Dcufiv4 Lab PDF

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Implementing Cisco Data
Center Unified Fabric
v4.0 (DCUFI) Lab Guide
L5292C-001-2
November 2011
For individual use only; may not be reprinted, reused, or distributed without the express written consent of Global Knowledge.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Implementing Cisco Data Center Unified
Fabric v4.0 (DCUFI) Lab Guide
L5292C-001-2
November 2011
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Copyright Information
Copyright 2011 by Global Knowledge Training LLC
The following publication, Implementing Cisco Data Center Unified Fabric v4.0 (DCUFI) Lab Guide, was
developed by Global Knowledge Training LLC. All rights reserved. No part of this publication may be
reproduced or distributed in any form or by any means without the prior written permission of the copyright
holder.
This courseware may contain images from Cisco Systems. All Cisco images are copyright Cisco Systems,
Inc.
Products and company names are the trademarks, registered trademarks, and service marks of their
respective owners. Throughout this manual, Global Knowledge has used its best efforts to distinguish
proprietary trademarks from descriptive names by following the capitalization styles used by the
manufacturer.
Global Knowledge Project Team
CARLY STOUGHTON Course Director
ERIC STRAUSE Product Director, Cisco Product Management
JENNIFER SCOTT Product Manager, Cisco Product Management
9000 Regency Parkway
Cary, North Carolina 27518
Phone: 919-461-8600
1-800-COURSES
Fax: 919-461-8646
www.globalknowledge.com Printed in Canada
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Implementing Cisco Data Center Unified Fabric (DCUFI) v4.0 Lab Guide TOC-1
Global Knowledge Training LLC
Table of Contents
Lab 0: Accessing Remote Labs ................................................................................ L0-1
Lab 1: Configuring Layer 2 Switching .................................................................... L1-1
Lab 2: Configuring Layer 3 Switching .................................................................... L2-1
Lab 3: Configuring Security Features ...................................................................... L3-1
Lab 4: Configuring OTV .......................................................................................... L4-1
Lab 5: Implementing QoS for the Nexus 7000 ........................................................ L5-1
Lab 6: Configuring System Management ................................................................ L6-1
Lab 7: Implementing Cisco DCNM ......................................................................... L7-1
Lab 8: Configuring Cisco FabricPath ....................................................................... L8-1
Lab 9: Accessing Remote Labs: Nexus 5000 ........................................................... L9-1
Lab 10: System and Hardware Platform Management ............................................ L10-1
Lab 11: Configure the Nexus 2000 Fabric Extender ................................................ L11-1
Lab 12: Configuring Cisco vPC ............................................................................... L12-1
Lab 13: Configuring FCoE ....................................................................................... L13-1
Lab 14: Configuring NPV ........................................................................................ L14-1
Lab 15: Implementing QoS for the Nexus 5000 ...................................................... L15-1

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Table of Contents

TOC-2 Implementing Cisco Data Center Unified Fabric (DCUFI) v4.0 Lab Guide
Global Knowledge Training LLC

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 0: Accessing Remote Labs
The purpose of this lab is to introduce you to the Global Knowledge Remote Lab Environment
used for this class.
You will have access to a single Nexus 7010 switch with support for multiple VDCs (Virtual
Device Contexts). In the physical lab topology there will also be several other switches to
interconnect the Nexus 7000 VDCs and the Lab PC desktops. You will not configure these
other switches.
There is a Lab PC desktop allocated to you for remotely accessing the Nexus 7010 switch. This
lab will demonstrate how to access the various pieces of equipment, what features are available,
and how they are connected in the topology.
Each team (pair of students) will have a dedicated VDC on the Nexus 7010. This VDC will
already be setup for you with a basic configuration and a set of interfaces allocated.
Estimated Completion Time
30 minutes
Activity Objective
In this activity, you will access the Remote Labs system and familiarize yourself with the
interface and the devices. After completing this activity, you will be able to meet these
objectives:
Log in to Remote Labs
Become familiar with the lab topology and access all devices
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
L0-2 Implementing Cisco Data Center Unified Fabric (DCUFI) v4.0 2011 Global Knowledge Training LLC
Visual Objective
This figure portrays the Nexus 7000 lab topology you will be accessing. Each team will have a
dedicated VDC (Virtual Device Context) with basic configuration on the Nexus 7010 pictured,
as well as a PC corresponding to your VDC number.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
2011 Global Knowledge Training LLC Lab Guide L0-3
Task 1: Access the Remote Labs Environment
In this task you will connect to the Remote Labs environment, become familiar with the
interface, and access your devices.
Activity Procedure
Complete these steps:
Note Your team number corresponds to your assigned VDC number. Your assigned VDC will
either be 2, 3, or 4. Throughout the lab, your VDC number will be referenced with the letter
V. Replace V with your assigned VDC number.
Step 1 Examine the lab topology diagram in the visual objective to familiarize yourself
with the environment before we login.
The Global Knowledge Remote Labs environment is accessed via a web browser.
Each team will have a unique login, which will grant access to equipment assigned
to your team, including a Lab PC desktop system to work from. The tasks in the lab
guide can all be completed using the Lab PC desktop.
Step 2 Your instructor will provide the credentials necessary to log in to Remote Labs.
Write them down here for your reference:

VDC Number: _________________________________________________

User name: ____________________________________________________

Password: _____________________________________________________

Note When troubleshooting with your instructor, either verbally or via email, you will need to
provide the instructor with your VDC number and credentials.
Step 3 From the computer provided to you in the classroom (or from your own computer),
launch a web browser. Navigate to the following URL: http://www.remotelabs.com.
You can access Remote Labs from the classroom, and additionally from home via
the same steps outlined in this lab.
Step 4 You should see a Remote Labs login screen similar to the provided screenshot:
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Step 5 Log in using the credentials provided to you by your instructor. Accept the terms
and conditions by clicking the I Accept button.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 You should see the Live Labs start page when you have successfully logged in.

Step 7 In the upper left-hand side of the Live Labs page there is a countdown timer. This
timer indicates the amount time remaining in your lab reservation and will provide
ample time to complete the labs. Review the time you have left in your lab for the
week.

Step 8 Look at the options in the left-hand pane below the countdown timer. In the coming
steps we will select a Graphical Firewall option to use to access the labs, either
RDP or Tarantella. Under the Pod Links you can view information about your lab
and its initial setup.
Caution DO NOT use the Reset To link. Reset points are not used in this lab.
Step 9 The PC-Console link is how you will connect to the Lab Topology.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 The System Menu allows you to get help and log off of the Remote Labs
environment.

Step 11 Now you will connect to the Lab Topology. First, select a Graphical Firewall
option. RDP (Remote Desktop Protocol) is the preferred and simpler access method.
If you are at a site that blocks RDP connections, you may use the Tarantella Java-
based option.
Step 12 Click the Graphical drop-down menu under the Firewall pane and select RDP 443
(or Tarantella if RDP is not available at your site).

Step 13 Click OK and close any dialog boxes that open once setup has completed. Tarantella
connections may take several seconds for setup to complete.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 14 Click the PC-Console link.
This will open up an RDP session (or a Tarantella session) to the Remote Labs
equipment, landing you on the Lab Topology page. Click Open to launch the RDP
session, and trust connections to the server.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Note Both students in a single team can login to the PC-Console at the same time. One student
can type the commands for a given lab, while the other student shadows.
Step 15 When prompted, enter the user name and password provided by your instructor, and
click OK.
Step 16 Once the Remote Desktop window opens, you will see the Remote Lab Panel, with
the Lab Topology tab open. You should see a picture of the Remote Labs topology.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 17 There are several clickable icons in the Lab Topology. This is how you will access
your lab devices. Clicking an icon will open a new tab.

Step 18 Next, you will connect to your teams PC desktop. Do this by clicking on the PCV
icon labeled with your VDC (team) number. This will bring up a Windows system
with a number of applications on the desktop.
You will use Putty SSH to remotely connect to the management interface (mgmt0)
of the your VDC on the Nexus 7000 chassis.
Step 19 Open the Putty application on the desktop and start an SSH session to the
management IP address (mgmt0) of your assigned Cisco Nexus 7000 VDC, using
the provided table.
VDC Number Mgmt0 IP Address
VDC 2 (N7010-2) 10.1.1.22
VDC 3 (N7010-3) 10.1.1.23
VDC 4 (N7010-4) 10.1.1.24

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 20 Click Yes to acknowledge the Putty security alert to add the host key to the cache.

Step 21 Log in to your VDC with username admin and password C1sco12345. The host
name of the device should be N7010-V where V is your assigned VDC number.
Step 22 Your VDC should have a basic configuration loaded that includes the host name,
management IP settings, admin user settings, and allocated interfaces with
descriptions. View your configuration by issuing a show running-config command.
If the base configuration is missing notify your instructor before you move on.
Note The Nexus 7000 chassis has four VDCs: one management VDC and three student VDCs.
VDCs 2, 3 and 4 are assigned to students who you will interact with during the labs.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Job Aids
Use the following job aids while performing the lab tasks in this lab guide.
Lab Topology Diagram
This diagram describes the physical topology of the lab that is used in this course:

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab Connections
This table lists the physical connections between the devices that are used in this course. It may
be handy to tear out this page for reference during your labs, as interfaces will sometimes be
referenced as 1/C, or 2/F, where you will need to look up the appropriate interface for your
VDC. The 1 and 2 refer to which line card, or module, the interface resides on.
Nexus 7000 VDC Interface Table
Interface Variable
VDC 2
(N7010-2)
VDC 3
(N7010-3)
VDC 4
(N7010-4)
1/A E1/1 E1/2 E1/4
1/B E1/3 E1/5 E1/6
1/C E1/13 E1/14 E1/15
1/D E1/32 E1/33 E1/34
2/E E2/1 E2/3 E2/11
2/F E2/2 E2/4 E2/12
2/G E2/13 E2/15 E2/17
2/H E2/14 E2/16 E2/18
Management 0 interface IP addresses for the Nexus 7000 VDCs
VDC Number Mgmt0 IP Address
VDC 2 (N7010-2) 10.1.1.22
VDC 3 (N7010-3) 10.1.1.23
VDC 4 (N7010-4) 10.1.1.24

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 1: Configuring Layer 2 Switching
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will implement Layer 2 switching features on the Cisco Nexus 7000 and
5000 switches. After completing this activity, you will be able to meet these objectives:
Configure Layer 2 interfaces and implement and verify PVRST+
Implement and verify STP enhancements in order to optimize and protect spanning-tree
operation
Implement and verify MST
Visual Objective
The figure illustrates what you will accomplish in this activity.
E1/2
E1/5
VDC 3
E1/1
E1/3
VDC 2
E1/4 E1/6
mgmt0
10.1.1.24
TASK 1:
PVRSTP+
Root for VLAN 12
Secondary root
VLAN 13, 14
TASK 1:
PVRSTP+
Root for VLAN 13
Secondary root
VLAN 12, 14
TASK 1:
PVRSTP+
Root for VLAN 14
Secondary root
VLAN 12, 13
TASK 2:
STP port type network
STP port type
network
TASK 3: MST
Instance 0 = All others
Instance 1 = VLAN 13,14
Instance 2 = VLAN 10,12
mgmt0
10.1.1.22
mgmt0
10.1.1.23

Required Resources
These are the resources and equipment that are required to complete this activity:
Three Cisco Nexus 7000 VDCs
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
The table describes the commands that are used in this activity.
Command Description
show interface brief Displays a summary of the interfaces.
show interface transceiver Displays detailed information about installed SFPs.
rate-mode dedicated Sets the first port in a port group to dedicated mode.
switchport Configures an interface as a Layer 2 switch port.
switchport mode trunk Configures an interface as a trunk port.
show spanning-tree Displays information related to the Spanning Tree Protocol
(STP).
show vlan internal usage Displays the list of VLANs that are reserved for internal
use.
vlan <vlan-list> Creates one or more VLANs.
name <vlan-name> Configures the VLAN name.
show spanning-tree summary Displays a summarized view of the spanning-tree
operational status.
spanning-tree vlan <vlan-
list> root primary
Changes the priority of the switch in order to make it the
root of the spanning tree for the listed VLANs.
spanning-tree vlan <vlan-
list> root secondary
Lowers the spanning-tree priority of the switch below the
default value to make the switch the backup spanning-tree
root for the listed VLANs.
spanning-tree guard root Enables Root Guard on an interface.
spanning-tree port type
edge
Configures an interface as a spanning-tree edge port.
network
Enables Bridge Assurance on an interface.
show spanning-tree
inconsistentports
Displays the switch ports that are in the spanning-tree
inconsistent state.
spanning-tree mst
configuration
Enters configuration mode for Multiple Spanning Tree
(MST).
name <mst-region-name> Configures the MST region name.
revision <mst-revision-nr> Configures the MST revision number.
spanning-tree mode mst Changes the spanning-tree protocol to MST.
instance <nr> vlan <vlan-
list>
Maps a list of VLANs to an MST instance.
spanning-tree mst <nr>
root primary
Changes the priority of the switch in order to make it the
root of the spanning tree for the MST instance.
spanning-tree mst <nr>
root secondary
Lowers the spanning-tree priority of the switch below the
default value, to make the switch the backup spanning-tree
root for the MST instance.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Job Aids
These job aids are available to help you complete the lab activity.
Lab topology diagram
Lab connections

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configuring and Verifying Layer 2 Interfaces and
PVRST+
During this task, you will configure basic Layer 2 parameters, such as VLAN and trunk
settings. You will also configure PVRST+ and verify proper spanning-tree operation both
within your VDC and between your peer VDCs.
Activity Procedure
Complete the following steps:
Step 1 Connect to your assigned Nexus 7000 VDC.
Step 2 Create a configuration checkpoint so that you may come back to your current VDC
state if you misconfigure a future lab or want come back to this lab.
Note To rollback to a checkpoint you've taken, use the following command rollback running-
config checkpoint BaseLab.
N7010-V# checkpoint BaseLab
Done

Step 3 Check the state of your assigned interfaces.
Refer to the tables at the beginning of the lab guide or on the following page to
determine which interfaces should be allocated to your VDC.

N7010-V# show interface brief

------------------------------------------------------------------------------
Port VRF Status IP Address Speed MTU
------------------------------------------------------------------------------
mgmt0 -- up 10.1.1.2V 1000 1500

------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
------------------------------------------------------------------------------
Eth1/A -- eth routed down Administratively down auto(D) --
Eth1/B -- eth routed down Administratively down auto(D) --
Eth1/C -- eth routed down Administratively down auto(D) --
Eth1/D -- eth routed down Administratively down auto(D) --
Eth2/E 1 eth access down Administratively down auto(D) --
Eth2/F 1 eth access down Administratively down auto(D) --
Eth2/G 1 eth access down Administratively down auto(D) --
Eth2/H 1 eth access down SFP not inserted auto(D) --
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note The interfaces that are listed in the commands and command output are dependent on your
VDC number. Refer to the table below to identify the correct interface numbers that are used
in your VDC. Whenever you encounter interface descriptors using the format Ethernet 1/A
you should replace them with the appropriate interface number from this table, where a V
will always be your VDC number.
Note Your interface descriptions tell you the lettered label as well. Issue a show running-config
and observe the descriptions have been applied as part of the base configuration to help
you match the chart throughout the lab guide.
Interface Variable
VDC 2
(N7010-2)
VDC 3
(N7010-3)
VDC 4
(N7010-4)
1/A E1/1 E1/2 E1/4
1/B E1/3 E1/5 E1/6
1/C E1/13 E1/14 E1/15
1/D E1/32 E1/33 E1/34
2/E E2/1 E2/3 E2/11
2/F E2/2 E2/4 E2/12
2/G E2/13 E2/15 E2/17
2/H E2/14 E2/16 E2/18

Based upon the output of the show interface brief command, how many SFP+ transceivers
are installed in module 2?
_________________________________________________________________________
Are your interfaces Layer 2 or Layer 3 on module 1? What about module 2?
_________________________________________________________________________
Step 4 Determine the SFP+ transceiver type(s) installed in your interfaces.

N7010-V# show interface transceiver

Ethernet1/A
transceiver is not applicable

Ethernet1/B

Ethernet1/C

Ethernet1/D

Ethernet2/E
transceiver is present
type is 1000base-T
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
name is CISCO-METHODE
part number is SP7041-E
revision is E
serial number is MTC152807N4
nominal bitrate is 1300 MBit/sec
Link length supported for copper is 100 m
cisco id is --
cisco extended id number is 4

Ethernet2/F
type is 1000base-T
revision is E
serial number is MTC1528062V
cisco id is --

Ethernet2/G
type is 1000base-T
revision is E
serial number is MTC152801QA
cisco id is --

Ethernet2/H
transceiver is not present
Note Interface 2/H is unused. Since 10 GE interfaces on the F1 series line card have to be
allocated to VDCs as an entire 2-port port group, not individual interfaces, that is why 2/H
has been allocated to your VDC (in the same port group as 2/G). However, interface 2/H will
not be used.
Are there any SFP+ transceivers installed in module (line card) one? Why or why not?
_________________________________________________________________________
What is the maximum distance between devices that your transceivers support?
_________________________________________________________________________
You should see four 10GE-capable interfaces in the output of the show interface brief
command. These interfaces have been assigned to your VDC on module two.
Which port group(s) do these four interfaces belong to? Use the show interface
<interface> capabilities command on a specific interface to find out which port group the
interface belongs to, as well as the features it is capable of.
_________________________________________________________________________
You should see FabricPath as a listed feature under these interfaces. What does this tell you
about which series 10 GE module is installed? Is this an M-series or an F-series 10 GE
module?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Change all the interfaces on module one to Layer 2 switchports instead of routed
ports, and make them trunking interfaces.
For example, VDC 2 would configure interface e1/1, e1/3, e1/13, e1/32.
VDC 3 would configure interface e1/2, e1/5, e1/14, e1/33.
VDC 4 would configure interface e1/4, e1/6, e1/15, e1/34.

N7010-V# configure
Enter configuration commands, one per line. End with CNTL/Z.
N7010-V(config)# interface ethernet 1/A, ethernet 1/B, ethernet 1/C, ethernet
1/D
N7010-V(config-if-range)# switchport
N7010-V(config-if-range)# switchport mode trunk
N7010-V(config-if-range)# no shutdown
N7010-V(config-if-range)# end
Note You do not have to specify an encapsulation type on trunk interfaces because 802.1Q is the
only supported encapsulation type. ISL is not an option in NX-OS.
Note Do not enable any interfaces on module two (i.e. the linecard in slot two). These interfaces
will be used during a later lab and need to remain disabled until you are specifically
instructed to enable them.
Step 6 Verify that the interfaces on module one have been enabled and changed to Layer 2
switch ports, and the interfaces on module two are all shutdown.
If any interfaces on module 2 are up, shut them down.

N7010-V# show interface brief

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
mgmt0 -- up 10.1.1.2V 1000 1500

--------------------------------------------------------------------------------
Interface Ch #
--------------------------------------------------------------------------------
Eth1/A 1 eth trunk up none 1000(D) --
Eth1/B 1 eth trunk up none 1000(D) --
Eth1/C 1 eth trunk up none 1000(D) --
Eth1/D 1 eth trunk up none 1000(D) --
Eth2/E 1 eth access down Administratively down auto(D) --
Eth2/F 1 eth access down Administratively down auto(D) --
Eth2/G 1 eth access down Administratively down auto(D) --
Eth2/H 1 eth access down SFP not inserted auto(D) --

Note You will have to wait for the other VDCs to bring up their module 1 interfaces before all of
your module one interfaces will show in the up state, since they interconnect the VDCs.
Step 7 Examine Spanning-Tree operation for VLAN 1. Your port states may vary
depending on who was elected as the root bridge.

N7010-V# show spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol rstp
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Root ID Priority 32769
Address 68bd.abd7.92c2
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Eth1/A Desg FWD 4 128.129 P2p
Eth1/B Desg FWD 4 128.131 P2p
Eth1/C Desg FWD 4 128.141 P2p Peer(STP)
Eth1/D Desg FWD 4 128.160 P2p Peer(STP)

Why are your ports in the current roles? Refer back to the Lab Topology diagram to remind
yourself how the VDCs are interconnected.
_________________________________________________________________________
Which device is the root bridge for VLAN 1? It will either be your VDC, or one of two
other student VDCs on the Nexus 7000 chassis.
_________________________________________________________________________
Step 8 Examine which VLANs are reserved and used internally by the Nexus 7000.

N7010-V# show vlan internal usage

VLAN DESCRIPTION
--------- -------------------------------------------------------
3968-4031 Multicast
4032 Online diagnostics vlan1
4036-4041 Reserved
4042 Satellite
4043-4047 Reserved
4094 Reserved

Step 9 Create VLAN 10 and name it TEST. Verify your VDC has VLANs 1 and 10 in your
VLAN database.

N7010-V# configure
N7010-V(config)# vlan 10
N7010-V(config-vlan)# name TEST
Note In NX-OS you must explicitly create VLANs. Putting a port into a non-existent VLAN does
not add the non-existent VLAN to the VLAN database.
Step 10 Examine Spanning-Tree operation for all VLANs. You should see an instance of
Rapid STP for each VLAN. Your port states may vary depending on which VDC
was elected as the root bridge.

N7010-V(config-vlan)# show spanning-tree

VLAN0001
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l


---------------- ---- --- --------- -------- --------------------------------

VLAN0010


---------------- ---- --- --------- -------- --------------------------------
Eth1/C Desg FWD 4 128.141 P2p
Eth1/D Desg FWD 4 128.160 P2p

Which device has been elected the root bridge for the Spanning-Tree instance in VLAN
10? Is it the same or different than VLAN 1?
_________________________________________________________________________
Step 11 Create additional VLANs 1214 in your VDC.

N7010-V(config-vlan)# vlan 12-14
N7010-V(config-vlan)# exit

Step 12 Examine the Spanning-Tree summary output for your VDC. Your output may vary
depending on which VDC was elected as the root bridge. You may also need to wait
for some ports to come out of the learning state before Spanning-Tree converges.

N7010-V(config)# show spanning-tree summary

Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0010, VLAN0012-VLAN0014
Port Type Default is disable
Edge Port [PortFast] BPDU Guard Default is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 4 4
VLAN0010 0 0 0 4 4
VLAN0012 0 0 0 4 4
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
VLAN0013 0 0 0 4 4
VLAN0014 0 0 0 4 4
---------------------- -------- --------- -------- ---------- ----------
5 vlans 0 0 0 20 20

Is there a separate spanning-tree instance for each VLAN?
_________________________________________________________________________
Step 13 Configure your VDC to be the root for one VLAN. VDC 2 will be the root for
VLAN 12, VDC 3 will be the root for VLAN 13 and VDC 4 will be the root for
VLAN 14.
Also, configure your VDC to be the backup (secondary) root for your non-root
VLANs.
Configuration steps are shown for all three VDCs below. Only follow the steps for
your assigned VDC.

VDC 2:

N7010-V(config)# spanning-tree vlan 12 root primary
N7010-V(config)# spanning-tree vlan 13, 14 root secondary

VDC 3:


VDC 4:


Step 14 Verify Spanning-Tree for VLANs 12-14 is configured correctly.
Note The show command output is repeated three times one for each VDC. Look at the host
name to find the show command output relevant to your VDC.
Note Wait for the other VDC on your Nexus 7000 to issue the primary and secondary root
commands before verifying the show command output below.
N7010-2(config)# show spanning-tree vlan 12-14

VLAN0012


---------------- ---- --- --------- -------- --------------------------------
Eth1/1 Desg FWD 4 128.129 P2p
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

VLAN0013
Cost 4
Port 129 (Ethernet1/1)


---------------- ---- --- --------- -------- --------------------------------
Eth1/1 Root FWD 4 128.129 P2p

VLAN0014
Cost 4


---------------- ---- --- --------- -------- --------------------------------


VLAN0012
Cost 4


---------------- ---- --- --------- -------- --------------------------------

VLAN0013

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

---------------- ---- --- --------- -------- --------------------------------

VLAN0014
Cost 4


---------------- ---- --- --------- -------- --------------------------------
Eth1/2 Altn BLK 4 128.130 P2p


VLAN0012
Cost 4


---------------- ---- --- --------- -------- --------------------------------

VLAN0013
Cost 4


---------------- ---- --- --------- -------- --------------------------------
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

VLAN0014


---------------- ---- --- --------- -------- --------------------------------

Step 15 Save your running configuration.
N7010-V(config)# copy running-config startup-config

[########################################] 100%
Copy complete, now saving to disk (please wait)...

Note If you get an error informing you the default VDC made a global change and therefore VDC
1 needs to have its configuration saved before any other VDCs, notify your instructor. Or,
you can click on the Nexus 7000 to access the console connected to VDC 1 and issue a
copy running-config startup-config vdc-all from there. Then you should be able to save
your configurations normally.
Activity Verification
You have completed this task when you attain these results:
You have verified basic interface operation and settings on your Cisco Nexus 7000 VDC.
You have configured the links between VDC and your peer VDCs as 802.1Q trunks.
You have ensured all interfaces on module two are shutdown.
You have created VLANs 10, and 12-14.
You have configured your VDC as the root for VLAN 1V, where V is your VDC number,
and as a secondary root for the other non-root VLANs in the 12-14 range.
You have verified spanning-tree operation for VLANs 10, and 12-14.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Implementing and Testing Spanning-Tree
Enhancements
During this exercise, you will configure Spanning-Tree optimization and protection, and verify
their operation.
Activity Procedure
Step 1 In the previous task, the Cisco Nexus 7000 VDCs were configured as the root and
backup root for VLANs 1214. Together they form a simulated aggregation layer of
the lab network.
It is important to protect your fabric from a rogue or misconfigured switch
attempting to take over the root bridge role.
Configure root guard on the trunk links that connect your VDC to the other VDC
switches in your peer VDCs.

N7010-V(config)# interface ethernet 1/A, ethernet 1/B
N7010-V(config-if-range)# spanning-tree guard root

N7010-V(config-if-range)# 2011 Sep 16 23:20:37 N7010-V %STP-2-
ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/A.
2011 Sep 16 23:20:37 N7010-V %STP-2-ROOTGUARD_CONFIG_CHANGE: Root guard
enabled on port Ethernet1/B.
2011 Sep 16 23:20:37 N7010-V %STP-2-ROOTGUARD_BLOCK: Root guard blocking port
Ethernet1/B on VLAN0014.
Ethernet1/A on VLAN0001.
2011 Sep 16 23:23:10 N7010-V %STP-2-ROOTGUARD_UNBLOCK: Root guard unblocking
port Ethernet1/A on VLAN0014.
port Ethernet1/B on VLAN0013.
2011 Sep 16 23:23:35 N7010-V %STP-2-DISPUTE_DETECTED: Dispute detected on port
2011 Sep 16 23:24:05 N7010-V %STP-2-DISPUTE_CLEARED: Dispute resolved for port
[output may vary]

Why does root guard block ports for certain VLANs?
_________________________________________________________________________
Note Cisco designed Spanning-Tree root guard to allow administrators to explicitly enforce a root
bridge. Without it, an administrator could only use the Priority variable to try and force a root.
However, even a switch with a priority of zero, there is no guarantee another switch couldnt
plug into the network also with a priority of zero and a lower MAC address. Root guard
solves this problem.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 2 Disable root guard in your VDC.

N7010-V(config-if-range)# no spanning-tree guard root

ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port Ethernet1/A.
2011 Sep 16 23:34:03 N7010-V %STP-2-ROOTGUARD_CONFIG_CHANGE: Root guard
disabled on port Ethernet1/B.

Step 3 The Cisco Bridge Assurance (BA) feature can help protect against bridging loops
caused by software failures by using BPDUs as a type of heartbeat mechanism.
Bridge Assurance is enabled globally by default, and must be disabled globally.
When enabled, Bridge Assurance will automatically run on all Spanning-Tree type
network ports.
Enable Bridge Assurance on the links between the your VDC and your peers VDCs
(the first two interfaces on module one interconnect the VDCs) by ensuring the ports
are type network.

N7010-V(config-if-range)# interface ethernet 1/A, ethernet 1/B
N7010-V(config-if-range)# spanning-tree port type network

BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Ethernet1/A VLAN0012.
2011 Sep 16 23:54:36 N7010-V %STP-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance
unblocking port Ethernet1/A VLAN0012.
2011 Sep 16 23:54:36 N7010-V %STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance
blocking port Ethernet1/A VLAN0014.
blocking port Ethernet1/A VLAN0010.
blocking port Ethernet1/B VLAN0010.
unblocking port Ethernet1/B VLAN0012.

Step 4 After a lot of output to the console, it can be difficult to remember which
configuration context youre under when all the prompt shows you is N7010-
V(config-if-range)#, and does not tell you which interface range youre under.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Type the command where to make NX-OS list your current configuration context
and the range of interfaces youre currently under, as well as the username and VDC
youre logged into. This command can be issued from any context.

N7010-V(config-if-range)# where
conf; interface Ethernet1/A, Ethernet1/B admin@N7010-V%default

N7010-V(config-if-range)# exit

Step 5 Verify Bridge Assurance is enabled on the interfaces connecting the VDCs using the
show spanning-tree command. Several of your interface Types should now be
different.

N7010-V(config)# show spanning-tree

VLAN0001


---------------- ---- --- --------- -------- --------------------------------
Eth1/A Desg FWD 4 128.129 Network P2p
Eth1/B Desg FWD 4 128.131 Network P2p

VLAN0010


---------------- ---- --- --------- -------- --------------------------------

VLAN0012


G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
---------------- ---- --- --------- -------- --------------------------------

VLAN0013
Cost 4


---------------- ---- --- --------- -------- --------------------------------
Eth1/A Root FWD 4 128.129 Network P2p

VLAN0014
Cost 4


---------------- ---- --- --------- -------- --------------------------------
Eth1/B Root FWD 4 128.131 Network P2p

Which keyword indicates Bridge Assurance is enabled on the port by default?
_________________________________________________________________________

Step 16 Check for any Spanning-Tree ports in the inconsistent state:

N7010-V(config)# show spanning-tree inconsistentports

If you have any inconsistent ports, why are they in that state?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 Repair any misconfiguration by ensuring you have Bridge Assurance enabled on the
interfaces that connect to the other VDCs.


Step 7 Execute the show spanning-tree inconsistentports command again to verify no
inconsistent ports remain.



N7010-V(config)# copy running-config startup-config

[########################################] 100%
You have enabled, and disabled, root guard on the ports on your VDC that connect to the
other VDCs in the Nexus 7000 chassis.
You have successfully enabled Bridge Assurance on the interfaces connecting your VDC to
your peer VDCs.
You have observed Spanning-Tree behavior when Bridge Assurance is only enabled on one
side of a link.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Implementing and Verifying MST
During this exercise, you will configure MST and verify that it is operating properly in your
VDC and peer VDCs.
Activity Procedure
Step 1 Configure your Cisco Nexus 7000 VDC to participate in an MST region using the
following parameters:

N7010-V(config)# spanning-tree mst configuration
N7010-V(config-mst)# name nexus
N7010-V(config-mst)# revision 1
N7010-V(config-mst)# exit

Step 2 Change the spanning-tree mode on your Cisco Nexus 7000 VDC to MST.

N7010-V(config)# spanning-tree mode mst
Note You may see several STP dispute messages until all VDCs have enabled MST.
Step 3 Verify that MST is operating correctly between the VDCs. Your output may differ
depending on which VDC was elected as the root bridge.

N7010-V(config)# show spanning-tree

MST0000
Spanning tree enabled protocol mstp


---------------- ---- --- --------- -------- --------------------------------
Eth1/C Desg FWD 20000 128.141 P2p Bound(STP)
Eth1/D Desg FWD 20000 128.160 P2p Bound(STP)

N7010-V(config)# show spanning-tree mst configuration

Name [nexus]
Revision 1 Instances configured 1
Instance Vlans mapped
-------- --------------------------------------------------------------------
0 1-4094
------------------------------------------------------------------------------

Note MST configuration is not applied until you exit MST configuration mode. Therefore, you
should exit MST configuration mode before issuing any show commands to verify MST
operation.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note While in MST configuration mode, you can enter the command show pending to review the
MST configuration that will be applied upon exiting MST configuration mode.
Which spanning-tree port cost does MST use by default?
_________________________________________________________________________
How many MST instances are currently being used? Does MST load balance VLANs?
_________________________________________________________________________
Step 4 Change the MST configuration on your VDC to add two new MST instances. Map
VLANs 13 and 14 to MST instance 1 and map VLANs 10 and 12 to MST instance
2.

N7010-V(config)# spanning-tree mst configuration
N7010-V(config-mst)# instance 1 vlan 13,14
N7010-V(config-mst)# instance 2 vlan 10,12
N7010-V(config-mst)# exit

Step 5 Verify MST operation on the switches in your VDC. Is it operating as expected?
Note Your roles may differ based on which switch is elected root.
N7010(config)# show spanning-tree

MST0000
Cost 0


---------------- ---- --- --------- -------- --------------------------------

MST0001
Cost 20000


---------------- ---- --- --------- -------- --------------------------------
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

MST0002
Cost 20000


---------------- ---- --- --------- -------- --------------------------------

N7010-V(config)# show spanning-tree mst configuration

Name [nexus]
Revision 1 Instances configured 3
Instance Vlans mapped
-------- --------------------------------------------------------------------
0 1-9,11,15-4094
1 13-14
2 10,12
------------------------------------------------------------------------------

Which VDCs are the root bridges for each of the MST instances? Are they the same or
different?
_________________________________________________________________________
Step 6 Configure your VDC as the root bridge for one MST instance and as the backup root
bridge for the other MST instances.
Configuration is shown for all VDCs. Only follow the configuration specific to your
VDC.

VDC 2:

N7010-2(config)# spanning-tree mst 0 root primary
N7010-2(config)# spanning-tree mst 1 root secondary

VDC 3:


VDC 4:


Step 7 Verify that the root bridges are selected as expected in the show spanning-tree
output.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 8 Ensure that you have no spanning-tree inconsistent ports on the switches in your
VDC and your peers VDCs.

N7010-V(config)# exit


N7010-V# checkpoint EndOfLab1
Done


N7010-V# copy running-config startup-config

[########################################] 100%
You have successfully configured MST instances in your VDC.
Your VDC has taken over as the primary root for one MST instance, and as the secondary
root for the other MST instances.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 2: Configuring Layer 3 Switching
Activity Objective
In this activity, you will configure Layer 3 features between your Cisco Nexus 7000 VDC and
your peer VDCs. After completing this activity, you will be able to meet these objectives:
Configure the RIP inside your VDC and verify the configuration
Configure a VRF with static routing and verify the configuration
Configure a VRF with OSPF running and verify the configuration
Configure a VRF with EIGRP running and verify the configuration
Required Resources
Three Cisco Nexus 7000 VDCs on a single chassis
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
feature interface-vlan Enables the interface-vlan feature, which allows the
creation of switched virtual interfaces (SVI)
ip address
<address>/<prefix>
Configures an IP address and prefix on an interface.
feature rip Enables the RIP feature.
show license usage Displays the license usage in a VDC.
ip router rip <tag> Activates a RIP process on an interface.
show ip route Displays the IP routing table.
show ip rip Displays basic parameters for a RIP process.
router rip <tag> Starts a RIP routing process.
show vrf Lists the VRFs that are present in a VDC.
show vrf detail Displays details for the VRFs in a VDC.
show vrf <vrf> interface Lists the interfaces that are associated with a VRF.
vrf member <vrf> Associates an interface with a VRF.
vrf context <vrf> Creates a new VRF context.
ip route <subnet>/<prefix>
<next-hop>
Creates a static route to a subnet using a specified next
hop router.
show ip route vrf <vrf> Displays the IP routing table for a VRF.
routing-context vrf <vrf> Sets the scope for routing-related commands to a specific
VRF.
feature ospf Enables the OSPF feature.
ip router ospf <tag> area
<area>
Enables an OSPF process on an interface for a specific
area.
show ip ospf Displays basic parameters for an OSPF process.
router ospf <tag> Starts an OSPF routing process.
show ip ospf vrf <vrf> Displays basic parameters for an OSPF process in a VRF.
show ip ospf neighbors vrf
<vrf>
Displays the list of OSPF neighbors for a VRF.
show ip ospf database vrf
<vrf>
Lists the content of the OSPF database for a VRF.
router-id <id> Sets the router ID for an OSPF process.
vrf <vrf> Enters VRF configuration mode under a routing process.
show ip ospf interface
<intf>
Displays OSPF interface parameters.
auto-cost reference-
bandwidth <bw> <unit>
Changes the OSPF auto-cost reference bandwidth.
show ip ospf interface
brief
Displays an overview of the interfaces that are enabled for
OSPF.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
feature eigrp Enables the EIGRP feature.
router eigrp <tag> Starts an EIGRP routing process.
ip router eigrp <tag> Activates an EIGRP routing process on an interface.
show ip eigrp Displays basic EIGRP parameters.
autonomous-system <as-nr> Sets the autonomous system (AS) number for EIGRP in a
VRF.
show ip eigrp neighbors Displays the list of EIGRP neighbors.
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configuring RIP
During this task, you will configure RIP (routing information protocol) version 2 on your Cisco
Nexus 7000 VDC. RIP version 1 is not available in NX-OS.
Visual Objective
Eth 1/A
Eth 1/B
Nexus 7000 VDC
mgmt0
10.1.1.2V
router rip
MYRIP
OTHER
VDCs
INT VLAN 10
172.16.10.7V/24
MYRIP
INT LOOP 10
192.168.10.7V/32
MYRIP
RIP advertisements
TRUNKS

Activity Procedure
Step 1 Connect to your Cisco Nexus 7000 VDC via Putty SSH to your mgmt0 interface.
Step 2 Change the spanning tree mode back to Rapid PVST

N7010-V# configure
N7010-V(config)# spanning-tree mode rapid-pvst

Step 3 Ensure that the ports that are connected to the other Nexus 7000 switches are
Spanning-Tree port type network.


Step 4 Configure an SVI (Switched Virtual Interface) on your Cisco Nexus 7000 VDC to
route traffic for VLAN 10. Assign IP address 172.16.10.7V/24 to it, where V is your
VDC number.

N7010-V(config-if-range)# feature interface-vlan
N7010-V(config)# interface vlan 10
N7010-V(config-if)# ip address 172.16.10.7V/24
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
N7010-V(config-if)# no shutdown
N7010-V(config-if)# exit
Note The interface-vlan feature needs to be enabled before SVIs can be created, like many other
features and protocols in NX-OS. Enabling a feature essentially enables that set of
processes in NX-OS. Configuration and verification commands are not available until you
enable the specific feature.
Step 5 Ping the IP address of your peer VDCs 172.16.10.7X and 172.16.19.7Y, where X
and Y are your peer VDC numbers, to confirm IP connectivity between the three
VDCs.
For example, if you are VDC 3, you need to ping IP addresses 172.16.10.72 (VDC
2) and 172.16.10.74 (VDC 4).

N7010-V(config)# ping 172.16.10.7X

PING 172.16.10.7X (172.16.10.7X): 56 data bytes
Request 0 timed out
64 bytes from 172.16.10.7X: icmp_seq=1 ttl=254 time=1.22 ms

--- 172.16.10.7X ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 0.701/0.985/1.22 ms

N7010-V(config)# ping 172.16.10.7Y

PING 172.16.10.7Y (172.16.10.7Y): 56 data bytes
Request 0 timed out
64 bytes from 172.16.10.7Y: icmp_seq=1 ttl=254 time=1.22 ms

--- 172.16.10.7Y ping statistics ---

Note Do not proceed until you have confirmed IP connectivity on VLAN 10 between your VDC
and the peer VDCs. If you cannot ping either of your peers, first verify your VLAN 10 SVI IP
address, and then notify your instructor.

Step 6 Enable the RIP feature in your VDC.

N7010-V(config)# feature rip

Step 7 Inspect the RIP feature now that is has been enabled.

N7010-V(config)# show feature | grep rip

rip 1 enabled (not-running)
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note The numbers 1-4 in the show feature output represent the ability of NX-OS to run four
separate instances of the RIP routing protocol in a single VDC.
Note The grep (Global Regular Expression Print) modifier is similar to the include modifier both
will filter show command input piped into them for instances of the keyword you enter.
However, grep and egrep (Extended grep) offer advanced search capabilities and are very
handy for parsing through large configurations. The Include command is still available in NX-
OS.
Step 8 Verify the current license usage on your Cisco Nexus 7000 VDC.

N7010-V(config)# show license usage

Feature Ins Lic Status Expiry Date Comments
Count
------------------------------------------------------------------------------
ENHANCED_LAYER2_PKG No - Unused Grace 107D 0H
SCALABLE_SERVICES_PKG No - Unused -
TRANSPORT_SERVICES_PKG No - Unused Grace 79D 12H
LAN_ADVANCED_SERVICES_PKG Yes - Unused Never -
LAN_ENTERPRISE_SERVICES_PKG Yes - Unused Never -
------------------------------------------------------------------------------

Do you require a license to use RIP on a Cisco Nexus 7000 switch? Which one?
_________________________________________________________________________

Step 9 Configure a loopback interface on your VDC and assign IP address
192.168.10.7V/32 where V is your assigned VDC number.

N7010-V(config)# interface loopback 10

Step 10 Enable RIP on the loopback 10 interface. Choose your own process tag for the RIP
process. This does not have to match between VDCs.
However, ensure that you use the same process tag consistently in this task to avoid
creating multiple RIP routing processes.

N7010-V(config-if)# ip router rip MYRIP

Step 11 Enable the same RIP process on the VLAN 10 SVI.

N7010-V(config-if)# interface vlan 10
N7010-V(config-if)# ip router rip MYRIP

Step 12 View the routing table in your VDC.

N7010-V(config)# show ip route

IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

172.16.10.0/24, ubest/mbest: 1/0, attached
*via 172.16.10.7V, Vlan10, [0/0], 00:24:50, direct
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
172.16.10.7V/32, ubest/mbest: 1/0, attached
*via 172.16.10.7V, Vlan10, [0/0], 00:24:50, local
*via 192.168.10.7V, Lo10, [0/0], 00:07:40, local
*via 192.168.10.7V, Lo10, [0/0], 00:07:40, direct
Note The routing table contains not only the directly attached subnets as direct connected routes,
but it also lists /32 local entries for locally configured IP addresses, e.g. the loopback 10
interface and the VLAN 10 SVI.
Step 13 Examine the RIP process.

N7010-V(config)# show ip rip
Note: process currently not running
Note Although we have enabled RIP on several interfaces, the process must be enabled globally
to activate RIP and begin establishing neighbors. The RIP commends under the interface
simply tell NX-OS to run a particular RIP process on that interface.
Step 14 Enable the RIP process using the same process tag you used under the interfaces.

N7010-V(config)# router rip MYRIP
N7010-V(config-router)# exit

Step 15 Examine the RIP process again.

N7010-V(config)# show ip rip

Process Name "rip-MYRIP" VRF "default"
RIP port 520, multicast-group 224.0.0.9
Admin-distance: 120
Updates every 30 sec, expire in 180 sec
Collect garbage in 120 sec
Default-metric: 1
Max-paths: 8
Process is up and running
Interfaces supported by ipv4 RIP :
Vlan10
loopback10

Step 16 Examine the routing table again.

N7010-V(config)# show ip route

IP Route Table for VRF "default"

*via 172.16.10.7V, Vlan10, [0/0], 02:24:22, direct
*via 172.16.10.7V, Vlan10, [0/0], 02:24:22, local
*via 192.168.10.7V, Lo10, [0/0], 02:20:43, local
*via 192.168.10.7V, Lo10, [0/0], 02:20:43, direct
192.168.10.7X/32, ubest/mbest: 1/0
*via 172.16.10.7X, Vlan10, [120/2], 00:00:35, rip-MYRIP, rip
192.168.10.7Y/32, ubest/mbest: 1/0
*via 172.16.10.7Y, Vlan10, [120/2], 00:00:31, rip-MYRIP, rip
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Do you see routes from your peers VDCs advertised by RIP?
_________________________________________________________________________

Step 17 Ping the interface loopback 10 IP addresses 192.168.10.7X and 192.168.10.7Y of
your peer VDCs, where X and Y are your peer VDC numbers. Use your VLAN 10
SVI IP address 172.16.10.7V as the source of the ping, where V equals your VDC
number.
This will prove RIP routing is taking place since we are pinging between different
subnets.

N7010-V(config)# ping 192.168.10.7X source 172.16.10.7V

PING 192.168.10.7X (192.168.10.7X) from 172.16.10.7V: 56 data bytes


N7010-V# ping 192.168.10.7Y source 172.16.10.7V

PING 192.168.10.7Y (192.168.10.7Y) from 172.16.10.7V: 56 data bytes


Step 18 Do not proceed to the next task until your pings to both VDCs are successful.
Troubleshoot together with your peer VDCs as necessary.
You have created an SVI for VLAN 10 and verified IP connectivity for this VLAN.
You have created a loopback interface and verified IP connectivity.
You have configured RIP globally and added the VLAN 10 SVI and the loopback 10
interface to the RIP process.
You have verified that RIP is exchanging routing information between your VDC and your
peer VDCs.
You have successfully pinged the loopback 10 interfaces of your peer VDCs.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configuring VRFs and Static Routing
During this task, you will create a VRF (Virtual Routing and Forwarding) and configure static
routing for that VRF on your Cisco Nexus 7000 VDC.
Visual Objective
Eth 1/A
Eth 1/B
Nexus 7000 VDC
mgmt0
10.1.1.2V
OTHER
VDCs
INT LOOP 14
192.168.14.7V/32
TRUNKS
INT VLAN 14
172.16.14.7V/24
STATIC-VRF
Static routes to:
192.168.14.7X/Y
through
172.16.14.7X/Y

Activity Procedure
Step 1 Examine the VRFs that exist by default in your VDC.

N7010-V(config)# show vrf
VRF-Name VRF-ID State Reason
default 1 Up --
management 2 Up --

Step 2 Examine the VRFs in more detail.

N7010-V(config)# show vrf detail

VRF-Name: default, VRF-ID: 1, State: Up
Table-ID: 0x80000003, AF: IPv6, Fwd-ID: 0x80000003, State: Up

VRF-Name: management, VRF-ID: 2, State: Up
Note VRFs are created for both IPv4 and IPv6 by default in NX-OS.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 3 Examine the interface assignments for these VRFs in your VDC.

N7010-V(config)# show vrf default interface

Interface VRF-Name VRF-ID
Vlan1 default 1
Vlan10 default 1
loopback10 default 1

N7010-V(config)# show vrf management interface

Interface VRF-Name VRF-ID
mgmt0 management 2

Step 4 Try to reassign the VLAN 1 interface from the default VRF to the management
VRF.

N7010-V(config-if)# vrf member management
% VRF management is reserved only for mgmt0

What is the result? Why?
_________________________________________________________________________
Step 5 Create a new VRF named STATIC-VRF and examine the available configuration
commands inside a VRF.

N7010-V(config)# vrf context STATIC-VRF
N7010-V(config-vrf)# ?

ip Configure IP features
ipv6 Configure IPv6 features
no Negate a command or set its defaults
shutdown Shutdown current VRF
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in

N7010-V(config-vrf)# exit
Note It is currently not possible to configure Route Distinguishers (RD) and Route Targets (RT) in
NX-OS VRFs. RDs and RTs are required for MPLS VPNv4 and VPNv6 routes.
Step 6 Create an SVI for VLAN 14 and configure IP address 172.16.14.7V/24 on it where
V is your assigned VDC number. Enable the interface.


Step 7 Assign the VLAN 14 interface to the STATIC-VRF.

N7010-V(config-if)# vrf member STATIC-VRF
% Deleted all L3 config on interface Vlan14
Note The Cisco NX-OS Software supports tab completion for VRF names.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 8 Examine the running configuration for the VLAN 14 interface.

N7010-V(config-if)# show running-config interface vlan 14

!Command: show running-config interface Vlan14
!Time: Sat Sep 17 22:12:26 2011

version 5.1(3)

interface Vlan14
no shutdown
vrf member STATIC-VRF
Note The IP address and any other IP configuration is removed from an interface when it is
assigned to a different VRF. We will have to reassign the IP address to the SVI.
Step 9 Reassign the IP address you configured in Step 7.


and Y are your peer VDC numbers, to confirm IP connectivity between the VDCs
on VLAN 14.

N7010-V(config)# ping 172.16.14.7X vrf STATIC-VRF

Request 0 timed out


N7010-V(config)# ping 172.16.14.7Y vrf STATIC-VRF

Request 0 timed out

Note Do not forget to specify the VRF in the ping command.
Step 11 Configure loopback interface 14 on your VDC, assign it to the STATIC-VRF, and
assign IP address 192.168.14.7V/32 where V is your assigned VDC number.

N7010-V(config)# interface loopback 14
N7010-V(config-if)# vrf member STATIC-VRF
% Deleted all L3 config on interface loopback14
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l


Step 12 Create static routes for VRF-STATIC that point to the loopback 14 IP addresses of
your peer VDCs (192.168.14.7X/32 and 192.168.14.7Y/32) via the VLAN 14 IP
address of your peer VDCs (172.16.14.7X and 172.16.14.7Y).
Steps for all three VDCs have been listed out below. Only enter the commands that
correspond to your VDC number.

VDC 2:

N7010-2(config)# vrf context STATIC-VRF
N7010-2(config-vrf)# ip route 192.168.14.73/32 172.16.14.73
N7010-2(config-vrf)# exit

VDC 3:


VDC 4:

Note Inter-VRF static routes are not supported. The next-hop for a static route must always be in
the same VRF.
Step 13 Examine the routing table for VRF STATIC-VRF.

N7010-V(config)# show ip route vrf STATIC-VRF

IP Route Table for VRF "STATIC-VRF"

*via 172.16.14.7V, Vlan14, [0/0], 00:15:59, direct
*via 172.16.14.7V, Vlan14, [0/0], 00:15:59, local
*via 192.168.10.7V, Lo10, [0/0], 02:51:09, local
*via 192.168.10.7V, Lo10, [0/0], 02:51:09, direct
192.168.14.7X/32, ubest/mbest: 1/0
*via 172.16.14.7X, Vlan14, [1/0], 00:07:43, static
192.168.14.7Y/32, ubest/mbest: 1/0
*via 172.16.14.7Y, Vlan14, [1/0], 00:00:14, static
Note If you do not specify the VRF, the default VRF is displayed for all IP routing-related
commands.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 14 Set the scope of all Cisco NX-OS IP routing-related commands to use the VRF
STATIC-VRF for your current session, instead of the default VRF.

N7010-V(config)# routing-context vrf STATIC-VRF

Step 15 Ping the loopback 14 IP addresses 192.168.14.7X and 192.168.14.7Y of your peer
VDCs. Use your own loopback 14 IP address 192.168.14.7V as the source, where V
is your VDC number, and ping both peer VDCs.

N7010-V%STATIC-VRF(config)# ping 192.168.14.7X source 192.168.14.7V



N7010-V%STATIC-VRF(config)# ping 192.168.14.7Y source 192.168.14.7V



Step 16 Do not proceed to the next task until you succeed in pinging the peer VDCs
loopback 14 IP addresses. Troubleshoot together with your peer VDCs as necessary
until your static routes are functional.
Step 17 Reset the command scope to the default VRF.

N7010-V%STATIC-VRF(config)# routing-context vrf default
N7010-V(config)#

You have created a new VRF in your Cisco Nexus 7000 VDC.
You have created an SVI for VLAN 14, assigned it to a VRF, and verified IP connectivity
for this VLAN.
You have configured static routes in the VRF and you have verified the static routes were
installed in the routing table.
You have successfully pinged the loopback 14 IP address in the STATIC-VRF on your
peer VDCs.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Configuring VRFs and OSPFv2
During this task, you will create a new VRF and configure OSPF version 2 inside the VRF on
your Cisco Nexus 7000 VDC. You will also verify routing is successful with your peer VDCs.
Visual Objective
Eth 1/A
Eth 1/B
Nexus 7000 VDC
mgmt0
10.1.1.2V
OTHER
VDCs
TRUNKS
OSPF-VRF
router ospf
MYOSPF
INT VLAN 12
172.16.12.7V/24
MYOSPF
OSPF advertisements
INT LOOP 12
192.168.12.7V/32
MYOSPF
Area V
Area 0
Router ID
V.V.V.V

Activity Procedure
Step 1 Create a VRF context named OSPF-VRF.

N7010-V(config)# vrf context OSPF-VRF

Step 2 Create an SVI for VLAN 12 and assign it to the VRF OSPF-VRF.

N7010-V(config-if)# vrf member OSPF-VRF

Step 3 Configure IP address 172.16.12.7V/24 on the VLAN 12 SVI where V is your
assigned VDC number and enable the interface.


G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
on VLAN 12.

N7010-V(config-if)# ping 172.16.12.7X vrf OSPF-VRF
Request 0 timed out


N7010-V(config-if)# ping 172.16.12.7Y vrf OSPF-VRF
Request 0 timed out


Step 5 Configure loopback interface 12 on your VDC, assign it to the OSPF-VRF, and
assign IP address 192.168.12.7V/32 where V is your assigned VDC number.

N7010-V(config-if)# interface loopback 12
N7010-V(config-if)# vrf member OSPF-VRF

Step 6 Enable the OSPF feature.
N7010-V(config-if)# feature ospf
Note Feature ospf enables OSPFv2. To enable OSPFv3 you would instead enable feature
ospfv3.
Step 7 Verify the license usage in your VDC.

N7010-V(config)# show license usage

Feature Ins Lic Status Expiry Date Comments
Count
------------------------------------------------------------------------------
ENHANCED_LAYER2_PKG No - Unused Grace 106D 21H
SCALABLE_SERVICES_PKG No - Unused -
TRANSPORT_SERVICES_PKG No - Unused Grace 79D 12H
LAN_ADVANCED_SERVICES_PKG Yes - Unused Never -
LAN_ENTERPRISE_SERVICES_PKG Yes - In use Never -
------------------------------------------------------------------------------

Which licenses are in use on your VDC?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 8 Verify which features cause the Enterprise Services License to be used.

N7010-V(config)# show license usage LAN_ENTERPRISE_SERVICES_PKG

Application
-----------
ospf@V
-----------
Note The @V in the command output specifies the VDC in which the feature is used. Recall that
other VDCs may be using the license as well, but only the default VDC 1 can see other
VDCs. VDCs 2-4 are completely isolated from one other on the Nexus 7000 switch, so you
will only see your VDC.
Step 9 Configure OSPF in area 0 on interface vlan 12. Use a process ID of your choice,
but make sure you use the same process ID consistently throughout this exercise.
The process ID does not have to match your peer VDCs.

N7010-V(config-if)# ip router ospf MYOSPF area 0

Step 10 Configure OSPF in area V, where V is your assigned VDC number, on interface
loopback 12. Use the same process ID as in the previous step.

N7010-V(config-if)# interface loopback 12
N7010-V(config-if)# ip router ospf MYOSPF area V

Step 11 Examine the OSPF process.

N7010-V(config)# show ip ospf
Note: process currently not running

Step 12 Configure the OSPF process using the process ID used in the previous steps.

N7010-V(config)# router ospf MYOSPF
N7010-V(config-router)# exit

Step 13 Examine the OSPF process again.

N7010-V(config)# show ip ospf

Routing Process MYOSPF with ID 192.168.10.7V VRF default
Stateful High Availability enabled
Graceful-restart is configured
Grace period: 60 state: Inactive
Last graceful restart exit status: None
Supports only single TOS(TOS0) routes
Supports opaque LSA
Administrative distance 110
Reference Bandwidth is 40000 Mbps
Initial SPF schedule delay 200.000 msecs,
minimum inter SPF delay of 1000.000 msecs,
maximum inter SPF delay of 5000.000 msecs
Initial LSA generation delay 0.000 msecs,
minimum inter LSA delay of 5000.000 msecs,
maximum inter LSA delay of 5000.000 msecs
Minimum LSA arrival 1000.000 msec
LSA group pacing timer 10 secs
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Maximum paths to destination 8
Number of external LSAs 0, checksum sum 0
Number of opaque AS LSAs 0, checksum sum 0
Number of areas is 0, 0 normal, 0 stub, 0 nssa
Number of active areas is 0, 0 normal, 0 stub, 0 nssa

Why does the output not reflect any active areas?
_________________________________________________________________________
Step 14 Verify the OSPF process in the OSPF-VRF. Leaving this off in the prior command
showed the OSPF status for the default VRF.

N7010-V(config)# show ip ospf vrf OSPF-VRF

Routing Process MYOSPF with ID 192.168.12.7V VRF OSPF-VRF
Stateful High Availability enabled
Graceful-restart is configured
Grace period: 60 state: Inactive
Last graceful restart exit status: None
Supports only single TOS(TOS0) routes
Supports opaque LSA
This router is an area border
Administrative distance 110
Reference Bandwidth is 40000 Mbps
Initial SPF schedule delay 200.000 msecs,
minimum inter SPF delay of 1000.000 msecs,
maximum inter SPF delay of 5000.000 msecs
Initial LSA generation delay 0.000 msecs,
minimum inter LSA delay of 5000.000 msecs,
maximum inter LSA delay of 5000.000 msecs
Minimum LSA arrival 1000.000 msec
LSA group pacing timer 10 secs
Maximum paths to destination 8
Number of external LSAs 0, checksum sum 0
Number of opaque AS LSAs 0, checksum sum 0
Number of areas is 2, 2 normal, 0 stub, 0 nssa
Number of active areas is 2, 2 normal, 0 stub, 0 nssa
Area BACKBONE(0.0.0.0)
Area has existed for 00:04:00
Interfaces in this area: 1 Active interfaces: 1
Passive interfaces: 0 Loopback interfaces: 0
No authentication available
SPF calculation has run 3 times
Last SPF ran for 0.000223s
Area ranges are
Number of LSAs: 7, checksum sum 0x218c5
Area (0.0.0.V) (Inactive)
Area has existed for 00:04:00
Interfaces in this area: 1 Active interfaces: 1
Passive interfaces: 1 Loopback interfaces: 1
No authentication available
SPF calculation has run 3 times
Last SPF ran for 0.000076s
Area ranges are
Number of LSAs: 4, checksum sum 0x24b2e
Note It is not necessary to enable the OSPF process explicitly inside of a VRF. If you enable the
OSPF process on an interface that is a member of a VRF, then the process is automatically
enabled for that VRF.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 15 Verify OSPF neighbor relationships have been established between your VDC and
your peer VDCs.

N7010-V(config)# show ip ospf neighbors vrf OSPF-VRF

OSPF Process ID MYOSPF VRF OSPF-VRF
Total number of neighbors: 2
Neighbor ID Pri State Up Time Address Interface
192.168.12.7X 1 FULL/BDR 00:06:46 172.16.12.7X Vlan12
192.168.12.7Y 1 FULL/DROTHER 00:01:14 172.16.12.7Y Vlan12
Note Dont forget to specify the correct VRF in the command.
Step 16 Examine the OSPF LSA (Link State Advertisement) database for OSPF-VRF.

N7010-V(config)# show ip ospf database vrf OSPF-VRF

OSPF Router with ID (192.168.12.7V) (Process ID MYOSPF VRF OSPF-VRF)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# Checksum Link Count
192.168.12.7V 192.168.12.7V 508 0x80000003 0xa7e3 1
192.168.12.7X 192.168.12.7X 508 0x80000003 0xa5e2 1
192.168.12.7Y 192.168.12.7Y 177 0x80000003 0xa3e1 1

Network Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# Checksum
172.16.12.7Y 192.168.12.7Y 176 0x80000003 0x0b3e

Summary Network Link States (Area 0.0.0.0)

192.168.12.7V 192.168.12.7V 642 0x80000002 0x5887
192.168.12.7X 192.168.12.7X 517 0x80000002 0x4895
192.168.12.7Y 192.168.12.7Y 187 0x80000002 0x38a3

Router Link States (Area 0.0.0.V)

Link ID ADV Router Age Seq# Checksum Link Count
192.168.12.7V 192.168.12.7V 642 0x80000002 0x8c8a 1

Summary Network Link States (Area 0.0.0.V)

172.16.12.0 192.168.12.7V 642 0x80000002 0xdece
192.168.12.7X 192.168.12.7V 500 0x80000002 0xdfd6
192.168.12.7Y 192.168.12.7V 169 0x80000002 0xd5df

Step 17 Change the OSPF router ID to V.V.V.V, where V is your VDC number.

N7010-V(config)# router ospf MYOSPF
N7010-V(config-router)# router-id V.V.V.V

Step 18 Examine the router ID for the OSPF process for the VRF OSPF-VRF.

N7010-V(config-router)# show ip ospf vrf OSPF-VRF | grep ID
Routing Process MYOSPF with ID 192.168.12.7V VRF OSPF-VRF

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 19 Did the router ID change? Why or why not?

Step 20 Examine the router ID for the default VRF.

N7010-V(config-router)# show ip ospf | grep ID
Routing Process MYOSPF with ID V.V.V.V VRF default
Note This result should remind you that we must always specify a VRF in any routing
configuration commands or show commands. NX-OS assumes the default VRF if there is no
VRF specified.
Step 21 Change the OSPF router ID to V.V.V.V for OSPF-VRF, where V is your VDC
number.

N7010-V(config-router)# router ospf MYOSPF
N7010-V(config-router)# vrf OSPF-VRF
N7010-V(config-router-vrf)# router-id V.V.V.V

Step 22 Enable OSPF adjacency logging for the VRF OSPF-VRF.

N7010-V(config-router-vrf)# log-adjacency-changes

Step 23 Examine the OSPF router ID for the VRF again.

N7010-V(config-router-vrf)# show ip ospf vrf OSPF-VRF | grep ID
Routing Process MYOSPF with ID V.V.V.V VRF OSPF-VRF

Note It is not necessary to clear or restart the OSPF process for the router ID change to be
applied. The change will be effective immediately.
Step 24 Examine the OSPF interface cost for interface vlan 12.

N7010-V(config-router-vrf)# show ip ospf interface vlan 12

Vlan12 is up, line protocol is up
IP address 172.16.12.7V/24, Process ID MYOSPF VRF OSPF-VRF, area 0.0.0.0
Enabled by interface configuration
State DR, Network type BROADCAST, cost 40
Index 2, Transmit delay 1 sec, Router Priority 1
Designated Router ID: V.V.V.V, address: 172.16.12.7V
Backup Designated Router ID: X.X.X.X, address: 172.16.12.7X
2 Neighbors, flooding to 2, adjacent with 2
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:04
No authentication
Number of opaque link LSAs: 0, checksum sum 0

How is the interface cost calculated?
_________________________________________________________________________
Step 25 Change the OSPF auto-cost reference bandwidth to 100 Mbps to match the reference
bandwidth of older devices on the network.

N7010-V(config-router-vrf)# auto-cost reference-bandwidth ?
<1-4000000> Rate in Mbps (bandwidth) (Default)
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
*Default value is 40000
<1-4000> Rate in Gbps (bandwidth)
*Default value is 40

N7010-V(config-router-vrf)# auto-cost reference-bandwidth 100 Mbps
N7010-V(config-router-vrf)# end

Step 26 Verify that the OSPF interface cost has changed to reflect the new reference
bandwidth.

N7010-V# show ip ospf interface brief vrf OSPF-VRF

OSPF Process ID MYOSPF VRF OSPF-VRF
Total number of interface: 2
Interface ID Area Cost State Neighbors
Status
Vlan12 2 0.0.0.0 1 DR 2 up
Lo12 1 0.0.0.V 1 LOOPBACK 0 up

Step 27 Examine the routing table for OSPF-VRF.

N7010-V# show ip route vrf OSPF-VRF

IP Route Table for VRF "OSPF-VRF"

*via 172.16.12.7V, Vlan12, [0/0], 02:01:14, direct
*via 172.16.12.7V, Vlan12, [0/0], 02:01:14, local
*via 192.168.12.7V, Lo12, [0/0], 01:56:27, local
*via 192.168.12.7V, Lo12, [0/0], 01:56:27, direct
192.168.12.7X/32, ubest/mbest: 1/0
*via 172.16.12.7X, Vlan12, [110/2], 00:08:19, ospf-MYOSPF, inter
192.168.12.7Y/32, ubest/mbest: 1/0
*via 172.16.12.7Y, Vlan12, [110/2], 00:08:19, ospf-MYOSPF, inter

Step 28 Ping the loopback 12 IP addresses 192.168.12.7X and 192.168.12.7Y of your peer
VDCs, where X and Y are your peer VDC numbers. Use your own VLAN 12 SVI
IP address 172.16.12.7V as the source, where V is your VDC number.

N7010-V# ping 192.168.12.7X source 172.16.12.7V vrf OSPF-VRF



N7010-V# ping 192.168.12.7Y source 172.16.12.7V vrf OSPF-VRF

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l


Step 29 Do not proceed to the next task until you succeed in pinging the peer VDCs
loopback 12 interfaces. Troubleshoot together with your peer VDCs as necessary
until you confirm OSPF is working.
for this VLAN.
You have enabled OSPF for the VRF and verified its operation.
You have successfully pinged the loopback 12 IP address in the VRF on your peer VDCs.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 4: Configuring VRFs and EIGRP
During this task, you will create a VRF and configure EIGRP in that VRF on your Cisco Nexus
7000 VDC. You will also verify EIGRP routing is functional between VDCs.
Visual Objective
Eth 1/A
Eth 1/B
Nexus 7000 VDC
mgmt0
10.1.1.2V
OTHER
VDCs
TRUNKS
EIGRP-VRF
router eigrp
MYEIGRP
INT VLAN 13
172.16.13.7V/24
MYEIGRP
EIGRP advertisements
INT LOOP 13
192.168.13.7V/32
MYEIGRP
AS 42

Activity Procedure
Step 1 Create a VRF named EIGRP-VRF.

N7010-V# configure
N7010-V(config)# vrf context EIGRP-VRF

Step 2 Create an SVI for VLAN 13 and assign it to EIGRP-VRF.

N7010-V(config-vrf)# interface vlan 13
N7010-V(config-if)# vrf member EIGRP-VRF

Step 3 Configure IP address 172.16.13.7V/24 on the SVI for VLAN 13 where V is your
assigned VDC number, and then enable the interface.


G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 4 Set the scope of all Cisco NX-OS IP routing-related commands to use the VRF
EIGRP-VRF for your current session.

N7010-V(config)# routing-context vrf EIGRP-VRF

Step 5 Ping the IP addresses of your peer VDC 172.16.13.7X and 172.16.13.7Y, where X
on VLAN 13.

N7010-V%EIGRP-VRF(config)# ping 172.16.13.7X

Request 0 timed out


N7010-V%EIGRP-VRF(config)# ping 172.16.13.7Y

Request 0 timed out


Step 6 Create loopback interface 13 on your VDC, assign it to EIGRP-VRF, and assign IP
address 192.168.13.7V/32, where V is your assigned VDC number.

N7010-V%EIGRP-VRF(config)# interface loopback 13
N7010-V%EIGRP-VRF(config-if)# vrf member EIGRP-VRF

N7010-V%EIGRP-VRF(config-if)# ip address 192.168.13.7V/32
N7010-V%EIGRP-VRF(config-if)# exit

Step 7 Enable the EIGRP feature.

N7010-V%EIGRP-VRF(config)# feature eigrp

Step 8 Examine the license usage for the Enterprise Services License.

N7010-V%EIGRP-VRF(config)# show license usage LAN_ENTERPRISE_SERVICES_PKG

Application
-----------
ospf@V
eigrp@V
-----------

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 9 Configure an EIGRP process with process tag MYEIGRP.

N7010-V%EIGRP-VRF(config)# router eigrp MYEIGRP

Step 10 Activate EIGRP on interface vlan 13.

N7010-V%EIGRP-VRF(config-router)# interface vlan 13
N7010-V%EIGRP-VRF(config-if)# ip router eigrp MYEIGRP

Step 11 Activate EIGRP on interface loopback 13.

N7010-V%EIGRP-VRF(config-if)# interface loopback 13
N7010-V%EIGRP-VRF(config-if)# ip router eigrp MYEIGRP
N7010-V%EIGRP-VRF(config-if)# exit

Step 12 Examine the EIGRP process.

N7010-V%EIGRP-VRF(config)# show ip eigrp

IP-EIGRP AS 0 ID 192.168.13.7V VRF EIGRP-VRF
Process-tag: MYEIGRP
Status: shutdown
Authentication mode: none
Authentication key-chain: none
Metric weights: K1=1 K2=0 K3=1 K4=0 K5=0
IP proto: 88 Multicast group: 224.0.0.10
Int distance: 90 Ext distance: 170
Max paths: 8
Number of EIGRP interfaces: 2 (1 loopbacks)
Number of EIGRP passive interfaces: 0
Number of EIGRP peers: 0
Graceful-Restart: Enabled
Stub-Routing: Disabled
NSF converge time limit/expiries: 120/0
NSF route-hold time limit/expiries: 240/0
NSF signal time limit/expiries: 20/0
Redistributed max-prefix: Disabled

Why is the EIGRP process shut down?
_________________________________________________________________________
Step 13 Configure EIGRP autonomous system number 42 for EIGRP-VRF.

N7010-V%EIGRP-VRF(config)# router eigrp MYEIGRP
N7010-V%EIGRP-VRF(config-router)# vrf EIGRP-VRF
N7010-V%EIGRP-VRF(config-router-vrf)# autonomous-system 42
N7010-V%EIGRP-VRF(config-router-vrf)# end
Note EIGRP will remain shut down until an autonomous system number is defined for EIGRP to
be a part of. The MYEIGRP keyword in the ip router eigrp MYEIGRP command is simply a
locally significant process tag, not an autonomous system number as in some IOS versions.
Step 14 Examine the EIGRP process again.

N7010-V%EIGRP-VRF# show ip eigrp

IP-EIGRP AS 42 ID 192.168.13.7V VRF EIGRP-VRF
Process-tag: MYEIGRP
Status: running
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Authentication mode: none
Authentication key-chain: none
Metric weights: K1=1 K2=0 K3=1 K4=0 K5=0
IP proto: 88 Multicast group: 224.0.0.10
Int distance: 90 Ext distance: 170
Max paths: 8
Number of EIGRP interfaces: 2 (1 loopbacks)
Number of EIGRP passive interfaces: 0
Number of EIGRP peers: 2
Graceful-Restart: Enabled
Stub-Routing: Disabled
NSF converge time limit/expiries: 120/0
NSF route-hold time limit/expiries: 240/0
NSF signal time limit/expiries: 20/0
Redistributed max-prefix: Disabled

Step 15 Verify that an EIGRP adjacency has been established between your VDC and your
peer VDCs.

N7010-V%EIGRP-VRF# show ip eigrp neighbors

IP-EIGRP neighbors for process 42 VRF EIGRP-VRF
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.13.7X Vlan13 11 00:00:44 3 200 0 6
0 172.16.13.7Y Vlan13 12 00:00:57 1 200 0 6

Step 16 Examine the routing table for VRF EIGRP-VRF.

N7010-V%EIGRP-VRF# show ip route

IP Route Table for VRF "EIGRP-VRF"

*via 172.16.13.7V, Vlan13, [0/0], 00:22:08, direct
*via 172.16.13.7V, Vlan13, [0/0], 00:22:08, local
*via 192.168.13.7V, Lo13, [0/0], 00:14:39, local
*via 192.168.13.7V, Lo13, [0/0], 00:14:39, direct
192.168.13.7X/32, ubest/mbest: 1/0
*via 172.16.13.7X, Vlan13, [90/130816], 00:01:48, eigrp-MYEIGRP, internal
192.168.13.7Y/32, ubest/mbest: 1/0
*via 172.16.13.7Y, Vlan13, [90/130816], 00:01:35, eigrp-MYEIGRP, internal

Step 17 Ping the loopback 13 interfaces with IP addresses 192.168.13.7X and 192.168.13.7Y
of your peer VDCs, where X and Y are your peer VDC numbers. Use your own
loopback 13 IP address 172.16.13.7V as the source, where V is your VDC number.

N7010-V%EIGRP-VRF# ping 192.168.13.7X source 172.16.13.7V


G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

N7010-V%EIGRP-VRF# ping 192.168.13.7Y source 172.16.13.7V



Step 18 Reset the command scope to the default VRF.

N7010-V%EIGRP-VRF# routing-context vrf default


Done


[########################################] 100%

for this VLAN.
You have enabled EIGRP for the VRF and verified its operation.
You have successfully pinged the loopback 13 interface IP addresses in the VRF on your
peer VDCs.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 3: Configuring Security Features
Activity Objective
In this activity, you will configure Cisco NX-OS security features on your Cisco Nexus 7000
VDC. After completing this activity, you will be able to meet these objectives:
Configure and verify access lists using atomic programming
Configure port security on your Cisco Nexus 7000 VDC and verify the configuration has
been applied per the design requirements
Configure traffic storm control on your Cisco Nexus 7000 VDC and verify the
configuration has been applied per the design requirements
Visual Objective
Nexus 7000 VDC
mgmt0
10.1.1.22
Lab PC NIC2
172.16.10.1V1/24
VLAN 10
STP port
type edge
Eth 1/C
INGRESS ACCESS LIST
Permit management LANs
via SSH, Telnet, Rlogin
Deny everything else
INT VLAN 10
172.16.10.7V/24
Enable port-security
Allow two MAC
addresses
Eth 1/A
Eth 1/B
OTHER
VDCs
TRUNKS
Storm
Control
40%

Required Resources
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
switchport access vlan
<vlan>
Configures the VLAN for an access port.
edge
Configures an interface as a spanning-tree edge port.
object-group ip port
<name>
Defines an IP port object group.
object-group ip address
<name>
Defines an IP address object group.
configure session <name> Starts a configuration session.
ip access-list <name> Defines an IP access-list.
show running-config aclmgr Shows the elements of the running configuration that are
related to access-lists.
show configuration session Shows the content of a configuration session.
ip access-group <name> in Associates an access-list with a Layer 3 interface.
verify Verify that an access-list can be installed in the forwarding
engines of a Cisco Nexus switch.
commit Commits the statements in a configuration session to the
running configuration.
show access-lists <name> Displays the access-lists on the switch.
statistics per-entry Enables the gathering of statistics for an access-list.
show access-lists <name>
expanded
Shows an access-list after expansion of any included
object groups.
feature port-security Enables the port security feature.
switchport port-security Enables port security on an interface.
show running-config port-
security all
Shows the elements of the running configuration that are
related to port security including default values.
show port-security address Shows the static and dynamic port security addresses in
the system.
switchport port-security
mac-address <address>
Configures a static port security MAC address for an
interface.
show logging last <nr> Shows the last number of lines in the system log.
storm-control broadcast
level <percent>
Enables storm control for broadcast traffic at the configured
level.
storm-control multicast
level <percent>
Enables storm control for multicast traffic at the configured
level.
storm-control unicast
level <percent>
Enables storm control for unicast traffic at the configured
level.
show interface <intf>
counters storm-control
Displays the operational traffic storm-control parameters
and statistics.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configuring Access Lists
During this task, you will configure access lists on your Cisco Nexus 7000 VDC.
Activity Procedure
Step 1 Connect to your assigned Cisco Nexus 7000 VDC using Putty SSH to the mgmt0
interface.
Step 2 Assign the Ethernet port that connects to the Lab PC to VLAN 10 and make it a
Spanning-Tree edge port. Refer to the Lab Topology diagram or the lab IP address
plan to find the correct interface for your VDC.

N7010-V# configure
N7010-V(config)# interface ethernet 1/C
N7010-V(config-if)# switchport
N7010-V(config-if)# switchport mode access
N7010-V(config-if)# switchport access vlan 10
N7010-V(config-if)# spanning-tree port type edge

Warning: Edge port type (portfast) should only be enabled on ports connected
to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when edge port type (portfast) is enabled, can cause temporary
bridging loops.
Use with CAUTION

Edge Port Type (Portfast) has been configured on Ethernet1/C but will only
have effect when the interface is in a non-trunking mode.

Step 3 Connect to your assigned Lab PC (appears as PCV in the Lab Topology diagram)
and configure Local Area Connection 2 (NIC 2) with the following IP settings:

IP address Subnet Mask
Default Gateway
(VLAN 10 SVI)
DNS
VDC 2 172.16.10.121 255.255.255.0 172.16.10.72 None
VDC 3 172.16.10.131 255.255.255.0 172.16.10.73 None
VDC 4 172.16.10.141 255.255.255.0 172.16.10.74 None

Tip View and modify your network connections by clicking Start > Settings > Network
Connections.
Step 4 From your Lab PC ping the IP address of VDCs VLAN 10 SVI, which is
172.16.10.7V/24, where V is your VDC number. This will verify you have
successfully configured NIC 2 on your Lab PC.

C:\Documents and Settings\Administrator> ping 172.16.10.7V

Pinging 172.16.10.7V with 32 bytes of data:

Reply from 172.16.10.7V: bytes=32 time=1ms TTL=255
Reply from 172.16.10.7V: bytes=32 time<1ms TTL=255
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Ping statistics for 172.16.10.7V:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Note If your pings are not working, try flapping the 1/C interface on your Nexus 7000 VDC by
typing shutdown, waiting a few seconds, then typing no shutdown to bring the interface
back up.
Step 5 Use Putty to connect from your Lab PC to your Cisco Nexus 7000 VDC on the
VLAN 10 IP address 172.16.10.7V using SSH, where V equals your VDC number.
Disconnect after verifying that you can log in to your VDC through interface
VLAN 10 (instead of mgmt0, like we normally do).
Step 6 Switch back to your active management connection (mgmt0) to your VDC with
Putty SSH.
Step 7 Configure an IP port object group named VIRTUAL-TERMINAL that includes
ports 22 (SSH), 23 (telnet), and 513 (rlogin).

N7010-V(config)# object-group ip port VIRTUAL-TERMINAL
N7010-V(config-port-ogroup)# range 22 23
N7010-V(config-port-ogroup)# eq 513
N7010-V(config-port-ogroup)# exit

Step 8 Configure an IP address object group named MGMT-LANS that includes the
management subnets 172.16.10.0/24, 172.16.12.0/24, 172.16.13.0/24, and
172.16.14.0/24.

N7010-V(config)# object-group ip address MGMT-LANS
N7010-V(config-ipaddr-ogroup)# 172.16.10.0/24

Step 9 Exit configuration mode and start a configuration session named MGMT-ACL.

N7010-V(config-ipaddr-ogroup)# end

N7010-V# configure session MGMT-ACL
Config Session started, Session ID is 1
N7010-V(config-s)#

How can you tell that you are in a configuration session instead of normal configuration
mode?
_________________________________________________________________________
Note The configuration Session Manager allows you to implement ACL and QoS configuration
changes in batch mode in the following phases: configuration session, validation,
verification, commit, and abort. Configuration sessions can be saved and applied later, and
are persistent across a supervisor switchover, but not a software reload. You can create up
to 32 configuration sessions per VDC, with a total of 20,000 commands per VDC.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 Within the configuration session, create an IP access list named REMOTE-LOGIN-
ONLY.

N7010-V(config-s)# ip access-list REMOTE-LOGIN-ONLY

Step 11 Configure an access list line that permits TCP traffic from the networks defined in
the object group MGMT-LANS to any other IP address using the destination ports
defined in the object group VIRTUAL-TERMINAL, and then exit the ACL
configuration mode.

N7010-V(config-s-acl)# permit tcp addrgroup MGMT-LANS any portgroup VIRTUAL-
TERMINAL
N7010-V(config-s-acl)# end
Note The purpose of this ACL is to permit connections from the subnets listed in the MGMT-LANS
group to any destination using TCP over the ports defined in the VIRTUAL-TERMINAL
group.
Step 12 Examine the running configuration to see if any access lists are present.

N7010-V# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Sun Sep 18 04:38:38 2011

version 5.1(3)
object-group ip address MGMT-LANS
10 172.16.10.0/24
20 172.16.12.0/24
30 172.16.13.0/24
40 172.16.14.0/24
object-group ip port VIRTUAL-TERMINAL
10 range 22 23
20 eq 513

Do you see the access list REMOTE-LOGIN-ONLY? Why or why not?
_________________________________________________________________________
Step 13 Examine the active configuration sessions in your VDC.

N7010-V# show configuration session

config session MGMT-ACL
0001 ip access-list REMOTE-LOGIN-ONLY
0002 permit tcp addrgroup MGMT-LANS any portgroup VIRTUAL-TERMINAL

Number of active configuration sessions = 1

Step 14 Enter the configuration session MGMT-ACL again and go back to configuration
mode for access list REMOTE-LOGIN-ONLY to add a line to the ACL.

N7010-V# configure session MGMT-ACL
Config Session started, Session ID is 1

N7010-V(config-s)# ip access-list REMOTE-LOGIN-ONLY

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 15 Add an access list line that explicitly drops all other IP packets.

N7010-V(config-s-acl)# deny ip any any

Step 16 Apply the access list REMOTE-LOGIN-ONLY as an inbound access list on
interface VLAN 10 on your Cisco Nexus 7000 VDC.

N7010-V(config-s-acl)# interface vlan 10
N7010-V(config-s-if)# ip access-group REMOTE-LOGIN-ONLY in

Step 17 Without leaving the configuration session, examine the configuration session
MGMT-ACL.

N7010-V(config-s-if)# show configuration session MGMT-ACL

config session name MGMT-ACL
0004 deny ip any any
0005 interface Vlan10
0006 ip access-group REMOTE-LOGIN-ONLY in

Step 18 Verify the configuration session to see if it can be installed in the forwarding
engines on the I/O modules.

N7010-V(config-s-if)# verify
Verification Successful

Step 19 Commit the access list to the configuration.

N7010-V(config-s)# commit
Commit Successful

Step 20 Examine the running configuration again to verify the ACL was successfully created
when you committed the session. The configuration should be visible now that the
commands stored in the configuration session were committed successfully.

N7010-V# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Sun Sep 18 04:58:51 2011

version 5.1(3)
object-group ip address MGMT-LANS
10 172.16.10.0/24
20 172.16.12.0/24
30 172.16.13.0/24
40 172.16.14.0/24
object-group ip port VIRTUAL-TERMINAL
10 range 22 23
20 eq 513
ip access-list REMOTE-LOGIN-ONLY
20 deny ip any any

interface Vlan10
ip access-group REMOTE-LOGIN-ONLY in

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Was the access list entered into the configuration and applied to interface VLAN 10?
_________________________________________________________________________
Step 21 From your Lab PC ping the IP address of your VLAN 10 SVI, which is
172.16.10.7V/24, where V is your VDC number to verify the ACL is working.



Request timed out.
Request timed out.
Request timed out.
Request timed out.


Step 22 Use Putty SSH to connect from your Lab PC to your Cisco Nexus 7000 VDC on the
VLAN 10 IP address 172.16.10.7V, where V is your VDC number. Disconnect after
verifying that you can log in to your VDC via SSH.
Note Pings failed because the only ports that are open are for the management subnets when
they access the Nexus 7000 via Telnet, SSH, or rlogin. Ping uses ICMP, which we did not
explicitly allow in the ACL. Since we included a deny any any line at the end to deny all
other traffic, pings get denied by the ACL. The ACL is working as expected.
Step 23 Connect to your assigned Cisco Nexus 7000 VDC with Putty SSH.
Step 24 Examine the access list REMOTE-LOGIN-ONLY.

N7010-V# show access-lists REMOTE-LOGIN-ONLY

IP access list REMOTE-LOGIN-ONLY
20 deny ip any any

Do you see any hits on the access list lines?
_________________________________________________________________________
Step 25 Enable statistics gathering for access list REMOTE-LOGIN-ONLY.

N7010-V(config)# configure
N7010-V(config)# ip access-list REMOTE-LOGIN-ONLY
N7010-V(config-acl)# statistics per-entry
N7010-V(config-acl)# exit
Note By default the Cisco Nexus switches do not collect access list statistics. You must explicitly
configure the ACL to log statistics in NX-OS.
Step 26 Connect to your assigned Lab PC and repeat the connectivity tests from Step 24 and
Step 25 to test ping and SSH login again. Then return to your mgmt0 SSH
connection to your VDC.
Step 27 Examine the access list REMOTE-LOGIN-ONLY again.

N7010-V(config)# show access-lists REMOTE-LOGIN-ONLY

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
statistics per-entry
20 deny ip any any [match=15]

Do you see hit counts for both access list lines now?
_________________________________________________________________________
Step 28 Expand the access list to see the hit counts for Telnet, SSH, and rlogin.

N7010-V(config)# show access-lists REMOTE-LOGIN-ONLY expanded

statistics per-entry
10 permit tcp 172.16.10.0/24 any range 22 telnet [match=25]
10 permit tcp 172.16.10.0/24 any eq login [match=0]
20 deny ip any any [match=20]
Note Since line 10 of the ACL includes references to two groups an IP address group and a port
group the line must be expanded to see the hits on all objects in the groups.
Step 29 Remove the access list REMOTE-LOGIN-ONLY from interface VLAN 10. You
may verify the ACL has been successfully removed by pinging the VLAN 10 SVI
again from your Lab PC if you wish.

N7010-V(config)# int vlan 10
N7010-V(config-if)# no ip access-group REMOTE-LOGIN-ONLY in

You have assigned your Lab PC NIC2 to VLAN 10 and assigned an IP address to the
VLAN 10 SVI in the 172.16.10.0/24 network.
You have verified connectivity from your Lab PC to your VDC to the VLAN 10 SVI.
You have configured an access list using object groups and applied it to the VLAN 10 SVI
on your Cisco Nexus 7000 VDC, using the Session Manager feature to commit the
configuration.
You have verified the operation of the access list and enabled statistics gathering.
You have removed the access list from interface VLAN 10 on your VDC.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configuring Port Security
During this task, you will configure the port security feature on your Cisco Nexus 7000 VDC.
Activity Procedure
Step 1 Connect to your assigned Cisco Nexus 7000 VDC mgmt0 interface using Putty SSH.
Step 2 Enable port security on the ethernet 1/C interface that connects to your Lab PC.

N7010-V(config)# feature port-security
N7010-V(config)# interface ethernet e1/C
N7010-V(config-if)# shutdown
N7010-V(config-if)# switchport port-security

Step 3 Configure the maximum MAC addresses allowed to connect to this port to two
MACs.

N7010-V(config-if)# switchport port-security max 2

Step 4 Examine the default port security parameters.

N7010-V(config-if)# show running-config port-security all

!Command: show running-config port-security all
!Time: Sun Sep 18 05:35:13 2011

version 5.1(3)
feature port-security

interface Ethernet1/C
switchport port-security
switchport port-security aging type absolute
switchport port-security aging time 0
switchport port-security maximum 2
switchport port-security violation shutdown
no switchport port-security mac-address sticky

Which action will the switch take when a security violation occurs? How many concurrent
MAC addresses are allowed on the port?
_________________________________________________________________________
Step 5 From your Lab PC ping the IP address of your VLAN 10 SVI, which is
172.16.10.7V/24, where V is your VDC number.



Reply from 172.16.10.7V: bytes=32 time=1ms TTL=255


G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 Go back to you Nexus 7000 VDC and examine the secure MAC addresses that were
learned.

N7010-V(conig-if)# show port-security address

Total Secured Mac Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8191

----------------------------------------------------------------------
Secure Mac Address Table
----------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ------ ----- -------------
10 0800.27E4.A4F0 DYNAMIC Ethernet1/C 0
10 001E.7964.3381 DYNAMIC Ethernet1/C 0
======================================================================

Step 7 Shut down interface Ethernet 1/C, configure 0000.0c12.3456 as the static secure
MAC address for the interface, and re-enable the interface.

N7010-V(config-if)# switchport port-security mac-address 0000.0c12.3456

Step 8 Examine the secure MAC address table again.

N7010-V(config-if)# show port-security address

Total Secured Mac Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8191

----------------------------------------------------------------------
Secure Mac Address Table
----------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ------ ----- -------------
10 0000.0C12.3456 STATIC Ethernet1/C 0
======================================================================

Step 9 Repeat the connectivity test again.



Request timed out.
Request timed out.
Request timed out.
Request timed out.


Step 10 Observe the console message, and then display the brief interface information for
Ethernet 1/C.

N7010-V(config-if)# 2011 Nov 12 16:01:13 N7010-V %ETHPORT-2-
IF_DOWN_ERROR_DISBALED: Interface Ethernet 1/C is down (Error disabled.
Reason:Security violation)

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
N7010-V(config-if)# show interface ethernet 1/C brief

------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/C 10 eth access down Sec-violation errDisable auto(D)

What is the state of the interface?
_________________________________________________________________________
Step 11 Examine the last line in the system log, in case you missed the console message.

N7010-V(config-if)# show logging last 1

2011 Nov 12 06:13:34 switch-N7010-V %ETHPORT-2-IF_DOWN_ERROR_DISABLED:
Interface Ethernet1/C is down (Error disabled. Reason:Security violation)

Step 12 Remove the statically configured secure MAC address from interface Ethernet 1/C.

N7010-V(config-if)# no switchport port-security mac-address 0000.0c12.3456

Step 13 Examine the interface state again.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/C 10 eth access down Sec-violation errDisable auto(D) --

Has the interface become active again?
_________________________________________________________________________

Step 14 Reactivate the interface by disabling and re-enabling it. This is necessary to clear the
violation and reset the port-security statistics. Disable port security.

N7010-V(config-if)# no switchport port-security

Step 15 Examine the interface state again to verify the port is up.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/C 10 eth access up none 1000(D) --

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 16 Repeat the connectivity test again to confirm that the connection is working again.





Step 17 Do not continue to the next task until you have restored connectivity from your Lab
PC to your Cisco Nexus 7000 VDC on VLAN 10. Troubleshoot as necessary.
You have assigned your Lab PC to VLAN 10 and assigned an IP address to it.
You have verified connectivity from your Lab PC to your Cisco Nexus 7000 VDC in
VLAN 10.
You have verified the operation of port security.
You have verified connectivity on VLAN 10 is restored at the end of the lab.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Configuring Traffic Storm Control
During this task, you will configure the storm control feature on the Cisco Nexus 7000 VDC
and verify its operation.
Activity Procedure
Step 1 Connect to your assigned Cisco Nexus 7000 VDC with Putty SSH.
Step 2 On the trunks that connect your Cisco Nexus 7000 VDC to your peer VDCs
configure traffic storm control. Set the threshold for broadcasts to 30 percent,
multicast to 40 percent, and unicast to 50 percent.

N7010-V(config-if-range)# storm-control broadcast level 30
N7010-V(config-if-range)# storm-control multicast level 40
N7010-V(config-if-range)# storm-control unicast level 50

Step 3 Examine traffic storm control operation on the configured interfaces.

N7010-V(config-if-range)# show interface ethernet 1/A, ethernet 1/B counters
storm-control

------------------------------------------------------------------------------
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
------------------------------------------------------------------------------
Eth1/A 50.00 50.00 50.00 0
Eth1/B 50.00 50.00 50.00 0

Step 4 Examine the running configuration for your interfaces that connect to your peers
VDCs.

N7010-V(config-if-range)# show running-config interface ethernet 1/A, ethernet
1/B

!Command: show running-config interface Ethernet1/A, Ethernet1/B
!Time: Sun Sep 18 06:31:07 2011

version 5.1(3)

interface Ethernet1/A
description Interface 1/A
switchport
switchport mode trunk
spanning-tree port type network
storm-control broadcast level 50
storm-control multicast level 50
storm-control unicast level 50
no shutdown

interface Ethernet1/B
description Interface 1/B
switchport
no shutdown

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Does the configuration reflect the commands that you typed?
_________________________________________________________________________
Step 5 Change the storm-control level for multicast to 40 percent and examine the
configuration on the interfaces again.

N7010-V(config-if-range)# storm-control multicast level 40
N7010-V# show running-config interface ethernet 1/A, ethernet 1/B

!Time: Sun Sep 18 06:32:19 2011

version 5.1(3)

switchport
no shutdown

switchport
no shutdown
Note There is only a single threshold for traffic storm control, which can be applied to any
combination of unicast, multicast, and broadcast traffic. The traffic types are not controlled
individually.

Done

Step 7 Save the running configuration on your Cisco Nexus 7000 VDC.


[########################################] 100%

You have configured traffic storm control on your Cisco Nexus 7000 VDC.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 4: Configuring OTV
In this activity you will setup OTV between your VDC and the other VDCs in the Nexus 7000
chassis.
Understand how OTV works and shares MAC addresses reachability information with other
OTV sites.
Configure one OTV site to participate in the same OTV overlay network as two other sites.
Extend a VLAN across the OTV overlay network between your VDC and the other VDCs in
the Nexus 7000 chassis.
Activity Objective
Overlay Transport Virtualization (OTV) is a Data Center Interconnect (DCI) technology, which
enables extension of VLANs across Layer 3 networks. This enables new options of data center
scale and design that have not been available in the past.
The two most common use cases for OTV are data center migration and workload mobility.
Many assume at first glance that OTV is only used to interconnect multiple physical data
centers. OTV is also an attractive solution inside the data center where Layer 3 interconnects
may segment the network, imposing boundaries on features that need to talk in the same Layer
2 broadcast domain, like VMware vMotion and clustering. OTV can overcome these
boundaries.
OTV uses the following multicast groups in the Transport Network:
An Any Source Multicast (ASM) group for neighbor discovery and to exchange MAC
reachability.
A Source Specific Multicast (SSM) group range to map internal multicast groups in the
sites to the multicast groups in the core, which will be leveraged to extend the multicast
data traffic across the overlay.
In this lab, you will configure OTV between your VDCs, which will extend a VLANa across
the Layer 3 networks that interconnect the VDCs as show in the visual objective.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Visual Objective
E1/33
VDC 3
E1/13
E1/32
VDC 2
E1/34
VLAN 10
MAC addr A
VLAN 10
MAC addr C
VLAN 10
MAC addr B
E1/15
E1/14
OTV
OVERLAY 1
IP
OTV ROUTING TABLE
MAC Next Hop
MAC A Local: E1/13
MAC B Overlay: VDC3
MAC C Overlay: VDC4
OTV ROUTING TABLE
MAC Next Hop
MAC A Overlay: VDC2
MAC B Local: E1/14
MAC C Overlay: VDC4
OTV ROUTING TABLE
MAC Next Hop
MAC A Overlay: VDC2
MAC B Overlay: VDC3
MAC C Local: E1/15
ENCAP DECAP
Extend VLAN 10

Required Resources
These are the resources and equipment required to complete this activity:
One Cisco Nexus 7000 VDC interconnected to at least one other VDC
Activity Procedure
Step 1 Shut down SVI VLAN 10. In production you cannot have the SVI of the VLAN to
be extended across the overlay network in the OTV VDC. This needs to reside in
another VDC or on another switch. We do not want to route our Lab PC traffic in
this lab.

N7010-V# configure

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 2 Shutdown your Ethernet 1/A and Ethernet 1/B interfaces that interconnect your
VDCs. We will be using a DCI technology (OTV) in this lab to communicate
between VDCs, instead of direct connections. Refer to the table to shut down the
correct interfaces in your VDC.
VDC # Shutdown 1/A Shutdown 1/B
2 Eth 1/1 Eth 1/3
3 Eth 1/2 Eth 1/5
4 Eth 1/4 Eth 1/6

N7010-V(config-if)# interface ethernet 1/A, ethernet 1/B
N7010-V(config-if-range)# shutdown

Step 3 Configure an IP address on the interface in your VDC that joins the Layer 3 DCI
(Data Center Interconnect). Also change the MTU size as OTV adds 42 bytes to the
packet with the DF (Dont Fragment) bit set in the IP header.
Enable IGMP version 3 so your site can join multicast groups in the OTV overlay
network. Refer to the provided table for the correct interface and IP address.
VDC # Interface 1/3V IP Address
2 Eth 1/32 10.4.14.2/24
3 Eth 1/33 10.4.14.3/24
4 Eth 1/34 10.4.14.4/24

N7010-V(config-if-range)# interface ethernet 1/3V
N7010-V(config-if)# no switchport
N7010-V(config-if)# ip address 10.4.14.V/24
N7010-V(config-if)# mtu 9216
N7010-V(config-if)# ip igmp version 3

Step 4 Verify the IP address and subnet mask are configured correctly on your Ethernet
1/3V interface connecting to the DCI. Make sure the interface 1/3V is up. Make sure
the VLAN 10 SVI is shutdown.

N7010-V(config-if)# show ip interface brief

IP Interface Status for VRF "default"(1)
Interface IP Address Interface Status
Vlan10 172.16.10.7V protocol-down/link-down/admin-down
loopback10 192.168.10.7V protocol-up/link-up/admin-up
Ethernet1/3V 10.4.14.V protocol-up/link-up/admin-up

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Verify the switchport connecting to your Pod PC is up and is member of VLAN 10.
This is the VLAN we will extend across the OTV overlay network. Refer to the
table for you correct Lab PC interface.
VDC # Interface 1/C
2 Eth 1/13
3 Eth 1/14
4 Eth 1/15


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/C 10 eth access up none 1000(D) -

Step 6 Verify connectivity between VDCs across the DCI (Data Center Interconnect) by
using ping. Ensure your VDC has connectivity to both other VDCs before
proceeding to the next step. You will have to wait for the other VDC s to complete
their IP configuration.
VDC # IP Address
2 10.4.14.2/24
3 10.4.14.3/24
4 10.4.14.4/24
Step 7 Create VLAN 502 in the VLAN database. VLAN 502 will be used as the OTV site-
vlan. Give VLAN 502 a meaningful name.

N7010-V(config-if)# vlan 502
N7010-V(config-vlan)# name OTVSiteVLAN
Note A site-vlan allows communication between OTV edge devices in the same site. An active
site VLAN is mandatory for OTV to function properly. Traffic will not be sent across the
overlay without an active site VLAN.
Note A site-vlan should never be extended across OTV. The site VLAN must remain local to a
site. The function of a site VLAN is to determine the AED (Authoritative Edge Device) if you
have more than one OTV device at a single site. Even if you only have a singe VDC for
OTV, you still must have an active site VLAN for OTV to function.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 8 A VLAN must be up on at least one interface to become active. Configure VLAN
502 as the allowed VLAN on an unused trunk interface in your VDC, according to
the table provided.
VDC # Interface 2/G
2 Eth 2/13
3 Eth 2/15
4 Eth 2/17

N7010-V(config-vlan)# interface ethernet 2/G
N7010-V(config-if)# switchport mode trunk
N7010-V(config-if)# switchport trunk allowed vlan 502
This will cause VLANS to be overwritten. Continue anyway? [yes] yes
Note In production the interfaces above could be used to connect to your second OTV device at a
local site. The Cisco Nexus 7000 and Cisco ASR 1000 both currently support OTV.
Step 9 Ensure the new VLAN to be used as the OTV site-vlan is active.

N7010-V(config-if)# show vlan id 502

VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
502 OTVSiteVLAN active Eth1/1, Eth1/3, Eth2/13

VLAN Type Vlan-mode
---- ----- ----------
502 enet CE

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- --------------- -----------------------------------------

Step 10 Enable the OTV feature. Ignore any license warnings, if applicable.

N7010-V(config-if)# feature otv

TRANSPORT_SERVICES_PKG license not installed. otv feature will be shutdown
after grace period of approximately 76 day(s)
N7010-V(config)# 2011 Nov 16 10:53:02 N7010-V %LICMGR-2-LOG_LICAPP_NO_LIC:
Application otv running without TRANSPORT_SERVICES_PKG license, shudown in 76
days
Note If you are unable to enable OTV, one person will have to connect to VDC 1 through the
console and issue the following command to enable the license grace-period to use the
feature for 120 days without a license: N7010(config)# license grace-period
Step 11 Designate the OTV site-vlan. All VDCs will use the same site VLAN per Ciscos
best practice recommendation. VLAN 1 is used by default. Cisco does not
recommend using VLAN 1 for your OTV site-vlan.

N7010-V(config)# otv site-vlan 502
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Step 12 Create a logical OTV overlay interface. The valid overlay range is from 0 to 65535.
Whenever the OTV edge device receives a Layer 2 frame destined for a remote
OTV site, the frame is logically forwarded to the overlay interface. This instructs the
edge device to perform the dynamic OTV encapsulation on the Layer 2 packet and
send it to the join interface toward the routed domain.
Configure a description on your overlay interface, replacing V with your VDC
number.

N7010-V(config-site-vlan)# interface overlay 1
N7010-V(config-if-overlay)# description OTV site V

Step 13 Configure the overlay ASM multicast control group. All OTV speakers in the same
overlay network use the same multicast group. This should be a unique multicast
group in the multicast network.

N7010-2(config-if-overlay)# otv control-group 239.1.1.1

Step 14 Configure the overlay SSM multicast data group which is used to encapsulate any
Layer 2 multicast traffic that is being extended across the Overlay. Any Layer 3
multicast will be routed off of the VLAN through regular multicast mechanisms that
exist on the network (i.e. multicast routing).

N7010-V(config-if-overlay)# otv data-group 232.1.1.0/28

Step 15 Configure an OTV join interface. This is the interface that will be used for the
IGMP join and will be the source IP address of all packets after encapsulation. This
interface connects to the routed domain.
Only one join interface is supported per OTV device, although a PortChannel
interface can be used. Replace V with your VDC number.

N7010-V(config-if-overlay)# otv join-interface e1/3V
OTV needs join interfaces to be configured for IGMP version 3
Note Note We have already enabled IGMPv3 on the join interface this is purely a reminder.
Step 16 Extend the VLAN that your Lab PC (and your peers Lab PCs) are members of,
VLAN 10.

N7010-V(config-if-overlay)# otv extend-vlan 10

Step 17 Enable the OTV overlay interface.

N7010-V(config-if-overlay)# no shutdown
N7010-V(config-if-overlay)# end

Step 18 View the current state of your overlay. The overlay VPN state should be up, VLAN
10 should be extended, and the site-vlan 502 should be up.

N7010-V# show otv

OTV Overlay Information

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Overlay interface Overlay1

VPN name : Overlay1
VPN state : UP
Extended vlans : 10 (Total:1)
Control group : 239.1.1.1
Data group range(s) : 232.1.1.0/28
Join interface(s) : Eth1/3V (10.4.14.V)
Site vlan : 502 (up)

Step 19 View the state of your OTV site. Your VDC should be the only device at your site.

N7010-V# show otv site

Site Adjacency Information (Site-VLAN: 502) (* - this device)

Overlay1 Site-Local Adjacencies (Count: 1)

Hostname System-ID Up Time Ordinal
-------------------------------- -------------- --------- ----------
* N7010-V 68bd.abd7.92cV 00:10:25 0

Step 20 Show the OTV adjacencies. You will see two neighbors, where X and Y are the
other VDCs in your Nexus 7000 chassis.
You will have to wait for your peers to finish configuring their overlay interface
before you see them in the output.

N7010-V# show otv adjacency

Overlay Adjacency database

Overlay-Interface Overlay1 :
Hostname System-ID Dest Addr Up Time State
N7010-X 68bd.abd7.92cX 10.4.14.X 00:16:50 UP
N7010-Y 68bd.abd7.92cY 10.4.14.Y 00:16:50 UP
Note If your peers have finished configuring their overlays and you still do not see any
adjacencies, reload your VDC with the command reload vdc. Your peers should do the
same. Then check the OTV adjacencies again. This reload is being phased out in coming
versions of NX-OS.
Note Since it is recommended to have a dedicated OTV VDC, in a production environment this
would be a non-disruptive reload.
Step 21 For more advanced adjacency information, view the tunnels automatically created
between your VDC and each of your peer VDCs.

N7010-V# show otv internal tunnel

-------Tunnel Src Dest Tree------------------
(10.4.14.V, 10.4.14.X): 402800640
Adj in Q: (Overlay1,10.4.14.X) 402800640

(10.4.14.V, 10.4.14.Y): 402800641
Adj in Q: (Overlay1,10.4.14.Y) 402800641

*********Tunnel If Index Tree********************
(10.4.14.V, 10.4.14.X): 402800640 : 402800640
(10.4.14.V, 10.4.14.Y): 402800641 : 402800641

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 22 Open a Command Prompt from your Lab PC and determine your Lab PCs MAC
address on NIC2 so we can look it up in the MAC address table of your VDC.
Use the ipconfig /all command, and scroll down to LAN 2.

Record your Lab PC NIC 2 MAC address:
_________________________________________________________________________
Step 23 From the Command Prompt of your Lab PC ping the other VDC PC IP addresses.
These pings will traverse the OTV overlay network. You have successfully
configured OTV when you can ping your peer VDCs Lab PCs.
VDC # Lab PC NIC2 IP Address
2 172.16.10.121
3 172.16.10.131
4 172.16.10.141
Note The first couple of pings may timeout.
Step 24 After pings are successful, switch back to your Nexus 7000 VDC and display the
MAC address table. You should find the other VDCs Lab PC MAC addresses that
were learned across the OTV overlay, marked as an O entry in VLAN 10,
meaning Overlay MAC. You should see your own MAC address recorded from
Step 22 as a * entry in VLAN 10, meaning primary entry.

N7010-V# show mac address-table

Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
G - 68bd.abd7.92c2 static - F F sup-eth1(R)
* 10 0800.27e4.a4f0 static - T T Eth1/1V
* 10 2037.069a.710f static - T T Eth1/1V
O 10 0800.2730.2449 dynamic 0 F F Overlay1
O 10 0800.27a0.fb60 dynamic 0 F F Overlay1
O 10 64d9.89c0.3f0f dynamic 0 F F Overlay1
O 10 64d9.89c0.430f dynamic 0 F F Overlay1
Note All Lab PC MAC addresses begin with 0800. The other MAC addresses in the table
correspond to the core switches that connect the backend lab infrastructure. Only use the
0800 MAC addresses for your OTV verification, ignore the others.
Step 25 View the OTV routing table. This should incorporate local reachability information
for the extended VLANs (VLAN 10) from the local MAC address table, as well as
routes learned from other OTV sites.

N7010-V# show otv route

OTV Unicast MAC Routing Table For Overlay1

VLAN MAC-Address Metric Uptime Owner Next-hop(s)
---- -------------- ------ -------- --------- -----------
10 0800.2730.2449 42 00:11:32 overlay N7010-X
10 0800.27a0.fb60 42 00:11:36 overlay N7010-Y
10 0800.27e4.a4f0 1 00:11:37 site Ethernet1/C
10 2037.069a.710f 1 00:16:36 site Ethernet1/C
10 64d9.89c0.3f0f 42 00:14:35 overlay N7010-X
10 64d9.89c0.430f 42 00:14:35 overlay N7010-Y

How can you tell whether the destination is local to your site or at a remote site that would
need to be encapsulated and forwarded over the OTV overlay network?
_________________________________________________________________________
Step 26 View the OTV site information. If you had multiple OTV devices at a single site,
this is where you can determine who has been elected the AED (Authoritative Edge
Device) for the various VLANs, designated by a star next to the VLAN.
The AED role is negotiated, on a per-VLAN basis, between all the OTV edge
devices belonging to the same site

N7010-V# show otv vlan

OTV Extended VLANs and Edge Device State Information (* - AED)

VLAN Auth. Edge Device Vlan State Overlay
---- ----------------------------------- ---------- -------
10* N7010-V active Overlay1

Step 27 There are several other interesting OTV show commands. Explore them as time
permits.

Done

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 29 Save the running configuration on your Cisco Nexus 7000 VDC.


[########################################] 100%
You were able to successfully ping from your Lab PC to the other Lab PCs across the OTV
overlay network.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 5: Implementing QoS for the Nexus 7000
Activity Objective
In this activity, you will configure Cisco Nexus 7000 QoS features to support the lab
requirements. After completing this activity, you will be able to meet these objectives:
Configure type QoS class maps and verify the configuration
Configure type QoS policy maps and verify the configuration
Configure type QoS service policies and verify that the configuration has been applied to
the correct traffic flow and is performing as expected
Visual Objective
Eth 1/A
Eth 1/B
Nexus 7000 VDC
mgmt0
10.1.1.2V
OTHER
VDCs
TRUNKS
STORAGE class = COS 4
NET-MGMT class = COS 2
INGRESS POLICY-MAP MARKING
Mark STORAGE DSCP AF41
Mark NET-MGMT DSCP CS2

Required Resources
One Cisco Nexus 7000 VDC
One Windows Lab PC
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
ip access-list <name> Defines an IP access list.
statistics per-entry Enables the gathering of statistics for an access list.
class-map type qos <name> Creates a class-map of type QoS.
match access-group name
<name>
Matches packets that are permitted by an access list.
show class-map type qos Displays the class maps of type QoS.
match cos <cos> Matches packets with a specific CoS value.
show class-map <name> Displays all class maps on the switch.
show running-config ipqos Shows the elements of the running configuration that are
related to QoS.
policy-map type qos
<name>
Creates a policy-map of type QoS.
class type qos <name> Enters class configuration mode for a class within the
policy map.
set qos-group <nr> Sets the internal QoS group marker.
show policy-map type qos Displays all policy-maps of type QoS on the switch.
class-map type network-qos
<name>
Creates a class map of type network-qos.
match qos-group <nr> Matches packets with a specific QoS group value.
policy-map type network-
qos <name>
Creates a policy-map of type network-qos.
class type network-qos
<name>
Enters class configuration mode for a class within the
policy-map
set cos <cos> Sets the CoS value.
show policy-map type
network-qos
Displays all policy-maps of type network-qos on the switch.
set dscp <dscp> Sets the DSCP value.
system qos Enters system QoS configuration.
service-policy type qos
input <name>
Associates an ingress policy-map of type QoS with an
interface.
service-policy type
network-qos <name>
Associates a policy-map of type network QoS with the
system QoS target.
show policy-map system Displays the policy-maps that are associated with the
system QoS target.
show policy-map interface
<intf> type qos
Displays the policy-map of type QoS that is associated with
an interface, including packet statistics for that interface.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure Class Maps
During this task, you will configure class maps of type QoS on your Cisco Nexus 7000 VDC.
Class-maps categorize traffic based on packet markings.
Activity Procedure
Step 1 Connect to your assigned Cisco Nexus 7000 VDC mgmt0 interface with Putty SSH.
Step 2 Create a class-map of type QoS named STORAGE.

N7010-V# configure
N7010-V(config)# class-map type qos STORAGE

Step 3 Configure the class-map to match packets marked with a CoS value of 4.

N7010-V(config-cmap-qos)# match cos 4
Note CoS, or Class of Service, is a QoS marking in the Layer 2 header of a frame. The CoS value
is marked in the 3-bit priority field of an 802.1Q VLAN tag, with possible values ranging from
zero to seven.
Note A QoS best practice is to classify and mark packets as close to the source as possible.
Step 4 Examine your class-map.

N7010-V(config-cmap-qos)# show class-map STORAGE

Type qos class-maps
====================

class-map type qos match-all STORAGE
match cos 4

Step 5 Configure a second class-map named NET-MGMT, which matches packets marked
with a CoS value of 2.

N7010-V(config-cmap-qos)# class-map type qos NET-MGMT
N7010-V(config-cmap-qos)# match cos 2
N7010-V(config-cmap-qos)# exit

Step 6 Examine the QoS portion of the running configuration to verify your class maps
have been configured correctly.

N7010-V(config)# show running-config ipqos

!Command: show running-config ipqos
!Time: Sun Sep 18 06:51:44 2011

version 5.1(3)
class-map type qos match-all STORAGE
match cos 4
class-map type qos match-all NET-MGMT
match cos 2

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
You have defined a class-map to identify storage traffic and network management traffic
based on CoS markings on your Cisco Nexus 7000 VDC.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configure Policy Maps
During this task, you will configure policy-maps of type QoS on your Cisco Nexus 7000 VDC.
Policy-maps determine what actions should be taken on different classes of traffic, identified by
class-maps.
Activity Procedure
Step 2 Define a policy map of type QoS named MARKING and associate the class map
STORAGE, defined in the previous Task.

N7010-V(config)# policy-map type qos MARKING
N7010-V(config-pmap-qos)# class type qos STORAGE
Note You may use tab completion for class and policy-map names in NX-OS.
Step 3 Examine the available attributes that can be set for the STORAGE class in the
current policy-map.

N7010-V(config-pmap-c-qos)# set ?

cos IEEE 802.1Q class of service
discard-class Discard class
dscp DSCP in IP(v4) and IPv6 packets
load-sharing Load sharing across ECMP by set out-of-order bit
precedence Precedence in IP(v4) and IPv6 packets
qos-group Qos-group

Can you set the CoS marking inside a policy map of type QoS on the Cisco Nexus 7000?
_________________________________________________________________________
Step 4 Mark all packets in the STORAGE class with DSCP value af41.
Mark all packets in the NET-MGMT class with DSCP value cs2.

N7010-V(config-pmap-c-qos)# class type qos STORAGE
N7010-V(config-pmap-c-qos)# set dscp af41
N7010-V(config-pmap-c-qos)# class type qos NET-MGMT
N7010-V(config-pmap-c-qos)# set dscp cs2
N7010-V(config-pmap-c-qos)# end

Step 5 Examine the policy maps of type QoS that exist on the switch.

N7010-V# show policy-map type qos

Type qos policy-maps
====================

policy-map type qos MARKING
class STORAGE
set dscp af41
class NET-MGMT
set dscp cs2

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
You have defined a policy map of type QoS that marks storage traffic and network
management traffic with DSCP markings on your Cisco Nexus 7000 VDC.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Configure Service Policies
During this task, you will configure service policies of type QoS on your Cisco Nexus 7000
VDC and verify their operation. Service policies define where a policy map should be applied.
Activity Procedure
Step 2 Apply the policy-map MARKING as an ingress service policy of type QoS on the
interfaces that connect to your peer VDCs.
This will mark class STORAGE with af41 and class NET-MGMT with cs2 on
traffic ingress to interfaces 1/A and 1/B.

N7010-V# configure
N7010-V(config-if-range)# service-policy type qos input MARKING

Step 3 Verify you have correctly applied the policy-map on your interfaces.

N7010-V(config-if-range)# show running-config interface e1/A, ethernet 1/B

!Time: Sun Sep 18 07:05:43 2011

version 5.1(3)

switchport
service-policy type qos input MARKING

switchport
service-policy type qos input MARKING


Done

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Save your configuration.

[########################################] 100%

You have associated a policy-map of type QoS and a policy-map of type network-qos as
service policies ingress to interface Ethernet 1/A and Ethernet 1/B, which connect to your
peer VDCs.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 6: Configuring System Management
Activity Objective
In this activity, you will configure system management features on your Cisco Nexus 7000
VDC. After completing this activity, you will be able to meet these objectives:
Configure the scheduler to run a job periodically on-demand, and verify the job runs when
configured to.
Configure Smart Call Home to send an email message when an event occurs, and verify
that the intended recipient receives the email.
Visual Objective
Nexus 7000 VDC
mgmt0
10.1.1.2V
TFTP Server
10.1.1.3V
SCHEDULER JOB
Bootflash
Running-
Config
Smart Call Home

Required Resources
One Windows Lab PC
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
show cli variables Displays the Cisco NX-OS system and user defined CLI
variables.
copy running-config
bootflash:/<filename>
Copies the current running configuration to a file in
bootflash.
dir bootflash: Lists the files in bootflash.
copy bootflash:<filename>
tftp://<ip-address> vrf
<vrf>
Copies a file in bootflash to a TFTP server.
feature scheduler Enables the scheduler feature.
scheduler job name <name> Creates a scheduler job.
scheduler schedule name
<name>
Creates a schedule.
job name <name> Assigns a job to a schedule.
time start +<time> Sets the start time for a schedule as an offset to the current
time.
show scheduler schedule Displays the configured schedules on the switch.
show scheduler logfile Displays the scheduler log.
time weekly <day-and-time> Sets a weekly recurring time for a schedule.
callhome Enters Smart Call Home configuration mode.
email-contact <email-
address>
Sets the email contact for Smart Call Home.
phone-contact <phone-
number>
Sets the contact phone number for Smart Call Home.
streetaddress <address> Sets the contact address for Smart Call Home.
destination-profile
<name> format
<format>
Creates a Smart Call Home destination profile using XML,
short text, or full text format.
destination-profile <name>
message-level <level>
Sets the Smart Call Home message level for a destination
profile.
alert-group <groups>
Sets the Smart Call Home alert groups for a destination
profile.
email-addr <email-address>
Sets the email-address to send Smart Call Home
messages to for a destination profile.
show callhome destination-
profile profile <name>
Displays the operational parameters for a Smart Call Home
destination profile.
message-size <size>
Sets the maximum message size for a Smart Call Home
destination profile.
transport email smtp-
server <ip-address> use-
vrf <vrf>
Sets the IP address for the SMTP server that is used to
send Smart Call Home messages.
transport email from
<email-address>
Sets the from email address used in Smart Call Home
messages.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
transport email reply-to
<email-address>
Sets the reply-to email address used in Smart Call Home
messages.
show callhome transport Displays the transport settings for Smart Call Home
messages.
enable Enables Smart Call Home
snmp-server contact
<contact-name>
Sets the SNMP sysContact name.
callhome test Generates a Smart Call Home message for testing
purposes.
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure the Scheduler
During this task, you will configure the Cisco NX-OS scheduler on your Cisco Nexus 7000
VDC.
Activity Procedure
Step 1 From your Lab PC, locate the 3CDaemon software in the system tray in the bottom
right-hand corner of a screen (the 3CDaemon icon looks like a blue square) and
launch the program.
Step 2 Under the TFTP Server option on the left side of the screen, make sure that the
TFTP server is started. If it says TFTP Server is stopped. Click here to start it,
click the green button to enable it.
Note If you get an error telling you TFTP Server: Couldnt bind socket. Winsock error 10048. Is
another TFTP server running? this means the TFTP server is already started. Close the
3CDaemon window and open the active window by double-clicking the blue 3CD icon in the
lower-right hand corner of the Lab PC.
Step 4 Examine the default CLI variables that are available on your VDC.

N7010-V# show cli variables

VSH Variable List (* = session vars)
-----------------
SWITCHNAME="N7010-V"
TIMESTAMP="2011-09-18-12.34.23"

Step 5 Copy the running configuration to the bootflash on the supervisor module. Use the
SWITCHNAME and TIMESTAMP variables to create the filename.
Use $(SWITCHNAME)-$(TIMESTAMP).cfg as the name of the file to create the
file and copy the running-config to bootflash.

N7010-V# copy running-config bootflash:/$(SWITCHNAME)-$(TIMESTAMP).cfg

Step 6 List the files in bootflash to verify that the file has been created with the correct
hostname and timestamp.

N7010-V# dir bootflash:
3454 Sep 18 12:36:40 2011 switch-N7010-V-2011-09-18-12.36.40.cfg
[output omitted]
Note Each non-default VDC has its own subdirectory in the root of the bootflash file structure. The
root bootflash directory is only visible from VDC 1, and is also where the NX-OS system and
kickstart images are stored. Non-default VDCs cannot view other VDCs files on bootflash.
Therefore, VDCs are isolated at the file system level as well.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 7 Copy the configuration file from bootflash to the TFTP server running on your
Windows Lab PC. Use the TFTP destination IP address of NIC1 on your Lab PC,
which is 10.1.1.3V, where V is your VDC number.
Tip Use tab completion to fill in the file name.
N7010-V# copy bootflash:N7010-V-2011-02-21-01.26.44.cfg tftp://10.1.1.3V vrf
management
Trying to connect to tftp server......
Connection to Server Established.
TFTP put operation was successful

Step 8 Switch back to 3CDaemon and verify the TFTP server received the configuration
file from your VDC.

Note Do not continue to the next step until you have successfully created a copy of the
configuration in the bootflash and subsequently copied it to the TFTP server running on your
Lab PC.
Step 9 Go back to your Putty session. Enable the scheduler feature.

N7010-V# configure
N7010-V(config)# feature scheduler
Note The scheduler feature allows you to define and schedule maintenance activities like QoS
policy changes, backup, and saving configurations. This feature does not require a license.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 Create a scheduler job named BACKUP-CONFIG that will automate the
configuration copying we performed at the beginning of this task:
Copy the running configuration to bootflash using CLI variables $(SWITCHNAME)-
$(TIMESTAMP).cfg in the filename.
Copy the running configuration to the TFTP server running on your Lab PC, also using CLI
variables $(SWITCHNAME)-$(TIMESTAMP).cfg in the filename.

N7010-V(config)# scheduler job name BACKUP-CONFIG
N7010-V(config-job)# copy running-config bootflash:/$(SWITCHNAME)-
$(TIMESTAMP).cfg
N7010-V(config-job)# copy running-config tftp://10.1.1.3V/$(SWITCHNAME)-
$(TIMESTAMP).cfg vrf management
N7010-V(config-job)# exit

Step 11 Create a schedule named TEST-BACKUP that runs the job BACKUP-CONFIG we
just created one time, starting one minute from now.

N7010-V(config)# scheduler schedule name TEST-BACKUP
N7010-V(config-schedule)# job name BACKUP-CONFIG
N7010-V(config-schedule)# time start +1
N7010-V(config-schedule)# exit

Step 12 Examine the schedule.

N7010-V(config)# show scheduler schedule

Schedule Name : TEST-BACKUP
---------------------------------
User Name : admin
Schedule Type : Run once on Sun Sep 18 12:54:00 2011
Last Execution Time : Yet to be executed
-----------------------------------------------
Job Name Last Execution Status
-----------------------------------------------
BACKUP-CONFIG -NA-
==============================================================================

Step 13 Wait a minute and then examine the schedule again to see if the task has run.

N7010-V(config)# show scheduler schedule

Schedule Name : TEST-BACKUP
---------------------------------
User Name : admin
Schedule Type : Run once on Sun Sep 18 12:54:00 2011
Last Execution Time : Sun Sep 18 12:54:00 2011
Last Completion Time: Sun Sep 18 12:54:04 2011
Execution count : 1
-----------------------------------------------
-----------------------------------------------
BACKUP-CONFIG Success (0)
==============================================================================

Did the backup job succeed?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 14 Examine the scheduler log.

N7010-V(config)# show scheduler logfile

Job Name : BACKUP-CONFIG Job Status: Success (0)
Schedule Name : TEST-BACKUP User Name : admin
Completion time: Sun Sep 18 12:54:04 2011
--------------------------------- Job Output ---------------------------------
`copy running-config bootflash:/N7010-V-2011-09-18-12.54.00.cfg`
`copy running-config tftp://10.1.1.3P/N7010-V-2011-09-18-12.54.02.cfg vrf
management `
Connection to Server Established.
[ ] 0.50KBTrying to connect to tftp
server......

TFTP put operation was successful
`end`
==============================================================================

Step 15 Examine the TFTP server, and then view the bootflash on the Cisco Nexus 7000 to
verify the new automated backup files are present.
Step 16 Now that we have verified our temporary schedule is effective, remove the schedule
TEST-BACKUP and create a new permanent schedule named WEEKLY-BACKUP,
which runs the same job BACKUP-CONFIG every Sunday at 10:00 PM.

N7010-V(config)# no scheduler schedule name TEST-BACKUP

N7010-V(config)# scheduler schedule name WEEKLY-BACKUP
N7010-V(config-schedule)# job name BACKUP-CONFIG
N7010-V(config-schedule)# time weekly 1:22:00
N7010-V(config-schedule)# exit
Note There are many syntax options for configuring the schedule time. In this schedule 1:22:00, 1
specifies the first day of the week, and 22:00 is 10pm on a 24-hour clock.
Step 17 Examine the WEEKLY-BACKUP schedule.

N7010-V(config)# show scheduler schedule name WEEKLY-BACKUP

Schedule Name : WEEKLY-BACKUP
-----------------------------------
User Name : admin
Schedule Type : Run on every Sunday at 22 Hrs 0 Mins
Last Execution Time : Yet to be executed
-----------------------------------------------
-----------------------------------------------
BACKUP-CONFIG -NA-
==============================================================================

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
You have created a manual backup of the configuration using the system CLI variables in
bootflash and on a TFTP server on your Lab PC.
You have created a scheduler job that creates a backup of the running configuration in
bootflash and on the TFTP server and successfully run the scheduler job as a one-time job
for testing purposes.
You have configured a permanent weekly backup schedule for the backup scheduler job.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configure Smart Call Home
During this task, you will configure the Smart Call Home feature on your Cisco Nexus 7000
VDC. Cisco Smart Call Home provides proactive notification via email for system events and
policies. Cisco Smart Call Home can send information in a variety of message formats
including support for pager services, email, or XML-based parsing applications. Cisco Smart
Call Home can also automatically generate TAC (Technical Assistance Center) cases.
Activity Procedure
Step 2 Enter Smart Call Home configuration mode and specify customer information
according to the following table:
Parameter Value
Email contact VDCV-admin@example.net, where V is your VDC number
Phone contact +1-555-867-5309
Street address 123 Main Street, Sometown, USA

N7010-V(config)# callhome
N7010-V(config-callhome)# email-contact VDCV-admin@example.net
N7010-V(config-callhome)# phone-contact +1-555-867-5309
N7010-V(config-callhome)# streetaddress 123 Main Street, Sometown, USA

Step 3 Verify the operational Smart Call Home parameters.

N7010-V(config-callhome)# show callhome

callhome disabled
Callhome Information:
contact person name(sysContact):
contact person's email:VDCV-admin@example.net
contact person's phone number:+1-555-867-5309
street addr:123 Main Street, Sometown, USA
site id:
customer id:
contract id:
switch priority:7
duplicate message throttling : enabled
periodic inventory : enabled
periodic inventory time-period : 7 days
periodic inventory timeofday : 08:00 (HH:MM)
Distribution : Disabled

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 4 Create a destination profile named NEXUS-OPS to be used by Smart Call Home for
notifications using the information in the following table.
Parameter Value
Profile name NEXUS-OPS
Message format Full text
Message level 2
Alert group All
Destination email address VDCV@cisco.com, where V is your VDC number

N7010-V(config-callhome)# destination-profile NEXUS-OPS format full-txt
N7010-V(config-callhome)# destination-profile NEXUS-OPS message-level 2
N7010-V(config-callhome)# destination-profile NEXUS-OPS alert-group all
N7010-V(config-callhome)# destination-profile NEXUS-OPS email-addr
VDCV@cisco.com

Step 5 Examine the Smart Call Home destination profile NEXUS-OPS.

N7010-V(config-callhome)# show callhome destination-profile profile NEXUS-OPS

NEXUS-OPS destination profile information
maximum message size:2500000
message format:full-txt
message-level:2
transport-method:email
email addresses configured:
VDCV@cisco.com

url addresses configured:

alert groups configured:
all

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 Configure two more destination profiles according to the following table.
Parameter Value
Profile name SMS
Message format Short text
Message level 6
Message size 160 characters
Alert group All
Parameter Value
Profile name TICKETING-SYSTEM
Message format XML
Message level 1
Alert group All
Note The three destination profiles represent three different uses of Smart Call Home. The
NEXUS-OPS profile is used to send email to a group of network operators. The SMS profile
is used to send high priority messages to a select group of users via an email-to-SMS
gateway. The TICKETING-SYSTEM profile is used to send messages to a ticketing system
that can parse XML-based messages. Normally, each of these profiles would use a separate
destination email address, but in this lab exercise the same email address is used for all
three profiles.
N7010-V(config-callhome)# destination-profile SMS format short-txt
N7010-V(config-callhome)# destination-profile SMS message-level 6
N7010-V(config-callhome)# destination-profile SMS message-size 160
N7010-V(config-callhome)# destination-profile SMS alert-group all
N7010-V(config-callhome)# destination-profile SMS email-addr VDCV@cisco.com

N7010-V(config-callhome)# destination-profile TICKETING-SYSTEM format xml
N7010-V(config-callhome)# destination-profile TICKETING-SYSTEM message-level 1
N7010-V(config-callhome)# destination-profile TICKETING-SYSTEM alert-group all
N7010-V(config-callhome)# destination-profile TICKETING-SYSTEM email-addr
VDCV@cisco.com

Step 7 Configure the global Smart Call Home sender and reply-to email settings according
to the following table.
Parameter Value
SMTP server 10.1.1.25 (non-existent)
VRF Management
From email address callhome@example.net
Reply-to email address VDCV-admin@example.net, where V is your VDC number

N7010-V(config-callhome)# transport email smtp-server 10.1.1.25 use-vrf
management
N7010-V(config-callhome)# transport email from callhome@example.net
N7010-V(config-callhome)# transport email reply-to VDCV-admin@example.net
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Step 8 Examine the Smart Call Home transport parameters.

N7010-V(config-callhome)# show callhome transport

http vrf:default

from email addr:callhome@example.net
reply to email addr:VDCV-admin@example.net

smtp server:10.1.1.25
smtp server port:25
smtp server vrf:management
smtp server priority:0

Step 9 Enable Smart Call Home.

N7010-V(config-callhome)# enable

sysContact is not configured
callhome can not be enabled on the switch,
because necessary configuration has not been done
Please check if all of following configuration is done
contact person name(sysContact)
contact person's email
contact person's phone number
street addr
To configure sysContact, please use snmp-server command

N7010-V(config-callhome)# exit
Note In addition to the Smart Call Home parameters, the Smart Call Home feature also requires
the SNMP sysContact variable to be set before Smart Call Home can be enabled.
Step 10 Configure the SNMP sysContact to be VDC V Administrator, where V is your
VDC number.

N7010-V(config)# snmp-server contact VDC V Administrator

Step 11 Enable Smart Call Home.

N7010-V(config)# callhome
N7010-V(config-callhome)# enable
N7010-V(config-callhome)# end

Step 12 Generate test messages to verify the operation of Smart Call Home.

N7010-V# callhome test

trying to send test callhome message
successfully sent test callhome message
warning:
The specified message level for destination profile: SMS is higher than the
level for alert Test(2)
no email address configured for destination profile:full_txt
no email address configured for destination profile:short_txt
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
no email address configured for destination profile:CiscoTAC-1 SMTPclient:
Host:10.1.1.25:Invalid hostname or address for mailhost
Error in transporting email message for TICKETING-SYSTEM
SMTPclient: Host:10.1.1.25:Invalid hostname or address for mailhost
Note The SMTP server does not exist, so the last part of the test will not go through. This is
however the correct process for testing Smart Call Home configuration.

Done

Step 14 Save the configuration in your Cisco Nexus 7000 VDC.

[########################################] 100%

You have configured and tested Smart Call Home on your Cisco Nexus 7000 VDC.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 7: Implementing Cisco DCNM
Activity Objective
In this activity, you will configure Cisco DCNM to perform network discovery and network
management of the Cisco Nexus 7000. After completing this activity, you will be able to meet
these objectives:
Use Cisco DCNM to perform a network discovery of the network infrastructure
Use Cisco DCNM to perform a platform inventory of the Cisco Nexus 7000
Use Cisco DCNM to monitor and manage the discovered network
Use Cisco DCNM to troubleshoot issues on the Cisco Nexus 7000
Visual Objective
DCNM
Server
DCNM Client
10.1.1.250
VDC 2
VDC 3
VDC 4
Nexus 7010

Required Resources
One Windows Lab PC
One DCNM Server
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
no feature otv Disables the Overlay Transport Virtualization (OTV)
feature.
switchport Configures an interface as a Layer 2 switched port.
switchport mode trunk Configures an interface to be an 802.1Q trunk.
network
Configures the port as a spanning-tree edge port.
show cdp neighbors Displays the list of Cisco Discovery Protocol neighbors.
show diff rollback-patch
startup-config running-
config
Displays the differences between the running configuration
and startup configuration.
show vlan id <vlan-id> Displays the properties of a specific VLAN.
show running-config
interface <intf>
Displays the running configuration for a specific interface.
show startup-config vlan Displays the startup configuration for a specific VLAN.
show logging last <nr> Displays the last number of lines in the system log file.
show running-config vlan
<vlan-id>
Displays the running configuration for a specific VLAN.
copy bootflash:<filename>
running-config
Merges the configuration in a file in bootflash with the
current running configuration.
checkpoint <name> Creates a configuration checkpoint.
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Network Discovery
During this task, you will discover the network in your VDC and peer VDCs using Cisco
DCNM (Data Center Network Manager).
Activity Procedure
Step 2 Disable the OTV feature that was configured in a previous lab exercise and
shutdown the interface used in the OTV labs, according to the table provided.
SHUTDOWN Interface 1/D Interface 2/G
VDC 2 Eth 1/32 Eth 2/13
VDC 3 Eth 1/33 Eth 2/15
VDC 4 Eth 1/34 Eth 2/17

N7010-V# configure
N7010-V(config)# no feature otv
N7010-V(config)# interface ethernet 1/D, 2/G

Step 3 Ensure the interfaces interconnecting your VDC to your peer VDCs are Layer 2
trunks and enable Spanning-Tree bridge assurance on the ports. Enable the
interfaces.
VDC # Interface 1/A Interface 1/B
VDC 2 Eth 1/1 Eth 1/3

N7010-V(config-if-range)# interface ethernet 1/A, ethernet 1/B
N7010-V(config-if-range)# switchport
N7010-V(config-if-range)# switchport mode trunk

Step 4 Connect to your assigned Lab PC.
Step 5 Download the Cisco DCNM client application by opening a web browser and
navigating to the following URL:
http://10.1.1.250:8080/dcnm-client/index.html
Step 6 Click Launch DCNM-LAN Client to download the client to your Lab PC.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 7 Use the client application to log in to the Cisco DCNM server. Use the following
information to connect:
DCNM Server: 10.1.1.250
Username: admin
Password: C1sco12345

Step 8 The application should open on the Device Discovery screen. In this screen, fill in
the mgmt0 IP address of your Cisco Nexus 7000 VDC as the Seed Device. Refer to
the Lab IP Address Plan job aid to find the correct IP address.
Provide the user name admin and password C1sco12345 of your as the credentials
to be used for device discovery. Set the number of hops to discover to 1.
Note If the Device Discovery screen does not come up automatically click the DCNM Server
Administration button in the left-hand pane, and then select Device Discovery.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 9 Click Start Discovery and wait for device discovery to complete.
Step 10 Stay on the DCNM Server Administration tab and select Devices and
Credentials.
Verify you see three devices listed: Your VDC and your peer VDCs. All devices
should be listed as managed.

Step 11 On the left side of the screen, select the Topology tab and examine the Topology
View of your Nexus 7000. Click the Hide/Show Details icon, select your VDC, and
click the Properties tab to view information associated with the topology diagram.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 12 Make note of some of the other icons. Save your topology diagram by clicking the
Save Layout button.

Step 13 Move some devices in the layout and then return to the saved layout using the
Reload Layout button.
Step 14 Use the Export as JPG button to save your topology to the desktop as a JPG file
named Topology Diagram.jpg.
Tip Use the Legend button to find out the meaning of the different types of icons in the topology
view.
Step 15 Connect to your Cisco Nexus 7000 VDC mgmt0 interface with Putty SSH.
Step 16 Examine the differences between the running configuration and the startup
configuration that you saved in the previous lab.

N7010-V# show diff rollback-patch startup-config running-config

Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch

!!
no interface Overlay1
no feature otv
!
hostname N7010-V
logging level port-security 5
logging level interface-vlan 5
!
interface Ethernet1/1
no shutdown
!
no shutdown
!
shutdown
!
shutdown

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Do you see significant differences in the configurations?
_________________________________________________________________________
Note During device discovery, if Cisco DCNM finds that a logging level on a discovered device is
below the minimum logging-level requirement for that logging facility, Cisco DCNM raises
the logging level to meet the minimum requirement. If logging levels meet or exceed the
requirements, Cisco DCNM does not change the logging levels during discovery.

[########################################] 100%

Step 18 Go back to your Cisco DCNM client and spend some time examining the various
options in the topology view of Cisco DCNM before moving on to the next task.
You have logged into your assigned Cisco DCNM server using the Cisco DCNM client.
You have performed a device discovery using your Cisco Nexus 7000 VDC as the seed
device.
You have discovered the other VDCs in your Cisco Nexus 7000 chassis.
You have examined the network map in the topology view of Cisco DCNM and explored
the view options.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Platform Inventory
During this task, you will perform a platform inventory for all of the VDCs in your Nexus 7000
chassis.
Activity Procedure
Step 1 Connect to your assigned Windows Lab PC and open the Cisco DCNM client.
Step 2 On the left side of your screen select the Inventory tab. Expand the inventory of the
Cisco Nexus 7000 chassis.

How many fabric modules are installed in the Cisco Nexus 7000 chassis?
_________________________________________________________________________
How many power supplies are present in the Cisco Nexus 7000 chassis? What is the
capacity of the power supplies? What is the actual power draw of the switch?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 3 Click on the top-level object representing the Nexus 7000 chassis. Click the
Environmental Status tab.

What are the administrative and operational power supply redundancy modes for the
switch?
_________________________________________________________________________
Step 4 Try to change the administrative power supply redundancy setting for the switch by
selecting a different power supply redundancy mode and then selecting Deploy in
the File menu.
Did you succeed in changing the power supply redundancy mode? Why could you or could
you not change this setting?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Go to the Memory Utilization tab of the Nexus 7000 chassis. Click New Charts in
the toolbar and create a chart that graphs the memory utilization on the switch.
Set the frequency of the chart to 30 seconds and start the data collection for the
chart. Click Okay if you get a license warning. Wait a few minutes to allow the
chart to collect some data.

Step 6 Spend some time examining the various options in the inventory view of DCNM
before moving on to the next task.
You have reviewed the hardware inventory of the Nexus 7000 chassis.
You have created a chart of the memory usage on your Nexus 7000 chassis.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Monitoring
During this task, you will monitor and manage the Cisco Nexus 7000 chassis.
Activity Procedure
Step 1 Connect to your assigned Windows Lab PC and open the Cisco DCNM client.
Step 2 On the left-hand side of your screen, select the Interfaces bar. Select the item for the
physical Ethernet interfaces.
Step 3 Select your Cisco Nexus 7000 VDC and select the interface that connects your VDC
to your Lab PC in slot 1, interface 1/C (your third interface).

Examine the port details and status. Which type of transceiver is plugged into this
interface?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 4 Go to the port mode settings. Change the port mode to trunk, change the native
VLAN

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Step 5 Switch back to your Cisco Nexus 7000 VDC mgmt0 interface with Putty SSH.
Step 6 Verify that the new VLAN 999 exists and that the configuration for the port was
changed.

N7010-V# show vlan id 999

VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
999 VLAN0999 active Eth1/A, Eth1/B, Eth1/C

VLAN Type Vlan-mode
---- ----- ----------
999 enet CE

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- --------------- -----------------------------------------

N7010-V# show running-config interface ethernet 1/C

!Command: show running-config interface Ethernet1/C
!Time: Sun Sep 18 14:42:10 2011

version 5.1(3)

interface Ethernet1/C
description Interface 1/C
switchport
siwtchport port-security maximum 2
switchport access vlan 10
switchport trunk native vlan 999
spanning-tree port type edge
no shutdown

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Was the changed configuration saved to the startup configuration automatically?
_________________________________________________________________________

N7010-V# show startup-config vlan

!Command: show startup-config vlan
!Time: Sun Sep 18 14:52:41 2011
!Startup config saved at: Sun Sep 18 01:40:26 2011

version 5.1(3)
vlan 1,10,12-14,502
vlan 1
vlan 10
name TEST
vlan 12-14
vlan 502
name OTVSiteVLAN

Step 7 Return to the Cisco DCNM client and use the option Copy Run to Start from the
View menu to save the running configuration.

Return to your Cisco Nexus 7000 VDC to verify that the configuration was saved. Did it
work?
_________________________________________________________________________
Step 8 Try again, but make sure that you have selected your Cisco Nexus 7000 VDC in the
view instead of the interface.
Was the configuration saved this time?
_________________________________________________________________________

N7010-V# show startup-config vlan

!Command: show startup-config vlan
!Time: Sun Sep 18 15:08:49 2011
!Startup config saved at: Sun Sep 18 15:07:48 2011

version 5.1(3)
vlan 1,10,12-14,502,999
vlan 1
vlan 10
name TEST
vlan 12-14
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
vlan 502
name OTVSiteVLAN
vlan 999

Step 9 Return to the Cisco DCNM client and select the interface that connects your VDC to
your Lab PC again. Select the Events tab for the interface and review the events for
the interface.

Step 10 Click the Statistics tab for the interface. Click New Chart in the top menu bar, and
select Traffic Statistics. Select the checkboxes to graph unicast, multicast, and
broadcast ingress and egress traffic.
What is the maximum number of parameters that can be graphed in a single chart?
_________________________________________________________________________

Step 11 Deselect the multicast packets and click the chart. Set the Select Frequency option
to 30 secs, and then click Start. Click Okay if you get a license warning.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Let the collection run for a couple of minutes to collect statistics, and then observe
the output.
Step 12 Spend some time examining the various options in the interface view of DCNM
before moving on to the next task.
Step 13 Return to your VDC via Putty SSH.
Step 14 Undo the changes you made in DCNM to your Eth 1/C interface.
VDC # Interface 1/C
VDC 2 Eth 1/13
VDC 3 Eth 1/14
VDC 4 Eth 1/15

N7010-V# configure
N7010-V(config)# interface ethernet 1/C
N7010-V(config-if)# switchport mode access
N7010-V(config-if)# no switchport trunk native vlan 999
N7010-V(config-if)# no vlan 999
N7010-V(config-if)# end


Done


[########################################] 100%
You have examined the interface status and parameters of the devices in your VDC.
You have changed the native VLAN for a trunk port using the Cisco DCNM client.
You have created a chart of the unicast, multicast, and broadcast interface utilization for an
interface on your Cisco Nexus 7000 VDC.
You have returned your interface ethernet 1/C configuration back to normal.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 8: Configuring Cisco FabricPath
FabricPath is a new technology that replaces traditional Spanning-Tree networks. FabricPath
provides separate and intelligent control and data planes, does not block any links, handles
unknown unicast/multicast/broadcast traffic efficiently, and uses Layer 2 ISIS to determine the
best paths. FabricPath brings the benefits of Layer 3 routing to flexible Layer 2 bridged
Ethernet networks.
Activity Objective
In this activity, you will implement Cisco FabricPath and understand Equal Cost Multipathing
capabilities. After completing this activity, you will be able to meet these objectives:
Understand the function of the FabricPath ID
Understand the control plane function of FabricPath
Understand the data plane function of FabricPath
Visual Objective
Eth 2/13 Eth 2/15 Eth 2/17
VDC 2 VDC 3 VDC 4
Eth 2/2 Eth 2/1 Eth 2/3 Eth 2/4 Eth 2/11 Eth 2/12
FabricPath
(No STP)
Classical Ethernet Classical Ethernet Classical Ethernet
STP VLAN 10 STP VLAN 10 STP VLAN 10

Required Resources
Three Windows Lab PCs
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command Description
feature-set fabricpath Enables the fabricpath feature set.
show fabricpath switch-id Lists the switch IDs of all switches in the Cisco FabricPath
network.
fabricpath switch-id <id> Changes the Cisco FabricPath switch ID of a switch.
switchport mode fabricpath Configures an interface as a Cisco FabricPath port.
show fabricpath isis
adjacency
Displays the list of Cisco FabricPath IS-IS neighbors.
show fabricpath route Displays the Cisco FabricPath routing table.
mode fabricpath Changes a VLAN to a Cisco FabricPath VLAN.
show mac address-table
vlan <vlan>
Displays the MAC address table for a VLAN.
show mac address-table
address <mac-address>
Displays the MAC address table entry for a specific MAC
address.
Job Aids
Lab connections
Lab IP address plan
Activity Procedure
Step 1 Connect to your assigned Cisco Nexus 7000 VDC via Putty SSH.
Step 2 Shutdown all interface on module one, according to the provided table.
VDC # Shut 1/A Shut 1/B Shut 1/C Shut 1/D
VDC 2 Eth 1/1 Eth 1/3 Eth 1/13 Eth 1/32

N7010-V# configure
N7010-V(config)# interface ethernet 1/A, ethernet 1/B, ethernet 1/C, ethernet
1/D

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 3 Enable the following interfaces on module two, according to the table provided.
VDC # 2/E 2/F 2/G
VDC 2 Eth 2/1 Eth 2/2 Eth 2/13
VDC 3 Eth 2/3 Eth 2/4 Eth 2/15
VDC 4 Eth 2/11 Eth 2/12 Eth 2/17

N7010-V(config-if-range)# interface ethernet 2/E-F, ethernet 2/G

Step 4 On your module two interface 2/G connecting to your Lab PC, ensure the native
VLAN is 10 and VLAN 10 is the only allowed VLAN on the trunk.
VDC # 2/G
VDC 2 Eth 2/13
VDC 3 Eth 2/15
VDC 4 Eth 2/17

N7010-V(config-if-range)# interface ethernet 2/G
N7010-V(config-if)# switchport mode trunk
N7010-V(config-if)# switchport trunk native vlan 10
N7010-V(config-if)# switchport trunk allowed vlan 10
This will cause VLANs to be overwritten. Continue anyway? [yes] yes

Step 5 Enable the FabricPath feature set on your VDC. This will create a FabricPath switch
ID. The switch ID is a 12-bit value dynamically assigned to every switch in the
FabricPath network, with a unique ID for each switch.
Optionally, you can configure a switch ID. If any of the switch IDs in the FabricPath
network are not unique, the system provides automatic conflict resolution.

N7010-V(config)# feature-set fabricpath
Note If you get an error, someone will need to go to the console to VDC 1 and issue the same
command.
Step 6 Examine the FabricPath switch ID of your Cisco Nexus 7000 VDC.

N7010-V(config)# show fabricpath switch-id

FABRICPATH SWITCH-ID TABLE
Legend: '*' - this system
=========================================================================
SWITCH-ID SYSTEM-ID FLAGS STATE STATIC EMULATED
----------+----------------+------------+-----------+--------------------
*341 68bd.abd7.92cV Primary Confirmed No No

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 7 Configure a static switch ID for your VDC to be V, where V is your VDC number. It
is recommended to change the switch ID, as it is much easier for troubleshooting
sanity.

N7010-V(config)# fabricpath switch-id V

Step 8 Verify the configured FabricPath switch ID.

N7010-V# show fabricpath switch-id

=========================================================================
----------+----------------+------------+-----------+--------------------
*V 68bd.abd7.92cV Primary Confirmed Yes No
Total Switch-ids: 1

Step 9 Configure the interfaces interconnecting the VDCs to be converted to the new
switchport mode: FabricPath. Refer to the table below for the correct interfaces for
your VDC. Together, the three VDCs will become the FabricPath network.
VDC Number Interface 2/D Interface 2/E
VDC2 E2/1 E2/2
VDC3 E2/3 E2/4
VDC4 E2/11 E2/12

N7010-V(config)# interface ethernet 2/D-E
N7010-V(config-if-range)# switchport mode fabricpath

Step 10 Display the FabricPath switch IDs and verify you can see your peer VDC switch IDs
as well.

N7010-V(config)# show fabricpath switch-id

=========================================================================
----------+----------------+------------+-----------+--------------------
*2 68bd.abd7.92c2 Primary Confirmed Yes No
3 68bd.abd7.92c3 Primary Confirmed Yes No
4 68bd.abd7.92c4 Primary Confirmed Yes No
Total Switch-ids: 3
Note Do not continue to the next step until you see your peer VDCs switch IDs listed.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 11 Next we will look at the L2 ISIS adjacencies. This information is exchanged
automatically and will be used to build the FabricPath table.
Use the show fabricpath isis adjacency command to verify that FabricPath IS-IS
adjacencies have been formed between your VDC and your peer VDCs. You output
may vary depending on your VDC number.

N7010-V(config)# show fabricpath isis adjacency

Fabricpath IS-IS domain: default Fabricpath IS-IS adjacency database:
System ID SNPA Level State Hold Time Interface
N7010-3 N/A 1 UP 00:00:29 Ethernet2/1
N7010-4 N/A 1 UP 00:00:28 Ethernet2/2

Step 12 Examine the FabricPath routing table.

N7010-V# show fabricpath route

FabricPath Unicast Route Table
'a/b/c' denotes ftag/switch-id/subswitch-id
'[x/y]' denotes [admin distance/metric]
ftag 0 is local ftag
subswitch-id 0 is default subswitch-id

FabricPath Unicast Route Table for Topology-Default

0/2/0, number of next-hops: 0
via ---- , [60/0], 0 day/s 00:28:18, local
Note The FabricPath routing table does not list any remote switches until at least one FabricPath
VLAN has been configured.
Step 13 Convert VLAN 10 to a FabricPath VLAN.

N7010-V(config)# no spanning-tree bridge assurance
N7010-V(config)# vlan 10
N7010-V(config-vlan)# mode fabricpath
N7010-V(config-vlan)# end
Note FabricPath (FP) VLANs do not perform traditional data plane MAC address learning.
Instead, FabricPath VLANs use conversational MAC address learning. An interface only
learns MAC addresses that are actively speaking to it. With NX-OS release 5.1 and the F-
series module you can also implement conversational MAC address learning on non-
FabricPath VLANs (CE, or Classical Ethernet VLANs).
Step 14 Display the FabricPath routing table. You should now see routes to the switch ID of
your neighboring VDCs. The FabricPath control plane has been established.

N7010-V# show fabricpath route

FabricPath Unicast Route Table
'a/b/c' denotes ftag/switch-id/subswitch-id
'[x/y]' denotes [admin distance/metric]
ftag 0 is local ftag
subswitch-id 0 is default subswitch-id

FabricPath Unicast Route Table for Topology-Default

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
via ---- , [60/0], 0 day/s 00:34:45, local
via Eth2/1, [115/400], 0 day/s 00:01:06, isis_fabricpath-default
via Eth2/2, [115/400], 0 day/s 00:01:16, isis_fabricpath-default

Step 15 Display the MAC address table for VLAN 10. There should be no Lab PC MAC
addresses learned, as there has been no conversational traffic as of yet.
Note You may see core infrastructure switches in the MAC address table. Ignore these. We are
only interested in the Lab PC MAC addresses, which begin with 0800.
N7010-V# show mac address-table vlan 10

Legend:
---------+-----------------+--------+---------+------+----+------------------
* 10 2037.069a.7110 dynamic 30 F F Eth2/13
10 64d9.89c0.3f10 dynamic 90 F F 3.0.14
10 64d9.89c0.4310 dynamic 90 F F 4.0.16

Step 16 From the Command Prompt of your Lab PC ping the IP addresses of your peer
VDCs Lab PCs. This will populate the MAC address table. You will also see the
switch IDs listed in the MAC address table. Use the chart below to identify the
correct IP addresses to ping.
VDC Number Lab PC NIC2 IP address
VDC 2 172.16.10.121
VDC 3 172.16.10.131
VDC 4 172.16.10.141
Step 17 Display the MAC address table for VLAN 10. There should now be MAC addresses
along with switch IDs for the Lab PCs.

N7010-V# show mac address-table

Legend:
---------+-----------------+--------+---------+------+----+------------------
10 0800.2730.2449 dynamic 30 F F 3.0.14
10 0800.27a0.fb60 dynamic 30 F F 4.0.16
* 10 0800.27e4.a4f0 dynamic 30 F F Eth2/13
* 10 2037.069a.7110 dynamic 0 F F Eth2/13
10 64d9.89c0.3f10 dynamic 270 F F 3.0.14
10 64d9.89c0.4310 dynamic 270 F F 4.0.16

Step 18 View the current Spanning-Tree configuration. Is Spanning-Tree running inside
your FabricPath network (between your VDCs)?

N7010-V# show spanning-tree

VLAN0010
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Address c84c.75fa.6000

Address c84c.75fa.6000

---------------- ---- --- --------- -------- --------------------------------


Done


[########################################] 100%
You have implemented Cisco FabricPath on your Cisco Nexus 7000 VDC for VLAN 10.
You have verified IP connectivity between your Lab PCs in VLAN 10 across the
FabricPath network.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 9: Accessing Remote Labs: Nexus 5000
The purpose of this lab is to introduce you to the Global Knowledge Remote Lab Environment
used for this class.
Each pod will have access to a single Cisco Nexus 5000 switch. Each pod consists of two
people. Each pod will also have a Cisco Nexus 2000 Fabric Extender. Additionally, you will
have two servers connected into your Nexus 5000 and Nexus 2000. You will also have a
Windows Lab PC used to remotely connect via SSH to the mgmt0 interface of your Nexus
5000. Your Nexus 5000 will have a basic configuration on it when you login.
There is also a pair of Cisco MDS Fibre Channel switches shared across multiple devices for
SAN connectivity.
In the physical lab topology there will also be several other switches to interconnect the Nexus
5000s, the servers, and the Lab PC desktops. You will not configure these other switches.
This lab will demonstrate how to access the various pieces of equipment, what features are
available, and how they are connected in the topology.
Estimated Completion Time
30 minutes
Activity Objective
In this activity, you will access the Remote Labs system and familiarize yourself with the
interface and the devices. After completing this activity, you will be able to meet these
objectives:
Log in to Remote Labs
Become familiar with the lab topology and access all devices
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Visual Objective
This figure portrays the Nexus 5000 lab topology you will be accessing. Each pod (team of two
students) will have a dedicated Nexus 5000 and 2000, as well as a Lab PC. Your pod number
may vary from those depicted in the visual objective.

Activity Procedure
Note The Global Knowledge Remote Labs environment is accessed via a web browser. Each pod
will have a unique login, which will grant access to equipment assigned to your pod,
including a Lab PC desktop system to work from. The tasks in the lab guide can all be
completed using the Lab PC desktop.
Step 1 Examine the lab topology diagram in the visual objective to familiarize yourself
with the environment before we login.
Step 2 Your instructor will provide the credentials necessary to log in to Remote Labs.
Write them down here for your reference:

Pod Number: __________________________________________________

User name: ____________________________________________________

Password: _____________________________________________________

Note When troubleshooting with your instructor, either verbally or via email, you will need to
provide the instructor with your pod number.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 3 From the PC provided to you in the classroom (or your own computer), launch
Internet Explorer. Navigate to the following URL: http://www.remotelabs.com. You
can access Remote Labs from the classroom, and additionally from home via the
same steps outlined in this lab.
Step 4 You should see a Remote Labs login screen similar to the provided screenshot:

Step 5 Log in using the credentials provided to you by your instructor. Accept the terms
and conditions by clicking the I Accept button.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 You should see the Live Labs start page when you have successfully logged in.

Step 7 In the upper left-hand side of the Live Labs page there is a countdown timer. This
timer indicates the amount time remaining in your lab reservation and will provide
ample time to complete the labs. Review the time you have left in your pod for the
week.

Step 8 Look at the options in the left-hand pane below the countdown timer. In the coming
steps we will select a Graphical Firewall option to use to access the labs, either
RDP or Tarantella. Under the Pod Links you can view information about your pod
and its initial setup. DO NOT use the Reset To link.
Step 9 The PC-Console link is how you will connect to the Lab Topology.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 The System Menu allows you to get help and log off of the Remote Labs
environment.

Step 11 Now you will connect to the Lab Topology. First, we must select a Graphical
Firewall option. RDP (Remote Desktop Protocol) is the preferred and simpler
access method.
Step 12 If you are at a site that blocks RDP connections, you may use the Tarantella Java-
based option.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 13 Click the Graphical drop-down menu under the Firewall pane and select RDP 443
(or Tarantella if RDP is not available at your site).

Step 14 Click OK and close any dialog boxes that open once setup has completed. Tarantella
connections may take several seconds for setup to complete.
Step 15 Click the PC-Console link.
This will open up an RDP session (or a Tarantella session) to the Remote Labs
equipment, landing you on the Lab Topology page. Click Open to launch the RDP
session, and trust connections to the server.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Note Both students in a single team can login to the PC-Console at the same time. One student
can type the commands for a given lab, while the other student shadows.
Step 16 When prompted, enter the user name and password provided by your instructor, and
click OK.
Step 17 Once the Remote Desktop window opens, you will see the Remote Lab Panel, with
the Lab Topology tab open. You should see a picture of the Remote Labs topology.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 18 There are several clickable icons in the Lab Topology. This is how you will access
your lab devices. Clicking an icon will open a new tab.

Step 19 Next, you will connect to your pods Lab PC. Do this by clicking on the computer
icon labeled PC. This will open a new tab connected to a Windows system with a
number of applications on the desktop.
Step 20 You will use Putty to remotely connect to the management interface (mgmt0) of
your Nexus 5000.
Step 21 Open the Putty application on the desktop and start an SSH session to the
management IP address of your assigned Cisco Nexus 5000 using the following
information, where P is your assigned pod number.
Mgmt0 IP Address Username Password
192.168.P.1 admin NXos12345
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 22 Click Yes to acknowledge the Putty security alert to add the host key to the cache.

Step 23 Log in to your Nexus 5000. The host name of the device should be N5010-P, where
P is your assigned pod number. Your switch should have a basic configuration
loaded that includes the host name, management IP settings, and admin user settings.
If the base configuration is missing notify your instructor before you move on.
Note Both students can configure simultaneously if one student connects via the console by
clicking on the Nexus 5000 in the topology diagram, and the other connected via the Lab PC
using Putty.
Note Per the lab topology page, your pod is interconnected with another pod. In later labs you will
team with the other pod for advanced configurations, such as vPC. Review the lab topology
page to determine how your pods are interconnected.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 10: System and Hardware Platform
Management
Complete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this activity, you will become familiar with the Cisco Nexus 5010 hardware platform. After
completing this activity, you will be able to meet these objectives:
Configure additional roles and assign them to new users
Investigate the hardware components of the Cisco Nexus 5010 switch and validate system
parameters
Configure trunk interfaces and verify default spanning-tree configuration
Visual Objective

Required Resources
One Nexus 5000 switch
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command
clock set
dir bootflash:
ethanalyzer local interface mgmt brief limit-captured-frames 20
install all
no switchport
rate-mode dedicated
reload
show clock
show cdp neighbors
show environment
show install all impact
show inventory
show interface brief
show interface transceiver
show redundancy status
show spanning-tree
show spanning-tree detail
show system resources
show version
switchport
write erase
Rule
User-account

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure Additional Administrative Access
There are three default roles in the default NX-OS configuration:
network-admin: Predefined network admin role has access to all commands on the switch.
network-operator: Predefined network operator has access to all read commands on the
switch.
vdc-admin: Predefined vdc admin role has access to all commands within a VDC instance.
Activity Procedure
Complete the following steps to configure additional roles with privileges to the Nexus 5010
NX-OS:
Step 1 Define a new user role named access-admin with a rule to limit the permissions to
read-write access only for interfaces Ethernet 1/1-19.

N5010-P# configure
N5010-Pconfig)# role name access-admin

N5010-P(config-role)# interface policy deny
N5010-P(config-role-interface)# permit interface ethernet 1/1-19
N5010-P(config-role-interface)# exit

N5010-P (config-role)# rule 1 permit read-write
N5010-P (config-role)# exit

Step 2 Define another role called limited-access with a rule that allows read only access.

N5010-P(config)# role name limited-access
N5010-P(config-role)# rule 1 permit read
N5010-P(config-role)# exit

Step 3 Define a user with the access-admin role.

N5010-P(config)# username johnnie password John1234 role access-admin

Step 4 Define a user with the limited-access role.

N5010-P(config)# username zaphod password Beeble1234 role limited-access
N5010-P(config)# exit

Step 5 Verify the user database.

N5010-P# show user-account

user:admin
this user account has no expiry date
roles:network-admin
user:johnnie
roles:access-admin
user:zaphod
roles:limited-access

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 Test the user configuration for access-admin role by logging out as the admin user
and logging in as user johnnie.
After you type exit, you will need to open another Putty session to the same mgmt0
IP address, 192.168.P.1, and login as the different user.

N5010-P# exit

N5010-P login: johnnie
Password: John1234

N5010-P# configure
N5010-P(config)# interface ethernet 1/1
N5010-P(config-if)# interface ethernet 1/20
% Interface permission denied
Note The user johnnie is denied permission to the 20
th
port, but can configure the other 19 on-
board ports, as we defined in the access-admin role.
Step 7 Test the user configuration for limited-access role by logging out as the johnnie user
and logging in as user zaphod.
IP address, 192.168.P.1, and login as a different user.

N5010-P(config-if)# end
N5010-P# exit

N5010-P login: zaphod
Password: Beeble1234

Step 8 View the configured user-accounts again. This command should succeed as this is a
show command and the user zaphod has limited access

N5010-P# show user-account

user:admin
roles:network-admin
user:johnnie
roles:access-admin
user:zaphod
roles:limited-access

Step 9 Next, try a non-read command to test zaphods rights. Attempt to clear the counters
on interface ethernet 1/1.

N5010-P# clear counters interface ethernet 1/1
% Permission denied

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 Next, note what commands a read-only user is denied from using. Enter
configuration mode and type ? to see possible commands. Verify the read-only
user does not have rights to any configuration commands.

N5010-P# configure
N5010-P(config)# ?
end Go to exec mode
exit Exit from the command interpreter

Step 11 Logout of the zaphod account and login with the admin account again to complete
the lab.
IP address, 192.168.P.1, and login as a different user.

N5010-P(config)# end
N5010-P# exit

N5010-P login: admin
Password: NXos12345

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Validate Cisco Nexus 5010 Hardware Resources
During this exercise you will investigate the hardware components of your Cisco Nexus 5010
switch.
Activity Procedure
Step 1 Inspect the inventory and module configuration of your Nexus 5010.

N5010-P# show inventory

NAME: "Chassis", DESCR: "Nexus5010 Chassis"
PID: N5K-C5010P-BF , VID: V03 , SN: SSI15100C7V

NAME: "Module 1", DESCR: "20x10GE/Supervisor"
PID: N5K-C5010P-BF , VID: V03 , SN: JAF1520CDQA

NAME: "Module 2", DESCR: "8x1/2/4G FC Module"
PID: N5K-M1008 , VID: V01 , SN: FOC15160882

NAME: "Fan 1", DESCR: "Chassis fan module"
PID: N5K-C5010-FAN , VID: N/A , SN: N/A

NAME: "Fan 2", DESCR: "Chassis fan module"

NAME: "Power supply 1", DESCR: "AC power supply"
PID: N5K-PAC-550W , VID: V02 , SN: DTM14510027

NAME: "Power supply 2", DESCR: "AC power supply"
PID: N5K-PAC-550W , VID: V02 , SN: DTM14510028

N5010-P# show module

Mod Ports Module-Type Model Status
--- ----- ---------------------------- ---------------------- ------
1 20 20x10GE/Supervisor N5K-C5010P-BF-SUP active *
2 8 8x1/2/4G FC Module N5K-M1008 ok

Mod Sw Hw World-Wide-Name(s) (WWN)
--- -------------- ------ ----------------------------------------
1 5.0(3)N1(1b) 1.2 --
2 5.0(3)N1(1b) 1.0 29:8c:b7:24:72:15:af:00 to
00:00:00:5c:72:15:af:64

Mod MAC-Address(es) Serial-Num
--- -------------------------------------- ----------
1 0005.73ee.8c88 to 0005.73ee.8caf JAF1520CDQA
2 0005.73ee.8cb0 to 0005.73ee.8cb7 FOC15160882

How many power supplies are present in your Cisco Nexus 5010 Switch?
_________________________________________________________________________
How many fan modules are present?
_________________________________________________________________________
How many total ports are there within your Cisco Nexus 5010 Switch?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Are they are all Ethernet interfaces?
_________________________________________________________________________
Step 2 View the redundancy status of your Cisco Nexus 5010 switch.

N5010-P# show redundancy status

Redundancy information not available for this platform

System start time: Tue Sep 6 18:10:18 2011

System uptime: 1 days, 21 hours, 5 minutes, 37 seconds
Kernel uptime: 1 days, 21 hours, 9 minutes, 10 seconds
Active supervisor uptime: 1 days, 21 hours, 5 minutes, 37 seconds

Step 3 View the environmental parameters for your Cisco Nexus 5010 switch.

N5010-P# show environment

Fan:
------------------------------------------------------
Fan Model Hw Status
------------------------------------------------------
Chassis-1 N5K-C5010-FAN -- ok
Chassis-2 N5K-C5010-FAN -- ok
PS-1 N5K-PAC-1200W -- ok
PS-2 N5K-PAC-1200W -- ok

Temperature
-----------------------------------------------------------------
Module Sensor MajorThresh MinorThres CurTemp Status
(Celsius) (Celsius) (Celsius)
-----------------------------------------------------------------
1 Outlet-1 60 50 34 ok
1 Outlet-2 60 50 36 ok
1 Outlet-3 60 50 30 ok
1 Outlet-4 60 50 33 ok
1 Intake-1 50 40 24 ok
1 Intake-2 50 40 24 ok
1 Intake-3 50 40 24 ok
1 Intake-4 50 40 25 ok
1 PS-1 60 50 28 ok
1 PS-2 60 50 28 ok
2 Outlet-1 60 50 30 ok

Power Supply:
Voltage: 12 Volts
-----------------------------------------------------
PS Model Power Power Status
(Watts) (Amp)
-----------------------------------------------------
1 N5K-PAC-550W 544.56 45.38 ok
2 N5K-PAC-550W 544.56 45.38 ok

Mod Model Power Power Power Power Status
Requested Requested Allocated Allocated
(Watts) (Amp) (Watts) (Amp)
--------------- -------- -------- --------- -------- -----
1 N5K-C5010P-BF-SUP 349.20 29.10 349.20 29.10 powered-up
2 N5K-M1008 9.96 0.83 9.96 0.83 powered-up

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Power Usage Summary:
--------------------
Power Supply redundancy mode: redundant

Total Power Capacity 1089.12W

Power reserved for Supervisor(s) 349.20W
Power currently used by Modules 9.96 W

-------------
Total Power Available 729.96W
-------------

What is the current power supply redundancy mode?
_________________________________________________________________________
Note You cannot change the power supply redundancy mode on the Nexus 5000 platform. The
power supplies operate in N+1 redundancy mode.
How much power is allocated for the expansion module?
_________________________________________________________________________
How many distributed temperature sensors are present in the Cisco Nexus 5010 chassis?
_________________________________________________________________________
Step 4 View the system resource utilization on your Cisco Nexus 5010 switch.

N5010-P# show system resources

Load average: 1 minute: 0.01 5 minutes: 0.27 15 minutes: 0.36
Processes : 246 total, 1 running
CPU states : 1.0% user, 11.9% kernel, 87.1% idle
Memory usage: 2073408K total, 1184200K used, 889208K free

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 3: Configure Cisco Nexus 5010 Interfaces and Layer 2
Protocols
During this exercise you will configure the interfaces within your Cisco Nexus 5010 switch to
communicate with the core Cisco Nexus 5010 switch, as well as the other pods Nexus 5010 in
your topology. You will also validate the topology of your pod, verify the proper operation of
STP, and view control plane packets using Ethanalyzer.
Activity Procedure
Step 1 From within your Cisco Nexus 5010 switch, view the interface parameters. The
active interfaces will depend on your pod number please refer to your lab topology
diagram.
For example, if you are on an odd pod, you will see interfaces Ethernet 1/2 and
Ethernet 1/3 up, whereas if you are on an even pod, you will see interfaces Ethernet
1/4 and Ethernet 1/5 up.

N5010-P# show interface brief

------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/1 1 eth access up none 10G(D) --
Eth1/4 1 eth access down SFP not inserted 10G(D) --

------------------------------------------------------------------------------
------------------------------------------------------------------------------
mgmt0 -- up 192.168.P.1 1000 1500

In which mode do the Ethernet interfaces operate on this Nexus 5010?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 View the transceivers that are currently installed in your Cisco Nexus 5010 switch.
The position of the installed transceivers depends on your pod number please refer
to your lab topology diagram.

N5010-P# show interface transceiver

Ethernet1/1
type is 10Gbase-SR
name is CISCO-AVAGO
part number is SFBR-7702SDZ
revision is G2.3
serial number is AGD14166AXV
Link length supported for 50/125um fiber is 80 m
Link length supported for 50/125um fiber is 300 m
Link length supported for 62.5/125um fiber is 20 m
cisco id is --

Ethernet1/2
type is SFP-H10GB-CU5M
name is CISCO-MOLEX
part number is 74752-9047
revision is 07
serial number is MOC14435297
cisco id is --

Ethernet1/3
name is CISCO-TYCO
revision is K
serial number is TED1420C77V
cisco id is --

Ethernet1/4

Ethernet1/5

Ethernet1/6

Ethernet1/7
name is CISCO-TYCO
revision is K
serial number is TED1422C1S1
cisco id is --

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Ethernet1/8
name is CISCO-TYCO
revision is K
serial number is TED1420C6XR
cisco id is --

Ethernet1/9
name is CISCO-TYCO
revision is K
serial number is TED1420C77Y
cisco id is --

Ethernet1/10
name is CISCO-TYCO
revision is K
serial number is TED1422C1T2
cisco id is --

Ethernet1/11

Ethernet1/12

[output omitted]

Which ports currently have transceivers installed?
________________________________________________________________________
Are all of the transceivers the same type?
_________________________________________________________________________
Step 6 Try to configure an interface on your Cisco Nexus 5010 switch to operate as Layer 3
interface.

N5010-P# configure
N5010-P(config-if-range)# no switchport
Error: command not supported on this platform

Why wont the Cisco Nexus 5010 Switch execute the no switchport command?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 7 Configure interfaces ethernet 1/7-10 for trunk mode operation and validate their
configuration.

N5010-P(config-if-range)# interface ethernet 1/7-10
N5010-P(config-if-range)# switchport mode trunk
N5010-P(config-if-range)# no shut
N5010-P(config-if-range)# end
Note Interfaces ethernet 1/7 and 1/8 connect to the core, and interfaces ethernet 1/9 and 1/10
connect to the other pods Nexus 5010 in your lab topology.
Step 8 Wait for the other pod in your lab topology to complete the previous step before
validating that all of the active interfaces within your Cisco Nexus 5010 switch are
in the up state.

N5010-P# show interface ethernet 1/7-10 brief

---------------------------------------------------------------------
Interface Ch #
---------------------------------------------------------------------
Eth1/7 1 eth trunk up none 10G(D) --

Step 9 View your directly connected neighbors using Cisco Discovery Protocol (CDP).
Your output may vary depending on your pod number.

N5010-P# show cdp neighbor

Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-
Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
V - VoIP-Phone, D - Remotely-Managed-Device,
s - Supports-STP-Dispute

Device-ID Local Intrfce Hldtme Capability Platform Port ID

N5K-Breakout-2 mgmt0 170 R S I WS-C3750G-24T Gig1/0/13
N5K-Core2-A(SSI14420B8P)Eth1/7 138 S I s N5K-C5010P-BF Eth1/13
N5010-10(SSI150408WJ) Eth1/9 138 S I s N5K-C5010P-BF Eth1/9
N5010-10(SSI150408WJ) Eth1/10 138 S I s N5K-C5010P-BF Eth1/10

Does this match the topology diagram for your pod shown in the lab topology?
_________________________________________________________________________
Step 10 View the current spanning tree topology from your Cisco Nexus 5010 switch. Your
output may vary depending on your pod number.

N5010-P# show spanning-tree brief

VLAN0001
Address 0005.73ed.fa3c
Cost 2
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Address 0005.73ee.8cbc

---------------- ---- --- --------- -------- ------------------------

Which version of STP is running on your Cisco Nexus 5010 switch by default?
_________________________________________________________________________
What are the forwarding states of the ports and why?
_________________________________________________________________________
Step 11 View the control plane traffic within your Nexus 5010 switch using the built-in
Ethanalyzer packet capture tool. Capture and view a brief description of 20 control
plane packets received.

N5010-P# ethanalyzer local interface mgmt limit-captured-frames 20

Capturing on eth0
2011-09-08 13:44:44.419137 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:44.574829 d0:57:4c:75:ee:91 -> d0:57:4c:75:ee:91 LOOP Reply
2011-09-08 13:44:46.340859 00:05:73:ee:8c:80 -> 01:80:c2:00:00:0e LLDP Chassis
I
d = 00:05:73:ee:8c:80 Port Id = mgmt0 TTL = 120
2011-09-08 13:44:46.423038 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:48.426974 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:50.430909 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:52.434849 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:54.442881 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:56.446816 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:44:58.450751 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:00.454686 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:02.458622 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:04.466652 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:06.470590 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:08.474523 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:10.478461 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:12.482395 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
2011-09-08 13:45:14.486328 d0:57:4c:75:ee:91 -> 01:80:c2:00:00:00 STP Conf.
Root
= 32885/d0:57:4c:75:ee:80 Cost = 0 Port = 0x8011
20 packets captured
Program exited with status 0.
(output may vary)

What type of control packets do you see within your Cisco Nexus 5010 switch?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 11: Configure the Nexus 2000 Fabric
Extender
Activity Objective
In this activity, you will learn how to configure a Nexus 2000 through your Nexus 5000. In this
lab, you will:
Become familiar with and configure the Cisco Nexus 2000 Fabric Extender using the Cisco
Nexus 5010 switch
Create uplink pinnings between the Cisco Nexus 2000 front panel interfaces and Cisco
Nexus 5010 switch uplinks
Validate connectivity and configuration parameters between the Cisco Nexus 2000 and
Cisco Nexus 5010 switch
Visual Objective
NEXUS 5000
NEXUS 2000
MyFEX110
interface
port-channel
110
mode fex-fabric

Required Resources
One Cisco Nexus 5000 chassis
One Cisco Nexus 2000 Fabric Extender (FEX)
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command
channel-group 110
description FEX0110
fex associate 110
fex 110
interface port-channel 110
no fex associate
no shut
pinning max-links 2
reload fex 110
show fex detail
show interface ethernet 1/X fex-intf
show interface fex-fabric
show interface port-channel 110 fex-intf
show version
spanning-tree port type edge trunk
switchport mode fex-fabric
Job Aids
Lab connections
Lab IP address plan

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure the Cisco Nexus 2000 Fabric Extender using
Static Pinning Mode
During this exercise you will log in to your pods Cisco Nexus 5010 switch and configure the
Cisco Nexus 2000 uplinks and server interface pinnings. You will also validate connectivity
between the Cisco Nexus 2000 and Nexus 5010.
You have two uplinks from your FEX to your Nexus 5000. In this Task, we will configure
static pinning across both uplinks, so that half of the FEX ports will be pinned to the first
uplink, and the second half of the FEX ports will be pinned to the second uplink.
Activity Procedure
Step 2 View the state of the Cisco Nexus 5010 interfaces. Compare the active interfaces to
the ones shown in the Lab Topology diagram.
Your output may differ depending if you are on an odd or even pod. Output for an
odd pod is shown.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------

------------------------------------------------------------------------------
------------------------------------------------------------------------------
mgmt0 -- up 192.168.P.1 1000 1500

Do the interfaces shown in the output match what is shown in your topology diagram?
_________________________________________________________________________
Step 3 Issue a show cdp neighbor command. Do you see a Fabric Extender (Nexus 2000)
connected?

N5010-P# show cdp neighbors

Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
V - VoIP-Phone, D - Remotely-Managed-Device,
s - Supports-STP-Dispute

Device-ID Local Intrfce Hldtme Capability Platform Port ID

N5K-Breakout-2 mgmt0 168 R S I WS-C3750G-24T Gig1/0/13
N5010-P(SSI150408WJ) Eth1/9 164 S I s N5K-C5010P-BF Eth1/9
N5010-P(SSI150408WJ) Eth1/10 164 S I s N5K-C5010P-BF Eth1/10

Step 4 Issue a show fex command to view any Fabric Extenders connected to the Nexus
5000. What is the result?

N5010-P# show fex
^
% Invalid command at '^' marker.

Step 5 The FEX feature must be enabled before the Nexus 5000 can use the relevant FEX
configuration commands. Enabling a feature essentially starts the processes required
in NX-OS to use the feature. Enable the FEX feature.

N5010-P# configure
N5010-P(config)# feature fex

Step 6 Which interfaces connect to the Cisco Nexus 2000 Fabric Extender? To find the
answer to this question, issue a show fex command again. You should now see
information about any connected FEXs.

N5010-P(config)# show fex

FEX FEX FEX FEX
Number Description State Model Serial
------------------------------------------------------------------------
--- -------- Discovered N2K-C2248TP-1GE JAF1519ACGN

Note Note that the FEX is in the discovered state and is not yet configured. If you try to issue a
show fex detail command you will not receive any output. We must first configure the FEX
through the Nexus 5000.
Step 7 Cisco NX-OS Software Release 4.1(3)N1(1) or later is required to support Fabric
Extenders on the Nexus 5000 platform. Confirm your Nexus 5010 is currently
running at this version or later.

N5010-P# show version

Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
BIOS: version 1.3.0
loader: version N/A
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
kickstart: version 5.0(3)N1(1b)
system: version 5.0(3)N1(1b)
power-seq: Module 1: version v1.2
BIOS compile time: 09/08/09
kickstart image file is: bootflash:/n5000-uk9-
kickstart.5.0.3.N1.1b.bin
kickstart compile time: 4/3/2011 22:00:00 [04/04/2011 06:06:31]
system image file is: bootflash:/n5000-uk9.5.0.3.N1.1b.bin
system compile time: 4/3/2011 22:00:00 [04/04/2011 13:20:24]

Hardware
cisco Nexus5010 Chassis ("20x10GE/Supervisor")
Intel(R) Celeron(R) M CPU with 2073408 kB of memory.
Processor Board ID JAF1520CDQA

Device name: N5010-17
bootflash: 1003520 kB

Kernel uptime is 1 day(s), 23 hour(s), 53 minute(s), 52 second(s)

Last reset
Reason: Unknown
System version: 5.0(3)N1(1b)
Service:

plugin
Core Plugin, Ethernet Plugin

Is the Cisco Nexus 5010 running at least Cisco NX-OS Software Release 4.1(3)N1(1)?
_________________________________________________________________________
Step 8 Create a FEX instance identified by a number from 100 to 199, which we will later
associate with the connected FEX. Also specify how many FEX uplinks will be
connected to the Nexus 5010.
Note We are configuring static pinning to two ports initially, which will automatically statically pin
the first 24 server-facing FEX ports to one uplink, and pin the last 24 server-facing FEX ports
to the second uplink. Later, we will configure a Port Channel uplink configuration so traffic
can be load balanced across the uplinks.
N5010-P(config)# fex 110
N5010-P(config-fex)# description MyFEX110
N5010-P(config-fex)# pinning max-links 2
Change in Max-links will cause traffic disruption.

Step 9 Use your topology diagram to determine which interfaces your FEX uplinks connect
to on your Nexus 5000. Put these ports into the new switchport mode, fex-fabric
and associate your FEX instance to the ports.
Odd pods should have the FEX connected to interfaces ethernet 1/2 and 1/3, and
even pods should have a FEX connected to interfaces ethernet 1/4 and 1/5. Replace
X and Y below with your FEX interfaces.

N5010-P(config-fex)# interface ethernet1/X-Y (refer to topology)
N5010-P(config-if-range)# switchport mode fex-fabric
N5010-P(config-if-range)# fex associate 110

N5010-P(config-if-range)# 2011 Nov 10 09:18:35 N5010-P %$ VDC-1 %$ %SATCTRL-
FEX110-2-SATCTRL: FEX-1
10 Module 1: Cold boot
2011 Nov 13 10:53:46 N5010-P %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 110 is online
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
2011 Nov 13 10:53:46 N5010-P %$ VDC-1 %$ %NOHMS-2-NOHMS_ENV_FEX_ONLINE: FEX-
110 On-line
2011 Nov 13 10:53:48 N5010-P %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 110 is online

N5010-P(config-if-range)# end

Step 10 Issue the show fex command again to verify your FEX shows in the Online state
once it has completed booting. If the FEX is still in the boot process, you will see
FEX state Online sequence.

N5010-P# show fex

FEX FEX FEX FEX
Number Description State Model Serial
------------------------------------------------------------------------
110 MyFEX110 Online N2K-C2248TP-1GE JAF1519ACGN

Step 11 Examine the current spanning tree state. What has changed?

N5010-P# show spanning-tree brief

VLAN0001
Cost 2

Address 0005.73ef.4bbc

---------------- ---- --- --------- -------- --------------------------------
Eth110/1/1 Desg FWD 4 128.2305 Edge P2p
Note The interfaces attaching the Nexus 5010 to the FEX no longer appear in the spanning-tree
topology. Spanning-tree does not run between the Nexus 5010 and the FEX.
Note You should see two active FEX server interfaces labeled 110/1/1 and 110/1/2. Their port
types are spanning-tree Edge P2p. The spanning-tree edge port feature is also known as
PortFast. However, NX-OS does not support the spanning-tree portfast command.
Note PortFast and BPDU Guard are enabled by default on FEX interfaces and they cannot be
disabled. Therefore, you should never connect switches to a FEX, only servers.
Step 12 View the FEX running parameters.

N5010-P# show fex detail

FEX: 110 Description: MyFEX110 state: Online
FEX version: 5.0(3)N1(1b) [Switch version: 5.0(3)N1(1b)]
FEX Interim version: 5.0(3)N1(1b)
Switch Interim version: 5.0(3)N1(1b)
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Extender Model: N2K-C2248TP-1GE, Extender Serial: JAF1519ACGN
Part No: 73-13232-01
Card Id: 99, Mac Addr: e8:b7:48:a2:e1:42, Num Macs: 64
Module Sw Gen: 12594 [Switch Sw Gen: 21]
post level: complete
pinning-mode: static Max-links: 2
Fabric port for control traffic: Eth1/2
Fabric interface state:
Eth1/2 - Interface Up. State: Active
Fex Port State Fabric Port
Eth110/1/1 Up Eth1/2
Eth110/1/2 Up Eth1/2
Eth110/1/3 Down Eth1/2
Logs:
11/13/2011 10:53:40.698625: Module register received
11/13/2011 10:53:40.700681: Registration response sent
11/13/2011 10:53:40.908031: Module Online Sequence
11/13/2011 10:53:46.342926: Module Online

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note It may take 3-5 minutes for the Fabric Extender to fully download software and register with
the Nexus 5010. You will not be able to view the show command output until the FEX has
been fully configured by the Nexus 5010.
What is the maximum number of uplinks currently configured?
_________________________________________________________________________
Step 13 Display all the interfaces on the Nexus 5000 currently in fex-fabric mode, and
observe the FEX information associated to them.
Output is shown below for both an odd and an even pod.

ODD POD OUTPUT:

N5010-ODD# show interface fex-fabric

Fabric Fabric Fex FEX
Fex Port Port State Uplink Model Serial
---------------------------------------------------------------
110 Eth1/2 Active 1 N2K-C2248TP-1GE JAF1519ACGN
110 Eth1/3 Active 2 N2K-C2248TP-1GE JAF1519ACGN

EVEN POD OUTPUT:

N5010-EVEN# show interface fex-fabric

---------------------------------------------------------------
110 Eth1/4 Active 3 N2K-C2248TP-1GE JAF1519ADAT
110 Eth1/5 Active 4 N2K-C2248TP-1GE JAF1519ADAT

Note The Fex Uplink column shows you the uplink interface number on the FEX side of the link
(out of four possible on the FEX model shown), while the Fabric Port column shows the
interface number on the Nexus 5000 side of the link.
Step 14 Display the pinning of the FEX server-facing ports to the uplinks connected to the
Nexus 5000. Pick the first interface connected to your FEX from the lab topology.
This should be interface ethernet 1/2 for odd pods, and interface ethernet 1/4 for
even pods. Replace X below with your appropriate FEX uplink interface.

N5010-P# show interface ethernet 1/X fex-intf

Fabric FEX
Interface Interfaces
---------------------------------------------------
Eth1/X Eth110/1/1 Eth110/1/2 Eth110/1/3 Eth110/1/4
Eth110/1/5 Eth110/1/6 Eth110/1/7 Eth110/1/8
Eth110/1/9 Eth110/1/10 Eth110/1/11 Eth110/1/12
Eth110/1/13 Eth110/1/14 Eth110/1/15 Eth110/1/16
Eth110/1/17 Eth110/1/18 Eth110/1/19 Eth110/1/20
Eth110/1/21 Eth110/1/22 Eth110/1/23 Eth110/1/24

Which Fabric Extender server-facing interfaces (110/1/1-48) are assigned to your first
uplink interface?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

Step 15 Display the pinning of the FEX server-facing ports to the uplinks connected to the
Nexus 5000. Pick the first interface connected to your FEX from the lab topology.
This should be interface ethernet 1/3 for odd pods, and interface ethernet 1/5 for
even pods. Replace X below with your appropriate FEX uplink interface.

N5010-P# show interface ethernet 1/Y fex-intf

Fabric FEX
---------------------------------------------------
Eth1/Y Eth110/1/25 Eth110/1/26 Eth110/1/27 Eth110/1/28
Eth110/1/29 Eth110/1/30 Eth110/1/31 Eth110/1/32
Eth110/1/33 Eth110/1/34 Eth110/1/35 Eth110/1/36
Eth110/1/37 Eth110/1/38 Eth110/1/39 Eth110/1/40
Eth110/1/41 Eth110/1/42 Eth110/1/43 Eth110/1/44
Eth110/1/45 Eth110/1/46 Eth110/1/47 Eth110/1/48

Which Nexus 5000 interface serves as the uplink for FEX interface 110/1/38? Will this
ever change with our current static-pinning configuration?
_________________________________________________________________________
Step 16 While you do configure the FEX independently of the Nexus 5000, you can connect
to the FEX from the Nexus 5000 and issue several show commands, including
viewing hardware details. Explore these options.

N5010-P# attach fex 110

Attaching to FEX 110 ...
To exit type 'exit', to abort type '$.'
fex-110#

Step 17 View the following advanced troubleshooting command to identify ASIC traffic
drops and ASIC configuration of the FEX.

fex-110# show platform software portola sts
Note If the portola keyword doesnt work in the show command, replace it with redwood and try
again.
Note Portola is the name of the port ASICs on the 2200 series Fabric Extenders. Redwood is the
name of the port ASICs on the 2100 series Fabric Extenders.
Step 18 Spend a few moments exploring other options in this mode.
Step 19 Exit the attach fex mode by typing exit or use the $. escape sequence.

fex-110# exit
rlogin: connection closed.
N5010-P#

Step 20 Reload the Fabric Extender and verify the FEX interfaces. Your Nexus 5000 and
FEX uplink interfaces may vary from the output.

N5010-P# reload fex 110
WARNING: This command will reboot FEX 110
Do you want to continue? (y/n) [n] yes
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

N5010-17# 2011 Sep 8 14:43:11 N5010-17 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex
110 is offline
2011 Sep 8 14:43:11 N5010-17 %$ VDC-1 %$ %NOHMS-2-NOHMS_ENV_FEX_OFFLINE: FEX-
110 Off-line (Serial
[output omitted]

N5010-P(config)# show interface fex-fabric

---------------------------------------------------------------
110 Eth1/2 Configured 1 N2K-C2248TP-1GE JAF1519ACGN
110 Eth1/3 Configured 2 N2K-C2248TP-1GE JAF1519ACGN

Has the fabric port state changed on the FEX uplinks connected to the Nexus 5000?
_________________________________________________________________________
How long does it take to complete the reload process of the Fabric Extender?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configure the Cisco Nexus 2000 Fabric Extender using
a PortChannel
During this exercise you will configure static pinning with one uplink a single logical port
channel with two member ports. Using this configuration, all FEX ports will be load balanced
across all interfaces in the uplink PortChannel.
Activity Procedure
Step 1 Enter FEX configuration mode and change the pinning max-links parameter to one.
Note When the max-links parameter is set to 1 this causes all server interface traffic to utilize
only one uplink port, but in this configuration, the FEX sees the port channel as the only
available uplink. The port channel has multiple physical connections and utilizes the port
channel load distribution algorithm when sending traffic between the FEX and Nexus 5000.
N5010-P# configure
N5010-P(config)# fex 110
N5010-P(config-fex)# pinning max-links 1
Change in Max-links will cause traffic disruption.

Step 2 Disassociate the FEX from your Nexus 5000 uplink interfaces. Then, make them
members of a new PortChannel 110, and associate the single logical PortChannel
interfaces as the FEX uplink interface.
Refer to the lab topology diagram for your correct interfaces. Odd pods should use
interfaces 1/2 and 1/3, and even pods should use interfaces 1/4 and 1/5. Replace X
and Y with your interfaces.

N5010-P(config-if)# interface ethernet 1/X-Y
N5010-P(config-if-range)# no fex associate
N5010-P(config-if-range)# channel-group 110

N5010-P(config-if-range)# interface port-channel 110
N5010-P(config-if)# fex associate 110

[output omitted]
2011 Sep 8 15:00:46 N5010-17 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 110 is
online

Step 3 Display the association between the newly created PortChannel and the Fabric
Extender server-facing interfaces. You will only be able to see the port associations
once the FEX has finished registering with the Nexus 5010.
You should now see all of the FEX interfaces pinned to the single logical
PortChannel interface.

N5010-P# show interface port-channel 110 fex-intf

Fabric FEX
---------------------------------------------------
Po110 Eth110/1/1 Eth110/1/2 Eth110/1/3 Eth110/1/4
Eth110/1/5 Eth110/1/6 Eth110/1/7 Eth110/1/8
Eth110/1/17 Eth110/1/18 Eth110/1/19 Eth110/1/20
Eth110/1/21 Eth110/1/22 Eth110/1/23 Eth110/1/24
Eth110/1/25 Eth110/1/26 Eth110/1/27 Eth110/1/28
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Eth110/1/29 Eth110/1/30 Eth110/1/31 Eth110/1/32
Eth110/1/33 Eth110/1/34 Eth110/1/35 Eth110/1/36
Eth110/1/37 Eth110/1/38 Eth110/1/39 Eth110/1/40
Eth110/1/41 Eth110/1/42 Eth110/1/43 Eth110/1/44
Eth110/1/45 Eth110/1/46 Eth110/1/47 Eth110/1/48

Step 4 View the current FEX details, including the fabric interface state with the
PortChannel and bound physical ports.
Also note the Fabric port for control traffic: Eth1/2 (your interface may vary).
One interface will be selected as the interface for control traffic sent between the
Nexus 5000 and the FEX, which is listed in this output.

N5010-P# show fex 110

FEX: 110 Description: MyFEX110 state: Online
FEX version: 5.0(3)N1(1b) [Switch version: 5.0(3)N1(1b)]
Extender Model: N2K-C2248TP-1GE, Extender Serial: JAF1519ACGN
Part No: 73-13232-01
pinning-mode: static Max-links: 1
Fabric port for control traffic: Eth1/3
Fabric interface state:
Po110 - Interface Up. State: Active

Step 5 View the status Fabric Extender server-facing interfaces at the end of the show
interface brief output on the Nexus 5010.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/2 1 eth fabric up none 10G(D) 110

------------------------------------------------------------------------------
Port-channel VLAN Type Mode Status Reason Speed Protocol
Interface
------------------------------------------------------------------------------
Po110 1 eth fabric up none a-10G(D) none

------------------------------------------------------------------------------
------------------------------------------------------------------------------
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
mgmt0 -- up 192.168.P.1 1000 1500

------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth110/1/1 1 eth access up none 1000(D) --
Eth110/1/3 1 eth access down Link not connected auto(D) --

Which Fabric Extender interfaces are in the up state?
_________________________________________________________________________
What is the port speed of the Fabric Extender interfaces?
_________________________________________________________________________
What is the operational mode of the Fabric Extender interfaces?
_________________________________________________________________________
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 View the hardware inventory of the Fabric Extender.

N5010-P# show inventory fex 110

NAME: "FEX 110 CHASSIS", DESCR: "N2K-C2248TP-1GE CHASSIS"
PID: N2K-C2248TP-1GE , VID: V03 , SN: SSI15120AJX

NAME: "FEX 110 Module 1", DESCR: "Fabric Extender Module: 48x1GE, 4x10GE
Supervisor"
PID: N2K-C2248TP-1GE , VID: V03 , SN: JAF1519ACGN

NAME: "FEX 110 Fan 1", DESCR: "Fabric Extender Fan module"

NAME: "FEX 110 Power Supply 1", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W , VID: V02 , SN: LIT15120URR

NAME: "FEX 110 Power Supply 2", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W , VID: V02 , SN: LIT15120US6

Step 7 View the Fabric Extender modules.

N5010-P# show module fex 110

FEX Mod Ports Card Type Model Status.
--- --- ----- ---------------------------------- ------------------ ----------
110 1 48 Fabric Extender 48x1GE + 4x10G Mod N2K-C2248TP-1GE present

FEX Mod Sw Hw World-Wide-Name(s) (WWN)
--- --- -------------- ------ ----------------------------------------------
110 1 5.0(3)N1(1b) 4.1 --

FEX Mod MAC-Address(es) Serial-Num
--- --- -------------------------------------- ----------
110 1 e8b7.48a2.e140 to e8b7.48a2.e16f JAF1519ACGN


N5010-P# copy running-config startup-config
[########################################] 100%

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 12: Configure Cisco vPC
Activity Objective
In this activity, you will become familiar with the Cisco virtual Port Channel (vPC) feature and
how it operates. In this lab, you will:
Configure a vPC between two pods
Examine how vPC behaves in several failure scenarios
Visual Objective

Required Resources
You must perform this lab at the same time as your peer pod
Two Cisco Nexus 5000 chassis
Two Cisco Nexus 2000 chassis
One shared dual-homed server

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure Virtual Port Channel
In this task you will configure vPC with your peer pod. Your peer pod is indicated in the lab
topology diagram.
The vPC configuration will include the following components:
vPC Domain = 1. Both Nexus 5000s must be in the same vPC domain to become vPC
peers.
vPC Peer Link will be PortChannel 90, made up of ports ethernet 1/9 and ethernet 1/10,
which connect the two Nexus 5000s. The vPC Peer Link is used for peer-to-peer control
communication.
vPC peer keepalives will be sent to and from the management interfaces. This should
always be on a separate network from the Peer Link so failures can be accurately detected.
The virtual Port Channel will consist of PortChannel 42 on each Nexus 5000, which will
connect a dual homed server on VLAN 300 on the Nexus 2000s.
Activity Procedure
Step 1 Login to your Cisco Nexus 5010 using Putty SSH on your Lab PC.
Step 2 Verify interfaces ethernet 1/9 and ethernet 1/10 are up and in trunk mode.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------

------------------------------------------------------------------------------
Interface
------------------------------------------------------------------------------

------------------------------------------------------------------------------
------------------------------------------------------------------------------
mgmt0 -- up 192.168.P.1 1000 1500

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth110/1/3 1 eth access down Link not connected auto(D) -

[output omitted]
Note Interfaces e1/9 and e1/10 are connected to you peer Nexus 5010 switch. These interfaces
will later become our vPC peer-links, used to synchronize vPC configuration and state
between peers via CFS (Cisco Fabric Services) protocol.
Step 3 If you view spanning-tree summary information on both Nexus 5010s you should
see that one of the ports connecting the two Nexus is blocking on one side. They are
not in a PortChannel currently, therefore spanning-tree blocks one side to break the
loop.

N5010-P# show spanning-tree

VLAN0001
Cost 4

Address 0005.73ec.fcbc

---------------- ---- --- --------- -------- --------------------------------

Step 4 Ensure that you can ping your peer Nexus 5000 from your management VRF.
Substitute X for your peers pod number in the topology.

N5010-P# ping 192.168.X.1 vrf management

PING 192.168.X.1 (192.168.X.1): 56 data bytes
64 bytes from 192.168.X.1: icmp_seq=0 ttl=253 time=8.217 ms

--- 192.168.X.1 ping statistics ---

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note Unless you explicitly specify a VRF, the pings will be sourced from the default VRF. We do
not have an IP interfaces in the default VRF, which is why we source the ping from the
management VRF, which includes the mgmt0 interface.
Step 5 Enable the vPC feature.

N5010-P# configure
N5010-P(config)# feature vpc

Step 6 Create the PortChannel to be used as the vPC Peer Link for control communication
between your Nexus 5000 and your peer pods Nexus 5000.

N5010-P(config)# interface ethernet 1/9-10
N5010-P(config-if-range)# channel-group 90

N5010-P(config-if-range)# interface port-channel 90
N5010-P(config-if)# description vPC peer link
N5010-P(config-if)# exit

At this point, you should have two active port channels: PortChannel 90 for your
vPC peer-link to the other Nexus 5000, and PortChannel 110 for your Fabric
Extender uplinks from the prior lab.
Verify your PortChannels are active and configured correctly. Your PortChannel
110 FEX interfaces may vary if you depending if you are an odd or an even pod.

N5010-P(config)# show port-channel summary

Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
------------------------------------------------------------------------------
90 Po90(SU) Eth NONE Eth1/9(P) Eth1/10(P)
110 Po110(SU) Eth NONE Eth1/2(P) Eth1/3(P)

Step 7 We are now ready to configure the pair of Nexus 5000s as vPC peers. First, we will
need to create the vPC domain, which has to match on both Nexus 5000s in order to
form a peer relationship.

N5010-P(config)# vpc domain 1

Step 8 Next, identify the peer keepalive destination as the mgmt0 IP address of your peers
Nexus 5000. The vPC peer keepalive link is used to send heartbeats between peers.
Replace X with your peer pods number in the peer-keepalive configuration.

N5010-P(config-vpc-domain)# peer-keepalive destination 192.168.X.1
Note:
--------:: Management VRF will be used as the default VRF ::--------

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 9 To complete the vPC peer configuration, specify PortChannel 90 as the vPC peer-
link to the other Nexus 5000.

N5010-P(config-vpc-domain)# interface port-channel 90
N5010-P(config-if)# vpc peer-link

Please note that spanning tree port type is changed to "network" port type on
vPC peer-link.
This will enable spanning tree Bridge Assurance on vPC peer-link provided the
STP Bridge Assurance(which is enabled by default) is not disabled.
Note There are three spanning tree port types in NX-OS: Edge, Network, and Normal. The
standard port type is Normal.
Note Edge ports connect to hosts, and can either be access or trunk ports. Edge ports have
PortFast enabled, and should not receive BPDUs.
Note Network ports connect to switches or bridges. Network ports have Bridge Assurance
enabled by default. vPC transitions peer-link ports to type Network because these are
switch-to-switch links.
Note Normal ports connect to hosts, switches, or bridges. These ports function as normal
spanning tree ports.
Step 10 Check the status of the vPC peer keepalive. You will need to wait for your peer pod
to finish their peer-link and peer keepalive configuration before you successfully
negotiate as vPC peers.

N5010-P(config)# show vpc peer-keepalive

vPC keep-alive status : peer is alive
--Peer is alive for : (551) seconds, (522) msec
--Send status : Success
--Last send at : 2011.11.13 14:51:24 446 ms
--Sent on interface : mgmt0
--Receive status : Success
--Last receive at : 2011.11.13 14:51:24 445 ms
--Received on interface : mgmt0
--Last update from peer : (0) seconds, (659) msec

vPC Keep-alive parameters
--Destination : 192.168.X.1
--Keepalive interval : 1000 msec
--Keepalive timeout : 5 seconds
--Keepalive hold timeout : 3 seconds
--Keepalive vrf : management
--Keepalive udp port : 3200
--Keepalive tos : 192

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 11 Check that the CFS protocol is running. Cisco Fabric Services is the protocol used
for vPC peers to communicate with one another, as well as for other features like
configuration synchronization.
Also verify the other Nexus 5000 shows up as a CFS peer. P represents your pod
number, and X represents your peer pods number.

N5010-P(config)# show cfs status

Distribution : Enabled
Distribution over IP : Disabled
IPv4 multicast address : 239.255.70.83
IPv6 multicast address : ff15::efff:4653
Distribution over Ethernet : Enabled

N5010-P(config)# show cfs peers

Physical Fabric
-------------------------------------------------------------------------
Switch WWN IP Address
-------------------------------------------------------------------------
20:00:00:05:73:ef:4b:80 192.168.P.1 [Local]
N5010-P
20:00:00:05:73:ec:fc:80 192.168.X.1

Total number of entries = 2

Step 12 Determine which of the two Nexus 5000s has taken on the primary vPC role.

N5010-P(config)# show vpc role

vPC Role status
----------------------------------------------------
vPC role : primary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:01
vPC system-priority : 32667
vPC local system-mac : 00:05:73:ec:fc:bc
vPC local role-priority : 32667
Note By default, the Nexus that joined the vPC domain first is the primary switch, unless role
priorities have been configured. The range of values for role priorities is 1 to 65636, and the
default value is 32667. There is no preemption in vPC.
Note The switch with lower priority will be elected as the vPC primary switch. If the peer link fails,
vPC peer will detect whether the peer switch is alive through the vPC peer keepalive link. If
the vPC primary switch is alive, the vPC secondary switch will suspend its vPC member
ports to prevent potential looping while the vPC primary switch keeps all its vPC member
ports active.
Step 13 Similar to a traditional PortChannel, vPCs have a list of parameters that must be
compatible if a vPC is to be formed within a vPC domain. View the list of
parameters and compare the results between the two peer switches. The consistency
parameters are exchanged via CFSoE (CFS over Ethernet).

N5010-P(config)# show vpc consistency-parameters global

Legend:
Type 1 : vPC will be suspended in case of mismatch

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Name Type Local Value Peer Value
------------- ---- ---------------------- ---------------------
QoS 2 ([], [3], [], [], [], ([], [3], [], [], [],
[]) [])
Network QoS (MTU) 2 (1538, 2240, 0, 0, 0, (1538, 2240, 0, 0, 0,
0) 0)
Network Qos (Pause) 2 (F, T, F, F, F, F) (1538, 2240, 0, 0, 0,
0)
Input Queuing (Bandwidth) 2 (50, 50, 0, 0, 0, 0) (50, 50, 0, 0, 0, 0)
Input Queuing (Absolute 2 (F, F, F, F, F, F) (50, 50, 0, 0, 0, 0)
Priority)
Output Queuing (Bandwidth) 2 (50, 50, 0, 0, 0, 0) (50, 50, 0, 0, 0, 0)
Output Queuing (Absolute 2 (F, F, F, F, F, F) (50, 50, 0, 0, 0, 0)
Priority)
STP Mode 1 Rapid-PVST Rapid-PVST
STP Disabled 1 None None
STP MST Region Name 1 "" ""
STP MST Region Revision 1 0 0
STP MST Region Instance to 1
VLAN Mapping
STP Loopguard 1 Disabled Disabled
STP Bridge Assurance 1 Enabled Enabled
STP Port Type, Edge 1 Normal, Disabled, Normal, Disabled,
BPDUFilter, Edge BPDUGuard Disabled Disabled
STP MST Simulate PVST 1 Enabled Enabled
Allowed VLANs - 1 1
Local suspended VLANs - - -
Note If any of the type 1 parameters in the above display are not identical between the peer
switches, the vPC will fail. Inconsistency of type 2 parameters will not cause the vPC to fail,
but should match as a best practice.
Step 14 View the output of the show vpc command to see a summary of all vPC
configurations so far. From here, you can verify the peer connectivity, consistency
check status, vPC role, and peer-link status.

N5010-P(config)# show vpc

Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer adjacency formed ok
Configuration consistency status: success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po90 up 1

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 15 Now that the vPC peers have been configured, you can get ready to create a virtual
Port Channel for a server dual-homed to both pods Nexus 2000s.
First, we will create VLAN 300, and then we will put the servers uplink into
PortChannel 42, and make it a member of VLAN 300.

N5010-P(config)# vlan 300
N5010-P(config-vlan)# name servers

N5010-P(config-if)# interface ethernet 110/1/1
N5010-P(config-if)# channel-group 42

N5010-P(config-if)# interface port-channel 42
N5010-P(config-if)# description SharedServer
N5010-P(config-if)# switchport mode access
N5010-P(config-if)# switchport access vlan 300

Step 16 Ensure both the server interface Ethernet 110/1/1 and the Port Channel 42 interface
are up and in VLAN 300 before we create the vPC.

N5010-P(config-if)# show interface ethernet 110/1/1 brief

------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth110/1/1 300 eth access up none 1000(D) 42

N5010-P(config-if)# show interface port-channel 42 brief

------------------------------------------------------------------------------
Interface
------------------------------------------------------------------------------
Po42 300 eth access up none a-1000(D) none
Tip If your PortChannel 42 is not up and your server interface Ethernet 110/1/1 shows an
inactive state, ensure you created VLAN 300 in the VLAN database. Putting a port into a
VLAN that does not yet exist will NOT create the VLAN in the VLAN database in NX-OS,
unlike some other operating systems.
Step 17 To add the shared server to a vPC, enter vpc 10 under the port-channel 42
configuration mode to create a vPC for the shared server.

N5010-P(config-if)# vpc 10
Note The vPC number needs to be to be the same on both Nexus 5000s for the PortChannels to
become part of the same vPC.
Step 18 You should now see the newly created vPC 10 in the show vpc output, once your
peer pod has also created their vPC.

N5010-P(config-if)# show vpc

Legend:

vPC domain id : 1
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
vPC role : primary

---------------------------------------------------------------------
-- ---- ------ --------------------------------------------------
1 Po90 up 1,300

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
10 Po42 up success success 300

Step 19 Put the uplinks connected to the core switch in VLAN 300. This will allow you to
ping from you shared server to the core server at 10.10.10.1 so we may test vPC
connectivity.

N5010-P(config-if)# interface ethernet 1/7-8
N5010-P(config-if-range)# switchport mode access
N5010-P(config-if-range)# switchport access vlan 300
N5010-P(config-if-range)# exit

Step 20 Log into the shared server from the lab topology tab by clicking on the Shared
Server icon at the bottom of the page.
Send a Ctrl-Alt-Del to the server by right clicking on the Shared Server tab, and
then selecting Send Ctrl Alt Del to Server/PC from the drop-down menu.
If prompted for a username and password, use the following credentials:
Username: Administrator
Password: NXos12345
Step 21 From the desktop of the shared server open a command prompt and initiate a
continuous ping to the core server at 10.10.10.1.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 22 Verify that the pings are successful. This server has NIC teaming configured across
the available uplinks. This step verifies we have successfully configured the vPC
uplinks for the shared server and have placed our devices in the correct VLAN.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: vPC Failure Scenarios
In this task, we will test several types of failures that could happen in a production
environment, and we will observe how vPC recovers seamlessly from these failures.
Step 1 The first failure scenario we will test is if an interface connected to a server on the
FEX fails. If one of the FEX server interfaces fails on one side of the vPC, traffic
destined for the server will be sent to the interface on the other side of the vPC by
passing over the peer-link between the two Nexus 5010s.
This failure scenario is seamless to the server and anyone communicating with it.
Only shut down the interface on the odd pod Nexus 5000 otherwise if we shut
down both server interfaces we would not be able to pass traffic. Have the lower-
numbered pod shut down the interface first.

N5010-ODD(config)# interface ethernet 110/1/1
N5010-ODD(config-if)# shutdown

Step 2 View the state of the vPC on the odd pod Nexus 5000. The vPC should show as
down on this side, and forwarding all packets destined for the Shared Server over the
vPC peer-link since it no longer has a connection to the server.
Under normal operation, server traffic will never pass over the vPC peer-link. This is
only used for server traffic in failure scenarios, as depicted by the show command
output.

N5010-ODD(config-if)# show vpc statistics vpc 10

port-channel42 is down (No operational members)
vPC Status: Down, vPC number: 10 [packets forwarded via vPC peer-link]
Hardware: Port-Channel, address: 0000.0000.0000 (bia 0000.0000.0000)
MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
[output omitted]

Step 3 View the state of the vPC on the even pod Nexus 5000. The vPC should show as up
on this side, and is forwarding traffic normally since its vPC member port is still up
and operational.

N5010-EVEN(config-if)# show vpc statistics vpc 10

port-channel42 is up
vPC Status: Up, vPC number: 10
Hardware: Port-Channel, address: 0000.0000.0000 (bia 0000.0000.0000)
MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is access
[output omitted]

Step 4 Verify that the continuous ping is still successful from the Shared Server. Although
we may lose one or two pings, there should be no interruption to the end application
user.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Re-enable the interface on the odd Nexus 5000. You may repeat Steps 1 4 on the
even Nexus 5000 if the other team would like to test. You should observe the same
result.

N5010-ODD(config-if)# no shutdown

Step 6 Verify that the continuous ping is still successful from the Shared Server.
Step 7 For the next failure scenario, you will simulate a vPC peer-link failure by shutting
down the PortChannel that serves as the peer-link between the Nexus 5000s. You
can perform this step on each Nexus 5000.

N5010-P(config-if)# shutdown
2011 Sep 10 17:33:05 N5010-18 %$ VDC-1 %$ %VPC-2-VPC_SUSP_ALL_VPC: Peer-link
going down, suspending all vPCs on secondary
Note You will only see the above console message if you are looking at the Secondary peer at the
time the peer-link is shutdown.
Note To avoid a split brain (or dual-active) condition where the peer-link might be lost but the
Nexus switches are in fact both up and active, the Secondary peer will suspend all vPCs
and allow the Primary peer to actively forward all traffic until the peer-link becomes active
again.
Step 8 Look at the vPC status on both Nexus 5000s. The Primary Nexus should take over
all forwarding for vPC 42, and the Secondary Nexus should shut down its side of
vPC 42.
vPC is designed to only have one peer forward in this failure scenario since the two
devices can no longer exchange information via the peer-link; one must take over as
the brain.
Sample show command output is shown for both the Primary and Secondary vPC
peers.

N5010-PRIMARY(config-if)# show vpc

Legend:

vPC domain id : 1
Peer status : peer link is down
vPC role : primary

---------------------------------------------------------------------
-- ---- ------ --------------------------------------------------
1 Po90 down -

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
vPC status
----------------------------------------------------------------------------
------ ----------- ------ ----------- -------------------------- -----------

N5010-SECONDARY(config-if)# show vpc

Legend:

vPC domain id : 1
vPC role : secondary

---------------------------------------------------------------------
-- ---- ------ --------------------------------------------------
1 Po90 down -

vPC status
----------------------------------------------------------------------------
------ ----------- ------ ----------- -------------------------- -----------
10 Po42 down failed Peer-link is down -

Step 9 Re-enable the peer-link PortChannel to bring both sides of the vPC back up.

N5010-P(config-if)# no shutdown

Step 10 After a few seconds, issue the show vpc command on both switches to verify the
peer-link comes back up and the Secondary Nexus shows vpc 10 up again.
Step 11 Verify that the ping is still successful from the Shared Server. Although we may lose
one or two pings, there should be no interruption to the end application user.
Step 12 In the next failure scenario we will simulate an entire vPC peer switch failure. From
the Primary vPC peer, save the configuration and reload the device to simulate the
device failure.
Caution Make sure you save your configuration before you reload the device! Only reload the
Primary Nexus 5000.
N5010-PRIMARY# copy running-config startup-config
N5010-PRIMARY# reload
WARNING: This command will reboot the system
Do you want to continue? (y/n) [n] y

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 13 Go to the Secondary switch while the Primary is reloading and look at the vPC
status. Note that the keep-alive needs to expire (3 seconds by default) before the peer
can be declared dead.
You should see the peer-link as down (the other end of PortChannel 90 is down
while the switch is reloading), the vPC keep-alive is suspended since the vPC peer
destination IP is not reachable, and the Secondary has taken over the Primary role
since the Primary has disappeared. vPC 10 should remain up.

N5010-SECONDARY# 2011 Sep 10 18:02:00 N5010-18 %$ VDC-1 %$ %VPC-2-
PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed

N5010-SECONDARY# show vpc

Legend:

vPC domain id : 1
vPC keep-alive status : Suspended (Destination IP not reachable)
vPC role : secondary, operational primary

---------------------------------------------------------------------
-- ---- ------ --------------------------------------------------
1 Po90 down -

vPC status
----------------------------------------------------------------------------
------ ----------- ------ ----------- -------------------------- -----------
Note Peer failure will not trigger an election for a new primary. The secondary switch keeps its
role but assumes the operational primary role, as depicted in the show vpc output. The
server still has an interface available to send and receive traffic on its side of the vPC.
Note In the case of a failure of both the vPC peer-link (Port Channel 90) AND backup keep-alives
(sent to mgmt0), but the switches themselves were still in fact up and operational causes a
split-brain condition. Both switches would assume the other had failed and they would each
try assuming the primary role. This could cause multiple frame copies and loops in the
network. vPC will fail closed, but designs should avoid this scenario.
Note To avoid a split-brain condition, Cisco recommends to always dual-home your servers in a
Port Channel, and the interfaces chosen for the peer-link should be on different I/O modules.
Step 14 Verify that the ping is still successful from the Shared Server. Although we may lose
one or two pings, there should be no interruption to the end application user.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 15 Inspect the vPC logs on the Secondary vPC peer to view the logging of the failure
scenario.

N5010-SECONDARY# show cfs internal notification log name vpc

Thu Apr 7 18:05:26 2011: Peer add 20:00:00:05:9b:25:d1:bc
Thu Apr 7 18:34:41 2011: Peer gone 20:00:00:05:9b:25:d1:bc
Thu Apr 7 21:22:27 2011: Peer gone 20:00:00:05:9b:25:d1:bc

Step 16 When the Primary vPC peer comes back online, verify that it brings vPC 10 back
up on its side, and has started communicating with its peer again.

N5010-PRIMARY# show vpc

Legend:

vPC domain id : 1
vPC role : primary, operational secondary

---------------------------------------------------------------------
-- ---- ------ --------------------------------------------------
1 Po90 up 1,300

vPC status
----------------------------------------------------------------------------
------ ----------- ------ ----------- -------------------------- -----------

Note The Nexus should now be in the operational secondary vPC role. There is no preemption
in vPC: when the switch comes back online it did not reclaim the primary role.
Step 17 Save your current configuration.

N5010-P# copy running-config startup-config
[########################################] 100%

Step 18 OPTIONAL: You may reload the Secondary vPC peer to test that failure scenario
if you wish, ensuring you issue copy running-config startup-config BEFORE you
reload the switch.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 13: Configuring FCoE
Activity Objective
In this activity, you will configure FCoE on your the Cisco Nexus 5000 switch for a server with
a CNA (Converged Network Adapter). After completing this activity, you will be able to meet
these objectives:
Configure FCoE on the Nexus 5000 to support the CNA-attached server
Verify CNA server connectivity
Visual Objective
Refer to the Lab TopologyLab Aids section of this lab guide for your group topology
diagram and addressing information.
Eth 1/1
CNA
vfc 20
FCoE
VLAN 200
VSAN 2
Fabric-Mode
Nexus 5000
CNA Server
MDS
FC
2/1
Fibre Channel
TE PORTS
Trunk
STP port type edge trunk
FCoE
N_PORT
F_PORT
FLOGI

Required Resources
One Cisco Nexus 5000 chassis
One server with a CNA (Converged Network Adapter)
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Commands
The table lists the commands that are used in this activity.
Command
bind interface ethernet 1/1
feature fcoe
fcoe mode on
interface vfc 20
no shut
show fcoe
show interface vfc 20
show version
show vlan fcoe
show vsan membership
show vsan 2 membership
vlan id
vsan database
vsan fcoe
vsan id
vsan 2 interface vfc 20

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
2011 Global Knowledge Training LLC Lab Guide 13-3
Task 1: Configure FCoE on the Cisco Nexus 5010
In this activity you will configure FCoE (Fibre Channel over Ethernet) on your Cisco Nexus
5000 switch to support a server connected via a CNA (Converged Network Adapter) speaking
FCoE.
The FCoE-connected server is visible in your lab topology diagram and is labeled CNA
Server. Review the lab topology diagram before beginning the activity.
Activity Procedure
Step 1 From the lab topology diagram for your pod, determine which 10 Gigabit Ethernet
interfaces on your assigned Cisco Nexus 5010 switch connect to your CNA server.
Note The CNA server should connect to the Nexus 5010 interface Ethernet 1/1 use the topology
diagram to verify.
Step 2 Before we begin any storage configuration, determine if there is a Fibre Channel
expansion module installed in your Nexus 5000 chassis. Fibre Channel ports will be
necessary to connect to the Cisco MDS Fibre Channel switch to get to the SAN.

N5010-P# show module

Mod Ports Module-Type Model Status
--- ----- -------------------------------- ---------------------- -----------
1 20 20x10GE/Supervisor N5K-C5010P-BF-SUP active *
2 8 8x1/2/4G FC Module N5K-M1008 ok

Mod Sw Hw World-Wide-Name(s) (WWN)
--- -------------- ------ -------------------------------------------------
1 5.0(3)N1(1b) 1.2 --
2 5.0(3)N1(1b) 1.0 28:8c:b7:00:e5:66:b7:28 to 60:11:b7:28:55:8d:b7:70

Mod MAC-Address(es) Serial-Num
--- -------------------------------------- ----------
1 0005.73ee.8b88 to 0005.73ee.8baf JAF1520CDNL
2 0005.73ee.8bb0 to 0005.73ee.8bb7 FOC1516087W

Do you have a Fibre Channel module installed in your Nexus 5000 chassis?
_________________________________________________________________________
Step 3 View the state of your Fibre Channel interfaces.


------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth1/9 1 eth trunk up none 10G(D) 90
Eth1/10 1 eth trunk up none 10G(D) 90
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

------------------------------------------------------------------------------
Interface
------------------------------------------------------------------------------
Po42 300 eth access up none a-1000(D) none
Po90 1 eth trunk up none a-10G(D) none

------------------------------------------------------------------------------
------------------------------------------------------------------------------
mgmt0 -- up 192.168.P.1 1000 1500

------------------------------------------------------------------------------
Interface Ch #
------------------------------------------------------------------------------
Eth110/1/1 300 eth access up none 1000(D) 42
Eth110/1/3 1 eth access down Link not connected auto(D) -

Do you see any Fibre Channel interfaces in your output? Why or why not?
_________________________________________________________________________
Step 4 In order to configure FCoE or any storage-related features in NX-OS, you must first
enable the FCoE feature.

N5010-P# configure
N5010-P(config)# feature fcoe

FC license checked out successfully
fc_plugin extracted successfully
FC plugin loaded successfully
FCoE manager enabled successfully
FC enabled on all modules successfully
Note The Fibre Channel interfaces on the expansion module should be visible after the FCoE
feature is enabled. You may view them using the show interface brief command. They will
be labeled fc2/1 fc2/8 at the top of the show interface brief output.
Step 5 Enabling the FCoE feature makes all interfaces FCoE-capable and all active
interfaces will display in the FCoE UP state.
Verify FCoE is enabled on the interface connected to the server with the CNA.

N5010-P(config)# show interface ethernet 1/1 fcoe
Ethernet 1/1 is FCoE UP

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 6 Disable spanning-tree negotiation on the physical interface connected to the FCoE
server and configure the port as a trunk.
Note Spanning-Tree negotiation is disabled using the command spanning-tree port type edge
trunk. This ensures the Nexus 5000 knows there is a server not another switch
connected to the port.
N5010-P(config-if-range)# spanning-tree port type edge trunk
N5010-P(config-if-range)# exit

Warning: portfast should only be enabled on ports connected to a single host.
Connecting hubs, concentrators, switches, bridges, etc... to this interface
when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

Step 7 Create a virtual Fibre Channel (vfc) interface and bind it to the physical Ethernet
interface. This will allow the switch to identify the port as a possible receiver of
Fibre Channel traffic (wrapped in Ethernet frames) and handle the traffic
appropriately inside the switch.

N5010-P(config)# interface vfc 20
N5010-P(config-if)# bind interface ethernet 1/1

Step 8 Ensure your virtual Fibre Channel interface

N5010-P(config-if)# show interface vfc 20

vfc20 is trunking (Not all VSANs UP on the trunk)
Bound interface is Ethernet1/1
Hardware is Virtual Fibre Channel
Port WWN is 20:13:00:05:73:ee:8c:bf
Admin port mode is F, trunk mode is on
snmp link state traps are enabled
Port mode is TF
Port vsan is 1
Trunk vsans (admin allowed and active) (1)
[output omitted]

Step 9 Create VSAN 2 and make interface vfc 20 a member of VSAN 2.

N5010-P(config-if)# vsan database
N5010-P(config-vsan-db)# vsan 2
N5010-P(config-vsan-db)# vsan 2 interface vfc 20
N5010-P(config-vsan-db)# exit

N5010-P(config)# show vsan 2 membership
vsan 2 interfaces:
vfc20
Note You cannot abbreviate or shorten VSAN database commands. You must enter the
commands in their complete form.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 10 Ethernet 1/1 is a trunk interface. Currently the physical port is a member of VLAN
1. An FCoE VLAN is required to map the ethernet VLAN to an appropriate Fibre
Channel VSAN, since we will be receiving Fibre Channel traffic in addition to the
typical Ethernet traffic on an FCoE port. This provides a mapping so traffic can be
tagged appropriately.
Create an FCoE VLAN and map VSAN 2 to the FCoE VLAN.

N5010-P(config)# vlan 200
N5010-P(config-vlan)# fcoe vsan 2
N5010-P(config-vlan)# exit

Step 11 Display the member interfaces for all VSANs.

N5010-P(config)# show vsan membership

vsan 1 interfaces:
fc2/1 fc2/2 fc2/3 fc2/4
fc2/5 fc2/6 fc2/7 fc2/8

vsan 2 interfaces:
vfc20

vsan 4079(evfp_isolated_vsan) interfaces:

vsan 4094(isolated_vsan) interfaces:

Step 12 Confirm the FCoE VLAN configuration, and ensure it is operational.

N5010-P(config)# show vlan fcoe

Original VLAN ID Translated VSAN ID Association State
---------------- ------------------ -----------------

200 2 Operational

Step 13 Confirm VSAN 2 is up on the virtual Fibre Channel interface.

N5010-P(config)# show interface vfc 20

vfc20 is trunking (Not all VSANs UP on the trunk)
Port WWN is 20:13:00:05:73:ee:8c:bf
Port mode is TF
Port vsan is 2
Trunk vsans (admin allowed and active) (1-2)
Trunk vsans (up) (2)
Trunk vsans (isolated) ()
Trunk vsans (initializing) (1)
[output omitted]

Note VSAN 1 does not appear in the up state because there are no active member interfaces in
the VSAN.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 14 A handy way to verify your FCoE port has been successfully configured and logged
into the fabric is the show interface ethernet 1/1 fcoe command. You should see
similar output if you have correctly configured FCoE (your FCID, PWWN, and
MAC address will be different, but they should be assigned to the vfc20 port).

N5010-P(config)# show interface ethernet 1/1 fcoe

Ethernet1/1 is FCoE UP
vfc20 is Up
FCID is 0x4a0000
PWWN is 10:00:00:00:c9:97:3f:f1
MAC addr is 00:00:c9:97:3f:f1

Step 15 Enable the Nexus 5000 Fibre Channel interface on the expansion module connected
to the Cisco MDS Fibre Channel switch.

N5010-P(config)# interface fc 2/1
N5010-P(config-if)# no shut

N5010-P(config-if)# show interface fc 2/1

fc2/1 is down (Link failure or not-connected)
Hardware is Fibre Channel, SFP is short wave laser w/o OFC (SN)
Port WWN is 20:41:00:05:73:ee:8c:80
Admin port mode is auto, trunk mode is on
Port vsan is 1
Receive data field Size is 2112
Beacon is turned off
1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
0 frames input, 0 bytes
0 discards, 0 errors
0 CRC, 0 unknown class
0 too long, 0 too short
0 frames output, 0 bytes
0 input OLS, 0 LRR, 0 NOS, 0 loop inits
0 output OLS, 0 LRR, 0 NOS, 0 loop inits
last clearing of "show interface" counters never

Note The other end of the interface on the MDS has not yet been configured, so the down state
is expected at this point in the configuration.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Verify the CNA Server Connectivity
In this activity you will verify that the CNA server is talking to your Nexus 5010 via FCoE and
has logged into the Nexus 5000 fabric.
Activity Procedure
Step 1 From your Nexus 5010, determine the FCID (Fibre Channel ID) and pWWN (World
Wide Port Name, sometimes abbreviated as WWPN) burned into your servers CNA
port that is connected to interface Ethernet 1/1 via vfc 20.

N5010-P# show flogi database

------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
------------------------------------------------------------------------------
vfc20 2 0x080000 10:00:00:00:c9:97:40:73 20:00:00:00:c9:97:40:73

Total number of flogi = 1.

Record your FCID and pWWN from your show command output below:
My FCID _____________________________________________________________
My pWWN _____________________________________________________________
Step 2 Click on the Lab Topology tab and then click on the CNA Server icon. Login using
the following: credentials
Username: admin
Password: NXos12345
Note If you are prompted to choose an active session to the server, choose the oldest session in
the list.
Step 3 Launch the OCManager utility from the desktop of the CNA server.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 4 In the left pane, expand the Hosts and N5KCNA icons until you see the adapters
and their ports. This server has 4 CNAs with 2 ports each. Expand each adapter and
each port until you find your pWWN recorded in step 1.

Step 5 Once you have located your port on the server, check that the pWWN of your port
matches what you discovered in the prior steps.
Step 6 Click on your WWPN in the left-hand pane, and then click the Port Information
tab. You should see an entry in the Fabric Name field, which corresponds to the ID
of the Nexus 5000, and the Port Type should be an N_port (Node_port). The Link
Status should also show as up if you have successfully configured FCoE on the
Nexus 5000.

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 14: Configuring NPV
Activity Objective
In this activity, you will configure Cisco N_Port Virtualizer (NPV) mode on the Nexus 5000
switch. After completing this activity, you will be able to meet these objectives:
Understand the difference between Cisco NPV mode and the NPIV feature in the Nexus
5000 and MDS device families
Enable NPV on your Nexus 5000
Configure uplink pinning between server interfaces and MDS-facing interfaces
Configure the Cisco MDS 9124 switch to support NPIV (N_Port Identifier Virtualization)
Validate NPV operation and Cisco MDS configuration using show commands
Visual Objective
CNA
vfc 20
CNA Server
MDS
NPIV-enabled
NP_PORT
SAN
F_PORT
NPV-Mode Nexus 5000
NPV EDGE SWITCH
FC
1/23
FC
1/24
N_PORT
F_PORT
NPV CORE SWITCH
PROXY
FLOGI table
FCNS database, etc.

Required Resources
One CNA Server
One Cisco Nexus 5000
One Cisco MDS 9124 Multilayer Fabric switch
One storage device
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Command List
Command
bind interface eth 1/3
copy bootflash:temp running-config
copy running-config bootflash:temp
dir bootflash:
fcoe mode on
fcoe vsan 2
feature fcoe
interface ethernet 1/3
interface fc1/1
interface fc2/1
interface vfc20
no shutdown
npiv enable
npv auto-load-balance disruptive
npv enable
npv traffic-map server-interface vfc20 external-interface fc2/1
show fcns database
show fcoe
show flogi database
show interface fc2/1
show interface vfc 20
show npv flogi-table
show npv status
show npv traffic-map
show vlan fcoe
show vsan 2 membership
switchport mode F
switchport mode FL
switchport mode NP
vlan 200
vsan 2
vsan 2 interface fc1/1
vsan 2 interface vfc 20
vsan database

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 1: Configure N_Port Virtualizer (NPV) Mode on the Cisco
Nexus 5010 Switch
Activity Procedure
In this activity you will understand the difference between Cisco NPV mode and the NPIV
feature, and why we leverage them in this lab. Next, you will log in to your pods Cisco Nexus
5010 switch, configure it to operate in N_Port Virtualizer (NPV) mode and configure server
and fabric switch facing interfaces.
Note NPV mode on the Cisco Nexus 5000 platform makes the Nexus appear as a host device, or
N_port, to the core MDS. The Nexus proxies all server-side traffic to the core MDS. NPV
mode reduces Fibre Channel management, as the Nexus no longer operates as a Fibre
Channel switch and simply proxies the communication directly to the MDS. Therefore, the
Nexus does not consume a Domain ID (DID), and does not have to run SFPF or maintain
any of the tables and databases Fibre Channel switches normally do.
Note NPIV is an industry-standard feature that allows a switch to assign multiple FCIDs to a
single N_port. Without NPIV, there must be a 1:1 relationship between F_ports and N_ports,
with one FCID assigned to the connected N_port. This concept can be compared to
subinterfaces in the Ethernet world. NPIV is often implemented in a virtualized server
environment so that access control, zoning, and port security can be implemented at the
application (or Virtual Machine) level.
Note In this lab, you will enable NPV mode on your Nexus 5010, removing the need to configure
and maintain Fibre Channel on the Nexus and passing the responsibility to the MDS. The
MDS will need to have the NPIV feature enabled. The Nexus will look like an N_port
connected to an F_port on the MDS when in NPV mode. The Nexus could have many
servers connected, therefore NPIV allows the MDS to assign multiple FCIDs to the single
Nexus N_port.
Step 1 Login to your Cisco Nexus 5010 using Putty SSH on your Lab PC. Connect to your
mgmt0 interface at 192.168.P.1.
Step 2 Switching the Nexus 5010 to N_Port Virtualizer (NPV) mode will initiate a write
erase and a system reload.
Configuration will be erased because moving to NPV mode fundamentally changes
how the Nexus 5010 works internally.
Save your running configuration to bootflash before proceeding so you have it later
for your reference.

N5010-P# copy running-config bootflash:temp
N5010-P# dir bootflash:

1256 Jun 16 18:35:39 2011 aaa_cnv.log
364 Jun 16 18:35:39 2011 assoc_mgr_cnv.log
497 May 24 04:51:32 2011 license_SSI15100C7V_19.lic
16384 May 24 04:39:58 2011 lost+found/
8769 Sep 06 18:08:52 2011 mts.log
25164288 May 24 04:44:33 2011 n5000-uk9-kickstart.5.0.2.N2.1.bin
25136128 Jun 15 23:47:12 2011 n5000-uk9-kickstart.5.0.3.N1.1b.bin
156932426 May 24 04:45:20 2011 n5000-uk9.5.0.2.N2.1.bin
188700150 Jun 16 01:29:13 2011 n5000-uk9.5.0.3.N1.1b.bin
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
4463 Sep 09 16:09:51 2011 beforeNPVConfig

Usage for bootflash://sup-local
458096640 bytes used
425254912 bytes free
883351552 bytes total

Step 3 Enable your Nexus 5010 to function as an N_Port Virtualizer (NPV).

N5010-P# configure
N5010-P(config)# feature npv
Verify that boot variables are set and the changes are saved. Changing to npv
mode erases the current configuration and reboots the switch in npv mode. Do
you want to continue? (y/n): y
2011 Sep 9 16:20:53 N5010-17 Sep 9 16:20:53 %KERN-0-SYSTEM_MSG: Shutdown
Ports.. - kernel
2011 Sep 9 16:20:53 N5010-17 Sep 9 16:20:53 %KERN-0-SYSTEM_MSG: writing
reset reason 90, - kernel

Broadcast message from root (Fri Sep 9 16:20:53 2011):
The system is going down for reboot NOW!
Note If you are connected via SSH through Putty your session will disconnect. It takes
approximately 5 minutes to reboot the lab Nexus 5010s. Then, you will be able to reconnect
via Putty to the mgmt0 interface.

Nexus 5000 Switch
N5010-P login: admin
Password: NXos12345
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software may be covered under the GNU Public
License or the GNU Lesser General Public License. A copy of
each such license is available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
N5010-P#

Step 4 Inspect the effect of the change to NPV-mode on the Fibre Channel ports of the
Nexus 5000.


------------------------------------------------------------------------------
Interface Vsan Admin Admin Status SFP Oper Oper Port
Mode Trunk Mode Speed Channel
Mode (Gbps)
------------------------------------------------------------------------------
fc2/1 1 NP off down swl -- --
fc2/2 1 NP off down swl -- --
fc2/3 1 NP off sfpAbsent -- -- --
[output omitted]
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note The Fibre Channel interfaces are now in a new port mode: NP. NP_ports are Proxy N_ports
that proxy the server connections to the core, and appear as an N_port themselves to the
core.

Step 5 Re-enable FCoE on the interface that connects the Cisco Nexus 5010 to the CNA
Server.

N5010-P# configure

N5010-P (config-if)# show interface ethernet 1/1 fcoe
Ethernet1/1 is FCoE UP

Step 6 Disable Spanning-Tree on the Ethernet interface connected to the FCoE server and
configure the port as a trunk.

N5010-P(config-if)# switchport mode trunk
N5010-P(config-if)# spanning-tree port type edge trunk

Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

Step 7 Create the FCoE VLAN, and specify the mapped VSAN.

N5010-P(config-if)# vlan 200
N5010-P(config-vlan)# fcoe vsan 2

Step 8 Create a virtual Fibre Channel interface and bind it to the physical Ethernet
interface. Verify the virtual Fibre Channel interface is bound to the physical Ethernet
interface.

N5010-P(config)# interface vfc 20
N5010-P(config-if)# bind interface ethernet 1/1

Step 9 Add VSAN 2 to the VSAN database and make the CNA Server interface vfc20 a
member of VSAN 2.

N5010-P(config-if)# vsan database
N5010-P(config-vsan-db)# vsan 2
N5010-P(config-vsan-db)# vsan 2 interface vfc 20

Step 10 Display the interface membership for all VSANs. Verify interface vfc20 is a
member of VSAN 2.


vsan 1 interfaces:
fc2/1 fc2/2 fc2/3 fc2/4
fc2/5 fc2/6 fc2/7 fc2/8

vsan 2 interfaces:
vfc20

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l


Step 11 Confirm the FCoE VLAN mapping and state.

N5010-P(config)# show vlan fcoe

Original VLAN ID Translated VSAN ID Association State
---------------- ------------------ -----------------

200 2 Operational

Step 12 Assign the Fibre Channel interface that connects the Nexus 5000 to the Cisco MDS
9124 Fabric Switch to VSAN 2.

N5010-P(config)# vsan database
N5010-P(config-vsan-db)# vsan 2 interface fc2/1


vsan 1 interfaces:
fc2/2 fc2/3 fc2/4 fc2/5
fc2/6 fc2/7 fc2/8

vsan 2 interfaces:
fc2/1 vfc20



Step 13 Ensure your interfaces are configured for the correct mode and enable them.

N5010-P(config)# interface fc2/1
N5010-P(config-if)# switchport mode NP

N5010-P(config-if)# interface vfc 20
N5010-P(config-if)# switchport mode F

Step 14 Examine the state of your fc2/1 interface connecting to the MDS switch. Verify the
port is a member of VSAN 2 and is in Admin Mode NP.

N5010-P(config)# show interface fc2/1 brief

------------------------------------------------------------------------------
Interface Vsan Admin Admin Status SFP Oper Oper Port
Mode Trunk Mode Speed Channel
Mode (Gbps)
------------------------------------------------------------------------------
fc2/1 2 NP off init swl -- --
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note Your fc2/1 port Status may read notConnected, meaning the other side of the link is
shutdown on the MDS. We will bring this up in the next Task. You can move forward if you
have either init or notConnected status at this point.
Step 15 Examine the state of your vfc20 interface, mapped to Ethernet 1/1 connected to your
CNA server. Ensure vfc20 is bound to Ethernet 1/1, and the Port VSAN is 2.

N5010-P(config)# show interface vfc 20

vfc20 is down (NPV upstream port not available)
Port WWN is 20:13:00:05:73:ee:8b:3f
Port vsan is 2
1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
0 frames input, 0 bytes
0 frames output, 0 bytes
last clearing of "show interface" counters never
Note It is expected for vfc20 to be down at this point since we have not yet configured the NPV
upstream ports.
Step 16 Map the FC traffic received from the CNA Server port to be pinned to one of the FC
uplinks to the MDS and enable load balancing.

N5010-P(config)# npv traffic-map server-interface vfc 20 external-interface fc2/1
N5010-P(config)# npv auto-load-balance disruptive

Enabling this feature may flap the server interfaces whenever load is not in a
balanced state. This process may result in traffic disruption. Do you want to
proceed? (y/n): y

Step 17 Verify the NPV server-to-uplink traffic map.

N5010-P(config)# show npv traffic-map

NPV Traffic Map Information:
----------------------------------------
Server-If External-If(s)

----------------------------------------
vfc20 fc2/1
----------------------------------------

Step 18 View the status of NPV.

N5010-P(config)# show npv status

npiv is disabled

disruptive load balancing is enabled

External Interfaces:
====================
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Interface: fc2/1, State: Failed(NPIV is not enabled in upstream switch or
FLOGI denied)

Number of External Interfaces: 1

Server Interfaces:
==================
Interface: vfc20, VSAN: 20, State: Waiting for External Interface
Number of Server Interfaces: 1

[output may vary]
Note The failed state of the external interface is expected at this point. NPIV (N_Port Identifier
Virtualization) must be enabled on the core MDS first. If the port successfully came up and
you do not see the failed state, another lab group may have already enabled NPIV on the
MDS as these are shared devices.
Why does NPIV need to be enabled on the upstream MDS connected to an NPV Nexus
5000 switch?
_________________________________________________________________________

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Task 2: Configure Global N_Port Virtualization Mode (NPIV) on
the MDS 9124 Fabric Switch
During this exercise you will enable the NPIV feature on the MDS 9124 to support the Nexus
5000 in NPV mode. Since the Nexus 5000 can now proxy many server N_port logins to a
single F_port on the MDS, the MDS must support NPIV mode.
Activity Procedure
Step 1 To connect to the Cisco MDS device in your pod, open a new Putty SSH session
from your Lab PC to the IP address corresponding to your pod in the provided table.
POD NUMBER MDS HOSTNAME MDS IP ADDRESS
Odd pod CORE-A-MDS-1 192.168.0.201
Even pod CORE-B-MDS-2 192.168.0.202
Step 2 Login to the MDS using the following credentials:

User Access Verification
login: admin
Password: C1sco12345
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Step 3 Enable the NPIV feature on the MDS.
Note Since the MDS equipment is shared across several pods, someone may have already
enabled the NPIV feature. You will still be able to enter the command.
CORE-MDS# configure
CORE-MDS(config)# feature npiv

Step 4 Configure the interfaces connected to your Nexus 5000 on the MDS switch to
operate in Fabric (F) mode, since the Nexus is now in NPV mode it should appear as
a host to the MDS.
Refer to the MDS icon in the Lab Topology diagram for the correct interfaces. Look
for the interfaces connected back to your Nexus 5000 on the MDS. The interface
numbers will depend on your pod. For example, Pod 9 has interfaces fc1/9 and
fc1/10 connected on the MDS. Replace your interfaces with X and Y in the
configuration provided.

CORE-MDS(config)# interface fc1/X-Y
CORE-MDS(config-if)# switchport mode F
CORE-MDS(config-if)# no shutdown

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 Put your Nexus 5010-connected interfaces into VSAN 2. Replace X and Y with your
MDS interfaces per your Lab Topology diagram again.

CORE-MDS(config-if)# vsan database
CORE-MDS(config-vsan-db)# vsan 2
CORE-MDS(config-vsan-db)# vsan 2 interface fc1/X-Y
Traffic on fc1/X may be impacted. Do you want to continue? (y/n) y
Traffic on fc1/Y may be impacted. Do you want to continue? (y/n) y

Step 6 Ensure the EMC CLARiiON storage arrays connected to MDS ports fc1/23 and
fc1/24 are also in VSAN 2 so your CNA Server will be able to talk to the array.
Verify the MDS to SAN connectivity in your Lab Topology diagram.

CORE-MDS(config-vsan-db)# vsan 2 interface fc1/23-24
Traffic on fc1/23 may be impacted. Do you want to continue? (y/n) y
Traffic on fc1/24 may be impacted. Do you want to continue? (y/n) y
CORE-MDS(config-vsan-db)# exit
Note If you see the following message fc1/23:membership being configured is already
configured for the interface, someone else has already put the array ports into VSAN 2.
Continue onto the next task.
Step 7 Verify your MDS Fibre Channel ports show as members of VSAN 2. Also verify the
storage array ports fc1/23 and fc1/24 are members of VSAN 2.
You may see other interfaces in VSAN 2 as well since this is a shared device. Verify
your X and Y interfaces only, per the Lab Topology diagram.

CORE-MDS(config)# show vsan membership

vsan 1 interfaces:
fc1/1 fc1/2 fc1/3 fc1/4
fc1/5 fc1/6 fc1/7 fc1/8
fc1/10 fc1/18 fc1/19 fc1/20
fc1/21 fc1/22

vsan 2 interfaces:
fc1/9 fc1/10 fc1/12 fc1/13
fc1/14 fc1/15 fc1/16 fc1/17
fc1/23 fc1/24



Step 8 Display the Fibre Channel Name Server table and the FLOGI database. You should
see your Cisco NPV device (Nexus 5000), the CLARiiON arrays, and your Emulex
CNA port in the Name Server and FLOGI tables. You may see other pods in your
output, in addition to your own.

CORE-MDS(config)# show fcns database vsan 2

VSAN 2:
--------------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x880100 N 20:41:00:05:73:ee:8b:80 (Cisco) npv
0x880101 N 10:00:00:00:c9:97:40:83 (Emulex) ipfc scsi-fcp:init
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
0x880200 N 50:06:01:61:4b:e0:08:d8 (Clariion) scsi-fcp
0x880300 N 50:06:01:61:4b:e0:08:a7 (Clariion) scsi-fcp

CORE-MDS(config)# show flogi database

------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
------------------------------------------------------------------------------
fc1/X 2 0x880100 20:41:00:05:73:ee:8b:80 20:02:00:05:73:ee:8b:81
fc1/X 2 0x880101 10:00:00:00:c9:97:40:83 20:00:00:00:c9:97:40:83
fc1/23 2 0x880200 50:06:01:61:4b:e0:08:d8 50:06:01:60:cb:e0:08:d8
fc1/24 2 0x880300 50:06:01:61:4b:e0:08:a7 50:06:01:60:cb:e0:08:a7


Step 9 Reconnect to your Cisco Nexus 5010 switch via Putty SSH and view the FLOGI
table. Your vfc20 FCID and WWPN should correspond to the entries in the MDS
tables.

N5010-P(config)# show npv flogi-table

------------------------------------------------------------------------------
SERVER EXTERNAL
INTERFACE VSAN FCID PORT NAME NODE NAME INTERFACE
------------------------------------------------------------------------------
vfc20 2 0x880101 10:00:00:00:c9:97:40:83 20:00:00:00:c9:97:40:83 fc2/1

Note The tables viewed by the commands show flogi database and show fcns database are no
longer maintained by the Nexus 5000, now that it runs in NPV mode. These Fibre Channel
tables are now only maintained by the MDS.
Step 10 Verify the N_Port Virtualization status. With all interfaces up, and the CNA Server
logged into the MDS fabric, you have successfully configured NPV!

N5010-P(config)# show npv status

npiv is disabled

disruptive load balancing is enabled

External Interfaces:
====================
Interface: fc2/1, VSAN: 2, FCID: 0x880100, State: Up

Number of External Interfaces: 1

Server Interfaces:
==================
Interface: vfc20, VSAN: 2, State: Up

Number of Server Interfaces: 1

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Lab 15: Implementing QOS for the Nexus 5000
Activity Objective
In this activity, you will become familiar with Cisco Nexus 5000 QoS configuration and use
QoS to classify and prioritize traffic. You will make changes on the switch and verify how
these changes affect traffic. After completing this lab, you will be able to meet the following
objectives:
Compare the functionality and configuration of Link-Level flow Control (LLC) and
Priority Flow Control (PFC)
View the pre-defined class-maps on the Nexus 5010
Configure new traffic classifications and define policies for the traffic classes
Enable support for DCBX (DCE Bridging Capability Exchange Protocol)
Visual Objective
Eth 1/1
Nexus 5000
MARKET-DATA class = COS 6
SET QoS group 2
MARKET-DATA-GROUP class = QoS group 2
SYSTEM QOS
Policy-map MARKET-POLICY
Class MARKET-DATA-GROUP
MTU 1700
Pause no-drop
CNA
Link-level flow ctrl
Priority flow ctrl
FCoE Traffic = 60% of link bandwidth
Class Default = 40% of link bandwidth

Required Resources
One Cisco Nexus 5010 switch
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Activity Procedure
Step 1 Login to your Cisco Nexus 5010 using Putty SSH on your Lab PC. Connect to your
mgmt0 interface at 192.168.P.1.
Step 2 Configure link-level flow control (standard Ethernet pause) handling on your CNA
Server interface on the Nexus 5000.

N5010-P# configure
N5010-P(config-if)# no priority-flow-control mode on
N5010-P(config-if)# flowcontrol receive on

2011 Sep 9 19:30:16 N5010-17 %PORT-2-IF_DOWN_ERROR_DISABLED: %$VSAN 2%$
Interface vfc20 is down (Error disabled)

Why does your vfc20 interface (which is part of the FCoE configuration), go into error-
disable mode when you disable Priority Flow Control on the Ethernet interface it is bound
to?
_________________________________________________________________________

Step 3 View the flow control status on your CNA Server interface.

N5010-P(config-if)# show interface ethernet 1/1 flowcontrol

------------------------------------------------------------------------------
Port Send FlowControl Receive FlowControl RxPause TxPause
admin oper admin oper
------------------------------------------------------------------------------
Eth1/1 off off on off 0 0

Note The standard Ethernet pause implementation pauses traffic on the entire link (link-level flow
control).
Note Priority Flow Control (PFC) extends pause functionality to specific classes of traffic on a
single link, specifically Fibre Channel traffic on an FCoE link to maintain lossless behavior.
Step 4 Re-enable PFC handling on the server interface. The virtual Fibre Channel interface
will come back up when PFC is re-enabled. You can verify with the show interface
vfc 20 brief command, if you like.

N5010-P(config-if)# no flowcontrol receive on
2011 Sep 9 20:53:33 N5010-17 %PORT-2-IF_DOWN_ERROR_DISABLED: %$VSAN 2%$
Interface vfc20 is down (Error disabled)

N5010-P(config-if)# priority-flow-control mode auto

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 5 View the default class-maps on the Nexus 5000. Here you will see class-fcoe and
class-default.

N5010-P# show class-map

Type qos class-maps
===================

class-map type qos match-any class-fcoe
match cos 3

class-map type qos match-any class-default
match any

class-map type qos match-any class-all-flood
match all flood

class-map type qos match-any class-ip-multicast
match ip multicast

Type queuing class-maps
=======================

class-map type queuing class-fcoe
match qos-group 1

class-map type queuing class-default
match qos-group 0

class-map type queuing class-all-flood
match qos-group 2

class-map type queuing class-ip-multicast
match qos-group 2

Type network-qos class-maps
==============================

class-map type network-qos class-fcoe
match qos-group 1

class-map type network-qos class-default
match qos-group 0

class-map type network-qos class-all-flood
match qos-group 2

class-map type network-qos class-ip-multicast
match qos-group 2

Step 6 Notice there are three QoS types in NX-OS:
TYPE QOS: Used to classify traffic that is based on various Layer 2, Layer 3, and Layer 4
fields in the frame and to map it to system classes. NX-OS provides the following default
type qos system classes:
class-fcoe All Fibre Channel and FCoE control and data traffic is automatically
classified into the FCoE system class, which provides no-drop service. This class is
created automatically when the system starts up. You cannot delete this class, and
you can only modify the IEEE 802.1p CoS value to associate with this class (by
default CoS for FCoE = 3). This class is identified by qos-group 1.
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
class-default By default, the software classifies all unicast and multicast Ethernet
traffic into the default drop system class. This class is identified by qos-group 0.
This class is created automatically when the system starts up. You cannot delete this
class and you cannot change the match criteria associated with the default class.
NX-OS also defines classes for flood and multicast traffic.
TYPE NETWORK-QOS: Used to instantiate system classes and associate parameters
with those classes that are of system-wide scope.
TYPE QUEUING: A type queuing policy is used to define the scheduling characteristics
of the queues associated with system classes.
Step 7 Create a new type qos class-map named market-data to classify high priority real
time trading data marked with a CoS value of six.

N5010-P# configure
N5010-P(config)# class-map type qos market-data
N5010-P(config-cmap-qos)# match cos 6
Note There are 8 available classes of service, numbered 0-7. Class 0 is reserved for the default-
drop class and cannot be used. Class 3 identifies FCoE traffic, but the value can be
changed from the default.
Step 8 Create a new type qos policy-map named set-market which you will use to set the
qos-group for the market data traffic.

N5010-P(config-cmap-qos)# policy-map type qos set-market
N5010-P(config-pmap-qos)# class type qos market-data
N5010-P(config-pmap-c-qos)# set qos-group 2
Note The policy-map feature allows you to define QoS policy for traffic identified in class-maps.
Note Up to six QoS groups can exist on a Nexus 5000. Two are reserved internal groups (0 for
class-default, and 1 for class-fcoe).
Step 9 Create a new type network-qos class-map named market-data-group to classify the
qos-group 2 marking just configured for the market data traffic.

N5010-P(config-pmap-c-qos)# class-map type network-qos market-data-group
N5010-P(config-cmap-nq)# match qos-group 2

Step 10 Configure a new type network-qos policy-map named market-policy which you
will use to set the MTU (Maximum Transmission Unit) to 1700 Bytes and provide
lossless (no drop) delivery to the market data traffic.

N5010-P(config-cmap-nq)# policy-map type network-qos market-policy
N5010-P(config-pmap-nq)# class type network-qos market-data-group
N5010-P(config-pmap-nq-c)# mtu 1700
N5010-P(config-pmap-nq-c)# pause no-drop

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 11 Verify your configuration by viewing your newly created class- and policy-maps.

N5010-P(config-pmap-nq-c)# show class-map type qos market-data

Type qos class-maps
===================

class-map type qos match-all market-data
match cos 6

N5010-P(config-pmap-nq-c)# show class-map type network-qos market-data-group

Type network-qos class-maps
==============================

class-map type network-qos market-data-group
match qos-group 2

N5010-P(config-pmap-nq-c)# show policy-map type qos set-market

Type qos policy-maps
====================

policy-map type qos set-market
class type qos market-data
set qos-group 2
class type qos class-fcoe
set qos-group 1
class type qos class-default
set qos-group 0

N5010-P(config-pmap-nq-c)# show policy-map type network-qos market-policy

Type network-qos policy-maps
===============================

policy-map type network-qos market-policy
class type network-qos market-data-group
mtu 1700
pause no-drop
class type network-qos class-fcoe
pause no-drop
mtu 2158
class type network-qos class-default
mtu 1500
Note Notice that the default classes have been added to your type qos and type network-qos
policy-maps. These default maps have also been given the default bandwidth guarantee of
50%. If the percentages are not changed the new market-data classes will have no
guaranteed bandwidth and could be starved.
Step 12 Modify the current system QoS policy. You will apply the two policy maps created
in the last steps to the system QoS as service policies.

N5010-P(config-pmap-nq-c)# system qos
N5010-P(config-sys-qos)# service-policy type network-qos market-policy
N5010-P(config-sys-qos)# service-policy type qos input set-market
G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Note The system qos is a type of MQC (Modular QoS CLI) target. You use a service-policy to
associate a policy map with the system qos target. A system qos policy applies to all
interfaces on the switch unless a specific interface has an overriding service-policy
configuration. The system qos policies are used to define system classes, the classes of
traffic across the entire switch, and their attributes. To ensure QoS consistency (and for
ease of configuration), the switch distributes the system class parameter values to all its
attached network adapters using the Data Center Bridging Exchange (DCBX) protocol.
Note If service policies are configured at the interface level, the interface-level policy always takes
precedence over system class configuration or defaults.
Note On the Cisco Nexus 5000 Series switch, a system class is uniquely identified by a qos-group
value. A total of six system classes are supported. Two of the six system classes are
defaults and are always present on the switch. Up to four additional system classes can be
created by the administrator.
Step 13 Modify your type QoS class-map to match market data traffic based on a different
CoS value. Also, modify the default class-fcoe class-map to classify CoS 2 as FCoE
traffic, instead of the default of 3.

N5010-P(config-sys-qos)# class-map type qos market-data
N5010-P(config-cmap-qos)# no match cos 6

N5010-P(config-cmap-qos)# class-map type qos class-fcoe
Note You do not have to use the no version of the match command with the FCoE CoS mapping
to change the default COS matching from 3 to 2.
Step 14 Return the policy-map and class-map settings to the values in the previous step.

N5010-P(config-cmap-qos)# class-map type qos market-data
N5010-P(config-cmap-qos)# no match cos 5

N5010-P(config-cmap-qos)# class-map type qos class-fcoe

Step 15 Create a new type queuing class-map and policy-map for the market data traffic.
Allocate 20% of the available bandwidth to the market data class.
Note NX-OS does not allow you to oversubscribe the bandwidth of a link, unlike other operating
systems. You must ensure the total bandwidth allocated to different classes in the policy-
map does not exceed 100%. Since the class-fcoe and class-default are assigned 50% each
by default you must adjust the bandwidth allocated to these classes.
Note NX-OS will allow you to configure the policy-map over 100% but you will get an error when
you attempt to apply it as a service-policy.
N5010-P(config-cmap-qos)# class-map type queuing market-data-que
N5010-P(config-cmap-que)# match qos-group 2

N5010-P(config-cmap-qos)# policy-map type queuing market-que

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
N5010-P(config-pmap-c-que)# class type queuing class-default
N5010-P(config-pmap-c-que)# bandwidth percent 40
N5010-P(config-pmap-c-que)# class type queuing class-fcoe

N5010-P(config-pmap-c-que)# class type queuing market-data-que

N5010-P(config-pmap-c-que)# show policy-map type queuing market-que

Type queuing policy-maps
========================

policy-map type queuing market-que
class type queuing market-data-que
bandwidth percent 20
class type queuing class-fcoe
class type queuing class-default

Step 16 To ensure this policy is applied globally across the Nexus, it should be applied to the
system QoS policy in both the inbound and outbound directions.

N5010-P(config-pmap-c-que)# system qos
N5010-P(config-sys-qos)# service-policy type queuing input market-que
N5010-P(config-sys-qos)# service-policy type queuing output market-que

Step 17 You can also create specific queuing bandwidth policies on interfaces. Interface
service policies override system qos policies. First we will configure an outbound
bandwidth policy.

N5010-P(config-sys-qos)# policy-map type queuing pod-upstream
N5010-P(config-pmap-que)# class type queuing class-default
N5010-P(config-pmap-c-que)# class type queuing market-data-que
N5010-P(config-pmap-c-que# bandwidth percent 40

N5010-P(config-pmap-c-que)# interface ethernet 1/1
N5010-P(config-if)# service-policy type queuing output pod-upstream

Step 18 Verify your policy-map configuration.

N5010-P(config-if)# show policy-map type queuing pod-upstream

Type queuing policy-maps
========================

policy-map type queuing pod-upstream
class type queuing market-data-que
class type queuing class-fcoe
class type queuing class-default

G
l
o
b
a
l

K
n
o
w
l
e
d
g
e

C
o
p
y
r
i
g
h
t
e
d

M
a
t
e
r
i
a
l
Step 19 Verify the service-policy is applied to the interface.

N5010-P(config-if)# show running-config interface ethernet 1/1

!Command: show running-config interface Ethernet1/1
!Time: Fri Sep 9 23:44:16 2011

version 5.0(3)N1(1b)

service-policy type queuing output pod-upstream

Step 20 Create a policy-map to guarantee Fibre Channel traffic coming from your server a
full 4 Gbps of bandwidth (by allocating 40% of 10G). Apply the policy on the
interface connected to the CNA server and in the ingress direction.

N5010-P(config-if)# policy-map type queuing server-facing
N5010-P(config-pmap-que)# class type queuing class-default

N5010-P(config-pmap-c-que)# interface ethernet 1/1
N5010-P(config-if)# service-policy type queuing input server-facing

Step 21 Verify the service-policy is applied to the interface.

N5010-P(config-if)# show running-config interface ethernet 1/1

!Command: show running-config interface Ethernet1/1
!Time: Fri Sep 9 23:52:45 2011

version 5.0(3)N1(1b)

service-policy type queuing output pod-upstream
service-policy type queuing input server-facing

Step 22 Save your configuration.

N5010-P(config-if)# copy running-config startup-config
[########################################] 100%

Dcufiv4 Lab PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Dcufiv4 Lab PDF

Încărcat de

Drepturi de autor:

Formate disponibile

G

S-ar putea să vă placă și