Learn Nexus In Comparison with IOS By: Prashant Phirke (CCIE R&S)
Table of Contents
  Configuration Fundamentals ..... 3
  Interface Configuration ..... 10
  Port-Channel ..... 15
  HSRP ..... 20
  DHCP Relay ..... 25
  STP ..... 28
  EIGRP ..... 32
  OSPF ..... 37
  BGP ..... 42
  BGP (Advanced) ..... 48
  Multicast ..... 54
  Netflow ..... 65
  SPAN ..... 70
  TACACS+, RADIUS, and AAA ..... 74
  Layer-3 Virtualization ..... 79
Learn Nexus
Page 2
Configuration Fundamentals
The Cisco NX-OS is a data center class operating system designed for maximum scalability and application availability. The CLI interface for the NX-OS is very similar to Cisco IOS, so if you understand the Cisco IOS you can easily adapt to the Cisco NX-OS. However, a few key differences should be understood prior to working with the Cisco NX-OS.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• When you first log into the NX-OS, you go directly into EXEC mode.
• Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS 5.0(2a) introduced privilege levels and two-stage authentication using an enable secret that can be enabled with the global feature privilege configuration command.
• By default, the admin user has network-admin rights that allow full read/write access. Additional users can be created with very granular rights to permit or deny specific CLI commands.
• The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults, perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP) security policy.
• The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced Services license is required depending on the features required. Additional licenses may be required in the future. A 120 day license grace period is supported for testing, but features are automatically removed from the running configuration after the expiration date is reached.
• The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP, etc. using the feature configuration command. Configuration and verification commands are not available until you enable the specific feature.
• Interfaces are labeled in the configuration as Ethernet. There aren’t any speed designations.
• The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical device to be partitioned into logical devices. When you log in for the first time, you are in the default VDC (VDC 1).
• The Cisco NX-OS has two preconfigured VRF instances by default (management, default). The management VRF is applied to the supervisor module out-of-band Ethernet port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet ports.
• SSHv2 server/client functionality is enabled by default. TELNET server functionality is disabled by default. (The TELNET client is enabled by default and cannot be disabled.)
• VTY and Auxiliary port configurations do not show up in the default configuration unless a parameter is modified (the Console port is included in the default configuration). The VTY port supports 32 simultaneous sessions and the timeout is disabled by default for all three port types.
Things You Should Know
The following list provides some additional Cisco NX-OS information that should be helpful when configuring and maintaining the Cisco NX-OS.
• The default administrator user is predefined as admin. An admin user password has to be specified when the system is powered up for the first time, or if the running configuration is erased with the write erase command and the system is repowered.
• If you remove a feature with the global no feature configuration command, all relevant commands related to that feature are removed from the running configuration.
• The NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables. The boot variables determine what version of NX-OS is loaded when the system is powered on. (The kickstart and system boot variables have to be configured for the same NX-OS version.)
• The show running-config command accepts several options, such as OSPF, BGP, etc., that will display the runtime configuration for a specific feature.
• The show tech command accepts several options that will display information for a specific feature.
Configuration Comparison
The following sample code shows similarities and differences between the Cisco NX-OS Software and Cisco IOS Software CLIs. Each example lists the Cisco IOS CLI first and the Cisco NX-OS CLI second.

Default User Prompt
  Cisco IOS:
    c6500>
  Cisco NX-OS:
    n7000#

Entering Configuration Mode
  Cisco IOS:
    c6500# configure terminal
  Cisco NX-OS:
    n7000# configure terminal

Saving the Running Config to the Startup Config (nvram)
  Cisco IOS:
    c6500# write memory
    or
    c6500# copy running-config startup-config
  Cisco NX-OS:
    n7000# copy running-config startup-config

Erasing the Startup Config (nvram)
  Cisco IOS:
    c6500# write erase
  Cisco NX-OS:
    n7000# write erase

Installing a License
  Cisco IOS:
    Cisco IOS Software does not require a license file installation.
  Cisco NX-OS:
    n7000# install license bootflash:license_file.lic

Interface Naming Convention
  Cisco IOS:
    interface Ethernet 1/1
    interface FastEthernet 1/1
    interface GigabitEthernet 1/1
    interface TenGigabitEthernet 1/1
  Cisco NX-OS:
    interface Ethernet 1/1

Default VRF Configuration (management)
  Cisco IOS:
    Cisco IOS Software doesn’t enable VRFs by default.
  Cisco NX-OS:
    vrf context management

Configuring the Software Image Boot Variables
  Cisco IOS:
    boot system flash sup-bootdisk:s72033ipservicesk9_wan-mz.122-33.SXH1.bin
  Cisco NX-OS:
    boot kickstart bootflash:/n7000-s1kickstart.4.0.4.bin sup-1
    boot system bootflash:/n7000-s1dk9.4.0.4.bin sup-1
    boot kickstart bootflash:/n7000-s1kickstart.4.0.4.bin sup-2
    boot system bootflash:/n7000-s1dk9.4.0.4.bin sup-2

Enabling Features
  Cisco IOS:
    Cisco IOS Software does not have the functionality to enable or disable features.
  Cisco NX-OS:
    feature ospf

Enabling TELNET (SSHv2 is recommended)
  Cisco IOS:
    Cisco IOS Software enables TELNET by default.
  Cisco NX-OS:
    feature telnet

Configuring the VTY Timeout and Session Limit
  Cisco IOS:
    line vty 0 9
      exec-timeout 15 0
      login
  Cisco NX-OS:
    line vty
      session-limit 10
      exec-timeout 15
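As an added example (not from the original document), the following Python check reads an NX-OS running-config and flags the management-plane settings this section describes: feature telnet present, and a VTY line missing an exec-timeout or session-limit, which on NX-OS means the idle timeout is disabled and 32 sessions are allowed. The sample configuration, including its username line, is constructed for the example, not captured from a device.

```python
"""Audit an NX-OS running-config for the management-plane defaults described
above: TELNET is off unless 'feature telnet' is present, SSHv2 is on by
default, and the VTY exec-timeout is disabled unless 'line vty' carries one."""
import re

# Constructed sample config for this example; not captured from a real device.
SAMPLE_CONFIG = """\
version 5.0(2a)
feature telnet
feature ospf
feature privilege
username admin password 5 <hash-placeholder> role network-admin
line console
  exec-timeout 30
line vty
  session-limit 10
"""


def parse_sections(config):
    """Return (features, line_sections): the enabled feature names and a dict
    mapping each 'line console' / 'line vty' section to its sub-commands."""
    features = set()
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):          # indented: sub-command of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"feature\s+(\S+)", raw)
        if m:
            features.add(m.group(1))
        elif re.match(r"line\s+(console|vty)", raw):
            current = raw.strip()
            sections.setdefault(current, [])
    return features, sections


def audit(config):
    """Return a list of finding strings; an empty list means nothing to flag."""
    features, sections = parse_sections(config)
    findings = []
    if "telnet" in features:
        findings.append("TELNET server enabled (feature telnet); NX-OS default is disabled, prefer SSHv2")
    vty = sections.get("line vty")
    if vty is None:
        # NX-OS omits 'line vty' from the config until a parameter is changed,
        # so absence means the defaults: timeout disabled, 32 sessions.
        findings.append("line vty absent: exec-timeout disabled and session-limit 32 (defaults)")
    else:
        timeout = next((c for c in vty if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append("line vty: no exec-timeout configured (default is disabled)")
        elif timeout.split()[1:2] == ["0"]:
            findings.append("line vty: exec-timeout 0 disables the idle timeout")
        if not any(c.startswith("session-limit") for c in vty):
            findings.append("line vty: no session-limit configured (default is 32)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```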
Verification Command Comparison
The following table compares some useful show commands for verifying the initial system startup and running configuration.

Cisco NX-OS | Cisco IOS Software | Command Description
show startup-config | show startup-config | Displays the startup configuration
show running-config | show running-config | Displays the running configuration
show interface | show interface | Displays the status for all of the interfaces
show interface ethernet | show interface | Displays the status for a specific interface
show boot | show boot | Displays the current boot variables
show clock | show clock | Displays the system clock and time zone configuration
show clock detail | show clock detail | Displays the summer-time configuration
show environment | show environment | Displays all environment parameters
show environment clock | show environment status clock | Displays clock status for A/B and active clock
show environment fan | show environment cooling fan-tray | Displays fan status
show environment power | show power | Displays power budget
show environment temperature | show environment temperature | Displays environment data
show log logfile | show log | Displays the local log
show log nvram | - | Displays persistent log messages (severity 0-2) stored in NVRAM
show module | show module | Displays installed modules and their status
show module uptime | - | Displays how long each module has been powered up
show module fabric | - | Displays fabric modules and their current status
show platform fabric utilization | show fabric utilization | Displays the % of fabric utilized per module
show process cpu | show process cpu | Displays the processes running on the CPU
show process cpu history | show process cpu history | Displays the process history of the CPU in chart form
show process cpu sorted | show process cpu sorted | Displays sorted processes running on the CPU
show system cores | - | Displays the core dump files if present
show system exception-info | show exception | Displays the last exception log
show system redundancy status | show redundancy | Displays the supervisors' High Availability status
show system resources | show process cpu | Displays CPU and memory usage data
show system uptime | - | Displays system and kernel start time (displays active supervisor uptime)
show tech-support | show tech-support | Displays system technical information for Cisco TAC
show tech-support <feature> | show tech-support <feature> | Displays feature specific technical information for Cisco TAC
show version | show version | Displays running software version, basic hardware, CMP status and system uptime
show line | show line | Displays console and auxiliary port information
show line com1 | - | Displays auxiliary port information
show line console | show line console 0 | Displays console port information
show line console connected | - | States if the console port is physically connected
show terminal | show terminal | Displays terminal settings
show users | show users | Displays current virtual terminal settings
show vrf | show ip vrf | Displays a list of all configured VRFs
show vrf <name> | show ip vrf <name> | Displays a specified VRF
show vrf detail | show vrf detail | Displays details for all VRFs
show vrf <name> detail | show vrf detail <name> | Displays details for a specified VRF
show vrf interface | show ip vrf interface | Displays VRF interface assignment
show vrf <name> interface | - | Displays interface assignment for a specified VRF
show vrf default | - | Displays a summary of the default VRF
show vrf management | - | Displays a summary of the management VRF
show license | - | Displays all license file information
show license brief | - | Displays the license file names installed
show license file <name> | - | Displays license contents based on a specified name
show license host-id | - | Displays the chassis Host-ID used for creating a license
show license usage | - | Displays all licenses used by the system
show license usage <package> | - | Displays all licenses used by the system per type
show license usage vdc-all | - | Displays all licenses used by the system for all VDCs
show vdc | - | Displays a list of the configured VDCs
show vdc <name> | - | Displays a summary of the individual VDC
show vdc <name> detail | - | Displays configuration details for a specific VDC
show vdc <name> membership | - | Displays interface membership for a specific VDC
show vdc <name> resource | - | Displays resource allocation for a specific VDC
show vdc current-vdc | - | Displays the VDC that the user is currently in
show vdc detail | - | Displays detailed information for all VDCs
show vdc membership | - | Displays interface membership for all VDCs
show vdc resources | - | Displays resource allocation for all VDCs
Interface Configuration
The NX-OS supports different physical and virtual interface types to meet various network connectivity requirements. The different interface types include: layer-2 switched (access or trunk), layer-3 routed, layer-3 routed (sub-interface trunk), switched virtual interface (SVI), port-channel, loopback, and tunnel interfaces.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• SVI command-line interface (CLI) configuration and verification commands are not available until you enable the SVI feature with the feature interface-vlan command.
• Tunnel interface command-line interface (CLI) configuration and verification commands are not available until you enable the Tunnel feature with the feature tunnel command.
• Interfaces support stateful and stateless restarts after a supervisor switchover for high availability.
• Only 802.1q trunks are supported, so the encapsulation command isn't necessary when configuring a layer-2 switched trunk interface. (Cisco ISL is not supported.)
• An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when configuring an IP address on a layer-3 interface.
• The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2).
• The out-of-band management ethernet port located on the supervisor module is configured with the interface mgmt 0 CLI command.
Things You Should Know
The following list provides some additional facts about the Cisco NX-OS that should be helpful when configuring interfaces.
• An interface can only be configured in 1 VDC at a time.
• All 4 interfaces in a port group must be assigned to the same VDC when assigning interfaces on the 32 port 10GE module. There are not any restrictions for the 48 port 1GE modules.
• 10 GE interfaces can be configured in dedicated mode using the rate-mode dedicated interface CLI command.
• The default port type is configurable for L3 routed or L2 switched in the setup startup script. (L3 is the default port type prior to running the script.)
• A layer-2 switched trunk port sends and receives traffic for all VLANs by default (this is the same as Cisco IOS Software). Use the switchport trunk allowed vlan interface CLI command to specify the VLANs allowed on the trunk.
• The clear counters interface ethernet x/x CLI command resets the counters for a specific interface.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS Software. Each example lists the Cisco IOS CLI first and the Cisco NX-OS CLI second.

Configuring a Routed Interface
  Cisco IOS:
    interface gigabitethernet 1/1
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS:
    interface ethernet 1/1
      ip address 192.168.1.1/24
      no shutdown

Configuring a Switched Interface (VLAN 10)
  Cisco IOS:
    vlan 10
    interface gigabitethernet 1/1
      switchport
      switchport mode access
      switchport access vlan 10
      no shutdown
  Cisco NX-OS:
    vlan 10
    interface ethernet 1/1
      switchport
      switchport mode access
      switchport access vlan 10
      no shutdown

Configuring a Switched Virtual Interface (SVI)
  Cisco IOS:
    Cisco IOS Software does not have the ability to enable or disable SVI interfaces using the feature command.
    interface vlan 10
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS:
    feature interface-vlan
    interface vlan 10
      ip address 192.168.1.1/24
      no shutdown

Configuring a Switched Trunk Interface
  Cisco IOS:
    interface GigabitEthernet 1/1
      switchport
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk native vlan 2
      switchport trunk allowed vlan 10,20
      no shutdown
  Cisco NX-OS:
    interface ethernet 1/1
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 10,20
      switchport trunk native vlan 2
      no shutdown

Configuring a Routed Trunk Sub-Interface
  Cisco IOS:
    interface gigabitethernet 1/1
      no switchport
      no shutdown
    interface gigabitethernet1/1.10
      encapsulation dot1Q 10
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS:
    interface ethernet 1/1
      no switchport
      no shutdown
    interface ethernet 1/1.10
      encapsulation dot1q 10
      ip address 192.168.1.1/24
      no shutdown

Configuring a Loopback Interface
  Cisco IOS:
    interface loopback 1
      ip address 192.168.1.1 255.255.255.255
      no shutdown
  Cisco NX-OS:
    interface loopback 1
      ip address 192.168.1.1/32
      no shutdown

Configuring a Tunnel Interface
  Cisco IOS:
    Cisco IOS Software does not have the ability to enable or disable Tunnel interfaces using the feature command.
    interface Tunnel 1
      ip address 192.168.1.1 255.255.255.0
      tunnel source 172.16.1.1
      tunnel destination 172.16.2.1
      no shutdown
  Cisco NX-OS:
    feature tunnel
    interface tunnel 1
      ip address 192.168.1.1/24
      tunnel source 172.16.1.1
      tunnel destination 172.16.2.1
      no shutdown

Configuring an Interface Description
  Cisco IOS:
    interface gigabitethernet 1/1
      description Test Interface
  Cisco NX-OS:
    interface ethernet 1/1
      description Test Interface

Configuring Jumbo Frames
  Cisco IOS:
    interface gigabitethernet 1/1
      mtu 9216
  Cisco NX-OS:
    interface ethernet 1/1
      mtu 9216

Configuring Multiple Interfaces (Examples)
  Cisco IOS:
    interface range gigabitethernet 1/1-2
    or
    interface range gigabitethernet 1/1, gigabitethernet 2/1
  Cisco NX-OS:
    interface ethernet 1/1-2
    or
    interface ethernet 1/1, ethernet 2/1
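The syntax differences in the comparison above can be applied mechanically. As an added example (not part of the original document), this Python translator rewrites the IOS interface lines shown above into NX-OS form: Ethernet-type interface names become ethernet, the range keyword is dropped, dotted masks become prefix lengths, and the trunk encapsulation line is removed because NX-OS only supports 802.1q. Lines it does not recognise pass through unchanged, and an ip address line with trailing keywords (such as secondary) is deliberately left alone; that scope is an assumption of the example.

```python
"""Translate IOS interface configuration syntax into NX-OS syntax using the
rules listed in this section."""
import ipaddress
import re

# IOS interface types that become plain "ethernet" on NX-OS. The four names
# are the ones this section lists; treating anything else as-is is an assumption.
IOS_ETHERNET_TYPES = ("tengigabitethernet", "gigabitethernet", "fastethernet", "ethernet")
_IFACE_RE = re.compile(r"(?i)\b(" + "|".join(IOS_ETHERNET_TYPES) + r")\s*([\d/.\-]+)")


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24. A non-contiguous mask raises ValueError."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def translate_line(line):
    """Return the NX-OS equivalent of one IOS config line, or None to drop it."""
    stripped = line.strip()
    indent = line[: len(line) - len(line.lstrip())]
    lower = stripped.lower()
    if lower == "switchport trunk encapsulation dot1q":
        return None                       # NX-OS trunks are always 802.1q
    if lower.startswith("interface "):
        body = stripped[len("interface "):]
        if body.lower().startswith("range "):
            body = body[len("range "):]   # NX-OS has no 'range' keyword
        body = _IFACE_RE.sub(lambda m: "ethernet " + m.group(2), body)
        return f"{indent}interface {body}"
    m = re.match(r"(?i)ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", stripped)
    if m:                                 # dotted mask -> /prefix notation
        return f"{indent}ip address {m.group(1)}/{mask_to_prefix(m.group(2))}"
    m = re.match(r"(?i)encapsulation dot1q (\d+)$", stripped)
    if m:                                 # normalise IOS 'dot1Q' spelling
        return f"{indent}encapsulation dot1q {m.group(1)}"
    return line


def translate(ios_config):
    """Translate a multi-line IOS interface configuration to NX-OS syntax."""
    out = []
    for line in ios_config.splitlines():
        converted = translate_line(line)
        if converted is not None:
            out.append(converted)
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed input built from the trunk example in this section.
    print(translate("interface GigabitEthernet 1/1\n switchport\n"
                    " switchport trunk encapsulation dot1q\n switchport mode trunk\n"
                    " switchport trunk native vlan 2\n no shutdown"))
```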
Verification Command Comparison
The following table lists some useful show commands for verifying the status and troubleshooting an interface.

Cisco NX-OS Interface | Cisco IOS Software Interface | Command Description
show interface | show interface | Displays the status and statistics for all interfaces or a specific interface
show interface brief | - | Displays a brief list of the interfaces (type, mode, status, speed, MTU)
show interface capabilities | show interface capabilities | Displays interface capabilities
show interface counters | show interface counters | Displays interface counters (input/output unicast, multicast & broadcast)
show interface debounce | - | Displays the de-bounce status and time in ms for all interfaces
show interface description | - | Displays all interfaces with configured descriptions
show interface ethernet | show interface interface-type | Displays status and statistics for a specific interface
show interface flowcontrol | show interface flowcontrol | Displays Flow Control (802.1p) status and state for all interfaces
show interface loopback | show interface loopback | Displays status and statistics for a specific loopback interface
show interface mac-address | - | Displays all interfaces and their associated MAC addresses
show interface mgmt | - | Displays status and statistics for the management interface located on the supervisor
show interface port-channel <#> | show interface port-channel <#> | Displays status and statistics for a specific port-channel
show interface status | show interface status | Displays all interfaces and their current status
show interface switchport | show interface switchport | Displays a list of all interfaces that are configured as switchports
show interface transceiver | show interface transceiver | Displays a list of all interfaces and optic information (calibrations, details)
show interface trunk | show interface trunk | Displays a list of all interfaces configured as trunks
show interface tunnel <#> | show interface tunnel <#> | Displays status and statistics for a specific tunnel interface
show interface vlan <#> | show interface vlan <#> | Displays status and statistics for a specific VLAN interface
Port-Channel
Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology. Port-Channels can be configured in Static Mode (no protocol) or in conjunction with a protocol such as LACP, defined in IEEE 802.3ad, or PAgP for dynamic negotiation and keep-alive detection for failover.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• 256 Port-Channels are supported per chassis.
• LACP and Static Mode Port-Channels are supported (PAgP is not supported in Cisco NX-OS Software).
• LACP command-line interface (CLI) configuration and verification commands are not available until you enable the LACP feature with the feature lacp command.
• The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2).
• A Port-Channel can be converted between a layer-2 and layer-3 Port-Channel without removing the member ports.
• The force keyword can be used when adding an interface to an existing Port-Channel to force the new interface to inherit all of the existing Port-Channel compatibility parameters.
Things You Should Know
The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network using Port-Channels.
• A single Port-Channel cannot connect to two different VDCs in the same chassis.
• You cannot disable LACP with the no feature lacp command if LACP is configured for a Port-Channel. LACP must be disabled on all Port-Channels prior to disabling LACP globally.
• The show port-channel compatibility-parameters CLI command is very useful for verifying interface parameters when configuring Port-Channels.
• The show port-channel load-balance forwarding-path CLI command can be used to determine the individual link a flow traverses over a specific Port-Channel.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS. Cisco NX-OS does not use the range keyword when specifying multiple interfaces. Cisco NX-OS also has the ability to force an interface to inherit existing Port-Channel compatibility parameters using the force keyword. Each example lists the Cisco IOS CLI first and the Cisco NX-OS CLI second.

Enabling the LACP Feature
  Cisco IOS:
    Cisco IOS Software does not have the ability to enable or disable LACP.
  Cisco NX-OS:
    feature lacp

Configuring LACP Active Mode
  Cisco IOS:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode active
  Cisco NX-OS:
    interface ethernet 1/1-2
      channel-group 1 mode active

Configuring LACP Passive Mode
  Cisco IOS:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode passive
  Cisco NX-OS:
    interface ethernet 1/1-2
      channel-group 1 mode passive

Configuring Static Mode (no protocol)
  Cisco IOS:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode on
  Cisco NX-OS:
    interface ethernet 1/1-2
      channel-group 1 mode on

Enabling a Port-Channel
  Cisco IOS:
    interface port-channel 1
      no shutdown
  Cisco NX-OS:
    interface port-channel 1
      no shutdown

Layer-2 Port-Channel Example
  Cisco IOS:
    interface range gigabitethernet 1/1-2
      switchport
      channel-group 1 mode active
    interface port-channel 1
      no shutdown
  Cisco NX-OS:
    interface ethernet 1/1-2
      switchport
      channel-group 1 mode active
    interface port-channel 1
      no shutdown

Layer-3 Port-Channel Example
  Cisco IOS:
    interface range gigabitethernet 1/1-2
      no switchport
      channel-group 1 mode active
    interface port-channel 1
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS:
    interface ethernet 1/1-2
      no switchport
      channel-group 1 mode active
    interface port-channel 1
      ip address 192.168.1.1/24
      no shutdown

Adding an Interface to an Existing Port-Channel
  Cisco IOS:
    Cisco IOS Software does not have the force option, so all interface parameters have to be compatible prior to adding the interface to an existing Port-Channel.
    interface range gigabitethernet 1/3
      no switchport
      channel-group 1 mode active
  Cisco NX-OS:
    interface ethernet 1/3
      channel-group 1 force mode active

Configuring the System Load-Balance Algorithm
  Cisco IOS:
    port-channel load-balance dst-mac
  Cisco NX-OS:
    port-channel load-balance ethernet destination-mac

Configuring the Load-Balance Algorithm per Module
  Cisco IOS:
    port-channel per-module load-balance
    port-channel load-balance dst-mac module 1
  Cisco NX-OS:
    port-channel load-balance ethernet destination-mac module 1
Verification Command Comparison
The following table lists some useful show commands for verifying and troubleshooting a Port-Channel configuration.

Cisco NX-OS Port-Channels | Cisco IOS Software Port-Channels | Command Description
show interface | show interface | Displays statistics for all interfaces or a specific interface
show interface port-channel <#> | show interface port-channel <#> | Displays statistics for a specific port-channel
show port-channel capacity | - | Displays port-channel resources (total, used, free)
show port-channel compatibility-parameters | - | Displays the compatibility parameters (IE: speed, duplex, etc.)
show port-channel database | - | Displays the aggregation state for one or more port-channels
show port-channel load-balance | show etherchannel load-balance | Displays the load-balancing algorithm (hash) configured
show port-channel load-balance forwarding-path | show etherchannel load-balance hash-result | Displays packet forwarding information
show port-channel summary | show etherchannel summary | Displays a summarized list of all port-channels
show port-channel traffic | - | Displays the load per link in a port-channel (based on interface counters)
show port-channel usage | - | Displays the range of used and unused port-channel numbers
show lacp counters | show lacp counters | Displays the LACP PDU and error counters
show lacp interface | - | Displays detailed LACP information per interface
show lacp neighbors | show lacp neighbors | Displays detailed LACP information per neighbor
show lacp port-channel | show lacp | Displays the port-channel LACP configuration
show lacp system-identifier | show lacp sys-id | Displays the LACP system ID (priority / MAC address)
HSRP
HSRP is a Cisco proprietary First Hop Redundancy Protocol (FHRP) designed to allow transparent failover for an IP client’s default gateway (first-hop router).
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• HSRP command-line interface (CLI) configuration and verification commands are not available until you enable the HSRP feature with the feature hsrp command.
• HSRP is hierarchical. All related commands for an HSRP group are configured under the group number.
• The HSRP configuration commands use the format hsrp instead of standby.
• The HSRP verification commands use the format show hsrp instead of show standby.
• HSRP supports stateful process restart by default.
• The hello and hold-time timer ranges for the millisecond options are different. In Cisco NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000 milliseconds.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining HSRP-enabled networks.
• If you remove the feature hsrp command, all relevant HSRP configuration information is also removed.
• HSRPv1 is enabled by default (HSRPv2 can be enabled per interface).
• HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers (0 to 4095).
• HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a different version on different interfaces.
• The show running-config hsrp command displays the current HSRP configuration.
• Configuration of more than one FHRP on an interface is not recommended.
• Object tracking is supported. Tracking can be configured for an interface’s line protocol state, IP address state, and for IP route reachability (determining whether a route is available in the routing table).
• An interface can track multiple objects.
• Secondary IP addresses are supported in the same or a different group as the interface’s primary IP address.
• Load sharing can be accomplished by using multiple HSRP groups per interface.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for configuration and verification commands. Both enhancements make the configuration easier to read. Each example lists the Cisco IOS CLI first and the Cisco NX-OS CLI second.

Enabling the HSRP Feature
  Cisco IOS:
    Cisco IOS Software does not have the ability to enable or disable HSRP.
  Cisco NX-OS:
    feature hsrp

Configuring HSRP on an Interface
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        ip 192.168.10.1

Configuring the priority and preempt Options
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 priority 110
      standby 0 preempt
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        preempt
        priority 110
        ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Seconds)
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 timers 1 3
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        timers 1 3
        ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Milliseconds)
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 timers msec 250 msec 750
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        timers msec 250 msec 750
        ip 192.168.10.1

Configuring MD5 Authentication
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 authentication md5 key-string cisco123
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        authentication md5 key-string cisco123
        ip 192.168.10.1

Configuring HSRP Version 2 on an Interface
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby version 2
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp version 2

Configuring Minimum and Reload Initialization Delay
  Cisco IOS:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby delay minimum 5 reload 10
  Cisco NX-OS:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp delay minimum 5 reload 10

Configuring Object Tracking (Interface Line-Protocol)
  Cisco IOS:
    track 1 interface Ethernet2/2 line-protocol
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 track 1 decrement 20
  Cisco NX-OS:
    track 1 interface ethernet 2/2 line-protocol
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        track 1 decrement 20
        ip 192.168.10.1
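As an added example (not from the original document), this Python function converts the flat IOS standby lines shown above into the hierarchical NX-OS hsrp block and checks millisecond timers against the NX-OS ranges this section gives (hello 250 to 999 ms, hold 750 to 3000 ms), so a timer that is legal on IOS but rejected by NX-OS is caught before the configuration is pushed. It assumes the interface-level lines are already in NX-OS form (masks are not converted here), and it emits the virtual IP last inside the group to match the NX-OS examples above; both are assumptions of the example.

```python
"""Convert IOS 'standby' lines to the hierarchical NX-OS 'hsrp <group>' form
and validate millisecond timers against the ranges stated in this section."""
import re

# Millisecond timer ranges (min, max) from this section, per platform.
MSEC_RANGES = {
    "nxos": {"hello": (250, 999), "hold": (750, 3000)},
    "ios":  {"hello": (15, 999),  "hold": (50, 3000)},
}

_STANDBY_GROUP = re.compile(r"^standby (\d+) (.+)$")
_MSEC_TIMERS = re.compile(r"^timers msec (\d+) msec (\d+)$")


def check_msec_timers(hello, hold, platform="nxos"):
    """Return a list of violations for a 'timers msec <hello> msec <hold>' pair."""
    problems = []
    for name, value in (("hello", hello), ("hold", hold)):
        lo, hi = MSEC_RANGES[platform][name]
        if not lo <= value <= hi:
            problems.append(f"{name} {value} ms outside {platform} range {lo}-{hi} ms")
    return problems


def convert_interface(ios_lines):
    """Convert one interface's IOS lines to NX-OS lines.

    Returns (nxos_lines, warnings). Lines that are not 'standby' commands pass
    through unchanged; 'standby version' and 'standby delay' stay at interface
    level, every 'standby <group> ...' command moves under 'hsrp <group>'."""
    out, warnings = [], []
    groups = {}                                   # group number -> sub-commands
    for line in ios_lines:
        s = line.strip()
        if s.startswith("standby version ") or s.startswith("standby delay "):
            out.append(" " + s.replace("standby", "hsrp", 1))
            continue
        m = _STANDBY_GROUP.match(s)
        if not m:
            out.append(line)
            continue
        group, cmd = int(m.group(1)), m.group(2)
        t = _MSEC_TIMERS.match(cmd)
        if t:                                     # IOS allows shorter timers than NX-OS
            warnings.extend(f"group {group}: {p}" for p in
                            check_msec_timers(int(t.group(1)), int(t.group(2))))
        groups.setdefault(group, []).append(cmd)
    for group, cmds in sorted(groups.items()):
        out.append(f" hsrp {group}")
        # The NX-OS examples in this section show the virtual IP last in the block.
        for cmd in [c for c in cmds if not c.startswith("ip ")]:
            out.append("  " + cmd)
        for cmd in [c for c in cmds if c.startswith("ip ")]:
            out.append("  " + cmd)
    return out, warnings


if __name__ == "__main__":
    # Constructed input based on the priority/preempt example in this section.
    lines, warns = convert_interface([
        "interface Ethernet2/1",
        " ip address 192.168.10.2/24",
        " standby 0 ip 192.168.10.1",
        " standby 0 priority 110",
        " standby 0 preempt",
        " standby 0 timers msec 100 msec 300",
    ])
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```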
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an HSRP configuration.

Cisco NX-OS HSRP | Cisco IOS Software HSRP | Command Description
show hsrp | show standby | Displays detailed information for all HSRP groups
show hsrp active | - | Displays all of the groups in the “active” state
show hsrp brief | show standby brief | Displays a summary of all the HSRP groups
show hsrp delay | - | Displays minimum and maximum delay times for preempting
show hsrp group <#> | show standby <#> | Displays detailed information for a specified group
show hsrp init | - | Displays all the groups in the "init" state
show hsrp interface | - | Displays detailed information for a specific interface
show hsrp learn | - | Displays all the groups in the "learn" state
show hsrp listen | - | Displays all the groups in the "listen" state
show hsrp speak | - | Displays all the groups in the "speak" state
show hsrp standby | - | Displays all the groups in the "standby" state
show hsrp summary | - | Displays summary information for HSRP groups
show track | show track | Displays the configured tracked objects
show track brief | show track brief | Displays a brief list of tracked objects
show track interface | show track interface | Displays the status of tracked interfaces
show track ip | show track ip | Displays the IP protocol objects that are tracked
DHCP Relay
The DHCP Relay feature forwards DHCP broadcast requests as unicast packets to one or more configured DHCP servers (several servers can be configured for redundancy).

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• DHCP command-line interface (CLI) configuration and verification commands are not available until you enable the DHCP feature with the feature dhcp command.
• The DHCP service is not enabled by default, whereas it is enabled by default in Cisco IOS Software.
• The DHCP Relay command ip dhcp relay address is equivalent to the ip helper-address command in Cisco IOS Software.
• Only packets destined to User Datagram Protocol (UDP) port 67 (bootps) and 68 (bootpc) are forwarded by the relay, whereas Cisco IOS Software forwards additional UDP services by default (Trivial File Transfer Protocol [TFTP], Domain Name System [DNS], Time, NetBIOS name and datagram services, and TACACS). Review that default list on IOS before relying on a helper address as a pure DHCP relay.
• Cisco NX-OS cannot act as a DHCP server.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining networks with the DHCP Relay feature.
• If you remove the feature dhcp command, all relevant DHCP configuration is also removed.
• Prior to NX-OS 4.2(1), the service dhcp command enabled the DHCP Relay feature. In NX-OS 4.2(1) the command was changed to ip dhcp relay.
• Up to sixteen DHCP Relay addresses can be configured per interface.
• DHCP packets are always forwarded through DHCP Relay in the same Virtual Routing and Forwarding (VRF) instance assigned to the interface.
• Assign a DHCP Relay to every interface that may have a client, even if the server resides in the same Layer-2 broadcast domain (VLAN). (This behavior was fixed in 4.2(1) software.)
• DHCP Option 82 (relay agent information) can be configured with the ip dhcp relay information option global command.
• The DHCP Relay configuration can be verified with the show ip dhcp relay address command.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: in Cisco NX-OS, the DHCP feature must be enabled, and the DHCP service is not enabled by default.

Enabling the DHCP Feature

Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable the DHCP feature.

Cisco NX-OS CLI:
feature dhcp

Enabling the DHCP Service

Cisco IOS CLI:
Cisco IOS Software enables service dhcp by default.

Cisco NX-OS CLI:
ip dhcp relay

Configuring DHCP Relay for an Interface

Cisco IOS CLI:
interface Ethernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip helper-address 1.1.1.1

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip dhcp relay address 1.1.1.1

Configuring Option 82 Information

Cisco IOS CLI:
ip dhcp relay information option

Cisco NX-OS CLI:
ip dhcp relay information option
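The relay rules described in this section, as an added example that is not code from the page or from Cisco: a Python model of a DHCP relay agent. It builds a constructed DHCPDISCOVER, refuses anything that is not UDP 67/68 (the NX-OS behaviour, as opposed to the broader IOS helper-address list), sets giaddr to the relay interface address on the first relay hop, increments the hops field, appends Option 82 when relay agent information is enabled, and returns one unicast copy per configured server (at most sixteen per interface). The server addresses, client MAC, circuit ID and remote ID are constructed sample values.

```python
import struct

# Added example: DHCP relay behaviour from the DHCP Relay section. Limits and
# ports come from the text; sample addresses and IDs used by callers are constructed.
BOOTPS, BOOTPC = 67, 68                 # the only UDP ports the NX-OS relay forwards
MAX_RELAY_ADDRESSES = 16                # per-interface limit
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
GIADDR = slice(24, 28)                  # giaddr offset in the fixed BOOTP header
HOPS = 3


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it (giaddr = 0, hops = 0)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                 # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])    # message type 1 = DHCPDISCOVER
    return fixed + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Return {option_code: value} for the option field that follows the cookie."""
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:              # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def relay(packet: bytes, dst_port: int, relay_ip: str, servers: list,
          insert_option82: bool = False, circuit_id: bytes = b"",
          remote_id: bytes = b"") -> list:
    """Apply the relay rules and return [(server_ip, relayed_packet), ...].

    Raises ValueError for traffic the relay must not forward.
    """
    if dst_port not in (BOOTPS, BOOTPC):
        raise ValueError("relay forwards only UDP 67 (bootps) and 68 (bootpc)")
    if not servers or len(servers) > MAX_RELAY_ADDRESSES:
        raise ValueError("between 1 and 16 relay addresses are allowed per interface")
    if packet[0] != 1:                  # op != BOOTREQUEST: replies are not relayed to servers
        raise ValueError("only client requests are relayed towards servers")
    header = bytearray(packet[:240])    # fixed fields plus magic cookie
    header[HOPS] += 1
    if header[GIADDR] == b"\0" * 4:     # only the first relay hop sets giaddr
        header[GIADDR] = bytes(int(o) for o in relay_ip.split("."))
    options = packet[240:]
    if insert_option82:
        sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
        body = options[:-1] if options.endswith(bytes([OPT_END])) else options
        options = body + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
    relayed = bytes(header) + options
    return [(server, relayed) for server in servers]
```

The giaddr test is what keeps a second relay in the path from overwriting the first hop's address, which is the address the server uses to pick the scope; Option 82 is appended rather than prepended so an existing end-of-options marker is preserved.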
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the DHCP Relay feature.

Cisco NX-OS DHCP Relay                       Cisco IOS Software DHCP Relay    Command Description
show ip dhcp relay address                   -                                Displays a list of the DHCP Relay addresses configured for all interfaces
show ip dhcp relay address interface         -                                Displays the DHCP Relay addresses configured for a specific interface
STP
STP is a standards-based link-layer protocol, originally defined in IEEE 802.1D, that runs on switches to prevent forwarding loops in redundant Layer-2 topologies. Newer variants, Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) and Multiple Spanning Tree Protocol (MST, IEEE 802.1s), scale better and converge faster than the original version.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• Rapid-PVST+ and MST are supported.
• Rapid-PVST+ is enabled by default.
• High availability is achieved with stateful switchover when two supervisors are installed in a chassis.
• STP port types are identified with the port type designation, as opposed to the portfast designation in Cisco IOS Software.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network configured with STP.
• Rapid-PVST+ is interoperable with 802.1D STP.
• Rapid-PVST+ is interoperable with MST. (This is enabled by default.)
• Only one STP mode can be enabled per VDC.
• Bridge Assurance is enabled globally by default, but is disabled on an interface by default; it takes effect only on interfaces configured as the network port type.
• Bridge Assurance can be enabled for an interface using the spanning-tree port type network interface command.
• The clear spanning-tree counters command clears the counters for an STP interface or a VLAN.
• STP enhancements such as BPDU Guard, Loop Guard, Root Guard, and BPDU Filtering are supported.

Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software:
• Do not disable STP. Even if the Layer-2 topology does not require STP, it should always be enabled as a safeguard against configuration or cabling errors.
• Changing the STP mode can disrupt traffic.
• Enabling Bridge Assurance is recommended. However, only enable Bridge Assurance on Layer-2 links where the devices on both ends of the link support it; a link whose far end does not send BPDUs is held in the blocking (inconsistent) state.
• Typically the core/backbone devices should be configured as the primary and secondary root bridges. The default bridge priority is 32,768 (plus the VLAN number). The lower the value, the more likely the switch is to become the root bridge. Root Guard on the ports facing access switches keeps a misconfigured or rogue switch from taking over the root role.
• Configure 802.1Q trunk ports as the edge trunk port type when connecting to Layer-3 hosts such as firewalls, load balancers, or servers for faster convergence, and pair edge ports with BPDU Guard so that a host that unexpectedly sends BPDUs is err-disabled instead of joining the topology.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type terminology: Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port type designation.

Configuring VLANs

Cisco IOS CLI:
vlan 10,20

Cisco NX-OS CLI:
vlan 10,20

Configuring Rapid-PVST+

Cisco IOS CLI:
spanning-tree mode rapid-pvst

Cisco NX-OS CLI:
Rapid-PVST+ is enabled by default.
spanning-tree mode rapid-pvst

Configuring the Rapid-PVST+ Bridge Priority

Cisco IOS CLI:
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary

Cisco NX-OS CLI:
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary

Configuring MST

Cisco IOS CLI:
spanning-tree mode mst

Cisco NX-OS CLI:
spanning-tree mode mst

Configuring an MST Instance

Cisco IOS CLI:
spanning-tree mst configuration
  instance 1 vlan 10
  instance 2 vlan 20

Cisco NX-OS CLI:
spanning-tree mst configuration
  instance 1 vlan 10
  instance 2 vlan 20

Configuring the MST Bridge Priority

Cisco IOS CLI:
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

Cisco NX-OS CLI:
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

Configuring STP Port Types Globally

Cisco IOS CLI:
spanning-tree portfast edge default
or
spanning-tree portfast network default

Cisco NX-OS CLI:
spanning-tree port type edge default
or
spanning-tree port type network default

Configuring STP Port Types per Interface

Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree portfast edge
  or
  spanning-tree portfast network
  or
  spanning-tree portfast disable

Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree port type edge
  or
  spanning-tree port type network
  or
  spanning-tree port type normal

Configuring a Trunk as an Edge Port Type

Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree portfast edge trunk

Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree port type edge trunk

Disabling PVST Simulation Globally

Cisco IOS CLI:
no spanning-tree mst simulate pvst global

Cisco NX-OS CLI:
no spanning-tree mst simulate pvst global

Disabling PVST Simulation per Port

Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree mst simulate pvst disable

Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree mst simulate pvst disable
Verification Command Comparison
The following table lists some useful show commands for verifying and troubleshooting an STP network configuration. The show commands are identical for Cisco IOS and Cisco NX-OS Software.

Cisco NX-OS STP                        Cisco IOS Software STP                 Command Description
show spanning-tree                     show spanning-tree                     Displays high-level STP process information
show spanning-tree active              show spanning-tree active              Displays all ports in the active state
show spanning-tree blockedports        show spanning-tree blockedports        Displays all ports in the blocked state
show spanning-tree detail              show spanning-tree detail              Displays detailed information per STP instance
show spanning-tree interface           show spanning-tree interface           Displays detailed STP information for a specific interface
show spanning-tree mst                 show spanning-tree mst                 Displays high-level MST information
show spanning-tree mst configuration   show spanning-tree mst configuration   Displays the MST instance configuration
show spanning-tree mst detail          show spanning-tree mst detail          Displays detailed MST information
show spanning-tree root                show spanning-tree root                Displays STP root information
show spanning-tree summary             show spanning-tree summary             Displays STP summary information
show spanning-tree vlan                show spanning-tree vlan                Displays per-VLAN STP information
EIGRP
EIGRP is a Cisco proprietary hybrid distance-vector routing protocol used to exchange network reachability information within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• EIGRP command-line interface (CLI) configuration and verification commands are not available until you enable the EIGRP feature with the feature eigrp command.
• The EIGRP protocol requires the Enterprise Services license.
• The EIGRP instance tag can be a string of up to 20 characters, whereas Cisco IOS Software supports autonomous system numbers 1-65535.
• Eight equal-cost paths are supported by default; Cisco NX-OS supports up to 16.
• Route auto-summarization is disabled by default.
• Networks and interfaces are added to an EIGRP instance under the interface configuration mode.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• A default route can be generated with the default-information originate command, whereas Cisco IOS Software requires additional CLI commands to achieve similar results.
• When interface authentication is configured, the EIGRP key is stored encrypted with Triple DES (3DES) in the configuration. Cisco IOS Software requires the service password-encryption command to obscure it, and the resulting type 7 encoding is reversible, so treat an IOS configuration file as containing the key in the clear.
• Distribute-lists used to filter routes in routing updates are applied under the interface with the ip distribute-list eigrp command, as opposed to under the EIGRP router instance.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an EIGRP network.
• Four EIGRP instances can be configured per virtual device context (VDC).
• Numerous Virtual Routing and Forwarding (VRF) instances can be associated with an EIGRP instance.
• If the feature eigrp command is removed, all relevant EIGRP configuration is also removed.
• The shutdown command can be used to disable an EIGRP instance while retaining the configuration. The same can be done per interface with the ip eigrp shutdown command.
• The show running-config eigrp command displays the current EIGRP configuration.
• An EIGRP instance can be restarted with the restart eigrp command.
• Graceful restart is enabled by default.
• Multiple EIGRP instances can be configured on the same interface.
• Secondary IP addresses are advertised by default and cannot be suppressed per interface.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows EIGRP to be enabled and disabled globally, it has a more interface-centric configuration that makes it easier to read, and it can generate a default route directly, whereas Cisco IOS Software requires additional CLI commands to achieve similar results.

Enabling the EIGRP Feature

Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable the EIGRP feature.

Cisco NX-OS CLI:
feature eigrp

Configuring an EIGRP Instance and Router ID

Cisco IOS CLI:
router eigrp 10
  eigrp router-id 192.168.1.1

Cisco NX-OS CLI:
router eigrp 10
  router-id 192.168.1.1

Associating a Network with an EIGRP Instance

Cisco IOS CLI:
router eigrp 10
  network 192.168.10.0

Cis Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10

Configuring a Passive Interface

Cisco IOS CLI:
router eigrp 10
  network 192.168.10.0
  passive-interface GigabitEthernet2/1

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip passive-interface eigrp 10

Configuring Interface Authentication (MD5)

Cisco IOS CLI:
key chain eigrp-key
  key 1
    key-string cisco123
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip authentication mode eigrp 10 md5
  ip authentication key-chain eigrp 10 eigrp-key

Cisco NX-OS CLI:
key chain eigrp-key
  key 1
    key-string 7 070c285f4d06485744
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip authentication mode eigrp 10 md5
  ip authentication key-chain eigrp 10 eigrp-key

Configuring an EIGRP Distribute List to Filter Routes

Cisco IOS CLI:
ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24
router eigrp 10
  network 192.168.10.0
  distribute-list prefix eigrp-10-list out GigabitEthernet2/1

Cisco NX-OS CLI:
ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip distribute-list eigrp 10 prefix-list eigrp-10-list out

Configuring Route Summarization

Cisco IOS CLI:
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip summary-address eigrp 10 159.142.0.0 255.255.0.0 5

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip summary-address eigrp 10 159.142.0.0/16

Generating a Default Route (Conditional)

Cisco IOS CLI:
Cisco IOS Software does not have the same CLI to generate a default route, but redistribution or the ip summary-address command can be used to achieve similar results.

Cisco NX-OS CLI:
router eigrp 10
  default-information originate
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an EIGRP network configuration.

Cisco NX-OS EIGRP                   Cisco IOS Software EIGRP            Command Description
show ip eigrp                       show ip eigrp <#>                   Displays all EIGRP information for a specified process
show ip eigrp accounting            -                                   Displays the number of prefixes that each neighbor advertised
show ip eigrp interfaces            show ip eigrp interfaces            Displays interfaces configured for EIGRP
show ip eigrp interfaces detail     show ip eigrp interfaces detail     Displays detailed interface information
show ip eigrp neighbors             show ip eigrp neighbors             Displays currently connected neighbors
show ip eigrp neighbors detail      show ip eigrp neighbors detail      Displays connected neighbors and associated details
show ip eigrp policy                -                                   Displays redistribution statistics for the specified protocol
show ip eigrp route                 -                                   Displays EIGRP routes
show ip eigrp topology              show ip eigrp topology              Displays the EIGRP topology table
show ip eigrp traffic               show ip eigrp traffic               Displays statistics related to EIGRP
OSPF
OSPFv2 is an IETF standards-based (RFC 2328) dynamic link-state routing protocol used to exchange network reachability within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• OSPF command-line interface (CLI) configuration and verification commands are not available until you enable the OSPF feature with the feature ospf command.
• The OSPF protocol requires the Enterprise Services license.
• The OSPF instance tag can be a string of up to 20 characters, whereas Cisco IOS Software supports process IDs 1-65535.
• Eight equal-cost paths are supported by default. You can configure up to sixteen.
• The default reference bandwidth used in the OSPF cost calculation is 40 Gbps, whereas Cisco IOS Software defaults to 100 Mbps. In a mixed network, configure the same reference bandwidth on every router so that link costs are comparable.
• Networks and interfaces are added to an OSPF instance under the interface configuration mode.
• An OSPF area can be configured using decimal or dotted-decimal notation, but it is always displayed in dotted-decimal notation in the configuration and in show command output.
• Passive interfaces are applied to the interface as opposed to under the OSPF router instance.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• Neighbor adjacency changes are not logged by default. The log-adjacency-changes command is required under the OSPF instance.
• When interface authentication is configured, the OSPF key is stored encrypted with Triple DES (3DES) in the configuration. Cisco IOS Software requires the service password-encryption command to obscure it.
• When you roll over an OSPF authentication key in a combined Cisco NX-OS/Cisco IOS network, configure both keys on the Cisco NX-OS router so that there is sufficient overlap between the old key and the new key for a smooth transition. Configure the new key as a valid accept key on all the NX-OS and IOS routers before the new key becomes a valid generation (send) key in any keychain. During the overlap period, Cisco NX-OS transmits the new OSPF key and accepts OSPF-authenticated packets signed with either the old key or the new key.
• Cisco NX-OS does not support distribute-lists for removing OSPF routes from the routing table. It does support inter-area LSA/route filtering using the filter-list command configured under the OSPF routing instance.
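The overlap rule in the key rollover bullet, as an added example in Python (not code from the page or from Cisco): each router is modelled with a keychain whose keys carry separate accept and send start times, the way NX-OS keychains express accept-lifetime and send-lifetime, and check_rollover walks a timeline and reports every instant at which some router would sign a hello with a key its neighbour does not yet, or no longer, accepts. Router names, key IDs and times are constructed, and the time unit is arbitrary.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example: verifying OSPF authentication key rollover overlap across routers.
# Router names, key IDs and times below are constructed; time is in arbitrary units.


@dataclass
class Key:
    key_id: int
    accept_from: int            # start of the accept lifetime
    send_from: Optional[int]    # start of the send (generation) lifetime; None = never used to sign
    accept_until: int = 10**9   # end of the accept lifetime (exclusive)


@dataclass
class Router:
    name: str
    keys: List[Key] = field(default_factory=list)

    def send_key(self, t: int) -> Optional[int]:
        """Key used to sign at time t: the most recently started send lifetime."""
        live = [k for k in self.keys if k.send_from is not None and k.send_from <= t]
        if not live:
            return None
        return max(live, key=lambda k: (k.send_from, k.key_id)).key_id

    def accepts(self, key_id: int, t: int) -> bool:
        return any(k.key_id == key_id and k.accept_from <= t < k.accept_until
                   for k in self.keys)


def check_rollover(routers: List[Router], timeline) -> List[Tuple[int, str, str, Optional[int]]]:
    """Return (t, sender, receiver, key_id) for every instant at which a router
    signs with a key its neighbour would reject; an empty list means the
    adjacency survives the rollover."""
    failures = []
    for t in timeline:
        for sender in routers:
            kid = sender.send_key(t)
            for receiver in routers:
                if receiver is sender:
                    continue
                if kid is None or not receiver.accepts(kid, t):
                    failures.append((t, sender.name, receiver.name, kid))
    return failures


def good_rollover() -> List[Router]:
    """Key 2 is an accept key everywhere (t=10) before anyone sends with it (t=20),
    and key 1 stays accepted until t=40, after both routers have switched."""
    return [Router("nx1", [Key(1, 0, 0, accept_until=40), Key(2, 10, 20)]),
            Router("ios1", [Key(1, 0, 0, accept_until=40), Key(2, 10, 20)])]


def bad_rollover() -> List[Router]:
    """ios1 starts accepting key 2 only at t=25 although nx1 sends it from t=20,
    and nx1 retires key 1 at t=30 while ios1 keeps sending it until t=40."""
    return [Router("nx1", [Key(1, 0, 0, accept_until=30), Key(2, 10, 20)]),
            Router("ios1", [Key(1, 0, 0, accept_until=60), Key(2, 25, 40)])]
```

Both failure modes in bad_rollover are the ones the text warns about: a send key that is not yet an accept key on the far side, and an old key retired on one side before the other side has stopped sending it. Feeding the planned lifetimes of a real change into this check before the maintenance window catches both without touching a router.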
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an OSPF network.
• Four OSPF instances can be configured per virtual device context (VDC).
• Numerous Virtual Routing and Forwarding (VRF) instances can be associated with an OSPF instance.
• If you remove the feature ospf command, all relevant OSPF configuration is also removed.
• The shutdown command under the OSPF process can be used to disable OSPF while retaining the configuration. Similar functionality can be applied per interface with the ip ospf shutdown command.
• The show running-config ospf command displays the current OSPF configuration.
• An OSPF instance can be restarted with the restart ospf command.
• Graceful Restart (RFC 3623) is enabled by default.
• OSPF supports stateful process restarts if two supervisors are present.
• You cannot configure multiple OSPF instances on the same interface.
• An interface can support multi-area adjacencies using the multi-area option of the ip router ospf interface command.
• Secondary IP addresses are advertised by default, but can be suppressed per interface with the ip router ospf <instance> area <#> secondaries none interface command.
• By default all loopback IP address subnet masks are advertised in an LSA as a /32. The loopback interface command ip ospf advertise-subnet can be configured to advertise the primary IP address subnet mask. (This command does not apply to secondary IP addresses; they are still advertised as a /32.)
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS allows OSPF to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read.

Enabling the OSPF Feature

Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable the OSPF feature.

Cisco NX-OS CLI:
feature ospf

Configuring an OSPF Instance and Router ID

Cisco IOS CLI:
router ospf 10
  router-id 192.168.1.1

Cisco NX-OS CLI:
router ospf 10
  router-id 192.168.1.1

Associating a Network with an OSPF Instance and Area

Cisco IOS CLI:
router ospf 10
  network 192.168.1.0 0.0.0.255 area 1

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router ospf 10 area 1

Configuring a Passive Interface

Cisco IOS CLI:
router ospf 10
  passive-interface GigabitEthernet2/1
  network 192.168.1.0 0.0.0.255 area 1

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.11.1/24
  ip ospf passive-interface
  ip router ospf 10 area 0

Configuring Interface Authentication (MD5)

Cisco IOS CLI:
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco123

Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
  ip router ospf 10 area 1

Configuring a Stub Area with the no-summary Option

Cisco IOS CLI:
router ospf 10
  area 2 stub no-summary

Cisco NX-OS CLI:
router ospf 10
  area 2 stub no-summary

Creating a Not-So-Stubby Area (NSSA) and Generating a Default Route

Cisco IOS CLI:
router ospf 10
  area 3 nssa default-information-originate

Cisco NX-OS CLI:
router ospf 10
  area 3 nssa default-information-originate

Configuring Inter-Area and External Summarization

Cisco IOS CLI:
router ospf 10
  area 0 range 159.142.0.0 255.255.0.0
  summary-address 172.16.0.0 255.255.0.0

Cisco NX-OS CLI:
router ospf 10
  area 0 range 159.142.0.0/16
  summary-address 172.16.0.0/16

Generating a Default Route (Conditional)

Cisco IOS CLI:
router ospf 10
  default-information originate

Cisco NX-OS CLI:
router ospf 10
  default-information originate

Generating a Maximum Metric (Max-Metric) Value

Cisco IOS CLI:
router ospf 10
  max-metric router-lsa

Cisco NX-OS CLI:
router ospf 10
  max-metric router-lsa
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an OSPFv2 network configuration.

Cisco NX-OS OSPFv2                   Cisco IOS Software OSPFv2            Command Description
show ip ospf                         show ip ospf                         Displays general information about the OSPF process
show ip ospf border-routers          show ip ospf border-routers          Displays a list of border routers
show ip ospf database                show ip ospf database                Displays OSPF database information
show ip ospf interface               show ip ospf interface               Displays OSPF interface information
show ip ospf interface detail        -                                    Displays additional packet statistics for each interface
show ip ospf memory                  -                                    Displays the memory allocated for OSPF
show ip ospf neighbors               show ip ospf neighbor                Displays neighbor-specific information
show ip ospf neighbors detail        show ip ospf neighbor detail         Displays details for each OSPF neighbor
show ip ospf policy statistics       -                                    Displays redistribution statistics for a specified protocol
show ip ospf request-list            show ip ospf request-list            Displays a list of link-state advertisements (LSAs) that have been requested
show ip ospf retransmission-list     -                                    Displays the LSAs waiting to be retransmitted to a neighbor
show ip ospf route                   -                                    Displays all routes learned through OSPF
show ip ospf statistics              show ip ospf statistics              Displays OSPF LSA statistics
show ip ospf summary-address         show ip ospf summary-address         Displays OSPF-summarized networks
show ip ospf traffic                 show ip ospf traffic                 Displays OSPF-related packet counters
show ip ospf vrf                     -                                    Displays information for a specified OSPF VRF instance
show module                          -                                    Displays installed modules and their status (relevant to stateful process restart, which needs two supervisors)
BGP
BGPv4 is a standard Exterior Gateway Protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This section covers the features required for basic connectivity.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• BGP CLI configuration and verification commands are not available until you enable the BGP feature with the feature bgp command.
• The BGP protocol requires an Enterprise Services license.
• Autonomous system numbers can be configured as 16-bit or 32-bit values.
• Address families need to be explicitly enabled (for example, IPv4 unicast, IPv6 unicast).
• By default, eBGP supports 8 equal-cost paths and iBGP supports 1. Cisco NX-OS supports up to 16 equal-cost paths for both eBGP and iBGP.
• Automatic route summarization and synchronization are disabled by default.
• BGP uses a hierarchical configuration based on neighbors and address families.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• Neighbor logging is not enabled by default under the BGP instance. It can be enabled with the log-neighbor-changes command.
• When neighbor authentication is configured, the BGP key is stored 3DES-encrypted in the configuration. Cisco IOS Software requires the service password-encryption command to obscure it in the configuration.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a BGP network.
• One BGP instance can be configured per Virtual Device Context (VDC).
• Numerous Virtual Routing and Forwarding (VRF) instances can be associated with a BGP instance.
• If the feature bgp command is removed, all relevant BGP configuration is also removed.
• Network statements must be configured under their respective address-family configuration mode when advertising them via BGP.
• The shutdown command under the BGP instance can be used to disable BGP while retaining the configuration.
• The show running-config bgp command displays the current BGP configuration.
• A BGP instance can be restarted with the restart bgp command.
• Graceful Restart (RFC 4724) is enabled by default.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows BGP to be enabled and disabled globally; it uses a hierarchical configuration that makes it easier to read; and it does not enable any address families by default, so each address family must be explicitly enabled. The following examples demonstrate this using the IPv4 unicast address family.

Enabling the BGP Feature

Cisco IOS CLI:
Cisco IOS Software does not have the functionality to enable or disable the BGP feature.

Cisco NX-OS CLI:
feature bgp

Configuring a BGP Instance and Router ID

Cisco IOS CLI:
router bgp 10
  bgp router-id 192.168.1.1

Cisco NX-OS CLI:
router bgp 10
  router-id 192.168.1.1

Configuring a BGP Neighbor (Internal)

Cisco IOS CLI:
router bgp 10
  neighbor 192.168.2.1 remote-as 10
  neighbor 192.168.2.1 update-source Loopback0

Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.2.1 remote-as 10
    update-source loopback0
    address-family ipv4 unicast

Configuring a BGP Neighbor (External)

Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11

Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Advertising a Network in an Address Family (IPv4)

Cisco IOS CLI:
router bgp 10
  network 159.142.1.0 mask 255.255.255.0
  network 159.142.254.0 mask 255.255.255.0
  neighbor 192.168.10.2 remote-as 11

Cisco NX-OS CLI:
router bgp 10
  address-family ipv4 unicast
    network 159.142.1.0/24
    network 159.142.254.0/24
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Configuring Neighbor Authentication (MD5)

Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
  neighbor 192.168.10.2 password cisco123

Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    password 3 a667d47acc18ea6b
    address-family ipv4 unicast

Configuring an Aggregate Address (Summary-Only)

Cisco IOS CLI:
router bgp 10
  network 159.142.1.0 mask 255.255.255.0
  network 159.142.254.0 mask 255.255.255.0
  aggregate-address 159.142.0.0 255.255.0.0 summary-only
  neighbor 192.168.10.2 remote-as 11

Cisco NX-OS CLI:
router bgp 10
  address-family ipv4 unicast
    network 159.142.1.0/24
    network 159.142.254.0/24
    aggregate-address 159.142.0.0/16 summary-only
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Generating a Default Route for a Neighbor

Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
  neighbor 192.168.10.2 default-originate

Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast
      default-originate
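What the neighbor password in the authentication example actually protects, as an added example in Python (not code from the page or from Cisco): the TCP MD5 signature option of RFC 2385 that both platforms turn on with that command. The block builds a constructed TCP segment carrying a BGP OPEN, signs it over the IPv4 pseudo-header, the option-less TCP header with a zero checksum, the payload and the shared password, and then shows the receiving side accepting the correct signature and rejecting a wrong password, a tampered payload, swapped addresses and an unsigned segment. Addresses, ports, AS numbers and the password are constructed; the TCP checksum is left at zero because it is excluded from the signature anyway.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example: RFC 2385 TCP MD5 signature as used by BGP neighbor passwords.
# Sample addresses, ports, AS numbers and the password passed by callers are constructed.
TCP_OPT_NOP, TCP_OPT_MD5 = 1, 19
MD5_OPT_LEN = 18                         # kind(1) + length(1) + 16-byte digest
TCP_PROTO = 6


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, seg_len: int,
                   payload: bytes, password: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5(pseudo-header || TCP header without options and
    with checksum 0 || segment data || password)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + tcp_header + payload + password).digest()


def bgp_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Constructed BGP OPEN: 16-byte marker, length, type 1, then the OPEN body."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(router_id).packed, 0)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                  ack: int, flags: int, payload: bytes, password=None) -> bytes:
    """TCP header + options + payload. With a password the MD5 option (padded
    with two NOPs to a 4-byte boundary) is appended and the digest filled in."""
    opts_len = MD5_OPT_LEN + 2 if password is not None else 0
    data_offset = (20 + opts_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                         flags, 65535, 0, 0)          # checksum 0, urgent pointer 0
    if password is None:
        return header + payload
    digest = tcp_md5_digest(src_ip, dst_ip, header, 20 + opts_len + len(payload),
                            payload, password)
    option = bytes([TCP_OPT_MD5, MD5_OPT_LEN]) + digest + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    return header + option + payload


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, password: bytes) -> bool:
    """Receiver side: recompute the digest and compare in constant time.
    An unsigned segment on a password-protected session is rejected."""
    data_offset = (segment[12] >> 4) * 4
    header = bytearray(segment[:20])
    header[16:18] = b"\0\0"                             # checksum is excluded from the hash
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end of option list
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_OPT_MD5 and length == MD5_OPT_LEN:
            received = bytes(options[i + 2:i + MD5_OPT_LEN])
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, bytes(header), len(segment), payload, password)
    return hmac.compare_digest(received, expected)
```

Because the addresses and the whole TCP header are inside the hash, the option defends against spoofed RSTs and injected UPDATEs from a third party that does not know the password; it does not encrypt the session, and the password itself is only as strong as the secret management around it.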
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.

Cisco NX-OS BGP                              Cisco IOS Software BGP                       Command Description
show ip bgp                                  show ip bgp                                  Displays BGP process and BGP table entries
show ip bgp x.x.x.x                          show ip bgp x.x.x.x                          Displays a specific network in the BGP table
show ip bgp x.x.x.x vrf <name>               -                                            Displays a network in a specified VRF BGP table
show ip bgp x.x.x.x/len                      show ip bgp x.x.x.x mask                     Displays a specific prefix in the BGP table
show ip bgp x.x.x.x/len longer-prefixes      show ip bgp x.x.x.x mask longer-prefixes     Displays a prefix in the table together with its longer prefixes
show ip bgp all                              show ip bgp all                              Displays the BGP table for all protocol families
show ip bgp community <#>                    show ip bgp community <#>                    Displays routes with a specific community value
show ip bgp community internet               -                                            Displays BGP routes carrying the internet community (advertised to the Internet)
show ip bgp community no-advertise           show ip bgp community no-advertise           Displays BGP routes not advertised to peers
show ip bgp community no-export              show ip bgp community no-export              Displays BGP routes not exported to the next AS
show ip bgp community no-export-subconfed    -                                            Displays BGP routes not sent outside the local (confederation sub-) AS
show ip bgp dampening dampened-paths         show ip bgp dampening dampened-paths         Displays all dampened paths
show ip bgp dampening flap-statistics        show ip bgp flap-statistics                  Displays flap statistics for BGP routes
show ip bgp dampening history-paths          -                                            Displays all history paths
show ip bgp dampening parameters             show ip bgp dampening parameters             Displays all of the dampening parameters
show ip bgp filter-list                      show ip bgp filter-list                      Displays all routes matching a specified filter list
show ip bgp ipv4 multicast                   show ip bgp ipv4 multicast                   Displays the BGP IPv4 multicast address family
show ip bgp ipv4 unicast                     show ip bgp ipv4 unicast                     Displays the BGP IPv4 unicast address family
show ip bgp neighbors                        show ip bgp neighbors                        Displays detailed neighbor information
show ip bgp neighbors x.x.x.x                show ip bgp neighbors x.x.x.x                Displays detailed information for a neighbor
show ip bgp nexthop x.x.x.x                  -                                            Displays all routes matching a specified next hop
show ip bgp paths                            show ip bgp paths                            Displays all BGP paths
show ip bgp peer-policy                      -                                            Displays a BGP peer policy by the specified name
show ip bgp peer-session                     -                                            Displays information about a peer session
show ip bgp peer-template                    show ip bgp template                         Displays information about a peer template
show ip bgp prefix-list                      show ip bgp prefix-list                      Displays routes matching a specified prefix list
show ip bgp regexp                           show ip bgp regexp                           Displays routes matching a regular expression
show ip bgp route-map                        show ip bgp route-map                        Displays BGP routes matching a route map
show ip bgp summary                          show ip bgp summary                          Displays a summary list of neighbors and statistics
show ip bgp vrf <name>                       show ip bgp vpnv4 vrf <name>                 Displays information for a specified BGP VRF
BGP (Advanced) BGPv4 is a standard exterior routing protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This document discusses route reflectors, confederations, peer templates, route-map policies and the prefix-lists feature.
Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • •
When configuring route reflectors, the route-reflector-client command is assigned per neighbor under the neighbor-specific address family. When configuring confederations, the confederation is configured under the autonomous system without the leading bgp keyword. Cisco NX-OS uses a peer template instead of a peer group to reuse common BGP policies. Multiple policy templates can be applied to a single neighbor. Cisco IOS Software allows only one policy template per neighbor. Cisco NX-OS does not require a manual reset for a neighbor when its routing policy is modified. Cisco IOS Software requires a hard or soft reset depending on the neighbor capabilities exchanged.
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an advanced BGP network configuration.
• Peer and session templates define neighbor attributes such as security passwords, timers, and transport options.
• Peer templates and session templates have identical configuration capabilities with one exception: peer templates can configure address families.
• Peer and session templates are inherited by a neighbor through the BGP neighbor configuration mode.
• Only one peer template and one session template can be inherited by a single BGP neighbor.
• Peer templates can inherit session templates. Session templates can inherit other session templates.
• Policy templates define address-family policies for inbound or outbound policies, including default-route origination, filter lists, route-map policies, prefix lists, etc.
• Multiple policy templates can be assigned per neighbor.
• Policy templates are executed in order based on the configured sequence number.
• Policy templates are inherited by a neighbor through the neighbor and address-family configuration mode.
• Route-map policies can configure BGP attributes such as as-path, community lists, community attributes, dampening, local preference, metric type, origin, and weight.
• Route-map policies can be applied per neighbor for inbound and outbound routing policies.
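The inheritance rules listed above can be checked mechanically. The following is an added example, not code from the original document or from Cisco: it parses an NX-OS router bgp block (indentation-based), expands peer, session and policy template inheritance exactly as the list describes it, orders policy templates by sequence number, and reports any neighbor whose effective configuration carries no password. The SAMPLE_CONFIG is constructed for illustration.

```python
"""Audit an NX-OS 'router bgp' block: resolve template inheritance, order the
policy templates and flag neighbors whose effective config has no password.
Added example, not from the original document; it applies only the inheritance
rules the text states. SAMPLE_CONFIG is constructed for illustration."""
from __future__ import annotations
import re

SAMPLE_CONFIG = """\
router bgp 10
  template peer-session IBGP-Session
    password 3 a667d47acc18ea6b
    update-source loopback0
  template peer IBGP-Template
    inherit peer-session IBGP-Session
    remote-as 10
  template peer-policy EBGP-Policy
    send-community
    default-originate
  template peer-policy EBGP-Filter
    prefix-list EBGP-Policy out
  neighbor 192.168.2.1
    inherit peer IBGP-Template
  neighbor 192.168.10.2 remote-as 20
    address-family ipv4 unicast
      inherit peer-policy EBGP-Filter 20
      inherit peer-policy EBGP-Policy 10
  neighbor 192.168.10.3 remote-as 30
    address-family ipv4 unicast
"""


def parse_blocks(text: str) -> list[tuple[str, list]]:
    """Turn an indentation-structured NX-OS config into (command, children) trees."""
    root: list = []
    stack = [(-1, root)]                    # (indent, children) of the open blocks
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        node = (raw.strip(), [])
        while stack[-1][0] >= indent:       # close blocks that are not shallower
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def audit_bgp(text: str) -> dict[str, dict]:
    """Per neighbor: effective remote-as, password presence, update-source and
    the policy templates in the order NX-OS applies them (by sequence number)."""
    bgp = next(kids for cmd, kids in parse_blocks(text) if cmd.startswith("router bgp"))
    templates: dict[str, dict[str, list]] = {"peer-session": {}, "peer": {}, "peer-policy": {}}
    neighbors = []
    for cmd, kids in bgp:
        m = re.match(r"template (peer-session|peer|peer-policy) (\S+)$", cmd)
        if m:
            templates[m.group(1)][m.group(2)] = kids
        elif cmd.startswith("neighbor "):
            neighbors.append((cmd, kids))

    def inherited(kind: str, name: str, seen: frozenset = frozenset()) -> list[str]:
        # Expand a template, following 'inherit peer-session' chains; 'seen' stops cycles.
        if (kind, name) in seen or name not in templates[kind]:
            return []
        out: list[str] = []
        for cmd, _ in templates[kind][name]:
            if cmd.startswith("inherit peer-session "):
                out += inherited("peer-session", cmd.split()[2], seen | {(kind, name)})
            else:
                out.append(cmd)
        return out

    report: dict[str, dict] = {}
    for cmd, kids in neighbors:
        effective = [cmd] + [c for c, _ in kids]        # the neighbor's own lines first
        policies: list[tuple[int, str]] = []
        for c, sub in kids:
            if c.startswith("inherit peer "):
                effective += inherited("peer", c.split()[2])
            elif c.startswith("inherit peer-session "):
                effective += inherited("peer-session", c.split()[2])
            elif c.startswith("address-family "):
                for line, _ in sub:
                    pm = re.match(r"inherit peer-policy (\S+) (\d+)", line)
                    if pm:
                        policies.append((int(pm.group(2)), pm.group(1)))
        report[cmd.split()[1]] = {
            "remote_as": next((x.split()[-1] for x in effective if "remote-as" in x.split()), None),
            "password": any(x.startswith("password ") for x in effective),
            "update_source": next((x.split()[-1] for x in effective if x.startswith("update-source ")), None),
            "policies": [name for _, name in sorted(policies)],
        }
    return report


def neighbors_without_password(report: dict[str, dict]) -> list[str]:
    """Neighbors whose effective configuration carries no BGP password."""
    return sorted(addr for addr, facts in report.items() if not facts["password"])
```

In the sample, 192.168.2.1 receives its remote-as, password and update-source through the peer template and its chained session template, while the two eBGP neighbors are reported as unauthenticated.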
Configuration Comparison

The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations are very similar with the exception of the hierarchy used in Cisco NX-OS.
Configuring a Route-Reflector

Cisco IOS CLI:
    router bgp 10
     no synchronization
     network 192.168.11.1 mask 255.255.255.255
     neighbor 192.168.2.1 remote-as 10
     neighbor 192.168.2.1 update-source Loopback0
     neighbor 192.168.2.1 route-reflector-client
     no auto-summary

Cisco NX-OS CLI:
    router bgp 10
     address-family ipv4 unicast
      network 192.168.11.1/32
     neighbor 192.168.2.1 remote-as 10
      update-source loopback0
      address-family ipv4 unicast
       route-reflector-client

Configuring Confederations

Cisco IOS CLI:
    router bgp 65534
     no synchronization
     bgp confederation identifier 10
     bgp confederation peers 65535
     network 192.168.11.1 mask 255.255.255.255
     neighbor 192.168.10.2 remote-as 65535
     no auto-summary

Cisco NX-OS CLI:
    router bgp 65534
     confederation identifier 10
     confederation peers 65535
     address-family ipv4 unicast
      network 192.168.11.1/32
     neighbor 192.168.10.2 remote-as 65535
      address-family ipv4 unicast

Configuring a Peer Template

Cisco IOS CLI:
    router bgp 10
     no synchronization
     network 192.168.11.1 mask 255.255.255.255
     neighbor IBGP-Template peer-group
     neighbor IBGP-Template password cisco123
     neighbor IBGP-Template update-source Loopback0
     neighbor 192.168.2.1 remote-as 10
     neighbor 192.168.2.1 peer-group IBGP-Template
     no auto-summary

Cisco NX-OS CLI:
    router bgp 10
     address-family ipv4 unicast
      network 192.168.11.1/32
     template peer IBGP-Template
      password 3 a667d47acc18ea6b
      update-source loopback0
      address-family ipv4 unicast
     neighbor 192.168.2.1 remote-as 10
      inherit peer IBGP-Template

Configuring a Policy Template

Cisco IOS CLI:
    router bgp 10
     template peer-policy EBGP-Policy
      default-originate
      send-community
      exit-peer-policy
     no synchronization
     network 192.168.11.1 mask 255.255.255.255
     neighbor 192.168.10.2 remote-as 20
     neighbor 192.168.10.2 inherit peer-policy EBGP-Policy
     no auto-summary

Cisco NX-OS CLI:
    router bgp 10
     address-family ipv4 unicast
      network 192.168.11.1/32
     template peer-policy EBGP-Policy
      send-community
      default-originate
     neighbor 192.168.10.2 remote-as 20
      address-family ipv4 unicast
       inherit peer-policy EBGP-Policy 10

Configuring an Outbound Neighbor Route-Map Policy

Cisco IOS CLI:
    route-map EBGP-Policy permit 10
     set as-path prepend 10 10 10
    router bgp 10
     no synchronization
     network 192.168.11.1 mask 255.255.255.255
     neighbor 192.168.10.2 remote-as 20
     neighbor 192.168.10.2 route-map EBGP-Policy out
     no auto-summary

Cisco NX-OS CLI:
    route-map EBGP-Policy permit 10
     set as-path prepend 10 10 10
    router bgp 10
     address-family ipv4 unicast
      network 192.168.11.1/32
     neighbor 192.168.10.2 remote-as 20
      address-family ipv4 unicast
       route-map EBGP-Policy out

Configuring an Outbound Prefix-List

Cisco IOS CLI:
    ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32
    router bgp 10
     no synchronization
     neighbor 192.168.10.2 remote-as 20
     neighbor 192.168.10.2 prefix-list EBGP-Policy out
     no auto-summary

Cisco NX-OS CLI:
    ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32
    router bgp 10
     neighbor 192.168.10.2 remote-as 20
      address-family ipv4 unicast
       prefix-list EBGP-Policy out
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.
Cisco NX-OS BGP | Cisco IOS Software BGP | Command Description
show ip bgp | show ip bgp | Displays BGP process and BGP table entries
show ip bgp x.x.x.x | show ip bgp x.x.x.x | Displays a specific network in the BGP table
show ip bgp x.x.x.x vrf | - | Displays a network in a specified VRF BGP table
show ip bgp x.x.x.x/len | show ip bgp x.x.x.x mask | Displays a specific prefix in the BGP table
show ip bgp x.x.x.x/len longer-prefix | show ip bgp x.x.x.x mask longer-prefix | Displays a prefix in the table with longer prefixes
show ip bgp all | show ip bgp all | Displays the BGP table for all protocol families
show ip bgp community | show ip bgp community <#> | Displays routes with a specific community value
show ip bgp community | - | Displays routes with a specific regular expression
show ip bgp community internet | - | Displays BGP routes advertised to the Internet
show ip bgp community no-export | show ip bgp community no-export | Displays BGP routes not exported to the next AS
show ip bgp community no-advertise | show ip bgp community no-advertise | Displays BGP routes not advertised to peers
show ip bgp community no-export-spoofed | - | Displays BGP routes not sent outside the local AS
show ip bgp dampening dampened-paths | show ip bgp dampening dampened-paths | Displays all dampened paths
show ip bgp dampening flap-statistics | show ip bgp dampening flap-statistics | Displays flap statistics for BGP routes
show ip bgp dampening history-paths | - | Displays all history paths
show ip bgp dampening parameters | show ip bgp dampening parameters | Displays all of the dampening parameters
show ip bgp filter-list | show ip bgp filter-list | Displays all routes matching a specified filter list
show ip bgp flap-statistics | - | Displays all BGP route flap statistics
show ip bgp ipv4 multicast | show ip bgp ipv4 multicast | Displays BGP IPv4 multicast address families
show ip bgp ipv4 unicast | show ip bgp ipv4 unicast | Displays BGP IPv4 unicast address families
show ip bgp neighbors x.x.x.x | show ip bgp neighbors x.x.x.x | Displays detailed information for a neighbor
show ip bgp neighbors | show ip bgp neighbors | Displays detailed neighbor information
show ip bgp nexthop x.x.x.x | - | Displays all routes matching a specified next-hop
show ip bgp paths | show ip bgp paths | Displays all BGP paths
show ip bgp peer-policy | - | Displays BGP peer policy by specified name
show ip bgp peer-session | - | Displays information about a peer session
show ip bgp peer-template | show ip bgp unicast ipv4 template | Displays information about a peer template
show ip bgp prefix-list | show ip bgp prefix-list | Displays routes matching a specified prefix-list
show ip bgp regexp | show ip bgp regexp | Displays routes matching a regular expression
show ip bgp route-map | show ip bgp route-map | Displays BGP routes matching a route-map
show ip bgp summary | show ip bgp summary | Displays a summary list of neighbors and statistics
show ip bgp vrf | show ip bgp vpnv4 vrf | Displays information for a specified BGP VRF
Multicast

Multicast transmission (one-to-many) provides the capability for a source host to forward IP packets to an interested group of destination hosts, as opposed to using unicast transmission (one-to-one) or broadcast transmission (one-to-everyone in the broadcast domain). Multicast functionality is typically enabled using multiple protocols. This tech note includes the following Cisco NX-OS protocols: Protocol Independent Multicast (PIM), Internet Group Membership Protocol (IGMP) and Multicast Source Discovery Protocol (MSDP).
Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• PIM and MSDP protocols require a LAN Enterprise Services license.
• The global ip multicast-routing command does not exist and is not required to enable multicast forwarding/routing. (It is required in Cisco IOS Software to enable multicast forwarding/routing.)
• PIM command-line interface (CLI) configuration and verification commands are not available until you enable the PIM feature with the feature pim command.
• MSDP CLI configuration and verification commands are not available until you enable the MSDP feature with the feature msdp command.
• IGMP versions 2 and 3 are supported. IGMP version 1 and version 3 Lite are not supported.
• An IGMP Snooping Querier is configured under the layer-2 VLAN with the ip igmp snooping querier CLI command (physical L3 interfaces cannot be configured as IGMP Snooping Queriers). In Cisco IOS Software, an IGMP Snooping Querier is configured under the layer-3 interface.
• PIM version 2 Sparse Mode is supported. Cisco NX-OS does not support PIM version 1 Sparse Mode or Dense Mode. NX-OS cannot fall back to Dense Mode operation.
• PIM is not supported on IP Tunnel interfaces.
• When configuring a PIM Auto-RP Candidate or BSR RP-Candidate, NX-OS requires a configured group-list (i.e. x.x.x.x/x), whereas Cisco IOS Software defaults to 224.0.0.0/4. An optional standard ACL can be configured to specify multicast groups in Cisco IOS Software.
• When configuring PIM Auto-RP Mapping-Agents or Candidate-RPs, Cisco NX-OS uses a default scope of 32, whereas Cisco IOS Software requires it to be specified with the scope option (1-255).
• When configuring PIM Auto-RP, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim auto-rp forward listen global CLI configuration command. Cisco IOS Software has to be configured for Sparse-Dense Mode or Sparse Mode with the global ip pim autorp listener CLI configuration command.
• When configuring PIM BSR, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim bsr forward listen global CLI configuration command. Cisco IOS Software doesn't require additional configuration, but does not have the ability to enable/disable RP forwarding and listening capabilities.
• BSR-Candidate routers have a default priority of 64. Cisco IOS Software defaults to 0. The priority value can be configured between 0-255 in both operating systems using the priority option. A higher numeric value is preferred when comparing priorities.
• BSR RP-Candidate routers have a default priority of 192. Cisco IOS Software defaults to 0. The priority value can be configured between 0-255 in both operating systems using the priority option. The lower numeric value is preferred when comparing priorities.
• When configuring a Static-RP, NX-OS does not have an override option like Cisco IOS Software that forces the Static-RP to be elected for its specified multicast group list. Cisco IOS Software prefers dynamically learned RPs over Static RPs if the override option is not configured.
• When comparing PIM Static-RPs to dynamically learned RPs (Auto-RP and BSR) during the election process, the RP with the most specific multicast group-list is elected. If the group-lists are identical, the router with the highest RP IP address is elected.
• When configuring a PIM domain border, the ip pim border interface CLI command prevents BSR and Auto-RP packets from being sent or received on an interface. The Cisco IOS Software command equivalent (ip pim bsr-border) only prevents BSR packets. Cisco IOS Software requires the ip multicast boundary interface command to prevent Auto-RP packets.
• PIM neighbor authentication (IPSec ah-md5) can be enabled to authenticate directly connected neighbors to increase security. Cisco IOS Software does not support this functionality.
• PIM neighbor logging can be enabled with the global ip pim log-neighbor-changes CLI command. (Cisco IOS Software enables PIM neighbor logging by default.)
• The data in the MSDP Source-Active (SA) messages is cached by default, whereas Cisco IOS Software requires the global ip msdp cache-sa-state and ip msdp cache-rejected-sa CLI commands.
• PIM is configured with the Source Specific Multicast (SSM) group range 232.0.0.0/8 by default (ip pim ssm range 232.0.0.0/8).
• Beginning with NX-OS 5.0(2a), PIM supports Bidirectional Forwarding Detection (BFD) for rapid failure detection.
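The RP selection and BSR priority rules in the list above are easy to get wrong when NX-OS and IOS devices share a PIM domain, because the two defaults pull in opposite directions. The following is an added example, not code from the original document or from Cisco, and not a full Auto-RP/BSR implementation: it models exactly the rules stated above (most specific group-list wins, identical group-lists broken by the highest RP address; BSR-candidate priority higher-is-better with defaults 64/0, RP-candidate priority lower-is-better with defaults 192/0). All candidate data is constructed.

```python
"""Model of the PIM RP selection rules stated above: static vs. dynamic RP
election (most specific group-list, then highest RP address) and the
asymmetric BSR priority defaults. Added example, not part of the original
document and not a full Auto-RP/BSR implementation; candidate data is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Default priorities the text gives for each OS (configurable 0-255 on both).
BSR_CANDIDATE_DEFAULT = {"nxos": 64, "ios": 0}    # higher numeric value preferred
RP_CANDIDATE_DEFAULT = {"nxos": 192, "ios": 0}    # lower numeric value preferred


@dataclass(frozen=True)
class Rp:
    address: str      # RP address
    group_list: str   # e.g. "224.0.0.0/4" (NX-OS requires one for Auto-RP/BSR candidates)
    source: str       # "static", "auto-rp" or "bsr"


def select_rp(group: str, rps: list[Rp]) -> Rp | None:
    """Pick the RP for a group: longest matching group-list, then highest RP IP."""
    g = ipaddress.ip_address(group)
    matching = [rp for rp in rps if g in ipaddress.ip_network(rp.group_list)]
    if not matching:
        return None
    return max(matching, key=lambda rp: (ipaddress.ip_network(rp.group_list).prefixlen,
                                         int(ipaddress.ip_address(rp.address))))


def effective_priority(role: str, os: str, configured: int | None) -> int:
    """Priority a candidate advertises; an unconfigured value falls back to the OS default."""
    defaults = BSR_CANDIDATE_DEFAULT if role == "bsr-candidate" else RP_CANDIDATE_DEFAULT
    value = defaults[os] if configured is None else configured
    if not 0 <= value <= 255:
        raise ValueError("priority must be between 0 and 255")
    return value


def rank_candidates(role: str, candidates: list[tuple[str, str, int | None]]) -> list[str]:
    """Order (address, os, configured_priority) tuples best-first for the given role."""
    scored = [(effective_priority(role, os, pri), addr) for addr, os, pri in candidates]
    # BSR-candidate election prefers the higher priority; RP-candidate selection the lower.
    best_first = sorted(scored, key=lambda t: t[0], reverse=(role == "bsr-candidate"))
    return [addr for _, addr in best_first]
```

With defaults left untouched, an NX-OS BSR-candidate (64) outranks an IOS one (0), while an NX-OS RP-candidate (192) loses to an IOS one (0).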
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining multicast enabled networks.
• If you remove the feature pim command, all relevant PIM configuration information is also removed.
• If you remove the feature msdp command, all relevant MSDP configuration information is also removed.
• IGMP Snooping is enabled globally by default. It can be disabled globally, or per layer-2 VLAN with the no igmp snooping command.
• IGMP version 2 is enabled by default when PIM Sparse Mode is configured on an interface.
• PIM supports three modes of operation: Any Source Multicast (ASM), Source Specific Multicast (SSM) and Bidirectional Shared Tree (Bidir). The default mode is ASM. Bidir can be configured with the bidir option when configuring an RP.
• Cisco NX-OS supports four types of PIM Rendezvous Points: Static, Bootstrap router (BSR), Auto-RP and Anycast-RP. (Do not configure Auto-RP and BSR in the same network.)
• When configuring a PIM Static-RP, the group-list defaults to 224.0.0.0/4 if one is not specified.
• Cisco NX-OS has two different CLI syntax options when configuring BSR and Auto-RP (new Cisco NX-OS syntax, and backwards-compatible Cisco IOS Software syntax).
• Cisco NX-OS supports multicast routing per layer-3 Virtual Routing and Forwarding (VRF) instance.
• PIM SSM and Bidir are not supported on Virtual Port-Channels (vPCs).
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are a few significant differences: Cisco NX-OS does not require the global ip multicast-routing command, but does require PIM and MSDP to be enabled individually with the global feature CLI commands. Cisco NX-OS has backwards-compatible syntax with Cisco IOS Software when configuring PIM BSR and Auto-RP, but Cisco NX-OS requires RP forwarding and/or listening to be configured prior to learning or forwarding dynamic RP information. Both Cisco NX-OS and Cisco IOS Software support multicast routing within a VRF instance, but Cisco NX-OS requires global commands to be configured under the VRF context as opposed to using the vrf option as with Cisco IOS Software.
Enabling Multicast Forwarding

Cisco IOS CLI:
    ip multicast-routing

Cisco NX-OS CLI:
    Cisco NX-OS does not have a single global command to enable multicast forwarding/routing.

Enabling the PIM Feature

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable or disable PIM.

Cisco NX-OS CLI:
    feature pim

Configuring PIM Sparse Mode on an Interface

Cisco IOS CLI:
    interface TenGigabitEthernet1/1
     ip address 192.168.10.1 255.255.255.0
     ip pim sparse-mode

Cisco NX-OS CLI:
    interface Ethernet1/1
     ip address 192.168.10.1/24
     ip pim sparse-mode

Configuring a PIM Auto-RP

Cisco IOS CLI:
    interface Loopback10
     ip address 172.16.1.1 255.255.255.255
     ip pim sparse-mode
    ip pim send-rp-announce Loopback10 scope 32
    ip pim send-rp-discovery Loopback10 scope 32
    ip pim autorp listener

Cisco NX-OS CLI:
    interface loopback10
     ip address 172.16.1.1/32
     ip pim sparse-mode
    ip pim auto-rp rp-candidate loopback10 group-list 224.0.0.0/4
    ip pim auto-rp mapping-agent loopback10
    ip pim auto-rp forward listen
  or
    ip pim send-rp-announce loopback10 group-list 224.0.0.0/4
    ip pim send-rp-discovery loopback10
    ip pim auto-rp forward listen

Configuring a PIM BSR RP

Cisco IOS CLI:
    interface Loopback10
     ip address 172.16.1.1 255.255.255.255
     ip pim sparse-mode
    ip pim bsr-candidate Loopback10
    ip pim rp-candidate Loopback10

Cisco NX-OS CLI:
    interface loopback10
     ip address 172.16.1.1/32
     ip pim sparse-mode
    ip pim bsr bsr-candidate loopback10
    ip pim bsr rp-candidate loopback10 group-list 224.0.0.0/4
    ip pim bsr forward listen
  or
    ip pim bsr-candidate loopback10
    ip pim rp-candidate loopback10 group-list 224.0.0.0/4
    ip pim bsr forward listen

Configuring a PIM Static-RP

Cisco IOS CLI:
    ip pim rp-address 172.16.1.1

Cisco NX-OS CLI:
    ip pim rp-address 172.16.1.1

Configuring a PIM Anycast-RP (BSR Example)

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable the PIM Anycast RP feature.

Cisco NX-OS CLI:
    interface loopback0
     ip address 192.168.10.1/32
     ip pim sparse-mode
    interface loopback10
     description Anycast-RP-Address
     ip address 172.16.1.1/32
     ip pim sparse-mode
    ip pim bsr bsr-candidate loopback0
    ip pim bsr rp-candidate loopback10 group-list 224.0.0.0/4
    ip pim anycast-rp 172.16.1.1 192.168.10.1
    ip pim anycast-rp 172.16.1.1 192.168.10.2
    ip pim bsr forward listen

Configuring PIM Neighbor Authentication

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable neighbor authentication.

Cisco NX-OS CLI:
    interface Ethernet1/1
     ip address 192.168.10.1/24
     ip pim sparse-mode
     ip pim hello-authentication ah-md5 3 a667d47acc18ea6b

Configuring a PIM BSR Border on an Interface

Cisco IOS CLI:
    interface TenGigabitEthernet1/1
     ip address 192.168.10.1 255.255.255.0
     ip pim bsr-border
     ip pim sparse-mode
     ip multicast boundary 10
    access-list 10 deny 224.0.1.39
    access-list 10 deny 224.0.1.40
    access-list 10 permit 224.0.0.0 15.255.255.255

Cisco NX-OS CLI:
    interface Ethernet1/1
     ip address 192.168.10.1/24
     ip pim sparse-mode
     ip pim border

Configuring PIM in a Non-Default VRF Instance

Cisco IOS CLI:
    ip vrf production
    ip multicast-routing vrf production
    interface Loopback10
     ip vrf forwarding production
     ip address 172.16.1.1 255.255.255.255
     ip pim sparse-mode
    interface TenGigabitEthernet1/1
     ip vrf forwarding production
     ip address 192.168.10.1 255.255.255.0
     ip pim sparse-mode
    ip pim vrf production rp-address 172.16.1.1

Cisco NX-OS CLI:
    vrf context production
     ip pim rp-address 172.16.1.1 group-list 224.0.0.0/4
    interface loopback10
     vrf member production
     ip address 172.16.1.1/32
    interface Ethernet1/1
     vrf member production
     ip address 192.168.10.1/24
     ip pim sparse-mode

Configuring IGMP Version 3 for an Interface

Cisco IOS CLI:
    interface TenGigabitEthernet1/1
     ip address 192.168.10.1 255.255.255.0
     ip pim sparse-mode
     ip igmp version 3

Cisco NX-OS CLI:
    interface Ethernet1/1
     ip address 192.168.10.1/24
     ip pim sparse-mode
     ip igmp version 3

Configuring an IGMP Snooping Querier for a VLAN

Cisco IOS CLI:
    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
     ip igmp snooping querier

Cisco NX-OS CLI:
    vlan 10
     ip igmp snooping querier 192.168.10.1

Configuring MSDP (Anycast-RP)

Cisco IOS CLI:
    interface Loopback0
     description MSDP Peer Address
     ip address 192.168.1.1 255.255.255.255
    interface Loopback10
     description PIM RP Address
     ip address 1.1.1.1 255.255.255.255
    ip pim rp-address 1.1.1.1
    ip msdp peer 192.168.2.1 connect-source Loopback0
    ip msdp cache-sa-state

Cisco NX-OS CLI:
    interface loopback0
     description MSDP Peer Address
     ip address 192.168.1.1/32
    interface loopback10
     description PIM RP Address
     ip address 1.1.1.1/32
    ip pim rp-address 1.1.1.1 group-list 224.0.0.0/4
    ip msdp peer 192.168.2.1 connect-source loopback0
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting multicast network configurations.
Cisco NX-OS Multicast | Cisco IOS Software Multicast | Command Description
show ip igmp groups | show ip igmp groups | Displays all IGMP attached group membership information
show ip igmp interface | show ip igmp interface | Displays IGMP information for all interfaces
show ip igmp interface brief | - | Displays a one-line summary status per interface
show ip igmp interface int-type | show ip igmp interface int-type | Displays IGMP information for a specific interface
show ip igmp interface vrf name | show ip igmp vrf name | Displays IGMP information for a specific VRF instance
show ip igmp local-groups int-type | - | Displays IGMP local groups associated to a specific interface
show ip igmp local-groups vrf name | - | Displays IGMP local groups associated to a specific VRF instance
show ip igmp route | - | Displays IGMP attached group membership information
show ip igmp route x.x.x.x | - | Displays IGMP attached group membership for a specific group
show ip igmp route int-type | - | Displays IGMP attached group membership for a specific interface
show ip igmp route vrf name | - | Displays IGMP attached group membership for a specific VRF instance
show ip igmp snooping | - | Displays global and per-interface IGMP Snooping information
show ip igmp snooping explicit-tracking | show ip igmp snooping explicit-tracking | Displays explicit tracking information for IGMPv3
show ip igmp snooping groups | show mac-address-table multicast igmp-snooping | Displays IGMP Snooping groups information
show ip igmp snooping mrouter | show ip igmp snooping mrouter | Displays detected multicast routers
show ip igmp snooping otv | - | Displays IGMP Snooping OTV information
show ip igmp snooping querier | - | Displays IGMP Snooping querier information
show ip igmp snooping statistics | show ip igmp snooping statistics | Displays packet/error counter statistics
show ip igmp snooping vlan # | - | Displays IGMP Snooping information per specific VLAN
show ip msdp count | show ip msdp count | Displays MSDP SA cache counters
show ip msdp mesh-group | - | Displays MSDP Mesh-Group members
show ip msdp peer | show ip msdp peer | Displays all MSDP peers
show ip msdp peer x.x.x.x | show ip msdp peer x.x.x.x | Displays a specific MSDP peer
show ip msdp peer vrf name | show ip msdp vrf name | Displays MSDP peers related to a specific VRF instance
show ip msdp peer policy | - | Displays the MSDP peer policies
show ip msdp peer route | - | Displays the MSDP route-cache
show ip msdp sa-cache | show ip msdp sa-cache | Displays the MSDP SA route-cache
show ip msdp source | - | Displays the MSDP learned sources and associated statistics
show ip msdp summary | show ip msdp summary | Displays the MSDP peer summary
show ip pim df | show ip pim interface df | Displays Bidir designated forwarders
show ip pim df x.x.x.x | show ip pim interface df x.x.x.x | Displays Bidir designated forwarders for a specific RP or group
show ip pim df vrf name | - | Displays Bidir designated forwarders for a specific VRF instance
show ip pim group-range | - | Displays the PIM group-ranges
show ip pim group-range x.x.x.x | - | Displays a specific PIM group-range
show ip pim group-range vrf name | - | Displays the PIM group-ranges for a specific VRF instance
show ip pim interface | show ip pim interface | Displays all PIM enabled interfaces
show ip pim interface brief | - | Displays a one-line summary of all PIM enabled interfaces
show ip pim interface int-type | show ip pim interface int-type | Displays information for a specific PIM interface
show ip pim interface vrf name | - | Displays the PIM interfaces for a specific VRF instance
show ip pim neighbor | show ip pim neighbor | Displays all PIM neighbors
show ip pim neighbor int-type | show ip pim neighbor interface int-type | Displays a specific PIM neighbor for a specific interface
show ip pim neighbor x.x.x.x | show ip pim neighbor x.x.x.x | Displays a specific PIM neighbor for a specific IP address
show ip pim neighbor vrf name | - | Displays PIM neighbors for a specific VRF instance
show ip pim oif-list x.x.x.x | - | Displays the PIM OIF-List for a specific multicast group address
show ip pim policy statistics | - | Displays PIM statistics
show ip pim route | - | Displays PIM routes
show ip pim route x.x.x.x | - | Displays a specific PIM route
show ip pim route vrf name | - | Displays PIM routes for a specific VRF instance
show ip pim rp | show ip pim rp mapping | Displays PIM RP information
show ip pim rp x.x.x.x | show ip pim rp x.x.x.x | Displays information for a specific PIM group address
show ip pim rp vrf name | - | Displays information for PIM RPs in a specific VRF instance
show ip pim rp-hash x.x.x.x | show ip pim rp-hash x.x.x.x | Displays the PIM RP-Hash value for a specific group
show ip pim statistics | - | Displays PIM packet statistics
show ip pim statistics vrf name | - | Displays per-packet statistics for a specific VRF instance
show ip pim vrf name | show ip pim vrf name | Displays detailed PIM information per specific VRF instance
show ip mroute | show ip mroute | Displays the multicast routing table
show ip mroute summary | show ip mroute summary | Displays the multicast routing table with packet counts and bit rates
show ip mroute x.x.x.x | show ip mroute x.x.x.x | Displays a specific multicast route
show ip mroute vrf name | show ip mroute vrf name | Displays the multicast routing table for a specific VRF instance
show ip route rpf | show ip rpf | Displays the Reverse Path Forwarding (RPF) table used for multicast source lookup
Netflow

NetFlow provides flow-based statistics collection that is useful for troubleshooting, traffic analysis, performance monitoring, and security threat prevention. Cisco NX-OS supports a flexible architecture that allows a user to collect different data for different applications per interface, whereas Cisco IOS Software supports one flow mask and export pair for the entire chassis.
Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• NetFlow command-line interface (CLI) configuration and verification commands are not available until you enable the NetFlow feature with the feature netflow command.
• Two flow modes are supported: full and sampled.
• Sampled mode supports packet-based sampling (1-64 out of 1-8192).
• In sampled mode, the sampling occurs before the NetFlow cache is populated.
• Each line-card module supports 512,000 NetFlow cache entries.
• Layer 2 NetFlow based on MAC addresses is not supported at this time.
• A flexible architecture is used that consists of flow records, flow exports, and flow monitors.
• Cisco NX-OS supports more key and non-key fields for creating flow records and can collect additional information such as TCP flags and system uptime.
• NetFlow Versions 5 and 9 Export features are supported (Version 9 is recommended).
• A source interface must be configured for each flow export.
• Cisco NX-OS defaults to User Datagram Protocol (UDP) port 9995 for NetFlow Data Export.
• Cisco NX-OS provides more granular aging timers (session timer and aggressive threshold).
• The default aging timer values are different than in Cisco IOS Software.
• The NetFlow feature supports stateful process restarts.
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and managing NetFlow.
• If the feature netflow command is removed, all relevant NetFlow configuration information is also removed.
• NetFlow consumes hardware resources (ternary content-addressable memory [TCAM], CPU, etc.), so understanding the resource utilization on a device is important before enabling NetFlow.
• Sampling mode preserves CPU and NetFlow cache entries in high-traffic environments.
• A traffic direction needs to be specified when a flow monitor is applied to an interface.
• The active-aging flow timeout is 1800 seconds by default.
• The inactive-aging flow timeout is 15 seconds by default.
• The fast-aging flow timeout is disabled by default.
• The aggressive-aging flow threshold is disabled by default.
• TCP session aging is disabled by default.
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are several significant differences: Cisco NX-OS allows NetFlow to be enabled and disabled globally, and it uses a more flexible architecture that allows different statistics to be collected for different applications. The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH.
Enabling the NetFlow Feature

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable or disable NetFlow.

Cisco NX-OS CLI:
    feature netflow

Configuring a NetFlow Flow Record (Custom)

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to create custom NetFlow records. A system-wide flow mask is defined. The following example uses interface-full.
    mls netflow interface
    mls flow ip interface-full
    mls nde sender version 5

Cisco NX-OS CLI:
    flow record Netflow-Record-1
     description Custom-Flow-Record
     match ipv4 source address
     match ipv4 destination address
     match transport destination-port
     collect counter bytes
     collect counter packets

Configuring a NetFlow Flow Export

Cisco IOS CLI:
    ip flow-export source GigabitEthernet2/2
    ip flow-export version 9
    ip flow-export destination 192.168.11.2 2000

Cisco NX-OS CLI:
    flow exporter Netflow-Exporter-1
     description Production-Netflow-Exporter
     destination 192.168.11.2
     source Ethernet2/2
     version 9

Configuring a NetFlow Monitor with a Custom Record

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters.

Cisco NX-OS CLI:
    flow monitor Netflow-Monitor-1
     description Applied Inbound-Eth-2/1
     record Netflow-Record-1
     exporter Netflow-Exporter-1

Configuring a NetFlow Monitor with an Original Record

Cisco IOS CLI:
    Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters.

Cisco NX-OS CLI:
    flow monitor Netflow-Monitor-2
     description Use Predefined "Original-Netflow-Record"
     record netflow-original
     exporter Netflow-Exporter-1

Applying a NetFlow Monitor to an Interface

Cisco IOS CLI:
    interface gigabitethernet 6/1
     ip flow ingress

Cisco NX-OS CLI:
    interface Ethernet2/1
     ip flow monitor Netflow-Monitor-1 input

Adjusting NetFlow Timers

Cisco IOS CLI:
    mls aging fast
    mls aging long 120
    mls aging normal 32

Cisco NX-OS CLI:
    flow timeout active 120
    flow timeout inactive 32
    flow timeout fast 32 threshold 100
    flow timeout session
    flow timeout aggressive threshold 75

Configuring a NetFlow Sampler

Cisco IOS CLI:
    mls sampling packet-based 64 8000
    mls flow int-full
    mls nde sender version 5

Cisco NX-OS CLI:
    sampler NF-Sampler-1
     description Sampler-for-Int-Eth-2/1
     mode 1 out-of 1000

Applying a NetFlow Sampler to an Interface

Cisco IOS CLI:
    interface GigabitEthernet2/1
     mls netflow sampling

Cisco NX-OS CLI:
    interface Ethernet2/1
     ip flow monitor NF-Mntr-1 input sampler NF-Sampler-1
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting NetFlow.
Cisco NX-OS Netflow | Cisco IOS Software Netflow | Command Description
show flow exporter | show mls nde | Displays the configured exporter maps
show flow interface | - | Displays interfaces configured for NetFlow
show flow monitor | - | Displays information about monitor maps
show flow record | - | Displays information about record maps
show flow timeout | - | Displays the NetFlow timeout value
show hardware flow aging | show mls netflow aging | Displays the NetFlow table aging timeout value
show hardware flow entry | show mls netflow ip flow | Displays flow-specific information
show hardware flow ip | show mls netflow ip | Displays the IP NetFlow table
show hardware flow sampler | show mls sampling | Displays the NetFlow sampling configuration
show hardware flow utilization module | show mls netflow table summary | Displays NetFlow table utilization per module
show sampler | show flow-sampler | Displays information about sampler maps
SPAN

The SPAN feature allows traffic to be mirrored from within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.
Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• Only Local SPAN is supported.
• Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.
• 18 monitor sessions can be configured. Only two sessions can be active simultaneously.
• Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software has the option of flat or hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later.
• A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).
• Destination SPAN ports must be configured as Layer 2 ports with the switchport command.
• Destination SPAN ports require the switchport monitor interface configuration command.
• The SPAN feature supports stateful and stateless process restarts.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.
• Two active SPAN sessions are supported in total across all virtual device contexts (VDCs).
• Monitor sessions are disabled by default. They can be enabled with the no shut command.
• The source traffic direction can be configured as rx, tx, or both. The default is both.
• When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN is sent to the destination.
• The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.)
• By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.
• A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)
• A destination port does not participate in a spanning-tree instance.
• A destination port can be configured in only one SPAN session at a time.
• A port cannot be configured as both a source and destination port.
• 128 source interfaces can be configured per session.
• 32 source VLANs can be configured per session.
• 2 destination interfaces can be configured per session.
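The per-session limits in the list above are easy to break when monitor sessions are copied between switches, and NX-OS reports some of them only when the session is brought up. The following Python script is an added example, not part of this document or of NX-OS: it parses a constructed running-config excerpt (the sample below is made up for illustration, as are the function names) and reports every session that violates the active-session count, the source and destination limits, the "no port as both source and destination" rule, the "one session per destination" rule, or lacks switchport monitor on a destination.

```python
"""Lint a Cisco NX-OS SPAN configuration against the per-session limits
listed above (2 active sessions, 128 source interfaces, 32 source VLANs,
2 destination interfaces, no port as both source and destination, and
'switchport monitor' on every destination).  Added example: the running-
config excerpt and the function names are constructed for illustration."""
import re
from collections import defaultdict

MAX_ACTIVE_SESSIONS = 2
MAX_SOURCE_INTERFACES = 128
MAX_SOURCE_VLANS = 32
MAX_DEST_INTERFACES = 2

# Constructed excerpt; sessions 2 and 3 deliberately break the rules.
SAMPLE_CONFIG = """\
interface Ethernet2/2
  switchport
  switchport monitor
interface Ethernet2/3
  switchport
monitor session 1
  source interface Ethernet2/1 both
  source vlan 10,20 both
  destination interface Ethernet2/2
  no shut
monitor session 2
  source interface Ethernet2/3 rx
  destination interface Ethernet2/3
  no shut
monitor session 3
  source interface Ethernet2/4 both
  destination interface Ethernet2/5
  no shut
"""


def expand_vlans(spec):
    """'10,15-17' -> {10, 15, 16, 17}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_sessions(config):
    """Return ({session_id: {sources, vlans, dests, active}}, monitor_ports)."""
    sessions, monitor_ports = {}, set()
    session = interface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # a top-level command starts a new block
            session = interface = None
            if m := re.match(r"monitor session (\d+)$", line):
                session = sessions.setdefault(int(m.group(1)), {
                    "sources": set(), "vlans": set(), "dests": set(), "active": False})
            elif m := re.match(r"interface (\S+)$", line):
                interface = m.group(1)
            continue
        words = line.split()
        if interface and line == "switchport monitor":
            monitor_ports.add(interface)
        elif session is not None:
            if words[:2] == ["source", "interface"]:
                session["sources"].add(words[2])
            elif words[:2] == ["source", "vlan"]:
                session["vlans"] |= expand_vlans(words[2])
            elif words[:2] == ["destination", "interface"]:
                session["dests"].add(words[2])
            elif line in ("no shut", "no shutdown"):
                session["active"] = True
    return sessions, monitor_ports


def lint(config):
    """Return a list of findings; an empty list means the excerpt is within limits."""
    sessions, monitor_ports = parse_sessions(config)
    findings = []
    active = [sid for sid, s in sessions.items() if s["active"]]
    if len(active) > MAX_ACTIVE_SESSIONS:
        findings.append(f"{len(active)} sessions are 'no shut'; only {MAX_ACTIVE_SESSIONS} can be active")
    dest_users = defaultdict(list)
    for sid, s in sorted(sessions.items()):
        for label, got, limit in (("source interfaces", s["sources"], MAX_SOURCE_INTERFACES),
                                  ("source VLANs", s["vlans"], MAX_SOURCE_VLANS),
                                  ("destination interfaces", s["dests"], MAX_DEST_INTERFACES)):
            if len(got) > limit:
                findings.append(f"session {sid}: {len(got)} {label} exceeds limit of {limit}")
        for port in sorted(s["sources"] & s["dests"]):
            findings.append(f"session {sid}: {port} is both a source and a destination")
        for port in sorted(s["dests"]):
            dest_users[port].append(sid)
            if port not in monitor_ports:
                findings.append(f"session {sid}: destination {port} lacks 'switchport monitor'")
    for port, sids in dest_users.items():
        if len(sids) > 1:
            findings.append(f"{port} is a destination in sessions {sids}; one session at a time")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it prints four findings for the sample (three active sessions, Ethernet2/3 used as both source and destination, and two destinations without switchport monitor). To audit a real switch, feed lint() the saved output of show running-config; the parser only looks at interface and monitor session blocks, so the rest of the configuration is ignored.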
Configuration Comparison
The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.
Configuring the Destination Switchport Mode
  Cisco IOS CLI: Cisco IOS Software does not require any destination port configuration.
  Cisco NX-OS CLI:
    interface Ethernet2/2
      switchport
      switchport monitor

Configuring Destination Port Ingress Forwarding and Learning
  Cisco IOS CLI:
    monitor session 1 type local
      destination interface Gi2/2 ingress learning
  Cisco NX-OS CLI:
    interface Ethernet2/2
      switchport
      switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination)
  Cisco IOS CLI:
    monitor session 1 type local
      source interface Gi2/1
      destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
      source interface Ethernet2/1 both
      destination interface Ethernet2/2
      no shut

Configuring a SPAN Monitor (VLAN Source)
  Cisco IOS CLI:
    monitor session 1 type local
      source vlan 10 , 20
      destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
      source vlan 10,20 both
      destination interface Ethernet2/2
      no shut

Filtering VLANs for IEEE 802.1q Trunk Sources
  Cisco IOS CLI:
    interface GigabitEthernet2/1
      switchport
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 10-20
      switchport mode trunk
    monitor session 1 type local
      source interface Gi2/1
      filter vlan 15-20
      destination interface Gi2/2
      no shutdown
  Cisco NX-OS CLI:
    interface Ethernet2/1
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 10-20
    monitor session 1
      source interface Ethernet2/1 both
      filter vlan 15-20
      destination interface Ethernet2/2
      no shut

Configuring a SPAN Monitor (CPU Source)
  Cisco IOS CLI:
    monitor session 1 type local
      source cpu rp rx
      destination interface Gi2/2
      no shutdown
  Cisco NX-OS CLI:
    monitor session 1
      source interface sup-eth0 rx
      destination interface Ethernet2/2
      no shut
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.

Cisco NX-OS SPAN           | Cisco IOS Software SPAN    | Command Description
show interface             | show interface             | Displays destination port characteristics
show monitor session <#>   | show monitor session <#>   | Displays a specific SPAN and monitor session
show monitor session all   | show monitor session all   | Displays all SPAN and monitor sessions
show monitor range <#-#>   | show monitor range <#-#>   | Displays a range of specified SPAN sessions
TACACS+, RADIUS, and AAA AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than local databases.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command.
• The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.
• The RADIUS vendor-specific attributes (VSA) feature is enabled by default.
• Local command authorization can be performed with role-based access control (RBAC) without an AAA server. User roles can be associated with users configured on the AAA server using VSAs.
• Remote command authorization can be performed on an AAA server when using AAA with TACACS+.
• If no AAA server is available for authentication, the local database is automatically used for device access. Because the local accounts are the only way in when the servers are unreachable, keep them to a minimum and give them strong passwords.
• The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration; Cisco IOS Software requires the service password-encryption command to obscure them. In either case the device itself must be able to recover the key, so a copied running-config still exposes it: treat configuration backups as secrets.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services.
• Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy applies only to the default VDC.
• If you remove the feature tacacs+ command, all relevant TACACS+ configuration information is also removed.
• 64 TACACS+ and 64 RADIUS servers can be configured per device.
• AAA server groups are associated with the default Virtual Route Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is in a non-default VRF instance.
• An IP source interface can be associated with AAA server groups.
• TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.
• By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).
• Directed server requests are enabled by default for TACACS+ and RADIUS. A directed request lets a user pick the server at login by entering username@hostname; if you do not need that, disable it with no tacacs-server directed-request and no radius-server directed-request.
• The local option can be used with AAA authorization to fall back to RBAC in the event an AAA server is not available for command authorization.
• Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.
Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.
Enabling TACACS+
  Cisco IOS CLI: Cisco IOS Software does not have the ability to enable or disable TACACS+.
  Cisco NX-OS CLI:
    feature tacacs+

Configuring a TACACS+ Server with a Key
  Cisco IOS CLI:
    tacacs-server host 192.168.1.1 key cisco123
  Cisco NX-OS CLI (the key is typed in clear text and stored in the encrypted form shown):
    tacacs-server host 192.168.1.1 key 7 "fewhg123"

Specifying a Nondefault TACACS+ TCP Port
  Cisco IOS CLI:
    tacacs-server host 192.168.1.1 port 85
  Cisco NX-OS CLI:
    tacacs-server host 192.168.1.1 port 85

Specifying the TACACS+ Timeout Value (Global)
  Cisco IOS CLI:
    tacacs-server timeout 10
  Cisco NX-OS CLI:
    tacacs-server timeout 10

Configuring a RADIUS Server with a Key
  Cisco IOS CLI:
    radius-server host 192.168.1.1 key cisco123
  Cisco NX-OS CLI:
    radius-server host 192.168.1.1 key 7 "fewhg123"

Specifying Nondefault RADIUS UDP Ports
  Cisco IOS CLI:
    radius-server host 192.168.1.1 auth-port 1645 acct-port 1646
  Cisco NX-OS CLI:
    radius-server host 192.168.1.1 auth-port 1645 acct-port 1646

Specifying the RADIUS Timeout Value (Global)
  Cisco IOS CLI:
    radius-server timeout 10
  Cisco NX-OS CLI:
    radius-server timeout 10

Configuring an AAA Server Group (TACACS+)
  Cisco IOS CLI:
    aaa group server tacacs+ AAA-Servers
      server 192.168.1.1
  Cisco NX-OS CLI:
    aaa group server tacacs+ AAA-Servers
      server 192.168.1.1

Configuring an AAA Server Group (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1

Configuring an AAA Server Group for a VRF Instance (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
      ip vrf forwarding management
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
      use-vrf management

Configuring the AAA Server Group Dead Time (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      deadtime 5
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      deadtime 5

Enabling AAA Authentication with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa authentication login default group AAA-Servers
  Cisco NX-OS CLI:
    aaa authentication login default group AAA-Servers

Enabling AAA Authorization with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa authorization config-commands
    aaa authorization commands 1 default group AAA-Servers
  Cisco NX-OS CLI:
    aaa authorization config-commands default group AAA-Servers
    aaa authorization commands default group AAA-Servers

Enabling AAA Accounting with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa accounting exec default start-stop group AAA-Servers
  Cisco NX-OS CLI:
    aaa accounting default group AAA-Servers
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS.

Cisco NX-OS AAA                              | Cisco IOS Software AAA    | Command Description
show tacacs-server                           | show tacacs               | Displays the TACACS+ server configuration for all servers
show tacacs-server <host>                    | -                         | Displays a specific TACACS+ server configuration
show tacacs-server directed-request          | -                         | Displays the status of the directed-request feature (enabled or disabled)
show tacacs-server groups                    | -                         | Displays TACACS+ server groups
show tacacs-server statistics <host>         | -                         | Displays TACACS+ statistics for a specific server
show radius-server                           | -                         | Displays the RADIUS server configuration for all servers
show radius-server <host>                    | -                         | Displays a specific RADIUS server configuration
show radius-server directed-request          | -                         | Displays the status of the directed-request feature (enabled or disabled)
show radius-server groups                    | show radius server-group  | Displays RADIUS server groups
show radius-server statistics <host>         | show radius statistics    | Displays RADIUS statistics for a specific server
show aaa accounting                          | -                         | Displays the status of AAA accounting
show aaa authentication                      | -                         | Displays the default and console login methods
show aaa authentication login error-enable   | -                         | Displays the login error message status (enabled or disabled)
show aaa authentication login mschap         | -                         | Displays the status of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP; enabled or disabled)
show aaa authorization                       | -                         | Displays the AAA authorization configuration
show aaa groups                              | -                         | Displays the AAA groups that are configured
show user-account                            | -                         | Displays a list of locally configured users
show users                                   | show users                | Displays the users who are logged in
Layer-3 Virtualization Virtual Routing and Forwarding (VRF) provides an additional layer of network virtualization on top of virtual device contexts (VDCs). VRF provides separate unicast and multicast address space and associated routing protocols that make independent forwarding decisions. All unicast and multicast protocols support VRF.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• Cisco NX-OS supports 200 VRF instances per VDC.
• Two VRF instances are configured by default. The management port on the supervisor module is assigned to the management VRF, and all I/O module ports are assigned to the default VRF.
• The default VRF is the default routing context for all show commands.
• VRF instances can be enabled without any command-line interface (CLI) prerequisites. Cisco IOS Software requires ip cef to be enabled globally before VRF instances can be configured.
• Multicast routing/forwarding can be configured per VRF instance without having to globally enable the VRF instance for multicast. Cisco IOS Software requires the global ip multicast-routing vrf command per VRF instance.
• The CLI for enabling VRF routing for a protocol is consistent for all routing protocols, whereas Cisco IOS Software uses address families for Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Enhanced Interior Gateway Routing Protocol (EIGRP) and requires unique routing process IDs per VRF for Integrated Intermediate System-to-Intermediate System (ISIS) and Open Shortest Path First (OSPF). In Cisco NX-OS, numerous VRF instances can be assigned to a single routing protocol instance.
• IP static routes are configured under the specified vrf context. In Cisco IOS Software, all static routes are configured in global configuration mode with the vrf option.
• A VRF instance can be manually disabled with the shutdown command. Cisco IOS Software does not have the CLI capability to manually disable a VRF instance.
• If a VRF context is removed with the no vrf context configuration command, the VRF context commands are removed from the running configuration, making the VRF non-functional, but all non-context-related VRF commands remain in the running configuration. When a VRF is removed in Cisco IOS Software, the VRF instance and all related VRF commands are automatically removed from the running configuration, including any interface IP addresses previously associated with the VRF.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining VRF instances.
• When you assign a VRF instance to an interface that already has an IP address configured, the interface IP address is automatically removed. Enter the vrf member command first and the ip address command after it.
• Static routes or dynamic routing protocols (BGP, EIGRP, ISIS, OSPF, and RIPv2) can be configured for routing in a VRF instance.
• IP troubleshooting tools such as ping and traceroute are VRF aware and require the name of a specific VRF instance if testing in the default VRF instance is not desired.
• The routing-context vrf command can be executed in EXEC mode to change the routing context to a non-default VRF instance. For example, typing routing-context vrf management changes the routing context, so all VRF-related commands are executed in the management VRF as opposed to the default VRF.
• Network management–related services such as authentication, authorization and accounting (AAA), Call Home, Domain Name System (DNS), FTP, HTTP, NetFlow, Network Time Protocol (NTP), RADIUS, Simple Network Management Protocol (SNMP), SSH, syslog, TACACS+, Telnet, Trivial File Transfer Protocol (TFTP), and XML are VRF aware.
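The first fact above (vrf member silently removes an existing ip address) and the default VRF layout described earlier (supervisor management port in the management VRF, I/O module ports in the default VRF) are both things a configuration review can catch before the change window. The following Python script is an added example, not part of this document or of NX-OS: it builds the VRF-to-interface map from a constructed configuration excerpt (the excerpt and function names are my own assumptions) and flags an ip address entered before vrf member, a vrf member that names a VRF with no vrf context, and an I/O module port placed in the management VRF.

```python
"""Map Cisco NX-OS interfaces to VRFs and flag three things the VRF facts
above warn about: an 'ip address' entered before 'vrf member' (NX-OS drops
the address when the VRF is assigned), 'vrf member' naming a VRF with no
'vrf context', and an I/O module port placed in the management VRF.
Added example; the configuration excerpt and function names are constructed."""
import re
from collections import defaultdict

BUILTIN_VRFS = {"default", "management"}   # present on every NX-OS device

# Constructed excerpt: Ethernet2/2 has the wrong command order, Ethernet2/3
# sits in the management VRF, Ethernet2/4 references an undefined VRF.
SAMPLE_CONFIG = """\
vrf context vrf-1
  ip route 192.168.2.0/24 192.168.10.2
interface mgmt0
  vrf member management
  ip address 10.1.1.1/24
interface Ethernet2/1
  vrf member vrf-1
  ip address 192.168.10.1/24
interface Ethernet2/2
  ip address 192.168.20.1/24
  vrf member vrf-1
interface Ethernet2/3
  vrf member management
  ip address 10.0.0.1/24
interface Ethernet2/4
  vrf member vrf-9
  ip address 192.168.40.1/24
"""


def analyse(config):
    """Return ({vrf: [interfaces]}, [findings])."""
    defined = BUILTIN_VRFS | set(re.findall(r"^vrf context (\S+)", config, re.M))
    members = defaultdict(list)
    findings = []
    interface, ip_seen = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                 # a new top-level block
            m = re.match(r"interface (\S+)$", line)
            interface, ip_seen = (m.group(1) if m else None), False
            continue
        if interface is None:                    # inside vrf context, router, etc.
            continue
        if line.startswith("ip address "):
            ip_seen = True
        elif m := re.match(r"vrf member (\S+)$", line):
            vrf = m.group(1)
            members[vrf].append(interface)
            if ip_seen:
                findings.append(f"{interface}: 'ip address' precedes 'vrf member {vrf}'; "
                                "NX-OS removes the address when the VRF is assigned, "
                                "so re-enter it after the vrf member command")
            if vrf not in defined:
                findings.append(f"{interface}: vrf member {vrf} has no matching 'vrf context {vrf}'")
            if vrf == "management" and interface.lower().startswith("ethernet"):
                findings.append(f"{interface}: I/O module port in the management VRF; confirm this "
                                "does not join the out-of-band management network to the data plane")
    return dict(members), findings


if __name__ == "__main__":
    members, findings = analyse(SAMPLE_CONFIG)
    for vrf, ifaces in members.items():
        print(f"{vrf}: {', '.join(ifaces)}")
    for finding in findings:
        print(finding)
```

The management-VRF check is a review prompt rather than an error: NX-OS will accept a front-panel port in the management VRF, but doing so connects whatever is on that port to the same routing table as mgmt0, which usually defeats the point of an out-of-band management network.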
Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable VRF routing. The Cisco NX-OS CLI is simpler and more consistent since it allows multiple VRF instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses different techniques depending on the routing protocol.
Creating a VRF
  Cisco IOS CLI:
    ip cef
    ip vrf vrf-1
  Cisco NX-OS CLI:
    vrf context vrf-1

Assigning an Interface to a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24

Enabling BGP in a VRF
  Cisco IOS CLI:
    router bgp 10
      address-family ipv4 vrf vrf-1
        neighbor 192.168.10.2 remote-as 20
        neighbor 192.168.10.2 activate
        network 192.168.1.1 mask 255.255.255.255
      exit-address-family
  Cisco NX-OS CLI:
    router bgp 10
      vrf vrf-1
        address-family ipv4 unicast
          network 192.168.1.1/32
        neighbor 192.168.10.2 remote-as 20
          address-family ipv4 unicast

Enabling EIGRP in a VRF
  Cisco IOS CLI:
    router eigrp 10
      address-family ipv4 vrf vrf-1
        network 192.168.10.0
        auto-summary
        autonomous-system 10
      exit-address-family
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router eigrp 10
    router eigrp 10
      vrf vrf-1

Enabling ISIS in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
      ip router isis 10
    router isis 10
      vrf vrf-1
      net 49.0001.0000.0001.00
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router isis 10
    router isis 10
      vrf vrf-1
        net 49.0001.0000.0001.00

Enabling OSPF in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
    router ospf 10 vrf vrf-1
      network 192.168.10.0 0.0.0.255 area 0
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router ospf 10 area 0
    router ospf 10
      vrf vrf-1

Enabling RIPv2 in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
    router rip
      address-family ipv4 vrf vrf-1
        network 192.168.10.0
        version 2
      exit-address-family
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router rip 10
    router rip 10
      vrf vrf-1

Configuring Static Routes in a VRF
  Cisco IOS CLI:
    ip route vrf vrf-1 192.168.2.0 255.255.255.0 192.168.10.2
  Cisco NX-OS CLI:
    vrf context vrf-1
      ip route 192.168.2.0/24 192.168.10.2
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting VRF instances.

Cisco NX-OS VRF                  | Cisco IOS Software VRF        | Command Description
show vrf                         | show ip vrf                   | Displays a list of all configured VRF instances
show vrf <name>                  | show ip vrf <name>            | Displays a specific VRF instance
show vrf <name> detail           | show ip vrf detail <name>     | Displays details for a specific VRF instance
show vrf <name> interface        | show ip vrf interface <name>  | Displays the interface assignment for a specific VRF instance
show vrf default                 | -                             | Displays a summary of the default VRF instance
show vrf detail                  | show ip vrf detail            | Displays details for all VRF instances
show vrf interface               | show ip vrf interface         | Displays VRF interface assignments
show vrf management              | -                             | Displays a summary of the management VRF instance
show ip route vrf default        | -                             | Displays routes for the default VRF instance
show ip route vrf management     | -                             | Displays routes for the management VRF instance
show ip route vrf all            | -                             | Displays routes for all VRF instances
show ip route vrf <name>         | show ip route vrf <name>      | Displays routes for a specific VRF instance
show ip arp vrf <name>           | show ip arp vrf <name>        | Displays Address Resolution Protocol (ARP) entries for a specific VRF instance
show ip bgp vrf <name>           | show ip bgp vpnv4 vrf <name>  | Displays BGP information for a specific VRF instance
show isis vrf <name>             | show isis <#>                 | Displays ISIS information for a specific VRF instance
show ip eigrp vrf <name>         | show ip eigrp vrf <name>      | Displays EIGRP information for a specific VRF instance
show ip ospf vrf <name>          | show ip ospf <#>              | Displays OSPF information for a specific VRF instance
show ip static-route vrf <name>  | -                             | Displays static routes for a specific VRF instance
show forwarding vrf <name>       | show ip cef vrf <name>        | Displays FIB information for a specific VRF instance (multiple sub-options)
show routing vrf <name>          | -                             | Displays the unicast routing table for a specific VRF instance (equivalent to show ip route vrf)
show ip rip vrf <name>           | -                             | Displays RIP information for a specific VRF instance
show ip rip database vrf <name>  | -                             | Displays the RIP database for a specific VRF instance
show routing-context             | -                             | Displays the current routing context