VDC (Virtual Device Contexts) on the Nexus 7K

- VDCs on the Nexus 7K are like IOS XR SDRs (Secure Domain Routers) and ASA firewall contexts.
- VDCs virtualize the control plane protocols of the Nexus 7K's management and control planes.
  - Unlike VLANs and VRFs, there is a separate control plane per VDC.
  - VLAN 10 in VDC 1 is not the same as VLAN 10 in VDC 2.
  - OSPF PID 1 in VDC 1 is not OSPF PID 1 in VDC 2.
  - These are separate Linux processes.

Why VDCs

- Logical roles in one chassis: core and aggregation (distribution) in the same switch.
- Multi-tenancy: in a shared environment, tenants get access to their own VDCs to make changes.
- Test lab environment.

VDC caveats

- Some features cannot co-exist in the same VDC:
  - No OTV and VLAN interfaces (SVIs) in the same VDC.
  - FCoE requires its own VDC. The FCoE VDC does not count towards your VDC total with SUP 1/2/2E (from "NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architecture", 2nd Edition). The FCoE license also doesn't require the VDC license.
  - F2 modules go in their own VDC.
- Maximum VDCs per supervisor:
  - SUP 1: 4 VDCs
  - SUP 2: 4 + 1 management VDC
  - SUP 2E: 8 + 1 management VDC (this requires an additional license)
- No internal cross-VDC communication and no route leaking (unlike VRFs). A physical cable can connect disparate VDCs together if needed.

Default VDC

- Always exists and cannot be removed (even VDC 0 in N5K).
- Manages all other VDCs and controls the resource allocations: VLANs, VRFs, routing table memory, etc.
- Can be in the data plane, but it's not recommended; it should be used for management only.
- All ports are in the default VDC by default until you assign them to another VDC.
- Global commands must be issued in the default VDC, such as:
  - VDC creation, deletion and suspend
  - Resource allocation (interfaces, memory, etc.)
  - NX-OS upgrade across all VDCs; ISSU or EPLD upgrades to enable new features
  - Ethanalyzer (control plane traffic)
  - Feature-set installation (N2Ks, FabricPath, FCoE, etc.)
  - Control Plane Policing (CoPP)
  - Port channel load balancing hash
  - Hardware FDS check
  - Control ACL capture feature
  - System-wide QoS

Creating VDCs

- VDCs are defined in global configuration of the default VDC.
- VDC naming: default VDC hostname + VDC name. You can change this default with "no vdc combine-hostname".
- VDCs have their own MAC address from the backplane SPROM (Serial Programmable Read Only Memory). This is used for the STP bridge ID. The pool can be verified with "show sprom backplane"; each VDC gets a unique MAC address.
- Port grouping is unique per line card, and the NX-OS parser checks that the entire port group is allocated automatically:
  - M1 = 4-port groups, split odd/even: 1,3,5,7 is group one, 2,4,6,8 is group two, etc.
  - F1 = 2-port groups: 1,2 is group 1, 3,4 is group 2, etc.

Limiting VDC resources

- A VDC can have defined limits, such as VLANs, VRFs, M1 modules only, or F1 modules only.
- Configure with "limit-resource" under VDC configuration mode, or with "vdc resource template" in global configuration mode.
  - Templates don't automatically re-apply if a change is made.
  - If not configured, the maximum is assigned to all VDCs.
- All changes to VDCs are disruptive.
- Rate mode per module ("rate mode"): shared or dedicated.
- Unallocated or unsupported interface types automatically go to VDC 0 (the default VDC).
- Verification commands: "show vdc membership" and "show vdc resources" (VLANs, VRFs, SPAN, etc.).

Moving between VDCs

- From the default VDC as admin: "switchto" is needed for the initial setup of non-default VDCs; "switchback" returns to the default VDC.
- Similar to "changeto context" in ASA firewalls.

VDC management

- CMP: this is a completely separate Linux box. You could reboot the switch and still have access to the switch. It is the out-of-band management interface.
- The physical mgmt0 interface is shared between all VDCs, with a separate IP and MAC address per VDC. Traffic cannot leak between mgmt0 ports; mgmt0 lives in a management VRF.
- "feature telnet" and "feature ssh" are off by default.
- Each VDC has its own local user DB.
- Console access lands in the default VDC.

VDC user rights

- Non-default VDC:
  - vdc-admin = all read/write for that particular VDC
  - vdc-operator = read-only access to that particular VDC
  - From these user rights you cannot switchback to the default VDC.
- Default VDC:
  - network-admin = vdc-admin
  - network-operator = vdc-operator
- Commands for the current user's rights: "where detail", "show user information".

VDC high availability

- What happens to a VDC when it crashes? Options: RESTART vdc, BRINGDOWN vdc, RELOAD supervisor, SWITCHOVER to standby supervisor.
- The HA policy will differ depending on a single-SUP or dual-SUP chassis.
- Configure "ha-policy" and "boot-order"; verify with "show vdc detail".
- Different VDC policies can be configured for different VDCs.

Configuring VDCs (walkthrough)

- Enter configuration mode with "config t". "vdc N7k-1-1" is the default VDC and shows you the help.
- "vdc N7K1-2" creates the VDC (this takes a while, upwards of 1-2 minutes). After this it lands you in that VDC context, where you can allocate interfaces.
- "allocate interface e1/9-16": it will ask if you want to remove the ports from the current VDC.
- "allocate interface e2/9": it will tell you that it will include the other ports of the port group assigned to the ASIC for that allocation. As the output shows, it included ports 2/9-10, as it's an F1 module with port groupings broken up into 2 ports each.
- boot-order = 1 (the default VDC is 0 and will always boot first).
- You can configure for dual or single supervisors: "ha-policy single-sup bringdown dual-sup switchover". You can define both in one command, so the dual-sup policy applies when you install a secondary supervisor into the chassis.
- When you switchto VDC N7K1-2 it lands you in the setup script, which asks if you want to configure a strong password policy and such, and also configures a user in the VDC 2 local DB.
- Saving the configuration: "copy running-config startup-config" or "copy running-config startup-config vdc-all". "dir bootflash:" shows the different directories for each VDC. If you are logged into VDC 2 you can only save that VDC's config and NOT vdc-all.
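A worked configuration session, added here as an example and not the original notes' session or Cisco output: from the default VDC it creates a tenant VDC, caps its resources with a template so one tenant cannot starve the others, allocates an F1 port group, sets the HA policy and boot order, and verifies the result before handing the VDC over. The hostnames (N7K1, N7K1-2), the template name TENANT-A and the resource numbers are constructed, and the interactive confirmation prompts are left out.

```cisco
! Added example with constructed names; all of this runs in the default VDC as network-admin.
N7K1# configure terminal
! Resource template: upper bounds on what the new VDC may consume (VLANs, VRFs, IPv4 route memory in MB)
N7K1(config)# vdc resource template TENANT-A
N7K1(config-vdc-template)# limit-resource vlan minimum 16 maximum 512
N7K1(config-vdc-template)# limit-resource vrf minimum 2 maximum 16
N7K1(config-vdc-template)# limit-resource u4route-mem minimum 8 maximum 16
N7K1(config-vdc-template)# exit
! Create the VDC bound to the template (allow 1-2 minutes); later edits to the template do not re-apply
N7K1(config)# vdc N7K1-2 template TENANT-A
! Restrict the VDC to F1 line cards only
N7K1(config-vdc)# limit-resource module-type f1
! F1 port groups are 2 ports wide, so allocating e2/9 also moves e2/10; the parser prompts for confirmation
! and removes any config those ports carried in the source VDC
N7K1(config-vdc)# allocate interface ethernet 2/9
! Crash handling: bring the VDC down on a single-sup chassis, switch over on a dual-sup chassis
N7K1(config-vdc)# ha-policy single-sup bringdown dual-sup switchover
! Default VDC is always boot-order 0; this VDC comes up next
N7K1(config-vdc)# boot-order 1
N7K1(config-vdc)# exit
N7K1(config)# exit
! Verify membership, limits and HA policy before the tenant gets access
N7K1# show vdc membership
N7K1# show vdc resources
N7K1# show vdc N7K1-2 detail
! First entry runs the setup script (password policy, local vdc-admin user in the VDC's own user DB)
N7K1# switchto vdc N7K1-2
! Inside the VDC the prompt carries the combined hostname; "where detail" shows the current VDC and role
N7K1-N7K1-2# where detail
N7K1-N7K1-2# switchback
! vdc-all saves every VDC's startup config and is only available from the default VDC
N7K1# copy running-config startup-config vdc-all
```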