2. Nexus 1000v IGMP snooping
www.silantia.com2
The Nexus 1000v VEM can snoop the IGMP conversation between a
VM adapter and the router (default gateway).
The Nexus 1000v is a full IGMP snooping bridge, but it cannot
perform the IGMP querier job.
ip igmp snooping ! Enables at global level
vlan 200
ip igmp snooping ! Enables per vlan IGMP snooping
ip igmp snooping explicit-tracking
ip igmp snooping mrouter interface ethernet 2/1
! vEths are not supported as router ports
ip igmp snooping static-group 230.0.0.1 interface vethernet 21
show ip igmp snooping vlan 200
3. Nexus 1000v Layer 2 Security feature
Works exactly like the Layer 2 security features in physical
switches.
The security features require the Nexus 1000v Advanced License.
Layer 2 security is important in a Virtual Desktop Infrastructure
type of environment, where each virtual machine is a user
desktop.
Unmanaged VMs can bring down the whole Layer 2 network if
it is not protected at the VEM level.
4. Nexus 1000v Port-security
MAC-to-Port Mapping
Don't allow any MAC addresses other than those
mapped to pass traffic.
Static = Static MAC-to-Port mapping.
Dynamic = Learn the MAC, map it to the port, then don't
allow anyone ELSE.
Can also age this dynamic mapping out.
Sticky = Same as dynamic, but the mapping is stored on the VSM.
Violations
Shutdown = Shuts the port down. Simple, done.
Restrict = Drops traffic from any other MAC addresses.
Protect = Basically drops traffic from any other MACs like
Restrict, but first it learns the MAC of the 1st violator and logs
it (still dropping its traffic too) and doesn't learn any other
violators' MACs.
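The mapping modes and the three violation actions above, modelled as an added example (not Nexus 1000v code); the port names and MAC addresses are constructed, and the model follows the slide's description of Protect (first violator learned and logged, all violators dropped).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                      # secure MACs allowed on the port
    violation: str = "shutdown"           # shutdown | restrict | protect
    static: Set[str] = field(default_factory=set)   # static MAC-to-port mapping
    learned: Set[str] = field(default_factory=set)  # dynamic / sticky mapping
    errdisabled: bool = False
    log: List[str] = field(default_factory=list)
    first_violator: Optional[str] = None  # protect mode remembers only this one

    def ingress(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for a frame arriving from src_mac."""
        if self.errdisabled:
            return "drop"
        if src_mac in self.static or src_mac in self.learned:
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)     # learn the MAC and map it to the port
            return "forward"
        # Violation: an unmapped MAC while the port's mapping is already full.
        if self.violation == "shutdown":
            self.errdisabled = True       # port goes error-disabled
            self.log.append(f"{self.name}: shutdown, violator {src_mac}")
        elif self.violation == "protect" and self.first_violator is None:
            self.first_violator = src_mac  # learned and logged, traffic still dropped
            self.log.append(f"{self.name}: violation by {src_mac}")
        # restrict: drop silently; protect after the first violator: drop, no learning
        return "drop"

    def age_out(self, mac: str) -> None:
        """Dynamic mappings can age out; static mappings stay."""
        self.learned.discard(mac)
```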
5. Nexus 1000v Port-security
You can configure port security only on Layer 2 interfaces
Details about port security and different types of interfaces or
ports are as follows:
Access ports
You can configure port security on interfaces that you have
configured as Layer 2 access ports
On an access port, port security applies only to the access VLAN
Trunk ports
You can configure port security on interfaces that you have
configured as Layer 2 trunk ports
The device allows VLAN maximums only for VLANs associated with
the trunk port
SPAN ports
You can configure port security on SPAN source ports but not on
SPAN destination ports
6. Nexus 1000v DHCP snooping
DHCP snooping functions like a firewall between
untrusted hosts and trusted DHCP servers by doing the
following:
Validates DHCP messages received from untrusted sources
and filters out invalid response messages from DHCP
servers.
Builds and maintains the DHCP snooping binding database,
which contains information about untrusted hosts with leased
IP addresses.
Uses the DHCP snooping binding database to validate
subsequent requests from untrusted hosts.
Dynamic ARP Inspection (DAI) and IP Source Guard
also use information stored in the DHCP snooping
binding database.
When you enable DHCP snooping, by default, all
vEthernet (vEth) ports are untrusted and all Ethernet
7. Nexus 1000v DHCP snooping
DHCP operations are categorized into four basic phases:
IP Discovery
IP Lease Offer
IP Request
IP Lease Acknowledgement
Only DHCP messages that come from a server that is connected to a
trusted port are accepted.
Any DHCP message to UDP port 68 (server-to-client data) that is
received on an untrusted port is dropped. The Nexus 1000v VEM
builds and maintains the DHCP snooping binding database, which
contains information about clients with leased IP addresses, and
uses the DHCP snooping binding database to validate subsequent
requests from clients.
8. Nexus 1000v DHCP snooping
Configuration
Enable the DHCP feature.
feature dhcp
Enable DHCP snooping globally.
ip dhcp snooping
Enable DHCP snooping on at least one VLAN. By default,
DHCP snooping is disabled on all VLANs.
ip dhcp snooping vlan vlan-list
Ensure that the DHCP server is connected to the device using a trusted
interface.
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip dhcp snooping trust
Configuring the rate limit for DHCP packets
N1KV-VSM(config-if)# [no] ip dhcp snooping limit rate rate
9. Nexus 1000v DHCP snooping
Configuration
Error disable detection and recovery
errdisable detect cause dhcp-rate-limit
Enables DHCP error-disabled detection.
errdisable recovery cause dhcp-rate-limit
Enables DHCP error-disabled recovery.
errdisable recovery interval time interval
Sets the DHCP error-disabled recovery interval, where time interval is
the number of seconds from 30 to 65535.
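The behaviour configured on the DHCP snooping slides, as an added example that is not Nexus 1000v code: server messages (UDP destination port 68) are dropped on untrusted ports, the client MAC is checked against chaddr, an ACK from the trusted server port creates a binding entry for the client's port, and an untrusted port exceeding its rate limit is error-disabled. Interface names, MACs and addresses are constructed.

```python
from collections import defaultdict

SERVER_TO_CLIENT_PORT = 68   # server -> client DHCP data is addressed to UDP 68

class DhcpSnooper:
    def __init__(self, trusted, rate_limit):
        self.trusted = set(trusted)      # ports facing the real DHCP server
        self.rate_limit = rate_limit     # iface -> pps; absent means unlimited
        self.bindings = {}               # (vlan, ip) -> (mac, client iface)
        self.pending = {}                # (vlan, chaddr) -> iface of the request
        self.errdisabled = set()
        self.counts = defaultdict(int)   # (iface, second) -> packets seen
        self.stats = defaultdict(int)

    def process(self, pkt):
        """pkt: dict with iface, vlan, second, udp_dport, src_mac, chaddr,
        msg_type and, for OFFER/ACK, yiaddr. Returns 'forward' or 'drop'."""
        iface = pkt["iface"]
        if iface in self.errdisabled:
            return self._drop("interface error-disabled")
        if iface not in self.trusted:
            key = (iface, pkt["second"])
            self.counts[key] += 1
            if self.counts[key] > self.rate_limit.get(iface, float("inf")):
                self.errdisabled.add(iface)   # errdisable detect cause dhcp-rate-limit
                return self._drop("rate limit exceeded")
            if pkt["udp_dport"] == SERVER_TO_CLIENT_PORT:
                return self._drop("server message on untrusted port")
            if pkt["src_mac"] != pkt["chaddr"]:
                return self._drop("MAC address check failure")
            # Remember which untrusted port the client request came from.
            self.pending[(pkt["vlan"], pkt["chaddr"])] = iface
        elif pkt["msg_type"] == "ACK":
            # A lease granted by the trusted server becomes a binding entry
            # for the client port that sent the request (if one was seen).
            client = self.pending.get((pkt["vlan"], pkt["chaddr"]))
            if client is not None:
                self.bindings[(pkt["vlan"], pkt["yiaddr"])] = (pkt["chaddr"], client)
        self.stats["forwarded"] += 1
        return "forward"

    def _drop(self, reason):
        self.stats["dropped: " + reason] += 1
        return "drop"
```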
10. Nexus 1000v DHCP snooping
Verification
N1KV-VSM# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
100,200,250-252
DHCP snooping is operational on the following VLANs:
100,200,250-252
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface     Trusted   Pkt Limit
------------  -------   ---------
Vethernet1    No        Unlimited
Vethernet2    No        Unlimited
Vethernet3    Yes       15
Vethernet4    No        Unlimited
Vethernet5    No        Unlimited
11. Nexus 1000v DHCP snooping
Verification
N1KV-VSM# show ip dhcp snooping statistics
Packets processed 0
Packets forwarded 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to service dhcp not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0
12. Nexus 1000v Dynamic ARP inspection
DAI ensures that only valid ARP requests and responses are
relayed by intercepting all ARP requests and responses on
untrusted ports and verifying that each of these intercepted
packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet
to the appropriate destination.
DAI depends on the entries in the DHCP snooping binding
database to verify IP-to-MAC address bindings in incoming
ARP requests and ARP responses.
DAI is supported on vEthernet interfaces and private VLAN
ports.
13. Nexus 1000v Dynamic ARP inspection
Configuration:
N1KV-VSM(config)# ip arp inspection vlan #
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip arp inspection trust
Verification
switch# show ip arp inspection interfaces vethernet 3
Interface      Trust State   Pkt Limit   Burst Interval
-------------  -----------   ---------   --------------
Vethernet9     Untrusted     30          5
14. Nexus 1000v Dynamic ARP inspection
Rate limiting
ip arp inspection limit {rate pps [burst interval bint] | none}
Configures the specified ARP inspection limit on the
interface or the port profile as follows:
rate—Specifies that allowable values are between 1 and 2048
packets per second (pps).
The untrusted interface default is 15 packets per second.
The trusted interface default is 15 packets per second.
burst interval—Specifies that allowable values are between 1
and 15 seconds (the default is 5 seconds).
none—Specifies an unlimited number of packets per second.
15. Nexus 1000v Dynamic ARP inspection
Can enable additional validation checks
ip arp inspection validate ?
src-mac: Checks the source MAC address in the Ethernet header against the
sender MAC address in the ARP body for ARP requests and responses
dst-mac: Checks the destination MAC address in the Ethernet header against
the target MAC address in the ARP body for ARP responses
ip: Checks the ARP body for invalid and unexpected IP addresses. Addresses
include 0.0.0.0, 255.255.255.255, and all IP multicast addresses
arp access-list UNK-SW
permit ip host 10.0.0.1 mac host 0000.0000.0001
ip arp inspection filter UNK-SW vlan 10
Error disable
A port may go into error-disable when ARP inspection is violated.
N1KV-VSM(config)# errdisable detect cause arp-inspection
N1KV-VSM(config)# errdisable recovery cause arp-inspection
You can shut / no shut the port, or configure error-disable recovery to recover automatically.
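The DAI decision for an untrusted vEthernet port as described on the DAI slides, as an added example (not Nexus 1000v code): the src-mac, dst-mac and ip validation checks, the UNK-SW ARP access-list applied to VLAN 10, and finally the IP-to-MAC lookup in the DHCP snooping binding database. The binding entry and the packet fields are constructed.

```python
import ipaddress

# Constructed sample of the DHCP snooping binding database: (vlan, ip) -> mac.
BINDINGS = {(10, "10.0.0.5"): "0050.5682.563e"}
# 'arp access-list UNK-SW' from the slide: permit ip host 10.0.0.1 mac host 0000.0000.0001
ARP_ACL = {"UNK-SW": [("10.0.0.1", "0000.0000.0001")]}
FILTERS = {10: "UNK-SW"}                  # ip arp inspection filter UNK-SW vlan 10
VALIDATE = {"src-mac", "dst-mac", "ip"}   # ip arp inspection validate ...

def _bad_ip(ip):
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and multicast are never valid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def inspect_arp(pkt, trusted=False):
    """pkt: dict with vlan, eth_src, eth_dst, op ('request'|'reply'), sender_ip,
    sender_mac, target_ip, target_mac. Returns (verdict, reason)."""
    if trusted:
        return ("forward", "trusted port")      # DAI intercepts untrusted ports only
    if "src-mac" in VALIDATE and pkt["eth_src"] != pkt["sender_mac"]:
        return ("drop", "src-mac mismatch")
    if ("dst-mac" in VALIDATE and pkt["op"] == "reply"
            and pkt["eth_dst"] != pkt["target_mac"]):
        return ("drop", "dst-mac mismatch")
    if "ip" in VALIDATE and (_bad_ip(pkt["sender_ip"])
                             or (pkt["op"] == "reply" and _bad_ip(pkt["target_ip"]))):
        return ("drop", "invalid ip")
    vlan = pkt["vlan"]
    # Static ARP ACL entries for the VLAN are consulted first, then the bindings.
    for ip, mac in ARP_ACL.get(FILTERS.get(vlan), []):
        if (pkt["sender_ip"], pkt["sender_mac"]) == (ip, mac):
            return ("forward", "arp acl")
    if BINDINGS.get((vlan, pkt["sender_ip"])) == pkt["sender_mac"]:
        return ("forward", "dhcp binding")
    return ("drop", "no ip-to-mac binding")
```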
16. Nexus 1000v IP Source Guard
IP SG is a per-interface traffic filter that permits IP traffic only
when the IP address and MAC address of each packet
match one of two sources of IP and MAC address bindings:
Entries in the DHCP snooping binding table.
Static IP source entries that you configure.
You can enable IP Source Guard on Layer 2 interfaces that
are not trusted by DHCP snooping.
When you initially enable IP Source Guard, all inbound IP
traffic on the interface is blocked except for the following:
DHCP packets, which DHCP snooping inspects and then forwards or
drops, depending upon the results of inspecting the packet.
IP traffic from a source whose static IP entries are configured in the
Cisco Nexus 1000V.
17. Nexus 1000v IP Source Guard
Configuration: (can be done under port-profile)
N1KV-VSM(config)# interface vethernet 31
N1KV-VSM(config-if)# ip verify source dhcp-snooping-vlan
Verification:
switch (config-if)# show ip verify source interface vethernet 3
Filter Mode(for static bindings): IP-MAC
IP source guard is enabled on this interface.
Interface    Filter-mode   IP-address     Mac-address         Vlan
----------   -----------   ------------   -----------------   ----
Vethernet3   active        1.182.56.137   00:50:56:82:56:3e   1053
Adding a static entry for IP SG.
N1KV-VSM(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface vethernet 3
19. Nexus 1000v ACL
Two types of ACLs are supported in Nexus 1000v:
IP ACL – Applied only to IP traffic
MAC ACL – Applied only to non-IP traffic
Order of ACL application:
Ingress port ACL
Egress port ACL
MAC ACL supports the following additional filtering options:
Layer 3 protocol
VLAN ID
Class of Service (CoS)
20. Nexus 1000v IP ACL
IP ACL supports the following additional filtering options:
Layer 4 protocol
TCP and UDP ports
ICMP types and codes
IGMP types
Precedence level
Differentiated Services Code Point (DSCP) value
TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
All ACLs are configured via the CLI on the VSM; when ACLs are
applied to a port-profile or a vEth/Ethernet port, they are processed
at the VEM level.
21. Nexus 1000v IP ACL
Configuration example:
ip access-list DENY_OSPF
10 deny ip any 224.0.0.5/32
20 deny ip any 224.0.0.6/32
30 permit ip any any
ip access-list DENY_TELNET
10 deny tcp any 150.10.2.1/32 eq telnet
20 permit ip any any
port-profile type veth SERVERFARM1
ip access-group DENY_TELNET in
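First-match evaluation of the two IP ACLs from the configuration example above, with the implicit deny at the end of every list, as an added example (not Nexus 1000v code). The entries are transcribed from the slide; the sample packets are constructed.

```python
import ipaddress

TCP_PORTS = {"telnet": 23}          # named port used by the DENY_TELNET entry
ACLS = {   # (seq, action, protocol, source, destination, 'eq' port) from the slide
    "DENY_OSPF": [(10, "deny", "ip", "any", "224.0.0.5/32", None),
                  (20, "deny", "ip", "any", "224.0.0.6/32", None),
                  (30, "permit", "ip", "any", "any", None)],
    "DENY_TELNET": [(10, "deny", "tcp", "any", "150.10.2.1/32", "telnet"),
                    (20, "permit", "ip", "any", "any", None)],
}

def _match_addr(spec, ip):
    """'any' matches everything; otherwise the address must lie in the prefix."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(acl_name, pkt):
    """pkt: dict with proto ('tcp'|'udp'|'ospf'|...), src, dst and optional dport.
    Returns (action, seq) of the first matching entry, or ('deny', None)."""
    for seq, action, proto, src, dst, eq in sorted(ACLS[acl_name], key=lambda e: e[0]):
        if proto != "ip" and proto != pkt["proto"]:   # 'ip' matches any IP protocol
            continue
        if not (_match_addr(src, pkt["src"]) and _match_addr(dst, pkt["dst"])):
            continue
        if eq is not None and pkt.get("dport") != TCP_PORTS[eq]:
            continue
        return (action, seq)
    return ("deny", None)   # implicit deny at the end of every IP ACL
```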
22. Nexus 1000v Private VLANs
Private VLANs partition a regular VLAN domain into
subdomains and can have multiple VLAN pairs.
All VLAN pairs in a private VLAN share the same primary
VLAN; the secondary VLAN ID differentiates one
subdomain from another.
All members in the private VLAN share a common address
space, which is allocated to the primary VLAN.
Private VLANs can span multiple switches. A trunk port
(the uplink ports, in the case of the Nexus 1000v) carries the
primary VLAN and secondary VLANs to a neighboring switch.
23. Nexus 1000v Private Vlans
Enable private VLAN and configure primary and secondary VLANs
feature private-vlan
vlan 153
private-vlan primary
private-vlan association 154-155
vlan 154
private-vlan community
vlan 155
private-vlan isolated
24. Nexus 1000v Private Vlans
! Private vlan configured on port-profile
port-profile type vethernet pv154
vmware port-group
switchport mode private-vlan host
switchport private-vlan host-association 153 154
no shutdown
state enabled
! You can configure private vlan on Veth port itself.
port-profile type vethernet pv155
vmware port-group
switchport mode private-vlan host
switchport private-vlan host-association 153 155
no shutdown
state enabled
!
25. Nexus 1000v Private Vlans
Create uplink port-profile carrying private vlans.
port-profile type ethernet pcpvtrunk
vmware port-group
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 153 154-155
switchport private-vlan trunk allowed vlan 153-155
channel-group auto mode on mac-pinning
no shutdown
state enabled
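The forwarding rule that the private-VLAN configuration on the last three slides produces (primary 153, community 154, isolated 155, promiscuous uplink trunk), as an added example that is not Nexus 1000v code. The vEthernet port inventory is constructed; the VLAN numbers and port-profile names are the slides' own.

```python
PRIMARY = 153
SECONDARY = {154: "community", 155: "isolated"}   # private-vlan association 154-155

# Constructed port inventory: host ports from the pv154 / pv155 port-profiles
# (switchport private-vlan host-association), the uplink from pcpvtrunk.
PORTS = {
    "Vethernet1": ("host", 154), "Vethernet2": ("host", 154),
    "Vethernet3": ("host", 155), "Vethernet4": ("host", 155),
    "Ethernet2/1": ("promiscuous", PRIMARY),   # private-vlan mapping trunk 153 154-155
}

def can_forward(src, dst):
    """True if a frame entering on port src may be delivered to port dst.
    Every host port sits in a secondary VLAN whose type decides what it reaches;
    the promiscuous uplink reaches everything mapped under primary 153."""
    if src == dst:
        return False
    s_kind, s_vlan = PORTS[src]
    d_kind, d_vlan = PORTS[dst]
    if s_kind == "promiscuous" or d_kind == "promiscuous":
        return True
    if SECONDARY[s_vlan] == "isolated" or SECONDARY[d_vlan] == "isolated":
        return False          # isolated hosts talk only to the promiscuous port
    return s_vlan == d_vlan   # community hosts talk within the same community

def reachable(src):
    """Sorted list of ports a frame from src can reach within the private VLAN."""
    return sorted(d for d in PORTS if can_forward(src, d))
```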