Cisco

Cisco Nexus Switch Configuration

Comprehensive Coverage of the Cisco Nexus Switch

Authored By:

Khawar Butt
Penta CCIE # 12353
CCDE # 20110020

Email: [email protected]
Page 1 of 139
Module 1 – Configuring Nexus 7K & 5K Switches

Lab 1- Introduction to the Nexus
Operating System (NX-OS)

[Topology diagram: Nexus 7K-1 (E 3/13-14, E 3/23-24), Nexus 5K-1 (E 1/13-14, E 1/10-11), Nexus 5K-2 (E 1/23-24, E 1/10-11)]

Task 1
Configure the switches with hostnames based on the following:

• Nexus 7K - N7K-1
• Nexus 5K-1 - N5K-1
• Nexus 5K-2 - N5K-2

Nexus 7K-1

Hostname N7K-1

OR

Switchname N7K-1

Nexus 5K-1

Hostname N5K-1

OR

Switchname N5K-1

Nexus 5K-2

Hostname N5K-2

OR

Switchname N5K-2

Task 2
Find out the operating system that is running on the Nexus devices.

Nexus 7K-1

Show version

Nexus 5K-1

Show version

Nexus 5K-2

Show version

Task 3
Figure out the modules installed in your Nexus devices.

Nexus 7K-1

Show module

Nexus 5K-1

Show module

Nexus 5K-2

Show module

Task 4
Find out the features available on your Nexus devices.

Nexus 7K-1

Show feature

Nexus 5K-1

Show feature

Nexus 5K-2

Show feature

Task 5
Find out the features that are enabled by default.

Nexus 7K-1

Show feature | include enabled

Nexus 5K-1

Show feature | include enabled

Nexus 5K-2

Show feature | include enabled

Task 6
Find the status of the interface and its characteristics. What type of Ethernet
Interface is it (Gigabit, Ten G or 100G)?

Nexus 7K-1

Show interface ethernet 3/13

Nexus 5K-1

Show interface ethernet 3/13

Nexus 5K-2

Show interface ethernet 3/13

Task 7
Find out the System Image files that are present in the Devices.

Nexus 7K-1

Dir

Nexus 5K-1

Dir

Nexus 5K-2

Dir

Note: System Image files can be updated from remote servers using FTP,
SCP, SFTP or TFTP. Use the copy command to accomplish this.

Copy tftp://x.x.x.x/xxxxxx.bin bootflash:xxxxxx.bin

NX-OS offers a 120-day grace period license. To enable this license, use
the following command:

License grace-period

To upgrade the license to full, download the license file from Cisco and
copy it to the device bootflash using a TFTP server. Once the license file
is copied, use the following command to install it on the device:

Install license bootflash:xxxxxx.lic

Task 8
Configure a checkpoint of your config file

Nexus 7K-1

Checkpoint CK1

Nexus 5K-1

Checkpoint CK1

Nexus 5K-2

Checkpoint CK1

Task 9
Change the Hostname of the devices to the following:
• Nexus 7K-1 - Bangalore
• Nexus 5K-1 - Delhi
• Nexus 5K-2 - Dubai

Nexus 7K-1

Switchname Bangalore

Nexus 5K-1

Switchname Delhi

Nexus 5K-2

Switchname Dubai

Task 10
Revert the running-config of each switch back to the checkpoint created.

Nexus 7K-1

Rollback running-config checkpoint CK1


Nexus 5K-1

Rollback running-config checkpoint CK1


Nexus 5K-2

Rollback running-config checkpoint CK1

Lab 2 – Configuring Trunking & VLANs
(Builds on Lab 1)

Task 1
Configure the interfaces that connect N7K-1 to N5K-1 and N5K-2 as Trunk
ports. Only use the ports shown in the Diagram (Lab1).

N7K-1

Interface E 3/13 - 14 , E 3/23 - 24
Switchport
Switchport mode trunk
No shutdown

N5K-1

Interface E 1/13 - 14
Switchport
Switchport mode trunk

N5K-2

Interface E 1/23 - 24
Switchport
Switchport mode trunk

Task 2
Configure VLANs and assign ports to these vlans based on the following table:

• VLAN 10 - N7K-1 - 4/23 , N5K-1 E 1/21 , N5K-2 E 1/29
• VLAN 20 - N7K-1 - 4/24 , N5K-1 E 1/22 , N5K-2 E 1/30

N7K-1

VLAN 10
VLAN 20
!
interface E 4/23
switchport
switchport mode access
Switchport access vlan 10
!
interface E 4/24
switchport
switchport mode access
Switchport access vlan 20
N5K-1

VLAN 10
VLAN 20

!
interface E 1/21
switchport
switchport mode access
Switchport access vlan 10
!
interface E 1/22
switchport
switchport mode access
Switchport access vlan 20
N5K-2

VLAN 10
VLAN 20
!
interface E 1/29
switchport
switchport mode access
Switchport access vlan 10
!
interface E 1/30
switchport
switchport mode access
Switchport access vlan 20

Task 3
Only VLANs 10 thru 20 should be allowed to cross the trunk links.

N7K-1

Interface E 3/13 - 14 , E 3/23 - 24
Switchport trunk allowed vlan 10-20

N5K-1

Interface E 1/13 - 14
Switchport trunk allowed vlan 10-20

N5K-2

Interface E 1/23 - 24
Switchport trunk allowed vlan 10-20

Lab 3 – Configuring Etherchannels
(Builds on Lab 2)

Task 1
Configure the Ports connecting N5K-1 and N5K-2 to be part of an
Etherchannel. The Etherchannel should use an Industry standard protocol.

N5K-1

Feature LACP
!
Interface E 1/10 - 11
Channel-group 12 mode active
N5K-2

Feature LACP
!
Interface E 1/10 - 11
Channel-group 12 mode active

Task 2
Configure the Port-Channel to be a trunk.

N5K-1

Interface Port-channel 12
Switchport
Switchport mode trunk

N5K-2

Interface Port-channel 12
Switchport
Switchport mode trunk

Task 3
Configure the load-balancing method to be based on a combination of the
source and destination IP.

N5K-1

Port-channel load-balance ethernet src-dst-ip-vlan


N5K-2

Port-channel load-balance ethernet src-dst-ip-vlan

Task 3
Verify the Etherchannel status.

N5K-1

Show port-channel summary


N5K-2

Show port-channel summary

Explanation:

An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet
links bundled into a single logical link.

If a link within an EtherChannel fails, traffic previously carried over that failed
link changes to the remaining links within the EtherChannel. A trap is sent for
a failure, identifying the switch, the EtherChannel, and the failed link.

Inbound broadcast and multicast packets on one link in an EtherChannel are
blocked from returning on any other link of the EtherChannel.

NOTE: All interfaces in each EtherChannel must have the same speed and
duplex, and the same trunking encapsulation or the same access VLAN ID. The
STP cost for each port must also be the same, and none of the EtherChannel
ports can be involved in a SPAN, RSPAN or 802.1X configuration.

Understanding Port-Channel Interfaces

You create an EtherChannel for Layer 2 interfaces differently from Layer 3
interfaces. Both configurations involve logical interfaces.
• With Layer 3 interfaces, you manually create the logical interface by using
the interface port-channel global configuration command.
• With Layer 2 interfaces, the logical interface is dynamically created.
• With both Layer 3 and 2 interfaces, you manually assign an interface to the
EtherChannel by using the channel-group interface configuration command.
This command binds the physical and logical ports together.

An EtherChannel on a Nexus switch can be configured either as manual or
LACP.

Lab 4 – Configuring Switch Virtual
Interfaces (SVI)
(Builds on Lab 3)

Task 1
Enable the SVI feature on the Nexus Switches.

N7K-1

Feature interface-vlan

N5K-1

Feature interface-vlan

N5K-2

Feature interface-vlan

Task 2
Configure the SVI's on the Nexus switches based on the following table:

• N7K-1 - VLAN 10 - 10.1.10.1/24 , VLAN 20 - 10.1.20.1/24
• N5K-1 - VLAN 10 - 10.1.10.11/24 , VLAN 20 - 10.1.20.11/24
• N5K-2 - VLAN 10 - 10.1.10.12/24 , VLAN 20 - 10.1.20.12/24

N7K-1

Interface VLAN 10
Ip address 10.1.10.1/24
No shut
!
Interface VLAN 20
Ip address 10.1.20.1/24
No shut
N5K-1

Interface VLAN 10
Ip address 10.1.10.11/24
No shut
!
Interface VLAN 20
Ip address 10.1.20.11/24
No shut
N5K-2

Interface VLAN 10

Ip address 10.1.10.12/24
No shut
!
Interface VLAN 20
Ip address 10.1.20.12/24
No shut

Task 3
Make sure the devices are pingable within the same VLANs.

N7K-1

Ping 10.1.10.11
Ping 10.1.20.11
Ping 10.1.10.12
Ping 10.1.20.12

N5K-1

Ping 10.1.10.1
Ping 10.1.20.1
Ping 10.1.10.12
Ping 10.1.20.12

N5K-2

Ping 10.1.10.1
Ping 10.1.20.1
Ping 10.1.10.11
Ping 10.1.20.11

Lab 5 – Configuring Port Security
(Builds on Lab 4)

Task 1
Configure N5K-1 such that only MAC 0010.1111.2222 can connect to Port E
1/21. If another device tries to connect to this port, the port should be shut down.

N5K-1

Interface E 1/21
Switchport port-security
Switchport port-security mac 0010.1111.2222

Task 2
Configure N5K-2 such that only MAC 0010.2222.4444 can connect to Port E
1/29. If another device tries to connect to this port, the port should be shut down.

N5K-2

Interface E 1/29
Switchport port-security
Switchport port-security mac 0010.2222.4444

Task 3
Configure Port security on N7K-1 ports E 4/23 & 4/24. You would like to learn
the MAC address dynamically and copy it to the running-configuration file.

N7K-1

Interface E 4/23-24
Switchport port-security
Switchport port-security mac sticky

Task 4
Configure E 1/22 in VLAN 10 on N5K-1. Enable Port security for this port such
that 5 MAC addresses can be connected to it. Configure 2 MAC addresses
(0001-1010-AB12 and 0001-1010-AB13) statically. The rest of the MAC addresses
can be learned dynamically.

N5K-1

Interface E 1/22
Switchport

Switchport mode access
Switchport access vlan 10
Switchport port-security
Switchport port-security max 5
Switchport port-security mac 0001.1010.AB12
Switchport port-security mac 0001.1010.AB13
Switchport port-security mac sticky

Task 5
Configure the N5K-1 such that it tries to bring up the Port-security error
disabled port automatically after 4 minutes.

N5K-1

errdisable recovery cause psecure-violation


errdisable recovery interval 240
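
Added example (not part of the original workbook): a small Python model of what Tasks 4 and 5 configure on N5K-1 port E 1/22, showing how the maximum of 5, the two static addresses, sticky learning and the 240-second errdisable recovery interact. The class and function names, the dynamically learned MAC addresses and the timestamps are constructed for illustration.

```python
# Added illustration, not part of the workbook: simplified model of the port
# security configured in Lab 5 Tasks 4 and 5 (N5K-1, E 1/22). Learned MAC
# addresses and timestamps below are constructed sample data.

RECOVERY_INTERVAL = 240  # seconds, "errdisable recovery interval 240"


class SecurePort:
    def __init__(self, maximum, static_macs, recovery=RECOVERY_INTERVAL):
        self.maximum = maximum
        # Static entries count toward the maximum, like learned ones.
        self.secure = {m.lower() for m in static_macs}
        self.recovery = recovery
        self.disabled_at = None   # time the port was err-disabled, None while up
        self.violations = []      # (time, mac) pairs, the audit trail

    def frame(self, src_mac, now):
        """Return the fate of a frame with this source MAC at time `now` (seconds)."""
        # errdisable recovery: bring the port back once the interval has elapsed.
        if self.disabled_at is not None and now - self.disabled_at >= self.recovery:
            self.disabled_at = None
        if self.disabled_at is not None:
            return "drop (err-disabled)"
        mac = src_mac.lower()
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(mac)  # sticky learning keeps the address as a secure entry
            return "forward (learned)"
        # Table full and unknown source: the violation shuts the port down.
        self.disabled_at = now
        self.violations.append((now, mac))
        return "shutdown"


def run_lab5_scenario():
    port = SecurePort(5, ["0001.1010.AB12", "0001.1010.AB13"])
    events = [
        (0, "0001.1010.AB12"),    # static entry
        (1, "0010.aaaa.0001"),    # third, fourth and fifth addresses are learned
        (2, "0010.aaaa.0002"),
        (3, "0010.aaaa.0003"),
        (10, "0010.aaaa.0004"),   # sixth address: violation
        (20, "0001.1010.AB12"),   # even a secure address is dropped while err-disabled
        (249, "0001.1010.AB12"),  # 239 s after the violation: still down
        (250, "0001.1010.AB12"),  # 240 s after the violation: recovered
        (251, "0010.aaaa.0004"),  # the unknown address trips the port again
    ]
    results = [port.frame(mac, t) for t, mac in events]
    return results, port.violations


if __name__ == "__main__":
    outcome, violations = run_lab5_scenario()
    for line in outcome:
        print(line)
    print("violations:", violations)
```

Automatic recovery does not remove the cause: while the unknown device stays attached, the port cycles between up and err-disabled every recovery interval, so the violation record is what to alert on.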

Lab 6 – Preventing the Rogue DHCP
Server Attack using the DHCP Snooping
Feature
(Builds on Lab 5)

Task 1
All the SALES users will be in the SALES VLAN (100). Create this VLAN. Assign
ports E 1/5 – 9 on N5K-2 to this VLAN.

N5K-2

VLAN 100
Name SALES
!
Interface E 1/5 - 9
switchport
Switchport mode access
Switchport access vlan 100

Task 2
The DHCP server resides on the E 1/4 on N5K-2. Assign this port to the SALES
VLAN.

N5K-2

Interface E 1/4
switchport
Switchport mode access
Switchport access vlan 100

Task 3
Enable the DHCP Snooping Feature on the Nexus N5K-2.

N5K-2

Feature dhcp

Task 4
Make sure the switch only allows DHCP replies from port E 1/4 on N5K-2.

N5K-2

Ip dhcp snooping

Ip dhcp snooping vlan 100
!
Interface E 1/4
Ip dhcp snooping trust

Lab 7 – Configuring Dynamic ARP
Inspection (DAI)
(Builds on Lab 6)

Task 1
Configure N5K-2 such that it intercepts all packets received on untrusted ports
in VLAN 100. It should verify valid IP-MAC mappings against the DHCP
Snooping Database. This database was created by enabling DHCP Snooping for
VLAN 100 in a previous lab.

N5K-2

Ip arp inspection vlan 100


!
Interface E 1/4
Ip arp inspection trust

Lab 8 – Configuring the Source Guard
Feature
(Builds on Lab 7)

Task 1
There is a Server connected to port E 1/3 on N5K-2. Turn on the IP Source
Guard feature on SW2 such that only this server connects up to E 1/3. This
Server has a MAC address of 0001.1010.1020 and an IP address of 192.1.50.7.
This server should be in VLAN 100 and has a static IP Assignment.

N5K-2

ip source binding 192.1.50.7 0001.1010.1020 vlan 100 interface E 1/3


!
Interface E 1/3
Switchport
Switchport mode access
Switchport access vlan 100
Ip verify source

Task 2
Enable the source guard feature for the rest of the devices in this VLAN as well.
Use the DHCP binding database to verify the information.

N5K-2

Interface E 1/4 - 9
Ip verify source dhcp-snooping-vlan
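
Added example (not part of the original workbook): a simplified Python model of how the three features from Labs 6 to 8 work together on N5K-2 for VLAN 100, with DHCP snooping building the binding table that Dynamic ARP Inspection and IP Source Guard then check. The class and function names, the client MAC addresses and the leased address 192.1.50.20 are constructed; the model assumes source guard only on host-facing ports E 1/3 and E 1/5 - 9.

```python
# Added illustration, not part of the workbook: a simplified model of the checks
# Labs 6-8 enable on N5K-2 for VLAN 100. Real switches also handle lease expiry,
# option 82 and rate limits. Client MACs and the leased IP are constructed.
from dataclasses import dataclass

SNOOPED_VLAN = 100
TRUSTED = {"E1/4"}                      # ip dhcp snooping trust / ip arp inspection trust
SOURCE_GUARD = {"E1/3", "E1/5", "E1/6", "E1/7", "E1/8", "E1/9"}  # assumption: host-facing ports only
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # DHCP message types only a server sends


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self):
        self.bindings = {}   # (vlan, ip) -> Binding
        self.pending = {}    # client MAC -> port its REQUEST arrived on

    def add_static(self, ip, mac, vlan, port):
        """Models 'ip source binding <ip> <mac> vlan <vlan> interface <port>'."""
        self.bindings[(vlan, ip)] = Binding(ip, mac.lower(), vlan, port)

    def dhcp(self, port, vlan, msg, client_mac, leased_ip=None):
        """DHCP snooping: drop server messages on untrusted ports, learn from ACKs."""
        client_mac = client_mac.lower()
        if vlan != SNOOPED_VLAN:
            return "forward"
        if msg in SERVER_MSGS and port not in TRUSTED:
            return "drop"
        if msg == "REQUEST":
            self.pending[client_mac] = port
        elif msg == "ACK" and client_mac in self.pending:
            client_port = self.pending.pop(client_mac)
            self.bindings[(vlan, leased_ip)] = Binding(leased_ip, client_mac, vlan, client_port)
        return "forward"

    def _bound(self, port, vlan, ip, mac):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac.lower() and b.port == port

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP Inspection on untrusted ports of the inspected VLAN."""
        if vlan != SNOOPED_VLAN or port in TRUSTED:
            return "forward"
        return "forward" if self._bound(port, vlan, sender_ip, sender_mac) else "drop"

    def ip_packet(self, port, vlan, src_ip, src_mac):
        """IP Source Guard: the source IP/MAC must match a binding for this port."""
        if port not in SOURCE_GUARD:
            return "forward"
        return "forward" if self._bound(port, vlan, src_ip, src_mac) else "drop"


def run_vlan100_scenario():
    sw = SnoopingSwitch()
    sw.add_static("192.1.50.7", "0001.1010.1020", 100, "E1/3")      # Lab 8 Task 1
    pc, other = "0010.AAAA.0005", "0010.AAAA.0006"                  # constructed clients
    return {
        "client_request": sw.dhcp("E1/5", 100, "REQUEST", pc),
        "server_ack_on_trusted": sw.dhcp("E1/4", 100, "ACK", pc, "192.1.50.20"),
        "offer_on_untrusted": sw.dhcp("E1/6", 100, "OFFER", pc, "192.1.50.99"),
        "arp_from_lease_holder": sw.arp("E1/5", 100, "192.1.50.20", pc),
        "arp_claiming_others_ip": sw.arp("E1/6", 100, "192.1.50.20", other),
        "arp_from_static_server": sw.arp("E1/3", 100, "192.1.50.7", "0001.1010.1020"),
        "ip_with_borrowed_source": sw.ip_packet("E1/6", 100, "192.1.50.7", other),
        "ip_from_static_server": sw.ip_packet("E1/3", 100, "192.1.50.7", "0001.1010.1020"),
        "bindings": sorted((b.ip, b.port) for b in sw.bindings.values()),
    }


if __name__ == "__main__":
    for name, verdict in run_vlan100_scenario().items():
        print(f"{name:26} {verdict}")
```

The statically addressed server on E 1/3 passes both checks only because of the manual binding from Task 1; without it, a host that never used DHCP has no entry and its ARP and IP traffic would be dropped.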

Lab 9 – Configuring Storm Control
(Builds on Lab 8)

Task 1

Configure N5K-2 port E 1/14 such that broadcast and multicast traffic do not
use more than 50% of the Interface bandwidth.

N5K-2

Interface E 1/14
Storm-control broadcast level 50.00
Storm-control multicast level 50.00

Lab 10 – Configuring IP ACLs
(Builds on Lab 9)

Task 1

Configure an ACL to only allow Telnet & SSH traffic coming into port E 4/23 on
N7K-1

N7K-1

Ip access-list CONTROL
Permit tcp any any eq 23
Permit tcp any any eq 22
!
Interface E 4/23
Ip access-group CONTROL in

Lab 11 – Configuring MAC ACLs
(Builds on Lab 10)

Task 1
There is a MAC Address 0001.0012.2222 trying to attack VLAN 100 by sending
a broadcast storm. You have traced this packet to port E 1/6 on N5K-2. Block
this MAC address on E 1/6 on N5K-2. Do not use Storm control or VACL to
accomplish this task.

N5K-2

mac access-list MAC-BLOCK-STORM
deny host 0001.0012.2222 any
permit any any
!
Interface E 1/6
Mac access-group MAC-BLOCK-STORM in

Lab 12 – Configuring VLAN ACLs (VACL)
(Builds on Lab 11)

Task 1
You have been requested to implement the following policy on N7K-1:

• Deny IGMP in VLAN 10
• Deny TFTP in VLAN 20
• There is a MAC address 0001.0012.2222 trying to attack VLAN 10. Block
this MAC address from accessing any device in VLAN 10.

N7K-1

Ip Access-list VACL-10
permit igmp any any
!
Ip Access-list VACL-20
permit udp any any eq 69
!
Mac access-list MAC-VACL-10
Permit host 0001.0012.2222 any
!
Ip access-list IP-PERMIT
Permit ip any any
!
Vlan access-map VLAN10 10
Match ip addr VACL-10
Action drop
Vlan access-map VLAN10 20
Match mac addr MAC-VACL-10
Action drop
Vlan access-map VLAN10 100
Match ip address IP-PERMIT
Action forward
!
Vlan access-map VLAN20 10
Match ip addr VACL-20
Action drop
Vlan access-map VLAN20 100
Match ip address IP-PERMIT

Action forward
!
Vlan filter VLAN10 vlan-list 10
Vlan filter VLAN20 vlan-list 20

Lab 13 – Configuring SPAN & ERSPAN
(Builds on Lab 12)

Task 1
There is a protocol analyzer connected to N7K-1 port E 4/5. You received a
request to monitor and analyze all packets for VLAN's 10 & 20 on N7K-1.
Configure N7K-1 to send all traffic from VLANs 10 & 20 to Port E 4/5.

N7K-1

Interface E 4/5
Switchport
Switchport monitor
No shut
!
Monitor session 1
Source vlan 10 rx
Source vlan 20 rx
Destination Interface E 4/5
No shut

Task 2
There is a protocol analyzer connected to N5K-2 port E 1/5. You received a
request to monitor and analyze all packets for VLAN 10 on N7K-1. Configure
N7K-1 to send all traffic from VLAN 10 to Port E 1/5 on N5K-2. The
communication between the 2 sessions should be IP based.

N7K-1

monitor session 1 type erspan-source rx


source vlan 10 rx
destination ip 10.1.20.12
erspan-id 100
vrf default
no shut
N5K-2

interface E 1/5
switchport
switchport monitor
no shut
!

monitor session 2 type erspan-destination
source ip 10.1.20.1
destination interface E 1/5
erspan-id 100
vrf default
no shut

Lab 14 – Private VLANs
(Builds on Lab 13)

Task 1
Configure VLANs on N5K-1 based on the following:

• Vlan 100 : Private-Vlan Primary
• Vlan 110 : Private-Vlan Community
• Vlan 120 : Private-Vlan Isolated

N5K-1

Vlan 100
Private-vlan primary
!
Vlan 110
Private-vlan community
!
Vlan 120
Private-vlan isolated

Task 2
Configure VLAN 100 to be the primary VLAN for VLANs 110 & 120.

N5K-1

Vlan 100
Private-vlan association add 110,120

Task 3
Configure N5K-1 such that the following is accomplished:

• PC1, connected to E 1/5, should be able to communicate to all other
devices.
• PC2 and PC3, connected to E 1/6 & 7 respectively, should be able to
communicate to each other and PC1 but should not have access to PC4
or PC5.
• PC4 and PC5, connected to E 1/8 & 9 respectively, should only be able
to communicate to PC1. They should not be able to communicate to each
other or PC2 or PC3.

N5K-1

Interface E 1/5
Switchport mode private-vlan promiscuous
Switchport private-vlan mapping 100 add 110 , 120
!
Interface E 1/6-7
Switchport
Switchport mode private-vlan host
Switchport private-vlan host-assoc 100 110
!
Interface E 1/8-9
switchport
Switchport mode private-vlan host
Switchport private-vlan host-assoc 100 120

Lab 15 – Remote Management
(Builds on Lab 14)

Task 1
Configure N7K-1 for Remote Management using Telnet. Configure a local
username admin with a password of admin. Telnet should use the local
database for authentication.

N7K-1

Feature telnet
!
Username admin password admin
!
Line vty 0 4
Login local

Task 2
Configure N5K-1 & N5K-2 for Remote Management using SSH. Configure a
local username admin with a password of admin. SSH should use the local
database for authentication.

N5K-1

Username admin password admin


!
line vty 0 4
Login local
N5K-2

Username admin password admin


!
line vty 0 4
Login local

Module 2 – Configuring Spanning Tree Protocol (STP) on Nexus Switches

Lab 1- Configuring Root Bridges in a
Rapid PVST Network
(Builds on Previous Module)

[Topology diagram: Nexus 7K-1 (E 3/13-14, E 3/23-24), Nexus 5K-1 (E 1/13-14, E 1/10-11), Nexus 5K-2 (E 1/23-24, E 1/10-11)]

Task 1
Although the default STP mode is Rapid PVST, make sure you set all 3
switches to Rapid PVST manually.

N7K-1

Spanning-tree mode rapid-pvst


N5K-1

Spanning-tree mode rapid-pvst


N5K-2

Spanning-tree mode rapid-pvst

Task 2
Configure N7K-1 as the root bridge for VLANs 1 - 20. Configure N5K-1 as the
secondary for VLANs 1-10 and N5K-2 as the secondary for VLANs 11-20.

N7K-1

Spanning-tree vlan 1-20 root primary

Or

Spanning-tree vlan 1-20 priority 0


N5K-1

Spanning-tree vlan 1-10 root secondary

Or

Spanning-tree vlan 1-10 priority 4096


N5K-2

Spanning-tree vlan 11-20 root secondary

Or

Spanning-tree vlan 11-20 priority 4096

Task 3
Verify STP information for VLAN 10 & 20 by using the show spanning-tree
vlan XX commands on all 3 switches.

N7K-1

Show spanning-tree vlan 10

Note: Check the Root ID and make sure N7K-1 is the root bridge for all VLANs.

N5K-1

Show spanning-tree vlan 10

Note: Check the Root ID and make sure N7K-1 is the root bridge for all VLANs.

N5K-2

Show spanning-tree vlan 10

Note: Check the Root ID and make sure N7K-1 is the root bridge for all VLANs.

Lab 2 – Tuning STP Startup Times
(Builds on Lab 1)

Task 1
Create a VLAN 5 on N7K-1 & N5K-1. Assign port E 4/25 – E 4/26 on N7K-1 to
VLAN 5. Assign port E 1/25 – E 1/27 on N5K-1 to VLAN 5.

N7K-1

VLAN 5
!
Interface E 4/25 - 26
switchport
Switchport mode access
Switchport access vlan 5
N5K-1

VLAN 5
!
Interface E 1/25 - 27
switchport
Switchport mode access
Switchport access vlan 5

Task 2
Users in VLAN 5 are complaining about the time it usually takes for an
interface to come up after they have plugged in the network cable. Configure
the TOTAL link startup delay until the port becomes forwarding to 16 seconds.
Configure N7K-1 to accomplish this without jumping any state.

N7K-1

Spanning-tree vlan 5 forward-time 8

Task 3
Verify that the Timers have changed for VLAN 5 by using the show spanning-tree
vlan 5 command on N7K-1 & N5K-1 Nexus switches.

N7K-1

show spanning-tree vlan 5

Explanation:

Forwarding delay is the time spent by a port in the learning and listening
states.

By default it has a value of 15 seconds, so a normal port without portfast
enabled on it usually takes 50 seconds to start forwarding packets, because it
goes through learning (15 seconds) plus listening (15 seconds) and maximum
age time (which is 20 seconds by default). When the forwarding delay is changed
to 8, the first time a desktop is plugged into a port in a switch it would take
8 + 8 + 20 (if it’s using the default value), so it would take 36 seconds
instead of 50 seconds in that case.

Lab 3 – Configuring Edge Ports
(Builds on Lab 2)

Task 1
Configure the port range from E 1/25 – 26 on N5K-1 in a way that, the link will
come up as soon as someone plugs in a network cable into these ports
bypassing STP learning/listening states.

N5K-1

Interface E 1/25-26
Spanning-tree port type edge

Task 2
Verifying the setting by using the show spanning-tree interface E 1/XX

N5K-1

show spanning-tree interface E 1/XX

Lab 4 - Configuring BPDU Guard & BPDU
Filter

(Builds on Lab 3)

Task 1
The IT department just found out that someone in the lobby area plugged
a switch into port E 1/25 on N5K-1. Configure a command on the
appropriate ports on N5K-1 such that if someone connects a hub or a switch to
any of the 2 edge ports configured in the previous lab, the port will be disabled.
Also make sure that after 4 minutes the disabled port comes up automatically.

N5K-1

Interface E 1/25 - 26
Spanning-tree bpduguard enable
!
Errdisable recovery cause bpduguard
Errdisable recovery interval 240

Task 2
Verify the errdisable recovery feature by using the show errdisable recovery
command.

N5K-1

show errdisable recovery

Task 3
Configure N5K-1 port E1/27 such that this port won’t send or receive any
BPDU packets.

N5K-1

Interface E 1/27
Spanning-tree bpdufilter enable

Lab 5 – Configuring Root Guard

(Builds on Lab 4)

Task 1
N5K-2 will be connected to N2K-2 in the future on Ports E 1/1 & 2. Make sure
that you prevent a superior BPDU from being processed on these ports.

N5K-2

Interface E 1/1-2
Spanning-tree guard root

Lab 6 – Configuring Loop Guard / UDLD

(Builds on Lab 5)

Task 1
Protect the Port Channel between N5K-1 & N5K-2 from unidirectional link
failures without using the UDLD feature.

N5K-1

Interface Port-channel 12
Spanning-tree guard loop

Task 2
Protect the Trunk links between N7K-1 & N5K-2 from unidirectional link
failures using the UDLD Aggressive feature.

N7K-1

Interface E 3/23-24
udld aggressive
N5K-2

Interface E 1/23-24
udld aggressive

Lab 7 – Configuring Bridge Assurance on
Network Port Types
(Builds on Lab 6)

Task 1
Configure the Trunk links between N7K-1 and N5K-1 such that they maintain
a bidirectional Keepalive using BPDU.

N7K-1

Spanning-tree bridge assurance


!
Interface E 3/13-14
Spanning-tree port type network
N5K-1

Spanning-tree bridge assurance


!
Interface E 1/13-14
Spanning-tree port type network

Note: The Bridge Assurance feature is also an automatic pruning feature. If a
particular VLAN does not have ports on the switch, the Bridge Assurance
feature puts the VLAN into a blocking state. If the VLAN is defined, Bridge
Assurance can detect the presence of BPDUs and allow it to move into the
forwarding state.

Lab 8 – Configuring Port Profiles
(Builds on Lab 7)

Task 1
Ports E 1/25 -27 need to be assigned to VLAN 15 on N5K-2. The Ports need to
have BPDUGuard & BPDUFilter features enabled. Make sure they skip the STP
Listening & Learning States. Use Port Profiles to accomplish this task.

N5K-2

VLAN 15
!
Port-profile VLAN15
Switchport
Switchport mode access
Switchport access vlan 15
Spanning-tree port type edge
Spanning-tree bpdufilter enable
Spanning-tree bpduguard enable
No shutdown
State enabled
!
Interface E 1/25 -27
Inherit port-profile VLAN15
Exit

Lab 9 – Configuring MSTP

(Builds on Lab 8)

Task 1
Re-Configure all three Nexus switches to run STP in MST Mode.

N7K-1

Spanning-tree mode mst

N5K-1

Spanning-tree mode mst

N5K-2

Spanning-tree mode mst

Task 2
Configure MST based on the following requirements:

• There should be two instances of STP, instance 1 and 2
• Instance 1 should handle VLANs 1 thru 10
• Instance 2 should handle VLAN 11 thru 20
• N7K-1 should be the root bridge for both instances.
• N5K-1 should be the secondary root bridge Instance 1.
• N5K-2 should be the secondary root bridge Instance 2.
• MST configuration should use the following:
   o Name : KB-NEXUS
   o Revision : 10

N7K-1

Spanning-tree mode mst
!
Spanning-tree mst configuration
Revision 10
Name KB-NEXUS
Instance 1 vlan 1-10
Instance 2 vlan 11-20
!
Spanning-tree mst 1 priority 0
Spanning-tree mst 2 priority 0

N5K-1

Spanning-tree mode mst
!
Spanning-tree mst configuration
Revision 10
Name KB-NEXUS
Instance 1 vlan 1-10
Instance 2 vlan 11-20
!
Spanning-tree mst 1 priority 4096

N5K-2

Spanning-tree mode mst
!
Spanning-tree mst configuration
Revision 10
Name KB-NEXUS
Instance 1 vlan 1-10
Instance 2 vlan 11-20
!
Spanning-tree mst 2 priority 4096

Module 3 – Configuring Virtual Device Context (VDC) & Virtual Port Channels (VPC)

Lab 1- Configuring Virtual Device
Contexts (VDC)

[Topology diagram: Nexus 7K-1 (E 4/12, E 4/3), Nexus 7K-2 (E 4/20, E 3/1-2, E 4/21), Nexus 7K-3 (E 4/15, E 3/1-2, E 4/16)]

Task 1
Connect to 7K1. Configure the admin username with a password of Cciedc01.
Configure it with a hostname of 7K1.

N7K-1

Configure the password on the setup wizard as : Cciedc01


!
!
Hostname 7K1

Task 2
Configure 2 VDCs on 7K1 using the following information:

• VDC 2: Name : 7K2 ID: 2
   o Interfaces : E 3/1-2, E 3/21-24, E 4/20-21, E 4/24
• VDC 3: Name : 7K3 ID: 3
   o Interfaces : E 3/17-18, E 3/29-30, E 4/15-16

N7K-1

vdc 7K2 id 2
allocate interface E 3/1-2, E 3/21-24
allocate interface E 4/20-21, E 4/24
!
vdc 7K3 id 3
allocate interface E 3/17-18, E 3/29-32
allocate interface E 4/15-16

Note : When you allocate interfaces to VDCs, they are allocated based on Port-
groups. Press Yes when prompted to allocate all members of the port-group.

Task 3
Verify the Creation of the VDCs by using the sh run vdc and sh vdc
membership commands.

N7K-1

Show run VDC


(Displays the configuration commands for the VDCs)
!
Show VDC membership
(Displays the ports that are members of the VDCs, including the ones that were
not specified by you in the command)

Task 4
Configure alias for switching to VDC 7K2 and VDC 7K3 from the default VDC
as VDC2 & VDC3 respectively.

N7K-1

cli alias name VDC2 switchto vdc 7K2


cli alias name VDC3 switchto vdc 7K3

Task 5
Switch to 7K2 using the appropriate alias you created. Configure the password
for the admin account as Cciedc01. Configure an alias for the Switchback
command as SB. Switch back to the default VDC. Use the alias that you created
to switch back.

N7K-1

VDC2
N7K-2

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 6
Switch to 7K3 using the appropriate alias you created. Configure the password
for the admin account as Cciedc01. Configure an alias for the Switchback
command as SB. Switch back to the default VDC. Use the alias that you created
to switch back.

N7K-1

VDC3
N7K-3

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 7
Configure the prompt to only display the current VDC.

N7K-1

no vdc combined-hostname

Lab 2 – Configuring Virtual Port Channels
(VPC) on a Nexus 7K
(Builds on Lab 1)

[Topology diagram: Nexus 7K-1 (E 4/12, E 4/3), VPC 23, Nexus 7K-2 (E 4/20, E 3/1-2, E 4/21), Nexus 7K-3 (E 4/15, E 3/1-2, E 4/16)]

Task 1
We will be configuring a vPC from 7K2 & 7K3 to 7K1 based on the above diagram.
Enable the vPC & LACP features on 7K2 & 7K3.

N7K-2

Feature vpc
Feature lacp
N7K-3

Feature vpc
Feature lacp

Task 2
Configure the parameters for the vPC Peer keepalive link based on the
following:

• 7K2
   o VRF Name: PKL-23
   o Interface: 4/21
   o IP Address: 10.1.23.2/24
• 7K3
   o VRF Name: PKL-23
   o Interface: 4/16
   o IP Address: 10.1.23.3/24

N7K-2

vrf context PKL-23


!
interface E 4/21
vrf member PKL-23
ip address 10.1.23.2/24
no shut
N7K-3

vrf context PKL-23


!
interface E 4/16
vrf member PKL-23
ip address 10.1.23.3/24
no shut

Task 3
Configure a vPC Domain between 7K2 & 7K3. Use 23 as the Domain ID. Use
the Interfaces and VRFs from the previous step to configure the vPC Peer
Keepalive link. Make 7K3 as the Primary vPC device.

N7K-2

vpc domain 23
peer-keepalive destination 10.1.23.3 source 10.1.23.2 vrf PKL-23
N7K-3

vpc domain 23
role priority 300
peer-keepalive destination 10.1.23.2 source 10.1.23.3 vrf PKL-23

Task 4
Configure the Port-channel port type as Network. This will enable the Bridge
Assurance Fault tolerance feature. Use this port channel as the vPC Peer Link.
Use the following parameters:

• 7K2
   o Port-Channel #: 23
   o Interfaces: 3/1-2
   o Port Type: Network
• 7K3
   o Port-Channel #: 23
   o Interface: 3/17-18
   o Port Type: Network

N7K-2

int e 3/1-2
channel-group 23 mode active
no shut
!
int port-channel 23
spanning-tree port type network
switch mode trunk
vpc peer-link
N7K-3

int e 3/17-18
channel-group 23 mode active
no shut
!
int port-channel 23
switch mode trunk
spanning-tree port type network
vpc peer-link

Task 5
Verify the status of the vPC Port Channel. Also, make sure the vPC Peer
keepalive link is up. Use the Show VPC command to verify it.

N7K-2

Show VPC

vPC domain id : 23
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.

.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po23 up 1
N7K-3

Show VPC

vPC domain id : 23
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.
.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po23 up 1

Task 6
Configure a vPC from 7K2 & 7K3 towards 7K1. Configure it as a L2 Trunk Port
Channel. Use 12 as the Port-channel ID. Use E 4/20 on 7K2 & E 4/15 on 7K3
as the vPC member ports.

N7K-2

int E 4/20
switchport
channel-group 12 mode active
no shut
!
int port-channel 12
switchport mode trunk
vpc 23

N7K-3

int E 4/15
switchport
channel-group 12 mode active
no shut
!
int port-channel 12
switchport mode trunk
vpc 23

Task 7
Enable the LACP feature on 7K1. Configure a normal Port-Channel on 7K1.
Configure it as a L2 Trunk Port Channel. Use 23 as the Port-channel ID. Use E
4/3 & E 4/12 on 7K1 as the member ports.

N7K-1

feature lacp
!
int E 4/3 , E 4/12
switchport
channel-group 23 mode active
no shut
!
int port-channel 23
switchport mode trunk

Task 8
Verify the status of the Port Channel on 7K1. Use the normal Show port-channel
summary command to verify it.

show port-channel summary

P - Up in Port-channel (member)
S - Switched
U - Up (Port-Channel)
.
.
.
Group Port- Type Protocol Member Ports
Channel
23 Po23(SU) Eth LACP Eth4/3(P) Eth4/12(P)

Module 4 – Configuring Nexus as Layer 3 Routing Device

Lab 1- Configuring Base Topology for
Routing Protocols
Physical /L2 Topology (diagram; labels as extracted): Nexus 7K - 1, Nexus 7K-1; E 4/12, E 4/20; E 3/13; E 1/13; VLAN 30; E 1/10, E 1/10; Nexus 5K - 2, Nexus 5K - 1

Task 1
Connect to 7K1. Configure the admin username with a password of Cciedc01.
Install the Grace Period License. Configure it with a hostname of R1.

7K-1

Configure the password on the setup wizard as : Cciedc01


!
license grace-period
!
Hostname R1

Task 2
Configure a VDC on 7K1 using the following information:

• VDC 2: Name : R2 ID: 2


• Interfaces : E 3/13, E 4/20

7K-1

vdc R2 id 2
limit-resource module-type f1 m1
allocate interface E 3/13 , E 4/20

Note : When you allocate interfaces to VDCs, they are allocated based on Port-groups.
Press Yes when prompted to allocate all members of the port-group.

Task 3
Verify the Creation of the VDC by using the sh run vdc and sh vdc membership
commands.

7K-1

Show run VDC


(Displays the configuration commands for the VDCs)
!
vdc R1 id 1
.
allocate interface Ethernet4/1-19,Ethernet4/21-48
!
vdc R2 id 2
.
allocate interface Ethernet3/21-22
allocate interface Ethernet4/20

Show VDC membership


(Displays the ports that are members of the VDCs, including the ones that were
not specified by you in the command)

Task 4
Configure an alias named R2 for switching to VDC R2 from the default VDC.

7K-1

cli alias name R2 switchto vdc R2

Task 5
Switch to R2 using the appropriate alias you created. Configure the password
for the admin account as Cciedc01. Configure an alias for the Switchback
command as SB. Switchback to the default VDC. Use the alias that you created
to switchback.

7K-1

R2
7K-2

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 6
Configure the password for the admin account as Cciedc01 on 5K1 & 5K2.
Configure the Hostname of 5K1 as R3 & 5K2 as R4.

5K1

Configure the password on the setup wizard as : Cciedc01


!
Hostname R3
5K2

Configure the password on the setup wizard as : Cciedc01


!
Hostname R4

Task 7
Configure the prompt to only display the current VDC.

7K-1

no vdc combined-hostname

Logical Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 VLAN 20 -- 192.1.23.0/24 -- VLAN 20 R3; R3 VLAN30 -- 192.1.34.0/24 -- VLAN30 R4

Task 8
Configure VLANs and assign ports to them to create the logical topology based
on the Logical Topology Diagram. Use the following to accomplish this task:

• 7K2(R2):
• VLAN 20 : Interface : E 3/13
• 5K1(R3):
• VLAN 20 : Interface : E 3/13
• VLAN 30 : Interface : E 1/10
• 5K2(R4):
• VLAN 30 : Interface : E 1/10

7K2 (R2)

Vlan 20
!
Interface E 3/13
Switchport mode access
Switchport access vlan 20
No shut
5K1 (R3)

Vlan 20
Vlan 30
!
Interface E 3/13
Switchport mode access
Switchport access vlan 20
No shut
!
Interface E 1/10
Switchport mode access
Switchport access vlan 30
No shut
5K2 (R4)

Vlan 30
!
Interface E 1/10
Switchport mode access
Switchport access vlan 30
No shut

Task 9
Configure a VRF that will be used for L3 Forwarding. Name the VRF as DATA.
Assign the Interfaces to the DATA VRF and configure IP addresses on them
based on the following:
• 7K1(R1):
• VRF : DATA Interface : E 4/12 IP Address : 192.1.12.1/24
• VRF : DATA Interface : Loop 0 IP Address : 1.1.1.1/8
• 7K2(R2):
• VRF : DATA Interface : E 4/20 IP Address : 192.1.12.2/24
• VRF : DATA Interface : VLAN20 IP Address : 192.1.23.2/24
• VRF : DATA Interface : Loop 0 IP Address : 2.2.2.2/8
• 5K1(R3):
• VRF : DATA Interface : VLAN20 IP Address : 192.1.23.3/24
• VRF : DATA Interface : VLAN30 IP Address : 192.1.34.3/24
• VRF : DATA Interface : Loop 0 IP Address : 3.3.3.3/8
• 5K2(R4):
• VRF : DATA Interface : VLAN30 IP Address : 192.1.34.4/24
• VRF : DATA Interface : Loop 0 IP Address : 4.4.4.4/8

7K1 (R1)

VRF Context DATA


!

Interface E 4/12
Vrf member DATA
IP address 192.1.12.1 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 1.1.1.1 255.0.0.0
7K2 (R2)

Feature interface-vlan
!
VRF Context DATA
!
Interface E 4/20
Vrf member DATA
IP address 192.1.12.2 255.255.255.0
No shut
!
Interface VLAN 20
Vrf member DATA
Ip address 192.1.23.2 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 2.2.2.2 255.0.0.0
5K1(R3)

Feature interface-vlan
!
VRF Context DATA
!
Interface VLAN20
Vrf member DATA
IP address 192.1.23.3 255.255.255.0
No shut
!
Interface VLAN 30
Vrf member DATA
IP address 192.1.34.3 255.255.255.0
No shut
!
Interface loopback 0

Vrf member DATA
Ip address 3.3.3.3 255.0.0.0
5K2(R4)

Feature interface-vlan
!
VRF Context DATA
!
Interface VLAN 30
Vrf member DATA
IP address 192.1.34.4 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 4.4.4.4 255.0.0.0

Task 10
Verify IP Connectivity by pinging directly connected interfaces.

7K1(R1)

Ping 192.1.12.2 vrf DATA


7K2(R2)

Ping 192.1.12.1 vrf DATA


Ping 192.1.23.3 vrf DATA
5K1(R3)

Ping 192.1.23.2 vrf DATA


Ping 192.1.34.4 vrf DATA
5K2(R4)

Ping 192.1.34.3 vrf DATA

Note: Save the configurations on all the routers. Don't save during the Labs so
that you can reload the topology between different Routing Protocol sections.

Lab 2 – Configuring Static Routing on
Nexus 5K & 7K
(Builds on Lab 1)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 VLAN20 -- 192.1.23.0/24 -- VLAN20 R3; R3 VLAN30 -- 192.1.34.0/24 -- VLAN30 R4

Task 1
Configure R1 & R4 with default gateways pointing towards R2 & R3
respectively.

7K1(R1)

Vrf context DATA


Ip route 0.0.0.0/0 192.1.12.2
5K2(R4)

Vrf context DATA


Ip route 0.0.0.0/0 192.1.34.3

Task 2
Verify IP Connectivity by pinging 2.2.2.2 network from R1 & 3.3.3.3 from R4.

7K1(R1)

Ping 2.2.2.2 vrf DATA


5K2(R4)

Ping 3.3.3.3 vrf DATA

Task 3
Configure R2 & R3 with static routes to achieve full reachability based on the
following table:

• 7K2(R2):
• VRF : DATA Network : 1.0.0.0/8 Next-Hop : 192.1.12.1
• VRF : DATA Network : 3.0.0.0/8 Next-Hop : 192.1.23.3
• VRF : DATA Network : 4.0.0.0/8 Next-Hop : 192.1.23.3
• VRF : DATA Network : 192.1.34.0/24 Next-Hop : 192.1.23.3
• 5K1(R3):
• VRF : DATA Network : 1.0.0.0/8 Next-Hop : 192.1.23.2
• VRF : DATA Network : 2.0.0.0/8 Next-Hop : 192.1.23.2
• VRF : DATA Network : 4.0.0.0/8 Next-Hop : 192.1.34.4
• VRF : DATA Network : 192.1.12.0/24 Next-Hop : 192.1.23.2

7K2(R2)

Vrf context DATA


Ip route 1.0.0.0/8 192.1.12.1
Ip route 3.0.0.0/8 192.1.23.3
Ip route 4.0.0.0/8 192.1.23.3
Ip route 192.1.34.0/24 192.1.23.3
5K1(R3)

Vrf context DATA


Ip route 1.0.0.0/8 192.1.23.2
Ip route 2.0.0.0/8 192.1.23.2
Ip route 4.0.0.0/8 192.1.34.4
Ip route 192.1.12.0/24 192.1.23.2

Task 4
Verify IP Connectivity by pinging 1.1.1.1 network from R4 & 4.4.4.4 from R1.

7K1(R1)

Ping 4.4.4.4 vrf DATA


5K2(R4)

Ping 1.1.1.1 vrf DATA

Lab 3 – Configuring EIGRP on Nexus 5K
& 7K - Basic
Physical /L2 Topology (diagram; labels as extracted): Nexus 7K - 1, Nexus 7K-1; E 4/12, E 4/20; E 4/43; E 4/44; VLAN 30; E 3/4, E 3/2; Nexus 7K-1, Nexus 7K-1

Task 1
Connect to 7K1. Configure the admin username with a password of Cciedc01.
Install the Grace Period License. Configure it with a hostname of R1.

7K-1

Configure the password on the setup wizard as : Cciedc01


!
license grace-period
!
Hostname R1

Task 2
Configure the following VDCs on the 7K using the following information:

• VDC 2: Name : R2 ID: 2
• Interfaces : E 4/20 , E 4/43
• VDC 3: Name : R3 ID: 3
• Interfaces : E 3/2, E 4/44
• VDC 4: Name : R4 ID: 4
• Interfaces : E 3/4 , E 4/7

7K-1

vdc R2 id 2
allocate interface E 4/20 , E 4/43
!
vdc R3 id 3
allocate interface E 3/2 , E 4/44
!
vdc R4 id 4
allocate interface E 3/4 , E 4/7

Note : When you allocate interfaces to VDCs, they are allocated based on Port-groups.
Press Yes when prompted to allocate all members of the port-group.

Task 3
Verify the Creation of the VDC by using the sh run vdc and sh vdc membership
commands.

7K-1

Show run VDC


(Displays the configuration commands for the VDCs)

Show VDC membership


(Displays the ports that are members of the VDCs, including the ones that were
not specified by you in the command)

Task 4
Configure aliases for switching to VDC R2, R3 & R4 from the default VDC as
R2, R3 & R4 respectively.

7K-1

cli alias name R2 switchto vdc R2


cli alias name R3 switchto vdc R3
cli alias name R4 switchto vdc R4

Task 5
Switch to R2, R3 & R4 using the appropriate aliases you created. Configure the
password for the admin account as Cciedc01. Configure an alias for the
Switchback command as SB. Switchback to the default VDC. Use the alias
that you created to switchback.

7K-1

R2
7K-2

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB
7K-3

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB
7K-4

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 6
Configure the prompt to only display the current VDC.

7K-1

no vdc combined-hostname

Logical Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 -- E 4/44 R3; R3 VLAN 30 -- 192.1.34.0/24 -- VLAN 30 R4

Task 7
Configure VLANs and assign ports to them to create the logical topology based
on the Logical Topology Diagram. Use the following to accomplish this task:

• 7K3(R3):
• VLAN 30 : Interface : E 3/2
• 7K4(R4):
• VLAN 30 : Interface : E 3/4

7K3 (R3)

Vlan 30
!
Interface E 3/2
Switchport mode access
Switchport access vlan 30
No shut
7K4 (R4)

Vlan 30
!
Interface E 3/4
Switchport mode access

Switchport access vlan 30
No shut

Task 8
Configure a VRF that will be used for L3 Forwarding. Name the VRF as DATA.
Assign the Interfaces to the DATA VRF and configure IP addresses on them
based on the following:
• R1:
• VRF : DATA Interface : E 4/12 IP Address : 192.1.12.1/24
• VRF : DATA Interface : Loop 0 IP Address : 1.1.1.1/8
• R2:
• VRF : DATA Interface : E 4/20 IP Address : 192.1.12.2/24
• VRF : DATA Interface : E 4/43 IP Address : 192.1.23.2/24
• VRF : DATA Interface : Loop 0 IP Address : 2.2.2.2/8
• R3:
• VRF : DATA Interface : E 4/44 IP Address : 192.1.23.3/24
• VRF : DATA Interface : VLAN30 IP Address : 192.1.34.3/24
• VRF : DATA Interface : Loop 0 IP Address : 3.3.3.3/8
• R4:
• VRF : DATA Interface : VLAN30 IP Address : 192.1.34.4/24
• VRF : DATA Interface : Loop 0 IP Address : 4.4.4.4/8

R1

VRF Context DATA


!
Interface E 4/12
Vrf member DATA
IP address 192.1.12.1 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 1.1.1.1 255.0.0.0
R2

VRF Context DATA


!
Interface E 4/20
Vrf member DATA
IP address 192.1.12.2 255.255.255.0
No shut
!
Interface E 4/43

Vrf member DATA
Ip address 192.1.23.2 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 2.2.2.2 255.0.0.0
R3

Feature interface-vlan
!
VRF Context DATA
!
Interface E 4/44
Vrf member DATA
IP address 192.1.23.3 255.255.255.0
No shut
!
Interface VLAN 30
Vrf member DATA
IP address 192.1.34.3 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 3.3.3.3 255.0.0.0
R4

Feature interface-vlan
!
VRF Context DATA
!
Interface VLAN 30
Vrf member DATA
IP address 192.1.34.4 255.255.255.0
No shut
!
Interface loopback 0
Vrf member DATA
Ip address 4.4.4.4 255.0.0.0

Task 9
Verify IP Connectivity by pinging directly connected interfaces.

R1

Ping 192.1.12.2 vrf DATA


R2

Ping 192.1.12.1 vrf DATA


Ping 192.1.23.3 vrf DATA
R3

Ping 192.1.23.2 vrf DATA


Ping 192.1.34.4 vrf DATA
R4

Ping 192.1.34.3 vrf DATA

Note: Save the configurations on all the routers. Don't save during the Labs so
that you can reload the topology between different Routing Protocol sections.

Task 10
Enable the EIGRP feature on all 4 Devices.

R1

Feature eigrp
R2

Feature eigrp
R3

Feature eigrp
R4

Feature eigrp

Task 11
Configure EIGRP on R1, R2, R3 & R4 in AS 100. Enable the Loopbacks under
EIGRP 100. Use NEXUS as the Instance Name. Set the EIGRP Router ID based
on XX.XX.XX.XX, where X is the Router #.

R1

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA

autonomous-system 100
router-id 11.11.11.11
!
Interface E 4/12
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R2

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
router-id 22.22.22.22
!
Interface E 4/20
Ip router eigrp NEXUS
!
Interface E 4/43
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R3

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
router-id 33.33.33.33
!
Interface E 4/44
Ip router eigrp NEXUS
!
Interface VLAN 30
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R4

Router EIGRP NEXUS


address-family ipv4 unicast

vrf DATA
autonomous-system 100
router-id 44.44.44.44
!
Interface VLAN 30
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS

Task 12
Verify IP Connectivity by pinging 4.4.4.4 network from R1 & 1.1.1.1 from R4.

R1

Show ip route vrf DATA


!
Ping 4.4.4.4 vrf DATA
R4

Show ip route vrf DATA


!
Ping 1.1.1.1 vrf DATA

Task 13
Configure EIGRP Authentication between R2 - R4. R1 - R2 should not be
authenticated. Use a Key of Cciedc01 with a Key ID of 12353.

R2

Key Chain NEXUS


Key 12353
Key-string Cciedc01
!
Interface E 4/43
Ip authentication mode eigrp NEXUS MD5
Ip authentication key-chain eigrp NEXUS NEXUS
R3

Key Chain NEXUS


Key 12353
Key-string Cciedc01
!
Router EIGRP NEXUS

Address-family ipv4 unicast
Vrf DATA
Authentication mode MD5
Authentication key-chain NEXUS
R4

Key Chain NEXUS


Key 12353
Key-string Cciedc01
!
Router EIGRP NEXUS
Address-family ipv4 unicast
Vrf DATA
Authentication mode MD5
Authentication key-chain NEXUS

Task 14
Verify EIGRP Authentication.

RX

Show ip eigrp NEXUS vrf DATA


!
IP-EIGRP AS 100 ID 44.44.44.44 VRF DATA
Process-tag: NEXUS
Instance Number: 1
Status: running
Authentication mode: md5
Authentication key-chain: NEXUS
Metric weights: K1=1 K2=0 K3=1 K4=0 K5=0
IP proto: 88 Multicast group: 224.0.0.10
Int distance: 90 Ext distance: 170
Max paths: 8
Number of EIGRP interfaces: 2 (1 loopbacks)
Number of EIGRP passive interfaces: 0
Number of EIGRP peers: 1
Graceful-Restart: Enabled
Stub-Routing: Disabled
NSF converge time limit/expiries: 120/0
NSF route-hold time limit/expiries: 240/0
NSF signal time limit/expiries: 20/0
Redistributed max-prefix: Disabled

Task 15

Make sure the Routers don't send EIGRP updates on the Loopback Interfaces.

R1

Interface Loopback0
Ip passive-interface eigrp NEXUS
R2

Interface Loopback0
Ip passive-interface eigrp NEXUS
R3

Interface Loopback0
Ip passive-interface eigrp NEXUS
R4

Interface Loopback0
Ip passive-interface eigrp NEXUS

Task 16
Verify that Passive Interfaces have been set.

RX

Show ip eigrp NEXUS vrf DATA


!
IP-EIGRP AS 100 ID 44.44.44.44 VRF DATA
Process-tag: NEXUS
Instance Number: 1
Status: running
Authentication mode: md5
Authentication key-chain: NEXUS
Metric weights: K1=1 K2=0 K3=1 K4=0 K5=0
IP proto: 88 Multicast group: 224.0.0.10
Int distance: 90 Ext distance: 170
Max paths: 8
Number of EIGRP interfaces: 2 (1 loopbacks)
Number of EIGRP passive interfaces: 1
Number of EIGRP peers: 1
Graceful-Restart: Enabled
Stub-Routing: Disabled
NSF converge time limit/expiries: 120/0
NSF route-hold time limit/expiries: 240/0
NSF signal time limit/expiries: 20/0

Redistributed max-prefix: Disabled

Lab 4 – Configuring EIGRP on Nexus 5K
& 7K - Advanced
(Builds on Lab 3)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 -- E 4/44 R3; R3 VLAN 30 -- 192.1.34.0/24 -- VLAN 30 R4

Task 1
Configure Loopback Interfaces on R1 based on the Table. Enable them under
EIGRP.

• 7K1(R1):
• VRF : DATA Loopback 201: 201.1.4.0/24
• VRF : DATA Loopback 202: 201.1.5.0/24
• VRF : DATA Loopback 203: 201.1.6.0/24
• VRF : DATA Loopback 204: 201.1.7.0/24

R1

Interface Loopback 201


Vrf member DATA
Ip address 201.1.4.1 255.255.255.0
Ip router eigrp NEXUS
!
Interface Loopback 202
Vrf member DATA

Ip address 201.1.5.1 255.255.255.0
Ip router eigrp NEXUS
!
Interface Loopback 203
Vrf member DATA
Ip address 201.1.6.1 255.255.255.0
Ip router eigrp NEXUS
!
Interface Loopback 204
Vrf member DATA
Ip address 201.1.7.1 255.255.255.0
Ip router eigrp NEXUS

Task 2
Verify IP Connectivity by pinging 201.1.4.1 network from R4.

R4

Show ip route vrf DATA


!
Ping 201.1.4.1 vrf DATA

Task 3
Summarize the 201.1.X.0 routes on R1 towards R2.

R1

Interface E 4/12
Ip summary-address eigrp NEXUS 201.1.4.0 255.255.252.0

Task 4
Verify that the appropriate route is getting propagated. (Only the 201.1.4.0/22)

RX

Show ip route vrf DATA | include 201.1.

Task 5
Make sure that R2 doesn't send EIGRP Queries towards R1.

R1

Router EIGRP NEXUS


Address-family ipv4 unicast

Vrf DATA
Stub

Task 6
Verify that R1 is a stub router by using the Show ip eigrp neighbor detail
command on R2.

R2

Show ip eigrp neighbor detail vrf DATA

Note: Don't save during the Labs. Reload the routers. It should reload with just
the IP Configuration saved during Lab 3.

Lab 5 – Configuring OSPF on Nexus 5K &
7K - Basic
(Builds on Lab 3)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 -- E 4/44 R3; R3 VLAN 30 -- 192.1.34.0/24 -- VLAN 30 R4

Task 1
Enable the OSPF feature on all 4 Devices.

R1

Feature ospf
R2

Feature ospf
R3

Feature ospf
R4

Feature ospf

Task 2

Configure OSPF on R1, R2, R3 & R4. Enable the Loopbacks under OSPF Area
0. Use 1 as the Instance Name. Set the OSPF Router ID based on
XX.XX.XX.XX, where X is the Router #.

R1

Router OSPF 1
vrf DATA
router-id 11.11.11.11
!
Interface E 4/12
Ip router ospf 1 area 0
!
Interface Loopback 0
Ip router ospf 1 area 0
R2

Router OSPF 1
vrf DATA
router-id 22.22.22.22
!
Interface E 4/20
Ip router ospf 1 area 0
!
Interface E 4/43
Ip router ospf 1 area 0
!
Interface Loopback 0
Ip router ospf 1 area 0
R3

Router OSPF 1
vrf DATA
router-id 33.33.33.33
!
Interface E 4/44
Ip router ospf 1 area 0
!
Interface VLAN 30
Ip router ospf 1 area 0
!
Interface Loopback 0
Ip router ospf 1 area 0
R4

Router OSPF 1
Vrf DATA
Router-id 44.44.44.44
!
Interface VLAN 30
Ip router ospf 1 area 0
!
Interface Loopback 0
Ip router ospf 1 area 0

Task 3
Verify IP Connectivity by pinging 4.4.4.4 network from R1 & 1.1.1.1 from R4.

R1

Show ip route vrf DATA


!
Ping 4.4.4.4 vrf DATA
R4

Show ip route vrf DATA


!
Ping 1.1.1.1 vrf DATA

Task 4
Configure Clear Text OSPF Authentication between R1 & R2. Use a Key of
Cciedc01.

R1

Interface E 4/12
Ip ospf authentication
Ip ospf authentication-key Cciedc01
R2

Interface E 4/20
Ip ospf authentication
Ip ospf authentication-key Cciedc01

Task 5
Configure MD5 OSPF Authentication between R2 - R4. R1 - R2 should not be
authenticated. Use a Key of Cciedc01 with a Key ID of 1.

R2

Interface E 4/43
Ip ospf authentication message-digest
Ip ospf message-digest-key 1 md5 Cciedc01
R3

Interface E 4/44
Ip ospf authentication message-digest
Ip ospf message-digest-key 1 md5 Cciedc01
!
Interface VLAN 30
Ip ospf authentication message-digest
Ip ospf message-digest-key 1 md5 Cciedc01
R4

Interface VLAN 30
Ip ospf authentication message-digest
Ip ospf message-digest-key 1 md5 Cciedc01

Task 5
Verify OSPF Authentication.

R1

Show ip ospf interface E 4/12

Ethernet4/12 is up, line protocol is up


IP address 192.1.12.1/24, Process ID 1 VRF DATA, area 0.0.0.0
Enabled by interface configuration
State BDR, Network type BROADCAST, cost 40
Index 1, Transmit delay 1 sec, Router Priority 1
Designated Router ID: 22.22.22.22, address: 192.1.12.2
Backup Designated Router ID: 11.11.11.11, address: 192.1.12.1
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:06
Simple authentication
Number of opaque link LSAs: 0, checksum sum 0

R2

Show ip ospf interface E 4/20


!
Ethernet4/20 is up, line protocol is up
IP address 192.1.12.2/24, Process ID 1 VRF DATA, area 0.0.0.0
Enabled by interface configuration
State DR, Network type BROADCAST, cost 40
Index 1, Transmit delay 1 sec, Router Priority 1
Designated Router ID: 22.22.22.22, address: 192.1.12.2
Backup Designated Router ID: 11.11.11.11, address: 192.1.12.1
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:05
Simple authentication
Number of opaque link LSAs: 0, checksum sum 0
------
Show ip ospf interface E 4/43
!
Ethernet4/43 is up, line protocol is up
IP address 192.1.23.2/24, Process ID 1 VRF DATA, area 0.0.0.0
Enabled by interface configuration
State BDR, Network type BROADCAST, cost 40
Index 3, Transmit delay 1 sec, Router Priority 1
Designated Router ID: 33.33.33.33, address: 192.1.23.3
Backup Designated Router ID: 22.22.22.22, address: 192.1.23.2
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:03
Message-digest authentication, using key id 1
Number of opaque link LSAs: 0, checksum sum 0

Task 6
Make sure the Loopback interfaces appear in the remote routing tables with the
appropriate masks.

R1

Interface Loopback0
Ip ospf network point-to-point
R2

Interface Loopback0
Ip ospf network point-to-point

R3

Interface Loopback0
Ip ospf network point-to-point
R4

Interface Loopback0
Ip ospf network point-to-point

Note: Don't save during the Labs. Reload the routers. It should reload with just
the IP Configuration saved during Lab 3.

Lab 6 – Configuring OSPF on Nexus 5K &
7K - Advanced
(Builds on Lab 3)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 (Area 10) -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 (Area 0) -- E 4/44 R3; R3 VLAN30 -- 192.1.34.0/24 (Area 20) -- VLAN30 R4

Task 1
Enable the OSPF feature on all 4 Devices.

R1

Feature ospf
R2

Feature ospf
R3

Feature ospf
R4

Feature ospf

Task 2

Configure OSPF on R1, R2, R3 & R4. Enable the Interfaces in the appropriate
Area based on the following table & figure. Use 1 as the Instance Name. Set the
OSPF Router ID based on XX.XX.XX.XX, where X is the Router #. Advertise the
Loopbacks with the Interface masks.

• OSPF Area 10 : R1 - Loopback 0 , E 4/12, R2 - Loopback 0 , E 4/20


• OSPF Area 0 : R2 - VLAN 20, R3 - VLAN 20
• OSPF Area 20 : R3 - Loopback 0 , VLAN 30, R4 - Loopback 0 , VLAN 30

R1

Router OSPF 1
Vrf DATA
Router-id 11.11.11.11
!
Interface E 4/12
Ip router ospf 1 area 10
!
Interface Loopback 0
Ip router ospf 1 area 10
Ip ospf network point-to-point
R2

Router OSPF 1
Vrf DATA
Router-id 22.22.22.22
!
Interface E 4/20
Ip router ospf 1 area 10
!
Interface E 4/43
Ip router ospf 1 area 0
!
Interface Loopback 0
Ip router ospf 1 area 10
Ip ospf network point-to-point
R3

Router OSPF 1
Vrf DATA
Router-id 33.33.33.33
!
Interface E 4/44
Ip router ospf 1 area 0

!
Interface VLAN 30
Ip router ospf 1 area 20
!
Interface Loopback 0
Ip router ospf 1 area 20
Ip ospf network point-to-point
R4

Router OSPF 1
Vrf DATA
Router-id 44.44.44.44
!
Interface VLAN 30
Ip router ospf 1 area 20
!
Interface Loopback 0
Ip router ospf 1 area 20
Ip ospf network point-to-point

Task 3
Verify IP Connectivity by pinging 4.4.4.4 network from R1 & 1.1.1.1 from R4.

R1

Show ip route vrf DATA


!
Ping 4.4.4.4 vrf DATA
R4

Show ip route vrf DATA


!
Ping 1.1.1.1 vrf DATA

Task 4
Configure Loopback Interfaces on R2 & R4 based on the Table. Redistribute
these routes into OSPF using Redistribute Connected. These routes should
appear in OSPF as external routes.

• 7K2(R2):
• VRF : DATA Loopback 201: 202.1.4.0/24
• VRF : DATA Loopback 202: 202.1.5.0/24
• VRF : DATA Loopback 203: 202.1.6.0/24
• VRF : DATA Loopback 204: 202.1.7.0/24

• 5K2(R4):
• VRF : DATA Loopback 201: 204.1.4.0/24
• VRF : DATA Loopback 202: 204.1.5.0/24
• VRF : DATA Loopback 203: 204.1.6.0/24
• VRF : DATA Loopback 204: 204.1.7.0/24

R2

Interface Loopback 201


Vrf member DATA
Ip address 202.1.4.1 255.255.255.0
!
Interface Loopback 202
Vrf member DATA
Ip address 202.1.5.1 255.255.255.0
!
Interface Loopback 203
Vrf member DATA
Ip address 202.1.6.1 255.255.255.0
!
Interface Loopback 204
Vrf member DATA
Ip address 202.1.7.1 255.255.255.0
!
route-map RC permit 10
match interface loopback201 loopback202 loopback203 loopback204
!
Router ospf 1
Vrf DATA
Redistribute direct route-map RC
R4

Interface Loopback 201


Vrf member DATA
Ip address 204.1.4.1 255.255.255.0
!
Interface Loopback 202
Vrf member DATA
Ip address 204.1.5.1 255.255.255.0
!
Interface Loopback 203
Vrf member DATA
Ip address 204.1.6.1 255.255.255.0
!

Interface Loopback 204
Vrf member DATA
Ip address 204.1.7.1 255.255.255.0
!
route-map RC permit 10
match interface loopback201 loopback202 loopback203 loopback204
!
Router ospf 1
Vrf DATA
Redistribute direct route-map RC

Task 5
Verify IP Connectivity by pinging 204.1.4.1 network from R1 & 202.1.4.1 from
R1.

R1

Show ip route vrf DATA


!
Ping 204.1.4.1 vrf DATA
R4

Show ip route vrf DATA


!
Ping 202.1.4.1 vrf DATA

Task 6
Summarize the 202.1.X.0 and the 204.1.X.0 networks on the appropriate
routers.

R2

Router ospf 1
Vrf DATA
Summary-address 202.1.4.0 255.255.252.0
R4

Router ospf 1
Vrf DATA
Summary-address 204.1.4.0 255.255.252.0
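
Lab 4 Task 3 and Task 6 above both summarize four /24 loopbacks with a 255.255.252.0 mask. The following Python check is an added example, not part of the workbook: it derives the tightest single summary for a set of prefixes and lists any address space the summary would advertise without a component route behind it. The function names and the misaligned prefix set are constructed for illustration.

```python
import ipaddress

# Loopback networks from Lab 4 Task 1 (R1) as given in the workbook.
LAB4_LOOPBACKS = ["201.1.4.0/24", "201.1.5.0/24", "201.1.6.0/24", "201.1.7.0/24"]

# Constructed counter-example: four consecutive /24s that do not start on a
# /22 boundary, so a single summary has to be wider than the routes behind it.
MISALIGNED = ["201.1.3.0/24", "201.1.4.0/24", "201.1.5.0/24", "201.1.6.0/24"]


def tightest_summary(prefixes):
    """Smallest single IPv4 prefix that covers every network in `prefixes`."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit from the first differing bit downwards is a host bit.
    plen = 32 - (lo ^ hi).bit_length()
    shift = 32 - plen
    return ipaddress.ip_network((lo >> shift << shift, plen))


def unowned_space(summary, prefixes):
    """Parts of `summary` (a network object) that no component prefix covers."""
    remaining = [summary]
    for p in map(ipaddress.ip_network, prefixes):
        kept = []
        for r in remaining:
            if r.subnet_of(p):            # fully covered by a component route
                continue
            if p.subnet_of(r):            # carve the component out of r
                kept.extend(r.address_exclude(p))
            else:
                kept.append(r)
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    for label, prefixes in (("lab", LAB4_LOOPBACKS), ("misaligned", MISALIGNED)):
        s = tightest_summary(prefixes)
        gaps = ", ".join(map(str, unowned_space(s, prefixes))) or "none"
        print(f"{label}: summary {s} mask {s.netmask} unowned: {gaps}")
```

A non-empty "unowned" list means the summary attracts traffic for destinations the router has no specific route for.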

Task 7
Verify IP Connectivity by pinging 202.1.4.1 network from R1. Also, verify that
the routes are getting summarized.

R1

Show ip route vrf DATA


!
Ping 202.1.4.1 vrf DATA
R3

Show ip route vrf DATA


!
Ping 202.1.4.1 vrf DATA

Task 8
Configure Area 10 as a Totally Stubby area.

R1

Router ospf 1
Vrf DATA
Area 10 stub
R2

Router ospf 1
Vrf DATA
Area 10 stub no-summary

Task 9
Verify IP Connectivity by pinging 202.1.4.1 network from R1. Also, verify that
Inter-Area & External Routes are not getting sent to R1.

R1

Show ip route vrf DATA


!
Ping 202.1.4.1 vrf DATA

Task 10
Configure Area 20 as a NSSA-Totally Stubby Area.

R3

Router ospf 1
Vrf DATA
Area 20 nssa no-summary

R4

Router ospf 1
Vrf DATA
Area 20 nssa

Task 11
Verify IP Connectivity by pinging 202.1.4.1 network from R4. Also, verify that
Inter-Area & External Routes from the backbone are not getting sent to R4.

R2

Show ip route vrf DATA


R4

Show ip route vrf DATA


!
Ping 202.1.4.1 vrf DATA

Note: Don't save during the Labs. Reload the routers. It should reload with just
the IP Configuration saved during Lab 3.

Lab 7 – Configuring BGP on Nexus 5K &
7K
(Builds on Lab 1)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 -- E 4/44 R3; R3 VLAN 30 -- 192.1.34.0/24 -- VLAN 30 R4

BGP Logical Topology (diagram): R1 in AS 100; R2, R3 and R4 in AS 200

Task 1
Enable the BGP & OSPF features on all 4 Devices.

R1

Feature bgp
Feature ospf
R2

Feature bgp
Feature ospf
R3

Feature bgp
Feature ospf
R4

Feature bgp
Feature ospf

Task 2
Configure BGP between R1 & R2 based on the BGP Logical Topology. Advertise
the Loopback 0 Interfaces under BGP.

R1

router bgp 100


vrf DATA
address-family ipv4 unicast
network 1.0.0.0/8
neighbor 192.1.12.2
remote-as 200
R2

router bgp 200


vrf DATA
address-family ipv4 unicast
network 2.0.0.0/8
neighbor 192.1.12.1
remote-as 100

Task 3
Verify IP Connectivity by pinging 2.2.2.2 network from R1 & 2.2.2.2 from R1.

R1

Show ip route vrf DATA


!
Ping 2.2.2.2 source 1.1.1.1 vrf DATA
R2

Show ip route vrf DATA


!
Ping 1.1.1.1 source 2.2.2.2 vrf DATA

Task 4
Secure the BGP relationship between R1 & R2. Use Cciedc01 as the key.

R1

router bgp 100


vrf DATA
neighbor 192.1.12.2
password Cciedc01
R2

router bgp 200


vrf DATA
neighbor 192.1.12.1
password Cciedc01
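
Lab 3 Task 13 (EIGRP MD5), Lab 5 Tasks 4 and 5 (OSPF clear text and MD5) and the BGP password task above each leave some adjacencies unauthenticated or protected only by a clear-text key. The following Python script is an added example, not part of the workbook: it audits a typed-form NX-OS configuration and reports the authentication state of each OSPF/EIGRP interface and BGP neighbor. The sample configuration is constructed from the lab's names, and only the authentication forms used in these labs are recognised (OSPF area-level authentication, for instance, is not).

```python
import re

# Constructed sample, indented the way NX-OS displays a configuration and
# reusing the lab's names; it is not output captured from a device.
SAMPLE = """\
router bgp 200
  vrf DATA
    neighbor 192.1.12.1
      remote-as 100
      password Cciedc01
    neighbor 10.3.3.3
      remote-as 200
interface Ethernet4/20
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication
  ip ospf authentication-key Cciedc01
interface Ethernet4/43
  ip router eigrp NEXUS
  ip authentication mode eigrp NEXUS md5
  ip authentication key-chain eigrp NEXUS NEXUS
interface Ethernet4/44
  ip router eigrp NEXUS
interface loopback0
  ip router ospf 1 area 0.0.0.0
"""

def stanzas(config):
    """Group lines into (top-level header, [child lines]), all lower-cased."""
    out = []
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            out.append((line, []))
        elif out:
            out[-1][1].append(line)
    return out

def audit(config):
    """Return (object, protocol, verdict) for each interface or BGP neighbor."""
    parsed = stanzas(config)
    # EIGRP authentication set under the routing process (the form the lab
    # uses on R3 and R4) covers every interface of that instance tag.
    proc_md5 = set()
    for head, body in parsed:
        m = re.match(r"router eigrp (\S+)", head)
        if (m and "authentication mode md5" in body
                and any(b.startswith("authentication key-chain ") for b in body)):
            proc_md5.add(m.group(1))
    findings = []
    for head, body in parsed:
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            # Loopbacks and passive interfaces never form an adjacency.
            quiet = name.startswith("loopback") or any(
                "passive-interface" in b for b in body)
            for line in body:
                ospf = line.startswith("ip router ospf ")
                eigrp = re.match(r"ip router eigrp (\S+)", line)
                if not (ospf or eigrp):
                    continue
                if quiet:
                    verdict = "no-neighbors"
                elif ospf and "ip ospf authentication message-digest" in body:
                    verdict = "md5"
                elif ospf:
                    verdict = ("cleartext" if "ip ospf authentication" in body
                               else "none")
                else:
                    tag = eigrp.group(1)
                    key = f"ip authentication key-chain eigrp {tag} "
                    per_if = (f"ip authentication mode eigrp {tag} md5" in body
                              and any(b.startswith(key) for b in body))
                    verdict = "md5" if per_if or tag in proc_md5 else "none"
                findings.append((name, "ospf" if ospf else "eigrp", verdict))
        elif head.startswith("router bgp "):
            has_pw, cur = {}, None
            for line in body:
                if line.startswith("neighbor "):
                    cur = line.split()[1]
                    has_pw.setdefault(cur, False)
                elif line.startswith("password ") and cur:
                    has_pw[cur] = True
            findings += [(f"neighbor {n}", "bgp", "md5" if ok else "none")
                         for n, ok in has_pw.items()]
    return findings

def weak(findings):
    """Keep only entries with no authentication or a clear-text key."""
    return [f for f in findings if f[2] in ("none", "cleartext")]

if __name__ == "__main__":
    for obj, proto, verdict in audit(SAMPLE):
        print(f"{obj:<22}{proto:<7}{verdict}")
```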

Task 5
Configure Loopback 10 on R2, R3 & R4 using the 10.X.X.X/32 format.
Configure OSPF as the IGP in AS 200. Enable OSPF in Area 0 on the internal
links in Area 0 and the Loopback 10 networks. These will be used to setup the
iBGP relationships.

R2

Router ospf 1
Vrf DATA
Router-id 22.22.22.22
!
Interface E 4/43
Ip router ospf 1 area 0
!
Interface Loopback 10

Vrf member DATA
Ip address 10.2.2.2 255.255.255.255
Ip router ospf 1 area 0
R3

Router ospf 1
Vrf DATA
Router-id 33.33.33.33
!
Interface E 4/44
Ip router ospf 1 area 0
!
Interface VLAN 30
Ip router ospf 1 area 0
!
Interface Loopback 10
Vrf member DATA
Ip address 10.3.3.3 255.255.255.255
Ip router ospf 1 area 0
R4

Router ospf 1
Vrf DATA
Router-id 44.44.44.44
!
Interface VLAN 30
Ip router ospf 1 area 0
!
Interface Loopback 10
Vrf member DATA
Ip address 10.4.4.4 255.255.255.255
Ip router ospf 1 area 0

Task 6
Verify IP Connectivity by using the Show ip route vrf DATA command on R2,
R3 & R4.

R2

Show ip route vrf DATA


R3

Show ip route vrf DATA


R4

Show ip route vrf DATA

Task 7
Configure an iBGP neighbor relationship between R2 & R3. Configure the
neighbor relationship based on Loopback 10. Advertise Loopback 0 in BGP on
R3. Change the Next-hop attribute on R2 towards R3.

R2

router bgp 200


vrf DATA
neighbor 10.3.3.3
remote-as 200
Update-source loopback 10
address-family ipv4 unicast
Next-hop-self
R3

router bgp 200


vrf DATA
address-family ipv4 unicast
network 3.0.0.0/8
neighbor 10.2.2.2
remote-as 200
Update-source loopback 10

Task 8
Verify reachability to the 1.0.0.0 network from 3.0.0.0.

R1

Show ip route vrf DATA


!
Ping 3.3.3.3 source 1.1.1.1 vrf DATA
R3

Show ip route vrf DATA


!
Ping 1.1.1.1 source 3.3.3.3 vrf DATA

Task 9

Configure an iBGP neighbor relationship between R3 & R4. Configure the
neighbor relationship based on Loopback 10. Advertise Loopback 0 in BGP on
R4. Configure R3 as a Route Reflector for R2 & R4.

R3

Router BGP 200


Vrf DATA
Neighbor 10.4.4.4
remote-as 200
Update-source loopback 10
Address-family ipv4 unicast
Route-reflector-client
Neighbor 10.2.2.2
Address-family ipv4 unicast
Route-reflector-client
R4

Router BGP 200


Vrf DATA
Address-family ipv4 unicast
Network 4.0.0.0/8
Neighbor 10.3.3.3
remote-as 200
Update-source loopback 10

Task 11
Verify reachability to the 1.0.0.0 network from 4.0.0.0.

R1

Show ip route vrf DATA


!
Ping 4.4.4.4 source 1.1.1.1 vrf DATA
R4

Show ip route vrf DATA


!
Ping 1.1.1.1 source 4.4.4.4 vrf DATA

Note: Don't save during the Labs. Reload the routers. It should reload with just
the IP Configuration saved during Lab 3.

Lab 8 – Configuring PIM Sparse Mode on
Nexus 5K & 7K - Static RP
(Builds on Lab 3)

Topology (diagram): R1 E 4/12 -- 192.1.12.0/24 -- E 4/20 R2; R2 E 4/43 -- 192.1.23.0/24 -- E 4/44 R3; R3 VLAN 30 -- 192.1.34.0/24 -- VLAN 30 R4

Task 1
Enable the EIGRP & PIM feature on all 4 Devices.

R1

Feature eigrp
Feature PIM
R2

Feature eigrp
Feature PIM
R3

Feature eigrp
Feature PIM
R4

Feature eigrp
Feature PIM

Task 2
Configure EIGRP on R1, R2, R3 & R4 in AS 100. Enable the Loopbacks under
EIGRP 100. Use NEXUS as the Instance Name. Set the EIGRP Router ID based
on XX.XX.XX.XX, where X is the Router #.

R1

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
!
Interface E 4/12
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R2

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
!
Interface E 4/20
Ip router eigrp NEXUS
!
Interface E 4/43
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R3

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
!
Interface E 4/44
Ip router eigrp NEXUS
!
Interface VLAN 30

Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS
R4

Router EIGRP NEXUS


address-family ipv4 unicast
vrf DATA
autonomous-system 100
!
Interface VLAN 30
Ip router eigrp NEXUS
!
Interface Loopback 0
Ip router eigrp NEXUS

Task 3
Verify IP Connectivity by pinging 4.4.4.4 network from R1 & 1.1.1.1 from R4.

R1

Show ip route vrf DATA


!
Ping 4.4.4.4 vrf DATA
R4

Show ip route vrf DATA


!
Ping 1.1.1.1 vrf DATA

Task 4
Configure R1 to be the RP for Multicast groups 224.1.1.0/24, and R4 to be the
RP for the groups 224.4.4.0/24. These two RPs should use their Loopback 0
interface for this purpose.

R1

Vrf context DATA


Ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24
Ip pim rp-address 4.4.4.4 group-list 224.4.4.0/24
!
Interface Loopback0
Ip pim sparse-mode

!
Interface E 4/12
Ip pim sparse-mode
R2

Vrf context DATA


Ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24
Ip pim rp-address 4.4.4.4 group-list 224.4.4.0/24
!
Interface Loopback0
Ip pim sparse-mode
!
Interface E 4/20
Ip pim sparse-mode
!
Interface E 4/43
Ip pim sparse-mode
R3

Vrf context DATA


Ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24
Ip pim rp-address 4.4.4.4 group-list 224.4.4.0/24
!
Interface Loopback0
Ip pim sparse-mode
!
Interface E 4/44
Ip pim sparse-mode
!
Interface VLAN 30
Ip pim sparse-mode
R4

Vrf context DATA


Ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24
Ip pim rp-address 4.4.4.4 group-list 224.4.4.0/24
!
Interface Loopback0
Ip pim sparse-mode
!
Interface VLAN 30
Ip pim sparse-mode

Task 5
Configure Loopback 0 on R1 and R4 to join the following Multicast
groups:

R1 – 224.1.1.1, 224.1.1.2, 224.1.1.3


R4 – 224.4.4.1, 224.4.4.2, 224.4.4.3

R1

Interface Loopback0
Ip igmp join-group 224.1.1.1
Ip igmp join-group 224.1.1.2
Ip igmp join-group 224.1.1.3
R4

Interface Loopback0
Ip igmp join-group 224.4.4.1
Ip igmp join-group 224.4.4.2
Ip igmp join-group 224.4.4.3

Task 6
Verify the configuration by using the Show ip pim rp command.

R2

Show ip pim rp
R3

Show ip pim rp
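
With static RPs, every router must hold the same group-to-RP mapping, or joins for a group stall at the router that disagrees. The following is an added example (not part of the original workbook) that checks the Task 4 and Task 5 configuration offline; the helper names and the DRIFTED sample are assumptions made for illustration.

```python
import ipaddress
import re

RP_LINE = re.compile(r"ip pim rp-address (\S+) group-list (\S+)", re.I)
JOIN_LINE = re.compile(r"ip igmp join-group (\S+)", re.I)

# Static RP lines from Task 4; the lab puts the same two lines on every router.
RP_BLOCK = (
    "vrf context DATA\n"
    "  ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24\n"
    "  ip pim rp-address 4.4.4.4 group-list 224.4.4.0/24\n"
)


def loopback_joins(groups):
    """Render the Task 5 join-group lines for Loopback0."""
    lines = [f"  ip igmp join-group {group}\n" for group in groups]
    return "interface loopback0\n" + "".join(lines)


LAB = {
    "R1": RP_BLOCK + loopback_joins(["224.1.1.1", "224.1.1.2", "224.1.1.3"]),
    "R2": RP_BLOCK,
    "R3": RP_BLOCK,
    "R4": RP_BLOCK + loopback_joins(["224.4.4.1", "224.4.4.2", "224.4.4.3"]),
}

# Constructed drift (not from the page): R3 lost the 224.4.4.0/24 mapping and
# R4 joins a group that no RP range covers.
DRIFTED = dict(LAB)
DRIFTED["R3"] = (
    "vrf context DATA\n"
    "  ip pim rp-address 1.1.1.1 group-list 224.1.1.0/24\n"
)
DRIFTED["R4"] = LAB["R4"] + "  ip igmp join-group 224.5.5.1\n"


def rp_map(config):
    """Return {group range: RP address} from the static rp-address lines."""
    return {
        ipaddress.ip_network(group_range): ipaddress.ip_address(rp)
        for rp, group_range in RP_LINE.findall(config)
    }


def rp_for(group, mapping):
    """Pick the RP whose group range is the most specific match, or None."""
    address = ipaddress.ip_address(group)
    hits = [network for network in mapping if address in network]
    if not hits:
        return None
    return str(mapping[max(hits, key=lambda network: network.prefixlen)])


def audit(configs):
    """List (group, {router: RP}) for joined groups the routers disagree on."""
    maps = {name: rp_map(config) for name, config in configs.items()}
    joined = {g for config in configs.values() for g in JOIN_LINE.findall(config)}
    findings = []
    for group in sorted(joined, key=ipaddress.ip_address):
        view = {name: rp_for(group, mapping) for name, mapping in maps.items()}
        # A group is healthy only if every router resolves it to the same RP.
        if None in view.values() or len(set(view.values())) > 1:
            findings.append((group, view))
    return findings


if __name__ == "__main__":
    print("lab as written:", audit(LAB))
    for group, view in audit(DRIFTED):
        print("inconsistent:", group, view)
```

On a live switch the same comparison can be made by hand from the Show ip pim rp output on each router.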

Module 5 – Configuring Advanced vPCs & FEX

Lab 1- Configuring vPC on Nexus 7K
Switches

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0.]

Task 1
Connect to 7K1. Configure the admin username with a password of Cciedc01.
Configure it with a hostname of 7K1.

7K-1

Configure the password on the setup wizard as : Cciedc01


!
!
Hostname 7K1

Task 2
Configure 2 VDCs on 7K1 using the following information:

• VDC 2: Name : 7K2 ID: 2


• Interfaces : E 3/1-2, E 3/21-24, E 4/20-21, E 4/24
• VDC 3: Name : 7K3 ID: 3
• Interfaces : E 3/17-18, E 3/29-30, E 4/15-16

7K-1

vdc 7K2 id 2
allocate interface E 3/1-2, E 3/21-24
allocate interface E 4/20-21, E 4/24
!
vdc 7K3 id 3
allocate interface E 3/17-18, E 3/29-32
allocate interface E 4/15-16

Note : When you allocate interfaces to VDCs, they are allocated based on Port-
groups. Press Yes when prompted to allocate all members of the port-group.

Task 3
Verify the Creation of the VDCs by using the sh run vdc and sh vdc
membership commands.

7K-1

Show run VDC


(Displays the configuration commands for the VDCs)
!
Show VDC membership
(Displays the ports that are members of the VDCs, including the ones that were
not specified by you in the command)

Task 4
Configure alias for switching to VDC 7K2 and VDC 7K3 from the default VDC
as VDC2 & VDC3 respectively.

7K-1

cli alias name VDC2 switchto vdc 7K2


cli alias name VDC3 switchto vdc 7K3

Task 5
Switch to 7K2 using the appropriate alias you created. Configure the password
for the admin account as Cciedc01. Configure an alias for the Switchback
command as SB. Switch back to the default VDC, using the alias that you
created.

7K-1

VDC2
7K-2

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 6
Switch to 7K3 using the appropriate alias you created. Configure the password
for the admin account as Cciedc01. Configure an alias for the Switchback
command as SB. Switch back to the default VDC, using the alias that you
created.

7K-1

VDC3
7K-3

Configure the password on the setup wizard as : Cciedc01


!
!
cli alias name SB switchback
!
SB

Task 7
Configure the prompt to only display the current VDC.

7K-1

no vdc combined-hostname

Task 8

We will be configuring a vPC from 7K2 & 7K3 towards 7K1 based on the above diagram.
Enable the vPC & LACP features on 7K2 & 7K3.

7K-2

Feature vpc
Feature lacp
7K-3

Feature vpc
Feature lacp

Task 9
Configure the parameters for the vPC Peer keepalive link based on the
following:

• 7K2
• VRF Name: PKL-23
• Interface: 4/21
• IP Address: 10.1.23.2/24
• 7K3
• VRF Name: PKL-23
• Interface: 4/16
• IP Address: 10.1.23.3/24

7K-2

vrf context PKL-23


!
Interface E 4/21
vrf member PKL-23
ip address 10.1.23.2/24
no shut
7K-3

vrf context PKL-23


!
Interface E 4/16
vrf member PKL-23
ip address 10.1.23.3/24
no shut

Task 10

Configure a vPC Domain between 7K2 & 7K3. Use 23 as the Domain ID. Use
the Interfaces and VRFs from the previous step to configure the vPC Peer
Keepalive link. Make 7K3 as the Primary vPC device.

7K-2

vpc domain 23
peer-keepalive destination 10.1.23.3 source 10.1.23.2 vrf PKL-23
7K-3

vpc domain 23
role priority 300
peer-keepalive destination 10.1.23.2 source 10.1.23.3 vrf PKL-23

Task 11
Configure the Port-channel port type as Network. This will enable the Bridge
Assurance Fault tolerance feature. Use this port channel as the vPC Peer Link.
Use the following parameters:

• 7K2
• Port-Channel #: 23
• Interfaces: 3/1-2
• Port Type: Network
• 7K3
• Port-Channel #: 23
• Interface: 3/17-18
• Port Type: Network

7K-2

Interface E 3/1-2
channel-group 23 mode active
no shut
!
Interface port-channel 23
spanning-tree port type network
switchport mode trunk
vpc peer-link
7K-3

int e 3/17-18
channel-group 23 mode active
no shut
!

Interface port-channel 23
switchport mode trunk
spanning-tree port type network
vpc peer-link
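
A vPC domain only forms when the two peers mirror each other: same domain ID, keepalive destination equal to the peer's source, same keepalive VRF, and a peer link configured the same way on both sides. The following is an added example (not part of the original workbook) that cross-checks the Task 10 and Task 11 configuration offline; the function names and the CFG_7K3_BAD sample are assumptions, and the configs are retyped with indentation and with switchport written out in full.

```python
import re

DEFAULT_ROLE_PRIORITY = 32667  # NX-OS default; the lower value wins the primary role
KEEPALIVE = re.compile(
    r"peer-keepalive destination (\S+)(?: source (\S+))?(?: vrf (\S+))?")
PEER_LINK_NEEDS = ("switchport mode trunk", "spanning-tree port type network")

# Retyped from Tasks 10 and 11 on this page.
CFG_7K2 = """\
vpc domain 23
  peer-keepalive destination 10.1.23.3 source 10.1.23.2 vrf PKL-23
interface port-channel 23
  spanning-tree port type network
  switchport mode trunk
  vpc peer-link
"""
CFG_7K3 = """\
vpc domain 23
  role priority 300
  peer-keepalive destination 10.1.23.2 source 10.1.23.3 vrf PKL-23
interface port-channel 23
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
"""
# Constructed faulty variant of 7K-3: wrong keepalive target, no port type network.
CFG_7K3_BAD = """\
vpc domain 23
  peer-keepalive destination 10.1.23.20 source 10.1.23.3 vrf PKL-23
interface port-channel 23
  switchport mode trunk
  vpc peer-link
"""


def blocks(config):
    """Group indented lines under their unindented parent line (lower-cased)."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if raw[0].isspace():
            if current is not None:
                out[current].append(line)
        else:
            current = line
            out.setdefault(current, [])
    return out


def vpc_facts(config):
    """Extract domain ID, role priority, keepalive tuple and peer-link body."""
    facts = {"domain": None, "priority": DEFAULT_ROLE_PRIORITY,
             "keepalive": None, "peer_link": None}
    for head, body in blocks(config).items():
        if head.startswith("vpc domain "):
            facts["domain"] = head.split()[-1]
            for line in body:
                if line.startswith("role priority "):
                    facts["priority"] = int(line.split()[-1])
                match = KEEPALIVE.fullmatch(line)
                if match:
                    facts["keepalive"] = match.groups()  # (dest, source, vrf)
        elif head.startswith("interface port-channel") and "vpc peer-link" in body:
            facts["peer_link"] = body
    return facts


def compare_peers(name_a, cfg_a, name_b, cfg_b):
    """Return a list of mismatches that would keep the vPC domain from forming."""
    facts = {name_a: vpc_facts(cfg_a), name_b: vpc_facts(cfg_b)}
    a, b = facts[name_a], facts[name_b]
    findings = []
    if a["domain"] is None or a["domain"] != b["domain"]:
        findings.append(f"vPC domain mismatch: {a['domain']} vs {b['domain']}")
    if a["keepalive"] and b["keepalive"] and a["keepalive"][2] != b["keepalive"][2]:
        findings.append("peer-keepalive VRF differs between peers")
    for local, remote in ((name_a, name_b), (name_b, name_a)):
        mine, theirs = facts[local], facts[remote]
        if mine["keepalive"] is None:
            findings.append(f"{local}: no peer-keepalive configured")
        elif theirs["keepalive"] and theirs["keepalive"][1] not in (None, mine["keepalive"][0]):
            findings.append(f"{local}: keepalive destination {mine['keepalive'][0]} "
                            f"is not {remote}'s source {theirs['keepalive'][1]}")
        if mine["peer_link"] is None:
            findings.append(f"{local}: no port-channel carries 'vpc peer-link'")
        else:
            findings.extend(f"{local}: peer link lacks '{need}'"
                            for need in PEER_LINK_NEEDS if need not in mine["peer_link"])
    return findings


def expected_primary(name_a, cfg_a, name_b, cfg_b):
    """Name the peer with the lower role priority, or None when they tie."""
    pa, pb = vpc_facts(cfg_a)["priority"], vpc_facts(cfg_b)["priority"]
    if pa == pb:
        return None  # tie: not decided by the configured priorities
    return name_a if pa < pb else name_b
```

Run against the lab configuration it reports no findings and names 7K-3 as the expected primary, which matches the role priority 300 set in Task 10.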

Task 12
Verify the status of the vPC Port Channel. Also, make sure the vPC Peer
keepalive link is up. Use the Show VPC command to verify it.

7K-2

Show VPC

vPC domain id : 23
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.
.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po23 up 1
7K-3

Show VPC

vPC domain id : 23
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.
.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po23 up 1

Task 13
Configure a port-channel from 7K2 & 7K3 towards 7K1 using vPC. Configure it
as a L2 Trunk Port Channel. Use 12 as the Port-channel ID. Use E 4/20 on
7K2 & E 4/15 on 7K3 as the vPC member ports.

7K-2

Interface E 4/20
switchport
channel-group 12 mode active
no shut
!
Interface port-channel 12
switchport mode trunk
vpc 23
7K3

Interface E 4/15
switchport
channel-group 12 mode active
no shut
!
Interface port-channel 12
switchport mode trunk
vpc 23

Task 14
Enable the LACP feature on 7K1. Configure a normal Port-Channel on 7K1.
Configure it as a L2 Trunk Port Channel. Use 23 as the Port-channel ID. Use E
4/3 & E 4/12 on 7K1 as the member ports.

7K-1

feature lacp
!
Interface E 4/3 , E 4/12
switchport
channel-group 23 mode active
no shut
!
Interface port-channel 23
switchport mode trunk

Task 15

Verify the status of the Port Channel on 7K1. Use the normal Show port-
channel summary command to verify it.

7K-1

show port-channel summary

P - Up in Port-channel (member)
S - Switched
U - Up (Port-Channel)
.
.
.
Group Port- Type Protocol Member Ports
Channel
23 Po23(SU) Eth LACP Eth4/3(P) Eth4/12(P)

Note: In this setup, 7K-2 & 7K-3 are seen as one logical switch by 7K1. The
following is the logical diagram.

[Figure: logical topology. Nexus 7K-1 (Port Channel 23) connects to Nexus 7K-2 and Nexus 7K-3 (Port Channel 12); 7K-2 and 7K-3 are joined by Port Channel 23, the vPC Peer Link.]

Lab 2 – Configuring vPC with Nexus 5K
Switches
(Builds on Lab 1)

Task 1
Configure a port-channel from 7K2 & 7K3 towards 5K1 using vPC. Configure it
as a L2 Trunk Port Channel. Use 523 as the Port-channel ID. Use E 3/21-22
Ports on 7K2 & E 3/31-32 Ports on 7K3 as the vPC member ports.

7K-2

Interface E 3/21 - 22
channel-group 523 mode active
no shut
!
Interface port-channel 523
switchport mode trunk
vpc 523
7K-3

Interface E 3/31 - 32
channel-group 523 mode active
no shut
!
Interface port-channel 523
switchport mode trunk
vpc 523

Task 2
Enable the LACP feature on 5K1. Configure a normal Port-Channel on 5K1.
Configure it as a L2 Trunk Port Channel. Use 523 as the Port-channel ID. Use
E 1/15-16 & E 1/21-22 on 5K1 as the member ports.

5K-1

feature lacp
!
Interface E 1/15-16 , E 1/21-22
switchport
channel-group 523 mode active
no shut

!
int port-channel 523
switchport mode trunk

Task 3
Verify the status of the Port Channel on 5K1. Use the normal Show port-
channel summary command to verify it.

5K-1

show port-channel summary

P - Up in Port-channel (member)
S - Switched
U - Up (Port-Channel)
.
.
.
Group Port- Type Protocol Member Ports
Channel
523 Po523(SU) Eth LACP Eth1/15(P) Eth1/16(P) Eth1/21(P) Eth1/22(P)

Task 4
Configure a port-channel from 7K2 & 7K3 towards 5K2 using vPC. Configure it
as a L2 Trunk Port Channel. Use 524 as the Port-channel ID. Use E 3/23-24
Ports on 7K2 & E 3/29-30 Ports on 7K3 as the vPC member ports.

7K-2

Interface E 3/23 - 24
channel-group 524 mode active
no shut
!
Interface port-channel 524
switchport mode trunk
vpc 524
7K-3

Interface E 3/29 - 30
channel-group 524 mode active
no shut
!
Interface port-channel 524
switchport mode trunk

vpc 524

Task 5
Enable the LACP feature on 5K2. Configure a normal Port-Channel on 5K2.
Configure it as a L2 Trunk Port Channel. Use 524 as the Port-channel ID. Use
E 1/23-24 & E 1/29-30 on 5K2 as the member ports.

5K-2

feature lacp
!
Interface E 1/23-24 , E 1/29-30
switchport
channel-group 524 mode active
no shut
!
Interface port-channel 524
switchport mode trunk

Task 6
Verify the status of the Port Channel on 5K2. Use the normal Show port-
channel summary command to verify it.

5K-2

show port-channel summary

P - Up in Port-channel (member)
S - Switched
U - Up (Port-Channel)
.
.
.
Group Port- Type Protocol Member Ports
Channel
524 Po524(SU) Eth LACP Eth1/23(P) Eth1/24(P) Eth1/29(P) Eth1/30(P)

Note: In this setup, 7K-2 & 7K-3 are seen as one logical switch by the 5K
devices. The following is the logical diagram.

[Figure: logical topology. Nexus 7K-1 (Port Channel 23) connects to Nexus 7K-2 and Nexus 7K-3 (Port Channel 12); 7K-2 and 7K-3 are joined by Port Channel 23, the vPC Peer Link. Port Channel 523 connects the 7K pair to Nexus 5K-1 and Port Channel 524 connects it to Nexus 5K-2.]

Lab 3 – Configuring vPC between Nexus
5K switches to setup a Back-to-Back vPC
(Builds on Lab 2)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0.]

Task 1
We will be configuring a vPC between 5K1 and 5K2 based on the
above diagram. Enable the vPC feature on 5K1 & 5K2.

5K-1

Feature vpc

Feature lacp
5K-2

Feature vpc
Feature lacp

Task 2
Configure the parameters for the vPC Peer keepalive link based on the
following:

• 5K1
• Interface: Mgmt 0
• IP Address: 10.1.112.1/24
• 5K2
• Interface: Mgmt 0
• IP Address: 10.1.112.2/24

5K-1

Interface mgmt 0
ip address 10.1.112.1/24
no shut
5K-2

Interface mgmt 0
ip address 10.1.112.2/24
no shut

Task 3
Configure a vPC Domain between 5K1 & 5K2. Use 12 as the Domain ID. Use
the Interfaces from the previous step to configure the vPC Peer Keepalive link.
Make 5K1 as the Primary vPC device.

5K-1

vpc domain 12
peer-keepalive destination 10.1.112.2
role priority 300
5K-2

vpc domain 12
peer-keepalive destination 10.1.112.1

Task 4
Configure the Port-channel port type as Network. This will enable the Bridge
Assurance Fault tolerance feature. Use this port channel as the vPC Peer Link.
Use the following parameters:

• 5K-1
• Port-Channel #: 12
• Interfaces: 1/10-11
• Port Type: Network
• 5K-2
• Port-Channel #: 12
• Interface: 1/10-11
• Port Type: Network

5K-1

Interface E 1/10-11
channel-group 12 mode active
no shut
!
Interface port-channel 12
spanning-tree port type network
switchport mode trunk
vpc peer-link
5K-2

Interface E 1/10-11
channel-group 12 mode active
no shut
!
Interface port-channel 12
switchport mode trunk
spanning-tree port type network
vpc peer-link

Task 5
Verify the status of the vPC Port Channel. Also, make sure the vPC Peer
keepalive link is up. Use the Show VPC command to verify it.

5K-1

Show VPC

vPC domain id : 12

Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.
.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po12 up 1
5K-2

Show VPC

vPC domain id : 12
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
.
.
.
.
vPC Peer-Link status
------------------------------------------------------
id Port Status Active vlans
-- ----- -------- ----------------------------------
1 Po12 up 1

Task 6
Disable the old vPC based port-channel (523) on the 7K devices (7K2 & 7K3).
Create a new vPC port-channel (75) using ports E 3/21-24 as member ports on
7K-2. Use ports E 3/29-32 on 7K-3. Use VPC id of 75 for this port-channel.

7K-2

no Interface port-channel 523


!
Interface E 3/21 - 24
channel-group 75 mode active
!
Interface port-channel 75
vpc 75

7K-3

no Interface port-channel 523

Interface E 3/29 - 32
channel-group 75 mode active
!
Interface port-channel 75
vpc 75

Task 7
Disable the old vPC based port-channels (523-524) on the 5K devices (5K1 &
5K2). Create a new vPC port-channel (75) using ports E 1/21-22 , E 1/15-16
as member ports on 5K-1. Use ports E 1/23-24, E 1/29-30 on 5K-2. Use VPC
id of 75 for this port-channel.

5K-1

no Interface port-channel 523


!
Interface E 1/21 - 22 , e 1/15 - 16
channel-group 75 mode active
!
Interface port-channel 75
vpc 75
5K-2

No Interface port-channel 524


!
Interface E 1/23 - 24 , e 1/29 -30
channel-group 75 mode active
!
Interface port-channel 75
vpc 75

Note: In this setup, 7K-2 & 7K-3 are seen as one logical switch by the 5K
devices and vice versa. The following is the logical diagram.

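[Figure: logical topology. Nexus 7K-1 (Port Channel 23) connects to Nexus 7K-2 and Nexus 7K-3 (Port Channel 12); 7K-2 and 7K-3 are joined by Port Channel 23, the vPC Peer Link. Port Channel 75 connects the 7K pair to the 5K pair; Nexus 5K-1 and Nexus 5K-2 are joined by Port Channel 12, the vPC Peer Link.]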

Lab 4 – Configuring FEX -
Using Static Pinning
(Builds on Lab 3)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2, Nexus 2K-1, Server. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0, E 1/1-2, E 1/3-4.]

Task 1
We will be connecting the Nexus 2K switches as Fabric Extensions for the
Nexus 5K switches. Enable the FEX feature on 5K-1.

5K-1

Feature fex

Task 2
We will configure Ports E 1/1 & E 1/2 as FEX ports from 5K-1 towards 2K-1.
Use 101 as the FEX Identifier.

5K-1

Interface E 1/1-2
switchport mode fex-fabric
fex associate 101

Task 3
Use the Show Fex command to verify the port status. It will initially show the
ports as connected before they go online.

5K-1

Show Fex

FEX FEX FEX FEX


Number Description State Model Serial
----------------------------------------------------------------------------------------
101 FEX0101 Online N2K-C2232PP-10GE SSI162200CH
--- -------- Discovered N2K-C2232PP-10GE SSI16210D25

Task 4
By default, only 1 of the links is used. You can use the Show Fex detail command to
verify this.

5K-1

Show Fex detail

FEX: 101 Description: FEX0101 state: Online


FEX version: 5.1(3)N2(1c) [Switch version: 5.1(3)N2(1c)]
FEX Interim version: 5.1(3)N2(1c)
Switch Interim version: 5.1(3)N2(1c)
Extender Serial: SSI162200CH
Extender Model: N2K-C2232PP-10GE, Part No: 73-12533-05
Card Id: 82, Mac Addr: 0c:d9:96:08:1d:42, Num Macs: 64
Module Sw Gen: 12594 [Switch Sw Gen: 21]
post level: complete
pinning-mode: static Max-links: 1
.
.
.

Task 5
Change the number of Links for Fex to 2 to load share the traffic over the 2
links. It will equally share the physical ports based on the number of links
connecting the 5K to the 2K switches.

5K-1

fex 101
pinning max-links 2

Task 6
Verify the use of both links based on the Show Fex detail command.

5K-1

Show Fex detail

FEX: 101 Description: FEX0101 state: Online


FEX version: 5.1(3)N2(1c) [Switch version: 5.1(3)N2(1c)]
FEX Interim version: 5.1(3)N2(1c)
Switch Interim version: 5.1(3)N2(1c)
Extender Serial: SSI162200CH

Extender Model: N2K-C2232PP-10GE, Part No: 73-12533-05
Card Id: 82, Mac Addr: 0c:d9:96:08:1d:42, Num Macs: 64
Module Sw Gen: 12594 [Switch Sw Gen: 21]
post level: complete
pinning-mode: static Max-links: 2
.
.
.

Lab 5 – Configuring FEX -
Using Port Channels
(Builds on Lab 4)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2, Nexus 2K-1, Server. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0, E 1/1-2, E 1/3-4.]

Task 1
We will be connecting the Nexus 2K switches as Fabric Extensions for the
Nexus 5K switches. Enable the FEX feature on 5K-2.

5K-2

Feature fex

Task 2
We will configure Ports E 1/1 & E 1/2 as FEX ports from 5K-2 towards 2K-1.
We will be using Port Channels to take advantage of Dynamic Pinning and Load
Balancing. Use 102 as the FEX Identifier. Use 102 as the Port Channel ID.

5K-2

Interface E 1/1-2
channel-group 102 mode on
!
Interface port-channel 102
switchport mode fex-fabric
fex associate 102

Task 3
Use the Show Fex command to verify if the port is online. It will take a couple
of minutes to come online.

5K-2

Show Fex

FEX FEX FEX FEX


Number Description State Model Serial
------------------------------------------------------------------------------------------
102 FEX0102 Online N2K-C2232PP-10GE SSI16210D

Task 4
You can use the show fex detail command to verify that the Port-channel is
being used to connect to the 2K2 Fex.

5K-2

show fex detail

FEX: 102 Description: FEX0102 state: Online


FEX version: 5.1(3)N2(1c) [Switch version: 5.1(3)N2(1c)]
FEX Interim version: 5.1(3)N2(1c)
Switch Interim version: 5.1(3)N2(1c)
Extender Serial: SSI16210D25
Extender Model: N2K-C2232PP-10GE, Part No: 73-12533-05
Card Id: 82, Mac Addr: 0c:d9:96:08:27:02, Num Macs: 64
Module Sw Gen: 12594 [Switch Sw Gen: 21]
post level: complete
pinning-mode: static Max-links: 1
Fabric port for control traffic: Eth1/1
FCoE Admin: false
FCoE Oper: true
FCoE FEX AA Configured: false
Fabric interface state:
Po101 - Interface Up. State: Active
Eth1/1 - Interface Up. State: Active
Eth1/2 - Interface Up. State: Active
.
.
.

Lab 6 – Configuring FEX -
Using vPC
(Builds on Lab 5)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2, Nexus 2K-1, Server. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0, E 1/1-2, E 1/3-4.]

Pre-requisite Configuration:
We will be configuring the Nexus 2K switches to see the Nexus 5K switches as
one logical switch using vPCs. We have already configured a vPC Peer Keepalive
Link and Port-Channel between 5K-1 & 5K-2 in Lab3. We are using a Domain-
id of 12.

Task 1
Re-Configure Ports E 1/1-2 on 5K-1 to be part of a Port-Channel. This port
channel will be used to connect the 5K devices to 2K1. Use Port-channel ID as
501. Use 101 as the FEX ID. Use a vPC ID of 10 for the Port Channel. Also,
configure the cross-links E 1/3-4 on 5K-2 as a port channel to connect 2K1
to the 5K switches. Use the same IDs as you did on 5K1.

5K-1

Interface E 1/1-2
No switchport mode fex-fabric
No Fex associate 101
!
Interface E 1/1-2
channel-group 501 mode on
!
Interface port-channel 501
switchport mode fex-fabric
fex associate 101
vpc 10
5K-2

Interface E 1/3-4
channel-group 501 mode on
!
Interface port-channel 501
switchport mode fex-fabric
fex associate 101
vpc 10

Task 2
Use the Show Fex command to verify if the ports are online on both the 5K
switches. It will take a couple of minutes to come online.

5K-1

Show Fex

FEX FEX FEX FEX


Number Description State Model Serial
---------------------------------------------------------------------------------------------
101 FEX0101 Online N2K-C2232PP-10GE SSI162200CH
5K-2

Show fex

FEX FEX FEX FEX


Number Description State Model Serial
----------------------------------------------------------------------------------------------
101 FEX0101 Online N2K-C2232PP-10GE SSI162200CH

Task 3
Re-Configure Ports E 1/1-2 on 5K-2 to be part of a Port-Channel 502. This
port channel will be used to connect the 5K devices to 2K2. Use Port-channel
ID as 502. Use 102 as the FEX ID. Use a vPC ID of 20 for the Port Channel.
Also, configure the cross-links E 1/3-4 on 5K-1 as a port channel to connect
2K2 to the 5K switches. Use the same IDs as you did on 5K2.

5K-2

Interface E 1/1-2
No channel-group 102 mode on
!
No interface port-channel 102
!
Interface E 1/1-2
channel-group 502 mode on
!
int port-channel 502
switchport mode fex-fabric
fex associate 102
vpc 20
5K-1

Interface E 1/3-4

channel-group 502 mode on
!
Interface port-channel 502
switchport mode fex-fabric
fex associate 102
vpc 20

Task 4
Use the Show Fex command to verify if the ports are online on both the 5K
switches. It will take a couple of minutes to come online.

5K-1

Show Fex

FEX FEX FEX FEX


Number Description State Model Serial
---------------------------------------------------------------------------------------------
102 FEX0102 Online N2K-C2232PP-10GE SSI16210D25
5K-2

Show fex

FEX FEX FEX FEX


Number Description State Model Serial
----------------------------------------------------------------------------------------------
102 FEX0102 Online N2K-C2232PP-10GE SSI16210D25

Note: In this setup, 5K-1 & 5K-2 are seen as one logical switch by the 2K
devices. The following is the logical diagram of the entire topology.

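[Figure: logical topology. Nexus 7K-1 (Port Channel 23) connects to Nexus 7K-2 and Nexus 7K-3 (Port Channel 12); 7K-2 and 7K-3 are joined by Port Channel 23, the vPC Peer Link. Port Channel 75 connects the 7K pair to the 5K pair; Nexus 5K-1 and Nexus 5K-2 are joined by Port Channel 12, the vPC Peer Link. Port Channel 501 connects the 5K pair to Nexus 2K-1 and Port Channel 502 connects it to Nexus 2K-2; the Server attaches to the 2K devices.]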

Lab 7 – Configuring Enhanced vPC to
Connect the Server with Redundancy
(Builds on Lab 5)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2, Nexus 2K-1, Server. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0, E 1/1-2, E 1/3-4.]

Task 1
To allow the Server to configure NIC Teaming/Trunking so that it has complete
redundancy, we need to set up the Ports facing the Server as Edge Trunks. This
type of complete redundancy up to the server level is known as Enhanced vPC.
Configure the ports connecting the FEX 2K1 to the server as Spanning-
tree port type Edge trunk on any 5K.

5K-1

Interface E 101/1/20 , E 102/1/21


spanning-tree port type edge trunk

Task 2
Server side will configure NIC Teaming for the 2 ports connecting into the 2
Nexus 2K switches.

Lab 8 – Configuring FCoE on the Nexus
Switch to Connect to Storage Network
(Builds on Lab 5)

[Figure: physical topology. Devices: Nexus 7K-1, Nexus 7K-2, Nexus 7K-3, Nexus 5K-1, Nexus 5K-2, Nexus 2K-1, Server. Interface labels shown: E 4/12, E 4/3, E 4/20, E 4/15, E 3/1-2, E 4/21, E 4/16, E 3/21-22, E 3/23-24, E 3/31-32, E 3/29-30, E 1/21-22, E 1/15-16, E 1/23-24, E 1/29-30, E 1/10-11, Mgmt 0, E 1/1-2, E 1/3-4.]

Task 1
Enable the FCoE Feature on both the Nexus 5K switches. Configure the FEX
Links 101 for FCoE on 5K-1. Configure FEX Link 102 for FCoE on 5K-2.

5K-1

feature fcoe
!
Fex 101
Fcoe
5K-2

feature fcoe
!
Fex 102
Fcoe

Task 2
Configure VFC ports towards the server on 5K1 & 5K2. Configure VFC
101 on 5K-1. The server is connected to E 101/1/20. Configure the switchport
mode as F. Configure VFC 102 on 5K-2. The server is connected to E
102/1/21. Configure the switchport mode as F.

5K-1

Interface vfc 101


bind interface E 101/1/20
switchport mode F
5K-2

Interface vfc 102


bind interface E 102/1/21
switchport mode F

Task 3
Configure VSAN 100 on 5K1 and attach it to VFC 101. Configure VSAN 200 on
5K2 and attach it to VFC 102.

5K-1

vsan database
vsan 100
vsan 100 Interface vfc 101
5K-2

vsan database
vsan 200
vsan 200 Interface vfc 102

Task 4
Configure VLAN 100 & 200 as FCoE VSAN on 5K1 & 5K2.

5K-1

vlan 100
fcoe vsan 100
5K-2

vlan 200
fcoe vsan 200

Task 5
Verify that the FCoE VLANs are operational by using the show vlan fcoe
command on both the 5K Switches.

5K-1

sh vlan fcoe

Original VLAN ID Translated VSAN ID Association State


---------------------- ------------------------- ---------------------

100 100 Operational


5K-2

sh vlan fcoe

Original VLAN ID Translated VSAN ID Association State


---------------------- ------------------------- ---------------------

200 200 Operational

Task 6
Once you are done configuring the FCoE VSAN, bring the VFC interfaces up on
both switches.

5K-1

Interface vfc 101


no shut
5K-2

Interface vfc 102


no shut

Task 7
Configure the E 101/1/20 port on 5K1 as a trunk and allow the fcoe vlan 100
and data vlan on it. Configure the E 102/1/21 port on 5K2 as a trunk and
allow the fcoe vlan 200 and data vlan on it.

5K-1

Interface e 101/1/20
switchport mode trunk
switchport trunk allowed vlan 100
5K-2

Interface E 102/1/21
switchport mode trunk
switchport trunk allowed vlan 200

Task 8
Verify that the VSANs are up on the VFC Interface.

5K-2

show interface vfc 102

vfc102 is trunking (Not all VSANs UP on the trunk)


Bound interface is Ethernet102/1/21
Hardware is Ethernet
Port WWN is 20:65:00:2a:6a:6d:90:3f
Admin port mode is F, trunk mode is on
snmp link state traps are enabled
Port mode is TF
Port vsan is 200
Trunk vsans (admin allowed and active) (1,200)
Trunk vsans (up) (200)
Trunk vsans (isolated) ()
Trunk vsans (initializing) (1)
1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
1586 frames input, 290244 bytes
0 discards, 0 errors
23 frames output, 2440 bytes
0 discards, 0 errors
last clearing of "show interface" counters never
Interface last changed at Tue Jan 13 05:18:43 2009

Task 9
Also verify the flogi entry is in the FLOGI Database by using the sh flogi
database command.

5K-2

show flogi database

-------------------------------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
-------------------------------------------------------------------------------------------------------
vfc102 200 0xb00000 20:00:a4:4c:11:13:56:d3 10:00:a4:4c:11:13:56:d3

Total number of flogi = 1.
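
The checks in Tasks 8 and 9 come down to two questions: is the port VSAN among the trunk VSANs that are up, and did the server log in on that VSAN. The following is an added example (not part of the original workbook) that answers both from the two outputs shown above; the function names and the VFC_ISOLATED sample are assumptions made for illustration.

```python
import re

# Output copied from Tasks 8 and 9 on this page (counters and WWN lines omitted).
VFC_OUTPUT = """\
vfc102 is trunking (Not all VSANs UP on the trunk)
    Bound interface is Ethernet102/1/21
    Admin port mode is F, trunk mode is on
    Port mode is TF
    Port vsan is 200
    Trunk vsans (admin allowed and active) (1,200)
    Trunk vsans (up) (200)
    Trunk vsans (isolated) ()
    Trunk vsans (initializing) (1)
"""
FLOGI_OUTPUT = """\
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
vfc102     200   0xb00000  20:00:a4:4c:11:13:56:d3  10:00:a4:4c:11:13:56:d3
Total number of flogi = 1.
"""
# Constructed failure case (not from the page): the port VSAN itself is isolated.
VFC_ISOLATED = (VFC_OUTPUT.replace("(up) (200)", "(up) ()")
                .replace("(isolated) ()", "(isolated) (200)"))

TRUNK_LINE = re.compile(r"Trunk vsans \(([^)]*)\)\s*\(([^)]*)\)")
FLOGI_ROW = re.compile(
    r"^(vfc\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s*$", re.M)


def expand(spec):
    """Expand a VSAN list such as '1,100-102' into a set of integers."""
    vsans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        vsans.update(range(int(low), int(high or low) + 1))
    return vsans


def parse_vfc(text):
    """Pull the interface name, port VSAN and per-state VSAN sets from the output."""
    name = re.search(r"^(vfc\d+) is ", text, re.M).group(1)
    port_vsan = int(re.search(r"Port vsan is (\d+)", text).group(1))
    states = {label: expand(spec) for label, spec in TRUNK_LINE.findall(text)}
    return {"name": name, "port_vsan": port_vsan, "states": states}


def assess(vfc_text, flogi_text):
    """Summarise whether the port VSAN is up and where the fabric logins landed."""
    vfc = parse_vfc(vfc_text)
    up = vfc["states"].get("up", set())
    allowed = vfc["states"].get("admin allowed and active", set())
    logins = [int(vsan) for name, vsan, *_ in FLOGI_ROW.findall(flogi_text)
              if name == vfc["name"]]
    return {
        "port_vsan_up": vfc["port_vsan"] in up,
        "allowed_not_up": sorted(allowed - up),
        "isolated": sorted(vfc["states"].get("isolated", set())),
        "logins_in_port_vsan": logins.count(vfc["port_vsan"]),
        "logins_elsewhere": sorted(v for v in logins if v != vfc["port_vsan"]),
    }


if __name__ == "__main__":
    print("lab output:      ", assess(VFC_OUTPUT, FLOGI_OUTPUT))
    print("constructed case:", assess(VFC_ISOLATED, ""))
```

For the lab output the port VSAN 200 is up with one login, and the only allowed VSAN not up is VSAN 1, shown as initializing, which is what the "Not all VSANs UP on the trunk" banner reflects.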
