© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKDCT-2951 2
“giving us enough rope to hang ourselves”
Adam Raffe, Network Consulting Engineer, Cisco Advanced Services
Paul Horrocks, Solutions Architect, Cisco Advanced Services
What’s the Goal of This Session?
“To provide design guidance and leading practice to network architects and administrators who have deployed or are considering deploying the Nexus 7000 into the Data Centre”
Housekeeping
We value your feedback - don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
Agenda
Nexus 7000 Data Centre Designs
  Common DC Designs
  Virtual Port Channels (vPC)
  Virtual Device Contexts (VDC)
Implementation & Leading Practices
  Installation & Maintenance
  Layer 2 Features
  Virtual Port Channel (vPC)
  Fabric Extenders
  Access Control
Data Centre Design Example
Nexus 7000 typically in core and aggregation
Nexus 5000 / Nexus 2000 in access layer
Virtual Port Channel between aggregation / access
[Figure: Core1/Core2 connected by L3 links and L3 channels to the aggregation pairs agg1a/agg1b … aggNa/aggNb; vPC (L2 channel) from each aggregation pair down to the access switches; servers attached active/standby or active/active]
Virtual Port-Channel (vPC)
Eliminates blocked ports
Uses all available uplink bandwidth
[Figure: access switch dual-attached to two Nexus 7000s by a single vPC]
Catalyst 6500 VSS vs Nexus 7000 vPC
VSS: single control plane, single configuration
vPC: independent control planes, consistent configuration
[Figure: non-VSS vs VSS Catalyst 6500 pair and non-vPC vs vPC Nexus 7000 pair, each with an L2-attached switch]
Virtual Device Contexts (VDCs)
Virtual Device Contexts (VDCs): What can we use them for?
Consolidate multiple business units, departments, and networks
Provide network segmentation to meet security compliance requirements
Implement logical tier design
[Figure: example VDC layouts: Secure / Non-Secure, Prod / Dev / Test, Core / Agg / Access]
Data Centre Design Leveraging VDCs
Large Data Centre utilizing 3-Tier DC design
Nexus 7000s in Core and Aggregation
Utilize VDCs in aggregation layer to create a non-secured zone and a secured zone
[Figure: Core1/Core2 with L3 links and L3 channels to aggregation switches SW-1a/SW-1b and SW-2a/SW-2b, each split into VDC2 and VDC3; vPC (L2 channel) from each aggregation VDC pair to the access layer, with active/active and active/standby servers]
Implementation and Leading Practices: Installation and Maintenance
Chassis Installation
Use standard four-post, 19-inch Electronic Industries Alliance (EIA) Data Centre rack
Cabinet can be leveraged to convert 7018 to front-to-back air cooling
When installing 7018:
Reserve 11” space on both sides of the rack to allow for side-to-side airflow
Route cables on front side of the rack to clear the rear side for airflow
Always perform chassis / system grounding
[Figure: 7010 chassis and 7018 chassis]
Power Considerations
Configure power redundancy mode
  System default is PS redundant, N+1
  Connect PS input sources to two different power grids
  Power redundancy mode Full
Nexus7K(config)# power redundancy-mode redundant
Set max fabric modules per system - allows the system to release some of the reserved power (supported in NX-OS 5.0)
  By default the system reserves enough power for five fabric modules
Nexus7K(config)# hardware fabrics max 3
[Figure: power supplies fed at 220V from Grid 1 and Grid 2]
VDC Leading Practices
Customize VDC HA policy and resource configurations as necessary
  Dual-sup default is switchover and single-sup default is restart
Nexus7K(config-vdc)# ha-policy dual-sup <policy> single-sup <policy>
Nexus7K(config-vdc)# limit-resource vlan minimum <#> maximum <#>
Only non-default VDCs can be suspended, resumed, reloaded, or restarted
Nexus7K(config)# vdc <name> suspend
Nexus7K# reload vdc <name>
Reserve VDC 1 (default) as the administrative VDC
On VDC 1, assign accounts with minimum privileges necessary to accomplish operational tasks
[Figure: one chassis split into VDC1 Admin, VDC2 Agg1, VDC3 Acc1 and VDC4 Test]
Assign I/O modules to VDCs such that TCAM resources are shared effectively
All ports in the same port group on the 32-port 10GE I/O modules must be allocated to the same VDC
Nexus7K(config-vdc)# allocate interface e2/1,e2/3,e2/5,e2/7
Allocate entire I/O module to a VDC if possible
[Figure: Linecards 1 to 8, each with its own FIB TCAM and ACL TCAM (64K / 128K entries)]
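The port-group rule above can be checked before an allocation is typed in. This is an added example, not code from the session or from Cisco; it assumes, consistent with the e2/1,e2/3,e2/5,e2/7 allocation shown, that each block of eight ports on the 32-port 10GE module forms two port groups (odd-numbered and even-numbered ports), and that ports no VDC allocates stay in the default VDC, so a partly allocated group is flagged as well.

```python
"""Validate VDC interface allocations against the port-group rule.

Added example, not Cisco code. Assumption (consistent with the slide's
e2/1,e2/3,e2/5,e2/7 allocation): on the 32-port 10GE module each block of
eight ports forms two port groups, the odd ports and the even ports, e.g.
{1,3,5,7}, {2,4,6,8}, {9,11,13,15}, {10,12,14,16}, ...
"""
import re
from collections import defaultdict

PORTS_PER_MODULE = 32
IFACE_RE = re.compile(r"^(?:e|eth|ethernet)(\d+)/(\d+)(?:-(\d+))?$", re.IGNORECASE)


def parse_interfaces(spec):
    """Expand an allocate-style list such as 'e2/1,e2/3,e2/5-7' into (slot, port) pairs."""
    found = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = IFACE_RE.match(item)
        if not m:
            raise ValueError(f"unrecognised interface: {item}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        for port in range(first, last + 1):
            if not 1 <= port <= PORTS_PER_MODULE:
                raise ValueError(f"port {port} outside 1-{PORTS_PER_MODULE}")
            found.add((slot, port))
    return sorted(found)


def port_group_members(port):
    """Ports that share a port group with `port` (assumed layout, see above)."""
    block = (port - 1) // 8
    return [p for p in range(block * 8 + 1, block * 8 + 9) if p % 2 == port % 2]


def check_allocations(allocations):
    """allocations: {vdc_name: interface_spec}. Returns a list of violation strings.

    A violation is a port group whose members end up in more than one VDC.
    Ports that no VDC allocates remain in the default VDC (VDC 1), so a
    partially allocated group counts as split as well.
    """
    owners = defaultdict(dict)  # (slot, group) -> {port: vdc}
    for vdc, spec in allocations.items():
        for slot, port in parse_interfaces(spec):
            key = (slot, tuple(port_group_members(port)))
            if owners[key].get(port, vdc) != vdc:
                raise ValueError(f"e{slot}/{port} allocated to both {owners[key][port]} and {vdc}")
            owners[key][port] = vdc

    violations = []
    for (slot, group), owned in sorted(owners.items()):
        placement = {p: owned.get(p, "default") for p in group}
        if len(set(placement.values())) > 1:
            detail = ", ".join(f"e{slot}/{p} -> {v}" for p, v in placement.items())
            violations.append(f"port group e{slot}/{group[0]}..{group[-1]} split across VDCs: {detail}")
    return violations


if __name__ == "__main__":
    # Constructed allocations: the first follows the slide's example, the second breaks the rule.
    for plan in ({"Agg1": "e2/1,e2/3,e2/5,e2/7", "Acc1": "e2/2,e2/4,e2/6,e2/8"},
                 {"Agg1": "e2/1,e2/3", "Acc1": "e2/5,e2/7"}):
        print(plan, "->", check_allocations(plan) or "OK")
```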
Out-of-Band Management Network
Use the management VRF on the Nexus 7000 for all management system connectivity
Separate physical infrastructure is ideal
Use mgmt0 or Connectivity Management Processor (CMP) ports…or both!
Mgmt0 IP address for default and non-default VDCs must be from the same subnet
Assign a different IP address for the redundant CMP (same IP address for the redundant mgmt0 interface)
[Figure: out-of-band management network: the mgmt0 (x2) and CMP (x2) ports of Core1/Core2, Agg1a/Agg1b and Acc1/Acc2, and the mgmt0 of each VDC (VDC1 Admin, VDC2 Agg1, VDC3 Agg2), connect via an OOB management distribution switch to the system management server; the management VRF is separate from the default VRF]
Software Licensing
License is tied to chassis serial number
• License is stored in dual redundant NVRAM modules on chassis backplane
• If chassis is replaced, work with Cisco TAC to re-key the license
• If supervisor is replaced, license should be re-installed (although features still work)
License installation is non-disruptive to features already running under the grace period
Software Licensing (cont.)
Follow the steps to manually install the licenses:
1) Identify chassis serial number and PAK (Product Activation Key)
Nexus7K# show license host-id
License hostid: VDH=TBM########
2) Obtain the license key file from http://www.cisco.com/go/license
[Figure: PAK + chassis serial number yield the license file (XML)]
3) Install licenses and copy to bootflash & external location
Nexus7K# install license bootflash:<license_file.lic>
Nexus7K# copy bootflash:<license_file.lic> tftp:….
Nexus7K# show license usage
Feature                        Ins  Lic    Status   Expiry Date  Comments
                                    Count
---------------------------------------------------------------------------
LAN_ADVANCED_SERVICES_PKG      Yes  -      In use   Never        -
LAN_ENTERPRISE_SERVICES_PKG    Yes  -      Unused   Never        -
Software Upgrade: Cold Start Upgrade
Cold start upgrade procedure – recommended for pre-production
Synchronise the Kickstart image and the System image
Nexus7K(config)# boot system bootflash:<system-image> sup-1 sup-2
Nexus7K(config)# boot kickstart bootflash:<kickstart-image> sup-1 sup-2
Nexus7K# copy run startup-config
Nexus7K# sh boot
---deleted---
Boot Variables on next reload:
sup-1
kickstart variable = bootflash:/<kickstart-image>
system variable = bootflash:/<system-image>
sup-2
kickstart variable = bootflash:/<kickstart-image>
system variable = bootflash:/<system-image>
No module boot variable set
Nexus7K# reload
In-Service Software Upgrade (ISSU)
Show commands can be used to determine any potential impact prior to performing ISSU
Determine impact of upgrade:
Nexus7K# show install all impact kickstart bootflash:<kickstart> system bootflash:<system>
If downgrading, use “show incompatibility-all” to determine if any features need to be disabled:
Nexus7K# show incompatibility-all system bootflash:<system-image>
The following configurations on active are incompatible with the system image
1) Service : vpc , Capability : CAP_FEATURE_VPC_RELOAD_RESTORE
---deleted---
“install all” command used to kick off the upgrade:
Nexus7K# install all kickstart bootflash:<kickstart-image> system bootflash:<system-image>
Nexus7K# show install all status
What Happens During an ISSU?
Verify and validate the image
Check image compatibility
Provide descriptive upgrade information and option to cancel
Sync images to standby sup
Upgrade and switchover standby sup
Upgrade previous active sup and I/O modules
Load new image to CMP
Your network needs to be stable for ISSU to work properly!
This means no STP topology changes, routing instability, module removal, power interruption, etc.
ISSU – Routing Protocol Timers
Tuned routing protocol timers may interfere with ISSU
In most cases, tuned timers are not necessary due to point-to-point L3 links
Keep OSPF, EIGRP, BGP hello / dead timers at default levels if possible
If shared L2 segment is in use, look at Bidirectional Forwarding Detection (BFD) instead
EPLD Upgrade
An EPLD (Electronic Programmable Logic Device) upgrade is used to enhance hardware functionality or to resolve known issues
Performed on all the field replaceable modules (fan trays, fabric modules, I/O modules, and supervisor)
It is recommended to upgrade to the latest EPLD image only when directed to do so by TAC or AS
EPLD upgrade is a separate and independent process from ISSU and is typically not required
Check EPLD module versions using “show install all impact epld”
Nexus7K# show install all impact epld bootflash:<EPLD_image_name>
Nexus7K# install all epld bootflash:<EPLD_image_name>
Nexus7K# show version <type> <mod #> epld
Checkpoint / Configuration Rollback – Use It!!
Rollback allows users to take a configuration snapshot and reapply the config at any point
Create up to 10 checkpoints per VDC
Nexus7K# checkpoint checkpt1
Processing the Request... Please Wait
The rollback changes can be viewed before committing to the rollback operation
Nexus7K# show diff rollback-patch running-config checkpoint checkpt1
Processing the Request... Please Wait
Nexus7K# rollback running-config checkpoint checkpt1
Auto-checkpoint is invoked upon feature removal and license expiration
Nexus7K(config)# no feature ospf
Nexus7K(config)# sh checkpoint all
----------------------------------------------
Name: system-fm-__inst_1__ospf
Implementation and Leading Practices: Layer-2 Features
VLAN Trunking Protocol (VTP)
VTP “OFF” mode is recommended
  Switches do not participate in VTP and VTP advertisements are not forwarded
Nexus7K(config)# no feature vtp
Utilize VTP transparent mode if the VTP domain needs to extend across Nexus 7000 switches
  Must allow VLAN 1, which carries the VTP packets
Nexus7K(config)# feature vtp
Nexus7K(config)# vtp domain <name>
VTP client / server mode introduced in NX-OS 5.1
VLANs 3968 - 4047 and 4094 are reserved
  Catalyst 6500 reserved VLANs 1002 - 1005
[Figure: agg1a/agg1b in VTP transparent mode forwarding VTP packets between Acc1 (VTP server) and Acc2 (VTP client), versus agg1a/agg1b in VTP off mode]
Unidirectional Link Detection (UDLD)
Enable the UDLD feature: this enables UDLD normal mode on all fibre interfaces
Nexus7K(config)# feature udld
  Interface config supersedes the global UDLD setting
UDLD aggressive on port-channel member ports is optional
Nexus7K(config-if-range)# udld aggressive
What About CAM / ARP Timers? Do I Need to Tweak Them?
Not required
Other platforms require CAM / ARP timer tweaking to avoid unicast flooding
Default NX-OS CAM aging timer is 1800s and ARP timeout is 1500s
Basic L2 Leading Practices Still Apply!
Assign an unused VLAN as native VLAN (consistent across the same L2 domain)
Clear the native VLAN from the trunk
Configure native VLAN tagging on trunks
Nexus7K(config)# vlan dot1Q tag native
Error Disable Recovery is disabled by default – leave it this way if possible!
Nexus7K# show interface status err-disabled
Nexus7K(config)# errdisable recovery cause <cause>
Nexus7K(config)# errdisable recovery interval <time>
Implement storm-control to prevent disruptions caused by broadcast and multicast storms
Nexus7K(config-if)# storm-control broadcast level 40
Port Channels
Use LACP to negotiate both L2 and L3 port-channels
Nexus7K(config)# feature lacp
Nexus7K(config)# int e<mod>/<port>
Nexus7K(config-if)# channel-group <#> mode active
Implement port channels with 2, 4 or 8 members for optimal traffic distribution
Understand port-channel failure behaviour
  BW and IGP cost for an L3 channel are recalculated when a physical member fails
  STP cost for L2 channels does not recalculate when a physical member fails
[Figure: OSPF cost of the L3 channels between Aggr1a/Aggr1b and Core1/Core2 (50 and 100), with the access layer below]
Spanning-Tree Protocol (STP): Which Mode?
Implement a consistent STP mode in the same L2 domain
RPVST+ is the default and is backward compatible with PVST
Nexus7K# sh spanning-tree active | i Peer
Po11 Desg FWD 12 128.4106 P2p Peer(STP)
Utilize MST for larger scale L2 networks
  MST supports 75K logical ports (90K in NX-OS 5.0) and RPVST+ supports 16K logical ports
  MST introduces some complexity and requires detailed planning
Nexus7K# show spanning-tree summary total
----deleted----
Name        Blocking Listening Learning Forwarding STP Active
----------  -------- --------- -------- ---------- ----------
9 vlans            0         0        0         18         18
3 msts             2         0        0          8         10
(the STP Active column is the total number of logical ports; the “msts” row counts MST ports)
Spanning-Tree Leading Practices
Aggregation switches should be STP root and secondary root
Configure host ports as port type “edge” or port type “edge trunk”
Nexus7K(config-if)# spanning-tree port type edge trunk
Enable STP BPDU-guard globally
Nexus7K(config)# spanning-tree port type edge bpduguard default
Use “spanning-tree pathcost method long”
[Figure: agg1a (root) and agg1b (backup root), Access1/Access2 and two L3 firewalls, annotated with Bridge Assurance, Loop-Guard, BPDU-guard and port type edge / edge trunk]
What is Bridge Assurance?
BPDUs sent in both directions
Enabled by default globally
Active only on interfaces configured as port type “network”
Nexus7K(config-if)# spanning-tree port type network
[Figure: root switch and downstream switches exchanging BPDUs on ports of type network; host-facing ports are of type edge]
What is Bridge Assurance? OK, but where should I enable it?
- Generally, BA should be enabled on all inter-switch links which support it (i.e. Nexus to Nexus)
- Exception: not on vPC member links
- If it's not supported at both ends, then use Loop Guard instead
Port Profiles
Useful for enforcing consistent configuration; not necessarily a Layer 2 feature, can also be applied to Layer 3
Configure port parameters once, apply to multiple ports
Create Port Profile:
Nexus7K(config)# port-profile type ethernet trunk-port
  state enable
  switchport
  switchport mode trunk
  switchport trunk native vlan <vlan>
  spanning-tree port type network
  no shut
Apply to multiple ports:
Nexus7K(config-if)# switchport
Nexus7K(config-if)# inherit port-profile trunk-port
Nexus7K(config-if)# switchport trunk allow vlan <vlans>
Warning: Port-Profiles are live profiles (modifying or deleting port-profiles will be reflected on the assigned interfaces)
Implementation and Leading Practices: Virtual Port-Channel (vPC)
Virtual Port-Channel (vPC) Terminology
vPC Peer-Link – used to sync state between peers
vPC Peer-Keepalive – detect status of vPC peer devices
[Figure: access switch attached by a vPC to two vPC peers; the diagram labels the vPC peers, the peer-link, the peer-keepalive and the vPC member ports]
Virtual Port-Channel (vPC) Terminology (cont.)
vPC VLAN: any VLAN which is carried over the peer-link…even if it isn't trunked on a vPC!
Cisco Fabric Services over Ethernet (CFSoE): used for state sync and config validation between vPC peers
Under normal conditions, traffic received on the peer link cannot be forwarded on a vPC
What Happens to vPC When Failures Occur?
Traffic re-hashed to the existing vPC member
Traffic re-hashed to the peer
Traffic may traverse the peer-link & egress on a vPC if the corresponding peer vPC instance is down (peer-link used as backup)
[Figure: four failure cases for an access switch attached by a vPC]
What if the Peer Link Fails?
1) Secondary checks to see if primary is up (using Peer-Keepalive)
2) If primary is still up, secondary shuts local vPC ports
This server is single homed – what happens to him? He is isolated!!!
The moral: don't single home devices to a vPC peer!
[Figure: primary and secondary vPC peers with the peer-link failed and a single-homed server]
What if the Peer Link Fails? (cont.)
If you have no choice:
Connect the single attached device to the primary vPC peer
Use ‘dual-active exclude interface-vlan’ to avoid SVI shutdown
[Figure: primary and secondary vPC peers with the single-attached device on the primary]
vPC Leading Practices
Use a dedicated link for Peer-Keepalive and assign it to a separate VRF
• If mgmt0 is used, it should be connected to an OOB mgmt network
• Back-to-back mgmt0 connection should only be used in single supervisor implementations
• Don't use an SVI interface over the vPC peer-link as the vPC keepalive link!!
Use diverse 10GE modules to form the Peer-Link
Use ‘dedicated mode’ for Peer-Link ports
  Shared mode is supported but not recommended
[Figure: agg1a and agg1b joined by the vPC peer-link (vPC_PL); the peer-keepalive (vPC_PKL) runs over mgmt0 (x2) through the management network]
vPC Leading Practices (cont.)
Assign a unique vPC domain-ID for each pair of vPC peer devices in the same “L2 domain”
  LACP negotiation (LAGID)
Try to match the vPC ID to the port-channel number for easier management
[Figure: two vPC pairs (vPC domain 10 and vPC domain 20), each with a primary and a secondary peer]
vPC Peer-Gateway Feature
Some devices send traffic to the sender's MAC address rather than the HSRP virtual MAC
In that case, traffic may cross the Peer-Link to reach the SVI, but will get dropped if exiting through another vPC
Enable ‘peer-gateway’ to enable devices to act as gateway for packets destined to the other peer
[Figure: access switch, HSRP SVIs on both vPC peers, traffic crossing the peer-link and leaving via another vPC]
vPC Peer-Gateway Feature (cont)
Nexus7K(config)# vpc domain <domain-id>
Nexus7K(config-vpc-domain)# peer-gateway
Note: Disable IP redirects on all interface-vlans of this vPC domain for correct operation of this feature!
interface vlan <vlan x>, vlan <vlan y>
no ip redirects
Disable IP redirects on all SVIs of the vPC VLANs to avoid generating IP redirect messages if “peer-gateway” is configured (default in later versions)
vPC Peer-Switch Feature
Allows vPC peer devices to act as a single STP root
Improves STP convergence during switch failure
Nexus7K-1a(config-vpc-domain)# peer-switch
Nexus7K-1a(config)# spanning-tree vlan 1-4094 pri 8192
Nexus7K-1b(config-vpc-domain)# peer-switch
Nexus7K-1b(config)# spanning-tree vlan 1-4094 pri 8192
Nexus7K-1a# show spanning-tree summary | i peer
vPC peer-switch is enabled (operational)
Nexus7K-1b# show spanning-tree summary | i peer
vPC peer-switch is enabled (operational)
Nexus7K-1a# sh spanning vlan 1
---deleted---
Root ID Priority 8193
Address 0023.04ee.be01
This bridge is the root
---deleted---
Po1 Desg FWD 1 128.4096 (vPC peer-link) Network P2p
Nexus7K-1b# sh spanning vlan 1
---deleted---
Root ID Priority 8193
Address 0023.04ee.be01
This bridge is the root
---deleted---
Po1 Root FWD 1 128.4096 (vPC peer-link) Network P2p
[Figure: both vPC peers act as STP root and both send BPDUs towards the access switch]
vPC ARP Synchronisation
CLI enabled on each vPC device
After the peer-link comes up following a reload, perform an ARP bulk sync to the peer switch
Improves convergence for Layer 3 flows
[Figure: primary (P) and secondary (S) vPC peers, each holding the same ARP table (IP1 MAC1 VLAN 100, IP2 MAC2 VLAN 200) on their SVIs after the bulk sync]
vPC and Layer 3 Routing Adjacencies
When connecting layer 3 routing devices to a vPC domain, do not form a routing adjacency with the peer devices over vPC member links
[Figure: router R1 attached by a vPC to 7K-1 and 7K-2 and forming an L3 “adjacency” with them over the vPC member links; routers R2 and R3 also shown]
vPC & L3 – Supported Designs
[Figure: supported designs for attaching R1 to 7K-1 and 7K-2, including one using separate VDCs (VDC1, VDC2)]
vPC & Single 10GE Modules: What Happens if a Single 10GE Module Fails?
1) 10GE module fails – takes down the vPC Peer-Link and the Core Links
2) Secondary sees the Peer-Link has failed, however the Peer-Keepalive link shows Peer 1 is alive
3) Secondary peer disables its own vPC links
Result: Complete Isolation!
[Figure: two access switches attached by vPCs; the primary peer's single 10GE module carries both the peer-link and the links to the core]
vPC & Single 10GE Modules: What's the Solution?
Enable vPC object tracking to prevent a traffic black-hole (supported in NX-OS 4.2)
Nexus7K-1a(config)#
track 1 interface port-channel1 line-protocol
track 2 interface ethernet1/25 line-protocol
track 3 interface ethernet1/26 line-protocol
!
track 10 list boolean or
  object 1
  object 2
  object 3
!
vpc domain 1
  track 10
Nexus7K-1a# show track 10
Track 10
  List Boolean or
  Boolean or is DOWN
  6 changes, last change 00:11:12
  Track List Members:
    object 3 DOWN
    object 2 DOWN
    object 1 DOWN
  Tracked by:
    vPCM
Nexus7K-1a# show int po 11
port-channel11 is down (suspended by vpc)
Nexus7K-1a# show int vlan 11
Vlan11 is down, line protocol is down
[Figure: after the module failure the former primary is “Primary, operational secondary” and the former secondary is “Secondary, operational primary”]
Preferred solution: use multiple 10GE modules
vPC Configuration
vPC role priority for primary and secondary device (default is 32667); no preempt
Best practice: the same peer should be the STP root bridge and the HSRP active peer
vPC id MUST match across both peers
Port channel SHOULD match across both peers (mgmt ease)
First vPC peer:
feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101
Second vPC peer:
feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 20
  peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101
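The MUST/SHOULD rules above can be cross-checked mechanically against the two peers' running configs. This is an added example, not code from the session or from Cisco; it assumes the NX-OS running-config layout (sub-commands indented under vpc domain and interface) and that a peer-keepalive without a vrf keyword uses the management VRF. The two constructed config fragments reproduce the slide's values.

```python
"""Cross-check the vPC configuration of two peers against the slide's rules.

Added example, not Cisco code. Rules checked: feature vpc on both peers,
same vPC domain ID, vPC IDs MUST match, peer-link and vPC port-channel
numbers SHOULD match, peer-keepalive source/destination mirror each other in
a non-default VRF, role priorities differ, and peer-switch / peer-gateway /
ARP sync are either on both peers or on neither.
"""
import re

# Constructed running-config fragments reproducing the slide's two peers.
PEER_A = """
feature vpc
vpc domain 101
  ip arp synchronize
  peer-switch
  role priority 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf VPC_KAL
  peer-gateway
interface port-channel11
  vpc peer-link
interface port-channel301
  vpc 101
"""
PEER_B = (PEER_A.replace("role priority 10", "role priority 20")
          .replace("destination 10.1.1.2 source 10.1.1.1",
                   "destination 10.1.1.1 source 10.1.1.2"))

KEEPALIVE_RE = re.compile(r"peer-keepalive destination (\S+) source (\S+)(?: vrf (\S+))?")


def parse_vpc_config(text):
    """Extract the vPC-relevant pieces of an NX-OS running-config."""
    cfg = {"features": set(), "domain": None, "role_priority": None,
           "keepalive": None, "flags": set(), "peer_link": None, "vpcs": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("feature "):
            cfg["features"].add(line.split()[1])
            ctx = None
        elif line.startswith("vpc domain "):
            cfg["domain"] = int(line.split()[2])
            ctx = "domain"
        elif line.startswith("interface "):
            ctx = line.split()[1]
        elif ctx == "domain":
            m = KEEPALIVE_RE.match(line)
            if line.startswith("role priority "):
                cfg["role_priority"] = int(line.split()[2])
            elif m:
                # Assumption: no 'vrf' keyword means the management VRF.
                cfg["keepalive"] = {"dst": m.group(1), "src": m.group(2),
                                    "vrf": m.group(3) or "management"}
            else:
                cfg["flags"].add(line)  # peer-switch, peer-gateway, ip arp synchronize
        elif ctx and ctx.startswith("port-channel"):
            if line == "vpc peer-link":
                cfg["peer_link"] = ctx
            elif line.startswith("vpc "):
                cfg["vpcs"][int(line.split()[1])] = ctx
    return cfg


def check_vpc_peers(a, b):
    """Return a list of (severity, message); an empty list means the peers are consistent."""
    issues = []
    for name, cfg in (("A", a), ("B", b)):
        if "vpc" not in cfg["features"]:
            issues.append(("MUST", f"peer {name}: feature vpc not enabled"))
        if cfg["peer_link"] is None:
            issues.append(("MUST", f"peer {name}: no port-channel configured as vpc peer-link"))
        if cfg["keepalive"] is None:
            issues.append(("MUST", f"peer {name}: no peer-keepalive configured"))
        elif cfg["keepalive"]["vrf"] == "default":
            issues.append(("SHOULD", f"peer {name}: peer-keepalive in default VRF; use a separate VRF"))
    if a["domain"] != b["domain"] or a["domain"] is None:
        issues.append(("MUST", f"vPC domain IDs differ: {a['domain']} vs {b['domain']}"))
    if a["peer_link"] and b["peer_link"] and a["peer_link"] != b["peer_link"]:
        issues.append(("SHOULD", f"peer-link port-channel differs: {a['peer_link']} vs {b['peer_link']}"))
    if set(a["vpcs"]) != set(b["vpcs"]):
        issues.append(("MUST", f"vPC IDs differ: {sorted(a['vpcs'])} vs {sorted(b['vpcs'])}"))
    for vpc_id in set(a["vpcs"]) & set(b["vpcs"]):
        if a["vpcs"][vpc_id] != b["vpcs"][vpc_id]:
            issues.append(("SHOULD", f"vPC {vpc_id}: port-channel numbers differ "
                                     f"({a['vpcs'][vpc_id]} vs {b['vpcs'][vpc_id]})"))
    if a["keepalive"] and b["keepalive"]:
        ka, kb = a["keepalive"], b["keepalive"]
        if ka["dst"] != kb["src"] or ka["src"] != kb["dst"]:
            issues.append(("MUST", "peer-keepalive source/destination addresses do not mirror each other"))
        if ka["vrf"] != kb["vrf"]:
            issues.append(("SHOULD", f"peer-keepalive VRF differs: {ka['vrf']} vs {kb['vrf']}"))
    if a["role_priority"] == b["role_priority"]:
        issues.append(("SHOULD", "role priorities are equal; set different values so the primary is deterministic"))
    for flag in a["flags"] ^ b["flags"]:
        issues.append(("SHOULD", f"'{flag}' configured on one peer only"))
    return issues


def audit(text_a, text_b):
    """Parse both peers' configs and return the consistency issues."""
    return check_vpc_peers(parse_vpc_config(text_a), parse_vpc_config(text_b))


if __name__ == "__main__":
    for sev, msg in audit(PEER_A, PEER_B) or [("OK", "peers consistent")]:
        print(sev, msg)
```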
Implementation and Leading Practices: Nexus 7000 and Nexus 2248TP (Fabric Extender)
The Nexus 2000: a Remote Linecard
The Nexus 2000 (aka Fabric Extender or FEX) can be viewed as a remote linecard for the Nexus 7000:
No local switching
Benefits from the feature set of the parent switch
From the network perspective, a device attached to a Nexus 2000 behaves as if it were directly attached to the parent switch.
[Figure: physical view (FEX at the rack uplinked to the Nexus 7000) versus logical view (FEX ports appearing on the parent switch)]
Nexus 7000 with Fabric Extenders
Combines benefits of Top of Rack (ToR) & End of Row (EoR) network architectures
• Physically resides on the top of each server rack
• Logically acts like an end of access row device
• Scales in a manner that enables collapsing of Agg + Access layers in many networks
2 x N2248 per server rack
Data Centre Designs with Nexus 7000 & 2000
[Figure: Core layer, Nexus 7000 collapsed Aggregation + Access layer, FEX at the rack]
[Figure: Nexus 7000 collapsed Core + Aggregation + Access layer, FEX at the rack]
Nexus 7000 / 2000: Supported Topologies
Single-attached
Standard NIC teaming (active / standby)*
Active / Active with MAC Pinning (Nexus 1000V, etc)
* Be aware of the impact of Peer-Link failure
Coming Soon!
Port-Channel from Host
vPC from Host to Fabric Extender
Nexus 7000/ 2248 Connectivity Rules
Port channel between a Nexus 2248 and a single Nexus 7000 (no vPC)
The port channel can span several I/O Modules for redundancy
Up to 32 Nexus 2248 attached to a single Nexus 7000
N7K-M132XP-12 and N7K-M132XP-12XL linecards only
Fabric Extender Configuration
Nexus7000# show run interface 1/3
interface Ethernet1/3
  switchport mode fex-fabric
  fex associate 100
  channel-group 1
Nexus7000# show interface brief
--------------------------------------------------------------------------------
Ethernet      VLAN   Type Mode   Status  Reason               Speed    Port
Interface                                                               Ch #
--------------------------------------------------------------------------------
Eth100/1/1    100    eth  access up      none                 auto(D)  --
Eth100/1/2    1      eth  access up      none                 1000(D)  --
Eth100/1/3    100    eth  access up      none                 1000(D)  --
Eth100/1/4    100    eth  access down    Link not connected   1000(D)  --
Eth100/1/5    100    eth  access down    Link not connected   1000(D)  --
Eth100/1/6    100    eth  access down    Link not connected   1000(D)  --
Eth100/1/7    1      eth  access down    Link not connected   1000(D)  --
The Eth100/1/x host ports are port type edge with BPDU guard: attached devices must not send BPDUs (hosts are OK)
Implementation and Leading Practices: Access Control
Network Access
Allow only SSH remote access (default)
  If telnet is required, configure “feature telnet”
  If telnet access to the CMP is required, “telnet server enable” needs to be configured on the CMP
Secure interface mgmt0 with an ACL
  CoPP does not protect interface mgmt0
  ACL with the logging option is supported in NX-OS 5.0
ACL is not supported on VTY
  CoPP can be leveraged to secure VTY access
Configure exec-timeout for VTY and console access
Nexus7K(config)#
no feature telnet
!
vrf context management
  ip route 0.0.0.0/0 <IP address>
!
ip access-list <ACL-name>
  10 remark allow specific ssh
  11 permit tcp <addr>/24 any eq 22
  12 permit tcp any eq 22 <addr>/24
  13 deny tcp any any eq 22
  14 deny tcp any eq 22 any
  20 remark allow specific snmp
  21 permit udp <addr>/24 any eq snmp
  ………..
  50 permit ip any any
!
interface mgmt0
  ip address <ip address>/<mask>
  ip access-group <ACL-name> in
!
line vty
  exec-timeout <time>
  session-limit <session#>
line console
  exec-timeout <time>
!
int cmp-mgmt module <module>
  ip address <addr>/<mask>
  ip default-gateway <IP addr>
Nexus7K-cmp10(config)#
telnet server enable
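To see what the mgmt0 access-list above actually admits, here is an added example (not code from the session or from Cisco) that parses the slide's ACL and evaluates sample packets against it. It substitutes constructed values for the placeholders (10.10.10.0/24 for the trusted <addr>/24, 10.20.0.7 for mgmt0), omits the elided entries (………..), and assumes standard ACL semantics: first matching entry wins, implicit deny at the end.

```python
"""Evaluate sample packets against the slide's mgmt0 access-list.

Added example, not Cisco code. Constructed values stand in for the slide's
placeholders: 10.10.10.0/24 is the trusted management subnet (<addr>/24) and
10.20.0.7 is the mgmt0 address. The elided entries (………..) are not
reproduced. Semantics assumed: first matching entry wins, implicit deny.
"""
import ipaddress

MGMT_ACL = """
ip access-list MGMT-IN
  10 remark allow specific ssh
  11 permit tcp 10.10.10.0/24 any eq 22
  12 permit tcp any eq 22 10.10.10.0/24
  13 deny tcp any any eq 22
  14 deny tcp any eq 22 any
  20 remark allow specific snmp
  21 permit udp 10.10.10.0/24 any eq snmp
  50 permit ip any any
"""

PORT_NAMES = {"ssh": 22, "telnet": 23, "snmp": 161, "snmptrap": 162}


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len'; None means any address."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port|name>'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None


def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p]' lines; remarks are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or not parts[0].isdigit() or parts[1] == "remark":
            continue
        seq, action, proto, rest = int(parts[0]), parts[1], parts[2], parts[3:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        entries.append({"seq": seq, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def _matches(entry, pkt):
    """True when the packet matches every field the entry constrains."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if entry[side] is not None and ipaddress.ip_address(pkt[side]) not in entry[side]:
            return False
    for side in ("sport", "dport"):
        if entry[side] is not None and entry[side] != pkt.get(side):
            return False
    return True


def evaluate(entries, pkt):
    """Return (action, matching sequence number); ('deny', None) is the implicit deny."""
    for entry in entries:
        if _matches(entry, pkt):
            return entry["action"], entry["seq"]
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(MGMT_ACL)
    # Constructed packets arriving on mgmt0 (10.20.0.7).
    samples = [
        {"proto": "tcp", "src": "10.10.10.5", "dst": "10.20.0.7", "sport": 51000, "dport": 22},
        {"proto": "tcp", "src": "192.0.2.9", "dst": "10.20.0.7", "sport": 51000, "dport": 22},
        {"proto": "udp", "src": "192.0.2.9", "dst": "10.20.0.7", "sport": 40000, "dport": 161},
    ]
    for pkt in samples:
        print(pkt["proto"], pkt["src"], "-> port", pkt["dport"], evaluate(acl, pkt))
```

The third sample, SNMP from outside the trusted subnet, falls through to sequence 50 in this reproduction because the slide only shows a permit for specific SNMP and the elided entries are unknown; running the evaluator against the real ACL makes such fall-through cases visible before the ACL is applied to mgmt0.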
Control Plane Policing (CoPP)
Implement strict control plane policing (default)
  If the default policy is required, run the “setup” command to reapply the default policy after a software upgrade between major releases
  Any non-default CoPP policies need to be reapplied after setup
  A future software release will generate a syslog on CoPP policy changes
Tune the default CoPP policy according to needs
  The configured setting is per line card and not per system. If a high number of I/O modules is installed, the conform rate may need to be tuned down
  Future enhancement: generate syslog messages if drops exceed a user-configured threshold
Nexus7K# show policy-map interface control-plane | inc violated
violated 59 bytes; action: drop
(per module statistics)
Nexus7K# setup
----deleted----
Configure best practices CoPP profile (strict/moderate/lenient/none) [strict]:
Packet Sanity Checks
The Intrusion Detection System (IDS) check performs sanity checks on the IP headers to protect the network and the system (enabled by default)
In NX-OS 5.0, the system generates syslogs on IDS drops (max is one every 30 min)
It is recommended to disable the fragment IDS check since some applications send IP packets with the DF bit set and a fragment offset
  Fragment IDS check is disabled by default in NX-OS 5.0
Disable individual IDS checks as required
  Ex. If BFD is configured, disable the “address identical” IDS check
Nexus7K# show hardware forwarding ip verify
IPv4 and v6 IDS Checks        Status    Packets Failed
-----------------------------+---------+------------------
---deleted---
address identical             Enabled   0
---deleted---
fragment                      Enabled   0
---deleted---
Nexus7K(config)# no hardware ip verify fragment
Nexus7K(config)# no hardware ip verify address identical
“giving us enough rope to hang ourselves”
Recommended Reading
We value your feedback - don't forget to complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Networkers 20th Anniversary t-shirt.
All surveys can be found on our onsite portal and mobile website: www.ciscoliveeurope.com/connect/mobi/login.ww
You can also access our mobile site and complete your evaluation from your mobile phone:
1. Scan the Access Code (see http://tinyurl.com/qrmelist for software; alternatively type in the access URL)
2. Login
3. Complete and Submit the evaluation
Please complete your Session Survey