This document describes the features, caveats, and limitations for the Cisco Nexus Data Broker software, Release 3.4.
Additional product documentation is listed in the “Related Documentation” section.
Release notes are updated with new information about restrictions and caveats. See the following website for the most recent version of this document:
Table 1 shows the online change history for this document.
Table 1 Online Change History

| Date | Description |
| --- | --- |
| Oct 09, 2017 | Created the release notes for the 3.4 release. |
| January 8, 2018 | Updated the supported APIC versions. |
| January 9, 2018 | Updated the support for NX-OS versions. |
| Feb 22, 2018 | Added hardware and software interoperability matrix for Nexus Data Broker. |
| Aug 17, 2018 | Updated information about running NDB as a service. |
| Feb 24, 2019 | Updated Known Caveats section and Open Caveats section. |
This document includes the following sections:
· Contents
· Caveats
Visibility into application traffic is important for infrastructure operations to maintain security and compliance, and to perform resource planning and troubleshooting. With the technological advances and growth in cloud-based applications, it has become imperative to gain increased visibility into the network traffic. Traditional approaches to gain visibility into network traffic are expensive and rigid, making it difficult for managers of large-scale deployments.
Cisco Nexus Data Broker with Cisco Nexus Switches provides a software-defined, programmable solution to aggregate copies of network traffic using SPAN or network taps for monitoring and visibility. As opposed to traditional network taps and monitoring solutions, this packet-brokering approach offers a simple, scalable and cost-effective solution well-suited for customers who need to monitor higher-volume and business-critical traffic for efficient use of security, compliance, and application performance monitoring tools.
Cisco Nexus Data Broker also provides management support for multiple disjointed Cisco Nexus Data Broker networks. You can manage multiple Cisco Nexus Data Broker topologies that may be disjointed using the same application instance. For example, if you have five data centers and want to deploy an independent Cisco Nexus Data Broker solution for each data center, you can manage all five independent deployments using a single application instance by creating a logical partition (network slice) for each monitored network.
1. Download the script named ndb for your operating system (Ubuntu, CentOS, or Red Hat). The service script is available at: https://github.com/datacenter/nexus-data-broker
2. Change the permissions of the ndb script file to 755 with the chmod 755 ndb command. For example:
ndb-inst# chmod 755 ndb
3. Update the NDB installation location (NDB_PATH) in the downloaded ndb script file, for example:
NDB_PATH=/home/user/xnc
4. Copy the script to the following path in the operating system: /etc/init.d/.
5. Start, stop, and restart NDB using the following commands:
ndb-inst# ndb stop
ndb-inst# ndb start
ndb-inst# ndb restart
Cisco Nexus Data Broker, Release 3.4, supports the following Cisco Nexus switches:
| Device Model | Cisco Nexus Data Broker Minimum Version | Deployment Mode Supported | Supported Use Cases |
| --- | --- | --- | --- |
| Cisco Nexus 3000 Series | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation and |
| Cisco Nexus 3100 platform | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation and |
| Cisco Nexus 3164Q Switch | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation only |
| Cisco Nexus 3500 Series | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation only |
| Cisco Nexus 9300 platform | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation and |
| Cisco Nexus 9500 platform | Cisco Nexus Data Broker 3.0 or later | Centralized only | Tap/SPAN aggregation only |
| Cisco Nexus 3200 switch | Cisco Nexus Data Broker 3.0 or later | Centralized and Embedded | Tap/SPAN aggregation only |
| Cisco Nexus 9200 switch | Cisco Nexus Data Broker 3.1 or later | Centralized and Embedded (Note: Cisco Nexus 9200 Series switches support only one switch deployment.) | Tap/SPAN aggregation only |
| Cisco Nexus 9300-EX switch | Cisco Nexus Data Broker 3.1 or later | Centralized and Embedded | Tap/SPAN aggregation only |
This section lists the usage guidelines and limitations for the Cisco Nexus Data Broker. You must use the Google Chrome browser version 45.x or later to access the web-based user interface.
■ For a TACACS user to start NDB in embedded mode, the user should be logged in to the switch with network administrator privileges.
■ Export and import NDB Configuration feature is supported only for NDB embedded deployment. This feature is not supported for Port Group, Advance, UDF Filters, Production, and APIC SPAN session.
■ By default, NDB cluster URL is https://<NDBIP>:8443.
■ The browser supported by NDB is Google Chrome, version 45.x and later and FireFox version 45.x and later.
■ APIC versions supported are 1.1, 1.2, 2.0 & 3.0 series.
■ The switchport mode trunk command should be enabled on all the Nexus Data Broker managed interfaces.
■ The spanning-tree bpdufilter enable command should be enabled for all the inter-switch ports for all the platform series.
■ Cisco Nexus Data Broker Embedded will be supported on NxOS 7.0(I4).1 onwards, and 7.0(3)I6.1 onwards.
■ The following features will not be supported in embedded mode deployment of Cisco Nexus Data Broker
— Configuring SPAN session
— Configuring copy device
— Configuring copy sessions
— Scheduling Configuration Backup
— Adding another NDB device
— Adding APIC for ACI SPAN Session
— Adding production device for SPAN session
■ HTTP access on port 8080 is disabled by default. Only HTTPS access on port 8443 is enabled. You can enable HTTP access by editing the tomcat.xml file. For more details, refer to Cisco Nexus Data Broker Configuration Guide.
■ The Cisco Nexus Data Broker assumes inter-switch link interfaces are configured to be layer 2 switch ports, and these interfaces are set to ‘switchport trunk’ by default.
■ Before installing or upgrading to Cisco NDB, Release 3.3 or later release, you need to configure TCAM region for IPv6 ACL in all devices that are going to be managed by the corresponding NDB release version.
■ Use minimum JRE version 1.8.0_45 for latest security fixes.
■ Cisco Nexus 9000 switches managed by Cisco Nexus Data Broker must have LLDP features enabled. Disabling LLDP may cause inconsistencies and require devices to be deleted and re-added.
■ When removing devices from the Cisco Nexus Data Broker, the device associated port definitions and connections should be removed first. Otherwise, the device might contain stale configurations created by the Cisco Nexus Data Broker.
■ For Cisco NX-API devices, there is a 3 minute wait after reload for the Cisco Nexus Data Broker configuration operations to begin (port definitions, connection creation/deletion and stats). This is to avoid any inconsistencies between Cisco Nexus Data Broker and device during the reload operation.
■ For secured communication between Nexus Data Broker and a device through HTTPS, start Nexus Data Broker in TLS mode. For more details, refer to the Cisco Nexus Data Broker Configuration Guide.
■ The TLS KeyStore and TrustStore passwords are sent to the Cisco Nexus Data Broker only through HTTPS, so that it can read the password-protected TLS KeyStore and TrustStore files:
./xnc config-keystore-passwords [--user {user} --password {password} --url {url} --verbose --prompt --keystore-password {keystore_password} --truststore-password {truststore_password}]
The default URL is https://Nexus_Data_Broker_IP:8443.
■ A Cisco Nexus Data Broker instance supports either the OpenFlow or the NX-API configuration mode; it does not support both configuration modes in one instance.
■ VLAN-based IP filtering is not supported for Nexus Series switches running NX-OS version 7.0(3)I6.1. Hence, filtering fails when you filter traffic on the following switches: 92160YC-X Switch, 92300YC Switch, 9272Q Switch, 92304Q Switch, 9236C Switch.
■ For an NDB cluster deployment, the round-trip delay between the servers participating in the cluster must be less than 50 milliseconds. If the round-trip delay is higher, the NDB cluster behaves unexpectedly and the member servers fail to synchronize.
■ For Cisco NDB Release 3.4, Cisco NX-OS Release versions 7.0(3)I5(1) and 7.0(3)I5(2) are not recommended for NX-API or OpenFlow deployments.
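The guideline above that HTTP on port 8080 is disabled by default, with only HTTPS on port 8443 enabled, is worth re-checking after anyone edits tomcat.xml. The following Python script is an added example, not Cisco's code: it assumes the file uses standard Tomcat <Connector> elements, where SSLEnabled="true" or secure="true" marks a TLS listener, and the two XML samples embedded in it are constructed for illustration rather than taken from an NDB installation.

```python
"""Audit a Tomcat-style tomcat.xml for a re-enabled plaintext HTTP connector.

Added example, not Cisco's code. Assumes standard Tomcat <Connector> elements;
the two XML samples are constructed to show the documented default (HTTP on
8080 commented out, HTTPS on 8443 enabled) and a re-enabled HTTP connector.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shipped default, with the 8080 connector commented out
DEFAULT_TOMCAT_XML = """<Server>
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/> -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

# Constructed sample: an operator uncommented the HTTP connector
REENABLED_TOMCAT_XML = DEFAULT_TOMCAT_XML.replace(
    '<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/> -->',
    '<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>')


def _is_tls(attrs):
    """A connector is a TLS listener when SSLEnabled or secure is set to true."""
    return (attrs.get("SSLEnabled", "false").lower() == "true"
            or attrs.get("secure", "false").lower() == "true")


def audit_connectors(xml_text):
    """Summarise the listeners: is HTTPS on 8443 present, and which ports are plaintext?

    The XML parser drops comments, so a connector that is only commented out
    (the documented default) is not reported as enabled.
    """
    root = ET.fromstring(xml_text)
    https_8443 = False
    plaintext_ports = []
    for connector in root.iter("Connector"):
        attrs = connector.attrib
        port = int(attrs.get("port", "0"))
        if _is_tls(attrs):
            if port == 8443:
                https_8443 = True
        else:
            # Every non-TLS connector (HTTP, AJP, ...) is a plaintext listener
            plaintext_ports.append(port)
    return {"https_8443": https_8443, "plaintext_ports": sorted(plaintext_ports)}


def findings(xml_text):
    """Human-readable findings; an empty list means the file matches the documented default."""
    result = audit_connectors(xml_text)
    out = []
    if not result["https_8443"]:
        out.append("no TLS connector on 8443")
    for port in result["plaintext_ports"]:
        out.append(f"plaintext HTTP connector enabled on port {port}")
    return out


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_TOMCAT_XML), ("re-enabled", REENABLED_TOMCAT_XML)):
        print(label, findings(sample) or ["ok"])
```

Run it against the real file with `findings(open("tomcat.xml").read())`; the audit treats any connector without a TLS marker as a plaintext listener, so an AJP connector would also be flagged, which is the conservative reading for a management interface.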
The following table provides the scalability limits for Cisco Nexus Data Broker for Centralized Deployment.

Table 2 Scalability Limits for Cisco Nexus Data Broker

| Description | Small | Medium | Large |
| --- | --- | --- | --- |
| Number of switches used for Tap and SPAN aggregation | 25 | 50 | 75 |
The following table lists the hardware and software interoperability matrix for NDB Release 3.4.

| Nexus Switch Model(s) | Implementation Type | Supported NX-OS Versions | OpenFlow Agent |
| --- | --- | --- | --- |
| 30xx/31xx | OpenFlow | 6.0(2)U6(x) | 1.1.5 |
| 30xx/31xx | OpenFlow | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | 2.1.4 |
| 30xx | NXAPI | Not Supported | Not Supported |
| 31xx | NXAPI | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 3164 | OpenFlow | Not Supported | Not Supported |
| 3164 | NXAPI | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 32xx | OpenFlow | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | 2.1.4 |
| 32xx | NXAPI | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 35xx | OpenFlow | 6.0(2)A6(x) or 6.0(2)A8(x) | 1.1.5 |
| 35xx | NXAPI | Not Supported | Not Supported |
| 92xx | OpenFlow | Not Supported | Not Supported |
| 92xx | NXAPI | 7.0(3)I4(2) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 93xx | OpenFlow | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | 2.1.4 |
| 93xx | NXAPI | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 93xxx-EX | OpenFlow | Not Supported | Not Supported |
| 93xxx-EX | NXAPI | 7.0(3)I4(2) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
| 95xx | OpenFlow | Not Supported | Not Supported |
| 95xx | NXAPI | 7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1) | NA |
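The interoperability matrix above, together with the earlier guideline that NX-OS 7.0(3)I5(1) and 7.0(3)I5(2) are not recommended with Release 3.4, is easier to apply across a switch inventory as code. The following Python module is an added example, not Cisco's: it transcribes the matrix cells (splitting the combined 30xx/31xx rows into one entry per model group), and the version-string grammar it accepts (7.0(3)I7(1), 6.0(2)U6(x), 7.0(3)I6.1) is an assumption based on the strings used in this document. It generalizes the table into a range check, treating a wildcard (x) patch as matching any patch in that train.

```python
"""NX-OS version compatibility check against the NDB 3.4 interoperability matrix.

Added example, not Cisco's code. The matrix cells and the two "not recommended"
releases are transcribed from the release notes; the version-string grammar
(7.0(3)I7(1), 6.0(2)U6(x), 7.0(3)I6.1) is an assumption drawn from the document.
"""
import re

# major.minor(maint)<TRAIN><n>(patch) or <TRAIN><n>.patch; a patch of "x" is a wildcard
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z])(\d+)(?:\((\d+|x)\)|\.(\d+))$")

I4_1 = "7.0(3)I4(1) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1)"
I4_2 = "7.0(3)I4(2) to 7.0(3)I4(7) and 7.0(3)I6(x) and 7.0(3)I7(1)"

# (model group, implementation) -> "Supported NX-OS Versions" cell of the matrix
MATRIX = {
    ("30xx", "OpenFlow"): "6.0(2)U6(x) and " + I4_1,
    ("31xx", "OpenFlow"): "6.0(2)U6(x) and " + I4_1,
    ("30xx", "NXAPI"): "Not Supported",
    ("31xx", "NXAPI"): I4_1,
    ("3164", "OpenFlow"): "Not Supported",
    ("3164", "NXAPI"): I4_1,
    ("32xx", "OpenFlow"): I4_1,
    ("32xx", "NXAPI"): I4_1,
    ("35xx", "OpenFlow"): "6.0(2)A6(x) or 6.0(2)A8(x)",
    ("35xx", "NXAPI"): "Not Supported",
    ("92xx", "OpenFlow"): "Not Supported",
    ("92xx", "NXAPI"): I4_2,
    ("93xx", "OpenFlow"): I4_1,
    ("93xx", "NXAPI"): I4_1,
    ("93xxx-EX", "OpenFlow"): "Not Supported",
    ("93xxx-EX", "NXAPI"): I4_2,
    ("95xx", "OpenFlow"): "Not Supported",
    ("95xx", "NXAPI"): I4_1,
}


def parse_nxos_version(text):
    """Return (major, minor, maint, train, train_num, patch); patch is None for 'x'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS version string: {text!r}")
    major, minor, maint, train, train_num, patch_paren, patch_dot = m.groups()
    patch = patch_paren if patch_paren is not None else patch_dot
    return (int(major), int(minor), int(maint), train, int(train_num),
            None if patch == "x" else int(patch))


def _bound(version, upper):
    """Replace a wildcard patch by 0 (lower bound) or infinity (upper bound)."""
    patch = version[5]
    if patch is None:
        patch = float("inf") if upper else 0
    return version[:5] + (patch,)


def parse_support_spec(spec):
    """Turn one matrix cell into a list of inclusive (low, high) version bounds."""
    spec = spec.strip()
    if spec.lower() == "not supported":
        return []
    bounds = []
    for clause in re.split(r"\s+(?:and|or)\s+", spec):
        if " to " in clause:
            lo, hi = (parse_nxos_version(p) for p in clause.split(" to ", 1))
        else:
            lo = hi = parse_nxos_version(clause)
        bounds.append((_bound(lo, upper=False), _bound(hi, upper=True)))
    return bounds


# Guideline from the release notes: not recommended for NX-API or OpenFlow with NDB 3.4
NOT_RECOMMENDED_3_4 = {parse_nxos_version(v) for v in ("7.0(3)I5(1)", "7.0(3)I5(2)")}


def check_device(model, impl, running_version):
    """Return {'supported': bool, 'recommended': bool} for one switch.

    Raises KeyError for a (model, impl) pair the matrix does not list and
    ValueError if the running version is malformed or contains a wildcard.
    """
    version = parse_nxos_version(running_version)
    if version[5] is None:
        raise ValueError("the running version must be concrete, not a wildcard")
    bounds = parse_support_spec(MATRIX[(model, impl)])
    supported = any(lo <= version <= hi for lo, hi in bounds)
    return {"supported": supported, "recommended": version not in NOT_RECOMMENDED_3_4}


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real devices
    inventory = [("93xx", "NXAPI", "7.0(3)I7(1)"), ("92xx", "NXAPI", "7.0(3)I4(1)"),
                 ("93xx", "OpenFlow", "7.0(3)I5(1)"), ("30xx", "OpenFlow", "6.0(2)U6(3)")]
    for model, impl, ver in inventory:
        print(model, impl, ver, check_device(model, impl, ver))
```

Because the bounds are compared as tuples, a version from a different train (for example I5 against the I4 range and the I6 wildcard) falls outside every bound and is reported as unsupported, while the "recommended" flag stays a separate signal for the two images the guidelines call out.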
This section lists the new and changed features in this release and includes the following topics:
The following new software features are available in this release:
· Support for the range keyword on NX-API based switches when a rule is created with a range of ports in the filter.
· Support to create and restore an NDB configuration backup instantly during the pre-deployment phase, currently available on NX-OS, OpenFlow, and NX-AUX based switches.
· Support to configure selected fields for Filters, Port Configuration (Edge-Span, Edge-Tap, or Production), Port Groups, and Destination while they are in use (Connection and Redirection) using the NDB GUI. This feature is supported on switches running in NX-OS, OpenFlow, or NX-AUX mode.
· Support to enable or disable an interface using the NDB GUI.
· Support to use a customized script to perform basic installation processes such as enabling a feature, adding a banner message, or configuring TCAM carving.
· Support to change the NDB Web UI timeout period.
· Support for domain names for AAA servers.
· Support to clear statistics for an NX-API connection.
· Support to display port-level statistics on the connection topology.
· Support to configure sFlow using the NDB GUI.
· Support to delete one or more backup instances using the NDB GUI.
· Support for a field description starting with a number.
· Support for editing the description of Service node and Monitor device interfaces.
· Support for exporting and importing specific Nexus switch configurations, including ISL connections.
· Support for PTP configuration on 9200 and 9300-EX series switches.
· Support to deny all ICMP traffic by default, with specific rules for the following types:
o router-advertisement
o nd-na
o nd-ns
o router-solicitation
· Support for IP address and port ranges for Auto Priority connections.
· Support to configure non-symmetric load balancing on a node using the NDB GUI with the following options:
o IP
o IP, GRE key
o IP and L4 port
o IP, L4 port and VLAN
o IP and VLAN
o L4 port
o MAC
Feature Limitations:
The following feature limitations apply to the Cisco Nexus Data Broker, Release 3.4:
· NDB embedded is not supported on Cisco Nexus 3000 series switches running the 7.0(3)I5.1 and 7.0(3)I6.1 NX-OS images.
· To avoid stale flows (ACLs) on NX-API enabled switches, uninstall the connections with port range filtering, upgrade to NDB Release 3.4, and then reinstall the connections.
This section contains lists of open and resolved caveats and known behaviors.
This section lists the open caveats. Click the bug ID to access the Bug Search tool and see additional information about the bug.

| Bug ID | Description |
| --- | --- |
| | Node Id of the device group is not updated after upgrading from NDB release 3.X to 3.2 and above. |
| | Port configuration fails due to unsupported characters in description: Import. |
| | Cisco Nexus 9000 devices do not have an error pop up message for the connection installation of VLAN + Layer 3 filters. |
| | Export does not fetch Node configuration. |
| | Default-match-all filter supports additional ethertypes. |
| | PTP and Timestamp configuration fails for ports that are in the port-channel. |
| | Limitations in uploading a configuration that has redirections (bi-directional). |
| | Unable to remove MAC ACE using sequence number in Cisco NXOS I7(2) release. |
This section lists the resolved caveats. Click the bug ID to access the Bug Search tool and see additional information about the bug.

| Bug ID | Description |
| --- | --- |
| | Unnecessary syslogs are being generated. |
| | Connection source ports are not listed on the Open Flow device. |
| | Upgrading to Cisco Nexus Data Broker 3.2 with a Cisco Nexus 9000 NX-API switch needs the IPv6 hardware CLI command on the switch. |
| | Switchport mode changes automatically from dot1q-tunnel to trunk on NDB Production ports. |
| | OpenFlow ports are in admin down state in the switch when the NDB restarts. |
This section lists the known caveats. Click the bug ID to access the Bug Search tool and see additional information about the bug.

| Bug ID | Description |
| --- | --- |
| | Disk space not reclaimed in switch I7.x versions while uninstalling Embedded NDB. |
| | Module Serial number instead of Switch serial number in OF statistics. |
| | Unable to attach VLAN access list entry to the interface in NXOS Release 7.0(3)I6.1. |
| | Flows are not installing in switch with simple IPv6 match criteria. |
| | NXAPI w/TACACS authentication failing. |
| | Reconnecting the switch with NXOS I5.2 from NDB periodically. |
| | Device in NDB becomes suddenly disconnected - nginx_f crash. |
| | Openflow - Portchannel links are not seen on NDB, Release 2.1. |
| | Connections are not matched with the VLAN ID of source ports on ISL links with an IPv6 filter. |
The Cisco Nexus Data Broker documentation can be accessed from the following websites:
Nexus Data Broker Datasheet: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/data_sheet_c78-729452.html?cachemode=refresh
General Documentation: http://www.cisco.com/c/en/us/support/cloud-systems-management/nexus-data-broker/tsd-products-support-series-home.html
The documentation includes installation information and release notes.
Table 6 Installation Documentation

| Document | Description |
| --- | --- |
| Cisco Nexus Data Broker Embedded Deployment Guide | Describes the deployment of Nexus Data Broker on NX-OS devices, either as a separate NDB virtual service or as an application alongside the GuestShell+ virtual service. |
| Cisco Nexus Data Broker Centralized Deployment Guide | Describes the deployment of Nexus Data Broker in a Linux VM that can be used to manage multiple NX-OS devices for SPAN configuration. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2019 Cisco Systems, Inc. All rights reserved.