manualshive.com logo in svg

Cisco Nexus 5000 Series, Cli Configuration Manual, Page: 236 / 660

Share
Download
Cisco Nexus 5000 Series Cli Configuration Manual Download Page 236

S e n d   f e e d b a c k   t o   n x 5 0 0 0 - d o c f e e d b a c k @ c i s c o . c o m

1-4

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide

OL-16597-01

Chapter 1      Configuring RADIUS

Prerequisites for RADIUS

When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol 
directs the RADIUS server to return user attributes, such as authorization information, along with 
authentication results. This authorization information is specified through VSAs. 

The following VSA protocol options are supported by the Nexus 5000 Series switch:

Shell— Used in access-accept packets to provide user profile information. 

Accounting— Used in accounting-request packets. If a value contains any white spaces, you should 
enclose the value within double quotation marks.

The Nexus 5000 Series switch supports the following attributes:

roles—Lists all the roles to which the user belongs. The value field is a string that lists the role 
names delimited by white space. 

accountinginfo—Stores accounting information in addition to the attributes covered by a standard 
RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request 
frames from the RADIUS client on the switch. It can be used only with the accounting protocol data 
units (PDUs).

Prerequisites for RADIUS

RADIUS has the following prerequisites:

Obtain IPv4 or IPv6 addresses or host names for the RADIUS servers.

Obtain preshared keys from the RADIUS servers.

Ensure that the Nexus 5000 Series switch is configured as a RADIUS client of the AAA servers.

Guidelines and Limitations

RADIUS has the following guidelines and limitations:

You can configure a maximum of 64 RADIUS servers on the Nexus 5000 Series switch.

Configuring RADIUS Servers

To configure RADIUS servers, perform this task:

Step 1

Establish the RADIUS server connections to the Nexus 5000 Series switch.

See the 

“Configuring RADIUS Server Hosts” section on page 1-5

.

Step 2

Configure the preshared secret keys for the RADIUS servers.

See the 

“Configuring Global Preshared Keys” section on page 1-6

.

Step 3

If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA 
authentication methods.

See the 

“Allowing Users to Specify a RADIUS Server at Login” section on page 1-9

 and the 

“Configuring AAA” section on page 1-6

.

Step 4

If needed, configure any of the following optional parameters:

Summary of Contents for Nexus 5000 Series

Page 1: ...ers 18 3 prerequisites 16 5 TACACS server groups 17 15 18 8 18 14 user login process 16 4 verifying configurations 16 13 AAA accounting adding rule methods 16 1 changing rule methods 16 1 configuring default methods 16 10 deleting rule methods 16 1 rearranging rule methods 16 1 AAA accounting logs clearing 16 12 displaying 16 12 AAA authentication rules adding methods 16 1 changing methods 16 1 de...

Page 2: ...ization description 16 2 user login 16 4 auto mode configuring 32 10 auto port mode description 32 4 autosensing speed 32 10 B BB_credits configuring 32 12 description 32 6 displaying information 32 17 reason codes 32 6 bit errors reasons 32 11 bit error thresholds configuring 32 11 description 32 11 blocking state STP 8 12 BPDU guard See STP BPDU guard bridge ID See STP bridge ID broadcast storms...

Page 3: ...k 23 4 default users description 3 9 default VSANs description 37 8 default zones configuring 38 10 configuring access permissions 38 10 configuring policies 38 8 description 38 9 interoperability 43 10 policies 38 10 destination IDs exchange based 36 3 flow based 36 3 in order delivery 40 10 path selection 37 10 device alias databases committing changes 39 6 disabling distribution 39 7 discarding...

Page 4: ...d lists 33 10 configuring CFS distribution 33 10 33 13 configuring fcalias members 38 10 contiguous assignments 33 13 description 33 7 distributing 33 1 enabling contiguous assignments 33 13 interoperability 43 10 preferred 33 9 static 33 9 domain manager fast restart feature 33 3 isolation 32 7 drop latency time configuring 40 13 configuring for FSPF in order delivery 40 14 displaying information...

Page 5: ...3 EFMD 46 1 enabling 46 3 enforcement 46 2 forceful activation 46 5 forceful deactivation 46 5 initiation process 46 3 licensing requirements 46 1 port security comparison 46 1 saving to config database 46 5 sWWN lists 46 4 verifying status 46 3 viewing active databases procedure 46 6 viewing EFMD statistics procedure 46 6 viewing violations procedure 46 6 Fabric Configuration Servers See FCSs Fab...

Page 6: ...7 1 displaying fabric ports using Device Manager 47 4 displaying information 47 3 fctimers displaying configured values 43 4 distribution 43 3 fctrace default settings 50 16 invoking 50 5 FDMI description 41 4 displaying database information 41 4 Fibre Channel sWWNs for fabric binding 46 4 timeout values 43 1 TOVs 43 2 Fibre Channel domains See fcdomains Fibre Channel interfaces administrative sta...

Page 7: ... 40 5 disabling on interfaces 40 8 disabling routing protocols 40 5 displaying database information 40 16 displaying global information 40 16 enabling 40 5 fault tolerant fabrics 40 2 in order delivery 40 10 interoperability 43 11 link state record defaults 40 3 reconvergence times 40 2 redundant links 40 2 resetting configuration 40 4 resetting to defaults 40 4 retransmitting intervals 40 7 routi...

Page 8: ...ptions 32 9 configuring fcalias members 38 11 configuring receive data field size 32 11 debounce timer configuring 5 7 deleting from port channels 36 11 displaying information 32 15 displaying SFP information 32 16 forced addition to port channels 36 11 isolated states 36 10 SFP types 32 15 suspended states 36 10 UDLD configuring 5 4 defined 5 2 VSAN membership 37 6 interface speed 5 4 interface s...

Page 9: ... 1 load balancing attributes 37 10 attributes for VSANs 37 5 configuring 37 10 description 36 2 37 10 guarantees 37 10 port channels 36 1 logical unit numbers See LUNs LUNs displaying discovered SCSI targets 42 3 M MAC addresses configuring secondary 43 6 management access description 3 12 management interfaces displaying information 3 21 using force option during shutdown 3 21 management interfac...

Page 10: ...es 41 3 interoperability 43 11 LUN information 42 1 proxy feature 41 2 registering proxies 41 2 rejecting duplicate pWWNs 41 2 Network Time Protocol See NTP NPIV description 32 13 enabling 32 14 NP links 34 2 N port identifier virtualization See NPIV N ports FCS support 47 1 fctrace 50 5 hard zoning 38 12 zone enforcement 38 12 zone membership 38 2 See also Nx ports NP ports 34 1 NPV configuring 3...

Page 11: ...arantee 40 12 interface states 36 10 interoperability 43 10 link changes 40 11 link failures 40 2 load balancing 36 2 misconfiguration error detection 36 6 PortFast BPDU filtering See STP PortFast BPDU filtering port modes auto 32 4 port priority MSTP 9 18 9 19 ports VSAN membership 37 6 port security activating 45 5 activation 45 2 activation rejection 45 6 adding authorized pairs 45 11 auto lear...

Page 12: ...e VLANs community VLANs 7 2 7 3 end station access to 7 5 isolated VLANs 7 2 7 3 ports community 7 3 isolated 7 3 promiscuous 7 3 primary VLANs 7 2 secondary VLANs 7 2 promiscuous ports 7 3 proxies registering for name servers 41 2 pWWNs configuring fcalias members 38 10 rejecting duplicates 41 2 zone membership 38 2 R RADIUS configuring global preshared keys 17 6 configuring servers 17 4 to 17 13...

Page 13: ...back checkpoint copy 23 1 creating a checkpoint copy 23 1 default settings 23 4 deleting a checkpoint file 23 1 description 23 1 example configuration 23 1 guidelines 23 1 high availability 23 1 implementing a rollback 23 1 limitations 23 1 reverting to checkpoint file 23 1 verifying configuration 23 4 root guard See STP root guard root switch MSTP 9 16 route costs computing 40 6 RSCNs clearing st...

Page 14: ...tion 23 4 verifying the session 23 3 SFPs displaying transmitter types 32 16 transmitter types 32 15 small computer system interface See SCSI smart call home description 26 4 registration requirements 26 5 Transport Gateway TG aggregation point 26 5 SMARTnet smart call home registration 26 5 SNMP access groups 27 4 assigning contact 27 11 assigning location 27 11 configuring LinkUp LinkDown notifi...

Page 15: ...33 4 description 33 4 switch priority MSTP 9 20 sWWNs configuring for fabric binding 46 4 T TACACS advanages over RADIUS 18 2 configuring 18 4 18 13 configuring global preshared keys 18 6 configuring global timeout interval 18 9 description 18 1 disabling 18 13 displaying statistics 18 13 enabling 18 5 example configurations 18 14 field descriptions 18 14 global preshared keys 18 3 limitations 18 ...

Page 16: ... 7 trunk allowed VSAN lists description 35 4 trunking comparison with port channels 36 2 configuration guidelines 35 1 configuring modes 35 3 default settings 35 7 description 35 1 displaying information 35 6 interoperability 43 10 link state 35 3 merging traffic 35 2 restrictions 35 1 trunking E port mode See TE port mode trunking ports associated with VSANs 37 7 trunking protocol default setting...

Page 17: ...allowed lists 35 4 35 6 default settings 37 11 default VSANs 37 8 deleting 37 9 description 37 1 displaying configuration 37 11 displaying membership 37 7 displaying usage 37 11 domain ID automatic reconfiguration 33 6 FC IDs 37 1 FCS support 47 1 features 37 1 flow statistics 40 14 FSPF 40 4 FSPF connectivity 40 1 interop mode 43 10 isolated 37 8 load balancing 37 10 load balancing attributes 37 ...

Page 18: ...nformation 38 17 editing full zone databases 38 8 enforcing restrictions 38 12 exporting databases 38 14 features 38 1 38 4 importing databases 38 14 membership using pWWNs 37 4 merge failures 32 7 renaming 38 16 restoring procedure 38 16 show tech support zone command 50 12 viewing information 38 18 See also default zones See also enhanced zones See also hard zoning soft zoning 38 12 See also zon...

Page 19: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m Index IN 19 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 implementation 38 4 See also zones zone sets 38 1 ...

Page 20: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m Index IN 20 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 ...

Page 21: ...r 1 Product Overview Presents an overview of the Cisco Nexus 5000 Series switches Part 1 Configuration Fundamentals Contains chapters on using the CLI and initial switch configuration Part 2 LAN Switching Contains chapters on how to configure Ethernet interfaces VLANs STP Port Channels trunks the MAC address table and IGMP snooping Part 3 Switch Security Features Contains chapters on how to config...

Page 22: ... chapters on how to configure Fibre Channel interfaces and Fibre Channel capabilities such as NPV SAN Port Channels zones DDAS FSPF and security features Part 8 Troubleshooting Contains chapters on how to perform basic troubleshooting Chapter Title Description boldface font Commands and keywords are in boldface italic font Arguments for which you supply values are in italics Elements in square bra...

Page 23: ...ference Release 4 0 Cisco Nexus 5000 Series Hardware Installation Guide Release 4 0 Cisco Nexus 5000 Series MIBs Reference Release 4 0 Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisc...

Page 24: ... e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 4 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Preface Obtaining Documentation and Submitting a Service Request ...

Page 25: ...s Switch Hardware page 1 3 Cisco Nexus 5000 Series Switch Software page 1 4 Typical Deployment Topologies page 1 7 Supported Standards page 1 10 New Technologies in the Cisco Nexus 5000 Series Cisco Nexus 5000 Series switches introduce several new technologies which are described in the following sections Fibre Channel over Ethernet page 1 1 I O Consolidation page 1 2 Virtual Interfaces page 1 3 F...

Page 26: ...ibre Channel operational model is maintained FCoE network management and configuration is similar to a native Fibre Channel network Cisco Nexus 5000 Series switches use FCoE to carry Fibre Channel and Ethernet traffic on the same physical Ethernet connection between the switch and the server At the server the connection terminates to a converged network adapter CNA The adapter presents two interfa...

Page 27: ...d in the following topics Chassis page 1 3 Expansion Modules page 1 3 Ethernet Interfaces page 1 3 Fibre Channel Interfaces page 1 4 Management Interfaces page 1 4 Chassis The Nexus 5010 switch is a 1 RU chassis and the Nexus 5020 switch is a 2 RU chassis designed for rack mounting The chassis supports redundant fans and power supplies The Cisco Nexus 5000 Series switching fabric is low latency no...

Page 28: ...bre Channel port can be used as a downlink connected to a server or as an uplink to the data center SAN fabric Management Interfaces A Cisco Nexus 5000 Series switch has two dedicated management interfaces one serial console port and one 10 100 1000 Ethernet interface Cisco Nexus 5000 Series Switch Software The Cisco Nexus 5000 Series switch is a Layer 2 device which runs the Cisco Nexus operating...

Page 29: ...e licenses and install additional licenses QoS The Cisco Nexus 5000 Series switch provides quality of service QoS capabilities such as traffic prioritization and bandwidth allocation on egress interfaces The default QoS configuration on the switch provides lossless service for Fibre Channel and FCoE traffic QoS can be configured to provide additional classes of service for Ethernet traffic Service...

Page 30: ...fy services to directly generate a case with the Cisco Technical Assistance Center TAC This feature is a step toward autonomous system operation which enables networking devices to inform IT when a problem occurs and helps to ensure that the problem is resolved quickly Online Diagnostics Cisco generic online diagnostics GOLD is a suite of diagnostic facilities to verify that hardware and internal ...

Page 31: ...formation see the Cisco NX OS XML Management Interface User Guide Release 4 0 SNMP SNMP allows you to configure switches using Management Information Bases MIBs Configuring with Cisco MDS Fabric Manager You can configure Cisco Nexus 5000 Series switches using the Fabric Manager client which runs on a local PC and uses the Fabric Manager server Network Security Features Cisco NX OS Release 4 0 incl...

Page 32: ...ot support FCoE so there is no FCoE traffic and no Fibre Channel ports on the Cisco Nexus 5000 Series switch In the example configuration the Cisco Nexus 5000 Series switch has Ethernet uplinks to two Catalyst switches If STP is enabled in the data center LAN the links to one of the switches will be STP active and the links to the other switch will be STP blocked Figure 1 2 Ethernet TOR Switch Top...

Page 33: ...active passive mode and the server needs to support server based failover On the Cisco Nexus 5000 Series switch the Ethernet network facing ports are connected to two Catalyst 6500 switches Depending on required uplink traffic volume there may be multiple ports connected to each Catalyst 6500 switch configured as port channels If STP is enabled in the data center LAN the links to one of the switch...

Page 34: ...rted Standards Supported Standards Table 1 1 lists the standards supported by the Cisco Nexus 5000 Series switches Table 1 1 IEEE Compliance Standard Description 802 1D MAC Bridges 802 1s Multiple Spanning Tree Protocol 802 1w Rapid Spanning Tree Protocol 802 3ad Link aggregation with LACP 802 3ae 10 Gigabit Ethernet 802 1Q VLAN Tagging 802 1p Class of Service Tagging for Ethernet frames ...

Page 35: ...mand Line Interface You can connect to the switch using a terminal plugged into the console port See Console Settings page 1 3 for information on how to set console port parameters You can also connect to the switch with Telnet or SSH The switch supports up to eight simultaneous Telnet and SSH connections To connect with Telnet or SSH you need to know the hostname or IP address of the switch To ma...

Page 36: ...at the system prompt Table 1 1 lists and describes the two commonly used modes how to enter the modes and the resulting system prompts The system prompt helps you identify which mode you are in and the commands that are available to you in that mode Command Purpose ssh hostname ip_addr Makes an SSH connection from your host to the switch that you want to access Table 1 1 Frequently Used Switch Com...

Page 37: ...ration or hardware are grouped under the show command and all commands that allow you to configure the switch are grouped under the configure terminal command To execute a command you enter the command by starting at the top level of the hierarchy For example to configure an interface use the config terminal command Once you are in configuration mode enter the interface command When you are in the...

Page 38: ...ve Move files no Negate a command or set its defaults ntp Execute NTP commands ping Test network reachability purge Deletes unused data pwd View current directory reload Reboot the entire box replace Discard the entire configuration and load the entire configuration in filename rmdir delete a directory run script Run shell scripts san port channel Port Channel related commands send Send message to...

Page 39: ...c Switch fabric information fabric binding Fabric Binding configuration fc FCoE FC feature fcalias Fcalias configuration commands fcdomain Enter the fcdomain configuration mode fcdroplatency configure switch or network latency fcflow Configure fcfloww fcid allocation Add remove company id or OUIs from auto area list fcinterop Interop commands fcns name server configuration fcroute Configure FC rou...

Page 40: ... vlan Vlan commands vrf Configure VRF parameters vsan Enter the vsan configuration mode wwn Set secondary base MAC addr and range for additional WWNs xml xml agent zone Zone configuration commands zoneset Zoneset configuration commands Using Commands You can configure the CLI to function in two ways configure it interactively by entering commands at the CLI prompt or create an ASCII file containin...

Page 41: ...ne member command you can undo the results switch config zone name test vsan 1 switch config zone member pwwn 12 12 12 12 12 12 12 12 switch config zone no member pwwn 12 12 12 12 12 12 12 12 WARNING Zone is empty Deleting zone test Exit the submode switch config zone Delete a created facility If you want to delete a zone that you created switch config zone name test vsan 1 switch config zone exit...

Page 42: ...ion Ctrl P Up history Ctrl N Down history Ctrl X H List history Alt P History search backwards Note The difference between Tab completion and Alt P or Alt N is that pressing Tab completes the current word while Alt P and Alt N completes a previously entered command Alt N History search forwards Ctrl G Exit Ctrl Z End Ctrl L Clear session Table 1 3 Common Configuration Submodes Submode Name From Co...

Page 43: ...User Defined Persistent CLI Variables You can define CLI session variables to persist only for the duration of your CLI session using the cli var name command in EXEC mode CLI session variables are useful for scripts that you execute periodically The following example shows how to create a user defined CLI session variable switch cli var name testinterface fc 1 1 You can reference a variable using...

Page 44: ... Commands being aliased must be typed in full without abbreviation Command alias translation always takes precedence over any keyword in any configuration mode or submode Command alias support is only available on the supervisor module not the switching modules Command alias configuration takes effect for other user sessions immediately You cannot override the default command alias alias which ali...

Page 45: ...ote You cannot create the script file at the switch prompt You can create the script file on an external machine and copy it to the bootflash directory This section assumes that the script file resides in the bootflash directory The syntax for this command is run script filename This example displays the CLI commands specified in a test file that resides in the bootflash directory switch show file...

Page 46: ...9 or passed as arguments in the run script command The following example shows how to use CLI session variables in a script file used by the run script command switch cli var name testinterface fc 1 1 switch show file bootflash test1 vsh show interface testvar switch run script bootflash test1 vsh show interface testvar fc2 1 is down SFP not present Hardware is Fibre Channel Port WWN is 20 01 00 0...

Page 47: ...tion by a specified number of seconds The syntax for this command is sleep seconds switch sleep 30 You will see the switch prompt return after 30 seconds This command is useful within scripts For example if you create a command script called test script switch show file bootflash test script discover scsi target remote sleep 10 show scsi target disk switch run script bootflash test script When you...

Page 48: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Using the Command Line Interface Command Scripts ...

Page 49: ...ms page 1 22 Image Files on the Switch The Cisco Nexus 5000 Series switches have the following images BIOS and loader images combined in one file Kickstart image System image that includes a BIOS image that can be upgraded The switch has flash memory that consists of two separate flash parts A 2 MB flash part holds two BIOS and loader images A 1 GB flash part holds configuration files kickstart im...

Page 50: ...e If the checksum of the upgradeable BIOS is not valid then the golden BIOS launches the kickstart image which then launches the system image You can force the switch to bypass the upgradeable BIOS and use the golden BIOS instead If you press Ctrl Shift 6 within two seconds of when power is supplied to the switch the golden BIOS will be used to launch the kickstart image even if the checksum of th...

Page 51: ...nsole and sets the options for that terminal line switch configure terminal switch config line console switch config console databits 7 switch config console exec timeout 30 switch config console parity even switch config console stopbits 2 You cannot change the BIOS console settings These are the same as the default console settings Golden BIOS waits for Ctrl Shift 6 9600 baud Is Upgradeable BIOS...

Page 52: ...ll command Caution While the switch performs the installation all traffic through the switch is disrupted Detailed Upgrade Procedure Caution Upgrading a Cisco Nexus 5000 Series switch disrupts all traffic flow through the switch To upgrade the software on the switch follow these steps Step 1 Log in to the switch on the console port connection Step 2 Log in to Cisco com to access the Software Downl...

Page 53: ...le config out Usage for bootflash sup local 855547904 bytes used 6942613504 bytes free 7798161408 bytes total Tip We recommend that you keep the kickstart and system image files for at least one previous software release to use if the new image files do not load successfully Step 8 If you need more space on the active supervisor module bootflash delete unnecessary files to make space available swi...

Page 54: ...c License or the GNU Lesser General Public License A copy of each such license is available at http www gnu org licenses gpl html and http www gnu org licenses lgpl html Software BIOS version 1 2 0 kickstart version 4 0 0 N1 2 system version 4 0 0 N1 2 BIOS compile time 06 19 08 kickstart image file is bootflash n5000 uk9 kickstart 4 0 0 N1 2 467 bin kickstart compile time 7 28 2008 2 00 00 07 28 ...

Page 55: ...nt to the show incompatibility command for the images that you have specified If there are compatibility issues an error message is displayed and the installation does not proceed Displays the compatibility check results and displays whether the installation is disruptive Provides a prompt to allow you to continue or abort the installation Note A disruptive installation causes traffic disruption w...

Page 56: ...server attached to the switch console port 9600 baud 8 data bits No parity 1 stop bit Initial Setup The first time that you access a switch in the Cisco Nexus 5000 Series it runs a setup program that prompts you for the IP address and other configuration information necessary for the switch to communicate over the Ethernet interface This information is required to configure and manage the switch N...

Page 57: ...word configuration is rejected Be sure to configure a strong password If you configure and subsequently forget this new password you have the option to recover this password Note If you enter a write erase command and reload the switch you must reconfigure the default user admin password using the setup procedure Configuring the Switch This section describes how to initially configure the switch N...

Page 58: ...s Press Ctrl C at any prompt to end the configuration process Step 4 Enter the new password for the administrator admin is the default Enter the password for admin admin Step 5 Enter yes no is the default to create additional accounts Create another login account yes no n yes While configuring your initial setup you can create an additional user account in the network admin role besides the admini...

Page 59: ... the default to configure basic Fibre Channel configurations Enter basic FC configurations yes no n yes Step 16 Enter shut shut is the default to configure the default Fibre Channel switch port interface to the shut disabled state Configure default physical FC switchport interface state shut noshut shut shut Step 17 Enter on on is the default to configure the switch port trunk mode Configure defau...

Page 60: ...es are also automatically configured see Image Files on the Switch section on page 1 1 Changing the Initial Configuration To make changes to the initial configuration at a later time enter the setup command in EXEC mode switch setup Basic System Configuration Dialog This setup utility will guide you through the basic configuration of the system Setup configures only enough connectivity for managem...

Page 61: ...tch as switch and it uses the switch prompt To change the name of the switch perform this task Configuring Date Time and Time Zone The Cisco Nexus 5000 Series switches use Universal Coordinated Time UTC which is the same as Greenwich Mean Time GMT To change the default time on the switch perform this task The following example sets the time for the switch switch clock set 15 58 09 29 February 2008...

Page 62: ...owing U S standards defined by the Energy Policy Act of 2005 you can have the switch advance the clock one hour at 2 00 a m on the second Sunday in March and move back the clock one hour at 2 00 a m on the first Sunday in November You can also explicitly specify the start and end dates and times and whether or not the time adjustment recurs every year To enable the daylight saving time clock adjus...

Page 63: ... 1 15 NTP Configuration Guidelines page 1 16 Configuring NTP page 1 17 NTP CFS Distribution page 1 17 About NTP In a large enterprise network having one time standard for all network devices is critical for management reporting and event logging functions when trying to correlate interacting events logged across multiple devices Many enterprise customers with extremely mission critical networks ma...

Page 64: ...e a peer the most accurate peer takes on the role of the NTP server and the other peer s acts as a peer s NTP Configuration Guidelines The following guidelines apply to all NTP configurations You should have a peer association with another switch only when you are sure that your clock is reliable which means that you are a client of a reliable NTP server A peer configured alone takes on the role o...

Page 65: ...ly acquire a fabric wide lock when you enter the first configuration command after you enabled distribution in a switch The NTP application uses an effective and pending database model to store or commit the commands based on your configuration You changes are stored in the pending database and committed to the effective database See the Information About CFS section on page 1 1 for more informati...

Page 66: ...ges perform this task Discarding NTP Configuration Changes After making the configuration changes you can choose to discard the changes or to commit them In either case the lock is released To discard NTP configuration changes perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config ntp distribute Enables NTP configuration distribution to al...

Page 67: ... Do not configure an IP address as a server on one switch and as a peer on another switch The merge can fail if this configuration exists Verify that the union of the databases does not exceed the maximum limit of 64 NTP Session Status Verification To verify the status of the NTP session use the show ntp session status command switch show ntp session status last action Distribution Enable Result S...

Page 68: ...s the management Ethernet interface on the switch and enters interface configuration submode Step 3 switch config if ip address ipv4 address length Configures the IPv4 address and its subnet mask switch config if ip address ipv4 address subnet mask An alternative method that configures the IPv4 address and its subnet mask switch config if ipv6 address ipv6 address length Configures the IPv6 addres...

Page 69: ...shut down the management interface mgmt0 you use the shutdown command A system prompt requests you confirm your action before it executes the command You can use the force option to bypass this confirmation The following example shuts down the interface without using the force option switch configure terminal switch config interface mgmt 0 switch config if shutdown Shutting down this interface wil...

Page 70: ... identical Clearing a Configuration Use the write erase command to clear a startup configuration Once this command is executed the switch s startup configuration reverts to factory defaults The running configuration is not affected Caution The write erase command erases the entire startup configuration with the exception of any configuration that affects the loader functionality The write erase bo...

Page 71: ...ctory switch cd mystorage Displaying the Current Directory The pwd command displays the current directory location This example changes the directory and displays the current directory switch cd bootflash switch pwd bootflash Listing the Files in a Directory The dir command displays the contents of the current directory or the specified directory The syntax for this command is dir directory or dir...

Page 72: ...s the bootflash mydir test directory Moving Files The move command removes a file from the source directory and places it in the destination directory Caution If a file with the same name already exists in the destination directory that file is overwritten by the moved file This example moves the file called samplefile from the root directory to the mystorage directory switch move bootflash sample...

Page 73: ...residing in the current directory switch show file myfile Saving Command Output to a File You can force all screen output to go to a file by appending filename to any command For example enter show interface samplefile at the EXEC mode switch prompt to save the interface configuration to samplefile which is a file created at the same directory level At the EXEC mode switch prompt enter a dir comma...

Page 74: ...6597 01 Chapter 1 Configuring the Switch Using Switch File Systems The gunzip command uncompresses unzips LZ77 coded files This example unzips the file that was compressed in the previous example switch gunzip samplefile switch dir 1525859 Jul 04 00 51 03 2003 Samplefile Usage for volatile 1527808 bytes used 19443712 bytes free 20971520 bytes total ...

Page 75: ...nse Key File page 1 4 Backing Up License Files page 1 6 Identifying License Features in Use page 1 6 Uninstalling Licenses page 1 6 Updating Licenses page 1 8 Grace Period Alerts page 1 8 License Transfers Between Switches page 1 9 Verifying the License Configuration page 1 10 Licensing Terminology The following terms are used in this chapter Licensed feature Permission to use a particular feature...

Page 76: ... License keys are incremental If you purchase some features now and others later the license file and the software detect the sum of all features for the specified switch Evaluation license A temporary license Evaluation licenses are time bound valid for a specified number of days and are not tied to a host ID switch serial number Permanent license A license that is not time bound is called a perm...

Page 77: ...task Step 1 Contact your reseller or Cisco representative and request this service Note If you purchased Cisco support through a Cisco reseller contact the reseller directly If you purchased support directly from Cisco Systems contact Cisco Technical Support at this URL http www cisco com warp public 687 Directory DirTAC shtml Your switch is shipped with the required licenses installed in the syst...

Page 78: ...cument Step 4 Locate the website URL from either the claim certificate or the proof of purchase document Step 5 Access the specified URL that applies to your switch and enter the switch serial number and the PAK The license key file is sent to you by e mail The license key file is digitally signed to only authorize use on the requested switch The requested features are also enabled once the Cisco ...

Page 79: ...se tar Backing up license done Step 4 Exit the switch console and open a new terminal session to view all license files installed on the switch using the show license command switch show license Enterprise lic SERVER this_host ANY VENDOR cisco INCREMENT ENTERPRISE_PKG cisco 1 0 permanent uncounted HOSTID VDH FOX0646S017 NOTICE LicFileID LicFileID LicLineID 0 LicLineID PAK dummyPak PAK SIGN EE9F91E...

Page 80: ...software feature is enabled it can activate a license grace period To identify the features active for a specific license use the show license usage license name command switch show license usage FC_FEATURES_PKG Application PFM Use the show license usage command to identify all of the active features on your switch switch show license usage Feature Ins Lic Status Expiry Date Comments Count FM_SERV...

Page 81: ...witch Step 2 Enter the show license brief command in EXEC mode to view a list of all installed license key files and identify the file to be uninstalled In this example the file to be uninstalled is the FibreChannel lic file switch show license brief Enterprise lic FibreChannel lic Step 3 Disable the features provided by the license to be uninstalled Enter the show license usage package_name comma...

Page 82: ...of the file to be updated switch show license brief Enterprise lic Step 4 Update the license file using the update license url command where url specifies the bootflash or volatile location of the updated license file switch update license bootflash Advanced2 lic Advanced1 lic Updating Advanced1 lic SERVER this_host ANY VENDOR cisco An example fcports license INCREMENT SAN_EXTN_OVER_IP cisco 1 000...

Page 83: ...ceive console messages SNMP traps system messages and Call Home messages on a daily basis The frequency of these messages become hourly during the last seven days of the grace period Note You cannot modify the frequency of the grace period messages Caution After the final seven days of the grace period the feature is turned off and your network traffic may be disrupted Any future upgrade will enfo...

Page 84: ...the License Configuration To display the license configuration information perform one of the following tasks Command Purpose switch show license brief Displays information for all installed license files switch show license file Displays information for a specific license file switch show license host id Displays the host ID for the physical switch switch show license usage Displays the usage inf...

Page 85: ...hernet and Fibre Channel traffic For additional information see Chapter 1 Configuring FCoE and Chapter 1 Configuring Virtual Interfaces On a Cisco Nexus 5000 Series switch the Ethernet interfaces are enabled by default This section includes the following topics About the Interface Command page 1 1 Unidirectional Link Detection Parameter page 1 2 Interface Speed page 1 4 About the Debounce Timer Pa...

Page 86: ...t physical and logical unidirectional connections and the malfunctioning of other protocols A unidirectional link occurs whenever traffic transmitted by the local device over a link is received by the neighbor but traffic transmitted from the neighbor is not received by the local device If one of the fiber strands in a pair is disconnected as long as autonegotiation is active the link does not sta...

Page 87: ...to reestablish the connection with the neighbor After eight failed retries the port is disabled To prevent spanning tree loops nonaggressive UDLD with the default interval of 15 seconds is fast enough to shut down a unidirectional link before a blocking port transitions to the forwarding state with default spanning tree parameters When you enable the UDLD aggressive mode the following occurs One s...

Page 88: ... the debounce period This situation might affect the convergence and reconvergence of some protocols About MTU Configuration A per physical Ethernet interface maximum transmission unit MTU is not supported Instead MTU is set according to the QoS classes You modify MTU by setting Policy and Class maps See Chapter 1 Configuring QoS for more details When you show the interface settings an MTU of 1500...

Page 89: ... disable UDLD for an Ethernet port switch configure terminal switch config interface ethernet 1 4 switch config if udld disable This example shows how to disable UDLD for the switch switch configure terminal switch config no feature udld Configuring Interface Speed The first eight ports of a Nexus 5010 switch and the first 16 ports of a Nexus 5020 switch are switchable 1 Gigabit 10 Gigabit ports T...

Page 90: ...for Ethernet interfaces This protocol works only when you have it enabled on both interfaces on the same link To enable or disable CDP for an interface perform this task The following example shows how to enable CDP for an Ethernet port switch configure terminal switch config interface ethernet 1 4 switch config if cdp enable This command can only be applied to a physical Ethernet interface Comman...

Page 91: ...rminal switch config interface ethernet 1 4 switch config if link debounce time 0 This command can only be applied to a physical Ethernet interface Configuring the Description Parameter To provide textual interface descriptions for the Ethernet ports perform this task This example shows how to set the interface description to Server 3 Interface switch configure terminal switch config interface eth...

Page 92: ...n the interface is not included in any routing updates To disable an interface perform this task The following example shows how to disable an Ethernet port switch configure terminal switch config interface ethernet 1 4 switch config if shutdown To restart an interface perform this task The following example shows how to restart an Ethernet interface switch configure terminal switch config interfa...

Page 93: ...1806 bytes sec 14721892 packets sec 5 minute output rate 935840313 bytes sec 14622492 packets sec Rx 129141483840 input packets 0 unicast packets 129141483847 multicast packets 0 broadcast packets 0 jumbo packets 0 storm suppression packets 8265054965824 bytes 0 No buffer 0 runt 0 Overrun 0 crc 0 Ignored 0 Bad etype drop 0 Bad proto drop Tx 119038487241 output packets 119038487245 multicast packet...

Page 94: ...w interface ethernet 1 3 transceiver Ethernet1 3 sfp is present name is CISCO AVAGO part number is SFBR 7700SDZ B4 R revision is B4 R serial number is AGD1134229V 070823 nominal bitrate is 0 MBits sec Link length supported for 50 125mm fiber is 0 m s Link length supported for 62 5 125mm fiber is 0 m s cisco id is cisco extended id number is 4 The following example shows how to display a brief inte...

Page 95: ...Host I IGMP r Repeater V VoIP Phone D Remotely Managed Device s Supports STP Dispute Device ID Local Intrfce Hldtme Capability Platform Port ID d5 switch 9 qa Eth1 40 148 R S I WS C6506 E Ten4 2 dist row d mgmt0 147 R S I WS C3560G 48T Gig0 34 Default Physical Ethernet Settings The following table lists the default settings for all physical Ethernet interfaces Parameter Default Setting Debounce En...

Page 96: ... b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Ethernet Interfaces Displaying Interface Information ...

Page 97: ...out VLANs This section includes the following topics Understanding VLANs page 1 1 Understanding VLAN Ranges page 1 2 Creating Deleting and Modifying VLANs page 1 3 Understanding VLANs Note VLAN Trunking Protocol VTP mode is OFF VTP BPDUs are dropped on all interfaces of a Cisco Nexus 5000 Series switch which partitions VTP domains if other switches have VTP turned on A VLAN is a group of end stati...

Page 98: ...he traffic By default a newly created VLAN is operational that is the VLAN is in the no shutdown condition Additionally you can configure VLANs to be in the active state which is passing traffic or the suspended state in which the VLANs are not passing packets By default the VLANs are in the active state and pass traffic Understanding VLAN Ranges The Cisco Nexus 5000 Series switch supports VLAN nu...

Page 99: ...s moving them from the active operational state to the suspended operational state If you attempt to create a VLAN with an existing VLAN ID the switch goes into the VLAN submode but does not create the same VLAN again Newly created VLANs remain unused until ports are assigned to the specific VLAN All the ports are assigned to VLAN1 by default Depending on the range of the VLAN you can configure th...

Page 100: ...ocated for use by the switch Once a VLAN is created it is automatically in the active state Note When you delete a VLAN ports associated to that VLAN shut down The traffic does not flow and the packets are dropped To create a VLAN perform this task This example shows how to create a range of VLANs from 15 to 20 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switc...

Page 101: ...igure optional parameters for VLAN 5 switch configure terminal switch config vlan 5 switch config vlan name accounting switch config vlan state active Command Purpose switch config vlan no vlan vlan id vlan range Deletes the specified VLAN or range of VLANs and removes you from the VLAN configuration submode You cannot delete VLAN1 or the internally allocated VLANs Command Purpose Step 1 switch co...

Page 102: ...an 1 21 version 4 0 0 vlan 1 vlan 5 The following example shows the VLANs created on the switch and their status switch show vlan VLAN Name Status Ports 1 default active Eth1 1 Eth1 2 Eth1 3 Eth1 4 Eth1 5 Eth1 6 Eth1 7 Eth1 8 Eth1 9 Eth1 10 Eth1 11 Eth1 12 Eth1 15 Eth1 16 Eth1 17 Eth1 18 Eth1 19 Eth1 20 Eth1 21 Eth1 22 Command Purpose Step 1 switch configure terminal Enters configuration mode Step...

Page 103: ...1 36 Eth1 37 Eth1 38 Eth1 39 Eth1 40 Eth3 1 Eth3 2 Eth3 3 Eth3 4 veth1 1 13 VLAN0005 active Eth1 13 Eth1 14 The following example shows the details of VLAN 13 including its member ports switch show vlan id 13 VLAN Name Status Ports 13 VLAN0005 active Eth1 13 Eth1 14 VLAN Type MTU 13 enet 576 Remote SPAN VLAN Disabled Primary Secondary Type Ports The following example shows the VLAN settings summar...

Page 104: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring VLANs Verifying VLAN Configuration ...

Page 105: ... VLAN into subdomains allowing you to isolate the ports on the switch from each other A subdomain consists of a primary VLAN and one or more secondary VLANs see Figure 1 1 All VLANs in a private VLAN domain share the same primary VLAN The secondary VLAN ID differentiates one subdomain from another The secondary VLANs may either be isolated VLANs or community VLANs A host on an isolated VLAN can on...

Page 106: ...ge 1 5 Primary and Secondary VLANs in Private VLANs A private VLAN domain has only one primary VLAN Each port in a private VLAN domain is a member of the primary VLAN the primary VLAN is the entire private VLAN domain Secondary VLANs provide isolation between ports within the same private VLAN domain The following two types are secondary VLANs within a primary VLAN Isolated VLANs Ports within an i...

Page 107: ...in the isolated VLAN Community A community port is a host port that belongs to a community secondary VLAN Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain Note Because trunks can support the VLANs carryi...

Page 108: ...ironment you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations The end stations need to communicate only with a default gateway to communicate outside the private VLAN Associating Primary and Secondary VLANs For host ports in secondary VLANs to communicate outside the private VLAN you associate secondary VLANs to the primary VLAN If t...

Page 109: ...sociation Understanding Broadcast Traffic in Private VLANs Broadcast traffic from ports in a private VLAN flows in the following ways The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN which includes all the ports in the community and isolated VLANs This broadcast traffic is distributed to all ports within the primary VLAN including those ports that are not config...

Page 110: ...ronize command to map the secondary VLANs to the same Multiple Spanning Tree MST instance as the primary VLAN See the Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs section on page 1 16 for more details Enabling Private VLANs You must enable private VLANs on the switch to use the private VLAN functionality Note The private VLAN commands do not appear until you enable the p...

Page 111: ...o disable a private VLAN perform this task Associating Secondary VLANs with a Primary Private VLAN When you associate secondary VLANs with a primary VLAN follow these guidelines The secondary vlan list parameter cannot contain spaces It can contain multiple comma separated items Each item can be a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs The secondary vlan list paramete...

Page 112: ...condary VLAN the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN Ensure that the private VLAN feature is enabled To associate secondary VLANs with a primary VLAN perform this task This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5 switch ...

Page 113: ...ure an interface as a private VLAN promiscuous port and then you can associate that promiscuous port with the primary and secondary VLANs Ensure that the private VLAN feature is enabled To configure an interface as a private VLAN promiscuous port perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface type slot port Selects the po...

Page 114: ...rts 5 100 community 5 101 community Eth1 12 veth1 1 5 102 community 5 103 community 5 109 isolated Eth1 2 switch show vlan private vlan type Vlan Type 5 primary Step 3 switch config if switchport mode private vlan promiscuous Configures the port as a promiscuous port for a private VLAN You can only enable a physical Ethernet port as the promiscuous port Step 4 switch config if switchport private v...

Page 115: ...itch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Private VLANs Verifying Private VLAN Configuration 100 community 101 community 102 community 103 community 109 isolated The following example shows how to display enabled features switch show system internal clis feature 7 pvlan enabled ...

Page 116: ...d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Private VLANs Verifying Private VLAN Configuration ...

Page 117: ...ing Tree MST and Chapter 1 Configuring STP Extensions for complete information on STP extensions Information About Rapid PVST This section provides describes the Rapid PVST protocol which is the IEEE 802 1w standard Rapid Spanning Tree Protocol RSTP implemented on a per VLAN basis Rapid PVST interoperates with the IEEE 802 1D standard which mandates a single STP instance for all VLANs rather than ...

Page 118: ...se frames but use the frames to construct a loop free path Multiple active paths between end stations cause loops in the network If a loop exists in the network end stations might receive duplicate messages and switches might learn end station MAC addresses on multiple LAN ports These conditions result in a broadcast storm which creates an unstable network STP defines a tree with a root bridge and...

Page 119: ...following topics Bridge Priority Value page 1 3 Extended System ID page 1 3 STP MAC Address Allocation page 1 4 Bridge Priority Value The bridge priority is a 4 bit value when the extended system ID is enabled see Configuring the Rapid PVST Bridge Priority of a VLAN section on page 1 22 Note In Cisco NX OS the extended system ID is always enabled you cannot be disable the extended system ID Extend...

Page 120: ...bridge the lowest being preferred as a multiple of 4096 Only the following values are possible 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN Note If another bridge in the same spanning tree domain does not run the MAC address reduction feature it could achieve r...

Page 121: ...t is the lowest numerical ID value is elected as the root bridge If all switches are configured with the default priority 32768 the switch with the lowest MAC address in the VLAN becomes the root bridge The bridge priority value occupies the most significant bits of the bridge ID When you change the bridge priority value you change the probability that the switch will be elected as the root bridge...

Page 122: ...he high speed fiber optic link By changing the STP port priority on the fiber optic port to a higher priority lower numerical value than the root port the fiber optic port becomes the new root port Understanding Rapid PVST This section includes the following Rapid PVST topics Overview page 1 6 Rapid PVST BPDUs page 1 8 Proposal and Agreement Handshake page 1 8 Protocol Timers page 1 9 Port Roles p...

Page 123: ...ure a port as an STP edge port Note We recommend that you configure all ports connected to a host as edge ports See Chapter 1 Configuring STP Extensions for more information on STP port types Root ports If Rapid PVST selects a new root port it blocks the old root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port th...

Page 124: ...d PVST BPDUs Rapid PVST and 802 1w use all six bits of the flag byte to add the role and state of the port that originates the BPDU and the proposal and agreement handshake Figure 1 3 shows the use of the BPDU flags in Rapid PVST Figure 1 3 Rapid PVST Flag Byte in BPDU Another important change is that the Rapid PVST BPDU is type 2 version 2 which makes it possible for the switch to detect connecte...

Page 125: ...to switch B a similar set of handshaking messages are exchanged Switch C selects the port connected to switch B as its root port and both ends of the link immediately transition to the forwarding state With each iteration of this handshaking process one more network device joins the active topology As the network converges this proposal agreement handshaking progresses from the root toward the lea...

Page 126: ... by a point to point link or when a switch has two or more connections to a shared LAN segment A backup port provides another path in the topology to the switch Disabled port Has no role within the operation of the spanning tree In a stable topology with consistent port roles throughout the network Rapid PVST ensures that every root port and designated port immediately transition to the forwarding...

Page 127: ...s and at different places in a switched network When a LAN port transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Ports must wait for new topology information to propagate through the switched LAN before starting to forward frames Each LAN port on a software using Rapid PVST or MST exists in one of the following four...

Page 128: ...frame forwarding A LAN port in the blocking state performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Does not incorporate the end station location into its address database There is no learning on a blocking LAN port so there is no address database update Receives BPDUs and directs them to the system module Receives proc...

Page 129: ...ble 1 3 lists the possible operational and Rapid PVST states for ports and the corresponding inclusion in the active topology Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port Rapid PVST forces all other ports to synchronize with the new root information The switch is synchronized with superior root informat...

Page 130: ...is a Rapid PVST BPDU with the proposal flag set the switch sends an agreement message after all of the other ports are synchronized The new root port transitions to the forwarding state as soon as the previous port reaches the blocking state If the superior information received on the port causes the port to become a backup port or an alternate port Rapid PVST sets the port to the blocking state a...

Page 131: ...athcost method you can assign any value in the range of 1 to 65535 However you can configure the switch to use the long 32 bit pathcost method which allows you to assign any value in the range of 1 to 200 000 000 You configure the pathcost calculation method globally The STP port path cost default value is determined from the media speed and path cost calculation method of a LAN interface see Tabl...

Page 132: ... Cisco 802 1Q cloud that separates the Cisco switches is treated as a single trunk link between the switches Rapid PVST Interoperation with Legacy 802 1D STP Rapid PVST can interoperate with switches that are running the legacy 802 1D protocol The switch knows that it is interoperating with equipment running 802 1D when it receives a BPDU version 0 The BPDUs for Rapid PVST are version 2 If the BPD...

Page 133: ...VST protocol is the default STP setting in the software You enable Rapid PVST on a per VLAN basis The software maintains a separate instance of STP for each VLAN except on those VLANS on which you disable STP By default Rapid PVST is enabled on the default VLAN and on each VLAN that you create This section includes the following topics Enabling Rapid PVST page 1 17 Enabling Rapid PVST per VLAN pag...

Page 134: ...ST per VLAN You can enable or disable Rapid PVST on each VLAN Note Rapid PVST is enabled by default on the default VLAN and on all VLANs that you create To enable Rapid PVST per VLAN perform this task This example shows how to enable STP on VLAN 5 switch configure terminal switch config spanning tree vlan 5 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch co...

Page 135: ... of the current root bridges for each VLAN The switch sets the bridge priority for the specified VLANs to 24576 if this value will cause the switch to become the root for the specified VLANs If any root bridge for the specified VLANs has a bridge priority lower than 24576 the switch sets the bridge priority for the specified VLANs to 4096 less than the lowest bridge priority Note The spanning tree...

Page 136: ...e automatically calculated hello time You configure more than one switch in this manner to have multiple backup root bridges Enter the same network diameter and hello time values that you used when configuring the primary root bridge Note With the switch configured as the root bridge do not manually configure the hello time forward delay time and maximum age time using the spanning tree mst hello ...

Page 137: ...ou can only apply this command to a physical Ethernet interface Configuring the Rapid PVST Pathcost Method and Port Cost On access ports you assign port cost by the port On trunk ports you assign the port cost by VLAN you can configure the same port cost on all the VLANs on a trunk Note In Rapid PVST mode you can use either the short or long pathcost method and you can configure the method in eith...

Page 138: ...e shows how to configure the priority of VLAN 5 on Gigabit Ethernet port 1 4 to 8192 switch configure terminal switch config spanning tree vlan 5 priority 8192 Step 3 switch config interface type slot port Specifies the interface to configure and enters the interface configuration mode Step 4 switch config if spanning tree vlan vlan id cost value auto Configures the port cost for the LAN interface...

Page 139: ...me per VLAN when using Rapid PVST To configure the forward delay time per VLAN perform this task This example shows how to configure the forward delay time for VLAN 5 to 21 seconds switch configure terminal switch config spanning tree vlan 5 forward time 21 Configuring the Rapid PVST Maximum Age Time for a VLAN You can configure the maximum age time per VLAN when using Rapid PVST To configure the ...

Page 140: ...his example shows how to configure the link type as a point to point link switch configure terminal switch config interface ethernet 1 4 switch config if spanning tree link type point to point You can only apply this command to a physical Ethernet interface Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree vlan vlan range max age value Co...

Page 141: ...interface ethernet 2 8 Verifying Rapid PVST Configurations To display Rapid PVST configuration information perform one of these tasks This example shows how to display spanning tree status switch show spanning tree brief VLAN0001 Spanning tree enabled protocol rstp Root ID Priority 32768 Address 001c b05a 5447 Cost 2 Port 131 Ethernet1 3 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ...

Page 142: ...e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Rapid PVST Verifying Rapid PVST Configurations ...

Page 143: ...ocol STP when it receives an 802 1D message from a neighboring switch Note Spanning tree is used to refer to IEEE 802 1w and IEEE 802 1s If the text is discussing the IEEE 802 1D Spanning Tree Protocol 802 1D is stated specifically This chapter includes the following sections Information About MST page 1 1 Configuring MST page 1 9 Note See Chapter 1 Configuring Rapid PVST for complete information ...

Page 144: ...mproves spanning tree operation and maintains backward compatibility with these STP versions Original 802 1D spanning tree Rapid per VLAN spanning tree Rapid PVST Note IEEE 802 1w defined the Rapid Spanning Tree Protocol RSTP and was incorporated into IEEE 802 1D IEEE 802 1s defined MST and was incorporated into IEEE 802 1Q MST Regions To allow switches to participate in MST instances you must con...

Page 145: ...uration Information The MST configuration that must be identical on all switches within a single MST region is configured by the user You can configure the following three parameters of the MST configuration Name 32 character string null padded and null terminated identifying the MST region Revision number Unsigned 16 bit number that identifies the revision of the current MST configuration Note Yo...

Page 146: ...n all ports you cannot delete the IST or Instance 0 By default all VLANs are assigned to the IST All other MST instances are numbered from 1 to 4094 The IST is the only STP instance that sends and receives BPDUs All of the other MSTI information is contained in MST records M records which are encapsulated within MST BPDUs All MSTIs within the same region share the same protocol timers but each MST...

Page 147: ...ach with its own CIST regional root As switches receive superior IST information from a neighbor in the same region they leave their old subregions and join the new subregion that contains the true CIST regional root This action causes all subregions to shrink except for the subregion that contains the true CIST regional root All switches in the MST region must agree on the same CIST regional root...

Page 148: ... to communicate with 802 1D only switches MST switches use MST BPDUs to communicate with MST switches MST Terminology MST naming conventions include identification of some internal or regional parameters These parameters are used only within an MST region compared to external parameters that are used throughout the whole network Because the CIST is the only spanning tree instance that spans the wh...

Page 149: ...alue When a switch receives this BPDU it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs that it generates When the count reaches zero the switch discards the BPDU and ages the information held for the port The message age and maximum age information in the 802 1w portion of the BPDU remain the same throughout the region only on ...

Page 150: ...dging loop Switch A is the root bridge and its BPDUs are lost on the link leading to switch B Rapid PVST 802 1w and MST BPDUs include the role and state of the sending port With this information switch A can detect that switch B does not react to the superior BPDUs that it sends and that switch B is the designated not root port As a result switch A blocks or keeps blocking its port which prevents ...

Page 151: ...can send either Version 0 configuration and topology change notification TCN BPDUs or Version 3 MST BPDUs on a boundary port A boundary port connects to a LAN the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration Note MST interoperates with the Cisco prestandard MSTP whenever it receives prestandard MSTP on an MST port no explicit con...

Page 152: ...lation Globally page 1 23 Configuring PVST Simulation Per Port page 1 23 Specifying the Link Type page 1 24 Restarting the Protocol page 1 25 MST Configuration Guidelines When configuring MST follow these guidelines When you work with private VLANs enter the private vlan synchronize command to map the secondary VLANs to the same MST instance as the primary VLAN When you are in the MST configuratio...

Page 153: ...o view the resulting configuration does not display the command that you entered to enable STP Entering MST Configuration Mode You enter MST configuration mode to configure the MST name VLAN to instance mapping and MST revision number on the switch For two or more switches to be in the same MST region they must have the identical MST name VLAN to instance mapping and MST revision number Note Each ...

Page 154: ...idge For two or more bridges to be in the same MST region they must have the identical MST name VLAN to instance mapping and MST revision number Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode on the system You must be in the MST configuration submode to assign the MST configuration par...

Page 155: ... two or more switches to be in the same MST region they must have the same VLAN to instance mapping the same configuration revision number and the same MST name A region can have one member or multiple members with the same MST configuration each member must be capable of processing IEEE 802 1w RSTP BPDUs There is no limit to the number of MST regions in a network but each region can support only ...

Page 156: ...de switch config spanning tree mst configuration switch config mst instance 1 vlan 10 20 switch config mst name region1 switch config mst revision 1 switch config mst show pending Pending MST configuration Name region1 Revision 1 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode Step 3 sw...

Page 157: ...rminal switch config spanning tree mst configuration switch config mst instance 3 vlan 200 To unmap VLAN to MST instances perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst configuration Enters MST configuration submode Step 3 switch config mst instance instance id vlan vlan range Maps VLANs to an MST instance as foll...

Page 158: ... switch as the spanning tree primary root bridge Enter the diameter keyword which is available only for MSTI 0 or the IST to specify the network diameter that is the maximum number of hops between any two end stations in the network When you specify the network diameter the switch automatically sets an optimal hello time forward delay time and maximum age time for a network of that diameter which ...

Page 159: ...tree mst root primary global configuration command Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id root primary secondary diameter dia hello time hello time Configures a switch as the root bridge as follows For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instanc...

Page 160: ...er in the forwarding state and blocks the other interfaces To configure the port priority perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id root primary secondary diameter dia hello time hello time Configures a switch as the secondary root bridge as follows For instance id you can specify a single instanc...

Page 161: ...s that you want selected last If all interfaces have the same cost value MST puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Note MST uses the long pathcost calculation method To configure the port cost perform this task Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interf...

Page 162: ...you enter the spanning tree mst root primary and the spanning tree mst root secondary global configuration commands to modify the switch priority Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if spanning tree mst instance id cost cost auto Configures the cost If a loop occurs MST us...

Page 163: ... switch to 1 second switch configure terminal switch config spanning tree mst hello time 1 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config spanning tree mst instance id priority priority value Configures a switch priority as follows For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances s...

Page 164: ...erminal switch config spanning tree mst max age 40 Configuring the Maximum Hop Count MST uses the path cost to the IST regional root and a hop count mechanism similar to the IP time to live TTL mechanism You configure the maximum hops inside the region and apply it to the IST and all MST instances in that region The hop count achieves the same result as the message age information triggers a recon...

Page 165: ... and Rapid PVST MST interoperates seamlessly with Rapid PVST However to prevent an accidental connection to a switch that does not run MST as the default STP mode you may want to disable this automatic feature If you disable PVST simulation the MST enabled port moves to the blocking state once it detects it is connected to a Rapid PVST enabled port This port remains in the inconsistent state until...

Page 166: ...figure terminal Enters configuration mode Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if spanning tree mst simulate pvst disable Disables specified interfaces from automatically interoperating with connected switch that is running in Rapid PVST mode By default all interfaces on th...

Page 167: ...negotiation force the renegotiation with neighboring switches on the entire switch or on specified interfaces To restart the protocol perform this task This example shows how to restart MST on the Ethernet interface on slot 2 port 8 switch clear spanning tree detected protocol interface ethernet 2 8 Verifying MST Configurations To display MST configuration information perform one of the following ...

Page 168: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 26 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring MST Verifying MST Configurations ...

Page 169: ...of these features can be applied either globally or on specified interfaces Note Spanning tree is used to refer to IEEE 802 1w and IEEE 802 1s If the text is discussing the IEEE 802 1D Spanning Tree Protocol 802 1D is stated specifically This chapter includes the following sections Information About STP Extensions page 1 1 Configuring STP Extensions page 1 5 Verifying STP Extension Configuration p...

Page 170: ... as the Cisco proprietary feature PortFast Interfaces that are connected to hosts should not receive STP Bridge Protocol Data Units BPDUs Note If you configure a port connected to another switch set as an edge port you might create a bridging loop Spanning Tree Network Ports Network ports are connected only to switches or bridges Bridge Assurance is enabled only on network ports Note If you mistak...

Page 171: ...en they receive a BPDU BPDU Guard provides a secure response to invalid configurations because you must manually put the LAN interface back in service after an invalid configuration Note When enabled globally BPDU Guard applies to all operational spanning tree edge interfaces Understanding BPDU Filtering You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on speci...

Page 172: ...puts the port into an inconsistent state blocking until the port starts to receive BPDUs again A port in the inconsistent state does not transmit BPDUs If the port receives BPDUs again the protocol removes its loop inconsistent condition and the STP determines the port state because such recovery is automatic Loop Guard isolates the failure and allows STP to converge to a stable topology without t...

Page 173: ...consistent STP state In this way Root Guard enforces the position of the root bridge You cannot configure Root Guard globally Note You can enable Root Guard on all spanning tree port types normal edge and network ports Configuring STP Extensions This section includes the following topics STP Extensions Configuration Guidelines page 1 5 Configuring Spanning Tree Port Types Globally page 1 6 Configu...

Page 174: ...t types globally perform this task This example shows how to configure all access and trunk ports connected to hosts as spanning tree edge ports switch configure terminal switch config spanning tree port type edge default This example shows how to configure all ports connected to switches or bridges as spanning tree network ports switch configure terminal switch config spanning tree port type netw...

Page 175: ...port type edge default command in global configuration mode If you do not configure the edge ports globally the no spanning tree port type command is equivalent to the spanning tree port type disable command Before you configure the spanning port type you should do the following Ensure that STP is configured Ensure that the interface is connected to hosts To configure spanning tree edge ports on a...

Page 176: ...ng Ensure that STP is configured Ensure that the interface is connected to switches or routers To configure spanning tree network ports on a specified interface perform this task This example shows how to configure the Ethernet interface 1 4 to be a spanning tree network port switch configure terminal switch config interface ethernet 1 4 switch config if spanning tree port type network Enabling BP...

Page 177: ...erational edge port and if the spanning tree port type edge bpduguard default command is configured Before you configure this feature you should do the following Ensure that STP is configured To enable BPDU Guard on an interface perform this task This example shows how to explicitly enable BPDU Guard on the Ethernet edge port 1 4 switch configure terminal switch config interface ethernet 1 4 switc...

Page 178: ...inkup before they effectively filter outbound BPDUs If a BPDU is received on an edge port it immediately loses its operational edge port status and BPDU Filtering is disabled To enable BPDU Filtering globally perform this task This example shows how to enable BPDU Filtering on all operational spanning tree edge ports switch configure terminal switch config spanning tree port type edge bpdufilter d...

Page 179: ...nd Before you configure this feature you should do the following Ensure that STP is configured Note When you enable BPDU Filtering locally on a port this feature prevents the device from receiving or sending BPDUs on this port To enable BPDU Filtering on an interface perform this task This example shows how to explicitly enable BPDU Filtering on the Ethernet spanning tree edge port 1 4 switch conf...

Page 180: ...Loop Guard on all spanning tree normal or network ports switch configure terminal switch config spanning tree loopguard default Enabling Loop Guard or Root Guard on Specified Interfaces Note You can run Loop Guard on spanning tree normal or network ports You can run Root Guard on all spanning tree ports normal edge or network You can enable either Loop Guard or Root Guard on specified interfaces E...

Page 181: ...on information for the STP extensions perform one of the following tasks Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface type slot port Specifies the interface to configure and enter s the interface configuration mode Step 3 switch config if spanning tree guard loop root none Enables or disables either Loop Guard or Root Guard for the speci...

Page 182: ... b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring STP Extensions Verifying STP Extension Configuration ...

Page 183: ...nel by bundling compatible interfaces You can configure and run either static port channels or ports channels running the Link Aggregation Control Protocol LACP See Understanding LACP section on page 1 4 for information on LACP Any configuration changes that you apply to the port channel are applied to each member interface of that port channel For example if you configure Spanning Tree Protocol S...

Page 184: ...nel Modes section on page 1 6 Note You cannot change the mode from ON to Active or from ON to Passive You can create a port channel directly by creating the port channel interface or you can create a channel group that acts to aggregate individual ports into a bundle When you associate an interface with a channel group Cisco NX OS creates a matching port channel automatically if the port channel d...

Page 185: ...ith the interface joins a port channel as follows Description CDP LACP port priority Debounce Load Balancing Using Port Channels The Cisco NX OS load balances traffic across all operational interfaces in a port channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel Port channels provide load balancing ...

Page 186: ...ders page 1 7 LACP Enabled and Static Port Channels Differences page 1 7 Table 1 1 Port Channel Load Balancing Criteria Configuration Layer 2 Criteria Layer 3 Criteria Layer 4 Criteria Destination MAC Destination MAC Destination MAC Destination MAC Source MAC Source MAC Source MAC Source MAC Source and destination MAC Source and destination MAC Source and destination MAC Source and destination MAC...

Page 187: ... that runs LACP has an LACP system priority value You can accept the default value of 32768 for this parameter or you can configure a value between 1 and 65535 LACP uses the system priority with the MAC address to form the system ID and also uses the system priority during negotiation with other devices A higher system priority value means a lower priority Note The LACP system ID is the combinatio...

Page 188: ... in either the active or passive channel mode Table 1 2 describes the channel modes Both the passive and active modes allow LACP to negotiate between ports to determine if they can form a port channel based on criteria such as the port speed and the trunking state The passive mode is useful when you do not know whether the remote system or partner supports LACP Ports can form an LACP port channel ...

Page 189: ...tween port channels with LACP enabled and static port channels Configuring Port Channels You can configure multiple port channels on a device This section includes the following topics Creating a Port Channel page 1 7 Adding a Port to a Port Channel page 1 8 Configuring Load Balancing Using Port Channels page 1 9 Enabling LACP page 1 10 Configuring Port Channel Port Modes page 1 10 Configuring the...

Page 190: ... 1 to 4096 Cisco NX OS automatically creates the channel group if it does not already exist Note Enter an unused channel number to create a new port channel for Ethernet ports To view the range of used and unused channel numbers use the show port channel usage command Command Purpose switch config no interface port channel channel number Removes the port channel and deletes the associated channel ...

Page 191: ... balancing for port channels switch configure terminal switch config port channel load balance ethernet source ip To restore the default load balancing algorithm of source dest mac for non IP traffic and source dest ip for IP traffic perform this task 1 This is called implicit port channel creation Command Purpose switch config no channel group Removes the port from the channel group The port reve...

Page 192: ...d to the spanning tree as a single bridge port To enable LACP perform this task This example shows how to enable LACP switch configure terminal switch config feature lacp Configuring Port Channel Port Modes After you enable LACP you can configure the channel mode for each individual link in the LACP port channel as active or passive This channel configuration mode allows the link to operate with L...

Page 193: ...ACP you can configure each link in the LACP port channel for the port priority To configure the LACP link mode and port priority perform this task Step 3 switch config if channel group number mode active on passive Specifies the port mode for the link in a port channel After LACP is enabled you configure each link or the entire channel as active or passive When you run port channels with no associ...

Page 194: ...32768 Command Purpose Command Purpose switch show interface port channel channel number Displays the status of a port channel interface switch show system internal clis feature Displays enabled features switch show lacp counters interface type slot port neighbor port channel system identifier Displays LACP information switch show port channel compatibility parameters Displays the parameters that m...

Page 195: ...Interfaces This section includes the following topics Understanding Access and Trunk Interfaces page 1 1 Understanding IEEE 802 1Q Encapsulation page 1 2 Understanding Access VLANs page 1 3 Understanding the Native VLAN ID for Trunk Ports page 1 3 Understanding Allowed VLANs page 1 4 Note Cisco NX OS supports only IEEE 802 1Q type VLAN trunk encapsulation Understanding Access and Trunk Interfaces ...

Page 196: ...ess port receives a packet with an 802 1Q tag in the header other than the access VLAN value that port drops the packet without learning its MAC source address Note An Ethernet interface can function as either an access port or a trunk port it cannot function as both port types simultaneously Understanding IEEE 802 1Q Encapsulation A trunk is a point to point link between the device and another ne...

Page 197: ... the new VLAN You must create the VLAN before you can assign it as an access VLAN for an access port If you change the access VLAN on an access port to a VLAN that is not yet created the system will shut that access port down If an access port receives a packet with an 802 1Q tag in the header other than the access VLAN value that port drops the packet without learning its MAC source address Under...

Page 198: ...ing tree protocol STP topology for the default VLAN you can remove VLAN1 from the list of allowed VLANs Otherwise VLAN1 which is enabled on all ports by default will have a very big STP topology which can result in problems during STP convergence When you remove VLAN1 all data traffic for VLAN1 on this port is blocked but the control traffic continues to move on the port Configuring Access and Tru...

Page 199: ...nel interfaces and Chapter 1 Configuring Rapid PVST for complete information on the Spanning Tree Protocol Ensure that you are configuring the correct interface to an interface that is an end station To configure an access host port perform this task Step 3 switch config if switchport mode access trunk Sets the interface as a nontrunking nontagged single VLAN Ethernet interface An access port can ...

Page 200: ... how to set Ethernet 3 1 as an Ethernet trunk port switch configure terminal switch config interface ethernet 3 1 switch config if switchport mode trunk Configuring the Native VLAN for 802 1Q Trunking Ports If you do not configure this parameter the trunk port uses the default VLAN as the native VLAN ID To configure native VLAN for a 802 1Q trunk port perform this task Command Purpose Step 1 switc...

Page 201: ... switchport trunk allow vlan 15 20 Step 2 switch config interface type slot port port channel number Specifies an interface to configure and enters interface configuration mode Step 3 switch config if switchport trunk native vlan vlan id Sets the native VLAN for the 802 1Q trunk Valid values are from 1 to 4094 except those VLANs reserved for internal use The default value is VLAN1 Command Purpose ...

Page 202: ...Interface Configuration Verifying Interface Configuration To display access and trunk interface configuration information perform one of these tasks Command Purpose switch show interface Displays the interface configuration switch show interface switchport Displays information for all Ethernet interfaces including access and trunk interfaces switch show interface brief Displays interface configura...

Page 203: ...AN ports of the same VLAN except the port that received the frame When the destination station replies the switch adds its relevant MAC source address and port ID to the address table The switch then forwards subsequent frames to a single LAN port without flooding all LAN ports You can also enter a MAC address which is termed a static MAC address into the table These static MAC entries are retaine...

Page 204: ...can use the mac address table static command to assign a static MAC address to a virtual interface Configuring the Aging Time for the MAC Table You can configure the amount of time that an entry the packet source MAC address and port that packet ingresses remain in the MAC table Note You can also configure MAC aging time in interface configuration mode or VLAN configuration mode Command Purpose St...

Page 205: ...nformation perform one of these tasks This example shows how to display the MAC address table switch show mac address table VLAN MAC Address Type Age Port 1 0018 b967 3cd0 dynamic 10 Eth1 3 1 001c b05a 5380 dynamic 200 Eth1 3 Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config mac address table aging time seconds vlan vlan_id Specifies the time before an...

Page 206: ...Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring the MAC Address Table Verifying the MAC Address Configuration Total MAC Addresses 2 This example shows how to display the current aging time switch show mac address table aging time Vlan Aging Time 1 300 13 300 42 300 ...

Page 207: ...sing the interface information IGMP snooping can reduce bandwidth consumption in a multi access LAN environment to avoid flooding the entire VLAN The IGMP snooping feature tracks which ports are attached to multicast capable routers to help it manage the forwarding of IGMP membership reports The IGMP snooping software responds to topology change notifications Note IGMP snooping is supported on all...

Page 208: ...bership report suppression which means that if two hosts on the same subnet want to receive multicast data for the same group then the host that receives a member report from the other host suppresses sending its report Membership report suppression occurs for hosts that share a port If no more than one host is attached to each VLAN switch port then you can configure the fast leave feature in IGMP...

Page 209: ... IGMP Forwarding The control plane of the Cisco Nexus 5000 Series switch is able to detect IP addresses but forwarding occurs using the MAC address only When a host connected to the switch wants to join an IP multicast group it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from a connected router it forwards ...

Page 210: ...nterval Sets the interval that the software waits after sending an IGMP query to verify that no hosts that want to receive a particular multicast group remain on a network segment If no hosts respond before the last member query interval expires the software removes the group from the associated VLAN port Values range from 1 to 25 seconds The default is 1 second Snooping querier Configures a snoop...

Page 211: ...citly tracked because of the host report suppression mechanism of the IGMPv2 protocol When you enable fast leave the IGMP software assumes that no more than one host is present on each VLAN port The default is disabled for all VLANs switch config vlan ip igmp snooping last member query interval seconds Removes the group from the associated VLAN port if no hosts respond to an IGMP query message bef...

Page 212: ...bled Explicit tracking enabled Fast leave disabled Report suppression enabled Router port detection using PIM Hellos IGMP Queries Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config no ip igmp snooping Globally disables IGMP snooping The default is enabled Note If the global setting is disabled then all VLANs are treated as disabled whether they are enab...

Page 213: ...s 0 Number of groups 0 IGMP Snooping information for vlan 5 IGMP snooping enabled IGMP querier present address 172 16 24 1 version 3 Querier interval 125 secs Querier last member query interval 10 secs Querier robustness 2 Switch querier enabled address 172 16 24 1 currently running Explicit tracking enabled Fast leave enabled Report suppression enabled Router port detection using PIM Hellos IGMP ...

Page 214: ...d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring IGMP Snooping Verifying IGMP Snooping Configuration ...

Page 215: ...g network performance You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast multicast or unknown unicast traffic storm on physical interfaces Traffic storm control also called traffic suppression allows you to monitor the levels of the incoming broadcast multicast and unicast traffic over a 10 microsecond interval During this interval the traffic leve...

Page 216: ... affect the operation of traffic storm control The following are examples of how traffic storm control operation is affected If you enable broadcast traffic storm control and broadcast traffic exceeds the level within the 10 microsecond interval traffic storm control drops all broadcast traffic until the end of the interval If you enable multicast traffic storm control and the multicast traffic ex...

Page 217: ...sk This example shows how to configure unicast traffic storm control for Ethernet interface 1 4 switch configure terminal switch config interface ethernet 1 4 switch config if storm control unicast level 40 Verifying Traffic Storm Control Configuration To display traffic storm control configuration information perform one of these tasks Displaying Traffic Storm Control Counters You can display the...

Page 218: ...e Configuration The following example shows how to configure traffic storm control switch configure terminal switch config interface ethernet 1 4 switch config if storm control broadcast level 40 switch config if storm control multicast level 40 switch config if storm control unicast level 40 Default Settings Table 1 1 lists the default settings for traffic storm control parameters Command Purpose...

Page 219: ...Accounting Log page 1 13 Verifying AAA Configuration page 1 13 Example AAA Configuration page 1 13 Default Settings page 1 14 Information About AAA This section includes the following topics AAA Security Services page 1 1 Benefits of Using AAA page 1 2 Remote AAA Services page 1 3 AAA Server Groups page 1 3 AAA Service Configuration Options page 1 3 Authentication and Authorization Process for Use...

Page 220: ...r TACACS servers Authorization Provides access control AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform Authorization in Nexus 5000 Series switches is provided by attributes that are downloaded from AAA servers Remote security servers such as RADIUS and TACACS authorize users for specific rights by associating attribute value A...

Page 221: ...nd the next remote server in the group is tried until one of the servers sends a response If all the AAA servers in the server group fail to respond then that server group option is considered a failure If required you can specify multiple server groups If a Nexus 5000 Series switch encounters errors from the servers in the first group it tries the servers in the next server group AAA Service Conf...

Page 222: ...le login options 2 When you have configured the AAA server groups using the server group authentication method the Nexus 5000 Series switch sends an authentication request to the first AAA server in the group as follows a If the AAA server fails to respond then the next AAA server is tried and so on until the remote server responds to the authentication request b If all AAA servers in the server g...

Page 223: ...ore server groups left means that there is no response from any server in all server groups No more servers left means that there is no response from any server within this server group Accept Access permitted Incoming access request to switch Failure No response Failure Access permitted Local Success Denied access No more servers left Remote Found a RADIUS server 185099 Incoming access request to...

Page 224: ...l users with all numeric names If an all numeric username exists on an AAA server and is entered during login the Nexus 5000 Series switch will log in the user Configuring AAA To configure AAA authentication and accounting perform this task Step 1 If you want to use remote RADIUS or TACACS servers for authentication configure the hosts on your Nexus 5000 Series switch See Chapter 1 Configuring RAD...

Page 225: ...radius server host command to configure the host servers Use the aaa group server radius command to create a named group of servers Before you configure console login authentication methods configure RADIUS or TACACS server groups as needed To configure console login authentication methods perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch co...

Page 226: ...fault login authentication methods perform this task Step 4 switch show aaa authentication Optional Displays the configuration of the console login authentication methods Step 5 switch copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch conf...

Page 227: ...es switch uses Password Authentication Protocol PAP authentication between the Nexus 5000 Series switch and the remote server If you enable MSCHAP you need to configure your RADIUS server to recognize the MSCHAP vendor specific attributes VSAs See the Using AAA Server VSAs with Nexus 5000 Series Switches section on page 1 11 Table 1 3 describes the RADIUS VSAs required for MSCHAP Step 4 switch sho...

Page 228: ...ACACS server group for accounting Local Uses the local username or password database for accounting Note If you have configured server groups and the server groups do not respond by default the local database is used for authentication Before you configure AAA accounting default methods configure RADIUS or TACACS server groups as needed Table 1 3 MSCHAP RADIUS VSAs Vendor ID Number Vendor Type Num...

Page 229: ...eir own extended attributes that are not suitable for general use The Cisco RADIUS Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config aaa accounting default group group list local Configures default accounting method One or more server group names can be specified in a space separated list The group list argument consists of a space delimited list of gr...

Page 230: ...aces put it within double quotation marks The following attributes are supported by the Nexus 5000 Series switches roles Lists all the roles assigned to the user The value field is a string that stores the list of group names delimited by white space accountinginfo Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol This attribute...

Page 231: ...uthentication login default group radius aaa authentication login console group radius aaa accounting default group radius Command Purpose Step 1 switch show accounting log size start time year month day hh mm ss Displays the accounting log contents By default the command output contains up to 250 000 bytes of the accounting log You can use the size argument to limit command output The range is fr...

Page 232: ...iguring AAA Default Settings Default Settings Table 1 4 lists the default settings for AAA parameters Table 1 4 Default AAA Parameters Parameters Default Console authentication method local Default authentication method local Login authentication failure messages Disabled MSCHAP authentication Disabled Default accounting method local Accounting log display length 250 KB ...

Page 233: ...isplaying RADIUS Server Statistics page 1 14 Example RADIUS Configuration page 1 15 Default Settings page 1 15 Information About RADIUS The RADIUS distributed client server system allows you to secure networks against unauthorized access In the Cisco implementation RADIUS clients run on the Nexus 5000 Series of switches and send authentication and accounting requests to a central RADIUS server tha...

Page 234: ... Per user profiles enable the Nexus 5000 Series switch to better manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service level agreements RADIUS Operation When a user attempts to log in and authenticate to a Nexus 5000 Series switch using RADIUS the following process occurs 1 The user is prompted for and enters a username and passwor...

Page 235: ...S Server States Note The monitoring interval for alive servers and dead servers are different and can be configured by the user The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server Vendor Specific Attributes The Internet Engineering Task Force IETF draft standard specifies a method for communicating vendor specific attributes VSA s between the net...

Page 236: ...S accounting protocol This attribute is sent only in the VSA portion of the Account Request frames from the RADIUS client on the switch It can be used only with the accounting protocol data units PDUs Prerequisites for RADIUS RADIUS has the following prerequisites Obtain IPv4 or IPv6 addresses or host names for the RADIUS servers Obtain preshared keys from the RADIUS servers Ensure that the Nexus ...

Page 237: ...RADIUS configuration procedure in more details Configuring RADIUS Server Hosts page 1 5 Configuring Global Preshared Keys page 1 6 Configuring RADIUS Server Preshared Keys page 1 7 Configuring RADIUS Server Groups page 1 8 Allowing Users to Specify a RADIUS Server at Login page 1 9 Configuring the Global RADIUS Transmission Retry Count and Timeout Interval page 1 9 Configuring the RADIUS Transmiss...

Page 238: ...ared keys obtain the preshared key values for the remote RADIUS servers and perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config radius server host ipv4 address ipv6 address host name Specifies the IPv4 or IPv6 address or hostname for a RADIUS server Step 3 switch config exit Exits configuration mode Step 4 switch show radius server Opti...

Page 239: ...ys are saved in encrypted form in the running configuration Use the show running config command to display the encrypted preshared keys Step 5 switch copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config radius server host ipv4 address ...

Page 240: ...d Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config aaa group server radius group name Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group The group name argument is a case sensitive alphanumeric string with a maximum length of 127 characters Step 3 switch config radius server ipv4 address ipv6 address server n...

Page 241: ...User specified logins are only supported for Telnet sessions To allow users to specify a RADIUS server at login perform this task Configuring the Global RADIUS Transmission Retry Count and Timeout Interval You can configure a global retransmission retry count and timeout interval for all RADIUS servers By default a switch retries transmission to a RADIUS server only once before reverting to local ...

Page 242: ... 1 and the range is from 0 to 5 Step 3 switch config radius server timeout seconds Specifies the transmission timeout interval for RADIUS servers The default timeout interval is 5 seconds and the range is from 1 to 60 seconds Step 4 switch config exit Exits configuration mode Step 5 switch show radius server Optional Displays the RADIUS server configuration Step 6 switch copy running config startu...

Page 243: ...up config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config radius server host ipv4 address ipv6 address host name acct port udp port Optional Specifies a UDP port to use for RADIUS accounting messages The default UDP port is 1812 The range is from 0 to 65535 Step 3 ...

Page 244: ...e timer specifies the interval during which a RADIUS server receives no requests before the Nexus 5000 Series switch sends out a test packet Note The default idle timer value is 0 minutes When the idle time interval is 0 minutes the Nexus 5000 Series switch does not perform periodic RADIUS server monitoring To configure periodic RADIUS server monitoring perform this task Command Purpose Step 1 swi...

Page 245: ...its after declaring a RADIUS server is dead before sending out a test packet to determine if the server is now alive The default value is 0 minutes Note When the dead time interval is 0 minutes RADIUS servers are not marked as dead even if they are not responding You can configure the dead time interval for a RADIUS server group see the Configuring RADIUS Server Groups section on page 1 8 To confi...

Page 246: ...mand Reference Displaying RADIUS Server Statistics To display the statistics the Cisco Nexus 5000 Series switch maintains for RADIUS server activity perform this task Command Purpose Step 1 switch test aaa server radius ipv4 address ipv6 address server name vrf vrf name username password Sends a test message to a RADIUS server to confirm availability Step 1 switch test aaa group group name usernam...

Page 247: ... how to configure RADIUS radius server key 7 ToIkLhPpG radius server host 10 10 1 1 key 7 ShMoMhTl authentication accounting aaa group server radius RadServer server 10 10 1 1 use vrf management Default Settings Table 1 1 lists the default settings for RADIUS parameters Table 1 1 Default RADIUS Parameters Parameters Default Server roles Authentication and accounting Dead timer interval 0 minutes R...

Page 248: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 16 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring RADIUS Default Settings ...

Page 249: ...ch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You must have access to and must configure a TACACS server before the configured TACACS features on your Nexus 5000 Series switch are available TACACS provides for separate authentication authorization and accounting facilities TACACS allows for a single access control server th...

Page 250: ... combination but may include prompts for other items such as the user s mother s maiden name 2 The Nexus 5000 Series switch will receive one of the following responses from the TACACS daemon ACCEPT User authentication succeeds and service begins If the Nexus 5000 Series switch requires user authorization authorization begins REJECT User authentication failed The TACACS daemon either denies further...

Page 251: ...xus 5000 Series switch can periodically monitor an TACACS server to check whether it is responding or alive to save time in processing AAA requests The Nexus 5000 Series switch marks unresponsive TACACS servers as dead and does not send AAA requests to any dead TACACS servers A Nexus 5000 Series switch periodically monitors dead TACACS servers and brings them to the alive state once they are respo...

Page 252: ...witch Configuring TACACS This section includes the following topics TACACS Server Configuration Process page 1 5 Enabling TACACS page 1 5 Configuring TACACS Server Hosts page 1 6 Configuring Global Preshared Keys page 1 6 Configuring TACACS Server Preshared Keys page 1 7 Configuring TACACS Server Groups page 1 8 Specifying a TACACS Server at Login page 1 9 Configuring the Global TACACS Timeout Int...

Page 253: ...TACACS Server Groups section on page 1 8 and the Configuring AAA section on page 1 6 Step 5 If needed configure any of the following optional parameters Dead time interval Allow TACACS server specification at login Timeout interval See the Configuring the Global TACACS Timeout Interval section on page 1 10 TCP port See the Configuring TCP Ports section on page 1 11 Step 6 If needed configure perio...

Page 254: ...on on page 1 5 Obtain the IPv4 or IPv6addresses or the hostnames for the remote TACACS servers To configure TACACS server hosts perform this task You can delete a TACACS server host from a server group Configuring Global Preshared Keys You can configure preshared keys at the global level for all servers used by the Nexus 5000 Series switch A preshared key is a shared secret text string between the...

Page 255: ...eshared key for all TACACS servers You can specify a clear text 0 or encrypted 7 preshared key The default format is clear text The maximum length is 63 characters By default no preshared key is configured Step 3 switch config exit Exits configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server configuration Note The preshared keys are saved in encrypted form in the r...

Page 256: ...configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server configuration Note The preshared keys are saved in encrypted form in the running configuration Use the show running config command to display the encrypted preshared keys Step 5 switch copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Comma...

Page 257: ...is option the user can log in as username hostname where hostname is the name of a configured RADIUS server Note User specified logins are only supported for Telnet sessions To specify a TACACS server at login perform this task Step 5 switch config tacacs exit Exits configuration mode Step 6 switch config show tacacs server groups Optional Displays the TACACS server group configuration Step 7 swit...

Page 258: ...rpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config tacacs server timeout seconds Specifies the timeout interval for TACACS servers The default timeout interval is 5 second and the range is from 1 to 60 seconds Step 3 switch config exit Exits configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server configuration Step 5 switch copy ru...

Page 259: ...Series switch sends out a test packet You can configure this option to test servers periodically or you can run a one time only test Note To protect network security we recommend that you use a user name that is not the same as an existing username in the TACACS database The test idle timer specifies the interval in which a TACACS server receives no requests before the Nexus 5000 Series switch sen...

Page 260: ...p see the Configuring TACACS Server Groups section on page 1 8 To configure the dead time interval for all TACACS servers perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config tacacs server host ipv4 address ipv6 address host name test idle time minutes password password idle time minutes username name password password idle time minutes ...

Page 261: ...h configure terminal Enters configuration mode Step 2 switch config tacacs server deadtime minutes Configures the global dead time interval The default value is 0 minutes The range is from 1 to 1440 minutes Step 3 switch config exit Exits configuration mode Step 4 switch show tacacs server Optional Displays the TACACS server configuration Step 5 switch copy running config startup config Optional C...

Page 262: ...ow to configure TACACS feature tacacs tacacs server key 7 ToIkLhPpG tacacs server host 10 10 2 2 key 7 ShMoMhTl aaa group server tacacs TacServer server 10 10 2 2 use vrf management Step 3 switch config exit Exits configuration mode Step 4 switch copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch s...

Page 263: ...apter 1 Configuring TACACS Default Settings Default Settings Table 1 1 lists the default settings for TACACS parameters Table 1 1 Default TACACS Parameters Parameters Default TACACS Disabled Dead timer interval 0 minutes Timeout interval 5 seconds Idle timer interval 0 minutes Periodic server monitoring username test Periodic server monitoring password test ...

Page 264: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 16 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring TACACS Default Settings ...

Page 265: ...lnet page 1 7 Verifying the SSH and Telnet Configuration page 1 9 SSH Example Configuration page 1 9 Default Settings page 1 10 Information About SSH and Telnet This section includes the following topics SSH Server page 1 1 SSH Client page 1 2 SSH Server Keys page 1 2 Telnet Server page 1 2 SSH Server The SSH server feature enables a SSH client to make a secure encrypted connection to a Nexus 5000...

Page 266: ...A public key cryptography SSH version 2 using the Digital System Algrorithm DSA Be sure to have an SSH server key pair with the appropriate version before enabling the SSH service You can generate the SSH server key pair according to the SSH client version used The SSH service accepts three types of key pairs for use by SSH version 2 The dsa option generates the DSA key pair for the SSH version 2 ...

Page 267: ... Devices page 1 6 Clearing SSH Hosts page 1 6 Disabling the SSH Server page 1 6 Deleting SSH Server Keys page 1 7 Clearing SSH Sessions page 1 7 Generating SSH Server Keys You can generate an SSH server key based on your security requirements The default SSH server key is an RSA key generated using 1024 bits To generate SSH server keys perform this task Command Purpose Step 1 switch configure term...

Page 268: ... accounts To specify the SSH public keys in open SSH format generate an SSH public key in open SSH format and perform this task The following example shows how to specify an SSH public keys in open SSH format switch configure terminal switch config switch config username User1 sshkey ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G 3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf DQhum lJNqJP eLow...

Page 269: ...M formatted Public Key Certificate form generate an SSH public key in PEM Formatted Public Key Certificate form and perform this task Command Purpose Step 1 switch copy server file bootflash filename Downloads the file containing the SSH key in IETF SECSH format from a server The server can be FTP SCP SFTP or TFTP Step 2 switch configure terminal Enters configuration mode Step 3 switch config user...

Page 270: ...r the list of trusted SSH servers for your user account perform this task Disabling the SSH Server By default the SSH server is enabled on the Nexus 5000 Series switch To disable the SSH server to prevent SSH access to the switch perform this task Command Purpose Step 1 switch ssh hostname username hostname vrf vrf name Creates an SSH session to a remote device The hostname argument can be an IPv4...

Page 271: ...lnet Sessions to Remote Devices page 1 8 Clearing SSH Sessions page 1 7 Enabling the Telnet Server By default the Telnet server is enabled To disable the Telnet server on your Nexus 5000 Series switch perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config no feature ssh Enable disables the SSH server Step 3 switch config no ssh key dsa rsa...

Page 272: ...switch perform this task The following example shows starting a Telnet session to connect to a remote device switch telnet 10 10 1 1 Trying 10 10 1 1 Connected to 10 10 1 1 Escape character is switch login Clearing Telnet Sessions To clear Telnet sessions from the Nexus 5000 Series switch perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch con...

Page 273: ...ZKr MZm99n2U0 ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39HmXL6VgpRVn1XQFiBwn4 na H1d3Q0hDt uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE bitcount 1024 fingerprint 51 6d de 1c c3 29 50 88 df cc 95 f0 15 5d 9a df could not retrieve dsa key information Step 4 Specify the SSH public key in Open SSH format switch config username User1 sshkey ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G 3f1Xsw...

Page 274: ...figuration Guide OL 16597 01 Chapter 1 Configuring SSH and Telnet Default Settings Default Settings Table 1 1 lists the default settings for SSH parameters Table 1 1 Default SSH Parameters Parameters Default SSH server Enabled SSH server key RSA key generated with 1024 bits RSA key bits for generation 1024 Telnet server Enabled ...

Page 275: ...nditions of all rules The first match determines whether the packet is permitted or denied If there is no match the switch applies the applicable default rule The switch continues processing packets that are permitted and drops packets that are denied For more information see the Implicit Rules section on page 1 3 You can use ACLs to protect networks and specific hosts from unnecessary or unwanted...

Page 276: ... 1 2 Implicit Rules page 1 3 Additional Filtering Options page 1 3 Sequence Numbers page 1 3 Logical Operators and Logical Operation Units page 1 4 Source and Destination In each rule you specify the source and the destination of the traffic that matches the rule You can specify both the source and destination as a specific host a network or group of hosts or any host Protocols ACLs allow you to i...

Page 277: ...int DSCP value TCP packets with the ACK FIN PSH RST SYN or URG bit set Established TCP connections Sequence Numbers The switch supports sequence numbers for rules Every rule that you enter receives a sequence number either assigned by you or assigned automatically by the switch Sequence numbers simplify the following ACL tasks Adding new rules between existing rules By specifying the sequence numb...

Page 278: ...of boundary values The following guidelines determine when the switch stores operator operand couples in LOUs If the operator or operand differs from other operator operand couples that are used in other rules the couple is stored in an LOU For example the operator operand couples gt 10 and gt 11 would be stored separately in half an LOU each The couples gt 10 and lt 10 would also be stored separa...

Page 279: ...s you can use the resequence command to reassign sequence numbers For more information see the Changing Sequence Numbers in an IP ACL section on page 1 7 Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config ip access list name Creates the IP ACL and enters IP ACL configuration mode The name argument can be up to 64 characters Step 3 switch config a...

Page 280: ... rule in the IP ACL Using a sequence number allows you to specify a position for the rule in the ACL Without a sequence number the rule is added to the end of the rules The sequence number argument can be a whole number between 1 and 4294967295 The permit and deny commands support many ways of identifying traffic For more information see the Cisco Nexus 5000 Series Command Reference Step 4 switch ...

Page 281: ...onfig Optional Displays ACL configuration The removed IP ACL should not appear Step 4 switch config copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config resequence ip access list name starting sequence number increment Assigns sequence numbers ...

Page 282: ...roup acl 01 in Applying an IP ACL as a VACL For information about configuring VACLs see Configuring VACLs section on page 1 15 Step 2 switch config interface ethernet slot port Enters interface configuration mode for the specified interface switch config interface port channel channel number Enters interface configuration mode for a port channel Step 3 switch config interface ethernet slot port sw...

Page 283: ...c access list is applicable to non IPv4 and non IPv6 traffic only To display or clear VACL statistics perform one of the following tasks For detailed information about these commands refer to the Cisco Nexus 5000 Series Command Reference Configuring MAC ACLs This section includes the following topics Creating a MAC ACL page 1 10 Changing a MAC ACL page 1 10 Command Purpose show running config Disp...

Page 284: ...tch config mac acl copy running config startup config Changing a MAC ACL In an existing MAC ACL you can add and remove rules You cannot change existing rules Instead to change a rule you can remove it and recreate it with the desired changes Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch mac access list name Creates the MAC ACL and enters ACL config...

Page 285: ...ve applied the ACL Instead the switch considers the removed ACL to be empty Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config mac access list name Enters ACL configuration mode for the ACL that you specify by name Step 3 switch config mac acl sequence number permit deny source destination protocol Optional Creates a rule in the MAC ACL Using a s...

Page 286: ...ring IP ACLs section on page 1 4 Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config no mac access list name Removes the MAC ACL that you specify by name from the running configuration Step 3 switch config show mac access lists Optional Displays the MAC ACL configuration Step 4 switch config copy running config startup config Optional Copies the r...

Page 287: ...ed each rule Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config interface ethernet slot port Enters interface configuration mode for the specified interface switch config interface port channel channel number Enters interface configuration mode for a port channel interface Step 3 switch config if mac port access group access list Applies a MAC AC...

Page 288: ...e not defined by direction ingress or egress For more information about types and applications of ACLs see the Information About ACLs section on page 1 1 This section includes the following topics VACLs and Access Maps page 1 14 VACLs and Actions page 1 14 Statistics page 1 15 VACLs and Access Maps VACLs use access maps to link an IP ACL or a MAC ACL to an action The switch takes the configured ac...

Page 289: ...nformation about displaying VACL statistics see the Displaying and Clearing IP ACL Statistics section on page 1 9 Configuring VACLs This section includes the following topics Creating or Changing a VACL page 1 15 Removing a VACL page 1 16 Applying a VACL to a VLAN page 1 16 Verifying VACL Configuration page 1 17 Displaying and Clearing VACL Statistics page 1 17 Creating or Changing a VACL You can ...

Page 290: ...p forward Specifies the action that the switch applies to traffic that matches the ACL Step 5 switch config access map no statistics Optional Specifies that the switch maintains global statistics for packets matching the rules in the VACL The no option stops the switch from maintaining global statistics for the VACL Step 6 switch config access map show running config Optional Displays ACL configur...

Page 291: ... vlan list list Applies the VACL to the VLANs by the list that you specified The no option unapplies the VACL The vlan list command can specify a list of up to 32 vlans but multiple vlan list commands can be configured to cover more than 32 vlans Step 3 switch config show running config Optional Displays ACL configuration Step 4 switch config copy running config startup config Optional Copies the ...

Page 292: ...rs Table 1 4 lists the default settings for VACL parameters Table 1 2 Default IP ACLs Parameters Parameters Default IP ACLs No IP ACLs exist by default ACL rules Implicit rules apply to all ACLs See the Implicit Rules section on page 1 3 Table 1 3 Default MAC ACLs Parameters Parameters Default MAC ACLs No MAC ACLs exist by default ACL rules Implicit rules apply to all ACLs See the Implicit Rules s...

Page 293: ...nfiguration synchronization with other switches in the network to function correctly Synchronization through manual configuration at each switch in the network can be a tedious and error prone process Cisco Fabric Services CFS provides a common infrastructure for automatic configuration synchronization in the network It provides the transport function and a set of common services to the features C...

Page 294: ...elected set of VSANs Some features require configuration distribution over some specific VSANs These features can specify to CFS the set of VSANs over which to restrict the distribution Supports a merge protocol that facilitates the merge of feature configuration during a fabric merge event when two independent SAN fabrics merge CFS Distribution The CFS distribution functionality is independent of...

Page 295: ...that can be manipulated and distributed from multiple switches for example the port security configuration Unrestricted Uncoordinated Distributions Unrestricted uncoordinated distributions allow multiple parallel distributions in the network in the presence of an existing coordinated distribution Unrestricted uncoordinated distributions are allowed to run in parallel with all other types of distri...

Page 296: ...to distribute information over Fibre Channel first and then over the IP network if the first attempt over Fibre Channel fails CFS does not send duplicate messages if distribution over both IP and Fibre Channel is enabled Distribution over IP version 4 IPv4 or IP version 6 IPv6 Note CFS cannot distribute over both IPv4 and IPv6 from the same switch Keepalive mechanism to detect network topology cha...

Page 297: ... with Fibre Channel and IP Connections CFS Distribution over Fibre Channel For FCS distribution over Fibre Channel the CFS protocol layer resides on top of the FC2 layer CFS uses the FC2 transport services to send information to other switches CFS uses a proprietary SW_ILS 0x77434653 protocol for all CFS packets CFS packets are sent to or from the switch domain controller addresses CFS Distributio...

Page 298: ...y of the merge at the CFS layer This protocol runs per application per scope The protocol involves selecting one switch in a fabric as the merge manager for that fabric The other switches do not have a role in the merge process During a merge the merge manager in the two fabrics exchange their configuration databases with each other The application on one of them merges the information decides if ...

Page 299: ...cit commit operation to copy the changes in the temporary buffer to the application database to distribute the new database to the network and to release the network lock The changes in the temporary buffer are not applied if you do not perform the commit operation Enabling CFS for an Application All CFS based applications provide an option to enable or disable the distribution capabilities Applic...

Page 300: ...at requires a network lock but forget to end the session an administrator can clear the session If you lock a network at any time your user name is remembered across restarts and switchovers If another user on the same machine tries to perform configuration tasks that user s attempts are rejected Verifying CFS Lock Status The show cfs lock command displays all the locks that are currently acquired...

Page 301: ...nsiders this state a failure and does not apply the changes to any switch in the network The network lock is not released You can commit changes for a specified feature by entering the commit command for that feature Discarding Changes If you discard configuration changes the application flushes the pending database and releases locks in the network Both the abort and commit functions are only sup...

Page 302: ...all Home application triggers alerts to network administrators when a situation arises or something abnormal occurs When the network covers many geographies and there are multiple network administrators who are each responsible for a subset of switches in the network the Call Home application sends alerts to all network administrators regardless of their location For the Call Home application to s...

Page 303: ... originating region with NTP and Call Home applications assigned to it to Region 2 target region perform this task Note If you try adding an application to the same region more than once you see the error message Application already present in the same region Command Purpose Step 1 switch configure switch config Enters configuration mode Step 2 switch config cfs region region id Creates a region C...

Page 304: ...orm this task Note After Step 2 you see the warning All the applications in the region will be moved to the default region Configuring CFS Over IP The following sections provide information about configuring CFS over IP Enabling CFS Over IP page 1 12 Verifying the CFS Over IP Configuration page 1 13 Configuring IP Multicast Address for CFS over IP page 1 13 Verifying IP Multicast Address Configura...

Page 305: ...ol specific distributions such as the keepalive mechanism for detecting network topology changes use the IP multicast address to send and receive information Note CFS distributions for application data use directed unicast You can configure a CFS over IP multicast address value for either IPv4 or IPv6 The default IPv4 multicast address is 239 255 70 83 and the default IPv6 multicast address is ff1...

Page 306: ...figuration mode Step 2 switch config cfs ipv4 mcast address ipv4 address Distribution over this IP type will be affected Change multicast address for CFS IP Are you sure y n n y Configures the IPv4 multicast address for CFS distribution over IPv4 The ranges of valid IPv4 addresses are 239 255 0 0 through 239 255 255 255 and 239 192 16 through 239 251 16 switch config no cfs ipv4 mcast address ipv4...

Page 307: ...ic Domain Switch WWN IP Address 211 20 00 00 05 30 00 6b 9e 10 76 100 167 Merge Master 1 20 00 00 0e d7 00 3c 9e 10 76 100 169 Logical VSAN 3 Merge Status Success Local Fabric Domain Switch WWN IP Address 221 20 00 00 05 30 00 6b 9e 10 76 100 167 Merge Master 103 20 00 00 0e d7 00 3c 9e 10 76 100 169 The following example of the show cfs merge status name command output displays an application usi...

Page 308: ...20 00 00 05 30 01 1b c2 172 22 92 215 The following example show cfs peers name command output displays all the application peers all switches in which that application is registered The local switch is indicated as Local switch show cfs peers name port security Scope Logical VSAN 1 Domain Switch WWN IP Address 124 20 00 00 44 22 00 4a 9e 172 22 92 27 Local 98 20 00 00 05 30 01 1b c2 172 22 92 215...

Page 309: ...m 1 17 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Using Cisco Fabric Services Default Settings IPv4 multicast address 239 255 70 83 IPv6 multicast address ff15 efff 4653 Table 1 1 Default CFS Parameters continued Parameters Default ...

Page 310: ... d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 18 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Using Cisco Fabric Services Default Settings ...

Page 311: ...and RBAC Configuration page 1 9 Default Settings page 1 10 Information About User Accounts and RBAC You can create and manage users accounts and assign roles that limit access to operations on the Nexus 5000 Series switch RBAC allows you to define the rules for an assign role that restrict the authorization that the user has to access management operations This section includes the following topic...

Page 312: ...any consecutive characters such as abcd Does not contain many repeating characters such as aaabbb Does not contain dictionary words Does not contain proper names Contains both uppercase and lowercase characters Contains numbers The following are examples of strong passwords If2CoM18 2004AsdfLkj30 Cb1955S21 Note Clear text passwords can contain alphanumeric characters only Special characters such a...

Page 313: ...ault or user defined group of features Enter the show role feature group command to display the default feature groups available for this parameter These parameters create a hierarchical relationship The most basic control parameter is the command The next control parameter is the feature which represents all commands associated with the feature The last control parameter is the feature group The ...

Page 314: ...se Note A user account must have at least one user role Configuring User Accounts You can create a maximum of 256 user accounts on a Nexus 5000 Series switch User accounts have the following attributes Username Password Expiry date User roles User accounts can have a maximum of 64 user roles For more information on user roles see the Configuring RBAC section on page 1 5 Note Changes to user accoun...

Page 315: ...rule 2 which is applied before rule 1 To create user roles and specify rules perform this task Step 3 switch config username user id password password expire date role role name Configure a user account The user id argument is a case sensitive alphanumeric character string with a maximum length of 28 characters The default password is undefined Note If you do not specify a password the user might ...

Page 316: ...l Ethernet interfaces Repeat this command for as many rules as needed switch config role rule number deny permit read read write Configures a read only or read and write rule for all operations switch config role rule number deny permit read read write feature feature name Configures a read only or read and write rule for a feature Use the show role feature command to display a list of features Re...

Page 317: ...feature group configuration mode Step 4 switch config show role feature group Optional Displays the role feature group configuration Step 5 switch config copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config role name role name Specifies a user ...

Page 318: ...his task Step 7 switch config role show role Optional Displays the role configuration Step 8 switch config role copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config role name role name Specifies a user role and enters role confi...

Page 319: ... to allow access to all VSANs Step 4 switch config role vsan policy deny Enters role VSAN policy configuration mode Step 5 switch config role vsan permit vsan vsan list Specifies a range of VSANs that the role can access Repeat this command for as many VSANs as needed Step 6 switch config role vsan exit Exits role VSAN policy configuration mode Step 7 switch config role show role Example switch co...

Page 320: ...e feature group name Security features feature radius feature tacacs feature aaa feature acl feature access list Default Settings Table 1 1 lists the default settings for user accounts and RBAC parameters Table 1 1 Default User Accounts and RBAC Parameters Parameters Default User account password Undefined User account expiry date None Interface policy All interfaces are accessible VLAN policy All...

Page 321: ...ides a basic semantic check on your configuration Cisco NX OS returns an error if the semantic check fails on any part of the configuration Verification Verifies the configuration as a whole based on the existing hardware and software configuration and resources Cisco NX OS returns an error if the configuration does not pass this verification phase Commit Cisco NX OS verifies the complete configur...

Page 322: ... a configuration session and enters session configuration mode The name can be any alphanumeric string Step 2 switch config s show configuration session name Optional Displays the contents of the session Step 3 switch config s save location Optional Saves the session to a file The location can be in bootflash or volatile Command Purpose Step 1 switch configure session name Creates a configuration ...

Page 323: ... creates a configuration session for ACLs switch configure session name test2 switch config s ip access list acl2 switch config s acl permit tcp any any switch config s acl exit switch config s interface Ethernet 1 4 switch config s ip ip port access group acl2 in switch config s ip exit switch config s verify switch config s exit switch show configuration session test2 Command Purpose switch conf...

Page 324: ...anager Configuration Verifying Session Manager Configuration To verify Session Manager configuration information use the following commands Command Purpose show configuration session name Displays the contents of the configuration session show configuration session status name Displays the status of the configuration session show configuration session summary Displays a summary of all the configur...

Page 325: ...rmal switch operation This section includes the following topics Online Diagnostics Overview page 1 1 Bootup Diagnostics page 1 1 Health Monitoring Diagnostics page 1 2 Expansion Module Diagnostics page 1 3 Online Diagnostics Overview Cisco Nexus 5000 Series switches support bootup diagnostics and runtime diagnostics Bootup diagnostics include disruptive tests and nondisruptive tests that run duri...

Page 326: ...detect runtime hardware errors memory errors software faults and resource exhaustion Health monitoring diagnostics are nondisruptive and run in the background to ensure the health of a switch that is processing live network traffic Table 1 2 describes the health monitoring diagnostics for the switch Table 1 1 Bootup Diagnostics Diagnostic Description USB Flash Verifies the integrity of the USB fla...

Page 327: ...ecific to health monitoring diagnostics for expansion modules Table 1 3 Health Monitoring and Bootup Diagnostics Tests Diagnostic Description SPROM Verifies the integrity of backplane and supervisor SPROMs Fabric engine Tests the switch fabric ASICs Fabric port Tests the ports on the switch fabric ASIC Forwarding engine Tests the forwarding engine ASICs Forwarding engine port Tests the ports on th...

Page 328: ...omplete Verifying Online Diagnostics Configuration To display online diagnostics configuration information perform one of the following tasks Default Settings Table 1 6 lists the default settings for online diagnostics parameters Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config diagnostic bootup level complete bypass Configures the bootup diagn...

Page 329: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 5 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Online Diagnostics Default Settings ...

Page 330: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Online Diagnostics Default Settings ...

Page 331: ... system processes generate You can configure logging to terminal sessions a log file and syslog servers on remote systems By default the switch outputs messages to terminal sessions For information about configuring logging to terminal sessions see the Configuring System Message Logging to Terminal Sessions section on page 1 2 By default the switch logs system messages to a log file For informatio...

Page 332: ...he Cisco Fabric Services CFS to distribute the syslog server configuration For information about distributing the syslog server configuration see the Configuring syslog Server Configuration Distribution section on page 1 7 Note When the switch first initializes messages are sent to syslog servers only after the network is initialized Configuring System Message Logging This section includes the fol...

Page 333: ...erform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config logging console severity level Enables the switch to log messages to the console session based on a specified severity level or higher Severity levels which can range from 0 to 7 are listed in Table 1 1 If the severity level is not specified the default of 2 is used switch config no log...

Page 334: ...store system messages and the minimum severity level to log You can optionally specify a maximum file size The default severity level is 5 and the file size is 10485760 Severity levels are listed in Table 1 1 The file size is from 4096 to 10485760 bytes switch config no logging logfile logfile name severity level size bytes Disables logging to the log file Step 3 switch config show logging info Op...

Page 335: ...tch config logging level facility severity level Enables logging messages from the specified facility that have the specified severity level or higher Severity levels which range from 0 to 7 are listed in Table 1 1 To apply the same severity level to all facilities use the all facility For defaults see the show logging level command switch config no logging level facility severity level Resets the...

Page 336: ...low you to control the destination of messages based on their origin Note Check your configuration before using a local facility Level Minimum severity level at which messages are logged which can be debug info notice warning err crit alert emerg or an asterisk for all You can use none to disable a facility Action Destination for messages which can be a filename a host name preceded by the at sign...

Page 337: ...changes to the syslog server configuration Note If the switch is restarted the syslog server configuration changes that are kept in volatile memory may be lost To configure syslog server configuration distribution perform this task Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config logging distribute Enables distribution of syslog server configuration t...

Page 338: ...on about the current state of syslog server distribution and the last action taken Step 8 switch config copy running config startup config Optional Copies the running configuration to the startup configuration Command Purpose Command Purpose Step 1 switch show logging last number lines Displays the last number of lines in the logging file You can specify from 1 to 9999 for the last number of lines...

Page 339: ... configuration show logging info Displays the logging configuration show logging internal info Displays the syslog distribution information show logging last number lines Displays the last number of lines of the log file show logging level facility Displays the facility logging severity level configuration show logging logfile start time yyyy mmm dd hh mm ss end time yyyy mmm dd hh mm ss Displays ...

Page 340: ...the default settings for system message logging parameters Table 1 3 Default System Message Logging Parameters Parameters Default Console logging Enabled at severity level 2 Monitor logging Enabled at severity level 2 Log file logging Enabled to log messages at severity level 5 Module logging Enabled at severity level 5 Facility logging Enabled Time stamp units Seconds syslog server logging Disabl...

Page 341: ...ased notification of critical system events Nexus 5000 Series switches provide a range of message formats for optimal compatibility with pager services standard e mail or XML based automated parsing applications You can use this feature to page a network support engineer e mail a Network Operations Center or use Cisco Smart Call Home services to automatically generate a case with the Technical Ass...

Page 342: ... groups The group of alerts that trigger a specific Call Home message if the alert occurs One or more e mail destinations The list of receipents for the Call Home messages generated by alert groups assigned to this destination profile Message format The format for the Call Home message short text full text or XML Message severity level The Call Home severity level that the alert must meet before t...

Page 343: ...ined for Smart Call Home Execute commands based on the alert group that originates the alert Configuration Periodic events related to configuration show module show module fex show running config all show startup config show version Diagnostic Events generated by diagnostics show diagnostic result fex all show diagnostic result module all show diagnostic result module number show logging last numb...

Page 344: ...license usage show logging last number Linecard hardware Events related to standard or intelligent switching modules show diagnostic result module all show diagnostic result module number show module show prom all show tech support ethpm show tech support platform show tech support platform callhome show version Supervisor hardware Events related to supervisor modules show diagnostic result module...

Page 345: ...me message level Note Call Home does not change the syslog message level in the message text Table 1 2 lists each Call Home message level keyword and the corresponding syslog level for the syslog port alert group Obtaining Smart Call Home If you have a service contract directly with Cisco Systems you can register your devices for the Smart Call Home service Smart Call Home provides fast resolution...

Page 346: ...s security advisories and end of life information You need the following items to register The SMARTnet contract number for your switch Your e mail address Your Cisco com ID For more information about Smart Call Home see the Smart Call Home page at this location http www cisco com go smartcall Prerequisites for Call Home Call Home has the following prerequisites You must configure an e mail server...

Page 347: ...nfiguring Call Home To configure Call Home perform this task Step 1 Assign contact information Step 2 Configure destination profiles Step 3 Associate one or more alert groups to each profile Step 4 Optional Add additional show commands to the alert groups Step 5 Configure transport options Step 6 Enable Call Home Step 7 Optional Test Call Home messages Configuring Contact Information You must conf...

Page 348: ...aces Step 7 switch config callhome contract id contract number Optional Configures the contract number for this device from the service agreement The contract number can be up to 255 alphanumeric characters in free format Step 8 switch config callhome customer id customer number Optional Configures the customer number for this device from the service agreement The customer number can be up to 255 ...

Page 349: ... a predefined or user defined destination profile Destination address The actual address pertinent to the transport mechanism to which the alert should be sent Message formatting The message format used for sending the alert full text short text or XML Message level The Call Home message severity level for this destination profile Message size The allowed length of a Call Home message sent to the ...

Page 350: ...lhome destination profile name full txt destination short txt destination email addr address Configures an e mail address for a user defined or predefined destination profile Tip You can configure up to 50 e mail addresses in a destination profile Step 4 destination profile name full txt destination short txt destination message level number Example destination profile full txt destination message...

Page 351: ...me alert group All Configuration Diagnostic EEM Cisco TAC Environmental Inventory License Linecard Hardware Supervisor Hardware Syslog group port System Crash Test Associates an alert group with this destination profile Use the All keyword to associate all alert groups with the destination profile Step 4 switch config callhome show callhome destination profile profile name Optional Displays inform...

Page 352: ...onfiguration change Command Purpose Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config callhome Enters callhome configuration mode Step 3 switch config callhome transport email smtp server ip address port number use vrf vrf name Configures the SMTP server as either the domain name server DNS name IPv4 address or IPv6 address Optionally configures th...

Page 353: ...nfigure the periodic inventory messages to generate every 20 days switch configuration terminal switch config callhome switch config callhome periodic inventory notification interval 20 Disabling Duplicate Message Throttle You can limit the number of duplicate messages received for the same event By default the switch limits the number of duplicate messages received for the same event If the numbe...

Page 354: ...erate a test message to test your Call Home communications To generate a test Call Home message perform this task Command Purpose switch config callhome no duplicate message throttle Disables duplicate message throttling for Call Home Enabled by default Command Purpose switch config callhome enable Enables Call Home Disabled by default Command Purpose switch config callhome no enable Disables Call...

Page 355: ...profile full text destination message level 5 destination profile Noc101 alert group Configuration alert group Configuration user def cmd show ip routing transport email smtp server 192 0 2 10 use vrf Red enable commit Default Settings Table 1 3 lists the default settings for Call Home parameters Command Purpose show callhome Displays the status for Call Home show callhome destination profile name...

Page 356: ...for a User Generated Test Message Table 1 4 describes the short text formatting option for all message types Table 1 3 Default Call Home Parameters Parameters Default Destination message size for a message sent in full text format 4000000 Destination message size for a message sent in XML format 4000000 Destination message size for a message sent in short text format 4000 SMTP server port number i...

Page 357: ...kplane IDPROM is a separator character Sid is C identifying the serial ID as a chassis serial number serial is the number identified by the Sid field An example is WS C6509 C 12345678 aml header deviceId Customer ID Optional user configurable field used for contract information or other ID by any support service aml header customerID Contract ID Optional user configurable field used for contract i...

Page 358: ...mand output name Exact name of the issued CLI command aml attachments attachment name Attachment type Specific command output aml attachments attachment t ype MIME type Either plain text or encoding type aml attachments attachment mime Command output text Output of command automatically executed see Call Home Alert Groups section on page 1 2 aml attachments attachment atdata Table 1 5 Common Field...

Page 359: ...nly Table 1 7 Inserted Fields for an Inventory Event Message Data Item Plain Text and XML Description Plain Text and XML XML Tag XML Only Chassis hardware version Hardware version of the chassis aml body chassis hwVersion Supervisor module software version Top level software version aml body chassis swVersion FRU name Name of the affected FRU that is generating the event message aml body fru name ...

Page 360: ... a syslog port alert group notification From example Sent Wednesday April 25 2007 7 20 AM To User user Subject System Notification From Router syslog 2007 04 25 14 19 55 GMT 00 00 xml version 1 0 encoding UTF 8 soap env Envelope xmlns soap env http www w3 org 2003 05 soap envelope soap env Header aml session Session xmlns aml session http www example com 2004 01 aml session soap env mustUnderstand...

Page 361: ...eviceId WS C6509 C 69000101 ch DeviceId ch ContractData ch SystemInfo ch Name Router ch Name ch Contact ch Contact ch ContactEmail user example com ch ContactEmail ch ContactPhoneNumber 1 408 555 1212 ch ContactPhoneNumber ch StreetAddress 270 E Tasman Drive San Jose CA ch StreetAddress ch SystemInfo ch CustomerData ch Device rme Chassis xmlns rme http www example com rme 4 0 rme Model WS C6509 rm...

Page 362: ...er supply inserted in slot 2 00 01 09 SSH 5 ENABLED SSH 1 99 has been enabled 00 03 18 C6KPWR SP 4 PSOK power supply 2 turned on 00 03 18 C6KPWR SP 4 PSREDUNDANTMISMATCH power supplies rated outputs do not match 00 03 18 C6KPWR SP 4 PSREDUNDANTBOTHSUPPLY in power redundancy mode system is operating on both power supplies 00 01 10 CRYPTO 6 ISAKMP_ON_OFF ISAKMP is OFF 00 01 10 CRYPTO 6 ISAKMP_ON_OFF...

Page 363: ...0 05 12 DIAG SP 6 RUN_MINIMUM Module 8 Running Minimal Diagnostics 00 05 13 DIAG SP 6 RUN_MINIMUM Module 1 Running Minimal Diagnostics 00 00 24 SYS DFC1 5 RESTART System restarted Cisco DCOS Software c6slc Software c6slc SPDBG VM Experimental Version 4 0 20080421 012711 Copyright c 1986 2008 by Cisco Systems Inc Compiled Thu 26 Apr 08 16 40 by username1 00 00 25 DFC1 Currently running ROMMON from ...

Page 364: ...f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 24 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Smart Call Home Additional References ...

Page 365: ...e format for communication between SNMP managers and agents SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network This section includes the following topics SNMP Functional Overview page 1 1 SNMP Notifications page 1 2 SNMPv3 page 1 2 SNMP Functional Overview The SNMP framework consists of three parts An SNMP manager The system ...

Page 366: ...ponse protocol data unit PDU If the Cisco Nexus 5000 Series switch never receives a response it can send the inform request again You can configure the Cisco Nexus 5000 Series switch to send notifications to multiple host receivers See the Configuring SNMP Notification Receivers section on page 1 7 for more information about host receivers SNMPv3 SNMPv3 provides secure access to devices by a combi...

Page 367: ...ity Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur non maliciously Message origin authentication Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed Message confidentiality Ensures that information is not made available or disclos...

Page 368: ...ment allows the SNMP agent in Cisco Nexus 5000 Series to leverage the user authentication service of the AAA server Once user authentication is verified the SNMP PDUs are processed further Additionally the AAA server is also used to store user group names SNMP uses the group names to apply the access role policy that is locally available in the switch Any configuration changes made to the user gro...

Page 369: ... SNMP This section includes the following topics Configuring SNMP Users page 1 6 Enforcing SNMP Message Encryption page 1 6 Assigning SNMPv3 Users to Multiple Roles page 1 7 Creating SNMP Communities page 1 7 Configuring SNMP Notification Receivers page 1 7 Configuring the Notification Target User page 1 8 Enabling SNMP Notifications page 1 8 Configuring linkUp linkDown Notifications page 1 10 Dis...

Page 370: ...NMP message encryption for a user in the global configuration mode perform this task To enforce SNMP message encryption for all users in the global configuration mode perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config snmp server user name auth md5 sha passphrase auto priv aes 128 passphrase engineID id localizedkey Configures an S...

Page 371: ...le host receivers To configure a host receiver for SNMPv1 traps in a global configuration mode perform this task To configure a host receiver for SNMPv2c traps or informs in a global configuration mode perform this task Command Purpose switch config snmp server user name group Associates this SNMP user with the configured user role Command Purpose switch config snmp server community name group ro ...

Page 372: ...and decrypting the received INFORM PDU The notification host receiver should have the same user credentials as configured in the Cisco Nexus 5000 Series switch to authenticate and decrypt the informs Use the following command in global configuration mode to configure the notification target user The following example shows how to configure a notification target user switch config snmp server user ...

Page 373: ...ty fru CISCO LICENSE MGR MIB snmp server enable traps license IF MIB snmp server enable traps link CISCO PSM MIB snmp server enable traps port security SNMPv2 MIB snmp server enable traps snmp snmp server enable traps snmp authentication CISCO FCC MIB snmp server enable traps fcc CISCO DM MIB snmp server enable traps fcdomain CISCO NS MIB snmp server enable traps fcns CISCO FCS MIB snmp server ena...

Page 374: ...etting IEFT Cisco Cisco Nexus 5000 Series sends the notifications linkUp linkDown defined in IF MIB and notifications cieLinkUp cieLinkDown defined in CISCO IF EXTENSION MIB my if ifLinkUpDownTrapEnable defined in IF MIB is enabled for that interface Cisco Nexus 5000 Series sends only the varbinds defined in the linkUp and linkDown notifications IEFT extended Cisco Cisco Nexus 5000 Series sends th...

Page 375: ...ations for the interface in interface configuration mode perform this task Enabling One Time Authentication for SNMP over TCP You can enable a one time authentication for SNMP over a TCP session To enable one time authentication for SNMP over TCP in global configuration mode perform this task Command Purpose switch config snmp server enable traps link cisco ietf ietf extended Enables the link SNMP...

Page 376: ...configuration terminal Enters configuration mode Step 2 switch config snmp server contact name Configures sysContact the SNMP contact name Step 3 switch config snmp server location name Configures sysLocation the SNMP location Step 4 switch config callhome show snmp Optional Displays information about one or more destination profiles Step 5 switch config copy running config startup config Optional...

Page 377: ...nd defines two SNMP users Admin and NMS configuration terminal snmp server contact Admin company com snmp server user Admin auth sha abcd1234 priv abcdefgh snmp server user NMS auth sha abcd1234 priv abcdefgh enginID 00 00 00 63 00 01 00 a1 ac 15 10 03 snmp server host 192 0 2 1 informs version 3 auth NMS snmp server host 192 0 2 1 snmp server enable traps link cisco Default Settings Table 1 3 lis...

Page 378: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 14 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring SNMP Default Settings ...

Page 379: ...o NX OS supports RMON alarms events and logs to monitor Cisco Nexus 5000 Series switches An RMON alarm monitors a specific management information base MIB object for a specified interval triggers an alarm at a specified threshold value threshold and resets the alarm at another threshold value You can use alarms with RMON events to generate a log entry or an SNMP notification when the RMON alarm tr...

Page 380: ...ect For example you can set a delta type rising alarm on an error counter MIB object If the error counter delta exceeds this value you can trigger an event that sends an SNMP notification and logs the rising alarm event This rising alarm will not occur again until the delta sample for the error counter drops below the falling threshold Note The falling threshold must be less than the rising thresh...

Page 381: ... falling event parameters to specify the event number value The range is from 0 to 65535 If no value is specified event 0 is the default The rising and falling threshold value for 32 bit RMON alarms Use the rising threshold value command or the falling threshold value command The range is from 2147483647 to 214748364 The rising threshold value for 64 bit RMON alarms Use the rising threshold high v...

Page 382: ...tch config rmon alarm index mib object sample interval absolute delta rising threshold value event index falling threshold value event index owner name Creates a 32 bit RMON alarm The value range is from 2147483647 to 2147483647 The owner name can be any alphanumeric string switch config rmon hcalarm index mib object sample interval absolute delta rising threshold high value rising threshold low v...

Page 383: ...eshold 0 owner test rmon event 1 trap Related Topics See the following related topics Configuring SNMP page 1 5 Default Settings Table 1 1 lists the default settings for RMON parameters Step 3 switch config show rmon alarms hcalarms Optional Displays information about RMON alarms or high capacity alarms Step 4 switch config copy running config startup config Optional Saves this configuration chang...

Page 384: ...Se n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring RMON Default Settings ...

Page 385: ...page 1 8 Information About FCoE In Cisco Nexus 5000 Series switches FCoE is supported on all 10 Gigabit Ethernet interfaces To use FCoE the switch must be directly connected to the server and the server port must terminate the Ethernet with a converged network adapter This section includes the following topics Licensing Requirements page 1 1 Converged Network Adapters page 1 2 DCBX Capabilities pa...

Page 386: ...es supported by Cisco Nexus 5000 Series switches are described in the following topics FCoE page 1 2 Priority Flow Control page 1 2 Logical Link Up Down page 1 3 FCoE By default each Ethernet interface attempts to enable FCoE capability by advertising the capability to the adapter If the FCoE negotiation fails you can configure the switch to disable FCoE or to force enable FCoE for this interface ...

Page 387: ...switch and the converged network adapter on the server By default DCBX is enabled on Ethernet interfaces When an Ethernet interface is brought up the switch automatically starts to communicate with the adapter During normal operation of FCoE between the switch and the adapter the DCBX protocol provides link error detection DCBX is also used to negotiate capabilities between the switch and the adap...

Page 388: ...o be enabled or disabled For additional information see the Configuring FCoE section on page 1 4 Ethernet Frame Formats Ethernet frames sent by the switch to the adapter may include the IEEE 802 1Q tag This tag includes a field for the CoS value used by PFC The IEEE 802 1Q tag also includes a VLAN field currently not used by the Cisco Nexus 5000 Series switch The switch will always accept tagged o...

Page 389: ...al switch config interface ethernet 1 4 switch config if fcoe mode on To disable the FCoE capability perform this task This example shows how to disable FCoE for an Ethernet interface switch configure terminal switch config interface ethernet 1 4 switch config if no fcoe mode auto Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config feature fcoe Enables t...

Page 390: ... Level Flow Control By default link level flow control capability on Ethernet interfaces is disabled Only enable the link level flow control capability if PFC is disabled on the interface To configure link level flow control see the Configuring IEEE 802 3x Link Level Flow Control section on page 1 8 Configuring LLDP This section shows how to configure LLDP both globally and on individual interface...

Page 391: ...to set an interface to transmit LLDP packets Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config lldp holdtime seconds reinit seconds timer seconds Configures LLDP options Use the holdtime option to set the length of time 10 to 255 seconds default 120 seconds that a device should save LLDP information received before discarding it Use the reinit option t...

Page 392: ... one of these tasks The following example shows how to verify that the FCoE capability is enabled switch show fcoe FCoE FC feature is desired The following example shows how to display LLDP interface information switch show lldp interface ethernet 1 2 tx_enabled TRUE rx_enabled TRUE dcbx_enabled TRUE Port MAC address 00 0d ec a3 5f 48 Remote Peers Information No remote peers exist The following ex...

Page 393: ...the switch and the servers For additional information about FCoE see Chapter 1 Configuring FCoE The Fibre Channel portion of FCoE is configured as a virtual Fibre Channel interface Logical Fibre Channel features such as interface mode can be configured on virtual Fibre Channel interfaces Note Virtual interfaces are created with the administrative state set to down You need to explicitly configure ...

Page 394: ...e trunk port The Ethernet interface must be configured as portfast use the spanning tree port type edge trunk command Following the above configuration guidelines will ensure a smooth upgrade to a T11 Fibre Channel Initialization Protocol FIP based FCoE release in the future To create a virtual Fibre Channel interface perform this task Mapping VSANs to VLANs To create a mapping between a VSAN and ...

Page 395: ...Deleting a Virtual Fibre Channel Interface To delete a virtual Fibre Channel interface perform this task The following example shows how to delete a virtual Fibre Channel interface switch configure terminal switch config no interface vfc 4 switch config if exit Step 3 switch config vlan fcoe vsan vsan id Enables FCoE for the specified VLAN By default a mapping is created from this VLAN to the VSAN...

Page 396: ...es sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 0 frames input 0 bytes 0 discards 0 errors 0 frames output 0 bytes 0 discards 0 errors The following example shows the status of all the interfaces on the switch some output has been removed for brevity switch show interface brief Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbp...

Page 397: ...o m 1 5 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Virtual Interfaces Verifying Virtual Interface Information Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps vfc 1 1 F down ...

Page 398: ...a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 6 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Virtual Interfaces Verifying Virtual Interface Information ...

Page 399: ...n About QoS The Cisco Nexus 5000 Series switch provides QoS capabilities such as traffic prioritization and egress bandwidth allocation The default QoS configuration on the switch provides lossless service for Fibre Channel and Fibre Channel Over Ethernet FCoE traffic and best effort service for Ethernet traffic QoS can be configured to provide additional classes of service for Ethernet traffic Ci...

Page 400: ...target and specifies whether to apply the policy on incoming or outgoing packets This enables the configuration of interface specific QoS policies such as policing and bandwidth allocation System Classes The system class is a new type of MQC target A service policy can associate a policy map with a system class which enables application of a QoS policy across the whole switch Parameters in system ...

Page 401: ...and multicast Ethernet traffic is classified into the default drop system class This class is created automatically when the system starts up the class is named class default in the CLI You cannot delete this class and you cannot change the CoS value associated with the default class There are two reserved system classes for internal system use Link Level Flow Control The IEEE 802 3x link level fl...

Page 402: ...s 2112 bytes across the switch As a result the rxbufsize for Fibre Channel interfaces is fixed at 2112 bytes If the Cisco Nexus 5000 Series switch receives an rxbufsize from a peer different than 2112 bytes it will fail ELP negotiation and not bring the link up The system jumbomtu command defines the upper bound of any MTU in the system System jumbo MTU has a default value of 9216 bytes The minimu...

Page 403: ...ue FCoE traffic traffic that maps to the FCoE system class is assigned a queue This queue uses WRR scheduling with 50 percent of the bandwidth Standard Ethernet traffic in the default drop system class is assigned a queue This queue uses WRR scheduling with 50 percent of the bandwidth If you add a system class a queue is assigned to the class You must reconfigure the bandwidth allocation on all af...

Page 404: ...es all available multicast queues for this traffic class ip multicast The class ip multicast class map matches all IP multicast traffic Policy options configured in this class map apply to traffic across all Ethernet CoS values For example if you enable optimized multicast for this class the IP multicast traffic for all CoS values is optimized If you configure this class as a no drop class the pri...

Page 405: ...affic is mapped to the default drop system class The CoS value 0 is reserved for the default drop system class This value cannot be mapped to any other class When configuring Ethernet port channels note the following guidelines Service policies configured on port channel interfaces are applied to all members of the port channel Service policies configured on individual member interfaces are ignore...

Page 406: ...priority flow control mode on To disable PFC capability for an interface perform this task Configuring IEEE 802 3x Link Level Flow Control By default link level flow control capability on Ethernet interfaces is disabled You can enable link level flow control capability for the transmit and receive directions To enable link level flow control capability perform this task Command Purpose Step 1 swit...

Page 407: ...Policy page 1 11 System Class Example page 1 12 Enabling Jumbo MTU page 1 12 Verifying Jumbo MTU page 1 12 Configuring Class Maps The class map command creates a named object that represents a class of traffic In the class map you specify a set of match criteria for classifying the packets For system classes the only match criteria supported is match cos If a system class is configured with no dro...

Page 408: ...configuration mode Step 2 switch config class map name Creates a named object that represents a class of traffic Class map names can contain alphabetic hyphen or underscore characters are case sensitive and can be up to 40 characters Step 3 switch config cmap match cos cos value Specifies the CoS value to match for classifying packets into this class You can configure a CoS value in the range of 1...

Page 409: ...no drop Creating the System Service Policy The service policy command is used to associate the system class policy map as the service policy for the system The following example sets a no drop Ethernet policy map as the system class switch config class map ethCoS4 switch config cmap match cos 4 Step 5 switch config pmap c mtu value Optional Specifies the MTU value in bytes Step 6 switch config pma...

Page 410: ...tem with 802 1p CoS value of 5 will be classified into this new system class The second class map command changes the match value of the default no drop system class The policy map command defines a QoS policy for each traffic class The new Ethernet class is configured as a no drop class with an MTU of 2000 bytes The pause no drop command causes PFC to apply pause functionality for packets with IE...

Page 411: ...ters detailed Rx Packets 1547805598 Rx Unicast Packets 1547805596 Rx Jumbo Packets 1301767362 Rx Bytes 7181776513802 Rx Storm Suppression 33690 Rx Packets from 0 to 64 bytes 169219 Rx Packets from 65 to 127 bytes 10657133 Rx Packets from 128 to 255 bytes 21644488 Rx Packets from 256 to 511 bytes 43290596 Rx Packets from 512 to 1023 bytes 86583071 Rx Packets from 1024 to 1518 bytes 83693729 Rx Trun...

Page 412: ...Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config interface ethernet slot port port channel channel number Enters configuration mode for the specified interface or port channel Step 3 switch config if untagged cos cos value Configures the untagged CoS value Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config ...

Page 413: ...h config pmap class best effort drop class switch config pmap c bandwidth percent 20 switch config int eth1 1 switch config if service policy output policy1 egress Command Purpose Step 1 switch configure terminal Enters configuration mode Step 2 switch config class map class name Defines a class name for the egress policy Step 3 switch config policy map policy1 name Creates a policy map to specify...

Page 414: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 16 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring QoS Configuring QoS on Interfaces ...

Page 415: ...rmation About Fibre Channel Interfaces This section describes Fibre Channel interfaces and virtual Fibre Channel interfaces This section includes the following topics Licensing Requirements page 1 1 Physical Fibre Channel Interfaces page 1 2 Virtual Fibre Channel Interfaces page 1 2 Interface Modes page 1 2 Interface States page 1 5 Buffer to Buffer Credits page 1 7 Licensing Requirements On Cisco...

Page 416: ...e Channel and virtual Fibre Channel interfaces are configured using the same CLI commands Virtual Fibre Channel interfaces support only F mode and offer a subset of the features that are supported on native Fibre Channel interfaces The following capabilities are not supported for virtual Fibre Channel interfaces SAN port channels VSAN trunking The virtual Fibre Channel is associated with one VSAN ...

Page 417: ...he interface speed This status cannot be changed and is read only Some values may not be valid when the interface is down for example the operational speed The following sections provide a brief description of each interface mode E Port page 1 3 F Port page 1 4 NP Port page 1 4 TE Port page 1 4 SD Port page 1 4 Auto Mode page 1 4 E Port In expansion port E port mode an interface functions as a fab...

Page 418: ...ISL frame format which contains VSAN information Interconnected switches use the VSAN ID to multiplex traffic from one or more VSANs across the same physical link This feature is referred to as VSAN trunking in the Cisco Nexus 5000 Series see Chapter 1 Configuring VSAN Trunking TE ports support class 3 and class F service SD Port In SPAN destination port SD port mode an interface functions as a sw...

Page 419: ...s Reason Codes Reason codes are dependent on the operational state of the interface Table 1 3 describes the reason codes for operational states Table 1 1 Administrative States Administrative State Description Up Interface is enabled Down Interface is disabled If you administratively disable an interface by shutting down that interface the physical link layer state change is ignored Table 1 2 Opera...

Page 420: ...cal layer link is operational and the protocol initialization is in progress All Reconfigure fabric in progress The fabric is currently being reconfigured Offline The switch software waits for the specified R_A_TOV time before retrying initialization Inactive The interface VSAN is deleted or is in a suspended state To make the interface operational assign that port to a configured and active VSAN ...

Page 421: ... to invalid fabric reconfiguration The port is isolated due to fabric reconfiguration Isolation due to domain manager disabled The fcdomain feature is disabled Isolation due to zone merge failure The zone merge operation failed Isolation due to VSAN mismatch The VSANs at both ends of an ISL are different port channel administratively down The interfaces belonging to the SAN port channel are down O...

Page 422: ...l interfaces and includes the following topics Configuring a Fibre Channel Interface page 1 8 Setting the Interface Administrative State page 1 9 Configuring Interface Modes page 1 9 Configuring the Interface Description page 1 10 Configuring Port Speeds page 1 10 Configuring SD Port Frame Encapsulation page 1 11 Configuring Receive Data Field Size page 1 11 Understanding Bit Error Thresholds page...

Page 423: ...se Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port vfc vfc id Selects a Fibre Channel interface and enters interface configuration mode Step 3 switch config if shutdown Gracefully shuts down the interface and administratively disables traffic flow default Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2...

Page 424: ...witch config if switchport mode F For a virtual Fibre Channel only the F port mode is supported switch config if switchport mode E F SD auto For a Fibre Channel interface you can set the mode to E F or SD port mode Set the mode to auto to auto negotiate an E F TE port mode not SD port mode of operation Note SD ports cannot be configured automatically They must be administratively configured Comman...

Page 425: ...how interface SD_port_interface command output Configuring Receive Data Field Size You can configure the receive data field size for native Fibre Channel interfaces but not for virtual Fibre Channel interfaces If the default data field size is 2112 bytes the frame length will be 2148 bytes To configure the receive data field size perform this task Understanding Bit Error Thresholds The bit error r...

Page 426: ...the interface You can configure the switch to not disable an interface when the threshold is crossed To disable the bit error threshold for an interface perform this task Note The switch generates a syslog message when bit error threshold events are detected even if the interface is configured not to be disabled by bit error threshold events Configuring Buffer to Buffer Credits To configure BB_cre...

Page 427: ...tch port attributes perform this task Step 3 switch config if switchport fcrxbbcredit default Applies the default operational value to the selected interface The operational value depends on the port mode The default values are assigned based on the port capabilities switch config if switchport fcrxbbcredit 5 Assigns a BB_credit of 5 to the selected interface The range to assign BB_credits is betw...

Page 428: ... N port identifiers Note All of the N port identifiers are allocated in the same VSAN Step 2 switch config no system default switchport shutdown san Configures the default setting for administrative state of an interface as Up The factory default setting is Down Tip This command is applicable only to interfaces for which no user configuration exists for the administrative state switch config syste...

Page 429: ...D then the show interface and show interface brief commands display the ID instead of the transmitter type The show interface transceiver command and the show interface fc slot port transceiver command display both values for Cisco supported SFPs Verifying Interface Information The show interface command displays interface configurations If no arguments are provided this command displays the infor...

Page 430: ...to display interface counters switch show interface counters The following example shows how to display transceiver information for a specific interface switch show interface fc3 1 transceiver Note The show interface transceiver command is only valid if the SFP is present The show running configuration command displays the entire running configuration with information for all interfaces The interf...

Page 431: ...ng Transmit B2B Credit is 255 Receive B2B Credit is 12 Receive B2B Credit performance buffers is 375 12 receive B2B credit remaining 255 transmit B2B credit remaining Default Settings Table 1 5 lists the default settings for native Fibre Channel interface parameters Table 1 5 lists the default settings for virtual Fibre Channel interface parameters Table 1 5 Default native Fibre Channel Interface ...

Page 432: ... OL 16597 01 Chapter 1 Configuring Fibre Channel Interfaces Default Settings Administrative state Shutdown unless changed during initial setup Trunk mode n a Trunk allowed VSANs n a Interface VSAN Default VSAN 1 EISL encapsulation n a Data field size n a Table 1 6 Default Virtual Fibre Channel Interface Parameters continued Parameters Default ...

Page 433: ... time you reboot the switch the saved configuration is used If you do not save the configuration the previously saved startup configuration is used This chapter includes the following sections Information About Fibre Channel Domains page 1 1 Domain IDs page 1 7 FC IDs page 1 14 Verifying fcdomain Information page 1 19 Default Settings page 1 20 Information About Fibre Channel Domains This section ...

Page 434: ...1 4 Configuring Switch Priority page 1 5 About fcdomain Initiation page 1 5 Disabling or Reenabling fcdomains page 1 5 Configuring Fabric Names page 1 5 About Incoming RCFs page 1 5 Rejecting Incoming RCFs page 1 6 Local WWN 20 02 ab ba cd dc f4 00 Configured domain ID 0 zero preferred Runtime domain ID 7 Configured priority 128 Runtime priority 128 Runtime fabric name 20 01 ab ba cd cd dc f4 Loca...

Page 435: ...static one and the actual domain ID remains the same Note A static domain is specifically configured by the user and may be different from the runtime domain If the domain IDs are different the runtime domain ID changes to take on the static domain ID after the next restart either disruptive or nondisruptive Tip If a VSAN is in interop mode you cannot disruptively restart the fcdomain for that VSA...

Page 436: ...ast restart feature can be used in any interoperability mode Enabling Domain Manager Fast Restart To enable the domain manager fast restart feature perform this task About Switch Priority By default the configured priority is 128 The valid range to set the priority is between 1 and 254 Priority 1 has the highest priority Value 255 is accepted from other switches but cannot be locally configured An...

Page 437: ... rcf reject option is disabled that is RCF request frames are not automatically rejected Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config fcdomain priority number VSAN vsan id Configures the specified priority for the local switch in the specified VSAN switch config no fcdomain priority number VSAN vsan id Reverts the priority to the...

Page 438: ...either or both switches the links between the two switches become isolated The autoreconfigure option takes immediate effect at runtime You do not need to restart the fcdomain If a domain is currently isolated due to domain overlap and you later enable the autoreconfigure option on both switches the fabric continues to be isolated If you enabled the autoreconfigure option on both switches before c...

Page 439: ...e 1 11 Enabling Distribution page 1 11 Locking the Fabric page 1 11 Committing Changes page 1 12 Discarding Changes page 1 12 Clearing a Fabric Lock page 1 12 Displaying CFS Distribution Status page 1 12 Displaying Pending Changes page 1 13 Displaying Session Status page 1 13 About Contiguous Domain ID Assignments page 1 13 Enabling Contiguous Domain ID Assignments page 1 14 About Domain IDs The c...

Page 440: ...D The domain ID that the principal switch has assigned to the requesting switch Local WWN 20 02 ab ba cd dc f4 00 Configured domain ID 7 preferred Runtime domain ID 7 Configured priority 128 Runtime priority 128 Runtime fabric name 20 01 ab ba cd cd dc f4 Local WWN 20 01 ab ba cd dc f4 00 Configured domain ID 0 zero preferred Runtime domain ID 3 Configured priority 128 Runtime priority 2 Runtime f...

Page 441: ...onfigured in the VSAN Alternatively you can also configure zero preferred domain ID Caution You must enter the fcdomain restart command if you want to apply the configured domain changes to the runtime domain Note If you have configured an allow domain ID list the domain IDs that you add must be in that range for the VSAN See the About Allowed Domain ID Lists section on page 1 10 Specifying Static...

Page 442: ...tch the local runtime domain ID must be in the allowed list The locally configured domain ID of the switch must be in the allowed list The intersection of the assigned domain IDs with other already configured domain ID lists must not be empty Configuring Allowed Domain ID Lists To configure the allowed domain ID list perform this task Step 2 switch config fcdomain domain domain id preferred vsan v...

Page 443: ...sabled by default You must enable distribution on all switches to which you want to distribute the allowed domain ID lists To enable or disable allowed domain ID list configuration distribution perform this task Locking the Fabric The first action that modifies the existing configuration creates the pending configuration and locks the feature in the fabric After you lock the fabric the following c...

Page 444: ...f you have performed a domain configuration task and have not released the lock by either committing or discarding the changes an administrator can release the lock from any switch in the fabric If the administrator performs this task your pending changes are discarded and the fabric lock is released Tip The pending changes are only available in the volatile directory and are discarded if the swit...

Page 445: ...239 Pending Configured Allowed Domains VSAN 10 Assigned or unallowed domain IDs 1 9 24 100 231 239 User configured allowed domain IDs 10 230 Displaying Session Status You can display the status of the distribution session using the show fcdomain session status vsan command switch show fcdomain session status vsan 1 Last Action Distribution Enable Result Success About Contiguous Domain ID Assignmen...

Page 446: ...WN to FC ID binding If this cache is full a new more recent entry overwrites the oldest entry in the cache In this case the corresponding WWN to FC ID association for the oldest entry is lost N ports receive the same FC IDs if disconnected and reconnected to any port within the same switch as long as it belongs to the same VSAN This section describes configuring FC IDs and includes the following t...

Page 447: ...enable the persistent FC ID feature perform this task Persistent FC ID Configuration Guidelines When the persistent FC ID feature is enabled you can enter the persistent FC ID submode and add static or dynamic entries in the FC ID database By default all added entries are static Persistent FC IDs are configured on a per VSAN basis When manually configuring a persistent FC ID follow these requireme...

Page 448: ...r an HBA The following task uses an example configuration with a switch domain of 111 6f hex The server connects to the switch over FCoE The HBA port connects to interface vfc20 1 and the storage port connects to interface fc2 3 on the same switch Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config fcdomain fcid database switch config f...

Page 449: ...000 Series switch switch configuration terminal switch config interface vfc20 1 switch config if shutdown switch config if end switch Step 3 Verify that the FC ID feature is enabled using the show fcdomain vsan command switch show fcdomain vsan 1 Local switch configuration information State Enabled FCID persistence Disabled If this feature is disabled continue with this procedure to enable the per...

Page 450: ...e 80 03 29 61 0f 50 06 0e 80 03 29 61 0f Note Both FC IDs now have different area assignments About Persistent FC ID Selective Purging Persistent FC IDs can be purged selectively Static entries and FC IDs currently in use cannot be deleted Table 1 1 identifies the FC ID entries that are deleted or retained when persistent FC IDs are purged Purging Persistent FC IDs To purge persistent FC IDs perfo...

Page 451: ...30 00 47 df as the WWN for a virtual switch switch show fcdomain domain list vsan 76 Number of domains 3 Domain ID WWN 0xc8 200 20 01 00 05 30 00 47 df Principal 0x63 99 20 01 00 0d ec 08 60 c1 Local 0x61 97 50 00 53 0f ff f0 10 06 Virtual IVR Use the show fcdomain allowed vsan command to display the list of allowed domain IDs configured on this switch switch show fcdomain allowed vsan 1 Assigned ...

Page 452: ... disk or host that exited and reentered the fabric In the cache content VSAN refers to the VSAN that contains the device WWN refers to the device that owned the FC IDs and mask refers to a single or entire area of FC IDs switch show fcdomain address allocation cache Default Settings Table 1 2 lists the default settings for all fcdomain parameters Table 1 2 Default fcdomain Parameters Parameters De...

Page 453: ...FLOGI Operation page 1 3 NPV Traffic Management page 1 4 NPV Traffic Management Guidelines page 1 5 NPV Overview By default Cisco Nexus 5000 Series switches operate in fabric mode In this mode the switch provides standard Fibre Channel switching capability and features In fabric mode each switch that joins a SAN is assigned a domain ID Each SAN or VSAN supports a maximum of 239 domain IDs so the S...

Page 454: ...server registration are not required on the edge switch because these functions are provided in the core switch To display the fabric login and name server registration databases you must enter the show flogi database and show fcns database commands on the core switch Server Interfaces Server interfaces are F ports on the edge switch that connect to the servers A server interface may support multi...

Page 455: ...en an NP port becomes operational the switch first logs itself in to the core switch by sending a FLOGI request using the port WWN of the NP port After completing the FLOGI request the switch registers itself with the fabric name server on the core switch using the symbolic port name of the NP port and the IP address of the edge switch Table 1 1 identifies port and node names in the edge switch us...

Page 456: ...N2 1 and later software releases NPV supports traffic maps A traffic map allows you to specify the NP uplinks that a server interface can use to connect to the core switches Note When an NPV traffic map is configured for a server interface the server interface must select only from the NP uplinks in its traffic map If none of the specified NP uplinks are operational the server remains in a non ope...

Page 457: ... link a set of servers to a specific core switch associate the server interfaces with a set of NP uplink interfaces that all connect to that core switch Configure Persistent FC IDs on the core switch and use the Traffic Map feature to direct server interface traffic onto NP uplinks that all connect to the associated core switch Guidelines and Limitations When configuring NPV note the following gui...

Page 458: ... all traffic is switched in the core switch NPV supports NPIV capable servers This capability is called nested NPIV Connecting two Cisco NPV switches together is not supported Only F NP and SD ports are supported in NPV mode Configuring NPV Configuring NPV mode is described in the following topics Enabling NPV page 1 6 Configuring NPV Interfaces page 1 7 Configuring NPV Traffic Management page 1 7...

Page 459: ... NPV traffic map associates one or more NP uplink interfaces with a server interface The switch associates the server interface with one of these NP uplinks Note If a server interface is already mapped to an NP uplink you should include this mapping in the traffic map configuration Command Purpose Step 1 switch configure terminal switch config Enters configuration mode Step 2 switch config interfa...

Page 460: ... display information about NPV perform the following task Command Purpose Step 1 switch config t switch config Enters configuration mode on the NPV Step 2 switch config npv traffic map server interface fc slot port vfc vfc id external interface fc slot port switch config Configures a mapping between a server interface or range of server interfaces and an NP uplink interface or range of NP uplink i...

Page 461: ...he status of the server interfaces and the NP uplink interfaces enter the show npv status command switch show npv status npiv is enabled External Interfaces Interface fc2 1 VSAN 1 FCID 0x1c0000 State Up Interface fc2 2 VSAN 1 FCID 0x040000 State Up Interface fc2 3 VSAN 1 FCID 0x260000 State Up Interface fc2 4 VSAN 1 FCID 0x1a0000 State Up Number of External Interfaces 4 Server Interfaces Interface...

Page 462: ...on Verifying NPV Server If External If s fc1 3 fc1 10 fc1 11 fc1 5 fc1 1 fc1 2 To display the NPV internal traffic details enter the show npv internal info traffic map command To display the disruptive load balancing status enter the show npv status command switch show npv status npiv is enabled disruptive load balancing is enabled External Interfaces Interface fc2 1 VSAN 2 FCID 0x1c0000 State Up ...

Page 463: ...nking is supported on native Fibre Channel interfaces but not on virtual Fibre Channel interfaces Figure 1 1 VSAN Trunking The VSAN trunking feature includes the following restrictions Trunking configurations are only applicable to E ports If trunk mode is enabled in an E port and that port becomes operational as a trunking E port it is referred to as a TE port The trunk allowed VSANs configured f...

Page 464: ...e name server and the zone applications The Cisco MDS 9000 Fabric Manager helps detect such topologies VSAN Trunking Protocol The trunking protocol is important for E port and TE port operations It supports the following capabilities Dynamic negotiation of operational trunk mode Selection of a common set of trunk allowed VSANs Detection of a VSAN mismatch across an ISL By default the VSAN trunking...

Page 465: ... inconsistent configurations disable all E ports with a shutdown command before enabling or disabling the VSAN trunking protocol Enabling or Disabling the VSAN Trunking Protocol To enable or disable the VSAN trunking protocol perform this task About Trunk Mode By default trunk mode is enabled in all Fibre Channel interfaces However trunk mode configuration takes effect only in E port mode You can ...

Page 466: ... protocol uses the list of allowed active VSANs at the two ends of an ISL to determine the list of operational VSANs in which traffic is allowed In Figure 1 4 switch 1 has VSANs 1 through 5 switch 2 has VSANs 1 through 3 and switch 3 has VSANs 1 2 4 and 5 with a default configuration of trunk allowed VSANs All VSANs configured in all three switches are allowed active However only the common set of...

Page 467: ...n a per interface basis see Figure 1 5 For example if VSANs 2 and 4 are removed from the allowed VSAN list of ISLs connecting to switch 1 the operational allowed list of VSANs for each ISL would be as follows The ISL between switch 1 and switch 2 includes VSAN 1 and VSAN 3 The ISL between switch 2 and switch 3 includes VSAN 1 and VSAN 2 The ISL between switch 3 and switch 1 includes VSAN 1 2 and 5...

Page 468: ...ist VSANs 1 and 3 are operational VSANs 1 2 5 are operational VSANs 1 2 5 are on the allowed list VSANs 1 and 2 are operational VSANs 1 and 2 are on the allowed list Switch 3 VSAN1 VSAN2 VSAN4 VSAN5 Switch 1 VSAN1 VSAN2 VSAN3 VSAN4 VSAN5 Switch 2 VSAN1 VSAN2 VSAN3 79946 Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port switch...

Page 469: ... example shows how to display the trunk protocol of a Fibre Channel interface switch show trunk protocol Trunk protocol is enabled The following example shows how to display the VSAN information for all trunk interfaces switch show interface trunk vsan 1 1000 fc3 1 is not trunking fc3 11 is trunking Belongs to san port channel 6 Vsan 1 is up FCID is 0xef0000 Vsan 2 is up FCID is 0xef0000 san port ...

Page 470: ...n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring VSAN Trunking Default Settings ...

Page 471: ... Settings page 1 17 Information About SAN Port Channels A SAN port channel has the following functionality Provides a point to point connection over ISL E ports or EISL TE ports Multiple links can be combined into a SAN port channel Increases the aggregate bandwidth on an ISL by distributing traffic among all functional links in the channel Load balances across multiple links and maintains optimum...

Page 472: ...ransmitting frames in the EISL format to carry traffic for multiple VSAN When trunking is operational on an E port that E port becomes a TE port EISLs connects only between Cisco switches as shown on the right side of Figure 1 1 See Chapter 1 Configuring VSAN Trunking for information on trunk interfaces Figure 1 1 VSAN Trunking Only You can create a SAN port channel with members that are E ports a...

Page 473: ...change is assigned to a link and then subsequent frames in the exchange follow the same link However subsequent exchanges can use a different link This method provides finer granularity for load balancing while preserving the order of frames for each exchange Figure 1 3 illustrates how flow based load balancing works When the first frame in a flow is received on an interface for forwarding link 1 ...

Page 474: ...t frame in an exchange is received for forwarding on an interface link 1 is chosen by a hash algorithm All remaining frames in that particular exchange are sent on the same link For exchange 1 no frame uses link 2 For the next exchange link 2 is chosen by the hash algorithm Now all frames in exchange 2 use link 2 Figure 1 4 SID1 DID1 and Exchange Based Load Balancing Frame 1 Frame 2 Frame 3 Frame ...

Page 475: ... configuration just as any other physical interface Figure 1 5 provides examples of valid SAN port channel configurations Figure 1 5 Valid SAN Port Channel Configurations Figure 1 6 shows examples of invalid configurations Assuming that the links are brought up in the 1 2 3 4 sequence links 3 and 4 will be operationally down as the fabric is misconfigured 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 Switch A S...

Page 476: ...re configuring a SAN port channel consider the following guidelines Configure the SAN port channel using Fibre Channel ports from both expansion modules to provide increased availability if one of the expansion modules failed Ensure that one SAN port channel is not connected to different sets of switches SAN port channels require point to point connections between the same set of switches If you m...

Page 477: ...e parameter to determine the port channel protocol behavior for all member ports in this channel group The possible values for a channel group mode are as follows On default The member ports only operate as part of a SAN port channel or remain inactive In this mode the port channel protocol is not initiated However if a port channel protocol frame is received from a peer port the software indicate...

Page 478: ...erfaces to the isolated state if its operational values are incompatible with the SAN port channel When you add or modify a port channel member port configuration you must explicitly disable shut and enable no shut the port channel member ports at either end When you add or modify a port channel interface the SAN port channel automatically recovers Port initialization is not synchronized There is ...

Page 479: ...n on the switch at the other end of the san port channel Interfaces in a SAN Port Channel You can add or remove a physical Fibre Channel interface or a range of interfaces to an existing SAN port channel The compatible parameters on the configuration are mapped to the SAN port channel Adding an interface to a SAN port channel increases the channel size and bandwidth of the SAN port channel Removin...

Page 480: ...trative compatibility parameters speed mode port VSAN allowed VSAN and port security Operational parameters speed and remote switch s WWN A port addition procedure fails if the capability and administrative parameters in the remote switch are incompatible with the capability and administrative parameters in the local switch If the compatibility check is successful the interfaces are operational an...

Page 481: ...ee the Setting the Interface Administrative State section on page 1 9 To force the addition of a port to a SAN port channel perform this task The following example adds an interface to a SAN port channel switch config interface fc2 3 switch config if channel group 15 force fc2 3 added to san port channel 15 and disabled please do the same operation on the switch at the other end of the san port ch...

Page 482: ...ement with incompatible ISLs An additional autocreation mode enables ISLs with compatible parameters to automatically form channel groups without manual intervention The port channel protocol is enabled by default The port channel protocol expands the port channel functional model in Cisco SAN switches It uses the exchange peer parameters EPP services to communicate across peer ports in an ISL Eac...

Page 483: ... example of channel group autocreation The first ISL comes up as an individual link In the example shown in Figure 1 7 this is link A1 B1 When the next link comes up A2 B2 in the example the port channel protocol determines if this link is compatible with link A1 B1 and automatically creates channel groups 10 and 20 in the respective switches Link A3 B3 can join the channel groups and the port cha...

Page 484: ...Channel Group Autocreated Channel Group Manually configured by the user Created automatically when compatible links come up between two compatible switches if channel group autocreation is enabled in all ports at both ends Member ports cannot participate in autocreation of channel groups The autocreation feature cannot be configured None of these ports are members of a user configured channel grou...

Page 485: ...autocreation configuration If all ports between two switches are configured with the autocreation feature at the same time a possible traffic disruption may occur between these two switches as ports are automatically disabled and reenabled when they are added to an autocreated SAN port channel Enabling and Configuring Autocreation To configure automatic channel groups perform this task The followi...

Page 486: ...P which is the primary operational interface selected in the SAN port channel to carry control plane traffic no load balancing The FOP is the first port that comes up in a SAN port channel and can change if the port goes down The FOP is also identified by an asterisk To display VSAN configuration information perform one of the following tasks The following example shows how to display a summary of...

Page 487: ...g example shows how to display an autocreated port channel switch show interface fc2 1 fc2 1 is trunking Hardware is Fibre Channel FCOT is short wave laser Port WWN is 20 0a 00 0b 5f 3b fe 80 Receive data field Size is 2112 Beacon is turned off Port channel auto creation is enabled Belongs to port channel 123 Default Settings Table 1 3 lists the default settings for SAN port channels Table 1 3 Def...

Page 488: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 18 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring SAN Port Channels Default Settings ...

Page 489: ... Information About VSANs A VSAN is a virtual storage area network SAN A SAN is a dedicated network that interconnects hosts and storage devices primarily to exchange SCSI traffic In SANs you use the physical links to make these interconnections A set of protocols run over the SAN to handle routing naming and zoning You can design multiple SANs with different topologies This section describes VSANs...

Page 490: ...es is independent of their segmentation into logical VSANs No communication between VSANs is possible Within each VSAN all members can talk to one another Figure 1 1 Logical VSAN Segmentation Figure 1 2 shows a physical Fibre Channel switching infrastructure with two defined VSANs VSAN 2 dashed and VSAN 7 solid VSAN 2 includes hosts H1 and H2 application servers AS2 and AS3 and storage arrays SA1 ...

Page 491: ...abling VSANs the same switches and links may be shared by multiple VSANs VSANs allow SANs to be built on port granularity instead of switch granularity Figure 1 2 illustrates that a VSAN is a group of hosts or storage devices that communicate with each other using a virtual topology defined on the physical SAN The criteria for creating such groups differ based on the VSAN topology VSANs can separa...

Page 492: ...us Zones Zones are always contained within a VSAN You can define multiple zones in a VSAN Because two VSANs are equivalent to two unconnected SANs zone A on VSAN 1 is different and separate from zone A in VSAN 2 Table 1 1 lists the differences between VSANs and zones Figure 1 3 shows the possible relationships between VSANs and zones In VSAN 2 three zones are defined zone A zone B and zone C Zone ...

Page 493: ...igured in this VSAN it is disabled Use this state to deactivate a VSAN without losing the VSAN s configuration All ports in a suspended VSAN are disabled By suspending a VSAN you can preconfigure all the VSAN parameters for the whole fabric and activate the VSAN immediately VSAN name This text string identifies the VSAN for management purposes The name can be from 1 to 32 characters long and it mu...

Page 494: ...one port is up This state indicates that traffic can pass through this VSAN This state cannot be configured Creating VSANs Statically You cannot configure any application specific parameters for a VSAN before creating the VSAN To create VSANs perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config vsan database switch config vsan db Con...

Page 495: ...AN static membership information use the show vsan membership command The following example displays membership information for the specified VSAN switch show vsan 1 membership vsan 1 interfaces fc2 1 fc2 2 fc2 3 fc2 4 san port channel 3 vfc1 1 Note Interface information is not displayed if interfaces are not configured on this VSAN The following example displays membership information for all VSA...

Page 496: ...ult VSAN By default all ports are assigned to the default VSAN Note VSAN 1 cannot be deleted but it can be suspended Note Up to 256 VSANs can be configured in a switch Of these one is a default VSAN VSAN 1 and another is an isolated VSAN VSAN 4094 User specified VSAN IDs range from 2 to 4093 About the Isolated VSAN VSAN 4094 is an isolated VSAN When a VSAN is deleted all nontrunking ports are tran...

Page 497: ...VSAN is deleted all the ports in that VSAN are made inactive and the ports are moved to the isolated VSAN If the same VSAN is recreated the ports do not automatically get assigned to that VSAN You must explicitly reconfigure the port VSAN membership see Figure 1 4 Figure 1 4 VSAN Port Membership Details VSAN based runtime name server zoning and configuration static routes information is removed wh...

Page 498: ...se and switch Step 5 switch config vsan db end switch Places you in EXEC mode Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config vsan database switch config vsan db Enters VSAN database configuration submode Step 3 switch config vsan db vsan vsan id Specifies an existing VSAN Step 4 switch config vsan db vsan vsan id loadbalancing src dst id Enables...

Page 499: ...on page 1 9 Displaying Static VSAN Configuration The following example shows how to display information about a specific VSAN switch show vsan 100 The following example shows how to display VSAN usage switch show vsan usage 4 vsan configured configured vsans 1 4 vsans available for configuration 5 4093 The following example shows how to display all VSANs switch show vsan Default Settings Table 1 2...

Page 500: ... f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring and Managing VSANs Default Settings ...

Page 501: ...rds are supported You can use either the existing basic zoning capabilities or the advanced standards compliant zoning capabilities This chapter includes the following sections Information About Zoning page 1 1 Configuring Zones page 1 7 Zone Sets page 1 8 Zone Set Distribution page 1 13 Zone Set Duplication page 1 15 Verifying Zone Information page 1 17 Enhanced Zoning page 1 18 Compacting the Zo...

Page 502: ...e fabric receive the active zone set Additionally full zone sets are distributed to all switches in the fabric if this feature is enabled in the source switch If a new switch is added to an existing fabric zone sets are acquired by the new switch Zone changes can be configured nondisruptively New zones and zone sets can be activated without interrupting traffic on unaffected ports or devices Zone ...

Page 503: ...rface based zoning does not work for VSANs configured in interop mode Zoning Example Figure 1 1 shows a zone set with two zones zone 1 and zone 2 in a fabric Zone 1 provides access from all three hosts H1 H2 H3 to the data residing on storage systems S1 and S2 Zone 2 restricts the data on S3 to access only by H3 H3 resides in both zones Figure 1 1 Fabric with Two Zones You can use other ways to pa...

Page 504: ...t in each VSAN Each VSAN has a full database and an active database Active zone sets cannot be changed without activating a full zone database Active zone sets are preserved across switch reboots Changes to the full database must be explicitly saved Zone reactivation a zone set is active and you activate another zone set does not disrupt existing traffic If required you can additionally configure ...

Page 505: ...e set even if a zone set with the same name is active However the modification will be enforced only upon reactivation When the activation is done the active zone set is automatically stored in persistent configuration This enables the switch to preserve the active zone set information across switch resets All other switches in the fabric receive the active zone set so they can enforce zoning in t...

Page 506: ...2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Full zone set Zone set Z1 Zone A Zone B Zone C After activating Zone set Z1 Full zone set Active zone set Zone set Z1 Zone A Zone B Zone C Zone set Z2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Zone set Z1 Zone A Zone B Zone C After adding Zone D to Zone set Z1 Full zone set Active zone set Zone set Z1 Zone A Zone B Zone C Zone set...

Page 507: ...zone member pwwn pwwn id Fabric pWWN example switch config zone member fwwn fwwn id FC ID example switch config zone member fcid fcid FC alias example switch config zone member fcalias Payroll Domain ID example switch config zone member domain id domain id portnumber number Local sWWN interface examples switch config zone member interface type slot port Remote sWWN interface example switch config ...

Page 508: ...le switch config zone member fcalias Payroll Domain ID example switch config zone member domain id 2 portnumber 23 Local sWWN interface examples switch config zone member interface fc 2 1 Remote sWWN interface example switch config zone member interface fc2 1 swwn 20 00 00 05 30 00 4a de Domain ID interface example switch config zone member interface fc2 1 domain id 25 Zone Sets This section descr...

Page 509: ... or zone set B can be activated but not together Tip Zone sets are configured with the names of the member zones and the VSAN if the zone set is in a configured VSAN Activating a Zone Set Changes to a zone set do not take effect in a full zone set until you activate it To activate or deactivate an existing zone set perform this task Zone 3 H2 S2 Zone 2 H3 S2 Zone 1 H1 H3 S1 Zone set A Zone set B H...

Page 510: ...efault zone Members are not permitted to communicate with each other Configure the default zone policy on each switch in the fabric If you change the default zone policy on one switch in a fabric be sure to change it on all the other switches in the fabric Note The default settings for default zone configurations can be changed The default zone members are explicitly listed when the default policy...

Page 511: ...WN example switch config fcalias member fwwn 10 01 10 01 10 ab cd ef FC ID example switch config fcalias member fcid 0x222222 Domain ID example switch config fcalias member domain id 2 portnumber 23 Local sWWN interface example switch config fcalias member interface fc2 1 Remote sWWN interface example switch config fcalias member interface fc2 1 swwn 20 00 00 05 30 00 4a de Domain ID interface exa...

Page 512: ...t zoning zoning restrictions are applied only during interaction between the name server and the end device If an end device somehow knows the FC ID of a device outside its zone it can access that device Hard zoning is enforced by the hardware on each frame sent by an N port As frames enter the switch source destination IDs are compared with permitted combinations to allow the frame at wire speed ...

Page 513: ... Nexus 5000 Series distribute active zone sets when new E port links come up or when a new zone set is activated in a VSAN The zone set distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set To enable full zone set and active zone set distribution to all switches on a per VSAN basis perform this task Enabling a One Time Distribution You can per...

Page 514: ...one time zone set distribution request switch show zone status vsan 3 VSAN 3 default zone permit distribute active only Interop 100 mode basic merge control allow session none hard zoning enabled Default zone qos none broadcast disabled ronly disabled Full Zoning Database Zonesets 0 Zones 0 Aliases 0 Active Zoning Database Name nozoneset Zonesets 1 Zones 2 Status Zoneset distribution completed at ...

Page 515: ...CP SFTP or TFTP The active zone set is not part of the full zone set You cannot make changes to an existing zone set and activate it if the full zone set is lost or is not propagated Switch 1 Switch 2 79949 Isolated port due to active zone set mismatch From Switch 1 Import database forces Switch 1 to use the database configured in Switch 2 From Switch 1 Export database forces Switch 2 to use the d...

Page 516: ...a zone zone set fcalias or zone attribute group perform this task Command Purpose Step 1 switch zone copy active zoneset full zoneset vsan vsan id Please enter yes to proceed y n n y Makes a copy of the active zone set in the specified VSAN to the full zone set switch zone copy vsan vsan id active zoneset scp guest myserver tmp active_zoneset txt Copies the active zone in the specified VSAN to a r...

Page 517: ...ect for example a specific zone zone set VSAN or alias or keywords such as brief or active only information for the specified object is displayed The following example shows how to display zone information for all VSANs switch show zone The following example shows how to display zone information for a specific VSAN switch show zone vsan 1 The following example shows how to display the configured z...

Page 518: ...ow to display the active zones switch show zone active The following example shows how to display the zone status switch show zone status Enhanced Zoning The zoning feature complies with the FC GS 4 and FC SW 3 standards Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section This section includes t...

Page 519: ...ple zone sets you create an instance of this zone in each zone set References to the zone are used by the zone sets as required once you define the zone Reduced payload size as the zone is referenced The size is more pronounced with bigger databases The default zone policy is defined per switch To ensure smooth fabric operation all switches in the fabric must have the same default zone setting Enf...

Page 520: ...n using the basic zoning data structure apply the configuration changes and release the lock from all switches in the fabric All switches in the fabric then move to basic zoning mode Enabling Enhanced Zoning By default the enhanced zoning feature is disabled in all switches in the Cisco Nexus 5000 Series To enable enhanced zoning in a VSAN perform this task Modifying the Zone Database Modification...

Page 521: ...ion locks remain on remote switches after using the no zone commit vsan command you can use the clear zone lock vsan command on the remote switches switch clear zone lock vsan 2 Note We recommend using the no zone commit vsan command first to release the session lock in the fabric If that fails use the clear zone lock vsan command on the remote switches where the session is still locked Command Pu...

Page 522: ...ge Configuring Zone Merge Control Policies To configure merge control policies perform this task Table 1 3 Database Zone Merge Status Local Database Adjacent Database Merge Status Results of the Merge The databases contain zone sets with the same name1 but different zones aliases and attributes groups 1 In the enhanced zoning mode the active zone set does not have a name in interop mode 1 The zone...

Page 523: ...he VSAN Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config zone default zone permit vsan vsan id Permits traffic flow to default zone members switch config no zone default zone permit vsan vsan id Denies traffic flow to default zone members and reverts to factory default Step 3 switch config zone commit vsan vsan id Commits the changes made to the s...

Page 524: ...ple shows how to display full zoning analysis switch show zone analysis vsan 1 The following example shows how to display active zoning analysis switch show zone analysis active vsan 1 See the Cisco Nexus 5000 Series Switch Command Reference for the description of the information displayed in the command output Default Settings Table 1 4 lists the default settings for basic zone parameters Command...

Page 525: ...igure features for example zoning DPVM or port security in a Cisco Nexus 5000 Series switch you must assign the correct device name each time you configure these features An inaccurate device name may cause unexpected results You can circumvent this problem if you define a user friendly name for a pWWN and use this name in all the configuration commands as required These user friendly names are re...

Page 526: ...icted to 64 alphanumeric characters and may include one or more of the following characters a to z and A to Z Device alias names must begin with an alphabetic character a to z or A to Z 1 to 9 hyphen and _ underscore dollar sign and up caret Zone Aliases Versus Device Aliases Table 1 1 compares the configuration differences between zone based alias configuration and device alias configuration Tabl...

Page 527: ...Device Alias Modes page 1 4 Changing Device Alias Mode Guidelines page 1 4 Configuring Device Alias Modes page 1 5 About Device Alias Distribution page 1 5 Locking the Fabric page 1 6 Committing Changes page 1 6 Discarding Changes page 1 6 Fabric Lock Override page 1 7 Disabling and Enabling Device Alias Distribution page 1 7 Creating Device Aliases To a create a device alias in the pending databa...

Page 528: ...ed configurations are not accepted in interop mode VSANs IVR zoneset activation will fail in interop mode VSANs if the corresponding zones have native device alias based members Changing Device Alias Mode Guidelines When changing device alias modes follow these guidelines If two fabrics running in different device alias modes are joined together the device alias merge will fail There is no automat...

Page 529: ...abase changes are not distributed to the switches in the fabric The same changes would have to be performed manually on all switches in the fabric to keep the device alias database up to date Database changes immediately take effect so there would not be any pending database and commit or abort operations either If you have not committed the changes and you disable distribution then a commit task ...

Page 530: ...he pending database is distributed to the switches in the fabric and the effective database on those switches is overwritten with the new changes 3 The pending database is emptied of its contents 4 The fabric lock is released for this feature To commit the changes perform this task Discarding Changes If you discard the changes made to the pending database the following events occur 1 The effective...

Page 531: ...s of the clear operation use the show device alias status command switch show device alias status Fabric Distribution Enabled Database Device Aliases 24 Status of the last CFS operation issued from this switch Operation Clear Session Lock released by administrator Status Success Successful status of the operation Disabling and Enabling Device Alias Distribution To disable or enable the device alia...

Page 532: ...onfiguration When an import operation is complete the modified alias database is distributed to all other switches in the physical fabric when you perform the commit operation If you do not want to distribute the configuration to other switches in the fabric you can perform the abort operation and the merge changes are completely discarded Importing a Zone Alias To import the zone alias for a spec...

Page 533: ... e0 8b 0b 66 56 SampleName pwwn 21 00 00 20 37 39 ac 0d z The following example shows how to display pending changes in the device alias database switch show device alias database pending The following example shows how to display a specific pWWN in the device alias database switch show device alias pwwn 21 01 00 e0 8b 2e 80 93 pending The following example shows how to display the difference betw...

Page 534: ...ce Alias Services Default Settings Default Settings Table 1 2 lists the default settings for device alias parameters Table 1 2 Default Device Alias Parameters Parameters Default Device alias distribution Enabled Device alias mode Basic Database in use Effective database Database to accept changes Pending database Device alias fabric lock state Locked with the first device alias task ...

Page 535: ...st path between any two switches Selects an alternative path in the event of the failure of a given path FSPF supports multiple paths and automatically computes an alternative path around a failed link It provides a preferred route when two equal paths are available This chapter provides details on Fibre Channel routing services and protocols It includes the following sections Information About FS...

Page 536: ...al mesh topology If a link goes down anywhere in the fabric any switch can still communicate with all others in the fabric In the same way if any switch goes down the connectivity of the rest of the fabric is preserved Figure 1 1 Fault Tolerant Fabric For example if all links are of equal speed the FSPF calculates two equal paths from A to C A D C green and A E C blue Redundant Link Example To imp...

Page 537: ... errors or other minor configuration errors Note FSPF is enabled by default Generally you do not need to configure these advanced features Caution The default for the backbone region is 0 zero You do not need to change this setting unless your region is different from the default If you are operating with other vendors using the backbone region you can change this default to be compatible with tho...

Page 538: ...ault Description Acknowledgment interval RxmtInterval 5 seconds The time a switch waits for an acknowledgment from the LSR before retransmission Refresh time LSRefreshTime 30 minutes The time a switch waits before sending an LSR refresh transmission Maximum age MaxAge 60 minutes The time a switch waits before dropping the LSR from the database Command Purpose Step 1 switch configuration terminal s...

Page 539: ...des the following topics About FSPF Link Cost page 1 6 Configuring FSPF Link Cost page 1 6 About Hello Time Intervals page 1 6 Configuring Hello Time Intervals page 1 6 About Dead Time Intervals page 1 7 Configuring Dead Time Intervals page 1 7 About Retransmitting Intervals page 1 7 Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config n...

Page 540: ...The default cost for 1 Gbps is 1000 and for 2 Gbps is 500 Configuring FSPF Link Cost To configure FSPF link cost perform this task About Hello Time Intervals You can set the FSPF Hello time interval to specify the interval between the periodic hello messages sent to verify the health of the link The integer value can range from 1 to 65 535 seconds Note This value must be the same in the ports at b...

Page 541: ...be transmitted on the interface The integer value to specify retransmit intervals can range from 1 to 65 535 seconds Note This value must be the same on the switches on both ends of the interface Step 2 switch config interface fc slot port switch config if Configures the specified interface or if already configured enters configuration mode for the specified interface Step 3 switch config if fspf ...

Page 542: ...or selected interfaces By default FSPF is enabled on all E ports and TE ports This default can be disabled by setting the interface as passive Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config interface fc slot port switch config if Configures the specified interface or if already configured enters configuration mode for the specified...

Page 543: ...igured statically This section includes the following topics About Fibre Channel Routes page 1 9 Configuring Fibre Channel Routes page 1 10 About Fibre Channel Routes Each port implements forwarding logic which forwards frames based on its FC ID Using the FC ID for the specified interface and domain you can configure the specified route for example FC ID 111211 and domain ID 3 in the switch with d...

Page 544: ...slot port domain domain id vsan vsan id switch config Configures the route for the specified Fibre Channel interface and domain In this example the specified interface is assigned an FC ID and a domain ID to the next hop switch switch config fcroute fcid interface san port channel port domain domain id vsan vsan id switch config Configures the route for the specified SAN port channel interface and...

Page 545: ...Frames When you experience a route change in the network the new selected path may be faster or less congested than the old route Figure 1 4 Route Change Delivery In Figure 1 4 the new path from Switch 1 to Switch 4 is faster In this scenario Frame 3 and Frame 4 may be delivered before Frame 1 and Frame 2 If the in order guarantee feature is enabled the frames within the network are delivered as f...

Page 546: ... delivery is disabled on switches in the Cisco Nexus 5000 Series Tip We recommend that you only enable this feature when devices that cannot handle any out of order frames are present in the switch Load balancing algorithms within the Cisco Nexus 5000 Series switch ensure that frames are delivered in order during normal fabric operation The load balancing algorithms based on source FC ID destinati...

Page 547: ...n 1 inorder delivery guaranteed vsan 101 inorder delivery not guaranteed vsan 1000 inorder delivery guaranteed vsan 1001 inorder delivery guaranteed vsan 1682 inorder delivery guaranteed vsan 2001 inorder delivery guaranteed vsan 2009 inorder delivery guaranteed vsan 2456 inorder delivery guaranteed vsan 3277 inorder delivery guaranteed vsan 3451 inorder delivery guaranteed vsan 3452 inorder deliv...

Page 548: ... vsan 460 network latency 500 milliseconds Flow Statistics Configuration Flow statistics count the ingress traffic in the aggregated statistics table You can collect two kinds of statistics Aggregated flow statistics to count the traffic for a VSAN Flow statistics to count the traffic for a source and destination ID pair in a VSAN This section includes the following topics About Flow Statistics pa...

Page 549: ...tatistics Use the clear fcflow stats command to clear the aggregated flow counter The following example clears the aggregated flow counters switch clear fcflow stats aggregated index 1 The following example clears the flow counters for source and destination FC IDs Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config fcflow stats aggrega...

Page 550: ...nfigured configured flow 3 7 7 The following example shows how to display global FSPF information for a specific VSAN switch show fspf vsan 1 The following example shows how to display a summary of the FSPF database for a specified VSAN If no additional parameters are specified all LSRs in the database are displayed switch show fspf database vsan 1 The following example shows how to display FSPF i...

Page 551: ...ing table FSPF stores up to 16 equal cost paths to a given destination Load balancing Based on destination ID and source ID on different equal cost paths In order delivery Disabled Drop latency Disabled Static route cost If the cost metric of the route is not specified the default is 10 Remote destination switch If the remote destination switch is not specified the default is direct Multicast rout...

Page 552: ...ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 18 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Fibre Channel Routing Services and Protocols Default Settings ...

Page 553: ... the following examples If the required device is displayed in the FLOGI table the fabric login is successful Examine the FLOGI database on a switch that is directly connected to the host HBA and connected ports The following example shows how to verify the storage devices in the fabric login FLOGI table switch show flogi database INTERFACE VSAN FCID PORT NAME NODE NAME fc2 3 1 0xb200e2 21 00 00 0...

Page 554: ...roxies page 1 2 Registering Name Server Proxies page 1 2 About Rejecting Duplicate pWWNs page 1 2 Rejecting Duplicate pWWNs page 1 3 About Name Server Database Entries page 1 3 Displaying Name Server Database Entries page 1 3 About Registering Name Server Proxies All name server registration requests come from the same port whose parameter is registered or changed If it does not then the request i...

Page 555: ...0 scsi fcp fc gs 0x010001 N 10 00 00 05 30 00 24 63 Cisco ipfc 0x010002 N 50 06 04 82 c3 a0 98 52 Company 1 scsi fcp 250 0x010100 N 21 00 00 e0 8b 02 99 36 Company A scsi fcp 0x020000 N 21 00 00 e0 8b 08 4b 20 Company A 0x020100 N 10 00 00 05 30 00 24 23 Cisco ipfc 0x020200 N 21 01 00 e0 8b 22 99 36 Company A scsi fcp The following example shows how to display the name server database and statisti...

Page 556: ...tary host agents Manufacturer model and serial number Node name and node symbolic name Hardware driver and firmware versions Host operating system OS name and version number All FDMI entries are stored in persistent storage and are retrieved when the FDMI process is started Displaying FDMI The following example shows how to display all HBA details for a specified VSAN switch show fdmi database det...

Page 557: ...n 1 Note The SCR table is not configurable It is populated when hosts send SCR frames with RSCN information If hosts do not receive RSCN information then the show rscn scr table command will not return entries About the multi pid Option If the RSCN multi pid option is enabled then RSCNs generated to the registered Nx ports may contain more than one affected port IDs In this case zoning rules are a...

Page 558: ...l To suppress the transmission of these SW RSCNs over an ISL perform this task Note You cannot suppress transmission of port address or area address format RSCNs Clearing RSCN Statistics You can clear the counters and later view the counters for a different set of events For example you can keep track of how many RSCNs or SW RSCNs are generated on a particular event such as ONLINE or OFFLINE event...

Page 559: ...Failure to do so will disable the links across your VSANs and other devices To configure the RSCN timer perform this task In this example the event time out value is set to 300 milliseconds for VSAN 12 switch rscn event tov 300 vsan 12 Verifying the RSCN Timer Configuration You verify the RSCN timer configuration using the show rscn event tov vsan command The following example shows how to clear t...

Page 560: ... commands on the local switch are affected Note All configuration commands are not distributed Only the rscn event tov tov vsan vsan command is distributed Note Only the RSCN timer configuration is distributed The RSCN timer is registered with CFS during initialization and switchover For high availability if the RSCN timer distribution crashes and restarts or a switchover occurs it resumes normal ...

Page 561: ...onfiguration database remains unaffected and the lock is released To discard RSCN timer configuration changes perform this task Clearing a Locked Session If you have changed the RSCN timer configuration and have forgotten to release the lock by either committing or discarding the changes an administrator can release the lock from any switch in the fabric If the administrator performs this task you...

Page 562: ...e merging fabrics The following example shows how to display the set of configuration commands that would take effect when you commit the configuration Note The pending database includes both existing and modified configuration switch show rscn pending rscn event tov 2000 ms vsan 1 rscn event tov 2000 ms vsan 2 rscn event tov 300 ms vsan 10 The following example shows how to display the difference...

Page 563: ... can access this information To report device capacity serial number and device ID information To register the initiator and target features with the name server The SCSI LUN discovery feature uses the local domain controller Fibre Channel address It uses the local domain controller as the source FC ID and performs SCSI INQUIRY REPORT LUNS and READ CAPACITY commands on SCSI devices The SCSI LUN di...

Page 564: ...any 4 Model ST318203FC Rev 0004 Other 00 00 02 32 8b 00 50 0a The following example discovers SCSI targets from the customized list assigned to the Linux OS switch discover scsi target custom list os linux discovery started About Initiating Customized Discovery Customized discovery consists of a list of VSAN and domain pairs that are selectively configured to initiate a discovery Use the custom li...

Page 565: ...rgets switch show scsi target status discovery completed Note This command takes several minutes to complete especially if the fabric is large or if several devices are slow to respond The following example displays the FCNS database switch show fcns database The following example displays the SCSI target disks switch show scsi target disk The following example displays the discovered LUNs on all ...

Page 566: ... e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 4 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Discovering SCSI Targets Displaying SCSI LUN Information ...

Page 567: ...stributed services TOV D_S_TOV The valid range is from 5 000 to 10 000 milliseconds The default is 5 000 milliseconds Error detect TOV E_D_TOV The valid range is from 1 000 to 10 000 milliseconds The default is 2 000 milliseconds This value is matched with the other end during port initialization Resource allocation TOV R_A_TOV The valid range is from 5 000 to 10 000 milliseconds The default is 10...

Page 568: ...ure different TOV values for VSANs with special links such as Fibre Channel You can configure different E_D_TOV R_A_TOV and D_S_TOV values for individual VSANs Active VSANs are suspended and activated when their timer values are changed Note This configuration must be propagated to all switches in the fabric Be sure to configure the same value in all switches in the fabric To configure per VSAN Fi...

Page 569: ...ng Cisco Fabric Services for more information on the CFS application Enabling or Disabling fctimer Distribution To enable or disable fctimer fabric distribution perform this task Committing fctimer Changes When you commit the fctimer configuration changes the effective database is overwritten by the configuration changes in the pending database and all the switches in the fabric receive the same c...

Page 570: ...se administrative privileges and release a locked fctimer session use the clear fctimer session command switch clear fctimer session Database Merge Guidelines When merging two fabrics follow these guidelines Be aware of the following merge conditions The merge protocol is not implemented for distribution of the fctimer values You must manually merge the fctimer values when a fabric is merged The p...

Page 571: ...0000 ms World Wide Names The world wide name WWN in the switch is equivalent to the Ethernet MAC address As with the MAC address you must uniquely associate the WWN to a single device The principal switch selection and the allocation of domain IDs rely on the WWN Cisco Nexus 5000 Series switches support three network address authority NAA address formats see Table 1 1 Caution Changes to the world ...

Page 572: ... Exchange Link Protocol ELP and Exchange Fabric Protocol EFP use WWNs during link initialization ELPs and EFPs both use the VSAN WWN by default during link initialization However the ELP usage changes based on the peer switch s usage If the peer switch ELP uses the switch WWN then the local switch also uses the switch WWN If the peer switch ELP uses the VSAN WWN then the local switch also uses the...

Page 573: ...ocated Regardless of the type whole area or single of FC ID allocated the FC ID entries remain persistent This section includes the following topics Default Company ID List page 1 7 Verifying the Company ID Configuration page 1 8 Default Company ID List All Cisco Nexus 5000 Series switches contain a default list of company IDs that require area allocation Using the company ID reduces the number of...

Page 574: ...d 0x003223 Verifying the Company ID Configuration You can view the configured company IDs by entering the show fcid allocation area command Default entries are listed first and the user added entries are listed next Entries are listed even if they were part of the default list and you later removed them The following example displays the list of default and configured company IDs switch show fcid ...

Page 575: ...is section briefly explains the basic concepts of these modes Each vendor has a regular mode and an equivalent interoperability mode which specifically turns off advanced or proprietary features and provides the product with a standards compliant implementation Note For more information on configuring interoperability for Cisco Nexus 5000 Series switches see the Cisco MDS 9000 Family Switch to Swi...

Page 576: ...h exactly E_D_TOV Verify that the Error Detect Time Out Value timers match exactly R_A_TOV Verify that the Resource Allocation Time Out Value timers match exactly Trunking Trunking is not supported between two different vendor s switches This feature may be disabled on a per port or per switch basis Default zone The default zone operation of permit all nodes can see all other nodes or deny all nod...

Page 577: ...e McData switches switch config fcdomain domain 100 preferred vsan 1 In Cisco Nexus 5000 Series switches the default is to request an ID from the principal switch If the preferred option is used Cisco Nexus 5000 Series switches request a specific ID but still join the fabric if the principal switch assigns a different ID If the static option is used the Cisco Nexus 5000 Series switches do not join...

Page 578: ...ration switch config fcdomain restart vsan 1 Verifying Interoperating Status This section highlights the commands used to verify if the fabric is up and running in interoperability mode To verify the resulting status of entering the interoperability command in any switch in the Cisco Nexus 5000 Series perform this task Step 1 Verify the software version switch show version Cisco Storage Area Netwo...

Page 579: ...face Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps fc3 1 1 E on trunking swl TE 2 fc3 2 1 auto on sfpAbsent fc3 3 1 E on trunking swl TE 2 fc3 4 1 auto on sfpAbsent fc3 5 1 auto auto notConnected swl fc3 6 1 auto on sfpAbsent fc3 7 1 auto auto sfpAbsent fc3 8 1 auto auto sfpAbsent Step 3 Verify if you are running the desired configuration switch show run Buildi...

Page 580: ...ch Local switch run time information State Stable Local switch WWN 20 01 00 05 30 00 51 1f Running fabric name 10 00 00 60 69 22 32 91 Running priority 128 Current domain ID 0x64 100 verify domain id Local switch configuration information State Enabled Auto reconfiguration Disabled Contiguous allocation Disabled Configured fabric name 41 6e 64 69 61 6d 6f 21 Configured priority 128 Configured doma...

Page 581: ... 28 2e 65 Seagate scsi fcp 0x6105e4 NL 21 00 00 20 37 28 26 0d Seagate scsi fcp 0x630400 N 10 00 00 00 c9 24 3f 75 Emulex scsi fcp 0x630500 N 50 06 01 60 88 02 90 cb scsi fcp 0x6514e2 NL 21 00 00 20 37 a7 ca b7 Seagate scsi fcp 0x6514e4 NL 21 00 00 20 37 a7 c7 e0 Seagate scsi fcp 0x6514e8 NL 21 00 00 20 37 a7 c7 df Seagate scsi fcp 0x651500 N 10 00 00 e0 69 f0 43 9f JNI Total number of entries 12 ...

Page 582: ... CLI Software Configuration Guide OL 16597 01 Chapter 1 Advanced Fibre Channel Features and Concepts Default Settings Local capture frame limits 10 frames FC ID allocation mode Auto mode Loop monitoring Disabled Interop mode Disabled Table 1 3 Default Settings for Advanced Features continued Parameters Default ...

Page 583: ...es the following sections Information About Fabric Authentication page 1 1 DHCHAP page 1 2 Sample Configuration page 1 10 Default Settings page 1 11 Information About Fabric Authentication All Cisco Nexus 5000 Series switches enable fabric wide authentication from one switch to another switch or from a switch to a host These switch and host authentications are performed locally or remotely in each...

Page 584: ...n Note Fibre Channel host bus adapters HBAs with appropriate firmware and drivers are required for host switch authentication DHCHAP DHCHAP is an authentication protocol that authenticates the devices connecting to a switch Fibre Channel authentication allows only trusted devices to be added to a fabric which prevents unauthorized devices from accessing the switch Note The terms FC SP and DHCHAP a...

Page 585: ...Features page 1 3 About Enabling DHCHAP page 1 4 Enabling DHCHAP page 1 4 About DHCHAP Authentication Modes page 1 4 Configuring the DHCHAP Mode page 1 5 About the DHCHAP Hash Algorithm page 1 6 Configuring the DHCHAP Hash Algorithm page 1 6 About the DHCHAP Group Settings page 1 6 Configuring the DHCHAP Group Settings page 1 6 About the DHCHAP Password page 1 7 Configuring DHCHAP Passwords for th...

Page 586: ...witch initialization if the connecting device supports DHCHAP authentication the software performs the authentication sequence If the connecting device does not support DHCHAP authentication the link is placed in an isolated state Auto Active During switch initialization if the connecting device supports DHCHAP authentication the software performs the authentication sequence If the connecting devi...

Page 587: ... mode Step 2 switch config interface fc slot port slot port switch config if Selects a range of interfaces and enters the interface configuration mode Step 3 switch config if fcsp on Sets the DHCHAP mode for the selected interfaces to be in the on state switch config if no fcsp on Reverts to the factory default of auto passive for these three interfaces Step 4 switch config if fcsp auto active 0 C...

Page 588: ...ttings All Cisco Nexus 5000 Series switches support all DHCHAP groups specified in the standard 0 null DH group which does not perform the Diffie Hellman exchange 1 2 3 or 4 Tip If you change the DH group configuration change it globally for all switches in the fabric Configuring the DHCHAP Group Settings To change the DH group settings perform this task Command Purpose Step 1 switch configuration...

Page 589: ...he fabric must be generated and configured in each switch Even if one switch is compromised the password of other switches are still protected This configuration requires considerable password maintenance by the user Note All passwords are restricted to 64 alphanumeric characters and can be changed but not deleted Tip We recommend using RADIUS or TACACS for fabrics with more than five switches If ...

Page 590: ...ap devicename 00 11 55 66 00 aa bb cc password 0 NewPassword The following example configures a password entered in an encrypted format for another switch in the fabric that is identified by the switch WWN device name switch config fcsp dhchap devicename 00 11 22 33 55 aa bb cc password 7 asdflkjh About the DHCHAP Timeout Value During the DHCHAP protocol exchange if the Cisco Nexus 5000 Series swi...

Page 591: ...ce fc2 4 fc2 4 fcsp authentication mode SEC_MODE_ON Status Successfully authenticated The following example shows how to display DHCHAP statistics for the specified interface switch show fcsp interface fc2 4 statistics The following example shows how to display the FC SP WWN of the device connected to the specified interface switch show fcsp interface fc2 1 wwn The following example shows how to d...

Page 592: ...all related configurations are automatically discarded switch config fcsp enable Step 3 Configure a clear text password for this switch This password will be used by the connecting device switch config fcsp dhchap password rtp9216 Step 4 Configures a password for another switch in the fabric that is identified by the switch WWN device name switch config fcsp dhchap devicename 20 00 00 05 30 00 38 ...

Page 593: ...d rtp9216 MDS 9509 config interface fc 4 5 MDS 9509 config if fcsp on MDS 9509 show fcsp dhchap database DHCHAP Local Password Non device specific password Other Devices Passwords Password for device with WWN 20 00 00 05 30 00 54 de is MDS 9509 show fcsp interface fc2 4 Fc2 4 fcsp authentication mode SEC_MODE_ON Status Successfully authenticated You have now enabled and configured DHCHAP authentic...

Page 594: ...d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 12 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring FC SP and DHCHAP Default Settings ...

Page 595: ...ribution page 1 12 Database Merge Guidelines page 1 14 Database Interaction page 1 15 Displaying Port Security Configuration page 1 19 Default Settings page 1 19 Information About Port Security Typically any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN services based on zone membership Port security features prevent unauthorized access to a switch port in the Cisc...

Page 596: ...ty active database The software uses this active database to enforce authorization About Auto Learning You can instruct the switch to automatically learn auto learn the port security configurations over a specified period This feature allows any Cisco Nexus 5000 Series switch to automatically learn about devices and switches that connect to it Use this feature when you activate the port security f...

Page 597: ...ally enabled You can choose to activate the port security feature and disable auto learning Tip If a port is shut down because of a denied login attempt and you subsequently configure the database to allow that login the port does not come up automatically You must explicitly enter a no shutdown CLI command to bring that port back online Configuring Port Security The steps to configure port securi...

Page 598: ...itting the Changes section on page 1 13 This ensures that the configure database is the same on all switches in the fabric Step 10 Copy the running configuration to the startup configuration using the fabric option This step saves the port security configure database to the startup configuration on all switches in the fabric Configuring Port Security with Auto Learning without CFS To configure por...

Page 599: ...arning section on page 1 8 Step 4 Disable auto learn on each VSAN See the Disabling Auto Learning section on page 1 8 Step 5 Copy the running configuration to the startup configuration which saves the port security configuration database to the startup configuration Step 6 Repeat Step 1 through Step 5 for all switches in the fabric Enabling Port Security By default the port security feature is dis...

Page 600: ...ation request is rejected you can force the activation Note If you force the activation existing devices are logged out if they violate the active database You can view missing or conflicting entries using the port security database diff active vsan command in EXEC mode To forcefully activate the port security database perform this task Command Purpose Step 1 switch configuration terminal switch c...

Page 601: ... perform this task Auto Learning This section includes the following topics About Enabling Auto Learning page 1 8 Enabling Auto Learning page 1 8 Disabling Auto Learning page 1 8 Auto Learning Device Authorization page 1 8 Authorization Scenario page 1 9 Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config no port security auto learn vsa...

Page 602: ...k Auto Learning Device Authorization Table 1 1 summarizes the authorized connection conditions for device requests Command Purpose Step 1 switch configuration terminal switch config Enters configuration mode Step 2 switch config port security auto learn vsan vsan id Enables auto learning so the switch can learn about any device that is allowed to access VSAN 1 These devices are logged in the port ...

Page 603: ...security authorization results for this active database The conditions listed refer to the conditions from Table 1 1 3 Not configured A switch port that is not configured Permitted if auto learning enabled 4 Denied if auto learning disabled 5 Configured or not configured A switch port that allows any device Permitted 6 Configured to log in to any switch port Any port on the switch Permitted 7 Not ...

Page 604: ...elines If you decide to manually configure port security note the following guidelines Identify switch ports by the interface or by the fWWN Identify devices by the pWWN or by the nWWN If an N port is allowed to log in to SAN switch port F then that N port can only log in through the specified F port S2 F11 Denied 7 P10 is bound to F11 P4 N4 F5 auto learning on Permitted 3 No conflict P4 N4 F5 aut...

Page 605: ...either the fWWN or sWWN interface combination To add authorized port pairs for port security perform this task This example enters the port security database mode for VSAN 2 switch config port security database vsan 2 This example configures the specified sWWN to only log in through SAN port channel 5 switch config port security swwn 20 01 33 11 00 2a 4a 66 interface san port channel 5 This exampl...

Page 606: ...uration you need to commit or discard the pending database changes to the configurations The fabric remains locked during this period Changes to the pending database are not reflected in the configurations until you commit the changes Note Port activation or deactivation and auto learning enable or disable do not take effect until after a CFS commit if CFS distribution is enabled Always follow any...

Page 607: ...d and the lock is released To discard the port security configuration changes for the specified VSAN perform this task Activation and Auto Learning Configuration Distribution Activation and auto learning configurations in distributed mode are remembered as actions to be performed when you commit the changes in the pending database Learned entries are temporary and do not have any role in determini...

Page 608: ...n is not done and devices C D are logged in 1 You activate the port security database and enableauto learning configuration database A B active database A B C1 D 1 The asterisk indicates learned entries configuration database A B active database null pending database A B activation to be enabled 2 A new entry E is added to the configuration database configuration database A B E active database A B...

Page 609: ... This section includes the following topics Database Scenarios page 1 16 Copying the Port Security Database page 1 17 Deleting the Port Security Database page 1 18 Clearing the Port Security Database page 1 18 Table 1 4 Active and Configuration Port Security Databases Active Database Configuration Database Read only Read write Saving the configuration only saves the activated entries Learned entri...

Page 610: ...s Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 pwwn4 fwwn4 pwwn5 fwwn5 active Database Saving the configuration copy running start Activating the database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 s Note Learned entries are not saved in the startup configuration Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 active Database Learning entries pwwn4 5 already logged in pwwn1 f...

Page 611: ...the switches CLI Switch 1 config Database 99301 pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 active Database EMPTY Configuring authorized ports Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 pwwn4 fwwn4 pwwn5 fwwn5 active Database Saving the configuration copy running start Activating the database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 s Note Learned entries are not saved in the startup configur...

Page 612: ... actually delete the database Use the no port security database vsan command in configuration mode to delete the configured database for a specified VSAN switch config no port security database vsan 1 Clearing the Port Security Database Use the clear port security statistics vsan command to clear all existing statistics from the port security database for a specified VSAN switch clear port securit...

Page 613: ...rity configuration database for VSAN 1 switch show port security database vsan 1 The following example shows how to display the activated database switch show port security database active The following example shows how to display difference between the temporary configuration database and the configuration database switch show port security pending diff vsan 1 The following example shows how to ...

Page 614: ...n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 20 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Port Security Default Settings ...

Page 615: ...The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric Fabric binding is configured on a per VSAN basis This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations It uses the Exchange Fabric Membership Data EFMD protocol to ensure that the list of authorized switches is identical in all switches i...

Page 616: ...ing feature requires all sWWNs connected to a switch to be part of the fabric binding active database Table 1 1 Fabric Binding and Port Security Comparison Fabric Binding Port Security Uses a set of sWWNs and a persistent domain ID Uses pWWNs nWWNs or fWWNs sWWNs Binds the fabric at the switch level Binds devices at the interface level Authorizes only the configured sWWN stored in the fabric bindi...

Page 617: ...rform this task Step 1 Enable the fabric configuration feature Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric Step 3 Activate the fabric binding database Step 4 Copy the fabric binding active database to the fabric binding configuration database Step 5 Save the fabric binding configuration Step 6 Verify the fabric binding confi...

Page 618: ...e fabric binding feature maintains a configuration database config database and an active database The config database is a read write database that collects the configurations you perform These configurations are only enforced upon activation This activation overwrites the active database with the contents of the config database The active database is read only and is the database that checks eac...

Page 619: ...e Use the fabric binding database copy vsan command to copy from the active database to the config database If the configured database is empty this command is not accepted switch fabric binding database copy vsan 1 Use the fabric binding database diff active vsan command to view the differences between the active database and the config database This command can be used when resolving conflicts s...

Page 620: ...ng command in configuration mode to delete the configured database for a specified VSAN switch config no fabric binding database vsan 10 Verifying Fabric Binding Information To display fabric binding information perform one of the following tasks The following example displays the active fabric binding information for VSAN 4 switch show fabric binding database active vsan 4 The following example d...

Page 621: ...ch 3 20 00 00 05 30 00 4a 1e Nov 25 05 44 58 2003 2 sWWN not found 4 20 00 00 05 30 00 4a 1e Nov 25 05 46 25 2003 1 Database mismatch Note In VSAN 3 the sWWN was not found in the list In VSAN 2 the sWWN was found in the list but has a domain ID mismatch The following example displays EFMD Statistics for VSAN 4 switch show fabric binding efmd statistics vsan 4 Default Settings Table 1 2 lists the d...

Page 622: ...n d f e e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Fabric Binding Default Settings ...

Page 623: ...ject A set of nodes may be defined as a platform object to make it a single manageable entity These nodes are end devices host systems storage subsystems attached to the fabric Platform objects reside at the edge switches of the fabric Each object has its own set of attributes and values A null value may also be defined for some attributes In the Cisco Nexus 5000 Series switch environment a fabric...

Page 624: ...anagement information base MIB to start discovery and obtain information about the fabric topology Support TE ports in addition to the standard F and E ports Can maintain a group of nodes with a logical name and management address when a platform registers with it FCSs maintain a backup of all registrations in secondary storage and update it with every change When a restart or switchover happens F...

Page 625: ...itch config fcs register attrib Enters the FCS registration attributes submode switch config fcs register no platform name SamplePlatform vsan vsan id switch config fcs register Deletes a registered platform Step 4 switch config fcs register attrib mgmt addr 1 1 1 1 Configures the platform management IPv4 address switch config fcs register attrib no mgmt addr 1 1 1 1 Deletes the platform managemen...

Page 626: ...database switch show fcs database The following example shows how to display a list of all interconnect elements for VSAN 1 switch show fcs ie vsan 1 The following example shows how to display information for a specific platform switch show fcs platform name SamplePlatform vsan 1 The following example shows how to display port information for a specific pWWN switch show fcs port pwwn 20 51 00 05 3...

Page 627: ...be redirected to another redundant link This chapter includes the following sections Information About Port Tracking page 1 1 Configuring Port Tracking page 1 2 Displaying Port Tracking Information page 1 6 Default Port Tracking Settings page 1 7 Information About Port Tracking Generally hosts can instantly recover from a link failure on a link that is immediately direct link connected to a switch...

Page 628: ...te is altered based on the operational state of the tracked ports Only physical Fibre Channel ports can be linked ports Port tracking has the following features The application brings the linked port down when the tracked port goes down When the tracked port recovers from the failure and comes back up again the linked port is also brought up automatically unless otherwise configured You can forcef...

Page 629: ...e of two methods Operationally binding the linked ports to the tracked port default Continuing to keep the linked port down forcefully even if the tracked port has recovered from the link failure Operationally Binding a Tracked Port When you configure the first tracked port operational binding is automatically in effect When you use this method you have the option to monitor multiple ports or moni...

Page 630: ...linked port will be set to down only if all the associated tracked ports are down Even if one tracked port is up the linked port will stay up In Figure 1 2 only if both ISLs 2 and 3 fail will the direct link 1 be brought down Direct link 1 will not be brought down if either 2 or 3 are still functioning as desired Figure 1 2 Traffic Recovery Using Port Tracking Step 3 switch config if port track in...

Page 631: ...p only when the VSAN is up on the tracked port Tip The specified VSAN does not have to be the same as the port VSAN of the linked port Monitoring Ports in a VSAN To monitor a tracked port in a specific VSAN perform this task Command Purpose Step 1 switch configuration terminal Enters configuration mode Step 2 switch config interface fc slot port Configures the specified interface and enters the in...

Page 632: ... task Displaying Port Tracking Information The show commands display the current port tracking settings for the switch The following example shows how to display tracked port configuration for a specific interface switch show interface fc2 1 fc2 1 is down Administratively down Hardware is Fibre Channel FCOT is short wave laser w o OFC SN Port WWN is 20 01 00 05 30 00 0d de Admin port mode is FX Po...

Page 633: ...ack mode switch show interface fc 2 4 fc2 4 is up Hardware is Fibre Channel FCOT is short wave laser Transmit B2B Credit is 64 Receive B2B Credit is 16 Receive data field Size is 2112 Beacon is turned off Port track mode is force_shut this port remains shut even if the tracked port is back up Default Port Tracking Settings Table 1 1 lists the default settings for port tracking parameters Table 1 1...

Page 634: ... e d b a ck t o n x 5 0 0 0 d o c f e e d b a ck c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring Port Tracking Default Port Tracking Settings ...

Page 635: ...th VLANs or VSANs all supported interfaces in the specified VLAN or VSAN are included as SPAN sources You can choose the SPAN traffic in the ingress direction the egress direction or both directions for Ethernet Fibre Channel and virtual Fibre Channel source interfaces Ingress source Rx Traffic entering the switch through this source port is copied to the SPAN destination port Egress source Tx Tra...

Page 636: ...ssion must have a destination port also called a monitoring port that receives a copy of traffic from the source ports VLANs or VSANs A destination port has these characteristics Can be any physical port Ethernet Ethernet FCoE or Fibre Channel and virtual Fibre Channel ports cannot be destination ports Cannot be a source port Cannot be a port channel or SAN port channel group Does not participate ...

Page 637: ...h a completely new session you can delete the desired session number or all SPAN sessions To delete SPAN sessions perform this task Command Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config monitor session session number Enters the monitor configuration mode New session configuration is added to the existing session configuration The session number can ...

Page 638: ...Purpose Step 1 switch configure terminal Enters global configuration mode Step 2 switch config interface ethernet slot port Enters interface configuration mode for the specified Ethernet interface selected by the slot and port values Step 3 switch config if switchport monitor Sets the interface to monitor mode Priority flow control is disabled when the port is configured as a SPAN destination Step...

Page 639: ...rface ethernet 1 16 The following example shows configuring a Fibre Channel SPAN source port switch config monitor source interface fc 2 1 The following example shows configuring a virtual Fibre Channel SPAN source port switch config monitor source interface vfc 129 Configuring Source Port Channels VLANs or VSANs You can configure the source channels for a SPAN session These ports can be port chan...

Page 640: ...he following example shows configuring a VSAN SPAN source switch config monitor source vsan 1 Configuring the Description of a SPAN Session To provide a descriptive name of the SPAN session for ease of reference perform this task The following example shows configuring a description of a SPAN session switch configure terminal switch config monitor session 2 switch config monitor description monito...

Page 641: ...ple if you configured ten sessions 1 to 10 where 1 and 2 are active after a reboot sessions 9 and 10 will be active To enable deterministic behavior explicitly suspend the sessions 3 to 10 with the monitor session session number shut command Displaying SPAN Information To display SPAN information perform this task This example shows how to display SPAN session information switch show monitor SESSI...

Page 642: ... c i s c o c o m 1 8 Cisco Nexus 5000 Series Switch CLI Software Configuration Guide OL 16597 01 Chapter 1 Configuring SPAN Configuring SPAN type local state up source intf rx fc3 1 tx fc3 1 both fc3 1 source VLANs rx source VSANs rx 1 destination ports Eth3 1 ...

Page 643: ... page 1 1 Using Ethanalyzer page 1 3 Troubleshooting Fibre Channel page 1 5 show tech support Command page 1 8 Default Settings page 1 16 Recovering a Lost Password This section describes how to recover a lost network administrator password using the console port of the switch You can recover the network administrator password using one of two methods From the CLI with a username that has network ...

Page 644: ...nfigure terminal switch config username admin password new password switch config exit switch Step 3 Save the configuration switch copy running config startup config Power Cycling the Switch If you cannot start a session on the switch that has network admin privileges you must recover the network administrator password by power cycling the switch Caution This procedure disrupts all traffic on the ...

Page 645: ...ion switch copy running config startup config Using Ethanalyzer Ethanalyzer is a Cisco NX OS protocol analyzer tool based on the Wireshark formerly Ethereal open source code Ethanalyzer is a command line version of Wireshark that captures and decodes packets You can use Ethanalyzer to troubleshoot your network and analyze the control plane traffic To configure Ethanalyzer use the following command...

Page 646: ...mit captured frames 1 Capturing on eth0 Frame 1 60 bytes on wire 60 bytes captured Arrival Time Jan 25 2005 08 49 49 250719000 Time delta from previous captured frame 1106642989 250719000 seconds Time delta from previous displayed frame 1106642989 250719000 seconds Time since reference or first frame 1106642989 250719000 seconds Frame Number 1 Frame Length 60 bytes Capture Length 60 bytes Frame is...

Page 647: ...3 Sequence number 0 relative sequence number Acknowledgement number 0 relative ack number Header length 20 bytes Flags 0x10 ACK 0 Congestion Window Reduced CWR Not set 0 ECN Echo Not set 0 Urgent Not set 1 Acknowledgment Set 0 Push Not set 0 Reset Not set 0 Syn Not set 0 Fin Not set Window size 64334 Checksum 0x934f correct Good Checksum True Bad Checksum False 1 packets captured For more informat...

Page 648: ...ed by that switch Also fctrace times out in the originator and path discovery does not start To perform the fctrace operation perform one of these tasks Command Purpose switch fctrace fcid 0xd70000 vsan 1 Route present for 0xd70000 20 00 00 0b 46 00 02 82 0xfffcd5 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Invokes fctrace for the specified...

Page 649: ...es from 0xd70000 time 229 usec 28 bytes from 0xd70000 time 183 usec 10 frames sent 10 frames received 0 timeouts Round trip min avg max 165 270 730 usec Sets the number of frames to be sent using the count option The range is from 0 through 2147483647 A value of 0 causes the command to send frames forever switch fcping fcid 0xd500b4 vsan 1 timeout 10 28 bytes from 0xd500b4 time 1345 usec 5 frames ...

Page 650: ...ar interface module or VSAN Each command output is separated by line and the command precedes the output Note Explicitly set the terminal length command to 0 zero to disable auto scrolling and enable manual scrolling Use the show terminal command to view the configured the terminal size After obtaining the output of this command remember to reset your terminal length as required Command Purpose St...

Page 651: ...the required location using the copy command and unzip the file using the gunzip command The default output of the show tech support command includes the output of the following commands show switchname show system uptime show interface mgmt0 show interface mgmt1 show system resources show version dir bootflash show inventory show diagnostic result all show logging log show module show environment...

Page 652: ...ow spanning tree summary show spanning tree active show interface trunk show aclmgr status show aclmgr internal dictionaries show aclmgr internal log show aclmgr internal ppf show aclmgr internal state cache show access lists show platform software ethpm internal info all show object group show logging onboard obfl logs show tech support brief Command Use the show tech support brief command to obt...

Page 653: ... active zone NONE default zone deny Interface Vsan Admin Admin Status SFP Oper Oper Port Mode Trunk Mode Speed Channel Mode Gbps fc3 1 1 auto on down swl fc3 2 1 auto on sfpAbsent fc3 3 1 auto on down swl fc3 4 1 auto on sfpAbsent fc3 5 1 auto on down swl fc3 6 1 auto on sfpAbsent fc3 7 1 auto on down swl fc3 8 1 auto on down swl Interface Status IP Address Speed MTU Port Channel Ethernet1 1 sfpIs...

Page 654: ... MTU mgmt0 up 172 16 24 47 100 1500 show tech support fc Command Use the show tech support fc command to obtain information about the FC configuration on your switch The output of the show tech support fc command includes the output of the following commands show interface brief show interface show port internal info all show port internal event history lock show port internal event history msgs s...

Page 655: ...fctimer show flogi database show flogi internal info show fspf show fspf database show tech support rscn show rscn internal vsan 1 4093 show rscn internal event history show rscn internal mem stats detail show rscn internal session history vsan 1 4093 show rscn internal merge history vsan 1 4093 show rscn statistics vsan 1 4093 show rscn scr table vsan 1 4093 show rscn session status vsan 1 4093 s...

Page 656: ...ry vsan 1 4093 show zone statistics vsan 1 4093 show system default zone show zone internal ddas table show zone internal sdv table vsan 1 4093 show zone internal mem stats show zone internal mem stats detail show zone internal transit table received vsan 1 4093 show zone internal transit table forwarded vsan 1 4093 show zone internal transit table rejected vsan 1 4093 Tip You can save the output ...

Page 657: ...w hardware internal gatos all ports detail show hardware internal altos detail show hardware internal altos event history errors show hardware internal altos event history messages show platform fcfib fcflow show platform fcfib event history all show platform fcfib unicasts show platform fcfib unicasts forwarding configuration show platform fcfib vsan show platform fcfib san port channel show plat...

Page 658: ...p all show platform software altos detail show platform software altos event history errors show platform software altos event history msgs show platform software altos ports all show platform hardware altos counters all show platform hardware altos counters interrupts all show platform hardware altos interrupts all detail Default Settings Table 1 1 lists the default settings for the features incl...

Page 659: ...ernet MTU 9 216 bytes 9 216 bytes ASIC limit PVRST 250 PVRST instances 4 000 STP interface states 53 248 STP interface states2 MST instances per switch every instance is RSTP enabled 64 64 IEEE standard Station Table3 16 000 entries 32 000 entries IP Multicast addresses IGMP snooping 1 000 addresses 1 000 addresses VSANs per switch4 32 256 Device Aliases per fabric 8 000 8 000 Event Traps forward ...

Page 660: ...gress SPAN sources 2 2 1 The entire 4094 VLAN ID space is supported 2 1024 STP instances times 52 10 Gigabit Ethernet ports 3 Station table contains all unicast Ethernet MAC addresses and Ethernet multicast addresses 4 The entire 4094 VSAN ID space is supported 5 This ASIC limit will only become significant in a future software release when multiple virtual interfaces can be configured per Etherne...

Reviews:

No comments