[c-nsp] Catalyst vs. Nexus

Lincoln Dale ltd at cisco.com
Wed Sep 9 08:51:29 EDT 2009


hi Todd,
a few of the cisco folks that are subscribed to cisco-nsp focus on the
Nexus range & we're a pretty friendly bunch.
there are a few things below that aren't quite correct.  see inline
below...

On 09/09/2009, at 8:43 PM, Todd, Douglas M. wrote:

> A few other thoughts on the Nexus difference from a 6500 based on my
> experience since I am still learning the 7K platform:
>
> 1) MPLS: the 7K is VRF-Lite style

actually, at this point in time, MPLS is not available on N7K.  the  
current shipping M1 forwarding engine based I/O modules are capable of  
MPLS which will be enabled in a future release.

w.r.t. VRFs, everything on NX-OS is vrf aware. NX-OS is similar to IOS  
CLI in look-and-feel but one fundamental difference is that there is  
no 'global' routing table like there is in IOS.  everything is a vrf.

> 2) Application of an access-list by doing a tftp->run (without
> removing the acl which is applied to the interface) is extremely taxing
> on the system and very slow. The Nexus seems to recompile the ACL after
> each line; there are workarounds vs having the acl upload completely
> and recompile once.

ACLs as entered in a "config terminal" session are applied to hardware  
the moment you hit enter on an individual line - yes.
the system is smart enough to do 'inline' ACL processing if you have  
an ACL that makes appropriate use of sequence numbers in it.

if you're just wholesale uploading a replacement ACL in bulk, then  
suggest you use "configure session" where you can ask the system to  
'verify' the ACL will fit in CL-TCAM resources then 'apply' it.
using configure sessions would not 'tax' it or iteratively recompute  
it on every new ACL line you enter.

see <http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/system_management/configuration/guide/sm_7sessionmgr.html>

ACLs are always committed in an atomic manner on N7K provided you have  
CL-TCAM resources to do so.

>
> 3) Nexus STP is RSTP, not PVST+

N7K's STP is PVRST(+) or MST - same as what you would have on a
Catalyst platform.
the only thing that isn't there (intentionally) is the ability to  
configure N7K as a legacy 802.1D STP - although as dictated by the  
standards, N7K can talk legacy 802.1D to legacy bridges - but you  
cannot intentionally configure it to behave in that legacy manner.

this is actually a good thing. :)


> 4) The TACACS implementation of this platform seems incomplete.
> 	TACACS is usable, but local-admin accounts must be configured and
> used for configuration.

this isn't quite true.  RBAC (role-based access control) is applied
to all management access, whether you're managing via CLI, SNMP or  
Netconf/XML.  this is a divergence from the historic IOS 'priv level  
15' / "enable" type mechanisms but there is no reason why you cannot  
assign a RBAC role from an AAA server whether that be via TACACS+ or  
RADIUS.

by default, a priv-level of 15 from an AAA server maps a user to the  
predefined RBAC role of network-admin or vdc-admin automatically.
alternatively you can have the AAA server provide the relevant AV-Pair  
to provide the RBAC role(s) a given user is in.

the documentation chapter on AAA on cisco.com provides the details for  
all of the above.
see <http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4.2_chapter3.html#con_1235748>

>
> 5) The layout of the configuration is different (as someone mentioned)
> 	Features must be enabled (i.e., ospf, tacacs must be enabled by using
> 'feature ???'); if the ospf feature is not enabled, it can't be used
> until it's enabled (not configured).

yep - that's intentional.  services are 'conditional' on NX-OS.  until
you enable the 'feature' the process for that feature is not running,  
consuming RAM or even part of the CLI parser chain.

> 	OSPF is configured mostly under the interface (passive-interface,
> process # vs globally)

there is the historic way of doing it too, if you wish to (e.g.  
'network' statements globally) - but the general feedback has been  
that interface-centric is more intuitive for many things.

> 6) QoS: you specify the queueing structure (i.e., 1P2q4T) and not the
> queueing or scheduling or thresholds.  Obviously there is the ability
> to tweak the QoS, but the base config viewing is much simpler

IOS is moving towards this level of QoS configuration too.  within
Cisco parlance this is referred to as MQC (Modular QoS CLI).


cheers,

lincoln.
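Added example, not part of Lincoln's post or of Cisco's documentation: the atomic ACL replacement he recommends for point 2, staged in an NX-OS configuration session so that no half-entered ACL is ever programmed into CL-TCAM. The session name ACL-SWAP, the ACL names EDGE-IN and EDGE-IN-V2, the interface Ethernet1/1 and the 192.0.2.0/24 prefix are assumptions chosen for illustration; the `!` lines are comments for the reader, not commands to type.

```cisco
! Added example, not from the original post. Names (ACL-SWAP, EDGE-IN,
! EDGE-IN-V2, Ethernet1/1, 192.0.2.0/24) are assumptions for illustration.
!
! Goal: swap the ACL bound to Ethernet1/1 without a window in which an
! incomplete ACL is in hardware. Nothing between "configure session" and
! "commit" touches CL-TCAM; it is only staged.
configure session ACL-SWAP
  ! 1. Build the replacement under a new name, with explicit sequence
  !    numbers so later edits can be inserted inline.
  ip access-list EDGE-IN-V2
    10 permit tcp any 192.0.2.0/24 eq 443
    20 permit tcp any 192.0.2.0/24 eq 22
    30 permit icmp any 192.0.2.0/24 echo-reply
    40 deny ip any any log
  ! 2. Rebind the interface to the new ACL inside the same session.
  interface Ethernet1/1
    ip access-group EDGE-IN-V2 in
  ! 3. Check the whole session against CL-TCAM resources first.
  verify
  ! 4. Program it in one step. If any part fails, nothing is applied.
  !    "abort" instead of "commit" discards the whole session.
  commit
!
! Only after the commit has succeeded, remove the old ACL (outside the
! session); the interface no longer references it.
no ip access-list EDGE-IN
!
! Checks:
show configuration session status
show ip access-lists EDGE-IN-V2
show running-config interface ethernet 1/1
```

The point of using a fresh name rather than editing EDGE-IN in place is that the interface binding and the ACL contents change in a single commit; a `tftp->run` or pasted `config terminal` session instead applies each ACE as it is entered, which is both the slowness Todd saw and a brief period in which the interface is filtered by a partial ACL.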

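Added example, not part of Lincoln's post or of Cisco's documentation: a TACACS+ setup for point 4 in which roles come from the AAA server rather than from local accounts. The server address 192.0.2.10, the group name TAC-ADMIN, the shared key EXAMPLE-KEY and the user name alice are assumptions chosen for illustration; the `!` lines are comments for the reader.

```cisco
! Added example, not from the original post. Server 192.0.2.10, group
! TAC-ADMIN, key EXAMPLE-KEY and user alice are assumptions for illustration.
feature tacacs+
tacacs-server host 192.0.2.10 key 0 EXAMPLE-KEY
aaa group server tacacs+ TAC-ADMIN
  server 192.0.2.10
  use-vrf management
  source-interface mgmt0
!
! Authenticate against TACACS+ first. "local" is consulted only when every
! server in the group is unreachable, not when the server rejects the login,
! so local accounts are a break-glass path rather than the everyday one.
aaa authentication login default group TAC-ADMIN local
aaa authentication login console group TAC-ADMIN local
aaa authentication login error-enable
!
! Send command accounting to the same servers.
aaa accounting default group TAC-ADMIN
!
! Role assignment is done on the server, per user or group:
!   - returning priv-lvl=15 maps the user to the predefined network-admin
!     role (vdc-admin inside a non-default VDC), as Lincoln describes;
!   - returning the cisco-av-pair  shell:roles="network-operator"  gives a
!     read-only role instead, so operators are not handed full admin just
!     because priv-lvl 15 was the only knob the server knew about.
!
! Verify the server path from the switch before removing local admin use:
test aaa group TAC-ADMIN alice <password>
show aaa authentication
show tacacs-server groups
```

Binding the server group to the `management` VRF and `mgmt0` keeps AAA traffic off the data plane, and the `shell:roles` attribute is what lets least-privilege roles (or custom roles defined with `role name`) be assigned centrally instead of by editing local accounts on each chassis.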
