Cisco Nexus 7000 Introduction To NX-OS 2014-05-20


Cisco Demo Cloud (dCloud)

Cisco Nexus 7000: Introduction to NX-OS


Last Updated: 20-MAY-2014

About This Cisco solution


The Cisco NX-OS software for the Cisco Nexus 7000 Series switches fulfills the routing, switching, and storage networking
requirements of data centers and provides an Extensible Markup Language (XML) interface and a command-line interface (CLI)
similar to Cisco IOS software.

About This Demonstration


Nexus 7000

The Cisco Nexus 7000 Series is a modular, data-center-class family of switching systems designed for highly scalable end-to-end
10 Gigabit Ethernet networks. It is purpose-built for the data center and has many unique features and capabilities designed
specifically for the most mission-critical place in the network: the data center.

Cisco NX-OS

Cisco NX-OS, a state-of-the-art operating system, powers the Cisco Nexus 7000 Platform. Cisco NX-OS is a data center-class
operating system built with modularity, resiliency, and serviceability at its foundation. Drawing on its Cisco IOS and Cisco SAN-OS
heritage, Cisco NX-OS helps ensure continuous availability and sets the standard for mission-critical data center environments.

Titanium

For this demo, we will be using Titanium instead of real Nexus 7000 hardware. The Titanium project allows the NX-OS software to
run natively on Intel-based machines (on its own Linux kernel). It is currently considered a best-effort side project of the DCBU
engineering team. Only control-plane features and functions are available in a Titanium image; the hardware forwarding
functionality is, obviously, not available at all. The ability to run NX-OS on a Titanium-based computer allows Cisco employees to run
demos and to offer training on at least a portion of the NX-OS based products. Within the scope of this hands-on demo, therefore,
the Titanium boxes deliver an experience equal to that of real Nexus 7000 hardware.

Demo Objectives

This self-paced hands-on demonstration introduces users to the new NX-OS, the operating system powering the Nexus family of
switches. Participants will configure some of the new features present in NX-OS. The demo also focuses on some of the aspects
that differentiate NX-OS from the classical IOS. At the end of this demo session, attendees should have gained some degree of
familiarity with NX-OS and should be able to describe some of the main differences between NX-OS and the classical IOS.

Demonstration Requirements
The table below outlines the requirements for this preconfigured demo.

Table 1. Demo Requirements

Required            Optional

● Laptop            ● Cisco AnyConnect

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 39
Demonstration Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios and features of this Cisco
solution. All access information needed to complete the demonstration scenario is located in the Topology and Servers menus of
your active demonstration, and throughout this script.

● Topology Menu. Click on any server in the topology to display the available server options and credentials.

● Servers Menu. Click on any server name (or the icon next to it) to display the available server options and credentials.

Figure 1. Demonstration Topology

Demonstration Preparation
BEFORE DEMONSTRATING

We strongly recommend that you go through this process at least once, before presenting in front of a live audience. This will allow
you to become familiar with the structure of the document and the demonstration.

PREPARATION IS KEY TO A SUCCESSFUL CUSTOMER PRESENTATION.

Follow the steps below to schedule and configure your demonstration environment.

1. Browse to dcloud.cisco.com, choose the location closest to you, and then login with your Cisco.com credentials.

2. Schedule a session. [Show Me How].

3. Test your bandwidth from the demo location before performing any scenario. [Show Me How]

4. Verify your session has a status of Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.

NOTE: It may take up to 10 minutes for your demo to become active.

5. Access the demonstration workstation named wkst1 and log in using the following credentials: IP Address: 198.18.133.36,
Username: dcloud\demouser, Password: C1sco12345.

o Recommended method: Use Cisco AnyConnect [Show Me How] and the local RDP client on your laptop.
[Show Me How]

o Alternate method: Use the Cisco dCloud Remote Desktop client with HTML5. [Show Me How]

o Accept any certificates or warnings.

Cisco dCloud
This demonstration is hosted in Cisco’s dCloud. Within this demo, you are provided with your personal dedicated virtual pod
(vPod). You connect via RDP to a so-called “Cisco dCloud workstation” within this host and walk through the demo steps below. All
necessary tools to complete this demo can be found in the “Cisco dCloud workstation”. Refer to the “Demonstration Preparation”
section for details on how to reach the “Cisco dCloud workstation” within your demo session.

Figure 2. Logical Demo Topology

The username and password to access the Cisco dCloud Workstation of this vPod are listed below:

● User Name: dcloud\demouser

● Password: C1sco12345

Demo Procedure
The demo represents a typical data center setup with a Core and an Aggregation layer. The Core layer consists of one Titanium box
representing a Nexus 7000, while the Aggregation layer is composed of two Titanium boxes, representing two Nexus 7000s. This
demo is designed around the configuration of the Aggregation layer devices; the Core layer device is already pre-configured.

During this demo, the participants will go through the following scenarios:

● System Configuration

● Management VRF Concept and Basic Connectivity

● CLI Familiarization

● Role Based Access Control (RBAC)

● Configuration Rollback

● Configuration Session

● OSPF Configuration

● Process Restartability

● Licensing

● Hot Standby Router Protocol (HSRP)

Demo Topology and Access


The logical topology is shown below.

Figure 3. Logical Topology

Additional Information
For details of the loopback interfaces refer to the table below.

Table 2. Loopback Interfaces

Router Loopback Interface Address

N7k-1 128.0.0.1/24

N7k-2 128.0.0.2/24

N7k-3 128.0.0.3/24

The default gateway is: 198.18.128.1/18

The default gateway is reachable only through the management interfaces.

Access
The Titanium boxes are reachable via SSH. The PuTTY SSH client is available on the desktop and has been pre-configured for
each router. Refer to the table below for details.

Table 3. Management Interface Addresses

Router Management Interface Address

N7k-1 n7k-1.dcloud.cisco.com (198.18.133.221)

N7k-2 n7k-2.dcloud.cisco.com (198.18.133.222)

N7k-3 n7k-3.dcloud.cisco.com (198.18.133.223)

● User Name: admin

● Password: C1sco12345

Scenario 1: System Configuration
Throughout this demo, we will use only the management interface. However, keep in mind that a Nexus 7000 requires console
access to perform the initial configuration of the system. After the initial configuration, the system can be completely managed
from the management and/or the CMP interfaces.

Use PuTTY to SSH into the management interface of the Nexus 7000 Access Layer device “n7k-2.dcloud.cisco.com” with the
username “admin” and the password “C1sco12345”.

Now we are ready to go!

These are the steps for this scenario:

● Verify the hardware configuration

● Check the software version

● Check running-config and running-config all

Verify the Hardware Configuration


Let us start by checking the hardware of the system. Please remember that this is a Titanium box. Therefore, the displayed
hardware will look slightly different from a real Nexus 7000.

show module

n7k-2(config)# sh mod
Mod Ports Module-Type                         Model              Status
--- ----- ----------------------------------- ------------------ ----------
1   0     Unknown Module                      TITANIUM           active *
2   9     Titanium Ethernet Module                               ok

Mod Sw             Hw      World-Wide-Name(s) (WWN)
--- -------------- ------- --------------------------------------------------
1   6.1(2)         0.14081 --
2   NA             0.0     --

Mod MAC-Address(es)                        Serial-Num
--- -------------------------------------- ----------
1   00-19-07-6c-5a-a8 to 00-19-07-6c-62-a7 T505
2   02-00-0c-00-02-00 to 02-00-0c-00-02-7f NA

Check the Software Version


Next, we will check the software version. Currently it is NX-OS 6.1(2).

show version
n7k-2(config)# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public

License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
loader: version N/A
kickstart: version 6.1(2) [gdb]
system: version 6.1(2) [gdb]
kickstart image file is: bootflash:/titanium-d1-kickstart.6.1.2.gbin
kickstart compile time: 12/25/2020 12:00:00 [10/26/2012 04:25:57]
system image file is: bootflash:/titanium-d1.6.1.2.gbin
system compile time: 9/7/2012 13:00:00 [10/26/2012 05:25:42]

Hardware
cisco Nexus 7000 Unknown Chassis ("Unknown Module")
Intel(R) Xeon(R) CPU E7- 283 with 1548192 kB of memory.
Processor Board ID T5056BAE577

Device name: n7k-2


bootflash: 0 kB
Kernel uptime is 0 day(s), 2 hour(s), 20 minute(s), 7 second(s)

plugin
Core Plugin, Ethernet Plugin

NOTE: NX-OS is composed of two images: a kickstart image that contains the Linux Kernel and a system image that contains
most of the NX-OS software components. They both show up in the configuration.

Currently the modular NX-OS only includes the plug-ins Core and Ethernet. In future releases there will be additional plug-ins, like
the "Storage" plug-in for FCoE.

Running-config and Running-config All


Now it is time to display the currently running configuration.

show running-config
n7k-2(config)# show running-config

!Command: show running-config


!Time: Wed Feb 12 09:44:30 2014

version 6.1(2)
license grace-period

hostname n7k-2
vdc n7k-2 id 1
limit-resource module-type m1 f1 m1xl m2xl
allocate interface Ethernet2/1-9
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 96 maximum 96
limit-resource u6route-mem minimum 24 maximum 24
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8

feature telnet

username adminbackup password 5 ! role network-operator


username admin password 5 $1$jCPcWfz0$vAWNe70hz7omDHTFwffFt0 role network-admin
no password strength-check
ip domain-lookup
vlan dot1Q tag native
system default switchport
system jumbomtu 0
no logging event trunk-status enable
copp profile strict
snmp-server user admin auth md5 0x6d86012eb8219a8c68031c974492a8bc priv 0x6d86012eb8219a8c68031c974492a8bc localizedkey engineID 128:0:0:9:3:0:80:86:159:0:13
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
snmp-server enable traps link

vrf context management


ip route 0.0.0.0/0 198.18.128.1
vlan 1

hardware forwarding unicast trace

interface Ethernet2/1
shutdown
no switchport
mac-address 0050.56ba.e522

interface Ethernet2/2
shutdown
no switchport
mac-address 0050.56ba.e523

interface Ethernet2/3
shutdown
no switchport
mac-address 0050.56ba.e525

interface Ethernet2/4
shutdown
no switchport
mac-address 0050.569f.0015

interface Ethernet2/5
shutdown
no switchport
mac-address 0050.569f.0015

interface Ethernet2/6
shutdown
no switchport
mac-address 0050.569f.0015

interface Ethernet2/7

shutdown
no switchport
mac-address 0050.569f.0015

interface Ethernet2/8
shutdown
no switchport
mac-address 0050.569f.0015

interface Ethernet2/9
shutdown
no switchport
mac-address 0050.569f.0015

interface mgmt0
ip address 198.18.133.222/18
line console
line vty
boot kickstart bootflash:/titanium-d1-kickstart.6.1.2.gbin
boot system bootflash:/titanium-d1.6.1.2.gbin
no system default switchport shutdown

NX-OS also lets you see the defaults of the running configuration:

show running-config all | section mgmt0


N7k-2# show running-config all | section mgmt0
interface mgmt0
no description
speed auto
duplex auto
snmp trap link-status
no shutdown
cdp enable
ip address 198.18.133.222 /18
ip port-unreachable
ip arp gratuitous update
ip arp gratuitous request
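As an added example (not part of this Cisco guide), the following Python script parses a running-config like the one just displayed and flags the settings in it that a reviewer would want changed before the switch goes into production: `feature telnet`, `no password strength-check`, the accounts holding the network-admin role, and a missing default route in the management VRF. The sample configuration is constructed from the output above, with the admin password hash replaced by a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the n7k-2 running-config shown above;
# the real password hash is replaced by a placeholder.
SAMPLE_RUNNING_CONFIG = """\
!Command: show running-config
version 6.1(2)
license grace-period
hostname n7k-2
feature telnet
username adminbackup password 5 ! role network-operator
username admin password 5 $1$PLACEHOLDER$hash role network-admin
no password strength-check
ip domain-lookup
vrf context management
  ip route 0.0.0.0/0 198.18.128.1
interface mgmt0
  ip address 198.18.133.222/18
line console
line vty
boot kickstart bootflash:/titanium-d1-kickstart.6.1.2.gbin
boot system bootflash:/titanium-d1.6.1.2.gbin
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    detail: str


def parse_blocks(text):
    """Split an NX-OS running-config into (command, [child commands]) blocks.
    Child commands are indented by two spaces; lines starting with '!' are comments."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


USERNAME = re.compile(r"^username (\S+) password \d (\S+) role (\S+)$")


def audit_running_config(text):
    """Return hardening findings for the settings this guide's config shows."""
    blocks = parse_blocks(text)
    top = {cmd for cmd, _ in blocks}
    children = dict(blocks)
    findings = []
    if "feature telnet" in top:
        findings.append(Finding("high", "telnet-enabled",
            "feature telnet is enabled; Telnet carries credentials in cleartext. "
            "Manage the switch over SSH and remove it with 'no feature telnet'."))
    if "no password strength-check" in top:
        findings.append(Finding("medium", "password-strength-disabled",
            "password strength checking is off; re-enable it with 'password strength-check'."))
    # Inventory of accounts with full read-write rights (network-admin role).
    for cmd, _ in blocks:
        m = USERNAME.match(cmd)
        if m and m.group(3) == "network-admin":
            findings.append(Finding("info", "network-admin-account",
                f"user {m.group(1)} holds the network-admin role (full read-write)"))
    # The default route is expected under the management VRF only (see Scenario 2).
    mgmt = children.get("vrf context management", [])
    if not any(c.startswith("ip route 0.0.0.0/0 ") for c in mgmt):
        findings.append(Finding("low", "mgmt-default-route-missing",
            "no default route configured under 'vrf context management'"))
    return findings
```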

Scenario 2: Management VRF Concept and Basic Connectivity
As specified earlier, the default gateway is connected through the management interface. The management interface is by default
part of the management VRF. This particular VRF is part of the default configuration and the management interface "mgmt0" is the
only interface allowed to be part of this VRF.

The philosophy behind Management VRF is to provide total isolation to the management traffic from the rest of the traffic flowing
through the box by confining the former to its own forwarding table.

These are the steps for this scenario:

● Verify that only the mgmt0 interface is part of the management VRF

● Verify that no other interface can be part of the management VRF

● Verify that the default gateway is reachable only using the management VRF

Verify that only the mgmt0 Interface is part of the Management VRF
Display the current mapping of interfaces to VRFs as follows.

show vrf interface


N7k-2# show vrf interface
Interface VRF-Name VRF-ID Site-of-Origin
Ethernet2/1 default 1 --
Ethernet2/2 default 1 --
Ethernet2/3 default 1 --
Ethernet2/4 default 1 --
Ethernet2/5 default 1 --
Ethernet2/6 default 1 --
Ethernet2/7 default 1 --
Ethernet2/8 default 1 --
Ethernet2/9 default 1 --
mgmt0 management 2 --
N7k-2#

NOTE: The management VRF interface is part of the default configuration and the management interface "mgmt0" is the only
interface that can be made a member of this VRF.
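The isolation property described above can be checked automatically. The following Python snippet, added here and not part of the original guide, parses the show vrf interface output and reports any interface other than mgmt0 that has been placed in the management VRF, as well as the case where mgmt0 itself is missing from it; the sample output is a constructed copy of the one above.

```python
import re

# Constructed sample, copied from the "show vrf interface" output in this guide
SHOW_VRF_INTERFACE = """\
N7k-2# show vrf interface
Interface                 VRF-Name                        VRF-ID  Site-of-Origin
Ethernet2/1               default                              1  --
Ethernet2/2               default                              1  --
Ethernet2/3               default                              1  --
Ethernet2/4               default                              1  --
Ethernet2/5               default                              1  --
Ethernet2/6               default                              1  --
Ethernet2/7               default                              1  --
Ethernet2/8               default                              1  --
Ethernet2/9               default                              1  --
mgmt0                     management                           2  --
N7k-2#
"""

# interface, VRF name, numeric VRF id, site-of-origin
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_vrf_interfaces(text):
    """Map interface name -> VRF name; prompt and header lines do not match ROW."""
    mapping = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) == "Interface":
            continue
        mapping[m.group(1)] = m.group(2)
    return mapping


def check_management_isolation(mapping, mgmt_vrf="management", mgmt_if="mgmt0"):
    """Return a list of problems; an empty list means the management VRF holds
    exactly the management interface, as the guide states it must."""
    problems = []
    members = sorted(i for i, v in mapping.items() if v == mgmt_vrf)
    if mgmt_if not in members:
        problems.append(f"{mgmt_if} is not in VRF {mgmt_vrf} "
                        f"(found in: {mapping.get(mgmt_if, 'absent')})")
    for intf in members:
        if intf != mgmt_if:
            problems.append(f"{intf} is in VRF {mgmt_vrf}; only {mgmt_if} should be")
    return problems
```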

Verify that no Other Interface can be part of the Management VRF


As we have seen in the previous step, only mgmt0 is part of the management VRF. Now we will check to ensure that another
interface cannot be added to this VRF.

We will try to add the interface eth2/1 to the management VRF.


N7k-2# conf t
N7k-2(config)# interface eth2/1
N7k-2(config-if)# vrf member ?
WORD VRF name (Max Size 32)
management (no abbrev) Configurable VRF name
N7k-2(config-if)# vrf member management
% VRF management is reserved only for mgmt0
N7k-2(config-if)# end

NOTE: As you may have noticed when entering interface configuration mode, we omitted the kind of Ethernet interface
(FastEthernet, GigabitEthernet, etc.). In fact, in NX-OS there is just "Ethernet".

Very good! As expected that did not work. Now we will take a look at the mgmt0 interface before we move on.

N7k-2# conf t
n7k-2(config)# sh ip inter mgmt 0 vrf management
IP Interface Status for VRF "management"(2)
mgmt0, Interface status: protocol-up/link-up/admin-up, iod: 2,
  IP address: 198.18.133.222, IP subnet: 198.18.128.0/18
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined: none
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: enabled
  IP directed-broadcast: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: enabled
  IP unicast reverse path forwarding: none
  IP load sharing: none
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets   : 1630/2498/0/1630/0
    Unicast bytes     : 221790/181276/0/221790/0
    Multicast packets : 0/1008/0/0/0
    Multicast bytes   : 0/61692/0/0/0
    Broadcast packets : 0/102/0/0/0
    Broadcast bytes   : 0/11634/0/0/0
    Labeled packets   : 0/0/0/0/0
    Labeled bytes     : 0/0/0/0/0
  WCCP Redirect outbound: disabled
  WCCP Redirect inbound: disabled
  WCCP Redirect exclude: disabled
end

Verify that the Default Gateway is Reachable only Using the Management VRF
First, we will try to reach the default gateway with a ping by using the default VRF, which is not the management VRF as we have
seen before. Try to reach the default gateway with a ping.

ping 198.18.128.1
N7k-2# ping 198.18.128.1
PING 198.18.128.1 (198.18.128.1): 56 data bytes
ping: sendto 198.18.128.1 64 chars, No route to host
Request 0 timed out
ping: sendto 198.18.128.1 64 chars, No route to host
Request 1 timed out
ping: sendto 198.18.128.1 64 chars, No route to host
Request 2 timed out
ping: sendto 198.18.128.1 64 chars, No route to host
Request 3 timed out
ping: sendto 198.18.128.1 64 chars, No route to host
Request 4 timed out

--- 198.18.128.1 ping statistics ---


5 packets transmitted, 0 packets received, 100.00% packet loss

NOTE: The ping fails because the default gateway is reachable only from the management interface, while we just used the default
VRF.

We will now try again with the correct VRF. Try to reach the default gateway with a ping, specifying the VRF management.

ping 198.18.128.1 vrf management


N7k-2# ping 198.18.128.1 vrf management
PING 198.18.128.1 (198.18.128.1): 56 data bytes
64 bytes from 198.18.128.1: icmp_seq=0 ttl=127 time=0.498 ms
64 bytes from 198.18.128.1: icmp_seq=1 ttl=127 time=0.337 ms
64 bytes from 198.18.128.1: icmp_seq=2 ttl=127 time=0.319 ms
64 bytes from 198.18.128.1: icmp_seq=3 ttl=127 time=0.33 ms
64 bytes from 198.18.128.1: icmp_seq=4 ttl=127 time=0.306 ms

--- 198.18.128.1 ping statistics ---


5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.306/0.358/0.498 ms

end

NOTE: The output of the ping is very Linux-like.

Scenario 3: CLI Familiarization
The NX-OS CLI is very IOS-like. As you may have already noticed, NX-OS gives the user a very IOS-like look and feel when
configuring the system. However, there are differences, which should be considered improvements. One of the main differences
is that NX-OS implements a hierarchy-independent CLI: every command can be issued from anywhere in the configuration.
This short scenario will show you this.

These are the steps for this scenario:

● Verify the CLI hierarchy independence

● Verify the CLI piping functionality

● Usage of the [TAB] button

Verify the CLI Hierarchy Independence


We will now demonstrate the CLI hierarchy independence by issuing a ping from different places in the configuration hierarchy.

First, we will do so from within the config mode.


N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# ping ?
*** No matching command found in current mode, matching in (exec) mode ***
<CR>
A.B.C.D or Hostname IP address of remote system
WORD Enter Hostname
multicast Multicast ping

N7k-2(config)# ping 198.18.128.1 vrf management


PING 198.18.128.1 (198.18.128.1): 56 data bytes
64 bytes from 198.18.128.1: icmp_seq=0 ttl=127 time=0.617 ms
64 bytes from 198.18.128.1: icmp_seq=1 ttl=127 time=0.318 ms
64 bytes from 198.18.128.1: icmp_seq=2 ttl=127 time=0.387 ms
64 bytes from 198.18.128.1: icmp_seq=3 ttl=127 time=0.372 ms
64 bytes from 198.18.128.1: icmp_seq=4 ttl=127 time=0.359 ms

--- 198.18.128.1 ping statistics ---


5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.318/0.41/0.617 ms

That worked just fine. Now we will try the same from within the interface mode.

N7k-2(config)# int eth2/1
N7k-2(config-if)# ping ?
*** No matching command found in current mode, matching in (exec) mode ***
<CR>
A.B.C.D or Hostname IP address of remote system
WORD Enter Hostname
multicast Multicast ping
N7k-2(config-if)# ping 198.18.128.1 vrf management
PING 198.18.128.1 (198.18.128.1): 56 data bytes
64 bytes from 198.18.128.1: icmp_seq=0 ttl=127 time=0.684 ms
64 bytes from 198.18.128.1: icmp_seq=1 ttl=127 time=0.282 ms
64 bytes from 198.18.128.1: icmp_seq=2 ttl=127 time=0.838 ms
64 bytes from 198.18.128.1: icmp_seq=3 ttl=127 time=0.379 ms
64 bytes from 198.18.128.1: icmp_seq=4 ttl=127 time=0.38 ms

--- 198.18.128.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.282/0.512/0.838 ms

NOTE: You can use the up-arrow and get the command history from the exec mode.

This short demonstration showed you that you can ping from anywhere in the CLI.

Verify the CLI Piping Functionality


The output piping has also been improved. It can now be used in a similar way to Linux.
N7k-2# show running-config ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
aaa Display aaa configuration
acllog Show running config for acllog
aclmgr Show running config for aclmgr
all Current operating configuration with defaults
am Display am information
arp Display arp information
callhome Display callhome configuration
cdp Display cdp configuration
cert-enroll Display certificates configuration
cfs Display cfs configurations
city Display city information
copp Show running config for copp
diff Show the difference between running and startup configuration
eem Show the event manager running configuration
exclude Exclude running configuration of specified features
expand-port-profile Expand port profile
icmpv6 Display icmpv6 information
igmp Display igmp information
interface Interface configuration
ip Display ip information
ipv6 Display ipv6 information
l2pt Show running configuration for L2PT
l3vm Display l3vm information
license Display licensing configuration
ntp Show NTP information
port-profile Display port-profile configuration
radius Display radius configuration
routing Display routing information
rpm Display Route Policy Manager (RPM) information
security Display security configuration
snmp Display snmp configuration
spanning-tree Show spanning tree information
track Show track running configuration
vdc Show Virtual Device Contexts
vdc-all Display config from all VDC
vlan Vlan commands
vshd Show running config for vshd
| Pipe command output to filter

N7k-2# show running-config | grep ?


WORD Search for the expression
count Print a total count of matching lines only
ignore-case Ignore case difference when comparing strings
invert-match Print only lines that contain no matches for <expr>
line-exp Print only lines where the match is a whole line
line-number Print each match preceded by its line number

next Print <num> lines of context after every matching line
prev Print <num> lines of context before every matching line
word-exp Print only lines where the match is a complete word

The following command prints every line matching "mgmt0" together with the three lines that follow it, each prefixed with its
line number.

sh running-config | grep -A 3 -n mgmt0


N7k-2# sh running-config | grep -A 3 -n mgmt0
114:interface mgmt0
115- ip address 198.18.133.222/18
116-line console

Usage of the [TAB] Button


The [TAB] key not only completes the command, but also shows the keywords that are available at that point.
N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# int eth2/1
N7k-2(config-if)#

[TAB]
bandwidth end lacp medium snmp
beacon errdisable link mtu speed
cdp exit load-interval no storm-control
channel-group flowcontrol logging pop switchport
delay inherit mac push this
description ip mac-address rate-mode vrf
duplex ipv6 mdix shutdown where

end

Scenario 4: RBAC
RBAC stands for Role Based Access Control. Every account is assigned a role, which defines the privileges of the user who
accesses the system with that account. Through the RBAC feature, NX-OS provides a very flexible and powerful framework for
creating roles for any type of user. In this context, a role can be seen as a group of rules that permit or deny a set of operations
on NX-OS components. These are the steps for this scenario:

● Display the default role

● Display the role features and the feature-groups

● Create a new role and apply the role to a newly created user

● Test the role

Display the Default Role


We will now take a look at the pre-defined default roles.

show role
N7k-2# show role

Role: network-admin
Description: Predefined network admin role has access to all commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write

Role: network-operator
Description: Predefined network operator role has access to all read commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read

Role: vdc-admin
Description: Predefined vdc admin role has access to all commands within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read

Role: vdc-operator
Description: Predefined vdc operator role has access to all read commands within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read

Role: priv-15
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-14
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write

Role: priv-13
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-12
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-11
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-10
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-9
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-8
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-7
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-6
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-5
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-4
Description: This is a system defined privilege role.

Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-3
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-2
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-1
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)

Role: priv-0
Description: This is a system defined privilege role.
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
10 permit command traceroute6 *
9 permit command traceroute *
8 permit command telnet6 *
7 permit command telnet *
6 permit command ping6 *
5 permit command ping *
4 permit command ssh6 *
3 permit command ssh *
2 permit command enable *
1 permit read

Display the Role Features and the Feature-groups


Every user is associated with a particular role at login. It can be one of the default pre-configured roles or a user-defined role. A
role is a set of rules that define which operations the user can perform, on a per-command, per-feature, and per-feature-group
basis. Feature-groups are essentially groups of related features, such as the L3 feature group (defined by default). You can group
features into feature-groups and assign read or read-write permission to the whole group of features.
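As an added example (not taken from this guide), the following Python code parses show role output into roles and rules and answers whether a role permits a given command. It assumes the NX-OS evaluation order (rules are applied from the highest rule number down, the first match decides, and a command matched by no rule is denied) and simplifies read/read-write rules to "show" commands versus everything; the helpdesk role is hypothetical, constructed to show a deny rule overriding a lower-numbered permit.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: network-operator and priv-0 as shown by "show role" above,
# plus a hypothetical custom role "helpdesk" (not from the guide).
SHOW_ROLE = """\
Role: network-operator
  Description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read

Role: priv-0
  Description: This is a system defined privilege role.
  Vlan policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  10      permit  command                         traceroute6 *
  9       permit  command                         traceroute *
  5       permit  command                         ping *
  2       permit  command                         enable *
  1       permit  read

Role: helpdesk
  Description: Hypothetical custom role
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       deny    command                         show running-config *
  2       permit  command                         ping *
  1       permit  read
"""


@dataclass
class Rule:
    number: int
    perm: str    # permit | deny
    rtype: str   # read | read-write | command
    entity: str  # command pattern for 'command' rules, otherwise ''


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


# rule number, permission, type, optional entity; header/separator lines never match
RULE = re.compile(r"^(\d+)\s+(permit|deny)\s+(read-write|read|command)(?:\s+(.+?))?\s*$")


def parse_show_role(text):
    """Return {role name: Role} from 'show role' output."""
    roles, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Role:"):
            current = Role(s.split(":", 1)[1].strip())
            roles[current.name] = current
            continue
        m = RULE.match(s)
        if m and current is not None:
            current.rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""))
    return roles


def entity_matches(entity, command):
    """'ping *' matches 'ping 10.0.0.1'; a trailing '*' matches any remainder."""
    etoks, ctoks = entity.split(), command.split()
    for i, tok in enumerate(etoks):
        if tok == "*":
            return True
        if i >= len(ctoks) or ctoks[i] != tok:
            return False
    return len(ctoks) == len(etoks)


def role_permits(role, command):
    """Highest rule number first; first matching rule decides; no match means deny.
    Simplification: 'read' covers 'show ...' commands, 'read-write' covers everything."""
    for rule in sorted(role.rules, key=lambda r: r.number, reverse=True):
        if rule.rtype == "command":
            matched = entity_matches(rule.entity, command)
        elif rule.rtype == "read":
            matched = command.startswith("show ")
        else:
            matched = True
        if matched:
            return rule.perm == "permit"
    return False
```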

To see the set of features and the feature groups available to be defined as part of a role, issue the following commands.

show role feature


N7k-2# show role feature
aaa (AAA service related commands)
access-list (IP access list related commands)
arp (ARP protocol related commands)
callhome (Callhome configuration and show commands)
cdp (Cisco Discovery Protocol related commands)
crypto (Security related commands)
diagnostics (Gold diagnostics related commands)

install (Software install related commands)
l3vm (Layer 3 virtualization related commands)
license (License related commands)
ping (Network reachability test commands)
platform (Platform configuration and show commands)
radius (Radius configuration and show commands)
scheduler (Scheduler configuration and show commands)
snmp (SNMP related commands)
syslog (Syslog related commands)
tacacs (TACACS configuration and show commands)
tcap (Terminal settings related commands)
tcpudp (TCP/UDP related commands)
dot1x (DOT1X related commands)
eou (EAP over UDP related commands)
eth-port-sec (Ethernet port security related commands)
glbp (Gateway Load Balancing Protocol related commands)
hsrp (Hot Standby Router Protocol related commands)
igmp (Internet Group Management Protocol related commands)
Interface (Interface configuration commands)
ipfib (IP Forwarding Information Base related commands)
msdp (Multicast Source Discovery Protocol related commands)
pong (Pong related commands)
ptp (PTP (IEEE 1588) related commands)
qbridge (Q-Bridge-MIB access control)
qosmgr (Quality of Service related commands)
router-bgp (Border Gateway Protocol related commands)
router-eigrp (Enhanced Interior Gateway Routing Protocol related commands)
router-isis (ISIS protocol related commands)
router-ospf (Open Shortest Path First protocol related commands)
router-rip (Routing Information Protocol related commands)
spanning-tree (Spanning Tree protocol related commands)
svi (Interface VLAN related commands)
vlan (Virtual LAN related commands)
vtp (Cisco-VTP-MIB access control)
vtpmib-auth (Cisco-VTP-MIB vtpAuthenticationTable access control)
wccp (Web Cache Communication Protocol related commands)
acl (FC ACL related commands)
cloud (Cloud discovery related commands)
fc-qos (FC Quality of Service related commands)
fcanalyzer (FC analyzer related commands)
fcns (Fibre Channel Name Server related commands)
fcsp (Fibre Channel Security Protocol related commands)
ficon (Ficon related commands)
fspf (Fabric Shortest Path First protocol related commands)
iscsi (ISCSI related commands)
isns (Internet Storage Name Service related commands)
ivr (InterVsan Routing protocol related commands)
mpls-tunnel (FC tunnel related commands)
rlir (Registered Link Incident Report related commands)
rscn (Registered State Change Notification related commands)
san-ext-tuner (IP Network Simulator related commands)
sme (Storage Media Encryption feature related commands)
sme-kmc-admin (SME Commands authorized to kmc admin)
sme-recovery-officer(SME commands authorize to recovery officer)
sme-stg-admin (SME commands authorize to storage admin)
span (SPAN session related commands)
vsan (VSAN configuration and show commands)
vsan-assign-intf(Assign interfaces to vsan)
wwnm (World Wide Name related commands)

zone (Zone related commands)

show role feature-group


N7k-2# show role feature-group
feature group: L3
router-bgp (Border Gateway Protocol related commands)
router-eigrp (Enhanced Interior Gateway Routing Protocol related commands)
router-isis (ISIS protocol related commands)
router-ospf (Open Shortest Path First protocol related commands)
router-rip (Routing Information Protocol related commands)

Create and Apply a Role


Creating a role is very easy. We will create a new role named nx-os-lab-role that is allowed to issue all the show commands, to
check basic connectivity using ping and to configure just the Cisco Discovery Protocol: cdp. After creating the role, we will define a
new user nx-os-lab-user and associate the role to the newly created user.
N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# role name nx-os-lab-role
N7k-2(config-role)# ?
description Add a description for the role
interface Configure the interface policy for this role
no Negate a command or set its defaults
rule Enter the rule number
this Shows info about current object (mode's instance)
vlan Configure the vlan policy for this role
vrf Configure the vrf policy for this role
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in

N7k-2(config-role)# rule 1 permit read


N7k-2(config-role)# rule 2 permit read-write feature cdp
N7k-2(config-role)# rule 3 permit command ping *

NOTE: You can use the “up” arrow and get the command history from the exec mode.

end

A role can also specify what resources in terms of Interfaces, VLANs and VRFs the user is entitled to access. For now we are not
going to configure any restriction on these resources. We will verify the role and create a user to attach the role to.

show role name <role-name>


N7k-2# show role name nx-os-lab-role

Role: nx-os-lab-role
Description: new role
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
3 permit command ping *
2 permit read-write feature cdp
1 permit read
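As an added example (not part of the lab guide or NX-OS itself), the following Python parses the `show role name` output above into a structure and flags what a least-privilege review looks for: read-write rules not scoped to a feature, command rules ending in a wildcard, and VLAN/interface/VRF policies left at the permit default. The sample text is constructed from the nx-os-lab-role output.

```python
"""Parse NX-OS 'show role name' output and audit the rules it grants.

Added example, not part of the lab guide. The sample text is constructed from
the nx-os-lab-role output shown in this scenario.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the 'show role name nx-os-lab-role' output from the lab.
SAMPLE_SHOW_ROLE = """\
Role: nx-os-lab-role
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  command                         ping *
  2       permit  read-write  feature             cdp
  1       permit  read
"""

# One rule line: number, permit/deny, read | read-write | command, optional rest.
RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(read-write|read|command)(?:\s+(.*))?$")


@dataclass
class Rule:
    number: int
    perm: str                     # permit / deny
    rtype: str                    # read / read-write / command
    scope: Optional[str] = None   # feature / feature-group; None for command rules
    entity: Optional[str] = None  # feature name or command pattern


@dataclass
class Role:
    name: str
    description: str = ""
    policies: Dict[str, str] = field(default_factory=dict)  # vlan / interface / vrf
    rules: List[Rule] = field(default_factory=list)         # kept in display order


def parse_show_role(text: str) -> Role:
    """Parse one 'show role name' block into a Role."""
    role = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Role:"):
            role = Role(name=stripped.split(":", 1)[1].strip())
        elif role is None or not stripped:
            continue
        elif stripped.startswith("Description:"):
            role.description = stripped.split(":", 1)[1].strip()
        elif " policy:" in stripped:
            key, value = stripped.split(" policy:", 1)
            role.policies[key.lower()] = value.strip()
        else:
            m = RULE_RE.match(line)
            if not m:
                continue                  # column header and separator lines
            number, perm, rtype, rest = m.groups()
            words = (rest or "").split()
            scope = entity = None
            if rtype == "command":
                entity = " ".join(words)  # the command pattern, e.g. "ping *"
            elif words:
                scope, entity = words[0], " ".join(words[1:])
            role.rules.append(Rule(int(number), perm, rtype, scope, entity))
    if role is None:
        raise ValueError("no 'Role:' line found")
    return role


def audit_role(role: Role) -> List[str]:
    """Least-privilege findings: unscoped read-write, wildcard commands, open policies."""
    findings = []
    for r in role.rules:
        if r.perm != "permit":
            continue
        if r.rtype == "read-write" and r.scope is None:
            findings.append(f"rule {r.number}: read-write on all features")
        if r.rtype == "command" and r.entity and r.entity.endswith("*"):
            findings.append(f"rule {r.number}: wildcard command '{r.entity}'")
    for name, value in role.policies.items():
        if value.startswith("permit"):
            findings.append(f"{name} policy: permit, no resource restriction")
    return findings
```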

Create a new user and attach the role. After that, please log out and login as the nx-os-lab-user user and test the RBAC
configuration.

username <username> password <password> role <rolename>


N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# username nx-os-lab-user password C1sco12345 role nx-os-lab-role
N7k-2(config)#

exit

Test the Role


Use PuTTY to SSH into the management interface of the Nexus 7000 Aggregation layer device n7k-2.dcloud.cisco.com with the
username nx-os-lab-user and the password C1sco12345.
login as: nx-os-lab-user
User Access Verification
Using keyboard-interactive authentication. Password:
Cisco NX-OS Software
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.

<some output omitted>

http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html

n7k-2#

NOTE: Most of the commands are missing; however, the ping functionality is available to this user as previously specified.

We will now test if the ping is really working as specified in the role.
N7k-2# ping 198.18.128.1 vrf management
PING 198.18.128.1 (198.18.128.1): 56 data bytes
64 bytes from 198.18.128.1: icmp_seq=0 ttl=127 time=0.689 ms
64 bytes from 198.18.128.1: icmp_seq=1 ttl=127 time=0.354 ms
64 bytes from 198.18.128.1: icmp_seq=2 ttl=127 time=0.348 ms
64 bytes from 198.18.128.1: icmp_seq=3 ttl=127 time=0.378 ms
64 bytes from 198.18.128.1: icmp_seq=4 ttl=127 time=0.329 ms

--- 198.18.128.1 ping statistics ---


5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.329/0.419/0.689 ms

What about the debug mode? Only the CDP debug is actually available.
N7k-2# debug ?
cdp Configure CDP debugging
N7k-2# debug

What about the config mode? Only the cdp configuration command is actually available.
N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# ?
cdp Configure CDP parameters
end Go to exec mode

exit Exit from command interpreter

N7k-2(config)# cdp ?
advertise Highest CDP version supported on the switch
enable Enable/disable CDP on all interfaces
format Device ID format for CDP
holdtime CDP hold time advertised (in seconds)
timer CDP refresh time interval (in seconds)

Log off from the current session. Use PuTTY to SSH into the management interface of the Nexus7000 Aggregation layer device
n7k-2.dcloud.cisco.com with the username admin and the password C1sco12345.

Scenario 5: Configuration Rollback
NX-OS fully supports Configuration Rollback. This functionality allows you to revert to a previous configuration state, effectively
rolling back configuration changes. We will verify its functionality within NX-OS.

These are the steps for this scenario:

• Create a checkpoint for the current configuration

• Modify the configuration for an interface

• Rollback the configuration and verify the interface configuration

Create a Checkpoint for the Current Configuration


We will now create a checkpoint called nx-os-lab and verify its creation.
N7k-2# checkpoint ?
<CR>
WORD Checkpoint name (Max Size 80)
description Checkpoint description for the given checkpoint
file Create configuration rollback checkpoint to file

N7k-2# checkpoint nx-os-lab


.Done
N7k-2# show checkpoint summary
User Checkpoint Summary
----------------------------------------------------------------------------
1) nx-os-lab:
Created by admin
Created at Sat, 14:26:18 25 Sep 2010
Size is 2,781 bytes
Description: None

Modify the Configuration for an Interface


We will now modify the configuration by, for example, configuring an interface.
N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# int eth2/1
N7k-2(config-if)# ip address 1.2.3.4/24
N7k-2(config-if)# no shutdown
N7k-2(config-if)# end
N7k-2# sh running-config int eth2/1

!Command: show running-config interface Ethernet2/1


!Time: Sat Sep 25 14:30:19 2010

version 6.1(2)

interface Ethernet2/1
no switchport
mac-address 0050.56ba.e522
ip address 1.2.3.4/24
no shutdown

NOTE: With NX-OS finally the slash notation is available for the IP address configuration.

Rollback the Configuration and Verify the Interface Configuration
We will now rollback the configuration.

rollback running-config checkpoint <checkpoint name>


N7k-2# rollback running-config checkpoint nx-os-lab
Note: Applying config parallelly may fail Rollback verification
Collecting Running-Config
#Generating Rollback Patch
Executing Rollback Patch
Generating Running-config for verification
Generating Patch for verification
Verification is Successful.

Rollback completed successfully.

NX-OS generates a rollback patch (the set of commands that undo the changes made since the checkpoint), applies it, and then regenerates the running-config to verify that it matches the checkpoint.
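To make the "Generating Rollback Patch" and "Verification" steps concrete, here is an added Python example (not NX-OS's own implementation) that derives the patch for the Ethernet2/1 block from this scenario and then checks, as the verification pass does, that applying the patch to the running-config yields the checkpoint. The two snapshots are constructed from the lab: the checkpoint taken before the interface was configured and the running-config after `ip address 1.2.3.4/24` and `no shutdown`.

```python
"""Rollback patch generation and verification for one interface block.

Added example, not NX-OS code. Commands are compared as whole lines; a
command is undone by prefixing 'no ' and a 'no X' command by restoring 'X'.
"""

# Constructed: Ethernet2/1 as captured in the nx-os-lab checkpoint.
CHECKPOINT_ETH2_1 = """\
interface Ethernet2/1
  no switchport
  mac-address 0050.56ba.e522
  shutdown
"""

# Constructed: Ethernet2/1 after the changes made in this scenario.
RUNNING_ETH2_1 = """\
interface Ethernet2/1
  no switchport
  mac-address 0050.56ba.e522
  ip address 1.2.3.4/24
  no shutdown
"""


def parse_interface_block(text):
    """Return (interface line, list of sub-commands) for one block."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("expected an 'interface ...' block")
    return lines[0], lines[1:]


def negate(command):
    """Invert a sub-command: 'no X' -> 'X', 'X' -> 'no X'."""
    return command[3:] if command.startswith("no ") else "no " + command


def rollback_patch(checkpoint_text, running_text):
    """Commands that take the running block back to the checkpoint.

    Additions are undone first, then removed lines are restored. A line whose
    negation is itself being restored (no shutdown -> shutdown) is emitted once.
    """
    iface, ckpt = parse_interface_block(checkpoint_text)
    iface_run, run = parse_interface_block(running_text)
    if iface != iface_run:
        raise ValueError("blocks describe different interfaces")
    added = [c for c in run if c not in ckpt]
    removed = [c for c in ckpt if c not in run]
    if not added and not removed:
        return []
    patch = [iface]
    patch += [negate(c) for c in added if negate(c) not in removed]
    patch += removed
    return patch


def apply_patch(running_text, patch):
    """Simulate the patch on the running block; returns the resulting sub-commands."""
    iface, run = parse_interface_block(running_text)
    if patch and patch[0] != iface:
        raise ValueError("patch targets a different interface")
    state = list(run)
    for cmd in patch[1:]:
        inverse = negate(cmd)
        if inverse in state:
            state.remove(inverse)   # 'no X' removes X; 'X' replaces an existing 'no X'
        if not cmd.startswith("no "):
            state.append(cmd)
    return state


def verify_rollback(checkpoint_text, running_text):
    """The verification pass: does the patched running block equal the checkpoint?"""
    patch = rollback_patch(checkpoint_text, running_text)
    _, ckpt = parse_interface_block(checkpoint_text)
    return sorted(apply_patch(running_text, patch)) == sorted(ckpt)
```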

Scenario 6: Configuration Session
NX-OS offers a new way of configuring ACLs and QoS: the Configuration Session mode. This mode allows you to "dry-run" the
configuration against the availability of system resources. By "dry-run" we mean a process that lets the user check whether the
hardware resources are available without actually modifying them.

In this scenario, you will get familiar with the new configuration session process by configuring an ACL for a particular interface.

These are the steps for this scenario:

• Create a new configuration session

• Create a simple access-list and apply the access list to an interface

• "Verify" the configuration

• "Commit" the configuration

Create a new Configuration Session


First, we will create a new configuration session.

configure session <session name>


N7k-2# configure session ?
WORD Enter the name of the session (Max Size 64)

N7k-2# configure session nx-os-lab


Config Session started, Session ID is 1
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config-s)#

NOTE: The "s" in the prompt indicates that the user is in configuration session.

Create a Simple Access List and Apply the Access List to an Interface
From within the session mode we will now configure a simple access list and apply it to an interface.
N7k-2(config-s)# ?
abort Abort the current configuration session
access-list Configure access control list parameters
arp ARP access-list configuration commands

commit Commit the current configuration session


errdisable Error disable
interface Configure interfaces
ip Configure IP features
ipv6 Configure IPv6 features
line Configure a terminal line
logging Modify message logging facilities
mac MAC configuration commands
no Negate a command or set its defaults
object-group Configure ACL object groups
policy-map Configure a policy map
qos QoS Global Commands
resequence Resequence a list with sequence numbers
save Save the current configuration session to uri
system System management controls
table-map Configure a table map

this Shows info about current object (mode's instance)
time-range Define time range entries
verify Verify the current configuration session
vlan Vlan commands
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
N7k-2(config-s)# ip access-list 1 ?
<CR>

N7k-2(config-s)# ip access-list 1
N7k-2(config-s-acl)# permit tcp 1.1.1.1/24 any
N7k-2(config-s-acl)# permit tcp 2.2.2.2/24 any
N7k-2(config-s-acl)# permit tcp 3.3.3.3/24 any
N7k-2(config-s-acl)# exit

NOTE: NX-OS introduces some ACL syntax improvements for better usability and manageability: the slash notation for IP
addresses, and there are no ACL types anymore. No standard/extended and no named/numbered ACLs... just ACLs. You can use
either a number, a string of characters, or a mix of them; NX-OS treats all of them simply as a name.

Let's now attach the access-group to an interface.


N7k-2(config-s)# int eth2/1
N7k-2(config-s-if)# ip access-group 1 in

"Verify" the Configuration


Remember that the access-list has not been programmed into the hardware yet. Let us see our configuration within the config
session.

show configuration session


N7k-2(config-s-if)# show configuration session

config session nx-os-lab


0001 ip access-list 1
0002 permit tcp 1.1.1.1/24 any
0003 permit tcp 2.2.2.2/24 any
0004 permit tcp 3.3.3.3/24 any
0005 interface Ethernet2/1
0006 ip access-group 1 in

Number of active configuration sessions = 1

Let us now verify our configuration. During the verification process, the system checks the configuration against the hardware and
software resources for their availability.

verify
N7k-2(config-s-if)# verify
Verification Successful

N7k-2(config-s)# show running-config int eth2/1

!Command: show running-config interface Ethernet2/1


!Time: Thurs May 15 15:43:14 2014

Version 6.1(20)

interface Ethernet2/1
shutdown
no switchport
mac-address 0050.56ba.e522

The configuration can fit in the hardware table. Again, until this point the ACL TCAM has not been touched yet.

"Commit" the Configuration


We are now ready to commit the configuration. If the commit succeeds, the session is considered complete and is
terminated.

commit
N7k-2(config-s)# commit
Commit Successful

N7k-2# show running-config int eth2/1

!Command: show running-config interface Ethernet2/1


!Time: Thurs May 15 15:47:41 2014

Version 6.1(2)

interface Ethernet2/1
shutdown
no switchport
ip access-group 1 in
mac-address 0050.56ba.e522

N7k-2# show configuration session


There are no active configuration sessions

Before continuing, remove the ACL from the interface.


N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# interface eth2/1
N7k-2(config-if)# no ip access-group 1 in
N7k-2(config-if)# exit
N7k-2(config)#

Scenario 7: OSPF Configuration
OSPF is fully implemented in NX-OS as part of the "Enterprise License" (which we will see in the next step). In this step, we will
configure OSPFv2 and we will see how the configuration is interface centric, versus the network centric OSPF configuration of
IOS.

These are the steps for this scenario:

• Turn the OSPFv2 service on

• Configure the Loopback interfaces

• Instantiate an OSPF process

• Configure the interface towards N7k-1 (Core Layer)

• Verify OSPF configuration by issuing show commands

Turn the OSPFv2 Service on


Let us start the traditional way and configure the router functionality.
N7k-2(config)# router ?
^
% Invalid command at '^' marker.

The CLI to configure OSPF seems not to be there. NX-OS is a fully modular operating system: most software modules do not run
unless the corresponding service is enabled. We have not enabled the OSPF service, so its code is not running and its CLI is not
linked into the system. Now we will enable the OSPF service so that we can proceed with its configuration. We refer to features
that need to be explicitly enabled as "conditional services".

We will now enable the OSPF service:


N7k-2(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Manager
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol(EIGRP)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ntp Enable/Disable NTP
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
password Credential(s) for the user(s)/device(s)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
pong Enable/Disable Pong
port-security Enable/Disable port-security

private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
ptp Enable/Disable PTP
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
sla Enable/Disable SLA
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)

N7k-2(config)# feature ospf


LAN_ENTERPRISE_SERVICES_PKG license not installed. ospf feature will be shutdown after grace period of
approximately 120 day(s)

NOTE: As you may have noticed, you are now running OSPF in "grace period". We will talk about that later in another step.

Configure the Loopback Interfaces


Let us configure the loopback interface before we can move on to do the actual configuration of OSPF.
N7k-2(config)# interface loopback0
N7k-2(config-if)# ip address 128.0.0.2/24

Instantiate an OSPF Process


Now let us configure the OSPF area 0.
N7k-2(config-if)# router ospf 1
N7k-2(config-router)# area 0 authentication message-digest
N7k-2(config-router)# log-adjacency-changes
N7k-2(config-router)# auto-cost reference-bandwidth 1000000
N7k-2(config-router)# exit

NOTE: As you may have noticed, the "network x.x.x.x area y" configuration lines are not present. This is a major difference from
IOS. OSPF, like the other IGP protocols, is interface centric, as we will see with the next few commands.

Configure the Interface Towards N7k-1 (Core Layer)


Let us now configure the interface towards N7k-1 (Core Layer).
N7k-2(config)# interface eth2/1
N7k-2(config-if)# description To N7k-1 (Core)
N7k-2(config-if)# ip address 198.18.5.1/24
N7k-2(config-if)# ip ospf message-digest-key 1 md5 C1sco12345
N7k-2(config-if)# ip ospf dead-interval 6
N7k-2(config-if)# ip ospf hello-interval 2
N7k-2(config-if)# ip router ospf 1 area 0
N7k-2(config-if)# no shutdown
N7k-2(config-if)#

NOTE: In the NX-OS the OSPF configuration is interface centric. The membership to an OSPF area is specified at the interface
configuration level. This approach is more intuitive and manageable.
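The interface above also turns on message-digest authentication with key id 1 and the key C1sco12345. As an added example (not Cisco code), the Python below builds the OSPF Hello that N7k-2 would send on Ethernet2/1 with the lab's router ID, DR/BDR and timers, computes the RFC 2328 Appendix D cryptographic authentication the way the sender does, and verifies it the way the neighbor does, including the key-id lookup and the non-decreasing sequence-number check that rejects replayed packets. The Options byte and the sequence number are constructed values.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

Added example, not Cisco code. Header auth field for AuType 2 is:
2 zero bytes, Key ID, Auth Data Length (16), 32-bit cryptographic sequence
number. The digest is MD5(packet || key padded with zeros to 16 bytes) and is
appended after the packet, outside the OSPF length field.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY_ID = 1
KEY = b"C1sco12345"       # the key configured with 'ip ospf message-digest-key 1 md5'
AU_TYPE_CRYPTO = 2
HDR_LEN = 24
DIGEST_LEN = 16


def ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


def build_hello(mask, hello, dead, prio, dr, bdr, neighbors):
    """OSPF Hello body (RFC 2328 A.3.2); Options 0x02 (E bit) is a constructed value."""
    body = ip(mask) + struct.pack("!HBBI", hello, 0x02, prio, dead) + ip(dr) + ip(bdr)
    for n in neighbors:
        body += ip(n)
    return body


def header(router_id, area, length, key_id, seq):
    """OSPF header with the AuType 2 authentication field. Checksum stays zero:
    it is not used when cryptographic authentication is in effect."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return (struct.pack("!BBH", 2, 1, length) + ip(router_id) + ip(area)
            + struct.pack("!HH", 0, AU_TYPE_CRYPTO) + auth)


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(packet || key padded to 16 bytes)."""
    return packet + hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def lab_hello(seq: int) -> bytes:
    """Hello as N7k-2 (router ID 128.0.0.2, BDR) sends on Ethernet2/1 in this lab."""
    body = build_hello("255.255.255.0", 2, 6, 1, "198.18.5.2", "198.18.5.1", ["128.0.0.1"])
    hdr = header("128.0.0.2", "0.0.0.0", HDR_LEN + len(body), KEY_ID, seq)
    return sign(hdr + body, KEY)


def verify(frame: bytes, keys: dict, last_seq=None) -> bool:
    """Neighbor side: pick the key by key id, recompute the digest, compare in
    constant time, and reject sequence numbers older than the last accepted one."""
    if len(frame) < HDR_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    key_id = frame[18]
    seq = struct.unpack("!I", frame[20:24])[0]
    if length + DIGEST_LEN != len(frame) or key_id not in keys:
        return False
    if last_seq is not None and seq < last_seq:
        return False                    # replayed or stale packet
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + keys[key_id].ljust(DIGEST_LEN, b"\x00")).digest()
    return hmac.compare_digest(digest, expected)
```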

Verify OSPF Configuration by Issuing Show Commands


Let us check if the system was able to establish the adjacency status with the Core layer switch. First, we can check the OSPF
configuration we have been working on.
n7k-2(config-if)# show running-config ospf

!Command: show running-config ospf


!Time: Thu May 15 16:15:29 2014

feature ospf

router ospf 1
area 0.0.0.0 authentication message-digest
log-adjacency-changes
auto-cost reference-bandwidth 1000000

interface Ethernet2/1
ip ospf message-digest-key 1 md5 3 ef6a8875f8447eac
ip ospf dead-interval 6
ip ospf hello-interval 2
ip router ospf 1 area 0.0.0.0

NOTE: NX-OS is able to show the running config related to a particular feature without the need to show the complete
configuration.

Now we will check if the system was able to establish the adjacency and to exchange routes.
n7k-2(config)# sh ip ospf neighbors
OSPF Process ID 1 VRF default
Total number of neighbors: 1
Neighbor ID Pri State Up Time Address Interface
128.0.0.1 1 FULL/DR 00:05:57 198.18.5.2 Eth2/1
N7k-2(config-if)# show ip route ?
*** No matching command found in current mode, matching in (exec) mode ***
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
A.B.C.D Display single route longest match lookup
A.B.C.D/LEN Display single exact match route
WORD Display single route longest match lookup
am Display routes owned by adjacency manager
broadcast Display connected routes owned by broadcast
detail Display routes in full detail
direct Display connected routes owned by direct
interface Display routes with this output interface only
ip Display information
ipv4 Display information
l3vm-info Display corresponding L3VM information
local Display connected routes owned by local
mstatic Display routes owned by mstatic
next-hop Display routes with this next-hop only
ospf-1 Display routes owned by ospf-1
rpf Display RPF information for multicast source

sal Display connected routes owned by sal
static Display routes owned by static
summary Display route counts
updated Display routes filtered by last updated time
vrf Display per-VRF information
| Pipe command output to filter

n7k-2(config)# sh ip route ospf-1


IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

198.18.6.0/24, ubest/mbest: 1/0


*via 198.18.5.2, Eth2/1, [110/2000], 00:06:30, ospf-1, intra

NOTE: The same output can be displayed issuing the command: "show routing ospf-1".
n7k-2(config-if)# sh ip ospf database
OSPF Router with ID (128.0.0.2) (Process ID 1 VRF default)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# Checksum Link Count


128.0.0.1 128.0.0.1 232 0x80000008 0x1cc7 2
128.0.0.2 128.0.0.2 228 0x80000003 0x148e 1
128.0.0.3 128.0.0.3 322 0x80000007 0x1684 1

Network Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# Checksum


198.18.5.2 128.0.0.1 232 0x80000002 0xe70c
198.18.6.1 128.0.0.1 325 0x80000006 0xec02

n7k-2(config-if)# sh ip ospf interface


Ethernet2/1 is up, line protocol is up
IP address 198.18.5.1/24, Process ID 1 VRF default, area 0.0.0.0
Enabled by interface configuration
State BDR, Network type BROADCAST, cost 1000
Index 1, Transmit delay 1 sec, Router Priority 1
Designated Router ID: 128.0.0.1, address: 198.18.5.2
Backup Designated Router ID: 128.0.0.2, address: 198.18.5.1
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 2, Dead 6, Wait 6, Retransmit 5
Hello timer due in 00:00:00
Message-digest authentication, using key id 1
Number of opaque link LSAs: 0, checksum sum 0

Congratulations, your OSPF routing is working.

Scenario 8: Process Restartability
NX-OS is a modern operating system. NX-OS continuously checks the health of each software module, making sure that if a
process crashes or hangs the right action is taken to preserve service continuity and availability. NX-OS has been designed around
the concept of zero service disruption.

In this scenario we will demonstrate the non-stop forwarding capabilities of OSPF:

• In a first step, a crash of the OSPF process will be simulated. This will cause a stateful restart, which uses our PSS
(Persistent Storage Service) architecture, so that the system recovers in a seamless way. You will see how the connected
Core Layer router will not notice that the process has crashed and been restarted.

• In a second step, we will perform a graceful restart of OSPF. This will utilize the Non-Stop Forwarding (NSF) feature of
OSPF, as defined in RFC 3623, to recover the routing table on the local node by resynchronizing it with the neighbor.

NOTE: The process monitoring feature of NX-OS will also constantly monitor the number and frequency of process restarts and
will escalate the situation accordingly:

• Should the OSPF process crash a second time within four minutes a graceful restart will be performed instead of a stateful
restart.

• Should you trigger a second graceful restart within four minutes a supervisor switchover will be triggered. As our Titanium boxes
only have one simulated Supervisor, this will render the machine that you are using unusable. So please do not do that.

Please perform the steps as stated below and do not repeat them as the results may be different from what you expect or it might
render the boxes unusable for subsequent use.

These are the steps for this scenario:

• Prepare the switches for observing the NSF feature

• Simulate a crash of the OSPF process

• Verify that the OSPF process has been restarted statefully

• Perform a graceful restart

• Observe NSF updates from the peer for the graceful restart

Prepare the Switches for Observing the NSF Feature


Before simulating a failure of the OSPF process on your local switch, we will prepare two more terminal sessions, which will display
status information for making sure that the switch behaves as expected.

Use PuTTY to open a SSH session to the Core Layer switch N7k-1. Use the username admin and the password C1sco12345 to
login.

NOTE: In order to observe the debug output from SSH console, execute the following command on both, N7k-1 and N7k-2:

N7k-1# terminal monitor

On N7k-1, enable OSPF adjacency debugging:


N7k-1# debug ip ospf adjacency

Leave the SSH session open to observe OSPF adjacency debug messages.

Use PuTTY to open a SSH session to the Aggregation layer switch N7k-2. Use the username admin and the password
C1sco12345 to login.

Start a ping to the interface of the Aggregation layer switch N7K-3 with an unlimited number of packets and a very short repeat
interval.
N7k-2# ping
Vrf context to use [default] :
No user input: using default context
Target IP address or Hostname: 198.18.6.2
Repeat count [5] : unlimited
Datagram size [56] :
Timeout in seconds [2] :
Sending interval in seconds [0] :
Extended commands [no] :
Sweep range of sizes [no] :
Sending 0, 56-bytes ICMP Echos to 198.18.6.2
Timeout is 2 seconds, data pattern is 0xABCD

64 bytes from 198.18.6.2: icmp_seq=0 ttl=254 time=0.794 ms


64 bytes from 198.18.6.2: icmp_seq=1 ttl=254 time=0.606 ms
64 bytes from 198.18.6.2: icmp_seq=2 ttl=254 time=0.47 ms
64 bytes from 198.18.6.2: icmp_seq=3 ttl=254 time=0.662 ms
64 bytes from 198.18.6.2: icmp_seq=4 ttl=254 time=0.6 ms
...

This way you will be able to observe the behavior of the setup during the following steps. The debug on N7k-1 will show you the
presence or absence of OSPF adjacency updates while the ping shows you the continuous forwarding capabilities.

Now continue working on your Aggregation Layer switch N7k-2 while monitoring the two other SSH sessions in the background.
Open another PuTTY session, to N7K-2.

Simulate a Crash of the OSPF Process


First, we will display the current OSPF process ID. We will then use the displayed information to simulate a process crash by
explicitly killing the current OSPF process. Furthermore, we will check the restart of the service by comparing the new OSPF
process ID.
N7k-2# show processes | inc ospf
9934 S 775d327b 1 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3

NOTE: Take note of the OSPF process ID in your switch as you will need it in a subsequent step.

We will invoke a script on your access layer switch that enables us to enter a debug mode in which we can issue a kill command to
stop the OSPF process.

First, we need to create a copy of this special debug script, as it will self-destruct.

While issuing the kill command, observe the SSH window of the Core Layer switch, N7K-1, for the absence of OSPF adjacency
updates and the SSH window of the Aggregation layer switch for no disruption in the ping sequence.
N7k-2# load bootflash:kill.gbin
Loading plugin version 6.1(2)
###############################################################
Warning: debug-plugin is for engineering internal use only!
For security reason, plugin image has been deleted.
###############################################################
Successfully loaded debug-plugin!!!

Enter Commands:

Linux(debug)# kill 9934


Linux(debug)# 2014 Feb 12 11:24:56 n7k-2 %LIBSYSMGR-3-SIGTERM_FORCE_EXIT: Service "__inst_001__ospf" (PID
5674) is forced exit.N7k-2#

IMPORTANT: The number in the "kill" command should be the OSPF process ID shown on your switch.

Verify that the OSPF Process has been Restarted Statefully


Killing the OSPF process simulates the crash of this process. Therefore, NX-OS should have done a stateful restart of the OSPF.
To verify this we will check if the OSPF process has been restarted on your local switch:
N7k-2# show processes | inc ospf
12026 S 775d327b 2 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3
- NR - 0 - ospf
- NR - 0 - ospfv3
N7k-2#

Notice how the OSPF process now has a new process ID and how, looking at the N7K-1 terminal, the neighbor did not even
realize that our OSPF process was killed and restarted. So there should be no debug message on N7k-1.
N7k-1#

The ping sequence between N7k-2 and N7k-3 should not be affected.
...
64 bytes from 198.18.6.2: icmp_seq=320 ttl=254 time=0.794 ms
64 bytes from 198.18.6.2: icmp_seq=321 ttl=254 time=0.606 ms
64 bytes from 198.18.6.2: icmp_seq=322 ttl=254 time=0.47 ms
64 bytes from 198.18.6.2: icmp_seq=323 ttl=254 time=0.662 ms
64 bytes from 198.18.6.2: icmp_seq=324 ttl=254 time=0.6 ms
...

Perform a Graceful Restart
Now we will perform a graceful restart of OSPF. NX-OS will use Non-Stop Forwarding (NSF), which is enabled by default along
with OSPF, to acquire the OSPF routing table from the neighbor. This graceful restart will also be non-disruptive to the forwarding
plane.

While performing the graceful restart on your Aggregation layer switch N7k-2, observe the second terminal window of the Core
layer switch for the OSPF adjacency debug messages.
N7k-2# restart ospf 1

Observe NSF Updates from the Peer for the Graceful Restart
On the N7K-1 Core layer switch, you can see the OSPF adjacency debug output.

At the same time, the ping sequence between N7k-2 and N7k-3 is still not affected.
...
64 bytes from 198.18.6.2: icmp_seq=320 ttl=254 time=0.794 ms
64 bytes from 198.18.6.2: icmp_seq=321 ttl=254 time=0.606 ms
64 bytes from 198.18.6.2: icmp_seq=322 ttl=254 time=0.47 ms
64 bytes from 198.18.6.2: icmp_seq=323 ttl=254 time=0.662 ms
64 bytes from 198.18.6.2: icmp_seq=324 ttl=254 time=0.6 ms
...

NOTE: The state changes from FULL to EXSTART and not to DOWN, because NSF is used to re-acquire the OSPF link-state database.

Before moving on, please interrupt the ping sequence by pressing [Ctrl] + C and close this SSH session. Also close the SSH
session to the Core layer switch N7k-1.

Scenario 9: Licensing
NX-OS enforces licensing for some of its features. However, the licensing scheme has been made very easy to understand and
simple to use. There are three levels of enforced software licensing:

• The Base license, which contains the complete set of Layer 2 and management features

• The Enterprise Services license, which contains the Layer 3 routing protocols

• The Advanced Services license, for Virtual Device Contexts (VDC) and Cisco TrustSec (CTS)

The Base license is free and comes with the Nexus hardware. The Enterprise Services and Advanced Services licenses can be
purchased and used independently.

There is a grace period of 120 days, so users can test the features before buying. The grace period is counted on active
features rather than on absolute time: if a user tries out a licensed feature for a few days and then disables it, the grace-period
countdown stops until a feature covered by the same license is turned on again.

These are the steps for this scenario:

• Enable the grace period feature

• Show current license usage

Enable the Grace Period Feature


The grace period feature needs to be enabled first. As we have already used features that require the Enterprise Services License,
we have already done this for you.

You can still verify the steps for enabling the grace period.
N7k-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7k-2(config)# license grace-period

Show Current License Usage


Display the current license usage.

show license usage


N7k-2(config)# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                  Count
--------------------------------------------------------------------------------
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  No    0   Unused             -
ENTERPRISE_PKG                No    -   Unused             -
FCOE-N7K-F132XP               No    0   Unused             -
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
SCALABLE_SERVICES_PKG         No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ADVANCED_SERVICES_PKG     No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   No    -   In use             Grace 119D 23H

To install a license, use the install license bootflash:<file.lic> command. License files are downloaded from CCO (Cisco.com).
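The "Grace 119D 23H" comment is the only place the switch tells you how much of the 120-day grace period is left for a feature that is in use without an installed license, and once that runs out the feature is disabled, not just flagged. The following script is an added example (not from the dCloud guide) that parses the "show license usage" table shown above, reports each feature running on grace time, and flags those inside a warning window so the licence can be installed before the countdown ends. The sample input is the page's own table.

```python
import re

# Sample input: the "show license usage" table from this scenario.
SHOW_LICENSE_USAGE = """\
Feature                      Ins  Lic   Status Expiry Date Comments
                                  Count
--------------------------------------------------------------------------------
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  No    0   Unused             -
ENTERPRISE_PKG                No    -   Unused             -
FCOE-N7K-F132XP               No    0   Unused             -
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
SCALABLE_SERVICES_PKG         No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ADVANCED_SERVICES_PKG     No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   No    -   In use             Grace 119D 23H
"""

GRACE_PERIOD_HOURS = 120 * 24  # NX-OS grace period, counted only while the feature is active

# Feature  Ins(Yes|No)  LicCount  Status(Unused|In use)  [Expiry Date]  Comments
ROW_RE = re.compile(r"^(\S+)\s+(Yes|No)\s+(\S+)\s+(Unused|In use)\s+(.*?)\s*$")
GRACE_RE = re.compile(r"Grace (\d+)D (\d+)H")


def parse_license_usage(text):
    """One dict per feature row; header, 'Count' and dashed lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        feature, installed, count, status, rest = m.groups()
        g = GRACE_RE.search(rest)
        rows.append({
            "feature": feature,
            "installed": installed == "Yes",
            "count": None if count == "-" else int(count),
            "in_use": status == "In use",
            "grace_hours_left": int(g.group(1)) * 24 + int(g.group(2)) if g else None,
        })
    return rows


def grace_period_features(text, warn_days=30):
    """(feature, hours_left, needs_attention) for every feature that is in use
    without an installed license. Unknown remaining time counts as needing attention."""
    out = []
    for r in parse_license_usage(text):
        if r["in_use"] and not r["installed"]:
            left = r["grace_hours_left"]
            out.append((r["feature"], left, left is None or left <= warn_days * 24))
    return out


if __name__ == "__main__":
    for feature, left, warn in grace_period_features(SHOW_LICENSE_USAGE):
        used = GRACE_PERIOD_HOURS - left if left is not None else "?"
        print(f"{feature}: {left}h of grace left ({used}h consumed){'  <-- ACT' if warn else ''}")
```

Because the countdown only runs while a feature covered by the license is enabled, the hours-left figure is a budget, not a calendar date; poll it from the same place you collect other configuration drift.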

Scenario 10: Hot Standby Router Protocol
In this scenario we will configure Hot Standby Router Protocol (HSRP) between N7k-2 on Eth2/2 and N7k-3 on Eth2/1.

These are the steps for this scenario:

• Open one SSH session to N7K-2 and another one to N7K-3

• Enable the HSRP feature on N7K-2

• Verify operation of HSRP on N7K-3

Open SSH sessions


Use PuTTY to SSH into the management interface of each Nexus 7000. If not already open, open one session to device n7k-
2.dcloud.cisco.com and one session to device n7k-3.dcloud.cisco.com, with username admin and password C1sco12345.

Enable the HSRP Feature on N7K-2


You will now see that in NX-OS the HSRP group is configured in its own sub-mode under the interface (config-if-hsrp). In your SSH
session with N7K-2, execute the following commands:
N7k-2(config)# feature hsrp
N7k-2(config)# interface eth2/2
N7k-2(config-if)# description HSRP with N7k-3 - eth2/1
N7k-2(config-if)# ip address 198.18.7.2/24
N7k-2(config-if)# hsrp 1
N7k-2(config-if-hsrp)# preempt delay minimum 180
N7k-2(config-if-hsrp)# priority 110
N7k-2(config-if-hsrp)# timers 1 3
N7k-2(config-if-hsrp)# ip 198.18.7.254
N7k-2(config-if-hsrp)# exit
N7k-2(config-if)# no shutdown
N7k-2(config-if)#

NOTE: To see debug output in the SSH session, execute the following command on both N7k-2 and N7k-3:

N7k-2# terminal monitor

Verify Operation of HSRP


Enable HSRP debugging to see the exchange of hello packets between N7k-2 and N7k-3. In your SSH session with N7K-3,
execute the following command:
N7k-3(config-if)# debug hsrp engine packet hello

The output should be similar to the text captured below:


2010 Sep 25 19:29:33.001059 hsrp: Eth2/1[1/V4] : Hello out Standby pri 110 ip 198.18.7.254
2010 Sep 25 19:29:33.001098 hsrp: Eth2/1[1/V4] : hel 1 hol 3 auth cisco
2010 Sep 25 19:29:33.619057 hsrp: Eth2/1[1/V4] : Hello in from 198.18.7.1 state Active pri 110 ip 198.18.7.254
2010 Sep 25 19:29:33.619087 hsrp: Eth2/1[1/V4] : hel 1 hol 3 auth cisco
2010 Sep 25 19:29:34.000980 hsrp: Eth2/1[1/V4] : Hello out Standby pri 110 ip 198.18.7.254
2010 Sep 25 19:29:34.001031 hsrp: Eth2/1[1/V4] : hel 1 hol 3 auth cisco
2010 Sep 25 19:29:34.619031 hsrp: Eth2/1[1/V4] : Hello in from 198.18.7.1 state Active pri 110 ip 198.18.7.254
2010 Sep 25 19:29:34.619058 hsrp: Eth2/1[1/V4] : hel 1 hol 3 auth cisco
N7k-3(config-if)# undebug all
N7k-3(config-if)#

NOTE: When the debug is disabled (for example with "undebug all"), the debug messages stop immediately. NX-OS uses a
preemptive scheduler, and even a simple test like this illustrates the responsiveness of the control plane.

Note also the "auth cisco" field in every hello: the group is running with the HSRP default cleartext authentication string "cisco".
That is fine for this demo, but in production it should be replaced, because any host on the segment that knows the default can
send hellos the group accepts; NX-OS supports MD5 authentication with a key chain (authentication md5 key-chain <name>) under
the hsrp group sub-mode.

As a last step, we will verify that N7k-2 (198.18.7.2) is the active router for 198.18.7.254 while N7k-3 (198.18.7.1) is the standby
router. In your SSH session with N7K-2, execute the following command:

show hsrp group 1

The output should be similar to the text captured below:


N7k-2(config-if)# show hsrp group 1
Ethernet2/2 - Group 1 (HSRP-V1) (IPv4)
Local state is Active, priority 110 (Cfged 110), may preempt
Forwarding threshold(for vPC), lower: 1 upper: 110
Preemption Delay (Seconds) Minimum:180
Hellotime 1 sec, holdtime 3 sec
Next hello sent in 0.809000 sec(s)
Virtual IP address is 198.18.7.254 (Cfged)
Active router is local
Standby router is 198.18.7.1 , priority 110 expires in 2.191000 sec(s)
Authentication text "cisco"
Virtual mac address is 0000.0c07.ac01 (Default MAC)
2 state changes, last state change 00:07:09
IP redundancy name is hsrp-Eth2/2-1 (default)
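The "show hsrp group" output above carries everything needed to audit a group for the weak-authentication caveat: version, timers, preemption and the authentication line. The script below is an added example, not code from the dCloud guide or from Cisco; it parses that output (the page's own text is the sample input) and returns findings for the default cleartext string "cisco", for any cleartext key, for no authentication, for HSRP version 1, and for a holdtime shorter than three hello intervals. The line format for MD5 authentication ("Authentication MD5, ...") is an assumption, since the page only shows text authentication.

```python
import re

# Sample input: the "show hsrp group 1" output captured in this scenario.
SHOW_HSRP_GROUP = """\
Ethernet2/2 - Group 1 (HSRP-V1) (IPv4)
  Local state is Active, priority 110 (Cfged 110), may preempt
    Forwarding threshold(for vPC), lower: 1 upper: 110
  Preemption Delay (Seconds) Minimum:180
  Hellotime 1 sec, holdtime 3 sec
  Next hello sent in 0.809000 sec(s)
  Virtual IP address is 198.18.7.254 (Cfged)
  Active router is local
  Standby router is 198.18.7.1 , priority 110 expires in 2.191000 sec(s)
  Authentication text "cisco"
  Virtual mac address is 0000.0c07.ac01 (Default MAC)
  2 state changes, last state change 00:07:09
  IP redundancy name is hsrp-Eth2/2-1 (default)
"""

# Well-known HSRP default: cleartext authentication with the string "cisco".
HSRP_DEFAULT_AUTH = "cisco"

PATTERNS = {
    "header": re.compile(r"^(\S+) - Group (\d+) \(HSRP-V(\d)\)"),
    "state":  re.compile(r"^Local state is (\w+), priority (\d+)"),
    "timers": re.compile(r"^Hellotime (\d+) sec, holdtime (\d+) sec"),
    "text":   re.compile(r'^Authentication text "(.*)"'),
    # Assumed line format for MD5 authentication; the page only shows text auth.
    "md5":    re.compile(r"^Authentication MD5"),
}


def parse_hsrp_group(text):
    """Extract the fields the audit needs from one 'show hsrp group' block."""
    g = {"auth": ("none", None), "preempt": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERNS["header"].match(line)
        if m:
            g["interface"], g["group"], g["version"] = m.group(1), int(m.group(2)), int(m.group(3))
            continue
        m = PATTERNS["state"].match(line)
        if m:
            g["state"], g["priority"] = m.group(1), int(m.group(2))
            g["preempt"] = "may preempt" in line
            continue
        m = PATTERNS["timers"].match(line)
        if m:
            g["hello"], g["hold"] = int(m.group(1)), int(m.group(2))
            continue
        m = PATTERNS["text"].match(line)
        if m:
            g["auth"] = ("text", m.group(1))
            continue
        if PATTERNS["md5"].match(line):
            g["auth"] = ("md5", None)
    return g


def audit_hsrp_group(text):
    """Return a list of findings for one HSRP group; empty means nothing to report."""
    g = parse_hsrp_group(text)
    where = f"{g.get('interface')} group {g.get('group')}"
    findings = []
    kind, key = g["auth"]
    if kind == "text" and key == HSRP_DEFAULT_AUTH:
        findings.append(f"{where}: default cleartext authentication string '{HSRP_DEFAULT_AUTH}'; "
                        "any host on the segment can send hellos the group accepts")
    elif kind == "text":
        findings.append(f"{where}: cleartext authentication; the key travels in every hello")
    elif kind == "none":
        findings.append(f"{where}: no authentication")
    if g.get("version") == 1:
        findings.append(f"{where}: HSRP version 1")
    if g.get("hold", 0) < 3 * g.get("hello", 1):
        findings.append(f"{where}: holdtime below 3x hellotime, group may flap under load")
    return findings


if __name__ == "__main__":
    for finding in audit_hsrp_group(SHOW_HSRP_GROUP):
        print("FINDING:", finding)
```

Run against the page's output this reports the default "cisco" string and HSRP version 1. The fix on NX-OS is a key chain plus "authentication md5 key-chain <name>" under the hsrp group, and "hsrp version 2" on the interface if you want the larger group range; the script accepts either MD5 form because it only keys on the "Authentication MD5" prefix.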

Results
Once you have gone successfully through the above steps you have concluded the demonstration.

Summary
In this demonstration you:

• Became familiar with NX-OS, the operating system that powers the Nexus 7000 switch.

• Learned some aspects of NX-OS and some of its differences from classic IOS.

These differences are:

o General

- OS Images: NX-OS consists of two images, Kickstart and System

- Management VRF: A separate management VRF gives full isolation of management traffic

- Modular OS: Non-core features (called conditional services) must be enabled explicitly

- Process Restart ability: Monitoring of system service health, and stateful or graceful restarts

- Licensing: Enforced licensing, with a grace period for testing features

o CLI

- Hierarchy Independence: Non-config commands can be issued from any mode, e.g. ping or show running-config

- Default Config: The defaults of the running-config can be displayed

- Interface Types: Only one interface type, Ethernet; no distinction between 10 Mb, 100 Mb, 1 Gb and 10 Gb interface types

- Slash Notation: IP addresses can be configured in slash notation (e.g. x.x.x.x/24)

- Rollback Mode: Rollback of the entire configuration to pre-defined checkpoints

o ACLs & QoS

- ACL Types: No more ACL types such as Standard or Extended

- Configuration Sessions: "Dry-run" mode for checking hardware and software capabilities

o Access-Control

- RBAC: Role-based access control

o L3 Forwarding/Protocols

- IGP routing protocols: Interface-centric configuration (e.g. for OSPF)

o Interface

- HSRP sub-mode: HSRP groups are configured in their own sub-mode under the interface

For More Information


For more information about the Cisco Nexus 7000, visit http://www.cisco.com/go/nexus7000 or contact your local Cisco account
representative.
