[c-nsp] Catalyst vs. Nexus
Lincoln Dale
ltd at cisco.com
Wed Sep 9 08:51:29 EDT 2009
hi Todd,
a few of the cisco folks that are subscribed to cisco-nsp focus on the
Nexus range & we're a pretty friendly bunch.
there are a few things below that aren't quite correct. see inline
below...
On 09/09/2009, at 8:43 PM, Todd, Douglas M. wrote:
> A few other thoughts on the Nexus difference from a 6500 based on my
> experience
> since I am still learning the 7K platform:
>
> 1) MPLS the 7K is VRF Light style
actually, at this point in time, MPLS is not available on N7K. the
current shipping M1 forwarding engine based I/O modules are capable of
MPLS which will be enabled in a future release.
w.r.t. VRFs, everything on NX-OS is vrf aware. NX-OS is similar to IOS
CLI in look-and-feel but one fundamental difference is that there is
no 'global' routing table like there is in IOS. everything is a vrf.
> 2) Application of an access-list by doing a tftp->run (without
> removing the acl which is applied to the interface) is extremely
> taxing in the system and very slow. The Nexus seems to recompile the
> ACL after each line; there are workarounds vs having the acl upload
> completely and recompile once.
ACLs as entered in a "config terminal" session are applied to hardware
the moment you hit enter on an individual line - yes.
the system is smart enough to do 'inline' ACL processing if you have
an ACL that makes appropriate use of sequence numbers in it.
if you're just wholesale uploading a replacement ACL in bulk, then
suggest you use "configure session" where you can ask the system to
'verify' the ACL will fit in CL-TCAM resources then 'apply' it.
using configure sessions would not 'tax' it or iteratively recompute
it on every new ACL line you enter.
see <http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/system_management/configuration/guide/sm_7sessionmgr.html>
ACLs are always committed in an atomic manner on N7K provided you have
CL-TCAM resources to do so.
>
> 3) Nexus STP is RSTP not pvst+
N7K's STP is PVRST(+) or MST - same as what you would have on a
Catalyst platform.
the only thing that isn't there (intentionally) is the ability to
configure N7K as a legacy 802.1D STP - although as dictated by the
standards, N7K can talk legacy 802.1D to legacy bridges - but you
cannot intentionally configure it to behave in that legacy manner.
this is actually a good thing. :)
> 4) The TACACS implementation of this platform seems incomplete.
> TACACS is useable, but local-admin accounts must be configured and
> used for configuration.
this isn't quite true. RBAC (role-based access control) is applied
to all management access, whether you're managing via CLI, SNMP or
Netconf/XML. this is a divergence from the historic IOS 'priv level
15' / "enable" type mechanisms but there is no reason why you cannot
assign a RBAC role from an AAA server whether that be via TACACS+ or
RADIUS.
by default, a priv-level of 15 from an AAA server maps a user to the
predefined RBAC role of network-admin or vdc-admin automatically.
alternatively you can have the AAA server provide the relevant AV-Pair
to provide the RBAC role(s) a given user is in.
the documentation chapter on AAA on cisco.com provides the details for
all of the above.
see <http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4.2_chapter3.html#con_1235748>
>
> 5) The layout of the configuration is different (as someone mentioned).
> Features must be enabled (i.e., ospf, tacacs must be enabled by using
> 'feature ???'); if the ospf feature is not enabled, it can't be used
> until it's enabled (not configured).
yep - that's intentional. services are 'conditional' on NX-OS. until
you enable the 'feature' the process for that feature is not running,
consuming RAM or even part of the CLI parser chain.
> OSPF is configured mostly under the interface (passive-interface,
> process # vs globally)
there is the historic way of doing it too, if you wish to (e.g.
'network' statements globally) - but the general feedback has been
that interface-centric is more intuitive for many things.
> 6) QoS: you specify the queueing structure (i.e., 1P2q4T) and not the
> queueing or scheduling or thresholds. Obviously there is the ability
> to tweak the QoS, but the base config viewing is much simpler.
IOS is moving towards this level of QoS configuration too. within
Cisco parlance this is referred to as MQC (Modular QoS CLI).
>
cheers,
lincoln.
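For readers unfamiliar with NX-OS session manager, here is an added illustration (not part of Lincoln's reply or Cisco's documentation) of the "configure session" workflow he describes for replacing an ACL in bulk: the ACL name, entries and interface are made up, and the session is verified against CL-TCAM before a single atomic commit instead of per-line hardware programming.

```text
! Added example, NX-OS CLI. Names (ACL-REPLACE, EDGE-IN, e1/1) are
! illustrative only.
switch# configure session ACL-REPLACE
! Everything entered from here on is staged, not pushed to hardware.
switch(config-s)# ip access-list EDGE-IN
switch(config-s-acl)# 10 permit tcp any any eq 22
switch(config-s-acl)# 20 permit tcp any any eq 443
switch(config-s-acl)# 30 deny ip any any
switch(config-s-acl)# exit
switch(config-s)# interface ethernet 1/1
switch(config-s-if)# ip access-group EDGE-IN in
switch(config-s-if)# exit
! Check that the staged ACL fits the available CL-TCAM resources
! without applying anything yet.
switch(config-s)# verify
! Review what is pending before committing.
switch(config-s)# show configuration session ACL-REPLACE
! Apply the whole session to hardware in one atomic operation;
! use "abort" instead to discard the staged changes.
switch(config-s)# commit
switch# show configuration session summary
```

The "verify" step is where a too-large or mis-ordered ACL is rejected before it can touch the running interface, which is the point of doing bulk ACL replacement inside a session rather than line by line in "config terminal".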