Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

CLI software configuration guide

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
First Published: 07/17/2009
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-16597-01

Summary of Contents for Cisco AP775A - Nexus Converged Network Switch 5010

  • Page 2 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE.
  • Page 3: Table Of Contents

    Contents New and Changed Information for the Cisco Nexus 5000 Series Preface xliii Audience xliii Document Organization xliii Document Conventions xliv Related Documentation Obtaining Documentation and Submitting a Service Request xlvi Overview Information About Cisco Nexus 5000 Series Switches New Technologies in the Cisco Nexus 5000 Series Fibre Channel over Ethernet Data Center I/O Consolidation...
  • Page 4 Contents Call Home Online Diagnostics Switch Management Simple Network Management Protocol Role-Based Access Control Configuration Methods Configuring with CLI, XML Management Interface, or SNMP Configuring with Cisco Data Center Network Manager Configuring with Cisco MDS Fabric Manager Network Security Features Virtual Device Contexts Licensing Typical Deployment Topologies...
  • Page 5 Contents User-Defined Persistent CLI Variables Using Command Aliases Defining Command Aliases Command Scripts Executing Commands Specified in a Script Using CLI Variables in Scripts Setting the Delay Time Initial Switch Configuration Configuring the Switch Image Files on the Switch Starting the Switch Boot Sequence Console Settings Upgrading the Switch Software...
  • Page 6 Contents Discarding NTP Configuration Changes Releasing Fabric Session Lock Database Merge Guidelines NTP Session Status Verification Management Interface Configuration About the mgmt0 Interface Configuring the Management Interface Displaying Management Interface Configuration Shutting Down the Management Interface Managing the Switch Configuration Displaying the Switch Configuration Saving a Configuration Clearing a Configuration...
  • Page 7 Contents Uninstalling Licenses Updating Licenses Grace Period Alerts License Transfers Between Switches Verifying the License Configuration LAN Switching Configuring Ethernet Interfaces Information About Ethernet Interfaces About the Interface Command About the Unidirectional Link Detection Parameter UDLD Overview Default UDLD Configuration UDLD Aggressive and Nonaggressive Modes About Interface Speed About the Cisco Discovery Protocol...
  • Page 8 Contents Configuring a VLAN Creating and Deleting a VLAN Entering the VLAN Submode and Configuring the VLAN Adding Ports to a VLAN Verifying VLAN Configuration Configuring Private VLANs Information About Private VLANs Primary and Secondary VLANs in Private VLANs Private VLAN Ports Primary, Isolated, and Community Private VLANs Associating Primary and Secondary VLANs Private VLAN Promiscuous Trunks...
  • Page 9 Contents Configuring Access and Trunk Interfaces Configuring a LAN Interface as an Ethernet Access Port Configuring Access Host Ports Configuring Trunk Ports Configuring the Native VLAN for 802.1Q Trunking Ports Configuring the Allowed VLANs for Trunking Ports Configuring Native 802.1Q VLANs Verifying Interface Configuration Configuring EtherChannels Information About EtherChannels...
  • Page 10 Contents Cisco Nexus 5000 Series Switch vPC Topology Single Homed Fabric Extender vPC Topology Dual Homed Fabric Extender vPC Topology vPC Domain Peer-Keepalive Link and Messages Compatibility Parameters for vPC Peer Links Configuration Parameters That Must Be Identical Configuration Parameters That Should Be Identical vPC Peer Links vPC Peer Link Overview Manually Configured vPC Features...
  • Page 11 Contents Information About Rapid PVST+ Understanding STP STP Overview Understanding How a Topology is Created Understanding the Bridge ID Bridge Priority Value Extended System ID STP MAC Address Allocation Understanding BPDUs Election of the Root Bridge Creating the Spanning Tree Topology Understanding Rapid PVST+ Rapid PVST+ Overview Rapid PVST+ BPDUs...
  • Page 12 Contents Enabling Rapid PVST+ per VLAN Configuring the Root Bridge ID Configuring a Secondary Root Bridge Configuring the Rapid PVST+ Port Priority Configuring the Rapid PVST+ Pathcost Method and Port Cost Configuring the Rapid PVST+ Bridge Priority of a VLAN Configuring the Rapid PVST+ Hello Time for a VLAN Configuring the Rapid PVST+ Forward Delay Time for a VLAN Configuring the Rapid PVST+ Maximum Age Time for a VLAN...
  • Page 13 Contents Specifying the Configuration on an MST Region Mapping and Unmapping VLANs to MST Instances Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs Configuring the Root Bridge Configuring a Secondary Root Bridge Configuring the Port Priority Configuring the Port Cost Configuring the Switch Priority Configuring the Hello Time...
  • Page 14 Contents Enabling BPDU Guard on Specified Interfaces Enabling BPDU Filtering Globally Enabling BPDU Filtering on Specified Interfaces Enabling Loop Guard Globally Enabling Loop Guard or Root Guard on Specified Interfaces Verifying STP Extension Configuration Configuring the MAC Address Table Information About MAC Addresses Configuring MAC Addresses Configuring a Static MAC Address Configuring the Aging Time for the MAC Table...
  • Page 15 Contents AAA Service Configuration Options Authentication and Authorization Process for User Login Prerequisites for Remote AAA Information about AAA Guidelines and Limitations Configuring AAA Configuring Console Login Authentication Methods Configuring Default Login Authentication Methods Enabling Login Authentication Failure Messages Enabling MSCHAP Authentication Configuring AAA Accounting Default Methods Using AAA Server VSAs About VSAs...
  • Page 16 Contents Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server Configuring Accounting and Authentication Attributes for RADIUS Servers Configuring Periodic RADIUS Server Monitoring Configuring the Dead-Time Interval Manually Monitoring RADIUS Servers or Groups Verifying RADIUS Configuration Displaying RADIUS Server Statistics Example RADIUS Configuration Default RADIUS Settings Configuring TACACS+...
  • Page 17 Contents Verifying TACACS+ Configuration Example TACACS+ Configuration Default TACACS+ Settings Configuring SSH and Telnet Configuring SSH and Telnet Information About SSH and Telnet SSH Server SSH Client SSH Server Keys Telnet Server Guidelines and Limitations for SSH Configuring SSH Generating SSH Server Keys Specifying the SSH Public Keys for User Accounts Specifying the SSH Public Keys in Open SSH Format Specifying the SSH Public Keys in IETF SECSH Format...
  • Page 18 Contents Rules Source and Destination Protocols Implicit Rules Additional Filtering Options Sequence Numbers Logical Operators and Logical Operation Units Configuring IP ACLs Creating an IP ACL Changing an IP ACL Removing an IP ACL Changing Sequence Numbers in an IP ACL Applying an IP ACL as a Port ACL Verifying IP ACL Configurations Displaying and Clearing IP ACL Statistics...
  • Page 19 Contents Default ACL Settings System Management Using Cisco Fabric Services Using Cisco Fabric Services Information About CFS CFS Distribution CFS Distribution Modes Uncoordinated Distribution Coordinated Distribution Unrestricted Uncoordinated Distributions Disabling or Enabling CFS Distribution on a Switch Verifying CFS Distribution Status CFS Distribution over IP CFS Distribution over Fibre Channel CFS Distribution Scopes...
  • Page 20 Contents Configuring CFS over IP Enabling CFS over IPv4 Enabling CFS over IPv6 Verifying the CFS Over IP Configuration Configuring IP Multicast Address for CFS over IP Configuring IPv4 Multicast Address for CFS Configuring IPv6 Multicast Address for CFS Verifying IP Multicast Address Configuration for CFS over IP Displaying CFS Distribution Information Default CFS Settings Configuring User Accounts and RBAC...
  • Page 21 Contents Verifying a Session Committing a Session Saving a Session Discarding a Session Session Manager Example Configuration Verifying Session Manager Configuration Configuring Online Diagnostics Information About Online Diagnostics Online Diagnostics Overview Bootup Diagnostics Health Monitoring Diagnostics Expansion Module Diagnostics Configuring Online Diagnostics Verifying Online Diagnostics Configuration Default GOLD Settings Configuring System Message Logging...
  • Page 22 Contents Call Home Message Levels Obtaining Smart Call Home Prerequisites for Call Home Configuration Guidelines and Limitations Configuring Call Home Procedures for Configuring Call Home Configuring Contact Information Creating a Destination Profile Modifying a Destination Profile Associating an Alert Group with a Destination Profile Adding show Commands to an Alert Group Configuring E-Mail Configuring Periodic Inventory Notification...
  • Page 23 Contents Assigning SNMPv3 Users to Multiple Roles Creating SNMP Communities Configuring SNMP Notification Receivers Configuring the Notification Target User Enabling SNMP Notifications Configuring Link Notifications Disabling Link Notifications on an Interface Enabling One-Time Authentication for SNMP over TCP Assigning SNMP Switch Contact and Location Information Configuring the Context to Network Entity Mapping Verifying SNMP Configuration Default SNMP Settings...
  • Page 24 Contents DCBX Feature Negotiation Lossless Ethernet Logical Link Up/Down Converged Network Adapters FCoE Topologies Directly Connected CNA Topology Remotely Connected CNA Topology FCoE Best Practices Directly Connected CNA Best Practice Remotely Connected CNA Best Practice Licensing Requirements for FCoE Configuring FCoE Enabling FCoE Disabling FCoE Disabling LAN Traffic on an FCoE Link...
  • Page 25 Contents System Classes Default System Classes Policy Types Link-Level Flow Control Priority Flow Control Trust Boundaries Ingress Queuing Policies Ingress Classification Policies Egress Queuing Policies QoS for Multicast Traffic Policy for Fibre Channel Interfaces QoS for Traffic Directed to the CPU QoS Configuration Guidelines and Limitations Configuring System Classes Configuring Class Maps...
  • Page 26 Contents Configuring Priority Flow Control Configuring Link-Level Flow Control Verifying QoS Configuration Example QoS Configurations QoS Example 1 QoS Example 2 QoS Example 3 SAN Switching Configuring Fibre Channel Interfaces Configuring Fibre Channel Interfaces Information About Fibre Channel Interfaces Licensing Requirements for Fibre Channel Physical Fibre Channel Interfaces Virtual Fibre Channel Interfaces Interface Modes...
  • Page 27 Contents Configuring Receive Data Field Size Understanding Bit Error Thresholds Configuring Buffer-to-Buffer Credits Configuring Global Attributes for Fibre Channel Interfaces Configuring Switch Port Attribute Default Values About N Port Identifier Virtualization Enabling N Port Identifier Virtualization Verifying Fibre Channel Interfaces Verifying SFP Transmitter Types Verifying Interface Information Verifying BB_Credit Information...
  • Page 28 Contents Locking the Fabric Committing Changes Discarding Changes Clearing a Fabric Lock Displaying CFS Distribution Status Displaying Pending Changes Displaying Session Status About Contiguous Domain ID Assignments Enabling Contiguous Domain ID Assignments FC IDs About Persistent FC IDs Enabling the Persistent FC ID Feature Persistent FC ID Configuration Guidelines Configuring Persistent FC IDs About Unique Area FC IDs for HBAs...
  • Page 29 Contents Enabling NPV Configuring NPV Interfaces Configuring an NP Interface Configuring a Server Interface Configuring NPV Traffic Management Configuring NPV Traffic Maps Enabling Disruptive Load Balancing Verifying NPV Verifying NPV Examples Verifying NPV Traffic Management Configuring VSAN Trunking Configuring VSAN Trunking Information About VSAN Trunking VSAN Trunking Mismatches VSAN Trunking Protocol...
  • Page 30 Contents Deleting SAN Port Channels Interfaces in a SAN Port Channel About Interface Addition to a SAN Port Channel Compatibility Check Suspended and Isolated States Adding an Interface to a SAN Port Channel Forcing an Interface Addition About Interface Deletion from a SAN Port Channel Deleting an Interface from a SAN Port Channel SAN Port Channel Protocol About Channel Group Creation...
  • Page 31 Contents About Load Balancing Configuring Load Balancing About Interop Mode Displaying Static VSAN Configuration Default VSAN Settings Configuring and Managing Zones Configuring and Managing Zones Information About Zoning Zoning Features Zoning Example Zone Implementation Active and Full Zone Set Configuration Guidelines Configuring Zones Configuring Zones Example Zone Sets...
  • Page 32 Contents About Enhanced Zoning Changing from Basic Zoning to Enhanced Zoning Changing from Enhanced Zoning to Basic Zoning Enabling Enhanced Zoning Modifying the Zone Database Releasing Zone Database Locks Merging the Database Configuring Zone Merge Control Policies Default Zone Policies Configuring System Default Zoning Settings Verifying Enhanced Zone Information Compacting the Zone Database...
  • Page 33 Contents Default Device Alias Settings Configuring Fibre Channel Routing Services and Protocols Configuring Fibre Channel Routing Services and Protocols Information About FSPF FSPF Examples Fault Tolerant Fabric Example Redundant Link Example FSPF Global Configuration About SPF Computational Hold Times About Link State Records Configuring FSPF on a VSAN Resetting FSPF to the Default Configuration Enabling or Disabling FSPF...
  • Page 34 Contents Displaying the In-Order Delivery Status Configuring the Drop Latency Time Displaying Latency Information Flow Statistics Configuration About Flow Statistics Counting Aggregated Flow Statistics Counting Individual Flow Statistics Clearing FIB Statistics Displaying Flow Statistics Default FSPF Settings Managing FLOGI, Name Server, FDMI, and RSCN Databases Managing FLOGI, Name Server, FDMI, and RSCN Databases Information About Fabric Login Name Server Proxy...
  • Page 35 Contents Discarding the RSCN Timer Configuration Changes Clearing a Locked Session Displaying RSCN Configuration Distribution Information Default RSCN Settings Discovering SCSI Targets Discovering SCSI Targets Information About SCSI LUN Discovery About Starting SCSI LUN Discovery Starting SCSI LUN Discovery About Initiating Customized Discovery Initiating Customized Discovery Displaying SCSI LUN Information Advanced Fibre Channel Features and Concepts...
  • Page 36 Contents Default Settings for Advanced Features Configuring FC-SP and DHCHAP Configuring FC-SP and DHCHAP Information About Fabric Authentication DHCHAP DHCHAP Compatibility with Fibre Channel Features About Enabling DHCHAP Enabling DHCHAP About DHCHAP Authentication Modes Configuring the DHCHAP Mode About the DHCHAP Hash Algorithm Configuring the DHCHAP Hash Algorithm About the DHCHAP Group Settings Configuring the DHCHAP Group Settings...
  • Page 37 Contents Port Security Activation Activating Port Security Database Activation Rejection Forcing Port Security Activation Database Reactivation Auto-Learning About Enabling Auto-Learning Enabling Auto-Learning Disabling Auto-Learning Auto-Learning Device Authorization Authorization Scenario Port Security Manual Configuration WWN Identification Guidelines Adding Authorized Port Pairs Port Security Configuration Distribution Enabling Port Security Distribution Locking the Fabric...
  • Page 38 Contents Configuring Fabric Binding Enabling Fabric Binding About Switch WWN Lists Configuring Switch WWN List About Fabric Binding Activation and Deactivation Activating Fabric Binding Forcing Fabric Binding Activation Copying Fabric Binding Configurations Clearing the Fabric Binding Statistics Deleting the Fabric Binding Database Verifying Fabric Binding Information Default Fabric Binding Settings Configuring Fabric Configuration Servers...
  • Page 39 Contents Configuring SPAN Configuring SPAN SPAN Sources Characteristics of Source Ports SPAN Destinations Characteristics of Destination Ports Configuring SPAN Creating and Deleting a SPAN Session Configuring the Destination Port Configuring an Ethernet Destination Port Configuring Fibre Channel Destination Port Configuring Source Ports Configuring Source Port Channels, VLANs, or VSANs Configuring the Description of a SPAN Session Activating a SPAN Session...
  • Page 41: New And Changed Information For The Cisco Nexus 5000 Series

    New and Changed Information for the Cisco Nexus 5000 Series This chapter provides release specific information for each new and changed feature in the Cisco Nexus 5000 Series Switch CLI Software Configuration Guide . To check for additional information about Cisco NX-OS Release 4.1(3)N1(1), see the Cisco Nexus 5000 Series and Cisco Nexus 2000 Series Release Notes, 31/July/2009 available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html.
  • Page 43: Document Organization

    Preface This preface describes the audience, organization, and conventions of the . It also provides information on how to obtain related documentation. • Audience, page xliii • Document Organization, page xliii • Document Conventions, page xliv • Related Documentation, page xlv Audience This guide is for experienced network administrators who are responsible for configuring and maintaining n5k switches.
  • Page 44: Document Conventions

    Preface Document Conventions Part or Chapter Description System Management, page 297 Describes how to configure CFS, RBAC, System Message Logging, Call Home, SNMP, RMON, network management interfaces, storm control, and SPAN. Fibre Channel over Ethernet, page 391 Describes how to configure FCoE and virtual interfaces.
  • Page 45: Related Documentation

    Preface Related Documentation Convention Description string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. Screen examples use the following conventions: Convention Description Terminal sessions and information the switch displays are in screen font. screen font Information you must enter is in boldface screen font.
  • Page 46: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request Related Documentation Cisco Nexus 2000 Series Fabric Extender Hardware Installation Guide Cisco MDS 9000 and Nexus 5000 Series Fabric Manager Software Configuration Guide, Cisco Fabric Manager Release 4.1 Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
  • Page 47: Overview

    Chapter: Overview This chapter describes the Cisco Nexus 5000 Series switches. It includes the following sections: • Information About Cisco Nexus 5000 Series Switches, page 1 • New Technologies in the Cisco Nexus 5000 Series, page 1 •...
  • Page 48: Data Center I/O Consolidation

    Data Center I/O Consolidation New Technologies in the Cisco Nexus 5000 Series a lossless transport layer; as a data storage protocol, it is unacceptable to lose a single data packet. Native Fibre Channel implements a lossless service at the transport layer using a buffer-to-buffer credit system. For FCoE traffic, the Ethernet link must provide a lossless service.
  • Page 49: Virtual Interfaces

    Virtual Interfaces New Technologies in the Cisco Nexus 5000 Series The server OS is not aware of the FCoE encapsulation (see the following figure). At the switch, the incoming Ethernet port separates the Ethernet and Fibre Channel traffic (using EtherType to differentiate the frames). Ethernet frames and Fibre Channel frames are switched to their respective network-side interfaces.
  • Page 50: Cisco Nexus 5000 Series Switch Hardware

    Chassis Cisco Nexus 5000 Series Switch Hardware Cisco Nexus 5000 Series Switch Hardware Chassis The Cisco Nexus 5000 Series includes the Cisco Nexus 5010 and Cisco Nexus 5020 switches. The Cisco Nexus 5010 switch is a 1 RU chassis and the Cisco Nexus 5020 switch is a 2 RU chassis designed for rack mounting.
  • Page 51: Fibre Channel Interfaces

    Fibre Channel Interfaces Cisco Nexus 5000 Series Switch Software All of the 10-Gigabit Ethernet ports support FCoE. Each port can be used as a downlink (connected to a server) or as an uplink (to the data center LAN). Fibre Channel Interfaces Fibre Channel ports are optional on the Cisco Nexus 5000 Series switch.
  • Page 52: Virtual Port Channels

    Switched Port Analyzer • Distributed device alias service • SAN port channels Cisco Nexus 5000 Series switches provide quality of service (QoS) capabilities such as traffic prioritization and bandwidth allocation on egress interfaces. The default QoS configuration on the switch provides lossless service for Fibre Channel and FCoE traffic. QoS can be configured to provide additional classes of service for Ethernet traffic.
  • Page 53: Online Diagnostics

    Switch Management Online Diagnostics Online Diagnostics Cisco generic online diagnostics (GOLD) is a suite of diagnostic facilities to verify that hardware and internal data paths are operating as designed. Boot-time diagnostics, continuous monitoring, and on-demand and scheduled tests are part of the Cisco GOLD feature set. GOLD allows rapid fault isolation and continuous system monitoring.
  • Page 54: Network Security Features

    Network Security Features Typical Deployment Topologies Network Security Features Cisco NX-OS Release 4.1 includes the following security features: • Authentication, authorization, and accounting (AAA) and TACACS+ • RADIUS • Secure Shell (SSH) Protocol Version 2 • Simple Network Management Protocol Version 3 (SNMPv3) •...
  • Page 55 Overview Typical Deployment Topologies In the example configuration, the Cisco Nexus 5000 Series switch has Ethernet uplinks to two Catalyst switches. If STP is enabled in the data center LAN, the links to one of the switches will be STP active and the links to the other switch will be STP blocked.
  • Page 56: Fabric Extender Deployment Topology

    Fabric Extender Deployment Topology Typical Deployment Topologies Fabric Extender Deployment Topology The following figure shows a simplified configuration using the Cisco Nexus 2000 Series Fabric Extender in combination with the Cisco Nexus 5000 Series switch to provide a simplified and cost-effective 1-Gigabit TOR solution.
  • Page 57: Data Center I/O Consolidation Topology

    Data Center I/O Consolidation Topology Supported Standards Data Center I/O Consolidation Topology The following figure shows a typical I/O consolidation scenario for the Cisco Nexus 5000 Series switch. Figure 4: I/O Consolidation Topology The Cisco Nexus 5000 Series switch connects to the server ports using FCoE. Ports on the server require converged network adapters.
  • Page 58 Overview Supported Standards Table 2: IEEE Compliance (Standard: Description): 802.1D: MAC Bridges; 802.1s: Multiple Spanning Tree Protocol; 802.1w: Rapid Spanning Tree Protocol; 802.3ad: Link aggregation with LACP; 802.3ae: 10-Gigabit Ethernet; 802.1Q: VLAN Tagging; 802.1p: Class of Service Tagging for Ethernet frames
  • Page 59: Configuration Fundamentals

    Part: Configuration Fundamentals • Using the Command-Line Interface, page 15 • Initial Switch Configuration, page 29 • Managing Licenses, page 53...
  • Page 61: Using The Command-Line Interface

    Chapter: Using the Command-Line Interface This chapter describes how to use the command-line interface of the Cisco Nexus 5000 Series switch. It contains the following sections: • Accessing the Command Line Interface, page 15 •...
  • Page 62: Ssh Connection

    Accessing the Command Line Interface SSH Connection Step 2 At the switch login prompt, enter your username and password. The Cisco Nexus 5000 Series switch initiates authentication. Note: If no password has been configured, press Return. Step 3 Exit the session when finished. exit switch# This example shows how to make a Telnet connection to a switch:...
  • Page 63: Using The Cli

    Using the CLI Using CLI Command Modes Using the CLI Using CLI Command Modes Switches in the Cisco Nexus 5000 Series have two main command modes: user EXEC mode and configuration mode. The commands available to you depend on the mode you are in. To obtain a list of available commands in either mode, type a question mark (?) at the system prompt.
  • Page 64: Listing The Commands Used With Each Command Mode

    Using the CLI Listing the Commands Used with Each Command Mode Listing the Commands Used with Each Command Mode You can display the commands available in any command mode by typing a question mark (?) at the switch prompt. CLI Command Hierarchy CLI commands are organized hierarchically, with commands that perform similar functions grouped under the same level.
  • Page 65 Using the CLI EXEC Mode Commands The following commands are available in EXEC mode: switch# ? attach Connect to a specific linecard callhome callhome commands Change current directory check run consistency check on external storage device clear Reset functions CLI commands clock Manage the system clock configure...
  • Page 66: Configuration Mode Commands

    Using the CLI Configuration Mode Commands Configuration Mode Commands Configuration mode allows you to make changes to the existing configuration. When you save the configuration, these commands are saved across switch reboots. Once you are in configuration mode, you can enter interface configuration mode, zone configuration mode, and a variety of protocol-specific modes.
  • Page 67 Using the CLI Configuration Mode Commands The following commands are available in configuration mode: switch# configure terminal switch(config)# ? Configure aaa functions banner Configure banner message boot Configure boot variables callhome Enter the callhome configuration mode Configure CDP parameters CFS configuration commands class-map Configure class-map Configure CLI aliases...
  • Page 68: Using Commands

    Using Commands Listing Commands and Syntax track Object tracking configuration commands trunk Configure Switch wide trunk protocol username Configure user information. vlan Vlan commands Configure VRF parameters vsan Enter the vsan configuration mode Set secondary base MAC addr and range for additional WWNs xml agent zone Zone configuration commands...
  • Page 69: Using Keyboard Shortcuts

    Using Commands Using Keyboard Shortcuts If you enter the zone member command, you can undo the results: switch(config)# zone name test vsan 1 switch(config-zone)# member pwwn 12:12:12:12:12:12:12:12 switch(config-zone)# no member pwwn 12:12:12:12:12:12:12:12 WARNING: Zone is empty. Deleting zone test. Exit the submode. switch(config-zone)# •...
  • Page 70: Using Cli Variables

    Using CLI Variables Using Keyboard Shortcuts Command Description Ctrl-G Exit Ctrl-Z Ctrl-L Clear session The following table describes the commonly used configuration submodes. Table 5: Common Configuration Submodes Submode Name From Configuration Mode, Enter: Submode Prompt switch(config-callhome)# Call home callhome switch(config-fcs-register)# FCS Registration fcs register...
  • Page 71: User-Defined Persistent Cli Variables

    Using CLI Variables User-Defined Persistent CLI Variables The variables defined in the parent shell are available for use in the child run-script command process. • Passed as command line arguments to the run-script command. CLI variables have the following characteristics: •...
  • Page 72: Using Command Aliases

    Using Command Aliases Executing Commands Specified in a Script Using Command Aliases Command alias support has the following characteristics: • Command aliases are global for all user sessions. • Command aliases are saved across reboots. • Commands being aliased must be typed in full without abbreviation. •...
  • Page 73: Using Cli Variables In Scripts

    Command Scripts Using CLI Variables in Scripts Note: You cannot create the script file at the switch prompt. You can create the script file on an external machine and copy it to the bootflash: directory. This section assumes that the script file resides in the bootflash: directory.
  • Page 74: Setting The Delay Time

    Command Scripts Setting the Delay Time The following example shows how to use CLI session variables in a script file used by the run-script command: switch# cli var name testinterface fc 1/1 switch# show file bootflash:test1.vsh show interface $(testvar) switch# run-script bootflash:test1.vsh `show interface $(testvar)` fc2/1 is down (SFP not present) Hardware is Fibre Channel...
  • Page 75: Initial Switch Configuration

    Chapter: Initial Switch Configuration This chapter describes the command-line interface (CLI) and CLI command modes of Cisco Nexus 5000 Series switches. It includes the following sections: • Configuring the Switch, page 29 Configuring the Switch Image Files on the Switch The Cisco Nexus 5000 Series switches have the following images: •...
  • Page 76: Boot Sequence

    Configuring the Switch Boot Sequence Boot Sequence When the switch boots, the golden BIOS validates the checksum of the upgradeable BIOS. If the checksum is valid, then control is transferred to the upgradeable BIOS image. The upgradeable BIOS launches the kickstart image, which then launches the system image.
  • Page 77: Procedure

    Configuring the Switch Console Settings Related Topics • Troubleshooting, page 681 Console Settings The loader, kickstart, and system images have the following factory default console settings: • Speed—9600 baud • Databits—8 bits per byte • Stopbits—1 bit • Parity—none These settings are stored on the switch, and all three images use the stored console settings. To change a console setting, use the line console command in configuration mode.
  • Page 78 Configuring the Switch Upgrading the Switch Software Example: switch# dir bootflash: 4681 Nov 24 02:43:52 2008 config 13176836 Nov 24 07:19:36 2008 gdb.1 49152 Jan 12 18:38:36 2009 lost+found/ 310556 Dec 23 02:53:28 2008 20058112 Nov 07 02:35:22 2008 n5000-uk9-kickstart.4.0.1a.N1.0.62.bin 20217856 Jan 12 18:26:54 2009 n5000-uk9-kickstart.4.0.1a.N2.0.140.bin...
  • Page 79: Downgrading From A Higher Release

    Example:
      switch# show version
      Cisco Nexus Operating System (NX-OS) Software
      TAC support: http://www.cisco.com/tac
      Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
      The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 80 Downgrading from a Higher Release
    Procedure
    Step 1 Locate the image files you will use for the downgrade by entering the dir bootflash: command. If the image files are not stored on the bootflash memory, download the files from Cisco.com:
      a) Log in to Cisco.com to access the Software Download Center.
  • Page 81: Initial Configuration

    Configuration Prerequisites
    The following procedure is a review of the tasks you should have completed during hardware installation. These tasks must be completed before you can configure the switch. Before you can configure a switch, follow these steps:
    Procedure
    Step 1 Verify the following physical connections for the new Cisco Nexus 5000 Series switch:...
  • Page 82: Default Login

    Note: If a password is weak (short, easy-to-decipher), your password configuration is rejected. Be sure to configure a strong password.
    • If you are using an IPv4 address for the management interface, you need the following information: ◦...
  • Page 83 Configuring the Switch
    If you do not want to answer a previously configured question, or if you want to skip answers to any questions, press Enter. If a default answer is not available (for example, switch name), the switch uses what was previously configured and skips to the next question.
  • Page 84 Configuring the Switch
    Example:
      Enter the password for user_name: user-password
    Step 6 Enter yes (yes is the default) to create an SNMP read-only community string.
    Example:
      Configure read-only SNMP community string (yes/no) [n]:yes
      SNMP community string: snmp_community
    Step 7 Enter a name for the switch.
  • Page 85 Configuring the Switch
    Example:
      Configure NTP server? (yes/no) [n]: yes
      NTP server IP address: ntp_server_IP_address
    Step 13 Enter yes (yes is the default) to configure basic Fibre Channel configurations.
    Example:
      Enter basic FC configurations (yes/no) [n]: yes
    Step 14 Enter shut (shut is the default) to configure the default Fibre Channel switch port interface to the shut (disabled) state.
  • Page 86: Changing The Initial Configuration

    Step 19 Enter yes (yes is default) to use and save this configuration:
    Example:
      Use this configuration and save it? (yes/no) [y]: yes
    Caution: If you do not save the configuration at this point, none of your changes are updated the next time the switch is rebooted....
  • Page 87: Configuring Date And Time

    Note: This guide refers to a switch in the Cisco Nexus 5000 Series as switch, and it uses the switch# prompt.
    To change the name of the switch, perform this task:
    Procedure
    Command or Action | Purpose...
  • Page 88: Adjusting For Daylight Saving Time Or Summer Time

    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
    Step 2  switch(config)# clock timezone timezone hours_offset minutes_offset
            Sets the time zone. timezone is the three letter time zone (PST for Pacific Standard), the hours offset from UTC...
  • Page 89: Ntp Configuration

    Command or Action | Purpose
    Step 4  switch(config)# exit
            Returns to EXEC mode.
    Step 5  switch# show running-config | include summer-time
            Verifies the time zone configuration.
    The following example adjusts the daylight savings time for the U.S. Pacific daylight time by 60 minutes starting the second Sunday in March at 2 a.m.
  • Page 90: Configuring Ntp

    server. You would configure peer association between these two sets, which forces the clock to be more reliable.
    • If you only have one server, it is better for all the switches to have a client association with that server.
    Not even a server down time will affect well-configured switches in the network.
  • Page 91: Ntp Cfs Distribution

    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
    Step 2  switch(config)# ntp server {ip-address | ipv6-address | dns-name}
            Forms an association with a server.
    Step 3  switch(config)# ntp peer {ip-address |
            Forms an association with a peer....
  • Page 92: Discarding Ntp Configuration Changes

    commit the NTP configuration changes without implementing the session feature, the NTP configurations are distributed to all the switches in the fabric. To commit the NTP configuration changes, perform this task:
    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal...
  • Page 93: Management Interface Configuration

    The management interface on the switch allows multiple simultaneous Telnet, SSH, or SNMP sessions. You can remotely configure the switch through the management interface (mgmt0), but first you must configure some IP parameters so that the switch is reachable. You can manually configure the management interface from the CLI through the console port.
  • Page 94: Displaying Management Interface Configuration

      b) switch(config-vrf)# ipv6 route ipv6-prefix[/ length] ipv6-nexthop-address
         Configures the IPv6 address of the next hop.
    Step 8  switch(config-vrf)# exit
            Returns to EXEC mode.
    Step 9  (Optional) switch# copy running-config startup-config
            Saves your configuration changes to the file system.
    In some cases, a switch interface might be administratively shut down.
  • Page 95: Saving A Configuration

    from the startup configuration, enter the show startup-config command to view the ASCII version of the current startup configuration that was used to boot the switch if a copy running-config startup-config command was not entered after the reboot. Use the show startup-config command to view the contents of the current startup configuration.
  • Page 96: Listing The Files In A Directory

    The dir command displays the contents of the current directory or the specified directory. The syntax for this command is dir directory or dir filename. This example shows how to list the files on the default volatile file system:
      switch# dir volatile:
      Usage for volatile://sup-local...
  • Page 97: Copying Files

    This example moves a file from the current directory level:
      switch# move samplefile mystorage/samplefile
    If the current directory is bootflash:mydir, this command moves bootflash:mydir/samplefile to bootflash:mydir/mystorage/samplefile.
    Copying Files
    The copy command copies a file between file systems within a switch.
    Note: Use the dir command to ensure that enough space is available in the target file system.
  • Page 98: Compressing And Uncompressing Files

    The gzip command compresses (zips) the specified file using LZ77 coding. This example directs the output of the show tech-support command to a file (Samplefile), and then zips the file and displays the difference in the space used up in the volatile directory:
      switch# show tech-support >...
  • Page 99: Managing Licenses

    CHAPTER: Managing Licenses
    This chapter describes how to manage licenses on Cisco Nexus 5000 Series switches. It contains the following sections:
    • Licensing Terminology, page 53
    • Licensing Model, page 54
    • Licence Installation, page 55 •...
  • Page 100: Licensing Model

    • License enforcement—A mechanism that prevents a feature from being used without first obtaining a license.
    • Node-locked license—A license that can only be used on a particular switch using the switch’s unique host ID.
    • Host IDs—A unique chassis serial number that is specific to each switch. •...
  • Page 101: Licence Installation

    Licence Installation Obtaining a Factory-Installed License Feature License Features N5000-AS and system features, except features explicitly listed in the Storage Services Package. Nexus 5010 Storage Protocols Services License • N5010-SS includes the following services for N5010-SSK9 one NX5010 system: • Native Fibre Channel •...
  • Page 102: Performing A Manual Installation

    Performing a Manual Installation
    All Cisco Nexus 5000 Series licenses are factory-installed. Manual installation is not required.
    Obtaining the License Key File
    To obtain new or updated license key files, perform this task:
    Procedure
    Step 1 Use the show license host-id command to obtain the serial number for your switch....
  • Page 103: Backing Up License Files

    Procedure
    Step 1 Log into the switch through the console port.
    Step 2 Perform the installation by entering the install license command from the switch console.
      switch# install license bootflash:license_file.lic
      Installing license ..done
    If you provide a target name for the license key file, the file is installed with the specified name.
  • Page 104: Identifying License Features In Use

    We recommend backing up your license files immediately after installing them and just before running a write erase command.
    Caution: If you erase any existing licenses, you can only install them using the install license command.
    Identifying License Features in Use
    When a Cisco NX-OS software feature is enabled, it can activate a license grace period.
  • Page 105: Updating Licenses

    Procedure
    Step 1 Save your running configuration to a remote server using the copy command.
    Step 2 Enter the show license brief command in EXEC mode to view a list of all installed license key files and identify the file to be uninstalled.
  • Page 106: Grace Period Alerts

      c) Get the product authorization key (PAK) from either the claim certificate or the proof of purchase document.
      d) Locate the website URL from either the claim certificate or the proof of purchase document.
      e) Access the specified URL that applies to your switch and enter the switch serial number and the PAK.
  • Page 107: License Transfers Between Switches

    countdown for a license package, you must disable every feature in that license package. Use the show license usage license-name command to determine which applications to disable.
      switch# show license usage FC_FEATURES_PKG
      Application
      ----------- -----------...
  • Page 108 Verifying the License Configuration
            Displays information for all installed license files.
    Step 2  switch# show license file
            Displays information for a specific license file.
    Step 3  switch# show license host-id
            Displays the host ID for the physical switch.
    Step 4  switch# show license usage
            Displays the usage information for installed licenses.
  • Page 109: Lan Switching

    PART: LAN Switching
    • Configuring Ethernet Interfaces, page 65
    • Configuring VLANs, page 79
    • Configuring Private VLANs, page 87
    • Configuring Access and Trunk Interfaces, page 101
    • Configuring EtherChannels, page 111
    • Configuring Virtual Port Channels, page 123 •...
  • Page 111: Configuring Ethernet Interfaces

    CHAPTER: Configuring Ethernet Interfaces
    This section describes the configuration of the Ethernet interfaces on a Cisco Nexus 5000 Series switch. It contains the following sections:
    • Information About Ethernet Interfaces, page 65
    • Configuring Ethernet Interfaces, page 69 •...
  • Page 112: About The Unidirectional Link Detection Parameter

      switch(config)# interface ethernet [chassis/]slot/port
    • Chassis ID is an optional entry to address the ports of a connected Fabric Extender. The chassis ID is configured on a physical Ethernet or EtherChannel interface on the switch to identify the Fabric Extender discovered via the interface.
  • Page 113: Default Udld Configuration

    The following figure shows an example of a unidirectional link condition. Device B successfully receives traffic from Device A on the port. However, Device A does not receive traffic from Device B on the same port.
  • Page 114: About Interface Speed

    • One side of a link remains up while the other side of the link is down
    In these cases, the UDLD aggressive mode disables one of the ports on the link, which prevents traffic from being discarded.
  • Page 115: About Mtu Configuration

    You can enable the debounce timer for each interface and specify the delay time in milliseconds.
    Caution: When you enable the port debounce timer the link up and link down detections are delayed, resulting in a loss of traffic during the debounce period.
  • Page 116: Configuring Interface Speed

    Command or Action | Purpose
    Step 5  switch(config)# interface type slot/port
            Specifies an interface to configure, and enters interface configuration mode.
    Step 6  switch(config-if)# udld {enable | disable | aggressive}
            Enables the normal UDLD mode, disables UDLD, or enables the aggressive UDLD mode.
  • Page 117: Configuring The Cisco Discovery Protocol

    The following example shows how to set the speed for a 1-Gigabit Ethernet port:
      switch# configure terminal
      switch(config)# interface ethernet 1/4
      switch(config-if)# speed 1000
    This command can only be applied to a physical Ethernet interface.
    Note: If the interface and transceiver speed is mismatched, the SFP validation failed message is displayed when you enter the show interface ethernet slot/port command.
  • Page 118: Enabling Or Disabling Cdp

    Command or Action | Purpose
    Step 5  switch(config)# [no] cdp timer seconds
            (Optional) Sets the transmission frequency of CDP updates in seconds. The range is 5 to 254; the default is 60 seconds. Use the no form of the command to return to its default setting.
  • Page 119: Configuring The Description Parameter

    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
    Step 2  switch(config)# interface type slot/port
            Enters interface configuration mode for the specified interface.
    Step 3  switch(config-if)# link debounce time milliseconds
            Enables the debounce timer for the amount of time (1 to 5000 milliseconds) specified.
  • Page 120: Displaying Interface Information

    network servers through all dynamic routing protocols. When shut down, the interface is not included in any routing updates. To disable an interface, perform this task:
    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
  • Page 121 Displaying Interface Information
    The show interface command is invoked from EXEC mode and displays the interface configurations. Without any arguments, this command displays the information for all the configured interfaces in the switch. The following example shows how to display the physical Ethernet interface:
      switch# show interface ethernet 1/1
      Ethernet1/1 is up
      Hardware is 1000/10000 Ethernet, address is 000d.eca3.5f08 (bia 000d.eca3.5f08)...
  • Page 122 Displaying Interface Information
    The following example shows how to display the physical Ethernet transceiver:
      switch# show interface ethernet 1/1 transceiver
      Ethernet1/1
      sfp is present
      name is CISCO-EXCELIGHT
      part number is SPP5101SR-C1
      revision is A
      serial number is ECL120901AV
      nominal bitrate is 10300 MBits/sec
      Link length supported for 50/125mm fiber is 82 m(s)
      Link length supported for 62.5/125mm fiber is 26 m(s)...
  • Page 123: Default Physical Ethernet Settings

    The following table lists the default settings for all physical Ethernet interfaces:
    Parameter | Default Setting
    Debounce | Enable, 100 milliseconds
    Duplex | Auto (full-duplex)
    Encapsulation | ARPA
    MTU (see footnote 2) | 1500 bytes
    Port Mode | Access
    Speed | Auto (10000)
    2 MTU cannot be changed per-physical Ethernet interface.
  • Page 125: Configuring Vlans

    CHAPTER: Configuring VLANs
    This chapter describes how to configure VLANs on the Cisco Nexus 5000 Series switch. It contains the following sections:
    • Configuring VLANs, page 79
    Configuring VLANs
    You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains.
  • Page 126: Understanding Vlan Ranges

    The following figure shows VLANs as logical networks. In this diagram, the stations in the engineering department are assigned to one VLAN, the stations in the marketing department are assigned to another VLAN, and the stations in the accounting department are assigned to yet another VLAN.
    Figure 8: VLANs as Logically Defined Networks
    VLANs are usually associated with IP subnetworks.
  • Page 127: Creating, Deleting, And Modifying Vlans

    Table 9: VLAN Ranges
    VLANs Numbers   Range   Usage
    Normal   Cisco default. You can use this VLAN, but you cannot modify or delete it.
    2—1005   Normal   You can create, use, modify, and delete these VLANs.
    1006—4094   Extended   You can create, name, and use...
  • Page 128: Configuring A Vlan

    • VLAN name
    • Shutdown or not shutdown
    When you delete a specified VLAN, the ports associated to that VLAN are shut down and no traffic flows. However, the system retains all the VLAN-to-port mapping for that VLAN, and when you reenable, or recreate, the specified VLAN, the system automatically reinstates all the original ports to that VLAN.
  • Page 129: Entering The Vlan Submode And Configuring The Vlan

    Note: You can also create and delete VLANs in the VLAN configuration submode.
    Entering the VLAN Submode and Configuring the VLAN
    To configure or modify the VLAN for the following parameters, you must be in the VLAN configuration submode: •...
  • Page 130: Adding Ports To A Vlan

    After you have completed the configuration of a VLAN, assign ports to it. To add ports, perform this task:
    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
  • Page 131 Verifying VLAN Configuration
      VLAN Name Status Ports
      ---- -------------------------------- --------- -------------------------------
      default active Eth1/1, Eth1/2, Eth1/3, Eth1/4
      Eth1/5, Eth1/6, Eth1/7, Eth1/8
      Eth1/9, Eth1/10, Eth1/11
      Eth1/12, Eth1/15, Eth1/16
      Eth1/17, Eth1/18, Eth1/19
      Eth1/20, Eth1/21, Eth1/22
      Eth1/23, Eth1/24, Eth1/25
      Eth1/26, Eth1/27, Eth1/28
      Eth1/29, Eth1/30, Eth1/31
      Eth1/32, Eth1/33, Eth1/34
      Eth1/35, Eth1/36, Eth1/37...
  • Page 133: Configuring Private Vlans

    CHAPTER: Configuring Private VLANs
    This chapter describes how to configure private VLANs on the Cisco Nexus 5000 Series switch. It contains the following sections:
    • Information About Private VLANs, page 87
    • Guidelines and Limitations for Private VLANs, page 92 •...
  • Page 134: Primary And Secondary Vlans In Private Vlans

    promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
    Figure 9: Private VLAN Domain
    You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary.
  • Page 135: Primary, Isolated, And Community Private Vlans

    • Promiscuous—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN.
  • Page 136: Associating Primary And Secondary Vlans

    The following figure shows the traffic flows within a private VLAN, along with the types of VLANs and types of ports.
    Figure 10: Private VLAN Traffic Flows
    Note: The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic received on primary VLAN enforces no separation and forwarding is done as in normal VLAN.
  • Page 137: Private Vlan Promiscuous Trunks

    Note: You can associate a secondary VLAN with only one primary VLAN.
    For an association to be operational, the following conditions must be met:
    • The primary VLAN must exist and be configured as a primary VLAN. •...
  • Page 138: Broadcast Traffic In Private Vlans

    Broadcast traffic from ports in a private VLAN flows in the following ways:
    • The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN (which includes all the ports in the community and isolated VLANs).
  • Page 139: Configuring A Vlan As A Private Vlan

    Note: The private VLAN commands do not appear until you enable the private VLAN feature.
    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
    Step 2  switch(config)# feature private-vlan
            Enables the private VLAN feature on the switch.
  • Page 140: Associating Secondary Vlans With A Primary Private Vlan

    This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:
      switch# configure terminal
      switch(config)# vlan 5
      switch(config-vlan)# private-vlan primary
    This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:
      switch# configure terminal
      switch(config)# vlan 100
      switch(config-vlan)# private-vlan community...
  • Page 141: Configuring An Interface As A Private Vlan Host Port

    Configuring a Private VLAN Configuring an Interface as a Private VLAN Host Port Command or Action Purpose Step 2 switch(config)# vlan primary-vlan-id Enters the number of the primary VLAN that you are working in for the private VLAN configuration. Step 3 switch(config-vlan)# private-vlan Associates the secondary VLANs with the association {[add] secondary-vlan-list |...
  • Page 142: Configuring An Interface As A Private Vlan Promiscuous Port

    Command or Action | Purpose
    Step 5  switch(config-if)# no switchport private-vlan host-association
            (Optional) Removes the private VLAN association from the port.
    This example shows how to configure Ethernet port 1/12 as a host port for a private VLAN and associate it to primary VLAN 5 and secondary VLAN 101:
      switch# configure terminal
      switch(config)# interface ethernet 1/12...
  • Page 143: Configuring A Promiscuous Trunk Port

    In a private VLAN domain, promiscuous trunks are part of the primary VLAN. Promiscuous trunk ports can carry multiple primary VLANs. Multiple secondary VLANs under a given primary VLAN can be mapped to a promiscuous trunk port.
  • Page 144: Configuring The Allowed Vlans For Pvlan Trunking Ports

    Configuring a Private VLAN Configuring the Allowed VLANs for PVLAN Trunking Ports Before You Begin Ensure that the private VLAN feature is enabled. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface type Selects the port to configure as a private VLAN isolated trunk port.
  • Page 145: Configuring Native 802.1Q Vlans On Private Vlans

    Command or Action | Purpose
    Step 2  switch(config)# interface type [chassis/]slot/port
            Selects the port to configure as a private VLAN host port. This port can be on a Fabric Extender (identified by the chassis option).
  • Page 146: Verifying Private Vlan Configuration

    Command or Action | Purpose
    Step 4  switch(config-if)# no switchport private-vlan trunk native {vlan vlan-id}
            (Optional) Removes the native VLAN ID from the private VLAN trunk.
    Verifying Private VLAN Configuration
    To display private VLAN configuration information, use the following commands:
    Command | Purpose...
  • Page 147: Configuring Access And Trunk Interfaces

    CHAPTER: Configuring Access and Trunk Interfaces
    Ethernet interfaces can be configured either as access ports or trunk ports. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across the network.
    Note: Cisco NX-OS supports only IEEE 802.1Q-type VLAN trunk encapsulation.
  • Page 148: Understanding Ieee 802.1Q Encapsulation

    The following figure shows how you can use trunk ports in the network. The trunk port carries traffic for two or more VLANs.
    Figure 11: Devices in a Trunking Environment
    In order to correctly deliver the traffic on a trunk port with several VLANs, the device uses the IEEE 802.1Q encapsulation or tagging method.
  • Page 149: Understanding Access Vlans

    To correctly deliver the traffic on a trunk port with several VLANs, the device uses the IEEE 802.1Q encapsulation (tagging) method that uses a tag that is inserted into the frame header. This tag carries information about the specific VLAN to which the frame and packet belong.
  • Page 150: Understanding The Native Vlan Id For Trunk Ports

    A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port, and all untagged traffic is assumed to belong to this VLAN.
  • Page 151: Configuring A Lan Interface As An Ethernet Access Port

    Note: The vlan dot1q tag native command is enabled on global basis.
    Configuring Access and Trunk Interfaces
    Configuring a LAN Interface as an Ethernet Access Port
    You can configure an Ethernet interface as an access port.
  • Page 152: Configuring Trunk Ports

    Before You Begin
    Ensure that you are configuring the correct interface; it must be an interface that is connected to an end station.
    Procedure
    Command or Action | Purpose
    Step 1  switch# configure terminal
            Enters configuration mode.
  • Page 153: Configuring The Native Vlan For 802.1Q Trunking Ports

    This example shows how to set an interface as an Ethernet trunk port:
      switch# configure terminal
      switch(config)# interface ethernet 1/3
      switch(config-if)# switchport mode trunk
    Related Topics
    • Understanding IEEE 802.1Q Encapsulation, page 102
    Configuring the Native VLAN for 802.1Q Trunking Ports
    If you do not configure this parameter, the trunk port uses the default VLAN as the native VLAN ID.
  • Page 154: Configuring Native 802.1Q Vlans

    Command or Action | Purpose
    configurable. By default, all VLANs are allowed on all trunk interfaces.
    Note: You cannot add internally allocated VLANs as allowed VLANs on trunk ports. The system returns a message if you attempt to list an internally allocated VLAN as an allowed VLAN.
  • Page 155: Verifying Interface Configuration

    The following example shows how to enable 802.1Q tagging on the switch:
      switch# configure terminal
      switch(config)# vlan dot1q tag native
      switch(config)# exit
      switch# show vlan dot1q tag native
      vlan dot1q native tag is enabled
    Verifying Interface Configuration
    To display access and trunk interface configuration information, perform one of these tasks:
    Command...
  • Page 157: Configuring Etherchannels

    CHAPTER: Configuring EtherChannels
    This chapter describes how to configure EtherChannels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of EtherChannels in Cisco NX-OS. It contains the following sections: •...
  • Page 158: Compatibility Requirements

    Note: Cisco NX-OS does not support Port Aggregation Protocol (PAgP) for EtherChannels.
    An EtherChannel bundles individual links into a channel group to create a single logical link that provides the aggregate bandwidth of up to 16 physical links. If a member port within an EtherChannel fails, traffic previously carried over the failed link switches to the remaining member ports within the EtherChannel.
  • Page 159: Load Balancing Using Etherchannels

    Use the show port-channel compatibility-parameters command to see the full list of compatibility checks that Cisco NX-OS uses. You can only add interfaces configured with the channel mode set to on to static EtherChannels. You can also only add interfaces configured with the channel mode as active or passive to EtherChannels that are running LACP.
  • Page 160: Understanding Lacp

    Information About EtherChannels Understanding LACP • Source TCP/UDP port number • Source and destination TCP/UDP port number The following table shows the criteria used for each configuration: Table 10: EtherChannel Load-Balancing Criteria Configuration Layer 2 Criteria Layer 3 Criteria Layer 4 Criteria Destination MAC Destination MAC Destination MAC...
  • Page 161: Lacp Id Parameters

    Information About EtherChannels LACP ID Parameters The following figure shows how individual links can be combined into LACP EtherChannels and channel groups as well as function as individual links. Figure 13: Individual Links Combined into an EtherChannel With LACP, you can bundle up to 16 interfaces in a channel group. When you delete the EtherChannel, Cisco NX-OS automatically deletes the associated channel group.
  • Page 162: Channel Modes

    Information About EtherChannels Channel Modes ◦ Port physical characteristics, such as the data rate, the duplex capability, and the point-to-point or shared medium state ◦ Configuration restrictions that you establish Channel Modes Individual interfaces in EtherChannels are configured with channel modes. When you run static EtherChannels, with no protocol, the channel mode is always set to on.
  • Page 163: Lacp Marker Responders

    Configuring EtherChannels LACP Marker Responders • A port in active mode can form an EtherChannel successfully with another port that is in active mode. • A port in active mode can form an EtherChannel with another port in passive mode. •...
  • Page 164: Adding A Port To An Etherchannel

    Configuring EtherChannels Adding a Port to an EtherChannel Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface port-channel channel-number Specifies the port-channel interface to configure, and enters the interface configuration mode. The range is from 1 to 4096.
  • Page 165: Configuring Load Balancing Using Etherchannels

    Configuring EtherChannels Configuring Load Balancing Using EtherChannels This example shows how to add an Ethernet interface 1/4 to channel group 1: switch# configure terminal switch(config)# interface ethernet 1/4 switch(config-if)# switchport mode trunk switch(config-if)# channel-group 1 Related Topics • Enabling LACP, page 120 Configuring Load Balancing Using EtherChannels You can configure the load-balancing algorithm for EtherChannels that applies to the entire device.
  • Page 166: Enabling Lacp

    Configuring EtherChannels Enabling LACP Enabling LACP LACP is disabled by default; you must enable LACP before you begin LACP configuration. You cannot disable LACP while any LACP configuration is present. LACP learns the capabilities of LAN port groups dynamically and informs the other LAN ports. Once LACP identifies correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel.
  • Page 167: Configuring The Lacp System Priority And System Id

    Configuring EtherChannels Configuring the LACP System Priority and System ID Command or Action Purpose Step 4 switch(config-if)# no channel-group number mode Returns the port mode to on for the specified interface. This example shows how to set the LACP-enabled interface to active port-channel mode for Ethernet interface 1/4 in channel group 5: switch# configure terminal switch(config)# interface ethernet 1/4...
  • Page 168: Verifying Etherchannel Configuration

    Verifying EtherChannel Configuration Configuring the LACP Port Priority Command or Action Purpose Step 2 switch(config)# interface type slot/port Specifies the interface to configure, and enters the interface configuration mode. Step 3 switch(config-if)# lacp port-priority Configures the port priority for use with LACP. Valid priority values are 1 through 65535, and higher numbers have lower priority.
  • Page 169: Configuring Virtual Port Channels

    CHAPTER: Configuring Virtual Port Channels. This chapter describes how to configure virtual port channels (vPCs) on Cisco Nexus 5000 Series switches. It contains the following sections: • Information About vPCs, page 123 • vPC Guidelines and Limitations, page 134 •...
  • Page 170 Information About vPCs vPC Overview you to create redundancy by enabling multiple parallel paths between nodes and load balancing traffic where alternative paths exist. Figure 14: vPC Architecture You configure the EtherChannels by using one of the following: • No protocol •...
  • Page 171: Terminology

    Information About vPCs Terminology A vPC provides the following benefits: • Allows a single device to use an EtherChannel across two upstream devices • Eliminates Spanning Tree Protocol (STP) blocked ports • Provides a loop-free topology • Uses all available uplink bandwidth •...
  • Page 172: Supported Vpc Topologies

    Information About vPCs Supported vPC Topologies • EtherChannel host interface—An EtherChannel downlink connection from the Fabric Extender host interface to a server port. Note: In Release 4.1(3)N1(1), an EtherChannel host interface consists of only one host interface and can be configured either as a Link Aggregation Control Protocol (LACP) or non-LACP EtherChannel.
  • Page 173: Dual Homed Fabric Extender Vpc Topology

    Information About vPCs Dual Homed Fabric Extender vPC Topology topology that is shown in the following figure provides the vPC functionality to dual homed servers with 1-Gigabit Ethernet uplink interfaces. Figure 16: Single Homed Fabric Extender vPC Topology The Cisco Nexus 5000 Series switch can support up to 12 configured single homed Fabric Extenders (576 ports) with this topology; however, only 480 dual homed host servers can be configured in vPCs with this configuration.
  • Page 174: Vpc Domain

    Information About vPCs vPC Domain The Cisco Nexus 5000 Series switch can support up to 12 configured dual homed Fabric Extenders with this topology. A maximum of 480 single homed servers can be connected to this configuration. vPC Domain You can use the vPC domain ID to identify the vPC peer links and the ports that are connected to the vPC downstream switches.
  • Page 175: Compatibility Parameters For Vpc Peer Links

    Information About vPCs Compatibility Parameters for vPC Peer Links default VRF, an SVI must be created to act as the source and destination addresses for the vPC peer-keepalive messages. Ensure that both the source and destination IP addresses used for the peer-keepalive messages are unique in your network and these IP addresses are reachable from the VRF associated with the vPC peer-keepalive link.
  • Page 176: Configuration Parameters That Should Be Identical

    Information About vPCs Configuration Parameters That Should Be Identical • STP region configuration for Multiple Spanning Tree (MST) • Enable or disable state per VLAN • STP global settings: ◦ Bridge Assurance setting ◦ Port type setting—We recommend that you set all vPC interfaces as network ports ◦...
  • Page 177: Vpc Peer Links

    Information About vPCs vPC Peer Links link. You must create all VLANs on both the primary and secondary vPC switches, or the VLAN will be suspended. • Private VLAN configuration • All ACL configurations and parameters • Quality of service (QoS) configuration and parameters—Local parameters; global parameters must be identical •...
  • Page 178: Manually Configured Vpc Features

    Information About vPCs Manually Configured vPC Features Note: You must ensure that the two switches connected by the vPC peer link have certain identical operational and configuration parameters. When you configure the vPC peer link, the vPC peer switches negotiate that one of the connected switches is the primary switch and the other connected switch is the secondary switch.
  • Page 179: Vpc Number

    Information About vPCs vPC Number • We recommend that you configure Unidirectional Link Detection (UDLD) on both sides of the vPC peer link. vPC Number Once you have created the vPC domain ID and the vPC peer link, you can create EtherChannels to attach the downstream switch to each vPC peer switch.
  • Page 180: Cfsoe

    vPC Guidelines and Limitations CFSoE You must configure a list of parameters to be identical on the vPC peer switches on both sides of the vPC peer link. STP is distributed; that is, the protocol continues running on both vPC peer switches. However, the configuration on the vPC peer switch elected as the primary switch controls the STP process for the vPC interfaces on the secondary vPC peer switch.
  • Page 181: Configuring Vpcs

    Configuring vPCs Enabling vPCs • Only EtherChannels can be in vPCs. A vPC can be configured on a normal EtherChannel (switch-to-switch vPC topology), on an EtherChannel fabric interface (fabric extender vPC topology), and on an EtherChannel host interface (host interface vPC topology). Note: Refer to the Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide for information about Fabric Extender host and fabric interfaces.
  • Page 182: Creating A Vpc Domain

    Configuring vPCs Creating a vPC Domain Note: When you disable the vPC feature, the Cisco Nexus 5000 Series switch clears all the vPC configurations. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# no feature vpc Disables vPCs on the switch.
  • Page 183: Configuring A Vpc Keepalive Link

    Configuring vPCs Configuring a vPC Keepalive Link Command or Action Purpose Step 4 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. This example shows how to create a vPC domain: switch# configure terminal switch(config)# vpc domain 5 Configuring a vPC Keepalive Link You can configure the destination IP for the peer-keepalive link that carries the keepalive messages.
  • Page 184: Creating A Vpc Peer Link

    Configuring vPCs Creating a vPC Peer Link This example shows how to configure the destination IP address for the vPC-peer-keepalive link: switch# configure terminal switch(config)# vpc domain 5 switch(config-vpc-domain)# peer-keepalive destination 10.10.10.42 Creating a vPC Peer Link You can create a vPC peer link by designating the EtherChannel that you want on each switch as the peer link for the specified vPC domain.
  • Page 185: Creating An Etherchannel Host Interface

    Configuring vPCs Creating an EtherChannel Host Interface This example shows how to check that the required configurations are compatible across all the vPC interfaces: switch# show vpc consistency-parameters global Legend: Type 1 : vPC will be suspended in case of mismatch Name Type Local Value...
  • Page 186: Moving Other Etherchannels Into A Vpc

    Configuring vPCs Moving Other EtherChannels into a vPC Ensure that the connected Fabric Extender is online. You must configure both switches on either side of the vPC peer link with the following procedure. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 187: Manually Configuring A Vpc Domain Mac Address

    Configuring vPCs Manually Configuring a vPC Domain MAC Address Command or Action Purpose Note: A vPC can be configured on a normal EtherChannel (physical vPC topology), on an EtherChannel fabric interface (fabric extender vPC topology), and on an EtherChannel host interface (host interface vPC topology) Step 3 switch(config-if)# vpc number...
  • Page 188: Manually Configuring The System Priority

    Configuring vPCs Manually Configuring the System Priority Command or Action Purpose Step 4 switch# show vpc role (Optional) Displays the vPC system MAC address. Step 5 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. This example shows how to configure a vPC domain MAC address: switch# configure terminal switch(config)# vpc domain 5 switch(config-vpc-domain)# system-mac 23fb.4ab5.4c4e...
  • Page 189: Manually Configuring A Vpc Peer Switch Role

    Configuring vPCs Manually Configuring a vPC Peer Switch Role Command or Action Purpose Step 5 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. This example shows how to configure a vPC peer link: switch# configure terminal switch(config)# vpc domain 5 switch(config-vpc-domain)# system-priority 4000 Manually Configuring a vPC Peer Switch Role...
  • Page 190: Verifying The Vpc Configuration

    Verifying the vPC Configuration Manually Configuring a vPC Peer Switch Role This example shows how to configure a vPC peer link: switch# configure terminal switch(config)# vpc domain 5 switch(config-vpc-domain)# role priority 4000 Verifying the vPC Configuration Use the following commands to display vPC configuration information: Command Purpose switch# show feature...
  • Page 191: Vpc Example Configurations

    vPC Example Configurations Dual Homed Fabric Extender vPC Configuration Example vPC Example Configurations Dual Homed Fabric Extender vPC Configuration Example The following example shows how to configure the dual homed Fabric Extender vPC topology using the management VRF to carry the peer-keepalive messages on switch NX-5000-1 as shown in following figure: Figure 18: vPC Configuration Example Before You Begin Ensure that the Cisco Nexus 2000 Series Fabric Extender NX-2000-100 is attached and online.
  • Page 192: Single Homed Fabric Extender Vpc Configuration Example

    vPC Example Configurations Single Homed Fabric Extender vPC Configuration Example Step 5 Configure the fabric EtherChannel links for the Fabric Extender NX-2000-100. NX-5000-1(config)# interface ethernet 1/20 NX-5000-1(config-if)# channel-group 100 NX-5000-1(config-if)# exit NX-5000-1(config)# interface port-channel 100 NX-5000-1(config-if)# switchport mode fex-fabric NX-5000-1(config-if)# vpc 100 NX-5000-1(config-if)# fex associate 100 NX-5000-1(config-if)# exit Step 6...
  • Page 193 vPC Example Configurations Single Homed Fabric Extender vPC Configuration Example Before You Begin Ensure that the Cisco Nexus 2000 Series Fabric Extenders NX-2000-100 and NX-2000-101 are attached and online. Procedure Step 1 Enable vPC and LACP. NX-5000-1# configure terminal NX-5000-1(config)# feature lacp NX-5000-1(config)# feature vpc Step 2 Enable SVI interfaces, create the VLAN and SVI to be used by the vPC peer-keepalive link.
  • Page 194: Vpc Default Settings

    vPC Default Settings Single Homed Fabric Extender vPC Configuration Example Step 7 Configure a vPC server port on the Fabric Extender NX-2000-100. NX-5000-1(config-if)# interface ethernet 100/1/1 NX-5000-1(config-if)# switchport mode trunk NX-5000-1(config-if)# switchport trunk native vlan 100 NX-5000-1(config-if)# switchport trunk allowed vlan 100-105 NX-5000-1(config-if)# channel-group 600 NX-5000-1(config-if)# no shutdown NX-5000-1(config-if)# exit...
  • Page 195: Configuring Rapid Pvst

    CHAPTER: Configuring Rapid PVST+. Rapid per VLAN Spanning Tree (Rapid PVST+) is an updated implementation of STP that allows you to create one spanning tree topology for each VLAN. Rapid PVST+ is the default Spanning Tree Protocol (STP) mode on the switch.
  • Page 196: Understanding Stp

    Information About Rapid PVST+ Understanding STP Understanding STP STP Overview For an Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
  • Page 197: Bridge Priority Value

    Information About Rapid PVST+ Bridge Priority Value Bridge Priority Value The bridge priority is a 4-bit value when the extended system ID is enabled. Note: In Cisco NX-OS, the extended system ID is always enabled; you cannot disable the extended system Related Topics •...
  • Page 198: Understanding Bpdus

    Information About Rapid PVST+ Understanding BPDUs • 16384 • 20480 • 24576 • 28672 • 32768 • 36864 • 40960 • 45056 • 49152 • 53248 • 57344 • 61440 STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN. Note: If another bridge in the same spanning tree domain does not run the MAC address reduction feature, it could achieve root bridge ownership because its bridge ID may fall between the values specified by the...
  • Page 199: Election Of The Root Bridge

    Information About Rapid PVST+ Election of the Root Bridge • The shortest distance to the root bridge is calculated for each switch based on the path cost. • A designated bridge for each LAN segment is selected. This is the switch closest to the root bridge through which frames are forwarded to the root.
  • Page 200: Understanding Rapid Pvst

    Information About Rapid PVST+ Understanding Rapid PVST+ to a port that has a higher number than the current root port can cause a root-port change. The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a fiber-optic link, and another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port.
  • Page 201 Information About Rapid PVST+ Rapid PVST+ Overview • Point-to-point links—If you connect a port to another port through a point-to-point link and the local port becomes a designated port, it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology.
  • Page 202: Rapid Pvst+ Bpdus

    Information About Rapid PVST+ Rapid PVST+ BPDUs Rapid PVST+ BPDUs Rapid PVST+ and 802.1w use all six bits of the flag byte to add the role and state of the port that originates the BPDU, and the proposal and agreement handshake. The following figure shows the use of the BPDU flags in Rapid PVST+.
  • Page 203: Proposal And Agreement Handshake

    Information About Rapid PVST+ Proposal and Agreement Handshake Proposal and Agreement Handshake As shown in the following figure, switch A is connected to switch B through a point-to-point link, and all of the ports are in the blocking state. Assume that the priority of switch A is a smaller numerical value than the priority of switch B.
  • Page 204: Protocol Timers

    Information About Rapid PVST+ Protocol Timers Related Topics • Summary of Port States, page 161 Protocol Timers The following table describes the protocol timers that affect the Rapid PVST+ performance. Table 15: Rapid PVST+ Protocol Timers Variable Description Hello timer Determines how often each switch broadcasts BPDUs to other switches.
  • Page 205: Port States

    Information About Rapid PVST+ Port States In a stable topology with consistent port roles throughout the network, Rapid PVST+ ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the blocking state. Designated ports start in the blocking state. The port state controls the operation of the forwarding and learning processes.
  • Page 206: Blocking State

    Information About Rapid PVST+ Blocking State When you enable Rapid PVST+, every port in the software, VLAN, and network goes through the blocking state and the transitory states of learning at power up. If properly configured, each LAN port stabilizes to the forwarding or blocking state.
  • Page 207: Disabled State

    Information About Rapid PVST+ Disabled State • Forwards frames switched from another port for forwarding. • Incorporates the end station location information into its address database. • Receives BPDUs and directs them to the system module. • Processes BPDUs received from the system module. •...
  • Page 208: Processing Superior Bpdu Information

    Information About Rapid PVST+ Processing Superior BPDU Information If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the Rapid PVST+ forces it to synchronize with new root information. In general, when the Rapid PVST+ forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
  • Page 209: Detecting Unidirectional Link Failure

    Information About Rapid PVST+ Detecting Unidirectional Link Failure Detecting Unidirectional Link Failure The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops. When a designated port detects a conflict, it keeps its role, but reverts to a discarding state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop.
  • Page 210: Port Priority

    Information About Rapid PVST+ Port Priority You can assign lower cost values to LAN interfaces that you want STP to select first and higher cost values to LAN interfaces that you want STP to select last. If all LAN interfaces have the same cost value, STP puts the LAN interface with the lowest LAN interface number in the forwarding state and blocks other LAN interfaces.
  • Page 211: Rapid Pvst+ Interoperation With 802.1S Mst

    Configuring Rapid PVST+ Rapid PVST+ Interoperation with 802.1s MST This method of operation is required only for 802.1D switches. The 802.1w BPDUs do not have the TCA bit set. • Protocol migration—For backward compatibility with 802.1D switches, 802.1w selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis.
  • Page 212: Enabling Rapid Pvst+ Per Vlan

    Configuring Rapid PVST+ Enabling Rapid PVST+ per VLAN Command or Action Purpose Step 2 switch(config)# spanning-tree mode rapid-pvst Enables Rapid PVST+ on the switch. Rapid PVST+ is the default spanning tree mode. Note: Changing the spanning tree mode disrupts traffic because all spanning tree instances are stopped for the previous mode and started for the new mode.
  • Page 213: Configuring The Root Bridge Id

    Configuring Rapid PVST+ Configuring the Root Bridge ID This example shows how to enable STP on a VLAN: switch# configure terminal switch(config)# spanning-tree vlan 5 Configuring the Root Bridge ID The software maintains a separate instance of STP for each active VLAN in Rapid PVST+. For each VLAN, the switch with the lowest bridge ID becomes the root bridge for that VLAN.
  • Page 214: Configuring A Secondary Root Bridge

    Configuring Rapid PVST+ Configuring a Secondary Root Bridge This example shows how to configure the switch as the root bridge for a VLAN: switch# configure terminal switch(config)# spanning-tree vlan 5 root primary diameter 4 Configuring a Secondary Root Bridge When you configure a software switch as the secondary root, the STP bridge priority is modified from the default value (32768) so that the switch is likely to become the root bridge for the specified VLANs if the primary root bridge fails (assuming the other switches in the network use the default bridge priority of 32768).
  • Page 215: Configuring The Rapid Pvst+ Pathcost Method And Port Cost

    Configuring Rapid PVST+ Configuring the Rapid PVST+ Pathcost Method and Port Cost Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface type slot/port Specifies the interface to configure, and enters interface configuration mode. Step 3 switch(config-if)# spanning-tree...
  • Page 216: Configuring The Rapid Pvst+ Bridge Priority Of A Vlan

    Configuring Rapid PVST+ Configuring the Rapid PVST+ Bridge Priority of a VLAN Command or Action Purpose The default is auto, which sets the port cost on both the pathcost calculation method and the media speed. This example shows how to configure the access port cost of an Ethernet interface: switch# configure terminal switch(config)# spanning-tree pathcost method long switch(config)# interface ethernet 1/4...
  • Page 217: Configuring The Rapid Pvst+ Forward Delay Time For A Vlan

    Configuring Rapid PVST+ Configuring the Rapid PVST+ Forward Delay Time for a VLAN Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# spanning-tree vlan Configures the hello time of a VLAN. The hello time value can be from 1 to 10 seconds.
  • Page 218: Specifying The Link Type

    Verifying Rapid PVST+ Configurations Specifying the Link Type Specifying the Link Type Rapid connectivity (802.1w standard) is established only on point-to-point links. By default, the link type is controlled from the duplex mode of the interface. A full-duplex port is considered to have a point-to-point connection;...
  • Page 219 Verifying Rapid PVST+ Configurations Restarting the Protocol Command Purpose switch# show running-config spanning-tree [all] Displays the current spanning tree configuration. switch# show spanning-tree [options] Displays selected detailed information for the current spanning tree configuration. This example shows how to display spanning tree status: switch# show spanning-tree brief VLAN0001 Spanning tree enabled protocol rstp...
  • Page 221: Configuring Multiple Spanning Tree

    CHAPTER: Configuring Multiple Spanning Tree. Multiple Spanning Tree (MST), which is the IEEE 802.1s standard, allows you to assign two or more VLANs to a spanning tree instance. MST is not the default spanning tree mode; Rapid per VLAN Spanning Tree (Rapid PVST+) is the default mode.
  • Page 222: Mst Regions

    Information About MST MST Regions MST provides rapid convergence through explicit handshaking as each MST instance uses the IEEE 802.1w standard, which eliminates the 802.1D forwarding delay and quickly transitions root bridge ports and designated ports to the forwarding state. MAC address reduction is always enabled while you are using MST.
  • Page 223: Mst Configuration Information

    Information About MST MST Configuration Information that one BPDU that the IST sends. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed to support MSTIs is significantly reduced. Figure 27: MST BPDU with M-Records for MSTIs MST Configuration Information The MST configuration that must be identical on all switches within a single MST region is configured by the user.
  • Page 224: Spanning Tree Operation Within An Mst Region

    Information About MST Spanning Tree Operation Within an MST Region • An IST is the spanning tree that runs in an MST region. MST establishes and maintains additional spanning trees within each MST region; these spanning trees are called multiple spanning tree instances (MSTIs). Instance 0 is a special instance for a region, known as the IST.
  • Page 225: Mst Terminology

    Information About MST MST Terminology The IST connects all the MST switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions.
  • Page 226: Hop Count

    Information About MST Hop Count parameters require the external qualifiers and not the internal or regional qualifiers. The MST terminology is as follows: • The CIST root is the root bridge for the CIST, which is the unique instance that spans the whole network. •...
  • Page 227: Detecting Unidirectional Link Failure

    Information About MST Detecting Unidirectional Link Failure that are internal to a region to share a segment with a port that belongs to a different region, creating the possibility of receiving both internal and external messages on a port (see the following figure). Figure 29: MST Boundary Ports At the boundary, the roles of MST ports do not matter;...
  • Page 228: Port Cost And Port Priority

    Information About MST Port Cost and Port Priority Port Cost and Port Priority Spanning tree uses port costs to break a tie for the designated port. Lower values indicate lower port costs, and spanning tree chooses the least costly path. Default port costs are taken from the bandwidth of the interface, as follows: •...
  • Page 229: Interoperability With Rapid Pvst+: Understanding Pvst Simulation

    Configuring MST Interoperability with Rapid PVST+: Understanding PVST Simulation Interoperability with Rapid PVST+: Understanding PVST Simulation MST interoperates with Rapid PVST+ with no need for user configuration. The PVST simulation feature enables this seamless interoperability. Note PVST simulation is enabled by default. That is, by default, all interfaces on the switch interoperate between MST and Rapid PVST+.
  • Page 230: Entering Mst Configuration Mode

    Configuring MST Entering MST Configuration Mode Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# spanning-tree mode mst Enables MST on the switch. Step 3 switch(config)# no spanning-tree mode mst (Optional) Disables MST on the switch and returns you to Rapid PVST+.
  • Page 231: Specifying The Mst Name

    Configuring MST Specifying the MST Name Command or Action Purpose Step 3 switch(config-mst)# exit or switch(config-mst)# abort • The first form commits all the changes and exits MST configuration mode. • The second form exits the MST configuration mode without committing any of the changes. Step 4 switch(config)# no (Optional)
  • Page 232: Specifying The Configuration On An Mst Region

    Configuring MST Specifying the Configuration on an MST Region Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# spanning-tree mst configuration Enters MST configuration submode. Step 3 switch(config-mst)# revision version Specifies the revision number for the MST region. The range is from 0 to 65535, and the default value is 0.
  • Page 233: Mapping And Unmapping Vlans To Mst Instances

    Configuring MST Mapping and Unmapping VLANs to MST Instances Command or Action Purpose Step 4 switch(config-mst)# name name Specifies the instance name. The name string has a maximum length of 32 characters and is case sensitive. Step 5 switch(config-mst)# revision Specifies the configuration revision number.
  • Page 234: Mapping Secondary Vlans To Same Msti As Primary Vlans For Private Vlans

    Configuring MST Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# spanning-tree mst configuration Enters MST configuration submode. Step 3 switch(config-mst)# instance instance-id vlan vlan-range Maps VLANs to an MST instance, as follows: •...
  • Page 235: Configuring The Root Bridge

    Configuring MST Configuring the Root Bridge This example shows how to automatically map all the secondary VLANs to the same MSTI as their associated primary VLANs in all private VLANs: switch# configure terminal switch(config)# spanning-tree mst configuration switch(config-mst)# private-vlan synchronize Configuring the Root Bridge You can configure the switch to become the root bridge.
  • Page 236: Configuring The Port Priority

    Configuring MST Configuring a Secondary Root Bridge This example shows how to configure the switch as the root switch for MSTI 5: switch# configure terminal switch(config)# spanning-tree mst 5 root primary Configuring a Secondary Root Bridge You can execute this command on more than one switch to configure multiple backup root bridges. Enter the same network diameter and hello-time values that you used when you configured the primary root bridge with the spanning-tree mst root primary configuration command.
  • Page 237: Configuring The Port Cost

    Configuring MST Configuring the Port Cost Command or Action Purpose Step 2 switch(config)# interface {{type slot/port} | {port-channel number}} Specifies an interface to configure, and enters interface configuration mode. Step 3 switch(config-if)# spanning-tree mst instance-id port-priority Configures the port priority as follows: •...
  • Page 238: Configuring The Switch Priority

    Configuring MST Configuring the Switch Priority Command or Action Purpose • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is from 1 to 4094.
  • Page 239: Configuring The Hello Time

    Configuring MST Configuring the Hello Time Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root bridge for all instances on the switch by changing the hello time. Note Exercise care when using this command. For most situations, we recommend that you enter the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary configuration commands to modify the hello time.
  • Page 240: Configuring The Maximum-Aging Time

    Configuring MST Configuring the Maximum-Aging Time Configuring the Maximum-Aging Time The maximum-aging timer is the number of seconds that a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration. You set the maximum-aging timer for all MST instances on the switch with one command (the maximum age time only applies to the IST).
  • Page 241: Configuring Pvst Simulation Per Port

    Procedure
    Step 1: switch# configure terminal
      Enters configuration mode.
    Step 2: switch(config)# no spanning-tree mst simulate pvst global
      Disables all interfaces on the switch from automatically interoperating with a connected switch that is running in Rapid PVST+ mode.
  • Page 242: Restarting The Protocol

    This example shows how to prevent the specified interfaces from automatically interoperating with a connecting switch that is not running MST:
      switch# configure terminal
      switch(config)# interface ethernet 1/4
      switch(config-if)# spanning-tree mst simulate pvst disable
    Specifying the Link Type
    Rapid connectivity (802.1w standard) is established only on point-to-point links.
  • Page 243: Verifying Mst Configurations

    This example shows how to restart MST on the Ethernet interface on slot 2, port 8:
      switch# clear spanning-tree detected-protocol interface ethernet 2/8
    Verifying MST Configurations
    To display MST configuration information, perform one of the following tasks:
      switch# show running-config spanning-tree [all]
    ...
  • Page 245: Configuring Stp Extensions

    CHAPTER: Configuring STP Extensions
    This chapter describes the configuration of extensions to the Spanning Tree Protocol (STP) on Cisco Nexus 5000 Series switches. It includes the following sections:
    • About STP Extensions, page 199
    About STP Extensions
    Cisco has added extensions to STP that make convergence more efficient.
  • Page 246: Spanning Tree Network Ports

    Note: If you configure a port connected to another switch as an edge port, you might create a bridging loop.
    Spanning Tree Network Ports
    Network ports are connected only to switches or bridges. Bridge Assurance is enabled only on network ports.
    Note: If you mistakenly configure ports that are connected to hosts or other edge devices as spanning tree network ports, those ports will automatically move into the blocking state.
  • Page 247: Understanding Bpdu Filtering

    Note: When enabled globally, BPDU Guard applies to all operational spanning tree edge interfaces.
    Understanding BPDU Filtering
    You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on specified ports. When configured globally, BPDU Filtering applies to all operational spanning tree edge ports.
  • Page 248: Understanding Loop Guard

    About STP Extensions Understanding Loop Guard Understanding Loop Guard Loop Guard protects networks from loops that are caused by the following: • Network interfaces that malfunction • Busy CPUs • Anything that prevents the normal forwarding of BPDUs An STP loop occurs when a blocking port in a redundant topology erroneously transitions to the forwarding state.
  • Page 249: Stp Extensions Configuration Guidelines

    About STP Extensions Configuring STP Extensions Configuring STP Extensions STP Extensions Configuration Guidelines When configuring STP extensions, follow these guidelines: • Configure all access and trunk ports connected to hosts as edge ports. • Bridge Assurance runs only on point-to-point spanning tree network ports. You must configure each side of the link for this feature.
  • Page 250: Configuring Spanning Tree Edge Ports On Specified Interfaces

    Note: If you configure interfaces connected to hosts as network ports, those ports automatically move into the blocking state.
    This example shows how to configure all access and trunk ports connected to hosts as spanning tree edge ports:
      switch# configure terminal
      switch(config)# spanning-tree port type edge default
    ...
  • Page 251: Configuring Spanning Tree Network Ports On Specified Interfaces

    About STP Extensions Configuring Spanning Tree Network Ports on Specified Interfaces Command or Action Purpose Step 2 switch(config)# interface type Specifies the interface to configure, and enters the interface slot/port configuration mode. Step 3 switch(config-if)# spanning-tree Configures the specified access interfaces to be spanning edge ports.
  • Page 252: Enabling Bpdu Guard Globally

    Step 3: switch(config-if)# spanning-tree port type network
      Configures the specified interfaces to be spanning network ports. If you enable Bridge Assurance, it automatically runs on network ports. By default, spanning tree ports are normal port types.
  • Page 253: Enabling Bpdu Filtering Globally

    About STP Extensions Enabling BPDU Filtering Globally • no spanning-tree bpduguard—Enables BPDU Guard on the interface if it is an operational edge port and if the spanning-tree port type edge bpduguard default command is configured. Before You Begin Ensure that STP is configured. Procedure Command or Action Purpose...
  • Page 254: Enabling Bpdu Filtering On Specified Interfaces

    Ensure that you have configured some spanning tree edge ports.
    Procedure
    Step 1: switch# configure terminal
      Enters configuration mode.
    Step 2: switch(config)# spanning-tree port type edge bpdufilter default
      Enables BPDU Filtering by default on all operational spanning tree edge ports.
  • Page 255: Enabling Loop Guard Globally

    Step 2: switch(config)# interface type slot/port
      Specifies the interface to configure, and enters the interface configuration mode.
    Step 3: switch(config-if)# spanning-tree bpdufilter {enable | disable}
      Enables or disables BPDU Filtering for the specified spanning tree edge interface.
  • Page 256: Enabling Loop Guard Or Root Guard On Specified Interfaces

    About STP Extensions Enabling Loop Guard or Root Guard on Specified Interfaces Enabling Loop Guard or Root Guard on Specified Interfaces You can enable either Loop Guard or Root Guard on specified interfaces. Enabling Root Guard on a port means that port cannot become a root port, and Loop Guard prevents alternate or root ports from becoming the designated port because of a failure that could lead to a unidirectional link.
  • Page 257: Configuring The Mac Address Table

    CHAPTER: Configuring the MAC Address Table
    All Ethernet interfaces on Cisco Nexus 5000 Series switches maintain media access control (MAC) address tables. This chapter describes the configuration of the MAC address tables. It includes the following sections:
    •...
  • Page 258: Configuring The Aging Time For The Mac Table

    Configuring MAC Addresses Configuring the Aging Time for the MAC Table You can also configure a static MAC address in interface configuration mode or VLAN configuration Note mode. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config-)# mac-address-table static Specifies a static address to add to the MAC...
  • Page 259: Clearing Dynamic Addresses From The Mac Table

    This example shows how to set the aging time for entries in the MAC address table to 600 seconds (10 minutes):
      switch# configure terminal
      switch(config)# mac-address-table aging-time 600
    Clearing Dynamic Addresses from the MAC Table
    You can clear all dynamic entries in the MAC address table.
  • Page 261: Configuring Igmp Snooping

    CHAPTER: Configuring IGMP Snooping
    Internet Group Management Protocol (IGMP) snooping streamlines multicast traffic handling for VLANs. By examining (snooping) IGMP membership report messages from interested hosts, multicast traffic is limited to the subset of VLAN interfaces on which the hosts reside. This chapter describes the configuration of IGMP snooping on Cisco Nexus 5000 Series switches.
  • Page 262: Igmpv1 And Igmpv2

    Information About IGMP Snooping IGMPv1 and IGMPv2 The following figure shows an IGMP snooping switch that is located between the host and the IGMP router. The IGMP snooping switch snoops the IGMP membership reports and leave messages and forwards them only when necessary to the connected IGMP routers.
  • Page 263: Igmpv3

    Information About IGMP Snooping IGMPv3 IGMPv3 The IGMPv3 snooping implementation on the switch forwards IGMPv3 reports to allow the upstream multicast router to do source-based filtering. By default, the software tracks hosts on each VLAN port. The explicit tracking feature provides a fast leave mechanism.
  • Page 264: Configuring Igmp Snooping Parameters

    Configuring IGMP Snooping Parameters IGMP Forwarding Configuring IGMP Snooping Parameters To manage the operation of the IGMP snooping process, you can configure the optional IGMP snooping parameters described in the following table. Table 19: IGMP Snooping Parameters Parameter Description IGMP snooping Enables IGMP snooping on a per-VLAN basis.
  • Page 265 Configuring IGMP Snooping Parameters IGMP Forwarding Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# ip igmp snooping Globally enables IGMP snooping. The default is enabled. If the global setting is disabled, then all VLANs Note are treated as disabled, whether they are enabled or not.
  • Page 266: Verifying Igmp Snooping Configuration

    The following example shows configuring IGMP snooping parameters for a VLAN:
      switch# configure terminal
      switch(config)# vlan 5
      switch(config-vlan)# ip igmp snooping last-member-query-interval 3
      switch(config-vlan)# ip igmp snooping querier 172.20.52.106
      switch(config-vlan)# ip igmp snooping explicit-tracking
      switch(config-vlan)# ip igmp snooping fast-leave
      switch(config-vlan)# ip igmp snooping report-suppression
      switch(config-vlan)# ip igmp snooping mrouter interface ethernet 1/10
    ...
  • Page 267: Configuring Traffic Storm Control

    CHAPTER: Configuring Traffic Storm Control
    This chapter describes how to configure traffic storm control on Cisco Nexus 5000 Series switches. It contains the following sections:
    • Information About Traffic Storm Control, page 221
    • Traffic Storm Guidelines and Limitations, page 222
    •...
  • Page 268: Traffic Storm Guidelines And Limitations

    Traffic Storm Guidelines and Limitations The following figure shows the broadcast traffic patterns on an Ethernet interface during a specified time interval. In this example, traffic storm control occurs between times T1 and T2 and between T4 and T5. During those intervals, the amount of broadcast traffic exceeded the configured threshold.
  • Page 269: Verifying Traffic Storm Control Configuration

    Configuring Traffic Storm Control Verifying Traffic Storm Control Configuration • Specify the level as a percentage of the total interface bandwidth: ◦ The level can be from 0 to 100. ◦ The optional fraction of a level can be from 0 to 99. ◦...
  • Page 270: Traffic Storm Control Example Configuration

    Verifying Traffic Storm Control Configuration
      switch# show running-config interface
        Displays the traffic storm control configuration.
    Traffic Storm Control Example Configuration
    The following example shows how to configure traffic storm control:
      switch# configure terminal
      switch(config)# interface ethernet 1/4
      switch(config-if)# storm-control broadcast level 40
      switch(config-if)# storm-control multicast level 40
    ...
  • Page 271: Switch Security Features

    PART: Switch Security Features
    • Configuring Authentication, Authorization, and Accounting, page 227
    • Configuring RADIUS, page 241
    • Configuring TACACS+, page 255
    • Configuring SSH and Telnet, page 269
    • Configuring Access Control Lists, page 279...
  • Page 273: Configuring Authentication, Authorization, And Accounting

    CHAPTER: Configuring Authentication, Authorization, and Accounting
    This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco Nexus 5000 Series switches. It contains the following sections:
    • Information About AAA, page 227
    •...
  • Page 274: Benefits Of Using Aaa

    Information About AAA Benefits of Using AAA • Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and encryption, depending on the security protocol that you select. Authentication is the process of verifying the identity of the person or device accessing the Cisco Nexus 5000 Series switches.
  • Page 275: Aaa Server Groups

    Information About AAA AAA Server Groups AAA Server Groups You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond.
  • Page 276: Authentication And Authorization Process For User Login

    Table 22: AAA Authentication Methods for AAA Services
      AAA Service                           AAA Methods
      Console login authentication          Server groups, local, and none
      User login authentication             Server groups, local, and none
      User management session accounting    Server groups and local
    Note: For console login authentication, user login authentication, and user management session accounting, the...
  • Page 277: Prerequisites For Remote Aaa

    Prerequisites for Remote AAA Authentication and Authorization Process for User Login • If your username and password are successfully authenticated locally, the Cisco Nexus 5000 Series switch logs you in and assigns you the roles configured in the local database. Figure 33: Authorization and Authentication Flow for User Login Note "No more server groups left"...
  • Page 278: Information About Aaa Guidelines And Limitations

    Information about AAA Guidelines and Limitations Configuring Console Login Authentication Methods • The preshared secret key is configured on the Cisco Nexus 5000 Series switch and on the remote AAA servers. • The remote server responds to AAA requests from the Cisco Nexus 5000 Series switch. Related Topics •...
  • Page 279: Configuring Default Login Authentication Methods

    Configuring AAA Configuring Default Login Authentication Methods Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# aaa Configures login authentication methods for the console. authentication login console The group-list argument consists of a space-delimited list of {group group-list [none] | local group names.
  • Page 280: Enabling Login Authentication Failure Messages

    Configuring AAA Enabling Login Authentication Failure Messages Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# aaa Configures the default authentication methods. authentication login default The group-list argument consists of a space-delimited list of {group group-list [none] | local group names.
  • Page 281: Enabling Mschap Authentication

    Step 5: switch# copy running-config startup-config
      (Optional) Copies the running configuration to the startup configuration.
    Enabling MSCHAP Authentication
    Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+).
  • Page 282: Configuring Aaa Accounting Default Methods

    Step 4: switch# show aaa authentication login mschap
      (Optional) Displays the MS-CHAP configuration.
    Step 5: switch# copy running-config startup-config
      (Optional) Copies the running configuration to the startup configuration.
    Related Topics
    •...
  • Page 283: Using Aaa Server Vsas

    Configuring AAA Using AAA Server VSAs Command or Action Purpose • named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting. The local method uses the local database for accounting. The default method is local, which is used when no server groups are configured or when all the configured server groups do not respond.
  • Page 284: Specifying Switch User Roles And Snmpv3 Parameters On Aaa Servers

    Displaying and Clearing the Local AAA Accounting Log Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers • accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
  • Page 285: Example Aaa Configuration

    Procedure
    Step 1: show aaa accounting
      Displays AAA accounting configuration.
    Step 2: show aaa authentication [login {error-enable | mschap}]
      Displays AAA authentication information.
    Step 3: show aaa groups
      Displays the AAA server group configuration.
  • Page 287: Configuring Radius

    CHAPTER: Configuring RADIUS
    This chapter contains the following sections:
    • Configuring RADIUS, page 241
    Configuring RADIUS
    Information About RADIUS
    The Remote Access Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco Nexus 5000 Series switches and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.
  • Page 288: Radius Operation

    Configuring RADIUS RADIUS Operation • Networks that support authentication profiles. Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles enable the Nexus 5000 Series switch to better manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements.
  • Page 289: Vendor-Specific Attributes

    a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place.
    Figure 34: RADIUS Server States
    The monitoring intervals for alive servers and dead servers are different and can be configured by the user.
  • Page 290: Prerequisites For Radius

    Configuring RADIUS Prerequisites for RADIUS • roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. • accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol.
  • Page 291: Configuring Radius Server Hosts

    Configuring RADIUS Configuring RADIUS Server Hosts Configuring RADIUS Server Hosts You must configure the IPv4 or IPv6 address or the host name for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers.
  • Page 292: Configuring Radius Server Preshared Keys

    Step 4: switch# show radius-server
      (Optional) Displays the RADIUS server configuration.
      Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
  • Page 293: Configuring Radius Server Groups

    The following example shows how to configure a preshared key for a RADIUS server:
      switch# configure terminal
      switch(config)# radius-server host 10.10.1.1 key 0 PlIjUhYg
      switch(config)# exit
      switch# show radius-server
      switch# copy running-config startup-config
    Configuring RADIUS Server Groups
    You can specify one or more remote AAA servers for authentication using server groups.
  • Page 294: Allowing Users To Specify A Radius Server At Login

    The following example shows how to configure a RADIUS server group:
      switch# configure terminal
      switch(config)# aaa group server radius RadServer
      switch(config-radius)# server 10.10.1.1
      switch(config-radius)# deadtime 30
      switch(config-radius)# use-vrf management
      switch(config-radius)# exit
      switch(config)# show radius-server group
      switch(config)# copy running-config startup-config
    ...
  • Page 295: Server

    Step 3: switch(config)# radius-server timeout seconds
      Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
    Step 4: switch(config)# exit
      Exits configuration mode.
  • Page 296: Configuring Accounting And Authentication Attributes For Radius Servers

    The following example shows how to configure RADIUS transmission retry count and timeout interval for a server:
      switch# configure terminal
      switch(config)# radius-server host server1 retransmit 3
      switch(config)# radius-server host server1 timeout 10
      switch(config)# exit
      switch# show radius-server
      switch# copy running-config startup-config
    ...
  • Page 297: Configuring Periodic Radius Server Monitoring

    The following example shows how to configure the accounting and authentication attributes for a RADIUS server:
      switch# configure terminal
      switch(config)# radius-server host 10.10.1.1 acct-port 2004
      switch(config)# radius-server host 10.10.1.1 accounting
      switch(config)# radius-server host 10.10.2.2 auth-port 2005
      switch(config)# radius-server host 10.10.2.2 authentication
      switch(config)# exit
      switch# show radius-server
    ...
  • Page 298: Configuring The Dead-Time Interval

    Step 6: switch# copy running-config startup-config
      (Optional) Copies the running configuration to the startup configuration.
    To configure periodic RADIUS server monitoring, perform this task:
      switch# configure terminal
      switch(config)# radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time
      switch(config)# radius-server deadtime 5
      switch(config)# exit
      switch# show radius-server
    ...
  • Page 299: Verifying Radius Configuration

    Procedure
    Step 1: switch# test aaa server radius {ipv4-address | ipv6-address | server-name} [vrf vrf-name] username password
      Sends a test message to a RADIUS server to confirm availability.
    Step 2: switch# test aaa group group-name username password
      Sends a test message to a RADIUS server group to confirm availability.
  • Page 300: Example Radius Configuration

    Example RADIUS Configuration
    The following example shows how to configure RADIUS:
      switch# configure terminal
      switch(config)# radius-server key 7 "ToIkLhPpG"
      switch(config)# radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting
      switch(config)# aaa group server radius RadServer
      switch(config-radius)# server 10.10.1.1
      switch(config-radius)# use-vrf management
      switch(config-radius)# exit
    Default RADIUS Settings...
  • Page 301: Configuring Tacacs

    CHAPTER: Configuring TACACS+
    This chapter contains the following sections:
    • About Configuring TACACS+, page 255
    About Configuring TACACS+
    Information About TACACS+
    The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch.
  • Page 302: User Login With Tacacs

    About Configuring TACACS+ User Login with TACACS+ User Login with TACACS+ When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus 5000 Series switch using TACACS+, the following actions occur: 1 When the Cisco Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
  • Page 303: Tacacs+ Server Monitoring

    About Configuring TACACS+ TACACS+ Server Monitoring TACACS+ Server Monitoring An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus 5000 Series switch can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests.
  • Page 304: Tacacs+ Server Configuration Process

    About Configuring TACACS+ Configuring TACACS+ • You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch. Configuring TACACS+ TACACS+ Server Configuration Process To configure TACACS+ servers, perform this task: Procedure Step 1 Enable TACACS+. Step 2 Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.
  • Page 305: Configuring Tacacs+ Server Hosts

    About Configuring TACACS+ Configuring TACACS+ Server Hosts Configuring TACACS+ Server Hosts To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers.
  • Page 306: Configuring Tacacs+ Server Preshared Keys

    Step 2: switch(config)# tacacs-server key [0 | 7] key-value
      Specifies a preshared key for all TACACS+ servers. You can specify a clear text (0) or encrypted (7) preshared key.
  • Page 307: Configuring Tacacs+ Server Groups

    Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
    Step 5: switch# copy running-config startup-config
      (Optional) Copies the running configuration to the startup...
  • Page 308: Specifying A Tacacs+ Server At Login

    Step 6: switch(config)# show tacacs-server groups
      (Optional) Displays the TACACS+ server group configuration.
    Step 7: switch(config)# copy running-config startup-config
      (Optional) Copies the running configuration to the startup configuration.
  • Page 309: Configuring The Timeout Interval For A Server

    To specify a TACACS+ global timeout interval, perform this task:
    Procedure
    Step 1: switch# configure terminal
      Enters configuration mode.
    Step 2: switch(config)# tacacs-server timeout seconds
      Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
  • Page 310: Configuring Periodic Tacacs+ Server Monitoring

    About Configuring TACACS+ Configuring Periodic TACACS+ Server Monitoring To configure TCP ports, perform this task: Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# tacacs-server host Specifies the UDP port to use for TACACS+ {ipv4-address | ipv6-address | host-name} accounting messages. The default TCP port is 49.
  • Page 311: Configuring The Dead-Time Interval

    About Configuring TACACS+ Configuring the Dead-Time Interval Command or Action Purpose Step 2 switch(config)# tacacs-server host Specifies parameters for server monitoring. The default {ipv4-address | ipv6-address | username is test and the default password is test. The host-name} test {idle-time minutes | default value for the idle timer is 0 minutes and the password password [idle-time minutes] valid range is 0 to 1440 minutes.
  • Page 312: Manually Monitoring Tacacs+ Servers Or Groups

    Step 3: switch(config)# exit
      Exits configuration mode.
    Step 4: switch# show tacacs-server
      (Optional) Displays the TACACS+ server configuration.
    Step 5: switch# copy running-config startup-config
      (Optional) Copies the running configuration to the startup configuration.
  • Page 313: Displaying Tacacs+ Statistics

    Displaying TACACS+ Statistics
    To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:
    Procedure
    Step 1: switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
      Displays the TACACS+ statistics.
    For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference.
  • Page 314

    Default TACACS+ Settings
    Table 26: Default TACACS+ Parameters
      Parameters                              Default
      TACACS+                                 Disabled
      Dead timer interval                     0 minutes
      Timeout interval                        5 seconds
      Idle timer interval                     0 minutes
      Periodic server monitoring username     test
      Periodic server monitoring password     test
  • Page 315: Configuring Ssh And Telnet

    CHAPTER: Configuring SSH and Telnet
    This chapter contains the following sections:
    • Configuring SSH and Telnet, page 269
    Configuring SSH and Telnet
    Information About SSH and Telnet
    SSH Server
    The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus 5000 Series switch.
  • Page 316: Telnet Server

    Configuring SSH and Telnet Telnet Server Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts three types of key-pairs for use by SSH version 2: •...
  • Page 317: Specifying The Ssh Public Keys For User Accounts

    Configuring SSH and Telnet Specifying the SSH Public Keys for User Accounts Command or Action Purpose Step 3 switch(config)# exit Exits global configuration mode. Step 4 switch# show ssh key (Optional) Displays the SSH server keys. Step 5 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup...
  • Page 318: Specifying The Ssh Public Keys In Ietf Secsh Format

    Configuring SSH and Telnet Specifying the SSH Public Keys in IETF SECSH Format The following example shows how to specify an SSH public key in OpenSSH format: switch# configure terminal switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc= switch(config)# exit switch# show user-account switch# copy running-config startup-config The username command example above is a single line that has been broken for legibility.
  • Page 319: Starting Ssh Sessions To Remote Devices

    Configuring SSH and Telnet Starting SSH Sessions to Remote Devices Procedure Command or Action Purpose Step 1 switch# copy server-file bootflash: filename Downloads the file containing the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP. Step 2 switch# configure terminal Enters configuration mode.
  • Page 320: Deleting Ssh Server Keys

    Configuring SSH and Telnet Deleting SSH Server Keys To disable the SSH server to prevent SSH access to the switch, perform this task: Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# no feature ssh Disables the SSH server.
  • Page 321: Ssh Example Configuration

    Configuring SSH and Telnet SSH Example Configuration Procedure Command or Action Purpose Step 1 switch# show users Displays user session information. Step 2 switch# clear line vty-line Clears a user SSH session. SSH Example Configuration The following example shows how to configure SSH: Procedure Step 1 Generate an SSH server key.
  • Page 322: Configuring Telnet

    Configuring SSH and Telnet Configuring Telnet Configuring Telnet Enabling the Telnet Server By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 5000 Series switch. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 323: Clearing Telnet Sessions

    Configuring SSH and Telnet Clearing Telnet Sessions The following example shows starting a Telnet session to connect to a remote device: switch# telnet 10.10.1.1 Trying 10.10.1.1... Connected to 10.10.1.1. Escape character is '^]'. switch login: Clearing Telnet Sessions To clear Telnet sessions from the Cisco Nexus 5000 Series switch, perform this task: Procedure Command or Action Purpose...
  • Page 325: Configuring Access Control Lists

    CHAPTER Configuring Access Control Lists This chapter contains the following sections: • Information About ACLs, page 279 • Configuring IP ACLs, page 283 • Configuring MAC ACLs, page 287 • Example Configuration for MAC ACLs, page 291 •...
  • Page 326: Application Order

    Information About ACLs Application Order Table 28: Security ACL Applications (columns: Application, Supported Interfaces, Types of ACLs Supported). Port ACL: types of ACLs supported are IPv4 ACLs, IPv6 ACLs, and MAC ACLs. An ACL is considered a port ACL when you apply it to one of the following: •...
  • Page 327: Additional Filtering Options

    Information About ACLs Additional Filtering Options All IPv4 ACLs include the following implicit rule: deny ip any any This implicit rule ensures that the switch denies unmatched IP traffic. Additional Filtering Options You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options: •...
  • Page 328: Logical Operators And Logical Operation Units

    Information About ACLs Logical Operators and Logical Operation Units • Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
  • Page 329: Configuring Ip Acls

    Configuring IP ACLs Creating an IP ACL Configuring IP ACLs Creating an IP ACL You can create an IPv4 or IPv6 ACL on the switch and add rules to it. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 330: Removing An Ip Acl

    Configuring IP ACLs Removing an IP ACL Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# {ip | ipv6} access-list name Enters IP ACL configuration mode for the ACL that you specify by name. Step 3 switch(config-acl)# Creates a rule in the IP ACL.
  • Page 331: Changing Sequence Numbers In An Ip Acl

    Configuring IP ACLs Changing Sequence Numbers in an IP ACL Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# no {ip | ipv6} access-list Removes the IP ACL that you specified by name from the running configuration.
  • Page 332: Verifying Ip Acl Configurations

    Configuring IP ACLs Verifying IP ACL Configurations Note: Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface {ethernet Enters interface configuration mode for the [chassis/]slot/port | port-channel...
  • Page 333: Configuring Mac Acls

    Configuring MAC ACLs Creating a MAC ACL Note: The mac access-list is applicable to non-IPv4 and non-IPv6 traffic only. Procedure Command or Action Purpose Step 1 switch# show {ip | ipv6} access-lists name Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists and show ipv6 access-list command output includes the...
  • Page 334: Changing A Mac Acl

    Configuring MAC ACLs Changing a MAC ACL The following example shows how to create a MAC ACL and add rules to it: switch# configure terminal switch(config)# mac access-list acl-mac-01 switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any switch(config-mac-acl)# statistics Changing a MAC ACL In an existing MAC ACL, you can add and remove rules.
  • Page 335: Removing A Mac Acl

    Configuring MAC ACLs Removing a MAC ACL The following example shows how to change a MAC ACL: switch# configure terminal switch(config)# mac access-list acl-mac-01 switch(config-mac-acl)# 100 permit mac 00c0.4f00.0000 0000.00ff.ffff any switch(config-mac-acl)# statistics Removing a MAC ACL You can remove a MAC ACL from the switch. Be sure that you know whether the ACL is applied to an interface.
  • Page 336: Applying A Mac Acl As A Port Acl

    Configuring MAC ACLs Applying a MAC ACL as a Port ACL Command or Action Purpose Step 4 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. Related Topics • Rules, page 280 Applying a MAC ACL as a Port ACL You can apply a MAC ACL as a port ACL to any of the following interface types: •...
  • Page 337: Displaying And Clearing Mac Acl Statistics

    Example Configuration for MAC ACLs Displaying and Clearing MAC ACL Statistics Procedure Command or Action Purpose Step 1 switch# show mac access-lists Displays the MAC ACL configuration. Step 2 switch# show running-config Displays ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to. Step 3 switch# show running-config Displays the configuration of the interface to which...
  • Page 338: Vacls And Actions

    Configuring VACLs VACLs and Actions VACLs and Actions In access map configuration mode, you use the action command to specify one of the following actions: • Forward—Sends the traffic to the destination determined by normal operation of the switch. • Drop—Drops the traffic. Statistics The switch can maintain global statistics for each rule in a VACL.
  • Page 339: Removing A Vacl

    Configuring VACLs Removing a VACL Command or Action Purpose The no option stops the switch from maintaining global statistics for the VACL. Step 7 switch(config-access-map)# show running-config (Optional) Displays ACL configuration. Step 8 switch(config-access-map)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
  • Page 340: Verifying Vacl Configuration

    Configuring VACLs Verifying VACL Configuration Command or Action Purpose Step 3 switch(config)# show running-config (Optional) Displays ACL configuration. Step 4 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. Verifying VACL Configuration To display VACL configuration information, perform one of the following tasks: Procedure Command or Action Purpose...
  • Page 341: Example Configuration For Vacl

    Example Configuration for VACL Displaying and Clearing VACL Statistics Example Configuration for VACL This example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82: switch# configure terminal switch(config)# vlan access-map acl-ip-map switch(config-access-map)# match ip address acl-ip-01...
  • Page 343: System Management

    PART System Management • Using Cisco Fabric Services, page 299 • Configuring User Accounts and RBAC, page 315 • Configuring Session Manager, page 325 • Configuring Online Diagnostics, page 329 • Configuring System Message Logging, page 335 •...
  • Page 345: Using Cisco Fabric Services

    CHAPTER Using Cisco Fabric Services This chapter contains the following sections: • Using Cisco Fabric Services, page 299 Using Cisco Fabric Services Cisco Nexus 5000 Series switches provide Cisco Fabric Services (CFS) capability, which simplifies provisioning by automatically distributing configuration information to all switches in the network.
  • Page 346: Cfs Distribution

    Using Cisco Fabric Services CFS Distribution ◦ Unrestricted uncoordinated distributions: Multiple parallel distributions are allowed in the network in the presence of an existing coordinated distribution. Unrestricted uncoordinated distributions are allowed to run in parallel with all other types of distributions. The following features are supported for CFS distribution over IP: •...
  • Page 347: Unrestricted Uncoordinated Distributions

    Using Cisco Fabric Services Unrestricted Uncoordinated Distributions Coordinated distribution has two variants: • CFS driven—The stages are executed by CFS in response to a feature request without intervention from the feature. • Feature driven—The stages are under the complete control of the feature. Coordinated distributions are used to distribute information that can be manipulated and distributed from multiple switches, for example, the port security configuration.
  • Page 348 Using Cisco Fabric Services CFS Distribution over IP Note: The switch attempts to distribute information over Fibre Channel first and then over the IP network if the first attempt over Fibre Channel fails. CFS does not send duplicate messages if distribution over both IP and Fibre Channel is enabled.
  • Page 349: Cfs Distribution Over Fibre Channel

    Using Cisco Fabric Services CFS Distribution over Fibre Channel The following figure (Network Example 3) is the same as the previous figure except that node D and node E are connected using IP. Both node C and node D forward the event to E because node E is not in the distribution list from node B.
  • Page 350: Cfs Support For Applications

    Using Cisco Fabric Services CFS Support for Applications CFS supports a protocol that reduces the number of merges required to one by handling the complexity of the merge at the CFS layer. This protocol runs per application per scope. The protocol involves selecting one switch in a fabric as the merge manager for that fabric.
  • Page 351: Locking The Network

    Using Cisco Fabric Services Locking the Network Note: The show cfs application command only displays applications registered with CFS. Conditional services that use CFS do not appear in the output unless these services are running. switch# show cfs application ---------------------------------------------- Application Enabled Scope...
  • Page 352: Committing Changes

    Using Cisco Fabric Services Committing Changes Application: port-security Scope : Logical ----------------------------------------------------------- VSAN Domain IP Address User Name User Type ----------------------------------------------------------- 10.76.100.167 admin CLI/SNMP v3 10.76.100.167 admin CLI/SNMP v3 Total number of entries = 2 The show cfs lock name command displays the lock details for the specified application: switch# show cfs lock name ntp Scope : Physical...
  • Page 353: Clearing A Locked Session

    Using Cisco Fabric Services Clearing a Locked Session Clearing a Locked Session You can clear locks held by an application from any switch in the network to recover from situations where locks are acquired and not released. This function requires Admin permissions. Exercise caution when using this function to clear locks in the network.
  • Page 354: Assigning Applications To Cfs Regions

    Using Cisco Fabric Services Assigning Applications to CFS Regions Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# cfs region region-id Creates a region. Assigning Applications to CFS Regions You can assign an application on a switch to a region. Procedure Command or Action Purpose...
  • Page 355: Removing An Application From A Region

    Using Cisco Fabric Services Removing an Application from a Region The following example shows how to move an application into Region 2 that was originally assigned to Region 1: switch# configure terminal switch(config)# cfs region 2 switch(config-cfs-region)# ntp Removing an Application from a Region Removing an application from a region is the same as moving the application back to the default region (Region 0).
  • Page 356: Enabling Cfs Over Ipv6

    Using Cisco Fabric Services Enabling CFS over IPv6 Procedure Command or Action Purpose Step 1 switch# configure Enters configuration mode. Step 2 switch(config)# cfs ipv4 distribute Globally enables CFS over IPv6 for all applications on the switch. Step 3 switch(config)# no cfs ipv4 distribute (Optional) Disables (default) CFS over IPv6 on the switch.
  • Page 357: Configuring Ipv4 Multicast Address For Cfs

    Using Cisco Fabric Services Configuring IPv4 Multicast Address for CFS Configuring IPv4 Multicast Address for CFS You can configure a CFS over IP multicast address value for IPv4. The default IPv4 multicast address is 239.255.70.83. Procedure Command or Action Purpose Step 1 switch# configure Enters configuration mode.
  • Page 358: Displaying Cfs Distribution Information

    Using Cisco Fabric Services Displaying CFS Distribution Information Displaying CFS Distribution Information The show cfs merge status name command displays the merge status for a given application. The following example displays the output for an application distributing in logical scope. It shows the merge status in all valid VSANs on the switch.
  • Page 359 Using Cisco Fabric Services Displaying CFS Distribution Information Physical Fabric ------------------------------------------------- Switch WWN IP Address ------------------------------------------------- 20:00:00:05:30:00:6b:9e 10.76.100.167 [Local] 20:00:00:0e:d7:00:3c:9e 10.76.100.169 Total number of entries = 2 The show cfs peers name command displays all the peers for which a particular application is registered with CFS.
  • Page 360: Default Cfs Settings

    Using Cisco Fabric Services Default CFS Settings The following table lists the default settings for CFS configurations. Table 32: Default CFS Parameters (Parameter: Default). CFS distribution on the switch: Enabled. Database changes: Implicitly enabled with the first configuration change. Application distribution: Differs based on application.
  • Page 361: Configuring User Accounts And Rbac

    CHAPTER Configuring User Accounts and RBAC This chapter contains the following sections: • Configuring User Accounts and RBAC, page 315 Configuring User Accounts and RBAC This section describes how to configure user accounts and role-based access control (RBAC) on the Cisco Nexus 5000 Series switch.
  • Page 362: Characteristics Of Strong Passwords

    Configuring User Accounts and RBAC Characteristics of Strong Passwords Characteristics of Strong Passwords A strong password has the following characteristics: • At least eight characters long • Does not contain many consecutive characters (such as "abcd") • Does not contain many repeating characters (such as "aaabbb") •...
  • Page 363: About Rules

    Configuring User Accounts and RBAC About Rules Note: If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands.
  • Page 364: Configuring User Accounts

    Configuring User Accounts and RBAC Configuring User Accounts • You can assign a maximum of 64 user roles to a user account. Note: A user account must have at least one user role. Configuring User Accounts You can create a maximum of 256 user accounts on a Cisco Nexus 5000 Series switch. User accounts have the following attributes: •...
  • Page 365: Configuring Rbac

    Configuring User Accounts and RBAC Configuring RBAC The following example shows how to configure a user account: switch# configure terminal switch(config)# username NewUser password 4Ty18Rnt switch(config)# exit switch# show user-account Configuring RBAC Creating User Roles and Rules Each user role can have up to 256 rules. You can assign a user role to more than one user account. The rule number you specify determines the order in which the rules are applied.
  • Page 366: Creating Feature Groups

    Configuring User Accounts and RBAC Creating Feature Groups Command or Action Purpose Step 8 switch# show role (Optional) Displays the user role configuration. Step 9 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. The following example shows how to create user roles and specify rules: switch# configure terminal switch(config)# role name UserA switch(config-role)# rule deny command clear users...
  • Page 367: Changing User Role Vlan Policies

    Configuring User Accounts and RBAC Changing User Role VLAN Policies Command or Action Purpose Step 2 switch(config)# role name role-name Specifies a user role and enters role configuration mode. Step 3 switch(config-role)# interface policy deny Enters role interface policy configuration mode. Step 4 switch(config-role-interface)# permit...
  • Page 368: Changing User Role Vsan Policies

    Configuring User Accounts and RBAC Changing User Role VSAN Policies Command or Action Purpose Repeat this command for as many VLANs as needed. Step 5 switch# show role (Optional) Displays the role configuration. Step 6 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
  • Page 369: Default User Account And Rbac Settings

    Configuring User Accounts and RBAC Default User Account and RBAC Settings Command Purpose switch# show startup-config security Displays the user account configuration in the startup configuration. switch# show running-config security [all] Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts.
  • Page 371: Configuring Session Manager

    CHAPTER Configuring Session Manager This chapter contains the following sections: • Configuring Session Manager, page 325 Configuring Session Manager This section describes how to configure the Session Manager features in Cisco NX-OS. Information About Session Manager Session Manager allows you to implement your configuration changes in batch mode.
  • Page 372: Creating A Session

    Configuring Session Manager Configuring Session Manager • You can configure a maximum of 20,000 commands across all sessions. Configuring Session Manager Creating a Session You can create up to 32 configuration sessions. To create a configuration session, perform this task: Procedure Command or Action Purpose...
  • Page 373: Verifying A Session

    Configuring Session Manager Verifying a Session Verifying a Session To verify a session, use the following command in session mode: Command Purpose switch(config-s)# verify [verbose] Verifies the commands in the configuration session. Committing a Session To commit a session, use the following command in session mode: Command Purpose switch(config-s)# commit [verbose]...
  • Page 374 Configuring Session Manager Verifying Session Manager Configuration Command Purpose switch# show configuration session [name] Displays the contents of the configuration session. switch# show configuration session status [name] Displays the status of the configuration session. switch# show configuration session summary Displays a summary of all the configuration sessions.
  • Page 375: Configuring Online Diagnostics

    CHAPTER Configuring Online Diagnostics This chapter describes how to configure the generic online diagnostics (GOLD) feature. It contains the following sections: • Information About Online Diagnostics, page 329 • Configuring Online Diagnostics, page 332 •...
  • Page 376: Health Monitoring Diagnostics

    Information About Online Diagnostics Health Monitoring Diagnostics (Diagnostic: Description). NVRAM: Verifies the integrity of the NVRAM. In band port: Tests connectivity of the inband port to the supervisor. Management port: Tests the management port. Memory: Verifies the integrity of the DRAM. Bootup diagnostics also include a set of tests that are common with health monitoring diagnostics.
  • Page 377: Expansion Module Diagnostics

    Information About Online Diagnostics Expansion Module Diagnostics (Diagnostic: Description). Forwarding engine: Tests the forwarding engine ASICs. Forwarding engine port: Tests the ports on the forwarding engine ASICs. Front port: Tests the components (such as PHY and MAC) on the front ports. Expansion Module Diagnostics During switch bootup or reset, the bootup diagnostics include tests for the in-service expansion modules in the switch.
  • Page 378: Verifying Online Diagnostics Configuration

    Configuring Online Diagnostics Expansion Module Diagnostics Configuring Online Diagnostics You can configure the bootup diagnostics to run the complete set of tests, or you can bypass all bootup diagnostic tests for a faster module boot up time. Note: We recommend that you set the bootup online diagnostics level to complete. We do not recommend bypassing the bootup online diagnostics.
  • Page 379 Default GOLD Settings Expansion Module Diagnostics Table 39: Default Online Diagnostics Parameters (Parameter: Default). Bootup diagnostics level: complete.
  • Page 381: Configuring System Message Logging

    CHAPTER Configuring System Message Logging This chapter describes how to configure system message logging on the Cisco Nexus 5000 Series switch and contains the following sections: • Information About System Message Logging, page 335 •...
  • Page 382: Syslog Servers

    Configuring System Message Logging syslog Servers (Level: Description). 5 – notification: Normal but significant condition. 6 – informational: Informational message only. 7 – debugging: Appears during debugging only. The switch logs the most recent 100 messages of severity 0, 1, or 2 to the NVRAM log. You cannot configure logging to the NVRAM.
  • Page 383 Configuring System Message Logging Configuring System Message Logging to Terminal Sessions Command or Action Purpose value indicates a higher severity level). Severity levels range from 0 to 7: • 0 – emergency • 1 – alert • 2 – critical •...
  • Page 384: Configuring System Message Logging To A File

    Configuring System Message Logging Configuring System Message Logging to a File Command or Action Purpose Step 9 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. The following example shows how to configure a logging level of 3 for the console: switch# configure terminal switch(config)# logging console 3 The following example shows how to display the console logging configuration:...
  • Page 385: Configuring Module And Facility Messages Logging

    Configuring System Message Logging Configuring Module and Facility Messages Logging Command or Action Purpose • 4 – warning • 5 – notification • 6 – informational • 7 – debugging The file size is from 4096 to 10485760 bytes. Step 3 switch(config)# no logging logfile (Optional) [logfile-name severity-level [size...
  • Page 386 Configuring System Message Logging Configuring Module and Facility Messages Logging Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# logging module [severity-level] Enables module log messages that have the specified severity level or higher. Severity levels range from 0 to 7: •...
  • Page 387: Configuring Logging Timestamps

    Configuring System Message Logging Configuring Logging Timestamps Command or Action Purpose Step 6 switch# show logging module (Optional) Displays the module logging configuration. Step 7 switch# show logging level [facility] (Optional) Displays the logging level configuration and the system default level by facility.
  • Page 388: Configuring Syslog Servers

    Configuring System Message Logging Configuring syslog Servers Configuring syslog Servers You can configure up to three syslog servers that reference remote systems where you want to log system messages. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# logging server host Configures a syslog server at the specified host name or...
  • Page 389: Configuring Syslog On A Unix Or Linux System

    Configuring System Message Logging Configuring syslog on a UNIX or Linux System Configuring syslog on a UNIX or Linux System You can configure a syslog server on a UNIX or Linux system by adding the following line to the /etc/syslog.conf file: facility.level <five tab characters>...
  • Page 390 Configuring System Message Logging Configuring syslog Server Configuration Distribution After you enable syslog server configuration distribution, you can modify the syslog server configuration and view the pending changes before committing the configuration for distribution. As long as distribution is enabled, the switch maintains pending changes to the syslog server configuration. Note: If the switch is restarted, the syslog server configuration changes that are kept in volatile memory may be lost.
  • Page 391: Displaying And Clearing Log Files

    Verifying System Message Logging Configuration Displaying and Clearing Log Files Related Topics • Information About CFS, page 299 Displaying and Clearing Log Files You can display or clear messages in the log file and the NVRAM. Procedure Command or Action Purpose Step 1 switch# show logging last...
  • Page 392: Default System Message Logging Settings

    Default System Message Logging Settings Displaying and Clearing Log Files Command Purpose switch# show logging level [facility] Displays the facility logging severity level configuration. switch# show logging logfile [start-time yyyy mmm dd hh:mm:ss] [end-time yyyy mmm dd hh:mm:ss] Displays the messages in the log file. switch# show logging module Displays the module logging configuration.
  • Page 393 Default System Message Logging Settings Displaying and Clearing Log Files (Parameter: Default). syslog server configuration distribution: Disabled.
  • Page 395: Configuring Smart Call Home

    CHAPTER Configuring Smart Call Home This chapter contains the following sections: • Configuring Smart Call Home, page 349 Configuring Smart Call Home Information About Call Home Call Home provides e-mail-based notification of critical system events. Cisco Nexus 5000 Series switches provide a range of message formats for optimal compatibility with pager services, standard e-mail, or XML-based automated parsing applications.
  • Page 396: Destination Profiles

    Configuring Smart Call Home Destination Profiles • Multiple concurrent message destinations. You can configure up to 50 e-mail destination addresses for each destination profile. Destination Profiles A destination profile includes the following information: • One or more alert groups—The group of alerts that trigger a specific Call Home message if the alert occurs.
  • Page 397 Configuring Smart Call Home Call Home Alert Groups Alert Group Description Executed Commands show tech-support platform callhome Supervisor hardware Events related to supervisor show diagnostic result module all modules. detail show module show version show tech-support platform callhome Linecard hardware Events related to standard or show diagnostic result module all intelligent switching modules.
  • Page 398: Call Home Message Levels

    Configuring Smart Call Home Call Home Message Levels You can add show commands only to full text and XML destination profiles. Short text destination profiles do not support additional show commands because they only allow 128 bytes of text. Related Topics •...
  • Page 399: Obtaining Smart Call Home

    Configuring Smart Call Home Obtaining Smart Call Home Call Home Level Keyword syslog Level Description Debugging Debug (7) Debugging messages. Obtaining Smart Call Home If you have a service contract directly with Cisco Systems, you can register your devices for the Smart Call Home service.
  • Page 400: Configuration Guidelines And Limitations

    Configuring Smart Call Home Configuration Guidelines and Limitations Configuration Guidelines and Limitations Call Home has the following configuration guidelines and limitations: • If there is no IP connectivity or if the interface in the VRF to the profile destination is down, the switch cannot send the Call Home message.
  • Page 401: Creating A Destination Profile

    Configuring Smart Call Home Creating a Destination Profile Command or Action Purpose Step 5 switch(config-callhome)# phone-contact international-phone-number Configures the phone number in international phone number format for the primary person responsible for the device. Up to 17 alphanumeric characters are accepted in international format.
  • Page 402: Modifying A Destination Profile

    Configuring Smart Call Home Modifying a Destination Profile Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# callhome Enters callhome configuration mode. Step 3 switch(config-callhome)# destination-profile Creates a new destination profile and sets the message format for the profile.
  • Page 403: Associating An Alert Group With A Destination Profile

    Configuring Smart Call Home Associating an Alert Group with a Destination Profile Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# callhome Enters callhome configuration mode. Step 3 switch(config-callhome)# destination-profile {name | Configures an e-mail address for a user-defined or predefined destination profile.
  • Page 404: Adding Show Commands To An Alert Group

    Configuring Smart Call Home Adding show Commands to an Alert Group Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# callhome Enters callhome configuration mode. Step 3 switch(config-callhome)# destination-profile Associates an alert group with this destination profile.
  • Page 405: Configuring E-Mail

    Configuring Smart Call Home Configuring E-Mail Command or Action Purpose Step 5 switch# copy running-config startup-config (Optional) Saves this configuration change. This example shows how to add the show ip routing command to the Cisco-TAC alert group: switch# configure terminal switch(config)# callhome switch(config-callhome)# alert-group Configuration user-def-cmd "show ip routing"...
  • Page 406: Configuring Periodic Inventory Notification

    Configuring Smart Call Home Configuring Periodic Inventory Notification This example shows how to configure the e-mail options for Call Home messages: switch# configure terminal switch(config)# callhome switch(config-callhome)# transport email smtp-server 192.0.2.10 use-vrf Red switch(config-callhome)# transport email from person@example.com switch(config-callhome)# transport email reply-to person@example.com Configuring Periodic Inventory Notification You can configure the switch to periodically send a message with an inventory of all software services currently enabled and running on the device along with hardware inventory information.
  • Page 407: Testing Call Home Communications

    Configuring Smart Call Home Testing Call Home Communications Command Purpose switch(config-callhome)# enable Enables Call Home. Disabled by default. You can disable Call Home in the callhome configuration mode. Command Purpose switch(config-callhome)# no enable Disables Call Home. Disabled by default. You can enable Call Home distribution using CFS in the callhome configuration mode. Command Purpose switch(config-callhome)# distribute...
  • Page 408: Verifying Call Home Configuration

    Configuring Smart Call Home Verifying Call Home Configuration Verifying Call Home Configuration To display Call Home configuration information, perform one of the following tasks: Command Purpose switch# show callhome Displays the status for Call Home. switch# show callhome destination-profile name Displays one or more Call Home destination profiles.
  • Page 409: Additional References

    Configuring Smart Call Home Additional References Parameters Default Destination message size for a message sent in short text format. 4000 SMTP server port number if no port is specified. Alert group association with profile. All for full-text-destination and short-text-destination profiles. The cisco-tac alert group for the CiscoTAC-1 destination profile.
  • Page 410 Configuring Smart Call Home Call Home Message Formats Table 47: Common Fields for All Full Text and XML Messages Data Item (Plain Text and XML) Description (Plain Text and XML) XML Tag (XML Only) Time stamp Date and time stamp of event in ISO time notation: YYYY-MM-DD HH:MM:SS... /aml/header/time
  • Page 411 Configuring Smart Call Home Call Home Message Formats Data Item (Plain Text and XML) Description (Plain Text and XML) XML Tag (XML Only) • @ is a separator character. • Sid is C, identifying the serial ID as a chassis serial number. •...
  • Page 412 Configuring Smart Call Home Call Home Message Formats Data Item (Plain Text and XML) Description (Plain Text and XML) XML Tag (XML Only) The format is type@Sid@serial: • type is the product model number from backplane IDPROM. • @ is a separator character.
  • Page 413 Configuring Smart Call Home Call Home Message Formats Data Item (Plain Text and XML) Description (Plain Text and XML) XML Tag (XML Only) as the contact for this unit. Street address Optional field that contains the street address for RMA part shipments associated with this unit. /aml/body/sysStreetAddress
  • Page 414 Configuring Smart Call Home Call Home Message Formats Table 48: Inserted Fields for a Reactive or Proactive Event Message Data Item(Plain Text and XML) Description(Plain Text and XML) XML Tag (XML Only) Chassis hardware version Hardware version of chassis. /aml/body/chassis/hwVersion Supervisor module software Top-level software version.
  • Page 415: Sample Syslog Alert Notification In Full-Text Format

    Configuring Smart Call Home Sample syslog Alert Notification in Full-Text Format The following table describes the user-generated test message format for full text or XML. Table 50: Inserted Fields for a User-Generated Test Message Data Item(Plain Text and XML) Description(Plain Text and XML) XML Tag(XML Only) Process ID Unique process ID.
  • Page 416 Configuring Smart Call Home Sample syslog Alert Notification in XML Format <?xml version="1.0" encoding="UTF-8"?> <soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope"> <soap-env:Header> <aml-session:Session xmlns:aml-session="http://www.example.com/2004/01/aml-session" soap-env:mustUnderstand="true" soap-env:role="http://www.w3.org/2003/05/soap-envelope/role/next"> <aml-session:To>http://tools.example.com/services/DDCEService</aml-session:To> <aml-session:Path> <aml-session:Via>http://www.example.com/appliance/uri</aml-session:Via> </aml-session:Path> <aml-session:From>http://www.example.com/appliance/uri</aml-session:From> <aml-session:MessageId>M2:69000101:C9D9E20B</aml-session:MessageId> </aml-session:Session> </soap-env:Header> <soap-env:Body> <aml-block:Block xmlns:aml-block="http://www.example.com/2004/01/aml-block"> <aml-block:Header> <aml-block:Type>http://www.example.com/2005/05/callhome/syslog</aml-block:Type> <aml-block:CreationDate>2007-04-25 14:19:55 GMT+00:00</aml-block:CreationDate> <aml-block:Builder> <aml-block:Name>Cat6500</aml-block:Name> <aml-block:Version>2.0</aml-block:Version> </aml-block:Builder>...
  • Page 417 Configuring Smart Call Home Sample syslog Alert Notification in XML Format </aml-block:Content> <aml-block:Attachments> <aml-block:Attachment type="inline"> <aml-block:Name>show logging</aml-block:Name> <aml-block:Data encoding="plain"> <![CDATA[ Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled) Console logging: level debugging, 53 messages logged, xml disabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled...
  • Page 418 Configuring Smart Call Home Sample syslog Alert Notification in XML Format Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 26-Apr-07 18:00 by xxx 00:03:18: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 339 seconds 00:03:18: %OIR-SP-6-INSPS: Power supply inserted in slot 1 00:03:18: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
  • Page 419 Configuring Smart Call Home Sample syslog Alert Notification in XML Format Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 26-Apr-08 17:20 by username1 00:00:31: DFC8: Currently running ROMMON from S (Gold) region 00:04:59: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal Diagnostics... 00:05:12: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...
  • Page 421: Configuring Snmp

    CHAPTER Configuring SNMP This chapter describes the configuration of the Simple Network Management Protocol (SNMP) on Cisco Nexus 5000 Series switches and contains the following sections: • Information About SNMP, page 375 • Configuration Guidelines and Limitations, page 379 •...
  • Page 422: Snmp Notifications

    Information About SNMP SNMP Notifications The Cisco Nexus 5000 Series switch supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. SNMP is defined in RFC 3410 (http://tools.ietf.org/html/rfc3410), RFC 3411 (http://tools.ietf.org/html/rfc3411), RFC 3412 (http://tools.ietf.org/html/rfc3412), RFC 3413 (http://tools.ietf.org/html/rfc3413), RFC 3414 (http://tools.ietf.org/html/rfc3414), RFC 3415 (http://tools.ietf.org/html/rfc3415), RFC 3416 (http://tools.ietf.org/html/rfc3416), RFC 3417 (http://tools.ietf.org/html/rfc3417), RFC 3418 (http://tools.ietf.org/html/rfc3418), and RFC 3584...
  • Page 423: User-Based Security Model

    Information About SNMP User-Based Security Model User-Based Security Model The following table identifies what the combinations of security models and levels mean. Table 51: SNMP Security Models and Levels Model Level Authentication Encryption What Happens noAuthNoPriv Community string Uses a community string match for authentication.
  • Page 424: Cli And Snmp User Synchronization

    Information About SNMP CLI and SNMP User Synchronization • Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed. • Message confidentiality—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Page 425: Group-Based Snmp Access

    Configuration Guidelines and Limitations Group-Based SNMP Access Group-Based SNMP Access Note: Because group is a standard SNMP term used industry-wide, roles are referred to as groups in this SNMP section. SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with three accesses: read access, write access, and notification access.
  • Page 426: Assigning Snmpv3 Users To Multiple Roles

    Configuring SNMP Assigning SNMPv3 Users to Multiple Roles You can enforce SNMP message encryption for a specific user. Command Purpose switch(config)# snmp-server user name enforcePriv Enforces SNMP message encryption for this user. You can enforce SNMP message encryption for all users. Command Purpose switch(config)# snmp-server globalEnforcePriv...
  • Page 427: Configuring The Notification Target User

    Configuring SNMP Configuring the Notification Target User Command Purpose switch(config)# snmp-server host ip-address {traps | informs} version 2c community [udp_port number] Configures a host receiver for SNMPv2c traps or informs. The community can be any alphanumeric string up to 255 characters. The UDP port number range is from 0 to 65535.
  • Page 428: Enabling Snmp Notifications

    Configuring SNMP Enabling SNMP Notifications The following example shows how to configure a notification target user: switch(config)# snmp-server user NMS auth sha abcd1234 priv abcdefgh engineID 00:00:00:63:00:01:00:a1:ac:15:10:03 Enabling SNMP Notifications You can enable or disable notifications. If you do not specify a notification name, Cisco NX-OS enables all notifications.
  • Page 429: Configuring Link Notifications

    Configuring SNMP Configuring Link Notifications Related Commands CISCO-RSCN-MIB snmp-server enable traps rscn snmp-server enable traps rscn els snmp-server enable traps rscn ils CISCO-ZS-MIB snmp-server enable traps zone snmp-server enable traps zone default-zone-behavior-change snmp-server enable traps zone merge-failure snmp-server enable traps zone merge-success snmp-server enable traps zone request-reject snmp-server enable traps zone unsupp-mem The license notifications are enabled by default.
  • Page 430: Disabling Link Notifications On An Interface

    Configuring SNMP Disabling Link Notifications on an Interface • IETF extended—Cisco NX-OS sends only the IETF-defined notifications (linkUp, linkDown defined in IF-MIB), if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface. Cisco NX-OS adds additional varbinds specific to Cisco Systems in addition to the varbinds defined in the IF-MIB. This is the default setting.
  • Page 431: Assigning Snmp Switch Contact And Location Information

    Configuring SNMP Assigning SNMP Switch Contact and Location Information Assigning SNMP Switch Contact and Location Information You can assign the switch contact information, which is limited to 32 characters (without spaces), and the switch location. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 432: Verifying Snmp Configuration

    Verifying SNMP Configuration Configuring the Context to Network Entity Mapping Verifying SNMP Configuration To display SNMP configuration information, perform one of the following tasks: Command Purpose switch# show snmp Displays the SNMP status. switch# show snmp community Displays the SNMP community strings. switch# show snmp engineID Displays the SNMP engineID.
  • Page 433: Configuring Rmon

    CHAPTER Configuring RMON This chapter contains the following sections: • Configuring RMON, page 387 Configuring RMON Information About RMON RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that allows various network agents and console systems to exchange network monitoring data. The Cisco NX-OS supports RMON alarms, events and logs to monitor Cisco Nexus 5000 Series switches. An RMON alarm monitors a specific management information base (MIB) object for a specified interval, triggers an alarm at a specified threshold value (threshold), and resets the alarm at another threshold value.
  • Page 434: Rmon Events

    Configuring RMON RMON Events • Rising threshold—The value at which the Cisco Nexus 5000 Series switch triggers a rising alarm or resets a falling alarm. • Falling threshold—The value at which the Cisco Nexus 5000 Series switch triggers a falling alarm or resets a rising alarm.
  • Page 435: Configuring Rmon Events

    Configuring RMON Configuring RMON Events • The owner of the alarm. Ensure you have configured an SNMP user and enabled SNMP notifications. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# rmon alarm index mib-object Creates an RMON alarm.
  • Page 436: Verifying Rmon Configuration

    Configuring RMON Verifying RMON Configuration Command or Action Purpose Step 2 switch(config)# rmon event index [description string] [log] [trap] [owner name] Configures an RMON event. The description string and owner name can be any alphanumeric string. Step 3 switch(config)# show rmon {alarms | hcalarms} (Optional) Displays information about RMON alarms or...
  • Page 437: Fibre Channel Over Ethernet

    PART Fibre Channel over Ethernet • Configuring FCoE, page 393 • Configuring FCoE VLANs and Virtual Interfaces, page 411...
  • Page 439: Configuring Fcoe

    CHAPTER Configuring FCoE This chapter describes how to configure Fibre Channel over Ethernet (FCoE) on Cisco Nexus 5000 Series switches. It contains the following sections: • Information About FCoE, page 393 • FCoE Topologies, page 398 •...
  • Page 440: Fip Virtual Link Instantiation

    Information About FCoE FIP Virtual Link Instantiation • FIP—The Converged Enhanced Ethernet Data Center Bridging Exchange (CEE-DCBX) protocol supports T11-compliant Gen-2 CNAs. • Pre-FIP—The Cisco, Intel, Nuova Data Center Bridging Exchange (CIN-DCBX) protocol supports Gen-1 converged network adapters (CNAs). The Cisco Nexus 5000 Series switch detects the capabilities of the attached CNA and switches to the correct FIP mode.
  • Page 441: Fip Ethernet Frame Format

    Information About FCoE FIP Ethernet Frame Format FIP Ethernet Frame Format FIP is encapsulated in an Ethernet packet with a dedicated EtherType, 0x8914. The packet has a 4-bit version field. Along with the source and destination MAC addresses, the FIP packet also contains a FIP operation code and a FIP operation subcode.
  • Page 442: Dcbx Feature Negotiation

    Information About FCoE DCBX Feature Negotiation • CIN-DCBX—The Cisco, Intel, Nuova DCBX is supported on Gen-1 converged network adapters (CNAs). CIN-DCBX is used to perform link detection in addition to other functions. DCBX runs on the physical Ethernet link between the Cisco Nexus 5000 Series switch and the CNA. By default, DCBX is enabled on Ethernet interfaces.
  • Page 443: Lossless Ethernet

    Information About FCoE Lossless Ethernet Lossless Ethernet Standard Ethernet is a best-effort medium which means that it lacks any form of flow control. In the event of congestion or collisions, Ethernet will drop packets. The higher level protocols detect the missing data and retransmit the dropped packets.
  • Page 444: Fcoe Topologies

    FCoE Topologies Directly Connected CNA Topology To reduce configuration errors and simplify administration, the switch distributes the configuration data to all the connected adapters. FCoE Topologies Directly Connected CNA Topology The Cisco Nexus 5000 Series switch can be deployed as a Fibre Channel Forwarder (FCF) as shown in the following figure.
  • Page 445: Remotely Connected Cna Topology

    FCoE Topologies Remotely Connected CNA Topology between the CNA and the FCF. Make sure that you configure the FCoE VLAN on the directly connected links only. Remotely Connected CNA Topology The Cisco Nexus 5000 Series switch can be deployed as a Fibre Channel Forwarder (FCF) for remotely connected CNAs, but not as a FIP Snooping Bridge, as shown in the following figure.
  • Page 446: Fcoe Best Practices

    FCoE Best Practices Directly Connected CNA Best Practice FCoE Best Practices Directly Connected CNA Best Practice The following figure shows a best practices topology for an access network using directly connected CNAs with Cisco Nexus 5000 Series switches. Figure 41: Directly Connected CNA Follow these configuration best practices for the deployment topology in the preceding figure: 1 You must configure a unique dedicated VLAN at every converged access switch to carry traffic for each Virtual Fabric (VSAN) in the SAN (for example, VLAN 1002 for VSAN 1, VLAN 1003 for VSAN 2,...
  • Page 447 FCoE Best Practices Directly Connected CNA Best Practice 4 You must not configure the FCoE VLANs as members of Ethernet links that are not designated to carry FCoE traffic because you want to ensure the scope of the STP for the FCoE VLANs is limited to UF links only.
  • Page 448: Remotely Connected Cna Best Practice

    FCoE Best Practices Remotely Connected CNA Best Practice Remotely Connected CNA Best Practice The following figure shows a best practices topology for an access network using remotely connected CNAs with Cisco Nexus 5000 Series switches. Figure 42: Remotely Connected CNAs Follow these configuration best practices for the deployment topology in the preceding figure: 1 You must configure a unique dedicated VLAN at every converged access switch to carry traffic for each Virtual Fabric (VSAN) in the SAN (for example, VLAN 1002 for VSAN 1, VLAN 1003 for VSAN 2,...
  • Page 449: Licensing Requirements For Fcoe

    Licensing Requirements for FCoE Enabling FCoE Note: A unified fabric link carries both Ethernet and FCoE traffic. 3 You must configure the CNAs and the blade switches as spanning-tree edge ports. 4 A blade switch must connect to exactly one Cisco Nexus 5000 Series converged access switch, preferably over an EtherChannel, to avoid disruption due to STP reconvergence on events such as provisioning new links or blade switches.
  • Page 450: Disabling Fcoe

    Configuring FCoE Disabling FCoE Note: All the Fibre Channel features of the Cisco Nexus 5000 Series switch are packaged in the FC Plugin. When you enable FCoE, the switch software checks for the FC_FEATURES_PKG license. If it finds the license, the software loads the plugin. If the license is not found, the software loads the plugin with a grace period of 180 days.
  • Page 451: Disabling Lan Traffic On An Fcoe Link

    Configuring FCoE Disabling LAN Traffic on an FCoE Link Disabling LAN Traffic on an FCoE Link You can disable LAN traffic on an FCoE link. DCBX allows the switch to send a LAN Logical Link Status (LLS) message to a directly-connected CNA. Enter the shutdown lan command to send an LLS-Down message to the CNA.
  • Page 452: Configuring The Fabric Priority

    Configuring FCoE Configuring the Fabric Priority Configuring the Fabric Priority The Cisco Nexus 5000 Series switch advertises its priority. The priority is used by the CNAs in the fabric to determine the best switch to connect to. Procedure Command or Action Purpose Step 1 switch# configure terminal...
  • Page 453: Configuring Lldp

    Configuring LLDP Configuring Global LLDP Commands Configuring LLDP Configuring Global LLDP Commands You can set global LLDP settings. These settings include the length of time before discarding LLDP information received from peers, the length of time to wait before performing LLDP initialization on any interface, and the rate at which LLDP packets are sent.
  • Page 454: Verifying Fcoe Configuration

    Verifying FCoE Configuration Configuring Interface LLDP Commands Command or Action Purpose This example shows how to set an interface to transmit LLDP packets: switch# configure terminal switch(config)# interface ethernet 1/2 switch(config-if)# lldp transmit This example shows how to configure an interface to disable LLDP: switch# configure terminal switch(config)# interface ethernet 1/2 switch(config-if)# no lldp transmit...
  • Page 455 Verifying FCoE Configuration Configuring Interface LLDP Commands This example shows how to display LLDP interface information: switch# show lldp interface ethernet 1/2 tx_enabled: TRUE rx_enabled: TRUE dcbx_enabled: TRUE Port MAC address: 00:0d:ec:a3:5f:48 Remote Peers Information No remote peers exist This example shows how to display LLDP neighbor information: switch# show lldp neighbors LLDP Neighbors Remote Peers Information on interface Eth1/40...
  • Page 457: Configuring Fcoe Vlans And Virtual Interfaces

    CHAPTER Configuring FCoE VLANs and Virtual Interfaces This chapter describes how to configure Fibre Channel over Ethernet (FCoE) VLANs and virtual interfaces on Cisco Nexus 5000 Series switches. It contains the following sections: • Information About Virtual Interfaces, page 411 •...
  • Page 458: Configuring Virtual Interfaces

    Configuring Virtual Interfaces Mapping a VSAN to a VLAN ◦ The Ethernet or EtherChannel interface must be a trunk port (use the switchport mode trunk command). ◦ The FCoE VLAN that corresponds to a virtual Fibre Channel’s VSAN must be in the allowed VLAN list.
  • Page 459: Creating A Virtual Fibre Channel Interface

    Configuring Virtual Interfaces Creating a Virtual Fibre Channel Interface Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# vlan vlan-id Enters VLAN configuration mode. The VLAN number range is from 1 to 4096. Step 3 switch(config-vlan)# fcoe [vsan Enables FCoE for the specified VLAN.
  • Page 460: Associating A Virtual Fibre Channel Interface To A Vsan

    Verifying the Virtual Interface Associating a Virtual Fibre Channel Interface to a VSAN This example shows how to bind a virtual Fibre Channel interface to an Ethernet interface: switch# configure terminal switch(config)# interface vfc 4 switch(config-if)# bind interface ethernet 1/4 This example shows how to bind a virtual Fibre Channel interface to create a vPC: switch# configure terminal switch(config)# interface vfc 3...
  • Page 461 Verifying the Virtual Interface Associating a Virtual Fibre Channel Interface to a VSAN Command Purpose switch# show interface vfc vfc-id Displays the detailed configuration of the specified Fibre Channel interface. switch# show interface brief Displays the status of all interfaces. switch# show vlan fcoe Displays the mapping of FCoE VLANs to VSANs.
  • Page 462: Mapping Vsans To Vlans Example Configuration

    Mapping VSANs to VLANs Example Configuration Associating a Virtual Fibre Channel Interface to a VSAN This example shows how to display the status of all the interfaces on the switch (some output has been removed for brevity): switch# show interface brief ------------------------------------------------------------------------------- Interface Vsan...
  • Page 463 Mapping VSANs to VLANs Example Configuration Associating a Virtual Fibre Channel Interface to a VSAN Step 2 Create a virtual Fibre Channel interface and bind it to a physical Ethernet interface. switch(config)# interface vfc 4 switch(config-if)# bind interface ethernet 1/4 switch(config-if)# exit Step 3 Enable the associated VLAN and map the VLAN to a VSAN.
  • Page 465: Quality Of Service

    PART Quality of Service • Configuring QoS, page 421...
  • Page 467: Configuring Qos

    CHAPTER Configuring QoS This chapter describes how to configure quality of service (QoS) on Cisco Nexus 5000 Series switches. It contains the following sections: • Information About QoS, page 421 • QoS Configuration Guidelines and Limitations, page 429 •...
  • Page 468: System Classes

    Information About QoS The Cisco Modular QoS CLI (MQC) provides a standard set of commands for configuring QoS. You can use MQC to define additional traffic classes and to configure QoS policies for the whole system and for individual interfaces. Configuring a QoS policy with MQC consists of the following steps: 1 Define traffic classes.
  • Page 469: Default System Classes

    Information About QoS Default System Classes the switch distributes the system class parameter values to all its attached network adapters using the Data Center Bridging Exchange (DCBX) protocol. If service policies are configured at the interface level, the interface-level policy always takes precedence over system class configuration or defaults.
  • Page 470 Information About QoS Policy Types ◦ Policy—The actions that are performed on the matching traffic are as follows: Note: A network-qos policy can only be attached to the system qos target. ◦ MTU—The MTU that needs to be enforced for the traffic that is mapped to a system class. Each system class has a default MTU and the system class MTU is configurable.
  • Page 471: Link-Level Flow Control

    Information About QoS Link-Level Flow Control • Type qos—A type qos policy is used to classify traffic that is based on various Layer 2, Layer 3, and Layer 4 fields in the frame and to map it to system classes. Note: Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.
  • Page 472: Trust Boundaries

    Information About QoS Ethernet interfaces use PFC to provide lossless service to no-drop system classes. PFC implements pause frames on a per-class basis and uses the IEEE 802.1p CoS value to identify the classes that require lossless service. In the switch, each system class has an associated IEEE 802.1p CoS value that is assigned by default or configured on the system class.
  • Page 473: Ingress Queuing Policies

    Information About QoS Ingress Queuing Policies • All Fibre Channel and virtual Fibre Channel interfaces are automatically classified into the FCoE system class. • By default, all Ethernet interfaces are trusted interfaces. A packet tagged with an 802.1p CoS value is classified into a system class using the value in the packet.
  • Page 474: Qos For Multicast Traffic

    Information About QoS QoS for Multicast Traffic If you add a system class, a queue is assigned to the class. You must reconfigure the bandwidth allocation on all affected interfaces. Bandwidth is not dedicated automatically to user-defined system classes. You can configure a strict priority queue. This queue is serviced before all other queues except the control traffic queue (which carries control rather than data traffic).
  • Page 475: Qos For Traffic Directed To The Cpu

    QoS Configuration Guidelines and Limitations QoS for Traffic Directed to the CPU QoS for Traffic Directed to the CPU The switch automatically applies QoS policies to traffic that is directed to the CPU to ensure that the CPU is not flooded with packets. Control traffic, such as BPDU frames, is given higher priority to ensure delivery. QoS Configuration Guidelines and Limitations Switch resources (such as buffers, virtual output queues, and egress queues) are partitioned based on the default and user-defined system classes.
  • Page 476: Configuring Acl Classification

    Configuring System Classes Configuring ACL Classification Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# class-map [type {network-qos | qos | queuing}] class-name Creates or accesses a named object that represents the specified class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can...
  • Page 477: Configuring Cos Classification

    Configuring System Classes Configuring CoS Classification Command or Action Purpose Step 4 switch(config-cmap-qos)# no match access-group name acl-name (Optional) Removes the match from the traffic class. This example shows how to classify traffic by matching packets based on existing ACLs: switch# configure terminal switch(config)# class-map type qos class_acl switch(config-cmap-qos)# match access-group name acl-01...
  • Page 478: Configuring Dscp Classification

    Configuring System Classes Configuring DSCP Classification Use the show class-map command to display the CoS value class-map configuration: switch# show class-map class_cos Configuring DSCP Classification You can classify traffic based on the Differentiated Services Code Point (DSCP) value in the DiffServ field of the IP header (either IPv4 or IPv6).
  • Page 479: Configuring Ip Rtp Classification

    Configuring System Classes Configuring IP RTP Classification Value List of DSCP Values CS6 (precedence 6) dscp (110000)—decimal value CS7 (precedence 7) dscp (111000)—decimal value default Default dscp (000000)—decimal value 0 EF dscp (101110)—decimal value 46 Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 480: Configuring Precedence Classification

    Configuring System Classes Configuring Precedence Classification Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# class-map type qos class-name Creates a named object that represents a class of traffic. Class-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.
  • Page 481: Configuring Protocol Classification

    Configuring System Classes Configuring Protocol Classification Value List of Precedence Values priority Priority precedence (1) routine Routine precedence (0) Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# class-map type qos Creates a named object that represents a class of traffic.
  • Page 482: Configuring Qos Group Classification

    Configuring System Classes Configuring QoS Group Classification Argument Description netbios NetBIOS Extended User Interface (NetBEUI) Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# class-map type qos class-name Creates a named object that represents a class of traffic.
  • Page 483: Configuring Policy Maps

    Configuring System Classes Configuring Policy Maps Command or Action Purpose Note qos-groups 0 and 1 are reserved for default classes and cannot be configured. Step 4 switch(config-cmap-que)# no match qos-group qos-group-value (Optional) Removes the match from the traffic class. This example shows how to classify traffic based on the value of the QoS group: switch# configure terminal switch(config)# class-map type queuing class_qos_group switch(config-cmap-que)# match qos-group 4...
  • Page 484: Configuring Type Network Qos Policies

    Configuring System Classes Configuring Type Network QoS Policies Command or Action Purpose The three policy-map configuration modes are as follows: • network-qos—Network-wide (global) mode. CLI prompt: switch(config-pmap-nq)# • qos—Classification mode; this is the default mode. CLI prompt: switch(config-pmap-qos)# • queuing—Queuing mode. CLI prompt: switch(config-pmap-que)# Step 3 switch(config)# no policy-map...
  • Page 485 Configuring System Classes Configuring Type Network QoS Policies Command or Action Purpose Step 3 switch(config-pmap-nq)# class type network-qos class-name Associates a class map with the policy map, and enters configuration mode for the specified system class. Note The associated class map must be the same type as the policy map type.
  • Page 486: Configuring Type Queuing Policies

    Configuring System Classes Configuring Type Queuing Policies Command or Action Purpose Step 13 switch(config-pmap-c-nq)# no set cos cos-value (Optional) Disables the marking operation in this class. This example shows how to define a type network-qos policy map: switch# configure terminal switch(config)# policy-map type network-qos policy-que1 switch(config-pmap-nq)# class type network-qos class-que1 switch(config-pmap-c-nq)# mtu 5000...
  • Page 487: Configuring Type Qos Policies

    Configuring System Classes Configuring Type QoS Policies Command or Action Purpose Step 7 switch(config-pmap-c-que)# no priority (Optional) Removes the strict priority queuing from the traffic in this class. This example shows how to define a type queuing policy map: switch# configure terminal switch(config)# policy-map type queuing policy-queue1 switch(config-pmap-que)# class type queuing class-queue1 switch(config-pmap-c-que)# bandwidth 20...
  • Page 488: Attaching The System Service Policy

    Configuring System Classes Attaching the System Service Policy Attaching the System Service Policy You can use the service-policy command to associate the system class policy map as the service policy for the system. Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode.
  • Page 489 Configuring System Classes Restoring the Default System Service Policies Command or Action Purpose Step 2 switch(config)# system qos Enters system class configuration mode. Step 3 switch(config-sys-qos)# service-policy type qos input default-in-policy Resets the classification mode policy map. This policy-map configuration is for system qos input or interface input only: Step 4 switch(config-sys-qos)# service-policy type...
  • Page 490: Enabling The Jumbo Mtu

    Configuring System Classes Enabling the Jumbo MTU Enabling the Jumbo MTU You can enable the jumbo MTU for the whole switch by setting the MTU to its maximum size (9216 bytes) in the policy map for the default Ethernet system class (class-default). This example shows how to configure the default Ethernet system class to support the jumbo MTU: switch(config)# policy-map type network-qos jumbo switch(config-pmap-nq)# class type network-qos class-default...
  • Page 491: Configuring Qos On Interfaces

    Configuring QoS on Interfaces Configuring Untagged CoS This example shows how to display detailed jumbo MTU information for Ethernet 1/2 (the relevant part of the output is shown in bold font): switch# show interface ethernet 1/2 counters detailed Rx Packets: 1547805598 Rx Unicast Packets: 1547805596 Rx Jumbo Packets: 1301767362 Rx Bytes: 7181776513802...
  • Page 492: Configuring Interface Service Policy

    Configuring QoS on Interfaces Configuring Interface Service Policy Configuring Interface Service Policy An input qos policy is a service policy applied to incoming traffic on an Ethernet interface for classification. For type queuing, the output policy is applied to all outgoing traffic that matches the specified class. When you configure an input queuing policy on an interface or EtherChannel, the switch sends the configuration data to the adapter using the DCBX protocol.
  • Page 493: Configuring Priority Flow Control And Link-Level Flow Control

    Configuring Priority Flow Control and Link-Level Flow Control Configuring Priority Flow Control Configuring Priority Flow Control and Link-Level Flow Control Cisco Nexus 5000 Series switches support priority flow control (PFC) and Link-Level Flow Control (LLC) on Ethernet interfaces. The Ethernet interface can operate in two different modes: FCoE mode or standard Ethernet mode.
  • Page 494: Verifying Qos Configuration

    Verifying QoS Configuration Configuring Link-Level Flow Control Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface type slot/port Specifies the interface to be changed. Step 3 switch(config-if)# flowcontrol [receive {on | Enables LLC for the selected interface. Set receive and/or transmit on or off.
  • Page 495 Verifying QoS Configuration Configuring Link-Level Flow Control This example shows how to display the class maps defined on the switch: switch# show class-map Type qos class-maps =================== class-map type qos c1 match cos 0,7 class-map type qos c2 match protocol ldp match ip rtp 2000-65535 match dscp 10,12 match precedence 6-7...
  • Page 496 Verifying QoS Configuration Configuring Link-Level Flow Control class-map type network-qos class-default match qos-group 0 This example shows how to display the policy maps defined on the switch: switch# show policy-map Type qos policy-maps ==================== policy-map type qos p1 class type qos c1 set qos-group 2 class type qos c3 set qos-group 4...
  • Page 497 Verifying QoS Configuration Configuring Link-Level Flow Control policy-map type network-qos p1 class type network-qos c1 match qos-group 2 mtu 5000 class type network-qos c2 match qos-group 3 mtu 9216 queue-limit 30000 bytes class type network-qos c3 match qos-group 4 mtu 8000 class type network-qos c4 match qos-group 5 pause no-drop...
  • Page 498 Verifying QoS Configuration Configuring Link-Level Flow Control Class-map (qos): c1 (match-any) Match: cos 0,7 set qos-group 2 Class-map (qos): c2 (match-any) Match: protocol ldp Match: ip rtp 2000-65535 Match: dscp 10,12 Match: precedence 6-7 Match: protocol dhcp Match: protocol arp set qos-group 3 Class-map (qos): c3 (match-any)
  • Page 499 Verifying QoS Configuration Configuring Link-Level Flow Control Class-map (queuing): c4 (match-any) Match: qos-group 5 bandwidth percent 40 Class-map (queuing): class-fcoe (match-any) Match: qos-group 1 bandwidth percent 10 Class-map (queuing): class-default (match-any) Match: qos-group 0 bandwidth percent 5 This example shows how to display the queue configuration and statistics: switch# show queuing interface ethernet 1/1 Interface Ethernet1/1 TX Queuing qos-group...
  • Page 500: Example Qos Configurations

    Example QoS Configurations QoS Example 1 qos-group q-size: 30080, MTU: 9216 drop-type: drop, xon: 0, xoff: 188 Statistics: Pkts received over the port Ucast pkts sent to the cross-bar Mcast pkts sent to the cross-bar Ucast pkts received from the cross-bar Pkts sent to the port Pkts discarded on ingress : 0 (0)
  • Page 501: Qos Example 2

    Example QoS Configurations QoS Example 2 Procedure Command or Action Purpose Step 1 Set up the ingress classification policy (the access control list was defined previously): (config)# class-map type qos cmap-qos-acl (config-cmap-qos)# match access-group ACL-CoS (config-cmap-qos)# exit (config)# policy-map type qos pmap-qos-acl (config-pmap-qos)# class cmap-qos-acl (config-pmap-c-qos)# set qos-group 4 (config-pmap-c-qos)# exit...
  • Page 502 Example QoS Configurations QoS Example 2 Procedure Command or Action Purpose Step 1 Set up the ingress classification policy. (config)# class-map type qos cmap-qos-bandwidth (config-cmap-qos)# match access-group ACL-bandwidth (config-cmap-qos)# exit (config)# policy-map type qos pmap-qos-eth1-1 (config-pmap-qos)# class cmap-qos-bandwidth (config-pmap-c-qos)# set qos-group 2 (config-pmap-c-qos)# exit (config-pmap-qos)# exit Step 2...
  • Page 503: Qos Example 3

    Example QoS Configurations QoS Example 3 Command or Action Purpose Step 5 Attach the bandwidth policy to the egress interface. (config)# interface ethernet 1/3 (config-if)# service-policy type queuing output pmap-que-eth1-2 (config-if)# exit Step 6 Allocate the system class for qos-group 2. (config)# class-map type network-qos cmap-nq-bandwidth (config-cmap-nq)# match qos-group 2...
  • Page 505: San Switching

    PART SAN Switching • Configuring Fibre Channel Interfaces, page 461 • Configuring Domain Parameters, page 479 • Configuring N Port Virtualization, page 497 • Configuring VSAN Trunking, page 507 • Configuring SAN Port Channel, page 515 • Configuring and Managing VSANs, page 531 •...
  • Page 507: Configuring Fibre Channel Interfaces

    CHAPTER Configuring Fibre Channel Interfaces This chapter contains the following sections: • Configuring Fibre Channel Interfaces, page 461 Configuring Fibre Channel Interfaces Information About Fibre Channel Interfaces Licensing Requirements for Fibre Channel On Cisco Nexus 5000 Series switches, Fibre Channel capability is included in the Storage Protocol Services license.
  • Page 508: Virtual Fibre Channel Interfaces

    Configuring Fibre Channel Interfaces Virtual Fibre Channel Interfaces Virtual Fibre Channel Interfaces Fibre Channel over Ethernet (FCoE) encapsulation allows a physical Ethernet cable to simultaneously carry Fibre Channel and Ethernet traffic. In Cisco Nexus 5000 Series switches, an FCoE-capable physical Ethernet interface can carry traffic for one virtual Fibre Channel interface.
  • Page 509 Configuring Fibre Channel Interfaces E Port Note Interfaces are automatically assigned VSAN 1 by default. Each interface has an associated administrative configuration and an operational status: • The administrative configuration does not change unless you modify it. This configuration has various attributes that you can configure in administrative mode.
  • Page 510: Auto Mode

    Configuring Fibre Channel Interfaces SD Port Related Topics • Configuring VSAN Trunking, page 507 SD Port In SPAN destination port (SD port) mode, an interface functions as a switched port analyzer (SPAN). The SPAN feature monitors network traffic that passes through a Fibre Channel interface. This monitoring is done using a standard Fibre Channel analyzer (or a similar switch probe) that is attached to an SD port.
  • Page 511: Reason Codes

    Configuring Fibre Channel Interfaces Reason Codes Operational State Description be up, and the interface initialization must be completed. Down Interface cannot transmit or receive (data) traffic. Trunking Interface is operational in TE mode. Reason Codes Reason codes are dependent on the operational state of the interface. The following table describes the reason codes for operational states.
  • Page 512 Configuring Fibre Channel Interfaces Reason Codes Reason Code (long version) Description Applicable Modes Offline The switch software waits for the specified R_A_TOV time before retrying initialization. Inactive The interface VSAN is deleted or is in a suspended state. To make the interface operational, assign that port to a configured and active VSAN.
  • Page 513: Buffer-To-Buffer Credits

    Configuring Fibre Channel Interfaces Buffer-to-Buffer Credits Reason Code (long version) Description Applicable Modes Isolation due to domain manager The fcdomain feature is disabled. disabled Isolation due to zone merge failure The zone merge operation failed. Isolation due to VSAN mismatch The VSANs at both ends of an ISL are different.
  • Page 514: Configuring A Fibre Channel Interface

    Configuring Fibre Channel Interfaces Configuring Fibre Channel Interfaces Note The receive BB_credit values depend on the port mode. For physical Fibre Channel interfaces, the default value is 16 for F mode and E mode interfaces. This value can be changed as required. The maximum value is 64.
  • Page 515: Configuring Interface Modes

    Configuring Fibre Channel Interfaces Configuring Interface Modes Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface {fc slot/port}|{vfc vfc-id} Selects a Fibre Channel interface and enters interface configuration mode. Step 3 switch(config-if)# shutdown Gracefully shuts down the interface and administratively disables traffic flow (default).
  • Page 516: Configuring Port Speeds

    Configuring Fibre Channel Interfaces Configuring Port Speeds Command or Action Purpose Step 4 switch(config-if)# no switchport description Clears the description of the interface. Configuring Port Speeds Port speed can be configured on a physical Fibre Channel interface but not on a virtual Fibre Channel interface. By default, the port speed for an interface is automatically calculated by the switch.
  • Page 517: Configuring Receive Data Field Size

    Configuring Fibre Channel Interfaces Configuring Receive Data Field Size Configuring Receive Data Field Size You can configure the receive data field size for native Fibre Channel interfaces (but not for virtual Fibre Channel interfaces). If the default data field size is 2112 bytes, the frame length will be 2148 bytes. To configure the receive data field size, perform this task: Procedure Command or Action...
  • Page 518: Configuring Buffer-To-Buffer Credits

    Configuring Fibre Channel Interfaces Configuring Buffer-to-Buffer Credits Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# interface fc slot/port Selects a Fibre Channel interface and enters interface configuration mode. Step 3 switch(config-if)# switchport ignore bit-errors Prevents the detection of bit error threshold events from disabling the interface.
  • Page 519: Configuring Global Attributes For Fibre Channel Interfaces

    Configuring Fibre Channel Interfaces Configuring Global Attributes for Fibre Channel Interfaces Configuring Global Attributes for Fibre Channel Interfaces Configuring Switch Port Attribute Default Values You can configure attribute default values for various switch port attributes. These attributes will be applied globally to all future switch port configurations, even if you do not individually specify them at that time.
  • Page 520: Enabling N Port Identifier Virtualization

    Configuring Fibre Channel Interfaces Enabling N Port Identifier Virtualization Enabling N Port Identifier Virtualization To enable or disable NPIV on the switch, perform this task: Before You Begin You must globally enable NPIV for all VSANs on the switch to allow the NPIV-enabled applications to use multiple N port identifiers.
  • Page 521 Configuring Fibre Channel Interfaces Verifying Interface Information The following example shows how to display all interfaces: switch# show interface fc3/1 is up fc3/3 is up Ethernet1/3 is up mgmt0 is up vethernet1/1 is up vfc 1 is up The following example shows how to display multiple specified interfaces: switch# show interface fc3/1 , fc3/3 fc3/1 is up fc3/3 is up...
  • Page 522: Verifying Bb_Credit Information

    Configuring Fibre Channel Interfaces Verifying BB_Credit Information The following example shows the interface display when showing the running configuration for a specific interface: switch# show running configuration fc3/5 interface fc3/5 switchport speed 2000 switchport mode E channel-group 11 force no shutdown Verifying BB_Credit Information The following example shows how to display the BB_credit information for all Fibre Channel interfaces: switch# show interface bbcredit...
  • Page 523 Configuring Fibre Channel Interfaces Default Fibre Channel Interface Settings Parameters Default Interface speed Administrative state Shutdown (unless changed during initial setup) Trunk mode Trunk-allowed VSANs Interface VSAN Default VSAN (1) EISL encapsulation Data field size
  • Page 525: Configuring Domain Parameters

    CHAPTER Configuring Domain Parameters This chapter contains the following sections: • Configuring Domain Parameters, page 479 Configuring Domain Parameters The Fibre Channel domain (fcdomain) feature performs principal switch selection, domain ID distribution, FC ID allocation, and fabric reconfiguration functions as described in the FC-SW-2 standards. The domains are configured on a per-VSAN basis.
  • Page 526: About Domain Restart

    Configuring Domain Parameters About Domain Restart The following figure illustrates an example fcdomain configuration. Figure 45: Sample fcdomain Configuration About Domain Restart Fibre Channel domains can be started disruptively or nondisruptively. If you perform a disruptive restart, reconfigure fabric (RCF) frames are sent to other switches in the fabric and data traffic is disrupted on all the switches in the VSAN (including remotely segmented ISLs).
  • Page 527: Restarting A Domain

    Configuring Domain Parameters Restarting a Domain You can apply most of the configurations to their corresponding runtime values. Each of the following sections provide further details on how the fcdomain parameters are applied to the runtime values. The fcdomain restart command applies your changes to the runtime settings. Use the disruptive option to apply most of the configurations to their corresponding runtime values, including preferred domain IDs.
  • Page 528: About Switch Priority

    Configuring Domain Parameters About Switch Priority Command or Action Purpose Step 4 switch(config)# no fcdomain optimize fast-restart vsan vsan-id Disables (default) domain manager fast restart in the specified VSAN. About Switch Priority By default, the configured priority is 128. The valid range to set the priority is between 1 and 254. Priority 1 has the highest priority.
  • Page 529: Configuring Fabric Names

    Configuring Domain Parameters Configuring Fabric Names Command or Action Purpose Step 3 switch(config)# fcdomain vsan vsan-id Enables the fcdomain configuration in the specified VSAN. Configuring Fabric Names To set the fabric name value for a disabled fcdomain, perform this task: Procedure Command or Action Purpose...
  • Page 530: About Autoreconfiguring Merged Fabrics

    Configuring Domain Parameters About Autoreconfiguring Merged Fabrics Command or Action Purpose Step 4 switch(config-if)# no fcdomain rcf-reject vsan vsan-id Disables (default) the RCF filter on the specified interface in the specified VSAN. About Autoreconfiguring Merged Fabrics By default, the autoreconfigure option is disabled. When you join two switches belonging to two different stable fabrics that have overlapping domains, the following situations can occur: •...
  • Page 531 Configuring Domain Parameters About Domain IDs Note The 0 (zero) value can be configured only if you use the preferred option. If you do not configure a domain ID, the local switch sends a random ID in its request. We recommend that you use static domain IDs.
  • Page 532: Specifying Static Or Preferred Domain Ids

    Configuring Domain Parameters Specifying Static or Preferred Domain IDs • When the assigned and requested domain IDs are the same, the preferred and static options are not relevant, and the assigned domain ID becomes the runtime domain ID. • When the assigned and requested domain IDs are different, the following cases apply: ◦...
  • Page 533: About Allowed Domain Id Lists

    Configuring Domain Parameters About Allowed Domain ID Lists Command or Action Purpose Step 2 switch(config)# fcdomain domain domain-id static vsan vsan-id Configures the switch in the specified VSAN to accept only a specific value and moves the local interfaces in the specified VSAN to an isolated state if the requested domain ID is not granted.
  • Page 534: About Cfs Distribution Of Allowed Domain Id Lists

    Configuring Domain Parameters About CFS Distribution of Allowed Domain ID Lists Command or Action Purpose Step 3 switch(config)# no fcdomain allowed domain-id range vsan vsan-id Reverts to the factory default of allowing domain IDs from 1 through 239 in the specified VSAN. About CFS Distribution of Allowed Domain ID Lists You can enable the distribution of the allowed domain ID list configuration information to all Cisco SAN switches in the fabric using the Cisco Fabric Services (CFS) infrastructure.
  • Page 535: Discarding Changes

    Configuring Domain Parameters Committing Changes Committing Changes To apply the pending domain configuration changes to other SAN switches in the VSAN, you must commit the changes. The pending configuration changes are distributed and, on a successful commit, the configuration changes are applied to the active configuration in the SAN switches throughout the VSAN and the fabric lock is released.
  • Page 536: Displaying Pending Changes

    Configuring Domain Parameters Displaying Pending Changes Displaying Pending Changes You can display the pending configuration changes using the show fcdomain pending command. switch# show fcdomain pending vsan 10 Pending Configured Allowed Domains ---------------------------------- VSAN 10 Assigned or unallowed domain IDs: 1-9,24,100,231-239. [User] configured allowed domain IDs: 10-230.
  • Page 537: About Persistent Fc Ids

    Configuring Domain Parameters FC IDs Command or Action Purpose Note The contiguous-allocation option takes immediate effect at runtime. You do not need to restart the fcdomain. Step 3 switch(config)# no fcdomain contiguous-allocation vsan vsan-id Disables the contiguous allocation option and reverts it to the factory default in the specified VSAN.
  • Page 538: Enabling The Persistent Fc Id Feature

    Configuring Domain Parameters Enabling the Persistent FC ID Feature Enabling the Persistent FC ID Feature To enable the persistent FC ID feature, perform this task: Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# fcdomain fcid persistent vsan vsan-id Activates (default) persistency of FC IDs in...
  • Page 539: About Unique Area Fc Ids For Hbas

    Configuring Domain Parameters About Unique Area FC IDs for HBAs Command or Action Purpose Step 4 switch(config-fcid-db)# vsan vsan-id wwn 11:22:11:22:33:44:33:44 fcid fcid dynamic Configures a device WWN (11:22:11:22:33:44:33:44) with the FC ID 0x070123 in the specified VSAN in dynamic mode. Step 5 switch(config-fcid-db)# vsan vsan-id Configures a device WWN (11:22:11:22:33:44:33:44)
  • Page 540: About Persistent Fc Id Selective Purging

    Configuring Domain Parameters About Persistent FC ID Selective Purging switch(config-if)# shutdown switch(config-if)# end Step 3 Verify that the FC ID feature is enabled using the show fcdomain vsan command. switch# show fcdomain vsan 1 Local switch configuration information: State: Enabled FCID persistence: Disabled If this feature is disabled, continue to the next step to enable the persistent FC ID.
  • Page 541: Purging Persistent Fc Ids

    Configuring Domain Parameters Purging Persistent FC IDs Purging Persistent FC IDs To purge persistent FC IDs, perform this task: Procedure Command or Action Purpose Step 1 switch# purge fcdomain fcid vsan vsan-id Purges all dynamic and unused FC IDs in the specified VSAN.
  • Page 542: Default Fibre Channel Domain Settings

    Configuring Domain Parameters Default Fibre Channel Domain Settings The following example shows how to display frame and other fcdomain statistics for a specified VSAN or SAN port channel: switch# show fcdomain statistics vsan 1 VSAN Statistics Number of Principal Switch Selections: 5 Number of times Local Switch was Principal: 0 Number of 'Build Fabric's: 3 Number of 'Fabric Reconfigurations': 0...
  • Page 543: Configuring N Port Virtualization

    CHAPTER Configuring N Port Virtualization This chapter contains the following sections: • Configuring N Port Virtualization, page 497 Configuring N Port Virtualization Information About NPV NPV Overview By default, Cisco Nexus 5000 Series switches operate in fabric mode. In this mode, the switch provides standard Fibre Channel switching capability and features.
  • Page 544: Npv Mode

    Configuring N Port Virtualization NPV Mode The figure below shows an interface-level view of an NPV configuration. Figure 47: NPV Interface Configuration NPV Mode In NPV mode, the edge switch relays all traffic to the core switch, which provides the Fibre Channel switching capabilities.
  • Page 545: Flogi Operation

    Configuring N Port Virtualization FLOGI Operation An NP uplink is a connection from an NP port on the edge switch to an F port on the core switch. When an NP uplink is established, the edge switch sends a fabric login message (FLOGI) to the core switch, and then (if the FLOGI is successful) it registers itself with the name server on the core switch.
  • Page 546: Npv Traffic Management

    Configuring N Port Virtualization NPV Traffic Management • The same device might log in using different fWWNs on the core switch (depending on the NPV link it uses) and may need to be zoned using different fWWNs. Related Topics • Configuring and Managing Zones, page 543 NPV Traffic Management Automatic Uplink Selection...
  • Page 547: Npv Traffic Management Guidelines

    Configuring N Port Virtualization NPV Traffic Management Guidelines NPV Traffic Management Guidelines When deploying NPV traffic management, follow these guidelines: • Use NPV traffic management only when automatic traffic engineering does not meet your network requirements. • You do not need to configure traffic maps for all server interfaces. By default, NPV will use automatic traffic management.
  • Page 548: Configuring Npv

    Configuring N Port Virtualization Configuring NPV • Both servers and targets can be connected to the switch when in NPV mode. • Fibre Channel switching is not performed in the edge switch; all traffic is switched in the core switch. •...
  • Page 549: Configuring A Server Interface

    Configuring N Port Virtualization Configuring a Server Interface Command or Action Purpose Step 3 switch(config-if)# switchport mode NP Configures the interface as an NP port. Step 4 switch(config-if)# no shutdown Brings up the interface. Configuring a Server Interface To configure a server interface, perform this task: Procedure Command or Action Purpose...
  • Page 550: Verifying Npv

    Configuring N Port Virtualization Verifying NPV To enable disruptive load balancing, perform this task: Procedure Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode on the NPV. Step 2 switch(config)# npv auto-load-balance disruptive Enables disruptive load balancing on the switch.
  • Page 551: Verifying Npv Traffic Management

    Configuring N Port Virtualization Verifying NPV Traffic Management Server Interfaces: ================== Interface: vfc3/1, VSAN: 1, NPIV: No, State: Up Number of Server Interfaces: 1 Note To view fcns database entries for NPV edge switches, you must enter the show fcns database command on the core switch.
  • Page 553: Configuring Vsan Trunking

    CHAPTER Configuring VSAN Trunking This chapter contains the following sections: • Configuring VSAN Trunking, page 507 Configuring VSAN Trunking Information About VSAN Trunking VSAN trunking enables interconnect ports to transmit and receive frames in more than one VSAN, over the same physical link, using enhanced ISL (EISL) frame format (see the following figure).
  • Page 554: Vsan Trunking Mismatches

    Configuring VSAN Trunking VSAN Trunking Mismatches VSAN Trunking Mismatches If you misconfigure VSAN configurations across E ports, issues can occur such as the merging of traffic in two VSANs (causing both VSANs to mismatch). The VSAN trunking protocol validates the VSAN interfaces at both ends of an ISL to avoid merging VSANs (see the following figure).
  • Page 555: Guidelines And Restrictions

    Configuring VSAN Trunking Configuring VSAN Trunking Configuring VSAN Trunking Guidelines and Restrictions When configuring VSAN trunking, note the following guidelines: • We recommend that both ends of a VSAN trunking ISL belong to the same port VSAN. On platforms or fabric switches where the port VSANs are different, one end returns an error, and the other is not connected.
  • Page 556: Configuring Trunk Mode

    Configuring VSAN Trunking Configuring Trunk Mode The preferred configuration on the Cisco Nexus 5000 Series switches is that one side of the trunk is set to auto and the other is set to on. Note When connected to a third-party switch, the trunk mode configuration has no effect. The ISL is always in a trunking disabled state.
  • Page 557 Configuring VSAN Trunking About Trunk-Allowed VSAN Lists three switches are allowed-active. However, only the common set of allowed-active VSANs at the ends of the ISL become operational, as shown below. Figure 51: Default Allowed-Active VSAN Configuration You can configure a selected set of VSANs (from the allowed-active list) to control access to the VSANs specified in a trunking ISL.
  • Page 558: Configuring An Allowed-Active List Of Vsans

    Configuring VSAN Trunking Configuring an Allowed-Active List of VSANs Consequently, VSAN 2 can only be routed from switch 1 through switch 3 to switch 2. Figure 52: Operational and Allowed VSAN Configuration Configuring an Allowed-Active List of VSANs To configure an allowed-active list of VSANs for an interface, perform this task: Procedure Command or Action Purpose...
  • Page 559: Displaying Vsan Trunking Information

    Configuring VSAN Trunking Displaying VSAN Trunking Information Displaying VSAN Trunking Information The show interface command is invoked from the EXEC mode and displays VSAN trunking configurations for a TE port. Without any arguments, this command displays the information for all of the configured interfaces in the switch.
  • Page 561: Configuring San Port Channel

    Chapter: Configuring SAN Port Channel. This chapter contains the following sections: • Configuring SAN Port Channels, page 515. Configuring SAN Port Channels: SAN port channels refer to the aggregation of multiple physical interfaces into one logical interface to provide higher aggregated bandwidth, load balancing, and link redundancy.
  • Page 562: Understanding Load Balancing

    Configuring SAN Port Channels Understanding Load Balancing • A SAN port channel enables several physical links to be combined into one aggregated logical link. • An industry standard E port can link to other vendor switches and is referred to as inter-switch link (ISL), as shown on the left side of the figure below.
  • Page 563 Configuring SAN Port Channels Understanding Load Balancing The following figure illustrates how flow-based load balancing works. When the first frame in a flow is received on an interface for forwarding, link 1 is selected. Each subsequent frame in that flow is sent over the same link.
  • Page 564: Configuring San Port Channels

    Configuring SAN Port Channels Configuring SAN Port Channels particular exchange are sent on the same link. For exchange 1, no frame uses link 2. For the next exchange, link 2 is chosen by the hash algorithm. Now all frames in exchange 2 use link 2. Figure 56: SID1, DID1, and Exchange-Based Load Balancing Configuring SAN Port Channels SAN port channels are created with default values.
  • Page 565: San Port Channel Configuration Guidelines

    Configuring SAN Port Channels SAN Port Channel Configuration Guidelines The following figure shows examples of invalid configurations. Assuming that the links are brought up in the 1, 2, 3, 4 sequence, links 3 and 4 will be operationally down as the fabric is misconfigured. Figure 58: Misconfigured Configurations SAN Port Channel Configuration Guidelines Before configuring a SAN port channel, consider the following guidelines:...
  • Page 566: Creating A San Port Channel

    Configuring SAN Port Channels Creating a SAN Port Channel If all three conditions are not met, the faulty link is disabled. Enter the show interface command for that interface to verify that the SAN port channel is functioning as required. Creating a SAN Port Channel To create a SAN port channel, perform this task: Procedure...
  • Page 567: About San Port Channel Deletion

    Configuring SAN Port Channels About SAN Port Channel Deletion On Mode: When you add or modify a port channel member port configuration, you must explicitly disable (shut) and... Active Mode: When you add or modify a port channel interface, the SAN port channel automatically recovers.
  • Page 568: Deleting San Port Channels

    Configuring SAN Port Channels Deleting SAN Port Channels Command or Action Purpose Step 3 switch(config-if)# channel mode active Configures the Active mode. Step 4 switch(config-if)# no channel mode active Reverts to the default On mode. Example of Configuring Active Modes The following example shows how to configure active mode: switch(config)# interface san-port-channel 1 switch(config-if)# channel mode active...
  • Page 569: Suspended And Isolated States

    Configuring SAN Port Channels Suspended and Isolated States • Capability parameters (type of interface, Fibre Channel at both ends). • Administrative compatibility parameters (speed, mode, port VSAN, allowed VSAN, and port security). • Operational parameters (speed and remote switch’s WWN). A port addition procedure fails if the capability and administrative parameters in the remote switch are incompatible with the capability and administrative parameters in the local switch.
  • Page 570: About Interface Deletion From A San Port Channel

    Configuring SAN Port Channels About Interface Deletion from a SAN Port Channel After the members are forcefully added, regardless of the mode (Active and On) used, the ports at either end are gracefully brought down, indicating that no frames are lost when the interface is going down. To force the addition of a port to a SAN port channel, perform this task: Procedure Command or Action...
  • Page 571: About Channel Group Creation

    Configuring SAN Port Channels About Channel Group Creation Cisco SAN switches support a protocol to exchange SAN port channel configurations, which simplifies port channel management with incompatible ISLs. An additional autocreation mode enables ISLs with compatible parameters to automatically form channel groups without manual intervention. The port channel protocol is enabled by default.
  • Page 572: Autocreation Guidelines

    Configuring SAN Port Channels Autocreation Guidelines Table 71: Channel Group Configuration Differences. User-Configured Channel Group: Manually configured by the user. Member ports cannot participate in autocreation of channel groups. Autocreated Channel Group: Created automatically when compatible links come up between two compatible switches, if channel group autocreation is enabled in all ports at both ends. None of these ports are members of a user-configured...
  • Page 573: Enabling And Configuring Autocreation

    Configuring SAN Port Channels Enabling and Configuring Autocreation • An autocreated SAN port channel is not persistent through a reboot. An autocreated SAN port channel can be manually configured to appear the same as a persistent SAN port channel. Once the SAN port channel is made persistent, the autocreation feature is disabled in all member ports.
  • Page 574: Converting To Manually Configured Channel Groups

    Configuring SAN Port Channels Converting to Manually Configured Channel Groups Converting to Manually Configured Channel Groups You can convert autocreated channel group to a user-configured channel group using the san-port-channel channel-group-number persistent EXEC command. If the SAN port channel does not exist, this command is not executed.
  • Page 575: Default Settings For San Port Channels

    Configuring SAN Port Channels Default Settings for SAN Port Channels Autocreated SAN port channels are indicated explicitly to help differentiate them from the manually created SAN port channels. The following example shows how to display an autocreated port channel: switch# show interface fc2/1 fc2/1 is trunking Hardware is Fibre Channel, FCOT is short wave laser Port WWN is 20:0a:00:0b:5f:3b:fe:80...
  • Page 576 Configuring SAN Port Channels Default Settings for SAN Port Channels
  • Page 577: Configuring And Managing Vsans

    Chapter: Configuring and Managing VSANs. This chapter contains the following sections: • Configuring and Managing VSANs, page 531. Configuring and Managing VSANs: You can achieve higher security and greater stability in Fibre Channel fabrics by using virtual SANs (VSANs). VSANs provide isolation among devices that are physically connected to the same fabric.
  • Page 578 Configuring and Managing VSANs VSAN Topologies The following figure shows a fabric with three switches, one on each floor. The geographic location of the switches and the attached devices is independent of their segmentation into logical VSANs. No communication between VSANs is possible. Within each VSAN, all members can talk to one another. Figure 60: Logical VSAN Segmentation The application servers or storage arrays can be connected to the switch using Fibre Channel or virtual Fibre Channel interfaces.
  • Page 579 Configuring and Managing VSANs VSAN Topologies The following figure shows a physical Fibre Channel switching infrastructure with two defined VSANs: VSAN 2 (dashed) and VSAN 7 (solid). VSAN 2 includes hosts H1 and H2, application servers AS2 and AS3, and storage arrays SA1 and SA4. VSAN 7 connects H3, AS1, SA2, and SA3. Figure 61: Example of Two VSANs The four switches in this network are interconnected by VSAN trunk links that carry both VSAN 2 and VSAN 7 traffic.
  • Page 580: Vsan Advantages

    Configuring and Managing VSANs VSAN Advantages • VSANs can meet the needs of a particular department or application. VSAN Advantages VSANs offer the following advantages: • Traffic isolation—Traffic is contained within VSAN boundaries and devices reside only in one VSAN ensuring absolute separation between user groups, if desired.
  • Page 581: Configuring Vsans

    Configuring and Managing VSANs Configuring VSANs VSAN Characteristic: VSANs encompass the entire fabric. Zone Characteristic: Zones are configured at the fabric edge. The following figure shows the possible relationships between VSANs and zones. In VSAN 2, three zones are defined: zone A, zone B, and zone C. Zone C overlaps both zone A and zone B as permitted by Fibre Channel standards.
  • Page 582: About Vsan Creation

    Configuring and Managing VSANs About VSAN Creation • VSAN name—This text string identifies the VSAN for management purposes. The name can be from 1 to 32 characters long and it must be unique across all VSANs. By default, the VSAN name is a concatenation of VSAN and a four-digit string representing the VSAN ID.
  • Page 583: Assigning Static Port Vsan Membership

    Configuring and Managing VSANs Assigning Static Port VSAN Membership • Dynamically—Assigning VSANs based on the device WWN. This method is referred to as dynamic port VSAN membership (DPVM). Cisco Nexus 5000 Series switches do not support DPVM. VSAN trunking ports have an associated list of VSANs that are part of an allowed list. Related Topics •...
  • Page 584: About The Default Vsan

    Configuring and Managing VSANs About the Default VSAN san-port-channel 3 vfc3/1 vsan 2 interfaces: fc2/3 vfc4/1 vsan 7 interfaces: vsan 100 interfaces: vsan 4094(isolated vsan) interfaces: The following example displays static membership information for the specified interface: switch # show vsan membership interface fc2/1 fc2/1 vsan:1 allowed list:1-4093...
  • Page 585: About Static Vsan Deletion

    Configuring and Managing VSANs About Static VSAN Deletion About Static VSAN Deletion When an active VSAN is deleted, all of its attributes are removed from the running configuration. VSAN-related information is maintained by the system software as follows: • VSAN attributes and port membership details are maintained by the VSAN manager. This feature is affected when you delete a VSAN from the configuration.
  • Page 586: About Load Balancing

    Configuring and Managing VSANs About Load Balancing Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# vsan database Configures the VSAN database. Step 3 switch-config-db# vsan 2 Places you in VSAN configuration mode. Step 4 switch(config-vsan-db)# no vsan 5 Deletes VSAN 5 from the database and...
  • Page 587: About Interop Mode

    Configuring and Managing VSANs About Interop Mode About Interop Mode Interoperability enables the products of multiple vendors to connect with each other. Fibre Channel standards guide vendors to create common external Fibre Channel interfaces. Related Topics • Switch Interoperability, page 614 Displaying Static VSAN Configuration The following example shows how to display information about a specific VSAN: switch# show vsan 100...
  • Page 588 Configuring and Managing VSANs Default VSAN Settings
  • Page 589: Configuring And Managing Zones

    Chapter: Configuring and Managing Zones. This chapter contains the following sections: • Configuring and Managing Zones, page 543. Configuring and Managing Zones: Zoning enables you to set up access control between storage devices or user groups. If you have administrator privileges in your fabric, you can create zones to increase network security and to prevent data loss or corruption.
  • Page 590 Configuring and Managing Zones Zoning Features ◦ A zone can be a member of more than one zone set. ◦ A zone switch can have a maximum of 500 zone sets. • Zoning can be administered from any switch in the fabric. ◦...
  • Page 591: Zoning Example

    Configuring and Managing Zones Zoning Example Zoning Example The following figure shows a zone set with two zones, zone 1 and zone 2, in a fabric. Zone 1 provides access from all three hosts (H1, H2, H3) to the data residing on storage systems S1 and S2. Zone 2 restricts the data on S3 to access only by H3.
  • Page 592: Active And Full Zone Set Configuration Guidelines

    Configuring and Managing Zones Active and Full Zone Set Configuration Guidelines • Hard zoning cannot be disabled. • Name server queries are soft-zoned. • Only active zone sets are distributed. • Unzoned devices cannot access each other. • A zone or zone set with the same name can exist in each VSAN. •...
  • Page 593 Configuring and Managing Zones Active and Full Zone Set Configuration Guidelines Note: If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new zone set.
  • Page 594 Configuring and Managing Zones Active and Full Zone Set Configuration Guidelines The following figure shows a zone being added to an activated zone set. Figure 66: Active and Full Zone Sets
  • Page 595: Configuring Zones

    Configuring and Managing Zones Configuring Zones To configure a zone and assign a zone name, perform this task: Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# zone name zone-name vsan vsan-id Configures a zone in the specified VSAN. Note: All alphanumeric characters or one of the following...
  • Page 596: Zone Sets

    Configuring and Managing Zones Zone Sets Use the show wwn switch command to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN. The following examples show how to configure zone members: switch(config)# zone name MyZone vsan 2 pWWN example: switch(config-zone)# member pwwn 10:00:00:23:45:67:89:ab Fabric pWWN example:...
  • Page 597: Activating A Zone Set

    Configuring and Managing Zones Activating a Zone Set Zones provide a method for specifying access control, while zone sets are a grouping of zones to enforce access control in the fabric. Either zone set A or zone set B can be activated (but not together). Zone sets are configured with the names of the member zones and the VSAN (if the zone set is in a configured VSAN).
  • Page 598: Configuring The Default Zone Access Permission

    Configuring and Managing Zones Configuring the Default Zone Access Permission The default zone members are explicitly listed when the default policy is configured as permit or when a zone set is active. When the default policy is configured as deny, the members of this zone are not explicitly enumerated when you view the active zone set.
  • Page 599: Creating Fc Aliases Example

    Configuring and Managing Zones Creating FC Aliases Example Command or Action Purpose Step 2 switch(config)# fcalias name AliasSample vsan vsan-id Configures an alias name (AliasSample). Step 3 switch(config-fcalias)# member type value Configures a member for the specified fcalias (AliasSample) based on the type (pWWN, fabric pWWN, FC ID, domain ID, or interface) and value specified....
  • Page 600: Creating Zone Sets And Adding Member Zones

    Configuring and Managing Zones Creating Zone Sets and Adding Member Zones Device alias example: switch(config-fcalias)# member device-alias devName Creating Zone Sets and Adding Member Zones To create a zone set to include several zones, perform this task: Procedure Command or Action Purpose Step 1 switch# configuration terminal...
  • Page 601: Zone Set Distribution

    Configuring and Managing Zones Zone Set Distribution Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access. Note: Cisco Nexus 5000 Series switches support both hard and soft zoning. Zone Set Distribution You can distribute full zone sets using one of two methods: one-time distribution using the zoneset distribute vsan command at the EXEC mode level or full zone set distribution using the zoneset distribute full vsan command at the configuration mode level.
  • Page 602: About Recovering From Link Isolation

    Configuring and Managing Zones About Recovering from Link Isolation Note: The one-time distribution of the full zone set is supported in interop 2 and interop 3 modes, and not in interop 1 mode. Use the show zone status vsan vsan-id command to check the status of the one-time zone set distribution request.
  • Page 603: Importing And Exporting Zone Sets

    Configuring and Managing Zones Importing and Exporting Zone Sets To import or export the zone set information from or to an adjacent switch, perform this task: Procedure Command or Action Purpose Step 1 switch# zoneset import interface fc slot/port vsan vsan-id Imports the zone set from the adjacent switch connected through the specified interface for the VSAN...
  • Page 604: Renaming Zones, Zone Sets, And Aliases

    Configuring and Managing Zones Renaming Zones, Zone Sets, and Aliases Command or Action Purpose Step 2 switch# zone copy vsan vsan-id active-zoneset scp://guest@myserver/tmp/active_zoneset.txt Copies the active zone in the specified VSAN to a remote location using SCP. Renaming Zones, Zone Sets, and Aliases To rename a zone, zone set, fcalias, or zone-attribute-group, perform this task: Procedure Command or Action...
  • Page 605: Clearing The Zone Server Database

    Configuring and Managing Zones Clearing the Zone Server Database Command or Action Purpose Step 6 switch(config)# zoneset activate name newname vsan vsan-id Activates the zone set and updates the new zone name in the active zone set. Clearing the Zone Server Database You can clear all configured information in the zone server database for the specified VSAN....
  • Page 606: Enhanced Zoning

    Configuring and Managing Zones Enhanced Zoning Enhanced Zoning The zoning feature complies with the FC-GS-4 and FC-SW-3 standards. Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section. About Enhanced Zoning The following table lists the advantages of the enhanced zoning feature in all switches in the Cisco Nexus 5000 Series.
  • Page 607: Changing From Basic Zoning To Enhanced Zoning

    Configuring and Managing Zones Changing from Basic Zoning to Enhanced Zoning Table columns: Basic Zoning, Enhanced Zoning, Enhanced Zoning Advantages. be misunderstood by the non-Cisco switches. Basic Zoning: The fWWN-based zone membership is only supported in... Enhanced Zoning: Supports fWWN-based membership in the standard interop... Enhanced Zoning Advantages: The fWWN-based member type is standardized....
  • Page 608: Modifying The Zone Database

    Configuring and Managing Zones Modifying the Zone Database Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# zone mode enhanced vsan vsan-id Enables enhanced zoning in the specified VSAN. Step 3 switch(config)# no zone mode enhanced vsan vsan-id Disables enhanced zoning in the specified VSAN....
  • Page 609: Merging The Database

    Configuring and Managing Zones Merging the Database If session locks remain on remote switches after using the no zone commit vsan command, you can use the clear zone lock vsan command on the remote switches. switch# clear zone lock vsan 2 We recommend using the no zone commit vsan command first to release the session lock in the fabric.
  • Page 610: Configuring Zone Merge Control Policies

    Configuring and Managing Zones Configuring Zone Merge Control Policies To configure merge control policies, perform this task: Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# zone merge-control restrict vsan vsan-id Configures a restricted merge control setting for this VSAN....
  • Page 611: Verifying Enhanced Zone Information

    Configuring and Managing Zones Verifying Enhanced Zone Information Command or Action Purpose Step 3 switch(config)# no system default zone default-zone permit Configures deny (default) as the default zoning policy for new VSANs on the switch. Step 4 switch(config)# system default zone Enables full zone database distribution as the default for new VSANs on the switch....
  • Page 612: Default Basic Zone Settings

    Configuring and Managing Zones Default Basic Zone Settings The following example shows how to display full zoning analysis: switch# show zone analysis vsan 1 The following example shows how to display active zoning analysis: switch# show zone analysis active vsan 1 See the Cisco Nexus 5000 Series Switch Command Reference for the description of the information displayed in the command output.
  • Page 613: Distributing Device Alias Services

    Chapter: Distributing Device Alias Services. This chapter contains the following sections: • Distributing Device Alias Services, page 567. Distributing Device Alias Services: Switches in the Cisco Nexus 5000 Series support Distributed Device Alias Services (device aliases) on a fabric-wide basis.
  • Page 614: Device Alias Requirements

    Distributing Device Alias Services Device Alias Requirements Related Topics • Device Alias Modes, page 569 • Using Cisco Fabric Services, page 299 Device Alias Requirements Device aliases have the following requirements: • You can only assign device aliases to pWWNs. •...
  • Page 615: Creating Device Aliases

    Distributing Device Alias Services Creating Device Aliases • Effective database—The database currently used by the fabric. • Pending database—Your subsequent device alias configuration changes are stored in the pending database. If you modify the device alias configuration, you need to commit or discard the changes as the fabric remains locked during this period.
  • Page 616: Changing Device Alias Mode Guidelines

    Distributing Device Alias Services Changing Device Alias Mode Guidelines track of the device alias membership changes and enforce them accordingly. The primary benefit of operating in enhanced mode is that you have a single point of change. Whenever you change device alias modes, the change is distributed to other switches in the network only if device alias distribution is enabled or on.
  • Page 617: About Device Alias Distribution

    Distributing Device Alias Services About Device Alias Distribution Viewing the Device Alias Mode Setting To view the current device alias mode setting, enter the show device-alias status command. switch# show device-alias status Fabric Distribution: Enabled Database:- Device Aliases 0 Mode: Basic Locked By:- User "admin"...
  • Page 618: Fabric Lock Override

    Distributing Device Alias Services Discarding Changes Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# device-alias commit Commits the changes made to the currently active session. Discarding Changes If you discard the changes made to the pending database, the following events occur: •...
  • Page 619: Disabling And Enabling Device Alias Distribution

    Distributing Device Alias Services Disabling and Enabling Device Alias Distribution To display the status of the clear operation, use the show device-alias status command. switch# show device-alias status Fabric Distribution: Enabled Database:- Device Aliases 24 Status of the last CFS operation issued from this switch: ========================================================== Operation: Clear Session<--------------------Lock released by administrator Status: Success<-----------------------------Successful status of the operation...
  • Page 620: Importing A Zone Alias

    Distributing Device Alias Services Importing a Zone Alias • Each zone alias has only one member. • The member type is pWWN. If any name or definition conflict exists, the zone aliases are not imported. Ensure that you copy any required zone aliases to the device alias database as required by your configuration. When an import operation is complete, the modified alias database is distributed to all other switches in the physical fabric when you perform the commit operation.
  • Page 621: Default Device Alias Settings

    Distributing Device Alias Services Default Device Alias Settings Procedure Command or Action Purpose Step 1 switch# show zoneset [active] Displays the device aliases in the zone set information. Step 2 switch# show device-alias database [pending | pending-diffs] Displays the device alias database. Step 3 switch# show device-alias {pwwn pwwn-id Displays the device alias information for the...
  • Page 622 Distributing Device Alias Services Default Device Alias Settings Parameters and defaults: Database in use: Effective database. Database to accept changes: Pending database. Device alias fabric lock state: Locked with the first device alias task.
  • Page 623: Configuring Fibre Channel Routing Services And Protocols

    Chapter: Configuring Fibre Channel Routing Services and Protocols. This chapter contains the following sections: • Configuring Fibre Channel Routing Services and Protocols, page 577. Configuring Fibre Channel Routing Services and Protocols: Fabric Shortest Path First (FSPF) is the standard path selection protocol used by Fibre Channel fabrics. The FSPF feature is enabled by default on the E mode and TE mode Fibre Channel interfaces on Cisco Nexus 5000 Series switches.
  • Page 624: Fspf Examples

    Configuring Fibre Channel Routing Services and Protocols FSPF Examples • Uses a topology database to keep track of the state of the links on all switches in the fabric and associates a cost with each link. • Guarantees a fast reconvergence time in case of a topology change. Uses the standard Dijkstra algorithm, but there is a static dynamic option for a more robust, efficient, and incremental Dijkstra algorithm.
  • Page 625: Fspf Global Configuration

    Configuring Fibre Channel Routing Services and Protocols FSPF Global Configuration failure of a link in a SAN port channel does not trigger a route change, which reduces the risks of routing loops, traffic loss, or fabric downtime for route reconfiguration. Figure 70: Fault Tolerant Fabric with Redundant Links For example, if all links are of equal speed and no SAN port channels exist, the FSPF calculates four equal paths from A to C: A1-E-C, A2-E-C, A3-D-C, and A4-D-C.
  • Page 626: Configuring Fspf On A Vsan

    Configuring Fibre Channel Routing Services and Protocols Configuring FSPF on a VSAN Table 83: LSR Default Settings (LSR Option, Default, Description). Acknowledgment interval (RxmtInterval): 5 seconds. The time a switch waits for an acknowledgment from the LSR before retransmission. Refresh time (LSRefreshTime): 30 minutes. The time a switch waits before sending an LSR refresh...
  • Page 627: Enabling Or Disabling Fspf

    Configuring Fibre Channel Routing Services and Protocols Enabling or Disabling FSPF Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# no fspf config vsan vsan-id Deletes the FSPF configuration for the specified VSAN. Enabling or Disabling FSPF To enable or disable FSPF routing protocols, perform this task: Procedure...
  • Page 628: Configuring Fspf Link Cost

    Configuring Fibre Channel Routing Services and Protocols Configuring FSPF Link Cost Configuring FSPF Link Cost To configure FSPF link cost, perform this task: Procedure Command or Action Purpose Step 1 switch# configuration terminal Enters configuration mode. Step 2 switch(config)# interface fc slot/port Configures the specified interface, or if already configured, enters configuration mode for the specified interface.
  • Page 629: Configuring Dead Time Intervals

    Configuring Fibre Channel Routing Services and Protocols Configuring Dead Time Intervals Note: This value must be the same in the ports at both ends of the ISL. Caution: An error is reported at the command prompt if the configured dead time interval is less than the hello time interval.
  • Page 630: About Disabling Fspf For Specific Interfaces

    Configuring Fibre Channel Routing Services and Protocols About Disabling FSPF for Specific Interfaces Command or Action Purpose Step 3 switch(config-if)# fspf retransmit-interval value vsan vsan-id Specifies the retransmit time interval for unacknowledged link state updates in the specified VSAN. The default is 5 seconds. About Disabling FSPF for Specific Interfaces You can disable the FSPF protocol for selected interfaces.
  • Page 631: Fspf Routes

    Configuring Fibre Channel Routing Services and Protocols FSPF Routes FSPF Routes FSPF routes traffic across the fabric, based on entries in the FSPF database. These routes can be learned dynamically, or configured statically. About Fibre Channel Routes Each port implements forwarding logic, which forwards frames based on its FC ID. Using the FC ID for the specified interface and domain, you can configure the specified route (for example, FC ID 111211 and domain ID 3) in the switch with domain ID 1 (see the following figure).
  • Page 632: In-Order Delivery

    Configuring Fibre Channel Routing Services and Protocols In-Order Delivery Command or Action Purpose Step 5 switch(config)# fcroute fcid interface fc slot/port domain domain-id metric Adds a static route to the RIB. If this is an active route and the FIB (Forwarding Information Base) records are free, it is also added to the FIB....
  • Page 633: About Reordering San Port Channel Frames

    Configuring Fibre Channel Routing Services and Protocols About Reordering SAN Port Channel Frames • Frames in the network are delivered in the order in which they are transmitted. • Frames that cannot be delivered in order within the network latency drop period are dropped inside the network.
  • Page 634: Enabling In-Order Delivery Globally

    Configuring Fibre Channel Routing Services and Protocols Enabling In-Order Delivery Globally Enabling In-Order Delivery Globally To ensure that the in-order delivery parameters are uniform across all VSANs on the switch, enable in-order delivery globally. Only enable in-order delivery globally if this is a requirement across your entire fabric. Otherwise, enable IOD only for the VSANs that require this feature.
  • Page 635: Displaying The In-Order Delivery Status

    Configuring Fibre Channel Routing Services and Protocols Displaying the In-Order Delivery Status Displaying the In-Order Delivery Status Use the show in-order-guarantee command to display the present configuration status: switch# show in-order-guarantee global inorder delivery configuration:guaranteed VSAN specific settings vsan 1 inorder delivery:guaranteed vsan 101 inorder delivery:not guaranteed vsan 1000 inorder delivery:guaranteed vsan 1001 inorder delivery:guaranteed...
  • Page 636: Flow Statistics Configuration

    Configuring Fibre Channel Routing Services and Protocols Flow Statistics Configuration Flow Statistics Configuration Flow statistics count the ingress traffic in the aggregated statistics table. You can collect two kinds of statistics: • Aggregated flow statistics to count the traffic for a VSAN. •...
  • Page 637: Clearing Fib Statistics

    Configuring Fibre Channel Routing Services and Protocols Clearing FIB Statistics Clearing FIB Statistics Use the clear fcflow stats command to clear the aggregated flow counter. The following example clears the aggregated flow counters: switch# clear fcflow stats aggregated index 1 The following example clears the flow counters for source and destination FC IDs: switch# clear fcflow stats index 1 Displaying Flow Statistics...
  • Page 638 Configuring Fibre Channel Routing Services and Protocols Default FSPF Settings Parameters Default Hello interval 20 seconds. Dead interval 80 seconds. Distribution tree information Derived from the principal switch (root node). Routing table FSPF stores up to 16 equal cost paths to a given destination.
  • Page 639: Managing Flogi, Name Server, Fdmi, And Rscn Databases

    CHAPTER Managing FLOGI, Name Server, FDMI, and RSCN Databases This chapter contains the following sections: • Managing FLOGI, Name Server, FDMI, and RSCN Databases, page 593 Managing FLOGI, Name Server, FDMI, and RSCN Databases Information About Fabric Login In a Fibre Channel fabric, each host or disk requires an FC ID.
  • Page 640: Name Server Proxy

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Name Server Proxy Name Server Proxy The name server functionality maintains a database containing the attributes for all hosts and storage devices in each VSAN. Name servers allow a database entry to be modified by a device that originally registered the information.
  • Page 641: About Name Server Database Entries

    Managing FLOGI, Name Server, FDMI, and RSCN Databases About Name Server Database Entries About Name Server Database Entries The name server stores name entries for all hosts in the FCNS database. The name server permits an Nx port to register attributes during a PLOGI (to the name server) to obtain attributes of other hosts. These attributes are deregistered when the Nx port logs out either explicitly or implicitly.
  • Page 642: Displaying Fdmi

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Displaying FDMI • Host operating system (OS) name and version number All FDMI entries are stored in persistent storage and are retrieved when the FDMI process is started. Displaying FDMI The following example shows how to display all HBA details for a specified VSAN: switch# show fdmi database detail vsan 1 RSCN The Registered State Change Notification (RSCN) is a Fibre Channel service that informs hosts about changes...
  • Page 643: Configuring The Multi-Pid Option

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Configuring the multi-pid Option D2, and H belong to the same zone. If disks D1 and D2 are online at the same time, one of the following actions applies: • The multi-pid option is disabled on switch 1— Two RSCNs are generated to host H: one for the disk D1 and another for disk D2.
  • Page 644: Configuring The Rscn Timer

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Configuring the RSCN Timer The following example shows how to clear the RSCN statistics for the specified VSAN: switch# clear rscn statistics vsan 1 After clearing the RSCN statistics, you can view the cleared counters by entering the show rscn statistics command: switch# show rscn statistics vsan 1 Configuring the RSCN Timer...
  • Page 645: Rscn Timer Configuration Distribution

    Managing FLOGI, Name Server, FDMI, and RSCN Databases RSCN Timer Configuration Distribution RSCN Timer Configuration Distribution Because the timeout value for each switch is configured manually, a misconfiguration occurs when different switches time out at different times. This means different N-ports in a network can receive RSCNs at different times.
  • Page 646: Discarding The Rscn Timer Configuration Changes

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Discarding the RSCN Timer Configuration Changes Procedure (Command or Action, then Purpose):
    Step 1 switch# configure terminal
    Enters configuration mode.
    Step 2 switch(config)# rscn commit vsan timeout
    Commits the RSCN timer changes.
    Discarding the RSCN Timer Configuration Changes If you discard (abort) the changes made to the pending database, the configuration database remains unaffected and the lock is released.
  • Page 647: Default Rscn Settings

    Managing FLOGI, Name Server, FDMI, and RSCN Databases Default RSCN Settings Note: The pending database includes both existing and modified configuration.
    switch# show rscn pending
    rscn event-tov 2000 ms vsan 1
    rscn event-tov 2000 ms vsan 2
    rscn event-tov 300 ms vsan 10
    The following example shows how to display the difference between pending and active configurations:
    switch# show rscn pending-diff vsan 10
    - rscn event-tov 2000 ms vsan 10...
  • Page 649: Discovering Scsi Targets

    CHAPTER Discovering SCSI Targets This chapter contains the following sections: • Discovering SCSI Targets, page 603 Discovering SCSI Targets Information About SCSI LUN Discovery Small Computer System Interface (SCSI) targets include disks, tapes, and other storage devices. These targets do not register logical unit numbers (LUNs) with the name server.
  • Page 650: About Initiating Customized Discovery

    Discovering SCSI Targets About Initiating Customized Discovery Procedure (Command or Action, then Purpose):
    Step 1 switch# discover scsi-target {custom-list | local | remote | vsan vsan-id fcid fc-id} os {aix | hpux | linux | solaris | windows} [lun | target]
    Discovers SCSI targets for the specified operating system (OS).
    Examples of Starting SCSI LUN Discovery The following example discovers local SCSI targets for all operating systems (OSs):...
  • Page 651 Discovering SCSI Targets Displaying SCSI LUN Information The following example displays the discovered targets:
    switch# show scsi-target status
    discovery completed
    Note: This command takes several minutes to complete, especially if the fabric is large or if several devices are slow to respond.
    The following example displays the FCNS database:
    switch# show fcns database
    The following example displays the SCSI target disks:...
  • Page 653: Advanced Fibre Channel Features And Concepts

    CHAPTER Advanced Fibre Channel Features and Concepts This chapter contains the following sections: • Advanced Fibre Channel Features and Concepts, page 607 Advanced Fibre Channel Features and Concepts Fibre Channel Timeout Values You can modify Fibre Channel protocol-related timer values for the switch by configuring the following timeout values (TOVs): •...
  • Page 654: Timer Configuration Per-Vsan

    Advanced Fibre Channel Features and Concepts Timer Configuration Per-VSAN Note: If a VSAN is not specified when you change the timer value, the changed value is applied to all VSANs in the switch. To configure Fibre Channel timers across all VSANs, perform this task: Procedure Command or Action Purpose...
  • Page 655: About Fctimer Distribution

    Advanced Fibre Channel Features and Concepts About fctimer Distribution About fctimer Distribution You can enable per-VSAN fctimer fabric distribution for all Cisco SAN switches in the fabric. When you perform fctimer configurations, and distribution is enabled, that configuration is distributed to all the switches in the fabric.
  • Page 656: Discarding Fctimer Changes

    Advanced Fibre Channel Features and Concepts Discarding fctimer Changes After making the configuration changes, you can choose to discard the changes instead of committing them. In either case, the lock is released. To discard the fctimer configuration changes, perform this task: Procedure Command or Action Purpose...
  • Page 657: Verifying Configured Fctimer Values

    Advanced Fibre Channel Features and Concepts Verifying Configured fctimer Values Verifying Configured fctimer Values Use the show fctimer command to display the configured fctimer values. The following example displays the configured global TOVs: switch# show fctimer F_S_TOV D_S_TOV E_D_TOV R_A_TOV ---------------------------------------- 5000 ms 5000 ms...
  • Page 658: Verifying Wwn Information

    Advanced Fibre Channel Features and Concepts Verifying WWN Information Verifying WWN Information Use the show wwn commands to display the status of the WWN configuration. The following example displays the status of all WWNs: switch# show wwn status Type Configured Available Resvd.
  • Page 659: Default Company Id List

    Advanced Fibre Channel Features and Concepts Default Company ID List Some HBAs do not discover targets that have FC IDs with the same domain and area. The switch software maintains a list of tested company IDs that do not exhibit this behavior. These HBAs are allocated with single FC IDs.
  • Page 660: Verifying The Company Id Configuration

    Advanced Fibre Channel Features and Concepts Verifying the Company ID Configuration Procedure (Command or Action, then Purpose):
    Step 1 switch# configure terminal
    Enters configuration mode.
    Step 2 switch(config)# fcid-allocation area company-id value
    Adds a new company ID to the default list.
    Step 3 switch(config)# no fcid-allocation area Deletes a company ID from the default...
  • Page 661: About Interop Mode

    Advanced Fibre Channel Features and Concepts About Interop Mode Note: For more information on configuring interoperability for Cisco Nexus 5000 Series switches, see the Cisco MDS 9000 Family Switch-to-Switch Interoperability Configuration Guide. About Interop Mode Cisco NX-OS software supports the following four interop modes: •...
  • Page 662 Advanced Fibre Channel Features and Concepts About Interop Mode Switch Feature Changes if Interoperability Is Enabled D_S_TOV Verify that the Distributed Services Time Out Value timers match exactly. E_D_TOV Verify that the Error Detect Time Out Value timers match exactly. R_A_TOV Verify that the Resource Allocation Time Out Value timers match exactly.
  • Page 663: Configuring Interop Mode 1

    Advanced Fibre Channel Features and Concepts Configuring Interop Mode 1 Switch Feature Changes if Interoperability Is Enabled continues to use src-id, dst-id, and ox-id to load balance across multiple ISL links. Domain reconfiguration disruptive This is a switch-wide impacting event. Brocade and McData require the entire switch to be placed in offline mode and/or rebooted when changing domain IDs.
  • Page 664: Verifying Interoperating Status

    Advanced Fibre Channel Features and Concepts Verifying Interoperating Status Note: The Cisco Nexus 5000 Series, Brocade, and McData FC Error Detect (ED_TOV) and Resource Allocation (RA_TOV) timers default to the same values. They can be changed if needed. The RA_TOV default is 10 seconds, and the ED_TOV default is 2 seconds.
  • Page 665 Advanced Fibre Channel Features and Concepts Verifying Interoperating Status Software BIOS: version 1.2.0 loader: version N/A kickstart: version 4.0(1a)N1(1) system: version 4.0(1a)N1(1) BIOS compile time: 06/19/08 kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N1.latest.bin kickstart compile time: 11/25/2008 6:00:00 [11/25/2008 14:17:12] system image file is: bootflash:/n5000-uk9.4.0.1a.N1.latest.bin system compile time: 11/25/2008 6:00:00 [11/25/2008 14:59:49]...
  • Page 666 Advanced Fibre Channel Features and Concepts Verifying Interoperating Status interface fc2/2 no shutdown interface fc2/3 interface fc2/4 <snip> interface mgmt0 ip address 6.1.1.96 255.255.255.0 switchport encap default no shutdown vsan database vsan 1 interop boot system bootflash:/nx5000-system-23e.bin boot kickstart bootflash:/nx5000-kickstart-23e.bin callhome fcdomain domain 100 preferred vsan 1 ip route 6.1.1.0 255.255.255.0 6.1.1.1...
  • Page 667 Advanced Fibre Channel Features and Concepts Verifying Interoperating Status Example: switch# show fcdomain vsan 1 The local switch is a Subordinated Switch. Local switch run time information: State: Stable Local switch WWN: 20:01:00:05:30:00:51:1f Running fabric name: 10:00:00:60:69:22:32:91 Running priority: 128 Current domain ID: 0x64(100) <---------------verify domain id Local switch configuration information: State: Enabled...
  • Page 668 Advanced Fibre Channel Features and Concepts Verifying Interoperating Status --------- ----------------------- Step 7 Verify the next hop and destination for the switch. Example: switch# show fspf internal route vsan 1 FSPF Unicast Routes --------------------------- VSAN Number Dest Domain Route Cost Next hops ----------------------------------------------- 0x61(97)
  • Page 669: Default Settings For Advanced Features

    Advanced Fibre Channel Features and Concepts Default Settings for Advanced Features Default Settings for Advanced Features The following table lists the default settings for the features included in this chapter. Table 88: Default Settings for Advanced Features Parameters Default CIM server Disabled CIM server security protocol HTTP...
  • Page 671: Configuring Fc-Sp And Dhchap

    CHAPTER Configuring FC-SP and DHCHAP This chapter contains the following sections: • Configuring FC-SP and DHCHAP, page 625 Configuring FC-SP and DHCHAP Fibre Channel Security Protocol (FC-SP) capabilities provide switch-to-switch and host-to-switch authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco Nexus 5000 Series switches and other devices.
  • Page 672: Dhchap

    Configuring FC-SP and DHCHAP DHCHAP Cisco Nexus 5000 Series switches support authentication features to address physical security (see the following figure). Figure 74: Switch and Host Authentication Note: Fibre Channel Host Bus Adapters (HBAs) with appropriate firmware and drivers are required for host-switch authentication.
  • Page 673: Dhchap Compatibility With Fibre Channel Features

    Configuring FC-SP and DHCHAP DHCHAP Compatibility with Fibre Channel Features DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication. DHCHAP negotiates hash algorithms and DH groups before performing authentication. It supports MD5 and SHA-1 algorithm-based authentication. To configure DHCHAP authentication using the local password database, perform this task: Procedure Step 1...
  • Page 674: About Dhchap Authentication Modes

    Configuring FC-SP and DHCHAP About DHCHAP Authentication Modes About DHCHAP Authentication Modes The DHCHAP authentication status for each interface depends on the configured DHCHAP port mode. When the DHCHAP feature is enabled in a switch, each Fibre Channel interface or FCIP interface may be configured to be in one of four DHCHAP port modes: •...
  • Page 675: About The Dhchap Hash Algorithm

    Configuring FC-SP and DHCHAP About the DHCHAP Hash Algorithm Procedure (Command or Action, then Purpose):
    Step 2 switch(config)# interface fc slot/port - slot/port
    Selects a range of interfaces and enters the interface configuration mode.
    Step 3 switch(config-if)# fcsp on
    Sets the DHCHAP mode for the selected interfaces to be in the on state.
  • Page 676: About The Dhchap Group Settings

    Configuring FC-SP and DHCHAP About the DHCHAP Group Settings Procedure (Command or Action, then Purpose):
    Step 2 switch(config)# fcsp dhchap hash [md5] [sha1]
    Configures the use of the MD5 or SHA-1 hash algorithm.
    Step 3 switch(config)# no fcsp dhchap hash sha1
    Reverts to the factory default priority list of the MD5 hash algorithm followed by the SHA-1 hash algorithm.
  • Page 677: Configuring Dhchap Passwords For The Local Switch

    Configuring FC-SP and DHCHAP Configuring DHCHAP Passwords for the Local Switch Note: All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted. We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Configuration 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database.
  • Page 678: About The Dhchap Timeout Value

    Configuring FC-SP and DHCHAP About the DHCHAP Timeout Value About the DHCHAP Timeout Value During the DHCHAP protocol exchange, if the Cisco Nexus 5000 Series switch does not receive the expected DHCHAP message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no authentication is performed) to 1000 seconds.
  • Page 679: Sample Configuration

    Configuring FC-SP and DHCHAP Sample Configuration Sample Configuration This section provides the steps to configure the example illustrated in the following figure. Figure 75: Sample DHCHAP Authentication To configure the authentication setup shown in the above figure, perform this task: Procedure Step 1 Obtain the device name of the Cisco Nexus 5000 Series switch in the fabric.
  • Page 680: Default Fabric Security Settings

    Configuring FC-SP and DHCHAP Default Fabric Security Settings Example: switch# show fcsp dhchap database DHCHAP Local Password: Non-device specific password:******* Other Devices' Passwords: Password for device with WWN:20:00:00:05:30:00:38:5e is ******* Step 7 Display the DHCHAP configuration in the Fibre Channel interface. Example: switch# show fcsp interface fc2/4 fc2/4...
  • Page 681: Configuring Port Security

    CHAPTER Configuring Port Security This chapter contains the following sections: • Configuring Port Security, page 635 Configuring Port Security Cisco Nexus 5000 Series switches provide port security features that reject intrusion attempts and report these intrusions to the administrator.
  • Page 682: About Auto-Learning

    Configuring Port Security About Auto-Learning Each N and xE port can be configured to restrict a single port or a range of ports. Enforcement of port security policies is done on every activation and when the port tries to come up. The port security feature uses two databases to accept and implement configuration changes.
  • Page 683: Configuring Port Security With Auto-Learning And Cfs Distribution

    Configuring Port Security Configuring Port Security After the database is activated, subsequent device login is subject to the activated port bound WWN pairs, excluding the auto-learned entries. You must disable auto-learning before the auto-learned entries become activated. When you activate the port security feature, auto-learning is also automatically enabled. You can choose to activate the port security feature and disable auto-learning.
  • Page 684: Configuring Port Security With Auto-Learning Without Cfs

    Configuring Port Security Configuring Port Security with Auto-Learning without CFS Configuring Port Security with Auto-Learning without CFS To configure port security using auto-learning without CFS, perform this task: Procedure Step 1 Enable port security. Step 2 Activate port security on each VSAN, which turns on auto-learning by default. Step 3 Wait until all switches and all hosts are automatically learned.
  • Page 685: Port Security Activation

    Configuring Port Security Port Security Activation Procedure (Command or Action, then Purpose):
    Step 1 switch# configure terminal
    Enters configuration mode.
    Step 2 switch(config)# port-security enable
    Enables port security on that switch.
    Step 3 switch(config)# no port-security enable
    Disables (default) port security on that switch.
  • Page 686: Database Reactivation

    Configuring Port Security Database Reactivation Note: If you force the activation, existing devices are logged out if they violate the active database. You can view missing or conflicting entries using the port-security database diff active vsan command in EXEC mode. To forcefully activate the port security database, perform this task: Procedure Command or Action...
  • Page 687: Auto-Learning

    Configuring Port Security Auto-Learning Auto-Learning About Enabling Auto-Learning The state of the auto-learning configuration depends on the state of the port security feature: • If the port security feature is not activated, auto-learning is disabled by default. • If the port security feature is activated, auto-learning is enabled by default (unless you explicitly disabled this option).
  • Page 688: Authorization Scenario

    Configuring Port Security Authorization Scenario Table 91: Authorized Auto-Learning Device Requests Condition Device (pWWN, nWWN, Requests Connection to Authorization sWWN) Configured with one or A configured switch port Permitted more switch ports Any other switch port Denied Not configured A switch port that is not Permitted if auto-learning configured enabled...
  • Page 689 Configuring Port Security Authorization Scenario Device Connection Authorization Condition Reason Request P2, N2, F1 Permitted No conflict. P3, N2, F1 Denied F1 is bound to P1/P2. P1, N3, F1 Permitted Wildcard match for N3. P1, N1, F3 Permitted Wildcard match for F3. P1, N4, F5 Denied P1 is bound to F1.
  • Page 690: Port Security Manual Configuration

    Configuring Port Security Port Security Manual Configuration Port Security Manual Configuration To configure port security on a Cisco Nexus 5000 Series switch, perform this task: Procedure Step 1 Identify the WWN of the ports that need to be secured. Step 2 Secure the fWWN to an authorized nWWN or pWWN.
  • Page 691: Port Security Configuration Distribution

    Configuring Port Security Port Security Configuration Distribution Procedure (Command or Action, then Purpose):
    Step 1 switch# configure terminal
    Enters configuration mode.
    Step 2 switch(config)# port-security database vsan vsan-id
    Enters the port security database mode for the specified VSAN.
    Step 3 switch(config)# no port-security database vsan vsan-id
    Deletes the port security configuration database from the specified VSAN.
  • Page 692: Locking The Fabric

    Configuring Port Security Locking the Fabric For example, if you activate port security, follow up by disabling auto-learning, and finally commit the changes in the pending database, then the net result of your actions is the same as entering a port-security activate vsan vsan-id no-auto-learn command.
  • Page 693: Discarding The Changes

    Configuring Port Security Discarding the Changes Discarding the Changes If you discard (abort) the changes made to the pending database, the configuration remains unaffected and the lock is released. To discard the port security configuration changes for the specified VSAN, perform this task: Procedure Command or Action Purpose...
  • Page 694: Port Security Database Merge Guidelines

    Configuring Port Security Port Security Database Merge Guidelines Scenario Actions Distribution = OFF Distribution = ON 3. You issue a commit. Not applicable configuration database = {A,B, E} active database = {A,B, E, C*, D*} pending database = empty A and B exist in the 1.
  • Page 695: Database Interaction

    Configuring Port Security Database Interaction Related Topics • CFS Merge Support, page 303 Database Interaction The following table lists the differences and interaction between the active and configuration databases. Table 94: Active and Configuration Port Security Databases Active Database Configuration Database Read-only.
  • Page 696: Database Scenarios

    Configuring Port Security Database Scenarios The following figure illustrates various scenarios showing the active database and the configuration database status based on port security configurations. Figure 76: Port Security Database Scenarios
  • Page 697: Copying The Port Security Database

    Configuring Port Security Copying the Port Security Database Copying the Port Security Database We recommend that you copy the active database to the config database after disabling auto-learning. This action will ensure that the configuration database is in synchronization with the active database. If distribution is enabled, this command creates a temporary copy (and consequently a fabric lock) of the configuration database.
  • Page 698: Displaying Port Security Configuration

    Configuring Port Security Displaying Port Security Configuration Use the port-security clear vsan command to clear the pending session in the VSAN from any switch in the VSAN. switch# clear port-security session vsan 5 Displaying Port Security Configuration The show port-security database commands display the configured port security information. You can optionally specify a fWWN and a VSAN, or an interface and a VSAN in the show port-security command to view the output of the activated port security.
  • Page 699: Configuring Fabric Binding

    CHAPTER Configuring Fabric Binding This chapter contains the following sections: • Configuring Fabric Binding, page 653 Configuring Fabric Binding Information About Fabric Binding The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis.
  • Page 700: Fabric Binding Enforcement

    Configuring Fabric Binding Fabric Binding Enforcement Fabric Binding Port Security to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list). Requires activation on a per VSAN basis.
  • Page 701: Enabling Fabric Binding

    Configuring Fabric Binding Enabling Fabric Binding Procedure Step 1 Enable the fabric configuration feature. Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric. Step 3 Activate the fabric binding database. Step 4 Copy the fabric binding active database to the fabric binding configuration database.
  • Page 702: About Fabric Binding Activation And Deactivation

    Configuring Fabric Binding About Fabric Binding Activation and Deactivation Procedure (Command or Action, then Purpose):
    Step 2 switch(config)# fabric-binding database vsan vsan-id
    Enters the fabric binding submode for the specified VSAN.
    Step 3 switch(config)# no fabric-binding database vsan vsan-id
    Deletes the fabric binding database for the specified VSAN.
  • Page 703: Forcing Fabric Binding Activation

    Configuring Fabric Binding Forcing Fabric Binding Activation Forcing Fabric Binding Activation If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option. To forcefully activate the fabric binding database, perform this task: Procedure Command or Action...
  • Page 704: Deleting The Fabric Binding Database

    Configuring Fabric Binding Deleting the Fabric Binding Database Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN.
    switch(config)# no fabric-binding database vsan 10
    Verifying Fabric Binding Information To display fabric binding information, perform one of the following tasks: Procedure Command or Action...
  • Page 705: Default Fabric Binding Settings

    Configuring Fabric Binding Default Fabric Binding Settings The following table lists the default settings for the fabric binding feature. Table 97: Default Fabric Binding Settings (Parameters: Default). Fabric binding: Disabled.
  • Page 707: Configuring Fabric Configuration Servers

    CHAPTER Configuring Fabric Configuration Servers This chapter contains the following sections: • Configuring Fabric Configuration Servers, page 661 Configuring Fabric Configuration Servers Information About FCS The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a repository of configuration information of fabric elements.
  • Page 708: Fcs Characteristics

    Configuring Fabric Configuration Servers FCS Characteristics not known to both of them. FCS operations can be done only on those switches that are visible in the VSAN. M2 can send FCS requests only for VSAN 2 even though S3 is also a part of VSAN 1. Figure 77: FCSs in a VSAN Environment FCS Characteristics FCSs have the following characteristics:...
  • Page 709: Fcs Name Specification

    Configuring Fabric Configuration Servers FCS Name Specification You can specify if the unique name verification is for the entire fabric (globally) or only for locally (default) registered platforms. Note: Set this command globally only if every switch in the fabric belongs to the Cisco MDS 9000 Family or Cisco Nexus 5000 Series of switches.
  • Page 711: Configuring Port Tracking

    CHAPTER Configuring Port Tracking This chapter contains the following sections: • Configuring Port Tracking, page 665 Configuring Port Tracking Cisco Nexus 5000 Series switches offer the port tracking feature on physical Fibre Channel interfaces (but not on virtual Fibre Channel interfaces).
  • Page 712: Configuring Port Tracking

    Configuring Port Tracking Configuring Port Tracking In the following figure, when the direct link 1 to the host fails, recovery can be immediate. However, when the ISL 2 fails between the two switches, recovery depends on TOVs, RSCNs, and other factors. Figure 78: Traffic Recovery Using Port Tracking The port tracking feature monitors and detects failures that cause topology changes and brings down the links connecting the attached devices.
  • Page 713: Enabling Port Tracking

    Configuring Port Tracking Enabling Port Tracking • Do not track a linked port back to itself (for example, Port fc2/2 to Port fc2/4 and back to Port fc2/2) to avoid recursive dependency. Enabling Port Tracking The port tracking feature is disabled by default in Cisco Nexus 5000 Series switches. When you enable this feature, port tracking is globally enabled for the entire switch.
  • Page 714: About Tracking Multiple Ports

    Configuring Port Tracking About Tracking Multiple Ports About Tracking Multiple Ports You can control the operational state of the linked port based on the operational states of multiple tracked ports. When more than one tracked port is associated with a linked port, the operational state of the linked port will be set to down only if all the associated tracked ports are down.
  • Page 715: Monitoring Ports In A Vsan

    Configuring Port Tracking Monitoring Ports in a VSAN The specified VSAN does not have to be the same as the port VSAN of the linked port. Monitoring Ports in a VSAN To monitor a tracked port in a specific VSAN, perform this task: Procedure Command or Action Purpose...
  • Page 716: Displaying Port Tracking Information

    Configuring Port Tracking Displaying Port Tracking Information Displaying Port Tracking Information The show commands display the current port tracking settings for the switch. The following example shows how to display tracked port configuration for a specific interface: switch# show interface fc2/1 fc2/1 is down (Administratively down) Hardware is Fibre Channel, FCOT is short wave laser w/o OFC (SN) Port WWN is 20:01:00:05:30:00:0d:de...
  • Page 717: Troubleshooting

    PART VIII Troubleshooting • Configuring SPAN, page 673 • Troubleshooting, page 681...
  • Page 719: Configuring Span

    CHAPTER Configuring SPAN This chapter contains the following sections: • Configuring SPAN, page 673 Configuring SPAN The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe, a Fibre Channel Analyzer, or other Remote Monitoring (RMON) probes.
  • Page 720: Span Destinations

    • Cannot be a destination port.
    • Each source port can be configured with a direction (ingress, egress, or both) to monitor. For VLAN, VSAN, port channel, and SAN port channel sources, the monitored direction can only be ingress and applies to all physical ports in the group.
  • Page 721: Creating And Deleting A Span Session

    Configuring SPAN
    Creating and Deleting a SPAN Session
    You create a SPAN session by assigning a session number using the monitor command. If the session already exists, any additional configuration is added to that session.
    Procedure
    Command or Action    Purpose
    Step 1...
  • Page 722: Configuring Fibre Channel Destination Port

    The following example shows configuring an Ethernet SPAN destination port:
        switch# configure terminal
        switch(config)# interface ethernet 1/3
        switch(config-if)# switchport monitor
        switch(config-if)# exit
        switch(config)# monitor session 2
        switch(config-monitor)# destination interface ethernet 1/3
    Configuring Fibre Channel Destination Port
    The SPAN destination port can only be a physical port on the switch.
  • Page 723: Configuring Source Port Channels, Vlans, Or Vsans

    Procedure
    Step 1
        Command or Action: switch(config-monitor)# source interface type slot/port [rx | tx | both]
        Purpose: Configures sources and the traffic direction in which to duplicate packets. You can enter a range of Ethernet, Fibre Channel, or virtual Fibre Channel ports.
  • Page 724: Activating A Span Session

    Procedure
    Step 1
        Command or Action: switch(config-monitor)# description description
        Purpose: Applies a descriptive name to the SPAN session.
    The following example shows configuring a description of a SPAN session:
        switch# configure terminal
        switch(config)# monitor session 2
        switch(config-monitor)# description monitoring ports fc2/2-fc2/4
    Activating a SPAN Session
    The default is to keep the session state shut.
  • Page 725: Displaying Span Information

    Displaying SPAN Information
    To display SPAN information, perform this task:
    Procedure
    Step 1
        Command or Action: switch# show monitor [session {all | session-number | range session-range} [brief]]
        Purpose: Displays the SPAN configuration.
    This example shows how to display SPAN session information:
        switch# show monitor
        SESSION STATE...
  • Page 727: Recovering A Lost Password

    Chapter: Troubleshooting
    • Troubleshooting, page 681
    Troubleshooting
    Recovering a Lost Password
    This section describes how to recover a lost network administrator password using the console port of the switch. You can recover the network administrator password using one of two methods:
    •...
  • Page 728: Power Cycling The Switch

    Example:
        switch# configure terminal
        switch(config)# username admin password <new password>
        switch(config)# exit
    Step 3 Save the configuration.
    Example:
        switch# copy running-config startup-config
    Power Cycling the Switch
    If you cannot start a session on the switch that has network-admin privileges, you must recover the network administrator password by power cycling the switch.
  • Page 729: Using Ethanalyzer

    Example:
        switch(boot)# dir bootflash:
    Step 5 Load the Cisco NX-OS system software image.
    Example: In the following example, the system image filename is nx-os.bin:
        switch(boot) # load bootflash:nx-os.bin
    Step 6 Log in to the switch using the new administrator password.
    Example:
        switch login: admin
        Password: <new password>...
  • Page 730

    Command or Action    Purpose
    Step 4
        Command or Action: switch# ethanalyzer local interface interface limit-frame-size
        Purpose: Limits the length of the frame to capture.
    Step 5
        Command or Action: switch# ethanalyzer local interface interface capture-filter
        Purpose: Filters the types of packets to capture.
    Step 6 switch# ethanalyzer local interface Filters the types of captured packets to display.
  • Page 731

    This example shows detailed captured data for one HSRP packet:
        switch(config)# ethanalyzer local interface mgmt capture-filter "tcp port 23" limit-captured-frames 1
        Capturing on eth0
        Frame 1 (60 bytes on wire, 60 bytes captured)
        Arrival Time: Jan 25, 2005 08:49:49.250719000
        [Time delta from previous captured frame: 1106642989.250719000 seconds]
        [Time delta from previous displayed frame: 1106642989.250719000 seconds]
        [Time since reference or first frame: 1106642989.250719000 seconds]...
  • Page 732: Troubleshooting Fibre Channel

    Troubleshooting Fibre Channel
    fctrace
    The fctrace feature provides the following capabilities:
    • Trace the route followed by data traffic.
    • Compute inter-switch (hop-to-hop) latency.
    You can invoke fctrace by providing the FC ID, the N port WWN, or the device alias of the destination. The trace frame is routed normally through the network until it reaches the far edge of the fabric.
  • Page 733: Fcping

    This example shows invoking fctrace using the device alias of the destination N port.
        switch# fctrace device-alias disk1 vsan 1
        Route present for : 22:00:00:0c:50:02:ce:f8
        20:00:00:05:30:00:31:1e(0xfffca9)
    fcping
    The fcping feature verifies reachability of a node by checking its end-to-end connectivity. You can invoke the fcping feature by providing the FC ID, the destination port WWN, or the device alias information.
  • Page 734: Verifying Switch Connectivity

    This example shows invoking fcping for the specified device alias of the destination:
        switch# fcping device-alias disk1 vsan 1
        28 bytes from 22:00:00:0c:50:02:ce:f8 time = 1883 usec
        28 bytes from 22:00:00:0c:50:02:ce:f8 time = 493 usec
        28 bytes from 22:00:00:0c:50:02:ce:f8 time = 277 usec
        28 bytes from 22:00:00:0c:50:02:ce:f8 time = 391 usec
        28 bytes from 22:00:00:0c:50:02:ce:f8 time = 319 usec
        5 frames sent, 5 frames received, 0 timeouts...
  • Page 735: Show Tech-Support Command

    show tech-support Command
    The show tech-support command is useful when collecting a large amount of information about the switch for troubleshooting purposes. The output of this command can be provided to technical support representatives when reporting a problem. The show tech-support command displays the output of several show commands at once.
  • Page 736

    • show interface brief
    • show interface
    • show running-config
    • show startup-config
    • show ip route
    • show arp
    • show monitor session all
    • show accounting log
    • show process
    • show process cpu
    •...
  • Page 737: Show Tech-Support Brief Command

    • show aclmgr status
    • show aclmgr internal dictionaries
    • show aclmgr internal log
    • show aclmgr internal ppf
    • show aclmgr internal state-cache
    • show access-lists
    • show platform software ethpm internal info all
    •...
  • Page 738

    This example shows how to display a condensed view of the switch configurations:
        switch# show tech-support brief
        Switch Name : switch
        Switch Type
        Kickstart Image : 4.0(0) bootflash:///nuova-or-kickstart-nsg.4.0.0.001.bin
        System Image : 4.0(0) bootflash:/nuova-or-system-nsg.4.0.0.001.binnms-or-47
        IP Address/Mask : 172.16.24.47/24
        Switch WWN : 20:00:00:0d:ec:6b:cd:c0...
  • Page 739: Show Tech-Support Fc Command

        -------------------------------------------------------------------------------
        mgmt0 172.16.24.47 1500
    show tech-support fc Command
    Use the show tech-support fc command to obtain information about the FC configuration on your switch. The output of the show tech-support fc command includes the output of the following commands:
    •...
  • Page 740

    • show fcs ie
    • show fctimer
    • show flogi database
    • show flogi internal info
    • show fspf
    • show fspf database
    • show tech-support rscn
    • show rscn internal vsan 1-4093
    • show rscn internal event-history
    •...
  • Page 741: Show Tech-Support Platform Command

    • show zone analysis vsan 1-4093
    • show zone ess vsan 1-4093
    • show zone internal vsan 1-4093
    • show zone internal change event-history vsan 1-4093
    • show zone internal ifindex-table vsan 1-4093
    • show zone internal merge event-history vsan 1-4093
    •...
  • Page 742

    • show platform fwm info ppf
    • show platform fwm info pss all
    • show platform hardware fwm info vlan all
    • show platform hardware fwm info pif all
    • show platform hardware fwm info lif all
    •...
  • Page 743: Default Settings For Troubleshooting Features

    • show system internal rib system-attributes
    • show system internal rib unicast
    • show system internal rib vsan-attributes
    • show system internal fcfwd fwidxmap if_index
    • show system internal fcfwd idxmap interface-to-port
    • show system internal fcfwd pcmap
    •...
  • Page 745: Appendix

    Appendix
    • Configuration Limits, page 699
    Configuration Limits
    The features supported by the Cisco Nexus 5000 Series switch have maximum configuration limits. Some of these limits apply only when one or more Cisco Nexus 2000 Series Fabric Extender units are attached to the switch.
  • Page 746 Appendix Configuration Limits Table 102: Fibre Channel Environments Parameter Limit Device Aliases per fabric 8,000 Switches per physical fabric or VSAN Domains per VSAN Native FC Links per switch 16—Requires two N5K-M1008 expansion modules. FLOGIs or FDISCs per NPV port group Zones per virtual or physical F port (includes all VSANs) Zone sets per switch (includes all VSANs)
  • Page 747

    Table 103: General Parameters
    Parameter | Limit
    Maximum Fabric Extenders per Cisco Nexus 5000 Series switch | 12 units
    Maximum Fabric Extenders dual-homed to a vPC Cisco Nexus 5000 Series switch pair | 12 units
    Maximum number of hosts connected to Fabric Extenders connected to Cisco Nexus 5000 Series switches | 480 hosts
    ...