Ready for Cisco Live US 2017

Finally... again... I am going to Las Vegas for Cisco Live!

I’ll be traveling from Amsterdam and will arrive at 7:30pm. I’ll be staying at the Luxor, right next to the Mandalay Bay convention center. It will be a 15-minute walk every day to get there.

So of course I’m wearing my fitbit 🙂

Today I’ll meet up with some Brazilian friends and have (probably) some steak for dinner 🙂

Tomorrow I have an 8-hour session called: TECCCDE-3005: CCDE: The Cisco Certified Design Expert

Because I am preparing for the CCDE exam, this is the perfect session (they say).

So keep an eye on my blog, as I will be posting a lot this week!!

Michel van Kessel

Download ACI firmware via WGET

Release 1.1(4e) had a bug that caused issues with uploading/downloading firmware via the GUI.

A workaround is to use wget from the APIC CLI to download the firmware from an HTTP server to the /tmp directory.

After downloading, use the “firmware repository” command to add the firmware to the repository.

After that, you can use the GUI to upgrade the firmware for the APIC and switches, as you are used to.

Example

apic1# cd /tmp
apic1# ls
bootflash flashenc logrotate.status snmpd2.pid vrf-init.log vrf-set-spineproxy.log
apic1# pwd
/tmp

apic1# wget http://10.249.112.134/aci/aci-n9000-dk9.11.2.1k.bin
--2016-01-03 16:50:06-- http://10.249.112.134/aci/aci-n9000-dk9.11.2.1k.bin
Connecting to 10.249.112.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 558322599 (532M) [application/octet-stream]
Saving to: `aci-n9000-dk9.11.2.1k.bin'

 58% [=====================>                ] 327,484,640 1.81M/s eta 2m 5s
100%[======================================>] 558,322,599 1.81M/s in 5m 0s

2016-01-03 16:55:06 (1.77 MB/s) - `aci-n9000-dk9.11.2.1k.bin' saved [558322599/558322599]

apic1# firmware
repository upgrade
apic1# firmware repository
add delete
apic1# firmware repository add aci-n9000-dk9.11.2.1k.bin
Syncing… might take a bit if the image is large or many pending filesystem buffers
Firmware image aci-n9000-dk9.11.2.1k.bin is added to the repository
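The download above travels over plain HTTP, so nothing in the transfer proves the image arrived unmodified. The following is an added example, not part of the original post: a check to run between the wget and the "firmware repository add" step, comparing the file against the SHA-512 checksum Cisco publishes on its software download page. The function name verify_image and the placeholder hash are hypothetical, and it assumes sha512sum is available in the shell where the check runs.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify a downloaded firmware
# image against the vendor-published SHA-512 before importing it.
# Usage (hash is a placeholder, copy the real one from the download page):
#   verify_image /tmp/aci-n9000-dk9.11.2.1k.bin "<PUBLISHED_SHA512>" \
#     && echo "safe to run: firmware repository add aci-n9000-dk9.11.2.1k.bin"

# verify_image FILE EXPECTED_SHA512
#   returns 0 on exact match, 1 on mismatch, 2 on bad input
verify_image() {
    local file="$1" expected="$2" actual

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    # Refuse anything that is not a 128-hex-digit value, so a truncated
    # or mistyped checksum is reported as an input error, not a mismatch.
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "expected hash is not 128 hex digits" >&2; return 2; }

    actual=$(sha512sum -- "$file" | awk '{print $1}') || return 2

    # Download pages may show the hash in upper case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-512"
        return 0
    fi

    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

On a mismatch, delete the file from /tmp and download it again rather than adding it to the repository.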


Nexus STP-Lite feature (Nexus 7000)

STP Lite

FCoE does not require full Spanning Tree Protocol (STP) because FCoE has no bridging functionality, which means that no STP loops are created in the network. STP Lite on FCoE interfaces ensures rapid convergence across the network by sending an agreement Bridge Protocol Data Unit (BPDU) whenever it receives a proposal BPDU. The FCoE link sends the identical agreement BPDU in response to either a Multiple Spanning Tree (MST) or a Per VLAN Rapid Spanning Tree Plus (PVRST+) proposal BPDU. Additionally, STP Lite suppresses the MAC address flushing function for FCoE VLANs.

STP Lite is enabled automatically by default across the entire device for FCoE VLANs as soon as the first FCoE VLAN comes up. At the same time, the system automatically converts all FCoE links to STP-type normal ports. This feature runs only in FCoE VLANs.

show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010
Port Type Default is disable
Edge Port [PortFast] BPDU Guard Default is enabled
Edge Port [PortFast] BPDU Filter Default is enabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is long
STP-Lite is enabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                      0         0        0          4          4
---------------------- -------- --------- -------- ---------- ----------
1 vlan                        0         0        0          4          4

MDS IVR commands

9222i(config-if)# show interface port-channel 1
port-channel 1 is trunking
Hardware is GigabitEthernet
Port WWN is 24:01:00:05:9b:28:54:00
Admin port mode is auto, trunk mode is on
snmp link state traps are enabled
Port mode is TE
Port vsan is 1
Speed is 2 Gbps
Trunk vsans (admin allowed and active) (1,97-98,209)
Trunk vsans (up) (209)
Trunk vsans (isolated) (1,97-98)
Trunk vsans (initializing) ()
5 minutes input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
5 minutes output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
492 frames input, 65052 bytes
492 Class F frames input, 65052 bytes
0 Class 2/3 frames input, 0 bytes
0 Reass frames
0 Error frames timestamp error 0
494 frames output, 63728 bytes
494 Class F frames output, 63728 bytes
0 Class 2/3 frames output, 0 bytes
9222i(config-if)# show interface port-channel 1 brief

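-------------------------------------------------------------------------------
Interface            Vsan   Admin  Status          Oper  Oper    IP
                            Trunk                  Mode  Speed   Address
                            Mode                         (Gbps)
-------------------------------------------------------------------------------
port-channel 1       1      on     trunking        TE    2       --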
P9-9222i(config-if)#
P9-9222i(config-if)# show vsan 209
vsan 209 information
name:VSAN0209 state:active
interoperability mode:default
loadbalancing:src-id/dst-id/oxid
operational state:up

9222i(config-if)# show in
in-order-guarantee incompatibility-all inventory
inactive-if-config install
incompatibility interface
9222i(config-if)# show interface port-channel 1
port-channel 1 is trunking
Hardware is GigabitEthernet
Port WWN is 24:01:00:05:9b:28:54:00
Admin port mode is auto, trunk mode is on
snmp link state traps are enabled
Port mode is TE
Port vsan is 1
Speed is 2 Gbps
Trunk vsans (admin allowed and active) (1,97-98,209)
Trunk vsans (up) (209)
Trunk vsans (isolated) (1,97-98)
Trunk vsans (initializing) ()
5 minutes input rate 4288 bits/sec, 536 bytes/sec, 3 frames/sec
5 minutes output rate 3272 bits/sec, 409 bytes/sec, 3 frames/sec
1546 frames input, 215392 bytes
1546 Class F frames input, 215392 bytes
0 Class 2/3 frames input, 0 bytes
0 Reass frames
0 Error frames timestamp error 0
1548 frames output, 156732 bytes
1548 Class F frames output, 156732 bytes
0 Class 2/3 frames output, 0 bytes
0 Error frames
Member[1] : fcip1
Member[2] : fcip2

9222i(config-if)# conf t
9222i(config)# 2014 Feb 27 18:33:14 P9-9222i %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.2.8.91@pts/0
9222i(config)# feature ivr
9222i(config)# ivr nat
P9-9222i(config)# 2014 Feb 27 18:33:43 P9-9222i %IVR-5-FCID_NAT_MODE_ACTIVATED: FCID network address translation (NAT) mode has been activated
9222i(config)# ivr distribute
9222i(config)# 2014 Feb 27 18:33:51 P9-9222i %IVR-5-VSAN_TOPOLOGY_ACTIVATED: Inter-VSAN Topology has been activated
9222i(config)# ivr vsan-topology auto
fabric is now locked for configuration. Please ‘commit’ configuration when done.
9222i(config)# ivr commit
commit initiated. check ivr status
P9-9222i(config)# show ivr

Inter-VSAN Routing is enabled

Inter-VSAN enabled switches
—————————

AFID  VSAN  DOMAIN     CAPABILITY  SWITCH WWN
-------------------------------------------------------------------
   1     1  0x 1(  1)  0000001f    20:00:00:05:9b:28:54:00 *
   1    97  0x61( 97)  0000001f    20:00:00:05:9b:28:54:00 *
   1    98  0xed(237)  0000001f    20:00:00:05:9b:28:54:00 *
   1   209  0x8a(138)  0000001f    20:00:00:05:73:d3:77:80
   1   209  0xd1(209)  0000001f    20:00:00:05:9b:28:54:00 *

Total: 5 IVR-enabled VSAN-Domain pairs

Inter-VSAN topology status
————————–

Current Status: Inter-VSAN topology is ACTIVE, AUTO Mode
Last activation time: Thu Feb 27 18:34:14 2014

Inter-VSAN zoneset status
————————-
name : master-ivr
state : activation success
last activate time : Thu Feb 27 18:33:51 2014

Fabric distribution status
———————–
fabric distribution enabled
Last Action Time Stamp : Thu Feb 27 18:34:13 2014
Last Action : Commit
Last Action Result : Success
Last Action Failure Reason : none

Inter-VSAN NAT mode status
————————–
FCID-NAT is enabled
Last activation time : Thu Feb 27 18:33:43 2014

AAM mode status
————————–
AAM is disabled

License status
—————–
Built-in

Sharing of tcam space across xE ports disabled
9222i(config)#

short UDLD note

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links.

quick note on “max pinning-links”

Pinning max-links <2-4> comes into play when you do static pinning, i.e. when the FETs (fabric extender transceivers, the links between the 2K and the parent switch) are not in a port-channel.

For a 48 port FEX:

pinning max-links 1 : 1 group of 48 hosts to 1 FET links

pinning max-links 2 : 2 groups of 24 hosts to 2 FET links

pinning max-links 3 : 3 groups of 18 hosts to 3 FET links

pinning max-links 4 : 4 groups of 12 hosts to 4 FET links

So, all 48 ports will be associated with 1 FET if 1 uplink is used and max-links is 1. The subscription ratio will then be 48 * 1 Gbps per 10 Gbps uplink: 48:10 = 4.8:1

For max-links 2, subscription: 24:20 = 1.2:1

So, to sum it up, a good practice is to use a port-channel for a FEX uplink. A better option, depending on whether you have a 5K or a 7K, is to use a vPC as an uplink.

FCoE Best Practices and Examples

Whenever possible, use the Nexus 5K/6K in NPV mode, also for interop cases. Be aware: enabling the NPV feature erases almost all configuration on the switch. mgmt0 will remain intact.

DCNM is the right tool to facilitate management.

A storage VDC is used on the Nexus 7K for FCoE. Traffic is split based on ethertype on shared ports.

The VDC best-practice structure on the N7K with FCoE is 3 VDCs (Admin, Ethernet, Storage).

The “where” command is a helpful command.

Enable lldp and lacp features

Enable QoS and policy for FCoE. 

FCoE host ports are ALWAYS trunk

Allocate the FCoE VLAN range from the LAN VDC.

The storage VDC can shut down a vfc interface without affecting the LAN. The other way around, the interface goes down. 6.2.x adds a warning on the LAN VDC.

A vfc port can bind to a port-channel.

Nexus 5K and 7K have different bandwidth % (50/50, 80/20, 70/30).

vPC to host with FCoE is supported on 5K and 6K

FCoE with Dual-Homed FEX is supported on 55xx 

In a vPC+ (FabricPath) design, the FCoE VLAN is NOT a FabricPath VLAN, but a CE VLAN.

Multihop FCoE is supported, also in UCS. A hop is to or between FCF switches. FCoE-NPV is not a hop.

Converged FCoE ISL is not supported on the Nexus 7K. Dedicated FCoE ISL is supported on N5K/6K/7K.

On the host interface, the native VLAN carries FIP traffic.