpenShortestPathFirstVersion2(OSPFv2)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
OSPFOverview
OSPFv2isanIETF(
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
OSPFcommand-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheOSPFfeaturewiththefeatureospfcommand.
TheOSPFprotocolrequirestheEnterpriseServiceslicense.
TheOSPFinstancecanconsistsof20characters,whereastheIOSsupportsnumbers1–65536.
Eightequal-costpathsaresupportedbydefault.Youcanconfigureuptosixteen.
ThedefaultreferencebandwidthusedintheOSPFcostcalculationis40Gbps.
NetworksandinterfacesareaddedtoanOSPFinstanceundertheinterfaceconfigurationmode.
AnOSPFareacanbeconfiguredusingdecimalordecimaldottednotation,butitisalwaysdisplayedindecimaldottednotationintheconfigurationandintheshowcommandoutput.
PassiveinterfacesareappliedtotheinterfaceasopposedtoundertheOSPFrouterinstance.
IfarouterIDisnotmanuallyconfigured,theloopback0IPaddressisalwayspreferred.Ifloopback0doesnotexist,CiscoNX-OSselectstheIPaddressforthefirstloopbackinterfaceintheconfiguration.Ifnoloopbackinterfacesexist,CiscoNX-OSselectstheIPaddressforthefirstphysicalinterfaceintheconfiguration.
Neighboradjacencychangesarenotloggedbydefault.Thelog-adjacency-changesCLIcommandisrequiredundertheOSPFinstance.
Wheninterfaceauthenticationisconfigured,theOSPFkeyisencryptedwithDataEncryptionStandard3(3DES)intheconfiguration.CiscoIOSSoftwarerequirestheservicepasswordcommand.
WhenyourolloveranOSPFauthenticationkeyinacombinedCiscoNX-OS/CiscoIOSnetwork,youshouldconfigurebothkeysontheCiscoNX-OSroutertoensurethatthereissufficientoverlapbetweentheoldkeyandthenewkeyforasmoothtransitiontothenewkey.YoushouldconfigurethenewkeyasavalidacceptkeyonalltheNX-OSandIOSroutersbeforethenewkeybecomesavalidgenerationkeyinthekeychain.Duringtheoverlapperiod,CiscoNX-OStransmitsthenewOSPFkeyandacceptsOSPFauthenticatedpacketsfromboththeoldkeyandthenewkey.
TheNX-OSdoesnotsupportdistribute-listsusedtoremoveOSPFroutesfromtheroutingtable.TheNX-OSdoessupportinter-areaLSA/routefilteringusingthefilter-listcommandconfiguredundertheOSPFroutinginstance.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhendesigning,configuring,andmaintaininganOSPFnetwork.
FourOSPFinstancescanbeconfiguredpervirtualdevicecontext(VDC).
NumerousVirtualRouteForwarding(VRF)instancescanbeassociatedtoanOSPFinstance.
Ifyouremovethefeatureospfcommand,allrelevantOSPFconfigurationinformationisalsoremoved.
TheshutdowncommandundertheOSPFprocesscanbeusedtodisableOSPFwhileretainingtheconfiguration.Similarfunctionalitycanalsobeappliedperinterfacewiththeipospfshutdowncommand.
Theshowrunning-configospfcommanddisplaysthecurrentOSPFconfiguration.
AnOSPFinstancecanberestartedwiththerestartospf<instance#>command.
GracefulRestart(
OSPFsupportsstatefulprocessrestartsiftwosupervisorsarepresent.
YoucannotconfiguremultipleOSPFinstancesonthesameinterface.
Aninterfacecansupportmulti-areaadjacenciesusingthemulti-areaoptionwiththeiprouterospfinterfacecommand.
SecondaryIPaddressesareadvertisedbydefault,butcanbesuppressedperinterfacewiththeiprouterospf<instance>area<#>secondariesnoneinterfacecommand.
BydefaultallloopbackIPaddresssubnetmasksareadvertisedinanLSAasa/32.Theloopbackinterfacecommandipospfadvertise-subnetcanbeconfiguredtoadvertisetheprimaryIPaddresssubnetmask.(ThiscommanddoesnotapplytosecondaryIPaddresses.Theywillstillbeadvertisedasa/32.)
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Therearetwosignificantdifferences:CiscoNX-OSallowsOSPFtobeenabledanddisabledglobally,andithasamoreinterface-centricconfigurationthatmakesiteasiertoread.
| CiscoIOSCLI | CiscoNX-OSCLI |
| EnablingtheOSPFFeature |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableOSPF. | featureospf |
| ConfiguringanOSPFInstanceandRouterID |
| routerospf10 router-id192.168.1.1 | routerospf10 router-id192.168.1.1 |
| AssociatingaNetworkwithanOSPFInstanceandArea |
| routerospf10 network192.168.1.00.0.0.255area1 | interfaceEthernet2/1 ipaddress192.168.10.1/24 iprouterospf10area1 |
| ConfiguringaPassiveInterface |
| routerospf10 passive-interfaceGigabitEthernet2/1 network192.168.1.00.0.0.255area1 | interfaceEthernet2/1 ipaddress192.168.11.1/24 ipospfpassive-interface iprouterospf10area0 |
| ConfiguringInterfaceAuthentication(MD5) |
| interfaceGigabitEthernet2/1 ipaddress192.168.10.1255.255.255.0 ipospfauthenticationmessage-digest ipospfmessage-digest-key1md5cisco123 | interfaceEthernet2/1 ipaddress192.168.10.1/24 ipospfauthenticationmessage-digest ipospfmessage-digest-key1md53a667d47acc18ea6b iprouterospf10area1 |
| ConfiguringaStubAreawiththenosummaryOption |
| routerospf10 area2stubno-summary | routerospf10 area2stubno-summary |
| CreatingaNot-So-StubbyArea(NSSA)andGeneratingaDefaultRoute |
| routerospf10 area3nssadefault-information-originate | routerospf10 area3nssadefault-information-originate |
| ConfiguringInter-AreaandExternalSummarization |
| routerospf10 area0range159.142.0.0255.255.0.0summary-address172.16.0.0255.255.0.0 | routerospf10 area0range159.142.0.0/16summary-address172.16.0.0/16 |
| GeneratingaDefaultRoute(Conditional) |
| routerospf10 default-informationoriginate | routerospf10 default-informationoriginate |
| GeneratingaMaximumMetric(Max-Metric)Value |
| routerospf10 max-metricrouter-lsa | routerospf10 max-metricrouter-lsa |
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootinganOSPFv2networkconfiguration.
| CiscoNX-OSOSPFv2 | CiscoIOSSoftwareOSPFv2 | CommandDescription |
| showipospf | showipospf | Displaystherunningconfiguration |
| showipospfborder-routers | showipospfborder-routers | Displaysalistofborderrouters |
| showipospfdatabase | showipospfdatabase | DisplaysOSPFdatabaseinformation |
| showipospfinterface | showipospfinterface<inttype> | DisplaysOSPFdatabaseinformation |
| showipospfinterfacedetail | - | Displaysadditionalpacketstatisticsforeachinterface |
| showipospfmemory | - | DisplaysthememoryallocatedforOSPF |
| showipospfneighbor | showipospfneighbors | Displaysneighbor-specificinformation |
| showipospfneighbordetail | showipospfneighbordetail | DisplaysdetailsforeachOSPFneighbor |
| showipospfpolicystatistics | - | Displaysredistributionstatisticsforaspecifiedprotocol |
| showipospfrequestlist | showipospfrequestlist | Displaysalistoflink-stateadvertisements(LSAs)thathavebeenrequested |
| showipospfretransmissionlist | showmodule | Displaysinstalledmodulesandtheirstatus |
| showipospfroute | - | DisplaysallrouteslearnedthroughOSPF |
| showipospfstatistics | showipospfstatistics | DisplaysOSPFLSAstatistics |
| showipospfsummary-address | showipospfsummary-address | DisplaysOSPF-summarizednetworks |
| showipospftraffic | showipospftraffic | DisplaysOSPF-relatedpacketcounters |
| showipospfvrf | - | DisplaysinformationforaspecifiedOSPFVRFinstance |
CiscoNX-OS/IOSLayer-3VirtualizationComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinLayer3virtualizationsupportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
VirtualizationRoutingandForwardingOverview
VirtualRoutingandForwarding(VRF)providesanadditionallayerofnetworkvirtualizationontopofvirtualdevicecontexts(VDCs).VRFprovidesseparateunicastandmulticastaddressspaceandassociatedroutingprotocolsthatmakeindependentforwardingdecisions.AllunicastandmulticastprotocolssupportVRF.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
CiscoNX-OSsupports200VRFinstancesperVDC.
TwoVRFinstancesareconfiguredbydefault.ThemanagementportonthesupervisormoduleisassignedtothemanagementVRF,andallI/OmoduleportsareassignedtothedefaultVRF.
ThedefaultVRFisthedefaultroutingcontextforallshowcommands.
VRFinstancescanbeenabledwithoutanycommand-lineinterface(CLI)prerequisites.CiscoIOSSoftwarerequiresipceftobeenabledgloballybeforeVRFinstancescanbeconfigured.
Multicastrouting/forwardingcanbeconfiguredperVRFinstancewithouthavingtogloballyenabletheVRFinstanceformulticast.CiscoIOSSoftwarerequirestheglobalipmulticast-routingvrf<name>commandperVRFinstance.
TheCLIforenablingVRFroutingforaprotocolisconsistentforallroutingprotocols,whereasCiscoIOSSoftwareusesaddressfamiliesforBorderGatewayProtocol(BGP),RoutingInformationProtocol(RIP),andEnhancedInteriorGatewayRoutingProtocol(EIGRP)andrequiresuniqueroutingprocessIDsperVRFforIntegratedIntermediateSystem-to-IntermediateSystem(ISIS)andOpenShortestPathFirst(OSPF).
InCiscoNX-OS,numerousVRFinstancescanbeassignedtoasingleroutingprotocolinstance.
IPstaticroutesareconfiguredunderthespecifiedvrfcontext.InCiscoIOSSoftware,allstaticroutesareconfiguredinglobalconfigurationmodewiththevrfoption.
AVRFinstancecanbemanuallydisabledwiththeshutdowncommand.CiscoIOSSoftwaredoesnothavetheCLIcapabilitytomanuallydisableaVRFinstance.
IfaVRFcontextisremovedwiththenovrfcontext<name>configurationcommand,theVRFcontextcommandswillberemovedfromtherunningconfigurationmakingtheVRFnon-functional,butallnoncontextrelatedVRFcommandswillremainintherunningconfiguration.WhenaVRFisremovedinCiscoIOSSoftware,theVRFinstanceandallrelatedVRFcommandsareautomaticallyremovedfromtherunningconfiguration,includinganyinterfaceIPaddressespreviouslyassociatedtotheVRF.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringandmaintainingVRFinstances.
WhenyouassignaVRFinstancetoaninterfacewithanIPaddresspreviouslyconfigured,theinterfaceIPaddressisautomaticallyremoved.
StaticroutesordynamicroutingprotocolscanbeconfiguredforroutinginaVRFinstance(BGP,EIGRP,ISIS,OSPF,staticroutes,andRIPv2).
IPtroubleshootingtoolssuchaspingandtracerouteareVRFawareandrequirethenameofaspecificVRFinstanceiftestinginthedefaultVRFinstanceisnotdesired.
Therouting-contextvrfcommandcanbeexecutedinEXECmodetochangetheroutingcontexttoanon-defaultVRFinstance.Forexample,typingrouting-contextvrfmanagementchangestheroutingcontext,soallVRFrelatedcommandsareexecutedinthemanagementVRFasopposedtothedefaultVRF.
Networkmanagement–relatedservicessuchasauthentication,authorizationandaccounting(AAA),CallHome,DomainNameSystem(DNS),FTP,HTTP,NetFlowNetworkTimeProtocol(NTP),RADIUS,SimpleNetworkManagementProtocol(SNMP),SSH,syslog,TACACS+,Telnet,TrivialFileTransferProtocol(TFTP),andXMLareVRFaware.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.SamplecodeisprovidedonlytoillustratehowtoenableVRFrouting.TheCiscoNX-OSCLIissimplerandmoreconsistentsinceitallowsmultipleVRFinstancestobeassignedtoasingleroutingprotocolinstance,whereasCiscoIOSSoftwareusesdifferenttechniquesdependingontheroutingprotocol.
| CiscoIOSCLI | CiscoNX-OSCLI |
| CreatingaVRF |
| ipcef ipvrfvrf-1 | vrfcontextvrf-1 |
| AssigninganInterfacetoaVRF |
| interfaceEthernet2/1 ipvrfforwardingvrf-1 ipaddress192.168.10.1255.255.255.0 | interfaceEthernet2/1 vrfmembervrf-1 ipaddress192.168.10.1/24 |
| EnablingBGPinaVRF |
| routerbgp10 address-familyipv4vrfvrf-1 neighbor192.168.10.2remote-as20 neighbor192.168.10.2activate network192.168.1.1mask255.255.255.255 exit-address-family | routerbgp10 vrfvrf-1 address-familyipv4unicast network192.168.1.1/32 neighbor192.168.10.2remote-as20 address-familyipv4unicast |
| EnablingEIGRPinaVRF |
| routereigrp10 address-familyipv4vrfvrf-1 network192.168.10.0 auto-summary autonomous-system10 exit-address-family! | interfaceEthernet2/1 vrfmembervrf-1 ipaddress192.168.10.1/24 iproutereigrp10 routereigrp10 vrfvrf-1 |
| EnablingISISinaVRF |
| interfaceEthernet2/1 ipvrfforwardingvrf-1 ipaddress192.168.10.1255.255.255.0 iprouterisis10 routerisis10 vrfvrf-1 net49.0001.0000.0001.00 | interfaceEthernet2/1 vrfmembervrf-1 ipaddress192.168.10.1/24 iprouterisis10 routerisis10 vrfvrf-1 net49.0001.0000.0001.00 |
| EnablingOSPFinaVRF |
| interfaceEthernet2/1 ipvrfforwardingvrf-1 ipaddress192.168.10.1255.255.255.0 routerospf10vrfvrf-1 network192.168.10.00.0.0.255area0 | interfaceEthernet2/1 vrfmembervrf-1 ipaddress192.168.10.1/24 iprouterospf10 routerospf10 vrfvrf-1 |
| EnablingRIPv2inaVRF |
| interfaceEthernet2/1 ipvrfforwardingvrf-1 ipaddress192.168.10.1255.255.255.0 routerrip address-familyipv4vrfvrf-1 network192.168.10.0 version2 exit-address-family | interfaceEthernet2/1 vrfmembervrf-1 ipaddress192.168.10.1/24 iprouterrip10 routerrip10 vrfvrf-1 |
| ConfiguringStaticRoutesinaVRF |
| iproutevrfvrf-1192.168.2.0255.255.255.0192.168.10.2 | vrfcontextvrf-1 iproute192.168.2.0/24192.168.10.2 |
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingVRFinstances.
| CiscoNX-OSVRF | CiscoIOSSoftwareVRF | CommandDescription |
| showvrf | showipvrf | DisplaysalistofallconfiguredVRFinstances |
| showvrf<name> | showipvrf<name> | DisplaysaspecificVRFinstance |
| showvrf<name>detail | showipvrfdetail<name> | DisplaysdetailsforaspecificVRFinstance |
| showvrf<name>interface | - | DisplaystheinterfaceassignmentforaspecificVRFinstance |
| showvrfdefault | - | DisplaysasummaryofthedefaultVRFinstance |
| showvrfdetail | showipvrfdetail | DisplaysdetailsforallVRFinstances |
| showvrfinterface | showipvrfinterface | DisplaysVRFinterfaceassignments |
| showvrfmanagement | - | DisplaysasummaryofthemanagementVRFinstance |
| - | - | - |
| showiproutevrfall | - | DisplaysroutesforallVRFinstances |
| showiproutevrfdefault | - | DisplaysroutesforthedefaultVRFinstance |
| showiproutevrfmanagement | - | DisplaysroutesforthemanagementVRFinstance |
| showiproutevrf<name> | showiproutevrf<name> | DisplaysroutesforaspecificVRFinstance |
| - | - | - |
| showiparpvrf<name> | showiparpvrf<name> | DisplaysAddressResolutionProtocol(ARP)entriesforaspecificVRFinstance |
| - | - | - |
| showipbgpvrf<name> | showipbgp***v4vrf<name> | DisplaysBGPcommandsforaspecificVRFinstance |
| showipeigrpvrf<name> | showipeigrpvrf<name> | DisplaysEIGRPinformationforspecificVRFinstance |
| showipisisvrf<name> | showisis<#> | DisplaysISIScommandsforaspecificVRFinstance |
| showipospfvrf<name> | showipospf<#> | DisplaysOSPFinformationforaspecificVRFinstance |
| showipripvrf<name> | showipripdatabasevrf<name> | DisplaysRIPinformationforaspecificVRFinstance |
| showipstatic-routevrf<name> | - | DisplaysstaticroutesforaspecificVRFinstance |
| - | - | - |
| showforwardingvrf<name> | showipcefvrf<name> | DisplaysFIBinformationforaspecificVRF(multiplesub-options) |
| - | - | - |
| showroutingvrf | - | Displaysasubsetoftheshowvrfcommands |
| showrouting-context | - | Displaysthecurrentroutingcontext |
WithintheVDCthefollowingconfigurationsarerequired.
vPCneedstobeenabled:
agg(config)#featurevpc
AdomainneedstobedefinedandprioritiestodefineprimaryandsecondaryrolesinthevPCconfiguration.Thelowernumberhashigherpriority,anditwins.
Notealsothattheroleisnon-preemptive,soadevicemaybeoperationallyprimary,butsecondaryfromaconfigurationperspective.Becausespanningtreeispreemptive,thismayresultinamismatchbetweenthespanningtreerootandthevPCoperationalprimary.
agg(config)#vpcdomain1
agg1(config-vpc-domain)#rolepriority100
agg2(config-vpc-domain)#rolepriority110
TherearenofunctionalissueswhentheSTProotandvPCprimarynodedonotmatch.Thiscanonlycausesomesub-optimalconvergencetimeduetoSTPresynchronizationwhenthepeer-linkisflappedoravPCdeviceisreloaded.
Becauseofthis,incaseyouwanttorestoretheoriginalmappingbetweenSpanning-treerootandvpcprimaryyoucanfollowthisprocedureonthesecondary,operationalprimarydevice.
·EnterthevPCdomainconfiguration,vpcdomain<domain_id>(samevPCdomainyouareusing).
·ResetthevPCroleprioritywiththecommand....vpcrolepriority<priority_number>(re-enteringthesameprioritywouldbeOK).
·Performashut/noshutoverthepeer-link
Oryoucancreateascript(whichyoushouldcustomize):
7k-1(config)#clialiasnamevpcpreemptconft;vpcdomain<number>;rolepriority32767;intpo10;shut;nosh
7k-1(config)#showclialias
CLIaliascommands
==================
alias:showclialias
vpcpreempt:conft;vpcdomain10;rolepriority32767;intpo10;shut;nosh
vPCDomainID
WhenconfiguringthevPCdomainID,makesureit’sdifferentfromtheoneusedbyaneighboringvPC-capabledevicewithwhichyouplantoconfigurevPC.也就是说N7K与N5K不要相同
Asaresult,inaback-to-backvPCconfiguration,iftheneighboringswitchesusethesamedomainID,there’sariskofconflictingsystem-idintheLACPnegotiationthatcouldleadtoanunsuccessfulLACPnegotiation.
vPCPeerLink
Thisportchannelshouldbeconfiguredondedicated-mode10-GigEinterfacesacrosstwodifferent10-Gigabitlinecards.agg(config)#interfaceport-channel10
agg(config-if)#vpcpeer-link
agg(config-if)#switchporttrunkallowedvlan<allaccessvlans>
Configurationforsingle10GigECard
Usingasingle10GigabitEthernetcardontheNexus7000forbothcoreconnectivityaswellasthepeerlinkispossible,butnotthemostdesirableoption.Ifyoulosethe10Gigabitcardonthevpcprimary,youlosenotonlycoreconnectivity,butalsothepeerlink.Asaresult,portswillbeshutdownonthepeervpcdevice,isolatingtheserverscompletely.
Apicturehelpsexplaining:
Inthistopology,thefailureofthe10GigEcardthatprovidesbothpeer-linkconnectivityandcoreconnectivity,causesthevPCsecondarytothusdownthevPCmemberports,sothattrafficflowstothevPCprimary.ThevPCprimarydoesn’thaveanycoreconnectivitythough,sotrafficgetsblackholedwithasinglefailure.
Thebestsolutionisnaturallytohavetwo10GigElinecards,butalternativelyyoucanusetheobjecttrackingfunctionality.
Theobjectsbeingtrackedaretheuplinkstothecoreandthepeer-link.
IftheselinksarelostvPCslocaltotheswitcharebroughtdownsothattrafficcancontinueonthevPCpeer.
Thisfeatureisconfiguredbyusingthefollowingcommandsyntax:
!Trackthevpcpeerlink
track1interfaceport-channel110line-protocol
!Tracktheuplinkstothecore
track2interfaceEthernet7/9line-protocol
!Combinealltrackedobjectsintoone.
!“OR”meansifALLobjectaredown,thisobjectwillgodown
!-->wehavelostallconnectivitytothecoreandthepeerlink
track10listbooleanOR
object1
object2
!Ifobject10goesdownontheprimaryvPCpeer,
!systemwillswitchovertoothervPCpeeranddisablealllocalvPCs
vpcdomain1
track10
CFSoE
CiscoFabricServicesoverEthernet(CFSoE)providesseveralinfrastructureservicesforvPC,includingMACsynchronization,configurationverificationforpotentialmismatchintheconfigurations,andlockingoftheconfigurationwhileavPCpeerisbeingupgraded.
TheCFSoEconfigurationdoesnotneedtobespecificallyenabled,butjustasareference,theconfigurationappearsautomaticallywhenyouenablevPC,anditlookslikethis:
agg1(config)#cfsregion10
agg1(config-cfs-region)#vpc
agg1(config)#cfsethernetdistribute
vPCPeerKeepaliveorFTLink
Finally,adual-activedetectionconfigurationneedstobeputinplace.Thekeepalivethatisusedtoresolvedual-activescenarioscanbecarriedoveraroutedinfrastructure;itdoesn’tneedtobeadirectpoint-to-pointlink.Thekeepalivesaresenteverytwoseconds.ThefollowingconfigurationillustratestheuseofadedicatedGigEinterfaceforthispurpose.
vrfcontextvpc-keepalive
interfaceEthernet8/16
descriptiontc-nexus7k02-vdc2-vPCHeartbeatLink
vrfmembervpc-keepalive
ipaddress192.168.1.1/24
noshutdown
vpcdomain1
peer-keepalivedestination192.168.1.2source192.168.1.1vrfvpc-keepalive
vPCPorts
PortchannelsareconfiguredbybundlingLayer2ports(switchports)oneachNexusswitchviathecommandvpc.Thesystemissuesanerrormessageiftheportchannelwasn’tpreviouslyconfiguredasaswitchport.agg1(config)#interfaceethernet2/9
agg1(config-if)#channel-group51modeactive
agg1(config)#interfacePort-channel51
agg1(config-if)#switchport
agg1(config-if)#vpc51
!
agg2(config)#interfaceethernet2/9
agg2(config-if)#channel-group51modeactive
agg2(config)#interfacePort-channel51
agg2(config-if)#switchport
agg2(config-if)#vpc51
Youcanverifythesuccessoftheconfigurationbyissuingthecommand:
agg1#showvpcbrief
tc-nexus7k02-vdc2#showvpcbr
[…]
vPCstatus
----------------------------------------------------------------------
idPortStatusConsistencyReasonActivevlans
-------------------------------------------------------------
51Po51down*failedvPCtype-1configuration-
incompatible-STP
interfaceporttype
inconsistent
IftheConsistencycheckdoesn’tshowSuccess,itisrecommendedthatyouverifytheConsistencyParameters.TypicalreasonsforthevPCnottoforminclude:thevLANthatisdefinedinthetrunkdoesn’texist,oritisnotdefinedonthepeerlink.
tc-nexus7k01-vdc2#showvpcconsistency-parametersglobal
tc-nexus7k01-vdc2#showvpcconsistency-parametersintport-channel51
Legend:
Type1:vPCwillbesuspendedincaseofmismatch
NameTypeLocalValuePeerValue
--------------------------------------------------------------
STPPortType1DefaultDefault
STPPortGuard1NoneNone
STPMSTSimulatePVST1DefaultDefault
AllowedVLANs-10-14,21-24,50,6010-14,21-24,50,60
AfteraportisdefinedaspartofavPC,anyfurtherconfigurations,suchasenablingordisablingbridgeassuranceortrunkingmode,etc,areperformedundertheinterfaceportchannelconfigurationmode.Tryingtoconfigurespanningtreepropertiesforthephysicalinterfaceinsteadoftheportchannelwillresultinanerrormessage.
OrphanPortswithnon-vPCVLANs
Asdescribedinchapter3,whenthepeerlinkislost,vPCshutsdowntheSVIonthesecondaryswitchand,asaresult,orphanportsontheoperationalsecondarymaybecomeisolated.Forthisreasonyoumayeithertrunkthenon-vPCvLANsonadifferentlink,or,youshouldremovethenon-vPCVLANsfromthisbehaviorasdescribedhere.
FirstyoumaywanttoexecutethefollowingcommandtolearnwhichportsareconsideredorphanportsfromtheNexus7000perspective:
Nexus7000#showvpcorphan-ports
Secondyoucanremovethenon-vPCVLANsinthevpcdomainconfiguration:
vpcdomain1
rolepriority100
dual-activeexcludeinterface-vlan<non-vPCVLANs>
peer-keepalivedestination192.168.1.2source192.168.1.1vrfvpc-keepalive
HSRP
TheuseofHSRPinthecontextofvPCdoesn’trequireanyspecialconfiguration.WithvPC,onlytheactiveHSRPinterfaceanswersARPrequests,butbothHSRPinterfaces(activeandstandby)canforwardtraffic.IfanARPrequestcomingfromaserverarrivesonthesecondaryHSRPdevice,thenitisforwardedtotheactiveHSRPdeviceviathepeerlink.
HSRPConfigurationandBestPracticesforvPC
TheconfigurationonthePrimaryNexus7000lookslikethis:
interfaceVlan50
noshutdown
ipaddress10.50.0.251/24
hsrp50
preemptdelayminimum180
priority150
timers13
ip10.50.0.1
TheconfigurationontheSecondaryNexus7000looksasfollows:
interfaceVlan50
noshutdown
ipaddress10.50.0.252/24
hsrp50
preemptdelayminimum180
priority130
timers13
ip10.50.0.1
ThemostsignificantdifferencebetweentheHSRPimplementationofanon-vPCconfigurationcomparedwithavPCconfigurationisthattheHSRPMACaddressesofavPCconfigurationareprogrammedwiththeG(gateway)flagonbothsystems,comparedwithanon-vPCconfigurationwhereonlytheactiveHSRPinterfacecanprogramtheMACaddresswiththeGflag.
Thankstothis,routabletrafficcanbeforwardedbyboththevPCprimary(whereHSRPispimrary)andthevPCsecondarydevice(whereHSRPissecondary)withouthavingtosendthistraffictotheHSRPprimarydevice.
WithoutthisflagtraffichittingtheMACwouldnotberouted.
vPCHSRPOnActive:
G-0000.0c07.ac01static
vPCHSRPOnStandby:
G-0000.0c07.ac01static
Innon-vPCenvironmenttheHSRPMAClooksasfollows:
·OnActive:G-0000.0c07.ac01static
·OnStandby:*-0000.0c07.ac01static
InordertoverifythattheHSRPconfigurationisfunctioningcorrectly,youmaywanttoissuethefollowingcommandandverifythattheActiveandStandbyrolesareclearlyconverged:
agg1#showhsrpbrief
IfsomestandbygroupsshowasUnknown,thenyoumayhaveforgottentotrunktheVLANonthepeerlinkfrombothNexus7000vPcpeers.
AdvertisingtheSubnet
TheconfigurationiscompletedbyincludingthesubnetintheroutingadvertisementsandmakingsurethatthevLANsusedforserverconnectivityarenotusedtocreateneighborrelationshipbetweentheaggregationlayerdevices.
interfaceVlan50
noshutdown
ipaddress10.50.0.251/24
ipospfpassive-interface
iprouterospf1area0.0.0.0
hsrp50
preemptdelayminimum180
priority150
timers13
ip10.50.0.1
L3LinkBetweenvPCPeers
InvPCdesignsyoushouldmakesuretoincludeaL3link/vLANbetweentheNexus7000ssothattheroutingareascanbeadjacent.YoumayalsoconsiderHSRPtrackinginnon-vPCdesign,butnotinvPCdesigns.
Youshould,therefore,createaL3pathonthepeerlinkbetweentheroutingengineonAgg2andAgg1insteadofusingHSRPtracking.
tc-nexus7k01-vdc2(config)#vlan3
tc-nexus7k01-vdc2(config-vlan)#namel3_vlan
tc-nexus7k01-vdc2(config-vlan)#exit
tc-nexus7k02-vdc2(config)#intvlan3
tc-nexus7k02-vdc2(config-if)#ipaddress10.3.0.2255.255.255.252
tc-nexus7k02-vdc2(config-if)#iprouterospf1area0.0.0.0
tc-nexus7k02-vdc2(config-if)#noshut
tc-nexus7k01-vdc2(config)#intPort-channel10
tc-nexus7k01-vdc2(config-if)#switchporttrunkallowedvlanadd3
YoucanthenverifythattheNexus7000areOSPFneighborsbyissuingthefollowingcommand.
tc-nexus7k01-vdc2#showipospfneigh
OSPFProcessID1VRFdefault
Totalnumberofneighbors:3
NeighborIDPriStateUpTimeAddressInterface
128.0.0.31FULL/DR01:03:0510.51.35.126Vlan10
CiscoNX-OS/IOSTACACS+,RADIUS,andAAAComparison
FromDocWikiJumpto:
Objective
ThistechnoteoutlinesthemaindifferencesinTACACS+,RADIUS,andauthentication,authorizationandaccounting(AAA)supportbetweenCisco?NX-OSSoftwareandCiscoIOS?Software.SampleconfigurationsareincludedforCiscoNX-OSandCiscoIOSSoftwareforsomecommonfeaturestodemonstratethesimilaritiesanddifferences.Pleaserefertothe
AAAOverview
AAAusedincombinationwithTACACS+orRADIUSprovidesremoteauthentication,authorizationandaccountingsecurityservicesforcentralizedsystemmanagement.AAAservicesimprovescalabilityandsimplifynetworkmanagementbecausetheyuseacentralsecuritydatabaseratherthanlocaldatabases.
ImportantCiscoNX-OSandCiscoIOSSoftwareDifferences
InCiscoNX-OS:
TACACS+command-lineinterface(CLI)configurationandverificationcommandsarenotavailableuntilyouenabletheTACACS+featurewiththefeaturetacacs+command.
Theaaanew-modelcommandisnotrequiredtoenableAAAauthentication,authorization,oraccounting.
TheRADIUSvendor-specificattributes(VSA)featureisenabledbydefault.
Localcommandauthorizationcanbeperformedwhenusingrole-basedaccesscontrol(RBAC)withoutaAAAserver.UserrolescanbeassociatedwithusersconfiguredontheAAAserverusingVSAs.RemotecommandauthorizationcanbeperformedonaAAAserverwhenusingAAAwithTACACS+.
IfnoAAAserverisavailableforauthentication,thelocaldatabaseisautomaticallyusedfordeviceaccess.
TheTACACS+andRADIUShostkeysareTripleDataEncryptionStandard(3DES)encryptedintheconfiguration.CiscoIOSSoftwarerequirestheservicepasswordcommand.
ThingsYouShouldKnow
ThefollowinglistprovidessomeadditionalfactsaboutCiscoNX-OSthatshouldbehelpfulwhenconfiguringandmaintainingTACACS+,RADIUS,andAAAservices.
DifferentAAA,TACACS+,andRADIUSpoliciescanbeappliedpervirtualdevicecontext(VDC).However,theconsoleloginpolicyonlyappliestothedefaultVDC.
Ifyouremovethefeaturetacacs+command,allrelevantTACACS+configurationinformationisalsoremoved.
64TACACS+and64RADIUSserverscanbeconfiguredperdevice.
AAAservergroupsareassociatedwiththedefaultVirtualRouteForwarding(VRF)instancebydefault.AssociatetheproperVRFinstancewiththeAAAservergroupifyouareusingthemanagementportonthesupervisororiftheAAAserverisinanondefaultVRFinstance.
AnIPsourceinterfacecanbeassociatedwithAAAservergroups.
TACACS+andRADIUSserverkeyscanbespecifiedforagroupofserversorperindividualserver.
Bydefault,TACACS+usesTCPport49,andRADIUSusesUDPports1812(authentication)and1813(accounting).
DirectedserverrequestsareenabledbydefaultforTACACS+andRADIUS.
ThelocaloptioncanbeusedwithAAAauthorizationtofallbacktoRBACintheeventaAAAserverisnotavailableforcommandauthorization.
Usetheshowrunning-configcommandwiththeaaa,tacacs+,orradiusoptiontodisplaythecurrentAAAconfiguration.
ConfigurationComparison
ThefollowingsamplecodeshowsconfigurationsimilaritiesanddifferencesbetweentheCiscoNX-OSandCiscoIOSSoftwareCLIs.Theconfigurationsforthetwooperatingsystemsareverysimilar.
| CiscoIOSCLI | CiscoNX-OSCLI |
| EnablingTACACS+ |
| CiscoIOSSoftwaredoesnothavetheabilitytoenableordisableTACACS+. | featuretacacs+ |
| ConfiguringaTACACS+ServerwithaKey |
| tacacs-serverhost192.168.1.1keycisco123 | tacacs-serverhost192.168.1.1key7"fewhg123" |
| SpecifyingaNondefualtTACACS+TCPPort |
| tacacs-serverhost192.168.1.1port85 | tacacs-serverhost192.168.1.1port85 |
| SpecifyingtheTACACS+TimeoutValue(Global) |
| tacacs-servertimeout10 | tacacs-servertimeout10 |
| ConfiguringaRADIUSServerwithaKey |
| radius-serverhost192.168.1.1keycisco123 | radius-serverhost192.168.1.1key7"fewhg123" |
| SpecifyingNondefualtRADIUSUDPPorts |
| radius-serverhost192.16.1.1auth-port1645acct-port1646 | radius-server192.168.1.1auth-port1645acct-port1646 |
| SpecifyingtheRADIUSTimeoutValue(Global) |
| radius-serverhost192.168.1.1timeout10 | radius-servertimeout10 |
| ConfiguringanAAAServerGroup(TACACS+) |
| aaagroupservertacacs+AAA-Servers server192.168.1.1 | aaagroupservertacacs+AAA-Servers server192.168.1.1 |
| ConfiguringanAAAServerGroup(RADIUS) |
| aaagroupserverradiusAAA-Servers server192.168.1.1 | aaagroupserverradiusAAA-Servers server192.168.1.1 |
| ConfiguringanAAAServerGroupforaVRFInstance(RADIUS) |
| aaagroupserverradiusAAA-Servers server192.168.1.1 ipvrfforwardingmanagement | aaagroupserverradiusAAA-Servers server192.168.1.1 use-vrfmanagement |
| ConfiguringtheAAAServerGroupDeadTime(RADIUS) |
| aaagroupserverradiusAAA-Servers deadtime5 | aaagroupserverradiusAAA-Servers deadtime5 |
| EnablingAAAAuthenticationwithanAAAServerGroup |
| aaanew-model aaaauthenticationlogindefaultgroupAAA-Servers | aaaauthenticationlogindefaultgroupAAA-Servers |
| EnablingAAAAuthorizationwithanAAAServerGroup |
| aaanew-model aaaauthorizationconfig-commands aaaauthorizationcommands1defaultgroupAAA-Servers | aaaauthorizationconfig-commandsdefaultgroupAAA-Servers aaaauthorizationcommandsdefaultgroupAAA-Servers |
| EnablingAAAAccountingwithanAAAServerGroup |
| aaanew-model aaaaccountingexecdefaultstart-stopgroupAAA-Servers | aaaaccountingdefaultgroupAAA-Servers |
ThefollowingtablecomparessomeusefulshowcommandsforverifyingandtroubleshootingAAA,TACACS+,andRADIUS.
| CiscoNX-OSAAA | CiscoIOSSoftwareAAA | CommandDescription |
| showtacacs | showtacacs | DisplaystheTACACS+serverconfigurationforallservers |
| showtacacs<x.x.x.x> | - | DisplaysaspecificTACACS+serverconfiguration |
| showtacacsserverdirected-request | - | Displaysthestatusofthedirected-requestfeature(enabledordisabled) |
| showtacacsservergroups | - | DisplaysTACACS+servergroups |
| showtacacsstatistics<x.x.x.x> | - | DisplaysTACACS+statisticsforaspecificserver |
| - | - | - |
| showradius | - | DisplaystheRADIUSserverconfigurationforallservers |
| showradius<x.x.x.x> | - | DisplaysaspecificRADIUSserverconfiguration |
| showradiusserverdirected-request | - | Displaysthestatusofthedirected-requestfeature(enabledordisabled) |
| showradiusservergroups | showradiusserver-group | DisplaysRADIUSservergroups |
| showradiusstatistics<x.x.x.x> | showradiusstatistics | DisplaysRADIUSstatisticsforaspecificserver |
| - | - | - |
| showaaaaccounting | - | DisplaysthestatusofAAAaccounting |
| showaaaauthentication | - | Displaysthedefaultandconsoleloginmethods |
| showaaaauthenticationloginerror-enable | - | Displaystheloginerrormessagestatus(enabledordisabled) |
| showaaaauthenticationloginmschap | - | DisplaysthestatusoftheMicrosoftChallengeHandshakeAuthenticationProtocol(MS-CHAP;enabledordisabled) |
| showaaaauthorization | - | DisplaystheAAAauthorizationconfiguration |
| showaaagroups | - | DisplaystheAAAgroupsthatareconfigured |
| - | - | - |
| showuser-account | - | Displaysalistoflocallyconfiguredusers |
| showusers | showusers | Displaystheuserswhoareloggedin |
Nexus5010down(config-if)#channel-group17modeactive
Fabricport-channelinLACPmodeisnotsupported
Nexus5010down(config-if)#
Nexus5010down(config-if)#interfaceEthernet1/18
Nexus5010down(config-if)#fexassociate101
Nexus5010down(config-if)#switchportmodefex-fabric
Nexus5010down(config-if)#channel-group18modeactive
Fabricport-channelinLACPmodeisnotsupportedRetrievedfrom"
Nexus5000的配置同步
Nexus5000配置同步可以节省配置时间。配置同步需要在Nexus5000的ConfigSync模式下进行配置;配置的同时,要求vPC工作正常。
Configsync是Nexus50005.0版本提供的新级别,级别下有的命令如下:
| RTS39_5010(config)#confsync RTS39_5010(config-sync)#? noNegateacommandorsetitsdefaults resync-databaseRe-synchronizeswitch-profiledatabase switch-profileEnterswitch-profileconfigurationmode endGotoexecmode exitExitfromcommandinterpreter popPopmodefromstackorrestorefromname pushPushcurrentmodetostackorsaveitundername whereShowstheclicontextyouarein |
| RTS39_5010(config)#cfsipv4distribute//确认CFS的IPV4模式启动 RTS39_5010(config)#vpcdomain50…….//确认vPC正常工作 ………… RTS39_5010(config)#configsync RTS39_5010(config-sync)#switch-profilecisco RTS39_5010(config-sync-sp)#sync-peersdestination10.225.248.6//设定同步对端 |
同步配置需要在switch-profile方式下配置,然后推送到对端。
| RTS39_5010(config-sync)#switch-profilecisco Switch-Profilestarted,ProfileIDis1 RTS39_5010(config-sync-sp)#vlan555 RTS39_5010(config-sync-sp-vlan)#inte103/1/48 RTS39_5010(config-sync-sp-if)#switchportmodeaccess |
| Switch-Profilestarted,ProfileIDis1 RTS39_5010(config-sync-sp)#vlan555 RTS39_5010(config-sync-sp-vlan)#inte103/1/48 RTS39_5010(config-sync-sp-if)#switchportmodeaccess RTS39_5010(config-sync-sp-if)#exit RTS39_5010(config-sync-sp)#verify VerificationSuccessful RTS39_5010(config-sync-sp)#commit |
| RTS39_5010(config-sync)#resync-database Re-synchronizationofswitch-profiledbtakesafewminutes... Re-synchronizeswitch-profiledbcompletedsuccessfully. RTS39_5010(config-sync)#switch-profilecisco Switch-Profilestarted,ProfileIDis1 RTS39_5010(config-sync-sp)#inte103/1/48 RTS39_5010(config-sync-sp-if)#swaccvlan11 RTS39_5010(config-sync-sp-if)#exit RTS39_5010(config-sync-sp)#verify VerificationSuccessful |
初始化Nexus2000FabricModule
Nexus2000缺省不带任何的NX-OS以及配置,每次启动的时候,都会与上层交换机(Nexus5000或者Nexus7000)比对NX-OS版本和配置。如果版本和配置有变化,则强制与上级交换机同步。与Nexus2000连接的交换机使用10GE接口相连,交换机接口需要进行如下配置,以便上层交换机可以识别:
| interfaceEthernet1/17 fexassociate100//指定关联的FabricModule成为第100个关联的模块 switchportmodefex-fabric//指定接口的功能用于驳接FabricModule |
同步完成之后,将可看到如下信息:
| N5Kup(config-if)#showfex FEXFEXFEXFEX NumberDescriptionStateModelSerial ------------------------------------------------------------------------ 100FEX0100OnlineN2K-C2248TP-1GEJAF1438DRAG 101FEX0101OnlineN2K-C2248TP-1GEJAF1438BGBF |
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Nexus+Maven安装配置手册
- AndroidStudio之Nexus使用手册
- MySQL 4.1.0 中文参考手册 --- 6.4 数据操纵:SELECT, INSERT, UPDATE, DELETE
- 学习手册之从MySQL得到最大的性能
- Linux配置手册(四)Linux 下vsftp的搭建与各种配置
- Maven仓库管理-Nexus
- 入门指引 - PHP手册笔记
- 手机 SMS PDU 格式参考手册
- 树莓派RPi.GPIO使用手册
- InnoDB 中文参考手册 --- 3 建立一个 InnoDB 数据库
- 中文参考手册--8.MySQL教程--8.6以批处理模式使用mysql
- 软件开发人员的作战手册――让程序员活的久一点
- leaks 使用手册
- 丢掉鼠标-Mac神软Alfred使用手册
- nexus 社区版3.0.2部署、访问
- Linux下安装nexus私服
- 我收藏的Transact_SQL小手册,适合初学者
- 4.1.0中文参考手册---6.3用于SELECT和WHERE子句的函数(2)
- Linux Heartbeat 2.1.3安装手册
- Linux管理员手册