Cisco Nexus 7000 Product Manual

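Nexus 7000 NX-OS: The Operating System for the Data Center

Contents

- Basic overview
- Initial startup and system verification
- Command-line interface (CLI) overview
- Interface configuration
- Layer 2 switching and spanning tree configuration
- Routing protocol configuration
- FHRP configuration
- Verifying IP forwarding
- Security protocol configuration
- System management protocol configuration
- Troubleshooting tools

Nexus product line overview

Data center products shown: Nexus 5000, Nexus 2000, Nexus 1000v, NX-OS, Nexus 7000, Nexus 4000

Feature callouts on the slide:

- High availability; high performance (10GE); 40/100 GE ready; unified I/O / DCB (future)
- High performance; small form factor; unified I/O / DCB (FCoE); virtual switch (FEX)
- IBM blade switch; 10 GE connectivity; unified I/O / DCB (FCoE)
- Remote line card (FEX); connects to the Nexus 5000; 1GE to 10GE transition; simplified management
- Virtual switch; VMware integration; NX-OS feature parity; simplified management

Typical Nexus 7000 deployment (diagram labels): L3 core, L2 aggregation, in-line, 10 Gigabit Ethernet, Nexus 7000 end to end

Basic overview

- Nexus 7010 (10-slot) overview
- Nexus 7018 (18-slot) overview
- Supervisor engine
- Ethernet modules
- Fabric modules
- Power supplies

Nexus 7010 - 10-slot overview

- First of the Nexus series
- Optimized for the data center
- High density: up to 256 10-Gigabit interfaces, 384 1G interfaces
- High performance:
  - up to 1.4 Tbps total system bandwidth
  - up to 80 Gbps bandwidth per slot
  - up to 60 Mpps throughput per slot
  - up to 480 Mpps total system throughput
- Future-proofed:
  - initial fabric modules provide up to 4.1 Tbps system bandwidth (230G per slot)
  - scalable to 8+ Tbps system bandwidth (500+ G per slot)
- Front-to-back airflow
- All components are redundant and hot-swappable
- Dedicated components for cable management
- 21 RU

Nexus 7010 front and rear views (labels): line card slots (8), fan filter (optional), module latches, system status LEDs, cable cover, fabric modules (up to 5), power supplies (up to 3), fabric fans, module latches, system fans

Nexus 7018 - 18-slot overview

- Second of the Nexus series
- Optimized for data center environments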
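- Highest density: up to 512 10-Gigabit interfaces, 768 1G interfaces
- High performance:
  - up to 2.8 Tbps total system bandwidth
  - up to 80 Gbps bandwidth per slot
  - up to 60 Mpps throughput per slot
  - up to 960 Mpps total system throughput
- Future-proofed:
  - fabric modules provide up to 8.2 Tbps system bandwidth (230G per slot)
  - scalable to 16+ Tbps system bandwidth
- Side-to-side airflow
- All components are redundant and hot-swappable
- 25 RU

Nexus 7018 front and rear views (labels): line card slots (1-8), line card slots (11-18), supervisor engines (9-10), system status LEDs, fabric modules (up to 5), power supplies (up to 4), system fan trays, power supply air intake, line card vents, power supply exhaust

Chassis dimensions and weight (figure): Nexus 7010, 21 RU; Nexus 7018, 25 RU; labeled dimensions 17.3 in, 17.3 in, 36.5 in, 33.1 in, 43.5 in, 33.1 in

Module ejector levers

Modules that support ejector levers: supervisor, fabric, Ethernet.

Modules include ejector levers that not only help align and seat the module but also act as a power switch for it. If both levers are pressed at the same time, power to the module is shut off automatically.

Verification:

    n7000# show module 1
    Mod  Ports  Module-Type              Model          Status
    ---  -----  -----------------------  -------------  ------
    1    32     10 Gbps Ethernet Module  N7K-M132XP-12  ok

    Chassis Ejector Support: Enabled
    Ejector Status:
    Top ejector CLOSE, Bottom ejector CLOSE, Module HW does support ejector based shutdown.

Supervisor module

- Dual-core Intel Xeon processor
- 4 GB of memory
- 2 GB of flash (8 GB for logs and 2 GB expansion)
- 2 MB NVRAM
- 1 auto-sensing 10/100/1000 Ethernet port
- 1 console port and 1 auxiliary port
- 1 CMP 10/100/1000 Ethernet port
- 3 USB ports (2 host, 1 device)

Supervisor Engine I front panel (labels): console port, auxiliary port, Ethernet port, CMP port, USB device port, USB host port, Reset button, status LEDs

Log interface *

Create the role:

    n7000(config-role)# rule 5 permit command copy running-config startup-config

Create the user and assign the role:

    n7000(config)# username ospf-admin password xxxxxxxx role ospf-admin

This allows a user to use OSPF, verify the configuration, and save the configuration.

If a user's role is modified, the change does not take effect until the user logs out and logs in again.

Verifying the RBAC configuration

    n7000# show role name ospf-admin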
    role: ospf-admin
      description: new role
      Vlan policy: permit (default)
      Interface policy: permit (default)
      vrf policy: permit (default)
      -------------------------------------------------------------------
      Rule    Perm    Type        Scope    Entity
      -------------------------------------------------------------------
      5       permit  command              copy running-config startup-config
      4       permit  command              config t ; interface *
      3       permit  read-write  feature  router-ospf
      2       permit  command              show running-config
      1       permit  command              show interface *

Role: ospf-admin. This verifies a specific role. Rules are applied in descending order (5 to 1).

Verify user accounts and their associated roles:

    n7000# show user-account
    user:admin
            this user account has no expiry date
            roles:network-admin
    user:adminbackup
            this user account has no expiry date
            roles:network-operator
    user:ospf-admin
            this user account has no expiry date
            roles:ospf-admin

The account "ospf-admin" is assigned the "ospf-admin" role.

These two snapshots show two very useful commands for verifying RBAC. Commands such as show role feature and show role feature-group are also valuable when verifying RBAC.

Configuring and verifying RADIUS

Below is a basic AAA/RADIUS configuration that provides authentication for console, Telnet, and SSHv2 logins. Accounting information is also sent to the AAA server.

Configure RADIUS:

    ! RADIUS server address and key
    n7000(config)# radius host 15.142.1.10 key secret
    n7000(config)# aaa group server radius AAA-Server
    ! Specify the VRF that RADIUS uses
    n7000(config-radius)# use-vrf management
    n7000(config-radius)# server 159.142.1.10
    ! Enable AAA "default" authentication for RADIUS
    n7000(config-radius)# aaa authentication login default group AAA-Server
    ! Optional: provide accounting through RADIUS
    n7000(config)# aaa accounting default group AAA-Server

Verify the RADIUS service:

    n7000# show radius
    retransmission count:1
    timeout value:5
    deadtime value:0
    total number of servers:1

    following RADIUS servers are configured:
            15.142.1.10:
                    available for authentication on port:1812
                    available for accounting on port:1813
                    RADIUS shared secret:*

One RADIUS server is available.

Configuring and verifying TACACS+

Below is a simple AAA/TACACS+ configuration, which is very similar to the preceding RADIUS configuration. The TACACS+ feature must be enabled first. TACACS+ supports command

Configure TACACS+:

    n7000(config)# feature tacacs+
    n7000(config)# tacacs-server host 159.142.1.10
    warning: no key is configured for the host
    n7000(config)# tacacs-server key cisco123
    n7000(config)# aaa group server tacacs+ AAA-Server
    n7000(config-tacacs+)# use-vrf management
    n7000(config-tacacs+)# server 159.142.1.10
    n7000(config)# aaa authentication login default group AAA-Server
    n7000(config)# aaa authorization commands default group AAA-Server local
    n7000(config)# aaa authorization config-commands default group AAA-Server local
    n7000(config)# aaa accounting default group AAA-Server

Verify the TACACS+ service:

1-alert; 2-crit; 3-err; 4-warn; 5-notif; 6-inform; 7-debug

Configure the log server:

    ! Specify the VRF in which the log server resides
    n7000(config)# logging server 159.142.1.10 7 use-vrf management

Verify the log server: log server 159.142.1.10 is available, and the log server belongs to the "management" VRF.

Different log servers can be configured for different event severity levels. Use the use-vrf option to specify the VRF in which the log server resides.

Clear the "logfile":

    n7000# clear logging logfile

Other related options ("logfile"

NetFlow cache entries:

    L4 Info - Protocol:Source Port:Destination Port
    IF - Interface: ()ethernet, (S)vi, (V)lan, (P)ortchannel, (T)unnel
    TCP Flags: Ack, Flush, Push, Reset, Syn, Urgent

    D IF    SrcAddr          DstAddr          L4 Info          PktCnt      TCP Flags
    -+-+-+-+-+-+-
    I 3/11  192.168.010.018  192.168.011.002  000:00000:00069  0000008171  . . . . . .
    I 3/11  192.168.010.021  192.168.011.002  000:00000:00069  0000008171  . . . . . .
    I 3/11  192.168.010.023  192.168.011.002  000:00000:00069  0000008171  . . . . . .
    I 3/11  192.168.010.025  192.168.011.002  000:00000:00069  0000008171  . . . . . .

The NetFlow cache is verified on each module with the show hardware flow command, specifying the module. Verifying TCAM utilization is also common.

Note: The "show hardware flow ip detail module x" command displays additional non-key field information configurable via the "collect" command.

Verifying TCAM utilization (specify the module):

    n7000# show hardware flow utilization module 3
    Flow Utilization: 0.04% (200/515090)

Verify TCAM entries: 200 of 515,090 are in use.

NetFlow flow record "match" options

    n7000(config-flow-record)# match ?
      ip         IP attributes
      ipv4       IPv4 attributes
      transport  Transport layer fields

    ! Match the IP protocol and/or the TOS field
    n7000(config-flow-record)# match ip ?
      protocol  Protocol
      tos       TOS

    ! Source and/or destination address
    n7000(config-flow-record)# match ipv4 ?
      destination  Destination Address
      source       Source Address

    ! Source and/or destination L4 port
    n7000(config-flow-record)# match transport ?
      destination-port  Transport destination port
      source-port       Transport source port

The flow record "match" options define the key fields used to match the traffic of interest, using L3 and L4 information. The input and output interfaces and the traffic direction are matched automatically.

NetFlow flow record "collect" options

    n7000(config-flow-record)# collect ?
      counter    Counters to collect
      flow       Flow identifying fields
      routing    Routing attributes
      timestamp  Timestamp fields
      transport  Transport layer fields

    ! Collect byte and/or packet statistics
    n7000(config-flow-record)# collect counter ?
      bytes    Total number of bytes
      packets  Total number of packets

    ! Collect the BGP source AS, destination AS, next-hop address and/or forwarding status
    n7000(config-flow-record)# collect routing ?
      destination        AS destination
      forwarding-status  Forwarding status of the packet
      next-hop           Next hop address
      source             AS source

    ! Collect the timestamp of the first and/or last packet
    n7000(config-flow-record)# collect timestamp ?
      sys-uptime  System uptime

    ! Collect TCP flags; flags = Ack, Flush, Push, Reset, Syn, Urgent
    n7000(config-flow-record)# collect transport ?
      tcp  TCP layer fields

The flow record "collect" options determine which non-key field information is collected for a flow.

NetFlow: verifying flow records

    n7000# show flow record Netflow-Record-1
    Flow record Netflow-Record-1:
        Description: Custom-Flow-Record
        No. of users: 1
        Template ID: 263
        Fields:
            match ipv4 source address
            match ipv4 destination address
            match transport destination-port
            match interface input
            match interface output
            match flow direction
            collect counter bytes
            collect counter packets

    n7000# show flow record netflow-original
    Flow record netflow-original:
        Description: Traditional IPv4 input NetFlow with origin ASs
        No. of users: 0
        Template ID: 0
        Fields:
            match ipv4 source address
            match ipv4 destination address
            match ip protocol
            match ip tos
            match transport source-port
            match transport destination-port
            match interface input
            match interface output
            match flow direction
            collect routing source as
            collect routing destination as
            collect routing next-hop address ipv4
            collect transport tcp flags
            collect counter bytes
            collect counter packets
            collect timestamp sys-uptime first
            collect timestamp sys-uptime last

The first output is the custom NetFlow record; the second is the original NetFlow record.

Use the show flow record command to verify flow records. You can also verify the preconfigured "netflow-original" record.

Note: These records were configured in the earlier configuration example.

NetFlow flow export options

    n7000(config)# flow export Netflow-Exporter-1
    n7000(config-flow-exporter)# ?
      description  Provide a description for this Flow Exporter
      destination  Specify the destination address
      dscp         Optional DSCP
      exit         Exit from command interpreter
      no           Negate a command or set its defaults
      source       Source Interface for this destination
      transport    Transport Destination Port
      version      Specify the export version

The options specify the source interface, the export version (5 or 9), and the destination IP address.

Configure the flow export:

    n7000(config)# flow export Netflow-Exporter-1
    n7000(config-flow-exporter)# version 9
    n7000(config-flow-exporter-version-9)# ?
      exit      Exit from command interpreter
      no        Negate a command or set its defaults
      option    Version 9 Option Templates and Data
      template  Version 9 Template

The second help listing shows the version 9 export options.

Configure a flow exporter to define a remote NetFlow collector, so that NX-OS knows where to send the NetFlow data.

NetFlow: verifying flow export

    n7000# show flow export
    Flow exporter Netflow-Exporter-1:
        Description: Production-Netflow-Exporter
        Destination: 192.168.11.2
        VRF: default (1)
        Source Interface Ethernet4/11 (192.168.11.1)
        Export Version 9
        Exporter Statistics
            Number of Flow Records Exported 400
            Number of Templates Exported 4
            Number of Export Packets Sent 10
            Number of Export Bytes Sent 11288
            Number of Destination Unreachable Events 0
            Number of No Buffer Events 0
            Number of Packets Dropped (No Route to Host) 0
            Number of Packets Dropped (other) 0
            Number of Packets Dropped (LC to RP Error) 0
            Number of Packets Dropped (Output Drops) 0
            Time statistics were last cleared: Tue Jan 13 02:03:00 2009

The output shows the destination IP address and VRF, the export statistics, and the time the statistics were last cleared.

Use the show flow export command to verify the NetFlow records that have been sent to the collector. If necessary while troubleshooting, use the
clear flow export name command to reset the statistics counters.

Note: Aging timers define when NetFlow sends data to the collector.

NetFlow flow monitor options

Flow monitor options:

    n7000(config)# flow monitor Netflow-Monitor-1
    n7000(config-flow-monitor)# ?
      description  Provide a description for this Flow Monitor
      exit         Exit from command interpreter
      exporter     Add an Exporter to use to export records
      no           Negate a command or set its defaults
      record       Specify Flow Record to use

When you create a flow monitor, you must specify a flow exporter and a flow record. You can specify one or two flow exporters for each flow monitor. If you do not create a custom flow record, you can use the original NetFlow records.

Verification (lists the flow record and exporter):

    n7000# show flow monitor
    Flow Monitor Netflow-Monitor-1:
        Description: Applied Inbound-Eth-3/11
        Use count: 1
        Flow Record: Netflow-Record-1
        Flow Exporter: Netflow-Exporter-1

Flow exporter and record options:

    n7000(config)# flow monitor Netflow-Monitor-1
    n7000(config-flow-monitor)# record ?
      WORD              Name of record
      netflow           Traditional NetFlow collection schemes
      netflow-original  Traditional IPv4 input NetFlow with origin As
    n7000(config-flow-monitor)# record Netflow-Record-1
    n7000(config-flow-monitor)# exporter Netflow-Exporter-1

Specify the flow exporter and record. If custom flow records do not meet the requirement, use "netflow" or "netflow-original" here.

NetFlow interface IP flow options

Apply the flow monitor to an interface. Flow monitors can be configured on Ethernet interfaces, subinterfaces, VLAN interfaces, port channels, and the management interface.

Configure the interface, specifying a direction of "input" or "output":

    n7000(config-if)# ip flow monitor Netflow-Monitor-1 ?
      input   Apply Flow Monitor on input traffic
      output  Apply Flow Monitor on output traffic
    n7000(config-if)# ip flow monitor Netflow-Monitor-1 input

You can apply only one inbound and one outbound flow monitor on each interface.

Verification (lists which interfaces have flow monitors configured, with the monitor name and direction):

    n7000# show flow interface
    Interface Ethernet3/11:
        Monitor: Netflow-Monitor-1
        Direction: Input

NetFlow: configuring sampling

Sampling can be configured to inspect packets at a set ratio, which protects hardware resources such as the CPU and the NetFlow cache tables (TCAM).

Configure the sampling map (sample 1 out of 1000 packets; range = 1-64 out of 1-8192):

    n7000(config)# sampler Netflow-Sampler-1
    n7000(config-flow-sampler)# description Sampler-for-Int-Eth-3/11
    n7000(config-flow-sampler)# mode 1 out-of 1000

Apply the sampling map to the interface:

    n7000(config)# interface ethernet 3/11
    n7000(config-if)# ip flow monitor Netflow-Monitor-1 input sampler Netflow-Sampler-1

Verify the sampling map:

    n7000# show sampler
    Sampler Netflow-Sampler-1:
        Description: Sampler-for-Int-Eth-3/11
        mode 1 out-of 1000

Verify the interface (shows the applied sampler map):

    n7000# show flow interface ethernet 3/11
    Interface Ethernet3/11:
        Monitor: Netflow-Monitor-1
        Direction: Input
        Traffic(IPv4):
            Sampler Netflow-Sampler-1

Configuring the NetFlow aging timer

The aging timer determines when collected statistics reach their limit and are sent to the NetFlow collector.

Configure the aging options:

    n7000(config)# flow timeout ?
      active      Active or long timeout
      aggressive  Aggressive aging
      fast        Fast aging timeout
      inactive    inactive or normal timeout
      session     Enable TCP session aging

Verification:

    n7000# show flow timeout
    Flow timeout values
        Active timeout: 1800 seconds
        Inactive timeout: 15 seconds
        Fast timeout: Disabled
        Session aging timeout: Disabled
        Aggressive aging timeout: Disabled

Define the "Active" and "Inactive" timeout values. Ranges:

- Active = 60 to 4092 seconds
- Aggressive = 50 to 99% NetFlow table utilization
- Inactive = 15 to 4092 seconds
- Fast = 32 to 512 seconds / 1 to 4000 packets

The aggressive and fast timers are usually enabled to speed up aging and protect the NetFlow hardware TCAM resources.

NetFlow troubleshooting - debugging

The following debug commands are very useful when troubleshooting NetFlow errors.

    n7000# debug nfm ?
      all      Configure all debug flags of nfm
      ddb      Configure debugging of netflow ddb
      demux    Configure debugging of nfm message demux
      deque    Configure debugging of nfm message deque
      error    Configure debugging of nfm error
      events   Configure debugging of nfm events
      export   Configure debugging of nfm export packets
      fsm      Configure debugging of nfm FSM events
      ha       Configure debugging of nfm HA
      lif      Configure debugging of netflow logical if configuration
      swcache  Configure debugging of nfm software cache
      trace    Configure debugging of nfm trace
      warning  Configure debugging of nfm warning

Debug example:

    n7000# debug nfm export
    nfm: nfm_export_pkt(2634): Starting to export data for exporter Netflow-Exporter-1 .
    nfm: nfm_export_pkt(2645): exporter Netflow-Exporter-1 is exporting a v9 packet
    nfm: nfm_v9_send_pkt(833): v9_hdr - length 1436 - count 53
    nfm: nfm_v9_send_pkt(843): current sysUptime 31576744, current UNIXTime 1231814057
    nfm: nfm_v9_send_pkt(861): record count 53, source_id 0x102, sequence number 18

Troubleshooting tools

- Switchport Analyzer (SPAN)
- Ethanalyzer
- On-Board Failure Logging (OBFL)
- Locator LED
- Generating a TAC-PAC for TAC cases
- Password recovery procedure

Switchport Analyzer (SPAN)

SPAN mirrors traffic from source ports to a destination port so that it can be supplied to a packet analyzer or to a host running specific applications and troubleshooting analyzers.

SPAN session guidelines:

- 18 sessions can be configured
- Only 2 sessions can be active
- Ethernet ports, port channels, and the Ethernet CPU port can be monitored
- Destination ports can be Ethernet ports or port channels
- Multiple source and destination ports can be specified
- A destination port cannot be used in more than one session
- Only local SPAN sessions are currently supported

Configuring SPAN

Configure the destination SPAN interface:

    n7000(config)# interface ethernet 2/14
    n7000(config-if)# switchport
    n7000(config-if)# switchport monitor

Configure the Monitor (SPAN) Session:

    n7000(config)# monitor session 1
    n7000(config-monitor)# description Inbound(rx) SPAN on Eth 2/13
    n7000(config-monitor)# source interface ethernet 2/13 rx
    n7000(config-monitor)# destination interface ethernet 2/14
    n7000(config-monitor)# no shut

Monitor (SPAN) Options:

    n7000(config-monitor)# ?
      description  Session description (max 32 characters)
      destination  Destination configuration
      exit         Exit from command interpreter
      filter       Filter configuration
      no           Negate a command or set its defaults
      shut         Shut a monitor session
      source       Source configuration

Notes on the options:

- destination: configures the destination "monitor" interface
- filter: VLAN filter for 802.1Q trunks
- shut: the session must be active
- source: Port = "ethernet", "port-channel", or "sup-eth"; Traffic = "rx", "tx", or "both"

A SPAN destination interface must be configured as a switchport monitor interface, and the session must be in the active state.

Verifying SPAN

Verify the SPAN session:

    n7000# show monitor session 1
       session 1
    ---------------
    description       : Inbound(rx) SPAN on Eth 2/13
    type              : local
    state             : up
    source intf       :
        rx            : Eth2/13
        tx            :
        both          :
    source VLANs      :
        rx            :
        tx            :
        both          :
    filter VLANs      : filter not specified
    destination ports : Eth2/14

The output shows the operational state of the monitor session ("up"; other options are "down" for a session that is administratively down and "down" for no hardware resources), the source interface (rx), and the destination interface.

Verify the destination interface type:

    n7000# show interface ethernet 2/14
    Ethernet2/14 is up
      Hardware is 10/100/1000 Ethernet, address is 001b.54c0.fedd (bia 001b.54c0.fedd)
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      full-duplex, 1000 Mb/s
      Beacon is turned off
      Auto-Negotiation is turned on
      Input flow-control is off, output flow-control is off
      Auto-mdix is turned on
      Switchport monitor is on
      Last clearing of show interface counters never

The "Switchport monitor is on" line shows the switchport mode.

Ethanalyzer (Control Plane Traffic)

Ethanalyzer is an internal CLI-based protocol analyzer that captures packets on the CPU control plane (ingress or egress). Ethanalyzer is useful when troubleshooting CPU and/or control-plane-related issues. The packets can be viewed using the CLI or exported to a Wireshark protocol analyzer on an external host for GUI analysis.

Ethanalyzer Guidelines:

- Configured in "user-exec" mode
- Two interface options can be specified - "inband" or "mgmt"
- 10 packet capture limit by default
- Configurable up to 2.1 billion packets
- Packet contents scroll on the console by default
- Packet capture can be redirected to a destination file - Recommended
- Brief or Detailed analysis available (Brief is enabled by default)
- User-configurable frame size, with capture and display filter options

Ethanalyzer Configuration

    n7000# ethanalyzer local sniff-interface inband write bootflash:ethanalyzer-data
    Capturing on inband
    10

    n7000# ethanalyzer local sniff-interface inband ?
      >                      Redirect it to a file
      >>                     Redirect it to a file in append mode
      capture-filter         Filter on ethanalyzer capture
      decode-internal        Include internal system header decoding
      detailed-dissection    Display detailed protocol information
      display-filter         Display filter on frames captured
      dump-pkt               Hex/Ascii dump the packet with possibly one line summary
      limit-captured-frames  Maximum number of frames to be captured (default is 10)
      limit-frame-size       Capture only a subset of a frame
      write                  Fil
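The RADIUS configuration earlier on this page defines the host as 15.142.1.10 but places 159.142.1.10 in the server group, while show radius lists only 15.142.1.10. The script below is an added example, not part of the original manual: it checks an AAA configuration for that kind of mismatch, assuming that every server in an aaa group server block must also be defined by a host command and must have a shared key. The names audit_aaa_groups and PAGE_CONFIG and the group name TAC-Server are hypothetical.

```python
import re

# Constructed sample: the RADIUS and TACACS+ lines from this page with the CLI
# prompts removed. The TACACS+ group is renamed TAC-Server (hypothetical) so that
# both groups can sit in one configuration.
PAGE_CONFIG = """\
radius host 15.142.1.10 key secret
aaa group server radius AAA-Server
  use-vrf management
  server 159.142.1.10
feature tacacs+
tacacs-server host 159.142.1.10
tacacs-server key cisco123
aaa group server tacacs+ TAC-Server
  use-vrf management
  server 159.142.1.10
"""

HOST_RE = re.compile(r"^(radius|radius-server|tacacs-server) host (\S+)(.*)$")
KEY_RE = re.compile(r"^(radius|radius-server|tacacs-server) key \S+")
GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")

def proto_of(keyword):
    return "radius" if keyword.startswith("radius") else "tacacs+"

def audit_aaa_groups(config):
    """Return (group, server, issue) for each group member that is inconsistent."""
    hosts = {"radius": {}, "tacacs+": {}}       # protocol -> {address: has own key}
    global_key = {"radius": False, "tacacs+": False}
    groups = []                                  # (protocol, name, [servers])
    current = None                               # group block being read, if any
    for raw in config.splitlines():
        line = " ".join(raw.split())             # normalise indentation and spacing
        if (m := HOST_RE.match(line)):
            hosts[proto_of(m.group(1))][m.group(2)] = " key " in m.group(3) + " "
            current = None
        elif (m := KEY_RE.match(line)):
            global_key[proto_of(m.group(1))] = True
            current = None
        elif (m := GROUP_RE.match(line)):
            current = (m.group(1), m.group(2), [])
            groups.append(current)
        elif current and line.startswith("server "):
            current[2].append(line.split()[1])
        elif not line.startswith("use-vrf "):
            current = None                       # any other line ends the group block
    findings = []
    for proto, name, servers in groups:
        for addr in servers:
            if addr not in hosts[proto]:
                findings.append((name, addr, "server not defined as a host"))
            elif not hosts[proto][addr] and not global_key[proto]:
                findings.append((name, addr, "no shared key configured"))
    return findings
```

Run against the page's lines, the check reports the RADIUS group member 159.142.1.10 and nothing for the TACACS+ group, whose host picks up the global tacacs-server key.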
