This chapter describes how to configure Internet Protocol version 4 (IPv4), which includes addressing, Address Resolution Protocol (ARP), and Internet Control Message Protocol (ICMP), on the Cisco Data Center Network Manager (DCNM) Cisco NX-OS device.
You can configure IP on the device to assign IP addresses to network interfaces. When you assign IP addresses, you enable the interfaces and allow communication with the hosts on those interfaces.
You can configure an IP address as primary or secondary on a device. An interface can have one primary IP address and multiple secondary addresses. All networking devices on an interface should share the same primary IP address because the packets that are generated by the device always use the primary IPv4 address. Each IPv4 packet is based on the information from a source or destination IP address. See the “Multiple IPv4 Addresses” section.
You can use a subnet to mask the IP addresses. A mask is used to determine what subnet an IP address belongs to. An IP address contains the network address and the host address. A mask identifies the bits that denote the network number in an IP address. When you use the mask to subnet a network, the mask is then referred to as a subnet mask. Subnet masks are 32-bit values that allow the recipient of IP packets to distinguish the network ID portion of the IP address from the host ID portion of the IP address.
The IP feature in the Cisco NX-OS system is responsible for handling IPv4 packets that terminate in the supervisor module, as well as forwarding of IPv4 packets, which includes IPv4 unicast/multicast route lookup, reverse path forwarding (RPF) checks, and software access control list/policy based routing (ACL/PBR) forwarding. The IP feature also manages the network interface IP address configuration, duplicate address checks, static routes, and packet send/receive interface for IP clients.
The Cisco NX-OS system supports multiple IP addresses per interface. You can specify an unlimited number of secondary addresses for a variety of situations. The most common are as follows:
Note If any device on a network segment uses a secondary IPv4 address, all other devices on that same network interface must also use a secondary address from the same network or subnet. The inconsistent use of secondary addresses on a network segment can quickly cause routing loops.
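The following Python example is added here and is not part of the Cisco documentation. It applies a dotted-decimal mask to obtain the subnet a device address belongs to, then checks one network segment against the note above: all primary addresses must share one subnet, and any secondary subnet in use must be present on every device on the segment. The mask arithmetic comes from the standard ipaddress module; the device names and addresses are constructed.

```python
import ipaddress

def subnet_of(addr, mask):
    """Apply a dotted-decimal mask: the bits the mask keeps are the network ID,
    the remaining bits are the host ID."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def check_segment(devices):
    """Check the addressing of every device on one network segment.

    devices: {name: {"primary": (addr, mask), "secondary": [(addr, mask), ...]}}
    Returns a list of problem strings (empty when the segment is consistent):
      - all primary addresses must share one subnet (packets a device
        generates are sourced from its primary address);
      - if any device uses a secondary subnet, every other device on the
        segment must also have a secondary address in that subnet, otherwise
        routing loops can follow (the note on secondary addresses above).
    """
    problems = []
    primary_nets = {name: subnet_of(*dev["primary"]) for name, dev in devices.items()}
    distinct = {str(net) for net in primary_nets.values()}
    if len(distinct) > 1:
        problems.append(f"primary addresses span several subnets: {sorted(distinct)}")
    secondary_nets = {name: {subnet_of(a, m) for a, m in dev["secondary"]}
                      for name, dev in devices.items()}
    all_secondary = set().union(*secondary_nets.values())
    for net in sorted(all_secondary, key=str):
        missing = sorted(n for n, nets in secondary_nets.items() if net not in nets)
        if missing:
            problems.append(f"secondary subnet {net} is missing on {missing}")
    return problems

# Constructed sample segments (documentation prefixes, not a real network).
CONSISTENT = {
    "r1": {"primary": ("192.0.2.1", "255.255.255.0"),
           "secondary": [("198.51.100.1", "255.255.255.0")]},
    "r2": {"primary": ("192.0.2.2", "255.255.255.0"),
           "secondary": [("198.51.100.2", "255.255.255.0")]},
}
INCONSISTENT = {
    "r1": {"primary": ("192.0.2.1", "255.255.255.0"),
           "secondary": [("198.51.100.1", "255.255.255.0")]},
    "r2": {"primary": ("192.0.2.2", "255.255.255.0"), "secondary": []},
}
```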
Networking devices and Layer 3 switches use Address Resolution Protocol (ARP) to map IP (network layer) addresses to Media Access Control (MAC) layer addresses to enable IP packets to be sent across networks. Before a device sends a packet to another device, it looks in its own ARP cache to see if there is a MAC address and corresponding IP address for the destination device. If there is no entry, the source device sends a broadcast message to every device on the network.
Each device compares the IP address to its own. Only the device with the matching IP address replies to the device that sends the data with a packet that contains the MAC address for the device. The source device adds the destination device MAC address to its ARP table for future reference, creates a data-link header and trailer that encapsulates the packet, and proceeds to transfer the data. Figure 2-1 shows the ARP broadcast and response process.
When the destination device lies on a remote network which is beyond another device, the process is the same except that the device that sends the data sends an ARP request for the MAC address of the default gateway. After the address is resolved and the default gateway receives the packet, the default gateway broadcasts the destination IP address over the networks connected to it. The device on the destination device network uses ARP to obtain the MAC address of the destination device and delivers the packet. ARP is enabled by default.
The default system-defined CoPP policy rate-limits ARP broadcast packets bound for the supervisor module. The default system-defined CoPP policy prevents an ARP broadcast storm from affecting the control plane traffic, but does not affect bridged packets.
ARP caching minimizes broadcasts and limits wasteful use of network resources. The mapping of IP addresses to MAC addresses occurs at each hop (device) on the network for every packet sent over an internetwork, which may affect network performance.
ARP caching stores network addresses and the associated data-link addresses in memory for a period of time, which avoids broadcasting for the same address each time a packet is sent. Cache entries are set to expire periodically because the mapping might become outdated, so the cache must be refreshed. Every device on a network updates its tables as addresses are broadcast.
You must manually configure the IP addresses, subnet masks, gateways, and corresponding MAC addresses for each interface of each device when using static routes. Static routing enables more control but requires more work to maintain the route table. You must update the table each time you add or change routes.
Dynamic routing uses protocols that enable the devices in a network to exchange routing table information with each other. Dynamic routing is more efficient than static routing because the route table is automatically updated unless you add a time limit to the cache. The default time limit is 25 minutes but you can modify the time limit if the network has many routes that are added and deleted from the cache.
When a network is divided into two segments, a bridge joins the segments and filters traffic to each segment based on MAC addresses. The bridge builds its own address table, which uses MAC addresses only, as opposed to a device, which has an ARP cache that contains both IP addresses and the corresponding MAC addresses.
Passive hubs are central-connection devices that physically connect other devices in a network. They send messages out on all their ports to the devices and operate at Layer 1, but do not maintain an address table.
Layer 2 switches determine which port is connected to a device to which the message is addressed and send only to that port, unlike a hub, which sends the message out all its ports. However, Layer 3 switches are devices that build an ARP cache (table).
Reverse ARP (RARP) as defined by RFC 903 works the same way as ARP, except that the RARP request packet requests an IP address instead of a MAC address. RARP often is used by diskless workstations because this type of device has no way to store IP addresses to use when they boot. The only address that is known is the MAC address because it is burned into the hardware.
Use of RARP requires an RARP server on the same network segment as the router interface. Figure 2-2 illustrates how RARP works.
There are several limitations of RARP. Because of these limitations, most businesses use DHCP to assign IP addresses dynamically. DHCP is cost effective and requires less maintenance than RARP. The following are the most important limitations:
Proxy ARP enables a device that is physically located on one network to appear to be logically part of a different physical network connected to the same device or firewall. Proxy ARP allows you to hide a device with a public IP address on a private network behind a router, and still have the device appear to be on the public network in front of the router. By hiding its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP can help devices on a subnet reach remote subnets without configuring routing or a default gateway.
When devices are not in the same data link layer network but in the same IP network, they try to transmit data to each other as if they are on the local network. However, the router that separates the devices does not send a broadcast message because routers do not pass hardware-layer broadcasts and the addresses cannot be resolved.
When you enable Proxy ARP on the device and it receives an ARP request, it identifies the request as a request for a system that is not on the local LAN. The device responds as if it is the remote destination for which the broadcast is addressed, with an ARP response that associates the device’s MAC address with the remote destination's IP address. The local device believes that it is directly connected to the destination, while in reality its packets are being forwarded from the local subnetwork toward the destination subnetwork by the local device. By default, Proxy ARP is disabled.
You can use local Proxy ARP to enable a device to respond to ARP requests for IP addresses within a subnet where normally no routing is required. When you enable local Proxy ARP, ARP responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly by the configuration on the device to which they are connected.
Gratuitous ARP sends a request with identical source IP address and destination IP address to detect duplicate IP addresses. Cisco NX-OS Release 4.0(3) and later releases support enabling or disabling gratuitous ARP requests or ARP cache updates.
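The following Python example is added here and is not Cisco code. It decodes the RFC 826 ARP body for Ethernet/IPv4, keeps a cache whose entries expire (1500 s, the 25-minute default from the caching discussion above), recognises a gratuitous ARP by its identical sender and target IP addresses, flags one that claims an address the device itself owns as a duplicate, and can ignore gratuitous cache updates when that behaviour is disabled. The addresses and the build_arp helper are constructed for the demonstration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 body for Ethernet (htype 1) / IPv4 (ptype 0x0800): 28 bytes.
_FMT = "!HHBBH6s4s6s4s"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode the fixed ARP body; reject anything that is not Ethernet/IPv4."""
    if len(payload) < struct.calcsize(_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def is_gratuitous(pkt):
    # Gratuitous ARP: sender and target protocol addresses are identical.
    return pkt["spa"] == pkt["tpa"]

class ArpCache:
    """IP-to-MAC cache whose entries expire after ttl seconds."""
    def __init__(self, own_addrs, ttl=1500, accept_gratuitous=True):
        self.own = dict(own_addrs)       # ip -> this device's MAC on that interface
        self.ttl = ttl
        self.accept_gratuitous = accept_gratuitous   # gratuitous cache updates on/off
        self.entries = {}                # ip -> (mac, expiry time)
        self.duplicates = []             # (ip, offending mac) seen in gratuitous ARP

    def process(self, pkt, now):
        """Learn from one ARP packet; return what the device did with it."""
        if is_gratuitous(pkt):
            own_mac = self.own.get(pkt["spa"])
            if own_mac and own_mac != pkt["sha"]:
                # Another station announces one of our addresses: duplicate IP.
                self.duplicates.append((pkt["spa"], pkt["sha"]))
                return "duplicate"
            if not self.accept_gratuitous:
                return "ignored"
        self.entries[pkt["spa"]] = (pkt["sha"], now + self.ttl)
        return "learned"

    def lookup(self, ip, now):
        """Cached MAC for ip, or None when absent or expired (then a request is broadcast)."""
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)
            return None
        return entry[0]

def build_arp(op, sha, spa, tha, tpa):
    """Constructed helper that packs sample packets for the demo (not captured traffic)."""
    to_mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(_FMT, 1, 0x0800, 6, 4, op, to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))
```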
When forwarding an incoming IP packet in a line card, if the Address Resolution Protocol (ARP) request for the next hop is not resolved, the line card forwards the packets to the supervisor (glean throttling). The supervisor resolves the MAC address for the next hop and programs the hardware.
The Cisco Nexus 7000 Series device hardware has glean rate limiters to protect the supervisor from the glean traffic. If the maximum number of entries is exceeded, the packets for which the ARP request is not resolved continue to be processed in the software instead of getting dropped in the hardware.
When an ARP request is sent, the software adds a /32 drop adjacency in the hardware to prevent the packets to the same next-hop IP address from being forwarded to the supervisor. When the ARP is resolved, the hardware entry is updated with the correct MAC address. If the ARP entry is not resolved before a timeout period, the entry is removed from the hardware.
Path MTU discovery is a method for maximizing the use of available bandwidth in the network between the endpoints of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.
You can use ICMP to provide message packets that report errors and other information that is relevant to IP processing. ICMP generates error messages, such as ICMP destination unreachable messages, ICMP Echo Requests (which send a packet on a round trip between two hosts) and Echo Reply messages. ICMP also provides many diagnostic functions and can send and redirect error packets to the host. By default, ICMP is enabled.
Some of the ICMP message types are as follows:
Note ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.
IPv4 supports Virtual Routing and Forwarding instances (VRFs). VRFs exist within virtual device contexts (VDCs). By default, Cisco NX-OS places you in the default VDC and default VRF unless you specifically configure another VDC and VRF.
The following table shows the licensing requirements for this feature:
IPv4 has the following configuration guidelines and limitations:
Table 2-1 lists the default settings for IP parameters.
The following platforms support this feature but may implement it differently. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.
You can access IP addressing for Layer 3 interfaces from the Interfaces feature selection.
For more information about the Data Center Network Manager features, see the Fundamentals Configuration Guide, Cisco DCNM for LAN, Release 5.x .
Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
You can assign a primary IP address for a network interface.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Step 1 From the Feature Selector pane, choose Interfaces > Physical > Ethernet.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device to display a list of slots.
Step 3 Double-click the slot to display a list of interfaces.
Step 4 Click the interface that you want to configure as a routed interface.
The system highlights the interface in the Summary pane, and tabs appear in the Details pane.
Step 5 From the Details pane, click the Port Details tab.
Step 6 From the Port Details tab, expand the Port Mode Settings section.
Step 7 From the Mode drop-down list, choose Routed.
The IP address information appears in the Details pane and Cisco NX-OS removes any Layer 2 configuration.
Step 8 (Optional) From the IPv4 Address Settings, set the Primary field to the IPv4 address for this routed interface.
Step 9 (Optional) Set the Net mask field to the network mask for this IPv4 address in dotted decimal notation.
Step 10 From the menu bar, choose File > Deploy to apply your changes to the device.
This example shows how to assign an IPv4 address:
switch(config)# interface ethernet 2/3
switch(config-if)# ip address 192.2.1.1 255.0.0.0
switch(config-if)# copy running-config startup-config
You can only add secondary IP addresses after you configure primary IP addresses.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Step 1 From the Feature Selector pane, choose Interfaces > Physical > Ethernet.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device to display a list of slots.
Step 3 Double-click the slot to display a list of interfaces.
Step 4 Click the interface that you want to configure as a routed interface.
The system highlights the interface in the Summary pane, and tabs appear in the Details pane.
Step 5 From the Details pane, click the Port Details tab.
Step 6 From the Port Details tab, expand the Port Mode Settings section.
Step 7 (Optional) From the IPv4 Address settings section, in the Secondary area, right-click and choose Add Secondary IP to add a secondary IP address.
Step 8 From the Secondary area, in the IP address field, enter an IPv4 address.
Step 9 In the Net mask field, enter the network mask for this IPv4 address in dotted decimal notation.
Step 10 (Optional) From the IPv4 Address settings section, in the Helper area, right-click and choose Add Helper IP to add a helper IP address.
Step 11 From the Helper area, in the IP address field, enter an IPv4 address.
Step 12 From the menu bar, choose File > Deploy to apply your changes to the device.
Specifies the configured address as a secondary IPv4 address.
You can configure a static ARP entry on the device to map IP addresses to MAC hardware addresses, including static multicast MAC addresses.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Associates an IP address with a MAC address as a static entry.
This example shows how to configure a static ARP entry:
switch(config)# interface ethernet 2/3
switch(config-if)# ip arp 192.2.1.1 0019.076c.1a78
switch(config-if)# copy running-config startup-config
You can configure Proxy ARP on the device to determine the media addresses of hosts on other networks or subnets.
Ensure that you are in the correct VDC (or use the switchto vdc command).
This example shows how to configure Proxy ARP:
switch(config)# interface ethernet 2/3
switch(config-if)# ip proxy-arp
switch(config-if)# copy running-config startup-config
Ensure that you are in the correct VDC (or use the switchto vdc command).
This example shows how to configure Local Proxy ARP:
switch(config)# interface ethernet 2/3
Ensure that you are in the correct VDC (or use the switchto vdc command).
Enables gratuitous ARP on the interface. Default is enabled.
This example shows how to disable gratuitous ARP requests:
switch(config)# interface ethernet 2/3
Ensure that you are in the correct VDC (or use the switchto vdc command).
Cisco NX-OS supports an Intrusion Detection System (IDS) that checks for IP packet verification. You can enable or disable these IDS checks.
To enable IDS checks, use the following commands in global configuration mode:
Use the show hardware forwarding ip verify command to display the IP packet verification configuration.
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.
A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is "exploded" as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.
If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet.
To enable IP directed broadcasts, use the following command in interface configuration mode:
Enables the translation of a directed broadcast to physical broadcasts.
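The following Python example is added here and is not Cisco code. It models the directed-broadcast handling described above on a small constructed topology: a packet whose destination is the broadcast address of a remote subnet is forwarded like unicast, while one addressed to the broadcast address of a directly attached subnet is exploded as a link-layer broadcast only if the feature is enabled on that interface. The interface names, prefixes and static routes are constructed, and the disabled case is modelled as a drop (an assumption about the default handling).

```python
import ipaddress

# Constructed topology for the demonstration (documentation prefixes, not a
# real device configuration): directly connected interfaces and static routes.
INTERFACES = {
    "ethernet2/3": ipaddress.ip_interface("192.0.2.1/255.255.255.0"),
    "ethernet2/4": ipaddress.ip_interface("198.51.100.1/255.255.255.0"),
}
STATIC_ROUTES = {ipaddress.ip_network("203.0.113.0/24"): "198.51.100.2"}

def route_lookup(dst):
    """Longest-prefix match over connected subnets and static routes."""
    candidates = [(i.network, ("connected", name)) for name, i in INTERFACES.items()]
    candidates += [(net, ("via", nh)) for net, nh in STATIC_ROUTES.items()]
    matches = [(net, how) for net, how in candidates if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def forward(dst_str, directed_broadcast_enabled):
    """Return (action, detail) for a packet addressed to dst_str.

    directed_broadcast_enabled: {interface name: bool}, the per-interface
    setting. A directed broadcast travels like unicast until it reaches the
    device attached to the destination subnet; there it is exploded as a
    link-layer broadcast only if the feature is enabled on the attached
    interface, and dropped otherwise (assumed default handling).
    """
    dst = ipaddress.ip_address(dst_str)
    match = route_lookup(dst)
    if match is None:
        return ("drop", "no route")
    net, (how, target) = match
    if how == "via":
        return ("forward", target)            # not attached here: forward as unicast
    if dst != net.broadcast_address:
        return ("forward", target)            # ordinary host on the connected subnet
    if not directed_broadcast_enabled.get(target, False):
        return ("drop", f"directed broadcast to {net} on {target} not enabled")
    # Explode: destination rewritten to the subnet broadcast address and sent
    # as a link-layer broadcast on the attached interface.
    return ("explode", {"iface": target,
                        "l3_dst": str(net.broadcast_address),
                        "l2_dst": "ff:ff:ff:ff:ff:ff"})
```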
Cisco NX-OS software supports glean throttling rate limiters to protect the supervisor from the glean traffic.
You can enable IP glean throttling.
Note We recommend that you configure the IP glean throttle feature by using the hardware ip glean throttle command to filter the unnecessary glean packets that are sent to the supervisor for ARP resolution for the next hops that are not reachable or do not exist. IP glean throttling boosts software performance and helps to manage traffic more efficiently.
Ensure that you are in the correct VDC (or use the switchto vdc command).
This example shows how to enable IP glean throttling:
switch(config)# hardware ip glean throttle
You can limit the maximum number of drop adjacencies that will be installed in the FIB.
Ensure that you are in the correct VDC (or use the switchto vdc command).
2. hardware ip glean throttle maximum count
Configures the number of drop adjacencies that will be installed in the FIB. The default value is 1000. The range is from 0 to 32767 entries.
This example shows how to limit the maximum number of drop adjacencies that will be installed in the FIB:
You can configure a timeout for the installed drop adjacencies to remain in the FIB.
Ensure that you are in the correct VDC (or use the switchto vdc command).
2. hardware ip glean throttle timeout timeout-in-sec
This example shows how to configure a timeout for the drop adjacencies that will be installed in the
switch(config)# hardware ip glean throttle maximum timeout 300
You can generate a syslog if the number of packets that get dropped for a specific flow exceeds the configured packet count.
Ensure that you are in the correct VDC (or use the switchto vdc command).
2. hardware ip glean throttle syslog pck-count
This example shows how to generate a syslog if the number of packets that get dropped for a specific flow exceeds the configured packet count:
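The following Python example is added here and is not NX-OS code. It models the glean-throttling behaviour described in this and the preceding sections: a packet to an unresolved next hop is punted to the supervisor and triggers an ARP request, a /32 drop adjacency is installed so later packets to that next hop are dropped in hardware, the number of drop adjacencies is capped (default 1000, range 0 to 32767) with excess traffic staying in software, drop adjacencies time out, and a syslog is raised once the drops for one flow exceed the configured count. Next-hop addresses, MAC addresses and the class and method names are constructed.

```python
from collections import defaultdict

class GleanThrottle:
    """Model of the glean-throttling behaviour described above (not NX-OS code).

    maximum:      cap on /32 drop adjacencies held in the FIB (default 1000,
                  range 0 to 32767 as in the guide)
    timeout:      seconds an unresolved drop adjacency stays installed
    syslog_count: per-flow dropped-packet count above which a syslog is raised
    """
    def __init__(self, maximum=1000, timeout=300, syslog_count=None):
        if not 0 <= maximum <= 32767:
            raise ValueError("maximum must be between 0 and 32767")
        self.maximum, self.timeout, self.syslog_count = maximum, timeout, syslog_count
        self.fib = {}                   # next hop -> {"kind": "drop"|"resolved", ...}
        self.punted = defaultdict(int)  # next hop -> packets sent to the supervisor
        self.drops = defaultdict(int)   # next hop -> packets dropped in hardware
        self.arp_requests = []
        self.syslogs = []

    def _expire(self, now):
        for nh, adj in list(self.fib.items()):
            if adj["kind"] == "drop" and now - adj["installed"] >= self.timeout:
                del self.fib[nh]        # timeout: stale drop adjacency removed

    def _drop_adjacencies(self):
        return sum(1 for adj in self.fib.values() if adj["kind"] == "drop")

    def forward(self, next_hop, now):
        """Return how the line card handles one packet toward next_hop."""
        self._expire(now)
        adj = self.fib.get(next_hop)
        if adj and adj["kind"] == "resolved":
            return "hardware"           # MAC known: forwarded in hardware
        if adj is None:
            # Unresolved next hop: punt to the supervisor (glean) and send an
            # ARP request. Install a /32 drop adjacency so later packets to the
            # same next hop do not reach the supervisor, unless the cap is hit,
            # in which case they keep being processed in software.
            self.punted[next_hop] += 1
            self.arp_requests.append(next_hop)
            if self._drop_adjacencies() < self.maximum:
                self.fib[next_hop] = {"kind": "drop", "installed": now}
            return "glean"
        self.drops[next_hop] += 1       # drop adjacency present: dropped in hardware
        if self.syslog_count is not None and self.drops[next_hop] == self.syslog_count + 1:
            self.syslogs.append(f"glean throttle: drops toward {next_hop} exceeded {self.syslog_count}")
        return "dropped"

    def arp_resolved(self, next_hop, mac):
        """ARP reply received: replace the drop adjacency with the real MAC."""
        self.fib[next_hop] = {"kind": "resolved", "mac": mac}
```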
To display the IPv4 configuration information, perform one of the following tasks:
This example shows how to configure an IPv4 address:
See the Basic Parameters chapter in the Interfaces Configuration Guide, Cisco DCNM for LAN, Release 6.x, for information on IP address fields.
For additional information related to implementing IP, see the following sections:
Cisco Nexus 7000 Series NX-OS Unicast Routing Command Reference
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Table 2-2 lists the release history for this feature.