Port-security and Nexus 1000v

Is there really any true need for port-security on Nexus 1000v for vethernet ports? Can a VM be assigned a previously used vethernet port that would trigger a port-security action?

If you want to prevent admins or malicious users from being able change the mac address of a VM then port-security is a useful feature. Especially in VDI environments where users might have full admin control of the VM and can change the mac of the vnic.
Now about veths ports. A veth gets assigned to a VM and stays with that VM. A veth is only released when either the nic on the VM is deleted or the nic is assigned to another port-profile on the N1KV or a port-group on a vSwitch or VMware DVS. Now when the veth is released it does not retain any of the piror information. It's freed up and added to a pool of available veths. When a veth is needed for a VM in either the same port-profile or a different port-profile the free veth will be grabbed and initialized. It does not retain any of the previous settings.
So assigning a VM to a previsously used veth port should not trigger a violation. The MAC should get learned and traffic should be able to flow.

Similar Messages

  • Port security and 802.1x (ISE)

    Hi everyone,
    I'm implemmenting ISE in a network with Port Security enabled.
    According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.
    I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.
    Someone?
    Thanks!

    Hi Neno,
    Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.
    Please find below logs from switch - 
    Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
    Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
    Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
    Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Can you guide us how to fix this one
    Regards
    Pranav

  • VM-FEX and Nexus 1000v relation

    Hi
    I am a new in virtulaization world and I need to know what is the relation between Cisco Nexus 1000v and Cisco VM-FEX?, and when to use VM-FEX and when to use Nexus 1000v.
    Regards

    Ahmed,
    Sorry for taking this long to get back to you.
    Nexus 1000v is a virtualized switch and as such will require that any traffic coming in or leaving the VM will first need to pass through the virtualization layer, therefore causing a minimum delay that for some applications (VMs) can be catastrophic enough that may mean too much delay.
    With VM-FEX you gain the option to bypass the virtualization layer with for example "Pass-Through" mode where the vmnics are really assigned and managed by the OS, minimizing the delay and making the VMs look as if they were directly attached, also, this offloads CPU workload in the mean time, optimizing the host/VM's performance.
    The need for one or the other will be defined as always by the needs your organization/business has.
    Benefits of VM-FEX (from cisco.com):
    Simplified operations: Eliminates the need for a separate, virtual networking infrastructure
    Improved network security: Contains VLAN proliferation
    Optimized network utilization: Reduces broadcast domains
    Enhanced application performance: Offloads virtual  machine switching from host CPU to parent switch application-specific  integrated circuits (ASICs)
    Benefits of Nexus 1000v here on another post from Rob Burns:
    https://supportforums.cisco.com/thread/2087541 
    https://communities.vmware.com/thread/316542?tstart=0
    I hope that helps 
    -Kenny

  • VWLC and Nexus-1000V

    Hi Experts!
    Does anybody try to install vWLC on ESX with Nexus-1000V as switch?
    All deployment guide are based on standard VMWare vSwitch and I can not find any information about questions:
    1. Is vWLC compatible with Nexus-1000V?
    2. What configuration should be done on Nexus-1000V to vWLC works properly?

    Hi Dave,
    You can access  below URL for nexus 1000v -4.0(4)SV1(3b) docs:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_b/roadmap/guide/n1000v_roadmap.html
    And
    Nexus5000
    http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.html
    BR,
    John Meng

  • How to change Nexus 1010 and Nexus 1000v IP address

    Hi Experts,
    We had run two VSM and one NAM in the Nexus 1010. The Nexus 1010 version is 4.2.1.SP1.4. And the Nexus 1000v version is 4.0.4.SV1.3c. Now we must to change management IP address to the other one. Where can I find the SOP or config sample? And have anything I must to remind?

    If it's only the mgmt0 IP address that you are changing, then you can just enter the new address under the mgmt0 interface. It will automatically sync with the VC.
    I guess you are trying to change the IP address of the VC plus the management VLAN as well. One way of doing this is:
    - From the Nexus 1000v, disconnect the connection to the VC (svs connection -> no connect)
    - Change the VC IP address and connect to it (svs connection -> remote ip address)
    - Change the Nexus 1000v mgmt0 address
    - Change the mgmt VLAN on the N1010
    - Change the mgmt address of the N1010
    - Reconnect the Nexus 1000v back to the VC (svs connection -> connect)
    Correspondingly, change the VLAN configuration on the upstream switch plus the connection to the VC as well.
    Thanks,
    Shankar

  • Dot1x with port security and redundant radius servers

    I have a strange issue with my dot1x port authentication.  I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC.  Testing redundnacy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc.  When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc.  Strange, since it showed an accept on the radius server.
    This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?
    Here's the setup and configs:
    freeradius 2.1.12-4
    cisco 3560
    Switch Ports Model              SW Version            SW Image                
    *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface GigabitEthernet0/1
    switchport access vlan 100
    switchport mode access
    switchport voice vlan 110
    authentication event no-response action authorize vlan 901
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    no mdix auto
    spanning-tree portfast
    radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
    radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
    Here's an authentication string from the radius server:
    (there are two mac address.  The first one 00.13 is the PC and the second 30.37 is the phone)
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    User-Password = "001372b639a6"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "00-13-72-B6-39-A6"
    Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
    Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 204 to 10.90.100.7 port 1645
    Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
    Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
    Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    User-Password = "3037a616cd49"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "30-37-A6-16-CD-49"
    Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
    Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 205 to 10.90.100.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
    Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
    Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
    Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
    Thanks!

    802.1X support    requires an authentication server that is configured for Remote    Authentication Dial-In User Service (RADIUS). 802.1X authentication does  not   work unless the network access switch can route packets to the  configured   RADIUS server.
    Please check the  below links which can be helpful in configurations:
    Link-1
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

  • Nexus 1000v port-channels questions

    Hi,
    I’m running vCenter 4.1 and Nexus 1000v and about 30 ESX Hosts.
    I’m using one system uplink port profile for all 30 ESX Host; On each of the ESX host I have 2 NICs going to a Catalyst 3750 switch stack (Switch A), and another 2 NICs going to another Catalyst 3750 switch stack (Switch B).
    The Nexus is configured with the “sub-group CDP” command on the system uplink port profile like the following:
    port-profile type ethernet uplink
    vmware port-group
    switchport mode trunk
    switchport trunk allowed vlan 1,800,802,900,988-991,996-997,999
    switchport trunk native vlan 500
    mtu 1500
    channel-group auto mode on sub-group cdp
    no shutdown
    system vlan 988-989
    description System-Uplink
    state enabled
    And the port channel on the Catalyst 3750 are configured like the following:
    interface Port-channel11
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    end
    interface GigabitEthernet1/0/18
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    interface GigabitEthernet1/0/1
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    Now Cisco is telling me that I should be using MAC pinning when doing a trunk to two different stacks , and that each interface on 3750 should not be configured in a port-channel like above,  but should be configured as individual trunks.
    First question: Is the above statement correct, are my uplinks configured wrong?  Should they be configured individually in trunks instead of a port-channel?
    Second questions: If I need to add the MAC pinning configuration on my system uplink port-profile can I create a new system uplink port profile with the MAC pinning configuration and then move one ESX host (with no VM on them) one at a time to that new system uplink port profile? This way, I could migrate one ESX host at a time without outages to my VMs. Or is there an easier way to move 30 ESX hosts to a new system uplink profile with the MAC Pinning configuration.
    Thanks.

    Hello,
    From what I understood, you have the following setup:
         - Each ESX host has 4 NICS
         - 2 of them go to a 3750 stack and the other 2 go to a different 3750 stack
         - all 4 vmnics on the ESX host use the same Ethernet port-profile
              - this has 'channel-group auto mode on sub-group cdp'
         - The 2 interfaces on each 3750 stack are in a port-channel (just 'mode on')
    If yes, then this sort of a setup is correct. The only problem with this is the dependance on CDP. With CDP loss, the port-channels would go down.
    'mac-pinning' is the recommended option for this sort of a setup. You don't have to bundle the interfaces on the 3750 for this and these can be just regular trunk ports. If all your ports are on the same stack, then you can look at LACP. The CDP option would not be supported in the future releases. In fact, it is supposed to be removed from 4.2(1)SV1(2.1) but I still see the command available (ignore 4.2(1)SV1(4) next to it) - I'll follow up on this internally:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_2_1_1/interface/configuration/guide/b_Cisco_Nexus_1000V_Interface_Configuration_Guide_Release_4_2_1_SV_2_1_1_chapter_01.html
    For migrating, the best option would be as you suggested. Create a new port-profile with mac-pinning and move one host at a time. You can migrate VMs off the host before you change the port-profile and can remove the upstream port-channel config as well.
    Thanks,
    Shankar

  • Nexus 1000V private-vlan issue

    Hello
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:Standardowy;
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:10.0pt;
    font-family:"Times New Roman";
    mso-ansi-language:#0400;
    mso-fareast-language:#0400;
    mso-bidi-language:#0400;}
    I need to transmit both the private-vlans (as promiscous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that ?
    Thank you in advance
    Lucas

    Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Nexus 1000v 4.2.1 - Interface Ethernet3/5 has been quarantined due to Cmd Failure

    Hello,
    i get the error message "Interface Ethernet3/5 has been quarantined due to Cmd Failure" when i try to activate the System Uplink ports on the Nexus 1000v VSM. The symptom occurs under 4.2.1.SV1.4 (has been fresh setup, did before tests with 4.0.4). Unfortunately, the link to the 4.2.1 troubleshooting guide does not work (seems it hasn't been released yet).
    Has anyone an idea what the root cause could be?
    The VSM and VEM run on a GP DL3xxG7 with 2 x Dual Port 10Gbit CNA Adapters.
         Nexus 1k config:
    vlan 1
    vlan 260
      name Servers
    vlan 340
      name NfsA
    vlan 357
      name vMotion
    vlan 920
      name Packet_Control
    port-profile type ethernet SYSTEM-UPLINK
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 1,260,301,303,305,307,357,544,920
      spanning-tree port type edge trunk
      switchport trunk native vlan 1
      channel-group auto mode active
      no shutdown
      system vlan 1,357,920
      state enabled
    port-profile type ethernet STORAGE-UPLINK
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 340
      channel-group auto mode active
      no shutdown
      system vlan 340
      state enabled
    When i do a no shut on the physical ports i get:
    switch(config-if)# no shut
    2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/7 has been quarantined due to Cmd Failure
    2011 Feb 24 11:43:55 switch %PORT-PROFILE-2-INTERFACE_QUARANTINED: Interface Ethernet3/5 has been quarantined due to Cmd Failure
    The other etherchannel (Port Profile STORAGE-UPLINK) does work pretty well...
    The peer switches are two Nexus 5k with VPC.
    config:
    port-profile type port-channel VMWare-LAN
      switchport mode trunk
      switchport trunk allowed vlan 260, 301, 303, 305, 307, 357, 544, 920
      spanning-tree port type edge trunk
      switchport trunk native vlan 1
      state enabled!
    interface port-channel18
      inherit port-profile VMWare-LAN
      description CHA vshpvm001 LAN
      vpc 18
      speed 10000!
    interface Ethernet1/18
      description CHA vshpvm001 LAN
      switchport mode trunk
      switchport trunk allowed vlan 260,301,303,305,307,357,544,920
      channel-group 18 mode active
    switch# show port-profile sync-status
    Ethernet3/5
    port-profile: SYSTEM-UPLINK
    interface status: quarantine
    sync status: out of sync
    cached commands: 
    errors:
        cached command failed
    recovery steps:
        unshut interface
    Ethernet3/7
    port-profile: SYSTEM-UPLINK
    interface status: quarantine
    sync status: out of sync
    cached commands: 
    errors:
        cached command failed
    recovery steps:
        unshut interface
    kind regards,
    andy

    Sean,
    thank you !
    "show accounting log" helped me - i had the command spanning-tree port type edge trunk in the config which i somehow didn't realize that we hadn't this command in the 4.0.4 lab setup...so it was a copy/paste error (i copied the port-profile config from the N5k down to the N1k).
    Fri Feb 25 07:20:32 2011:update:ppm.13880:admin:configure terminal ; interface Ethernet3/5 ; spanning-tree port type edge trunk (FAILURE)
    Fri Feb 25 07:20:32 2011:update:ppm.13890:admin:configure terminal ; interface Ethernet3/5 ; shutdown (FAILURE)
    As the N1k doesn't do STP at all (or does it? ) it's no wonder that the cli was complaining ...
    Maybe this command should get more attention in the tshoot guide as it seems to be a very helpful one.
    Cheers & Thanks,
    Andy

  • Nexus 1000v UCS Manager M81KR

    Hello everyone
    I am confused about how works the integration between N1K and UCS Manager:
    First question:
    If two VMs on different ESXi and different VEM but in the same VLAN,would like to talk each other, the data flow between them is managed from the upstream switch( in this case UCS Fabric Inteconnect), isn'it?
    I created a Ethernet uplink port-profile on N1K in switch port mode access(100), I created a vEthernet port-profile for the VM in switchport mode access(100) as well. In the Fabric Interconnect I created a vNIC profile for the physical NICs of ESXi(where there are the VMs). Also I created the vlan 100(the same in N1K)
    Second question: With the configuration above, if I include in the vNIC profile the vlan 100 (not as native vlan) only, the two VMs can not ping each other. Instead if I include in the vNIC profile only the defaul vlan(I think it is the vlan 1) as native vlan evereything works fine. WHY????
    Third question: How it works the tagging vlan on Fabric interconnectr and also in N1K.
    I tried to read differnt documents, but I did not understand.
    Thanks                 

    Since you have defined switchport mode access vlan 100 on uplink port-profile of Nexus 1000v, it sends all ethernet frames untagged(without 802.1q tag).
    When you include in the vNIC profile the vlan 100 (not as native vlan) ONLY like below screenshot, untagged frames are dropped because UCS expects all frames received on this port as tagged frames.
    When you change vNIC template to include default vlan as native vlan ONLY like below screen shot, you basically bridge two vlans (vlan 100 and vlan 1) because UCS FI now puts all untagged frames in vlan 1. and sends untagged frames to other ESXi host and ESXi host again bridge vlan 1 to vlan 100 with switchport mode access vlan 100 on uplink port profile.

  • 3550 port-security

    i've managed to set up port security and i need to lock the ports down by one mac well after going through each port step by step all the mac's are in the table but it shows them as dynamic address's i thought they were supposed to be static secure? i also thought that setting up port security would make so if someone changed ports on the switch that it would cause a security violation i havent been able to create a security violation yet.

    Hi,
    How have you configured this on your switch ports, all you need to do to restrict the port to a single MAC address is:
    switchport port-security
    switchport port-security violation restrict
    When you look at the CAM table for a specific port, the MAC address learned on that port should be listed as static and not dynamic.
    my_switch#sh mac-address-table int fa 2/0/7
    Mac Address Table
    Vlan Mac Address Type Ports
    134 0003.47a4.db43 STATIC Fa2/0/7
    Total Mac Addresses for this criterion: 1
    EDIT: You can also issue the following command:
    my_switch#sh port-security int fa 2/0/7
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 1
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0003.47a4.db43:134
    Security Violation Count : 0
    This shows the max allowed MACs on the port, the MAC that has been allowed and the port status as Secure_up
    I believe that's all you need to do.
    HTH
    Paddy

  • Firewall between Nexus 1000V VSM and vCenter

    Hi,
    Customer has multiple security zones in environment, and VMware vCenter is located in a Management Security Zone. VSMs in security zones have dedicated management interface facing Management Security Zone with firewall in between. What ports do we need to open for the communication between VSMs and vCenter? The Nexus 1000V troubleshooting guide only mentioned TCP/80 and TCP/443. Are these outbound from VSM to vCenter? Is there any requirements from vCenter to VSM? What's the best practice for VSM management interface configuration in multiple security zones environment? Thanks.

    Avi -
    You need the connection between vCenter and the VSM anytime you want to add or make any changes to the existing port-profiles.  This is how the port-profiles become available to the virtual machines that reside on your ESX hosts.
    One problem when the vCenter is down is what you pointed out - configuration changes cannot be pushed
    The VEM/VSM relationship is independent of the VSM/vCenter connection.  There are separate VLANs or L3 interfaces that are used to pass information and heartbeats between the VSM and its VEMs.
    Jen

  • VSM and Cisco nexus 1000v

    Hi,
    We are planning to install Cisco Nexus 1000v in our environment. Before we want to install we want to explore little bit about Cisco Nexus 1000v
    •  I know there is 2 elements for Cisco 1k, VEM and VSM. Does VSM is required? Can we configure VEM individually?
    •   How does Nexus 1k integrated with vCenter. Can we do all Nexus 1000v configuration from vCenter without going to VEM or VSM?
    •   In term of alarming and reporting, does we need to get SNMP trap and get from individual VEM or can be use VSM to do that. OR can we   get    Cisco Nexus 1000v alarming and reporting form VMware vCenter.
    •  Apart from using Nexus 1010 can what’s the recommended hosting location for VSM, (same Host as VEM, different VM, and different physical server)
    Foyez Ahammed

    Hi Foyez,
    Here is a brief on the Nexus1000v and I'll answer some of your questions in that:
    The Nexus1000v is a Virtual Distributed Switch (software based) from Cisco which integrated with the vSphere environment to provide uniform networking across your vmware environment for the host as well as the VMs. There are two components to the N1K infrastructure 1) VSM 2) VEM.
    VSM - Virtual supervisor module is the one which controls the entire N1K setup and is from where the configuration is done for the VEM modules, interfaces, security, monitoring etc. VSM is the one which interacts with the VC.
    VEM - Virtual ethernet module are simply the module or virtual linecards which provide the connectivity option or virtual ports for the VMs and other virtaul interfaces. Each ESX host today can only have one VEM. These VEMs recieve their configuration / programing from the VSM.
    If you are aware of any other switching products from Cisco like the Cat 6k switches, the n1k behaves the same way but in a software / virtual environment. Where the VSM are equal of a SUPs and the VEM are similar to the line cards. The control and the packet VLANs in the n1k provide the same kind of AIPC and Inband connectivity as the 6k backplane would for the communication between the modules and the SUP (VSM in this case).
    *The n1k configuration is done only from the VSM and is visible in the VC.However the port-profiles created from the VSM are pushed from the VSM to the VC and have to be assigned to the virtual / physical ports from the VC.
    *You can run the VSM either on the Nexus1010 as a Virtual service blade (VSB) or as a normal VM on any of the ESX/ESXi server. The VSM and the VEM on the same server are fully supported.
    You can refer the following deployment guide for some more details: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html
    Hope this answers your queries!
    ./Abhinav

  • Nexus 1000v - port-channel "refresh"

    Hi All,
    My question is, does anyone have any information on this 1000v command:
    Nexus-1000v(config)# port-channel internal device-id table refresh
    I am looking for a way for the port-channel interface to be automatically removed from the 1000v once the VEM has been deleted, currently the port-channel interface does not disappear when the VEM has been removed. This seems to be causing problems once the same VEM is re-added later on. Ports are getting sent into quarantine states and ending up in invalid states (eg. NoPortProfile state when there is actually a port-profile attached).
    Anyway, if anyone can explain the above command or tell me how to find out more, it would be great, I can't find it documented anywhere and the context-sensitive help in the NXOS is vague at best.

    Brendan,
    I don't have much information on that command, but I do know it wont remove any unused port channels.  They have to be manually deleted if they're no longer needed.
    The port Channel ID will remain even after a VEM is removed in case the assigned VEM comes back.  When a VEM is decommisioned permanently, I'll do a "no vem x" to also remove the Host entry for that VEM from the VSM.  This way the module slot # can be re-assigned to the next new VEM inserted.  After adding/removing VEMs just do a "show port-channel summary" to see any unused Port Channel IDs, and delete them.  It's a quick & painless task.
    I would hope this wouldn't be a common issue - how often are you deleting/removing VEMs?
    Regards,
    Robert

  • Firewall ports for Nexus 1000v

    hi all,
    There is firewall between nexus 1000v and vcentre and ESX 4.1i hosts.
    Could u pls advise which TCP/UDP ports to be opened for communication among Nexus1000v, vcentre and ESX hosts?
    Thank you very much!
    Best Regards,

    David,
    Between your VSM & VC you'll need TCP ports 80 & 443 open
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/troubleshooting/configuration/guide/n1000v_trouble_5modules.html
    Between your VEM & VSM you'll need port this should be layer 2 so no ports need to be open.
    If you're using Layer 3 mode then enusre you have UDP 4785 open.
    http://www.ciscosystemsverified.biz/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/system_management/configuration/guide/n1000v_system_3domain.pdf
    Regards,
    Robert

Maybe you are looking for

  • Error while generating Invoice

    Hi All, We are getting an error while generating Invoice from VF03. The error is Form of address key is not defined What I had done is, I had assigned a new PRINT program in output type ZD00 by removing the old one & in quality we were getting the ou

  • Iphone 3gs stuck in recovery mode, will not restore or update error 36

    As the title states, I have a 3gs stuck in recovery mode.  Sort of worked earlier today, been having trouble with the battery draining fast/not holding charge goes into recovery mode on its own at times.  Have been able to force it out of recovery in

  • Discoverer - Import PL/SQL Function - Function Not Appears

    Hi, I´m trying to import 15 PL/SQL Funtions inside a custom package into the discoverer administrator, but they do not appear in the list, when trying to do an automatic import. Also, when I press the Import Button, it takes aproximately one hour to

  • Intro to Programming Small Basic Lab

    Hello All, I am currently working on a lab for my intro to programming class that I am having some difficulty with.  The assignment is to create a program in Small Basic where a teacher can enter a Students name, enter multiple grades for that studen

  • OSB 11g import sbconfig.jar error

    Hello everybody, I'm trying to import OSB config jar to newly created OSB 11g environment. The following error occurs in Oracle Service Bus console during import: The import failed with exception: com.bea.wli.config.component.NotFoundException: Faile