VCE Vblock® Systems Upgrade Guide from Cisco Nexus 1000V Switch Release 4.2(1)SV2(2.1a) to 5.2(1)SV3(1.2)

Document revision 1.5

October 2015

www.vce.com


Revision history

| Date | Document revision | Description of changes |
|---|---|---|
| October 2015 | 1.5 | Added updates information about upgrading the Cisco Nexus 1000V Switch VSM from 2-GB HDD to a 3-GB HDD. |
| June 2015 | 1.4 | Added support for upgrading from Cisco Nexus software release 4.2(1)SV2(2.1a) to 5.2(1)SV3(1.2). |
| April 2015 | 1.3 | Added content to the section “Converting the Cisco Nexus 1000V Switch from Layer 2 to Layer 3 mode.” |
| March 2015 | 1.2 | Added support for Vblock System 540 and 740 and Vblock System Release 5.0. |
| February 2015 | 1.1 | Added support for the Vblock System 200 Series. Added minimum RCM release information to the Software prerequisites section. |
| January 2015 | 1.0 | Initial release. |

© 2015 VCE Company, LLC. All Rights Reserved.

Contents

Introduction

Accessing VCE documentation

Upgrade overview

Upgrade prerequisites

    Software prerequisites

    Configuration prerequisites

    Converting the Cisco Nexus 1000V Switch from Layer 2 to Layer 3 mode

    Upgrading the Cisco Nexus 1000V Switch VSM from 2-GB HDD to a 3-GB HDD

    Prerequisite tasks

Estimating the upgrade time

Installing Cisco Virtual Switch Update Manager

Upgrading the Cisco Nexus 1000V Switch

Setting security configuration options

Enabling Layer 3 security

Enabling port security

Additional references


Introduction

This document describes how to upgrade an existing Cisco Nexus 1000V Switch running version 4.2(1)SV2(2.1a) to the software release 5.2(1)SV3(1.2).

These upgrade instructions apply to the following Vblock Systems:

• Vblock System 700 Series

• Vblock System 540

• Vblock System 300 Series

• Vblock System 200 Series

The VCE Glossary provides terms, definitions, and acronyms that are related to Vblock Systems.

To suggest documentation changes and provide feedback on this book, send an email message to [email protected]. Include the name of this book and the topic name where your comment applies.

When to use this guide

Use this guide to upgrade an existing Cisco Nexus 1000V Switch running version 4.2(1)SV2(2.1a) to the software release 5.2(1)SV3(1.2).

| For information about upgrading | Refer to |
|---|---|
| From one Vblock System release to another | VCE Vblock System Upgrade Roadmap |
| From one VMware vSphere release to another | VCE Vblock System Upgrade Roadmap |
| VCE Vision™ Intelligent Operations software | VCE Vision Intelligent Operations Upgrade Guide |

Related information

Accessing VCE documentation


Accessing VCE documentation

Select the documentation resource that applies to your role.

| Role | Resource |
|---|---|
| Customer | support.vce.com. A valid username and password are required. Click VCE Download Center to access the technical documentation. |
| VCE Partner | partner.vce.com. A valid username and password are required. |
| Cisco, EMC, VCE, or VMware employee | portal.vce.com |
| VCE employee | sales.vce.com/saleslibrary or vblockproductdocs.ent.vce.com |


Upgrade overview

The Cisco Nexus 1000V release 3.1 introduces the Cisco Virtual Switch Update Manager (VSUM), which is a graphical user interface to upgrade the Cisco Nexus 1000V switch components, such as Virtual Supervisor Modules (VSMs) and Virtual Ethernet Modules (VEMs) on VMware ESXi hosts. VCE recommends using the Cisco VSUM to perform the Cisco Nexus 1000V Switch upgrades on Vblock Systems.

Note: If the Cisco Nexus 1000V switch does not meet the hardware CPU requirements listed in the System Requirements topic of the Installing Cisco Virtual Switch Update Manager section in the Cisco Virtual Switch Update Manager Getting Started Guide for Cisco Nexus 1000V, you can use the CLI to upgrade the Cisco Nexus 1000V switch without the VSUM.

This guide contains information on installing and upgrading the Cisco Nexus 1000V Switch using the VSUM and CLI methods as per the standard VCE configuration.


Upgrade prerequisites

Software prerequisites

• As part of the upgrade procedure, the Cisco Nexus 1000V Switch must be running release 4.2(1)SV2(2.1a) to upgrade to the 5.2(1)SV3(1.2) release using this upgrade guide.

• VMware ESXi version must be at 5.5U1, 5.1U2, or later releases before upgrading to Cisco Nexus 1000V 5.2(1)SV3(1.2).

• Refer to the VCE Vblock System Release Certification Matrix for supported releases.

• The following table shows the minimum RCM releases needed for this upgrade:

| Vblock System | RCM branch | Minimum RCM release required to upgrade to 5.2(1)SV3(1.2) |
|---|---|---|
| Vblock 540, 740 | 5.0.x | 5.0.x |
| Vblock 200, 300, 320, 700LX, 700MX, 720 | 4.0.x | 4.0.14 |
| Vblock 340 | 4.0.x | 4.0.15 |
| Vblock 200, 240, 300, 320, 340, 700LX, 700MX, 720 | 4.5.x | 4.5.6 |
| Vblock 300, 320, 340, 700LX, 700MX, 720 | 4.8.x | 4.8.0 |

Configuration prerequisites

• Configure the Cisco Nexus 1000V Switch in Layer 3 mode before proceeding with the release 3.1 upgrade. Refer to the following section to configure an existing Cisco Nexus 1000V switch in Layer 3 mode according to VCE standard configuration.

• Starting with Release 3.1, the Cisco Nexus 1000V Switch requires a minimum of 3 GB of hard disk drive (HDD) space. Refer to the section Upgrading the Cisco Nexus 1000V Switch VSM from 2-GB HDD to a 3-GB HDD.

• Upgrading the Cisco Nexus 1000V Switch using Cisco VSUM requires an additional IP address on the Vblock System VMware ESXi Management network (same as the Cisco Nexus 1000V VSMs) and a system name for the VSUM virtual machine.


Converting the Cisco Nexus 1000V Switch from Layer 2 to Layer 3 mode

A VCE standard configuration requires the Cisco Nexus 1000V switch to be configured in Layer 3 mode. Layer 3 mode is used for VSM-VEM communication over the Layer 3 control network VLAN. Use the following procedure to convert the Cisco Nexus 1000V switch from Layer 2 to Layer 3 mode.

Note: This procedure applies only to the Vblock System 300 Series and Vblock System 700 Series, and Vblock System 540. Vblock System 200 Series is supported only in Layer 3 mode.

Note: VLAN names and numbers are VCE standard and can be replaced with customer-specific values.

Before you begin

1 Create a new Layer 3 mode VLAN on the Cisco UCS, Cisco Nexus 1000V switch, and network switches:

    vblock_n1k_l3control (116)

Note: Add this VLAN to all instances of configuration on network switches that contain the existing Layer 2 packet and control VLAN (111-112) information. The VLAN 111-112 configuration will be removed after the migration.

2 Create the following Virtual Machine port group on vSwitch0 of each Management host in the Management vCenter on the AMP or AMP-2:

    vblock_n1k_l3control (VLAN ID 116)

Procedure

1 Configure the Layer 3 interface.

a The VSM control0 interface will be used as the Layer 3 interface for VSM-VEM communication over the vblock_n1k_l3control network (116). Using SSH, connect to the VSM management IP address. Enter the following commands:

    configure terminal
    interface control 0
     ip address 192.168.116.50 255.255.255.0
    vrf context default
     ip route 0.0.0.0/0 192.168.116.1
    copy run start
    show running-config interface control 0


2 Create a data port-profile with Layer 3 control capability.

a Create the following vEthernet type port profile for the VSM-VEM Layer 3 control traffic. The System VLAN is important to ensure that the VLAN is always forwarding. Using SSH, connect to the VSM management IP address. Enter the following commands:

    port-profile type vethernet N1K_L3_Control
    vmware port-group
    switchport mode access
    switchport access vlan 116 /* Replace '116' with vblock_n1k_l3control VLAN */
    no shutdown
    pinning id 0
    capability l3control
    system vlan 116 /* Replace '116' with vblock_n1k_l3control VLAN */
    state enabled
    copy run start

b Verify the port group in VMware vCenter. You should now be able to view the (VM-facing) port group. The green icon represents UPLINK, and the blue icon represents the VM-facing port groups.

3 Add the Layer 3 Control VLAN to the UPLINK port-profile.

Note: For Disjoint Layer 2 deployments, add this VLAN to the Disjoint-L2_UPLINK port-profile.

Using SSH, connect to the VSM management IP address. Enter the following commands:

    port-profile type ethernet DATA-UPLINK
    switchport trunk allowed vlan add 116
    system vlan <ESX mgmt vlan number>, <vMotion vlan number>, <ESX NFS vlan number>, <N1K_L3_Control VLAN number> /* Replace with vblock_n1k_l3control VLAN */
    copy run start

4 Create the VMKernel port-group for the Cisco Nexus 1000V Switch Layer 3 control traffic on VMware ESXi hosts, using the following steps:

a Log in to the VMware vCenter Server and select Home > Inventory > Hosts and Clusters.

b Click the VMware ESXi host, select the Configuration tab, and highlight Networking.

c Click Manage Virtual Adapters on vSphere Distributed Switch, click Add.

d Select New Virtual Adapter and select VMkernel adapter type. Click Next.

e Select N1K_L3_Control (the port-profile you created in step 2) from the Port-group menu. Click Next.

f Enter the IP address configuration information (choose an IP address from the Layer 3 control network 116). Click Next.

g Click Finish.


h Repeat these steps for each VMware ESXi host connected to the Cisco Nexus 1000V switch.

i Verify connectivity from the VSM default VRF to the VMK IP address using network ping.

5 Reconfigure the SVS-Domain in the VSM to use control0 as the Layer 3 control interface and update the network adapters on the primary and secondary VSM VMs to use the vblock_n1k_l3control port-group on vSW0. Use SSH to connect to the VSM management IP address.

a Disconnect the VSM-to-vCenter server connection:

    configure terminal
    svs connection <vCenter>
    no connect
    exit

b Remove the control and packet VLAN configuration:

    svs-domain
    no control vlan
    no packet vlan

c Change the SVS mode from Layer 2 to Layer 3 with control0 interface as the L3 Control interface:

    svs mode l3 interface control0
    exit
    copy run start

d Update the VSM virtual machines' network adapters to use the new vblock_n1k_l3control port-group on vSW0.

i Right click the VSM Virtual Machine and click Edit Settings.

ii Choose Network Adapter 1 and in the right pane, change Network Label from vblock_n1k_control to vblock_n1k_l3control.

iii Choose Network Adapter 3 and in the right pane change Network Label from vblock_n1k_packet to vblock_n1k_l3control.

iv Close the window.

v Repeat these steps for the secondary VSM.


e Restore the VSM-to-vCenter server connection from the VSM CLI:

    svs connection <vCenter>
    connect
    end

Note: After entering the commands, the module is detached and reattached in Layer 3 mode. If this connection delay is more than six seconds, a module flap occurs. This does not affect the data traffic.

f Verify the SVS-Domain configuration:

    show svs domain
    SVS domain config:
      Domain id: 3185
      Control vlan: 1
      Packet vlan: 1
      L2/L3 Control mode: L3
      L3 control interface: control0
      Status: Config push to VC successful.

6 (Optional) Clean up the Layer 2 mode configuration by removing all configuration instances of the Layer 2 packet and control VLANs from the following components:

a Cisco Nexus 1000V VSM: The L2 packet and control VLANs are configured as system VLANs. To remove these from the Cisco Nexus 1000V, create a new Ethernet port-profile identical to the existing one, without the L2 system VLANs. Then migrate each host to the newly created port-profile, which incurs a brief traffic interruption.

b Network switches: Remove instances of the Cisco Nexus 1000V L2 VLANs from the port-channel and interface configuration for AMP and FI links. Then remove the VLANs from the switch.

    interface port-channel <PoC>
    switchport trunk allowed vlan remove <L2 Packet & Control VLAN ID>
    no vlan <L2 Packet & Control VLAN ID>

c Cisco UCS: Remove the L2 packet and control VLANs from the port-channel and VLAN configuration of the Fabric Interconnects under the LAN tab of the Cisco UCS Manager.

d VMware vSwitch: Remove the unused VM port-groups for the L2 packet and control VLANs from vSW0 using the VMware vSphere client.

7 Save all configuration changes on the Cisco Nexus 1000V Switch and network switches by running the following command:

    copy run start


8 Verify VSM-VEM communication by running the following commands from the VSM CLI:

    show module
    show module vem
    show module vem mapping
    show module vem missing

9 Test HA Failover for the VSMs by running the following commands from the primary VSM CLI:

    show system redundancy status
    system switchover

Upgrading the Cisco Nexus 1000V Switch VSM from 2-GB HDD to a 3-GB HDD

About this task

Starting with Release 3.1, the Cisco Nexus 1000V Switch requires a minimum of 3 GB of hard disk drive (HDD) space. When upgrading from a previous release SV2.2.1a to Release SV3.1.2, if you have a 2-GB HDD, you must upgrade to a 3-GB HDD using the procedure below.

Before you begin

• Verify the primary VSM is in Active HA status and the secondary VSM is in standby mode using the command show system redundancy status from the VSM CLI.

• Obtain the ISO image for the release that is being upgraded (4.2(1)SV2(2.1a)).

• Save and back up the current configuration.

Procedure

1 From the VMware vCenter vSphere Client, power off the secondary VSM Virtual Machine.

2 From the virtual machine Edit Settings menu, delete the VM Hard disk 1 from the secondaryVSM. Do not delete the entire Virtual Machine.

3 Create a new 3-GB Thick Provisioned Lazy Zeroed virtual disk on the secondary VSM VM. Leave the default LSI Logic Parallel adapter.

4 Power on the secondary VSM Virtual Machine and open the console.

5 Mount the SV2.2.1a ISO to the secondary VSM Virtual Machine.

Note: You may have to disconnect the vApp ISO first.


6 Reboot the secondary VSM VM using Ctrl+Alt+Delete from the VM Console. Select Install Nexus 1000V and bring up the new image or wait for it to automatically boot after 20 seconds.

7 Disconnect the ISO when the secondary VSM becomes available and asks for the administrative password.

8 Enter the following information in the configuration window:

a Enter the same administrative password as the primary VSM.

b Enter the secondary role for HA.

c Select Yes for secondary VSM to reboot.

d Enter the same Domain ID as the primary VSM.

Note: You can enter the command show svs domain on the primary VSM to verify the domain ID.

9 After the secondary VSM reboots and joins the HA cluster in stand-by mode, verify HA status on the primary VSM by entering the show system redundancy status command.

10 Log on to the secondary VSM from the VM console and enter the command show system internal flash to verify the new partition sizes, as shown in the following illustration:

Note: The number of blocks allocated to the /mnt/cfg/0, /mnt/cfg/1, /mnt/pss, and /bootflash partitions must equal at least 3 GB.

11 Log on to the primary VSM. Verify HA status and confirm the status Redundancy Mode Operational: HA.


12 Enter the command system switchover from the primary VSM to make the secondary Active, which causes the primary VSM to reboot. Wait for Redundancy mode to show HA and verify the output of the show system redundancy status command.

13 Make sure the Primary VSM is in Stand-by mode. Then power off the primary VSM VM.

14 From the VM Edit Settings menu, uncheck Connect at power on for management and control network adapters.

15 Repeat Steps 2 through 7 for the primary VSM and enter the following information in the configuration window:

a Enter the same administrative password as previously configured.

b Enter Primary role for HA.

c Enter the same Domain ID as previously configured.

d Enter No for entering the configuration dialog.

16 Power off the primary VSM VM. From the VM Edit Settings menu, check Connect at power on for management and control network adapters.

17 Power on the primary VSM VM and verify that it boots up as the standby HA.

18 Log on to the primary VSM from the VM console and enter the command show system internal flash to verify the new partition sizes.

Note: The number of blocks allocated to the /mnt/cfg/0, /mnt/cfg/1, /mnt/pss, and /bootflash partitions must equal at least 3 GB.

19 Log on to the primary VSM and verify that the HA status is Redundancy Mode Operational = HA.

20 Enter the system switchover command from the secondary VSM to make the primary Active. Wait for Redundancy mode to show HA and verify the show system redundancy status command output once the secondary VSM boots up.

21 Make sure Primary is Active and Secondary is in Stand-by HA mode. The VSMs are now ready for an in-service software upgrade to Release 3.1, once all other remaining prerequisite tasks have been successfully completed.

Prerequisite tasks

• Review the Cisco Nexus 1000V release notes and complete any required actions.

• Schedule the upgrade when your network is stable and steady.

• Calculate the upgrade time.


• Schedule adequate downtime for system maintenance.

• Avoid power interruptions to the hosts that run the VSM and VSUM VMs during any installation procedure.

• Confirm that all components are in a ready state with no alarms.

• Save all changes in the running configuration to the startup configuration. Save a backup copy of the VSM running configuration in the external storage.

• Do not change the switch configuration during the upgrade.


Estimating the upgrade time

This task allows you to estimate the amount of time you need to perform the upgrade.

Plan your upgrade using the minimum time that it takes to upgrade the software on each component. The minimum time estimates do not include the time for preparation, configuration, VM migration, backup, and download.

Use the following table to calculate the total time to upgrade each component. Record the total upgrade time in the Total time column:

| Order | Component | Software and firmware upgrade time | Total time |
|---|---|---|---|
| 1. | Cisco VSUM (new installation) | 30 minutes | |
| 2. | Cisco Nexus 1000V Switch (VSM + VEM using VSUM) or Cisco Nexus 1000V Switch (manual installation using CLI) | 30 minutes or 1 hour | |


Installing Cisco Virtual Switch Update Manager

To install the Cisco VSUM on Vblock Systems use the following procedure.

Note: If the Cisco Nexus 1000V switch does not meet the hardware CPU requirements listed in the System Requirements topic of the Installing Cisco Virtual Switch Update Manager section in the Cisco Virtual Switch Update Manager Getting Started Guide for Cisco Nexus 1000V, you can use the CLI to upgrade the Cisco Nexus 1000V switch without the VSUM.

Before you begin

• Download the latest Cisco Virtual Switch Update Manager installation package. Consult the appropriate VCE Vblock System Release Certification Matrix for the VSUM release.

• Record the IP address, subnet mask, gateway and system name for the Cisco VSUM virtual machine. This IP address will reside on the same VLAN/subnet as the Cisco Nexus 1000V VSMs (Vblock VMware ESXi Management network).

• Record the VMware ESXi host on which the VSUM will be installed. This will be a Vblock System AMP host and is also where the VSMs reside.

• Record the Vblock VMware vCenter server (production) IP address and login credentials. The VSUM must be registered to this VMware vCenter server. (The virtual machine must be installed on the AMP vCenter/vCSA.)

• Read the Cisco Virtual Switch Update Manager release notes and the applicable VCE Vblock System release certification matrices for the Cisco Nexus 1000V Switch on your Vblock System.

Procedure

Install the Cisco VSUM on the Vblock AMP VMware ESXi server using the Cisco Virtual Switch Update Manager Getting Started Guide for Cisco Nexus 1000V.

Note: Use the production Vblock VMware vCenter server information during the VSUM installation for proper registration.

What to do next

Proceed to the next section to upgrade the Cisco Nexus 1000V Switch.


Upgrading the Cisco Nexus 1000V Switch

To upgrade the Cisco Nexus 1000V Switch, use the following procedure.

Before you begin

• Determine whether to use the VSUM or manual upgrade method of the Cisco Nexus 1000V Switch, based on the system requirements of the Cisco Nexus 1000V Switch.

• Read the applicable Vblock System release certification matrices and release notes.

Note: To support the new Cisco Nexus 1000V Release 3.1 software scalability limits, increase the number of vCPUs to 2 and memory to 4GB on the VSM per your system hardware resource availability. See the topic "Reserving the Memory and CPU on the Virtual Supervisor Module Virtual Machine" in the Cisco Nexus 1000V Installation and Upgrade Guide.

Procedure

Upgrade the Cisco Nexus 1000V Switch VSMs on the AMP or AMP-2 and the VEMs on the Vblock System, using one of the following methods:

Cisco VSUM: See the Cisco Virtual Switch Update Manager Getting Started Guide for Cisco Nexus 1000V

Manually (CLI): See the Cisco Nexus 1000V Installation and Upgrade Guide


Setting security configuration options

Layer 3 security and port security are included in VCE Vblock System security configuration best practices for the Cisco Nexus 1000V Switch starting from release 3.1. Upon completion of the switch upgrade, you must enable Layer 3 security and port security on the Cisco Nexus 1000V Switch. See the following sections for information.


Enabling Layer 3 security

Layer 3 Security (L3Sec) is a framework that secures the internal control plane communications (control and packet traffic) between Cisco Nexus 1000V VSM and VEM modules in a more robust way than in previous releases.

Note: L3Sec operates only in Layer 3 control mode. It is enabled by default on new Cisco Nexus 1000V release 3.1 installations. For switches that are upgraded to this release, the L3 setting prior to the upgrade is carried over, so this setting is disabled by default.

Before you begin

• Verify that VSM is configured in L3 control mode.

• Log in to the VSM CLI via SSH and enter EXEC mode.

Procedure

1 switch# configure terminal

2 switch(config)# show system vem feature level

3 To review the available feature levels, enter the following command:

switch(config)# system update vem feature level

4 Select the feature level to match the current version of the VEM. Usually level 3 and up is for 3.1.

switch(config)# system update vem feature level <level>

5 switch(config)# svs-domain

6 switch(config-svs-domain)# enable l3sec

7 Type yes when you see the following message:

Enabling L3sec enables stronger security for VSM-VEM communication. But all VEMs will be disconnected and connect back. Do you really want to proceed (yes/no)? [no] yes

8 switch(config-svs-domain)# show running-config

9 switch(config-svs-domain)# copy run start
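
A pre-check for the "Before you begin" requirement above (VSM in L3 control mode), written as an added Python example that is not part of the VCE guide or any Cisco tooling. It parses the show svs domain output shown in step 5f of the Layer 3 conversion; the function names, the Layer 2 sample and its "NA" interface value are assumptions made for illustration.

```python
"""Pre-check before `enable l3sec`: parse `show svs domain` output from a VSM."""

# Constructed sample: the output shown in step 5f of the Layer 3 conversion.
SAMPLE_L3 = """\
SVS domain config:
  Domain id:    3185
  Control vlan: 1
  Packet vlan:  1
  L2/L3 Control mode: L3
  L3 control interface: control0
  Status: Config push to VC successful.
"""

# Constructed sample: a VSM that has not been converted yet. VLANs 111-112 are
# the Layer 2 control and packet VLANs named in this guide; the "NA" interface
# value and the unchanged field layout are assumptions.
SAMPLE_L2 = """\
SVS domain config:
  Domain id:    3185
  Control vlan: 111
  Packet vlan:  112
  L2/L3 Control mode: L2
  L3 control interface: NA
  Status: Config push to VC successful.
"""


def parse_svs_domain(text):
    """Return {lower-cased field name: value} for each 'name: value' line."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("svs domain config"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def l3sec_blockers(text, expected_interface="control0"):
    """List the reasons L3Sec should not be enabled yet (empty list = ready)."""
    fields = parse_svs_domain(text)
    blockers = []

    mode = fields.get("l2/l3 control mode")
    if mode is None:
        blockers.append("control mode not found in output")
    elif mode.upper() != "L3":
        blockers.append(
            f"control mode is {mode}; L3Sec operates only in Layer 3 control mode")

    iface = fields.get("l3 control interface", "")
    if iface.lower() != expected_interface.lower():
        blockers.append(
            f"L3 control interface is {iface or 'unset'}, expected {expected_interface}")

    # A failed push to vCenter means the SVS domain change did not fully apply.
    status = fields.get("status", "")
    if "successful" not in status.lower():
        blockers.append(
            f"config push to vCenter not confirmed: {status or 'no status line'}")
    return blockers


if __name__ == "__main__":
    for name, sample in (("converted VSM", SAMPLE_L3), ("Layer 2 VSM", SAMPLE_L2)):
        blockers = l3sec_blockers(sample)
        print(f"{name}: {'ready for enable l3sec' if not blockers else blockers}")
```
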


Enabling port security

Port security allows you to configure Layer 2 interfaces that permit inbound traffic from a restricted, secured set of MAC addresses.

About this task

Traffic from secured MAC addresses is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configured per interface. Beginning with Cisco Nexus 1000V release 3.1, the maximum number of secure MAC addresses per port is limited to 10, and the MAC move detection and violation feature is local to VEM.

The following table lists the default settings for port security:

| Parameters | Default |
|---|---|
| Interface | Disabled |
| MAC address learning method | Dynamic |
| Interface maximum number of secure MAC addresses | 1 |
| Security violation action | Shutdown |

The VCE configuration option for port security uses the default dynamic MAC address learning method and a security violation action of Restrict. These settings drop ingress traffic from non-secure MAC addresses once the maximum is reached and cause the security violation counter to increment.

Enable port security on the Layer 2 virtual Ethernet interfaces of the VEM according to customer requirements using the following guidelines.

Procedure

1 Log in to the VSM CLI via SSH and enter EXEC mode.

2 switch# configure terminal

3 switch(config)# interface <type> <number>

4 switch(config-if)# switchport port-security

5 switch(config-if)# switchport port-security maximum <number> vlan <vlan-id>

6 switch(config-if)# switchport port-security violation restrict

7 switch(config-if)# show port-security interface <type> <number>

8 switch(config-if)# show port-security address interface <type> <number>

9 switch(config-if)# copy run start


10 Enable the following optional settings:

— switch(config-if)# interface <type> <number>

— switch(config-if)# switchport port-security aging time <minutes>

— switch(config-if)# switchport port-security aging type {absolute|inactivity}

— switch(config-if)# switchport port-security mac-address sticky

— switch(config-if)# switchport port-security mac-address <address>

— switch(config-if)# no switchport port-security
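
An added Python example, not part of the VCE guide or any Cisco tooling, that audits Vethernet interface blocks from a saved running configuration against the settings described in this section: port security enabled, violation action restrict, at most 10 secure MAC addresses, dynamic learning. The sample configuration, its interface and port-profile names, and the function names are constructed for illustration.

```python
"""Audit Vethernet port-security settings against the values in this guide."""
import re

MAX_SECURE_MACS = 10              # per-port limit from release 3.1 (this guide)
BASELINE_VIOLATION = "restrict"   # VCE configuration option
DEFAULT_VIOLATION = "shutdown"    # default when no violation line is present
DEFAULT_MAXIMUM = 1               # default when no maximum line is present

# Constructed sample of a saved running configuration.
SAMPLE_CONFIG = """\
interface mgmt0
  ip address 192.0.2.10/24
interface Vethernet1
  inherit port-profile type vethernet VM_DATA
  switchport port-security
  switchport port-security maximum 5
  switchport port-security violation restrict
interface Vethernet2
  switchport port-security
  switchport port-security maximum 12
interface Vethernet3
  switchport access vlan 116
interface Vethernet4
  switchport port-security
  switchport port-security maximum 3 vlan 116
  switchport port-security violation restrict
  switchport port-security mac-address sticky
"""


def split_vethernet_blocks(config):
    """Return {interface name: [stripped config lines]} for Vethernet blocks."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level line opens a new block
            m = re.match(r"interface\s+(vethernet\s*\d+)", raw, re.IGNORECASE)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(raw.strip())
    return blocks


def audit_interface(lines):
    """Return the list of deviations for one interface (empty = compliant)."""
    enabled, violation, maxima, learning = False, DEFAULT_VIOLATION, [], "dynamic"
    for line in lines:
        words = line.lower().split()
        if words[:2] != ["switchport", "port-security"]:
            continue
        args = words[2:]
        if not args:
            enabled = True
        elif args[0] == "violation" and len(args) > 1:
            violation = args[1]
        elif args[0] == "maximum" and len(args) > 1 and args[1].isdigit():
            maxima.append(int(args[1]))   # interface-wide or per-VLAN value
        elif args[0] == "mac-address" and len(args) > 1:
            if args[1] == "sticky":
                learning = "sticky"
            elif learning != "sticky":
                learning = "static"

    if not enabled:
        return ["port security not enabled (interface default is Disabled)"]
    findings = []
    if violation != BASELINE_VIOLATION:
        findings.append(f"violation action is {violation}, expected {BASELINE_VIOLATION}")
    limit = max(maxima, default=DEFAULT_MAXIMUM)
    if limit > MAX_SECURE_MACS:
        findings.append(f"maximum {limit} exceeds the {MAX_SECURE_MACS}-address limit")
    if learning != "dynamic":
        findings.append(f"MAC learning is {learning}, VCE option uses dynamic")
    return findings


def audit_config(config):
    """Return {interface name: findings} for every Vethernet interface."""
    return {name: audit_interface(lines)
            for name, lines in split_vethernet_blocks(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```
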


Additional references

For more information about the Cisco Nexus 1000V, see the following documents:

• Cisco Nexus 1000V Install and Upgrade Guides

• Cisco Nexus 1000V Security Configuration Guide

• Cisco Nexus 1000V Release Notes

To download Cisco Nexus 1000V software, see the Cisco Software Download Center.


About VCE

VCE, an EMC Federation Company, is the world market leader in converged infrastructure and converged solutions. VCE accelerates the adoption of converged infrastructure and cloud-based computing models that reduce IT costs while improving time to market. VCE delivers the industry's only fully integrated and virtualized cloud infrastructure systems, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure. VCE solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure.

For more information, go to http://www.vce.com.

Copyright 2015 VCE Company, LLC. All rights reserved. VCE, VCE Vision, VCE Vscale, Vblock, VxBlock, VxRack, and the VCE logo are registered trademarks or trademarks of VCE Company LLC. All other trademarks used herein are the property of their respective owners.
