We saw in the first part what the components of NX-OS are, what the boot sequence is and a few other things.

It’s time for a more hands-on look at how to configure some basic features of NX-OS, without which the device would be unusable.

Administrative configurations

The hostname of a Nexus device is configured much like on IOS, but you can use the ‘switchname’ command as well:

switch# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# hostname NX-1
NX-1(config)# switchname NX-2
NX-2(config)# end
NX-2#

In order to authenticate on a Nexus device, you will need a username and a password. To create a username, the procedure is as follows:

nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# username nexus-test-user password pass
nexus-1(config)# exit
nexus-1#

NX-OS lets you assign roles to users. The role assigned to a username determines what actions that user can perform. There are many predefined roles, but only a few of them are commonly used. One is network-admin, and if you don’t specify a role when a username is created, then this one is applied. A username with this role has access to all resources of the device. The other one is the network-operator role, which provides read-only access.

You can see what roles are predefined on the device like this:

nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# username nexus-test-user role ?
  network-admin     System configured role
  network-operator  System configured role
  priv-0            Privilege role
  priv-1            Privilege role
  priv-10           Privilege role
  priv-11           Privilege role
  priv-12           Privilege role
  priv-13           Privilege role
  priv-14           Privilege role
  priv-15           Privilege role
  priv-2            Privilege role
  priv-3            Privilege role
  priv-4            Privilege role
  priv-5            Privilege role
  priv-6            Privilege role
  priv-7            Privilege role
  priv-8            Privilege role
  priv-9            Privilege role
  vdc-admin         System configured role
  vdc-operator      System configured role

nexus-1(config)# username nexus-test-user role 
nexus-1(config)#

Let’s create a user with the network-operator role and try to save the configuration:

nexus-1(config)# username nexus-test-user role network-operator password pass
nexus-1(config)# exit
nexus-1# exit

User Access Verification
nexus-1 login: nexus-test-user
nexus-test-user
Password: pass

Last login: Fri Nov 13 16:04:59 on ttyS0
Cisco NX-OS Software
nexus-1# copy running-config startup-config
copy running-config startup-config
% Permission denied for the role
nexus-1#
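
The role assignment above can be reviewed offline from a saved configuration. The following Python script is an added example, not part of the original article: it collects the roles of every local user and reports accounts that hold network-admin without being on an approved list. The config excerpt, the usernames other than nexus-test-user, and the `username <name> password 5 <hash> role <role>` line layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of a saved running-config (hashes are placeholders).
SAMPLE_CONFIG = """\
username admin password 5 $5$PLACEHOLDER1  role network-admin
username nexus-test-user password 5 $5$PLACEHOLDER2  role network-operator
username ops2 password 5 $5$PLACEHOLDER3  role network-operator
username ops2 role network-admin
snmp-server user admin network-admin auth md5 0xPLACEHOLDER
"""

# Roles treated as full access. The article names only network-admin;
# add others here if your policy requires it.
FULL_ACCESS = {"network-admin"}

USER_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
ROLE_RE = re.compile(r"\brole\s+(\S+)")

def roles_by_user(config_text):
    """Map each local username to the set of roles found on all its lines."""
    roles = defaultdict(set)
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue  # not a local-user line (e.g. snmp-server user ...)
        user, rest = m.groups()
        roles[user].update(ROLE_RE.findall(rest))  # also registers role-less users
    return dict(roles)

def audit(config_text, approved_admins):
    """Return (user, reasons) for accounts that need a manual review."""
    findings = []
    for user, roles in sorted(roles_by_user(config_text).items()):
        risky = roles & FULL_ACCESS
        if risky and user not in approved_admins:
            findings.append((user, sorted(risky)))
        elif not roles:
            findings.append((user, ["<no explicit role>"]))
    return findings

if __name__ == "__main__":
    for user, why in audit(SAMPLE_CONFIG, approved_admins={"admin"}):
        print(f"review {user}: {', '.join(why)}")
```

The constructed user ops2 looks read-only on its first line and only receives network-admin from a second line, which is why roles are merged per user before the check.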

In the first part, I talked about CLI modes. In IOS, once you are in configuration mode, you have to prefix any EXEC-mode command with the ‘do’ command.

You don’t need this anymore in NX-OS, but those with IOS habits can still use the ‘do’ command.

nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# show clock
16:14:40.569 UTC Fri Nov 13 2013
nexus-1(config)# do show clock
16:14:49.398 UTC Fri Nov 13 2013
nexus-1(config)# exit
nexus-1#

Device Interfaces

The mgmt0 interface on Nexus devices provides out-of-band management. It can be configured with IPv4 and IPv6 addresses and operates at 10/100/1000M.

To be able to connect to a Nexus device over the mgmt0 interface, you might need to add a default route. As I said in the first part, the mgmt0 interface belongs to a separate VRF called ‘management’.

Here are the steps needed to configure the mgmt0 interface and a default route for vrf ‘management’:

nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# interface mgmt0
nexus-1(config-if)# vrf member management
nexus-1(config-if)# ip address 172.30.145.186/23
nexus-1(config-if)# exit
nexus-1(config)# vrf context management
nexus-1(config-vrf)# ip route 0.0.0.0/0 172.30.144.1
nexus-1(config-vrf)# exit
nexus-1(config)# exit
nexus-1#

Basically you should have this in the configuration:

  • for default route:
vrf context management
  ip route 0.0.0.0/0 172.30.144.1
  • for interface configuration:
interface mgmt0
  vrf member management
  ip address 172.30.145.186/23
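
The two stanzas above can be checked for consistency before relying on them for remote access. The following Python script is an added example, not part of the original article: it parses the stanzas, confirms that mgmt0 is a member of the management VRF, and verifies that the default route's next hop lies inside the mgmt0 subnet. The function names are hypothetical; the addresses are the ones used in the article.

```python
import ipaddress

# The two stanzas from the article, as they appear in the running-config.
CONFIG = """\
vrf context management
  ip route 0.0.0.0/0 172.30.144.1
interface mgmt0
  vrf member management
  ip address 172.30.145.186/23
"""

def stanzas(config_text):
    """Group indented lines under the unindented line that precedes them."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and '!' comment lines
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.split())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def check_mgmt(config_text, vrf="management"):
    """Return a list of problems with the out-of-band management setup."""
    blocks, problems = stanzas(config_text), []
    mgmt = blocks.get("interface mgmt0", [])
    if ["vrf", "member", vrf] not in mgmt:
        problems.append(f"mgmt0 is not a member of vrf {vrf}")
    addrs = [w[2] for w in mgmt if w[:2] == ["ip", "address"] and len(w) > 2]
    if not addrs:
        return problems + ["mgmt0 has no IPv4 address"]
    net = ipaddress.ip_interface(addrs[0]).network
    # Assumes the next hop is written as an IPv4 address, as in the article.
    routes = [w for w in blocks.get(f"vrf context {vrf}", [])
              if w[:3] == ["ip", "route", "0.0.0.0/0"] and len(w) > 3]
    if not routes:
        problems.append(f"no default route in vrf context {vrf}")
    for w in routes:
        if ipaddress.ip_address(w[3]) not in net:
            problems.append(f"next hop {w[3]} is outside {net}")
    return problems

if __name__ == "__main__":
    print(check_mgmt(CONFIG) or "mgmt0 configuration is consistent")
```

With the /23 mask the mgmt0 subnet is 172.30.144.0/23, so the gateway 172.30.144.1 is on-link even though its third octet differs from the interface address.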

Let’s try to connect through ssh from a remote PC to this Nexus device using the newly added IP address of mgmt0 interface:

root@PC# ssh admin@172.30.145.186 
The authenticity of host '172.30.145.186 (172.30.145.186)' can't be established.
RSA key fingerprint is 60:58:8e:eb:72:a8:38:d4:7e:4a:6a:56:f8:d2:39:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.30.145.186' (RSA) to the list of known hosts.
User Access Verification
Password: 
Cisco NX-OS Software
nexus-1#

You can check the stats for mgmt0 interface like for any other interface:

nexus-1# show interface mgmt0
show interface mgmt0
mgmt0 is up
admin state is up
  Hardware: Ethernet, address: 000c.29f5.3c59 (bia 000c.29f5.3c59)
  Internet Address is 172.30.145.186/23
  MTU 1500 bytes, BW 0 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  auto-duplex, auto-speed
  Auto-Negotiation is turned on
  Auto-mdix is turned off
  EtherType is 0x0000 
  1 minute input rate 6880 bits/sec, 7 packets/sec
  1 minute output rate 1112 bits/sec, 1 packets/sec
  Rx
    2772279 input packets 2081 unicast packets 768341 multicast packets
    2001857 broadcast packets 308968162 bytes
  Tx
    773284 output packets 766942 unicast packets 6332 multicast packets
    10 broadcast packets 48359843 bytes

nexus-1#

Let’s talk about the other interfaces. As I was saying, all physical network interfaces in NX-OS are called Ethernet. They can be used in Layer 2 mode or Layer 3 mode.

There are also Switched Virtual Interfaces (SVIs), which are used to assign an IP address to a VLAN that spans multiple Ethernet ports.

I have this topology:

As you can see, the Nexus devices have two links between them. We will use the first one (e2/1) as an L3 interface; the second one will be configured as a switchport that is part of a VLAN, and the IP address of the VLAN will be configured on the SVI.

There is not much to discuss about Ethernet interfaces or SVI, so I will proceed to configure them.

nexus-1# show running-config interface e2/1

!Command: show running-config interface Ethernet2/1
!Time: Fri Nov 13 16:56:48 2013

version 6.2(1)

interface Ethernet2/1
  no shutdown

nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# interface e2/1
nexus-1(config-if)# ip address 1.1.1.1/24
nexus-1(config-if)# end
nexus-1# show running-config interface e2/1

!Command: show running-config interface Ethernet2/1
!Time: Fri Nov 13 16:57:14 2013

version 6.2(1)

interface Ethernet2/1
  ip address 1.1.1.1/24
  no shutdown

nexus-1#

Let’s configure the other device as well and try to ping NEXUS-1 from NEXUS-2:

nexus-2# show running-config interface e2/1

!Command: show running-config interface Ethernet2/1
!Time: Fri Nov 13 16:57:35 2013

version 5.1(2)

interface Ethernet2/1
  no shutdown

nexus-2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-2(config)# interface e2/1
nexus-2(config-if)# ip address 1.1.1.2/24
nexus-2(config-if)# end
nexus-2# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request 0 timed out
64 bytes from 1.1.1.1: icmp_seq=1 ttl=254 time=1.271 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=254 time=0.928 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=254 time=0.895 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=254 time=0.97 ms

--- 1.1.1.1 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 0.895/1.016/1.271 ms
nexus-2#

As you can see above, the ping is successful.

Let’s configure the next interface as an L2 port and add an SVI so we have reachability over the second interface.

One thing needs to be done before you can add an SVI: the interface-vlan feature has to be enabled:

nexus-1# show feature | include interface
interface-vlan        1         disabled
nexus-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-1(config)# feature interface-vlan
nexus-1(config)# end
nexus-1# show feature | include interface
interface-vlan        1         enabled 
nexus-1#

Let’s add one vlan, add interface e2/2 to be part of that vlan, configure an IP address on that SVI and try to ping the remote device:

nexus-2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
nexus-2(config)# vlan 100
nexus-2(config-vlan)# name VLAN_TEST
nexus-2(config-vlan)# exit
nexus-2(config)# int e2/2
nexus-2(config-if)# switchport
nexus-2(config-if)# switchport mode access
nexus-2(config-if)# switchport access vlan 100
nexus-2(config-if)# exit
nexus-2(config)# interface vlan100
nexus-2(config-if)# ip address 2.2.2.2/24
nexus-2(config-if)# end
nexus-2# ping 2.2.2.1
PING 2.2.2.1 (2.2.2.1): 56 data bytes
Request 0 timed out
64 bytes from 2.2.2.1: icmp_seq=1 ttl=254 time=1.171 ms
64 bytes from 2.2.2.1: icmp_seq=2 ttl=254 time=0.828 ms
64 bytes from 2.2.2.1: icmp_seq=3 ttl=254 time=0.995 ms
64 bytes from 2.2.2.1: icmp_seq=4 ttl=254 time=0.87 ms

--- 2.2.2.1 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 0.828/1.016/1.171 ms
nexus-2#

As you can see above, the ping was successful.

How do you reach, from a Nexus, a device that is accessible via the management interface?

The two Nexus devices from the topology are in the same subnet:

nexus-1# show run interface mgmt0

!Command: show running-config interface mgmt0
!Time: Fri Nov 13 17:27:18 2013

version 6.2(1)

interface mgmt0
  vrf member management
  ip address 172.30.145.186/23

nexus-1#

nexus-2# sh run interface mgmt0

!Command: show running-config interface mgmt0
!Time: Fri Nov 13 17:27:41 2013

version 5.1(2)

interface mgmt0
  vrf member management
  ip address 172.30.145.187/23

nexus-2#

Let’s ping NEXUS-2 from NEXUS-1:

nexus-1# ping 172.30.145.187 vrf management
ping 172.30.145.187 vrf management
PING 172.30.145.187 (172.30.145.187): 56 data bytes
36 bytes from 172.30.145.186: Destination Host Unreachable
Request 0 timed out
64 bytes from 172.30.145.187: icmp_seq=1 ttl=254 time=1.159 ms
64 bytes from 172.30.145.187: icmp_seq=2 ttl=254 time=0.868 ms
64 bytes from 172.30.145.187: icmp_seq=3 ttl=254 time=0.914 ms
64 bytes from 172.30.145.187: icmp_seq=4 ttl=254 time=0.846 ms

--- 172.30.145.187 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 0.846/0.946/1.159 ms
nexus-1#

The key here is that you have to specify the management VRF to reach a device via the mgmt0 interface.

Viewing, saving and erasing configurations

You can view the configuration by using the command ‘show running-config’. This displays the entire configuration. Sometimes you only need to see a specific part of it, for instance a single interface; in that case, append the interface name to ‘show running-config’.

The configuration can be saved only by using ‘copy running-config startup-config’:

nexus-2# copy running-config startup-config
copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)...
nexus-2#

If you want to restore the device to its factory-default configuration without deleting the configuration line by line, you can delete the startup-config and reboot the device.

Well, this is kind of all about an initial configuration that you would need on a Nexus device.

Having reached this point of the article and read the first part, you should be familiar with:

  • boot sequence of a Nexus device
  • CLI modes
  • Interface configuration
