Learn Nexus In Comparison with IOS
By: Prashant Phirke (CCIE R&S)
Learn Nexus Page 2
Table of Contents
Configuration Fundamentals, page 3
Interface Configuration, page 10
Port-Channel, page 15
HSRP, page 20
DHCP Relay, page 25
STP, page 28
EIGRP, page 32
OSPF, page 37
BGP, page 42
BGP (Advanced), page 48
Multicast, page 54
Netflow, page 65
SPAN, page 70
TACACS+, RADIUS, and AAA, page 74
Layer-3 Virtualization, page 79
Configuration Fundamentals

The Cisco NX-OS is a data center class operating system designed for maximum scalability and application availability. The NX-OS CLI is very similar to the Cisco IOS CLI, so if you understand Cisco IOS you can easily adapt to Cisco NX-OS. However, a few key differences should be understood prior to working with the Cisco NX-OS.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• When you first log into the NX-OS, you go directly into EXEC mode.
• Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS 5.0(2a) introduced privilege levels and two-stage authentication using an enable secret that can be enabled with the global feature privilege configuration command.
• By default, the admin user has network-admin rights that allow full read/write access. Additional users can be created with very granular rights to permit or deny specific CLI commands.
• The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults, perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP) security policy.
• The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced Services license is required depending on the features required. Additional licenses may be required in the future.
• A 120 day license grace period is supported for testing, but features are automatically removed from the running configuration after the expiration date is reached.
• The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP, etc… using the feature configuration command. Configuration and verification commands are not available until you enable the specific feature.
• Interfaces are labeled in the configuration as Ethernet. There aren’t any speed designations.
• The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical device to be partitioned into logical devices. When you log in for the first time, you are in the default VDC (VDC 1).
• The Cisco NX-OS has two preconfigured VRF instances by default (management, default). The management VRF is applied to the supervisor module out-of-band Ethernet port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet ports.
• SSHv2 server/client functionality is enabled by default. TELNET server functionality is disabled by default. (The TELNET client is enabled by default and cannot be disabled.)
• VTY and Auxiliary port configurations do not show up in the default configuration unless a parameter is modified (The Console port is included in the default configuration). The VTY port supports 32 simultaneous sessions and the timeout is disabled by default for all three port types.
Things You Should Know

The following list provides some additional Cisco NX-OS information that should be helpful when configuring and maintaining the Cisco NX-OS.
• The default administrator user is predefined as admin. An admin user password has to be specified when the system is powered up for the first time, or if the running configuration is erased with the write erase command and the system is repowered.
• If you remove a feature with the global no feature configuration command, all relevant commands related to that feature are removed from the running configuration.
• The NX-OS uses a kickstart image and a system image. Both images are identified in the configuration file as the kickstart and system boot variables. The boot variables determine what version of NX-OS is loaded when the system is powered on. (The kickstart and system boot variables have to be configured for the same NX-OS version.)
• The show running-config command accepts several options, such as OSPF, BGP, etc… that will display the runtime configuration for a specific feature.
• The show tech command accepts several options that will display information for a specific feature.
Configuration Comparison

The following sample code shows similarities and differences between the Cisco NX-OS software and the Cisco IOS Software CLI.
Cisco IOS CLI vs. Cisco NX-OS CLI

Default User Prompt
  Cisco IOS CLI:
    c6500>
  Cisco NX-OS CLI:
    n7000#

Entering Configuration Mode
  Cisco IOS CLI:
    c6500# configure terminal
  Cisco NX-OS CLI:
    n7000# configure terminal

Saving the Running Config to the Startup Config (nvram)
  Cisco IOS CLI:
    c6500# write memory
    or
    c6500# copy running-config startup-config
  Cisco NX-OS CLI:
    n7000# copy running-config startup-config

Erasing the startup config (nvram)
  Cisco IOS CLI:
    c6500# write erase
  Cisco NX-OS CLI:
    n7000# write erase
Installing a License
  Cisco IOS CLI:
    Cisco IOS Software does not require a license file installation.
  Cisco NX-OS CLI:
    n7000# install license bootflash:license_file.lic

Interface Naming Convention
  Cisco IOS CLI:
    interface Ethernet 1/1
    interface FastEthernet 1/1
    interface GigabitEthernet 1/1
    interface TenGigabitEthernet 1/1
  Cisco NX-OS CLI:
    interface Ethernet 1/1

Default VRF Configuration (management)
  Cisco IOS CLI:
    Cisco IOS Software doesn’t enable VRFs by default.
  Cisco NX-OS CLI:
    vrf context management

Configuring the Software Image Boot Variables
  Cisco IOS CLI:
    boot system flash sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin
  Cisco NX-OS CLI:
    boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-1
    boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-1
    boot kickstart bootflash:/n7000-s1-kickstart.4.0.4.bin sup-2
    boot system bootflash:/n7000-s1-dk9.4.0.4.bin sup-2

Enabling Features
  Cisco IOS CLI:
    Cisco IOS Software does not have the functionality to enable or disable features.
  Cisco NX-OS CLI:
    feature ospf

Enabling TELNET (SSHv2 is recommended)
  Cisco IOS CLI:
    Cisco IOS Software enables TELNET by default.
  Cisco NX-OS CLI:
    feature telnet

Configuring the VTY Timeout and Session Limit
  Cisco IOS CLI:
    line vty 0 9
      exec-timeout 15 0
      login
  Cisco NX-OS CLI:
    line vty
      session-limit 10
      exec-timeout 15
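The three defaults worth checking on a freshly built Nexus are the ones just listed: TELNET is off unless feature telnet was added, the VTY exec-timeout is disabled, and 32 simultaneous VTY sessions are allowed. The following Python script is an added example (not part of this guide) that parses an NX-OS-style running-config and reports those conditions; the sample config, the function names and the finding text are my own, and the parser only handles the two-level indentation that show running-config produces.

```python
"""Audit an NX-OS running-config for the Configuration Fundamentals baseline.

Added example, not from the original guide. Reports:
  * feature telnet present        (TELNET server enabled; SSHv2 is the default)
  * line vty without exec-timeout, or exec-timeout 0 (NX-OS default: timeout disabled)
  * line vty without session-limit (NX-OS default: 32 simultaneous sessions)
  * every enabled feature, so unexpected ones can be reviewed
"""

# Constructed sample in NX-OS running-config style (not captured from a real device).
SAMPLE_CONFIG = """\
version 5.2(1)
hostname n7000
feature telnet
feature ospf
feature interface-vlan
vrf context management
line console
line vty
interface mgmt0
  ip address 10.0.0.1/24
"""


def parse_sections(config_text):
    """Split a config into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:                      # sub-command of the previous top-level line
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_baseline(config_text):
    """Return {"features": [...], "findings": [...]} for the given running-config."""
    findings = []
    features = []
    saw_vty = False
    for cmd, subs in parse_sections(config_text):
        if cmd.startswith("feature "):
            feat = cmd.split(None, 1)[1]
            features.append(feat)
            if feat == "telnet":
                findings.append("feature telnet enabled: TELNET server is on; SSHv2 is the default and recommended")
        elif cmd == "line vty":
            saw_vty = True
            timeout = next((s for s in subs if s.startswith("exec-timeout")), None)
            # exec-timeout 0 also means "never time out"
            if timeout is None or timeout.split()[-1] == "0":
                findings.append("line vty has no exec-timeout: idle sessions never expire (NX-OS default)")
            if not any(s.startswith("session-limit") for s in subs):
                findings.append("line vty has no session-limit: default allows 32 simultaneous sessions")
    if not saw_vty:
        # NX-OS omits 'line vty' from the config until a parameter is changed,
        # so its absence means both defaults are in effect.
        findings.append("line vty not in config: exec-timeout disabled and 32-session default apply")
    return {"features": features, "findings": findings}


if __name__ == "__main__":
    result = audit_baseline(SAMPLE_CONFIG)
    print("enabled features:", ", ".join(result["features"]))
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run it against the output of show running-config saved to a file; the feature list doubles as a quick inventory, since the guide notes that no feature's commands exist until it is enabled.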
Verification Command Comparison

The following table compares some useful show commands for verifying the initial system startup and running configuration.
Cisco NX-OS | Cisco IOS Software | Description
show running-config | show running-config | Displays the running configuration
show startup-config | show startup-config | Displays the startup configuration

show interface | show interface | Displays the status for all of the interfaces
show interface ethernet <x/x> | show interface <int type> | Displays the status for a specific interface

show boot | show boot | Displays the current boot variables

show clock | show clock | Displays the system clock and time zone configuration
show clock detail | show clock detail | Displays the summer-time configuration

show environment | show environment | Displays all environment parameters
show environment clock | show environment status clock | Displays clock status for A/B and active clock
show environment fan | show environment cooling fan-tray | Displays fan status
show environment power | show power | Displays power budget
show environment temperature | show environment temperature | Displays environment data

show log logfile | show log | Displays the local log
show log nvram | - | Displays persistent log messages (severity 0-2) stored in NVRAM
show module | show module | Displays installed modules and their status
show module uptime | - | Displays how long each module has been powered up
show module fabric | - | Displays fabric modules and their current status
show platform fabric-utilization | show fabric utilization | Displays the % of fabric utilized per module
show process cpu | show process cpu | Displays the processes running on the CPU
show process cpu history | show process cpu history | Displays the process history of the CPU in chart form
show process cpu sorted | show process cpu sorted | Displays sorted processes running on the CPU

show system cores | - | Displays the core dump files if present
show system exception-info | show exception | Displays last exception log
show system redundancy status | show redundancy | Displays the supervisors' High Availability status
show system resources | show process cpu | Displays CPU and memory usage data
show system uptime | - | Displays system and kernel start time (displays active supervisor uptime)

show tech-support | show tech-support | Displays system technical information for Cisco TAC
show tech-support <name> | show tech-support <name> | Displays feature specific technical information for Cisco TAC

show version | show version | Displays running software version, basic hardware, CMP status and system uptime

show line | show line | Displays console and auxiliary port information
show line com1 | - | Displays auxiliary port information
show line console | show line console 0 | Displays console port information
show line console connected | - | States if the console port is physically connected
show terminal | show terminal | Displays terminal settings
show users | show users | Displays current virtual terminal settings

show vrf | show ip vrf | Displays a list of all configured VRFs
show vrf <name> | show ip vrf <name> | Displays a specified VRF
show vrf <name> detail | show vrf detail <name> | Displays details for a specified VRF
show vrf <name> interface | - | Displays interface assignment for a specified VRF
show vrf default | - | Displays a summary of the default VRF
show vrf detail | show vrf detail | Displays details for all VRFs
show vrf interface | show ip vrf interface | Displays VRF interface assignment
show vrf management | - | Displays a summary of the management VRF

show license | - | Displays all license file information
show license brief | - | Displays the license file names installed
show license file <name> | - | Displays license contents based on a specified name
show license host-id | - | Displays the chassis Host-ID used for creating a license
show license usage | - | Displays all licenses used by the system
show license usage <license-type> | - | Displays all licenses used by the system per type
show license usage vdc-all | - | Displays all licenses used by the system for all VDCs

show vdc | - | Displays a list of the configured VDCs
show vdc <name> | - | Displays a summary of the individual VDC
show vdc <name> detail | - | Displays configuration details for a specific VDC
show vdc <name> membership | - | Displays interface membership for a specific VDC
show vdc <name> resource | - | Displays resource allocation for a specific VDC
show vdc current-vdc | - | Displays the VDC that the user is currently in
show vdc detail | - | Displays detailed information for all VDCs
show vdc membership | - | Displays interface membership for all VDCs
show vdc resources | - | Displays resource allocation for all VDCs
Interface Configuration

The NX-OS supports different physical and virtual interface types to meet various network connectivity requirements. The different interface types include: layer-2 switched (access or trunk), layer-3 routed, layer-3 routed (sub-interface trunk), switched virtual interface (SVI), port-channel, loopback, and tunnel interfaces.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• SVI command-line interface (CLI) configuration and verification commands are not available until you enable the SVI feature with the feature interface-vlan command.
• Tunnel interface command-line interface (CLI) configuration and verification commands are not available until you enable the Tunnel feature with the feature tunnel command.
• Interfaces support stateful and stateless restarts after a supervisor switchover for high availability.
• Only 802.1q trunks are supported, so the encapsulation command isn't necessary when configuring a layer-2 switched trunk interface. (Cisco ISL is not supported)
• An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when configuring an IP address on a layer-3 interface.
• The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (for example, interface ethernet 1/1-2).
• The out-of-band management ethernet port located on the supervisor module is configured with the interface mgmt 0 CLI command.
Things You Should Know

The following list provides some additional facts about the Cisco NX-OS that should be helpful when configuring interfaces.
• An interface can only be configured in 1 VDC at a time.
• All 4 interfaces in a port group must be assigned to the same VDC when assigning interfaces on the 32 port 10GE module. There are not any restrictions for the 48 port 1GE modules.
• 10 GE interfaces can be configured in dedicated mode using the rate-mode dedicated interface CLI command.
• The default port type is configurable for L3 routed or L2 switched in the setup startup script. (L3 is the default port type prior to running the script)
• A layer-2 switched trunk port sends and receives traffic for all VLANs by default (This is the same as Cisco IOS Software). Use the switchport trunk allowed vlan interface CLI command to specify the VLANs allowed on the trunk.
• The clear counters interface ethernet x/x CLI command resets the counters for a specific interface.
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS Software.
Cisco IOS CLI vs. Cisco NX-OS CLI

Configuring a Routed Interface
  Cisco IOS CLI:
    interface gigabitethernet 1/1
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1
      ip address 192.168.1.1/24
      no shutdown

Configuring a Switched Interface (VLAN 10)
  Cisco IOS CLI:
    vlan 10
    interface gigabitethernet 1/1
      switchport
      switchport mode access
      switchport access vlan 10
      no shutdown
  Cisco NX-OS CLI:
    vlan 10
    interface ethernet 1/1
      switchport
      switchport mode access
      switchport access vlan 10
      no shutdown

Configuring a Switched Virtual Interface (SVI)
  Cisco IOS CLI (Cisco IOS Software does not have the ability to enable or disable SVI interfaces using the feature command):
    interface vlan 10
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS CLI:
    feature interface-vlan
    interface vlan 10
      ip address 192.168.1.1/24
      no shutdown

Configuring a Switched Trunk Interface
  Cisco IOS CLI:
    interface GigabitEthernet 1/1
      switchport
      switchport trunk encapsulation dot1q
      switchport trunk native vlan 2
      switchport trunk allowed vlan 10,20
      switchport mode trunk
      no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1
      switchport mode trunk
      switchport trunk allowed vlan 10,20
      switchport trunk native vlan 2
      no shutdown

Configuring a Routed Trunk Sub-Interface
  Cisco IOS CLI:
    interface gigabitethernet 1/1
      no switchport
      no shutdown
    interface gigabitethernet1/1.10
      encapsulation dot1Q 10
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1
      no switchport
      no shutdown
    interface ethernet 1/1.10
      encapsulation dot1q 10
      ip address 192.168.1.1/24
      no shutdown

Configuring a Loopback Interface
  Cisco IOS CLI:
    interface loopback 1
      ip address 192.168.1.1 255.255.255.255
      no shutdown
  Cisco NX-OS CLI:
    interface loopback 1
      ip address 192.168.1.1/32
      no shutdown

Configuring a Tunnel Interface
  Cisco IOS CLI (Cisco IOS Software does not have the ability to enable or disable Tunnel interfaces using the feature command):
    interface Tunnel 1
      ip address 192.168.1.1 255.255.255.0
      tunnel source 172.16.1.1
      tunnel destination 172.16.2.1
      no shutdown
  Cisco NX-OS CLI:
    feature tunnel
    interface tunnel 1
      ip address 192.168.1.1/24
      tunnel source 172.16.1.1
      tunnel destination 172.16.2.1
      no shutdown

Configuring an Interface Description
  Cisco IOS CLI:
    interface gigabitethernet 1/1
      description Test Interface
  Cisco NX-OS CLI:
    interface ethernet 1/1
      description Test Interface

Configuring Jumbo Frames
  Cisco IOS CLI:
    interface gigabitethernet 1/1
      mtu 9216
  Cisco NX-OS CLI:
    interface ethernet 1/1
      mtu 9216

Configuring Multiple Interfaces (Examples)
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
    or
    interface range gigabitethernet 1/1, gigabitethernet 2/1
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
    or
    interface ethernet 1/1, ethernet 2/1
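The differences in this section are mechanical enough to script: interface names collapse to Ethernet, the range keyword disappears, dotted masks become /prefix notation, and the trunk encapsulation command is not needed because only 802.1q exists. The Python below is an added example, not part of this guide, that applies exactly those four rewrites to IOS interface configuration text; the function names and the constructed IOS sample are my own, and it deliberately leaves every other line untouched so that anything it does not understand is visible in the output for manual review.

```python
"""Translate IOS interface configuration lines into the NX-OS syntax this section describes.

Added example, not from the original guide. Rewrites applied:
  * FastEthernet / GigabitEthernet / TenGigabitEthernet  -> Ethernet
  * 'interface range ...'                                  -> 'interface ...'
  * 'ip address A.B.C.D M.M.M.M'                           -> 'ip address A.B.C.D/len'
  * 'switchport trunk encapsulation dot1q'                 -> dropped (NX-OS is 802.1q only)
Everything else is passed through unchanged.
"""
import ipaddress
import re

IOS_NAMES = re.compile(r"\b(TenGigabitEthernet|GigabitEthernet|FastEthernet|Ethernet)\s*",
                       re.IGNORECASE)

# Constructed IOS sample based on the trunk and sub-interface examples in this section.
IOS_TRUNK = """\
interface GigabitEthernet 1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 no shutdown
interface gigabitethernet1/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 no shutdown
"""


def translate_line(line):
    """Return the NX-OS form of one IOS line, or None if the line has no NX-OS equivalent."""
    stripped = line.strip()
    indent = line[: len(line) - len(line.lstrip())]
    if stripped.lower() == "switchport trunk encapsulation dot1q":
        return None
    if stripped.lower().startswith("interface "):
        body = stripped[len("interface "):]
        body = re.sub(r"^range\s+", "", body, flags=re.IGNORECASE)   # no range keyword on NX-OS
        body = IOS_NAMES.sub("ethernet ", body)                      # single Ethernet name
        return f"{indent}interface {body}"
    m = re.match(r"ip address (\S+) (\S+)$", stripped, re.IGNORECASE)
    if m and "." in m.group(2):
        # ip_interface accepts "addr/dotted-mask" and renders it as "addr/prefixlen"
        iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        return f"{indent}ip address {iface.with_prefixlen}"
    return line.rstrip()


def translate_config(ios_text):
    """Translate a whole IOS block, dropping blank lines and lines with no NX-OS equivalent."""
    out = []
    for line in ios_text.splitlines():
        if not line.strip():
            continue
        nx = translate_line(line)
        if nx is not None:
            out.append(nx)
    return "\n".join(out)


if __name__ == "__main__":
    print(translate_config(IOS_TRUNK))
```

Note that the sub-interface encapsulation dot1Q 10 line is kept, since NX-OS uses the same command on routed sub-interfaces; only the trunk-port encapsulation command is removed.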
Verification Command Comparison

The following table lists some useful show commands for verifying the status and troubleshooting an interface.
Cisco NX-OS Interface Command | Cisco IOS Software Interface Command | Description
show interface | show interface | Displays the status and statistics for all interfaces or a specific interface
show interface brief | - | Displays a brief list of the interfaces (type, mode, status, speed, MTU)
show interface capabilities | show interface capabilities | Displays interface capabilities
show interface counters | show interface counters | Displays interface counters (input/output unicast, multicast & broadcast)
show interface debounce | - | Displays the de-bounce status and time in ms for all interfaces
show interface description | - | Displays all interfaces with configured descriptions
show interface ethernet | show interface interface-type | Displays status and statistics for a specific interface
show interface flowcontrol | show interface flowcontrol | Displays Flow Control (802.1p) status and state for all interfaces
show interface loopback | show interface loopback | Displays status and statistics for a specific loopback interface
show interface mac-address | - | Displays all interfaces and their associated MAC addresses
show interface mgmt | - | Displays status and statistics for the management interface located on the supervisor
show interface port-channel | show interface port-channel | Displays status and statistics for a specific port-channel
show interface status | show interface status | Displays all interfaces and their current status
show interface switchport | show interface switchport | Displays a list of all interfaces that are configured as switchports
show interface transceiver | show interface transceiver | Displays a list of all interfaces and optic information (calibrations, details)
show interface trunk | show interface trunk | Displays a list of all interfaces configured as trunks
show interface tunnel <#> | show interface tunnel <#> | Displays status and statistics for a specific tunnel interface
show interface vlan <#> | show interface vlan <#> | Displays status and statistics for a specific VLAN interface
Port-Channel

Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology. Port-Channels can be configured in Static Mode (no protocol) or in conjunction with a protocol such as LACP, defined in IEEE 802.3ad, or PAgP for dynamic negotiation and keep-alive detection for failover.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• 256 Port-Channels are supported per chassis.
• LACP and Static Mode Port-Channels are supported (PAgP is not supported in Cisco NX-OS Software).
• LACP command-line interface (CLI) configuration and verification commands are not available until you enable the LACP feature with the feature lacp command.
• The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software. The range keyword has been omitted from the syntax (for example, interface ethernet 1/1-2).
• A Port-Channel can be converted between a layer-2 and layer-3 Port-Channel without removing the member ports.
• The force keyword can be used when adding an interface to an existing Port-Channel to force the new interface to inherit all of the existing Port-Channel compatibility parameters.
Things You Should Know

The following list provides some additional facts about the Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network using Port-Channels.
• A single Port-Channel cannot connect to two different VDCs in the same chassis.
• You cannot disable LACP with the no feature lacp command if LACP is configured for a Port-Channel. LACP must be disabled on all Port-Channels prior to disabling LACP globally.
• The show port-channel compatibility-parameters CLI command is very useful for verifying interface parameters when configuring Port-Channels.
• The show port-channel load-balance forwarding-path CLI command can be used to determine the individual link a flow traverses over a specific Port-Channel.
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is very similar between Cisco IOS and Cisco NX-OS. Cisco NX-OS does not use the range keyword when specifying multiple interfaces. Cisco NX-OS also has the ability to force an interface to inherit existing Port-Channel compatibility parameters using the force keyword.
Cisco IOS CLI vs. Cisco NX-OS CLI

Enabling the LACP Feature
  Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable or disable LACP.
  Cisco NX-OS CLI:
    feature lacp

Configuring LACP Active Mode
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode active
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
      channel-group 1 mode active

Configuring LACP Passive Mode
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode passive
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
      channel-group 1 mode passive

Configuring Static Mode (no protocol)
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
      channel-group 1 mode on
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
      channel-group 1 mode on

Enabling a Port Channel
  Cisco IOS CLI:
    interface port-channel 1
      no shutdown
  Cisco NX-OS CLI:
    interface port-channel 1
      no shutdown

Layer-2 Port-Channel Example
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
      switchport
      channel-group 1 mode active
    interface port-channel 1
      no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
      switchport
      channel-group 1 mode active
    interface port-channel 1
      no shutdown

Layer-3 Port-Channel Example
  Cisco IOS CLI:
    interface range gigabitethernet 1/1-2
      no switchport
      channel-group 1 mode active
    interface port-channel 1
      ip address 192.168.1.1 255.255.255.0
      no shutdown
  Cisco NX-OS CLI:
    interface ethernet 1/1-2
      no switchport
      channel-group 1 mode active
    interface port-channel 1
      ip address 192.168.1.1/24
      no shutdown

Adding an Interface to an Existing Port-Channel
  Cisco IOS CLI (Cisco IOS Software does not have the force option, so all interface parameters have to be compatible prior to adding the interface to an existing Port-Channel):
    interface range gigabitethernet 1/3
      no switchport
      channel-group 1 mode active
  Cisco NX-OS CLI:
    interface ethernet 1/3
      channel-group 1 force mode active

Configuring the System Load-Balance Algorithm
  Cisco IOS CLI:
    port-channel load-balance dst-mac
  Cisco NX-OS CLI:
    port-channel load-balance ethernet destination-mac

Configuring the Load-Balance Algorithm per Module
  Cisco IOS CLI:
    port-channel per-module load-balance
    port-channel load-balance dst-mac module 1
  Cisco NX-OS CLI:
    port-channel load-balance ethernet destination-mac module 1
Verification Command Comparison

The following table lists some useful show commands for verifying and troubleshooting a Port-Channel configuration.
Cisco NX-OS Port-Channel Command | Cisco IOS Software Port-Channel Command | Description
show interface | show interface | Displays statistics for all interfaces or a specific interface
show interface port-channel <#> | show interface port-channel <#> | Displays statistics for a specific port-channel

show port-channel capacity | - | Displays port-channel resources (total, used, free)
show port-channel compatibility-parameters | - | Displays the compatibility parameters (for example, speed, duplex, etc.)
show port-channel database | - | Displays the aggregation state for one or more port-channels
show port-channel load-balance | show etherchannel load-balance | Displays the load-balancing algorithm (hash) configured
show port-channel load-balance forwarding-path | show etherchannel load-balance hash-result | Displays packet forwarding information
show port-channel summary | show etherchannel summary | Displays a summarized list of all port-channels
show port-channel traffic | - | Displays the load per link in a port-channel (based on interface counters)
show port-channel usage | - | Displays the range of used and unused port-channel numbers

show lacp counters | show lacp counters | Displays the LACP PDU and error counters
show lacp interface | - | Displays detailed LACP information per interface
show lacp neighbors | show lacp neighbors | Displays detailed LACP information per neighbor
show lacp port-channel | show lacp <port-channel-#> | Displays the port-channel LACP configuration
show lacp system-identifier | show lacp sys-id | Displays the LACP system ID (Priority / MAC address)
HSRP

HSRP is a Cisco proprietary First Hop Redundancy Protocol (FHRP) designed to allow transparent failover for an IP client’s default gateway (first-hop router).

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• HSRP command-line interface (CLI) configuration and verification commands are not available until you enable the HSRP feature with the feature hsrp command.
• HSRP is hierarchical. All related commands for an HSRP group are configured under the group number.
• The HSRP configuration commands use the format hsrp <option> instead of standby <option>.
• The HSRP verification commands use the format show hsrp <option> instead of show standby <option>.
• HSRP supports stateful process restart by default.
• The hello and hold-time timer ranges for the millisecond options are different. In Cisco NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000 milliseconds.
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining HSRP-enabled networks.
• If you remove the feature hsrp command, all relevant HSRP configuration information is also removed.
• HSRPv1 is enabled by default (HSRPv2 can be enabled per interface).
• HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers (0 to 4095).
• HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a different version on different interfaces.
• The show running-config hsrp command displays the current HSRP configuration.
• Configuration of more than one FHRP on an interface is not recommended.
• Object tracking is supported. Tracking can be configured for an interface’s line protocol state, IP address state, and for IP route reachability (determining whether a route is available in the routing table).
• An interface can track multiple objects.
• Secondary IP addresses are supported in the same or a different group as the interface’s primary IP address.
• Load sharing can be accomplished by using multiple HSRP groups per interface.
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for configuration and verification commands. Both enhancements make the configuration easier to read.
Cisco IOS CLI vs. Cisco NX-OS CLI

Enabling the HSRP Feature
  Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable or disable HSRP.
  Cisco NX-OS CLI:
    feature hsrp

Configuring HSRP on an Interface
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        ip 192.168.10.1

Configuring the priority and preempt Options
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 priority 110
      standby 0 preempt
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        preempt
        priority 110
        ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Seconds)
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 timers 1 3
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        timers 1 3
        ip 192.168.10.1

Modifying the Hello and Holdtime Timers (Milliseconds)
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 timers msec 250 msec 750
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        timers msec 250 msec 750
        ip 192.168.10.1

Configuring MD5 Authentication
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 authentication md5 key-string cisco123
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        authentication md5 key-string cisco123
        ip 192.168.10.1

Configuring HSRP Version 2 on an Interface
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby version 2
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp version 2

Configuring Minimum and Reload Initialization Delay
  Cisco IOS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby delay minimum 5 reload 10
  Cisco NX-OS CLI:
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp delay minimum 5 reload 10

Configuring Object Tracking (Interface Line-Protocol)
  Cisco IOS CLI:
    track 1 interface Ethernet2/2 line-protocol
    interface Ethernet2/1
      ip address 192.168.10.2 255.255.255.0
      standby 0 ip 192.168.10.1
      standby 0 track 1 decrement 20
  Cisco NX-OS CLI:
    track 1 interface ethernet 2/2 line-protocol
    interface Ethernet2/1
      ip address 192.168.10.2/24
      hsrp 0
        track 1 decrement 20
        ip 192.168.10.1
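Because the NX-OS HSRP configuration is hierarchical, a group's settings can be checked by reading the sub-commands under its hsrp <group> block. The Python below is an added example, not part of this guide, that parses interface / hsrp / sub-command nesting from a constructed NX-OS-style config and checks three things this section states: millisecond timers must fall in the NX-OS ranges (hello 250 to 999 ms, hold 750 to 3000 ms), group numbers above 255 need hsrp version 2 on that interface, and the group should carry an MD5 authentication key-string. The sample config and function names are my own; the parser assumes the two-space-per-level indentation that show running-config hsrp produces.

```python
"""Validate NX-OS hierarchical HSRP configuration against the rules in this section.

Added example, not from the original guide. For each 'hsrp <group>' under an interface:
  * 'timers msec H msec D' must satisfy 250 <= H <= 999 and 750 <= D <= 3000 (NX-OS ranges)
  * a group number above 255 requires 'hsrp version 2' on the same interface
  * 'authentication md5 key-string ...' must be present
"""
import re

HELLO_MS = (250, 999)
HOLD_MS = (750, 3000)

# Constructed NX-OS-style config (not captured from a real device). Ethernet2/1 is
# compliant; Ethernet2/2 uses an HSRPv2-only group number without version 2, timers
# that are valid on IOS but not on NX-OS, and no authentication.
SAMPLE_HSRP = """\
feature hsrp
interface Ethernet2/1
  ip address 192.168.10.2/24
  hsrp 0
    preempt
    priority 110
    timers msec 250 msec 750
    authentication md5 key-string cisco123
    ip 192.168.10.1
interface Ethernet2/2
  ip address 192.168.20.2/24
  hsrp 300
    timers msec 100 msec 500
    ip 192.168.20.1
"""


def parse_hsrp(config_text):
    """Return {interface: {"version": int, "groups": {group_id: [sub-commands]}}}."""
    interfaces = {}
    iface = None
    group = None
    for raw in config_text.splitlines():
        depth = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if not line:
            continue
        if depth == 0:                                  # top-level command
            iface = group = None
            if line.startswith("interface "):
                iface = line.split(None, 1)[1]
                interfaces[iface] = {"version": 1, "groups": {}}   # HSRPv1 is the default
        elif depth == 2 and iface is not None:          # interface sub-command
            group = None
            m = re.match(r"hsrp version (\d)$", line)
            if m:
                interfaces[iface]["version"] = int(m.group(1))
                continue
            m = re.match(r"hsrp (\d+)$", line)
            if m:
                group = int(m.group(1))
                interfaces[iface]["groups"][group] = []
        elif depth == 4 and iface is not None and group is not None:   # hsrp group sub-command
            interfaces[iface]["groups"][group].append(line)
    return interfaces


def check_hsrp(config_text):
    """Return a list of human-readable findings; an empty list means all groups pass."""
    findings = []
    for iface, data in parse_hsrp(config_text).items():
        for gid, cmds in data["groups"].items():
            where = f"{iface} hsrp {gid}"
            if gid > 255 and data["version"] != 2:
                findings.append(f"{where}: group numbers above 255 require hsrp version 2")
            for c in cmds:
                m = re.match(r"timers msec (\d+) msec (\d+)$", c)
                if m:
                    hello, hold = int(m.group(1)), int(m.group(2))
                    if not HELLO_MS[0] <= hello <= HELLO_MS[1]:
                        findings.append(f"{where}: hello {hello} ms outside NX-OS range {HELLO_MS}")
                    if not HOLD_MS[0] <= hold <= HOLD_MS[1]:
                        findings.append(f"{where}: hold {hold} ms outside NX-OS range {HOLD_MS}")
            if not any(c.startswith("authentication md5 key-string") for c in cmds):
                findings.append(f"{where}: no MD5 authentication configured")
    return findings


if __name__ == "__main__":
    for finding in check_hsrp(SAMPLE_HSRP):
        print("FINDING:", finding)
```

The timer check is the part that matters when migrating from IOS: a standby timer line of 100/500 ms is accepted by IOS but is outside the NX-OS range, so it is worth catching before the configuration is pushed rather than at the CLI.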
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting an HSRP configuration.
Cisco NX-OS HSRP Command | Cisco IOS Software HSRP Command | Description
show hsrp | show standby <#> | Displays detailed information for all HSRP groups
show hsrp active | - | Displays all of the groups in the "active" state
show hsrp brief | show standby brief | Displays a summary of all the HSRP groups
show hsrp delay | - | Displays minimum and maximum delay times for preempting
show hsrp group | - | Displays detailed information for a specified group
show hsrp init | - | Displays all the groups in the "init" state
show hsrp interface | - | Displays detailed information for a specific interface
show hsrp learn | - | Displays all the groups in the "learn" state
show hsrp listen | - | Displays all the groups in the "listen" state
show hsrp speak | - | Displays all the groups in the "speak" state
show hsrp standby | - | Displays all the groups in the "standby" state
show hsrp summary | - | Displays summary information for HSRP groups

show track | show track | Displays the configured tracked objects
show track brief | show track brief | Displays a brief list of tracked objects
show track interface | show track interface | Displays the status of tracked interfaces
show track ip | show track ip | Displays the IP protocol objects that are tracked
Learn Nexus Page 25
DHCP Relay
The DHCP Relay feature was designed to forward DHCP broadcast requests as unicast packets to a configured DHCP server or servers for redundancy.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• DHCP command-line interface (CLI) configuration and verification commands are not available until you enable the DHCP feature with the feature dhcp command.
• The DHCP service is not enabled by default, whereas it is enabled by default in Cisco IOS Software.
• The DHCP-Relay command ip dhcp relay address is equivalent to the ip helper-address command in Cisco IOS Software.
• Only packets destined to User Datagram Protocol (UDP) port 67 (Bootps) and 68 (Bootpc) are forwarded by the relay, whereas Cisco IOS Software forwards additional protocols (Trivial File Transfer Protocol [TFTP], Domain Name System [DNS], Time, NetBIOS, and Neighbor Discovery).
• Cisco NX-OS cannot act as a DHCP server.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining networks with the DHCP-Relay feature.
• If you remove the feature dhcp command, all relevant DHCP configuration information is also removed.
• Prior to NX-OS 4.2(1), the service dhcp command enabled the DHCP Relay feature. In NX-OS 4.2(1) the command was changed to ip dhcp relay.
• Sixteen DHCP Relay addresses can be configured per interface.
• DHCP packets are always forwarded through DHCP Relay in the same Virtual Route Forwarding (VRF) instance assigned to the interface.
• Assign a DHCP Relay to every interface that may have a client, even if the server resides in the same Layer-2 broadcast domain (VLAN). This has been fixed in 4.2(1) software.
• DHCP Option 82 information can be configured with the ip dhcp relay information option global command.
• The DHCP Relay configuration can be verified with the show ip dhcp relay address command.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: in Cisco NX-OS, the DHCP feature must be enabled, and the DHCP service is not enabled by default.

Enabling the DHCP Feature
Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable DHCP.
Cisco NX-OS CLI:
feature dhcp

Enabling the DHCP Service
Cisco IOS CLI:
Cisco IOS Software enables service dhcp by default.
Cisco NX-OS CLI:
ip dhcp relay

Configuring DHCP Relay for an Interface
Cisco IOS CLI:
interface Ethernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip helper-address 1.1.1.1
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip dhcp relay address 1.1.1.1

Configuring Option 82 Information
Cisco IOS CLI:
ip dhcp relay information option
Cisco NX-OS CLI:
ip dhcp relay information option
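The model below is an added example, not code from this guide or from Cisco. It encodes the relay behaviour listed in the two sections above so the platform differences can be checked mechanically: the relay must be switched on before NX-OS forwards anything, NX-OS relays only UDP 67/68 broadcasts while IOS also relays other well-known UDP services, an interface takes at most sixteen relay addresses, and relayed copies stay in the VRF of the ingress interface. The packets, interfaces and VRF names are constructed; the UDP port numbers assigned to the IOS-only protocols (TFTP 69, DNS 53, Time 37, NetBIOS 137/138) are an assumption of the model, since the page names the protocols rather than the ports.

```python
"""What a DHCP relay forwards on NX-OS versus IOS (model, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_RELAYS_PER_INTERFACE = 16
BROADCAST = "255.255.255.255"
NXOS_RELAYED_PORTS = {67, 68}                       # BOOTP server / client only
# IOS ip helper-address also forwards TFTP, DNS, Time and NetBIOS by default;
# these port numbers are an assumption of this model.
IOS_RELAYED_PORTS = {67, 68, 69, 53, 37, 137, 138}


@dataclass
class Interface:
    name: str
    vrf: str = "default"
    relays: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the broadcast arrived on
    dst_ip: str
    proto: str        # "udp" or "tcp"
    dport: int


class DhcpRelay:
    def __init__(self, platform: str) -> None:
        if platform not in ("nxos", "ios"):
            raise ValueError("platform must be 'nxos' or 'ios'")
        self.platform = platform
        # IOS has the service on by default; NX-OS needs 'feature dhcp' and 'ip dhcp relay'.
        self.enabled = platform == "ios"
        self.interfaces: Dict[str, Interface] = {}

    def enable(self) -> None:
        self.enabled = True

    def add_interface(self, name: str, vrf: str = "default") -> None:
        self.interfaces[name] = Interface(name, vrf)

    def add_relay(self, iface: str, server: str) -> None:
        """'ip dhcp relay address <server>' on NX-OS, 'ip helper-address <server>' on IOS."""
        i = self.interfaces[iface]
        if len(i.relays) >= MAX_RELAYS_PER_INTERFACE:
            raise ValueError(f"{iface}: at most {MAX_RELAYS_PER_INTERFACE} relay addresses")
        i.relays.append(server)

    def forward(self, pkt: Packet) -> Tuple[str, List[Tuple[str, str]]]:
        """Return (verdict, [(server, vrf), ...]); the list is empty unless the
        packet is relayed as unicast to every configured server."""
        if not self.enabled:
            return ("dropped: DHCP relay not enabled", [])
        if pkt.dst_ip != BROADCAST or pkt.proto != "udp":
            return ("ignored: not a UDP broadcast", [])
        allowed = NXOS_RELAYED_PORTS if self.platform == "nxos" else IOS_RELAYED_PORTS
        if pkt.dport not in allowed:
            return (f"dropped: udp/{pkt.dport} is not relayed on {self.platform}", [])
        i = self.interfaces[pkt.ingress]
        if not i.relays:
            return ("dropped: no relay address on ingress interface", [])
        return ("relayed", [(server, i.vrf) for server in i.relays])


if __name__ == "__main__":
    # Constructed walk-through: the same client broadcast on both platforms.
    discover = Packet("Ethernet2/1", BROADCAST, "udp", 67)
    tftp = Packet("Ethernet2/1", BROADCAST, "udp", 69)
    for platform in ("nxos", "ios"):
        r = DhcpRelay(platform)
        r.add_interface("Ethernet2/1", vrf="tenant-a")
        r.add_relay("Ethernet2/1", "1.1.1.1")
        print(platform, "before enable:", r.forward(discover)[0])
        r.enable()
        print(platform, "DHCP:", r.forward(discover), "TFTP:", r.forward(tftp)[0])
```

The forward() verdict strings make a useful fixture when writing migration tests: a service that relied on the IOS relay carrying TFTP or DNS broadcasts will show up as a dropped verdict on the NX-OS instance before the cut-over, not after.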
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the DHCP-Relay feature.

Cisco NX-OS DHCP-Relay | Cisco IOS Software DHCP-Relay | Command Description
show ip dhcp relay address | - | Displays a list of DHCP-Relay(s) configured for all interfaces
show ip dhcp relay address interface | - | Displays the DHCP-Relay(s) configured for a specific interface
STP
STP is a standards-based link-layer protocol originally defined in IEEE 802.1d that runs on switches to prevent forwarding loops when using redundant layer-2 network topologies. Newer variants of STP have been developed, called Rapid Spanning Tree Protocol (RSTP), defined in IEEE 802.1w, and Multiple Spanning Tree Protocol (MST), defined in IEEE 802.1s, that are enhanced for better scalability and converge faster than the original version.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• Rapid-PVST+ and the MST protocols are supported.
• Rapid-PVST+ is enabled by default.
• High availability is achieved with stateful switchover when two supervisors are installed in a chassis.
• The STP port types are identified with the port type designation as opposed to the portfast designation in Cisco IOS Software.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a network configured with STP.
• Rapid-PVST+ is interoperable with the 802.1d STP.
• Rapid-PVST+ is interoperable with MST. (This is enabled by default.)
• Only one STP can be enabled per VDC.
• Bridge Assurance is enabled globally by default, but is disabled on an interface by default.
• Bridge Assurance can be enabled for an interface using the spanning-tree port type network interface command.
• The clear spanning-tree counters command clears the counters for an STP interface or a VLAN.
• STP enhancements such as BPDU Guard, Loop Guard, Root Guard, and BPDU Filtering are supported.

Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software:
• Do not disable STP. Even if the layer-2 topology does not require STP, it should always be enabled as a safeguard for configuration and/or cabling errors.
• Changing the STP mode can disrupt traffic.
• Enabling Bridge Assurance is recommended. However, only enable Bridge Assurance on layer-2 links if both devices on each end of the link support it.
• Typically the core/backbone devices should be configured as the primary and secondary root bridges.
• The default bridge priority is 32,768 (plus the VLAN #). The lower the value, the more likely it will become the root bridge.
• Configure 802.1q trunk ports as edge trunk port type when connecting to L3 hosts such as firewalls, load-balancers, or servers for faster convergence.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type terminology. Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port type designation.

Configuring VLANs
Cisco IOS CLI:
vlan 10,20
Cisco NX-OS CLI:
vlan 10,20

Configuring Rapid PVST+
Cisco IOS CLI:
spanning-tree mode rapid-pvst
Cisco NX-OS CLI:
Rapid-PVST+ is enabled by default.
spanning-tree mode rapid-pvst

Configuring the Rapid-PVST+ Bridge Priority
Cisco IOS CLI:
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary
Cisco NX-OS CLI:
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary

Configuring MST
Cisco IOS CLI:
spanning-tree mode mst
Cisco NX-OS CLI:
spanning-tree mode mst

Configuring an MST Instance
Cisco IOS CLI:
spanning-tree mst configuration
  instance 1 vlan 10
  instance 2 vlan 20
Cisco NX-OS CLI:
spanning-tree mst configuration
  instance 1 vlan 10
  instance 2 vlan 20

Configuring the MST Bridge Priority
Cisco IOS CLI:
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
Cisco NX-OS CLI:
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary

Configuring STP Port Types Globally
Cisco IOS CLI:
spanning-tree portfast edge default
or
spanning-tree portfast network default
Cisco NX-OS CLI:
spanning-tree port type edge default
or
spanning-tree port type network default

Configuring STP Port Types per Interface
Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree portfast edge
  or
  spanning-tree portfast network
  or
  spanning-tree portfast disable
Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree port type edge
  or
  spanning-tree port type network
  or
  spanning-tree port type normal

Configuring a Trunk as an Edge Port Type
Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree portfast edge trunk
Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree port type edge trunk

Disabling PVST Simulation Globally
Cisco IOS CLI:
no spanning-tree mst simulate pvst global
Cisco NX-OS CLI:
no spanning-tree mst simulate pvst global

Disabling PVST Simulation per Port
Cisco IOS CLI:
interface GigabitEthernet1/1
  switchport
  spanning-tree mst simulate pvst disable
Cisco NX-OS CLI:
interface ethernet 1/1
  switchport
  spanning-tree mst simulate pvst disable
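The script below is an added example and is not code from this guide. It works through the two best-practice points above that are easiest to get wrong: which bridge actually becomes root for a VLAN under Rapid-PVST+ (priority plus VLAN number, lowest wins, MAC address as the tie-breaker), and whether each port carries the port type the rules call for (edge or edge trunk toward hosts, network only where the far end also runs Bridge Assurance). The bridges, MAC addresses and links are constructed; the priorities 24576 and 28672 in the sample are the values the root primary and root secondary macros normally assign, which is an assumption here rather than something the page states. The check that flags an edge port type facing another switch is an editor-added check, not one of the bullets above.

```python
"""Rapid-PVST+ root election and STP port-type review (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768


@dataclass
class Bridge:
    name: str
    mac: str                                                  # "0000.0000.0001"
    priorities: Dict[int, int] = field(default_factory=dict)  # vlan -> configured priority


def bridge_id(b: Bridge, vlan: int) -> Tuple[int, int]:
    """Comparable (priority + vlan, mac) pair; the smaller pair wins the election."""
    prio = b.priorities.get(vlan, DEFAULT_PRIORITY)
    if prio % 4096 or not 0 <= prio <= 61440:
        raise ValueError(f"{b.name}: priority must be a multiple of 4096 between 0 and 61440")
    return (prio + vlan, int(b.mac.replace(".", "").replace(":", ""), 16))


def elect_root(bridges: List[Bridge], vlan: int) -> List[str]:
    """Bridge names ordered best-first for this VLAN; element 0 is the root."""
    return [b.name for b in sorted(bridges, key=lambda b: bridge_id(b, vlan))]


def check_root_placement(bridges: List[Bridge], vlan: int, primary: str, secondary: str) -> List[str]:
    """Confirm the intended core devices win the election for the VLAN."""
    order = elect_root(bridges, vlan)
    findings: List[str] = []
    if order[0] != primary:
        findings.append(f"vlan {vlan}: root is {order[0]}, expected {primary}")
    if len(order) > 1 and order[1] != secondary:
        findings.append(f"vlan {vlan}: backup root is {order[1]}, expected {secondary}")
    return findings


@dataclass
class Link:
    interface: str
    port_type: str                   # "edge", "edge trunk", "network" or "normal"
    peer: str                        # "switch" or "host" (server, firewall, load balancer)
    peer_bridge_assurance: bool = False
    trunk: bool = False              # carries 802.1q tags


def check_port_types(links: List[Link]) -> List[str]:
    """Host-facing ports are edge (edge trunk when tagged); 'network' only
    where the peer supports Bridge Assurance; edge never toward a switch."""
    findings: List[str] = []
    for link in links:
        if link.peer == "host":
            want = "edge trunk" if link.trunk else "edge"
            if link.port_type != want:
                findings.append(f"{link.interface}: host-facing, should be port type {want}")
        elif link.port_type == "network" and not link.peer_bridge_assurance:
            findings.append(f"{link.interface}: network port but peer lacks Bridge Assurance")
        elif link.port_type.startswith("edge"):
            findings.append(f"{link.interface}: edge port type toward a switch")
    return findings


if __name__ == "__main__":
    # Constructed topology: two cores, one access switch left at defaults.
    core1 = Bridge("core1", "0000.0000.0001", {10: 24576, 20: 28672})
    core2 = Bridge("core2", "0000.0000.0002", {10: 28672, 20: 24576})
    access1 = Bridge("access1", "0000.0000.0003")
    for vlan in (10, 20):
        print(vlan, elect_root([access1, core2, core1], vlan))
    print(check_port_types([Link("Ethernet1/2", "normal", "host", trunk=True)]))
```

Feed elect_root() the priorities from show spanning-tree vlan on each switch and it tells you which device will win before you change anything, which is the safe way to plan the root move the page warns can disrupt traffic.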
Verification Command Comparison
The following table lists some useful show commands for verifying and troubleshooting an STP network configuration. The show commands are identical for Cisco IOS and Cisco NX-OS Software.

Cisco NX-OS STP | Cisco IOS Software STP | Command Description
show spanning-tree | show spanning-tree | Displays high-level STP process information
show spanning-tree active | show spanning-tree active | Displays all ports in the active state
show spanning-tree blockedports | show spanning-tree blockedports | Displays all ports in the blocked state
show spanning-tree detail | show spanning-tree detail | Displays detailed information per STP instance
show spanning-tree interface | show spanning-tree interface | Displays detailed STP information for a specific interface
show spanning-tree mst | show spanning-tree mst | Displays high-level MST configuration
show spanning-tree mst configuration | show spanning-tree mst configuration | Displays the MST instance configuration
show spanning-tree mst detail | show spanning-tree mst detail | Displays detailed MST information
show spanning-tree root | show spanning-tree root | Displays STP root information
show spanning-tree summary | show spanning-tree summary | Displays STP summary information
show spanning-tree vlan | show spanning-tree vlan | Displays per-VLAN STP information
EIGRP
EIGRP is a Cisco proprietary hybrid distance vector routing protocol used to exchange network reachability information within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• EIGRP command-line interface (CLI) configuration and verification commands are not available until you enable the EIGRP feature with the feature eigrp command.
• The EIGRP protocol requires the Enterprise Services license.
• The EIGRP instance can consist of 20 characters. Cisco IOS Software supports numbers 1 to 65536.
• Eight equal-cost paths are supported by default; Cisco NX-OS supports up to 16.
• Route auto-summarization is disabled by default.
• Networks and interfaces are added to an EIGRP instance under the interface configuration mode.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• A default route can be generated with the default-information originate command, whereas Cisco IOS Software requires additional CLI commands to achieve similar results.
• When interface authentication is configured, the EIGRP key is encrypted with Data Encryption Standard 3 (3DES) in the configuration. Cisco IOS Software requires the service password command.
• Distribute-lists used to filter routes from routing updates are applied under the interface with the ip distribute-list eigrp command, as opposed to under the EIGRP router instance.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an EIGRP network.
• Four EIGRP instances can be configured per virtual device context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated with an EIGRP instance.
• If the feature eigrp command is removed, all relevant EIGRP configuration information is also removed.
• The shutdown command can be used to disable an EIGRP instance while retaining the configuration. This feature can also be applied per interface with the ip eigrp <instance #> shutdown command.
• The show running-config eigrp command displays the current EIGRP configuration.
• An EIGRP instance can be restarted with the restart eigrp <instance #> command.
• Graceful restart (RFC 3623) is enabled by default.
• Multiple EIGRP instances can be configured on the same interface.
• Secondary IP addresses are advertised by default and cannot be suppressed per interface.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows EIGRP to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read. In addition, Cisco NX-OS has the capability to generate a default route, whereas Cisco IOS Software requires additional CLI commands to achieve similar results.

Enabling the EIGRP Feature
Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable EIGRP.
Cisco NX-OS CLI:
feature eigrp

Configuring an EIGRP Instance and Router ID
Cisco IOS CLI:
router eigrp 10
  eigrp router-id 192.168.1.1
Cisco NX-OS CLI:
router eigrp 10
  router-id 192.168.1.1

Associating a Network with an EIGRP Instance
Cisco IOS CLI:
router eigrp 10
  network 192.168.10.0
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10

Configuring a Passive Interface
Cisco IOS CLI:
router eigrp 10
  network 192.168.10.0
  passive-interface GigabitEthernet2/1
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip passive-interface eigrp 10

Configuring Interface Authentication (MD5)
Cisco IOS CLI:
key chain eigrp-key
  key 1
    key-string cisco123
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip authentication mode eigrp 10 md5
  ip authentication key-chain eigrp 10 eigrp-key
Cisco NX-OS CLI:
key chain eigrp-key
  key 1
    key-string 7 070c285f4d06485744
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip authentication mode eigrp 10 md5
  ip authentication key-chain eigrp 10 eigrp-key

Configuring an EIGRP Distribution List to Filter Routes
Cisco IOS CLI:
ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24
router eigrp 10
  network 192.168.10.0
  distribute-list prefix eigrp-10-list out GigabitEthernet2/1
Cisco NX-OS CLI:
ip prefix-list eigrp-10-list seq 5 permit 159.142.1.0/24
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip distribute-list eigrp 10 prefix-list eigrp-10-list out

Configuring Route Summarization
Cisco IOS CLI:
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip summary-address eigrp 10 159.142.0.0 255.255.0.0 5
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router eigrp 10
  ip summary-address eigrp 10 159.142.0.0/16

Generating a Default Route (Conditional)
Cisco IOS CLI:
Cisco IOS Software does not have the same CLI to generate a default route, but redistribution or the ip summary-address command can be used to achieve similar results.
Cisco NX-OS CLI:
router eigrp 10
  default-information originate
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an EIGRP network configuration.

Cisco NX-OS EIGRP | Cisco IOS Software EIGRP | Command Description
show ip eigrp | show ip eigrp <#> | Displays all EIGRP information for a specified process
show ip eigrp accounting | - | Displays the number of prefixes that each neighbor advertised
show ip eigrp interfaces | show ip eigrp interfaces | Displays interfaces configured for EIGRP
show ip eigrp interfaces detail | show ip eigrp interfaces detail | Displays detailed interface information
show ip eigrp neighbors | show ip eigrp neighbors | Displays currently connected neighbors
show ip eigrp neighbors detail | show ip eigrp neighbors detail | Displays connected neighbors and associated details
show ip eigrp policy | - | Displays redistribution statistics for the specified protocol
show ip eigrp route | - | Displays EIGRP routes
show ip eigrp topology | show ip eigrp topology | Displays the EIGRP topology table
show ip eigrp traffic | show ip eigrp traffic | Displays statistics related to EIGRP
OSPF
OSPFv2 is an IETF (RFC 2328) standards-based dynamic link-state routing protocol used to exchange network reachability within an autonomous system.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• OSPF command-line interface (CLI) configuration and verification commands are not available until you enable the OSPF feature with the feature ospf command.
• The OSPF protocol requires the Enterprise Services license.
• The OSPF instance can consist of 20 characters, whereas Cisco IOS supports numbers 1 to 65536.
• Eight equal-cost paths are supported by default. You can configure up to sixteen.
• The default reference bandwidth used in the OSPF cost calculation is 40 Gbps.
• Networks and interfaces are added to an OSPF instance under the interface configuration mode.
• An OSPF area can be configured using decimal or decimal dotted notation, but it is always displayed in decimal dotted notation in the configuration and in the show command output.
• Passive interfaces are applied to the interface as opposed to under the OSPF router instance.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• Neighbor adjacency changes are not logged by default. The log-adjacency-changes CLI command is required under the OSPF instance.
• When interface authentication is configured, the OSPF key is encrypted with Data Encryption Standard 3 (3DES) in the configuration. Cisco IOS Software requires the service password command.
• When you roll over an OSPF authentication key in a combined Cisco NX-OS/Cisco IOS network, you should configure both keys on the Cisco NX-OS router to ensure that there is sufficient overlap between the old key and the new key for a smooth transition to the new key. You should configure the new key as a valid accept key on all the NX-OS and IOS routers before the new key becomes a valid generation key in the keychain. During the overlap period, Cisco NX-OS transmits the new OSPF key and accepts OSPF authenticated packets from both the old key and the new key.
• NX-OS does not support distribute-lists used to remove OSPF routes from the routing table. NX-OS does support inter-area LSA/route filtering using the filter-list command configured under the OSPF routing instance.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an OSPF network.
• Four OSPF instances can be configured per virtual device context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated with an OSPF instance.
• If you remove the feature ospf command, all relevant OSPF configuration information is also removed.
• The shutdown command under the OSPF process can be used to disable OSPF while retaining the configuration. Similar functionality can also be applied per interface with the ip ospf shutdown command.
• The show running-config ospf command displays the current OSPF configuration.
• An OSPF instance can be restarted with the restart ospf <instance #> command.
• Graceful Restart (RFC 3623) is enabled by default.
• OSPF supports stateful process restarts if two supervisors are present.
• You cannot configure multiple OSPF instances on the same interface.
• An interface can support multi-area adjacencies using the multi-area option with the ip router ospf interface command.
• Secondary IP addresses are advertised by default, but can be suppressed per interface with the ip router ospf <instance> area <#> secondaries none interface command.
• By default all loopback IP address subnet masks are advertised in an LSA as a /32. The loopback interface command ip ospf advertise-subnet can be configured to advertise the primary IP address subnet mask. (This command does not apply to secondary IP addresses. They will still be advertised as a /32.)
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS allows OSPF to be enabled and disabled globally, and it has a more interface-centric configuration that makes it easier to read.

Enabling the OSPF Feature
Cisco IOS CLI:
Cisco IOS Software does not have the ability to enable or disable OSPF.
Cisco NX-OS CLI:
feature ospf

Configuring an OSPF Instance and Router ID
Cisco IOS CLI:
router ospf 10
  router-id 192.168.1.1
Cisco NX-OS CLI:
router ospf 10
  router-id 192.168.1.1

Associating a Network with an OSPF Instance and Area
Cisco IOS CLI:
router ospf 10
  network 192.168.1.0 0.0.0.255 area 1
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router ospf 10 area 1

Configuring a Passive Interface
Cisco IOS CLI:
router ospf 10
  passive-interface GigabitEthernet2/1
  network 192.168.1.0 0.0.0.255 area 1
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.11.1/24
  ip ospf passive-interface
  ip router ospf 10 area 0

Configuring Interface Authentication (MD5)
Cisco IOS CLI:
interface GigabitEthernet2/1
  ip address 192.168.10.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco123
Cisco NX-OS CLI:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
  ip router ospf 10 area 1

Configuring a Stub Area with the no-summary Option
Cisco IOS CLI:
router ospf 10
  area 2 stub no-summary
Cisco NX-OS CLI:
router ospf 10
  area 2 stub no-summary

Creating a Not-So-Stubby Area (NSSA) and Generating a Default Route
Cisco IOS CLI:
router ospf 10
  area 3 nssa default-information-originate
Cisco NX-OS CLI:
router ospf 10
  area 3 nssa default-information-originate

Configuring Inter-Area and External Summarization
Cisco IOS CLI:
router ospf 10
  area 0 range 159.142.0.0 255.255.0.0
  summary-address 172.16.0.0 255.255.0.0
Cisco NX-OS CLI:
router ospf 10
  area 0 range 159.142.0.0/16
  summary-address 172.16.0.0/16

Generating a Default Route (Conditional)
Cisco IOS CLI:
router ospf 10
  default-information originate
Cisco NX-OS CLI:
router ospf 10
  default-information originate

Generating a Maximum Metric (Max-Metric) Value
Cisco IOS CLI:
router ospf 10
  max-metric router-lsa
Cisco NX-OS CLI:
router ospf 10
  max-metric router-lsa
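The script below is an added example, not code from this guide or from Cisco. It turns the "interface-centric" difference that both the EIGRP and OSPF sections describe into a mechanical translation: given an IOS router eigrp / router ospf block and the NX-OS interface address table, it computes which interfaces the IOS network statements (classful for EIGRP when no wildcard is given, wildcard plus area for OSPF) would have matched and emits the per-interface NX-OS commands, normalising the OSPF area to the dotted form NX-OS displays. It also carries two platform defaults from the bullet lists above: select_router_id() is the router-ID fallback the page gives for EIGRP, OSPF and BGP alike, and ospf_cost() shows what the 40 Gbps NX-OS reference bandwidth does to link costs next to IOS, whose 100 Mbps default is an assumption stated in the code rather than a fact from the page. The IOS configuration, the interface table and the name map from GigabitEthernet to Ethernet are constructed for the example.

```python
"""IOS network statements to NX-OS interface commands, plus two platform defaults."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple


def classful_prefix(net: str) -> ipaddress.IPv4Network:
    """'network A.B.C.D' without a wildcard is classful in IOS EIGRP."""
    first = int(net.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{plen}", strict=False)


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(net)) & care


def area_dotted(area: str) -> str:
    """NX-OS displays an OSPF area in dotted notation however it was typed."""
    return area if "." in area else str(ipaddress.ip_address(int(area)))


def to_nxos(ios_config: str, interfaces: Dict[str, str], name_map: Dict[str, str]) -> Dict[str, List[str]]:
    """interfaces: NX-OS name -> 'a.b.c.d/len'; name_map: IOS name -> NX-OS name.
    Returns the interface sub-commands NX-OS needs for the same result."""
    out: Dict[str, List[str]] = {name: [] for name in interfaces}
    proto = inst = None
    for raw in ios_config.splitlines():
        line = raw.strip()
        m = re.match(r"router (eigrp|ospf) (\S+)$", line)
        if m:
            proto, inst = m.groups()
            continue
        if proto is None:
            continue
        m = re.match(r"network (\S+)(?: (\d+\.\d+\.\d+\.\d+))?(?: area (\S+))?$", line)
        if m:
            net, wild, area = m.groups()
            if proto == "ospf" and (wild is None or area is None):
                raise ValueError(f"OSPF network statement needs wildcard and area: {line}")
            for name, cidr in interfaces.items():
                ip = cidr.split("/")[0]
                hit = wildcard_match(ip, net, wild) if wild else ipaddress.ip_address(ip) in classful_prefix(net)
                if hit:
                    cmd = f"ip router eigrp {inst}" if proto == "eigrp" else f"ip router ospf {inst} area {area_dotted(area)}"
                    if cmd not in out[name]:
                        out[name].append(cmd)
            continue
        m = re.match(r"passive-interface (\S+)$", line)
        if m:
            name = name_map.get(m.group(1), m.group(1))
            if name in out:
                out[name].append(f"ip passive-interface eigrp {inst}" if proto == "eigrp" else "ip ospf passive-interface")
    return out


def select_router_id(interfaces: List[Tuple[str, str]]) -> Optional[str]:
    """Router-ID fallback from the page: loopback0, else the first loopback, else
    the first physical interface, in running-config order of (name, address)."""
    for name, ip in interfaces:
        if name.lower() == "loopback0":
            return ip
    for name, ip in interfaces:
        if name.lower().startswith("loopback"):
            return ip
    return interfaces[0][1] if interfaces else None


NXOS_REF_BW_MBPS = 40_000   # 40 Gbps, the NX-OS default stated above
IOS_REF_BW_MBPS = 100       # IOS default; an assumption, not stated on the page


def ospf_cost(link_mbps: int, ref_mbps: int = NXOS_REF_BW_MBPS) -> int:
    """cost = reference bandwidth / link bandwidth, truncated, never below 1."""
    return max(1, ref_mbps // link_mbps)


# Constructed sample: an IOS config and the NX-OS interface table it maps onto.
IOS_CONFIG = """\
router eigrp 10
 network 192.168.10.0
 passive-interface GigabitEthernet2/2
router ospf 10
 network 192.168.1.0 0.0.0.255 area 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface GigabitEthernet2/3
"""
INTERFACES = {"Ethernet2/1": "192.168.10.1/24", "Ethernet2/2": "192.168.10.5/30",
              "Ethernet2/3": "192.168.1.1/24", "loopback0": "10.1.1.1/32"}
NAME_MAP = {f"GigabitEthernet2/{n}": f"Ethernet2/{n}" for n in (1, 2, 3)}

if __name__ == "__main__":
    for iface, cmds in to_nxos(IOS_CONFIG, INTERFACES, NAME_MAP).items():
        print(iface, cmds)
    print("10G cost NX-OS/IOS:", ospf_cost(10_000), ospf_cost(10_000, IOS_REF_BW_MBPS))
```

The cost figures are the practical point for a mixed network: a 10 Gbps link costs 4 on NX-OS and 1 on IOS at the defaults, so set the same reference bandwidth on every router in the area before comparing paths.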
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting an OSPFv2 network configuration.

Cisco NX-OS OSPFv2 | Cisco IOS Software OSPFv2 | Command Description
show ip ospf | show ip ospf | Displays the running configuration
show ip ospf border-routers | show ip ospf border-routers | Displays a list of border routers
show ip ospf database | show ip ospf database | Displays OSPF database information
show ip ospf interface | show ip ospf interface <int type> | Displays OSPF database information
show ip ospf interface detail | - | Displays additional packet statistics for each interface
show ip ospf memory | - | Displays the memory allocated for OSPF
show ip ospf neighbor | show ip ospf neighbors | Displays neighbor-specific information
show ip ospf neighbor detail | show ip ospf neighbor detail | Displays details for each OSPF neighbor
show ip ospf policy statistics | - | Displays redistribution statistics for a specified protocol
show ip ospf request list | show ip ospf request list | Displays a list of link-state advertisements (LSAs) that have been requested
show ip ospf retransmission list | show module | Displays installed modules and their status
show ip ospf route | - | Displays all routes learned through OSPF
show ip ospf statistics | show ip ospf statistics | Displays OSPF LSA statistics
show ip ospf summary-address | show ip ospf summary-address | Displays OSPF-summarized networks
show ip ospf traffic | show ip ospf traffic | Displays OSPF-related packet counters
show ip ospf vrf | - | Displays information for a specified OSPF VRF instance
BGP
BGPv4 is a standard Exterior Routing Protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This document covers the features required for basic connectivity.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• BGP CLI configuration and verification commands are not available until you enable the BGP feature with the feature bgp command.
• The BGP protocol requires an Enterprise Services license.
• Autonomous system numbers can be configured as 16 or 32 bit values.
• Address families need to be explicitly enabled (i.e., IPv4 unicast, IPv6 unicast, etc.).
• By default, eBGP supports 8 Equal Cost Paths and iBGP supports 1. Cisco NX-OS supports up to 16 Equal Cost Paths for both eBGP and iBGP.
• Automatic Route Summarization and Synchronization are disabled by default.
• BGP consists of a hierarchical configuration based on neighbors and address families.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred. If loopback 0 does not exist, Cisco NX-OS selects the IP address of the first loopback interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP address of the first physical interface in the configuration.
• Neighbor logging is not enabled by default under the BGP instance. Neighbor logging can be enabled with the log-neighbor-changes command.
• When neighbor authentication is configured, the BGP key is 3DES encrypted in the configuration. Cisco IOS Software requires the service password command to encrypt it in the configuration.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining a BGP network.
• One BGP instance can be configured per Virtual Device Context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated with a BGP instance.
• If the feature bgp command is removed, all relevant BGP configuration information is also removed.
• Network statements must be configured under their respective address-family configuration mode when advertising them via BGP.
• The shutdown command under the BGP instance can be used to disable BGP while retaining the configuration.
• The show running-config bgp command displays the current BGP configuration.
• A BGP instance can be restarted with the restart bgp <instance #> command.
• Graceful Restart (RFC 3623) is enabled by default.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows BGP to be enabled and disabled globally. It utilizes a hierarchical configuration that makes it easier to read. Cisco NX-OS does not enable any address families by default; each address-family needs to be explicitly enabled. The following examples demonstrate this using the IPv4 unicast address family.

Enabling the BGP Feature
Cisco IOS CLI:
Cisco IOS Software does not have the functionality to enable or disable BGP.
Cisco NX-OS CLI:
feature bgp

Configuring a BGP Instance and Router ID
Cisco IOS CLI:
router bgp 10
  bgp router-id 192.168.1.1
Cisco NX-OS CLI:
router bgp 10
  router-id 192.168.1.1

Configuring a BGP Neighbor (Internal)
Cisco IOS CLI:
router bgp 10
  neighbor 192.168.2.1 remote-as 10
  neighbor 192.168.2.1 update-source Loopback0
Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.2.1 remote-as 10
    update-source loopback0
    address-family ipv4 unicast

Configuring a BGP Neighbor (External)
Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Advertising a Network in an Address Family (IPv4)
Cisco IOS CLI:
router bgp 10
  network 159.142.1.0 mask 255.255.255.0
  network 159.142.254.0 mask 255.255.255.0
  neighbor 192.168.10.2 remote-as 11
Cisco NX-OS CLI:
router bgp 10
  address-family ipv4 unicast
    network 159.142.1.0/24
    network 159.142.254.0/24
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Configuring Neighbor Authentication (MD5)
Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
  neighbor 192.168.10.2 password cisco123
Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    password 3 a667d47acc18ea6b
    address-family ipv4 unicast

Configuring an Aggregate Address (Summary-Only)
Cisco IOS CLI:
router bgp 10
  network 159.142.1.0 mask 255.255.255.0
  network 159.142.254.0 mask 255.255.255.0
  aggregate-address 159.142.0.0 255.255.0.0 summary-only
  neighbor 192.168.10.2 remote-as 11
Cisco NX-OS CLI:
router bgp 10
  address-family ipv4 unicast
    network 159.142.1.0/24
    network 159.142.254.0/24
    aggregate-address 159.142.0.0/16 summary-only
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast

Generating a Default Route for a Neighbor
Cisco IOS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
  neighbor 192.168.10.2 default-originate
Cisco NX-OS CLI:
router bgp 10
  neighbor 192.168.10.2 remote-as 11
    address-family ipv4 unicast
      default-originate
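The parser below is an added example, not code from this guide or from Cisco. It reads the hierarchical NX-OS BGP configuration shown above, relying on the two-space-per-level indentation of an NX-OS running-config (router, neighbor, neighbor address-family), and reports the three things a reviewer looks for on this platform: neighbors with no MD5 password, neighbors with no address family activated (NX-OS exchanges no routes with them, unlike IOS where IPv4 unicast is implicit), and a missing log-neighbor-changes, without which session flaps leave no trace in the logs. The running-config inside it is constructed; the password string is the encrypted value used in the snippets above.

```python
"""Review an NX-OS hierarchical BGP configuration (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Neighbor:
    addr: str
    remote_as: Optional[str] = None
    password: bool = False
    update_source: Optional[str] = None
    afis: List[str] = field(default_factory=list)    # address families activated


@dataclass
class BgpInstance:
    asn: str
    router_id: Optional[str] = None
    log_neighbor_changes: bool = False
    neighbors: Dict[str, Neighbor] = field(default_factory=dict)


def _depth(raw: str) -> int:
    """NX-OS running-config nesting level: two spaces per level."""
    return (len(raw) - len(raw.lstrip(" "))) // 2


def parse_bgp(config: str) -> Optional[BgpInstance]:
    inst: Optional[BgpInstance] = None
    nbr: Optional[Neighbor] = None
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        depth = _depth(raw)
        if depth == 0:                                   # global command
            m = re.match(r"router bgp (\S+)$", line)
            in_bgp, nbr = m is not None, None
            if m:
                inst = BgpInstance(m.group(1))
        elif not in_bgp or inst is None:
            continue
        elif depth == 1:                                 # router-level command
            nbr = None                                   # leaves any neighbor sub-mode
            m = re.match(r"neighbor (\S+)(?: remote-as (\S+))?$", line)
            if m:
                nbr = inst.neighbors.setdefault(m.group(1), Neighbor(m.group(1)))
                nbr.remote_as = m.group(2) or nbr.remote_as
            elif line.startswith("router-id "):
                inst.router_id = line.split()[1]
            elif line == "log-neighbor-changes":
                inst.log_neighbor_changes = True
        elif depth == 2 and nbr is not None:             # neighbor-level command
            if line.startswith("remote-as "):
                nbr.remote_as = line.split()[1]
            elif line.startswith("password "):
                nbr.password = True
            elif line.startswith("update-source "):
                nbr.update_source = line.split()[1]
            else:
                m = re.match(r"address-family (\S+ \S+)$", line)
                if m:
                    nbr.afis.append(m.group(1))
    return inst


def audit_bgp(config: str) -> List[str]:
    inst = parse_bgp(config)
    if inst is None:
        return ["no BGP instance configured"]
    findings: List[str] = []
    if inst.router_id is None:
        findings.append("router-id not configured; the platform fallback will be used")
    if not inst.log_neighbor_changes:
        findings.append("log-neighbor-changes not enabled")
    for n in inst.neighbors.values():
        if n.remote_as is None:
            findings.append(f"neighbor {n.addr}: no remote-as")
        if not n.password:
            findings.append(f"neighbor {n.addr}: no MD5 password")
        if not n.afis:
            findings.append(f"neighbor {n.addr}: no address-family activated")
    return findings


# Constructed running-config; the third neighbor uses the split remote-as form.
NXOS_CONFIG = """\
router bgp 10
  address-family ipv4 unicast
    network 159.142.1.0/24
  neighbor 192.168.2.1 remote-as 10
    update-source loopback0
    password 3 a667d47acc18ea6b
    address-family ipv4 unicast
  neighbor 192.168.10.2 remote-as 11
  neighbor 192.168.10.3
    remote-as 12
    address-family ipv4 unicast
      default-originate
"""

if __name__ == "__main__":
    for finding in audit_bgp(NXOS_CONFIG):
        print(finding)
```

Lines nested deeper than the neighbor address-family (default-originate in the sample) are ignored on purpose; extend the depth-3 handling if route-reflector-client or policy attachments also need reviewing.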
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.

Cisco NX-OS BGP | Cisco IOS Software BGP | Command Description
show ip bgp <option> | show ip bgp | Displays BGP process and BGP table entries
show ip bgp x.x.x.x | show ip bgp x.x.x.x | Displays a specific network in the BGP table
show ip bgp x.x.x.x vrf | - | Displays a network in a specified VRF BGP table
show ip bgp x.x.x.x/len | show ip bgp x.x.x.x mask | Displays a specific prefix in the BGP table
show ip bgp x.x.x.x/len longer-prefix | show ip bgp x.x.x.x mask longer-prefix | Displays a prefix in the table with longer prefixes
show ip bgp all | show ip bgp all | Displays the BGP table for all protocol families
show ip bgp community <word> | show ip bgp community <#> | Displays routes with a specific regular expression
show ip bgp community <aa:nn> | - | Displays routes with a specific community value
show ip bgp community internet | - | Displays BGP routes advertised to the Internet
show ip bgp community no-advertise | show ip bgp community no-advertise | Displays BGP routes not advertised to peers
show ip bgp community no-export | show ip bgp community no-export | Displays BGP routes not exported to the next AS
show ip bgp community no-export-spoofed | - | Displays BGP routes not sent outside the local AS
show ip bgp dampening dampened-paths | show ip bgp dampening dampened-paths | Displays all dampened paths
show ip bgp dampening flap-statistics | show ip bgp dampening flap-statistics | Displays flap statistics for BGP routes
show ip bgp dampening history-paths | - | Displays all history paths
show ip bgp dampening parameters | show ip bgp dampening parameters | Displays all of the dampening parameters
show ip bgp filter-list | show ip bgp filter-list | Displays all routes matching a specified filter list
show ip bgp flap-statistics | - | Displays all BGP route flap statistics
show ip bgp ipv4 multicast <option> | show ip bgp ipv4 multicast <option> | Displays BGP IPv4 multicast address families
show ip bgp ipv4 unicast <option> | show ip bgp ipv4 unicast <option> | Displays BGP IPv4 unicast address families
show ip bgp neighbors | show ip bgp neighbors | Displays detailed neighbor information
show ip bgp neighbors x.x.x.x | show ip bgp neighbors x.x.x.x | Displays detailed information for a neighbor
show ip bgp nexthop x.x.x.x | - | Displays all routes matching a specified next-hop
show ip bgp paths | show ip bgp paths | Displays all BGP paths
show ip bgp peer-policy | - | Displays BGP peer policy by specified name
show ip bgp peer-session | - | Displays information about a peer session
show ip bgp peer-template | show ip bgp unicast ipv4 template | Displays information about a peer template
show ip bgp prefix-list | show ip bgp prefix-list | Displays routes matching a specified prefix-list
show ip bgp regexp | show ip bgp regexp | Displays routes matching a regular expression
show ip bgp route-map | show ip bgp route-map | Displays BGP routes matching a route-map
show ip bgp summary | show ip bgp summary | Displays a summary list of neighbors and statistics
show ip bgp vrf | show ip bgp vpnv4 vrf | Displays information for a specified BGP VRF
BGP (Advanced) BGPv4 is a standard exterior routing protocol defined in RFC 4271, commonly used to exchange network reachability information between autonomous systems. This document discusses route reflectors, confederations, peer templates, route-map policies and the prefix-lists feature. Important Cisco NX-OS and Cisco IOS Software Differences In Cisco NX-OS:
• When configuring route reflectors, the route-reflector-client command is assigned per neighbor under the neighbor-specific address family.
• When configuring confederations, the confederation is configured under the autonomous system without the leading bgp keyword.
• Cisco NX-OS uses a peer template instead of a peer group to reuse common BGP policies.
• Multiple policy templates can be applied to a single neighbor. Cisco IOS Software allows only one policy template per neighbor.
• Cisco NX-OS does not require a manual reset for a neighbor when its routing policy is modified. Cisco IOS Software requires a hard or soft reset depending on the neighbor capabilities exchanged.
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining an advanced BGP network configuration.
• Peer and session templates define neighbor attributes such as security passwords, timers, and transport options.
• Peer templates and session templates have identical configuration capabilities with one exception: peer templates can configure address families.
• Peer and session templates are inherited by a neighbor through the BGP neighbor configuration mode.
• Only one peer template and one session template can be inherited by a single BGP neighbor.
• Peer templates can inherit session templates.
• Session templates can inherit other session templates.
• Policy templates define address-family policies for inbound or outbound policies, including default-route origination, filter lists, route-map policies, prefix lists, etc.
• Multiple policy templates can be assigned per neighbor. Policy templates are executed in order based on the configured sequence number.
• Policy templates are inherited by a neighbor through the neighbor and address-family configuration mode.
• Route-map policies can configure BGP attributes such as as-path, community lists, community attributes, dampening, local preference, metric type, origin, and weight.
• Route-map policies can be applied per neighbor for inbound and outbound routing policies.
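The template rules listed above (session templates carry no address families, peer and session templates inherit only session templates, one peer and one session template per neighbor, policy templates executed by sequence number) as a small Python model. This is an added example, not code from the document or from NX-OS; template names and contents are constructed, and the model assumes that a value configured directly on the neighbor overrides an inherited one and that a later policy template in the sequence overrides an earlier one where both set the same attribute.

```python
"""Model of NX-OS BGP template inheritance as described in the bullets above.
Added example, not from the document or from NX-OS. Template names and values
are constructed; override order (neighbor beats template, later policy beats
earlier policy) is an assumption of this model."""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, object]


class Template:
    def __init__(self, name: str, kind: str, attrs: Attrs, inherits: Optional[str] = None):
        if kind not in ("session", "peer", "policy"):
            raise ValueError(f"unknown template kind {kind!r}")
        # Session templates have the same capabilities as peer templates except address families.
        if kind == "session" and "address_family" in attrs:
            raise ValueError(f"session template {name} cannot configure address families")
        if kind == "policy" and inherits:
            raise ValueError(f"policy template {name} cannot inherit another template")
        self.name, self.kind, self.attrs, self.inherits = name, kind, attrs, inherits


class TemplateStore:
    def __init__(self, templates: List[Template]):
        self.by_name = {t.name: t for t in templates}

    def resolve(self, name: str, seen: Tuple[str, ...] = ()) -> Attrs:
        """Flatten a template with its inheritance chain; the child's values win."""
        if name in seen:
            raise ValueError(f"inheritance loop through {name}")
        t = self.by_name[name]
        merged: Attrs = {}
        if t.inherits:
            parent = self.by_name[t.inherits]
            # Peer templates inherit session templates; session templates inherit session templates.
            if parent.kind != "session":
                raise ValueError(f"{t.kind} template {name} cannot inherit {parent.kind} template {parent.name}")
            merged = self.resolve(t.inherits, seen + (name,))
        merged.update(t.attrs)
        return merged


def neighbor_effective(store: TemplateStore, local: Attrs, inherit_peer: Optional[str] = None,
                       inherit_session: Optional[str] = None,
                       policies: Optional[List[Tuple[int, str]]] = None) -> Tuple[Attrs, List[str], Attrs]:
    """Return (effective session/peer attributes, policy templates in execution order,
    merged policy). At most one peer template and one session template are inherited;
    `policies` is a list of (sequence number, policy template name)."""
    attrs: Attrs = {}
    for name in (inherit_session, inherit_peer):
        if name:
            if store.by_name[name].kind not in ("session", "peer"):
                raise ValueError(f"{name} is not a session or peer template")
            attrs.update(store.resolve(name))
    attrs.update(local)  # neighbor-specific configuration wins (assumption)
    ordered = [name for _, name in sorted(policies or [])]  # sequence-number order
    policy: Attrs = {}
    for name in ordered:
        if store.by_name[name].kind != "policy":
            raise ValueError(f"{name} is not a policy template")
        policy.update(store.resolve(name))
    return attrs, ordered, policy


def demo() -> Tuple[Attrs, List[str], Attrs]:
    """Constructed templates mirroring the IBGP-Template / EBGP-Policy names above."""
    store = TemplateStore([
        Template("IBGP-Session", "session",
                 {"password": "constructed-secret", "update_source": "loopback0"}),
        Template("IBGP-Template", "peer",
                 {"remote_as": 10, "address_family": ["ipv4 unicast"]}, inherits="IBGP-Session"),
        Template("EBGP-Policy", "policy", {"send_community": True, "default_originate": True}),
        Template("Prepend-Policy", "policy", {"route_map_out": "EBGP-Policy"}),
    ])
    # Neighbor overrides update-source; policies are listed out of sequence on purpose.
    return neighbor_effective(store, {"update_source": "loopback1"}, inherit_peer="IBGP-Template",
                              policies=[(20, "Prepend-Policy"), (10, "EBGP-Policy")])
```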
Configuration Comparison

The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations are very similar with the exception of the hierarchy used in Cisco NX-OS.
Configuring a Route-Reflector

Cisco IOS CLI:
  router bgp 10
   no synchronization
   network 192.168.11.1 mask 255.255.255.255
   neighbor 192.168.2.1 remote-as 10
   neighbor 192.168.2.1 update-source Loopback0
   neighbor 192.168.2.1 route-reflector-client
   no auto-summary

Cisco NX-OS CLI:
  router bgp 10
   address-family ipv4 unicast
    network 192.168.11.1/32
   neighbor 192.168.2.1 remote-as 10
    update-source loopback0
    address-family ipv4 unicast
     route-reflector-client

Configuring Confederations

Cisco IOS CLI:
  router bgp 65534
   no synchronization
   bgp confederation identifier 10
   bgp confederation peers 65535
   network 192.168.11.1 mask 255.255.255.255
   neighbor 192.168.10.2 remote-as 65535
   no auto-summary

Cisco NX-OS CLI:
  router bgp 65534
   confederation identifier 10
   confederation peers 65535
   address-family ipv4 unicast
    network 192.168.11.1/32
   neighbor 192.168.10.2 remote-as 65535
    address-family ipv4 unicast

Configuring a Peer Template

Cisco IOS CLI:
  router bgp 10
   no synchronization
   network 192.168.11.1 mask 255.255.255.255
   neighbor IBGP-Template peer-group
   neighbor IBGP-Template password cisco123
   neighbor IBGP-Template update-source Loopback0
   neighbor 192.168.2.1 remote-as 10
   neighbor 192.168.2.1 peer-group IBGP-Template
   no auto-summary

Cisco NX-OS CLI:
  router bgp 10
   address-family ipv4 unicast
    network 192.168.11.1/32
   template peer IBGP-Template
    password 3 a667d47acc18ea6b
    update-source loopback0
    address-family ipv4 unicast
   neighbor 192.168.2.1 remote-as 10
    inherit peer IBGP-Template

Configuring a Policy Template

Cisco IOS CLI:
  router bgp 10
   template peer-policy EBGP-Policy
    default-originate
    send-community
   exit-peer-policy
   no synchronization
   network 192.168.11.1 mask 255.255.255.255
   neighbor 192.168.10.2 remote-as 20
   neighbor 192.168.10.2 inherit peer-policy EBGP-Policy
   no auto-summary

Cisco NX-OS CLI:
  router bgp 10
   address-family ipv4 unicast
    network 192.168.11.1/32
   template peer-policy EBGP-Policy
    send-community
    default-originate
   neighbor 192.168.10.2 remote-as 20
    address-family ipv4 unicast
     inherit peer-policy EBGP-Policy 10

Configuring an Outbound Neighbor Route-Map Policy

Cisco IOS CLI:
  route-map EBGP-Policy permit 10
   set as-path prepend 10 10 10
  router bgp 10
   no synchronization
   network 192.168.11.1 mask 255.255.255.255
   neighbor 192.168.10.2 remote-as 20
   neighbor 192.168.10.2 route-map EBGP-Policy out
   no auto-summary

Cisco NX-OS CLI:
  route-map EBGP-Policy permit 10
   set as-path prepend 10 10 10
  router bgp 10
   address-family ipv4 unicast
    network 192.168.11.1/32
   neighbor 192.168.10.2 remote-as 20
    address-family ipv4 unicast
     route-map EBGP-Policy out

Configuring an Outbound Prefix-List

Cisco IOS CLI:
  ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32
  router bgp 10
   no synchronization
   neighbor 192.168.10.2 remote-as 20
   neighbor 192.168.10.2 prefix-list EBGP-Policy out
   no auto-summary

Cisco NX-OS CLI:
  ip prefix-list EBGP-Policy seq 5 permit 192.168.11.1/32
  router bgp 10
   neighbor 192.168.10.2 remote-as 20
    address-family ipv4 unicast
     prefix-list EBGP-Policy out
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting a BGP network configuration.
| Cisco NX-OS BGP | Cisco IOS Software BGP | Command Description |
|---|---|---|
| show ip bgp <option> | show ip bgp | Displays BGP Process and BGP table entries |
| show ip bgp x.x.x.x | show ip bgp x.x.x.x | Displays a specific network in the BGP table |
| show ip bgp x.x.x.x vrf | - | Displays a network in a specified VRF BGP table |
| show ip bgp x.x.x.x/len | show ip bgp x.x.x.x mask | Displays a specific prefix in the BGP table |
| show ip bgp x.x.x.x/len longer-prefix | show ip bgp x.x.x.x mask longer-prefix | Displays a prefix in the table with longer prefixes |
| show ip bgp all | show ip bgp all | Displays the BGP table for all protocol families |
| show ip bgp community <word> | show ip bgp community <#> | Displays routes with a specific regular expression |
| show ip bgp community <aa:nn> | - | Displays routes with a specific community value |
| show ip bgp community internet | - | Displays BGP routes advertised to the Internet |
| show ip bgp community no-advertise | show ip bgp community no-advertise | Displays BGP routes not advertised to peers |
| show ip bgp community no-export | show ip bgp community no-export | Displays BGP routes not exported to next AS |
| show ip bgp community no-export-spoofed | - | Displays BGP routes not sent to outside local AS |
| show ip bgp dampening dampened-paths | show ip bgp dampening dampened-paths | Displays all Dampened paths |
| show ip bgp dampening flap-statistics | show ip bgp dampening flap-statistics | Displays flap statistics for BGP routes |
| show ip bgp dampening history-paths | - | Displays all history paths |
| show ip bgp dampening parameters | show ip bgp dampening parameters | Displays all of the Dampening parameters |
| show ip bgp filter-list | show ip bgp filter-list | Displays all routes matching a specified filter list |
| show ip bgp flap-statistics | - | Displays all BGP route flap statistics |
| show ip bgp ipv4 multicast <option> | show ip bgp ipv4 multicast <option> | Displays BGP IPv4 multicast address families |
| show ip bgp ipv4 unicast <option> | show ip bgp ipv4 unicast <option> | Displays BGP IPv4 unicast address families |
| show ip bgp neighbors | show ip bgp neighbors | Displays detailed neighbor information |
| show ip bgp neighbors x.x.x.x | show ip bgp neighbors x.x.x.x | Displays detailed information for a neighbor |
| show ip bgp nexthop x.x.x.x | - | Displays all routes matching a specified next-hop |
| show ip bgp paths | show ip bgp paths | Displays all BGP paths |
| show ip bgp peer-policy | - | Displays BGP peer policy by specified name |
| show ip bgp peer-session | - | Displays information about a peer session |
| show ip bgp peer-template | show ip bgp unicast ipv4 template | Displays information about a peer template |
| show ip bgp prefix-list | show ip bgp prefix-list | Displays routes matching a specified prefix-list |
| show ip bgp regexp | show ip bgp regexp | Displays routes matching a regular-expression |
| show ip bgp route-map | show ip bgp route-map | Displays BGP routes matching a route-map |
| show ip bgp summary | show ip bgp summary | Displays a summary list of neighbors and statistics |
| show ip bgp vrf | show ip bgp vpnv4 vrf | Displays information for a specified BGP VRF |
Multicast

Multicast transmission (one-to-many) provides the capability for a source host to forward IP packets to an interested group of destination hosts, as opposed to using unicast transmission (one-to-one) or broadcast transmission (one-to-everyone in the broadcast domain). Multicast functionality is typically enabled using multiple protocols. This tech note includes the following Cisco NX-OS protocols: Protocol Independent Multicast (PIM), Internet Group Management Protocol (IGMP) and Multicast Source Discovery Protocol (MSDP).

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• PIM and MSDP protocols require a LAN Enterprise Services license.
• The global ip multicast-routing command does not exist and is not required to enable multicast forwarding/routing. (It is required in Cisco IOS Software to enable multicast forwarding/routing.)
• PIM command-line interface (CLI) configuration and verification commands are not available until you enable the PIM feature with the feature pim command.
• MSDP CLI configuration and verification commands are not available until you enable the MSDP feature with the feature msdp command.
• IGMP versions 2 and 3 are supported. IGMP version 1 and Version 3 Lite are not supported.
• An IGMP Snooping Querier is configured under the layer-2 VLAN with the ip igmp snooping querier CLI command (Physical L3 interfaces cannot be configured as IGMP Snooping Queriers). In Cisco IOS Software, an IGMP Snooping Querier is configured under the layer-3 interface.
• PIM version 2 Sparse Mode is supported. Cisco NX-OS does not support PIM version 1 Sparse Mode or Dense Mode, and cannot fall back to Dense Mode operation.
• PIM is not supported on IP Tunnel interfaces.
• When configuring a PIM Auto-RP Candidate or BSR RP-Candidate, Cisco NX-OS requires a configured group-list (i.e. x.x.x.x/x), whereas Cisco IOS Software defaults to 224.0.0.0/4. An optional standard ACL can be configured to specify multicast groups in Cisco IOS Software.
• When configuring PIM Auto-RP Mapping-Agents or Candidate-RPs, Cisco NX-OS uses a default scope of 32, whereas Cisco IOS Software requires it to be specified with the scope option (1-255).
• When configuring PIM Auto-RP, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim auto-rp forward listen global CLI configuration command. Cisco IOS Software has to be configured for Sparse-Dense Mode or Sparse Mode with the global ip pim autorp listener CLI configuration command.
• When configuring PIM BSR, Cisco NX-OS multicast devices must be enabled to listen and/or forward RP advertisements with the ip pim bsr forward listen global CLI configuration command. Cisco IOS Software doesn't require additional configuration, but does not have the ability to enable/disable RP forwarding and listening capabilities.
• BSR-Candidate routers have a default priority of 64. Cisco IOS Software defaults to 0. The priority value can be configured between 0 – 255 in both operating systems using the priority option. A higher numeric value is preferred when comparing priorities.
• BSR RP-Candidate routers have a default priority of 192. Cisco IOS Software defaults to 0. The priority value can be configured between 0 – 255 in both operating systems using the priority option. The lower numeric value is preferred when comparing priorities.
• When configuring a Static-RP, Cisco NX-OS does not have an override option like Cisco IOS Software that forces the Static-RP to be elected for its specified multicast group list. Cisco IOS Software prefers dynamically learned RPs over Static RPs if the override option is not configured.
• When comparing PIM Static-RPs to dynamically learned RPs (Auto-RP and BSR) during the election process, the RP with the most specific multicast group-list is elected. If the group-lists are identical, the router with the highest RP IP address is elected.
• When configuring a PIM domain border, the ip pim border interface CLI command prevents BSR and Auto-RP packets from being sent or received on an interface. The Cisco IOS Software command equivalent (ip pim bsr-border) only prevents BSR packets. Cisco IOS Software requires the ip multicast boundary interface command to prevent Auto-RP packets.
• PIM neighbor authentication (IPSec ah-md5) can be enabled to authenticate directly connected neighbors to increase security. Cisco IOS Software does not support this functionality.
• PIM neighbor logging can be enabled with the global ip pim log-neighbor-changes CLI command. (Cisco IOS Software enables PIM neighbor logging by default)
• The data in the MSDP Source-Active (SA) messages is cached by default, whereas Cisco IOS Software requires the global ip msdp cache-sa-state and ip msdp cache-rejected-sa CLI commands.
• PIM is configured with the Source Specific Multicast (SSM) group range 232.0.0.0/8 by default (ip pim ssm range 232.0.0.0/8).
• Beginning with NX-OS 5.0(2a), PIM supports Bidirectional Forwarding Detection (BFD) for rapid failure detection.
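The RP selection rules in the bullets above (BSR-candidate and RP-candidate priority defaults and their opposite preference direction, most-specific group-list then highest RP address, and the IOS static-versus-dynamic preference with the override option) as a Python model. This is an added example, not from the document or from any Cisco implementation; candidates and groups are constructed, and breaking an equal-priority tie by the higher address is an assumption of this model, not something the text states.

```python
"""Model of the PIM RP selection rules described above. Added example, not from
the document or from Cisco; all candidates are constructed. The 'higher address
wins an equal-priority tie' rule in preferred() is an assumption of this model."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Default priorities the document gives for each operating system.
DEFAULT_PRIORITY = {
    "nxos": {"bsr-candidate": 64, "rp-candidate": 192},
    "ios": {"bsr-candidate": 0, "rp-candidate": 0},
}


def effective_priority(role: str, platform: str, configured: Optional[int] = None) -> int:
    """Priority a candidate advertises: the configured value (0-255) or the platform default."""
    if configured is None:
        return DEFAULT_PRIORITY[platform][role]
    if not 0 <= configured <= 255:
        raise ValueError("priority must be between 0 and 255")
    return configured


def preferred(role: str, a: Tuple[int, str], b: Tuple[int, str]) -> Tuple[int, str]:
    """Return the preferred (priority, address) pair. BSR-candidates: the higher
    priority wins. RP-candidates: the lower priority wins. Ties: higher address (assumed)."""
    (pa, aa), (pb, ab) = a, b
    if pa != pb:
        higher_wins = role == "bsr-candidate"
        return a if (pa > pb) == higher_wins else b
    return a if ip_address(aa) > ip_address(ab) else b


@dataclass(frozen=True)
class RPCandidate:
    address: IPv4Address
    group_list: IPv4Network
    source: str  # "static", "auto-rp" or "bsr"


def elect_rp(group: str, candidates: List[RPCandidate], platform: str,
             static_override: bool = False) -> Optional[RPCandidate]:
    """Pick the RP for one group address.

    NX-OS: static and dynamic RPs compete on equal terms; the most specific
    group-list wins and identical group-lists are broken by the highest RP address.
    IOS: dynamically learned RPs are preferred over a static RP unless the static RP
    carries 'override', which forces it for any group inside its group-list."""
    g = ip_address(group)
    matching = [c for c in candidates if g in c.group_list]
    if not matching:
        return None
    if platform == "ios":
        static = [c for c in matching if c.source == "static"]
        dynamic = [c for c in matching if c.source != "static"]
        if static and static_override:
            matching = static
        elif dynamic:
            matching = dynamic
    return max(matching, key=lambda c: (c.group_list.prefixlen, int(c.address)))


def demo() -> dict:
    """Constructed RP set: a static RP for a /24 and two dynamic RPs for 224.0.0.0/4."""
    cands = [
        RPCandidate(ip_address("172.16.1.1"), ip_network("239.1.1.0/24"), "static"),
        RPCandidate(ip_address("172.16.2.2"), ip_network("224.0.0.0/4"), "bsr"),
        RPCandidate(ip_address("172.16.3.3"), ip_network("224.0.0.0/4"), "auto-rp"),
    ]
    return {
        "nxos": str(elect_rp("239.1.1.10", cands, "nxos").address),          # most specific wins
        "ios": str(elect_rp("239.1.1.10", cands, "ios").address),            # dynamic preferred
        "ios_override": str(elect_rp("239.1.1.10", cands, "ios", True).address),
        "nxos_other": str(elect_rp("239.5.0.1", cands, "nxos").address),    # tie -> highest address
    }
```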
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when designing, configuring, and maintaining multicast enabled networks.
• If you remove the feature pim command, all relevant PIM configuration information is also removed.
• If you remove the feature msdp command, all relevant MSDP configuration information is also removed.
• IGMP Snooping is enabled globally by default. It can be disabled globally, or per layer-2 VLAN with the no igmp snooping command.
• IGMP version 2 is enabled by default when PIM Sparse Mode is configured on an interface.
• PIM supports three modes of operation: Any Source Multicast (ASM), Source Specific Multicast (SSM) and Bidirectional Shared Tree (Bidir). The default mode is ASM. Bidir can be configured with the bidir option when configuring an RP.
• The Cisco NX-OS supports four types of PIM Rendezvous Points: Static, Bootstrap router (BSR), Auto-RP and Anycast-RP. (Do not configure Auto-RP and BSR in the same network)
• When configuring a PIM Static-RP, the group-list defaults to 224.0.0.0/4 if one is not specified.
• Cisco NX-OS has two different CLI syntax options when configuring BSR and Auto-RP (new Cisco NX-OS syntax, and backwards-compatible Cisco IOS Software syntax).
• The Cisco NX-OS supports multicast routing per layer-3 Virtual Routing and Forwarding (VRF) instance.
• PIM SSM and Bidir are not supported on Virtual Port-Channels (vPCs).
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are a few significant differences: Cisco NX-OS does not require the global ip multicast-routing command, but does require PIM and MSDP to be enabled individually with the global feature CLI commands. Cisco NX-OS has backwards-compatible syntax with Cisco IOS Software when configuring PIM BSR and Auto-RP, but Cisco NX-OS requires RP forwarding and/or listening to be configured prior to learning or forwarding dynamic RP information. Both Cisco NX-OS and Cisco IOS Software support multicast routing within a VRF instance, but Cisco NX-OS requires global commands to be configured under the VRF context as opposed to using the vrf option as with Cisco IOS Software.
Enabling Multicast Forwarding

Cisco IOS CLI:
  ip multicast-routing

Cisco NX-OS CLI:
  Cisco NX-OS does not have a single global command to enable multicast forwarding/routing.

Enabling the PIM Feature

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable or disable PIM.

Cisco NX-OS CLI:
  feature pim

Configuring PIM Sparse Mode on an Interface

Cisco IOS CLI:
  interface TenGigabitEthernet1/1
   ip address 192.168.10.1 255.255.255.0
   ip pim sparse-mode

Cisco NX-OS CLI:
  interface Ethernet1/1
   ip address 192.168.10.1/24
   ip pim sparse-mode

Configuring a PIM Auto-RP

Cisco IOS CLI:
  interface Loopback10
   ip address 172.16.1.1 255.255.255.255
   ip pim sparse-mode
  ip pim send-rp-announce Loopback10 scope 32
  ip pim send-rp-discovery Loopback10 scope 32
  ip pim autorp listener

Cisco NX-OS CLI:
  interface loopback10
   ip address 172.16.1.1/32
   ip pim sparse-mode
  ip pim auto-rp rp-candidate loopback10 group-list 224.0.0.0/4
  ip pim auto-rp mapping-agent loopback10
  ip pim auto-rp forward listen

  or

  ip pim send-rp-announce loopback10 group-list 224.0.0.0/4
  ip pim send-rp-discovery loopback10
  ip pim auto-rp forward listen

Configuring a PIM BSR RP

Cisco IOS CLI:
  interface Loopback10
   ip address 172.16.1.1 255.255.255.255
   ip pim sparse-mode
  ip pim bsr-candidate Loopback10
  ip pim rp-candidate Loopback10

Cisco NX-OS CLI:
  interface loopback10
   ip address 172.16.1.1/32
   ip pim sparse-mode
  ip pim bsr bsr-candidate loopback10
  ip pim bsr rp-candidate loopback10 group-list 224.0.0.0/4
  ip pim bsr forward listen

  or

  ip pim bsr-candidate loopback10
  ip pim rp-candidate loopback10 group-list 224.0.0.0/4
  ip pim bsr forward listen

Configuring a PIM Static-RP

Cisco IOS CLI:
  ip pim rp-address 172.16.1.1

Cisco NX-OS CLI:
  ip pim rp-address 172.16.1.1

Configuring a PIM Anycast-RP (BSR Example)

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable the PIM Anycast RP feature.

Cisco NX-OS CLI:
  interface loopback0
   ip address 192.168.10.1/32
   ip pim sparse-mode
  interface loopback10
   description Anycast-RP-Address
   ip address 172.16.1.1/32
   ip pim sparse-mode
  ip pim bsr bsr-candidate loopback0
  ip pim bsr rp-candidate loopback10 group-list 224.0.0.0/4
  ip pim anycast-rp 172.16.1.1 192.168.10.1
  ip pim anycast-rp 172.16.1.1 192.168.10.2
  ip pim bsr forward listen

Configuring PIM Neighbor Authentication

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable neighbor authentication.

Cisco NX-OS CLI:
  interface Ethernet1/1
   ip address 192.168.10.1/24
   ip pim sparse-mode
   ip pim hello-authentication ah-md5 3 a667d47acc18ea6b

Configuring a PIM BSR Border on an Interface

Cisco IOS CLI:
  interface TenGigabitEthernet1/1
   ip address 192.168.10.1 255.255.255.0
   ip pim bsr-border
   ip pim sparse-mode
   ip multicast boundary 10
  access-list 10 deny 224.0.1.39
  access-list 10 deny 224.0.1.40
  access-list 10 permit 224.0.0.0 15.255.255.255

Cisco NX-OS CLI:
  interface Ethernet1/1
   ip address 192.168.10.1/24
   ip pim sparse-mode
   ip pim border

Configuring PIM in a Non-Default VRF Instance

Cisco IOS CLI:
  ip vrf production
  ip multicast-routing vrf production
  interface Loopback10
   ip vrf forwarding production
   ip address 172.16.1.1 255.255.255.255
   ip pim sparse-mode
  interface TenGigabitEthernet1/1
   ip vrf forwarding production
   ip address 192.168.10.1 255.255.255.0
   ip pim sparse-mode
  ip pim vrf production rp-address 172.16.1.1

Cisco NX-OS CLI:
  vrf context production
   ip pim rp-address 172.16.1.1 group-list 224.0.0.0/4
  interface loopback10
   vrf member production
   ip address 172.16.1.1/32
  interface Ethernet1/1
   vrf member production
   ip address 192.168.10.1/24
   ip pim sparse-mode

Configuring IGMP Version 3 for an Interface

Cisco IOS CLI:
  interface TenGigabitEthernet1/1
   ip address 192.168.10.1 255.255.255.0
   ip pim sparse-mode
   ip igmp version 3

Cisco NX-OS CLI:
  interface Ethernet1/1
   ip address 192.168.10.1/24
   ip pim sparse-mode
   ip igmp version 3

Configuring an IGMP Snooping Querier for a VLAN

Cisco IOS CLI:
  interface Vlan10
   ip address 192.168.10.1 255.255.255.0
   ip igmp snooping querier

Cisco NX-OS CLI:
  vlan 10
   ip igmp snooping querier 192.168.10.1

Configuring MSDP (Anycast-RP)

Cisco IOS CLI:
  interface Loopback0
   description MSDP Peer Address
   ip address 192.168.1.1 255.255.255.255
  interface Loopback10
   description PIM RP Address
   ip address 1.1.1.1 255.255.255.255
  ip pim rp-address 1.1.1.1
  ip msdp peer 192.168.2.1 connect-source Loopback0
  ip msdp cache-sa-state

Cisco NX-OS CLI:
  interface loopback0
   description MSDP Peer Address
   ip address 192.168.1.1/32
  interface loopback10
   description PIM RP Address
   ip address 1.1.1.1/32
  ip pim rp-address 1.1.1.1 group-list 224.0.0.0/4
  ip msdp peer 192.168.2.1 connect-source loopback0
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting multicast network configurations.
| Cisco NX-OS Multicast | Cisco IOS Software Multicast | Command Description |
|---|---|---|
| show ip igmp groups | show ip igmp groups | Displays all IGMP attached group membership information |
| show ip igmp interface | show ip igmp interface | Displays IGMP information for all interfaces |
| show ip igmp interface brief | - | Displays a one line summary status per interface |
| show ip igmp interface int-type | show ip igmp interface int-type | Displays IGMP information for a specific interface |
| show ip igmp interface vrf name | show ip igmp vrf name | Displays IGMP information for a specific VRF instance |
| show ip igmp local-groups int-type | - | Displays IGMP local groups associated to a specific interface |
| show ip igmp local-groups vrf name | - | Displays IGMP local groups associated to a specific VRF instance |
| show ip igmp route | - | Displays IGMP attached group membership information |
| show ip igmp route x.x.x.x | - | Displays IGMP attached group membership for a specific group |
| show ip igmp route int-type | - | Displays IGMP attached group membership for a specific interface |
| show ip igmp route vrf name | - | Displays IGMP attached group membership for a specific VRF instance |
| show ip igmp snooping | - | Displays global and per interface IGMP Snooping information |
| show ip igmp snooping explicit-tracking | show ip igmp snooping explicit-tracking | Displays explicit tracking information for IGMPv3 |
| show ip igmp snooping groups | show mac-address-table multicast igmp-snooping | Displays IGMP Snooping groups information |
| show ip igmp snooping mrouter | show ip igmp snooping mrouter | Displays detected multicast routers |
| show ip igmp snooping otv | - | Displays IGMP Snooping OTV information |
| show ip igmp snooping querier | - | Displays IGMP Snooping querier information |
| show ip igmp snooping statistics | show ip igmp snooping statistics | Displays packet/error counter statistics |
| show ip igmp snooping vlan # | - | Displays IGMP Snooping information per specific VLAN |
| show ip msdp count | show ip msdp count | Displays MSDP SA cache counters |
| show ip msdp mesh-group | - | Displays MSDP Mesh-Group members |
| show ip msdp peer | show ip msdp peer | Displays all MSDP peers |
| show ip msdp peer x.x.x.x | show ip msdp peer x.x.x.x | Displays a specific MSDP peer |
| show ip msdp peer vrf name | show ip msdp vrf name | Displays MSDP peers related to a specific VRF instance |
| show ip msdp peer policy | - | Displays the MSDP peer policies |
| show ip msdp peer route | - | Displays the MSDP route-cache |
| show ip msdp sa-cache | show ip msdp sa-cache | Displays the MSDP SA route-cache |
| show ip msdp source | - | Displays the MSDP learned sources and associated statistics |
| show ip msdp summary | show ip msdp summary | Displays the MSDP peer summary |
| show ip pim df | show ip pim interface df | Displays Bidir designated forwarders |
| show ip pim df x.x.x.x | show ip pim interface df x.x.x.x | Displays Bidir designated forwarders for a specific RP or group |
| show ip pim df vrf name | - | Displays Bidir designated forwarders for a specific VRF instance |
| show ip pim group-range | - | Displays the PIM group-ranges |
| show ip pim group-range x.x.x.x | - | Displays a specific PIM group-range |
| show ip pim group-range vrf name | - | Displays the PIM group-ranges for a specific VRF instance |
| show ip pim interface | - | Displays all PIM enabled interfaces |
| show ip pim interface brief x.x.x.x | - | Displays a one line summary of all PIM enabled interfaces |
| show ip pim interface int-type | show ip pim interface int-type | Displays information for a specific PIM interface |
| show ip pim interface vrf name | - | Displays the PIM interfaces for a specific VRF instance |
| show ip pim neighbor | show ip pim neighbor | Displays all PIM neighbors |
| show ip pim neighbor x.x.x.x | show ip pim neighbor x.x.x.x | Displays a specific PIM neighbor for a specific IP address |
| show ip pim neighbor interface int-type | show ip pim neighbor int-type | Displays a specific PIM neighbor for a specific interface |
| show ip pim neighbor vrf name | - | Displays PIM neighbors for a specific VRF instance |
| show ip pim oif-list x.x.x.x | - | Displays PIM OIF-List for a specific multicast group address |
| show ip pim policy statistics | - | Displays PIM statistics |
| show ip pim route | - | Displays PIM routes |
| show ip pim route x.x.x.x | - | Displays a specific PIM route |
| show ip pim route vrf name | - | Displays PIM routes for a specific VRF instance |
| show ip pim rp | show ip pim rp mapping | Displays PIM RP information |
| show ip pim rp x.x.x.x | show ip pim rp x.x.x.x | Displays information for a specific PIM group address |
| show ip pim rp vrf name | - | Displays information for PIM RPs in a specific VRF instance |
| show ip pim rp-hash x.x.x.x | show ip pim rp-hash x.x.x.x | Displays PIM RP-Hash value for a specific group |
| show ip pim statistics | - | Displays PIM packet statistics |
| show ip pim statistics vrf name | - | Displays per packet statistics for a specific VRF instance |
| show ip pim vrf name | show ip pim vrf name | Displays detailed PIM information per specific VRF instance |
| show ip mroute | show ip mroute | Displays the multicast routing table |
| show ip mroute summary | show ip mroute summary | Displays the multicast routing table with packet counts and bit rates |
| show ip mroute x.x.x.x | show ip mroute x.x.x.x | Displays a specific multicast route |
| show ip mroute vrf name | show ip mroute vrf name | Displays the multicast routing table for a specific VRF instance |
| show ip route rpf | show ip rpf | Displays the Reverse Path Forwarding (RPF) table used for multicast source lookup |
Netflow

NetFlow provides flow-based statistics collection that is useful for troubleshooting, traffic analysis, performance monitoring, and security threat prevention. Cisco NX-OS supports a flexible architecture that allows a user to collect different data for different applications per interface, whereas the Cisco IOS Software supports one flow mask and export pair for the entire chassis.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:
• NetFlow command-line interface (CLI) configuration and verification commands are not available until you enable the NetFlow feature with the feature netflow command.
• Two flow modes are supported: full and sampled.
• Sampled mode supports packet-based sampling (1-64 out of 1-8192).
• In sampled mode, the sampling occurs before the NetFlow cache is populated.
• Each line-card module supports 512,000 NetFlow cache entries.
• Layer 2 NetFlow based on MAC addresses is not supported at this time.
• A flexible architecture is used that consists of flow records, flow exports, and flow monitors.
• Cisco NX-OS supports more key and non-key fields for creating flow records and can collect additional information such as TCP flags and system uptime.
• NetFlow Versions 5 and 9 Export features are supported (Version 9 is recommended).
• A source interface must be configured for each flow export.
• Cisco NX-OS defaults to User Datagram Protocol (UDP) port 9995 for NetFlow Data Export.
• Cisco NX-OS provides more granular aging timers (session timer and aggressive threshold).
• The default aging timer values are different than in Cisco IOS Software.
• The NetFlow feature supports stateful process restarts.
Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and managing NetFlow.
• If the feature netflow command is removed, all relevant NetFlow configuration information is also removed.
• NetFlow consumes hardware resources (ternary content-addressable memory [TCAM], CPU, etc.), so understanding the resource utilization on a device is important before enabling NetFlow.
• Sampling mode preserves CPU and NetFlow cache entries in high-traffic environments.
• A traffic direction needs to be specified when a flow monitor is applied to an interface.
• The active-aging flow timeout is 1800 seconds by default.
• The inactive-aging flow timeout is 15 seconds by default.
• The fast-aging flow timeout is disabled by default.
• The aggressive-aging flow threshold is disabled by default.
• TCP session aging is disabled by default.
Configuration Comparison

The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. There are several significant differences: Cisco NX-OS allows NetFlow to be enabled and disabled globally, and it uses a more flexible architecture that allows different statistics to be collected for different applications. The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH.
Enabling the NetFlow Feature

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to enable or disable NetFlow.

Cisco NX-OS CLI:
  feature netflow

Configuring a NetFlow Flow Record (Custom)

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to create custom NetFlow records. A system wide flow mask is defined. The following example uses interface-full.
  mls netflow interface
  mls flow ip interface-full
  mls nde sender version 5

Cisco NX-OS CLI:
  flow record Netflow-Record-1
   description Custom-Flow-Record
   match ipv4 source address
   match ipv4 destination address
   match transport destination-port
   collect counter bytes
   collect counter packets

Configuring a NetFlow Flow Export

Cisco IOS CLI:
  ip flow-export source GigabitEthernet2/2
  ip flow-export version 9
  ip flow-export destination 192.168.11.2 2000

Cisco NX-OS CLI:
  flow exporter Netflow-Exporter-1
   description Production-Netflow-Exporter
   destination 192.168.11.2
   source Ethernet2/2
   version 9

Configuring a NetFlow Monitor with a Custom Record

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters.

Cisco NX-OS CLI:
  flow monitor Netflow-Monitor-1
   description Applied Inbound-Eth-2/1
   record Netflow-Record-1
   exporter Netflow-Exporter-1

Configuring a NetFlow Monitor with an Original Record

Cisco IOS CLI:
  Cisco IOS Software does not have the ability to create flow monitors that associate NetFlow records to NetFlow exporters.

Cisco NX-OS CLI:
  flow monitor Netflow-Monitor-2
   description Use Predefined "Original-Netflow-Record"
   record netflow-original
   exporter Netflow-Exporter-1

Applying a NetFlow Monitor to an Interface

Cisco IOS CLI:
  interface gigabitethernet 6/1
   ip flow ingress

Cisco NX-OS CLI:
  interface Ethernet2/1
   ip flow monitor Netflow-Monitor-1 input

Adjusting NetFlow Timers

Cisco IOS CLI:
  mls aging fast
  mls aging long 120
  mls aging normal 32

Cisco NX-OS CLI:
  flow timeout active 120
  flow timeout inactive 32
  flow timeout fast 32 threshold 100
  flow timeout session
  flow timeout aggressive threshold 75

Configuring a NetFlow Sampler

Cisco IOS CLI:
  mls sampling packet-based 64 8000
  mls flow int-full
  mls nde sender version 5

Cisco NX-OS CLI:
  sampler NF-Sampler-1
   description Sampler-for-Int-Eth-2/1
   mode 1 out-of 1000

Applying a NetFlow Sampler to an Interface

Cisco IOS CLI:
  interface GigabitEthernet2/1
   mls netflow sampling

Cisco NX-OS CLI:
  interface Ethernet2/1
   ip flow monitor NF-Mntr-1 input sampler NF-Sampler-1
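The NX-OS NetFlow pipeline shown in this comparison, as a Python model: a sampler that runs before the cache, a flow record keyed on the three match fields of Netflow-Record-1, the collect counters, and active, inactive and fast aging with the timer values from the Adjusting NetFlow Timers example. This is an added example, not code from the document or from Cisco; every packet is constructed. The model assumes a deterministic every-Nth-packet sampler (the platform's packet-based selection is not specified on the page) and interprets fast aging as exporting a flow with fewer than the threshold number of packets once it has lived for the fast timeout.

```python
"""Model of sampling, flow-record keying and aging for NX-OS NetFlow as the
document describes them. Added example, not from the document or from Cisco;
all packets are constructed. Assumptions: deterministic every-Nth sampler;
fast aging = export flows below 'threshold' packets after 'fast' seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]  # ipv4 source, ipv4 destination, transport destination-port


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    size: int


@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int = 0  # collect counter packets
    bytes: int = 0    # collect counter bytes


@dataclass
class FlowCache:
    active_timeout: float = 1800          # NX-OS default active aging, seconds
    inactive_timeout: float = 15          # NX-OS default inactive aging, seconds
    fast_timeout: Optional[float] = None  # fast aging is disabled by default
    fast_threshold: int = 0               # packets; only used with fast_timeout
    sample_every: int = 1                 # 1 = full mode, N = sampled mode 1 out-of N
    seen: int = 0
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    exported: List[Tuple[FlowKey, FlowEntry, str]] = field(default_factory=list)

    def observe(self, pkt: Packet) -> bool:
        """Pass a packet through the sampler; only sampled packets populate the cache."""
        self.seen += 1
        if self.seen % self.sample_every != 0:
            return False
        self.expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.dport)  # the record's match fields
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = FlowEntry(first_seen=pkt.ts, last_seen=pkt.ts)
        entry.packets += 1
        entry.bytes += pkt.size
        entry.last_seen = pkt.ts
        return True

    def expire(self, now: float) -> List[str]:
        """Export and drop every entry whose aging timer has fired by time `now`."""
        fired = []
        for key, e in list(self.entries.items()):
            reason = None
            if now - e.first_seen >= self.active_timeout:
                reason = "active"
            elif now - e.last_seen >= self.inactive_timeout:
                reason = "inactive"
            elif (self.fast_timeout is not None and e.packets < self.fast_threshold
                  and now - e.first_seen >= self.fast_timeout):
                reason = "fast"
            if reason:
                self.exported.append((key, self.entries.pop(key), reason))
                fired.append(reason)
        return fired


def demo_sampler() -> Tuple[int, int, int]:
    """Sampled mode: 10 packets of one flow through a 1 out-of 4 sampler."""
    cache = FlowCache(sample_every=4)
    sampled = sum(cache.observe(Packet(t, "10.1.1.1", "10.2.2.2", 443, 100)) for t in range(10))
    entry = cache.entries[("10.1.1.1", "10.2.2.2", 443)]
    return sampled, entry.packets, entry.bytes


def demo_aging() -> List[Tuple[str, str, int]]:
    """Full mode with the NX-OS timers from the example: active 120, inactive 32,
    fast 32 threshold 100. Flow A sends 10 packets in 10 s and stops; flow B sends
    four packets per second for about 151 s. Returns (destination, reason, packets)
    for each export in order."""
    cache = FlowCache(active_timeout=120, inactive_timeout=32, fast_timeout=32, fast_threshold=100)
    trace = [Packet(float(t), "10.1.1.1", "10.2.2.2", 443, 100) for t in range(10)]
    trace += [Packet(k / 4, "10.1.1.1", "10.3.3.3", 80, 1500) for k in range(604)]
    for pkt in sorted(trace, key=lambda p: p.ts):
        cache.observe(pkt)
    cache.expire(200.0)  # final sweep after the trace ends
    return [(key[1], reason, entry.packets) for key, entry, reason in cache.exported]
```

Flow A is exported by fast aging at t=32 (it would have needed until t=41 for inactive aging), flow B is cut at the 120 s active timeout with 480 packets and the remainder is exported as inactive after the trace ends.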
Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting NetFlow.
Cisco NX-OS Netflow Cisco IOS Software Netflow Command Description
show flow exporter show mls nde Displays the configured exporter maps show flow interface - Displays interfaces configured for NetFlow show flow monitor - Displays information about monitor maps show flow record - Displays information about record maps show flow timeout - Displays the NetFlow timeout value show hardware flow aging
show mls netflow aging
Displays the NetFlow table aging timeout value
show hardware flow entry
show mls netflow ip flow Displays flow-specific information
show hardware flow ip show mls netflow ip Displays the IP NetFlow table
Learn Nexus Page 69
show hardware flow sampler show mls sampling Displays the NetFlow sampling
configuration show hardware flow utilization module
show mls netflow table summary
Displays NetFlow table utilization per module
show sampler show flow-sampler Displays information about sampler maps
SPAN

The SPAN feature allows traffic to be mirrored within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• Only Local SPAN is supported.
• Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.
• 18 monitor sessions can be configured. Only two sessions can be active simultaneously.
• Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software offers either a flat or a hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later.
• A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).
• Destination SPAN ports must be configured as Layer 2 ports with the switchport command.
• Destination SPAN ports require the switchport monitor interface configuration command.
• The SPAN feature supports stateful and stateless process restarts.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.
• Two active SPAN sessions are supported in total across all virtual device contexts (VDCs).
• Monitor sessions are disabled by default. They can be enabled with the no shut command.
• The source traffic direction can be configured as rx, tx, or both. The default is both.
• When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN is sent to the destination.
• The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.)
• By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.
• A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)
• A destination port does not participate in a spanning-tree instance.
• A destination port can be configured in only one SPAN session at a time.
• A port cannot be configured as both a source and a destination port.
• 128 source interfaces can be configured per session.
• 32 source VLANs can be configured per session.
• 2 destination interfaces can be configured per session.
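As an added example (not from this page or from Cisco), the following Python script checks a Cisco NX-OS running-config fragment against the limits and restrictions listed above: at most two enabled sessions, at most 128 source interfaces, 32 source VLANs and 2 destination interfaces per session, no port that is both a source and a destination, and no destination port shared between sessions. The parser, the limit constants and the sample configuration are constructed for illustration; the sample deliberately breaks three of the rules.

```python
"""Check Cisco NX-OS local SPAN sessions against the limits quoted in the text.

Added example for this page, not tooling from the page or from Cisco.  The
parser, the limit constants and SAMPLE_CONFIG are constructed for illustration.
"""
import re

# Limits listed in the text for Cisco NX-OS.
MAX_SESSIONS = 18
MAX_ACTIVE_SESSIONS = 2
MAX_SOURCE_INTERFACES = 128
MAX_SOURCE_VLANS = 32
MAX_DEST_INTERFACES = 2

# Constructed running-config fragment: session 2 reuses session 1's destination
# and mirrors Ethernet2/3 to itself, and all three sessions are enabled.
SAMPLE_CONFIG = """\
monitor session 1
  source interface Ethernet2/1 both
  source vlan 10,20 both
  destination interface Ethernet2/2
  no shut
monitor session 2
  source interface Ethernet2/3 rx
  destination interface Ethernet2/3
  destination interface Ethernet2/2
  no shut
monitor session 3
  source vlan 15-20 both
  destination interface Ethernet2/4
  no shut
interface Ethernet2/2
  switchport
  switchport monitor
"""


def expand_vlan_list(spec):
    """Expand '10,20' or '15-20' into a list of VLAN IDs."""
    vlans = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_monitor_sessions(config):
    """Return {session_id: {src_if, src_vlan, dst_if, active}} for each
    'monitor session <#>' block in an NX-OS running-config fragment."""
    sessions = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # top-level line starts a new block
            m = re.match(r"monitor session (\d+)", raw)
            current = None
            if m:
                current = sessions.setdefault(
                    int(m.group(1)),
                    {"src_if": [], "src_vlan": [], "dst_if": [], "active": False})
            continue
        if current is None:                  # indented line of some other block
            continue
        line = raw.strip()
        if m := re.match(r"source interface (\S+)", line):
            current["src_if"].append(m.group(1))
        elif m := re.match(r"source vlan ([\d,\-]+)", line):
            current["src_vlan"].extend(expand_vlan_list(m.group(1)))
        elif m := re.match(r"destination interface (\S+)", line):
            current["dst_if"].append(m.group(1))
        elif line in ("no shut", "no shutdown"):
            current["active"] = True
    return sessions


def validate_span(sessions):
    """Return a list of violations; an empty list means the config is within limits."""
    problems = []
    if len(sessions) > MAX_SESSIONS:
        problems.append(f"{len(sessions)} sessions configured, limit is {MAX_SESSIONS}")
    active = sorted(sid for sid, s in sessions.items() if s["active"])
    if len(active) > MAX_ACTIVE_SESSIONS:
        problems.append(f"sessions {active} are all enabled, only {MAX_ACTIVE_SESSIONS} may be active")
    dest_owner = {}                          # destination port -> session already using it
    for sid, s in sorted(sessions.items()):
        if len(s["src_if"]) > MAX_SOURCE_INTERFACES:
            problems.append(f"session {sid}: {len(s['src_if'])} source interfaces, limit is {MAX_SOURCE_INTERFACES}")
        if len(s["src_vlan"]) > MAX_SOURCE_VLANS:
            problems.append(f"session {sid}: {len(s['src_vlan'])} source VLANs, limit is {MAX_SOURCE_VLANS}")
        if len(s["dst_if"]) > MAX_DEST_INTERFACES:
            problems.append(f"session {sid}: {len(s['dst_if'])} destination interfaces, limit is {MAX_DEST_INTERFACES}")
        for port in sorted(set(s["src_if"]) & set(s["dst_if"])):
            problems.append(f"session {sid}: {port} is both a source and a destination")
        for port in s["dst_if"]:
            if port in dest_owner:
                problems.append(f"session {sid}: destination {port} is already used by session {dest_owner[port]}")
            else:
                dest_owner[port] = sid
    return problems


def check_sample():
    """Run the checks over SAMPLE_CONFIG."""
    return validate_span(parse_monitor_sessions(SAMPLE_CONFIG))


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

Run against a real show running-config section the same way; the parser only looks at monitor session blocks, so the rest of the configuration can be pasted in unchanged.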
Configuration Comparison
The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.

Configuring the Destination Switchport Mode
  Cisco IOS CLI:
    Cisco IOS Software does not require any destination port configuration.
  Cisco NX-OS CLI:
    interface Ethernet2/2
      switchport
      switchport monitor

Configuring Destination Port Ingress Forwarding and Learning
  Cisco IOS CLI:
    monitor session 1 type local
      destination interface Gi2/2 ingress learning
  Cisco NX-OS CLI:
    interface Ethernet2/2
      switchport
      switchport monitor ingress learning
  With ingress forwarding enabled, the destination port also accepts frames from the attached device, so the analyzer becomes a normal entry point into the network. Leave it off unless the attached device must transmit through that port.

Configuring a SPAN Monitor (Ethernet Source and Destination)
  Cisco IOS CLI:
    monitor session 1 type local
      source interface Gi2/1
      destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
      source interface Ethernet2/1 both
      destination interface Ethernet2/2
      no shut

Configuring a SPAN Monitor (VLAN Source)
  Cisco IOS CLI:
    monitor session 1 type local
      source vlan 10 , 20
      destination interface Gi2/2
  Cisco NX-OS CLI:
    monitor session 1
      source vlan 10,20 both
      destination interface Ethernet2/2
      no shut

Filtering VLANs for IEEE 802.1q Trunk Sources
  Cisco IOS CLI:
    interface GigabitEthernet2/1
      switchport
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 10-20
      switchport mode trunk
    monitor session 1 type local
      filter vlan 15 - 20
      source interface Gi2/1
      destination interface Gi2/2
      no shutdown
  Cisco NX-OS CLI:
    interface Ethernet2/1
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 10-20
    monitor session 1
      source interface Ethernet2/1 both
      destination interface Ethernet2/2
      filter vlan 15-20
      no shut

Configuring a SPAN Monitor (CPU Source)
  Cisco IOS CLI:
    monitor session 1 type local
      source cpu rp rx
      destination interface Gi2/2
      no shutdown
  Cisco NX-OS CLI:
    monitor session 1
      source interface sup-eth0 rx
      destination interface Ethernet2/2
      no shut
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.

  Cisco NX-OS SPAN           | Cisco IOS Software SPAN   | Command Description
  ---------------------------|---------------------------|------------------------------------------------
  show interface             | show interface            | Displays destination port characteristics
  show monitor session <#>   | show monitor session <#>  | Displays a specific SPAN monitor session
  show monitor session all   | show monitor session all  | Displays all SPAN monitor sessions
  show monitor range <#-#>   | show monitor range <#-#>  | Displays a range of specified SPAN sessions
TACACS+, RADIUS, and AAA

AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization, and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than per-device local databases.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command.
• The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.
• The RADIUS vendor-specific attributes (VSA) feature is enabled by default.
• Local command authorization can be performed with role-based access control (RBAC) without an AAA server. User roles can be associated with users configured on the AAA server by using VSAs. Remote command authorization can be performed on an AAA server when using AAA with TACACS+.
• If no AAA server is available for authentication, the local database is automatically used for device access.
• The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password-encryption command to obscure them in the configuration.

Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services.
• Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy applies only to the default VDC.
• If you remove the feature tacacs+ command, all related TACACS+ configuration is also removed.
• 64 TACACS+ and 64 RADIUS servers can be configured per device.
• AAA server groups are associated with the default Virtual Routing and Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is reachable only through a non-default VRF instance.
• An IP source interface can be associated with AAA server groups.
• TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.
• By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).
• Directed server requests are enabled by default for TACACS+ and RADIUS.
• The local option can be used with AAA authorization to fall back to RBAC in the event an AAA server is not available for command authorization.
• Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.

Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.
Enabling TACACS+
  Cisco IOS CLI:
    Cisco IOS Software does not have the ability to enable or disable TACACS+.
  Cisco NX-OS CLI:
    feature tacacs+

Configuring a TACACS+ Server with a Key
  Cisco IOS CLI:
    tacacs-server host 192.168.1.1 key cisco123
  Cisco NX-OS CLI:
    tacacs-server host 192.168.1.1 key 7 "fewhg123"

Specifying a Nondefault TACACS+ TCP Port
  Cisco IOS CLI:
    tacacs-server host 192.168.1.1 port 85
  Cisco NX-OS CLI:
    tacacs-server host 192.168.1.1 port 85

Specifying the TACACS+ Timeout Value (Global)
  Cisco IOS CLI:
    tacacs-server timeout 10
  Cisco NX-OS CLI:
    tacacs-server timeout 10

Configuring a RADIUS Server with a Key
  Cisco IOS CLI:
    radius-server host 192.168.1.1 key cisco123
  Cisco NX-OS CLI:
    radius-server host 192.168.1.1 key 7 "fewhg123"

Specifying Nondefault RADIUS UDP Ports
  Cisco IOS CLI:
    radius-server host 192.168.1.1 auth-port 1645 acct-port 1646
  Cisco NX-OS CLI:
    radius-server host 192.168.1.1 auth-port 1645 acct-port 1646

Specifying the RADIUS Timeout Value (Global)
  Cisco IOS CLI:
    radius-server timeout 10
  Cisco NX-OS CLI:
    radius-server timeout 10

Configuring an AAA Server Group (TACACS+)
  Cisco IOS CLI:
    aaa group server tacacs+ AAA-Servers
      server 192.168.1.1
  Cisco NX-OS CLI:
    aaa group server tacacs+ AAA-Servers
      server 192.168.1.1

Configuring an AAA Server Group (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1

Configuring an AAA Server Group for a VRF Instance (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
      ip vrf forwarding management
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      server 192.168.1.1
      use-vrf management

Configuring the AAA Server Group Dead Time (RADIUS)
  Cisco IOS CLI:
    aaa group server radius AAA-Servers
      deadtime 5
  Cisco NX-OS CLI:
    aaa group server radius AAA-Servers
      deadtime 5

Enabling AAA Authentication with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa authentication login default group AAA-Servers
  Cisco NX-OS CLI:
    aaa authentication login default group AAA-Servers

Enabling AAA Authorization with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa authorization config-commands
    aaa authorization commands 1 default group AAA-Servers
  Cisco NX-OS CLI:
    aaa authorization config-commands default group AAA-Servers
    aaa authorization commands default group AAA-Servers

Enabling AAA Accounting with an AAA Server Group
  Cisco IOS CLI:
    aaa new-model
    aaa accounting exec default start-stop group AAA-Servers
  Cisco NX-OS CLI:
    aaa accounting default group AAA-Servers
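The comparison above shows the TACACS+ and RADIUS shared keys as they are stored in the running configuration. On Cisco IOS Software, the key 7 form that service password-encryption produces is a reversible obfuscation, not encryption: anyone who can read the configuration (a backup, a TFTP copy, a pasted show running-config) can recover the shared secret and impersonate the device to the AAA server. The following Python code, added here as an example and not taken from this page or from Cisco, implements the IOS type-7 scheme in both directions and scans configuration lines for such keys. The XOR key string is the well-known constant used by every public type-7 implementation; the sample configuration lines are constructed. It does not apply to the Cisco NX-OS key 7 form, which the text describes as 3DES-based.

```python
"""Cisco IOS 'type 7' password obfuscation, decoded and encoded.

Added example for this page, not code from the page or from Cisco.  TYPE7_KEY
is the well-known constant every public type-7 implementation uses; the
configuration lines in SAMPLE_IOS_CONFIG are constructed.
"""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches 'key 7 <hex>' and 'password 7 <hex>' as written by service password-encryption.
TYPE7_RE = re.compile(r"\b(?:key|password) 7 ([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded):
    """Recover the plaintext behind a type-7 string such as 094F471A1A0A.

    The first two characters are a decimal offset into TYPE7_KEY; each
    following hex pair is one plaintext byte XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encode(plaintext, seed=9):
    """Produce a type-7 string; seed is the starting key offset (IOS uses 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plaintext.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def find_type7_secrets(config):
    """Return (config line, recovered plaintext) for every type-7 key or password."""
    found = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed: what the IOS side of the comparison above looks like after
# 'service password-encryption' has rewritten the keys.
SAMPLE_IOS_CONFIG = """\
service password-encryption
tacacs-server host 192.168.1.1 key 7 094F471A1A0A
radius-server host 192.168.1.1 key 7 030752180500701E1D
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_IOS_CONFIG):
        print(f"{line!r} -> {secret!r}")
```

Treat a configuration containing type-7 keys with the same care as one containing clear-text keys: restrict who can read backups, and rotate the AAA shared secret if a configuration file has been exposed.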
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS.

  Cisco NX-OS AAA                              | Cisco IOS Software AAA   | Command Description
  ---------------------------------------------|--------------------------|------------------------------------------------------------
  show tacacs-server                           | show tacacs              | Displays the TACACS+ server configuration for all servers
  show tacacs-server <x.x.x.x>                 | -                        | Displays a specific TACACS+ server configuration
  show tacacs-server directed-request          | -                        | Displays the status of the directed-request feature (enabled or disabled)
  show tacacs-server groups                    | -                        | Displays TACACS+ server groups
  show tacacs-server statistics <x.x.x.x>      | -                        | Displays TACACS+ statistics for a specific server
  show radius-server                           | -                        | Displays the RADIUS server configuration for all servers
  show radius-server <x.x.x.x>                 | -                        | Displays a specific RADIUS server configuration
  show radius-server directed-request          | -                        | Displays the status of the directed-request feature (enabled or disabled)
  show radius-server groups                    | show radius server-group | Displays RADIUS server groups
  show radius-server statistics <x.x.x.x>      | show radius statistics   | Displays RADIUS statistics for a specific server
  show aaa accounting                          | -                        | Displays the status of AAA accounting
  show aaa authentication                      | -                        | Displays the default and console login methods
  show aaa authentication login error-enable   | -                        | Displays the login error message status (enabled or disabled)
  show aaa authentication login mschap         | -                        | Displays the status of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication (enabled or disabled)
  show aaa authorization                       | -                        | Displays the AAA authorization configuration
  show aaa groups                              | -                        | Displays the AAA groups that are configured
  show user-account                            | -                        | Displays a list of locally configured users
  show users                                   | show users               | Displays the users who are logged in
Layer-3 Virtualization

Virtual Routing and Forwarding (VRF) provides an additional layer of network virtualization on top of virtual device contexts (VDCs). A VRF instance provides a separate unicast and multicast address space and its own instances of the associated routing protocols, which make independent forwarding decisions. All unicast and multicast protocols support VRF.

Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
• Cisco NX-OS supports 200 VRF instances per VDC.
• Two VRF instances are configured by default. The management port on the supervisor module is assigned to the management VRF, and all I/O module ports are assigned to the default VRF.
• The default VRF is the default routing context for all show commands.
• VRF instances can be enabled without any command-line interface (CLI) prerequisites. Cisco IOS Software requires ip cef to be enabled globally before VRF instances can be configured.
• Multicast routing/forwarding can be configured per VRF instance without having to globally enable the VRF instance for multicast. Cisco IOS Software requires the global ip multicast-routing vrf <name> command per VRF instance.
• The CLI for enabling VRF routing for a protocol is consistent across all routing protocols, whereas Cisco IOS Software uses address families for Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Enhanced Interior Gateway Routing Protocol (EIGRP) and requires unique routing process IDs per VRF for Integrated Intermediate System-to-Intermediate System (ISIS) and Open Shortest Path First (OSPF).
• In Cisco NX-OS, numerous VRF instances can be assigned to a single routing protocol instance.
• IP static routes are configured under the specified vrf context. In Cisco IOS Software, all static routes are configured in global configuration mode with the vrf option.
• A VRF instance can be manually disabled with the shutdown command. Cisco IOS Software does not have the CLI capability to manually disable a VRF instance.
• If a VRF context is removed with the no vrf context <name> configuration command, the commands inside the VRF context are removed from the running configuration, making the VRF non-functional, but all VRF-related commands outside the context remain in the running configuration. When a VRF is removed in Cisco IOS Software, the VRF instance and all related VRF commands are automatically removed from the running configuration, including any interface IP addresses previously associated with the VRF.
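The last bullet describes the state a Cisco NX-OS device is left in after no vrf context <name>: references to the deleted VRF that live outside its context stay in the running configuration. As an added example (not from this page or from Cisco), the following Python script finds such dangling references in a running-config fragment. The reference patterns it matches (interface vrf member statements, routing-protocol vrf sub-modes and AAA use-vrf lines) are an assumption about which commands the text means by "non context related", and the sample configuration, in which vrf-2 has been deleted but is still referenced, is constructed.

```python
"""Find references to VRF instances that no longer have a 'vrf context' block.

Added example for this page, not tooling from the page or from Cisco.  The
reference patterns and SAMPLE_CONFIG are constructed for illustration.
"""
import re
from collections import defaultdict

# VRFs that exist on every NX-OS device without a 'vrf context' line.
BUILTIN_VRFS = {"default", "management"}

# Where a VRF name can be referenced outside its own 'vrf context' block
# (assumed set).  Order matters: 'vrf member' must be tried before 'vrf <name>'.
REFERENCE_PATTERNS = (
    re.compile(r"^\s+vrf member (\S+)"),   # interface membership
    re.compile(r"^\s+use-vrf (\S+)"),      # AAA server group
    re.compile(r"^\s+vrf (\S+)"),          # routing-protocol vrf sub-mode
)

# Constructed: vrf-2 was removed with 'no vrf context vrf-2', but its
# interface membership and BGP sub-mode survive in the running config.
SAMPLE_CONFIG = """\
vrf context vrf-1
  ip route 192.168.2.0/24 192.168.10.2
interface Ethernet2/1
  vrf member vrf-1
  ip address 192.168.10.1/24
interface Ethernet2/2
  vrf member vrf-2
  ip address 192.168.20.1/24
aaa group server radius AAA-Servers
  server 192.168.1.1
  use-vrf management
router bgp 10
  vrf vrf-1
    address-family ipv4 unicast
  vrf vrf-2
    address-family ipv4 unicast
"""


def declared_vrfs(config):
    """VRF names that have a 'vrf context' block, plus the built-in ones."""
    declared = {m.group(1) for m in re.finditer(r"^vrf context (\S+)", config, re.M)}
    return declared | BUILTIN_VRFS


def vrf_references(config):
    """Map each referenced VRF name to the config lines that reference it."""
    refs = defaultdict(list)
    for line in config.splitlines():
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append(line.strip())
                break
    return dict(refs)


def orphaned_vrf_references(config):
    """References to VRFs with no 'vrf context' block: the leftovers after
    'no vrf context <name>'."""
    declared = declared_vrfs(config)
    return {name: lines for name, lines in vrf_references(config).items()
            if name not in declared}


if __name__ == "__main__":
    for name, lines in orphaned_vrf_references(SAMPLE_CONFIG).items():
        print(f"VRF {name} has no 'vrf context' block but is referenced by:")
        for line in lines:
            print(f"  {line}")
```

Running this after a VRF is decommissioned shows exactly which interface and protocol statements still need to be cleaned up by hand on Cisco NX-OS.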
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining VRF instances.
• When you assign a VRF instance to an interface that already has an IP address configured, the interface IP address is automatically removed.
• Static routes or dynamic routing protocols can be configured for routing in a VRF instance (BGP, EIGRP, ISIS, OSPF, static routes, and RIPv2).
• IP troubleshooting tools such as ping and traceroute are VRF aware and require the name of a specific VRF instance if testing in the default VRF instance is not desired.
• The routing-context vrf command can be executed in EXEC mode to change the routing context to a non-default VRF instance. For example, typing routing-context vrf management changes the routing context so that all VRF-related commands are executed in the management VRF instead of the default VRF.
• Network-management services such as authentication, authorization, and accounting (AAA), Call Home, Domain Name System (DNS), FTP, HTTP, NetFlow, Network Time Protocol (NTP), RADIUS, Simple Network Management Protocol (SNMP), SSH, syslog, TACACS+, Telnet, Trivial File Transfer Protocol (TFTP), and XML are VRF aware.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable VRF routing. The Cisco NX-OS CLI is simpler and more consistent because it allows multiple VRF instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses different techniques depending on the routing protocol.

Creating a VRF
  Cisco IOS CLI:
    ip cef
    ip vrf vrf-1
  Cisco NX-OS CLI:
    vrf context vrf-1

Assigning an Interface to a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24

Enabling BGP in a VRF
  Cisco IOS CLI:
    router bgp 10
      address-family ipv4 vrf vrf-1
        neighbor 192.168.10.2 remote-as 20
        neighbor 192.168.10.2 activate
        network 192.168.1.1 mask 255.255.255.255
      exit-address-family
  Cisco NX-OS CLI:
    router bgp 10
      vrf vrf-1
        address-family ipv4 unicast
          network 192.168.1.1/32
        neighbor 192.168.10.2 remote-as 20
          address-family ipv4 unicast

Enabling EIGRP in a VRF
  Cisco IOS CLI:
    router eigrp 10
      address-family ipv4 vrf vrf-1
        network 192.168.10.0
        auto-summary
        autonomous-system 10
      exit-address-family
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router eigrp 10
    router eigrp 10
      vrf vrf-1

Enabling ISIS in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
      ip router isis 10
    router isis 10
      vrf vrf-1
      net 49.0001.0000.0001.00
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router isis 10
    router isis 10
      vrf vrf-1
        net 49.0001.0000.0001.00

Enabling OSPF in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
    router ospf 10 vrf vrf-1
      network 192.168.10.0 0.0.0.255 area 0
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router ospf 10 area 0
    router ospf 10
      vrf vrf-1

Enabling RIPv2 in a VRF
  Cisco IOS CLI:
    interface Ethernet2/1
      ip vrf forwarding vrf-1
      ip address 192.168.10.1 255.255.255.0
    router rip
      address-family ipv4 vrf vrf-1
        network 192.168.10.0
        version 2
      exit-address-family
  Cisco NX-OS CLI:
    interface Ethernet2/1
      vrf member vrf-1
      ip address 192.168.10.1/24
      ip router rip 10
    router rip 10
      vrf vrf-1

Configuring Static Routes in a VRF
  Cisco IOS CLI:
    ip route vrf vrf-1 192.168.2.0 255.255.255.0 192.168.10.2
  Cisco NX-OS CLI:
    vrf context vrf-1
      ip route 192.168.2.0/24 192.168.10.2
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting VRF instances.

  Cisco NX-OS VRF                  | Cisco IOS Software VRF        | Command Description
  ---------------------------------|-------------------------------|-----------------------------------------------------------
  show vrf                         | show ip vrf                   | Displays a list of all configured VRF instances
  show vrf <name>                  | show ip vrf <name>            | Displays a specific VRF instance
  show vrf <name> detail           | show ip vrf detail <name>     | Displays details for a specific VRF instance
  show vrf <name> interface        | -                             | Displays the interface assignment for a specific VRF instance
  show vrf default                 | -                             | Displays a summary of the default VRF instance
  show vrf detail                  | show ip vrf detail            | Displays details for all VRF instances
  show vrf interface               | show ip vrf interface         | Displays VRF interface assignments
  show vrf management              | -                             | Displays a summary of the management VRF instance
  show ip route vrf all            | -                             | Displays routes for all VRF instances
  show ip route vrf default        | -                             | Displays routes for the default VRF instance
  show ip route vrf management     | -                             | Displays routes for the management VRF instance
  show ip route vrf <name>         | show ip route vrf <name>      | Displays routes for a specific VRF instance
  show ip arp vrf <name>           | show ip arp vrf <name>        | Displays Address Resolution Protocol (ARP) entries for a specific VRF instance
  show ip bgp vrf <name>           | show ip bgp vpnv4 vrf <name>  | Displays BGP information for a specific VRF instance
  show ip eigrp vrf <name>         | show ip eigrp vrf <name>      | Displays EIGRP information for a specific VRF instance
  show ip isis vrf <name>          | show isis <#>                 | Displays ISIS information for a specific VRF instance
  show ip ospf vrf <name>          | show ip ospf <#>              | Displays OSPF information for a specific VRF instance
  show ip rip vrf <name>           | show ip rip database vrf <name> | Displays RIP information for a specific VRF instance
  show ip static-route vrf <name>  | -                             | Displays static routes for a specific VRF instance
  show forwarding vrf <name>       | show ip cef vrf <name>        | Displays FIB information for a specific VRF instance (multiple sub-options)
  show routing vrf                 | -                             | Displays a subset of the show vrf commands
  show routing-context             | -                             | Displays the current routing context