Chalk Talk: Ten Things That Make NX-OS Awesome!
NX-OS, the operating system that powers the Cisco Nexus family of switches, is turning 5 years old this April. Since its inception, NX-OS has been extended to run on eight families of switches and the Cisco UCS Fabric Interconnects. The features supported run the complete gamut from large modular platforms like the Nexus 7000 through fixed configuration switches like the Nexus 5500 and include virtual switches like the Nexus 1000v. NX-OS is also fluent in multiple protocols like Ethernet, Fibre Channel, Fibre Channel over Ethernet, FabricPath, MPLS, OTV, LISP and a rich set of traditional Layer 2 and Layer 3 networking protocols. With all of that capability under one OS, I thought it'd be fun to list out the ten things that make NX-OS awesome.

1. The first thing that makes NX-OS so powerful is its extensibility. This OS is based on Linux and applies the principles of modern, modular operating systems in its internal architecture. That modularity is precisely why it can run on so many platforms and provide a consistent configuration and management experience. You can go from one platform to another and have a consistent CLI no matter if it is a powerhouse Nexus 7000 or an Ultra-Low Latency Nexus 3548. It's the same NX-OS kernel that drives them both.

2. The second aspect of NX-OS ties into the modularity but is focused on software stability and security. I'm referring to the conditional nature of features, like OSPF or FabricPath, in NX-OS. These features must be enabled explicitly (with the feature command) by customers. No big deal you might say, but the cool part is that NX-OS doesn't load the CLI or start the process in memory until the feature is enabled. This preserves memory and CPU resources, and from a security aspect it offers a smaller attack surface: it is hard to exploit a potential issue in, say, OSPF if the OSPF process isn't loaded and running on the switch. The corollary for operators is to enable only the features a switch actually needs and to review show feature periodically so that nothing stays enabled after a migration or a lab exercise. So we solve multiple issues with just this one capability!
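As an added example (not code from the original post), the script below turns the "enable only what you need" point into a check you can run against the output of show feature that you have saved off the switch. The column layout of show feature is assumed from typical NX-OS output and the sample text is constructed, not captured from a real switch; the allowlist is a hypothetical baseline you would replace with your own.

```python
"""Audit the feature state of an NX-OS switch against an allowlist.

Added example, not from the original post. It parses 'show feature'
output (column layout assumed; the sample below is constructed) and
reports any feature that is enabled but not on the expected list.
"""
import re
from typing import Dict, List

# Constructed sample of 'show feature' output (not a real capture).
SAMPLE_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
bgp                   1         disabled
eigrp                 1         disabled
fabricpath            1         enabled
interface-vlan        1         enabled
lacp                  1         enabled
ospf                  1         enabled
ospf                  2         disabled
otv                   1         disabled
telnet                1         enabled
vpc                   1         enabled
"""

# One data row: name, instance number, state. Header and separator rows do not match.
FEATURE_RE = re.compile(
    r"^(?P<name>[\w.-]+)\s+(?P<inst>\d+)\s+(?P<state>enabled|disabled)\s*$"
)


def parse_show_feature(text: str) -> Dict[str, bool]:
    """Map feature name -> True if any instance of it is enabled."""
    enabled: Dict[str, bool] = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line.strip())
        if not m:
            continue  # header / separator / blank lines
        name = m.group("name")
        enabled[name] = enabled.get(name, False) or m.group("state") == "enabled"
    return enabled


def audit_features(text: str, allowlist: List[str]) -> Dict[str, List[str]]:
    """Compare enabled features with the baseline.

    unexpected_enabled: running processes that widen the attack surface
                        beyond what the baseline says this switch needs.
    missing:            baseline features that are not enabled (a hint that
                        the wrong baseline, or the wrong switch, is being checked).
    """
    state = parse_show_feature(text)
    allowed = set(allowlist)
    unexpected = sorted(n for n, on in state.items() if on and n not in allowed)
    missing = sorted(n for n in allowed if not state.get(n, False))
    return {"unexpected_enabled": unexpected, "missing": missing}


if __name__ == "__main__":
    # Hypothetical baseline for an aggregation switch (assumption, not from the post).
    baseline = ["fabricpath", "interface-vlan", "lacp", "ospf", "vpc"]
    print(audit_features(SAMPLE_SHOW_FEATURE, baseline))
```

Run it against a file produced with show feature > features.txt and copied off the box; with the constructed sample it flags telnet as enabled outside the baseline, which is exactly the kind of leftover that item 2's design would otherwise have kept out of memory.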

3. The third topic I always get interest from customers in is the ability to do In Service Software Upgrade (ISSU). ISSU enables upgrading the operating system without disrupting the traffic being forwarded. This opens a whole new world of opportunity for network operators to maintain their networks, keep software current, add new software features and do it without disruption to the business. This is inherently due to the architecture of NX-OS and Nexus switches, which separate the control plane (OSPF, STP, FabricPath, etc.) from the data plane (your email, database and web traffic passing through the switch). This separation means we can upgrade the control plane without impacting the data plane. Check the documentation for your platform for details on ISSU support, as not every system can take full advantage of this capability. Also equally cool and in the same thought process, we can do ISSD (In Service Software Downgrade) as well!

4. The fourth topic is one of my favorite features and I've written about it before: Virtual Device Contexts (VDCs). VDCs are a feature available on the Nexus 7000 family and allow you to segment your switch into up to 8 virtual switches with the Supervisor 2E. The virtualization done with VDCs is quite comprehensive in that interfaces, memory and other system-wide resources are allocated to a VDC and dedicated to that virtual context. Even further, you can configure VRFs, MPLS, VLANs and other virtualization technologies *inside* a VDC, so virtualization inside virtualization. This is a very, very powerful capability and industry leading.

5. The fifth thing that makes NX-OS awesome is a feature that spans three of the switching platforms, FabricPath. FabricPath is a Cisco innovation that allows customers to scale Layer 2 domains, removes many of the barriers and complexity associated with traditional STP topologies (like logical port count) and simplifies the configuration dramatically. Customers in an STP configuration typically have multiple lines of commands for each layer of the network that are focused on deploying STP guards: loopguard, rootguard, BPDU guard, etc. While each of these capabilities helps control STP, it adds additional configuration points and work. FabricPath doesn't need all of these, as its control plane protocol is based on IS-IS and has intelligence built in similar to a routing protocol. This brings capabilities like Time to Live (TTL) and a link state database that scales nicely. With the success we've seen firsthand with customers, it is a real benefit to their network.

6. The sixth feature in NX-OS I love to talk about is Overlay Transport Virtualization (OTV). OTV is another Cisco innovation on the Nexus 7000, and now the ASR 1000, that empowers customers to extend Layer 2 domains across an IP infrastructure in a safe and sane manner. What do I mean by that?! When I look at other L2 extension technologies, many of them extend STP, and as such the two data centers now have some fate sharing, in that a bad STP day in one data center can cause a bad STP day in the other. OTV does not do this, as it has a control plane protocol that advertises MAC addresses as they are learned and by default does not forward STP BPDUs across the overlay. I have had the opportunity to work with multiple customers on solving challenges like data center migration or implementation of an active/active data center configuration with OTV. It simply works.

7. The seventh capability in NX-OS is one that originated on the Nexus 7000 but has since been added to other products, including the Catalyst line of switches: Cisco TrustSec (CTS). CTS is an umbrella name for a suite of technologies that provide next-generation security features on the network, including Security Group Tags (SGTs) and IEEE 802.1AE MACsec encryption. SGTs allow security policy to be represented by a tag and enforced in hardware without requiring miles of access control lists (ACLs). While that is obviously cool, MACsec is really a great feature more customers can use. The implementation of IEEE 802.1AE MACsec provides hardware-based AES encryption with 128-bit keys at the data link layer. This encrypts and integrity-protects all frames that traverse a point-to-point link and has saved many customers a lot of money instead of using external hardware encryptors. Keep in mind that MACsec is hop-by-hop: frames are decrypted on ingress at each switch and re-encrypted on the next MACsec-enabled link, so it protects the wire between two devices, not the path end to end. The Nexus 7000 M1, M2 and F2e modules support MACsec.

8. The eighth feature in NX-OS that I like to discuss with customers is the Fabric Extender, or FEX. Fabric Extenders are a great, cost effective way for customers to build very large access layers by placing a FEX at the top of a rack to connect servers into and then using a few strands of fiber to connect back to the parent switch. This saves a ton of money in cabling costs, which, if you look at them during a data center build, can become staggering. Cost savings aside, FEX are all centrally managed from the parent switch, which means fewer devices in the data center on which to manage individual software images, back up configuration files, etc. The Nexus 5000, 5500, 6000 and 7000 all support FEX and there are a variety of options to meet the different demands customer networks have.

9. The ninth feature of NX-OS is the ability to do cool things from the command line. While that is pretty broad, let's think about how many times you want to see a device's log file but only want the last few entries and don't want to scroll through the whole thing. Try this command:

N7K-1# show log last 10
2013 Apr 13 23:15:19 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:19 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:15:26 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:26 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:19:13 N7K-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.89.15.82@pts/0
2013 Apr 13 23:26:06 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.82 - sshd
2013 Apr 14 15:06:32 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.143 - sshd
2013 Apr 16 02:55:48 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user rfuller from 10.89.12.4 - sshd
N7K-1#

Now you can see just the last 10 entries, or whatever number you are looking for. Notice that the tail of this log already carries the kind of thing a security team cares about: three failed SSH authentications for admin and rfuller from different source addresses. Let's take this a step further and use a UNIX-style grep (the pipe "i" below is short for include) to be specific about which words we want to see.

N7K-1# show log | i OFFLINE
2013 Apr 12 21:26:11 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 2 is now offline
2013 Apr 12 21:26:30 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 3 is now offline
2013 Apr 13 23:09:57 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 6 is now offline
N7K-1#

What if we wanted to be more specific and see just logs for VDC 6?

N7K-1# show log | grep "vdc 6"
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
N7K-1#

Also, NX-OS does command accounting on the system by default, so every configuration command is tracked locally with the user and session that issued it. In the past, you needed a TACACS+ or RADIUS server configured to get this level of accounting. This ability has come in handy in cases where someone says they didn't type a command, but actually did. Bear in mind that this local log lives on the switch itself, so for anything you might need during an investigation, still send accounting to an external AAA server as well. Of course this can be combined with grep to further filter the output.

N7K-1# show accounting log | grep "no shut"
Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (REDIRECT)
Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (SUCCESS)

There are so many options, and the grep and egrep pipes work on every show command in the CLI! Pretty cool, eh?

10. The last and tenth capability in NX-OS I wanted to share is one I wish every customer knew, and it involves directing output to a file. NX-OS can be very verbose in the output it generates with some commands, and it can be a huge time saver to redirect the output to a file. For example, you want to copy the logfile but it is very long. Try this.

N7K-1# show log > chalklog.txt
N7K-1# dir bootflash: | i chalk
   2696204   Apr 17 01:14:40 2013  chalklog.txt
N7K-1#

Note how I also used the pipe "i" (include) to find the file and show just it? What about a show tech-support? These can be hundreds of MB (yes, I said megabytes with a capital B!) of output that TAC might ask for to help troubleshoot an issue. You could do terminal length 0 and then capture the output in your terminal emulator; that will work, but it will take a lot of time. Try using the redirect function instead.

N7K-1# show tech-support > chalktech.txt
Show tech brief will take 4-6 minutes to complete. Please Wait ...
N7K-1# dir bootflash: | i chalktech
   99244120   Apr 17 01:19:20 2013 chalktech.txt
N7K-1#

This is a 99MB file and it took a few moments to create. Now I can copy it using FTP, SCP, USB and more for analysis and save a ton of time. Because a show tech-support includes the running configuration, prefer SCP over FTP for the copy and delete the file from bootflash: once it has been collected.
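Items 9 and 10 together describe a workflow: find the interesting lines with grep on the box, or redirect the whole log to a file and take it away. The script below is an added example (not code from the original post) of what to do with that file once it is off the switch: it parses the show log and show accounting log formats shown above, counts failed SSH logins per source address, and pulls out the configuration changes a reviewer would want to see. The sample lines are constructed in the same shape as the post's output, the field layout is assumed from those lines, and the watchlist of sensitive commands is a hypothetical starting point.

```python
"""Mine redirected NX-OS 'show log' and 'show accounting log' output.

Added example, not part of the original post. Works on the text you get
from 'show log > file' and 'show accounting log > file' after copying
the files off the switch. Sample lines are constructed; the field layout
is assumed from the lines shown in the post.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample of 'show log' output (not a real capture).
SAMPLE_SYSLOG = """\
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:19:13 N7K-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.89.15.82@pts/0
2013 Apr 13 23:26:06 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.82 - sshd
2013 Apr 14 15:06:32 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.143 - sshd
2013 Apr 14 15:06:40 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.143 - sshd
2013 Apr 14 15:06:51 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user root from 10.89.15.143 - sshd
2013 Apr 16 02:55:48 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user rfuller from 10.89.12.4 - sshd
2013 Apr 12 21:26:11 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 2 is now offline
"""

# Constructed sample of 'show accounting log' output (not a real capture).
SAMPLE_ACCOUNTING = """\
Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (SUCCESS)
Sat Apr 13 23:19:13 2013:type=update:id=10.89.15.82@pts/0:user=admin:cmd=configure terminal ; feature telnet (SUCCESS)
Sat Apr 13 23:19:20 2013:type=update:id=10.89.15.82@pts/0:user=admin:cmd=configure terminal ; no logging server 10.1.1.5 (SUCCESS)
Sat Apr 13 23:19:25 2013:type=update:id=10.89.15.82@pts/0:user=admin:cmd=configure terminal ; ip access-list ALLOW-ALL (SUCCESS)
"""

# pam_aaa failure line: timestamp, hostname, facility, user, source, service.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ %AUTHPRIV-\d-SYSTEM_MSG: "
    r"pam_aaa:Authentication failed for user (?P<user>\S+) from (?P<src>\S+) - (?P<svc>\S+)"
)
# Accounting line: timestamp up to the first ':type=', then colon-separated key=value fields.
ACCT_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Hypothetical watchlist of configuration changes worth a second look (extend for your site).
SENSITIVE_CMDS = ("feature telnet", "no logging", "aaa ", "username ", "access-list")


def failed_logins(syslog_text: str, threshold: int = 3) -> Dict[str, object]:
    """Count failed logins per source; flag sources at or above the threshold."""
    per_src: Counter = Counter()
    users: Dict[str, Set[str]] = {}
    for line in syslog_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        per_src[m["src"]] += 1
        users.setdefault(m["src"], set()).add(m["user"])
    suspects = sorted(s for s, n in per_src.items() if n >= threshold)
    return {
        "per_source": dict(per_src),
        "users_tried": {s: sorted(u) for s, u in users.items()},
        "suspects": suspects,
    }


def sensitive_changes(acct_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, command) for accounting entries on the watchlist."""
    hits: List[Tuple[str, str, str]] = []
    for line in acct_text.splitlines():
        m = ACCT_RE.match(line)
        if not m or m["type"] != "update":
            continue  # only configuration updates are of interest here
        cmd = m["cmd"]
        if any(key in cmd for key in SENSITIVE_CMDS):
            hits.append((m["ts"], m["user"], cmd))
    return hits


if __name__ == "__main__":
    print(failed_logins(SAMPLE_SYSLOG))
    for ts, user, cmd in sensitive_changes(SAMPLE_ACCOUNTING):
        print(f"{ts}  {user:<8} {cmd}")
```

With the constructed input, 10.89.15.143 is flagged after three failures against two different usernames, and the accounting log shows the same admin session that the VSHD "Configured from vty" line announced turning on telnet, removing a logging server and creating an ACL. Feed it the real chalklog.txt and an accounting log from the switch (open the files and pass their contents to the two functions) and the same two questions, who is hammering the management plane and who changed what, get answered in seconds rather than by scrolling.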

I hope these 10 items give you reason to consider NX-OS and showed you some new features you may not have been aware of. If you already have NX-OS, maybe you picked up a few tips for the CLI that can be helpful as well. It is a very exciting operating system, and with it just turning 5, it's exciting to think about what it will be capable of doing in the next 5 years! Happy Birthday, NX-OS!


NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures, 2nd Edition

By Ron Fuller, David Jansen, Matthew McPherson.

Series: Networking Technology

Published: March 15, 2013

ISBN-10: 0-13-288356-2

ISBN-13: 978-0-13-288356-6

Published by Cisco Press.

This article is featured in the April 2013 issue of the Cisco TS Newsletter. Are you subscribed?

1 Comment

This is well explained.