Nexus 1000v
www.silantia.com
- IGMP Snooping
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IP Source Guard
- Port Security
- Access Control Lists (ACL)
- Private VLANs (PVLAN)
Nexus 1000v IGMP snooping
- The Nexus 1000v VEM can snoop the IGMP conversation between a VM adapter and the router (default gateway).
- The Nexus 1000v is a full IGMP snooping bridge, but it cannot act as the IGMP querier; an upstream router or switch has to send the queries, otherwise group memberships time out and multicast is flooded.
ip igmp snooping                                  ! Enables IGMP snooping globally
vlan 200
  ip igmp snooping                                ! Enables IGMP snooping on this VLAN
  ip igmp snooping explicit-tracking
  ip igmp snooping mrouter interface ethernet 2/1
  ! vEths are not supported as multicast router ports
  ip igmp snooping static-group 230.0.0.1 interface vethernet 21
show ip igmp snooping vlan 200
Nexus 1000v Layer 2 security features
- They work the same way as the Layer 2 security features on physical Cisco switches.
- DHCP snooping, DAI and IP Source Guard require the Nexus 1000v Advanced edition license.
- Layer 2 security matters most in Virtual Desktop Infrastructure (VDI) environments, where each virtual machine is a user desktop and the user can run whatever they like inside it.
- An unmanaged VM can bring down the whole Layer 2 network (rogue DHCP, ARP poisoning, MAC flooding) if it is not contained at the VEM level, before its traffic reaches the uplinks.
Nexus 1000v Port-security
- MAC-to-port mapping: only the MAC addresses mapped to a port may pass traffic; a frame from any other source MAC is a violation.
  - Static = a statically configured MAC-to-port mapping.
  - Dynamic = the VEM learns the MAC, maps it to the port, and then allows no other source MAC. Dynamic mappings can be aged out.
  - Sticky = the same as dynamic, but the learned mapping is stored in the configuration on the VSM, so it survives a port flap or reload.
- Violations
  - Shutdown = error-disables the port. Simple, done.
  - Restrict = drops traffic from any other MAC address.
  - Protect = drops traffic from any other MAC like Restrict, but first learns the MAC of the first violator and logs it (its traffic is still dropped); no further violators' MACs are learned.
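To see how the three violation modes actually differ, the Python model below (an added example, not Nexus 1000v code) runs the same constructed frames through a port in each mode. The port name, the MAC addresses and the config lines returned by running_config() are illustrative assumptions; only the behaviour (learn, drop, errdisable, sticky entries surviving aging) follows the description above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurePort:
    """One Layer 2 port with port security enabled (simplified model)."""
    name: str
    maximum: int = 1                  # secure MACs allowed on the port
    violation: str = "shutdown"       # shutdown | restrict | protect
    sticky: bool = False              # learned MACs are written to the config
    static: Set[str] = field(default_factory=set)
    learned: Dict[str, str] = field(default_factory=dict)  # mac -> dynamic|sticky
    errdisabled: bool = False
    violations: int = 0
    first_violator: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        return self.static | set(self.learned)

    def ingress(self, src_mac: str) -> str:
        """Process one ingress frame; returns forward, drop or errdisable."""
        mac = src_mac.lower()
        if self.errdisabled:
            return "errdisable"
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            # A free slot: learn the address (dynamic or sticky) and forward.
            self.learned[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # All secure slots are taken, so this source MAC is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True
            self.log.append(f"{self.name}: errdisabled, offending MAC {mac}")
            return "errdisable"
        if self.violation == "protect":
            # Protect records only the first offender and stays quiet afterwards.
            if self.first_violator is None:
                self.first_violator = mac
                self.log.append(f"{self.name}: protect, first violator {mac}")
            return "drop"
        # restrict: drop and log every violating frame
        self.log.append(f"{self.name}: restrict, dropped frame from {mac}")
        return "drop"

    def age_out(self, mac: str) -> bool:
        """Aging removes dynamic entries only; sticky entries are configuration."""
        if self.learned.get(mac) == "dynamic":
            del self.learned[mac]
            return True
        return False

    def running_config(self) -> List[str]:
        """What the VSM keeps across a reload: static and sticky addresses only.
        The line format is illustrative, not copied from NX-OS output."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac in sorted(self.static):
            lines.append(f" switchport port-security mac-address {mac}")
        for mac, kind in sorted(self.learned.items()):
            if kind == "sticky":
                lines.append(f" switchport port-security mac-address {mac} sticky")
        return lines


def run_scenario(violation: str, sticky: bool = False) -> Tuple[List[str], SecurePort]:
    """Constructed traffic: the VM that owns the port, then two rogue MACs."""
    port = SecurePort("Vethernet5", maximum=1, violation=violation, sticky=sticky)
    frames = ["0050.5682.0001",   # legitimate VM, learned on first sight
              "0050.5682.0001",
              "0050.5682.0bad",   # first rogue MAC (a VM spoofing its adapter)
              "0050.5682.0bad",
              "0050.5682.0dad",   # second rogue MAC
              "0050.5682.0001"]   # legitimate VM again
    return [port.ingress(m) for m in frames], port


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        results, port = run_scenario(mode)
        print(f"{mode:9} {results}  log={port.log}")
```

Restrict and protect forward and drop exactly the same frames; the difference is only visible in the log and in what the port remembers about the offender, which is why restrict is the mode to pick when you want every violation counted.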
Nexus 1000v Port-security
- You can configure port security only on Layer 2 interfaces.
- Port security on the different interface types:
  - Access ports: port security can be configured on interfaces configured as Layer 2 access ports; on an access port, port security applies only to the access VLAN.
  - Trunk ports: port security can be configured on interfaces configured as Layer 2 trunk ports; the device allows VLAN maximums only for VLANs associated with the trunk port.
  - SPAN ports: port security can be configured on SPAN source ports but not on SPAN destination ports.
Nexus 1000v DHCP snooping
- DHCP snooping functions like a firewall between untrusted hosts and trusted DHCP servers by doing the following:
  - Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.
  - Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  - Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
- Dynamic ARP Inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.
- When you enable DHCP snooping, by default, all vEthernet (vEth) ports are untrusted and all Ethernet
Nexus 1000v DHCP snooping
- DHCP operations fall into four basic phases:
  - IP Discovery
  - IP Lease Offer
  - IP Request
  - IP Lease Acknowledgement
- Only DHCP messages that come from a server connected to a trusted port are accepted.
- Any server-to-client DHCP message (sent to UDP port 68: OFFER, ACK, NAK) that is received on an untrusted port is dropped, which is what stops a rogue DHCP server running inside a VM. The Nexus 1000v VEM builds and maintains the DHCP snooping binding database, which contains information about clients with leased IP addresses.
- The VEM uses the DHCP snooping binding database to validate subsequent requests from clients.
Nexus 1000v DHCP snooping
- Configuration
  - Enable the DHCP feature:
      feature dhcp
  - Enable DHCP snooping globally:
      ip dhcp snooping
  - Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is disabled on all VLANs:
      ip dhcp snooping vlan vlan-list
  - Ensure that the DHCP server is connected to the device through a trusted interface (normally the uplink port-profile; vEths are untrusted by default):
      N1KV-VSM(config)# port-profile profilename
      N1KV-VSM(config-port-profile)# ip dhcp snooping trust
  - Configure a rate limit for DHCP packets on an interface, so that a VM flooding DHCP cannot exhaust the server or the VEM:
      N1KV-VSM(config-if)# [no] ip dhcp snooping limit rate rate
Nexus 1000v DHCP snooping
- Configuration
  - Error-disable detection and recovery
      errdisable detect cause dhcp-rate-limit
        Error-disables an interface that exceeds its DHCP rate limit.
      errdisable recovery cause dhcp-rate-limit
        Enables automatic recovery of interfaces error-disabled for this cause.
      errdisable recovery interval time-interval
        Sets the error-disabled recovery interval, where time-interval is the number of seconds from 30 to 65535.
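The rules in this procedure are easier to reason about as code. The Python model below is an added example, not Nexus 1000v code: it applies the trust, MAC verification, binding and rate-limit rules to constructed DHCP messages (the interface names, MACs and addresses are invented for the example) and shows why a rogue server behind a vEth, a spoofed chaddr, a RELEASE from the wrong port and a DHCP flood are all stopped at the VEM.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # server -> client, UDP destination port 68


@dataclass
class DhcpMsg:
    """The fields of a DHCP packet that snooping looks at (constructed, not parsed)."""
    ingress: str              # VEM interface the packet arrived on
    vlan: int
    eth_src: str              # Ethernet source MAC
    msg_type: str             # DHCP option 53
    chaddr: str               # client hardware address in the DHCP body
    yiaddr: str = "0.0.0.0"   # address the server hands out (OFFER/ACK)
    lease: int = 3600
    second: int = 0           # arrival time, used by the rate limiter


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int


@dataclass
class DhcpSnooping:
    trusted: Set[str]                                   # ip dhcp snooping trust
    vlans: Set[int]                                     # ip dhcp snooping vlan ...
    rate_limit: Dict[str, int] = field(default_factory=dict)   # interface -> pps
    mac_verify: bool = True                             # "Verification of MAC address is enabled"
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (mac, vlan) -> client port
    errdisabled: Set[str] = field(default_factory=set)
    counters: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def process(self, m: DhcpMsg) -> str:
        if m.vlan not in self.vlans:
            return "forward"                            # snooping not enabled on this VLAN
        if m.ingress in self.errdisabled:
            return "drop:errdisabled"
        # Rate limit: too many DHCP packets per second on one interface is the
        # dhcp-rate-limit errdisable cause.
        limit = self.rate_limit.get(m.ingress)
        if limit is not None:
            key = (m.ingress, m.second)
            self.counters[key] = self.counters.get(key, 0) + 1
            if self.counters[key] > limit:
                self.errdisabled.add(m.ingress)
                return "drop:errdisabled"
        trusted = m.ingress in self.trusted
        if not trusted:
            if m.msg_type in SERVER_MSGS:
                return "drop:server-msg-on-untrusted"   # rogue DHCP server behind a vEth
            if self.mac_verify and m.eth_src.lower() != m.chaddr.lower():
                return "drop:mac-mismatch"              # chaddr does not match the frame source
        key = (m.chaddr.lower(), m.vlan)
        if m.msg_type in ("DISCOVER", "REQUEST") and not trusted:
            self.pending[key] = m.ingress               # remember which port asked
        elif m.msg_type == "ACK" and trusted:
            port = self.pending.pop(key, None)
            if port is not None:                        # only leases we saw requested get a binding
                self.bindings[key] = Binding(key[0], m.yiaddr, m.vlan, port, m.lease)
        elif m.msg_type in ("RELEASE", "DECLINE"):
            b = self.bindings.get(key)
            if b is None or b.interface != m.ingress:
                return "drop:no-binding-entry"          # a VM cannot release another port's lease
            del self.bindings[key]
        return "forward"


def run_scenario() -> Tuple[List[str], Dict[Tuple[str, int], Binding]]:
    """Constructed traffic: a normal lease, a rogue server on a vEth, a spoofed
    chaddr, a cross-port RELEASE and a DHCP flood against a 15 pps limit."""
    snoop = DhcpSnooping(trusted={"Ethernet3/1"}, vlans={100},
                         rate_limit={"Vethernet7": 15})
    vm, rogue, server = "0050.5682.0001", "0050.5682.0bad", "0000.0c07.ac01"
    msgs = [
        DhcpMsg("Vethernet5", 100, vm, "DISCOVER", vm),
        DhcpMsg("Ethernet3/1", 100, server, "OFFER", vm, "10.1.100.20"),
        DhcpMsg("Vethernet5", 100, vm, "REQUEST", vm),
        DhcpMsg("Ethernet3/1", 100, server, "ACK", vm, "10.1.100.20"),
        DhcpMsg("Vethernet9", 100, rogue, "OFFER", vm, "10.1.100.99"),   # rogue server
        DhcpMsg("Vethernet9", 100, rogue, "DISCOVER", vm),               # chaddr spoof
        DhcpMsg("Vethernet9", 100, vm, "RELEASE", vm),                   # VM's lease released from another port
    ]
    results = [snoop.process(m) for m in msgs]
    flood = [snoop.process(DhcpMsg("Vethernet7", 100, rogue, "DISCOVER", rogue, second=5))
             for _ in range(20)]
    results.append(f"flood: {flood.count('forward')} forwarded, "
                   f"Vethernet7 errdisabled={'Vethernet7' in snoop.errdisabled}")
    return results, snoop.bindings


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

The binding is created only when the ACK arrives on a trusted port for a request that was seen on an untrusted port, which is why a DHCP server VM sitting on an untrusted vEth breaks DHCP for everyone else rather than populating the table.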
Nexus 1000v DHCP snooping
- Verification (Vethernet3 is trusted here, which is only right if a DHCP server VM sits behind it; any other trusted vEth lets a VM answer DHCP for the whole VLAN)
N1KV-VSM# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
100,200,250-252
DHCP snooping is operational on the following VLANs:
100,200,250-252
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface      Trusted   Pkt Limit
------------   -------   ---------
Vethernet1     No        Unlimited
Vethernet2     No        Unlimited
Vethernet3     Yes       15
Vethernet4     No        Unlimited
Vethernet5     No        Unlimited
Nexus 1000v DHCP snooping
- Verification (the "Packets dropped from untrusted ports" counter is the one that climbs when server messages arrive on an untrusted port)
N1KV-VSM# show ip dhcp snooping statistics
Packets processed 0
Packets forwarded 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to service dhcp not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0
Nexus 1000v Dynamic ARP inspection
- DAI ensures that only valid ARP requests and responses are relayed. It intercepts all ARP requests and responses on untrusted ports and verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to its destination. This defeats ARP cache poisoning, where a VM answers ARP for the default gateway or for another VM.
- DAI depends on the entries in the DHCP snooping binding database to verify the IP-to-MAC address bindings in incoming ARP requests and responses, so DHCP snooping must be enabled on the VLAN first; hosts with static addresses have no binding and need an ARP ACL (see below).
- DAI is supported on vEthernet interfaces and private VLAN ports.
Nexus 1000v Dynamic ARP inspection
- Configuration:
N1KV-VSM(config)# ip arp inspection vlan vlan-list
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip arp inspection trust
- Verification
N1KV-VSM# show ip arp inspection interfaces vethernet 9
Interface       Trust State   Pkt Limit   Burst Interval
-------------   -----------   ---------   --------------
Vethernet9      Untrusted     30          5
Nexus 1000v Dynamic ARP inspection
- Rate limiting
ip arp inspection limit {rate pps [burst interval bint] | none}
  - Configures the specified ARP inspection limit on the interface or the port profile as follows.
  - rate: allowable values are between 1 and 2048 packets per second (pps). The untrusted interface default is 15 packets per second. The trusted interface default is 15 packets per second.
  - burst interval: allowable values are between 1 and 15 seconds (the default is 5 seconds).
  - none: an unlimited number of packets per second.
Nexus 1000v Dynamic ARP inspection
- Additional validation checks can be enabled:
ip arp inspection validate ?
  - src-mac: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body, for ARP requests and responses.
  - dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body, for ARP responses.
  - ip: checks the ARP body for invalid and unexpected IP addresses, including 0.0.0.0, 255.255.255.255 and all IP multicast addresses.
- Hosts with static IP addresses have no DHCP snooping binding, so permit them explicitly with an ARP ACL applied to the VLAN:
arp access-list UNK-SW
  permit ip host 10.0.0.1 mac host 0000.0000.0001
ip arp inspection filter UNK-SW vlan 10
- Error disable
  - A port may go into the error-disabled state when ARP inspection is violated (the rate limit is exceeded).
N1KV-VSM(config)# errdisable detect cause arp-inspection
N1KV-VSM(config)# errdisable recovery cause arp-inspection
  - You can shut / no shut the port, or configure error-disable recovery to recover it automatically.
Nexus 1000v IP Source Guard
- IP Source Guard (IPSG) is a per-interface traffic filter that permits IP traffic only when the source IP address and MAC address of each packet match one of two sources of IP-to-MAC bindings:
  - Entries in the DHCP snooping binding table.
  - Static IP source entries that you configure.
- You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping.
- When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
  - DHCP packets, which DHCP snooping inspects and then forwards or drops, depending on the result of the inspection.
  - IP traffic from a source whose static IP entries are configured in the Cisco Nexus 1000V.
Nexus 1000v IP Source Guard
- Configuration (can also be done under a port-profile):
N1KV-VSM(config)# interface vethernet 31
N1KV-VSM(config-if)# ip verify source dhcp-snooping-vlan
- Verification:
N1KV-VSM(config-if)# show ip verify source interface vethernet 3
Filter Mode(for static bindings): IP-MAC
IP source guard is enabled on this interface.
Interface     Filter-mode   IP-address     Mac-address         Vlan
----------    -----------   ------------   -----------------   ----
Vethernet3    active        1.182.56.137   00:50:56:82:56:3e   1053
- Adding a static entry for IP SG (needed for a VM with a static address, which never gets a DHCP snooping binding):
N1KV-VSM(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface vethernet 3
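DAI and IP Source Guard consume the same binding table in two different ways: DAI checks the sender fields of ARP packets, IPSG checks the source of every IP packet against the binding for that specific port. The Python model below is an added example (not Nexus 1000v code) covering the DAI validation checks and ARP ACL from the previous slides and the IPSG filter from this one; the binding entries, the ARP ACL entry, the interface names and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP snooping binding table as DAI and IPSG consume it: (vlan, ip) -> (mac, interface).
# Constructed entries, not read from a VEM.
BINDINGS: Dict[Tuple[int, str], Tuple[str, str]] = {
    (100, "10.1.100.20"): ("0050.5682.0001", "Vethernet5"),
    (100, "10.1.100.21"): ("0050.5682.0002", "Vethernet6"),
}
# Entries from "ip source binding ..." have the same shape.
STATIC: Dict[Tuple[int, str], Tuple[str, str]] = {
    (100, "10.1.100.50"): ("001f.28bd.0013", "Vethernet3"),
}
# ARP ACL "permit ip host <ip> mac host <mac>", checked before the binding table.
ARP_ACL: Set[Tuple[str, str]] = {("10.1.100.1", "0000.0c07.ac01")}   # gateway, static address


@dataclass
class Arp:
    ingress: str
    vlan: int
    eth_src: str
    eth_dst: str
    op: str            # request | reply
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def bad_ip(ip: str) -> bool:
    """The addresses the 'ip' validation rejects in an ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


@dataclass
class Dai:
    trusted: Set[str]
    validate: Set[str] = field(default_factory=set)   # any of src-mac, dst-mac, ip

    def inspect(self, p: Arp) -> str:
        if p.ingress in self.trusted:
            return "forward"                      # trusted ports bypass inspection
        if "src-mac" in self.validate and p.eth_src != p.sender_mac:
            return "drop:src-mac"
        if "dst-mac" in self.validate and p.op == "reply" and p.eth_dst != p.target_mac:
            return "drop:dst-mac"
        if "ip" in self.validate and (bad_ip(p.sender_ip) or (p.op == "reply" and bad_ip(p.target_ip))):
            return "drop:ip"
        if (p.sender_ip, p.sender_mac) in ARP_ACL:
            return "forward:acl"                  # statically addressed host permitted by ARP ACL
        entry = BINDINGS.get((p.vlan, p.sender_ip))
        if entry is not None and entry[0] == p.sender_mac:
            return "forward"
        return "drop:binding"                     # sender claims an IP it did not lease


@dataclass
class Ip:
    ingress: str
    vlan: int
    eth_src: str
    src_ip: str
    is_dhcp: bool = False


def ipsg(p: Ip, mode: str = "ip-mac") -> str:
    """ip verify source dhcp-snooping-vlan on an untrusted vEth: the source IP
    (and MAC, in ip-mac mode) must match a binding learned on this very port."""
    if p.is_dhcp:
        return "forward:dhcp"                     # left to DHCP snooping, not IPSG
    for table in (BINDINGS, STATIC):
        entry = table.get((p.vlan, p.src_ip))
        if entry is not None and entry[1] == p.ingress and (mode == "ip" or entry[0] == p.eth_src):
            return "forward"
    return "drop"


def run_scenario() -> List[str]:
    dai = Dai(trusted={"Ethernet3/1"}, validate={"src-mac", "dst-mac", "ip"})
    vm1, vm2, gw, bcast = "0050.5682.0001", "0050.5682.0002", "0000.0c07.ac01", "ffff.ffff.ffff"
    arps = [
        Arp("Vethernet5", 100, vm1, bcast, "request", "10.1.100.20", vm1, "10.1.100.1", "0000.0000.0000"),
        Arp("Ethernet3/1", 100, gw, vm1, "reply", "10.1.100.1", gw, "10.1.100.20", vm1),    # trusted uplink
        Arp("Vethernet6", 100, vm2, vm1, "reply", "10.1.100.1", vm2, "10.1.100.20", vm1),   # VM2 poses as gateway
        Arp("Vethernet6", 100, vm2, vm1, "reply", "10.1.100.20", vm2, "10.1.100.20", vm1),  # VM2 claims VM1's IP
        Arp("Vethernet6", 100, vm2, bcast, "request", "10.1.100.21", vm1, "10.1.100.1", "0000.0000.0000"),  # MACs disagree
        Arp("Vethernet6", 100, vm2, bcast, "request", "224.0.0.1", vm2, "10.1.100.1", "0000.0000.0000"),    # multicast sender IP
        Arp("Vethernet8", 100, gw, vm1, "reply", "10.1.100.1", gw, "10.1.100.20", vm1),     # gateway VM on untrusted port, ARP ACL
    ]
    ips = [
        Ip("Vethernet5", 100, vm1, "10.1.100.20"),                 # matches its binding
        Ip("Vethernet6", 100, vm2, "10.1.100.20"),                 # VM2 spoofing VM1's IP
        Ip("Vethernet5", 100, vm1, "10.1.100.21"),                 # VM1 using VM2's IP
        Ip("Vethernet3", 100, "001f.28bd.0013", "10.1.100.50"),    # static binding
        Ip("Vethernet7", 100, "0050.5682.0007", "0.0.0.0", is_dhcp=True),
    ]
    return [dai.inspect(a) for a in arps] + [ipsg(p) for p in ips]


if __name__ == "__main__":
    print(run_scenario())
```

Note the two different failure modes: DAI drops the poisoned reply because the claimed IP has no binding for that MAC, while IPSG drops the spoofed IP packet because the binding exists but belongs to a different port; both depend on the binding table being populated before the VM starts talking.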
Nexus 1000v DAI and IPSG
Nexus 1000v ACL
- Two types of ACLs are supported in Nexus 1000v:
  - IP ACL: applied only to IP traffic.
  - MAC ACL: applied only to non-IP traffic.
- Order of ACL application:
  - Ingress port ACL
  - Egress port ACL
- A MAC ACL supports the following additional filtering options:
  - Layer 3 protocol (EtherType)
  - VLAN ID
  - Class of Service (CoS)
Nexus 1000v IP ACL
- An IP ACL supports the following additional filtering options:
  - Layer 4 protocol
  - TCP and UDP ports
  - ICMP types and codes
  - IGMP types
  - Precedence level
  - Differentiated Services Code Point (DSCP) value
  - TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
- All ACLs are configured through the CLI on the VSM; when an ACL is applied to a port-profile or to a vEth/Ethernet port, it is enforced by the VEM in the data path, so filtering happens on the host before the traffic leaves the hypervisor.
Nexus 1000v IP ACL
- Configuration example (every NX-OS ACL ends with an implicit deny, so the final permit ip any any is what keeps the remaining traffic flowing):
ip access-list DENY_OSPF
  10 deny ip any 224.0.0.5/32
  20 deny ip any 224.0.0.6/32
  30 permit ip any any
ip access-list DENY_TELNET
  10 deny tcp any 150.10.2.1/32 eq telnet
  20 permit ip any any
port-profile type vethernet SERVERFARM1
  ip access-group DENY_TELNET in
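The ACLs above are evaluated in sequence-number order, the first match wins, and every NX-OS ACL ends in an implicit deny. The Python evaluator below is an added example (not Nexus 1000v code) that parses the two ACLs from the slide plus a constructed third one without a trailing permit, and evaluates constructed packets against them; it handles only the ACE syntax used on the slide (protocol, source, destination, optional eq port).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}   # NX-OS port keywords used here


@dataclass
class Ace:
    seq: int
    action: str                     # permit | deny
    proto: str                      # ip | tcp | udp | icmp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # "eq <port>" after the destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse any | host A.B.C.D | A.B.C.D/len starting at token i."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Parse 'ip access-list' blocks whose ACEs look like
    <seq> permit|deny <proto> <src> <dst> [eq <port>]."""
    acls: Dict[str, List[Ace]] = {}
    current: List[Ace] = []
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "access-list"]:
            current = acls.setdefault(tok[2], [])
            continue
        src, i = _addr(tok, 3)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        current.append(Ace(int(tok[0]), tok[1], tok[2], src, dst, dport))
    for aces in acls.values():
        aces.sort(key=lambda a: a.seq)      # evaluated in sequence-number order
    return acls


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls to the implicit deny (seq None)."""
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in a.src or ipaddress.ip_address(pkt.dst) not in a.dst:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, a.seq
    return "deny", None


# The two ACLs from the slide, plus a constructed one that forgot its trailing permit.
CONFIG = """
ip access-list DENY_OSPF
  10 deny ip any 224.0.0.5/32
  20 deny ip any 224.0.0.6/32
  30 permit ip any any
ip access-list DENY_TELNET
  10 deny tcp any 150.10.2.1/32 eq telnet
  20 permit ip any any
ip access-list DENY_TELNET_NO_PERMIT
  10 deny tcp any any eq telnet
"""


def run_scenario() -> List[Tuple[str, Optional[int]]]:
    acls = parse_acls(CONFIG)
    return [
        evaluate(acls["DENY_TELNET"], Packet("10.0.0.5", "150.10.2.1", "tcp", 23)),   # blocked telnet
        evaluate(acls["DENY_TELNET"], Packet("10.0.0.5", "150.10.2.1", "tcp", 22)),   # ssh still allowed
        evaluate(acls["DENY_TELNET"], Packet("10.0.0.5", "150.10.2.2", "tcp", 23)),   # telnet elsewhere allowed
        evaluate(acls["DENY_OSPF"], Packet("10.0.0.5", "224.0.0.5", "ospf")),        # hello to AllSPFRouters
        evaluate(acls["DENY_OSPF"], Packet("10.0.0.5", "10.0.0.6", "udp", 53)),      # ordinary unicast
        evaluate(acls["DENY_TELNET_NO_PERMIT"], Packet("10.0.0.5", "10.0.0.6", "tcp", 22)),  # implicit deny bites
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last case is the one that catches people: an ACL that only lists deny entries silently blocks everything else, which on a vEth means the VM loses all connectivity the moment the port-profile is applied.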
Nexus 1000v Private VLANs
- Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs.
- All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
- All members in the private VLAN share a common address space, which is allocated to the primary VLAN.
- Secondary VLAN types: ports in an isolated VLAN can talk only to promiscuous ports (typically the gateway), ports in a community VLAN can talk to each other and to promiscuous ports; this is what keeps one compromised VM from reaching its neighbours at Layer 2 while they all keep the same subnet.
- Private VLANs can span multiple switches. A trunk port carries the primary VLAN and the secondary VLANs to a neighboring switch (the uplink ports in the case of Nexus 1000v).
Nexus 1000v Private VLANs
- Enable the private VLAN feature and configure the primary and secondary VLANs:
feature private-vlan
vlan 153
  private-vlan primary
  private-vlan association 154-155
vlan 154
  private-vlan community
vlan 155
  private-vlan isolated
Nexus 1000v Private VLANs
! Private VLAN configured on a port-profile
port-profile type vethernet pv154
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
  no shutdown
  state enabled
! Private VLAN can also be configured on the vEth port itself.
port-profile type vethernet pv155
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 155
  no shutdown
  state enabled
!
Nexus 1000v Private VLANs
Create the uplink port-profile carrying the private VLANs (a promiscuous trunk, so the upstream switch or router sees one address space):
port-profile type ethernet pcpvtrunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan trunk allowed vlan 153-155
  channel-group auto mode on mac-pinning
  no shutdown
  state enabled

Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Nexus 1000v part ii

1. Nexus 1000v
• IGMP Snooping
• DHCP Snooping
• Dynamic ARP Inspection (DAI)
• IP Source Guard
• Port Security
• Access Control Lists (ACL)
• Private VLANs (PVLAN)
2. Nexus 1000v IGMP snooping
• The Nexus 1000v VEM can snoop the IGMP conversation between a VM adapter and the router (default gateway).
• The Nexus 1000v is a full IGMP snooping bridge, but it cannot perform the IGMP querier job.

ip igmp snooping                                    ! Enables at global level
vlan 200
  ip igmp snooping                                  ! Enables per-VLAN IGMP snooping
  ip igmp snooping explicit-tracking
  ip igmp snooping mrouter interface ethernet 2/1   ! vEths are not supported as router ports
  ip igmp snooping static-group 230.0.0.1 interface vethernet 21
show ip igmp snooping vlan 200
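The snooping state the slide describes, as an added example in Python (not Nexus 1000v code): one VLAN's snooped table with an mrouter port, a static group, explicit tracking on leave, and the rule that a vEth cannot be an mrouter port. Port names are constructed, and the handling of groups with no snooped receivers (sent to mrouter ports only) is an assumption of the example.

```python
# Added example (not Nexus 1000V code): the per-VLAN IGMP snooping table the
# slide describes, with mrouter ports, static groups and explicit tracking.
from typing import Dict, Set


class IgmpSnoopingVlan:
    """Snooped multicast forwarding state for one VLAN (port names constructed)."""

    def __init__(self, vlan: int) -> None:
        self.vlan = vlan
        self.mrouter_ports: Set[str] = set()      # where the querier/router lives
        self.groups: Dict[str, Set[str]] = {}     # group -> ports with interested receivers

    def add_mrouter(self, port: str) -> None:
        # The slide states vEths are not supported as router ports.
        if port.lower().startswith("veth"):
            raise ValueError("vEthernet ports cannot be IGMP mrouter ports")
        self.mrouter_ports.add(port)

    def static_group(self, group: str, port: str) -> None:
        """'ip igmp snooping static-group': a receiver that never has to join."""
        self.groups.setdefault(group, set()).add(port)

    def report(self, port: str, group: str) -> None:
        """A snooped IGMP membership report (join) from a host port."""
        self.groups.setdefault(group, set()).add(port)

    def leave(self, port: str, group: str) -> None:
        """Explicit tracking: a leave removes only the leaving port, not the
        whole group, so other receivers on the VLAN keep the stream."""
        members = self.groups.get(group)
        if members:
            members.discard(port)
            if not members:
                del self.groups[group]

    def egress_ports(self, group: str, ingress_port: str) -> Set[str]:
        """Ports that receive a data frame for `group` arriving on `ingress_port`.
        Assumption for this example: traffic to a group with no snooped
        receivers goes to the mrouter ports only instead of the whole VLAN."""
        out = self.groups.get(group, set()) | self.mrouter_ports
        return out - {ingress_port}
```

Without explicit tracking a leave from one VM would normally trigger a group-specific query before the group is pruned; the class models the explicit-tracking behaviour the slide configures, where each port's membership is known individually.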
3. Nexus 1000v Layer 2 Security features
• Work exactly like the Layer 2 security features in physical switches.
• The security features require the Nexus 1000v Advanced License.
• Layer 2 security is important in Virtual Desktop Infrastructure types of environment, where each virtual machine is a user desktop.
• Unmanaged VMs can bring down the whole Layer 2 network if it is not protected at the VEM level.
4. Nexus 1000v Port-security
• MAC-to-port mapping
  • Don't allow any MAC addresses other than those mapped to pass traffic
  • Static = static MAC-to-port mapping
  • Dynamic = learn the MAC, map it to the port, then don't allow anyone ELSE
  • Can also age this dynamic mapping out
  • Sticky = same as dynamic, but the mapping is stored on the VSM
• Violations
  • Shutdown = shuts the port down. Simple, done.
  • Restrict = drops traffic from any other MAC addresses
  • Protect = basically drops traffic from any other MACs like Restrict, but first it learns the MAC of the 1st violator and logs him (still drops his traffic too) and doesn't learn any other violators' MACs
5. Nexus 1000v Port-security
• You can configure port security only on Layer 2 interfaces.
• Details about port security and the different types of interfaces or ports are as follows:
  • Access ports
    • You can configure port security on interfaces that you have configured as Layer 2 access ports.
    • On an access port, port security applies only to the access VLAN.
  • Trunk ports
    • You can configure port security on interfaces that you have configured as Layer 2 trunk ports.
    • The device allows VLAN maximums only for VLANs associated with the trunk port.
  • SPAN ports
    • You can configure port security on SPAN source ports but not on SPAN destination ports.
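To make the learning modes and violation actions of slides 4 and 5 concrete, here is an added Python simulator of one secured vEth. It is example code, not Nexus 1000v code; port names and MACs are constructed, the maximum of one secure MAC is an assumption, and the "protect" branch follows slide 4's description (log the first violator only).

```python
# Added example (not Nexus 1000V code): a port-security simulator that
# applies the static / dynamic / sticky learning modes and the three
# violation actions described on slides 4 and 5.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    """One vEth with port security. Port names and MACs are constructed."""
    name: str
    violation: str = "shutdown"          # "shutdown" | "restrict" | "protect"
    maximum: int = 1                     # max secure MACs (assumed 1 for this example)
    sticky: bool = False                 # sticky: learned MACs survive aging (saved on the VSM)
    static_macs: Set[str] = field(default_factory=set)
    learned: Dict[str, str] = field(default_factory=dict)   # mac -> "dynamic" | "sticky"
    shut: bool = False                   # err-disabled by a shutdown-mode violation
    violations: int = 0
    first_violator: Optional[str] = None  # protect mode remembers only the first offender
    log: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        return self.static_macs | set(self.learned)

    def ingress(self, src_mac: str) -> bool:
        """Process one frame; return True if it is forwarded."""
        if self.shut:
            return False
        if src_mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            # Room left: learn the MAC and bind it to this port.
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Any other MAC is a violation; the action depends on the mode.
        self.violations += 1
        if self.violation == "shutdown":
            self.shut = True
            self.log.append(f"{self.name}: err-disabled, violator {src_mac}")
        elif self.violation == "restrict":
            self.log.append(f"{self.name}: dropped frame from {src_mac}")
        elif self.violation == "protect":
            # Slide 4's description: log the first violator only, keep
            # dropping everyone else silently.
            if self.first_violator is None:
                self.first_violator = src_mac
                self.log.append(f"{self.name}: first violator {src_mac}")
        else:
            raise ValueError(f"unknown violation mode {self.violation}")
        return False

    def age_out(self) -> None:
        """Aging timer expiry: dynamic bindings go, sticky and static stay."""
        self.learned = {m: k for m, k in self.learned.items() if k == "sticky"}

    def recover(self) -> None:
        """Operator 'shut / no shut' of an err-disabled port."""
        self.shut = False
```

The difference that matters operationally is visible in the `shut` flag and the `log` list: shutdown mode takes the whole desktop VM offline on the first foreign MAC, while restrict and protect keep the legitimate MAC working and only drop the offender.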
6. Nexus 1000v DHCP snooping
• DHCP snooping functions like a firewall between untrusted hosts and trusted DHCP servers by doing the following:
  • Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
• Dynamic ARP Inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.
• When you enable DHCP snooping, by default, all vEthernet (vEth) ports are untrusted and all Ethernet
7. Nexus 1000v DHCP snooping
• DHCP operations are categorized into four basic phases:
  • IP Discovery
  • IP Lease Offer
  • IP Request
  • IP Lease Acknowledgement
• Only DHCP messages that come from a server connected to a trusted port are accepted.
• Any DHCP message to UDP port 68 (server-to-client data) that is received on an untrusted port is dropped.
• The Nexus 1000v VEM builds and maintains the DHCP snooping binding database, which contains information about clients with leased IP addresses.
• It uses the DHCP snooping binding database to validate subsequent requests from clients.
8. Nexus 1000v DHCP snooping
• Configuration
• Enable the DHCP feature.
feature dhcp
• Enable DHCP snooping globally.
ip dhcp snooping
• Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is disabled on all VLANs.
ip dhcp snooping vlan vlan-list
• Ensure that the DHCP server is connected to the device using a trusted interface.
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip dhcp snooping trust
• Configuring the rate limit for DHCP packets
N1KV-VSM(config-if)# [no] ip dhcp snooping limit rate rate
9. Nexus 1000v DHCP snooping
• Configuration
• Error-disable detection and recovery
errdisable detect cause dhcp-rate-limit       ! Enables DHCP error-disabled detection.
errdisable recovery cause dhcp-rate-limit     ! Enables DHCP error-disabled recovery.
errdisable recovery interval time-interval    ! Sets the DHCP error-disabled recovery interval, where time-interval is the number of seconds from 30 to 65535.
10. Nexus 1000v DHCP snooping
• Verification

N1KV-VSM# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
100,200,250-252
DHCP snooping is operational on the following VLANs:
100,200,250-252
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface     Trusted   Pkt Limit
------------  -------   ---------
Vethernet1    No        Unlimited
Vethernet2    No        Unlimited
Vethernet3    Yes       15
Vethernet4    No        Unlimited
Vethernet5    No        Unlimited
11. Nexus 1000v DHCP snooping
• Verification

N1KV-VSM# show ip dhcp snooping statistics
Packets processed                                        0
Packets forwarded                                        0
Total packets dropped                                    0
Packets dropped from untrusted ports                     0
Packets dropped due to MAC address check failure         0
Packets dropped due to Option 82 insertion failure       0
Packets dropped due to o/p intf unknown                  0
Packets dropped which were unknown                       0
Packets dropped due to service dhcp not enabled          0
Packets dropped due to no binding entry                  0
Packets dropped due to interface error/no interface      0
Packets dropped due to max hops exceeded                 0
12. Nexus 1000v Dynamic ARP inspection
• DAI ensures that only valid ARP requests and responses are relayed by intercepting all ARP requests and responses on untrusted ports and verifying that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination.
• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.
• DAI is supported on vEthernet interfaces and private VLAN ports.
13. Nexus 1000v Dynamic ARP inspection
• Configuration:
N1KV-VSM(config)# ip arp inspection vlan #
N1KV-VSM(config)# port-profile profilename
N1KV-VSM(config-port-profile)# ip arp inspection trust
• Verification:
switch# show ip arp inspection interfaces vethernet 3
Interface      Trust State   Pkt Limit   Burst Interval
-------------  -----------   ---------   --------------
Vethernet9     Untrusted     30          5
14. Nexus 1000v Dynamic ARP inspection
• Rate limiting
ip arp inspection limit {rate pps [burst interval bint] | none}
• Configures the specified ARP inspection limit on the interface or the port profile as follows:
  • rate: allowable values are between 1 and 2048 packets per second (pps).
    • The untrusted interface default is 15 packets per second.
    • The trusted interface default is 15 packets per second.
  • burst interval: allowable values are between 1 and 15 seconds (the default is 5 seconds).
  • none: an unlimited number of packets per second.
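The rate limit above and the error-disable detection and recovery of slides 9 and 15 share one mechanism, so here is a single added Python model of it for one interface (example code, not Nexus 1000v code). The value ranges come from the slides; the 300-second recovery default, and the simplification that the rate is policed as `rate * burst interval` packets per window, are assumptions of this example. Time is passed in by the caller so the model runs offline.

```python
# Added example (not Nexus 1000V code): the packet rate limit with burst
# interval from slide 14 and the err-disable detect/recovery behaviour of
# slides 9 and 15, modelled for one interface. Timing is driven by the
# caller so it can be tested offline.
from typing import Optional


class ArpRateLimiter:
    """'ip arp inspection limit {rate pps [burst interval bint] | none}' on one port."""

    def __init__(self, rate_pps: Optional[int] = 15, burst_interval: int = 5,
                 detect: bool = True, recovery: bool = True,
                 recovery_interval: int = 300) -> None:
        # Ranges from the slides: rate 1-2048, burst 1-15, recovery 30-65535.
        # The 300 s recovery default is an assumption of this example.
        if rate_pps is not None and not 1 <= rate_pps <= 2048:
            raise ValueError("rate must be 1-2048 pps (or None for unlimited)")
        if not 1 <= burst_interval <= 15:
            raise ValueError("burst interval must be 1-15 seconds")
        if not 30 <= recovery_interval <= 65535:
            raise ValueError("recovery interval must be 30-65535 seconds")
        self.rate_pps = rate_pps
        self.burst_interval = burst_interval
        self.detect = detect                  # errdisable detect cause ...
        self.recovery = recovery              # errdisable recovery cause ...
        self.recovery_interval = recovery_interval
        self.window_start: Optional[float] = None
        self.count = 0
        self.errdisabled_at: Optional[float] = None

    def packet(self, now: float) -> str:
        """Account one ARP packet at time `now` (seconds).
        Returns "forward", "drop" (over rate with detection off), "errdisable"
        (the packet that tripped the port) or "drop-errdisabled"."""
        if self.errdisabled_at is not None:
            if self.recovery and now - self.errdisabled_at >= self.recovery_interval:
                self.errdisabled_at = None        # automatic recovery
                self.window_start = None
            else:
                return "drop-errdisabled"
        if self.rate_pps is None:
            return "forward"                      # 'none' = unlimited
        # Rate is measured over the burst interval: at most rate * interval
        # packets per window (a simplification of the platform's policer).
        if self.window_start is None or now - self.window_start >= self.burst_interval:
            self.window_start = now
            self.count = 0
        self.count += 1
        if self.count <= self.rate_pps * self.burst_interval:
            return "forward"
        if self.detect:
            self.errdisabled_at = now             # port goes err-disabled
            return "errdisable"
        return "drop"

    def clear(self) -> None:
        """Operator 'shut / no shut': bring the port back immediately."""
        self.errdisabled_at = None
        self.window_start = None
```

With the slide's defaults (15 pps, 5-second burst) a VM that emits 76 ARP packets inside one 5-second window takes its own port down; whether that is acceptable for a VDI desktop, or whether `errdisable recovery` should be on, is the tuning decision these three slides leave to the operator.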
15. Nexus 1000v Dynamic ARP inspection
• Additional validation checks can be enabled:
ip arp inspection validate ?
  • src-mac: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses.
  • dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses.
  • ip: checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
arp access-list UNK-SW
  permit ip host 10.0.0.1 mac host 0000.0000.0001
ip arp inspection filter UNK-SW vlan 10
• Error disable
  • A port may go into error-disable when ARP inspection is violated.
N1KV-VSM(config)# errdisable detect cause arp-inspection
N1KV-VSM(config)# errdisable recovery cause arp-inspection
  • You can shut / no shut the port, or configure error-disable recovery to recover automatically.
16. Nexus 1000v IP Source Guard
• IP SG is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings:
  • Entries in the DHCP snooping binding table.
  • Static IP source entries that you configure.
• You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping.
• When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
  • DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.
  • IP traffic from a source whose static IP entries are configured in the Cisco Nexus 1000V.
17. Nexus 1000v IP Source Guard
• Configuration (can also be done under a port-profile):
N1KV-VSM(config)# interface vethernet 31
N1KV-VSM(config-if)# ip verify source dhcp-snooping-vlan
• Verification:
switch(config-if)# show ip verify source interface vethernet 3
Filter Mode(for static bindings): IP-MAC
IP source guard is enabled on this interface.
Interface   Filter-mode  IP-address    Mac-address        Vlan
----------  -----------  ------------  -----------------  ----
Vethernet3  active       1.182.56.137  00:50:56:82:56:3e  1053
• Adding a static entry for IP SG:
N1KV-VSM(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface vethernet 3
18. Nexus 1000v DAI and IPSG
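Slides 6-7, 12, 15 and 16-17 describe three features that share one data structure: the DHCP snooping binding table. The following added Python example (not Nexus 1000v code) models a VEM that builds that table from a snooped DHCP exchange, drops server messages arriving on untrusted ports, and then uses the table for DAI (with the `src-mac`, `dst-mac` and `ip` checks) and for IP Source Guard in IP-MAC filter mode, including a static `ip source binding`. Interface names, MACs and addresses are constructed.

```python
# Added example (not Nexus 1000V code): one VEM's DHCP snooping binding
# table feeding DAI and IP Source Guard, as described on slides 6-7, 12, 15
# and 16-17. Interface names, MACs and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK"}          # server->client, UDP dst port 68
INVALID_ARP_IPS = {"0.0.0.0", "255.255.255.255"}


def is_multicast(ip: str) -> bool:
    return 224 <= int(ip.split(".")[0]) <= 239


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    source: str                      # "dhcp" or "static"


@dataclass
class Vem:
    trusted: Set[str] = field(default_factory=set)          # dhcp snooping / arp inspection trust
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)   # client mac -> port of its REQUEST
    events: List[str] = field(default_factory=list)

    def dhcp(self, iface: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> bool:
        """Snoop one DHCP message; return True if it is forwarded."""
        if msg in SERVER_MESSAGES and iface not in self.trusted:
            # A server replying from an untrusted port is a rogue server.
            self.events.append(f"drop {msg} from untrusted {iface}")
            return False
        if msg == "REQUEST" and iface not in self.trusted:
            self.pending[client_mac] = iface
        if msg == "ACK" and yiaddr and client_mac in self.pending:
            # The lease is confirmed: bind IP/MAC/VLAN to the client's port.
            port = self.pending.pop(client_mac)
            self.bindings[(yiaddr, vlan)] = Binding(yiaddr, client_mac, vlan, port, "dhcp")
        return True

    def add_static_binding(self, ip: str, mac: str, vlan: int, iface: str) -> None:
        """'ip source binding <ip> <mac> vlan <n> interface <if>'."""
        self.bindings[(ip, vlan)] = Binding(ip, mac, vlan, iface, "static")

    def arp(self, iface: str, vlan: int, eth_src: str, sender_mac: str, sender_ip: str,
            is_reply: bool = False, eth_dst: Optional[str] = None,
            target_mac: Optional[str] = None) -> bool:
        """DAI with 'validate src-mac dst-mac ip' on an untrusted port."""
        if iface in self.trusted:
            return True
        if sender_ip in INVALID_ARP_IPS or is_multicast(sender_ip):
            return self._drop("ip", iface, sender_ip)
        if eth_src != sender_mac:
            return self._drop("src-mac", iface, sender_ip)
        if is_reply and eth_dst and target_mac and eth_dst != target_mac:
            return self._drop("dst-mac", iface, sender_ip)
        b = self.bindings.get((sender_ip, vlan))
        if b is None or b.mac != sender_mac or b.interface != iface:
            return self._drop("binding", iface, sender_ip)
        return True

    def ip_packet(self, iface: str, vlan: int, src_ip: str, src_mac: str) -> bool:
        """IP Source Guard (IP-MAC filter mode) for non-DHCP IP traffic."""
        if iface in self.trusted:
            return True
        b = self.bindings.get((src_ip, vlan))
        return b is not None and b.mac == src_mac and b.interface == iface

    def _drop(self, reason: str, iface: str, ip: str) -> bool:
        self.events.append(f"DAI drop ({reason}) on {iface} for {ip}")
        return False
```

Note that a VM with a statically assigned address and no DHCP lease has no binding, so under IP Source Guard all of its IP traffic is blocked until an `ip source binding` entry is added, which is exactly the case slide 17's last command covers.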
19. Nexus 1000v ACL
• Two types of ACLs are supported in Nexus 1000v:
  • IP ACL - applied only to IP traffic
  • MAC ACL - applied only to non-IP traffic
• Order of ACL application:
  • Ingress port ACL
  • Egress port ACL
• MAC ACL supports the following additional filtering options:
  • Layer 3 protocol
  • VLAN ID
  • Class of Service (CoS)
20. Nexus 1000v IP ACL
• IP ACL supports the following additional filtering options:
  • Layer 4 protocol
  • TCP and UDP ports
  • ICMP types and codes
  • IGMP types
  • Precedence level
  • Differentiated Services Code Point (DSCP) value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• All ACLs are configured via the CLI on the VSM; when an ACL is applied to a port-profile or to a vEth/Ethernet port, it is processed at the VEM level.
21. Nexus 1000v IP ACL
• Configuration example:
ip access-list DENY_OSPF
  10 deny ip any 224.0.0.5/32
  20 deny ip any 224.0.0.6/32
  30 permit ip any any
ip access-list DENY_TELNET
  10 deny tcp any 150.10.2.1/32 eq telnet
  20 permit ip any any
port-profile type veth SERVERFARM1
  ip access-group DENY_TELNET in
22. Nexus 1000v Private VLANs
• Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs.
• All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
• All members in the private VLAN share a common address space, which is allocated to the primary VLAN.
• Private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch (uplink ports in the case of Nexus 1000v).
23. Nexus 1000v Private VLANs
• Enable private VLANs and configure the primary and secondary VLANs:
feature private-vlan
vlan 153
  private-vlan primary
  private-vlan association 154-155
vlan 154
  private-vlan community
vlan 155
  private-vlan isolated
24. Nexus 1000v Private VLANs
! Private VLAN configured on a port-profile
port-profile type vethernet pv154
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
  no shutdown
  state enabled
! You can also configure the private VLAN on the vEth port itself.
port-profile type vethernet pv155
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 155
  no shutdown
  state enabled
!
25. Nexus 1000v Private VLANs
• Create an uplink port-profile carrying the private VLANs:
port-profile type ethernet pcpvtrunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan trunk allowed vlan 153-155
  channel-group auto mode on mac-pinning
  no shutdown
  state enabled
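Slides 23-25 together define one private-VLAN domain; the useful check is which pairs of ports can exchange frames in it. The following added Python example (not Nexus 1000v code) parses the configuration from those three slides into a model and answers that question with the standard PVLAN rules: community members talk to each other and to promiscuous ports, isolated hosts talk only to promiscuous ports. The VLAN and port-profile names are the slides' own; the forwarding rules are the general PVLAN semantics, not something the slides spell out.

```python
# Added example (not Nexus 1000V code): parses the private-VLAN configuration
# from slides 23-25 into a model and answers "can these two ports talk?".
# VLAN and port-profile names come from the slides; the forwarding rules
# are the standard PVLAN ones.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PVLAN_CONFIG = """
feature private-vlan
vlan 153
  private-vlan primary
  private-vlan association 154-155
vlan 154
  private-vlan community
vlan 155
  private-vlan isolated
port-profile type vethernet pv154
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
port-profile type vethernet pv155
  switchport mode private-vlan host
  switchport private-vlan host-association 153 155
port-profile type ethernet pcpvtrunk
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan trunk allowed vlan 153-155
"""


def expand(spec: str) -> Set[int]:
    """'154-155,160' -> {154, 155, 160}"""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


@dataclass
class Profile:
    name: str
    mode: str = ""                          # "host" or "promiscuous"
    primary: Optional[int] = None
    secondary: Optional[int] = None         # host ports: their one secondary VLAN
    mapped: Set[int] = field(default_factory=set)   # promiscuous: secondaries it serves


@dataclass
class PvlanModel:
    vlan_types: Dict[int, str] = field(default_factory=dict)   # vlan -> primary/community/isolated
    associations: Dict[int, Set[int]] = field(default_factory=dict)
    profiles: Dict[str, Profile] = field(default_factory=dict)


def parse_pvlan(text: str) -> PvlanModel:
    """Read the vlan and port-profile stanzas; unrelated lines are ignored."""
    m = PvlanModel()
    vlan: Optional[int] = None
    prof: Optional[Profile] = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "vlan":
            vlan, prof = int(t[1]), None
        elif t[0] == "port-profile":
            prof, vlan = Profile(t[-1]), None
            m.profiles[prof.name] = prof
        elif t[0] == "private-vlan" and vlan is not None:
            if t[1] == "association":
                m.associations[vlan] = expand(t[2])
            else:
                m.vlan_types[vlan] = t[1]
        elif t[0] == "switchport" and prof is not None:
            if t[1] == "mode":
                prof.mode = "promiscuous" if "promiscuous" in t else "host"
            elif t[2] == "host-association":
                prof.primary, prof.secondary = int(t[3]), int(t[4])
            elif t[2] == "mapping":
                prof.primary, prof.mapped = int(t[4]), expand(t[5])
    return m


def can_forward(m: PvlanModel, a: str, b: str) -> bool:
    """True if a port in profile `a` may exchange frames with one in `b`."""
    pa, pb = m.profiles[a], m.profiles[b]
    if pa.primary != pb.primary:
        return False                         # different private-VLAN domains
    if pa.mode == "promiscuous" and pb.mode == "promiscuous":
        return True
    if pa.mode == "promiscuous" or pb.mode == "promiscuous":
        host, prom = (pb, pa) if pa.mode == "promiscuous" else (pa, pb)
        return host.secondary in prom.mapped
    # Both are host ports: only members of the same community may talk.
    if pa.secondary != pb.secondary:
        return False
    return m.vlan_types.get(pa.secondary) == "community"
```

For the VDI case from slide 3 the interesting result is `pv155`: two desktops in the isolated VLAN reach the gateway over the promiscuous uplink but never each other, which contains a compromised desktop at Layer 2 without any per-VM ACL.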