Cisco Nexus 5000 Series Switch CLI Software Configuration Guide First Published: 07/17/2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS New and Changed Information for the Cisco Nexus 5000 Series 41 Preface xliii Audience xliii Document Organization xliii Document Conventions xliv Related Documentation xlv Obtaining Documentation and Submitting a Service Request xlvi Overview 1 Information About Cisco Nexus 5000 Series Switches 1 New Technologies in the Cisco Nexus 5000 Series 1 Fibre Channel over Ethernet 1 Data Center I/O Consolidation 2 Virtual Interfaces 3 Cisco Nexus 5000 Series Switch Hardware 4 Chassis 4 Expansion Modules 4
Call Home 6 Online Diagnostics 7 Switch Management 7 Simple Network Management Protocol 7 Role-Based Access Control 7 Configuration Methods 7 Configuring with CLI, XML Management Interface, or SNMP 7 Configuring with Cisco Data Center Network Manager 7 Configuring with Cisco MDS Fabric Manager 7 Network Security Features 8 Virtual Device Contexts 8 Licensing 8 Typical Deployment Topologies 8 Ethernet TOR Switch Topology 8 Fabric Extender Deployment Topology 10 Data Center I/O Consolidation Topolog
User-Defined Persistent CLI Variables 25 Using Command Aliases 26 Defining Command Aliases 26 Command Scripts 26 Executing Commands Specified in a Script 26 Using CLI Variables in Scripts 27 Setting the Delay Time 28 Initial Switch Configuration 29 Configuring the Switch 29 Image Files on the Switch 29 Starting the Switch 29 Boot Sequence 30 Console Settings 31 Upgrading the Switch Software 31 Downgrading from a Higher Release 33 Initial Configuration 35 Configuration Prerequisites 35 Initial Setu
Discarding NTP Configuration Changes 46 Releasing Fabric Session Lock 46 Database Merge Guidelines 46 NTP Session Status Verification 46 Management Interface Configuration 47 About the mgmt0 Interface 47 Configuring the Management Interface 47 Displaying Management Interface Configuration 48 Shutting Down the Management Interface 48 Managing the Switch Configuration 48 Displaying the Switch Configuration 48 Saving a Configuration 49 Clearing a Configuration 49 Using Switch File Systems 49 Setting
Uninstalling Licenses 58 Updating Licenses 59 Grace Period Alerts 60 License Transfers Between Switches 61 Verifying the License Configuration 61 LAN Switching 63 Configuring Ethernet Interfaces 65 Information About Ethernet Interfaces 65 About the Interface Command 65 About the Unidirectional Link Detection Parameter 66 UDLD Overview 66 Default UDLD Configuration 67 UDLD Aggressive and Nonaggressive Modes 67 About Interface Speed 68 About the Cisco Discovery Protocol 68 Default CDP Configuration
Configuring a VLAN 82 Creating and Deleting a VLAN 82 Entering the VLAN Submode and Configuring the VLAN 83 Adding Ports to a VLAN 84 Verifying VLAN Configuration 84 Configuring Private VLANs 87 Information About Private VLANs 87 Primary and Secondary VLANs in Private VLANs 88 Private VLAN Ports 88 Primary, Isolated, and Community Private VLANs 89 Associating Primary and Secondary VLANs 90 Private VLAN Promiscuous Trunks 91 Private VLAN Isolated Trunks 91 Broadcast Traffic in Private VLANs 92 Priv
Configuring Access and Trunk Interfaces 105 Configuring a LAN Interface as an Ethernet Access Port 105 Configuring Access Host Ports 105 Configuring Trunk Ports 106 Configuring the Native VLAN for 802.1Q Trunking Ports 107 Configuring the Allowed VLANs for Trunking Ports 107 Configuring Native 802.
Cisco Nexus 5000 Series Switch vPC Topology 126 Single Homed Fabric Extender vPC Topology 126 Dual Homed Fabric Extender vPC Topology 127 vPC Domain 128 Peer-Keepalive Link and Messages 128 Compatibility Parameters for vPC Peer Links 129 Configuration Parameters That Must Be Identical 129 Configuration Parameters That Should Be Identical 130 vPC Peer Links 131 vPC Peer Link Overview 131 Manually Configured vPC Features 132 vPC Number 133 vPC Interactions with Other Features 133 vPC and LACP 133 vP
Information About Rapid PVST+ 149 Understanding STP 150 STP Overview 150 Understanding How a Topology is Created 150 Understanding the Bridge ID 150 Bridge Priority Value 151 Extended System ID 151 STP MAC Address Allocation 151 Understanding BPDUs 152 Election of the Root Bridge 153 Creating the Spanning Tree Topology 153 Understanding Rapid PVST+ 154 Rapid PVST+ Overview 154 Rapid PVST+ BPDUs 156 Proposal and Agreement Handshake 157 Protocol Timers 158 Port Roles 158 Port States 159 Rapid PVST+
Enabling Rapid PVST+ per VLAN 166 Configuring the Root Bridge ID 167 Configuring a Secondary Root Bridge 168 Configuring the Rapid PVST+ Port Priority 168 Configuring the Rapid PVST+ Pathcost Method and Port Cost 169 Configuring the Rapid PVST+ Bridge Priority of a VLAN 170 Configuring the Rapid PVST+ Hello Time for a VLAN 170 Configuring the Rapid PVST+ Forward Delay Time for a VLAN 171 Configuring the Rapid PVST+ Maximum Age Time for a VLAN 171 Specifying the Link Type 172 Restarting the Protoco
Specifying the Configuration on an MST Region 186 Mapping and Unmapping VLANs to MST Instances 187 Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs 188 Configuring the Root Bridge 189 Configuring a Secondary Root Bridge 190 Configuring the Port Priority 190 Configuring the Port Cost 191 Configuring the Switch Priority 192 Configuring the Hello Time 193 Configuring the Forwarding-Delay Time 193 Configuring the Maximum-Aging Time 194 Configuring the Maximum-Hop Count 194 Confi
Enabling BPDU Guard on Specified Interfaces 206 Enabling BPDU Filtering Globally 207 Enabling BPDU Filtering on Specified Interfaces 208 Enabling Loop Guard Globally 209 Enabling Loop Guard or Root Guard on Specified Interfaces 210 Verifying STP Extension Configuration 210 Configuring the MAC Address Table 211 Information About MAC Addresses 211 Configuring MAC Addresses 211 Configuring a Static MAC Address 211 Configuring the Aging Time for the MAC Table 212 Clearing Dynamic Addresses from the MA
AAA Service Configuration Options 229 Authentication and Authorization Process for User Login 230 Prerequisites for Remote AAA 231 Information about AAA Guidelines and Limitations 232 Configuring AAA 232 Configuring Console Login Authentication Methods 232 Configuring Default Login Authentication Methods 233 Enabling Login Authentication Failure Messages 234 Enabling MSCHAP Authentication 235 Configuring AAA Accounting Default Methods 236 Using AAA Server VSAs 237 About VSAs 237 VSA Format 237 Spe
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server 249 Configuring Accounting and Authentication Attributes for RADIUS Servers 250 Configuring Periodic RADIUS Server Monitoring 251 Configuring the Dead-Time Interval 252 Manually Monitoring RADIUS Servers or Groups 252 Verifying RADIUS Configuration 253 Displaying RADIUS Server Statistics 253 Example RADIUS Configuration 254 Default RADIUS Settings 254 Configuring TACACS+ 255 About Configuring TACACS+ 255 Information
Verifying TACACS+ Configuration 267 Example TACACS+ Configuration 267 Default TACACS+ Settings 267 Configuring SSH and Telnet 269 Configuring SSH and Telnet 269 Information About SSH and Telnet 269 SSH Server 269 SSH Client 269 SSH Server Keys 269 Telnet Server 270 Guidelines and Limitations for SSH 270 Configuring SSH 270 Generating SSH Server Keys 270 Specifying the SSH Public Keys for User Accounts 271 Specifying the SSH Public Keys in Open SSH Format 271 Specifying the SSH Public Keys in IETF
Rules 280 Source and Destination 280 Protocols 280 Implicit Rules 280 Additional Filtering Options 281 Sequence Numbers 281 Logical Operators and Logical Operation Units 282 Configuring IP ACLs 283 Creating an IP ACL 283 Changing an IP ACL 283 Removing an IP ACL 284 Changing Sequence Numbers in an IP ACL 285 Applying an IP ACL as a Port ACL 285 Verifying IP ACL Configurations 286 Displaying and Clearing IP ACL Statistics 286 Configuring MAC ACLs 287 Creating a MAC ACL 287 Changing a MAC ACL 288 Re
Default ACL Settings 295 System Management 297 Using Cisco Fabric Services 299 Using Cisco Fabric Services 299 Information About CFS 299 CFS Distribution 300 CFS Distribution Modes 300 Uncoordinated Distribution 300 Coordinated Distribution 300 Unrestricted Uncoordinated Distributions 301 Disabling or Enabling CFS Distribution on a Switch 301 Verifying CFS Distribution Status 301 CFS Distribution over IP 301 CFS Distribution over Fibre Channel 303 CFS Distribution Scopes 303 CFS Merge Support 303
Configuring CFS over IP 309 Enabling CFS over IPv4 309 Enabling CFS over IPv6 310 Verifying the CFS Over IP Configuration 310 Configuring IP Multicast Address for CFS over IP 310 Configuring IPv4 Multicast Address for CFS 311 Configuring IPv6 Multicast Address for CFS 311 Verifying IP Multicast Address Configuration for CFS over IP 311 Displaying CFS Distribution Information 312 Default CFS Settings 314 Configuring User Accounts and RBAC 315 Configuring User Accounts and RBAC 315 Information About
Verifying a Session 327 Committing a Session 327 Saving a Session 327 Discarding a Session 327 Session Manager Example Configuration 327 Verifying Session Manager Configuration 327 Configuring Online Diagnostics 329 Information About Online Diagnostics 329 Online Diagnostics Overview 329 Bootup Diagnostics 329 Health Monitoring Diagnostics 330 Expansion Module Diagnostics 331 Configuring Online Diagnostics 332 Verifying Online Diagnostics Configuration 332 Default GOLD Settings 332 Configuring Sys
Call Home Message Levels 352 Obtaining Smart Call Home 353 Prerequisites for Call Home 353 Configuration Guidelines and Limitations 354 Configuring Call Home 354 Procedures for Configuring Call Home 354 Configuring Contact Information 354 Creating a Destination Profile 355 Modifying a Destination Profile 356 Associating an Alert Group with a Destination Profile 357 Adding show Commands to an Alert Group 358 Configuring E-Mail 359 Configuring Periodic Inventory Notification 360 Disabling Duplicate
Assigning SNMPv3 Users to Multiple Roles 380 Creating SNMP Communities 380 Configuring SNMP Notification Receivers 380 Configuring the Notification Target User 381 Enabling SNMP Notifications 382 Configuring Link Notifications 383 Disabling Link Notifications on an Interface 384 Enabling One-Time Authentication for SNMP over TCP 384 Assigning SNMP Switch Contact and Location Information 385 Configuring the Context to Network Entity Mapping 385 Verifying SNMP Configuration 386 Default SNMP Settings
DCBX Feature Negotiation 396 Lossless Ethernet 397 Logical Link Up/Down 397 Converged Network Adapters 397 FCoE Topologies 398 Directly Connected CNA Topology 398 Remotely Connected CNA Topology 399 FCoE Best Practices 400 Directly Connected CNA Best Practice 400 Remotely Connected CNA Best Practice 402 Licensing Requirements for FCoE 403 Configuring FCoE 403 Enabling FCoE 403 Disabling FCoE 404 Disabling LAN Traffic on an FCoE Link 405 Configuring the FC-Map 405 Configuring the Fabric Priority 40
System Classes 422 Default System Classes 423 Policy Types 423 Link-Level Flow Control 425 Priority Flow Control 425 MTU 426 Trust Boundaries 426 Ingress Queuing Policies 427 Ingress Classification Policies 427 Egress Queuing Policies 427 QoS for Multicast Traffic 428 Policy for Fibre Channel Interfaces 428 QoS for Traffic Directed to the CPU 429 QoS Configuration Guidelines and Limitations 429 Configuring System Classes 429 Configuring Class Maps 429 Configuring ACL Classification 430 Configuring
Configuring Priority Flow Control 447 Configuring Link-Level Flow Control 447 Verifying QoS Configuration 448 Example QoS Configurations 454 QoS Example 1 454 QoS Example 2 455 QoS Example 3 457 SAN Switching 459 Configuring Fibre Channel Interfaces 461 Configuring Fibre Channel Interfaces 461 Information About Fibre Channel Interfaces 461 Licensing Requirements for Fibre Channel 461 Physical Fibre Channel Interfaces 461 Virtual Fibre Channel Interfaces 462 Interface Modes 462 E Port 463 F Port 46
Configuring Receive Data Field Size 471 Understanding Bit Error Thresholds 471 Configuring Buffer-to-Buffer Credits 472 Configuring Global Attributes for Fibre Channel Interfaces 473 Configuring Switch Port Attribute Default Values 473 About N Port Identifier Virtualization 473 Enabling N Port Identifier Virtualization 474 Verifying Fibre Channel Interfaces 474 Verifying SFP Transmitter Types 474 Verifying Interface Information 474 Verifying BB_Credit Information 476 Default Fibre Channel Interfac
Locking the Fabric 488 Committing Changes 489 Discarding Changes 489 Clearing a Fabric Lock 489 Displaying CFS Distribution Status 489 Displaying Pending Changes 490 Displaying Session Status 490 About Contiguous Domain ID Assignments 490 Enabling Contiguous Domain ID Assignments 490 FC IDs 491 About Persistent FC IDs 491 Enabling the Persistent FC ID Feature 492 Persistent FC ID Configuration Guidelines 492 Configuring Persistent FC IDs 492 About Unique Area FC IDs for HBAs 493 Configuring Unique
Enabling NPV 502 Configuring NPV Interfaces 502 Configuring an NP Interface 502 Configuring a Server Interface 503 Configuring NPV Traffic Management 503 Configuring NPV Traffic Maps 503 Enabling Disruptive Load Balancing 503 Verifying NPV 504 Verifying NPV Examples 504 Verifying NPV Traffic Management 505 Configuring VSAN Trunking 507 Configuring VSAN Trunking 507 Information About VSAN Trunking 507 VSAN Trunking Mismatches 508 VSAN Trunking Protocol 508 Configuring VSAN Trunking 509 Guidelines a
Deleting SAN Port Channels 522 Interfaces in a SAN Port Channel 522 About Interface Addition to a SAN Port Channel 522 Compatibility Check 522 Suspended and Isolated States 523 Adding an Interface to a SAN Port Channel 523 Forcing an Interface Addition 523 About Interface Deletion from a SAN Port Channel 524 Deleting an Interface from a SAN Port Channel 524 SAN Port Channel Protocol 524 About Channel Group Creation 525 Autocreation Guidelines 526 Enabling and Configuring Autocreation 527 About Man
About Load Balancing 540 Configuring Load Balancing 540 About Interop Mode 541 Displaying Static VSAN Configuration 541 Default VSAN Settings 541 Configuring and Managing Zones 543 Configuring and Managing Zones 543 Information About Zoning 543 Zoning Features 543 Zoning Example 545 Zone Implementation 545 Active and Full Zone Set Configuration Guidelines 546 Configuring Zones 549 Configuring Zones Example 549 Zone Sets 550 Activating a Zone Set 551 About the Default Zone 551 Configuring the Defau
About Enhanced Zoning 560 Changing from Basic Zoning to Enhanced Zoning 561 Changing from Enhanced Zoning to Basic Zoning 561 Enabling Enhanced Zoning 561 Modifying the Zone Database 562 Releasing Zone Database Locks 562 Merging the Database 563 Configuring Zone Merge Control Policies 564 Default Zone Policies 564 Configuring System Default Zoning Settings 564 Verifying Enhanced Zone Information 565 Compacting the Zone Database 565 Zone and Zone Set Analysis 565 Default Basic Zone Settings 566 Dis
Default Device Alias Settings 575 Configuring Fibre Channel Routing Services and Protocols 577 Configuring Fibre Channel Routing Services and Protocols 577 Information About FSPF 577 FSPF Examples 578 Fault Tolerant Fabric Example 578 Redundant Link Example 578 FSPF Global Configuration 579 About SPF Computational Hold Times 579 About Link State Records 579 Configuring FSPF on a VSAN 580 Resetting FSPF to the Default Configuration 580 Enabling or Disabling FSPF 581 Clearing FSPF Counters for the V
Displaying the In-Order Delivery Status 589 Configuring the Drop Latency Time 589 Displaying Latency Information 589 Flow Statistics Configuration 590 About Flow Statistics 590 Counting Aggregated Flow Statistics 590 Counting Individual Flow Statistics 590 Clearing FIB Statistics 591 Displaying Flow Statistics 591 Default FSPF Settings 591 Managing FLOGI, Name Server, FDMI, and RSCN Databases 593 Managing FLOGI, Name Server, FDMI, and RSCN Databases 593 Information About Fabric Login 593 Name Serv
Discarding the RSCN Timer Configuration Changes 600 Clearing a Locked Session 600 Displaying RSCN Configuration Distribution Information 600 Default RSCN Settings 601 Discovering SCSI Targets 603 Discovering SCSI Targets 603 Information About SCSI LUN Discovery 603 About Starting SCSI LUN Discovery 603 Starting SCSI LUN Discovery 603 About Initiating Customized Discovery 604 Initiating Customized Discovery 604 Displaying SCSI LUN Information 604 Advanced Fibre Channel Features and Concepts 607 Adv
Default Settings for Advanced Features 623 Configuring FC-SP and DHCHAP 625 Configuring FC-SP and DHCHAP 625 Information About Fabric Authentication 625 DHCHAP 626 DHCHAP Compatibility with Fibre Channel Features 627 About Enabling DHCHAP 627 Enabling DHCHAP 627 About DHCHAP Authentication Modes 628 Configuring the DHCHAP Mode 628 About the DHCHAP Hash Algorithm 629 Configuring the DHCHAP Hash Algorithm 629 About the DHCHAP Group Settings 630 Configuring the DHCHAP Group Settings 630 About the DHC
Port Security Activation 639 Activating Port Security 639 Database Activation Rejection 639 Forcing Port Security Activation 639 Database Reactivation 640 Auto-Learning 641 About Enabling Auto-Learning 641 Enabling Auto-Learning 641 Disabling Auto-Learning 641 Auto-Learning Device Authorization 641 Authorization Scenario 642 Port Security Manual Configuration 644 WWN Identification Guidelines 644 Adding Authorized Port Pairs 644 Port Security Configuration Distribution 645 Enabling Port Security D
Configuring Fabric Binding 654 Enabling Fabric Binding 655 About Switch WWN Lists 655 Configuring Switch WWN List 655 About Fabric Binding Activation and Deactivation 656 Activating Fabric Binding 656 Forcing Fabric Binding Activation 657 Copying Fabric Binding Configurations 657 Clearing the Fabric Binding Statistics 657 Deleting the Fabric Binding Database 658 Verifying Fabric Binding Information 658 Default Fabric Binding Settings 659 Configuring Fabric Configuration Servers 661 Configuring Fab
Configuring SPAN 673 Configuring SPAN 673 SPAN Sources 673 Characteristics of Source Ports 673 SPAN Destinations 674 Characteristics of Destination Ports 674 Configuring SPAN 675 Creating and Deleting a SPAN Session 675 Configuring the Destination Port 675 Configuring an Ethernet Destination Port 675 Configuring Fibre Channel Destination Port 676 Configuring Source Ports 676 Configuring Source Port Channels, VLANs, or VSANs 677 Configuring the Description of a SPAN Session 677 Activating a SPAN Se
New and Changed Information for the Cisco Nexus 5000 Series This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 5000 Series Switch CLI Software Configuration Guide. To check for additional information about Cisco NX-OS Release 4.1(3)N1(1), see the Cisco Nexus 5000 Series and Cisco Nexus 2000 Series Release Notes, 31/July/2009, available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html.
Preface This preface describes the audience, organization, and conventions of the Cisco Nexus 5000 Series Switch CLI Software Configuration Guide. It also provides information on how to obtain related documentation.
• Audience, page xliii
• Document Organization, page xliii
• Document Conventions, page xliv
• Related Documentation, page xlv
Audience This guide is for experienced network administrators who are responsible for configuring and maintaining Cisco Nexus 5000 Series switches.
Part or Chapter: Description
System Management, page 297: Describes how to configure CFS, RBAC, System Message Logging, Call Home, SNMP, RMON, network management interfaces, storm control, and SPAN.
Fibre Channel over Ethernet, page 391: Describes how to configure FCoE and virtual interfaces.
Quality of Service, page 419: Describes how to configure QoS.
Convention: Description
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
Screen examples use the following conventions:
Convention: Description
screen font: Terminal sessions and information the switch displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
Related Documentation
• Cisco Nexus 2000 Series Fabric Extender Hardware Installation Guide
• Cisco MDS 9000 and Nexus 5000 Series Fabric Manager Software Configuration Guide, Cisco Fabric Manager Release 4.
CHAPTER 1 Overview This chapter describes the Cisco Nexus 5000 Series switches.
a lossless transport layer; as a data storage protocol, it is unacceptable to lose a single data packet. Native Fibre Channel implements a lossless service at the transport layer using a buffer-to-buffer credit system. For FCoE traffic, the Ethernet link must provide a lossless service.
The server OS is not aware of the FCoE encapsulation (see the following figure). At the switch, the incoming Ethernet port separates the Ethernet and Fibre Channel traffic (using EtherType to differentiate the frames). Ethernet frames and Fibre Channel frames are switched to their respective network-side interfaces.
Cisco Nexus 5000 Series Switch Hardware
Chassis The Cisco Nexus 5000 Series includes the Cisco Nexus 5010 and Cisco Nexus 5020 switches. The Cisco Nexus 5010 switch is a 1 RU chassis and the Cisco Nexus 5020 switch is a 2 RU chassis designed for rack mounting. The chassis supports redundant fans and power supplies. The Cisco Nexus 5000 Series switching fabric is low latency, nonblocking, and supports Ethernet frame sizes from 64 to 9216 bytes.
All of the 10-Gigabit Ethernet ports support FCoE. Each port can be used as a downlink (connected to a server) or as an uplink (to the data center LAN).
Fibre Channel Interfaces Fibre Channel ports are optional on the Cisco Nexus 5000 Series switch. When you use expansion modules, up to 8 Fibre Channel ports are available on the Cisco Nexus 5010 switch and up to 16 Fibre Channel ports are available on the Cisco Nexus 5020 switch.
• Distributed device alias service
• SAN port channels
QoS Cisco Nexus 5000 Series switches provide quality of service (QoS) capabilities such as traffic prioritization and bandwidth allocation on egress interfaces. The default QoS configuration on the switch provides lossless service for Fibre Channel and FCoE traffic. QoS can be configured to provide additional classes of service for Ethernet traffic.
Online Diagnostics Cisco generic online diagnostics (GOLD) is a suite of diagnostic facilities to verify that hardware and internal data paths are operating as designed. Boot-time diagnostics, continuous monitoring, and on-demand and scheduled tests are part of the Cisco GOLD feature set. GOLD allows rapid fault isolation and continuous system monitoring.
Network Security Features Cisco NX-OS Release 4.1 includes the following security features:
• Authentication, authorization, and accounting (AAA) and TACACS+
• RADIUS
• Secure Shell (SSH) Protocol Version 2
• Simple Network Management Protocol Version 3 (SNMPv3)
• MAC ACLs and IP ACLs, including port-based ACLs (PACLs) and VLAN-based ACLs (VACLs).
In the example configuration, the Cisco Nexus 5000 Series switch has Ethernet uplinks to two Catalyst switches. If STP is enabled in the data center LAN, the links to one of the switches will be STP active and the links to the other switch will be STP blocked.
Figure 2: Ethernet TOR Switch Topology
All of the server-side ports on the Cisco Nexus 5000 Series switch are running standard Ethernet.
Fabric Extender Deployment Topology The following figure shows a simplified configuration using the Cisco Nexus 2000 Series Fabric Extender in combination with the Cisco Nexus 5000 Series switch to provide a simplified and cost-effective 1-Gigabit TOR solution.
Figure 3: Fabric Extender Deployment Topology
In the example configuration, the Fabric Extender top-of-rack units provide 1-Gigabit host interfaces connected to the servers.
Data Center I/O Consolidation Topology The following figure shows a typical I/O consolidation scenario for the Cisco Nexus 5000 Series switch.
Figure 4: I/O Consolidation Topology
The Cisco Nexus 5000 Series switch connects to the server ports using FCoE. Ports on the server require converged network adapters. For redundancy, each server connects to both switches. Dual-port CNA adapters can be used for this purpose.
Supported Standards
Table 2: IEEE Compliance
Standard: Description
802.1D: MAC Bridges
802.1s: Multiple Spanning Tree Protocol
802.1w: Rapid Spanning Tree Protocol
802.3ad: Link aggregation with LACP
802.3ae: 10-Gigabit Ethernet
802.1Q: VLAN Tagging
802.
PART I Configuration Fundamentals • Using the Command-Line Interface, page 15 • Initial Switch Configuration, page 29 • Managing Licenses, page 53
CHAPTER 2 Using the Command-Line Interface This chapter describes how to use the command-line interface of the Cisco Nexus 5000 Series switch.
Step 2 At the switch login prompt, enter your username and password. The Cisco Nexus 5000 Series switch initiates authentication.
Note If no password has been configured, press Return.
Step 3 Exit the session when finished.
switch# exit
This example shows how to make a Telnet connection to a switch:
host$ telnet 10.0.13.42
Trying 10.0.13.42...
Connected to 10.0.13.42
Escape character is '^]'.
switch Login: admin
Password: password
...
Using the CLI
Using CLI Command Modes Switches in the Cisco Nexus 5000 Series have two main command modes: user EXEC mode and configuration mode. The commands available to you depend on the mode you are in. To obtain a list of available commands in either mode, type a question mark (?) at the system prompt. The following table lists and describes the two commonly used modes, how to enter the modes, and the resulting system prompts.
Listing the Commands Used with Each Command Mode You can display the commands available in any command mode by typing a question mark (?) at the switch prompt.
CLI Command Hierarchy CLI commands are organized hierarchically, with commands that perform similar functions grouped under the same level.
EXEC Mode Commands The following commands are available in EXEC mode:
switch# ?
attach callhome cd check clear cli clock configure copy debug debug-filter delete dir discover echo end ethanalyzer exit fcping fctrace fex find format gunzip gzip install license mkdir move no ntp ping ping6 purge pwd reload rmdir routing-context run-script san-port-channel send session setup show sleep ssh ssh6 system tac-pac tail telnet telnet6 terminal terminate test traceroute traceroute6 undebug unmount upda
Configuration Mode Commands Configuration mode allows you to make changes to the existing configuration. When you save the configuration, these commands are saved across switch reboots. Once you are in configuration mode, you can enter interface configuration mode, zone configuration mode, and a variety of protocol-specific modes. Configuration mode is the starting point for all configuration commands.
The following commands are available in configuration mode:
switch# configure terminal
switch(config)# ?
aaa Configure aaa functions
banner Configure banner message
boot Configure boot variables
callhome Enter the callhome configuration mode
cdp Configure CDP parameters
cfs CFS configuration commands
class-map Configure class-map
cli Configure CLI aliases
clock Configure time-of-day clock
device-alias Device-alias configuration commands
diagnostic Diagnostic comman
track Object tracking configuration commands
trunk Configure Switch wide trunk protocol
username Configure user information.
vlan
vrf
vsan
wwn
xml
zone
zoneset
If you enter the zone member command, you can undo the results:
switch(config)# zone name test vsan 1
switch(config-zone)# member pwwn 12:12:12:12:12:12:12:12
switch(config-zone)# no member pwwn 12:12:12:12:12:12:12:12
WARNING: Zone is empty. Deleting zone test.
Exit the submode.
switch(config-zone)#
• Delete a created facility.
Using Keyboard Shortcuts
Command: Description
Ctrl-G: Exit
Ctrl-Z: End
Ctrl-L: Clear session
The following table describes the commonly used configuration submodes.
The variables defined in the parent shell are available for use in the child run-script command process.
• Passed as command line arguments to the run-script command.
CLI variables have the following characteristics:
• You cannot reference a variable through another variable using nested references.
• You can define persistent variables that are available across switch reloads.
Using Command Aliases Command alias support has the following characteristics:
• Command aliases are global for all user sessions.
• Command aliases are saved across reboots.
• Commands being aliased must be typed in full without abbreviation.
• Command alias translation always takes precedence over any keyword in any configuration mode or submode.
• Command alias support is only available on the supervisor module, not the switching modules.
Note You cannot create the script file at the switch prompt. You can create the script file on an external machine and copy it to the bootflash: directory.
This section assumes that the script file resides in the bootflash: directory. The syntax for this command is run-script filename. This example displays the CLI commands specified in a test file that resides in the bootflash: directory.
The following example shows how to use CLI session variables in a script file used by the run-script command (the variable defined with cli var name must be the one referenced in the script):
switch# cli var name testinterface fc 1/1
switch# show file bootflash:test1.vsh
show interface $(testinterface)
switch# run-script bootflash:test1.
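The mechanism above (a session variable defined with cli var name, then expanded wherever a script line contains $(name), with no nested references) as an added model in Python; this is not code from the guide or from NX-OS, and how the switch treats an undefined name or a value that is itself a reference is an assumption stated in the comments:

```python
import re
from typing import Dict, List, Tuple

# One $(name) reference, the form used in the guide's run-script example.
VAR_REF = re.compile(r"\$\((\w+)\)")


def parse_cli_var(command: str) -> Tuple[str, str]:
    """Turn a 'cli var name <name> <value>' command into a (name, value) pair.

    The value is everything after the name, so 'cli var name testinterface fc 1/1'
    yields ('testinterface', 'fc 1/1'). The value is stored as typed (assumption).
    """
    parts = command.split()
    if len(parts) < 5 or parts[:3] != ["cli", "var", "name"]:
        raise ValueError(f"not a CLI variable definition: {command!r}")
    return parts[3], " ".join(parts[4:])


def expand_line(line: str, variables: Dict[str, str]) -> str:
    """Replace every $(name) in one script line in a single pass.

    The result is not scanned again, so a value that itself contains $(other)
    is inserted literally: this models the guide's rule that a variable cannot
    be referenced through another variable (no nested references). A name that
    is not defined is left as written (assumption; the guide does not say how
    the switch handles an undefined reference).
    """
    def substitute(match: "re.Match[str]") -> str:
        return variables.get(match.group(1), match.group(0))

    return VAR_REF.sub(substitute, line)


def run_script(script: str, session_variables: Dict[str, str]) -> List[str]:
    """Expand each non-blank line of a script with the parent session's variables.

    Mirrors the guide's statement that variables defined in the parent shell are
    available to the child run-script process.
    """
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if line:
            commands.append(expand_line(line, session_variables))
    return commands


# Constructed session: the guide's example variable plus one whose value is
# itself a reference, to show that nested expansion does not happen.
SESSION_COMMANDS = [
    "cli var name testinterface fc 1/1",
    "cli var name alias $(testinterface)",
]
SESSION_VARIABLES = dict(parse_cli_var(c) for c in SESSION_COMMANDS)

# Constructed contents standing in for bootflash:test1.vsh.
TEST1_VSH = """
show interface $(testinterface)
show interface $(alias)
show interface $(undefinedvar)
"""


def demo() -> List[str]:
    """Expanded commands the switch would run for TEST1_VSH in this session."""
    return run_script(TEST1_VSH, SESSION_VARIABLES)


if __name__ == "__main__":
    for command in demo():
        print(command)
```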
CHAPTER 3 Initial Switch Configuration This chapter describes the command-line interface (CLI) and CLI command modes of Cisco Nexus 5000 Series switches.
Boot Sequence When the switch boots, the golden BIOS validates the checksum of the upgradeable BIOS. If the checksum is valid, then control is transferred to the upgradeable BIOS image. The upgradeable BIOS launches the kickstart image, which then launches the system image. If the checksum of the upgradeable BIOS is not valid, then the golden BIOS launches the kickstart image, which then launches the system image.
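The boot decision described above as an added Python model (not code from the guide or from the switch firmware): the golden BIOS checks the stored checksum of the upgradeable BIOS and either hands over to it or launches kickstart itself. The guide does not name the checksum algorithm, so SHA-256 is an assumption, and the image bytes are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Image:
    """A boot-stage image as stored in bootflash (constructed sample, not a real binary)."""
    name: str
    data: bytes


def image_checksum(data: bytes) -> str:
    """Checksum the golden BIOS compares against its stored value.

    The guide only says the golden BIOS 'validates the checksum'; the algorithm
    is not stated, so SHA-256 is an assumption made for this example.
    """
    return hashlib.sha256(data).hexdigest()


def checksum_valid(image: Image, expected: str) -> bool:
    """Constant-time comparison so a mismatch is not leaked byte by byte."""
    return hmac.compare_digest(image_checksum(image.data), expected)


def boot_sequence(upgradeable_bios: Image, expected_checksum: str,
                  kickstart: Image, system: Image) -> List[str]:
    """Return the ordered stages that gain control, following the guide's description.

    Valid checksum:   golden BIOS -> upgradeable BIOS -> kickstart -> system
    Invalid checksum: golden BIOS -> kickstart -> system (the golden BIOS launches
    kickstart itself rather than transferring control to a bad upgradeable BIOS).
    """
    chain = ["golden BIOS"]
    if checksum_valid(upgradeable_bios, expected_checksum):
        chain.append(upgradeable_bios.name)
    # Whichever BIOS holds control launches kickstart, which launches the system image.
    chain.append(kickstart.name)
    chain.append(system.name)
    return chain


# Constructed sample images. The kickstart and system file names are taken from the
# guide's 'dir bootflash:' listing; the contents are placeholder bytes.
UPGRADEABLE_BIOS = Image("upgradeable BIOS", b"\x7fBIOS-UPGRADEABLE" * 16)
KICKSTART = Image("n5000-uk9-kickstart.4.0.1a.N1.0.62.bin", b"KICKSTART" * 8)
SYSTEM = Image("n5000-uk9.4.0.1a.N1.0.62.bin", b"SYSTEM" * 8)
STORED_CHECKSUM = image_checksum(UPGRADEABLE_BIOS.data)   # value the golden BIOS keeps


def corrupt(image: Image, offset: int = 5) -> Image:
    """Flip one bit at the given offset to simulate a damaged or altered BIOS image."""
    data = bytearray(image.data)
    data[offset] ^= 0x01
    return Image(image.name, bytes(data))


def demo() -> List[List[str]]:
    """Boot once with an intact upgradeable BIOS and once with a corrupted one."""
    healthy = boot_sequence(UPGRADEABLE_BIOS, STORED_CHECKSUM, KICKSTART, SYSTEM)
    damaged = boot_sequence(corrupt(UPGRADEABLE_BIOS), STORED_CHECKSUM, KICKSTART, SYSTEM)
    return [healthy, damaged]


if __name__ == "__main__":
    for chain in demo():
        print(" -> ".join(chain))
```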
Related Topics
• Troubleshooting, page 681
Console Settings
The loader, kickstart, and system images have the following factory default console settings:
• Speed—9600 baud
• Databits—8 bits per byte
• Stopbits—1 bit
• Parity—none
These settings are stored on the switch, and all three images use the stored console settings. To change a console setting, use the line console command in configuration mode.
Example:
switch# dir bootflash:
       4681    Nov 24 02:43:52 2008  config
   13176836    Nov 24 07:19:36 2008  gdb.1
      49152    Jan 12 18:38:36 2009  lost+found/
     310556    Dec 23 02:53:28 2008  n1
   20058112    Nov 07 02:35:22 2008  n5000-uk9-kickstart.4.0.1a.N1.0.62.bin
   20217856    Jan 12 18:26:54 2009  n5000-uk9-kickstart.4.0.1a.N2.0.140.bin
   76930262    Nov 07 02:35:22 2008  n5000-uk9.4.0.1a.N1.0.62.bin
  103484727    Jan 12 18:29:08 2009  n5000-uk9.4.0.1a.N2.0.140.
Example:
switch# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
Procedure
Step 1 Locate the image files you will use for the downgrade by entering the dir bootflash: command. If the image files are not stored on the bootflash memory, download the files from Cisco.com:
a) Log in to Cisco.com to access the Software Download Center. To log in to Cisco.com, go to the URL http://www.cisco.com/ and click Log In at the top of the page. Enter your Cisco username and password.
Note Unregistered Cisco.
Initial Configuration
Configuration Prerequisites
The following procedure is a review of the tasks you should have completed during hardware installation. These tasks must be completed before you can configure the switch.
Note If a password is weak (short, easy to decipher), your password configuration is rejected. Be sure to configure a strong password.
• If you are using an IPv4 address for the management interface, you need the following information:
◦ IPv4 subnet mask for the switch's management interface.
◦ IPv4 address of the default gateway (optional).
• SSH service on the switch (optional).
Tip If you do not want to answer a previously configured question, or if you want to skip answers to any questions, press Enter. If a default answer is not available (for example, switch name), the switch uses what was previously configured and skips to the next question.
To configure the switch for the first time, follow these steps:
Procedure
Step 1 Ensure that the switch is on. Switches in the Cisco Nexus 5000 Series boot automatically.
Step 2
Example:
Enter the password for user_name: user-password
Step 6 Enter yes (yes is the default) to create an SNMP read-only community string.
Example:
Configure read-only SNMP community string (yes/no) [n]: yes
SNMP community string: snmp_community
Step 7 Enter a name for the switch.
Note The switch name is limited to 32 alphanumeric characters. The default name is "switch".
Example:
Configure NTP server? (yes/no) [n]: yes
NTP server IP address: ntp_server_IP_address
Step 13 Enter yes (yes is the default) to configure basic Fibre Channel configurations.
Example:
Enter basic FC configurations (yes/no) [n]: yes
Step 14 Enter shut (shut is the default) to configure the default Fibre Channel switch port interface to the shut (disabled) state.
Step 19 Enter yes (yes is the default) to use and save this configuration:
Example:
Use this configuration and save it? (yes/no) [y]: yes
Caution If you do not save the configuration at this point, none of your changes are updated the next time the switch is rebooted. Type yes to save the new configuration. This operation ensures that the kickstart and system images are also automatically configured.
Note This guide refers to a switch in the Cisco Nexus 5000 Series as switch, and it uses the switch# prompt.
To change the name of the switch, perform this task:
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# [no] switchname name    Changes the switch name prompt to the specified name. The no form of the command reverts the switch name prompt to its default.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# clock timezone timezone hours_offset minutes_offset    Sets the time zone. timezone is the three-letter time zone name (PST for Pacific Standard), hours_offset is the hours offset from UTC (-8 for the PST offset), and minutes_offset is the minutes offset (needed for time zones such as Newfoundland Standard (NST) or India Standard (IST)).
Command or Action    Purpose
Step 4 switch(config)# exit    Returns to EXEC mode.
Step 5 switch# show running-config | include summer-time    Verifies the time zone configuration.
The following example adjusts the daylight saving time for U.S. Pacific daylight time by 60 minutes, starting the second Sunday in March at 2 a.m. and ending the first Sunday in November at 2 a.
server. You would configure a peer association between these two sets, which forces the clock to be more reliable.
• If you only have one server, it is better for all the switches to have a client association with that server. Not even a server down time will affect well-configured switches in the network.
The following figure displays a network with two NTP stratum 2 servers and two switches.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# ntp server {ip-address | ipv6-address | dns-name}    Forms an association with a server.
Step 3 switch(config)# ntp peer {ip-address | ipv6-address | dns-name}    Forms an association with a peer. You can specify multiple associations.
Step 4 switch# copy running-config startup-config    (Optional) Saves your configuration changes to NVRAM.
commit the NTP configuration changes without implementing the session feature, the NTP configurations are distributed to all the switches in the fabric.
To commit the NTP configuration changes, perform this task:
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# ntp commit    Distributes the NTP configuration changes to all switches in the fabric and releases the lock.
Management Interface Configuration
The management interface on the switch allows multiple simultaneous Telnet, SSH, or SNMP sessions. You can remotely configure the switch through the management interface (mgmt0), but first you must configure some IP parameters so that the switch is reachable. You can manually configure the management interface from the CLI through the console port.
b) switch(config-vrf)# ipv6 route ipv6-prefix[/length] ipv6-nexthop-address    Configures the IPv6 address of the next hop.
Step 8 switch(config-vrf)# exit    Returns to EXEC mode.
Step 9 switch# copy running-config startup-config    (Optional) Saves your configuration changes to the file system.
In some cases, a switch interface might be administratively shut down.
from the startup configuration, enter the show startup-config command to view the ASCII version of the current startup configuration that was used to boot the switch if a copy running-config startup-config command was not entered after the reboot.
Use the show startup-config command to view the contents of the current startup configuration. You can also gather specific information on the entire switch configuration by entering the relevant show commands.
Listing the Files in a Directory
The dir command displays the contents of the current directory or the specified directory. The syntax for this command is dir directory or dir filename.
This example moves a file from the current directory level:
switch# move samplefile mystorage/samplefile
If the current directory is bootflash:mydir, this command moves bootflash:mydir/samplefile to bootflash:mydir/mystorage/samplefile.
Copying Files
The copy command copies a file between file systems within a switch.
Note Use the dir command to ensure that enough space is available in the target file system.
Compressing and Uncompressing Files
The gzip command compresses (zips) the specified file using LZ77 coding. This example directs the output of the show tech-support command to a file (Samplefile), and then zips the file and displays the difference in the space used up in the volatile directory:
switch# show tech-support > Samplefile
Building Configuration ...
CHAPTER 4 Managing Licenses
This chapter describes how to manage licenses on Cisco Nexus 5000 Series switches.
• License enforcement—A mechanism that prevents a feature from being used without first obtaining a license.
• Node-locked license—A license that can only be used on a particular switch using the switch's unique host ID.
• Host IDs—A unique chassis serial number that is specific to each switch.
• Proof of purchase—A document entitling its rightful owner to use licensed features on one switch as described in that document.
Feature License    Features
N5000-AS    System features, except features explicitly listed in the Storage Services Package.
Performing a Manual Installation
All Cisco Nexus 5000 Series licenses are factory-installed. Manual installation is not required.
Obtaining the License Key File
To obtain new or updated license key files, perform this task:
Procedure
Step 1 Use the show license host-id command to obtain the serial number for your switch. The host ID is also referred to as the switch serial number.
Procedure
Step 1 Log in to the switch through the console port.
Step 2 Perform the installation by entering the install license command from the switch console.
switch# install license bootflash:license_file.lic
Installing license ..done
If you provide a target name for the license key file, the file is installed with the specified name. Otherwise, the filename specified in the license key file is used to install the license.
Caution We recommend backing up your license files immediately after installing them and just before running a write erase command. If you erase any existing licenses, you can only install them using the install license command.
Identifying License Features in Use
When a Cisco NX-OS software feature is enabled, it can activate a license grace period.
Procedure
Step 1 Save your running configuration to a remote server using the copy command.
Step 2 Enter the show license brief command in EXEC mode to view a list of all installed license key files and identify the file to be uninstalled. In this example, the file to be uninstalled is the FibreChannel.lic file.
switch# show license brief
Enterprise.lic
FibreChannel.lic
Step 3 Disable the features provided by the license to be uninstalled.
c) Get the product authorization key (PAK) from either the claim certificate or the proof of purchase document.
d) Locate the website URL from either the claim certificate or the proof of purchase document.
e) Access the specified URL that applies to your switch and enter the switch serial number and the PAK. The license key file is sent to you by e-mail.
The license key file is digitally signed to only authorize use on the requested switch.
countdown for a license package, you must disable every feature in that license package. Use the show license usage license-name command to determine which applications to disable.
switch# show license usage FC_FEATURES_PKG
Application
-----------
PFM
-----------
The Cisco NX-OS license counter keeps track of all licenses on a switch.
Displays information for all installed license files.
Step 2 switch# show license file    Displays information for a specific license file.
Step 3 switch# show license host-id    Displays the host ID for the physical switch.
Step 4 switch# show license usage    Displays the usage information for installed licenses.
PART II LAN Switching
• Configuring Ethernet Interfaces, page 65
• Configuring VLANs, page 79
• Configuring Private VLANs, page 87
• Configuring Access and Trunk Interfaces, page 101
• Configuring EtherChannels, page 111
• Configuring Virtual Port Channels, page 123
• Configuring Rapid PVST+, page 149
• Configuring Multiple Spanning Tree, page 175
• Configuring STP Extensions, page 199
• Configuring the MAC Address Table, page 211
• Configuring IGMP Snooping, page 215
• Configuring Traffic Storm Control,
CHAPTER 5 Configuring Ethernet Interfaces
This section describes the configuration of the Ethernet interfaces on a Cisco Nexus 5000 Series switch. It contains the following sections:
• Information About Ethernet Interfaces, page 65
• Configuring Ethernet Interfaces, page 69
• Displaying Interface Information, page 74
Information About Ethernet Interfaces
The Ethernet ports can operate as standard Ethernet interfaces connected to servers or to a LAN.
switch(config)# interface ethernet [chassis/]slot/port
• Chassis ID is an optional entry to address the ports of a connected Fabric Extender. The chassis ID is configured on a physical Ethernet or EtherChannel interface on the switch to identify the Fabric Extender discovered via the interface. The chassis ID ranges from 100 to 199.
The following figure shows an example of a unidirectional link condition. Device B successfully receives traffic from Device A on the port. However, Device A does not receive traffic from Device B on the same port. UDLD detects the problem and disables the port.
Figure 7: Unidirectional Link
Default UDLD Configuration
The following table shows the default UDLD configuration.
• One side of a link remains up while the other side of the link is down
In these cases, the UDLD aggressive mode disables one of the ports on the link, which prevents traffic from being discarded.
About Interface Speed
A Cisco Nexus 5000 Series switch has a number of fixed 10-Gigabit ports, each equipped with SFP+ interface adapters.
You can enable the debounce timer for each interface and specify the delay time in milliseconds.
Caution When you enable the port debounce timer, the link up and link down detections are delayed, resulting in a loss of traffic during the debounce period. This situation might affect the convergence and reconvergence of some protocols.
About MTU Configuration
The Cisco Nexus 5000 Series switch is a Layer 2 device.
Command or Action    Purpose
Step 5 switch(config)# interface type slot/port    Specifies an interface to configure, and enters interface configuration mode.
Step 6 switch(config-if)# udld {enable | disable | aggressive}    Enables the normal UDLD mode, disables UDLD, or enables the aggressive UDLD mode.
Step 7 switch(config-if)# show udld interface    Displays the UDLD status for the interface.
The following example shows how to set the speed for a 1-Gigabit Ethernet port:
switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# speed 1000
This command can only be applied to a physical Ethernet interface.
Note If the interface speed and the transceiver speed are mismatched, the SFP validation failed message is displayed when you enter the show interface ethernet slot/port command.
Command or Action    Purpose
Step 5 switch(config)# [no] cdp timer seconds    (Optional) Sets the transmission frequency of CDP updates in seconds. The range is 5 to 254; the default is 60 seconds. Use the no form of the command to return to its default setting.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# interface type slot/port    Enters interface configuration mode for the specified interface.
Step 3 switch(config-if)# link debounce time milliseconds    Enables the debounce timer for the amount of time (1 to 5000 milliseconds) specified. Disables the debounce timer if you specify 0 milliseconds.
network servers through all dynamic routing protocols. When shut down, the interface is not included in any routing updates.
To disable an interface, perform this task:
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# interface type slot/port    Enters interface configuration mode for the specified interface.
The show interface command is invoked from EXEC mode and displays the interface configurations. Without any arguments, this command displays the information for all the configured interfaces in the switch.
The following example shows how to display the physical Ethernet interface:
switch# show interface ethernet 1/1
Ethernet1/1 is up
Hardware is 1000/10000 Ethernet, address is 000d.eca3.5f08 (bia 000d.eca3.
The following example shows how to display the physical Ethernet transceiver:
switch# show interface ethernet 1/1 transceiver
Ethernet1/1
    sfp is present
    name is CISCO-EXCELIGHT
    part number is SPP5101SR-C1
    revision is A
    serial number is ECL120901AV
    nominal bitrate is 10300 MBits/sec
    Link length supported for 50/125mm fiber is 82 m(s)
    Link length supported for 62.
Default Physical Ethernet Settings
The following table lists the default settings for all physical Ethernet interfaces:
Parameter    Default Setting
Debounce    Enable, 100 milliseconds
Duplex    Auto (full-duplex)
Encapsulation    ARPA
MTU (2)    1500 bytes
Port Mode    Access
Speed    Auto (10000)
(2) MTU cannot be changed per physical Ethernet interface. You modify the MTU by selecting maps of QoS classes.
CHAPTER 6 Configuring VLANs
This chapter describes how to configure VLANs on the Cisco Nexus 5000 Series switch. It contains the following sections:
• Configuring VLANs, page 79
Configuring VLANs
You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN.
The following figure shows VLANs as logical networks. In this diagram, the stations in the engineering department are assigned to one VLAN, the stations in the marketing department are assigned to another VLAN, and the stations in the accounting department are assigned to yet another VLAN.
Figure 8: VLANs as Logically Defined Networks
VLANs are usually associated with IP subnetworks.
Table 9: VLAN Ranges
VLAN Numbers    Range    Usage
1    Normal    Cisco default. You can use this VLAN, but you cannot modify or delete it.
2—1005    Normal    You can create, use, modify, and delete these VLANs.
1006—4094    Extended    You can create, name, and use these VLANs. You cannot change the following parameters:
• State is always active.
• VLAN is always enabled. You cannot shut down these VLANs.
• VLAN name
• Shutdown or not shutdown
When you delete a specified VLAN, the ports associated with that VLAN are shut down and no traffic flows. However, the system retains all the VLAN-to-port mapping for that VLAN, and when you reenable, or recreate, the specified VLAN, the system automatically reinstates all the original ports to that VLAN.
Note Commands entered in the VLAN configuration submode are immediately executed.
Note You can also create and delete VLANs in the VLAN configuration submode.
Entering the VLAN Submode and Configuring the VLAN
To configure or modify the VLAN for the following parameters, you must be in the VLAN configuration submode:
• Name
• Shut down
Note You cannot create, delete, or modify the default VLAN or the internally allocated VLANs. Additionally, some of these parameters cannot be modified on some VLANs.
Adding Ports to a VLAN
After you have completed the configuration of a VLAN, assign ports to it. To add ports, perform this task:
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# interface {ethernet slot/port | port-channel number}    Specifies the interface to configure, and enters the interface configuration mode. The interface can be a physical Ethernet port or an EtherChannel.
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Eth1/1, Eth1/2, Eth1/3, Eth1/4
                                                Eth1/5, Eth1/6, Eth1/7, Eth1/8
                                                Eth1/9, Eth1/10, Eth1/11
                                                Eth1/12, Eth1/15, Eth1/16
                                                Eth1/17, Eth1/18, Eth1/19
                                                Eth1/20, Eth1/21, Eth1/22
                                                Eth1/23, Eth1/24, Eth1/25
                                                Eth1/26, Eth1/27, Eth1/28
                                                Eth1/29, Eth1/30, Eth1/31
                                                Eth1/32, Eth1/33, Eth1/34
                                                Eth1/35, Eth1/36, Eth1/37
                                                Eth1/38, Eth1/39, Eth1/40
                                                Eth3/1, Eth3/2, Eth3/3, E
CHAPTER 7 Configuring Private VLANs
This chapter describes how to configure private VLANs on the Cisco Nexus 5000 Series switch.
promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Figure 9: Private VLAN Domain
Note You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary.
Primary and Secondary VLANs in Private VLANs
A private VLAN domain has only one primary VLAN.
• Promiscuous—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN.
The following figure shows the traffic flows within a private VLAN, along with the types of VLANs and types of ports.
Figure 10: Private VLAN Traffic Flows
Note The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic received on the primary VLAN is not subject to private VLAN separation and is forwarded as in a normal VLAN.
Note You can associate a secondary VLAN with only one primary VLAN.
For an association to be operational, the following conditions must be met:
• The primary VLAN must exist and be configured as a primary VLAN.
• The secondary VLAN must exist and be configured as either an isolated or community VLAN.
Note Use the show vlan private-vlan command to verify that the association is operational.
Broadcast Traffic in Private VLANs
Broadcast traffic from ports in a private VLAN flows in the following ways:
• The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN (which includes all the ports in the community and isolated VLANs). This broadcast traffic is distributed to all ports within the primary VLAN, including those ports that are not configured with private VLAN parameters.
Note The private VLAN commands do not appear until you enable the private VLAN feature.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# feature private-vlan    Enables the private VLAN feature on the switch.
Step 3 switch(config)# no feature private-vlan    (Optional) Disables the private VLAN feature on the switch.
This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan primary
This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:
switch# configure terminal
switch(config)# vlan 100
switch(config-vlan)# private-vlan community
This example shows how to assign VLAN 200 to a private VLAN as an isolated VL
Command or Action    Purpose
Step 2 switch(config)# vlan primary-vlan-id    Enters the number of the primary VLAN that you are working in for the private VLAN configuration.
Step 3 switch(config-vlan)# private-vlan association {[add] secondary-vlan-list | remove secondary-vlan-list}    Associates the secondary VLANs with the primary VLAN.
Command or Action    Purpose
Step 5 switch(config-if)# no switchport private-vlan host-association    (Optional) Removes the private VLAN association from the port.
Configuring a Promiscuous Trunk Port
In a private VLAN domain, promiscuous trunks are part of the primary VLAN. Promiscuous trunk ports can carry multiple primary VLANs. Multiple secondary VLANs under a given primary VLAN can be mapped to a promiscuous trunk port.
Configuring a promiscuous port involves two steps. First, you define the port as a promiscuous port, and then you configure the mapping between a secondary VLAN and the primary VLAN.
Before You Begin
Ensure that the private VLAN feature is enabled.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# interface type [chassis/]slot/port    Selects the port to configure as a private VLAN isolated trunk port. This port can be on a Fabric Extender (identified by the chassis option).
Command or Action    Purpose
Step 2 switch(config)# interface type [chassis/]slot/port    Selects the port to configure as a private VLAN host port. This port can be on a Fabric Extender (identified by the chassis option).
Step 3 switch(config-if)# switchport private-vlan trunk allowed vlan {vlan-list | all | none [add | except | none | remove {vlan-list}]}    Sets the allowed VLANs for the private trunk interface.
Command or Action    Purpose
Step 4 switch(config-if)# no switchport private-vlan trunk native {vlan vlan-id}    (Optional) Removes the native VLAN ID from the private VLAN trunk.
Verifying Private VLAN Configuration
To display private VLAN configuration information, use the following commands:
Command    Purpose
switch# show feature    Displays the features enabled on the switch.
CHAPTER 8 Configuring Access and Trunk Interfaces
Ethernet interfaces can be configured either as access ports or trunk ports. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across the network.
Note Cisco NX-OS supports only IEEE 802.1Q-type VLAN trunk encapsulation.
This chapter describes the configuration of access or trunk ports on Cisco Nexus 5000 Series switches.
The following figure shows how you can use trunk ports in the network. The trunk port carries traffic for two or more VLANs.
Figure 11: Devices in a Trunking Environment
In order to correctly deliver the traffic on a trunk port with several VLANs, the device uses the IEEE 802.1Q encapsulation or tagging method. To optimize the performance on access ports, you can configure the port as a host port.
To correctly deliver the traffic on a trunk port with several VLANs, the device uses the IEEE 802.1Q encapsulation (tagging) method that uses a tag that is inserted into the frame header. This tag carries information about the specific VLAN to which the frame and packet belong. This method allows packets that are encapsulated for several different VLANs to traverse the same port and maintain traffic separation between the VLANs.
Understanding the Native VLAN ID for Trunk Ports
A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port, and all untagged traffic is assumed to belong to this VLAN. This VLAN is referred to as the native VLAN ID for a trunk port.
Note The vlan dot1q tag native command is enabled on a global basis.
Configuring Access and Trunk Interfaces
Configuring a LAN Interface as an Ethernet Access Port
You can configure an Ethernet interface as an access port. An access port transmits packets on only one, untagged VLAN. You specify which VLAN's traffic the interface carries.
Before You Begin
Ensure that you are configuring the correct interface; it must be an interface that is connected to an end station.
Procedure
Command or Action    Purpose
Step 1 switch# configure terminal    Enters configuration mode.
Step 2 switch(config)# interface type slot/port    Specifies an interface to configure, and enters interface configuration mode.
This example shows how to set an interface as an Ethernet trunk port:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# switchport mode trunk
Related Topics
• Understanding IEEE 802.1Q Encapsulation, page 102
Configuring the Native VLAN for 802.1Q Trunking Ports
If you do not configure this parameter, the trunk port uses the default VLAN as the native VLAN ID.
configurable. By default, all VLANs are allowed on all trunk interfaces.
Note: You cannot add internally allocated VLANs as allowed VLANs on trunk ports. The system returns a message if you attempt to list an internally allocated VLAN as an allowed VLAN.
The following example shows how to enable 802.
CHAPTER 9
Configuring EtherChannels
This chapter describes how to configure EtherChannels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of EtherChannels in Cisco NX-OS.
Information About EtherChannels
Note: Cisco NX-OS does not support Port Aggregation Protocol (PAgP) for EtherChannels.
An EtherChannel bundles individual links into a channel group to create a single logical link that provides the aggregate bandwidth of up to 16 physical links. If a member port within an EtherChannel fails, traffic previously carried over the failed link switches to the remaining member ports within the EtherChannel. Each port can be in only one EtherChannel.
Use the show port-channel compatibility-parameters command to see the full list of compatibility checks that Cisco NX-OS uses. You can only add interfaces configured with the channel mode set to on to static EtherChannels, and you can only add interfaces configured with the channel mode set to active or passive to EtherChannels that are running LACP. You can configure these attributes on an individual member port.
• Source TCP/UDP port number
• Source and destination TCP/UDP port number
The following table shows the criteria used for each configuration:
Table 10: EtherChannel Load-Balancing Criteria
Configuration              | Layer 2 Criteria           | Layer 3 Criteria           | Layer 4 Criteria
Destination MAC            | Destination MAC            | Destination MAC            | Destination MAC
Source MAC                 | Source MAC                 | Source MAC                 | Source MAC
Source and destination MAC | Source and destination MAC | Source and destination MAC | Source and destination MAC
S
The following figure shows how individual links can be combined into LACP EtherChannels and channel groups as well as function as individual links.
Figure 13: Individual Links Combined into an EtherChannel
With LACP, you can bundle up to 16 interfaces in a channel group.
Note: When you delete the EtherChannel, Cisco NX-OS automatically deletes the associated channel group. All member interfaces revert to their previous configuration.
◦ Port physical characteristics, such as the data rate, the duplex capability, and the point-to-point or shared medium state
◦ Configuration restrictions that you establish
Channel Modes
Individual interfaces in EtherChannels are configured with channel modes. When you run static EtherChannels, with no protocol, the channel mode is always set to on.
• A port in active mode can form an EtherChannel successfully with another port that is in active mode.
• A port in active mode can form an EtherChannel with another port in passive mode.
• A port in passive mode cannot form an EtherChannel with another port that is also in passive mode because neither port will initiate negotiation.
• A port in on mode is not running LACP.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface port-channel channel-number
        Specifies the port-channel interface to configure, and enters the interface configuration mode. The channel-number range is from 1 to 4096. Cisco NX-OS automatically creates the channel group if it does not already exist.
This example shows how to add Ethernet interface 1/4 to channel group 1:
switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# switchport mode trunk
switch(config-if)# channel-group 1
Related Topics
• Enabling LACP, page 120
Configuring Load Balancing Using EtherChannels
You can configure the load-balancing algorithm for EtherChannels that applies to the entire device.
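To show what the device-wide load-balancing criterion actually decides, here is an added Python model (not code from the Cisco guide, and not the NX-OS hashing algorithm): each criterion from Table 10 selects which header fields are hashed, and the hash picks one member link. The XOR-and-modulo fold, the flow fields and the sample addresses are constructed for illustration; the property it demonstrates is that a criterion which ignores part of a flow's identity pins many flows onto one link.

```python
"""EtherChannel load-balancing criteria, illustrated.

Added example, not code from the Cisco guide and not the NX-OS hashing
algorithm itself. It models the behaviour the guide describes: the
device-wide load-balancing criterion picks which fields of a frame feed
the hash, and the hash selects one member link of the EtherChannel.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """The header fields an EtherChannel hash can look at."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Criterion name -> Flow fields it hashes. The names follow the criteria in
# the guide's Table 10 (MAC, IP and TCP/UDP port; source, destination or both).
CRITERIA: Dict[str, Tuple[str, ...]] = {
    "source-mac": ("src_mac",),
    "destination-mac": ("dst_mac",),
    "source-dest-mac": ("src_mac", "dst_mac"),
    "source-ip": ("src_ip",),
    "destination-ip": ("dst_ip",),
    "source-dest-ip": ("src_ip", "dst_ip"),
    "source-port": ("src_port",),
    "destination-port": ("dst_port",),
    "source-dest-port": ("src_port", "dst_port"),
}


def _field_as_int(flow: Flow, field: str) -> int:
    """Convert one header field to an integer so it can be folded into the hash."""
    value = getattr(flow, field)
    if field.endswith("_mac"):
        return int(str(value).replace(".", "").replace(":", "").replace("-", ""), 16)
    if field.endswith("_ip"):
        return int(ipaddress.ip_address(value))
    return int(value)


def select_member(flow: Flow, criterion: str, member_count: int) -> int:
    """Return the index (0..member_count-1) of the member link this flow uses.

    Constructed hash: XOR the selected fields together, then reduce modulo the
    number of member links. Real hardware folds bits differently, but the
    property the guide relies on holds either way: the same fields always map
    to the same link, so packets of one flow stay in order.
    """
    if criterion not in CRITERIA:
        raise ValueError(f"unknown load-balancing criterion: {criterion!r}")
    if member_count < 1:
        raise ValueError("an EtherChannel needs at least one member link")
    folded = 0
    for field in CRITERIA[criterion]:
        folded ^= _field_as_int(flow, field)
    return folded % member_count


def distribution(flows: List[Flow], criterion: str, member_count: int) -> List[int]:
    """Count how many of the given flows land on each member link."""
    counts = [0] * member_count
    for flow in flows:
        counts[select_member(flow, criterion, member_count)] += 1
    return counts


# Constructed sample: one server (10.0.0.1) answering four different clients
# over a 4-link EtherChannel. Addresses and MACs are made up.
SAMPLE_FLOWS = [
    Flow("0000.1111.0001", "0000.2222.000%d" % i, "10.0.0.1", "10.0.0.%d" % (i + 1),
         443, 50000 + i)
    for i in range(1, 5)
]

if __name__ == "__main__":
    # A source-only criterion pins every flow from the server to one link;
    # a criterion that includes the destination spreads them.
    for criterion in ("source-ip", "destination-ip", "source-dest-ip"):
        print(f"{criterion:16s} -> {distribution(SAMPLE_FLOWS, criterion, 4)}")
```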
Enabling LACP
LACP is disabled by default; you must enable LACP before you begin LACP configuration. You cannot disable LACP while any LACP configuration is present. LACP learns the capabilities of LAN port groups dynamically and informs the other LAN ports. Once LACP identifies correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.
Step 4  switch(config-if)# no channel-group
        Returns the port mode to on for the specified interface.
Step 2  switch(config)# interface type slot/port
        Specifies the interface to configure, and enters the interface configuration mode.
Step 3  switch(config-if)# lacp port-priority
        Configures the port priority for use with LACP. Valid values are 1 through 65535, and higher numbers have lower priority. The default value is 32768.
CHAPTER 10
Configuring Virtual Port Channels
This chapter describes how to configure virtual port channels (vPCs) on Cisco Nexus 5000 Series switches.
Information About vPCs
vPC Overview
you to create redundancy by enabling multiple parallel paths between nodes and load balancing traffic where alternative paths exist.
Figure 14: vPC Architecture
You configure the EtherChannels by using one of the following:
• No protocol
• Link Aggregation Control Protocol (LACP)
When you configure the EtherChannels in a vPC—including the vPC peer link channel—each switch can have up to 16 active links in a single EtherChannel.
A vPC provides the following benefits:
• Allows a single device to use an EtherChannel across two upstream devices
• Eliminates Spanning Tree Protocol (STP) blocked ports
• Provides a loop-free topology
• Uses all available uplink bandwidth
• Provides fast convergence if either the link or a switch fails
• Provides link-level resiliency
• Assures high availability
Terminology
vPC Terminology
The terminology used in vPCs is as follows:
• vPC—The combined EtherChannel betw
• EtherChannel host interface—An EtherChannel downlink connection from the Fabric Extender host interface to a server port.
Note: In Release 4.1(3)N1(1), an EtherChannel host interface consists of only one host interface and can be configured either as a Link Aggregation Control Protocol (LACP) or non-LACP EtherChannel. For further information about the Fabric Extender, refer to the Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide.
topology that is shown in the following figure provides the vPC functionality to dual homed servers with 1-Gigabit Ethernet uplink interfaces.
Figure 16: Single Homed Fabric Extender vPC Topology
The Cisco Nexus 5000 Series switch can support up to 12 configured single homed Fabric Extenders (576 ports) with this topology; however, only 480 dual homed host servers can be configured in vPCs with this configuration.
The Cisco Nexus 5000 Series switch can support up to 12 configured dual homed Fabric Extenders with this topology. A maximum of 480 single homed servers can be connected to this configuration.
vPC Domain
You can use the vPC domain ID to identify the vPC peer links and the ports that are connected to the vPC downstream switches.
default VRF, an SVI must be created to act as the source and destination addresses for the vPC peer-keepalive messages. Ensure that both the source and destination IP addresses used for the peer-keepalive messages are unique in your network and that these IP addresses are reachable from the VRF associated with the vPC peer-keepalive link.
• STP region configuration for Multiple Spanning Tree (MST)
• Enable or disable state per VLAN
• STP global settings:
  ◦ Bridge Assurance setting
  ◦ Port type setting—We recommend that you set all vPC interfaces as network ports
  ◦ Loop Guard settings
• STP interface settings:
  ◦ Port type setting
  ◦ Loop Guard
  ◦ Root Guard
• Maximum Transmission Unit (MTU)
• Quality of Service global settings
  ◦ System QoS policy
  ◦ System Network-QoS polic
link. You must create all VLANs on both the primary and secondary vPC switches, or the VLAN will be suspended.
Note: You must ensure that the two switches connected by the vPC peer link have certain identical operational and configuration parameters.
When you configure the vPC peer link, the vPC peer switches negotiate that one of the connected switches is the primary switch and the other connected switch is the secondary switch. By default, the Cisco NX-OS software uses the lowest MAC address to elect the primary switch.
• We recommend that you configure Unidirectional Link Detection (UDLD) on both sides of the vPC peer link.
vPC Number
Once you have created the vPC domain ID and the vPC peer link, you can create EtherChannels to attach the downstream switch to each vPC peer switch. That is, you create one EtherChannel from the downstream switch to the primary vPC peer switch and you create another EtherChannel from the downstream switch to the secondary peer switch.
You must configure a list of parameters to be identical on the vPC peer switches on both sides of the vPC peer link. STP is distributed; that is, the protocol continues running on both vPC peer switches. However, the configuration on the vPC peer switch elected as the primary switch controls the STP process for the vPC interfaces on the secondary vPC peer switch.
• Only EtherChannels can be in vPCs. A vPC can be configured on a normal EtherChannel (switch-to-switch vPC topology), on an EtherChannel fabric interface (fabric extender vPC topology), and on an EtherChannel host interface (host interface vPC topology).
Note: Refer to the Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide for information about Fabric Extender host and fabric interfaces.
Note: When you disable the vPC feature, the Cisco Nexus 5000 Series switch clears all the vPC configurations.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# no feature vpc
        Disables vPCs on the switch.
Step 3  switch# show feature
        (Optional) Displays which features are enabled on the switch.
Step 4  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
This example shows how to create a vPC domain:
switch# configure terminal
switch(config)# vpc domain 5
Configuring a vPC Keepalive Link
You can configure the destination IP for the peer-keepalive link that carries the keepalive messages.
This example shows how to configure the destination IP address for the vPC-peer-keepalive link:
switch# configure terminal
switch(config)# vpc domain 5
switch(config-vpc-domain)# peer-keepalive destination 10.10.10.42
Creating a vPC Peer Link
You can create a vPC peer link by designating the EtherChannel that you want on each switch as the peer link for the specified vPC domain.
This example shows how to check that the required configurations are compatible across all the vPC interfaces:
switch# show vpc consistency-parameters global
    Legend:
        Type 1 : vPC will be suspended in case of mismatch
Name                Type  Local Value                       Peer Value
----------------    ----  --------------------------------  --------------------------------
QoS                 1     ([], [3], [0,7], [2], [4], [6])   ([], [3], [0,7], [2], [4], [6])
Network QoS (MTU)   1     (1538, 2240, 0, 0, 0, 0)          (1538, 2240, 0, 0, 0, 0)
Ne
Ensure that the connected Fabric Extender is online. You must configure both switches on either side of the vPC peer link with the following procedure.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface ethernet chassis/slot/port
        Specifies an interface to configure, and enters interface configuration mode.
Note: A vPC can be configured on a normal EtherChannel (physical vPC topology), on an EtherChannel fabric interface (fabric extender vPC topology), and on an EtherChannel host interface (host interface vPC topology).
Step 3  switch(config-if)# vpc number
        Configures the selected EtherChannel into the vPC to connect to the downstream switch. The range is from 1 to 4096.
Step 4  switch# show vpc role
        (Optional) Displays the vPC system MAC address.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure a vPC domain MAC address:
switch# configure terminal
switch(config)# vpc domain 5
switch(config-if)# system-mac 23fb.4ab5.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure a vPC peer link:
switch# configure terminal
switch(config)# vpc domain 5
switch(config-if)# role priority 4000
Verifying the vPC Configuration
Use the following commands to display vPC configuration information:
Command               Purpose
switch# show feature  Displays whether vPC is enabled or not.
vPC Example Configurations
Dual Homed Fabric Extender vPC Configuration Example
The following example shows how to configure the dual homed Fabric Extender vPC topology using the management VRF to carry the peer-keepalive messages on switch NX-5000-1, as shown in the following figure:
Figure 18: vPC Configuration Example
Before You Begin
Ensure that the Cisco Nexus 2000 Series Fabric Extender NX-2000-100 is attached and online.
Step 5  Configure the fabric EtherChannel links for the Fabric Extender NX-2000-100.
Before You Begin
Ensure that the Cisco Nexus 2000 Series Fabric Extenders NX-2000-100 and NX-2000-101 are attached and online.
Procedure
Step 1  Enable vPC and LACP.
NX-5000-1# configure terminal
NX-5000-1(config)# feature lacp
NX-5000-1(config)# feature vpc
Step 2  Enable SVI interfaces, and create the VLAN and SVI to be used by the vPC peer-keepalive link.
Step 7  Configure a vPC server port on the Fabric Extender NX-2000-100.
CHAPTER 11
Configuring Rapid PVST+
Rapid per VLAN Spanning Tree (Rapid PVST+) is an updated implementation of STP that allows you to create one spanning tree topology for each VLAN. Rapid PVST+ is the default Spanning Tree Protocol (STP) mode on the switch.
Note: Spanning tree is used to refer to IEEE 802.1w and IEEE 802.1s. If the text is discussing the IEEE 802.1D Spanning Tree Protocol, 802.1D is stated specifically.
Information About Rapid PVST+
Understanding STP
STP Overview
For an Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments. When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network.
Bridge Priority Value
The bridge priority is a 4-bit value when the extended system ID is enabled.
Note: In Cisco NX-OS, the extended system ID is always enabled; you cannot disable the extended system ID.
Related Topics
• Configuring the Rapid PVST+ Bridge Priority of a VLAN, page 170
Extended System ID
A 12-bit extended system ID field is part of the bridge ID.
• 16384
• 20480
• 24576
• 28672
• 32768
• 36864
• 40960
• 45056
• 49152
• 53248
• 57344
• 61440
STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN. If another bridge in the same spanning tree domain does not run the MAC address reduction feature, it could achieve root bridge ownership because its bridge ID may fall between the values specified by the MAC address reduction feature.
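The bridge ID layout described above (4-bit priority, 12-bit extended system ID, 48-bit MAC) and the per-VLAN root election it drives, as an added Python example that is not code from the Cisco guide. The switch names and MAC addresses are constructed; the legacy bridge models the interoperability caveat in the last sentence, a bridge without MAC address reduction whose raw 16-bit priority field falls between two of the multiples of 4096.

```python
"""Rapid PVST+ bridge ID and root election, illustrated.

Added example, not code from the Cisco guide. It builds the bridge ID the
chapter describes: a 4-bit bridge priority (a multiple of 4096), a 12-bit
extended system ID carrying the VLAN, and the 48-bit bridge MAC address.
The switch with the lowest bridge ID for a VLAN becomes that VLAN's root.
"""
from dataclasses import dataclass
from typing import Iterable

# The 16 priorities a MAC-address-reduction bridge can use: 0, 4096, ..., 61440.
ALLOWED_PRIORITIES = tuple(p * 4096 for p in range(16))
DEFAULT_PRIORITY = 32768


def parse_mac(mac: str) -> int:
    """Parse a MAC in Cisco dotted form ('001c.b05a.0001') or colon form."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str, mac_reduction: bool = True) -> int:
    """Return the 64-bit bridge ID as an integer so that ordinary integer
    comparison matches the STP election (smaller wins).

    With MAC address reduction (always on in NX-OS), the upper 16 bits are
    the priority (bits 15..12) plus the VLAN as extended system ID (bits 11..0).
    A legacy bridge without MAC address reduction uses all 16 bits as a
    free-form priority, which is the interoperability caveat in the text.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1..4094")
    if mac_reduction:
        if priority not in ALLOWED_PRIORITIES:
            raise ValueError(f"priority {priority} must be a multiple of 4096 below 65536")
        upper16 = priority | vlan
    else:
        if not 0 <= priority <= 0xFFFF:
            raise ValueError(f"legacy priority {priority} must fit in 16 bits")
        upper16 = priority
    return (upper16 << 48) | parse_mac(mac)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY
    mac_reduction: bool = True


def elect_root(bridges: Iterable[Bridge], vlan: int) -> str:
    """Name of the bridge that wins the root election for the given VLAN."""
    return min(bridges, key=lambda b: bridge_id(b.priority, vlan, b.mac, b.mac_reduction)).name


# Constructed sample: two NX-OS switches at the default priority, one NX-OS
# switch deliberately lowered to 24576, and one legacy bridge whose raw 16-bit
# priority field is 32770 (not a multiple of 4096). MACs are made up.
SAMPLE_BRIDGES = (
    Bridge("nx-a", "001c.b05a.0001"),
    Bridge("nx-b", "001c.b05a.0002"),
)
LOW_PRIORITY_BRIDGE = Bridge("nx-c", "001c.b05a.0003", priority=24576)
LEGACY_BRIDGE = Bridge("legacy", "00aa.bbcc.ddee", priority=32770, mac_reduction=False)

if __name__ == "__main__":
    # Same priority: the lowest MAC wins. Lower priority beats any MAC.
    print("VLAN 5, defaults only:", elect_root(SAMPLE_BRIDGES, 5))
    print("VLAN 5, with nx-c:", elect_root(SAMPLE_BRIDGES + (LOW_PRIORITY_BRIDGE,), 5))
    # The legacy value 32770 sits below 32768 + 5 but above 32768 + 1, so the
    # legacy bridge takes VLAN 5 from the defaults while nx-a keeps VLAN 1.
    print("VLAN 5, with legacy:", elect_root(SAMPLE_BRIDGES + (LEGACY_BRIDGE,), 5))
    print("VLAN 1, with legacy:", elect_root(SAMPLE_BRIDGES + (LEGACY_BRIDGE,), 1))
```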
• The shortest distance to the root bridge is calculated for each switch based on the path cost.
• A designated bridge for each LAN segment is selected. This is the switch closest to the root bridge through which frames are forwarded to the root.
• A root port is selected. This is the port providing the best path from the bridge to the root bridge.
• Ports included in the spanning tree are selected.
to a port that has a higher number than the current root port can cause a root-port change. The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a fiber-optic link, and another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the high-speed fiber-optic link.
• Point-to-point links—If you connect a port to another port through a point-to-point link and the local port becomes a designated port, it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology.
Rapid PVST+ achieves rapid transition to the forwarding state only on edge ports and point-to-point links.
Rapid PVST+ BPDUs
Rapid PVST+ and 802.1w use all six bits of the flag byte to add the role and state of the port that originates the BPDU, and the proposal and agreement handshake. The following figure shows the use of the BPDU flags in Rapid PVST+.
Figure 22: Rapid PVST+ Flag Byte in BPDU
Another important change is that the Rapid PVST+ BPDU is type 2, version 2, which makes it possible for the switch to detect connected legacy (802.1D) bridges.
Proposal and Agreement Handshake
As shown in the following figure, switch A is connected to switch B through a point-to-point link, and all of the ports are in the blocking state. Assume that the priority of switch A is a smaller numerical value than the priority of switch B.
Related Topics
• Summary of Port States, page 161
Protocol Timers
The following table describes the protocol timers that affect the Rapid PVST+ performance.
Table 15: Rapid PVST+ Protocol Timers
Variable     Description
Hello timer  Determines how often each switch broadcasts BPDUs to other switches. The default is 2 seconds, and the range is from 1 to 10.
In a stable topology with consistent port roles throughout the network, Rapid PVST+ ensures that every root port and designated port immediately transitions to the forwarding state while all alternate and backup ports are always in the blocking state. Designated ports start in the blocking state. The port state controls the operation of the forwarding and learning processes. A port with the root or a designated port role is included in the active topology.
When you enable Rapid PVST+, every port in the software, VLAN, and network goes through the blocking state and the transitory states of learning at power up. If properly configured, each LAN port stabilizes to the forwarding or blocking state.
• Forwards frames switched from another port for forwarding.
• Incorporates the end station location information into its address database.
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.
Disabled State
A LAN port in the disabled state does not participate in frame forwarding or STP. A LAN port in the disabled state is virtually nonoperational.
If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the Rapid PVST+ forces it to synchronize with new root information. In general, when the Rapid PVST+ forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
Detecting Unidirectional Link Failure
The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops. When a designated port detects a conflict, it keeps its role, but reverts to a discarding state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop.
You can assign lower cost values to LAN interfaces that you want STP to select first and higher cost values to LAN interfaces that you want STP to select last. If all LAN interfaces have the same cost value, STP puts the LAN interface with the lowest LAN interface number in the forwarding state and blocks other LAN interfaces. On access ports, you assign port cost by the port.
This method of operation is required only for 802.1D switches. The 802.1w BPDUs do not have the TCA bit set.
• Protocol migration—For backward compatibility with 802.1D switches, 802.1w selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which 802.1w BPDUs are sent), and 802.1w BPDUs are sent.
Step 2  switch(config)# spanning-tree mode rapid-pvst
        Enables Rapid PVST+ on the switch. Rapid PVST+ is the default spanning tree mode.
Note: Changing the spanning tree mode disrupts traffic because all spanning tree instances are stopped for the previous mode and started for the new mode.
This example shows how to enable STP on a VLAN:
switch# configure terminal
switch(config)# spanning-tree vlan 5
Configuring the Root Bridge ID
The software maintains a separate instance of STP for each active VLAN in Rapid PVST+. For each VLAN, the switch with the lowest bridge ID becomes the root bridge for that VLAN.
This example shows how to configure the switch as the root bridge for a VLAN:
switch# configure terminal
switch(config)# spanning-tree vlan 5 root primary diameter 4
Configuring a Secondary Root Bridge
When you configure a software switch as the secondary root, the STP bridge priority is modified from the default value (32768) so that the switch is likely to become the root bridge for the specified VLANs if the primary root bridge fails (assuming
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface type slot/port
        Specifies the interface to configure, and enters interface configuration mode.
Step 3  switch(config-if)# spanning-tree [vlan vlan-list] port-priority priority
        Configures the port priority for the LAN interface. The priority value can be from 0 to 224.
The default is auto, which sets the port cost based on both the pathcost calculation method and the media speed.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# spanning-tree vlan vlan-range hello-time hello-time
        Configures the hello time of a VLAN. The hello time value can be from 1 to 10 seconds. The default is 2 seconds.
Specifying the Link Type
Rapid connectivity (802.1w standard) is established only on point-to-point links. By default, the link type is controlled from the duplex mode of the interface. A full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection.
Command                                           Purpose
switch# show running-config spanning-tree [all]   Displays the current spanning tree configuration.
switch# show spanning-tree [options]              Displays selected detailed information for the current spanning tree configuration.
This example shows how to display spanning tree status:
switch# show spanning-tree brief
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32768
             Address     001c.b05a.
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide 174 OL-16597-01
CHAPTER 12
Configuring Multiple Spanning Tree
Multiple Spanning Tree (MST), which is the IEEE 802.1s standard, allows you to assign two or more VLANs to a spanning tree instance. MST is not the default spanning tree mode; Rapid per VLAN Spanning Tree (Rapid PVST+) is the default mode. MST instances with the same name, revision number, and VLAN-to-instance mapping combine to form an MST region. The MST region appears as a single bridge to spanning tree configurations outside the region.
Information About MST
MST provides rapid convergence through explicit handshaking as each MST instance uses the IEEE 802.1w standard, which eliminates the 802.1D forwarding delay and quickly transitions root bridge ports and designated ports to the forwarding state. MAC address reduction is always enabled while you are using MST. You cannot disable this feature. MST improves spanning tree operation and maintains backward compatibility with these STP versions:
• Original 802.
that one BPDU that the IST sends. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed to support MSTIs is significantly reduced.
Figure 27: MST BPDU with M-Records for MSTIs
MST Configuration Information
The MST configuration that must be identical on all switches within a single MST region is configured by the user.
• An IST is the spanning tree that runs in an MST region.
MST establishes and maintains additional spanning trees within each MST region; these spanning trees are called multiple spanning tree instances (MSTIs). Instance 0 is a special instance for a region, known as the IST. The IST always exists on all ports; you cannot delete the IST, or Instance 0. By default, all VLANs are assigned to the IST.
The IST connects all the MST switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. The following figure shows a network with three MST regions and an 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root.
parameters require the external qualifiers and not the internal or regional qualifiers. The MST terminology is as follows:
• The CIST root is the root bridge for the CIST, which is the unique instance that spans the whole network.
• The CIST external root path cost is the cost to the CIST root. This cost is left unchanged within an MST region. An MST region looks like a single switch to the CIST.
that are internal to a region to share a segment with a port that belongs to a different region, creating the possibility of receiving both internal and external messages on a port (see the following figure).
Figure 29: MST Boundary Ports
At the boundary, the roles of MST ports do not matter; the system forces their state to be the same as the IST port state.
Port Cost and Port Priority
Spanning tree uses port costs to break a tie for the designated port. Lower values indicate lower port costs, and spanning tree chooses the least costly path. Default port costs are taken from the bandwidth of the interface, as follows:
• 10 Mbps—2,000,000
• 100 Mbps—200,000
• 1 Gigabit Ethernet—20,000
• 10 Gigabit Ethernet—2,000
You can configure the port costs in order to influence which port is chosen.
Interoperability with Rapid PVST+: Understanding PVST Simulation
MST interoperates with Rapid PVST+ with no need for user configuration. The PVST simulation feature enables this seamless interoperability.
Note: PVST simulation is enabled by default. That is, by default, all interfaces on the switch interoperate between MST and Rapid PVST+.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# spanning-tree mode mst
        Enables MST on the switch.
Step 3  switch(config)# no spanning-tree mode mst
        (Optional) Disables MST on the switch and returns you to Rapid PVST+.
Step 3  switch(config-mst)# exit
        or
        switch(config-mst)# abort
        • The first form commits all the changes and exits MST configuration mode.
        • The second form exits the MST configuration mode without committing any of the changes.
Step 4  switch(config)# no spanning-tree mst configuration
        (Optional) Returns the MST region configuration to the following default values:
        • The region name is an empty string.
Configuring MST: Specifying the Configuration on an MST Region

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# spanning-tree mst configuration
        Enters MST configuration submode.
Step 3  switch(config-mst)# revision version
        Specifies the revision number for the MST region. The range is from 0 to 65535, and the default value is 0.
Configuring MST: Mapping and Unmapping VLANs to MST Instances

Step 4  switch(config-mst)# name name
        Specifies the instance name. The name string has a maximum length of 32 characters and is case sensitive.
Step 5  switch(config-mst)# revision version
        Specifies the configuration revision number. The range is from 0 to 65535.
Configuring MST: Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# spanning-tree mst configuration
        Enters MST configuration submode.
Step 3  switch(config-mst)# instance instance-id vlan vlan-range
        Maps VLANs to an MST instance, as follows:
        • For instance-id the range is from 1 to 4094. Instance 0 is reserved for the IST for each MST region.
Configuring MST: Configuring the Root Bridge

This example shows how to automatically map all the secondary VLANs to the same MSTI as their associated primary VLANs in all private VLANs:

switch# configure terminal
switch(config)# spanning-tree mst configuration
switch(config-mst)# private-vlan synchronize

Configuring the Root Bridge

You can configure the switch to become the root bridge.

Note The root bridge for each MSTI should be a backbone or distribution switch.
Configuring MST: Configuring a Secondary Root Bridge

This example shows how to configure the switch as the root switch for MSTI 5:

switch# configure terminal
switch(config)# spanning-tree mst 5 root primary

Configuring a Secondary Root Bridge

You can execute this command on more than one switch to configure multiple backup root bridges.
Configuring MST: Configuring the Port Cost

Step 2  switch(config)# interface {{type slot/port} | {port-channel number}}
        Specifies an interface to configure, and enters interface configuration mode.
Step 3  switch(config-if)# spanning-tree mst instance-id port-priority priority
        Configures the port priority as follows:
        • For instance-id, you can specify a single MSTI, a range of MSTIs separated by a hyphen, or a series of MSTIs separated by a comma. The range is from 1 to 4094.
Configuring MST: Configuring the Switch Priority

        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is from 1 to 4094.
        • For cost, the range is from 1 to 200000000. The default value is auto, which is derived from the media speed of the interface.
Configuring the Hello Time

You can configure the interval between the generation of configuration messages by the root bridge for all instances on the switch by changing the hello time.

Note Exercise care when using this command. For most situations, we recommend that you enter the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary configuration commands to modify the hello time.
Configuring the Maximum-Aging Time

The maximum-aging timer is the number of seconds that a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration. You set the maximum-aging timer for all MST instances on the switch with one command (the maximum age time only applies to the IST).

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Configuring MST: Configuring PVST Simulation Per Port

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# no spanning-tree mst simulate pvst global
        Disables all interfaces on the switch from automatically interoperating with a connected switch that is running in Rapid PVST+ mode. The default for this is enabled; that is, by default, all interfaces on the switch operate seamlessly between Rapid PVST+ and MST.
Configuring MST: Specifying the Link Type

This example shows how to prevent the specified interfaces from automatically interoperating with a connecting switch that is not running MST:

switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# spanning-tree mst simulate pvst disable

Specifying the Link Type

Rapid connectivity (802.1w standard) is established only on point-to-point links. By default, the link type is controlled from the duplex mode of the interface.
Verifying MST Configurations: Restarting the Protocol

This example shows how to restart MST on the Ethernet interface on slot 2, port 8:

switch# clear spanning-tree detected-protocol interface ethernet 2/8

Verifying MST Configurations

To display MST configuration information, perform one of the following tasks:

Command                                            Purpose
switch# show running-config spanning-tree [all]    Displays the current spanning tree configuration.
CHAPTER 13 Configuring STP Extensions

This chapter describes the configuration of extensions to the Spanning Tree Protocol (STP) on Cisco Nexus 5000 Series switches. It includes the following sections:
• About STP Extensions, page 199

About STP Extensions

Cisco has added extensions to STP that make convergence more efficient. In some cases, even though similar functionality may be incorporated into the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) standard, we recommend using these extensions.
About STP Extensions: Spanning Tree Network Ports

Note If you configure a port connected to another switch as an edge port, you might create a bridging loop.

Spanning Tree Network Ports

Network ports are connected only to switches or bridges. Bridge Assurance is enabled only on network ports.

Note If you mistakenly configure ports that are connected to hosts or other edge devices as spanning tree network ports, those ports will automatically move into the blocking state.
About STP Extensions: Understanding BPDU Filtering

Note When enabled globally, BPDU Guard applies to all operational spanning tree edge interfaces.

Understanding BPDU Filtering

You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on specified ports. When configured globally, BPDU Filtering applies to all operational spanning tree edge ports. You should connect edge ports only to hosts, which typically drop BPDUs.
Understanding Loop Guard

Loop Guard protects networks from loops that are caused by the following:
• Network interfaces that malfunction
• Busy CPUs
• Anything that prevents the normal forwarding of BPDUs

An STP loop occurs when a blocking port in a redundant topology erroneously transitions to the forwarding state.
Configuring STP Extensions

STP Extensions Configuration Guidelines

When configuring STP extensions, follow these guidelines:
• Configure all access and trunk ports connected to hosts as edge ports.
• Bridge Assurance runs only on point-to-point spanning tree network ports. You must configure each side of the link for this feature.
• Loop Guard does not run on spanning tree edge ports.
About STP Extensions: Configuring Spanning Tree Edge Ports on Specified Interfaces

Note If you configure interfaces connected to hosts as network ports, those ports automatically move into the blocking state.
About STP Extensions: Configuring Spanning Tree Network Ports on Specified Interfaces

Step 2  switch(config)# interface type slot/port
        Specifies the interface to configure, and enters the interface configuration mode.
Step 3  switch(config-if)# spanning-tree port type edge
        Configures the specified access interfaces to be spanning edge ports. Edge ports immediately transition to the forwarding state without passing through the blocking or learning state at linkup.
About STP Extensions: Enabling BPDU Guard Globally

Step 3  switch(config-if)# spanning-tree port type network
        Configures the specified interfaces to be spanning network ports. If you enable Bridge Assurance, it automatically runs on network ports. By default, spanning tree ports are normal port types.
About STP Extensions: Enabling BPDU Filtering Globally

• no spanning-tree bpduguard—Enables BPDU Guard on the interface if it is an operational edge port and if the spanning-tree port type edge bpduguard default command is configured.

Before You Begin

Ensure that STP is configured.

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
About STP Extensions: Enabling BPDU Filtering on Specified Interfaces

Ensure that you have configured some spanning tree edge ports.

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# spanning-tree port type edge bpdufilter default
        Enables BPDU Filtering by default on all operational spanning tree edge ports. Global BPDU Filtering is disabled by default.
About STP Extensions: Enabling Loop Guard Globally

Step 2  switch(config)# interface type slot/port
        Specifies the interface to configure, and enters the interface configuration mode.
Step 3  switch(config-if)# spanning-tree bpdufilter {enable | disable}
        Enables or disables BPDU Filtering for the specified spanning tree edge interface. By default, BPDU Filtering is disabled.
Step 4  switch(config-if)# no spanning-tree
        (Optional) Disables BPDU Filtering on the interface.
Enabling Loop Guard or Root Guard on Specified Interfaces

You can enable either Loop Guard or Root Guard on specified interfaces. Enabling Root Guard on a port means that port cannot become a root port, and Loop Guard prevents alternate or root ports from becoming the designated port because of a failure that could lead to a unidirectional link.
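The following is an added example, not code from the Cisco guide. It reads a constructed configuration snippet in the style of the commands in this chapter and reports two conditions the text above describes: an edge port on which BPDU Guard is not in effect (no global bpduguard default, or disabled on the interface), and Loop Guard configured on an edge port, where the guidelines say it does not run. The configuration text, interface names and finding codes are constructed for the example.

```python
"""Audit of STP extension settings in a running configuration.

Added example, not from the Cisco guide: it parses a constructed
NX-OS-style configuration snippet and reports two conditions the text
above describes: an edge port on which BPDU Guard is not in effect (global
default absent, or disabled per interface), and Loop Guard configured on
an edge port, where it does not run. The configuration text below is
constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed snippet in the style of "show running-config spanning-tree".
SAMPLE_CONFIG = """\
spanning-tree port type edge bpduguard default
interface Ethernet1/1
  switchport access vlan 10
  spanning-tree port type edge
interface Ethernet1/2
  spanning-tree port type edge
  spanning-tree bpduguard disable
interface Ethernet1/3
  switchport mode trunk
  spanning-tree port type network
interface Ethernet1/4
  spanning-tree port type edge
  spanning-tree guard loop
interface Ethernet1/5
  spanning-tree port type edge
  spanning-tree bpduguard enable
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the config into global lines and per-interface line lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def bpduguard_in_effect(iface_lines: List[str], global_default: bool) -> bool:
    """Mirror the page's rule: an explicit per-interface setting wins;
    otherwise the global 'bpduguard default' applies to edge ports only."""
    if "spanning-tree bpduguard enable" in iface_lines:
        return True
    if "spanning-tree bpduguard disable" in iface_lines:
        return False
    return global_default and "spanning-tree port type edge" in iface_lines


def audit_stp(text: str) -> Dict[str, List[str]]:
    """Return {interface: [finding codes]} for interfaces with findings."""
    global_lines, interfaces = parse_config(text)
    global_default = "spanning-tree port type edge bpduguard default" in global_lines
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        codes: List[str] = []
        is_edge = "spanning-tree port type edge" in lines
        if is_edge and not bpduguard_in_effect(lines, global_default):
            codes.append("EDGE_NO_BPDUGUARD")
        if is_edge and "spanning-tree guard loop" in lines:
            # The guidelines above: Loop Guard does not run on edge ports.
            codes.append("LOOPGUARD_ON_EDGE")
        if codes:
            findings[name] = codes
    return findings


if __name__ == "__main__":
    for iface, codes in audit_stp(SAMPLE_CONFIG).items():
        print(iface, ", ".join(codes))
```

Removing the global bpduguard default line from the sample shows the second mode of the first finding: every edge port without an explicit per-interface enable is then reported, which is the state the Note about global BPDU Guard warns you to check.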
CHAPTER 14 Configuring the MAC Address Table

All Ethernet interfaces on Cisco Nexus 5000 Series switches maintain media access control (MAC) address tables. This chapter describes the configuration of the MAC address tables.
Configuring MAC Addresses: Configuring the Aging Time for the MAC Table

Note You can also configure a static MAC address in interface configuration mode or VLAN configuration mode.

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# mac-address-table static mac_address vlan vlan-id {drop | interface {type slot/port} | port-channel number} [auto-learn]
        Specifies a static address to add to the MAC address table.
Verifying the MAC Address Configuration: Clearing Dynamic Addresses from the MAC Table

This example shows how to set the aging time for entries in the MAC address table to 600 seconds (10 minutes):

switch# configure terminal
switch(config)# mac-address-table aging-time 600

Clearing Dynamic Addresses from the MAC Table

You can clear all dynamic entries in the MAC address table.

Command                                           Purpose
switch(config)# clear mac-address-table dynamic   Clears the dynamic address entries from the MAC address table.
CHAPTER 15 Configuring IGMP Snooping

Internet Group Management Protocol (IGMP) snooping streamlines multicast traffic handling for VLANs. By examining (snooping) IGMP membership report messages from interested hosts, the switch limits multicast traffic to the subset of VLAN interfaces on which those hosts reside. This chapter describes the configuration of IGMP snooping on Cisco Nexus 5000 Series switches.
Information About IGMP Snooping: IGMPv1 and IGMPv2

The following figure shows an IGMP snooping switch that is located between the host and the IGMP router. The IGMP snooping switch snoops the IGMP membership reports and leave messages and forwards them only when necessary to the connected IGMP routers.

Figure 31: IGMP Snooping Switch

Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
IGMPv3

The IGMPv3 snooping implementation on the switch forwards IGMPv3 reports to allow the upstream multicast router to do source-based filtering. By default, the software tracks hosts on each VLAN port. The explicit tracking feature provides a fast leave mechanism. Because every IGMPv3 host sends membership reports, a report suppression feature limits the amount of traffic the switch sends to other multicast-capable routers.
Configuring IGMP Snooping Parameters

To manage the operation of the IGMP snooping process, you can configure the optional IGMP snooping parameters described in the following table.

Table 19: IGMP Snooping Parameters

Parameter        Description
IGMP snooping    Enables IGMP snooping on a per-VLAN basis. The default is enabled.
                 Note If the global setting is disabled, then all VLANs are treated as disabled, whether they are enabled or not.
Configuring IGMP Snooping Parameters: IGMP Forwarding

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# ip igmp snooping
        Globally enables IGMP snooping. The default is enabled.
        Note If the global setting is disabled, then all VLANs are treated as disabled, whether they are enabled or not.
Step 3  switch(config)# vlan vlan-id
        Enters VLAN configuration mode.
Verifying IGMP Snooping Configuration: IGMP Forwarding

The following example shows configuring IGMP snooping parameters for a VLAN:

switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# ip igmp snooping last-member-query-interval 3
switch(config-vlan)# ip igmp snooping querier
switch(config-vlan)# ip igmp snooping
switch(config-vlan)# ip igmp snooping
switch(config-vlan)# ip igmp snooping
switch(config-vlan)# ip igmp snooping
switch(config-vlan)# ip igmp snooping
switch(config-vlan)# end
CHAPTER 16 Configuring Traffic Storm Control

This chapter describes how to configure traffic storm control on Cisco Nexus 5000 Series switches.
Traffic Storm Guidelines and Limitations

The following figure shows the broadcast traffic patterns on an Ethernet interface during a specified time interval. In this example, traffic storm control occurs between times T1 and T2 and between T4 and T5. During those intervals, the amount of broadcast traffic exceeded the configured threshold.
Configuring Traffic Storm Control: Verifying Traffic Storm Control Configuration

• Specify the level as a percentage of the total interface bandwidth:
  ◦ The level can be from 0 to 100.
  ◦ The optional fraction of a level can be from 0 to 99.
  ◦ 100 percent means no traffic storm control.
  ◦ 0.0 percent suppresses all traffic.

Because of hardware limitations and the method by which packets of different sizes are counted, the level percentage is an approximation.
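The following is an added example, not code from the Cisco guide. It validates a suppression level in the form described above (a whole percentage from 0 to 100 with an optional two-digit fraction) and then marks the monitoring intervals in which a constructed series of broadcast traffic samples exceeded that share of the interface bandwidth, the situation the figure shows between T1 and T2 and between T4 and T5. The interface bandwidth, interval length and traffic samples are constructed; the switch's own counting method is not modelled, which is why the text calls the percentage an approximation.

```python
"""Traffic storm control level parsing and storm interval detection.

Added example, not from the Cisco guide. The level grammar follows the
bullets above; the bandwidth, interval length and samples are constructed.
"""
import re
from typing import List, Optional, Tuple

# Whole percent with an optional fraction of one or two digits (0 to 99).
LEVEL_RE = re.compile(r"^(\d{1,3})(?:\.(\d{1,2}))?$")


def parse_level(text: str) -> float:
    """Parse a storm-control level such as '10.5' into a percentage.

    Rejects malformed input, levels above 100, and fractions above 100.0.
    """
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"malformed level: {text!r}")
    whole = int(m.group(1))
    frac = m.group(2) or "0"
    if whole > 100 or (whole == 100 and int(frac) != 0):
        raise ValueError(f"level out of range: {text!r}")
    return float(f"{whole}.{frac}")


def storm_intervals(samples_bits: List[int], bandwidth_bps: int,
                    interval_s: float, level_pct: float) -> List[Tuple[int, int]]:
    """Return (first, last) sample-index ranges in which the traffic seen in an
    interval exceeded level_pct of the bandwidth available in that interval.

    100 percent never triggers (no storm control); 0.0 triggers on any traffic.
    """
    if level_pct >= 100.0:
        return []
    threshold = bandwidth_bps * interval_s * level_pct / 100.0
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, bits in enumerate(samples_bits):
        over = bits > threshold
        if over and start is None:
            start = i                      # a storm interval begins (T1, T4)
        elif not over and start is not None:
            ranges.append((start, i - 1))  # the storm interval ends (T2, T5)
            start = None
    if start is not None:
        ranges.append((start, len(samples_bits) - 1))
    return ranges


# Constructed: a 1 Gbps interface sampled over 1-second intervals, in bits.
BANDWIDTH_BPS = 1_000_000_000
INTERVAL_S = 1.0
SAMPLES_BITS = [20_000_000, 200_000_000, 150_000_000, 30_000_000,
                40_000_000, 300_000_000, 10_000_000]


if __name__ == "__main__":
    level = parse_level("10.5")
    print(f"level {level}%:", storm_intervals(SAMPLES_BITS, BANDWIDTH_BPS, INTERVAL_S, level))
```

At a level of 10.5 percent the threshold is 105 Mbit per one-second interval, so samples 1 to 2 and sample 5 form two storm intervals, mirroring the two shaded periods in the figure; the same data at 100 percent yields none and at 0.0 percent yields one interval covering every non-idle sample.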
Traffic Storm Control Example Configuration: Verifying Traffic Storm Control Configuration

Command                                  Purpose
switch# show running-config interface    Displays the traffic storm control configuration.
PART III Switch Security Features

• Configuring Authentication, Authorization, and Accounting, page 227
• Configuring RADIUS, page 241
• Configuring TACACS+, page 255
• Configuring SSH and Telnet, page 269
• Configuring Access Control Lists, page 279
CHAPTER 17 Configuring Authentication, Authorization, and Accounting

This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco Nexus 5000 Series switches.
Information About AAA: Benefits of Using AAA

• Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and encryption, depending on the security protocol that you select. Authentication is the process of verifying the identity of the person or device accessing the Cisco Nexus 5000 Series switches. This process is based on the user ID and password combination provided by the entity trying to access the switch.
AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response.
Information About AAA: Authentication and Authorization Process for User Login

Table 22: AAA Authentication Methods for AAA Services

AAA Service                           AAA Methods
Console login authentication          Server groups, local, and none
User login authentication             Server groups, local, and none
User management session accounting    Server groups and local

Note For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus 5000 Series switches try each option in the ord
Prerequisites for Remote AAA: Authentication and Authorization Process for User Login

• If your username and password are successfully authenticated locally, the Cisco Nexus 5000 Series switch logs you in and assigns you the roles configured in the local database.

Figure 33: Authorization and Authentication Flow for User Login

Note "No more server groups left" means that there is no response from any server in all server groups.
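The following is an added example, not code from the Cisco guide. It models the login flow the server-group description and the Note above describe: the server groups in a login method list are tried in order, within a group each server is tried in turn until one responds, a response (accept or reject) ends the search, and only when no server in any group responds, the "No more server groups left" condition, does the switch fall back to the local database. Server names, credentials and the method list are constructed; treating a trailing none method as an unconditional accept is an assumption made for the example, and a real server's decision would arrive over RADIUS or TACACS+ rather than from an in-memory table.

```python
"""Login authentication method fallback across AAA server groups.

Added example, not from the Cisco guide: it models the login flow the
text and figure above describe. Server names, credentials and the method
list are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


class NoResponse(Exception):
    """Raised when a server (or a whole group) does not answer."""


@dataclass
class Server:
    name: str
    alive: bool
    users: Dict[str, str]  # constructed credential store standing in for the real server

    def authenticate(self, user: str, password: str) -> bool:
        if not self.alive:
            raise NoResponse(self.name)
        return self.users.get(user) == password


def try_group(servers: List[Server], user: str, password: str) -> bool:
    """Try each server in order; the first one that responds decides."""
    for server in servers:
        try:
            return server.authenticate(user, password)
        except NoResponse:
            continue  # move on to the next server in the group
    raise NoResponse("no server in group responded")


def authenticate(methods: List[Tuple[str, ...]], groups: Dict[str, List[Server]],
                 local_db: Dict[str, str], user: str, password: str) -> Tuple[str, str]:
    """Apply an 'aaa authentication login' style method list.

    methods entries: ("group", name), ("local",) or ("none",).
    Returns (decision, method that decided).
    """
    for method in methods:
        if method[0] == "group":
            try:
                ok = try_group(groups[method[1]], user, password)
            except NoResponse:
                continue  # this group is exhausted; try the next method
            return ("accept" if ok else "reject", f"group {method[1]}")
        if method[0] == "local":
            return ("accept" if local_db.get(user) == password else "reject", "local")
        if method[0] == "none":
            return ("accept", "none")  # assumption: none accepts unconditionally
    return ("reject", "no more server groups left")


def sample_groups(rad2_alive: bool = True) -> Dict[str, List[Server]]:
    """Constructed groups: first RADIUS server is dead, the TACACS+ server is dead."""
    return {
        "RadServer": [Server("rad1", False, {}),
                      Server("rad2", rad2_alive, {"admin": "R4dius-pw"})],
        "TacServer": [Server("tac1", False, {})],
    }


LOCAL_DB = {"admin": "L0cal-pw"}
METHODS = [("group", "RadServer"), ("group", "TacServer"), ("local",)]


if __name__ == "__main__":
    print(authenticate(METHODS, sample_groups(), LOCAL_DB, "admin", "R4dius-pw"))
    print(authenticate(METHODS, sample_groups(rad2_alive=False), LOCAL_DB, "admin", "L0cal-pw"))
```

The second and third calls below make the distinction the figure draws: a reject from a server that did respond is final, and the local password is never consulted, whereas the local database is reached only after every server in every group has failed to respond.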
Information about AAA Guidelines and Limitations: Configuring Console Login Authentication Methods

• The preshared secret key is configured on the Cisco Nexus 5000 Series switch and on the remote AAA servers.
• The remote server responds to AAA requests from the Cisco Nexus 5000 Series switch.
Configuring AAA: Configuring Default Login Authentication Methods

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# aaa authentication login console {group group-list [none] | local | none}
        Configures login authentication methods for the console. The group-list argument consists of a space-delimited list of group names. The group names are the following:
        • radius —Uses the global pool of RADIUS servers for authentication.
Configuring AAA: Enabling Login Authentication Failure Messages

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# aaa authentication login default {group group-list [none] | local | none}
        Configures the default authentication methods. The group-list argument consists of a space-delimited list of group names. The group names are the following:
        • radius —Uses the global pool of RADIUS servers for authentication.
Configuring AAA: Enabling MSCHAP Authentication

Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+).
Configuring AAA: Configuring AAA Accounting Default Methods

Step 4  switch# show aaa authentication login mschap
        (Optional) Displays the MS-CHAP configuration.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.

Related Topics
• About VSAs, page 237

Configuring AAA Accounting Default Methods

The Cisco Nexus 5000 Series switch supports TACACS+ and RADIUS methods for accounting.
Configuring AAA: Using AAA Server VSAs

        • named-group —Uses a named subset of TACACS+ or RADIUS servers for accounting.
        The local method uses the local database for accounting. The default method is local, which is used when no server groups are configured or when none of the configured server groups respond.
Step 3  switch(config)# exit
Step 4  switch# show aaa accounting
        (Optional) Displays the configured AAA accounting default methods.
Displaying and Clearing the Local AAA Accounting Log: Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers

• accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
Example AAA Configuration: Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers

Procedure

Step 1  show aaa accounting
        Displays AAA accounting configuration.
Step 2  show aaa authentication [login {error-enable | mschap}]
        Displays AAA authentication information.
Step 3  show aaa groups
        Displays the AAA server group configuration.
Step 4  show running-config aaa [all]
        Displays the AAA configuration in the running configuration.
CHAPTER 18 Configuring RADIUS

This chapter contains the following sections:
• Configuring RADIUS, page 241

Configuring RADIUS

Information About RADIUS

The Remote Access Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access.
Configuring RADIUS: RADIUS Operation

• Networks that support authentication profiles. Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles enable the Nexus 5000 Series switch to better manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements.
Configuring RADIUS: Vendor-Specific Attributes

a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place.

Figure 34: RADIUS Server States

Note The monitoring intervals for alive servers and dead servers are different and can be configured by the user. The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server.
Configuring RADIUS: Prerequisites for RADIUS

• roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space.
• accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs).
Configuring RADIUS Server Hosts

You must configure the IPv4 or IPv6 address or the host name for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers. To configure a RADIUS server host, perform this task:

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Configuring RADIUS: Configuring RADIUS Server Preshared Keys

Step 4  switch# show radius-server
        (Optional) Displays the RADIUS server configuration.
        Note The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Configuring RADIUS: Configuring RADIUS Server Groups

The following example shows how to configure a preshared key for a RADIUS server:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config

Configuring RADIUS Server Groups

You can specify one or more remote AAA servers for authentication using server groups. All members of a group must belong to the RADIUS protocol.
Configuring RADIUS: Allowing Users to Specify a RADIUS Server at Login

The following example shows how to configure a RADIUS server group:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.
Configuring RADIUS: Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server

Step 3  switch(config)# radius-server timeout seconds
        Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Step 4  switch(config)# exit
        Exits configuration mode.
Step 5  switch# show radius-server
        (Optional) Displays the RADIUS server configuration.
Configuring RADIUS: Configuring Accounting and Authentication Attributes for RADIUS Servers

The following example shows how to configure the RADIUS transmission retry count and timeout interval for a server:

switch# configure terminal
switch(config)# radius-server host server1 retransmit 3
switch(config)# radius-server host server1 timeout 10
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config

Configuring Accounting and Authentication Attributes for RADIUS Servers

You can
Configuring RADIUS: Configuring Periodic RADIUS Server Monitoring

The following example shows how to configure the accounting and authentication attributes for a RADIUS server:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1
switch(config)# radius-server host 10.10.1.1
switch(config)# radius-server host 10.10.2.2
switch(config)# radius-server host 10.10.2.
Configuring RADIUS: Configuring the Dead-Time Interval

Step 6  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.

To configure periodic RADIUS server monitoring, perform this task:

switch# configure terminal
switch(config)# radius-server host 10.10.1.
Configuring RADIUS: Verifying RADIUS Configuration

Procedure

Step 1  switch# test aaa server radius {ipv4-address | ipv6-address | server-name} [vrf vrf-name] username password
        Sends a test message to a RADIUS server to confirm availability.
Step 2  switch# test aaa group group-name username password
        Sends a test message to a RADIUS server group to confirm availability.
Example RADIUS Configuration

The following example shows how to configure RADIUS:

switch# configure terminal
switch(config)# radius-server key 7 "ToIkLhPpG"
switch(config)# radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.
CHAPTER 19 Configuring TACACS+

This chapter contains the following sections:
• About Configuring TACACS+, page 255

About Configuring TACACS+

Information About TACACS+

The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation.
User Login with TACACS+

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus 5000 Series switch using TACACS+, the following actions occur:
1 When the Cisco Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.

Note TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user.
TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus 5000 Series switch can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco Nexus 5000 Series switch marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers.
About Configuring TACACS+: Configuring TACACS+

• You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch.

Configuring TACACS+

TACACS+ Server Configuration Process

To configure TACACS+ servers, perform this task:

Procedure

Step 1  Enable TACACS+.
Step 2  Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.
Step 3  Configure the preshared secret keys for the TACACS+ servers.
Configuring TACACS+ Server Hosts

To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers. If a preshared key is not configured for a configured TACACS+ server, a warning message is issued if a global key is not configured.
About Configuring TACACS+: Configuring TACACS+ Server Preshared Keys

Step 2  switch(config)# tacacs-server key [0 | 7] key-value
        Specifies a preshared key for all TACACS+ servers. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. By default, no preshared key is configured.
Step 3  switch(config)# exit
        Exits configuration mode.
About Configuring TACACS+: Configuring TACACS+ Server Groups

        Note The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
About Configuring TACACS+: Specifying a TACACS+ Server at Login

Step 6  switch(config)# show tacacs-server groups
        (Optional) Displays the TACACS+ server group configuration.
Step 7  switch(config)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
About Configuring TACACS+: Configuring the Timeout Interval for a Server

To specify a TACACS+ global timeout interval, perform this task:

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# tacacs-server timeout seconds
        Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Step 3  switch(config)# exit
        Exits configuration mode.
About Configuring TACACS+: Configuring Periodic TACACS+ Server Monitoring

To configure TCP ports, perform this task:

Procedure

Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
        Specifies the TCP port to use for TACACS+ accounting messages. The default TCP port is 49. The range is from 1 to 65535.
Step 3  switch(config)# exit
        Exits configuration mode.
Configuring Periodic TACACS+ Server Monitoring (continued)
Step 2  switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
        Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is 0 to 1440 minutes.
Step 3  switch(config)# exit
        Exits configuration mode.
Step 4  switch# show tacacs-server
        (Optional) Displays the TACACS+ server configuration.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Displaying TACACS+ Statistics
To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:
Procedure
Step 1  switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
        Displays the TACACS+ statistics. For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference.
Default TACACS+ Settings
Table 26: Default TACACS+ Parameters
Parameters                            Default
TACACS+                               Disabled
Dead timer interval                   0 minutes
Timeout interval                      5 seconds
Idle timer interval                   0 minutes
Periodic server monitoring username   test
Periodic server monitoring password   test
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide 268 OL-16597-01
CHAPTER 20 Configuring SSH and Telnet
This chapter contains the following sections:
• Configuring SSH and Telnet, page 269
Configuring SSH and Telnet
Information About SSH and Telnet
SSH Server
The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus 5000 Series switch. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus 5000 Series switch will interoperate with publicly and commercially available SSH clients.
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2:
• The dsa option generates the DSA key-pair for the SSH version 2 protocol.
• The rsa option generates the RSA key-pair for the SSH version 2 protocol.
Step 3  switch(config)# exit
        Exits global configuration mode.
Step 4  switch# show ssh key
        (Optional) Displays the SSH server keys.
Step 5  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Specifying the SSH Public Keys for User Accounts (continued)
The following example shows how to specify an SSH public key in OpenSSH format:
switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-c
Specifying the SSH Public Keys in IETF SECSH Format
Procedure
Step 1  switch# copy server-file bootflash: filename
        Downloads the file containing the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP.
Step 2  switch# configure terminal
        Enters configuration mode.
Step 3  switch# show user-account
        (Optional) Displays the user account configuration.
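A public key is accepted by the switch in either of the two formats above: the OpenSSH one-line form pasted after username NAME sshkey, or an IETF SECSH (RFC 4716) file copied to bootflash. As an added example (not code from the Cisco guide), the following Python checks a key in either format before it is handed to the switch: it decodes the ssh-rsa blob, verifies that its length-prefixed fields are intact, reports the modulus size, and converts a SECSH file into the one-line OpenSSH form. The key material is constructed for the example (it is not a real key) and the user and host in the comment are made up.

```python
"""Validate an SSH public key before attaching it to a user account.
Added example for the two key formats the guide accepts (OpenSSH one-line
and IETF SECSH, RFC 4716); not code from the Cisco guide. The key material
below is constructed for the example and is not a real key.
"""
import base64
import struct

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 "mpint": big-endian magnitude, with a 0x00 byte prepended when
    # the top bit is set so the number is not read as negative
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """RFC 4253 ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_blob(blob: bytes) -> dict:
    """Walk the length-prefixed fields; reject truncated or non-RSA blobs."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    n = int.from_bytes(fields[2], "big")
    return {"type": "ssh-rsa", "e": int.from_bytes(fields[1], "big"),
            "n": n, "bits": n.bit_length()}


def parse_openssh(line: str) -> dict:
    """'ssh-rsa <base64> [comment]', the form pasted after 'username NAME sshkey'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    info = parse_blob(base64.b64decode(parts[1], validate=True))
    if info["type"] != parts[0]:
        raise ValueError("key type in the header does not match the blob")
    info["comment"] = parts[2] if len(parts) == 3 else ""
    return info


def parse_secsh(text: str) -> dict:
    """RFC 4716 armor: BEGIN line, 'Name: value' headers, base64 body, END line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != SECSH_BEGIN or lines[-1] != SECSH_END:
        raise ValueError("missing SECSH BEGIN/END lines")
    headers, body = {}, []
    for ln in lines[1:-1]:
        if ":" in ln and not body:          # header lines precede the body
            name, value = ln.split(":", 1)
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(ln)
    info = parse_blob(base64.b64decode("".join(body), validate=True))
    info["comment"] = headers.get("Comment", "")
    return info


def to_secsh(blob: bytes, comment: str) -> str:
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # RFC 4716 line length
    return "\n".join([SECSH_BEGIN, f'Comment: "{comment}"', *body, SECSH_END])


def secsh_to_openssh(text: str) -> str:
    """Rewrite a SECSH file into the one-line form the sshkey command takes."""
    info = parse_secsh(text)                 # validates the blob first
    body = [ln.strip() for ln in text.strip().splitlines()[1:-1] if ":" not in ln]
    return f"{info['type']} {''.join(body)} {info['comment']}".rstrip()


def is_valid_openssh(line: str) -> bool:
    try:
        parse_openssh(line)
        return True
    except ValueError:          # binascii.Error from bad base64 is a ValueError too
        return False


# Constructed key material (NOT a real key): e = 65537, 1024-bit stand-in modulus.
EXAMPLE_E, EXAMPLE_N = 65537, (1 << 1023) | 0x10001
EXAMPLE_BLOB = build_rsa_blob(EXAMPLE_E, EXAMPLE_N)
OPENSSH_LINE = "ssh-rsa " + base64.b64encode(EXAMPLE_BLOB).decode() + " user1@mgmt-host"
SECSH_TEXT = to_secsh(EXAMPLE_BLOB, "user1@mgmt-host")
```

A key that survives parse_openssh or parse_secsh has a blob whose internal lengths add up and whose first field matches the declared type; a line that was cut short when pasted (as easily happens with a 200-character base64 string) is rejected before it reaches the switch, and the reported bit length is the place to enforce a minimum key size.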
Disabling the SSH Server
To disable the SSH server to prevent SSH access to the switch, perform this task:
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# no feature ssh
        Disables the SSH server. The default is enabled.
Step 3  switch(config)# exit
        Exits global configuration mode.
Step 4  switch# show ssh server
        (Optional) Displays the SSH server configuration.
Step 1  switch# show users
        Displays user session information.
Step 2  switch# clear line vty-line
        Clears a user SSH session.
SSH Example Configuration
The following example shows how to configure SSH:
Procedure
Step 1  Generate an SSH server key.
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.
generated rsa key
Step 2  Enable the SSH server.
Configuring Telnet
Enabling the Telnet Server
By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 5000 Series switch.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# feature telnet
        Enables the Telnet server (no feature telnet disables it). The default is enabled.
The following example shows starting a Telnet session to connect to a remote device:
switch# telnet 10.10.1.1
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:
Clearing Telnet Sessions
To clear Telnet sessions from the Cisco Nexus 5000 Series switch, perform this task:
Procedure
Step 1  switch# show users
        Displays user session information.
CHAPTER 21 Configuring Access Control Lists
This chapter contains the following sections:
• Information About ACLs, page 279
• Configuring IP ACLs, page 283
• Configuring MAC ACLs, page 287
• Example Configuration for MAC ACLs, page 291
• Information About VLAN ACLs, page 291
• Configuring VACLs, page 292
• Example Configuration for VACL, page 295
• Default ACL Settings, page 295
Information About ACLs
An access control list (ACL) is an ordered set of rules that you can use to filter traffic.
Application Order
Table 28: Security ACL Applications
Application   Supported Interfaces                                          Types of ACLs Supported
Port ACL      An ACL is considered a port ACL when you apply it to one of   IPv4 ACLs
              the following:                                                IPv6 ACLs
              • Ethernet interface                                          MAC ACLs
              • Ethernet port-channel interface
              When a port ACL is applied to a trunk port, the ACL filters
              traffic on all VLANs on the trunk port.
All IPv4 ACLs include the following implicit rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
Additional Filtering Options
You can identify traffic by using additional options.
• Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
• Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
switch(config-acl)# no permit tcp 10.0.0.
Configuring IP ACLs
Creating an IP ACL
You can create an IPv4 or IPv6 ACL on the switch and add rules to it.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# {ip | ipv6} access-list name
        Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.
Changing an IP ACL
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# {ip | ipv6} access-list name
        Enters IP ACL configuration mode for the ACL that you specify by name.
Step 3  switch(config-acl)# [sequence-number] {permit | deny}
        Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL.
Removing an IP ACL
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# no {ip | ipv6} access-list name
        Removes the IP ACL that you specified by name from the running configuration.
Step 3  switch# show running-config
        (Optional) Displays ACL configuration. The removed IP ACL should not appear.
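The sequence-number behaviour described above (first match wins, a rule inserted at 105 lands between 100 and 110, removal without a sequence number means restating the whole rule, and unmatched IP traffic falls to the implicit deny ip any any) is easy to get wrong when an ACL is edited in place. The following Python model is an added example, not code from the Cisco guide: it reproduces those rules over constructed addresses so the effect of placing a deny before or after a broader permit can be checked. The sequence start and increment of 10, the CIDR-prefix matching, and the resequence behaviour are assumptions of the model.

```python
"""Model of IP ACL evaluation as described above: rules are checked in
sequence-number order, the first match decides, and unmatched IP traffic hits
the implicit 'deny ip any any'. Added example, not code from the Cisco guide;
the sequence start/increment of 10 and CIDR-prefix matching are assumptions of
this model, and all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _in_prefix(prefix: str, ip: str) -> bool:
    if prefix == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any IP protocol; otherwise "tcp", "udp", ...
    src: str      # CIDR prefix or "any"
    dst: str

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        return (self.proto in ("ip", proto)
                and _in_prefix(self.src, src_ip)
                and _in_prefix(self.dst, dst_ip))


class IpAcl:
    def __init__(self, name: str, start: int = 10, step: int = 10):
        self.name, self.start, self.step = name, start, step
        self.rules: dict = {}   # sequence number -> Rule

    def add(self, action: str, proto: str, src: str, dst: str,
            seq: Optional[int] = None) -> int:
        """With no sequence number the rule is appended after the last one."""
        if seq is None:
            seq = max(self.rules) + self.step if self.rules else self.start
        if seq in self.rules:
            raise ValueError(f"sequence number {seq} is already in use")
        self.rules[seq] = Rule(action, proto, src, dst)
        return seq

    def remove(self, seq: Optional[int] = None, rule: Optional[Rule] = None) -> None:
        """'no <seq>' removes by position; without it the whole rule is restated."""
        if seq is not None:
            del self.rules[seq]
            return
        for s, r in list(self.rules.items()):
            if r == rule:
                del self.rules[s]
                return
        raise KeyError("no such rule")

    def resequence(self, start: int = 10, step: int = 10) -> None:
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * step: r for i, r in enumerate(ordered)}

    def lookup(self, proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
        """(action, sequence) of the first matching rule, or the implicit deny."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(proto, src_ip, dst_ip):
                return self.rules[seq].action, seq
        return "deny", None   # implicit 'deny ip any any'


def demo() -> dict:
    acl = IpAcl("acl-ip-01")
    acl.add("deny", "tcp", "10.1.2.0/24", "any", seq=100)
    acl.add("permit", "tcp", "10.0.0.0/8", "any", seq=110)
    host = ("tcp", "10.5.0.7", "192.0.2.10")
    permitted = acl.lookup(*host)                        # ("permit", 110)
    # A narrower deny appended after 110 never fires: 110 has already matched
    tail = acl.add("deny", "tcp", "10.5.0.0/16", "any")  # lands at 120
    shadowed = acl.lookup(*host)                         # still ("permit", 110)
    # Placing it between 100 and 110, as the text describes, makes it effective
    acl.remove(seq=tail)
    acl.add("deny", "tcp", "10.5.0.0/16", "any", seq=105)
    carved_out = acl.lookup(*host)                       # ("deny", 105)
    implicit = acl.lookup("udp", "10.5.0.7", "192.0.2.10")  # ("deny", None)
    # Removing without a sequence number means restating the entire rule
    acl.remove(rule=Rule("deny", "tcp", "10.1.2.0/24", "any"))
    acl.resequence()
    return {"permitted": permitted, "shadowed": shadowed, "carved_out": carved_out,
            "implicit": implicit, "sequence": sorted(acl.rules)}
```

The shadowed case is the one to watch for on a real switch: a deny appended to the end of an ACL that already contains a broader permit changes nothing, and only the sequence number puts it where it takes effect.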
Applying an IP ACL as a Port ACL
Note    Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}
        Enters interface configuration mode for the specified interface.
Verifying IP ACL Configurations
Procedure
Step 1  switch# show {ip | ipv6} access-lists name
        Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists and show ipv6 access-list command output includes the number of packets that have matched each rule.
Configuring MAC ACLs
Creating a MAC ACL
Note    The mac access-list is applicable to non-IPv4 and non-IPv6 traffic only.
The following example shows how to create a MAC ACL and add rules to it:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics
Changing a MAC ACL
In an existing MAC ACL, you can add and remove rules. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
The following example shows how to change a MAC ACL:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any
switch(config-mac-acl)# statistics
Removing a MAC ACL
You can remove a MAC ACL from the switch. Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied.
Removing a MAC ACL (continued)
Step 4  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Verifying MAC ACL Configurations
Procedure
Step 1  switch# show mac access-lists
        Displays the MAC ACL configuration.
Step 2  switch# show running-config
        Displays ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to.
Step 3  switch# show running-config interface
        Displays the configuration of the interface to which you applied the ACL.
VACLs and Actions
In access map configuration mode, you use the action command to specify one of the following actions:
• Forward—Sends the traffic to the destination determined by normal operation of the switch.
• Drop—Drops the traffic.
Statistics
The switch can maintain global statistics for each rule in a VACL.
        The no option stops the switch from maintaining global statistics for the VACL.
Step 7  switch(config-access-map)# show running-config
        (Optional) Displays ACL configuration.
Step 8  switch(config-access-map)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Removing a VACL
You can remove a VACL, which means that you will delete the VLAN access map.
Step 3  switch(config)# show running-config
        (Optional) Displays ACL configuration.
Step 4  switch(config)# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Example Configuration for VACL
This example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:
switch# configure terminal
switch(config)# vlan access-map acl-ip-map
switch(config-access-map)# match ip address acl-ip-01
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter acl-ip-map vlan-list 50-82
Default ACL Settings
PART IV System Management
• Using Cisco Fabric Services, page 299
• Configuring User Accounts and RBAC, page 315
• Configuring Session Manager, page 325
• Configuring Online Diagnostics, page 329
• Configuring System Message Logging, page 335
• Configuring Smart Call Home, page 349
• Configuring SNMP, page 375
• Configuring RMON, page 387
CHAPTER 22 Using Cisco Fabric Services
This chapter contains the following sections:
• Using Cisco Fabric Services, page 299
Using Cisco Fabric Services
Cisco Nexus 5000 Series switches provide Cisco Fabric Services (CFS) capability, which simplifies provisioning by automatically distributing configuration information to all switches in the network. Switch features can use the CFS infrastructure to distribute feature data or configuration data required by the feature.
◦ Unrestricted uncoordinated distributions: Multiple parallel distributions are allowed in the network in the presence of an existing coordinated distribution. Unrestricted uncoordinated distributions are allowed to run in parallel with all other types of distributions.
The following features are supported for CFS distribution over IP:
• One scope of distribution over an IP network:
◦ Physical scope: The distribution spans the entire IP network.
Coordinated distribution has two variants:
• CFS driven—The stages are executed by CFS in response to a feature request without intervention from the feature.
• Feature driven—The stages are under the complete control of the feature.
Coordinated distributions are used to distribute information that can be manipulated and distributed from multiple switches, for example, the port security configuration.
Note    The switch attempts to distribute information over Fibre Channel first and then over the IP network if the first attempt over Fibre Channel fails. CFS does not send duplicate messages if distribution over both IP and Fibre Channel is enabled.
• Distribution over IP version 4 (IPv4) or IP version 6 (IPv6).
Note    CFS cannot distribute over both IPv4 and IPv6 from the same switch.
The following figure (Network Example 3) is the same as the previous figure except that node D and node E are connected using IP. Both node C and node D forward the event to E because node E is not in the distribution list from node B.
Figure 38: Network Example 3 with Fibre Channel and IP Connections
CFS Distribution over Fibre Channel
For CFS distribution over Fibre Channel, the CFS protocol layer resides on top of the FC2 layer.
CFS supports a protocol that reduces the number of merges required to one by handling the complexity of the merge at the CFS layer. This protocol runs per application per scope. The protocol involves selecting one switch in a fabric as the merge manager for that fabric. The other switches do not have a role in the merge process. During a merge, the merge managers in the two fabrics exchange their configuration databases with each other.
Note    The show cfs application command only displays applications registered with CFS. Conditional services that use CFS do not appear in the output unless these services are running.
Application: port-security
Scope      : Logical
-----------------------------------------------------------
VSAN  Domain  IP Address      User Name  User Type
-----------------------------------------------------------
1     238     10.76.100.167   admin      CLI/SNMP v3
2     211     10.76.100.
Clearing a Locked Session
You can clear locks held by an application from any switch in the network to recover from situations where locks are acquired and not released. This function requires Admin permissions.
Caution  Exercise caution when using this function to clear locks in the network. Any pending configurations in any switch in the network are flushed and lost.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# cfs region region-id
        Creates a region.
Assigning Applications to CFS Regions
You can assign an application on a switch to a region.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# cfs region region-id
        Creates a region.
The following example shows how to move an application into Region 2 that was originally assigned to Region 1:
switch# configure terminal
switch(config)# cfs region 2
switch(config-cfs-region)# ntp
Removing an Application from a Region
Removing an application from a region is the same as moving the application back to the default region (Region 0). This brings the entire network into the scope of distribution for the application.
Enabling CFS over IPv4 (continued)
Procedure
Step 1  switch# configure
        Enters configuration mode.
Step 2  switch(config)# cfs ipv4 distribute
        Globally enables CFS over IPv4 for all applications on the switch.
Step 3  switch(config)# no cfs ipv4 distribute
        (Optional) Disables (default) CFS over IPv4 on the switch.
Enabling CFS over IPv6
You can enable or disable CFS over IPv6.
Note    CFS cannot distribute over both IPv4 and IPv6 from the same switch.
Configuring IPv4 Multicast Address for CFS
You can configure a CFS over IP multicast address value for IPv4. The default IPv4 multicast address is 239.255.70.83.
Procedure
Step 1  switch# configure
        Enters configuration mode.
Step 2  switch(config)# cfs ipv4 mcast-address ipv4-address
        Configures the IPv4 multicast address for CFS distribution over IPv4. The ranges of valid IPv4 addresses are 239.255.0.
Displaying CFS Distribution Information
The show cfs merge status name command displays the merge status for a given application. The following example displays the output for an application distributing in logical scope. It shows the merge status in all valid VSANs on the switch. The command output shows the merge status as one of the following: Success, Waiting, Failure, or In Progress.
Physical Fabric
-------------------------------------------------
Switch WWN               IP Address
-------------------------------------------------
20:00:00:05:30:00:6b:9e  10.76.100.167 [Local]
20:00:00:0e:d7:00:3c:9e  10.76.100.169
Total number of entries = 2
The show cfs peers name command displays all the peers for which a particular application is registered with CFS.
Default CFS Settings
The following table lists the default settings for CFS configurations.
Table 32: Default CFS Parameters
Parameters                       Default
CFS distribution on the switch   Enabled.
Database changes                 Implicitly enabled with the first configuration change.
Application distribution         Differs based on application.
Commit                           Explicit configuration is required.
CFS over IP                      Disabled.
IPv4 multicast address           239.255.70.83.
CHAPTER 23 Configuring User Accounts and RBAC
This chapter contains the following sections:
• Configuring User Accounts and RBAC, page 315
Configuring User Accounts and RBAC
This section describes how to configure user accounts and role-based access control (RBAC) on the Cisco Nexus 5000 Series switch.
Information About User Accounts and RBAC
You can create and manage user accounts and assign roles that limit access to operations on the Cisco Nexus 5000 Series switch.
Characteristics of Strong Passwords
A strong password has the following characteristics:
• At least eight characters long
• Does not contain many consecutive characters (such as "abcd")
• Does not contain many repeating characters (such as "aaabbb")
• Does not contain dictionary words
• Does not contain proper names
• Contains both uppercase and lowercase characters
• Contains numbers
The following are examples of strong passwords:
• If
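The characteristics listed above can be checked mechanically before a username ... password command is issued. The following Python is an added example, not code from the Cisco guide: it reports every listed characteristic a candidate password fails. The guide gives no numeric thresholds, so a run of four sequential characters, three identical characters in a row, and dictionary words of at least four letters are assumptions of this check, and the short word and name lists are constructed for the example.

```python
"""Check a candidate password against the strong-password characteristics
listed above. Added example, not code from the Cisco guide. The thresholds
(a run of 4 sequential characters, 3 identical characters in a row,
dictionary words of 4 or more letters) and the word lists are assumptions
constructed for the example.
"""
from typing import List

DICTIONARY_WORDS = {"password", "admin", "cisco", "switch", "secret", "welcome"}
PROPER_NAMES = {"alice", "robert", "carol", "nexus"}


def has_sequential_run(pw: str, length: int = 4) -> bool:
    """True for runs like 'abcd' or '4321' (every step +1, or every step -1)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_repeated_run(pw: str, length: int = 3) -> bool:
    """True for runs like 'aaa': the same character `length` times in a row."""
    return any(pw[i:i + length] == pw[i] * length
               for i in range(len(pw) - length + 1))


def contains_word(pw: str, words, min_len: int = 4) -> bool:
    """Case-insensitive substring match against a word list."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def password_issues(pw: str) -> List[str]:
    """Every characteristic from the list above that the password fails to meet."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than eight characters")
    if has_sequential_run(pw):
        issues.append("contains consecutive characters")
    if has_repeated_run(pw):
        issues.append("contains repeating characters")
    if contains_word(pw, DICTIONARY_WORDS):
        issues.append("contains a dictionary word")
    if contains_word(pw, PROPER_NAMES):
        issues.append("contains a proper name")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        issues.append("needs both uppercase and lowercase characters")
    if not any(c.isdigit() for c in pw):
        issues.append("needs a number")
    return issues


def is_strong(pw: str) -> bool:
    return not password_issues(pw)
```

The word lists are the weak point of any such check; in practice they would be loaded from a real dictionary and a list of names relevant to the organisation rather than the handful of constructed entries here.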
Note    If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
• You can assign a maximum of 64 user roles to a user account.
Note    A user account must have at least one user role.
Configuring User Accounts
You can create a maximum of 256 user accounts on a Cisco Nexus 5000 Series switch. User accounts have the following attributes:
• Username
• Password
• Expiry date
• User roles
User accounts can have a maximum of 64 user roles.
The following example shows how to configure a user account:
switch# configure terminal
switch(config)# username NewUser password 4Ty18Rnt
switch(config)# exit
switch# show user-account
Configuring RBAC
Creating User Roles and Rules
Each user role can have up to 256 rules. You can assign a user role to more than one user account. The rule number you specify determines the order in which the rules are applied. Rules are applied in descending order.
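Two rules above decide what a user can run: within a role, rules are applied in descending rule-number order, and across a user's roles, being permitted a command takes priority over being denied it (the RoleA/RoleB note). The following Python model is an added example, not code from the Cisco guide: it encodes both rules so that a proposed set of roles can be checked against a list of commands before it is configured. Treating * in a command rule as a wildcard, and a role with no matching rule as granting nothing, are assumptions of this model; the 256-rule and 64-role limits are the ones the guide states.

```python
"""Model of how the switch resolves a command against a user's roles, per
the text above: within a role the rules are applied in descending rule-number
order and the first match decides; across roles, a permit in any role wins
over a deny in another. Added example, not code from the Cisco guide.
Treating '*' in a command rule as a wildcard, and a role with no matching
rule as granting nothing, are assumptions of this model.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULES_PER_ROLE = 256   # limit stated in the guide
MAX_ROLES_PER_USER = 64    # limit stated in the guide


@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # "permit" or "deny"
    command: str    # command string; '*' stands for any run of characters

    def matches(self, command: str) -> bool:
        pattern = ".*".join(re.escape(part) for part in self.command.split("*"))
        return re.fullmatch(pattern, command.strip()) is not None


@dataclass
class Role:
    name: str
    rules: Dict[int, Rule] = field(default_factory=dict)

    def rule(self, number: int, action: str, command: str) -> None:
        """Mirrors 'rule NUMBER {permit | deny} command COMMAND-STRING'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if number not in self.rules and len(self.rules) >= MAX_RULES_PER_ROLE:
            raise ValueError(f"{self.name}: more than {MAX_RULES_PER_ROLE} rules")
        self.rules[number] = Rule(number, action, command)

    def decide(self, command: str) -> Optional[str]:
        """First matching rule, highest number first; None when nothing matches."""
        for number in sorted(self.rules, reverse=True):
            if self.rules[number].matches(command):
                return self.rules[number].action
        return None


def user_may_run(roles: List[Role], command: str) -> bool:
    """A permit from any role outweighs a deny from another."""
    if not roles or len(roles) > MAX_ROLES_PER_USER:
        raise ValueError(f"a user needs 1 to {MAX_ROLES_PER_USER} roles")
    return any(role.decide(command) == "permit" for role in roles)


def demo() -> Dict[str, bool]:
    # The RoleA / RoleB case from the note above
    role_a = Role("RoleA")
    role_a.rule(1, "deny", "configure *")
    role_b = Role("RoleB")
    role_b.rule(1, "permit", "configure *")
    # A role whose higher-numbered, more specific deny is evaluated first
    ops = Role("ops")
    ops.rule(1, "permit", "show *")
    ops.rule(2, "deny", "show running-config")
    return {
        "a_only_configure": user_may_run([role_a], "configure terminal"),
        "a_and_b_configure": user_may_run([role_a, role_b], "configure terminal"),
        "ops_show_version": user_may_run([ops], "show version"),
        "ops_show_running": user_may_run([ops], "show running-config"),
        "ops_configure": user_may_run([ops], "configure terminal"),
    }
```

The a_and_b_configure result is the practical consequence of the note: a deny in one role is not a fence if any other role assigned to the same account permits the command, so restrictive roles only restrict when they are the user's only roles.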
Step 8  switch# show role
        (Optional) Displays the user role configuration.
Step 9  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Step 2  switch(config)# role name role-name
        Specifies a user role and enters role configuration mode.
Step 3  switch(config-role)# interface policy deny
        Enters role interface policy configuration mode.
Step 4  switch(config-role-interface)# permit interface interface-list
        Specifies a list of interfaces that the role can access. Repeat this command for as many interfaces as needed.
Changing User Role VLAN Policies (continued)
        Repeat this command for as many VLANs as needed.
Step 5  switch# show role
        (Optional) Displays the role configuration.
Step 6  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
Changing User Role VSAN Policies
You can change a user role VSAN policy to limit the VSANs that the user can access.
switch# show startup-config security
        Displays the user account configuration in the startup configuration.
switch# show running-config security [all]
        Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts.
switch# show user-account
        Displays user account information.
CHAPTER 24 Configuring Session Manager
This chapter contains the following sections:
• Configuring Session Manager, page 325
Configuring Session Manager
This section describes how to configure the Session Manager features in Cisco NX-OS.
Information About Session Manager
Session Manager allows you to implement your configuration changes in batch mode. Session Manager works in the following phases:
• Configuration session—Creates a list of commands that you want to implement in session manager mode.
• You can configure a maximum of 20,000 commands across all sessions.
Configuring Session Manager
Creating a Session
You can create up to 32 configuration sessions. To create a configuration session, perform this task:
Procedure
Step 1  switch# configure session name
        Creates a configuration session and enters session configuration mode. The name can be any alphanumeric string.
Verifying a Session
To verify a session, use the following command in session mode:
switch(config-s)# verify [verbose]
        Verifies the commands in the configuration session.
Committing a Session
To commit a session, use the following command in session mode:
switch(config-s)# commit [verbose]
        Commits the commands in the configuration session.
Verifying Session Manager Configuration
switch# show configuration session [name]
        Displays the contents of the configuration session.
switch# show configuration session status [name]
        Displays the status of the configuration session.
switch# show configuration session summary
        Displays a summary of all the configuration sessions.
CHAPTER 25 Configuring Online Diagnostics
This chapter describes how to configure the generic online diagnostics (GOLD) feature.
Diagnostic        Description
NVRAM             Verifies the integrity of the NVRAM.
In band port      Tests connectivity of the inband port to the supervisor.
Management port   Tests the management port.
Memory            Verifies the integrity of the DRAM.
Bootup diagnostics also include a set of tests that are common with health monitoring diagnostics. Bootup diagnostics log any failures to the onboard failure logging (OBFL) system.
Diagnostic               Description
Forwarding engine        Tests the forwarding engine ASICs.
Forwarding engine port   Tests the ports on the forwarding engine ASICs.
Front port               Tests the components (such as PHY and MAC) on the front ports.
Expansion Module Diagnostics
During switch bootup or reset, the bootup diagnostics include tests for the in-service expansion modules in the switch.
Configuring Online Diagnostics
You can configure the bootup diagnostics to run the complete set of tests, or you can bypass all bootup diagnostic tests for a faster module boot up time.
Note    We recommend that you set the bootup online diagnostics level to complete. We do not recommend bypassing the bootup online diagnostics.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Default GOLD Settings
Table 39: Default Online Diagnostics Parameters
Parameters                 Default
Bootup diagnostics level   complete
CHAPTER 26 Configuring System Message Logging
This chapter describes how to configure system message logging on the Cisco Nexus 5000 Series switch and contains the following sections:
• Information About System Message Logging, page 335
• Configuring System Message Logging, page 336
• Verifying System Message Logging Configuration, page 345
• Default System Message Logging Settings, page 346
Information About System Message Logging
You can use system message logging to control the destination and to filt
Level               Description
5 – notification    Normal but significant condition
6 – informational   Informational message only
7 – debugging       Appears during debugging only
The switch logs the most recent 100 messages of severity 0, 1, or 2 to the NVRAM log. You cannot configure logging to the NVRAM. You can configure which system messages should be logged based on the facility that generated the message and its severity level.
        value indicates a higher severity level). Severity levels range from 0 to 7:
        • 0 – emergency
        • 1 – alert
        • 2 – critical
        • 3 – error
        • 4 – warning
        • 5 – notification
        • 6 – informational
        • 7 – debugging
        If the severity level is not specified, the default of 2 is used.
Step 9  switch# copy running-config startup-config
        (Optional) Copies the running configuration to the startup configuration.
        • 4 – warning
        • 5 – notification
        • 6 – informational
        • 7 – debugging
        The file size is from 4096 to 10485760 bytes.
Step 3  switch(config)# no logging logfile [logfile-name severity-level [size bytes]]
        (Optional) Disables logging to the log file.
Step 4  switch# show logging info
        (Optional) Displays the logging configuration.
Configuring Module and Facility Messages Logging
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# logging module
        Enables module log messages that have the specified severity level or higher.
Step 6  switch# show logging module
        (Optional) Displays the module logging configuration.
Step 7  switch# show logging level [facility]
        (Optional) Displays the logging level configuration and the system default level by facility. If you do not specify a facility, the switch displays levels for all facilities.
Configuring syslog Servers
You can configure up to three syslog servers that reference remote systems where you want to log system messages.
Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# logging server host
        Configures a syslog server at the specified host name or IPv4 or IPv6 address.
Configuring syslog on a UNIX or Linux System
You can configure a syslog server on a UNIX or Linux system by adding the following line to the /etc/syslog.conf file:
facility.level action
The following table describes the syslog fields that you can configure.
Table 41: syslog Fields in syslog.
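The severity semantics that run through this chapter are the same on both ends: a switch destination configured at level N receives messages of severity N or more severe (a lower number), the NVRAM log keeps only the 100 most recent messages of severity 0 to 2 and cannot be configured, and the facility.level selector in /etc/syslog.conf on the receiving host applies the same "that level or more severe" test. The following Python is an added example, not code from the Cisco guide: it routes a few constructed events through a modelled switch logging configuration (two syslog servers and a log file) and evaluates syslog.conf selectors against them. The hosts and events are constructed, the default server level of 2 is the one the text above gives, and the level keywords in the selector follow common syslog.conf spelling rather than anything in the guide.

```python
"""Route constructed log events the way the severity settings above work: a
destination configured at level N receives messages of severity N or more
severe (a lower number), the NVRAM log keeps only the 100 most recent
severity 0-2 messages, and a UNIX syslog.conf 'facility.level' selector
applies the same 'level or more severe' test. Added example, not code from
the Cisco guide; the hosts and events are constructed, and the syslog.conf
level keywords follow common syslogd spelling, not the guide.
"""
from collections import deque
from typing import Dict, List, Tuple

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error", 4: "warning",
            5: "notification", 6: "informational", 7: "debugging"}
NVRAM_MAX_MESSAGES = 100     # from the guide
NVRAM_MAX_SEVERITY = 2       # from the guide: only severity 0, 1, 2 reach NVRAM

Event = Tuple[str, int, str]  # (facility, severity, text)


class LoggingConfig:
    def __init__(self, logfile_level: int):
        self.servers: Dict[str, int] = {}
        self.logfile_level = logfile_level
        self.nvram: deque = deque(maxlen=NVRAM_MAX_MESSAGES)

    def add_server(self, host: str, level: int = 2) -> None:
        """'logging server HOST [LEVEL]'; the text above gives 2 as the default."""
        if level not in SEVERITY:
            raise ValueError("severity level must be 0 to 7")
        self.servers[host] = level

    def destinations(self, event: Event) -> List[str]:
        """Where one message goes; also records it in the NVRAM ring if it qualifies."""
        _facility, severity, _text = event
        dests = [f"server:{host}" for host, lvl in self.servers.items() if severity <= lvl]
        if severity <= self.logfile_level:
            dests.append("logfile")
        if severity <= NVRAM_MAX_SEVERITY:
            self.nvram.append(event)
            dests.append("nvram")
        return dests


# syslog.conf level keywords (standard syslogd spelling, which differs from the
# switch's names above); 'none' in a selector excludes the facility entirely
SYSLOG_CONF_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                      "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_conf_selects(selector: str, facility: str, severity: int) -> bool:
    """Does a 'facility.level' selector from /etc/syslog.conf pick this message?"""
    fac, _, level = selector.partition(".")
    if fac not in ("*", facility) or level == "none":
        return False
    if level == "*":
        return True
    return severity <= SYSLOG_CONF_LEVELS[level]


SAMPLE_EVENTS: List[Event] = [   # constructed for the example, not switch output
    ("kern", 0, "supervisor reset"),
    ("auth", 2, "too many failed logins"),
    ("auth", 4, "password change"),
    ("daemon", 6, "interface counters cleared"),
]


def route_sample() -> Dict[str, List[str]]:
    cfg = LoggingConfig(logfile_level=4)
    cfg.add_server("10.0.0.5")      # no level given: default 2
    cfg.add_server("10.0.0.6", 6)
    return {text: cfg.destinations((fac, sev, text)) for fac, sev, text in SAMPLE_EVENTS}


def nvram_retention(count: int) -> int:
    """How many of `count` severity-2 messages the NVRAM log still holds."""
    cfg = LoggingConfig(logfile_level=7)
    for i in range(count):
        cfg.destinations(("auth", 2, f"event {i}"))
    return len(cfg.nvram)
```

The "password change" event shows the trap in the default: a server added without a level receives nothing above severity 2, so authentication events at warning level never leave the switch unless the server is configured at 4 or higher, and the NVRAM ring is no substitute because it holds nothing above critical.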
After you enable syslog server configuration distribution, you can modify the syslog server configuration and view the pending changes before committing the configuration for distribution. As long as distribution is enabled, the switch maintains pending changes to the syslog server configuration.
Note    If the switch is restarted, the syslog server configuration changes that are kept in volatile memory may be lost.
Related Topics
• Information About CFS, page 299
Displaying and Clearing Log Files
You can display or clear messages in the log file and the NVRAM.
Procedure
Step 1: switch# show logging last number-lines
    Displays the last number of lines in the logging file. You can specify from 1 to 9999 for the last number of lines.
Verifying System Message Logging Configuration
switch# show logging level [facility]
    Displays the facility logging severity level configuration.
switch# show logging logfile [start-time yyyy mmm dd hh:mm:ss] [end-time yyyy mmm dd hh:mm:ss]
    Displays the messages in the log file.
switch# show logging module
    Displays the module logging configuration.
switch# show logging monitor
    Displays the monitor logging configuration.
Default System Message Logging Settings
Parameters / Default
syslog server configuration distribution: Disabled
CHAPTER 27 Configuring Smart Call Home
This chapter contains the following sections:
• Configuring Smart Call Home, page 349
Configuring Smart Call Home
Information About Call Home
Call Home provides e-mail-based notification of critical system events. Cisco Nexus 5000 Series switches provide a range of message formats for optimal compatibility with pager services, standard e-mail, or XML-based automated parsing applications.
• Multiple concurrent message destinations. You can configure up to 50 e-mail destination addresses for each destination profile.
Destination Profiles
A destination profile includes the following information:
• One or more alert groups—The group of alerts that trigger a specific Call Home message if the alert occurs.
Call Home Alert Groups
Alert Group / Description / Executed Commands
    (continued) show tech-support platform callhome
Supervisor hardware
    Description: Events related to supervisor modules.
    Executed commands: show diagnostic result module all detail; show module; show version; show tech-support platform callhome
Linecard hardware
    Description: Events related to standard or intelligent switching modules.
You can add show commands only to full text and XML destination profiles. Short text destination profiles do not support additional show commands because they only allow 128 bytes of text.
Related Topics
• Call Home Message Levels, page 352
Call Home Message Levels
Call Home allows you to filter messages based on their level of urgency. You can associate each destination profile (predefined and user defined) with a Call Home message level threshold.
Call Home Level / Keyword / syslog Level / Description
0 / Debugging / Debug (7) / Debugging messages.
Obtaining Smart Call Home
If you have a service contract directly with Cisco Systems, you can register your devices for the Smart Call Home service. Smart Call Home provides fast resolution of system problems by analyzing Call Home messages sent from your devices and providing background information and recommendations.
Configuration Guidelines and Limitations
Call Home has the following configuration guidelines and limitations:
• If there is no IP connectivity or if the interface in the VRF to the profile destination is down, the switch cannot send the Call Home message.
• Operates with any SMTP server.
Configuring Call Home
Procedures for Configuring Call Home
Procedure
Step 1: Assign contact information.
Step 5: switch(config-callhome)# phone-contact international-phone-number
    Configures the phone number in international phone number format for the primary person responsible for the device. Up to 17 alphanumeric characters are accepted in international format.
    Note: The phone number cannot contain spaces. Be sure to use the + prefix before the number.
Modifying a Destination Profile
Procedure
Step 1: switch# configuration terminal
    Enters configuration mode.
Step 2: switch(config)# callhome
    Enters callhome configuration mode.
Associating an Alert Group with a Destination Profile
Procedure
Step 1: switch# configuration terminal
    Enters configuration mode.
Step 2: switch(config)# callhome
    Enters callhome configuration mode.
Step 3: switch(config-callhome)# destination-profile {name | full-txt-destination | short-txt-destination} email-addr address
    Configures an e-mail address for a user-defined or predefined destination profile.
Adding show Commands to an Alert Group
Procedure
Step 1: switch# configuration terminal
    Enters configuration mode.
Step 2: switch(config)# callhome
    Enters callhome configuration mode.
Step 5: switch# copy running-config startup-config
    (Optional) Saves this configuration change.
This example shows how to add the show ip routing command to the Cisco-TAC alert group:
switch# configuration terminal
switch(config)# callhome
switch(config-callhome)# alert-group Configuration user-def-cmd "show ip routing"
Configuring E-Mail
You must configure the SMTP server address for the Call Home functionality to work.
This example shows how to configure the e-mail options for Call Home messages:
switch# configuration terminal
switch(config)# callhome
switch(config-callhome)# transport email smtp-server 192.0.2.10 use-vrf Red
switch(config-callhome)# transport email from person@example.com
switch(config-callhome)# transport email reply-to person@example.
switch(config-callhome)# enable
    Enables Call Home. Disabled by default.
You can disable Call Home in the callhome configuration mode.
switch(config-callhome)# no enable
    Disables Call Home. Disabled by default.
You can enable Call Home distribution using CFS in the callhome configuration mode.
switch(config-callhome)# distribute
    Enables Call Home distribution using CFS. Disabled by default.
Verifying Call Home Configuration
To display Call Home configuration information, perform one of the following tasks:
switch# show callhome
    Displays the status for Call Home.
switch# show callhome destination-profile name
    Displays one or more Call Home destination profiles.
switch# show callhome merge
    Displays the status of the last CFS merge for Call Home.
Parameters / Default
Destination message size for a message sent in short text format: 4000
SMTP server port number if no port is specified: 25
Alert group association with profile: All for full-text-destination and short-text-destination profiles. The cisco-tac alert group for the CiscoTAC-1 destination profile.
Format type: XML
Call Home message level.
Call Home Message Formats
Table 47: Common Fields for All Full Text and XML Messages
Columns: Data Item (Plain Text and XML) / Description (Plain Text and XML) / XML Tag (XML Only)
Time stamp
    Description: Date and time stamp of event in ISO time notation: YYYY-MM-DD HH:MM:SS GMT+HH:MM
    XML tag: /aml/header/time
Message name
    Description: Name of message. Specific event names are listed in the preceding table.
    XML tag: /aml/header/name
Message type
    Description: Name of message type, such as reactive or proactive.
• @ is a separator character.
• Sid is C, identifying the serial ID as a chassis serial number.
• serial is the number identified by the Sid field.
An example is WS-C6509@C@12345678
Customer ID
    Description: Optional user-configurable field used for contract information or other ID by any support service.
    XML tag: /aml/header/customerID
The format is type@Sid@serial:
• type is the product model number from backplane IDPROM.
• @ is a separator character.
• Sid is C, identifying the serial ID as a chassis serial number.
• serial is the number identified by the Sid field.
An example is WS-C6509@C@12345678
Message description
    Description: Short text that describes the error.
    as the contact for this unit.
Street address
    Description: Optional field that contains the street address for RMA part shipments associated with this unit.
    XML tag: /aml/body/sysStreetAddress
Model name
    Description: Model name of the device (the specific model as part of a product family name).
    XML tag: /aml/body/chassis/name
Serial number
    Description: Chassis serial number of the unit.
    XML tag: /aml/body/chassis/serialNo
Table 48: Inserted Fields for a Reactive or Proactive Event Message
Columns: Data Item (Plain Text and XML) / Description (Plain Text and XML) / XML Tag (XML Only)
Chassis hardware version
    Description: Hardware version of chassis.
    XML tag: /aml/body/chassis/hwVersion
Supervisor module software version
    Description: Top-level software version.
    XML tag: /aml/body/chassis/swVersion
Affected FRU name
    Description: Name of the affected FRU that is generating the event message.
The following table describes the user-generated test message format for full text or XML.
Table 50: Inserted Fields for a User-Generated Test Message
Columns: Data Item (Plain Text and XML) / Description (Plain Text and XML) / XML Tag (XML Only)
Process ID
    Description: Unique process ID.
    XML tag: /aml/body/process/id
Process state
    Description: State of process (for example, running or halted).
Sample syslog Alert Notification in XML Format
http://tools.example.
show logging
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 26-Apr-07 18:00 by xxx
00:03:18: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 339 seconds
00:03:18: %OIR-SP-6-INSPS: Power supply inserted in slot 1
00:03:18: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
00:03:18: %OIR-SP-6-INSPS: Power supply inserted in slot 2
00:01:09: %SSH-5-ENABLED: SSH 1.
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 26-Apr-08 17:20 by username1
00:00:31: DFC8: Currently running ROMMON from S (Gold) region
00:04:59: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal Diagnostics...
00:05:12: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...
00:05:13: %DIAG-SP-6-RUN_MINIMUM: Module 1: Running Minimal Diagnostics...
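As an added example that is not part of the guide, the following Python parses messages in the %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC form shown in the sample notifications above and applies the severity threshold semantics of the logging chapter (a level "or higher" means a numerically lower or equal severity). The sample lines are constructed from the notification above; the names for severities 0 to 3 and the subfacility handling are assumptions, not taken from this page.

```python
"""Parse Cisco system messages (%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC) and
apply a severity threshold the way 'logging server ... severity-level' does."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity numbers 0..7; 4..7 are listed in the logging chapter, 0..3 are the
# remaining standard syslog levels (assumption: emergency, alert, critical, error).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Constructed sample, modelled on the syslog alert notification shown above
# (the SSH line text and the Copyright line are filler, not from the guide).
SAMPLE_LOG = """\
00:03:18: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 339 seconds
00:03:18: %OIR-SP-6-INSPS: Power supply inserted in slot 1
00:03:18: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
00:03:18: %OIR-SP-6-INSPS: Power supply inserted in slot 2
00:01:09: %SSH-5-ENABLED: SSH has been enabled
00:04:59: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal Diagnostics...
Copyright (c) 1986-2007 by Cisco Systems, Inc.
"""

_MSG_RE = re.compile(
    r"^(?:(?P<ts>[^%]*?):\s+)?"              # optional uptime/time prefix, e.g. 00:03:18:
    r"%(?P<facility>[A-Z0-9_]+)"             # facility, e.g. SYS or C6KPWR
    r"(?:-(?P<subfacility>[A-Z_]+))?"        # optional subfacility, e.g. SP (supervisor)
    r"-(?P<severity>[0-7])"                  # severity 0 (emergency) .. 7 (debugging)
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*"         # mnemonic, e.g. BOOTTIME
    r"(?P<text>.*)$"
)


@dataclass(frozen=True)
class SysMessage:
    timestamp: Optional[str]
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def message_id(self) -> str:
        """The %FACILITY-[SUB-]SEV-MNEMONIC token, a natural key for detection rules."""
        parts = [self.facility] + ([self.subfacility] if self.subfacility else [])
        return "%%%s-%d-%s" % ("-".join(parts), self.severity, self.mnemonic)


def parse_message(line: str) -> Optional[SysMessage]:
    """Return the parsed message, or None for lines that are not system messages."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    return SysMessage(m["ts"], m["facility"], m["subfacility"],
                      int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(text: str) -> List[SysMessage]:
    """Parse every line of a log, silently skipping banner and other non-message lines."""
    return [msg for msg in map(parse_message, text.splitlines()) if msg is not None]


def at_or_above(messages: List[SysMessage], threshold: int) -> List[SysMessage]:
    """Keep messages at the threshold severity or more severe.

    Lower numbers are more severe, so a threshold of 5 (notification) keeps
    everything numbered 5 or below, which is what the switch forwards."""
    if not 0 <= threshold <= 7:
        raise ValueError("severity threshold must be 0..7")
    return [msg for msg in messages if msg.severity <= threshold]


def count_by_facility(messages: List[SysMessage]) -> Dict[str, int]:
    """Message volume per facility, a quick way to spot a chatty or noisy subsystem."""
    counts: Dict[str, int] = {}
    for msg in messages:
        counts[msg.facility] = counts.get(msg.facility, 0) + 1
    return counts


if __name__ == "__main__":
    for msg in at_or_above(parse_log(SAMPLE_LOG), 5):
        print(msg.message_id, msg.severity_name, msg.text)
```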
CHAPTER 28 Configuring SNMP
This chapter describes the configuration of the Simple Network Management Protocol (SNMP) on Cisco Nexus 5000 Series switches and contains the following sections:
• Information About SNMP, page 375
• Configuration Guidelines and Limitations, page 379
• Configuring SNMP, page 379
• Verifying SNMP Configuration, page 386
• Default SNMP Settings, page 386
Information About SNMP
The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message
The Cisco Nexus 5000 Series switch supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. SNMP is defined in RFC 3410 (http://tools.ietf.org/html/rfc3410), RFC 3411 (http://tools.ietf.org/html/rfc3411), RFC 3412 (http://tools.ietf.org/html/rfc3412), RFC 3413 (http://tools.ietf.org/html/rfc3413), RFC 3414 (http://tools.ietf.org/html/rfc3414), RFC 3415 (http://tools.ietf.org/html/rfc3415), RFC 3416 (http://tools.ietf.
User-Based Security Model
The following table identifies what the combinations of security models and levels mean.
Table 51: SNMP Security Models and Levels
Columns: Model / Level / Authentication / Encryption / What Happens
v1 / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
v2c / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
• Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.
• Message confidentiality—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages.
Group-Based SNMP Access
Note
Because group is a standard SNMP term used industry-wide, roles are referred to as groups in this SNMP section.
SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with three accesses: read access, write access, and notification access. Each access can be enabled or disabled within each group.
You can enforce SNMP message encryption for a specific user.
switch(config)# snmp-server user name enforcePriv
    Enforces SNMP message encryption for this user.
You can enforce SNMP message encryption for all users.
switch(config)# snmp-server globalEnforcePriv
    Enforces SNMP message encryption for all users.
switch(config)# snmp-server host ip-address {traps | informs} version 2c community [udp_port number]
    Configures a host receiver for SNMPv2c traps or informs. The community can be any alphanumeric string up to 255 characters. The UDP port number range is from 0 to 65535.
You can configure a host receiver for SNMPv3 traps or informs in a global configuration mode.
The following example shows how to configure a notification target user:
switch(config)# snmp-server user NMS auth sha abcd1234 priv abcdefgh engineID 00:00:00:63:00:01:00:a1:ac:15:10:03
Enabling SNMP Notifications
You can enable or disable notifications. If you do not specify a notification name, Cisco NX-OS enables all notifications.
MIB / Related Commands
CISCO-RSCN-MIB
    snmp-server enable traps rscn
    snmp-server enable traps rscn els
    snmp-server enable traps rscn ils
CISCO-ZS-MIB
    snmp-server enable traps zone
    snmp-server enable traps zone default-zone-behavior-change
    snmp-server enable traps zone merge-failure
    snmp-server enable traps zone merge-success
    snmp-server enable traps zone request-reject
    snmp-server enable traps zone unsupp-mem
Note
The license notifications are enabled by
• IETF extended—Cisco NX-OS sends only the IETF-defined notifications (linkUp, linkDown defined in IF-MIB), if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface. Cisco NX-OS adds additional varbinds specific to Cisco Systems in addition to the varbinds defined in the IF-MIB. This is the default setting.
Assigning SNMP Switch Contact and Location Information
You can assign the switch contact information, which is limited to 32 characters (without spaces), and the switch location.
Procedure
Step 1: switch# configuration terminal
    Enters configuration mode.
Step 2: switch(config)# snmp-server contact name
    Configures sysContact, the SNMP contact name.
Verifying SNMP Configuration
To display SNMP configuration information, perform one of the following tasks:
switch# show snmp
    Displays the SNMP status.
switch# show snmp community
    Displays the SNMP community strings.
switch# show snmp engineID
    Displays the SNMP engineID.
switch# show snmp group
    Displays SNMP roles.
switch# show snmp sessions
    Displays SNMP sessions.
CHAPTER 29 Configuring RMON
This chapter contains the following sections:
• Configuring RMON, page 387
Configuring RMON
Information About RMON
RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that allows various network agents and console systems to exchange network monitoring data.
• Rising threshold—The value at which the Cisco Nexus 5000 Series switch triggers a rising alarm or resets a falling alarm.
• Falling threshold—The value at which the Cisco Nexus 5000 Series switch triggers a falling alarm or resets a rising alarm.
• Events—The action that the Cisco Nexus 5000 Series switch takes when an alarm (rising or falling) triggers.
Note
Use the hcalarms option to set an alarm on a 64-bit integer MIB object.
• The owner of the alarm.
Ensure you have configured an SNMP user and enabled SNMP notifications.
Procedure
Step 1: switch# configure terminal
    Enters configuration mode.
Step 2: switch(config)# rmon alarm index mib-object sample-interval {absolute | delta} rising-threshold value [event-index] falling-threshold value [event-index] [owner name]
    Creates an RMON alarm. The value range is from -2147483647 to 2147483647.
Step 2: switch(config)# rmon event index [description string] [log] [trap] [owner name]
    Configures an RMON event. The description string and owner name can be any alphanumeric string.
Step 3: switch(config)# show rmon {alarms | hcalarms}
    (Optional) Displays information about RMON alarms or high-capacity alarms.
Step 4: switch# copy running-config startup-config
    (Optional) Saves this configuration change.
PART V Fibre Channel over Ethernet
• Configuring FCoE, page 393
• Configuring FCoE VLANs and Virtual Interfaces, page 411
CHAPTER 30 Configuring FCoE
This chapter describes how to configure Fibre Channel over Ethernet (FCoE) on Cisco Nexus 5000 Series switches.
• FIP—The Converged Enhanced Ethernet Data Center Bridging Exchange (CEE-DCBX) protocol supports T11-compliant Gen-2 CNAs.
• Pre-FIP—The Cisco, Intel, Nuova Data Center Bridging Exchange (CIN-DCBX) protocol supports Gen-1 converged network adapters (CNAs).
The Cisco Nexus 5000 Series switch detects the capabilities of the attached CNA and switches to the correct FIP mode.
FIP Virtual Link Instantiation
Cisco NX-OS Release 4.
FIP Ethernet Frame Format
FIP is encapsulated in an Ethernet packet with a dedicated EtherType, 0x8914. The packet has a 4-bit version field. Along with the source and destination MAC addresses, the FIP packet also contains a FIP operation code and a FIP operation subcode. The following table describes the FIP operation codes.
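As an added example that is not part of the guide, this Python decodes the FIP header the paragraph describes (EtherType 0x8914, 4-bit version, operation code and subcode), handles an 802.1Q-tagged frame, and walks the descriptor list that follows the header. The header layout, the operation-code and subcode names, the flag bits and the ALL-FCF-MACs group address are taken from FC-BB-5 and are assumptions here, since the guide's table is not reproduced on this page; the sample solicitation frame is constructed.

```python
"""Decode FIP (FCoE Initialization Protocol) frames carried in EtherType 0x8914."""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

FIP_ETHERTYPE = 0x8914
VLAN_ETHERTYPE = 0x8100
# FIP header: version (high nibble), reserved, opcode, reserved, subcode,
# descriptor list length in 4-byte words, flags. Layout per FC-BB-5 (assumption).
FIP_HDR = struct.Struct("!BBHBBHH")

# Operation codes and subcodes per FC-BB-5 (assumption; not from this page).
FIP_OPCODES = {
    0x0001: "Discovery", 0x0002: "Virtual Link Instantiation",
    0x0003: "FIP Keep Alive", 0x0004: "VLAN Discovery", 0xFFF8: "Vendor Specific",
}
FIP_SUBCODES = {
    (0x0001, 0x01): "Solicitation", (0x0001, 0x02): "Advertisement",
    (0x0002, 0x01): "Request", (0x0002, 0x02): "Reply",
    (0x0003, 0x01): "Keep Alive", (0x0003, 0x02): "Clear Virtual Links",
    (0x0004, 0x01): "Request", (0x0004, 0x02): "Notification",
}
FLAG_FPMA, FLAG_SPMA, FLAG_SOLICITED = 0x8000, 0x4000, 0x0002
DESC_MAC_ADDRESS = 2                            # descriptor type: MAC address (2 words)
ALL_FCF_MACS = bytes.fromhex("011018010002")    # FC-BB-5 group MAC for all FCFs


@dataclass(frozen=True)
class FipFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]
    version: int
    opcode: int
    subcode: int
    flags: int
    descriptors: bytes

    @property
    def operation(self) -> str:
        op = FIP_OPCODES.get(self.opcode, "Unknown opcode 0x%04x" % self.opcode)
        sub = FIP_SUBCODES.get((self.opcode, self.subcode), "subcode 0x%02x" % self.subcode)
        return "%s / %s" % (op, sub)


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def iter_descriptors(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the descriptor list: 1-byte type, 1-byte length in 4-byte words (header included)."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated descriptor header at offset %d" % off)
        dtype, words = data[off], data[off + 1]
        if words == 0 or off + words * 4 > len(data):
            raise ValueError("malformed descriptor length at offset %d" % off)
        yield dtype, data[off + 2:off + words * 4]
        off += words * 4


def parse_fip_frame(frame: bytes) -> Optional[FipFrame]:
    """Return the decoded FIP frame, or None if the bytes are not well-formed FIP."""
    if len(frame) < 14:
        return None
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == VLAN_ETHERTYPE:          # 802.1Q tag: TPID, TCI, then inner EtherType
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != FIP_ETHERTYPE or len(frame) < offset + FIP_HDR.size:
        return None
    ver, _, opcode, _, subcode, dl_words, flags = FIP_HDR.unpack_from(frame, offset)
    body = frame[offset + FIP_HDR.size:]
    if len(body) < dl_words * 4:             # descriptor list runs past the end of the frame
        return None
    return FipFrame(dst, src, vlan_id, ver >> 4, opcode, subcode, flags, body[:dl_words * 4])


def build_fip_frame(dst: bytes, src: bytes, opcode: int, subcode: int, descriptors: bytes,
                    flags: int = 0, vlan_id: Optional[int] = None) -> bytes:
    """Build a FIP frame (used here only to construct sample input)."""
    if len(descriptors) % 4:
        raise ValueError("descriptor list must be a multiple of 4 bytes")
    tag = struct.pack("!HH", VLAN_ETHERTYPE, vlan_id & 0x0FFF) if vlan_id is not None else b""
    header = FIP_HDR.pack(0x10, 0, opcode, 0, subcode, len(descriptors) // 4, flags)
    return dst + src + tag + struct.pack("!H", FIP_ETHERTYPE) + header + descriptors


# Constructed sample: an ENode soliciting FCFs on FCoE VLAN 1002, requesting FPMA.
ENODE_MAC = bytes.fromhex("00c0dd0e5f3a")
SAMPLE_SOLICITATION = build_fip_frame(
    ALL_FCF_MACS, ENODE_MAC, 0x0001, 0x01,
    bytes([DESC_MAC_ADDRESS, 2]) + ENODE_MAC, flags=FLAG_FPMA, vlan_id=1002)

if __name__ == "__main__":
    fip = parse_fip_frame(SAMPLE_SOLICITATION)
    print(fip.operation, fip.src_mac, "->", fip.dst_mac, "VLAN", fip.vlan_id)
```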
• CIN-DCBX—The Cisco, Intel, Nuova DCBX is supported on Gen-1 converged network adapters (CNAs). CIN-DCBX is used to perform link detection in addition to other functions.
DCBX runs on the physical Ethernet link between the Cisco Nexus 5000 Series switch and the CNA. By default, DCBX is enabled on Ethernet interfaces. When an Ethernet interface is brought up, the switch automatically starts to communicate with the CNA.
Lossless Ethernet
Standard Ethernet is a best-effort medium, which means that it lacks any form of flow control. In the event of congestion or collisions, Ethernet drops packets. The higher-level protocols detect the missing data and retransmit the dropped packets. To properly support Fibre Channel, Ethernet has been enhanced with a priority flow control (PFC) mechanism.
To reduce configuration errors and simplify administration, the switch distributes the configuration data to all the connected adapters.
FCoE Topologies
Directly Connected CNA Topology
The Cisco Nexus 5000 Series switch can be deployed as a Fibre Channel Forwarder (FCF) as shown in the following figure.
between the CNA and the FCF. Make sure that you configure the FCoE VLAN on the directly connected links only.
Remotely Connected CNA Topology
The Cisco Nexus 5000 Series switch can be deployed as a Fibre Channel Forwarder (FCF) for remotely connected CNAs, but not as a FIP Snooping Bridge, as shown in the following figure.
FCoE Best Practices
Directly Connected CNA Best Practice
The following figure shows a best practices topology for an access network using directly connected CNAs with Cisco Nexus 5000 Series switches.
4 You must not configure the FCoE VLANs as members of Ethernet links that are not designated to carry FCoE traffic, because you want to ensure that the scope of the STP for the FCoE VLANs is limited to UF links only.
5 If the converged access switches (in the same SAN fabric or in another) need to be connected to each other over Ethernet links for a LAN alternate path, then such links must explicitly be configured to exclude all FCoE VLANs from membership.
Remotely Connected CNA Best Practice
The following figure shows a best practices topology for an access network using remotely connected CNAs with Cisco Nexus 5000 Series switches.
Note
A unified fabric link carries both Ethernet and FCoE traffic.
3 You must configure the CNAs and the blade switches as spanning-tree edge ports.
4 A blade switch must connect to exactly one Cisco Nexus 5000 Series converged access switch, preferably over an EtherChannel, to avoid disruption due to STP reconvergence on events such as provisioning new links or blade switches.
Note
All the Fibre Channel features of the Cisco Nexus 5000 Series switch are packaged in the FC Plugin. When you enable FCoE, the switch software checks for the FC_FEATURES_PKG license. If it finds the license, the software loads the plugin. If the license is not found, the software loads the plugin with a grace period of 180 days.
Disabling LAN Traffic on an FCoE Link
You can disable LAN traffic on an FCoE link. DCBX allows the switch to send a LAN Logical Link Status (LLS) message to a directly connected CNA. Enter the shutdown lan command to send an LLS-Down message to the CNA. This command causes all VLANs on the interface that are not enabled for FCoE to be brought down.
Configuring the Fabric Priority
The Cisco Nexus 5000 Series switch advertises its priority. The priority is used by the CNAs in the fabric to determine the best switch to connect to.
Procedure
Step 1: switch# configure terminal
    Enters configuration mode.
Step 2: switch(config)# fcoe fcf-priority fabric-priority
    Configures the global fabric priority. The default value is 128. The range is from 0 (higher) to 255 (lower).
Configuring LLDP
Configuring Global LLDP Commands
You can set global LLDP settings. These settings include the length of time before discarding LLDP information received from peers, the length of time to wait before performing LLDP initialization on any interface, and the rate at which LLDP packets are sent. To configure LLDP settings, perform this task:
Procedure
Step 1: switch# configure terminal
    Enters configuration mode.
This example shows how to set an interface to transmit LLDP packets:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# lldp transmit
This example shows how to configure an interface to disable LLDP:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# no lldp transmit
switch(config-if)# no lldp receive
Verifying FCoE Configuration
To verify FCoE c
This example shows how to display LLDP interface information:
switch# show lldp interface ethernet 1/2
tx_enabled: TRUE
rx_enabled: TRUE
dcbx_enabled: TRUE
Port MAC address: 00:0d:ec:a3:5f:48
Remote Peers Information
No remote peers exist
This example shows how to display LLDP neighbor information:
switch# show lldp neighbors
LLDP Neighbors
Remote Peers Information on interface Eth1/40
Remote peer's MSAP: length 12 Bytes:
00 c0 dd 0e 5f 3a 0
CHAPTER 31 Configuring FCoE VLANs and Virtual Interfaces
This chapter describes how to configure Fibre Channel over Ethernet (FCoE) VLANs and virtual interfaces on Cisco Nexus 5000 Series switches.
◦ The Ethernet or EtherChannel interface must be a trunk port (use the switchport mode trunk command).
◦ The FCoE VLAN that corresponds to a virtual Fibre Channel's VSAN must be in the allowed VLAN list.
◦ You must not configure an FCoE VLAN as the native VLAN of the trunk port.
Note
The native VLAN is the default VLAN on a trunk. Any untagged frames transit the trunk as native VLAN traffic.
◦ You should use an FCoE VLAN only for FCoE.
Procedure
Step 1: switch# configure terminal
    Enters configuration mode.
Step 2: switch(config)# vlan vlan-id
    Enters VLAN configuration mode. The VLAN number range is from 1 to 4096.
Step 3: switch(config-vlan)# fcoe [vsan vsan-id]
    Enables FCoE for the specified VLAN. If you do not specify a VSAN number, a mapping is created from this VLAN to the VSAN with the same number.
This example shows how to bind a virtual Fibre Channel interface to an Ethernet interface:
switch# configure terminal
switch(config)# interface vfc 4
switch(config-if)# bind interface ethernet 1/4
This example shows how to bind a virtual Fibre Channel interface to create a vPC:
switch# configure terminal
switch(config)# interface vfc 3
switch(config-if)# bind interface port-channel 1
This example shows how to bind a v
Verifying the Virtual Interface
switch# show interface vfc vfc-id
    Displays the detailed configuration of the specified Fibre Channel interface.
switch# show interface brief
    Displays the status of all interfaces.
switch# show vlan fcoe
    Displays the mapping of FCoE VLANs to VSANs.
This example shows how to display the status of all the interfaces on the switch (some output has been removed for brevity):
switch# show interface brief
-------------------------------------------------------------------------------
Interface  Vsan  Admin  Admin  Status  SFP  Oper  Oper    Port
                 Mode   Trunk               Mode  Speed   Channel
                        Mode                      (Gbps)
-------------------------------------------------------------------------------
fc3/1
Mapping VSANs to VLANs Example Configuration
Step 2 Create a virtual Fibre Channel interface and bind it to a physical Ethernet interface.
switch(config)# interface vfc 4
switch(config-if)# bind interface ethernet 1/4
switch(config-if)# exit
Step 3 Enable the associated VLAN and map the VLAN to a VSAN.
PART VI Quality of Service
• Configuring QoS, page 421
CHAPTER 32 Configuring QoS
This chapter describes how to configure quality of service (QoS) on Cisco Nexus 5000 Series switches.
MQC
The Cisco Modular QoS CLI (MQC) provides a standard set of commands for configuring QoS. You can use MQC to define additional traffic classes and to configure QoS policies for the whole system and for individual interfaces. Configuring a QoS policy with MQC consists of the following steps:
1 Define traffic classes.
2 Associate policies and actions with each traffic class.
3 Attach policies to logical or physical interfaces as well as at the global system level.
the switch distributes the system class parameter values to all its attached network adapters using the Data Center Bridging Exchange (DCBX) protocol.
If service policies are configured at the interface level, the interface-level policy always takes precedence over system class configuration or defaults.
On the Cisco Nexus 5000 Series switch, a system class is uniquely identified by a qos-group value. A total of six system classes are supported.
◦ Policy—The actions that are performed on the matching traffic are as follows:
Note
A network-qos policy can only be attached to the system qos target.
◦ MTU—The MTU that needs to be enforced for the traffic that is mapped to a system class. Each system class has a default MTU and the system class MTU is configurable.
◦ Multicast optimization—This configuration specifies if the performance of multicast traffic mapped to this class will be optimized.
• Type qos—A type qos policy is used to classify traffic that is based on various Layer 2, Layer 3, and Layer 4 fields in the frame and to map it to system classes.
Note
Some configuration parameters, when applied to an EtherChannel, are not reflected in the configuration of the member ports.
◦ Classification—The traffic that matches this class is as follows:
◦ Access Control Lists—Classifies traffic based on the criteria in existing ACLs.
Ethernet interfaces use PFC to provide lossless service to no-drop system classes. PFC implements pause frames on a per-class basis and uses the IEEE 802.1p CoS value to identify the classes that require lossless service. In the switch, each system class has an associated IEEE 802.1p CoS value that is assigned by default or configured on the system class. If you enable PFC, the switch sends the no-drop CoS values to the adapter, which then applies PFC to these CoS values.
• All Fibre Channel and virtual Fibre Channel interfaces are automatically classified into the FCoE system class.
• By default, all Ethernet interfaces are trusted interfaces. A packet tagged with an 802.1p CoS value is classified into a system class using the value in the packet.
• Any packet that is not tagged with an 802.1p CoS value is classified into the default drop system class.
If you add a system class, a queue is assigned to the class. You must reconfigure the bandwidth allocation on all affected interfaces. Bandwidth is not dedicated automatically to user-defined system classes.
You can configure a strict priority queue. This queue is serviced before all other queues except the control traffic queue (which carries control rather than data traffic).
QoS Configuration Guidelines and Limitations
QoS for Traffic Directed to the CPU
The switch automatically applies QoS policies to traffic that is directed to the CPU to ensure that the CPU is not flooded with packets. Control traffic, such as BPDU frames, is given higher priority to ensure delivery.
Configuring System Classes
Configuring ACL Classification
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# class-map [type {network-qos | qos | queuing}] class-name
  Purpose: Creates or accesses a named object that represents the specified class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.
Configuring System Classes
Configuring CoS Classification
Step 4
  Command or Action: switch(config-cmap-qos)# no match
  Purpose: (Optional) Removes the match from the traffic class.
Configuring System Classes
Configuring DSCP Classification
Use the show class-map command to display the CoS value class-map configuration:
switch# show class-map class_cos
Configuring DSCP Classification
You can classify traffic based on the Differentiated Services Code Point (DSCP) value in the DiffServ field of the IP header (either IPv4 or IPv6).
Configuring System Classes
Configuring IP RTP Classification
Value | List of DSCP Values
cs6 | CS6 (precedence 6) dscp (110000)—decimal value 48
cs7 | CS7 (precedence 7) dscp (111000)—decimal value 56
default | Default dscp (000000)—decimal value 0
ef | EF dscp (101110)—decimal value 46
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# class-map type qos
  Purpose: Creates a named object that represents a class of traffic.
Configuring System Classes
Configuring Precedence Classification
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# class-map type qos class-name
  Purpose: Creates a named object that represents a class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.
Configuring System Classes
Configuring Protocol Classification
Value | List of Precedence Values
priority | Priority precedence (1)
routine | Routine precedence (0)
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# class-map type qos class-name
  Purpose: Creates a named object that represents a class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.
Configuring System Classes
Configuring QoS Group Classification
Argument | Description
netbios | NetBIOS Extended User Interface (NetBEUI)
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# class-map type qos class-name
  Purpose: Creates a named object that represents a class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.
Configuring System Classes
Configuring Policy Maps
Note: qos-groups 0 and 1 are reserved for default classes and cannot be configured.
Step 4
  Command or Action: switch(config-cmap-que)# no match
  Purpose: (Optional) Removes the match from the traffic class.
Configuring System Classes
Configuring Type Network QoS Policies
The three policy-map configuration modes are as follows:
• network-qos—Network-wide (global) mode. CLI prompt: switch(config-pmap-nq)#
• qos—Classification mode; this is the default mode. CLI prompt: switch(config-pmap-qos)#
• queuing—Queuing mode.
Configuring System Classes
Configuring Type Network QoS Policies
Step 3
  Command or Action: switch(config-pmap-nq)# class type network-qos class-name
  Purpose: Associates a class map with the policy map, and enters configuration mode for the specified system class.
  Note: The associated class map must be the same type as the policy map type.
Step 4
  Command or Action: switch(config-pmap-c-nq)# mtu mtu-value
  Purpose: Specifies the MTU value in bytes.
Configuring System Classes
Configuring Type Queuing Policies
Step 13
  Command or Action: switch(config-pmap-c-nq)# no set
  Purpose: (Optional) Disables the marking operation in this class.
Configuring System Classes
Configuring Type QoS Policies
Step 7
  Command or Action: switch(config-pmap-c-que)# no priority
  Purpose: (Optional) Removes the strict priority queuing from the traffic in this class.
Configuring System Classes
Attaching the System Service Policy
You can use the service-policy command to associate the system class policy map as the service policy for the system.
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# system qos
  Purpose: Enters system class configuration mode.
Step 3
  Command or Action: switch(config-sys-qos)#
  Purpose: Specifies the policy map to use as the service policy for the system.
Configuring System Classes
Restoring the Default System Service Policies
Step 2
  Command or Action: switch(config)# system qos
  Purpose: Enters system class configuration mode.
Step 3
  Command or Action: switch(config-sys-qos)# service-policy type qos input default-in-policy
  Purpose: Resets the classification mode policy map. This policy-map configuration is for system qos input or interface input only:
Step 4
  Command or Action: switch(config-sys-qos)# service-policy type network-qos default-nq-policy
  Purpose: Resets the network-wide policy map.
Configuring System Classes
Enabling the Jumbo MTU
You can enable the jumbo MTU for the whole switch by setting the MTU to its maximum size (9216 bytes) in the policy map for the default Ethernet system class (class-default).
Configuring QoS on Interfaces
Configuring Untagged CoS
This example shows how to display detailed jumbo MTU information for Ethernet 1/2 (the relevant part of the output is shown in bold font):
switch# show interface ethernet 1/2 counters detailed
Rx Packets: 1547805598
Rx Unicast Packets: 1547805596
Rx Jumbo Packets: 1301767362
Rx Bytes: 7181776513802
Rx Storm Suppression: 33690
Rx Packets from 0 to 64 bytes: 169219
Rx Packets from 65 to 127 bytes: 10657133
Rx Packets from 128 to 255 bytes: 21644488
Rx Pa
Configuring QoS on Interfaces Configuring Interface Service Policy Configuring Interface Service Policy An input qos policy is a service policy applied to incoming traffic on an Ethernet interface for classification. For type queuing, the output policy is applied to all outgoing traffic that matches the specified class. When you configure an input queuing policy on an interface or EtherChannel, the switch sends the configuration data to the adapter using the DCBX protocol.
Configuring Priority Flow Control and Link-Level Flow Control
Configuring Priority Flow Control
Cisco Nexus 5000 Series switches support priority flow control (PFC) and Link-Level Flow Control (LLC) on Ethernet interfaces. The Ethernet interface can operate in two different modes: FCoE mode or standard Ethernet mode.
Verifying QoS Configuration
Configuring Link-Level Flow Control
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# interface type slot/port
  Purpose: Specifies the interface to be changed.
Step 3
  Command or Action: switch(config-if)# flowcontrol [receive {on |
  Purpose: Enables LLC for the selected interface. Set receive and/or transmit on or off.
Verifying QoS Configuration
Configuring Link-Level Flow Control
This example shows how to display the class maps defined on the switch:
switch# show class-map
Type qos class-maps
===================
class-map type qos c1
  match cos 0,7
class-map type qos c2
  match protocol ldp
  match ip rtp 2000-65535
  match dscp 10,12
  match precedence 6-7
  match protocol dhcp
  match protocol arp
class-map type qos c3
  match cos 2,4-6
class-map type qos c4
  match access-group name ipv4
class-map type qos class-fcoe
  match cos 3
cla
Verifying QoS Configuration
Configuring Link-Level Flow Control
class-map type network-qos class-default
  match qos-group 0
This example shows how to display the policy maps defined on the switch:
switch# show policy-map
Type qos policy-maps
====================
policy-map type qos p1
  class type qos c1
    set qos-group 2
  class type qos c3
    set qos-group 4
  class type qos c4
    set qos-group 5
  class type qos c2
    set qos-group 3
  class type qos c22
    set qos-group 3
  class type qos class-fcoe
    set qos-group 1
  class type q
Verifying QoS Configuration
Configuring Link-Level Flow Control
policy-map type network-qos p1
  class type network-qos c1
    match qos-group 2
    mtu 5000
  class type network-qos c2
    match qos-group 3
    mtu 9216
    queue-limit 30000 bytes
  class type network-qos c3
    match qos-group 4
    mtu 8000
  class type network-qos c4
    match qos-group 5
    pause no-drop
  class type network-qos class-fcoe
    pause no-drop
    mtu 2240
  class type network-qos class-default
    match qos-group 1
    match qos-group 0
    mtu 1538
Service-policy (queuing)
Verifying QoS Configuration
Configuring Link-Level Flow Control
Class-map (qos): c1 (match-any)
  Match: cos 0,7
  set qos-group 2
Class-map (qos): c2 (match-any)
  Match: protocol ldp
  Match: ip rtp 2000-65535
  Match: dscp 10,12
  Match: precedence 6-7
  Match: protocol dhcp
  Match: protocol arp
  set qos-group 3
Class-map (qos): c3 (match-any)
  Match: cos 2,4-6
  set qos-group 4
Class-map (qos): class-ip-multicast (match-any)
  Match: ip multicast
  set qos-group 5
Class-map (qos): class-fcoe (match-any)
  Match: cos 3
  set qo
Verifying QoS Configuration
Configuring Link-Level Flow Control
Class-map (queuing): c4 (match-any)
  Match: qos-group 5
  bandwidth percent 40
Class-map (queuing): class-fcoe (match-any)
  Match: qos-group 1
  bandwidth percent 10
Class-map (queuing): class-default (match-any)
  Match: qos-group 0
  bandwidth percent 5
This example shows how to display the queue configuration and statistics:
switch# show queuing interface ethernet 1/1
Interface Ethernet1/1 TX Queuing
qos-group  sched-type  oper-bandwidth
0          WRR         5
1          WR
Example QoS Configurations QoS Example 1 qos-group 3: q-size: 30080, MTU: 9216 drop-type: drop, xon: 0, xoff: 188 Statistics: Pkts received over the port Ucast pkts sent to the cross-bar Mcast pkts sent to the cross-bar Ucast pkts received from the cross-bar Pkts sent to the port Pkts discarded on ingress Per-priority-pause status : : : : : : : 0 0 0 0 0 0 (0) Rx (Inactive), Tx (Inactive) qos-group 4: q-size: 20480, MTU: 8000 drop-type: drop, xon: 0, xoff: 128 Statistics: Pkts received over the port Uca
Example QoS Configurations QoS Example 2 Procedure Command or Action Purpose Step 1 Set up the ingress classification policy (the access control list was defined previously).
Example QoS Configurations
QoS Example 2
Procedure
Step 1 Set up the ingress classification policy.
(config)# class-map type qos cmap-qos-bandwidth
(config-cmap-qos)# match access-group ACL-bandwidth
(config-cmap-qos)# exit
(config)# policy-map type qos pmap-qos-eth1-1
(config-pmap-qos)# class cmap-qos-bandwidth
(config-pmap-c-qos)# set qos-group 2
(config-pmap-c-qos)# exit
(config-pmap-qos)# exit
Step 2 Attach the classification policy to the interface Ethernet 1/1.
Example QoS Configurations
QoS Example 3
Step 5 Attach the bandwidth policy to the egress interface.
(config)# interface ethernet 1/3
(config-if)# service-policy type queuing output pmap-que-eth1-2
(config-if)# exit
Step 6 Allocate the system class for qos-group 2.
(config)# class-map type network-qos cmap-nq-bandwidth
(config-cmap-nq)# match qos-group 2
(config-cmap-nq)# exit
Step 7 Set up the network-qos policy.
Example QoS Configurations QoS Example 3 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide 458 OL-16597-01
PART VII
SAN Switching
• Configuring Fibre Channel Interfaces, page 461
• Configuring Domain Parameters, page 479
• Configuring N Port Virtualization, page 497
• Configuring VSAN Trunking, page 507
• Configuring SAN Port Channel, page 515
• Configuring and Managing VSANs, page 531
• Configuring and Managing Zones, page 543
• Distributing Device Alias Services, page 567
• Configuring Fibre Channel Routing Services and Protocols, page 577
• Managing FLOGI, Name Server, FDMI, and RSCN Databases, page 593
• D
CHAPTER 33
Configuring Fibre Channel Interfaces
This chapter contains the following sections:
• Configuring Fibre Channel Interfaces, page 461
Configuring Fibre Channel Interfaces
Information About Fibre Channel Interfaces
Licensing Requirements for Fibre Channel
On Cisco Nexus 5000 Series switches, Fibre Channel capability is included in the Storage Protocol Services license. Ensure that you have the correct license installed (N5010SS or N5020SS) before using Fibre Channel interfaces and capabilities.
Configuring Fibre Channel Interfaces Virtual Fibre Channel Interfaces Virtual Fibre Channel Interfaces Fibre Channel over Ethernet (FCoE) encapsulation allows a physical Ethernet cable to simultaneously carry Fibre Channel and Ethernet traffic. In Cisco Nexus 5000 Series switches, an FCoE-capable physical Ethernet interface can carry traffic for one virtual Fibre Channel interface. Native Fibre Channel and virtual Fibre Channel interfaces are configured using the same CLI commands.
Configuring Fibre Channel Interfaces
E Port
Note: Interfaces are automatically assigned VSAN 1 by default.
Each interface has an associated administrative configuration and an operational status:
• The administrative configuration does not change unless you modify it. This configuration has various attributes that you can configure in administrative mode.
• The operational status represents the current status of a specified attribute such as the interface speed.
Configuring Fibre Channel Interfaces
SD Port
Related Topics
• Configuring VSAN Trunking, page 507
SD Port
In SPAN destination port (SD port) mode, an interface functions as a switched port analyzer (SPAN). The SPAN feature monitors network traffic that passes through a Fibre Channel interface. This monitoring is done using a standard Fibre Channel analyzer (or a similar switch probe) that is attached to an SD port. SD ports do not receive frames; instead, they transmit a copy of the source traffic.
Configuring Fibre Channel Interfaces
Reason Codes
Operational State | Description
(continued) | be up, and the interface initialization must be completed.
Down | Interface cannot transmit or receive (data) traffic.
Trunking | Interface is operational in TE mode.
Reason Codes
Reason codes are dependent on the operational state of the interface. The following table describes the reason codes for operational states.
Configuring Fibre Channel Interfaces
Reason Codes
Reason Code (long version) | Description | Applicable Modes
Offline | The switch software waits for the specified R_A_TOV time before retrying initialization.
Inactive | The interface VSAN is deleted or is in a suspended state. To make the interface operational, assign that port to a configured and active VSAN.
Hardware failure | A hardware failure is detected.
Error disabled | Error conditions require administrative attention.
Configuring Fibre Channel Interfaces
Buffer-to-Buffer Credits
Reason Code (long version) | Description | Applicable Modes
Isolation due to domain manager disabled | The fcdomain feature is disabled.
Isolation due to zone merge failure | The zone merge operation failed.
Isolation due to VSAN mismatch | The VSANs at both ends of an ISL are different.
port channel administratively down | The interfaces belonging to the SAN port channel are down.
Configuring Fibre Channel Interfaces Configuring Fibre Channel Interfaces Note The receive BB_credit values depend on the port mode. For physical Fibre Channel interfaces, the default value is 16 for F mode and E mode interfaces. This value can be changed as required. The maximum value is 64. For virtual Fibre Channel interfaces, BB_credits are not used.
Configuring Fibre Channel Interfaces
Configuring Interface Modes
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# interface {fc slot/port} | {vfc vfc-id}
  Purpose: Selects a Fibre Channel interface and enters interface configuration mode.
Step 3
  Command or Action: switch(config-if)# shutdown
  Purpose: Gracefully shuts down the interface and administratively disables traffic flow (default).
Configuring Fibre Channel Interfaces
Configuring Port Speeds
Step 4
  Command or Action: switch(config-if)# no switchport description
  Purpose: Clears the description of the interface.
Configuring Port Speeds
Port speed can be configured on a physical Fibre Channel interface but not on a virtual Fibre Channel interface. By default, the port speed for an interface is automatically calculated by the switch.
Caution: Changing the interface speed is a disruptive operation.
Configuring Fibre Channel Interfaces
Configuring Receive Data Field Size
You can configure the receive data field size for native Fibre Channel interfaces (but not for virtual Fibre Channel interfaces). If the default data field size is 2112 bytes, the frame length will be 2148 bytes.
To configure the receive data field size, perform this task:
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Configuring Fibre Channel Interfaces
Configuring Buffer-to-Buffer Credits
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# interface fc slot/port
  Purpose: Selects a Fibre Channel interface and enters interface configuration mode.
Step 3
  Command or Action: switch(config-if)# switchport ignore bit-errors
  Purpose: Prevents the detection of bit error threshold events from disabling the interface.
Configuring Fibre Channel Interfaces
Configuring Global Attributes for Fibre Channel Interfaces
Configuring Switch Port Attribute Default Values
You can configure attribute default values for various switch port attributes. These attributes will be applied globally to all future switch port configurations, even if you do not individually specify them at that time.
Configuring Fibre Channel Interfaces
Enabling N Port Identifier Virtualization
To enable or disable NPIV on the switch, perform this task:
Before You Begin
You must globally enable NPIV for all VSANs on the switch to allow the NPIV-enabled applications to use multiple N port identifiers.
Note: All of the N port identifiers are allocated in the same VSAN.
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Configuring Fibre Channel Interfaces
Verifying Interface Information
The following example shows how to display all interfaces:
switch# show interface
fc3/1 is up
...
fc3/3 is up
...
Ethernet1/3 is up
...
mgmt0 is up
...
vethernet1/1 is up
...
vfc 1 is up
...
The following example shows how to display multiple specified interfaces:
switch# show interface fc3/1 , fc3/3
fc3/1 is up
...
fc3/3 is up
...
Configuring Fibre Channel Interfaces
Verifying BB_Credit Information
The following example shows the interface display when showing the running configuration for a specific interface:
switch# show running configuration fc3/5
interface fc3/5
  switchport speed 2000
  switchport mode E
  channel-group 11 force
  no shutdown
Verifying BB_Credit Information
The following example shows how to display the BB_credit information for all Fibre Channel interfaces:
switch# show interface bbcredit
...
Configuring Fibre Channel Interfaces
Default Fibre Channel Interface Settings
Parameters | Default
Interface speed | n/a
Administrative state | Shutdown (unless changed during initial setup)
Trunk mode | n/a
Trunk-allowed VSANs | n/a
Interface VSAN | Default VSAN (1)
EISL encapsulation | n/a
Data field size | n/a
CHAPTER 34
Configuring Domain Parameters
This chapter contains the following sections:
• Configuring Domain Parameters, page 479
Configuring Domain Parameters
The Fibre Channel domain (fcdomain) feature performs principal switch selection, domain ID distribution, FC ID allocation, and fabric reconfiguration functions as described in the FC-SW-2 standards. The domains are configured on a per-VSAN basis. If you do not configure a domain ID, the local switch uses a random ID.
Configuring Domain Parameters About Domain Restart The following figure illustrates an example fcdomain configuration. Figure 45: Sample fcdomain Configuration About Domain Restart Fibre Channel domains can be started disruptively or nondisruptively. If you perform a disruptive restart, reconfigure fabric (RCF) frames are sent to other switches in the fabric and data traffic is disrupted on all the switches in the VSAN (including remotely segmented ISLs).
Configuring Domain Parameters
Restarting a Domain
You can apply most of the configurations to their corresponding runtime values. Each of the following sections provides further details on how the fcdomain parameters are applied to the runtime values. The fcdomain restart command applies your changes to the runtime settings. Use the disruptive option to apply most of the configurations to their corresponding runtime values, including preferred domain IDs.
Configuring Domain Parameters
About Switch Priority
Step 4
  Command or Action: switch(config)# no fcdomain optimize fast-restart vsan vsan-id
  Purpose: Disables (default) domain manager fast restart in the specified VSAN.
About Switch Priority
By default, the configured priority is 128. The valid range to set the priority is between 1 and 254. Priority 1 has the highest priority. Value 255 is accepted from other switches, but cannot be locally configured.
Configuring Domain Parameters
Configuring Fabric Names
Step 3
  Command or Action: switch(config)# fcdomain vsan vsan-id
  Purpose: Enables the fcdomain configuration in the specified VSAN.
Configuring Fabric Names
To set the fabric name value for a disabled fcdomain, perform this task:
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Configuring Domain Parameters
About Autoreconfiguring Merged Fabrics
Step 4
  Command or Action: switch(config-if)# no fcdomain rcf-reject vsan vsan-id
  Purpose: Disables (default) the RCF filter on the specified interface in the specified VSAN.
About Autoreconfiguring Merged Fabrics
By default, the autoreconfigure option is disabled.
Configuring Domain Parameters
About Domain IDs
Note: The 0 (zero) value can be configured only if you use the preferred option.
If you do not configure a domain ID, the local switch sends a random ID in its request. We recommend that you use static domain IDs.
When a subordinate switch requests a domain, the following process takes place (see the figure below):
• The local switch sends a configured domain ID request to the principal switch.
Configuring Domain Parameters Specifying Static or Preferred Domain IDs • When the assigned and requested domain IDs are the same, the preferred and static options are not relevant, and the assigned domain ID becomes the runtime domain ID.
Configuring Domain Parameters
About Allowed Domain ID Lists
Step 2
  Command or Action: switch(config)# fcdomain domain domain-id static vsan vsan-id
  Purpose: Configures the switch in the specified VSAN to accept only a specific value and moves the local interfaces in the specified VSAN to an isolated state if the requested domain ID is not granted.
Step 3
  Command or Action: switch(config)# no fcdomain domain
  Purpose: Resets the configured domain ID to factory defaults in the specified VSAN.
Configuring Domain Parameters
About CFS Distribution of Allowed Domain ID Lists
Step 3
  Command or Action: switch(config)# no fcdomain allowed domain-id range vsan vsan-id
  Purpose: Reverts to the factory default of allowing domain IDs from 1 through 239 in the specified VSAN.
About CFS Distribution of Allowed Domain ID Lists
You can enable the distribution of the allowed domain ID list configuration information to all Cisco SAN switches in the fabric using the Cisco Fabric Services (CFS) infrastructure.
Configuring Domain Parameters Committing Changes Committing Changes To apply the pending domain configuration changes to other SAN switches in the VSAN, you must commit the changes. The pending configuration changes are distributed and, on a successful commit, the configuration changes are applied to the active configuration in the SAN switches throughout the VSAN and the fabric lock is released.
Configuring Domain Parameters
Displaying Pending Changes
You can display the pending configuration changes using the show fcdomain pending command.
switch# show fcdomain pending vsan 10
Pending Configured Allowed Domains
----------------------------------
VSAN 10
Assigned or unallowed domain IDs: 1-9,24,100,231-239.
[User] configured allowed domain IDs: 10-230.
Configuring Domain Parameters
FC IDs
Step 3
  Command or Action: switch(config)# no fcdomain contiguous-allocation vsan vsan-id
  Purpose: Disables the contiguous allocation option and reverts it to the factory default in the specified VSAN.
  Note: The contiguous-allocation option takes immediate effect at runtime. You do not need to restart the fcdomain.
FC IDs
When an N port logs into a Cisco Nexus 5000 Series switch, it is assigned an FC ID. By default, the persistent FC ID feature is enabled.
Configuring Domain Parameters
Enabling the Persistent FC ID Feature
To enable the persistent FC ID feature, perform this task:
Procedure
Step 1
  Command or Action: switch# configuration terminal
  Purpose: Enters configuration mode.
Step 2
  Command or Action: switch(config)# fcdomain fcid persistent vsan vsan-id
  Purpose: Activates (default) persistency of FC IDs in the specified VSAN.
Configuring Domain Parameters
About Unique Area FC IDs for HBAs
Step 4
  Command or Action: switch(config-fcid-db)# vsan vsan-id wwn 11:22:11:22:33:44:33:44 fcid dynamic
  Purpose: Configures a device WWN (11:22:11:22:33:44:33:44) with the FC ID 0x070123 in the specified VSAN in dynamic mode.
Step 5
  Command or Action: switch(config-fcid-db)# vsan vsan-id wwn 11:22:11:22:33:44:33:44 fcid
  Purpose: Configures a device WWN (11:22:11:22:33:44:33:44) with the FC IDs 0x070100 through 0x701FF in the specified VSAN.
Configuring Domain Parameters
About Persistent FC ID Selective Purging
switch(config-if)# shutdown
switch(config-if)# end
Step 3 Verify that the FC ID feature is enabled using the show fcdomain vsan command.
switch# show fcdomain vsan 1
...
Local switch configuration information:
  State: Enabled
  FCID persistence: Disabled
If this feature is disabled, continue to the next step to enable the persistent FC ID. If this feature is already enabled, skip to the following step.
Configuring Domain Parameters
Purging Persistent FC IDs
To purge persistent FC IDs, perform this task:
Procedure
Step 1
  Command or Action: switch# purge fcdomain fcid vsan vsan-id
  Purpose: Purges all dynamic and unused FC IDs in the specified VSAN.
Step 2
  Command or Action: switch# purge fcdomain fcid vsan vsan-id
  Purpose: Purges dynamic and unused FC IDs in the specified VSAN range.
Configuring Domain Parameters
Default Fibre Channel Domain Settings
The following example shows how to display frame and other fcdomain statistics for a specified VSAN or SAN port channel:
switch# show fcdomain statistics vsan 1
VSAN Statistics
  Number of Principal Switch Selections: 5
  Number of times Local Switch was Principal: 0
  Number of 'Build Fabric's: 3
  Number of 'Fabric Reconfigurations': 0
The following example shows how to display FC ID allocation statistics including a list of assigned and free F
CHAPTER 35
Configuring N Port Virtualization
This chapter contains the following sections:
• Configuring N Port Virtualization, page 497
Configuring N Port Virtualization
Information About NPV
NPV Overview
By default, Cisco Nexus 5000 Series switches operate in fabric mode. In this mode, the switch provides standard Fibre Channel switching capability and features. In fabric mode, each switch that joins a SAN is assigned a domain ID.
Configuring N Port Virtualization NPV Mode The figure below shows an interface-level view of an NPV configuration. Figure 47: NPV Interface Configuration NPV Mode In NPV mode, the edge switch relays all traffic to the core switch, which provides the Fibre Channel switching capabilities. The edge switch shares the domain ID of the core switch. To convert a switch into NPV mode, you set the NPV feature to enabled. This configuration command automatically triggers a switch reboot.
Configuring N Port Virtualization FLOGI Operation An NP uplink is a connection from an NP port on the edge switch to an F port on the core switch. When an NP uplink is established, the edge switch sends a fabric login message (FLOGI) to the core switch, and then (if the FLOGI is successful) it registers itself with the name server on the core switch. Subsequent FLOGIs from end devices connected to this NP uplink are converted to fabric discovery messages (FDISCs).
Configuring N Port Virtualization
NPV Traffic Management
• The same device might log in using different fWWNs on the core switch (depending on the NPV link it uses) and may need to be zoned using different fWWNs.
Related Topics
• Configuring and Managing Zones, page 543
NPV Traffic Management
Automatic Uplink Selection
NPV supports automatic selection of NP uplinks.
Configuring N Port Virtualization
NPV Traffic Management Guidelines
When deploying NPV traffic management, follow these guidelines:
• Use NPV traffic management only when automatic traffic engineering does not meet your network requirements.
• You do not need to configure traffic maps for all server interfaces. By default, NPV will use automatic traffic management.
Configuring N Port Virtualization
Configuring NPV
• Both servers and targets can be connected to the switch when in NPV mode.
• Fibre Channel switching is not performed in the edge switch; all traffic is switched in the core switch.
• NPV supports NPIV-capable module servers. This capability is called nested NPIV.
• Only F, NP, and SD ports are supported in NPV mode.
Configuring NPV
Enabling NPV
When you enable NPV, the system configuration is erased and the switch reboots.
Configuring N Port Virtualization
Configuring a Server Interface
Step 3
  Command or Action: switch(config-if)# switchport mode NP
  Purpose: Configures the interface as an NP port.
Step 4
  Command or Action: switch(config-if)# no shutdown
  Purpose: Brings up the interface.
Configuring a Server Interface
To configure a server interface, perform this task:
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode.
Configuring N Port Virtualization
Verifying NPV
To enable disruptive load balancing, perform this task:
Procedure
Step 1
  Command or Action: switch# configure terminal
  Purpose: Enters configuration mode on the NPV.
Step 2
  Command or Action: switch(config)# npv auto-load-balance disruptive
  Purpose: Enables disruptive load balancing on the switch.
Step 3
  Command or Action: switch(config)# no npv auto-load-balance disruptive
  Purpose: Disables disruptive load balancing on the switch.
Configuring N Port Virtualization
Verifying NPV Traffic Management
Server Interfaces:
==================
Interface: vfc3/1, VSAN: 1, NPIV: No, State: Up
Number of Server Interfaces: 1
Note: To view fcns database entries for NPV edge switches, you must enter the show fcns database command on the core switch.
CHAPTER 36
Configuring VSAN Trunking
This chapter contains the following sections:
• Configuring VSAN Trunking, page 507
Configuring VSAN Trunking
Information About VSAN Trunking
VSAN trunking enables interconnect ports to transmit and receive frames in more than one VSAN, over the same physical link, using enhanced ISL (EISL) frame format (see the following figure).
Figure 48: VSAN Trunking
VSAN trunking is supported on native Fibre Channel interfaces, but not on virtual Fibre Channel interfaces.
VSAN Trunking Mismatches
If you misconfigure VSAN configurations across E ports, issues can occur such as the merging of traffic in two VSANs (causing both VSANs to mismatch). The VSAN trunking protocol validates the VSAN interfaces at both ends of an ISL to avoid merging VSANs (see the following figure).
Figure 49: VSAN Mismatch
In this example, the trunking protocol detects potential VSAN merging and isolates the ports involved.
Configuring VSAN Trunking
Guidelines and Restrictions
When configuring VSAN trunking, note the following guidelines:
• We recommend that both ends of a VSAN trunking ISL belong to the same port VSAN. On platforms or fabric switches where the port VSANs are different, one end returns an error, and the other is not connected.
The preferred configuration on the Cisco Nexus 5000 Series switches is that one side of the trunk is set to auto and the other is set to on.
Note When connected to a third-party switch, the trunk mode configuration has no effect. The ISL is always in a trunking disabled state.
Configuring Trunk Mode
To configure trunk mode, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
three switches are allowed-active. However, only the common set of allowed-active VSANs at the ends of the ISL become operational, as shown in the figure below.
Figure 51: Default Allowed-Active VSAN Configuration
You can configure a selected set of VSANs (from the allowed-active list) to control access to the VSANs specified in a trunking ISL.
Consequently, VSAN 2 can only be routed from switch 1 through switch 3 to switch 2.
Figure 52: Operational and Allowed VSAN Configuration
Configuring an Allowed-Active List of VSANs
To configure an allowed-active list of VSANs for an interface, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Displaying VSAN Trunking Information
The show interface command is invoked from EXEC mode and displays the VSAN trunking configuration for a TE port. Without any arguments, this command displays the information for all of the configured interfaces in the switch.
CHAPTER 37 Configuring SAN Port Channel
This chapter contains the following sections:
• Configuring SAN Port Channels, page 515
Configuring SAN Port Channels
SAN port channels refer to the aggregation of multiple physical interfaces into one logical interface to provide higher aggregated bandwidth, load balancing, and link redundancy. On Cisco Nexus 5000 Series switches, SAN port channels can include physical Fibre Channel interfaces, but not virtual Fibre Channel interfaces.
• A SAN port channel enables several physical links to be combined into one aggregated logical link.
• An industry standard E port can link to other vendor switches and is referred to as an inter-switch link (ISL), as shown on the left side of the figure below.
• VSAN trunking enables a link transmitting frames in the EISL format to carry traffic for multiple VSANs. When trunking is operational on an E port, that E port becomes a TE port.
The following figure illustrates how flow-based load balancing works. When the first frame in a flow is received on an interface for forwarding, link 1 is selected. Each subsequent frame in that flow is sent over the same link. No frame in SID1 and DID1 utilizes link 2.
Figure 55: SID1, DID1, and Flow-Based Load Balancing
The following figure illustrates how exchange-based load balancing works.
particular exchange are sent on the same link. For exchange 1, no frame uses link 2. For the next exchange, link 2 is chosen by the hash algorithm. Now all frames in exchange 2 use link 2.
Figure 56: SID1, DID1, and Exchange-Based Load Balancing
Configuring SAN Port Channels
SAN port channels are created with default values. You can change the default configuration just as for any other physical interface.
The following figure shows examples of invalid configurations. Assuming that the links are brought up in the 1, 2, 3, 4 sequence, links 3 and 4 will be operationally down because the fabric is misconfigured.
If all three conditions are not met, the faulty link is disabled. Enter the show interface command for that interface to verify that the SAN port channel is functioning as required.
Creating a SAN Port Channel
To create a SAN port channel, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
On Mode
When you add or modify a port channel member port configuration, you must explicitly disable (shut) and enable (no shut) the port channel member ports at either end.
Port initialization is not synchronized.
Active Mode
When you add or modify a port channel interface, the SAN port channel automatically recovers.
There is synchronized startup of all ports in a channel across peer switches.
Step 3  switch(config-if)# channel mode active
        Configures the Active mode.
Step 4  switch(config-if)# no channel mode active
        Reverts to the default On mode.
• Capability parameters (type of interface, Fibre Channel at both ends).
• Administrative compatibility parameters (speed, mode, port VSAN, allowed VSAN, and port security).
• Operational parameters (speed and remote switch's WWN).
A port addition procedure fails if the capability and administrative parameters in the remote switch are incompatible with the capability and administrative parameters in the local switch.
After the members are forcefully added, regardless of the mode (Active or On) used, the ports at either end are gracefully brought down, which means that no frames are lost when the interface goes down.
To force the addition of a port to a SAN port channel, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Cisco SAN switches support a protocol to exchange SAN port channel configurations, which simplifies port channel management with incompatible ISLs. An additional autocreation mode enables ISLs with compatible parameters to automatically form channel groups without manual intervention. The port channel protocol is enabled by default. The port channel protocol expands the port channel functional model in Cisco SAN switches.
Table 71: Channel Group Configuration Differences
User-Configured Channel Group
• Manually configured by the user.
• Member ports cannot participate in autocreation of channel groups. The autocreation feature cannot be configured.
Autocreated Channel Group
• Created automatically when compatible links come up between two compatible switches, if channel group autocreation is enabled in all ports at both ends.
• An autocreated SAN port channel is not persistent through a reboot. An autocreated SAN port channel can be manually configured to appear the same as a persistent SAN port channel. Once the SAN port channel is made persistent, the autocreation feature is disabled in all member ports.
• You can enable or disable the autocreation feature on a per-port basis or for all ports in the switch.
Converting to Manually Configured Channel Groups
You can convert an autocreated channel group to a user-configured channel group using the san-port-channel channel-group-number persistent EXEC command. If the SAN port channel does not exist, this command is not executed.
Verifying SAN Port Channel Configuration
You can view specific information about existing SAN port channels at any time from EXEC mode.
Autocreated SAN port channels are indicated explicitly to help differentiate them from the manually created SAN port channels. The following example shows how to display an autocreated port channel:
switch# show interface fc2/1
fc2/1 is trunking
Hardware is Fibre Channel, FCOT is short wave laser
Port WWN is 20:0a:00:0b:5f:3b:fe:80
...
CHAPTER 38 Configuring and Managing VSANs
This chapter contains the following sections:
• Configuring and Managing VSANs, page 531
Configuring and Managing VSANs
You can achieve higher security and greater stability in Fibre Channel fabrics by using virtual SANs (VSANs). VSANs provide isolation among devices that are physically connected to the same fabric. With VSANs you can create multiple logical SANs over a common physical infrastructure.
The following figure shows a fabric with three switches, one on each floor. The geographic location of the switches and the attached devices is independent of their segmentation into logical VSANs. No communication between VSANs is possible. Within each VSAN, all members can talk to one another.
Figure 60: Logical VSAN Segmentation
The application servers or storage arrays can be connected to the switch using Fibre Channel or virtual Fibre Channel interfaces.
The following figure shows a physical Fibre Channel switching infrastructure with two defined VSANs: VSAN 2 (dashed) and VSAN 7 (solid). VSAN 2 includes hosts H1 and H2, application servers AS2 and AS3, and storage arrays SA1 and SA4. VSAN 7 connects H3, AS1, SA2, and SA3.
Figure 61: Example of Two VSANs
The four switches in this network are interconnected by VSAN trunk links that carry both VSAN 2 and VSAN 7 traffic.
• VSANs can meet the needs of a particular department or application.
VSAN Advantages
VSANs offer the following advantages:
• Traffic isolation—Traffic is contained within VSAN boundaries and devices reside only in one VSAN, ensuring absolute separation between user groups, if desired.
• Scalability—VSANs are overlaid on top of a single physical fabric. The ability to create several logical VSAN layers increases the scalability of the SAN.
VSAN Characteristic: VSANs encompass the entire fabric.
Zone Characteristic: Zones are configured at the fabric edge.
The following figure shows the possible relationships between VSANs and zones. In VSAN 2, three zones are defined: zone A, zone B, and zone C. Zone C overlaps both zone A and zone B as permitted by Fibre Channel standards. In VSAN 7, two zones are defined: zone A and zone D. No zone crosses the VSAN boundary.
• VSAN name—This text string identifies the VSAN for management purposes. The name can be from 1 to 32 characters long and it must be unique across all VSANs. By default, the VSAN name is a concatenation of VSAN and a four-digit string representing the VSAN ID. For example, the default name for VSAN 3 is VSAN0003.
Note A VSAN name must be unique.
• Dynamically—Assigning VSANs based on the device WWN. This method is referred to as dynamic port VSAN membership (DPVM). Cisco Nexus 5000 Series switches do not support DPVM.
VSAN trunking ports have an associated list of VSANs that are part of an allowed list.
san-port-channel 3 vfc3/1
vsan 2 interfaces:
fc2/3 vfc4/1
vsan 7 interfaces:
vsan 100 interfaces:
vsan 4094(isolated vsan) interfaces:
The following example displays static membership information for the specified interface:
switch# show vsan membership interface fc2/1
fc2/1
vsan:1
allowed list:1-4093
About the Default VSAN
The factory settings for switches in the Cisco Nexus 5000 Series have only the default VSAN 1 enabled.
About Static VSAN Deletion
When an active VSAN is deleted, all of its attributes are removed from the running configuration. VSAN-related information is maintained by the system software as follows:
• VSAN attributes and port membership details are maintained by the VSAN manager. This feature is affected when you delete a VSAN from the configuration.
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# vsan database
        Configures the VSAN database.
Step 3  switch-config-db# vsan 2
        Places you in VSAN configuration mode.
Step 4  switch(config-vsan-db)# no vsan 5
        Deletes VSAN 5 from the database and switch.
Step 5  switch(config-vsan-db)# end
        Places you in EXEC mode.
About Interop Mode
Interoperability enables the products of multiple vendors to connect with each other. Fibre Channel standards guide vendors to create common external Fibre Channel interfaces.
CHAPTER 39 Configuring and Managing Zones
This chapter contains the following sections:
• Configuring and Managing Zones, page 543
Configuring and Managing Zones
Zoning enables you to set up access control between storage devices or user groups. If you have administrator privileges in your fabric, you can create zones to increase network security and to prevent data loss or corruption. Zoning is enforced by examining the source-destination ID field.
◦ A zone can be a member of more than one zone set.
◦ A zone switch can have a maximum of 500 zone sets.
• Zoning can be administered from any switch in the fabric.
◦ When you activate a zone (from any switch), all switches in the fabric receive the active zone set. Additionally, full zone sets are distributed to all switches in the fabric, if this feature is enabled in the source switch.
Zoning Example
The following figure shows a zone set with two zones, zone 1 and zone 2, in a fabric. Zone 1 provides access from all three hosts (H1, H2, H3) to the data residing on storage systems S1 and S2. Zone 2 restricts the data on S3 to access only by H3. H3 resides in both zones.
Figure 64: Fabric with Two Zones
You can use other ways to partition this fabric into zones. The following figure shows another possibility.
• Hard zoning cannot be disabled.
• Name server queries are soft-zoned.
• Only active zone sets are distributed.
• Unzoned devices cannot access each other.
• A zone or zone set with the same name can exist in each VSAN.
• Each VSAN has a full database and an active database.
• Active zone sets cannot be changed without activating a full zone database.
• Active zone sets are preserved across switch reboots.
Note If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new zone set.
The following figure shows a zone being added to an activated zone set.
Configuring Zones
To configure a zone and assign a zone name, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# zone name zone-name vsan vsan-id
        Configures a zone in the specified VSAN.
Step 3
Note All alphanumeric characters or one of the following symbols ($, -, ^, _) are supported.
Tip Use the show wwn switch command to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN.
Zones provide a method for specifying access control, while zone sets are a grouping of zones to enforce access control in the fabric. Either zone set A or zone set B can be activated (but not together).
Tip Zone sets are configured with the names of the member zones and the VSAN (if the zone set is in a configured VSAN).
Activating a Zone Set
Changes to a zone set do not take effect in a full zone set until you activate it.
The default zone members are explicitly listed when the default policy is configured as permit or when a zone set is active. When the default policy is configured as deny, the members of this zone are not explicitly enumerated when you view the active zone set.
Step 2  switch(config)# fcalias name AliasSample vsan vsan-id
        Configures an alias name (AliasSample).
Step 3  switch(config-fcalias)# member type value
        Configures a member for the specified fcalias (AliasSample) based on the type (pWWN, fabric pWWN, FC ID, domain ID, or interface) and value specified.
Note Multiple members can be specified on multiple lines.
Device alias example:
switch(config-fcalias)# member device-alias devName
Creating Zone Sets and Adding Member Zones
To create a zone set to include several zones, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# zone set name zoneset-name vsan vsan-id
        Configures a zone set with the configured zoneset-name.
Note Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access. Cisco Nexus 5000 Series switches support both hard and soft zoning.
Zone Set Distribution
You can distribute full zone sets using one of two methods: one-time distribution using the zoneset distribute vsan command at the EXEC mode level, or full zone set distribution using the zoneset distribute full vsan command at the configuration mode level.
Note The one-time distribution of the full zone set is supported in interop 2 and interop 3 modes, and not in interop 1 mode.
Use the show zone status vsan vsan-id command to check the status of the one-time zone set distribution request.
Importing and Exporting Zone Sets
To import or export the zone set information from or to an adjacent switch, perform this task:
Procedure
Step 1  switch# zoneset import interface fc slot/port vsan vsan-id
        Imports the zone set from the adjacent switch connected through the specified interface for the VSAN.
Step 2  switch# zone copy vsan vsan-id active-zoneset scp://guest@myserver/tmp/active_zoneset.txt
        Copies the active zone in the specified VSAN to a remote location using SCP.
Renaming Zones, Zone Sets, and Aliases
To rename a zone, zone set, fcalias, or zone-attribute-group, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 6  switch(config)# zoneset activate name newname vsan vsan-id
        Activates the zone set and updates the new zone name in the active zone set.
Clearing the Zone Server Database
You can clear all configured information in the zone server database for the specified VSAN.
Enhanced Zoning
The zoning feature complies with the FC-GS-4 and FC-SW-3 standards. Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section.
About Enhanced Zoning
The following table lists the advantages of the enhanced zoning feature in all switches in the Cisco Nexus 5000 Series.
Basic Zoning: be misunderstood by the non-Cisco switches. The fWWN-based zone membership is only supported in Cisco interop mode.
Enhanced Zoning: Supports fWWN-based membership in the standard interop mode (interop mode 1).
Enhanced Zoning Advantages: The fWWN-based member type is standardized.
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# zone mode enhanced vsan vsan-id
        Enables enhanced zoning in the specified VSAN.
Step 3  switch(config)# no zone mode enhanced vsan vsan-id
        Disables enhanced zoning in the specified VSAN.
Modifying the Zone Database
Modifications to the zone database are done within a session.
If session locks remain on remote switches after using the no zone commit vsan command, you can use the clear zone lock vsan command on the remote switches.
switch# clear zone lock vsan 2
We recommend using the no zone commit vsan command first to release the session lock in the fabric. If that fails, use the clear zone lock vsan command on the remote switches where the session is still locked.
Configuring Zone Merge Control Policies
To configure merge control policies, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# zone merge-control restrict
        Configures a restricted merge control setting for this VSAN.
Step 3  switch(config)# no system default zone default-zone permit
        Configures deny (default) as the default zoning policy for new VSANs on the switch.
Step 4  switch(config)# system default zone distribute full
Step 5  switch(config)# no system default zone distribute full
        Disables (default) full zone database distribution as the default for new VSANs on the switch. Only the active zone database is distributed.
The following example shows how to display full zoning analysis:
switch# show zone analysis vsan 1
The following example shows how to display active zoning analysis:
switch# show zone analysis active vsan 1
See the Cisco Nexus 5000 Series Switch Command Reference for the description of the information displayed in the command output.
Default Basic Zone Settings
The following table lists the default settings for basic zone parameters.
CHAPTER 40 Distributing Device Alias Services
This chapter contains the following sections:
• Distributing Device Alias Services, page 567
Distributing Device Alias Services
Switches in the Cisco Nexus 5000 Series support Distributed Device Alias Services (device aliases) on a fabric-wide basis.
Related Topics
• Device Alias Modes, page 569
• Using Cisco Fabric Services, page 299
Device Alias Requirements
Device aliases have the following requirements:
• You can only assign device aliases to pWWNs.
• There must be a one-to-one relationship between the pWWN and the device alias that maps to it.
• Effective database—The database currently used by the fabric.
• Pending database—Your subsequent device alias configuration changes are stored in the pending database.
If you modify the device alias configuration, you need to commit or discard the changes, as the fabric remains locked during this period. Device alias database changes are validated with the applications.
track of the device alias membership changes and enforce them accordingly. The primary benefit of operating in enhanced mode is that you have a single point of change.
Whenever you change device alias modes, the change is distributed to other switches in the network only if device alias distribution is enabled or on. Otherwise, the mode change only takes place on the local switch.
Viewing the Device Alias Mode Setting
To view the current device alias mode setting, enter the show device-alias status command.
switch# show device-alias status
Fabric Distribution: Enabled
Database:- Device Aliases 0 Mode: Basic
Locked By:- User "admin" SWWN 20:00:00:0d:ec:30:90:40
Pending Database:- Device Aliases 0 Mode: Basic
About Device Alias Distribution
By default, device alias distribution is enabled.
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# device-alias commit
        Commits the changes made to the currently active session.
Discarding Changes
If you discard the changes made to the pending database, the following events occur:
• The effective database contents remain unaffected.
• The pending database is emptied of its contents.
To display the status of the clear operation, use the show device-alias status command.
• Each zone alias has only one member.
• The member type is pWWN.
If any name or definition conflict exists, the zone aliases are not imported. Ensure that you copy any required zone aliases to the device alias database as required by your configuration. When an import operation is complete, the modified alias database is distributed to all other switches in the physical fabric when you perform the commit operation.
Procedure
Step 1  switch# show zoneset [active]
        Displays the device aliases in the zone set information.
Step 2  switch# show device-alias database [pending | pending-diffs]
        Displays the device alias database.
Step 3  switch# show device-alias {pwwn pwwn-id
        Displays the device alias information for the specified pwwn or alias.
Parameters and Defaults
Database in use: Effective database.
Database to accept changes: Pending database.
Device alias fabric lock state: Locked with the first device alias task.
CHAPTER 41 Configuring Fibre Channel Routing Services and Protocols
This chapter contains the following sections:
• Configuring Fibre Channel Routing Services and Protocols, page 577
Configuring Fibre Channel Routing Services and Protocols
Fabric Shortest Path First (FSPF) is the standard path selection protocol used by Fibre Channel fabrics. The FSPF feature is enabled by default on the E mode and TE mode Fibre Channel interfaces on Cisco Nexus 5000 Series switches.
• Uses a topology database to keep track of the state of the links on all switches in the fabric and associates a cost with each link.
• Guarantees a fast reconvergence time in case of a topology change. Uses the standard Dijkstra algorithm, but there is a static dynamic option for a more robust, efficient, and incremental Dijkstra algorithm.
failure of a link in a SAN port channel does not trigger a route change, which reduces the risks of routing loops, traffic loss, or fabric downtime for route reconfiguration.
Figure 70: Fault Tolerant Fabric with Redundant Links
For example, if all links are of equal speed and no SAN port channels exist, the FSPF calculates four equal paths from A to C: A1-E-C, A2-E-C, A3-D-C, and A4-D-C.
Table 83: LSR Default Settings
Acknowledgment interval (RxmtInterval): default 5 seconds. The time a switch waits for an acknowledgment from the LSR before retransmission.
Refresh time (LSRefreshTime): default 30 minutes. The time a switch waits before sending an LSR refresh transmission.
Maximum age (MaxAge): default 60 minutes. The time a switch waits before dropping the LSR from the database.
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# no fspf config vsan vsan-id
        Deletes the FSPF configuration for the specified VSAN.
Enabling or Disabling FSPF
To enable or disable FSPF routing protocols, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Configuring FSPF Link Cost
To configure FSPF link cost, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 2  switch(config)# interface fc slot/port
        Configures the specified interface, or if already configured, enters configuration mode for the specified interface.
Note This value must be the same in the ports at both ends of the ISL.
Caution An error is reported at the command prompt if the configured dead time interval is less than the hello time interval.
Configuring Dead Time Intervals
To configure the FSPF dead time interval, perform this task:
Procedure
Step 1  switch# configuration terminal
        Enters configuration mode.
Step 3  switch(config-if)# fspf retransmit-interval value vsan vsan-id
        Specifies the retransmit time interval for unacknowledged link state updates in the specified VSAN. The default is 5 seconds.
About Disabling FSPF for Specific Interfaces
You can disable the FSPF protocol for selected interfaces. By default, FSPF is enabled on all E ports and TE ports.
FSPF Routes
FSPF routes traffic across the fabric, based on entries in the FSPF database. These routes can be learned dynamically, or configured statically.
About Fibre Channel Routes
Each port implements forwarding logic, which forwards frames based on its FC ID.
Step 5  switch(config)# fcroute fcid interface fc slot/port domain domain-id metric value remote vsan vsan-id
        Adds a static route to the RIB. If this is an active route and the FIB (Forwarding Information Base) records are free, it is also added to the FIB. If the cost (metric) of the route is not specified, the default is 10.
Configuring Fibre Channel Routing Services and Protocols About Reordering SAN Port Channel Frames • Frames in the network are delivered in the order in which they are transmitted. • Frames that cannot be delivered in order within the network latency drop period are dropped inside the network. About Reordering SAN Port Channel Frames When a link change occurs in a SAN port channel, the frames for the same exchange or the same flow can switch from one path to another faster path.
Configuring Fibre Channel Routing Services and Protocols Enabling In-Order Delivery Globally Enabling In-Order Delivery Globally To ensure that the in-order delivery parameters are uniform across all VSANs on the switch, enable in-order delivery globally. Only enable in-order delivery globally if this is a requirement across your entire fabric. Otherwise, enable IOD only for the VSANs that require this feature.
Displaying the In-Order Delivery Status
Use the show in-order-guarantee command to display the present configuration status:
switch# show in-order-guarantee
global inorder delivery configuration:guaranteed
VSAN specific settings
vsan 1 inorder delivery:guaranteed
vsan 101 inorder delivery:not guaranteed
vsan 1000 inorder delivery:guaranteed
vsan 1001 inorder delivery:guaranteed
vsan 1682 inorder delivery:guaranteed
Configuring Fibre Channel Routing Services and Protocols Flow Statistics Configuration Flow Statistics Configuration Flow statistics count the ingress traffic in the aggregated statistics table. You can collect two kinds of statistics: • Aggregated flow statistics to count the traffic for a VSAN. • Flow statistics to count the traffic for a source and destination ID pair in a VSAN.
Clearing FIB Statistics
Use the clear fcflow stats command to clear the aggregated flow counter. The following example clears the aggregated flow counters:
switch# clear fcflow stats aggregated index 1
The following example clears the flow counters for source and destination FC IDs:
switch# clear fcflow stats index 1
Displaying Flow Statistics
Use the show fcflow stats commands to view flow statistics.
Default FSPF Settings
Parameter: Default
Hello interval: 20 seconds.
Dead interval: 80 seconds.
Distribution tree information: Derived from the principal switch (root node).
Routing table: FSPF stores up to 16 equal cost paths to a given destination.
Load balancing: Based on destination ID and source ID on different, equal cost paths.
In-order delivery: Disabled.
Drop latency: Disabled.
CHAPTER 42 Managing FLOGI, Name Server, FDMI, and RSCN Databases This chapter contains the following sections: • Managing FLOGI, Name Server, FDMI, and RSCN Databases, page 593 Managing FLOGI, Name Server, FDMI, and RSCN Databases Information About Fabric Login In a Fibre Channel fabric, each host or disk requires an FC ID. Use the show flogi command to verify if a storage device is displayed in the fabric login (FLOGI) table as in the following examples.
Managing FLOGI, Name Server, FDMI, and RSCN Databases Name Server Proxy Name Server Proxy The name server functionality maintains a database containing the attributes for all hosts and storage devices in each VSAN. Name servers allow a database entry to be modified by a device that originally registered the information. The proxy feature is useful when you need to modify (update or delete) the contents of a database entry that was previously registered by a different device.
Managing FLOGI, Name Server, FDMI, and RSCN Databases About Name Server Database Entries About Name Server Database Entries The name server stores name entries for all hosts in the FCNS database. The name server permits an Nx port to register attributes during a PLOGI (to the name server) to obtain attributes of other hosts. These attributes are deregistered when the Nx port logs out either explicitly or implicitly.
• Host operating system (OS) name and version number
All FDMI entries are stored in persistent storage and are retrieved when the FDMI process is started.
Displaying FDMI
The following example shows how to display all HBA details for a specified VSAN:
switch# show fdmi database detail vsan 1
RSCN
The Registered State Change Notification (RSCN) is a Fibre Channel service that informs hosts about changes in the fabric.
Managing FLOGI, Name Server, FDMI, and RSCN Databases Configuring the multi-pid Option D2, and H belong to the same zone. If disks D1 and D2 are online at the same time, one of the following actions applies: • The multi-pid option is disabled on switch 1— Two RSCNs are generated to host H: one for the disk D1 and another for disk D2. • The multi-pid option is enabled on switch 1—A single RSCN is generated to host H, and the RSCN payload lists the affected port IDs (in this case, both D1 and D2).
The following example shows how to clear the RSCN statistics for the specified VSAN:
switch# clear rscn statistics vsan 1
After clearing the RSCN statistics, you can view the cleared counters by entering the show rscn statistics command:
switch# show rscn statistics vsan 1
Configuring the RSCN Timer
RSCN maintains a per VSAN event list queue, where the RSCN events are queued as they are generated.
Managing FLOGI, Name Server, FDMI, and RSCN Databases RSCN Timer Configuration Distribution RSCN Timer Configuration Distribution Because the timeout value for each switch is configured manually, a misconfiguration occurs when different switches time out at different times. This means different N-ports in a network can receive RSCNs at different times.
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Step 2: switch(config)# rscn commit vsan timeout
    Purpose: Commits the RSCN timer changes.
Discarding the RSCN Timer Configuration Changes
If you discard (abort) the changes made to the pending database, the configuration database remains unaffected and the lock is released.
Managing FLOGI, Name Server, FDMI, and RSCN Databases Default RSCN Settings Note The pending database includes both existing and modified configuration.
Managing FLOGI, Name Server, FDMI, and RSCN Databases Default RSCN Settings Cisco Nexus 5000 Series Switch CLI Software Configuration Guide 602 OL-16597-01
CHAPTER 43 Discovering SCSI Targets This chapter contains the following sections: • Discovering SCSI Targets, page 603 Discovering SCSI Targets Information About SCSI LUN Discovery Small Computer System Interface (SCSI) targets include disks, tapes, and other storage devices. These targets do not register logical unit numbers (LUNs) with the name server.
About Initiating Customized Discovery
Step 1: switch# discover scsi-target {custom-list | local | remote | vsan vsan-id fcid fc-id} os {aix | hpux | linux | solaris
    Purpose: Discovers SCSI targets for the specified operating system (OS).
Displaying SCSI LUN Information
The following example displays the discovered targets:
switch# show scsi-target status
discovery completed
Note: This command takes several minutes to complete, especially if the fabric is large or if several devices are slow to respond.
CHAPTER 44 Advanced Fibre Channel Features and Concepts This chapter contains the following sections: • Advanced Fibre Channel Features and Concepts, page 607 Advanced Fibre Channel Features and Concepts Fibre Channel Timeout Values You can modify Fibre Channel protocol-related timer values for the switch by configuring the following timeout values (TOVs): • Distributed services TOV (D_S_TOV)—The valid range is from 5,000 to 10,000 milliseconds. The default is 5,000 milliseconds.
Timer Configuration Per-VSAN
Note: If a VSAN is not specified when you change the timer value, the changed value is applied to all VSANs in the switch.
To configure Fibre Channel timers across all VSANs, perform this task:
Step 1: switch# configure terminal
    Purpose: Enters configuration mode.
Step 2: switch(config)# fctimer R_A_TOV
    Purpose: Configures the R_A_TOV timeout value for all VSANs. The unit is milliseconds.
Advanced Fibre Channel Features and Concepts About fctimer Distribution About fctimer Distribution You can enable per-VSAN fctimer fabric distribution for all Cisco SAN switches in the fabric. When you perform fctimer configurations, and distribution is enabled, that configuration is distributed to all the switches in the fabric. You automatically acquire a fabric-wide lock when you enter the first configuration command after you enabled distribution in a switch.
Discarding fctimer Changes
After making the configuration changes, you can discard them instead of committing them. In either case, the lock is released.
To discard the fctimer configuration changes, perform this task:
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Verifying Configured fctimer Values
Use the show fctimer command to display the configured fctimer values. The following example displays the configured global TOVs:
switch# show fctimer
F_S_TOV   D_S_TOV   E_D_TOV   R_A_TOV
----------------------------------------
5000 ms   5000 ms   2000 ms   10000 ms
Note: The F_S_TOV constant, though not configured, is displayed in the output of the show fctimer command.
Verifying WWN Information
Use the show wwn commands to display the status of the WWN configuration. The following example displays the status of all WWNs:
switch# show wwn status
Type   Configured   Available
-----  -----------  --------------
1      64           48 ( 75%)
2,5    524288       442368 ( 84%)
Resvd.
Advanced Fibre Channel Features and Concepts Default Company ID List Some HBAs do not discover targets that have FC IDs with the same domain and area. The switch software maintains a list of tested company IDs that do not exhibit this behavior. These HBAs are allocated with single FC IDs. If the HBA can discover targets within the same domain and area, a full area is allocated.
Verifying the Company ID Configuration
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Step 2: switch(config)# fcid-allocation area company-id value
    Purpose: Adds a new company ID to the default list.
Step 3: switch(config)# no fcid-allocation area company-id value
    Purpose: Deletes a company ID from the default list.
Note: For more information on configuring interoperability for Cisco Nexus 5000 Series switches, see the Cisco MDS 9000 Family Switch-to-Switch Interoperability Configuration Guide.
About Interop Mode
Cisco NX-OS software supports the following four interop modes:
• Mode 1— Standards-based interop mode that requires all other vendors in the fabric to be in interop mode.
• Mode 2—Brocade native mode (Core PID 0).
Switch Feature: Changes if Interoperability Is Enabled
D_S_TOV: Verify that the Distributed Services Time Out Value timers match exactly.
E_D_TOV: Verify that the Error Detect Time Out Value timers match exactly.
R_A_TOV: Verify that the Resource Allocation Time Out Value timers match exactly.
Trunking: Trunking is not supported between two different vendors' switches. This feature may be disabled on a per port or per switch basis.
Configuring Interop Mode 1
Switch Feature: Changes if Interoperability Is Enabled
continues to use src-id, dst-id, and ox-id to load balance across multiple ISL links.
Domain reconfiguration disruptive: This is a switch-wide impacting event. Brocade and McData require the entire switch to be placed in offline mode and/or rebooted when changing domain IDs.
Domain reconfiguration nondisruptive: This event is limited to the affected VSAN.
Advanced Fibre Channel Features and Concepts Verifying Interoperating Status Note The Cisco Nexus 5000 Series, Brocade, and McData FC Error Detect (ED_TOV) and Resource Allocation (RA_TOV) timers default to the same values. They can be changed if needed. The RA_TOV default is 10 seconds, and the ED_TOV default is 2 seconds. Per the FC-SW2 standard, these values must be the same on each switch within the fabric.
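The interop table and the note above both reduce to one operational check: every switch in the fabric must carry identical D_S_TOV, E_D_TOV and R_A_TOV values, and D_S_TOV must stay inside the 5,000 to 10,000 ms range this chapter gives. The following Python script is an added example, not Cisco code and not part of this guide; it parses the text layout of show fctimer exactly as printed in the previous section and reports out-of-range values, departures from the defaults the chapter states, and cross-switch mismatches. The switch names and the three outputs are constructed for the example; the E_D_TOV and R_A_TOV ranges are not on this page, so only D_S_TOV is range-checked.

```python
"""Cross-check Fibre Channel timeout values (TOVs) across a fabric.

Added example, not Cisco code. Parses the 'show fctimer' text layout shown in
this guide and flags (a) D_S_TOV outside the 5,000-10,000 ms range the guide
states, (b) values that differ from the guide's defaults, and (c) switches whose
D_S_TOV, E_D_TOV or R_A_TOV differ, which interop mode and FC-SW-2 require to
match on every switch. Switch names and outputs below are constructed.
"""
import re

SAMPLE_OUTPUTS = {
    "n5k-a": (
        "F_S_TOV   D_S_TOV   E_D_TOV   R_A_TOV\n"
        "----------------------------------------\n"
        "5000 ms   5000 ms   2000 ms   10000 ms\n"
    ),
    "n5k-b": (
        "F_S_TOV   D_S_TOV   E_D_TOV   R_A_TOV\n"
        "----------------------------------------\n"
        "5000 ms   5000 ms   2000 ms   10000 ms\n"
    ),
    # Constructed outlier: a third switch whose E_D_TOV was raised by hand.
    "mds-c": (
        "F_S_TOV   D_S_TOV   E_D_TOV   R_A_TOV\n"
        "----------------------------------------\n"
        "5000 ms   5000 ms   3000 ms   10000 ms\n"
    ),
}

# Only the D_S_TOV range is stated in this chapter, so only it is range-checked.
RANGES_MS = {"D_S_TOV": (5000, 10000)}
DEFAULTS_MS = {"D_S_TOV": 5000, "E_D_TOV": 2000, "R_A_TOV": 10000}
MUST_MATCH = ("D_S_TOV", "E_D_TOV", "R_A_TOV")


def parse_fctimer(text):
    """Return {column: milliseconds} from the header / dashes / values layout."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    values = re.findall(r"(\d+)\s*ms", lines[-1])
    if len(header) != len(values):
        raise ValueError("column count does not match value count")
    return {name: int(v) for name, v in zip(header, values)}


def check_fabric(outputs):
    """Parse every switch's output and return (parsed, list of findings)."""
    parsed = {sw: parse_fctimer(text) for sw, text in outputs.items()}
    findings = []
    for sw, tov in parsed.items():
        for name, (lo, hi) in RANGES_MS.items():
            if not lo <= tov[name] <= hi:
                findings.append(f"{sw}: {name}={tov[name]} ms is outside {lo}-{hi} ms")
        for name, default in DEFAULTS_MS.items():
            if tov[name] != default:
                findings.append(f"{sw}: {name}={tov[name]} ms differs from the default {default} ms")
    # A timer that takes more than one value across the fabric is an interop fault.
    for name in MUST_MATCH:
        by_value = {}
        for sw, tov in parsed.items():
            by_value.setdefault(tov[name], []).append(sw)
        if len(by_value) > 1:
            detail = "; ".join(f"{v} ms on {','.join(s)}" for v, s in sorted(by_value.items()))
            findings.append(f"{name} mismatch across the fabric: {detail}")
    return parsed, findings


if __name__ == "__main__":
    _, findings = check_fabric(SAMPLE_OUTPUTS)
    for line in findings:
        print(line)
```

Feed it the captured show fctimer output of each switch (for example, collected over the management interface) instead of the constructed strings; a non-empty findings list means the fabric will not pass the interop checks listed above until the values are aligned.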
Software
  BIOS:      version 1.2.0
  loader:    version N/A
  kickstart: version 4.0(1a)N1(1)
  system:    version 4.0(1a)N1(1)
  BIOS compile time:       06/19/08
  kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N1.latest.bin
  kickstart compile time:  11/25/2008 6:00:00 [11/25/2008 14:17:12]
  system image file is:    bootflash:/n5000-uk9.4.0.1a.N1.latest.
interface fc2/2
  no shutdown
interface fc2/3
interface fc2/4
interface mgmt0
  ip address 6.1.1.96 255.255.255.0
  switchport encap default
  no shutdown
vsan database
  vsan 1 interop
boot system bootflash:/nx5000-system-23e.bin
boot kickstart bootflash:/nx5000-kickstart-23e.bin
callhome
fcdomain domain 100 preferred vsan 1
ip route 6.1.1.0 255.255.255.0 6.1.1.
Advanced Fibre Channel Features and Concepts Verifying Interoperating Status Example: switch# show fcdomain vsan 1 The local switch is a Subordinated Switch.
Step 7: Verify the next hop and destination for the switch.
Advanced Fibre Channel Features and Concepts Default Settings for Advanced Features Default Settings for Advanced Features The following table lists the default settings for the features included in this chapter.
CHAPTER 45 Configuring FC-SP and DHCHAP This chapter contains the following sections: • Configuring FC-SP and DHCHAP, page 625 Configuring FC-SP and DHCHAP Fibre Channel Security Protocol (FC-SP) capabilities provide switch-to-switch and host-to-switch authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco Nexus 5000 Series switches and other devices.
Configuring FC-SP and DHCHAP DHCHAP Cisco Nexus 5000 Series switches support authentication features to address physical security (see the following figure). Figure 74: Switch and Host Authentication Note Fibre Channel Host Bus Adapters (HBAs) with appropriate firmware and drivers are required for host-switch authentication. DHCHAP DHCHAP is an authentication protocol that authenticates the devices connecting to a switch.
Configuring FC-SP and DHCHAP DHCHAP Compatibility with Fibre Channel Features DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication. DHCHAP negotiates hash algorithms and DH groups before performing authentication. It supports MD5 and SHA-1 algorithm-based authentication.
Configuring FC-SP and DHCHAP About DHCHAP Authentication Modes About DHCHAP Authentication Modes The DHCHAP authentication status for each interface depends on the configured DHCHAP port mode. When the DHCHAP feature is enabled in a switch, each Fibre Channel interface or FCIP interface may be configured to be in one of four DHCHAP port modes: • On—During switch initialization, if the connecting device supports DHCHAP authentication, the software performs the authentication sequence.
Step 2: switch(config)# interface fc slot/port - slot/port
    Purpose: Selects a range of interfaces and enters the interface configuration mode.
Step 3: switch(config-if)# fcsp on
    Purpose: Sets the DHCHAP mode for the selected interfaces to be in the on state.
Step 4: switch(config-if)# no fcsp on
    Purpose: Reverts to the factory default of auto-passive for these three interfaces.
Step 2: switch(config)# fcsp dhchap hash [md5] [sha1]
    Purpose: Configures the use of the MD5 or SHA-1 hash algorithm.
Step 3: switch(config)# no fcsp dhchap hash sha1
    Purpose: Reverts to the factory default priority list of the MD5 hash algorithm followed by the SHA-1 hash algorithm.
Configuring FC-SP and DHCHAP Configuring DHCHAP Passwords for the Local Switch Note All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted. We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Configuration 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database.
Configuring FC-SP and DHCHAP About the DHCHAP Timeout Value About the DHCHAP Timeout Value During the DHCHAP protocol exchange, if the Cisco Nexus 5000 Series switch does not receive the expected DHCHAP message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no authentication is performed) to 1000 seconds. The default is 30 seconds. When changing the timeout value, consider the following factors: • The existing RADIUS and TACACS+ timeout values.
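The sections above describe DHCHAP as a password-based challenge/response that first negotiates a hash (MD5 or SHA-1, MD5 first by default) and a DH group, then authenticates in both directions, with each switch holding its own local password plus the passwords of the devices it talks to. The following Python model is an added example written for this page; it is not Cisco's implementation and it does not reproduce the FC-SP message formats. The response formula H(tid | password | H(challenge | g^xy)), the negotiation rule (the responder takes the first entry of its own priority list that the initiator also offers), the group table (0 = NULL group, 1 = the 1024-bit MODP prime of RFC 2409 with generator 2) and the switch names n5k and mds9509 are all assumptions made for the example. What it shows beyond the text: the password never crosses the ISL, a peer that does not hold the right stored password fails in both directions, and with the NULL DH group (plain CHAP) a captured challenge/response pair can be tested against candidate passwords offline, while with a real DH group the observer lacks g^xy and the same attack fails.

```python
"""DH-CHAP style mutual authentication, modelled on this chapter's description.

Added example; not Cisco's implementation and not the FC-SP wire format. The
response formula, the negotiation rule and the DH group table are assumptions.
"""
import hashlib
import secrets

# Assumed group table: 0 = NULL group (no Diffie-Hellman, i.e. plain CHAP);
# 1 = 1024-bit MODP prime from RFC 2409, generator 2. FC-SP's own numbering
# and parameters are not taken from the page.
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUPS = {0: None, 1: (MODP_1024, 2)}
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def negotiate(init_hashes, resp_hashes, init_groups, resp_groups):
    """Responder takes the first entry of its own priority list the initiator also offers."""
    hash_name = next((h for h in resp_hashes if h in init_hashes), None)
    group_id = next((g for g in resp_groups if g in init_groups), None)
    if hash_name is None or group_id is None:
        raise ValueError("no common hash algorithm or DH group")
    return hash_name, group_id


def dh_keypair(group_id):
    """Ephemeral (private, public bytes); the NULL group has no key material."""
    if DH_GROUPS[group_id] is None:
        return None, b""
    p, g = DH_GROUPS[group_id]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def dh_shared(group_id, private, peer_public):
    """g^xy mod p as bytes; empty for the NULL group."""
    if DH_GROUPS[group_id] is None:
        return b""
    p, _ = DH_GROUPS[group_id]
    return pow(int.from_bytes(peer_public, "big"), private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def response(hash_name, tid, password, challenge, dh_secret):
    """Assumed response construction: H(tid | password | H(challenge | g^xy))."""
    h = HASHES[hash_name]
    inner = h(challenge + dh_secret).digest()
    return h(tid.to_bytes(4, "big") + password.encode() + inner).digest()


class Switch:
    """Local DHCHAP password plus the passwords stored for other devices."""
    def __init__(self, name, local_password, other_passwords):
        self.name = name
        self.local_password = local_password
        self.other_passwords = other_passwords  # peer name -> that peer's local password


def run_exchange(initiator, responder, init_hashes, resp_hashes, init_groups, resp_groups):
    """Two-way authentication. Returns (initiator_verified, responder_verified, transcript)."""
    hash_name, group_id = negotiate(init_hashes, resp_hashes, init_groups, resp_groups)
    # Responder -> initiator: transaction id, challenge C1, its DH public value g^y.
    tid, c1 = secrets.randbits(32), secrets.token_bytes(16)
    y, gy = dh_keypair(group_id)
    # Initiator: proves its own local password; sends R1, g^x and a counter-challenge C2.
    x, gx = dh_keypair(group_id)
    k_init = dh_shared(group_id, x, gy)
    r1 = response(hash_name, tid, initiator.local_password, c1, k_init)
    c2 = secrets.token_bytes(16)
    # Responder: recomputes R1 with the password it stores for the initiator.
    k_resp = dh_shared(group_id, y, gx)
    expected_r1 = response(hash_name, tid, responder.other_passwords.get(initiator.name, ""), c1, k_resp)
    initiator_verified = secrets.compare_digest(r1, expected_r1)
    r2 = response(hash_name, tid, responder.local_password, c2, k_resp) if initiator_verified else b""
    # Initiator: checks R2 with the password it stores for the responder.
    expected_r2 = response(hash_name, tid, initiator.other_passwords.get(responder.name, ""), c2, k_init)
    responder_verified = bool(r2) and secrets.compare_digest(r2, expected_r2)
    # What a passive observer on the link sees: never a password, never x or y.
    transcript = {"hash": hash_name, "group": group_id, "tid": tid, "c1": c1, "r1": r1}
    return initiator_verified, responder_verified, transcript


def offline_guess(transcript, candidates):
    """Eavesdropper tests candidate passwords against a captured (tid, C1, R1).

    Without g^xy the only response the observer can compute is the NULL-group
    form, so this succeeds only when the exchange really used DH group 0.
    """
    for pw in candidates:
        if response(transcript["hash"], transcript["tid"], pw, transcript["c1"], b"") == transcript["r1"]:
            return pw
    return None
```

Run it once with group lists that negotiate group 1 and once with only group 0 on the initiator side: both exchanges authenticate, but only the group 0 transcript yields the password to offline_guess. That is the practical reason to keep a non-NULL DH group in the fcsp dhchap dhgroup priority list and to treat the NULL group as CHAP with all of CHAP's exposure to a sniffed ISL.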
Configuring FC-SP and DHCHAP Sample Configuration Sample Configuration This section provides the steps to configure the example illustrated in the following figure. Figure 75: Sample DHCHAP Authentication To configure the authentication setup shown in the above figure, perform this task: Procedure Step 1 Obtain the device name of the Cisco Nexus 5000 Series switch in the fabric. The Cisco Nexus 5000 Series switch in the fabric is identified by the switch WWN.
Example:
switch# show fcsp dhchap database
DHCHAP Local Password:
        Non-device specific password:*******
Other Devices' Passwords:
        Password for device with WWN:20:00:00:05:30:00:38:5e is *******
Step 7: Display the DHCHAP configuration in the Fibre Channel interface.
Example:
switch# show fcsp interface fc2/4
fc2/4
        fcsp authentication mode:SEC_MODE_ON
        Status:Successfully authenticated
Step 8: Repeat these steps on the connecting MDS 9509 switch.
CHAPTER 46 Configuring Port Security This chapter contains the following sections: • Configuring Port Security, page 635 Configuring Port Security Cisco Nexus 5000 Series switches provide port security features that reject intrusion attempts and report these intrusions to the administrator. Note Port security is supported on virtual Fibre Channel ports and physical Fibre Channel ports.
Configuring Port Security About Auto-Learning Each N and xE port can be configured to restrict a single port or a range of ports. Enforcement of port security policies are done on every activation and when the port tries to come up. The port security feature uses two databases to accept and implement configuration changes. • Configuration database—All configuration changes are stored in the configuration database. • Active database—The database currently enforced by the fabric.
Configuring Port Security Configuring Port Security After the database is activated, subsequent device login is subject to the activated port bound WWN pairs, excluding the auto-learned entries. You must disable auto-learning before the auto-learned entries become activated. When you activate the port security feature, auto-learning is also automatically enabled. You can choose to activate the port security feature and disable auto-learning.
Configuring Port Security with Auto-Learning without CFS
To configure port security using auto-learning without CFS, perform this task:
Step 1: Enable port security.
Step 2: Activate port security on each VSAN, which turns on auto-learning by default.
Step 3: Wait until all switches and all hosts are automatically learned.
Step 4: Disable auto-learn on each VSAN.
Port Security Activation
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Step 2: switch(config)# port-security enable
    Purpose: Enables port security on that switch.
Step 3: switch(config)# no port-security enable
    Purpose: Disables (default) port security on that switch.
Database Reactivation
Note: If you force the activation, existing devices are logged out if they violate the active database. You can view missing or conflicting entries using the port-security database diff active vsan command in EXEC mode.
To forcefully activate the port security database, perform this task:
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Configuring Port Security Auto-Learning Auto-Learning About Enabling Auto-Learning The state of the auto-learning configuration depends on the state of the port security feature: • If the port security feature is not activated, auto-learning is disabled by default. • If the port security feature is activated, auto-learning is enabled by default (unless you explicitly disabled this option).
Table 91: Authorized Auto-Learning Device Requests
Condition / Device (pWWN, nWWN, sWWN) / Requests Connection to / Authorization
1 / Configured with one or more switch ports / A configured switch port / Permitted
2 / Configured with one or more switch ports / Any other switch port / Denied
3 / Not configured / A switch port that is not configured / Permitted if auto-learning enabled
4 / Not configured / A switch port that is not configured / Denied if auto-learning disabled
5 / Configured or not configured / A switch port that allows any device / Permitted
6 / Configur
Device Connection Request / Authorization / Condition / Reason
P2, N2, F1 / Permitted / 1 / No conflict.
P3, N2, F1 / Denied / 2 / F1 is bound to P1/P2.
P1, N3, F1 / Permitted / 6 / Wildcard match for N3.
P1, N1, F3 / Permitted / 5 / Wildcard match for F3.
P1, N4, F5 / Denied / 2 / P1 is bound to F1.
P5, N1, F5 / Denied / 2 / N1 is only allowed on F2.
P3, N3, F4 / Permitted / 1 / No conflict.
S1, F10 / Permitted / 1 / No conflict.
S2, F11 / Denied / 7 / P10 is bound to F11.
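The two tables above define the login decision as a function of three things: the bindings the requesting device already has, the bindings the requested port already has, and whether auto-learning is on. The following Python model is an added example written for this page, not Cisco code and not the switch's actual enforcement logic. A binding pairs a device (pWWN, nWWN or sWWN) with a port fWWN; ANY on the device side is a port that accepts any device, ANY on the port side is a device allowed on any port. The database in the block is constructed so that it reproduces the permit/deny outcome of every row in the request table; the page does not say how an exact binding and a wildcard rank when both apply, so wildcards are checked first here, which is why one row comes out as condition 6 where the table says 1. The auto-learning branch also records the learned binding, which is what turns a one-time login into a constraint on every later login and why the procedure above says to disable auto-learning once the expected devices have been learned.

```python
"""Port security login decision, following the authorization tables in this chapter.

Added example, not Cisco code. Condition numbers refer to the authorization table
above; the binding database and the request list are constructed.
"""

ANY = "*"


class PortSecurityDB:
    def __init__(self, bindings, auto_learn=False):
        self.bindings = set(bindings)   # {(device_wwn, port_fwwn)}
        self.auto_learn = auto_learn

    def ports_for(self, device):
        return {port for dev, port in self.bindings if dev == device}

    def devices_on(self, port):
        return {dev for dev, p in self.bindings if p == port}

    def authorize(self, port, *device_ids):
        """Decide one login request. Returns (permitted, condition, reason).

        device_ids: the identities presented; a pWWN and nWWN for an N port
        login, or an sWWN for an xE port (ISL) login.
        """
        bound = {dev: self.ports_for(dev) for dev in device_ids}
        # Condition 6: the device is configured to log in through any port.
        for dev, ports in bound.items():
            if ANY in ports:
                return True, 6, f"wildcard match for {dev}"
        # Condition 5: the port accepts any device.
        if ANY in self.devices_on(port):
            return True, 5, f"wildcard match for {port}"
        # Condition 1: a configured device arriving on one of its own ports.
        for dev, ports in bound.items():
            if port in ports:
                return True, 1, "no conflict"
        # Condition 2: a configured device arriving anywhere else.
        configured = {dev: sorted(p) for dev, p in bound.items() if p}
        if configured:
            detail = ", ".join(f"{d} on {'/'.join(p)}" for d, p in configured.items())
            return False, 2, "bound to other ports: " + detail
        # Condition 7: an unknown device on a port that is reserved for others.
        others = self.devices_on(port)
        if others:
            return False, 7, f"{port} is bound to {'/'.join(sorted(others))}"
        # Conditions 3 and 4: unknown device on an unconfigured port.
        if self.auto_learn:
            self.bindings.update((dev, port) for dev in device_ids)  # learned entry
            return True, 3, "learned; auto-learning enabled"
        return False, 4, "auto-learning disabled"


# Constructed database; the names mirror the request table above.
EXAMPLE_BINDINGS = [
    ("P1", "F1"), ("P2", "F1"), ("N1", "F2"), ("N3", ANY), ("P3", "F4"),
    (ANY, "F3"), ("S1", "F10"), ("P10", "F11"),
]

REQUESTS = [
    ("F1", "P2", "N2"), ("F1", "P3", "N2"), ("F1", "P1", "N3"), ("F3", "P1", "N1"),
    ("F5", "P1", "N4"), ("F5", "P5", "N1"), ("F4", "P3", "N3"), ("F10", "S1"), ("F11", "S2"),
]


def evaluate_requests(auto_learn=False):
    """Run every request in the table and return [(request, permitted, condition, reason)]."""
    db = PortSecurityDB(EXAMPLE_BINDINGS, auto_learn)
    return [(req, *db.authorize(*req)) for req in REQUESTS]


if __name__ == "__main__":
    for req, permitted, cond, reason in evaluate_requests():
        print(", ".join(req[1:] + (req[0],)), "Permitted" if permitted else "Denied", cond, reason)
```

To check your own active database against a planned host move, replace EXAMPLE_BINDINGS with the (device, fWWN) pairs from show port-security database active and run authorize for the new port; a condition 2 or 7 result before the move is cheaper than a logged-out host after it.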
Port Security Manual Configuration
To configure port security on a Cisco Nexus 5000 Series switch, perform this task:
Step 1: Identify the WWN of the ports that need to be secured.
Step 2: Secure the fWWN to an authorized nWWN or pWWN.
Step 3: Activate the port security database.
Step 4: Verify your configuration.
Port Security Configuration Distribution
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Step 2: switch(config)# port-security database vsan vsan-id
    Purpose: Enters the port security database mode for the specified VSAN.
Step 3: switch(config)# no port-security database vsan vsan-id
Step 4: switch(config-port-security)# swwn swwn-id
    Purpose: Configures the specified sWWN to only log in through SAN port channel 5.
Configuring Port Security Locking the Fabric For example, if you activate port security, follow up by disabling auto-learning, and finally commit the changes in the pending database, then the net result of your actions is the same as entering a port-security activate vsan vsan-id no-auto-learn command. Tip We recommend that you perform a commit after you activate port security and after you enable auto learning.
Discarding the Changes
If you discard (abort) the changes made to the pending database, the configuration remains unaffected and the lock is released.
To discard the port security configuration changes for the specified VSAN, perform this task:
Step 1: switch# configuration terminal
    Purpose: Enters configuration mode.
Port Security Database Merge Guidelines
Scenario / Actions / Distribution = OFF / Distribution = ON
3. You issue a commit.
    Distribution = OFF: Not applicable
    Distribution = ON: configuration database = {A,B,E}; active database = {A,B,E,C*,D*}; pending database = empty
A and B exist in the configuration database, activation is not done and devices C,D are logged in.
  1. You activate the port security database and enable auto-learning.
    Distribution = OFF: configuration database = {A,B}
    Distribution = ON: configuration database = {A,B}
  2.
Related Topics
• CFS Merge Support, page 303
Database Interaction
The following table lists the differences and interaction between the active and configuration databases.
Table 94: Active and Configuration Port Security Databases
Active Database / Configuration Database
Read-only. / Read-write.
Saving the configuration only saves the activated entries. Learned entries are not saved. /
Database Scenarios
The following figure illustrates various scenarios showing the active database and the configuration database status based on port security configurations.
Configuring Port Security Copying the Port Security Database Copying the Port Security Database Tip We recommend that you copy the active database to the config database after disabling auto-learning. This action will ensure that the configuration database is in synchronization with the active database. If distribution is enabled, this command creates a temporary copy (and consequently a fabric lock) of the configuration database.
Use the clear port-security session vsan command to clear the pending session in the VSAN from any switch in the VSAN:
switch# clear port-security session vsan 5
Displaying Port Security Configuration
The show port-security database commands display the configured port security information. You can optionally specify a fWWN and a VSAN, or an interface and a VSAN in the show port-security command to view the output of the activated port security.
CHAPTER 47 Configuring Fabric Binding This chapter contains the following sections: • Configuring Fabric Binding, page 653 Configuring Fabric Binding Information About Fabric Binding The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis. This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.
Configuring Fabric Binding Fabric Binding Enforcement Fabric Binding Port Security to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list). Requires activation on a per VSAN basis. Requires activation on a per VSAN basis.
Enabling Fabric Binding
Step 1: Enable the fabric configuration feature.
Step 2: Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.
Step 3: Activate the fabric binding database.
Step 4: Copy the fabric binding active database to the fabric binding configuration database.
Step 5: Save the fabric binding configuration.
Step 6: Verify the fabric binding configuration.
About Fabric Binding Activation and Deactivation
Step 2: switch(config)# fabric-binding database vsan vsan-id
    Purpose: Enters the fabric binding submode for the specified VSAN.
Step 3: switch(config)# no fabric-binding database vsan vsan-id
    Purpose: Deletes the fabric binding database for the specified VSAN.
Step 4: switch(config-fabric-binding)# swwn swwn-id
    Purpose: Adds the sWWN of another switch for a specific domain ID to the configured database list.
Configuring Fabric Binding Forcing Fabric Binding Activation Forcing Fabric Binding Activation If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option. To forcefully activate the fabric binding database, perform this task: Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode.
Configuring Fabric Binding Deleting the Fabric Binding Database Deleting the Fabric Binding Database Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN.
Configuring Fabric Binding Default Fabric Binding Settings Default Fabric Binding Settings The following table lists the default settings for the fabric binding feature.
CHAPTER 48 Configuring Fabric Configuration Servers This chapter contains the following sections: • Configuring Fabric Configuration Servers, page 661 Configuring Fabric Configuration Servers Information About FCS The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a repository of configuration information of fabric elements. A management application is usually connected to the FCS on the switch through an N port.
Configuring Fabric Configuration Servers FCS Characteristics not known to both of them. FCS operations can be done only on those switches that are visible in the VSAN. M2 can send FCS requests only for VSAN 2 even though S3 is also a part of VSAN 1. Figure 77: FCSs in a VSAN Environment FCS Characteristics FCSs have the following characteristics: • Support network management including the following: ◦ N port management application can query and obtain information about fabric elements.
FCS Name Specification
You can specify if the unique name verification is for the entire fabric (globally) or only for locally (default) registered platforms.
Note: Set this command globally only if every switch in the fabric belongs to the Cisco MDS 9000 Family or Cisco Nexus 5000 Series of switches.
CHAPTER 49 Configuring Port Tracking This chapter contains the following sections: • Configuring Port Tracking, page 665 Configuring Port Tracking Cisco Nexus 5000 Series switches offer the port tracking feature on physical Fibre Channel interfaces (but not on virtual Fibre Channel interfaces). This feature uses information about the operational state of the link to initiate a failure in the link that connects the edge device.
Configuring Port Tracking Configuring Port Tracking In the following figure, when the direct link 1 to the host fails, recovery can be immediate. However, when the ISL 2 fails between the two switches, recovery depends on TOVs, RSCNs, and other factors. Figure 78: Traffic Recovery Using Port Tracking The port tracking feature monitors and detects failures that cause topology changes and brings down the links connecting the attached devices.
Configuring Port Tracking Enabling Port Tracking • Do not track a linked port back to itself (for example, Port fc2/2 to Port fc2/4 and back to Port fc2/2) to avoid recursive dependency. Enabling Port Tracking The port tracking feature is disabled by default in Cisco Nexus 5000 Series switches. When you enable this feature, port tracking is globally enabled for the entire switch. To configure port tracking, enable the port tracking feature and configure the linked ports for the tracked port.
About Tracking Multiple Ports

You can control the operational state of a linked port based on the operational states of multiple tracked ports. When more than one tracked port is associated with a linked port, the linked port is set to down only if all the associated tracked ports are down. If even one tracked port is up, the linked port stays up.
The specified VSAN does not have to be the same as the port VSAN of the linked port.

Monitoring Ports in a VSAN

To monitor a tracked port in a specific VSAN, perform this task:

Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface fc slot/port
        Configures the specified interface (the linked port) and enters interface configuration mode. You can now configure the tracked ports.
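The following Python is an added example, not code from this guide or from Cisco. It models the two rules stated above for a whole switch: a linked port must never, directly or through other linked ports, end up tracking itself, and a linked port with several tracked ports is brought down only when every one of them is down. The `port-track enable` and `port-track interface ... [vsan N]` lines it renders are assumed NX-OS syntax; the guide shows only the `interface fc slot/port` step here, and the port names and states are constructed for the example.

```python
"""Model of Nexus 5000 port tracking: which linked ports the switch would bring down."""
from collections import defaultdict


class PortTrackConfig:
    """Linked port -> set of tracked ports it follows (added example, not Cisco code)."""

    def __init__(self):
        self.tracked_by = defaultdict(set)  # linked port -> {tracked ports}
        self.vsan = {}                      # (linked, tracked) -> VSAN monitored, if any

    def depends_on(self, port, target):
        """True if `port`, via its tracked ports, transitively depends on `target`."""
        stack, seen = [port], set()
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            for t in self.tracked_by.get(p, ()):
                if t == target:
                    return True
                stack.append(t)
        return False

    def track(self, linked, tracked, vsan=None):
        """Make `linked` follow `tracked`; reject self-tracking and loops.

        The guide's forbidden loop is fc2/2 tracking fc2/4 while fc2/4 tracks fc2/2.
        `vsan` is optional: the tracked port may be monitored in a VSAN other than
        the port VSAN of the linked port.
        """
        if linked == tracked:
            raise ValueError(f"{linked} cannot track itself")
        if self.depends_on(tracked, linked):
            raise ValueError(f"recursive dependency: {tracked} already depends on {linked}")
        self.tracked_by[linked].add(tracked)
        if vsan is not None:
            self.vsan[(linked, tracked)] = vsan

    def brought_down(self, linked, oper_state):
        """True if tracking forces `linked` down: every tracked port is down.

        `oper_state` maps port -> "up"/"down". A tracked port with no entry is
        treated as down (assumption: an unknown port is not operational).
        """
        tracked = self.tracked_by.get(linked)
        if not tracked:
            return False
        return all(oper_state.get(t, "down") == "down" for t in tracked)

    def forced_down_ports(self, oper_state):
        """All linked ports the switch would shut for the given tracked-port states."""
        return sorted(p for p in self.tracked_by if self.brought_down(p, oper_state))

    def cli(self):
        """Render the configuration; the port-track lines are assumed NX-OS syntax."""
        lines = ["configure terminal", "port-track enable"]
        for linked in sorted(self.tracked_by):
            lines.append(f"interface {linked}")
            for t in sorted(self.tracked_by[linked]):
                v = self.vsan.get((linked, t))
                lines.append(f"  port-track interface {t}" + (f" vsan {v}" if v else ""))
        return lines


if __name__ == "__main__":
    cfg = PortTrackConfig()
    # Constructed topology: host-facing fc2/2 follows two ISL ports, one in VSAN 2.
    cfg.track("fc2/2", "fc2/4")
    cfg.track("fc2/2", "fc2/5", vsan=2)
    print("\n".join(cfg.cli()))
    print(cfg.forced_down_ports({"fc2/4": "down", "fc2/5": "up"}))    # []
    print(cfg.forced_down_ports({"fc2/4": "down", "fc2/5": "down"}))  # ['fc2/2']
    try:
        cfg.track("fc2/4", "fc2/2")
    except ValueError as err:
        print("rejected:", err)
```

Run the check against the intended configuration before applying it: a loop that the switch accepts is hard to see in the running configuration but will take down both ports as soon as either flaps.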
Displaying Port Tracking Information

The show commands display the current port tracking settings for the switch.
PART VIII Troubleshooting

• Configuring SPAN, page 673
• Troubleshooting, page 681
CHAPTER 50 Configuring SPAN

This chapter contains the following sections:
• Configuring SPAN, page 673

Configuring SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe, a Fibre Channel Analyzer, or another Remote Monitoring (RMON) probe. Because the destination port receives a copy of every monitored frame, payload included, connect it only to the analyzer and control physical access to it as you would to the monitored links themselves.

SPAN Sources

SPAN sources refer to the interfaces from which traffic can be monitored.
• Cannot be a destination port.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For VLAN, VSAN, port channel, and SAN port channel sources, the monitored direction can only be ingress, and it applies to all physical ports in the group. The rx/tx option is not available for VLAN or VSAN SPAN sessions.
• Source ports can be in the same or different VLANs or VSANs.
Configuring SPAN

Creating and Deleting a SPAN Session

You create a SPAN session by assigning a session number using the monitor command. If the session already exists, any additional configuration is added to that session.

Procedure
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# monitor session session-number
        Enters monitor configuration mode.
The following example shows configuring an Ethernet SPAN destination port:

switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface ethernet 1/3

Configuring Fibre Channel Destination Port

Note: The SPAN destination port can only be a physical port on the switch.
Configuring Source Port Channels, VLANs, or VSANs

Procedure
Step 1  switch(config-monitor)# source interface type slot/port [rx | tx | both]
        Configures sources and the traffic direction in which to duplicate packets. You can enter a range of Ethernet, Fibre Channel, or virtual Fibre Channel ports. You can specify the traffic direction to duplicate as ingress (rx), egress (tx), or both. By default, the direction is both.
Procedure
Step 1  switch(config-monitor)# description description
        Applies a descriptive name to the SPAN session.

The following example shows configuring a description of a SPAN session:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# description monitoring ports fc2/2-fc2/4

Activating a SPAN Session

By default a session is created in the shut state; it copies no traffic until you activate it.
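As an added example (not code from this guide or from Cisco), the following Python builds a SPAN session offline and enforces the rules the chapter states before rendering the CLI: a destination must be a physical Ethernet or FC port, a destination cannot also be a source, VLAN/VSAN/port-channel sources are ingress-only, and a new session starts shut. The `switchport monitor`, `monitor session`, `source interface`, `destination interface` and `description` lines follow the examples above; the `source vlan`/`source vsan` form, the `switchport mode SD` line for an FC destination and the `no shut`/`shut` activation lines are assumed NX-OS syntax. Session 2 and its ports are constructed for the example.

```python
"""Build and validate a Nexus 5000 SPAN session before pushing it to the switch."""
import re

PORT_KINDS = ("ethernet", "fc", "vfc")                             # interface sources
GROUP_KINDS = ("vlan", "vsan", "port-channel", "san-port-channel")  # ingress-only sources
DIRECTIONS = ("rx", "tx", "both")


class SpanSession:
    """One monitor session (added example, not Cisco code)."""

    def __init__(self, number, description=None):
        self.number = number
        self.description = description
        self.sources = []        # (kind, ident, direction)
        self.destination = None  # (kind, ident)
        self.active = False      # sessions are created in the shut state

    def add_source(self, kind, ident, direction="both"):
        """Add a source; the direction defaults to both, as on the switch."""
        if direction not in DIRECTIONS:
            raise ValueError(f"bad direction {direction!r}")
        if kind in GROUP_KINDS:
            if direction != "rx":
                raise ValueError(f"{kind} sources are ingress-only; rx/tx is not selectable")
        elif kind not in PORT_KINDS:
            raise ValueError(f"unsupported source type {kind!r}")
        if self.destination == (kind, ident):
            raise ValueError(f"{kind} {ident} is the destination and cannot be a source")
        self.sources.append((kind, ident, direction))

    def set_destination(self, kind, ident):
        """The destination must be a physical Ethernet or FC port; vfc is virtual."""
        if kind not in ("ethernet", "fc") or not re.fullmatch(r"\d+/\d+", ident):
            raise ValueError("destination must be a physical ethernet or fc slot/port")
        if any((k, i) == (kind, ident) for k, i, _ in self.sources):
            raise ValueError(f"{kind} {ident} is already a source")
        self.destination = (kind, ident)

    def cli(self):
        """Render the session. 'switchport mode SD' (FC destination), 'source vlan/vsan'
        and 'no shut'/'shut' are assumed NX-OS syntax, not shown on this page."""
        if self.destination is None:
            raise ValueError("session has no destination")
        kind, ident = self.destination
        lines = [
            "configure terminal",
            f"interface {kind} {ident}",
            "  switchport monitor" if kind == "ethernet" else "  switchport mode SD",
            "  exit",
            f"monitor session {self.number}",
        ]
        if self.description:
            lines.append(f"  description {self.description}")
        for k, i, d in self.sources:
            if k in ("vlan", "vsan"):
                lines.append(f"  source {k} {i} rx")
            else:
                lines.append(f"  source interface {k} {i} {d}")
        lines.append(f"  destination interface {kind} {ident}")
        lines.append("  no shut" if self.active else "  shut")
        return lines


if __name__ == "__main__":
    s = SpanSession(2, "monitoring ports fc2/2-fc2/4")
    s.add_source("fc", "2/2")
    s.add_source("vsan", "1", "rx")
    s.set_destination("ethernet", "1/3")
    s.active = True
    print("\n".join(s.cli()))
    try:
        s.add_source("vlan", "10", "tx")
    except ValueError as err:
        print("rejected:", err)
```

The rule checks run before anything reaches the switch, so a mis-typed destination that is also a production uplink, or a VLAN source with tx, is caught in review rather than by the parser on a live box.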
Displaying SPAN Information

To display SPAN information, perform this task:

Procedure
Step 1  switch# show monitor [session {all | session-number |
        Displays the SPAN configuration.
CHAPTER 51 Troubleshooting

• Troubleshooting, page 681

Troubleshooting

Recovering a Lost Password

This section describes how to recover a lost network administrator password using the console port of the switch. Anyone who can reach the console port and power-cycle the switch can reset the administrator password this way, so physical access to the console is equivalent to administrative access: restrict it, and treat an unexplained reload as something to investigate.
Example:
switch# configure terminal
switch(config)# username admin password <new-password>
switch(config)# exit

Step 3  Save the configuration.
Example:
switch# copy running-config startup-config

Power Cycling the Switch

If you cannot start a session on the switch that has network-admin privileges, you must recover the network administrator password by power cycling the switch.

Caution: This procedure disrupts all traffic on the switch.
Example:
switch(boot)# dir bootflash:

Step 5  Load the Cisco NX-OS system software image.
Example: In the following example, the system image filename is nx-os.bin:
switch(boot)# load bootflash:nx-os.bin

Step 6  Log in to the switch using the new administrator password.
Example:
switch login: admin
Password:

Step 7  Reset the new password to ensure that it is also the SNMP password.
Step 4  switch# ethanalyzer local interface interface limit-frame-size
        Limits the length of each captured frame.
Step 5  switch# ethanalyzer local interface interface capture-filter
        Filters the types of packets to capture.
Step 6  switch# ethanalyzer local interface interface display-filter
        Filters the types of captured packets to display.
Step 7  switch# ethanalyzer local interface interface write
        Saves the captured data to a file.

A capture on the management interface records whatever crosses it, including credentials carried by cleartext protocols such as Telnet. Use limit-frame-size to keep only the headers when the payload is not needed, and remove files written with the write option once the analysis is finished.
This example shows detailed captured data for one Telnet (tcp port 23) packet:

switch(config)# ethanalyzer local interface mgmt capture-filter "tcp port 23" limit-captured-frames 1
Capturing on eth0
Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jan 25, 2005 08:49:49.250719000
[Time delta from previous captured frame: 1106642989.250719000 seconds]
[Time delta from previous displayed frame: 1106642989.250719000 seconds]
[Time since reference or first frame: 1106642989.
Troubleshooting Fibre Channel

fctrace

The fctrace feature provides the following capabilities:
• Trace the route followed by data traffic.
• Compute inter-switch (hop-to-hop) latency.

You can invoke fctrace by providing the FC ID, the N port WWN, or the device alias of the destination. The trace frame is routed normally through the network until it reaches the far edge of the fabric.
This example shows invoking fctrace using the device alias of the destination N port:

switch# fctrace device-alias disk1 vsan 1
Route present for : 22:00:00:0c:50:02:ce:f8
20:00:00:05:30:00:31:1e(0xfffca9)

fcping

The fcping feature verifies reachability of a node by checking its end-to-end connectivity. You can invoke fcping by providing the FC ID, the destination port WWN, or the device alias of the destination.
This example shows invoking fcping for the specified device alias of the destination:

switch# fcping device-alias disk1 vsan 1
28 bytes from 22:00:00:0c:50:02:ce:f8 time = 1883 usec
28 bytes from 22:00:00:0c:50:02:ce:f8 time = 493 usec
28 bytes from 22:00:00:0c:50:02:ce:f8 time = 277 usec
5 frames sent, 5 frames received, 0 timeouts
Round-trip min/avg/max = 277/672/1883 usec

(The round-trip times of the remaining two replies are cut off in the source.)
show tech-support Command

The show tech-support command is useful when collecting a large amount of information about the switch for troubleshooting purposes. The output of this command can be provided to technical support representatives when reporting a problem. The show tech-support command displays the output of several show commands at once. The output from this command varies depending on your configuration. Because it includes the running and startup configuration, the output carries user password hashes, SNMP community strings, and AAA server keys; review and redact it before it leaves your organization.
• show interface brief
• show interface
• show running-config
• show startup-config
• show ip route
• show arp
• show monitor session all
• show accounting log
• show process
• show process cpu
• show process log
• show process memory
• show processes log details
• show logging log
• show license host-id
• show license
• show license usage
• show system reset-reason
• show logging nvram
• show install all status
• show install all failure-reason
• show system inter
• show aclmgr status
• show aclmgr internal dictionaries
• show aclmgr internal log
• show aclmgr internal ppf
• show aclmgr internal state-cache
• show access-lists
• show platform software ethpm internal info all
• show object-group
• show logging onboard obfl-logs

show tech-support brief Command

Use the show tech-support brief command to obtain a quick, condensed review of the switch configuration.
This example shows how to display a condensed view of the switch configuration:

switch# show tech-support brief
Switch Name     : switch
Switch Type     :
Kickstart Image : 4.0(0) bootflash:///nuova-or-kickstart-nsg.4.0.0.001.bin
System Image    : 4.0(0) bootflash:/nuova-or-system-nsg.4.0.0.001.binnms-or-47
IP Address/Mask : 172.16.24.
-------------------------------------------------------------------------------
mgmt0        up        172.16.24.47        100        1500

show tech-support fc Command

Use the show tech-support fc command to obtain information about the FC configuration on your switch.
• show fcs ie
• show fctimer
• show flogi database
• show flogi internal info
• show fspf
• show fspf database
• show tech-support rscn
• show rscn internal vsan 1-4093
• show rscn internal event-history
• show rscn internal mem-stats detail
• show rscn internal session-history vsan 1-4093
• show rscn internal merge-history vsan 1-4093
• show rscn statistics vsan 1-4093
• show rscn scr-table vsan 1-4093
• show rscn session status vsan 1-4093
• show vsan
• show v
• show zone analysis vsan 1-4093
• show zone ess vsan 1-4093
• show zone internal vsan 1-4093
• show zone internal change event-history vsan 1-4093
• show zone internal ifindex-table vsan 1-4093
• show zone internal merge event-history vsan 1-4093
• show zone internal event-history
• show zone internal event-history errors
• show zone internal tcam event-history vsan 1-4093
• show zone statistics vsan 1-4093
• show system default zone
• show zone internal
• show platform fwm info ppf
• show platform fwm info pss all
• show platform hardware fwm info vlan all
• show platform hardware fwm info pif all
• show platform hardware fwm info lif all
• show platform hardware fwm info global
• show platform software zschk internal info
• show platform software zschk internal msgs
• show platform software statsclient msgs
• show hardware internal gatos detail
• show hardware internal gatos all-ports detail
• show hardw
• show system internal rib system-attributes
• show system internal rib unicast
• show system internal rib vsan-attributes
• show system internal fcfwd fwidxmap if_index
• show system internal fcfwd idxmap interface-to-port
• show system internal fcfwd pcmap
• show platform afm info global
• show platform afm info attachment brief
• show platform afm info group-cfg all
• show platform afm info lop all
• show platform software altos detail
• show
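Since every show tech-support variant above folds in show running-config and show startup-config, the bundle you hand to a support representative contains credential material. The following Python is an added example, not code from this guide or from Cisco: it redacts user password hashes, SNMP community strings, SNMPv3 auth/priv keys and TACACS+/RADIUS server keys from a saved bundle while leaving the commands themselves readable. The sample configuration lines are constructed in NX-OS syntax and the set of patterns is an assumption; extend it for whatever else your running configuration carries.

```python
"""Redact credential material from a saved show tech-support bundle before sharing it."""
import re

# A secret token: a quoted string (which may contain spaces) or a bare word.
SECRET = r'(?:"[^"]*"|\S+)'

# (pattern, replacement) pairs; each keeps the command and replaces only the secret.
# Constructed for common NX-OS running-config forms (assumption); extend as needed.
REDACTIONS = [
    # username admin password 5 $1$...$...  role network-admin
    (re.compile(r"^(\s*username \S+ password)(?: \d)? " + SECRET), r"\1 <redacted>"),
    # snmp-server community n0t-public group network-operator
    (re.compile(r"^(\s*snmp-server community) " + SECRET), r"\1 <redacted>"),
    # snmp-server user admin network-admin auth md5 0x.. priv 0x.. localizedkey
    (re.compile(r"^(\s*snmp-server user .*?\bauth (?:md5|sha)) \S+"), r"\1 <redacted>"),
    (re.compile(r"^(\s*snmp-server user .*?\bpriv(?: aes-128)?) \S+"), r"\1 <redacted>"),
    # tacacs-server host 10.1.1.1 key 7 "..."   /   radius-server key 7 ...
    (re.compile(r"^(\s*(?:tacacs-server|radius-server)\b.*?\bkey)(?: \d)? " + SECRET),
     r"\1 <redacted>"),
]


def redact_line(line):
    """Apply every pattern; return the cleaned line and how many secrets were replaced."""
    hits = 0
    for pattern, repl in REDACTIONS:
        line, n = pattern.subn(repl, line)
        hits += n
    return line, hits


def redact(text):
    """Redact a whole bundle; return (cleaned text, number of secrets replaced)."""
    out, total = [], 0
    for line in text.splitlines():
        cleaned, n = redact_line(line)
        out.append(cleaned)
        total += n
    return "\n".join(out), total


# Constructed excerpt of a show running-config section inside a bundle (not real data).
SAMPLE = """\
username admin password 5 $1$KLmN$opQrStUvWxYz0123456789 role network-admin
snmp-server community n0t-s0-public group network-operator
snmp-server user admin network-admin auth md5 0x1f2e3d4c priv 0x5b6a7988 localizedkey
tacacs-server host 10.1.1.1 key 7 "tacacs key"
radius-server key 7 r4d1us
interface mgmt0
  ip address 172.16.24.47/24
"""

if __name__ == "__main__":
    cleaned, count = redact(SAMPLE)
    print(cleaned)
    print(f"{count} secrets redacted")
```

Run it over the saved bundle (for example the file produced by redirecting show tech-support to bootflash and copying it off the switch) and keep the count: a bundle from a switch with AAA configured that reports zero redactions is a sign that a pattern is missing, not that the bundle is clean.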
APPENDIX A Appendix

• Configuration Limits, page 699

Configuration Limits

The features supported by the Cisco Nexus 5000 Series switch have maximum configuration limits. Some of these limits apply only when one or more Cisco Nexus 2000 Series Fabric Extender units are attached to the switch. The following tables list the Cisco verified limits for Cisco Nexus 5000 Series switches running Cisco NX-OS Release 4.1.x.

Table 101: Ethernet Environments
Parameter                        Limit
Active VLANs/VSANs per switch    512
Table 102: Fibre Channel Environments
Parameter                               Limit
Device Aliases per fabric               8,000
Switches per physical fabric or VSAN    50 (note 6)
Domains per VSAN                        40 (note 7)
Native FC Links per switch              16 (requires two N5K-M1008 expansion modules)
Table 103: General Parameters
Parameter                                                                                          Limit
Maximum Fabric Extenders per Cisco Nexus 5000 Series switch                                        12 units (note 14)
Maximum Fabric Extenders dual-homed to a vPC Cisco Nexus 5000 Series switch pair                   12 units (note 15)
Maximum number of hosts connected to Fabric Extenders connected to Cisco Nexus 5000 Series switches   480 hosts (note 16)
MAC Table Size                                                                                     16,000 entries (note 17)
Event Traps - forward via Email                                                                    4 destinations (note 18)
QoS System Classes                                                                                 5 (all user-configurable classes)
Port channels
INDEX * (asterisk) first operational port[asterisk (asterisk) first operational port] 528 1-Gigabit Ethernet 4 10-Gigabit Ethernet 4 A AAA accounting 227 authentication 227 benefits 228 configuring console login 232 default settings 239 DHCHAP authentication 632 enabling MSCHAP authentication 235 example configuration 238 guidelines 232 limitations 232 prerequisites 231 user login process 230 verifying configurations 238 AAA accounting configuring default methods 236 AAA accounting logs clearing 238 disp
Index BPDU guard 200 bridge ID 150 broadcast storms 221 Brocade native interop mode 615 buffer-to-buffer credits 467 build fabric frames 480 description 480 C call home smart call home feature 353 Call Home description 349 message format options 349 Call Home messages configuring levels 352 format options 349 call home notifications full-txt format for syslog 369 XML format for syslog 369 CFS configuring for NTP 45 Cisco vendor ID 237, 243 Cisco Nexus 2000 Series Fabric Extender 4 Cisco Nexus 2148T Fabric
Index diagnostics (continued) runtime 329 Diffie-Hellman Challenge Handshake Authentication Protocol 625 documentation additional publications xlv obtaining xlvi domain IDs allowed lists 487 assignment failures 465 configuring allowed lists 487 configuring CFS distribution 488 configuring fcalias members 552 contiguous assignments 490 description 484 distributing 479 enabling contiguous assignments 490, 491 interoperability 615 preferred 484 static 484 domain manager fast restart feature 481 isolation 465
Index fabric binding (continued) verifying status 655 viewing active databases (procedure) 657 viewing EFMD statistics (procedure) 657 viewing violations (procedure) 657 Fabric Configuration Servers 661 fabric login 593 fabric port mode 463 fabric pWWNs zone membership 543 fabric reconfiguration fcdomain phase 479 fabric security authentication 625 default settings 634 Fabric Shortest Path First routing services 577 Fabric-Device Management Interface 595 fabrics 480 fault tolerant fabrics example (figure)
Index FSPF clearing counters 584 clearing VSAN counters 581 computing link cost 582 configuring globally 579 configuring Hello time intervals 582 configuring link cost 581 configuring on a VSAN 580 configuring on interfaces 581 dead time intervals 582 default settings 591 description 577 disabling 581 disabling on interfaces 584 disabling routing protocols 581 displaying database information 591 displaying global information 591 enabling 581 fault tolerant fabrics 577 in-order delivery 586 interoperability
Index interfaces (continued) VSAN membership 536 Interfaces 464 interop modes configuring mode 1 615 default settings 623 description 615 interoperability configuring interop mode 1 615 description 614 verifying status 618 VSANs 541 IOD 586 ISLs SAN port channel links 515 isolated port 88 isolated VLANs 88, 89 isolated VSANs description 538 displaying membership 538 L LACP 111, 115, 120 system ID 115 license key files description 53 licenses claim certificates 53 displaying information 56 evaluation 53 gr
Index MSTP (continued) MST region (continued) hop-count mechanism 179 supported spanning-tree instances 176 multicast storms 221 N N port identifier virtualization 473 N ports FCS support 661 fctrace 686 hard zoning 554 zone enforcement 554 zone membership 543 N5K-M1008 expansion module 4, 461 N5K-M1404 expansion module 4, 461 N5K-M1600 expansion module 4 name servers displaying database entries 595 interoperability 615 LUN information 603 proxy feature 594 registering proxies 594 Network Time Protocol 43
Index port security databases cleaning up 651 copying 651 copying active to config (procedure) 640 deleting 651 displaying configuration 652 interactions 649 manual configuration guidelines 638 merge guidelines 648 reactivating 640 scenarios 650 port speeds configuring 470 port tracking default settings 670 description 665 displaying information 670 enabling 667 guidelines 666 shutting down ports forcefully 669 port world wide names 543 PortChannels show tech-support port-channel command 693 PortFast BPDU
Index RSCN (continued) displaying information 596 multiple port IDs 596 suppressing domain format SW-RSCNs 597 switch RSCN 596 RSCN timers configuration distribution using CFS 599 configuring 598 RSTP 154, 158, 162, 175 active topology 158 BPDU processing 162 designated port, defined 158 designated switch, defined 158 proposal-agreement handshake process 154 rapid convergence 154 point-to-point links 154 root ports 154 root port, defined 158 runtime checks static routes 585 runtime diagnostics information
Index SNMPv3 (continued) specifying parameters for AAA servers 238 soft zoning description 554 source IDs call home event format 363 exchange based 516 flow based 516 in-order delivery 586 path selection 540 SPAN egress sources 673 ingress sources 673 sources for monitoring 673 SPAN destination port mode 464 SPAN sources egress 673 ingress 673 SPF computational hold times 579 static routes runtime checks 585 statistics TACACS+ 267 storage devices access control 543 STP edge ports 154, 199 EtherChannel 111
Index troubleshooting (continued) verifying switch connectivity 688 trunk mode administrative default 473 configuring 509, 510 default settings 513 trunk ports displaying information 513 trunk-allowed VSAN lists description 510 trunking comparison with port channels 515 configuration guidelines 508 configuring modes 509 default settings 513 description 507 displaying information 513 interoperability 615 link state 509 merging traffic 508 restrictions 507 trunking E port mode 463 trunking ports associated w
Index VSANs (continued) timer configuration 607 TOV 607 traffic isolation 531 trunk-allowed 508 trunking ports 536 VSAs format 237 protocol options 237 support description 237 W world wide names 611 WWNs description 611 displaying information 612 link initialization 612 secondary MAC addresses 612 suspended connections 465 Z zone aliases conversion to device aliases 573 zone attribute groups cloning 558 zone databases migrating a non-MDS database 559 release locks 562 zone members displaying information