Nexus 7K and Multiple VDCs

l-mathews · ‎03-20-2013

Does Nexus 7K support Multiple VDCs sharing ports on a single line card. One of our cisco parnter engineers stated that cisco doenst recommend using same line card for multiple VDCs.

The second VDC (Non-Default VDC) will be used four our Outside, and DMZ Segment, and to phyiscally segregate our Firewall from our Internal/Inside Core Switch without using a physical DMZ Switch.

I know Cisco used the Nexus in this way in their PCI DSS 2.0 Compliance Document.

Module is N7K-M148GT-11L

Mod Ports Module-Type Model Status

--- ----- -------------------------------- ------------------ ------------

1 48 10/100/1000 Mbps Ethernet XL Mod N7K-M148GT-11L

Mod Ports Module-Type Model Status

--- ----- -------------------------------- ------------------ ------------

1 48 10/100/1000 Mbps Ethernet XL Mod N7K-M148GT-11L

Reza Sharifi · ‎03-20-2013

It is possible, but not recommended:

The Cisco Nexus 7000 Series has a fully distributed architecture in which every module is capable of independent forwarding decisions and is equipped with a local forwarding engine and hardware forwarding tables. When assigning interface resources, dedicating an entire module to a VDC helps ensure that other VDCs will not compete for the same Layer 2 and 3 table resources, which could affect local hardware forwarding. Assigning a module to a VDC also helps ensure that a module failure will be isolated to the particular context.

More info:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-701112.html

HTH

l-mathews · ‎03-20-2013

Can you be more specific? What does “..competing for Layer 2 and Layer 3 Table Resources, which could affect local hardware forwarding”

IF I am planning to use this 2^nd VDC as a DMZ VDC, segregating our Internal Core Switches from the DMZ & Outside Segment on our Firewall thereby removing the need of a dmz switch (currently our DMZ and Outside Segment connect through a separate DM Z Switch) what kind of issues would I run into?

Let me know, Thanks

l-mathews · ‎03-20-2013

As per the document you supplied we plan to use 2nd VDC (DMZ VDC) to:

Separate intranet from DMZ and extranet

Gregory Snipes · ‎03-20-2013

Good find,

Do you know if this applicable to F2 modules as well? As I read the guidance on the F2 module, the table recourses are associated with the SOCs on each blade. Therefore, as you move SOCs from one VDC to another (you have to move the whole SOC) the resources should go with it, ensure no contention for table space.

l-mathews · ‎03-20-2013

Gregory, when you say SOCs do you mean port-groups? I found documentation that specifies if you

configure 1 port in a port-group to separate VDC, all ports in that group will be belong to that VDC.

Gregory Snipes · ‎03-21-2013

Sort of, the design of the F2 module uses switch on chip (SOC) architecture. Each group of four ports has its own processor and table storage. Each SOC can: forward 720 mpps, store 32,768 routes, maintain 16,384 ACLs, and controls 4 ports on the module. This is the reason the F2 module has port groups, you can only move the SOCs between VDCs not individual ports, as they are permanently tied to a specific SOC.

l-mathews · ‎03-21-2013

I guess this applies to F1 Modules as well...correct

I have the following module, I plan to configure another VDC (besides the default one)

Mod Ports Module-Type Model Status

--- ----- -------------------------------- ------------------ ------------

1 48 10/100/1000 Mbps Ethernet Module N7K-M148GT-11 ok

I read this on CCO Nexus 7K Switching/VDC Configuration Guidelines Doc.