Table Of Contents
Cisco Nexus1000V Release Notes, Release 4.0(4)SV1(1)
Contents
Introduction
Software Compatibility
Limitations and Restrictions
Configuration Limits
VMware Lab Manager
Access Lists
Netflow
Port Security
Port Profile
Telnet Enabled by Default
SSH Support
Cisco NX-OS Commands May Differ from Cisco IOS
Layer 2 Switching
No Spanning Tree Protocol
MAC Address Table
Maximum Allowed VLANs and MAC Addresses per VLAN
Cisco Discovery Protocol
DHCP Not Supported for the Management IP
LACP
Caveats
MIB Support
Related Documentation
Cisco Nexus1000V Release Notes, Release 4.0(4)SV1(1)
Updated: May 10, 2013
OL-19420-01
This document describes the features, caveats, and limitations for the Cisco Nexus 1000V Release 4.0(4)SV1(1) software. Use this document in combination with documents listed in the "Related Documentation" section.
Contents
This document includes the following information about Release 4.0(4)SV1(1) of the Cisco Nexus 1000V.
•
Introduction
•Software Compatibility
•Limitations and Restrictions
•Caveats
•MIB Support
•Related Documentation
Introduction
The Cisco Nexus 1000V provides a distributed, layer 2 virtual switch that extends across many virtualized hosts. The Cisco Nexus 1000V manages a Datacenter defined by the vCenter Server. Each server in the Datacenter is represented as a linecard in Cisco Nexus 1000V and can be managed as if it were a line card in a physical Cisco switch.
Cisco Nexus 1000V consists of the following two components:
•Virtual Supervisor Module (VSM), which contains the Cisco CLI, configuration, and high-level features
•Virtual Ethernet Module (VEM), which acts as a Line Card and runs in each virtualized server to handle packet forwarding and other localized functions, and is compatible with any upstream physical access layer switch that is Ethernet standard's compliant. This includes Catalyst and Nexus switches from Cisco as well as switches from other network vendors.
Software Compatibility
The servers running the Cisco Nexus 1000V VSM and VEM must be in the VMware Hardware Compatibility List (HCL) . This is a requirement for running the ESX 4.0 software, VMWare vSphere 4.0 Enterprise Plus.
Limitations and Restrictions
•Configuration Limits
•Access Lists
•Netflow
•Port Security
•Port Profile
•Telnet Enabled by Default
•SSH Support
•Cisco NX-OS Commands May Differ from Cisco IOS
•Layer 2 Switching
•Cisco Discovery Protocol
•DHCP Not Supported for the Management IP
•LACP
Configuration Limits
Use the following configuration limits with Cisco Nexus 1000V:
|
Component
|
Supported Limit
|
|
Maximum Modules:
|
66 |
Virtual Ethernet (VEM) |
64 |
|
Virtual Supervisor (VSM |
2 |
|
Hosts |
64 |
|
Active VLANs across all VEMs |
512 |
|
MACs over VLAN within a VEM |
1024 (1K) |
|
vEthernet interfaces per port profile |
1024 (1K) |
|
PVLAN |
256 |
Distributed Virtual Switches (DVS) per vCenter |
12 |
| |
Per DVS
|
Per Host
|
vEthernet interfaces |
2K |
216 |
Port Profiles |
256 |
|
System Port Profiles |
|
16 |
Port Channel |
256 |
8 |
Physical Trunks |
512 |
|
Physical NICs |
|
32 |
vEthernet Trunks |
256 |
8 |
ACL |
128 |
161 |
ACEs per ACL |
128 |
161 |
ACL Interfaces |
1024 |
128 |
NetFlow Policies |
32 |
8 |
NetFlow Interfaces |
256 |
32 |
SPAN/ERSPAN Sessions |
64 |
4 |
QoS Policy-Map |
128 |
16 |
QoS Class-Map |
1024 |
128 |
QoS Interfaces |
1024 |
128 |
Port Security |
1024 |
216 |
MultiCast Groups |
512 |
64 |
VMware Lab Manager
VMware Lab Manager does not support using the Cisco Nexus 1000V.
Access Lists
ACLs have the following limitations and restrictions:
Limitations:
•IPV6 ACL rules are not supported.
•VLAN-based ACLs (VACLs) are not supported.
Restrictions:
•IP ACL rules for TCP and UDP traffic cannot use logical operator neq (not equal to) to filter traffic based on port numbers.
•IP ACL rules do not support the following:
–established TCP connections filtering option
–fragments option
–addressgroup option
–portgroup option
–interface ranges
•Control VLAN traffic between the VSM and VEM does not go through ACL processing.
Netflow
The Netflow configuration has the following support, limitation, and restrictions:
•L2 match fields are not supported.
•Netflow Sampler is not supported.
•Netflow Exporter format V9 is supported
•Netflow Exporter format V5 is not supported.
•Multicast traffic type is not supported. Cache entries are created for multicast packets but packet/byte count does not reflect replicated packets.
The Netflow cache table has the following limitation:
•Immediate and Permanent cache types are not supported.
Note The cache size configured using the CLI defines the number of entries and not the size in bytes. The configured entries are allocated for each processor in the ESX host and the total memory allocated depends on the number of processors.
Port Security
Port Security has the following support, limitations, and restrictions:
•The Port Security feature is enabled globally by default.
The CLI command feature/no feature port-security is not supported.
•In response to a security violation, you can shut down the port
•Port Security Violation Actions that are supported on a Secure port are Shutdown and Protect. The Restrict Violation Action is not supported.
•Port Security is not supported on the PVLAN promiscuous ports.
Port Profile
Port profiles have the following restrictions or limitations:
•If you attempt to remove a port profile that is in use, that is, one that has already been auto-assigned to an interface, the Cisco Nexus 1000V generates an error message and does not allow the removal.
•When you remove a port profile that is mapped to a VMware port group, the associated port group and settings within the vCenter Server are also removed.
•Policy names are not checked against the policy database when ACL/Netflow policies are applied through port profile. It is possible to apply a non-existent policy.
Telnet Enabled by Default
The Telnet server is enabled by default.
For more information about Telnet, see the Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(1).
SSH Support
Only SSH version 2 (SSHv2) is supported.
For more information, see the Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(1).
Cisco NX-OS Commands May Differ from Cisco IOS
Be aware that the Cisco NX-OS CLI commands and modes may differ from those used in Cisco IOS.
For information about the CLI, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
Layer 2 Switching
This section lists the Layer 2 switching limitations and restrictions and includes the following topics:
•No Spanning Tree Protocol
•MAC Address Table
•Maximum Allowed VLANs and MAC Addresses per VLAN.
For detailed information about Layer 2, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.0(4)SV1(1).
No Spanning Tree Protocol
Its forwarding logic is designed to prevent network loops so the Cisco Nexus 1000V does not need to participate in Spanning Tree Protocol. Packets received from the network on any link connecting the host to the network are not forwarded back to the network by the Cisco Nexus 1000V.
MAC Address Table
The following are limitations and restrictions for the MAC address table:
•The forwarding table for each VLAN in a VEM can store up to 1024 MAC addresses.
For detailed information about Cisco Nexus 1000V MAC address table, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.0(4)SV1(1).
Maximum Allowed VLANs and MAC Addresses per VLAN
The following are the allowable number of VLANs and MAC addresses per VLAN that can be configured:
|
Feature
|
Maximum Limit
|
VLANs across all VEMs |
512 |
MAC addresses per VLAN within a VEM |
1024 (1K) |
For detailed information about Cisco Nexus 1000V VLAN configuration, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.0(4)SV1(1).
Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) runs over the data link layer and is used by the Cisco Nexus 1000V to advertise information to all Cisco devices it attaches to, and, in turn, to discover and view information about those Cisco devices. CDP runs on all Cisco-manufactured equipment.
Cisco Discovery Protocol (CDP) has the following configuration guidelines and limitations:
•CDP can discover up to 256 neighbors per port if the port is connected to a hub with 256 connections.
•The CDP feature is enabled globally by default.
•If disabled globally on the Cisco Nexus 1000V, then CDP is also disabled for all interfaces.
For more information about Cisco Discovery Protocol, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).
DHCP Not Supported for the Management IP
DHCP is not supported for the management IP. The management IP must be configured statically.
LACP
Link Aggregation Control Protocol is an IEEE standard protocol that aggregates Ethernet links into an Etherchannel.
Cisco Nexus 1000V has the following restrictions for enabling LACP on ports carrying the Control and Packet VLANs:
Note These restrictions do not apply to other data ports using LACP.
•At least two ports must be configured as part of the LACP channel.
•The upstream switch ports must be configured in spanning-tree portfast mode. The LACP negotiation causes upstream switchports to bounce as per protocol before starting the port aggregation process.
Without spanning-tree portfast on upstream switch ports, it takes ~30 seconds to recover these ports on the upstream switch, and since they are carrying Control and Packet VLANs, VSM loses connectivity to the VEM.
The following commands are available to use on Cisco upstream switch ports in interface configuration mode:
spanning-tree portfast
spanning-tree portfast trunk
spanning-tree portfast edge trunk
Caveats
The following are descriptions of the caveats in Cisco Nexus 1000V Release 4.0(4)SV1(1).
|
Bug ID
|
Caveat
|
CSCsq66077 |
Headline: Shutting an Ethernet interface in Cisco Nexus 1000V VSM is not reflected in the Cat6K. Symptom: After shutting down an Ethernet interface for an uplink port on the VSM, the physical network interface attached to it on the VEM and the switch port attached to the physical NIC do not shut down as expected. The output of the following command shows the interface as shut down: show interface ethX/Y The output of the following command shows that the NIC is up: esxcfg-nics -l Conditions: This happens on any ESX platform running Cisco NX-OS. Workaround: Use the shutdown command on the interface of the upstream switch. This brings down both the link on the upstream switch and the ESX physical NIC. Further Problem Description: The VEM sets the uplink port in the DOWN state, so that no traffic flows through that port. It is only the physical NIC attached to that DVS port which is not brought down. |
CSCsw32257 |
Headline: Shutting down a VSM VEthernet interface is not reflected in the VM. Symptom: After you shut down a VEthernet port on the VSM, it does not appear to be down from the VM. Conditions: The VM Guest OS, connected to the Cisco Nexus 1000V through a vEthernet port, does not see a link going down. A shutdown command on the VSM VEthernet interface shuts down the interface and stops traffic forwarding. Workaround: You can use the GuestOS utilities to bring down the interface. In a Linux system, for example, use the ifconfig down eth0 command. Further Problem Description: |
CSCsw49458 |
Headline: A change to the speed or duplex settings on a physical NIC causes module flap. Symptom: The port bounces and the module flaps after changing speed or duplex settings on an Ethernet interface. Conditions: The speed and duplex settings on Ethernet interfaces do not work on an interface carrying system VLANs. Workaround: Avoid configuring speed or duplex settings in a VSM connected to an upstream switch. Further Problem Description: None. |
CSCsx11210 |
Headline: Unable to add match criteria in a QoS class map after changing to match-any. Symptom: Adding match criteria does not work after changing a class map to match-any. Conditions: If you create a class map with match-all packet length as the only criteria, then changing the map to match-any prevents you from adding new match criteria.
n1000v(config)# class-map c1
n1000v(config-cmap-qos)# match packet length 1028
n1000v(config-cmap-qos)# exit
n1000v(config)# class-map match-any c1
n1000v(config-cmap-qos)# match packet length 1038
n1000v(config-cmap-qos)# show class-map c1
class-map type qos match-any c1
Workaround: Always verify a class map configuration using the show class-map command. If the map is not correct, delete the criteria using the no match command and then add it again.
n1000v(config)# class-map match-any c1
n1000v(config-cmap-qos)# no match packet length 1028
n1000v(config-cmap-qos)# match packet length 1028, 1038
Further Problem Description: None. |
CSCsx68200 |
Headline: Attempting to rename a port-group causes the port group to be deleted and a new port group to be created. Symptom: When you use the following command to rename a port group, the existing port group is deleted and a new port group is created with the new name. switch (config-port-prof)# vmware port-group new-name Conditions: Attempt to change the name of a port group. Workaround: None Further Problem Description: Deleting and creating a new port group may also cause the related NICs to be moved into the Quarantine port groups.
2009 May 20 10:26:39 switch %VMS-3-DVPG_NICS_MOVED: '6' nics have been moved from
port-group 'WebApp' to 'Unused_Or_Quarantine_Veth'
In this case, the NICs must again be re-associated with the port-group. |
CSCsy25906 |
Headline: Error logged after changing the system port profiles for VMNIC with control VLAN Symptom: If you change the system port profile for a physical adapter carrying the control VLAN, the following system logs are generated: ETH_PORT_CHANNEL-3-COMPAT_CHECK_FAILURE PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE Conditions: Port profiles sys1 and sys2 are configured as channel-group and have the control VLAN configured as part of the system VLANs. Two physical adapters are attached to port profile sys1. From the vSphere client, change the adapters from port profile sys1 to port profile sys2 in a single step. Workaround: Do not change the system port profile attached to a physical adapter in a single step. Instead, use the following procedure: 1. From the vSphere client, remove the adapters from the port profile sys1. 2. Click OK. 3. Add the adapters to port profile sys2. Further Problem Description: None |
CSCsy88176 |
Headline: Inaccurate show policy-map interface output if there are numerous policy-maps Symptom: When displaying the statistics for multiple policy-maps, the results may not reflect accurate statistics. Conditions: Multiple large policies are configured on a single VEM, especially if they use complex match-any conditions. Workaround: Instead of displaying all policy maps at once, use the following command to display them one at a time: show policy-map interface name Further Problem Description: The syslog alerts you that too much data is being returned at one time. |
CSCsz03271 |
Headline: The same ACL cannot be used multiple times in a QoS policy-map. Symptom: When an ACL policy is used more than once in a QoS policy-map, the system fails to apply it to an interface. Conditions: Using the same ACL multiple times in a single policy-map. Workaround: Do not use the same ACL in different class-maps that are referenced in a single QoS policy. Instead, create and reference a new ACL with same set of rules. Further Problem Description: None |
CSCsz15398 |
Headline: Performance impact when AIPC link goes down and comes back up Symptom: Ports go into the errDisabled state and EthPM timeout system messages are generated after the control traffic link goes down and comes back up. Conditions: A large number of interfaces (greater than 256 interfaces spread across 8 VEMs) are configured with ACL or QoS policies. Workaround: View module states using the show module command. Once all modules in the system are active, do one of the following: •If the number of errDisabled interfaces is limited, enter the following command sequence: –switch (config-if)# shutdown –switch (config-if)# no shutdown •If there is a particular VEM (or a few VEMs) that have interfaces in the errDisabled state, force a module removal and re-insert (one by one for all affected modules). This can be done by shutting the port on the upstream switch that connects to the VEM uplink for 10 seconds. •If there is no difference between the switch running-configuration and startup-configuration, you can reload the VSM using the reload command. Further Problem Description: None |
CSCsz21291 |
Headline: Port security configured in the port profile is pushing stale data
(sw port-sec maximum number). Symptom: The maximum secure MAC address count configured through the port profile is not applied to a vEthernet interface. Conditions: One of the following is true for the vEthernet interface: •It is not up. •It does not have port security enabled. Workaround: Re-configure the maximum secure address count when the interface is up and port security is enabled on the interface. Further Problem Description: None |
CSCsz21693 |
Headline: Reload of iVISOR host removes the VIB package. Symptom: Rebooting an ESXi host causes it to not show up in the VSM. Conditions: This occurs if you load the N1KV VEM code onto the host before adding the host to vSphere Server. Workaround: Do one of the following: •Add the ESXi host to vSphere before installing Cisco Nexus 1000V VEM software. •Reboot the host after installing Cisco Nexus 1000V VEM software but before adding the host to vSphere. Further Problem Description: None |
CSCsz24042 |
Headline: Static MAC entries for VMs are not updated upon VLAN change Symptom: A private VLAN host virtual interface changed to a regular interface keeps the static MAC address in the running configuration. Conditions: You configure a virtual interface as a private VLAN host and then change it to a regular interface.
switch (config)# port-profile pvlan153
n1000v(config-port-prof)# vmware port-group
n1000v(config-port-prof)# switchport mode private-vlan host
n1000v(config-port-prof)# switchport private-vlan host-association 156 153
n1000v(config-port-prof)# no shutdown
n1000v(config-port-prof)# state enabled
switch (config)# port-profile pvlan153
n1000v(config-port-prof)# switchport mode access
Workaround: When you change an interface from a private VLAN host interface to a regular interface, you must manually remove the static MAC from the configuration.
switch (config)# no mac address-table static 0050.5692.1b66 vlan 156 interface
Vethernet1
Further Problem Description: None |
CSCsz38042 |
Headline: show vlan private-vlan does not show promiscuous trunk information Symptom: The show vlan private-vlan command output does not show private-vlan promiscuous trunk port information. Conditions: The show vlan private-vlan command output does not list the interfaces associated with the private VLAN if it is configured as private VLAN promiscuous trunk port. Workaround: Use show interface switchport or show running-config, Further Problem Description: If the interface is configured as a private VLAN host port and private VLAN promiscuous access port, the show vlan private-vlan command output shows the secondary VLAN, the primary VLAN and interfaces associated with those private VLANs.
switch# show vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- ----------------------------------------! 152
157 community Eth3/4
|
CSCsz48343 |
Headline: Link up message while powering up VM (vnic not up) Symptom: As a guest operating system is booting, the vEthernet interface shows as link up for a few seconds, then down, and then it finally remains up. Conditions: Powering up guest operating system. Workaround: Use a flexible adapter and install VMware tools. Further Problem Description: If the adapter type is flexible and you have VMware tools installed the Cisco Nexus 1000V VSM indicates the link for a vEthernet interface is up during the virtual machine boot. |
CSCsz63126 |
Headline: No switchport mode trunk - change modes to access and not to default Symptom: After configuring the switchport mode on an Ethernet interface, the no switchport mode command leaves the switchport mode access config setting on the interface, overriding the policy inherited by the port-profile. There is no way to remove it. Conditions: Configuring the switchport mode on an Ethernet interface. Workaround: If the switchport mode setting has not been saved in the startup-config yet, the VSM can be reloaded to remove the setting. If it has been saved in the startup-config, there is no way to remove it. Further Problem Description: None |
CSCsz99235 |
Headline: Installing a permanent license file does not add new licenses to the license pool. Symptom: After installing a new license file on the VSM, the count of licenses is not increased to show that new licenses were added. Conditions: Adding a permanent license file without removing an evaluation license file. Workaround: Before installing a new license file, you must first transfer the evaluation licenses from the VEMs back to the VSM license pool and then uninstall the evaluation license from the VSM. Further Problem Description: None |
CSCta05268 |
Headline: Modules do not come up for a VSM with a VEM port channel running in vPC-HM. Symptom: The output of the show l2 <control VLAN number> command shows dynamic for the VM Eth0 MAC. Conditions: After the VSM connects to the VEM, for example, when the VSM is reloaded. Workaround: Migrate the VSM VM to a vSwitch or another host without vPC-HM. Further Problem Description: When a VSM and VEM reconnect, the L2 table entries and port channel are deleted and the physical links carry the same VLANs. This causes broadcast packets from the VSM to go out through one upstream switch and come back through another. Therefore, the Eth0 MAC of the VSM VM is learned on a physical interface and the module never comes up. |
CSCte28866 |
Headline: Configuring a Cisco Nexus 1000V with the vlan dot1Q tag native command does not result in the desired behavior. Symptom: The traffic on the native VLAN is not tagged when sent across a trunk. Conditions: Configuring a Cisco Nexus 1000V with the vlan dot1Q tag native command. Workaround: There is currently no workaround. Disabling the native VLAN tagging on the upstream network infrastructure could alleviate the need to use the vlan dot1Q tag native command on the Cisco Nexus 1000V. |
MIB Support
The Cisco Management Information Base (MIB) list includes Cisco proprietary MIBs and many other Internet Engineering Task Force (IETF) standard MIBs. These standard MIBs are defined in Requests for Comments (RFCs). To find specific MIB information, you must examine the Cisco proprietary MIB structure and related IETF-standard MIBs supported by the Cisco Nexus 1000V Series switch.
The MIB Support List is available at the following FTP site:
ftp://ftp.cisco.com/pub/mibs/supportlists/nexus1000v/Nexus1000VMIBSupportList.html
Related Documentation
Cisco Nexus 1000V includes the following documents available on Cisco.com:
General Information
Cisco Nexus 1000V Release Notes, Release 4.0(4)SV1(1)
Cisco Nexus 1000V and VMware Compatibility Information, Release 4.0(4)SV1(1)
Install and Upgrade
Cisco Nexus 1000V Software Installation Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Virtual Ethernet Module Software Installation Guide, Release 4.0(4)SV1(1)
Configuration Guides
Cisco Nexus 1000V License Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Getting Started Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Interface Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V High Availability and Redundancy Reference, Release 4.0(4)SV1(1)
Reference Guides
Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1)
Cisco Nexus 1000V MIB Quick Reference
Troubleshooting and Alerts
Cisco Nexus 1000V Troubleshooting Guide, Release 4.0(4)SV1(1)
Cisco Nexus 1000V Password Recovery Guide
Cisco NX-OS System Messages Reference
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Feedback