DCNM - Data Center Network Management
Configuration Rollback-
This feature enables you to take a snapshot or checkpoint of the current
running configuration and re-apply it at any point without the need to
reload.
3 types of configuration rollback:
Atomic - Implement only if there are no errors
Best-Effort - Implement the rollback and skip any errors
Stop-at-first-failure - Implement the rollback and stop at the first error
Limitations-
10 snapshots per VDC
You cannot apply a snapshot made in one VDC to the configuration of another VDC
You cannot apply a snapshot in a non-default VDC if there is a change to the global configuration
Filename 75 characters or less
You cannot start the file name with AUTO or SUMMARY
A write erase and reload destroys the snapshot
To change which VDC you are in
#switchto vdc <name>
To create a snapshot
#checkpoint <snapshot-filename>
To rollback to a checkpoint
#rollback running-config checkpoint <snapshot-filename>
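To make the three rollback types concrete, here is a small simulation (an added example, not NX-OS code) of how each mode reacts when one line of a checkpoint fails to apply; the toy Device class, the checkpoint lines and the failing line are all constructed for illustration.

```python
"""Simulate the three NX-OS configuration-rollback types (added example, not Cisco code)."""
from dataclasses import dataclass, field

ATOMIC = "atomic"
BEST_EFFORT = "best-effort"
STOP_AT_FIRST_FAILURE = "stop-at-first-failure"


class ApplyError(Exception):
    """Raised by the toy device when a config line cannot be applied."""


@dataclass
class Device:
    """Toy switch: the running config is a list of lines; 'failing' lines always reject."""
    running_config: list = field(default_factory=list)
    failing: set = field(default_factory=set)

    def apply(self, line):
        if line in self.failing:
            raise ApplyError(f"failed to apply: {line}")
        self.running_config.append(line)


def rollback(device, checkpoint, mode):
    """Replace the running config with the checkpoint under the given rollback type.

    Returns (lines_applied, errors). ATOMIC leaves the device untouched on any error,
    BEST_EFFORT skips failing lines, STOP_AT_FIRST_FAILURE keeps what was applied so far.
    """
    saved = list(device.running_config)   # the config as it was before the rollback
    device.running_config = []            # a rollback re-applies the whole checkpoint
    applied, errors = [], []
    for line in checkpoint:
        try:
            device.apply(line)
            applied.append(line)
        except ApplyError as exc:
            errors.append(str(exc))
            if mode == ATOMIC:
                device.running_config = saved  # no partial change: restore the old config
                return [], errors
            if mode == STOP_AT_FIRST_FAILURE:
                return applied, errors         # keep the partial result and stop here
            # BEST_EFFORT: record the error and keep going
    return applied, errors


# Constructed checkpoint; 'interface vlan 10' is made to fail (e.g. the feature is missing).
CHECKPOINT = ["vlan 10", "interface vlan 10", "ip address 10.0.0.1/24", "no shutdown"]


def demo(mode):
    """Roll CHECKPOINT onto a fresh device and return (lines applied, resulting running config)."""
    dev = Device(running_config=["hostname sw1"], failing={"interface vlan 10"})
    applied, _errors = rollback(dev, CHECKPOINT, mode)
    return applied, dev.running_config


if __name__ == "__main__":
    for mode in (ATOMIC, BEST_EFFORT, STOP_AT_FIRST_FAILURE):
        print(mode, demo(mode))
```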
If you do not have dual supervisors in the N7k, you can't use ISSU.
VDCs can't be shut down and restarted.
Steps needed to create a VDC and assign resources to it:
Note: VDC(s) are always created from the default admin VDC context (VDC 1)
#vdc <name of VDC>
Allocate interfaces to a VDC
#vdc <name>
#allocate interface ethernet1/17
#show vdc membership
Connectivity Management Processor-
Supports remote management and troubleshooting of the complete system.
This provides complete out-of-band management that is completely independent of the primary OS. It has its own processor, memory and bootflash, and even a separate Ethernet management port.
#attach cmp
Saturday, December 11, 2010
Friday, December 10, 2010
FCoE (Fibre Channel over Ethernet)
Fibre Channel Layers
5 layers, 0 - 4 (FC0 - FC4)
Layer 0 - FC0 Physical Interface
Layer 1 - FC1 Encoding
Layer 2 - FC2 Framing & Flow Control
Layer 3 - FC3 Common Services
Layer 4 - FC4 Protocol Mapping Layer
FCoE (Fibre Channel over Ethernet)
System MTU 2240 (default)
Frame size (2112 bytes) Baby Jumbo
FCoE EtherType value, 16 bits: 0x8906
____________________
Data Center Enhanced Ethernet
i) Priority Flow Control
Nexus Notes
The Nexus 7000 switch supports 4096 VLANs per Virtual Device Context (VDC) for a system total of ~16k VLANs. Some of these VLANs are used by system-level functions and are not user-configurable.
Bridge Assurance is a new feature that can eliminate issues caused by a malfunctioning bridge. With Bridge Assurance, all ports send and receive BPDUs on all VLANs regardless of their state.
This creates a bidirectional keepalive using BPDUs, and if a bridge stops receiving BPDUs, these ports are placed into an inconsistent state. This functionality can prevent loops that can be introduced as a result of a malfunctioning bridge. Bridge Assurance is enabled by default on any port that is configured with a spanning-tree port type of network, but can be disabled globally with the following command:
(config)# no spanning-tree bridge assurance
To enable Bridge Assurance by setting the spanning-tree port type, enter the following commands:
(config)# int port-channel 1
(config-if)# spanning-tree port type network
An interesting side effect of Bridge Assurance is an automatic pruning function.
In the topology, if a VLAN is defined on but not on , Bridge Assurance puts that VLAN into a blocking state because it is not receiving BPDUs for that VLAN.
(config)# port-profile COMMUNITY1
(config-ppm)# switchport
(config-ppm)# switchport mode access
(config-ppm)# switchport private-vlan host-association 100 102
(config-ppm)# spanning-tree port type edge
(config-ppm)# spanning-tree bpdufilter enable
(config-ppm)# spanning-tree bpduguard enable
(config-ppm)# no shutdown
(config-ppm)# state enabled
(config)# interface ethernet 2/28
(config-if)# inherit port-profile COMMUNITY1
The vPC peer-keepalive link can be either 1 Gbps or 10 Gbps.
vPC peer link: Used to exchange state information between the vPC peers; it also provides additional mechanisms that can detect and prevent split-brain scenarios.
Note: The mgmt0 interface can be used as the vPC peer-keepalive link but should be avoided if at all possible.
On the Nexus 7000, mgmt0 is actually a logical interface representing the physical management port of the active supervisor. During processes such as a supervisor switchover on hardware failure or an In-Service Software Upgrade (ISSU), the physical link supporting the mgmt0 interface might change, causing a disruption of the keepalive messages. By using normal switch interfaces, additional levels of redundancy in the port-channels can be used.
If the mgmt0 interface is used as the peer-keepalive link, it is critical to ensure that all physical management ports are connected to an external device, such as a management switch.
Create a VRF for the vPC peer-keepalive link and put the keepalive interface in it (one peer uses Ethernet 2/47 with 1.1.1.1, the other Ethernet 2/48 with 1.1.1.2):
Peer 1:
(config)# vrf context vpc-keepalive
(config)# interface ethernet 2/47
(config-if)# no switchport
(config-if)# vrf member vpc-keepalive
(config-if)# ip address 1.1.1.1 255.255.255.252
(config)# vpc domain 1
(config-vpc-domain)# peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf vpc-keepalive
Peer 2:
(config)# vrf context vpc-keepalive
(config)# interface ethernet 2/48
(config-if)# no switchport
(config-if)# vrf member vpc-keepalive
(config-if)# ip address 1.1.1.2 255.255.255.252
(config)# vpc domain 1
(config-vpc-domain)# peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf vpc-keepalive
Configure the vPC peer link (on both peers):
(config)# interface port-channel 100
(config-if)# switchport mode trunk
(config-if)# vpc peer-link
Please note that the spanning tree port type is changed to the "network" port type on the vPC peer-link. This enables spanning tree Bridge Assurance on the vPC peer-link, provided STP Bridge Assurance (which is enabled by default) has not been disabled.
Configure a vPC member port (on both peers):
(config)# interface ethernet 2/1
(config-if)# channel-group 1 mode active
(config)# interface port-channel 1
(config-if)# switchport
(config-if)# switchport mode trunk
(config-if)# vpc 1
VPC Peer-Gateway
This feature is designed to enable certain storage devices, application servers or load balancers to implement fast-path functionality.
Fast-path causes those nodes to send return traffic to the specific MAC address of the sender rather than to the HSRP address.
By default, this traffic might be dropped, because vPC loop avoidance does not allow traffic received on a vPC peer-link to be forwarded out a vPC interface.
vPC Peer-Gateway enables a vPC peer device to forward packets destined for its peer's router MAC locally. To enable the peer-gateway, enter the following command:
(config-vpc-domain)# peer-gateway
(config)# power redundancy-mode ?
combined Configure power supply redundancy mode as combined
insrc-redundant Configure power supply redundancy mode as grid/AC input source redundant
vPC Concepts
The following list defines critical vPC concepts:
vPC: vPC refers to the combined PortChannel between the vPC peer devices and the downstream device.
vPC peer switch: The vPC peer switch is one of a pair of switches that are connected to the special PortChannel known as the vPC peer link. One device will be selected as the primary device, and the other will be the secondary device.
vPC peer link: The vPC peer link is the link used to synchronize states between the vPC peer devices. The vPC peer link carries control traffic between two vPC switches and also multicast, broadcast data traffic. In some link failure scenarios, it also carries unicast traffic. You should have at least two 10 Gigabit Ethernet interfaces for peer links.
vPC domain: This domain includes both vPC peer devices, the vPC peer keepalive link, and all the PortChannels in the vPC connected to the downstream devices. It is also associated with the configuration mode that you must use to assign vPC global parameters.
vPC peer keepalive link: The peer keepalive link monitors the vitality of a vPC peer switch. The peer keepalive link sends periodic keepalive messages between vPC peer devices. The vPC peer keepalive link can be a management interface or switched virtual interface (SVI). No data or synchronization traffic moves over the vPC peer keepalive link; the only traffic on this link is a message that indicates that the originating switch is operating and running vPC.
vPC member port: vPC member ports are interfaces that belong to the vPCs.
Sunday, December 5, 2010
Misc Stuff
debug inter fa 0/0 ==> Conditional debugging: this restricts debug output to just this interface
debug eigrp packet ==> This is the debug you want to see together with the command above!
** undebug all
** undebug inter fa 0/0
debug ip error ==> This will tell you all the errors you are getting on anything.
Example: BGP peering, if the neighbors won't peer it will tell you it's a hop count issue!
show ip traffic
*Feb 26 15:10:42.235: %OSPF-4-FLOOD_WAR: Process 1 re-originates LSA ID 141.34.25.0 type-3 adv-rtr 141.34.200.1 in area 0
This happens if there are 2 routers with the same router ID!!
______________________
UDLD, like Loop Guard, is used to prevent loops due to unidirectional links. The difference between the features is that Loop Guard uses STP BPDUs to detect these failures, while UDLD uses its own keepalive. UDLD is a Cisco proprietary feature in which peers discover each other by exchanging frames sent to the well-known MAC address 01:00:0C:CC:CC:CC.
In "Normal" mode, if the physical state of the port (as reported by Layer 1) is still up, UDLD marks the port as "Undetermined" but does NOT shut down or disable it, and it continues to operate under its current STP status. This mode of operation is informational and potentially less disruptive (though it does not prevent STP loops).
If UDLD is set to "Aggressive" mode, once the switch loses its neighbor it actively tries to re-establish the relationship by sending UDLD frames 8 times, 1 second apart. If the neighbor does not respond after that, the port is considered unidirectional and is put into the err-disable state.
______________________
Wildcard mask 0.0.254.255 leaves only the lowest bit of the third octet significant, so 1.1.1.0 matches the odd third octets and 1.1.0.0 matches the even ones:
access-list 1 permit 1.1.1.0 0.0.254.255
R 1.1.1.0 [120/1] via 10.1.1.1, 00:00:03, FastEthernet0/0
R 1.1.3.0 [120/1] via 10.1.1.1, 00:00:03, FastEthernet0/0
R 1.1.5.0 [120/1] via 10.1.1.1, 00:00:03, FastEthernet0/0
access-list 1 permit 1.1.0.0 0.0.254.255
R 1.1.2.0 [120/1] via 10.1.1.1, 00:00:00, FastEthernet0/0
R 1.1.4.0 [120/1] via 10.1.1.1, 00:00:00, FastEthernet0/0
R 1.1.6.0 [120/1] via 10.1.1.1, 00:00:00, FastEthernet0/0
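The odd/even split above comes from how a wildcard mask is applied; the following evaluator (an added example, not IOS code) implements standard-ACL wildcard matching, including the implicit deny at the end, and runs the two access-lists over six constructed RIP prefixes to reproduce the result.

```python
"""Standard access-list wildcard matching (added example, not Cisco code).

In a wildcard mask a 1 bit means "don't care" and a 0 bit means "must match".
"""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under the wildcard mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny BASE [WILDCARD]' into (action, base, wildcard)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line}")
        action, base = parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # no mask given: host match
        entries.append((action, base, wildcard))
    return entries


def filter_prefixes(acl_lines, prefixes):
    """Return the prefixes the ACL permits; first matching entry wins, unmatched is denied."""
    entries = parse_acl(acl_lines)
    permitted = []
    for prefix in prefixes:
        for action, base, wildcard in entries:
            if wildcard_match(prefix, base, wildcard):
                if action == "permit":
                    permitted.append(prefix)
                break                                  # first match decides
    return permitted


# Constructed prefixes standing in for the RIP routes 1.1.1.0 .. 1.1.6.0 above.
RIP_ROUTES = [f"1.1.{i}.0" for i in range(1, 7)]

if __name__ == "__main__":
    print(filter_prefixes(["access-list 1 permit 1.1.1.0 0.0.254.255"], RIP_ROUTES))
    print(filter_prefixes(["access-list 1 permit 1.1.0.0 0.0.254.255"], RIP_ROUTES))
```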
______________________
You must have AAA new-model turned on for this option to be available.
R1(config)#radius-server local
R1(config-radsrv)#?
Local RADIUS server configuration commands:
authentication supported authentication
eapfast EAP-FAST configurations
exit Exit from local radius server sub mode
group Configure client groups
nas Configure allowed Network Access Servers
no Negate a command or set its defaults
user Configure client usernames and passwords
R1(config-radsrv)#
You can configure a router as a "RADIUS-SERVER" and not just point it to one! It seems like a great way to test if your radius configuration is working without having a real radius server to point to!
______________________
- BPDU Guard
  > Used to enforce access layer security: when an erroneous BPDU is received on an access interface, the interface is transitioned to shutdown and the err-disable state.
  > Err-disable recovery can be configured to bring the interface out of the err-disable state automatically after a configured interval.
  > The err-disable state can be seen with "sh interface status".
  > Configured globally with "spanning-tree portfast bpduguard default"
  > Interface configuration: "spanning-tree bpduguard enable"
- BPDU Filter
  > Drops all inbound BPDUs and does not send BPDUs out of the interface.
  > Unlike BPDU Guard, the interface does not go into the err-disable state when a violation occurs.
  > Other user traffic will still be forwarded.
  > If BPDU filter default is enabled with portfast, all interfaces will run in portfast mode except those which are receiving BPDUs.
  > Configured globally with "spanning-tree portfast bpdufilter default"
  > Interface configuration: "spanning-tree bpdufilter enable"
- Root Guard
  > Similar to BPDU Guard, but a root guard interface is only disabled if a superior BPDU is received, placing the interface into ROOT_INCONSISTENT_STATE.
  > It should be enabled on a downstream interface, which should never become a root port.
  > A superior BPDU indicates a better cost to the root bridge than what is currently installed.
  > Interface configuration: "spanning-tree guard root"
- Loop Guard
  > Used to prevent STP loops from occurring due to a unidirectional link.
  > Similar to UDLD, but instead uses BPDU keepalives to detect unidirectional traffic.
  > If a blocked port transitions to the forwarding state erroneously, a loop can occur.
  > Blocked ports will be transitioned into LOOP_INCONSISTENT_STATE to avoid loops.
  > Interface configuration: "spanning-tree guard loop"
PPPoE (Point-to-Point Protocol over Ethernet)
PPPoE client:
username R2 password pppoe-lab
int f0/0
pppoe-client dial-pool-number 1
int dialer 1
dialer-group 1
dialer pool 1
encapsulation ppp
ppp authentication chap
ip address dhcp
__________________________
PPPoE server:
username R1 password pppoe-lab
ip dhcp pool R1
network 192.168.1.0 /24
exit
interface virtual-template 1
ip address 192.168.1.2 255.255.255.0
encap ppp
ppp authentication chap
exit
bba-group pppoe global
virtual-template 1
int f0/0
pppoe enable group global
PPP Host Routes
The output of the show ip route command might differ between PPP and HDLC encapsulations when IP unnumbered configuration is used on serial interfaces. PPP installs a host route to the IP address that is used on the serial interface at the other end as a directly connected network. If the same prefix is also learned through OSPF as in this configuration, it displays only as a connected route. This is because connected routes have a lower administrative distance than OSPF and are more preferred. You can change this behavior when you issue the "no peer neighbor-route" command under the serial interfaces which prevents a host route from being installed and treats it as an OSPF route.
This is not the case with HDLC because it does not install a host route. HDLC installs an OSPF route for the address on the other end when IP unnumbered is used.
Frame-Relay Traffic Shaping & Compression
Frame-Relay Traffic Shaping
interface ser 0/0/0
frame-relay traffic-shaping
frame-relay class "name"
frame-relay interface-dlci xxx
class "name"
map-class frame-relay "name"
frame-relay cir 64000
frame-relay mincir 32000
policy-map "name"
shape average "cir" "bc" "be"
shape adaptive "mincir"
map-class frame-relay "name"
service-policy output "name"
frame-relay interface-dlci xxx
class "name"
Frame-Relay Fragmentation
interface ser 0/0/0
frame-relay fragment "fragment size" end-to-end
Frame-Relay DE
frame-relay de-list 1 protocol ip gt 1500
frame-relay de-list 1 protocol ip tcp "port 80"
interface ser 0/0/0
frame-relay de-group 1 "dlci"
Frame-Relay Compression
R1(config)#int S0/0.12
R1(config-subif)#frame-relay payload-compression packet-by-packet
R1(config-subif)#int S0/0.13
R1(config-subif)#frame-relay map ip 10.1.13.3 103 cisco payload-compression packet-by-packet
R1(config-subif)#int S0/0.12
R1(config-subif)#frame-relay payload-compression frf9 stac
R1(config-subif)#int S0/0.13
R1(config-subif)#frame-relay map ip 10.1.13.3 103 ietf payload-compression frf9 stac
Frame-Relay Header Compression
R1(config)#int S0/0.12
R1(config-subif)#frame-relay ip tcp header-compression
R1(config-subif)#int S0/0.13
R1(config-subif)#frame-relay map ip 10.1.13.3 103 cisco tcp header-compression active
R2(config)#int S0/0.21
R2(config-subif)#frame-relay ip tcp header-compression passive
R3(config)#int S0/0
R3(config-if)#frame-relay map ip 10.1.13.1 301 cisco tcp header-compression passive
POS - Packet over SONET
Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH)
OC - Optical Carrier
SONET offers an additional basic unit of transmission, the STS-1 (Synchronous Transport Signal 1) or OC-1, operating at 51.84 Mbit/s—exactly one third of an STM-1/STS-3c/OC-3c carrier.
So 3 STS-1 circuits = 155 Mbit/s.