Networking, Security & Cloud Knowledge

Saturday, October 25, 2014

Cisco NEXUS switch and Virtualization

NX -OS  next generation operating system Featrue
Chapte 1 : New feature in Nexus
·         Modular
o   Enable particular module in nexus
o   E.g  Feature eigrp  or No feature eighrp to enable or disable eigrp

·         High availability à PSS - Persistence storage service: If BGP process crashes , it will not crash underlining operating system and that processes gracefully restart and it will have all state information before the crash.
·         Unified os for lan and san,
o    prior to this we had iOS  with IP protocol and SAN OS with Fiber channel protocl,
o   Reason for lan and san segregation
§  Security
§  Bandwidth
§  flow control
§  performance
o   Flow control:
§  LAN  - sender keep sending till receiver respond
§  SAN   - Receiver defines how much data transmitter can send

o   MX-OS 4.1 or higher run on MDS (multilayer director switch) as well as Nexus 7K as 5K.
o   Unification of lan and san using 10Gbps ethernet using FCoE

·         Role based access
o   Privilege levels access – method is in old ios
o   Views      - access based on view  - prior to nx-os
o   In nexus there is role based access
§  Eg:  username admin password Cisco 123 role {  network-admin | network-operaor | priv-0 -15 |vdc-admin | vdc-operator }
§  Vdc-admin or vdc operator option : In N7K we can have virtual Device  context (VDCs) and have separate admin for each context.

·         Cisco layered approach
o    scalability
o   resilient – failover














Chapter 2 : NEXUS Family:
The nexus 7000 series
·         Models:
o   7009  -2sup slots , 7 i/o module slots
o   7010 - 2sup slots, 8 i/o module slots
o   7018 - 2sup slots, 16 i/o module slots
·         L2/L3, DCP (data center bridging), FCoE
·         ISSu ( in service software upgrade)
·         VDCs (virtual device context)
·         Modularity
·         Separation of CP  (control plan) and DP (Data plan)
·         RBAC (role based Access control)
·         EEM  (Embedded event manager)
·         Call home
·         Dual supervision
·         Dual CMP (connectivity management processor) with own  memory , power and software. It provide lights out connectivity ( OOB )
·         Dual redundant central Arbiter of particular traffic – multiple path through architecture of devices.
·         Redundant fan module – hot swappable fan tray

Sup 1 is Eosale and EoL and replacement is Sup 2E ( dual quad-core cpu with 32GB RAM)


Licensing of software
1 default base license
2 enterprise lan license - for dynamic routing and multicast
3 advanced enterprise lan license - VDC, Cisco trust sec
4 mpls license  - mpls routing
5 transport service – OTV (Overlay transport virtualization)
6 enhance L2 services - fabric path

Command
Download license, store on boot flash and use following command
# install license    <-- install="" license="" o:p="" to="">
#Show license usage

Trial license: 120 day grace period for testing before buying license.

Modules: sup card, line card and fabric module

Fabric module support virtual output queuing.



Power Redundancy: with respect to  7010 we have similar option in UCS.
·         Combined power mode – no redundancy – all power supply work together.
·         Power supply redundancy  ( n +1)
·         Input source redundancy ( external power failure ) / grid power redundancy
·         Complete redundancy ( Power supply + input source
Nexus 7009 v6
Nexus 7009 v6.0(2) w/ SUP1, 10GE F1, 10GE M1
M1 module support L3 feature
F1 module is L2 feature
    Cisco fabric path similar to TRIL Transparent interconnection of lots of link

---------------------------------------------------------------------------
The Nexus 5000 series
5010   - throughput 520 gigbit per secon
5020
5548
5596  -  throughput  1.92 Tbps 

Common features in 5500 series
DCB –data center bridging
FCoE – Fiber channel over Ethernet
GEMS – generic expansion module slot – add FCoE

55XX L3 routing capability,
 routing can be enabled on
5548  with N55 –D160 L3 card.
5596 with N55-M160 L3
Port density is different in each model e.g in 5596 96 à 96 1 gig Ethernet port density

Nexus 5548 v5.1 (3)
Feature : unified port

------------------------------------------------------------------------------------------
The Nexus 2000 series
Function at Top or rack ToR, all c-series devices are connected to N2K device on ToR and N2K are managed by N5K device at EoR ( End of Rack)

2000 series are called a FEX – fabric extender

Redundancy using 2000 ToR and 5000 EoR



Model  nexus 2000 series  ( scalability ,oversubscription,  host port and fabric port )
·         2148  
o   4 X 10G fabric port,  1 port channel with max 4 port,  48 host port but no port channel, no FCoE
·         2224  
o   2 X 10G fabric port, 1 port channel port,  24 X 1G host port 24 port channel with max 8 port in one of the port channle, no FCoE
·         2248
o   4 X 10G fabric port, 1 port channel port,  48 X 1G host port 24 port channel , no FCoE

·         2232
o   8 X 10G fabric port, 1 port channel ,  32 X fiber optic host port 16port channel , only can supply FCoE on ToR location

---------------------------------------------------------------------------------------
Nexus 1000v v4.2   virtualized Ethernet module or supervisior moduel


















Chapter 3: MDS family (multilayer director switch)
9500 series
9124
9148
9222i


9500
·         TABLE:
Model   --  FC port density
9506  --     192
9509   --    336
9513 --     528
·         nonblocking - virtual output queuing
Requirement  for  SAN - not packet loss and low latency

·         high bandwidth  2.2 Tbs internal bandwidh / 160 gbps (16 ISL bundle)

·         Low latency – less than 20microsecond per hop

·         Mulit protocol  ( FC, FC0E, FICON, FCIP, iSCSI)

·         Scalable – VSAN (virtual storage Area network ) Cisco invension

·         Secure - port security

·         High availability – dual sup, dual clock, dual power


·         sup2 (no FCoE) and sup2-A (FCoE),  Intercross bar Fabric (traffic cop) in 9506 and 9509 in 9513 will have separate intercross bar fabric module

·         Licensing types of MDS – feature based and module based.

o   feature based
§  ENt –security
§   sanover ip – FCIP
§  main frame – FICON
o   -module based



-----------------------------------------------------------------------------------------------------------------

Cisco MDS 9124
24 port – 8 default and 16 on-demand port
NPV (n port virtualization)

Cisco MDS 9148
  16-32-48 base license

Cisco MDS 9222i
Flexible with expansion slot support vide verity of module
18 FC 4gbps Ethernet port used for FCIP / iSCSI

-------------------------------------------------------------------------------------------------------------

NEXUS switch and NX-OS
NEXUS architecture:
# sh ver
software
·         BIOS    version 2.12.0
·         Kickstart image- contains linux           7K kernel  version 6.2(2), 5K 5.1(3)
·         System – contain software component of NX  multilayer director switch
Hardware
·         Supervisor : intel xenon  ,  12 gb memory
Plug-in
·         Core plugin – contain nx os software component
·         Ethernet – L2 and  L3 software component
·         In future we will see – Storage plugin – for FCoE




























Chapter 4 : Monitoring Nexus Switch
Monitoring the Nexus
·         Rj 45 console is located on sup card.
·         Nexus 7000 with sup 1 engine with cmp (connectivity management processor) with dedicated O.S for OOB management access. Has led for notification and local authentication. Sup 2 don’t have this capability
·         To connect to cmp we use command # attach
o   Attach console | module | cmp
·         Remote acces:
o   Ssh v2 is enabled by default, ssh / telnet clinet & server capability , ip v4 and v6 supported
o   In cmp  use command  # ssh server enable or # telnet server enable
·         Management
o   Support concept of VRF, by default there are two VRF ( default and management vrf) exist in nexus switch.
o   Management interface is in management vrf. To test connectivity for management purpose is  # ping 10.10.10.10 vrf management
·         ISSU (in service software upgrade)
o   Upgrade with no disruption , data plane continue forwarding packet during upgrade proces
o   4.2.1
o   Kickstart, bios, system, fex (2000 series), i/o module bios and image
o   Started with 7000 series which has dual sup card, first upgrade standby sup engine, then upgrade second sup engine. This feature is also now supported in 5000 series which has single sup engine. Here control plane will be offline during upgrade. If 5500 series with L3 functionality it will not support ISSU.
o   Steps for 5000 series
§  Download appropriate software Cisco.com/go/fn (feature navigator)
§  Copy tftp à boot  flash
§  Show incompatibility  ( show incompatible with new image) ß pre upgrade command
§  Show install all impact ( shows impact of upgrade) ß pre upgrade command
§  Show install all status   ç post upgrade to verify installation status.
·         Control plane policing
o   Data plane
o   Mgmt plane – snmp
o   Control plan – L2 stp, LAcP, L3 ospf , bgp
§  CoPP control plan policing – restrict number of packet entering CP. There is  default CoPP, during installation it ask for strict , moderate, lenient or no default policy.
·         KEY  CLI command
o   Where – shows mode, which VDC
o   Show run ipqos | all   allà show everything including default
o   Sho run interface all
o   Show module
o   Show loggin







Chapter 5 vPC
vPC ( virtual port channel)
·          Used to bundle with uplink with two different uplink switch.
o   Virtual port channel peer
o   One of 7K become primary and other secondary
o   Orphan port – port not participating on vPC infrastructure
o   Member port – port participating in vPC
o   CFS – Cisco Fabric Service – used to synchronize stateful information
o   Peer keep-alive link – logical link work OOB path (no data or sycn message is sent over this link)
o   Limitation
§  Peer link should be 10 gig Ethernet port,  at least 2 used.
§  vPC is per VDC
§  L2 portcahnnel technology

o   Dual sided vPC 7K = 5K = 2K = c –series sever
o   Show vpc brief
§  Vpc domain id
§  Peer status
§  Keep alive status
§  vPC role
                      
o   show vpc peer-keepalive

§  keep alive tos 192 – binary representation of tos byte

§  Role – priority  ==== > lower is better

o   show vpc consistency-parameter interface port-channel 20


vPC (Virtual port-channel )
Overview
A virtual PortChannel (vPC) allows links that are physically connected to two different Cisco Nexus 7000 or 5000 Series devices to appear as a single PortChannel to a third device. The third device can be a Cisco Nexus 2000 Series Fabric Extender or a switch, server, or any other networking device. A vPC can provide Layer 2 multipathing, which allows you to create redundancy by increasing bandwidth, enabling multiple parallel paths between nodes and load-balancing traffic where alternative paths exist.
After you enable the vPC function, you create a peer keepalive link, which sends heartbeat messages between the two vPC peer devices.
The vPC domain includes both vPC peer devices, the vPC peer keepalive link, the vPC peer link, and all the PortChannels in the vPC domain connected to the downstream device. You can have only one vPC domain ID on each device.
A vPC provides the following benefits:
• Allows a single device to use a PortChannel across two upstream devices
• Eliminates Spanning Tree Protocol blocked ports
• Provides a loop-free topology
• Uses all available uplink bandwidth
• Provides fast convergence if either the link or a device fails
• Provides link-level resiliency
• Helps ensure high availability
The vPC not only allows you to create a PortChannel from a switch or server that is dual-homed to a pair of Cisco Nexus 7000 or 5000 Series Switches, but it can also be deployed along with Cisco Nexus 2000 Series Fabric Extenders.

The following list defines critical vPC concepts:
• vPC: vPC refers to the combined PortChannel between the vPC peer devices and the downstream device.
• vPC peer switch: The vPC peer switch is one of a pair of switches that are connected to the special PortChannel known as the vPC peer link. One device will be selected as the primary device, and the other will be the secondary device.
• vPC peer link: The vPC peer link is the link used to synchronize states between the vPC peer devices. The vPC peer link carries control traffic between two vPC switches and also multicast, broadcast data traffic. In some link failure scenarios, it also carries unicast traffic. You should have at least two 10 Gigabit Ethernet interfaces for peer links.
• vPC domain: This domain includes both vPC peer devices, the vPC peer keepalive link, and all the PortChannels in the vPC connected to the downstream devices. It is also associated with the configuration mode that you must use to assign vPC global parameters.
• vPC peer keepalive link: The peer keepalive link monitors the vitality of a vPC peer switch. The peer keepalive link sends periodic keepalive messages between vPC peer devices. The vPC peer keepalive link can be a management interface or switched virtual interface (SVI). No data or synchronization traffic moves over the vPC peer keepalive link; the only traffic on this link is a message that indicates that the originating switch is operating and running vPC.
• vPC member port: vPC member ports are interfaces that belong to the vPCs.

vPC configuration on the Cisco Nexus 5000 Series includes these steps:
• Enable the vPC feature.
• Create a vPC domain and enter vpc-domain mode.
• Configure the vPC peer keepalive link.
• (Optional) Configure system priority.
• (Optional) Configure vPC role priority.
• Create the vPC peer link.
• Move the PortChannel to vPC.

Chapter 6 : Fabric Path

·         Fabric Path Cisco version of TRILL

·         TRILL (transparent interconnection of lots of link) its replacement technology for STP.
In TRILL L3 routing intelligence is brought to L2 , thus keep L2 routing table.

·         IS-IS
·         Fabric path perfrom ECMP (Equal cost multiple path) , 16 – way equal cost multi path. ECMP with port channel technology 16 10gbps port channel will give 2.56 Tbs usable bandwidth.
·         Fabric path network appears as one single switch for STP running legacy  switch network.
·         Switch using legacy STP port is called as Classical Ethernet port and Fiber channel infrastructure port is called as FPP ( Fiber path port)
·         Enhancement in Fabric path ( modification from TRILL)
o   Conversational learning – learns only active mac address
·         Verification
o   Show mac address-table  will show destination hop fabric path device.
o   Show fabricpath route































Chapter 7 : OTV

OTV (Overlay Transport Virtualization)
Basic understanding of OTV
Today i am going to help you understand Why we need OTV?

Lets say, we have 3 switches (A,B,C). Switch A is connectec to B and Switch B is connected to Switch C. and Switch A has 2 vlans created on it, vlan 10 and 20. What if we want the the vlan 10 and 20 to be extended to Switch C over Switch B, We will have to simply create vlan 10 and 20 on both switch B and C and allow both the vlans on trunks connecting the switches, right? and its simple!!

If you look at this pic, we have two Datacenters, DC1 and DC2 which are geographicaly far away from each other, lets say one in Newyork and another one in Los Angles and there are some server which are there in both data centers,however, they sync their hearbeat over layer 2 only and doesnt work on layer 3. So,we have a requirment that we have to extend vlan 10 and 20 from DC1 to another data center, DC2!! You may call it Datacenter Interconnect (DCI).

can we do the same thing which we did to extend vlan from switch A to switch C in above example? Ofcourse Not!!, so what the are the solutions to achieve this?
Until OTV came into picture, we had few of the below options to achieve this:
-VPLS
-Dark Fiber (CWDM or DWDM)
-AToM
-L2TPv3

These are the services provided by Service Providers and they work on different mechanisms but basicaly what they do is, they provide you a layer 2 path between DC1 to DC2 similar to a trunk link between Switch A and Switch B. So what does that mean? If a broadcast is sent or a ARP request is sent, that will travel across the service provider to another data center in that VLAN? Ofcourse YES!! Your STP domain will also get extended over DCI. So, if a device in vlan 10 in DC1 is trying to communicate with another device which is also in DC1 but the ARP request will go all the way to DC2 switches on which that particular vlan is configured.

So, to avoid such problems, Cisco introduced OTV (Overlay Transport Virtualization) which is basicaly a DCI (data center interconnect) technology to be configured on Nexus Switches. Using OTV, we can extend Layer 2 between two or more datacenters over traditional L3 infrastructure provided by Service Provider, and we dont need a seperate L2 link for layer 2 extension and we will still be able to limit STP domain and unnecessary broadcast over WAN links. It can overlay multiple VLAN with a simple design. Basically what it does is that, Datacenters will be able to advertise their MAC addresses to each other(its called
Mac in IP" routing) and a decision can be made on the basis of MAC addresses whether that MAC address is local or in another data center and based on that, frame can be forwarded or limited to a particular data center only. OTV uses a control protocol to map MAC address destinations to IP next hops that are reachable through the normal L3 network core.
So, in Cisco's language "OTV can be thought of as MAC routing in which the destination is a MAC address, the next hop is an IP address, and traffic is encapsulated in IP so it can simply be carried to its MAC routing next hop over the core IP network. Thus a flow between source and destination host MAC addresses is translated in the overlay into an IP flow between the source and destination IP addresses of the relevant edge devices. This process is called encapsulation rather than tunneling as the encapsulation is imposed dynamically and tunnels are not maintained"

How this is implemented, that i will show in another simplified post!!Thank you!!










Chapter 8 :  Network Virtualization .

7K  with 5.X code
·         4 VDCs
·         VDCI ( default VDC, VDC 1) – control shared resources
·         VLANs / VRFs per VDC. Eg. Vlan 100 in each VDC will be separate.
·         Failure of protocol in one VDC will not affect same protocol in other VDC.
·         To create virtual interface we have to be that particular VDC.
·         Some IO module each port work independently and for some port grouping need to be done.
·         Role based access control.
o   Vdc admin from one user created context can not control other vdc.
o   To create vdc with advanced service license.
o   Configuration
§  Vdc test
§  Switch to vdc test
o   Verification
§  Show vdc
§  Show vdc membership (interface membership)
§  Show run vdc-all ( running configuration for all vdc)
§  Copy run start vdc-all
·         NVI ( network Interface virtualization)
o   Refers to FEX
o   VNtag à IEE802.1Qbh

2K – FEX
Physical port on 5K connecting to 2K = Fabric port
Bundle of 5 K connecting to 2K = F.P. Channle
Uplink on 2K connecting to 5K is called as FEX uplink
2K port connecting to server = FEX port






Virtualization in storage:

Device controlling virtualization.
1 host / server
2 physical disk system ( array-based)
3  network devices

Identify logical disk in SAN we use LUN ( logical unit number ) – sometime we refer logical disk as LUN but Lun is just numeric identifier.

In storage area we have to control the number of device accessing logical disk.  This id done by LUN masking using PWWN ( port world wide name). Also there is LUN mapping here we map logical disk to particular HBA host bus adapter in server.

Cisco developed LUN zoning, this technology is not dependant on storage vendor technology.

It is found in MDS switch and allows us to map logical disk to particular HBA.


Storage virtualization
Types: Block    Disk     Tape    File system     
Block: provide logical  volume of disk to user that is stored physically  somewhere.
Disk Virtualization  : providing disk out of large disk array,
Tape:
File system:  allow user to access a file.
File and record virtualization : presenting logical volume to particular user


It can be done : host level , network level or Array level

How we do it : in-band ( data and control going through same channel ) or  OOB ( data and control over separate channel)

Advantage of Network based
·         It is independent of server, OS, storage solution
·         Offloading virtualization.
Chapter 9 : Server virtualization

Before virtualization we had server sprawl (each entity or service had their own box or system), this is scalable but consume lots of power and administration work.


Aps      Aps      Aps
Os        Os        Os
--------------------------------------------------
Virtualization software – allocate hardware resources.
---------------------------------------------------
Rack mount server – CPU + RAM + NIC + Disk space


Benefit of Virtualization
-          Partitioning -  vm instance
-          Encapsulation  à everything is in set of files. We can take backup and manipulate this file to tweak the server
-          Isolation à
-          Hardware abstraction à we can move VM and move between hosts.
-          Cap EX / Op Ex
-          Capital expense – buying new hardware
-          Operational expense – spending for operation , like cooling and maintenance


Virtualization techniques: (based on how much modification done on guest OS)
Full – host os vs bare metal
Partial
Para-virtualization




VMware workstation 8 – type 2 – host OS, window 7 – VMware workstation 8

Hypervisor EXSi  - type 1
Bare metal - hypervisor –
EXS is old version of ESXi, EXS is Linux based kernel.



Vsphere 5.x software suite
   ESXi, Vsphere server, vsphere client, vshpere view product,



Microsoft Hyper – V server 2012

Citrix – Xen Server

Chapter 10 : Nexus 1000v

Chapter 11 : Storage Area Network

·         File-based vs Block-based
o   Eg. CIFS ( Common Internet File System)
o   Network File System (NFS)
o   This protocol has high latency and work over TCP/IP  and are chatty.
o   Suitable for MS office or print services
·         Block-based
o   SCSI
o   Many input output operations per second ( IOPS)
o   SCSI Parallel cable ( low latency, distance limitation)
o   iSCSI – transport of scsi over TCP (high latency)
o   FC – low latency and high B.W
o   FCoE – works on 10 gbps link
·         NFS ( network file system)
o   Client server environment
o   Unix client – service  mountd
o   Unix serve -  Volume   - portmatp / rpcbind
o   Mountd à portmap/rpcbind
o   Mount / automounter ( mount file on demand)
o   Once mound system we can use command like ls    à  NFSD
o   NFSv2 RFS 1094 32 bit stateless
o   NFSv3  rfs 1819 64 bit stateless
o   NFSv4 rfc 3530 statefull , security
·         SCSI
o   Host  à initiator
o   Storage à Target
o   Daisy chain but max 16 devices
o   Bus length 25 m
o   Max bw 320 mbps
·         FC
o   Overcome limitation of parallel scsi
o   16 million nodes
o   Loop ( token ring / modern day  switched transport (also called as fabric)
o   800 mbps  /  Fabric  8Gbps
o   6.2 miles
o   Multiple protocols.
·         SAN terminology
o   Initiator
o   HBA
o   Target
o   Smallest unit of data is word à encoded into 40 bit form by 8bit-10bit encoding process of FC, word get packaged into Frame (equivalent to ip packet in IP network), sequence is series of frame sending between nodes and are unidirectional.  Sequencing which happen during R / W operation are called as exchange ( similar to tcp session )
·         iSCSI
o   encapsulate scsi command and data over IP
o   TCP port 3260 – congestion control and in order deliver of  error free data in iSCSI environment
o   Distance concern is address
o   MDS 9222i and 9000 series provide transparent SCSI routing
·         DAS ( direct Access storage)
o   Limited mobility ( it often refer to capture storage)
·         SAN


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.