ccna-data-center-640-911-dcicn.pdf - CCIEME


CCNA Data Center - 640-911 DCICN
Introducing Cisco Data Center Networking (DCICN)

Video 1 - Mastering the OSI Model

Why???
- Building foundations
- Interoperability between vendors
- Teaching networking
- Mastering the OSI model assists with troubleshooting in the data centre

What?
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical

Layers 1-4 - Data Center Network Engineer
Anything else = Upper Layer

Physical = Cable/Hub/'Bitspitter' (see, touch but be careful of wireless!)

Data Link = Error Correction onto or from physical layer. (Switches - Nexus - next generation, powerhouse switches)
MAC addressing - 48 bits in hexadecimal format
Bridges - Adapt one section of network to another (Legacy)

Network = Router (Nexus 7700 - 18 slot Multilayer switch)

Transport = TCP or UDP (Reliable and Unreliable/Connectionless)

-----------------------------------------------------------------------

Session = Port Numbers/Separating 'sessions'

Presentation = Format layer. (JPEG for example)

Application = HTTP Application/FTP

As data moves down the OSI layers, 'encapsulation' occurs. Each layer adds/modifies the traffic accordingly. 'De-encapsulation' occurs as traffic progresses UP the OSI layers.

PDU = Overall Data in OSI

Layer 4 = Segment
Layer 3 = Packet
Layer 2 = Frame
Layer 1 = Bits/Signal

Each layer is not aware of the other layers! They only communicate with the same layer on the opposite/target machine.

TCP/IP Model
- Application (Application, Presentation, Session)
- Transport (Transport)
- Internet (Network)
- Network Access (Data Link/Physical)

Exam Time
Q: What device operates at Layer 2 of the OSI?
A: Switch and Bridge

Practice Exam - 640-911 on Amazon - Kevin Wallace oneexamamonth.com

Video 2 - Classic Network Devices

Hubs - Repeater, Extender - Layer 1
Extends physical distance of signal. Mitigates 'attenuation'.
Single collision domain/Single broadcast domain.

Bridges - Creates additional collision domains. Can learn Layer 2 MAC addresses. Still a single broadcast domain. Segments network at Layer 2. Processing occurs in software not hardware.

Switches - Multiple collision domains/broadcast domains with VLANS. Hardware processing.

12 August 2014 14:24

CCNA Data Center Notes Page 1

Cisco Nexus 5000 Series - Parent/Central point of management.
Cisco Nexus 2000 Series - Child/Top Of Rack Devices/Like line cards removed from a parent, close to server blades.
They run the NX-OS Operating System. (Next Generation)

Cisco Nexus 1000V - In a box! Software based virtual switch.
Group collab project between Cisco and VMware.
Plugs into VMware environment into rack of VM hosts.

Routers - Layer 3/Packets. Multiple collision domains/broadcast domains. By default a router will create additional broadcast domains, where a switch only creates VLAN1.

Cisco Nexus 5000 Series - Multilayer switch. Layer 2 and Layer 3 capabilities.

Exam Time
Q: 12 servers connected to a 2K switch, how many collision domains exist?
A: 12

Q: Nexus 5K has 8 servers connected, how many broadcast domains by default?
A: 1

Video 3 - A Brief History Of Ethernet

- The History
- The Standards
- Connectors
- The Future

Ethernet was born May 22, 1973 - David Boggs/Robert Metcalfe of Xerox.
A memo was circulated announcing Ethernet on this date.

Why the name Ethernet? 'Luminiferous aether' - the whole universe is actually connected! (See Wikipedia) 'A network that can connect everything'

3ethernet = 1st Ethernet speed of 3Mbps.

1977 - US Patent granted
1982 - Ethernet version 2
1983 - IEEE standardises 802.3 (10BASE-5)
2010 - 802.3ba - 40Gbps/100Gbps (Datacenter speeds!)

CSMA/CD

Carrier Sense Multiple Access/Collision Detection

Carrier Sense - Devices can be aware of each other.
Multiple Access - Many devices can operate on the Ethernet at the same time
Collision - 2 devices that send at the same time
Detection - Detecting collision by backing off a random amount of time (JAM Signal)

Collisions are frowned upon in the modern network world. Switches eliminate collisions by creating a collision domain for each switch port. This is known as 'Micro segmentation'.

Speaking in the LAN

Unicast 1 to 1
Broadcast 1 to ALL
Multicast 1 to MANY/Target group/Subscribers

IPv6 - Broadcasts are dead. Multicasting completely replaces Broadcasting in IPv6.
IPv6 uses ANYCAST (Load balancing concept. The routers decide which one of the nodes to send to)

The Frame Architecture


Ethernet v2 - Preamble 8 Bytes of alternating 1s and 0s to sync the signals of the communicating computers. Last 2 bits are set to 11.
ET = Ether Type - Network Layer Protocol

802.3 - Preamble = 7 Bytes long
SOF = Start of Frame delimiter. Indicates transmission is about to start.
L = Length
DSAP = Destination Service Access Point (Ether Type in 802.3a)
SSAP = Source Service Access Point (Ether Type in 802.3a)
LLC
Payload
FCS = Frame Check Sequence

LLC/MAC
Eth2 = Data Link/Physical
802.3 = 802.3 LLC - responsible for talking to upper layers/MAC Sub Layer

The MAC Address
48 Bits in total length
1 bit = BC Broadcast Bit
1 bit = Local Bit
22 bits = OUI Organisation Unique Identifier (IEEE governed)
24 bits = Vendor Assigned Bits

Overall burned in address. Globally unique.

MAC Address can be 'masked' and presented differently.
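An added example (not from the notes) that pulls a MAC address apart into the fields listed above: the broadcast/group bit, the local bit, the OUI and the vendor-assigned part. The sample addresses in the main block are constructed, apart from 01:00:5e, which is the IPv4 multicast OUI.

```python
# Added example (not from the notes): split a 48-bit MAC address into the
# fields listed above -- the I/G (broadcast/multicast) bit, the U/L (locally
# administered) bit, the OUI and the vendor-assigned part. Sample MACs below
# are constructed, except 01:00:5e which is the IPv4 multicast OUI.

def parse_mac(mac: str) -> dict:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first_octet = int(digits[:2], 16)
    return {
        "canonical": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        # Least significant bit of the first octet (sent first on the wire) is
        # the I/G bit: 0 = individual (unicast), 1 = group (multicast/broadcast).
        "group": bool(first_octet & 0x01),
        # Next bit is the U/L bit: 0 = universally administered (burned in by
        # the vendor), 1 = locally administered (set by software or a hypervisor).
        "local": bool(first_octet & 0x02),
        # First 3 octets = OUI (22 bits identify the organisation once the two
        # flag bits are excluded); last 3 octets = vendor assigned.
        "oui": digits[:6],
        "vendor_assigned": digits[6:],
        "broadcast": digits == "f" * 12,
    }

def describe_mac(mac: str) -> str:
    """One-line classification, handy when reading a MAC address table."""
    m = parse_mac(mac)
    if m["broadcast"]:
        return f"{m['canonical']}: broadcast"
    kind = "multicast" if m["group"] else "unicast"
    admin = "locally administered" if m["local"] else "burned in (universal)"
    return f"{m['canonical']}: {kind}, {admin}, OUI {m['oui']}"

if __name__ == "__main__":
    for sample in ("00:11:22:33:44:55",    # constructed, burned-in style
                   "02:11:22:33:44:55",    # constructed, locally administered
                   "01:00:5e:00:00:fb",    # IPv4 multicast OUI 01:00:5e
                   "ff:ff:ff:ff:ff:ff"):
        print(describe_mac(sample))
```

A locally administered address on an access port that should carry a physical server's burned-in address is worth a second look in the MAC table, since it was set by software rather than by the vendor.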

UTP = Unshielded Twisted Pair
Plastic outer jacket.
8 twisted wires inside.
1Gbps speeds

RJ45 - Registered Jack for Ethernet
RJ11 - Registered Jack for Phones

CAT1 = Telephony Comms
CAT3 = 10BASE-T - 10Mbps
CAT5 = FastEthernet - 100Mbps
CAT5e = GigabitEthernet - 1Gbps
CAT6 - 1Gbps
CAT6a - High Noise Environments

Straight or Crossover

Like to Like = Crossover
Unlike to Unlike = Straight

Used to be a big deal. We now have Auto MDI-X on modern equipment, which can auto detect the type of cable and therefore you can use either type of cable.

Optical Fiber

Used in the modern datacenter

Single Mode - Longer distance and higher speeds/Cost!
Multi Mode -

2 cables in fiber for communication in each direction

Lucent connector = LC
Subscriber connector = SC
Mechanical Transfer Registered Jack connector = MT-RJ


Transceivers
Modular interfaces/hot swappable

GBICs were the original modular interfaces
SFPs are the modern modular interfaces

The Future
100Gbps
802.3 committee working on 4000Gbps Ethernet!!

Video 4 - Characterizing the Data Center Network

Data Center 1.0 - Taking all data and storing in mainframe central location. Users access from 'dumb' terminals. Consolidated approach.

Data Center 2.0 - Decentralization. Client to server approach. Some processing and intelligence on the client.

Data Center 3.0 - The latest generation of networking technologies. Takes all of the data from an organisation, located and hosted in a centralized datacenter. Consolidated approach but NOT a mainframe. LAN and SAN consolidated with FCoE. Lots of virtualisation with VMware and Hyper-V. Lots of redundancy with HA mechanisms. No dumb terminals… Intelligent PCs.

Characterizing the DC
- Speed (Bandwidth - Gbps/10Gbps networks). FCoE traffic sent over the Ethernet network with 10Gbps.
- Cost (Nexus hardware/software costs)
- Security
- Availability - 99.999% or even greater! Measure/metric of whether the DC resource is available.
- Scalability - Growth of datacenter for any future requirement or new need.
- Reliability - Is the DC performing in the way we require?
- Topology
  - Physical or Logical topology? Logical path for data flow, without the Physical details being known. DC1 to DC2 for example is a logical path, where the physical topology can be dramatically different.
  - Physical Topology examples… Bus/Ring/Dual-Ring/Star/Extended Star (This is the most popular topology for modern switched environments)
  - Mesh/Full Mesh/Partial Mesh etc…

Video 5 - Number Conversion Fun

- Decimal to Binary
- Binary to Decimal
- Hex to Binary
- Hex to Decimal

Decimal to Binary
Draw a conversion chart..

128 64 32 16 8 4 2 1

Decimal = 56

128 64 32 16 8 4 2 1
0   0  1  1  1 0 0 0

Therefore 56 in Binary = 00111000

Binary to Decimal

Binary = 10011101

128 64 32 16 8 4 2 1
1   0  0  1  1 1 0 1

128+16+8+4+1 = 157

Hex to Binary

'Base 16 system'

Decimal - Hex
0 - 0
1 - 1
2 - 2
3 - 3
4 - 4
5 - 5
6 - 6
7 - 7
8 - 8
9 - 9
10 - A
11 - B
12 - C
13 - D
14 - E
15 - F

4 Bits = 1 HEX Character
Nibble or a Shim

11111111 = 8 Bits = 2 HEX characters

0x = HEX

0x611

Converting this to Binary is simple!

0110 0001 0001 = 6 1 1 (4 bits per HEX character)

Hex to DecimalFrom the previous example…

2056 1024 512 256 128 64 32 16 8 4 2 1

0 1 1 0 0 0 0 1 0 0 0 1

Take the binary and then convert to decimal!

1024+512+16+1=1553

Exam Time

0x4AE to Decimal

We know that 0x indicates HEX. Therefore the requirement is to convert 4AE from Hex to Binary and then Binary to Decimal, based on the above method.

8 4 2 1 8 4 2 1 8 4 2 1

0 1 0 0 1 0 1 0 1 1 1 0

2056 1024 512 256 128 64 32 16 8 4 2 1

0 1 0 0 1 0 1 0 1 1 1 0

1024+128+32+8+4+2=1198

Therefore 0x4AE = 1198 in Decimal.

In the exam the answers are multiple choice which may help! :)
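The conversion-chart method used throughout this video, as an added example that is not part of the notes. It implements the same four conversions for any bit width or hex string, and renders the two-row chart the notes draw by hand.

```python
# Added example (not from the notes): the conversion-chart method from the
# notes, written generically for any bit width and any hex string.

def decimal_to_binary_chart(value: int, width: int = 8) -> str:
    """Walk the chart (128, 64, 32, ...) left to right, subtracting each
    weight that fits; a weight that fits is a 1 bit, otherwise a 0 bit."""
    bits = []
    for weight in (2 ** i for i in range(width - 1, -1, -1)):
        if value >= weight:
            bits.append("1")
            value -= weight
        else:
            bits.append("0")
    if value:
        raise ValueError(f"value does not fit in {width} bits")
    return "".join(bits)

def binary_to_decimal_chart(bits: str) -> int:
    """Add up the chart weights of every position holding a 1."""
    total = 0
    for position, bit in enumerate(reversed(bits)):
        if bit == "1":
            total += 2 ** position
        elif bit != "0":
            raise ValueError("binary string may only contain 0 and 1")
    return total

# The Decimal - Hex table above, as a nibble lookup: '0' -> '0000' ... 'F' -> '1111'
HEX_TO_NIBBLE = {d: format(i, "04b") for i, d in enumerate("0123456789ABCDEF")}

def hex_to_binary(hexstr: str) -> str:
    """Expand each HEX character into its 4-bit nibble ('0x' prefix optional)."""
    hexstr = hexstr.strip().upper()
    if hexstr.startswith("0X"):
        hexstr = hexstr[2:]
    if not hexstr or any(ch not in HEX_TO_NIBBLE for ch in hexstr):
        raise ValueError(f"not a hex string: {hexstr!r}")
    return "".join(HEX_TO_NIBBLE[ch] for ch in hexstr)

def hex_to_decimal(hexstr: str) -> int:
    """Hex -> binary -> decimal, the two-step route the notes take."""
    return binary_to_decimal_chart(hex_to_binary(hexstr))

def show_chart(bits: str) -> str:
    """Render the two-row chart (weights, then the bits under them)."""
    weights = [2 ** i for i in range(len(bits) - 1, -1, -1)]
    header = " ".join(str(w) for w in weights)
    row = " ".join(f"{b:>{len(str(w))}}" for b, w in zip(bits, weights))
    return header + "\n" + row

if __name__ == "__main__":
    print(decimal_to_binary_chart(56))            # 00111000
    print(binary_to_decimal_chart("10011101"))    # 157
    print(show_chart(hex_to_binary("0x4AE")))
    print(hex_to_decimal("0x4AE"))                # 1198
```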

Video 6 - Network Layer Addressing

- IP
- IP addresses
- Public vs Private
- DHCP/DNS
- Tools

Internet Protocol
- Layer 3
- Connectionless/Best Effort (Layer 4 TCP communication offers reliability)
- Addressing

The IP Address
- 32 Bit Identifier
- 4 octets of 8 bits each
- Dotted Decimal Notation
- Hierarchical - A portion of the address identifies the network and a portion identifies the host
- A postcode is a great analogy

Address Classes
- Class A - Large /8 1 - 126 (127 = Loopback)
- Class B - Medium /16 128 - 191
- Class C - Small /24 192 - 223
- Class D - Multicast - 224
- Class E - Reserved for experimental purposes

Examine the 1st octet of an IP to identify the class of IP Address that it belongs to.

Formula for how many hosts = 2 raised to number of host bits - 2.

The Subnet Mask
- Network and Host bits within 32 bit address
- 8 for Network and 24 for host with a Class A address
- We can use a custom network by using a subnet mask. The subnet mask defines what network the host belongs to.

Reserved and Private Addresses
- RFC 1918 defined
- 10.0.0.0/8 - Class A
- 172.16.0.0/16 - 172.31.255.255/16 - Class B
- 192.168.0.0/16 - 192.168.255.255/16 - Class C
- 127.0.0.0/8 - Loopback
- 169.254.0.0/16 - APIPA
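An added example (not from the notes) that ties the last three sections together: classful identification from the first octet, the 2^(host bits) - 2 formula, and a check against the reserved and private ranges listed above. One deliberate difference from the list: the private Class B block is written as 172.16.0.0/12, which is the single prefix covering 172.16.0.0 to 172.31.255.255.

```python
# Added example (not from the notes): classify an IPv4 address from its first
# octet as the notes do, apply the 2^(host bits) - 2 formula, and flag the
# RFC 1918, loopback and APIPA ranges. 172.16.0.0/12 is the one prefix that
# covers the 172.16.0.0 - 172.31.255.255 range the notes describe.
import ipaddress

SPECIAL_RANGES = {
    "RFC 1918 private (Class A)": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 private (Class B)": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 private (Class C)": ipaddress.ip_network("192.168.0.0/16"),
    "Loopback": ipaddress.ip_network("127.0.0.0/8"),
    "APIPA (link-local)": ipaddress.ip_network("169.254.0.0/16"),
}
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # default network/host split

def address_class(addr: str) -> str:
    """Classful identification by first octet (127 is the loopback block)."""
    first = int(addr.split(".")[0])
    if first == 127:
        return "Loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if 240 <= first <= 255:
        return "E (experimental)"
    return "Reserved (0.x.x.x)"

def usable_hosts(prefix_len: int) -> int:
    """2^(host bits) - 2: the network and broadcast addresses are unusable.
    /31 and /32 fall outside the formula and are reported as 0 here."""
    host_bits = 32 - prefix_len
    return max(2 ** host_bits - 2, 0)

def describe(cidr: str) -> dict:
    """Summarise an address written as host/prefix, e.g. 192.168.1.77/24."""
    iface = ipaddress.ip_interface(cidr)
    if iface.version != 4:
        raise ValueError("IPv4 only")
    net = iface.network
    cls = address_class(str(iface.ip))
    special = [name for name, rng in SPECIAL_RANGES.items() if iface.ip in rng]
    return {
        "address": str(iface.ip),
        "class": cls,
        "classful_prefix": CLASSFUL_PREFIX.get(cls),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": usable_hosts(net.prefixlen),
        "special": special,
        "public": not special,          # not in any reserved/private range
    }

if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.0/24 is a documentation range.
    for sample in ("10.1.2.3/8", "172.20.1.1/16", "192.168.1.77/24", "203.0.113.9/27"):
        print(describe(sample))
```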

NAT/DHCP lecture
4 steps to DHCP… DISCOVER, OFFER, REQUEST, ACK (DORA)

Lecture on ping and traceroute.

Video 7 - Subnetting
Skip!

Video 8 - The TCP/IP Transport Layer

Network communication!

Connection orientated or Connectionless with TCP and UDP

Layer 4 in OSI
Layer 3 in TCP/IP Model

Session Multiplexing (Multitasking - Opening multiple web browsers for example)
Segmentation at Layer 4
Flow Control - We don't want to overwhelm a machine by sending too much information! Fast sender/Slow receiver

Connection/Connectionless
Q: Why send data in an unreliable fashion? A: Reduction in overhead.
- If we require efficiency then use unreliable delivery with UDP (Voice traffic uses RTP to offer the reliability that Voice needs)
- If we want reliable delivery with a payload such as HTTP/WWW, then use TCP.

Wireshark lecture - CBT Nuggets offer a Wireshark series

UDP headers are remarkably simple. Source Port/Destination Port/Length and Checksum. TCP headers are much more complex!

Passing to the transport layer from IP layer..

Protocol Fields:
TCP = 6
UDP = 17
EIGRP = 88
OSPF = 89
BGP calls on TCP with a value of 6

Transport Layer to Application Layer..

TCP 21 - Maps to application layer with FTP
TCP 23 - Maps to application layer with TELNET
TCP 80 for WWW etc….

DNS 53 uses TCP and UDP!

UDP 69 for TFTP (Unreliable!)
UDP 161 - SNMP

1 - 1023 - WKP = Well known port range - Reserved for fundamental applications used on the internet and governed by IANA
1024 - 49151 - RPN - Registered Port Numbers governed by IANA
49152 - 63535 - DAP - Dynamically Assigned Ports (Source Port example)

TCP
Three Way Handshake
SYN, SYN-ACK, ACK
Flow Control - Fast sender/Slow receiver. Buffer becomes full and receiver sends a not ready signal, advising sender to slow down.
Sliding Windows - Window size for sending information. Receiver tells sender to back down as too much data sent aggressively.
Sequence Numbers - To ensure that pieces of information are arriving in the correct order.

Video 9 - The Frame Delivery Process
- Fundamentals of 3 hosts communicating in a single VLAN 192.168.1.0/24
- ARP/MAC Learning etc…
- A wants to communicate to B using its IP Address (From a DNS lookup)
- Is this IP in the same subnet? Yes… therefore no Default Gateway required and a Layer 2 broadcast is sent using ARP
- Is this IP in my local ARP table? No….
- PC A requires the MAC of host B (2 address concept)
- ARP is then sent out onto the broadcast domain (All bits turned on as a broadcast)
- Who is 192.168.1.2? From a MAC address perspective.
- Host C hears this and ignores as invalid, Host B receives this and responds with its MAC address into the switch, which is forwarded back to Host A for unicast communication to occur.
- The switch is building this list of MAC addresses to physical ports in the CAM/MAC address table.
- The switch is also building an ARP table with IP and MAC bindings.
- From then onward, the switch can target the requests directly as it has learned ARP and MAC detail. (Efficient due to transparent switching. ARP is the key protocol here)
- Layer 3 address is known, but Layer 2 is not, hence ARP!!

Exam Time
Q: Your switch receives a frame and the dest MAC is not in its CAM table. What does it do?
A: Flood the request out of all ports except the port the request was received on.

Q: What protocol resolves an IP to a MAC address in the LAN?
A: ARP
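The frame delivery process above as an added example (not from the notes): a small model of a transparent switch that learns source MACs into its CAM table, floods broadcasts and unknown unicasts out of every port except the ingress port, and three hosts in one VLAN resolving each other with ARP. The hosts, MACs and ports are a constructed topology.

```python
# Added example (not from the notes): a small model of the frame delivery
# process above. A transparent switch learns source MACs into its CAM table,
# floods broadcasts and unknown unicasts out every port except the ingress
# port, and three hosts in one VLAN resolve each other with ARP.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Host:
    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.arp_table = {}                # IP -> MAC, learned from ARP

    def arp_request(self, target_ip):
        # "Who is target_ip?" -- sent to the broadcast MAC (all bits on).
        return {"type": "ARP-REQUEST", "src": self.mac, "dst": BROADCAST,
                "sender_ip": self.ip, "target_ip": target_ip}

    def handle(self, frame):
        """Process one received frame; return a reply frame or None."""
        if frame["dst"] not in (self.mac, BROADCAST):
            return None                    # not addressed to this NIC
        if frame["type"] == "ARP-REQUEST":
            if frame["target_ip"] != self.ip:
                return None                # hears it, ignores it (Host C)
            self.arp_table[frame["sender_ip"]] = frame["src"]
            return {"type": "ARP-REPLY", "src": self.mac, "dst": frame["src"],
                    "sender_ip": self.ip, "target_ip": frame["sender_ip"]}
        if frame["type"] == "ARP-REPLY":
            self.arp_table[frame["sender_ip"]] = frame["src"]
        return None                        # DATA frames need no reply here

class Switch:
    def __init__(self, ports):
        self.ports = dict(ports)           # port number -> attached Host
        self.cam = {}                      # MAC -> port (CAM / MAC table)
        self.log = []                      # forwarding decisions, for study

    def port_of(self, host):
        return next(p for p, h in self.ports.items() if h is host)

    def deliver(self, ingress, frame):
        """Learn the source, then forward (known unicast) or flood."""
        self.cam[frame["src"]] = ingress   # transparent MAC learning
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.cam:
            egress = [self.cam[dst]]
            self.log.append(f"{frame['type']} to {dst}: forward to port {egress[0]}")
        else:
            egress = [p for p in self.ports if p != ingress]
            self.log.append(f"{frame['type']} to {dst}: flood to ports {egress}")
        replies = []
        for port in egress:
            reply = self.ports[port].handle(frame)
            if reply is not None:          # a reply is just another frame
                replies.append(reply)
                replies.extend(self.deliver(port, reply))
        return replies

def resolve(switch, sender, target_ip):
    """Sender ARPs for target_ip; returns the MAC it learned, or None."""
    switch.deliver(switch.port_of(sender), sender.arp_request(target_ip))
    return sender.arp_table.get(target_ip)

def send_data(switch, sender, dst_mac):
    """Unicast data frame; returns the switch's forwarding decision."""
    frame = {"type": "DATA", "src": sender.mac, "dst": dst_mac}
    switch.deliver(switch.port_of(sender), frame)
    return switch.log[-1]

def build_lan():
    """Constructed topology: three hosts on one switch, VLAN 192.168.1.0/24."""
    a = Host("A", "00:00:00:00:00:0a", "192.168.1.1")
    b = Host("B", "00:00:00:00:00:0b", "192.168.1.2")
    c = Host("C", "00:00:00:00:00:0c", "192.168.1.3")
    return Switch({1: a, 2: b, 3: c}), a, b, c

if __name__ == "__main__":
    sw, a, b, c = build_lan()
    print(resolve(sw, a, "192.168.1.2"))   # A learns B's MAC via ARP
    send_data(sw, a, b.mac)                # now a known unicast: forwarded
    print("\n".join(sw.log))
```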

Video 10 - Data Center LAN Switching
- Versus Early Bridges
- Switching Methods
- Some Data Center Switches (Video recorded August 2013)

Versus Early Bridges
Similarities:
- Operating at Layer 2
- Learn MAC address information
- A collision domain per port
- 1 broadcast domain
- Bridge terminology still used today

Differences:
- Switches create a collision domain per switch port (Micro segmentation)
- Hardware processing as opposed to Software processing

Switching Methods
'Cut-through' - Faster method, but leads to problematic frames due to collisions. Looks at the destination of the frame and sends it. Potential to send erroneous frames.
'Store and Forward' - Slower method, as error checking is done and the frame is then sent.

Switches in the Data Center
Cisco Catalyst 6500 Chassis
Runs Cisco CatOS or IOS

Cisco.com - Switches- Data Center Switches - 6500 - Compare models:(Last number on model indicates the number of slots)


Cisco Nexus 1000V - The software switch from Cisco running NX-OS.
Cisco Nexus 1100 is an optional rack mounted appliance running the Virtual Supervisor Module (VSM), offering redundancy.

There is also an ASA firewall available on the Cisco 1000v.

Can be used with VMWare or Hyper-V.

Nexus 2000 Series Fabric Extender (FEX)
This device needs to be managed by a parent device such as a Nexus 5000 series device. (Also 6K/7K and UCS Fabric Interconnect)

High Speed switching to a rack of rack mounted servers or blade mounted servers.

Nexus 3000
High performance for trading environments. ZERO latency! Where transactions must be carried out extremely fast.

Nexus 4000
Features a blade to integrate into IBM blade chassis.

Nexus 5000/6000/7000
All can act as parent switches to 2K series.

FCoE supported. More on FCoE upcoming in series! Will allow the storage area network to carry over the local area network. This requires high throughput! (10Gbps)

Virtual Machine Fabric Extension - VM-FEX - Enables you to see traffic for individual VMs

Multiple VMs can cause visibility issues when the traffic exits via a chassis attached to a single pipe. Hence the VM-FEX requirement. Huge disadvantage in legacy days… but mitigated using VM-FEX.

Video 11 - Introducing NX-OS Software

- The architecture of NX-OS
- Process Recovery

NX-OS 4.1 and Higher

'Converge the I/O' - Take the LAN and SAN traffic and converge them into Fibre Channel over Ethernet

LAN - 6500 - IOS
SAN - MDS - SAN-OS

At v4.1 we take the LAN and SAN and run NX-OS via Nexus.

LAN - 7K - NX-OS
SAN - Nexus - NX-OS

Software Architecture
- Based on a Linux 2.6 kernel
- Benefits of Linux plus dev and enhancements of the Linux OS
- On top of the kernel we have 'modules': Layer 2 - STP, LACP, CDP; Layer 3 - OSPF, BGP, HSRP, GLBP etc..

Layer 2
Modules in NX-OS
- Forwarding of frames in hardware in Nexus device
- STP variations etc….
- LACP for Etherchannel for link aggregation
- vPC - Virtual PortChannel across different devices (Hub and Spoke example)
- MPLS - Forward frames based on labels -- Layer 2.5!
- FCoE
- STP Replacements: TRILL is superior to STP. (FabricPath in NX-OS)
- OTV - Eliminate STP concepts across different geographical locations

Layer 3
- IGPs - RIP (Exam heavy!!)
- EGP - BGP
- Multicast Routing - PIM Sparse Mode - Dense Mode is EOL.
- First Hop Reachability/Gateway Redundancy - HSRP, GLBP, VRRP
- LISP Locator ID Separation Protocol - Cisco owned. Break IP into 2 name spaces. (EID/RLOC)

Security Modules
- Port Security
- Network Admission Control
- 802.1X - Switch acts as authenticator. Passing on to ISE for example.
- Access Control Lists - Layer 2 and Layer 3
- Cisco TrustSec - NEW! Add a tag to a frame/security marking. We can now use this security marking to treat the frame with the appropriate security policy as it moves from node to node.

High Availability
- ISSU - Cisco In Service Software Upgrade. Upgrade Nexus device without any interruption!
- SSO - Total Stateful Switchover of Supervisor Engine (SUP 1 - BRAIN, SUP 2 - BACKUP BRAIN!)
- Stateful Service Restart - BGP process may be under attack and the process fails; the process is statefully restarted and repaired.
- Graceful Restart - For routing protocols. 2 devices, 1 of them can forward across the routing, the adjacency also remains so no new neighbour discovery is required.
- Config-Sync - Make the configuration once, it will automatically sync to a peer device.

CLI

Everything above is referred to as a 'module'.
You can enable or disable modules.

'feature eigrp' - Turns on EIGRP module
'no feature eigrp' - Disables EIGRP

NX-OS Process Recovery
HSRP - Creating checkpoints and writing to PSS (Persistent Storage Service)
If HSRP fails, NX-OS can restart it and HSRP checks in with the PSS service. All needed information is available to pick up where it left off.

Video 12 - NX-OS Features
- Setup
- Config Sources
- UI
- Roles
- CLI Models
- Help

'setup' can be executed to bring to Basic System Configuration Dialog.

Connect to Serial/Console port RJ45 to DB9 console with HyperTerminal/Putty/TeraTerm

AUX port is also present. Connect dialup modem to port and dial up to the port remotely.

Configure an interface on the Nexus and use SSH. We don't want to use TELNET in a production environment. :/
This is an in-band interface; best practice is to use out-of-band. Therefore there is a dedicated management interface on the Nexus called 'MGMT'.

SUP1 - CMP Connectivity Management Processor. Connects to the Nexus device even if powered off or rebooted. Lights Out Management example.

We can download a configuration to the Nexus using TFTP.

DCNM - Cisco Data Center Network Manager - GUI based software for making vast or slight changes to a NX-OS device.

Role Based Access Control
Network-Operator - Junior Admin
Network-Admin - God like/root etc…

*You need to know about these for CCNA Data Center

From the CLI enter global configuration using 'conf'

Username BELLAS pass cisco role network-admin/network-operator

'show users' to prove who is logged in

Conf
Hostname JOKE

Permission Denied as they are within the 'network-operator' role

# - Priv Mode
Configure (config) - Global Conf
Router ospf 1 (config-router)

We must enable the modules in order to use them!

HELP

- Context Sensitive Help
- Error Messages

Markers are now used with an error message indicating where error exists in command.

Video 13 - Using the NX-OS

- CLI History
- Editing Commands
- Important Show Commands
- Saving
- Checkpoints - NEW!

show history - IOS
show cli history - NX-OS

Ctrl + A - Beginning of line
Ctrl + E - End of line
Ctrl + B - One char to the left
Ctrl + F - One char to the right
Esc + B - One word to the left
Esc + F - One word to the right
Ctrl + D - Delete one char to the right
Ctrl + P - Previous command in buffer
Ctrl + N - Next command in buffer

Tab - Autocomplete as per IOS

Important Show Commands

- Monitor
- Verify
- Troubleshoot

We can be in any mode in NX-OS when issuing these commands!

- show users
- show user-account
- show version
- show running-config
- show startup-config
- show module
- show inventory
- show interface status
- show mac-address-table

RAM to NVRAM = write/copy run start

Erase NVRAM - write erase

Checkpoints - new feature in NX-OS!!

CLI: checkpoint ? followed by a name, e.g. TEST
'show checkpoint summary'
Rolling back to a checkpoint: 'rollback running-config checkpoint TEST'

Video 14 - VLANs in the NX-OS LAN

VLAN lecture/concepts… reviews… No need for notes
Configuration in NX-OS

Nexus 5K/7K are capable of being a RP (Route Processor)


Creating Layer 2 VLANs in the database, same as with IOS.
You can use the range concept to create a range of VLANs with vlan 10,20,30 - 100
show vlan brief to verify

Adding an access port to a VLAN is the same as IOS
switchport mode access
switchport access vlan 10

Tip: Layer 2 information - show int eth2/1 switchport

Tip for contiguous and non-contiguous port commands: interface eth2/2,eth2/4,eth2/6-9
This takes you into interface range for all of these ports. Interface range is no longer used on the CLI and is not as sensitive as the IOS version with spacing and dashes etc…

Video 15 - 802.1Q Trunks in the Data Center

802.1Q fundamentals
In the NX-OS

802.1Q frame
Dest/Src/Len/Ety/Data/FCS

Inject a tag into the frame - 4 bytes with 802.1Q (Shim)
VLAN ID
CoS bits - 3 bits (802.1p)

Native VLAN - Untagged

Must match at both ends of 802.1q trunk (Native VLAN mismatch)

NX-OS Conf
'vlan dot1q tag native' - Enable tagging on the native VLAN. Best practice.

switchport mode trunk - As per IOS
show interface trunk

DTP has been toned down to access and trunk only. No more dynamic desirable/auto etc…
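An added example (not from the notes) that serves both the 'Frame Architecture' section of Video 3 and this 802.1Q section: it parses the Ethernet header, tells Ethernet II (EtherType) apart from 802.3 (Length), and pulls the 4-byte 802.1Q shim (tag protocol ID 0x8100, 3 CoS bits, 12-bit VLAN ID) out of a tagged frame. The frames it parses are constructed with its own builder; the FCS is assumed to have been stripped already, as a NIC does.

```python
# Added example (not from the notes): parse the Ethernet header fields from
# the 'Frame Architecture' section and the 802.1Q tag described above.
# Frames here are constructed and carry no FCS (the NIC strips it).
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag

def parse_ethernet(frame: bytes) -> dict:
    """Return dst, src, tag fields (if any), encapsulation type and payload."""
    if len(frame) < 14:
        raise ValueError("runt: fewer than 14 header bytes")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "tagged": False, "vlan_id": None, "cos": None}
    offset = 14
    if type_len == TPID_8021Q:                  # the 4-byte shim is present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_len = struct.unpack("!HH", frame[14:18])
        # TCI: 3 CoS (802.1p) bits, 1 drop-eligible bit, 12-bit VLAN ID.
        info.update(tagged=True, cos=tci >> 13, vlan_id=tci & 0x0FFF)
        offset = 18
    # An untagged frame on a trunk belongs to the native VLAN (vlan_id None).
    # Values up to 1500 are an 802.3 Length field; 0x0600 and above are an
    # Ethernet II EtherType naming the network-layer protocol.
    if type_len <= 1500:
        info.update(encapsulation="802.3", length=type_len, ethertype=None)
    else:
        info.update(encapsulation="Ethernet II", length=None, ethertype=type_len)
    info["protocol"] = ETHERTYPE_NAMES.get(info["ethertype"])
    info["payload"] = frame[offset:]
    return info

def build_frame(dst, src, type_len, payload, vlan_id=None, cos=0) -> bytes:
    """Constructed frames for testing; a tag is inserted when vlan_id is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (cos << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", type_len) + payload

if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)
    print(parse_ethernet(arp))
    tagged = build_frame("00:11:22:33:44:66", "00:11:22:33:44:55", 0x0800,
                         b"\x45" + b"\x00" * 19, vlan_id=10, cos=5)
    print(parse_ethernet(tagged))
```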

Video 16 - VTP in the Data Center
VTP lecture… Studied over and over in CCNA/CCNP R&S. Recap.

UCS B Series Chassis - VTP is not supported

4th mode of operation in VTP on NX-OS = VTP mode OFF!!

Server to Server both in NULL domain. If an 802.1Q trunk exists and Switch A is set to domain NEXUS, the downstream switch will also join the NEXUS domain, unless authentication is set!

VTP Pruning

Prevents any traffic destined for a particular VLAN if not required. Prune the trunk and no traffic for the VLAN will flow over the trunk.

This is dynamic. If you add an access port to a particular VLAN, then that VLAN will be added to the trunk and unpruned.

Switchport allowed vlan - Manually trim VLAN traffic over trunks

VTP in NX-OS
show vtp status
Not enabled by default!
Enable the module: 'feature vtp'

VTPv2 disabled by default.
Config Revision = 0 as per default
Domain Name = NULL

vtp domain NEXUS
vtp password cisco
vtp version 2
vtp pruning - On Server and will be pushed down to Clients
vtp mode server/client/transparent/off
All dependent on an 802.1Q trunk being available

*Lower the configuration revision number to zero whenever you move a switch into a new VTP domain.
Renaming the VTP domain is the easiest way of doing this, then naming back to the original domain name.

Video 17 - Redundancy at Layer 2


STP 802.1D
RSTP 802.1w
MSTP 802.1s
LAN Port Channels (Etherchannels)

Review of all Layer 2 redundant links/broadcast storm/loops etc…

STP review…

Spanning-tree port type edge/network/normal (RSTP only)

Portchannels review…

Video 18 - Routing in the Data Center

Fundamentals of routing…

- The basics
- InterVLAN Routing
- RIP
- OSPF
- EIGRP
- BGP

Adding a static route: ip route 10.10.30.0/24 10.10.10.100 (Prefix notation is now supported)

Default route: 0.0.0.0/0 192.168.1.100 (Gateway of last resort)

The network command has gone from all routing protocols in NX-OS!

router rip MYRIP
Under interface: ip router rip MYRIP (This replaces the network command)

Consistency of all routing protocols in NX-OS.

Video 19 - ACLs in the NX-OS

Review Operations
Configuration in NX-OS

Fundamentals of ACL behaviour and operation

1 ACL per protocol, per interface, per direction

ip access-list TEST
permit tcp 172.16.0.0/16 any eq 80
permit tcp 172.16.0.0/16 any eq 25

show access-lists
This will show the access list with sequence numbers.

'show access-lists summary' - NEW IN NX-OS
This will show where all access lists are configured and active.

NX-OS can check an ACL before it is applied! Anything in a configure session will not be applied to the Nexus OS until it is committed.

configure session ACLTEST
ip access-list TEST2
permit icmp any any
int e2/2
ip access-group TEST2 in

Exit

configure session ACLTEST
verify

If satisfied and verification was a success:
commit

This will inject the configuration into the Nexus OS.

Object Groups
conf
object-group ip address OURNETS
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Now we can use this within an access list:

show object-group OURNETS
Verify the object group

ip access-list TEST3
permit ip addrgroup OURNETS any

show access-list expanded
show access-list TEST3 expanded

Exam Time

Deny telnet from 10.10.10.0/24 to anywhere!

ip access-list DENYTELNET
deny tcp 10.10.10.0/24 any eq 23
permit ip any any

Under physical interface:
ip access-group DENYTELNET in
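An added example (not from the notes, and not NX-OS's own parser) that evaluates the ACL syntax shown in this video: permit/deny with a protocol, a prefix or "any", an optional "eq <port>", and "addrgroup" object groups, with auto-numbered sequence numbers, per-entry hit counts, an "expanded" view and the implicit deny at the end. The DENYTELNET and TEST3 lists above are reproduced as sample data; the packet addresses in the main block are constructed.

```python
# Added example (not from the notes): a minimal evaluator for the ACL syntax
# shown above (ip access-list, permit/deny, protocol, prefix or "any", an
# optional "eq <port>", and "addrgroup" object groups) with sequence numbers
# and the implicit deny at the end. Simplified grammar; not NX-OS's parser.
import ipaddress

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ANY = ipaddress.ip_network("0.0.0.0/0")

def _show(net):
    return "any" if net == ANY else str(net)

class AccessList:
    def __init__(self, name, object_groups=None):
        self.name = name
        self.object_groups = object_groups or {}   # name -> list of networks
        self.entries = []        # (seq, action, proto, src_nets, dst_nets, port)
        self.hits = {}           # seq -> match count, like per-ACE statistics

    def _networks(self, tokens, i):
        """Consume one source/destination field starting at tokens[i]."""
        if tokens[i].lower() == "any":
            return [ANY], i + 1
        if tokens[i].lower() == "addrgroup":
            return list(self.object_groups[tokens[i + 1]]), i + 2
        return [ipaddress.ip_network(tokens[i])], i + 1

    def add(self, line, seq=None):
        """Parse 'permit tcp 172.16.0.0/16 any eq 80' style entries."""
        tokens = line.split()
        action, proto = tokens[0].lower(), tokens[1].lower()
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"cannot parse ACE: {line!r}")
        srcs, i = self._networks(tokens, 2)
        dsts, i = self._networks(tokens, i)
        port = None
        if i < len(tokens):
            if tokens[i].lower() != "eq" or len(tokens) != i + 2:
                raise ValueError(f"unsupported qualifier in ACE: {line!r}")
            port = int(tokens[i + 1])
        if seq is None:          # auto-number in steps of 10, as the CLI does
            seq = self.entries[-1][0] + 10 if self.entries else 10
        self.entries.append((seq, action, proto, srcs, dsts, port))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def evaluate(self, src_ip, dst_ip, proto, dst_port=None):
        """First match top-down wins; no match falls to the implicit deny."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for seq, action, ace_proto, srcs, dsts, port in self.entries:
            if ace_proto != "ip" and ace_proto != proto:
                continue
            if not any(src in n for n in srcs) or not any(dst in n for n in dsts):
                continue
            if port is not None and port != dst_port:
                continue
            self.hits[seq] = self.hits.get(seq, 0) + 1
            return action, seq
        return "deny", None      # implicit "deny ip any any"

    def expanded(self):
        """One line per network pair, like 'show access-list NAME expanded'."""
        lines = []
        for seq, action, proto, srcs, dsts, port in self.entries:
            suffix = f" eq {port}" if port is not None else ""
            for s in srcs:
                for d in dsts:
                    lines.append(f"{seq} {action} {proto} {_show(s)} {_show(d)}{suffix}")
        return lines

def build_exam_acl():
    """The 'Exam Time' list above: deny telnet from 10.10.10.0/24, permit the rest."""
    acl = AccessList("DENYTELNET")
    acl.add("deny tcp 10.10.10.0/24 any eq 23")
    acl.add("permit ip any any")
    return acl

def build_object_group_acl():
    """TEST3 above: permit from the OURNETS object group to anywhere."""
    ournets = [ipaddress.ip_network(n) for n in
               ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
    acl = AccessList("TEST3", {"OURNETS": ournets})
    acl.add("permit ip addrgroup OURNETS any")
    return acl

if __name__ == "__main__":
    acl = build_exam_acl()                   # 203.0.113.9 below is a constructed target
    print(acl.evaluate("10.10.10.5", "203.0.113.9", "tcp", 23))   # ('deny', 10)
    print("\n".join(build_object_group_acl().expanded()))
```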

Video 20 - Introducing IPv6

- Addresses
- New Features
- More Information

IPv4 = 32 bit addresses/dotted decimal notation

IPv6 = 128 bit addresses/hexadecimal
0000:0000:0000:0000:0000:0000:0000:0000

Any leading zeroes can be dropped within an IPv6 address.

Double colon = zero compression
Only to be used once when consecutive zeroes exist

New Features
- Adequate IP addresses
- No NAT requirement in IPv6
- Auto configuration to self-generate an IP address (Eliminate DHCP)
- IPv6 - Secure - IPsec built in!
- Simple/Efficient
- Broadcast Packets eliminated
- Standard sized header rather than a variable length header
- Transition from IPv4 to IPv6. Both protocols living side by side.

Further reading on IPv6 - CBT Nuggets offers courses online.
