Netgrimoire/work/Nexus_1_Build.md
2026-02-19 20:46:09 +00:00


---
title: C9300GX-1 Build
description:
published: true
date: 2026-02-19T20:46:00.149Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:45:10.926Z
---

AT1EU-NEXUS-1 — Cisco Nexus 9300 Configuration

Overview

AT1EU-NEXUS-1 is the primary switch in a vPC pair (role priority 10; the lower value wins). It runs NX-OS 10.3(7) and forms vPC domain 1 with AT1EU-NEXUS-2. The two switches share a vPC peer-link (Po10) across Eth1/47-48 and use out-of-band management (mgmt0, 192.168.0.1/24 in the management VRF) for the vPC peer-keepalive path.

Key roles of this switch:

  • vPC primary (role priority 10)
  • STP root bridge for the management/native VLANs (priority 8192 on VLANs 1 and 66, 4096 on VLAN 1883)
  • Layer 3 gateway for Vlan502 (Atom VRF, IP 15.0.2.121/24)
  • NTP master (stratum 3)
  • Upstream connections: 500e-X1 (Po3), 500e-X2 (Po4), 9300 (Po124)
  • Storage connections: AFF300-A (Po127), AFF300-B (Po128), FAS2750-A (Po129), FAS2750-B (Po130), A70-A (Po131), A70-B (Po132)
  • Compute connections: UCS-A (Po125), UCS-B (Po126)

Cut-and-Paste Configuration

conf t
switchname AT1EU-NEXUS-1

! --- QoS: Jumbo Frame Policy ---
policy-map type network-qos JUMBO
  class type network-qos class-default
    mtu 9216

! --- VDC Resource Limits ---
vdc AT1EU-NEXUS-1 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

! --- Features ---
feature nxapi
feature bash-shell
feature scp-server
cfs eth distribute
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature telemetry

! --- RBAC ---
role name network-ro
  rule 2 permit read
  rule 1 permit command show running-config

! --- Users ---
username admin password 5 $5$MFJCIC$AJyskD7vdoVFKK5cTS2lO20omFL4XFrgqNB94qDA5Z2 role network-admin
ssh key rsa 2048

! --- Banner ---
banner motd ^
********************* DOD NOTICE AND CONSENT BANNER *************************
* You are accessing a U.S. Government (USG) Information System (IS) that is *
* provided for USG-authorized use only. By using this IS (which includes any*
* device attached to this IS), you consent to the following conditions:     *
*-The USG routinely intercepts and monitors communications on this IS for   *
* purposes including, but not limited to, penetration testing, COMSEC       *
* monitoring, network operations and defense, personnel misconduct (PM),    *
* law enforcement (LE), and counterintelligence (CI) investigations.        *
*-At any time, the USG may inspect and seize data stored on this IS.        *
*-Communications using, or data stored on, this IS are not private, are     *
* subject to routine monitoring, interception, and search, and may be       *
* disclosed or used for any USG-authorized purpose.                         *
*-This IS includes security measures (e.g., authentication and access       *
* controls) to protect USG interests--not for your personal benefit or      *
* privacy.                                                                  *
*-Notwithstanding the above, using this IS does not constitute consent to   *
* PM, LE or CI investigative searching or monitoring of the content of      *
* privileged communications, or work product, related to personal           *
* representation or services by attorneys, psychotherapists, or clergy, and *
* their assistants. Such communications and work product are private and    *
* confidential. See User Agreement for details.                             *
************************  POC: SIL Network Team  ****************************
^

! --- SSH ---
ssh ciphers aes256-gcm

! --- DNS & Domain ---
ip domain-lookup
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
ip domain-name atom.dev use-vrf Atom
ip name-server 15.0.2.128 15.0.2.129 15.32.2.128 use-vrf Atom

! --- RADIUS ---
radius-server host 15.0.11.68 key 7 "V1P-jaynmv" authentication accounting
radius-server host 15.32.11.68 key 7 "V1P-jaynmv" authentication accounting
aaa group server radius NETMAN_RADIUS
    server 15.0.11.68
    server 15.32.11.68
    use-vrf Atom

! --- Management ACL ---
ip access-list SWITCH_MGMT
  10 permit ip 15.0.11.150/32 any log
  20 permit ip 15.0.11.151/32 any log
  30 permit ip 15.32.2.154/32 any log
  40 permit ip 15.0.2.154/32 any log
  50 permit ip 15.32.2.1/32 any log
  60 permit ip 15.0.2.1/32 any log
  70 permit ip 15.0.2.2/32 any log
  80 permit ip 15.0.11.47/32 any log
  90 permit ip 15.32.11.45/32 any log
  93 permit ip 15.32.11.150/32 any log
  100 deny ip any any log

! --- System QoS ---
system qos
  service-policy type network-qos JUMBO
copp profile strict

! --- SNMP ---
snmp-server user admin network-admin auth sha 042F64DB5D2E0D40DF543D6A00495F1F18F9DD5FED7B priv aes-128 00540CF9793F282ED96D666B110B00753FC3F269E964 localizedV2key
snmp-server host 15.0.2.188 traps version 3 priv at-sw-svc
snmp-server enable traps config ccmCLIRunningConfigChanged
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO

! --- NTP ---
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp source-interface Vlan502
ntp authenticate
ntp authentication-key 123 md5 pz5yamz 7
ntp trusted-key 123
ntp logging
ntp master 3

! --- AAA ---
aaa authentication login default group NETMAN_RADIUS local
aaa authentication login console group NETMAN_RADIUS local
aaa accounting default group NETMAN_RADIUS local
system default switchport
no ip source-route

! --- VLANs ---
vlan 1-2,8,10,12,66,85,100-103,107-108,121-124,129-130,142-143,145-146,148-150,153,157-158,188,305,321,323,340,342,349,353,374,382,501-502,504-505,549,551,559,562-563,600,611,660-661,667-668,672-673,697-698,701-702,704-710,720-722,724,727,740,750-751,772,777,800-802,804,814,820-823,905,1051,1127,1129,1160-1161,1551,1559-1560,1670-1674,1720-1722,1800-1802,1814-1817,1862,1865,1870-1871
vlan 1882-1883,1885,1905,3563,3965
vlan 2
  name TEST_CLUS_COMM
vlan 8
  name FP_Test1
vlan 10
  name NESS_BOX_TRANSIT
vlan 12
  name FP_Test2
vlan 66
  name NATIVE_VLAN
vlan 85
  name NESS_Temp
vlan 100
  name migration
vlan 101
  name iscsi_csv
vlan 102
  name iscsi_boot
vlan 103
  name Netapp_XFER
vlan 107
  name Test
vlan 108
  name NET_TEST_NET
vlan 121
  name Atom_Backup
vlan 123
  name storage
vlan 124
  name Admin_iSCSI
vlan 130
  name SIL_SNAPMIRROR
vlan 143
  name Secman_Storage
vlan 146
  name Foxhound_Storage
vlan 150
  name iscsi
vlan 153
  name Javelin(L4)
vlan 157
  name GNext_Storage
vlan 158
  name Ness_Storage
vlan 188
  name JASON_NFS
vlan 321
  name ATOM_Backup
vlan 323
  name AT-vServer
vlan 340
  name ucs_test
vlan 342
  name MadHatter_SVM_Mgmt
vlan 349
  name Rock_SVM3_Mgmt
vlan 353
  name Javlin_SVM
vlan 374
  name Rock_Backup_Mgmt
vlan 382
  name Darrin_User
vlan 501
  name MGMT
vlan 502
  name Atom_User2
vlan 504
  name Commvault_Test
vlan 505
  name NETAPP_SNAP
vlan 549
  name WDS
vlan 551
  name L4_User
vlan 559
  name Victory_WS_L4
vlan 562
  name Brace(L3)_User
vlan 667
  name Britt_Test
vlan 668
  name RockTesters(L4)_User
vlan 672
  name GTRI_User
vlan 673
  name VDI(L5)
vlan 701
  name MH_L3_DATA_HLCI
vlan 702
  name MH_L4_DATA_HLCI
vlan 704
  name Legacy-704
vlan 705
  name Legacy-705
vlan 706
  name Legacy-706
vlan 707
  name Legacy-707
vlan 708
  name Legacy-708
vlan 709
  name Legacy-709
vlan 710
  name Legacy-710
vlan 721
  name GTRI_JAVELIN_L4-721
vlan 740
  name NETMAN
vlan 750
  name l4_secman
vlan 751
  name Secman_DMP-751
vlan 777
  name FTD1010_TSHOOT
vlan 804
  name FH_L4_HLCI
vlan 814
  name Rock_L4
vlan 820
  name GNext_User
vlan 821
  name GNext_Sentris
vlan 822
  name GNext_VPX
vlan 823
  name GNext_VDA
vlan 905
  name Rock_(L4)
vlan 1051
  name IP_SEC_1010
vlan 1127
  name Vic_Storage
vlan 1551
  name Services(L3)_User
vlan 1559
  name Victory(L3)_User
vlan 1670
  name BigTen_User
vlan 1671
  name Victory_DMP-1671
vlan 1672
  name VIC_VDI
vlan 1673
  name Victory_Sentris
vlan 1720
  name Javelin(L3)_User
vlan 1721
  name GTRI_JAVELIN_L3-1721
vlan 1722
  name Victory_VDI-1722
vlan 1800
  name Foxhound(L3)_User
vlan 1801
  name FH_L3_DATA_HLCI
vlan 1814
  name ROCK_L3_MLS
vlan 1815
  name ServMan_User
vlan 1870
  name AT1EU-JavelinCoop(L3)_User
vlan 1883
  name NESS_User
vlan 1885
  name NESS_Client
vlan 1905
  name Rock(L3)_User
vlan 3563
  name Brace_User
vlan 3965
  name V3E_DEV_HOST

! --- Spanning Tree ---
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
spanning-tree port type network default
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 2,100-102,107-108,121-123,129,142,145,148-150,153,305,323,340,353,382,501-502,505,549,551,562-563,600,611,660-661,667-668,672,697-698,701-702,704-710,720-722,724,727,750,772,800-802,804,814,905,1127,1129,1160-1161,1551,1559-1560,1670,1672-1673,1720-1721,1800-1802,1814-1817,1862,1865,1870-1871,1882,1905,3563,3965 priority 24576
spanning-tree vlan 3-65,67-99,103-106,109-120,124-128,130-141,143-144,146-147,151-152,154-304,306-322,324-339,341-352,354-381,383-500,503-504,506-548,550,552-561,564-599,601-610,612-659,662-666,669-671,673-696,699-700,703,711-719,723,725-726,728-749,751-771,773-799,803,805-813,815-904,906-1126,1128,1130-1159,1162-1550,1552-1558,1561-1669,1671,1674-1719,1722-1799,1803-1813,1818-1861,1863-1864,1866-1869,1872-1881,1884-1904,1906-3562,3564-3964,3966-3967 priority 0
spanning-tree vlan 1883 priority 4096

! --- VRF ---
vrf context Atom
  ip domain-name atom.dev
  ip name-server 15.0.2.128 15.0.2.129 15.32.2.128
  ip route 0.0.0.0/0 15.0.2.254
vrf context management

! --- Port-Channel Load Balance ---
port-channel load-balance src-dst ip-l4port-vlan

! --- vPC Domain ---
vpc domain 1
  peer-switch
  role priority 10
  peer-keepalive destination 192.168.0.2 source 192.168.0.1
  delay restore 150
  peer-gateway
  auto-recovery

! --- SVI ---
interface Vlan1

interface Vlan502
  no shutdown
  vrf member Atom
  no ip redirects
  ip address 15.0.2.121/24
  no ipv6 redirects

! --- Port-Channels ---
interface port-channel3
  description //Trunk 500e X1
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  vpc 3

interface port-channel10
  description //Trunk Peer - Allow STP
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type network
  vpc peer-link

interface port-channel124
  description //Trunk 9300
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type normal
  spanning-tree bpduguard disable
  spanning-tree guard root
  mtu 9216
  no lacp suspend-individual
  vpc 124

interface port-channel125
  description //Trunk UCS-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard disable
  spanning-tree guard root
  mtu 9216
  vpc 125

interface port-channel126
  description //Trunk UCS-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard disable
  spanning-tree guard root
  mtu 9216
  vpc 126

interface port-channel127
  description //Trunk AFF300-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 127

interface port-channel128
  description //Trunk AFF300-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 128

interface port-channel129
  description //Trunk FAS 2750-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  storm-control broadcast level 99.00
  storm-control unicast level 99.00
  switchport block unicast
  vpc 129

interface port-channel130
  description //Trunk Fas 2750-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  storm-control broadcast level 99.00
  storm-control unicast level 99.00
  switchport block unicast
  vpc 130

interface port-channel131
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 131

interface port-channel132
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree guard root
  mtu 9216
  vpc 132

! --- Breakout Ports (100G -> 4x25G) ---
int e1/1 - 26
  shutdown
exit
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x


! --- Physical Interfaces: Breakout (UCS/A70) ---
interface Ethernet1/1/1
  description //Trunk 6554-1:25
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 125 mode active
  no shutdown

interface Ethernet1/1/2
  description //Trunk 6554-1:26
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 125 mode active
  no shutdown

interface Ethernet1/1/3
  description //Trunk 6554-2:27
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 126 mode active
  no shutdown

interface Ethernet1/1/4
  description //Trunk 6554-2:28
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 126 mode active
  no shutdown

interface Ethernet1/5/1
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 131 mode active
  no shutdown

interface Ethernet1/5/2
  description //Trunk A70-A
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 131 mode active
  no shutdown

interface Ethernet1/5/3
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 132 mode active
  no shutdown

interface Ethernet1/5/4
  description //Trunk A70-B
  switchport mode trunk
  switchport access vlan 67
  switchport trunk native vlan 66
  switchport trunk allowed vlan 2-66,68-4094
  spanning-tree port type edge trunk
  spanning-tree bpduguard enable
  spanning-tree guard root
  mtu 9216
  channel-group 132 mode active
  no shutdown

!
! --- Bulk Disabled Ports ---
int e1/3/1-4,e1/7/1-4,e1/11/1-4,e1/13-23
  description //Disabled access
  switchport access vlan 67
  switchport trunk native vlan 66
  spanning-tree port type edge
  spanning-tree bpduguard enable
  spanning-tree guard root
  storm-control broadcast level 99.00
  storm-control unicast level 99.00
  switchport block unicast
  udld enable
  shutdown

! --- Management Interface ---
interface mgmt0
  vrf member management
  ip address 192.168.0.1/24

icam monitor scale

! --- Console & VTY ---
line console
  exec-timeout 5
line vty
  session-limit 4
  exec-timeout 0
  access-class SWITCH_MGMT in


! --- Logging ---
logging ip access-list cache entries 8001
logging logfile LOG_FILE 6 size 4096
logging server 15.0.2.146 2
logging server 15.0.2.222 6
logging level authpriv 6

intersight use-vrf Atom

Configuration Explanation

Platform & Global Settings

Running NX-OS 10.3(7). A network-qos policy (JUMBO, MTU 9216) is applied globally through `system qos`; the port-channels and their member ports still carry an explicit `mtu 9216`, which is what sets the interface MTU. IP source routing is disabled, SSH is limited to the AES256-GCM cipher with a 2048-bit RSA host key, and CoPP uses the strict profile to protect the control plane.

VDC Resource Limits

Standard resource limits for a single-VDC 9300 — up to 4094 VLANs, 4096 VRFs, and 511 port-channels.

Features Enabled

nxapi, bash-shell, scp-server, udld, interface-vlan, lacp, vpc, lldp, telemetry, and CFS Ethernet distribution (`cfs eth distribute`), which vPC uses to exchange consistency data with the peer. Three of these are management-plane exposure and deserve a deliberate decision rather than a habit: `bash-shell` gives network-admin users a Linux shell on the switch (`run bash`, with sudo), `nxapi` opens an HTTPS management endpoint that the VTY `access-class` does not protect (SWITCH_MGMT only filters SSH sessions on the VTY lines), and `scp-server` lets SSH users copy files to and from bootflash. Confirm with `show nxapi` that only HTTPS is enabled, and pin NX-API to the management VRF (`nxapi use-vrf management`) or front it with a control-plane ACL.

Authentication & Access Control

RADIUS authentication and accounting go to the NETMAN_RADIUS group (15.0.11.68 and 15.32.11.68) through the Atom VRF, for both the default login and the console, with local fallback. No `aaa authorization` is configured, so a user's role comes from the RADIUS reply (the `shell:roles` cisco-av-pair); a reply without it gets network-operator. The RADIUS shared secrets and the NTP key are stored as type 7, which is reversible, so this page itself has to be handled as secret material (NX-OS can re-encrypt them as type 6 with `feature password encryption aes` and `key config-key ascii`). VTY access is restricted by the SWITCH_MGMT ACL: ten /32 management hosts, every entry logged, and an explicit deny-any with logging at the end; the ACL applies only to VTY (SSH) sessions, not to NX-API or SNMP. VTY sessions are capped at 4 and the console times out after 5 minutes, but the VTY `exec-timeout 0` disables the idle timeout entirely, which is a hardening finding in its own right; NEXUS-2 uses 5 minutes, and the pair should match.

NTP

Two NTP servers in the Atom VRF, both marked `prefer`, with MD5 authentication and Vlan502 as the source interface. Only key 123 is defined and trusted: server 15.32.0.9 references key 125, which does not exist in this paste, so that association can never authenticate and the switch is effectively single-homed for time. Either add and trust key 125 or point the second server at key 123, then verify with `show ntp peer-status` and `show ntp authentication-status`. `ntp master 3` makes the switch advertise its local clock at stratum 3 to downstream clients if the upstream servers are lost.

SNMP

SNMPv3 user admin with SHA authentication and AES-128 privacy (the localized keys are in the paste; NX-OS keeps the SNMP and CLI user databases in sync). Traps go to 15.0.2.188 as SNMPv3 priv under user at-sw-svc, which is not defined anywhere in this paste, so confirm it exists with `show snmp user` before expecting traps to arrive. RMON events are defined for severity levels 1 through 5 with trap community `public`, the default string, which only matters for v1/v2c trap receivers. Running-config change traps (ccmCLIRunningConfigChanged) are enabled, which is the hook a SIEM should use to alert on unscheduled changes.

VLANs

About 120 VLANs are defined, covering storage (iSCSI, NFS, SnapMirror), compute (UCS, HLCI workloads), management, user and VDI segments. VLAN 66 is the native VLAN on every trunk. VLAN 67 is the quarantine access VLAN for disabled ports: it is deliberately never created and is excluded from every trunk's allowed list (2-66,68-4094), so a port left in it has no active VLAN and cannot forward anywhere.

Spanning Tree

Global defaults: every port is spanning-tree type network (bridge assurance) unless explicitly set to edge, and edge ports get both BPDU guard and BPDU filter by default. Global BPDU filtering on edge ports is easy to get wrong alongside guard (a port that receives a BPDU under global filtering drops its edge status), so the explicit per-interface `spanning-tree bpduguard enable` on the host-facing port-channels and member ports is the setting to rely on, and it is worth testing by sending a BPDU at one of them; Po124, Po125 and Po126 deliberately disable BPDU guard because the far end is a switch or a Fabric Interconnect. Bridge priorities: 8192 on VLANs 1 and 66 and 4096 on VLAN 1883 make this switch the root for those VLANs; 24576 on the production VLANs is the conventional secondary-root value; and priority 0 on every VLAN not otherwise listed is the lowest, most-preferred value, which would make this switch the root for any of those VLANs the moment one is created, not a way of excluding them from root election. Because peer-switch is enabled in the vPC domain, NEXUS-2 must carry identical priorities for every VLAN; verify with `show spanning-tree summary` and `show vpc consistency-parameters global`.

VRF & Routing

A single non-default VRF, Atom, carries the management and user traffic with a default route to 15.0.2.254. Vlan502 (Atom_User2) at 15.0.2.121/24 is the only routed interface in the paste; the default VRF has no IP interface at all, which matters for any service that is not told `use-vrf Atom`.

vPC Domain

  • Domain: 1
  • Role priority: 10 (primary; the lower value wins, so NEXUS-2 must carry a higher one)
  • Peer-link: Po10 (Eth1/47-48), spanning-tree port type network
  • Peer-keepalive: mgmt0 in the management VRF, destination 192.168.0.2, source 192.168.0.1
  • Options: peer-switch, peer-gateway, auto-recovery, 150-second delay restore
  • vPC members: Po3 (500e-X1), Po4 (500e-X2), Po124 (9300), Po125 (UCS-A), Po126 (UCS-B), Po127 (AFF300-A), Po128 (AFF300-B), Po129 (FAS2750-A), Po130 (FAS2750-B), Po131 (A70-A), Po132 (A70-B)

With peer-switch both peers present one STP bridge ID on vPC ports, so every `spanning-tree vlan ... priority` value must be identical on NEXUS-2; `delay restore 150` keeps vPC member ports down for 150 seconds after the peer-link comes back so that the peer has converged first. Check `show vpc` and `show vpc consistency-parameters global` once both switches are up.
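After the paste, the quickest objective check of the domain is `show vpc`, fetched over the NX-API endpoint that `feature nxapi` turns on. The script below is an added example written for this page, not the page's own procedure or Cisco code: it builds the NX-API JSON-RPC batch and compares a `show vpc` body against the member list above. The JSON field names (`vpc-peer-status`, `vpc-role`, `TABLE_vpc`/`ROW_vpc`, `vpc-port-state`, `peer-link-port-state`) are what NX-OS emits for `show vpc | json` as far as I know them, so treat them as an assumption to verify on the platform; `SAMPLE_SHOW_VPC` is a constructed body in that shape (129 down, 130 absent), not captured output, and the `NXAPI_*` environment variables are this example's own convention.

```python
"""Post-paste vPC verification over NX-API (added example; field names are assumptions, see lead-in)."""
import base64
import json
import os
import ssl
import urllib.request

# vPC IDs the build page says should be up on AT1EU-NEXUS-1.
EXPECTED_VPCS = [3, 4, 124, 125, 126, 127, 128, 129, 130, 131, 132]

# Constructed `show vpc` body in the NX-OS TABLE_/ROW_ JSON shape (field names are an
# assumption to verify on the platform). Values are invented: 129 is down, 130 is absent.
SAMPLE_SHOW_VPC = {
    "vpc-domain-id": "1",
    "vpc-peer-status": "peer-ok",
    "vpc-peer-keepalive-status": "peer-alive",
    "vpc-peer-consistency-status": "SUCCESS",
    "vpc-role": "primary",
    "TABLE_peerlink": {"ROW_peerlink": {"peer-link-id": "1", "peerlink-ifindex": "Po10",
                                        "peer-link-port-state": "1"}},
    "TABLE_vpc": {"ROW_vpc": [
        {"vpc-id": str(v), "vpc-ifindex": f"Po{v}", "vpc-consistency-status": "SUCCESS",
         "vpc-port-state": "0" if v == 129 else "1"}
        for v in EXPECTED_VPCS if v != 130]},
}


def jsonrpc_request(commands):
    """NX-API JSON-RPC batch: one `cli` call per show command, ids 1..n."""
    return [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": cmd, "version": 1}, "id": i}
            for i, cmd in enumerate(commands, start=1)]


def rows(table, row_key):
    """NX-OS emits a dict for a one-row table and a list for several; always return a list."""
    row = (table or {}).get(row_key)
    if row is None:
        return []
    return row if isinstance(row, list) else [row]


def check_vpc(body, expected_vpcs, expected_role):
    """Compare a `show vpc` body with the build's intent; return a list of problems (empty = pass)."""
    problems = []
    if body.get("vpc-peer-status") != "peer-ok":
        problems.append(f"peer status is {body.get('vpc-peer-status')!r}, expected 'peer-ok'")
    if body.get("vpc-peer-keepalive-status") != "peer-alive":
        problems.append(f"keepalive is {body.get('vpc-peer-keepalive-status')!r}, expected 'peer-alive'")
    if body.get("vpc-role") != expected_role:
        problems.append(f"role is {body.get('vpc-role')!r}, expected {expected_role!r}")
    for link in rows(body.get("TABLE_peerlink"), "ROW_peerlink"):
        if link.get("peer-link-port-state") != "1":
            problems.append(f"peer-link {link.get('peerlink-ifindex')} is down")
    present = {int(r["vpc-id"]): r for r in rows(body.get("TABLE_vpc"), "ROW_vpc")}
    for vpc in expected_vpcs:
        r = present.get(vpc)
        if r is None:
            problems.append(f"vpc {vpc} is not configured on the switch")
        elif r.get("vpc-port-state") != "1":
            problems.append(f"vpc {vpc} ({r.get('vpc-ifindex')}) is down")
        elif r.get("vpc-consistency-status") != "SUCCESS":
            problems.append(f"vpc {vpc} ({r.get('vpc-ifindex')}) is inconsistent: {r.get('vpc-consistency-status')}")
    for vpc in sorted(set(present) - set(expected_vpcs)):
        problems.append(f"vpc {vpc} exists on the switch but is not in the build")
    return problems


def post_cli(host, user, password, commands, cafile=None):
    """POST the batch to https://<host>/ins with basic auth and return each result body.
    The switch certificate is verified against cafile (or the system store); never disable that."""
    payload = json.dumps(jsonrpc_request(commands)).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/ins", data=payload, method="POST",
        headers={"Content-Type": "application/json-rpc", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        results = json.load(resp)
    results = results if isinstance(results, list) else [results]
    return [r["result"]["body"] for r in results]


if __name__ == "__main__":
    # Live run needs NXAPI_HOST/NXAPI_USER/NXAPI_PASS (optionally NXAPI_CAFILE); otherwise the sample is checked.
    if os.environ.get("NXAPI_HOST"):
        body = post_cli(os.environ["NXAPI_HOST"], os.environ["NXAPI_USER"], os.environ["NXAPI_PASS"],
                        ["show vpc"], os.environ.get("NXAPI_CAFILE"))[0]
    else:
        body = SAMPLE_SHOW_VPC
    for problem in check_vpc(body, EXPECTED_VPCS, "primary"):
        print("FAIL:", problem)
```

Run the same check on NEXUS-2 with `expected_role="secondary"`; the member list is identical on both peers by design, so any difference in the output between the two switches is itself a finding.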

Port-Channel Load Balancing

src-dst ip-l4port-vlan — distributes traffic based on source/destination IP, L4 port, and VLAN for optimal flow distribution.

Physical Interfaces

  • Ports 1/1-1/26: shut down as a group first, then the individual interfaces are configured. The paste breaks out ports 1/1 and 1/5 into 4x25G sub-interfaces (port 1/9 is also meant to be broken out, but no breakout command for it is in the paste; the same applies to 1/3, 1/7 and 1/11, whose sub-interfaces the disabled-port line references).
  • Eth1/1/1-1/1/4: 25G breakout ports to the UCS 6554 FIs → Po125/Po126
  • Eth1/5/1-1/5/4: 25G breakout ports to the A70 storage arrays → Po131/Po132
  • Eth1/24-1/25, 1/45-1/46: 9300 uplink → Po124 (4-link LACP)
  • Eth1/26: 500e-X1 → Po3
  • Eth1/18: 500e-X2 → Po4
  • Eth1/47-1/48: vPC peer-link → Po10
  • Eth1/53-1/54: AFF300-A/B → Po127/Po128
  • Eth1/2-1/3: FAS2750 → Po129/Po130
  • Disabled ports: placed in VLAN 67 with BPDU guard, root guard, storm-control, UDLD and unknown-unicast blocking, then shut down. The storm-control level of 99.00 percent is effectively no limit.

Not all of this is in the cut-and-paste block above: the member-port stanzas for Po3, Po10, Po124 and Po127-Po130 (Eth1/2-3, 1/24-25, 1/26, 1/45-46, 1/47-48, 1/53-54) are absent, there is no port-channel4 stanza at all, and Eth1/18 falls inside the bulk-disabled range e1/13-23. Reconcile these against `show running-config` on the live switch before reusing the paste as a rebuild source.
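The cross-references the explanation relies on (an NTP key referenced but never defined, port-channels with no member ports in the paste, sub-interfaces on ports with no breakout map, priority-0 STP entries on VLANs that do not exist) are exactly what a pre-paste lint should catch. The script below is an added example written for this page, not Cisco tooling or part of the build; it runs offline over `SAMPLE`, a constructed excerpt modelled on the paste (the NTP key string is a placeholder), and the interface-name patterns and finding messages are this example's own conventions.

```python
"""Pre-paste lint for an NX-OS build (added example, not Cisco tooling).
Checks: ntp server keys are defined and trusted; channel-group N has an interface
port-channelN; a port-channel carrying `vpc` has member ports; Ethernet sub-interfaces
have a breakout map; priority 0 (most-preferred root) is not set on undefined VLANs."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the page's paste (NTP key string is a placeholder).
SAMPLE = """\
ntp server 15.0.0.9 prefer use-vrf Atom key 123
ntp server 15.32.0.9 prefer use-vrf Atom key 125
ntp authentication-key 123 md5 PLACEHOLDER 7
ntp trusted-key 123
vlan 1-2,8,66,502
vlan 1883
spanning-tree vlan 1,66 priority 8192
spanning-tree vlan 3-65 priority 0
interface breakout module 1 port 1 map 25g-4x
interface breakout module 1 port 5 map 25g-4x
interface port-channel125
  vpc 125
interface port-channel129
  vpc 129
interface Ethernet1/1/1
  channel-group 125 mode active
interface Ethernet1/5/1
  channel-group 131 mode active
int e1/3/1-4,e1/13-23
  shutdown
interface Ethernet1/18
  channel-group 4 mode active
"""

IFACE = re.compile(r"\s*(?:ethernet|eth|e)\s*(\d+(?:/\d+)+)(?:\s*-\s*(\d+))?\s*", re.I)


def expand_vlans(spec):
    """'1-2,8,66' -> {1, 2, 8, 66}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def expand_interfaces(spec):
    """'e1/3/1-4,e1/18' -> ['1/3/1', '1/3/2', '1/3/3', '1/3/4', '1/18']; non-Ethernet names yield nothing."""
    out = []
    for part in spec.split(","):
        m = IFACE.fullmatch(part)
        if not m:
            continue
        base, end = m.group(1), m.group(2)
        if end is None:
            out.append(base)
        else:
            prefix, start = base.rsplit("/", 1)
            out.extend(f"{prefix}/{i}" for i in range(int(start), int(end) + 1))
    return out


def lint(config):
    """Return human-readable findings for one cut-and-paste config text."""
    findings = []

    # NTP: an association whose key is undefined or untrusted never authenticates.
    defined = {int(k) for k in re.findall(r"^ntp authentication-key (\d+)", config, re.M)}
    trusted = {int(k) for k in re.findall(r"^ntp trusted-key (\d+)", config, re.M)}
    for server, key in re.findall(r"^ntp server (\S+).*\bkey (\d+)", config, re.M):
        if int(key) not in defined:
            findings.append(f"ntp: server {server} references key {key}, which is never defined")
        elif int(key) not in trusted:
            findings.append(f"ntp: server {server} key {key} is defined but not in ntp trusted-key")

    # STP: priority 0 is the lowest bridge priority, i.e. the most preferred root.
    vlans = set().union(*(expand_vlans(s) for s in re.findall(r"^vlan ([\d,\-]+)$", config, re.M)))
    for spec, prio in re.findall(r"^spanning-tree vlan ([\d,\-]+) priority (\d+)", config, re.M):
        undefined = expand_vlans(spec) - vlans
        if int(prio) == 0 and undefined:
            findings.append(f"stp: priority 0 (most-preferred root) on {len(undefined)} VLANs that are not defined")

    # Interfaces: walk the stanzas once, tracking members, vPC ids and breakout parents.
    breakouts, vpc_of, members, eth_seen, current = set(), {}, defaultdict(list), [], []
    for line in config.splitlines():
        if m := re.match(r"interface breakout module (\d+) port (\d+)", line):
            breakouts.add(f"{m[1]}/{m[2]}")
        elif m := re.match(r"(?:interface|int) (.+)", line):
            po = re.fullmatch(r"port-channel(\d+)", m[1].strip(), re.I)
            current = [f"po{po[1]}"] if po else expand_interfaces(m[1])
            if po:
                vpc_of.setdefault(int(po[1]), None)
            else:
                eth_seen.extend(current)
        elif not line.startswith(" "):
            current = []  # any other top-level command ends the stanza
        elif m := re.match(r"\s+channel-group (\d+)", line):
            members[int(m[1])].extend(current)
        elif (m := re.match(r"\s+vpc (\d+)", line)) and current and current[0].startswith("po"):
            vpc_of[int(current[0][2:])] = int(m[1])
    for group, ifaces in sorted(members.items()):
        if group not in vpc_of:
            findings.append(f"lag: channel-group {group} on Eth{', Eth'.join(ifaces)} has no interface port-channel{group}")
    for po, vpc in sorted(vpc_of.items()):
        if vpc is not None and not members.get(po):
            findings.append(f"lag: port-channel{po} carries vpc {vpc} but has no member port in this paste")
    parents = {"/".join(n.split("/")[:2]) for n in eth_seen if n.count("/") == 2}
    for port in sorted(parents - breakouts):
        findings.append(f"breakout: sub-interfaces of Ethernet{port} are referenced but port {port} has no breakout map")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint(text):
        print(finding)
```

Pass the saved paste as the first argument to lint it; with no argument the constructed sample is linted and produces six findings, which mirror the gaps described above (key 125, Po4 and Po131 without port-channel stanzas, Po129 without members, port 1/3 never broken out, and sixty-two undefined VLANs at priority 0).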

Logging

Syslog to 15.0.2.146 at severity 2 (critical and worse) and 15.0.2.222 at severity 6 (informational); local log file LOG_FILE at severity 6 with `size 4096`, which is bytes and the smallest NX-OS accepts, so the on-box log wraps almost immediately and the remote servers are the real record. The authpriv facility (login and AAA messages) is logged at informational. The ACL-log cache is sized at 8001 entries to absorb the `log` keyword on every SWITCH_MGMT entry. One check before trusting any of this: both syslog servers and the SNMP trap host sit in 15.0.2.0/24, which is reachable only through VRF Atom, yet neither the `logging server` nor the `snmp-server host` lines specify `use-vrf Atom`, so they default to the default VRF, which has no route to them in this build. Add `use-vrf Atom` to those lines (`logging server 15.0.2.146 2 use-vrf Atom`, `snmp-server host 15.0.2.188 use-vrf Atom`) and confirm delivery with `show logging server` and `show snmp host`.