Nexus 1000v / pvlan promiscuous trunk / Cross-host communication.

Hello,
We are planning the deployment of Nexus 1000v with “promiscuous trunk” uplink ports. We want to be sure cross-host in isolated pvlan will not be possible .
Looking at the picture, I was wondering if the communication between VM-A on ESX1 and VM-B on ESX 2 (both on isolated pvlan) will be impossible as expected.
Example: If VM-A on ESX 1 tries to send traffic to VM-B on ESX-2, the vlan 11 tag is remapped to vlan 10 tag at the outgoing uplink on ESX 1.
Then the flow arrives on ESX 2 with vlan 10 tag on the promiscuous trunk. I understand the promiscuous port can talk to all secondary pvlans, so VM-A can in this case talk with VM-B.
Is my understanding correct ?
Or does the Nexus 1000v have an enhanced cross-VEM mechanism which allow to check the source mac address and know that it comes from pan isolated pvlan and as a result cannot communicate.
Best regards.
Karim  

Hello Karim,
N1k enforces pVLANs across all hosts.  Think of all the N1k VEMs as a single switch.  In your example, VM-A will not be able to talk with VM-B.  We accomplish this isolation by poisoning VEM mac address tables with a null destination.  For example, ESX1 would contain a dynamic entry for VM-B that points to a null LTL value.  If VM-A attempted to send traffic to VM-B's mac, it would not leave the host.
Please be aware that N1k can only enforce pVLANs for traffic behind the VEMs.  If you have other servers in VLAN 10 on the blue switch, it would be seen as a promiscuous port from N1k standpoint.  Additional configuration would be required to prevent communication.

Similar Messages

  • Nexus 1000v VEM module bouncing between hosts

    I'm receiving these error messages on my N1KV and don't know how to fix it.  I've tried removing, rebooting, reinstalling host B's VEM but that did not fix the issue.  How do I debug this?
    My setup,
    Two physical hosts running esxi 5.1, vcenter appliance, n1kv with two system uplinks and two uplinks for iscsi for each host.  Let me know if you need more output from logs or commands, thanks.
    N1KV# 2013 Jun 17 18:18:07 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 17 18:18:07 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 17 18:18:08 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_UNEXP_NODEID_REQ: Removing VEM 3 (Unexpected Node Id Request)
    2013 Jun 17 18:18:09 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 17 18:18:13 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.51.100 detected as module 3
    2013 Jun 17 18:18:13 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 17 18:18:16 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_UNEXP_NODEID_REQ: Removing VEM 3 (Unexpected Node Id Request)
    2013 Jun 17 18:18:17 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 17 18:18:21 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 17 18:18:21 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 17 18:18:22 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_UNEXP_NODEID_REQ: Removing VEM 3 (Unexpected Node Id Request)
    2013 Jun 17 18:18:23 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 17 18:18:28 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.51.100 detected as module 3
    2013 Jun 17 18:18:29 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 17 18:18:44 N1KV %PLATFORM-2-MOD_DETECT: Module 2 detected (Serial number :unavailable) Module-Type Virtual Supervisor Module Model :unavailable
    N1KV# sh module
    Mod  Ports  Module-Type                       Model               Status
    1    0      Virtual Supervisor Module         Nexus1000V          ha-standby
    2    0      Virtual Supervisor Module         Nexus1000V          active *
    3    248    Virtual Ethernet Module           NA                  ok
    Mod  Sw                  Hw     
    1    4.2(1)SV2(1.1a)     0.0                                             
    2    4.2(1)SV2(1.1a)     0.0                                             
    3    4.2(1)SV2(1.1a)     VMware ESXi 5.1.0 Releasebuild-838463 (3.1)     
    Mod  MAC-Address(es)                         Serial-Num
    1    00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8  NA
    2    00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8  NA
    3    02-00-0c-00-03-00 to 02-00-0c-00-03-80  NA
    Mod  Server-IP        Server-UUID                           Server-Name
    1    192.168.54.2     NA                                    NA
    2    192.168.54.2     NA                                    NA
    3    192.168.51.100   03000200-0400-0500-0006-000700080009  NA
    * this terminal session
    ~ # vemcmd show card
    Card UUID type  2: 03000200-0400-0500-0006-000700080009
    Card name:
    Switch name: N1KV
    Switch alias: DvsPortset-1
    Switch uuid: e6 dc 36 50 c0 a9 d9 a5-0b 98 fb 90 e1 fc 99 af
    Card domain: 2
    Card slot: 3
    VEM Tunnel Mode: L3 Mode
    L3 Ctrl Index: 49
    L3 Ctrl VLAN: 51
    VEM Control (AIPC) MAC: 00:02:3d:10:02:02
    VEM Packet (Inband) MAC: 00:02:3d:20:02:02
    VEM Control Agent (DPA) MAC: 00:02:3d:40:02:02
    VEM SPAN MAC: 00:02:3d:30:02:02
    Primary VSM MAC : 00:50:56:b6:0c:b2
    Primary VSM PKT MAC : 00:50:56:b6:35:3f
    Primary VSM MGMT MAC : 00:50:56:b6:d5:12
    Standby VSM CTRL MAC : 00:50:56:b6:96:f2
    Management IPv4 address: 192.168.51.100
    Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
    Primary L3 Control IPv4 address: 192.168.54.2
    Secondary VSM MAC : 00:00:00:00:00:00
    Secondary L3 Control IPv4 address: 0.0.0.0
    Upgrade : Default
    Max physical ports: 32
    Max virtual ports: 216
    Card control VLAN: 1
    Card packet VLAN: 1
    Control type multicast: No
    Card Headless Mode : No
           Processors: 4
      Processor Cores: 4
    Processor Sockets: 1
      Kernel Memory:   16669760
    Port link-up delay: 5s
    Global UUFB: DISABLED
    Heartbeat Set: True
    PC LB Algo: source-mac
    Datapath portset event in progress : no
    Licensed: Yes
    ~ # vemcmd show card
    Card UUID type  2: 03000200-0400-0500-0006-000700080009
    Card name:
    Switch name: N1KV
    Switch alias: DvsPortset-0
    Switch uuid: e6 dc 36 50 c0 a9 d9 a5-0b 98 fb 90 e1 fc 99 af
    Card domain: 2
    Card slot: 3
    VEM Tunnel Mode: L3 Mode
    L3 Ctrl Index: 49
    L3 Ctrl VLAN: 52
    VEM Control (AIPC) MAC: 00:02:3d:10:02:02
    VEM Packet (Inband) MAC: 00:02:3d:20:02:02
    VEM Control Agent (DPA) MAC: 00:02:3d:40:02:02
    VEM SPAN MAC: 00:02:3d:30:02:02
    Primary VSM MAC : 00:50:56:b6:0c:b2
    Primary VSM PKT MAC : 00:50:56:b6:35:3f
    Primary VSM MGMT MAC : 00:50:56:b6:d5:12
    Standby VSM CTRL MAC : 00:50:56:b6:96:f2
    Management IPv4 address: 192.168.52.100
    Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
    Primary L3 Control IPv4 address: 192.168.54.2
    Secondary VSM MAC : 00:00:00:00:00:00
    Secondary L3 Control IPv4 address: 0.0.0.0
    Upgrade : Default
    Max physical ports: 32
    Max virtual ports: 216
    Card control VLAN: 1
    Card packet VLAN: 1
    Control type multicast: No
    Card Headless Mode : Yes
           Processors: 4
      Processor Cores: 4
    Processor Sockets: 1
      Kernel Memory:   16669764
    Port link-up delay: 5s
    Global UUFB: DISABLED
    Heartbeat Set: False
    PC LB Algo: source-mac
    Datapath portset event in progress : no
    Licensed: Yes
    ! ports 1-6 connected to physical host A
    interface GigabitEthernet1/0/1
    description VMWARE ESXi Trunk
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable
    channel-group 1 mode active
    ! ports 7-12 connected to phys host B
    interface GigabitEthernet1/0/7
    description VMWARE ESXi Trunk
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable
    channel-group 2 mode active

    ok after deleteing the n1kv vms and vcenter and then reinstalling all I got the error again,
    N1KV# 2013 Jun 18 17:48:12 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:48:13 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:48:16 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 18 17:48:16 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 18 17:48:22 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:48:23 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:48:34 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 18 17:48:34 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 18 17:48:41 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:48:42 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:49:03 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 18 17:49:03 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 18 17:49:10 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:49:11 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:49:29 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.51.100 detected as module 3
    2013 Jun 18 17:49:29 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 18 17:49:35 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:49:36 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:49:53 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.51.100 detected as module 3
    2013 Jun 18 17:49:53 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2013 Jun 18 17:49:59 N1KV %VEM_MGR-2-VEM_MGR_REMOVE_STATE_CONFLICT: Removing VEM 3 due to state conflict VSM(NodeId Processed), VEM(ModIns End Rcvd)
    2013 Jun 18 17:50:00 N1KV %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    2013 Jun 18 17:50:05 N1KV %VEM_MGR-2-VEM_MGR_DETECTED: Host 192.168.52.100 detected as module 3
    2013 Jun 18 17:50:05 N1KV %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    Host A
    ~ # vemcmd show card
    Card UUID type  2: 03000200-0400-0500-0006-000700080009
    Card name:
    Switch name: N1KV
    Switch alias: DvsPortset-0
    Switch uuid: e6 dc 36 50 c0 a9 d9 a5-0b 98 fb 90 e1 fc 99 af
    Card domain: 2
    Card slot: 1
    VEM Tunnel Mode: L3 Mode
    L3 Ctrl Index: 49
    L3 Ctrl VLAN: 52
    VEM Control (AIPC) MAC: 00:02:3d:10:02:00
    VEM Packet (Inband) MAC: 00:02:3d:20:02:00
    VEM Control Agent (DPA) MAC: 00:02:3d:40:02:00
    VEM SPAN MAC: 00:02:3d:30:02:00
    Primary VSM MAC : 00:50:56:b6:96:f2
    Primary VSM PKT MAC : 00:50:56:b6:11:b6
    Primary VSM MGMT MAC : 00:50:56:b6:48:c6
    Standby VSM CTRL MAC : ff:ff:ff:ff:ff:ff
    Management IPv4 address: 192.168.52.100
    Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
    Primary L3 Control IPv4 address: 192.168.54.2
    Secondary VSM MAC : 00:00:00:00:00:00
    Secondary L3 Control IPv4 address: 0.0.0.0
    Upgrade : Default
    Max physical ports: 32
    Max virtual ports: 216
    Card control VLAN: 1
    Card packet VLAN: 1
    Control type multicast: No
    Card Headless Mode : Yes
           Processors: 4
      Processor Cores: 4
    Processor Sockets: 1
      Kernel Memory:   16669764
    Port link-up delay: 5s
    Global UUFB: DISABLED
    Heartbeat Set: False
    PC LB Algo: source-mac
    Datapath portset event in progress : no
    Licensed: No
    Host B
    ~ # vemcmd show card
    Card UUID type  2: 03000200-0400-0500-0006-000700080009
    Card name:
    Switch name: N1KV
    Switch alias: DvsPortset-0
    Switch uuid: bf fb 28 50 1b 26 dd ae-05 bd 4e 48 2e 37 56 f3
    Card domain: 2
    Card slot: 3
    VEM Tunnel Mode: L3 Mode
    L3 Ctrl Index: 49
    L3 Ctrl VLAN: 51
    VEM Control (AIPC) MAC: 00:02:3d:10:02:02
    VEM Packet (Inband) MAC: 00:02:3d:20:02:02
    VEM Control Agent (DPA) MAC: 00:02:3d:40:02:02
    VEM SPAN MAC: 00:02:3d:30:02:02
    Primary VSM MAC : 00:50:56:a8:f5:f0
    Primary VSM PKT MAC : 00:50:56:a8:3c:62
    Primary VSM MGMT MAC : 00:50:56:a8:b4:a4
    Standby VSM CTRL MAC : 00:50:56:a8:30:d5
    Management IPv4 address: 192.168.51.100
    Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
    Primary L3 Control IPv4 address: 192.168.54.2
    Secondary VSM MAC : 00:00:00:00:00:00
    Secondary L3 Control IPv4 address: 0.0.0.0
    Upgrade : Default
    Max physical ports: 32
    Max virtual ports: 216
    Card control VLAN: 1
    Card packet VLAN: 1
    Control type multicast: No
    Card Headless Mode : No
           Processors: 4
      Processor Cores: 4
    Processor Sockets: 1
      Kernel Memory:   16669760
    Port link-up delay: 5s
    Global UUFB: DISABLED
    Heartbeat Set: True
    PC LB Algo: source-mac
    Datapath portset event in progress : no
    Licensed: Yes
    I used the nexus 1000v java installer so I don't know what it keeps assigning the same UUID nor do I know how to change it.
    Here is the other output you requested,
    N1KV# show vms internal info dvs
      DVS INFO:
    DVS name: [N1KV]
          UUID: [bf fb 28 50 1b 26 dd ae-05 bd 4e 48 2e 37 56 f3]
          Description: [(null)]
          Config version: [1]
          Max ports: [8192]
          DC name: [Galaxy]
         OPQ data: size [1121], data: [data-version 1.0
    switch-domain 2
    switch-name N1KV
    cp-version 4.2(1)SV2(1.1a)
    control-vlan 1
    system-primary-mac 00:50:56:a8:f5:f0
    active-vsm packet mac 00:50:56:a8:3c:62
    active-vsm mgmt mac 00:50:56:a8:b4:a4
    standby-vsm ctrl mac 0050-56a8-30d5
    inband-vlan 1
    svs-mode L3
    l3control-ipaddr 192.168.54.2
    upgrade state 0 mac 0050-56a8-30d5 l3control-ipv4 null
    cntl-type-mcast 0
    profile dvportgroup-26 trunk 1,51-57,110
    profile dvportgroup-26 mtu 9000
    profile dvportgroup-27 access 51
    profile dvportgroup-27 mtu 1500
    profile dvportgroup-27 capability l3control
    profile dvportgroup-28 access 52
    profile dvportgroup-28 mtu 1500
    profile dvportgroup-28 capability l3control
    profile dvportgroup-29 access 53
    profile dvportgroup-29 mtu 1500
    profile dvportgroup-30 access 54
    profile dvportgroup-30 mtu 1500
    profile dvportgroup-31 access 55
    profile dvportgroup-31 mtu 1500
    profile dvportgroup-32 access 56
    profile dvportgroup-32 mtu 1500
    profile dvportgroup-34 trunk 220
    profile dvportgroup-34 mtu 9000
    profile dvportgroup-35 access 220
    profile dvportgroup-35 mtu 1500
    profile dvportgroup-35 capability iscsi-multipath
    end-version 1.0
          push_opq_data flag: [1]
    show svs neighbors
    Active Domain ID: 2
    AIPC Interface MAC: 0050-56a8-f5f0
    Inband Interface MAC: 0050-56a8-3c62
    Src MAC           Type   Domain-id    Node-id     Last learnt (Sec. ago)
    0050-56a8-30d5     VSM         2         0201      1020.45
    0002-3d40-0202     VEM         2         0302         1.33
    I cannot add Host A to the N1KV it errors out with,
    vDS operation failed on host 192.168.52.100, An error occurred during host configuration. got (vim.fault.PlatformConfigFault) exception
    Host B (192.168.51.100) was added fine, then I moved a vmkernel to the N1KV which brought up the VEM and got the VEM flapping errors.

  • Cisco Nexus 1000v stops inheriting

    Guys,
    I have an issue with the Nexus 1000v, basically the trunk ports on the ESXi hosts stop inheriting from the main DATA-UP link port profile, which means that not all VLANS get presented down that given trunk port, its like it gets completey out of sync somehow. An example is below,
    THIS IS A PC CONFIG THAT'S NOT WOKRING CORRECTLY
    show int trunk
    Po9        100,400-401,405-406,412,430,434,438-439,446,449-450,591,850
    sh run int po9
    interface port-channel9
      inherit port-profile DATA-UP
      switchport trunk allowed vlan add 438-439,446,449-450,591,850 (the system as added this not user)
    THIS IS A PC CONFIG THAT IS WORKING CORRECTLY
    show int trunk
    Po2        100,292,300,313,400-401,405-406,412,429-430,434,438-439,446,449-450,582,591,850
    sh run int po2
    interface port-channel2
        inherit port-profile DATA-UP
    I have no idea why this keeps happening, when i remove the manual static trunk configuration on po9, everything is fine, few days later, it happens again, its not just po9, there is at least 3 port-channel that it affects.
    My DATA-UP link port-profile configuration looks like this and all port channels should reflect the VLANs allowed but some are way out.
    port-profile type ethernet DATA-UP
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 100,292,300,313,400-401,405-406,412,429-430,434,438-439,446,449-450,5
    82,591,850
      channel-group auto mode on sub-group cdp
      no shutdown
      state enabled
    The upstream switches match the same VLANs allowed and the VLAN database is a mirror image between Nexus and Upstream switches.
    The Cisco Nexus version is 4.2.1
    Anyone seen this problem?
    Cheers

    Using vMotion you can perform the entire upgrade with no disruption to your virtual infrastructure. 
    If this is your first upgrade, I highly recommend you go through the upgrade guides in detail.
    There are two main guides.  One details the VSM and overall process, the other covers the VEM (ESX) side of the upgrade.  They're not very long guides, and should be easy to follow.
    1000v Upgrade Guide:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4_a/upgrade/software/guide/n1000v_upgrade_software.html
    VEM Upgrade Guides:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4_a/install/vem/guide/n1000v_vem_install.html
    In a nutshell the procedure looks like this:
    -Backup of VSM Config
    -Run pre-upgrade check script (which will identify any config issues & ensures validation of new version with old config)
    -Upgrade standby VSM
    -Perform switchover
    -Upgrade image on old active (current standby)
    -Upgrade VEM modules
    One decision you'll need to make is whether to use Update Manager or not for the VEM upgrades.  If you don't have many hosts, the manual method is a nice way to maintain control on exactly what's being upgrade & when.  It will allow you to migrate VMs off the host, upgrade it, and then continue in this manner for all remaining hosts.  The alternate is Update Manager, which can be a little sticky if it runs into issues.  This method will automatically put hosts in Maintenance Mode, migrate VMs off, and then upgrade each VEM one by one.  This is a non-stop process so there's a little less control from that perspective.   My own preference is any environment with 10 or less hosts, I use manual, for more than that let VUM do the work.
    Let me know if you have any other questions.
    Regards,
    Robert

  • Nexus 1000v port-channels questions

    Hi,
    I’m running vCenter 4.1 and Nexus 1000v and about 30 ESX Hosts.
    I’m using one system uplink port profile for all 30 ESX Host; On each of the ESX host I have 2 NICs going to a Catalyst 3750 switch stack (Switch A), and another 2 NICs going to another Catalyst 3750 switch stack (Switch B).
    The Nexus is configured with the “sub-group CDP” command on the system uplink port profile like the following:
    port-profile type ethernet uplink
    vmware port-group
    switchport mode trunk
    switchport trunk allowed vlan 1,800,802,900,988-991,996-997,999
    switchport trunk native vlan 500
    mtu 1500
    channel-group auto mode on sub-group cdp
    no shutdown
    system vlan 988-989
    description System-Uplink
    state enabled
    And the port channel on the Catalyst 3750 are configured like the following:
    interface Port-channel11
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    end
    interface GigabitEthernet1/0/18
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    interface GigabitEthernet1/0/1
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    Now Cisco is telling me that I should be using MAC pinning when doing a trunk to two different stacks , and that each interface on 3750 should not be configured in a port-channel like above,  but should be configured as individual trunks.
    First question: Is the above statement correct, are my uplinks configured wrong?  Should they be configured individually in trunks instead of a port-channel?
    Second questions: If I need to add the MAC pinning configuration on my system uplink port-profile can I create a new system uplink port profile with the MAC pinning configuration and then move one ESX host (with no VM on them) one at a time to that new system uplink port profile? This way, I could migrate one ESX host at a time without outages to my VMs. Or is there an easier way to move 30 ESX hosts to a new system uplink profile with the MAC Pinning configuration.
    Thanks.

    Hello,
    From what I understood, you have the following setup:
         - Each ESX host has 4 NICS
         - 2 of them go to a 3750 stack and the other 2 go to a different 3750 stack
         - all 4 vmnics on the ESX host use the same Ethernet port-profile
              - this has 'channel-group auto mode on sub-group cdp'
         - The 2 interfaces on each 3750 stack are in a port-channel (just 'mode on')
    If yes, then this sort of a setup is correct. The only problem with this is the dependance on CDP. With CDP loss, the port-channels would go down.
    'mac-pinning' is the recommended option for this sort of a setup. You don't have to bundle the interfaces on the 3750 for this and these can be just regular trunk ports. If all your ports are on the same stack, then you can look at LACP. The CDP option would not be supported in the future releases. In fact, it is supposed to be removed from 4.2(1)SV1(2.1) but I still see the command available (ignore 4.2(1)SV1(4) next to it) - I'll follow up on this internally:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_2_1_1/interface/configuration/guide/b_Cisco_Nexus_1000V_Interface_Configuration_Guide_Release_4_2_1_SV_2_1_1_chapter_01.html
    For migrating, the best option would be as you suggested. Create a new port-profile with mac-pinning and move one host at a time. You can migrate VMs off the host before you change the port-profile and can remove the upstream port-channel config as well.
    Thanks,
    Shankar

  • Trunking Vlans in Nexus 1000V

    I am looking to design a solution for a customer and they run a very tight hosting environment with Nexus 1000V switches and want to setup private vlans as they are running out of vlans
    I need to find some info on if it is possible to trunk a private vlan between 2 nexus switches
    Or any info on private vlans on Nexus 1000V
    Thanks
    Roger

    Hello Roger,
    Yes, pVLANs can be trunked between switches.  A good discussion can be found here.  Have you considered VXLAN as an alternative to pVLANs?  VXLAN allows up to 16M segments definied though they differ slightly from pVLAN in that all VMs in a VXLAN segment can communicate.
    Matthew

  • Can a Nexus 1000v be configured to NOT do local switching in an ESX host?

    Before the big YES, use an external Nexus switch and use VN-Tag. The question is when there is a 3120 in a blade chassis that connects to the ESX hosts that have a 1000v installed on the ESX host. So, first hop outside the ESX host is not a Nexus box.
    Looking for if this is possible, if so how, and if not, where that might be documented. I have a client who's security policy prohibits switching (yes, even on the same VLAN) within a host (in this case blade server). Oh and there is an insistance to use 3120s inside the blade chassis.
    Has to be the strangest request I have had in a while.
    Any data would be GREATY appreciated!

    Thanks for the follow up.
    So by private VLANs, are you referring to "PVLAN":
    "PVLANs: PVLANs are a new feature available with the VMware vDS and the Cisco Nexus
    1000V Series. PVLANs provide a simple mechanism for isolating virtual machines in the
    same VLAN from each other. The VMware vDS implements PVLAN enforcement at the
    destination host. The Cisco Nexus 1000V Series supports a highly efficient enforcement
    mechanism that filters packets at the source rather than at the destination, helping ensure
    that no unwanted traffic traverses the physical network and so increasing the network
    bandwidth available to other virtual machines"

  • Nexus 1000v: Control VLAN must be same VLAN as ESX hosts?

    Hello,
    I'm trying to install nexus 1000v and came across the below prerequisite.
    The below release notes for Nexus 1000v states
    VMware and Host Prerequisites
    The VSM VM control interface must be on the same Layer 2 VLAN as the ESX 4.0 host that it manages. If you configure Layer 3, then you do not have this restriction. In each case however, the two VSMs must run in the same IP subnet.
    What I'm trying to do is to create 2 VLANs - one for management and the other for control & Data (as per latest deployment guide, we can put control & data in the same vlan).
    However, I wanted to have all ESX host management same VLAN as the VSM management as well as the vCenter Management. Essentially, creating a management network.
    However, from the above "VMWare and Host Prerequisites", does this means I cannot do this?
    I need to have the ESX host management same VLAN as the control VLAN?
    This means that my ESX host will reside in a different VLAN than my management subnet?
    Thanks...

    Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Nexus 1000v VSM can't comunicate with the VEM

    This is the configuration I have on my vsm
    !Command: show running-config
    !Time: Thu Dec 20 02:15:30 2012
    version 4.2(1)SV2(1.1)
    svs switch edition essential
    no feature telnet
    banner motd #Nexus 1000v Switch#
    ssh key rsa 2048
    ip domain-lookup
    ip host Nexus-1000v 172.16.0.69
    hostname Nexus-1000v
    errdisable recovery cause failed-port-state
    vem 3
      host vmware id 78201fe5-cc43-e211-0000-00000000000c
    vem 4
      host vmware id e51f2078-43cc-11e2-0000-000000000009
    priv 0xa2cb98ffa3f2bc53380d54d63b6752db localizedkey
    vrf context management
      ip route 0.0.0.0/0 172.16.0.1
    vlan 1-2
    port-channel load-balance ethernet source-mac
    port-profile default max-ports 32
    port-profile type ethernet Unused_Or_Quarantine_Uplink
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type vethernet Unused_Or_Quarantine_Veth
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type ethernet vmware-uplinks
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 1-3967,4048-4093
      channel-group auto mode on
      no shutdown
      system vlan 2
      state enabled
    port-profile type vethernet Management
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      state enabled
    port-profile type vethernet vMotion
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      state enabled
    port-profile type vethernet ServidoresGestion
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      state enabled
    port-profile type vethernet L3-VSM
      capability l3control
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      system vlan 2
      state enabled
    port-profile type vethernet VSG-Data
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      state enabled
    port-profile type vethernet VSG-HA
      vmware port-group
      switchport mode access
      switchport access vlan 2
      no shutdown
      state enabled
    vdc Nexus-1000v id 1
      limit-resource vlan minimum 16 maximum 2049
      limit-resource monitor-session minimum 0 maximum 2
      limit-resource vrf minimum 16 maximum 8192
      limit-resource port-channel minimum 0 maximum 768
      limit-resource u4route-mem minimum 1 maximum 1
      limit-resource u6route-mem minimum 1 maximum 1
    interface mgmt0
      ip address 172.16.0.69/25
    interface control0
    line console
    boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.1.1.bin sup-1
    boot system bootflash:/nexus-1000v.4.2.1.SV2.1.1.bin sup-1
    boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.1.1.bin sup-2
    boot system bootflash:/nexus-1000v.4.2.1.SV2.1.1.bin sup-2
    svs-domain
      domain id 1
      control vlan 1
      packet vlan 1
      svs mode L3 interface mgmt0
    svs connection vcenter
      protocol vmware-vim
      remote ip address 172.16.0.66 port 80
      vmware dvs uuid "ae 31 14 50 cf b2 e7 3a-5c 48 65 0f 01 9b b5 b1" datacenter-n
    ame DTIC Datacenter
      admin user n1kUser
      max-ports 8192
      connect
    vservice global type vsg
      tcp state-checks invalid-ack
      tcp state-checks seq-past-window
      no tcp state-checks window-variation
      no bypass asa-traffic
    vnm-policy-agent
      registration-ip 172.16.0.70
      shared-secret **********
      policy-agent-image bootflash:/vnmc-vsmpa.2.0.0.38.bin
      log-level
    for some reason my vsm can't the the vem. I could before, but then my server crashed without doing a copy run start and when it booted up all my config but the uplinks was lost.
    When I tried to configure the connection again it wasn't working.
    I'm also attaching a screen capture of the vds
    and a capture of the regular switch.
    I will appreciate very much any help you could give me and will provide any configuration details that you might need.
    Thank you so much.

    Carlos,
       Looking at vds.jpg, you do not have any VEM vmkernel interface attached to port-profile L3-VSM. So fix VSM-VEM communication problem, you either migrate your VEM management vmkernel interface to L3-VSM port-profile of the vds, or create new VMkernel port on your VEM/host and attach it to L3-VSM port-profile.

  • Firewall between Nexus 1000V VSM and vCenter

    Hi,
    Customer has multiple security zones in environment, and VMware vCenter is located in a Management Security Zone. VSMs in security zones have dedicated management interface facing Management Security Zone with firewall in between. What ports do we need to open for the communication between VSMs and vCenter? The Nexus 1000V troubleshooting guide only mentioned TCP/80 and TCP/443. Are these outbound from VSM to vCenter? Is there any requirements from vCenter to VSM? What's the best practice for VSM management interface configuration in multiple security zones environment? Thanks.

    Avi -
    You need the connection between vCenter and the VSM anytime you want to add or make any changes to the existing port-profiles.  This is how the port-profiles become available to the virtual machines that reside on your ESX hosts.
    One problem when the vCenter is down is what you pointed out - configuration changes cannot be pushed
    The VEM/VSM relationship is independent of the VSM/vCenter connection.  There are separate VLANs or L3 interfaces that are used to pass information and heartbeats between the VSM and its VEMs.
    Jen

  • Nexus 1000V. problem when working with the console VMWare

    I have a problem when working with the console VMWare.
    Sometimes it is impossible to connect any of the hypervisor to the guest OS managed by them.
    I get the message: "Unable connect to the MKS: Host address lookup for server <name of the hypervisor> failed: No such host is known."
    This message always appears in conjunction with the reconfiguration of virtual switch: "Reconfigure vNetwork Distributed Switch .... Initiated by Cisco_Nexus_1000V_ ....."
    Upon completion of the reconfiguration, Communication console, with guest OS is restored, or on its own or after a reboot srv-vc.
    In this time, I do not see any message in Nexus 1000v log.
    What is this?
    Thanks in advance.

    Smells of a DNS issue.  Are you sure your ESX hosts are reachable from your client via DNS hostname?  Try pinging them from a command prompt/terminal.  You may have DNS server issues.
    As a temp fix, edit your [windowspath]/system32/etc/drivers/hosts file and manually add the ESX host name and IP, then re-test.
    Regards,
    Robert

  • Nexus 1000V private-vlan issue

    Hello
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:Standardowy;
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:10.0pt;
    font-family:"Times New Roman";
    mso-ansi-language:#0400;
    mso-fareast-language:#0400;
    mso-bidi-language:#0400;}
    I need to transmit both the private-vlans (as promiscous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that ?
    Thank you in advance
    Lucas

    Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Firewall ports for Nexus 1000v

    hi all,
    There is firewall between nexus 1000v and vcentre and ESX 4.1i hosts.
    Could u pls advise which TCP/UDP ports to be opened for communication among Nexus1000v, vcentre and ESX hosts?
    Thank you very much!
    Best Regards,

    David,
    Between your VSM & VC you'll need TCP ports 80 & 443 open
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/troubleshooting/configuration/guide/n1000v_trouble_5modules.html
    Between your VEM & VSM you'll need port this should be layer 2 so no ports need to be open.
    If you're using Layer 3 mode then enusre you have UDP 4785 open.
    http://www.ciscosystemsverified.biz/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/system_management/configuration/guide/n1000v_system_3domain.pdf
    Regards,
    Robert

  • VSM and Cisco nexus 1000v

    Hi,
    We are planning to install Cisco Nexus 1000v in our environment. Before we want to install we want to explore little bit about Cisco Nexus 1000v
    •  I know there is 2 elements for Cisco 1k, VEM and VSM. Does VSM is required? Can we configure VEM individually?
    •   How does Nexus 1k integrated with vCenter. Can we do all Nexus 1000v configuration from vCenter without going to VEM or VSM?
    •   In term of alarming and reporting, does we need to get SNMP trap and get from individual VEM or can be use VSM to do that. OR can we   get    Cisco Nexus 1000v alarming and reporting form VMware vCenter.
    •  Apart from using Nexus 1010 can what’s the recommended hosting location for VSM, (same Host as VEM, different VM, and different physical server)
    Foyez Ahammed

    Hi Foyez,
    Here is a brief on the Nexus1000v and I'll answer some of your questions in that:
    The Nexus1000v is a Virtual Distributed Switch (software based) from Cisco which integrated with the vSphere environment to provide uniform networking across your vmware environment for the host as well as the VMs. There are two components to the N1K infrastructure 1) VSM 2) VEM.
    VSM - Virtual supervisor module is the one which controls the entire N1K setup and is from where the configuration is done for the VEM modules, interfaces, security, monitoring etc. VSM is the one which interacts with the VC.
    VEM - Virtual ethernet module are simply the module or virtual linecards which provide the connectivity option or virtual ports for the VMs and other virtaul interfaces. Each ESX host today can only have one VEM. These VEMs recieve their configuration / programing from the VSM.
    If you are aware of any other switching products from Cisco like the Cat 6k switches, the n1k behaves the same way but in a software / virtual environment. Where the VSM are equal of a SUPs and the VEM are similar to the line cards. The control and the packet VLANs in the n1k provide the same kind of AIPC and Inband connectivity as the 6k backplane would for the communication between the modules and the SUP (VSM in this case).
    *The n1k configuration is done only from the VSM and is visible in the VC.However the port-profiles created from the VSM are pushed from the VSM to the VC and have to be assigned to the virtual / physical ports from the VC.
    *You can run the VSM either on the Nexus1010 as a Virtual service blade (VSB) or as a normal VM on any of the ESX/ESXi server. The VSM and the VEM on the same server are fully supported.
    You can refer the following deployment guide for some more details: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html
    Hope this answers your queries!
    ./Abhinav

  • Nexus 1000V VEM Issues

    I am having some problems with VSM/VEM connectivity after an upgrade that I'm hoping someone can help with.
    I have a 2 ESXi host cluster that I am upgrading from vSphere 5.0 to 5.5u1, and upgrading a Nexus 1000V from SV2(2.1) to SV2(2.2).  I upgraded vCenter without issue (I'm using the vCSA), but when I attempted to upgrade ESXi-1 to 5.5u1 using VUM it complained that a VIB was incompatible.  After tracing this VIB to the 1000V VEM, I created an ESXi 5.5u1 installer package containing the SV2(2.2) VEM VIB for ESXi 5.5 and attempted to use VUM again but was still unsuccessful
    I removed the VEM VIB from the vDS and the host and was able to upgrade the host to 5.5u1.  I tried to add it back to the vDS and was given the error below:
    vDS operation failed on host esxi1, Received SOAP response fault from [<cs p:00007fa5d778d290, TCP:esxi1.gooch.net:443>]: invokeHostTransactionCall
    Received SOAP response fault from [<cs p:1f3cee20, TCP:localhost:8307>]: invokeHostTransactionCall
    An error occurred during host configuration. got (vim.fault.PlatformConfigFault) exception
    I installed the VEM VIB manually at the CLI with 'esxcli software vib install -d /tmp/cisco-vem-v164-4.2.1.2.2.2.0-3.2.1.zip' and I'm able to add to to the vDS, but when I connect the uplinks and migrate the L3 Control VMKernel, I get the following error where it complains about the SPROM when the module comes online, then it eventually drops the VEM.
    2014 Mar 29 15:34:54 n1kv %VEM_MGR-2-VEM_MGR_DETECTED: Host esxi1 detected as module 3
    2014 Mar 29 15:34:54 n1kv %VDC_MGR-2-VDC_CRITICAL: vdc_mgr has hit a critical error: SPROM data is invalid. Please reprogram your SPROM!
    2014 Mar 29 15:34:54 n1kv %VEM_MGR-2-MOD_ONLINE: Module 3 is online
    2014 Mar 29 15:37:14 n1kv %VEM_MGR-2-VEM_MGR_REMOVE_NO_HB: Removing VEM 3 (heartbeats lost)
    2014 Mar 29 15:37:19 n1kv %STP-2-SET_PORT_STATE_FAIL: Port state change req to PIXM failed, status = 0x41e80001 [failure] vdc 1, tree id 0, num ports 1, ports  state BLK, opcode MTS_OPC_PIXM_SET_MULT_CBL_VLAN_BM_FOR_MULT_PORTS, msg id (2274781), rr_token 0x22B5DD
    2014 Mar 29 15:37:21 n1kv %VEM_MGR-2-MOD_OFFLINE: Module 3 is offline
    I have tried gracefully removing ESXi-1 from the vDS and cluster, reformatting it with a fresh install of ESXi 5.5u1, but when I try to join it to the N1KV it throws the same error.

    Hi, 
    The SET_PORT_STATE_FAIL message is usually thrown when there is a communication issue between the VSM and the VEM while the port-channel interface is being programmed. 
    What is the uplink port profile configuration? 
    Other hosts are using this uplink port profile successfully?
    The upstream configuration on an affected and a working host is the same? (ie control VLAN allowed where necessary)
    Per kpate's post, control VLAN needs to be a system VLAN on the uplink port profile.
    The VDC SPROM message is a cosmetic defect
    https://tools.cisco.com/bugsearch/bug/CSCul65853/
    HTH,
    Joe

  • Nexus 1000v UCS Manager and Cisco UCS M81KR

    Hello everyone
    I am confused about how works the integration between N1K and UCS Manager:
    First question:
    If two VMs on different ESXi and different VEM but in the same VLAN,would like to talk each other, the data flow between them is managed from the upstream switch( in this case UCS Fabric Inteconnect), isn'it?
    I created a Ethernet uplink port-profile on N1K in switch port mode access(100), I created a vEthernet port-profile for the VM in switchport mode access(100) as well. In the Fabric Interconnect I created a vNIC profile for the physical NICs of ESXi(where there are the VMs). Also I created the vlan 100(the same in N1K)
    Second question: With the configuration above, if I include in the vNIC profile the vlan 100 (not as native vlan) only, the two VMs can not ping each other. Instead if I include in the vNIC profile only the defaul vlan(I think it is the vlan 1) as native vlan evereything works fine. WHY????
    Third question: How it works the tagging vlan on Fabric interconnectr and also in N1K.
    I tried to read differnt documents, but I did not understand.
    Thanks                 

    This document may help...
    Best Practices in Deploying Cisco Nexus 1000V Series Switches on Cisco UCS B and C Series Cisco UCS Manager Servers
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html
    If two VMs on different ESXi and different VEM but in the same  VLAN,would like to talk each other, the data flow between them is  managed from the upstream switch( in this case UCS Fabric Inteconnect),  isn'it?
    -Yes.  Each ESX host with the VEM will have one or more dedicated NICs for the VEMs to communicate with the upstream network.  These would be your 'type ethernet' port-profiles.  The ustream network would need to bridge the vlan between the two physicall nics.
    Second question: With the configuration above, if I include in the vNIC  profile the vlan 100 (not as native vlan) only, the two VMs can not ping  each other. Instead if I include in the vNIC profile only the defaul  vlan(I think it is the vlan 1) as native vlan evereything works fine.  WHY????
    -  The N1K port profiles are switchport access making them untagged.  This would be the native vlan in ucs.  If there is no native vlan in the UCS configuration, we do not have the upstream networking bridging the vlan.
    Third question: How it works the tagging vlan on Fabric interconnectr and also in N1K.
    -  All ports on the UCS are effectively trunks and you can define what vlans are allowed on the trunk as well as what vlan is passed natively or untagged.  In N1K, you will want to leave your vEthernet port profiles as 'switchport mode access'.  For your Ethernet profiles, you will want them to be 'switchport mode trunk'.  Use an used used vlan as the native vlan.  All production vlans will be passed from N1K to UCS as tagged vlans.
    Thank You,
    Dan Laden
    PDI Helpdesk
    http://www.cisco.com/go/pdihelpdesk

Maybe you are looking for