Deploying Nexus 7000 in Data Centre Networks BRKDCT-2951


1 Deploying Nexus 7000 in Data Centre Networks BRKDCT-2951

2 giving us enough rope to hang ourselves

3 Paul Horrocks, Solutions Architect, Cisco Advanced Services
Adam Raffe, Network Consulting Engineer, Cisco Advanced Services

4 What's the Goal of This Session?
To provide design guidance and leading practice to network architects and administrators who have deployed or are considering deploying the Nexus 7000 into the Data Centre


6 Agenda
Nexus 7000 Data Centre Designs
    Common DC Designs
    Virtual Port Channels (vPC)
    Virtual Device Contexts (VDC)
Implementation & Leading Practices
    Installation & Maintenance
    Layer 2 Features
    Virtual Port Channel (vPC)
    Fabric Extenders
    Access Control

7 Agenda
Nexus 7000 Data Centre Designs
    Common DC Designs
    Virtual Port Channels (vPC)
    Virtual Device Contexts (VDC)
Implementation & Leading Practices

8 Data Centre Design Example
Nexus 7000 typically in core and aggregation
Nexus 5000 / Nexus 2000 in access layer
Virtual Port Channel between aggregation / access
[Figure: Core (Core1, Core2), Aggregation (vPC pairs agg1a/agg1b .. aggna/aggnb) and Access layers; L3 and L2 links and channels; L3/L2 boundary at aggregation; access hosts attached active/standby or active/active via vPC]

9 Virtual Port-Channel (vPC)
Eliminates blocked ports
Uses all available uplink bandwidth

10 VSS: single control plane, single configuration
vPC: independent control planes, consistent configuration
[Figure: Non-VSS vs VSS (Catalyst VSS); Non-vPC vs vPC (Nexus vPC)]

11 Virtual Device Contexts (VDCs)
[Figure: VDC 1, VDC 2, VDC 3]

12 Virtual Device Contexts (VDCs): What can we use them for?
Consolidate multiple business units, departments, and networks
Provide network segmentation to meet security compliance requirements
Implement logical tier design
[Figure: example VDC layouts: VDC2 Prod / VDC3 Dev / VDC4 Test; VDC2 Secure / VDC3 Non-Secure; VDC2 Core / VDC3 Agg / VDC4 Access]

13 Data Centre Design Leveraging VDCs
Large Data Centre utilizing 3-Tier DC design
Nexus 7000s in Core and Aggregation
Utilize VDCs in aggregation layer to create a non-secured zone and a secured zone
[Figure: Core1 and Core2 above aggregation switches SW-1a/SW-1b and SW-2a/SW-2b, each split into VDC2 and VDC3 with a vPC per VDC pair; L3/L2 boundary at aggregation; access hosts attached active/standby or active/active via vPC]

14 Agenda
Nexus 7000 Data Centre Designs
Implementation & Leading Practices
    Installation & Maintenance
    Layer 2 Features
    Virtual Port Channel (vPC)
    Fabric Extenders
    Access Control

15 Implementation and Leading Practices Installation and Maintenance BRKDCT Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Chassis Installation
Use standard four-post, 19-inch Electronic Industries Alliance (EIA) Data Centre rack
Cabinet can be leveraged to convert 7018 to front-to-back air cooling
When installing 7018:
    Reserve 11 space on both sides of the rack to allow for side-to-side airflow
    Route cables on front side of the rack to clear the rear side for airflow
Always perform chassis / system grounding
[Figure: 7018 chassis and 7010 chassis]

17 Power Considerations
Configure power redundancy mode
    System default is PS redundant, N+1
Connect PS input sources to two different power grids
    Power redundancy mode Full
Set max fabric modules per system: allows the system to release some of the reserved power (supported in NX-OS 5.0)
    By default system reserves enough power for five fabric modules
    Nexus7K(config)# power redundancy-mode redundant
    Nexus7K(config)# hardware fabrics max 3
[Figure: power supplies fed at 220V from Grid 1 and Grid 2]

18 VDC Leading Practices
Reserve VDC 1 (default) as the administrative VDC
On VDC 1, assign accounts with minimum privileges necessary to accomplish operational tasks
Customize VDC HA policy and resource configurations as necessary
    Dual-sup default is switchover and single-sup default is restart
    Nexus7K(config-vdc)# ha-policy dual-sup <policy> single-sup <policy>
    Nexus7K(config-vdc)# limit-resource vlan minimum <#> maximum <#>
Only non-default VDCs can be suspended, resumed, reloaded, or restarted
    Nexus7K(config)# vdc <name> suspend
    Nexus7K# reload vdc <name>
[Figure: VDC1 Admin, VDC2 Agg1, VDC3 Acc1, VDC4 Test]

19 Assign I/O modules to VDCs such that TCAM resources are shared effectively
All ports in the same port group on the 32 port 10GE I/O modules must be allocated to the same VDC
Allocate entire I/O module to a VDC if possible
    Nexus7K(config-vdc)# allocate interface e2/1,e2/3,e2/5,e2/7
[Figure: Linecards 1 to 8, each with its own FIB TCAM (128K) and ACL TCAM (64K)]

20 Out-of-Band Management Network
Separate physical infrastructure is ideal
Use mgmt0 or Connectivity Management Processor (CMP) ports or both!
Mgmt0 IP address for default and non-default VDCs must be from same subnet
Assign different IP address for redundant CMP (same IP address for redundant mgmt0 interface)
Use the management VRF on the Nexus 7000 for all management system connectivity
[Figure: Agg1a, Agg1b, Acc1, Acc2, Core1 and Core2 attached by Mgmt0 x2 and CMP x2 to OOB Mgmt Dist switches mgmt1 and mgmt2; inside each switch, Mgmt0 for VDC1 Admin, VDC2 Agg1 and the other VDCs sits in the Management VRF on the OOB Mgmt Network with the Sys Mgmt server, separate from the Default VRF]

21 Software Licensing
License is tied to chassis serial number
License is stored in dual redundant NVRAM modules on chassis backplane
If chassis is replaced, work with Cisco TAC to re-key the license
If supervisor is replaced, license should be re-installed (although features still work)
License installation is non-disruptive to features already running under the grace period

22 Software Licensing (cont.)
[Figure: License PAK + chassis serial # -> license file]
Follow the steps to manually install the licenses:
1) Identify chassis serial number and PAK (Product Activation Key)
    Nexus7K# show license host-id
    License hostid: VDH=TBM########
2) Obtain the license key file from
3) Install licenses and copy to bootflash & external location
    Nexus7K# install license bootflash:<license_file.lic>
    Nexus7K# copy bootflash:<license_file.lic> tftp:.
    Nexus7K# show license usage
    Feature                      Ins  Lic Count  Status  Expiry Date  Comments
    LAN_ADVANCED_SERVICES_PKG    Yes  -          In use  Never        -
    LAN_ENTERPRISE_SERVICES_PKG  Yes  -          Unused  Never        -

23 Software Upgrade: Cold Start Upgrade
Cold start upgrade procedure recommended for Pre-Production
Synchronise the Kickstart image and the System image
    Nexus7K(config)# boot system bootflash:<system-image> sup-1 sup-2
    Nexus7K(config)# boot kickstart bootflash:<kickstart-image> sup-1 sup-2
    Nexus7K# copy run startup-config
    Nexus-3# sh boot
    ---deleted---
    Boot Variables on next reload:
    sup-1
    kickstart variable = bootflash:/<kickstart-image>
    system variable = bootflash:/<system-image>
    sup-2
    kickstart variable = bootflash:/<kickstart-image>
    system variable = bootflash:/<system-image>
    No module boot variable set
    Nexus7K# reload

24 In-Service Software Upgrade (ISSU)
Show commands can be used to determine any potential impact prior to performing ISSU
Determine impact of upgrade:
    Nexus7K# show install all impact kickstart bootflash:<kickstart> system bootflash:<system>
If downgrading, use show incompatibility-all to determine if any features need to be disabled:
    Nexus7K# show incompatibility-all system bootflash:<system-image>
    The following configurations on active are incompatible with the system image
    1) Service : vpc, Capability : CAP_FEATURE_VPC_RELOAD_RESTORE
    ---deleted---
install all command used to kick off the upgrade:
    Nexus7K# install all kickstart bootflash:<kickstart-image> system bootflash:<system-image>
    Nexus7K# show install all status

25 What Happens During an ISSU?
Provide descriptive upgrade information and option to cancel
Verify and validate the image
Check image compatibility
Upgrade and switchover standby sup
Upgrade previous active sup and I/O modules
Sync images to standby sup
Load new image to CMP

26 Your network needs to be stable for ISSU to work properly!!
STP topology changes, routing instability, module removal, power interruption, etc

27 ISSU Routing Protocol Timers
Tuned routing protocol timers may interfere with ISSU
In most cases, tuned timers are not necessary due to point-to-point L3 links
Keep OSPF, EIGRP, BGP hello / dead timers at default levels if possible
If shared L2 segment is in use, look at Bidirectional Forwarding Detection (BFD) instead

28 EPLD Upgrade
EPLDs (Electronic Programmable Logical Devices) upgrade is used to enhance hardware functionality or to resolve known issues
Performed on all the field replaceable modules (fan trays, fabric modules, I/O modules, and supervisor)
It is recommended to upgrade to the latest EPLD image only when directed to do so by TAC or AS
    Nexus7K# install all epld bootflash:<epld_image_name>
EPLD upgrade is a separate and independent process from ISSU and is typically not required
Check EPLD module versions using show install all impact epld
    Nexus7K# show install all impact epld bootflash:<epld_image_name>
    Nexus7K# show version <type> <mod #> epld

29 Checkpoint / Configuration Rollback: Use It!!
Rollback allows users to take a configuration snapshot and reapply the config at any point
Create up to 10 checkpoints per VDC
    Nexus7K# checkpoint checkpt1
    Processing the Request... Please Wait
The rollback changes can be viewed before committing to the rollback operation
    Nexus7K# show diff rollback-patch running-config checkpoint checkpt1
    Processing the Request... Please Wait
    Nexus7K# rollback running-config checkpoint checkpt1
    ..
Auto-checkpoint is invoked upon feature removal and license expiration
    Nexus7K(config)# no feature ospf
    Nexus7K(config)# sh checkpoint all
    Name: system-fm- inst_1 ospf

30 Implementation and Leading Practices: Layer-2 Features

31 VLAN Trunking Protocol (VTP)
VTP OFF mode is recommended
    Nexus7K(config)# no feature vtp
    Switches do not participate in VTP and VTP advertisements are not forwarded
Utilize VTP transparent mode if VTP domain needs to extend across Nexus 7000 switches
    Nexus7K(config)# feature vtp
    Nexus7K(config)# vtp domain <name>
    Must allow VLAN1
VTP client / server mode introduced in NX-OS 5.1
VLANs , 4094 are reserved
Catalyst 6500 reserved VLANs
[Figure: with VTP off, agg1a and agg1b do not pass VTP to transparent Acc1 and Acc2; with VTP transparent, VTP packets cross agg1a and agg1b between a VTP server and a VTP client at the access layer]

32 Unidirectional Link Detection (UDLD)
Enable UDLD feature to configure UDLD normal mode on all fiber interfaces
    Nexus7K(config)# feature udld
    (enables UDLD Normal Mode on all fibre interfaces)
UDLD aggressive on port-channel member ports is optional
    Nexus7K(config-if-range)# udld aggressive
Interface config supersedes the global UDLD setting

33 What About CAM / ARP Timers? Do I Need to Tweak Them?
Not required
Other platforms require CAM / ARP timers tweaking to avoid unicast flooding
Default NX-OS CAM aging timer is 1800s and ARP timeout is 1500s

34 Basic L2 Leading Practices Still Apply!
Assign unused VLAN as native VLAN (consistent across the same L2)
Clear native VLAN from the trunk
Configure native VLAN tagging on trunks
    Nexus7K(config)# vlan dot1q tag native
Error Disable Recovery is disabled by default; leave it this way if possible!
    Nexus7K# show interface status err-disabled
    Nexus7K(config)# errdisable recovery cause <cause>
    Nexus7K(config)# errdisable recovery interval <time>
Implement storm-control to prevent disruptions caused by broadcast and multicast storms
    Nexus7K(config-if)# storm-control broadcast level 40

35 Port Channels
Use LACP to negotiate both L2 and L3 port-channels
    Nexus7K(config)# feature lacp
    Nexus7K(config)# int e<mod>/<port>
    Nexus7K(config-if)# channel-group <#> mode active
Implement port channels with 2, 4 or 8 members for optimal traffic distribution
Understand port-channel failure behaviour
    BW and IGP cost for L3 channel are recalculated when physical member fails
    STP cost for L2 channels does not recalculate when physical member fails
[Figure labels: Core1, Core-2, Aggr1a, Aggr1b, Access, OSPF Cost 50]

36 Spanning-Tree Protocol (STP): Which Mode?
Implement consistent STP mode in the same L2 domain
RPVST+ is the default and is backward compatible with PVST
    Nexus7K# sh spanning-tree active | i Peer
    Po11 Desg FWD P2p Peer(STP)
Utilize MST for larger scale L2 network
    MST supports 75K logical ports (90K in NX-OS 5.0) and RPVST+ supports 16K logical ports
    MST introduces some complexity and requires detailed planning
    Nexus7K# show spanning-tree summary total
    ----deleted----
    Name Blocking Listening Learning Forwarding STP Active vlans Total number of logical ports 3 msts MST ports

37 Spanning-Tree Leading Practices
Aggregation switches should be STP root and secondary root
Configure host ports as port type edge or port type edge trunk
    Nexus7K(config-if)# spanning-tree port type edge trunk
Enable STP BPDU-guard globally
    Nexus7K(config)# spanning-tree port type edge bpduguard default
Use spanning-tree pathcost method long
[Figure labels: agg1a / agg1b (Root / Backup Root, L3, FW), Access1, Access2, Bridge Assurance, Loop-Guard, BPDUguard, Port Type Edge / Edge Trunk]

38 What is Bridge Assurance?
BPDUs sent in both directions
Enabled by default globally
Active only on interfaces configured as port type network
    Nexus7K(config-if)# spanning-tree port type network
[Figure labels: Root, BPDUs exchanged between Network ports, Edge ports towards hosts]

39 What is Bridge Assurance? OK, but where should I enable it?
- Generally, BA should be enabled on all inter-switch links which support it (i.e. Nexus to Nexus)
- Exception: not on vPC member links
- If it's not supported at both ends, then use Loop Guard instead

40 Port Profiles
Useful for enforcing consistent configuration, not necessarily a Layer 2 feature; can also be applied to Layer 3
Create Port Profile
Configure port parameters once
Apply to multiple ports
    Nexus7K(config)# port-profile type ethernet trunk-port
      state enable
      switchport
      switchport mode trunk
      switchport trunk native vlan <vlan>
      spanning-tree port type network
      no shut
    Nexus7K(config-if)# switchport
      inherit port-profile trunk-port
      switchport trunk allow vlan <vlans>
Warning: Port-Profiles are live profiles (modifying or deleting port-profiles will be reflected on the assigned interfaces)

41 Implementation and Leading Practices: Virtual Port-Channel (vPC)

42 Virtual Port-Channel (vPC) Terminology
vPC Peer-Link: used to sync state between peers
vPC Peer-Keepalive: detect status of vPC peer devices
vPC Peer
vPC Member Port
[Figure: two vPC peers, vPC member ports, access switch attached by a vPC]

43 Virtual Port-Channel (vPC) Terminology
vPC VLAN: any VLAN which is carried over the peer-link, even if it isn't trunked on a vPC!
Cisco Fabric Services over Ethernet (CFSoE): used for state sync and config validation between vPC peers
Under normal conditions, traffic received on the peer link cannot be forwarded on a vPC

44 What Happens to vPC When Failures Occur?
Traffic re-hashed to existing vPC member
Traffic may traverse peer-link & egress on a vPC if the correspondent peer vPC instance is down (peer-link used as backup)
Traffic re-hashed to peer
[Figure: failure scenarios shown against four access switches]

45 What if the Peer Link Fails?
1) Secondary checks to see if primary is up (using Peer-Keepalive)
2) If primary is still up, secondary shuts local vPC ports
This server is single homed; what happens to him? He is isolated!!!
The moral: don't single home devices to a vPC peer!

46 What if the Peer Link Fails?
If you have no choice:
    Connect the single attached device to primary vPC peer
    Use dual-active exclude interface-vlan to avoid SVI shutdown

47 vPC Leading Practices
Use diverse 10GE modules to form Peer-Link
Use dedicated mode for Peer-Link ports
    Shared mode is supported but not recommended
Use a dedicated link for Peer-Keepalive and assign to a separate VRF
    If mgmt0 is used, it should be connected to an OOB mgmt network
    Back-to-back mgmt0 connection should only be used in single supervisor implementation
Don't use SVI interface over vPC peer-link as vPC keepalive link!!
[Figure labels: agg1a, agg1b, vpc_pl, vpc_pkl, Mgmt0 x2 on each switch, Mgmt Network]

48 vPC Leading Practices (cont)
Assign unique vPC domain-id for each pair of vPC peer devices in the same L2 domain
    LACP negotiation (LAGID)
Try to match vPC ID to the port-channel number for easier management
[Figure: primary / secondary pair in vpc domain 10 and primary / secondary pair in vpc domain 20]

49 vPC Peer-Gateway Feature
Some devices send traffic to sender's MAC address rather than HSRP virtual MAC
In that case, traffic may cross the Peer-Link to reach the SVI, but will get dropped if exiting through another vPC
Enable peer-gateway to enable devices to act as gateway for packets destined to other peer
[Figure labels: HSRP, Other vPC, Access Switch]

50 vPC Peer-Gateway Feature (cont)
    Nexus7K(config)# vpc domain <domain-id>
    Nexus7K(config-vpc-domain)# peer-gateway
Note: Disable IP redirects on all interface-vlans of this vPC domain for correct operation of this feature!
    interface vlan <vlan x>, vlan <vlan y>
      no ip redirects
Disable IP redirects on all SVIs of the vPC VLANs to avoid generating IP redirect messages if peer-gateway is configured (default in later versions)

51 vPC Peer-Switch Feature
Allows vPC peer devices to act as single STP root
Improves STP convergence during switch failure
    Nexus7K-1a(config-vpc-domain)# peer-switch
    Nexus7K-1a(config)# Spanning-tree vlan pri 8192
    Nexus7K-1b(config-vpc-domain)# peer-switch
    Nexus7K-1b(config)# Spanning-tree vlan pri 8192

    Nexus7K-1a# show spanning-tree summary | i peer
    vpc peer-switch is enabled (operational)
    Nexus7K-1a# sh spanning vlan 1
    ---deleted---
    Root ID Priority 8193
            Address ee.be01
            This bridge is the root
    ---deleted---
    Po1 Desg FWD (vPC peer-link) Network P2p

    Nexus7K-1b# show spanning-tree summary | i peer
    vpc peer-switch is enabled (operational)
    Nexus7K-1a# sh spanning vlan 1
    ---deleted---
    Root ID Priority 8193
            Address ee.be01
            This bridge is the root
    ---deleted---
    Po1 Root FWD (vpc peer-link) Network P2p
[Figure: both peers shown as STP Root, sending BPDUs to the access switch]

52 vPC ARP Synchronisation
CLI enabled on each vPC device
After the peer-link comes up following reload, perform an ARP bulk sync to the peer switch
Improves convergence for Layer 3 flows
[Figure: primary and secondary vPC peers holding the same ARP table: IP1 MAC1 VLAN 100, IP2 MAC2 VLAN 200]

53 vPC and Layer 3 Routing Adjacencies
When connecting Layer 3 routing devices to a vPC domain, do not form routing adjacency with peer devices over vPC member links
[Figure labels: 7K-1, 7K-2, R1, R2, R3, L3 adjacency]

54 vPC & L3 Supported Designs
[Figure labels: 7K-1, 7K-2, VDC1, VDC2, R1]

55 vPC & Single 10GE Modules: What Happens if Single 10GE Module Fails?
1) 10GE module fails: takes down vPC Peer-Link and Core Links
2) Secondary sees Peer-Link has failed, however Peer-Keepalive link shows Peer 1 is alive
3) Secondary peer disables its own vPC links
Result: Complete Isolation!

56 vPC & Single 10GE Modules: What's the Solution?
Preferred solution: use multiple 10GE modules
Enable vPC object tracking to prevent traffic black-hole (supported in NX-OS 4.2)
    Nexus7K-1a(config)# track 1 interface port-channel1 line-protocol
    track 2 interface ethernet1/25 line-protocol
    track 3 interface ethernet1/26 line-protocol
    !
    track 10 list boolean or
      object 1
      object 2
      object 3
    !
    vpc domain 1
      track 10

    Nexus7K-1a# show int po 11
    port-channel11 is down (suspended by vpc)
    Nexus7K-1a# show int vlan 11
    Vlan11 is down, line protocol is down
    Nexus7K-1a# show track 10
    Track 10
      List Boolean or
      Boolean or is DOWN
      6 changes, last change 00:11:12
      Track List Members:
        object 3 DOWN
        object 2 DOWN
        object 1 DOWN
      Tracked by:
        vpcm
[Figure: "Primary, operational secondary" and "Secondary, operational primary" peers, links to core, two access switches]

57 vPC configuration
vPC role priority for primary and secondary device (default is 32667) *no preempt
Best Practice to make common STP root-bridge, HSRP Active Peer
vPC id MUST match across both peers
Port Channel SHOULD match across both peers (mgmt ease)

    feature vpc
    vpc domain 101
      ip arp synchronize
      peer-switch
      role priority 10
      peer-keepalive destination source vrf VPC_KAL
      peer-gateway
    interface port-channel11
      vpc peer-link
    interface port-channel301
      vpc 101

    feature vpc
    vpc domain 101
      ip arp synchronize
      peer-switch
      role priority 20
      peer-keepalive destination source vrf VPC_KAL
      peer-gateway
    interface port-channel11
      vpc peer-link
    interface port-channel301
      vpc

58 Implementation and Leading Practices: Nexus 7000 and Nexus 2248TP (Fabric Extender)

59 The Nexus 2000: a Remote Linecard
The Nexus 2000 (aka Fabric Extender or FEX) can be viewed as a remote linecard for the Nexus 7000:
    No local switching
    Benefit from the feature set of the parent switch
From the network perspective, a device attached to a Nexus 2000 behaves as if it was directly attached to the parent switch.
[Figure: physical view and logical view]

60 Nexus 7000 with Fabric Extenders
Combines benefits of Top of Rack (ToR) & End of Row (EoR) network architectures
Physically resides on the top of each server rack
Logically acts like an end of access row device
Scales in a manner that enables collapsing of Agg + Access layers in many networks
2 x N2248 per server rack

61 Data Centre Designs with Nexus 7000 & 2000
[Figure: Core; Aggregation + Access; FEX]

62 Data Centre Designs with Nexus 7000 & 2000
[Figure: Core + Aggregation + Access; FEX]

63 Nexus 7000 / 2000: Supported Topologies
Single-attached
Standard NIC teaming* (active / standby)
Active / Active with MAC Pinning (Nexus 1000V, etc)
* Be aware of impact of Peer-Link failure

64 Coming Soon!
Port-Channel from Host
vPC from Host to Fabric Extender

65 Nexus 7000 / 2248 Connectivity Rules
Up to 32 Nexus 2248 attached to a single Nexus 7000
N7K-M132XP-12 and N7K-M132XP-12XL linecards only
Port channel between a Nexus 2248 and a single Nexus 7000 (no vPC)
The port channel can span several I/O Modules for redundancy

66 Fabric Extender Configuration
    Nexus7000# show run interface 1/3
    interface Ethernet1/3
      switchport mode fex-fabric
      fex associate 100
      channel-group 1
[Figure labels: Host ok; Edge + BPDU guard; Must not send BPDUs]
    Nexus7000# show interface brief
    Ethernet     VLAN  Type  Mode    Status  Reason              Speed    Port
    Interface                                                             Ch #
    Eth100/1/1   100   eth   access  up      none                auto(d)  --
    Eth100/1/2   1     eth   access  up      none                1000(D)  --
    Eth100/1/3   100   eth   access  up      none                1000(D)  --
    Eth100/1/4   100   eth   access  down    Link not connected  1000(D)  --
    Eth100/1/5   100   eth   access  down    Link not connected  1000(D)  --
    Eth100/1/6   100   eth   access  down    Link not connected  1000(D)  --
    Eth100/1/7   1     eth   access  down    Link not connected  1000(D)  --

67 Implementation and Leading Practices: Access Control

68 Network Access
Allow only SSH remote access (default)
    If telnet is required, feature telnet
    If telnet access to CMP is required, telnet server enable needs to be configured on the CMP
Secure interface mgmt0 with ACL
    CoPP does not protect interface mgmt0
    ACL with the logging option is supported in NX-OS 5.0
ACL is not supported on VTY
    CoPP can be leveraged to secure VTY access
Configure exec-timeout for VTY and console access

    Nexus7K(config)# no feature telnet
    !
    vrf context management
      ip route 0.0.0.0/0 <IP address>
    !
    ip access-list <ACL-name>
      10 remark allow specific ssh
      11 permit tcp <addr>/24 any eq 22
      12 permit tcp any eq 22 <addr>/24
      13 deny tcp any any eq 22
      14 deny tcp any eq 22 any
      20 remark allow specific snmp
      21 permit udp <addr>/24 any eq snmp
      ..
      50 permit ip any any
    !
    interface mgmt0
      ip address <ip address>/<mask>
      ip access-group <ACL-name> in
    !
    line vty
      exec-timeout <time>
      session-limit <session#>
    line console
      exec-timeout <time>
    !
    int cmp-mgmt module <module>
      ip address <addr>/<mask>
      ip default-gateway <IP addr>
    Nexus7K-cmp10(config)# telnet server enable
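
The access-control practices on slide 68, the peer-gateway rule on slide 50 and the global L2 settings on slides 34 and 37 can be checked mechanically against a saved running-config. The script below is an added example, not part of the original deck or any Cisco tool; the finding names and the sample configuration are constructed for illustration, and it checks every SVI because it cannot tell which VLANs are vPC VLANs.

```python
import re

# Global commands the deck recommends (slides 34 and 37) -> finding if absent.
REQUIRED_GLOBALS = {
    "vlan dot1q tag native": "native-vlan-not-tagged",
    "spanning-tree port type edge bpduguard default": "bpduguard-not-default",
}

# Constructed sample running-config (not from the slides).
SAMPLE_CONFIG = """\
feature telnet
feature vpc
spanning-tree port type edge bpduguard default
ip access-list MGMT-IN
  11 permit tcp 192.0.2.0/24 any eq 22
  50 permit ip any any
vpc domain 10
  peer-gateway
interface mgmt0
  vrf member management
  ip address 192.0.2.10/24
interface Vlan10
  no ip redirects
interface Vlan20
  ip address 198.51.100.1/24
line vty
  exec-timeout 10
"""


def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return finding IDs for the deck's practices that the config misses."""
    sec = parse_sections(config)
    findings = []

    # Slide 68: SSH only, so telnet must not be enabled.
    if "feature telnet" in sec:
        findings.append("telnet-enabled")

    # Slide 68: CoPP does not protect mgmt0, so it needs its own inbound ACL,
    # and the ACL it names has to be defined.
    acl = None
    for line in sec.get("interface mgmt0", []):
        m = re.fullmatch(r"ip access-group (\S+) in", line)
        if m:
            acl = m.group(1)
    if acl is None:
        findings.append("mgmt0-no-acl")
    elif f"ip access-list {acl}" not in sec:
        findings.append("mgmt0-acl-undefined")

    # Slide 68: explicit exec-timeout on VTY and console.
    # A value of 0 is treated here as "no timeout".
    for line_type in ("vty", "console"):
        timeout = None
        for line in sec.get(f"line {line_type}", []):
            m = re.fullmatch(r"exec-timeout (\d+)", line)
            if m:
                timeout = int(m.group(1))
        if not timeout:
            findings.append(f"{line_type}-no-exec-timeout")

    # Slide 50: with peer-gateway configured, SVIs need "no ip redirects".
    peer_gw = any(k.startswith("vpc domain ") and "peer-gateway" in v
                  for k, v in sec.items())
    if peer_gw:
        for name, body in sec.items():
            m = re.fullmatch(r"interface (vlan\d+)", name, re.IGNORECASE)
            if m and "no ip redirects" not in body:
                findings.append(f"svi-ip-redirects:{m.group(1)}")

    # Slides 34 and 37: global L2 hardening commands.
    for command, finding in REQUIRED_GLOBALS.items():
        if command not in sec:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```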

69 Control Plane Policing (CoPP)
Implement strict control plane policing (default)
If default policy is required, run setup command to reapply the default policy after software upgrade between major releases
    Any non-default CoPP policies need to be reapplied after setup
    Future software release will generate syslog on CoPP policy changes
Tune default CoPP policy according to needs
    The configured setting is per line card and not per system. If high number of I/O modules are installed, the conform rate may need to be tuned down
    Future enhancement to generate syslog messages if drops exceed user configured threshold
    Nexus7K# setup
    ----deleted----
    Configure best practices CoPP profile (strict/moderate/lenient/none) [strict]:
    Nexus7K# show policy-map interface control-plane | inc violated
    violated 59 bytes; action: drop
    (per module statistics)
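
Since the slide lists a syslog on CoPP drops only as a future enhancement, the per-module `violated` counters can be compared between two polls instead. This is an added example, not from the original deck: the two outputs are constructed, the class names are hypothetical, and the class-map / module layout is an assumption built around the `violated ... bytes; action: drop` line the slide shows.

```python
import re

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
MODULE_RE = re.compile(r"^\s*module\s+(\d+)\s*:")
VIOLATED_RE = re.compile(r"^\s*violated\s+(\d+)\s+bytes;\s*action:\s*drop")

# Constructed output of "show policy-map interface control-plane", first poll.
POLL_1 = """\
class-map example-class-routing (match-any)
  module 1 :
    conformed 48210 bytes; action: transmit
    violated 0 bytes; action: drop
  module 2 :
    conformed 1900 bytes; action: transmit
    violated 59 bytes; action: drop
class-map example-class-monitoring (match-any)
  module 1 :
    conformed 700 bytes; action: transmit
    violated 4000 bytes; action: drop
"""

# Constructed second poll: module 2 is now dropping heavily, and the monitoring
# counter on module 1 is lower than before (cleared or module reloaded).
POLL_2 = """\
class-map example-class-routing (match-any)
  module 1 :
    conformed 52000 bytes; action: transmit
    violated 0 bytes; action: drop
  module 2 :
    conformed 2400 bytes; action: transmit
    violated 90059 bytes; action: drop
class-map example-class-monitoring (match-any)
  module 1 :
    conformed 300 bytes; action: transmit
    violated 1500 bytes; action: drop
"""


def parse_violations(output):
    """Return {(class_name, module): violated_bytes} from the command output."""
    counters, cls, mod = {}, None, None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cls, mod = m.group(1), None
            continue
        m = MODULE_RE.match(line)
        if m:
            mod = int(m.group(1))
            continue
        m = VIOLATED_RE.match(line)
        if m and cls is not None and mod is not None:
            counters[(cls, mod)] = int(m.group(1))
    return counters


def drops_since(previous, current, threshold_bytes):
    """List (class, module, new_dropped_bytes) entries above the threshold."""
    alerts = []
    for (cls, mod), now in sorted(current.items()):
        before = previous.get((cls, mod), 0)
        # A counter lower than last time means it was cleared or the module
        # reloaded, so everything counted so far is new.
        delta = now - before if now >= before else now
        if delta > threshold_bytes:
            alerts.append((cls, mod, delta))
    return alerts


def drops_by_module(alerts):
    """Sum alerted drops per line card, since CoPP rates apply per module."""
    totals = {}
    for _cls, mod, delta in alerts:
        totals[mod] = totals.get(mod, 0) + delta
    return totals


if __name__ == "__main__":
    found = drops_since(parse_violations(POLL_1), parse_violations(POLL_2), 1000)
    for cls, mod, delta in found:
        print(f"CoPP drops: class {cls} module {mod}: {delta} bytes since last poll")
```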

70 Packet Sanity Checks
The Intrusion Detection System (IDS) check performs sanity checks on the IP headers to protect the network and the system (enabled by default)
    In NX-OS 5.0, the system generates syslogs on IDS drops (max is one every 30 min)
It is recommended to disable fragment IDS check since some applications send IP packets with DF bit and fragment offset
    Fragment IDS check is disabled by default in NX-OS 5.0
Disable individual IDS checks as required
    Ex. If BFD is configured, disable address identical IDS check
    Nexus7K# show hardware forwarding ip verify
    IPv4 and v6 IDS Checks   Status    Packets Failed
    ---deleted---
    address identical        Enabled   0
    ---deleted---
    fragment                 Enabled   0
    ---deleted---
    Nexus7K(config)# no hardware ip verify fragment
    Nexus7K(config)# no hardware ip verify address identical


Deploying Nexus 7000 in Data Center Networks BRKDCT-2951

Deploying Nexus 7000 in Data Center Networks BRKDCT-2951 Deploying Nexus 7000 in Data Center Networks BRKDCT-2951 Session Abstract This session is targeted to network administrators and operators who have deployed or are considering the deployment of the Nexus

More information

Configuring Virtual Port Channels

Configuring Virtual Port Channels Configuring Virtual Port Channels This chapter describes how to configure virtual port channels (vpcs) on Cisco Nexus 5000 Series switches. It contains the following sections: Information About vpcs, page

More information

Configuring Virtual Port Channels

Configuring Virtual Port Channels This chapter contains the following sections: Information About vpcs, page 1 Guidelines and Limitations for vpcs, page 10 Verifying the vpc Configuration, page 11 vpc Default Settings, page 16 Configuring

More information

Configuring Virtual Port Channels

Configuring Virtual Port Channels This chapter contains the following sections: Information About vpcs, page 1 Guidelines and Limitations for vpcs, page 10 Configuring vpcs, page 11 Verifying the vpc Configuration, page 25 vpc Default

More information

Configuring Virtual Port Channels

Configuring Virtual Port Channels This chapter contains the following sections: Information About vpcs vpc Overview Information About vpcs, on page 1 Guidelines and Limitations for vpcs, on page 11 Verifying the vpc Configuration, on page

More information

Pass-Through Technology

Pass-Through Technology CHAPTER 3 This chapter provides best design practices for deploying blade servers using pass-through technology within the Cisco Data Center Networking Architecture, describes blade server architecture,

More information

Cisco NX-OS Interfaces Commands

Cisco NX-OS Interfaces Commands This chapter describes the Cisco NX-OS interfaces commands. IF-1 attach fex attach fex To access the command-line interface (CLI) of a connected Fabric Extender to run diagnostic commands, use the attach

More information

Configuring Private VLANs Using NX-OS

Configuring Private VLANs Using NX-OS This chapter describes how to configure private VLANs on Cisco NX-OS devices. Private VLANs provide additional protection at the Layer 2 level. This chapter includes the following sections: Finding Feature

More information

Deploying Virtual Port Channel in NX-OS

Deploying Virtual Port Channel in NX-OS Deploying Virtual Port Channel in NX-OS 2 Housekeeping We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will

More information

Layer 2 Implementation

Layer 2 Implementation CHAPTER 3 In the Virtualized Multiservice Data Center (VMDC) 2.3 solution, the goal is to minimize the use of Spanning Tree Protocol (STP) convergence and loop detection by the use of Virtual Port Channel

More information

Configuring Port Channels

Configuring Port Channels CHAPTER 5 This chapter describes how to configure port channels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of port channels in Cisco DCNM. For more information

More information

Initial Configuration

Initial Configuration CHAPTER 2 This chapter provides Cisco NX-OS best practices that are that typically configured when a Cisco Nexus 7000 Series switch is powered up for the first time and the user is connected to the RS-232

More information

Cisco Configuring Cisco Nexus 7000 Switches v3.1 (DCNX7K)

Cisco Configuring Cisco Nexus 7000 Switches v3.1 (DCNX7K) Course Overview View Course Dates & Register Today This course is designed for systems and field engineers who configure the Cisco Nexus 7000 Switch. This course covers the key components and procedures

More information

Nexus 7000 F3 or Mx/F2e VDC Migration Use Cases

Nexus 7000 F3 or Mx/F2e VDC Migration Use Cases Nexus 7000 F3 or Mx/F2e VDC Migration Use Cases Anees Mohamed Network Consulting Engineer Session Goal M1 VDC M1/M2 VDC M2/F3 VDC M1/F1 VDC M1/M2/F2e VDC F2/F2e/F3 VDC F2 VDC F3 VDC You are here This Session

More information

Návrh serverových farem

Návrh serverových farem Návrh serverových farem DCTECH4 Martin Diviš Consulting Systems Engineer mdivis@cisco.com Sponsor Sponsor Sponsor Sponsor Logo Logo Logo Logo CIscoEXPO 1 Agenda Introduction 5k/2k update Basic Concepts

More information

Configuring StackWise Virtual

Configuring StackWise Virtual Finding Feature Information, page 1 Restrictions for Cisco StackWise Virtual, page 1 Prerequisites for Cisco StackWise Virtual, page 2 Information About Cisco Stackwise Virtual, page 2 Cisco StackWise

More information

Configuring SPAN. About SPAN. SPAN Sources

This chapter describes how to configure an Ethernet switched port analyzer (SPAN) to analyze traffic between ports on Cisco NX-OS devices. This chapter contains the following sections: About SPAN

Configuring Cisco Nexus 7000 Series Switches

DCNX7K v3.1; 5 Days, Instructor-led. Course Description: The Configuring Cisco Nexus 7000 Switches (DCNX7K) v3.0 course is a 5-day ILT training program that is

Configuring Enhanced Virtual Port Channels

This chapter contains the following sections: Information About Enhanced vPCs; Licensing Requirements for Enhanced vPC; Configuring Enhanced vPCs; Verifying Enhanced vPCs; Enhanced

Best Practices come from YOU

Cisco and/or its affiliates. All rights reserved. Apple iPhone 4 launched in June 2010. Antennagate. iPhone 4 Best Practices from CUSTOMERS. vPC Best Practices and Design on NXOS. Nazim Khan, CCIE#39502 (DC/SP), Technical

Configuring SPAN. Finding Feature Information. About SPAN. SPAN Sources

This chapter describes how to configure an Ethernet switched port analyzer (SPAN) to analyze traffic between ports on Cisco NX-OS devices. Finding Feature Information; About SPAN; Licensing

Overview. Information About High Availability

Chapter 1. Cisco NX-OS is a resilient operating system that is specifically designed for high availability at the network, system, and process level. This chapter describes high availability (HA) concepts

Migrate from Cisco Catalyst 6500 Series Switches to Cisco Nexus 9000 Series Switches

Migration Guide, November 2013. 2013 Cisco and/or its affiliates. All rights reserved. This document is

Troubleshooting Cisco Data Center Unified Fabric

Number: 642-980. Passing Score: 800. Time Limit: 120 min. File Version: 1.0. http://www.gratisexam.com/ Exam A, Question 1: Which command displays the traffic

CCNA Semester 3 labs. Part 1 of 1. Labs for chapters 1-8

2.1.2.12 Lab - Building a Switched Network with Redundant Links; 2.3.2.3 Lab - Configuring Rapid PVST+, PortFast and BPDU Guard; 2.4.3.4 Lab - Configuring

Configuring Port Channels

Chapter 5. This chapter describes how to configure port channels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of port channels using Cisco Data Center Network

Configuring Control Plane Policing

Chapter 21. This chapter describes how to configure control plane policing (CoPP) on the NX-OS device. This chapter includes the following sections: Information About CoPP; Guidelines and Limitations

Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels

Design Guide. Updated to Cisco NX-OS Software Release 5.1(3)N1(1). Design Guide October

Catalyst 4500 Series IOS Commands

New Commands: call-home (global configuration), call-home request, call-home send, call-home send alert-group, call-home test, clear energywise neighbors, clear errdisable

Exam Questions

642-997 DCUFI: Implementing Cisco Data Center Unified Fabric (DCUFI) v5.0. https://www.2passeasy.com/dumps/642-997/ 1. Which SCSI terminology is used to describe source and destination nodes?

Verified Scalability Limits

This chapter describes the Cisco NX-OS configuration limits for the Cisco Nexus 9000 Series switches. Introduction; Deployment Case Studies. Introduction: The values provided in this

Catalyst 4500 Series IOS Commands

New Commands: dot1x guest-vlan supplicant, ip dhcp snooping information option allow-untrusted, port-security mac-address, port-security mac-address sticky, port-security

Configuring Rapid PVST+ Using NX-OS

This chapter describes how to configure the Rapid per VLAN Spanning Tree (Rapid PVST+) protocol on Cisco NX-OS devices. This chapter includes the following sections:

vPC Best Practices and Design on NX-OS

Nemanja Kamenica (nkamenic@cisco.com), Engineer, Technical Marketing. BRKDCN-2378. Questions? Use Cisco Spark to chat with the speaker after the session

Integrated Switch Technology

Chapter 2. This section discusses the following topics: Cisco Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter; Cisco Gigabit Ethernet Switch Module for the HP BladeSystem; Cisco Intelligent

VXLAN EVPN Multihoming with Cisco Nexus 9000 Series Switches

White Paper. 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Contents: Introduction...

Finding Feature Information. Information About DHCP Snooping. Information About the DHCPv6 Relay Agent

This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: Finding Feature Information; Information

Configuring STP Extensions Using Cisco NX-OS

This chapter describes how to configure Spanning Tree Protocol (STP) extensions on Cisco NX-OS devices. This chapter includes the following sections: Finding Feature Information; Information About

Configuring TAP Aggregation and MPLS Stripping

This chapter describes how to configure TAP aggregation and MPLS stripping on Cisco NX-OS devices. This chapter contains the following sections: About TAP Aggregation; About MPLS Stripping

Massimiliano Sbaraglia

Diagram labels: Printer; Layer 2 access connections to End-Point; Layer 2 connections trunk or layer 3 p2p to pair distribution switch; PC; CSA; PVST+ or MST (Spanning Tree Protocol); VLANs; LapTop; VoIP

Verified Scalability Limits

This chapter describes the Cisco NX-OS configuration limits for the Cisco Nexus 9000 Series switches. Introduction; Deployment Case Studies. Introduction: The values provided in this

Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise?

Volume: 283 Questions. Question No: 1 What is the maximum number of switches that can be stacked using Cisco StackWise? A. 4 B. 5 C. 8 D. 9 E. 10 F. 13 Answer: D. Question No: 2 A network engineer wants

Configuring VXLAN EVPN Multi-Site

This chapter contains the following sections: About VXLAN EVPN Multi-Site; Licensing Requirements for VXLAN EVPN Multi-Site; Guidelines and Limitations for VXLAN EVPN Multi-Site

Configuring Spanning Tree Protocol

Chapter 7. This chapter describes how to configure Spanning Tree Protocol (STP) on the Cisco wireless mobile interface card (WMIC). Note: For complete syntax and usage information for the commands used in

itexamdump: the best and latest IT certification exam dumps, with one year of free updates

http://www.itexamdump.com Exam: 642-813. Title: Implementing Cisco IP Switched Networks. Vendor: Cisco. Version: DEMO. Get Latest & Valid 642-813 Exam's Question

Configuring Rapid PVST+

This chapter describes how to configure the Rapid per VLAN Spanning Tree (Rapid PVST+) protocol on Cisco NX-OS devices using Cisco Data Center Manager (DCNM) for LAN. For more information about the Cisco

CCNP (Routing & Switching and T.SHOOT)

Course Content. Module 300-101 ROUTE: 1.0 Network Principles; 1.1 Identify Cisco Express Forwarding concepts; 1.1.a FIB; 1.1.b Adjacency table; 1.2 Explain general network

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

CertBus.com 300-115 Q&As. Pass Cisco 300-115 Exam with 100% Guarantee. Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee

Configuring IPv4. Finding Feature Information

This chapter contains the following sections: Finding Feature Information; Information About IPv4; Virtualization Support for IPv4; Licensing Requirements for IPv4; Prerequisites

Configuring Fabric and Interfaces

Fabric and Interface Configuration; Graceful Insertion and Removal (GIR) Mode; Configuring Physical Ports in Leaf Nodes and FEX Devices Using the NX-OS CLI; Configuring Port

Overlay Transport Virtualization Best Practices Guide

Configuration Guide, October 2013. 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Everyone in this room is a GENIUS

What are Best Practices? Learning from others' mistakes. Learning from your mistakes makes you SMART. Learning from others' mistakes makes you GENIUS. vPC Best Practices

Configuring VLANs. Understanding VLANs

Chapter 9. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN membership modes, VLAN configuration

examcollection.premium.exam.157q. Exam code: Exam name: Implementing Cisco IP Switched Networks. Version 15.0

300-115.examcollection.premium.exam.157q. Number: 300-115. Passing Score: 800. Time Limit: 120 min. File Version: 15.0. Exam code: 300-115. Exam name: Implementing Cisco IP Switched Networks. Version 15.0. Question

FSOS. Ethernet Configuration Guide

Contents: 1 Configuring Interface; 1.1 Overview; 1.2 Configuring Interface State; 1.2.1 Configurations; 1.2.2 Validation; 1.3 Configuring Interface Speed

Chapter 2 Catalyst 3560 Switch Cisco IOS Commands: shutdown. This command has no arguments or keywords.

Use the shutdown interface configuration command to disable an interface. Use the no form of this command to restart a disabled interface.

Cisco Catalyst 4500 E-Series High Availability

Introduction: High availability is a critical requirement of most networks. Minimizing Ethernet switch downtime maximizes productivity for hosts and other

Cisco Certdumps Questions & Answers - Testing Engine

Cisco Certdumps 642-996 Questions & Answers - Testing Engine. Number: 642-996. Passing Score: 797. Time Limit: 120 min. File Version: 16.8. http://www.gratisexam.com/ Sections: 1. A 2. B 3. C 4. Exhibit Case

Network-Level High Availability

This chapter describes Cisco NX-OS network high availability and includes the following sections: Information About; Licensing Requirements; Spanning Tree Protocol; Virtual Port Channels

Configuring Private VLANs

Chapter 15. This chapter describes how to configure private VLANs on the Cisco 7600 series routers. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco

Configuring Private VLANs

Finding Feature Information; Prerequisites for Private VLANs; Restrictions for Private VLANs; Information About Private VLANs; How to Configure Private VLANs

RealCiscoLAB.com. Configure inter-vlan routing with HSRP to provide redundant, fault-tolerant routing to the internal network.

CCNPv6 SWITCH: Hot Standby Router Protocol. Objective: Configure inter-VLAN routing with HSRP to provide redundant, fault-tolerant routing to the internal network. Background: Hot

Cisco Nexus 7000 Series Connectivity Solutions for the Cisco Unified Computing System

About the Cisco Nexus 7000 Series Switches: The Cisco Nexus 7000 Series Switches combine the highest level of scalability

Configuring VLANs. Understanding VLANs

Chapter 14. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN

CCNA Semester 3 labs. Labs for chapters 2-10

2.1.4.5 Lab - Configure Extended VLANs, VTP, and DTP; 2.2.2.5 Lab - Troubleshooting Inter-VLAN Routing; 3.1.2.12 Lab - Building a Switched Network with Redundant

Cisco EXAM Cisco ADVDESIGN. Buy Full Product.

Cisco EXAM - 352-001 Cisco ADVDESIGN. http://www.examskey.com/352-001.html Examskey Cisco 352-001 exam demo product is here for you to test the quality of the product. This Cisco 352-001

Cisco Certified Network Associate (200-125)

Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50-60 question assessment that

Question: 2 Which option accurately describes the implementation of Fibre Channel domain IDs?

Volume: 186 Questions. Question: 1 What is the status of FC interface associated with ethernet 1/5 indicate? A. Trunk VSAN 11 is isolated B. Interface vfc 5 is up and running for the assigned VSAN C. Trunk

Configuring Virtual Private LAN Services

Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS

Cisco Nexus 7000 Series Virtual Device Context Deployment Scenarios and Recommended Practices

White Paper. What You Will Learn: This document discusses the applicability, use cases, and recommended practices

Charting the Course... Implementing Cisco Data Center Infrastructure (DCII) Course Summary

Description: v6.0 is a five-day instructor-led course that is designed to help students prepare for the Cisco CCNP Data Center certification and for professional-level data center roles.

Page 2

Mgmt-B, vmotion-a vmotion-b VMM-Pool-B_ Connection-B -Set-A Uplink-Set-A Uplink-Set-B ACI-DC Standard Aggregation L3 Switch Configuration for existing Layer 2: Nexus 6K-01 switch is

Connecting to the Management Network and Securing Access

Chapter 3. This chapter provides Cisco NX-OS recommended best practices for connecting a Cisco Nexus 7000 Series switch to the management network(s) and securing

Configuring Cisco StackWise Virtual

Finding Feature Information; Restrictions for Cisco StackWise Virtual; Prerequisites for Cisco StackWise Virtual; Information About Cisco StackWise Virtual; Cisco StackWise

Real4Test. Real IT Certification Exam Study materials/braindumps

http://www.real4test.com Exam: 400-101. Title: CCIE Routing and Switching Written Exam v5.1. Vendor: Cisco. Version: DEMO. Get Latest & Valid

Configuring VM-FEX. Information About VM-FEX. VM-FEX Overview. VM-FEX Components

This chapter contains the following sections: Information About VM-FEX; Licensing Requirements for VM-FEX; Default Settings for VM-FEX; Verifying the VM-FEX Configuration

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School

CCNA Cisco Certified Network Associate (200-125). Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50-60 question assessment

Technical Overview of Virtual Device Contexts

The Cisco Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based

Chapter 2 LAN Redundancy

2.0.1.2 Class Activity: Stormy Traffic. Objective: Explain the purpose of the Spanning Tree Protocol (STP) in a switched LAN environment with redundant

Configuring VLANs. Understanding VLANs

Chapter 11. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. It includes information

Configuring VLANs. Understanding VLANs

Chapter 12. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership

Configuring Control Plane Policing

This chapter contains the following sections: Information About CoPP; Control Plane Protection; CoPP Policy Templates; CoPP Class Maps; Packets

Configuring Static and Dynamic NAT Translation

This chapter includes the following sections: Network Address Translation Overview; Information About Static NAT; Dynamic NAT Overview; Timeout Mechanisms; NAT Inside

CCNA Routing and Switching (NI400+401)

150 Hours. Outline: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50-60 question assessment that is

Course: Duration: Fees: Cisco Learning Credits: Kit:

Course: DCNX7K v3.0 - Configuring Cisco Nexus 7000 Series Switch. Duration: 5 days lecture course and hands-on lab. Fees: $3,395 USD. Cisco Learning Credits: 34. Kit: Digital Version. Course Details: The Configuring

Configuring Rapid PVST+

This chapter contains the following sections: Information About Rapid PVST+; Verifying the Rapid PVST+ Configuration. Information About Rapid PVST+: The Rapid PVST+ protocol is the

Configuring Port-Based Traffic Control

Overview of Port-Based Traffic Control; Finding Feature Information; Information About Storm Control; How to Configure Storm Control; Information About Protected Ports

VLAN Configuration. Understanding VLANs

Chapter 11. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the CGR 2010 ESM. It includes information about VLAN membership

Configuring VLANs. Understanding VLANs

Chapter 10. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

http://www.prepawayexam.com/ Exam: 642-997. Title: Implementing Cisco Data Center Unified Fabric (DCUFI). Vendor: Cisco

RealCiscoLAB.com. Inter-VLAN Routing with an Internal Route Processor and Monitoring CEF Functions

CCNPv6 SWITCH. Objective: Route between VLANs using a 3560 switch with an internal route

Interfaces for Firepower Threat Defense

This chapter includes Firepower Threat Defense interface configuration including Ethernet settings, EtherChannels, VLAN subinterfaces, IP addressing, and more. About Firepower Threat Defense Interfaces,

TEXTBOOK MAPPING CISCO COMPANION GUIDES

TestOut Routing and Switching Pro - English 6.0.x. Modified 2018-08-20. Objective Mapping: Cisco 100-105 ICND1 Objective to LabSim Section. # Exam Objective TestOut

Configuring STP and RSTP

Chapter 7. This chapter describes the IEEE 802.1D Spanning Tree Protocol (STP) and the ML-Series implementation of the IEEE 802.1W Rapid Spanning Tree Protocol (RSTP). It also explains

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

CCNPv7.1 SWITCH. Objectives: Secure the server farm using private VLANs. Secure the staff VLAN from the student VLAN. Secure the

Describing the STP. Enhancements to STP. Configuring PortFast. Describing PortFast. Configuring. Verifying

Enhancements to STP: PortFast; Per VLAN Spanning Tree+ (PVST+); Rapid Spanning Tree Protocol (RSTP); Multiple Spanning Tree Protocol (MSTP). MSTP is also known as Multi-Instance Spanning

Authorized CCNP. Student. LabManual SWITCH.

Authorized CCNP SWITCH Student Lab Manual. Web: www.networkershome.com Email: info@networkershome.com. Authorized CCNP SWITCH Workbook, Module: 01 to 20. Copyrights NetworkersHome 2007-2015.

Configuring Port Channels

This chapter contains the following sections: Information About Port Channels; Verifying Port Channel Configuration; Verifying the Load-Balancing Outgoing Port ID; Feature

Symbols. Numerics INDEX

Index. Symbols: $ matches the end of a string; ( ) in commands; * matches 0 or more sequences of a pattern; + matches 1 or more sequences of a pattern; . matches any single character; ? command; ? matches