First Published: 2014-08-22 Last Updated: 2015-12-03
This document describes the features, limitations, and restrictions for the Cisco Nexus 1000V for VMware Release 5.2(1)SV3(1.1). It also explains how to find information about bugs. The following table lists the change history for this document.
Added information about the access-class command in the Access Lists section.
The Cisco Nexus 1000V for VMware provides a distributed, Layer 2 virtual switch that extends across many virtualized hosts. The Cisco Nexus 1000V manages a data center defined by the vCenter Server. Each server in the data center is represented as a line card in the Cisco Nexus 1000V and can be managed as if it were a line card in a physical Cisco switch.
The Cisco Nexus 1000V consists of the following components:
Virtual Supervisor Module (VSM), which contains the Cisco CLI, configuration, and high-level features.
Virtual Ethernet Module (VEM), which acts as a line card and runs in each virtualized server to handle packet forwarding and other localized functions.
Software Compatibility with VMware
The servers that run the Cisco Nexus 1000V VSM and VEM must be in the VMware Hardware Compatibility list. This release of the Cisco Nexus 1000V supports vSphere 5.5, 5.1, and 5.0 release trains. For additional compatibility information, see the Cisco Nexus 1000V Compatibility Information.
Note All virtual machine network adapter types that VMware vSphere supports are supported with the Cisco Nexus 1000V. Refer to the VMware documentation when choosing a network adapter. For more information, see the VMware Knowledge Base article #1001805.
Software Compatibility with Cisco Nexus 1000V
This release supports hitless upgrades from Release 4.2(1)SV2(1.1) and later releases. For additional information, see the Cisco Nexus 1000V Software Upgrade Guide.
New Software Features
This section describes the new software features in Cisco Nexus 1000V 5.2(1)SV3(1.1).
The Border Gateway Protocol (BGP) control plane feature enables the Cisco Nexus 1000V to exchange the VXLAN information collected on the VSM-VTEP flood list across VSMs. The Cisco Nexus 1000V supports BGP peering among eight VSMs to allow VXLAN segments to reach across servers. BGP runs on the VSM and can exchange VXLAN information with the BGP on any other Cisco Nexus 1000V. The Cisco Nexus 1000V can also be used as a route reflector to exchange VTEP list between VSMs.
Support for Installing VXLAN Gateway as a Virtual Machine (VM)
Ensure that the port profiles and bridge domains are configured on the VSM. The VSM is connected to vCenter and that all the configurations are pushed from VSM to vCenter. The image is available on the VMware host where the VXLAN is created.
Distributed NetFlow with VXLAN Support
NetFlow lets you evaluate IP traffic and understand how and where it flows. NetFlow gives visibility into traffic transiting the virtual switch by characterizing IP traffic based on its source, destination, timing, and application information. This information is used to assess network availability and performance, assist in meeting regulatory requirements (compliance), and help with troubleshooting. NetFlow gathers data that can be used in accounting, network monitoring, and network planning.
With Distributed NetFlow, the switch sends NetFlow export packets directly from the VEMs to the collectors. It no longer sends export packets through the VSM mgmt0 interface, significantly improving scalability.
With VXLAN support, NetFlow can collect the VXLAN segment ID from its flows. It can also collect Layer 2 fields such as the EtherType, source and destination MAC address, and VLAN ID.
Bridge Protocol Data Unit (BPDU) Guard Support
The Cisco Nexus 1000V does not support Spanning Tree Protocol; STP BPDUs are dropped by the Cisco Nexus 1000V. Linux VMs can create bridges within OS to handle NIC failover; these bridges depend on STP communication with neighboring switches. Because the Cisco Nexus 1000V does not support STP, spurious STP BPDUs from virtual machines can cause network loops and upstream internetwork topology recomputation. Enabling BPDU guard causes the Cisco Nexus 1000V to detect these spurious BPDUs and shut down the virtual machine adapters (the origination BPDUs), thereby avoiding loops.
IGMP Multicast Offload
Prior to 5.2(1)SV3(1.1), VEM modules depended on VSM to support IGMP multicast. From 5.2(1)SV3(1.1), VEMs can perform IGMP mrouter detection, IGMP member addition, and deletion without VSM support. IGMP snooping works even when a VEM module is shown as “offline” in VSM.
Management 0 Interface: You can configure IPv6 or IPv4 on management 0 interface of Cisco Nexus 1000V VSM.
Secure Shell: Secure Shell (SSH) server enables an SSH client to make a secure encrypted connection for initiating text-based shell sessions on remote machines in a secure way. You can now configure IPv6 or IPv4 on management 0 interface of Cisco Nexus 1000V VSM to enable a user to login to Nexus 1000V VSM console through SSH.
Telnet: Telnet protocol enables you to set up TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then pass the keystrokes from one device to the other. You can now configure IPv6 or IPv4 on the management 0 interface of Cisco Nexus 1000V VSM to enable a user to login to Nexus 1000V VSM console through Telnet.
SVS connection: Software Virtual Switch (SVS) is basically a connection between vCenter Server and a virtual switch. You can now use IPv6 or IPv4 to establish a connection between vCenter Server and Cisco Nexus 1000V management 0 interface.
Syslog: Syslog is a standard for logging system messages. Syslog is used for system management, security auditing, and debugging messages. You can now configure IPv6 or IPv4 on the Syslog Server and management 0 interface of Cisco Nexus 1000V switch to enable Nexus 1000V switch to export syslogs from the VSM to the Syslog Server.
SNMP: Simple Network Management Protocol (SNMP) is a management protocol for managing devices on IP networks. You can now configure IPv6 or IPv4 on the SNMP Server and management 0 interface of Cisco Nexus 1000V switch to enable the SNMP operations.
NTP: Network Time Protocol (NTP) is a protocol for clock synchronization. You can configure IPv6 on the Cisco Nexus 1000V VSM and NTP server, to enable VSM to synchronize time with NTP server.
AAA: Authentication, authorization, and accounting (AAA) is a framework for managing access to computer resources and enforcing security policies. You can configure IPv6 or IPv4 on AAA/TACACS server and Cisco Nexus 1000V management 0 interface to enable a user to login to Nexus 1000V VSM using the credentials based on RADIUS/TACACS server settings.
IP Name Server/DNS: Domain name servers are used to map an IP address to a host name. You can configure Cisco Nexus 1000V to use one or more domain name servers that use IPv6 or IPv4 addresses.
Port Channels: A port channel bundles physical links into a channel group to create a single logical link that provides aggregated bandwidth and load balances the traffic across all the operational interfaces. Port channel load balancing uses MAC addresses, IP addresses, or Layer 4 port numbers to select a link. Cisco Nexus 1000v port channels support load balance based on IPv6 and IPv4 addresses.
Cisco TrustSec Enforcement Capability
The Cisco TrustSec security architecture enables you to build secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. Cisco TrustSec uses the device and user identification information that is acquired during authentication for classifying or tagging the packets as they enter the network. These packets are tagged on ingress to the Cisco TrustSec network so that they can be identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic
High Availability Enhancements for Platform-Specific Domain ID Detection
If you configure or install a VSM with the same domain ID when a VSM pair is already in place, a domain ID collision occurs. In releases earlier than 5.2(1)SV3(1.1), this collision breaks high availability (HA) between the existing HA pair. In 5.2(1)SV3(1.1), the rogue VSM does not affect the existing VSM HA pair because the source MAC addresses of the VSM HA packets are validated and the rogue VSM packets are dropped.
License Versioning and Advanced License 3.0
The Cisco Nexus 1000V supports Essential and Advanced license editions. Beginning with Cisco Nexus 1000V Release 5.2(1)SV3(1.1), the Advanced license supports License Edition 3.0. The License Edition 3.0 is required and must be installed to enable and provision the new features, such as VXLAN BGP Control Plane, IPv6 ACL, BPDU Guard, and Traffic Storm Control, and to scale above 128 VEM modules.
Layer 3 Security
Layer 3 Security (L3Sec) is a framework that secures the internal control plane communications (control and packet traffic) between Cisco Nexus 1000V VSM and VEM modules in a more robust way than in previous releases.
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast, multicast, or unknown unicast traffic storm on physical interfaces.
Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific interface. IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control.
VXLAN MAC Distribution (VXLAN MD)
MAC distribution uses unicast to distribute MAC, thereby reducing MAC update messages and improving scale.
Feature privilege allows command authorization in NX-OS to behave as the IOS command would behave. Feature privilege supplements the standard NX-OS role-based access control (RBAC) with IOS privilege level authorization, mapping privilege levels to user roles.
Changed Software Features
This section describes the changed software features in Cisco Nexus 1000V 5.2(1)SV3(1.1).
Virtual Service Domain (VSD)
VSD is no longer supported as of this release. You must remove the VSD feature before upgrading to Release 5.2(1)SV3(1.1).
Domain ID Range
The domain ID range has been reduced from 1–4094 to 1–1023. An upgrade to 5.2(1)SV3(1.1) succeeds even if the domain ID value is greater than 1023.
The maximum number of MACs supported is 10 per interface.
When you update the feature level in VSM after upgrading from 4.2(1)SV2(2.1) to 5.2(1)SV3(1.1), sticky entries do not take effect.
If you have more than 10 static MAC addresses prior to 5.2(1)SV3(1.1), only 10 are programmed from the 4.2(1)SV2(2.1) to 5.2(1)SV3(1.1) upgrade.
Burnt-in MACs are secured as static.
Any port detach event causes sticky MACs to be removed.
The following command has been enhanced to display the secure MAC addresses on a per VEM module basis:
– show port-security address module <module-number>
The following commands are deprecated:
– show port-security
– show port-security address
– show resource-availability port-security macs
MAC spoofing detection and violation is local to VEM and is not available across VEM modules.
When an interface has already reached a maximum configured count of secure MAC addresses, adding additional static MAC addresses violates the maximum port count and puts the port in error disable state.
VXLAN UDP Port Number Configuration
The VXLAN user datagram protocol (UDP) port is used in VXLAN encapsulation. You must permit this port through any intermediate firewall.
In Cisco Nexus 1000V for VMware Release 4.2(1)SV2(2.1) and earlier, the default UDP port number was 8472. Beginning with Release 5.2(1)SV3(1.1), the default UDP port number has changed to the recently IANA-approved UDP port number 4789. This change affects the Cisco Nexus 1000V for VMware software installation, upgrade, and VXLAN configuration in the following ways:
When you upgrade to Release 5.2(1)SV3(1.1) from an earlier release that has VXLAN configured, the switch retains the UDP port number of 8472. You are not required to change the UDP number to the IANA approved UDP port number 4789; however if you decide to change it, make sure that the VEMs are upgraded to the Release 5.2(1)SV3(1.1) as well. Otherwise the vxlan udp port command is not available and you cannot change the UDP number.
When you upgrade to Release 5.2(1)SV3(1.1) from an earlier release that does not have VXLAN configured, and then you configure VXLAN, the switch is configured with the default, IANA approved UDP port number 4789.
When you perform a fresh Cisco Nexus 1000V for VMware installation of Release 5.2(1)SV3(1.1) and you configure VXLAN, the switch is configured with the default, IANA approved UDP port number 4789.
You can change the UDP port number at any time using the vxlan udp port command. However, when upgrading to Release 5.2(1)SV3(1.1) from an earlier release, ensure that the VSM and VEMs are at the same release before using the vxlan udp port command. Otherwise the vxlan udp port command is not available and you cannot change the UDP number.
Deprecated and Removed Features
Support of the vCenter plug-in is deprecated in this release. The Cisco Virtual Switch Update Manager has replaced vCenter plug-in functionality.
Limitations and Restrictions
This section describes the limitations and restrictions of the Cisco Nexus 1000V for VMware.
Configuration Scale Limits
Table 1 shows the Cisco Nexus 1000V configuration scale limits.
Table 1 Configuration Scale Limits for Cisco Nexus 1000V
250 (includes gateways)
Total vEth ports
Ports per port profile
VXLANs (bridge domains)
VXLAN gateway pairs
512 per gateway
VXLAN mappings per trunk
512 per bridge domain
2 per VXLAN control plane
MAC address per VLAN
DHCP IP bindings
ACEs per ACL
6 instances per port
Net Flow policies
64 monitor sessions
QoS policy maps
QoS class maps
QoS class maps/policy maps
QoS instances (ingress and egress)
Port security MACs
5 MACs per port
Source interfaces per session
32 physical Eths or port channels
Source VLANs per session
Destination interfaces per session
SPAN sessions per source interface
Source profiles per session
Destination profiles per session
2000 IPSGT mappings
128 ACEs per SGACL
8 SXP peers
Number of VSMs per VC
Domain ID range
VSG Release 5.2(1)VSG2(1.2) Limitations
In Release 5.2(1)SV3(1.1), when VSG solutions using version 5.2(1)VSG2(1.2) are deployed, the following scale limitations apply and supersede the scale numbers shown in Table 1:
In Release 5.2(1)SV3(1.1), when AVS solutions are deployed, the following scale limitations apply and supersede the scale numbers shown in Table 1:
Table 3 Configuration Scale Limits for Cisco Application Virtual Switch
Top of Rack
300 vEth ports per VEM
40 VEM modules
VDP Release 5.2(1)SV3(1.1) Limitations
In Release 5.2(1)SV3(1.1), when VDP solutions are deployed, the following scale limitations apply and supersede the scale numbers shown in Table 1:
Table 4 Configuration Scale Limits for VSI Discovery Protocol
Number of VEM Modules
300 vEth ports per VEM
4000 vEth ports
128 per DVS
Configuration Container Names Must Be Unique
All Cisco Nexus 1000V VSM configuration containers—port profiles, bridge domains, ACLs, class maps, policy maps, and so on—must have unique names.
In earlier releases you could create two configuration containers (for example, two port profiles) with the same name but different case sensitivity; for example, vmotion and VMOTION.
In the current release, you cannot create two configuration containers (for example, two port profiles) with the same name but different case sensitivity. During an upgrade, one of the port profiles with a duplicate name is deleted, which moves the corresponding ports in vCenter into quarantined state.
For example, do not create bridge domains with the same name (one uppercase, one lowercase) that point to different segments. (See Example 1 and Example 2.)
Example 1 Uppercase Example
VSM-DAOX-DVS1# show bridge-domain VXLAN14095
Bridge-domain VXLAN14095 (0 ports in all)
Segment ID: 12333 (Manual/Active)
MAC Distribution: Disable
BGP control mode: Enable
Group IP: NULL
Encap Mode: VXLAN*
State: UP Mac learning: Enabled
Example 2 Lowercase Example
VSM-DAOX-DVS1# show bridge-domain vxlan14095
Bridge-domain vxlan14095 (0 ports in all)
Segment ID: 14095 (Manual/Active)
MAC Distribution: Disable
BGP control mode: Enable
Group IP: 188.8.131.52
Encap Mode: VXLAN*
State: UP Mac learning: Enabled
Single VMware Data Center Support
The Cisco Nexus 1000V for VMware can be connected to a single VMware vCenter Server data center object. Note that this virtual data center can span multiple physical data centers.
Each VMware vCenter can support multiple Cisco Nexus 1000V VSMs per vCenter data center.
Implementing VDP on the Cisco Nexus 1000V has the following limitations and restrictions:
The Cisco Nexus 1000V supports the Cisco DFA-capable VDP based on the IEEE Standard 802.1 Qbg, Draft 2.2, and does not support the Link Layer Discovery Protocol (LLDP). Therefore, the EVB type, length, value are not originated or processed by the Cisco Nexus 1000V.
The VDP implementation in the current release supports a matching LLDP-less implementation on the bridge side, which is delivered as part of the Cisco DFA solution. For more information on the Cisco DFA, see the Cisco DFA Solutions Guide.
Timer-related parameters are individually configurable in the station and in the leaf.
Connectivity to multiple unclustered bridges is not supported in this release.
IPv6 addresses in filter format are not supported in this release.
VDP is supported for only segmentation-based port profiles. VDP for VLAN-based port profiles is not supported in this release.
The dynamic VLANs allocated by VDP are local to the VEM; they should not be configured on the Cisco Nexus 1000V VSM.
VDP is supported on VMware ESX releases 5.0, 5.1, and 5.5 in this release.
Fabric forwarding mode is not supported under the VLAN configuration.
If the ERSPAN source and destination are in different subnets, and if the ERSPAN source is an L3 control VM kernel NIC attached to a Nexus 1000V VEM, you must enable proxy-ARP on the upstream switch.
If you do not enable proxy-ARP on the upstream switch (or router, if there is no default gateway), ERSPAN packets are not sent to the destination.
VMotion of VSM
VMotion of VSM has the following limitations and restrictions:
VMotion of VSM is supported for both the active and standby VSM VMs. For high availability, we recommend that the active VSM and standby VSM reside on separate hosts.
If you enable Distributed Resource Scheduler (DRS), you must use the VMware anti-affinity rules to ensure that the two virtual machines are never on the same host, and that a host failure cannot result in the loss of both the active and standby VSM.
VMware VMotion does not complete when using an open virtual appliance (OVA) VSM deployment if the CD image is still mounted. To complete the VMotion, either click Edit Settings on the VM to disconnect the mounted CD image, or power off the VM. No functional impact results from this limitation.
If you are adding one host in a DRS cluster that is using a vSwitch to a VSM, you must move the remaining hosts in the DRS cluster to the VSM. Otherwise, the DRS logic does not work, the VMs that are deployed on the VEM could be moved to a host in the cluster that does not have a VEM, and the VMs lose network connectivity.
For more information about VMotion of VSM, see the Cisco Nexus 1000V Software Installation Guide.
ACLs have the following limitations and restrictions:
VLAN-based ACLs (VACLs) are not supported.
ACLs are not supported on port channels.
The access-class command is not supported on the vty interface. Use management interface ACL for any access-list requirements.
The NetFlow configuration has the following limitations and restrictions:
NetFlow Sampler is not supported.
NetFlow Exporter format V9 is supported.
NetFlow Exporter format V5 is not supported.
NetFlow is not supported on port channels.
The NetFlow cache table has the following limitation:
Immediate and permanent cache types are not supported.
Port security has the following limitations and restrictions:
Port security is enabled globally by default.
The feature/no feature port-security command is not supported.
In response to a security violation, you can shut down the port.
Port profiles have the following limitations and restrictions:
There is a limit of 255 characters in a port-profile command attribute.
We recommend that if you are altering or removing a port channel, you should migrate the interfaces that inherit the port channel port profile to a port profile with the desired configuration, rather than editing the original port channel port profile directly.
When you remove a port profile that is mapped to a VMware port group, the associated port group and settings within the vCenter Server are also removed.
Policy names are not checked against the policy database when ACL/NetFlow policies are applied through the port profile. It is possible to apply a nonexistent policy.
The port profile name can be up to 80 alphanumeric characters, is not case-sensitive, and must be unique for each port profile on the Cisco Nexus 1000V. The port profile name can include the following three special characters: period (.), underscore (_), hyphen (-).
Only SSH version 2 (SSHv2) is supported.
In Release 5.2(1)SV3(1.1), only LACP offload to VEM is supported. Upgrades from previous releases to this release changes LACP to offload mode by default.
Cisco NX-OS Commands Might Differ from Cisco IOS
Be aware that the Cisco NX-OS CLI commands and modes might differ from those commands and modes used in the Cisco IOS software.
For information about CLI commands, see the Cisco Nexus 1000V Command Reference.
No Spanning Tree Protocol
The Cisco Nexus 1000V for VMware forwarding logic is designed to prevent network loops; therefore, it does not use the Spanning Tree Protocol. Packets that are received from the network on any link connecting the host to the network are not forwarded back to the network by the Cisco Nexus 1000V.
Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is enabled globally by default.
CDP runs on all Cisco-manufactured equipment over the data link layer and does the following:
Advertises information to all attached Cisco devices.
Discovers and views information about those Cisco devices.
– CDP can discover up to 256 neighbors per port if the port is connected to a hub with 256 connections.
If you disable CDP globally, CDP is also disabled for all interfaces.
For more information about CDP, see the Cisco Nexus 1000V System Management Configuration Guide.
DHCP Not Supported for the Management IP
DHCP is not supported for the management IP. The management IP must be configured statically.
Upstream Switch Ports
We recommend that you configure spanning-tree port type edge on upstream switches for faster convergence.
The following commands are available to use on Cisco upstream switch ports in interface configuration mode:
spanning-tree portfast trunk
spanning-tree portfast edge trunk
When the maximum transmission unit (MTU) is configured on an operationally up interface, the interface goes down and comes back up.
Supported MTU values vary according to underlying physical NIC capability.
Layer 3 VSG
When a VEM communicates with the Cisco Virtual Security Gateway (VSG) in Layer 3 mode, an additional header with 94 bytes is added to the original packet. You must set the MTU to a minimum of 1594 bytes to accommodate this extra header for any network interface through which the traffic passes between the Cisco Nexus 1000V and the Cisco VSG. These interfaces can include the uplink port profile, the proxy ARP router, or a virtual switch.
Copy Running-Config Startup-Config Command
When you are using the copy running-config startup-config command, do not press the PrtScn key. If you do, the command aborts.
SNMP User Accounts Must Be Reconfigured After an Upgrade
If you are upgrading from a release earlier than 5.2(1)SV3(1.1), the SNMP engine ID changes internally to a unique engine ID. You must reconfigure all SNMP user accounts to work with the new engine ID. Until the SNMP user accounts are reconfigured, all SNMPv3 queries fail. This restriction is associated with the defect CSCuo12696.
After an upgrade, the engine ID is shown as 128:0:0:9:3:2:0:12:0:0:0, as follows:
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Return.
Step 4 To search for bugs in the current release:
a. In the Search For field, enter Cisco Nexus 1000V for VMware and press Return. (Leave the other fields empty.)
b. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.
To export the results to a spreadsheet, click the Export Results to Excel link.
The Cisco Management Information Base (MIB) list includes Cisco proprietary MIBs and many other Internet Engineering Task Force (IETF) standard MIBs. These standard MIBs are defined in Requests for Comments (RFCs). To find specific MIB information, you must examine the Cisco proprietary MIB structure and related IETF-standard MIBs supported by the Cisco Nexus 1000V Series switch.
The MIB Support List is available at the following FTP site:
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Internet Protocol (IP) addresses used in this document are for illustration only. Examples, command display output, and figures are for illustration only. If an actual IP address appears in this document, it is coincidental.