Configuration Fundamentals
Interface Configuration
Port-Channel
HSRP
DHCP Relay
STP
EIGRP
OSPF
BGP
BGP (Advanced)
Multicast
Netflow
SPAN
TACACS+, RADIUS, and AAA
Layer-3 Virtualization
Configuration Fundamentals
• When you first log into the NX-OS, you go directly into EXEC mode.
• Role Based Access Control (RBAC) determines a user’s permissions by default. NX-OS
5.0(2a) introduced privilege levels and two-stage authentication using an enable secret
that can be enabled with the global feature privilege configuration command.
• By default, the admin user has network-admin rights that allow full read/write access.
Additional users can be created with very granular rights to permit or deny specific CLI
commands.
• The Cisco NX-OS has a Setup Utility that allows a user to specify the system defaults,
perform basic configuration, and apply a pre-defined Control Plane Policing (CoPP)
security policy.
• The Cisco NX-OS uses a feature based license model. An Enterprise or Advanced
Services license is required depending on the features required. Additional licenses may
be required in the future.
• A 120 day license grace period is supported for testing, but features are automatically
removed from the running configuration after the expiration date is reached.
• The Cisco NX-OS has the ability to enable and disable features such as OSPF, BGP,
etc… using the feature configuration command. Configuration and verification
commands are not available until you enable the specific feature.
• Interfaces are labeled in the configuration as Ethernet. There aren’t any speed
designations.
• The Cisco NX-OS supports Virtual Device Contexts (VDCs), which allow a physical
device to be partitioned into logical devices. When you log in for the first time, you are in
the default VDC (VDC 1).
• The Cisco NX-OS has two preconfigured VRF instances by default (management,
default). The management VRF is applied to the supervisor module out-of-band Ethernet
port (mgmt0), and the default VRF instance is applied to all other I/O module Ethernet
ports.
• SSHv2 server/client functionality is enabled by default. TELNET server functionality is
disabled by default. (The TELNET client is enabled by default and cannot be disabled.)
• VTY and Auxiliary port configurations do not show up in the default configuration
unless a parameter is modified (The Console port is included in the default
configuration). The VTY port supports 32 simultaneous sessions and the timeout is
disabled by default for all three port types.
• The default administrator user is predefined as admin. An admin user password has to be
specified when the system is powered up for the first time, or if the running configuration
is erased with the write erase command and the system is power-cycled.
• If you remove a feature with the global no feature configuration command, all relevant
commands related to that feature are removed from the running configuration.
• The NX-OS uses a kickstart image and a system image. Both images are identified in the
configuration file as the kickstart and system boot variables. The boot variables
determine what version of NX-OS is loaded when the system is powered on. (The
kickstart and system boot variables have to be configured for the same NX-OS version.)
• The show running-config command accepts several options, such as OSPF, BGP, etc…
that will display the runtime configuration for a specific feature.
• The show tech command accepts several options that will display information for a
specific feature.
Configuration Comparison
The following sample code shows similarities and differences between the Cisco NX-OS software
and the Cisco IOS Software CLI. Cisco IOS Software logs in to user EXEC mode and needs enable to
reach privileged EXEC mode; Cisco NX-OS logs in directly to EXEC mode.

Cisco IOS Software                              Cisco NX-OS
c6500>                                          n7000#
line vty 0 4                                    line vty
 login                                           exec-timeout 15
 exec-timeout 15
Interface Configuration
• SVI command-line interface (CLI) configuration and verification commands are not
available until you enable the SVI feature with the feature interface-vlan command.
• Tunnel interface command-line interface (CLI) configuration and verification commands
are not available until you enable the Tunnel feature with the feature tunnel command.
• Interfaces support stateful and stateless restarts after a supervisor switchover for high
availability.
• Only 802.1q trunks are supported, so the encapsulation command isn't necessary when
configuring a layer-2 switched trunk interface. (Cisco ISL is not supported)
• An IP subnet mask can be applied using /xx or xxx.xxx.xxx.xxx notation when
configuring an IP address on a layer-3 interface.
• The CLI syntax for specifying multiple interfaces is different in Cisco NX-OS Software.
The range keyword has been omitted from the syntax (e.g., interface ethernet 1/1-2).
• The out-of-band management ethernet port located on the supervisor module is
configured with the interface mgmt 0 CLI command.
Enabling Features
Cisco IOS Software                              Cisco NX-OS
(not required in Cisco IOS Software)            feature interface-vlan
vlan 10                                         vlan 10
interface vlan 10                               interface vlan 10
 ip address 192.168.1.1 255.255.255.0            ip address 192.168.1.1/24
 no shutdown                                     no shutdown

(Cisco IOS Software does not have the ability   feature tunnel
to enable or disable tunnel interfaces using
the feature command.)

Layer-2 switched interface (identical on both platforms):
 switchport                                      switchport
 no shutdown                                     no shutdown
Port-Channel
• A single Port-Channel cannot connect to two different VDCs in the same chassis.
• You cannot disable LACP with the no feature lacp command if LACP is configured for a
Port-Channel. LACP must be disabled on all Port-Channels prior to disabling LACP
globally.
• The show port-channel compatibility-parameters CLI command is very useful for
verifying interface parameters when configuring Port-Channels.
• The show port-channel load-balance forwarding-path CLI command can be used to
determine the individual link a flow traverses over a specific Port-Channel.
Configuration Comparison
Cisco IOS Software                              Cisco NX-OS
Layer-2 Port-Channel member:
 switchport                                      switchport
 no shutdown                                     no shutdown
Layer-3 Port-Channel member:
 no switchport                                   no switchport
 no shutdown                                     no shutdown
HSRP
• HSRP command-line interface (CLI) configuration and verification commands are not
available until you enable the HSRP feature with the feature hsrp command.
• HSRP is hierarchical. All related commands for an HSRP group are configured under the
group number.
• The HSRP configuration commands use the format hsrp <option> instead of standby
<option>.
• The HSRP verification commands use the format show hsrp <option> instead of show
standby <option>.
• HSRP supports stateful process restart by default.
• The hello and hold-time timer ranges for the millisecond options are different. In Cisco
NX-OS, hello = 250 to 999 milliseconds, and hold time = 750 to 3000 milliseconds. In
Cisco IOS Software, hello = 15 to 999 milliseconds, and hold time = 50 to 3000
milliseconds.
• If you remove the feature hsrp command, all relevant HSRP configuration information
is also removed.
• HSRPv1 is enabled by default (HSRPv2 can be enabled per interface).
• HSRPv1 supports 256 group numbers (0 to 255). HSRPv2 supports 4096 group numbers
(0 to 4095).
• HSRPv1 and HSRPv2 are not compatible. However, a device can be configured to run a
different version on different interfaces.
• The show running-config hsrp command displays the current HSRP configuration.
• Configuration of more than one FHRP on an interface is not recommended.
• Object tracking is supported. Tracking can be configured for an interface’s line protocol
state, IP address state, and for IP route reachability (determining whether a route is
available in the routing table).
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS uses
a hierarchical configuration, and it uses the hsrp keyword instead of the standby keyword for
configuration and verification commands. Both enhancements make the configuration easier to
read.
Cisco IOS Software                              Cisco NX-OS
interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
                                                  ip 192.168.10.1

interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
 standby 0 priority 110                           preempt
 standby 0 preempt                                priority 110
                                                  ip 192.168.10.1

interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
 standby 0 timers 1 3                             timers 1 3
                                                  ip 192.168.10.1

interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
 standby 0 timers msec 250 msec 750               timers msec 250 msec 750
                                                  ip 192.168.10.1

interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
 standby 0 authentication md5 key-string          authentication md5 key-string cisco123
   cisco123                                       ip 192.168.10.1

interface Ethernet2/1                           interface Ethernet2/1
 ip address 192.168.10.2 255.255.255.0           ip address 192.168.10.2/24
 standby 0 ip 192.168.10.1                       hsrp 0
 standby 0 track 1 decrement 20                   track 1 decrement 20
                                                  ip 192.168.10.1
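The mapping in the table above is mechanical enough to script, which is useful when a large number of interfaces move from IOS to NX-OS. The following converter is an added example and not code from the original page: it takes one IOS interface stanza, renames speed-labelled interfaces to the NX-OS Ethernet label, rewrites dotted masks as /prefix, groups the standby options under hsrp <group>, emits hsrp version 2 when a group number above 255 is used, and refuses millisecond timers that fall below the NX-OS ranges quoted in the bullets (IOS allows shorter hello timers than NX-OS accepts). The sample stanza, the function names and the decision to pass unknown interface commands through unchanged are assumptions of this example.

```python
"""Translate a Cisco IOS HSRP interface stanza into the hierarchical NX-OS
form used in the comparison above (added example, not from the original
page). Interface names carrying a speed designation are renamed to the
NX-OS 'Ethernet' label; dotted masks become /prefix notation; 'standby'
options are grouped under 'hsrp <group>'."""
import re
from typing import Dict, List, Tuple

# Millisecond timer ranges NX-OS accepts (from the HSRP bullets above).
NXOS_MSEC_HELLO = (250, 999)
NXOS_MSEC_HOLD = (750, 3000)
# Highest group number HSRPv1 (the NX-OS default) allows.
HSRPV1_MAX_GROUP = 255

# Constructed sample input (IOS syntax).
SAMPLE_IOS = """interface GigabitEthernet2/1
 ip address 192.168.10.2 255.255.255.0
 standby 0 ip 192.168.10.1
 standby 0 priority 110
 standby 0 preempt
 standby 0 timers msec 250 msec 750
 standby 0 authentication md5 key-string cisco123
"""


def _check_range(name: str, value: int, bounds: Tuple[int, int]) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} ms is outside the NX-OS range {lo}-{hi} ms")


def _mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24 (assumes a contiguous mask)."""
    return bin(int.from_bytes(bytes(int(o) for o in mask.split(".")), "big")).count("1")


def ios_to_nxos_hsrp(ios_config: str) -> List[str]:
    """Return NX-OS configuration lines for one IOS interface stanza."""
    out: List[str] = []
    groups: Dict[int, List[str]] = {}
    for raw in ios_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            # NX-OS labels every port 'Ethernet' with no speed designation.
            out.append(re.sub(r"^interface \S*Ethernet", "interface Ethernet", line))
            continue
        m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            out.append(f"  ip address {m.group(1)}/{_mask_to_prefix(m.group(2))}")
            continue
        m = re.match(r"standby (\d+) (.+)$", line)
        if not m:
            out.append(f"  {line}")  # unrelated interface command, passed through
            continue
        group, option = int(m.group(1)), m.group(2)
        t = re.match(r"timers msec (\d+) msec (\d+)$", option)
        if t:  # NX-OS rejects the shorter msec timers IOS allows; fail loudly
            _check_range("hello", int(t.group(1)), NXOS_MSEC_HELLO)
            _check_range("hold", int(t.group(2)), NXOS_MSEC_HOLD)
        groups.setdefault(group, []).append(option)
    if any(g > HSRPV1_MAX_GROUP for g in groups):
        out.append("  hsrp version 2")  # groups above 255 need HSRPv2 on the interface
    for group in sorted(groups):
        out.append(f"  hsrp {group}")
        out.extend(f"    {option}" for option in groups[group])
    return out


if __name__ == "__main__":
    print("\n".join(ios_to_nxos_hsrp(SAMPLE_IOS)))
```

Run it on a real stanza after reviewing the output: the converter only knows the standby options shown in the table, and anything it does not recognise is copied through verbatim for a human to check.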
DHCP Relay
• DHCP command-line interface (CLI) configuration and verification commands are not
available until you enable the DHCP feature with the feature dhcp command.
• The DHCP service is not enabled by default, whereas it is enabled by default in Cisco
IOS Software.
• The DHCP-Relay command ip dhcp relay address is equivalent to the ip helper-address
command in Cisco IOS Software.
• Only packets destined to User Datagram Protocol (UDP) ports 67 (bootps) and 68 (bootpc) are
forwarded by the relay, whereas Cisco IOS Software forwards additional protocols by default
(Trivial File Transfer Protocol [TFTP], Domain Name System [DNS], Time, NetBIOS,
and Neighbor Discovery). Check for clients that relied on ip helper-address to reach
TFTP or DNS servers before migrating an interface.
• The Cisco NX-OS cannot act as a DHCP server.
• If you remove the feature dhcp command, all relevant DHCP configuration information
is also removed.
• Prior to NX-OS 4.2(1), the service dhcp command enabled the DHCP Relay feature. In
NX-OS 4.2(1) the command was changed to ip dhcp relay.
• Sixteen DHCP Relay addresses can be configured per interface.
• DHCP packets are always forwarded by the DHCP relay within the same Virtual Routing and
Forwarding (VRF) instance assigned to the interface.
• Prior to NX-OS 4.2(1), a DHCP relay address had to be assigned to every interface that might
have a client, even when the server resided in the same Layer-2 broadcast domain (VLAN).
This was fixed in the 4.2(1) software.
• DHCP Option 82 information can be configured with the ip dhcp relay information
option global command.
• The DHCP Relay configuration can be verified with the show ip dhcp relay address
command.
STP
• Spanning-Tree best practices are applicable to both Cisco NX-OS and Cisco IOS Software.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. The CLI is identical with the exception of the port type
terminology. The Cisco IOS uses the portfast designation, whereas Cisco NX-OS uses the port
type designation.
Cisco IOS Software                              Cisco NX-OS
 switchport                                      switchport
 spanning-tree portfast                          spanning-tree port type edge
   or                                              or
 spanning-tree portfast trunk                    spanning-tree port type edge trunk

Configuring MST
no spanning-tree mst simulate pvst global       no spanning-tree mst simulate pvst global
   or                                              or
 switchport                                      switchport
 spanning-tree mst simulate pvst disable         spanning-tree mst simulate pvst disable
EIGRP
• EIGRP command-line interface (CLI) configuration and verification commands are not
available until you enable the EIGRP feature with the feature eigrp command.
• The EIGRP protocol requires the Enterprise Services license.
• The EIGRP instance tag can be up to 20 characters, whereas Cisco IOS Software supports
only autonomous system numbers 1-65535.
• Eight equal-cost paths are supported by default; Cisco NX-OS supports up to 16.
• Route auto-summarization is disabled by default.
• Networks and interfaces are added to an EIGRP instance under the interface
configuration mode.
• If a router ID is not manually configured, the loopback-0 IP address is always preferred.
If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback
interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP
address for the first physical interface in the configuration.
• A default route can be generated with the default-information originate command,
whereas Cisco IOS Software requires additional CLI commands to achieve similar
results.
• When interface authentication is configured, the EIGRP key is stored in the configuration
encrypted with Triple DES (3DES). Cisco IOS Software requires the service password-encryption
command to obscure the key in the configuration.
• Distribute-lists used to filter routes from routing updates are applied under the interface
with the ip distribute-list eigrp command, as opposed to under the EIGRP router
instance.
• Four EIGRP instances can be configured per virtual device context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated with an EIGRP
instance.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS
allows EIGRP to be enabled and disabled globally, and it has a more interface-centric
configuration that makes it easier to read. In addition, Cisco NX-OS has the capability to
generate a default route, whereas Cisco IOS Software requires additional CLI commands to
achieve similar results.
Cisco IOS Software                              Cisco NX-OS
                                                feature eigrp
router eigrp 10                                 router eigrp 10
 network 192.168.10.0                           interface Ethernet2/1
                                                 ip address 192.168.10.1/24
                                                 ip router eigrp 10

interface GigabitEthernet2/1                    interface Ethernet2/1
 ip address 192.168.10.1 255.255.255.0           ip address 192.168.10.1/24
 ip authentication mode eigrp 10 md5             ip router eigrp 10
 ip authentication key-chain eigrp 10 eigrp-key  ip authentication mode eigrp 10 md5
                                                 ip authentication key-chain eigrp 10 eigrp-key

router eigrp 10                                 router eigrp 10
 network 192.168.10.0                           interface Ethernet2/1
 distribute-list prefix eigrp-10-list out        ip address 192.168.10.1/24
   GigabitEthernet2/1                            ip router eigrp 10
                                                 ip distribute-list eigrp 10 prefix-list eigrp-10-list out
OSPF
• OSPF command-line interface (CLI) configuration and verification commands are not
available until you enable the OSPF feature with the feature ospf command.
• The OSPF protocol requires the Enterprise Services license.
• The OSPF instance tag can consist of up to 20 characters, whereas Cisco IOS Software supports
only process IDs 1-65535.
• Eight equal-cost paths are supported by default. You can configure up to sixteen.
• The default reference bandwidth used in the OSPF cost calculation is 40 Gbps.
• Networks and interfaces are added to an OSPF instance under the interface configuration
mode.
• An OSPF area can be configured using decimal or decimal dotted notation, but it is
always displayed in decimal dotted notation in the configuration and in the show
command output.
• Passive interfaces are applied to the interface as opposed to under the OSPF router
instance.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred.
If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback
interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP
address for the first physical interface in the configuration.
• Neighbor adjacency changes are not logged by default. The log-adjacency-changes CLI
command is required under the OSPF instance.
• When interface authentication is configured, the OSPF key is stored in the configuration
encrypted with Triple DES (3DES). Cisco IOS Software requires the service password-encryption
command to obscure the key in the configuration.
• When you roll over an OSPF authentication key in a mixed Cisco NX-OS/Cisco IOS
network, configure both keys on the Cisco NX-OS router so that there is sufficient overlap
between the old key and the new key for a smooth transition. Configure the new key as a
valid accept key on all the NX-OS and IOS routers before it becomes a valid generation
(send) key in the key chain. During the overlap period, Cisco NX-OS transmits with the
new OSPF key and accepts OSPF packets authenticated with either the old key or the
new key.
• The NX-OS does not support distribute-lists used to remove OSPF routes from the
routing table. The NX-OS does support inter-area LSA/route filtering using the filter-list
command configured under the OSPF routing instance.
• Four OSPF instances can be configured per virtual device context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated to an OSPF
instance.
• If you remove the feature ospf command, all relevant OSPF configuration information is
also removed.
• The shutdown command under the OSPF process can be used to disable OSPF while
retaining the configuration. Similar functionality can also be applied per interface with
the ip ospf shutdown command.
• The show running-config ospf command displays the current OSPF configuration.
• An OSPF instance can be restarted with the restart ospf <instance #> command.
• Graceful Restart (RFC 3623) is enabled by default.
• OSPF supports stateful process restarts if two supervisors are present.
• You cannot configure multiple OSPF instances on the same interface.
• An interface can support multi-area adjacencies using the multi-area option with the ip
router ospf interface command.
• Secondary IP addresses are advertised by default, but can be suppressed per interface
with the ip router ospf <instance> area <#> secondaries none interface command.
• By default all loopback IP address subnet masks are advertised in an LSA as a /32. The
loopback interface command ip ospf advertise-subnet can be configured to advertise the
primary IP address subnet mask. (This command does not apply to secondary IP
addresses. They will still be advertised as a /32.)
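The key rollover rule in the bullets above (the new key must be an accept key everywhere before any router generates with it) can be checked mechanically before the change window. The following is an added example and not code from the page: it models each router's key chain as accept and send lifetimes on an integer timeline and reports every instant at which the sending router's generation key is not an accept key on its neighbour. The Key class, the half-open windows, the lowest-key-id tie break when send lifetimes overlap, and the sample lifetimes are all constructed assumptions of this model rather than statements about device behaviour.

```python
"""Check an OSPF authentication key rollover for a coverage gap: at every
instant, the key one router generates with must be an accept key on the
neighbour. Added example modelling the rollover rule described above; it
is not code from the original page. Times are plain integers (e.g. minutes
since the change window opened) and lifetimes are half-open [start, end)
windows, both assumptions of this model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Window = Tuple[int, int]  # [start, end), end exclusive


@dataclass(frozen=True)
class Key:
    key_id: int
    accept: Window  # accept-lifetime: packets signed with this key are accepted
    send: Window    # send-lifetime: this key may be used to generate the digest


def _active(chain: List[Key], t: int, attr: str) -> List[Key]:
    return [k for k in chain if getattr(k, attr)[0] <= t < getattr(k, attr)[1]]


def send_key_at(chain: List[Key], t: int) -> Optional[Key]:
    """Key used to generate the digest at time t. When several send-lifetimes
    overlap this picks the lowest key-id (an assumption of the model, not a
    statement about the device's selection order)."""
    active = _active(chain, t, "send")
    return min(active, key=lambda k: k.key_id) if active else None


def rollover_gaps(sender: List[Key], receiver: List[Key]) -> List[Tuple[int, int]]:
    """(time, key_id) pairs at which the sender generates with a key the
    receiver does not accept. Only lifetime boundaries (and the instant
    before each) need probing because nothing changes in between."""
    edges = {e for k in sender + receiver for w in (k.accept, k.send) for e in w}
    probes = sorted(edges | {e - 1 for e in edges if e > 0})
    gaps = []
    for t in probes:
        k = send_key_at(sender, t)
        if k is None:
            continue
        accepted = {a.key_id for a in _active(receiver, t, "accept")}
        if k.key_id not in accepted:
            gaps.append((t, k.key_id))
    return gaps


def check_pair(a: List[Key], b: List[Key]) -> List[Tuple[str, int, int]]:
    """Both directions of one adjacency, tagged 'a->b' / 'b->a'."""
    return [("a->b", *g) for g in rollover_gaps(a, b)] + [("b->a", *g) for g in rollover_gaps(b, a)]


# Constructed sample: the NX-OS side starts generating with key 2 at t=120,
# but the IOS side was configured to accept key 2 only from t=150, so the
# overlap the procedure above calls for is missing for 30 time units.
NXOS_CHAIN = [Key(1, accept=(0, 200), send=(0, 120)), Key(2, accept=(100, 1000), send=(120, 1000))]
IOS_CHAIN_BAD = [Key(1, accept=(0, 200), send=(0, 150)), Key(2, accept=(150, 1000), send=(150, 1000))]
# Corrected: key 2 is an accept key on the IOS router before NX-OS starts sending it.
IOS_CHAIN_GOOD = [Key(1, accept=(0, 200), send=(0, 150)), Key(2, accept=(100, 1000), send=(150, 1000))]

if __name__ == "__main__":
    print("bad :", check_pair(NXOS_CHAIN, IOS_CHAIN_BAD))
    print("good:", check_pair(NXOS_CHAIN, IOS_CHAIN_GOOD))
```

Probing only the lifetime boundaries is sufficient because the set of active keys on either side can only change at a boundary; checking the instant before each boundary catches the last moment of an expiring window.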
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are two significant differences: Cisco NX-OS
allows OSPF to be enabled and disabled globally, and it has a more interface-centric
configuration that makes it easier to read.
Cisco IOS Software                              Cisco NX-OS
(Cisco IOS Software does not have the ability   feature ospf
to enable or disable OSPF using the feature
command.)

router ospf 10                                  router ospf 10
 network 192.168.10.0 0.0.0.255 area 1          interface Ethernet2/1
                                                 ip address 192.168.10.1/24
                                                 ip router ospf 10 area 1

router ospf 10                                  router ospf 10
 passive-interface GigabitEthernet2/1           interface Ethernet2/1
 network 192.168.11.0 0.0.0.255 area 1           ip address 192.168.11.1/24
                                                 ip ospf passive-interface
                                                 ip router ospf 10 area 1

interface GigabitEthernet2/1                    interface Ethernet2/1
 ip address 192.168.10.1 255.255.255.0           ip address 192.168.10.1/24
 ip ospf authentication message-digest           ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123       ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
                                                 ip router ospf 10 area 1
BGP
• BGP CLI configuration and verification commands are not available until you enable the
BGP feature with the feature bgp command.
• The BGP protocol requires an Enterprise Services license.
• Autonomous system numbers can be configured as 16-bit or 32-bit values.
• Address families need to be explicitly enabled (e.g., IPv4 unicast, IPv6 unicast).
• By default, eBGP supports 8 equal-cost paths and iBGP supports 1. Cisco NX-OS
supports up to 16 equal-cost paths for both eBGP and iBGP.
• Automatic Route Summarization and Synchronization are disabled by default.
• BGP consists of a hierarchical configuration based on neighbors and address families.
• If a router ID is not manually configured, the loopback 0 IP address is always preferred.
If loopback 0 does not exist, Cisco NX-OS selects the IP address for the first loopback
interface in the configuration. If no loopback interfaces exist, Cisco NX-OS selects the IP
address for the first physical interface in the configuration.
• Neighbor logging is not enabled by default under the BGP instance. Neighbor logging
can be enabled with the log-neighbor-changes command.
• When neighbor authentication is configured, the BGP key is stored in the configuration
encrypted with Triple DES (3DES). Cisco IOS Software requires the service password-encryption
command to obscure it in the configuration.
• One BGP instance can be configured per Virtual Device Context (VDC).
• Numerous Virtual Route Forwarding (VRF) instances can be associated to a BGP
instance.
• If the feature bgp command is removed, all relevant BGP configuration information is
also removed.
• Network statements must be configured under their respective address-family
configuration mode when advertising them via BGP.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are three significant differences: Cisco NX-OS allows
BGP to be enabled and disabled globally; it uses a hierarchical configuration that makes it
easier to read; and it does not enable any address family by default, so each address family
must be explicitly enabled. The following examples demonstrate this using the IPv4 unicast
address family.
Cisco IOS Software                              Cisco NX-OS
router bgp 10                                   router bgp 10
 neighbor 192.168.2.1 remote-as 10               neighbor 192.168.2.1 remote-as 10
 neighbor 192.168.2.1 update-source Loopback0     update-source loopback0
                                                  address-family ipv4 unicast

router bgp 10                                   router bgp 10
 neighbor 192.168.10.2 remote-as 11              neighbor 192.168.10.2 remote-as 11
 neighbor 192.168.10.2 password cisco123          password 3 a667d47acc18ea6b
                                                  address-family ipv4 unicast

router bgp 10                                   router bgp 10
 neighbor 192.168.10.2 remote-as 11              neighbor 192.168.10.2 remote-as 11
 neighbor 192.168.10.2 default-originate          address-family ipv4 unicast
                                                   default-originate
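Several bullets on this page describe defaults that matter when an NX-OS configuration is reviewed: the Telnet server is a feature that must be explicitly enabled, VTY timeouts are disabled by default, OSPF adjacency and BGP neighbor logging are off unless configured, and a secret stored with a type indicator (3 for 3DES, as in the password 3 a667d47acc18ea6b line above) is encrypted while a bare word is clear text. Note that 3DES storage is reversible encryption rather than a hash, so a configuration file containing such keys is still sensitive material. The script below is an added example that is not part of the original page; it checks a running-config excerpt for those points. The two sample configurations are constructed, and the finding names are the script's own.

```python
"""Audit an NX-OS running-config excerpt for the security-relevant points
raised on this page: the Telnet server feature, secrets that are not stored
in an encrypted form (NX-OS shows encrypted secrets with a type indicator,
e.g. 'password 3 a667d47acc18ea6b'), OSPF/BGP instances without adjacency
or neighbour logging, and the VTY timeout that NX-OS disables by default.
Added example, not from the original page; the sample configs are
constructed and the finding names are this script's own."""
import re
from typing import Iterator, List, Tuple

# Lines whose trailing argument is a secret. A leading type indicator
# (3 = 3DES, 5 = hashed, 6/7 = other stored forms) means it is not clear text.
SECRET_LINE = re.compile(
    r"^(?:ip ospf message-digest-key \d+ md5"
    r"|username \S+ password"
    r"|password(?! strength-check)"
    r"|authentication md5 key-string"
    r"|key-string)\s+(?P<rest>.+)$"
)
ENCRYPTED_TYPE = re.compile(r"^[3567]\s")

Finding = Tuple[str, str]

# Constructed weak configuration: Telnet on, HSRP and BGP secrets in clear
# text, OSPF without adjacency logging, no VTY timeout configured.
WEAK_CONFIG = """\
feature telnet
feature ospf
feature bgp
username admin password 5 $1$constructed$notarealhash role network-admin
password strength-check
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
  ip router ospf 10 area 1
  hsrp 0
    authentication md5 key-string cisco123
    ip 192.168.10.254
router ospf 10
  router-id 10.0.0.1
router bgp 10
  log-neighbor-changes
  neighbor 192.168.10.2 remote-as 11
    password cisco123
"""

# Constructed hardened counterpart: the HSRP key moved to a key chain.
HARDENED_CONFIG = """\
feature ospf
feature bgp
line vty
  exec-timeout 15
interface Ethernet2/1
  ip ospf message-digest-key 1 md5 3 a667d47acc18ea6b
  hsrp 0
    authentication md5 key-chain hsrp-keys
router ospf 10
  log-adjacency-changes
router bgp 10
  log-neighbor-changes
  neighbor 192.168.10.2 remote-as 11
    password 3 a667d47acc18ea6b
"""


def _stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level line, [indented lines]) per stanza; nested sub-modes
    such as 'hsrp 0' under an interface are flattened into the body."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    vty_timeout_set = False
    for header, body in _stanzas(config):
        if header == "feature telnet":
            findings.append(("telnet-enabled", header))
        if header.startswith("router ospf") and "log-adjacency-changes" not in body:
            findings.append(("ospf-no-adjacency-logging", header))
        if header.startswith("router bgp") and "log-neighbor-changes" not in body:
            findings.append(("bgp-no-neighbor-logging", header))
        if header.startswith("line vty"):
            vty_timeout_set = any(
                b.startswith("exec-timeout ") and b != "exec-timeout 0" for b in body
            )
        for line in [header, *body]:
            m = SECRET_LINE.match(line)
            if m and not ENCRYPTED_TYPE.match(m.group("rest")):
                findings.append(("cleartext-secret", line))
    if not vty_timeout_set:
        # VTY lines are absent from the default config and their timeout is off by default.
        findings.append(("vty-timeout-disabled", "line vty (not set; NX-OS default is no timeout)"))
    return findings


if __name__ == "__main__":
    for name, detail in audit(WEAK_CONFIG):
        print(f"{name}: {detail}")
```

The audit treats an absent line vty stanza as a finding on purpose: the Configuration Fundamentals bullets note that VTY settings do not appear in the running configuration until modified and that the timeout is disabled by default, so silence in the config means the weak default is in effect.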
BGP (Advanced)
• Peer and session templates define neighbor attributes such as security passwords, timers,
and transport options.
• Peer templates and session templates have identical configuration capabilities with one
exception: peer templates can configure address families.
• Peer and session templates are inherited by a neighbor through the BGP neighbor
configuration mode.
• Only one peer template and session template can be inherited by a single BGP neighbor.
• Peer templates can inherit session templates.
• Session templates can inherit other session templates.
• Policy templates define address-family policies for inbound or outbound policies,
including default-route origination, filter lists, route-map policies, prefix lists, etc.
• Multiple policy templates can be assigned per neighbor. Policy templates are executed in
order based on the configured sequence number.
Configuration Comparison
The following sample code shows the configuration similarities and differences between the
Cisco NX-OS and Cisco IOS Software CLIs. The configurations are very similar with the
exception of the hierarchy used in Cisco NX-OS.
Cisco IOS Software                              Cisco NX-OS
router bgp 10                                   router bgp 10
 no synchronization                              address-family ipv4 unicast
 network 192.168.11.1 mask 255.255.255.255        network 192.168.11.1/32
 neighbor 192.168.2.1 remote-as 10               neighbor 192.168.2.1 remote-as 10
 neighbor 192.168.2.1 update-source Loopback0     update-source loopback0
 neighbor 192.168.2.1 route-reflector-client      address-family ipv4 unicast
 no auto-summary                                   route-reflector-client

router bgp 10                                   router bgp 10
 no synchronization                              address-family ipv4 unicast
 network 192.168.11.1 mask 255.255.255.255        network 192.168.11.1/32
 neighbor IBGP-Template peer-group               template peer IBGP-Template
 neighbor IBGP-Template password cisco123         password 3 a667d47acc18ea6b
 neighbor IBGP-Template update-source Loopback0   update-source loopback0
 neighbor 192.168.2.1 remote-as 10                address-family ipv4 unicast
 neighbor 192.168.2.1 peer-group IBGP-Template   neighbor 192.168.2.1 remote-as 10
 no auto-summary                                  inherit peer IBGP-Template

router bgp 10                                   router bgp 10
 template peer-policy EBGP-Policy                address-family ipv4 unicast
  default-originate                               network 192.168.11.1/32
  send-community                                 template peer-policy EBGP-Policy
 exit-peer-policy                                 default-originate
 no synchronization                               send-community
 no auto-summary

router bgp 10                                   router bgp 10
 no synchronization                              address-family ipv4 unicast
 network 192.168.11.1 mask 255.255.255.255        network 192.168.11.1/32
 neighbor 192.168.10.2 remote-as 20              neighbor 192.168.10.2 remote-as 20
 neighbor 192.168.10.2 route-map EBGP-Policy out  address-family ipv4 unicast
 no auto-summary                                   route-map EBGP-Policy out
Multicast
• If you remove the feature pim command, all relevant PIM configuration information is
also removed.
• If you remove the feature msdp command, all relevant MSDP configuration information
is also removed.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are a few significant differences: Cisco NX-OS does
not require the global ip multicast-routing command, but does require PIM and MSDP to be
enabled individually with the global feature CLI commands. The Cisco NX-OS has backward-
compatible syntax with Cisco IOS Software when configuring PIM BSR and Auto-RP, but Cisco
NX-OS requires RP forwarding and/or listening to be configured prior to learning or forwarding
dynamic RP information. Both Cisco NX-OS and Cisco IOS Software support multicast routing
within a VRF instance, but Cisco NX-OS requires global commands to be configured under the
VRF context as opposed to using the vrf option as with Cisco IOS Software.
Cisco IOS Software                              Cisco NX-OS
ip multicast-routing                            feature pim
                                                feature msdp
interface loopback0                             interface loopback0
 ip address 192.168.10.1 255.255.255.255         ip address 192.168.10.1/32
 ip pim sparse-mode                              ip pim sparse-mode

(Cisco IOS Software does not have the ability   interface loopback10
to enable the PIM Anycast RP feature.)           description Anycast-RP-Address
                                                 ip address 172.16.1.1/32
                                                 ip pim sparse-mode

(Cisco IOS Software does not have the ability   interface Ethernet1/1
to enable PIM neighbor authentication.)          ip address 192.168.10.1/24
                                                 ip pim sparse-mode

interface TenGigabitEthernet1/1                 interface Ethernet1/1
 ip pim bsr-border                               ip address 192.168.10.1/24
 ip multicast boundary 10                        ip pim sparse-mode
access-list 10 deny 224.0.1.39                   ip pim border

interface Loopback10                            interface loopback10
 ip vrf forwarding production                    vrf member production
 ip pim sparse-mode                              ip pim sparse-mode

interface Vlan10                                vlan 10
 ip address 192.168.10.1 255.255.255.0           ip igmp snooping querier 192.168.10.1
 ip igmp snooping querier
Netflow
• NetFlow command-line interface (CLI) configuration and verification commands are not
available until you enable the NetFlow feature with the feature netflow command.
• Two flow modes are supported: full and sampled.
• Sampled mode supports packet-based sampling (1-64 out of 1-8192).
• In sampled mode, the sampling occurs before the NetFlow cache is populated.
• Each line-card module supports 512,000 NetFlow cache entries.
• Layer 2 NetFlow based on MAC addresses is not supported at this time.
• A flexible architecture is used that consists of flow records, flow exporters, and flow
monitors.
• Cisco NX-OS supports more key and non-key fields for creating flow records and can
collect additional information such as TCP flags and system uptime.
• NetFlow Versions 5 and 9 Export features are supported (Version 9 is recommended).
• A source interface must be configured for each flow export.
• Cisco NX-OS defaults to User Datagram Protocol (UDP) port 9995 for NetFlow Data
Export.
• Cisco NX-OS provides more granular aging timers (session timer and aggressive
threshold).
• The default aging timer values are different than in Cisco IOS Software.
• The NetFlow feature supports stateful process restarts.
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. There are several significant differences: Cisco NX-OS
allows NetFlow to be enabled and disabled globally, and it uses a more flexible architecture that
allows different statistics to be collected for different applications. The Cisco IOS Software
syntax shown here is from Cisco IOS Software Release 12.2(18)SXH.
Cisco IOS Software                              Cisco NX-OS
                                                feature netflow
(Cisco IOS Software does not have the ability   flow exporter Netflow-Exporter-1
to create flow monitors that associate           version 9
NetFlow records to NetFlow exporters.)          flow monitor NF-Mntr-1
                                                 description Applied Inbound-Eth-2/1
                                                 record Netflow-Record-1
                                                 exporter Netflow-Exporter-1
interface GigabitEthernet2/1                    interface Ethernet2/1
 mls netflow sampling                            ip flow monitor NF-Mntr-1 input sampler NF-Sampler-1
SPAN
• Two active SPAN sessions are supported for all virtual device contexts (VDCs).
• Monitor sessions are disabled by default. They can be enabled with the no shut
command.
• The source traffic direction can be configured as rx, tx, or both. The default is both.
• When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the
specified VLAN are sent to the destination.
• The in-band control-plane interface to the CPU can be monitored only from the default
VDC. (All VDC traffic is visible.)
• By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.
• A destination port can be configured in switchport access or trunk mode. (Trunk mode
allows you to tag traffic toward a destination or to perform destination VLAN filtering.)
• A destination port does not participate in a spanning-tree instance.
• A destination port can be configured in only one SPAN session at a time.
Configuration Comparison
The following sample code shows the configuration similarities and differences between the
Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software
syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar
to that of Cisco NX-OS. Older versions of Cisco IOS Software support only a flat
configuration.
Cisco IOS Software                              Cisco NX-OS
(Cisco IOS Software does not require any        interface Ethernet2/2
destination port configuration.)                 switchport
                                                 switchport monitor

monitor session 1 type local                    interface Ethernet2/2
 destination interface Gi2/2 ingress learning    switchport
                                                 switchport monitor ingress learning

monitor session 1 type local                    monitor session 1
 source interface Gi2/1                          source interface Ethernet2/1 both
 destination interface Gi2/2                     destination interface Ethernet2/2
                                                 no shut

interface GigabitEthernet2/1                    interface Ethernet2/1
 switchport                                      switchport
 switchport trunk encapsulation dot1q            switchport mode trunk
 switchport trunk allowed vlan 10-20             switchport trunk allowed vlan 10-20
 switchport mode trunk                           no shutdown
 no shutdown
monitor session 1 type local                    monitor session 1
 source interface Gi2/1                          source interface Ethernet2/1 both
 filter vlan 15-20                               filter vlan 15-20
 destination interface Gi2/2                     destination interface Ethernet2/2
                                                 no shut
• Different AAA, TACACS+, and RADIUS policies can be applied per virtual device
context (VDC). However, the console login policy only applies to the default VDC.
• If you remove the feature tacacs+ command, all relevant TACACS+ configuration
information is also removed.
• 64 TACACS+ and 64 RADIUS servers can be configured per device.
• AAA server groups are associated with the default virtual routing and forwarding (VRF)
instance by default. Associate the proper VRF instance with the AAA server group if you
are using the management port on the supervisor or if the AAA server is in a non-default
VRF instance.
• An IP source interface can be associated with AAA server groups.
• TACACS+ and RADIUS server keys can be specified for a group of servers or per
individual server.
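The SPAN and AAA notes above are the kind of rules a practitioner checks on every running-config, so here is an added audit script (not Cisco code and not part of the original page) that reads an NX-OS-style configuration and reports violations of them: a SPAN destination port without switchport monitor, a destination port configured with ingress (which lets the attached analyzer send frames into the switch), a destination port used by two sessions, a session left shut, a TACACS+ group without feature tacacs+, and a server group that sources from mgmt0 without use-vrf management. The sample configuration embedded in the block is constructed; its interface names, group names and addresses are assumptions.

```python
"""Audit an NX-OS running-config for the SPAN and AAA points listed above.
Added example, not Cisco code. SAMPLE_CONFIG is constructed; the interface
names, server-group names and addresses in it are assumptions."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
feature tacacs+
aaa group server tacacs+ AAA-Servers
  server 10.0.0.11
  deadtime 5
  source-interface mgmt0
aaa group server radius RAD-Servers
  server 10.0.0.21
  use-vrf management
  source-interface mgmt0
aaa authentication login default group AAA-Servers
interface Ethernet2/1
  switchport mode trunk
  switchport trunk allowed vlan 10-20
interface Ethernet2/2
  switchport monitor ingress learning
interface Ethernet2/3
  switchport
monitor session 1 type local
  source interface Ethernet2/1 both
  filter vlan 15-20
  destination interface Ethernet2/2
  no shut
monitor session 2 type local
  source interface Ethernet2/1 rx
  destination interface Ethernet2/3
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group the config into (top-level command, indented sub-commands) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_span(blocks: List[Tuple[str, List[str]]]) -> List[str]:
    """Check local SPAN sessions against the destination-port rules."""
    findings: List[str] = []
    interfaces = {h.split(" ", 1)[1]: body for h, body in blocks if h.startswith("interface ")}
    dest_sessions: Dict[str, List[str]] = {}
    for header, body in blocks:
        m = re.match(r"monitor session (\d+)", header)
        if not m:
            continue
        sid = m.group(1)
        if "no shut" not in body:  # sessions are created disabled
            findings.append(f"session {sid}: left shut (sessions are disabled by default)")
        for line in body:
            dm = re.match(r"destination interface (\S+)", line)
            if not dm:
                continue
            dest = dm.group(1)
            dest_sessions.setdefault(dest, []).append(sid)
            mon = [l for l in interfaces.get(dest, []) if l.startswith("switchport monitor")]
            if not mon:
                findings.append(f"session {sid}: {dest} lacks 'switchport monitor'")
            elif "ingress" in mon[0]:
                # ingress lets the attached analyzer send frames into the switch
                findings.append(f"session {sid}: {dest} accepts ingress traffic from the analyzer")
    for dest, sids in dest_sessions.items():
        if len(sids) > 1:  # a destination port belongs to one session at a time
            findings.append(f"{dest}: destination in sessions {', '.join(sids)}")
    return findings


def audit_aaa(blocks: List[Tuple[str, List[str]]]) -> List[str]:
    """Check server groups for the feature and VRF-binding rules."""
    findings: List[str] = []
    headers = [h for h, _ in blocks]
    groups: Dict[str, List[str]] = {}
    for header, body in blocks:
        m = re.match(r"aaa group server (tacacs\+|radius) (\S+)", header)
        if not m:
            continue
        proto, name = m.groups()
        groups[name] = body
        if proto == "tacacs+" and "feature tacacs+" not in headers:
            findings.append(f"group {name}: 'feature tacacs+' is not enabled")
        uses_mgmt = any(l.startswith("source-interface mgmt") for l in body)
        vrf = next((l.split()[-1] for l in body if l.startswith("use-vrf ")), "default")
        if uses_mgmt and vrf != "management":  # mgmt0 lives in VRF management
            findings.append(f"group {name}: sources from mgmt0 but is bound to VRF {vrf}")
    for header in headers:
        m = re.match(r"aaa authentication login (\S+) group (\S+)", header)
        if m and m.group(2) not in groups:
            findings.append(f"login {m.group(1)}: references undefined group {m.group(2)}")
    return findings


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_CONFIG)
    for finding in audit_span(parsed) + audit_aaa(parsed):
        print(finding)
```

Run against the sample, the script reports session 1's destination accepting ingress traffic, session 2 left shut with a destination that is not a monitor port, and the TACACS+ group that sources from mgmt0 while still bound to the default VRF; feed it the output of show running-config to audit a real device.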
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very
similar.
Cisco NX-OS:
aaa group server tacacs+ AAA-Servers
  deadtime 5
aaa group server radius AAA-Servers
  deadtime 5
aaa authentication login default group AAA-Servers
aaa authorization config-commands default group AAA-Servers
aaa authorization commands default group AAA-Servers

Cisco IOS Software:
aaa new-model
aaa group server tacacs+ AAA-Servers
  deadtime 5
aaa group server radius AAA-Servers
  deadtime 5
aaa authentication login default group AAA-Servers
aaa authorization config-commands
aaa authorization commands 1 default group AAA-Servers
Cisco NX-OS AAA                           Cisco IOS Software AAA      Command Description
show tacacs-server                        show tacacs                 Displays the TACACS+ server configuration for all servers
show tacacs-server <x.x.x.x>              -                           Displays a specific TACACS+ server configuration
show tacacs-server directed-request       -                           Displays the status of the directed-request feature (enabled or disabled)
show tacacs-server groups                 -                           Displays TACACS+ server groups
show tacacs-server statistics <x.x.x.x>   -                           Displays TACACS+ statistics for a specific server
show radius-server                        -                           Displays the RADIUS server configuration for all servers
show radius-server <x.x.x.x>              -                           Displays a specific RADIUS server configuration
show radius-server directed-request       -                           Displays the status of the directed-request feature (enabled or disabled)
show radius-server groups                 show radius server-group    Displays RADIUS server groups
show radius-server statistics <x.x.x.x>   show radius statistics      Displays RADIUS statistics for a specific server
show aaa accounting                       -                           Displays the status of AAA accounting
show aaa authentication                   -                           Displays the default and console login methods
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco
NX-OS and Cisco IOS Software CLIs. Sample code is provided only to illustrate how to enable
VRF routing. The Cisco NX-OS CLI is simpler and more consistent because it allows multiple VRF
instances to be assigned to a single routing protocol instance, whereas Cisco IOS Software uses
a different technique for each routing protocol.
Cisco NX-OS:
vrf context vrf-1
router bgp 10
  vrf vrf-1
    address-family ipv4 unicast
      network 192.168.1.1/32
    neighbor 192.168.10.2 remote-as 20
      address-family ipv4 unicast

Cisco IOS Software:
ip cef
ip vrf vrf-1
router bgp 10
  address-family ipv4 vrf vrf-1
    neighbor 192.168.10.2 remote-as 20
    neighbor 192.168.10.2 activate
    network 192.168.1.1 mask 255.255.255.255
  exit-address-family

Cisco NX-OS:
interface Ethernet2/1
  vrf member vrf-1
  ip address 192.168.10.1/24
  ip router isis 10
router isis 10
  net 49.0001.0000.0001.00

Cisco IOS Software:
interface Ethernet2/1
  ip vrf forwarding vrf-1
  ip address 192.168.10.1 255.255.255.0
  ip router isis 10

Cisco NX-OS:
router ospf 10
  vrf vrf-1
interface Ethernet2/1
  vrf member vrf-1
  ip address 192.168.10.1/24
  ip router ospf 10 area 0

Cisco IOS Software:
router ospf 10 vrf vrf-1
  network 192.168.10.0 0.0.0.255 area 0
interface Ethernet2/1
  ip vrf forwarding vrf-1
  ip address 192.168.10.1 255.255.255.0

Cisco NX-OS:
interface Ethernet2/1
  ip address 192.168.10.1/24
  ip router rip 10

Cisco IOS Software:
router rip
  address-family ipv4 vrf vrf-1
  exit-address-family