Trust state in Nexus 7000

Similar Messages

• GLBP on Nexus 7000's

      We have GLBP configured on two Nexus 7000's using "load-balancing host-dependant" as our method of balancing. My question is, is there a quick way to determine which router each host is using. These are in production so any debugging is frowned on.
  Thanks
  David

  Available command to verify GLBP operation is following
  show glbp [group group-number]
  Displays the GLBP status for all or one group.
  show glbp capability
  Displays the GLBP capability for all or one group.
  show glbp interface interface-type slot/port
  Displays the GLBP status for an interface.
  show glbp interface interface-type slot/port [active] [disabled] [init] [listen] [standby]
  Displays the GLBP status for a group or interface for virtual forwarders in the selected state.
  show glbp interface interface-type slot/port [active] [disabled] [init] [listen] [standby] brief
  Displays a brief summary of the GLBP status for a group or interface for virtual forwarders in the selected state.
  But none of these will show you which host uses which AVF. In GLBP, Hosts still point to a default gateway IP address, but GLBP causes different hosts to send their traffic to one of up to four routers in a GLBP group. To do so, the GLBP Active Virtual Gateway (AVG) assigns each router in the group a unique virtual MAC address format 0007.B400.xxyy, where xx is the GLBP group number, and yy is a different number for each router (01, 02, 03, or 04). When a client ARPs for the (virtual) IP address of its default gateway, the GLBP AVG replies with one of the four possible virtual MACs. By replying to ARP requests with different virtual MACs, the hosts in that subnet will in effect balance the traffic across the routers, rather than send all traffic to the one active router. You can check ARP table of host and see the mac address of default gateway. But this is not an easy way.

• Nexus 7000, 2000, FCOE and Fabric Path

  Hello,
  I have a couple of design questions that I am hoping some of you can help me with.
  I am working on a Dual DC Upgrade. It is pretty standard design, customer requires a L2 extension between the DC for Vmotion etc. Customer would like to leverage certain features of the Nexus product suite, including:
  Trust Sec
  VDC
  VPC
  High Bandwidth Scalability
  Unified I/O
  As always cost is a major issue and consolidation is encouraged where possible. I have worked on a couple of Nexus designs in the past and have levergaed the 7000, 5000, 2000 and 1000 in the DC.
  The feedback that I am getting back from Customer seems to be mirrored in Cisco's technology roadmap. This relates specifically to the features supported in the Nexus 7000 and Nexus 5000.
  Many large enterprise Customers ask the question of why they need to have the 7000 and 5000 in their topologies as many of the features they need are supported in both platforms and their environments will never scale to meet such a modular, tiered design.
  I have a few specific questions that I am hoping can be answered:
  The Nexus 7000 only supports the 2000 on the M series I/O Modules; can FCOE be implemented on a 2000 connected to a 7000 using the M series I/O Module?
  Is the F Series I/O Module the only I/O Module that supports FCOE?
  Are there any plans to introduce the native FC support on the Nexus 7000?
  Are there any plans to introduce full fabric support (230 Gbps) to the M series I/O module?
  Are there any plans to introduce Fabric path to the M series I/O module?
  Are there any plans to introduce L3 support to the F series I/O Module?
  Is the entire 2000 series allocated to a single VDC or can individual 2000 series ports be allocated to a VDC?
  Is Trust Sec only support on multi hop DCI links when using the ASR on EoMPLS pwire?
  Are there any plans to inroduce Trust Sec and VDC to the Nexus 5500?
  Thanks,
  Colm

  Hello Allan
  The only IO card which cannot co-exist with other cards in the same VDC is F2 due to specific hardware realisation.
  All other cards can be mixed.
  Regarding the Fabric versions - Fabric-2 gives much bigger throughoutput in comparing with Fabric-1
  So in order to get full speed from F2/M2 modules you will need Fab-2 modules.
  Fab2 modules won't give any advantages to M1/F1 modules.
  http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/data_sheet_c78-685394.html
  http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/prodcut_bulletin_c25-688075.html
  HTH,
  Alex

• Nexus 7000 vPC modification - avoiding type1 inconsistencies

  Hi Everyone,
  I need to configure some features on a pair of Nexus 7000's running 4.2(6) - one of them is Root Guard.
  I am aware that when I enable Root Guard on the first vPC peer, the vPC will go into suspended state until I configure the other vPC peer identically.
  This is causing me a big service disruption headache as I need to do this for a whole Data Centre.
  I see on the Nexus 5k, you can do port-profiles which seems to enabled config synchronisation across vPC peers - so I assume the vPC would stay up due to both peers receiving config at exactly the same time - but this feature is not available on Nexus 7k.
  Does anybody know for sure if I were to create a scheduled job to run at the same time on both vPC peers with identical config content - i.e. apply Root Guard to vPC - would this prevent the vPC going into suspend state?
  If not, do you know of any other ways to prevent vPC going into suspend?
  Thanks in advance for any advice!

  Hi Raj,
  thankyou for your response.
  We have VPC between Core - Aggregation - all 7k and Aggregation to Access (5ks). VPC down from Core all the way to Access and also up all the way from Access to Core.
  So from a STP point of view, the topology is a single switch for Core, Aggregation and Access - so no loops.
  I agree this limits the potential for trouble if a switch is plugged into the access layer by mistake for example - but the customer is adamant they want it (RootGuard).
  Thanks,
  Oswaldo

• NEXUS 7000 xcvrInval

  Hi,
  I have some Nexus 7000 with FET-10G with xcvrInval status
  Eth7/33          N5k-S1-3T-1/3   xcvrInval trunk     auto    auto    Fabric Exte
  and some other FET-10G with notconn status
  Eth7/8           FEX-101         notconnec 1         auto    auto    Fabric Exte
  If I inter exchange the position of both FET-10G the status port doesn´t change
  FET-10G from 7/8 to 7/33
  FET-10G from 7/33 to 7/8
  7/33 holds xcvrInval status
  7/8 holds notconnec status
  I have reconfigured from default interface with same results
  Next you´ll find the same serial number in deferent port, the diference is the current
  when is xcvrInva or when is notconnec
  What can I do to get FET10G in e7/33 validated?
  sh interface e7/33   transceiver details
  Ethernet7/33
        transceiver is present
        type is Fabric Extender Transceiver
        name is CISCO-FINISAR  
        part number is FTLX8570D3BCL-C2
        revision is A  
        serial number is FNS17201TE5    
        nominal bitrate is 10300 MBit/sec
        Link length supported for 62.5/125um fiber is 10 m
        Link length supported for 50/125um OM3 fiber is 100 m
        cisco id is --
        cisco extended id number is 4
        cisco part number is 10-2566-02
        cisco product id is FET-10G            
        cisco vendor id is V02
        number of lanes 1
               SFP Detail Diagnostics Information (internal calibration)
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
      Temperature   19.30 C        75.00 C      5.00 C     70.00 C       10.00 C
  [7m--More-- [m
      Voltage        3.31 V         3.63 V      2.97 V      3.46 V        3.13 V
      Current        0.06 mA  --     11.80 mA     4.00 mA    10.80 mA       5.00 mA
      Tx Power          N/A        22.69 dBm    8.69 dBm     18.69 dBm     12.69 dBm
      Rx Power          N/A        22.99 dBm    6.09 dBm     18.99 dBm     10.09 dBm
      Transmit Fault Count = 0
      Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning
  now in slot 7/8
  Ethernet7/8
        transceiver is present
        type is Fabric Extender Transceiver
        name is CISCO-FINISAR  
        part number is FTLX8570D3BCL-C2
        revision is A  
        serial number is FNS17201TE5    
        nominal bitrate is 10300 MBit/sec
        Link length supported for 62.5/125um fiber is 10 m
        Link length supported for 50/125um OM3 fiber is 100 m
        cisco id is --
        cisco extended id number is 4
        cisco part number is 10-2566-02
        cisco product id is FET-10G            
        cisco vendor id is V02
        number of lanes 1
               SFP Detail Diagnostics Information (internal calibration)
                  Current              Alarms                  Warnings
                  Measurement     High        Low         High          Low
      Temperature   23.17 C        75.00 C      5.00 C     70.00 C       10.00 C
  [7m--More-- [m
      Voltage        3.30 V         3.63 V      2.97 V      3.46 V        3.13 V
      Current        7.50 mA       11.80 mA     4.00 mA    10.80 mA       5.00 mA
      Tx Power      17.65 dBm      22.69 dBm    8.69 dBm     18.69 dBm     12.69 dBm
      Rx Power     -12.21 dBm --   22.99 dBm    6.09 dBm     18.99 dBm     10.09 dBm
      Transmit Fault Count = 0
      Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning
  NX7K-1-VDC-3T-S1-L2FP# sh int e7/33
  Ethernet7/33 is down (Transceiver validation failed)
  admin state is up, Dedicated Interface
    Belongs to Po51
    Hardware: 1000/10000 Ethernet, address: 8478.ac23.6cec (bia 8478.ac23.6cec)
    Description: N5k-S1-3T-1/3
    MTU bytes (CoS values):  MTU  1500(0-2,4-7) bytes  MTU  2112(3) bytes
    BW 10000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, medium is broadcast
    Port mode is trunk
  auto-speed  auto-duplex,, media type is 10G
    Beacon is turned off
    Auto-Negotiation is turned on
    Input flow-control is off, output flow-control is off
    Auto-mdix is turned on
    Rate mode is dedicated
    Switchport monitor is off
    EtherType is 0x8100
    EEE (efficient-ethernet) : n/a
    Last link flapped never
    Last clearing of "show interface" counters 07:22:09
    0 interface resets
    Load-Interval #1: 30 seconds
      30 seconds input rate 0 bits/sec, 0 packets/sec
      30 seconds output rate 0 bits/sec, 0 packets/sec
    Load-Interval #2: 5 minute (300 seconds)
      300 seconds input rate 0 bits/sec, 0 packets/sec
      300 seconds output rate 0 bits/sec, 0 packets/sec
    RX
      88 unicast packets  0 multicast packets  0 broadcast packets
      0 input packets  0 bytes
      0 jumbo packets  0 storm suppression packets
      0 runts  0 giants  0 CRC/FCS  0 no buffer
      0 input error  0 short frame  0 overrun   0 underrun  0 ignored
      0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
      0 input with dribble  0 input discard
      0 Rx pause
    TX
      88 unicast packets  0 multicast packets  0 broadcast packets
      0 output packets  0 bytes
      0 jumbo packets
      0 output error  0 collision  0 deferred  0 late collision
      0 lost carrier  0 no carrier  0 babble  0 output discard
      0 Tx pause
  NX7K-1-VDC-3T-S1-L2FP# sh int e7/33
  Ethernet7/8 is down (Link not connected)
  admin state is up, Dedicated Interface
    Belongs to Po101
    Hardware: 1000/10000 Ethernet, address: 8478.ac23.6cd3 (bia 8478.ac23.6cd3)
    Description: FEX-101
    MTU bytes (CoS values):  MTU  1500(0-2,4-7) bytes  MTU  2112(3) bytes
    BW 10000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, medium is p2p
    Port mode is fex-fabric
  auto-speed  auto-duplex,, media type is 10G
    Beacon is turned off
    Auto-Negotiation is turned on
    Input flow-control is off, output flow-control is off
    Auto-mdix is turned on
    Rate mode is dedicated
    Switchport monitor is off
    EtherType is 0x8100
    EEE (efficient-ethernet) : n/a
    Last link flapped 5week(s) 1day(s)
    Last clearing of "show interface" counters never
    0 interface resets
    Load-Interval #1: 30 seconds
      30 seconds input rate 0 bits/sec, 0 packets/sec
  [7m--More-- [m
      30 seconds output rate 0 bits/sec, 0 packets/sec
    Load-Interval #2: 5 minute (300 seconds)
      300 seconds input rate 0 bits/sec, 0 packets/sec
      300 seconds output rate 0 bits/sec, 0 packets/sec
    RX
      10588 unicast packets  0 multicast packets  0 broadcast packets
      4 input packets  0 bytes
      0 jumbo packets  0 storm suppression packets
      0 runts  0 giants  0 CRC/FCS  0 no buffer
      0 input error  0 short frame  0 overrun   0 underrun  0 ignored
      0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
      0 input with dribble  0 input discard
      0 Rx pause
    TX
      10588 unicast packets  1 multicast packets  0 broadcast packets
      4 output packets  5688 bytes
      0 jumbo packets
      0 output error  0 collision  0 deferred  0 late collision
      0 lost carrier  0 no carrier  0 babble  0 output discard
      0 Tx pause

  Hi Ans,
  You are rigth, I have defaulted againt the port, now configured with switchport mode FEX, and now the FET-10G is validated
  NX7K-1-VDC-3T-S1-L2FP(config-if)#  description FEX-101
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   switchport
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   switchport mode fex-fabric
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   fex associate 101
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   medium p2p
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   channel-group 101
  NX7K-1-VDC-3T-S1-L2FP(config-if)#   no shutdown
  NX7K-1-VDC-3T-S1-L2FP(config-if)#
  NX7K-1-VDC-3T-S1-L2FP(config-if)# sh int e7/33 status
  Port             Name            Status    Vlan      Duplex  Speed   Type
  Eth7/33          FEX-101         notconnec 1         auto    auto    Fabric Exte
  NX7K-1-VDC-3T-S1-L2FP(config-if)#
  Thanks for your help, and have a nice weekend.
  Atte,
  EF

• Nexus 7000 route leak from GRT (default VRF) to other VRF's

  Hello
  We have a Nexus 7000 infrastructure whereby we have had multiple VDC's and VRF's deployed. A requirement has now come about whereby one of these VRF's needs to be able to see our GRT (default VRF) so we need to leak the GRT routes into the VRF and vice versa.
  I have been doing a lot of reading and I am happy with the how this works with inter-VRF route leaking but I seem to missing a few things in respect of how this works with the GRT.
  I have also read on another forum that this is not supported. See link below.
  https://supportforums.cisco.com/document/133711/vrf-configuration-and-verification-nexus-7000
  Does anyone have experience of this? I can also see how this works in IOS and I have GNS3 and got this working.
  We use BGP currently so we are able to use MP-BGP if required.
  Any help would be very useful.

  Hi,
  In Table 14 of the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide the verified limit is specified as 1000 per system i.e., across all VDCs for NX-OS release 5.2, 6.0 and 6.1.
  There is a footnote associated with this number which states:
  With each new VDC configured, the number of configurable VRFs per system is reduced by two as each VDC has a default VRF and management VRFs that are not removable. For example, with 8 configured VDCs on Cisco NX-OS Release 5.2, you can configure up to 984 VRFs per system (either all in one VDC or across VDCs).
  Regards

• Catalyst 6500 - Nexus 7000 migration

  Hello,
  I'm planning a platform migration from Catalyst 6500 til Nexus 7000. The old network consists of two pairs of 6500's as serverdistribution, configured with HSRPv1 as FHRP, rapid-pvst and ospf as IGP. Futhermore, the Cat6500 utilize mpls/l3vpn with BGP for 2/3 of the vlans. Otherwise, the topology is quite standard, with a number of 6500 and CBS3020/3120 as serveraccess.
  In preparing for the migration, VTP will be discontinued and vlans have been manually "copied" from the 6500 to the N7K's. Bridge assurance is enabled downstream toward the new N55K access-switches, but toward the 6500, the upcoming etherchannels will run in "normal" mode, trying to avoid any problems with BA this way. For now, only L2 will be utilized on the N7K, as we're avaiting the 5.2 release, which includes mpls/l3vpn. But all servers/blade switches will be migrated prior to that.
  The questions arise, when migrating Layer3 functionality, incl. hsrp. As per my understanding, hsrp in nxos has been modified slightly to better align with the vPC feature and to avoid sub-optimal forwarding across the vPC peerlink. But that aside, is there anything that would complicate a "sliding" FHRP migration? I'm thinking of configuring SVI's on the N7K's, configuring them with unused ip's and assign the same virtual ip, only decrementing the prio to a value below the current standby-router. Also spanning-tree prio will, if necessary, be modified to better align with hsrp.
  From a routing perspective, I'm thinking of configuring ospf/bgp etc. similar to that of the 6500's, only tweaking the metrics (cost, localpref etc) to constrain forwarding on the 6500's and subsequently migrate both routing and FHRP at the same time. Maybe not in a big bang style, but stepwise. Is there anything in particular one should be aware of when doing this? At present, for me this seems like a valid approach, but maybe someone has experience with this (good/bad), so I'm hoping someone has some insight they would like to share.
  Topology drawing is attached.
  Thanks
  /Ulrich

  In a normal scenario, yes. But not in vPC. HSRP is a bit different in the vPC environment. Even though the SVI is not the HSRP primary, it will still forward traffic. Please see the below white paper.
  http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-516396.html
  I will suggest you to set up the SVIs on the N7K but leave them in the down state. Until you are ready to use the N7K as the gateway for the SVIs, shut down the SVIs on the C6K one at a time and turn up the N7K SVIs. When I said "you are ready", it means the spanning-tree root is at the N7K along with all the L3 northbound links (toward the core).
  I had a customer who did the same thing that you are trying to do - to avoid down time. However, out of the 50+ SVIs, we've had 1 SVI that HSRP would not establish between C6K and N7K, we ended up moving everything to the N7K on a fly during of the migration. Yes, they were down for about 30 sec - 1 min for each SVI but it is less painful and waste less time because we don't need to figure out what is wrong or any NXOS bugs.
  HTH,
  jerry

• Nexus 7000 Platform Logging

  Hello,
  We recently had a power supply failure in one of our Nexus 7000s, and I noticed that the syslog for the Platform is only present in the default VDC, and not in any of the other VDCs syslogs. Is this by design, or is there a logging level I can turn up in another VDC to capture this log? Thanks for any input
  syslog from default VDC -
  2013 Mar 18 23:10:34  %PLATFORM-2-PS_CAPACITY_CHANGE: Power supply PS3 changed i
  ts capacity. possibly due to power cable removal/insertion (Serial number xxxxxxxx)
  nothing in the VDC where I would like to get the logging
  default VDC logging level -
  xxx7K02# show log level platform
  Facility        Default Severity        Current Session Severity
  platform                5                       5
  0(emergencies)          1(alerts)       2(critical)
  3(errors)               4(warnings)     5(notifications)
  6(information)          7(debugging)
  xxx7K02#
  loggging from the specific VDC where we have management tools.
  xxx-LOW# show log level platform
  Facility        Default Severity        Current Session Severity
  platform                5                       5
  0(emergencies)          1(alerts)       2(critical)
  3(errors)               4(warnings)     5(notifications)
  6(information)          7(debugging)
  xxx-LOW#

  Hello Carl,
  What version of code are you running on your Nexus 7k?
  The expected behavior is:
  "When a hardware issue occurs, syslog messages are sent to all VDCs."
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/virtual_device_context/configuration/guide/vdc_mgmt.html#wp1170241
  Dave

• Dell Servers with Nexus 7000 + Nexus 2000 extenders

  << Original post by smunzani. Answered by Robert. Moving from Document section to Discussions>>
  Team,
  I would like to use some of the existing Dell Servers for new network design of Nexus 7000 + Nexus 2000 extenders. What are my options for FEC to the hosts? All references of M81KR I found on CCO are related to UCS product only.
  What's best option for following setup?
  N7K(Aggregation Layer) -- N2K(Extenders) -- Dell servers
  Need 10G to the servers due to dense population of the VMs. The customer is not up for dumping recently purchased dell boxes in favor of UCS. Customer VMware license is Enterprise Edition.
  Thanks in advance.

  To answer your question, the M81KR-VIC is a Mezz card for UCS blades only.  For Cisco rack there is a PCIe version which is called the P81.  These are both made for Cisco servers only due to the integration with server management and virtual interface functionality.
  http://www.cisco.com/en/US/prod/collateral/ps10265/ps10493/data_sheet_c78-558230.html
  More information on it here:
  Regards,
  Robert

• Ask the Expert: Basic Introduction and Troubleshooting on Cisco Nexus 7000 NX-OS Virtual Device Context

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions of Cisco expert Vignesh R. P. about the Cisco® Nexus 7000 Series Switches and support for the Cisco NX-OS Software platform .
  The Cisco® Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based on the Cisco MDS 9000 SAN-OS platform, Cisco NX-OS introduces support for virtual device contexts (VDCs), which allows the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community discussion forum shortly after the event. This event lasts through through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Vignesh
  Is there is any limitation to connect a N2K directly to the N7K?
  if i have a an F2 card 10G and another F2 card 1G and i want to creat 3 VDC'S
  VDC1=DC-Core
  VDC2=Aggregation
  VDC3=Campus core
  do we need to add a link between the different VDC's
  thanks

• LMS 4.2.2 Interface utilisation on Nexus 7000

  Hi All,
  I'm trying to poll some interfaces for their utilization on a nexus 7000 through LMS 4.2.2.
  When I create a poller fot the specific instances, the LMS recognises the instances, but after activating the poller I get the error "No Such Instance - The specified instance is not available".
  No info is displayed when I generate an interface utilization report for the specific nexus.
  When I activate the automonitor for interface utilization, the interfaces on the nexus are polled.
  On the cisco website there are some features listed which LMS does not support on the Nexus 7000, but polling is not in that list (neither in the supported feature list).
  Any tips?
  Thanks for your help.
  Joris

  Any Idea..??

• ESXi 4.1 NIC Teaming's Load-Balancing Algorithm,Nexus 7000 and UCS

  Hi, Cisco Gurus:
  Please help me in answering the following questions (UCSM 1.4(xx), 2 UCS 6140XP, 2 Nexus 7000, M81KR in B200-M2, No Nexus 1000V, using VMware Distributed Switch:
  Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?
  Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned?
  Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct?
  Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES?
  I would really appreciate if someone can help me clear these lingering doubts of mine.
  God Bless.
  SiM

  Sim,
  Here are my thoughts without a 1000v in place,
  Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?   //Yes, for vPC to UCS the best practice is to bowtie uplink to (2) 7K or 5Ks.
  Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned? //The port channel will be configured on both the UCSM and the 7K. The pro of a port channel would be both bandwidth and redundancy. vPC would be prefered.
  Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct? //Without the 1000v, I always tend to leave to dvSwitch load balence behavior at the default of "route by portID". 
  Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES? UCS can perform L2 but Northbound should be performing L3.
  Cheers,
  David Jarzynka

• Privilege Level for Tacacs Account in Nexus 7000

  Hi,
  I have configured the Tacacs (ACS 4.2v) on Nexus 7000 (as mentioned below) and works fine but unlike IOS (6509) It's doesn't prompt that you are in userexec mode (>) and then need to type enable and password for full privilege.
  In n7k when I entered into "configure terminal" It won't allow me to access other commands.
  How to login into level 15 privilege mode after authenticating from tacacs
  (config)# show running-config tacacs+
  tacacs-server key 7 "xxxxx"
  tacacs-server host x.x.x.x key 7 "xxxx"
  aaa group server tacacs+ TacServer
      server x.x.x.x (same ip as tacacs-server host)
      use-vrf management
      source-interface Vlan2
  (config)# show running-config aaa
  aaa authentication login default group TacServer
  aaa authentication login console local
  aaa user default-role
  Here below are the commands accessible in "Terminal" currently
  (config)# ?
    no        Negate a command or set its defaults
    username  Configure user information.
    end       Go to exec mode
    exit      Exit from command interpreter
  isb.n7k-dcn-agg-1-sw(config)#

  Hi Jan.nielsen
  Issue is resolved but by another way.
  I have found the same resolution too of custom attirbute command but the Custom attribute Option for shell command wasn't available in ACS v4.2, so after enabling shell for users and by clicking exec--> Shell Exec and enabling priviledge level 15 in the same box of Shell options, It start working without any command

• Nexus 7000 - unexpected shutdown of vPC-Ports during reload of the primary vPC Switch

  Dear Community,
  We experienced an unusual behavior of two Nexus 7000 switches within a vPC domain.
  According to the attached sketch, we have four N7Ks in two data centers - two Nexus 7Ks are in a vPC domain for each data center.
  Both data centers are connected via a Multilayer-vPC.
  We had to reload one of these switches and I expected the other N7K in this vPC domain to continue forwarding over its vPC-Member-ports.
  Actually, all vPC ports have been disabled on the secondary switch until the reload of the first N7K (vPC-Role: primary) finished.
  Logging on Switch B:
  20:11:51 <Switch B> %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
  20:12:01 <Switch B> %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed
  In case of a Peer-link failure, I would expect this behavior if the other switch is still reachable via the Peer-Keepalive-Link (via the Mgmt-Port), but since we reloaded the whole switch, the vPCs should continue forwarding. 
  Could this be a bug or are there any timers to be tuned?
  All N7K switches are running on NX-OS 6.2(8)
  Switch A:
  vpc domain 1
    peer-switch
    role priority 2048
    system-priority 1024
    peer-keepalive destination <Mgmt-IP-Switch-B>
    delay restore 360
    peer-gateway
    auto-recovery reload-delay 360
    ip arp synchronize
  interface port-channel1
    switchport mode trunk
    switchport trunk allowed vlan <x-y>
    spanning-tree port type network
    vpc peer-link
  Switch B:
  vpc domain 1
    peer-switch
    role priority 1024
    system-priority 1024
    peer-keepalive destination <Mgmt-IP-Switch-A>
    delay restore 360
    peer-gateway
    auto-recovery reload-delay 360
    ip arp synchronize
  interface port-channel1
    switchport mode trunk
    switchport trunk allowed vlan <x-y>
    spanning-tree port type network
    vpc peer-link
  Best regards

  Problem solved:
  During the reload of the Nexus 7K, the linecards were powerd off a short time earlier than the Mgmt-Interface. As a result of this behavior, the secondary Nexus 7K received at least one vPC-Peer-Keepalive Message while its peer-link was already powerd off. To avoid a split brain scenario, the VPC-member-ports have been shut down.
  Now we are using dedicated interfaces on the linecards for the VPC-Peer-Keepalive-Link and a reload of one N7K won't result in a total network outage any more.

• Using SNMP to monitor Nexus 7000 Series Supervisor Module

  Hello,
  I got a Nexus 7000 supervisor module recently, I met a SNMP problem for this module
  I would like to know which specific OIDs to use to monitor the following using SNMP on a Nexus 7000 supervisor module:
  - Port status
  - CPU total utilization
  - Power Supply status
  - Chassis Fan status
  etc.
  The Nexus is quite different from other Cisco devices - any help will be appreciated!

  hope help,  and 
  port status OID is ifOperStatus
  CPU total utilization OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
  [root@NET-MONITOR-1 ~]# 
  [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 ifDescr.83886080
  .1.3.6.1.2.1.2.2.1.2.83886080 = STRING: mgmt0
  [root@NET-MONITOR-1 ~]# 
  [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 ifOperStatus.83886080
  .1.3.6.1.2.1.2.2.1.8.83886080 = INTEGER: up(1)
  [root@NET-MONITOR-1 ~]# 
  [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
  .1.3.6.1.4.1.9.9.109.1.1.1.1.6.1 = Gauge32: 21
  [root@NET-MONITOR-1 ~]#