3-DC/Nexus Operating System (NX-OS) Command Line Interface (CLI).

In this post I will cover the NX-OS Command Line Interface (CLI), so that we know which features the Nexus switches support and how to configure them from the NX-OS CLI (where possible). The CLI commands I provide are taken either from the UNL Titanium image or from real Nexus devices.

NX-OS has a different concept and hierarchy from classic IOS. Classic IOS follows the idea of "from the zero IOS to the all-in-one IOS": Cisco offers different IOS versions, from the first version, which provides only the very basic features needed for basic operation, up to the most advanced version, which is the all-in-one IOS. For example, Cisco offers IP Base, IP Services, SP Services, Enterprise Services, Advanced Security, Advanced Enterprise Services, and so on. This concept lets you choose the IOS version according to your design or implementation, that is, according to what you actually want to deploy in your network, and from that you determine which IOS version you need to install. As an example, assume you only want simple IPv4 routing with no need for IPv6: the IP Base version is perfect for your needs. If you also need some security features, that version cannot help you, and you need a more advanced version such as Advanced Security, Advanced IP Services or Advanced Enterprise Services (which supports the top-most security features). I think you got the point about this part.

IOS-XE and modern IOS support the concept of an all-in-one (universal) IOS, which means the image contains everything (routing, security, voice, ...), but the features are not enabled. Why? Because you have to buy the license you need: the configuration commands are present, but you cannot use them until you request the license that activates them.

NX-OS can be said to be similar to the universal IOS: all the features are programmed into NX-OS, but you still need to buy the license that enables the functionality you need. Is that all we need? No. Once you buy and activate the license, you still need to globally enable the specific feature you want to deploy, because until you do, neither the configuration commands nor the verification (show) commands related to that feature are available as valid CLI commands. NX-OS also allows you to perform the initial switch configuration the way Cisco IOS does, through a dialog of questions and answers that configures some basic settings. First, NX-OS asks whether you want to configure the basic functionality using the "basic configuration dialog", as shown in the following figure from the Cisco website:

Enter the password for "admin":
Confirm the password for "admin":
---- Basic System Configuration Dialog VDC: 1 ----
This setup utility will guide you through the basic configuration of the system. Setup 
configures only enough connectivity for management of the system. 
Please register Cisco Nexus7000 Family devices promptly with your supplier. Failure to 
register may affect response times for initial service calls. Nexus7000 devices must be 
registered to receive entitled support services. 
Press Enter at anytime to skip a dialog. Use ctrl-c at anytime to skip the remaining 
dialogs.
Would you like to enter the basic configuration dialog (yes/no):

Then NX-OS asks you some questions so that you can configure the basic functionality of the switch, such as the following:
1-Configure a new username and password.
2-Define the role for this user: (network-operator|network-admin|vdc-operator|vdc-admin) [network-operator]; I will describe the roles later.
3-Configure the SNMP community.
4-Configure the switch name.
5-Enable the grace period license; I will explain the meaning of the grace period license later.
6-Configure the IPv4 address and subnet mask of the Mgmt0 interface.
7-Configure the IPv4 default gateway reachable via the Mgmt0 interface.
and other settings that you can configure as well.

As mentioned, to configure a certain feature you have to know which license it belongs to so that you can purchase that license. If you only need to test some configurations, you can enable the features without buying the license (for testing only) using the "grace period license" feature, which lets you enable the different features, configure them and verify their full operation for 120 days. Once the 120 days expire, NX-OS disables the grace period: you cannot use the features any more, all the configuration of the features you enabled for testing is removed, and you are forced to purchase the license you want. If you enable this feature on a Nexus 7K, it applies only to the Admin VDC.

The grace period license feature can be enabled using the following command:

Nx-OS-N7K#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Nx-OS-N7K(config)#license grace-period

A Nexus switch has two images, the kickstart image and the system image. When we power on the switch, the kickstart image is loaded first, as it provides the Linux kernel, the basic switch drivers and the initial file system; the system image is loaded next and provides the services and functionality supported by that image, so that it can run the Layer 2, Layer 3 and up to Layer 7 services and the more advanced features mentioned in the first post, 1-DC/Nexus Operating System (NX-OS) overview, that are supported by NX-OS.

NX-OS has some differences regarding the CLI. It takes you directly to the privilege/exec mode (NX-OS-N7K#) when you log in, rather than to the user/exec mode as Cisco IOS does. It also lets you enable and disable the features that exist in the license you have purchased: the "feature" global configuration command enables a feature you want to deploy, and "no feature" disables a feature you do not need. If a feature is enabled, the configuration and verification commands related to it are available as CLI commands; if the feature is disabled, the commands are not available.
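
The feature/no feature model above lends itself to a simple configuration-drift check: every enabled feature brings its own control-plane service and CLI surface with it, so the set of enabled features should match the design. The following Python script is an added example and is not code from the original post or from Cisco. It parses "show feature" output (the sample below is constructed to mirror the format shown later in this post), compares the enabled features against an assumed approved list, and emits the "feature" / "no feature" lines that would restore the baseline. The sshServer-to-ssh name mapping follows the commands shown in this post; the telnetServer-to-telnet mapping is an assumption.

```python
"""Enabled-feature drift check from `show feature` output (added example, not from the post)."""
import re

# Constructed sample of `show feature` output in the format shown in this post; not from a device.
SAMPLE_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
bgp                   1         disabled
eigrp                 1         enabled
interface-vlan        1         enabled
sshServer             1         enabled
telnetServer          1         enabled
vtp                   1         enabled
"""

# Assumed design baseline: the only features this switch is meant to run.
APPROVED_FEATURES = {"bgp", "eigrp", "interface-vlan", "sshServer"}

# `show feature` names differ from the keyword used with `feature` / `no feature` for some
# services. sshServer -> ssh follows the commands shown in this post; telnetServer -> telnet
# is an assumption. Names not listed are used unchanged (e.g. eigrp, vtp).
FEATURE_KEYWORD = {"sshServer": "ssh", "telnetServer": "telnet"}

# One row: name, instance number, state. Header and separator rows do not match.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<instance>\d+)\s+(?P<state>enabled|disabled)\s*$")


def parse_show_feature(text):
    """Return {feature_name: 'enabled' | 'disabled'} parsed from `show feature` text."""
    features = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            features[m.group("name")] = m.group("state")
    return features


def feature_drift(text, approved):
    """Return (unexpected_enabled, approved_but_not_enabled), each sorted, against `approved`."""
    enabled = {name for name, state in parse_show_feature(text).items() if state == "enabled"}
    return sorted(enabled - set(approved)), sorted(set(approved) - enabled)


def remediation_commands(text, approved):
    """Global-configuration lines that bring the enabled-feature set back to the baseline."""
    unexpected, missing = feature_drift(text, approved)
    cmds = [f"no feature {FEATURE_KEYWORD.get(name, name)}" for name in unexpected]
    cmds += [f"feature {FEATURE_KEYWORD.get(name, name)}" for name in missing]
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_SHOW_FEATURE, APPROVED_FEATURES):
        print(cmd)
```

Against the constructed sample the script reports telnetServer and vtp as enabled but not approved, and bgp as approved but not enabled, so it prints "no feature telnet", "no feature vtp" and "feature bgp". Replace the sample with saved output from a real switch and the approved set with the design baseline; the same check can run on every VDC, since each VDC has its own feature set.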

All the interfaces on Nexus switches are labeled "Ethernet" from the CLI point of view, regardless of their operational speed (100 Mbps, 1 Gbps, 10 Gbps, 40 Gbps or 100 Gbps), so the interface name gives no indication of its operational speed.

As mentioned in the first Nexus post, 1-DC/Nexus Operating System (NX-OS) overview, NX-OS allows configuring Virtual Device Contexts (VDCs), which partition the physical switch into multiple virtual switches. When you log in to the Nexus switch, you enter the default VDC, which is VDC number 1.

Now, let’s talk about the NX-OS CLI for the different modes we have (Exec, Global configuration, interface configuration mode, ….)

1-Privilege/Exec mode:

When we log in to the switch, NX-OS takes us directly to the privilege/exec mode instead of the user/exec mode. As we already know from IOS, we can issue the following commands in this mode:

  • Show information about enabled features, interface statistics, the kickstart and system images, CPU utilization or anything else on NX-OS using "show" commands:
NX-OS-N7K# show feature | include enabled
interface-vlan 1 enabled 
sshServer 1 enabled 
vtp 1 enabled 
NX-OS-N7K#
NX-OS-N7K# show interface Ethernet2/1
Ethernet2/1 is up
admin state is up, Dedicated Interface
 Hardware: 10/100/1000 Ethernet, address: 5000.0001.0001 (bia 5000.0001.0001)
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, medium is broadcast
 Port mode is access
 1000 Mb/s full-duplex,
 Beacon is turned off
 Auto-Negotiation is turned off
 Input flow-control is off, output flow-control is off
 Auto-mdix is turned off
 Switchport monitor is off 
 EtherType is 0x8100 
 EEE (efficient-ethernet) : n/a
 Last link flapped 00:01:32
 Last clearing of "show interface" counters never
 2 interface resets
 Load-Interval #1: 0 seconds
 0 seconds input rate 0 bits/sec, 0 packets/sec
 0 seconds output rate 0 bits/sec, 0 packets/sec
 Load-Interval #2: 0 seconds
 0 seconds input rate 0 bits/sec, 0 packets/sec
 0 seconds output rate 0 bits/sec, 0 packets/sec
 RX
 0 unicast packets 0 multicast packets 0 broadcast packets
 0 input packets 0 bytes
 0 jumbo packets 0 storm suppression packets
 0 runts 0 giants 0 CRC/FCS 0 no buffer
 0 input error 0 short frame 0 overrun 0 underrun 0 ignored
 0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
 0 input with dribble 0 input discard
 0 Rx pause
 TX
 0 unicast packets 0 multicast packets 0 broadcast packets
 0 output packets 0 bytes
 0 jumbo packets
 0 output error 0 collision 0 deferred 0 late collision
 0 lost carrier 0 no carrier 0 babble 0 output discard
 0 Tx pause
NX-OS-N7K# show boot current

kickstart variable = bootflash:/titanium-d1-kickstart.7.0.1.ZD.0.216.bin
system variable = bootflash:/titanium-d1.7.0.1.ZD.0.216.bin
Boot POAP Disabled
No module boot variable set
NX-OS-N7K#
NX-OS-N7K# show processes cpu sort

CPU utilization for five seconds: 6%/1%; one minute: 9%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
----- ----------- -------- ----- ------ ------ ------ --- -----------
 6 5240 1103 4 1.58% 1.73% 1.11% - events/0
 3284 7140 2164 3 0.99% 1.23% 1.21% - port_client
 7535 1280 532 2 0.79% 0.32% 0.18% S0 vsh
 3249 630 755 0 0.19% 0.19% 0.12% - sysinfo
 3283 1150 18846 0 0.19% 0.25% 0.18% - ori_fwd
--More--

and so on.

  • Debug control plane protocol events, packet forwarding and other subsystems using "debug" commands.
NX-OS-N7K# debug spanning-tree bpdu_tx interface Ethernet2/2
NX-OS-N7K# undebug 2018 Jan 14 01:08:00.814318 stp: MST[0]:-TX> Ethernet2/2 BPDU Prot:0 Vers:3 Type:2
2018 Jan 14 01:08:00.814395 stp: MST[0]: Role :Desg Flags[AFL] Age:0
2018 Jan 14 01:08:00.814406 stp: RemHops:20
2018 Jan 14 01:08:00.814416 stp: MST[0]: CIST_root:32768.5000.0001.002f Cost :0
2018 Jan 14 01:08:00.814427 stp: MST[0]: Reg_root :32768.5000.0001.002f Cost :0
2018 Jan 14 01:08:00.814436 stp: MST[0]: Bridge_ID:32768.5000.0001.002f Port_ID:33026
2018 Jan 14 01:08:00.814445 stp: MST[0]: max_age:20 hello:2 fwdelay:15
2018 Jan 14 01:08:00.814454 stp: MST[0]: V3_len:96 region:MST-IP-FOR-EXPERTS rev:20Num_mrec: 2
2018 Jan 14 01:08:00.814464 stp: MST[1]:-TX> Ethernet2/2 MREC
2018 Jan 14 01:08:00.814474 stp: MST[1]: Role :Desg Flags[AFL] RemHops:20
2018 Jan 14 01:08:00.814484 stp: MST[1]: Root_ID :32769.5000.0001.002f Cost :0
2018 Jan 14 01:08:00.814496 stp: MST[1]: Bridge_ID:32769.5000.0001.002f Port_id:33026
2018 Jan 14 01:08:00.814505 stp: MST[2]:-TX> Ethernet2/2 MREC
2018 Jan 14 01:08:00.814514 stp: MST[2]: Role :Desg Flags[AFL] RemHops:20
2018 Jan 14 01:08:00.814523 stp: MST[2]: Root_ID :32770.5000.0001.002f Cost :0
2018 Jan 14 01:08:00.814533 stp: MST[2]: Bridge_ID:32770.5000.0001.002f Port_id:33026
2018 Jan 14 01:08:00.814545 stp: vb_vlan_shim_send_bpdu(2118): VDC 1 Vlan 1 port Ethernet2/2 enc_type 2 len 134 
NX-OS-N7K# undebug all
NX-OS-N7K# debug ip packet protocol icmp
NX-OS-N7K# 2018 Jan 14 01:14:18.227853 netstack: [3368] (default) Rcvd packet on Vlan2 (mbuf_prty 0): s=2.2.2.2, d=7.7.7.1, proto=1 (icmp), ip_len=100, id=0027, ttl=255 
2018 Jan 14 01:14:18.227941 netstack: [3368] (default) Send packet on Vlan2 (mbuf_prty 0): s=7.7.7.1, d=2.2.2.2, nh=2.2.2.2, proto=1 (icmp), ip_len=100, id=0027, ttl=255 
2018 Jan 14 01:14:18.227974 netstack: [3368] (default) sending out on member Ethernet2/2

NX-OS-N7K# undebug all
  • Delete a file.
NX-OS-N7K# delete bootflash:TEST.txt
Do you want to delete "/TEST.txt" ? (yes/no/abort) [y] y
NX-OS-N7K#
  • Display the directories and files stored in the different locations.
NX-OS-N7K# dir bootflash:
 16565 Jun 17 12:42:08 2014 20140617_123941_poap_4132_init.log
 1715 Jun 17 22:30:02 2014 20140617_222839_poap_4443_init.log
 16384 Jun 17 12:37:15 2014 lost+found/
 4733 Jan 14 01:00:02 2018 mts.log
 54 Jan 04 05:25:06 2018 reload_replay.cfg
 4096 Jun 17 12:39:29 2014 scripts/
 32557568 Jun 14 10:09:05 2014 titanium-d1-kickstart.7.0.1.ZD.0.216.bin
 103565618 Jun 14 10:09:06 2014 titanium-d1.7.0.1.ZD.0.216.bin
 1804 Jan 14 01:01:04 2018 vlan.dat

Usage for bootflash://sup-local
 332378112 bytes used
 2865561600 bytes free
 3197939712 bytes total
NX-OS-N7K#
  • Test Layer 3 reachability using “ping” command.
NX-OS-N7K# ping 7.7.7.2
PING 7.7.7.2 (7.7.7.2): 56 data bytes
64 bytes from 7.7.7.2: icmp_seq=0 ttl=254 time=2.882 ms
64 bytes from 7.7.7.2: icmp_seq=1 ttl=254 time=1.776 ms
64 bytes from 7.7.7.2: icmp_seq=2 ttl=254 time=1.635 ms
64 bytes from 7.7.7.2: icmp_seq=3 ttl=254 time=1.671 ms
64 bytes from 7.7.7.2: icmp_seq=4 ttl=254 time=1.613 ms

--- 7.7.7.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 1.613/1.915/2.882 ms
NX-OS-N7K#
  • Check the Layer 3 path to a certain destination using the "traceroute" command.
NX-OS-N7K# traceroute 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
 1 7.7.7.2 (7.7.7.2) 2.093 ms * 1.842 ms
NX-OS-N7K#

And more commands are supported under the privilege/exec mode as well; it is not practical to list all of them 🙂 🙂

 

2-Global Configuration mode:

When we enter the global configuration mode, we can issue commands that affect the entire switch, which is why this mode is called "global". From the global configuration mode we can either make configurations that affect the switch globally or enter another, more specific, configuration mode to configure a specific functionality or service. As we already know from IOS, we enter the global configuration mode using the "configure terminal" command from the privilege/exec mode, and we can issue the following commands in this mode:

  • Configure the switch hostname.
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostname NX-OS-N7K
  • Configure banner.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# banner motd #Welcome To NX-OS#
NX-OS-N7K(config)# show banner motd 
Welcome To NX-OS
NX-OS-N7K(config)#
  • Configure boot variable for kickstart and system images.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# boot kickstart bootflash:titanium-d1-kickstart.7.0.1.ZD.0.216.bin
Performing image verification and compatibility check, please wait....
NX-OS-N7K(config)# boot system bootflash:titanium-d1.7.0.1.ZD.0.216.bin
Performing image verification and compatibility check, please wait....
NX-OS-N7K(config)#
  • Enter interface configuration mode.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/1
NX-OS-N7K(config-if)# switchport mode trunk
  • Enable the features.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# feature eigrp
  • We can also issue "show" commands directly in the global configuration mode, without the "do-exec" keyword that Cisco IOS requires before a "show" command in global configuration mode.
NX-OS-N7K(config)# show ip interface brief 
IP Interface Status for VRF "default"(1)
Interface IP Address Interface Status
Vlan7 7.7.7.1 protocol-up/link-up/admin-up 
NX-OS-N7K(config)#

And more commands are supported under the global configuration mode as well.

 

3-Interface Configuration mode:

As we already know, we enter the interface configuration mode to modify the configuration of a specific interface. As mentioned before, the Ethernet interfaces are just labeled "Ethernet" from the CLI point of view, so the name gives no indication of the operational speed and we cannot determine it from the name alone; we can find the operational speed by issuing "show interface Ethernet X/Y status", as follows:

NX-OS-N7K# show interface Ethernet2/1 status

--------------------------------------------------------------------------------
Port Name Status Vlan Duplex Speed Type
--------------------------------------------------------------------------------
Eth2/1 -- connected trunk full 1000 
NX-OS-N7K#

We can issue the following commands at this mode:

  • Change interface speed.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/1
NX-OS-N7K(config-if)# speed 1000
  • Change interface duplex.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/1
NX-OS-N7K(config-if)# duplex full
  • Change interface switchport mode.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/10
NX-OS-N7K(config-if)# switchport
NX-OS-N7K(config-if)# switchport mode access
  • Change interface IP address.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/10
NX-OS-N7K(config-if)# no switchport 
NX-OS-N7K(config-if)# ip address 192.168.1.1/24

We can use either the prefix length notation or dotted decimal notation to define the subnet mask for the IP address we need to assign to the routed/Layer 3 interface, this means that we can use either (ip address 192.168.1.1/24) or (ip address 192.168.1.1 255.255.255.0).

  • Change interface description.
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# interface Ethernet2/10
NX-OS-N7K(config-if)# description --- Connected to NX-OS-N7K-2 Ethernet2/10 ---

And more commands are supported under the interface configuration mode as well.

 

Now, let’s talk about the methods we can use to manage the Nexus switch:

1-Controller Processor or Supervisor Engine:

As mentioned in the first Nexus post, the Controller Processor or Supervisor Engine is the part responsible for both the control plane and the management plane. In other words, this component (CP or SE) is responsible for the two planes that let us run the required functionality and services of the different protocols and features supported by NX-OS (control plane) and let us manage the switch itself by different methods (management plane). As mentioned before, most Nexus switches support the installation of dual supervisor engines, one running as the active engine and the other in standby mode, and both are fully redundant thanks to SSO. When we need to upgrade the software we can use the ISSU feature: the standby engine becomes active, the previously active engine is upgraded, and then the roles are swapped to upgrade the other one. From both the control and the management plane point of view the engines are fully redundant, so if one fails for any reason we can still manage the switch via the other engine.

The CP or SE provides the management plane over either an in-band or an out-of-band connection. In-band means the management traffic is carried together with the normal user traffic over the normal network paths. Out-of-band means the management traffic has its own management network and travels over dedicated paths away from the user traffic, so it is completely isolated from the control and data planes, and we access the switch via its dedicated interface, called "Management0" or "MGMT0". The MGMT0 interface can operate at 10/100/1000 Mbps and is a member of the VRF "management" to ensure 100% isolation from the default control and data plane.
NX-OS allows virtualization of the management plane only on Nexus 7K switches, because of the VDC feature. As we already know, devices running IOS can be managed in several common ways, such as Telnet, SSH and SNMP, which we will talk about in the next sections.

2-Telnet:

As we already know, Telnet is the most popular protocol used for remote access, and we can use it to access the Nexus switch remotely; it uses TCP as its transport layer protocol. NX-OS supports both a Telnet client and a Telnet server, so we can telnet to another device from the NX-OS CLI using the client, and we can telnet to NX-OS itself using the server, which listens on TCP port 23. As we know, Telnet establishes a non-secure remote access connection between client and server, so it is recommended to use SSH instead, which provides a secure connection. The Telnet server is disabled by default on NX-OS. The following commands are used to configure the Telnet server feature on NX-OS:

NX-OS-N7K# show telnet server 
telnet service not enabled
NX-OS-N7K#
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# feature telnet 
NX-OS-N7K(config)# show telnet server 
telnet service enabled
NX-OS-N7K(config)#

Based on the previous output, we can deduce that the Telnet server feature is disabled by default; we then enabled it with the Telnet feature in global configuration mode.

3-SSH:

SSH is also a widely used protocol for remote access, and it establishes a secured connection between client and server. NX-OS supports both an SSH client and an SSH server, so we can SSH to another device from the NX-OS CLI using the client, and we can SSH to NX-OS itself using the server. SSH supports different authentication methods: RADIUS, TACACS+ and locally defined usernames and passwords. By default NX-OS generates an RSA key-pair of 1024 bits, and the SSH version must match between the SSH server and client for the connection to work. The SSH server feature is enabled by default on NX-OS. The following commands are used to configure the SSH server feature and generate the SSH RSA key-pair on NX-OS:

NX-OS-N7K# show ssh server 
ssh version 2 is enabled
NX-OS-N7K#
NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
NX-OS-N7K(config)# show ssh server 
ssh is not enabled
NX-OS-N7K(config)# ssh key rsa 2048 force 
deleting old rsa key.....
generating rsa key(2048 bits).....
.
generated rsa key
NX-OS-N7K(config)# feature ssh
NX-OS-N7K(config)# show ssh server 
ssh version 2 is enabled
NX-OS-N7K(config)# show ssh key rsa 
**************************************
rsa Keys generated:Sun Jan 14 01:34:52 2018

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9fU1X4FBaJGBtieqBO6xmNm7NJ8SZLFVueLAMGWOq
aUbfhrqqc8lzj3wkxfsggb4YTC97xh5eoJdJGVnyubLJS4jTkqCo4gAzGSDKbkd15/HUSXtt3M4kv07p
rOaPbrPw1Lz0K9z9KXoq9oN96yxopvD9+tF+25SGA60PP66XN9O2MP1c58+DMVSMZO1TtWz6Oxd0Qnad
Ak+0iKb/7t+FCSE6rAwZRp4c/1S7k6sisEuWFcbgCSJi+E46Czm6tt/8s8yJd677czX1jVTPA1Rx7i/C
Vrj7vYXx41+F4SX9hIcNnFewIfPeCFg8JDzNjF+Didaz1ybgnULYShrtsn0j

bitcount:2048
fingerprint:
88:1f:90:d8:aa:68:30:fd:42:40:72:a0:e0:6c:bd:25
**************************************
NX-OS-N7K(config)#
NX-OS-N7K(config)# username test password Cisc0-NX-0$

Based on the previous output, we can deduce that the SSH server feature is enabled by default, so I disabled it, generated a new SSH RSA key-pair and enabled it again. I also defined a username and password so that SSH can use the locally defined username and password database to authenticate the user trying to SSH to this NX-OS switch.

4-Simple Network Management Protocol (SNMP):

SNMP is an application layer protocol used to manage NX-OS. There are two entities: one acts as the SNMP agent and one as the SNMP server (manager), where the SNMP server is an SNMP-based tool used to manage the SNMP agent (IOS, IOS-XE, NX-OS, ...). The SNMP server uses SNMP for several purposes, which may be read-only or read/write: if you only need to collect information about a component of NX-OS, you only read information, so you need read-only privilege and not read/write; if you need to configure NX-OS through an SNMP-based tool, you certainly need read/write privilege. For this reason SNMP provides these two privilege modes for the different purposes you want. SNMP has different versions, SNMPv1, SNMPv2c and SNMPv3, and each version supports a certain level of security (with or without authentication, with or without encryption). SNMPv3 is the only version that supports both authentication and encryption, so the recommended implementation is SNMPv3: the information exchanged between the SNMP manager and the SNMP agent must be secured, and SNMPv3 is the only version that provides both confidentiality and integrity. The following commands are used to configure SNMP:

NX-OS-N7K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS-N7K(config)# snmp-server community COMMUNITY_RO ro
NX-OS-N7K(config)# snmp-server community COMMUNITY_RW rw
NX-OS-N7K(config)# snmp-server user TEST auth md5 PASSWORD_MD5 priv PASSWORD_DES 
NX-OS-N7K(config)# snmp-server host 1.1.1.1 version 2c COMMUNITY_HOST
NX-OS-N7K# show snmp community 
Community Group / Access context acl_filter 
_________ ______________ _______ __________ 
COMMUNITY_RO network-operator 
COMMUNITY_RW network-admin 
NX-OS-N7K#
NX-OS-N7K# show snmp user 
______________________________________________________________
 SNMP USERS 
______________________________________________________________

User Auth Priv(enforce) Groups acl_filter 
____ ____ _____________ ______ __________ 
TEST md5 des(no) network-operator

______________________________________________________________
 NOTIFICATION TARGET USERS (configured for sending V3 Inform) 
______________________________________________________________

User Auth Priv 
____ ____ ____ 
admin md5 des

(EngineID 128:0:0:9:3:0:0:0:0:0:0)

NX-OS-N7K#
NX-OS-N7K# show snmp host 
-------------------------------------------------------------------
Host Port Version Level Type SecName 
 
-------------------------------------------------------------------
1.1.1.1 162 v2c noauth trap COMMUNITY_HOST 
 
NX-OS-N7K#

Based on the previous output, I configured the SNMP read-only and read/write communities (COMMUNITY_RO) and (COMMUNITY_RW) respectively, configured an SNMP user (TEST) with two passwords, one for authentication (PASSWORD_MD5) and one for encryption (PASSWORD_DES), and defined the SNMP version (2c) and community (COMMUNITY_HOST) for a certain host (1.1.1.1) so that these settings override the global SNMP settings.
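
The Telnet, SSH and SNMP sections above each end with a "show" command whose output tells you whether the management plane is in the recommended state: Telnet server off, SSH server on with a 2048-bit RSA key, and SNMP limited to v3 users with authentication and privacy enforced. The following Python script is an added example, not code from the original post or from Cisco. It parses constructed samples of "show telnet server", "show ssh server", "show ssh key rsa", "show snmp community", "show snmp user" and "show snmp host" in the formats shown above and returns a list of findings. The 2048-bit minimum and the treatment of md5 and des as weak are assumptions of the example, consistent with the post's recommendation to regenerate the key at 2048 bits and to prefer SNMPv3.

```python
"""Audit NX-OS management-plane state from `show` output (added example, not from the post)."""
import re

# Constructed samples that mirror the output formats shown in the post; not captured from a device.
SHOW_TELNET_SERVER = "telnet service enabled\n"
SHOW_SSH_SERVER = "ssh version 2 is enabled\n"
SHOW_SSH_KEY_RSA = """\
**************************************
rsa Keys generated:Sun Jan 14 01:34:52 2018

ssh-rsa AAAAB3NzaC1yc2E...(constructed placeholder, not a real key)

bitcount:1024
fingerprint:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
**************************************
"""
SHOW_SNMP_COMMUNITY = """\
Community     Group / Access     context   acl_filter
_________     ______________     _______   __________
COMMUNITY_RO  network-operator
COMMUNITY_RW  network-admin
"""
SHOW_SNMP_USER = """\
User   Auth   Priv(enforce)   Groups             acl_filter
____   ____   _____________   ______             __________
TEST   md5    des(no)         network-operator
"""
SHOW_SNMP_HOST = """\
Host      Port   Version   Level    Type   SecName
1.1.1.1   162    v2c       noauth   trap   COMMUNITY_HOST
"""

# Row patterns; header and underline rows fail to match and are skipped.
COMMUNITY_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<group>network-admin|network-operator)\b")
USER_ROW = re.compile(r"^(?P<user>\S+)\s+(?P<auth>\S+)\s+(?P<priv>[^\s(]+)\((?P<enforce>yes|no)\)")
HOST_ROW = re.compile(r"^(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<version>v1|v2c|v3)\s+"
                      r"(?P<level>\S+)\s+(?P<type>\S+)\s+(?P<secname>\S+)")

WEAK_AUTH = {"md5"}   # assumed policy: HMAC-MD5 authentication is considered weak
WEAK_PRIV = {"des"}   # assumed policy: single DES privacy is considered weak


def telnet_server_enabled(text):
    """`show telnet server` prints 'telnet service enabled' or 'telnet service not enabled'."""
    return "telnet service enabled" in text


def ssh_server_enabled(text):
    """`show ssh server` prints 'ssh version N is enabled' or 'ssh is not enabled'."""
    return re.search(r"ssh version \d+ is enabled", text) is not None


def rsa_bitcount(text):
    """Extract the 'bitcount:NNNN' value from `show ssh key rsa`; None if absent."""
    m = re.search(r"bitcount:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_rows(text, pattern):
    """Return one dict per line of `text` that matches `pattern`."""
    rows = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit(telnet, ssh, key, communities, users, hosts, min_rsa_bits=2048):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    if telnet_server_enabled(telnet):
        findings.append("telnet-server-enabled")
    if not ssh_server_enabled(ssh):
        findings.append("ssh-server-disabled")
    bits = rsa_bitcount(key)
    if bits is not None and bits < min_rsa_bits:
        findings.append(f"rsa-key-too-short:{bits}")
    for row in parse_rows(communities, COMMUNITY_ROW):
        # network-admin is the group behind an 'rw' community: write access via a plaintext string.
        if row["group"] == "network-admin":
            findings.append(f"snmp-rw-community:{row['name']}")
    for row in parse_rows(users, USER_ROW):
        # enforce=no lets the manager omit privacy, so v3 traffic may go unencrypted.
        if row["enforce"] != "yes":
            findings.append(f"snmp-v3-priv-not-enforced:{row['user']}")
        if row["auth"] in WEAK_AUTH or row["priv"] in WEAK_PRIV:
            findings.append(f"snmp-v3-weak-algorithms:{row['user']}")
    for row in parse_rows(hosts, HOST_ROW):
        # v1/v2c notifications carry the community string in clear text.
        if row["version"] != "v3":
            findings.append(f"snmp-non-v3-host:{row['host']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_TELNET_SERVER, SHOW_SSH_SERVER, SHOW_SSH_KEY_RSA,
                         SHOW_SNMP_COMMUNITY, SHOW_SNMP_USER, SHOW_SNMP_HOST):
        print(finding)
```

Run against saved output from a real switch by replacing the constructed samples; a non-empty list is the remediation backlog. The row patterns split on any run of whitespace, so the exact column spacing of the device's tables does not matter, and the header and underline rows are skipped because they never match the value patterns (digits for the port, a known group name, a "(yes)"/"(no)" suffix).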

5-Connectivity Management Processor (CMP):

The CMP is another dedicated interface used for out-of-band management. It is independent of the operating system, as it has its own dedicated processor and memory, and it is available only on the Nexus 7K Supervisor Engine 1. We can use the CMP for complete management and monitoring independent of the operating system running on the Controller Processor/Supervisor Engine: we can manage every module in the chassis, perform a complete system reload (including the supervisor engine) and watch what happens behind the scenes during the boot process, seeing the boot messages during the entire boot process, because, as mentioned before, the CMP connectivity is independent of the CP or SE and has its own dedicated processor and memory.
The following shows the commands used to connect to the switch via the CMP interface:

NX-OS-N7K# attach cmp
Connected
Escape character is '~,'
NX-OS-N7K-cmp#  

The following commands are used to configure the IP address and default gateway of the CMP-MGMT interface:

NX-OS-N7K# configure terminal 
NX-OS-N7K(config)# interface cmp-mgmt module 5
NX-OS-N7K(config-if-cmp)# ip address 192.0.2.1/16
NX-OS-N7K(config-if-cmp)# ip default-gateway 192.0.2.10 

The following shows the command used to connect to the CP of the switch from the CMP interface:

NX-OS-N7K-cmp5# attach cp
This command will disconnect the front-panel console on
this supervisor, and will
clear all console attach sessions on the CP -
proceed(y/n)? y
NX-OS-N7K#

 

Hope that the post is helpful.

Regards

Mostafa Hamza