1. Configuring the NEXUS 7000 - written by Eli Kendel

The CPU card has several connections: Console, AUX, CMP.
Console connection: for connecting remotely.
OOB connection: to the management network.
CMP connection: a connection to the machine that shows the entire boot process when the Nexus 7000 is reset. This connection is a mini PC that keeps working even while the machine performs a RESET. When the OOB is connected to this port, we have to connect to the Supervisor; connecting to the CP disconnects the Console located on the front of the SUPERVISOR.

attach cp

Configuring an address for OOB, including the default gateway (DWG). The management port sits in a separate VRF.

interface mgmt0
 ip address 192.168.254.22/24
!
vrf context management
 ip route 0.0.0.0/0 192.168.254.1
!

Configuring an address for the CMP port

interface cmp-mgmt module 5
 ip address 192.168.254.22 255.255.255.0
 ip default-gateway 192.168.254.1

Version upgrade: two files are needed to upgrade the system, one is the kickstart and the other is the system file.

install all kickstart bootflash:n7000-s1-kickstart.5.1.2.bin system bootflash:n7000-s1-dk9.5.1.2.bin
!
boot kickstart bootflash:/n7000-s1-kickstart.5.1.2.bin sup-1
boot system bootflash:/n7000-s1-dk9.5.1.2.bin sup-1

To activate the temporary license for VDC + OTV, run the command license grace-period.

Configuring VDC on the 7K

The following example shows how to configure a VDC on the 7K platform. Keep in mind that, currently, version 5.1.2 has a limit of only 4 VDCs for the whole machine.

! After creating the VDC you must allocate the interfaces that will belong to it
vdc VDC-LAYER3
 allocate interface Ethernet1/3-5
! To enter the VDC, use the following command
switchto vdc VDC-LAYER3
!

To see all the VDCs configured on the machine:

sh vdc

BB-7K-DRP# sh vdc
vdc_id  vdc_name    state   mac                lc
------  --------    -----   ----------         ------
1       BB-7K-DRP   active  00:26:98:0f:f7:41  m1 f1 m1xl
2       VDC-LAYER3  active  00:26:98:0f:f7:42  m1 f1 m1xl
3       Kendel      active  00:26:98:0f:f7:43  m1 f1 m1xl

To see the ports assigned to each VDC:

sh vdc membership

BB-7K-DRP# sh vdc
vdc_id  vdc_name    state   mac                lc
------  --------    -----   ----------         ------
1       BB-7K-DRP   active  00:26:98:0f:f7:41  m1 f1 m1xl
2       VDC-LAYER3  active  00:26:98:0f:f7:42  m1 f1 m1xl
3       Kendel      active  00:26:98:0f:f7:43  m1 f1 m1xl
!

Deleting a VDC

no vdc kendel
Deleting this vdc will remove its config. Continue deleting this vdc (y/n)? [no] y
Note: Deleting VDC, one moment please ...
BB-7K-DRP(config)# 2011 Feb 20 18:25:04 BB-7K-DRP %$ VDC-1 %$ %VDC_MGR-2-VDC_OFFLINE: vdc 3 is now offline
!

Configuring OTV

OTV is used to create a layer 2 connection between datacenters over a layer 3 core, and to prevent both sites from going down when a problem (such as a broadcast storm) exists in only one of them. OTV should be configured in the default VDC.

! Enable the use of OTV
feature otv
! Configure an interface that will connect to the layer 3 core. This interface must use
! IGMP version 3
interface Ethernet1/1
 no switchport
 ip address 192.168.1.2/24
 ip igmp version 3
 no shutdown
! Configure the virtual layer 2 link between the sites
! The control group is used for discovering other OTV sites
! The data group is used to send multicast between OTV sites
! The extended VLANs are the VLANs that are being connected between the sites
interface Overlay1
 otv join-interface Ethernet1/1
 otv control-group 239.0.0.1
 otv data-group 232.0.0.0/8
 otv extend-vlan 2100, 2120-2130
 no shutdown
!

In upcoming NEXUS releases Cisco will ship a command that implements Active/Active for the VRRP and HSRP protocols. Until that command is released, we have to configure the 7K so that, in the end, each site is active on its own side.

FHRP Isolation (VRRP active on both sides)

A later NX-OS release is expected to give OTV a single command that enables the FHRP filtering functionality. However, this is not available in the current OTV software release. An alternative configuration (leveraging MAC access-control lists) can be implemented in the interim to achieve the same result.
!
For both sides of the OTV link to answer ARP requests for the same IP address, it is important to enter the following configuration on both OTV devices. This configuration stops the VRRP advertisements from traversing the overlay interface and stops each device from learning the VRRP MAC from the opposite OTV device.

ip access-list ALL_IPs
 10 permit ip any any
!
ip access-list VRRP_IP
 10 permit ip any 224.0.0.18/32
!
vlan access-map VRRP_Localization 10
 match ip address VRRP_IP
 action drop
vlan access-map VRRP_Localization 20
 match ip address ALL_IPs
 action forward
!
vlan filter VRRP_Localization vlan-list 2120-2130
!
mac-list VRRP-vmac-deny seq 5 deny 0000.5e00.0100 ffff.ffff.ff00
mac-list VRRP-vmac-deny seq 10 permit 0000.0000.0000 0000.0000.0000
!
route-map stop-VRRP permit 10
 match mac-list VRRP-vmac-deny
!
otv-isis default
 vpn Overlay1
  redistribute filter route-map stop-VRRP

Configuring an L3 interface + VRRP

! SVIs and VRRP have to be enabled as features before the commands below are accepted
feature pim
feature vrrp
feature interface-vlan
!
interface Vlan120
 ip address 192.168.120.251/24
 ip ospf passive-interface
 ip router ospf 1 area 0.0.0.0
 ip pim sparse-mode
 no shutdown
 description Vlan 120
 vrrp 120
  priority 50
  address 192.168.120.254
  no shutdown

Configuring Multicast

feature pim
ip pim bsr-candidate Vlan130
ip pim rp-candidate Vlan130 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

Configuring OSPF

feature ospf
!
router ospf 1
 log-adjacency-changes
!
interface Vlan130
 ip ospf passive-interface
 ip router ospf 1 area 0.0.0.0
!
interface Vlan119
 ip router ospf 1 area 0.0.0.0

Configuring DHCP

Configuration Examples for DHCP Snooping

This example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp
ip dhcp snooping
ip dhcp snooping info option
interface Ethernet 2/5
 ip dhcp snooping trust
ip dhcp snooping vlan 1
ip dhcp snooping vlan 50

This example shows how to enable the DHCP relay agent and configure the DHCP server IP address for Ethernet interface 2/3, where the DHCP server IP address is 10.132.7.120 and the DHCP server is in the VRF named red:

feature dhcp
ip dhcp snooping
ip dhcp relay
ip dhcp relay information option
! The vpn option adds VRF support
ip dhcp relay information option vpn
interface Ethernet 2/3
 ip dhcp relay address 10.132.7.120 use-vrf red

Nexus 5000 Configuration

To connect a Nexus 2000, special SFPs called FET10G must be used.
The following configuration must be entered after connecting the optic cables, so that the NX5K recognizes the NX2K units and automatically upgrades them to the required software.

! These commands enable the feature that uses the NX2K as a slot extension
feature fex
! This defines the 2K slot number
fex 101
 pinning max-links 1
 description "FEX0101"
! The port-channel is associated with an interface that is connected to the NX2K
! The port mode must be fex-fabric, which indicates that the port will be connected to a
! NX2K
! The fex associate command defines slot number 101 to be associated with this port
! channel
! When the NX2K is dual homed to two NX5K we must associate a VPC number
! with the port channel, and it must be the same on both NX5K
interface Ethernet1/1
 fex associate 101
 switchport mode fex-fabric
 channel-group 101
!
interface port-channel101
 switchport mode fex-fabric
 vpc 101
 fex associate 101

To make two NX5K behave as one virtual switch toward the devices connected to them, the following configuration must be implemented.

! The role priority decides which of the switches will be master. The role is not
! preemptive
! The keepalive is needed for bringing up the vpc peer-link (it should be done through
! the management port) and for checking the status of both Nexuses in case the
! vpc peer link goes down

Configuring the vPC domain

! vPC has to be enabled as a feature first
feature vpc
vpc domain 1
 role priority 1000
 peer-keepalive destination 192.168.254.25 source 192.168.254.24
! The only configuration done on the port is turning the mode to be trunk and
! configuring it as a peer-link
interface port-channel1
 switchport mode trunk
 vpc peer-link
 spanning-tree port type network
 speed 10000

The following configuration shows how to configure the OOB management port. As on the 7K, the management port sits in the management VRF, so the default route is entered under that VRF.

interface mgmt0
 description OOB Connection
 ip address 192.168.254.24/24
!
vrf context management
 ip route 0.0.0.0/0 192.168.254.1
!

When we want two 5K machines to be connected to one 2K, a vPC must be configured between the two machines so that they form a single virtual machine. If no vPC is defined for that FEX, the uplink comes up only on the first machine; on the second 5K the uplink does not come up and stays Offline. This protection is enforced by the 2K.

FEX commands

show environment fex 101 all
sh fex
sh fex 101
sh fex 101 detail
sh fex 101 transceiver
!
show interface fex-fabric
     Fabric     Fabric      Fex     FEX
Fex  Port       Port State  Uplink  Model            Serial
---------------------------------------------------------------
101  Eth1/1     Active      1       N2K-C2248TP-1GE  JAF1442BGNE
102  Eth1/2     Active      1       N2K-C2248TP-1GE  JAF1441DGRT
103  Eth1/3     Active      1       N2K-C2248TP-1GE  JAF1441BTMJ
104  Eth1/4     Active      1       N2K-C2248TP-1GE  JAF1453CBHQ
105  Eth1/5     Active      1       N2K-C2248TP-1GE  JAF1453CBFG
106  Eth1/6     Active      1       N2K-C2248TP-1GE  JAF1441CJGK
107  Eth1/7     Active      1       N2K-C2248TP-1GE  JAF1441CJQB
108  Eth1/8     Active      1       N2K-C2248TP-1GE  JAF1441ANHT
109  Eth1/9     Active      1       N2K-C2248TP-1GE  JAF1442BFNT
110  Eth1/10    Active      1       N2K-C2248TP-1GE  JAF1442BGPC
!
sh fex
  FEX     FEX          FEX      FEX
Number    Description  State    Model            Serial
------------------------------------------------------------------------
---       --------     Offline  N2K-C2248TP-1GE  JAF1441CJGK
---       --------     Offline  N2K-C2248TP-1GE  JAF1441BTMJ
---       --------     Offline  N2K-C2248TP-1GE  JAF1441ANHT
---       --------     Offline  N2K-C2248TP-1GE  JAF1453CBHQ
---       --------     Offline  N2K-C2248TP-1GE  JAF1441DGRT
---       --------     Offline  N2K-C2248TP-1GE  JAF1442BFNT
---       --------     Offline  N2K-C2248TP-1GE  JAF1453CBFG
---       --------     Offline  N2K-C2248TP-1GE  JAF1442BGPC
---       --------     Offline  N2K-C2248TP-1GE  JAF1441CJQB
---       --------     Offline  N2K-C2248TP-1GE  JAF1442BGNE
!

To configure the vPC peer link, several things must be configured. The steps are:
1. Configure the vPC domain.
2. Configure a port-channel with vpc peer-link.
3. Associate the port-channel with the port that links the 5K switches.
4. Verify that the vPC is indeed up: sh vpc

To configure a 2K switch on two 5K machines, several things must be configured. The steps are:

Define the FEX

fex 101
 pinning max-links 1
 description "FEX-101"
 type N2248T

Configure the port-channel

interface port-channel101
 switchport mode fex-fabric
 vpc 101
 fex associate 101

Associate the port-channel with the physical port the switch is connected to

interface Ethernet1/1
 fex associate 101
 switchport mode fex-fabric
 channel-group 101
!

show fex command

  FEX     FEX          FEX      FEX
Number    Description  State    Model            Serial
------------------------------------------------------------------------
101       FEX-101      Online   N2K-C2248TP-1GE  JAF1442BGNE
102       FEX-102      Online   N2K-C2248TP-1GE  JAF1441DGRT
103       FEX-103      Online   N2K-C2248TP-1GE  JAF1441BTMJ
104       FEX-104      Online   N2K-C2248TP-1GE  JAF1453CBHQ
105       FEX-105      Online   N2K-C2248TP-1GE  JAF1453CBFG
106       FEX-106      Online   N2K-C2248TP-1GE  JAF1441CJGK
107       FEX-107      Online   N2K-C2248TP-1GE  JAF1441CJQB
108       FEX-108      Online   N2K-C2248TP-1GE  JAF1441ANHT
109       FEX-109      Online   N2K-C2248TP-1GE  JAF1442BFNT
110       FEX-110      Online   N2K-C2248TP-1GE  JAF1442BGPC
!

Configuring Session Manager

Information About Session Manager

Session Manager allows you to implement your configuration changes in batch mode. Session Manager works in the following phases:
Configuration session—Creates a list of commands that you want to implement in session manager mode.
Validation—Provides a basic semantic check on your configuration. Cisco NX-OS returns an error if the semantic check fails on any part of the configuration.
Verification—Verifies the configuration as a whole, based on the existing hardware and software configuration and resources. Cisco NX-OS returns an error if the configuration does not pass this verification phase.
Commit—Cisco NX-OS verifies the complete configuration and implements the changes atomically to the device. If a failure occurs, Cisco NX-OS reverts to the original configuration.
Abort—Discards the configuration changes before implementation.

Configuration Guidelines and Limitations

Session Manager has the following configuration guidelines and limitations:
Session Manager supports only the ACL feature.
You can create up to 32 configuration sessions.
You can configure a maximum of 20,000 commands across all sessions.

Configure session manager

configure session name test2
ip access-list acl2
permit tcp any any
exit
interface Ethernet 1/4
ip port access-group acl2 in
exit
verify
exit
show configuration session test2
!

Configuring config sync

When we have a setup of two Nexus 5000 machines working in a vPC topology, the settings must be configured on both machines. Because there is a high probability of mistakes and missed commands, Cisco developed a feature in which the configuration is defined on one machine, and that machine updates its peer in the group with exactly the same parameters, using the config sync command.

The commands for configuring config sync are:

config sync
switch-profile sync
 sync-peers destination 192.168.254.25

The same settings must be configured on the second switch, which receives the configuration from the primary switch.

Display commands:

show switch-profile peer
show switch-profile sync status
show switch-profile sync buffer
verify
commit
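
The dual-homed FEX rules stated on this page (the same vPC number on both NX5K, a vPC defined for every FEX, a keepalive between the two management addresses) are what a missed command breaks when the peers are configured by hand. The following Python check is an added example, not part of the original document; the two sample configs are constructed from the page's commands and the function names are hypothetical.

```python
import re

# Constructed sample configs for two vPC peers; addresses reuse the page's values.
PEER_A = """\
vpc domain 1
 role priority 1000
 peer-keepalive destination 192.168.254.25 source 192.168.254.24
interface port-channel101
 vpc 101
 fex associate 101
interface port-channel102
 vpc 102
 fex associate 102
"""
PEER_B = """\
vpc domain 1
 role priority 2000
 peer-keepalive destination 192.168.254.24 source 192.168.254.25
interface port-channel101
 vpc 101
 fex associate 101
interface port-channel102
 fex associate 102
"""

def parse(cfg):
    """Return (domain id, (keepalive dst, src), {fex number: vpc number or None})."""
    domain = re.search(r"^vpc domain (\d+)", cfg, re.M)
    ka = re.search(r"peer-keepalive destination (\S+) source (\S+)", cfg)
    fex = {}
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):  # one block per interface
        assoc = re.search(r"^[ \t]+fex associate (\d+)", block, re.M)
        if block.startswith("interface port-channel") and assoc:
            vpc = re.search(r"^[ \t]+vpc (\d+)", block, re.M)
            fex[int(assoc.group(1))] = int(vpc.group(1)) if vpc else None
    return (domain.group(1) if domain else None, ka.groups() if ka else None, fex)

def compare(cfg_a, cfg_b):
    """List the peer mismatches that break dual-homed FEX operation."""
    (dom_a, ka_a, fex_a), (dom_b, ka_b, fex_b) = parse(cfg_a), parse(cfg_b)
    issues = []
    if dom_a != dom_b:
        issues.append(f"vpc domain differs: {dom_a} vs {dom_b}")
    if not ka_a or not ka_b or ka_a != ka_b[::-1]:
        issues.append("peer-keepalive source/destination are not mirrored")
    for n in sorted(set(fex_a) | set(fex_b)):
        a, b = fex_a.get(n), fex_b.get(n)
        if a is None or b is None or a != b:
            issues.append(f"fex {n}: vpc number {a} on peer A, {b} on peer B")
    return issues
```

The role priority is deliberately not compared, since it is expected to differ between the two peers.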
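
For the FHRP isolation section earlier on this page: the overlay extends VLANs 2100 and 2120-2130, while the VLAN filter is applied to 2120-2130 only. The following Python check, added here and not part of the original document, lists extended VLANs that no dropping VLAN access-map is applied to; the config excerpt is constructed from the page's commands and the function names are hypothetical.

```python
import re

# Constructed excerpt assembled from the OTV and FHRP isolation commands on this page.
CONFIG = """\
interface Overlay1
 otv join-interface Ethernet1/1
 otv extend-vlan 2100, 2120-2130
vlan access-map VRRP_Localization 10
 match ip address VRRP_IP
 action drop
vlan access-map VRRP_Localization 20
 match ip address ALL_IPs
 action forward
vlan filter VRRP_Localization vlan-list 2120-2130
"""

def expand(vlan_list):
    """Expand an NX-OS VLAN list such as '2100, 2120-2130' into a set of ints."""
    vlans = set()
    for part in vlan_list.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def drop_maps(cfg):
    """Names of VLAN access-maps that contain at least one 'action drop' entry."""
    names, current = set(), None
    for line in cfg.splitlines():
        m = re.match(r"vlan access-map (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the access-map entry
        elif current and line.strip() == "action drop":
            names.add(current)
    return names

def unfiltered_extended_vlans(cfg):
    """OTV-extended VLANs that no dropping VLAN filter is applied to."""
    extended, filtered = set(), set()
    for m in re.finditer(r"^[ \t]*otv extend-vlan (.+)$", cfg, re.M):
        extended |= expand(m.group(1))
    maps = drop_maps(cfg)
    for m in re.finditer(r"^vlan filter (\S+) vlan-list (.+)$", cfg, re.M):
        if m.group(1) in maps:
            filtered |= expand(m.group(2))
    return sorted(extended - filtered)
```

Whether VLAN 2100 needs the filter depends on whether a VRRP gateway lives in it, which the page does not say.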