Thursday, 18 September 2014

Nexus port-profile

A port-profile is a configuration template: the configuration is written once in the profile and applied to many interfaces at the same time.

All configuration is entered under the port-profile and is replicated to an interface as soon as the profile is mapped to that interface. Every later change to the port-profile is replicated to the interfaces as well: it is not a one-time template but a live template that stays attached to the interface.

Port-profiles are used when the same configuration has to be applied to many interfaces.

The port-profile types are:-

  •    ethernet: - applied to physical Ethernet interfaces (the default type).
  •    port-channel: - applied to port-channel interfaces.
  •    interface-vlan: - applied to SVIs.
  •    tunnel-te: - applied to tunnel-te interfaces.


Below is the process used to configure and apply a port-profile:-

Step1. Create the port-profile with the type matching the interface it will be mapped to (ethernet, interface-vlan, port-channel or tunnel-te).

Note:- ethernet is the default type; a profile created without a type becomes type ethernet, as the output below shows.


N7K-1(config)# port-profile type ?
  ethernet        Ethernet type  ----------<<<<<< Default
  interface-vlan  Interface-vlan type
  port-channel    Port-channel type
  tunnel-te       Tunnel-te type

N7K-1(config)# port-profile test
N7K-1# sh run port-profile test

!Command: show running-config port-profile test
!Time: Wed Sep 17 18:46:58 2014

version 5.2(1)
port-profile type ethernet test  ------------<<<<<<Default


Step2. Configure the port-profile as per the requirement.

Note: - Port-profile names are case sensitive. As shown below, the same name in a different case creates a second, separate port-profile.



N7K-1(config)# port-profile type ethernet Access_PORT
N7K-1(config-port-prof)# switchport mode access
N7K-1(config-port-prof)# switchport access vlan 100
N7K-1(config-port-prof)# spanning-tree port type edge

N7K-1(config)# port-profile type ethernet ACCESS_PORT
N7K-1(config-port-prof)# switchport
N7K-1(config-port-prof)#   switchport mode access
N7K-1(config-port-prof)#   switchport access vlan 100
N7K-1(config-port-prof)#   spanning-tree port type edge

N7K-1(config)# sh run port-profile
!Command: show running-config port-profile
!Time: Wed Sep 17 16:49:36 2014

version 5.2(1)
port-profile type ethernet Access_PORT
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge

port-profile type ethernet ACCESS_PORT
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge



Step 3. Verify the port-profile configuration.


N7K-1(config)# sh run port-profile
port-profile type ethernet ACCESS_PORT
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge


Step4. Once the configuration has been verified, enable the port-profile. Interfaces only pick up its configuration while the profile is enabled.


N7K-1(config)# port-profile type ethernet ACCESS_PORT
N7K-1(config-port-prof)#   state enabled
N7K-1(config-port-prof)# exit


Step5. Apply the port-profile to the physical interface, which then inherits the configuration of the port-profile.


N7K-1(config)# interface Ethernet1/1
N7K-1(config-if)# inherit port-profile ACCESS_PORT




N7K-1(config)# int eth1/21
N7K-1(config-if)# inherit port-profile access_port
ERROR: No profile matching given profile name - - - <<This error is returned when the port-profile name is wrong or typed in a different case (access_port instead of ACCESS_PORT).


Step6.  The show running-config interface command does not show the switchport configuration inherited from the profile, only the inherit statement, as shown below.


N7K-1(config)# sh run int eth1/21
!Command: show running-config interface Ethernet1/21
!Time: Wed Sep 17 16:51:12 2014
version 5.2(1)
interface Ethernet1/21
  inherit port-profile ACCESS_PORT


Use the command below to see the complete configuration the interface receives from the port-profile:-


N7K-1(config)# sh port-profile expand-interface name ACCESS_PORT

port-profile ACCESS_PORT
 Ethernet1/21
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge


Step7.  The command below shows the port-profile's configuration together with every interface it is assigned to.


N7K-1# show port-profile name ACCESS_PORT

port-profile ACCESS_PORT
 type: Ethernet
 description:
 status: enabled
 max-ports: 512  -----------------------<<<<<<<<<<<<<<
 inherit:
 config attributes:  ------------<<<<<<<<<<<<<<<<<<<<<
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
 evaluated config attributes:
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
 assigned interfaces:
  Ethernet1/21  ------------------<<<<<<<<<<<<<<<<<<<<


Step8. Configuration entered directly on the interface takes precedence over the port-profile.

In the output below, Eth1/21 is configured as a trunk, which overrides the access-mode configuration inherited from the port-profile.


N7K-1(config)#  int eth1/21
N7K-1(config-if)# switchport mode trunk
N7K-1(config-if)# end

N7K-1# sh run int eth1/21

!Command: show running-config interface Ethernet1/21
!Time: Wed Sep 17 19:03:34 2014

version 5.2(1)

interface Ethernet1/21
  inherit port-profile ACCESS_PORT
  switchport mode trunk

N7K-1# sh int eth1/21 switchport
Name: Ethernet1/21
  Switchport: Enabled
  Switchport Monitor: Not enabled
  Operational Mode: trunk  ---------------<<<<<<<<<<<<<<
  Access Mode VLAN: 100 (Vlan not created)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094
  FabricPath Topology List Allowed: 0
  Administrative private-vlan primary host-association: none
  Administrative private-vlan secondary host-association: none
  Administrative private-vlan primary mapping: none
  Administrative private-vlan secondary mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk


Step9. The no form of the command deletes the port-profile. This also removes the inherited configuration from every interface that was using the profile, whereas configuration entered directly on the interface is not removed.


N7K-1(config)# no port-profile ACCESS_PORT
Profile is applied on some interfaces. Do you want to continue (y/n)? [n] y

N7K-1(config)#sh run int eth1/21

!Command: show running-config interface Ethernet1/21
!Time: Wed Sep 17 19:08:33 2014
version 5.2(1)

interface Ethernet1/21
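To make the three behaviours shown above (inheritance, interface-level precedence over the profile, and what a deletion removes) checkable offline, here is an added Python example. It is not from the post and not Cisco code: it parses running-config text and expands port-profile inheritance the way show port-profile expand-interface reports it. The sample config, the interface and profile names in it, and the cmd_key() rule for deciding which commands conflict are assumptions for illustration.

```python
"""Expand NX-OS port-profile inheritance from running-config text.

Added example, not from the post or Cisco. Rules modelled: an enabled
profile's commands are copied to each inheriting interface, an
interface-local command overrides the profile's version of the same
command, and deleting the profile removes only what was inherited."""
import re
from collections import OrderedDict

PROFILE_RE = re.compile(r"^port-profile(?: type (\S+))? (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
INHERIT = "inherit port-profile "

SAMPLE_CONFIG = """\
port-profile type ethernet ACCESS_PORT
  switchport
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
  state enabled
port-profile type ethernet Access_PORT
  switchport access vlan 200
interface Ethernet1/21
  inherit port-profile ACCESS_PORT
  switchport mode trunk
interface Ethernet1/23
  inherit port-profile access_port
interface Ethernet1/24
  inherit port-profile Access_PORT
"""   # constructed sample, not a real switch's running-config


class ProfileError(ValueError):
    """Same condition as 'ERROR: No profile matching given profile name'."""


def parse_config(text):
    """Split column-0 headers and their indented bodies into profiles/interfaces."""
    profiles, interfaces, body = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":                       # a block header
            if m := PROFILE_RE.match(raw):
                body = profiles.setdefault(m[2], {"type": m[1] or "ethernet",
                                                  "enabled": False, "attrs": []})
            else:
                m = INTERFACE_RE.match(raw)
                body = interfaces.setdefault(m[1], []) if m else None
            continue
        line = raw.strip()
        if isinstance(body, dict):              # inside a port-profile
            if line == "state enabled":
                body["enabled"] = True
            else:
                body["attrs"].append(line)
        elif body is not None:                  # inside an interface
            body.append(line)
    return profiles, interfaces


def cmd_key(cmd):
    """Simplification: commands differing only in their last token conflict."""
    tokens = cmd.split()
    return " ".join(tokens[:-1]) if len(tokens) > 1 else cmd


def resolve_profile(profiles, name):
    """Exact, case-sensitive lookup as on the switch; name any near miss."""
    if name in profiles:
        return name
    near = [p for p in profiles if p.lower() == name.lower()]
    hint = f" (names are case-sensitive; existing: {', '.join(near)})" if near else ""
    raise ProfileError(f"No profile matching given profile name {name!r}{hint}")


def expand_interface(profiles, intf_lines):
    """Return (inherited profile or None, effective commands) for one interface."""
    effective, inherited = OrderedDict(), None
    for line in intf_lines:
        if line.startswith(INHERIT):
            inherited = resolve_profile(profiles, line[len(INHERIT):])
    if inherited and profiles[inherited]["enabled"]:   # only enabled profiles apply
        for cmd in profiles[inherited]["attrs"]:
            effective[cmd_key(cmd)] = cmd
    for line in intf_lines:
        if not line.startswith(INHERIT):
            effective[cmd_key(line)] = line             # interface config wins
    return inherited, list(effective.values())


def assigned_interfaces(interfaces, name):
    """Interfaces inheriting `name`, as 'show port-profile name' lists them."""
    return [i for i, lines in interfaces.items() if INHERIT + name in lines]


def delete_profile(profiles, interfaces, name):
    """'no port-profile NAME': drop the profile and its inherit statements only."""
    profiles.pop(name)
    for lines in interfaces.values():
        lines[:] = [l for l in lines if l != INHERIT + name]


if __name__ == "__main__":
    profiles, interfaces = parse_config(SAMPLE_CONFIG)
    for intf, lines in interfaces.items():
        try:
            print(intf, expand_interface(profiles, lines))
        except ProfileError as err:
            print(intf, "ERROR:", err)
```

Run it against the sample and Ethernet1/21 expands to the profile's commands with switchport mode trunk in place of switchport mode access, Ethernet1/23 fails with the case-sensitivity error, Ethernet1/24 gets nothing because its profile was never enabled, and after delete_profile() only the trunk command is left on Ethernet1/21.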




Monday, 15 September 2014

Why do we need the Nexus 2K (FEX)?

To understand the need for the Nexus 2000, we must first look at the two data-center access-layer designs.

There are two design architectures:-

1.       TOR (Top of Rack)
2.       EOR (End of Row)

Each method has its own pros and cons. See the Top of Rack vs. End of Row post further down for details.


Below are the disadvantages of the two designs:-

TOR (Top of Rack) :-

Disadvantage:-
·         Switch management: - As each rack needs one or two switches, managing them becomes an overhead. Every switch needs its own management IP and has to be added to the management tool, which can only monitor a limited number of devices. More devices in the network means more licence cost.

EOR (End of Row) :

Disadvantage:-
·         Cable requirement: - A cable runs from every server to a network switch in a different rack, which increases the amount of cabling and adds cost to deployment and maintenance.
·         Cable management: - More resources and skill are needed to manage the cabling, which increases the overall project budget.
·         Time to make changes: - With more cabling involved, changes are tedious and take longer.

The N2K not only increases the number of access ports for host connections but also removes the major disadvantages of both TOR and EOR:-

1.       Unlike EOR, it reduces the number of cables between the network rack and the server rack, because only a few uplinks run between the 2K and its parent switch (5K/7K). Fewer cables mean lower cable-management and procurement cost.
2.       The Nexus 2000 cannot work standalone; it needs an N5K or N7K as its parent and is configured and managed from there, so unlike TOR it adds no management overhead. Fewer managed devices means fewer IP addresses, less management traffic and fewer inventory and configuration-management licences.

Apart from the above advantages, the 2K has a disadvantage as well:-
1.       It does not perform local switching. Two servers connected to the same FEX cannot talk to each other directly: traffic from server-1 goes up to the parent switch (5K/7K) and comes back down to server-2 on the same FEX.

  

Default Vs. Admin VDC in Nexus 7000

Both are used to manage the whole switch and to assign interfaces to the non-default VDCs, and global parameters such as CoPP are configured only in the default/admin VDC. So what is the difference?

Below is the difference between the default and admin VDC.


Default VDC:-

In NX-OS, the default VDC (VDC 1) performs two functions:-

1.       The default VDC is used to manage all VDCs in the chassis. From it, a network-admin user creates, deletes and modifies the non-default VDCs and allocates interfaces to them.

2.       Interfaces can also be allocated to the default VDC itself, so it can carry user traffic just like a non-default VDC.


Admin VDC:-

The admin VDC can be created from the initial setup wizard. It is used only for managing the whole chassis and the non-default VDCs. No interface can be allocated to the admin VDC, so it cannot carry user traffic.

Before NX-OS 6.2(2) it was not available on Sup-1; from 6.2(2) it is available on all supervisor modules.

Note: - The default VDC and the admin VDC cannot coexist. VDC 1 is configured either as the default VDC or as the admin VDC.

The default VDC can be converted to the admin VDC with either of these two commands:-

·         system admin-vdc :- When applied to the default VDC, all non-global (VDC-specific) configuration is removed. Apply it with caution, otherwise any user traffic carried by the default VDC is disrupted. It is normally applied during the initial configuration.

·         system admin-vdc migrate new-vdc-name :- Creates a new VDC and migrates all configuration specific to the default VDC into it, except a few items such as the management IP address and NTP settings.

All global configuration, such as CoPP and the port-channel load-balancing method, remains in the admin VDC.



Sunday, 14 September 2014

Configuring Mobility on Cisco 5508 WLC

Before configuring mobility between two controllers, make sure the two WLCs can ping each other.


Step 1. Click the Controller tab on the main menu, then click Mobility Group in the left-hand menu.



Step 2. Click New on the right-hand side of the screen to add a new mobility group member.



Step 3. Enter the IP address of the peer WLC and the MAC address of its management interface.

Note: The group name must be the same on both WLCs for mobility to be established between them.

Click Apply.

Once configured and applied, the mobility peer takes some time to come up. Initially the control and data paths show as down; later both come up. Mobility is considered UP only when both the control path and the data path are up.



Friday, 12 September 2014

Difference between HSRP version 1 and version 2

HSRP version 1:-

·         Maximum number of groups supported: 256 (0-255)
·         MAC addresses used: 0000.0c07.ac00 to 0000.0c07.acff
·         Hello packets are sent to multicast address 224.0.0.2 (the all-routers group, which can conflict with CGMP leave processing)
·         Default version (on both Catalyst and Nexus switches)
·         Only plain-text authentication (default password cisco) is supported.
·         Millisecond timers are not advertised or learned.
·         The active router sends hello messages with the HSRP virtual MAC address as the source MAC address.


HSRP version 2:-

·         Maximum number of groups supported: 4096 (0-4095).
·         MAC addresses used: 0000.0c9f.f000 to 0000.0c9f.ffff.
·         Hello packets are sent to multicast address 224.0.0.102, which removes the CGMP conflict of version 1.
·         Version 2 must be enabled explicitly.
·         Supports MD5 authentication.
·         Millisecond timers can be advertised and learned.
·         The active router sends hello messages with the interface MAC address as the source MAC address.

Note  :- 
  • HSRP version 1 and version 2 have different packet formats.
  • The two versions are not compatible with each other: all routers in a group must run the same version.
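As an added example (not part of the post), the Python below encodes the per-version numbers listed above and packs/unpacks the HSRP version 1 packet as RFC 2281 lays it out, which is what you would use to check a lab capture for the expected group, priority and virtual MAC. The group, priority and virtual IP values used are made up; the v2 TLV body is not modelled, a v2 packet is only told apart from v1 by its first byte.

```python
"""HSRP v1 vs v2 addressing, and the v1 hello packet (RFC 2281).

Added example, not from the post. virtual_mac()/hello_destination()
encode the per-version constants; build_v1_hello()/parse_v1() pack and
unpack the 20-byte v1 packet per RFC 2281. The v2 TLV body is not
modelled; wire_version() only tells the two apart by the first byte.
"""
import ipaddress
import struct

HSRP_UDP_PORT = 1985                        # both versions
V1_MAC_BASE = 0x00000C07AC00                # 0000.0c07.acXX  (XX = group)
V2_MAC_BASE = 0x00000C9FF000                # 0000.0c9f.fXXX  (XXX = group)
HELLO_DST = {1: "224.0.0.2", 2: "224.0.0.102"}
MAX_GROUP = {1: 255, 2: 4095}

# RFC 2281 v1 packet: version, opcode, state, hellotime, holdtime, priority,
# group, reserved (one byte each), 8-byte auth data, 4-byte virtual IP.
V1_FORMAT = "!BBBBBBBB8s4s"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def _check(version, group):
    if version not in MAX_GROUP:
        raise ValueError(f"unknown HSRP version {version}")
    if not 0 <= group <= MAX_GROUP[version]:
        raise ValueError(f"group {group} out of range for HSRP v{version} "
                         f"(0-{MAX_GROUP[version]})")


def virtual_mac(version, group):
    """Virtual MAC: the group fills the low 8 bits (v1) or 12 bits (v2)."""
    _check(version, group)
    value = (V1_MAC_BASE if version == 1 else V2_MAC_BASE) | group
    return "%04x.%04x.%04x" % (value >> 32, (value >> 16) & 0xFFFF, value & 0xFFFF)


def hello_destination(version):
    """Multicast group hellos are sent to; v2 moved off 224.0.0.2 (all-routers)."""
    return HELLO_DST[version]


def build_v1_hello(group, priority, vip, hellotime=3, holdtime=10,
                   auth=b"cisco", state=16):
    """Pack a v1 hello. Timers are whole seconds; auth is plain text, 8 bytes max."""
    _check(1, group)
    if len(auth) > 8:
        raise ValueError("v1 authentication data is at most 8 bytes")
    return struct.pack(V1_FORMAT, 0, 0, state, hellotime, holdtime, priority,
                       group, 0, auth.ljust(8, b"\x00"),
                       ipaddress.IPv4Address(vip).packed)


def wire_version(packet):
    """v1 packets start with version byte 0; v2 packets start with a TLV type byte."""
    return 1 if packet[0] == 0 else 2


def parse_v1(packet):
    """Unpack a v1 packet into a dict; rejects v2 so mismatched peers are obvious."""
    if len(packet) != struct.calcsize(V1_FORMAT) or wire_version(packet) != 1:
        raise ValueError("not an HSRP version 1 packet")
    _ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(V1_FORMAT, packet)
    return {
        "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
        "virtual_mac": virtual_mac(1, group),
    }


if __name__ == "__main__":
    pkt = build_v1_hello(group=5, priority=110, vip="10.1.1.1")   # made-up values
    print(pkt.hex(), parse_v1(pkt))
    print(virtual_mac(2, 300), hello_destination(2))
```

The group-range check is where the incompatibility bites in practice: group 300 is valid for version 2 and rejected for version 1, and the virtual MAC it yields (0000.0c9f.f12c) is in the v2 range, so an ARP table showing 0000.0c07.acXX next to it tells you a peer is still on version 1.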

Wednesday, 10 September 2014

VDC user Roles

Network-admin: - Exists only in the default VDC. A user with the network-admin role can perform all chassis-level operations, such as reload, creating and deleting VDCs, and allocating interfaces to non-default VDCs.

A network-admin user moves from the default VDC into a non-default VDC with the switchto vdc vdc_name command, where it holds the vdc-admin role.

More than one network-admin user can be configured, but the recommendation is to keep the number to a minimum.

Network-operator: - Exists only in the default VDC. A network-operator user can enter a non-default VDC with the switchto command from the default VDC and holds the vdc-operator role there.

A user in this role can only view the configuration and cannot make any changes.

VDC-ADMIN: - A vdc-admin user can change the configuration within its VDC. Both vdc-admin and network-admin can create, delete and modify user accounts within the VDC.

A vdc-admin user can only change the configuration of its own VDC; it cannot change other VDCs or perform chassis-level operations such as reload.

The vdc-admin role can also be given to a user in the default VDC. This restricts that user to the default VDC only; it cannot make changes in the non-default VDCs.


VDC-Operator: - Provides read-only access limited to the user's own VDC, so a vdc-operator user cannot make any configuration change.

Tuesday, 9 September 2014

Top of Rack Vs. End of Row - Data-center Architecture


What is TOP OF RACK (TOR)?

In TOR, one or two access switches are installed at the top of each server rack to provide the servers' network connectivity, and those access switches uplink to the aggregation switch in the network rack. Hence only a few cables run from each server rack to the network rack.





Advantage:-

·         Cabling cost: - Cabling is reduced because all server connections terminate within their own rack, so only a few cables run between the server racks and the network rack.
·         Cable management: - Fewer resources and skills are needed to manage the cabling infrastructure.
·         Easy management and changes: - With very few cables running between the server and network racks, it is easy to locate a cable and make changes.

Disadvantage:-

·         Switch management: - As each rack needs one or two local switches, managing them becomes an overhead. Every switch needs its own management IP and a place in the tool that manages device inventory and configuration, and each tool can only monitor a limited number of devices. More devices in the network means more licence cost.

·         Network resources: - More managed devices require more network resources to manage the infrastructure.

·         Bandwidth: - This applies only to legacy environments without 10/40/100 Gig links. With only a few uplinks from each access switch, the available bandwidth can become a bottleneck.

·         More rack space: - Space is needed in every server rack for the SAN and LAN switches, which increases the overall rack requirement.

·         More data-center space: - Space is a critical and expensive factor in data-center design, and the aim is always a compact, efficient DC. As stated above, the extra rack space increases the DC space requirement.


What is END OF ROW ( EOR )?



In EOR, all network switches are placed in the network rack, and a cable from every server in the server racks runs to the network rack.

Advantage:-

·         Lower device count: - Since no switch has to be installed in every rack, fewer switches are needed. In TOR every rack must have a switch whether or not the rack is fully populated.

·         Rack space: - With fewer devices overall, less rack space is needed.

·         Cooling requirement: - Fewer devices in the data center means less cooling. It also reduces the electricity bill and the resources needed to maintain the DC environment.

Disadvantage:-

·         Inefficient layer-2 traffic: - East-west traffic is greater than north-south traffic. In an EOR design, if two servers in the same rack and VLAN need to talk to each other, the traffic goes to the aggregation switch in the network rack and comes back, which reduces efficiency.

       In TOR, by contrast, that traffic is switched locally by the switch in the server rack, which not only reduces the load on the uplinks but also saves CPU and memory on the aggregation or core switches.

·         Cable requirement: - A cable runs from every server to a network switch in a different rack, which increases the amount of cabling and adds cost to deployment and maintenance.

·         Cable management: - More resources and skill are needed to manage the cabling, which increases the overall project budget.

·         Time to make changes: - With more cabling involved, changes are tedious and take longer.