Data Center:Network:Cisco:Nexus:Virtual Device Contexts (VDC)

Captions
[Music] Welcome back. In our CCIE Data Center Nexus switching main class, we're now going to talk about VDCs, or virtual device contexts. Virtual device contexts are really used to virtualize the physical hardware of the Nexus 7K platform. These are loosely analogous to SDRs, or secure domain routers, in IOS XR, or to contexts in a Cisco ASA adaptive security appliance or firewall. One of the things is that VDCs also virtualize the control plane protocols that are used in this 7000 series switch, so these are not analogous to VLANs or VRFs in any way. Okay, what we are actually doing is separating the complete control plane per VDC. Now, with this we're not actually virtualizing the operating system, so this is not similar to running virtual guest machines on a hypervisor type platform like VMware; this is not multiple instances of the Linux server that is controlling the entire 7000 switch. What this is, is dividing everything up into separate virtualized control planes and actually moving the different data plane resources, the physical ports within a given blade: we can actually partition up the individual ports to these different virtual device contexts. What I mean by that: we talked earlier about the port groupings, and we're going to show how, when we create and provision our VDCs, our virtual device contexts, they'll follow the port grouping, follow the ASIC or switch-on-chip that they're mapped to. So we can't really break the ASIC boundary up, but we can break an individual module up into different port groupings and break those port groupings up into different VDCs. So with the separate control plane function, one of the things that we want to discuss is the fact that VLAN 10, let's just say as an example, is in VDC 1, the first virtual device context that we might have (and I'll probably stop saying virtual device context at some point and just keep saying VDC).
VLAN 10, or VLAN 20, or VLAN 1000, whatever we create in one VDC, is not equal to the same VLAN number in another VDC. Now, this would only be if we are not linking these VDCs together, and we're going to take a look in just a moment at some use cases and why we might want to actually link these individual VDCs together. We'll take a look at some different topologies; we'll take a look at our physical topology behind me here in a moment and show how we've done it for most of our pre-provisioning, for most of the demonstration and command-line activities that we're going to be doing throughout the week, but then we'll also take a look at why you might want to do it in a few different topologies in a production or even a lab environment. So if we want to link VDCs together, if we want to actually use data plane traffic between them, then we do actually have to provide a physical cable. Really, even if we have cut up the individual resources within a card into different VDCs, we need to then connect the line cards together with a physical cable. So if we're connecting two VDCs together, then all of a sudden of course we will probably be trunking, and then VLAN 10 does equal VLAN 10 in each VDC, because we are really joining those two VDCs together for whatever purpose we had. But with, let's say, sort of a multi-tenant environment, one of the use cases we'll go over in a moment, I could actually reuse all of my VLAN IDs, and they are completely separate from one another: the control planes are completely isolated, and actually the processes are completely isolated as well. So if I'm running, let's say, OSPF process ID 1 in VDC 1 (and we'll probably give it a name, but the way that the system is going to refer to it is really going to be numerically, by its ID of 1 or 2, etc.), this is not going to be OSPF process ID 1 in VDC 2, or VDC 3, or 4, or 5, or 6, etc. And not only is this not the same process ID from the control plane,
the management configuration command line, but there actually is a separate Linux process that's going to be running for the OSPF process, or for EIGRP, or for whatever function it is that we might be doing. So let's take a look at why we might want to use VDCs. One of the things is I might have logical roles per physical chassis. So for instance, I might want to take and distribute out the very expensive resources of the hardware chassis itself: the multiple redundant supervisors, as Brian talked about earlier (we are in most designs going to have redundant power supplies, redundant supervisors, so the control plane mechanisms, and redundant line cards, M-series and F-series). With these boxes costing so much, but possibly wanting to perform different functions on them, we might want to do something like, well, let's just come over here to our whiteboard, and we'll say I've got one physical box, which we'll denote with some dashed lines (and you'll have to forgive me; of the different members of my family that are artistic, I am not one of them). So this is our physical Nexus 7000, Nexus 7K, and within here we might partition off different resources. So I might say I'm going to create what looks like a separate physical switch, an N7K switch, and maybe we'll give it the VDC of 1, and I'm going to create, maybe I actually have another, let's come down here and I'm going to create N7K 2. And actually, one of the things I wanted to have, I'm just going to erase this real quick, I wanted to actually have two physical chassis as well, as you typically would. So let me just draw this dotted line down here: we've got my first physical platform and I've got my Nexus 7K second physical platform that we'll just sketch out here briefly, and so I've got my Nexus 7K 3 and Nexus 7K 4. Now, the naming for this particular diagram is not what we're going to stick with for the rest of the class; in fact I'll show that. But maybe I want to
basically have my core layer between two physical chassis here. I'm going to use Nexus 7K 1 and Nexus 7K 3, for instance, and then I might want to separate out my aggregation layer roles. So I actually, and we'll talk about in the use cases one of the reasons why I might actually want to do this, with something briefly called OTV, but I might want to have my layer 3 routing done at the aggregation layer. So from aggregation down to my access switches, down to my Nexus 5K switches, I might want to, and typically would, use traditionally layer 2 switching only. So I've got down here, not pictured yet, I'll go ahead and add in here 5Ks, and of course those 5Ks may have Nexus 2Ks, or fabric extenders, and they may have multiple links going up. But the idea is that I can partition off virtual portions of my Nexus 7K for use in different logical roles in the data center. Okay, so core and aggregation, or distribution, being two words for really the same thing, on the same box: that might be one reason. Another reason might be for multi-tenancy. So maybe I'm running a shared hosting environment, a large data center, and I might want to have, or I do have, hopefully, if I have any business, multiple tenants in there. So I might want to take a single Nexus 7000, maybe a 7018 switch, and partition off, maybe I'll partition entire cards, maybe I'll partition portions of those cards, for use with different tenants. Everything is completely separated: the control plane functions, what those tenants are allowed to do. Maybe I'm going to give them access to their own VDC; I won't give them access to a special VDC that we'll look at in a moment, called the default VDC, which really has rights over the rest of the box, but they have rights to telnet, or SSH preferably, into their VDC and provision or set up routing and switching for whatever features and functions they need, and everything is separate. If for some reason customer one, and we've installed the licenses, let's say
customer one turns on every feature known to man and ends up crashing a few of the processes, or maybe even possibly the VDC for some reason gets brought down, it shouldn't, depending on how we configure high availability (something we'll take a look at in the command line in a moment), it shouldn't affect the rest of the tenants that have other VDCs on that same physical switch. So multi-tenancy is certainly a reason. Another reason might be a test lab environment. As we mentioned, they're very expensive devices, if you happen to have any in your data center or workplace, and I might want to reserve one or two VDCs on my physical switch to be able to test out certain features. Maybe currently I'm running multi-chassis EtherChannel, or vPC, something we'll be talking about a lot more in depth, and I want to possibly transition to a FabricPath network, for a layer 2 "lots of links", or TRILL, transparent interconnection of lots of links, type of an environment where I'm not even running spanning tree at all. I want to test this out in kind of an isolated environment. Does it really make sense to buy a whole other switch just to test that out? Well, maybe; it depends on your environment, but maybe you don't have those kinds of funds available, and you certainly don't want to put something into production that hasn't been tested. So a test lab environment is another really good use case for a VDC. Also, some features, as we began to talk about and allude to just previously, can't coexist in the same VDC. So one of them is things like OTV, or Overlay Transport Virtualization, basically my layer 2 data center interconnect between multiple data centers: I want to have true layer 2 bridging, or layer 2 VPN, between data centers. I can't actually have that currently in the same VDC that I have feature interface-vlan turned on and I actually have switch virtual interfaces, or interface VLANs, defined; it's not supported. Most use cases that I've, or most production cases that I've seen, run OTV
they do this at the aggregation layer, where it's still that layer 2 boundary, and then they route in the core. But there certainly are different arguments for maybe even creating almost a new services layer just for OTV. So really I have my aggregation layer aggregating all my access switches, going up to the core layer, and in between those I have branched off on either side, one for each physical Nexus 7000 switch, so two chassis (we're always going to have redundant chassis), I've got branched off a VDC on each side just for OTV, and then my SVIs are still in my main core VDCs. Okay. Something else is F2 series cards. So one of the things that we're going to take a look at is allocating resources in the VDCs, and the fact that I can allocate M1, M2 and even F1 series cards in the same VDC; I however today cannot allocate an F2 card in anything but its own VDC. So that's one reason for wanting to do this. If I want to run what's known as a storage VDC, or Fibre Channel over Ethernet, FCoE, I actually need a standalone VDC just for that reason, and I can only have one storage VDC per box. It does count against my overall VDC number that I'm licensed for or have hardware to physically support, and we'll be going into that a lot later, specifically in the next class, the storage class. So just taking a look at some of the VDC limitations: we really have four VDCs that are available to us in a Sup 1 card, and we are running a Sup 1 card; it's what the lab lists, so it's what we're going to be doing in most of our presentation and most of our demonstration and command line. In the Sup 2 and Sup 2E we have something called "+1", so in the Sup 2, and by default in the Sup 2E, we get 4 VDCs plus one admin VDC. So this is, and I guess I should go back to the Sup 1 and say, in my default (something we're going to take a little bit more of a look at, the limitations on here, in just a moment, excuse me) we can only do certain things in that
default base VDC. Well, customers complained to Cisco and said, basically, I don't want to give, especially if I'm running in some sort of a multi-tenant environment, I don't want to give someone access to a VDC where they could potentially step on other people's toes. In fact, even if we just think about it in a lab type environment, for our particular instance we're going to be renting racks out to you; we wouldn't want to give any student access to the default VDC, because then they could potentially take down the whole rest of the box if we're letting another student work on another VDC, for instance. And so Cisco listened to that and said, we'll create an admin VDC in the Sup 2, where it truly only has access to allocating of resources, allocating of CPU, some of the things that we're going to take a look at: control plane policing, setting up system-wide QoS on the box, etc., and then the rest of the VDCs will actually be data plane, data passing, VDCs. So the default VDC in a Sup 1 is a full data plane VDC; it passes all data. We allocate resources that we want to use actually as data plane traffic there, as well as provisioning all of the resources for the rest of the system. In Sup 2 that's abstracted, and it makes for a really nice thing. Sup 2E has the capability to go up to 8 VDCs, but it is an additional license to get there, and that's that asterisk: we have to have that additional license to add four more VDCs to the base 4 + 1. Now, we already mentioned this: there's no internal cross communication between VDCs, so there is no route leaking like we might experience in VRFs. If we have control plane separation in a router VRF, or even in a Cat 6500 VRF, we can route out to the global table and we can do NAT between these; there is no such communication, there's no real backdoor between data planes, or control planes for that matter, in VDCs. They are a full logical separation; short of being a separate hypervisor VMware guest, they almost act
just like that. Okay, so if we want to connect these, we do actually have to have physical cables. So one of the things we'll talk about, and actually let's just go ahead and take a look at the topology I have behind me, specifically for the different VDCs that we're going to be creating. So here we have, this is the physical topology that Brian began showing earlier: we've got our Nexus 7000, and really this is the switch that we're using here. Okay, so this is an example of the physical switch. What we're going to end up doing is we want to use it for multiple purposes, and to that end we're going to break this out into 3 additional VDCs. (I think I was touching the screen at the same time.) So we're going to have the physical chassis, and then we're going to have N7K1; the way that we've numbered this is N7K, a pretty standard naming convention across the Nexus platform, and 5K and 2K denote the platform capability or the platform model number itself. And so what we've said is n7k1- and then I'll state something like -2: this is the second VDC; n7k1-3, this is the third VDC; n7k1-4, this is the fourth VDC. And then the way we're going to do this, since we have two physical chassis, is we decided to call the second one n7k2-, and we could have said n7k2-1, n7k2-2, 3 and 4, the 1 or the 2 in this position being the physical switch number. The reason we decided to call it five through eight you'll see later when we talk about vPC, or when we talk about FabricPath, and basically creating switch IDs: we wanted to create a very clear and quick delineation and separation between the numbering of each of these switches. So we've basically got 1 through 8. Okay, so we have n7k1-1 through 4 and n7k2-5 through 8, so we'll be referring to them often as 7K1, or 7K2, 7K3, 7K4, that's all one physical chassis in our lab, and then n7k5, 6, 7 and 8, those are four VDCs in the second chassis. Okay. So also, if I take a look at these four
physicals, sorry, this one physical switch here, this is the domain for this one physical switch. If I want to look at partitioning these out into VDCs like I have, and I want to connect them together, notice that none of the port numbers overlap. So I don't have, in n7k1-1, Ethernet 1/1 through 2 that does, or could possibly, connect to Ethernet 1/1 through 2 in a different VDC. So one of the things that VDCs do not do is reuse port numbering. So if I say I want to allocate, let's say, Ethernet 1/1 through 8, so Ethernet 1 being module 1, and 1 through 8 being the ports 1 through 8, if I want to allocate those to VDC 1 (which all ports are allocated to, the default VDC, by default, at the risk of being redundant), and if I want to allocate the next set of eight ports, which is what we're going to do, it does not then reuse the numbering. It doesn't say, okay, well, since you're allocated to VDC 2 I'm going to call that port 1/1 through 8; it's going to retain the port numbering, so it's going to be e1/9 through, you know, whatever, 17. So if I want to connect Ethernet 1/1 to the second VDC, I actually have to run a physical cable to the other, really to the same blade in the same chassis, but I am logically separating these. Now, in the scope of the CCIE lab, this could be something, Brian and I talked about it, obviously nobody's seen it yet, we don't know, but this could be something that they could even test you on. They would have to have everything cabled; it has been for many, many years now that the candidates have absolutely no contact with, and probably aren't even in the same building as, the hardware, unless you happen to be in, let's say, San Jose or wherever they have the physical setup, probably San Jose and Brussels. You have no physical contact with, or probably even ability to see, the hardware. You won't be cabling, you won't be responsible for physical troubleshooting
or anything of that nature, but they could have everything physically cabled and simply not have the VDCs yet defined, or the resources, the Ethernet ports, allocated to the particular VDC. So this could be one level of complication, or just a level of difficulty, in the exam: if you just by default went ahead and said no shutdown on all the ports, then you might all of a sudden see some problem traffic, a lot of ports blocked; really you're plugged into your own switch. But as soon as I reallocate these ports to a different VDC, as far as the switch goes it thinks it's talking to a completely separate switch; there's nothing in the background that says, oh, you're actually talking to the same switch. So let's go ahead and go back to our slides, and we're going to go to the command line and allocate these VDCs in a little while. So back on the slides: we're going to say that the default VDC 1 always exists and cannot be removed. This actually is true in the Nexus 5K as well: there is a VDC 1 in the Nexus 5K; it's just that there aren't any additional VDCs. Additional VDCs are a specific feature or function of the 7K platform. The default VDC is used to create and manage the other VDCs; it controls all port allocations. As we've mentioned, all ports, as I just mentioned as well, are allocated to the default VDC at initialization. It's going to control other resource allocations, such as maximum number of VLANs, VRFs, routing table memory; I can actually be very specific on IPv4 unicast and differentiate that from IPv6 unicast or multicast per VDC, so I can create equal or unequal balances of different things, even such as CPU access. So a minimum, it's almost like quality of service for CPU: I can basically say that in a time of congested interrupts and trying to talk to the physical CPU, this VDC gets a minimum of this percentage share of access to the CPU. In the Sup 1 it can be used for normal data plane
operations, and it's recommended for management of the chassis only, which is why in the Sup 2 they went ahead and changed this. Some of the default VDC only tasks: so there are some tasks that can only be performed in the default VDC, and there's actually a number of them. Some of them are VDC creation, deletion and suspend. So as I mentioned, let's say you have a lab environment or a multi-tenant environment and you don't want students or customers, respectively, trampling on other students' or customers' configurations, or possibly downing VDCs, deleting them, reallocating resources: unless someone has access to the default VDC, there's no risk of that happening. You have to be in the default VDC to create, delete or suspend another VDC. You have to be in the default to allocate interfaces, memory or CPU guaranteed share. You have to be there to do OS upgrades, and that happens of course across VDCs, in-service upgrades, or EPLDs, basically TAC-specific things that can add new features, and TAC-directed as well. Ethanalyzer captures, that has to be done in the default VDC. Feature set installation, only for some things, such as FabricPath, FCoE, or adding Nexus FEXs, basically Nexus 2000 FEXs, or fabric extenders, the remote line cards. Control plane policing can only be done in the default VDC. Port-channel load balancing: I can create port channels and utilize them in other VDCs, but if I want to change the default load balancing hash mechanism, then I need to be in the default. Hardware IDS check control, ACL capture function enabling, and system-wide QoS. And we'll talk about some of these in a lot more detail, such as system-wide QoS in the QoS section, or port-channel load balancing hash operations in the multi-chassis EtherChannel, or vPC, section. So creating VDCs: they're defined in the global; there's no separate admin mode in the Sup 1, okay. The hostname is actually kind of interesting: it's derived by default from the default VDC hostname plus the actual VDC hostname. So if I'm in VDC host, or VDC 2,
and maybe I've called it VDC n7k1-2, and we'll see this in just a moment, if my default VDC was n7k1-1, my new hostname when I'm in that second VDC will be n7k1-1-n7k1-2. A little confusing it can be, so there's actually a feature that you can turn off: no vdc combined-hostname. So that's kind of a nice feature that you might wish to utilize. Okay, so allocating VDC interfaces: as we've mentioned, they have to follow the ASIC or switch-on-chip groupings. I can't just allocate port 1/1 if it falls in a four-port odd-contiguous or even-contiguous named group, okay. So each line card has different limitations based on the ASIC; we showed and talked about those earlier with the iPad app, the Cisco Catalog 3D, and showed how those kind of map to the individual ASICs. So for instance, the M132XP-12 card that the lab has, and we have in our lab, has a four-port odd-contiguous or even-contiguous port numbering, meaning ports one, three, five and seven, because those are all on the top of the card, they use the top riser card, and that's where the ASIC is, they're in group one, okay; they share their dedicated bandwidth of ten gig. And if I wanted, let's say, ports two, four, six or eight... So if I wanted to move eth1/1 only to a new VDC, it will let me do it from a configuration standpoint, but it will also tell me that it went ahead and did me a favor and basically followed the ASIC architecture, and it went ahead and moved those other three ports for me. I can't split them up even if I wanted to. The F132XP-15 has two-port contiguous port groups; I didn't say even-contiguous or odd-contiguous, so it's not odd numbers or even numbers, it truly is: port one and two are part of the same port group, port 3 and 4 are part of the same port group, etc. Okay, and as we just mentioned, the parser is going to automatically check and allocate if we make a mistake or are just lazy in our typing, and we'll demonstrate that in a moment. So VDC resources can
have defined limits. So, as I mentioned, I can cut up and limit VLANs, VRFs; I can limit the number of port channels; SPAN and ERSPAN, that can be done (notice we said Ethanalyzer can only be done in the default VDC; that's different from SPAN and ERSPAN, as Brian just demonstrated); IPv4, IPv6 unicast and multicast; and even module type, as I mentioned. I have to create a VDC all by itself if I want to have F2 type, but I can create a VDC that only allows M2 cards, or only allows M1 and M2 but no F series; I can be this granular if I have a use case or a need. So these are configured with the limit-resource command and vdc resource template in global. So I can actually create a template that applies these, especially if I have maybe eight VDCs and I want to create the same thing across all of them: I can create a template, apply that to the VDC. The only thing to note is that if I make a change to the template, it does not automatically reapply that to the VDC; I basically need to go and, of course this would be disruptive; any time I'm making changes to a VDC it's going to be system disruptive, so this would be something that I would do at the outset, the deployment of my Nexus 7000 switch, or even possibly at a scheduled maintenance window where I really plan on taking that particular switch down. Some things, like in-service software upgrades, I can switch over to another supervisor and make upgrades (we'll be talking about those later) and still run all of my data forwarding functions because of the distributed line cards, even control plane functions and routing protocols and things on the other supervisor. When I'm changing VDCs this is really going to be a disruptive process, so this is something you'll want to do in a hard maintenance window. So moving between the VDCs: if I want to, I can, from the default VDC, the admin user can switch to other VDCs, and really I only can use the bolded-here switchto command if I'm in the default VDC. If I'm in, and this is
similar to the changeto context command in an ASA: if I was in the default VDC and I switched to another VDC, I can then issue the switchback command. I cannot issue the switchback command from another VDC to the default if I SSH directly into that other VDC; that's not supported. There's no backdoor operation where I could go into my designated, secondarily created VDC and then try to backdoor and get back into the admin VDC; it is secure there. And of course I'm going to need to use the switchto command for setup of the non-default VDCs, my initial setup. For management of the VDCs, there is something called the CMP interface, the connectivity management processor, or interface, and this is actually only in the Sup 1. It was a great idea, it seemed like a really smart, logical idea, but really nobody used it, so Cisco basically cut it out of Sup 2 and 2E. But this is basically the same as console access to the supervisor, with the difference being that it's actually running a completely separate image. So when we talk about the actual image that runs, the actual universal image that Brian talked about earlier, there's really two parts to it: the kickstart, which gets me the Linux kernel booted up, and then the full image, which brings up all of my different possible features that I can run. And the CMP actually has its own kickstart and full image; it's really a second Linux box running in a very small, there's no features that I can do except for control the rest of the platform. And the idea is that I could not only perform ISSUs, in-service software upgrades, but I could even reboot the box and still have full access to a portion of the switch, layer 3 access to the switch. So this would also be connected to the management switch, or possibly a different out-of-band management switch if I wanted, alongside the physical management interface. Now, speaking of that, there's the physical management 0 interface. This is actually a
feature that overlaps between all VDCs. So there's basically a logical separation here of this physical port: there's one physical management 0 interface per supervisor, and only the active supervisor is, well, active at that time, and I'm going to actually logically partition that physical management 0 interface up. So I'm going to be able to give it a different IP address, and the box will automatically assign it a one-off separate MAC address per VDC. But one other thing to note is that traffic does not leak between management 0 ports. So if I have a management 0 port on supervisor 1 and I have 4 VDCs, I essentially have four logical management 0 interfaces, but it's still one physical port, so I'm not going to really be able to, for instance, ping; I can't ping from management 0 in the management VRF from VDC 1 over to the management 0, which is the same physical interface, on VDC 4, even though they have different IP addresses and different MAC addresses. Okay, so this is a limitation, or really something that the system prevents you from doing. Also, management access to the box is really off by default. When I first get in through the console, if I want to be able to telnet (shudder, I know) or possibly SSH (preferred) into the box, I'm actually going to need to turn on even nice features; like Brian said, even something as simple as an interface VLAN, I have to really turn on the feature for. They really tried to create, or keep, the processes isolated from each other as much as possible to prevent any unexpected things from happening. So each VDC also has its own local user database. We're going to talk next about user rights, and then we're going to go create some of these VDCs. So the non-default VDC users have two possible default roles, vdc-admin and vdc-operator. Admin has all read/write access, but only to that VDC; the vdc-operator has read-only access to that particular VDC. There is also, and as we mentioned before, if I SSH or telnet into a particular VDC and I
authenticate with those users, I can't switch back to the default VDC; there is no backdoor. Also, the default VDC users, if I switch to a non-default VDC, they inherit the read/write operations of the same user level. So in the default VDC, instead of being called vdc-admin and vdc-operator for the role-based access control, something that we're going to be talking a lot more about in the security section, and even custom RBAC, or role-based access control, features and commands and things that we can do custom, I basically have that admin and operator in the default, but it's called network-admin and network-operator roles, okay. And as they switch to a non-default VDC they inherit all the vdc-admin or vdc-operator roles respectively; so they inherit their same level of admin or operator role, and this is not vice versa. So in other words, if I'm a vdc-admin, I'm not going to inherit network-admin rights. So taking a look at VDC high availability: what to do if for some reason an entire VDC crashes, all the processes in that VDC crash? Well, we have different options, some being: restart that VDC; bring down that VDC and don't necessarily bring it back up, not automatically, it has to be done manually; reload the supervisor; or switch over to the standby supervisor. We're going to take a look at when these might occur. So the high availability policy can be different, first of all, depending on single sup or dual sup. If I happen to, and of course we would never do this, but if I happen to only have one supervisor in the switch, then I'm going to have a particular policy for single sup, what I should do, or if I have dual supervisors. So for instance, I would never want to, and I don't even think it's an option, I would never want to reload the supervisor just because a VDC crashed if I have a backup supervisor; if I have a standby, I would want to switch over to the standby supervisor, right? But if I only had a single supervisor, then all of a sudden it makes sense that I may want to,
especially if this is the default VDC I may want to actually reload the entire supervisor even if that causes Network disruption and shame on you for not having a backup supervisor but it is something that we can configure and an option I also have the ability to configure different policies different high availability policies under each VDC configuration so let's take a look at some of this we're going to go ahead and connect in to our n7k one and let's just take a look at show run by to fall so show run I've got my VDC n7k 1-1 now I think it was called switch by default but we've gone ahead and renamed that particular VDC notice the ID this is how the rest of the switch is going to refer to this as ID 1 there's different things that we'll talk about throughout the week one of them that we may go - probably in the QoS section for sure I know we'll attach to an individual module I can actually attach to the individual line cards and when I do things like at a hardware level and you can be dangerous then so you have to be very careful when you're actually talking directly to the hardware kind of bypassing the supervisor but aside from being careful while we're in there if we want to refer to a portion or feature or take a look at maybe a show command is what will really only be doing if we attach to a module we have to also specify what VDC that particular port is in when we're talking directly to the hardware we could be talking to a port that is not in the default VDC but when we attach to that module we're in the default VDC we have to change to the new non default VDC when we're attached directly to the module but we have to specify what VDC by its numerical ID so it is important to remember the numerical idea of basically 1 through 4 in our soup 1 here ok so we can also see from this command line we've got a number of default commands by default I have limit resource for module type 2 m1 f1 and the m1 excel this is basically the extended extended forwarding 
tables for layer 2 layer 3 because Brian had already done or I think you did this yeah and just the I was trying to remember it was this switch or that the second 7'k it turned on feature set fabric path once I do that then I can from this particular VDC I can allow other VD C's to use that feature set fabric path FCoE being some of those I can also and this is what we'll certainly do right now is I can allocate these interfaces so we've got these if effect if I do a show module I can see that I have my my module 1 is 32 ports 10 gigabit it's my m1 32 XP module and module 2 is my 1/10 gigabit which is my f1 32 port module so looking back at the allocate interfaces all of them Ethernet module 1 and port 1 through 32 and Ethernet module 2 port 1 through 32 are currently allocated to the default VDC we're going to go cut those up then I also have my limit resource VLAN I have my minimum number of VLANs and maximum monitor session so for my span and my ER span destinations the minimum maximum number of Vee ahrefs minimum maximum number of port channels that that particular VDC can use and even things like you for and u6 unicast ipv4 unicast ipv6 and multicast of those same two versions how much memory can be used and keep in mind that without the excel modules and the extended licensing everything is a license in Nexus then I really have limited amounts of memory if you take it into consideration you know against maybe a an ASR or type router or something limited amounts of memory that I'm going to be using for forwarding tables unless as I mentioned I have those larger excel cards and or you know m1 m2 excel cards and the enhanced licensing ok so let's go ahead and we're just going to create some VD C's here so let's go ahead and we'll say VDC and we're gonna create one of the things that nx-os does that I kind of like is if I've created a naming convention it actually brings that into context sensitive command completion so I could actually say n7k 1 - and use that 
as my prefects and I'm gonna say - - and it's creating the VDC give it a moment it asks politely for while it's waiting notice we had that VDC combined hostname in here I'm gonna leave that on while we switched to another VDC and then I'll come back and I'll take that off and we will see how that has changed things because of the time it's gonna take to create the VDCs as we mentioned earlier it for being such a really high powerful high performance box surprising how long it takes to do a few of these features like creative EDC or bring them up that's something else that we can do per VDC is specify the boot order it actually brings all of the processes up necessary to run the VDC in a particular order and by default it's in numerically ascending order so here we can do things like allocate our resources so we can allocate interfaces and so let's just say for instance we want to allocate interface Ethernet 1/9 through 16 is what we're going to use for VDC 2 and it informs us that moving the ports are going to basically cause them to be removed from the first VDC and could cause a service disruption we'll say yes it takes a little bit of time to move them not nearly as long as creating the resource itself the VDC resource and then we'll say the same thing for Ethernet to our f1 card ports 9 through 16 but let's actually just say port 9 ok so let's do a show run and notice that here in my first video ok T interfaces Ethernet 1 through 8 and then it picked back up at 17 through 32 so we had changed 9 through 16 well for two I had 1 through 8 and then I had moved port 9 but it actually moved port 9 and 10 leaving only the next port being 211 so if I take a look at VDC n7k 1-2 it moved as I told it 9 through 16 because I follow two-port grouping for the first one but for the second one I only said 2 - 9 it went ahead and moved 10 because it's a two-port contiguous port grouping I will go ahead and move 2 through 16 because that's actually what we're going to be using 
for the second BDC so we've basically broken up out of a 32 port divided by 4 which happens to be the port group mapping but also happens to be so four ports to a port group mapping and M card two ports to a port group mapping in the F card we also have four VDCs so we're basically allocating eight ports per VDC per line card okay so this should have taken effect and I now have 9 through 16 on both eath 1 and module Ethernet - ok notice I have the boot order here so the default VDC is always going to come up first there's nothing we can do about that and it really wouldn't make any sense to change the boot order for the second VDC until I've created an additional VDC and we notice that we can limit resources for all the different things that we talked about the module type so I could say module type F - only if I wanted by default it does put them all in the same M 1 F 1 M 1 Excel module type allocation okay so really this is all that we need to do except for looking at within the VDC except for looking at the high availability policy so let's say high availability policy and we're first going to start with single soup so what happens if this particular this particular box or system only has a single soup well we have the option to bring down the VDC altogether and have to manually bring it back up assuming it's not the default VDC we can reload the supervisor because we only have one or we can simply try to restart that non-default VDC so let's say we want to bring down not that that's necessarily the best policy but just as a non-default example bring down the VDC in the case of a VDC crash and if we happen to have a dual soup and the reason it allows us to go ahead and provision this is because when it's doing the command structure it's not necessarily looking in context - how many supervisors do you have installed and maybe later I add a second supervisor I can go ahead and pre provision the high availability policy for when I actually add that so for a dual 
soup maybe I want to restart it the default is as you might imagine to switch over to the other supervisor so let's do show run VDC and I can see that I've got the high availability policy for single soup is bring down it did not include the dual soup policy reason being is that I already have that that is the default already okay so let's go ahead and I'm just going to end out of my configuration and I'm now going to switch to VDC and I'm gonna switch to VDC - and it's now in the initial configuration dialog so this is a completely separate system do I want to enforce a cure password or password strength check no I don't what's the password for admin enter it again do I want to enter the initial configuration dialog of course we never do and notice the host name okay so if I wanted to do something like let's say turn on feature for telnet notice that it's not an option here let's go ahead and switch back to the default VDC and of course I wasn't in config T so that actually could have had a little bit to do with it let me switch to that VDC again config T feature telnet I can configure telnet for one VDC and I could go to a different VDC and allocate let's say SSH only okay but it is per VDC that I need to turn these on so I can end out and then I'll do a switch back notice that there is no switch to command as we mentioned from one VDC I cannot switch to another VDC so I can switch back what happens if I tell not directly into you know what I haven't set up the management IP address yet so let's go ahead and switch to that BDC again and do show IP interface brief or just show interface brief and the management interface is not configured yet so let's go ahead and go into the interface management 0 and we'll configure the IP address of 192.168.0.0 on something like that ok so we'll do this slash 24 and no shut that and I should be able to show CDP neighbor and be able to see from management 0 my DC RAC management switch and should be able to tell that to that 
second device now now I don't have my users defined so I did have in 7 K 1-1 I had a user defined for mark and we have one for Brian or if I was just setting up from the beginning I of course would have to add these but here I'm gonna have the one that I had just set up from the console from the default VDC really in the console of the box in the default VDC and then switch to the second VDC I created I set up that single user there is going to be the add by default user I just have to get in with that and I can get a little script there that does logging Monitor 7 for debugging but other than that I if I'd notice I I can't really switch back so I might tell it to switch back I have the command there because the parser doesn't differentiate between whether I tell met it in or consult in but I'm not actually going back to the default VDC so if I want to set up my users I actually have to go set up all those users separately as we mentioned a separate user database so here I will go ahead and switch back I switched over to this first tab where I was in the default VDC and switched to the second DB DC and I'll go ahead and say config T and no VDC combined hostname so now I'll end out and I will switch to VDC and I'll choose - - and notice now that my hostname is nice neat concise and it even went ahead and changed it on my telnet session even while I was sitting there telling it it in so nice feature there will probably run for the rest of the class with no VDC combined hostname ok I can exit out or switch back I'm in the default VDC 1 - 1 so let's take talk about saving the configuration if I want to first of all there is no shortcut for right okay so this is it's been say cisco has been saying they're gonna deprecated it and do away with it in iOS for a long time it's still there in most iOS platforms it is not an option in nx-os I do need to copy run start I can do copy run start or I can say the whole running - config start up - config and I also have another 
option I can either hit carriage return and if I do so it will only save this VDC currently I'm in the default VDC - NVRAM but I can also say VDC all I can give it that argument and save all VDCs to a binary file now actually if we take a look let me just back up here a little bit so it doesn't perform this config if I do show boot flash sorry Jer boot flesh I can actually see that I have different directories for the different VDC so there really are separate places in flash even an envy gram that the different configurations for the different VDCs are kept so if I'm over here in Talmud it into the 7k 1 dash to the 2nd me DC which for all intents purposes is a completely separate switch I can woops actually I want to be back out here and I just want to say copy run config to startup config notice I don't have the VDC all so again I'm isolated I'm in a sandbox I'm securely partitioned off from the rest of the box and I can't affect any default operations for the switch including saving everyone's config at once it is a very nice feature from the default VDC to be able to do copy run start for VDC all and it does take a little bit of time to go ahead and generate this configuration I've got a little hash marks here indicator of when it's doing it even once it gets to 100% we'll notice that now it's taking a little bit of time to actually write it - that was really just a compilation of the configurations for all VDCs and now it's writing it to the NVRAM [Music]
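The provisioning walk-through from the video, collected into the NX-OS command sequence it describes. This is an added example, not a capture from the session; the VDC name, interface ranges, resource limits, management address and username are assumed from the narration, and the comments mark where the isolation boundaries it talks about show up.

```text
! Default VDC (N7K1-1): create the second VDC and carve out one port group
! per line card. Names, ranges and limits are assumed from the narration.
configure terminal
 vdc N7K1-2
  ! M1 card: 4-port groups; F1 card: 2-port groups. Allocating a lone F1
  ! port (2/9) pulls its group-mate (2/10) along, so stay on boundaries.
  allocate interface ethernet 1/9-16
  allocate interface ethernet 2/9-16
  ! Resource ceilings are per VDC, so one VDC cannot starve the others.
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 768
  ! Crash handling: with one sup, keep the VDC down until an operator
  ! restores it; with two sups the default is a supervisor switchover
  ! (defaults are omitted from "show running-config vdc").
  ha-policy single-sup bringdown dual-sup switchover
  boot-order 1
 no vdc combined-hostname
end
! Confirm the allocation moved exactly the intended ports.
show vdc membership
show running-config vdc

! Enter the new VDC. Only the default VDC's network-admin/network-operator
! can switchto; they inherit vdc-admin/vdc-operator inside N7K1-2. The
! reverse never happens, and a telnet/SSH login to N7K1-2 has no path out.
switchto vdc N7K1-2
 ! First entry runs the setup dialog: separate admin account, separate
 ! user database, every management feature off until enabled.
 configure terminal
  feature ssh
  interface mgmt0
   ! One physical mgmt0 per sup, logically split per VDC; the per-VDC
   ! mgmt0 addresses cannot reach each other. Address is assumed.
   ip address 192.168.0.2/24
   no shutdown
  ! Users do not carry over from N7K1-1; define them here. Placeholder pw.
  username mark password <placeholder> role vdc-admin
 end
 ! Inside a non-default VDC only this VDC can be saved (no vdc-all).
 copy running-config startup-config
 switchback

! Back in the default VDC: save every VDC in one pass and inspect the
! per-VDC directories the configs are kept in.
copy running-config startup-config vdc-all
dir bootflash:
```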
Info
Channel: IT-TALK
Views: 3,853
Id: O9-UFFA9GzQ
Length: 59min 37sec (3577 seconds)
Published: Fri Nov 23 2018