Nexus 7000 with VPC and HSRP Configuration

Hi Guys,
I would like to know how to implement HSRP with the following setup:
There are 2 Nexus 7000 connected with VPC Peer link. Each of the Nexus 7000 has a FEX attached to it.
The server has two connections going to the FEX on each Nexus 7k (VPC). FEXes are not dual homed, as far as I know they are not supported currently.
R(A)              R(S)
|                     |
7K Peer Link 7K
|                     |
FEX              FEX
Server connected to both FEX
The question is we have two routers connected to each of the Nexus 7k in HSRP (one active and one standby). How can I configure HSRP on the Nexus switches and how will the traffic be routed from the Standby Nexus switch to the Active Nexus switch (I know HSRP works differently here as both of them can forward packets)? Will the traffic go to the secondary switch and then via the peer link to the active switch and then to the active router? (From what I read the packet from end hosts which will go via the peer link will get dropped)
Has anyone implemented this before?
Thanks

Hi Kuldeep,
If you intend to put those routers on a non-vpc vlan, you may create a new inter-switch trunk between the N7K and allow that non-vpc vlan. However if those will be on a VPC vlan, best to create two links to the N7K pair and create a VPC, otherwise configure those ports as orphan ports which will leverage the VPC peer link.
HTH
Jay Ocampo

Similar Messages

  • Multicast: duplicated packets on nexus 7k with vpc and HSRP

    Hi guys,
    I'm testing multicast deployment on the lab shown below. The sender and the receiver are connected to the 6500 in two different vlans. The sender is in vlan 23 and the receiver in vlan 500. They are connected to the 6500 with a trunk link. There is vPC between the two nexus 7k and the 6500.
    Furthermore, there is HSRP running on the two vlan interface 23 and 500 on both nexus.
    I have configured the minimum to use PIM-SM with static RP. The RP is the 3750 above the nexus. (*,G) and (S,G) states are created correctly.
    IGMP snooping is enabled on 6500, and the two nexus.
    I'm using iperf to generate my flow, and netflow and snmp to monitor what happens.
    All works correctly, my receiver receives the flow and it takes the good route. My problem is that I have four times more multicast traffic on the vlan interface 500 on both nexus but this traffic is only sent one time to the receiver (which is the good comportment) and the rest of the traffic is not shown on any other physical interface in outbound.
    Indeed, I'm sending one flow, the two nexus receive it (one from peer link and the other from the 6500) in the vlan 23 (for example 25 packets inbound).
    But when the flow is routed in the vlan 500, there is 100 packets on each interface vlan 500 on each nexus in outbound.
    And when monitoring all physical interfaces, I only see 25 packets outbound on the interface linked with the receiver and the overflow isn't outgone.
    I have joined the graphs I obtain on one of the nexus for the vlan 23 and the vlan 500. Netflow says the same things in bits/s.
    Had someone already seen that? Any idea about the duplication of the packets?
    Thanks for any comment,
    Regards,
    Configuration:
    Nexus 1: n7000-s1-dk9.5.2.7.bin, 2 SUP1, 1 N7K-M132XP-12, 1 N7K-M148GS-11
    Nexus 2: n7000-s1-dk9.5.2.7.bin, 2 SUP1, 1 N7K-M132XP-12, 1 N7K-M148GS-11
    6500: s72033-adventerprisek9_wan-mz.122-33.SXI5.bin (12.2(33)SXI5)
    3750: c3750-ipservicesk9-mz.122-50.SE5.bin (12.2(50)SE5)

  • Nexus 7000, 2000, FCOE and Fabric Path

    Hello,
    I have a couple of design questions that I am hoping some of you can help me with.
    I am working on a Dual DC Upgrade. It is pretty standard design, customer requires a L2 extension between the DC for Vmotion etc. Customer would like to leverage certain features of the Nexus product suite, including:
    Trust Sec
    VDC
    VPC
    High Bandwidth Scalability
    Unified I/O
    As always cost is a major issue and consolidation is encouraged where possible. I have worked on a couple of Nexus designs in the past and have leveraged the 7000, 5000, 2000 and 1000 in the DC.
    The feedback that I am getting back from Customer seems to be mirrored in Cisco's technology roadmap. This relates specifically to the features supported in the Nexus 7000 and Nexus 5000.
    Many large enterprise Customers ask the question of why they need to have the 7000 and 5000 in their topologies as many of the features they need are supported in both platforms and their environments will never scale to meet such a modular, tiered design.
    I have a few specific questions that I am hoping can be answered:
    The Nexus 7000 only supports the 2000 on the M series I/O Modules; can FCOE be implemented on a 2000 connected to a 7000 using the M series I/O Module?
    Is the F Series I/O Module the only I/O Module that supports FCOE?
    Are there any plans to introduce the native FC support on the Nexus 7000?
    Are there any plans to introduce full fabric support (230 Gbps) to the M series I/O module?
    Are there any plans to introduce Fabric path to the M series I/O module?
    Are there any plans to introduce L3 support to the F series I/O Module?
    Is the entire 2000 series allocated to a single VDC or can individual 2000 series ports be allocated to a VDC?
    Is Trust Sec only supported on multi hop DCI links when using the ASR on EoMPLS pwire?
    Are there any plans to introduce Trust Sec and VDC to the Nexus 5500?
    Thanks,
    Colm

    Hello Allan
    The only IO card which cannot co-exist with other cards in the same VDC is F2 due to specific hardware realisation.
    All other cards can be mixed.
    Regarding the Fabric versions - Fabric-2 gives much bigger throughput compared with Fabric-1
    So in order to get full speed from F2/M2 modules you will need Fab-2 modules.
    Fab2 modules won't give any advantages to M1/F1 modules.
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/data_sheet_c78-685394.html
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/prodcut_bulletin_c25-688075.html
    HTH,
    Alex

  • Peer-Switch with vPC and non-vPC Vlan Port-Channels

    Hi,
    in a design guide i have noticed that it is best practice to split vPC and non-vPC vlans on different inter-switch port-channels. Now, if i want to use the Peer-Switch function, but the port-channel interface of the non-vPC-vlan channel moves into blocking state. The option spanning-tree pseudo-information has no influence. Is peer-switch possible in my kind of topology?
    Greeting,
    Stephan

    I believe absolutely possible, specifically coz peer-switch and spt pseudo-info are specific and local to cisco fabric services running as part of vpc technology. Personally I have a lab with a vpc-domain composed of 2 N5Ks. They are peer-switches with spt-pseudoinfo and they have MST running on non VPC links independently from vpc.

  • Jboss with mapviewer and network configuration.

    Hello All,
    Developed successfully an application piece with mapviewer and network (10.x) ndm on OAS.
    Now should integrate in solution running on JBoss 4.0.5.
    First problem arises when cannot reach new mapviewer html admin pages.
    Anybody has experience on this?
    Thank you,
    David

    Thank you again Justin.
    I think I'm getting closer but not working yet.
    Was missing the step you pointed out.
    Used successfully the AdfInstaller from OTN after copying the 36 lib files to JBOSS_HOME/server/default/lib.
    But can't run /mapviewer/faces/home.jspx yet.
    Next I post errors for before (a) and after (b) having deleted folder jboss\server\default\deploy\jbossweb-tomcat55.sar\jsf-libs [Understood this as equivalent step from doc "JBoss Deployment Notes" although written for version 4.0.3]
    Also tried to delete folders tmp, log and data, but get same error.
    (A)
    Error raised on executing
    /mapviewer/faces/home.jspx
    org.apache.jasper.JasperException
         org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:512)
         org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:395)
         org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
         org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
         com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:322)
    On the log at the jboss cmd prompt:
    22:22:08,421 ERROR [STDERR] Thu Dec 06 22:22:08 CET 2007 INFO [oracle.lbs.mapcac
    he.mcservlet] *** Oracle MapCacheServer started. ***
    22:22:55,812 ERROR [UIComponentTag] Faces context not found. getResponseWriter w
    ill fail. Check if the FacesServlet has been initialized at all in your web.xml.
    22:22:55,953 ERROR [[jsp]] Servlet.service() for servlet jsp threw exception
    java.lang.NullPointerException
    at javax.faces.webapp.UIComponentTag.setupResponseWriter(UIComponentTag.
    java:929)
    at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:310)
    (B)
    Error raised on executing
    /mapviewer/faces/home.jspx
    org.apache.jasper.JasperException: org.apache.myfaces.taglib.core.ViewTag
         org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:512)
         org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
         org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
         org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:810
    On the log at the jboss cmd prompt:
    22:50:56,156 INFO [STDOUT] INFO [oracle.lbs.mapserver.core.MapperConfig] settin
    g logging level to error
    22:51:01,859 ERROR [STDERR] Thu Dec 06 22:51:01 CET 2007 INFO [oracle.lbs.mapcac
    he.mcservlet] *** Oracle MapCacheServer started. ***
    22:51:47,687 ERROR [[jsp]] Servlet.service() for servlet jsp threw exception
    java.lang.NoClassDefFoundError: org.apache.myfaces.taglib.core.ViewTag
    at org.apache.jsp.home_jspx._jspx_meth_f_view_0(home_jspx.java:137)
    at org.apache.jsp.home_jspx._jspService(home_jspx.java:118)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper
    .java:334)
    22:51:47,687 ERROR [[Faces Servlet]] Servlet.service() for servlet Faces Servle
    threw exception
    java.lang.NoClassDefFoundError: org.apache.myfaces.taglib.core.ViewTag
    at org.apache.jsp.home_jspx._jspx_meth_f_view_0(home_jspx.java:137)
    at org.apache.jsp.home_jspx._jspService(home_jspx.java:118)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    Also would like to solve error related to georaster that seems a missing class:
    22:58:42,343 ERROR [STDERR] Exception in thread "Thread-81"
    22:58:42,343 ERROR [STDERR] java.lang.NoClassDefFoundError: javax/media/jai/Data
    BufferFloat
    22:58:42,359 ERROR [STDERR] at oracle.sdovis.theme.GeoRasterThemeProducer.pr
    epareData(GeoRasterThemeProducer.java:577)
    22:58:42,359 ERROR [STDERR] at oracle.sdovis.GeoRasterTheme.prepareData(GeoR
    asterTheme.java:90)
    22:58:42,359 ERROR [STDERR] at oracle.sdovis.LoadThemeData.run(LoadThemeData
    .java:66)
    Regards,
    David

  • Nexus 7000 - Moving vPC keep alive

    We have two Nexus 7010 switches running a vPC domain between the two switches.  On one of the 7010B, the peer keep alive (from the mgmt VRF) is connected to a 3560B *and* that 3560B also has a data connection back to the same 7010B.  Everything is fine with that setup.
    Our second 7010A, the peer keep alive link is also connected to a corresponding 3560A switch.  However, that 3560A switch is not connected to 7010A.
    I want to move the uplink from the 3560A from where it is to the 7010A which will break the keep alive.  However, I will not be breaking the vPC peer link as it is a pair of 10G connections between the two 7010 switches.
    I have read that the vPC won't come up unless the peer keep alive is present, but it wasn't clear about taking down the keep alive link momentarily.  Moving the cable would be quick, but I know the mac table will need to update since 7010B switch will now see the keep alive across its peer link instead of some other direction.
    Can I take the peer keep alive link down providing the peer link stays up?
    We are running kickstart and system version 5.0(3).
    Thanks!
    /alan

    Peer keepalive works on UDP port 3200 over IP with 1 sec interval and 5 sec timeout.
    It is not a requirement to have the peer-keepalive destination IP in the same subnet, but if you do not have it in the same subnet then you need to make sure you route it properly and that your IP routed infrastructure that carries the keepalive satisfies the above requirement, to make sure no single event on that IP infrastructure causes keepalives to lose packets; since peer-keepalive is UDP, it is not a reliable delivery method.
    The recommendation I heard in the past was to use your management ports as peer-keepalive. But one problem happens during ISSU with dual sup: each supervisor reboots, and after it comes up the roles of active and standby get switched at the end. So if you did not connect two management ports (one from each supervisor) to your management network then you will lose keepalives during software upgrade, because supervisor switchover occurs and the new management port becomes active.
    So the second recommendation is to create one peer-keepalive vrf so that it will have its own address space; if you have an M1 1 gig card in each switch then connect one cable between the switches and assign IP addresses (like 1.1.1.1-2/30) and put it in the peer-keepalive vrf. With this setup you do not lose peer keepalives during ISSU, because line cards do not need to reboot and your peer-keepalive UDP traffic will not depend on any other switch or router.

  • Problem with internet and mail configuration(From France)

    Hey x)
    I just got my BlackBerry yesterday (I'm from France) with Universal Mobile - Bouygues Telecom, forfait bloqué pour BlackBerry.
    In that "package" I have SMS/MMS, internet and emails unlimited.
    But I can't go to the internet, it's not working, and when I'm trying to configure the mail option in "advanced option", I don't have any kind of confirmation message.
    I tried on the website but I got that error message:
    "Cannot create account:
    This BlackBerry(R) device is not registered with your wireless service provider.
    Please register this device and verify that the URL of the current web site matches
    the one provided by your wireless service provider.
    To register:
    1. In the Application list on your device, click Options, or click Settings Options.
    2. Click Advanced Options > Host Routing Table.
    3. Click the Menu key and click Register Now.
    If the error persists, contact your wireless service provider."
    And so as I said, I did that manipulation but I don't have a confirmation when I put "host routing table".
    And In the email configuration I just have the professional thing.
    Can you please help me ?

    Do you have a BlackBerry Data Plan enabled on your account with your carrier or mobile provider?
    You must, in order to get the RIM push email functions you are looking for, as well as additional BlackBerry data services such as the internet browser, Facebook for BlackBerry, BlackBerry Messenger, and much more.
    So, call your carrier and inquire about having the BlackBerry Data Plan added to your account.
    Good luck.

  • Need some help with WM and gtk configuration

    Hello everybody.
    I've installed Arch Linux few days ago and currently I'm having a problem with gtk apps. It's the classic problem that they look ugly under fluxbox, my WM. I've tried to put this on ~/.xinitrc:
    exec fluxbox
    # load this to have gtk2 apps look ok
    GSDPID=`pidof gnome-settings-daemon`
    if [ "x$GSDPID" == "x" ]; then
    gnome-settings-daemon &
    fi
    or:
    # load this to have gtk2 apps look ok
    GSDPID=`pidof gnome-settings-daemon`
    if [ "x$GSDPID" == "x" ]; then
    gnome-settings-daemon &
    fi
    exec fluxbox
    And nothing happened. I'm sure it's an easy issue to solve, but I'm stuck here with this. Thank you for reading and thank you for your help.
    EDIT: I still have some time to lose on my laptop so can you recommend me which minimalist WM is better??
    Last edited by xlasttrainhomex (2008-10-05 11:49:15)

    I highly recommend Openbox. It doesn't provide you a panel like Fluxbox does, so you'll need to find yourself a panel - if you're lost for choice I can recommend tint2 and bmpanel as starters.
    Anyway, Openbox has session configurations for both GNOME and KDE, meaning that while GNOME will be sitting under all your applications, will try to manage your desktop, will try to launch panels, etc etc etc, Openbox will be managing your windows, and you can turn off whatever you don't want anyway - I have a highly configured, customized Openbox setup that gives me no indication except in my process listing that I'm using the GNOME session manager: the splash is disabled, Nautilus doesn't try to manage my desktop, I have no GNOME panels, and so on.
    -dav7

  • Nexus 7000 - Fabric Failure and VOQ

    I have been doing some research on the Nexus 7k and from what i am reading the following occurs:
    1. Fabric Module Failure - Causes all traffic sent across that fabric modules crossbar to be lost
    2. VOQ - protects against lack of buffer availability on the egress interface
    Neither of these provide reliable transmission over the crossbar or acknowledgement of data crossing the crossbar fabric.
    So my question is, if i have storage traffic (unicast based FCIP) that is crossing the fabric when a fabric module fails, is my understanding correct, that those frames are lost on the portion of the fabric that is controlled by the failed fabric module?
    Even though the main fabric itself is intact for other traffic, this still means that I have loss in what is supposed to be a system built for zero-loss to support storage traffic.
    Am i way off here or is this accurate.
    Thanks.

    Thanks for the response. From what i have read the control plane and data plane are completely isolated in the nexus 7k. The supervisor modules control the control plane and the central arbiter and the fabric modules handle the VOQ and the xbar communication.
    It works like this as i understand it:
    1. packet arrives at the ingress of a line card and is passed on the port asic
    2. port asic does its thing and forwards the packet to the replication engine
    3. rep engine passes the packet onto the L2 and L3 Forwarding engines - they do their dance and pass the packet on to the fabric engine
    4. Fabric Engine and VOQ mgmr consults the central arbiters to get credits to send traffic on the fabric
    5. Central Arbiter checks the egress line card to ensure buffer space is available. If its available it grants credit to the fabric engine and VOQ engine to send the packet on the fabric.
    The fabric crossbar BW is determined by the amount of fabric modules installed - 1 FM = 23Gbs x 2. When 2 or more FM are installed to create more Fabric BW, the forwarding across the fabric for unicast traffic acts like an Etherchannel and performs some sort of hashing algorithm to send the packet across the fabric.
    Let's say you have a 9216Byte packet and 3 Fabric modules installed. From what I am reading the packet would be broken up into 4 packets, around 2304 Bytes each (I think they might be 2460, can't recall), and passed across the fabric.
    So you have 1 large packet, fragmented across the fabric cards, sent to the destination IO card.
    While in transit, let's say one of the fabric Modules in the LB group dies. My understanding is the traffic on the trace goes with it.
    The traffic is lost in this case since there is no acknowledgement of traffic sent across the fabric. I would think in a high bandwidth situation this could be a lot of traffic, considering the speeds we are talking about here.
    Is this a possibility or am I missing some redundancy here that will protect the traffic that would be lost crossing the fabric?
    Is this the case on the 65k as well for traffic crossing the fabric?
    Thanks in advance.
    Mike

  • Problems with SVN and sync configuration

    Hello,
    I'm struggling with two 'features' of DW CS5.
    The first is the following behavior of the integrated SVN-client in DW.
    On every startup of the program DW sets the SVN-property to ignore the _notes directories (in which DW stores the sync-information) to all the folders of my sites. I set the global property in my local SVN-client to ignore those anyway, because I don't want the property in the folders of my repositories. Is there any way to say DW to NOT set this property itself? It's really annoying to delete the property every day...
    The second is when I have to start a sync to the remote-/testserver DW always marks all the files where just the date is different to mine but the content is the same. When a colleague is updating/sync'ing a whole site, with his IDE (not DW), all the files and folders get a new date and DW wants me to sync all these (10k files and growing...). That gets a little time intensive after a while. Is there a way to say DW to ignore the date of the file like in nearly every other sync-tool?
    Thanks for your answer(s),
    c

    Try this Re: Wi-Fi Sync not working in iOS 5

  • ESXi 4.1 NIC Teaming's Load-Balancing Algorithm,Nexus 7000 and UCS

    Hi, Cisco Gurus:
    Please help me in answering the following questions (UCSM 1.4(xx), 2 UCS 6140XP, 2 Nexus 7000, M81KR in B200-M2, No Nexus 1000V, using VMware Distributed Switch:
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned?
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct?
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES?
    I would really appreciate if someone can help me clear these lingering doubts of mine.
    God Bless.
    SiM

    Sim,
    Here are my thoughts without a 1000v in place,
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?   //Yes, for vPC to UCS the best practice is to bowtie uplink to (2) 7K or 5Ks.
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned? //The port channel will be configured on both the UCSM and the 7K. The pro of a port channel would be both bandwidth and redundancy. vPC would be preferred.
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct? //Without the 1000v, I always tend to leave the dvSwitch load balance behavior at the default of "route by portID".
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES? UCS can perform L2 but Northbound should be performing L3.
    Cheers,
    David Jarzynka

  • Ask the Expert: Basic Introduction and Troubleshooting on Cisco Nexus 7000 NX-OS Virtual Device Context

    With Vignesh R. P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions of Cisco expert Vignesh R. P. about the Cisco® Nexus 7000 Series Switches and support for the Cisco NX-OS Software platform.
    The Cisco® Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based on the Cisco MDS 9000 SAN-OS platform, Cisco NX-OS introduces support for virtual device contexts (VDCs), which allows the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.
    Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
    Remember to use the rating system to let Vignesh know if you have received an adequate response.
    Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Vignesh
    Is there any limitation to connect a N2K directly to the N7K?
    if i have an F2 card 10G and another F2 card 1G and i want to create 3 VDC'S
    VDC1=DC-Core
    VDC2=Aggregation
    VDC3=Campus core
    do we need to add a link between the different VDC's
    thanks

  • Nexus 5000 vpc and fabricpath considerations

    Hello community,
    I'm currently in the process of implementing a fabricpath environment which includes Nexus 5548UP as well Nexus 7009
    NX OS on N5K is 6.0(2)N1(2)
    Regarding the FP config on the N5K I wonder what is the best practice for the peer-link. Is it necessary to configure the Portchannel like below:
    interface port-channel2
      description VPC+ Peer Link
      switchport mode fabricpath
      spanning-tree port type network
      vpc peer-link
    There are several VLANs configured as FP.
    As I understand we can remove the command:
    spanning-tree port type network
    Can anyone confirm this ?
    Also I noticed a "cosmetic" problem. On two port 1/9 and 1/10 on both N5K it isn't possible to execute the command "speed"?!
    When the command speed is executed I receive the following error:
    ERROR: Ethernet1/9: Configuration does not match the port capability
    Also please notice after the vPC and FP configuration we don't do a reload!
    Thanks
    Udo

    Hi Simon -
    Have done some testings in the lab on ISSU with FEXes either in Active/Active and Straight-through fashion, and it works.
    Disabling BA on N5K (except the vPC peer link) is one of the requirements for ISSU.
    In a lately lab testing with the following topo, BA is configured on the vpc 101 between the N5Ks and Cat6k. We have a repeated regular ping between the SVI interfaces of c3750 and Cat6K.
                          c3750
                             ||
                          vPC
                             ||
        N5K =====vPC====== N5K
                              ||
                         vpc 101
                              ||
                         Cat6k
    When we changed the network type to disable BA, we observed some ping drops, which around 20-30.
    I am not sure what your network looks like, hopefully this will give you some ideas about the ISSU.  As a general recommendation, schedule a change window for some changes or even ISSU.
    regards,
    Michael

  • Smart call home - HTTPS transport from the Nexus 7000 to Cisco

    hi
    i try configured call home on nexus 7000 with https transport and proxy server
    i follow this guide -
    http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/QuickStart_NX7000.pdf
    and configured this :
    callhome
      email-contact XXXXXXXXXXX
      phone-contact XXXXXXXXXXX
      streetaddress XXXXXXXXXXXXXXXX
      destination-profile CiscoTAC-1 transport-method http
      destination-profile CiscoTAC-1 http https://tools.cisco.com/its/service/oddce/services/DDCEService
       transport http use-vrf management
      transport http proxy server XXXXXXXXXX port 8080                --------- XXXXXXXXX = my proxy server
      transport http proxy enable
      enable
      periodic-inventory notification interval  30
    i have a problem to install the security certificate, i follow the guide but i get the error :
    failed to load or parse certificate
    could not perform CA authentication
    when i try test call home with the command : callhome test
    trying to send test callhome message
    warning:no callhome message sent
    email configuration incomplete for destination profile:full_txt
    email configuration incomplete for destination profile:short_txt
    Error in transporting http message for CiscoTAC-1
    http: Received HTTP code 407 from proxy after CONNECT
    i guess the problem is because i didn't install the certificate, how can i install the certificate?
    is this the real problem?

    I agree with Bryan that the easiest proxy server to setup for the nexus 7000 is the Transport Gateway. The documentation (certificates) is setup to allow you to connect to a Cisco Transport Gateway or directly into tools.cisco.com. Both have a Cisco certificate.
    But that doesn't explain your issue. To answer your issue, you need to look here
    http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/SCH31_Ch6.html#wp1039385
    except you need your proxy server's chained certificate in PEM format since the Nexus 7000 is going to terminate at your proxy server. Take a look at this line in the documentation.
    Input (cut & paste) the CA certificate (chain) in PEM format
    The error code 407 you indicated makes sense and indicates "Proxy Authentication Required". You need the certificate installed first. NX-OS uses the openssl crypto library to implement the cert-pki feature if that helps. A complete certificate chain is required. Also, you might make sure the CRL (certificate revocation list) is set to none so it doesn't do that first.
    revocation-check none
    The 4 chained certificates given in the documentation are tools.cisco.com.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer. The non-nexus 7000 devices just use the last one. Most likely you need a certificate that looks like
    your proxy server.cer,Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer
    If you are using your own root CA (which typically are taken off-line after authorizing subordinate CAs for security reasons), then make sure that their certificates are in the correct order to be processed so each can be authenticated.
    Now you can see why a Cisco proxy server (Transport Gateway) is easier to setup.
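
    The ordering requirement in the answer above can be checked on a workstation before the chain is pasted into the switch. This is an added example, not code from the thread or from Cisco's documentation: a shell function that confirms a PEM bundle runs leaf, intermediate(s), root by comparing issuer and subject name hashes (names only, signatures are not verified). It assumes the openssl command-line tool; `make_sample_chain`, the file names and the certificate names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: check that a PEM bundle is ordered leaf -> intermediate(s) -> root.
# Only issuer/subject name linkage is checked; signatures are not verified.

# Prints the number of certificates and returns 0 when every certificate's
# issuer matches the subject of the certificate that follows it and the last
# certificate is self-issued (a root). Returns 1 on an ordering problem,
# 2 when the bundle cannot be read.
chain_in_order() {
    local bundle=$1 tmp rc pos issuer expected
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping the file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", d, n) }
        n { print > f }
    ' "$bundle"
    set -- "$tmp"/c*.pem
    if [ ! -e "$1" ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    rc=0
    pos=1
    while [ $# -gt 0 ]; do
        issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || { rc=2; break; }
        if [ $# -gt 1 ]; then
            # The next certificate in the bundle must be this one's issuer.
            expected=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || { rc=2; break; }
        else
            # The last certificate must be self-issued, i.e. the root.
            expected=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || { rc=2; break; }
        fi
        if [ "$issuer" != "$expected" ]; then
            echo "certificate $pos: issuer does not match the next subject" >&2
            rc=1
            break
        fi
        shift
        pos=$((pos + 1))
    done
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo $((pos - 1))
    return "$rc"
}

# Constructed sample data: a throwaway root, subordinate CA and proxy
# certificate written to directory $1 as root.pem, sub.pem and proxy.pem.
make_sample_chain() {
    (
        cd "$1" &&
        openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
            -out root.pem -subj "/CN=Constructed Root CA" -days 1 &&
        openssl req -newkey rsa:2048 -nodes -keyout sub.key \
            -out sub.csr -subj "/CN=Constructed Sub CA" &&
        openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -out sub.pem -days 1 &&
        openssl req -newkey rsa:2048 -nodes -keyout proxy.key \
            -out proxy.csr -subj "/CN=proxy.example.test" &&
        openssl x509 -req -in proxy.csr -CA sub.pem -CAkey sub.key \
            -CAcreateserial -out proxy.pem -days 1
    ) >/dev/null 2>&1
}

# Stand-alone use: pass the bundle you intend to paste as the first argument.
if [ $# -ge 1 ]; then
    chain_in_order "$1"
fi
```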

  • Netflow Nexus 7000

    Hi all,
    A few months ago I have configured netflow on a Nexus 7000 with NX-OS version 6.0.2.
    This was my config:
    flow exporter Fluke_NetflowTracker
      description export netflow to Fluke_NetflowTracker
      destination x.x.x.x use-vrf management
      transport udp 2055
      source mgmt0
      version 9
    flow exporter Fluke_Optiview
      description export netflow to Fluke_Optiview
      destination x.x.x.x  transport udp 2055
      source Vlanx
      version 9
    flow monitor MonitorTrafficToFluke
      record netflow-original
      exporter Fluke_NetflowTracker
      exporter Fluke_Optiview
    This flow was activated on some SVI's. "ip flow monitor MonitorTrafficToFluke input"
    Recently we have upgraded the NX-OS to version 6.1.3. The netflow keeps on working, but the syntax of the netflow configuration has changed. Now you have to add a sampler as well.
    So I have created the following sampler.
    sampler NetFlow-Sampler
      description Netflow Sampler
      mode 1 out-of 1000
    When I want to update the current configuration with the sampler I can't adapt or remove the existing netflow configuration on the SVI.
    NK7(config-if)# no ip flow monitor MonitorTrafficToFluke input
    ERROR: A sampler must be configured for an interface on an F2 card
    NK7(config-if)# ip flow monitor MonitorTrafficToFluke input sampler NetFlow-Sampler
    An additional 1:100 sampler, over the configured sampler is applicable for F2 ports
    Error: Sampler can not be changed on Interface Vlanx. Remove flow monitor first.
    ERROR: Command has failed
    How do I update or remove the existing configuration on the SVI.
    I want the config to be "ip flow monitor MonitorTrafficToFluke input sampler NetFlow-Sampler"
    Thank you,
    Best Regards,
    Joris

    Hi Joris,
    Try no feature netflow under the interface and try to re-apply the whole configs. Since it's an F2 we don't support config changes until 6.2(2); the only way is to remove the configs using no feature netflow and re-applying it.
    Thanks,
    Richard.
    *Rate if its useful
