Cisco Nexus NX-OS version 4.3.1

Source: DSLReports.com Cisco Nexus Commands

 
Cisco Nexus Commands and Descriptions
Basic Commands: A Quick Guide

show version
show inventory
show environment

show module
show redundancy status
show system resources
show feature
show boot
show role

show int counters errors

show run int
show run int eth 1/4-12
show int eth 1/4-12
show int brief
show int transceiver

show cdp neighbors
show cdp neighbors int e1/15 detail

int e1/4
beacon

Cool pipe options: grep, less, no-more, wc, sed, diff

show ip arp
show mac address-table

show vrf
show vrf default interface (per-interface listing)
show ip int brief vrf all

show int status module 2 | grep disabled

show log last 10

dir
where
pwd

Detach from any module:
~,

show spanning-tree vlan 5

password strength-check

ping 192.168.100.23 vrf management
ssh 192.168.100.23 vrf management
telnet 192.168.100.23 vrf management

switchport (L2)
no switchport (L3)

* 5000 Series Features

show feature
show feature | grep enabled
show license usage

dhcp-snooping – DHCP Snooping
fcoe – Fibre Channel over Ethernet (LICENSE REQUIRED)
fex – Fabric Extender
http-server – HTTP Server (for management)
interface-vlan, SVI (Switch Virtual Interface)
lacp – LACP, required for PortChannels
ldap – LDAP
lldp – Link Layer Discovery Protocol
niv – Network Interface Virtualization
private-vlan – PVLAN
privilege –
sshServer – SSH Server (for management)
tacacs – TACACS Authentication
telnetServer – Telnet Server (for management)
udld – Unidirectional Link Detection
vpc – Virtual PortChannel, aka MEC (Multichassis EtherChannel)
vtp – VLAN Trunking Protocol

* Licensing

http://www.cisco.com/web/go/license

show license host-id
show license usage

copy scp://jeremy@192.168.1.25/home/jeremy/cisco/foo.lic bootflash:foo.lic
install license bootflash:foo.lic

* Upgrade NX-OS (Nexus 5010, NX-OS 5.0(2)N2(1), non-disruptive)

# copy running-config startup-config
# show version
# show boot
# dir bootflash:
# show spanning-tree issu-impact

copy scp://jeremy@192.168.1.25/home/jeremy/cisco/n5000-uk9-kickstart.5.0.2.N2.1.bin bootflash:n5000-uk9-kickstart.5.0.2.N2.1.bin
copy scp://jeremy@192.168.1.25/home/jeremy/cisco/n5000-uk9.5.0.2.N2.1.bin bootflash:n5000-uk9.5.0.2.N2.1.bin

show install all impact kickstart bootflash:n5000-uk9-kickstart.5.0.2.N2.1.bin system bootflash:n5000-uk9.5.0.2.N2.1.bin

install all kickstart bootflash:n5000-uk9-kickstart.5.0.2.N2.1.bin system bootflash:n5000-uk9.5.0.2.N2.1.bin

…stuff…

Compatibility check is done:
Module  bootable          Impact  Install-type  Reason
------  --------  --------------  ------------  ------
     1       yes  non-disruptive         reset

Images will be upgraded according to following table:
Module       Image         Running-Version             New-Version  Upg-Required
------  ----------  ----------------------  ----------------------  ------------
     1      system             4.2(1)N1(1)             5.0(2)N2(1)           yes
     1   kickstart             4.2(1)N1(1)             5.0(2)N2(1)           yes
     1        bios        v1.3.0(09/08/09)        v1.3.0(09/08/09)            no
     1   power-seq                    v1.0                    v1.2           yes

Do you want to continue with the installation (y/n)?  [n] y

Install is in progress, please wait.

…more stuff…

Supervisor non-disruptive upgrade successful.

Install has been successful.
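The upgrade procedure above hinges on reading the two tables that "show install all impact" prints and only proceeding when every module reports a non-disruptive, bootable result. This added example (not part of the original FAQ) parses the table format shown above, with a sample output constructed from the transcript on this page, so a pre-change script can gate the "install all" step instead of relying on eyeballing the output.

```python
# Sample output constructed to match the 'show install all impact' transcript
# on this page (Nexus 5010, 4.2(1)N1(1) -> 5.0(2)N2(1)); not captured live.
SAMPLE = """\
Compatibility check is done:
Module  bootable          Impact  Install-type  Reason
------  --------  --------------  ------------  ------
     1       yes  non-disruptive         reset

Images will be upgraded according to following table:
Module       Image         Running-Version             New-Version  Upg-Required
------  ----------  ----------------------  ----------------------  ------------
     1      system             4.2(1)N1(1)             5.0(2)N2(1)           yes
     1   kickstart             4.2(1)N1(1)             5.0(2)N2(1)           yes
     1        bios        v1.3.0(09/08/09)        v1.3.0(09/08/09)            no
     1   power-seq                    v1.0                    v1.2           yes
"""


def _table_rows(text, heading):
    """Return the whitespace-split data rows of the table that follows 'heading'."""
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith(heading):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break                      # a blank line ends the table
        if line.startswith("Module") or set(line.strip()) <= {"-", " "}:
            continue                   # column header / rule line
        rows.append(line.split())
    return rows


def parse_impact(text):
    """Map module number -> (bootable, impact, install-type) from the compatibility table."""
    return {int(r[0]): (r[1], r[2], r[3])
            for r in _table_rows(text, "Compatibility check")}


def parse_images(text):
    """List (module, image, running-version, new-version, upgrade-required) rows."""
    return [(int(r[0]), r[1], r[2], r[3], r[4] == "yes")
            for r in _table_rows(text, "Images will be upgraded")]


def safe_to_proceed(text):
    """True only if every module is bootable and its impact is non-disruptive."""
    impact = parse_impact(text)
    return bool(impact) and all(bootable == "yes" and imp == "non-disruptive"
                                for bootable, imp, _ in impact.values())


if __name__ == "__main__":
    print("proceed" if safe_to_proceed(SAMPLE) else "STOP: disruptive upgrade")
    for module, image, running, new, required in parse_images(SAMPLE):
        if required:
            print(f"module {module}: {image} {running} -> {new}")
```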

* PortChannel (EtherChannel)

feature lacp
 
interface port-channel21
  description Uplink to core
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 13,31-38,155
 
interface Ethernet1/1
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 13,31-38,155
  channel-group 21
 
interface Ethernet1/2
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 13,31-38,155
  channel-group 21
 
show port-channel summary

* Enable Jumbo Frames (Nexus 5010)

# show policy-map
 
# Prep (safe, since it is a policy that is not attached to anything)
policy-map type network-qos jumbo
class type network-qos class-default
mtu 9216
exit
class type network-qos class-fcoe
pause no-drop
mtu 2158
exit
exit
 
# Deploy (deploys the new ‘jumbo’ policy):
system qos
service-policy type network-qos jumbo
 
# Rollback (deploys the default policy):
system qos
service-policy type network-qos default-nq-policy

* VPC – Virtual PortChannel (aka MEC, Multichassis EtherChannel)

Yes, it’s a feature so nice, it gets two acronyms, and sometimes a third, as some folks call Multichassis EtherChannel MCE.

But wait! Cisco has a newer, better technology called FabricPath. See Scale Data Centers with Cisco FabricPath and Migration from Virtual PortChannel to Cisco FabricPath for further info.

* Checkpoint

Note: If you use the default syntax (checkpoint foo), the checkpoint file is placed in volatile memory and is lost on reload!
You probably want to write the file to flash, as illustrated below:

Summary:

checkpoint file bootflash:20110208-foo
rollback running-config file bootflash:20110208-foo

Full Example:

5010-lab# checkpoint file bootflash:20110211-foo
..Done
 
5010-lab# conf
Enter configuration commands, one per line.  End with CNTL/Z.
5010-lab(config)# int e1/10-15
5010-lab(config-if-range)# desc A Tragic Mistake is Made
5010-lab(config-if-range)# end
 
5010-lab# rollback running-config file bootflash:20110211-foo
Note: Applying config parallelly may fail Rollback verification
Collecting Running-Config
Generating Rollback patch for switch profile
Rollback Patch is Empty
Collecting Running-Config
#Generating Rollback Patch
Executing Rollback Patch
Generating Running-config for verification
Generating Patch for verification
 
Rollback completed successfully.
 
5010-lab#

* FEX (4x 10Gb connection from 5010 to 2148T)

Note: The doc indicates there is another way to attach a FEX, without the port channel, using ‘pinning max-links 4’ and
directly associating each interface with a set of ports on the FEX (for example, on the 2148T, each 10Gb connection
would map to 12 1 Gb ports). This method makes each 10 Gb link a single point of failure, and should not be used.
Below is the preferred configuration:

feature fex
 
fex 115
desc FEX115
pinning max-links 1
exit
 
interface port-channel115
switchport mode fex-fabric
fex associate 115
exit
 
interface e1/17-20
switchport mode fex-fabric
fex associate 115
channel-group 115
no shutdown

Note: At this point, wait a minute or two for the FEX module to come online

show int fex-fabric
show int po115 fex-intf

* FCOE (5010, Two servers connecting to a storage array)

feature fcoe
reload
 
vlan 50
fcoe vsan 50
exit
 
int e1/5
desc VM01 CNA port 1
switchport mode trunk
spanning-tree port type edge trunk
 
int vfc51
bind int e1/5
no shut
exit
 
int e1/6
desc VM02 CNA port 1
switchport mode trunk
spanning-tree port type edge trunk
 
int vfc52
bind int e1/6
no shut
exit
 
int fc2/1
desc EMC101 port 1
no shut
exit
 
vsan database
vsan 50
vsan 50 interface vfc 51
vsan 50 interface vfc 52
vsan 50 interface fc2/1
exit

Note: Zones use the PORT WWN, not the NODE WWN. Pay attention to the output of show fcns database!

zone name EMC101-VM vsan 50
member pwwn 11:11:11:11:11:11:11:10
member pwwn 11:11:11:11:11:11:11:1a
member pwwn 22:11:11:11:11:11:11:10
 
zoneset name ZONESET1 vsan 50
member EMC101-VM
 
zoneset activate name ZONESET1 vsan 50
 
zoneset distribute vsan 50 (only needed if there are multiple switches in the fabric)
 
show zoneset active (look for an asterisk next to each member)
 
show vsan
show vsan 50 membership
show vlan fcoe
show int vfc
show flogi database
show fcns database vsan 50
show zoneset active
 
fcping fcid 0x010101 vsan 50

Descriptions

Checkpoints and rollbacks

Using the Cisco Nexus 7010, 5010 and 2148s has changed some of the habits I have traditionally used for the Cisco IOS command set. Some of the new Nexus commands have become second nature and I now miss them on IOS. Being able to use grep is one I really wish was incorporated into IOS. I am used to having it with the ASA platform and now with the Nexus platform – going back to IOS 12.x and not having it there is annoying.

A new command that is really useful on the Nexus platform is checkpoint. There are several things that are unique about checkpoints and how you can use them. First, checkpoints are primarily used for rollback situations. They allow you to make changes on the system and, if required due to an error, roll back to a known good configuration on the system. There are three rollback types.

• Atomic rollback is done when the configuration can be applied with NO errors

• Best Effort rollback will ignore errors and push the configuration onto the system

• Stop At First Failure will process the rollback request until it hits an error and then stops

The default rollback type is Atomic and this is likely the most common rollback method you would use in a production environment. I am not aware of many folks wanting to roll back with a “Stop At First Failure” or “Best Effort” scenario unless true desperation has kicked in. There might be a case of the order of rollback if you are using VDCs and moving physical resources from one VDC to the other, in which case perhaps Best Effort might be useful.

Also of note, the rollback feature must be used per Virtual Device Context (VDC); in other words, you have to run the command in each VDC. This is expected behavior, as each VDC is its own NX-OS instance and you have to run all the same commands to get the desired behavior out of the NX-OS platform.

The command itself is very simple:

checkpoint {checkpoint name} description {a description} | filename {path and filename}

Example:
checkpoint cp-running-config-known-good-2010-03-22 description checkpoint of running config

There are some restrictions on the checkpoint name (max length 80 characters) and there are restrictions on the filename (max length of 75 characters, and the filename can’t start with the word “system”), but otherwise it is a pretty straightforward process to get this going. I am using this on NX-OS version 4.3.1; earlier versions had more restrictions on file names and such, so read the documentation if you are on an earlier release.

To see what the checkpoint command does you can use the show commands. To see all the checkpoints that are in a given VDC:
show checkpoint all
show checkpoint summary

The checkpoint command basically keeps a small database of checkpoints to allow you to rollback to a specific one and calculates the differences between a current state or checkpoint and that checkpoint you want to move to. It will generate a rollback script when you use the rollback command. If you want to see the differences that are being generated you can do that too:

show diff rollback-patch {checkpoint source name | running-config | startup-config | file filename} {checkpoint destination name | running-config | startup-config | file filename}

Example:
show diff rollback-patch running-config checkpoint cp-running-config-known-good-2010-03-22

To actually do a rollback:
rollback running-config {checkpoint cp name | running-config | startup-config | file filename} {atomic | best-effort | stop-at-first-failure}

Example:
rollback running-config checkpoint cp-running-config-known-good-2010-03-22 atomic

To see the status of rollbacks:
show rollback log

You can also clear out the checkpoint history and files, use the command with caution.
clear checkpoint database

This is a VERY useful command to build into your scripts prior to pushing out production changes on gear. It allows you to have a well known state stored locally and be able to rollback to it quickly in case of problems in your scripts. Awesome!

Nexus Features

To turn a feature on within configuration mode, it is simply feature followed by name of the feature. For example:
feature interface-vlan (Allows to add an IP address on a vlan interface)
feature lacp (Port-Channel Mode)
feature vpc (Virtual Port Channel)
feature lldp (Similar to CDP but is not Cisco proprietary)
feature vtp (Vlan Trunking Protocol)
feature fex (Used when connecting Nexus 2ks)

DNS and Name Resolution

ip domain-lookup (turns on name resolution)
ip domain-name domain-name (DNS domain name, i.e. could be your active directory domain or real world domain name)
ip name-server x.x.x.x (x.x.x.x being the IP address of your DNS server. Repeat this command to add multiple DNS servers)

Access Lists

ip access-list access-list-name (creates an access list with a name)
10 remark Access-List-For-Remote-Access (creates a remark at sequence number 10 of the current access list)
20 permit tcp x.x.x.x/24 any eq 22 (creates an access rule in position 20 to allow the network x.x.x.x/24 to any for SSH)
30 deny ip any any log (creates an access rule in position 30 to deny everything and log)
no 25 permit tcp y.y.y.y/24 any eq 22 (removes the access rule in position 25)
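The point of the sequence numbers above is that NX-OS evaluates entries in sequence order, first match wins, and an entry can be inserted between or removed from existing ones by number alone. This added example (not from the original FAQ) models that behaviour for the ACL shown above; the x.x.x.x/24 placeholder is replaced by a constructed management subnet, 10.0.0.0/24, which is an assumption.

```python
import ipaddress

# The ACL from this page in NX-OS named-ACL form; 10.0.0.0/24 is a constructed
# stand-in for the page's x.x.x.x/24 management subnet.
ACL_LINES = [
    "10 remark Access-List-For-Remote-Access",
    "20 permit tcp 10.0.0.0/24 any eq 22",
    "30 deny ip any any log",
]


def parse_ace(line):
    """Parse one sequenced entry; remarks return None because they never match."""
    seq, *words = line.split()
    if words[0] == "remark":
        return None
    action, proto, src, dst, *rest = words
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"seq": int(seq), "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "log": "log" in rest}


def _match_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


class NamedAcl:
    """Minimal model of an NX-OS named ACL keyed by sequence number."""

    def __init__(self, lines):
        self.entries = {}
        for line in lines:
            self.add(line)

    def add(self, line):
        """Insert or overwrite the entry at the line's sequence number (e.g. '25 permit ...')."""
        ace = parse_ace(line)
        if ace:
            self.entries[ace["seq"]] = ace

    def remove(self, seq):
        """The 'no 25' form: drop an entry by sequence number."""
        self.entries.pop(seq, None)

    def evaluate(self, proto, src, dst, dport):
        """First match in sequence order; implicit deny when nothing matches."""
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e["proto"] not in ("ip", proto):
                continue
            if not (_match_net(e["src"], src) and _match_net(e["dst"], dst)):
                continue
            if e["port"] is not None and e["port"] != dport:
                continue
            return e["action"], seq
        return "deny", None


if __name__ == "__main__":
    acl = NamedAcl(ACL_LINES)
    print(acl.evaluate("tcp", "10.0.0.5", "192.0.2.1", 22))   # permitted by 20
    print(acl.evaluate("tcp", "10.0.1.5", "192.0.2.1", 22))   # denied (and logged) by 30
```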

Spanning-Tree

spanning-tree mode rapid-pvst (Turns Rapid Per-Vlan Spanning Tree on. Other option is Multiple Spanning-Tree mode MST)
spanning-tree port type edge (Configured on the interface when connecting to end devices. This is essentially port-fast)
spanning-tree port type normal (Configured on the interface and/or port-channel. Used when uplinking to Non-Nexus switches. Does not use Bridge Assurance)
spanning-tree port type network (Configured on the interface and/or port-channel. Used when uplinking to Nexus switches. Uses Bridge Assurance)
spanning-tree port type network default (Makes spanning-tree type network the default for all interfaces that do not use one of the above options)
spanning-tree vlan 1 priority 4096 (Makes this switch the root for vlan 1)

Fex Nexus 2000

fex 100 (Creates a FEX ID of 100. This is used to identify the Nexus2k. i.e. port 1 of the Nexus2k will be eth100/1/1)
pinning max-links 2 (Allow a maximum of 2 uplinks from the Nexus 2k FEX)
description Nexus2k-Level-1 (Creates a description of Nexus2k-Level-1)
interface ethernet1/1 (Enter into the interface you wish to connect the fex to)
switchport mode fex-fabric (Put the interface into fex-fabric mode)
fex associate 100 (Associate this port to the FEX ID we created earlier)

VLANS

vlan 10 (Creates vlan 10)
name storage (Creates a name of storage for vlan)
interface vlan 10 (Creates a vlan interface for vlan 10. Must have feature interface-vlan turned on)
ip address x.x.x.x/24 (Creates an ip address of x.x.x.x/24 for vlan interface 10)
description iSCSI-Storage (Creates a description of iSCSI-Storage for interface vlan 10)

Port-Channels

interface port-channel 1 (Creates an interface port-channel 1)
description Uplink-to-Cisco-3750 (Gives the port-channel interface a description)
switchport mode trunk (Turns the interface into vlan trunk mode)
switchport trunk allowed vlan 10 (Restrict which vlans are allowed over the trunk)
switchport trunk allowed vlan add 15 (Add vlan 15 to the restricted allowed vlans on the trunk)
switchport trunk native vlan 20 (Any untag packets will be placed in vlan 20)
switchport mode access (Turns the interface into access mode)
switchport access vlan 10 (Places the interface into vlan 10)
For spanning-tree options please refer to spanning-tree above
interface eth1/1-2 (Enter into interface range mode for eth1/1 and eth1/2)
channel-group 1 mode active (Add the 2 interfaces into port-channel 1 using LACP) OR
channel-group 1 mode on (Add the 2 interfaces into port-channel 1. Forces the ports into a channel and does NOT use LACP)
show port-channel summary (Shows a summary of your port-channel interfaces and status)

VPC Virtual Port Channel

Make sure you have turned on feature vpc
Complete this on Switch 1:
vpc domain 100 (Create a unique VPC domain ID between the 2 Nexus 5Ks)
role priority 20 (Switch 1 will have a higher priority than switch 2)
peer-keepalive destination x.x.x.x source y.y.y.y (VPC keep-alive link x.x.x.x being the destination switch ip and y.y.y.y being the source switch ip)
interface port-channel 10 (Enter into the port-channel 10 interface)
vpc 10 (This port-channel belongs to vpc 10, this is not the same as VPC domain. These need to be unique among different port-channels)
interface port-channel 20 (Enter into the port-channel 20 interface)
vpc 20 (This port-channel belongs to vpc 20, this is not the same as VPC domain. These need to be unique among different port-channels)
Complete this on Switch 2:
vpc domain 100 (Create a unique VPC domain ID between the 2 Nexus 5Ks)
peer-keepalive destination y.y.y.y source x.x.x.x (VPC keep-alive link y.y.y.y being the destination switch ip and x.x.x.x being the source switch ip)
interface port-channel 10 (Enter into the port-channel 10 interface)
vpc 10 (This port-channel belongs to vpc 10, this is not the same as VPC domain. These need to be unique among different port-channels)
interface port-channel 20 (Enter into the port-channel 20 interface)
vpc 20 (This port-channel belongs to vpc 20, this is not the same as VPC domain. These need to be unique among different port-channels)
show run vpc (shows the vpc config from the running-config)
show vpc (show vpc information and status)

A nice explanation of what VPC is can be found by Jason Nash on his blog

SPAN or Port-Mirroring for Packet Capture

monitor session 1 (Creates a Monitor Session of 1)
source interface ethernet1/1 (Tells the monitor session which port to use as the source) OR
source interface port-channel 1 (Tells the monitor session which port-channel to use as the source) OR
source interface vlan 10 (Tells the monitor session which vlan to use as the source)
destination interface ethernet1/2 (Tells the monitor session which port to use as the destination, where you would plug in your packet capture software such as Wireshark)

Line Console

line console (Enter into line console)
speed 38400 (change baud rate to 38400. Might be used if changing the console logging level lower than warning)

Logging

logging console 7 (Turns logging on the console to debug. Must change line baud rate for this, see Line Console above)
logging monitor 7 (Turns logging on the monitor i.e. telnet or ssh, to debug)

Notes

Connecting a 1Gb SFP into a Nexus 5K requires the following command on the interface: speed 1000
If you install the Layer 3 daughter card you must have this Base License: LAN_BASE_SERVICES_PKG. It comes with the 5K by default; if it is not installed from the factory you may need to contact Cisco Licensing to get it issued to you, as it is free.

Additional Information
Cisco Nexus NXOS and Fixing Broken Switchto Syntax With Alias
SAN Port Channels from Nexus 5010 to MDS 9134

by aryoba See Profile
last modified: 2014-09-08 10:10:54
