VDC with the Nexus 7K's
VDC's are like IOS XR SDR (Secure Domain Router) and ASA Firewall contexts
VDC's virtualize the control plane protocols of the Nexus 7K's
Management and control planes
Unlike VLAN's and VRF's
Separate control plane per VDC
VLAN 10 in VDC 1 is not the same as VLAN 10 in VDC 2
OSPF PID 1 in VDC 1 is not OSPF PID 1 in VDC 2
These are separate Linux processes
Logical roles in one chassis
Core and Aggregation (Distribution) in the same switch
Shared environment: each group gets access to its own VDC to make changes
Test Lab Environment
Some features cannot co-exist in the same VDC
No OTV and VLAN (SVI's) in the same VDC
FCOE requires its own VDC (the FCOE VDC does not count towards your VDC total with SUP 1/2/2E; from the NX-OS and Cisco Nexus Switching Next-Generation Data Center Architecture 2nd Edition)
The FCOE license also doesn't require the VDC license
F2 modules in their own VDC
SUP 1: 4 max VDC's
SUP 2: 4 + 1 Management VDC's
SUP 2E: 8 + 1 Management VDC's (this requires an additional license)
No internal cross VDC communication
No route leaking (like in VRF's)
Physical cable can connect disparate VDC's together if needed.
The default VDC always exists and cannot be removed (even VDC 0 in N5K)
Manages all other VDC's
Controls the resource allocations
VLAN's, VRF's, routing table memory, etc.
Can be in the data plane, but it's not recommended.
Should be used for management only
All ports are in the default VDC by default until you assign them to another VDC
If there is a global command to be issued, it must be performed in the default VDC, such as:
VDC Creation, deletion, and suspend
Resource allocation - interfaces, memory, etc.
NX-OS upgrade across all VDC's
ISSU or EPLD upgrades to enable new features
Ethanalyzer - control plane traffic
Feature-set installation: N2K's, FabricPath, FCOE, etc.
Control Plane Policing (CoPP)
Port Channel load balancing hash
Hardware IDS check control
ACL Capture feature
System wide QoS
VDC's are defined in global configuration or the default VDC
Default VDC number + VDC Name
You can change this default with "no vdc combine-hostname"
VDC's have their own MAC address from the backplane SPROM (Serial Programmable Read Only Memory)
This is used for STP bridge ID
The pool can be verified with "show sprom backplane"
Unique MAC address
Port grouping is unique per line card port group
M1 = 4-port groups, odd/even: 1,3,5,7 = group one; 2,4,6,8 = group two; etc.
F1 = 2-port groups: 1,2 = group 1; 3,4 = group 2; etc.
The NX-OS parser checks to ensure that the entire port group is allocated automatically
Limiting VDC Resources
Can have defined limits
Such as VLAN's, VRF's, M1 modules only, F1 modules only
"limit-resource" under VDC configuration mode
"vdc resource template" in global configuration mode
Templates don't automatically re-apply if a change is made
All changes to VDC's are disruptive
Rate Mode per Module
"Rate Mode" Shared or dedicated
Unallocated or unsupported interface types automatically go to VDC0 (Default)
"show vdc membership"
"show vdc resources"
VLAN's, VRF's, SPAN, etc.
"limit-resource" under VDC configuration mode
"vdc resource template" in global configuration mode
If not configured, it will assign maximum to all VDC's
Moving between VDC's
Default VDC Admin
switchto = needed for initial setup of non-default VDC's
switchback = return to default VDC
Similar to "changeto context" in ASA firewalls
VDC Management CMP
This is a completely separate Linux box
Could reboot the switch and still have access to the switch
Out of band mgmt interface
Physical mgmt0 interface overlaps between all VDC's
Separate IP and MAC addresses per VDC
Traffic cannot leak between mgmt0 ports
In a mgmt0 VRF
"feature telnet" and "feature ssh" are off by default
Each VDC has its own local user DB
Separate IP + MAC address per VDC
VDC User rights
VDC-Admin = All read/write for that particular VDC
VDC-Operator = read-only access to that particular VDC
With these user rights you cannot switchback to the default VDC
Commands for current user rights
"show user information"
VDC High Availability
What happens to a VDC when it crashes
RESTART vdc, BRINGDOWN vdc, RELOAD supervisor, SWITCHOVER to standby supervisor
The HA policy will be different depending on a single-SUP or dual-SUP chassis
"show vdc detail"
Can configure different VDC policies for different VDC's
Enter configuration mode: "config t"
vdc N7k-1-1 is the default and shows you the help
This will create the VDC (this will take a while, upwards of 1-2 minutes)
After this it will land you in that VDC's context, where you can allocate interfaces
"allocate interface e1/9-16"
It will ask if you want to remove them from the current VDC
"allocate interface e2/9"
It will tell you that the allocation will also include the other ports assigned to the same ASIC port group
As you can see from the output above, it included ports 2/9-10, as it's an F1 module with port groupings broken up into 2 ports each
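The port-group behaviour noted above (M1 four-port odd/even groups, F1 two-port groups, e2/9 pulling in e2/10), as an added Python example that is not part of the original notes or any Cisco tooling. It assumes the M1 pattern repeats every eight ports (9,11,13,15 then 10,12,14,16, and so on), which the notes only imply with "etc."; the VDC name N7K1-3 and the sample requests are constructed.

```python
# Added example: port-group layouts as described in these notes.
# M1: 4-port groups split odd/even inside each block of 8 ports (assumed to repeat).
# F1: 2-port groups of consecutive ports.

def port_group(module_type, port):
    """Return the sorted ports that share a port group with `port`."""
    if port < 1:
        raise ValueError("port numbers start at 1")
    kind = module_type.upper()
    if kind == "M1":
        base = (port - 1) // 8 * 8              # start of the 8-port block
        first = base + (1 if port % 2 else 2)   # odd or even group in that block
        return [first, first + 2, first + 4, first + 6]
    if kind == "F1":
        first = port if port % 2 else port - 1
        return [first, first + 1]
    raise ValueError(f"no port-group layout known for {module_type!r}")


def expand_allocation(module_type, requested):
    """Expand requested ports to whole port groups; also report the extras."""
    requested = list(requested)
    allocated = set()
    for p in requested:
        allocated.update(port_group(module_type, p))
    extras = sorted(allocated - set(requested))  # ports that move along uninvited
    return sorted(allocated), extras


def check_no_overlap(module_type, requests_by_vdc):
    """Return {(vdc_a, vdc_b): shared_ports} for requests that collide
    once each request is expanded to whole port groups."""
    expanded = {v: set(expand_allocation(module_type, r)[0])
                for v, r in requests_by_vdc.items()}
    clashes = {}
    names = sorted(expanded)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = expanded[a] & expanded[b]
            if shared:
                clashes[(a, b)] = sorted(shared)
    return clashes


if __name__ == "__main__":
    print(expand_allocation("F1", [9]))            # e2/9 on an F1 module
    print(expand_allocation("M1", range(9, 17)))   # e1/9-16 on an M1 module
    # Constructed plan: two VDC's asking for ports in the same M1 group
    print(check_no_overlap("M1", {"N7K1-2": [1, 3], "N7K1-3": [5]}))
```

Running a planned allocation through this before the change shows which extra ports will cross the VDC boundary and whether two VDC's are competing for the same port group.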
Boot-order = 1 (default vdc =0 and will always boot first)
You can configure for dual or single supervisors
"ha-policy single-sup bringdown dual-sup switchover"
You can define both in the command so when you install a secondary supervisor into the chassis
When you switchto VDC N7K1-2 it will land you into the setup script
It will ask you if you want to configure a strong password policy and such
It will also configure a user for the VDC 2 local DB
Saving the configuration
"copy running-config startup-config"
"copy running-config startup-config vdc-all"
This shows the different directories for each VDC
If you are logged into VDC 2, you can only save that config and NOT vdc-all