Netgrimoire/Work/C9300GX_2_Build.md
2026-02-19 20:50:54 +00:00

---
title: C9300GX Initial Build
description:
published: true
date: 2026-02-19T20:50:41.541Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:50:41.541Z
---
# AT1EU-NEXUS-2 — Cisco Nexus 9300 Configuration
## Overview
AT1EU-NEXUS-2 is the **secondary** switch in a vPC pair (role priority 10 — same as primary; tie broken by MAC address). It runs NX-OS 10.3(7) and shares vPC domain 1 with AT1EU-NEXUS-1. The vPC peer-link (Po10) spans Eth1/27–28, and out-of-band management (mgmt0 at 192.168.0.2) is used for the vPC peer-keepalive path.
**Key roles of this switch:**
- vPC secondary (role priority 10, tie-broken by system MAC)
- STP root peer (same priorities as NEXUS-1 — `peer-switch` ensures both act as root)
- Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.122/24)
- NTP master (stratum 3)
- Same upstream/storage/compute port-channel topology as NEXUS-1
---
## Cut-and-Paste Configuration
```
version 10.3(7) Bios:version 07.71
switchname AT1EU-NEXUS-2
! --- QoS: Jumbo Frame Policy ---
policy-map type network-qos JUMBO
class type network-qos class-default
mtu 9216
! --- VDC Resource Limits ---
vdc AT1EU-NEXUS-2 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
! --- Features ---
feature nxapi
feature bash-shell
feature scp-server
cfs eth distribute
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature telemetry
! --- RBAC ---
role name network-ro
rule 2 permit command show running-config
rule 1 permit read
! --- Users ---
username admin password 5 $5$FIEALE$VdyvYPq0DyT./Pw59UUWC9bPs1coNfermExTM9MF6BB role network-admin
ssh key rsa 2048
! --- Banner ---
banner motd ^
********************* DOD NOTICE AND CONSENT BANNER *************************
* You are accessing a U.S. Government (USG) Information System (IS) that is *
* provided for USG-authorized use only. By using this IS (which includes any*
* device attached to this IS), you consent to the following conditions: *
*-The USG routinely intercepts and monitors communications on this IS for *
* purposes including, but not limited to, penetration testing, COMSEC *
* monitoring, network operations and defense, personnel misconduct (PM), *
* law enforcement (LE), and counterintelligence (CI) investigations. *
*-At any time, the USG may inspect and seize data stored on this IS. *
*-Communications using, or data stored on, this IS are not private, are *
* subject to routine monitoring, interception, and search, and may be *
* disclosed or used for any USG-authorized purpose. *
*-This IS includes security measures (e.g., authentication and access *
* controls) to protect USG interests--not for your personal benefit or *
* privacy. *
*-Notwithstanding the above, using this IS does not constitute consent to *
* PM, LE or CI investigative searching or monitoring of the content of *
* privileged communications, or work product, related to personal *
* representation or services by attorneys, psychotherapists, or clergy, and *
* their assistants. Such communications and work product are private and *
* confidential. See User Agreement for details. *
************************ POC: SIL Network Team ****************************
^
! --- SSH ---
ssh ciphers aes256-gcm
! --- DNS & Domain ---
ip domain-lookup
ip domain-name atom.dev use-vrf Atom
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom
! --- RADIUS ---
radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting
radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting
aaa group server radius NETMAN_RADIUS
server 15.0.11.68
server 15.32.11.68
use-vrf Atom
! --- Management ACL ---
ip access-list SWITCH_MGMT
10 permit ip 15.0.11.150/32 any log
20 permit ip 15.0.11.151/32 any log
30 permit ip 15.32.2.154/32 any log
40 permit ip 15.0.2.154/32 any log
50 permit ip 15.32.2.1/32 any log
60 permit ip 15.0.2.1/32 any log
70 permit ip 15.0.2.2/32 any log
80 permit ip 15.0.11.47/32 any log
90 permit ip 15.32.11.45/32 any log
93 permit ip 15.32.11.150/32 any log
100 deny ip any any log
! --- System QoS ---
system qos
service-policy type network-qos JUMBO
copp profile strict
! --- SNMP ---
snmp-server user admin network-admin auth sha 043A9864CA85100D231AA42F8FA9734C2B5C027F2B74 priv aes-128 365AD478C4A00B497D76B703D3AE75414E3C3C4B386A localizedV2key
snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc
snmp-server host 15.0.11.80 traps version 3 priv testsnmp
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
! --- NTP ---
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp server 15.32.0.30 use-vrf management
ntp server 115.0.0.9 use-vrf management key 125
ntp source-interface Vlan502
ntp authenticate
ntp authentication-key 125 md5 pz5-lihj 7
ntp trusted-key 125
ntp logging
ntp master 3
! --- AAA ---
aaa authentication login default group NETMAN_RADIUS local
aaa authentication login console group NETMAN_RADIUS local
aaa accounting default group NETMAN_RADIUS local
system default switchport
no ip source-route
! --- VLANs ---
vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871
vlan 1882-1883,1885,1905,3563,3965
vlan 2
name TEST_CLUS_COMM
vlan 8
name FP_Test1
vlan 10
name NESS_BOX_TRANSIT
vlan 12
name FP_Test2
vlan 66
name NATIVE_VLAN
vlan 85
name NESS-Temp
vlan 101
name iscsi_csv
vlan 102
name iscsi_boot
vlan 107
name Test
vlan 108
name NET_TEST_NET
vlan 121
name Atom_Backup
vlan 124
name Admin_iSCSI
vlan 143
name Secman_Storage
vlan 146
name Foxhound_Storage
vlan 150
name iscsi
vlan 153
name Javelin(L4)
vlan 157
name GNext_Storage
vlan 158
name NESS_Storage
vlan 188
name JASON_NFS
vlan 321
name ATOM_Backup
vlan 323
name AT-vServer
vlan 340
name ucs_test
vlan 342
name MadHatter_SVM_Mgmt
vlan 349
name Rock_SVM3_Mgmt
vlan 353
name Javlin_SVM
vlan 374
name Rock_Backup_Mgmt
vlan 382
name Darrin_User
vlan 501
name MGMT
vlan 502
name Atom_User2
vlan 504
name Commvault_Testing
vlan 505
name NETAPP_SNAP
vlan 549
name WDS
vlan 551
name L4_User
vlan 559
name Victory_WS_L4
vlan 562
name Brace(L3)_User
vlan 563
name Brace
vlan 667
name Britt_Test
vlan 668
name RockTesters(L4)_User
vlan 672
name GTRI_User
vlan 673
name VDI(L5)
vlan 701
name MH_L3_DATA_HLCI
vlan 702
name MH_L4_DATA_HLCI
vlan 704
name Legacy-704
vlan 705
name Legacy-705
vlan 706
name Legacy-706
vlan 707
name Legacy-707
vlan 708
name Legacy-708
vlan 709
name Legacy-709
vlan 710
name Legacy-710
vlan 721
name GTRI_JAVELIN_L4-721
vlan 740
name NETMAN
vlan 750
name l4_secman
vlan 751
name Secman_DMP-751
vlan 777
name FTD1010_TSHOOT
vlan 804
name FH_L4_HLCI
vlan 814
name ROCK_L4_MLS
vlan 820
name GNext_User
vlan 821
name GNext_Sentris
vlan 822
name GNext_VPX
vlan 823
name GNext_VDA
vlan 905
name Rock_(L4)
vlan 1051
name IP_SEC_1010
vlan 1127
name Vic_Storage
vlan 1551
name Services(L3)_User
vlan 1559
name Victory(L3)_User
vlan 1670
name BigTen_User
vlan 1671
name Victory_DMP-1671
vlan 1672
name VIC_VDI
vlan 1673
name Victory_Sentris
vlan 1720
name Javelin(L3)_User
vlan 1721
name GTRI_JAVELIN_L3-1721
vlan 1722
name Victory_VDI-1722
vlan 1800
name Foxhound(L3)_User
vlan 1801
name FH_L3_DATA_HLCI
vlan 1815
name ServMan_User
vlan 1870
name AT1EU-JavelinCoop(L3)_User
vlan 1883
name NESS_User
vlan 1885
name NESS_Client
vlan 1905
name Rock(L3)_User
vlan 3563
name Brace_User
vlan 3965
name V3E_DEV_HOST
! --- Spanning Tree ---
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576
spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1883-1904,1906-3562,3564-3964,3966-3967 priority 0
! --- VRF ---
vrf context Atom
ip domain-name atom.dev
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
ip route 0.0.0.0/0 15.0.2.254
vrf context management
! --- Port-Channel Load Balance ---
port-channel load-balance src-dst ip-l4port-vlan
! --- vPC Domain ---
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.168.0.1 source 192.168.0.2
delay restore 150
peer-gateway
auto-recovery
! --- SVI ---
interface Vlan1
interface Vlan502
no shutdown
vrf member Atom
no ip redirects
ip address 15.0.2.122/24
no ipv6 redirects
! --- Port-Channels ---
interface port-channel3
description //Trunk 500e X1
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 3
interface port-channel4
description //Trunk 500e X2
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 4
interface port-channel5
interface port-channel10
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
vpc peer-link
interface port-channel124
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type normal
spanning-tree guard root
mtu 9216
vpc 124
interface port-channel125
description //Trunk UCS-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 125
interface port-channel126
description //Trunk UCS-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard disable
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 126
interface port-channel127
description //Trunk AFF300-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 127
interface port-channel128
description //Trunk AFF300-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
switchport block unicast
vpc 128
interface port-channel129
description //Trunk FAS 2750-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
vpc 129
interface port-channel130
description //Trunk Fas 2750-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
vpc 130
interface port-channel131
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 131
interface port-channel132
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
vpc 132
! --- Breakout Ports (100G -> 4x25G) ---
int e1/1 - 26
shutdown
exit
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x
interface breakout module 1 port 9 map 25g-4x
! --- Physical Interfaces: Breakout (UCS/A70) ---
interface Ethernet1/1/1
description //Trunk 6554-2:25
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 126 mode active
no shutdown
interface Ethernet1/1/2
description //Trunk 6554-2:26
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 126 mode active
no shutdown
interface Ethernet1/1/3
description //Trunk 6554-1:27
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 125 mode active
no shutdown
interface Ethernet1/1/4
description //Trunk 6554-1:28
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
channel-group 125 mode active
no shutdown
interface Ethernet1/5/1
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/2
description //Trunk A70-A
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 131 mode active
no shutdown
interface Ethernet1/5/3
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
interface Ethernet1/5/4
description //Trunk A70-B
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
channel-group 132 mode active
no shutdown
! --- Physical Interfaces: HLCI Access Ports ---
interface Ethernet1/9/1
description //Access L4 HLCI MAD HATTER - Allow STP BPDU
switchport access vlan 702
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
mtu 9216
storm-control broadcast level 40.00
storm-control unicast level 50.00
udld enable
no shutdown
interface Ethernet1/9/2
description //Access L4 HLCI JAVELIN - Allow STP BPDU
switchport access vlan 721
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
mtu 9216
storm-control broadcast level 40.00
storm-control unicast level 50.00
switchport block unicast
udld enable
no shutdown
interface Ethernet1/9/3
description //Access L4 HLCI FOXHOUND - Allow STP BPDU
switchport access vlan 804
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
storm-control broadcast level 40.00
storm-control unicast level 50.00
switchport block unicast
udld enable
no shutdown
interface Ethernet1/9/4
description //Access L4 HLCI Rock (MLS) - Allow STP BPDU
switchport access vlan 814
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
storm-control broadcast level 40.00
storm-control unicast level 50.00
switchport block unicast
udld enable
no shutdown
! --- Physical Interfaces: Standard Ports ---
interface Ethernet1/23
description //Access Netapp XFER
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
udld enable
no shutdown
interface Ethernet1/24
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
channel-group 124 mode active
no shutdown
interface Ethernet1/25
description //Trunk 9300
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-4094
spanning-tree port type edge trunk
spanning-tree guard root
mtu 9216
channel-group 124 mode active
no shutdown
interface Ethernet1/26
description //Trunk 500e-X1
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
mtu 9216
switchport block unicast
udld enable
channel-group 3 mode active
no shutdown
interface Ethernet1/27
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
channel-group 10 mode active
no shutdown
interface Ethernet1/28
description //Trunk Peer - Allow STP
switchport mode trunk
switchport access vlan 67
switchport trunk native vlan 66
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type network
channel-group 10 mode active
no shutdown
! --- Bulk Disabled Ports ---
int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-22
description //Disabled access
switchport access vlan 67
switchport trunk native vlan 66
spanning-tree port type edge
spanning-tree bpduguard enable
spanning-tree guard root
storm-control broadcast level 99.00
storm-control unicast level 99.00
switchport block unicast
udld enable
shutdown
! --- Management Interface ---
interface mgmt0
vrf member management
ip address 192.168.0.2/24
icam monitor scale
! --- Console & VTY ---
line console
exec-timeout 5
line vty
session-limit 4
exec-timeout 5
access-class SWITCH_MGMT in
! --- Boot ---
boot nxos bootflash:/nxos64-cs.10.3.7.M.bin
! --- Logging ---
logging ip access-list cache entries 8001
logging logfile LOG_FILE 6 size 4096
logging server 15.0.2.146 6
logging server 15.0.2.222 6
logging level authpri 6
! --- Telemetry ---
telemetry
destination-profile
use-nodeid timba-6750aed76f7261301f12894a
destination-group timba-6750aed76f7261301f12894a-0
ip address 15.0.2.238 port 443 protocol HTTP encoding JSON
sensor-group timba-6750aed76f7261301f12894a-0
data-source NX-API
path "show system resources all-modules"
sensor-group timba-6750aed76f7261301f12894a-1
data-source NX-API
path "show module"
sensor-group timba-6750aed76f7261301f12894a-2
data-source NX-API
path "show environment power"
sensor-group timba-6750aed76f7261301f12894a-3
data-source NX-API
path "show interface fc regex *"
sensor-group timba-6750aed76f7261301f12894a-4
data-source DME
path sys/ch depth 1 query-condition query-target=subtree&target-subtree-class=eqptSensor
sensor-group timba-6750aed76f7261301f12894a-5
data-source DME
path sys/ch query-condition query-target=subtree&target-subtree-class=eqptSupC
sensor-group timba-6750aed76f7261301f12894a-6
data-source DME
path sys/ch query-condition query-target=subtree&target-subtree-class=eqptFt
sensor-group timba-6750aed76f7261301f12894a-7
data-source DME
path sys/intf query-condition query-target=subtree&target-subtree-class=ethpmPhysIf filter-condition updated(ethpmPhysIf.operSt)
subscription 578
dst-grp timba-6750aed76f7261301f12894a-0
snsr-grp timba-6750aed76f7261301f12894a-0 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-1 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-2 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-3 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-4 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-5 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-6 sample-interval 300000
snsr-grp timba-6750aed76f7261301f12894a-7 sample-interval 0
```
---
## Configuration Explanation
### Platform & Global Settings
Identical platform and global settings to NEXUS-1: NX-OS 10.3(7), Jumbo MTU QoS policy (9216 bytes), strict CoPP, AES256-GCM SSH, IP source-route disabled.
### VDC Resource Limits
Same as NEXUS-1.
### Features Enabled
Identical feature set to NEXUS-1.
### Authentication & Access Control
Identical RADIUS configuration, management ACL, and AAA settings to NEXUS-1. VTY exec-timeout is 5 minutes (vs. 0 on NEXUS-1 — worth standardizing).
### NTP
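Two additional NTP servers compared to NEXUS-1: `15.32.0.30` (management VRF) and `115.0.0.9` (management VRF). Uses NTP key 125 (vs. key 123 on NEXUS-1). Only key 125 is defined and trusted in this configuration, while the `ntp server 15.0.0.9` line still references key 123; this should be reviewed. NTP source is Vlan502. Also acts as NTP master stratum 3.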
### SNMP
SNMPv3 with SHA/AES-128. Has an additional trap target (15.0.11.80) compared to NEXUS-1. RMON events 1–5 configured identically.
### VLANs
Substantially the same VLAN database as NEXUS-1 with minor differences: VLAN 103 (Netapp_XFER) and VLAN 130 (SIL_SNAPMIRROR) are not present on NEXUS-2; VLAN 563 (Brace) is present on NEXUS-2 but not NEXUS-1. These discrepancies should be reviewed and aligned.
### Spanning Tree
Identical STP priorities to NEXUS-1. With `peer-switch` enabled in the vPC domain, both switches advertise the same STP bridge ID, making the pair appear as a single root to downstream devices.
### VRF & Routing
Same `Atom` VRF with default route to 15.0.2.254. Vlan502 SVI is at 15.0.2.122/24 (vs. 15.0.2.121 on NEXUS-1).
### vPC Domain
- **Domain:** 1
- **Role Priority:** 10 (same as NEXUS-1; system MAC determines actual secondary role)
- **Peer-link:** Po10 (Eth1/27–28), `spanning-tree port type network`
- **Peer-keepalive:** mgmt0, destination 192.168.0.1, source 192.168.0.2
- **Options:** `peer-switch`, `peer-gateway`, `auto-recovery`, 150-second restore delay
- **vPC members:** Po3–Po4, Po124–Po132 (mirrored from NEXUS-1)
> **Note:** Po124 (9300) uses `switchport trunk allowed vlan 2-4094` on NEXUS-2 (includes VLAN 67) while NEXUS-1 uses `2-66,68-4094` (excludes VLAN 67). This inconsistency should be reviewed.
### Physical Interfaces
- **Breakout mapping:** Ports 1, 5, 9 broken out as 4x25G — same as NEXUS-1.
- **Eth1/1/1–1/1/2 → Po126 (UCS-B):** The UCS FI cross-connection is intentionally reversed vs NEXUS-1 (NEXUS-1 Eth1/1/1–1/1/2 go to Po125/UCS-A). This is correct behavior for dual-homed UCS FI connectivity.
- **Eth1/9/1–1/9/4:** L4 HLCI access ports (Mad Hatter, Javelin, Foxhound, Rock MLS) — note these are L4 VLANs (702, 721, 804, 814) vs. L3 VLANs on NEXUS-1, providing per-switch HLCI layer segregation.
- **Eth1/27–1/28:** vPC peer-link → Po10
- **Eth1/24–1/25:** 9300 uplink → Po124
- **Eth1/26:** 500e-X1 → Po3
- **Eth1/23:** NetApp XFER standalone (not in a port-channel)
- **Disabled ports:** Same hardening policy as NEXUS-1
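
The member-to-port-channel mapping listed above can be checked against the pasted configuration itself. The Python below is an added example, not part of the original build document: it compares each interface that carries a `channel-group` line with its `interface port-channel` stanza and reports settings that differ. The function names and the list of compared settings are assumptions, and the sample is a trimmed excerpt of this page's configuration.

```python
import re

# Settings that should agree between a port-channel and its member ports
# (the selection is this example's assumption).
COMPARED = ("switchport mode", "switchport trunk native vlan",
            "switchport trunk allowed vlan", "spanning-tree port type",
            "spanning-tree bpduguard", "spanning-tree guard", "mtu")

# Constructed sample: four stanzas from this page's configuration, trimmed
# to a few compared settings, flat (unindented) as the page shows them.
SAMPLE = """\
interface port-channel124
switchport trunk allowed vlan 2-4094
spanning-tree port type normal
spanning-tree guard root
interface port-channel126
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard disable
spanning-tree guard root
interface Ethernet1/1/1
switchport trunk allowed vlan 2-66,68-4094
spanning-tree port type edge trunk
spanning-tree bpduguard enable
spanning-tree guard root
channel-group 126 mode active
interface Ethernet1/24
switchport trunk allowed vlan 2-4094
spanning-tree port type edge trunk
spanning-tree guard root
channel-group 124 mode active
"""


def parse_interfaces(text):
    """Map each 'interface <name>' stanza to its list of config lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            # 'interface breakout module ...' is a command, not a stanza.
            m = re.fullmatch(r"interface\s+(\S+)", line, re.I)
            current = stanzas.setdefault(m.group(1).lower(), []) if m else None
        elif not line or line.startswith("!"):
            current = None  # a blank line or section comment ends the stanza
        elif current is not None:
            current.append(line)
    return stanzas


def settings(lines):
    """Pick out the compared settings from one stanza."""
    found = {}
    for line in lines:
        for key in COMPARED:
            if line.startswith(key + " "):
                found[key] = line[len(key):].strip()
    return found


def member_mismatches(text):
    """Return (member, port_channel, setting, member_value, po_value) tuples."""
    stanzas = parse_interfaces(text)
    findings = []
    for name, lines in stanzas.items():
        groups = re.findall(r"^channel-group\s+(\d+)", "\n".join(lines), re.M)
        if not groups:
            continue
        po = "port-channel" + groups[0]
        # A missing port-channel stanza compares as "nothing configured".
        mine, parent = settings(lines), settings(stanzas.get(po, []))
        for key in COMPARED:
            if mine.get(key) != parent.get(key):
                findings.append((name, po, key, mine.get(key), parent.get(key)))
    return findings


if __name__ == "__main__":
    for finding in member_mismatches(SAMPLE):
        print("%s vs %s: %s: member=%r port-channel=%r" % finding)
```

On the sample it reports the `bpduguard` difference between Eth1/1/1 and Po126 and the STP port-type difference between Eth1/24 and Po124; abbreviated forms such as `int e1/1 - 26` are not parsed.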
### Telemetry
Same Timba streaming telemetry configuration as NEXUS-1, with a unique node ID. Subscription 578 pushes eight sensor groups to 15.0.2.238:443; seven are sampled at 300-second intervals (`sample-interval 300000`), and interface state changes are event-driven (interval 0).
### Logging
Syslog to 15.0.2.146 and 15.0.2.222, both at severity 6. Note NEXUS-1 logs to 15.0.2.146 at severity 2 — this discrepancy should be reviewed.
### Boot
`bootflash:/nxos64-cs.10.3.7.M.bin`
---
## Notable Differences Between NEXUS-1 and NEXUS-2
| Parameter | NEXUS-1 | NEXUS-2 |
|---|---|---|
| mgmt0 IP | 192.168.0.1 | 192.168.0.2 |
| Vlan502 IP | 15.0.2.121 | 15.0.2.122 |
| vPC keepalive dest | 192.168.0.2 | 192.168.0.1 |
| NTP key used | 123 | 125 |
| Additional NTP servers | — | 15.32.0.30, 115.0.0.9 (mgmt VRF) |
| VTY exec-timeout | 0 (no timeout) | 5 min |
| Logging 15.0.2.146 severity | 2 | 6 |
| Po124 allowed VLANs | 2-66,68-4094 | 2-4094 |
| vPC peer-link physical ports | Eth1/47–48 | Eth1/27–28 |
| HLCI port VLANs (Eth1/9/x) | L3 (701, 1801, 1721, 1814) | L4 (702, 721, 804, 814) |
| Additional SNMP trap target | — | 15.0.11.80 |
| VLAN 103 (Netapp_XFER) | Present | Absent |
| VLAN 130 (SIL_SNAPMIRROR) | Present | Absent |
| VLAN 563 (Brace) | Absent | Present |