Wednesday, 31 August 2011

Feature Comparison of the Nexus 7000 and Catalyst 6500 Series Switches

After looking at the Nexus 7000 series switches, I concluded they were a lot like the Catalyst 6500 series switches without the service modules. I reviewed the configuration guides for both devices to compare which options each supports today. (These options will change in new OS versions.)

Overview

The current focus of the Nexus 7000 is to provide high density 10Gb Ethernet switching for LAN traffic, primarily in the data center. (Cisco is planning to provide unified I/O supporting SAN traffic on the Nexus 7000 in the future.) My understanding is that service modules or WAN modules in the high performance backplane of the Nexus 7000 would not be very cost effective, so an external appliance or service layer should be used to provide these features. NX-OS is based on the Cisco MDS 9000 SAN-OS software and focuses on modularity: nothing beyond the base is running until you enable it with the feature feature-name configuration command. In NX-OS 4.1, the following features can be enabled:
feature bgp
feature cts
feature dhcp
feature dot1x
feature eigrp
feature eou
feature glbp
feature hsrp
feature interface-vlan
feature isis
feature lacp
feature msdp
feature netflow
feature ospf
feature ospfv3
feature pbr
feature pim
feature pim6
feature port-security
feature private-vlan
feature rip
feature scheduler
feature ssh
feature tacacs+
feature telnet
feature tunnel
feature udld
feature vpc
feature vrrp
feature vtp
(Some features are available through licensing, others are bundled in the base NX-OS.)
The focus of the Catalyst 6500 is all-purpose enterprise switching and routing, and it supports a multitude of interface types and service modules. The Catalyst 6500 is a workhorse of a switch. Typically all features in the operating system license are preloaded and just need to be configured for your specific environment.

Option Summary of the Cisco Nexus 7000 and Catalyst 6500:

Option                           Nexus 7000   Catalyst 6500
-------------------------------  -----------  -------------
Operating System                 NX-OS 4.0    12.2SXH
switch virtualization support    VDC          VSS
service module support           --           yes
NSF w/ SSO                       yes          yes
enhanced Fast Software Upgrade   --           yes
sup engine redundancy            yes          yes
48 port 10/100/1000 Ethernet     yes          yes
four port 10GE linecard          --           yes
eight port 10GE linecard         --           yes
thirty-two port 10GE linecard    yes          --
T1/E1 WAN                        --           yes
T3/E3 WAN                        --           yes
HSSI                             --           yes
T3/E3 ATM                        --           yes
OC-3 ATM                         --           yes
OC-3 Packet over SONET           --           yes
OC-12                            --           yes
OC-48                            --           yes
OC-192                           --           yes
SONET                            --           yes
centralized forwarding           --           yes
distributed forwarding           yes          yes
PoE for GE                       --           yes
EtherChannel/Port Channel        yes          yes
Multichassis EtherChannel        yes          yes
VLANs                            yes          yes
private VLANs                    yes          yes
802.1Q tunneling                 yes          yes
Layer 2 Tunneling Protocol       --           yes
RPVST                            yes          yes
MST                              yes          yes
MPLS                             --           yes
AToMPLS                          --           yes
FRoMPLS                          --           yes
EoMPLS                           --           yes
MPLS VPNs                        --           yes
iBGP and eBGP                    yes          yes
OSPF                             yes          yes
EIGRP                            yes          yes
ISIS                             yes          yes
VRRP                             yes          yes
HSRP                             yes          yes
GLBP                             yes          yes
IP Multicast                     yes          yes
IGMPv1/v2/v3                     yes          yes
IGMP Snooping                    yes          yes
PIMv1/v2                         yes          yes
MSDP                             yes          yes
SSM                              yes          yes
IPv6 routing                     yes          yes
IPv6 Multicast routing           yes          yes
Policy Based Routing             yes          yes
QoS - LLQ                        --           yes
NBAR                             --           yes
VLAN ACLs                        yes          yes
CoPP                             yes          yes
DHCP Snooping                    yes          yes
IP Source Guard                  yes          yes
Dynamic ARP Inspection           yes          yes
802.1X Authentication            yes          yes
NetFlow v8                       --           yes
NetFlow v9                       yes          --
SPAN/RSPAN                       yes          yes
Cisco TrustSec                   yes          --

Sunday, 14 August 2011

Deploying the Nexus 1000V

The Cisco Nexus 1000V is, of course, a Layer 2 distributed virtual switch for VMware vSphere built on Cisco NX-OS (the same operating system that drives the physical Nexus switches). It’s compatible with all switching platforms, meaning that it doesn’t require physical Nexus switches upstream in order to work. The Nexus 1000V brings policy-based VM connectivity, network and security property mobility, and a non-disruptive operational model.
The Nexus 1000V has two components. The first is the Virtual Supervisor Module (VSM). Interestingly enough, the slide shows that the VSM can be a virtual or physical instance of NX-OS; I know of no formal announcement that has discussed using a physical instance of NX-OS as the VSM for the Nexus 1000V. The second component is the Virtual Ethernet Module (VEM), a per-host switching module that resides on each ESX/ESXi host. A VSM can support up to 64 VEMs in a distributed logical switch model, meaning that all VEMs are centrally managed by the VSM. Each VEM appears as a remote line card to the VSM.
The VEM is deployed using vCenter Update Manager (VUM) and supports both ESX and ESXi. The Nexus 1000V supports both 1Gbps and 10Gbps Ethernet uplinks and works with all types of servers (everything on the HCL) and upstream switches.
The Nexus 1000V supports a feature called virtual port channel host mode (vPC-HM). This feature allows the Nexus 1000V to use two uplinks (NICs in the server) connected to two different physical switches and treat them as a single logical uplink. This does not require any upstream switch support. Multiple instances of vPC-HM can be used; for example, four Gigabit Ethernet uplinks, two to each physical switch, could be used to create two different vPC-HM uplinks for redundancy and separation of traffic.
For upstream switches that support VSS or VBS, you can configure the Nexus 1000V to use all uplinks as a single logical uplink. This requires upstream switch support but provides more bandwidth across all upstream switches. Of course, users can also create multiple port channels to upstream switches for traffic separation. There is a lot of flexibility in how the Nexus 1000V can be connected to the existing network infrastructure.
These network designs can be extrapolated to six NICs (uplinks), eight NICs, and more.
One interesting statement from the presenter was that Layer 8 (the Human layer) can create more problems than Layers 1 through 7.
Next, the presenter went through the use and configuration of the Cisco Nexus 1000V in DMZ environments. Key features for this use case include private VLANs (private VLANs can span both physical and virtual systems). Network professionals can also use access-control lists (ACLs) and remote port mirroring (ERSPAN) to improve visibility and control over the virtual networking environment.
At this point, I left the session because it was clear that this session was more about educating users on the features of the Nexus 1000V and not about best practices on how to deploy the Nexus 1000V.
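The vPC-HM uplink design and the DMZ private-VLAN design described above, written out as Nexus 1000V port-profiles. This is an added example, not configuration from the session or from Cisco's documentation; the profile names, VLAN numbers (200 primary, 201 isolated), ACL name and NIC count are assumptions.

```text
! vPC-HM uplink: two host NICs cabled to two different upstream switches,
! treated as one logical uplink. mac-pinning pins each VM's MAC to one NIC,
! so no port-channel has to exist on the upstream switches.
! Assumption: the upstream switches are private-VLAN aware and carry the
! same primary/isolated pair on their trunks.
port-profile type ethernet DMZ-UPLINK
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 200-201
  channel-group auto mode on mac-pinning
  no shutdown
  state enabled
!
! Private VLAN for the DMZ: 200 is the primary VLAN, 201 is isolated.
! Isolated DMZ VMs can reach the promiscuous gateway port but not each
! other, which limits lateral movement if one DMZ VM is compromised.
vlan 200
  private-vlan primary
  private-vlan association 201
vlan 201
  private-vlan isolated
!
! vEthernet profile attached to the DMZ VMs in vCenter. The port ACL is
! applied "out" (switch towards VM), so it filters what reaches the VM.
port-profile type vethernet DMZ-ISOLATED
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 200 201
  ip port access-group DMZ-TO-VM out
  no shutdown
  state enabled
!
! Only HTTPS may reach a DMZ VM. The ACL is stateless: traffic the VM
! sends is not filtered here, but replies to any flow the VM itself
! initiates (DNS, NTP, patching) would need their own permit lines.
ip access-list DMZ-TO-VM
  10 permit tcp any any eq 443
  20 deny ip any any
```

ERSPAN sessions on the VSM can then mirror the DMZ vEthernet ports to an external analyser without touching the upstream physical switches.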

Friday, 12 August 2011

Red Pill or Blue Pill

Life is a matter of choice. The most difficult thing in life is to make the right choice. We are always scared to make the choice. Life may knock us down, but it is our choice to stand up or not. I decided to stand up and fight for my existence. I started my journey towards CCIE. The choice you make today will reflect your tomorrow. So are you ready to make the choice?

Sunday, 13 February 2011

Virtualization Still Calls Data-Center Tune

As the latest VMworld begins its transformation from current event to memory, now probably is as good a time as any to reflect on what it all means, if anything, for the future of data centers, the IT industry, and various big-name vendors.
There has been a lot of talk about public, private, and hybrid clouds at VMworld, but I think that’s something of a side issue. Yes, certain enterprises and organizations will partake of cloud services, and, yes, many enterprises will adopt a philosophy of IT as service within their data centers. They’ll make data-center management and automation decisions accordingly.
Even so, at a practical level, it is virtualization that continues to drive meaningful change. The robust growth of virtualization has introduced problems (optimists would call them opportunities), too. How do you automate it, how do you manage it, how do you control it so that it remains a business asset rather than a potential liability?
Reciprocal Choking
At a fundamental level, that’s the big problem that data centers, whether within enterprises or service providers, must solve. The ultimate solution might involve data-center convergence — the integration and logical unification of servers, storage, networking, and orchestration — but it’s not clear whether that is the only option, or whether the price of vendor lock-in is worth the presumed benefit. Most enterprise customers, for the time being, will resist the urge to have one throat to choke, if only because they fear the choking might be reciprocal.
Indeed, as the vendor community has reacted to the popular appeal of data-center virtualization, the spectacle has been fascinating to watch. Who will gain control?
It’s not a simple question to answer, because the vendors themselves won’t have the final say; nor will the industry’s intelligentsia and punditry, formidable as they may be. No, the final arbiters are those who own, run, and manage the data centers that are being increasingly virtualized. Will network managers, or at least those with a strong networking sensibility, reign supreme? Will the leadership emerge from the server, application, or storage side of the house? What sorts of relationships will these customers have with the vendor community, and which companies will serve as trusted counsel?
Ownership of Key Customer Relationships
As virtualization, by necessity, breaks down walls and silos, entirely new customer relationships will develop and new conversations will occur. Which vendors will be best positioned to cultivate or further develop those relationships and lead those conversations?
Meanwhile, vendors are placing their bets on technologies, and on corporate structures and strategic priorities. HP is an interesting case. Its Enterprise Servers Storage and Networks (ESSN) group seems increasingly tilted toward storage and servers, with networking — though not an insignificant consideration — relegated increasingly to a commoditized, supporting role. Just look at the executive management at the top of ESSN, both at HP headquarters and worldwide. You’ll notice an increasingly pronounced storage orientation, from Dave Donatelli on down.
Cisco, meanwhile, remains a networking company. It will try to imbue as much intelligence (and account control) as possible into the network infrastructure, even though it might be packaged under the Unified Computing Systems (UCS) moniker. That might not be a bad bet, but Cisco really doesn’t have a choice. It doesn’t own storage, is a relative neophyte in servers, and doesn’t have Oracle’s database or application pedigree.
Dell’s Move
IBM and Dell will be interesting to watch. Dell clearly places a lot of emphasis on owning its own storage technology. It has its own storage offerings right up through the midrange of the market, and it tried hard to buy 3PAR before being denied by a determined HP, which had its own reasons for winning that duel.
Questions remain over the importance Dell attaches to networking. We should learn soon enough whether Dell will continue to partner, with Juniper and Brocade, or whether it will buy its way into the market. To the extent that Dell continues to maintain its networking partnerships, the company effectively will be saying that it deems networking a secondary priority in its data-center strategy. IBM already seems to have made that determination, though there’s always a possibility it will revisit its earlier decision.
This puts Juniper in an interesting position. It needs to continue to push toward its Project Stratus intelligent flat network, thereby enhancing its value to customers and its importance to Dell and IBM as a partner. Brocade faces a similar challenge in storage networking, though it still seems to have a lot of work ahead of it in repositioning the Ethernet-switching portfolio it obtained through its acquisition of Foundry Networks.
Microsoft Pays for Inattentiveness
I have not mentioned Microsoft. VMware threw down a gauntlet of sorts earlier this week when it suggested that the importance of Windows as an operating system had been undercut severely by the rise of virtualization. For the most part, I agree with that assessment. Microsoft has some big challenges ahead of it, and it has been attempting to distract us from its shortcomings by talking a lot about its cloud vision. But a vision, no matter how compelling, is thin gruel if it is not supported by follow through and execution. In virtualization, Microsoft was caught flat-footed, its gaze averted by commotion outside the data center and the enterprise, and it is paying a steep price for that inattentiveness now.
Even though marketing hype has pivoted and tilted toward the cloud, virtualization continues to recast the data center.

Companies slow to adopt NAC technology

Companies are showing little appetite for expanding their use of network access control, even though many are interested in the technology.
According to a new report from Forrester, only 10 percent of organisations plan to implement the technology in the coming year. The research company said that security professionals were struggling to deliver business cases to justify the use of the technology.
Those companies that are going down the NAC path are overwhelmingly opting for client-side technology. According to Forrester, 27 percent of respondents report adoption of a client-side NAC technology. Report author Usman Sindhu claimed there were several reasons for this. "Client-side NAC technology is software-based, so IT and security professionals can more easily integrate and manage it," he wrote, adding that during the past 18 months many security vendors have bundled NAC technology into their client security suite products, thus accelerating its adoption. "We're seeing vendors like McAfee and Symantec using NAC as a feature in a suite or a bundled client security offering."
Conversely, server-side NAC is less popular; only 17 percent of the respondents in the Forrester survey are interested in going down this route. These products include NAC technology integrated into routing and switching infrastructure or operating as separate NAC appliances. Security professionals struggle to make a business case for these devices because of the capital cost involved.
Sindhu makes four predictions for 2011. Firstly, greater interest in NAC integrated into broader security offerings will flourish. He said that this had gone beyond security vendors themselves. "For instance, Cisco and Juniper are keen on making NAC one feature in the infrastructure security stack. This trend is here to stay and will push other players to abandon the standalone NAC approach."
The second of Sindhu's predictions is that network access control will shift to the layered access control model. "Access control will encompass not only the network but also applications and mobile devices. The term "NAC" will not go away, but it will refer to network, application, and device access control. NAC solution vendors will work with partners to provide a layered access control where the focus is the user, not the device."
Sindhu's third prediction is that hybrid deployment modes will continue to be popular. "Security organisations don't have a clear preference for hardware-based versus software-based NAC deployments," he wrote, preferring to use a combination of deployments. He said that this trend would continue into 2011.
Finally, Sindhu said that in 2011, compliance-driven features will dominate the market. He said that companies would expand their compliance needs by taking on board employee-owned devices such as smartphones and tablets.

A new look at SAN Fabric Switching: Performance, Flexibility and VALUE

In the past, SAN Fabric switches filled a particular niche, offering stripped-down functionality to serve basic connectivity needs, while only director-class products offered greater performance and flexibility. Pure connectivity solutions, without scalability and performance options, are not acceptable in those environments any more.

With the introduction of the Cisco MDS 9148 Fabric Switch, we’ve raised the bar for SAN Fabric solutions by providing a feature-rich, high performance (8-Gbps line rate) switch which scales non-disruptively in eight-port increments from 16 to 48 ports, all at an entry-level price point.
The MDS 9148 offers similar value to director-class switches, with enterprise features including VSANs, security, non-disruptive firmware updates, and NPV, providing mid-market customers with the versatility and capability needed to grow their businesses.
Most importantly, not only does the “pay-as-you-grow” model reduce the initial investment, all advanced features continue to be delivered as part of Cisco’s standard SAN package, not as upgrades or separate licenses, which add significant incremental costs to competitive solutions.
To clarify, this Cisco solution is not only for mid-market customers. Due to its redundancy (including dual power and dual fans), scalability and line rate performance, the MDS 9148 switch is an ideal candidate for deployment in top-of-rack architectures and departmental SANs at larger organizations as well. The MDS 9148 is powered by NX-OS, a common OS that spans the MDS, Nexus and UCS 6100 families of products. Having a common OS across both storage and Ethernet switches decreases IT’s learning curve and enables greater staff flexibility in large IT organizations.

ESG tested our switch and validated our claims; the ESG Lab found that “the MDS 9148 is a rock-solid, feature-rich, 8-Gbps multilayer fabric switch that cost effectively delivers the benefits of SAN-attached connectivity to small- and medium-size businesses and enterprises looking for affordably powerful edge connectivity.” You can read their report here.
One of our partners in Europe, MTI, tested the MDS 9148 and found that the VM optimization features in the MDS 9148 make it an ideal platform of choice for virtual machine environments, and that it is very easy to set up and manage. You can read the MTI test report here.

Bit Torrent Killed My Router


Adam's VOIP Setup

I'm a long time Vonage customer and I have a very old Vonage Motorola VT1005 VOIP Router that they gave me when I signed up way back in 2003. It turns out that this box can't handle all the action that Bit Torrent sends its way; something about a limited size of the NAT table not working with the large number of connections opened by Bit Torrent. Typically it needs to be reset at least once a day when any sort of Bit Torrent activity is going on.

Airport Extreme DMZ Setting

The solution is to keep the poor VT1005 out of the way of all that traffic. Instead of using it as your main router, stick it behind something more up to the task, like an Apple Airport Extreme. Of course, the VOIP functionality works best if there is no firewall between it and the network at large. The solution to this is to put the VT1005 in the DMZ of your main router. To do this you first need to make sure the VT1005 has a static IP address. You can set this using the web interface of the VT1005. After that, go to the admin interface for your main router and set this new IP address as the DMZ IP address. On the Airport Extreme this setting is called Enable Default Host, as you can see in the image above.

There are a few other issues to be aware of when dealing with the VT1005. It has an advanced setting that lets you disable NAT and put it in bridge mode. This seems like a good idea, since it ought to avoid the NAT table explosion, but that solution seems to have the same daily reset issue. Also, it's a bit tricky to get back to the web interface of the VT1005 once you've put it into bridge mode; there appears to be no way to reach the device after that. The trick is to directly connect your computer to the VT1005's PC port and set the IP address of your computer statically to 192.168.102.2 with the gateway set to 192.168.102.1. Then point your browser to http://192.168.102.1/ and you'll be able to change the NAT settings again. Finally, make sure you have the VT1005 set to use the factory MAC address. I was trying to fake out my ISP and set the MAC address to the same number as my Airport Extreme. This will work if your ISP gives you more than one IP address and you're in bridge mode (NAT disabled). But it won't work if the Vonage box is set up in your DMZ. Your router and the computer in the DMZ can't have the same MAC address or things just won't work.