nx.os.and.cisco.nexus.switching.2nd.edition.1587143046

Recommendations

Info

Chapter 5. Security This chapter covers the following topics: • Configuring RADIUS • Configuring TACACS+ • Configuring SSH • Configuring Cisco TrustSec • Configuring IP ACLs • Configuring MAC ACLs • Configuring VLAN ACLs • Configuring Port Security • Configuring DHCP Snooping • Configuring Dynamic ARP Inspection • Configuring IP Source Guard • Configuring Keychain Management • Configuring Traffic Storm Control • Configuring Unicast RPF • Configuring Control Plane policing • Configuring Rate Limits • SNMPv3 Security is a common discussion and concern. Cisco NX-OS Software supports a pervasive security feature set that protects NX-OS switches, protects the network against network degradation, protects the network against failure, and protects against data loss or compromise resulting from intentional attacks. This chapter discusses several security features to address a defense in-depth approach to provide a scaleable, robust, and secure data center solution set. Configuring RADIUS Authentication, Authorization, and Accounting (AAA) services enable verification of identity, granting of access, and tracking the actions of users managing a Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control device Plus (TACACS+) protocols. Based on the user ID and password combination provided, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. A common secret key can be configured for all AAA servers or for a specific AAA server. AAA security provides the following services:
• Authentication: Identifies users, including login and password dialog; challenge and response; messaging support; and, depending on the security protocol selected, encryption. Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices enable local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers). • Authorization: Provides access control. AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS Software is provided by attributes downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. • Accounting: Provides the method for collecting information; logging the information locally; and sending the information to the AAA server for billing, auditing, and reporting. The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. The logs can be used to generate reports for troubleshooting and auditing purposes. The accounting log can be stored locally or sent to remote AAA servers. AAA services provide several benefits such as flexibility and control of access configuration; scalability; and centralized or distributed authentication methods, such as RADIUS and TACACS+. Successful deployment of AAA services includes several prerequisites: • Verification that the RADIUS or TACACS+ server is reachable through IP, such as a simple ping test. • Verification that the Cisco NX-OS device is configured as a client of the AAA servers. • Configuration of a secret key on the Cisco NX-OS device and the remote AAA servers. • Verification that the remote server responds to AAA requests from the Cisco NX-OS device by specifying the correct source interface. The TACACS+ protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running on a Cisco ACS Linux appliance. TACACS+ provides for separate authentication, authorization, and accounting facilities. The TACACS+ protocol uses TCP port 49 for transport communication. RADIUS is a client/server protocol through which remote access servers communicate with a central server to authenticate users and authorize their access to the requested system or service. RADIUS maintains user profiles in a central database that all remote servers can
Page 2 and 3:
NX-OS and Cisco Nexus Switching Nex
Page 4 and 5:
For sales outside of the U.S. pleas
Page 6 and 7:
About the Authors Ron Fuller, CCIE
Page 8 and 9:
Dedications Ron Fuller: This book i
Page 10 and 11:
We need to find another heavy conce
Page 12 and 13:
Contents at a Glance Foreword Intro
Page 14 and 15:
Interface Allocation: N7K-M108X2-12
Page 16 and 17:
OSPF OSPFv2 Configuration OSPF Summ
Page 18 and 19:
Cisco TrustSec Configuring AAA for
Page 20 and 21:
Chapter 8 Unified Fabric Unified Fa
Page 22 and 23:
OTV Control Plane Multicast-Enabled
Page 24 and 25:
Icons Used in This Book
Page 26 and 27:
Foreword With more than 30,000 cust
Page 28 and 29:
Chapters 1 through 14 cover the fol
Page 30 and 31:
• Security: Cisco NX-OS provides
Page 32 and 33:
Fibre Channel, Ethernet, and FCoE i
Page 34 and 35:
• Nexus 2224: FEX, 24 100/1000Bas
Page 36 and 37:
Nexus 3000 Learned Routes), EIGRP-S
Page 38 and 39:
• NX-OS supports VDCs, which enab
Page 40 and 41:
Click here to view code image Congo
Page 42 and 43:
NX-OS has many different types of m
Page 44 and 45:
module to which it is attached, ena
Page 46 and 47:
Example 1-6. Enabling a Telnet Serv
Page 48 and 49:
user:admin this user account has no
Page 50 and 51:
SNMP Figure 1-4. Results of the Sel
Page 52 and 53:
___________________________________
Page 54 and 55:
User Auth Priv ____ ____ ____ NMS s
Page 56 and 57:
Managing System Files Directories c
Page 58 and 59:
309 Mar 21 15:43:51 2011 dc1-fp.lic
Page 60 and 61:
active/ bootflash://sup-remote/ boo
Page 62 and 63:
will be applied to your current run
Page 64 and 65:
N7010-1(config)# snmp-server enable
Page 66 and 67:
vrf 2 1000 3 0 portchannel 0 768 1
Page 68 and 69:
• Independent processes started f
Page 70 and 71:
Figure 1-6. Shared Interface Concep
Page 72 and 73:
Example 1-14. Creating a VDC Core o
Page 74 and 75:
Figure 1-13. Nexus 7000 F2e 48-Port
Page 76 and 77:
• After a port has been assigned
Page 78 and 79:
Figure 1-20. N7K-M148GS-11 and L Mo
Page 80 and 81:
Figure 1-22. N7K-M224XP-23L I/O Mod
Page 82 and 83:
Interface Allocation on M2 Modules
Page 84 and 85:
egypt(config)# vdc core egypt(confi
Page 86 and 87:
Further Reading Figure 1-25. Physic
Page 88 and 89:
Chapter 2. Layer 2 Support and Conf
Page 90 and 91:
connectivity. One of the most appar
Page 92 and 93:
1GE JAF1318AALS NX5000# show fex 10
Page 94 and 95:
- down 1 full 1000 -- Eth100/1/9 -
Page 96 and 97:
Eth100/1/11 Eth100/1/3 Eth100/1/2 E
Page 98 and 99:
Eth100/1/2 Up Po100 Po100 Eth100/1/
Page 100 and 101:
N7K-1(config)# mac address-table ag
Page 102 and 103:
Congo# show vlan internal usage VLA
Page 104 and 105:
the requirements of the devices con
Page 106 and 107:
14 VLAN0014 active Eth2/11, Eth2/12
Page 108 and 109:
• Host6(192.168.100.26): Sends tr
Page 110 and 111:
Kenya(config-if)# switchport mode p
Page 112 and 113:
used to provide a much simpler conf
Page 114 and 115:
Congo# conf t Enter configuration c
Page 116 and 117:
Eth2/11 Root FWD 4 128.267 Network
Page 118 and 119:
Example 2-29 demonstrates how the d
Page 120 and 121:
Example 2-31. MST Verification Clic
Page 122 and 123:
Click here to view code image Egypt
Page 124 and 125:
Example 2-38 shows the root ports o
Page 126 and 127:
- ---------------- VLAN0001 4097 00
Page 128 and 129:
001b.54c2.bbc2 4 2 12 9 Ethernet2/1
Page 130 and 131:
intervention to enable ports that h
Page 132 and 133:
Congo# Example 2-51 shows how to re
Page 134 and 135:
After the VLAN is defined on Egypt,
Page 136 and 137:
Configuring Layer 2 Interfaces Now
Page 138 and 139:
!Time: Fri Oct 30 08:52:29 2009 ver
Page 140 and 141:
aggregation protocol information is
Page 142 and 143:
Members must have same Ethernet Lay
Page 144 and 145:
---------------------- Po100 on on
Page 146 and 147:
oth devices are online, and also to
Page 148 and 149:
Congo(config-if)# no shutdown Congo
Page 150 and 151:
link. This will enable spanning tre
Page 152 and 153:
00- 103 00-103 Allowed VLANs - 40-4
Page 154 and 155:
spanning tree domain to the entire
Page 156 and 157:
Current operational state: advertis
Page 158 and 159:
FabricPath IS-IS adjacencies are th
Page 160 and 161:
Figure 2-9. FabricPath Topology As
Page 162 and 163:
Figure 2-10. FabricPath Interface C
Page 164 and 165:
D - Static Adjacencies attached to
Page 166 and 167:
• Enable the vPC feature. • Def
Page 168 and 169:
Performed vPC role : none establish
Page 170 and 171:
Figure 2-12. vPC+ Interface Configu
Page 172 and 173:
VLAN MAC Address Type age Secure NT
Page 174 and 175:
called the Diffusing Update Algorit
Page 176 and 177:
Example 3-4 shows an alphanumeric s
Page 178 and 179:
Interface Peers Un/Reliable SRTT Un
Page 180 and 181:
Note Mixing standard and wide metri
Page 182 and 183:
Example 3-14. Summarizing Networks
Page 184 and 185:
GigabitEthernet1/48 10.0.0.0/24 is
Page 186 and 187:
Congo# show ip eigrp neighbor detai
Page 188 and 189:
complex routing scenarios with a fi
Page 190 and 191:
edistributed. Example 3-24. Definin
Page 192 and 193:
D 10.10.10.0 [90/3072] via 192.168.
Page 194 and 195:
total) With the output in Example 3
Page 196 and 197:
Figure 3-5. Network Topology for OS
Page 198 and 199:
Congo# config t Enter configuration
Page 200 and 201:
Libya# show ip ospf neighbor detail
Page 202 and 203:
CNTL/Z. Congo(config)# router ospf
Page 204 and 205:
*via 192.168.1.1, Lo0, [0/0], 01:02
Page 206 and 207:
as Type 7 LSAs. Although not common
Page 208 and 209:
Number of LSAs: 6, checksum sum 0x3
Page 210 and 211:
Securing OSPF Area ranges are 192.1
Page 212 and 213:
Example 3-55. Verification of OSPF
Page 214 and 215:
Congo(config-route-map)# match ip a
Page 216 and 217:
default-metric 100 The process begi
Page 218 and 219:
D - EIGRP, EX - EIGRP external, O -
Page 220 and 221:
Example 3-67. This information is e
Page 222 and 223:
extremely valuable when troubleshoo
Page 224 and 225:
1. Enable IS-IS. 2. Configure the I
Page 226 and 227:
Level-1 Designated IS: Congo Level-
Page 228 and 229:
Congo(config-if)# sh isis adj IS-IS
Page 230 and 231:
Figure 3-10. Network Topology for B
Page 232 and 233:
feature bgp router bgp 65000.65088
Page 234 and 235:
BGP version 4, remote router ID 192
Page 236 and 237:
Received 4 messages, 0 notification
Page 238 and 239:
Neighbor capabilities: Dynamic capa
Page 240 and 241:
queue Sent 6689 messages, 1 notific
Page 242 and 243:
S 172.26.2.0/23 [1/0] via 172.26.32
Page 244 and 245:
o - ODR, P - periodic downloaded st
Page 246 and 247:
*>r192.168.1.40/30 0.0.0.0 44 2500
Page 248 and 249:
version 4.2(2a) feature hsrp Simila
Page 250 and 251:
Virtual IP address is 10.10.100.1 (
Page 252 and 253:
Vlan100 - Group 100 (HSRP-V1) (IPv4
Page 254 and 255:
VRRP 2 state changes, last state ch
Page 256 and 257: implementation in IOS, a device wit
Page 258 and 259: You can see the addition of authent
Page 260 and 261: Figure 3-13. HSRP/VRRP Interaction
Page 262 and 263: Figure 3-15 illustrates the topolog
Page 264 and 265: Verifying GLBP Configuration A quic
Page 266 and 267: Active is local Standby is 10.10.10
Page 268 and 269: emaining) Active is local, weightin
Page 270 and 271: Chapter 4. IP Multicast Configurati
Page 272 and 273: eferred to as the RP tree or RPT. F
Page 274 and 275: In general, PIM can operate in two
Page 276 and 277: Due to this behavior, it is not nec
Page 278 and 279: N7K-1-Core1# config Enter configura
Page 280 and 281: priority: 0, RP-source: (local), gr
Page 282 and 283: Auto-RP Announce policy: None Auto-
Page 284 and 285: N7K-2-Core# config Enter configurat
Page 286 and 287: Auto-RP RPA: 10.1.0.1, uptime: 00:0
Page 288 and 289: BSR RP Candidate policy: None BSR R
Page 290 and 291: PIM Group-Range Configuration for V
Page 292 and 293: The Nexus 7000 is a Layer 3 switch
Page 294 and 295: Vlan100, Interface status: protocol
Page 296 and 297: Switch-querier disabled IGMPv3 Expl
Page 298 and 299: CMHLAB-DC2-VSM1# show ip igmp snoop
Page 300 and 301: Figure 4-9. Network Topology for MS
Page 302 and 303: 238.102.1.1/32 238.101.1.1/32 238.1
Page 304 and 305: PIM configured DR priority: 1 PIM b
Page 308 and 309: share. This model provides security
Page 310 and 311: distribution, use the following com
Page 312 and 313: deadtime value:0 source interface:l
Page 314 and 315: or Offline Click here to view code
Page 316 and 317: Figure 5-3. Adding a User to the Ci
Page 318 and 319: Click here to view code image Egypt
Page 320 and 321: pending pending-diff Egypt(config)#
Page 322 and 323: Example 5-16. Verifying TACACS+ CFS
Page 324 and 325: configuration required in NX-OS. Ex
Page 326 and 327: Figure 5-7. Adding Redundant NX-OS
Page 328 and 329: Note • Be sure to have an SSH Ser
Page 330 and 331: Tx 7653 output packets 6642 unicast
Page 332 and 333: Figure 5-9. Cisco TrustSec Example
Page 334 and 335: NX7k-SGA # conf t NX7k-SGA (config)
Page 336 and 337: Figure 5-12. The Required Fields to
Page 338 and 339: Click here to view code image NX7K-
Page 340 and 341: Example 5-32 shows the successful d
Page 342 and 343: • PCI 3 (decimal) / 0003 (hex)
Page 344 and 345: Figure 5-20. The ISE Compares Its S
Page 346 and 347: NX7K-SGA(config)# cts refresh role-
Page 348 and 349: Egypt# show run cts feature dot1x f
Page 350 and 351: Egypt# show runn cts !Command: show
Page 352 and 353: Example 5-42 confirms the VLAN used
Page 354 and 355: Total Length: 84 Identification: 0x
Page 356 and 357:
To improve the scalability of ACL m
Page 358 and 359:
0001 ip access-list TCP1 0002 permi
Page 360 and 361:
Example 5-53 shows how to change th
Page 362 and 363:
Port security enables you to config
Page 364 and 365:
Click here to view code image Egypt
Page 366 and 367:
A maximum number of MAC addresses c
Page 368 and 369:
Note Enable DHCP snooping globally
Page 370 and 371:
Egypt# Example 5-67 shows how to ve
Page 372 and 373:
Note By default, all interfaces are
Page 374 and 375:
Vlan : 1 ----------- Configuration
Page 376 and 377:
!Command: show running-config dhcp
Page 378 and 379:
network performance. The traffic st
Page 380 and 381:
Egypt(config-if)# Example 5-84 veri
Page 382 and 383:
Unicast packets : 0/0/0/0/0 Unicast
Page 384 and 385:
permit eigrp any any ipv6 access-li
Page 386 and 387:
permit pim any ff02::d/128 permit u
Page 388 and 389:
match access-group name copp-system
Page 390 and 391:
class copp-system-p-class-critical
Page 392 and 393:
| glean | mtu | multicast {directly
Page 394 and 395:
Example 5-90. Configuring Rate Limi
Page 396 and 397:
copy Config : 30000 Allowed : 26346
Page 398 and 399:
User ____ Auth Priv ____ ____ Examp
Page 400 and 401:
Role: vdc-operator Description: Pre
Page 402 and 403:
-----------------------------------
Page 404 and 405:
entity : entity_power_status_change
Page 406 and 407:
entity : entity_power_status_change
Page 408 and 409:
Chapter 6. High Availability This c
Page 410 and 411:
edundant Configure power supply red
Page 412 and 413:
• Cisco Nexus 7010 Series system
Page 414 and 415:
2 QEng1Sn3(s20) 115 105 46 2 QEng1S
Page 416 and 417:
not be prolonged because of the ina
Page 418 and 419:
--- -------------- ------ 1 NA 1.0
Page 420 and 421:
Example 6-7. Supervisor Runtime Dia
Page 422 and 423:
Congo# show diagnostic description
Page 424 and 425:
L/* - Exclusively run this test / N
Page 426 and 427:
***N******A 00:30:00 9) SecondaryBo
Page 428 and 429:
These software features combine to
Page 430 and 431:
N7k-1(config)# install feature-set
Page 432 and 433:
Other supervisor (sup-5) ----------
Page 434 and 435:
! The impact of the software upgrad
Page 436 and 437:
5 bios v3.22.0(02/20/10): v3.22.0(0
Page 438 and 439:
Kernel uptime is 128 day(s), 7 hour
Page 440 and 441:
1 yes non-disruptive rolling 2 yes
Page 442 and 443:
ios/loader/bootrom. Warning: please
Page 444 and 445:
http://www.opensource.org/licenses/
Page 446 and 447:
In addition to the NX-OS operating
Page 448 and 449:
features such as stateful process r
Page 450 and 451:
it to the destination. SPANning tra
Page 452 and 453:
Jealousy(config-if)# switchport mon
Page 454 and 455:
Example 7-5. Displaying a Monitor S
Page 456 and 457:
Example 7-7. Displaying a Virtual S
Page 458 and 459:
Figure 7-3. Nexus 5x00 SPAN Topolog
Page 460 and 461:
Click here to view code image CMHLA
Page 462 and 463:
state : up source intf : rx : vfc10
Page 464 and 465:
Note The Nexus 1000V does not suppo
Page 466 and 467:
CMHLAB-DC2-VSM1# config t CMHLAB-DC
Page 468 and 469:
Figure 7-6. Create a vmk Port Using
Page 470 and 471:
Figure 7-8. Create a vmk Port Using
Page 472 and 473:
CMHLAB-DC2-VSM1(config-erspan-src)#
Page 474 and 475:
N7K-2(config-erspan-src)# no shut N
Page 476 and 477:
Legend: l = learning enabled f = fo
Page 478 and 479:
Legend: l = learning enabled f = fo
Page 480 and 481:
Note The Nexus 5500 series switches
Page 482 and 483:
cmhlab-dc2-tor2(config-erspan-src)#
Page 484 and 485:
802.1Q Virtual LAN 000. .... .... .
Page 486 and 487:
.... 10.. = Port Role: Root (2) ...
Page 488 and 489:
Frame Length: 57 bytes Capture Leng
Page 490 and 491:
...0 .... .... .... = CFI: 0 .... 0
Page 492 and 493:
..1. .... = Forwarding: Yes ...1 ..
Page 497 and 498:
Note You can add more show commands
Page 499 and 500:
Data Center Jealousy(config-callhom
Page 501 and 502:
neighbor If the email transport opt
Page 503 and 504:
Example 7-35. System-Generated Chec
Page 505 and 506:
After a review of the differences,
Page 507 and 508:
Checkpoints can be given a name and
Page 509 and 510:
Rollback Patch is Empty Note: Apply
Page 511 and 512:
Jealousy(config-flow-record)# end J
Page 513 and 514:
Layer 2 NetFlow cannot be applied i
Page 515 and 516:
packets CMHLAB-DC2-VSM1(config-flow
Page 517 and 518:
where NTP runs in multiple VDCs, th
Page 519 and 520:
Local clock time:Sun May 6 03:21:16
Page 521 and 522:
2. A DHCP request is sent and repli
Page 523 and 524:
if protocol == "telnet": c = "/isan
Page 525 and 526:
scLogFileName + ".*100%", \ pexpect
Page 527 and 528:
print "Failed connecting to " + hos
Page 529 and 530:
• Higher availability: Quite simp
Page 531 and 532:
eaping the benefits of a Unified I/
Page 533 and 534:
Figure 8-4. FIP Process FIP can be
Page 535 and 536:
Multhop Fibre Channel over Ethernet
Page 537 and 538:
to Cisco NX-OS,” and the focus in
Page 539 and 540:
switch as a Fabric Port (F-port) an
Page 541 and 542:
-----------------------------------
Page 543 and 544:
Restarting system. Single-Hop FCoE
Page 545 and 546:
1 minute output rate 0 bits/sec, 0
Page 547 and 548:
Port Native Status Port Vlan Channe
Page 549 and 550:
Click here to view code image N5K-1
Page 551 and 552:
N5K-1# A similar configuration must
Page 553 and 554:
N7K-1# config Enter configuration c
Page 555 and 556:
Click here to view code image N7K-1
Page 557 and 558:
2000 2000 Operational N7K-1-FCoE# N
Page 559 and 560:
version 5.2(2a) interface Ethernet3
Page 561 and 562:
Note If all the shared ASIC ports a
Page 563 and 564:
Figure 8-14. FCoE Topology Example
Page 565 and 566:
could fail. By taking advantage of
Page 567 and 568:
VSM in an active-standby pair; and
Page 569 and 570:
Figure 9-2. Nexus 1000V Topology Th
Page 571 and 572:
The VEM differentiates between the
Page 573 and 574:
Figure 9-3. VEM Loop Prevention Not
Page 575 and 576:
login as: admin Nexus 1010 Using ke
Page 577 and 578:
VsbEthernet1/1 control 0 up up VsbE
Page 579 and 580:
vsm login: admin Password: Cisco Ne
Page 581 and 582:
Click here to view code image vsm#
Page 583 and 584:
Figure 9-6. Selecting the Plug-Ins
Page 585 and 586:
Figure 9-9. Registering the Plug-In
Page 587 and 588:
such license is available at http:/
Page 589 and 590:
sync status: Complete version: VMwa
Page 591 and 592:
Figure 9-14. Entering the VMWare vC
Page 593 and 594:
Figure 9-16. The OVA File and VSM R
Page 595 and 596:
Figure 9-18. Configuring the Networ
Page 597 and 598:
Figure 9-20. VSM Configuration Attr
Page 599 and 600:
Figure 9-22. VSM Installation Proce
Page 601 and 602:
Figure 9-24. VSM Installation Summa
Page 603 and 604:
1000v Management Center. Note For t
Page 605 and 606:
Figure 9-28. Entering the Nexus 100
Page 607 and 608:
Figure 9-30. VEM Configuration Summ
Page 609 and 610:
Figure 9-32. Configuring the Nexus
Page 611 and 612:
Reboot Required: false VIBs Install
Page 613 and 614:
vsm(config-port-prof)# no shutdown
Page 615 and 616:
Figure 9-34. Adding the VEM Through
Page 617 and 618:
Figure 9-36. Selecting the ESX Host
Page 619 and 620:
Figure 9-38. Selecting the VM to Mi
Page 621 and 622:
Figure 9-40. Verifying That the ESX
Page 623 and 624:
--- -------------------------------
Page 625 and 626:
vsm# Note There is a 60-day evaluat
Page 627 and 628:
Figure 9-41. 1000V-Topology Example
Page 629 and 630:
vsm(config)# Example 9-11 shows how
Page 631 and 632:
Figure 9-43. Selecting the vmkernel
Page 633 and 634:
2012 Aug 23 22:29:33 vsm %VIM-5-IF_
Page 635 and 636:
• VLAN configuration • VMware m
Page 637 and 638:
vsm(config-port-prof)# no shutdown
Page 639 and 640:
HR-APPS Veth3 Net Adapter 1 Demo-Te
Page 641 and 642:
Figure 9-46. Verifying the Port-Pro
Page 643 and 644:
Click here to view code image Sampl
Page 645 and 646:
(vASA) to deploy virtualized servic
Page 647 and 648:
Figure 9-49. Verifying the OVF Depl
Page 649 and 650:
Figure 9-51. Specifying the Data Ce
Page 651 and 652:
Figure 9-53. Specifying the Specifi
Page 653 and 654:
Figure 9-55. Specifying the Datasto
Page 655 and 656:
Figure 9-57. Specifying the IP Addr
Page 657 and 658:
Figure 9-59. Verifying the Informat
Page 659 and 660:
Figure 9-63. Displaying the VNMC Vi
Page 661 and 662:
Figure 9-65. Browse to the VNMC Man
Page 663 and 664:
Figure 9-68. Install the Extension
Page 665 and 666:
8. Add vCenter VM Manager in VNMC (
Page 667 and 668:
Figure 9-75. Display vCenter ESX Ho
Page 669 and 670:
workloads. Deployment of virtualize
Page 671 and 672:
Figure 9-77. VSG System Component C
Page 673 and 674:
ootflash:/repository Directory Clic
Page 675 and 676:
Configuring the Cisco VNMC Policy-A
Page 677 and 678:
Creating a Tenant in VMMC Figure 9-
Page 679 and 680:
Figure 9-83. Creating a Virtual Dat
Page 681 and 682:
Figure 9-87. Create a Security Prof
Page 683 and 684:
Figure 9-89. Creating a Security Pr
Page 685 and 686:
Figure 9-92 shows how to assign the
Page 687 and 688:
Figure 9-95. Adding a Policy in VNM
Page 689 and 690:
demonstrated in Example 9-30. Examp
Page 691 and 692:
profile Employee state enabled vsm(
Page 693 and 694:
Click here to view code image vsm#
Page 695 and 696:
Figure 9-100. Create a vmk Interfac
Page 697 and 698:
Example 9-39. Verify the vPath Info
Page 699 and 700:
Flow Lookup Hit 229 Flow Lookup Mis
Page 701 and 702:
Destroy 8 L4 TCP Flow Create 0 L4 T
Page 703 and 704:
Rcvd 0 L2-Frag Coalesced 0 Encap ex
Page 705 and 706:
Encap Err 0 0 0 All- Drops 38 1 Flo
Page 707 and 708:
DV Port : 161 DVS uuid : ed 5d 0b 5
Page 709 and 710:
Figure 9-103 shows the VXLAN topolo
Page 711 and 712:
Enter configuration commands, one p
Page 713 and 714:
Figure 9-105. Assigning vmknic 10.1
Page 715 and 716:
Figure 9-108. Assigning the VxLAN-V
Page 717 and 718:
Figure 9-110. The VMs and ESX Host
Page 719 and 720:
Figure 9-112. Verifying the VM IP A
Page 721 and 722:
Segment BD Error: 0 Dest Mcast IP n
Page 723 and 724:
Pinning Failed on Decap: 0 Can't ge
Page 725 and 726:
75 Multicast Packets 1801 Broadcast
Page 727 and 728:
0 Input Packet Drops 0 Output Packe
Page 729 and 730:
2 Eth3/3 3 182 0013.21cb.eb94 dynam
Page 731 and 732:
105 0050.568b.1c32 dynamic 47 Eth4/
Page 733 and 734:
username admin password 5 $1$Sx5LsG
Page 735 and 736:
switchport access vlan 182 no shutd
Page 737 and 738:
capability l3-vn-service vmware dvp
Page 739 and 740:
ip ttl 64 ip prec 0 ip dscp 0 mtu 1
Page 741 and 742:
VM version 7. VM type Other Linux 6
Page 743 and 744:
Figure 9-116. Option to Install the
Page 745 and 746:
Figure 9-118. Login Prompt After Bo
Page 747 and 748:
session 1 --------------- type : er
Page 749 and 750:
Figure 9-121. Selecting or Changing
Page 751 and 752:
Figure 9-124. Defining the Subnet I
Page 753 and 754:
Figure 9-126. Monitoring and Traffi
Page 755 and 756:
1000v.VSG1.3.1a.iso 246831104 Aug 0
Page 757 and 758:
Chapter 10. Quality of Service (QoS
Page 759 and 760:
Nexus devices enable class maps to
Page 761 and 762:
switch to offer lossless services o
Page 763 and 764:
============================ policy
Page 765 and 766:
The queues are hardware components
Page 767 and 768:
queue-limit percent 16 queue droppe
Page 769 and 770:
the remaining queues to schedule tr
Page 771 and 772:
default-4q-8e-out- Service-policy (
Page 773 and 774:
N7K-2(config-pmap-que)# class type
Page 775 and 776:
Class-map (queuing): 1p7q4t-out-q3
Page 777 and 778:
fex port interface: Ethernet101/1/1
Page 779 and 780:
FCoE is defined by default, it is g
Page 781 and 782:
Service-policy (queuing) output: de
Page 783 and 784:
Service-policy (queuing) input: voi
Page 785 and 786:
QoS on Nexus 1000V The Nexus 1000V
Page 787 and 788:
Click here to view code image demol
Page 789 and 790:
demolab-vsm1(config-cmap-que)# exit
Page 791 and 792:
the overlay; this enables data cent
Page 793 and 794:
• OTV join-interface: The OTV joi
Page 795 and 796:
identifier is mandatory to configur
Page 797 and 798:
AED)Overlay1 59* otv- 1 active Over
Page 799 and 800:
Stale routes during non-graceful co
Page 801 and 802:
57 0050.5692.48d1 42 1w4d overlay o
Page 803 and 804:
59 0050.569c.2902 1 4d00h site port
Page 805 and 806:
channel1002 61 00e0.81c2.4a74 42 1w
Page 807 and 808:
and preventing unicast-flooding in
Page 809 and 810:
ip pim rp-address 40.10.10.50 group
Page 811 and 812:
Example 11-14. Sample Configuration
Page 813 and 814:
102-103, 106, 116, 120, 122 (Total:
Page 815 and 816:
For the Layer 2 multicast communica
Page 817 and 818:
MAC_ vlan vlan-name interface OTV-i
Page 819 and 820:
Example 11-19 shows the OTV ARP Cac
Page 821 and 822:
! mac access-list ALL_MACs 10 permi
Page 823 and 824:
methods are discussed from a high-l
Page 825 and 826:
ip route 10.1.64.128/25 Null0 250 r
Page 827 and 828:
• VRF-Aware Telnet • VRF-Aware
Page 829 and 830:
Ethernet10/22 default 1 - - Etherne
Page 831 and 832:
for any subsequent show or EXEC com
Page 833 and 834:
N7k-1(config)# feature isis N7k-1(c
Page 835 and 836:
Paths: (1 available, best #1) Flags
Page 837 and 838:
• Label Switching Router (LSR): A
Page 839 and 840:
N7k-1(config)# install feature-set
Page 841 and 842:
192.168.0.2 2.2.2.2 From a CE to PE
Page 843 and 844:
Click here to view code image N7k-1
Page 845 and 846:
license be installed first. The Nex
Page 847 and 848:
• EID addresses: The IP addresses
Page 849 and 850:
Note Consult the following link to
Page 851 and 852:
destination of 172.20.40.0 /24. LIS
Page 853 and 854:
infrastructure, destined to one of
Page 855 and 856:
13-3. Example 13-3. Define the Glob
Page 857 and 858:
Layer 3 SVI interface. Note The mul
Page 859 and 860:
authentication-key 3 9125d59c18a9b0
Page 861 and 862:
Click here to view code image N7K1#
Page 863 and 864:
Who last registered: 1.1.1.13 Routi
Page 865 and 866:
connects the xTR to the L3 domain o
Page 867 and 868:
Design Goals Figure 14-1. Existing
Page 869 and 870:
must go smoothly. With this in mind
Page 871 and 872:
10.255.255.2 vrf VPCKA peer-gateway
Page 873 and 874:
dove(config-if)# shutdown dove(conf
Page 875 and 876:
Click here to view code image bluej
Page 877 and 878:
outed full 10G 10g Po2 to CS1 (BLUE
Page 879 and 880:
with previous steps, these port-cha
Page 881 and 882:
scotland(config-if)# switchport sco
Page 883 and 884:
Design Note Care has been given to
Page 885 and 886:
w - waiting to be aggregated Number
Page 887 and 888:
0023.04ee.be01 0 2 20 15 This bridg
Page 889 and 890:
denmark# show run interface Vlan26
Page 891 and 892:
! We want this to be an undesirable
Page 893 and 894:
egypt(config-if)# shutdown egypt(co
Page 895 and 896:
egypt# conf t Enter configuration c
Page 897 and 898:
TenGigabitEthernet4/3 D 10.198.57.0
Page 899 and 900:
egypt(config-if-hsrp)# interface vl
Page 901 and 902:
Standby 10.198.208.4 local 10.198.2
Page 903 and 904:
0023.04ee.be01 3 2 20 15 Po100 VLAN
Page 905 and 906:
Figure 14-4. Migrated Topology One
Page 907 and 908:
Figure 14-5. Topology with 5K/2K De
Page 909 and 910:
Example 14-52. vPC Configuration on
Page 911 and 912:
channel-group 101 interface Etherne
Page 913 and 914:
stub routing, 146 summarization, 14
Page 915 and 916:
oadcast storms, traffic storm contr
Page 917 and 918:
multicasts, 253 CP (Control Process
Page 919 and 920:
Nexus 7000, 386-392 overview of, 38
Page 921 and 922:
authentication, 174-203 configuring
Page 923 and 924:
stateful switchovers, 368-369 Unifi
Page 925 and 926:
isolated VLAN (Virtual Local Area N
Page 927 and 928:
Rapid-PVST, 80-87 RootGuard, 96-97
Page 929 and 930:
LSP, 719 LSR, 719 managing, 725 Nex
Page 931 and 932:
LoopGuard, 97-98 Loose Unicast RPF
Page 933 and 934:
defining, 719 enabling, 721-722 ope
Page 935 and 936:
Atomic mode, 434 Best-Effort mode,
Page 937 and 938:
Nexus 1000v NX-OS licensing, 9 NX-O
Page 939 and 940:
FCoE installation, 478-479 MDS FCoE
Page 941 and 942:
network advertisements, 157 passive
Page 943 and 944:
topology of, 155, 170 VRF configura
Page 945 and 946:
ARP synchronization, 117 flow contr
Page 947 and 948:
FEX, 661-662 forwarding architectur
Page 949 and 950:
HSRP, 174-203 IP Source Guard, 321-
Page 951 and 952:
snooping DHCP snooping, 313-316 IGM
Page 953 and 954:
configuration files, 33-35 file sys
Page 955 and 956:
enabling FCoE, 468 enabling NPV mod
Page 957 and 958:
Single-Hop FCoE configuration, 471-
Page 959:
port profile creation, 545-546 port
show all

nx.os.and.cisco.nexus.switching.2nd.edition.1587143046

Create successful ePaper yourself

Delete template?

Save as template?