Nexus 7000 Lab Guide


Page 1: Nexus 7000 Lab Guide


To have a successful E-Learning lab, it is important to go through pages 1 – 4 before starting the lab exercises!

System Verification

Identify Your Pod Number: the pod number can be found in the upper left corner, Nexus7k_elearning – Nexus-7000-X, where X is your pod number. Make a note of your pod number on paper.

Note: In this document, the interfaces shown in most of the output of these steps belong to Pod5. If you are on a different pod, please refer to the next section, Accounts and Password.

Page 2: Nexus 7000 Lab Guide


Accounts and Password

Once your pod number is identified, locate the Login/Password for your pod. Make a note of the credentials and of the interfaces assigned to your pod on paper. Don't try to ping these IP addresses; the systems are in a DMZ that doesn't allow ping.

Table 1 POD Information and Access Account

POD     Device         Login/Password    Assigned Interfaces
POD 5   N7K-1, N7K-2   admin/pod5nxos    9/1-8, 10/1-5
        CAT 6K         n/a               6/1-2
POD 6   N7K-1, N7K-2   admin/pod6nxos    9/9-16, 10/13-17
        CAT 6K         n/a               6/1-2
POD 7   N7K-1, N7K-2   admin/pod7nxos    9/17-24, 10/25-29
        CAT 6K         n/a               6/1-2
POD 8   N7K-1, N7K-2   admin/pod8nxos    9/25-32, 10/37-41
        CAT 6K         n/a               6/1-2

Page 3: Nexus 7000 Lab Guide


Lab Topology and Access

Lab Topology

The diagram below represents the logical lab setup (the diagram shows only your POD for simplicity).

Lab Access

The Nexus 7000 requires console access to perform the initial configuration of the system. After the initial configuration, the system can be managed entirely from the management interface. To access the Nexus 7000, click on the device icon and select Telnet.

Page 4: Nexus 7000 Lab Guide


For Cat6K, click on the device icon and select ClearLine first to make sure the line is cleared for Telnet.

Once the line is cleared, you will see “Clear Line success” message.

Page 5: Nexus 7000 Lab Guide


Lab Exercise

N7K-C1-1-pod5# show module

Mod Ports Module-Type                      Model              Status
--- ----- -------------------------------- ------------------ ------------
5   0     Supervisor module-1X             N7K-SUP1           active *
9   32    10 Gbps Ethernet Module          N7K-M132XP-12      ok
10  48    10/100/1000 Mbps Ethernet Module N7K-M148GT-11      ok

Mod Sw             Hw
--- -------------- ------
5   4.1(5)         0.904
9   4.1(5)         1.3
10  4.1(5)         0.903

Mod MAC-Address(es)                        Serial-Num
--- -------------------------------------- ----------
5   00-1b-54-c1-20-58 to 00-1b-54-c1-20-60 JAB115200YK
9   00-22-55-77-63-bc to 00-22-55-77-63-e0 JAB122400HY
10  00-1b-54-c1-29-40 to 00-1b-54-c1-29-74 JAB115101BV

Mod Online Diag Status
--- ------------------
5   Pass
9   Pass
10  Pass

Xbar Ports Module-Type                      Model              Status
---  ----- -------------------------------- ------------------ ------------
1    0     Fabric Module 1                  N7K-C7010-FAB-1    ok
2    0     Fabric Module 1                  N7K-C7010-FAB-1    ok

Xbar Sw             Hw
---  -------------- ------
1    NA             0.405
2    NA             0.405

Xbar MAC-Address(es)                        Serial-Num
---  -------------------------------------- ----------
1    NA                                     JAB11520127
2    NA                                     JAB1152012X

Let's check now the software the system is running.

N7K-C1-1-pod5# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each

Page 6: Nexus 7000 Lab Guide


such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Software
  BIOS:      version 3.14.0
  loader:    version N/A
  kickstart: version 4.1(5) [gdb]
  system:    version 4.1(5) [gdb]
  BIOS compile time:       01/31/08
  kickstart image file is: bootflash:/n7000-s1-kickstart.4.1.5-labops.gbin
  kickstart compile time:  3/21/2009 12:00:00 [04/09/2009 08:01:41]
  system image file is:    bootflash:/n7000-s1-dk9.4.1.5-labops.gbin
  system compile time:     3/21/2009 12:00:00 [04/09/2009 09:06:08]

Hardware
  cisco Nexus7000 C7010 (10 Slot) Chassis ("Supervisor module-1X")
  Intel(R) Xeon(R) CPU with 4135600 kB of memory.
  Processor Board ID JAB115200YK

  Device name: N7K-C1-1
  bootflash:    2030616 kB
  slot0:              0 kB (expansion flash)

Kernel uptime is 0 day(s), 0 hour(s), 21 minute(s), 4 second(s)

Last reset at 493509 usecs after Sat Apr 18 23:03:39 2009
  Reason: Reset Requested by CLI command reload
  System version: 4.1(5)
  Service:

plugin
  Core Plugin, Ethernet Plugin

Note: NX-OS is composed of two images: a kickstart image that contains the Linux kernel and a system image that contains most of the NX-OS software components. Both show up in the configuration.

Note: In future releases other plug-ins will be added, such as the “Storage” plug-in for FCoE.

Let's now take a look at the running configuration.

N7K-C1-1-pod5# show running-config

version 4.1(5)
<omitted config>
vrf context management
vlan 1-4
interface Ethernet9/1

Note: Callouts in the original figure mark, in the output above, the NX-OS version, the interfaces available to your Pod (Virtual Device Context), the storage devices, the image locations, the CPU and the active plug-in.

Page 7: Nexus 7000 Lab Guide


interface Ethernet9/2
<omitted interface config>
interface Ethernet2/16
interface mgmt0
  ip address 128.107.221.105/26

Note: This is the configuration of the first Pod. As explained earlier, each Pod runs within a Virtual Device Context (VDC). By using the VDC feature, the physical Nexus 7000 can be segmented into multiple logical switches, each of which runs in a separate memory space and has visibility only of the hardware resources that it owns, providing total isolation between the VDCs.

The “show running-config” command has been improved. One of the improvements is the ability to look not only at the running-config but also at the default values, which do not show up in the base config. The keyword to use is “all”.

N7K-C1-1-pod5# show running-config all | begin mgmt0
interface mgmt0
  cdp enable
  description
  speed auto
  duplex auto
  no shutdown
  ip address 128.107.221.105/26
  ip redirects
  ip port-unreachable
  ip arp gratuitous update
  ip arp gratuitous request
line vty
  session-limit 32
  no exec-timeout
line console
  no exec-timeout
  terminal length 24
  terminal width 80
cfs distribute
no cfs eth distribute
cfs ipv4 mcast-address 239.255.70.83
cfs ipv6 mcast-address ff15::efff:4653
no cfs ipv4 distribute
no cfs ipv6 distribute
ip source-route
<omitted output>


Page 8: Nexus 7000 Lab Guide


2. Management VRF and Basic Connectivity

The management interface is, by default, part of the management VRF. The management interface “mgmt0” is the only interface allowed to be part of this VRF. The philosophy behind the management VRF is to provide total isolation of the management traffic from the rest of the traffic flowing through the box, by confining the former to its own forwarding table.

In this step we will:
- Verify that only the mgmt0 interface is part of the management VRF
- Verify that no other interface can be part of the management VRF
- Verify that the default gateway is reachable only using the management VRF

N7K-C1-1-pod5# show vrf
VRF-Name                           VRF-ID State   Reason
default                                 1 Up      --
management                              2 Up      --

N7K-C1-1-pod5# show vrf interface

Interface                 VRF-Name                        VRF-ID
mgmt0                     management                           2
Ethernet1/1               default                              1
Ethernet1/2               default                              1
Ethernet1/3               default                              1
Ethernet1/4               default                              1
Ethernet1/5               default                              1
<omitted output>

N7K-C1-1-pod5# show vrf management interface

Interface                 VRF-Name                        VRF-ID
mgmt0                     management                           2

Note: The management VRF is part of the default configuration, and the management interface “mgmt0” is the only interface that can be made a member of this VRF. Let's verify it.

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# interface ethernet 9/1
N7K-C1-1-pod5(config-if)# vrf member management
% VRF management is reserved only for mgmt0

N7K-C1-1-pod5(config-if)# show int mgmt0

mgmt0 is up
  Hardware: GigabitEthernet, address: 0022.5577.5e50 (bia 0022.5577.5e50)
  Internet Address is 128.107.221.105/26
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  full-duplex, 1000 Mb/s

Note: FastEthernet? GigabitEthernet? No, NX-OS has just “ethernet” interfaces.

Note: On Pod6 the interface is 9/9, on Pod7 9/17 and on Pod8 9/25.

Page 9: Nexus 7000 Lab Guide


  Auto-Negotiation is turned on
  1 minute input rate 1264 bits/sec, 1 packets/sec
  1 minute output rate 1136 bits/sec, 0 packets/sec
  Rx
    743 input packets 679 unicast packets 60 multicast packets
    4 broadcast packets 70900 bytes
  Tx
    567 output packets 542 unicast packets 23 multicast packets
    2 broadcast packets 66407 bytes

Try to reach the out-of-band management network's default gateway with a ping.

N7K-C1-1-pod5(config-if)# ping 128.107.221.65

PING 128.107.221.65 (128.107.221.65): 56 data bytes
ping: sendto 128.107.221.65 64 chars, No route to host
Request 0 timed out
ping: sendto 128.107.221.65 64 chars, No route to host
Request 1 timed out
ping: sendto 128.107.221.65 64 chars, No route to host
Request 2 timed out
ping: sendto 128.107.221.65 64 chars, No route to host
Request 3 timed out
ping: sendto 128.107.221.65 64 chars, No route to host
Request 4 timed out

--- 128.107.221.65 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
N7K-C1-1-pod5(config-if)#

Note: The ping fails because we are trying to reach a system on the out-of-band management network without specifying the correct VRF.

N7K-C1-1-pod5# ping 128.107.221.65 vrf management

PING 128.107.221.65 (128.107.221.65): 56 data bytes
Request 0 timed out
64 bytes from 128.107.221.65: icmp_seq=1 ttl=254 time=0.887 ms
64 bytes from 128.107.221.65: icmp_seq=2 ttl=254 time=0.816 ms
64 bytes from 128.107.221.65: icmp_seq=3 ttl=254 time=0.943 ms
64 bytes from 128.107.221.65: icmp_seq=4 ttl=254 time=0.848 ms

--- 128.107.221.65 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 0.816/0.873/0.943 ms
N7K-C1-1-pod5#

Note: The ping output is Linux-like.

Page 10: Nexus 7000 Lab Guide


3. CLI Familiarization

The NX-OS CLI is very IOS-like. As you may have already noticed when configuring the system, NX-OS gives the user a very IOS-like look and feel. However, there are differences, which we consider improvements. One of the main differences is that NX-OS implements a hierarchy-independent CLI: every command can in fact be issued from anywhere in the configuration.

In this step we will:
- Verify the CLI hierarchy independence by issuing a ping from different places in the configuration hierarchy
- Verify the CLI piping functionality

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# ping ?
*** No matches in current mode, matching in (exec) mode ***
  <CR>
  A.B.C.D or Hostname  IP address of remote system
  WORD                 Enter Hostname
  multicast            Multicast ping

N7K-C1-1-pod5(config)# ping 128.107.221.65 vrf management

PING 128.107.221.65 (128.107.221.65): 56 data bytes
64 bytes from 128.107.221.65: icmp_seq=0 ttl=254 time=0.874 ms
64 bytes from 128.107.221.65: icmp_seq=1 ttl=254 time=0.733 ms
<omitted output>

--- 128.107.221.65 ping statistics ---
4 packets transmitted, 4 packets received, 0.00% packet loss
round-trip min/avg/max = 0.733/0.787/0.874 ms
N7K-C1-1-pod5(config)# int e9/1

N7K-C1-1-pod5(config-if)# ping ?

*** No matches in current mode, matching in (exec) mode ***

  <CR>
  A.B.C.D or Hostname  IP address of remote system
  WORD                 Enter Hostname
  multicast            Multicast ping
N7K-C1-1-pod5(config-if)# ping 128.107.221.65 vrf management

PING 128.107.221.65 (128.107.221.65): 56 data bytes
64 bytes from 128.107.221.65: icmp_seq=0 ttl=254 time=0.943 ms
<omitted output>
N7K-C1-1-pod5(config-if)#

Note: You can use the up-arrow to get the command history from exec mode.

Note: On Pod6 the interface is 9/9, on Pod7 9/17 and on Pod8 9/25.

Page 11: Nexus 7000 Lab Guide


Note: Any command can be issued from anywhere within the configuration

The output piping has also been improved and it's now very similar to the one on Linux machines.

N7K-C1-1-pod5# show running-config | ?
  cut      Print selected parts of lines.
  egrep    Egrep - print lines matching a pattern
  grep     Grep - print lines matching a pattern
  head     Display first lines
  last     Display last lines
  less     Filter for paging
  no-more  Turn-off pagination for command output
  sed      Stream Editor
  sort     Stream Sorter
  tr       Translate, squeeze, and/or delete characters
  uniq     Discard all but one of successive identical lines
  vsh      The shell than understands cli command
  wc       Count words, lines, characters
  begin    Begin with the line that matches
  count    Count number of lines
  end      End with the line that matches
  exclude  Exclude lines that match
  include  Include lines that match

N7K-C1-1-pod5# sh running-config | grep ?

  WORD          Search for the expression
  count         Print a total count of matching lines only
  ignore-case   Ignore case difference when comparing strings
  invert-match  Print only lines that contain no matches for <expr>
  line-exp      Print only lines where the match is a whole line
  line-number   Print each match preceded by its line number
  next          Print <num> lines of context after every matching line
  prev          Print <num> lines of context before every matching line
  word-exp      Print only lines where the match is a complete word

The following command finds the line containing “mgmt0” and prints the 3 lines that follow the match.

N7K-C1-1-pod5# sh running-config | grep next 3 mgmt0
interface mgmt0
  ip address 128.107.221.105/26
N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# int mgmt 0
N7K-C1-1-pod5(config-if)# [TAB]
cdp          exit         no           shutdown
description  ip           pop          vrf
end          ipv6         push         where

Note: [TAB] not only completes the command, but also shows the available keywords.

N7K-C1-1-pod5(config-if)# ?

  cdp          Configure CDP interface parameters
  description  Enter description of maximum 80 characters
  end          Go to exec mode
  exit         Exit from command interpreter

Page 12: Nexus 7000 Lab Guide


  ip           Configure IP features
  ipv6         Configure IPv6 features
  no           Negate a command or set its defaults
  pop          Pop mode from stack or restore from name
  push         Push current mode to stack or save it under name
  shutdown     Enable/disable an interface
  vrf          Configure VRF parameters
  where        Shows the cli context you are in

If you want to know the CLI context you are in, use the “where” command.

N7K-C1-1-pod5(config-if)# where

conf; interface mgmt0 admin@N7K-C1-1-pod5%default

4. Role Based Access Control (RBAC)

RBAC stands for “Role Based Access Control”. Upon login, every user is assigned a “role” that defines the privileges of the user who gained access to the system. NX-OS, through the RBAC feature, provides a very flexible and powerful framework to create ad hoc roles for any type of user. The roles are groups of rules that permit or deny a set of operations on NX-OS components.

In this step we will:
- Display the default roles
- Display the features and the feature-groups that can be used as part of a role
- Create a new role and apply the role to a newly created user
- Display the newly created role
- Test the role

NX-OS implements 4 default roles for the default VDC. Since the students are logged into a non-default VDC, only the two VDC default roles will be visible. For completeness the CLI output below shows all of them, but on the students' Pods only the last two (vdc-admin and vdc-operator) will be visible.

N7K-C1-1-pod5# show role

role: network-admin
  description: Predefined network admin role has access to all commands
  on the switch
  attribute: global
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: network-operator
  description: Predefined network operator role has access to all read
  commands on the switch
  attribute: global
  -------------------------------------------------------------------

Page 13: Nexus 7000 Lab Guide


  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
role: vdc-admin
  description: Predefined vdc admin role has access to all commands within
  a VDC instance
  attribute: local
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: vdc-operator
  description: Predefined vdc operator role has access to all read commands
  within a VDC instance
  attribute: local
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
N7K-C1-1-pod5#

Step 4a. Feature and Feature-groups.

All users, when they log in, are associated with a particular role. It can be one of the default pre-configured roles or a user-made role. A role is a set of rules that define what operations the user can perform, on an individual CLI command, feature or feature-group basis. Feature-groups are essentially groups of related features, such as the “L3” feature group (defined by default). You can group features in feature-groups and assign read/read-write permission to the whole group of features. To see the set of features and the feature groups available to be used as part of a role, issue the following commands.

N7K-C1-1-pod5# show role feature

feature: aaa
feature: access-list
feature: arp
feature: callhome
feature: cdp
<omitted output>
N7K-C1-1-pod5# sh role feature-group

feature group: L3
  feature: router-bgp
  feature: router-eigrp
  feature: router-isis
  feature: router-ospf
  feature: router-rip
N7K-C1-1-pod5#

Step 4b. Create a new role. Creating a role is very easy. We will create a new role that is allowed to issue all the “show” commands, to check basic connectivity using “ping” and to configure just the Cisco Discovery Protocol: “cdp”. After creating the role we will define a new user and associate the role to the newly created user.

Note: vdc-admin is the super-user within the Pod, while vdc-operator only gets show commands. User-defined roles allow very granular access control, down to the single CLI command, and can deny access to interfaces.

Page 14: Nexus 7000 Lab Guide


N7K-C1-1-pod5# config t
N7K-C1-1-pod5(config)# role name nxos
N7K-C1-1-pod5(config-role)# ?
  description  Add a description for the role
  end          Go to exec mode
  exit         Exit from command interpreter
  interface    Configure the interface policy for this role
  no           Negate a command or set its defaults
  pop          Pop mode from stack or restore from name
  push         Push current mode to stack or save it under name
  rule         Enter the rule number
  vlan         Configure the vlan policy for this role
  vrf          Configure the vrf policy for this role
  where        Shows the cli context you are in
N7K-C1-1-pod5(config-role)# rule 1 permit read
N7K-C1-1-pod5(config-role)# rule 2 permit read-write feature cdp
N7K-C1-1-pod5(config-role)# rule 3 permit command ping *
N7K-C1-1-pod5(config-role)# rule 4 permit command conf t ; interface *

Note: The rules are applied in descending order.

Note: A role can also specify which resources, in terms of Interfaces, VLANs and VRFs, the user is entitled to access. Let's exercise the interface restriction.

N7K-C1-1-pod5(config-role)# interface ?
  policy  Configure the interface policy for this role
N7K-C1-1-pod5(config-role)# interface policy deny
N7K-C1-1-pod5(config-role-interface)# permit interface ethernet 9/1

Note: Let's verify the role and create a user to whom to attach the role.

N7K-C1-1-pod5# show role name nxos

role: test
  description: new role
  vlan policy: permit (default)
  interface policy: deny
    permitted interface Ethernet2/1
  vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  4       permit  command                         conf t ; interface *
  3       permit  command                         ping *
  2       permit  read-write  feature             cdp
  1       permit  read

Step 4c. Attach the role.

Create a new user and attach the role. After that, please log out, log in as the rbac user and test the RBAC configuration.

N7K-C1-1-pod5# conf t

Note: On Pod6 the interface is 9/9, on Pod7 9/17 and on Pod8 9/25.

Page 15: Nexus 7000 Lab Guide


N7K-C1-1-pod5(config)# username rbac password rbac role nxos
N7K-C1-1-pod5(config)# end
N7K-C1-1-pod5# exit

Step 4d. It's now time to log in as the “rbac” user: click again on the system icon in the “Topology” tab.

Login: rbac
Password: rbac
Cisco Data Center Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
<omitted output>
N7K-C1-1-pod5# ?
  clear      Reset functions
  configure  Enter configuration mode
  debug      Debugging functions
  debug      Debugging function
  end        Go to exec mode
  exit       Exit from command interpreter
  ping       Test network reachability
  show       Show running system information

Note: Most of the commands are missing. Let's check the commands this user has been allowed to use.

N7K-C1-1-pod5# ping 128.107.221.65 vrf management

PING 128.107.221.65 (128.107.221.65): 56 data bytes
64 bytes from 128.107.221.65: icmp_seq=0 ttl=127 time=1.387 ms
64 bytes from 128.107.221.65: icmp_seq=1 ttl=127 time=0.935 ms
64 bytes from 128.107.221.65: icmp_seq=2 ttl=127 time=0.899 ms
64 bytes from 128.107.221.65: icmp_seq=3 ttl=127 time=0.927 ms
64 bytes from 128.107.221.65: icmp_seq=4 ttl=127 time=0.897 ms

--- 128.107.221.65 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.897/1.008/1.387 ms
N7K-C1-1-pod5# debug ?
  cdp  Configure CDP debugging

Note: Only the CDP debug is actually available.

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# ?
  cdp        CDP Configuration parameters
  end        Exit configuration mode
  exit       Exit from command interpreter
  interface  Configure Interfaces

Note: Only the “cdp” commands are available.

Page 16: Nexus 7000 Lab Guide


N7K-C1-1-pod5(config)# cdp ?

  advertise  Highest CDP version supported on the switch
  enable     Enable/disable CDP on all interfaces
  format     Device ID format for CDP
  holdtime   CDP hold time advertised (in seconds)
  timer      CDP refresh time interval (in seconds)

Note: Let's try to access an interface for which we don't have permission.

N7K-C1-1-pod5(config)# interface ethernet 9/2
% Interface permission denied
N7K-C1-1-pod5(config)# interface ethernet 9/1
N7K-C1-1-pod5(config-if)# no shut
N7K-C1-1-pod5(config-if)#

This step is completed; you can now close the terminal you were just using.
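As an added example (not code from the lab guide or from NX-OS), the following Python model reproduces how the “nxos” role built in step 4 decides the commands the rbac user just tried: rules are evaluated from the highest number down with the first match deciding, and the interface policy is checked separately. The command-to-feature table and the “conf t” mode string are constructed for the demo; the real mapping is the much larger “show role feature” list.

```python
"""Model of NX-OS role evaluation for the 'nxos' role built in step 4.

Added example, not code from the lab guide or from NX-OS. It models the
documented behaviour: rules are evaluated from the highest number down and
the first match decides; a 'read' rule covers show-type commands; a
'read-write feature X' rule covers the configuration and debug commands of
feature X; a 'command' rule is a glob over the command path; and a separate
interface policy decides which interfaces may be entered.
"""
import fnmatch

# Role 'nxos' exactly as entered in config-role mode in step 4b.
NXOS_ROLE_RULES = [
    (1, "permit", "read", ""),
    (2, "permit", "read-write", "feature cdp"),
    (3, "permit", "command", "ping *"),
    (4, "permit", "command", "conf t ; interface *"),
]
# 'interface policy deny' plus 'permit interface ethernet 9/1'
NXOS_ROLE_INTERFACE_POLICY = ("deny", ["ethernet 9/1"])

# Constructed classification of a few CLI commands as (feature, access);
# the real table is much larger (see 'show role feature').
COMMAND_CLASSES = {
    "show": ("*", "read"),
    "ping": ("ping", "read"),
    "cdp": ("cdp", "read-write"),
    "debug": (None, "read-write"),     # feature is the second word
    "feature": (None, "read-write"),   # feature is the second word
    "interface": ("interface", "read-write"),
    "conf": ("config", "read-write"),
}


def classify(command):
    """Return (feature, access) for a command string."""
    words = command.split()
    feature, access = COMMAND_CLASSES.get(words[0], ("unknown", "read-write"))
    if feature is None:
        feature = words[1] if len(words) > 1 else "unknown"
    return feature, access


def command_path(command, mode):
    """Path the CLI walks: the command alone in exec, the mode then the command otherwise."""
    return [command] if mode == "exec" else [mode, command]


def rule_matches(rule, command, mode):
    """True when this rule applies to the command issued in this mode."""
    _number, _perm, rule_type, entity = rule
    feature, access = classify(command)
    if rule_type == "read":
        return access == "read"
    if rule_type == "read-write":
        # 'feature cdp' limits the rule to that feature; no entity means all.
        wanted = entity.split()[1] if entity.startswith("feature ") else None
        return wanted is None or wanted == feature
    if rule_type == "command":
        segments = [s.strip() for s in entity.split(";")]
        path = command_path(command, mode)
        return len(path) <= len(segments) and all(
            fnmatch.fnmatchcase(p, s) for p, s in zip(path, segments))
    return False


def authorize(command, mode="exec", rules=NXOS_ROLE_RULES,
              interface_policy=NXOS_ROLE_INTERFACE_POLICY):
    """Return 'permit', 'deny' or the NX-OS interface-policy error string."""
    verdict = "deny"                                  # implicit deny at the end
    for rule in sorted(rules, key=lambda r: r[0], reverse=True):
        if rule_matches(rule, command, mode):
            verdict = rule[1]                         # first match wins
            break
    if verdict == "permit" and command.startswith("interface "):
        policy, permitted = interface_policy
        if policy == "deny" and command[len("interface "):] not in permitted:
            return "% Interface permission denied"
    return verdict


def main():
    # The same commands the guide tries while logged in as user 'rbac'.
    for mode, cmd in [("exec", "show version"), ("exec", "debug cdp"),
                      ("exec", "debug ospf"), ("conf t", "cdp enable"),
                      ("conf t", "interface ethernet 9/2"),
                      ("conf t", "interface ethernet 9/1")]:
        print(f"{mode:7} {cmd:28} -> {authorize(cmd, mode)}")


if __name__ == "__main__":
    main()
```

Because the highest-numbered rule is checked first, a deny rule added as rule 5 would override rule 1 for the commands it matches; authorize() accepts a custom rule list to show that.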

5. Configuration Rollback

NX-OS fully supports Configuration Rollback. This functionality allows you to revert to a previous configuration state, effectively rolling back configuration changes. Let's verify its functionality within NX-OS.

In this step we will:
- Create a checkpoint for the current configuration
- Modify the configuration for an interface
- Roll back the configuration
- Verify the interface configuration

N7K-C1-1-pod5# checkpoint ?
  <CR>
  WORD  Checkpoint name (Max Size 75)
  file  Create configuration rollback checkpoint to file
N7K-C1-1-pod5# checkpoint nxos

Note: Processing the Request... Please Wait
........Done
N7K-C1-1-pod5#
N7K-C1-1-pod5# show checkpoint summary
Checkpoint Summary
---------------------------------------------------------------------------
1) nxos:
Created by admin
Created at Wed, 01:04:48 31 March 2009
Size is 7,021 bytes

Note: On Pod6 the interface is 9/9, on Pod7 9/17 and on Pod8 9/25.

Page 17: Nexus 7000 Lab Guide


Let's now modify the configuration of an interface.

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# interface e9/1
N7K-C1-1-pod5(config-if)# ip address 1.1.1.1/24
N7K-C1-1-pod5(config-if)# no ip redirects
N7K-C1-1-pod5(config-if)# ip proxy-arp
N7K-C1-1-pod5(config-if)# no shutdown
N7K-C1-1-pod5(config-if)# end

N7K-C1-1-pod5# sh running-config int e9/1
version 4.1(5)
interface Ethernet9/1
  ip address 1.1.1.1/24
  no ip redirects
  ip proxy-arp
  no shutdown

N7K-C1-1-pod5#

Let's check the difference between the current configuration and the checkpoint we created before.

N7K-C1-1-pod5# show diff rollback-patch checkpoint nxos ?
  checkpoint      Use checkpoint as destination configuration
  running-config  Use running configuration as destination
  startup-config  Use startup configuration as destination
N7K-C1-1-pod5# show diff rollback-patch checkpoint nxos running-config
Processing the Request... Please Wait
!!
!
interface Ethernet9/1
  ip address 1.1.1.1/24
  no ip redirects
  ip proxy-arp
  no shutdown

Let's now roll back the configuration…

N7K-C1-1-pod5# rollback running-config checkpoint nxos
Processing the Request... Please Wait
Generating the Rollbackpatch... Please Wait
Executing the patch... Please Wait
`conf t`
`interface Ethernet9/1`
`shutdown`
`no ip proxy-arp`
`ip redirects`
`no ip address 1.1.1.1/24`
N7K-C1-1-pod5# sh running-config int e9/1
version 4.1(5)

interface Ethernet9/1

Note: During the rollback process the CLI commands are undone and shown to the user.

Note: IP addresses are finally accepted in slash notation (1.1.1.1/24).

Note: On Pod6 the interface is 9/9, on Pod7 9/17 and on Pod8 9/25.
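As an added example (not code from the lab guide or from NX-OS), this Python model shows how the rollback patch printed above can be derived from the checkpoint and the running configuration: the interface sub-commands that exist only in the running-config are negated and undone newest-first, and any sub-command the checkpoint had but the running-config lost is re-applied. The two configuration texts are constructed to mirror the lab; the “no X” / “X” negation is a simplification of what NX-OS does.

```python
"""Model of how 'rollback running-config checkpoint <name>' derives its patch.

Added example, not code from the lab guide or from NX-OS. It reproduces the
behaviour seen in step 5 for one interface: the sub-commands the running
config has beyond the checkpoint are undone newest-first by negating them,
and anything the checkpoint had that was removed is re-applied.
"""


def negate(command):
    """Invert one CLI command: 'no X' becomes 'X', 'X' becomes 'no X'."""
    return command[3:] if command.startswith("no ") else "no " + command


def interface_block(config_text, interface):
    """Return the indented sub-commands under 'interface <interface>'."""
    body, inside = [], False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):              # a new top-level command
            inside = line == f"interface {interface}"
            continue
        if inside:
            body.append(line.strip())
    return body


def diff_rollback_patch(checkpoint_text, running_text, interface):
    """What 'show diff rollback-patch checkpoint X running-config' lists for
    the interface: sub-commands in the running-config but not in the checkpoint."""
    before = interface_block(checkpoint_text, interface)
    after = interface_block(running_text, interface)
    return [cmd for cmd in after if cmd not in before]


def rollback_patch(checkpoint_text, running_text, interface):
    """Commands that bring the interface back to the checkpoint state."""
    before = interface_block(checkpoint_text, interface)
    after = interface_block(running_text, interface)
    added = [cmd for cmd in after if cmd not in before]
    removed = [cmd for cmd in before if cmd not in after]
    if not added and not removed:
        return []                                  # nothing to roll back
    patch = ["conf t", f"interface {interface}"]
    patch += [negate(cmd) for cmd in reversed(added)]   # undo newest first
    patch += removed                                    # restore what was dropped
    return patch


# Constructed configs mirroring the lab: checkpoint 'nxos' taken before the
# change, running-config after 'ip address 1.1.1.1/24 ... no shutdown'.
CHECKPOINT_NXOS = """version 4.1(5)
interface Ethernet9/1
interface Ethernet9/2
"""

RUNNING_AFTER_CHANGE = """version 4.1(5)
interface Ethernet9/1
  ip address 1.1.1.1/24
  no ip redirects
  ip proxy-arp
  no shutdown
interface Ethernet9/2
"""

if __name__ == "__main__":
    for cmd in rollback_patch(CHECKPOINT_NXOS, RUNNING_AFTER_CHANGE, "Ethernet9/1"):
        print(f"`{cmd}`")
```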

Page 18: Nexus 7000 Lab Guide


6. Links up with Spanning Tree

It is time to bring up the interfaces and configure the Spanning Tree Protocol. Rapid Spanning Tree Protocol (RSTP) is standardized in IEEE 802.1w. Cisco's implementation of RSTP in both NX-OS and IOS provides a separate spanning tree instance for each active VLAN, which permits greater flexibility of Layer 2 topologies in conjunction with IEEE 802.1Q trunking. This implementation is also referred to as Rapid Per-VLAN Spanning Tree (Rapid-PVST). Rapid-PVST is the default spanning tree mode for NX-OS, so it does not need to be explicitly enabled.

Best practices dictate controlling the placement of the spanning tree root switch in the network for each VLAN, to ensure that the election process does not inadvertently place it on a small switch in the access layer, which would create a sub-optimal topology and may be more prone to failure.

We will bring up a few port-channels, so we first need to enable the service for the LACP protocol.
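As an added example (not code from the lab guide), the following Python model runs the per-VLAN root election the paragraph above is about: each bridge ID is the configured priority plus the VLAN number as the system ID extension (which is why priority 4096 shows up as 4099 on VLAN 3 later in this lab), followed by the MAC address, and the lowest ID wins. The switch table is constructed from the lab's priorities and MAC addresses; the second table shows what happens when nobody configures a priority.

```python
"""Rapid-PVST root election model (added example; not from the lab guide).

Each VLAN runs its own spanning tree, and every bridge advertises a
per-VLAN bridge ID made of a 16-bit priority field and its MAC address.
The priority field is the configured priority (a multiple of 4096) plus
the VLAN number as the "system ID extension", so priority 4096 becomes
4099 on VLAN 3. The bridge with the numerically lowest ID is the root.
"""


def mac_to_int(mac):
    """Accept Cisco dotted (001b.54c2.2944), colon or dash MAC notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority, mac, vlan):
    """Return (priority with sys-id-ext, MAC as int), the tuple RSTP compares."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    return (priority + vlan, mac_to_int(mac))


def elect_root(switches, vlan):
    """switches: {name: (configured priority, MAC)}; returns the root's name."""
    return min(switches, key=lambda name: bridge_id(*switches[name], vlan))


def root_is_intended(switches, vlan, intended):
    """True when the switch we meant to be root actually wins this VLAN."""
    return elect_root(switches, vlan) == intended


# Constructed from the lab: N7K-1 gets priority 4096, N7K-2 8192, and the
# Catalyst 6500 in the access layer is left at the default 32768.
LAB_SWITCHES = {
    "N7K-1": (4096, "001b.54c2.2944"),
    "N7K-2": (8192, "0022.5579.d2c2"),
    "Cat6K-1": (32768, "000d.eca4.0081"),
}
# The same three switches if nobody had set a priority: ties on 32768 are
# broken by the lowest MAC, which here belongs to the access-layer switch.
DEFAULT_SWITCHES = {name: (32768, mac) for name, (_, mac) in LAB_SWITCHES.items()}

if __name__ == "__main__":
    for vlan in (1, 2, 3, 4):
        print(f"VLAN {vlan}: configured root {elect_root(LAB_SWITCHES, vlan)}, "
              f"all-default root {elect_root(DEFAULT_SWITCHES, vlan)}")
```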

N7K-C1-1-pod5(config)# feature lacp

Note: NX-OS is a fully modular operating system; most software modules don't run unless the corresponding service is enabled. We refer to these features that need to be specifically enabled as “conditional services”. Once the service is enabled, its CLI becomes visible and the feature can be used and configured.

N7K-C1-1-pod5(config)# vlan 1-4
N7K-C1-1-pod5(config)# spanning-tree vlan 1-4 priority <..>
N7K-C1-1-pod5(config)# int po 10
N7K-C1-1-pod5(config-if)# switchport
N7K-C1-1-pod5(config-if)# switchport mode trunk
N7K-C1-1-pod5(config-if)# switchport trunk allowed vlan 1-4
N7K-C1-1-pod5(config-if)# spanning-tree port type network
N7K-C1-1-pod5(config-if)# description link to the other Nexus7000
N7K-C1-1-pod5(config-if)# no shutdown

Note: The “spanning-tree port type network” command enables Bridge Assurance on that link. Bridge Assurance causes the switch to send BPDUs every hello time period on all operational ports that carry a port type setting of “network”, including alternate and backup ports. If a neighbor port stops receiving BPDUs, the port is moved into the blocking state. If the blocked port begins receiving BPDUs again, it is removed from Bridge Assurance blocking and goes through the normal Rapid-PVST transition. This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.

N7K-C1-1-pod5(config-if)# int e9/1-2
N7K-C1-1-pod3(config-if-range)# rate-mode dedicated
N7K-C1-1-pod5(config-if-range)# switchport
N7K-C1-1-pod5(config-if-range)# switchport mode trunk
N7K-C1-1-pod5(config-if-range)# switchport trunk allowed vlan 1-4
N7K-C1-1-pod5(config-if-range)# no shutdown

Note: Use spanning-tree priority 4096 on N7K1 (Student 1) and 8192 on N7K2 (Student 2).

Note: LACP is a conditional service.

Note: The member interfaces are 9/9-10 for Pod6, 9/17-18 for Pod7 and 9/25-26 for Pod8.

Page 19: Nexus 7000 Lab Guide


N7K-C1-1-pod5(config-if-range)# channel-group 10 mode active

Check the status of the port-channel…

N7K-C1-1-pod5(config-if-range)# show port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
---------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
---------------------------------------------------------------------------
10    Po10(SU)    Eth      LACP      Eth2/1(P)    Eth2/2(P)

Bring up the interfaces facing the Access Layer…

N7K-C1-1-pod5(config-if-range)# int e10/2
N7K-C1-1-pod5(config-if)# switchport
N7K-C1-1-pod5(config-if)# switchport mode trunk
N7K-C1-1-pod5(config-if)# switchport trunk allowed vlan 1-4
N7K-C1-1-pod5(config-if)# no shutdown

Check the spanning-tree from both the Nexus 7000 and the Catalyst 6500.

N7K-C1-1-pod5(config-if)# show spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     001b.54c2.2944
             This bridge is the root
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4099   (priority 4096 sys-id-ext 3)
             Address     001b.54c2.2944
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po10             Desg FWD 1         128.4105 Network P2p
Eth10/2          Desg FWD 19        128.1306 P2p Peer(STP)

Cat6K-1# show spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     0022.5579.d2c2
             Cost        2
             Port        129 (Ethernet1/1)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32771  (priority 32768 sys-id-ext 3)
             Address     000d.eca4.0081
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Note: The interface facing the access layer is 10/14 for Pod6, 10/26 for Pod7 and 10/38 for Pod8.

Page 20: Nexus 7000 Lab Guide


Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------------
Eth2/1           Root FWD 2         128.129  P2p
Eth2/2           Altn BLK 2         128.130  P2p

7. HSRP

To provide redundancy for the IP default gateway services, several protocols exist, which are commonly referred to together as First Hop Redundancy Protocols (FHRPs). Cisco NX-OS supports implementations of multiple FHRPs: Hot Standby Router Protocol (HSRP), Gateway Load Balancing Protocol (GLBP), and Virtual Router Redundancy Protocol (VRRP). You will configure HSRP in this step. Let's create an SVI for VLAN 2 and VLAN 3 and configure HSRP:

N7K-C1-1-pod5(config)# feature interface-vlan
N7K-C1-1-pod5(config)# feature hsrp

Note: Both the SVI service and the service for the HSRP protocol are “conditional”. Their code does not run unless the feature is explicitly enabled with the “feature” command.

N7K-C1-1-pod5(config)# int vlan 2 N7K-C1-1-pod5(config-if)# ip address 192.168.202.<Student #>/24 N7K-C1-1-pod5(config-if)# no shutdown N7K-C1-1-pod5(config-if)# N7K-C1-1-pod5(config-if)# hsrp 1 N7K-C1-1-pod5(config-if-hsrp)# preempt delay minimum 180 N7K-C1-1-pod5(config-if-hsrp)# priority <...> N7K-C1-1-pod5(config-if-hsrp)# timers 1 3 N7K-C1-1-pod5(config-if-hsrp)# ip 192.168.202.3 N7K-C1-1-pod5(config-if-hsrp)# int vlan 3 N7K-C1-1-pod5(config-if)# ip address 192.168.203.<Student #>/24 N7K-C1-1-pod5(config-if)# no shutdown N7K-C1-1-pod5(config-if)# N7K-C1-1-pod5(config-if)# hsrp 1 N7K-C1-1-pod5(config-if-hsrp)# preempt delay minimum 180 N7K-C1-1-pod5(config-if-hsrp)# priority <...> N7K-C1-1-pod5(config-if-hsrp)# timers 1 3 N7K-C1-1-pod5(config-if-hsrp)# ip 192.168.203.3 N7K-C1-1-pod5# show hsrp brief P indicates configured to preempt. | Interface Grp Prio P State Active addr Standby addr Group addr Vlan2 1 40 P Active local 192.168.202.2 192.168.202.3 Vlan3 1 40 P Active local 192.168.203.2 192.168.203.3

Note: in the Catalyst 6500 spanning-tree output above (Eth2/2 in the Altn BLK state), the link between the Cat6K and the N7K-2 is blocked, as expected.

Note: HSRP priority <...>: 40 for N7K1 (Student 1), 20 for N7K2 (Student 2). The same priority is used for both the VLAN 2 and VLAN 3 groups.


8. Moving the Topology from STP-based to vPC-based

The “virtual Port Channel” (vPC) functionality provides the following benefits:

• Allows a single device to use a port channel across two upstream devices

• Eliminates Spanning Tree Protocol (STP) blocked ports

• Provides a loop-free topology

• Uses all available uplink bandwidth

• Provides fast convergence if either the link or a device fails

• Provides link-level resiliency

• Assures high availability

The topology will change as follows:

The terminology used for vPCs is as follows:

• vPC — The combined port channel between the vPC peer devices and the downstream device.

• vPC peer device — One of a pair of devices that are connected with the special port channel known as the vPC peer link.

• vPC peer link — The link used to synchronize states between the vPC peer devices. Both ends must be on 10-Gigabit Ethernet interfaces.

• vPC domain — This domain is formed by the two vPC peer link devices. It is also a configuration mode for configuring some of the vPC peer link parameters.

• vPC peer keep-alive link — The peer keep-alive link is a Layer3 link between the vPC peer devices used to ensure that both devices are up. The fault-tolerant link sends configurable, periodic keepalive messages between devices connected by the vPC peer link on an out-of-band link.

• vPC member port — Interfaces that belong to the vPCs.


During this step you will:

- Enable the vPC
- Create the vPC domain
- Configure the peer-link port channel, and place it in vPC peer-link mode
- Configure the access layer facing port channels, and place them in vPC mode

N7K-C1-1-pod5# conf t

N7K-C1-1-pod5(config)# feature vpc

Next we'll enable the vPC domain. The domain ID is used to differentiate multiple vPC tiers, allowing for a unique Layer 2 Link Aggregation ID for LACP-based configuration. We will also configure the “role” so that the primary vPC device is the same device that is also the STP root and the HSRP primary device. This is the recommended configuration.

N7K-C1-1-pod5(config)# vpc domain 1
N7K-C1-1-pod5(config-vpc-domain)# role priority <...>

Note: role priority <...>: 1000 for Student 1, 2000 for Student 2. The lower priority wins.

The first thing to set up is the fault-tolerant link (peer-keepalive) connection. For the fault-tolerant link we recommend a separate port, preferably 1GigE, between the vPC peer devices (it does NOT need to be a direct link). This port should belong to a separate VRF.

Another alternative is to use the out-of-band management network through the Supervisor's management interface, and this is what we'll do in this lab.

N7K-C1-1-pod5(config-vpc-domain)# peer-keepalive dest 128.107.221.<...> source 128.107.221.<...>

Note: for “dest” enter your partner's mgmt0 IP address; for “source” enter your own mgmt0 IP address.

Let's check the status of the fault-tolerant link (peer-keepalive).

N7K-C1-1-pod5(config-vpc-domain)# show vpc peer-keepalive

vPC keep-alive status             : peer is alive
--Send status                     : Success
--Last send at                    : 2009.04.19 20:49:43 584 ms
--Sent on interface               : mgmt0
--Receive status                  : Success
--Last receive at                 : 2009.04.19 20:49:43 767 ms
--Received on interface           : mgmt0
--Last update from peer           : (0) seconds, (568) msec

vPC Keep-alive parameters
--Destination                     : 128.107.221.116
--Keepalive interval              : 1000 msec
--Keepalive timeout               : 5 seconds
--Keepalive hold timeout          : 3 seconds
--Keepalive vrf                   : management
--Keepalive udp port              : 3200
--Keepalive tos                   : 192

Now that the base vPC domain is configured, we can configure the peer-link, and then validate that the base vPC infrastructure is running (assuming your partner has done the same configuration steps on the other Nexus 7000 in your Pod).

N7K-C1-1-pod5(config-int)# int port-channel 10
N7K-C1-1-pod5(config-int)# vpc peer-link
N7K-C1-1-pod5(config-int)# show vpc brief

Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status: success
vPC role                          : primary

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po10   up     1-4

The STP status hasn't changed on the Catalyst 6500.

Cat6K-1# show spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     001b.54c2.b1c2
             Cost        2
             Port        129 (Ethernet1/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32771  (priority 32768 sys-id-ext 3)
             Address     000d.eca4.0481
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------------------
Eth2/1           Root FWD 2         128.129  P2p
Eth2/2           Altn BLK 2         128.130  P2p

Now that the peer-link is running and the vPC is up, we can add in the access facing “vPC” links.

N7K-C1-1-pod5(config)# int po 20
N7K-C1-1-pod5(config-int)# switchport
N7K-C1-1-pod5(config-int)# switchport mode trunk
N7K-C1-1-pod5(config-int)# switchport trunk allowed vlan 1-4
N7K-C1-1-pod5(config-int)# no sh
N7K-C1-1-pod5(config-int)# vpc 20


Letʼs now add the port facing the Access Layer (Catalyst 6500) to the port-channel.

N7K-C1-1-pod5(config-int)# int e10/2
N7K-C1-1-pod5(config-int)# channel-group 20 mode active

Let's check the vPC status.

N7K-C1-1-pod5(config-if)# show vpc brief

Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status: success
vPC role                          : primary

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po10   up     1-4

vPC status
----------------------------------------------------------------------
id   Port   Status Consistency Reason                     Active vlans
--   ----   ------ ----------- -------------------------- ------------
20   Po20   down*  success     success                    -

The vPC status is “down” because we haven't configured the port-channel on the Catalyst 6500 yet; in fact the port is in the “individual” state from an LACP perspective.

N7K-C1-1-pod5(config-if)# sh port-channel summary

Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
--------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------
10    Po10(SU)    Eth      LACP      Eth9/1(P)    Eth9/2(D)
20    Po20(SD)    Eth      LACP      Eth10/2(I)

If your teammate has reached this point as well, one of you can go on the Catalyst 6500 and configure the port-channel.

Cat6K-1(config-if)# int range f2/1 - 2

Note: the Nexus 7000 interface e10/2 used above is for Pod5; use 10/14 for Pod6, 10/26 for Pod7, 10/38 for Pod8.


Cat6K-1(config-if-range)# channel-group 20 mode active

Let's check the STP and the port-channel status.

Cat6K-1(config-if-range)# show spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     001b.54c2.b1c2
             Cost        1
             Port        4115 (port-channel20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32771  (priority 32768 sys-id-ext 3)
             Address     000d.eca4.0481
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------------------
Po20             Root FWD 1         128.4115 P2p

Cat6K-1(config-if-range)# show port-channel summary

Flags:  D - down        U - up in port-channel
        I - Individual  S - suspended
        H - Hot-standby (LACP only)
        R - Module-removed
--------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------
20    Po20(U)     Eth      LACP      Eth6/1(U)    Eth6/2(U)

The Catalyst 6500 now has a port-channel connected to two different upstream devices.

Let's check the status of the vPC and the STP on the Nexus 7000.

N7K-C1-1-pod5(config-if)# sh vpc brief

Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status: success
vPC role                          : primary

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po10   up     1-4

vPC status
----------------------------------------------------------------------
id   Port   Status Consistency Reason                     Active vlans
--   ----   ------ ----------- -------------------------- ------------
20   Po20   up     success     success                    1-4


N7K-C1-1-pod5(config-if)# show spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     001b.54c2.b1c2
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4099   (priority 4096 sys-id-ext 3)
             Address     001b.54c2.b1c2
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------------------
Po10             Desg FWD 1         128.4105 (vPC peer-link) Network P2p
Po20             Desg FWD 1         128.4115 (vPC) P2p
Eth2/10          Desg FWD 2         128.266  P2p

The vPC topology is now up and running!
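As an added example (not part of the lab guide), the following Python script checks the recommendation from step 8 that the vPC primary, the STP root and the HSRP active device are all the same switch, by parsing the text of the three show commands used in steps 7 and 8. The sample outputs embedded in it are constructed from the formats shown in this lab; it also flags an unhealthy peer-link or a missing HSRP preempt, since either makes the role question moot.

```python
"""Role-alignment check for a vPC pair (added example; not part of the lab guide).

Parses "show vpc brief", "show hsrp brief" and "show spanning-tree vlan <n>" in
the formats printed in steps 7 and 8 and reports whether one switch holds all
three roles (vPC primary, HSRP active, STP root), as the lab recommends.
"""
import re

# Constructed sample: "show vpc brief" as printed on the vPC primary (abbreviated).
VPC_BRIEF = """\
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status: success
vPC role                          : primary
"""

# Constructed sample: "show hsrp brief" with both groups active on this switch.
HSRP_BRIEF = """\
                     P indicates configured to preempt.
                     |
 Interface   Grp Prio P State    Active addr      Standby addr     Group addr
  Vlan2        1   40 P Active   local            192.168.202.2    192.168.202.3
  Vlan3        1   40 P Active   local            192.168.203.2    192.168.203.3
"""

# Constructed sample: head of "show spanning-tree vlan 3" on the root bridge.
STP_VLAN3 = """\
VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    4099
             Address     001b.54c2.b1c2
             This bridge is the root
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(.+?)\s*$")
HSRP_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(P\s+)?([A-Za-z]+)\s")


def vpc_fields(text):
    """Return the 'name : value' lines of show vpc brief as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def vpc_peer_healthy(text):
    """True when adjacency, keepalive and consistency all report good."""
    f = vpc_fields(text)
    return (f.get("Peer status", "").endswith("ok")
            and f.get("vPC keep-alive status") == "peer is alive"
            and f.get("Configuration consistency status") == "success")


def vpc_role(text):
    """'primary' or 'secondary' (first word of the role field), else None."""
    role = vpc_fields(text).get("vPC role")
    return role.split(",")[0].strip() if role else None


def hsrp_states(text):
    """Map interface -> (state, preempt_configured) for each HSRP group row."""
    states = {}
    for line in text.splitlines():
        m = HSRP_ROW.match(line)
        if m:
            states[m.group(1)] = (m.group(5), m.group(4) is not None)
    return states


def stp_is_root(text):
    """True when the local bridge is the root of the VLAN shown."""
    return "This bridge is the root" in text


def check_alignment(vpc_text, hsrp_text, stp_text):
    """Summarise the roles held by this switch and whether they line up."""
    hsrp = hsrp_states(hsrp_text)
    role = vpc_role(vpc_text)
    root = stp_is_root(stp_text)
    warnings = []
    if not vpc_peer_healthy(vpc_text):
        warnings.append("vPC peer status, keepalive or consistency is not healthy")
    for intf, (_, preempt) in hsrp.items():
        if not preempt:
            warnings.append(f"{intf}: HSRP preempt not configured")
    all_active = bool(hsrp) and all(s == "Active" for s, _ in hsrp.values())
    all_standby = bool(hsrp) and all(s == "Standby" for s, _ in hsrp.values())
    # Primary should own STP root and HSRP active; secondary should own neither.
    aligned = ((role == "primary" and root and all_active)
               or (role == "secondary" and not root and all_standby))
    if not aligned:
        warnings.append(f"vPC {role}, STP root={root}, HSRP={hsrp}: roles not aligned")
    return {"vpc_role": role, "stp_root": root, "hsrp": hsrp,
            "aligned": aligned, "warnings": warnings}


if __name__ == "__main__":
    for label, vpc in (("as configured", VPC_BRIEF),
                       ("role reversed", VPC_BRIEF.replace("primary", "secondary"))):
        print(label, check_alignment(vpc, HSRP_BRIEF, STP_VLAN3))
```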

9. vPC Failure Scenario

One of the advantages of the vPC approach to loop management is that failure recovery on a link or of an entire switch relies on port-channel failover rather than on STP re-learning the entire network. With port-channel failover, recovery is often sub-second. This alone is a key reason why vPC provides an efficient scaling mechanism relative to STP-managed Layer 2 topologies. In this step we will bring down the vPC peer-link. In the unlikely case that both ports and line cards of the peer-link fail (two ports on two different line cards are the recommended minimum for the peer-link), the vPC software will look to the fault-tolerant link (the keep-alive link) to determine whether the failure is a link-level failure (perhaps a UDLD failure of some nature) or whether the remote peer has in fact failed entirely.

In the case that the remote peer is still alive (peer-keepalive messages are still being received), to avoid loops the vPC secondary switch will disable its vPC member ports and any Layer 3 interfaces attached to a vPC associated VLAN.

We will bring down the peer-link interfaces on the vPC primary device and observe what happens on the vPC secondary and on the Access device.

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# int e9/1-2
N7K-C1-1-pod5(config-if-range)# shutdown

Note: e9/1-2 are the Pod5 peer-link interfaces; use 9/9-10 for Pod6, 9/17-18 for Pod7, 9/25-26 for Pod8.


On the Catalyst 6500 we can see that one of the port-channel member ports got suspended (Eth6/2 shows as down).

Cat6K-1(config-if-range)# show port-channel summary

Flags:  D - down        U - up in port-channel
        I - Individual  S - suspended
        H - Hot-standby (LACP only)
        R - Module-removed
--------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------
20    Po20(U)     Eth      LACP      Eth6/1(U)    Eth6/2(D)
30    Po30(D)     Eth      NONE      --

While on the vPC secondary you should see the following:

%VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary

N7K-C1-2-pod5(config-if)# show int vlan 2

Vlan2 is down, line protocol is down
  Hardware is EtherSVI, address is 001b.54c2.af42
  Internet Address is 192.168.202.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
<omitted output>

N7K-C1-2-pod5(config-if)# show port-channel summary

Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
-------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
-------------------------------------------------------------------------
10    Po10(SD)    Eth      LACP      Eth9/1(D)    Eth9/2(D)
20    Po20(SD)    Eth      LACP      Eth10/2(D)

We can now bring the peer-link interfaces on the vPC primary back up and check the Catalyst 6500 again.

N7K-C1-1-pod5(config)# int e9/1-2
N7K-C1-1-pod5(config-if-range)# no shutdown

Note: e9/1-2 are the Pod5 peer-link interfaces; use 9/9-10 for Pod6, 9/17-18 for Pod7, 9/25-26 for Pod8.

After a few seconds you should see the link back up:

Cat6K-1(config-if-range)# show port-channel summary

Flags:  D - down        U - up in port-channel
        I - Individual  S - suspended
        H - Hot-standby (LACP only)
        R - Module-removed
-------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
-------------------------------------------------------------------------
20    Po20(U)     Eth      LACP      Eth6/1(U)    Eth6/2(U)

Also on the vPC secondary the SVIs are back up:

N7K-C1-2-pod5(config-if)# show int vlan 2

Vlan2 is up, line protocol is up
<omitted output>

Before continuing, let's remove the port-channel on the Catalyst 6500, so that the ports can be used in the next step:

Cat6K-1(config)# int range f2/1 - 2
Cat6K-1(config-if-range)# no channel-group 20 mode active

10. OSPF Configuration

OSPF is fully implemented in NX-OS as part of the “Enterprise” license (however, you can use the feature under the grace-period mode for 120 days). In this step we will configure OSPFv2 and see how the configuration is interface-centric, as opposed to the network-centric OSPF configuration of IOS.

Since we don't have a Core device in the topology, we will modify the current links, converting them from Layer 2 to Layer 3, and remove some of the features we configured in the previous steps.

This step will consist of a very simple configuration of OSPF between the Nexus 7000 and the Catalyst 6500 just to give the students a first experience with the protocol and to set the stage for the “Stateful Process Restart” step which will follow this one.

These are the steps for this exercise:

- Turn the OSPFv2 service on

- Configure the Loopback interfaces

- Instantiate an OSPF process

- Verify the OSPF configuration by issuing a few show commands

N7K-C1-1-pod5(config)# interface loopback0
N7K-C1-1-pod5(config-if)# ip address 10.1.255.<Student #>/32
N7K-C1-1-pod5(config-if)# feature ospf
N7K-C1-1-pod5(config)# router ospf 1
N7K-C1-1-pod5(config-router)# log-adjacency-changes
N7K-C1-1-pod5(config-router)# auto-cost reference-bandwidth 1000000

Note: As you may have noticed, the “network x.x.x.x area y” configuration lines are not present. This is a big difference from IOS: OSPF, as well as the other IGP protocols, is interface-centric, as we will see with the next few commands.


Let's now configure the interfaces.

N7K-C1-1-pod5(config)# int e10/1
N7K-C1-1-pod5(config-if)# description OSPF link to the N7K
N7K-C1-1-pod5(config-if)# ip address 192.168.1.<Student #>/30
N7K-C1-1-pod5(config-if)# ip ospf hello-interval 2
N7K-C1-1-pod5(config-if)# ip ospf dead-interval 6
N7K-C1-1-pod5(config-if)# ip ospf network point-to-point
N7K-C1-1-pod5(config-if)# ip router ospf 1 area 0
N7K-C1-1-pod5(config-if)# no shutdown

Note: In the NX-OS the OSPF configuration is interface centric. The membership to an OSPF area is specified at the interface configuration level. This approach is more intuitive and manageable.

Now we can check the OSPF configuration we have been working on.

N7K-C1-1-pod5(config-if)# sh running-config ?

  <CR>
  >         Redirect it to a file
  aaa       Display aaa configuration
  all       Current operating configuration with defaults
  am        Display am information
  arp       Display arp information
  bgp       Display bgp information
  <snip>
  l3vm      Display l3vm information
  license   Display licensing configuration
  msdp      Display msdp information
  netflow   Show NetFlow configuration
  ospf      Display ospf information
  ospfv3    Display ospfv3 information
  pim       Display pim information
  pim6      Display pim6 information
  <snip>

N7K-C1-1-pod5(config-if)# sh running-config ospf

version 4.1(5)
feature ospf

router ospf 1
  log-adjacency-changes
  auto-cost reference-bandwidth 1000000

interface Ethernet10/1
  ip ospf dead-interval 6
  ip ospf hello-interval 2
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0

Letʼs check now the complete OSPF configuration with its default values.

N7K-C1-1-pod5# sh running-config ospf all

version 4.1(5)
feature ospf

snmp-server enable traps ospf rate-limit 10 7
snmp-server enable traps ospf 1 rate-limit 10 7

router ospf 1
  graceful-restart
  graceful-restart grace-period 60
  timers lsa-arrival 1000
  distance 110
  maximum-paths 8
  auto-cost reference-bandwidth 1000000
  ip ospf event-history size small
  ip ospf event-history cli size small
  ip ospf event-history redistribution size small
  ip ospf event-history spf size small
  ip ospf event-history lsa size small
  ip ospf event-history flooding size small
  ip ospf event-history ha size small
  ip ospf event-history event size small
  ip ospf event-history adjacency size small

interface Ethernet10/2
  ip ospf dead-interval 6
  ip ospf hello-interval 2
  ip ospf network point-to-point
  ip ospf priority 1
  ip ospf retransmit-interval 5
  ip ospf transmit-delay 1
  ip router ospf 1 area 0.0.0.0

Note: the Nexus 7000 interface e10/1 used in this step is for Pod5; use 10/13 for Pod6, 10/25 for Pod7, 10/37 for Pod8.

N7K-C1-1-pod5# sh ip ospf neighbors

OSPF Process ID 1 VRF default
Total number of neighbors: 1
Neighbor ID     Pri State            Up Time  Address         Interface
10.1.255.2        1 FULL/ -          00:08:58 192.168.1.2     Eth10/1
N7K-C1-1-pod5#

11. Stateful Process Restart

NX-OS is a modern operating system. It continuously checks the health of each software module, making sure that if a process crashes or hangs the right action is taken to allow service continuity and availability. NX-OS has been designed around the concept of zero service disruption. All Layer 2 protocols (STP, CDP, LACP etc.) and OSPF support Stateful Process Restart, leveraging the PSS (Persistent Storage Service) architecture. With this exercise we will see how the system recovers from an OSPF crash in a seamless way. You will see that the connected Cat6K won't even realize that the process crashed and restarted. These are the steps for this exercise:

- Display the OSPF process ID
- Kill the OSPF process
- Verify that the OSPF process has been restarted with a new process ID
- Check the Cat6K screen

N7K-C1-1-pod5(config)# logging level ospf 7
N7K-C1-1-pod5(config)# logging monitor 7
N7K-C1-1-pod5(config)# terminal monitor

This step should be performed on only one of the two Nexus 7000s. Both students can look at the same telnet session.

Just to show that the OSPF adjacency goes down as expected when the link is shut down on the N7K:

N7K-C1-1-pod5(config)# int e10/1
N7K-C1-1-pod5(config-if)# shutdown

As you can see, the link and the OSPF adjacency went down.

Now bring the interface back up on the Nexus 7000.

N7K-C1-1-pod5(config-if)# no shutdown

The interface is now up and the OSPF adjacency is back up. Now let's kill OSPF.

N7K-C1-1-pod5# show process | inc ospf

 1959  S  778f727b    1  -  ospf
    -  NR        -    0  -  ospfv3
    -  NR        -    0  -  ospf
    -  NR        -    0  -  ospfv3
    -  NR        -    0  -  ospf

Notice the PID on the left (you will need it to kill the process) and the number of restarts (the “1” after the hexadecimal value, highlighted in bold and blue in the original guide).

N7K-C1-1-pod5# copy bootflash:proc.res p
N7K-C1-1-pod5# load p
load_isanimg: entry
load_isanimg: uri_info:0x809ba90
load_isanimg: type:0x8
Loading plugin version 4.1(5)
###############################################################
Warning: debug-plugin is for engineering internal use only!
For security reason, plugin image has been deleted.
###############################################################
Successfully loaded service restart debug-plugin!!!
Commands Available:
  help
  kill <pid>
  exit
Enter Commands:
kill <ospf pid>
killing …
2008 May 12 21:22:35 N7K-C1-1-pod5 %SYSMGR-2-SERVICE_CRASHED: Service "__inst_001__ospf" (PID 19700) hasn't caught signal 9 (no core).
exit

N7K-C1-1-pod5# sh process | inc ospf

16066  S  778f727b    2  -  ospf
    -  NR        -    0  -  ospfv3
    -  NR        -    0  -  ospf
    -  NR        -    0  -  ospfv3
    -  NR        -    0  -  ospf
    -  NR        -    0  -  ospfv3
    -  NR        -    0  -  ospf
    -  NR        -    0  -  ospfv3

Notice how the OSPF process now has a new process ID and how, looking at the other Nexus 7000 terminal, the neighbor didn't even realize that our OSPF process was killed and restarted.

Note: the Nexus 7000 interface e10/1 used in this step is for Pod5; use 10/13 for Pod6, 10/25 for Pod7, 10/37 for Pod8.

12. Configuration Session

NX-OS offers a new way of configuring security ACLs: the “Configuration Session” mode. This mode allows the user to “dry-run” the configuration against the availability of system resources. By “dry-run” we mean a process that lets the user check whether the hardware resources are available without actually performing any modification on them. As of today NX-OS supports “Configuration Session” only for configuration related to security ACLs and QoS; however, the goal in the future is to support every feature within this programming mode. In this exercise the students will get familiar with the new configuration session process by configuring an ACL for a particular interface. These are the steps for this exercise:

- Create a new configuration session
- Create a simple access-list and apply the access-list to an interface
- “Verify” the configuration
- “Commit” the configuration

N7K-C1-1-pod5# configure session ?

WORD Enter the name of the session

N7K-C1-1-pod5# configure session nxos

Config Session started, Session ID is 1

N7K-C1-1-pod5(config-s)# ?

Note: the “s” in the prompt indicates that the user is in a configuration session.

  abort         Abort the current configuration session
  access-list   Configure access control list parameters
  arp           ARP access-list configuration commands
  commit        Commit the current configuration session
  end           Exit configuration mode
  errdisable    Error disable
  exit          Exit from command interpreter
  interface     Configure interfaces
  ip            Configure IP features
  logging       Modify message logging facilities
  mac           MAC configuration commands
  object-group  Configure ACL object groups
  resequence    Resequence a list with sequence numbers
  save          Save the current configuration session to uri
  time-range    Define time range entries
  verify        Verify the current configuration session
  vlan          Vlan commands

Note: up to 32 active sessions are supported within each VDC.

N7K-C1-1-pod5(config-s)# ip access-list nxos ?

<CR>

Note: NX-OS introduces some ACL syntax improvements for better usability and manageability.

Note: IP addresses are written in slash (prefix-length) notation.

Note: You can use either a number, a string of characters, or a mix of them when naming an ACL; NX-OS treats them all simply as a name.

N7K-C1-1-pod5(config-s)# ip access-list nxos
N7K-C1-1-pod5(config-s-acl)# permit tcp 111.1.1.0/24 any
N7K-C1-1-pod5(config-s-acl)# permit tcp 112.2.2.0/24 any
N7K-C1-1-pod5(config-s-acl)# permit tcp 113.3.3.0/24 any
N7K-C1-1-pod5(config-s-acl)# exit

Let's now attach the access-group to an interface.

N7K-C1-1-pod5(config-s)# int e10/2

N7K-C1-1-pod5(config-s-if)# ip access-group nxos in

The access-list hasnʼt been programmed into the hardware yet. Letʼs see our configuration within the config session.

N7K-C1-1-pod5(config-s-if)# show configuration session

config session nxos

0001 ip access-list 1

0002 permit tcp 111.1.1.0/24 any

0003 permit tcp 112.2.2.0/24 any

0004 permit tcp 113.3.3.0/24 any

0005 interface Ethernet10/2

0006 ip access-group nxos in

Note: there is no “standard/extended/named/numbered” ACL distinction, just ACLs.


Number of active configuration sessions = 1

Let's now verify our configuration. During the verification process the system checks the configuration against the hardware and software resources for their availability.

N7K-C1-1-pod5(config-s-if)# verify

Verification Successful

N7K-C1-1-pod5(config-s-if)# show running-config int e10/2

version 4.1(5)

interface Ethernet10/2

The configuration fits in the hardware table. Again, up to this point the ACL TCAM has not been touched. We are now ready to commit the configuration. If the commit succeeds, the session is considered complete and is terminated.

N7K-C1-1-pod5(config-s-if)# commit

Commit Successful

N7K-C1-1-pod5# show running-config int e10/2

version 4.1(5)

interface Ethernet10/2

ip access-group nxos in

N7K-C1-1-pod5# show configuration session

There are no active configuration sessions

N7K-C1-1-pod5#

Before continuing, let's remove the ACL from the interface.

N7K-C1-1-pod5# conf t
N7K-C1-1-pod5(config)# interface e10/2
N7K-C1-1-pod5(config-if)# no ip access-group nxos in

N7K-C1-1-pod5(config-if)#

Note: after “verify”, the ACL TCAM has not been modified yet, but we now know that the hardware resources are enough to accommodate the new/modified ACL.

Note: the ACL shows up in the running configuration only after the “commit” has been performed.

13. NetFlow

Nexus 7000 offers a very powerful implementation of NetFlow. Some of the most important aspects of Nexus 7000 NetFlow are scalability, effective hardware-based sampling, support for TCP flags, support for NetFlow v9, etc.


In terms of NetFlow configuration, NX-OS follows the Cisco IOS Flexible NetFlow conventions. NetFlow is a conditional service and it needs to be enabled for its CLI to be active and the feature to be configurable.

These are the steps for this exercise:

- Configure a flow record
- Configure a flow exporter
- Configure a flow monitor
- Attach the monitor to the interface
- Verify the NetFlow configuration

N7K-C1-1-pod5# conf t

N7K-C1-1-pod5(config)# feature netflow

Note: NetFlow, too, is a conditional service which must be enabled before the feature can be configured.

Letʼs start by configuring a “flow record”. A “flow record” defines what information NetFlow will track. The “match” keyword defines on which fields the flow creation is based, while the “collect” keyword defines the information that will be exported together with the flow. A “flow record” translates in a hardware NetFlow profile and mask, similar to the Cat6K concept of “flow mask”.

N7K-C1-1-pod5(config)# flow record nxos-rec

N7K-C1-1-pod5(config-flow-record)# ?

  collect      Specify a non-key field
  description  Provide a description for this Flow Record
  end          Go to exec mode
  exit         Exit from command interpreter
  match        Specify a key field
  no           Negate a command or set its defaults
  pop          Pop mode from stack or restore from name
  push         Push current mode to stack or save it under name
  where        Shows the cli context you are in

N7K-C1-1-pod5(config-flow-record)# match ?

  ip         IP attributes
  ipv4       IPv4 attributes
  ipv6       IPv6 attributes
  transport  Transport layer fields

N7K-C1-1-pod5(config-flow-record)# match ipv4 destination address
N7K-C1-1-pod5(config-flow-record)# match ipv4 source address
N7K-C1-1-pod5(config-flow-record)# match ip protocol
N7K-C1-1-pod5(config-flow-record)# collect ?
  counter    Counters to collect
  flow       Flow identifying fields
  routing    Routing attributes
  timestamp  Timestamp fields
  transport  Transport layer fields

N7K-C1-1-pod5(config-flow-record)# collect transport tcp flags

Note: The TCP flags can now be exported together with the other flow information. They are very useful in auditing and forensics, as well as when analyzing client-server communications.

N7K-C1-1-pod5(config-flow-record)# collect counter packets

After we have configured the “flow record” that defines what information NetFlow will track and export, let's now configure the “flow exporter” that defines where and how to export this information. The NetFlow exporter includes the destination address of the reporting server, the type of transport (i.e. UDP only for now), and the export format (i.e. version 9).

N7K-C1-1-pod5(config-flow-record)# flow exporter nxos-exp

N7K-C1-1-pod5(config-flow-exporter)# ?

  description  Provide a description for this Flow Exporter
  destination  Specify the destination address
  dscp         Optional DSCP
  end          Go to exec mode
  exit         Exit from command interpreter
  no           Negate a command or set its defaults
  pop          Pop mode from stack or restore from name
  push         Push current mode to stack or save it under name
  source       Source Interface for this destination
  transport    Transport Destination Port
  version      Specify the export version
  where        Shows the cli context you are in

N7K-C1-1-pod5(config-flow-exporter)# description to the NetFlow collector X
N7K-C1-1-pod5(config-flow-exporter)# destination 3.3.3.3 ?
  <CR>
  use-vrf  Optional VRF label

Note: The user can also set the VRF to be used when exporting the NetFlow statistics.

N7K-C1-1-pod5(config-flow-exporter)# destination 3.3.3.3
N7K-C1-1-pod5(config-flow-exporter)# source loopback0
N7K-C1-1-pod5(config-flow-exporter)# transport udp 9999
N7K-C1-1-pod5(config-flow-exporter)# version 9

After configuring the “flow record” and the “flow exporter”, we can now put these two pieces together into an object called “flow monitor” and attach the “flow monitor” to an interface. This will enable NetFlow on the interface. On NX-OS you can enable NetFlow on per interface basis.


N7K-C1-1-pod5(config)# flow monitor nxos-mon
N7K-C1-1-pod5(config-flow-monitor)# record nxos-rec
N7K-C1-1-pod5(config-flow-monitor)# exporter nxos-exp
N7K-C1-1-pod5(config-flow-monitor)# int vlan2
N7K-C1-1-pod5(config-if)# ip flow monitor nxos-mon ?
  input   Apply Flow Monitor on input traffic
  output  Apply Flow Monitor on output traffic
N7K-C1-1-pod5(config-if)# ip flow monitor nxos-mon input
N7K-C1-1-pod5(config-if)# ip flow monitor nxos-mon output
N7K-C1-1-pod5(config-if)# end
N7K-C1-1-pod5# sh running-config netflow

version 4.0(3)
feature netflow

flow exporter nxos-exp
  description to the NetFlow collector X
  destination 3.3.3.3
  transport udp 12002
  source loopback0
  version 9

flow record nxos-rec
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  collect counter packets
  collect transport tcp flags

flow monitor nxos-mon
  record nxos-rec
  exporter nxos-exp

interface Vlan 2
  ip flow monitor nxos-mon input
  ip flow monitor nxos-mon output
N7K-C1-1-pod5#

N7K-C1-1-pod5# ping 192.168.202.<...>

Note: ping .2 for Student1, .1 for Student2.

PING 10.1.20.2 (10.1.20.2): 56 data bytes
64 bytes from 10.1.20.2: icmp_seq=0 ttl=254 time=1.062 ms
64 bytes from 10.1.20.2: icmp_seq=1 ttl=254 time=220.883 ms
64 bytes from 10.1.20.2: icmp_seq=2 ttl=254 time=2.366 ms
64 bytes from 10.1.20.2: icmp_seq=3 ttl=254 time=1.045 ms
64 bytes from 10.1.20.2: icmp_seq=4 ttl=254 time=0.967 ms

--- 10.1.55.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.967/45.264/220.883 ms

N7K-C1-1-pod5# show hardware flow ip module 9

D - Direction; L4 Info - Protocol:Source Port:Destination Port
IF - Interface: ()ethernet, (S)vi, (V)lan, (P)ortchannel, (T)unnel
TCP Flags: Ack, Flush, Push, Reset, Syn, Urgent

D IF  SrcAddr         DstAddr         L4 Info         PktCnt     TCP Flags
-+----+---------------+---------------+---------------+----------+-----------
I S2   192.168.202.002 224.000.000.002 017:00000:00000 0000000534 . . . . . .
I S2   192.168.202.002 192.168.202.001 001:00000:00000 0000000005 . . . . . .
N7K-C1-1-pod3(config-if)#
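As an added example (not part of the lab guide), the following Python script parses the “show hardware flow ip” table above, decodes the L4 Info and TCP Flags columns, and lists the sources whose TCP flows only ever carried SYN, the kind of audit the note in this step has in mind. The two real rows from the lab are kept; the three TCP rows are constructed and assume a flow record that also matches transport ports (the lab's record matches only addresses and protocol, so its ports are all zero), and the flag column is assumed to show each flag's initial letter when set and “.” otherwise.

```python
"""Parser for "show hardware flow ip" output (added example; not lab code).

Decodes the table printed in step 13 of the lab: zero-padded addresses, the
"protocol:src-port:dst-port" L4 Info field and the six-position TCP flag
column, then summarises half-open (SYN-only) TCP flows per source address.
"""
import re

# IANA protocol numbers that appear in the lab plus the common ones.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 89: "ospf"}
# Flag order as given in the command's legend on the page.
FLAG_NAMES = ("Ack", "Flush", "Push", "Reset", "Syn", "Urgent")

# Constructed sample: the two real rows from the lab plus three made-up TCP
# rows (assumed flag rendering: initial letter when set, "." when clear).
FLOW_TABLE = """\
D IF  SrcAddr         DstAddr         L4 Info         PktCnt     TCP Flags
-+----+---------------+---------------+---------------+----------+-----------
I S2   192.168.202.002 224.000.000.002 017:00000:00000 0000000534 . . . . . .
I S2   192.168.202.002 192.168.202.001 001:00000:00000 0000000005 . . . . . .
I S2   010.001.001.050 192.168.202.010 006:40000:00022 0000000003 . . . . S .
I S2   010.001.001.050 192.168.202.010 006:40001:00023 0000000001 . . . . S .
I S2   192.168.203.020 192.168.202.010 006:51234:00443 0000000812 A . P . S .
"""

ROW = re.compile(
    r"^([IO])\s+(\S+)\s+"
    r"(\d{3}\.\d{3}\.\d{3}\.\d{3})\s+(\d{3}\.\d{3}\.\d{3}\.\d{3})\s+"
    r"(\d{3}):(\d{5}):(\d{5})\s+(\d+)\s+(.*?)\s*$"
)


def _addr(zero_padded):
    """'192.168.202.002' -> '192.168.202.2'."""
    return ".".join(str(int(octet)) for octet in zero_padded.split("."))


def _flags(column):
    """'A . P . S .' -> {'Ack', 'Push', 'Syn'}; a '.' means the flag is clear."""
    tokens = column.split()
    return {name for name, tok in zip(FLAG_NAMES, tokens) if tok != "."}


def parse_hw_flows(text):
    """Return one dict per flow row; header, separator and prompt lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto = int(m.group(5))
        flows.append({
            "direction": "input" if m.group(1) == "I" else "output",
            "interface": m.group(2),
            "src": _addr(m.group(3)),
            "dst": _addr(m.group(4)),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(m.group(6)),
            "dport": int(m.group(7)),
            "packets": int(m.group(8)),
            # Flags are only meaningful for TCP; other protocols show all clear.
            "flags": _flags(m.group(9)) if proto == 6 else set(),
        })
    return flows


def syn_only_sources(flows):
    """Count, per source address, the TCP flows in which only SYN was ever seen."""
    counts = {}
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == {"Syn"}:
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    flows = parse_hw_flows(FLOW_TABLE)
    for f in flows:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {f['proto']} "
              f"pkts={f['packets']} flags={sorted(f['flags'])}")
    print("SYN-only sources:", syn_only_sources(flows))
```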

Congratulations!!! The lab is now complete!

The next two steps belong to the old lab and they have been kept here just for reference. The following steps cannot be performed in the current lab.


Virtual Device Contexts

NX-OS introduces support for Virtual Device Contexts (VDCs), which allow the Nexus 7000 to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator. This lab has used the VDC concept to allow multiple PODs to work on a single switch. These are the steps for this exercise:

- Delete the VDC you were working on.
- Create a new VDC and allocate resources to it.
- “switchto” the newly created VDC and perform the initial configuration script.

You need to be in the “default-VDC”.

N7K-1# show vdc

vdc_id  vdc_name  state   mac
------  --------  -----   ----------
1       N7K-1     active  00:22:55:79:c4:41
2       pod5-S1   active  00:22:55:79:c4:42
3       pod2-S1   active  00:22:55:79:c4:43

You will now delete the Pod (that is, the VDC) you were working on.

N7K-1# conf t

N7K-1(config)# no vdc pod< y >-S< x >

where “y” is your Pod number and “x” is “1” for Student1, “2” for Student2.

Deleting this vdc will remove its config. Continue deleting this vdc? [no] yes

Note: Deleting VDC, one moment please ...

N7K-1(config)#

2009 Jan 8 07:43:34 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 2 is now offline

Now create a new VDC and allocate the following interfaces.

N7K-1(config)# vdc pod< y >-S< x >

where “y” is your Pod number and “x” is “1” for Student1, “2” for Student2.

Note: Creating VDC, one moment please ...

2009 Jan 8 07:44:17 N7K-1 %VDC_MGR-2-VDC_LIC_WARN: Service using grace period will be shutdown in 30 day(s)

2009 Jan 8 07:44:34 N7K-9 %VDC_MGR-2-VDC_ONLINE: vdc 2 has come online


N7K-1(config-vdc)# ?

  allocate        Assign interfaces to vdc
  end             Go to exec mode
  exit            Exit from command interpreter
  ha-policy       Change HA policy for this VDC
  limit-resource  Resource configuration
  no              Negate a command or set its defaults
  pop             Pop mode from stack or restore from name
  push            Push current mode to stack or save it under name
  template        Change the template for this vdc
  where           Shows the cli context you are in

N7K-1(config-vdc)# allocate interface ethernet <check the table above>

Moving ports will cause all config associated to them in source vdc to be removed. Are you sure you want to move the ports? [yes] yes

Should a control plane failure occur, the administrator has a set of options that can be configured on a per-VDC basis defining what action will be taken regarding that VDC.

There are three actions that can be configured: restart, bringdown, and reset.

The restart option will delete the VDC and then re-create it with the running configuration. This configured action will occur regardless of whether there are dual supervisors or a single supervisor present in the chassis.

The bringdown option will simply delete the VDC.

The reset option will issue a reset for the active supervisor when there is only a single supervisor in the chassis. If dual supervisors are present, the reset option will force a supervisor switchover.

The default VDC always has a high-availability option of reset assigned to it. Subsequent VDCs created will have a default value of bringdown assigned to them. This value can be changed under configuration control.

N7K-1(config-vdc)# ha-policy single-sup restart dual-sup restart
N7K-1(config-vdc)# limit-resource ?
  m4route-mem      Set ipv4 route memory limits
  m6route-mem      Set ipv6 route memory limits
  monitor-session  Monitor local session
  port-channel     Set port-channel limits
  u4route-mem      Set ipv4 route memory limits
  u6route-mem      Set ipv6 route memory limits
  vlan             Set VLAN limits
  vrf              Set vrf resource limits

N7K-1(config-vdc)# limit-resource vrf minimum 16 maximum 20

N7K-1(config-vdc)# show vdc pod< y >-S< x > detail

vdc id: 2
vdc name: pod5-S1
vdc state: active
vdc mac address: 00:1b:54:c2:29:42
vdc ha policy: RESTART
vdc dual-sup ha policy: RESTART
vdc create time: Thu Aug 7 10:15:46 2008
vdc restart count: 0


N7K-1(config-vdc)# show vdc pod< y >-S< x > membership

vdc_id: 2 vdc_name: student1 interfaces:
  Ethernet1/1 Ethernet1/2 Ethernet1/3 Ethernet1/5 Ethernet1/5 Ethernet1/6 Ethernet1/7 Ethernet1/8
  Ethernet1/9 Ethernet1/10 Ethernet1/11 Ethernet1/12 Ethernet1/13 Ethernet1/14 Ethernet1/15 Ethernet1/16

N7K-1(config-vdc)# exit

It’s now time to “switchto” the newly created VDC. You will go through the initial script configuration, which is similar to the one you would go through on a first-time-booted Nexus7000.

N7K-1# switchto vdc pod< y >-S< x >

---- System Admin Account Setup ----
Do you want to enforce secure password standard (yes/no): no
Enter the password for "admin": Test
Confirm the password for "admin": Test

---- Basic System Configuration Dialog VDC: 2 ----
This setup utility will guide you through the basic configuration of the system. Setup configures only enough connectivity for management of the system.
Please register Cisco Nexus7000 Family devices promptly with your supplier. Failure to register may affect response times for initial service calls. DC3 devices must be registered to receive entitled support services.
Press Enter at anytime to skip a dialog. Use ctrl-c at anytime to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes
Create another login account (yes/no) [n]:
Configure read-only SNMP community string (yes/no) [n]:
Configure read-write SNMP community string (yes/no) [n]:
Enter the switch name : pod< y >-S< x >

Continue with Out-of-band (mgmt0) management configuration? (yes/no) [y]:
Mgmt0 IPv4 address : 192.168.100.<...>
Mgmt0 IPv4 netmask : 255.255.255.0
Configure the default gateway? (yes/no) [y]:
IPv4 address of the default gateway : 192.168.100.1

For the last octet of the Mgmt0 address (<...>) use:
20 for Odd Pods – Student1
22 for Odd Pods – Student2
21 for Even Pods – Student1
23 for Even Pods – Student2


Configure advanced IP options? (yes/no) [n]:
Enable the telnet service? (yes/no) [y]:
Enable the ssh service? (yes/no) [n]:
Configure the ntp server? (yes/no) [n]:
Configure default interface layer (L3/L2) [L3]:
Configure default switchport interface state (shut/noshut) [shut]:
Configure default switchport trunk mode (on/off/auto) [on]:

The following configuration will be applied:
  switchname pod5nxos
  interface mgmt0
    ip address 192.168.100.20 255.255.255.0
    no shutdown
  vrf context management
    ip route 0.0.0.0/0 192.168.100.1
  exit
  telnet server enable
  no ssh server enable
  no system default switchport
  system default switchport shutdown

Would you like to edit the configuration? (yes/no) [n]:
Use this configuration and save it? (yes/no) [y]: y

N7K-1-pod5#
N7K-1<x>nxos# sh running-config
version 4.0(3)
username admin password 5 $1$XpvaHAKS$OhTkzciBdKkE4FOM0epik/ role vdc-admin
telnet server enable
ssh key rsa 1024 force
no ssh server enable
snmp-server user admin vdc-admin auth md5 0x77306315bd719b5d121cdeb6f0a9d697 priv 0x77306315bd719b5d121cdeb6f0a9d697 localizedkey
vrf context management
  ip route 0.0.0.0/0 192.168.100.1
switchname pod5nxos
<omitting interface config>
interface mgmt0
  ip address 192.168.100.20/26

N7K-1-pod5# ping 128.107.221.65 vrf management
PING 128.107.221.65 (128.107.221.65): 56 data bytes
64 bytes from 128.107.221.65: icmp_seq=0 ttl=255 time=0.927 ms
64 bytes from 128.107.221.65: icmp_seq=1 ttl=255 time=0.452 ms
64 bytes from 128.107.221.65: icmp_seq=2 ttl=255 time=0.504 ms
64 bytes from 128.107.221.65: icmp_seq=3 ttl=255 time=0.692 ms
64 bytes from 128.107.221.65: icmp_seq=4 ttl=255 time=0.596 ms
--- 128.107.221.65 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.452/0.634/0.927 ms


Wireshark

Wireshark used to be known as Ethereal®. Wireshark® is the world's foremost network protocol analyzer and is the de facto (and often de jure) standard across many industries and educational institutions. NX-OS offers an integrated packet capture tool for packets directed to the control plane. This packet analyzer is built on top of Wireshark and is called Ethanalyzer. The primary function of this protocol analyzer is to capture and analyze control packets, but it can also be leveraged to look at data traffic in its “acl-log” mode. When analyzing data traffic, such traffic will reach the Supervisor after being rate limited in hardware.

During this step we will capture regular control traffic, and then we will set up an ACL just to show the procedure for capturing data-plane traffic; we won’t actually capture data traffic during this lab. Ethanalyzer can be used only from the default-VDC.

To start, access the default-VDC by opening the “Device Access” folder located in the “My Documents” folder and double-click on the “N7K# default” ssh connection, where # is 1 for Student1 and 2 for Student2.

N7K-1# ethanalyzer local interface ?
  inband  Inband/Outband interface
  mgmt    Management interface
N7K-1# ethanalyzer local interface inband ?
  <CR>
  >                      Redirect it to a file
  >>                     Redirect it to a file in append mode
  brief                  Display only protocol summary
  capture-filter         Filter on ethanalyzer capture
  decode-internal        Include internal system header decoding
  display-filter         Display filter on frames captured
  limit-captured-frames  Maximum number of frames to be captured (default is 100)
  limit-frame-size       Capture only a subset of a frame
  write                  Filename to save capture to
  |                      Pipe command output to filter

The “brief” option will show one-liner info.

N7K-1# ethanalyzer local interface inband brief capture-filter "udp" limit-captured-frames 10
Capturing on eth0
10 packets captured
2009-01-08 07:09:45.84 192.168.203.2 -> 224.0.0.2 HSRP Hello (state Standby)
2009-01-08 07:09:45.87 192.168.202.2 -> 224.0.0.2 HSRP Hello (state Standby)
2009-01-08 07:09:45.89 192.168.202.1 -> 224.0.0.2 HSRP Hello (state Active)
2009-01-08 07:09:45.89 192.168.203.1 -> 224.0.0.2 HSRP Hello (state Active)
2009-01-08 07:09:46.89 192.168.203.2 -> 224.0.0.2 HSRP Hello (state Standby)
2009-01-08 07:09:46.89 192.168.202.2 -> 224.0.0.2 HSRP Hello (state Standby)
2009-01-08 07:09:46.89 192.168.202.1 -> 224.0.0.2 HSRP Hello (state Active)
2009-01-08 07:09:46.90 192.168.203.1 -> 224.0.0.2 HSRP Hello (state Active)
2009-01-08 07:09:47.90 192.168.202.1 -> 224.0.0.2 HSRP Hello (state Active)
2009-01-08 07:09:47.90 192.168.203.1 -> 224.0.0.2 HSRP Hello (state Active)


N7K-1#

To see the entire packet, remove the “brief” keyword.

N7K-1# ethanalyzer local interface inband capture-filter "udp" limit-captured-frames 1 | no-more
Capturing on eth0
1 packets captured
Frame 1 (62 bytes on wire, 62 bytes captured)
  Arrival Time: Nov 19, 2008 01:06:08.834050000
  [Time delta from previous captured frame: 1227056768.834050000 seconds]
  [Time delta from previous displayed frame: 1227056768.834050000 seconds]
  [Time since reference or first frame: 1227056768.834050000 seconds]
  Frame Number: 1
  Frame Length: 62 bytes
  Capture Length: 62 bytes
  [Frame is marked: False]
  [Protocols in frame: eth:ip:udp:hsrp]
Ethernet II, Src: 00:22:55:79:be:42 (00:22:55:79:be:42), Dst: 01:00:5e:00:00:02 (01:00:5e:00:00:02)
  Destination: 01:00:5e:00:00:02 (01:00:5e:00:00:02)
    Address: 01:00:5e:00:00:02 (01:00:5e:00:00:02)
    .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
  Source: 00:22:55:79:be:42 (00:22:55:79:be:42)
    Address: 00:22:55:79:be:42 (00:22:55:79:be:42)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
  Type: IP (0x0800)
<IP Header Omitted>
Cisco Hot Standby Router Protocol
  Version: 0
  Op Code: Hello (0)
  State: Standby (8)
  Hellotime: Non-Default (1)
  Holdtime: Non-Default (3)
  Priority: 20
  Group: 1
  Reserved: 0
  Authentication Data: Default (cisco)
  Virtual IP Address: 192.168.202.3 (192.168.202.3)
N7K-1#

Let’s capture and store the file on the bootflash, so we can copy it over and look at it on our Windows machine.

N7K-1# ethanalyzer local interface inband limit-captured-frames 30 write bootflash:capture

Once the capture is on your Desktop, launch Wireshark using the icon and load the file.
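As an added example, not from the lab guide, a Python decoder for the 20-byte HSRP version 0 payload that Ethanalyzer dissected above (the 62-byte frame is 14 bytes of Ethernet, 20 of IP, 8 of UDP and 20 of HSRP). The sample bytes are constructed from the field values shown in the decode; the audit function is a defender's check that flags the default authentication string and a holdtime that does not exceed the hellotime.

```python
import struct
from ipaddress import IPv4Address

# HSRP v0 payload (RFC 2281), carried in UDP port 1985:
# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# 8-byte authentication data, 4-byte virtual IP.
HSRP_STRUCT = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak",
          8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"

# Constructed sample: the Hello from the lab's decode re-encoded from its
# field values (Standby, hello 1, hold 3, priority 20, group 1, auth "cisco",
# virtual IP 192.168.202.3).
SAMPLE_HELLO = HSRP_STRUCT.pack(0, 0, 8, 1, 3, 20, 1, 0,
                                DEFAULT_AUTH.ljust(8, b"\x00"),
                                IPv4Address("192.168.202.3").packed)

def decode_hsrp(payload):
    """Decode one HSRP v0 message into the fields Wireshark shows."""
    if len(payload) < HSRP_STRUCT.size:
        raise ValueError("truncated HSRP payload")
    ver, op, state, hello, hold, prio, group, _resv, auth, vip = \
        HSRP_STRUCT.unpack_from(payload)
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return {
        "version": ver,
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00"),
        "virtual_ip": str(IPv4Address(vip)),
    }

def audit_hsrp(msg):
    """Return findings a defender would raise on a decoded Hello."""
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    if msg["holdtime"] <= msg["hellotime"]:
        findings.append("holdtime not greater than hellotime")
    return findings
```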


The following portion of the Wireshark step is optional... if you are running out of time jump to Step 13 “Virtual Device Context”!!! Ethanalyzer can capture data traffic as well, so that network administrators have an embedded and easy-to-use tool for on-the-fly capture. Ethanalyzer gives network administrators more visibility into application behavior with a few simple steps:

1. Identify the application characteristics

2. Create ad hoc ACL to match (and permit) the application flow between two servers

3. Use the “log” keyword to punt copies of matching packets to supervisor CPU

4. The original traffic gets forwarded with no impact

5. The copies sent to CPU are subjected to hardware rate limiter (100 pps by default)

6. These copies can be captured by our Ethanalyzer (Wireshark a.k.a Ethereal)

7. Ethanalyzer can output to screen or dump to file on flash which can be copied to PC for GUI analysis

Let’s suppose we have an application using TCP port 5600 between the server 1.1.1.24 and the client 1.1.1.16. Let’s now create the ad hoc ACL and apply it to the interface. We won’t actually capture traffic in this example and you do NOT need to run this part of the config:

N7K-1(config)# ip access-list etha
N7K-1(config-acl)# statistics per-entry
N7K-1(config-acl)# permit tcp host 1.1.1.24 host 1.1.1.16 eq 5600 log
N7K-1(config-acl)# show ip access-lists etha
IP access list etha
  statistics per-entry
  10 permit tcp 1.1.1.24/32 1.1.1.16/32 eq 5600 log
N7K-1(config)# int e1/1
N7K-1(config-if)# ip access-group etha in
N7K-2-pod5(config-if)# end

We can now selectively capture these packets and save the capture to the usb1 (so we could use our laptop with the nice Wireshark graphical interface):

N7K-1# ethanalyzer loc interf inband capture-filter "tcp port 5600" write bootflash:cap_acl_log


Recommended Reading

Cisco Nexus 7000 Series Switches:

www.cisco.com/en/US/products/ps9402/index.html

Cisco NX-OS Feature Navigator:

www.cisco.com/go/nxosnav

Cisco NX-OS Home Page:

www.cisco.com/go/nxos

Complete Your Online Session Evaluation

Cisco values your input. Give us your feedback! We read and carefully consider your scores and comments, and incorporate them into the content program year after year.

Go to the Internet stations located throughout the Convention Center to complete your session evaluations.

Thank you!