Archive for the ‘Nexus’ Category

Much like on firewalls, you can create object groups in Nexus, which you can utilize when you’re implementing ACLs.


object-group ip address {OBJECTNAME}
{subnet/mask}
{subnet/mask}
{subnet/mask}...
exit

ip access-list {ACL_NAME}
  permit ip addrgroup {OBJECTNAME} [destination]

Makes life simple, huh? What about showing an access-list that has been configured with an object group? Well, under show access-lists summary you won’t see the group members; you’ll need to “expand” it:

show access-lists {ACL_NAME} expanded
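To audit what an addrgroup-based ACL actually permits offline (from a saved running-config rather than on the box), here is an added Python example, not from the original post or from Cisco, that parses object-group and ACL blocks and expands the addrgroup references much like the expanded view does. The config fragment and the names DC_WEB, MGMT and WEB_IN are constructed for the example.

```python
import ipaddress
import itertools

# Constructed sample NX-OS config fragment (made up for this example, not from a real device).
SAMPLE_CONFIG = """\
object-group ip address DC_WEB
  10.10.1.0/24
  host 10.10.2.5
  10.10.3.0 0.0.0.255
object-group ip address MGMT
  host 192.168.100.10
ip access-list WEB_IN
  10 permit tcp addrgroup MGMT addrgroup DC_WEB eq 22
  20 permit tcp any addrgroup DC_WEB eq 443
  30 deny ip any any
"""

def entry_to_prefix(entry):
    """Normalise an object-group member (host X, X/len, or X wildcard-mask) to CIDR."""
    parts = entry.split()
    if parts[0] == "host":
        parts = [parts[1] + "/32"]
    # ipaddress reads 'addr/0.0.0.255' as a hostmask, so the wildcard form needs no conversion
    return str(ipaddress.ip_network("/".join(parts), strict=False))

def parse_config(config):
    """Return ({group: [prefixes]}, {acl: [ace lines]}) parsed from running-config text."""
    groups, acls, kind, target = {}, {}, None, None
    for raw in config.splitlines():
        if raw.startswith("object-group ip address "):
            kind, target = "group", groups.setdefault(raw.split()[-1], [])
        elif raw.startswith("ip access-list "):
            kind, target = "acl", acls.setdefault(raw.split()[-1], [])
        elif raw.startswith(" ") and raw.strip() and target is not None:
            target.append(entry_to_prefix(raw.strip()) if kind == "group" else raw.strip())
        else:
            kind = target = None  # any other top-level command ends the current block
    return groups, acls

def expand_acl(acl_name, config):
    """Replace each 'addrgroup NAME' in the ACL's ACEs by every member, one line per combination."""
    groups, acls = parse_config(config)
    expanded = []
    for ace in acls[acl_name]:
        choices, tokens = [], ace.split()
        while tokens:
            tok = tokens.pop(0)  # an addrgroup token consumes the group name that follows it
            choices.append(groups[tokens.pop(0)] if tok == "addrgroup" else [tok])
        expanded.extend(" ".join(combo) for combo in itertools.product(*choices))
    return expanded
```

Calling expand_acl("WEB_IN", SAMPLE_CONFIG) yields seven ACE lines, three for each ACE that references DC_WEB and the deny line unchanged.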


In Cisco IOS, this is a monumental pain in the ass if you have a lot of interfaces: typically you’re searching the running config by eye or, if you know how to script, you can send the output to a text file and filter the information to get what you need. However, all that sucks, because in NX-OS you can just do this:

show access-lists summary

The output will give you not only which access-list is tied to which interface, but also the direction the ACL is applied in. You’ll see the configured section and the active section. Just remember, you can configure the ACL on the interface, but if the interface is not IP enabled, or just plain down, it will not be listed in the active section.


Why do VTP in the data center? I have absolutely no explanation for this; it is generally just a bad idea to use VTP to begin with. Perhaps “easy” is one argument, but look at the problems you face with it:

  • A rogue switch with a higher configuration revision can overwrite the VLAN database across the whole network
  • On some IOS versions, if not all, the VLAN configuration doesn’t reside in the startup-config
  • A rogue switch can be used to gather VLAN information on the network, helping an attacker map it from the inside

In a data center you expect a highly available, reliable, and secure computing environment; that is something VTP simply doesn’t offer. Look at the Nexus lineup: VTP is a feature which is disabled by default! What a great concept, finally! I’ll go ahead and just say it: if you’re using VTP in the data center, you’re just being lazy.


Just a quick tip for those looking. If you’re using 6.X code you can use the F2E for an internal OTV interface. You can actually get control-plane traffic between two devices using an F2E, and you’ll see the MAC addresses in the show otv route command; however, no encapsulation will occur. You will need an M-series card to perform OTV in a Nexus chassis.