Blog‎ > ‎

VDC's with the Nexus 7K's

posted Oct 16, 2013, 8:31 PM by Rick McGee   [ updated Mar 18, 2014, 9:33 PM ]
VDC with the Nexus 7K's
VDC's are like IOS XR SDR (Secure Domain Router) and ASA Firewall contexts
VDC's virtualize the control plane protocols of the Nexus 7K's
    Management and control planes
    Unlike VLAN's and VRF's
    Separate control plan per VDC
Separate control plane per VDC
    VLAN 10 in VDC 1 is not the same as VSAN 10 in VDC 2
    OSPF PID 1 in VDC 1 is not OSPF PID 1 in VDC 2
        These are separate Linux processes
Why VDC's 
    Logical roles in one chassis
    Core and Aggregation (Distribution) in the same switch
        Shared Environment access to own VDC's to make changes 
    Test Lab Environment
VDC's Caveats
    Some features cannot co-exist in the same VDC
        No OTV and VLAN (SVI's) in the same VDC
        FCOE requires it's own VDC (FCOE VDC does not count towards your VDC total with SUP 1/2/2E (from the NX-OS and Cisco Nexus Switching Next-Generation Data Center Architecture 2nd Edition)
        The FCOE license also doesn't require the VDC license
        F2 modules in their own VDC

SUP 1 4 Max VDC's 
SUP 2 4 + 1 Management VDC's 
SUP 2E 8 +1 Management VDC's (this requires an additional license)
No internal cross VDC communication
    No route leaking (like in VRF's)
    Physical cable can connect disparate VDC's together if needed.
Default VDC
    Always exists Cannot be removed (even VDC 0 in N5K)
    Manages all other VDC's         
    Controls the resources allocations
        VLAN's, VRF's, Routing Table memory etc....
    Can be in the data plane, but it's not recommended. 
        Should be used for management only
    All ports are in the default  VDC by default until you assign them to another VDC
   If there is a global command to be issued, it must be performed in the default VDC. Such as
        VDC Creation, deletion, and suspend
        resource allocation - interfaces, memory, etc....
        NX-OS upgrade across all VDC's
        ISSU or EPLD upgrades to enable new features
        Ethanalyzer - control plane traffic
        Feature-Set installation N2K's, FabricPath, FCOE, etc...
        Control Plan Policing CoPP
        Port Channel load balancing hash
        Hardware FDS check control
        ACL Capture feature
        System wide QoS
Creating VDC's
    VDC's are defined in global configuration or the default VDC
VDC Naming
    Default VDC number + VDC Name
        You can change this default with "no vdc combine-hostname"
VDC's have their on MAC address from the backplane SPROM (Serial Programmable Read Only Memory)
    This is used for STP bridge ID
    Pool can be verified from the "show sprom backplane"
    Unique MAC address
Port Grouping is unique per line card Port Group
    M1= 4 Port odd/even 1,3,5,7 Group one 2,4,6,8 Group two etc.....
    F1 = 2 Port 1,2 Group 1 3,4 Group 2 etc....
    The NX-OS parser checks to ensure that the entire port group is allocated automatically 
Limiting VDC Resources 
    Can have defined limits
    Such as VLAN's, VRF's M1 modules only , F1 modules only 
Configure with....
    "limit-rsource under VDC configuration mode
    "vdc resource template" in the global
        Templates don't automatically re-apply if a change is made
        All changes to VDC's are disruptive 

Rate Mode per Module
    "Rate Mode" Shared or dedicated
    Unallocated or unsupported interface types automatically go to VDC0 (Default)
VDC Command
    "show vdc membership"
    "show vdc resources"
        VLAN's, VRF's, SPAN etc....
Configure As
    Limit-Resource under vdc configuration mode
    vdc resource template in global configuration mode
    If not configured, it will assign maximum to all VDC's
Moving between VDC's
    Default VD Admin
            switchto = needed for initial setup of non-default VDC's
            switchback= return to default VDC
    Similar to "changeto context" in ASA firewalls

VDC Management CMP
    This is complete separate linux box 
    Could reboot the switch and have access to the switch 
    Out of band mgmt interface
Physical mgmt0 interface overlaps between all VDC's 
    Separate IP and MAC addresses per VDC
    Traffic cannot leak between mgmt0 ports
    In a mgmt0 VRF
    "freature telnet" and "feature ssh" are off by default
 Each VDC has it's own local user DB
Console Access
    Default VDC
    Separate IP + MAC address per VDC
VDC User rights
    Non-Default VDC
        VDC-Admin = All read/write for that particular VDC
        VDC-Operator= read only access to that particular VDC
            From this user rights you cannot switchback to the default VDC
        Network-Admin= VDC-Admin
Commands for current user rights
    "where detail"   
    "show user information"
VDC High Availability
    What happens to a VDC when it crashes
        RESTART vdc, BRINGDOWN vdc, RELOAD supervisor, SWITCHOVER to standby supervisor
    HA Policy will be different depend on on single SUP or dual SUP chassis

    Configure ha-policy
    'show vdc detail"
    Can configure different VDC polices for different VDC's

This is the default VDC with all modules allocated to that VDC it has all VLAN's u4route (unicast routes) m4route (multicast routes) assigned to it.
    When creating additional VDC's you would take away form the default VDC's allocations 
Configure VDC's 
   enter configuration mode config t 
    vdc N7k-1-1 is the default and shows you the the help 
    "vdc n7K1-2" 
        This will create the VDC( this will take awhile upwards 1-2 minutes)
    After this will land you in that VDC contexts where you can allocate interfaces
        "allocate interface e1/9-16"
            It will ask if you want to remove form the current VDC
        "allocate interface e2/9"    
            It will tell you that it will include the other ports in the port's assigned to the ASIC group for that allocation 

As you can see form the output above it included ports 2/9-10 as it's a F1 module with port groupings broken up into 2 ports each
Boot-order = 1 (default vdc =0 and will always boot first)

You can configure for dual or single supervisors 
    "ha-policy singe-sup bringdown dual-sup switchover" 
        You can define both in the command so when you install an secondary supervisor into the chassis

When you switchto VDC N7K1-2 it will land you into the setup script 
    Will ask you if you want to configured strong password policy and such
    Will will also configured a user for the VDC 2 local DB

Saving the configuration 
    "copy running-config startup-config"
    "copy running-config startup-config vdc-all"

dir bootflash:
this shows the different directories for each VDC
    If you logged into the VDC 2  you can only save that config and NOT vdc-all