Nexus 7000

THIS PAGE IS WORK IN PROGRESS.. – May 25th 2011.

Terminology

Here’s some useful terms / TLA’s that may be mentioned below.. there’s an additional list on my glossary.

  • LIF – Logical InterFace is a unique index used on NX-OS and IOS systems to determine a physical (port) or logical (SVI, loopback or MET) interface.

    Troubleshooting Commands

    Interfaces

    sh sys internal eltmc info int … – Can be executed on a N7K module to get the configuration status of a physical interface and allow you to identify it’s LIF.
    module-2# sh sys internal eltmc info int e 2/9
    ELTM Detailed info for Interface Ethernet2/9
    cr_flags = INTF LIF , LIF = 16513 (0x4081), LTL = 1178 (0x49a)
    State = UP
    Layer = L3, Encap Vlan = 0
    local_port = 1, ldb_sharing = 0, ldb_base = 0xc809
    ldb_port_prop_flags = 0x0, dsm = 0, dnl = 0
    ilm_sharing = 1, ilm_base = 0x0
    Interface Features:
    ipv4_en = 1, ipv4_mcast_en = 1, df_mask = 0 ipsg_en = 0
    v4_table_id = 1 (0x1), v4_vpn_id = 1 (0x1)
    ipv6_en = 0, ipv6_mcast_en = 0
    v6_table_id = 2147483649 (0x80000001), v6_vpn_id = 1 (0x1)
    per_pkt_ls_en = 0, icmp_redirect = 1 ipv6_redirect = 1
    v4_same_if_check = 0, v6_same_if_check = 0
    mtu_index = 0 (0x0), new_mtu_index = 0 (0x0)
    mtu = 9216 (0x2400), port_trust = 0, bd = 3 (0x3)
    v4_rpf_mode = 0, v6_rpf_mode = 0, f_index = 0
    Input ACL Related:
    set_flags = 0x509
    acl_en = 3, qos_en = 0, acct_en = 0
    group_en = 0, l2_acl_en = 0, l2_cos_sel = 0
    recirc_id = 0, base_policer_id = 0, mut_map_index = 0
    trust_lif = 0, base_acct_id = 0
    label_a = 0(0x0), label_b = 2(0x2)
    Output ACL Related:
    set_flags = 0x0
    acl_en = 0, qos_en = 0, acct_en = 0
    group_en = 0, l2_acl_en = 0, l2_cos_sel = 0
    recirc_id = 0, base_policer_id = 0, mut_map_index = 0
    trust_lif = 0, base_acct_id = 0
    label_a = 0(0x0), label_b = 0(0x0)
    WCCP exclude label_a = 0(0x0), WCCP exclude label_b = 2(0x2)
    sub_type 0x0

    Forwarding Paths

    You can identify the Layer-2 forwarding path from any particular module on the N7K using show system internal forward

    Hardware Packet Losses

    You can identify where hardware is dropping packets due to back headers/checksums etc using the show hardware forwarding ip verify command:
    TBDAXR01# show hardware forwarding ip verify
    IPv4 and v6 IDS Checks Status Packets Failed
    -----------------------------+---------+------------------
    address source broadcast Enabled 0
    address source multicast Enabled 0
    address destination zero Enabled 0
    address identical Disabled --
    address reserved Disabled --
    address class-e Disabled --
    checksum Enabled 8
    protocol Enabled 0
    fragment Disabled --
    length minimum Enabled 0
    length consistent Enabled 0
    length maximum max-frag Enabled 0
    length maximum udp Disabled --
    length maximum max-tcp Enabled 0
    tcp flags Disabled --
    tcp tiny-frag Enabled 0
    version Enabled 0
    -----------------------------+---------+------------------
    IPv6 IDS Checks Status Packets Failed
    -----------------------------+---------+------------------
    length consistent Enabled 0
    length maximum max-frag Enabled 0
    length maximum udp Disabled --
    length maximum max-tcp Enabled 0
    tcp tiny-frag Enabled 0
    version Enabled 0

    TCAM Troubleshooting

    TCAM is programmed to store MACs, ACLs and features. You can view the configured ACLs/ACEs on a given VLAN using the sh sys int access-list vlan .. command. You can also identify which ACE’s are being hit using the statistics from sh sys int access-list vlan .. input statistics.

    ISSU – In-service Software Upgrade

    ISSU allows you to carryout upgrades on the Nexus 7000 while it’s in use by making use of all the redundancy that’s built in (fabrics, supervisors and the topological-redundancy you build into your network). It works by upgrading components one-at-a-time and then rebooting each component individually, with the idea being that during that component reboot the standby takes over.
    Before carrying out an ISSU, NX-OS runs a number of tests to check if it can carryout a non-disruptive upgrade. One sticking point on ISSU is spanning-tree. The command show spanning-tree issu will give you a list of STP-related reasons for not being able to carryout ISSU.
    AGG2-3-N5K#show spanning-tree issu
    For ISSU to Proceed, Check the Following Criteria :
    1. No Topology change must be active in any STP instance
    2. Bridge assurance(BA) should not be active on any port (except MCT)
    3. There should not be any Non Edge Designated Forwarding port (except MCT)
    4. ISSU criteria must be met on the VPC Peer Switch as well

    You can also check the compatibility of a system image with the show incompatibility system .. command – this will check if there are any features enabled that need to be disabled for the upgrade.
    AGG2-3-N5K# show incompatibility system bootflash:n5000-uk9.4.2.1.N2.1.bin
    No incompatible configurations