prep for new grimoire

This commit is contained in:
traveler 2026-04-12 09:39:57 -05:00
parent a72eb28f9e
commit 2aff30ab71
165 changed files with 0 additions and 0 deletions


@ -1,77 +0,0 @@
---
title: Nexus Upgrade port Breakout
description:
published: true
date: 2026-02-20T19:24:28.054Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:55:53.800Z
---
# Nexus 9300 Port Migration — Old to New Architecture
## Switch 1 — AT1EU-NEXUS-1
| Old Port | Description | New Port | Device | Device Port |
|---|---|---|---|---|
| Ethernet1/2 | Trunk FAS 2750 | — | Catalyst | T1/1/3 |
| Ethernet1/3 | Trunk FAS 2750 | — | Catalyst | T1/1/4 |
| Ethernet1/9 | Trunk A70-A | Ethernet1/5/1 | A70 | — |
| Ethernet1/10 | Trunk A70-A | Ethernet1/5/3 | A70 | — |
| Ethernet1/11 | Trunk A70-B | Ethernet1/5/2 | A70 | — |
| Ethernet1/12 | Trunk A70-B | Ethernet1/5/4 | A70 | — |
| Ethernet1/17 | Trunk 500e-X1 | Ethernet1/26 (10G) | Firewall | X1 |
| Ethernet1/23 | Access L3 HLCI JAVELIN (Allow STP-BPDU) | — | Catalyst | T1/1/5 |
| Ethernet1/24 | Access L3 HLCI ROCK(L3)MLS (Allow STP-BPDU) | — | Catalyst | T1/1/6 |
| Ethernet1/25 | Trunk 6554-1:25 | Ethernet1/1/1 | UCS 6554-1 | 1/25 |
| Ethernet1/26 | Trunk 6554-1:26 | Ethernet1/1/3 | UCS 6554-1 | 1/26 |
| Ethernet1/27 | Trunk 6554-2:27 | Ethernet1/1/2 | UCS 6554-2 | 1/27 |
| Ethernet1/28 | Trunk 6554-2:28 | Ethernet1/1/4 | UCS 6554-2 | 1/28 |
| Ethernet1/45 | Trunk 9300 | Ethernet1/24 (10G) | Catalyst 9300 | T1/1/1 |
| Ethernet1/46 | Trunk 9300 | Ethernet1/25 (10G) | Catalyst 9300 | T1/1/2 |
| Ethernet1/47 | Trunk Peer-Link (Allow STP) | Ethernet1/27 | NEXUS-2 Peer | — |
| Ethernet1/48 | Trunk Peer-Link (Allow STP) | Ethernet1/28 | NEXUS-2 Peer | — |
> **Legend:** `—` in New Port column indicates the connection moves to the listed Device/Port with no renumbered Nexus port. 25G breakout ports (1/1/x and 1/5/x) are carved from 100G uplinks via `interface breakout module 1 port X map 25g-4x`.
---
## Switch 2 — AT1EU-NEXUS-2
| Old Port | Description | New Port | Device | Device Port |
|---|---|---|---|---|
| Ethernet1/2 | Trunk FAS 2750-A | — | Catalyst | T2/1/3 |
| Ethernet1/3 | Trunk FAS 2750-B | — | Catalyst | T2/1/4 |
| Ethernet1/9 | Trunk A70-A | Ethernet1/5/1 | A70 | — |
| Ethernet1/10 | Trunk A70-A | Ethernet1/5/3 | A70 | — |
| Ethernet1/11 | Trunk A70-B | Ethernet1/5/2 | A70 | — |
| Ethernet1/12 | Trunk A70-B | Ethernet1/5/4 | A70 | — |
| Ethernet1/16 | Access NetApp XFER | — | Catalyst | T2/1/7 |
| Ethernet1/17 | Trunk 500e-X1 | Ethernet1/26 (10G) | Firewall | X1 |
| Ethernet1/22 | Access L4 HLCI JAVELIN (Allow STP-BPDU) | — | Catalyst | T2/1/5 |
| Ethernet1/24 | Access L4 HLCI ROCK(L4)MLS (Allow STP-BPDU) | — | Catalyst | 21/1/6 |
| Ethernet1/25 | Trunk 6554-2:25 | Ethernet1/1/1 | UCS 6554-2 | 1/25 |
| Ethernet1/26 | Trunk 6554-2:26 | Ethernet1/1/3 | UCS 6554-2 | 1/26 |
| Ethernet1/27 | Trunk 6554-1:27 | Ethernet1/1/2 | UCS 6554-1 | 1/27 |
| Ethernet1/28 | Trunk 6554-1:28 | Ethernet1/1/4 | UCS 6554-1 | 1/28 |
| Ethernet1/45 | Trunk 9300 | Ethernet1/24 (10G) | Catalyst 9300 | T1/1/2 |
| Ethernet1/46 | Trunk 9300 | Ethernet1/25 (10G) | Catalyst 9300 | T2/1/2 |
| Ethernet1/47 | Trunk Peer-Link (Allow STP) | Ethernet1/27 | NEXUS-1 Peer | — |
| Ethernet1/48 | Trunk Peer-Link (Allow STP) | Ethernet1/28 | NEXUS-1 Peer | — |
> **Legend:** `—` in New Port column indicates the connection moves to the listed Device/Port with no renumbered Nexus port. 25G breakout ports (1/1/x and 1/5/x) are carved from 100G uplinks via `interface breakout module 1 port X map 25g-4x`.
---
## Summary of Changes
| Change Type | Details |
|---|---|
| **Breakout (100G → 4x25G)** | Ports 1, 5 on both switches broken out to 25G sub-interfaces for UCS FI and A70 storage connectivity |
| **UCS 6554 FI connections** | Old Ethernet1/251/28 (fixed 1/x ports) → New Ethernet1/1/11/1/4 (breakout sub-ports) |
| **A70 Storage connections** | Old Ethernet1/91/12 (fixed 1/x ports) → New Ethernet1/5/11/5/4 (breakout sub-ports) |
| **9300 Uplinks** | Old Ethernet1/451/46 → New Ethernet1/241/25 (10G, connecting to Catalyst T1/1/1T1/1/2) |
| **500e Firewall** | Old Ethernet1/17 → New Ethernet1/26 (10G, firewall X1) |
| **Peer-Link** | Old Ethernet1/471/48 → New Ethernet1/271/28 (both switches) |
| **Moved to Catalyst** | FAS 2750, HLCI JAVELIN, HLCI ROCK, and (Sw2 only) NetApp XFER ports migrated off the Nexus to a downstream Catalyst switch |
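Review bot: the Summary of Changes table has lost the range separators in every "Old → New" cell (`Ethernet1/251/28`, `Ethernet1/1/11/1/4`, `Ethernet1/91/12`, `Ethernet1/451/46`, `Ethernet1/471/48` and the like read as single port numbers), and two Device Port cells in the Switch 2 table break its T2/x/y pattern: `21/1/6` on the Ethernet1/24 row and `T1/1/2` on the Ethernet1/45 row, the latter duplicating the Switch 1 entry. The Switch 2 table also moves the NetApp XFER link (old Ethernet1/16) off the Nexus to Catalyst T2/1/7, whereas the AT1EU-NEXUS-2 build deleted in the next hunk still configures an `Access Netapp XFER` port on Ethernet1/23. If this page is being carried into the new grimoire rather than retired, reconcile these first; a migration table with ambiguous ranges is what ends up pasted during the cutover window.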


@ -1,797 +0,0 @@
---
title: C9300GX Initial Build
description:
published: true
date: 2026-02-19T20:54:08.096Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:50:41.541Z
---
# AT1EU-NEXUS-2 — Cisco Nexus 9300 Configuration
## Overview
AT1EU-NEXUS-2 is the **secondary** switch in a vPC pair (role priority 10 — same as primary; tie broken by MAC address). It runs NX-OS 10.3(7) and shares vPC domain 1 with AT1EU-NEXUS-1. The vPC peer-link (Po10) spans Eth1/2728, and out-of-band management (mgmt0 at 192.168.0.2) is used for the vPC peer-keepalive path.
**Key roles of this switch:**
- vPC secondary (role priority 10, tie-broken by system MAC)
- STP root peer (same priorities as NEXUS-1 — `peer-switch` ensures both act as root)
- Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.122/24)
- NTP master (stratum 3)
- Same upstream/storage/compute port-channel topology as NEXUS-1
---
## Cut-and-Paste Configuration
```
conf t
switchname AT1EU-NEXUS-2
! --- QoS: Jumbo Frame Policy ---
policy-map type network-qos JUMBO
class type network-qos class-default
mtu 9216
! --- VDC Resource Limits ---
vdc AT1EU-NEXUS-2 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
! --- Features ---
feature nxapi
feature bash-shell
feature scp-server
cfs eth distribute
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature telemetry
! --- RBAC ---
role name network-ro
rule 2 permit command show running config
rule 1 permit read
! --- Users ---
username admin password 5 $5$FIEALE$VdyvYPq0DyT./Pw59UUWC9bPs1coNfermExTM9MF6BB role network-admin
ssh key rsa 2048
! --- Banner ---
banner motd ^
********************* DOD NOTICE AND CONSENT BANNER *************************
* You are accessing a U.S. Government (USG) Information System (IS) that is *
* provided for USG-authorized use only. By using this IS (which includes any*
* device attached to this IS), you consent to the following conditions: *
*-The USG routinely intercepts and monitors communications on this IS for *
* purposes including, but not limited to, penetration testing, COMSEC *
* monitoring, network operations and defense, personnel misconduct (PM), *
* law enforcement (LE), and counterintelligence (CI) investigations. *
*-At any time, the USG may inspect and seize data stored on this IS. *
*-Communications using, or data stored on, this IS are not private, are *
* subject to routine monitoring, interception, and search, and may be *
* disclosed or used for any USGauthorized purpose. *
*-This IS includes security measures (e.g., authentication and access *
* controls) to protect USG interests--not for your personal benefit or *
* privacy. *
*-Notwithstanding the above, using this IS does not constitute consent to *
* PM, LE or CI investigative searching or monitoring of the content of *
* privileged communications, or work product, related to personal *
* representation or services by attorneys, psychotherapists, or clergy, and *
* their assistants. Such communications and work product are private and *
* confidential. See User Agreement for details. *
************************ POC: SIL Network Team ****************************
^
! --- SSH ---
ssh ciphers aes256-gcm
! --- DNS & Domain ---
ip domain-lookup
ip domain-name atom.dev use-vrf Atom
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom
! --- RADIUS ---
radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting
radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting
aaa group server radius NETMAN_RADIUS
server 15.0.11.68
server 15.32.11.68
use-vrf Atom
! --- Management ACL ---
ip access-list SWITCH_MGMT
10 permit ip 15.0.11.150/32 any log
20 permit ip 15.0.11.151/32 any log
30 permit ip 15.32.2.154/32 any log
40 permit ip 15.0.2.154/32 any log
50 permit ip 15.32.2.1/32 any log
60 permit ip 15.0.2.1/32 any log
70 permit ip 15.0.2.2/32 any log
80 permit ip 15.0.11.47/32 any log
90 permit ip 15.32.11.45/32 any log
93 permit ip 15.32.11.150/32 any log
100 deny ip any any log
! --- System QoS ---
system qos
service-policy type network-qos JUMBO
copp profile strict
! --- SNMP ---
snmp-server user admin network-admin auth sha 043A9864CA85100D231AA42F8FA9734C2B5C027F2B74 priv aes-128 365AD478C4A00B497D76B703D3AE75414E3C3C4B386A localizedV2key
snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc
snmp-server host 15.0.11.80 traps version 3 priv testsnmp
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
! --- NTP ---
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp server 15.32.0.30 use-vrf management
ntp server 115.0.0.9 use-vrf management key 125
ntp source-interface Vlan502
ntp authenticate
ntp authentication-key 125 md5 pz5-lihj 7
ntp trusted-key 125
ntp logging
ntp master 3
! --- AAA ---
aaa authentication login default group NETMAN_RADIUS local
aaa authentication login console group NETMAN_RADIUS local
aaa accounting default group NETMAN_RADIUS local
system default switchport
no ip source-route
! --- VLANs ---
vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871
vlan 1882-1883,1885,1905,3563,3965
vlan 2
name TEST_CLUS_COMM
vlan 8
name FP_Test1
vlan 10
name NESS_BOX_TRANSIT
vlan 12
name FP_Test2
vlan 66
name NATIVE_VLAN
vlan 85
name NESS-Temp
vlan 101
name iscsi_csv
vlan 102
name iscsi_boot
vlan 107
name Test
vlan 108
name NET_TEST_NET
vlan 121
name Atom_Backup
vlan 124
name Admin_iSCSI
vlan 143
name Secman_Storage
vlan 146
name Foxhound_Storage
vlan 150
name iscsi
vlan 153
name Javelin(L4)
vlan 157
name GNext_Storage
vlan 158
name NESS_Storage
vlan 188
name JASON_NFS
vlan 321
name ATOM_Backup
vlan 323
name AT-vServer
vlan 340
name ucs_test
vlan 342
name MadHatter_SVM_Mgmt
vlan 349
name Rock_SVM3_Mgmt
vlan 353
name Javlin_SVM
vlan 374
name Rock_Backup_Mgmt
vlan 382
name Darrin_User
vlan 501
name MGMT
vlan 502
name Atom_User2
vlan 504
name Commvault_Testing
vlan 505
name NETAPP_SNAP
vlan 549
name WDS
vlan 551
name L4_User
vlan 559
name Victory_WS_L4
vlan 562
name Brace(L3)_User
vlan 563
name Brace
vlan 667
name Britt_Test
vlan 668
name RockTesters(L4)_User
vlan 672
name GTRI_User
vlan 673
name VDI(L5)
vlan 701
name MH_L3_DATA_HLCI
vlan 702
name MH_L4_DATA_HLCI
vlan 704
name Legacy-704
vlan 705
name Legacy-705
vlan 706
name Legacy-706
vlan 707
name Legacy-707
vlan 708
name Legacy-708
vlan 709
name Legacy-709
vlan 710
name Legacy-710
vlan 721
name GTRI_JAVELIN_L4-721
vlan 740
name NETMAN
vlan 750
name l4_secman
vlan 751
name Secman_DMP-751
vlan 777
name FTD1010_TSHOOT
vlan 804
name FH_L4_HLCI
vlan 814
name ROCK_L4_MLS
vlan 820
name GNext_User
vlan 821
name GNext_Sentris
vlan 822
name GNext_VPX
vlan 823
name GNext_VDA
vlan 905
name Rock_(L4)
vlan 1051
name IP_SEC_1010
vlan 1127
name Vic_Storage
vlan 1551
name Services(L3)_User
vlan 1559
name Victory(L3)_User
vlan 1670
name BigTen_User
vlan 1671
name Victory_DMP-1671
vlan 1672
name VIC_VDI
vlan 1673
name Victory_Sentris
vlan 1720
name Javelin(L3)_User
vlan 1721
name GTRI_JAVELIN_L3-1721
vlan 1722
name Victory_VDI-1722
vlan 1800
name Foxhound(L3)_User
vlan 1801
name FH_L3_DATA_HLCI
vlan 1815
name ServMan_User
vlan 1870
name AT1EU-JavelinCoop(L3)_User
vlan 1883
name NESS_User
vlan 1885
name NESS_Client
vlan 1905
name Rock(L3)_User
vlan 3563
name Brace_User
vlan 3965
name V3E_DEV_HOST
! --- Spanning Tree ---
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576
spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1883-1904,1906-3562,3564-3964,3966-3967 priority 0
! --- VRF ---
vrf context Atom
ip domain-name atom.dev
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
ip route 0.0.0.0/0 15.0.2.254
vrf context management
! --- Port-Channel Load Balance ---
port-channel load-balance src-dst ip-l4port-vlan
! --- vPC Domain ---
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.168.0.1 source 192.168.0.2
delay restore 150
peer-gateway
auto-recovery
! --- SVI ---
interface Vlan502
no shutdown
vrf member Atom
no ip redirects
ip address 15.0.2.122/24
no ipv6 redirects
! --- Port-Channels ---
interface port-channel3
description //Trunk 500e X1
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 3
interface port-channel10
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
vpc peer-link
interface port-channel124
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type normal
spanning-tree guard root
mtu 9216
vpc 124
interface port-channel125
description //Trunk UCS-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 125
interface port-channel126
description //Trunk UCS-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard disable
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 126
interface port-channel127
description //Trunk AFF300-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 127
interface port-channel128
description //Trunk AFF300-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 128
interface port-channel129
description //Trunk FAS 2750-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
vpc 129
interface port-channel130
description //Trunk Fas 2750-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
vpc 130
interface port-channel131
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 131
interface port-channel132
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 132
! --- Breakout Ports (100G -> 4x25G) ---
int e1/1 - 26
shutdown
exit
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x
! --- Physical Interfaces: Breakout (UCS/A70) ---
interface Ethernet1/1/1
description //Trunk 6554-2:25
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 126 mode active
no shutdown
interface Ethernet1/1/2
description //Trunk 6554-2:26
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 126 mode active
no shutdown
interface Ethernet1/1/3
description //Trunk 6554-1:27
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 125 mode active
no shutdown
interface Ethernet1/1/4
description //Trunk 6554-1:28
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 125 mode active
no shutdown
interface Ethernet1/5/1
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/2
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/3
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
interface Ethernet1/5/4
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
! --- Physical Interfaces: Standard Ports ---
interface Ethernet1/23
description //Access Netapp XFER
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
udld enable
no shutdown
interface Ethernet1/24
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
channel-group 124 mode active
no shutdown
interface Ethernet1/25
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
channel-group 124 mode active
no shutdown
interface Ethernet1/26
description //Trunk 500e-X1
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
udld enable
channel-group 3 mode active
no shutdown
interface Ethernet1/27
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
channel-group 10 mode active
no shutdown
interface Ethernet1/28
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
channel-group 10 mode active
no shutdown
! --- Bulk Disabled Ports ---
int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-22
description //Disabled access
switchport access vlan 67
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard enable
spanning-tree guard root
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
udld enable
shutdown
! --- Management Interface ---
interface mgmt0
vrf member management
ip address 192.168.0.2/24
icam monitor scale
! --- Console & VTY ---
line console
exec-timeout 5
line vty
session-limit 4
exec-timeout 5
access-class SWITCH_MGMT in
! --- Logging ---
logging ip access-list cache entries 8001
logging logfile LOG_FILE 6 size 4096
logging server 15.0.2.146 6
logging server 15.0.2.222 6
logging level authpri 6
```
---
## Configuration Explanation
### Platform & Global Settings
Identical platform and global settings to NEXUS-1: NX-OS 10.3(7), Jumbo MTU QoS policy (9216 bytes), strict CoPP, AES256-GCM SSH, IP source-route disabled.
### VDC Resource Limits
Same as NEXUS-1.
### Features Enabled
Identical feature set to NEXUS-1.
### Authentication & Access Control
Identical RADIUS configuration, management ACL, and AAA settings to NEXUS-1. VTY exec-timeout is 5 minutes (vs. 0 on NEXUS-1 — worth standardizing).
### NTP
Two additional NTP servers compared to NEXUS-1: `15.32.0.30` (management VRF) and `115.0.0.9` (management VRF). Uses NTP key 125 (vs. key 123 on NEXUS-1). NTP source is Vlan502. Also acts as NTP master stratum 3.
### SNMP
SNMPv3 with SHA/AES-128. Has an additional trap target (15.0.11.80) compared to NEXUS-1. RMON events 15 configured identically.
### VLANs
Substantially the same VLAN database as NEXUS-1 with minor differences: VLAN 103 (Netapp_XFER) and VLAN 130 (SIL_SNAPMIRROR) are not present on NEXUS-2; VLAN 563 (Brace) is present on NEXUS-2 but not NEXUS-1. These discrepancies should be reviewed and aligned.
### Spanning Tree
Identical STP priorities to NEXUS-1. With `peer-switch` enabled in the vPC domain, both switches advertise the same STP bridge ID, making the pair appear as a single root to downstream devices.
### VRF & Routing
Same `Atom` VRF with default route to 15.0.2.254. Vlan502 SVI is at 15.0.2.122/24 (vs. 15.0.2.121 on NEXUS-1).
### vPC Domain
- **Domain:** 1
- **Role Priority:** 10 (same as NEXUS-1; system MAC determines actual secondary role)
- **Peer-link:** Po10 (Eth1/2728), `spanning-tree port type network`
- **Peer-keepalive:** mgmt0, destination 192.168.0.1, source 192.168.0.2
- **Options:** `peer-switch`, `peer-gateway`, `auto-recovery`, 150-second restore delay
- **vPC members:** Po3Po4, Po124Po132 (mirrored from NEXUS-1)
> **Note:** Po124 (9300) uses `switchport trunk allowed vlan 2-4094` on NEXUS-2 (includes VLAN 67) while NEXUS-1 uses `2-66,68-4094` (excludes VLAN 67). This inconsistency should be reviewed.
### Physical Interfaces
- **Breakout mapping:** Ports 1, 5, 9 broken out as 4x25G — same as NEXUS-1.
- **Eth1/1/11/1/2 → Po126 (UCS-B):** The UCS FI cross-connection is intentionally reversed vs NEXUS-1 (NEXUS-1 Eth1/1/11/1/2 go to Po125/UCS-A). This is correct behavior for dual-homed UCS FI connectivity.
- **Eth1/271/28:** vPC peer-link → Po10
- **Eth1/241/25:** 9300 uplink → Po124
- **Eth1/26:** 500e-X1 → Po3
- **Eth1/23:** NetApp XFER standalone (not in a port-channel)
- **Disabled ports:** Same hardening policy as NEXUS-1
### Logging
Syslog to 15.0.2.146 and 15.0.2.222, both at severity 6. Note NEXUS-1 logs to 15.0.2.146 at severity 2 — this discrepancy should be reviewed.
---
## Notable Differences Between NEXUS-1 and NEXUS-2
| Parameter | NEXUS-1 | NEXUS-2 |
|---|---|---|
| mgmt0 IP | 192.168.0.1 | 192.168.0.2 |
| Vlan502 IP | 15.0.2.121 | 15.0.2.122 |
| vPC keepalive dest | 192.168.0.2 | 192.168.0.1 |
| NTP key used | 123 | 125 |
| Additional NTP servers | — | 15.32.0.30, 115.0.0.9 (mgmt VRF) |
| VTY exec-timeout | 0 (no timeout) | 5 min |
| Logging 15.0.2.146 severity | 2 | 6 |
| Po124 allowed VLANs | 2-66,68-4094 | 2-4094 |
| vPC peer-link physical ports | Eth1/4748 | Eth1/2728 |
| HLCI port VLANs (Eth1/9/x) | L3 (701, 1801, 1721, 1814) | L4 (702, 721, 804, 814) |
| Additional SNMP trap target | — | 15.0.11.80 |
| VLAN 103 (Netapp_XFER) | Present | Absent |
| VLAN 130 (SIL_SNAPMIRROR) | Present | Absent |
| VLAN 563 (Brace) | Absent | Present |
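Review bot: deleting this page does not remove it from repository history, and its Cut-and-Paste block carries live authentication material: the `username admin password 5 $5$...` hash, the RADIUS shared secret stored in Cisco's reversible type-7 encoding (`key 7 "V1P-jaynmv"`, on both `radius-server host` lines), the NTP key 125 secret (`ntp authentication-key 125 md5 pz5-lihj 7`), and the SNMPv3 localized auth/priv keys for the `admin` user. Treat all of these as exposed: rotate them on both vPC peers (the explanation section states NEXUS-1 shares the RADIUS and AAA settings), and either purge the blobs from history or keep the repository private; the new grimoire copy should carry placeholders instead of the real values. Separately, the Physical Interfaces explanation says ports 1, 5 and 9 are broken out as 4x25G while the configuration issues `interface breakout module 1 port 1` and `port 5` only; one of the two needs correcting before the page is reissued.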


@ -1,899 +0,0 @@
---
title: ESS9300 NTP
description:
published: true
date: 2026-03-31T21:25:14.679Z
tags:
editor: markdown
dateCreated: 2026-03-31T21:25:08.700Z
---
# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.
---
## NTP Configuration
### Basic NTP Server Configuration
```cisco
configure terminal
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1
! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1
! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Save configuration
end
write memory
```
### NTP Authentication (Recommended for Production)
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
end
write memory
```
### NTP Access Control (Security Best Practice)
```cisco
configure terminal
! Define access control for NTP
! peer: Allow time sync from these sources
! serve: Respond to time requests from these sources
! serve-only: Respond to requests but don't sync from them
! query-only: Allow status queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30
! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255
end
write memory
```
### NTP Master Configuration (Switch as Time Source)
```cisco
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters
end
write memory
```
### Advanced NTP Configuration
```cisco
configure terminal
! Update calendar from NTP (hardware clock sync)
ntp update-calendar
! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
ntp disable
exit
! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
ntp broadcast
exit
! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
ntp broadcast client
exit
! Configure NTP logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
---
## Verification Commands
### Check NTP Status
```cisco
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
```
### Check NTP Associations
```cisco
! Show all NTP associations (peers)
show ntp associations
! Detailed view
show ntp associations detail
! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
```
### Check Clock and Time
```cisco
! Display current time
show clock
! Display detailed clock information
show clock detail
! Show calendar (hardware clock)
show calendar
```
### Check NTP Configuration
```cisco
! Show all NTP configuration
show ntp config
! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
```
### Check NTP Authentication
```cisco
! Show authentication keys (hashed)
show ntp authentication-keys
! Show authentication status
show ntp status | include authentication
```
---
## Common Configuration Examples
### Example 1: Industrial Network Configuration
```cisco
configure terminal
! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12
! Use primary uplink as source
ntp source GigabitEthernet1/1
! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Sync hardware clock
ntp update-calendar
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
### Example 2: Secure Configuration with Authentication
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10
! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
! Access control: once any access-group exists, addresses matching no group are denied
! peer       = our time servers (we may sync to them; they may query us)
! serve-only = clients that only need time; no control queries (mode 6/7)
ntp access-group peer 10
ntp access-group serve-only 30
access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 30 remark NTP Clients
access-list 30 permit 10.100.0.0 0.0.255.255
! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### Example 3: Redundant Time Source with Fallback
```cisco
configure terminal
! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1
! Use as master only if all external sources fail
ntp master 10
ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
end
write memory
```
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp associations` (no sys.peer has been selected)
**Troubleshooting Steps:**
1. **Verify NTP servers are configured:**
```cisco
show running-config | include ntp server
```
2. **Check network connectivity to NTP servers:**
```cisco
ping 10.1.1.10
ping 10.1.1.10 source GigabitEthernet1/1
traceroute 10.1.1.10
```
3. **Verify NTP packets are being exchanged:**
```cisco
show ntp associations detail
! Check 'reach' value - should be 377 (octal) = all attempts successful
! Check 'when' value - should be recent (< poll interval)
```
4. **Check for authentication mismatches:**
```cisco
show running-config | include ntp
! Every `ntp server ... key N` must reference a key that exists and is trusted;
! `show ntp status` does not report authentication state
debug ntp validity
! Watch for packets discarded for failed authentication, then stop debugging
undebug all
```
5. **Verify access lists aren't blocking NTP:**
```cisco
show access-lists
! NTP uses UDP port 123
! Verify ACLs allow UDP 123 traffic
```
6. **Check for large time offset:**
```cisco
show ntp associations detail
! If offset > 1000 seconds, manually set clock first
clock set 14:30:00 15 January 2024
```
7. **Verify source interface is up:**
```cisco
show ip interface brief | include GigabitEthernet1/1
! Source interface must be up/up
```
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp associations`
- Inconsistent time across devices
**Troubleshooting Steps:**
1. **Check network latency and stability:**
```cisco
ping 10.1.1.10 repeat 100
! Look for:
! - Packet loss (should be 0%)
! - High round-trip time (> 100ms problematic)
! - Variable latency (jitter)
```
2. **Verify stratum levels:**
```cisco
show ntp associations
! Stratum (st) should be:
! - < 10 for reliable servers
! - Lower is better: 1 = directly attached to a reference clock (GPS, atomic), 2 = synced to a stratum 1 server
! - 16 = the peer is unsynchronized and will not be used
! - Your switch runs at the sys.peer's stratum + 1
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP's selection algorithm discards sources that disagree with the majority
! (falsetickers), so with three or more sources one bad server is outvoted
configure terminal
ntp server 10.1.1.12
ntp server 10.1.1.13
```
4. **Check upstream NTP server health:**
```cisco
show ntp associations detail
! Verify servers show:
! - condition = 'sys.peer' or 'candidate'
! - reach = 377
! - Low dispersion (disp)
```
5. **Monitor polling interval:**
```cisco
show ntp associations
! Poll interval should stabilize at 64-1024 seconds
! Frequent changes indicate instability
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0
**Troubleshooting Steps:**
1. **Verify authentication is enabled:**
```cisco
show running-config | include ntp authenticate
! Should show: "ntp authenticate" (`show ntp status` does not report it)
```
2. **Check authentication keys are configured:**
```cisco
show ntp authentication-keys
! Verify key IDs exist
```
3. **Verify trusted keys:**
```cisco
show running-config | include ntp trusted-key
! Keys must be marked as trusted
```
4. **Confirm server configuration uses correct key:**
```cisco
show running-config | include ntp server
! Verify key ID matches trusted key
```
5. **Debug authentication:**
```cisco
debug ntp authentication
debug ntp validity
! Watch for authentication failures
! Look for key mismatches
undebug all
```
6. **Temporarily disable authentication to test (maintenance window only):**
```cisco
configure terminal
no ntp authenticate
! With authentication off the switch accepts time from any configured server,
! so use this only to prove the key is the problem, then re-enable immediately:
ntp authenticate
```
### Issue: Time Correct but Timezone Wrong
**Symptoms:**
- NTP shows synchronized
- Time is off by exact number of hours
- Logs show incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock timezone
! Ensure timezone offset is correct for your location
```
2. **Check daylight saving time:**
```cisco
show clock detail
! Verify DST rules are correct
! Look for summer-time configuration
```
3. **Reconfigure timezone if needed:**
```cisco
configure terminal
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
```
4. **Verify timestamps in logs:**
```cisco
show running-config | include service timestamps
! Should include 'localtime' and 'show-timezone'
```
### Issue: Hardware Clock Not Updating
**Symptoms:**
- `show clock` shows correct time
- `show calendar` shows old time
- Time resets after reload
**Troubleshooting Steps:**
1. **Verify update-calendar is configured:**
```cisco
show running-config | include ntp update-calendar
```
2. **Manually update the hardware clock from the system clock:**
```cisco
! Exec-mode, one-shot copy of the (NTP-synced) system clock into the calendar
clock update-calendar
! Note: `ntp update-calendar` is a global configuration command, not an exec command
```
3. **Check calendar after sync:**
```cisco
show calendar
show clock
! Should match within a few seconds
```
4. **Configure automatic update:**
```cisco
configure terminal
ntp update-calendar
end
write memory
```
### Issue: NTP Works but Stops After Time
**Symptoms:**
- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time
**Troubleshooting Steps:**
1. **Check for network instability:**
```cisco
show ntp associations detail
! Monitor 'reach' value over time
! Should remain at 377
```
2. **Verify interface stability:**
```cisco
show interface GigabitEthernet1/1
! Check for errors, resets, or flapping
```
3. **Check for routing changes:**
```cisco
show ip route 10.1.1.10
! Verify consistent route to NTP server
```
4. **Monitor NTP server health:**
```cisco
! Check if NTP server itself is stable
show ntp associations detail
! Look for increasing dispersion
```
5. **Check for memory or CPU issues:**
```cisco
show processes cpu sorted
show processes memory sorted
! High CPU or memory can affect NTP
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources
### Security
- **Always use NTP authentication** in production industrial environments
- Implement access control lists to restrict NTP access: `serve-only` for clients that only need time, `peer` for your own time servers, and no `query-only` group unless a monitoring host genuinely needs NTP control queries (mode 6/7)
- Use long, randomly generated authentication keys and treat them as shared secrets stored in the configuration; MD5 is the legacy key type, so use a SHA-based type where the software supports it
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers
### Industrial Environment Considerations
- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages
### Maintenance
- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use `clock set` command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with `show ntp associations`
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include Clock
show ntp associations | include \*
! Weekly detailed check
show ntp associations detail
show clock detail
! Check for errors
show logging | include NTP
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
! SNMPv2c sends the community string in clear text; use SNMPv3 authPriv where the receiver supports it
snmp-server host 10.1.1.100 version 2c YourCommunity
end
write memory
```
### Syslog Monitoring
```cisco
configure terminal
! Configure syslog server
logging host 10.1.1.50
! Set logging level
logging trap informational
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### EEM Script for NTP Monitoring
```cisco
configure terminal
! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
event timer watchdog time 300
action 1.0 cli command "enable"
action 2.0 cli command "show ntp status | include Clock"
action 3.0 regexp "unsynchronized" "$_cli_result"
action 4.0 if $_regexp_result eq 1
action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
action 4.2 cli command "show ntp associations"
action 5.0 end
end
write memory
```
---
## Debug Commands
### NTP Debugging
```cisco
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity
! Disable debugging
undebug all
! Or
no debug all
```
### Conditional Debugging
```cisco
! Debug specific NTP server
debug ntp packets 10.1.1.10
! View debug output
terminal monitor
! Then enable debugging
```
**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp associations` | List all NTP peers and sync status |
| `show ntp associations detail` | Detailed peer statistics |
| `show clock` | Current system time |
| `show clock detail` | Time with timezone and DST info |
| `show calendar` | Hardware clock time |
| `show running-config \| include ntp` | Display NTP configuration |
| `show running-config \| include clock` | Display time configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `ntp update-calendar` | (config) Keep the hardware clock updated from the NTP-synced system clock |
| `clock update-calendar` | (exec) One-shot copy of the system clock to the hardware clock |
| `clock set HH:MM:SS DD Month YYYY` | Manually set system time |
---
## IOS-XE Specific Features
### NTP Broadcast
The ESS 9300 running IOS-XE supports NTP broadcast mode. A broadcast (or multicast) client takes time from any sender on its segment, so outside a fully trusted segment pair it with `ntp authenticate` and a trusted key (the per-interface `ntp broadcast` command accepts a `key` option) or stay with unicast servers:
```cisco
! Server sends periodic broadcasts
interface GigabitEthernet1/1
ntp broadcast
exit
! Client receives broadcasts
interface GigabitEthernet1/2
ntp broadcast client
exit
```
### NTP Multicast
```cisco
! Server sends to multicast group
interface GigabitEthernet1/1
ntp multicast 224.0.1.1
exit
! Client receives multicast
interface GigabitEthernet1/2
ntp multicast client 224.0.1.1
exit
```
### IPv6 NTP Support
```cisco
configure terminal
! IPv6 NTP server
ntp server 2001:db8::10 prefer
! IPv6 source interface
ntp source Vlan100
end
write memory
```
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `129.6.15.29` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
- `132.163.96.2` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
### Regional Pools
- `0.north-america.pool.ntp.org`
- `0.us.pool.ntp.org`
**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.
---
## Integration with Industrial Protocols
### PTP (Precision Time Protocol) Coexistence
The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:
- Use **PTP for sub-microsecond precision** (automation, motion control)
- Use **NTP for general timekeeping** (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications
### Synchronization with PLCs and SCADA
```cisco
! Configure NTP to serve time to industrial devices.
! A switch that is NTP-synchronized already answers client requests; `ntp master`
! is only for an isolated site with no upstream source, and then at a stratum
! higher than any real upstream so the free-running local clock never wins selection.
configure terminal
ntp source GigabitEthernet1/1
! ntp master 10        (isolated sites only)
! Allow the SCADA network to request time, but not to control-query or be synced to
ntp access-group serve-only 20
access-list 20 permit 10.50.0.0 0.0.255.255
end
write memory
```
---
## Differences from Nexus NX-OS
Key differences when coming from Nexus switches:
| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---------|---------------|-------------------|
| VRF syntax | `use-vrf management` | `ntp server vrf <name> <ip>` only when the server is reached through a VRF; otherwise omit it and use `ntp source` |
| Feature enable | `feature ntp` | Not required (built-in) |
| Calendar sync | N/A | `ntp update-calendar` |
| Save config | `copy run start` | `write memory` or `copy run start` |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | `mgmt0` | `GigabitEthernet0/0` |
---
## Document Information
**Target Platform:** Cisco Embedded Services 9300 (ESS9300)
**Operating System:** IOS-XE
**IOS-XE Versions:** 17.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments
For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.

---
title: NTP Deep dive on the Nexus
description: Config and troubleshoot
published: true
date: 2026-03-31T20:46:08.474Z
tags:
editor: markdown
dateCreated: 2026-03-31T20:45:58.287Z
---
# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.
---
## NTP Configuration
### Basic NTP Server Configuration
```cisco
configure terminal
! Enable NTP feature (if not already enabled)
feature ntp
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default
! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
! Save configuration
copy running-config startup-config
```
### NTP Authentication (Recommended for Production)
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys. The trailing 0 means the key is typed in clear text
! (the running-config will show it as type 7); use 7 only when pasting an
! already-encrypted string, otherwise the literal text is taken as the encrypted form
ntp authentication-key 1 md5 YourSecureKey123 0
ntp authentication-key 2 md5 AnotherSecureKey456 0
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2
copy running-config startup-config
```
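What `ntp authentication-key <id> md5 <key>` actually puts on the wire, for this section and for the IOS-XE Example 2 earlier on this page, as an added example (Python, not from either guide): an NTPv4 client packet with the RFC 5905 MAC appended (4-byte key id, then MD5 over the key string followed by the packet), and a verifier that mirrors `ntp trusted-key` by refusing a key id that is configured but not trusted. The key ids and key strings in `KEYRING` are made up.

```python
"""NTP symmetric-key authentication on the wire.

Added example, not from either guide: builds an NTPv4 client packet, appends
the RFC 5905 MAC that `ntp authentication-key <id> md5 <key>` produces
(4-byte key id, then MD5 over key || packet) and shows a verifier that, like
`ntp trusted-key`, rejects a key id that exists but is not trusted. The key
ids and key strings in KEYRING are made up.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800      # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN, KEY_ID_LEN, MD5_LEN = 48, 4, 16

# Constructed keyring: key 10 mirrors "ntp authentication-key 10 md5 ..." plus
# "ntp trusted-key 10"; key 11 is configured but deliberately not trusted.
KEYRING = {10: b"Ind_NTP_K3y_2024", 11: b"retired-key-2023"}
TRUSTED = {10}


def build_client_packet(transmit_unix_time: float) -> bytes:
    """48-byte NTPv4 header in client mode (mode 3) with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3            # LI=0, VN=4, mode=3 -> 0x23
    whole = int(transmit_unix_time)
    secs = whole + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    # stratum/poll/precision, root delay, root dispersion, reference id, and the
    # reference/originate/receive timestamps are all zero in a client request
    return struct.pack("!BBbb11I", li_vn_mode, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """MD5 MAC as defined for NTP: digest over the key string followed by the packet."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify_mac(datagram: bytes, keyring: dict, trusted: set) -> bool:
    """True only if the datagram carries a MAC computed with a trusted key."""
    if len(datagram) < HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False                                  # no MAC at all
    packet = datagram[:-(KEY_ID_LEN + MD5_LEN)]
    key_id = struct.unpack("!I", datagram[-(KEY_ID_LEN + MD5_LEN):-MD5_LEN])[0]
    mac = datagram[-MD5_LEN:]
    if key_id not in keyring or key_id not in trusted:
        return False                                  # unknown or untrusted key id
    expected = hashlib.md5(keyring[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac)         # constant-time compare


def demo() -> dict:
    """Exercise the verifier with a good MAC and the failure cases that matter."""
    pkt = build_client_packet(1_700_000_000.25)
    tampered = bytearray(append_mac(pkt, 10, KEYRING[10]))
    tampered[40] ^= 0x01                              # flip a bit in the transmit timestamp
    return {
        "good": verify_mac(append_mac(pkt, 10, KEYRING[10]), KEYRING, TRUSTED),
        "untrusted_key_id": verify_mac(append_mac(pkt, 11, KEYRING[11]), KEYRING, TRUSTED),
        "wrong_key": verify_mac(append_mac(pkt, 10, b"wrong"), KEYRING, TRUSTED),
        "tampered": verify_mac(bytes(tampered), KEYRING, TRUSTED),
        "no_mac": verify_mac(pkt, KEYRING, TRUSTED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

Two things follow from the construction. The key is a plain shared secret: the type-7 form in the running-config only obscures it on the box, so it deserves the same handling as a password. And MD5(key || packet) is a keyed digest, not an HMAC, over a legacy hash, which is why the guides' advice to rotate keys and to keep UDP 123 reachable only from the peers in the ACL matters; prefer a SHA-based key type where the platform offers one.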
### NTP Access Control (Security Best Practice)
```cisco
configure terminal
! Define access control for NTP. Once any access-group is configured,
! addresses that match no group are denied.
! peer:       answer time requests and control queries, and allow the switch to sync to them
! serve:      answer time requests and control queries, but never sync to them
! serve-only: answer time requests only (what clients need)
! query-only: answer control queries (mode 6/7) only, no time service
ntp access-group peer NTP-Peers
ntp access-group serve-only NTP-Serve
! Add a query-only group only for a monitoring host that needs control queries
! Create ACLs (names must match the access-group commands above)
ip access-list NTP-Peers
10 permit ip 10.1.1.0/24 any
20 deny ip any any
ip access-list NTP-Serve
10 permit ip 10.0.0.0/8 any
20 deny ip any any
copy running-config startup-config
```
### NTP Master Configuration (Switch as Time Source)
```cisco
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)
copy running-config startup-config
```
### Logging NTP Events
```cisco
configure terminal
! Enable logging for NTP
ntp logging
! Adjust logging level if needed
logging level ntp 6
copy running-config startup-config
```
---
## Verification Commands
### Check NTP Status
```cisco
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
```
### Check NTP Peers
```cisco
! List the configured peers/servers (no selection state is shown here)
show ntp peers
! Selection state, stratum, poll interval and reachability per peer
show ntp peer-status
! Legend printed above the table:
! * = selected for sync (the peer the clock follows)
! + = peer mode (active), - = peer mode (passive), = = polled in client mode
! remote: NTP server address
! local: local address used to reach it
! st: stratum level
! poll: polling interval (seconds)
! reach: reachability shift register in octal (377 = all of the last 8 polls answered)
! delay: round-trip delay
! vrf: VRF the peer is reached through
```
### Check NTP Statistics
```cisco
! Packet counters for one peer
show ntp statistics peer ipaddr 10.1.1.10
! Local NTP counters
show ntp statistics local
```
### Check NTP Authentication
```cisco
! Verify authentication keys
show ntp authentication-keys
! Check authentication status
show ntp authentication-status
```
### Check Time Configuration
```cisco
! Display current clock settings
show clock detail
! Show timezone configuration
show running-config | include clock
```
---
## Common Configuration Examples
### Example 1: Enterprise Configuration with Multiple Servers
```cisco
configure terminal
feature ntp
! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management
! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default
ntp source-interface mgmt0
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
ntp logging
copy running-config startup-config
```
### Example 2: Secure Configuration with Authentication
```cisco
configure terminal
feature ntp
ntp authenticate
! Trailing 0 = key entered in clear text (stored as type 7 in the running-config)
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024 0
ntp trusted-key 10
ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10
ntp access-group peer NTP-PEERS
ip access-list NTP-PEERS
10 permit ip 10.10.1.0/24 any
20 deny ip any any log
ntp source-interface mgmt0
ntp logging
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
copy running-config startup-config
```
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp peer-status`
**Troubleshooting Steps:**
1. **Verify NTP feature is enabled:**
```cisco
show feature | include ntp
! If disabled:
configure terminal
feature ntp
```
2. **Check network connectivity to NTP servers:**
```cisco
ping 10.1.1.10 vrf management
traceroute 10.1.1.10 vrf management
```
3. **Verify NTP packets are being exchanged:**
```cisco
show ntp peer-status
! Check 'reach' column - should be 377 octal (binary 11111111)
! Check 'poll' against the time since the last update in `show ntp status`
```
4. **Check for authentication mismatches:**
```cisco
show ntp authentication-status
! Verify keys match between switch and server
```
5. **Verify correct VRF is configured:**
```cisco
show running-config | include "ntp server"
! Ensure use-vrf matches your management connectivity
```
6. **Check firewall/ACL blocking UDP port 123:**
```cisco
! NTP uses UDP port 123
show ip access-lists
```
7. **Verify time offset isn't too large:**
```cisco
! If offset > 1000 seconds, NTP may refuse to sync
! Manually set clock closer to correct time:
clock set 14:30:00 15 January 2024
```
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High `clock offset` in `show ntp status`
**Troubleshooting Steps:**
1. **Check network latency:**
```cisco
ping 10.1.1.10 vrf management count 100
! Look for packet loss and high/variable latency
```
2. **Verify stratum levels:**
```cisco
show ntp peer-status
! Stratum (st) should be < 10 for reliable servers
! Lower stratum = closer to the reference clock
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm with multiple sources
```
4. **Check for upstream NTP issues:**
```cisco
show ntp peer-status
! Verify your NTP servers are synchronized
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- Authentication errors in logs
**Troubleshooting Steps:**
1. **Verify authentication is configured on both ends:**
```cisco
show ntp authentication-status
```
2. **Check key ID and values match:**
```cisco
show ntp authentication-keys
! Key ID and key string must match the server's
```
3. **Verify trusted keys are configured:**
```cisco
show running-config | include "ntp trusted-key"
```
4. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test connectivity
! Re-enable after testing:
ntp authenticate
```
### Issue: NTP Working but Time Still Wrong
**Symptoms:**
- `show ntp status` shows synchronized
- Clock shows incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock
! Ensure timezone matches your location
```
2. **Check daylight saving time settings:**
```cisco
show clock detail
! Verify DST is configured if applicable
```
3. **Confirm NTP server time is correct:**
```cisco
show ntp status
! Check the 'clock offset' line - should be small (< 100 msec typically)
```
### Issue: Cannot Add NTP Server
**Symptoms:**
- Configuration commands rejected
- "Invalid VRF" error
**Troubleshooting Steps:**
1. **Verify VRF exists:**
```cisco
show vrf
! Common VRFs: management, default
```
2. **Check if management interface is configured:**
```cisco
show running-config interface mgmt0
! Ensure IP address and VRF are configured
```
3. **Verify source interface exists:**
```cisco
show interface mgmt0 brief
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and redundancy
- Use diverse network paths to NTP servers when possible
- Consider using both internal and external NTP sources
### Security
- **Always use NTP authentication** in production environments
- Implement access control lists to limit NTP queries
- Use `use-vrf management` to isolate NTP traffic
- Monitor NTP logs for unusual activity
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2)
### Maintenance
- Regularly verify NTP synchronization status
- Monitor offset and jitter values
- Update authentication keys periodically
- Document your NTP server hierarchy
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds of actual time
- NTP will refuse to sync if offset is too large initially
- Use `clock set` command before enabling NTP on new switches
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include "Clock is"
show ntp peer-status | include "\*"
! Weekly detailed check
show ntp peer-status
show clock detail
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
! SNMPv2c sends the community string in clear text; use SNMPv3 authPriv where the receiver supports it
snmp-server host 10.1.1.100 traps version 2c YourCommunity
copy running-config startup-config
```
### Syslog Monitoring
```cisco
configure terminal
! Ensure NTP logging is enabled
ntp logging
! Configure syslog server
logging server 10.1.1.50 6 use-vrf management
! Set appropriate logging level
logging level ntp 6
copy running-config startup-config
```
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp peers` | List configured NTP peers/servers |
| `show ntp peer-status` | Selection flag (*), stratum, poll and reach per peer |
| `show clock detail` | Current time and configuration |
| `show feature \| include ntp` | Verify NTP feature enabled |
| `show running-config \| include ntp` | Display NTP configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `clear ntp statistics` | Reset NTP statistics |
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.
---
## Document Information
**Target Platform:** Cisco Nexus 93180
**NX-OS Versions:** 7.x, 9.x, 10.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide
For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.

---
title: Voyager SW10GG Upgrade
description: Cisco ESS 9300
published: true
date: 2026-03-19T15:24:41.320Z
tags:
editor: markdown
dateCreated: 2026-03-19T15:24:35.613Z
---
# Cisco ESS9300 — IOS XE Software Upgrade Guide
---
## Platform Overview
The Cisco Embedded Services 9300 (ESS9300) is a ruggedized, embedded-form-factor switch running **Cisco IOS XE**. It shares its software lineage with the Catalyst 9300 family and uses the same IOS XE upgrade methodology. Software image files are stored on the system board flash device (`flash:`). The ESS9300 supports two boot modes:
- **Install Mode** *(recommended)* — software is expanded into discrete package files; supports rollback and clean uninstall
- **Bundle Mode** — the switch boots directly from a monolithic `.bin` file
> **Note:** All procedures in this guide use Install Mode. Cisco recommends Install Mode for all IOS XE upgrades on the ESS9300 platform. Verify your current boot mode before proceeding.
---
## 1. Pre-Upgrade Checks
### Verify Current Software Version and Boot Mode
```
show version
show boot
```
Confirm the `BOOT variable` points to `flash:packages.conf` (Install Mode). If it shows a `.bin` filename, you are in Bundle Mode — see the Bundle Mode section at the end of this document before proceeding.
### Check Switch Health
```
show module
show environment all
show logging last 100
```
Resolve any hardware faults, environmental alarms, or persistent log errors before proceeding.
### Check FPGA Version (xFSU Consideration)
If you intend to use Extended Fast Software Upgrade (xFSU) to minimize downtime, check FPGA eligibility:
```
show xfsu eligibility
```
> **Note:** `show xfsu eligibility` is available in IOS XE 17.8 and later. All fields must report `Yes` or `Eligible` for xFSU to proceed. If the FPGA is unsupported, a standard install with reload is required first.
### Verify Flash Space
IOS XE images for the ESS9300 platform typically require **11.5 GB** of free flash space. Check available space and remove inactive packages if necessary:
```
dir flash:
install remove inactive
```
### Backup the Running Configuration
```
copy running-config startup-config
copy running-config flash:backup-config.txt
```
---
## 2. Obtain the IOS XE Image
1. Navigate to [https://software.cisco.com](https://software.cisco.com) and log in. A valid Cisco service contract is required.
2. Go to **Downloads → Switches → Industrial Ethernet Switches → Embedded Services 9300 Series**.
3. Select the target IOS XE release. Download the appropriate `cat9k_iosxe.xx.xx.xx.SPA.bin` image.
4. Record the **MD5 checksum** from the download page for later verification.
> **Upgrade Path:** Confirm that your current IOS XE release and the target release form a supported direct upgrade path. Certain version combinations require an intermediate stepping-stone upgrade. Review the target release notes and the IOS XE Migration Guide for IIoT Switches before proceeding.
---
## 3. Transfer the Image to the Switch
### Option A — SCP from Windows PC (OpenSSH)
Verify the OpenSSH Server service is running on your PC:
```
net start sshd
```
From the switch CLI, pull the image from the Windows PC:
```
copy scp://YourUsername@<PC-IP>/C:/path/to/<image>.bin flash: vrf management
```
> **Tip:** Place the image in a short, space-free path such as `C:\ios\` to avoid syntax errors.
### Option B — TFTP
From the switch CLI:
```
copy tftp://<TFTP-Server-IP>/<image>.bin flash: vrf management
```
### Option C — USB Drive
Format a USB drive as FAT32 and copy the image to the root. Insert into the switch USB port, then from the CLI:
```
copy usbflash0:<image>.bin flash:
```
Verify the USB is recognized:
```
dir usbflash0:
```
---
## 4. Verify the Image Integrity
Confirm the image is present on flash:
```
dir flash:
```
Verify the MD5 checksum against the value from the Cisco download page:
```
verify /md5 flash:<image>.bin
```
Do not proceed if the checksum does not match — re-transfer the image.
---
## 5. Set the Boot Variable (Install Mode)
Ensure the boot variable is correctly configured before proceeding:
```
configure terminal
no boot system
boot system flash:packages.conf
end
write memory
```
Verify:
```
show boot
```
The `BOOT variable` line must read `flash:packages.conf`.
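The checks in sections 1, 4 and 5 as one gate, as an added example (Python, not part of the guide): it verifies the image's MD5 against the value recorded from the download page, reads the `BOOT variable` line of `show boot` to confirm install mode, and reads the free-space figure from `dir flash:`. The CLI outputs embedded in it are constructed, and the required free space is a parameter rather than the guide's figure.

```python
"""Pre-upgrade gate for the install-mode procedure in sections 1 to 5.

Added example, not from the guide: it checks what the guide says to confirm
before `install add ... activate commit`: the image MD5 matches the value
recorded from the Cisco download page, `show boot` points at
flash:packages.conf (install mode), and `dir flash:` reports enough free space.
The CLI outputs below are constructed; the required free space is a parameter
because the figure depends on the release.
"""
import hashlib
import hmac
import re

# Constructed stand-ins for what you would paste from the switch
SHOW_BOOT_INSTALL = "BOOT variable = flash:packages.conf;\nMANUAL_BOOT variable = no\n"
SHOW_BOOT_BUNDLE = "BOOT variable = flash:cat9k_iosxe.xx.xx.xx.SPA.bin;\nMANUAL_BOOT variable = no\n"
DIR_FLASH = "Directory of flash:/\n\n11353194496 bytes total (9118064640 bytes free)\n"
CONSTRUCTED_IMAGE = b"not a real cat9k_iosxe image, just bytes for the checksum demo\n" * 64


def image_md5(source) -> str:
    """MD5 of an image given as bytes (tests) or a filesystem path, streamed in 1 MiB chunks."""
    h = hashlib.md5()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()


def image_checksum_ok(source, expected_md5: str) -> bool:
    """The offline equivalent of `verify /md5 flash:<image>.bin`; compared in constant time."""
    return hmac.compare_digest(image_md5(source), expected_md5.strip().lower())


def boot_mode(show_boot: str) -> str:
    """'install' if BOOT points at packages.conf, 'bundle' if at a .bin, else 'unknown'."""
    m = re.search(r"^BOOT variable\s*=\s*(\S+?);?\s*$", show_boot, re.MULTILINE)
    if not m:
        return "unknown"
    target = m.group(1).lower()
    if target.endswith("packages.conf"):
        return "install"
    if target.endswith(".bin"):
        return "bundle"
    return "unknown"


def flash_free_bytes(dir_flash: str) -> int:
    """Free space from the trailing 'N bytes total (M bytes free)' line of `dir flash:`."""
    m = re.search(r"\((\d+) bytes free\)", dir_flash)
    return int(m.group(1)) if m else 0


def preflight(image, expected_md5: str, show_boot: str, dir_flash: str,
              required_free_bytes: int) -> list:
    """Empty list means go; each entry is a blocker with the guide's fix for it."""
    problems = []
    if not image_checksum_ok(image, expected_md5):
        problems.append("MD5 mismatch: do not install, re-transfer the image")
    mode = boot_mode(show_boot)
    if mode != "install":
        problems.append(f"boot mode is {mode}: set 'boot system flash:packages.conf' and write memory")
    free = flash_free_bytes(dir_flash)
    if free < required_free_bytes:
        problems.append(f"{free} bytes free on flash is below {required_free_bytes}: run 'install remove inactive'")
    return problems


if __name__ == "__main__":
    expected = image_md5(CONSTRUCTED_IMAGE)          # stands in for the download-page value
    print("go" if not preflight(CONSTRUCTED_IMAGE, expected, SHOW_BOOT_INSTALL, DIR_FLASH, 1 << 30) else "blocked")
    for p in preflight(CONSTRUCTED_IMAGE, "0" * 32, SHOW_BOOT_BUNDLE, DIR_FLASH, 1 << 40):
        print("blocked:", p)
```

In real use, pass the path of the image copied off the switch (or the one you are about to push) and the two command outputs pasted from the session; the checksum comparison is deliberately constant-time and case-insensitive so a value copied from the download page with trailing whitespace still matches.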
---
## 6. Install and Activate the New Image
### Standard Install (Requires Reload)
Run the following command to stage, activate, and commit the new image. The switch will prompt for a reload — respond `y` to confirm:
```
install add file flash:<image>.bin activate commit
```
The process will:
1. Expand the `.bin` into package files on flash
2. Activate the new packages
3. Prompt for a reload
4. Commit the new version as the running baseline on first successful boot
> **Important:** Do not interrupt the process or remove power during installation or reload. The entire operation typically completes within 10 to 15 minutes.
### Extended Fast Software Upgrade — xFSU (Reduced Downtime, IOS XE 17.8+)
If the switch passed the `show xfsu eligibility` check, xFSU can be used to minimize traffic downtime during the upgrade:
```
install add file flash:<image>.bin activate xfsu commit
```
> xFSU keeps the data plane forwarding during the control plane reload. Residual traffic loss is typically under 3 minutes. xFSU is not equivalent to ISSU — a brief reload still occurs.
For IOS XE 17.3 and 17.6 (pre-17.8 syntax):
```
install add file flash:<image>.bin activate reloadfast commit
```
---
## 7. Post-Upgrade Verification
After the switch reloads, confirm the upgrade was successful:
```
show version
show boot
show module
show environment all
show interface status
show logging last 50
```
Confirm that:
- The IOS XE version matches the target release
- `BOOT variable` still shows `flash:packages.conf`
- All modules, interfaces, and environmental readings are normal
- No new faults or errors appear in the system log
---
## 8. Clean Up Old Installation Files
Once the upgrade is confirmed stable, remove inactive packages to reclaim flash space:
```
install remove inactive
```
Confirm when prompted.
---
## Bundle Mode Upgrade (Alternative)
If the switch is currently running in Bundle Mode (boots from a `.bin` file), use the following procedure instead of the Install Mode steps above:
```
configure terminal
no boot system
boot system flash:<new-image>.bin
end
write memory
reload
```
After reloading, verify with `show version`. Bundle Mode does not support rollback. Cisco recommends transitioning to Install Mode going forward by setting the boot variable to `flash:packages.conf` and running `install add file flash:<image>.bin activate commit`.
---
## ROMMON Upgrade (If Required)
On the first boot of a new IOS XE release, the primary SPI flash ROMMON is upgraded automatically if a newer bootloader version is included in the release. This is expected behavior.
The golden SPI flash ROMMON requires a manual upgrade and is only necessary in specific recovery scenarios:
```
upgrade rom-monitor capsule golden switch active
```
The golden ROMMON update takes effect on the next reload. Refer to the release notes to determine whether a ROMMON upgrade is applicable to your target release.
---
## Emergency Recovery
If the switch fails to boot or is stuck at the ROMMON prompt, use the following recovery procedure:
1. Connect a terminal to the console port (RJ-45 or USB-mini, 9600 baud / 8N1).
2. Connect port **Gi1/3** to a PC running a TFTP server with a valid IOS XE image at the TFTP root.
3. If the switch is in a boot loop, hold the front-panel button for approximately 5 seconds to break the cycle and stop at the `switch:` prompt.
4. From the ROMMON prompt, configure network parameters and boot the recovery image:
```
switch: boot emgy0:<image>.SPA.bin
```
---
## Key Reminders
- Schedule upgrades during a **maintenance window**. The ESS9300 does not have a redundant supervisor — traffic will be interrupted during the reload unless xFSU is used.
- The boot loader (ROMMON) may be automatically upgraded on the first boot of a new IOS XE release. This is normal and does not indicate a failure.
- Smart Licensing Using Policy (SLUP) is enforced in newer IOS XE releases. Licenses remain in evaluation mode until the device is registered with Cisco Smart Software Manager (CSSM) or a satellite server.
- Starting with IOS XE 17.10, legacy SSH key exchange and MAC algorithms were removed from the default cipher list. If SSH access is disrupted post-upgrade, use the `ip ssh server algorithm kex` and `ip ssh server algorithm mac` commands to restore required algorithms.
- If the switch uses an FPGA profile (e.g., for PRP or CTS IPv6), review the FPGA profile behavior in the target release notes. Profile configurations may need to be reselected after upgrade before writing to startup-config.

---
title: Voyager SW26G Upgrade
description: Cisco ESS 3300 Upgrade
published: true
date: 2026-03-19T15:46:20.810Z
tags:
editor: markdown
dateCreated: 2026-03-19T15:46:15.200Z
---
# Cisco ESS3300 — IOS XE Software Upgrade Guide
---
## Platform Overview
The Cisco Embedded Services 3300 (ESS3300) is a ruggedized, embedded-form-factor switch running **Cisco IOS XE**. Software images are stored on the system board flash device (`flash:`). The ESS3300 supports two boot modes:
- **Install Mode** *(recommended)* — software is expanded into discrete package files; supports rollback
- **Bundle Mode** — the switch boots directly from a monolithic `.bin` file
> **Note:** All procedures in this guide use Install Mode. Cisco recommends Install Mode for all IOS XE upgrades. Verify your current boot mode before proceeding.
---
## 1. Pre-Upgrade Checks
### Verify Current Software Version and Boot Mode
```
show version
show boot
```
Confirm the `BOOT variable` points to `flash:packages.conf` (Install Mode). If it shows a `.bin` file, you are in Bundle Mode — see the Bundle Mode section at the end of this document before proceeding.
### Check Switch Health
```
show module
show environment all
show logging last 100
```
Resolve any hardware faults, fan alarms, or recurring log errors before proceeding.
### Verify Flash Space
IOS XE images typically require **1 to 1.5 GB** of free flash space. Check available space and clean up inactive packages if necessary:
```
dir flash:
install remove inactive
```
Confirm the space is sufficient before copying the new image.
### Backup the Running Configuration
```
copy running-config startup-config
copy running-config flash:backup-config.txt
```
---
## 2. Obtain the IOS XE Image
1. Navigate to [https://software.cisco.com](https://software.cisco.com) and log in. A valid Cisco service contract is required.
2. Go to **Downloads → Switches → Industrial Ethernet Switches → Embedded Services 3300 Series**.
3. Select the target IOS XE release. Download the appropriate `.bin` image for the ESS3300 platform.
4. Record the **MD5 checksum** from the download page for later verification.
> **Upgrade Path:** Verify that your current release and target release form a supported direct upgrade path. Some versions require an intermediate "stepping stone" release. Refer to the release notes for the target version before proceeding.
---
## 3. Transfer the Image to the Switch
### Option A — SCP from Windows PC (OpenSSH)
Verify the OpenSSH Server service is running on your PC:
```
net start sshd
```
No SCP server needs to be enabled on the switch for this step: the switch acts as the SCP client and pulls the file from the PC. (`feature scp-server` is NX-OS syntax and does not exist on IOS XE; the IOS XE equivalent, `ip scp server enable`, is only required if you push the image to the switch instead.)
From the switch CLI, pull the image from the Windows PC:
```
copy scp://YourUsername@<PC-IP>/C:/path/to/<image>.bin flash:
```
> **Tip:** Place the image in a short path with no spaces, such as `C:\ios\`, to avoid syntax issues. If the transfer leaves through an interface that sits in a management VRF, append `vrf <vrf-name>` to the `copy` command; `vrf management` is the NX-OS VRF name and does not apply here.
### Option B — TFTP
From the switch CLI:
```
copy tftp://<TFTP-Server-IP>/<image>.bin flash:
```
### Option C — USB Drive
Format the USB drive as FAT32 and copy the image to the root of the drive. Insert the drive into the switch USB port, then from the CLI:
```
copy usbflash0:<image>.bin flash:
```
---
## 4. Verify the Image Integrity
Confirm the image copied successfully:
```
dir flash:
```
Verify the MD5 checksum matches the value from the Cisco download page:
```
verify /md5 flash:<image>.bin
```
Do not proceed if the checksum does not match — re-transfer the image.
---
## 5. Set the Boot Variable (Install Mode)
Ensure the boot variable is correctly set to `packages.conf` before installing:
```
configure terminal
no boot system
boot system flash:packages.conf
end
write memory
```
Verify:
```
show boot
```
The `BOOT variable` line should read `flash:packages.conf`.
---
## 6. Install and Activate the New Image
Run the install command to stage, activate, and commit the new image in a single operation. The switch prompts before it reloads; respond `y` to confirm:
```
install add file flash:<image>.bin activate commit
```
The process will:
1. Expand the `.bin` into package files on flash
2. Activate the new packages
3. Prompt for a reload
4. Commit the new version as the running baseline on first boot
> **Important:** Do not interrupt the process or remove power during installation or reload.
---
## 7. Post-Upgrade Verification
After the switch reloads, verify the upgrade was successful:
```
show version
show boot
show module
show environment all
show interface status
```
Confirm that:
- The IOS XE version matches the target release
- `BOOT variable` still shows `flash:packages.conf`
- All modules and interfaces are in the expected state
- No new errors appear in the system log (`show logging last 50`)
---
## 8. Clean Up Old Installation Files
Once the upgrade is confirmed stable, remove inactive packages to reclaim flash space:
```
install remove inactive
```
Confirm when prompted.
---
## Bundle Mode Upgrade (Alternative)
If the switch is running in Bundle Mode (boots from a `.bin` file), use the following procedure instead of the Install Mode steps above:
```
configure terminal
no boot system
boot system flash:<new-image>.bin
end
write memory
reload
```
After reloading, verify with `show version`. Note that Bundle Mode does not support rollback. Cisco recommends converting to Install Mode going forward.
---
## Emergency Recovery
If the switch is stuck at the `switch:` ROMMON prompt or is in a boot loop, use the emergency recovery procedure:
1. Connect a terminal to the console port (RJ-45 or USB-mini, 9600 baud / 8N1).
2. Connect port **Gi1/3** to a PC running a TFTP server with a valid IOS XE image at the TFTP root.
3. If in a boot loop, hold the front-panel button for approximately 5 seconds to break the cycle and stop at the `switch:` prompt.
4. From the `switch:` prompt, boot the emergency install image:
```
switch: boot emgy0:<image>.SPA.bin
```
---
## Key Reminders
- Schedule upgrades during a **maintenance window**. The ESS3300 has no redundant supervisor — traffic will be interrupted during the reload.
- In a stacked or redundant deployment, upgrade the secondary/standby unit first, then the primary.
- The boot loader (ROMMON) may be automatically upgraded on the first boot of a new IOS XE release. This is expected behavior and does not indicate a failure.
- Smart Licensing requires registration after upgrading to a release that introduces Smart Licensing Using Policy (SLUP). Existing licenses remain in evaluation mode until registered.
- Starting with IOS XE 17.10, certain legacy SSH key exchange and MAC algorithms were removed from the default list. Review the target release notes if SSH access is affected post-upgrade.

---
title: Nexus Upgrade
description:
published: true
date: 2026-02-19T20:37:41.384Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:37:32.957Z
---
# Cisco Nexus C9300GX-CD — NX-OS Upgrade Guide
---
## 1. Pre-Upgrade Checks
### Verify Current Version and Switch Health
```
show version
show module
show environment
show logging last 100
```
### Check Bootflash Space
Ensure at least 2GB of free space is available:
```
dir bootflash:
```
### Save Your Running Configuration
```
copy running-config startup-config
copy running-config bootflash:backup-config.txt
```
### Check Upgrade Compatibility
Verify your current and target NX-OS versions are a supported upgrade path using Cisco's [Nexus 9000 Upgrade and ISSU Matrix](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/). Some versions require intermediate "stepping stone" upgrades.
---
## 2. Download the NX-OS Image
1. Go to [https://software.cisco.com](https://software.cisco.com) and log in (a valid service contract is required).
2. Navigate to **Downloads → Switches → Data Center Switches → Nexus 9000 Series**.
3. Select your target NX-OS release and download the appropriate image (e.g., `nxos64-cs.10.5.4.M.bin`).
4. Note the **MD5 checksum** listed on the download page for later verification.
---
## 3. Transfer the Image to the Switch
### Option A: Using Windows OpenSSH Server (SCP)
#### Verify OpenSSH Server is Running on Windows
Open PowerShell or Command Prompt and run:
```
net start sshd
```
Or in PowerShell:
```powershell
Start-Service sshd
```
Confirm the firewall rule exists for port 22:
```
netsh advfirewall firewall show rule name="OpenSSH Server (sshd)"
```
Find your PC's IP address:
```
ipconfig
```
#### Enable SCP Server on the Switch
```
feature scp-server
```
#### Pull the File from the Switch CLI
From the switch, use the `copy` command to pull the file from your Windows PC:
```
copy scp://Phil@192.168.0.3/C:/Users/Phil.SIL-PC49/Desktop/9300GX/nxos64-cs.10.5.4.M.bin bootflash: vrf management
```
> **Tip:** If the path is long or contains spaces, move the file to a simple location like `C:\nxos\` first:
> ```
> copy scp://YourUsername@192.168.0.x/C:/nxos/nxos64-cs.10.5.4.M.bin bootflash: vrf management
> ```
---
## 4. Verify the Image
Confirm the file is on bootflash:
```
dir bootflash:
```
Verify the MD5 checksum matches what Cisco published:
```
show file bootflash:nxos64-cs.10.5.4.M.bin md5sum
```
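The on-box `show file ... md5sum` check above (and `verify /md5` in the ESS3300 guide) is the last line of defence; the same check is cheap to run on the PC before the image ever leaves it. The following is an added example, not part of either wiki page: it streams the file once, computes every digest you hand it, and refuses to report success on an MD5 match alone, since MD5 is no longer collision resistant and the Cisco download page also publishes a SHA512. The `demo()` function and its `b"abc"` sample file are constructed for illustration; in use, pass the real image path and the digests copied from the download page.

```python
"""Check a downloaded image against the digests printed on the Cisco download
page before copying it to the switch. Added example, not from the original
pages; it mirrors the on-box `verify /md5` and `show file ... md5sum` checks
but runs on the PC, and it treats an MD5-only match as insufficient because
MD5 is no longer collision resistant. Supply the SHA512 whenever it is shown.
"""
import hashlib
import os
import tempfile


def file_digests(path, algorithms=("md5", "sha512"), chunk=1 << 20):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """expected maps algorithm name to the published hex digest.

    Returns (ok, report). ok is True only when every supplied digest matches
    and at least one of them is stronger than MD5.
    """
    expected = {k.lower(): v.strip().lower() for k, v in expected.items()}
    actual = file_digests(path, algorithms=tuple(expected))
    report = {name: actual[name] == expected[name] for name in expected}
    strong_match = any(ok for name, ok in report.items() if name != "md5")
    return all(report.values()) and strong_match, report


def demo():
    """Constructed check on a temp file containing b'abc' (a standard test vector)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    try:
        md5_abc = "900150983cd24fb0d6963f7d28e17f72"  # MD5("abc")
        sha512_abc = hashlib.sha512(b"abc").hexdigest()
        both_ok, _ = verify_image(path, {"md5": md5_abc, "sha512": sha512_abc})
        md5_only, _ = verify_image(path, {"md5": md5_abc})
        tampered, report = verify_image(path, {"md5": md5_abc, "sha512": "0" * 128})
        return both_ok, md5_only, tampered, report
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The `report` dictionary tells you which digest failed, which matters in practice: an MD5 match with a SHA512 mismatch means the download page values were copied wrong or the file was substituted, and either way the image should not be transferred.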
---
## 5. Pre-Install Compatibility Check
Run the incompatibility check before upgrading to identify any configuration or feature conflicts:
```
show incompatibility-all nxos bootflash:nxos64-cs.10.5.4.M.bin
```
Review the output carefully and resolve any flagged issues before proceeding.
---
## 6. Perform the Upgrade
### Disruptive Upgrade (Recommended — Requires Maintenance Window)
The switch will reload. This is the simplest and most reliable method:
```
install all nxos bootflash:nxos64-cs.10.5.4.M.bin
```
### Non-Disruptive ISSU (In-Service Software Upgrade)
Data plane stays up; control plane resets (~120 seconds). Must confirm version compatibility first:
```
install all nxos bootflash:nxos64-cs.10.5.4.M.bin non-disruptive
```
> The `install all` command performs a final compatibility check and prompts for confirmation before making any changes.
---
## 7. Post-Upgrade Verification
```
show version
show module
show environment
show interface status
```
Confirm the new NX-OS version is running and all modules/interfaces are healthy.
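The post-upgrade checks in this section, and in section 7 of the ESS9300 and ESS3300 guides above, ask a person to eyeball three things: the running release, the boot variable (IOS XE Install Mode only) and the recent syslog. The script below is an added example, not part of any of the original pages, that applies those checks to pasted `show version`, `show logging last 50` and `show boot` output for both IOS XE and NX-OS formats. The sample outputs are constructed in each platform's message format and are not captures from these switches; the benign-mnemonic list is an assumption you would extend for your own environment.

```python
"""Post-upgrade verification for the IOS XE (ESS9300, ESS3300) and NX-OS
procedures above, as an added example; it is not part of the original pages.
The sample outputs below are constructed in each platform's format.
"""
import re

IOSXE_VERSION = """\
Cisco IOS XE Software, Version 17.09.04a
Cisco IOS Software [Cupertino], ESS9300 Software, Version 17.9.4a, RELEASE SOFTWARE (fc3)
"""
IOSXE_BOOT = "BOOT variable = flash:packages.conf;\nMANUAL_BOOT variable = no\n"
IOSXE_LOG = """\
*Feb 20 19:24:28.054: %SYS-5-RESTART: System restarted --
*Feb 20 19:24:40.311: %LINK-3-UPDOWN: Interface GigabitEthernet1/3, changed state to up
*Feb 20 19:25:02.100: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 15.0.2.146 port 514 started
"""
NXOS_VERSION = "Software\n  BIOS: version 07.69\n  NXOS: version 10.5(4)(M)\n"
NXOS_LOG = """\
2026 Feb 19 20:37:41 AT1EU-NEXUS-1 %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed
2026 Feb 19 20:38:10 AT1EU-NEXUS-1 %ETHPORT-5-IF_UP: Interface port-channel10 is up in mode trunk
"""

VERSION_PATTERNS = (
    re.compile(r"Cisco IOS XE Software, Version (\S+)"),  # IOS XE
    re.compile(r"NXOS: version (\S+)"),                   # NX-OS
)
# %FACILITY-SEVERITY-MNEMONIC; severity 0 (emergency) .. 7 (debug)
SYSLOG_RE = re.compile(r"%([A-Z0-9_]+-(\d)-[A-Z0-9_]+)")
# Severity-3 messages expected during a reload; assumed list, extend as needed
BENIGN = {"LINK-3-UPDOWN"}


def running_version(show_version):
    for pattern in VERSION_PATTERNS:
        if m := pattern.search(show_version):
            return m.group(1)
    return None


def boot_variable(show_boot):
    m = re.search(r"BOOT variable\s*=\s*([^;\s]+)", show_boot)
    return m.group(1) if m else None


def log_alerts(show_logging, max_severity=3):
    """Lines at severity <= max_severity whose mnemonic is not on the benign list."""
    alerts = []
    for line in show_logging.splitlines():
        m = SYSLOG_RE.search(line)
        if m and int(m.group(2)) <= max_severity and m.group(1) not in BENIGN:
            alerts.append(line)
    return alerts


def verify_upgrade(target, show_version, show_logging, show_boot=None):
    """target is the exact release string expected in show version."""
    running = running_version(show_version)
    result = {"running": running, "version_ok": running == target,
              "alerts": log_alerts(show_logging)}
    if show_boot is not None:  # Install Mode check, IOS XE only
        result["boot_ok"] = boot_variable(show_boot) == "flash:packages.conf"
    result["ok"] = (result["version_ok"] and not result["alerts"]
                    and result.get("boot_ok", True))
    return result


if __name__ == "__main__":
    print(verify_upgrade("17.09.04a", IOSXE_VERSION, IOSXE_LOG, IOSXE_BOOT))
    print(verify_upgrade("10.5(4)(M)", NXOS_VERSION, NXOS_LOG))
```

The NX-OS sample deliberately fails: a severity-2 vPC keepalive message after a reload is exactly the kind of line that gets lost in a 50-line scroll, and on a vPC pair it should block the upgrade of the second switch until explained.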
---
## 8. Clean Up Old Images (Optional)
Once you have confirmed a successful upgrade, remove the old image to free bootflash space:
```
delete bootflash:nxos64-cs.<old_version>.bin
```
---
## Key Tips
- Always schedule upgrades during a **maintenance window**, even for ISSU, as the C9300GX has a single supervisor.
- In a **vPC pair**, upgrade the **secondary switch first**, then the primary.
- Never interrupt power during the upgrade process.
- Keep a backup of your configuration before starting.

---
title: C9300GX-1 Build
description:
published: true
date: 2026-02-19T20:47:10.482Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:45:10.926Z
---
# AT1EU-NEXUS-1 — Cisco Nexus 9300 Configuration
## Overview
AT1EU-NEXUS-1 is the **primary** switch in a vPC pair (role priority 10, lower = preferred). It runs NX-OS 10.3(7) and forms a vPC domain with AT1EU-NEXUS-2. The two switches share a vPC peer-link (Po10) across Eth1/47 and Eth1/48, and use out-of-band management (mgmt0 at 192.168.0.1) for the vPC peer-keepalive path.
**Key roles of this switch:**
- vPC primary (role priority 10)
- STP root bridge for management/native VLANs (priority 8192 for VLANs 1, 66)
- Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.121/24)
- NTP master (stratum 3)
- Upstream connections: 500e-X1 (Po3), 500e-X2 (Po4), 9300 (Po124)
- Storage connections: AFF300-A (Po127), AFF300-B (Po128), FAS2750-A (Po129), FAS2750-B (Po130), A70-A (Po131), A70-B (Po132)
- Compute connections: UCS-A (Po125), UCS-B (Po126)
---
## Cut-and-Paste Configuration
```
conf t
switchname AT1EU-NEXUS-1
! --- QoS: Jumbo Frame Policy ---
policy-map type network-qos JUMBO
class type network-qos class-default
mtu 9216
! --- VDC Resource Limits ---
vdc AT1EU-NEXUS-1 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
! --- Features ---
feature nxapi
feature bash-shell
feature scp-server
cfs eth distribute
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature telemetry
! --- RBAC ---
role name network-ro
rule 2 permit read
rule 1 permit command show running-config
! --- Users ---
username admin password 5 $5$MFJCIC$AJyskD7vdoVFKK5cTS2lO20omFL4XFrgqNB94qDA5Z2 role network-admin
ssh key rsa 2048
! --- Banner ---
banner motd ^
********************* DOD NOTICE AND CONSENT BANNER *************************
* You are accessing a U.S. Government (USG) Information System (IS) that is *
* provided for USG-authorized use only. By using this IS (which includes any*
* device attached to this IS), you consent to the following conditions: *
*-The USG routinely intercepts and monitors communications on this IS for *
* purposes including, but not limited to, penetration testing, COMSEC *
* monitoring, network operations and defense, personnel misconduct (PM), *
* law enforcement (LE), and counterintelligence (CI) investigations. *
*-At any time, the USG may inspect and seize data stored on this IS. *
*-Communications using, or data stored on, this IS are not private, are *
* subject to routine monitoring, interception, and search, and may be *
* disclosed or used for any USG-authorized purpose. *
*-This IS includes security measures (e.g., authentication and access *
* controls) to protect USG interests--not for your personal benefit or *
* privacy. *
*-Notwithstanding the above, using this IS does not constitute consent to *
* PM, LE or CI investigative searching or monitoring of the content of *
* privileged communications, or work product, related to personal *
* representation or services by attorneys, psychotherapists, or clergy, and *
* their assistants. Such communications and work product are private and *
* confidential. See User Agreement for details. *
************************ POC: SIL Network Team ****************************
^
! --- SSH ---
ssh ciphers aes256-gcm
! --- DNS & Domain ---
ip domain-lookup
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
ip domain-name atom.dev use-vrf Atom
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom
! --- RADIUS ---
radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting
radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting
aaa group server radius NETMAN_RADIUS
server 15.0.11.68
server 15.32.11.68
use-vrf Atom
! --- Management ACL ---
ip access-list SWITCH_MGMT
10 permit ip 15.0.11.150/32 any log
20 permit ip 15.0.11.151/32 any log
30 permit ip 15.32.2.154/32 any log
40 permit ip 15.0.2.154/32 any log
50 permit ip 15.32.2.1/32 any log
60 permit ip 15.0.2.1/32 any log
70 permit ip 15.0.2.2/32 any log
80 permit ip 15.0.11.47/32 any log
90 permit ip 15.32.11.45/32 any log
93 permit ip 15.32.11.150/32 any log
100 deny ip any any log
! --- System QoS ---
system qos
service-policy type network-qos JUMBO
copp profile strict
! --- SNMP ---
snmp-server user admin network-admin auth sha 042F64DB5D2E0D40DF543D6A00495F1F18F9DD5FED7B priv aes-128 00540CF9793F282ED96D666B110B00753FC3F269E964 localizedV2key
snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc
snmp-server enable traps config ccmCLIRunningConfigChanged
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
! --- NTP ---
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp source-interface Vlan502
ntp authenticate
ntp authentication-key 123 md5 pz5yamz 7
ntp trusted-key 123
ntp logging
ntp master 3
! --- AAA ---
aaa authentication login default group NETMAN_RADIUS local
aaa authentication login console group NETMAN_RADIUS local
aaa accounting default group NETMAN_RADIUS local
system default switchport
no ip source-route
! --- VLANs ---
vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871
vlan 1882-1883,1885,1905,3563,3965
vlan 2
name TEST_CLUS_COMM
vlan 8
name FP_Test1
vlan 10
name NESS_BOX_TRANSIT
vlan 12
name FP_Test2
vlan 66
name NATIVE_VLAN
vlan 85
name NESS_Temp
vlan 100
name migration
vlan 101
name iscsi_csv
vlan 102
name iscsi_boot
vlan 103
name Netapp_XFER
vlan 107
name Test
vlan 108
name NET_TEST_NET
vlan 121
name Atom_Backup
vlan 123
name storage
vlan 124
name Admin_iSCSI
vlan 130
name SIL_SNAPMIRROR
vlan 143
name Secman_Storage
vlan 146
name Foxhound_Storage
vlan 150
name iscsi
vlan 153
name Javelin(L4)
vlan 157
name GNext_Storage
vlan 158
name Ness_Storage
vlan 188
name JASON_NFS
vlan 321
name ATOM_Backup
vlan 323
name AT-vServer
vlan 340
name ucs_test
vlan 342
name MadHatter_SVM_Mgmt
vlan 349
name Rock_SVM3_Mgmt
vlan 353
name Javlin_SVM
vlan 374
name Rock_Backup_Mgmt
vlan 382
name Darrin_User
vlan 501
name MGMT
vlan 502
name Atom_User2
vlan 504
name Commvault_Test
vlan 505
name NETAPP_SNAP
vlan 549
name WDS
vlan 551
name L4_User
vlan 559
name Victory_WS_L4
vlan 562
name Brace(L3)_User
vlan 667
name Britt_Test
vlan 668
name RockTesters(L4)_User
vlan 672
name GTRI_User
vlan 673
name VDI(L5)
vlan 701
name MH_L3_DATA_HLCI
vlan 702
name MH_L4_DATA_HLCI
vlan 704
name Legacy-704
vlan 705
name Legacy-705
vlan 706
name Legacy-706
vlan 707
name Legacy-707
vlan 708
name Legacy-708
vlan 709
name Legacy-709
vlan 710
name Legacy-710
vlan 721
name GTRI_JAVELIN_L4-721
vlan 740
name NETMAN
vlan 750
name l4_secman
vlan 751
name Secman_DMP-751
vlan 777
name FTD1010_TSHOOT
vlan 804
name FH_L4_HLCI
vlan 814
name Rock_L4
vlan 820
name GNext_User
vlan 821
name GNext_Sentris
vlan 822
name GNext_VPX
vlan 823
name GNext_VDA
vlan 905
name Rock_(L4)
vlan 1051
name IP_SEC_1010
vlan 1127
name Vic_Storage
vlan 1551
name Services(L3)_User
vlan 1559
name Victory(L3)_User
vlan 1670
name BigTen_User
vlan 1671
name Victory_DMP-1671
vlan 1672
name VIC_VDI
vlan 1673
name Victory_Sentris
vlan 1720
name Javelin(L3)_User
vlan 1721
name GTRI_JAVELIN_L3-1721
vlan 1722
name Victory_VDI-1722
vlan 1800
name Foxhound(L3)_User
vlan 1801
name FH_L3_DATA_HLCI
vlan 1814
name ROCK_L3_MLS
vlan 1815
name ServMan_User
vlan 1870
name AT1EU-JavelinCoop(L3)_User
vlan 1883
name NESS_User
vlan 1885
name NESS_Client
vlan 1905
name Rock(L3)_User
vlan 3563
name Brace_User
vlan 3965
name V3E_DEV_HOST
! --- Spanning Tree ---
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576
spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1884-1904,1906-3562,3564-3964,3966-3967 priority 0
spanning-tree vlan 1883 priority 4096
! --- VRF ---
vrf context Atom
ip domain-name atom.dev
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
ip route 0.0.0.0/0 15.0.2.254
vrf context management
! --- Port-Channel Load Balance ---
port-channel load-balance src-dst ip-l4port-vlan
! --- vPC Domain ---
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.168.0.2 source 192.168.0.1
delay restore 150
peer-gateway
auto-recovery
! --- SVI ---
interface Vlan1
interface Vlan502
no shutdown
vrf member Atom
no ip redirects
ip address 15.0.2.121/24
no ipv6 redirects
! --- Port-Channels ---
interface port-channel3
description //Trunk 500e X1
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
vpc 3
interface port-channel10
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
vpc peer-link
interface port-channel124
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type normal
spanning-tree bpduguard disable
spanning-tree guard root
mtu 9216
no lacp suspend-individual
vpc 124
interface port-channel125
description //Trunk UCS-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard disable
spanning-tree guard root
mtu 9216
vpc 125
interface port-channel126
description //Trunk UCS-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard disable
spanning-tree guard root
mtu 9216
vpc 126
interface port-channel127
description //Trunk AFF300-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 127
interface port-channel128
description //Trunk AFF300-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 128
interface port-channel129
description //Trunk FAS 2750-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
vpc 129
interface port-channel130
description //Trunk Fas 2750-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
vpc 130
interface port-channel131
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 131
interface port-channel132
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 132
! --- Breakout Ports (100G -> 4x25G) ---
int e1/1 - 26
shutdown
exit
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x
! --- Physical Interfaces: Breakout (UCS/A70) ---
interface Ethernet1/1/1
description //Trunk 6554-1:25
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 125 mode active
no shutdown
interface Ethernet1/1/2
description //Trunk 6554-1:26
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 125 mode active
no shutdown
interface Ethernet1/1/3
description //Trunk 6554-2:27
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 126 mode active
no shutdown
interface Ethernet1/1/4
description //Trunk 6554-2:28
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 126 mode active
no shutdown
interface Ethernet1/5/1
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/2
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/3
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
interface Ethernet1/5/4
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
!
! --- Bulk Disabled Ports ---
int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-23
description //Disabled access
switchport access vlan 67
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard enable
spanning-tree guard root
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
udld enable
shutdown
! --- Management Interface ---
interface mgmt0
vrf member management
ip address 192.168.0.1/24
icam monitor scale
! --- Console & VTY ---
line console
exec-timeout 5
line vty
session-limit 4
exec-timeout 0
access-class SWITCH_MGMT in
! --- Logging ---
logging ip access-list cache entries 8001
logging logfile LOG_FILE 6 size 4096
logging server 15.0.2.146 2
logging server 15.0.2.222 6
logging level authpri 6
intersight use-vrf Atom
```
---
## Configuration Explanation
### Platform & Global Settings
Running NX-OS 10.3(7) with a Jumbo MTU QoS policy (9216 bytes) applied globally via `system qos`. IP source-route is disabled. SSH is restricted to AES256-GCM ciphers. CoPP is set to strict for control-plane protection.
### VDC Resource Limits
Standard resource limits for a single-VDC 9300 — up to 4094 VLANs, 4096 VRFs, and 511 port-channels.
### Features Enabled
`nxapi`, `bash-shell`, `scp-server`, `udld`, `interface-vlan`, `lacp`, `vpc`, `lldp`, `telemetry`, and CFS Ethernet distribution for vPC.
### Authentication & Access Control
RADIUS authentication via two servers (15.0.11.68 and 15.32.11.68) in the `NETMAN_RADIUS` group, reached through the `Atom` VRF, with local fallback for both the default and console login methods. The RADIUS shared secrets are stored with the reversible type 7 encoding, so treat this configuration dump as sensitive. VTY access is restricted by the `SWITCH_MGMT` ACL (specific management host IPs only, deny-all default, every rule logged) with a session limit of 4. The VTY `exec-timeout` is 0, so idle sessions never expire; this differs from NEXUS-2, which uses 5 minutes.
### NTP
Two NTP servers in the Atom VRF, both marked `prefer`, with MD5 authentication enabled. The NTP source is Vlan502, and the switch also acts as an NTP master at stratum 3. Note that the server 15.32.0.9 references key 125, but only key 123 is defined with `ntp authentication-key` and listed as `ntp trusted-key` in this configuration, so authenticated sync with 15.32.0.9 will fail until key 125 is added and trusted.
### SNMP
SNMPv3 with SHA auth and AES-128 privacy. Traps sent to 15.0.2.188. RMON events configured for severity levels 1 through 5.
### VLANs
Approximately 200 VLANs are defined, covering storage (iSCSI, NFS, SnapMirror), compute (UCS, HLCI workloads), management, user, and VDI segments. VLAN 66 is the native VLAN; VLAN 67 is the unused/quarantine access VLAN for disabled ports.
### Spanning Tree
STP is configured with global edge/bpduguard and bpdufilter defaults for access ports, and network type for uplinks. This switch holds priority 8192 for VLANs 1 and 66 and 4096 for VLAN 1883, making it the preferred root for those VLANs. Most production VLANs are set to priority 24576 (secondary root). The remaining VLAN ranges are set to priority 0. Note that 0 is the lowest, and therefore most preferred, bridge priority, not a disable value: if any of those VLANs is later created and trunked, this switch becomes its root bridge immediately. Review whether that is intended or whether those VLANs should instead carry a high priority such as 61440.
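The Authentication, NTP and Spanning Tree notes above each flag something a reviewer has to spot by reading the paste: a no-timeout VTY, an NTP key that is referenced but never defined, priority 0 on hundreds of VLANs, and type 7 secrets. The script below is an added example, not part of the original wiki page, that runs those four checks over a configuration text. It is shown against a constructed excerpt of the AT1EU-NEXUS-1 configuration in which the RADIUS and NTP secrets are replaced by `REDACTED`; the regexes assume the NX-OS line formats seen in the paste above.

```python
"""Audit a pasted NX-OS configuration for the review points raised above.

Added example, not part of the original wiki page. It runs over a constructed
excerpt of the AT1EU-NEXUS-1 configuration (secrets replaced by REDACTED) and
reports:
  * ntp servers that reference a key never defined with `ntp authentication-key`
    or never listed as `ntp trusted-key`
  * `line` blocks whose exec-timeout is 0, so idle sessions never expire
  * spanning-tree VLAN ranges at priority 0, the most preferred root value
  * RADIUS shared secrets stored with the reversible type 7 encoding
"""
import re

SAMPLE_CONFIG = """\
radius-server host 15.0.11.68 key 7 "REDACTED" authentication accounting
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp authenticate
ntp authentication-key 123 md5 REDACTED 7
ntp trusted-key 123
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 3-65,67-99 priority 0
spanning-tree vlan 1883 priority 4096
line console
  exec-timeout 5
line vty
  session-limit 4
  exec-timeout 0
  access-class SWITCH_MGMT in
"""


def expand_vlan_list(spec):
    """'1,3-5' -> [1, 3, 4, 5]"""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_ntp_keys(config):
    defined, trusted, referenced = set(), set(), {}
    for line in config.splitlines():
        if m := re.match(r"ntp authentication-key (\d+) ", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)", line):
            trusted.add(int(m.group(1)))
        elif m := re.match(r"ntp server (\S+).* key (\d+)", line):
            referenced[m.group(1)] = int(m.group(2))
    findings = []
    for server, key in referenced.items():
        if key not in defined:
            findings.append(f"ntp server {server}: key {key} is not defined")
        elif key not in trusted:
            findings.append(f"ntp server {server}: key {key} is defined but not trusted")
    return findings


def audit_exec_timeout(config):
    findings, block = [], None
    for line in config.splitlines():
        if line.startswith("line "):
            block = line.strip()
        elif block and line.strip().startswith("exec-timeout"):
            if int(line.split()[1]) == 0:
                findings.append(f"{block}: exec-timeout 0, idle sessions never expire")
    return findings


def audit_stp_priority(config):
    findings = []
    for line in config.splitlines():
        m = re.match(r"spanning-tree vlan (\S+) priority (\d+)", line)
        if m and int(m.group(2)) == 0:
            count = len(expand_vlan_list(m.group(1)))
            findings.append(f"{count} VLANs at priority 0 (most preferred root): {m.group(1)}")
    return findings


def audit_type7_secrets(config):
    return [f"radius-server host {m.group(1)}: shared secret uses reversible type 7 encoding"
            for line in config.splitlines()
            if (m := re.match(r"radius-server host (\S+) key 7 ", line))]


def audit(config):
    return (audit_ntp_keys(config) + audit_exec_timeout(config)
            + audit_stp_priority(config) + audit_type7_secrets(config))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the full `show running-config` of both switches before a cutover; the NTP key check in particular is the sort of thing that only surfaces later as a quiet loss of time sync on one server.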
### VRF & Routing
A single non-default VRF `Atom` carries the management/user traffic with a default route to 15.0.2.254. Vlan502 (`Atom_User2`) is the L3 gateway SVI at 15.0.2.121/24.
### vPC Domain
- **Domain:** 1
- **Role Priority:** 10 (primary)
- **Peer-link:** Po10 (Eth1/47 and 1/48), `spanning-tree port type network`
- **Peer-keepalive:** mgmt0, destination 192.168.0.2, source 192.168.0.1
- **Options:** `peer-switch`, `peer-gateway`, `auto-recovery`, 150-second restore delay
- **vPC members:** Po3 (500e-X1), Po4 (500e-X2), Po124 (9300), Po125 (UCS-A), Po126 (UCS-B), Po127 (AFF300-A), Po128 (AFF300-B), Po129 (FAS2750-A), Po130 (FAS2750-B), Po131 (A70-A), Po132 (A70-B)
### Port-Channel Load Balancing
`src-dst ip-l4port-vlan` — distributes traffic based on source/destination IP, L4 port, and VLAN for optimal flow distribution.
### Physical Interfaces
- **Ports 1/1 to 1/26:** Shut down as a group first, then ports 1 and 5 are broken out into 4x25G sub-interfaces (`interface breakout module 1 port 1|5 map 25g-4x`). The bulk-disabled block also references sub-interfaces on ports 3, 7 and 11, which are not broken out by the commands shown.
- **Eth1/1/1 to 1/1/4:** 25G breakout ports to UCS 6554 FIs → Po125/Po126
- **Eth1/5/1 to 1/5/4:** 25G breakout ports to A70 storage arrays → Po131/Po132
- **Eth1/24 to 1/25, 1/45 to 1/46:** 9300 uplink → Po124 (4-link LACP)
- **Eth1/26:** 500e-X1 → Po3
- **Eth1/18:** 500e-X2 → Po4
- **Eth1/47 to 1/48:** vPC peer-link → Po10
- **Eth1/53 to 1/54:** AFF300-A/B → Po127/Po128
- **Eth1/2 to 1/3:** FAS2750 → Po129/Po130
- **Disabled ports:** Placed in VLAN 67, bpduguard enabled, storm-control, UDLD, unicast block, then shut down
Note that the cut-and-paste block above only contains the member-interface configuration for the breakout ports and the bulk-disabled ports; the members of Po3, Po10, Po124 and Po127 to Po130 are not included, and Po4 (500e-X2) has no `interface port-channel4` definition in the paste at all.
### Logging
Syslog to 15.0.2.146 (severity 2) and 15.0.2.222 (severity 6). Local log file `LOG_FILE` at severity 6. ACL hit caching configured for 8001 entries.