Cisco Nexus 1000V Release Notes, Release 5.2(1)SV3(4.1c)
This document describes the features, caveats, and limitations for the Cisco Nexus 1000V Release 5.2(1) SV3 (4.1c).
history of this document.
July 22, 2020 |
Initial Release of the document. |
This document includes the following sections:
Software Compatibility with VMware
Software Compatibility with Cisco Nexus 1000V
Cisco Nexus 1000V Confguration Scale Limits
Cisco VSG Configuration Scale Limits
Cisco AVS Configuration Scale Limits
VDP Configuration Scale Limits
Important Notes and Limitations
Accessibility Features in Cisco Nexus 1000V
Communications, Services, and Additional Information
The Cisco Nexus 1000V for VMware provides a distributed, Layer 2 virtual switch that extends across multiple virtualized hosts. The Cisco Nexus 1000V manages a data center defined by the vCenter Server. Each server in the data center is represented as a line card in the Cisco Nexus 1000V and can be managed as if it were a line card in a physical Cisco switch.
The Cisco Nexus 1000V consists of the following components:
· Virtual Supervisor Module (VSM), which contains the Cisco CLI, configuration, and high-level features.
· Virtual Ethernet Module (VEM), which acts as a line card and runs in each virtualized server to handle packet forwarding and other localized functions.
Note: Nexus 1000V syslog messages do not include hostname field.
The servers that run the Cisco Nexus 1000V VSM and VEM must be in the VMware Hardware Compatibility list. This release of the Cisco Nexus 1000V supports vSphere 6.5U1g release train. For additional compatibility information, see the Cisco Nexus 1000V and VMware Compatibility Information.
Note:
· VSM hardware versions 7, 8, 9, and 10 are supported. VSM hardware version 11 is not supported.
· The Cisco Nexus 1000V supports all virtual machine network adapter types that VMware vSphere supports. Refer to the VMware documentation when choosing a network adapter. For more information, see the VMware Knowledge Base article #1001805.
This release supports hitless upgrades from Release 5.2(1)SV3(4.1) and later. For more information, see the Cisco Nexus 1000V Installation and Upgrade Guide.
New Content for this Release
Defect fixes for customer issues and security issues are added in this release. See the Resolved Bugs section.
The following topics provide configuration scale number information:
· Cisco Nexus 1000V Configuration Scale Limits
· Cisco VSG Configuration Scale Limits
· Cisco AVS Configuration Scale Limits
· VDP Configuration Scale Limits
The following table lists the configuration scale limit information for the Cisco Nexus 1000V Advanced edition.
Note: The scale limits for the Cisco Nexus 1000V Essential edition are half of what is stated in the following table.
Feature |
VEM |
DVS |
Other |
Hosts/DVS |
— |
250 (includes gateways) |
— |
Total vEth Ports |
1000 |
10,240 |
— |
Ports per port profile |
1024 |
2048 |
— |
Port Profiles |
6144 |
6144 |
— |
Physical NICs |
32 |
2000 |
— |
Physical Trunks |
32 |
2000 |
— |
vEthernet Trunks |
32 |
1024 |
— |
Port Channels |
8 |
1024 |
— |
Active vLANs |
4094 |
4094 |
— |
VXLANS (Bridge Domains) |
6144 |
6144 |
— |
VXLAN mappings per trunk |
512 |
— |
— |
VXLAN VNI |
1044 |
6144 |
— |
VTEPs |
4 |
1024 |
512 per bridge domain |
BGP Peers |
8 VSM |
— |
— |
Route Reflectors |
— |
— |
2 per VXLAN control plane |
MAC addresses |
32,000 |
— |
— |
MAC address per VLAN |
4094 |
4094 |
— |
DHCP IP Bindings |
1024 |
10,240 |
— |
ACLs |
128 |
128 |
— |
ACEs per ACL |
— |
128 |
— |
ACL Instances |
6000 |
42000 |
6 instances per port |
NetFlow Policies |
320000 flows |
64 monitor sessions 64 records 64 exporters |
— |
QoS Policy Maps |
— |
128 |
— |
Qos class |
— |
1024 |
— |
QoS class maps/ policy maps |
— |
— |
64 |
QoS instances (egress and ingress) |
— |
9000 |
— |
Multicast groups |
1024 |
1024 |
— |
PVLANs |
512 |
512 |
— |
Port security MACs |
2048 |
24000 |
5 MACs per port |
SPAN/ERSPAN sessions |
64 |
64 |
— |
Source interfaces per session |
— |
128 vEths or 32 physical Eths or port channels |
— |
Source VLANs per session |
— |
32 |
— |
Destination interfaces per session |
— |
32 |
— |
Span sessions per source interface |
— |
4 |
— |
Source profiles per session |
— |
16 |
— |
Destination profiles per session |
— |
8 |
— |
Cisco Trustsec |
— |
· 6000 IP-SGT mappings · 4000 IP-Subnet-SGT mappings · 128 SGACLs · 128 ACEs per SGACL · 8 SXP peers |
— |
Number of VSMs per VC |
— |
|
64 |
Domain ID range |
— |
|
1-1023 |
802.1x vEthernet Ports |
130 |
1000 (Maximum number of vEthernet ports that can be authenticated at a time) |
N/A |
In this release, when Cisco Virtual Security Gateway (VSG) solutions using version 5.2(1)VSG3(3.1) are deployed, the following scale limitations apply and supersede the scale numbers shown in Cisco Nexus 1000V Configuration Scale Limits section.
Feature |
VEM |
DVS |
Number of VEM Modules |
VSG |
512 vEth ports per VEM |
10,000 vEth ports with up to 6000 vEth ports protected by VSG |
250 per DVS |
In this release, when Cisco Application Virtual Switch (AVS) solutions are deployed, the following scale limitations apply and supersede the scale numbers shown in Cisco Nexus 1000V Configuration Scale Limits section.
Feature |
VEM |
Top of Rack |
AVS |
300 vEth ports per VEM |
40 VEM modules |
In this release, when VSI Discovery Protocol (VDP) solutions are deployed, the following scale limitations apply and supersede the scale numbers shown in Cisco Nexus 1000V Configuration Scale Limits section.
Feature |
VEM |
DVS |
Number of VEM Modules |
VDP |
300 vEth ports per VEM |
4000 vEth ports |
128 per DVS |
The following topics provide important notes and limitations.
Using VSM Control0 Interface as the SVS Control Interface
If the Cisco Nexus 1000V SVS domain is configured to use layer-3 control mode in an environment where the VSM control0 interface is not in the same IP subnet as the packet/control VMKernel interface on the ESXi hosts, it is necessary to configure a static route on the VSM in the default VRF. A static route is required so that the VSM has a known route to the subnet(s) used by the ESXi host VMK interfaces used for Nexus 1000V packet/control. A default static route is ignored and you need to configure a specific static route that includes all the destination networks used by ESXi host VMK packet/control interfaces. A static route that is more specific than a default "/0" route is required to route packets/traffic between the VSM and VEM. For example, the following two static routes can be used as a direct replacement of a default static route:
ip route 0.0.0.0/1 <vsm-control0-def-gw-ip>
ip route 128.0.0.0/1 <vsm-control0-def-gw-ip>
Where <vsm-control0-def-gw-ip> is the IP address of the default gateway for the VSM control0 interface subnet.
Attention: When upgrading, check the configuration of the existing Cisco Nexus 1000V, if a default static route is used in the default VRF, make sure that you add a specific static route in the default VRF for the traffic to VMK network to use control0 interface gateway. Failing to make this configuration change will cause all VEMs that are not in the same subnet as the VSM control0 interface to go offline.
Configuration Container Names Must Be Unique
All Cisco Nexus 1000V VSM configuration containers—port profiles, bridge domains, ACLs, class maps, policy maps, and so on—must have unique names.
In releases earlier than 5.2(1)SV3(1.1), you could create two configuration containers (for example, two port profiles) with the same name but different case sensitivity; for example, vmotion and VMOTION.
In later releases, you cannot create two configuration containers (for example, two port profiles) with the same name but different case sensitivity. During an upgrade, one of the port profiles with a duplicate name is deleted, which moves the corresponding ports in vCenter into quarantined state.
For example, do not create bridge domains with the same name (one uppercase, one lowercase) that point to different segments. See the following examples:
This is an example of an uppercase name:
switch# show bridge-domain VXLAN14095
Bridge-domain VXLAN14095 (0 ports in all)
Segment ID: 12333 (Manual/Active)
Mode: Unicast-only
MAC Distribution: Disable
BGP control mode: Enable
Group IP: NULL
Encap Mode: VXLAN*
State: UP Mac learning: Enabled
This is an example of a lowercase name:
switch# show bridge-domain vxlan14095
Bridge-domain vxlan14095 (0 ports in all)
Segment ID: 14095 (Manual/Active)
Mode: Unicast-only
MAC Distribution: Disable
BGP control mode: Enable
Group IP: 237.1.1.196
Encap Mode: VXLAN*
State: UP Mac learning: Enabled
802.1X Security Support
802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to an NX-OS device port.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
· Maximum number of vEthernet ports for 8021.x mode per VEM is 130.
· Number of vEthernet ports that can be authenticated at an instance depends on the limitations of Radius server on the VSM side.
· If the reauthentication timer is used, the reauthentication timer intervals across the various port profiles should be configured so that the number of ports that are triggered for reauthentication at any instance do not exceed the number of ports supported on the RADIUS server.
· Maximum number of ports suggested for 802.1x port-profile with reauthentication enabled is 400.
· The show dot1x all summary command does not display vEthernet ports in a sorted manner.
· If vEthernet ports are in guest VLAN, the show int brief command in VSM displays the port status as authorization pending. This is expected behavior as this command still shows 802.1x state. However, the corresponding ports can be in forwarding state since it is enabled in guest VLAN.
· Port security configuration does not work with 802.1x.
· Ethernet ports (physical VEM ports) are not supported in 802.1x.
· Cisco Anyconnect Network Access module, Cisco ISE version 2.1 and VMware virtual desktop infrastructure are compatible with 802.1x implementation.
· 802.1x single host mode is not compatible with trunk interfaces.
· Guest VLAN mode can work together with headless mode. If VEM operates in headless mode (without VSM), a port-profile configured with guest VLAN mode can use the configuration to place the ports in guest VLAN mode. When the VSM connectivity is resumed, such ports move back to regular 802.1x authentication cycles.
· Inaccessible authentication bypass and 802.1x open authentication mode are not supported.
Single VMware Data Center Support
The Cisco Nexus 1000V for VMware can be connected to a single VMware vCenter Server data center object. Note that this virtual data center can span multiple physical data centers.
Each VMware vCenter can support multiple Cisco Nexus 1000V VSMs per vCenter data center.
VDP
Implementing VDP on the Cisco Nexus 1000V has the following limitations and restrictions:
· The Cisco Nexus 1000V supports the Cisco DFA-capable VDP based on the IEEE Standard 802.1 Qbg, Draft 2.2, and does not support the Link Layer Discovery Protocol (LLDP). Therefore, the EVB type, length, and value are not originated or processed by the Cisco Nexus 1000V.
· The VDP implementation in the current release supports a matching LLDP-less implementation on the bridge side, which is delivered as part of the Cisco DFA solution. For more information on the Cisco DFA, see the Cisco DFA Solutions Guide.
· Timer-related parameters are individually configurable in the station and in the leaf.
· Connectivity to multiple unclustered bridges is not supported in this release.
· IPv6 addresses in filter format are not supported in this release.
· VDP is supported for only segmentation-based port profiles. VDP for VLAN-based port profiles is not supported in this release.
· The dynamic VLANs allocated by VDP are local to the VEM; they should not be configured on the Cisco Nexus 1000V VSM.
Custom TCP/IP Stack
Cisco Nexus 1000V VEM does not support ESXi custom TCP/IP stack and control traffic through the custom TCP/IP stack.
DFA
Fabric forwarding mode is not supported under the VLAN configuration.
ERSPAN
If the ERSPAN source and destination are in different subnets, and if the ERSPAN source is an L3 control VM kernel NIC attached to a Cisco Nexus 1000V VEM, you must enable proxy-ARP on the upstream switch.
If you do not enable proxy-ARP on the upstream switch (or router, if there is no default gateway), ERSPAN packets are not sent to the destination.
VMotion of VSM
VMotion of VSM has the following limitations and restrictions:
· VMotion of VSM is supported for both the active and standby VSM VMs. For high availability, we recommend that the active VSM and standby VSM reside on separate hosts.
· If you enable Distributed Resource Scheduler (DRS), you must use the VMware anti-affinity rules to ensure that the two VMs are never on the same host, and that a host failure cannot result in the loss of both the active and standby VSM.
· VMware VMotion does not complete when using an open virtual appliance (OVA) VSM deployment if the CD image is still mounted. To complete the VMotion, either click Edit Settings on the VM to disconnect the mounted CD image, or power off the VM. No functional impact results from this limitation.
· If you are adding one host in a DRS cluster that is using a vSwitch to a VSM, you must move the remaining hosts in the DRS cluster to the VSM. Otherwise, the DRS logic does not work, the VMs that are deployed on the VEM could be moved to a host in the cluster that does not have a VEM, and the VMs lose network connectivity.
For more information about VMotion of VSM, see the Cisco Nexus 1000V Installation and Upgrade Guide.
Access Lists
ACLs have the following limitations and restrictions:
· VLAN-based ACLs (VACLs) are not supported.
· ACLs are not supported on port channels.
· The access-class command is not supported on the vty interface. Use management interface ACL for any access-list requirements.
NetFlow
The NetFlow configuration has the following limitations and restrictions:
· NetFlow Sampler is not supported.
· NetFlow Exporter format V9 is supported.
· NetFlow Exporter format V5 is not supported.
· NetFlow is not supported on port channels.
· The NetFlow cache table does not support immediate or permanent cache types.
Port Security
Port security has the following limitations and restrictions:
· Port security is enabled globally by default.
· The feature/no feature port-security command is not supported.
· In response to a security violation, you can shut down the port.
Port Profiles
Port profiles have the following limitations and restrictions:
· There is a limit of 255 characters in a port-profile command attribute.
· We recommend that if you are altering or removing a port channel, you should migrate the interfaces that inherit the port channel port profile to a port profile with the desired configuration, rather than editing the original port channel port profile directly.
· When you remove a port profile that is mapped to a VMware port group, the associated port group and settings within the vCenter Server are also removed.
· Policy names are not checked against the policy database when ACL/NetFlow policies are applied through the port profile. It is possible to apply a nonexistent policy.
· The port profile name can be up to 80 alphanumeric characters, is not case-sensitive, and must be unique for each port profile on the Cisco Nexus 1000V. The port profile name cannot contain any spaces. The port profile name can include all the ASCII special characters except the forward slash (/), backslash (\), percent (%), and question mark (?).
Note: If there are any existing port profiles (created in earlier Cisco Nexus 1000V releases) with names that contain a forward slash (/), backslash (\), percent (%), or question mark (?), you can continue to use them in this release.
SSH Support
Only SSH version 2(SSHv2) is supported.
Mixed-Mode Upgrade Support
Starting with Release 5.2(1)SV3(1.15), Cisco Nexus 1000V deployment supports a configuration where the VSM version can be the same or later than the VEM version. With the mixed-mode upgrade functionality, you can upgrade the VSM without upgrading the VEM and reduce the overhead involved in the Cisco Nexus 1000V upgrade. For more information on mixed-mode upgrade support, see the Cisco Nexus 1000V Installation and Upgrade Guide.
LACP
Only LACP offload to VEM is supported. Upgrades from earlier releases to this release change LACP to offload mode by default.
Cisco NX-OS Commands Might Differ from Cisco IOS
Be aware that the Cisco NX-OS CLI commands and modes might differ from those commands and modes used in the Cisco IOS software.
No Spanning Tree Protocol
The Cisco Nexus 1000V for VMware forwarding logic is designed to prevent network loops; therefore, it does not use the Spanning Tree Protocol. Packets that are received from the network on any link connecting the host to the network are not forwarded back to the network by the Cisco Nexus 1000V.
No Support for VXLAN Gateway
Starting with Cisco Nexus 1000V Release 5.2(1)SV3(1.15), the VXLAN Gateway feature is not supported.
Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is enabled globally by default.
CDP runs on all Cisco-manufactured equipment over the data link layer and does the following:
· Advertises information to all attached Cisco devices.
· Discovers and views information about those Cisco devices.
o CDP can discover up to 256 neighbors per port if the port is connected to a hub with 256 connections.
Note: If you disable CDP globally, CDP is also disabled for all interfaces.
For more information about CDP, see the Cisco Nexus 1000V System Management Configuration Guide.
DHCP Not Supported for the Management IP
DHCP is not supported for the management IP. The management IP must be configured statically.
Upstream Switch Ports
We recommend that you configure spanning-tree port type edge on upstream switches for faster convergence.
The following commands are available to use on Cisco upstream switch ports in interface configuration mode:
· spanning-tree portfast
· spanning-tree portfast trunk
· spanning-tree portfast edge trunk
Interfaces
When the maximum transmission unit (MTU) is configured on an operationally up interface, the interface goes down and comes back up.
Supported MTU values vary according to underlying physical NIC capability.
Layer 3 VSG
When a VEM communicates with the Cisco VSG in Layer 3 mode, an additional header with 94 bytes is added to the original packet. You must set the MTU to a minimum of 1594 bytes to accommodate this extra header for any network interface through which the traffic passes between the Cisco Nexus 1000V and the Cisco VSG. These interfaces can include the uplink port profile, the proxy ARP router, or a virtual switch.
Copy Running-Config Startup-Config Command
When you are using the copy running-config startup-config command, do not press the PrtScn key. If you do, the command aborts.
SNMP User Accounts Must Be Reconfigured After an Upgrade
If you are upgrading from a release earlier than 5.2(1)SV3(1.5), the SNMP engine ID changes internally to a unique engine ID. You must reconfigure all the SNMP user accounts to work with the new engine ID. Until the SNMP user accounts are reconfigured, all SNMPv3 queries fail. This restriction is associated with the defect CSCuo12696 and CSCvb16199.
After an upgrade, use the show snmp user command to view the engine ID:
switch# show snmp user
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User Auth Priv
admin md5 des
(EngineID 128:0:0:9:3:2:0:12:0:0:0)
Complete the following steps to reconfigure SNMP user accounts. Reconfiguring an SNMP user account involves deleting and recreating a new SNMP username and password. Note that paswd123 is an example that represents the SNMP user password.
Procedure
Step 1 Delete the username. For example:
switch(config)# no snmp user admin auth md5 paswd123 engineID 128:0:0:9:3:2:0:12:0:0:0
Step 2 Use one of the following options to recreate the SNMP username and password. For example:
Option 1
switch(config)# snmp user admin auth md5 paswd123
Option 2
switch(config)# snmp-server user admin auth md5 paswd123 priv aes-128 paswd123
Step 3 Confirm that the engine ID has been updated. For example:
Option 1
switch# show snmp user
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
admin md5 no network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
_____________________________________________________________
User Auth Priv
Option 2
switch(config)# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
admin md5 aes-128(no) network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
_____________________________________________________________
User Auth Priv
Step 4 Verify that the engine ID is unique. For example:
switch# show snmp engineID
Local SNMP engineID: [Hex] 8000000903005056A0544E
[Dec] 128:000:000:009:003:000:080:086:160:084:078
Viewing the Distributed Virtual Switch Version in the VMware vSphere Web Client GUI
You can use the VMware vSphere Web Client GUI to view which distributed virtual switch (DVS) version you are using.
Procedure
Step 1 Log in to the VMware vSphere Web Client.
Step 2 Under Home > Inventory > Networking, expand the data center folder and select the DVS.
Step 3 Click the Summary tab; the DVS version is displayed in the General area.
Viewing the Distributed Virtual Switch Version in the Virtual Supervisor Module CLI
You can use the Virtual Supervisor Module (VSM) CLI to view which DVS version you are using.
Procedure
Step 1 Log in to the VSM CLI in EXEC mode.
Step 2 Enter the show svs connections command.
Step 3 The command output shows the DVS version; for example:
switch# show svs connections
connection vc:
hostname: -
ip address: 10.197.135.64
ipv6 address: -
remote port: 80
transport type: ipv4
protocol: vmware-vim https
certificate: default
datacenter name: dc1
admin:
max-ports: 12000
DVS uuid: 50 1a bb c1 3a 92 00 ce-72 8f 4e 91 40 48 b1 f0
dvs version: 5.0.0
config status: Enabled
operational status: Connected
sync status: Complete
version: VMware vCenter Server 6.5.0 build-4944578
vc-uuid: 9bc4215b-e927-4701-8173-9fede105fcda
ssl-cert: self-signed or not authenticated
sv331_812_ip_155#
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.
Use the Bug Search Tool to search for a specific bug or to search for all bugs in a release.
Procedure
Step 1 Go to http://tools.cisco.com/bugsearch
Step 2 In the Log In screen, enter your registered Cisco.com username and password, and then click Log In. The Bug Search page opens.
Note: If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4 To search for bugs in the current release:
1. In the Search For field, enter Cisco Nexus 1000V for VMware and press Enter. (Leave the other fields empty.)
2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by status, severity, modified date, and so forth.
Tip : To export the results to a spreadsheet, click the Export Results to Excel link.
Bug ID |
Description |
Cisco IOS, IOS XE, and NX-OS Software SGT Exchange Protocol Denial of Service Vulnerability. |
|
Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability. |
|
SNMP ACL is causing VSM to crash consistently. |
All product documents are accessible except for images, graphics, and some charts. If you would like to receive the product documentation in audio format, braille, or large print, contact accessibility@cisco.com.
The Cisco Management Information Base (MIB) list includes Cisco proprietary MIBs and many other Internet Engineering Task Force (IETF)-standard MIBs. These standard MIBs are defined in Requests for Comments (RFCs). To find specific MIB information, you must examine the Cisco proprietary MIB structure and related IETF-standard MIBs supported by the Cisco Nexus 1000V Series switch.The MIB Support List is available at the following FTP site: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus1000v/Nexus1000VMIBSupportList.html
· To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
· To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
· To submit a service request, visit Cisco Support.
· To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
· To obtain general networking, training, and certification titles, visit Cisco Press.
· To find warranty information for a specific product or product family, access Cisco Warranty Finder
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2020 Cisco Systems, Inc. All rights reserved.