Firewall between Nexus 1000V VSM and vCenter
Hi,
Customer has multiple security zones in the environment, and VMware vCenter is located in a Management Security Zone. VSMs in the security zones have a dedicated management interface facing the Management Security Zone with a firewall in between. What ports do we need to open for the communication between VSMs and vCenter? The Nexus 1000V troubleshooting guide only mentions TCP/80 and TCP/443. Are these outbound from VSM to vCenter? Are there any requirements from vCenter to VSM? What's the best practice for VSM management interface configuration in a multiple security zone environment? Thanks.
Avi -
You need the connection between vCenter and the VSM anytime you want to add or make any changes to the existing port-profiles. This is how the port-profiles become available to the virtual machines that reside on your ESX hosts.
One problem when the vCenter is down is what you pointed out - configuration changes cannot be pushed.
The VEM/VSM relationship is independent of the VSM/vCenter connection. There are separate VLANs or L3 interfaces that are used to pass information and heartbeats between the VSM and its VEMs.
Jen
Similar Messages
-
Nexus 1000v VSM can't communicate with the VEM
This is the configuration I have on my vsm
!Command: show running-config
!Time: Thu Dec 20 02:15:30 2012
version 4.2(1)SV2(1.1)
svs switch edition essential
no feature telnet
banner motd #Nexus 1000v Switch#
ssh key rsa 2048
ip domain-lookup
ip host Nexus-1000v 172.16.0.69
hostname Nexus-1000v
errdisable recovery cause failed-port-state
vem 3
host vmware id 78201fe5-cc43-e211-0000-00000000000c
vem 4
host vmware id e51f2078-43cc-11e2-0000-000000000009
priv 0xa2cb98ffa3f2bc53380d54d63b6752db localizedkey
vrf context management
ip route 0.0.0.0/0 172.16.0.1
vlan 1-2
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type ethernet vmware-uplinks
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1-3967,4048-4093
channel-group auto mode on
no shutdown
system vlan 2
state enabled
port-profile type vethernet Management
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
state enabled
port-profile type vethernet vMotion
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
state enabled
port-profile type vethernet ServidoresGestion
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
state enabled
port-profile type vethernet L3-VSM
capability l3control
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
system vlan 2
state enabled
port-profile type vethernet VSG-Data
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
state enabled
port-profile type vethernet VSG-HA
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
state enabled
vdc Nexus-1000v id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 1 maximum 1
limit-resource u6route-mem minimum 1 maximum 1
interface mgmt0
ip address 172.16.0.69/25
interface control0
line console
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.1.1.bin sup-1
boot system bootflash:/nexus-1000v.4.2.1.SV2.1.1.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.1.1.bin sup-2
boot system bootflash:/nexus-1000v.4.2.1.SV2.1.1.bin sup-2
svs-domain
domain id 1
control vlan 1
packet vlan 1
svs mode L3 interface mgmt0
svs connection vcenter
protocol vmware-vim
remote ip address 172.16.0.66 port 80
vmware dvs uuid "ae 31 14 50 cf b2 e7 3a-5c 48 65 0f 01 9b b5 b1" datacenter-name DTIC Datacenter
admin user n1kUser
max-ports 8192
connect
vservice global type vsg
tcp state-checks invalid-ack
tcp state-checks seq-past-window
no tcp state-checks window-variation
no bypass asa-traffic
vnm-policy-agent
registration-ip 172.16.0.70
shared-secret **********
policy-agent-image bootflash:/vnmc-vsmpa.2.0.0.38.bin
log-level
For some reason my VSM can't see the VEM. I could before, but then my server crashed without my doing a copy run start, and when it booted up all my config but the uplinks was lost.
When I tried to configure the connection again it wasn't working.
I'm also attaching a screen capture of the vDS and a capture of the regular switch.
I would very much appreciate any help you could give me and will provide any configuration details that you might need.
Thank you so much.
Carlos,
Looking at vds.jpg, you do not have any VEM VMkernel interface attached to port-profile L3-VSM. So to fix the VSM-VEM communication problem, you either migrate your VEM management VMkernel interface to the L3-VSM port-profile of the vDS, or create a new VMkernel port on your VEM/host and attach it to the L3-VSM port-profile. -
I'm looking over the deployment guide for 1000Vs, and am not clear on the design. If I have a Nexus 4k connecting to a Nexus 5k, how does the Nexus 1000V fit? What I'm seeing is that typically a vPC is built between the Nexus 1k and a clustered upstream switch, such as Nexus 5ks, or VSS with 6500s. However, if I already have a vPC between a Nexus 4k and a pair of 5ks, what effect does adding 1ks to the configuration have? Or is the idea to move the vPC back to the 1000Vs instead of between the 4k and 5ks? Or perhaps is using a 1000V more suited when you have blades with pass-through modules where each blade has its own NIC, or there are blade switches (non Nexus 4k) in the chassis?
thank you,
Bill
Hi Bill,
Mainly there are two options.
The first option is to use the N1K with clustered upstream switches, as you mentioned, vPC or VSS.
In this case all you need from the N1K/ESXi host is to use a normal port channel and multihome the port channel links to both of these switches (this is a recommended solution if applicable).
Option two is to use non-clustered switches, like in your case the two 4K switches, as the upstream switches with the N1K.
In this case you can use vPC host mode, where the N1K with new releases uses MAC pinning to choose the uplink subgroup within the port channel.
See below: -
Vmware Tools for Nexus 1000v, VNMC and VSG
Hi everyone, a customer is asking me how to install the VMware Tools in the virtual machines of N1Kv, VSG and VNMC.
Does someone know the procedure, or whether that's possible or not?
@Robert
Wanted to know / understand what hardware version would be compatible with Nexus 1000V? Is there any dependency on hardware version?
Regards,
Amit Vyas -
Link FC between Nexus 5548 UP and Brocade 300
Hello,
I have got two Nexus 5548UP and a Brocade fabric.
I would like to connect my Nexus switches to my Brocade fabric.
See the pdf file.
Best regards,
It's possible to have more links between NPV and Brocade, but if you want to port channel them, please check first with Brocade support whether they allow F port channel trunking in their code. Not sure if FOS 6.2.2 supports it. From our side (Cisco switch running NPV) we should be able to do a port channel up to any NPIV switch provided the upstream switch supports it.
https://supportforums.cisco.com/thread/2091664
Thanks,
Vinayak -
Nexus 1000v vsm secondary not recognized
I deployed the secondary VSM but when it came up the primary VSM still does not recognize that there is a standby.
I went through the OVF and selected secondary and only entered the VSM domain id and the admin password.
After the power on the master did not see the secondary.
Any idea?
Hi Tony,
In order for this VSM to see its peer, you need to configure it for system redundancy role Primary.
As shown in the output, it is currently running in standalone mode.
Once we reconfigure the first deployed VSM as primary, the two VSMs should see each other (given they have L2 connectivity).
Nexus1000v# show system redundancy status
Redundancy role
administrative: standalone
operational: standalone
Redundancy mode
administrative: HA
operational: None
This supervisor (sup-1)
Redundancy state: Active
Supervisor state: Active
Internal state: Active with no standby
Other supervisor (sup-2)
Redundancy state: Not present
Nexus1000v# con
Nexus1000v(config)# system redundancy role primary
After this change, the VSMs will negotiate and the secondary will reboot. When the secondary comes back up, we should see that they have paired.
Nexus1000v(config)# show redundancy status
Redundancy role
administrative: primary
operational: primary
Redundancy mode
administrative: HA
operational: HA
This supervisor (sup-1)
Redundancy state: Active
Supervisor state: Active
Internal state: Active with HA standby
HTH,
Joe -
Firewall ports for Nexus 1000v
hi all,
There is a firewall between Nexus 1000v and vCenter and ESXi 4.1 hosts.
Could you please advise which TCP/UDP ports need to be opened for communication among Nexus 1000v, vCenter and ESX hosts?
Thank you very much!
Best Regards,
David,
Between your VSM & VC you'll need TCP ports 80 & 443 open
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/troubleshooting/configuration/guide/n1000v_trouble_5modules.html
Between your VEM & VSM this should be Layer 2, so no ports need to be open.
If you're using Layer 3 mode then ensure you have UDP 4785 open.
http://www.ciscosystemsverified.biz/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/system_management/configuration/guide/n1000v_system_3domain.pdf
Regards,
Robert -
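The port list above (and the same question at the top of this page) is easy to get wrong when only the TCP 80/443 line of the troubleshooting guide is copied into a firewall policy. The following added helper (not Cisco's code and not from any post here) derives the required flows from a VSM running-config excerpt modeled on the one posted earlier on this page and reports which ones a candidate policy does not cover. The role names, the rule tuple format and the sample policy are assumptions of the example.

```python
"""Derive the firewall openings a Nexus 1000V deployment needs from the VSM
running-config and check a candidate policy for gaps."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # role of the side that initiates: "VSM", "VEM" or "vCenter"
    dst: str
    proto: str  # "tcp" or "udp"
    port: int
    why: str


# Constructed excerpt, modeled on the running-config posted earlier on this page.
SAMPLE_CONFIG = """\
interface mgmt0
  ip address 172.16.0.69/25
svs-domain
  domain id 1
  svs mode L3 interface mgmt0
svs connection vcenter
  protocol vmware-vim
  remote ip address 172.16.0.66 port 80
  connect
"""


def required_flows(config: str) -> list:
    """Flows the answers on this page call for, derived from the config.

    The VSM is the client of the vCenter API, so TCP 80/443 are initiated by
    the VSM. VSM<->VEM control traffic only crosses a firewall when the domain
    runs in L3 control mode; it then uses UDP 4785 in both directions. In L2
    mode the control/packet VLANs carry it and no firewall rule is needed.
    """
    flows = [
        Flow("VSM", "vCenter", "tcp", 80, "svs connection: vmware-vim API"),
        Flow("VSM", "vCenter", "tcp", 443, "svs connection: vmware-vim over HTTPS"),
    ]
    if re.search(r"^\s*svs mode L3\b", config, re.MULTILINE):
        flows.append(Flow("VEM", "VSM", "udp", 4785, "L3 control: VEM to VSM"))
        flows.append(Flow("VSM", "VEM", "udp", 4785, "L3 control: VSM to VEM"))
    return flows


def endpoints(config: str) -> dict:
    """Concrete VSM management and vCenter addresses found in the config."""
    found = {}
    m = re.search(r"^\s*ip address (\S+?)/\d+", config, re.MULTILINE)
    if m:
        found["VSM"] = m.group(1)
    m = re.search(r"^\s*remote ip address (\S+) port \d+", config, re.MULTILINE)
    if m:
        found["vCenter"] = m.group(1)
    return found


def missing_flows(flows, rules):
    """Flows that no permit rule covers.

    A rule is (src, dst, proto, port); "any" is a wildcard for src or dst.
    """
    def allows(rule, f):
        s, d, p, port = rule
        return (s in ("any", f.src) and d in ("any", f.dst)
                and p == f.proto and port == f.port)
    return [f for f in flows if not any(allows(r, f) for r in rules)]


if __name__ == "__main__":
    # Constructed policy: only the TCP 80/443 the troubleshooting guide mentions.
    rules = [("VSM", "vCenter", "tcp", 80), ("VSM", "vCenter", "tcp", 443)]
    print("endpoints:", endpoints(SAMPLE_CONFIG))
    for f in missing_flows(required_flows(SAMPLE_CONFIG), rules):
        print(f"MISSING {f.src} -> {f.dst} {f.proto}/{f.port}  ({f.why})")
```

With the sample config in L3 mode, the policy that only permits TCP 80/443 is reported as missing both directions of UDP 4785; switching the excerpt to L2 mode drops those two flows from the requirement list.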
Hi,
We are planning to install Cisco Nexus 1000v in our environment. Before we install it we want to explore a little bit about Cisco Nexus 1000v.
• I know there are 2 elements for Cisco 1k, VEM and VSM. Is the VSM required? Can we configure the VEM individually?
• How does the Nexus 1k integrate with vCenter? Can we do all Nexus 1000v configuration from vCenter without going to the VEM or VSM?
• In terms of alarming and reporting, do we need to get SNMP trap and get from each individual VEM, or can we use the VSM to do that? Or can we get Cisco Nexus 1000v alarming and reporting from VMware vCenter?
• Apart from using the Nexus 1010, what's the recommended hosting location for the VSM (same host as VEM, different VM, or different physical server)?
Foyez Ahammed
Hi Foyez,
Here is a brief on the Nexus1000v and I'll answer some of your questions in that:
The Nexus1000v is a Virtual Distributed Switch (software based) from Cisco which integrates with the vSphere environment to provide uniform networking across your VMware environment for the hosts as well as the VMs. There are two components to the N1K infrastructure: 1) VSM 2) VEM.
VSM - Virtual supervisor module is the one which controls the entire N1K setup and is from where the configuration is done for the VEM modules, interfaces, security, monitoring etc. VSM is the one which interacts with the VC.
VEM - Virtual ethernet modules are simply the modules or virtual linecards which provide the connectivity option or virtual ports for the VMs and other virtual interfaces. Each ESX host today can only have one VEM. These VEMs receive their configuration / programming from the VSM.
If you are aware of any other switching products from Cisco like the Cat 6k switches, the n1k behaves the same way but in a software / virtual environment, where the VSMs are the equivalent of the SUPs and the VEMs are similar to the line cards. The control and the packet VLANs in the n1k provide the same kind of AIPC and inband connectivity as the 6k backplane would for the communication between the modules and the SUP (VSM in this case).
*The n1k configuration is done only from the VSM and is visible in the VC. However the port-profiles created on the VSM are pushed from the VSM to the VC and have to be assigned to the virtual / physical ports from the VC.
*You can run the VSM either on the Nexus1010 as a Virtual service blade (VSB) or as a normal VM on any of the ESX/ESXi servers. The VSM and the VEM on the same server are fully supported.
You can refer to the following deployment guide for some more details: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html
Hope this answers your queries!
./Abhinav -
Firewall between WAAS 7341s and Central Manager.
Is there a white paper that describes having a firewall between a Central Manager and the WAAS devices it is managing? I need to know all the ports and protocols that need to be allowed through the firewall. - Thanks
Hi Jeff,
I am searching for a white paper for you, but you need the following ports bi-directionally open between WAAS CM and WAAS for them to communicate with each other.
1. TCP 8443
2. TCP 443
3. UDP 4050 - if you are using directed mode.
4. TCP 22 and 23 - If you plan to use SSH / Telnet for management.
Regards,
PS: If this answers your question, please mark this as Answered. -
Install Cisco Nexus 1000V without vCenter?
Hi guys,
Is it possible to install Nexus 1000v without using vCenter?
I have vmware enterprise plus license, but I don't need to install vcenter.
Regards,
No, one of the features the Enterprise Plus license provides is VMware & 3rd-party Distributed Virtual Switch functionality. This requires vCenter to manage them.
Regards,
Robert -
Cisco Nexus 1000v VXLAN doesn't work
Hi to all,
I configured VXLAN by the book (Cisco Nexus 1000V VXLAN Configuration Guide, Release 4.2(1)SV1(5.1)), but there is some problem.
There are two ESXs with four VMs (two VMs on each ESX). Each VM has one NIC and that NIC is assigned to a port-profile configured for the same VXLAN bridge-domain access. There is connectivity between VMs on the same ESX but there is no connectivity between VMs hosted on different ESXs. In other words, L2 connectivity works between VMs on the same ESX but not between VMs on different ESXs.
Nexus 1000V VSM is installed on Nexus 1010 Appliance and manages two VEMs through L3 control interfaces.
VSM version is 4.2(1)SV1(5.1) and VEM feature level is 4.2(1)SV1(5.1).
Bridge-domain is VXLAN-5001 with segment id 5001 and group address 239.1.1.1
Port-profile for VMK VXLAN interface is properly configured for access to VLAN 588 ("transport" VLAN for VXLAN) and capability vxlan.
VLAN 588 is allowed on all uplinks on both sides (Nexus and physical switch).
The port profile for VMs is properly configured for access to the bridge-domain.
I created a monitor session for VLAN 588 on the upstream switch (Cisco 6513 with 12.2(18)SXF14 IOS) and didn't see any multicast, unicast or any other traffic. According to the documentation, first I should see an IGMP join, after that multicast, and after that unicast traffic between the two VMK interfaces.
Here is MAC address table for bridge-domain VXLAN-5001:
Nexus1000V-VSM-1# sh mac address-table bridge-domain VXLAN-5001
Bridge-domain: VXLAN-5001
MAC Address Type Age Port IP Address Mod
--------------------------+-------+---------+---------------+---------------+---
0050.56a3.0009 static 0 Veth6 0.0.0.0 3
0050.56a3.000a static 0 Veth7 0.0.0.0 3
0050.56a3.0007 static 0 Veth4 0.0.0.0 4
0050.56a3.0008 static 0 Veth5 0.0.0.0 4
Total MAC Addresses: 4
As you can see, there are no proper destination IP addresses.
Can somebody help me?
Good hint, but it seems that is not the problem...
Cat ports connecting VEMs support jumbo frames and their MTU is set to 9216B.
I saw that the MTU on the Ethernet interfaces of the VEMs is set to 1500B; I changed the uplink port-profile and set the MTU first to 1550B, and after that to 9000B (max), but the thing still isn't working.
I'm not using vCloud director, just VMware vSphere 4.1 (vCenter Server with VUM, vCenter Client and two ESX hosts).
Message was edited by: Mate Grbavac
After a little research I found something strange... I set up an SVI on the Cat in VLAN 588 ("transport" VLAN for VXLAN) and when I ping the VMkernel interface (with capability vxlan) with a packet size of more than 1500B and the DF bit set I get no reply. My Cat ports and uplink port profiles are configured for jumbo frames. Is it possible to change the MTU of the VMkernel interface? -
Hello ALL!
I am trying to install and configure Nexus 1000v for the first time and am looking to configure the second stage, linking the Nexus 1000v switch to vCenter. Tutorials and white papers say to continue the install using a .jar file. However, I am not seeing this file in the latest release 1000v zip file.
I can see this .jar file in the version 4 release, and re-downloaded the v5 release just in case it was corrupt, and from a different machine; no .jar file.
%windir%\Nexus1000v.5.2.1.SV3.1.1-pkg\Nexus1000v.5.2.1.SV3.1.1.zip\Nexus1000v.5.2.1.SV3.1.1\VSM\Install
Can't find the white papers for v5, has anything changed?
HELP!!
JC
Check this:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/5_2_1_s_v_3_1_1/install_upgrade/workflow/nexus_1000v_r_5_2_1_s_v_3_1_1.html
2 - All files for this release can be found here:
http://www.cisco.com/c/en/us/support/switches/nexus-1000v-switch/model.html
HTH -
Nexus 1000v 4.2.1 - Interface Ethernet3/5 has been quarantined due to Cmd Failure
Hello,
I get the error message "Interface Ethernet3/5 has been quarantined due to Cmd Failure" when I try to activate the System Uplink ports on the Nexus 1000v VSM. The symptom occurs under 4.2.1.SV1.4 (fresh setup; I did tests before with 4.0.4). Unfortunately, the link to the 4.2.1 troubleshooting guide does not work (it seems it hasn't been released yet).
Does anyone have an idea what the root cause could be?
The VSM and VEM run on a GP DL3xxG7 with 2 x Dual Port 10Gbit CNA Adapters.
Nexus 1k config:
vlan 1
vlan 260
name Servers
vlan 340
name NfsA
vlan 357
name vMotion
vlan 920
name Packet_Control
port-profile type ethernet SYSTEM-UPLINK
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1,260,301,303,305,307,357,544,920
spanning-tree port type edge trunk
switchport trunk native vlan 1
channel-group auto mode active
no shutdown
system vlan 1,357,920
state enabled
port-profile type ethernet STORAGE-UPLINK
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 340
channel-group auto mode active
no shutdown
system vlan 340
state enabled
When I do a no shut on the physical ports I get:
switch(config-if)# no shut
2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/7 has been quarantined due to Cmd Failure
2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/5 has been quarantined due to Cmd Failure
The other etherchannel (Port Profile STORAGE-UPLINK) does work pretty well...
The peer switches are two Nexus 5k with VPC.
config:
port-profile type port-channel VMWare-LAN
switchport mode trunk
switchport trunk allowed vlan 260, 301, 303, 305, 307, 357, 544, 920
spanning-tree port type edge trunk
switchport trunk native vlan 1
state enabled
!
interface port-channel18
inherit port-profile VMWare-LAN
description CHA vshpvm001 LAN
vpc 18
speed 10000
!
interface Ethernet1/18
description CHA vshpvm001 LAN
switchport mode trunk
switchport trunk allowed vlan 260,301,303,305,307,357,544,920
channel-group 18 mode active
switch# show port-profile sync-status
Ethernet3/5
port-profile: SYSTEM-UPLINK
interface status: quarantine
sync status: out of sync
cached commands:
errors:
cached command failed
recovery steps:
unshut interface
Ethernet3/7
port-profile: SYSTEM-UPLINK
interface status: quarantine
sync status: out of sync
cached commands:
errors:
cached command failed
recovery steps:
unshut interface
kind regards,
andy
Sean,
thank you!
"show accounting log" helped me - I had the command spanning-tree port type edge trunk in the config, which I somehow didn't realize we didn't have in the 4.0.4 lab setup... so it was a copy/paste error (I copied the port-profile config from the N5k down to the N1k).
Fri Feb 25 07:20:32 2011:update:ppm.13880:admin:configure terminal ; interface Ethernet3/5 ; spanning-tree port type edge trunk (FAILURE)
Fri Feb 25 07:20:32 2011:update:ppm.13890:admin:configure terminal ; interface Ethernet3/5 ; shutdown (FAILURE)
As the N1k doesn't do STP at all (or does it?) it's no wonder that the CLI was complaining...
Maybe this command should get more attention in the tshoot guide, as it seems to be a very helpful one.
Cheers & Thanks,
Andy -
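The "show accounting log" tip above is worth automating when more than one interface ends up quarantined. The following is an added example (not part of the original thread and not Cisco code) that parses the NX-OS accounting-log records and the %PORT-PROFILE-2-INTERFACE_QUARANTINED syslog lines posted in this thread and lists, per quarantined interface, the commands that failed. The record regex and the one extra SUCCESS record are assumptions of the example.

```python
"""Triage 'quarantined due to Cmd Failure' on a Nexus 1000V: parse the NX-OS
accounting log, collect FAILURE records per interface and match them to the
%PORT-PROFILE-2-INTERFACE_QUARANTINED syslog lines."""
import re
from collections import defaultdict

ACCT_RE = re.compile(
    r"^(?P<ts>.+? \d{4}):(?P<kind>\w+):(?P<proc>[^:]+):(?P<user>[^:]+):"
    r"(?P<cmd>.*) \((?P<status>SUCCESS|FAILURE)\)$")
QUAR_RE = re.compile(
    r"%PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface (?P<intf>\S+) "
    r"has been quarantined due to (?P<reason>.+)$")

# Constructed sample: the two FAILURE records and the two syslog lines are the
# ones posted in this thread; the SUCCESS record is made up for contrast.
ACCOUNTING_LOG = """\
Fri Feb 25 07:20:31 2011:update:ppm.13870:admin:configure terminal ; interface Ethernet3/5 ; switchport mode trunk (SUCCESS)
Fri Feb 25 07:20:32 2011:update:ppm.13880:admin:configure terminal ; interface Ethernet3/5 ; spanning-tree port type edge trunk (FAILURE)
Fri Feb 25 07:20:32 2011:update:ppm.13890:admin:configure terminal ; interface Ethernet3/5 ; shutdown (FAILURE)
"""
SYSLOG = """\
2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/7 has been quarantined due to Cmd Failure
2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/5 has been quarantined due to Cmd Failure
"""


def parse_accounting(text):
    """Yield one dict per accounting record; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = ACCT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # "configure terminal ; interface X ; <cmd>": mode path, then the command
        parts = [p.strip() for p in rec["cmd"].split(";")]
        rec["command"] = parts[-1]
        rec["interface"] = next(
            (p.split(None, 1)[1] for p in parts if p.startswith("interface ")), None)
        yield rec


def failures_by_interface(text):
    """Failed commands per interface, in the order they were recorded."""
    out = defaultdict(list)
    for rec in parse_accounting(text):
        if rec["status"] == "FAILURE" and rec["interface"]:
            out[rec["interface"]].append(rec["command"])
    return dict(out)


def quarantined_interfaces(syslog):
    """Interfaces named in quarantine syslog lines, mapped to the stated reason."""
    hits = (QUAR_RE.search(line) for line in syslog.splitlines())
    return {m.group("intf"): m.group("reason") for m in hits if m}


def triage(syslog, acct):
    """For each quarantined interface: its failed commands in order (start with
    the first one), or None when the accounting log holds nothing for it."""
    fails = failures_by_interface(acct)
    return {intf: fails.get(intf) for intf in quarantined_interfaces(syslog)}


if __name__ == "__main__":
    for intf, cmds in triage(SYSLOG, ACCOUNTING_LOG).items():
        print(intf, "->", cmds or "no FAILURE record in accounting log")
```

On the sample, Ethernet3/5 is attributed to the failed spanning-tree command (followed by the failed shutdown), while Ethernet3/7 is flagged as quarantined with no matching accounting record, which tells you to pull the accounting log for that interface too.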
I am looking to design a solution for a customer. They run a very tight hosting environment with Nexus 1000V switches and want to set up private VLANs as they are running out of VLANs.
I need to find some info on whether it is possible to trunk a private VLAN between 2 Nexus switches,
or any info on private VLANs on Nexus 1000V.
Thanks
Roger
Hello Roger,
Yes, pVLANs can be trunked between switches. A good discussion can be found here. Have you considered VXLAN as an alternative to pVLANs? VXLAN allows up to 16M segments to be defined, though they differ slightly from pVLANs in that all VMs in a VXLAN segment can communicate.
Matthew -
Nexus 1000v and vcenter domain admin account
I changed the domain admin account on our domain under which the vCenter services run, and now it's using a different service account. I am wondering if I need to update anything on the Nexus 1000v switch side between the 1000v and vCenter.
Hi Dan,
You are on the right track. However, you can perform some of these functions "online".
First you want to ensure that you are running at a minimum, Nexus 1000v SV1(4a) as ESXi 5.0 only began support on this release. With SV1(4a), it provides support for both ESXi 5.0 and ESX/i 4.1.
Then you can follow the procedure documented here:
Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
Upgrading the ESX/ESXi hosts consists of the following procedures:
–Upgrading the vCenter Server
–Upgrading the vCenter Update Manager
–Augmenting the Customized ISO
–Upgrading the ESXi Hosts
There is also a 3-part video highlighting the procedure to perform the last two steps above (customized ISO and upgrading ESXi hosts):
Video: Upgrading the VEM to VMware ESXi Release 5.0.0
Hope that helps you with your upgrade.
Thanks,
Michael