---
title: C9300GX Initial Build
description: 
published: true
date: 2026-02-19T20:53:59.281Z
tags: 
editor: markdown
dateCreated: 2026-02-19T20:50:41.541Z
---

# AT1EU-NEXUS-2 — Cisco Nexus 9300 Configuration

## Overview

AT1EU-NEXUS-2 is the **secondary** switch in a vPC pair (role priority 10 — same as primary; tie broken by MAC address). It runs NX-OS 10.3(7) and shares vPC domain 1 with AT1EU-NEXUS-1. The vPC peer-link (Po10) spans Eth1/27–28, and out-of-band management (mgmt0 at 192.168.0.2) is used for the vPC peer-keepalive path.

**Key roles of this switch:**

- vPC secondary (role priority 10, tie-broken by system MAC)
- STP root peer (same priorities as NEXUS-1 — `peer-switch` ensures both act as root)
- Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.122/24)
- NTP master (stratum 3)
- Same upstream/storage/compute port-channel topology as NEXUS-1

---

## Cut-and-Paste Configuration

```
conf t
switchname AT1EU-NEXUS-2

! --- QoS: Jumbo Frame Policy ---
policy-map type network-qos JUMBO
  class type network-qos class-default
    mtu 9216

! --- VDC Resource Limits ---
vdc AT1EU-NEXUS-2 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

! --- Features ---
feature nxapi
feature bash-shell
feature scp-server
cfs eth distribute
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature telemetry

! --- RBAC ---
role name network-ro
  rule 2 permit command show running config
  rule 1 permit read

! --- Users ---
username admin password 5 $5$FIEALE$VdyvYPq0DyT./Pw59UUWC9bPs1coNfermExTM9MF6BB role network-admin
ssh key rsa 2048

! --- Banner ---
banner motd ^
********************* DOD NOTICE AND CONSENT BANNER *************************
* You are accessing a U.S. Government (USG) Information System (IS) that is *
* provided for USG-authorized use only. By using this IS (which includes any*
* device attached to this IS), you consent to the following conditions:     *
*-The USG routinely intercepts and monitors communications on this IS for   *
* purposes including, but not limited to, penetration testing, COMSEC       *
* monitoring, network operations and defense, personnel misconduct (PM),    *
* law enforcement (LE), and counterintelligence (CI) investigations.        *
*-At any time, the USG may inspect and seize data stored on this IS.        *
*-Communications using, or data stored on, this IS are not private, are     *
* subject to routine monitoring, interception, and search, and may be       *
* disclosed or used for any USGauthorized purpose.                          *
*-This IS includes security measures (e.g., authentication and access       *
* controls) to protect USG interests--not for your personal benefit or      *
* privacy.                                                                  *
*-Notwithstanding the above, using this IS does not constitute consent to   *
* PM, LE or CI investigative searching or monitoring of the content of      *
* privileged communications, or work product, related to personal           *
* representation or services by attorneys, psychotherapists, or clergy, and *
* their assistants. Such communications and work product are private and    *
* confidential. See User Agreement for details.                             *
************************ POC: SIL Network Team ****************************
^

! --- SSH ---
ssh ciphers aes256-gcm

! --- DNS & Domain ---
ip domain-lookup
ip domain-name atom.dev use-vrf Atom
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom

! --- RADIUS ---
radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting
radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting
aaa group server radius NETMAN_RADIUS
  server 15.0.11.68
  server 15.32.11.68
  use-vrf Atom

! --- Management ACL ---
ip access-list SWITCH_MGMT
  10 permit ip 15.0.11.150/32 any log
  20 permit ip 15.0.11.151/32 any log
  30 permit ip 15.32.2.154/32 any log
  40 permit ip 15.0.2.154/32 any log
  50 permit ip 15.32.2.1/32 any log
  60 permit ip 15.0.2.1/32 any log
  70 permit ip 15.0.2.2/32 any log
  80 permit ip 15.0.11.47/32 any log
  90 permit ip 15.32.11.45/32 any log
  93 permit ip 15.32.11.150/32 any log
  100 deny ip any any log

! --- System QoS ---
system qos
  service-policy type network-qos JUMBO
copp profile strict

! --- SNMP ---
snmp-server user admin network-admin auth sha 043A9864CA85100D231AA42F8FA9734C2B5C027F2B74 priv aes-128 365AD478C4A00B497D76B703D3AE75414E3C3C4B386A localizedV2key
snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc
snmp-server host 15.0.11.80 traps version 3 priv testsnmp
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO

! --- NTP ---
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp server 15.32.0.30 use-vrf management
ntp server 115.0.0.9 use-vrf management key 125
ntp source-interface Vlan502
ntp authenticate
ntp authentication-key 125 md5 pz5-lihj 7
ntp trusted-key 125
ntp logging
ntp master 3

! --- AAA ---
aaa authentication login default group NETMAN_RADIUS local
aaa authentication login console group NETMAN_RADIUS local
aaa accounting default group NETMAN_RADIUS local
system default switchport
no ip source-route

! --- VLANs ---
vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871
vlan 1882-1883,1885,1905,3563,3965
vlan 2
  name TEST_CLUS_COMM
vlan 8
  name FP_Test1
vlan 10
  name NESS_BOX_TRANSIT
vlan 12
  name FP_Test2
vlan 66
  name NATIVE_VLAN
vlan 85
  name NESS-Temp
vlan 101
  name iscsi_csv
vlan 102
  name iscsi_boot
vlan 107
  name Test
vlan 108
  name NET_TEST_NET
vlan 121
  name Atom_Backup
vlan 124
  name Admin_iSCSI
vlan 143
  name Secman_Storage
vlan 146
  name Foxhound_Storage
vlan 150
  name iscsi
vlan 153
  name Javelin(L4)
vlan 157
  name GNext_Storage
vlan 158
  name NESS_Storage
vlan 188
  name JASON_NFS
vlan 321
  name ATOM_Backup
vlan 323
  name AT-vServer
vlan 340
  name ucs_test
vlan 342
  name MadHatter_SVM_Mgmt
vlan 349
  name Rock_SVM3_Mgmt
vlan 353
  name Javlin_SVM
vlan 374
  name Rock_Backup_Mgmt
vlan 382
  name Darrin_User
vlan 501
  name MGMT
vlan 502
  name Atom_User2
vlan 504
  name Commvault_Testing
vlan 505
  name NETAPP_SNAP
vlan 549
  name WDS
vlan 551
  name L4_User
vlan 559
  name Victory_WS_L4
vlan 562
  name Brace(L3)_User
vlan 563
  name Brace
vlan 667
  name Britt_Test
vlan 668
  name RockTesters(L4)_User
vlan 672
  name GTRI_User
vlan 673
  name VDI(L5)
vlan 701
  name MH_L3_DATA_HLCI
vlan 702
  name MH_L4_DATA_HLCI
vlan 704
  name Legacy-704
vlan 705
  name Legacy-705
vlan 706
  name Legacy-706
vlan 707
  name Legacy-707
vlan 708
  name Legacy-708
vlan 709
  name Legacy-709
vlan 710
  name Legacy-710
vlan 721
  name GTRI_JAVELIN_L4-721
vlan 740
  name NETMAN
vlan 750
  name l4_secman
vlan 751
  name Secman_DMP-751
vlan 777
  name FTD1010_TSHOOT
vlan 804
  name FH_L4_HLCI
vlan 814
  name ROCK_L4_MLS
vlan 820
  name GNext_User
vlan 821
  name GNext_Sentris
vlan 822
  name GNext_VPX
vlan 823
  name GNext_VDA
vlan 905
  name Rock_(L4)
vlan 1051
  name IP_SEC_1010
vlan 1127
  name Vic_Storage
vlan 1551
  name Services(L3)_User
vlan 1559
  name Victory(L3)_User
vlan 1670
  name BigTen_User
vlan 1671
  name Victory_DMP-1671
vlan 1672
  name VIC_VDI
vlan 1673
  name Victory_Sentris
vlan 1720
  name Javelin(L3)_User
vlan 1721
  name GTRI_JAVELIN_L3-1721
vlan 1722
  name Victory_VDI-1722
vlan 1800
  name Foxhound(L3)_User
vlan 1801
  name FH_L3_DATA_HLCI
vlan 1815
  name ServMan_User
vlan 1870
  name AT1EU-JavelinCoop(L3)_User
vlan 1883
  name NESS_User
vlan 1885
  name NESS_Client
vlan 1905
  name Rock(L3)_User
vlan 3563
  name Brace_User
vlan 3965
  name V3E_DEV_HOST

! --- Spanning Tree ---
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576
spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1883-1904,1906-3562,3564-3964,3966-3967 priority 0

! --- VRF ---
vrf context Atom
  ip domain-name atom.dev
  ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
  ip route 0.0.0.0/0 15.0.2.254
vrf context management

! --- Port-Channel Load Balance ---
port-channel load-balance src-dst ip-l4port-vlan

! --- vPC Domain ---
vpc domain 1
  peer-switch
  role priority 10
  peer-keepalive destination 192.168.0.1 source 192.168.0.2
  delay restore 150
  peer-gateway
  auto-recovery

! --- SVI ---
interface Vlan502
  no shutdown
  vrf member Atom
  no ip redirects
  ip address 15.0.2.122/24
  no ipv6 redirects

! --- Port-Channels ---
interface port-channel3
  description //Trunk 500e X1
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  vpc 3
interface port-channel10
  description //Trunk Peer - Allow STP
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type network
  vpc peer-link
interface port-channel124
  description //Trunk 9300
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-4094
  spanning-tree port type normal
  spanning-tree guard root
  mtu 9216
  vpc 124
interface port-channel125
  description //Trunk UCS-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  vpc 125
interface port-channel126
  description //Trunk UCS-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard disable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  vpc 126
interface port-channel127
  description //Trunk AFF300-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  vpc 127
interface port-channel128
  description //Trunk AFF300-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  vpc 128
interface port-channel129
  description //Trunk FAS 2750-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  vpc 129
interface port-channel130
  description //Trunk Fas 2750-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  vpc 130
interface port-channel131
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 131
interface port-channel132
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 132

! --- Breakout Ports (100G -> 4x25G) ---
int e1/1 - 26
  shutdown
exit
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x

! --- Physical Interfaces: Breakout (UCS/A70) ---
interface Ethernet1/1/1
  description //Trunk 6554-2:25
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  channel-group 126 mode active
  no shutdown
interface Ethernet1/1/2
  description //Trunk 6554-2:26
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  channel-group 126 mode active
  no shutdown
interface Ethernet1/1/3
  description //Trunk 6554-1:27
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  channel-group 125 mode active
  no shutdown
interface Ethernet1/1/4
  description //Trunk 6554-1:28
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  channel-group 125 mode active
  no shutdown
interface Ethernet1/5/1
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 131 mode active
  no shutdown
interface Ethernet1/5/2
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 131 mode active
  no shutdown
interface Ethernet1/5/3
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 132 mode active
  no shutdown
interface Ethernet1/5/4
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 132 mode active
  no shutdown

! --- Physical Interfaces: Standard Ports ---
interface Ethernet1/23
  description //Access Netapp XFER
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  storm-control broadcast level 99.00
  storm-control unicast level 99.00
  switchport block unicast
  udld enable
  no shutdown
interface Ethernet1/24
  description //Trunk 9300
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  channel-group 124 mode active
  no shutdown
interface Ethernet1/25
  description //Trunk 9300
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  channel-group 124 mode active
  no shutdown
interface Ethernet1/26
  description //Trunk 500e-X1
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  switchport block unicast
  udld enable
  channel-group 3 mode active
  no shutdown
interface Ethernet1/27
  description //Trunk Peer - Allow STP
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type network
  channel-group 10 mode active
  no shutdown
interface Ethernet1/28
  description //Trunk Peer - Allow STP
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type network
  channel-group 10 mode active
  no shutdown

! --- Bulk Disabled Ports ---
int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-22
  description //Disabled access
  switchport access vlan 67
  switchport trunk native vlan 66
  spanning-tree port type edge
  spanning-tree bpduguard enable
  spanning-tree guard root
  storm-control broadcast level 99.00
  storm-control unicast level 99.00
  switchport block unicast
  udld enable
  shutdown

! --- Management Interface ---
interface mgmt0
  vrf member management
  ip address 192.168.0.2/24
icam monitor scale

! --- Console & VTY ---
line console
  exec-timeout 5
line vty
  session-limit 4
  exec-timeout 5
  access-class SWITCH_MGMT in

! --- Logging ---
logging ip access-list cache entries 8001
logging logfile LOG_FILE 6 size 4096
logging server 15.0.2.146 6
logging server 15.0.2.222 6
logging level authpri 6
```

---

## Configuration Explanation

### Platform & Global Settings

Identical platform and global settings to NEXUS-1: NX-OS 10.3(7), Jumbo MTU QoS policy (9216 bytes), strict CoPP, AES256-GCM SSH, IP source-route disabled.

### VDC Resource Limits

Same as NEXUS-1.

### Features Enabled

Identical feature set to NEXUS-1.

### Authentication & Access Control

Identical RADIUS configuration, management ACL, and AAA settings to NEXUS-1. VTY exec-timeout is 5 minutes (vs. 0 on NEXUS-1 — worth standardizing).

### NTP

Two additional NTP servers compared to NEXUS-1: `15.32.0.30` (management VRF) and `115.0.0.9` (management VRF). Uses NTP key 125 (vs. key 123 on NEXUS-1).
NTP source is Vlan502. Also acts as NTP master stratum 3.

### SNMP

SNMPv3 with SHA/AES-128. Has an additional trap target (15.0.11.80) compared to NEXUS-1. RMON events 1–5 configured identically.

### VLANs

Substantially the same VLAN database as NEXUS-1 with minor differences: VLAN 103 (Netapp_XFER) and VLAN 130 (SIL_SNAPMIRROR) are not present on NEXUS-2; VLAN 563 (Brace) is present on NEXUS-2 but not NEXUS-1. These discrepancies should be reviewed and aligned.

### Spanning Tree

Identical STP priorities to NEXUS-1. With `peer-switch` enabled in the vPC domain, both switches advertise the same STP bridge ID, making the pair appear as a single root to downstream devices.

### VRF & Routing

Same `Atom` VRF with default route to 15.0.2.254. Vlan502 SVI is at 15.0.2.122/24 (vs. 15.0.2.121 on NEXUS-1).

### vPC Domain

- **Domain:** 1
- **Role Priority:** 10 (same as NEXUS-1; system MAC determines actual secondary role)
- **Peer-link:** Po10 (Eth1/27–28), `spanning-tree port type network`
- **Peer-keepalive:** mgmt0, destination 192.168.0.1, source 192.168.0.2
- **Options:** `peer-switch`, `peer-gateway`, `auto-recovery`, 150-second restore delay
- **vPC members:** Po3–Po4, Po124–Po132 (mirrored from NEXUS-1)

> **Note:** Po124 (9300) uses `switchport trunk allowed vlan 2-4094` on NEXUS-2 (includes VLAN 67) while NEXUS-1 uses `2-66,68-4094` (excludes VLAN 67). This inconsistency should be reviewed.

### Physical Interfaces

- **Breakout mapping:** Ports 1, 5, 9 broken out as 4x25G — same as NEXUS-1.
- **Eth1/1/1–1/1/2 → Po126 (UCS-B):** The UCS FI cross-connection is intentionally reversed vs NEXUS-1 (NEXUS-1 Eth1/1/1–1/1/2 go to Po125/UCS-A). This is correct behavior for dual-homed UCS FI connectivity.
- **Eth1/27–1/28:** vPC peer-link → Po10
- **Eth1/24–1/25:** 9300 uplink → Po124
- **Eth1/26:** 500e-X1 → Po3
- **Eth1/23:** NetApp XFER standalone (not in a port-channel)
- **Disabled ports:** Same hardening policy as NEXUS-1

### Logging

Syslog to 15.0.2.146 and 15.0.2.222, both at severity 6. Note NEXUS-1 logs to 15.0.2.146 at severity 2 — this discrepancy should be reviewed.

---

## Notable Differences Between NEXUS-1 and NEXUS-2

| Parameter | NEXUS-1 | NEXUS-2 |
|---|---|---|
| mgmt0 IP | 192.168.0.1 | 192.168.0.2 |
| Vlan502 IP | 15.0.2.121 | 15.0.2.122 |
| vPC keepalive dest | 192.168.0.2 | 192.168.0.1 |
| NTP key used | 123 | 125 |
| Additional NTP servers | — | 15.32.0.30, 115.0.0.9 (mgmt VRF) |
| VTY exec-timeout | 0 (no timeout) | 5 min |
| Logging 15.0.2.146 severity | 2 | 6 |
| Po124 allowed VLANs | 2-66,68-4094 | 2-4094 |
| vPC peer-link physical ports | Eth1/47–48 | Eth1/27–28 |
| HLCI port VLANs (Eth1/9/x) | L3 (701, 1801, 1721, 1814) | L4 (702, 721, 804, 814) |
| Additional SNMP trap target | — | 15.0.11.80 |
| VLAN 103 (Netapp_XFER) | Present | Absent |
| VLAN 130 (SIL_SNAPMIRROR) | Present | Absent |
| VLAN 563 (Brace) | Absent | Present |
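
The VLAN gaps and the Po124 allowed-VLAN mismatch tabulated above are the kind of drift between vPC peers that can be checked mechanically before a cut-and-paste goes onto the second switch. The following is an added example, not part of the original page or of either switch's configuration: a hypothetical Python parity checker run over constructed excerpts modelled on the two configs, which also flags `ntp server` lines whose `key N` is not both defined and trusted locally (as with the `key 123` reference on 15.0.0.9 in the configuration above, where only key 125 is configured).

```python
"""Parity audit for two NX-OS vPC peer configs (VLAN gaps, allowed-VLAN drift on vPC
port-channels, NTP servers whose key id is not defined and trusted). Hypothetical helper."""
import re
# Constructed excerpts modelled on NEXUS-1 and on the NEXUS-2 config shown on this page
# (only the lines the checks read; NTP key strings replaced by a placeholder).
NEXUS1 = """
vlan 2,103,130,501-502
interface port-channel124
  switchport trunk allowed vlan 2-66,68-4094
  vpc 124
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp authentication-key 123 md5 <redacted> 7
ntp trusted-key 123
"""
NEXUS2 = """
vlan 2,501-502,563
interface port-channel124
  switchport trunk allowed vlan 2-4094
  vpc 124
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp authentication-key 125 md5 <redacted> 7
ntp trusted-key 125
"""

def expand_ranges(spec):
    """Expand an NX-OS VLAN list such as '2-66,68-4094' into a set of ids."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def vlan_database(cfg):
    """VLAN ids declared by top-level 'vlan <list>' lines."""
    return set().union(*(expand_ranges(s) for s in re.findall(r"^vlan ([\d,\-]+)$", cfg, re.M)))

def vpc_allowed_vlans(cfg):
    """Allowed-VLAN set of every port-channel that carries a 'vpc N' member line."""
    result, name, allowed, is_vpc = {}, None, None, False
    for line in cfg.splitlines() + ["end"]:          # sentinel flushes the last block
        if not line.startswith(" "):                 # any top-level line closes a block
            if name and is_vpc and allowed is not None:
                result[name] = allowed
            name = line.split()[1] if line.startswith("interface ") else None
            allowed, is_vpc = None, False
        elif m := re.fullmatch(r"\s+switchport trunk allowed vlan ([\d,\-]+)", line):
            allowed = expand_ranges(m.group(1))
        elif re.fullmatch(r"\s+vpc \d+", line):      # 'vpc peer-link' is deliberately skipped
            is_vpc = True
    return result

def ntp_servers_with_unusable_key(cfg):
    """NTP servers whose 'key N' is not both defined and trusted on this switch."""
    defined = set(re.findall(r"^ntp authentication-key (\d+) ", cfg, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)$", cfg, re.M))
    servers = re.findall(r"^ntp server (\S+).* key (\d+)$", cfg, re.M)
    return {host for host, key in servers if key not in defined & trusted}

def peer_parity(cfg_a, cfg_b):
    """Differences a vPC pair should not have: VLAN gaps and allowed-VLAN drift."""
    va, vb = vlan_database(cfg_a), vlan_database(cfg_b)
    pa, pb = vpc_allowed_vlans(cfg_a), vpc_allowed_vlans(cfg_b)
    drift = {po: sorted(pa[po] ^ pb[po]) for po in pa.keys() & pb.keys() if pa[po] != pb[po]}
    return {"vlans_only_on_a": sorted(va - vb), "vlans_only_on_b": sorted(vb - va),
            "allowed_vlan_drift": drift}
```

Feed it the two real running-configs (e.g. `show running-config` saved to text) in place of the excerpts; the VLAN regex only reads the top-level `vlan <list>` lines, so `vlan N` / `name` pairs are covered as well.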