BRKDCT-2951 Deploying Nexus 7000 in Data Centre Networks

Source: d2zmdbbm9feqrf.cloudfront.net/2011/eur/pdf/BRKDCT-2951.pdf (2012-02-22)


© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-2951 2

“giving us enough rope to hang ourselves”


Adam Raffe, Network Consulting Engineer, Cisco Advanced Services

Paul Horrocks, Solutions Architect, Cisco Advanced Services


What’s the Goal of This Session?

“To provide design guidance and leading practice to network architects and administrators who have deployed or are considering deploying the Nexus 7000 into the Data Centre”


Housekeeping

We value your feedback - don't forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday

Visit the World of Solutions

Please remember this is a 'non-smoking' venue!

Please switch off your mobile phones

Please make use of the recycling bins provided

Please remember to wear your badge at all times


Agenda

Nexus 7000 Data Centre Designs
  • Common DC Designs
  • Virtual Port Channels (vPC)
  • Virtual Device Contexts (VDC)

Implementation & Leading Practices
  • Installation & Maintenance
  • Layer 2 Features
  • Virtual Port Channel (vPC)
  • Fabric Extenders
  • Access Control


Data Centre Design Example

Nexus 7000 typically in core and aggregation

Nexus 5000 / Nexus 2000 in access layer

Virtual Port Channel between aggregation / access

[Figure: three-tier topology with Core1/Core2, aggregation pairs agg1a/agg1b … aggNa/aggNb and access switches. L3 links and L3 channels between core and aggregation, L2 links and L2 channels below; vPC from each aggregation pair to the access layer; hosts attached active/standby or active/active]


Virtual Port-Channel (vPC)

[Figure: access switch dual-attached through one port-channel to a pair of vPC peers]

Eliminates blocked ports

Uses all available uplink bandwidth


vPC: independent control planes, consistent configuration

VSS: single control plane, single configuration

[Figure: Catalyst 6500 non-VSS versus VSS; Nexus 7000 non-vPC versus vPC, each with an L2 port-channel to the access switch]


Virtual Device Contexts (VDCs)

[Figure: one Nexus 7000 chassis partitioned into VDC 1, VDC 2 and VDC 3]


Virtual Device Contexts (VDCs): What can we use them for?

Consolidate multiple business units, departments, and networks (e.g. VDC2 Prod, VDC3 Dev, VDC4 Test)

Provide network segmentation to meet security compliance requirements (e.g. VDC2 Secure, VDC3 Non-Secure)

Implement logical tier design (e.g. VDC2 Core, VDC3 Agg, VDC4 Access)


Data Centre Design Leveraging VDCs

Large Data Centre utilizing 3-Tier DC design

Nexus 7000s in Core and Aggregation

Utilize VDCs in aggregation layer to create a non-secured zone and a secured zone

[Figure: Core1/Core2 with L3 links and L3 channels to aggregation switches SW-1a/SW-1b and SW-2a/SW-2b, each split into VDC2 and VDC3 (secured and non-secured zones); L2 links, L2 channels and vPC down to the access layer; hosts attached active/active or active/standby]


Implementation and Leading Practices

Installation and Maintenance


Chassis Installation

Use standard four-post, 19-inch Electronic Industries Alliance (EIA) Data Centre rack

Cabinet can be leveraged to convert 7018 to front-to-back air cooling

When installing 7018:

Reserve 11” space on both sides of the rack to allow for side-to-side airflow

Route cables on front side of the rack to clear the rear side for airflow

Always perform chassis / system grounding

[Figure: 7010 chassis and 7018 chassis]


Power Considerations

Configure power redundancy mode
  System default is PS redundant, N+1
  Connect PS input sources to two different power grids

Set max fabric modules per system - allows the system to release some of the reserved power (supported in NX-OS 5.0)
  By default system reserves enough power for five fabric modules

[Figure: power supplies fed from 220V Grid 1 and 220V Grid 2; power redundancy mode Full]

Nexus7K(config)# power redundancy-mode redundant
Nexus7K(config)# hardware fabrics max 3


VDC Leading Practices

[Figure: one chassis with VDC1 Admin, VDC2 Agg1, VDC3 Acc1 and VDC4 Test]

Customize VDC HA policy and resource configurations as necessary
  Dual-sup default is switchover and single-sup default is restart

Nexus7K(config-vdc)# ha-policy dual-sup <policy> single-sup <policy>
Nexus7K(config-vdc)# limit-resource vlan minimum <#> maximum <#>

Only non-default VDCs can be suspended, resumed, reloaded, or restarted

Nexus7K(config)# vdc <name> suspend
Nexus7K# reload vdc <name>

Reserve VDC 1 (default) as the administrative VDC
  On VDC 1, assign accounts with minimum privileges necessary to accomplish operational tasks


Assign I/O modules to VDCs such that TCAM resources are shared effectively
  All ports in the same port group on the 32 port 10GE I/O modules must be allocated to the same VDC
  Allocate entire I/O module to a VDC if possible

Nexus7K(config-vdc)# allocate interface e2/1,e2/3,e2/5,e2/7

[Figure: Linecard 1 … Linecard 8, each with its own FIB TCAM (128K) and ACL TCAM (64K)]
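A small checker for the port-group rule, added here as an example; it is not part of the slides or of NX-OS. It assumes (this is not stated on the slide) that the 32-port 10GE module's port groups are {1,3,5,7}, {2,4,6,8}, {9,11,13,15}, {10,12,14,16} and so on, eight groups of four, which is consistent with the slide's own e2/1,e2/3,e2/5,e2/7 example; the function names are this example's own.

```python
"""Check a Nexus 7000 'allocate interface' list against the port-group rule.

Added example, not from the slides. Assumed port-group layout for the
32-port 10GE module: {1,3,5,7}, {2,4,6,8}, {9,11,13,15}, {10,12,14,16}, ...
"""
import re
from typing import Dict, List, Set, Tuple

PORTS_PER_MODULE = 32
IFACE_RE = re.compile(r"^(?:e|eth|ethernet)(\d+)/(\d+)(?:-(\d+))?$", re.IGNORECASE)


def port_group(port: int) -> Tuple[int, ...]:
    """Return the four ports sharing a port group with `port` (assumed layout)."""
    base = ((port - 1) // 8) * 8      # 0, 8, 16 or 24
    parity = (port - 1) % 2            # odd ports -> 0, even ports -> 1
    return tuple(base + parity + 1 + 2 * k for k in range(4))


def parse_allocate(spec: str) -> Dict[int, Set[int]]:
    """Parse 'e2/1,e2/3,e2/5,e2/7' or 'e2/1-8' into {slot: {ports}}."""
    result: Dict[int, Set[int]] = {}
    for item in spec.replace(" ", "").split(","):
        m = IFACE_RE.match(item)
        if not m:
            raise ValueError(f"unrecognised interface spec: {item!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if not 1 <= first <= last <= PORTS_PER_MODULE:
            raise ValueError(f"port out of range in {item!r}")
        result.setdefault(slot, set()).update(range(first, last + 1))
    return result


def validate_allocation(spec: str) -> List[str]:
    """Return the problems with an allocation; an empty list means it is legal."""
    problems: List[str] = []
    for slot, ports in sorted(parse_allocate(spec).items()):
        checked: Set[Tuple[int, ...]] = set()
        for port in sorted(ports):
            group = port_group(port)
            if group in checked:
                continue
            checked.add(group)
            missing = [p for p in group if p not in ports]
            if missing:
                problems.append(
                    f"e{slot}/{port}: port group {group} would be split across VDCs; "
                    f"also allocate e{slot}/{','.join(map(str, missing))}"
                )
    return problems


def whole_modules(spec: str) -> List[int]:
    """Slots whose every port is in the allocation (the slide's preferred case)."""
    return [s for s, p in parse_allocate(spec).items() if len(p) == PORTS_PER_MODULE]


if __name__ == "__main__":
    for spec in ("e2/1,e2/3,e2/5,e2/7", "e2/1,e2/3", "e3/1-32"):
        print(spec, "->", validate_allocation(spec) or "OK", "whole modules:", whole_modules(spec))
```

Run it against an intended `allocate interface` argument before committing the VDC change: a non-empty result names the ports that must be added so that no port group is split.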


Out-of-Band Management Network

Use the management VRF on the Nexus 7000 for all management system connectivity
  Separate physical infrastructure is ideal

Use mgmt0 or Connectivity Management Processor (CMP) ports…or both!
  Mgmt0 IP address for default and non-default VDCs must be from same subnet
  Assign different IP address for redundant CMP (same IP address for redundant mgmt0 interface)

[Figure: OOB management network (OOB Mgmt Dist, L3) reaching Core1/Core2, Agg1a/Agg1b (VDC1 Admin, VDC2 Agg1, VDC3 Agg2/Agg3) and Acc1/Acc2 through Mgmt0 x2 and CMP x2 interfaces (mgmt1, mgmt2); management VRF separated from the default VRF; Sys Mgmt server on the OOB network]


Software Licensing

License is tied to chassis serial number

• License is stored in dual redundant NVRAM modules on chassis backplane

• If chassis is replaced, work with Cisco TAC to re-key the license

• If supervisor is replaced, license should be re-installed (although features still work)

License installation is non-disruptive to features already running under the grace period


Software Licensing (cont.)

Follow the steps to manually install the licenses:

1) Identify chassis serial number and PAK (Product Activation Key)

Nexus7K# show license host-id
License hostid: VDH=TBM########

2) Obtain the license key file from http://www.cisco.com/go/license (PAK + chassis serial # -> license file, <xml… licA …>)

3) Install licenses and copy to bootflash & external location

Nexus7K# install license bootflash:<license_file.lic>
………
Nexus7K# copy bootflash:<license_file.lic> tftp:….
…………
Nexus7K# show license usage
Feature                       Ins  Lic Count  Status   Expiry Date  Comments
---------------------------------------------------------------------------
LAN_ADVANCED_SERVICES_PKG     Yes  -          In use   Never        -
LAN_ENTERPRISE_SERVICES_PKG   Yes  -          Unused   Never        -


Software Upgrade: Cold Start Upgrade

Cold start upgrade procedure – recommended for Pre-Production

Synchronise the Kickstart image and the System image

Nexus7K(config)# boot system bootflash:<system-image> sup-1 sup-2
Nexus7K(config)# boot kickstart bootflash:<kickstart-image> sup-1 sup-2
Nexus7K# copy run startup-config
Nexus7K# sh boot
---deleted---
Boot Variables on next reload:
sup-1
kickstart variable = bootflash:/<kickstart-image>
system variable = bootflash:/<system-image>
sup-2
kickstart variable = bootflash:/<kickstart-image>
system variable = bootflash:/<system-image>
No module boot variable set
Nexus7K# reload


In-Service Software Upgrade (ISSU)

Show commands can be used to determine any potential impact prior to performing ISSU

Determine impact of upgrade:

Nexus7K# show install all impact kickstart bootflash:<kickstart> system bootflash:<system>

If downgrading, use “show incompatibility-all” to determine if any features need to be disabled:

Nexus7K# show incompatibility-all system bootflash:<system-image>
The following configurations on active are incompatible with the system image
1) Service : vpc , Capability : CAP_FEATURE_VPC_RELOAD_RESTORE
---deleted---

“install all” command used to kick-off the upgrade:

Nexus7K# install all kickstart bootflash:<kickstart-image> system bootflash:<system-image>
Nexus7K# show install all status


What Happens During an ISSU?

Verify and validate the image

Check image compatibility

Provide descriptive upgrade information and option to cancel

Sync images to standby sup

Upgrade and switchover standby sup

Upgrade previous active sup and I/O modules

Load new image to CMP


Your network needs to be stable for ISSU to work properly!!

STP topology changes, routing instability, module removal, power interruption, etc


ISSU – Routing Protocol Timers

Tuned routing protocol timers may interfere with ISSU

In most cases, tuned timers are not necessary due to point-to-point L3 links

Keep OSPF, EIGRP, BGP hello / dead timers at default levels if possible

If shared L2 segment is in use, look at Bidirectional Forwarding Detection (BFD) instead


EPLD Upgrade

EPLDs (Electronic Programmable Logical Devices) upgrade is used to enhance hardware functionality or to resolve known issues

Performed on all the field replaceable modules (fan trays, fabric modules, I/O modules, and supervisor)

It is recommended to upgrade to the latest EPLD image only when directed to do so by TAC or AS

EPLD upgrade is a separate and independent process from ISSU and is typically not required

Check EPLD module versions using “show install all impact epld”

Nexus7K# show install all impact epld bootflash:<EPLD_image_name>

Nexus7K# install all epld bootflash:<EPLD_image_name>

Nexus7K# show version <type> <mod #> epld


Checkpoint / Configuration Rollback – Use It!!

Rollback allows users to take a configuration snapshot and reapply the config at any point
  Create up to 10 checkpoints per VDC
  The rollback changes can be viewed before committing to the rollback operation
  Auto-checkpoint is invoked upon feature removal and license expiration

Nexus7K# checkpoint checkpt1
Processing the Request... Please Wait
Nexus7K# show diff rollback-patch running-config checkpoint checkpt1
Processing the Request... Please Wait
Nexus7K# rollback running-config checkpoint checkpt1
……..

Nexus7K(config)# no feature ospf
Nexus7K(config)# sh checkpoint all
----------------------------------------------
Name: system-fm-__inst_1__ospf


Implementation and Leading Practices

Layer-2 Features


VLAN Trunking Protocol (VTP)

VTP “OFF” mode is recommended
  Switches do not participate in VTP and no VTP advertisements are forwarded

Nexus7K(config)# no feature vtp

Utilize VTP transparent mode if VTP domain needs to extend across Nexus 7000 switches

Nexus7K(config)# feature vtp
Nexus7K(config)# vtp domain <name>

VTP client / server mode introduced in NX-OS 5.1

VLANs 3968 - 4047, 4094 are reserved
  Catalyst 6500 reserved VLANs 1002 - 1005

[Figure: VTP server and VTP client access switches (Acc1, Acc2) either side of agg1a/agg1b. In Transparent mode the aggregation pair forwards the VTP packets (must allow VLAN1 on the trunk); in Off mode it does not]


Unidirectional Link Detection (UDLD)

Enable UDLD feature to configure UDLD normal mode on all fiber interfaces

Nexus7K(config)# feature udld
  Enables UDLD Normal Mode on all Fibre interfaces

Nexus7K(config-if-range)# udld aggressive
  Interface config supersedes the global UDLD setting

UDLD aggressive on port-channel member ports is optional


What About CAM / ARP Timers? Do I Need to Tweak Them?

Not required

Other platforms require CAM / ARP timer tweaking to avoid unicast flooding

Default NX-OS CAM aging timer is 1800s and ARP timeout is 1500s


Basic L2 Leading Practices Still Apply!

Assign unused VLAN as native VLAN (consistent across the same L2)
  Clear native VLAN from the trunk
  Configure native VLAN tagging on trunks

Nexus7K(config)# vlan dot1Q tag native

Error Disable Recovery is disabled by default – leave it this way if possible!

Nexus7K# show interface status err-disabled
Nexus7K(config)# errdisable recovery cause <cause>
Nexus7K(config)# errdisable recovery interval <time>

Implement storm-control to prevent disruptions caused by broadcast and multicast storms

Nexus7K(config-if)# storm-control broadcast level 40


Port Channels

Use LACP to negotiate both L2 and L3 port-channels

Nexus7K(config)# feature lacp
Nexus7K(config)# int e<mod>/<port>
Nexus7K(config-if)# channel-group <#> mode active

Implement port channels with 2, 4 or 8 members for optimal traffic distribution

Understand port-channel failure behaviour
  BW and IGP cost for L3 channel are recalculated when physical member fails
  STP cost for L2 channels does not recalculate when physical member fails

[Figure: Access switch below Aggr1a/Aggr1b, L3 channels up to Core1/Core-2 with OSPF cost 50, 100 and 50 marked on the links]


Spanning-Tree Protocol (STP): Which Mode?

Implement consistent STP mode in the same L2 domain

RPVST+ is the default and is backward compatible with PVST

Nexus7K# sh spanning-tree active | i Peer
Po11             Desg FWD 12       128.4106 P2p Peer(STP)

Utilize MST for larger scale L2 network
  MST supports 75K logical ports (90K in NX-OS 5.0) and RPVST+ supports 16K logical ports
  MST introduces some complexity and requires detailed planning

Nexus7K# show spanning-tree summary total
----deleted----
Name       Blocking Listening Learning Forwarding STP Active
---------- -------- --------- -------- ---------- ----------
9 vlans    0        0         0        18         18
3 msts     2        0         0        8          10

(The STP Active column is the total number of logical ports; the "3 msts" row shows the MST ports.)


Spanning-Tree Leading Practices

Aggregation switches should be STP root and secondary root

[Figure: agg1a/agg1b (Root / Backup Root), Access1/Access2 and a pair of L3 FWs, annotated with BPDU-guard, Bridge Assurance, Loop-Guard and Port Type Edge / Edge Trunk on the respective links]

Configure host ports as port type “edge” or port type “edge trunk”

Enable STP BPDU-guard globally

Nexus7K(config-if)# spanning-tree port type edge trunk
Nexus7K(config)# spanning-tree port type edge bpduguard default

Use “spanning-tree pathcost method long”
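An added example, not from the slides: a lint pass over an NX-OS running-config that flags deviations from the VTP, UDLD, native VLAN, errdisable recovery, storm-control, BPDU guard and pathcost recommendations on the preceding slides. SAMPLE_CONFIG is a constructed config, the check list and messages are this example's own, and the parser understands only the command forms the slides show.

```python
"""Lint an NX-OS running-config for the Layer 2 leading practices above.

Added example, not from the slides; SAMPLE_CONFIG is constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample: VTP left on, errdisable recovery enabled, one edge
# trunk with native VLAN 1 and no storm-control, one conforming network port.
SAMPLE_CONFIG = """\
feature vtp
feature udld
feature lacp
vtp domain DC1
vlan dot1Q tag native
spanning-tree pathcost method long
spanning-tree port type edge bpduguard default
errdisable recovery cause link-flap
interface Ethernet1/1
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  spanning-tree port type network
interface Ethernet1/2
  switchport
  switchport mode trunk
  spanning-tree port type edge trunk
interface Ethernet1/3
  switchport
  spanning-tree port type edge
  storm-control broadcast level 40
"""

REQUIRED_GLOBALS = (
    ("feature udld", "enable UDLD so fibre interfaces run UDLD normal mode"),
    ("vlan dot1Q tag native", "tag the native VLAN on trunks"),
    ("spanning-tree port type edge bpduguard default", "enable BPDU guard globally"),
    ("spanning-tree pathcost method long", "use pathcost method long"),
)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and {interface: [commands]}."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def lint(text: str) -> List[str]:
    """Return one finding per deviation from the leading practices."""
    global_cmds, interfaces = parse_config(text)
    findings: List[str] = []
    for cmd, why in REQUIRED_GLOBALS:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}' ({why})")
    if "feature vtp" in global_cmds and "vtp mode transparent" not in global_cmds:
        findings.append("global: VTP is enabled; recommended is 'no feature vtp' "
                        "(or transparent mode if the domain must span the 7000s)")
    if any(c.startswith("errdisable recovery cause") for c in global_cmds):
        findings.append("global: errdisable recovery is enabled; leave it disabled if possible")
    for name, cmds in interfaces.items():
        is_edge = any(c.startswith("spanning-tree port type edge") for c in cmds)
        if is_edge and not any(c.startswith("storm-control broadcast") for c in cmds):
            findings.append(f"{name}: edge port without storm-control broadcast")
        if "switchport mode trunk" in cmds:
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append(f"{name}: trunk uses VLAN 1 as native; assign an unused VLAN")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` (saved to a file) and review each finding against the slides; a trunk with no explicit native VLAN is reported because NX-OS then uses VLAN 1, which is exactly the case the slides say to avoid.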


What is Bridge Assurance?

BPDUs sent in both directions

Enabled by default globally

Active only on interfaces configured as port type “network”

Nexus7K(config-if)# spanning-tree port type network

[Figure: Root BPDUs and BPDUs exchanged in both directions on the Network-type inter-switch ports; host-facing ports are Edge]


What is Bridge Assurance? OK, but where should I enable it?

[Figure: same topology as above, Network-type inter-switch ports exchanging BPDUs, Edge ports facing hosts]

- Generally, BA should be enabled on all inter-switch links which support it (i.e. Nexus to Nexus)

- Exception: not on vPC member links

- If it's not supported at both ends, then use Loop Guard instead


Port Profiles

Useful for enforcing consistent configuration, not necessarily a Layer 2 feature - can also be applied to Layer 3

Configure port parameters once, apply to multiple ports

Create Port Profile:

Nexus7K(config)# port-profile type ethernet trunk-port
  switchport
  switchport mode trunk
  switchport trunk native vlan <vlan>
  spanning-tree port type network
  no shut
  state enabled

Apply to interfaces:

Nexus7K(config-if)# switchport
Nexus7K(config-if)# inherit port-profile trunk-port
Nexus7K(config-if)# switchport trunk allowed vlan <vlans>

Warning: Port-Profiles are live profiles (modifying or deleting port-profiles will be reflected on the assigned interfaces)


Implementation and Leading Practices

Virtual Port-Channel (vPC)


Virtual Port-Channel (vPC) Terminology

[Figure: two vPC Peers joined by the vPC Peer-Link and the vPC Peer-Keepalive; the access switch's port-channel lands on one vPC Member Port per peer and together they form the vPC]

vPC Peer-Link – used to sync state between peers

vPC Peer-Keepalive – detect status of vPC peer devices


Virtual Port-Channel (vPC) Terminology (cont.)

vPC VLAN: Any VLAN which is carried over the peer-link…even if it isn't trunked on a vPC!

Cisco Fabric Services over Ethernet (CFSoE): used for state sync and config validation between vPC peers

Under normal conditions, traffic received on the peer link cannot be forwarded on a vPC


What Happens to vPC When Failures Occur?

[Figure: four failure cases, each with an access switch dual-attached to the vPC peers]

Traffic re-hashed to existing vPC member

Traffic re-hashed to peer

Traffic may traverse peer-link & egress on a vPC if the correspondent peer vPC instance is down (peer-link used as backup)


What if the Peer Link Fails?

[Figure: Primary and Secondary vPC peers with the peer-link down and the Peer-Keepalive still up; a dual-attached access switch and a single-homed server on the secondary]

1) Secondary checks to see if primary is up (using Peer-Keepalive)

2) If primary is still up, secondary shuts local vPC ports

This server is single homed – what happens to him? He is isolated!!!

The moral: don't single home devices to a vPC peer!


What if the Peer Link Fails? (cont.)

[Figure: Primary and Secondary vPC peers; the single-attached device is connected to the Primary]

If you have no choice:
  Connect the single attached device to primary vPC peer
  Use 'dual-active exclude interface-vlan' to avoid SVI shutdown


vPC Leading Practices

Use a dedicated link for Peer-Keepalive and assign to a separate VRF

• If mgmt0 is used, it should be connected to an OOB mgmt network

• Back-to-back mgmt0 connection should only be used in single supervisor implementation

• Don't use SVI interface over vPC peer-link as vPC keepalive link!!

[Figure: agg1a and agg1b joined by vPC_PL (peer-link) and vPC_PKL (peer-keepalive) over Mgmt0 x2 on each switch via the Mgmt Network]

Use diverse 10GE modules to form Peer-Link

Use 'dedicated mode' for Peer-Link ports
  Shared mode is supported but not recommended


vPC Leading Practices (cont)

Assign unique vPC domain-ID for each pair of vPC peer devices in the same “L2 domain” (the domain-ID is used in LACP negotiation, LAGID)

Try to match vPC ID to the port-channel number for easier management

[Figure: two vPC peer pairs (Primary/Secondary) in the same L2 domain, one as vPC domain 10 and one as vPC domain 20]


vPC Peer-Gateway Feature

Some devices send traffic to the sender's MAC address rather than the HSRP virtual MAC

In that case, traffic may cross the Peer-Link to reach the SVI, but will get dropped if exiting through another vPC

Enable 'peer-gateway' to enable devices to act as gateway for packets destined to the other peer

[Figure: access switch below the HSRP peers, with the return traffic crossing the Peer-Link and exiting through the other vPC]


vPC Peer-Gateway Feature (cont)

Nexus7K(config)# vpc domain <domain-id>
Nexus7K(config-vpc-domain)# peer-gateway
Note: Disable IP redirects on all interface-vlans of this vPC domain for correct operation of this feature!

interface vlan <vlan x>, vlan <vlan y>
  no ip redirects

Disable IP redirects on all SVIs of the vPC VLANs to avoid generating IP redirect messages if “peer-gateway” is configured (default in later versions)


vPC Peer-Switch Feature

Allows vPC peer devices to act as single STP root

Improves STP convergence during switch failure

[Figure: access switch receiving BPDUs from both vPC peers, which together act as the STP Root]

Nexus7K-1a(config-vpc-domain)# peer-switch
Nexus7K-1a(config)# spanning-tree vlan 1-4094 priority 8192

Nexus7K-1b(config-vpc-domain)# peer-switch
Nexus7K-1b(config)# spanning-tree vlan 1-4094 priority 8192

Nexus7K-1a# show spanning-tree summary | i peer
vPC peer-switch is enabled (operational)
Nexus7K-1b# show spanning-tree summary | i peer
vPC peer-switch is enabled (operational)

Nexus7K-1a# sh spanning vlan 1
---deleted---
  Root ID    Priority    8193
             Address     0023.04ee.be01
             This bridge is the root
---deleted---
Po1    Desg FWD 1    128.4096 (vPC peer-link) Network P2p

Nexus7K-1b# sh spanning vlan 1
---deleted---
  Root ID    Priority    8193
             Address     0023.04ee.be01
             This bridge is the root
---deleted---
Po1    Root FWD 1    128.4096 (vPC peer-link) Network P2p


vPC ARP Synchronisation

CLI enabled on each vPC device

After the peer-link comes up following reload, perform an ARP bulk sync to the peer switch

Improves convergence for Layer 3 flows

[Figure: Primary (P) and Secondary (S) vPC peers with SVIs; the ARP table (IP1 MAC1 VLAN 100, IP2 MAC2 VLAN 200) on one peer is bulk-synced to the other]


vPC and Layer 3 Routing Adjacencies

When connecting layer 3 routing devices to a vPC domain, do not form routing adjacency with peer devices over vPC member links

[Figure: the case to avoid, router R1 (and R2/R3) forming an L3 “adjacency” with 7K-1 and 7K-2 across vPC member links]


vPC & L3 – Supported Designs

[Figure: supported designs for R1 with the 7K-1/7K-2 pair, including a variant where 7K-1 and 7K-2 use separate VDCs (VDC1, VDC2)]


vPC & Single 10GE Modules: What Happens if Single 10GE Module Fails?

[Figure: two access switches dual-attached to a vPC pair whose Peer-Link and links to the core all sit on a single 10GE module per peer]

1) 10GE module fails – takes down vPC Peer-Link and Core Links

2) Secondary sees Peer-Link has failed, however Peer-Keepalive link shows Peer 1 is alive

3) Secondary peer disables its own vPC links

Result: Complete Isolation!


vPC & Single 10GE Modules: What's the Solution?

Nexus7K-1a# show int po 11
port-channel11 is down (suspended by vpc)
Nexus7K-1a# show int vlan 11
Vlan11 is down, line protocol is down

Enable vPC object tracking to prevent traffic black-hole (supported in NX-OS 4.2)

Nexus7K-1a(config)#
track 1 interface port-channel1 line-protocol
track 2 interface ethernet1/25 line-protocol
track 3 interface ethernet1/26 line-protocol
!
track 10 list boolean or
  object 1
  object 2
  object 3
!
vpc domain 1
  track 10

Nexus7K-1a# show track 10
Track 10
  List Boolean or
  Boolean or is DOWN
  6 changes, last change 00:11:12
  Track List Members:
    object 3 DOWN
    object 2 DOWN
    object 1 DOWN
  Tracked by:
    vPCM

[Figure: after the module failure the tracked objects are down and the peers show as "Primary, operational secondary" and "Secondary, operational primary"]

Preferred solution: use multiple 10GE modules


vPC configuration

vPC Role priority for primary and secondary device (default is 32667) *no preempt

Best Practice to make common STP root-bridge, HSRP Active Peer

vPC id MUST match across both peers

Port Channel SHOULD match across both peers (mgmt ease)

Peer 1:

feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101

Peer 2:

feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 20
  peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101
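An added example, not from the slides: it parses the two peer configurations above (with the peer-keepalive command rejoined onto one line) and checks the MUST/SHOULD rules of this slide and the preceding vPC slides against each other, including a constructed faulty variant of peer 2. parse_vpc() and check_peers() are this example's own names and understand only the commands shown on the slide.

```python
"""Cross-check two vPC peers' configuration for the MUST/SHOULD rules above.

Added example, not from the slides. PEER_A and PEER_B are the slide's two
configs; PEER_B_BROKEN is a constructed faulty variant.
"""
import re
from typing import List

PEER_A = """\
feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101
"""
PEER_B = PEER_A.replace("role priority 10", "role priority 20").replace(
    "destination 10.1.1.2 source 10.1.1.1", "destination 10.1.1.1 source 10.1.1.2")
# Constructed fault: peer-gateway dropped and the vPC id mistyped on peer 2.
PEER_B_BROKEN = PEER_B.replace("  peer-gateway\n", "").replace("vpc 101", "vpc 102")

KEEPALIVE_RE = re.compile(r"peer-keepalive destination (\S+) source (\S+)(?: vrf (\S+))?")
DEFAULT_ROLE_PRIORITY = 32667   # default stated on the slide


def parse_vpc(text: str) -> dict:
    """Pull the vPC-relevant settings out of one peer's config."""
    cfg = {"domain": None, "flags": set(), "role_priority": DEFAULT_ROLE_PRIORITY,
           "keepalive": None, "peer_link": None, "vpcs": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vpc domain "):
            cfg["domain"] = int(line.split()[2])
            section = "domain"
        elif line.startswith("interface "):
            section = line.split(None, 1)[1]
        elif section == "domain":
            m = KEEPALIVE_RE.match(line)
            if m:
                cfg["keepalive"] = {"dst": m.group(1), "src": m.group(2),
                                    "vrf": m.group(3) or "default"}
            elif line.startswith("role priority "):
                cfg["role_priority"] = int(line.split()[2])
            else:
                cfg["flags"].add(line)
        elif section and line == "vpc peer-link":
            cfg["peer_link"] = section
        elif section and re.fullmatch(r"vpc \d+", line):
            cfg["vpcs"][section] = int(line.split()[1])
    return cfg


def check_peers(a_text: str, b_text: str) -> List[str]:
    """Return the inconsistencies between the two peers; empty means consistent."""
    a, b = parse_vpc(a_text), parse_vpc(b_text)
    issues: List[str] = []
    if a["domain"] != b["domain"]:
        issues.append(f"vPC domain id differs: {a['domain']} vs {b['domain']}")
    for flag in ("peer-switch", "peer-gateway", "ip arp synchronize"):
        for name, cfg in (("A", a), ("B", b)):
            if flag not in cfg["flags"]:
                issues.append(f"peer {name}: '{flag}' not configured")
    ka, kb = a["keepalive"], b["keepalive"]
    if ka is None or kb is None:
        issues.append("peer-keepalive missing on at least one peer")
    else:
        if ka["dst"] != kb["src"] or kb["dst"] != ka["src"]:
            issues.append("peer-keepalive source/destination addresses do not cross-match")
        if "default" in (ka["vrf"], kb["vrf"]):
            issues.append("peer-keepalive runs in the default VRF; use a dedicated VRF")
    if a["role_priority"] == b["role_priority"]:
        issues.append("role priorities are equal; primary election falls back to system MAC")
    if a["peer_link"] != b["peer_link"]:
        issues.append(f"peer-link port-channel differs: {a['peer_link']} vs {b['peer_link']}")
    for po in sorted(set(a["vpcs"]) | set(b["vpcs"])):
        if a["vpcs"].get(po) != b["vpcs"].get(po):
            issues.append(f"{po}: vPC id {a['vpcs'].get(po)} on A vs {b['vpcs'].get(po)} on B (MUST match)")
    return issues


def expected_primary(a_text: str, b_text: str) -> str:
    """Lower role priority wins the primary role (and, per the slide, does not preempt)."""
    a, b = parse_vpc(a_text), parse_vpc(b_text)
    return "A" if a["role_priority"] < b["role_priority"] else "B"


if __name__ == "__main__":
    print("slide configs:", check_peers(PEER_A, PEER_B) or "consistent")
    print("broken peer 2:", check_peers(PEER_A, PEER_B_BROKEN))
```

The check is deliberately stricter than CFSoE's own consistency check on one point: it also reports a peer-keepalive carried in the default VRF, which the vPC Leading Practices slide advises against.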


Implementation and Leading Practices

Nexus 7000 and Nexus 2248TP (Fabric Extender)


The Nexus 2000: a Remote Linecard

The Nexus 2000 (aka Fabric Extender or FEX) can be viewed as a remote linecard for the Nexus 7000:

No local switching

Benefit from the feature set of the parent switch

From the network perspective, a device attached to a Nexus 2000 behaves as if it was directly attached to the parent switch.

[Figure: physical view (servers cabled to the Nexus 2000) versus logical view (the same ports appearing as interfaces of the parent Nexus 7000)]


Nexus 7000 with Fabric Extenders

Combines benefits of Top of Rack (ToR) & End of Row (EoR) network architectures

• Physically resides on the top of each server rack

• Logically acts like an end of access row device

• Scales in a manner that enables collapsing of Agg + Access layers in many networks

[Figure: 2 x N2248 per server rack]


Data Centre Designs with Nexus 7000 & 2000

[Figure: Core layer above a combined Aggregation + Access layer of Nexus 7000s with FEXs]


Data Centre Designs with Nexus 7000 & 2000 (cont.)

[Figure: a single Core + Aggregation + Access layer of Nexus 7000s with FEXs]


Nexus 7000 / 2000: Supported Topologies

[Figure: host attachment options to a pair of FEXs: Single-attached; Standard NIC teaming* (active/standby); Active / Active with MAC Pinning (Nexus 1000V, etc)]

* Be aware of impact of Peer-Link failure


Coming Soon!

Port-Channel from Host

vPC from Host to Fabric Extender


Nexus 7000/ 2248 Connectivity Rules

Port channel between a Nexus 2248 and a single Nexus 7000 (no vPC)

The port channel can span several I/O Modules for redundancy

Up to 32 Nexus 2248 attached to a single Nexus 7000

N7K-M132XP-12 and N7K-M132XP-12XL linecards only


Fabric Extender Configuration

Nexus7000# show run interface ethernet 1/3
interface Ethernet1/3
  switchport mode fex-fabric
  fex associate 100
  channel-group 1

Nexus7000# show interface brief
--------------------------------------------------------------------------------
Ethernet      VLAN  Type Mode   Status  Reason              Speed    Port
Interface                                                            Ch #
--------------------------------------------------------------------------------
Eth100/1/1    100   eth  access up      none                auto(D)  --
Eth100/1/2    1     eth  access up      none                1000(D)  --
Eth100/1/3    100   eth  access up      none                1000(D)  --
Eth100/1/4    100   eth  access down    Link not connected  1000(D)  --
Eth100/1/5    100   eth  access down    Link not connected  1000(D)  --
Eth100/1/6    100   eth  access down    Link not connected  1000(D)  --
Eth100/1/7    1     eth  access down    Link not connected  1000(D)  --

FEX host ports (Eth100/1/x) are Edge + BPDU guard: attached devices must not send BPDUs (hosts OK)


Implementation and Leading Practices

Access Control


Network Access

Allow only SSH remote access (default)
  If telnet is required, “feature telnet”
  If telnet access to CMP is required, “telnet server enable” needs to be configured on the CMP

Secure interface mgmt0 with ACL
  CoPP does not protect interface mgmt0
  ACL with the logging option is supported in NX-OS 5.0

ACL is not supported on VTY
  CoPP can be leveraged to secure VTY access

Configure exec-timeout for VTY and console access

Nexus7K(config)#
no feature telnet
!
vrf context management
  ip route 0.0.0.0/0 <IP address>
!
ip access-list <ACL-name>
  10 remark allow specific ssh
  11 permit tcp <addr>/24 any eq 22
  12 permit tcp any eq 22 <addr>/24
  13 deny tcp any any eq 22
  14 deny tcp any eq 22 any
  20 remark allow specific snmp
  21 permit udp <addr>/24 any eq snmp
  ………..
  50 permit ip any any
!
interface mgmt0
  ip address <ip address>/<mask>
  ip access-group <ACL-name> in
!
line vty
  exec-timeout <time>
  session-limit <session#>
line console
  exec-timeout <time>
!
int cmp-mgmt module <module>
  ip address <addr>/<mask>
  ip default-gateway <IP addr>

Nexus7K-cmp10(config)#
telnet server enable
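An added example, not from the slides: a first-match evaluator for the mgmt0 ACL above, with 192.0.2.0/24 standing in for the <addr>/24 management subnet (a constructed placeholder) and the implicit deny that ends every NX-OS ACL. The parser covers only the entry forms that appear on the slide, and the function names are this example's own.

```python
"""Evaluate the slide's mgmt0 ACL the way the switch does: first match wins.

Added example, not from the slides. 192.0.2.0/24 is a constructed
placeholder for the slide's <addr>/24 management subnet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MGMT_SUBNET = "192.0.2.0/24"   # constructed placeholder for <addr>/24

ACL_TEXT = f"""\
10 remark allow specific ssh
11 permit tcp {MGMT_SUBNET} any eq 22
12 permit tcp any eq 22 {MGMT_SUBNET}
13 deny tcp any any eq 22
14 deny tcp any eq 22 any
20 remark allow specific snmp
21 permit udp {MGMT_SUBNET} any eq snmp
50 permit ip any any
"""

NAMED_PORTS = {"ssh": 22, "telnet": 23, "snmp": 161}


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _network(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def _port(token: str) -> int:
    return NAMED_PORTS.get(token) or int(token)


def parse_acl(text: str) -> List[Entry]:
    """Parse '<seq> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]' lines."""
    entries: List[Entry] = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[1] == "remark":
            continue
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        src, sport = _network(rest.pop(0)), None
        if rest and rest[0] == "eq":
            sport = _port(rest[1])
            del rest[:2]
        dst, dport = _network(rest.pop(0)), None
        if rest and rest[0] == "eq":
            dport = _port(rest[1])
            del rest[:2]
        entries.append(Entry(seq, action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl: List[Entry], proto: str, src_ip: str, sport: int,
             dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); (deny, None) is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for proto, s, sp, d, dp in (("tcp", "192.0.2.5", 40000, "192.0.2.10", 22),
                                 ("tcp", "198.51.100.9", 40000, "192.0.2.10", 22),
                                 ("udp", "198.51.100.9", 50000, "192.0.2.10", 161)):
        print(proto, s, "->", d, dp, evaluate(acl, proto, s, sp, d, dp))
```

Tracing packets through it shows why the list is worth reading to the end: SSH from outside the management subnet stops at entry 13, but SNMP from outside is not caught by entry 21 and falls through to `50 permit ip any any`, so only SSH is actually restricted by this ACL. Anything else that should not reach mgmt0 from an arbitrary source needs an explicit deny ahead of that final permit.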


Control Plane Policing (CoPP)

Implement strict control plane policing (default)
  If default policy is required, run “setup” command to reapply the default policy after software upgrade between major releases
  Any non-default CoPP policies need to be reapplied after setup
  Future software release will generate syslog on CoPP policy changes

Tune default CoPP policy according to needs
  The configured setting is per line card and not per system. If a high number of I/O modules are installed, the conform rate may need to be tuned down
  Future enhancement to generate syslog messages if drops exceed user configured threshold

Nexus7K# show policy-map interface control-plane | inc violated
  violated 59 bytes; action: drop
(the violated counters are per module statistics)

Nexus7K# setup
----deleted----
Configure best practices CoPP profile (strict/moderate/lenient/none) [strict]:


Packet Sanity Checks

The Intrusion Detection System (IDS) check performs sanity checks on the IP headers to protect the network and the system (enabled by default)

In NX-OS 5.0, the system generates syslogs on IDS drops (max is one every 30 min)

It is recommended to disable the fragment IDS check since some applications send IP packets with the DF bit set and a non-zero fragment offset
  Fragment IDS check is disabled by default in NX-OS 5.0

Disable individual IDS checks as required
  Ex. If BFD is configured, disable the “address identical” IDS check

Nexus7K# show hardware forwarding ip verify
IPv4 and v6 IDS Checks        Status    Packets Failed
-----------------------------+---------+------------------
---deleted---
address identical             Enabled   0
---deleted---
fragment                      Enabled   0
---deleted---

Nexus7K(config)# no hardware ip verify fragment
Nexus7K(config)# no hardware ip verify address identical


Recommended Reading


Please complete your Session Survey

We value your feedback - don't forget to complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Networkers 20th Anniversary t-shirt.

All surveys can be found on our onsite portal and mobile website: www.ciscoliveeurope.com/connect/mobi/login.ww

You can also access our mobile site and complete your evaluation from your mobile phone:

1. Scan the Access Code (See http://tinyurl.com/qrmelist for software, alternatively type in the access URL)

2. Login

3. Complete and Submit the evaluation
