diff --git a/Work/C9300GX_2_Build.md b/Work/C9300GX_2_Build.md deleted file mode 100644 index cb77c61..0000000 --- a/Work/C9300GX_2_Build.md +++ /dev/null 
@@ -1,797 +0,0 @@ ---- -title: C9300GX Initial Build -description: -published: true -date: 2026-02-19T20:53:59.281Z -tags: -editor: markdown -dateCreated: 2026-02-19T20:50:41.541Z ---- - -# AT1EU-NEXUS-2 — Cisco Nexus 9300 Configuration - -## Overview - -AT1EU-NEXUS-2 is the **secondary** switch in a vPC pair (role priority 10 — same as primary; tie broken by MAC address). It runs NX-OS 10.3(7) and shares vPC domain 1 with AT1EU-NEXUS-1. The vPC peer-link (Po10) spans Eth1/27–28, and out-of-band management (mgmt0 at 192.168.0.2) is used for the vPC peer-keepalive path. - -**Key roles of this switch:** -- vPC secondary (role priority 10, tie-broken by system MAC) -- STP root peer (same priorities as NEXUS-1 — `peer-switch` ensures both act as root) -- Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.122/24) -- NTP master (stratum 3) -- Same upstream/storage/compute port-channel topology as NEXUS-1 - ---- - -## Cut-and-Paste Configuration - -``` -conf t -switchname AT1EU-NEXUS-2 - -! --- QoS: Jumbo Frame Policy --- -policy-map type network-qos JUMBO - class type network-qos class-default - mtu 9216 - -! --- VDC Resource Limits --- -vdc AT1EU-NEXUS-2 id 1 - limit-resource vlan minimum 16 maximum 4094 - limit-resource vrf minimum 2 maximum 4096 - limit-resource port-channel minimum 0 maximum 511 - limit-resource m4route-mem minimum 58 maximum 58 - limit-resource m6route-mem minimum 8 maximum 8 - -! --- Features --- -feature nxapi -feature bash-shell -feature scp-server -cfs eth distribute -feature udld -feature interface-vlan -feature lacp -feature vpc -feature lldp -feature telemetry - -! --- RBAC --- -role name network-ro - rule 2 permit command show running config - rule 1 permit read - -! --- Users --- -username admin password 5 $5$FIEALE$VdyvYPq0DyT./Pw59UUWC9bPs1coNfermExTM9MF6BB role network-admin -ssh key rsa 2048 - -! --- Banner --- -banner motd ^ -********************* DOD NOTICE AND CONSENT BANNER ************************* -* You are accessing a U.S. 
Government (USG) Information System (IS) that is * -* provided for USG-authorized use only. By using this IS (which includes any* -* device attached to this IS), you consent to the following conditions: * -*-The USG routinely intercepts and monitors communications on this IS for * -* purposes including, but not limited to, penetration testing, COMSEC * -* monitoring, network operations and defense, personnel misconduct (PM), * -* law enforcement (LE), and counterintelligence (CI) investigations. * -*-At any time, the USG may inspect and seize data stored on this IS. * -*-Communications using, or data stored on, this IS are not private, are * -* subject to routine monitoring, interception, and search, and may be * -* disclosed or used for any USGauthorized purpose. * -*-This IS includes security measures (e.g., authentication and access * -* controls) to protect USG interests--not for your personal benefit or * -* privacy. * -*-Notwithstanding the above, using this IS does not constitute consent to * -* PM, LE or CI investigative searching or monitoring of the content of * -* privileged communications, or work product, related to personal * -* representation or services by attorneys, psychotherapists, or clergy, and * -* their assistants. Such communications and work product are private and * -* confidential. See User Agreement for details. * -************************ POC: SIL Network Team **************************** -^ - -! --- SSH --- -ssh ciphers aes256-gcm - -! --- DNS & Domain --- -ip domain-lookup -ip domain-name atom.dev use-vrf Atom -ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom - -! --- RADIUS --- -radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting -radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting -aaa group server radius NETMAN_RADIUS - server 15.0.11.68 - server 15.32.11.68 - use-vrf Atom - -! 
--- Management ACL --- -ip access-list SWITCH_MGMT - 10 permit ip 15.0.11.150/32 any log - 20 permit ip 15.0.11.151/32 any log - 30 permit ip 15.32.2.154/32 any log - 40 permit ip 15.0.2.154/32 any log - 50 permit ip 15.32.2.1/32 any log - 60 permit ip 15.0.2.1/32 any log - 70 permit ip 15.0.2.2/32 any log - 80 permit ip 15.0.11.47/32 any log - 90 permit ip 15.32.11.45/32 any log - 93 permit ip 15.32.11.150/32 any log - 100 deny ip any any log - -! --- System QoS --- -system qos - service-policy type network-qos JUMBO -copp profile strict - -! --- SNMP --- -snmp-server user admin network-admin auth sha 043A9864CA85100D231AA42F8FA9734C2B5C027F2B74 priv aes-128 365AD478C4A00B497D76B703D3AE75414E3C3C4B386A localizedV2key -snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc -snmp-server host 15.0.11.80 traps version 3 priv testsnmp -rmon event 1 log trap public description FATAL(1) owner PMON@FATAL -rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL -rmon event 3 log trap public description ERROR(3) owner PMON@ERROR -rmon event 4 log trap public description WARNING(4) owner PMON@WARNING -rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO - -! --- NTP --- -ntp server 15.0.0.9 prefer use-vrf Atom key 123 -ntp server 15.32.0.9 prefer use-vrf Atom key 125 -ntp server 15.32.0.30 use-vrf management -ntp server 115.0.0.9 use-vrf management key 125 -ntp source-interface Vlan502 -ntp authenticate -ntp authentication-key 125 md5 pz5-lihj 7 -ntp trusted-key 125 -ntp logging -ntp master 3 - -! --- AAA --- -aaa authentication login default group NETMAN_RADIUS local -aaa authentication login console group NETMAN_RADIUS local -aaa accounting default group NETMAN_RADIUS local -system default switchport -no ip source-route - -! 
--- VLANs --- -vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871 -vlan 1882-1883,1885,1905,3563,3965 -vlan 2 - name TEST_CLUS_COMM -vlan 8 - name FP_Test1 -vlan 10 - name NESS_BOX_TRANSIT -vlan 12 - name FP_Test2 -vlan 66 - name NATIVE_VLAN -vlan 85 - name NESS-Temp -vlan 101 - name iscsi_csv -vlan 102 - name iscsi_boot -vlan 107 - name Test -vlan 108 - name NET_TEST_NET -vlan 121 - name Atom_Backup -vlan 124 - name Admin_iSCSI -vlan 143 - name Secman_Storage -vlan 146 - name Foxhound_Storage -vlan 150 - name iscsi -vlan 153 - name Javelin(L4) -vlan 157 - name GNext_Storage -vlan 158 - name NESS_Storage -vlan 188 - name JASON_NFS -vlan 321 - name ATOM_Backup -vlan 323 - name AT-vServer -vlan 340 - name ucs_test -vlan 342 - name MadHatter_SVM_Mgmt -vlan 349 - name Rock_SVM3_Mgmt -vlan 353 - name Javlin_SVM -vlan 374 - name Rock_Backup_Mgmt -vlan 382 - name Darrin_User -vlan 501 - name MGMT -vlan 502 - name Atom_User2 -vlan 504 - name Commvault_Testing -vlan 505 - name NETAPP_SNAP -vlan 549 - name WDS -vlan 551 - name L4_User -vlan 559 - name Victory_WS_L4 -vlan 562 - name Brace(L3)_User -vlan 563 - name Brace -vlan 667 - name Britt_Test -vlan 668 - name RockTesters(L4)_User -vlan 672 - name GTRI_User -vlan 673 - name VDI(L5) -vlan 701 - name MH_L3_DATA_HLCI -vlan 702 - name MH_L4_DATA_HLCI -vlan 704 - name Legacy-704 -vlan 705 - name Legacy-705 -vlan 706 - name Legacy-706 -vlan 707 - name Legacy-707 -vlan 708 - name Legacy-708 -vlan 709 - name Legacy-709 -vlan 710 - name Legacy-710 -vlan 721 - name GTRI_JAVELIN_L4-721 -vlan 740 - name NETMAN -vlan 750 - name l4_secman -vlan 751 - name Secman_DMP-751 -vlan 777 - name FTD1010_TSHOOT 
-vlan 804 - name FH_L4_HLCI -vlan 814 - name ROCK_L4_MLS -vlan 820 - name GNext_User -vlan 821 - name GNext_Sentris -vlan 822 - name GNext_VPX -vlan 823 - name GNext_VDA -vlan 905 - name Rock_(L4) -vlan 1051 - name IP_SEC_1010 -vlan 1127 - name Vic_Storage -vlan 1551 - name Services(L3)_User -vlan 1559 - name Victory(L3)_User -vlan 1670 - name BigTen_User -vlan 1671 - name Victory_DMP-1671 -vlan 1672 - name VIC_VDI -vlan 1673 - name Victory_Sentris -vlan 1720 - name Javelin(L3)_User -vlan 1721 - name GTRI_JAVELIN_L3-1721 -vlan 1722 - name Victory_VDI-1722 -vlan 1800 - name Foxhound(L3)_User -vlan 1801 - name FH_L3_DATA_HLCI -vlan 1815 - name ServMan_User -vlan 1870 - name AT1EU-JavelinCoop(L3)_User -vlan 1883 - name NESS_User -vlan 1885 - name NESS_Client -vlan 1905 - name Rock(L3)_User -vlan 3563 - name Brace_User -vlan 3965 - name V3E_DEV_HOST - -! --- Spanning Tree --- -spanning-tree port type edge bpduguard default -spanning-tree port type edge bpdufilter default -spanning-tree port type network default -spanning-tree vlan 1,66 priority 8192 -spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576 -spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1883-1904,1906-3562,3564-3964,3966-3967 priority 0 - -! 
--- VRF --- -vrf context Atom - ip domain-name atom.dev - ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 - ip route 0.0.0.0/0 15.0.2.254 -vrf context management - -! --- Port-Channel Load Balance --- -port-channel load-balance src-dst ip-l4port-vlan - -! --- vPC Domain --- -vpc domain 1 - peer-switch - role priority 10 - peer-keepalive destination 192.168.0.1 source 192.168.0.2 - delay restore 150 - peer-gateway - auto-recovery - -! --- SVI --- - -interface Vlan502 - no shutdown - vrf member Atom - no ip redirects - ip address 15.0.2.122/24 - no ipv6 redirects - -! --- Port-Channels --- -interface port-channel3 - description //Trunk 500e X1 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - vpc 3 - - -interface port-channel10 - description //Trunk Peer - Allow STP - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type network - vpc peer-link - -interface port-channel124 - description //Trunk 9300 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-4094 - spanning-tree port type normal - spanning-tree guard root - mtu 9216 - vpc 124 - -interface port-channel125 - description //Trunk UCS-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - switchport block unicast - vpc 125 - -interface port-channel126 - description //Trunk UCS-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard disable - 
spanning-tree guard root - mtu 9216 - switchport block unicast - vpc 126 - -interface port-channel127 - description //Trunk AFF300-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - switchport block unicast - vpc 127 - -interface port-channel128 - description //Trunk AFF300-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - switchport block unicast - vpc 128 - -interface port-channel129 - description //Trunk FAS 2750-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - vpc 129 - -interface port-channel130 - description //Trunk Fas 2750-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - vpc 130 - -interface port-channel131 - description //Trunk A70-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - vpc 131 - -interface port-channel132 - description //Trunk A70-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - vpc 132 - -! 
--- Breakout Ports (100G -> 4x25G) --- -int e1/1 - 26 - shutdown -exit -interface breakout module 1 port 1 map 25g-4x -interface breakout module 1 port 5 map 25g-4x - -! --- Physical Interfaces: Breakout (UCS/A70) --- -interface Ethernet1/1/1 - description //Trunk 6554-2:25 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - channel-group 126 mode active - no shutdown - -interface Ethernet1/1/2 - description //Trunk 6554-2:26 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - channel-group 126 mode active - no shutdown - -interface Ethernet1/1/3 - description //Trunk 6554-1:27 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - channel-group 125 mode active - no shutdown - -interface Ethernet1/1/4 - description //Trunk 6554-1:28 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - channel-group 125 mode active - no shutdown - -interface Ethernet1/5/1 - description //Trunk A70-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - 
channel-group 131 mode active - no shutdown - -interface Ethernet1/5/2 - description //Trunk A70-A - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - channel-group 131 mode active - no shutdown - -interface Ethernet1/5/3 - description //Trunk A70-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - channel-group 132 mode active - no shutdown - -interface Ethernet1/5/4 - description //Trunk A70-B - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - channel-group 132 mode active - no shutdown - - - -! 
--- Physical Interfaces: Standard Ports --- -interface Ethernet1/23 - description //Access Netapp XFER - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - storm-control broadcast level 99.00 - storm-control unicast level 99.00 - switchport block unicast - udld enable - no shutdown - -interface Ethernet1/24 - description //Trunk 9300 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - channel-group 124 mode active - no shutdown - -interface Ethernet1/25 - description //Trunk 9300 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-4094 - spanning-tree port type edge trunk - spanning-tree guard root - mtu 9216 - channel-group 124 mode active - no shutdown - -interface Ethernet1/26 - description //Trunk 500e-X1 - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type edge trunk - spanning-tree bpduguard enable - spanning-tree guard root - mtu 9216 - switchport block unicast - udld enable - channel-group 3 mode active - no shutdown - -interface Ethernet1/27 - description //Trunk Peer - Allow STP - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type network - channel-group 10 mode active - no shutdown - -interface Ethernet1/28 - description //Trunk Peer - Allow STP - switchport mode trunk - switchport access vlan 67 - switchport trunk native vlan 66 - switchport trunk allowed vlan 2-66,68-4094 - spanning-tree port type network - channel-group 10 mode active - no shutdown 
- -! --- Bulk Disabled Ports --- -int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-22 - description //Disabled access - switchport access vlan 67 - switchport trunk native vlan 66 - spanning-tree port type edge - spanning-tree bpduguard enable - spanning-tree guard root - storm-control broadcast level 99.00 - storm-control unicast level 99.00 - switchport block unicast - udld enable - shutdown - -! --- Management Interface --- -interface mgmt0 - vrf member management - ip address 192.168.0.2/24 - -icam monitor scale - -! --- Console & VTY --- -line console - exec-timeout 5 -line vty - session-limit 4 - exec-timeout 5 - access-class SWITCH_MGMT in - -! --- Logging --- -logging ip access-list cache entries 8001 -logging logfile LOG_FILE 6 size 4096 -logging server 15.0.2.146 6 -logging server 15.0.2.222 6 -logging level authpri 6 - - -``` - ---- - -## Configuration Explanation - -### Platform & Global Settings -Identical platform and global settings to NEXUS-1: NX-OS 10.3(7), Jumbo MTU QoS policy (9216 bytes), strict CoPP, AES256-GCM SSH, IP source-route disabled. - -### VDC Resource Limits -Same as NEXUS-1. - -### Features Enabled -Identical feature set to NEXUS-1. - -### Authentication & Access Control -Identical RADIUS configuration, management ACL, and AAA settings to NEXUS-1. VTY exec-timeout is 5 minutes (vs. 0 on NEXUS-1 — worth standardizing). - -### NTP -Two additional NTP servers compared to NEXUS-1: `15.32.0.30` (management VRF) and `115.0.0.9` (management VRF). Uses NTP key 125 (vs. key 123 on NEXUS-1). NTP source is Vlan502. Also acts as NTP master stratum 3. - -### SNMP -SNMPv3 with SHA/AES-128. Has an additional trap target (15.0.11.80) compared to NEXUS-1. RMON events 1–5 configured identically. - -### VLANs -Substantially the same VLAN database as NEXUS-1 with minor differences: VLAN 103 (Netapp_XFER) and VLAN 130 (SIL_SNAPMIRROR) are not present on NEXUS-2; VLAN 563 (Brace) is present on NEXUS-2 but not NEXUS-1. 
These discrepancies should be reviewed and aligned. - -### Spanning Tree -Identical STP priorities to NEXUS-1. With `peer-switch` enabled in the vPC domain, both switches advertise the same STP bridge ID, making the pair appear as a single root to downstream devices. - -### VRF & Routing -Same `Atom` VRF with default route to 15.0.2.254. Vlan502 SVI is at 15.0.2.122/24 (vs. 15.0.2.121 on NEXUS-1). - -### vPC Domain -- **Domain:** 1 -- **Role Priority:** 10 (same as NEXUS-1; system MAC determines actual secondary role) -- **Peer-link:** Po10 (Eth1/27–28), `spanning-tree port type network` -- **Peer-keepalive:** mgmt0, destination 192.168.0.1, source 192.168.0.2 -- **Options:** `peer-switch`, `peer-gateway`, `auto-recovery`, 150-second restore delay -- **vPC members:** Po3–Po4, Po124–Po132 (mirrored from NEXUS-1) - -> **Note:** Po124 (9300) uses `switchport trunk allowed vlan 2-4094` on NEXUS-2 (includes VLAN 67) while NEXUS-1 uses `2-66,68-4094` (excludes VLAN 67). This inconsistency should be reviewed. - -### Physical Interfaces -- **Breakout mapping:** Ports 1, 5, 9 broken out as 4x25G — same as NEXUS-1. -- **Eth1/1/1–1/1/2 → Po126 (UCS-B):** The UCS FI cross-connection is intentionally reversed vs NEXUS-1 (NEXUS-1 Eth1/1/1–1/1/2 go to Po125/UCS-A). This is correct behavior for dual-homed UCS FI connectivity. -- **Eth1/27–1/28:** vPC peer-link → Po10 -- **Eth1/24–1/25:** 9300 uplink → Po124 -- **Eth1/26:** 500e-X1 → Po3 -- **Eth1/23:** NetApp XFER standalone (not in a port-channel) -- **Disabled ports:** Same hardening policy as NEXUS-1 - - - -### Logging -Syslog to 15.0.2.146 and 15.0.2.222, both at severity 6. Note NEXUS-1 logs to 15.0.2.146 at severity 2 — this discrepancy should be reviewed. 
- - - ---- - -## Notable Differences Between NEXUS-1 and NEXUS-2 - -| Parameter | NEXUS-1 | NEXUS-2 | -|---|---|---| -| mgmt0 IP | 192.168.0.1 | 192.168.0.2 | -| Vlan502 IP | 15.0.2.121 | 15.0.2.122 | -| vPC keepalive dest | 192.168.0.2 | 192.168.0.1 | -| NTP key used | 123 | 125 | -| Additional NTP servers | — | 15.32.0.30, 115.0.0.9 (mgmt VRF) | -| VTY exec-timeout | 0 (no timeout) | 5 min | -| Logging 15.0.2.146 severity | 2 | 6 | -| Po124 allowed VLANs | 2-66,68-4094 | 2-4094 | -| vPC peer-link physical ports | Eth1/47–48 | Eth1/27–28 | -| HLCI port VLANs (Eth1/9/x) | L3 (701, 1801, 1721, 1814) | L4 (702, 721, 804, 814) | -| Additional SNMP trap target | — | 15.0.11.80 | -| VLAN 103 (Netapp_XFER) | Present | Absent | -| VLAN 130 (SIL_SNAPMIRROR) | Present | Absent | -| VLAN 563 (Brace) | Absent | Present |
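Review bot: Deleting this file does not retire the credential material in the removed "Cut-and-Paste Configuration" block, because blob cb77c61 stays reachable in repository history. The removed lines include `username admin password 5 …`, both `radius-server host … key 7 …` entries, the `snmp-server user admin … auth sha … priv aes-128 … localizedV2key` line and `ntp authentication-key 125 md5 …`. The `key 7` values are reversible obfuscation rather than a hash, so the RADIUS shared secret and the NTP key should be treated as disclosed and rotated. The admin password and the SNMPv3 auth/priv keys should be rotated as well. If this repository is shared or mirrored, purge the blob from history instead of relying on the deletion, and keep any replacement document free of live values by using placeholders. Separately, the removed "Notable Differences" table is the only visible record of the items the page itself flags for review (VTY exec-timeout 0 on NEXUS-1, Po124 allowed VLANs 2-4094 versus 2-66,68-4094, logging severity 2 versus 6, and the VLAN 103/130/563 mismatches). Nothing in this diff shows them being carried elsewhere, so move them to a tracked issue before merging. The file name and front-matter title say C9300GX while the body describes AT1EU-NEXUS-2, a Nexus 9300, which is worth noting in the commit message so the deletion can be found later.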