Uplink Nexus 5010 to 6509 and management

Unanswered Question
Jul 16th, 2009

I have looked around online on Cisco's site and scanned over the Nexus 5000 document and I can't seem to find the answers I'm looking for. The document I am referring to can be found at http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide.html

I have two questions:

1) Are there any guides to connecting the 5000's to 6509's which would be serving as the core? If not, can someone point me in the right direction?

2) I have configured the management port on the 5000. In order to access the CLI of the switch without a console cable, do I need to have the management port connected to my infrastructure, or can I ssh/telnet to the switch by just having it uplinked via fiber back to the 6509's?

Thank you kindly

nate-miller Mon, 07/20/2009 - 07:00

What version of code on the 6500s?

If you are running SXH code, you can utilize the Bridge Assurance functionality, which is a new spanning-tree functionality.

Other than that, best-practice spanning tree designs still hold true; it's not much more than a big L2 switch in this scenario.

If you have multiple 5ks, you could pair them together and leverage virtual port channels up to the 6500s.

In order to use the management interface 'inline', you need to enable the "feature interface-vlan", and you could then put an ip address on one of the VLANs that is being distributed by the 5k. You can't reach the management interface inline from the normal switching path.

There currently isn't a way to write a security-minded ACL around your management interface or vtys, so if you add this address, keep in mind that password security is your only option; you can't restrict traffic to/from certain networks, etc.

Robert Rowland III Tue, 09/08/2009 - 04:18

Also since the 5Ks can be seen ... kind of ... like a single 5K with vPC you can cross-connect / dual home your 5Ks to 6500s with vPCs.

On 6509-1 create portchannel 10, on 6509-2 create portchannel 20 and on both 5Ks create portchannels 10 & 20 and connect them to both 6500s.

I am then running GLBP on the 6500s instead of HSRP to use both routers.
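
A configuration sketch of the dual-homed vPC layout described in the post above, added here as an example; it is not part of the original thread and not any poster's configuration. Port-channel numbers 10 and 20 come from the post; the interface numbers, vPC domain ID, peer-link port-channel number and keepalive addresses are assumptions. Bridge Assurance (`spanning-tree port type network`) is shown on the peer link only, which is what later replies in this thread report using.

```text
! Added example: constructed configuration, not taken from the thread.
! Interface numbers, vPC domain ID and keepalive addresses are assumptions.

! --- Both Nexus 5Ks (NX-OS); shown for 5K-1 ---
feature lacp
feature vpc

vpc domain 1
  ! keepalive over mgmt0 in the management VRF; addresses are placeholders
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management

interface port-channel 1
  description vPC peer link to the other 5K
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface port-channel 10
  description uplink to 6509-1
  switchport mode trunk
  vpc 10

interface port-channel 20
  description uplink to 6509-2
  switchport mode trunk
  vpc 20

interface Ethernet1/1
  switchport mode trunk
  channel-group 10 mode active

interface Ethernet1/2
  switchport mode trunk
  channel-group 20 mode active

! --- 6509-1 (IOS); 6509-2 is the same with Port-channel20 ---
interface Port-channel10
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

! one member link to each 5K
interface range TenGigabitEthernet4/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
```

The peer-link member interfaces on the 5Ks are omitted; they would join port-channel 1 with `channel-group 1 mode active` in the same way as the uplink members.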

pzpgd1mlf Sat, 03/27/2010 - 15:43

I had implemented that scenario, but had to disable the spanning-tree port type network command on the N5K, because both upstream ports could not go to forwarding state; Bridge Assurance kept them as blocking and the N5K could not interact with the 6509's through the vPCs. N5K configured with MST and 6509's with PVST. Anyway, as soon as I disabled BA, both upstreams entered FWD and vPCs were successfully formed.

So, I left BA enabled only on the point-to-point (peer) link as per the configuration guide's instruction and did not have any issue there.

Please share any experience with Bridge Assurance.


joeharb Mon, 10/25/2010 - 14:10

We have a similar implementation we are trying to get working. We have 2 6509's that run HSRP and have a port channel between the 2. 6500#1 is root for spanning tree. We have connected 2 5k's to them using port channels:


port channel 100

  consists of interface gig 4/13 which connects to 5K#1 and interface gig 4/14 which connects to 5K#2


port channel 100

  consists of interface gig 4/13 which connects to 5K#1 and interface gig 4/14 which connects to 5K#2

5k's both have port channel 1 and 2 configured and a vPC for both.

The vPC status looks good, but it appears the port channel from the 6500#2 has all the VLANs in a blocking state. From the 5K, port channel 2 (going to the 6500#2) is in a DESG state for all VLANs. I noticed this when I attempted to do an upgrade to the 5.X code today, where we had a disruptive upgrade. My main question is: can the vPC design allow both 6500's to be in a forwarding state to the 5K's? The only link that has BA configured is the peer link.



ckallam Thu, 05/06/2010 - 05:59

What is the minimum code on the 6500 to portchannel 10-Gbps? I am running on 12.2(18)SXF15a and can only run on gig ports.

  Dot1x:                 yes
  Model:                 NO IDPROM
  Type:                  unknown
  Speed:                 10,100,1000,auto
  Duplex:                half,full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(off,on,desired)
  Membership:            static
  Fast Start:            yes
  QOS scheduling:        rx-(1q4t), tx-(1q4t)
  CoS rewrite:           yes
  ToS rewrite:           yes
  Inline power:          no
  SPAN:                  source/destination
  UDLD                   no
  Link Debounce:         no
  Link Debounce Time:    no
  Ports on ASIC:         UNAVAILABLE
  Port-Security:         yes

ckallam Thu, 05/06/2010 - 12:37

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL12330BKM
  4    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL123418MN
  5    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL11370JSY
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAL1201BZUC
  9   16  SFM-capable 16 port 1000mb GBIC        WS-X6516A-GBIC     SAL08196XHD

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0022.55ec.69a8 to 0022.55ec.69d7   3.0   12.2(18r)S1  12.2(18)SXF1 Ok
  4  0023.045e.fbe8 to 0023.045e.fbef   1.6   12.2(18r)S1  12.2(18)SXF1 Ok
  5  001d.4542.17b0 to 001d.4542.17b3   2.6   12.2(14r)S5  12.2(18)SXF1 Ok
  6  0019.e7d4.3e5c to 0019.e7d4.3e5f   4.0   8.4(2)       12.2(18)SXF1 Ok
  9  000f.f780.d2bc to 000f.f780.d2cb   4.1   7.2(1)       8.5(0.46)RFW Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Centralized Forwarding Card WS-F6700-CFC       SAL1230Y8RY  4.1    Ok
  4  Distributed Forwarding Card WS-F6700-DFC3C     SAL123304FZ  1.0    Ok
  5  Distributed Forwarding Card WS-F6700-DFC3B     SAL1115LPP0  4.6    Ok
  6  Policy Feature Card 3       WS-F6K-PFC3A       SAL1201C3KH  2.6    Ok
  6  MSFC3 Daughterboard         WS-SUP720          SAL1201C1TQ  3.1    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  4  Pass
  5  Pass
  6  Pass
  9  Pass

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(18)SXF15a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Tue 21-Oct-08 00:04 by kellythw
Image text-base: 0x40101040, data-base: 0x42DDBE30

ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(18)SXF15a, RELEASE SOFTWARE (fc1)

pa-core-6509 uptime is 1 year, 11 weeks, 2 days, 23 hours, 49 minutes
Time since pa-core-6509 switched to active is 1 year, 11 weeks, 2 days, 23 hours, 48 minutes
System returned to ROM by s/w reset at 08:16:27 UTC Tue Oct 28 2008 (SP by bus error at PC 0x401A4578, address 0x0)
System image file is "disk0:s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin"

