Christian Hasse
chhasse@cisco.com
25.03.2010
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Introduction
Session Objectives
Elements of the Evolving Data Centre Access
Evolving Access Layer
[Figure: Core/Aggregation Layer (Core, MDS, Nexus 7000, Nexus 5000/7000) above an Access Layer built from 10 GigE/FCoE links, Nexus 2000 fabric extenders and Nexus 1000v virtual switches hosting VMs in blade slots 1-8. Server platforms shown left to right: 1G and 10GE Rack Mount Servers (HP/IBM/Dell); 1G and 10GE Blade Servers with Pass-Thru (HP); N4K - DCB Blade Switch (IBM/Dell); 10GE Blade UCS Compute Pod; UCS Compute Pod.]
Elements of the Evolving Data Centre Access
Nexus Data Center Access Technologies
[Figure: VMs on vSphere attached to a Nexus 1000V VEM; network interconnect concepts and the network protocols that are part of the design: Enhanced Spanning Tree, FCoE, Provisioning, Ethernet, Fibre Channel.]
Agenda
Elements of the Evolving Data Centre Access
Nexus Layer 2 Foundations
Virtualized Access Layer Design
vPC Design Principles
Extending vPC from access to aggregation
Nexus 2000 Fabric Extender – Physical Virtualization
Nexus 1000v – Embedded Virtual Switching
Nexus 4000 – Unified I/O
Summary
Nexus Layer 2 Foundations
A Closer Look at Layer 2
Do's:
Use MST for large scale Layer 2 environments: with MST the CPU load is relatively low even with a large number of trunks/VLANs
Check the documented VLAN/STP scale numbers for the target releases before making your design decision:
MST (Supported)
PVST (Not supported, but interoperable)
NX-OS always uses Extended System ID
[Figure: Network ports (N), some with Rootguard (R), between switches; all network ports send BPDUs]
Nexus Layer 2 Foundations
Dispute Mechanism
Nexus Layer 2 Foundations
Bridge Assurance
Specifies transmission of BPDUs on all ports of type "network".
Requires configuration; best practice is to set the global default to type "network" (the default is "normal").
In summary BA is the concept of IGP hellos applied to STP.
[Figure: a Root bridge connected over Network ports to a switch that is malfunctioning and has stopped sending BPDUs ("Stopped receiving BPDUs!"); the neighbouring switch moves its port to BA Inconsistent and blocks it. Edge ports toward hosts are unaffected.]
interface port-channel200
switchport mode trunk
switchport trunk allowed vlan 200-202
spanning-tree port type network
Nexus Layer 2 Foundations
Root Guard Prevents Unwanted Changes to STP Topology
Enable Root Guard on links connecting to the access layer to protect from edge switches becoming root and causing sub-
[Figure: Root Bridge and Secondary Root Bridge in the aggregation layer with Network ports (N) toward the access layer]
interface Ethernet1/32
description dc10-5020-4
switchport mode trunk
switchport trunk allowed vlan 15,98,180-183
spanning-tree port type network
spanning-tree guard root
Nexus Layer 2 Foundations
Spanning Tree Design Considerations – VLANs and MST
Nexus Layer 2 Foundations
Spanning Tree Design
Legend: N = Network port; E = Edge or portfast port type; - = Normal port type; B = BPDUguard; R = Rootguard; L = Loopguard
[Figure: three tiers. The Data Center Core connects to the Aggregation pair over Layer 3. Aggregation: HSRP ACTIVE / STANDBY, Primary Root / Secondary Root; the link between the aggregation switches runs Layer 2 (STP + BA + UDLD) on network (N) ports; the downlinks toward the access layer run Layer 2 (STP + BA + Root guard + UDLD), i.e. network ports with Rootguard (R). Access: uplinks are network ports, some with Loopguard (L); host-facing ports are edge (E) with BPDUguard (B), i.e. Layer 2 (STP + BPDUguard).]
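Added example, not from the deck: a Python model of the three STP guards on the design slide above (Bridge Assurance on network ports, Root Guard on links toward the access layer, BPDU Guard on edge ports), driven by constructed BPDU events. Port names, bridge IDs and the event timeline are constructed, and the number of missed hellos before Bridge Assurance blocks a port is an assumption of the model, not a quoted NX-OS timer.

```python
"""Model of the STP guards on the design slide: Bridge Assurance on "network" ports,
Root Guard on aggregation-to-access links, BPDU Guard on "edge" ports.  Added example;
the missed-hello tolerance is an assumption of this model."""
from dataclasses import dataclass
from typing import Optional

HELLO_TIME = 2.0     # seconds between BPDUs (STP default hello)
MISSED_HELLOS = 3    # assumption: hellos a network port may miss before BA blocks it


@dataclass
class Port:
    name: str
    port_type: str                  # "network" (BA active), "edge" (portfast) or "normal"
    root_guard: bool = False
    bpdu_guard: bool = False
    state: str = "forwarding"
    last_bpdu_rx: Optional[float] = None


def receive_bpdu(port: Port, now: float, sender_bridge_id: int, current_root_id: int) -> str:
    """Apply the guards to one received BPDU and return the resulting port state."""
    if port.port_type == "edge" and port.bpdu_guard:
        # BPDU guard: a host-facing edge port must never see a BPDU; err-disable it.
        port.state = "errdisabled"
        return port.state
    if port.root_guard and sender_bridge_id < current_root_id:
        # Root guard: a superior BPDU (lower bridge ID) from the access layer would
        # move the root; block the port rather than re-elect.
        port.state = "root-inconsistent"
        return port.state
    port.last_bpdu_rx = now
    if port.state == "ba-inconsistent":
        port.state = "forwarding"   # Bridge Assurance clears once BPDUs are heard again
    return port.state


def bridge_assurance_check(port: Port, now: float) -> str:
    """Bridge Assurance: a "network" port that is not hearing BPDUs is blocked,
    including a port that has never received one."""
    if port.port_type != "network" or port.state != "forwarding":
        return port.state
    silent = port.last_bpdu_rx is None or now - port.last_bpdu_rx > HELLO_TIME * MISSED_HELLOS
    if silent:
        port.state = "ba-inconsistent"
    return port.state


def run_scenario() -> dict:
    """Constructed timeline mirroring the slide's figures."""
    peer = Port("Po200", "network")                           # aggregation peer link
    to_access = Port("Eth1/32", "network", root_guard=True)   # aggregation -> access
    host = Port("Eth1/5", "edge", bpdu_guard=True)            # server-facing port
    ROOT, ACCESS_SW, ROGUE = 0x1000, 0x8000, 0x0001           # bridge IDs (constructed)
    for t in (0.0, 2.0, 4.0, 6.0):                            # healthy hellos
        receive_bpdu(peer, t, ROOT, ROOT)
        receive_bpdu(to_access, t, ACCESS_SW, ROOT)
    results = {"peer_in_tolerance": bridge_assurance_check(peer, 8.0)}
    results["peer_after_silence"] = bridge_assurance_check(peer, 20.0)   # peer went silent
    results["peer_recovered"] = receive_bpdu(peer, 21.0, ROOT, ROOT)
    results["to_access"] = receive_bpdu(to_access, 8.0, ROGUE, ROOT)      # claims a better root
    results["host"] = receive_bpdu(host, 8.0, ACCESS_SW, ROOT)            # switch on a server port
    return results


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(f"{name:20s} {state}")
```

The peer link shows the BA behaviour the slide describes: it stays forwarding while hellos arrive, is blocked as BA Inconsistent once the neighbour goes quiet, and recovers on the next BPDU without operator action.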
vPC Design principles
Feature Overview
vPC Design principles
vPC and VSS Comparison
                         vPC (Virtual Port Channels)                    VSS (Virtual Switching System)
Switch Configuration     Independent Configs (w/ consistency checker)   Single Configuration
Maximum Physical Nodes   2                                              2
ISSU Support             Yes on the Nexus 7000, non-disruptive ISSU     Disruptive
vPC Design principles
vPC Terminology (common to Nexus 5000/7000)*
vPC peer – a vPC switch, one of a pair
vPC member port – one of a set of ports (port channels) that form a vPC
vPC – the combined port channel between the vPC peers and the downstream device
vPC peer-link – link used to synchronize vPC peer state between vPC peer devices, must be 10GbE
vPC peer-keepalive link – the keepalive link between vPC peer devices, i.e., backup to the vPC peer-link
vPC VLAN – one of the VLANs carried over the peer-link and used to communicate via vPC with a peer device
non-vPC VLAN – one of the STP VLANs not carried over the peer-link
CFS – Cisco Fabric Services protocol, used for state synchronization and configuration validation between vPC peer devices
*vPC is within the context of a VDC (applies only to N7k)
[Figure: two vPC peers joined by the vPC peer-link (carrying the CFS protocol) and the vPC peer-keepalive link; vPC member ports on each peer form a vPC to a downstream device; a non-vPC device hangs off one peer.]
vPC Design principles
vPC Roles
Two Nexus running vPC appear as a single STP entity
vPC Role defines which of the two vPC peers processes BPDUs
Role matters for the behavior with peer-link failures!
Role is defined under the domain configuration
Lower priority wins; if tied, lower system MAC wins
Role is non-preemptive, so Operational Role is what matters
Operational Role may differ from the priorities configured under the domain
[Figure: aggregation peers 7k01/7k02 and access peers 5k01/5k02; in each pair one switch is labelled "Primary (but may be Operational Secondary)" and the other "Secondary (but may be Operational Primary)".]
vPC Design principles
Building a vPC domain - Deployment Steps
The following steps are needed to build a vPC (order does matter!):
1. Configure globally a vPC domain on both vPC devices
2. Configure a Peer-Keepalive link on both vPC peer switches (make sure it is operational)
   NOTE: When a vPC domain is configured the keepalive must be operational to allow a vPC domain to successfully form.
3. Configure (or reuse) an interconnecting port-channel between the vPC peer switches
4. Configure the inter-switch channel as Peer-link on both vPC devices (make sure it is operational)
5. Configure (or reuse) Port-channels to dual-attached devices
6. Configure a unique logical vPC and join port-channels across different vPC peers
[Figure labels: vPC peer, Standalone Port-channel, vPC, vPC member port]
vPC Design principles
Building a vPC domain – Peer-Keepalive (1 of 2)
Definition: vPC peer-keepalive link
vPC Design principles
Building a vPC domain – Peer-Keepalive (2 of 2)
Cautions/Additional Recommendations:
On the Nexus 7000 when using supervisor management interfaces to carry the vPC peer-keepalive, do not connect them back to back between the two switches.
Use the management interface only if you have an out-of-band management network (management switch in between).
[Figure: two vPC peers joined by the peer-link (vPC_PL), keepalive carried through a management switch]
vPC Design principles
Building a vPC domain – Peer-link requirements
Definition: vPC peer-link
Standard 802.1Q Trunk: can carry vPC and non-vPC VLANs*
Carries Cisco Fabric Services messages
Carries flooded and/or orphan port traffic from attached devices
Carries STP BPDUs, HSRP Hellos, IGMP updates, etc.
Requirements:
Member ports must be 10GE interfaces
Peer-links are point-to-point. No other device should be inserted between the vPC peers.
Recommendations (strong ones!):
Minimum 2x 10GbE ports on separate cards for best resiliency.
On the Nexus 7000, dedicated 10GbE ports are recommended (not shared mode ports).
*It is Best Practice to split vPC and non-vPC VLANs on different Inter-switch Port-Channels.
5020 (config)# interface port-channel 10
5020 (config-if)# switchport mode trunk
5020 (config-if)# switchport trunk allowed <BETTER TO ALLOW ALL VLANS>
5020 (config-if)# vpc peer-link
5020 (config-if)# spanning-tree port type network
vPC Design principles
vPC Forwarding Rule
To achieve the "optimal usage of peer-link" goal, learning on the Peer-link is such that the MAC addresses learned on a peer's vPC port are learned on "local" vPC ports instead of the Peer-link.
This is done by disabling learning in the hardware on Peer-link ports. The MAC addresses learned on a switch's non-vPC ports are notified to the peer switch via CFSoE in address update messages indicating the interface on which they were learned.
When the update message is received from the peer, the local switch updates the local MAC table with the destination of:
  - the local vPC port, if it was learned on a vPC port on the peer switch
  - the Peer-link port, if it was learned on a non-vPC port (Orphan Port)
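Added example, not from the deck: a Python model of the forwarding rule just described. Each peer learns MACs in hardware only on its own ports (never on the peer-link) and tells the other peer in a CFSoE-style address update that names the interface; the receiving peer points vPC-learned MACs at its own local member port and orphan-port MACs at the peer-link. Switch names, port names, vPC numbers and MACs are constructed; treating a vPC that exists only on the peer as reachable via the peer-link is an assumption of the model.

```python
"""Model of the vPC forwarding rule: learn locally, notify the peer via CFSoE, and let the
peer choose between its local vPC member port and the peer-link.  Added example; names
and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

PEER_LINK = "peer-link"


@dataclass
class VpcPeer:
    name: str
    vpc_ports: Dict[str, int]                               # local interface -> vPC number
    mac_table: Dict[str, str] = field(default_factory=dict) # MAC -> egress interface
    peer: Optional["VpcPeer"] = None

    def local_port_for_vpc(self, vpc_id: int) -> Optional[str]:
        for intf, vid in self.vpc_ports.items():
            if vid == vpc_id:
                return intf
        return None

    def learn(self, mac: str, interface: str) -> None:
        """Hardware learning on a local port, then a CFSoE-style notification to the peer."""
        if interface == PEER_LINK:
            raise ValueError("learning is disabled in hardware on peer-link ports")
        self.mac_table[mac] = interface
        # The update carries the vPC number when the port is a vPC member, otherwise
        # None, which tells the peer the MAC was learned on an orphan (non-vPC) port.
        self.peer.on_peer_update(mac, self.vpc_ports.get(interface))

    def on_peer_update(self, mac: str, vpc_id: Optional[int]) -> str:
        """Address update from the peer: choose where this switch will send the MAC."""
        local = self.local_port_for_vpc(vpc_id) if vpc_id is not None else None
        # Same vPC exists here: use the local member port and keep the peer-link idle.
        # Orphan port (or a vPC this switch lacks, an assumption): reachable only via peer-link.
        self.mac_table[mac] = local if local else PEER_LINK
        return self.mac_table[mac]

    def forward(self, dst_mac: str) -> str:
        return self.mac_table.get(dst_mac, "flood")


def build_example():
    """vPC 51 and 52 are dual-attached hosts; Eth1/20 on NX02 is a single-attached device."""
    nx01 = VpcPeer("NX01", {"Po51": 51, "Po52": 52})
    nx02 = VpcPeer("NX02", {"Po51": 51, "Po52": 52})
    nx01.peer, nx02.peer = nx02, nx01
    nx01.learn("MACA", "Po51")      # host A's frame hashed onto NX01's member of vPC 51
    nx02.learn("MACB", "Po52")      # host B's frame hashed onto NX02's member of vPC 52
    nx02.learn("MACC", "Eth1/20")   # orphan port: only NX02 can reach it directly
    return nx01, nx02


if __name__ == "__main__":
    a, b = build_example()
    for mac in ("MACA", "MACB", "MACC"):
        print(mac, a.name, a.forward(mac), "|", b.name, b.forward(mac))
```

Only MACC, learned on an orphan port, ends up pointing at the peer-link on NX01; the dual-attached hosts are reached through each switch's own vPC member port, which is the "optimal usage of peer-link" the slide aims for.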
vPC Design principles
Example of Forwarding
[Figure: vPC1 and vPC2 hanging off the vPC peers, with MACA behind vPC1 and MACB behind vPC2]
vPC Design principles
vPC Control Plane – Consistency Check
Both switches in the vPC Domain maintain distinct control planes
CFS provides for protocol state synchronization between both peers (MAC Address table, IGMP state, …)
System configuration must also be kept in sync
Currently a manual process with an automated consistency check to ensure correct network behavior
Two types of consistency checks:
Type 1 – Will put interfaces into suspend state to prevent invalid forwarding of packets
Type 2 – Error messages to indicate potential for undesired forwarding behavior
[Figure: NX01 and NX02 running Consistency Checks against each other]
vPC Design principles
Type 2 Consistency Check
Type 2 Consistency Checks are intended to prevent undesired forwarding
NX01:
interface port-channel51
switchport mode trunk
switchport trunk allowed vlan 100-105
vpc 51
spanning-tree port type network
NX02:
interface port-channel51
switchport mode trunk
switchport trunk allowed vlan 100-104
vpc 51
spanning-tree port type network
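Added example, a model and not the NX-OS consistency checker itself: it parses the vPC-relevant parts of two peers' configurations and classifies each mismatch as Type 1 (vPC suspended) or Type 2 (warning only), following the definitions on the previous slides. The slide above shows the allowed-VLAN list as Type 2 and the later slide shows the STP mode as a global Type 1; which class the remaining parameters fall in is an assumption of this model. Both configurations are constructed from the slide's NX01/NX02 snippets, with a deliberate STP mode mismatch added to exercise the global check.

```python
"""Model of vPC consistency checking between two peers.  Added example; the class of
every parameter other than allowed VLANs (Type 2) and STP mode (Type 1) is an assumption."""
from typing import Dict, List, Set, Tuple

GLOBAL_PARAMS = {"spanning-tree mode": 1}
INTERFACE_PARAMS = {"switchport mode": 1, "spanning-tree port type": 1,
                    "switchport trunk allowed vlan": 2}
ACTION = {1: "suspend vPC member ports", 2: "log error, keep forwarding"}


def expand_vlans(spec: str) -> Set[int]:
    """'100-102,105' -> {100, 101, 102, 105}"""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse(config: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global params, {vPC id: interface params}) from a config snippet."""
    globals_: Dict[str, str] = {}
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {})
        elif current is None:
            for key in GLOBAL_PARAMS:
                if line.startswith(key + " "):
                    globals_[key] = line[len(key):].strip()
        elif line.startswith("vpc "):
            current["vpc"] = line[4:].strip()
        else:
            for key in INTERFACE_PARAMS:
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
    by_vpc = {p["vpc"]: p for p in interfaces.values() if "vpc" in p}
    return globals_, by_vpc


def check(cfg_a: str, cfg_b: str) -> List[dict]:
    """Compare two peers; global findings first, then per vPC present on both."""
    ga, va = parse(cfg_a)
    gb, vb = parse(cfg_b)
    findings: List[dict] = []
    for key, cls in GLOBAL_PARAMS.items():
        if ga.get(key) != gb.get(key):
            findings.append({"type": cls, "scope": "global", "param": key,
                             "detail": f"{ga.get(key)!r} vs {gb.get(key)!r}", "action": ACTION[cls]})
    for vpc_id in sorted(set(va) & set(vb)):
        for key, cls in INTERFACE_PARAMS.items():
            a, b = va[vpc_id].get(key), vb[vpc_id].get(key)
            if key == "switchport trunk allowed vlan" and a and b:
                only_one = sorted(expand_vlans(a) ^ expand_vlans(b))
                if not only_one:
                    continue
                detail = "VLAN(s) not on both peers: " + ",".join(map(str, only_one))
            elif a == b:
                continue
            else:
                detail = f"{a!r} vs {b!r}"
            findings.append({"type": cls, "scope": f"vpc {vpc_id}", "param": key,
                             "detail": detail, "action": ACTION[cls]})
    return findings


# Constructed configurations: the slide's vPC 51 mismatch plus differing STP modes.
NX01 = """
spanning-tree mode mst
interface port-channel51
  switchport mode trunk
  switchport trunk allowed vlan 100-105
  vpc 51
  spanning-tree port type network
"""
NX02 = """
spanning-tree mode rapid-pvst
interface port-channel51
  switchport mode trunk
  switchport trunk allowed vlan 100-104
  vpc 51
  spanning-tree port type network
"""

if __name__ == "__main__":
    for f in check(NX01, NX02):
        print(f"Type {f['type']} [{f['scope']}] {f['param']}: {f['detail']} -> {f['action']}")
```

Run against the slide's pair the checker reports VLAN 105 as a Type 2 difference on vPC 51 (forwarding continues, the VLAN is simply not consistent on both sides) and the STP mode as a global Type 1 that would suspend the vPC, which is the distinction the slides draw between the two classes.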
vPC Design principles
vPC consistency
jumbo frames
VLAN Mapping
vPC Design principles
Be mindful of Global Type-1 inconsistencies
You need to change MST on both NX01 and NX02
vPC Design principles
Attaching to a vPC Domain - STP Interoperability
STP Uses:
• Loop detection (failsafe to vPC)
• Non-vPC attached device
• Loop management on vPC addition/removal
Requirements:
• Needs to remain enabled, but doesn't dictate vPC member port state
• Logical ports still count, need to be aware of number of VLANs/port-channels deployed!
Best Practices:
• Not recommended to enable Bridge Assurance feature on vPC channels (i.e. no STP "network" port type). Tracked by CSCsz76892.
• Make sure all switches in your layer 2 domain are running with Rapid-PVST or MST (IOS default is non-rapid PVST+), to avoid slow STP convergence (30+ secs)
• Remember to configure portfast (edge port-type) on host facing interfaces to avoid slow STP convergence (30+ secs)
[Figure: vPC domain alongside STP; STP is running to manage loops outside of the vPC's direct domain, or before initial vPC configuration]
vPC Design principles
Attaching to a vPC Domain - "My device can't be dual attached!"
Recommendations (in order of preference):
1. ALWAYS try to dual attach devices using vPC (not applicable for routed links).
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths through vPC.
   CONS: None
2. If (1) is not an option – connect the device via a vPC attached access switch (could use VDC to create a "virtual access switch").
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Availability limited by the access switch failure.
   CONS: Need for an additional access switch or need to use one of the available VDCs. Additional administrative burden to configure/manage the physical/Virtual Device
3. If (2) is not an option – connect device directly to (primary) vPC peer in a non-vPC VLAN* and provide for a separate interconnecting port-channel between the two vPC peers.
   PROS: Traffic diverted on a secondary path in case of peer-link failover
   CONS: Need to configure and manage additional ports (i.e. port-channel) between the Nexus 7000 devices.
4. If (3) is not an option – connect device directly to (primary) vPC peer in a vPC VLAN
   PROS: Easy deployment
   CONS: VERY BAD. Bound to vPC roles (no role preemption in vPC), Full Isolation on peer-link failure when attached vPC toggles to a secondary vPC role.
* VLAN that is NOT part of any vPC and not present on vPC peer-link
vPC Design principles
Attaching to a vPC Domain - vPC and non-vPC VLANs (i.e. single attached ..)
[Figure: four single-attached variants on a vPC pair; P = Primary vPC, S = Secondary vPC; the single-attached devices hang off Orphan Ports]
* Run the same STP mode as the vPC domain. Enable portfast/port type edge on host facing ports
vPC Design principles
Attaching to a vPC Domain - vPC and non-vPC VLANs (STP/vPC Hybrid)
1. All devices Dual Attached via vPC
2. Separate vPC and STP VLANs (non-vPC port-channel between the peers)
Legend: P = Primary vPC; S = Secondary vPC; SR / PR = Secondary / Primary Root; L = Loopguard; UDLD on inter-switch links
[Figure: HSRP Domain with HSRP ACTIVE / STANDBY (Layer 3) on the Aggregation pair (Primary vPC / Secondary vPC, Primary Root / Secondary Root, network ports between them); downlinks run Layer 2 (STP + Rootguard) with normal (-) ports and Rootguard (R); Access uplinks are normal ports or Loopguard (L); host-facing ports are edge (E) with BPDUguard (B): Layer 2 (STP + BPDUguard)]
vPC Design principles
Attaching to a vPC Domain - 16-way Port-Channel (1 of 2)
vPC Design principles
Attaching to a vPC Domain - 16-way Port-Channel (2 of 2)
Extending vPC from access to aggregation
Double-sided vPC between N7K and N5K
[Figure: DESIGN 1 – links 1, 2, 3 between the aggregation vPC pair and the access vPC pair]
Extending vPC from access to aggregation
Double-sided vPC Nexus 7000/5000/2000 A/A
[Figure: DESIGN 2 and DESIGN 3 – N7k01/N7k02 pairs with links 1-4 toward the access tier (5-8 on the second tier), and access links 1-3 toward the Nexus 2000]
Extending vPC from access to aggregation
LAGID = [System-id for switch 1, Administrative-key-switch1 (channel-group-id), 0, System-id for switch 2, Administrative-key-switch2 (channel-group-id), 0]
system-id of "switch 2" = [system priority, MAC address of the "switch"]
The "MAC" of the switch is derived from the domain-id or set with the system-mac command; the vPC peers must have the same "MAC" of switch.
Same domain-id means the same MAC (7k / 5k have the same algorithm).
[Figure: N7k01/N7k02 pair above N5k01/N5k02 pair in a back-to-back vPC]
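Added example, not from the deck: a Python routine that builds the LACP system-id and LAGID the slide spells out for a double-sided vPC and applies the checklist rule that the aggregation pair and the access pair must not present the same system-id. The pattern used to derive a MAC from the domain-id is an assumption of this model; switch names, domain-ids and channel-group numbers are constructed.

```python
"""LACP system-id / LAGID for a back-to-back vPC and the "domain-id or system-mac must
differ" design check.  Added example; the domain-id-to-MAC pattern is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPC_MAC_PREFIX = "00:23:04:ee:be"   # assumption for this model: last octet = domain-id


def vpc_system_mac(domain_id: int, system_mac: Optional[str] = None) -> str:
    """MAC a vPC pair presents in LACP: an explicit `system-mac` wins, otherwise the
    address is derived from the domain-id (same algorithm on 7k and 5k in this model)."""
    if system_mac:
        return system_mac.lower()
    if not 1 <= domain_id <= 255:
        raise ValueError("domain-id must fit in one octet in this model")
    return f"{VPC_MAC_PREFIX}:{domain_id:02x}"


@dataclass(frozen=True)
class VpcPair:
    name: str
    domain_id: int
    system_priority: int = 32768          # LACP default system priority
    system_mac: Optional[str] = None      # set when `system-mac` is configured

    def system_id(self) -> Tuple[int, str]:
        """[system priority, MAC address of the "switch"] as on the slide."""
        return (self.system_priority, vpc_system_mac(self.domain_id, self.system_mac))


def lag_id(sw1: VpcPair, key1: int, sw2: VpcPair, key2: int) -> tuple:
    """LAGID = [system-id 1, admin key 1 (channel-group-id), 0, system-id 2, admin key 2, 0]."""
    return (sw1.system_id(), key1, 0, sw2.system_id(), key2, 0)


def check_double_sided_vpc(agg: VpcPair, access: VpcPair) -> List[str]:
    """Checklist rule: the two pairs must not share an LACP system-id, i.e. change the
    vpc domain-id or set system-mac on one of them."""
    problems = []
    if agg.system_id() == access.system_id():
        problems.append(f"{agg.name} and {access.name} both present LACP system-id "
                        f"{agg.system_id()}: change vpc domain-id or system-mac on one pair")
    return problems


if __name__ == "__main__":
    n7k = VpcPair("N7k pair", domain_id=10)
    n5k_copied = VpcPair("N5k pair", domain_id=10)    # domain-id copied from the aggregation
    n5k_ok = VpcPair("N5k pair", domain_id=20)
    print(check_double_sided_vpc(n7k, n5k_copied))
    print(check_double_sided_vpc(n7k, n5k_ok))
    print(lag_id(n7k, 1, n5k_ok, 300))
```

The check is the one a reviewer would run on the two domain configurations before bringing up the back-to-back port-channel: with a copied domain-id both ends of the LAGID carry the same system-id, and the fix is either a distinct domain-id or an explicit `system-mac` on one pair.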
Extending vPC from access to aggregation
Loop Free access
[Figure: SW01/SW02 access switches above N5k01 (primary) and N5k02 (secondary) joined by the Peer Link; callout on both sides: "Clear access VLANs to create a Loop Free Topology"]
Extending vPC from access to aggregation
Loop Free access – Clear access VLANs to create a Loop Free Topology
to: http://wwwin-eng.cisco.com/Eng/SAVBU/TechMktg/vpc-access-layer-wo-vpc-agg.ppt
Extending vPC from access to aggregation
Multi-Layer vPC Logic equivalent
[Figure: vPC on the N7k acting as the STP Root above N5k01 (primary) and N5k02 (secondary) joined by the Peer Link]
Extending vPC from access to aggregation
Incorrect Configuration
vPC at the Aggregation Layer (vPC on the N7k, root) and vPC at the Access Layer configured as Two Separate vPCs: One of the vPCs is blocking
[Figure: N7k01/N7k02 (Root) above N5k01 (primary) / N5k02 (secondary) with Peer Link; two separate vPCs, one of them blocked by STP]
Extending vPC from access to aggregation
Spanning-Tree
[Figure: N7k01 – Secondary Root, bridge id 80c2, vPC operational secondary; N7k02 – Primary Root, bridge id ac32, vPC operational primary; joined by the Peer-link (RP on N7k01, DP on N7k02). Each N7k has up to 8 links in the vPC toward N5k01 (vPC operational secondary) and N5k02 (vPC operational primary), which are joined by their own Peer-link; the root bridge is ac32, the N5k ports toward it are RP and the remaining ports DP.]
Extending vPC from access to aggregation
Nexus 7000 End of Row Access-Layer design
Design Benefits
Large VLAN Scale: 4K VLAN (per VDC)
segmentation
Flexibility of connectivity options – 1/10GE, STP Network Port
High-density access with Nexus 7010 (even higher with 7018).
Carrier Class availability
Hardware High availability: dual
Positioning
1/10GE Blade Servers
Environments with existing structured End of Row cabling (EoR/MoR)
[Figure: Core above an Access tier of Nexus 7000 end-of-row switches connecting to servers and VMs]
Extending vPC from access to aggregation
Nexus vPC Latest Enhancements
Several recent enhancements to vPC in 4.2
Some of these are specific to the L2/L3 boundary, for more details:
Extending vPC from access to aggregation
Summary Checklist for vPC Design (1)
Choose between MST and Rapid PVST+
With MST be aware of the NXOS VLAN range and of the Global Type-1 Inconsistencies, hence configure VLAN-to-region mappings from day 1
Connect the N7ks with redundant peer-links across linecards
Connect the N5ks with redundant peer-links
[Figure: N7k01/N7k02 pair with links 1-4 above an access pair with links 1-3]
Extending vPC from access to aggregation
Summary Checklist for vPC Design (2)
Create a single Port-channel leveraging LACP between Aggregation and Access
Ensure domain-id or system-mac differs between Agg pair and Access pair
On the Nexus 5000 layer calculate and check VLAN utilization keeping FCoE and VSANs into account
Trim VLANs that are used for VSANs from the uplinks going to a Nexus 7000
When available leverage LACP for teaming between servers and FEX/5k
Do not forget that putting a VLAN on a vPC requires that that VLAN be on the Peer-link too
Make sure the configuration is not causing Type-1 Inconsistencies
[Figure: N7k01/N7k02 (links 1-4) above N5k01/N5k02 (links 5-8) above N2k01/N2k02 (links 1-3)]
Extending vPC from access to aggregation
Nexus 5000/7000 Scalability Numbers
[Table: Release / Supported Scalability]
* NOTE: Supported numbers of VLANs on vPCs are NOT related to a hardware or software limit but reflect what has been currently validated by our QA. The BUs are planning to continuously increase these numbers as soon as new data-points become available.
Nexus Fabric Extender
Fabric Extender Terminology
Parent Switch: Acts as the combined Supervisor and Switching Fabric for the virtual switch (the Nexus 5000)
Fabric Links: Extend the Switching Fabric to the remote line card (Connects Nexus 5000 to Fabric Extender)
Host Interfaces (HIF)
Fabric connectivity between Nexus 5000 and Nexus 2000 (FEX) can leverage either pinning or port-channels
[Figure: two topologies. Left: 5k01 (primary) / 5k02 (secondary) with mgmt0 and Peer-link, "fabric links" to FEX100/FEX101, HIF ports to servers; callouts "LACP is supported" and "Server 2-GigE ports host port channel". Right: 5k01/5k02 with vPC 1 / vPC 2 fabric links to FEX100/FEX120, 2 HIF ports to a server; callout "vPC: 802.3ad not supported in this topology".]
Fabric Extender
BPDU "filtering" + guard (not an oxymoron)
[Figure: vPC pair with Peer Keepalive; a HIF that receives a BPDU goes Errdisable]
Fabric Extender
Port Type Edge (Portfast or Trunkfast)
[Figure: 5k pair with Peer Keepalive, FEX100/FEX101 with HIF ports]
Fabric Extender vPC HIF Ports
Do not forget putting HIF VLANs on the peer-link
[Figure: vPC pair with Peer Keepalive]
Fabric Extender Mixed Topology
vPC is a per line card (FEX) behaviour
[Figure: Management Network with mgmt0 on 5k01 (primary) and 5k02 (secondary); FEX100/FEX120 dual-homed, FEX101/FEX121 serving 2-GigE ports host port channel, single attached servers and/or A/S teaming]
Fabric Extender Scaling
Nexus 2000 Single Homed (aka Straight Through)
Typical Redundant Deployment as of 4.0(1a)
[Figure: FEX101 straight-through to one parent]
http://www.cisco.com/en/US/partner/products/ps9670/products_installation_and_configuration_guides_list.html
Fabric Extender Scaling
Port-Channels & vPC
[Figure: 5k01 (primary) / 5k02 (secondary) with Peer-link; "fabric links" to FEX100/FEX120 either as port-channels (eth2/1,2/2 and eth2/3,2/4) or as 2 pinned ports (eth2/1 and eth2/2); vPC from the HIF ports down to servers]
Fabric Extender Scaling
Scalability for "Host" vPC Nexus 2000 straight-through
[Figure: n5k01 / n5k02 with straight-through FEXes]
Fabric Extender Scaling
Nexus 2000 dual-homed
[Figure: 5k01 (vPC Primary) / 5k02 (vPC Secondary), Po10 to each FEX; max 12 FEXes]
Summary
Cisco Nexus 1000V
Components
[Figure: Cisco VSMs, vCentre Server, and VMs #1 – #9]
Connecting the Virtual Access Layers
Connecting Nexus 1000V to 2148T without vPC
Connecting the Virtual Access Layers
Connecting Nexus 1000V to 2148T
Connecting the Virtual Access Layers
Connecting Nexus 1000V to 2148T
vPC between a pair of N5K/N2K allows symmetrical Etherchannels
One of the benefits of using port-channels for connectivity is the reduction in the amount of flooding / broadcast that the software switch has to drop
17 hashing algorithms available
[Figure labels: vPC, MCEC Bundles]
Unified Fabric
Where we started - Segregated Fabrics
Unified Fabric with FCoE
Phase 1 – Where we have been
Unified Fabric with FCoE
Phase 2 – Where we are today (FIP support)
Unified Fabric with FCoE
Phase 2 – Adding the Nexus 4000 (Q4CY09)
Mezzanine CNAs can be installed within Blade Enclosures, connecting up to Nexus 4000 Blade Switches.
Unified Fabric with FCoE
Phase 2 – Adding the Nexus 4000 (Q4CY09)
Nexus 4001I Switch Module
14 x 10G downlinks & 6 x 10G uplink ports
Dual-mode downlink ports (1G / 10G to server)
RJ-45 Management interface
RS-232 Console port
Goes in high-speed slots in IBM BCH or BCH-T
Max of Four 4001I per chassis
Support CX1 SFP+, SR, LSR optics
[Figure: the module with its 10G uplink ports, Console, Management and Ejector Handles labelled]
Unified Fabric with FCoE
FIP Snooping
FIP Snooping – Nexus 4000
Security (Protection from MAC Address spoofing of FCoE end devices "ENode")
Fibre Channel links are Point-to-Point
Ethernet bridges can utilize ACLs to provide the equivalent path control (equivalent of point-to-point)
FIP protocol allows for efficient automatic configuration of the ACLs necessary to lock down the forwarding path (FIP Snooping)
[Figure: FIP Capable Topology. A SAN with an FCF (FCF MAC 0E.FC.00.DD.EE.FF) is reached through a FIP Snooping bridge; an end device on the bridge presenting a Spoofed MAC 0E.FC.00.DD.EE.FF is blocked.]
Data Center HA Design and FCoE
Ethernet, a historical perspective
The L2 network is a communication pipe
Amorphous pipe, amorphous end device relationships
East-west vs. north-south traffic ratios are undefined
Maximum flexibility
Network designs fill the void
Give shape to device roles, client/server relationships, availability semantics
[Figure: Ethernet switches with unlabelled ("?") end devices attached; Client/server relationships undefined]
Data Center HA Design and FCoE
Fibre Channel, a historical perspective
The L2 network embeds most services and provides end device connectivity
Only north-south traffic, east-west traffic mostly irrelevant
Tailored to fit one function (limited flexibility)
Network designs build scale and enhance availability
Everything else is predetermined
[Figure: Fibre Channel switches running FSPF, DNS, Zone and RSCN services; targets T0–T2 and initiators I0–I5; Client/server relationships fixed as I(c) to T(s)]
Data Center Access Architecture
FCoE High Availability Design Considerations
In a Unified I/O configuration (FCoE) we have two distinct topologies:
Isolated access switches - SAN 'A' and SAN 'B'
Combined access switches – vPC supporting MCEC
To ensure correct forwarding behavior the 'vfc' interface can only be associated with a vPC etherchannel (only one physical interface per switch)
Works with Gen-2 FIP enabled CNAs ONLY
While the Port-channel is the same on 5k1 and 5k2, the FCoE VLANs are different.
FCoE VLANs are NOT carried on the peer-link
[Figure: Direct Attach Topology – LAN, SAN A, SAN B; two Nexus 5000 FCFs; host-facing ports are type edge trunk]
Data Center Access Architecture
FCoE High Availability Design Considerations
A VLAN is dedicated for every VSAN in the fabric.
The VLAN is signaled to the hosts over FIP
The FCoE controller in the host tags all subsequent FIP login and FCoE frames with the signaled FCoE VLAN
This does not require trunking to be enabled at the host driver as tagging is performed by the FCoE controller on the host.
All ports in the FCoE network would have to be enabled for trunking to be able to carry VLAN tagged frames.
[Figure: Direct Attach Topology – LAN, SAN A, SAN B, two Nexus 5000 FCFs. Host links carry VLAN 10,20 to one switch and VLAN 10,30 to the other; one link is labelled "VLAN 10 ONLY HERE!"]
!VLAN 20 is dedicated to carry traffic for VSAN 2
(config)# vlan 20
(config-vlan)# fcoe vsan 2
Data Center Access Architecture
FCoE High Availability Design Considerations
Single initiator dual homed via a Port-Channel to a single Nexus 5000
No ability to isolate SAN 'A' and SAN 'B'
This is an unsupported configuration
Not consistent with Fibre Channel High Availability design requirements
Neither Direct Attach nor Multi-Hop Capable CNAs currently supported
[Figure: Direct Attach Topology – LAN, SAN A, SAN B; two Nexus 5000 FCFs; legend 4G FC, 10G Ethernet, 10G Unified I/O]
Data Center Access Architecture
FCoE High Availability Design Considerations
Initial vPC is supported as it is possible to isolate the SAN 'A' and SAN 'B' traffic between the CNAs and first hop switches
No ability to isolate SAN 'A' and SAN 'B' between the first and second tier of switches
This is an unsupported configuration
Not consistent with Fibre
[Figure: FIP Capable Topology – LAN, SAN A, SAN B; FIP Snooping first tier below an FCF; callouts "FCoE frames load balanced over the Etherchannel" and "NO SAN 'A' and SAN 'B' isolation"; legend 4G FC, 10G Ethernet, 10G Unified I/O, Multi-Hop Capable]
Data Center Access Architecture
FCoE and Nexus 4000 Design Considerations
[Figure: Blade Chassis with Multi-Hop Capable CNAs; legend 4G FC, 10G Ethernet, 10G Unified I/O]
Data Center Access Architecture
Nexus 4000 – Ethernet Only
'B' topologies
No server side vPC is currently supported
[Figure legend: 10G Ethernet]
Multi-Hop Unified Fabric Configuration
FCoE Multi-Hop Configuration
Nexus 5000:
• Switching mode for FC traffic
• VSAN 1 Mapped to VLAN 30 for FCoE
• VFC interface will bind to MAC Address of Blade Server
• Port-Channel downlink to N4K will be "mode trunk" (all vlans will be allowed)
[Figure: FIP Capable Topology – LAN, SAN A, SAN B; N5K-1 and N5K-2 as FCFs above a Nexus 4000 in a Blade Chassis with Multi-Hop Capable CNAs; legend 4G FC, 10G Ethernet, 10G Unified I/O]
Multi-Hop Unified Fabric Configuration
N5K1 – Enabled FCoE and vPC
n5k-1(config)# feature lacp
n5k-1(config)# interface port-channel 1
n5k-1(config-if)# switchport mode trunk
n5k-1(config-if)# switchport trunk allowed vlan except 30-31
n5k-1(config-if)# interface ethernet 1/17 - 18
n5k-1(config-if-range)# switchport mode trunk
n5k-1(config-if-range)# switchport trunk allowed vlan except 30-31
n5k-1(config-if-range)# channel-group 1 mode active
n5k-1(config)# interface port-channel 300
n5k-1(config-if)# switchport mode trunk
n5k-1(config)# interface ethernet 1/9 - 10
n5k-1(config-if-range)# switchport mode trunk
n5k-1(config-if-range)# channel-group 300 mode active
Multi-Hop Unified Fabric Configuration
N4K1 – Enabled Uplinks and FIP Snooping
n4k-1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
n4k-1(config)# feature lacp
n4k-1(config)# feature fip-snooping
n4k-1(config)# interface port-channel 10
n4k-1(config-if)# switchport mode trunk
n4k-1(config-if)# fip-snooping port-mode fcf
n4k-1(config-if)# interface ethernet 1/15 - 16
n4k-1(config-if-range)# switchport mode trunk
n4k-1(config-if-range)# fip-snooping port-mode fcf
n4k-1(config-if-range)# channel-group 10 mode active
n4k-1(config)# vlan 30
n4k-1(config-vlan)# fip-snooping
n4k-1(config-vlan)# show running-config vlan 30
version 4.1(2)E1(1)
vlan 30
fip-snooping enable
n4k-1(config-vlan)# interface ethernet 1/4
n4k-1(config-if)# switchport mode trunk
n4k-1(config-if)# spanning-tree port type edge trunk
n4k-1(config-if)# show fip-snooping vlan-discovery
Legend:
-------------------------------------------------------------------------------
Interface VLAN FIP MAC
-------------------------------------------------------------------------------
Eth1/4 1 00:c0:dd:04:0d:11
[Figure: N5K-1/N5K-2 above N4K-1/N4K-2 in the Blade Center; port-channel 10 is the FCF-facing uplink, ethernet 1/4 the edge trunk toward the blade]
Summary
Assembling the New Data Centre Edge
[Figure: same diagram as "Evolving Access Layer" – Core/Aggregation Layer (Core, MDS, Nexus 7000, Nexus 5000/7000) above the Access Layer (10 GigE/FCoE, Nexus 2000, Nexus 1000v with VMs in blade slots 1-8); server platforms: 1G and 10GE Rack Mount Servers (HP/IBM/Dell), 1G and 10GE Blade Servers with Pass-Thru (HP), N4K - DCB Blade Switch (IBM/Dell), 10GE Blade UCS Compute Pod, UCS Compute Pod]
Additional Resources
Public References
Key Takeaways