Learn Nexus

Learn Nexus In Comparison with IOS By: Prashant Phirke (CCIE R&S)

Table of Contents Configuration Fundamentals.................................................................................................................... 3 Interface Configuration .......................................................................................................................... 10 Port-Channel ......................................................................................................................................... 15 HSRP...................................................................................................................................................... 20 DHCP Relay ............................................................................................................................................ 25 STP ........................................................................................................................................................ 28 EIGRP .................................................................................................................................................... 32 OSPF ...................................................................................................................................................... 37 BGP ....................................................................................................................................................... 42 BGP (Advanced) ..................................................................................................................................... 48 Multicast ............................................................................................................................................... 54 Netflow ................................................................................................................................................. 65 SPAN ..................................................................................................................................................... 70 TACACS+, RADIUS, and AAA ................................................................................................................... 74 Layer-3 Virtualization............................................................................................................................. 79

Learn Nexus

Page 2

Configuration Fundamentals The Cisco NX-OS is a data center class operating system designed for maximum scalability and application availability. The CLI interface for the NX-OS is very similar to Cisco IOS, so if you understand the Cisco IOS you can easily adapt to the Cisco NX-OS. However, a few key differences should be understood prior to working with the Cisco NX-OS.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • •

•

•

•

• •

• •

•

• •

When you first log into the NX-OS, you go directly into EXEC mode. Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS 5.0(2a) introduced privilege levels and two-stage authentication using an enable secret that can be enabled with the global feature privilege configuration command. By default, the admin user has network-admin rights that allow full read/write access. Additional users can be created with very granular rights to permit or deny specific CLI commands. The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults, perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP) security policy. The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced Services license is required depending on the features required. Additional licenses may be required in the future. A 120 day license grace period is supported for testing, but features are automatically removed from the running configuration after the expiration date is reached. The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP, etc… using the feature configuration command. Configuration and verification commands are not available until you enable the specific feature. Interfaces are labeled in the configuration as Ethernet. There aren’t any speed designations. The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical device to be partitioned into logical devices. When you log in for the first time You are in the default VDC (VDC 1). The Cisco NX-OS has two preconfigured VRF instances by default (management, default). The management VRF is applied to the supervisor module out-of-band Ethernet port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet ports. SSHv2 server/client functionality is enabled by default. TELNET server functionality is disabled by default. (The TELNET client is enabled by default and cannot be disabled.) VTY and Auxiliary port configurations do not show up in the default configuration unless a parameter is modified (The Console port is included in the default configuration). The VTY port supports 32 simultaneous sessions and the timeout is disabled by default for all three port types.

Learn Nexus

Page 3

Things You Should Know The following list provides some additional Cisco NX-OS information that should be helpful when configuring and maintaining the Cisco NX-OS. •

• •

• •

The default administer user is predefined as admin. An admin user password has to be specified when the system is powered up for the first time, or if the running configuration is erased with the write erase command and system is repowered. If you remove a feature with the global no feature configuration command, all relevant commands related to that feature are removed from the running configuration. The NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables. The boot variables determine what version of NX-OS is loaded when the system is powered on. (The kickstart and system boot variables have to be configured for the same NX-OS version.) The show running-config command accepts several options, such as OSPF, BGP, etc… that will display the runtime configuration for a specific feature. The show tech command accepts several options that will display information for a specific feature.

Configuration Comparison The following sample code show similarities and differences between the Cisco NX-OS software and the Cisco IOS Software CLI.

Cisco IOS CLI

Cisco NX-OS CLI

Default User Prompt c6500>

n7000#

Entering Configuration Mode c6500# configure terminal

n7000# configure terminal

Saving the Running Config to the Startup Config (nvram) c6500# write memory or

n7000# copy running-config startup-config

c6500# copy running-config startup-config Erasing the startup config (nvram) c6500# write erase Learn Nexus

n7000# write erase Page 4

Installing a License Cisco IOS Software does not require a license file installation.

n7000# install license bootflash:license_file.lic

Interface Naming Convention interface Ethernet 1/1 interface FastEthernet 1/1

interface Ethernet 1/1

interface GigabitEthernet 1/1 interface TenGigabitEthernet 1/1 Default VRF Configuration (management)

Cisco IOS Software doesn’t enable VRFs by vrf context management default. Configuring the Software Image Boot Variables boot kickstart bootflash:/n7000-s1kickstart.4.0.4.bin sup-1 boot system flash sup-bootdisk:s72033ipservicesk9_wan-mz.122-33.SXH1.bin

boot system bootflash:/n7000-s1dk9.4.0.4.bin sup-1 boot kickstart bootflash:/n7000-s1kickstart.4.0.4.bin sup-2 boot system bootflash:/n7000-s1dk9.4.0.4.bin sup-2

Enabling Features Cisco IOS Software does not have the functionality to enable or disable features.

feature ospf

Enabling TELNET (SSHv2 is recommended) Cisco IOS Software enables TELNET by default.

feature telnet

Configuring the VTY Timeout and Session Limit line vty 0 9 Learn Nexus

line vty Page 5

exec-timeout 15 0

session-limit 10

login

exec-timeout 15

Verification Command Comparison The following table compares some useful show commands for verifying the initial system startup and running configuration. Cisco NX-OS

Cisco IOS Software

show startup-config

show startup-config

show running-config -

show interface

Command Description

show running-config

Displays the running configuration

-

-

show interface

Displays the startup configuration

Displays the status for all of the interfaces

show interface ethernet

show interface

Displays the status for a specific interface

show boot

show boot

Displays the current boot variables

show clock

show clock

show clock detail

show clock detail

Displays the system clock and time zone configuration

Displays the summer-time configuration

show environment

show environment

Displays all environment parameters

-

-

show environment clock

-

-

show environment status clock

-

-

Displays clock status for A/B and active clock

show environment cooling fan-tray

Displays fan status

show power

Displays power budget

show environment temperature

show environment temperature

Displays environment data

show log logfile

show log

Displays the local log

show environment fan show environment power

-

Learn Nexus

-

-

Page 6

show log nvram

-

show module

show module

show module uptime

-

show module fabric

-

Displays persistent log messages (severity 0-2) stored in NVRAM

Displays installed modules and their status Displays how long each module has be powered up

Displays fabric modules and their current status

show platform fabricshow fabric utilization Displays the % of fabric utilized per module utilization show process cpu

show process cpu

show process cpu sorted

show process cpu sorted

show process cpu history

-

show process cpu history

Displays the processes running on the CPU

Displays the process history of the CPU in chart form

Displays sorted processes running on the CPU

-

-

show exception

Displays last exception log

show system redundancy status

show redundancy

Displays the supervisors High Availability status

show system uptime

-

-

-

show tech-support

show tech-support

show tech-support

show tech-support

show version

show version

-

-

show line

show line

show line com1

-

show system cores show system exception-info

-

show system resources show process cpu

-

show line console Learn Nexus

-

show line console 0

Displays the core dump files if present

Displays CPU and memory usage data

Displays system and kernel start time (Displays active supervisor uptime) -

Displays system technical information for Cisco TAC

Displays feature specific technical information for Cisco TAC -

Displays running software version, basic hardware, CMP status and system uptime -

Displays console and auxiliary port information Displays auxiliary port information

Displays console port information

Page 7

show line console connected

-

States if the console port is physically connected

show terminal

show terminal

-

-

-

show ip vrf

Displays an specified VRF

show users

show users

show vrf

show ip vrf

show vrf detail

show vrf detail

show vrf

show vrf interface

-

show vrf default

-

show vrf interface

show ip vrf interface

show vrf detail

show vrf detail

show vrf management -

show license host-id

-

show license usage

-

show license usage vdc-all

-

show vdc

-

-

-

show vdc

-

show vdc Learn Nexus

Displays interface assignment for a specified VRF Displays a summary of the default VRF

Displays details for all VRF's

Displays VRF interface assignment

Displays a summary of the management VRF

Displays the license file names installed

-

show vdc membership

Displays details for a specified

-

show license file

show vdc detail

Displays a list of all configured VRFs

-

-

show license usage

Displays current virtual terminal settings

-

show license

show license brief

Displays terminal settings

-

Displays all license file information

Displays license contents based on a specified name

Displays the chassis Host-ID used for creating a license Displays all licenses used by the system

Displays all licenses used by the system per type

Displays all licenses used by the system for all VDCs -

Displays a list of the configured VDC's

Displays a summary of the individual VDC

Displays configuration details for a specific VDC

Displays interface membership for a specific VDC Displays resource allocation for a specific

Page 8

resource

show vdc current-vdc show vdc detail

-

-

show vdc membership show vdc resources

Learn Nexus

-

VDC

Displays the VDC that the user is currently in Displays details information for all VDCs

Displays interface membership for all VDCs

Displays resource allocation for all VDCs

Page 9

Interface Configuration The NX-OS supports different physical and virtual interface types to meet various network connectivity requirements. The different interface types include: layer-2 switched (access or trunk), layer-3 routed, layer-3 routed (sub-interface trunk), switched virtual interface (SVI), port-channel, loopback, and tunnel interfaces.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • • •

SVI command-line interface (CLI) configuration and verification commands are not available until you enable the SVI feature with the feature interface-vlan command. Tunnel interface command-line interface (CLI) configuration and verification commands are not available until you enable the Tunnel feature with the feature tunnel command. Interfaces support stateful and stateless restarts after a supervisor switchover for high availability. Only 802.1q trunks are supported, so the encapsulation command isn't necessary when configuring a layer-2 switched trunk interface. (Cisco ISL is not supported) An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when configuring an IP address on a layer-3 interface. The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2) The out-of-band management ethernet port located on the supervisor module is configured with the interface mgmt 0 CLI command.

Things You Should Know The following list provides some additional facts about the Cisco NX-OS that should be helpful when configuring interfaces. • •

• • •

•

An interface can only be configured in 1 VDC at a time. All 4 interfaces in a port group must be assigned to the same VDC when assigning interfaces on the 32 port 10GE module. There are not any restrictions for the 48 port 1GE modules. 10 GE interfaces can be configured in dedicated mode using the rate-mode dedicated interface CLI command. The default port type is configurable for L3 routed or L2 switched in the setup startup script. (L3 is the default port type prior to running the script) A layer-2 switched trunk port sends and receives traffic for all VLANs by default (This is the same as Cisco IOS Software). Use the switchport trunk allowed vlan interface CLI command to specify the VLANs allowed on the trunk. The clear counters interface ethernet x/x CLI command resets the counters for a specific interface.

Learn Nexus

Page 10

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS Software.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring a Routed Interface interface gigabitethernet 1/1

interface ethernet 1/1

ip address 192.168.1.1 255.255.255.0

ip address 192.168.1.1/24

no shutdown

no shutdown

Configuring a Switched Interface (VLAN 10) vlan 10

vlan 10

interface gigabitethernet 1/1

interface ethernet 1/1

switchport

switchport

switchport mode access

switchport mode access

switchport access vlan 10

switchport access vlan 10

no shutdown

no shutdown

Configuring a Switched Virtual Interface (SVI) Cisco IOS Software does not have the ability to enable or disable SVI interfaces using the feature interface-vlan feature command. interface vlan 10 ip address 192.168.1.1 255.255.255.0 no shutdown

interface vlan 10 ip address 192.168.1.1./24 no shutdown

Configuring a Switched Trunk Interface Learn Nexus

Page 11

interface GigabitEthernet 1/1 switchport

interface ethernet 1/1

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk native vlan 2

switchport trunk allowed vlan 10,20

switchport trunk allowed vlan 10,20

switchport trunk native vlan 2

switchport mode trunk

no shutdown

no shutdown Configuring a Routed Trunk Sub-Interface interface gigabitethernet 1/1 no switchport no shutdown

interface gigabitethernet1/1.10 encapsulation dot1Q 10 ip address 192.168.1.1 255.255.255.0 no shutdown

interface ethernet 1/1 no switchport no shutdown interface ethernet 1/1.10 encapsulation dot1q 10 ip address 192.168.1.1/24 no shutdown

Configuring a Loopback Interface interface loopback 1

interface loopback 1

ip address 192.168.1.1 255.255.255.255

ip address 192.168.1.1/32

no shutdown

no shutdown

Configuring a Tunnel Interface Cisco IOS Software does not have the ability feature tunnel to enable or disable Tunnel interfaces using the feature command.

Learn Nexus

Page 12

interface tunnel 1 interface Tunnel 1

ip address 192.168.1.1/24

ip address 192.168.1.1 255.255.255.0

tunnel source 172.16.1.1

tunnel source 172.16.1.1

tunnel destination 172.16.2.1

tunnel destination 172.16.2.1

no shutdown

no shutdown Configuring an Interface Description interface gigabitethernet 1/1

interface ethernet 1/1

description Test Interface

description Test Interface

Configuring Jumbo Frames

interface gigabitethernet 1/1

interface ethernet 1/1

mtu 9216

mtu 9216

Configuring Multiple Interfaces (Examples) interface range gigabitethernet 1/1-2 or interface range gigabitethernet 1/1, gigabitethernet 2/1

interface ethernet 1/1-1 or interface ethernet 1/1, ethernet 2/1

Verification Command Comparison The following table lists some useful show commands for verifying the status and troubleshooting an interface. Cisco NX-OS Interface

Cisco IOS Software Command Description Interface

show interface

show interface

show interface brief Learn Nexus

Displays the status and statistics for all interfaces or a specific interface

Displays a brief list of the interfaces (type, mode, Page 13

status, speed, MTU)

show interface capabilities

show interface capabilities

show interface debounce

-

Displays the de-bounce status and time in ms for all interfaces

-

Displays all interfaces with configured descriptions

show interface ethernet

show interface interface-type

Displays status and statistics for a specific interface

show interface loopback

show interface loopback

show interface counters

show interface description

show interface flowcontrol

show interface counters

show interface flowcontrol

show interface macaddress

Displays interface capabilities Displays interface counters (input/output unicast, multicast & broadcast)

Displays Flow Control (802.1p) status and state for all interfaces Displays status and statistics for a specific loopback interface

Displays all interfaces and their associated MAC Addresses

Displays status and statistics for the management interface located on the supervisor

show interface mgmt

-

show interface status

show interface status Displays all interfaces and their current status

show interface port- show interface port- Displays status and statistics for a specific portchannel channel channel

show interface switchport

show interface switchport

show interface trunk

show interface trunk Displays a list of all interfaces configured as trunks

show interface transceiver

show interface tunnel <#>

show interface transceiver

show interface tunnel <#>

show interface vlan show interface vlan <#> <#>

Learn Nexus

Displays a list of all interfaces that are configured as switchports Displays a list of all interfaces and optic information (calibrations, details)

Displays status and statistics for a specific tunnel interface

Displays status and statistics for a specific VLAN interface

Page 14

Port-Channel Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology. Port-Channels can be configured in Static Mode (no protocol) or in conjunction with a protocol such as LaCP defined in IEEE 802.3ad or PaGP for dynamic negotiations and keep-alive detection for failover.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • •

256 Port-Channels are supported per chassis LaCP and Static Mode Port-Channels are supported (PaGP is not supported in Cisco NXOS Software). LaCP command-line interface (CLI) configuration and verification commands are not available until you enable the LaCP feature with the feature lacp command. The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (IE: interface ethernet 1/1-2) A Port-Channel can be converted between a layer-2 and layer-3 Port-Channel without removing the member ports. The force keyword can be used when adding an interface to an existing Port-Channel to force the new interface to inherit all of the existing Port-Channel compatibility parameters.

Things You Should Know The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network using Port-Channels. • •

• •

A single Port-Channel cannot connect to two different VDCs in the same chassis. You cannot disable LaCP with the no feature lacp command if LaCP is configured for a Port-Channel. LaCP must be disabled on all Port-Channels prior to disabling LaCP globally. The show port-channel compatibility-parameters CLI command is very useful for verifying interface parameters when configuring Port-Channels. The show port-channel load-balance forwarding-path CLI command can be used to determine the individual link a flow traverses over a specific Port-Channel.

Learn Nexus

Page 15

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS. Cisco NX-OS does not use the range keyword when specifying multiple interfaces. Cisco NX-OS also has the ability to force an interface to inherit existing Port-Channel compatibility parameters using the force keyword.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the LaCP Feature Cisco IOS Software does not have the ability feature lacp to enable or disable LaCP. Configuring LACP Active Mode interface range gigabitethernet 1/1-2

interface ethernet 1/1-2

channel-group 1 mode active

channel-group 1 mode active

Configuring LaCP Passive Mode interface range gigabitethernet 1/1-2

interface ethernet 1/1-2

channel-group 1 mode passive

channel-group 1 mode passive

Configuring Static Mode (no protocol) interface range gigabitethernet 1/1-2

interface ethernet 1/1-2

channel-group 1 mode on

channel-group 1 mode on

Enabling a Port Channel interface port-channel 1

interface port-channel 1

no shutdown

no shutdown

Layer-2 Port-Channel Example interface range gigabitethernet 1/1-2

interface ethernet 1/1-1

switchport

switchport

channel-group 1 mode active

channel-group 1 mode active

Learn Nexus

Page 16

interface port-channel 1

interface port-channel 1

no shutdown

no shutdown

Layer-3 Port-Channel Example interface range gigabitethernet 1/1-2

interface ethernet 1/1-1

no switchport

no switchport

channel-group 1 mode active

channel-group 1 mode active

interface port-channel 1

interface port-channel 1

ip address 192.168.1.1 255.255.255.0

ip address 192.168.1.1/32

no shutdown

no shutdown

Adding an Interface to an Existing Port-Channel Cisco IOS Software does not have the force option, so all interface parameters have to be compatible prior to adding the interface to an existing Port-Channel. interface range gigabitethernet 1/3

interface ethernet 1/3 channel-group 1 force mode active

no switchport channel-group 1 mode active[ Configuring the System Load-Balance Algorithm port-channel load-balance dst-mac

port-channel load-balance ethernet destination-mac

Configuring the Load-Balance Algorithm per Module port-channel per-module load-balance port-channel load-balance dst-mac module 1

Learn Nexus

port-channel load-balance ethernet destination-mac module 1

Page 17

Verification Command Comparison The following table lists some useful show commands for verifying and troubleshooting a PortChannel configuration.

Cisco NX-OS Port-Channels

Cisco IOS Software Port-Channels

show interface

show interface

show interface port-channel show interface port<#> channel <#> -

-

show port-channel capacity

-

show port-channel compatibility-parameters

-

show port-channel database show port-channel loadbalance

show etherchannel loadbalance

Command Description Displays statistics all interfaces or a specific interface

Displays statistics for a specific portchannel -

Displays port-channel resources (total, used, free) Displays the compatibility-parameters (IE: speed, duplex, etc) Displays the aggregation state for one or more port-channels

Displays the load-balancing algorithm (hash) configured

show etherchannel loadbalance hash-result

show port-channel summary

show etherchannel summary

Displays packet forwarding information

show port-channel traffic

-

Displays the load per link in a portchannel (Based in interface counters)

show port-channel usage

-

-

-

show lacp counters

show lacp counters

show lacp interface

-

show lacp neighbors

show lacp neighbors

show lacp port-channel

show lacp

show port-channel loadbalance forwarding-path

Learn Nexus

Displays a summarized list of all portchannels

Displays the range of used and unused port-channel numbers -

Displays the LaCP PDU and error counters

Displays detailed LaCP information per interface Displays detailed LaCP information per neighbor Displays the port-channel LaCP configuration

Page 18

show lacp system-identifier

Learn Nexus

show lacp sys-id

Displays the LaCP system ID (Priority / MAC address)

Page 19

HSRP HSRP is a Cisco proprietary First Hop Redundancy Protocol (FHRP) designed to allow transparent failover for an IP client’s default gateway (first-hop router).

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • •

HSRP command-line interface (CLI) configuration and verification commands are not available until you enable the HSRP feature with the feature hsrp command. HSRP is hierarchical. All related commands for an HSRP group are configured under the group number. The HSRP configuration commands use the format hsrp instead of standby . The HSRP verification commands use the format show hsrp instead of show standby . HSRP supports stateful process restart by default. The hello and hold-time timer ranges for the millisecond options are different. In Cisco NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000 milliseconds.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining HSRP-enabled networks.

• • • • • • •

If you remove the feature hsrp command, all relevant HSRP configuration information is also removed. HSRPv1 is enabled by default (HSRPv2 can be enabled per interface). HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers (0 to 4095). HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a different version on different interfaces. The show running-config hsrp command displays the current HSRP configuration. Configuration of more than one FHRP on an interface is not recommended. Object tracking is supported. Tracking can be configured for an interface’s line protocol state, IP address state, and for IP route reachability (determining whether a route is available in the routing table).

Learn Nexus

Page 20

• • •

An interface can track multiple objects. Secondary IP addresses are supported in the same or a different group as the interface’s primary IP address. Load sharing can be accomplished by using multiple HSRP groups per interface.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for configuration and verification commands. Both enhancements make the configuration easier to read.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the HSRP Feature Cisco IOS Software does not have the ability feature hsrp to enable or disable HSRP. Configuring HSRP on an Interface interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1

interface Ethernet2/1 ip address 192.168.10.2/24 hsrp 0 ip 192.168.10.1

Configuring the priority and preempt Options interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1 standby 0 priority 110 standby 0 preempt Learn Nexus

interface Ethernet2/1 ip address 192.168.10.2/24 hsrp 0 preempt priority 110 Page 21

ip 192.168.10.1 Modifying the Hello and Holdtime Timers (Seconds) interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1 standby 0 timers 1 3

interface Ethernet2/1 ip address 192.168.10.2/24 hsrp 0 timers 1 3 ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Milliseconds) interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1 standby 0 timers msec 250 msec 750

interface Ethernet2/1 ip address 192.168.10.2/24 hsrp 0 timers msec 250 msec 750 ip 192.168.10.1

Configuring MD5 Authentication interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1 standby 0 authentication md5 key-string cisco123

interface Ethernet2/1 ip address 192.168.10.2/24 hsrp 0 authentication md5 key-string cisco123 ip 192.168.10.1

Configuring HSRP Version 2 on an Interface interface Ethernet2/1

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

ip address 192.168.10.2/24

standby version 2

hsrp version 2

Configuring Minimum and Reload Initialization Delay Learn Nexus

Page 22

interface Ethernet2/1

interface Ethernet2/1

ip address 192.168.10.2 255.255.255.0

ip address 192.168.10.2/24

standby delay minimum 5 reload 10

hsrp delay minimum 5 reload 10

Configuring Object Tracking (Interface Line-Protocol) track 1 interface Ethernet2/2 line-protocol

track 1 interface ethernet 2/2 line-protocol interface Ethernet2/1

interface Ethernet2/1 ip address 192.168.10.2 255.255.255.0 standby 0 ip 192.168.10.1 standby 0 track 1 decrement 20

ip address 192.168.10.2/24 hsrp 0 track 1 decrement 20 ip 192.168.10.1

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting an HSRP configuration.

Cisco NX-OS HSRP

Cisco IOS Software HSRP

show hsrp

show standby <#>

show hsrp active

-

show hsrp delay

-

show hsrp group

-

show hsrp init

-

show hsrp brief

Learn Nexus

show standby brief

Command Description Displays detailed information for all HSRP groups

Displays all of the groups in the “active” state

Displays a summary of all the HSRP groups

Displays minimum and maximum delay times for preempting

Displays detailed information for a specified group Displays all the groups in the "init" state

Page 23

show hsrp interface

-

show hsrp learn

-

show hsrp speak

-

show hsrp listen

-

show hsrp standby

-

show hsrp summary

-

-

-

show track brief

show track brief

show track

show track interface show track ip

Learn Nexus

show track

show track interface show track ip

Displays detailed information for a specific interface Displays all the groups in the "learn" state

Displays all the groups in the "listen" state

Displays all the groups in the "speak" state

Displays all the groups in the "standby" state

Displays summary information for HSRP groups -

Displays the configured tracked objects Displays a brief list of tracked objects

Displays the status of tracked interfaces

Displays the IP protocol objects that are tracked

Page 24

DHCP Relay The DHCP Relay feature was designed to forward DHCP broadcast requests as unicast packets to a configured DHCP server or servers for redundancy.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • •

•

DHCP command-line interface (CLI) configuration and verification commands are not available until you enable the DCHP feature with the feature dhcp command. The DHCP service is not enabled by default, whereas it is enabled by default in Cisco IOS Software. The DHCP-Relay command ip dchp relay address is equivalent to the ip helperaddress command in Cisco IOS Software. Only packets destined to User Datagram (UDP) port 67 (Bootps) and 68 (Bootpc) are forwarded by the relay, whereas Cisco IOS Software forwards additional protocols (Trivial File Transfer Protocol [TFTP], Domain Name System [DNS], Time, NetBios, and Neighbor Discovery). The Cisco NX-OS cannot act as a DHCP server.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining networks with the DHCP-Relay feature. • • • • • • •

If you remove the feature dhcp command, all relevant DHCP configuration information is also removed. Prior to NX-OS 4.2(1), the service dhcp command enabled the DHCP Relay feature. In NX-OS 4.2(1) the command was changed to ip dhcp relay. Sixteen DHCP Relay addresses can be configured per interface. DHCP packets are always forwarded through DHCP Relay in the same Virtual Route Forwarding (VRF) instance assigned to the interface. Assign a DHCP Relay to every interface that may have a client, even if the server resides in the same Layer-2 broadcast domain (VLAN). - This has been fixed in 4.2(1) software. DHCP Option 82 information can be configured with the ip dhcp relay information option global command. The DHCP Relay configuration can be verified with the show ip dhcp relay address command.

Learn Nexus

Page 25

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: in Cisco NX-OS, the DHCP feature must be enabled, and the DHCP service is not enabled by default.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the DHCP Feature Cisco IOS Software does not have the ability feature dhcp to enable or disable DHCP. Enabling the DHCP Service Cisco IOS Software enables service dhcp by default.

ip dhcp relay

Configuring DHCP Relay for an Interface interface Ethernet2/1

interface Ethernet2/1

ip address 192.168.10.1 255.255.255.0

ip address 192.168.10.1/24

ip helper-address 1.1.1.1

ip dhcp relay address 1.1.1.1

Configuring Option 82 Information ip dhcp relay information option

ip dhcp relay information option

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting the DHCP-Relay feature.

Cisco NX-OS DHCPRelay show ip dhcp relay address show ip dhcp relay Learn Nexus

Cisco IOS Software DHCP-Relay -

Command Description Displays a list of DHCP-Relay(s) configured for all interfaces

Displays the DHCP-Relay(s) configured Page 26

address interface

Learn Nexus

for a specific interface

Page 27

STP STP is a standards based link-layer protocol originally defined in IEEE 802.1d that runs on switches to prevent forwarding loops when using redundant layer-2 network topologies. Newer variants of STP have been developed called Rapid Spanning Tree protocol (RSTP) defined in IEEE 802.1w and Multiple Spanning Tree protocol (MST) defined in IEEE 802.1s that are enhanced for better scalability and converge faster than the original version.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • •

Rapid-PVST+ and the MST protocols are supported. Rapid-PVST+ is enabled by default. High availability is achieved with stateful switchover when two supervisors are installed in a chassis. The STP port types are identified with the port type designation as opposed to the portfast designation in Cisco IOS Software.

Things You Should Know The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network configured with the STP.

• • • • • • •

Rapid-PVST+ is interoperable with the 802.1d STP. Rapid-PVST+ is interoperable with MST. (This is enabled by default) Only one STP can be enabled per VDC. Bridge Assurance is enabled globally by default, but is disabled on an interface by default. Bridge Assurance can be enabled for an interface using the spanning-tree port type network interface command. The clear spanning-tree counters command clears the counters for an STP interface or a VLAN. STP enhancements such as BPDU Guard, Loop Guard, Root Guard, and BPDU Filtering are supported.

Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software

Learn Nexus

Page 28

• • • • • •

Do not disable STP. Even if the layer-2 topology does not require STP, it should always be enabled as a safeguard for configuration and/or cabling errors. Changing the STP mode can disrupt traffic. Enabling Bridge Assurance is recommended. However, only enable Bridge Assurance on layer-2 links if both devices on each end of the link support it. Typically the core/backbone devices should be configured as the primary and secondary root bridges. The default bridge priority is 32,768 (plus the VLAN #). The lower the value, the more likely it will become the root bridge. Configure 802.1q trunk ports as edge trunk port type when connecting to L3 hosts such as firewalls, load-balancers, or servers for faster convergence.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type terminology. The Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port type designation.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring VLANs vlan 10,20

vlan 10,20

Configuring Rapid PVST+ spanning-tree mode rapid-pvst

Rapid-PVST is enabled by default. spanning-tree mode rapid-pvst

Configuring the Rapid-PVST+ Bridge Priority spanning-tree vlan 10 root primary

spanning-tree vlan 10 root primary

spanning-tree vlan 20 root secondary

spanning-tree vlan 20 root secondary

Configuring MST spanning-tree mode mst

spanning-tree mode mst

Configuring a MST Instance Learn Nexus

Page 29

spanning-tree mst configuration

spanning-tree mst configuration

instance 1 vlan 10

instance 1 vlan 10

instance 2 vlan 20

instance 2 vlan 20

Configuring the MST Bridge Priority spanning-tree mst 1 root primary

spanning-tree mst 1 root primary

spanning-tree mst 2 root secondary

spanning-tree mst 2 root secondary

Configuring STP Port Types Globally spanning-tree portfast edge default

spanning-tree port type edge default

or

or

spanning-tree portfast network default

spanning-tree port type network default

Configuring STP Port Types per Interface interface GigabitEthernet1/1

interface ethernet 1/1

switchport

switchport

spanning-tree portfast edge

spanning-tree port type edge

or

or

spanning-tree portfast network

spanning-tree port type network

or

or

spanning-tree portfast disable

spanning-tree port type normal

Configuring a Trunk as an Edge Port Type interface GigabitEthernet1/1

interface ethernet 1/1

switchport

switchport

spanning-tree portfast edge trunk

spanning-tree port type edge trunk

Disabling PVST Simulation Globally no spanning-tree mst simulate pvst global Learn Nexus

no spanning-tree mst simulate pvst global Page 30

Disabling PVST Simulation per Port interface GigabitEthernet1/1

interface ethernet 1/1

switchport

switchport

spanning-tree mst simulate pvst disable

spanning-tree mst simulate pvst disable

Verification Command Comparison The following table lists some useful show commands for verifying and troubleshooting a STP network configuration. The show commands are identical for Cisco IOS and Cisco NX-OS Software. Cisco NX-OS STP

Cisco IOS Software STP Command Description

show spanning-tree

show spanning-tree

show spanning-tree active

show spanning-tree active Displays all ports in the active state

show spanning-tree blockedports

show spanning-tree blockedports

show spanning-tree detail

show spanning-tree detail

show spanning-tree interface

show spanning-tree interface

show spanning-tree mst

show spanning-tree mst

show spanning-tree mst configuration

show spanning-tree mst configuration

show spanning-tree mst detail

show spanning-tree root show spanning-tree summary

show spanning-tree vlan

Learn Nexus

show spanning-tree mst detail

show spanning-tree root show spanning-tree summary

show spanning-tree vlan

Displays high level STP process information

Displays all ports in the blocked state Displays detailed information per STP instance

Displays detailed STP information for a specific interface

Displays high-level MST configuration

Displays the MST instance configuration Displays detailed MST information

Displays STP root information Displays STP summary information Displays per VLAN STP information

Page 31

EIGRP EIGRP is a Cisco proprietary hybrid distance vector routing protocol used to exchange network reachability information within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • • •

•

•

•

EIGRP command-line interface (CLI) configuration and verification commands are not available until you enable the EIGRP feature with the feature eigrp command. The EIGRP protocol requires the Enterprise Services license. The EIGRP instance can consist of 20 characters. Cisco IOS Software supports numbers 1- 65536. Eight equal-cost paths are supported by default; Cisco NX-OS supports up to 16. Route auto-summarization is disabled by default. Networks and interfaces are added to an EIGRP instance under the interface configuration mode. If a router ID is not manually configured, the loopback-0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address for the first physical interface in the configuration. A default route can be generated with the default-information originate command, whereas Cisco IOS Software requires additional CLI commands to achieve similar results. When interface authentication is configured, the EIGRP key is encrypted with Data Encryption Standard 3 (3DES) in the configuration. Cisco IOS Software requires the service password command. Distribute-lists used to filter routes from routing updates are applied under the interface with the ip distribute-list eigrp command, as opposed to under the EIGRP router instance.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an EIGRP network.

• •

Four EIGRP instances can be configured per virtual device context (VDC). Numerous Virtual Route Forwarding (VRF) instances can be associated with an EIGRP instance.

Learn Nexus

Page 32

• •

• • • • •

If the feature eigrp command is removed, all relevant EIGRP configuration information is also removed. The shutdown command can be used to disable an EIGRP instance while retaining the configuration. This feature can also be applied per interface with the ip eigrp shutdown command. The show running-config eigrp command displays the current EIGRP configuration. An EIGRP instance can be restarted with the restart eigrp command. Graceful restart (RFC 3623) is enabled by default. Multiple EIGRP instances can be configured on the same interface. Secondary IP addresses are advertised by default and cannot be suppressed per interface.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows EIGRP to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read. In addition, Cisco NX-OS has the capability to generate a default route, whereas Cisco IOS Software requires additional CLI commands to achieve similar results.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the EIGRP Feature Cisco IOS Software does not have the ability feature eigrp to enable or disable EIGRP. Configuring an EIGRP Instance and Router ID router eigrp 10

router eigrp 10

eigrp router-id 192.168.1.1

router-id 192.168.1.1

Associating a Network with an EIGRP Instance router eigrp 10 network 192.168.10.0

interface Ethernet2/1 ip address 192.168.10.1/24 ip router eigrp 10

Configuring a Passive Interface Learn Nexus

Page 33

router eigrp 10 network 192.168.10.0 passive-interface GigabitEthernet2/1

interface Ethernet2/1 ip address 192.168.10.1/24 ip router eigrp 10 ip passive-interface eigrp 10

Configuring Interface Authentication (MD5) key chain eigrp-key key chain eigrp-key key 1 key-string cisco123

key 1 key-string 7 070c285f4d06485744 interface Ethernet2/1

ip address 192.168.10.1/24 interface GigabitEthernet2/1 ip address 192.168.10.1 255.255.255.0 ip authentication ip router eigrp 10 mode eigrp 10 md5 ip authentication keychain eigrp 10 eigrp-key ip authentication mode eigrp 10 md5 ip authentication key-chain eigrp 10 eigrpkey Configuring an EIGRP Distribution List to Filter Routes ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24 router eigrp 10 network 192.168.10.0 distribute-list prefix eigrp-10-list out GigabitEthernet2/1

ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24 interface Ethernet2/1 ip address 192.168.10.1/24 ip router eigrp 10 ip distribute-list eigrp 10 prefix-list eigrp10-list out

Configuring Route Summarization interface GigabitEthernet2/1

Learn Nexus

interface Ethernet2/1

Page 34

ip address 192.168.10.1 255.255.255.0

ip address 192.168.10.1/24

ip summary-address eigrp 10 159.142.0.0 255.255.0.0 5

ip router eigrp 10 ip summary-address eigrp 10 159.142.0.0/16

Generating A Default Route (Conditional) Cisco IOS Software doesn’t have the same CLI to generate a default route, but redistribution or the ip summary address command can be used to achieve similar results.

router eigrp 10 default-information originate

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting an EIGRP network configuration.

Cisco NX-OS EIGRP

Cisco IOS Software EIGRP

show ip eigrp

show ip eigrp <#>

show ip eigrp accounting

-

Command Description Displays all EIGRP information for a specified process

Displays the number of prefixes that each neighbor advertised

show ip eigrp interfaces

show ip eigrp interfaces Displays interfaces configured for EIGRP

show ip eigrp neighbors

show ip eigrp neighbors

Displays currently connected neighbors

show ip eigrp policy

-

Displays redistribution statistics for the specified protocol

show ip eigrp interfaces detail

show ip eigrp neighbors detail

Learn Nexus

show ip eigrp interfaces Displays detailed interface information detail

show ip eigrp neighbors detail

Displays connected neighbors and associated details

Page 35

show ip eigrp route

-

Displays EIGRP routes

show ip eigrp traffic

show ip eigrp traffic

Displays statistics related to EIGRP

show ip eigrp topology show ip eigrp topology Displays the EIGRP topology table

Learn Nexus

Page 36

OSPF OSPFv2 is an IETF (RFC 2328) standards-based dynamic link-state routing protocol used to exchange network reachability within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • • •

• •

• •

•

•

OSPF command-line interface (CLI) configuration and verification commands are not available until you enable the OSPF feature with the feature ospf command. The OSPF protocol requires the Enterprise Services license. The OSPF instance can consists of 20 characters, whereas the IOS supports numbers 1 – 65536. Eight equal-cost paths are supported by default. You can configure up to sixteen. The default reference bandwidth used in the OSPF cost calculation is 40 Gbps. Networks and interfaces are added to an OSPF instance under the interface configuration mode. An OSPF area can be configured using decimal or decimal dotted notation, but it is always displayed in decimal dotted notation in the configuration and in the show command output. Passive interfaces are applied to the interface as opposed to under the OSPF router instance. If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address for the first physical interface in the configuration. Neighbor adjacency changes are not logged by default. The log-adjacency-changes CLI command is required under the OSPF instance. When interface authentication is configured, the OSPF key is encrypted with Data Encryption Standard 3 (3DES) in the configuration. Cisco IOS Software requires the service password command. When you rollover an OSPF authentication key in a combined Cisco NX-OS/Cisco IOS network, you should configure both keys on the Cisco NX-OS router to ensure that there is sufficient overlap between the old key and the new key for a smooth transition to the new key. You should configure the new key as a valid accept key on all the NX-OS and IOS routers before the new key becomes a valid generation key in the keychain. During the overlap period, Cisco NX-OS transmits the new OSPF key and accepts OSPF authenticated packets from both the old key and the new key. The NX-OS does not support distribute-lists used to remove OSPF routes from the routing table. The NX-OS does support inter-area LSA/route filtering using the filter-list command configured under the OSPF routing instance.

Learn Nexus

Page 37

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an OSPF network.

• • • •

• • • • • • • •

Four OSPF instances can be configured per virtual device context (VDC). Numerous Virtual Route Forwarding (VRF) instances can be associated to an OSPF instance. If you remove the feature ospf command, all relevant OSPF configuration information is also removed. The shutdown command under the OSPF process can be used to disable OSPF while retaining the configuration. Similar functionality can also be applied per interface with the ip ospf shutdown command. The show running-config ospf command displays the current OSPF configuration. An OSPF instance can be restarted with the restart ospf command. Graceful Restart (RFC 3623) is enabled by default. OSPF supports stateful process restarts if two supervisors are present. You cannot configure multiple OSPF instances on the same interface. An interface can support multi-area adjacencies using the multi-area option with the ip router ospf interface command. Secondary IP addresses are advertised by default, but can be suppressed per interface with the ip router ospf area <#> secondaries none interface command. By default all loopback IP address subnet masks are advertised in an LSA as a /32. The loopback interface command ip ospf advertise-subnet can be configured to advertise the primary IP address subnet mask. (This command does not apply to secondary IP addresses. They will still be advertised as a /32.)

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS allows OSPF to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the OSPF Feature Cisco IOS Software does not have the ability feature ospf Learn Nexus

Page 38

to enable or disable OSPF. Configuring an OSPF Instance and Router ID router ospf 10

router ospf 10

router-id 192.168.1.1

router-id 192.168.1.1

Associating a Network with an OSPF Instance and Area router ospf 10 network 192.168.1.0 0.0.0.255 area 1

interface Ethernet2/1 ip address 192.168.10.1/24 ip router ospf 10 area 1

Configuring a Passive Interface router ospf 10 passive-interface GigabitEthernet2/1 network 192.168.1.0 0.0.0.255 area 1

interface Ethernet2/1 ip address 192.168.11.1/24 ip ospf passive-interface ip router ospf 10 area 0

Configuring Interface Authentication (MD5) interface GigabitEthernet2/1 ip address 192.168.10.1 255.255.255.0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 cisco123

interface Ethernet2/1 ip address 192.168.10.1/24 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b ip router ospf 10 area 1

Configuring a Stub Area with the no summary Option router ospf 10

router ospf 10

area 2 stub no-summary

area 2 stub no-summary

Creating a Not-So-Stubby Area (NSSA) and Generating a Default Route Learn Nexus

Page 39

router ospf 10

router ospf 10

area 3 nssa default-information-originate

area 3 nssa default-information-originate

Configuring Inter-Area and External Summarization router ospf 10

router ospf 10

area 0 range 159.142.0.0 255.255.0.0 summary-address 172.16.0.0 255.255.0.0

area 0 range 159.142.0.0/16 summaryaddress 172.16.0.0/16

Generating a Default Route (Conditional) router ospf 10

router ospf 10

default-information originate

default-information originate

Generating a Maximum Metric (Max-Metric) Value router ospf 10

router ospf 10

max-metric router-lsa

max-metric router-lsa

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting an OSPFv2 network configuration.

Cisco NX-OS OSPFv2 show ip ospf

show ip ospf borderrouters

show ip ospf database show ip ospf interface show ip ospf interface detail Learn Nexus

Cisco IOS Software OSPFv2

Command Description

show ip ospf borderrouters

Displays a list of border routers

show ip ospf

Displays the running configuration

show ip ospf database Displays OSPF database information show ip ospf interface Displays OSPF database information -

Displays additional packet statistics for each interface Page 40

show ip ospf memory

-

Displays the memory allocated for OSPF

show ip ospf neighbors

Displays neighbor-specific information

show ip ospf policy statistics

-

Displays redistribution statistics for a specified protocol

show ip ospf retransmission list

show module

Displays installed modules and their status

-

Displays all routes learned through OSPF

show ip ospf neighbor show ip ospf neighbor detail

show ip ospf request list

show ip ospf route

show ip ospf statistics

show ip ospf neighbor Displays details for each OSPF neighbor detail

show ip ospf request list

show ip ospf statistics Displays OSPF LSA statistics

show ip ospf summary- show ip ospf summary-address address show ip ospf traffic

show ip ospf traffic

show ip ospf vrf

-

Learn Nexus

Displays a list of link-state advertisements (LSAs) that have been requested

Displays OSPF-summarized networks Displays OSPF-related packet counters

Displays information for a specified OSPF VRF instance

Page 41

BGP BGPv4 is a standard Exterior Routing Protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This document covers the features required for basic connectivity.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • • • •

• •

BGP CLI configuration and verification commands are not available until you enable the BGP feature with the feature bgp command. The BGP protocol requires an Enterprise Services license. Autonomous system numbers can be configured as 16 or 32 bit values. Address families need to be explicitly enabled (IE: IPv4 unicast, IPv6 unicast, etc…) By default, eBGP supports 8 Equal Cost Paths and iBGP supports 1. The Cisco NX-OS supports up to 16 Equal Cost Paths for both eBGP and iBGP. Automatic Route Summarization and Synchronization are disabled by default. BGP consists of a hierarchical configuration based on neighbors and address families. If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address for the first physical interface in the configuration. Neighbor logging is not enabled by default under the BGP instance. Neighbor logging can be enabled with the log-neighbor-changes command. When neighbor authentication is configured, the BGP key is 3DES encrypted in the configuration. Cisco IOS Software requires the service password command to encrypt it in the configuration.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a BGP network.

• • • •

One BGP instances can be configured per Virtual Device Context (VDC). Numerous Virtual Route Forwarding (VRF) instances can be associated to a BGP instance. If the feature bgp command is removed, all relevant BGP configuration information is also removed. Network statements must be configured under their respective address-family configuration mode when advertising them via BGP.

Learn Nexus

Page 42

• • • •

The shutdown command under the BGP instance can be used to disable BGP while retaining the configuration. The show running-config bgp command displays the current BGP configuration. A BGP instance can be restarted with the restart bgp command. Graceful Restart (RFC 3623) is enabled by default.

Configuration Comparison The following sample configuration code similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: The Cisco NX-OS allows BGP to be enabled and disabled globally. It utilizes a hierarchical configuration that makes it easier to read. The Cisco NX-OS does not enable any address families by default. Each addressfamily needs to be explicitly enabled. The following examples demonstrate this using the IPv4 unicast address family.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the BGP Feature Cisco IOS Software does not have the functionality to enable or disable BGP.

feature bgp

Configuring a BGP Instance and Router ID router bgp 10

router bgp 10

bgp router-id 192.168.1.1

router-id 192.168.1.1

Configuring a BGP Neighbor (Internal) router bgp 10 neighbor 192.168.2.1 remote-as 10 neighbor 192.168.2.1 update-source Loopback0

router bgp 10 neighbor 192.168.2.1 remote-as 10 update-source loopback0 address-family ipv4 unicast

Configuring a BGP Neighbor (External) router bgp 10 neighbor 192.168.10.2 remote-as 11 Learn Nexus

router bgp 10 Page 43

neighbor 192.168.10.2 remote-as 11 address-family ipv4 unicast Advertising a Network in an Address Family (IPv4) router bgp 10 router bgp 10

address-family ipv4 unicast

network 159.142.1.0 mask 255.255.255.0

network 159.142.1.0/24

network 159.142.254.0 mask 255.255.255.0

network 159.142.254.0/24

neighbor 192.168.10.2 remote-as 11

neighbor 192.168.10.2 remote-as 11 address-family ipv4 unicast

Configuring Neighbor Authentication (MD5) router bgp 10 neighbor 192.168.10.2 remote-as 11 neighbor 192.168.10.2 password cisco123

router bgp 10 neighbor 192.168.10.2 remote-as 11 password 3 a667d47acc18ea6b address-family ipv4 unicast

Configuring an Aggregate Address (Summary-Only) router bgp 10 router bgp 10

address-family ipv4 unicast

network 159.142.1.0 mask 255.255.255.0

network 159.142.1.0/24

network 159.142.254.0 mask 255.255.255.0

network 159.142.254.0/24

aggregate-address 159.142.0.0 255.255.0.0 summary-only

aggregate-address 159.142.0.0/16 summaryonly

neighbor 192.168.10.2 remote-as 11

neighbor 192.168.10.2 remote-as 11 address-family ipv4 unicast

Learn Nexus

Page 44

Generating a Default Route for a Neighbor router bgp 10

router bgp 10 neighbor 192.168.10.2 remote-as 11 neighbor 192.168.10.2 default-originate

neighbor 192.168.10.2 remote-as 11 address-family ipv4 unicast default-originate

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.

Cisco NX-OS BGP

Cisco IOS Software BGP

show ip bgp

show ip bgp

show ip bgp x.x.x.x

show ip bgp x.x.x.x

show ip bgp x.x.x.x vrf

-

show ip bgp x.x.x.x/len

show ip bgp x.x.x.x mask

show ip bgp x.x.x.x/len longer-prefix

show ip bgp x.x.x.x mask Displays a prefix in the table with longer-prefix longer prefixes

show ip bgp all

show ip bgp all

show ip bgp community

show ip bgp community <#>

show ip bgp community show ip bgp community internet Learn Nexus

-

Command Description Displays BGP Process and BGP table entries

Displays a specific network in the BGP table

Displays a network in a specified VRF BGP table Displays a specific prefix in the BGP table

Displays the BGP table for all protocol families Displays routes with a specific regular expression Displays routes with a specific community value

Displays BGP routes advertised to the Internet Page 45

show ip bgp community no-advertise show ip bgp community no-export show ip bgp community no-export-spoofed show ip bgp dampening dampened-paths

show ip bgp community no-advertise

show ip bgp community no-export show ip bgp dampening dampened-paths

Displays BGP routes not advertised to peers

Displays BGP routes not exported to next AS

Displays BGP routes not sent to outside local AS

Displays all Dampened paths Displays flap statistics for BGP routes

show ip bgp dampening history-paths

show ip bgp dampening flap-statistics

-

Displays all history paths

show ip bgp dampening parameters

show ip bgp dampening parameters

Displays all of the Dampening parameters

show ip bgp filter-list

show ip bgp filter-list

show ip bgp dampening flap-statistics

show ip bgp flap-statistics -

show ip bgp ipv4 multicast show ip bgp ipv4 multicast

Displays all routes matching a specified filter list Displays all BGP route flap statistics

Displays BGP IPv4 multicast address families

show ip bgp ipv4 unicast

show ip bgp ipv4 unicast Displays BGP IPv4 unicast address families

show ip bgp neighbors x.x.x.x

show ip bgp neighbors x.x.x.x

show ip bgp neighbors

show ip bgp neighbors

show ip bgp nexhop x.x.x.x -

Displays detailed neighbor information Displays detailed information for a neighbor

Displays all routes matching a specified next-hop

show ip bgp paths

show ip bgp paths

show ip bgp peer-policy

-

show ip bgp peer-session

-

show ip bgp peer-template

show ip bgp unicast ipv4 Displays information about a peer template template

show ip bgp prefix-list

show ip bgp prefix-list

show ip bgp regexp

show ip bgp regexp

Learn Nexus

Displays all BGP paths

Displays BGP peer policy by specified name

Displays information about a peer session

Displays routes matching a specified prefix-list Displays routes matching a regularexpression

Page 46

show ip bgp route-map

show ip bgp route-map

show ip bgp summary

show ip bgp summary

show ip bgp vrf

show ip bgp vpnv4 vrf

Learn Nexus

Displays BGP routes matching a routemap Displays a summary list of neighbors and statistics

Displays information for a specified BGP VRF

Page 47

BGP (Advanced) BGPv4 is a standard exterior routing protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This document discusses route reflectors, confederations, peer templates, route-map policies and the prefix-lists feature.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • •

When configuring route reflectors, the route-reflector-client command is assigned per neighbor under the neighbor-specific address family. When configuring confederations, the confederation is configured under the autonomous system without the leading bgp keyword. Cisco NX-OS uses a peer template instead of a peer group to reuse common BGP policies. Multiple policy templates can be applied to a single neighbor. Cisco IOS Software allows only one policy template per neighbor. Cisco NX-OS does not require a manual reset for a neighbor when its routing policy is modified. Cisco IOS Software requires a hard or soft reset depending on the neighbor capabilities exchanged.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an advanced BGP network configuration.

• • • • • • • •

Peer and session templates define neighbor attributes such as security passwords, timers, and transport options. Peer templates and session templates have identical configuration capabilities with one exception: peer templates can configure address families. Peer and session templates are inherited by a neighbor through the BGP neighbor configuration mode. Only one peer template and session template can be inherited by a single BGP neighbor. Peer templates can inherit session templates. Session templates can inherit other session templates. Policy templates define address-family policies for inbound or outbound polices, including default-route origination, filter lists, route-map polices, prefix lists, etc. Multiple policy templates can be assigned per neighbor. Policy templates are executed in order based on the configured sequence number.

Learn Nexus

Page 48

• • •

Policy templates are inherited by a neighbor through the neighbor and address-family configuration mode. Route-map polices can configure BGP attributes such as as-path, community lists, community attributes, dampening, local preference, metric type, origin, and weight. Route-map polices can be applied per neighbor for inbound and outbound routing policies.

Configuration Comparison The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations are very similar with the exception of the hierarchy used in Cisco NX-OS.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring a Route-Reflector router bgp 10 no synchronization network 192.168.11.1 mask 255.255.255.255 neighbor 192.168.2.1 remote-as 10 neighbor 192.168.2.1 update-source Loopback0 neighbor 192.168.2.1 route-reflector-client no auto-summary

router bgp 10 address-family ipv4 unicast network 192.168.11.1/32 neighbor 192.168.2.1 remote-as 10 update-source loopback0 address-family ipv4 unicast route-reflector-client

Configuring Confederations router bgp

router bgp 65534

no synchronization

confederation identifier 10

bgp confederation identifier 10

confederation peers 65535

Learn Nexus

Page 49

bgp confederation peers 65535

address-family ipv4 unicast

network 192.168.11.1 mask 255.255.255.255

network 192.168.11.1/32

neighbor 192.168.10.2 remote-as 65535

neighbor 192.168.10.2 remote-as 65535

no auto-summary

address-family ipv4 unicast

Configuring a Peer Template router bgp 10 no synchronization network 192.168.11.1 mask 255.255.255.255 neighbor IBGP-Template peer-group neighbor IBGP-Template password cisco123 neighbor IBGP-Template update-source Loopback0 neighbor 192.168.2.1 remote-as 10 neighbor 192.168.2.1 peer-group IBGPTemplate no auto-summary

router bgp 10 address-family ipv4 unicast network 192.168.11.1/32 template peer IBGP-Template password 3 a667d47acc18ea6b update-source loopback0 address-family ipv4 unicast neighbor 192.168.2.1 remote-as 10 inherit peer IBGP-Template

Configuring a Policy Template router bgp 10 template peer-policy EBGP-Policy default-originate send-community exit-peer-policy no synchronization Learn Nexus

router bgp 10 address-family ipv4 unicast network 192.168.11.1/32 template peer-policy EBGP-Policy send-community default-originate

Page 50

network 192.168.11.1 mask 255.255.255.255

neighbor 192.168.10.2 remote-as 20

neighbor 192.168.10.2 remote-as 20

address-family ipv4 unicast

neighbor 192.168.10.2 inherit peer-policy EBGP-Policy

inherit peer-policy EBGP-Policy 10

no auto-summary Configuring an Outbound Neighbor Route-Map Policy route-map EBGP-Policy permit 10 set as-path prepend 10 10 10 router bgp 10 no synchronization network 192.168.11.1 mask 255.255.255.255 neighbor 192.168.10.2 remote-as 20 neighbor 192.168.10.2 route-map EBGPPolicy out no auto-summary

route-map EBGP-Policy permit 10 set as-path prepend 10 10 10 router bgp 10 address-family ipv4 unicast network 192.168.11.1/32 neighbor 192.168.10.2 remote-as 20 address-family ipv4 unicast route-map EBGP-Policy out

Configuring an Outbound Prefix-List ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32 router bgp 10 no synchronization neighbor 192.168.10.2 remote-as 20 neighbor 192.168.10.2 prefix-list EBGPPolicy out no auto-summary Learn Nexus

ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32 router bgp 10 neighbor 192.168.10.2 remote-as 20 address-family ipv4 unicast prefix-list EBGP-Policy out

Page 51

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.

Cisco NX-OS BGP

Cisco IOS Software BGP

show ip bgp

show ip bgp

show ip bgp x.x.x.x

show ip bgp x.x.x.x

show ip bgp x.x.x.x vrf

-

show ip bgp x.x.x.x/len

show ip bgp x.x.x.x mask

show ip bgp x.x.x.x/len longer-prefix

show ip bgp x.x.x.x mask Displays a prefix in the table with longer-prefix longer prefixes

show ip bgp all

show ip bgp all

show ip bgp community

show ip bgp community <#>

show ip bgp community

-

show ip bgp community internet

-

show ip bgp community no-export

show ip bgp community no-export

show ip bgp community no-advertise

show ip bgp community no-advertise

show ip bgp community no-export-spoofed

-

show ip bgp dampening dampened-paths show ip bgp dampening flap-statistics show ip bgp dampening history-paths Learn Nexus

show ip bgp dampening dampened-paths

Command Description Displays BGP Process and BGP table entries

Displays a specific network in the BGP table

Displays a network in a specified VRF BGP table Displays a specific prefix in the BGP table

Displays the BGP table for all protocol families

Displays routes with a specific regular expression Displays routes with a specific community value

Displays BGP routes advertised to the Internet

Displays BGP routes not advertised to peers Displays BGP routes not exported to next AS

Displays BGP routes not sent to outside local AS Displays all Dampened paths

show ip bgp dampening flap-statistics

Displays flap statistics for BGP routes

-

Displays all history paths Page 52

show ip bgp dampening parameters

show ip bgp dampening parameters

show ip bgp filter-list

show ip bgp filter-list

show ip bgp flap-statistics -

show ip bgp ipv4 multicast show ip bgp ipv4 multicast

Displays all of the Dampening parameters

Displays all routes matching a specified filter list Displays all BGP route flap statistics

Displays BGP IPv4 multicast address families

show ip bgp ipv4 unicast

show ip bgp ipv4 unicast Displays BGP IPv4 unicast address families

show ip bgp neighbors x.x.x.x

show ip bgp neighbors x.x.x.x

show ip bgp neighbors

show ip bgp neighbors

show ip bgp nexhop x.x.x.x -

Displays detailed neighbor information Displays detailed information for a neighbor

Displays all routes matching a specified next-hop

show ip bgp paths

show ip bgp paths

show ip bgp peer-policy

-

show ip bgp peer-session

-

show ip bgp peer-template

show ip bgp unicast ipv4 Displays information about a peer template template

show ip bgp prefix-list

show ip bgp prefix-list

show ip bgp regexp

show ip bgp regexp

show ip bgp route-map

show ip bgp route-map

show ip bgp summary

show ip bgp summary

show ip bgp vrf

show ip bgp vpnv4 vrf

Learn Nexus

Displays all BGP paths

Displays BGP peer policy by specified name

Displays information about a peer session

Displays routes matching a specified prefix-list Displays routes matching a regularexpression

Displays BGP routes matching a routemap Displays a summary list of neighbors and statistics

Displays information for a specified BGP VRF

Page 53

Multicast Multicast transmission (one-to-many) provides the capability for a source host to forward IP packets to an interested group of destination hosts , as opposed to using unicast transmission (one-to-one) or broadcast transmission (one-to-everyone in the broadcast domain). Multicast functionally is typically enabled using multiple protocols. This tech note includes the following Cisco NX-OS protocols: Protocol Independent Multicast (PIM), Internet Group Membership Protocol (IGMP) and Multicast Source Discovery Protocol (MSDP).

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • •

• • • •

• • •

•

•

•

PIM and MSDP protocols require a LAN Enterprise Services license. The global ip multicast-routing command does not exist and is not required to enable multicast forwarding/routing. (It is required in Cisco IOS Software to enable multicast forwarding/routing) PIM command-line interface (CLI) configuration and verification commands are not available until you enable the PIM feature with the feature pim command. MSDP CLI configuration and verification commands are not available until you enable the MSDP feature with the feature msdp command. IGMP versions 2 and 3 are supported. IGMP version 1 and Version 3 Lite are not supported. An IGMP Snooping Querier is configured under the layer-2 VLAN with the ip igmp snooping querier CLI command (Physical L3 interfaces cannot be configured as IGMP Snooping Queriers). In Cisco IOS Software, an IGMP Snooping Querier is configured under the layer-3 interface. PIM version 2 Sparse Mode is supported. Cisco NX-OS does not support PIM version 1 Sparse Mode or Dense Mode. The NX-OS cannot fallback to Dense Mode operation. PIM is not supported on IP Tunnel interfaces. When configuring a PIM Auto-RP Candidate or BSR RP-Candidate the NX-OS requires a configured group-list (i.e. x.x.x.x/x), whereas Cisco IOS Software defaults to 224.0.0.0/4. An optional standard ACL can be configured to specify multicast groups in Cisco IOS Software. When configuring PIM Auto-RP Mapping-Agent's or Candidate-RP's, Cisco NX-OS uses a default scope of 32, whereas Cisco IOS Software requires it to be specified with the scope option (1-255). When configuring PIM Auto-RP, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim auto-rp forward listen global CLI configuration command. Cisco IOS Software has to be configured for Sparse-Dense Mode or Sparse Mode with the global ip pim autorp listener CLI configuration command. When configuring PIM BSR, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim bsr forward listen global CLI

Learn Nexus

Page 54

•

•

•

•

•

•

• •

• •

configuration command. Cisco IOS Software doesn’t require additional configuration, but does not have the ability to enable/disable RP forwarding and listening capabilities. BSR-Candidate routers have a default priority of 64. Cisco IOS Software defaults to 0. The priority value can be configured between 0 – 255 in both operating systems using the priority option. A higher numeric value is preferred when comparing priorities. BSR RP-Candidate routers have a default priority of 192. Cisco IOS Software defaults to 0. The priority value can be configured between 0 – 255 in both operating systems using the priority option. The lower numeric value is preferred when comparing priorities. When configuring a Static-RP, the NX-OS does not have an override option like Cisco IOS Software that forces the Static-RP to be elected for it’s specified multicast group list. Cisco IOS Software prefers dynamically learned RP’s over Static RP’s if the override option is not configured. When comparing PIM Static-RP’s to dynamically learned RP’s (Auto-RP and BSR) during the election process: The RP with the most specific multicast group-list is elected. If the group-lists are identical, the router with the highest RP IP address is elected. When configuring a PIM domain border, the ip pim border interface CLI command prevents BSR and Auto-RP packets from being sent or received on an interface. The Cisco IOS Software command equivalent (ip pim bsr-border) only prevents BSR packets. Cisco IOS Software requires the ip multicast boundary interface command to prevent Auto-RP packets. PIM neighbor authentication (IPSec ah-md5) can be enabled to authenticate directly connected neighbors to increase security. Cisco IOS Software does not support this functionality. PIM neighbor logging can be enabled with the global ip pim log-neighbor-changes CLI command. (Cisco IOS Software enables PIM neighbor logging by default) The data in the MSDP Source-Active (SA) messages are cached by default, whereas Cisco IOS Software requires the global ip msdp cache-sa-state and ip msdp cacherejected-sa CLI commands. PIM is configured with the Source Specific Multicast (SSM) group range 232.0.0.0/8 by default (ip pim ssm range 232.0.0.0/8). Beginning with NX-OS 5.0(2a), PIM supports Bidirectional Forwarding Detection (BFD) for rapid failure detection.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining multicast enabled networks. • •

If you remove the feature pim command, all relevant PIM configuration information is also removed. If you remove the feature msdp command, all relevant MSDP configuration information is also removed.

Learn Nexus

Page 55

• • •

•

• • • •

IGMP Snooping is enabled globally by default. It can be disabled globally, or per layer-2 VLAN with the no igmp snooping command. IGMP version 2 is enabled by default when PIM Sparse Mode is configured on an interface. PIM supports three modes of operation: Any Source Multicast (ASM), Single Source Multicast (SSM), Bidirectional Shared Tree (Bidr). The default mode is ASM. Bidr can be configured with the bidr option when configuring a RP. The Cisco NX-OS supports four types of PIM Rendezvous Points: Static, Bootstrap router (BSR), Auto-RP and Anycast-RP. (Do not configure Auto-RP and BSR in the same network) When configuring a PIM Static-RP, the group-list defaults to 224.0.0.0/4 if one is not specified. The Cisco NX-OS has two different CLI syntax options when configuring BSR and Auto RP's (New Cisco NX-OS syntax, and backwards compatible Cisco IOS Software syntax). The Cisco NX-OS supports multicast routing per layer-3 Virtual Routing and Forwarding (VRF) instance. PIM SSM and Bidr are not supported on Virtual Port-Channels (vPCs).

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are few significant differences: Cisco NX-OS does not require the global ip multicast-routing command, but does require PIM and MSDP to be enabled individually with the global feature CLI commands. The Cisco NX-OS has backwards compatible syntax with Cisco IOS Software when configuring PIM BSR and Auto-RP, but Cisco NX-OS requires RP forwarding and/or listening to be configured prior to learning or forwarding dynamic RP information. Both Cisco NX-OS and Cisco IOS Software support multicast routing within a VRF instance, but Cisco NX-OS requires global commands to be configured under the VRF context as opposed to using the vrf option as with Cisco IOS Software.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling Multicast Forwarding ip multicast-routing Enabling the PIM Feature Learn Nexus

The Cisco NX-OS does not have a single global command to enable multicast forwarding/routing.

Page 56

Cisco IOS Software does not have the ability feature pim to enable or disable PIM. Configuring PIM Sparse Mode on an Interface interface TenGigabitEthernet1/1

interface Ethernet1/1

ip address 192.168.10.1 255.255.255.0

ip address 192.168.10.1/24

ip pim sparse-mode

ip pim sparse-mode

Configuring a PIM Auto-RP interface loopback10 ip address 172.16.1.1/32 interface Loopback10 ip address 172.16.1.1 255.255.255.255 ip pim sparse-mode ip pim send-rp-announce Loopback10 scope 32 ip pim send-rp-discovery Loopback10 scope 32 ip pim autorp listener

ip pim sparse-mode ip pim auto-rp rp-candidate loopback10 group-list 224.0.0.0/4 ip pim auto-rp mapping-agent loopback10 ip pim auto-rp forward listen or ip pim send-rp-announce loopback10 group-list 224.0.0.0/4 ip pim send-rp-discovery loopback10 ip pim auto-rp forward listen

Configuring a PIM BSR RP interface Loopback10

interface loopback10

ip address 172.16.1.1 255.255.255.255

ip address 172.16.1.1/32

ip pim sparse-mode

ip pim sparse-mode

Learn Nexus

Page 57

ip pim bsr-candidate Loopback10

ip pim bsr bsr-candidate loopback10

ip pim rp-candidate Loopback10

ip pim bsr rp-candidate loopback10 grouplist 224.0.0.0/4 ip pim bsr forward listen or ip pim bsr-candidate loopback10 ip pim rp-candidate loopback10 group-list 224.0.0.0/4 ip pim bsr forward listen

Configuring a PIM Static-RP ip pim rp-address 172.16.1.1

ip pim rp-address 172.16.1.1

Configuring a PIM Anycast-RP (BSR Example) interface loopback0 ip address 192.168.10.1/32 ip pim sparse-mode interface loopback10 Cisco IOS Software does not have the ability to enable the PIM Anycast RP feature.

description Anycast-RP-Address ip address 172.16.1.1/32 ip pim sparse-mode ip pim bsr bsr-candidate loopback0 ip pim bsr rp-candidate loopback10 group-list 224.0.0.0/4 ip pim anycast-rp 172.16.1.1 192.168.10.1

Learn Nexus

Page 58

ip pim anycast-rp 172.16.1.1 192.168.10.2 ip pim bsr forward listen Configuring PIM Neighbor Authentication interface Ethernet1/1 Cisco IOS Software does not have the ability to enable neighbor authentication.

ip address 192.168.10.1/24 ip pim sparse-mode ip pim hello-authentication ah-md5 3 a667d47acc18ea6b

Configuring a PIM BSR Border on an Interface interface TenGigabitEthernet1/1 ip address 192.168.10.1 255.255.255.0 ip pim bsr-border ip pim sparse-mode ip multicast boundary 10 access-list 10 deny 224.0.1.39

interface Ethernet1/1 ip address 192.168.10.1/24 ip pim sparse-mode ip pim border

access-list 10 deny 224.0.1.40 access-list 10 permit 224.0.0.0 15.255.255.255 Configuring PIM in a Non-Default VRF Instance ip vrf production ip multicast-routing vrf production interface Loopback10 ip vrf forwarding production

Learn Nexus

vrf context production ip pim rp-address 172.16.1.1 group-list 224.0.0.0/4 interface loopback10 vrf member production

Page 59

ip address 172.16.1.1 255.255.255.255 ip pim sparse-mode

ip address 172.16.1.1/32 interface Ethernet1/1

interface TenGigabitEthernet1/1

vrf member production

ip vrf forwarding production

ip address 192.168.10.1/24

ip address 192.168.10.1 255.255.255.0

ip pim sparse-mode

ip pim sparse-mode ip pim vrf production rp-address 172.16.1.1 Configuring IGMP Version 3 for an Interface interface TenGigabitEthernet1/1

interface Ethernet1/1

ip address 192.168.10.1 255.255.255.0

ip address 192.168.10.1/24

ip pim sparse-mode

ip pim sparse-mode

ip igmp version 3

ip igmp version 3

Configuring an IGMP Snooping Querier for a VLAN interface Vlan10 ip address 192.168.10.1 255.255.255.0 ip igmp snooping querier

vlan 10 ip igmp snooping querier 192.168.10.1

Configuring MSDP (Anycast-RP) interface Loopback0

interface loopback0

description MSDP Peer Address

description MSDP Peer Address

ip address 192.168.1.1 255.255.255.255

ip address 192.168.1.1/32

interface Loopback10

interface loopback10

Learn Nexus

Page 60

description PIM RP Address

description PIM RP Address

ip address 1.1.1.1 255.255.255.255

ip address 1.1.1.1/32

ip pim rp-address 1.1.1.1

ip pim rp-address 1.1.1.1 group-list 224.0.0.0/4

ip msdp peer 192.168.2.1 connect-source Loopback0 ip msdp cache-sa-state

ip msdp peer 192.168.2.1 connect-source loopback0

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting multicast network configurations.

Cisco NX-OS Multicast

Cisco IOS Software Multicast

show ip igmp groups

show ip igmp groups

show ip igmp interface show ip igmp interface show ip igmp interface brief

Command Description Displays all IGMP attached group membership information

Displays IGMP information for all interfaces

Displays a one line summary status per interface

show ip igmp interface show ip igmp interface int- Displays IGMP information for a specific int-type type interface show ip igmp interface show ip igmp vrf name vrf name show ip igmp localgroups int-type

-

show ip igmp localgroups vrf name

-

show ip igmp route

-

show ip igmp route

-

Learn Nexus

Displays IGMP information for a specific VRF instance

Displays IGMP local groups associated to a specific interface

Displays IGMP local groups associated to a specific VRF instance Displays IGMP attached group membership information

Displays IGMP attached group Page 61

x.x.x.x

show ip igmp route int-type show ip igmp route vrf name

membership for a specific group -

Displays IGMP attached group membership for a specific interface

Displays IGMP attached group membership for a specific VRF instance

-

show ip igmp snooping explicittracking

Displays global and per interface IGMP Snooping information

show ip igmp snooping explicit-tracking

Displays explicit tracking information for IGMPv3

show ip igmp snooping mrouter

show mac-address-table multicast igmp-snooping show ip igmp snooping mrouter

Displays IGMP Snooping groups information

show ip igmp snooping

show ip igmp snooping groups

show ip igmp snooping otv

show ip igmp snooping querier

show ip igmp snooping statistics

show ip igmp snooping statistics

show ip igmp snooping vlan #

-

show ip msdp count

Displays detected multicast routers Displays IGMP Snooping OTV information

Displays IGMP Snooping querier information Displays packet/error counter statistics Displays IGMP Snooping information per specific VLAN

-

-

show ip msdp meshgroup

show ip msdp count

Displays MSDP SA cache counters

-

Displays MSDP Mesh-Group members

show ip msdp peer

Displays all MSDP peers

show ip msdp peer x.x.x.x

Displays a specific MSDP peer

show ip msdp peer show ip msdp peer x.x.x.x

show ip msdp peer vrf show ip msdp vrf name name show ip msdp peer policy

-

Displays MSDP peers related to a specific VRF instance

-

Displays the MSDP peer policies

show ip msdp peer route

-

Displays the MSDP route-cache

show ip msdp source

-

show ip msdp sa-cache show ip msdp sa-cache

Learn Nexus

Displays the MSDP SA route-cache

Displays the MSDP learned sources and Page 62

associated statistics

show ip msdp summary

show ip msdp summary

Displays the MSDP peer summary

-

show ip pim df

-

show ip pim interface df

-

show ip pim df x.x.x.x

show ip pim interface df x.x.x.x

Displays Bidr designated forwarders for a specific RP or group

Displays Bidr designated forwarders

-

Displays Bidr designated forwarders for a specific VRF instance

-

Displays the PIM group-ranges

-

Displays a specific PIM group-range

show ip pim grouprange vrf name

-

Displays the PIM group-ranges for a specific VRF instance

show ip pim interface brief x.x.x.x

-

show ip pim df vrf name

show ip pim grouprange show ip pim grouprange x.x.x.x

show ip pim interface

show ip pim interface int-type show ip pim interface vrf name

-

show ip pim interface inttype -

Displays all PIM enabled interfaces

Displays a one line summary of all PIM enabled interfaces

Displays information for a specific PIM interface

Displays the PIM interfaces for a specific VRF instance

show ip pim neighbor show ip pim neighbor

Displays all PIM neighbors

show ip pim neighbor show ip pim neighbor intinterface int-type type

Displays a specific PIM neighbor for a specific interface

show ip pim oif-list x.x.x.x

-

show ip pim policy statistics

Displays PIM OIF-List for a specific multicast group address

-

Displays PIM statistics

show ip pim route x.x.x.x

-

Displays PIM routes

-

Displays a specific PIM route

show ip pim neighbor show ip pim neighbor x.x.x.x x.x.x.x

show ip pim neighbor vrf name

show ip pim route

show ip pim route vrf Learn Nexus

Displays a specific PIM neighbor for a specific IP address

Displays PIM neighbors for a specific VRF instance

Displays PIM routes for a specific VRF Page 63

name

show ip pim rp

show ip pim rp mapping

show ip pim rp x.x.x.x

show ip pim rp x.x.x.x

show ip pim rp vrf name

-

show ip pim statistics

-

instance

Displays PIM RP information

Displays information for a specific PIM group address Displays information for PIM RP's in a specific VRF instance

show ip pim rp-hash x.x.x.x

show ip pim rp-hash x.x.x.x

Displays PIM RP-Hash value for a specific group

show ip pim statistics vrf name

-

Displays per packet statistics for a specific VRF instance

show ip pim vrf name

show ip pim vrf name

-

-

show ip mroute summary

show ip mroute summary

show ip mroute

show ip mroute

show ip mroute x.x.x.x show ip mroute x.x.x.x show ip mroute vrf name

show ip mroute vrf name

-

-

show ip route rpf

show ip rpf

Learn Nexus

Displays PIM packet statistics

Displays detailed PIM information per specific VRF instance -

Displays the multicast routing table

Displays the multicast routing table with packet counts and bit rates Displays a specific multicast route

Displays the multicast routing table for a specific VRF instance -

Displays the Reverse Path Forwarding (RPF) table used for multicast source lookup

Page 64

Netflow NetFlow provides flow-based statistics collection that is useful for troubleshooting, traffic analysis, performance monitoring, and security threat prevention. Cisco NX-OS supports a flexible architecture that allows a user to collect different data for different applications per interface, whereas the Cisco IOS Software supports one flow mask and export pair for the entire chassis.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • • • • • • • • • • • •

NetFlow command-line interface (CLI) configuration and verification commands are not available until you enable the NetFlow feature with the feature netflow command. Two flow modes are supported: full and sampled. Sampled mode supports packet-based sampling (1-64 out of 1-8192). In sampled mode, the sampling occurs before the NetFlow cache is populated. Each line-card module supports 512,000 NetFlow cache entries. Layer 2 NetFlow based on MAC addresses is not supported at this time. A flexible architecture is used that consist of flow records, flow exports, and flow monitors. Cisco NX-OS supports more key and non-key fields for creating flow records and can collect additional information such as TCP flags and system uptime. NetFlow Versions 5 and 9 Export features are supported (Version 9 is recommended). A source interface must be configured for each flow export. Cisco NX-OS defaults to User Datagram Protocol (UDP) port 9995 for NetFlow Data Export. Cisco NX-OS provides more granular aging timers (session timer and aggressive threshold). The default aging timer values are different than in Cisco IOS Software. The NetFlow feature supports stateful process restarts.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and managing NetFlow.

•

If the feature netflow command is removed, all relevant NetFlow configuration information is also removed.

Learn Nexus

Page 65

•

• • • • • • •

NetFlow consumes hardware resources (ternary content-addressable memory [TCAM], CPU, etc.), so understanding the resource utilization on a device is important before enabling NetFlow. Sampling mode preserves CPU and NetFlow cache entries in high-traffic environments. A traffic direction needs to be specified when a flow monitor is applied to an interface. The active-aging flow timeout is 1800 seconds by default The inactive-aging flow timeout is 15 seconds by default. The fast-aging flow timeout is disabled by default. The aggressive-aging flow threshold is disabled by default. TCP session aging is disabled by default.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are several significant differences: Cisco NX-OS allows NetFlow to be enabled and disabled globally, and it uses a more flexible architecture that allows different statistics to be collected for different applications. The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling the NetFlow Feature Cisco IOS Software does not have the ability feature netflow to enable or disable NetFlow. Configuring a NetFlow Flow Record (Custom) Cisco IOS Softfware does not have the ability to create custom NetFlow records. A system wide flow mask is defined. The following example uses interface-full. mls netflow interface mls flow ip interface-full mls nde sender version 5

flow record Netflow-Record-1 description Custom-Flow-Record match ipv4 source address match ipv4 destination address match transport destination-port collect counter bytes collect counter packets

Configuring a NetFlow Flow Export Learn Nexus

Page 66

flow exporter Netflow-Exporter-1 ip flow-export source GigabitEthernet2/2

description Production-Netflow-Exporter

ip flow-export version 9

destination 192.168.11.2

ip flow-export destination 192.168.11.2 2000

source Ethernet2/2 version 9

Configuring a NetFlow Monitor with a Custom Record flow monitor Netflow-Monitor-1 Cisco IOS Software does not have the ability description Applied Inbound-Eth-2/1 to create flow monitors that associate NetFlow records to NetFlow exporters. record Netflow-Record-1 exporter Netflow-Exporter-1 Configuring a NetFlow Monitor with an Original Record flow monitor Netflow-Monitor-2 description Use Predefined “OriginalCisco IOS Software does not have the ability Netflow-Record” to create flow monitors that associate NetFlow records to NetFlow exporters. record netflow-original exporter Netflow-Exporter-1 Applying a NetFlow Monitor to an Interface interface gigabitethernet 6/1

interface Ethernet2/1

ip flow ingress

ip flow monitor Netflow-Monitor-1 input

Adjusting NetFlow Timers mls aging fast mls aging long 120 mls aging normal 32

Learn Nexus

flow timeout active 120 flow timeout inactive 32 flow timeout fast 32 threshold 100

Page 67

flow timeout session flow timeout aggressive threshold 75 Configuring a NetFlow Sampler mls sampling packet-based 64 8000

sampler NF-Sampler-1

mls flow int-full

description Sampler-for-Int-Eth-2/1

mls nde sender version 5

mode 1 out-of 1000

Applying a NetFlow Sampler to an Interface interface GigabitEthernet2/1 mls netflow sampling

interface Ethernet2/1 ip flow monitor NF-Mntr-1 input sampler NF-Sampler-1

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting NetFlow.

Cisco IOS Software Netflow

Command Description

show flow interface

-

Displays interfaces configured for NetFlow

show flow record

-

Cisco NX-OS Netflow show flow exporter show flow monitor

show mls nde

Displays the configured exporter maps

-

Displays information about monitor maps

show flow timeout

-

show hardware flow entry

show mls netflow ip flow

show hardware flow aging

show hardware flow ip Learn Nexus

show mls netflow aging

show mls netflow ip

Displays information about record maps

Displays the NetFlow timeout value

Displays the NetFlow table aging timeout value Displays flow-specific information Displays the IP NetFlow table Page 68

show hardware flow sampler show hardware flow utilization module show sampler

Learn Nexus

show mls sampling show mls netflow table summary

show flow-sampler

Displays the NetFlow sampling configuration

Displays NetFlow table utilization per module

Displays information about sampler maps

Page 69

SPAN The SPAN feature allows traffic to be mirrored from within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • •

• • • •

Only Local SPAN is supported. Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources. 18 monitor sessions can be configured. Only two sessions can be active simultaneously. Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software has the option for flat for hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later. A single SPAN session can include mixed sources (Ethernet ports, Ethernet PortChannels, RSPAN sources, VLANs, and the CPU control-plane interface). Destination SPAN ports must be configured as Layer 2 ports with the switchport command. Destination SPAN ports require the switchport monitor interface configuration command. The SPAN feature supports stateful and stateless process restarts.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature. • • • • • • • • •

Two active SPAN sessions are supported for all virtual device contexts (VDCs). Monitor sessions are disabled by default. They can be enabled with the no shut command. The source traffic direction can be configured as rx, tx, or both. The default is both. When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN are sent to the destination. The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.) By default, SPAN does not copy the IEEE 802.1q tag from trunk sources. A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.) A destination port does not participate in a spanning-tree instance. A destination port can be configured in only one SPAN session at a time.

Learn Nexus

Page 70

• • • •

A port cannot be configured as both a source and destination port. 128 source interfaces can be configured per session. 32 source VLANs can be configured per session. 2 destination interfaces can be configured per session.

Configuration Comparison The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of as the Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.

Cisco IOS CLI

Cisco NX-OS CLI

Configuring the Destination Switchport Mode Cisco IOS Software does not require any destination port configuration.

interface Ethernet2/2 switchport switchport monitor

Configuring Destination Port Ingress Forwarding and Learning monitor session 1 type local destination interface Gi2/2 ingress learning

interface Ethernet2/2 switchport switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination) monitor session 1 type local source interface Gi2/1 destination interface Gi2/2

monitor session 1 source interface Ethernet2/1 both destination interface Ethernet2/2 no shut

Configuring a SPAN Monitor (VLAN Source) Learn Nexus

Page 71

monitor session 1 type local source vlan 10 , 20 destination interface Gi2/2

monitor session 1 source vlan 10,20 both destination interface Ethernet2/2 no shut

Filtering VLANs for IEEE 802.1q Trunk Sources interface GigabitEthernet2/1

interface Ethernet2/1

switchport

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 10-20

switchport trunk allowed vlan 10-20

switchport mode trunk

monitor session 1

monitor session 1 type local

source interface Ethernet2/1 both

filter vlan 15 - 20

destination interface Ethernet2/2

source interface Gi2/1

filter vlan 15-20

destination interface Gi2/1

no shut

no shutdown Configuring a SPAN Monitor (CPU Source) monitor session 1 type local

monitor session 1

source cpu rp rx

source interface sup-eth0 rx

destination interface Gi2/2

destination interface Ethernet2/2

no shutdown

no shut

Verification Command Comparison Learn Nexus

Page 72

The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.

Cisco NX-OS SPAN show interface -

show monitor session <#>

show monitor session all show monitor range <#-#>

Learn Nexus

Cisco IOS Software SPAN

Command Description

-

-

show interface

show monitor session <#>

show monitor session all

show monitor range <#-#>

Displays destination port characteristics

Displays a specific SPAN and monitor session Displays all SPAN and monitor sessions Displays a range of specified SPAN sessions

Page 73

TACACS+, RADIUS, and AAA AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than local databases.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • • • •

• •

TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command. The aaa new-model command is not required to enable AAA authentication, authorization, or accounting. The RADIUS vendor-specific attributes (VSA) feature is enabled by default. Local command authorization can be performed when using role-based access control (RBAC) without a AAA server. User roles can be associated with users configured on the AAA server using VSAs. Remote command authorization can be performed on a AAA server when using AAA with TACACS+. If no AAA server is available for authentication, the local database is automatically used for device access. The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password command.

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services. • • • •

• •

Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy only applies to the default VDC. If you remove the feature tacacs+ command, all relevant TACACS+ configuration information is also removed. 64 TACACS+ and 64 RADIUS servers can be configured per device. AAA server groups are associated with the default Virtual Route Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is in a non default VRF instance. An IP source interface can be associated with AAA server groups. TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.

Learn Nexus

Page 74

• • • •

By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). Directed server requests are enabled by default for TACACS+ and RADIUS. The local option can be used with AAA authorization to fallback to RBAC in the event a AAA server is not available for command authorization. Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.

Cisco IOS CLI

Cisco NX-OS CLI

Enabling TACACS+ Cisco IOS Software does not have the ability to enable or disable TACACS+.

feature tacacs+

Configuring a TACACS+ Server with a Key tacacs-server host 192.168.1.1 key cisco123

tacacs-server host 192.168.1.1 key 7 "fewhg123"

Specifying a Nondefualt TACACS+ TCP Port tacacs-server host 192.168.1.1 port 85

tacacs-server host 192.168.1.1 port 85

Specifying the TACACS+ Timeout Value (Global) tacacs-server timeout 10

tacacs-server timeout 10

Configuring a RADIUS Server with a Key radius-server host 192.168.1.1 key cisco123

radius-server host 192.168.1.1 key 7 "fewhg123"

Specifying Nondefualt RADIUS UDP Ports radius-server host 192.16.1.1 auth-port 1645 radius-server 192.168.1.1 auth-port 1645 acct-port 1646 acct-port 1646 Learn Nexus

Page 75

Specifying the RADIUS Timeout Value (Global) radius-server host 192.168.1.1 timeout 10

radius-server timeout 10

Configuring an AAA Server Group (TACACS+) aaa group server tacacs+ AAA-Servers

aaa group server tacacs+ AAA-Servers

server 192.168.1.1

server 192.168.1.1

Configuring an AAA Server Group (RADIUS) aaa group server radius AAA-Servers

aaa group server radius AAA-Servers

server 192.168.1.1

server 192.168.1.1

Configuring an AAA Server Group for a VRF Instance (RADIUS) aaa group server radius AAA-Servers

aaa group server radius AAA-Servers

server 192.168.1.1

server 192.168.1.1

ip vrf forwarding management

use-vrf management

Configuring the AAA Server Group Dead Time (RADIUS) aaa group server radius AAA-Servers

aaa group server radius AAA-Servers

deadtime 5

deadtime 5

Enabling AAA Authentication with an AAA Server Group aaa new-model

aaa authentication login default group AAAaaa authentication login default group AAA- Servers Servers Enabling AAA Authorization with an AAA Server Group aaa new-model aaa authorization config-commands aaa authorization commands 1 default group AAA-Servers

aaa authorization config-commands default group AAA-Servers aaa authorization commands default group AAA-Servers

Enabling AAA Accounting with an AAA Server Group Learn Nexus

Page 76

aaa new-model aaa accounting exec default start-stop group AAA-Servers

aaa accounting default group AAA-Servers

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS. Cisco NX-OS AAA

Cisco IOS Software AAA

show tacacs

show tacacs

show tacacs

-

show tacacs server directed-request

-

Displays the status of the directed-request feature (enabled or disabled)

-

Displays TACACS+ server groups

show tacacs statistics

-

Displays TACACS+ statistics for a specific server

-

-

-

show radius

-

show radius

-

show tacacs server groups

show radius server directed-request show radius server groups

show radius statistics -

show aaa accounting

show radius server-group show radius statistics -

show aaa authentication Learn Nexus

Command Description Displays the TACACS+ server configuration for all servers

Displays a specific TACACS+ server configuration

Displays the RADIUS server configuration for all servers Displays a specific RADIUS server configuration

Displays the status of the directed-request feature (enabled or disabled) Displays RADIUS server groups Displays RADIUS statistics for a specific server -

Displays the status of AAA accounting

Displays the default and console login methods Page 77

show aaa authentication login error-enable show aaa authentication login mschap show aaa authorization show aaa groups

-

show user-account

-

-

show users

Learn Nexus

Displays the login error message status (enabled or disabled)

Displays the status of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP; enabled or disabled) Displays the AAA authorization configuration

Displays the AAA groups that are configured

-

-

show users

Displays the users who are logged in

Displays a list of locally configured users

Page 78

Layer-3 Virtualization Virtual Routing and Forwarding (VRF) provides an additional layer of network virtualization on top of virtual device contexts (VDCs). VRF provides separate unicast and multicast address space and associated routing protocols that make independent forwarding decisions. All unicast and multicast protocols support VRF.

Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS: • •

• •

•

•

• • • •

Cisco NX-OS supports 200 VRF instances per VDC. Two VRF instances are configured by default. The management port on the supervisor module is assigned to the management VRF, and all I/O module ports are assigned to the default VRF. The default VRF is the default routing context for all show commands. VRF instances can be enabled without any command-line interface (CLI) prerequisites. Cisco IOS Software requires ip cef to be enabled globally before VRF instances can be configured. Multicast routing/forwarding can be configured per VRF instance without having to globally enable the VRF instance for multicast . Cisco IOS Software requires the global ip multicast-routing vrf command per VRF instance. The CLI for enabling VRF routing for a protocol is consistent for all routing protocols, whereas Cisco IOS Software uses address families for Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Enhanced Interior Gateway Routing Protocol (EIGRP) and requires unique routing process IDs per VRF for Integrated Intermediate System-to-Intermediate System (ISIS) and Open Shortest Path First (OSPF). In Cisco NX-OS, numerous VRF instances can be assigned to a single routing protocol instance. IP static routes are configured under the specified vrf context. In Cisco IOS Software, all static routes are configured in global configuration mode with the vrf option. A VRF instance can be manually disabled with the shutdown command. Cisco IOS Software does not have the CLI capability to manually disable a VRF instance. If a VRF context is removed with the no vrf context configuration command, the VRF context commands will be removed from the running configuration making the VRF non-functional, but all non context related VRF commands will remain in the running configuration. When a VRF is removed in Cisco IOS Software, the VRF instance and all related VRF commands are automatically removed from the running configuration, including any interface IP addresses previously associated to the VRF.

Learn Nexus

Page 79

Things You Should Know The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining VRF instances.

• • • •

•

When you assign a VRF instance to an interface with an IP address previously configured, the interface IP address is automatically removed. Static routes or dynamic routing protocols can be configured for routing in a VRF instance (BGP, EIGRP, ISIS, OSPF, static routes, and RIPv2). IP troubleshooting tools such as ping and traceroute are VRF aware and require the name of a specific VRF instance if testing in the default VRF instance is not desired. The routing-context vrf command can be executed in EXEC mode to change the routing context to a non-default VRF instance. For example, typing routing-context vrf management changes the routing context, so all VRF related commands are executed in the management VRF as opposed to the default VRF. Network management–related services such as authentication, authorization and accounting (AAA), Call Home, Domain Name System (DNS), FTP, HTTP, NetFlow Network Time Protocol (NTP), RADIUS, Simple Network Management Protocol (SNMP), SSH, syslog, TACACS+, Telnet, Trivial File Transfer Protocol (TFTP), and XML are VRF aware.

Configuration Comparison The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable VRF routing. The Cisco NX-OS CLI is simpler and more consistent since it allows multiple VRF instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses different techniques depending on the routing protocol.

Cisco IOS CLI

Cisco NX-OS CLI

Creating a VRF ip cef ip vrf vrf-1

vrf context vrf-1

Assigning an Interface to a VRF interface Ethernet2/1 Learn Nexus

interface Ethernet2/1 Page 80

ip vrf forwarding vrf-1

vrf member vrf-1

ip address 192.168.10.1 255.255.255.0

ip address 192.168.10.1/24

Enabling BGP in a VRF router bgp 10 address-family ipv4 vrf vrf-1 neighbor 192.168.10.2 remote-as 20 neighbor 192.168.10.2 activate network 192.168.1.1 mask 255.255.255.255 exit-address-family

router bgp 10 vrf vrf-1 address-family ipv4 unicast network 192.168.1.1/32 neighbor 192.168.10.2 remote-as 20 address-family ipv4 unicast

Enabling EIGRP in a VRF router eigrp 10 address-family ipv4 vrf vrf-1 network 192.168.10.0 auto-summary

interface Ethernet2/1 vrf member vrf-1 ip address 192.168.10.1/24 ip router eigrp 10

autonomous-system 10

router eigrp 10

exit-address-family!

vrf vrf-1

Enabling ISIS in a VRF interface Ethernet2/1 ip vrf forwarding vrf-1 ip address 192.168.10.1 255.255.255.0 ip router isis 10

Learn Nexus

interface Ethernet2/1 vrf member vrf-1 ip address 192.168.10.1/24 ip router isis 10

Page 81

router isis 10 router isis 10

vrf vrf-1

vrf vrf-1

net 49.0001.0000.0001.00

net 49.0001.0000.0001.00 Enabling OSPF in a VRF interface Ethernet2/1 ip vrf forwarding vrf-1 ip address 192.168.10.1 255.255.255.0 router ospf 10 vrf vrf-1 network 192.168.10.0 0.0.0.255 area 0

interface Ethernet2/1 vrf member vrf-1 ip address 192.168.10.1/24 ip router ospf 10 router ospf 10 vrf vrf-1

Enabling RIPv2 in a VRF interface Ethernet2/1 ip vrf forwarding vrf-1

interface Ethernet2/1

ip address 192.168.10.1 255.255.255.0

vrf member vrf-1

router rip address-family ipv4 vrf vrf-1

ip address 192.168.10.1/24 ip router rip 10

network 192.168.10.0

router rip 10

version 2

vrf vrf-1

exit-address-family Configuring Static Routes in a VRF ip route vrf vrf-1 192.168.2.0 255.255.255.0 192.168.10.2 Learn Nexus

vrf context vrf-1 Page 82

ip route 192.168.2.0/24 192.168.10.2

Verification Command Comparison The following table compares some useful show commands for verifying and troubleshooting VRF instances.

Cisco NX-OS VRF

Cisco IOS Software VRF

Command Description

show ip vrf

Displays a specific VRF instance

show vrf

show ip vrf

show vrf detail

show ip vrf detail

show vrf

show vrf interface

-

show vrf default

-

show vrf detail

show ip vrf detail

show vrf interface

show ip vrf interface

show vrf management -

Displays a list of all configured VRF instances

Displays details for a specific VRF instance Displays the interface assignment for a specific VRF instance

Displays a summary of the default VRF instance

Displays details for all VRF instances Displays VRF interface assignments

Displays a summary of the management VRF instance

-

-

show ip route vrf default

-

Displays routes for the default VRF instance

-

Displays routes for the management VRF instance

show ip route vrf all

show ip route vrf management

-

-

Displays routes for all VRF instances

show ip route vrf

show ip route vrf

Displays routes for a specific VRF instance

show ip arp vrf

show ip arp vrf

Displays Address Resolution Protocol (ARP) entries for a specific VRF instance

-

Learn Nexus

-

-

Page 83

-

-

-

show ip bgp vrf

show ip bgp vpnv4 vrf

Displays BGP commands for a specific VRF instance

show ip isis vrf

show isis <#>

Displays ISIS commands for a specific VRF instance

show ip eigrp vrf

show ip eigrp vrf

Displays EIGRP information for specific VRF instance

Displays OSPF information for a specific VRF instance

show ip ospf vrf

show ip ospf <#>

show ip static-route vrf

-

show forwarding vrf

show ip cef vrf

Displays FIB information for a specific VRF (multiple sub-options)

show routing vrf

-

Displays a subset of the show vrf commands

show ip rip vrf

-

-

show routing-context

Learn Nexus

show ip rip database vrf

-

-

Displays RIP information for a specific VRF instance

Displays static routes for a specific VRF instance -

-

Displays the current routing context

Page 84