manualshive.com logo in svg

Cisco N5010P-N2K-BE, Software Configuration Manual

The Cisco N5010P-N2K-BE is a cutting-edge networking device that empowers enterprises with seamless connectivity. Ensure an optimal user experience by configuring the device effortlessly with our comprehensive Software Configuration Manual. Access the free manual for download at manualshive.com, enabling you to maximize the potential of this exceptional product.

Share
Download
background image

S e n d   f e e d b a c k   t o   n x 5 0 0 0 - d o c f e e d b a c k @ c i s c o . c o m

22-8

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide

OL-16597-01

Chapter 22      Configuring User Accounts and RBAC

Configuring RBAC

You can specify a list of interfaces that the role can access. You can specify it for as many interfaces as 
needed:

switch(config-role-interface)# 

permit interface ethernet 2/1 

switch(config-role-interface)# 

permit interface fc 3/1 

switch(config-role-interface)#

 permit interface vfc 30/1 

Changing User Role VLAN Policies

You can change a user role VLAN policy to limit the VLANs that the user can access. To change a user 
role VLAN policy, perform this task:

Changing User Role VSAN Policies

You can change a user role VSAN policy to limit the VSANs that the user can access. 

To change a user role VSAN policy to limit the VSANs that the user can access, perform this task: 

Command

Purpose

Step 1

switch# 

configure terminal

Enters configuration mode.

Step 2

switch(config)# 

role name 

role-name

Specifies a user role and enters role configuration 
mode.

Step 3

switch(config-role)# 

rule

 

number

 

permit

 

command

 

configure terminal ; vlan *

Configures a command rule to allow access to all 
VLANs.

Step 4

switch(config-role)# 

vlan policy deny

Enters role VLAN policy configuration mode.

Step 5

switch(config-role-vlan)# 

permit vlan

 

vlan-list

Specifies a range of VLANs that the role can access.

Repeat this command for as many VLANs as needed.

Step 6

switch(config-role-vlan)# 

exit

Exits role VLAN policy configuration mode.

Step 7

switch(config-role)# 

show role

(Optional) Displays the role configuration.

Step 8

switch(config-role)# 

copy running-config 

startup-config

(Optional) Copies the running configuration to the 
startup configuration. 

Command

Purpose

Step 1

switch# 

configure terminal

Enters configuration mode.

Step 2

switch(config-role)# 

role name 

role-name

Specifies a user role and enters role configuration 
mode.

Step 3

switch(config-role)# 

rule

 

number

 

permit

 

command

 

vsan database; vsan *

Configures a command rule to allow access to all 
VSANs.

Step 4

switch(config-role)# 

vsan policy deny

Enters role VSAN policy configuration mode.

Step 5

switch(config-role-vsan)# 

permit vsan

 

vsan-list

Specifies a range of VSANs that the role can access.

Repeat this command for as many VSANs as needed.

Step 6

switch(config-role-vsan)# 

exit

Exits role VSAN policy configuration mode.

Summary of Contents for N5010P-N2K-BE

Page 1: ...Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Nexus 5000 Series NX OS Software Configuration Guide Release 4 0 1a N2 1 June 2009 Text Part Number OL 16597 01 ...

Page 2: ...OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco HealthPresence the Cisco logo Cisco Lumin Cisco Nexus Cisco StadiumVision Cisco TelePresence Cisco WebEx DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn and Cisco Store are service marks and Access Registrar Aironet AsyncOS Bringing the Meeting To You Ca...

Page 3: ... Ethernet 1 1 I O Consolidation 1 2 Virtual Interfaces 1 3 Cisco Nexus 5000 Series Switch Hardware 1 3 Chassis 1 3 Expansion Modules 1 3 Fabric Extender 1 4 Ethernet Interfaces 1 4 Fibre Channel Interfaces 1 4 Management Interfaces 1 4 Cisco Nexus 5000 Series Switch Software 1 4 Ethernet Switching 1 5 FCoE and Fibre Channel Switching 1 5 Licensing 1 5 QoS 1 5 Serviceability 1 6 Switch Management 1...

Page 4: ...lues or Conditions 2 7 Using Keyboard Shortcuts 2 8 Using CLI Variables 2 9 User Defined Persistent CLI Variables 2 9 Using Command Aliases 2 10 Defining Command Aliases 2 11 Command Scripts 2 11 Executing Commands Specified in a Script 2 11 Using CLI Variables in Scripts 2 12 Setting the Delay Time 2 13 C H A P T E R 3 Configuring the Switch 3 1 Image Files on the Switch 3 1 Starting the Switch 3...

Page 5: ... Shutting Down the Management Interface 3 21 Managing the Switch Configuration 3 21 Displaying the Switch Configuration 3 21 Saving a Configuration 3 21 Clearing a Configuration 3 22 Using Switch File Systems 3 22 Setting the Current Directory 3 22 Displaying the Current Directory 3 23 Listing the Files in a Directory 3 23 Creating a Directory 3 23 Deleting an Existing Directory 3 23 Moving Files ...

Page 6: ...Speed 5 4 About the Cisco Discovery Protocol 5 4 About the Debounce Timer Parameters 5 4 About MTU Configuration 5 5 Configuring Ethernet Interfaces 5 5 Configuring the UDLD Mode 5 5 Configuring Interface Speed 5 6 Configuring the Cisco Discovery Protocol 5 7 Configuring the Debounce Timer 5 8 Configuring the Description Parameter 5 9 Disabling and Restarting Ethernet Interfaces 5 9 Displaying Int...

Page 7: ...te VLAN Configuration 7 10 C H A P T E R 8 Configuring Rapid PVST 8 1 Information About Rapid PVST 8 1 Understanding STP 8 2 Understanding Rapid PVST 8 6 Rapid PVST and IEEE 802 1Q Trunks 8 16 Rapid PVST Interoperation with Legacy 802 1D STP 8 16 Rapid PVST Interoperation with 802 1s MST 8 17 Configuring Rapid PVST 8 17 Enabling Rapid PVST 8 17 Enabling Rapid PVST per VLAN 8 18 Configuring the Roo...

Page 8: ...n Number 9 13 Specifying the Configuration on an MST Region 9 13 Mapping and Unmapping VLANs to MST Instances 9 15 Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs 9 16 Configuring the Root Bridge 9 16 Configuring a Secondary Root Bridge 9 17 Configuring the Port Priority 9 18 Configuring the Port Cost 9 19 Configuring the Switch Priority 9 20 Configuring the Hello Time 9 21...

Page 9: ...nabling Loop Guard or Root Guard on Specified Interfaces 10 12 Verifying STP Extension Configuration 10 13 C H A P T E R 11 Configuring EtherChannels 11 1 Information About EtherChannels 11 1 Understanding EtherChannels 11 2 Compatibility Requirements 11 2 Load Balancing Using EtherChannels 11 3 Understanding LACP 11 4 Configuring EtherChannels 11 7 Creating an EtherChannel 11 7 Adding a Port to a...

Page 10: ...g MAC Addresses 13 1 Configuring a Static MAC Address 13 2 Configuring the Aging Time for the MAC Table 13 2 Clearing Dynamic Addresses from the MAC Table 13 3 Verifying the MAC Address Configuration 13 3 C H A P T E R 14 Configuring IGMP Snooping 14 1 Information About IGMP Snooping 14 1 IGMPv1 and IGMPv2 14 2 IGMPv3 14 3 IGMP Snooping Querier 14 3 IGMP Forwarding 14 3 Configuring IGMP Snooping P...

Page 11: ...nfiguring AAA Accounting Default Methods 16 10 Using AAA Server VSAs with Nexus 5000 Series Switches 16 11 Displaying and Clearing the Local AAA Accounting Log 16 12 Verifying AAA Configuration 16 12 Example AAA Configuration 16 12 Default Settings 16 13 C H A P T E R 17 Configuring RADIUS 17 1 Information About RADIUS 17 1 RADIUS Network Environments 17 1 RADIUS Operation 17 2 RADIUS Server Monit...

Page 12: ...ACS Server Encryption Type and Preshared Key 18 3 TACACS Server Monitoring 18 3 Prerequisites for TACACS 18 4 Guidelines and Limitations 18 4 Configuring TACACS 18 4 TACACS Server Configuration Process 18 4 Enabling TACACS 18 5 Configuring TACACS Server Hosts 18 5 Configuring Global Preshared Keys 18 6 Configuring TACACS Server Preshared Keys 18 7 Configuring TACACS Server Groups 18 7 Specifying a...

Page 13: ...Disabling the SSH Server 19 6 Deleting SSH Server Keys 19 6 Clearing SSH Sessions 19 7 Configuring Telnet 19 7 Enabling the Telnet Server 19 7 Starting Telnet Sessions to Remote Devices 19 8 Clearing Telnet Sessions 19 8 Verifying the SSH and Telnet Configuration 19 9 SSH Example Configuration 19 9 Default Settings 19 10 C H A P T E R 20 Configuring ACLs 20 1 Information About ACLs 20 1 IP ACL Typ...

Page 14: ...s 20 15 Creating or Changing a VACL 20 15 Removing a VACL 20 16 Applying a VACL to a VLAN 20 16 Verifying VACL Configuration 20 17 Displaying and Clearing VACL Statistics 20 17 Default Settings 20 18 System Management C H A P T E R 21 Using Cisco Fabric Services 21 1 Information About CFS 21 1 CFS Distribution 21 2 CFS Distribution Modes 21 2 Enabling Disabling CFS Distribution on a Switch 21 3 Ve...

Page 15: ...ounts and RBAC 22 1 Information About User Accounts and RBAC 22 1 About User Accounts 22 1 Characteristics of Strong Passwords 22 2 About User Roles 22 2 About Rules 22 3 About User Role Policies 22 3 Guidelines and Limitations 22 4 Configuring User Accounts 22 4 Configuring RBAC 22 5 Creating User Roles and Rules 22 5 Creating Feature Groups 22 7 Changing User Role Interface Policies 22 7 Changin...

Page 16: ...nfiguration 24 4 Default Settings 24 4 C H A P T E R 25 Configuring System Message Logging 25 1 Information About System Message Logging 25 1 syslog Servers 25 2 Configuring System Message Logging 25 2 Configuring System Message Logging to Terminal Sessions 25 2 Configuring System Message Logging to a File 25 3 Configuring Module and Facility Messages Logged 25 4 Configuring syslog Servers 25 5 Co...

Page 17: ...nications 26 13 Verifying Call Home Configuration 26 13 Call Home Example Configuration 26 14 Default Settings 26 14 Additional References 26 15 Message Formats 26 15 Sample syslog Alert Notification in Full Text Format 26 18 Sample syslog Alert Notification in XML Format 26 19 C H A P T E R 27 Configuring SNMP 27 1 Information About SNMP 27 1 SNMP Functional Overview 27 1 SNMP Notifications 27 2 ...

Page 18: ... 3 Configuring RMON Events 28 4 Verifying RMON Configuration 28 4 RMON Example Configuration 28 4 Default Settings 28 5 Fibre Channel over Ethernet C H A P T E R 29 Configuring FCoE 29 1 Information About FCoE 29 1 Licensing Requirements 29 1 Converged Network Adapters 29 2 DCBX Capabilities 29 2 DCE Bridging Capability Exchange Protocol 29 3 DCBX Feature Negotiation 29 3 Ethernet Frame Formats 29...

Page 19: ...ation About QoS 31 1 MQC 31 2 System Classes 31 2 Default System Classes 31 3 Link Level Flow Control 31 3 Priority Flow Control 31 3 MTU 31 4 Trust Boundaries 31 4 Ingress Policies 31 5 Egress Policies 31 5 QoS for Multicast Traffic 31 5 Policy for Fibre Channel Interfaces 31 6 QoS for Traffic Directed to the CPU 31 6 Configuration Guidelines and Limitations 31 6 Configuring PFC and LLC 31 7 Conf...

Page 20: ...erface Modes 32 9 Configuring the Interface Description 32 10 Configuring Port Speeds 32 10 Configuring SD Port Frame Encapsulation 32 11 Configuring Receive Data Field Size 32 11 Understanding Bit Error Thresholds 32 11 Configuring Buffer to Buffer Credits 32 12 Configuring Global Attributes for Fibre Channel Interfaces 32 13 Configuring Switch Port Attribute Default Values 32 13 About N Port Ide...

Page 21: ...f Allowed Domain ID Lists 33 10 Enabling Distribution 33 10 Locking the Fabric 33 11 Committing Changes 33 11 Discarding Changes 33 11 Clearing a Fabric Lock 33 12 Displaying CFS Distribution Status 33 12 Displaying Pending Changes 33 12 Displaying Session Status 33 13 About Contiguous Domain ID Assignments 33 13 Enabling Contiguous Domain ID Assignments 33 13 FC IDs 33 13 About Persistent FC IDs ...

Page 22: ...ng 35 1 Information About VSAN Trunking 35 1 VSAN Trunking Mismatches 35 2 VSAN Trunking Protocol 35 2 Configuring VSAN Trunking 35 3 Guidelines and Restrictions 35 3 Enabling or Disabling the VSAN Trunking Protocol 35 3 About Trunk Mode 35 3 Configuring Trunk Mode 35 4 About Trunk Allowed VSAN Lists 35 4 Configuring an Allowed Active List of VSANs 35 6 Displaying VSAN Trunking Information 35 6 De...

Page 23: ...gured Channel Groups 36 14 Converting to Manually Configured Channel Groups 36 14 Verifying SAN Port Channel Configuration 36 15 Default Settings 36 16 C H A P T E R 37 Configuring and Managing VSANs 37 1 Information About VSANs 37 1 VSAN Topologies 37 1 VSAN Advantages 37 3 VSANs Versus Zones 37 4 Configuring VSANs 37 5 About VSAN Creation 37 6 Creating VSANs Statically 37 6 About Port VSAN Membe...

Page 24: ...bling Full Zone Set Distribution 38 14 Enabling a One Time Distribution 38 14 About Recovering from Link Isolation 38 14 Importing and Exporting Zone Sets 38 15 Zone Set Duplication 38 16 Copying Zone Sets 38 16 Renaming Zones Zone Sets and Aliases 38 16 Cloning Zones Zone Sets FC Aliases and Zone Attribute Groups 38 17 Clearing the Zone Server Database 38 17 Verifying Zone Information 38 18 Enhan...

Page 25: ...ution 39 5 Locking the Fabric 39 5 Committing Changes 39 6 Discarding Changes 39 6 Fabric Lock Override 39 7 Disabling and Enabling Device Alias Distribution 39 7 About Legacy Zone Alias Configuration 39 8 Importing a Zone Alias 39 8 Database Merge Guidelines 39 8 Verifying Device Alias Configuration 39 9 Default Settings 39 10 C H A P T E R 40 Configuring Fibre Channel Routing Services and Protoc...

Page 26: ... SAN Port Channel Frames 40 11 About Enabling In Order Delivery 40 12 Enabling In Order Delivery Globally 40 12 Enabling In Order Delivery for a VSAN 40 13 Displaying the In Order Delivery Status 40 13 Configuring the Drop Latency Time 40 13 Displaying Latency Information 40 14 Flow Statistics Configuration 40 14 About Flow Statistics 40 15 Counting Aggregated Flow Statistics 40 15 Counting Indivi...

Page 27: ...Starting SCSI LUN Discovery 42 1 Starting SCSI LUN Discovery 42 2 About Initiating Customized Discovery 42 2 Initiating Customized Discovery 42 2 Displaying SCSI LUN Information 42 3 C H A P T E R 43 Advanced Fibre Channel Features and Concepts 43 1 Fibre Channel Timeout Values 43 1 Timer Configuration Across All VSANs 43 2 Timer Configuration Per VSAN 43 2 About fctimer Distribution 43 3 Enabling...

Page 28: ...up Settings 44 6 Configuring the DHCHAP Group Settings 44 6 About the DHCHAP Password 44 6 Configuring DHCHAP Passwords for the Local Switch 44 7 About Password Configuration for Remote Devices 44 7 Configuring DHCHAP Passwords for Remote Devices 44 8 About the DHCHAP Timeout Value 44 8 Configuring the DHCHAP Timeout Value 44 8 Configuring DHCHAP AAA Authentication 44 9 Displaying Protocol Securit...

Page 29: ...ity Configuration Distribution 45 12 Enabling Distribution 45 12 Locking the Fabric 45 13 Committing the Changes 45 13 Discarding the Changes 45 13 Activation and Auto Learning Configuration Distribution 45 13 Database Merge Guidelines 45 14 Database Interaction 45 15 Database Scenarios 45 15 Copying the Port Security Database 45 17 Deleting the Port Security Database 45 18 Clearing the Port Secur...

Page 30: ...racteristics 47 2 FCS Name Specification 47 2 Displaying FCS Information 47 3 Default Settings 47 4 C H A P T E R 48 Configuring Port Tracking 48 1 Information About Port Tracking 48 1 Configuring Port Tracking 48 2 Enabling Port Tracking 48 3 About Configuring Linked Ports 48 3 Operationally Binding a Tracked Port 48 3 About Tracking Multiple Ports 48 4 Tracking Multiple Ports 48 5 About Monitori...

Page 31: ... Description of a SPAN Session 49 6 Suspending or Activating a SPAN Session 49 7 Displaying SPAN Information 49 7 C H A P T E R 50 Troubleshooting 50 1 Recovering a Lost Password 50 1 Using the CLI with Network Admin Privileges 50 1 Power Cycling the Switch 50 2 Using Ethanalyzer 50 3 Troubleshooting Fibre Channel 50 5 fctrace 50 5 fcping 50 7 show tech support Command 50 8 show tech support brief...

Page 32: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m Contents xxx Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 ...

Page 33: ...n Chapter 1 Product Overview Presents an overview of the Cisco Nexus 5000 Series switches Part 1 Configuration Fundamentals Contains chapters on using the CLI and initial switch configuration Part 2 LAN Switching Contains chapters on how to configure Ethernet interfaces VLANs STP Port Channels trunks the MAC address table and IGMP snooping Part 3 Switch Security Features Contains chapters on how t...

Page 34: ...PV SAN Port Channels zones DDAS FSPF and security features Part 8 Troubleshooting Contains chapters on how to perform basic troubleshooting Chapter Title Description boldface font Commands and keywords are in boldface italic font Arguments for which you supply values are in italics Elements in square brackets are optional x y z Optional alternative keywords are grouped in brackets and separated by...

Page 35: ...m Messages Reference Cisco Nexus 5000 Series Release Notes Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide Cisco NX OS Release 4 0 Cisco Nexus 2000 Series Fabric Extender Hardware Installation Guide Cisco Nexus 5000 Series Fabric Manager Software Configuration Guide Cisco NX OS Release 4 0 Obtaining Documentation and Submitting a Service Request For information on obtaining do...

Page 36: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m iv Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Preface ...

Page 37: ...eries Switch Hardware page 1 3 Cisco Nexus 5000 Series Switch Software page 1 4 Typical Deployment Topologies page 1 8 Supported Standards page 1 12 New Technologies in the Cisco Nexus 5000 Series Cisco Nexus 5000 Series switches introduce several new technologies which are described in the following sections Fibre Channel over Ethernet page 1 1 I O Consolidation page 1 2 Virtual Interfaces page 1...

Page 38: ...the Fibre Channel operational model is maintained FCoE network management and configuration is similar to a native Fibre Channel network Cisco Nexus 5000 Series switches use FCoE to carry Fibre Channel and Ethernet traffic on the same physical Ethernet connection between the switch and the server At the server the connection terminates to a converged network adapter CNA The adapter presents two in...

Page 39: ... the Cisco Nexus 5010 and Cisco Nexus 5020 switches The Cisco Nexus 5000 Series switch hardware is described in the following topics Chassis page 1 3 Expansion Modules page 1 3 Fabric Extender page 1 4 Ethernet Interfaces page 1 4 Fibre Channel Interfaces page 1 4 Management Interfaces page 1 4 Chassis The Cisco Nexus 5010 switch is a 1 RU chassis and the Cisco Nexus 5020 switch is a 2 RU chassis ...

Page 40: ... Cisco Nexus 5020 switch has 40 fixed 10 Gigabit Ethernet ports equipped with SFP interface adapters The first 16 ports are switchable 1 Gigabit and 10 Gigabit ports Up to 12 additional 10 Gigabit Ethernet ports are available on the expansion modules All of the 10 Gigabit Ethernet ports support FCoE Each port can be used as a downlink connected to a server or as an uplink to the data center LAN Fi...

Page 41: ...oE and Fibre Channel Switching Cisco Nexus 5000 Series switches support data center I O consolidation by providing FCoE interfaces to the servers and native Fibre Channel interfaces to the SAN FCoE and Fibre Channel switching includes the following features Cisco fabric services N port virtualization VSANs and VSAN trunking Zoning Distributed device alias service SAN port channels Licensing Cisco ...

Page 42: ...ng Ethanalyzer section on page 50 3 Call Home The Call Home feature continuously monitors hardware and software components to provide e mail based notification of critical system events A versatile range of message formats is available for optimal compatibility with pager services standard e mail and XML based automated parsing applications The feature offers alert grouping capabilities and custom...

Page 43: ...with Cisco MDS Fabric Manager page 1 7 Configuring with CLI XML Management Interface or SNMP You can configure Cisco Nexus 5000 Series switches using the command line interface CLI the XML management interface over SSH or SNMP as follows CLI You can configure switches using the CLI from an SSH session a Telnet session or the console port SSH provides a secure connection to the device XML Managemen...

Page 44: ...thernet TOR Switch Topology page 1 8 Fabric Extender Deployment Topology page 1 9 I O Consolidation Topology page 1 11 Ethernet TOR Switch Topology The Cisco Nexus 5000 Series switch can be deployed as a 10 Gigabit Ethernet top of rack TOR switch with uplinks to the data center LAN distribution layer switches An example configuration in shown in Figure 1 2 In this example the blade server rack inc...

Page 45: ...E is not required so the server ports are connected using 10 Gigabit Ethernet NICs The servers are connected to the data center SAN through MDS 9134 SAN switches The server Fibre Channel ports require standard Fibre Channel HBAs Fabric Extender Deployment Topology Figure 1 3 shows a simplfied configuration using the Cisco Nexus 2000 Series Fabric Extender in combination with the Cisco Nexus 5000 S...

Page 46: ...Gigabit fabric interfaces Each Fabric Extender acts as a Remote I O Module on the parent Cisco Nexus 5000 Series switch All device configurations are managed on the Cisco Nexus 5000 Series switch and configuration information is downloaded using inband communication to the Fabric Extender See the Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide for an overview of the Fabric Ext...

Page 47: ...figured in active passive mode and the server needs to support server based failover On the Cisco Nexus 5000 Series switch the Ethernet network facing ports are connected to two Catalyst 6500 switches Depending on required uplink traffic volume there may be multiple ports connected to each Catalyst 6500 switch configured as port channels If STP is enabled in the data center LAN the links to one of...

Page 48: ...rted Standards Supported Standards Table 1 1 lists the standards supported by the Cisco Nexus 5000 Series switches Table 1 1 IEEE Compliance Standard Description 802 1D MAC Bridges 802 1s Multiple Spanning Tree Protocol 802 1w Rapid Spanning Tree Protocol 802 3ad Link aggregation with LACP 802 3ae 10 Gigabit Ethernet 802 1Q VLAN Tagging 802 1p Class of Service Tagging for Ethernet frames ...

Page 49: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 1 Configuration Fundamentals ...

Page 50: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 51: ...mand Line Interface You can connect to the switch using a terminal plugged into the console port See Console Settings page 3 3 for information on how to set console port parameters You can also connect to the switch with Telnet or SSH The switch supports up to eight simultaneous Telnet and SSH connections To connect with Telnet or SSH you need to know the hostname or IP address of the switch To ma...

Page 52: ...at the system prompt Table 2 1 lists and describes the two commonly used modes how to enter the modes and the resulting system prompts The system prompt helps you identify which mode you are in and the commands that are available to you in that mode Command Purpose ssh hostname ip_addr Makes an SSH connection from your host to the switch that you want to access Table 2 1 Frequently Used Switch Com...

Page 53: ...you to configure the switch are grouped under the configure terminal command To execute a command you enter the command by starting at the top level of the hierarchy For example to configure an interface use the config terminal command Once you are in configuration mode enter the interface command When you are in the interface submode you can query the available commands The following example show...

Page 54: ...ory discover discover information echo echo argument back to screen usefull for run script end Exit configuration mode ethanalyzer Configure cisco fabric analyzer exit Exit from command interpreter fcping Ping an N Port fctrace Trace the route for an N Port fex FEX control commands find Find a file below the current directory format Format disks gunzip Uncompresses LZ77 coded files gzip Compresses...

Page 55: ...starting point for all configuration commands The following commands are available in configuration mode switch configure terminal switch config aaa Configure aaa functions banner Configure banner message boot Configure boot variables callhome Enter the callhome configuration mode cdp Configure CDP parameters cfs CFS configuration commands class map Configure class map cli Configure CLI aliases cl...

Page 56: ...related parameters resequence Resequence a list with sequence numbers rib Configure RIB parameters rlir config commands for RLIR rmon Remote Monitoring role Configure roles rscn config commands for RSCN scsi target scsi target configuration show Show running system information snmp server Configure snmp server spanning tree Spanning Tree Subsystem ssh Configure SSH parameters switchname Configure ...

Page 57: ... are having trouble entering a command check the system prompt and enter the question mark for a list of available commands You might be in the wrong command mode or using incorrect syntax Entering Command Sequences In any command mode you can begin a particular command sequence then immediately press the Tab key to complete the rest of the command switch config ro Tab switch config role Tab switc...

Page 58: ...ubmode prompt You can enter this command from any submode within the configuration mode The command is executed at the EXEC level and the prompt resumes its current mode level as in the following example switch config terminal session timeout 0 switch config In this example terminal session timeout is an EXEC mode command Table 2 2 lists some useful command keys that can be used in both EXEC and c...

Page 59: ... one predefined system variable which is the TIMESTAMP variable User Defined Persistent CLI Variables You can define CLI session variables to persist only for the duration of your CLI session using the cli var name command in EXEC mode CLI session variables are useful for scripts that you execute periodically The following example shows how to create a user defined CLI session variable switch cli ...

Page 60: ...ytes 0 discards 0 errors 0 input OLS 0 LRR 0 NOS 0 loop inits 1 output OLS 1 LRR 0 NOS 1 loop inits 16 receive B2B credit remaining 7 transmit B2B credit remaining Use the show cli variables command to display user defined CLI session variables The following example displays user defined CLI session variables switch show cli variables VSH Variable List TIMESTAMP 2005 10 24 21 29 33 testinterface f...

Page 61: ...e brief switch config cli alias name shfcintup shintbr include up include fc You can display the command aliases defined on the switch using the alias default command alias The following example shows how to display the command aliases defined on the switch switch alias CLI alias commands alias show cli alias gigint interface gigabitethernet shintbr show interface brief shfcintup shintbr include u...

Page 62: ...led Port mode is TE Port vsan is 1 Speed is 2 Gbps Transmit B2B Credit is 255 Receive B2B Credit is 16 Receive data field Size is 2112 Beacon is turned off Trunk vsans admin allowed and active 1 Trunk vsans up 1 Trunk vsans isolated Trunk vsans initializing 5 minutes input rate 96 bits sec 12 bytes sec 0 frames sec 5 minutes output rate 64 bits sec 8 bytes sec 0 frames sec 77423 frames input 67088...

Page 63: ...llowing example shows how you can pass CLI session variable as arguments to a child run script command process switch show file bootflash test1 vsh show interface var1 var2 switch run bootflash test2 vsh var1 fc2 1 var2 brief show interface var1 var2 Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps fc2 1 1 auto on sfpAbsent Setting the Delay Time The sle...

Page 64: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 2 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 2 Using the Command Line Interface Command Scripts ...

Page 65: ...ms page 3 22 Image Files on the Switch The Cisco Nexus 5000 Series switches have the following images BIOS and loader images combined in one file Kickstart image System image that includes a BIOS image that can be upgraded The switch has flash memory that consists of two separate flash parts A 2 MB flash part holds two BIOS and loader images A 1 GB flash part holds configuration files kickstart im...

Page 66: ...e If the checksum of the upgradeable BIOS is not valid then the golden BIOS launches the kickstart image which then launches the system image You can force the switch to bypass the upgradeable BIOS and use the golden BIOS instead If you press Ctrl Shift 6 within two seconds of when power is supplied to the switch the golden BIOS will be used to launch the kickstart image even if the checksum of th...

Page 67: ...nsole and sets the options for that terminal line switch configure terminal switch config line console switch config console databits 7 switch config console exec timeout 30 switch config console parity even switch config console stopbits 2 You cannot change the BIOS console settings These are the same as the default console settings Golden BIOS waits for Ctrl Shift 6 9600 baud Is Upgradeable BIOS...

Page 68: ...ation all traffic through the switch is disrupted Detailed Upgrade Procedure Caution Upgrading a Cisco Nexus 5000 Series switch disrupts all traffic flow through the switch To upgrade the software on the switch follow these steps Step 1 Log in to the switch on the console port connection Step 2 Log in to Cisco com to access the Software Download Center To log in to Cisco com go to the URL http www...

Page 69: ... sftp The examples in this procedure use scp switch copy scp user scpserver cisco com downloads n5000 uk9 kickstart 4 0 1a N2 0 140 bin bootflash n5000 uk9 kickstart 4 0 1a N2 0 140 bin switch copy scp user scpserver cisco com downloads n5000 uk9 4 0 1a N2 0 140 bin bootflash n5000 uk9 4 0 1a N2 0 140 bin Step 10 Install the new images specifying the new image names that you downloaded in step 9 s...

Page 70: ...th 2074308 kB of memory Processor Board ID JAB1232002F Device name switch bootflash 1003520 kB Kernel uptime is 2 day s 5 hour s 22 minute s 19 second s Last reset at 695620 usecs after Mon Jan 12 18 54 03 2009 Reason Reset Requested by CLI command reload System version 4 0 1a N2 1 Service plugin Core Plugin Ethernet Plugin Downgrading from a Higher Release The procedure to downgrade the switch is...

Page 71: ... is running the required software version switch show version Initial Configuration The section includes the following topics Configuration Prerequisites page 3 7 Initial Setup page 3 8 Preparing to Configure the Switch page 3 8 Default Login page 3 9 Configuring the Switch page 3 9 Changing the Initial Configuration page 3 12 Configuration Prerequisites The following procedure is a review of the ...

Page 72: ... When the switch powers up for the first time you should assign the IP address After you perform this step the Cisco MDS 9000 Family Fabric Manager can reach the switch through the console port Preparing to Configure the Switch Before you configure Cisco Nexus 5000 Series switch for the first time you need the following information Administrator password Note If a password is weak short easy to de...

Page 73: ...ribes how to initially configure the switch Note Press Ctrl C at any prompt to skip the remaining configuration options and proceed with what you have configured up to that point Entering the new password for the administrator is a requirement and cannot be skipped Tip If you do not want to answer a previously configured question or if you want to skip answers to any questions press Enter If a def...

Page 74: ...trator s account See the Configuring RBAC section on page 22 5 for information on default roles and permissions a Enter the user login ID Enter the user login ID user_name b Enter the user password Enter the password for user_name user password Step 6 Enter yes yes is the default to create an SNMP read only community string Configure read only SNMP community string yes no n yes SNMP community stri...

Page 75: ...de Configure default physical FC switchport trunk mode on off auto on on Step 18 Enter permit deny is the default to deny a default zone policy configuration Configure default zone policy permit deny deny permit Permits traffic flow to all members of the default zone Note If you are executing the setup script after entering a write erase command you explicitly must change the default zone policy t...

Page 76: ...g This setup utility will guide you through the basic configuration of the system Setup configures only enough connectivity for management of the system Note setup is mainly used for configuring the system initially when no configuration is present So setup always assumes system defaults and not the current system configuration values Press Enter at anytime to skip a dialog Use ctrl c at anytime t...

Page 77: ...exus 5000 Series switches use Universal Coordinated Time UTC which is the same as Greenwich Mean Time GMT To change the default time on the switch perform this task The following example sets the time for the switch switch clock set 15 58 09 29 February 2008 Mon Feb 20 15 58 09 UTC 2008 Note The clock command changes are saved across system resets You can specify a time zone for the switch To spec...

Page 78: ... one hour at 2 00 a m on the second Sunday in March and move back the clock one hour at 2 00 a m on the first Sunday in November You can also explicitly specify the start and end dates and times and whether or not the time adjustment recurs every year To enable the daylight saving time clock adjustment perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Ste...

Page 79: ...ion page 3 17 About NTP In a large enterprise network having one time standard for all network devices is critical for management reporting and event logging functions when trying to correlate interacting events logged across multiple devices Many enterprise customers with extremely mission critical networks maintain their own stratum 1 NTP source Time synchronization happens when several frames a...

Page 80: ...owing guidelines apply to all NTP configurations You should have a peer association with another switch only when you are sure that your clock is reliable which means that you are a client of a reliable NTP server A peer configured alone takes on the role of a server and should be used as backup If you have two servers then you can have several switches point to one server and the remaining switch...

Page 81: ...n command after you enabled distribution in a switch The NTP application uses an effective and pending database model to store or commit the commands based on your configuration You changes are stored in the pending database and committed to the effective database See the Information About CFS section on page 21 1 for more information on the CFS application This section includes the following sect...

Page 82: ...changes perform this task Releasing Fabric Session Lock If you have performed an NTP fabric task and have forgotten to release the lock by either committing or discarding the changes an administrator can release the lock from any switch in the fabric If the administrator performs this task your changes to the pending database are discarded and the fabric lock is released Command Purpose Step 1 swi...

Page 83: ...s of the NTP session use the show ntp session status command switch show ntp session status last action Distribution Enable Result Success Management Interface Configuration The management interface on the switch allows multiple simultaneous Telnet or SNMP sessions You can remotely configure the switch through the management interface mgmt0 but first you must configure some IP parameters so that t...

Page 84: ...0 frame 0 overrun 0 fifo 570 packets output 85555 bytes 0 underrun 0 output errors 0 collisions 0 fifo 0 carrier errors Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface mgmt 0 Selects the management Ethernet interface on the switch and enters interface configuration submode Step 3 switch config if ip address ipv4 address length Configures th...

Page 85: ... 3 21 Saving a Configuration page 3 21 Clearing a Configuration page 3 22 Displaying the Switch Configuration You can view the ASCII form of the configuration file when required To view the current configuration tree from the EXEC prompt enter the show running config command If the running configuration is different from the startup configuration enter the show startup config command to view the A...

Page 86: ...ot variables and the IP configuration of interface mgmt 0 Using Switch File Systems This section includes the following topics Setting the Current Directory page 3 22 Displaying the Current Directory page 3 23 Listing the Files in a Directory page 3 23 Creating a Directory page 3 23 Deleting an Existing Directory page 3 23 Moving Files page 3 24 Copying Files page 3 24 Deleting Files page 3 24 Dis...

Page 87: ...971520 bytes free 20971520 bytes total Creating a Directory The mkdir command creates a directory at the current directory level or at a specified directory level The syntax for this command is mkdir name This example creates a directory called test in the bootflash directory switch mkdir bootflash test This example creates a directory called test in the current directory switch mkdir test Deletin...

Page 88: ...vel switch move samplefile mystorage samplefile If the current directory is bootflash mydir this command moves bootflash mydir samplefile to bootflash mydir mystorage samplefile Copying Files The copy command copies a file between file systems within a switch Note Use the dir command to ensure that enough space is available in the target file system If enough space is not available use the delete ...

Page 89: ...l At the EXEC mode switch prompt enter a dir command to view all files in this directory including the recently saved Samplefile Compressing and Uncompressing Files The gzip command compresses zips the specified file using LZ77 coding This example directs the output of the show tech support command to a file Samplefile and then zips the file and displays the difference in the space used up in the ...

Page 90: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 3 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 3 Configuring the Switch Using Switch File Systems ...

Page 91: ...nse Key File page 4 4 Backing Up License Files page 4 6 Identifying License Features in Use page 4 6 Uninstalling Licenses page 4 6 Updating Licenses page 4 8 Grace Period Alerts page 4 8 License Transfers Between Switches page 4 9 Verifying the License Configuration page 4 10 Licensing Terminology The following terms are used in this chapter Licensed feature Permission to use a particular feature...

Page 92: ... License keys are incremental If you purchase some features now and others later the license file and the software detect the sum of all features for the specified switch Evaluation license A temporary license Evaluation licenses are time bound valid for a specified number of days and are not tied to a host ID switch serial number Permanent license A license that is not time bound is called a perm...

Page 93: ...task Step 1 Contact your reseller or Cisco representative and request this service Note If you purchased Cisco support through a Cisco reseller contact the reseller directly If you purchased support directly from Cisco Systems contact Cisco Technical Support at this URL http www cisco com warp public 687 Directory DirTAC shtml Your switch is shipped with the required licenses installed in the syst...

Page 94: ...ment Step 4 Locate the website URL from either the claim certificate or the proof of purchase document Step 5 Access the specified URL that applies to your switch and enter the switch serial number and the PAK The license key file is sent to you by e mail The license key file is digitally signed to only authorize use on the requested switch The requested features are also enabled once the Cisco NX...

Page 95: ...se tar Backing up license done Step 4 Exit the switch console and open a new terminal session to view all license files installed on the switch using the show license command switch show license Enterprise lic SERVER this_host ANY VENDOR cisco INCREMENT ENTERPRISE_PKG cisco 1 0 permanent uncounted HOSTID VDH FOX0646S017 NOTICE LicFileID LicFileID LicLineID 0 LicLineID PAK dummyPak PAK SIGN EE9F91E...

Page 96: ...software feature is enabled it can activate a license grace period To identify the features active for a specific license use the show license usage license name command switch show license usage FC_FEATURES_PKG Application PFM Use the show license usage command to identify all of the active features on your switch switch show license usage Feature Ins Lic Status Expiry Date Comments Count FM_SERV...

Page 97: ...witch Step 2 Enter the show license brief command in EXEC mode to view a list of all installed license key files and identify the file to be uninstalled In this example the file to be uninstalled is the FibreChannel lic file switch show license brief Enterprise lic FibreChannel lic Step 3 Disable the features provided by the license to be uninstalled Enter the show license usage package_name comma...

Page 98: ...of the file to be updated switch show license brief Enterprise lic Step 4 Update the license file using the update license url command where url specifies the bootflash or volatile location of the updated license file switch update license bootflash Advanced2 lic Advanced1 lic Updating Advanced1 lic SERVER this_host ANY VENDOR cisco An example fcports license INCREMENT SAN_EXTN_OVER_IP cisco 1 000...

Page 99: ...ceive console messages SNMP traps system messages and Call Home messages on a daily basis The frequency of these messages become hourly during the last seven days of the grace period Note You cannot modify the frequency of the grace period messages Caution After the final seven days of the grace period the feature is turned off and your network traffic may be disrupted Any future upgrade will enfo...

Page 100: ...the License Configuration To display the license configuration information perform one of the following tasks Command Purpose switch show license brief Displays information for all installed license files switch show license file Displays information for a specific license file switch show license host id Displays the host ID for the physical switch switch show license usage Displays the usage inf...

Page 101: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 2 LAN Switching ...

Page 102: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 103: ...h Ethernet and Fibre Channel traffic For additional information see Chapter 29 Configuring FCoE and Chapter 30 Configuring Virtual Interfaces On a Cisco Nexus 5000 Series switch the Ethernet interfaces are enabled by default This section includes the following topics About the Interface Command page 5 1 About the Unidirectional Link Detection Parameter page 5 2 About Interface Speed page 5 4 About...

Page 104: ...er 1 protocols to determine the physical status of a link At Layer 1 autonegotiation takes care of physical signaling and fault detection UDLD performs tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected LAN ports When you enable both autonegotiation and UDLD Layer 1 and Layer 2 detections work together to prevent physical and logi...

Page 105: ...port UDLD aggressive mode If UDLD aggressive mode is enabled when a port on a bidirectional link that has a UDLD neighbor relationship established stops receiving UDLD frames UDLD tries to reestablish the connection with the neighbor After eight failed retries the port is disabled To prevent spanning tree loops nonaggressive UDLD with the default interval of 15 seconds is fast enough to shut down ...

Page 106: ...nsparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each other Each CDP configured device sends periodic messages to a multicast address advertising at least one addr...

Page 107: ...ing topics Configuring the UDLD Mode page 5 5 Configuring Interface Speed page 5 6 Configuring the Cisco Discovery Protocol page 5 7 Configuring the Debounce Timer page 5 8 Configuring the Description Parameter page 5 9 Disabling and Restarting Ethernet Interfaces page 5 9 Configuring the UDLD Mode You can configure normal or aggressive unidirectional link detection UDLD modes for Ethernet interfa...

Page 108: ... first 8 ports of a Cisco Nexus 5010 switch and the first 16 ports of a Cisco Nexus 5020 switch are switchable 1 Gigabit and 10 Gigabit ports The default interface speed is 10 Gigabit To configure these ports for 1 Gigabit Ethernet insert a 1 Gigabit Ethernet SFP transceiver into the applicable port and then set its speed with the speed command To configure a 1 Gigabit Ethernet port perform this t...

Page 109: ...5 7 Enabling or Disabling CDP page 5 8 Configuring the CDP Characteristics You can configure the frequency of CDP updates the amount of time to hold the information before discarding it and whether or not to send Version 2 advertisements To configure CDP characteristics for an interface perform this task Use the no form of the CDP commands to return to the default settings Command Purpose Step 1 s...

Page 110: ...enable the debounce timer for Ethernet ports by specifying a debounce time in milliseconds or disable the timer by specifying a debounce time of 0 You can show the debounce times for all of the Ethernet ports by using the show interface debounce command To enable or disable the debounce timer perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch...

Page 111: ...scription to Server 3 Interface switch configure terminal switch config interface ethernet 1 3 switch config if description Server 3 Interface Disabling and Restarting Ethernet Interfaces You can shut down and restart an Ethernet interface This action disables all of the interface functions and marks the interface as being down on all monitoring displays This information is communicated to other n...

Page 112: ...rface switch show interface ethernet 1 1 Ethernet1 1 is up Hardware is 1000 10000 Ethernet address is 000d eca3 5f08 bia 000d eca3 5f08 MTU 1500 bytes BW 10000000 Kbit DLY 10 usec reliability 255 255 txload 190 255 rxload 192 255 Encapsulation ARPA Port mode is trunk full duplex 10 Gb s media type is 1 10g Input flow control is off output flow control is off Command Purpose switch config if no shu...

Page 113: ...0 underrun 0 if down drop 0 output error 0 collision 0 deferred 0 late collision 0 lost carrier 0 no carrier 0 babble 0 Rx pause 8031547972 Tx pause 0 reset The following example shows how to display the physical Ethernet capabilities switch show interface ethernet 1 1 capabilities Ethernet1 1 Model 734510033 Type 10Gbase unknown Speed 1000 10000 Duplex full Trunk encap type 802 1Q Channel yes Bro...

Page 114: ...display the link debounce status some of the output has been removed for brevity switch show interface debounce Port Debounce time Value ms Eth1 1 enable 100 Eth1 2 enable 100 Eth1 3 enable 100 The following example shows how to display the CDP neighbors switch show cdp neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater V VoIP Phone D Remotel...

Page 115: ... OL 16597 01 Chapter 5 Configuring Ethernet Interfaces Displaying Interface Information Encapsulation ARPA MTU1 1500 bytes Port Mode Access Speed Auto 10000 1 MTU cannot be changed per physical Ethernet interface You modify MTU by selecting maps of QoS classes See Chapter 31 Configuring QoS for additional information Parameter Default Setting ...

Page 116: ... b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 5 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 5 Configuring Ethernet Interfaces Displaying Interface Information ...

Page 117: ...out VLANs This section includes the following topics Understanding VLANs page 6 1 Understanding VLAN Ranges page 6 2 Creating Deleting and Modifying VLANs page 6 3 Understanding VLANs Note VLAN Trunking Protocol VTP mode is OFF VTP BPDUs are dropped on all interfaces of a Cisco Nexus 5000 Series switch which partitions VTP domains if other switches have VTP turned on A VLAN is a group of end stati...

Page 118: ...elong to the same VLAN To communicate between VLANs you must route the traffic By default a newly created VLAN is operational that is the VLAN is in the no shutdown condition Additionally you can configure VLANs to be in the active state which is passing traffic or the suspended state in which the VLANs are not passing packets By default the VLANs are in the active state and pass traffic Understan...

Page 119: ...s moving them from the active operational state to the suspended operational state If you attempt to create a VLAN with an existing VLAN ID the switch goes into the VLAN submode but does not create the same VLAN again Newly created VLANs remain unused until ports are assigned to the specific VLAN All the ports are assigned to VLAN1 by default Depending on the range of the VLAN you can configure th...

Page 120: ...n you delete a VLAN ports associated to that VLAN shut down The traffic does not flow and the packets are dropped To create a VLAN perform this task This example shows how to create a range of VLANs from 15 to 20 switch configure terminal switch config vlan 15 20 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config vlan vlan id vlan range Creates a VLAN o...

Page 121: ...ch configure terminal switch config vlan 5 switch config vlan name accounting switch config vlan state active switch config vlan no shutdown Command Purpose switch config vlan no vlan vlan id vlan range Deletes the specified VLAN or range of VLANs and removes you from the VLAN configuration submode You cannot delete VLAN1 or the internally allocated VLANs Command Purpose Step 1 switch configure te...

Page 122: ...ng example shows the VLANs created on the switch and their status switch show vlan VLAN Name Status Ports 1 default active Eth1 1 Eth1 2 Eth1 3 Eth1 4 Eth1 5 Eth1 6 Eth1 7 Eth1 8 Eth1 9 Eth1 10 Eth1 11 Eth1 12 Eth1 15 Eth1 16 Eth1 17 Eth1 18 Eth1 19 Eth1 20 Eth1 21 Eth1 22 Eth1 23 Eth1 24 Eth1 25 Eth1 26 Eth1 27 Eth1 28 Eth1 29 Eth1 30 Eth1 31 Command Purpose Step 1 switch configure terminal Enter...

Page 123: ... Eth3 1 Eth3 2 Eth3 3 Eth3 4 veth1 1 13 VLAN0005 active Eth1 13 Eth1 14 The following example shows the details of VLAN 13 including its member ports switch show vlan id 13 VLAN Name Status Ports 13 VLAN0005 active Eth1 13 Eth1 14 VLAN Type MTU 13 enet 576 Remote SPAN VLAN Disabled Primary Secondary Type Ports The following example shows the VLAN settings summary switch show vlan summary Number of...

Page 124: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 6 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 6 Configuring VLANs Verifying VLAN Configuration ...

Page 125: ... VLAN into subdomains allowing you to isolate the ports on the switch from each other A subdomain consists of a primary VLAN and one or more secondary VLANs see Figure 7 1 All VLANs in a private VLAN domain share the same primary VLAN The secondary VLAN ID differentiates one subdomain from another The secondary VLANs may either be isolated VLANs or community VLANs A host on an isolated VLAN can on...

Page 126: ...ge 7 5 Primary and Secondary VLANs in Private VLANs A private VLAN domain has only one primary VLAN Each port in a private VLAN domain is a member of the primary VLAN the primary VLAN is the entire private VLAN domain Secondary VLANs provide isolation between ports within the same private VLAN domain The following two types are secondary VLANs within a primary VLAN Isolated VLANs Ports within an i...

Page 127: ...in the isolated VLAN Community A community port is a host port that belongs to a community secondary VLAN Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain Note Because trunks can support the VLANs carryi...

Page 128: ...ironment you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations The end stations need to communicate only with a default gateway to communicate outside the private VLAN Associating Primary and Secondary VLANs For host ports in secondary VLANs to communicate outside the private VLAN you associate secondary VLANs to the primary VLAN If t...

Page 129: ...sociation Understanding Broadcast Traffic in Private VLANs Broadcast traffic from ports in a private VLAN flows in the following ways The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN which includes all the ports in the community and isolated VLANs This broadcast traffic is distributed to all ports within the primary VLAN including those ports that are not config...

Page 130: ...ronize command to map the secondary VLANs to the same Multiple Spanning Tree MST instance as the primary VLAN See the Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs section on page 9 16 for more details Enabling Private VLANs You must enable private VLANs on the switch to use the private VLAN functionality Note The private VLAN commands do not appear until you enable the p...

Page 131: ...o disable a private VLAN perform this task Associating Secondary VLANs with a Primary Private VLAN When you associate secondary VLANs with a primary VLAN follow these guidelines The secondary vlan list parameter cannot contain spaces It can contain multiple comma separated items Each item can be a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs The secondary vlan list paramete...

Page 132: ...condary VLAN the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN Ensure that the private VLAN feature is enabled To associate secondary VLANs with a primary VLAN perform this task This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5 switch ...

Page 133: ...ure an interface as a private VLAN promiscuous port and then you can associate that promiscuous port with the primary and secondary VLANs Ensure that the private VLAN feature is enabled To configure an interface as a private VLAN promiscuous port perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface type slot port Selects the po...

Page 134: ...rts 5 100 community 5 101 community Eth1 12 veth1 1 5 102 community 5 103 community 5 109 isolated Eth1 2 switch show vlan private vlan type Vlan Type 5 primary Step 3 switch config if switchport mode private vlan promiscuous Configures the port as a promiscuous port for a private VLAN You can only enable a physical Ethernet port as the promiscuous port Step 4 switch config if switchport private v...

Page 135: ...itch CLI Software Configuration Guide OL 16597 01 Chapter 7 Configuring Private VLANs Verifying Private VLAN Configuration 100 community 101 community 102 community 103 community 109 isolated The following example shows how to display enabled features switch show system internal clis feature 7 pvlan enabled ...

Page 136: ...d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 7 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 7 Configuring Private VLANs Verifying Private VLAN Configuration ...

Page 137: ...ng Tree MST and Chapter 10 Configuring STP Extensions for complete information on STP extensions Information About Rapid PVST This section provides describes the Rapid PVST protocol which is the IEEE 802 1w standard Rapid Spanning Tree Protocol RSTP implemented on a per VLAN basis Rapid PVST interoperates with the IEEE 802 1D standard which mandates a single STP instance for all VLANs rather than ...

Page 138: ...se frames but use the frames to construct a loop free path Multiple active paths between end stations cause loops in the network If a loop exists in the network end stations might receive duplicate messages and switches might learn end station MAC addresses on multiple LAN ports These conditions result in a broadcast storm which creates an unstable network STP defines a tree with a root bridge and...

Page 139: ...following topics Bridge Priority Value page 8 3 Extended System ID page 8 3 STP MAC Address Allocation page 8 4 Bridge Priority Value The bridge priority is a 4 bit value when the extended system ID is enabled see Configuring the Rapid PVST Bridge Priority of a VLAN section on page 8 22 Note In Cisco NX OS the extended system ID is always enabled you cannot be disable the extended system ID Extend...

Page 140: ...bridge the lowest being preferred as a multiple of 4096 Only the following values are possible 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN Note If another bridge in the same spanning tree domain does not run the MAC address reduction feature it could achieve r...

Page 141: ...t is the lowest numerical ID value is elected as the root bridge If all switches are configured with the default priority 32768 the switch with the lowest MAC address in the VLAN becomes the root bridge The bridge priority value occupies the most significant bits of the bridge ID When you change the bridge priority value you change the probability that the switch will be elected as the root bridge...

Page 142: ...he high speed fiber optic link By changing the STP port priority on the fiber optic port to a higher priority lower numerical value than the root port the fiber optic port becomes the new root port Understanding Rapid PVST This section includes the following Rapid PVST topics Overview page 8 6 Rapid PVST BPDUs page 8 8 Proposal and Agreement Handshake page 8 8 Protocol Timers page 8 9 Port Roles p...

Page 143: ...ure a port as an STP edge port Note We recommend that you configure all ports connected to a host as edge ports See Chapter 10 Configuring STP Extensions for more information on STP port types Root ports If Rapid PVST selects a new root port it blocks the old root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port t...

Page 144: ...d PVST BPDUs Rapid PVST and 802 1w use all six bits of the flag byte to add the role and state of the port that originates the BPDU and the proposal and agreement handshake Figure 8 3 shows the use of the BPDU flags in Rapid PVST Figure 8 3 Rapid PVST Flag Byte in BPDU Another important change is that the Rapid PVST BPDU is type 2 version 2 which makes it possible for the switch to detect connecte...

Page 145: ...to switch B a similar set of handshaking messages are exchanged Switch C selects the port connected to switch B as its root port and both ends of the link immediately transition to the forwarding state With each iteration of this handshaking process one more network device joins the active topology As the network converges this proposal agreement handshaking progresses from the root toward the lea...

Page 146: ... by a point to point link or when a switch has two or more connections to a shared LAN segment A backup port provides another path in the topology to the switch Disabled port Has no role within the operation of the spanning tree In a stable topology with consistent port roles throughout the network Rapid PVST ensures that every root port and designated port immediately transition to the forwarding...

Page 147: ...s and at different places in a switched network When a LAN port transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Ports must wait for new topology information to propagate through the switched LAN before starting to forward frames Each LAN port on a software using Rapid PVST or MST exists in one of the following four...

Page 148: ...frame forwarding A LAN port in the blocking state performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Does not incorporate the end station location into its address database There is no learning on a blocking LAN port so there is no address database update Receives BPDUs and directs them to the system module Receives proc...

Page 149: ...ble 8 3 lists the possible operational and Rapid PVST states for ports and the corresponding inclusion in the active topology Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port Rapid PVST forces all other ports to synchronize with the new root information The switch is synchronized with superior root informat...

Page 150: ...is a Rapid PVST BPDU with the proposal flag set the switch sends an agreement message after all of the other ports are synchronized The new root port transitions to the forwarding state as soon as the previous port reaches the blocking state If the superior information received on the port causes the port to become a backup port or an alternate port Rapid PVST sets the port to the blocking state a...

Page 151: ...athcost method you can assign any value in the range of 1 to 65535 However you can configure the switch to use the long 32 bit pathcost method which allows you to assign any value in the range of 1 to 200 000 000 You configure the pathcost calculation method globally The STP port path cost default value is determined from the media speed and path cost calculation method of a LAN interface see Tabl...

Page 152: ... Cisco 802 1Q cloud that separates the Cisco switches is treated as a single trunk link between the switches Rapid PVST Interoperation with Legacy 802 1D STP Rapid PVST can interoperate with switches that are running the legacy 802 1D protocol The switch knows that it is interoperating with equipment running 802 1D when it receives a BPDU version 0 The BPDUs for Rapid PVST are version 2 If the BPD...

Page 153: ...VST protocol is the default STP setting in the software You enable Rapid PVST on a per VLAN basis The software maintains a separate instance of STP for each VLAN except on those VLANS on which you disable STP By default Rapid PVST is enabled on the default VLAN and on each VLAN that you create This section includes the following topics Enabling Rapid PVST page 8 17 Enabling Rapid PVST per VLAN pag...

Page 154: ...ST per VLAN You can enable or disable Rapid PVST on each VLAN Note Rapid PVST is enabled by default on the default VLAN and on all VLANs that you create To enable Rapid PVST per VLAN perform this task This example shows how to enable STP on VLAN 5 switch configure terminal switch config spanning tree vlan 5 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch co...

Page 155: ... of the current root bridges for each VLAN The switch sets the bridge priority for the specified VLANs to 24576 if this value will cause the switch to become the root for the specified VLANs If any root bridge for the specified VLANs has a bridge priority lower than 24576 the switch sets the bridge priority for the specified VLANs to 4096 less than the lowest bridge priority Note The spanning tree...

Page 156: ...e automatically calculated hello time You configure more than one switch in this manner to have multiple backup root bridges Enter the same network diameter and hello time values that you used when configuring the primary root bridge Note With the switch configured as the root bridge do not manually configure the hello time forward delay time and maximum age time using the spanning tree mst hello ...

Page 157: ...ou can only apply this command to a physical Ethernet interface Configuring the Rapid PVST Pathcost Method and Port Cost On access ports you assign port cost by the port On trunk ports you assign the port cost by VLAN you can configure the same port cost on all the VLANs on a trunk Note In Rapid PVST mode you can use either the short or long pathcost method and you can configure the method in eith...

Page 158: ...e shows how to configure the priority of VLAN 5 on Gigabit Ethernet port 1 4 to 8192 switch configure terminal switch config spanning tree vlan 5 priority 8192 Step 3 switch config interface type slot port Specifies the interface to configure and enters the interface configuration mode Step 4 switch config if spanning tree vlan vlan id cost value auto Configures the port cost for the LAN interface...

Page 159: ...me per VLAN when using Rapid PVST To configure the forward delay time per VLAN perform this task This example shows how to configure the forward delay time for VLAN 5 to 21 seconds switch configure terminal switch config spanning tree vlan 5 forward time 21 Configuring the Rapid PVST Maximum Age Time for a VLAN You can configure the maximum age time per VLAN when using Rapid PVST To configure the ...

Page 160: ...his example shows how to configure the link type as a point to point link switch configure terminal switch config interface ethernet 1 4 switch config if spanning tree link type point to point You can only apply this command to a physical Ethernet interface Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree vlan vlan range max age value Co...

Page 161: ...interface ethernet 2 8 Verifying Rapid PVST Configurations To display Rapid PVST configuration information perform one of these tasks This example shows how to display spanning tree status switch show spanning tree brief VLAN0001 Spanning tree enabled protocol rstp Root ID Priority 32768 Address 001c b05a 5447 Cost 2 Port 131 Ethernet1 3 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ...

Page 162: ...e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 8 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 8 Configuring Rapid PVST Verifying Rapid PVST Configurations ...

Page 163: ...ocol STP when it receives an 802 1D message from a neighboring switch Note Spanning tree is used to refer to IEEE 802 1w and IEEE 802 1s If the text is discussing the IEEE 802 1D Spanning Tree Protocol 802 1D is stated specifically This chapter includes the following sections Information About MST page 9 1 Configuring MST page 9 9 Note See Chapter 8 Configuring Rapid PVST for complete information ...

Page 164: ...mproves spanning tree operation and maintains backward compatibility with these STP versions Original 802 1D spanning tree Rapid per VLAN spanning tree Rapid PVST Note IEEE 802 1w defined the Rapid Spanning Tree Protocol RSTP and was incorporated into IEEE 802 1D IEEE 802 1s defined MST and was incorporated into IEEE 802 1Q MST Regions To allow switches to participate in MST instances you must con...

Page 165: ...uration Information The MST configuration that must be identical on all switches within a single MST region is configured by the user You can configure the following three parameters of the MST configuration Name 32 character string null padded and null terminated identifying the MST region Revision number Unsigned 16 bit number that identifies the revision of the current MST configuration Note Yo...

Page 166: ...n all ports you cannot delete the IST or Instance 0 By default all VLANs are assigned to the IST All other MST instances are numbered from 1 to 4094 The IST is the only STP instance that sends and receives BPDUs All of the other MSTI information is contained in MST records M records which are encapsulated within MST BPDUs All MSTIs within the same region share the same protocol timers but each MST...

Page 167: ...ach with its own CIST regional root As switches receive superior IST information from a neighbor in the same region they leave their old subregions and join the new subregion that contains the true CIST regional root This action causes all subregions to shrink except for the subregion that contains the true CIST regional root All switches in the MST region must agree on the same CIST regional root...

Page 168: ... to communicate with 802 1D only switches MST switches use MST BPDUs to communicate with MST switches MST Terminology MST naming conventions include identification of some internal or regional parameters These parameters are used only within an MST region compared to external parameters that are used throughout the whole network Because the CIST is the only spanning tree instance that spans the wh...

Page 169: ...alue When a switch receives this BPDU it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs that it generates When the count reaches zero the switch discards the BPDU and ages the information held for the port The message age and maximum age information in the 802 1w portion of the BPDU remain the same throughout the region only on ...

Page 170: ...dging loop Switch A is the root bridge and its BPDUs are lost on the link leading to switch B Rapid PVST 802 1w and MST BPDUs include the role and state of the sending port With this information switch A can detect that switch B does not react to the superior BPDUs that it sends and that switch B is the designated not root port As a result switch A blocks or keeps blocking its port which prevents ...

Page 171: ...can send either Version 0 configuration and topology change notification TCN BPDUs or Version 3 MST BPDUs on a boundary port A boundary port connects to a LAN the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration Note MST interoperates with the Cisco prestandard MSTP whenever it receives prestandard MSTP on an MST port no explicit con...

Page 172: ...lation Globally page 9 23 Configuring PVST Simulation Per Port page 9 23 Specifying the Link Type page 9 24 Restarting the Protocol page 9 25 MST Configuration Guidelines When configuring MST follow these guidelines When you work with private VLANs enter the private vlan synchronize command to map the secondary VLANs to the same MST instance as the primary VLAN When you are in the MST configuratio...

Page 173: ...o view the resulting configuration does not display the command that you entered to enable STP Entering MST Configuration Mode You enter MST configuration mode to configure the MST name VLAN to instance mapping and MST revision number on the switch For two or more switches to be in the same MST region they must have the identical MST name VLAN to instance mapping and MST revision number Note Each ...

Page 174: ...idge For two or more bridges to be in the same MST region they must have the identical MST name VLAN to instance mapping and MST revision number Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode on the system You must be in the MST configuration submode to assign the MST configuration par...

Page 175: ... two or more switches to be in the same MST region they must have the same VLAN to instance mapping the same configuration revision number and the same MST name A region can have one member or multiple members with the same MST configuration each member must be capable of processing IEEE 802 1w RSTP BPDUs There is no limit to the number of MST regions in a network but each region can support only ...

Page 176: ...de switch config spanning tree mst configuration switch config mst instance 1 vlan 10 20 switch config mst name region1 switch config mst revision 1 switch config mst show pending Pending MST configuration Name region1 Revision 1 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode Step 3 sw...

Page 177: ...rminal switch config spanning tree mst configuration switch config mst instance 3 vlan 200 To unmap VLAN to MST instances perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode Step 3 switch config mst instance instance id vlan vlan range Maps VLANs to an MST instance as foll...

Page 178: ... switch as the spanning tree primary root bridge Enter the diameter keyword which is available only for MSTI 0 or the IST to specify the network diameter that is the maximum number of hops between any two end stations in the network When you specify the network diameter the switch automatically sets an optimal hello time forward delay time and maximum age time for a network of that diameter which ...

Page 179: ...tree mst root primary global configuration command Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id root primary secondary diameter dia hello time hello time Configures a switch as the root bridge as follows For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instanc...

Page 180: ...er in the forwarding state and blocks the other interfaces To configure the port priority perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id root primary secondary diameter dia hello time hello time Configures a switch as the secondary root bridge as follows For instance id you can specify a single instanc...

Page 181: ...s that you want selected last If all interfaces have the same cost value MST puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Note MST uses the long pathcost calculation method To configure the port cost perform this task Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interf...

Page 182: ...you enter the spanning tree mst root primary and the spanning tree mst root secondary global configuration commands to modify the switch priority Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if spanning tree mst instance id cost cost auto Configures the cost If a loop occurs MST us...

Page 183: ... switch to 1 second switch configure terminal switch config spanning tree mst hello time 1 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id priority priority value Configures a switch priority as follows For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances s...

Page 184: ...erminal switch config spanning tree mst max age 40 Configuring the Maximum Hop Count MST uses the path cost to the IST regional root and a hop count mechanism similar to the IP time to live TTL mechanism You configure the maximum hops inside the region and apply it to the IST and all MST instances in that region The hop count achieves the same result as the message age information triggers a recon...

Page 185: ... and Rapid PVST MST interoperates seamlessly with Rapid PVST However to prevent an accidental connection to a switch that does not run MST as the default STP mode you may want to disable this automatic feature If you disable PVST simulation the MST enabled port moves to the blocking state once it detects it is connected to a Rapid PVST enabled port This port remains in the inconsistent state until...

Page 186: ...figure terminal Enters configuration mode Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if spanning tree mst simulate pvst disable Disables specified interfaces from automatically interoperating with connected switch that is running in Rapid PVST mode By default all interfaces on th...

Page 187: ...negotiation force the renegotiation with neighboring switches on the entire switch or on specified interfaces To restart the protocol perform this task This example shows how to restart MST on the Ethernet interface on slot 2 port 8 switch clear spanning tree detected protocol interface ethernet 2 8 Verifying MST Configurations To display MST configuration information perform one of the following ...

Page 188: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 9 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 9 Configuring MST Verifying MST Configurations ...

Page 189: ...hese features can be applied either globally or on specified interfaces Note Spanning tree is used to refer to IEEE 802 1w and IEEE 802 1s If the text is discussing the IEEE 802 1D Spanning Tree Protocol 802 1D is stated specifically This chapter includes the following sections Information About STP Extensions page 10 1 Configuring STP Extensions page 10 5 Verifying STP Extension Configuration pag...

Page 190: ...red as the Cisco proprietary feature PortFast Interfaces that are connected to hosts should not receive STP Bridge Protocol Data Units BPDUs Note If you configure a port connected to another switch set as an edge port you might create a bridging loop Spanning Tree Network Ports Network ports are connected only to switches or bridges Bridge Assurance is enabled only on network ports Note If you mis...

Page 191: ...hen they receive a BPDU BPDU Guard provides a secure response to invalid configurations because you must manually put the LAN interface back in service after an invalid configuration Note When enabled globally BPDU Guard applies to all operational spanning tree edge interfaces Understanding BPDU Filtering You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on spec...

Page 192: ... puts the port into an inconsistent state blocking until the port starts to receive BPDUs again A port in the inconsistent state does not transmit BPDUs If the port receives BPDUs again the protocol removes its loop inconsistent condition and the STP determines the port state because such recovery is automatic Loop Guard isolates the failure and allows STP to converge to a stable topology without ...

Page 193: ...istent STP state In this way Root Guard enforces the position of the root bridge You cannot configure Root Guard globally Note You can enable Root Guard on all spanning tree port types normal edge and network ports Configuring STP Extensions This section includes the following topics STP Extensions Configuration Guidelines page 10 5 Configuring Spanning Tree Port Types Globally page 10 6 Configuri...

Page 194: ...rt types globally perform this task This example shows how to configure all access and trunk ports connected to hosts as spanning tree edge ports switch configure terminal switch config spanning tree port type edge default This example shows how to configure all ports connected to switches or bridges as spanning tree network ports switch configure terminal switch config spanning tree port type net...

Page 195: ... port type edge default command in global configuration mode If you do not configure the edge ports globally the no spanning tree port type command is equivalent to the spanning tree port type disable command Before you configure the spanning port type you should do the following Ensure that STP is configured Ensure that the interface is connected to hosts To configure spanning tree edge ports on ...

Page 196: ...ing Ensure that STP is configured Ensure that the interface is connected to switches or routers To configure spanning tree network ports on a specified interface perform this task This example shows how to configure the Ethernet interface 1 4 to be a spanning tree network port switch configure terminal switch config interface ethernet 1 4 switch config if spanning tree port type network Enabling B...

Page 197: ...perational edge port and if the spanning tree port type edge bpduguard default command is configured Before you configure this feature you should do the following Ensure that STP is configured To enable BPDU Guard on an interface perform this task This example shows how to explicitly enable BPDU Guard on the Ethernet edge port 1 4 switch configure terminal switch config interface ethernet 1 4 swit...

Page 198: ...linkup before they effectively filter outbound BPDUs If a BPDU is received on an edge port it immediately loses its operational edge port status and BPDU Filtering is disabled To enable BPDU Filtering globally perform this task This example shows how to enable BPDU Filtering on all operational spanning tree edge ports switch configure terminal switch config spanning tree port type edge bpdufilter ...

Page 199: ...and Before you configure this feature you should do the following Ensure that STP is configured Note When you enable BPDU Filtering locally on a port this feature prevents the device from receiving or sending BPDUs on this port To enable BPDU Filtering on an interface perform this task This example shows how to explicitly enable BPDU Filtering on the Ethernet spanning tree edge port 1 4 switch con...

Page 200: ... Loop Guard on all spanning tree normal or network ports switch configure terminal switch config spanning tree loopguard default Enabling Loop Guard or Root Guard on Specified Interfaces Note You can run Loop Guard on spanning tree normal or network ports You can run Root Guard on all spanning tree ports normal edge or network You can enable either Loop Guard or Root Guard on specified interfaces ...

Page 201: ...ion information for the STP extensions perform one of the following tasks Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface type slot port Specifies the interface to configure and enters the interface configuration mode Step 3 switch config if spanning tree guard loop root none Enables or disables either Loop Guard or Root Guard for the speci...

Page 202: ...b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 10 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 10 Configuring STP Extensions Verifying STP Extension Configuration ...

Page 203: ...erface within the EtherChannel is operational You create an EtherChannel by bundling compatible interfaces You can configure and run either static EtherChannels or EtherChannels running the Link Aggregation Control Protocol LACP See Understanding LACP section on page 11 4 for information on LACP Any configuration changes that you apply to the EtherChannel are applied to each member interface of th...

Page 204: ...n you are running static EtherChannels without LACP the individual links are all in the on channel mode you cannot change this mode without enabling LACP see the Port Channel Modes section on page 11 6 Note You cannot change the mode from ON to Active or from ON to Passive You can create an EtherChannel directly by creating the port channel interface or you can create a channel group that acts to ...

Page 205: ...annel the following individual parameters are replaced with the values on the EtherChannel Bandwidth MAC address Spanning Tree Protocol The following interface parameters remain unaffected when the interface joins an EtherChannel Description CDP LACP port priority Debounce Load Balancing Using EtherChannels Cisco NX OS load balances traffic across all operational interfaces in an EtherChannel by r...

Page 206: ...ng topics LACP Overview page 11 5 LACP ID Parameters page 11 5 Port Channel Modes page 11 6 LACP Marker Responders page 11 7 Table 11 1 EtherChannel Load Balancing Criteria Configuration Layer 2 Criteria Layer 3 Criteria Layer 4 Criteria Destination MAC Destination MAC Destination MAC Destination MAC Source MAC Source MAC Source MAC Source MAC Source and destination MAC Source and destination MAC ...

Page 207: ...LACP system priority Each system that runs LACP has an LACP system priority value You can accept the default value of 32768 for this parameter or you can configure a value between 1 and 65535 LACP uses the system priority with the MAC address to form the system ID and also uses the system priority during negotiation with other devices A higher system priority value means a lower priority Note The ...

Page 208: ...n either the active or passive channel mode Table 11 2 describes the channel modes Both the passive and active modes allow LACP to negotiate between ports to determine if they can form an EtherChannel based on criteria such as the port speed and the trunking state The passive mode is useful when you do not know whether the remote system or partner supports LACP Ports can form an LACP EtherChannel ...

Page 209: ...ef summary of major differences between EtherChannels with LACP enabled and static EtherChannels Configuring EtherChannels You can configure multiple EtherChannels on a device This section includes the following topics Creating an EtherChannel page 11 7 Adding a Port to an EtherChannel page 11 8 Configuring Load Balancing Using EtherChannels page 11 9 Enabling LACP page 11 10 Configuring Port Chan...

Page 210: ...ou need to enable LACP see the Enabling LACP section on page 11 10 To configure an EtherChannel perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface port channel channel number Specifies the port channel interface to configure and enters the interface configuration mode The range is from 1 to 4096 Cisco NX OS automatically crea...

Page 211: ...4 switch config if switchport trunk allowed vlan vlan id native vlan vlan id Optional Configures necessary parameters for a trunk port Step 5 switch config if channel group channel number Configures the port in a channel group and sets the mode The channel number range is from 1 to 4096 Cisco NX OS creates the EtherChannel associated with this channel group if the EtherChannel does not already exi...

Page 212: ...dynamically and informs the other LAN ports Once LACP identifies correctly matched Ethernet links it facilitates grouping the links into an EtherChannel The EtherChannel is then added to the spanning tree as a single bridge port To enable LACP perform this task This example shows how to enable LACP switch configure terminal switch config feature lacp Configuring Port Channel Port Modes After you e...

Page 213: ...le LACP you can configure each link in the LACP EtherChannel for the port priority Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface type slot port Specifies the interface to configure and enters the interface configuration mode Step 3 switch config if channel group number mode active on passive Specifies the port mode for the link in an Ethe...

Page 214: ...are 1 through 65535 and higher numbers have lower priority The default value is 32768 Command Purpose switch show interface port channel channel number Displays the status of a port channel interface switch show system internal clis feature Displays enabled features switch show lacp counters interface type slot port neighbor port channel system identifier Displays LACP information switch show port...

Page 215: ...nterfaces This section includes the following topics Understanding Access and Trunk Interfaces page 12 1 Understanding IEEE 802 1Q Encapsulation page 12 2 Understanding Access VLANs page 12 3 Understanding the Native VLAN ID for Trunk Ports page 12 3 Understanding Allowed VLANs page 12 4 Note Cisco NX OS supports only IEEE 802 1Q type VLAN trunk encapsulation Understanding Access and Trunk Interfa...

Page 216: ...ccess port receives a packet with an 802 1Q tag in the header other than the access VLAN value that port drops the packet without learning its MAC source address Note An Ethernet interface can function as either an access port or a trunk port it cannot function as both port types simultaneously Understanding IEEE 802 1Q Encapsulation A trunk is a point to point link between the device and another ...

Page 217: ...ng the new VLAN You must create the VLAN before you can assign it as an access VLAN for an access port If you change the access VLAN on an access port to a VLAN that is not yet created the system will shut that access port down If an access port receives a packet with an 802 1Q tag in the header other than the access VLAN value that port drops the packet without learning its MAC source address Und...

Page 218: ...g tree protocol STP topology for the default VLAN you can remove VLAN1 from the list of allowed VLANs Otherwise VLAN1 which is enabled on all ports by default will have a very big STP topology which can result in problems during STP convergence When you remove VLAN1 all data traffic for VLAN1 on this port is blocked but the control traffic continues to move on the port Configuring Access and Trunk...

Page 219: ...nnel interfaces and Chapter 8 Configuring Rapid PVST for complete information on the Spanning Tree Protocol Ensure that you are configuring the correct interface to an interface that is an end station To configure an access host port perform this task Step 3 switch config if switchport mode access trunk Sets the interface as a nontrunking nontagged single VLAN Ethernet interface An access port can...

Page 220: ...s how to set Ethernet 3 1 as an Ethernet trunk port switch configure terminal switch config interface ethernet 3 1 switch config if switchport mode trunk Configuring the Native VLAN for 802 1Q Trunking Ports If you do not configure this parameter the trunk port uses the default VLAN as the native VLAN ID To configure native VLAN for a 802 1Q trunk port perform this task Command Purpose Step 1 swit...

Page 221: ...f switchport trunk allow vlan 15 20 Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if switchport trunk native vlan vlan id Sets the native VLAN for the 802 1Q trunk Valid values are from 1 to 4094 except those VLANs reserved for internal use The default value is VLAN1 Command Purpose...

Page 222: ... Interface Configuration Verifying Interface Configuration To display access and trunk interface configuration information perform one of these tasks Command Purpose switch show interface Displays the interface configuration switch show interface switchport Displays information for all Ethernet interfaces including access and trunk interfaces switch show interface brief Displays interface configur...

Page 223: ...AN ports of the same VLAN except the port that received the frame When the destination station replies the switch adds its relevant MAC source address and port ID to the address table The switch then forwards subsequent frames to a single LAN port without flooding all LAN ports You can also enter a MAC address which is termed a static MAC address into the table These static MAC entries are retaine...

Page 224: ...orm this task You can use the mac address table static command to assign a static MAC address to a virtual interface Configuring the Aging Time for the MAC Table You can configure the amount of time that an entry the packet source MAC address and port that packet ingresses remain in the MAC table Note You can also configure MAC aging time in interface configuration mode or VLAN configuration mode ...

Page 225: ...information perform one of these tasks This example shows how to display the MAC address table switch show mac address table VLAN MAC Address Type Age Port 1 0018 b967 3cd0 dynamic 10 Eth1 3 1 001c b05a 5380 dynamic 200 Eth1 3 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config mac address table aging time seconds vlan vlan_id Specifies the time before a...

Page 226: ...Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 13 Configuring the MAC Address Table Verifying the MAC Address Configuration Total MAC Addresses 2 This example shows how to display the current aging time switch show mac address table aging time Vlan Aging Time 1 300 13 300 42 300 ...

Page 227: ... Using the interface information IGMP snooping can reduce bandwidth consumption in a multi access LAN environment to avoid flooding the entire VLAN The IGMP snooping feature tracks which ports are attached to multicast capable routers to help it manage the forwarding of IGMP membership reports The IGMP snooping software responds to topology change notifications Note IGMP snooping is supported on a...

Page 228: ...membership report suppression which means that if two hosts on the same subnet want to receive multicast data for the same group then the host that receives a member report from the other host suppresses sending its report Membership report suppression occurs for hosts that share a port If no more than one host is attached to each VLAN switch port then you can configure the fast leave feature in I...

Page 229: ...g IGMP Forwarding The control plane of the Cisco Nexus 5000 Series switch is able to detect IP addresses but forwarding occurs using the MAC address only When a host connected to the switch wants to join an IP multicast group it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from a connected router it forwards...

Page 230: ... interval Sets the interval that the software waits after sending an IGMP query to verify that no hosts that want to receive a particular multicast group remain on a network segment If no hosts respond before the last member query interval expires the software removes the group from the associated VLAN port Values range from 1 to 25 seconds The default is 1 second Snooping querier Configures a sno...

Page 231: ...icitly tracked because of the host report suppression mechanism of the IGMPv2 protocol When you enable fast leave the IGMP software assumes that no more than one host is present on each VLAN port The default is disabled for all VLANs switch config vlan ip igmp snooping last member query interval seconds Removes the group from the associated VLAN port if no hosts respond to an IGMP query message be...

Page 232: ...abled Explicit tracking enabled Fast leave disabled Report suppression enabled Router port detection using PIM Hellos IGMP Queries Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config no ip igmp snooping Globally disables IGMP snooping The default is enabled Note If the global setting is disabled then all VLANs are treated as disabled whether they are ena...

Page 233: ...ts 0 Number of groups 0 IGMP Snooping information for vlan 5 IGMP snooping enabled IGMP querier present address 172 16 24 1 version 3 Querier interval 125 secs Querier last member query interval 10 secs Querier robustness 2 Switch querier enabled address 172 16 24 1 currently running Explicit tracking enabled Fast leave enabled Report suppression enabled Router port detection using PIM Hellos IGMP...

Page 234: ... b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 14 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 14 Configuring IGMP Snooping Verifying IGMP Snooping Configuration ...

Page 235: ...fic and degrading network performance You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast multicast or unknown unicast traffic storm on physical interfaces Traffic storm control also called traffic suppression allows you to monitor the levels of the incoming broadcast multicast and unicast traffic over a 10 microsecond interval During this interval ...

Page 236: ...n affect the operation of traffic storm control The following are examples of how traffic storm control operation is affected If you enable broadcast traffic storm control and broadcast traffic exceeds the level within the 10 microsecond interval traffic storm control drops all broadcast traffic until the end of the interval If you enable multicast traffic storm control and the multicast traffic e...

Page 237: ...is task This example shows how to configure unicast traffic storm control for Ethernet interface 1 4 switch configure terminal switch config interface ethernet 1 4 switch config if storm control unicast level 40 Verifying Traffic Storm Control Configuration To display traffic storm control configuration information perform one of these tasks Displaying Traffic Storm Control Counters You can displa...

Page 238: ...e Configuration The following example shows how to configure traffic storm control switch configure terminal switch config interface ethernet 1 4 switch config if storm control broadcast level 40 switch config if storm control multicast level 40 switch config if storm control unicast level 40 Default Settings Table 15 1 lists the default settings for traffic storm control parameters Command Purpos...

Page 239: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 3 Switch Security Features ...

Page 240: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 241: ...counting Log page 16 12 Verifying AAA Configuration page 16 13 Example AAA Configuration page 16 13 Default Settings page 16 13 Information About AAA This section includes the following topics AAA Security Services page 16 1 Benefits of Using AAA page 16 2 Remote AAA Services page 16 3 AAA Server Groups page 16 3 AAA Service Configuration Options page 16 3 Authentication and Authorization Process ...

Page 242: ...or TACACS servers Authorization Provides access control AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform Authorization in Nexus 5000 Series switches is provided by attributes that are downloaded from AAA servers Remote security servers such as RADIUS and TACACS authorize users for specific rights by associating attribute value ...

Page 243: ...nd the next remote server in the group is tried until one of the servers sends a response If all the AAA servers in the server group fail to respond then that server group option is considered a failure If required you can specify multiple server groups If a Nexus 5000 Series switch encounters errors from the servers in the first group it tries the servers in the next server group AAA Service Conf...

Page 244: ...ole login options 2 When you have configured the AAA server groups using the server group authentication method the Nexus 5000 Series switch sends an authentication request to the first AAA server in the group as follows a If the AAA server fails to respond then the next AAA server is tried and so on until the remote server responds to the authentication request b If all AAA servers in the server ...

Page 245: ...A Remote AAA servers have the following prerequisites At least one RADIUS or TACACS server must be IP reachable see the Configuring RADIUS Server Hosts section on page 17 5 and the Configuring TACACS Server Hosts section on page 18 5 The Nexus 5000 Series switch is configured as a client of the AAA servers The preshared secret key is configured on the Nexus 5000 Series switch and on the remote AAA...

Page 246: ...tion configure the hosts on your Nexus 5000 Series switch See Chapter 17 Configuring RADIUS and Chapter 18 Configuring TACACS Step 2 Configure console login authentication methods See the Configuring Console Login Authentication Methods section on page 16 6 Step 3 Configure default login authentication methods for user logins See the Configuring Default Login Authentication Methods section on page...

Page 247: ... config aaa authentication login console group radius switch config exit switch show aaa authentication switch copy running config startup config Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config aaa authentication login console group group list none local none Configures login authentication methods for the console The group list argument consists of ...

Page 248: ...uthentication done Remote AAA servers unreachable local authentication failed To enable login authentication failure messages perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config aaa authentication login default group group list none local none Configures the default authentication methods The group list argument consists of a space deli...

Page 249: ...authentication login error enable Enables login authentication failure messages The default is disabled Step 3 switch config exit Exits configuration mode Step 4 switch show aaa authentication Optional Displays the login failure message configuration Step 5 switch copy running config startup config Optional Copies the running configuration to the startup configuration Table 16 3 MSCHAP RADIUS VSAs...

Page 250: ...server group for accounting Local Uses the local username or password database for accounting Note If you have configured server groups and the server groups do not respond by default the local database is used for authentication Before you configure AAA accounting default methods configure RADIUS or TACACS server groups as needed To configure AAA accounting default methods perform this task Comma...

Page 251: ...te seperator value The protocol is a Cisco attribute for a particular type of authorization separator is an equal sign for mandatory attributes and an asterisk indicates optional attributes When you use RADIUS servers for authentication on a Nexus 5000 Series switch the RADIUS protocol directs the RADIUS server to return user attributes such as authorization information along with authentication r...

Page 252: ...rivacy protocol attributes as follows shell roles roleA roleB snmpv3 auth SHA priv AES 128 The SNMPv3 authentication protocol options are SHA and MD5 The privacy protocol options are AES 128 and DES If you do not specify these options in the cisco av pair attribute MD5 and DES are the default authentication protocols For more information on user roles see Chapter 22 Configuring User Accounts and R...

Page 253: ...ttings Table 16 4 lists the default settings for AAA parameters Command Purpose show aaa accounting Displays AAA accounting configuration show aaa authentication login error enable mschap Displays AAA authentication information show aaa groups Displays the AAA server group configuration show running config aaa all Displays the AAA configuration in the running configuration show startup config aaa ...

Page 254: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 16 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 16 Configuring AAA Default Settings ...

Page 255: ...tatistics page 17 13 Example RADIUS Configuration page 17 14 Default Settings page 17 14 Information About RADIUS The RADIUS distributed client server system allows you to secure networks against unauthorized access In the Cisco implementation RADIUS clients run on the Nexus 5000 Series of switches and send authentication and accounting requests to a central RADIUS server that contains all user au...

Page 256: ...s Per user profiles enable the Nexus 5000 Series switch to better manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service level agreements RADIUS Operation When a user attempts to log in and authenticate to a Nexus 5000 Series switch using RADIUS the following process occurs 1 The user is prompted for and enters a username and passwo...

Page 257: ...DIUS server monitoring is performed by sending a test authentication request to the RADIUS server Vendor Specific Attributes The Internet Engineering Task Force IETF draft standard specifies a method for communicating vendor specific attributes VSAs between the network access server and the RADIUS server The IETF uses attribute 26 VSAs allow vendors to support their own extended attributes that ar...

Page 258: ...rerequisites for RADIUS RADIUS has the following prerequisites Obtain IPv4 or IPv6 addresses or host names for the RADIUS servers Obtain preshared keys from the RADIUS servers Ensure that the Nexus 5000 Series switch is configured as a RADIUS client of the AAA servers Guidelines and Limitations RADIUS has the following guidelines and limitations You can configure a maximum of 64 RADIUS servers on ...

Page 259: ...Specify a RADIUS Server at Login page 17 8 Configuring the Global RADIUS Transmission Retry Count and Timeout Interval page 17 9 Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server page 17 9 Configuring Accounting and Authentication Attributes for RADIUS Servers page 17 10 Configuring Periodic RADIUS Server Monitoring page 17 11 Configuring the Dead Time Interval page...

Page 260: ...itch config exit switch show radius server switch copy running config startup config Configuring RADIUS Server Preshared Keys You can configure preshared keys for a RADIUS server A preshared key is a shared secret text string between the Nexus 5000 Series switch and the RADIUS server host To configure radius server preshared keys obtain the preshared key values for the remote RADIUS servers and pe...

Page 261: ...mmand Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config radius server host ipv4 address ipv6 address host name key 0 7 key value Specifies a preshared key for a specific RADIUS server You can specify a clear text 0 or encrypted 7 preshared key The default format is clear text The maximum length is 63 characters This preshared key is used instead of the global ...

Page 262: ...To allow users to specify a RADIUS server at login perform this task Step 3 switch config radius server ipv4 address ipv6 address server name Configures the RADIUS server as a member of the RADIUS server group Tip If the specified RADIUS server is not found configure it using the radius server host command and retry this command Step 4 switch config radius deadtime minutes Optional Configures the ...

Page 263: ...e this number up to a maximum of five retries per server You can also set a timeout interval that the Nexus 5000 Series switch waits for responses from RADIUS servers before declaring a timeout failure To configure RADIUS transmission retry count and timeout interval for a server perform this task Step 4 switch show radius server directed request Optional Displays the directed request configuratio...

Page 264: ...host name retransmit count Specifies the retransmission count for a specific server The default is the global value Note The retransmission count value specified for a RADIUS server overrides the count specified for all RADIUS servers in Step 2 Step 3 switch config switch config radius server host ipv4 address ipv6 address host name timeout seconds Specifies the transmission timeout interval for a...

Page 265: ...option to test servers periodically Note For security reasons we recommend that you do not configure a test username that is the same as an existing user in the RADIUS database The test idle timer specifies the interval during which a RADIUS server receives no requests before the Nexus 5000 Series switch sends out a test packet Note The default idle timer value is 0 minutes When the idle time inte...

Page 266: ... Groups section on page 17 7 To configure dead time interval perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config radius server host ipv4 address ipv6 address host name test idle time minutes password password idle time minutes username name password password idle time minutes Specifies parameters for server monitoring The default userna...

Page 267: ...atistics the Cisco Nexus 5000 Series switch maintains for RADIUS server activity perform this task Step 3 switch config exit Exits configuration mode Step 4 switch show radius server Optional Displays the RADIUS server configuration Step 5 switch copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch t...

Page 268: ...erver host 10 10 1 1 key 7 ShMoMhTl authentication accounting aaa group server radius RadServer server 10 10 1 1 use vrf management Default Settings Table 17 1 lists the default settings for RADIUS parameters Command Purpose switch switch show radius server statistics hostname ipv4 address ipv6 address Displays the RADIUS statistics Table 17 1 Default RADIUS Parameters Parameters Default Server ro...

Page 269: ...switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You must have access to and must configure a TACACS server before the configured TACACS features on your Nexus 5000 Series switch are available TACACS provides for separate authentication authorization and accounting facilities TACACS allows for a single access control serve...

Page 270: ...d combination but may include prompts for other items such as the user s mother s maiden name 2 The Nexus 5000 Series switch will receive one of the following responses from the TACACS daemon ACCEPT User authentication succeeds and service begins If the Nexus 5000 Series switch requires user authorization authorization begins REJECT User authentication failed The TACACS daemon either denies furthe...

Page 271: ...xus 5000 Series switch can periodically monitor an TACACS server to check whether it is responding or alive to save time in processing AAA requests The Nexus 5000 Series switch marks unresponsive TACACS servers as dead and does not send AAA requests to any dead TACACS servers A Nexus 5000 Series switch periodically monitors dead TACACS servers and brings them to the alive state once they are respo...

Page 272: ... TACACS Server Configuration Process page 18 4 Enabling TACACS page 18 5 Configuring TACACS Server Hosts page 18 5 Configuring Global Preshared Keys page 18 6 Configuring TACACS Server Preshared Keys page 18 7 Configuring TACACS Server Groups page 18 7 Specifying a TACACS Server at Login page 18 8 Configuring the Global TACACS Timeout Interval page 18 9 Configuring the Timeout Interval for a Serve...

Page 273: ... 18 11 Enabling TACACS By default the TACACS feature is disabled on the Nexus 5000 Series switch To explicitly enable the TACACS feature to access the configuration and verification commands for authentication perform this task Configuring TACACS Server Hosts To access a remote TACACS server you must configure the IPv4 or IPv6 address or the hostname for the TACACS server on the Nexus 5000 Series ...

Page 274: ...inal Enters configuration mode Step 2 switch config tacacs server host ipv4 address ipv6 address host name Specifies the IPv4 or IPv6 address or hostname for a TACACS server Step 3 switch config exit Exits configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server configuration Step 5 switch copy running config startup config Optional Copies the running configuration t...

Page 275: ... AAA servers to authenticate users using server groups All members of a group must belong to the TACACS protocol The servers are tried in the same order in which you configure them You can configure these server groups at any time but they only take effect when you apply them to an AAA service For information on AAA services see the Remote AAA Services section on page 16 2 Command Purpose Step 1 s...

Page 276: ... is the name of a configured RADIUS server Note User specified logins are only supported for Telnet sessions Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config aaa group server tacacs group name Creates a TACACS server group and enters the TACACS server group configuration mode for that group Step 3 switch config tacacs server ipv4 address ipv6 address ...

Page 277: ... switch waits for responses from a TACACS server before declaring a timeout failure Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config tacacs server directed request Allows users to specify a TACACS server to send the authentication request when logging in The default is disabled Step 3 switch config exit Exits configuration mode Step 4 switch show taca...

Page 278: ...pv4 address ipv6 address host name timeout seconds Specifies the timeout interval for a specific server The default is the global value Note The timeout interval value specified for a TACACS server overrides the global timeout interval value specified for all TACACS servers Step 3 switch config exit Exits configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server confi...

Page 279: ...e shows how to configure periodic TACACS server monitoring switch configure terminal switch config tacacs server host 10 10 1 1 test username user1 password Ur2Gd2BH idle time 3 switch config tacacs server dead time 5 switch config exit switch show tacacs server switch copy running config startup config Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config...

Page 280: ...oup perform this task The following example shows how to manually issue a test message switch test aaa server tacacs 10 10 1 1 user1 Ur2Gd2BH switch test aaa group TacGroup user2 As3He3CI Disabling TACACS You can disable TACACS Caution When you disable TACACS all related configurations are automatically discarded Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 swi...

Page 281: ...cacs tacacs server key 7 ToIkLhPpG tacacs server host 10 10 2 2 key 7 ShMoMhTl aaa group server tacacs TacServer server 10 10 2 2 use vrf management Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config feature tacacs Enables TACACS Step 3 switch config exit Exits configuration mode Step 4 switch copy running config startup config Optional Copies the runni...

Page 282: ...pter 18 Configuring TACACS Default Settings Default Settings Table 18 1 lists the default settings for TACACS parameters Table 18 1 Default TACACS Parameters Parameters Default TACACS Disabled Dead timer interval 0 minutes Timeout interval 5 seconds Idle timer interval 0 minutes Periodic server monitoring username test Periodic server monitoring password test ...

Page 283: ...net page 19 7 Verifying the SSH and Telnet Configuration page 19 9 SSH Example Configuration page 19 9 Default Settings page 19 10 Information About SSH and Telnet This section includes the following topics SSH Server page 19 1 SSH Client page 19 2 SSH Server Keys page 19 2 Telnet Server page 19 2 SSH Server The SSH server feature enables a SSH client to make a secure encrypted connection to a Nex...

Page 284: ...SA public key cryptography SSH version 2 using the Digital System Algrorithm DSA Be sure to have an SSH server key pair with the appropriate version before enabling the SSH service You can generate the SSH server key pair according to the SSH client version used The SSH service accepts three types of key pairs for use by SSH version 2 The dsa option generates the DSA key pair for the SSH version 2...

Page 285: ...n generate an SSH server key based on your security requirements The default SSH server key is an RSA key generated using 1024 bits To generate SSH server keys perform this task The following example shows how to generate an SSH server key switch configure terminal switch config ssh key rsa 2048 switch config exit switch show ssh key switch copy running config startup config Command Purpose Step 1...

Page 286: ...yuA50rv7gsEPjhOBYmsi6PAVKui1nIf DQhum lJNqJP eLowb7ubO lVKRXFY G lJNIQW3g9igG30c6k6 XVn NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH 3UD vKyziEh5S4Tplx8 switch config exit switch show user account switch copy running config startup config Specifying the SSH Public Keys in IETF SECSH Format You can specify the SSH public keys in IETF SECSH format for user accounts To specify the SSH public keys in IETF SECSH...

Page 287: ...ollowing example shows how to specify the SSH public keys in PEM formatted public key certificate form switch copy tftp 10 10 1 1 cert pem bootflash cert pem switch configure terminal switch show user account switch copy running config startup config Step 3 switch config username username sshkey file filename Configures the SSH public key in SSH format Step 4 switch config exit Exits global config...

Page 288: ...s to the switch perform this task Deleting SSH Server Keys You can delete SSH server keys after you disable the SSH server Note To reenable SSH you must first generate an SSH server key see Generating SSH Server Keys section on page 19 3 Command Purpose switch ssh hostname username hostname vrf vrf name Creates an SSH session to a remote device The hostname argument can be an IPv4 address an IPv6 ...

Page 289: ...5000 Series switch perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config no ssh server enable Disables the SSH server Step 3 switch config no ssh key dsa rsa Deletes the SSH server key The default is to delete all the SSH keys Step 4 switch config exit Exits global configuration mode Step 5 switch show ssh key Optional Displays the SSH se...

Page 290: ... device To start Telnet sessions to connect to remote devices from your Nexus 5000 Series switch perform this task The following example shows starting a Telnet session to connect to a remote device switch telnet 10 10 1 1 Trying 10 10 1 1 Connected to 10 10 1 1 Escape character is switch login Clearing Telnet Sessions To clear Telnet sessions from the Nexus 5000 Series switch perform this task Co...

Page 291: ...ZKr MZm99n2U0ChzZG4svRW mHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4na H1d3Q0hDt uWEA0tk a2uOtXlDhliEmn4HVXOjGhFhoNE bitcount 1024 fingerprint 51 6d de 1c c3 29 50 88 df cc 95 f0 15 5d 9a df could not retrieve dsa key information Step 4 Specify the SSH public key in Open SSH format switch config username User1 sshkey ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G 3f1 Xs...

Page 292: ...iguration Guide OL 16597 01 Chapter 19 Configuring SSH and Telnet Default Settings Default Settings Table 19 1 lists the default settings for SSH parameters Table 19 1 Default SSH Parameters Parameters Default SSH server Enabled SSH server key RSA key generated with 1024 bits RSA key bits for generation 1024 Telnet server Enabled ...

Page 293: ...conditions of all rules The first match determines whether the packet is permitted or denied If there is no match the switch applies the applicable default rule The switch continues processing packets that are permitted and drops packets that are denied For more information see the Implicit Rules section on page 20 3 You can use ACLs to protect networks and specific hosts from unnecessary or unwan...

Page 294: ...it Rules page 20 3 Additional Filtering Options page 20 3 Sequence Numbers page 20 3 Logical Operators and Logical Operation Units page 20 4 Source and Destination In each rule you specify the source and the destination of the traffic that matches the rule You can specify both the source and destination as a specific host a network or group of hosts or any host Protocols ACLs allow you to identify...

Page 295: ...oint DSCP value TCP packets with the ACK FIN PSH RST SYN or URG bit set Established TCP connections Sequence Numbers The switch supports sequence numbers for rules Every rule that you enter receives a sequence number either assigned by you or assigned automatically by the switch Sequence numbers simplify the following ACL tasks Adding new rules between existing rules By specifying the sequence num...

Page 296: ...boundary values The following guidelines determine when the switch stores operator operand couples in LOUs If the operator or operand differs from other operator operand couples that are used in other rules the couple is stored in an LOU For example the operator operand couples gt 10 and gt 11 would be stored separately in half an LOU each The couples gt 10 and lt 10 would also be stored separatel...

Page 297: ...llows you can use the resequence command to reassign sequence numbers For more information see the Changing Sequence Numbers in an IP ACL section on page 20 7 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config ip access list name Creates the IP ACL and enters IP ACL configuration mode The name argument can be up to 64 characters Step 3 switch config acl...

Page 298: ...ule in the IP ACL Using a sequence number allows you to specify a position for the rule in the ACL Without a sequence number the rule is added to the end of the rules The sequence number argument can be a whole number between 1 and 4294967295 The permit and deny commands support many ways of identifying traffic For more information see the Cisco Nexus 5000 Series Command Reference Step 4 switch co...

Page 299: ...unning config startup config Optional Copies the running configuration to the startup configuration Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config resequence ip access list name starting sequence number increment Assigns sequence numbers to the rules contained in the ACL where the first rule receives the starting sequence number that you specify Eac...

Page 300: ... IP ACL Configurations To display IP ACL configuration information perform one of the following tasks For detailed information about the fields in the output from these commands refer to the Cisco Nexus 5000 Series Command Reference Step 3 switch config if ipv6 port traffic filter name in Applies an IPv6 port access list Step 4 switch config if ip port access group access list in Applies an IPv4 A...

Page 301: ...erform one of the following tasks For detailed information about these commands refer to the Cisco Nexus 5000 Series Command Reference Configuring MAC ACLs This section includes the following topics Creating a MAC ACL page 20 10 Changing a MAC ACL page 20 10 Removing a MAC ACL page 20 11 Changing Sequence Numbers in a MAC ACL page 20 12 Applying a MAC ACL as a Port ACL page 20 12 Applying a MAC AC...

Page 302: ...uence command to reassign sequence numbers For more information see the Changing Sequence Numbers in an IP ACL section on page 20 7 To change a MAC ACL perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch mac access list name Creates the MAC ACL and enters ACL configuration mode Step 3 switch config mac acl permit deny source destination protoc...

Page 303: ...oved ACL to be empty Step 3 switch config mac acl sequence number permit deny source destination protocol Optional Creates a rule in the MAC ACL Using a sequence number allows you to specify a position for the rule in the ACL Without a sequence number the rule is added to the end of the rules The permit and deny commands support many ways of identifying traffic Step 4 switch config mac acl no sequ...

Page 304: ... Configuring IP ACLs section on page 20 4 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config no mac access list name Removes the MAC ACL that you specify by name from the running configuration Step 3 switch config show mac access lists Optional Displays the MAC ACL configuration Step 4 switch config copy running config startup config Optional Copies the...

Page 305: ... matched each rule Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface ethernetslot port Enters interface configuration mode for the specified interface switch config interface port channel channel number Enters interface configuration mode for a port channel interface Step 3 switch config if mac port access group access list Applies a MAC ACL ...

Page 306: ... not defined by direction ingress or egress For more information about types and applications of ACLs see the Information About ACLs section on page 20 1 This section includes the following topics VACLs and Access Maps page 20 14 VACLs and Actions page 20 14 Statistics page 20 15 VACLs and Access Maps VACLs use access maps to link an IP ACL or a MAC ACL to an action The switch takes the configured...

Page 307: ...information about displaying VACL statistics see the Displaying and Clearing IP ACL Statistics section on page 20 9 Configuring VACLs This section includes the following topics Creating or Changing a VACL page 20 15 Removing a VACL page 20 16 Applying a VACL to a VLAN page 20 16 Verifying VACL Configuration page 20 17 Displaying and Clearing VACL Statistics page 20 17 Creating or Changing a VACL Y...

Page 308: ... drop forward Specifies the action that the switch applies to traffic that matches the ACL Step 5 switch config access map no statistics Optional Specifies that the switch maintains global statistics for packets matching the rules in the VACL The no option stops the switch from maintaining global statistics for the VACL Step 6 switch config access map show running config Optional Displays ACL conf...

Page 309: ...g no vlan filter map name vlan list list Applies the VACL to the VLANs by the list that you specified The no option unapplies the VACL The vlan list command can specify a list of up to 32 VLANs but multiple vlan list commands can be configured to cover more than 32 VLANs Step 3 switch config show running config Optional Displays ACL configuration Step 4 switch config copy running config startup co...

Page 310: ...lt settings for VACL parameters Table 20 2 Default IP ACLs Parameters Parameters Default IP ACLs No IP ACLs exist by default ACL rules Implicit rules apply to all ACLs See the Implicit Rules section on page 20 3 Table 20 3 Default MAC ACLs Parameters Parameters Default MAC ACLs No MAC ACLs exist by default ACL rules Implicit rules apply to all ACLs See the Implicit Rules section on page 20 3 Table...

Page 311: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 4 System Management ...

Page 312: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 313: ...e configuration synchronization with other switches in the network to function correctly Synchronization through manual configuration at each switch in the network can be a tedious and error prone process Cisco Fabric Services CFS provides a common infrastructure for automatic configuration synchronization in the network It provides the transport function and a set of common services to the featur...

Page 314: ...ted set of VSANs Some features require configuration distribution over some specific VSANs These features can specify to CFS the set of VSANs over which to restrict the distribution Supports a merge protocol that facilitates the merge of feature configuration during a fabric merge event when two independent SAN fabrics merge CFS Distribution The CFS distribution functionality is independent of the...

Page 315: ...ordinated distributions are used to distribute information that can be manipulated and distributed from multiple switches for example the port security configuration Unrestricted Uncoordinated Distributions Unrestricted uncoordinated distributions allow multiple parallel distributions in the network in the presence of an existing coordinated distribution Unrestricted uncoordinated distributions ar...

Page 316: ...empt over Fibre Channel fails CFS does not send duplicate messages if distribution over both IP and Fibre Channel is enabled Distribution over IP version 4 IPv4 or IP version 6 IPv6 Note CFS cannot distribute over both IPv4 and IPv6 from the same switch Keepalive mechanism to detect network topology changes using a configurable multicast address Compatibility with Cisco MDS 9000 Family switches ru...

Page 317: ...ILS 0x77434653 protocol for all CFS packets CFS packets are sent to or from the switch domain controller addresses CFS Distribution Scopes Different applications on the Cisco Nexus 5000 Series switches need to distribute the configuration at various levels The following levels are available when using CFS distribution over Fibre Channel VSAN level logical scope Applications that operate within the...

Page 318: ...ful and informs all switches in the combined fabric of the status of the merge In case of a successful merge the merged database is distributed to all switches in the combined fabric and the entire new fabric remains in a consistent state You can recover from a merge failure by starting a distribution from any of the switches in the new fabric This distribution restores all peers in the fabric to ...

Page 319: ...ion is not distributed by CFS unless distribution is explicitly enabled for that application Verifying Application Registration Status The show cfs application command displays the applications that are currently registered with CFS The first column displays the application name The second column indicates whether the application is enabled or disabled for distribution enabled or disabled The last...

Page 320: ...ing CFS Lock Status The show cfs lock command displays all the locks that are currently acquired by any application For each application the command displays the application name and scope of the lock taken If the application lock is taken in the physical scope then this command displays the switch WWN IP address user name and user type of the lock holder If the application is taken in the logical...

Page 321: ...nges the application flushes the pending database and releases locks in the network Both the abort and commit functions are only supported from the switch from which the network lock is acquired You can discard changes for a specified feature by using the abort command for that feature Saving the Configuration Configuration changes that have not been applied yet still in the pending database are n...

Page 322: ...to all network administrators regardless of their location For the Call Home application to send message alerts selectively to network administrators the physical scope of the application has to be fine tuned or narrowed down which is achieved by implementing CFS regions CFS regions are identified by numbers ranging from 0 through 200 Region 0 is reserved as the default region and contains every s...

Page 323: ... network into the scope of distribution for the application To remove applications from a region perform this task Command Purpose Step 1 switch configure Enters configuration mode Step 2 switch config cfs region region id Creates a region Command Purpose Step 1 switch configure Enters configuration mode Step 2 switch config cfs region region id Creates a region Step 3 switch config cfs region ntp...

Page 324: ...guring IP Multicast Address for CFS over IP page 21 13 Verifying IP Multicast Address Configuration for CFS over IP page 21 14 Enabling CFS over IP Note CFS cannot distribute over both IPv4 and IPv6 from the same switch To enable or disable CFS over IPv4 perform this task To enable or disable CFS over IPv6 perform this task Command Purpose Step 1 switch configure Enters configuration mode Step 2 s...

Page 325: ...default IPv6 multicast address is ff13 7743 4653 To configure an IP multicast address for CFS over IPv4 perform this task To configure an IP multicast address for CFS over IPv6 perform this task Command Purpose Step 1 switch configure Enters configuration mode Step 2 switch config cfs ipv4 mcast address ipv4 address Configures the IPv4 multicast address for CFS distribution over IPv4 The ranges of...

Page 326: ...r the local network In case of a merge failure or a merge in progress the local network and the remote network involved in the merge are indicated separately The application server in each network that is mainly responsible for the merge is indicated by the term Merge Master switch show cfs merge status name port security Logical VSAN 1 Merge Status Failed Local Fabric Domain Switch WWN IP Address...

Page 327: ... which a particular application is registered with CFS The command output shows all the peers for the physical scope or for each of the valid VSANs on the switch depending on the application scope For physical scope the switch WWNs for all the peers are indicated The local switch is indicated as Local switch show cfs peers name ntp Scope Physical Switch WWN IP Address 20 00 00 44 22 00 4a 9e 172 2...

Page 328: ...ettings Table 21 1 lists the default settings for CFS configurations Table 21 1 Default CFS Parameters Parameters Default CFS distribution on the switch Enabled Database changes Implicitly enabled with the first configuration change Application distribution Differs based on application Commit Explicit configuration is required CFS over IP Disabled IPv4 multicast address 239 255 70 83 IPv6 multicas...

Page 329: ...and RBAC Configuration page 22 9 Default Settings page 22 10 Information About User Accounts and RBAC You can create and manage users accounts and assign roles that limit access to operations on the Nexus 5000 Series switch RBAC allows you to define the rules for an assign role that restrict the authorization that the user has to access management operations This section includes the following top...

Page 330: ... dictionary words Does not contain proper names Contains both uppercase and lowercase characters Contains numbers The following are examples of strong passwords If2CoM18 2004AsdfLkj30 Cb1955S21 Note Clear text passwords can contain alphanumeric characters only Special characters such as the dollar sign or the percent sign are not allowed Tip If a password is trivial such as a short easy to deciphe...

Page 331: ...fault or user defined group of features Enter the show role feature group command to display the default feature groups available for this parameter These parameters create a hierarchical relationship The most basic control parameter is the command The next control parameter is the feature which represents all commands associated with the feature The last control parameter is the feature group The...

Page 332: ...user roles see the Configuring RBAC section on page 22 5 Note Changes to user account attributes do not take effect until the user logs in and creates a new session To configure a user account perform this task Command Purpose Step 1 switch config show role Optional Displays the user roles available You can configure other user roles if necessary see the Creating User Roles and Rules section on pa...

Page 333: ... up to 256 rules You can assign a user role to more that one user account The rule number you specify determines the order in which the rules are applied Rules are applied in descending order For example if a role has three rules rule 3 is applied before rule 2 which is applied before rule 1 To create user roles and specify rules perform this task Step 5 switch show user account Optional Displays ...

Page 334: ...ll Ethernet interfaces Repeat this command for as many rules as needed switch config role rule number deny permit read read write Configures a read only or read and write rule for all operations switch config role rule number deny permit read read write feature feature name Configures a read only or read and write rule for a feature Use the show role feature command to display a list of features R...

Page 335: ...e feature group configuration Step 5 switch config copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config role name role name Specifies a user role and enters role configuration mode Step 3 switch config role rule number permit command configure termina...

Page 336: ...h config role rule number permit command configure terminal vlan Configures a command rule to allow access to all VLANs Step 4 switch config role vlan policy deny Enters role VLAN policy configuration mode Step 5 switch config role vlan permit vlan vlan list Specifies a range of VLANs that the role can access Repeat this command for as many VLANs as needed Step 6 switch config role vlan exit Exits...

Page 337: ...r role feature group role feature group name Security features feature radius feature tacacs feature aaa feature acl feature access list Step 7 switch config role show role Optional Displays the role configuration Step 8 switch config role copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose show role Displays the...

Page 338: ...AC Default Settings Default Settings Table 22 1 lists the default settings for user accounts and RBAC parameters Table 22 1 Default User Accounts and RBAC Parameters Parameters Default User account password Undefined User account expiry date None Interface policy All interfaces are accessible VLAN policy All VLANs are accessible VFC policy All VFCs are accessible VETH policy All VETHs are accessib...

Page 339: ...ovides a basic semantic check on your configuration Cisco NX OS returns an error if the semantic check fails on any part of the configuration Verification Verifies the configuration as a whole based on the existing hardware and software configuration and resources Cisco NX OS returns an error if the configuration does not pass this verification phase Commit Cisco NX OS verifies the complete config...

Page 340: ...ask Command Purpose Step 1 switch configure session name Creates a configuration session and enters session configuration mode The name can be any alphanumeric string Step 2 switch config s show configuration session name Optional Displays the contents of the session Step 3 switch config s save location Optional Saves the session to a file The location can be in bootflash or volatile Command Purpo...

Page 341: ...s how to create a configuration session for ACLs switch configure session name test2 switch config s ip access list acl2 switch config s acl permit tcp any any switch config s acl exit switch config s interface Ethernet 1 4 switch config s ip ip port access group acl2 in switch config s ip exit switch config s verify switch config s exit switch show configuration session test2 Command Purpose swit...

Page 342: ...figuration Verifying Session Manager Configuration To verify Session Manager configuration information use the following commands Command Purpose switch show configuration session name Displays the contents of the configuration session switch show configuration session status name Displays the status of the configuration session switch show configuration session summary Displays a summary of all t...

Page 343: ...rmal switch operation This section includes the following topics Online Diagnostics Overview page 24 1 Bootup Diagnostics page 24 1 Health Monitoring Diagnostics page 24 2 Expansion Module Diagnostics page 24 3 Online Diagnostics Overview Cisco Nexus 5000 Series switches support bootup diagnostics and runtime diagnostics Bootup diagnostics include disruptive tests and nondisruptive tests that run ...

Page 344: ... detect runtime hardware errors memory errors software faults and resource exhaustion Health monitoring diagnostics are nondisruptive and run in the background to ensure the health of a switch that is processing live network traffic Table 24 2 describes the health monitoring diagnostics for the switch Table 24 1 Bootup Diagnostics Diagnostic Description USB Flash Verifies the integrity of the USB ...

Page 345: ...specific to health monitoring diagnostics for expansion modules Table 24 3 Health Monitoring and Bootup Diagnostics Tests Diagnostic Description SPROM Verifies the integrity of backplane and supervisor SPROMs Fabric engine Tests the switch fabric ASICs Fabric port Tests the ports on the switch fabric ASIC Forwarding engine Tests the forwarding engine ASICs Forwarding engine port Tests the ports on...

Page 346: ...figure terminal switch config diagnostic bootup level complete Verifying Online Diagnostics Configuration To display online diagnostics configuration information perform one of the following tasks Default Settings Table 24 6 lists the default settings for online diagnostics parameters Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config diagnostic bootup ...

Page 347: ...k c i s c o c o m 24 5 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 24 Configuring Online Diagnostics Default Settings Table 24 6 Default Online Diagnostics Parameters Parameters Default Bootup diagnostics level complete ...

Page 348: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 24 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 24 Configuring Online Diagnostics Default Settings ...

Page 349: ...t system processes generate You can configure logging to terminal sessions a log file and syslog servers on remote systems By default the switch outputs messages to terminal sessions For information about configuring logging to terminal sessions see the Configuring System Message Logging to Terminal Sessions section on page 25 2 By default the switch logs system messages to a log file For informat...

Page 350: ...in a fabric you can use the Cisco Fabric Services CFS to distribute the syslog server configuration For information about distributing the syslog server configuration see the Configuring syslog Server Configuration Distribution section on page 25 7 Note When the switch first initializes messages are sent to syslog servers only after the network is initialized Configuring System Message Logging Thi...

Page 351: ...re terminal Enters configuration mode Step 2 switch config logging console severity level Enables the switch to log messages to the console session based on a specified severity level or higher Severity levels which can range from 0 to 7 are listed in Table 25 1 If the severity level is not specified the default of 2 is used switch config no logging console severity level Disables the switch s abi...

Page 352: ...store system messages and the minimum severity level to log You can optionally specify a maximum file size The default severity level is 5 and the file size is 10485760 Severity levels are listed in Table 25 1 The file size is from 4096 to 10485760 bytes switch config no logging logfile logfile name severity level size bytes Disables logging to the log file Step 3 switch config show logging info O...

Page 353: ...ity severity level Enables logging messages from the specified facility that have the specified severity level or higher Severity levels which range from 0 to 7 are listed in Table 25 1 To apply the same severity level to all facilities use the all facility For defaults see the show logging level command switch config no logging level facility severity level Resets the logging severity level for t...

Page 354: ...ll These facility designators allow you to control the destination of messages based on their origin Note Check your configuration before using a local facility Level Minimum severity level at which messages are logged which can be debug info notice warning err crit alert emerg or an asterisk for all You can use none to disable a facility Action Destination for messages which can be a filename a h...

Page 355: ... changes to the syslog server configuration Note If the switch is restarted the syslog server configuration changes that are kept in volatile memory may be lost To configure syslog server configuration distribution perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config logging distribute Enables distribution of syslog server configuration ...

Page 356: ...ion about the current state of syslog server distribution and the last action taken Step 8 switch config copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch show logging last number lines Displays the last number of lines in the logging file You can specify from 1 to 9999 for the last number of line...

Page 357: ...g configuration show logging info Displays the logging configuration show logging internal info Displays the syslog distribution information show logging last number lines Displays the last number of lines of the log file show logging level facility Displays the facility logging severity level configuration show logging logfile start time yyyy mmm dd hh mm ss end time yyyy mmm dd hh mm ss Displays...

Page 358: ... the default settings for system message logging parameters Table 25 3 Default System Message Logging Parameters Parameters Default Console logging Enabled at severity level 2 Monitor logging Enabled at severity level 2 Log file logging Enabled to log messages at severity level 5 Module logging Enabled at severity level 5 Facility logging Enabled Time stamp units Seconds syslog server logging Disa...

Page 359: ... based notification of critical system events Nexus 5000 Series switches provide a range of message formats for optimal compatibility with pager services standard e mail or XML based automated parsing applications You can use this feature to page a network support engineer e mail a Network Operations Center or use Cisco Smart Call Home services to automatically generate a case with the Technical A...

Page 360: ... groups The group of alerts that trigger a specific Call Home message if the alert occurs One or more e mail destinations The list of receipents for the Call Home messages generated by alert groups assigned to this destination profile Message format The format for the Call Home message short text full text or XML Message severity level The Call Home severity level that the alert must meet before t...

Page 361: ...tail show module show version show tech support platform callhome Supervisor hardware Events related to supervisor modules show diagnostic result module all detail show module show version show tech support platform callhome Linecard hardware Events related to standard or intelligent switching modules show diagnostic result module all detail show module show version show tech support platform call...

Page 362: ...me messages with a value lower than this threshold for the destination profile The Call Home message level ranges from 0 lowest level of urgency to 9 highest level of urgency and the default is 0 Nexus 5000 Series sends all messages Call Home messages that are sent for syslog alert groups have the syslog severity level mapped to the Call Home message level Note Call Home does not change the syslog...

Page 363: ...nt in cases that require support for multiple devices or in cases where security requirements mandate that your devices may not be connected directly to the Internet Web based access to Call Home messages and recommendations inventory and configuration information for all Call Home devices Provides access to associated field notices security advisories and end of life information You need the foll...

Page 364: ...Call Home page 26 12 Testing Call Home Communications page 26 13 Guidelines for Configuring Call Home To configure Call Home perform this task Step 1 Assign contact information Step 2 Configure destination profiles Step 3 Associate one or more alert groups to each profile Step 4 Optional Add additional show commands to the alert groups Step 5 Configure transport options Step 6 Enable Call Home Ste...

Page 365: ...annot use spaces Be sure to use the prefix before the number Step 6 switch config callhome streetaddress address Configures the street address as an alphanumeric string with white paces for the primary person responsible for the device Up to 255 alphanumeric characters are accepted including spaces Step 7 switch config callhome contract id contract number Optional Configures the contract number fo...

Page 366: ... profile Message size The allowed length of a Call Home message sent to the e mail addresses in this destination profile See the Associating an Alert Group with a Destination Profile section on page 26 9 for information on configuring an alert group for a destination profile Note You cannot modify or delete the CiscoTAC 1 destination profile To modify the attributes for a destination profile perfo...

Page 367: ...sends only alerts that have a matching or higher Call Home severity level to destinations in this profile The range is from 0 to 9 where 9 is the highest severity level Step 5 switch config callhome destination profile name full txt destination short txt destination message size number Configures the maximum message size for this destination profile The range is from 0 to 4000000 The default is 40...

Page 368: ...E Mail You must configure the SMTP server address for the Call Home functionality to work You can also configure the from and reply to e mail addresses To configure e mail perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config callhome Enters callhome configuration mode Step 3 switch config callhome alert group Configuration Diagnostic...

Page 369: ...il smtp server ip address port number use vrf vrf name Configures the SMTP server as either the domain name server DNS name IPv4 address or IPv6 address Optionally configures the port number The port ranges is from 1 to 65535 The default port number is 25 Also optionally configures the VRF to use when communicating with this SMTP server Step 4 switch config callhome transport email from email addr...

Page 370: ...able the Call Home function To enable Call Home in callhome configuration mode perform this task To disable Call Home in the callhome configuration mode perform this task To enable Call Home distribution using CFS in the callhome configuration mode perform this task To commit Call Home configuration changes and distribute using CFS in the callhome configuration mode perform this task Command Purpo...

Page 371: ...olds the CFS lock Command Purpose switch config callhome callhome send diagnostic Sends the specified Call Home test message to all configured destinations switch config callhome callhome test Sends a test message to all configured destinations callhome test and callhome test inventory commands are supported Command Purpose show callhome Displays the status for Call Home show callhome destination ...

Page 372: ...le Noc101 alert group Configuration alert group Configuration user def cmd show ip routing transport email smtp server 192 0 2 10 use vrf Red enable commit Default Settings Table 26 3 lists the default settings for Call Home parameters show running config callhome callhome all show startup config callhome Displays the running configuration for Call Home show startup config callhome Displays the st...

Page 373: ...pes Table 26 5 describes the common event message format for full text or XML Table 26 4 Short Text Message Format Data Item Description Device identification Configured device name Date time stamp Time stamp of the triggering event Error isolation message Plain English description of triggering event Alarm urgency level Error level such as that applied to system message Table 26 5 Common Fields f...

Page 374: ...UDI of the device The format is type Sid serial type is the product model number from backplane IDPROM is a separator character Sid is C identifying the serial ID as a chassis serial number serial is the number identified by the Sid field An example is WS C6509 C 12345678 aml header serverId Message description Short text that describes the error aml body msgDesc Device name Node that experienced ...

Page 375: ...ext and XML Description Plain Text and XML XML Tag XML Only Table 26 6 Inserted Fields for a Reactive or Proactive Event Message Data Item Plain Text and XML Description Plain Text and XML XML Tag XML Only Chassis hardware version Hardware version of chassis aml body chassis hwVersion Supervisor module software version Top level software version aml body chassis swVersion Affected FRU name Name of...

Page 376: ...0 44 10 76 100 177 PORT 5 IF_TRUNK_UP VLAN 1 Interface e2 5 vlan 1 is up syslog_facility PORT start chassis information Affected Chassis WS C6509 Affected Chassis Serial Number FG 07120011 FRU name Name of the affected FRU that is generating the event message aml body fru name FRU s n Serial number of the FRU aml body fru serialNo FRU part number Part number of the FRU aml body fru partNo FRU slot...

Page 377: ... example com appliance uri aml session From aml session MessageId M2 69000101 C9D9E20B aml session MessageId aml session Session soap env Header soap env Body aml block Block xmlns aml block http www example com 2004 01 aml block aml block Header aml block Type http www example com 2005 05 callhome syslog aml block Type aml block CreationDate 2007 04 25 14 19 55 GMT 00 00 aml block CreationDate am...

Page 378: ...nt aml block Attachments aml block Attachment type inline aml block Name show logging aml block Name aml block Data encoding plain CDATA Syslog logging enabled 0 messages dropped 0 messages rate limited 0 flushes 0 overruns xml disabled filtering disabled Console logging level debugging 53 messages logged xml disabled filtering disabled Monitor logging level debugging 0 messages logged xml disable...

Page 379: ...ning Minimal Diagnostics 00 03 50 DIAG SP 6 DIAG_OK Module 6 Passed Online Diagnostics 00 03 50 OIR SP 6 INSCARD Card inserted in slot 6 interfaces are now online 00 03 51 DIAG SP 6 RUN_MINIMUM Module 3 Running Minimal Diagnostics 00 03 51 DIAG SP 6 RUN_MINIMUM Module 7 Running Minimal Diagnostics 00 03 51 DIAG SP 6 RUN_MINIMUM Module 9 Running Minimal Diagnostics 00 01 51 MFIB_CONST_RP 6 REPLICAT...

Page 380: ...0 05 30 DIAG SP 6 DIAG_OK Module 4 Passed Online Diagnostics 00 05 31 SPAN SP 6 SPAN_EGRESS_REPLICATION_MODE_CHANGE Span Egress HW Replication Mode Change Detected Current replication mode for unused asic session 0 is Centralized 00 05 31 SPAN SP 6 SPAN_EGRESS_REPLICATION_MODE_CHANGE Span Egress HW Replication Mode Change Detected Current replication mode for unused asic session 1 is Centralized 0...

Page 381: ...ge format for communication between SNMP managers and agents SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network This section includes the following topics SNMP Functional Overview page 27 1 SNMP Notifications page 27 2 SNMPv3 page 27 2 SNMP Functional Overview The SNMP framework consists of three parts An SNMP manager The sys...

Page 382: ...cations to multiple host receivers See the Configuring SNMP Notification Receivers section on page 27 6 for more information about host receivers SNMPv3 SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network The security features provided in SNMPv3 are the following Message integrity Ensures that a packet has not been tampered with in tra...

Page 383: ...inated is confirmed Message confidentiality Ensures that information is not made available or disclosed to unauthorized individuals entities or processes SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages Cisco NX OS uses two authentication protocols for SNMPv3 HMAC MD5 96 authentication protocol HMAC SHA 96 authentication protocol Cisco NX OS uses Advanced...

Page 384: ...er is also used to store user group names SNMP uses the group names to apply the access role policy that is locally available in the switch Any configuration changes made to the user group role or password results in database synchronization for both SNMP and AAA Cisco NX OS synchronizes user configuration in the following ways The auth passphrase specified in the snmp server user command becomes ...

Page 385: ...age 27 10 Enabling One Time Authentication for SNMP over TCP page 27 10 Assigning SNMP Switch Contact and Location Information page 27 11 Configuring SNMP Users To configure a user for SNMP perform this task Enforcing SNMP Message Encryption You can configure SNMP to require authentication or encryption for incoming requests By default the SNMP agent accepts SNMPv3 messages without authentication ...

Page 386: ...ssign a role to an SNMP user in a global configuration mode perform this task Creating SNMP Communities You can create SNMP communities for SNMPv1 or SNMPv2c To create an SNMP community string in a global configuration mode perform this task Configuring SNMP Notification Receivers You can configure Cisco NX OS to generate SNMP notifications to multiple host receivers Command Purpose switch config ...

Page 387: ... Nexus 5000 Series switch uses the credentials of the notification target user to encrypt the SNMPv3 inform notification messages to the configured notification host receiver Note For authenticating and decrypting the received INFORM PDU The notification host receiver should have the same user credentials as configured in the Cisco Nexus 5000 Series switch to authenticate and decrypt the informs C...

Page 388: ...ssphrase auto priv aes 128 passphrase engineID id Configures the notification target user with the specified engine ID for notification host receiver The engineID format is a 12 digit colon separated hexadecimal number Table 27 2 Enabling SNMP Notifications MIB Related Commands All notifications snmp server enable traps CISCO AAA SERVER MIB snmp server enable traps aaa ENITY MIB CISCO ENTITY FRU C...

Page 389: ...own defined in IF MIB if ifLinkUpDownTrapEnable defined in IF MIB is enabled for that interface Cisco NX OS adds additional varbinds specific to Cisco Systems in addition to the varbinds defined in the IF MIB This is the default setting CISCO RSCN MIB snmp server enable traps rscn snmp server enable traps rscn els snmp server enable traps rscn ils CISCO ZS MIB snmp server enable traps zone snmp se...

Page 390: ...nd linkDown notifications To configure the type of linkUp linkDown notifications in a global configuration mode perform this task Disabling Up Down Notifications on an Interface You can disable linkUp and linkDown notifications on an individual interface You can use this limit notifications on flapping interface an interface that transitions between up and down repeatedly To disable linkUp linkDow...

Page 391: ...sha abcd1234 priv abcdefgh snmp server user NMS auth sha abcd1234 priv abcdefgh enginID 00 00 00 63 00 01 00 a1 ac 15 10 03 snmp server host 192 0 2 1 informs version 3 auth NMS snmp server host 192 0 2 1 snmp server enable traps link cisco Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config snmp server contact name Configures sysContact the SNMP con...

Page 392: ...ies Switch CLI Software Configuration Guide OL 16597 01 Chapter 27 Configuring SNMP Default Settings Default Settings Table 27 3 lists the default settings for SNMP parameters Table 27 3 Default SNMP Parameters Parameters Default license notifications enabled linkUp Down notification type ietf extended ...

Page 393: ...pports RMON alarms events and logs to monitor Cisco Nexus 5000 Series switches An RMON alarm monitors a specific management information base MIB object for a specified interval triggers an alarm at a specified threshold value threshold and resets the alarm at another threshold value You can use alarms with RMON events to generate a log entry or an SNMP notification when the RMON alarm triggers RMO...

Page 394: ...arm on a 64 bit integer MIB object For example you can set a delta type rising alarm on an error counter MIB object If the error counter delta exceeds this value you can trigger an event that sends an SNMP notification and logs the rising alarm event This rising alarm will not occur again until the delta sample for the error counter drops below the falling threshold Note The falling threshold must...

Page 395: ...1 is active owned by test Monitors 1 3 6 1 2 1 2 2 1 17 83886080 every 5 second s Taking delta samples last value was 0 Rising threshold is 5 assigned to event 1 Falling threshold is 0 assigned to event 0 On startup enable rising or falling alarm Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config rmon alarm index mib object sample interval absolute delt...

Page 396: ...s and associates a notification event with this alarm configure terminal rmon alarm 1 1 3 6 1 2 1 2 2 1 17 83886080 5 delta rising threshold 5 1 falling threshold 0 owner test rmon event 1 trap public Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config rmon event index description string log trap owner name Configures an RMON event The description string...

Page 397: ...exus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 28 Configuring RMON Default Settings Default Settings Table 28 1 lists the default settings for RMON parameters Table 28 1 Default RMON Parameters Parameters Default Alarms None configured Events None configured ...

Page 398: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 28 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 28 Configuring RMON Default Settings ...

Page 399: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 5 Fibre Channel over Ethernet ...

Page 400: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 401: ...age 29 8 Information About FCoE In Cisco Nexus 5000 Series switches FCoE is supported on all 10 Gigabit Ethernet interfaces To use FCoE the switch must be directly connected to the server and the server port must terminate the Ethernet with a converged network adapter This section includes the following topics Licensing Requirements page 29 1 Converged Network Adapters page 29 2 DCBX Capabilities ...

Page 402: ...s supported by Cisco Nexus 5000 Series switches are described in the following topics FCoE page 29 2 Priority Flow Control page 29 2 Logical Link Up Down page 29 3 FCoE By default each Ethernet interface attempts to enable FCoE capability by advertising the capability to the adapter If the FCoE negotiation fails you can configure the switch to disable FCoE or to force enable FCoE for this interfac...

Page 403: ... switch and the converged network adapter on the server By default DCBX is enabled on Ethernet interfaces When an Ethernet interface is brought up the switch automatically starts to communicate with the adapter During normal operation of FCoE between the switch and the adapter the DCBX protocol provides link error detection DCBX is also used to negotiate capabilities between the switch and the ada...

Page 404: ...e capabilities to be enabled or disabled For additional information see the Configuring FCoE section on page 29 4 Ethernet Frame Formats Ethernet frames sent by the switch to the adapter may include the IEEE 802 1Q tag This tag includes a field for the CoS value used by PFC The IEEE 802 1Q tag also includes a VLAN field currently not used by the Cisco Nexus 5000 Series switch The switch will alway...

Page 405: ...es negotiate FCoE capability with the adapter You can override the negotiation result by force enabling the FCoE capability To force enable the FCoE capability perform this task The following example shows how to force enable FCoE for an Ethernet interface switch configure terminal switch config interface ethernet 1 4 switch config if fcoe mode on Command Purpose Step 1 switch configure terminal E...

Page 406: ...itch config interface ethernet 1 2 switch config if priority flow control mode on To disable PFC capability for this interface perform this task Configuring IEEE 802 3x Link Level Flow Control By default link level flow control capability on Ethernet interfaces is disabled Only enable the link level flow control capability if PFC is disabled on the interface To configure link level flow control se...

Page 407: ...packets are sent To configure LLDP settings perform this task The following example shows how to set LLDP timer option to 15 seconds switch configure terminal switch config lldp timer 15 To reset LLDP settings perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config lldp holdtime seconds reinit seconds timer seconds Configures LLDP options U...

Page 408: ... command to a physical Ethernet interface Verifying FCoE Configuration To verify FCoE configuration information perform one of these tasks The following example shows how to verify that the FCoE capability is enabled switch show fcoe FCoE FC feature is desired The following example shows how to display LLDP interface information switch show lldp interface ethernet 1 2 tx_enabled TRUE rx_enabled TR...

Page 409: ...ying FCoE Configuration No remote peers exist The following example shows how to display LLDP neighbor information switch show lldp neighbors The following example shows how to display LLDP timer information switch show lldp timers LLDP Timers holdtime 120 seconds reinit 2 seconds msg_tx_interval 30 seconds The following example shows how to display LLDP counters switch show lldp traffic ...

Page 410: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 29 10 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 29 Configuring FCoE Verifying FCoE Configuration ...

Page 411: ...n the switch and the servers For additional information about FCoE see Chapter 29 Configuring FCoE The Fibre Channel portion of FCoE is configured as a virtual Fibre Channel interface Logical Fibre Channel features such as interface mode can be configured on virtual Fibre Channel interfaces Note Virtual interfaces are created with the administrative state set to down You need to explicitly configu...

Page 412: ... the trunk port The Ethernet interface must be configured as PortFast use the spanning tree port type edge trunk command Following the above configuration guidelines will ensure a smooth upgrade to a T11 Fibre Channel Initialization Protocol FIP based FCoE release in the future To create a virtual Fibre Channel interface perform this task Mapping VSANs to VLANs To create a mapping between a VSAN a...

Page 413: ... Deleting a Virtual Fibre Channel Interface To delete a virtual Fibre Channel interface perform this task The following example shows how to delete a virtual Fibre Channel interface switch configure terminal switch config no interface vfc 4 switch config if exit Step 3 switch config vlan fcoe vsan vsan id Enables FCoE for the specified VLAN By default a mapping is created from this VLAN to the VSA...

Page 414: ...tes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 0 frames input 0 bytes 0 discards 0 errors 0 frames output 0 bytes 0 discards 0 errors The following example shows the status of all the interfaces on the switch some output has been removed for brevity switch show interface brief Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gb...

Page 415: ... m 30 5 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 30 Configuring Virtual Interfaces Verifying Virtual Interface Information Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps vfc 1 1 F down ...

Page 416: ... ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 30 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 30 Configuring Virtual Interfaces Verifying Virtual Interface Information ...

Page 417: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 6 Quality of Service ...

Page 418: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 419: ... About QoS The Cisco Nexus 5000 Series switch provides QoS capabilities such as traffic prioritization and egress bandwidth allocation The default QoS configuration on the switch provides lossless service for Fibre Channel and Fibre Channel Over Ethernet FCoE traffic and best effort service for Ethernet traffic QoS can be configured to provide additional classes of service for Ethernet traffic Cis...

Page 420: ...C target and specifies whether to apply the policy on incoming or outgoing packets This enables the configuration of interface specific QoS policies such as policing and bandwidth allocation System Classes The system class is a new type of MQC target A service policy can associate a policy map with a system class which enables application of a QoS policy across the whole switch Parameters in syste...

Page 421: ... and multicast Ethernet traffic is classified into the default drop system class This class is created automatically when the system starts up the class is named class default in the CLI You cannot delete this class and you cannot change the CoS value associated with the default class There are two reserved system classes for internal system use Link Level Flow Control The IEEE 802 3x link level f...

Page 422: ...e Cisco Nexus 5000 Series switch receives an rxbufsize from a peer different than 2112 bytes it will fail ELP negotiation and not bring the link up The system jumbomtu command defines the upper bound of any MTU in the system System jumbo MTU has a default value of 9216 bytes The minimum MTU is 2240 bytes and the maximum MTU is 9216 bytes The system class MTU sets the MTU for all packets in the cla...

Page 423: ...is assigned a queue This queue uses WRR scheduling with 50 percent of the bandwidth If you add a system class a queue is assigned to the class You must reconfigure the bandwidth allocation on all affected interfaces Bandwidth is not dedicated automatically to user defined system classes You can configure an additional strict priority queue This queue is serviced before all other queues except queu...

Page 424: ...figured in the system QoS policy Policy for Fibre Channel Interfaces The egress queues are not configurable for native Fibre Channel interfaces Two queues are available as follows A strict priority queue to serve high priority control traffic A queue to serve all data traffic and low priority control traffic QoS for Traffic Directed to the CPU The switch automatically applies QoS policies to traff...

Page 425: ...bout configuring PFC and LLC when the interface is operating in FCoE mode If the interface is operating in standard Ethernet mode the Ethernet link is connected at the server port with a standard Ethernet network adapter NIC The network adapter must support DCBX protocol for PFC or ingress policing to be supported on the interface Note You must configure a no drop Ethernet system class for PFC to ...

Page 426: ...ethernet 1 2 switch config if flowcontrol receive on transmit on To disable link level flow control perform this task Configuring System Classes This section describes how to configure system classes on the switch The steps to configure a system class are described in the following topics Configuring Class Maps page 31 9 Configuring Policy Maps page 31 9 Creating the System Service Policy page 31 ...

Page 427: ...erform this task Configuring Policy Maps The policy map command is used to create a named object representing a set of policies that are to be applied to a set of traffic classes The switch provides two default system classes a no drop class for lossless service and a drop class for best effort service You can define up to four additional system classes for Ethernet traffic You need to create a po...

Page 428: ... mode Step 2 switch config policy map name Creates a named object representing a set of policies that are to be applied to a set of traffic classes Policy map names can contain alphabetic hyphen or underscore characters are case sensitive and can be up to 40 characters Step 3 switch config pmap class class name Associates a class map with the policy map and enters configuration mode for the specif...

Page 429: ...system policy switch config pmap class trading data no drop switch config pmap c pause no drop switch config pmap c mtu 2000 switch config system qos switch config system service policy system policy In this example the first class map command defines a new Ethernet system class Packets from all over the system with 802 1p CoS value of 5 will be classified into this new system class The second cla...

Page 430: ...98 Input Packets 1547805596 Unicast Packets 0 Multicast Packets 0 Broadcast Packets 1301767362 Jumbo Packets 33690 Storm Suppression Packets 7181776513802 Bytes Tx 1186564478 Output Packets 7060 Multicast Packets 0 Broadcast Packets 997813205 Jumbo Packets 4813632103603 Bytes The following example shows how to display detailed jumbo MTU information for Ethernet 2 1 the relevant part of the output ...

Page 431: ... on an Ethernet interface The ingress policy is applied in the adapter to all outgoing traffic that matches the specified class When you configure an ingress policy on an interface or port channel the switch sends the configuration data to the adapter To configure an ingress policy perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config int...

Page 432: ...switch config interface ethernet slot port port channel channel number Enters configuration mode for the specified interface Note The service policy on a port channel applies to all member interfaces Step 8 switch config if service policy input policy name Applies the policy map to the interface Command Purpose Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switc...

Page 433: ...wing example shows that the system class best effort drop class is guaranteed 20 percent of the bandwidth on interface eth1 1 switch config class map best effort drop class switch config cmap match cos 5 switch config policy map policy1 egress switch config pmap class best effort drop class switch config pmap c bandwidth percent 20 switch config interface ethernet 1 1 switch config if service poli...

Page 434: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 31 16 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 31 Configuring QoS Configuring QoS on Interfaces ...

Page 435: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 7 SAN Switching ...

Page 436: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 437: ...ormation About Fibre Channel Interfaces This section describes Fibre Channel interfaces and virtual Fibre Channel interfaces This section includes the following topics Licensing Requirements page 32 1 Physical Fibre Channel Interfaces page 32 2 Virtual Fibre Channel Interfaces page 32 2 Interface Modes page 32 2 Interface States page 32 5 Buffer to Buffer Credits page 32 7 Licensing Requirements O...

Page 438: ...e Channel and virtual Fibre Channel interfaces are configured using the same CLI commands Virtual Fibre Channel interfaces support only F mode and offer a subset of the features that are supported on native Fibre Channel interfaces The following capabilities are not supported for virtual Fibre Channel interfaces SAN port channels VSAN trunking The virtual Fibre Channel is associated with one VSAN ...

Page 439: ... interface speed This status cannot be changed and is read only Some values may not be valid when the interface is down for example the operational speed The following sections provide a brief description of each interface mode E Port page 32 3 F Port page 32 4 NP Port page 32 4 TE Port page 32 4 SD Port page 32 4 Auto Mode page 32 4 E Port In expansion port E port mode an interface functions as a...

Page 440: ...ISL frame format which contains VSAN information Interconnected switches use the VSAN ID to multiplex traffic from one or more VSANs across the same physical link This feature is referred to as VSAN trunking in the Cisco Nexus 5000 Series see Chapter 35 Configuring VSAN Trunking TE ports support class 3 and class F service SD Port In SPAN destination port SD port mode an interface functions as a s...

Page 441: ...es Reason Codes Reason codes are dependent on the operational state of the interface Table 32 3 describes the reason codes for operational states Table 32 1 Administrative States Administrative State Description Up Interface is enabled Down Interface is disabled If you administratively disable an interface by shutting down that interface the physical link layer state change is ignored Table 32 2 O...

Page 442: ...sical layer link is operational and the protocol initialization is in progress All Reconfigure fabric in progress The fabric is currently being reconfigured Offline The switch software waits for the specified R_A_TOV time before retrying initialization Inactive The interface VSAN is deleted or is in a suspended state To make the interface operational assign that port to a configured and active VSA...

Page 443: ...e to invalid fabric reconfiguration The port is isolated due to fabric reconfiguration Isolation due to domain manager disabled The fcdomain feature is disabled Isolation due to zone merge failure The zone merge operation failed Isolation due to VSAN mismatch The VSANs at both ends of an ISL are different port channel administratively down The interfaces belonging to the SAN port channel are down ...

Page 444: ...nterfaces and includes the following topics Configuring a Fibre Channel Interface page 32 8 Setting the Interface Administrative State page 32 9 Configuring Interface Modes page 32 9 Configuring the Interface Description page 32 10 Configuring Port Speeds page 32 10 Configuring SD Port Frame Encapsulation page 32 11 Configuring Receive Data Field Size page 32 11 Understanding Bit Error Thresholds ...

Page 445: ...ose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port vfc vfc id Selects a Fibre Channel interface and enters interface configuration mode Step 3 switch config if shutdown Gracefully shuts down the interface and administratively disables traffic flow default Command Purpose Step 1 switch configuration terminal Enters configuration mode Step ...

Page 446: ...switch config if switchport mode F For a virtual Fibre Channel only the F port mode is supported switch config if switchport mode E F SD auto For a Fibre Channel interface you can set the mode to E F or SD port mode Set the mode to auto to auto negotiate an E F TE port mode not SD port mode of operation Note SD ports cannot be configured automatically They must be administratively configured Comma...

Page 447: ...mand output Configuring Receive Data Field Size You can configure the receive data field size for native Fibre Channel interfaces but not for virtual Fibre Channel interfaces If the default data field size is 2112 bytes the frame length will be 2148 bytes To configure the receive data field size perform this task Understanding Bit Error Thresholds The bit error rate threshold is used by the switch...

Page 448: ...e switch to not disable an interface when the threshold is crossed To disable the bit error threshold for an interface perform this task Note The switch generates a syslog message when bit error threshold events are detected even if the interface is configured not to be disabled by bit error threshold events Configuring Buffer to Buffer Credits To configure BB_credits for a Fibre Channel interface...

Page 449: ...switch port attributes perform this task Step 3 switch config if switchport fcrxbbcredit default Applies the default operational value to the selected interface The operational value depends on the port mode The default values are assigned based on the port capabilities switch config if switchport fcrxbbcredit 5 Assigns a BB_credit of 5 to the selected interface The range to assign BB_credits is b...

Page 450: ...le N port identifiers Note All of the N port identifiers are allocated in the same VSAN Step 2 switch config no system default switchport shutdown san Configures the default setting for administrative state of an interface as Up The factory default setting is Down Tip This command is applicable only to interfaces for which no user configuration exists for the administrative state switch config sys...

Page 451: ... ID then the show interface and show interface brief commands display the ID instead of the transmitter type The show interface transceiver command and the show interface fc slot port transceiver command display both values for Cisco supported SFPs Verifying Interface Information The show interface command displays interface configurations If no arguments are provided this command displays the inf...

Page 452: ...ters The following example shows how to display transceiver information for a specific interface switch show interface fc3 1 transceiver Note The show interface transceiver command is only valid if the SFP is present The show running configuration command displays the entire running configuration with information for all interfaces The interfaces have multiple entries in the configuration files to...

Page 453: ...75 12 receive B2B credit remaining 255 transmit B2B credit remaining Default Settings Table 32 6 lists the default settings for native Fibre Channel interface parameters Table 32 6 lists the default settings for virtual Fibre Channel interface parameters Table 32 5 Default Native Fibre Channel Interface Parameters Parameters Default Interface mode Auto Interface speed Auto Administrative state Shu...

Page 454: ... Switch CLI Software Configuration Guide OL 16597 01 Chapter 32 Configuring Fibre Channel Interfaces Default Settings Trunk allowed VSANs n a Interface VSAN Default VSAN 1 EISL encapsulation n a Data field size n a Table 32 6 Default Virtual Fibre Channel Interface Parameters continued Parameters Default ...

Page 455: ...ime you reboot the switch the saved configuration is used If you do not save the configuration the previously saved startup configuration is used This chapter includes the following sections Information About Fibre Channel Domains page 33 1 Domain IDs page 33 6 FC IDs page 33 13 Verifying fcdomain Information page 33 18 Default Settings page 33 19 Information About Fibre Channel Domains This secti...

Page 456: ...Priority page 33 4 About fcdomain Initiation page 33 5 Disabling or Reenabling fcdomains page 33 5 Configuring Fabric Names page 33 5 About Incoming RCFs page 33 5 Rejecting Incoming RCFs page 33 6 About Autoreconfiguring Merged Fabrics page 33 6 Local WWN 20 02 ab ba cd dc f4 00 Configured domain ID 0 zero preferred Runtime domain ID 7 Configured priority 128 Runtime priority 128 Runtime fabric n...

Page 457: ... the next restart either disruptive or nondisruptive Tip If a VSAN is in interop mode you cannot disruptively restart the fcdomain for that VSAN You can apply most of the configurations to their corresponding runtime values Each of the following sections provide further details on how the fcdomain parameters are applied to the runtime values The fcdomain restart command applies your changes to the...

Page 458: ...ins a stable fabric During the principal switch selection phase the switch with the highest priority becomes the principal switch If two switches have the same configured priority the switch with the lower world wide name WWN becomes the principal switch The priority configuration is applied to runtime when the fcdomain is restarted see the About Domain Restart section on page 33 3 This configurat...

Page 459: ...is By default the rcf reject option is disabled that is RCF request frames are not automatically rejected The rcf reject option takes effect immediately No fcdomain restart is required Note You do not need to configure the RFC reject option on virtual Fibre Channel interfaces because these interfaces operate only in F port mode Command Purpose Step 1 switch configuration terminal switch config Ent...

Page 460: ...l occur A disruptive reconfiguration may affect data traffic You can nondisruptively reconfigure the fcdomain by changing the configured domains on the overlapping links and eliminating the domain overlap Enabling Autoreconfiguration To enable automatic reconfiguration in a specific VSAN or range of VSANs perform this task Domain IDs Domain IDs uniquely identify a switch in a VSAN A switch may hav...

Page 461: ...12 Displaying CFS Distribution Status page 33 12 Displaying Pending Changes page 33 12 Displaying Session Status page 33 13 About Contiguous Domain ID Assignments page 33 13 Enabling Contiguous Domain ID Assignments page 33 13 About Domain IDs The configured domain ID can be preferred or static By default the configured domain ID is 0 zero and the configured type is preferred Note The 0 zero value...

Page 462: ...the domain ID assigned by the principal switch and the assigned domain ID becomes the runtime domain ID If you change the configured domain ID the change is only accepted if the new domain ID is included in all the allowed domain ID lists currently configured in the VSAN Alternatively you can also configure zero preferred domain ID Caution You must enter the fcdomain restart command if you want to...

Page 463: ... domain ID perform this task About Allowed Domain ID Lists By default the valid range for an assigned domain ID list is from 1 to 239 You can specify a list of ranges to be in the allowed domain ID list and separate each range with a comma The principal switch assigns domain IDs that are available in the locally configured allowed domain list Use allowed domain ID lists to design your VSANs with n...

Page 464: ...all Cisco SAN switches in the fabric using the Cisco Fabric Services CFS infrastructure This feature allows you to synchronize the configuration across the fabric from the console of a single switch Because the same configuration is distributed to the entire VSAN you can avoid possible misconfiguration and the possibility that two switches in the same VSAN have configured incompatible allowed doma...

Page 465: ...d on a successful commit the configuration changes are applied to the active configuration in the SAN switches throughout the VSAN and the fabric lock is released To commit pending domain configuration changes and release the lock perform this task Discarding Changes At any time you can discard the pending changes to the domain configuration and release the fabric lock If you discard abort the pen...

Page 466: ...eges switch clear fcdomain session vsan 10 Displaying CFS Distribution Status You can display the status of CFS distribution for allowed domain ID lists using the show fcdomain status command switch show fcdomain status CFS distribution is enabled Displaying Pending Changes You can display the pending configuration changes using the show fcdomain pending command switch show fcdomain pending vsan 1...

Page 467: ... Assignments To enable contiguous domains in a specific VSAN or a range of VSANs perform this task FC IDs When an N port logs into a Cisco Nexus 5000 Series switch it is assigned an FC ID By default the persistent FC ID feature is enabled If this feature is disabled the following situations can occur An N port logs into a Cisco Nexus 5000 Series switch The WWN of the requesting N port and the assi...

Page 468: ...istent FC IDs page 33 18 About Persistent FC IDs When persistent FC IDs are enabled the following occurs The current FC IDs in use in the fcdomain are saved across reboots The fcdomain automatically populates the database with dynamic entries that the switch has learned about after a device host or disk is plugged into a port interface Note If you connect to the switch from an AIX or HP UX host be...

Page 469: ...ort field of the FC ID is 0 zero when configuring an area Configuring Persistent FC IDs To configure persistent FC IDs perform this task Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config fcdomain fcid database switch config fcid db Enters FC ID database configuration submode Step 3 switch config fcid db vsan vsan id wwn 33 e8 00 05 30...

Page 470: ...rver connects to the switch over FCoE The HBA port connects to interface vfc20 1 and the storage port connects to interface fc2 3 on the same switch To configure a different area ID for the HBA port perform this task Step 1 Obtain the port WWN Port Name field ID of the HBA using the show flogi database command switch show flogi database INTERFACE VSAN FCID PORT NAME NODE NAME vfc10 1 3 0x6f7703 50...

Page 471: ...fig if no shutdown switch config if end switch Step 7 Verify the pWWN ID of the HBA by using the show flogi database command switch show flogi database INTERFACE VSAN FCID PORT NAME NODE NAME vfc20 1 3 0x6fee00 50 05 08 b2 00 71 c8 c2 50 05 08 b2 00 71 c8 c0 fc2 3 3 0x6f7704 50 06 0e 80 03 29 61 0f 50 06 0e 80 03 29 61 0f Note Both FC IDs now have different area assignments About Persistent FC ID ...

Page 472: ...nd to show the domain list and has domain 99 The IVR manager obtained virtual domain 97 using 20 01 00 05 30 00 47 df as the WWN for a virtual switch switch show fcdomain domain list vsan 76 Number of domains 3 Domain ID WWN 0xc8 200 20 01 00 05 30 00 47 df Principal 0x63 99 20 01 00 0d ec 08 60 c1 Local 0x61 97 50 00 53 0f ff f0 10 06 Virtual IVR Use the show fcdomain allowed vsan command to disp...

Page 473: ...ain address allocation vsan 1 The following example shows how to display the valid address allocation cache The cache is used by the principal switch to reassign the FC IDs for a device disk or host that exited and reentered the fabric In the cache content VSAN refers to the VSAN that contains the device WWN refers to the device that owned the FC IDs and mask refers to a single or entire area of F...

Page 474: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 33 20 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 33 Configuring Domain Parameters Default Settings ...

Page 475: ...4 3 FLOGI Operation page 34 3 NPV Traffic Management page 34 4 NPV Traffic Management Guidelines page 34 5 NPV Overview By default Cisco Nexus 5000 Series switches operate in fabric mode In this mode the switch provides standard Fibre Channel switching capability and features In fabric mode each switch that joins a SAN is assigned a domain ID Each SAN or VSAN supports a maximum of 239 domain IDs s...

Page 476: ... server registration are not required on the edge switch because these functions are provided in the core switch To display the fabric login and name server registration databases you must enter the show flogi database and show fcns database commands on the core switch Server Interfaces Server interfaces are F ports on the edge switch that connect to the servers A server interface may support mult...

Page 477: ...hen an NP port becomes operational the switch first logs itself in to the core switch by sending a FLOGI request using the port WWN of the NP port After completing the FLOGI request the switch registers itself with the fabric name server on the core switch using the symbolic port name of the NP port and the IP address of the edge switch Table 34 1 identifies port and node names in the edge switch ...

Page 478: ...1a N2 1 and later software releases NPV supports traffic maps A traffic map allows you to specify the NP uplinks that a server interface can use to connect to the core switches Note When an NPV traffic map is configured for a server interface the server interface must select only from the NP uplinks in its traffic map If none of the specified NP uplinks are operational the server remains in a non ...

Page 479: ...o link a set of servers to a specific core switch associate the server interfaces with a set of NP uplink interfaces that all connect to that core switch Configure Persistent FC IDs on the core switch and use the Traffic Map feature to direct server interface traffic onto NP uplinks that all connect to the associated core switch Guidelines and Limitations When configuring NPV note the following gu...

Page 480: ...rformed in the edge switch all traffic is switched in the core switch NPV supports NPIV capable module servers This capability is called nested NPIV Only F NP and SD ports are supported in NPV mode Configuring NPV Configuring NPV mode is described in the following topics Enabling NPV page 34 6 Configuring NPV Interfaces page 34 7 Configuring NPV Traffic Management page 34 7 Enabling NPV When you e...

Page 481: ...An NPV traffic map associates one or more NP uplink interfaces with a server interface The switch associates the server interface with one of these NP uplinks Note If a server interface is already mapped to an NP uplink you should include this mapping in the traffic map configuration Command Purpose Step 1 switch configure terminal switch config Enters configuration mode Step 2 switch config inter...

Page 482: ...o display information about NPV perform the following task Command Purpose Step 1 switch config t switch config Enters configuration mode on the NPV Step 2 switch config npv traffic map server interface fc slot port vfc vfc id external interface fc slot port switch config Configures a mapping between a server interface or range of server interfaces and an NP uplink interface or range of NP uplink ...

Page 483: ...the status of the server interfaces and the NP uplink interfaces enter the show npv status command switch show npv status npiv is enabled External Interfaces Interface fc2 1 VSAN 1 FCID 0x1c0000 State Up Interface fc2 2 VSAN 1 FCID 0x040000 State Up Interface fc2 3 VSAN 1 FCID 0x260000 State Up Interface fc2 4 VSAN 1 FCID 0x1a0000 State Up Number of External Interfaces 4 Server Interfaces Interfac...

Page 484: ...ion Verifying NPV Server If External If s fc1 3 fc1 10 fc1 11 fc1 5 fc1 1 fc1 2 To display the NPV internal traffic details enter the show npv internal info traffic map command To display the disruptive load balancing status enter the show npv status command switch show npv status npiv is enabled disruptive load balancing is enabled External Interfaces Interface fc2 1 VSAN 2 FCID 0x1c0000 State Up...

Page 485: ...runking is supported on native Fibre Channel interfaces but not on virtual Fibre Channel interfaces Figure 35 1 VSAN Trunking The VSAN trunking feature includes the following restrictions Trunking configurations are only applicable to E ports If trunk mode is enabled in an E port and that port becomes operational as a trunking E port it is referred to as a TE port The trunk allowed VSANs configure...

Page 486: ...N Mismatch VSAN 2 and VSAN 3 are effectively merged with overlapping entries in the name server and the zone applications The Cisco MDS 9000 Fabric Manager helps detect such topologies VSAN Trunking Protocol The trunking protocol is important for E port and TE port operations It supports the following capabilities Dynamic negotiation of operational trunk mode Selection of a common set of trunk all...

Page 487: ...urations disable all E ports with a shutdown command before enabling or disabling the VSAN trunking protocol Enabling or Disabling the VSAN Trunking Protocol To enable or disable the VSAN trunking protocol perform this task About Trunk Mode By default trunk mode is enabled in all Fibre Channel interfaces However trunk mode configuration takes effect only in E port mode You can configure trunk mode...

Page 488: ...the switch are included in the trunk allowed VSAN list for an interface and they are called allowed active VSANs The trunking protocol uses the list of allowed active VSANs at the two ends of an ISL to determine the list of operational VSANs in which traffic is allowed In Figure 35 4 switch 1 has VSANs 1 through 5 switch 2 has VSANs 1 through 3 and switch 3 has VSANs 1 2 4 and 5 with a default con...

Page 489: ...ied in a trunking ISL Using Figure 35 4 as an example you can configure the list of allowed VSANs on a per interface basis see Figure 35 5 For example if VSANs 2 and 4 are removed from the allowed VSAN list of ISLs connecting to switch 1 the operational allowed list of VSANs for each ISL would be as follows The ISL between switch 1 and switch 2 includes VSAN 1 and VSAN 3 The ISL between switch 2 a...

Page 490: ...arguments this command displays the information for all of the configured interfaces in the switch The following example shows how to display the trunk mode of a Fibre Channel interface Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port Configures the specified interface Step 3 switch config if switchport trunk allowed vsan vs...

Page 491: ...ocol of a Fibre Channel interface switch show trunk protocol Trunk protocol is enabled The following example shows how to display the VSAN information for all trunk interfaces switch show interface trunk vsan 1 1000 fc3 1 is not trunking fc3 11 is trunking Belongs to san port channel 6 Vsan 1 is up FCID is 0xef0000 Vsan 2 is up FCID is 0xef0000 san port channel 6 is trunking Vsan 1 is up FCID is 0...

Page 492: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 35 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 35 Configuring VSAN Trunking Default Settings ...

Page 493: ...ult Settings page 36 16 Information About SAN Port Channels A SAN port channel has the following functionality Provides a point to point connection over ISL E ports or EISL TE ports Multiple links can be combined into a SAN port channel Increases the aggregate bandwidth on an ISL by distributing traffic among all functional links in the channel Load balances across multiple links and maintains opt...

Page 494: ...connects only between Cisco switches as shown on the right side of Figure 36 1 See Chapter 35 Configuring VSAN Trunking for information on trunk interfaces Figure 36 1 VSAN Trunking Only You can create a SAN port channel with members that are E ports as shown on the left side of Figure 36 2 In this configuration the port channel implements a logical ISL carrying traffic for one VSAN You can create...

Page 495: ...low is received on an interface for forwarding link 1 is selected Each subsequent frame in that flow is sent over the same link No frame in SID1 and DID1 utilizes link 2 Figure 36 3 SID1 DID1 and Flow Based Load Balancing Figure 36 4 illustrates how exchange based load balancing works When the first frame in an exchange is received for forwarding on an interface link 1 is chosen by a hash algorith...

Page 496: ...eated with default values You can change the default configuration just as any other physical interface Figure 36 5 provides examples of valid SAN port channel configurations Figure 36 5 Valid SAN Port Channel Configurations Frame 1 Frame 2 Frame 3 Frame 1 Frame 2 Frame 3 Frame n Frame n SID1 DID1 Exchange 1 SID1 DID1 Exchange 2 Link 1 Link 2 Link 1 Link 2 79531 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 Swi...

Page 497: ...tion page 36 7 Deleting SAN Port Channels page 36 8 SAN Port Channel Configuration Guidelines Before configuring a SAN port channel consider the following guidelines Configure the SAN port channel using Fibre Channel ports from both expansion modules to provide increased availability if one of the expansion modules failed Ensure that one SAN port channel is not connected to different sets of switc...

Page 498: ...de parameter to determine the port channel protocol behavior for all member ports in this channel group The possible values for a channel group mode are as follows On default The member ports only operate as part of a SAN port channel or remain inactive In this mode the port channel protocol is not initiated However if a port channel protocol frame is received from a peer port the software indicat...

Page 499: ...interfaces to the isolated state if its operational values are incompatible with the SAN port channel When you add or modify a port channel member port configuration you must explicitly disable shut and enable no shut the port channel member ports at either end When you add or modify a port channel interface the SAN port channel automatically recovers Port initialization is not synchronized There ...

Page 500: ...n on the switch at the other end of the san port channel Interfaces in a SAN Port Channel You can add or remove a physical Fibre Channel interface or a range of interfaces to an existing SAN port channel The compatible parameters on the configuration are mapped to the SAN port channel Adding an interface to a SAN port channel increases the channel size and bandwidth of the SAN port channel Removin...

Page 501: ...trative compatibility parameters speed mode port VSAN allowed VSAN and port security Operational parameters speed and remote switch s WWN A port addition procedure fails if the capability and administrative parameters in the remote switch are incompatible with the capability and administrative parameters in the local switch If the compatibility check is successful the interfaces are operational an...

Page 502: ...see the Setting the Interface Administrative State section on page 32 9 To force the addition of a port to a SAN port channel perform this task The following example adds an interface to a SAN port channel switch config interface fc2 3 switch config if channel group 15 force fc2 3 added to san port channel 15 and disabled please do the same operation on the switch at the other end of the san port ...

Page 503: ...SLs with compatible parameters to automatically form channel groups without manual intervention The port channel protocol is enabled by default The port channel protocol expands the port channel functional model in Cisco SAN switches It uses the exchange peer parameters EPP services to communicate across peer ports in an ISL Each switch uses the information received from the peer ports along with ...

Page 504: ...A3 B3 can join the channel groups and the port channels if the respective ports have compatible configurations Link A4 B4 operates as an individual link because it is not compatible with the existing member ports in the channel group Figure 36 7 Autocreating Channel Groups The channel group numbers are assigned dynamically when the channel group is formed The channel group number may change across...

Page 505: ...utocreation feature is disabled in all member ports You can enable or disable the autocreation feature on a per port basis or for all ports in the switch When this configuration is enabled the channel group mode is assumed to be active The default for this task is disabled If autocreation of channel groups is enabled for an interface you must first disable autocreation before downgrading to earlie...

Page 506: ...o an autocreated channel group However you can convert an autocreated channel group to a manual channel group This task is irreversible The channel group number does not change but the member ports operate according to the properties of the manually configured channel group and channel group autocreation is implicitly disabled for all the member ports Tip If you enable persistence be sure to enabl...

Page 507: ...el information switch show san port channel summary Interface Total Ports Oper Ports First Oper Port san port channel 7 2 0 san port channel 8 2 0 san port channel 9 2 2 The following example shows how to display SAN port channel consistency switch show san port channel consistency Database is consistent The following example shows how to display details of the used and unused port channel numbers...

Page 508: ... OL 16597 01 Chapter 36 Configuring SAN Port Channels Default Settings Default Settings Table 36 3 lists the default settings for SAN port channels Table 36 3 Default SAN Port Channel Parameters Parameters Default Port channels FSPF is enabled by default Create port channel Administratively up Default port channel mode On Autocreation Disabled ...

Page 509: ...11 Information About VSANs A VSAN is a virtual storage area network SAN A SAN is a dedicated network that interconnects hosts and storage devices primarily to exchange SCSI traffic In SANs you use the physical links to make these interconnections A set of protocols run over the SAN to handle routing naming and zoning You can design multiple SANs with different topologies This section describes VSA...

Page 510: ...es is independent of their segmentation into logical VSANs No communication between VSANs is possible Within each VSAN all members can talk to one another Figure 37 1 Logical VSAN Segmentation Figure 37 2 shows a physical Fibre Channel switching infrastructure with two defined VSANs VSAN 2 dashed and VSAN 7 solid VSAN 2 includes hosts H1 and H2 application servers AS2 and AS3 and storage arrays SA...

Page 511: ...tches and links may be shared by multiple VSANs VSANs allow SANs to be built on port granularity instead of switch granularity Figure 37 2 illustrates that a VSAN is a group of hosts or storage devices that communicate with each other using a virtual topology defined on the physical SAN The criteria for creating such groups differ based on the VSAN topology VSANs can separate traffic based on the ...

Page 512: ...ontained within a VSAN You can define multiple zones in a VSAN Because two VSANs are equivalent to two unconnected SANs zone A on VSAN 1 is different and separate from zone A in VSAN 2 Table 37 1 lists the differences between VSANs and zones Figure 37 3 shows the possible relationships between VSANs and zones In VSAN 2 three zones are defined zone A zone B and zone C Zone C overlaps both zone A an...

Page 513: ...figured in this VSAN it is disabled Use this state to deactivate a VSAN without losing the VSAN s configuration All ports in a suspended VSAN are disabled By suspending a VSAN you can preconfigure all the VSAN parameters for the whole fabric and activate the VSAN immediately VSAN name This text string identifies the VSAN for management purposes The name can be from 1 to 32 characters long and it m...

Page 514: ... least one port is up This state indicates that traffic can pass through this VSAN This state cannot be configured Creating VSANs Statically You cannot configure any application specific parameters for a VSAN before creating the VSAN To create VSANs perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config vsan database switch config vsan...

Page 515: ...VSAN static membership information use the show vsan membership command The following example displays membership information for the specified VSAN switch show vsan 1 membership vsan 1 interfaces fc2 1 fc2 2 fc2 3 fc2 4 san port channel 3 vfc1 1 Note Interface information is not displayed if interfaces are not configured on this VSAN The following example displays membership information for all V...

Page 516: ...ault VSAN By default all ports are assigned to the default VSAN Note VSAN 1 cannot be deleted but it can be suspended Note Up to 256 VSANs can be configured in a switch Of these one is a default VSAN VSAN 1 and another is an isolated VSAN VSAN 4094 User specified VSAN IDs range from 2 to 4093 About the Isolated VSAN VSAN 4094 is an isolated VSAN When a VSAN is deleted all nontrunking ports are tra...

Page 517: ...VSAN is deleted all the ports in that VSAN are made inactive and the ports are moved to the isolated VSAN If the same VSAN is recreated the ports do not automatically get assigned to that VSAN You must explicitly reconfigure the port VSAN membership see Figure 37 4 Figure 37 4 VSAN Port Membership Details VSAN based runtime name server zoning and configuration static routes information is removed ...

Page 518: ...ase and switch Step 5 switch config vsan db end switch Places you in EXEC mode Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config vsan database switch config vsan db Enters VSAN database configuration submode Step 3 switch config vsan db vsan vsan id Specifies an existing VSAN Step 4 switch config vsan db vsan vsan id loadbalancing src dst id Enable...

Page 519: ...n page 43 9 Displaying Static VSAN Configuration The following example shows how to display information about a specific VSAN switch show vsan 100 The following example shows how to display VSAN usage switch show vsan usage 4 vsan configured configured vsans 1 4 vsans available for configuration 5 4093 The following example shows how to display all VSANs switch show vsan Default Settings Table 37 ...

Page 520: ...f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 37 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 37 Configuring and Managing VSANs Default Settings ...

Page 521: ... supported You can use either the existing basic zoning capabilities or the advanced standards compliant zoning capabilities This chapter includes the following sections Information About Zoning page 38 1 Configuring Zones page 38 7 Zone Sets page 38 8 Zone Set Distribution page 38 13 Zone Set Duplication page 38 16 Verifying Zone Information page 38 18 Enhanced Zoning page 38 18 Compacting the Zo...

Page 522: ...he fabric receive the active zone set Additionally full zone sets are distributed to all switches in the fabric if this feature is enabled in the source switch If a new switch is added to an existing fabric zone sets are acquired by the new switch Zone changes can be configured nondisruptively New zones and zone sets can be activated without interrupting traffic on unaffected ports or devices Zone...

Page 523: ...rface based zoning does not work for VSANs configured in interop mode Zoning Example Figure 38 1 shows a zone set with two zones zone 1 and zone 2 in a fabric Zone 1 provides access from all three hosts H1 H2 H3 to the data residing on storage systems S1 and S2 Zone 2 restricts the data on S3 to access only by H3 H3 resides in both zones Figure 38 1 Fabric with Two Zones You can use other ways to ...

Page 524: ...ive database Active zone sets cannot be changed without activating a full zone database Active zone sets are preserved across switch reboots Changes to the full database must be explicitly saved Zone reactivation a zone set is active and you activate another zone set does not disrupt existing traffic If required you can additionally configure the following zone features Propagate full zone sets to...

Page 525: ...ever the modification will be enforced only upon reactivation When the activation is done the active zone set is automatically stored in persistent configuration This enables the switch to preserve the active zone set information across switch resets All other switches in the fabric receive the active zone set so they can enforce zoning in their respective switches Hard and soft zoning are impleme...

Page 526: ... Z2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Full zone set Zone set Z1 Zone A Zone B Zone C After activating Zone set Z1 Full zone set Active zone set Zone set Z1 Zone A Zone B Zone C Zone set Z2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Zone set Z1 Zone A Zone B Zone C After adding Zone D to Zone set Z1 Full zone set Active zone set Zone set Z1 Zone A Zone B Zone C Zone s...

Page 527: ...meric characters or one of the following symbols _ are supported Step 3 switch config zone member type value Configures a member for the specified zone based on the type pWWN fabric pWWN FC ID fcalias domain ID or interface and value specified See Table 38 1 for details Caution You must only configure pWWN type zoning on all SAN switches running Cisco NX OS if there is a Cisco MDS 9020 switch runn...

Page 528: ...mber domain id 2 portnumber 23 Local sWWN interface example switch config zone member interface fc 2 1 Remote sWWN interface example switch config zone member interface fc 2 1 swwn 20 00 00 05 30 00 4a de Domain ID interface example switch config zone member interface fc 2 1 domain id 25 Zone Sets This section describes zone sets and includes the following topics Activating a Zone Set page 38 9 Ab...

Page 529: ...one set A or zone set B can be activated but not together Tip Zone sets are configured with the names of the member zones and the VSAN if the zone set is in a configured VSAN Activating a Zone Set Changes to a zone set do not take effect in a full zone set until you activate it To activate or deactivate an existing zone set perform this task Zone 3 H2 S2 Zone 2 H3 S2 Zone 1 H1 H3 S1 Zone set A Zon...

Page 530: ...default zone Members are not permitted to communicate with each other Configure the default zone policy on each switch in the fabric If you change the default zone policy on one switch in a fabric be sure to change it on all the other switches in the fabric Note The default settings for default zone configurations can be changed The default zone members are explicitly listed when the default polic...

Page 531: ... switch config fcalias name AliasSample vsan 3 pWWN example switch config fcalias member pwwn 10 00 00 23 45 67 89 ab fWWN example switch config fcalias member fwwn 10 01 10 01 10 ab cd ef Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config fcalias name AliasSample vsan vsan id Configures an alias name AliasSample Step 3 switch config fcalias member ...

Page 532: ...opy the running configuration to the startup configuration to store the active zone set However you need to copy the running configuration to the startup configuration to explicitly store full zone sets Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config zoneset name zoneset name vsan vsan id Configures a zone set called Zoneset1 Tip To activate a zo...

Page 533: ...allow the frame at wire speed Hard zoning is applied to all forms of zoning Note Hard zoning enforces zoning restrictions on every frame and prevents unauthorized access Cisco Nexus 5000 Series switches support both hard and soft zoning Zone Set Distribution You can distribute full zone sets using one of two methods one time distribution using the zoneset distribute vsan command at the EXEC mode l...

Page 534: ... enter the copy running config startup config command to save the full zone set information to the startup configuration Note The one time distribution of the full zone set is supported in interop 2 and interop 3 modes and not in interop 1 mode Use the show zone status vsan vsan id command to check the status of the one time zone set distribution request switch show zone status vsan 3 VSAN 3 defau...

Page 535: ...ngle switch Importing from one switch and exporting from another switch can lead to isolation again Switch 1 Switch 2 79949 Isolated port due to active zone set mismatch From Switch 1 Import database forces Switch 1 to use the database configured in Switch 2 From Switch 1 Export database forces Switch 2 to use the database configured in Switch 1 Command Purpose Step 1 switch zoneset import interfa...

Page 536: ... the full zone set database This section includes the following topics Copying Zone Sets page 38 16 Renaming Zones Zone Sets and Aliases page 38 16 Cloning Zones Zone Sets FC Aliases and Zone Attribute Groups page 38 17 Clearing the Zone Server Database page 38 17 Copying Zone Sets On Cisco Nexus 5000 Series switches you cannot edit an active zone set However you can copy an active zone set to cre...

Page 537: ...zone set in the specified VSAN switch config zone rename oldname newname vsan vsan id Renames a zone in the specified VSAN switch config fcalias rename oldname newname vsan vsan id Renames a fcalias in the specified VSAN switch config zone attribute group rename oldname newname vsan vsan id Renames a zone attribute group in the specified VSAN Step 3 switch config zoneset activate name newname vsan...

Page 538: ...h show zone name Zone1 The following example shows how to display fcalias configuration switch show fcalias vsan 1 The following example shows how to display all zones to which a member belongs switch show zone member pwwn 21 00 00 20 37 9c 48 e5 The following example shows how to display the number of control frames exchanged with other switches switch show zone statistics The following example s...

Page 539: ... zone is referenced The size is more pronounced with bigger databases The default zone policy is defined per switch To ensure smooth fabric operation all switches in the fabric must have the same default zone setting Enforces and exchanges the default zone setting throughout the fabric Fabric wide policy enforcement reduces troubleshooting time To retrieve the results of the activation on a per sw...

Page 540: ...ic zoning to enhanced zoning we recommend that you save the running configuration Changing from Enhanced Zoning to Basic Zoning Cisco SAN switches allow you to change from enhanced zoning to basic zoning to enable you to downgrade and upgrade to other Cisco NX OS releases To change to the basic zoning mode from the enhanced mode perform this task Step 1 Verify that the active and full zone set do ...

Page 541: ... Database Locks To release the session lock on the zoning database on the switches in a VSAN use the no zone commit vsan command from the switch where the database was initially locked switch configuration terminal switch config no zone commit vsan 2 If session locks remain on remote switches after using the no zone commit vsan command you can use the clear zone lock vsan command on the remote swi...

Page 542: ...pared If the zone policies differ then the ISL is isolated 3 If the zone merge options are the same then the comparison is implemented based on the merge control setting a If the setting is restrict the active zone set and the full zone set should be identical Otherwise the link is isolated b If the setting is allow then the merge rules are used to perform the merge Table 38 5 Database Zone Merge ...

Page 543: ...the allow merge control setting for this VSAN switch config zone commit vsan vsan id Commits the changes made to the specified VSAN Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config zone default zone permit vsan vsan id Permits traffic flow to default zone members switch config no zone default zone permit vsan vsan id Denies traffic flow to default...

Page 544: ...er VSAN To delete zones and compact the zone database for a VSAN perform this task Zone and Zone Set Analysis To better manage the zones and zone sets on your switch you can display zone and zone set information using the show zone analysis command The following example shows how to display full zoning analysis switch show zone analysis vsan 1 The following example shows how to display active zoni...

Page 545: ...e OL 16597 01 Chapter 38 Configuring and Managing Zones Default Settings Default Settings Table 38 6 lists the default settings for basic zone parameters Table 38 6 Default Basic Zone Parameters Parameters Default Default zone policy Denied to all members Full zone set distribute The full zone set s is not distributed Enhanced zoning Disabled ...

Page 546: ...f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 38 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 38 Configuring and Managing Zones Default Settings ...

Page 547: ...onfigure features for example zoning DPVM or port security in a Cisco Nexus 5000 Series switch you must assign the correct device name each time you configure these features An inaccurate device name may cause unexpected results You can circumvent this problem if you define a user friendly name for a pWWN and use this name in all the configuration commands as required These user friendly names are...

Page 548: ...to z and A to Z Device alias names must begin with an alphabetic character a to z or A to Z 1 to 9 hyphen and _ underscore dollar sign and up caret Zone Aliases Versus Device Aliases Table 39 1 compares the configuration differences between zone based alias configuration and device alias configuration Device Alias Databases The device alias feature uses two databases to accept and implement device...

Page 549: ...ge 39 5 Locking the Fabric page 39 5 Committing Changes page 39 6 Discarding Changes page 39 6 Fabric Lock Override page 39 7 Disabling and Enabling Device Alias Distribution page 39 7 Creating Device Aliases To a create a device alias in the pending database perform this task To display the device alias configuration use the show device alias name command switch show device alias name x device al...

Page 550: ...will fail in interop mode VSANs if the corresponding zones have native device alias based members Changing Device Alias Mode Guidelines When changing device alias modes follow these guidelines If two fabrics running in different device alias modes are joined together the device alias merge will fail There is no automatic conversion to one mode or the other during the merge process In this situatio...

Page 551: ...in the fabric to keep the device alias database up to date Database changes immediately take effect so there would not be any pending database and commit or abort operations either If you have not committed the changes and you disable distribution then a commit task will fail The following example displays a failed device alias status switch show device alias status Fabric Distribution Disabled Da...

Page 552: ...The pending database is emptied of its contents 4 The fabric lock is released for this feature To commit the changes perform this task Discarding Changes If you discard the changes made to the pending database the following events occur 1 The effective database contents remain unaffected 2 The pending database is emptied of its contents 3 The fabric lock is released for this feature To discard the...

Page 553: ...bled Database Device Aliases 24 Status of the last CFS operation issued from this switch Operation Clear Session Lock released by administrator Status Success Successful status of the operation Disabling and Enabling Device Alias Distribution To disable or enable the device alias distribution perform this task To display the status of device alias distribution use the show device alias status comm...

Page 554: ... discarded Importing a Zone Alias To import the zone alias for a specific VSAN perform this task Database Merge Guidelines When merging two device alias databases follow these guidelines Verify that two device aliases with different names are not mapped to the same pWWN Verify that two identical pWWNs are not mapped to two different device aliases Verify that the combined number of device aliases ...

Page 555: ... to display a specific pWWN in the device alias database switch show device alias pwwn 21 01 00 e0 8b 2e 80 93 pending The following example shows how to display the difference between the pending and effective device alias databases switch show device alias database pending diff device alias name Doc pwwn 21 01 02 03 00 01 01 01 device alias name SampleName pwwn 21 00 00 e0 8b 0b 66 56 Where avai...

Page 556: ...ce Alias Services Default Settings Default Settings Table 39 2 lists the default settings for device alias parameters Table 39 2 Default Device Alias Parameters Parameters Default Device alias distribution Enabled Device alias mode Basic Database in use Effective database Database to accept changes Pending database Device alias fabric lock state Locked with the first device alias task ...

Page 557: ...path between any two switches Selects an alternative path in the event of the failure of a given path FSPF supports multiple paths and automatically computes an alternative path around a failed link It provides a preferred route when two equal paths are available This chapter provides details on Fibre Channel routing services and protocols It includes the following sections Information About FSPF ...

Page 558: ...al mesh topology If a link goes down anywhere in the fabric any switch can still communicate with all others in the fabric In the same way if any switch goes down the connectivity of the rest of the fabric is preserved Figure 40 1 Fault Tolerant Fabric For example if all links are of equal speed the FSPF calculates two equal paths from A to C A D C green and A E C blue Redundant Link Example To im...

Page 559: ...errors or other minor configuration errors Note FSPF is enabled by default Generally you do not need to configure these advanced features Caution The default for the backbone region is 0 zero You do not need to change this setting unless your region is different from the default If you are operating with other vendors using the backbone region you can change this default to be compatible with thos...

Page 560: ...ption Default Description Acknowledgment interval RxmtInterval 5 seconds The time a switch waits for an acknowledgment from the LSR before retransmission Refresh time LSRefreshTime 30 minutes The time a switch waits before sending an LSR refresh transmission Maximum age MaxAge 60 minutes The time a switch waits before dropping the LSR from the database Command Purpose Step 1 switch configuration t...

Page 561: ... a specific VSAN This section includes the following topics About FSPF Link Cost page 40 6 Configuring FSPF Link Cost page 40 6 About Hello Time Intervals page 40 6 Configuring Hello Time Intervals page 40 6 About Dead Time Intervals page 40 7 Configuring Dead Time Intervals page 40 7 Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config no fspf config...

Page 562: ...ue to specify cost can range from 1 to 65 535 The default cost for 1 Gbps is 1000 and for 2 Gbps is 500 Configuring FSPF Link Cost To configure FSPF link cost perform this task About Hello Time Intervals You can set the FSPF Hello time interval to specify the interval between the periodic hello messages sent to verify the health of the link The integer value can range from 1 to 65 535 seconds Note...

Page 563: ...n unacknowledged link state update should be transmitted on the interface The integer value to specify retransmit intervals can range from 1 to 65 535 seconds Note This value must be the same on the switches on both ends of the interface Step 2 switch config interface fc slot port Configures the specified interface or if already configured enters configuration mode for the specified interface Step...

Page 564: ...ace perform this task You can disable the FSPF protocol for selected interfaces By default FSPF is enabled on all E ports and TE ports This default can be disabled by setting the interface as passive Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port Configures the specified interface or if already configured enters configurat...

Page 565: ...gured statically This section includes the following topics About Fibre Channel Routes page 40 9 Configuring Fibre Channel Routes page 40 10 About Fibre Channel Routes Each port implements forwarding logic which forwards frames based on its FC ID Using the FC ID for the specified interface and domain you can configure the specified route for example FC ID 111211 and domain ID 3 in the switch with ...

Page 566: ...route fcid interface fc slot port domain domain id vsan vsan id Configures the route for the specified Fibre Channel interface and domain In this example the specified interface is assigned an FC ID and a domain ID to the next hop switch switch config fcroute fcid interface san port channel port domain domain id vsan vsan id Configures the route for the specified SAN port channel interface and dom...

Page 567: ...ork Frames When you experience a route change in the network the new selected path may be faster or less congested than the old route Figure 40 4 Route Change Delivery In Figure 40 4 the new path from Switch 1 to Switch 4 is faster In this scenario Frame 3 and Frame 4 may be delivered before Frame 1 and Frame 2 If the in order guarantee feature is enabled the frames within the network are delivere...

Page 568: ... in order delivery is disabled on switches in the Cisco Nexus 5000 Series Tip We recommend that you only enable this feature when devices that cannot handle any out of order frames are present in the switch Load balancing algorithms within the Cisco Nexus 5000 Series switch ensure that frames are delivered in order during normal fabric operation The load balancing algorithms based on source FC ID ...

Page 569: ...uaranteed vsan 1000 inorder delivery guaranteed vsan 1001 inorder delivery guaranteed vsan 1682 inorder delivery guaranteed vsan 2001 inorder delivery guaranteed vsan 2009 inorder delivery guaranteed vsan 2456 inorder delivery guaranteed vsan 3277 inorder delivery guaranteed vsan 3451 inorder delivery guaranteed vsan 3452 inorder delivery guaranteed Configuring the Drop Latency Time You can change...

Page 570: ...gress traffic in the aggregated statistics table You can collect two kinds of statistics Aggregated flow statistics to count the traffic for a VSAN Flow statistics to count the traffic for a source and destination ID pair in a VSAN This section includes the following topics About Flow Statistics page 40 15 Counting Aggregated Flow Statistics page 40 15 Counting Individual Flow Statistics page 40 1...

Page 571: ... Use the clear fcflow stats command to clear the aggregated flow counter The following example clears the aggregated flow counters switch clear fcflow stats aggregated index 1 The following example clears the flow counters for source and destination FC IDs switch clear fcflow stats index 1 Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config fcflow st...

Page 572: ...ation for a specific VSAN switch show fspf vsan 1 The following example shows how to display a summary of the FSPF database for a specified VSAN If no additional parameters are specified all LSRs in the database are displayed switch show fspf database vsan 1 The following example shows how to display FSPF interface information switch show fspf vsan 1 interface fc2 1 Default Settings Table 40 2 lis...

Page 573: ...d balancing Based on destination ID and source ID on different equal cost paths In order delivery Disabled Drop latency Disabled Static route cost If the cost metric of the route is not specified the default is 10 Remote destination switch If the remote destination switch is not specified the default is direct Multicast routing Uses the principal switch to compute the multicast tree Table 40 2 Def...

Page 574: ...k t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 40 18 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 40 Configuring Fibre Channel Routing Services and Protocols Default Settings ...

Page 575: ...s in the following examples If the required device is displayed in the FLOGI table the fabric login is successful Examine the FLOGI database on a switch that is directly connected to the host HBA and connected ports The following example shows how to verify the storage devices in the fabric login FLOGI table switch show flogi database INTERFACE VSAN FCID PORT NAME NODE NAME fc2 3 1 0xb200e2 21 00 ...

Page 576: ...xies page 41 2 Registering Name Server Proxies page 41 2 About Rejecting Duplicate pWWNs page 41 2 Rejecting Duplicate pWWNs page 41 3 About Name Server Database Entries page 41 3 Displaying Name Server Database Entries page 41 3 About Registering Name Server Proxies All name server registration requests come from the same port whose parameter is registered or changed If it does not then the reque...

Page 577: ...80 scsi fcp fc gs 0x010001 N 10 00 00 05 30 00 24 63 Cisco ipfc 0x010002 N 50 06 04 82 c3 a0 98 52 Company 1 scsi fcp 250 0x010100 N 21 00 00 e0 8b 02 99 36 Company A scsi fcp 0x020000 N 21 00 00 e0 8b 08 4b 20 Company A 0x020100 N 10 00 00 05 30 00 24 23 Cisco ipfc 0x020200 N 21 01 00 e0 8b 22 99 36 Company A scsi fcp The following example shows how to display the name server database and statist...

Page 578: ...ary host agents Manufacturer model and serial number Node name and node symbolic name Hardware driver and firmware versions Host operating system OS name and version number All FDMI entries are stored in persistent storage and are retrieved when the FDMI process is started Displaying FDMI The following example shows how to display all HBA details for a specified VSAN switch show fdmi database deta...

Page 579: ... vsan 1 Note The SCR table is not configurable It is populated when hosts send SCR frames with RSCN information If hosts do not receive RSCN information then the show rscn scr table command will not return entries About the multi pid Option If the RSCN multi pid option is enabled then RSCNs generated to the registered Nx ports may contain more than one affected port IDs In this case zoning rules a...

Page 580: ...ml To suppress the transmission of these SW RSCNs over an ISL perform this task Note You cannot suppress transmission of port address or area address format RSCNs Clearing RSCN Statistics You can clear the counters and later view the counters for a different set of events For example you can keep track of how many RSCNs or SW RSCNs are generated on a particular event such as ONLINE or OFFLINE even...

Page 581: ...e Failure to do so will disable the links across your VSANs and other devices To configure the RSCN timer perform this task In this example the event time out value is set to 300 milliseconds for VSAN 12 switch rscn event tov 300 vsan 12 Verifying the RSCN Timer Configuration You verify the RSCN timer configuration using the show rscn event tov vsan command The following example shows how to clear...

Page 582: ...an vsan command is distributed Note Only the RSCN timer configuration is distributed The RSCN timer is registered with CFS during initialization and switchover For high availability if the RSCN timer distribution crashes and restarts or a switchover occurs it resumes normal functionality from the state prior to the crash or switchover This section includes the following topics Enabling RSCN Timer ...

Page 583: ... the lock by either committing or discarding the changes an administrator can release the lock from any switch in the fabric If the administrator performs this task your changes to the pending database are discarded and the fabric lock is released Tip The pending database is only available in the volatile directory and are subject to being discarded if the switch is restarted To use administrative...

Page 584: ...e effect when you commit the configuration Note The pending database includes both existing and modified configuration switch show rscn pending rscn event tov 2000 ms vsan 1 rscn event tov 2000 ms vsan 2 rscn event tov 300 ms vsan 10 The following example shows how to display the difference between pending and active configurations switch show rscn pending diff vsan 10 rscn event tov 2000 ms vsan ...

Page 585: ... can access this information To report device capacity serial number and device ID information To register the initiator and target features with the name server The SCSI LUN discovery feature uses the local domain controller Fibre Channel address It uses the local domain controller as the source FC ID and performs SCSI INQUIRY REPORT LUNS and READ CAPACITY commands on SCSI devices The SCSI LUN di...

Page 586: ...ompany 4 Model ST318203FC Rev 0004 Other 00 00 02 32 8b 00 50 0a The following example discovers SCSI targets from the customized list assigned to the Linux OS switch discover scsi target custom list os linux discovery started About Initiating Customized Discovery Customized discovery consists of a list of VSAN and domain pairs that are selectively configured to initiate a discovery Use the custom...

Page 587: ...argets switch show scsi target status discovery completed Note This command takes several minutes to complete especially if the fabric is large or if several devices are slow to respond The following example displays the FCNS database switch show fcns database The following example displays the SCSI target disks switch show scsi target disk The following example displays the discovered LUNs on all...

Page 588: ...e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 42 4 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 42 Discovering SCSI Targets Displaying SCSI LUN Information ...

Page 589: ... TOV D_S_TOV The valid range is from 5 000 to 10 000 milliseconds The default is 5 000 milliseconds Error detect TOV E_D_TOV The valid range is from 1 000 to 10 000 milliseconds The default is 2 000 milliseconds This value is matched with the other end during port initialization Resource allocation TOV R_A_TOV The valid range is from 5 000 to 10 000 milliseconds The default is 10 000 milliseconds ...

Page 590: ...e different TOV values for VSANs with special links such as Fibre Channel You can configure different E_D_TOV R_A_TOV and D_S_TOV values for individual VSANs Active VSANs are suspended and activated when their timer values are changed Note This configuration must be propagated to all switches in the fabric Be sure to configure the same value in all switches in the fabric To configure per VSAN Fibr...

Page 591: ...sing Cisco Fabric Services for more information on the CFS application Enabling or Disabling fctimer Distribution To enable or disable fctimer fabric distribution perform this task Committing fctimer Changes When you commit the fctimer configuration changes the effective database is overwritten by the configuration changes in the pending database and all the switches in the fabric receive the same...

Page 592: ...use administrative privileges and release a locked fctimer session use the clear fctimer session command switch clear fctimer session Database Merge Guidelines When merging two fabrics follow these guidelines Be aware of the following merge conditions The merge protocol is not implemented for distribution of the fctimer values You must manually merge the fctimer values when a fabric is merged The ...

Page 593: ...000 ms World Wide Names The world wide name WWN in the switch is equivalent to the Ethernet MAC address As with the MAC address you must uniquely associate the WWN to a single device The principal switch selection and the allocation of domain IDs rely on the WWN Cisco Nexus 5000 Series switches support three network address authority NAA address formats see Table 43 1 Caution Changes to the world ...

Page 594: ...WN Usage Exchange Link Protocol ELP and Exchange Fabric Protocol EFP use WWNs during link initialization ELPs and EFPs both use the VSAN WWN by default during link initialization However the ELP usage changes based on the peer switch s usage If the peer switch ELP uses the switch WWN then the local switch also uses the switch WWN If the peer switch ELP uses the VSAN WWN then the local switch also ...

Page 595: ...ries remain persistent This section includes the following topics Default Company ID List page 43 7 Verifying the Company ID Configuration page 43 8 Default Company ID List All Cisco Nexus 5000 Series switches contain a default list of company IDs that require area allocation Using the company ID reduces the number of configured persistent FC ID entries You can configure or modify these entries us...

Page 596: ...ries are listed next Entries are listed even if they were part of the default list and you later removed them The following example displays the list of default and configured company IDs switch show fcid allocation area FCID area allocation company id info 00 50 2E Default entry 00 50 8B 00 60 B0 00 A0 B8 00 E0 69 00 30 AE User added entry 00 32 23 00 E0 8B Explicitly deleted entry from the origi...

Page 597: ...ability mode which specifically turns off advanced or proprietary features and provides the product with a standards compliant implementation Note For more information on configuring interoperability for Cisco Nexus 5000 Series switches see the Cisco MDS 9000 Family Switch to Switch Interoperability Configuration Guide This section includes the following topics About Interop Mode page 43 9 Configu...

Page 598: ...rify that the Resource Allocation Time Out Value timers match exactly Trunking Trunking is not supported between two different vendor s switches This feature may be disabled on a per port or per switch basis Default zone The default zone operation of permit all nodes can see all other nodes or deny all nodes are isolated when not explicitly placed in a zone may change Zoning attributes Zones may b...

Page 599: ... 127 0x7F Note This is an limitation imposed by the McData switches switch config fcdomain domain 100 preferred vsan 1 In Cisco Nexus 5000 Series switches the default is to request an ID from the principal switch If the preferred option is used Cisco Nexus 5000 Series switches request a specific ID but still join the fabric if the principal switch assigns a different ID If the static option is use...

Page 600: ...figuration switch config fcdomain restart vsan 1 Verifying Interoperating Status This section highlights the commands used to verify if the fabric is up and running in interoperability mode To verify the resulting status of entering the interoperability command in any switch in the Cisco Nexus 5000 Series perform this task Step 1 Verify the software version switch show version Cisco Nexus Operatin...

Page 601: ...if the interface states are as required by your configuration switch show int brief Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps fc3 1 1 E on trunking swl TE 2 fc3 2 1 auto on sfpAbsent fc3 3 1 E on trunking swl TE 2 fc3 4 1 auto on sfpAbsent fc3 5 1 auto auto notConnected swl fc3 6 1 auto on sfpAbsent fc3 7 1 auto auto sfpAbsent fc3 8 1 auto auto sf...

Page 602: ...in vsan 1 The local switch is a Subordinated Switch Local switch run time information State Stable Local switch WWN 20 01 00 05 30 00 51 1f Running fabric name 10 00 00 60 69 22 32 91 Running priority 128 Current domain ID 0x64 100 verify domain id Local switch configuration information State Enabled Auto reconfiguration Disabled Contiguous allocation Disabled Configured fabric name 41 6e 64 69 61...

Page 603: ...2 ea Seagate scsi fcp 0x6105e2 NL 21 00 00 20 37 28 2e 65 Seagate scsi fcp 0x6105e4 NL 21 00 00 20 37 28 26 0d Seagate scsi fcp 0x630400 N 10 00 00 00 c9 24 3f 75 Emulex scsi fcp 0x630500 N 50 06 01 60 88 02 90 cb scsi fcp 0x6514e2 NL 21 00 00 20 37 a7 ca b7 Seagate scsi fcp 0x6514e4 NL 21 00 00 20 37 a7 c7 e0 Seagate scsi fcp 0x6514e8 NL 21 00 00 20 37 a7 c7 df Seagate scsi fcp 0x651500 N 10 00 0...

Page 604: ...uration Guide OL 16597 01 Chapter 43 Advanced Fibre Channel Features and Concepts Default Settings Remote capture connection mode Passive Local capture frame limits 10 frames FC ID allocation mode Auto mode Loop monitoring Disabled Interop mode Disabled Table 43 3 Default Settings for Advanced Features continued Parameters Default ...

Page 605: ...es the following sections Information About Fabric Authentication page 44 1 DHCHAP page 44 2 Sample Configuration page 44 9 Default Settings page 44 11 Information About Fabric Authentication All Cisco Nexus 5000 Series switches enable fabric wide authentication from one switch to another switch or from a switch to a host These switch and host authentications are performed locally or remotely in e...

Page 606: ...ion Note Fibre Channel Host Bus Adapters HBAs with appropriate firmware and drivers are required for host switch authentication DHCHAP DHCHAP is an authentication protocol that authenticates the devices connecting to a switch Fibre Channel authentication allows only trusted devices to be added to a fabric which prevents unauthorized devices from accessing the switch Note The terms FC SP and DHCHAP...

Page 607: ... page 44 3 About Enabling DHCHAP page 44 4 Enabling DHCHAP page 44 4 About DHCHAP Authentication Modes page 44 4 Configuring the DHCHAP Mode page 44 5 About the DHCHAP Hash Algorithm page 44 5 Configuring the DHCHAP Hash Algorithm page 44 6 About the DHCHAP Group Settings page 44 6 Configuring the DHCHAP Group Settings page 44 6 About the DHCHAP Password page 44 6 Configuring DHCHAP Passwords for ...

Page 608: ...switch initialization if the connecting device supports DHCHAP authentication the software performs the authentication sequence If the connecting device does not support DHCHAP authentication the link is placed in an isolated state Auto Active During switch initialization if the connecting device supports DHCHAP authentication the software performs the authentication sequence If the connecting dev...

Page 609: ...ed Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port slot port switch config if Selects a range of interfaces and enters the interface configuration mode Step 3 switch config if fcsp on Sets the DHCHAP mode for the selected interfaces to be in the on state switch config if no fcsp on Reverts to the factory default of auto pas...

Page 610: ...p configuration change it globally for all switches in the fabric Configuring the DHCHAP Group Settings To change the DH group settings perform this task About the DHCHAP Password DHCHAP authentication in each direction requires a shared secret password between the connected devices To do this you can use one of three configurations to manage passwords for all switches in the fabric that participa...

Page 611: ...ot deleted Tip We recommend using RADIUS or TACACS for fabrics with more than five switches If you need to use a local password database you can continue to do so using Configuration 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database Configuring DHCHAP Passwords for the Local Switch To configure the DHCHAP password for the local switch perform this task The follow...

Page 612: ... if the Cisco Nexus 5000 Series switch does not receive the expected DHCHAP message within a specified time interval authentication failure is assumed The time ranges from 20 no authentication is performed to 1000 seconds The default is 30 seconds When changing the timeout value consider the following factors The existing RADIUS and TACACS timeout values The same value must also be configured on a...

Page 613: ...tication mode SEC_MODE_ON Status Successfully authenticated The following example shows how to display DHCHAP statistics for the specified interface switch show fcsp interface fc2 4 statistics The following example shows how to display the FC SP WWN of the device connected to the specified interface switch show fcsp interface fc2 1 wwn The following example shows how to display the hash algorithm ...

Page 614: ...cename 20 00 00 05 30 00 38 5e password rtp9509 Step 5 Enable the DHCHAP mode for the required Fibre Channel interface Note Whenever DHCHAP port mode is changed to a mode other than the Off mode reauthentication is performed switch config interface fc2 4 switch config if fcsp on Step 6 Verify the protocol security information configured in this switch by displaying the DHCHAP local password databa...

Page 615: ...SEC_MODE_ON Status Successfully authenticated You have now enabled and configured DHCHAP authentication for the sample setup in Figure 44 2 Default Settings Table 44 2 lists the default settings for all fabric security features in any switch Table 44 2 Default Fabric Security Settings Parameters Default DHCHAP feature Disabled DHCHAP hash algorithm A priority list of MD5 followed by SHA 1 for DHCH...

Page 616: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 44 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 44 Configuring FC SP and DHCHAP Default Settings ...

Page 617: ...stribution page 45 12 Database Merge Guidelines page 45 14 Database Interaction page 45 15 Displaying Port Security Configuration page 45 19 Default Settings page 45 19 Information About Port Security Typically any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN services based on zone membership Port security features prevent unauthorized access to a switch port in t...

Page 618: ...urity active database The software uses this active database to enforce authorization About Auto Learning You can instruct the switch to automatically learn auto learn the port security configurations over a specified period This feature allows any Cisco Nexus 5000 Series switch to automatically learn about devices and switches that connect to it Use this feature when you activate the port securit...

Page 619: ...ly enabled You can choose to activate the port security feature and disable auto learning Tip If a port is shut down because of a denied login attempt and you subsequently configure the database to allow that login the port does not come up automatically You must explicitly enter a no shutdown CLI command to bring that port back online Configuring Port Security The steps to configure port security...

Page 620: ...mitting the Changes section on page 45 13 This ensures that the configure database is the same on all switches in the fabric Step 10 Copy the running configuration to the startup configuration using the fabric option This step saves the port security configure database to the startup configuration on all switches in the fabric Configuring Port Security with Auto Learning without CFS To configure p...

Page 621: ...rning section on page 45 8 Step 4 Disable auto learn on each VSAN See the Disabling Auto Learning section on page 45 8 Step 5 Copy the running configuration to the startup configuration which saves the port security configuration database to the startup configuration Step 6 Repeat Step 1 through Step 5 for all switches in the fabric Enabling Port Security By default the port security feature is di...

Page 622: ...vation request is rejected you can force the activation Note If you force the activation existing devices are logged out if they violate the active database You can view missing or conflicting entries using the port security database diff active vsan command in EXEC mode To forcefully activate the port security database perform this task Command Purpose Step 1 switch configuration terminal switch ...

Page 623: ...perform this task Auto Learning This section includes the following topics About Enabling Auto Learning page 45 8 Enabling Auto Learning page 45 8 Disabling Auto Learning page 45 8 Auto Learning Device Authorization page 45 8 Authorization Scenario page 45 9 Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config no port security auto learn...

Page 624: ...k Auto Learning Device Authorization Table 45 1 summarizes the authorized connection conditions for device requests Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config port security auto learn vsan vsan id Enables auto learning so the switch can learn about any device that is allowed to access VSAN 1 These devices are logged in the port...

Page 625: ...security authorization results for this active database The conditions listed refer to the conditions from Table 45 1 3 Not configured A switch port that is not configured Permitted if auto learning enabled 4 Denied if auto learning disabled 5 Configured or not configured A switch port that allows any device Permitted 6 Configured to log in to any switch port Any port on the switch Permitted 7 Not...

Page 626: ...idelines If you decide to manually configure port security note the following guidelines Identify switch ports by the interface or by the fWWN Identify devices by the pWWN or by the nWWN If an N port is allowed to log in to SAN switch port F then that N port can only log in through the specified F port S2 F11 Denied 7 P10 is bound to F11 P4 N4 F5 auto learning on Permitted 3 No conflict P4 N4 F5 a...

Page 627: ... either the fWWN or sWWN interface combination To add authorized port pairs for port security perform this task This example enters the port security database mode for VSAN 2 switch config port security database vsan 2 This example configures the specified sWWN to only log in through SAN port channel 5 switch config port security swwn 20 01 33 11 00 2a 4a 66 interface san port channel 5 This examp...

Page 628: ...figuration you need to commit or discard the pending database changes to the configurations The fabric remains locked during this period Changes to the pending database are not reflected in the configurations until you commit the changes Note Port activation or deactivation and auto learning enable or disable do not take effect until after a CFS commit if CFS distribution is enabled Always follow ...

Page 629: ...ed and the lock is released To discard the port security configuration changes for the specified VSAN perform this task Activation and Auto Learning Configuration Distribution Activation and auto learning configurations in distributed mode are remembered as actions to be performed when you commit the changes in the pending database Learned entries are temporary and do not have any role in determin...

Page 630: ...tion is not done and devices C D are logged in 1 You activate the port security database and enableauto learning configuration database A B active database A B C1 D 1 The asterisk indicates learned entries configuration database A B active database null pending database A B activation to be enabled 2 A new entry E is added to the configuration database configuration database A B E active database ...

Page 631: ...he Port Security Database page 45 17 Deleting the Port Security Database page 45 18 Clearing the Port Security Database page 45 18 Database Scenarios Figure 45 1 illustrates various scenarios showing the active database and the configuration database status based on port security configurations Table 45 4 Active and Configuration Port Security Databases Active Database Configuration Database Read ...

Page 632: ... fwwn5 active Database Saving the configuration copy running start Activating the database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 s Note Learned entries are not saved in the startup configuration Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 active Database Learning entries pwwn4 5 already logged in pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 pwwn4 fwwn4 pwwn5 fwwn5 Note Learned entries are sa...

Page 633: ... the switches CLI Switch 1 config Database 99301 pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 active Database EMPTY Configuring authorized ports Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 pwwn4 fwwn4 pwwn5 fwwn5 active Database Saving the configuration copy running start Activating the database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 s Note Learned entries are not saved in the startup configu...

Page 634: ...o actually delete the database Use the no port security database vsan command in configuration mode to delete the configured database for a specified VSAN switch config no port security database vsan 1 Clearing the Port Security Database Use the clear port security statistics vsan command to clear all existing statistics from the port security database for a specified VSAN switch clear port securi...

Page 635: ...rity configuration database for VSAN 1 switch show port security database vsan 1 The following example shows how to display the activated database switch show port security database active The following example shows how to display difference between the temporary configuration database and the configuration database switch show port security pending diff vsan 1 The following example shows how to ...

Page 636: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 45 20 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 45 Configuring Port Security Default Settings ...

Page 637: ...g The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric Fabric binding is configured on a per VSAN basis This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations It uses the Exchange Fabric Membership Data EFMD protocol to ensure that the list of authorized switches is identical in all switches...

Page 638: ...ding feature requires all sWWNs connected to a switch to be part of the fabric binding active database Table 46 1 Fabric Binding and Port Security Comparison Fabric Binding Port Security Uses a set of sWWNs and a persistent domain ID Uses pWWNs nWWNs or fWWNs sWWNs Binds the fabric at the switch level Binds devices at the interface level Authorizes only the configured sWWN stored in the fabric bin...

Page 639: ...ric perform this task Step 1 Enable the fabric configuration feature Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric Step 3 Activate the fabric binding database Step 4 Copy the fabric binding active database to the fabric binding configuration database Step 5 Save the fabric binding configuration Step 6 Verify the fabric binding...

Page 640: ...he fabric binding feature maintains a configuration database config database and an active database The config database is a read write database that collects the configurations you perform These configurations are only enforced upon activation This activation overwrites the active database with the contents of the config database The active database is read only and is the database that checks ea...

Page 641: ...se Use the fabric binding database copy vsan command to copy from the active database to the config database If the configured database is empty this command is not accepted switch fabric binding database copy vsan 1 Use the fabric binding database diff active vsan command to view the differences between the active database and the config database This command can be used when resolving conflicts ...

Page 642: ...ing command in configuration mode to delete the configured database for a specified VSAN switch config no fabric binding database vsan 10 Verifying Fabric Binding Information To display fabric binding information perform one of the following tasks The following example displays the active fabric binding information for VSAN 4 switch show fabric binding database active vsan 4 The following example ...

Page 643: ...ch 3 20 00 00 05 30 00 4a 1e Nov 25 05 44 58 2003 2 sWWN not found 4 20 00 00 05 30 00 4a 1e Nov 25 05 46 25 2003 1 Database mismatch Note In VSAN 3 the sWWN was not found in the list In VSAN 2 the sWWN was found in the list but has a domain ID mismatch The following example displays EFMD Statistics for VSAN 4 switch show fabric binding efmd statistics vsan 4 Default Settings Table 46 2 lists the ...

Page 644: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 46 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 46 Configuring Fabric Binding Default Settings ...

Page 645: ... object A set of nodes may be defined as a platform object to make it a single manageable entity These nodes are end devices host systems storage subsystems attached to the fabric Platform objects reside at the edge switches of the fabric Each object has its own set of attributes and values A null value may also be defined for some attributes In the Cisco Nexus 5000 Series switch environment a fab...

Page 646: ...management information base MIB to start discovery and obtain information about the fabric topology Support TE ports in addition to the standard F and E ports Can maintain a group of nodes with a logical name and management address when a platform registers with it FCSs maintain a backup of all registrations in secondary storage and update it with every change When a restart or switchover happens ...

Page 647: ... 2 switch config fcs register Enters the FCS registration submode Step 3 switch config fcs register platform name platform name vsan vsan id Enters the FCS registration attributes submode switch config fcs register no platform name platform name vsan vsan id Deletes a registered platform Step 4 switch config fcs register attrib mgmt addr ipv4 addr Configures the platform management IPv4 address sw...

Page 648: ...elements for VSAN 1 switch show fcs ie vsan 1 The following example shows how to display information for a specific platform switch show fcs platform name SamplePlatform vsan 1 The following example shows how to display port information for a specific pWWN switch show fcs port pwwn 20 51 00 05 30 00 16 de vsan 24 Default Settings Table 47 1 lists the default FCS settings Table 47 1 Default FCS Set...

Page 649: ...redirected to another redundant link This chapter includes the following sections Information About Port Tracking page 48 1 Configuring Port Tracking page 48 2 Displaying Port Tracking Information page 48 6 Default Port Tracking Settings page 48 7 Information About Port Tracking Generally hosts can instantly recover from a link failure on a link that is immediately direct link connected to a switc...

Page 650: ...orts A port whose operational state is altered based on the operational state of the tracked ports Only physical Fibre Channel ports can be linked ports Port tracking has the following features The application brings the linked port down when the tracked port goes down When the tracked port recovers from the failure and comes back up again the linked port is also brought up automatically unless ot...

Page 651: ... one of two methods Operationally binding the linked ports to the tracked port default Continuing to keep the linked port down forcefully even if the tracked port has recovered from the link failure Operationally Binding a Tracked Port When you configure the first tracked port operational binding is automatically in effect When you use this method you have the option to monitor multiple ports or m...

Page 652: ...nked port the operational state of the linked port will be set to down only if all the associated tracked ports are down Even if one tracked port is up the linked port will stay up In Figure 48 2 only if both ISLs 2 and 3 fail will the direct link 1 be brought down Direct link 1 will not be brought down if either 2 or 3 are still functioning as desired Figure 48 2 Traffic Recovery Using Port Track...

Page 653: ...p only when the VSAN is up on the tracked port Tip The specified VSAN does not have to be the same as the port VSAN of the linked port Monitoring Ports in a VSAN To monitor a tracked port in a specific VSAN perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port Configures the specified interface and enters the in...

Page 654: ...s task Displaying Port Tracking Information The show commands display the current port tracking settings for the switch The following example shows how to display tracked port configuration for a specific interface switch show interface fc2 1 fc2 1 is down Administratively down Hardware is Fibre Channel FCOT is short wave laser w o OFC SN Port WWN is 20 01 00 05 30 00 0d de Admin port mode is FX P...

Page 655: ...ack mode switch show interface fc 2 4 fc2 4 is up Hardware is Fibre Channel FCOT is short wave laser Transmit B2B Credit is 64 Receive B2B Credit is 16 Receive data field Size is 2112 Beacon is turned off Port track mode is force_shut this port remains shut even if the tracked port is back up Default Port Tracking Settings Table 48 1 lists the default settings for port tracking parameters Table 48...

Page 656: ...e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 48 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 48 Configuring Port Tracking Default Port Tracking Settings ...

Page 657: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m P A R T 8 Troubleshooting ...

Page 658: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m ...

Page 659: ...With VLANs or VSANs all supported interfaces in the specified VLAN or VSAN are included as SPAN sources You can choose the SPAN traffic in the ingress direction the egress direction or both directions for Ethernet Fibre Channel and virtual Fibre Channel source interfaces Ingress source Rx Traffic entering the switch through this source port is copied to the SPAN destination port Egress source Tx T...

Page 660: ...ssion must have a destination port also called a monitoring port that receives a copy of traffic from the source ports VLANs or VSANs A destination port has these characteristics Can be any physical port Ethernet Ethernet FCoE or Fibre Channel and virtual Fibre Channel ports cannot be destination ports Cannot be a source port Cannot be a port channel or SAN port channel group Does not participate ...

Page 661: ...ng a SPAN session switch configure terminal switch config monitor session 2 To ensure that you are working with a completely new session you can delete the desired session number or all SPAN sessions To delete SPAN sessions perform this task Configuring the Destination Port The SPAN destination port can only be a physical port on the switch There are minor differences between the configuration of ...

Page 662: ...nd port values Step 3 switch config if switchport monitor Sets the interface to monitor mode Priority flow control is disabled when the port is configured as a SPAN destination Step 4 switch config if exit Reverts to global configuration mode Step 5 switch config monitor session session number Enters the monitor configuration mode Step 6 switch config monitor destination interface ethernet slot po...

Page 663: ... SPAN source port switch configure terminal switch config monitor session 2 switch config monitor source interface ethernet 1 16 The following example shows configuring a Fibre Channel SPAN source port switch config monitor source interface fc 2 1 The following example shows configuring a virtual Fibre Channel SPAN source port switch config monitor source interface vfc 129 Configuring Source Port ...

Page 664: ...The following example shows configuring a VSAN SPAN source switch config monitor source vsan 1 Configuring the Description of a SPAN Session To provide a descriptive name of the SPAN session for ease of reference perform this task The following example shows configuring a description of a SPAN session switch configure terminal switch config monitor session 2 switch config monitor description monit...

Page 665: ...mple if you configured ten sessions 1 to 10 where 1 and 2 are active after a reboot sessions 9 and 10 will be active To enable deterministic behavior explicitly suspend the sessions 3 to 10 with the monitor session session number shut command Displaying SPAN Information To display SPAN information perform this task This example shows how to display SPAN session information switch show monitor SESS...

Page 666: ...c i s c o c o m 49 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 49 Configuring SPAN Configuring SPAN type local state up source intf rx fc3 1 tx fc3 1 both fc3 1 source VLANs rx source VSANs rx 1 destination ports Eth3 1 ...

Page 667: ...ribes how to recover a lost network administrator password using the console port of the switch You can recover the network administrator password using one of two methods From the CLI with a username that has network admin privileges By power cycling the switch This section includes the following topics Using the CLI with Network Admin Privileges page 50 1 Power Cycling the Switch page 50 2 Using...

Page 668: ...or password from a Telnet or SSH session You must have access to the local console connection To recover the network administrator password by power cycling the switch follow these steps Step 1 Establish a terminal session on the console port of the supervisor module Step 2 Power cycle the switch Step 3 Press the Ctrl key sequence from the console port session when the switch begins the Cisco NX O...

Page 669: ... URL http www tcpdump org tcpdump_man html For information on the syntax of the display filter see the following URL http wiki wireshark org DisplayFilters Command Purpose switch ethanalyzer local interface interface Captures packets sent or received by the supervisor and provides detailed protocol information Note For all commands in this table interface is inbound hi Inbound high priority interf...

Page 670: ... Time since reference or first frame 1106642989 250719000 seconds Frame Number 1 Frame Length 60 bytes Capture Length 60 bytes Frame is marked False Protocols in frame eth ip tcp Ethernet II Src 00 1a a2 d2 d7 00 00 1a a2 d2 d7 00 Dst 00 0d ec 6d 81 00 00 0d ec 6d 81 00 Destination 00 0d ec 6d 81 00 00 0d ec 6d 81 00 Address 00 0d ec 6d 81 00 00 0d ec 6d 81 00 0 IG bit Individual address unicast 0...

Page 671: ...annel This section includes the following topics fctrace page 50 5 fcping page 50 7 fctrace The fctrace feature provides the following capabilities Trace the route followed by data traffic Compute inter switch hop to hop latency You can invoke fctrace by providing the FC ID the N port WWN or the device alias of the destination The trace frame is routed normally through the network until it reaches...

Page 672: ...05 30 00 18 db 0xfffcd7 Invokes fctrace for the specified FC ID of the destination N port switch fctrace pwwn 21 00 00 e0 8b 06 d9 1d vsan 1 timeout 5 Route present for 21 00 00 e0 8b 06 d9 1d 20 00 00 0b 46 00 02 82 0xfffcd5 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Invokes fctrace using the pWWN of the destination N port By default the ...

Page 673: ...8 bytes from 0xd70000 time 225 usec 28 bytes from 0xd70000 time 229 usec 28 bytes from 0xd70000 time 183 usec 10 frames sent 10 frames received 0 timeouts Round trip min avg max 165 270 730 usec Sets the number of frames to be sent using the count option The range is from 0 through 2147483647 A value of 0 causes the command to send frames forever switch fcping fcid 0xd500b4 vsan 1 timeout 10 28 by...

Page 674: ...nd to view the configured the terminal size After obtaining the output of this command remember to reset your terminal length as required Tip You can save the output of this command to a file by appending left arrow and the filename to the show tech support command If you save this file verify you have sufficient space to do so each of these files may take about 1 8 MB However you can zip this fil...

Page 675: ...t1 show system resources show version dir bootflash show inventory show diagnostic result all show logging log show module show environment show sprom backplane show clock show callhome show cfs application show cfs lock show snmp show interface brief show interface show running config show startup config show ip route show arp show monitor session all show accounting log show process show process...

Page 676: ...w platform software ethpm internal info all show object group show logging onboard obfl logs show tech support brief Command Use the show tech support brief command to obtain a quick condensed review of the switch configurations This command provides a summary of the current running state of the switch see the following example The show tech support brief command is useful when collecting informat...

Page 677: ...tus IP Address Speed MTU Port Channel Ethernet1 1 sfpIsAbsen 1500 Ethernet1 2 sfpIsAbsen 1500 Ethernet1 3 up 10000 1500 Ethernet1 4 sfpIsAbsen 1500 Ethernet1 5 sfpIsAbsen 1500 Ethernet1 6 sfpIsAbsen 1500 Ethernet1 7 sfpIsAbsen 1500 Ethernet1 8 sfpIsAbsen 1500 Ethernet1 9 sfpIsAbsen 1500 Ethernet1 10 sfpIsAbsen 1500 Ethernet1 11 sfpIsAbsen 1500 Ethernet1 12 sfpIsAbsen 1500 Ethernet1 13 sfpIsAbsen 1...

Page 678: ...rt internal info all show port internal event history lock show port internal event history msgs show port internal event history errors show port internal mem stats detail show san port channel internal event history all show san port channel internal event history errors show san port channel internal event history msgs show san port channel internal event history lock show san port channel inte...

Page 679: ...093 show rscn internal merge history vsan 1 4093 show rscn statistics vsan 1 4093 show rscn scr table vsan 1 4093 show rscn session status vsan 1 4093 show vsan show vsan membership show tech support zone show zone status vsan 1 4093 show zoneset active vsan 1 4093 show zoneset vsan 1 4093 show zone vsan 1 4093 show fcalias vsan 1 4093 show zone attribute group vsan 1 4093 show zone policy vsan 1 ...

Page 680: ...le received vsan 1 4093 show zone internal transit table forwarded vsan 1 4093 show zone internal transit table rejected vsan 1 4093 Tip You can save the output of this command to a file by appending left arrow and the filename to the show tech support zone command show tech support platform Command Use the show tech support platform command to obtain information about the platform configuration o...

Page 681: ...rm fcfib unicasts show platform fcfib unicasts forwarding configuration show platform fcfib vsan show platform fcfib san port channel show platform software fcfib devices show platform software fcfib multipath show platform software fcfib vsanidxtable show platform software fcfib domainidxtable show platform hardware fcfib pathselecttable show platform hardware fcfib pathselecttable all show platf...

Page 682: ...gs show platform software altos ports all show platform hardware altos counters all show platform hardware altos counters interrupts all show platform hardware altos interrupts all detail Default Settings Table 50 1 lists the default settings for the features included in this chapter Table 50 1 Default Settings for Troubleshooting Features Parameters Default Timeout period to invoke fctrace 5 seco...

Page 683: ...bric Extender per switch 12 units N A VLANs per switch1 256 1024 minus the number of configured VSANs Ethernet MTU 9 216 bytes 9 216 bytes ASIC limit STP logical interface instances 3 000 instances Only 2 500 can be true STP bridge to STP bridge connections N A MST instances per switch every instance is RSTP enabled 64 64 IEEE standard Station Table2 16 000 entries 32 000 entries IP Multicast addr...

Page 684: ...h 1 024 1 024 Port ACL PACL entries per physical Ethernet interface 128 128 ACL Accounting 32 32 Fibre Channel Flows 32 32 EtherChannels and SAN port channels 4 SAN port channels and 12 EtherChannels 16 port channels any combination of SAN port channels and EtherChannels SPAN Sessions6 2 active sessions 18 sessions configured 2 active Egress SPAN sources 2 2 1 The entire 4094 VLAN ID space is supp...

Page 685: ... 1 configuring default methods 16 9 deleting rule methods 16 1 rearranging rule methods 16 1 AAA accounting logs clearing 16 12 displaying 16 12 AAA authentication rules adding methods 16 1 changing methods 16 1 deleting methods 16 1 rearranging methods 16 1 AAA login authentication configuring console methods 16 6 configuring default methods 16 7 AAA logins enabling authentication failure message...

Page 686: ...reason codes 32 6 bit errors reasons 32 11 bit error thresholds configuring 32 11 description 32 11 blocking state STP 8 12 BPDU guard see STP BPDU guard bridge ID see STP bridge ID broadcast storms see traffic storm control Brocade native interop mode 43 9 buffer to buffer credits see BB_credits build fabric frames 33 3 description 33 3 C Call Home description 26 1 27 1 message format options 26 ...

Page 687: ...ability 43 10 policies 38 10 destination IDs exchange based 36 3 flow based 36 3 in order delivery 40 10 path selection 37 10 device alias databases committing changes 39 6 disabling distribution 39 7 discarding changes 39 6 distribution to fabric 39 5 enabling distribution 39 7 locking the fabric 39 5 merging 39 8 overriding fabric locks 39 6 device aliases comparison with zones table 39 2 creati...

Page 688: ...bility 43 10 preferred 33 9 static 33 9 domain manager fast restart feature 33 3 isolation 32 7 drop latency time configuring 40 13 configuring for FSPF in order delivery 40 13 displaying information 40 14 E EFMD displaying statistics 46 7 fabric binding 46 1 fabric binding initiation 46 3 EISLs port channel links 36 1 e mail notifications Call Home 26 1 enhanced zones advantages over basic zones ...

Page 689: ...port security comparison 46 1 saving to config database 46 5 sWWN lists 46 4 verifying status 46 3 viewing active databases procedure 46 6 viewing EFMD statistics procedure 46 6 viewing violations procedure 46 6 Fabric Configuration Servers see FCSs Fabric Device Management Interface see FDMI fabric login see FLOGI fabric port mode see F port mode fabric pWWNs zone membership 38 2 fabric reconfigu...

Page 690: ...ution 43 3 fctrace default settings 50 16 invoking 50 5 FDMI description 41 4 displaying database information 41 4 Fibre Channel sWWNs for fabric binding 46 4 timeout values 43 1 TOVs 43 2 Fibre Channel domains See fcdomains Fibre Channel interfaces administrative states 32 5 BB_credits 32 6 configuring 32 8 configuring auto port mode 32 10 configuring bit error thresholds 32 11 configuring descri...

Page 691: ...abase information 40 16 displaying global information 40 16 enabling 40 5 fault tolerant fabrics 40 2 in order delivery 40 10 interoperability 43 10 link state record defaults 40 3 reconvergence times 40 2 redundant links 40 2 resetting configuration 40 4 resetting to defaults 40 4 retransmitting intervals 40 7 routing services 40 1 topology examples 40 2 FSPF routes configuring 40 9 description 4...

Page 692: ...ounce timer configuring 5 8 deleting from port channels 36 10 displaying information 32 15 displaying SFP information 32 16 forced addition to port channels 36 10 isolated states 36 9 1 Gigabit speed configuring 5 6 options 5 1 SFP types 32 15 suspended states 36 9 UDLD configuring 5 5 defined 5 2 VSAN membership 37 6 interface speed 5 4 interface statistics description 32 15 interoperability conf...

Page 693: ...0 attributes for VSANs 37 5 configuring 37 10 description 36 2 37 10 guarantees 37 10 port channels 36 1 logical unit numbers See LUNs LUNs displaying discovered SCSI targets 42 3 M MAC addresses configuring secondary 43 6 management access description 3 12 management interfaces displaying information 3 20 using force option during shutdown 3 21 management interfaces See mgmt0 interfaces maximum a...

Page 694: ...on module 1 3 name servers displaying database entries 41 3 interoperability 43 11 LUN information 42 1 proxy feature 41 2 registering proxies 41 2 rejecting duplicate pWWNs 41 2 Network Time Protocol See NTP NPIV description 32 13 enabling 32 14 NP links 34 2 N port identifier virtualization see NPIV N ports FCS support 47 1 fctrace 50 5 hard zoning 38 13 zone enforcement 38 13 zone membership 38...

Page 695: ...cription 36 1 forcing interface additions 36 10 in order guarantee 40 12 interface states 36 9 interoperability 43 10 link changes 40 11 link failures 40 2 load balancing 36 2 misconfiguration error detection 36 5 PortFast BPDU filtering see STP PortFast BPDU filtering port modes auto 32 4 port priority MSTP 9 18 9 19 ports VSAN membership 37 6 port security activating 45 5 activation 45 2 activat...

Page 696: ...VLANs 7 2 principal switches assigning domain ID 33 8 configuring 33 9 private VLANs community VLANs 7 2 7 3 end station access to 7 5 isolated VLANs 7 2 7 3 ports community 7 3 isolated 7 3 promiscuous 7 3 primary VLANs 7 2 secondary VLANs 7 2 promiscuous ports 7 3 proxies registering for name servers 41 2 pWWNs configuring fcalias members 38 10 rejecting duplicates 41 2 zone membership 38 2 R RA...

Page 697: ...scription 40 7 roles authentication 22 1 rollback checkpoint copy 23 1 creating a checkpoint copy 23 1 default settings 23 4 deleting a checkpoint file 23 1 description 23 1 example configuration 23 1 guidelines 23 1 high availability 23 1 implementing a rollback 23 1 limitations 23 1 reverting to checkpoint file 23 1 verifying configuration 23 4 root guard see STP root guard root switch MSTP 9 16...

Page 698: ...erifying configuration 23 4 verifying the session 23 3 SFPs displaying transmitter types 32 16 transmitter types 32 15 small computer system interface See SCSI smart call home description 26 5 registration requirements 26 5 Transport Gateway TG aggregation point 26 5 SMARTnet smart call home registration 26 5 SNMP access groups 27 4 assigning contact 27 11 assigning location 27 11 configuring Link...

Page 699: ...3 switch priorities configuring 33 4 default 33 4 description 33 4 switch priority MSTP 9 20 sWWNs configuring for fabric binding 46 4 T TACACS advanages over RADIUS 18 2 configuring 18 4 18 13 configuring global preshared keys 18 6 configuring global timeout interval 18 9 description 18 1 disabling 18 12 displaying statistics 18 13 enabling 18 5 example configurations 18 13 field descriptions 18 ...

Page 700: ...tech support command 50 8 verifying switch connectivity 50 7 trunk allowed VSAN lists description 35 4 trunking comparison with port channels 36 2 configuration guidelines 35 1 configuring modes 35 3 default settings 35 7 description 35 1 displaying information 35 6 interoperability 43 10 link state 35 3 merging traffic 35 2 restrictions 35 1 trunking E port mode see TE port mode trunking ports as...

Page 701: ...ive lists 35 6 configuring FSPF 40 3 configuring trunk allowed lists 35 4 35 6 default settings 37 11 default VSANs 37 8 deleting 37 9 description 37 1 displaying configuration 37 11 displaying membership 37 7 displaying usage 37 11 domain ID automatic reconfiguration 33 6 FC IDs 37 1 FCS support 47 1 features 37 1 flow statistics 40 14 FSPF 40 4 FSPF connectivity 40 1 interop mode 43 10 isolated ...

Page 702: ...38 2 default settings 38 24 displaying information 38 18 editing full zone databases 38 8 enforcing restrictions 38 13 exporting databases 38 15 features 38 1 38 4 importing databases 38 14 membership using pWWNs 37 4 merge failures 32 7 renaming 38 16 restoring procedure 38 16 show tech support zone command 50 12 viewing information 38 18 See also default zones See also enhanced zones See also ha...

Page 703: ...k t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m Index IN 19 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 description 38 1 example 38 3 implementation 38 4 See also zones zone sets 38 1 ...

Page 704: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m Index IN 20 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 ...

Reviews:

No comments

Related manuals for N5010P-N2K-BE

Lantronix SISPM1040-582-LRT Quick Start Manual preview
SISPM1040-582-LRT
Brand: Lantronix Pages: 2
Lantronix SDS1101 Quick Start Manual preview
SDS1101
Brand: Lantronix Pages: 7
Lantronix Maestro E220 Series Quick Start Manual preview
Maestro E220 Series
Brand: Lantronix Pages: 25
IBM 8677 - BladeCenter Rack-mountable - Power... Planning And Installation Manual preview
8677 - BladeCenter Rack-mountable - Power...
Brand: IBM Pages: 126
LaCie 301160U - 1TB Ethernet Disk RAID Network Attached... Quick Install Manual preview
301160U - 1TB Ethernet Disk RAID Network Attached...
Brand: LaCie Pages: 5
Edge-Core SDW100 Quick Start Manual preview
SDW100
Brand: Edge-Core Pages: 7
peplink balance ONE Manual preview
balance ONE
Brand: peplink Pages: 2
IDT Tsi310TM User Manual preview
Tsi310TM
Brand: IDT Pages: 207
ETL TeleCLIENT TC7730 Series User Manual preview
TeleCLIENT TC7730 Series
Brand: ETL Pages: 83
TP-Link TL-MR3620 Installation Manual preview
TL-MR3620
Brand: TP-Link Pages: 2
LevelOne NetCon FBR-1409TX User Manual preview
NetCon FBR-1409TX
Brand: LevelOne Pages: 88
Xantech RT1610 Installation Instructions Manual preview
RT1610
Brand: Xantech Pages: 6
SONIX MP5S Plus Writer Quick Manual preview
MP5S Plus Writer
Brand: SONIX Pages: 23
Planet ADE-3110 User Manual preview
ADE-3110
Brand: Planet Pages: 66
Tenda FH456 User Manual preview
FH456
Brand: Tenda Pages: 82
Jensen of Scandinavia Air:Link 29150 Installation Manual preview
Air:Link 29150
Brand: Jensen of Scandinavia Pages: 2
Airlinkplus UG-ASW232-1103 User Manual preview
UG-ASW232-1103
Brand: Airlinkplus Pages: 24
H3C SecPath L5030 Installation Manual preview
SecPath L5030
Brand: H3C Pages: 62

Brands by name

Popular brands

Load more brands