00:00:00 - Before we dig into technologies that we can carry
00:00:03 - out in the modern data center thanks to our Nexus equipment,
00:00:07 - let's make sure we can connect to the Nexus equipment, and
00:00:11 - let's make sure we know some of the aspects surrounding
00:00:13 - network management.
00:00:15 - It's time for us to really get into detail on some of the
00:00:18 - things we've only mentioned briefly so far
00:00:21 - in this Nugget series.
00:00:22 - We'll take a detailed look at the setup script, the
00:00:25 - In-Service Software Upgrade feature.
00:00:28 - We'll take a look at Control Plane Policing, which we would
00:00:31 - definitely want to consider when we start opening up
00:00:34 - management connections to the devices.
00:00:36 - And speaking of those management connections, we'll
00:00:39 - see them in this Nugget as well as important verification
00:00:43 - commands we're going to want to know to run once we make
00:00:46 - that management connection.
00:00:49 - Now for those of you coming from the IOS world, this will
00:00:52 - be no surprise.
00:00:53 - We can make a console port connection to the Nexus, let's
00:00:57 - say, 7000 switch.
00:00:58 - Notice it's a serial RJ45 connection that we're going to
00:01:02 - make to the console port that's located on the
00:01:05 - Supervisor engine.
00:01:07 - Yeah.
00:01:07 - So this is our sup engine inside
00:01:09 - the 7000 series chassis.
00:01:11 - What are the settings for our favorite terminal
00:01:15 - application of choice?
00:01:16 - Well, it's going to be 9,600 bits per second, 8 data bits,
00:01:22 - no parity, 1 stop bit, and no flow control.
00:01:26 - These are the settings that we're going to make sure are
00:01:28 - inside our terminal app of choice.
00:01:30 - We could use HyperTerminal built into Windows.
00:01:33 - But most these days prefer to utilize something like
00:01:36 - SecureCRT or TeraTerm.
00:01:39 - Now when you power on the Nexus 7000 series, or any
00:01:43 - Nexus for that matter, initially you make this
00:01:46 - console connection, and there's not going to be a
00:01:49 - configuration.
00:01:50 - So the device kind of freaks out a little bit and presents
00:01:53 - you with a basic system configuration dialog.
00:01:57 - This is called the setup utility.
00:02:00 - Or for those of us that have been around Cisco for a while,
00:02:02 - we tend to call it the setup script.
00:02:05 - Notice this device is asking us would we like to enter the
00:02:08 - basic configuration dialog.
00:02:10 - We can say no and go right to the Command prompt, or we can
00:02:14 - go ahead and say yes and begin this setup script.
00:02:18 - And it will ask us a series of questions, like do we want to
00:02:22 - enforce secure password standard?
00:02:25 - I just hit the carriage return.
00:02:27 - As a result of that, it accepts the default yes here.
00:02:31 - So yes, we are going to enforce
00:02:34 - secure password standard.
00:02:35 - It says, do you want to create another login account?
00:02:39 - I'll go ahead and say yes here, and I'll create the
00:02:42 - johns login account.
00:02:44 - The password is going to have to meet secure password
00:02:48 - standards of this particular device.
00:02:50 - So it is going to be pretty intense, the password that we
00:02:55 - have to put in.
00:02:56 - It's going to have to be a mix of lowercase and uppercase
00:03:03 - characters.
00:03:04 - And notice this particular user role can be, by default,
00:03:09 - in network operator.
00:03:10 - Or we could go ahead and create another full network
00:03:13 - admin on this particular device.
00:03:16 - You get the idea.
00:03:17 - We're going to go through here, and we are going to
00:03:20 - configure the basics for this particular
00:03:23 - device via the script.
00:03:26 - I'll just say no to everything I can here so we can quickly
00:03:34 - get to the end of the script.
00:03:36 - We'll learn how to configure all of this stuff manually as
00:03:42 - we go through this course.
00:03:45 - Let's see.
00:03:45 - Default switchport trunk mode.
00:03:48 - Oh, that's fine.
00:03:48 - I'll just say on.
00:03:50 - No, deny, no, configure the default zone mode.
00:03:56 - This is for Storage Area Networking
00:03:59 - capabilities on the device.
00:04:00 - All right.
00:04:00 - And here we are at the end.
00:04:02 - Notice would we like to edit the configuration that we have
00:04:07 - just applied to this device with the script?
00:04:10 - We can say yes, and we can actually go in and change one
00:04:14 - of these aspects that we selected and then use this
00:04:18 - configuration and save, a simple yes or no.
00:04:21 - If we wanted to apply the very basic configuration that we
00:04:25 - got through the script, we could here.
00:04:27 - I'll say no to return us to the command prompt.
00:04:30 - By the way, one more thing you need to know about the setup
00:04:33 - utility is the fact that you can launch it any time you
00:04:38 - like with the keyword setup.
00:04:41 - Obviously, I'm not going to launch it here.
00:04:43 - We just got through it.
00:04:44 - But notice we could launch it at any time by issuing the
00:04:49 - setup keyword.
00:04:51 - Now please remember, if you have a Nexus 7000 series and
00:04:57 - you are using the sup engine I, then over here on the
00:05:03 - right-hand side of your Supervisor engine you have the
00:05:06 - Connectivity Management Processor port, or the CMP.
00:05:12 - The CMP was an interesting concept, and it's kind of
00:05:16 - curious that Cisco abandoned this concept, but they did.
00:05:20 - The idea was that you would have your dedicated operating
00:05:24 - system running here for complete and total out of band
00:05:28 - management of the device.
00:05:30 - You could connect to this particular port, and you could
00:05:33 - initiate a reset of the entire Nexus device, and you wouldn't
00:05:38 - lose a connection while the entire
00:05:41 - Nexus device is rebooting.
00:05:43 - So you talk about true out of band management.
00:05:46 - This is all possible, of course, because, again, this
00:05:49 - Connectivity Management Processor has a dedicated
00:05:52 - operating system, dedicated resources.
00:05:55 - It even has its own LEDs that are surrounding this
00:05:58 - particular port to give you information about its health.
00:06:01 - As far as user accounts go, it has its own local
00:06:05 - authentication that it can do so that you can set up
00:06:08 - Connectivity Management Processor accounts, and you
00:06:10 - can access those accounts for managing the system.
00:06:14 - Once again, I must remind you this is on the sup engine I,
00:06:18 - and the sup engine IIA and II from Cisco Systems does not
00:06:23 - possess such a capability.
00:06:26 - Now an obvious question becomes, how in the world
00:06:29 - would you connect to the Connectivity Management
00:06:32 - Processor in order to manage that particular component?
00:06:36 - Well, you use the attach privilege mode command.
00:06:39 - Notice I don't have a CMP, so none is listed here.
00:06:43 - But if you did have a CMP on your particular Nexus 7000, it
00:06:47 - would be listed.
00:06:48 - So you would say attach CMP for
00:06:51 - Connectivity Management Processor.
00:06:53 - You would then be prompted for a login.
00:06:56 - By default, your global admin accounts from your default
00:07:00 - virtual device context are synchronized to the
00:07:03 - connectivity management processor.
00:07:05 - So just use your god-like administrator account from the
00:07:08 - Nexus 7K, and you'll be into the CMP.
00:07:13 - Your prompt will change.
00:07:15 - In our case, it would be N7K-1-CMP for Connectivity
00:07:21 - Management Processor.
00:07:25 - What about remote access?
00:07:26 - Obviously, we're going to want the convenience that remote
00:07:29 - access provides.
00:07:31 - Understand on the Nexus SSH is going to
00:07:34 - be enabled by default.
00:07:36 - But keep in mind it's only SSH version 2 that is going to be
00:07:41 - operational.
00:07:42 - Telnet is, of course, disabled by default.
00:07:46 - And for both Telnet and SSH, if you want, you have both
00:07:50 - client and server capabilities on the Nexus.
00:07:53 - And as you might guess, both version 4 and
00:07:55 - version 6 are supported.
00:07:58 - When you're in the CMP and you want to control these remote
00:08:02 - access behaviors, the appropriate commands are going
00:08:05 - to be ssh server and then enable.
00:08:09 - This would enable SSH capabilities if someone
00:08:13 - disabled them.
00:08:14 - Same with Telnet.
00:08:15 - You would do telnet and then the server keyword and then
00:08:19 - the keyword enable in order to enable that
00:08:23 - capability in the CMP.
00:08:27 - Now the Nexus borrows a concept from the Layer 3 MPLS
00:08:32 - VPN, and that is the concept of a virtual routing and
00:08:36 - forwarding table.
00:08:37 - A virtual routing and forwarding table is a set of
00:08:41 - routing structures that can be applied to an interface to
00:08:46 - virtualize the interface.
00:08:48 - That's right.
00:08:49 - The interface can have multiple routing tables,
00:08:53 - multiple forwarding information bases, even
00:08:56 - multiple routing protocol configurations.
00:09:00 - You could have an interface participating for customer A,
00:09:03 - let's say, and for customer B, let's say.
00:09:07 - And it would have a separate routing table, separate
00:09:09 - routing protocols for each of these customers.
00:09:12 - So this is an amazing virtualization capability that
00:09:17 - Cisco takes advantage of for the Nexus.
00:09:20 - By default, they have two VRFs in place for you on your Nexus
00:09:25 - device, and that is the default VRF and
00:09:30 - the management VRF.
00:09:32 - So we have this wonderful automatic partitioning of
00:09:36 - management traffic through the use of its own virtual routing
00:09:41 - and forwarding table.
00:09:43 - As a great way to partition the management traffic, sure
00:09:48 - enough, Cisco did something brilliant with
00:09:51 - the management interface.
00:09:53 - We know there's a management interface on our Nexus
00:09:57 - devices, like, for instance, the 5500 series, and this
00:10:00 - management interface is placed in the management VRF.
00:10:08 - It's very important to keep this concept in mind when
00:10:12 - you're verifying reachability.
00:10:14 - For instance, if we are on the device and we want to verify
00:10:18 - reachability in our management VRF, we could go ahead and go
00:10:22 - to the Nexus, for instance, and ping our workstation.
00:10:27 - Let's say we have a network management workstation at
00:10:30 - 172.16.1.42.
00:10:31 - 142
00:10:33 - But hold on.
00:10:34 - This is part of that virtual routing and forwarding
00:10:38 - instance of the management VRF, right?
00:10:41 - So what we do is after specifying the address, we use
00:10:45 - the VRF keyword and then the name of that particular VRF.
00:10:51 - So in order to test our connectivity for management
00:10:56 - purposes, our full command would be ping, the address,
00:11:01 - and then VRF.
00:11:02 - And in this case, our management VRF is specified.
00:11:07 - Another great feature that's been a long time in coming
00:11:10 - from Cisco with their software is the
00:11:12 - In-Service Software Upgrade.
00:11:15 - This is a capability that allows
00:11:18 - us to upgrade software--
00:11:19 - and we know we're going to be doing that periodically with
00:11:23 - our Cisco equipment--
00:11:24 - and the key is it's non-disruptive.
00:11:27 - That's right.
00:11:28 - That data plane on our device can continue forwarding
00:11:31 - traffic during the upgrade process.
00:11:34 - Now this has been a possibility with an NX-OS
00:11:37 - software since 4.2.1.
00:11:40 - And the components that can be upgraded during this process
00:11:44 - include the kickstart image, the Supervisor BIOS, the
00:11:48 - actual system image itself, those fabric extenders that
00:11:52 - are children of our Nexus devices, like the 2000 series,
00:11:57 - and then the I/O module BIOS and image that powers the I/O
00:12:01 - modules on our device.
00:12:03 - So a very robust upgrade that can be done while the Nexus
00:12:08 - device is forwarding traffic for you in your data center.
00:12:12 - The In-Service Software Upgrade process started life on things
00:12:16 - like Nexus 7000 series.
00:12:19 - And this was pretty obvious, because you had dual
00:12:22 - Supervisor engines in both of most of these devices.
00:12:26 - The process would be to go to the standby Supervisor engine
00:12:30 - and go ahead and upgrade it.
00:12:31 - Then go ahead and make it the primary sup engine, and then
00:12:35 - go ahead and upgrade the one that is now
00:12:38 - the new standby system.
00:12:39 - So this was pretty obvious and a pretty simple way in which
00:12:43 - to carry out the ISSU process.
00:12:46 - But what's exciting now is we do indeed have this process
00:12:50 - for something like the 5000 series, which, as you know,
00:12:54 - only has a single sup engine.
00:12:57 - What happens on the 5000 or the 5500 series is the fact
00:13:01 - that the control plane will momentarily be offline, but
00:13:07 - the data plane is kept forwarding traffic, which is
00:13:10 - all we really care about during the upgrade process.
00:13:13 - And oh yeah, by the way, if you're on a 5500 series and it
00:13:17 - is indeed doing Layer 3 routing for you, you are not
00:13:21 - going to be able to take advantage of this
00:13:23 - functionality.
00:13:24 - So keep in mind that this is possible in the 5500s, but you
00:13:28 - can't be doing Layer 3 routing in order to
00:13:31 - get this nice feature.
00:13:33 - Of course, you can always remove the Layer 3 routing
00:13:36 - capability and then do it and then add the Layer 3 routing
00:13:39 - capability back, or just go ahead and do the upgrade in
00:13:43 - your Layer 3 mode and just have a momentary disruption of
00:13:47 - user traffic.
00:13:49 - You're not really responsible for performing this process in
00:13:53 - the certification environment.
00:13:55 - But to make this Nugget really complete for you, I wanted to
00:13:59 - go ahead and give you an overview of the steps that you
00:14:01 - would carry out on the 5000 series.
00:14:04 - Step one is obviously you're going to download the
00:14:07 - appropriate software from cisco.com.
00:14:10 - Remember, they have added the Nexus software to things like
00:14:14 - the Feature Navigator.
00:14:15 - So if you want to find the particular operating system
00:14:19 - that would be right for you, just do a cisco.com/go/fn for
00:14:25 - Feature Navigator, and you can help find the right software
00:14:29 - for your particular environment.
00:14:31 - Once you've got it downloaded, you're going to use something
00:14:34 - like TFTP to go ahead and copy the kickstart and the system
00:14:40 - image to the boot flash that is located on
00:14:44 - your 5000 series device.
00:14:47 - I presume you did your homework
00:14:49 - with the Feature Navigator.
00:14:51 - But just to be sure, you can go ahead and run a command on
00:14:55 - your Nexus 5000 called show incompatibility.
00:15:01 - Yeah, this is awesome.
00:15:02 - This will go ahead and report to you any particular features
00:15:07 - that are not going to be compatible with your current
00:15:11 - image that you were trying to implement on the 5000 series.
00:15:16 - Another great pre-upgrade command that you can issue is
00:15:20 - show install all impact.
00:15:26 - This command is going to allow you literally to identify the
00:15:31 - impact that your upgrade is going to have.
00:15:35 - This excellent command is going to literally verify the
00:15:39 - images that you're about to apply to the device and, most
00:15:42 - importantly, ensure that they're going to work
00:15:45 - seamlessly with this In-Service Upgrade process.
00:15:50 - At this point, you should be feeling very confident.
00:15:53 - And you'll go ahead and issue the install all command in
00:15:58 - order to begin the actual installation.
00:16:01 - Once the installation is done, verification is going to be
00:16:05 - with the show command.
00:16:06 - I'm sure you're not surprised.
00:16:07 - We're going to do show install all status, and this is going
00:16:13 - to allow us to verify that this installation process has
00:16:17 - indeed succeeded as we planned.
00:16:21 - Now the Supervisor engine does a remarkable job of separating
00:16:26 - the traffic into different planes of operation.
00:16:30 - Then we can enact certain types of controls on that
00:16:33 - various traffic.
00:16:34 - The Supervisor engine identifies data plane traffic.
00:16:38 - Sure, the packets that are coursing through our data
00:16:42 - center in order to go ahead and move information from
00:16:45 - place to place.
00:16:46 - But then we have management plane traffic.
00:16:49 - A great example here would be something like Simple Network
00:16:52 - Management Protocol and also packets related to the command
00:16:56 - line interface.
00:16:58 - Then there's the control plane, and these are all the
00:17:01 - control functions of the device.
00:17:03 - Examples at Layer 2 would include Spanning Tree Protocol
00:17:07 - and the Link Aggregation and Control Protocol.
00:17:10 - And then examples at Layer 3 abound.
00:17:13 - How about our Open Shortest Path First Interior Gateway
00:17:16 - protocol and BGP, our exterior gateway protocol?
00:17:21 - Now over the years many attacks have come up against
00:17:24 - systems in the form of control plane attacks.
00:17:28 - Think about how easy it would be to do a denial of service
00:17:31 - attack by flooding the BGP table with false
00:17:34 - updates, for example.
00:17:36 - This would be very simple, relatively simple for an
00:17:39 - attacker to carry out.
00:17:40 - So Cisco invented Control Plane Policing or
00:17:45 - C-small-o-P-P. Control Plane Policing allows us to go in
00:17:51 - and literally set limits on interactivity on the number of
00:17:56 - packets, for instance, coming in ingress or egress to the
00:18:01 - Control Plane.
00:18:03 - Something that might surprise you is the fact that Cisco is
00:18:06 - so concerned about this that they actually have a default
00:18:12 - Control Plane Policing policy that they apply
00:18:15 - to the Nexus device.
00:18:17 - So we have a default protection policy.
00:18:20 - That's how important this is.
00:18:23 - In fact, during the setup script, it's asked of you
00:18:27 - whether you want to set a strict default COPP policy, a
00:18:32 - moderate policy, a lenient policy, or if you want
00:18:37 - absolutely no Control Plane Policing in place whatsoever.
00:18:42 - As you might guess, the stricter our policy, the less
00:18:47 - forgiving the Nexus is going to be of high rates of
00:18:52 - incoming Control Plane traffic.
00:18:55 - In the predecessor course to this one, the Introducing
00:18:58 - Cisco Data Center Networking Course, we took a look at a
00:19:01 - lot of great key CLI commands that we would use in the Nexus
00:19:06 - environment.
00:19:07 - Obviously, I don't want to repeat those here.
00:19:09 - Let me just give you a few that were not mentioned in
00:19:12 - that initial course.
00:19:13 - The where command.
00:19:14 - What a great way to quickly see in what mode, in what
00:19:19 - virtual device context, and in what user account
00:19:23 - you are logged in.
00:19:25 - So if you're a bit lost at the command line and you want to
00:19:28 - figure out just who and where you are, experiment with the
00:19:32 - where command.
00:19:33 - Now when you do a show run now in the Nexus environment, you
00:19:37 - can specify particular features.
00:19:40 - For instance, I could say show run ipqos in order to see just
00:19:44 - those particular parameters that are enacted for QoS on
00:19:48 - the device.
00:19:49 - By the way, if you want to see all of them, including those
00:19:53 - that wouldn't normally show up because
00:19:55 - they are default settings.
00:19:56 - Just follow it up with the all keyword.
00:19:58 - That's like if we were to do something
00:20:00 - like a show run interface.
00:20:03 - If you want to see all of the commands that are enabled
00:20:06 - under that particular interface, including those
00:20:09 - that would not normally appear because they're default, just
00:20:13 - add that all keyword.
00:20:15 - There's show module in order to see the particular I/O
00:20:19 - modules and various other modules that might be
00:20:22 - installed in your Nexus chassis.
00:20:24 - And then, finally, let's not forget the importance of the
00:20:27 - show logging command.
00:20:29 - In fact, if you do show logging and then a question
00:20:31 - mark, you'll see how this powerful command can be
00:20:34 - utilized to see all of the various potential logging
00:20:38 - locations that you have set up on your Nexus device.
00:20:43 - So what an important Nugget.
00:20:44 - We took a look at the various management connections that we
00:20:47 - have available in the Nexus line.
00:20:50 - We talked about that setup script, which we will default
00:20:53 - to if we are on a device that has no configuration.
00:20:56 - We talked about the In-Service Software Upgrade and Control
00:21:00 - Plane Policing possibilities in our Nexus line, and we wrapped
00:21:04 - up taking a look at some important commands that I
00:21:07 - really didn't point out to you in our first CCNA data series
00:21:11 - here at CBT Nuggets.
00:21:13 - I sincerely hope that this has been informative for you, and
00:21:17 - I'd like to thank you for viewing.