Monday, January 04, 2010


Cisco Nexus OS script for private vlans

There are often times when you need to provide layer 2 isolation for servers that logically make sense to keep on the same subnet. A good example are web servers that reside in a dmz that perform the same function but do not have any reason to communicate with each other, just with the public and the common back end application services they are addressing through a firewall. In this scenerio you could either put each server in a /30 subnet and write specific ACL's for that subnet or simply make use of a larger subnet and utilize private vlans.

The Nexus OS allows you to build out private vlans to perform this function. There are two types of secondary vlans you can create in a private vlan. A secondary vlan is one that is bound behind a primary vlan which is how you can control the behavior of the vlan ports. The two secondary types are community (a port that is in a community can talk to those that are in its community) and isolated (it can only talk to itself.) The primary interface should be a promiscuous port so everyone in a community or isolated port can talk to it. In this situation you can build out as many community and isolated secondary pvlans as you require and simply assign them to a primary vlan that is associated with a specific subnet. There are a couple of items to be aware of, things like multicast applications (those that are participating in multicast have to be in the same community) and some other minor requirements for things like clustering which might require those ports to be promiscuous instead of just in a community.

Here is a short sample script you can use to get started.
! - Nexus 7000 script
! - configuring private vlans
! - enable pvlans feature
feature private-vlan
! - create primary vlan 100
vlan 100
private-vlan primary
! - to confirm that the vlan is a primary do
show vlan private-vlan
! - create a secondary community vlan
vlan 200
private-vlan community
! - create a secondary isolated vlan
vlan 201
private-vlan isolated
! - now associate the secondary vlans with the primary
vlan 100
private-vlan association 200-201
! - to see the pvlan mappings do
sh vlan private-vlan
! - to put a port in a private-vlan do
interface eth1/1
switchport mode private-vlan host
switchport private-vlan host-association 100 201
! - to see the port status do
show interface eth1/1 switchport
! - to set up a promiscuous port
interface eth2/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 200-201
! - to see the port status do
show interface eth2/1 switchport
! - to set up an SVI (Layer 3 interface) association
feature interface-vlan
interface vlan 100
private-vlan mapping 200-201
! - to see the state of the vlan interface
show vlan internal vlan-info

That should get things started for a private vlan configuration on a Cisco Nexus platform.
- Ed


Monday, December 28, 2009


So, what advatages are there to having a Cisco VSS configuration?

I've been in several discussions with clients who are trying to understand the benefit of Cisco VSS vs a Nexus 7k approach for new data center deployments. Cisco has some excellent information out there on differences between the two platforms but if you haven't been on the lookout to upgrade your network infrastructure you might have missed the discussion.

I think both the Cisco VSS and Nexus solutions address many of the frustrations that people who are building larger data centers with virtualization are looking for. Specifically, a way to get redundancy and high availability plus very large bandwidth into their server farms while not building out a massive layer 3 network which can cause limitations for virtualization solutions. One of the advantages for companies that are not doing virtualization (perhaps their applications require all the cpu and memory of the host server) is that the architecture works equally well for them.

Cisco has build some specific solutions around virtualization plus data center, this is their recent announcement of the UCS products. I am not going to bother discussing that in this post and if you want to know more about that I suggest reading Colin McNamara's blog - he covers it really well so no reason to repeat it here.

So why would you pick a Cisco VSS solution vs a Cisco Nexus solution. There isn't an obvious answer at first blush.

Here would be the short list of why VSS first. They would be:
1. Having staff who understand and are familiar with the Cisco 6500 series and support a lot of them already.
2. The requirement for having service modules in the solution, something VSS supports but Nexus does not.
3. Moving from an existing investment in 6500's with Sup720-10G's to a high available, redundant solution split across multiple chassis - gear reuse.
4. Want tight fault tolerance solutions with other Catalyst switching platforms.
5. Able to provide Multichassis EtherChannel (MEC) to downstream or upstream devices.

Here would be the short list of why Nexus first. They would be:
1. Running into throughput and performance problems with a 6500 solution at core or distribution. Especially due to service modules impacting performance.
2. Would like to move to having independent point devices for services like firewalling, load balancing, network analysis and wireless. Perhaps you like a different vendors load balancer or firewall product that run at much higher throughputs.
3. Moving to very high density 1 and 10G server solutions that can grow and scale for investment protection.
4. Moving to the next generation platform where Cisco will be investing research and dollars into.
5. Able to provide Multichassis EtherChannel (MEC) to downstream or upstream devices.

So, if you are building out a data center soon that will require a 5-7 year lifespan then I really suggest moving to the Nexus platform now. Cisco is making the pricing just as attractive as the 6500 series but you gain all the advantages of moving to the next generation of platform.

If your time horizon is shorter for changing out your data center network equipment then the Cisco 6500 VSS solution is a great transition product which allows the re-use of your 6500 chassis and investment in supervisors (if you have Sup720-10G's already) and service modules.

The reality is that you will likely have both within your data center if you are making reuse of service modules. You can then run those service modules in 6500 series with 10Gig to a core Nexus plaform with the 6500's running VSS MEC to the Nexus 7000's running vPC MEC.

Both solution will work to your downstream server farms for MEC and the VSS has been upgraded to support 512 Port-Channels in a single chassis, more than enough considering many servers are getting 4 x 1Gig ports or more channeled together to the network.
- Ed

Labels: ,

Thursday, August 27, 2009


VMworld 2009 - San Francisco next week

VMware's VMworld 2009 is next week in downtown San Francisco and I picked up an Expo pass (Solutions Exchange) to be able to drop in for a day to see all the exciting stuff happening in the virtualization world.
It looks like Cisco is going to have a huge showing at the event this year. There is a lot of buzz around UCS, Nexus 7000, 5000, 2000 and 1000v and the new Data Center 3.0 architecture. If you want to get your toes wet on some of the happenings with Cisco's involvement you should check out Colin McNamara's blog, he has been doing some great posts about all the happenings with UCS. Colin is also on twitter.
- Ed

Labels: , , ,

Sunday, February 01, 2009


Cisco Nexus 2000 Series is orderable

The Nexus 2000 is now orderable so Cisco DC vision is just about complete. When the Nexus 1000v is final than Cisco's vision for the data center will be a full leap ahead of everyone else in the industry. They will have a full product line that can bridge the gap between today's data center needs and support what your data center will look like for several years to come.
The remarkable thing is that Cisco pulled this off in 1 yr. The release of the Nexus 7000 was just over 1 yr ago and while definately early out of the gate it is remarkable the amount of engineering and resources that have gone into building out this new data center vision. Cisco is back in their element - everyone else better look out because the 800 gorrilla is on a rampage!
- Ed


This page is powered by Blogger. Isn't yours?

Creative Commons

Unless otherwise expressly stated, all original material of whatever nature created by Ed Horley and included in this weblog and any related pages, including the weblog's archives, is licensed under a Creative Commons License.