Initial Configuration
This chapter provides Cisco NX-OS best practices that are typically configured when a Cisco Nexus 7000 Series switch is powered up for the first time and the user is connected to the RS-232 console port on the active supervisor module.
This chapter includes the following sections:
• Setup Utility (First Time Setup)
• Global Configuration Parameters
• Power Budget
• Cisco NX-OS Licensing
Setup Utility (First Time Setup)
Introduced: Cisco NX-OS Release 4.0(1)
The Setup Utility is automatically executed when a Cisco Nexus 7000 chassis is powered up for the first time, or if the configuration is erased with the write erase command and the chassis is reloaded. (The Setup Utility can also be manually executed at any time using the setup Exec command.) The Setup Utility was created to assist the administrator with some initial configuration parameters, but it is not required and can be bypassed if the administrator chooses to do so. The following tables contain the parameters that can be configured using the Setup Utility. If the Setup Utility is bypassed, the value in the Default Value column will be automatically configured. The Initial Startup Parameters are always required.
Table 2-1 Required Initial Startup Parameters
Initial Startup Parameter (Required) | Default Value
Enforce Secure Password Standard | yes
Admin Password | no default
Table 2-2 Optional Startup Utility
Startup Utility (Optional) | Default Value
Create another login account | no
Configure read-only SNMP community string | no
Configure read-write SNMP community string | no
Enter switch name | no default
Enable License Grace Period | no
Out-of-band (mgmt0) management configuration | yes
Mgmt0 IPv4 address | no default
Mgmt0 IPv4 netmask | no default
Configure the default gateway | yes
IPv4 address of the default gateway | no default
Configure advanced IP options | no
Enable Telnet service | no
Enable SSH service | yes
Type of SSH Key (dsa/rsa) | RSA
Number of RSA Key bits | 1024
Configure the NTP server | no
Configure the Default Interface Layer (L3/L2) | L3
Configure the default switchport interface state (shut/no shut) | shutdown
Configure best practices CoPP profile (strict/moderate/lenient/none) | strict
Configure CMP processor on current sup (Slot 5) | yes
CMP IPv4 address | no default
IPv4 address of the default gateway | no default
Configure CMP processor on current sup (Slot 6) | yes
CMP IPv4 address | no default
IPv4 address of the default gateway | no default
Global Configuration Parameters
This section provides Cisco NX-OS best practices that are recommended when configuring global parameters related to general system management.
Terminal CLI Access (SSHv2)
Introduced: Cisco NX-OS Release 4.0(1)
Cisco NX-OS software supports SSHv2 and Telnet for remote terminal CLI access. SSHv2 is enabled by default and is preferred because it encrypts the session. If SSHv2 is disabled, it can be enabled with the feature ssh command. (The feature ssh command is not displayed in the running-configuration when it is enabled.) SSHv2 uses a 1024-bit RSA key by default. The ssh key command can be used to create a new or stronger RSA/DSA key. If a key is already configured, the force option can be used to overwrite the existing key.
n7000(config)# feature ssh
n7000(config)# ssh key rsa 2048
Note: In Cisco NX-OS Release 4.0(1), SSHv2 was enabled with the service ssh command. It was changed to feature ssh in Cisco NX-OS Release 4.1(2).
Hostname
Introduced: Cisco NX-OS Release 4.0(1)
A recognizable hostname should be configured to identify the Cisco Nexus 7000 Series device when administrators access the CLI. If Virtual Device Contexts (VDCs) are configured, a unique hostname should be configured per VDC.
n7000(config)# hostname N7K-1-Core-L3
Boot Variables
Introduced: Cisco NX-OS Release 4.0(1)
Boot variables specify what version of Cisco NX-OS software boots after a system has been reloaded. The boot variables should always be configured to ensure the expected version of Cisco NX-OS software is booted if an unplanned chassis reload occurs. A kickstart and system image are required to properly boot a Cisco Nexus 7000 Series switch. (The image version numbers have to match.) Cisco NX-OS images can be booted from bootflash: or slot0: (bootflash: is recommended since the memory cannot be removed from the supervisor module). In the following example, Cisco NX-OS Release 5.1(1) kickstart and system boot variables are configured for both supervisor modules in the chassis (default behavior) since the sup-1 and sup-2 options have been omitted.
n7000(config)# boot kickstart bootflash:n7000-s1-kickstart.5.1.1.bin
n7000(config)# boot system bootflash:n7000-s1-dk9.5.1.1.bin
MOTD Login Banner
Introduced: Cisco NX-OS Release 4.0(1)
A Message Of The Day (MOTD) login banner is recommended to notify users they are attempting to log into a device. This banner will be displayed prior to the user authentication process and serves as a warning to deter unauthorized users from attempting to log in. The end delimiter character cannot be used within the contents of the banner. The following example uses a capital Z. (Production devices should have a more detailed disclaimer.)
n7000(config)# banner motd Z
Enter TEXT message. End with the character 'Z'.
> Authorized Access Only!
> Z
Password Strength-Check
Introduced: Cisco NX-OS Release 4.1(2)
The Password Strength-Check feature is enabled by default to force users to configure secure passwords when configuring users in the local database for authentication. We recommend that you keep the Password Strength-Check feature enabled. If it is disabled, it can be enabled with the following global configuration command.
n7000(config)# password strength-check
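The global settings recommended in this section can be checked against a saved running-config. The following Python audit is an added example, not Cisco code: the function name, finding labels and sample configurations are constructed here, and the `feature telnet` and `no ...` spellings are assumed forms of how those settings appear in a running-configuration. Because `feature ssh` is not displayed when enabled, only its negated form is treated as SSH being off.

```python
import re

BOOT_RE = re.compile(
    r"^boot (kickstart|system) (bootflash|slot0):\S*?\.(\d[\w.]*)\.bin", re.M)
# (finding, pattern, raised-if-present); 'feature telnet' and 'no' forms are assumed.
LINE_CHECKS = [
    ("ssh-disabled", r"^no feature ssh$", True),
    ("telnet-enabled", r"^feature telnet$", True),
    ("password-strength-check-disabled", r"^no password strength-check$", True),
    ("hostname-not-set", r"^hostname \S+", False),
    ("motd-banner-missing", r"^banner motd ", False),
]

def audit(config):
    """Return findings for the global settings this section recommends."""
    text = "\n".join(ln.strip() for ln in config.splitlines())
    findings = [name for name, pattern, bad_if_present in LINE_CHECKS
                if bool(re.search(pattern, text, re.M)) == bad_if_present]
    # No 'ssh key rsa' line means the 1024-bit default key is still in use.
    key = re.search(r"^ssh key rsa (\d+)", text, re.M)
    if (int(key.group(1)) if key else 1024) < 2048:
        findings.append("ssh-rsa-key-below-2048")
    # Kickstart and system must both be set and carry the same version.
    boot = {"kickstart": set(), "system": set()}
    for kind, device, version in BOOT_RE.findall(text):
        boot[kind].add(version)
        if device == "slot0":  # bootflash: is recommended (not removable)
            findings.append(f"boot-{kind}-on-slot0")
    if not boot["kickstart"] or not boot["system"]:
        findings.append("boot-variable-missing")
    elif boot["kickstart"] != boot["system"]:
        findings.append("boot-version-mismatch")
    return findings

# Constructed running-config fragments (not captured from a device).
HARDENED = """hostname N7K-1-Core-L3
ssh key rsa 2048
boot kickstart bootflash:n7000-s1-kickstart.5.1.1.bin
boot system bootflash:n7000-s1-dk9.5.1.1.bin
banner motd Z
"""
DRIFTED = """feature telnet
no password strength-check
boot kickstart bootflash:n7000-s1-kickstart.5.1.1.bin
boot system slot0:n7000-s1-dk9.5.0.2a.bin
"""

if __name__ == "__main__":
    print(audit(HARDENED), audit(DRIFTED))
```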
Power Budget
Introduced: Cisco NX-OS Release 4.0(1)
The power budget can be monitored and managed using the show environment power command. Cisco NX-OS Release 5.0(2a) introduced real-time power draw for the fan trays and all I/O modules released in Cisco NX-OS Release 5.x software. The configured power redundancy mode determines how the available power is allocated. (See the next section for details on the power redundancy mode.)
n7000# show environment power
Supply Model Output Capacity Status
------- ------------------- ----------- ----------- --------------
1 N7K-AC-6.0KW 786 W 6000 W Ok
2 N7K-AC-6.0KW 830 W 6000 W Ok
3 ------------ 0 W 0 W Absent
Module Model Draw Allocated Status
------- ------------------- ----------- ----------- --------------
3 N7K-M108X2-12L 395 W 650 W Powered-Up
4 N7K-M108X2-12L 382 W 650 W Powered-Up
5 N7K-SUP1 N/A 210 W Powered-Up
6 N7K-SUP1 N/A 210 W Powered-Up
Xb1 N7K-C7010-FAB-1 N/A 60 W Powered-Up
Xb2 N7K-C7010-FAB-1 N/A 60 W Powered-Up
Xb3 N7K-C7010-FAB-1 N/A 60 W Powered-Up
Xb4 N7K-C7010-FAB-1 N/A 60 W Powered-Up
Xb5 N7K-C7010-FAB-1 N/A 60 W Powered-Up
fan1 N7K-C7010-FAN-S 116 W 720 W Powered-Up
fan2 N7K-C7010-FAN-S 116 W 720 W Powered-Up
fan3 N7K-C7010-FAN-F 11 W 120 W Powered-Up
fan4 N7K-C7010-FAN-F 11 W 120 W Powered-Up
N/A - Per module power not available
Power Supply redundancy mode (configured) Redundant
Power Supply redundancy mode (operational) Redundant
Total Power Capacity (based on configured mode) 6000 W
Total Power of all Inputs (cumulative) 12000 W
Total Power Output (actual draw) 1616 W
Power Redundancy Mode
Introduced: Cisco NX-OS Release 4.0(1)
The recommended power redundancy mode will vary per Cisco Nexus 7000 Series chassis depending on the number of power supplies and the number of inputs and associated input voltage (110v/220v). Each redundancy mode provides different power allocations to allow the administrator to select the mode that is best suited for their installation. The default mode is ps-redundant, which is recommended for most installations. Use caution when configuring combined mode, since power redundancy will not be available for the chassis.
Table 2-3 Power Redundancy Mode
combined | This mode does not provide power redundancy for the chassis - All input power is available to the chassis. (Power is not reserved for backup as with the other modes.)
insrc-redundant | Input Source (GRID) Redundancy - The available power is based on the lesser of the two grids through the power supplies. The difference (50%) is reserved for backup.
ps-redundant | Power Supply Redundancy - Provides an extra power supply in the event one fails or is removed from the chassis.
redundant | Input Source (GRID) + Power Supply Redundancy - The available power is the lesser of the available power for the power supply mode and input source voltage. The difference (50%) is reserved for backup.
n7000(config)# power redundancy-mode redundant
Powering Off Unused I/O and Fabric Modules
Introduced: Cisco NX-OS Release 4.0(1)
We recommend that you power off all I/O (Ethernet) and fabric modules that are not in use to reduce unnecessary power draw. We also recommend that you power off all I/O and fabric module slots that do not have a module installed, to give the administrator control when powering them up. This reduces risk by preventing newly installed modules from powering up outside of a change control window.
n7000(config)# poweroff module 1
n7000(config)# poweroff xbar 4
n7000(config)# poweroff module 3
NOTICE: module <3> status is either absent or not powered up (or denied)... Proceeding anyway
Cisco NX-OS Licensing
This section contains a brief explanation of the Cisco NX-OS licensing model and installation procedure. Always install all required licenses to avoid unnecessary network outages that can occur if a licensed feature is enabled and the grace period expires.
Installation Process
Introduced: Cisco NX-OS Release 4.0(1)
The Cisco NX-OS licensing model allows features to be enabled on a pay as you grow basis. When you purchase a Cisco NX-OS license, you obtain a license file based on the chassis host ID that gets installed on a specific chassis. (Cisco NX-OS software allows Layer-2 connectivity with basic Layer-3 functionality by default.) If you do not have a license for a specific feature, a 120-day grace period can be enabled using the global license grace-period configuration command. (The grace period is not recommended for production networks.) After 120 days, all features that are enabled that require a license that is not installed on the chassis are automatically removed from the running-configuration.
See the latest Cisco Nexus 7000 Series Licensing Configuration Guide for a list of features that are included with each license type.
When two supervisor modules are installed in a chassis, the chassis is the only component that requires a new license to be reissued and reinstalled if it is replaced. All other components including a supervisor module can be replaced without having to reissue or reinstall the license. If only one supervisor module is installed in a chassis, a new license will have to be reinstalled from a backup copy if the supervisor module or the chassis is replaced.
Licenses are installed per chassis in the default VDC (1). Installing a license is a non-disruptive procedure.
Summary Installation Steps:
1. Obtain the chassis host ID, which is used to generate the license, by entering the show license host-id command.
2. Locate the Product Authorization Key (PAK) and go to the Product License Registration web page on cisco.com.
3. Follow the instructions to generate the license file and download it.
4. Transfer the license file to the Cisco Nexus 7000 Series supervisor module (i.e. bootflash: or slot0:).
5. Install the license using the following install license Exec command.
n7000# install license bootflash:license_file.lic
Installing license ..done
Verifying the License Status
Introduced: Cisco NX-OS Release 4.0(1)
The Cisco NX-OS license status can be verified using the following command.
n7000# show license usage
Feature Ins Lic Status Expiry Date Comments
--------------------------------------------------------------------------------
SCALABLE_SERVICES_PKG No - Unused -
TRANSPORT_SERVICES_PKG No - Unused -
LAN_ADVANCED_SERVICES_PKG No - Unused -
LAN_ENTERPRISE_SERVICES_PKG No - Unused -
--------------------------------------------------------------------------------
Backing Up a License File
Introduced: Cisco NX-OS Release 4.0(1)
You should always keep your license files in a safe location in the event they have to be reinstalled. If you don't have a license file for a particular chassis, you can create a backup copy for the chassis if it already has the license installed. Once the backup file is created, it should be transferred to a safe location.
n7000# copy licenses bootflash:license_file.tar