Chalk Talk: Ten Things that Make NX-OS Awesome!

Apr 4, 2013 9:16 PM

NX-OS, the operating system that powers the Cisco Nexus family of switches, is turning 5 years old this April. Since its inception, NX-OS has been extended to run on eight families of switches and the Cisco UCS Fabric Interconnects. The features supported run the complete gamut from large modular platforms like the Nexus 7000 through fixed configuration switches like the Nexus 5500 and include virtual switches like the Nexus 1000v. NX-OS also is fluent in multiple protocols like Ethernet, Fibre Channel, Fibre Channel over Ethernet, FabricPath, MPLS, OTV, LISP and a rich set of traditional Layer 2 and Layer 3 networking protocols. With all of that capability under one OS, I thought it’d be fun to list out the ten things that make NX-OS awesome.

  1. The first thing that makes NX-OS so powerful is its extensibility. This OS is based on Linux and takes into account principles of modern, modular operating systems with its approach to the internal architecture. The modularity of NX-OS is precisely the reason why it can run on so many platforms and provide a consistent user experience from a configuration and management aspect. You can go from one platform to another and have a consistent CLI no matter if it is a powerhouse Nexus 7000 or an Ultra-Low Latency Nexus 3548. It’s the same NX-OS kernel that drives them both.

  2. The second aspect of NX-OS ties into the modularity but is focused on software stability and security. I’m referring to the conditional nature of features, like OSPF or FabricPath, in NX-OS. These features must be enabled by customers. No big deal, you might say, but the cool part is that NX-OS doesn’t load the CLI or start the process in memory until the feature is enabled. This preserves memory and CPU resources, and from a security aspect it also offers a narrower attack surface. It is hard to exploit a potential issue with, say, OSPF if OSPF isn’t loaded and running on the switch. So we solve multiple issues with just this one capability!

  3. The third topic I always get interest from customers in is the ability to do In Service Software Upgrade (ISSU). ISSU makes it possible to upgrade the operating system with no packet loss. This opens a whole new world of opportunity for network operators to maintain their networks, keep software current, add new software features and do it without disruption to the business. This is inherently due to the architecture of NX-OS and Nexus switches, which separates the control plane (OSPF, STP, FabricPath, etc.) from the data plane (your email, database and web traffic passing through the switch). This separation means we can upgrade the control plane without impacting the data plane. Check the documentation for your platform for details on ISSU support, as not every system can take full advantage of this capability. Also equally cool, and in the same thought process, we can do ISSD (In Service Software Downgrades) as well!

  4. The fourth topic is one of my favorite features and I’ve written about it before – Virtual Device Contexts (VDCs). VDCs are a feature available on the Nexus 7000 family and allow you to segment your switch into 8 virtual switches with the Supervisor 2E. The virtualization done with VDCs is quite comprehensive in that interfaces, memory and other system-wide resources are allocated to a VDC and dedicated for that virtual context. Even further, you can configure VRFs, MPLS, VLANs and other virtualization technologies *inside* a VDC, so virtualization inside virtualization. This is a very, very powerful capability and industry leading.

  5. The fifth thing that makes NX-OS awesome is a feature that spans three of the switching platforms: FabricPath. FabricPath is a Cisco innovation that allows customers to scale Layer 2 domains, removes many of the barriers and complexity associated with traditional STP topologies (like logical port count) and simplifies the configuration dramatically. Customers in an STP configuration typically have multiple lines of commands for each layer of the network that are focused on deploying STP guards – loopguard, rootguard, BPDU guard, etc. While each of these capabilities helps control STP, it adds additional configuration points and work. FabricPath doesn’t need all of these, as its control plane protocol is based on IS-IS and has intelligence built in similar to a routing protocol. This brings capabilities like Time to Live (TTL) and a link state database that scales nicely. With the success we’ve seen firsthand with customers, it is a real benefit to their network.

  6. The sixth feature in NX-OS I love to talk about is Overlay Transport Virtualization (OTV). OTV is another Cisco innovation on the Nexus 7000 and now ASR 1000 that empowers customers to extend Layer 2 domains across an IP infrastructure in a safe and sane manner. What do I mean by that?! When I look at other L2 extension technologies, many of them extend STP and as such, that means the two data centers now have some fate sharing in that a bad STP day in one data center can cause a bad STP day in the other. OTV does not do this as it has a control plane protocol that advertises MAC addresses as they are learned and by default does not forward STP BPDUs across the overlay. I have had the opportunity to work with multiple customers on solving challenges like data center migration or implementation of an active/active data center configuration with OTV. It simply works.

  7. The seventh capability in NX-OS is one that originated on the Nexus 7000 but has since been added to other products in the Catalyst line of switches: Cisco TrustSec (CTS). CTS is an umbrella name for a suite of technologies that provide next-generation security features on the network, including Source Group Tags (SGTs) and 802.1AE MACSEC encryption. SGTs allow security policy to be represented by a tag and enforced in hardware without requiring miles of access control lists (ACLs). While that is obviously cool, MACSEC is really a great feature more customers can use. The implementation of IEEE 802.1AE MACSEC provides 128-bit AES hardware-based encryption at the data link layer. This encrypts all frames that traverse a point-to-point link and has saved many customers a lot of money compared to using external hardware encryptors. The Nexus 7000 M1, M2 and F2e modules support MACSEC.

  8. The eighth feature in NX-OS that I like to discuss with customers is Fabric Extender, or FEX. Fabric Extenders are a great, cost effective way for customers to build very large access layers by placing a FEX at the top of a rack to connect servers into and then using a few strands of fiber to connect back to the parent switch. This saves a ton of money in cabling costs, which, if you look at them during a data center build, can become staggering. Cost savings aside, FEX are all centrally managed from the parent switch, which means fewer devices in the data center on which to manage individual software images, back up configuration files, etc. The Nexus 5000, 5500, 6000 and 7000 all support FEX and there is a variety of options to meet the different demands customer networks have.

  9. The ninth feature of NX-OS is the ability to do cool things from the command line. While that is pretty broad, let’s think about how many times you want to see a device’s log file but only want the last few entries and don’t want to scroll through the whole thing? Try this command:

N7K-1# show log last 10
2013 Apr 13 23:15:19 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:19 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:15:26 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:26 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
2013 Apr 13 23:19:13 N7K-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.89.15.82@pts/0
2013 Apr 13 23:26:06 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.82 - sshd
2013 Apr 14 15:06:32 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.89.15.143 - sshd
2013 Apr 16 02:55:48 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user rfuller from 10.89.12.4 - sshd
N7K-1#

Now you can just see the last 10 entries, or whatever number you are looking for. Let’s take this a step further and use UNIX grep to be specific about what words we want to see.

N7K-1# show log | i OFFLINE
2013 Apr 12 21:26:11 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 2 is now offline
2013 Apr 12 21:26:30 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 3 is now offline
2013 Apr 13 23:09:57 N7K-1 %VDC_MGR-2-VDC_OFFLINE: vdc 6 is now offline
N7K-1#

What if we wanted to be more specific and see just logs for VDC 6?

N7K-1# show log | grep "vdc 6"
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to updating
2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active
N7K-1#

Also, NX-OS does command accounting on the system by default, so every command is tracked. In the past, you needed to have a TACACS or RADIUS server configured to get this level of accounting. This ability has come in handy in cases where someone says they didn’t type a command, but actually did. Of course this can be combined with grep to further filter the output.

N7K-1# show accounting log | grep "no shut"
Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (REDIRECT)
Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (SUCCESS)

There are so many options and the grep and egrep commands work on every command in the CLI! Pretty cool, eh?
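Grepping on the box is handy interactively, but the same two line formats shown above (the "show log" syslog lines and the "show accounting log" entries) are easy to parse offline once you have redirected them to a file. The following is an added example, not part of the original post: it counts the pam_aaa authentication failures per user and source address and lists the successful configuration commands from the accounting log. The sample lines are constructed to match the formats above; hostnames and addresses are made up.

```python
import re
from collections import Counter

# "show log" lines: "<YYYY Mon DD HH:MM:SS> <host> %FACILITY-SEVERITY-MNEMONIC: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
# Failed-login text that pam_aaa places inside an AUTHPRIV-3-SYSTEM_MSG
AUTH_FAIL_RE = re.compile(r"Authentication failed for user (?P<user>\S+) from (?P<src>\S+)")
# "show accounting log" lines: "<timestamp>:type=<t>:id=<id>:user=<u>:cmd=<command> (<RESULT>)"
ACCT_RE = re.compile(r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):"
                     r"cmd=(?P<cmd>.*) \((?P<result>[A-Z]+)\)$")

def parse_syslog(line):
    """Return the fields of one NX-OS syslog line as a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_ssh_logins(lines, threshold=3):
    """Count pam_aaa authentication failures per (user, source) and keep those at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["facility"] != "AUTHPRIV":
            continue                      # only the AUTHPRIV facility carries login failures
        m = AUTH_FAIL_RE.search(rec["msg"])
        if m:
            counts[(m["user"], m["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def config_changes(acct_lines):
    """Return (user, command) for every successful configuration command in the accounting log."""
    out = []
    for line in acct_lines:
        m = ACCT_RE.match(line.strip())
        if m and m["type"] == "update" and m["result"] == "SUCCESS":
            out.append((m["user"], m["cmd"]))  # REDIRECT entries are the same command echoed; skip them
    return out

# Constructed sample input in the two formats above (not real device output)
SAMPLE_LOG = [
    "2013 Apr 13 23:15:33 N7K-1 %VDC_MGR-5-VDC_STATE_CHANGE: vdc 6 state changed to active",
    "2013 Apr 13 23:26:06 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.10 - sshd",
    "2013 Apr 13 23:26:09 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.10 - sshd",
    "2013 Apr 13 23:26:12 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.10 - sshd",
    "2013 Apr 14 15:06:32 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user rfuller from 192.0.2.44 - sshd",
]
SAMPLE_ACCT = [
    "Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (REDIRECT)",
    "Fri Apr 12 11:08:58 2013:type=update:id=vsh.1408:user=root:cmd=configure terminal ; interface mgmt0 ; no shutdown (SUCCESS)",
]
```

Run `failed_ssh_logins(SAMPLE_LOG)` to get the (user, source) pairs that hit the threshold and `config_changes(SAMPLE_ACCT)` to get the committed commands; with real files, pass `open(path)` in place of the sample lists.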

10. The last and tenth capability in NX-OS I wanted to share is one I wish every customer knew, and it involves directing output to a file. NX-OS can be very verbose in the output it generates with some commands, and it can be a huge time saver to redirect the output to a file. For example, you want to copy the logfile but it is very long. Try this.

N7K-1# show log > chalklog.txt
N7K-1# dir bootflash: | i chalk
   2696204   Apr 17 01:14:40 2013  chalklog.txt
N7K-1#

Note how I also used the pipe “i” (include) to find the file and show just it? What about a show tech-support? These can be hundreds of MB (yes, I said Mega Bytes with a capital B!) of output that TAC might ask for to help troubleshoot an issue. You could do term len 0 and then capture the output in your terminal emulator – that will work, but it will take a lot of time. Try using the redirect function instead.

N7K-1# show tech-support > chalktech.txt
Show tech brief will take 4-6 minutes to complete. Please Wait ...
N7K-1# dir bootflash: | i chalktech
   99244120   Apr 17 01:19:20 2013 chalktech.txt
N7K-1#

This is a 99MB file and it took a few moments to create. Now I can copy it using FTP, SCP, USB and more for analysis and save a ton of time.

I hope these 10 items give you reason to consider NX-OS and showed you some new features you may not have been aware of. If you already have NX-OS, maybe you picked up a few tips for the CLI that can be helpful as well. It is a very exciting operating system and with it just turning 5, it’s exciting to think about what it will be capable of doing in the next 5 years! Happy Birthday, NX-OS!

NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures, 2nd Edition
By Ron Fuller, David Jansen, Matthew McPherson.
Series: Networking Technology
Published: March 15, 2013
ISBN-10: 0-13-288356-2
ISBN-13: 978-0-13-288356-6
Published by Cisco Press.

This article is featured in the April 2013 issue of the Cisco TS Newsletter.  Are you subscribed?

Comments

sean_evershed Sat, 04/27/2013 - 19:01

I agree that NX-OS is a rock solid OS.

However from a customer's perspective I would like to see support for the following ten features to make it truly awesome:

1. OSI Layer3 vPC.

2. EIGRP Unequal cost balancing.

3. Increased support for multicast routing. Currently the N7K platform only supports sparse mode.

4. IPv6 VRRP.

5. Support for long range 40 Gbps fibre modules.

7. OSPF down bit support.

8. IPsec authentication for OSPFv3

9. Bring back the wr alias.

10. The publication of a Medianet QoS design guide for NX-OS.

http://www.cisco.com/en/US/netsol/ns930/networking_solutions_design_guidances_list.html

Ron Fuller Sun, 04/28/2013 - 13:25 (reply to sean_evershed)

Hi Sean,

Thank you for the feedback.  I would suggest you contact your Cisco account team for details on the timeframe of supporting these features as many are on our near and long term roadmap.

Also, for the wr alias, while not in NX-OS, you can easily create it by using the cli alias command as below:

cli alias name wr copy run start vdc-all

Regarding plans for additional multicast modes, we have no intention of bringing dense mode back and would be interested in your use case.

On the topic of QoS design, NX-OS doesn't support Medianet but we do have a rich QoS implementation that is discussed in Cisco Live sessions, the Cisco.com documentation as well as the NX-OS book.

Hope that helps!

Ron Fuller

sean_evershed Sun, 04/28/2013 - 21:11 (reply to Ron Fuller)

Fantastic, thanks Ron for the clarification, especially concerning Medianet.

I recommend your excellent book on NX-OS to all my friends and colleagues who work on NX-OS platforms.

Cheers

Sean