The Cisco Data Center certification track is quite new and I read that a lot of people fail on their first attempt(s). To get the CCNA-level of Data Center, you need to pass two exams: 640-911 DCICN and 640-916 DCICT. After giving a first look at the objectives for DCICN, it looked to me like CCNA Routing & Switching but on the Nexus platform. Well, after my first attempt to pass the exam, I realized that it requires a lot more studying and that the official books do not completely cover the exam objectives. In this post, I’ll try to explain what I studied to pass the exam.
About the exam
To prepare for the DCICN (640-911) exam, I bought the 640-911 Official Certification Guide from Cisco Press and went through the book completely. To verify the topics and information, I also had a look at the book by Todd Lammle. Going through both books made me think that the DCICN exam is just CCNA R&S on the Nexus platform. Since I already have a CCNA Routing & Switching and passed both of those exams on the first attempt, I just focused on studying the differences between IOS and Nexus and took some practice on that. Of course, I also repeated details of basic networking concepts and did some practice exams supplied with the book.
As it turns out, both books really don’t prepare you enough for the exam. There is a whole list of topics that isn’t even briefly mentioned in the books. Probably the exam changed over time, became a lot more difficult and had some new topics introduced.
After finding out the above the hard way, I decided to read a little more about the exam and its objectives. A lot of information, and people who had exactly the same experience as me, can be found in the CCNA Data Center study group. In my opinion, this is the first place you should start. Especially the posts by people who failed their 640-911 and learned what extra to do to pass helped me a lot.
If you’re new to Cisco and have no prior experience working with Cisco devices, the exam will be hard. I don’t really think it’s a good starting point. In my opinion it covers all contents of a CCNA R&S plus a lot of (really) detailed information about Nexus, and it requires understanding most concepts (not in detail) of the 640-916 (DCICT) exam.
Exam theory preparation
To prepare for my second attempt, I created a summary of the information which I gathered everywhere around. Part of it comes out of both books which I mentioned above, part of it comes from what other people experienced and a lot of information I gathered by just searching on Google or the Cisco website. A good basic understanding of routing and switching concepts is required to use this information but I think it still can be valuable for people preparing for the exam.
By only studying the information in this post, you won’t get there. You really need to completely understand basic network concepts (switch/hub/router, collision domains/broadcast domains, VLAN, OSI layer differences, subnetting…). Knowing basic information about IOS and the differences between IOS and Nexus isn’t bad either.
Layer 1 (bits)
Ethernet standard distances:
name | medium | speed | max distance |
---|---|---|---|
10BASE-2 | coax (thinnet) | 10 Mb/s | 185 m |
10BASE-5 | coax (thicknet) | 10 Mb/s | 500 m |
10BASE-T | copper | 10 Mb/s | 100 m |
100BASE-T | copper | 100 Mb/s | 100 m |
1000BASE-T | copper | 1 Gb/s | 100 m |
1000BASE-FX | fiber | 1 Gb/s | 2 km |
1000BASE-SX | fiber | 1 Gb/s | 220 m |
10GBASE-T | copper | 10 Gb/s | 30 m |
Passive Twinax | fiber | multiple | 5 m |
Active Twinax | fiber | multiple | 10 m |
If auto-negotiation is disabled on one side of a link, the lowest speed of both ends is used; at 10 or 100 Mb/s half duplex is then implied, at higher speeds full duplex is used.
SFP modules:
- SFP(+): normal SFP module (up to 10 Gb/s), requires 2 pairs
- QSFP+: SFP for 40 Gb/s and up, requires 4 pairs, can be converted to 4x SFP+ with a breakout cable
- QSFP BiDi: allows 40G on 10G cabling (2 wire pairs)
Layer 2 (frames)
A MAC address is 48 bits (written as 6 groups of 2 hex characters) and the first half is the OUI (Organizationally Unique Identifier).
When the MAC address table of a switch gets full, the switch will flood all new frames for which the destination isn’t in the table out of all ports. For entries that do exist in the table, the switch behaves normally. The following message appears in the log: STM_LIMIT_REACHED.
When too many new MAC-addresses get learned in a short amount of time, the switch stops learning new MAC-addresses and the following message appears in the log: STM_LEARNING_OVERLOAD. After 120 seconds, learning should be automatically resumed.
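To make the two behaviours above concrete, here is a small Python model of a switch MAC address table. It is an added example and not code from the post: the table capacity, port names and the third MAC address are constructed values, and the STM_LIMIT_REACHED string is only appended to a list to mirror the log message the post mentions. It shows that once the table is full, hosts whose source address could not be learned keep receiving their traffic by flooding, while already-learned hosts are still unicast.

```python
class MacTable:
    """Toy model of a switch forwarding table (constructed example)."""

    def __init__(self, capacity, ports):
        self.capacity = capacity          # constructed, real tables hold thousands
        self.ports = list(ports)
        self.table = {}                   # mac -> port
        self.log = []                     # stand-in for the switch syslog

    def learn(self, mac, port):
        """Learn or refresh the source address; refuse new entries when full."""
        if mac in self.table:
            self.table[mac] = port        # refresh / move
            return
        if len(self.table) >= self.capacity:
            if "STM_LIMIT_REACHED" not in self.log:
                self.log.append("STM_LIMIT_REACHED")
            return                        # not learned
        self.table[mac] = port

    def forward(self, src, dst, in_port):
        """Return the egress ports for one frame: unicast if known, else flood."""
        self.learn(src, in_port)
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != in_port]   # flood out all other ports


def demo():
    """Fill a two-entry table, then see what happens to a third host."""
    sw = MacTable(capacity=2, ports=["Eth2/1", "Eth2/2", "Eth2/3"])
    # Two known hosts (MACs taken from the show outputs in the post) fill the table.
    sw.forward("000c.29c6.b255", "ffff.ffff.ffff", "Eth2/1")
    sw.forward("000c.2946.8dff", "000c.29c6.b255", "Eth2/2")
    # A third host (constructed MAC) cannot be learned any more.
    sw.forward("0000.0000.0003", "000c.29c6.b255", "Eth2/3")
    return {
        # known destination: still a single egress port
        "to_known": sw.forward("000c.29c6.b255", "000c.2946.8dff", "Eth2/1"),
        # unlearned destination: flooded, so every other port sees the frame
        "to_unlearned": sw.forward("000c.29c6.b255", "0000.0000.0003", "Eth2/1"),
        "log": sw.log,
    }


if __name__ == "__main__":
    print(demo())
```

The flooded frames in the second case are the reason a full table is worth alerting on: unicast traffic for the unlearned hosts becomes visible on every port of the VLAN until the table is cleared, as with the `clear mac address-table dynamic` command below.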
ARP operates at layer 2 (it is used to find the L2-address that matches a given L3-address)
CDP operates at layer 2
Nexus commands related to basic L2:
Show the MAC address table:
```
switch1# show mac address-table
VLAN     MAC Address      Type      age     Secure NTFY   Ports
---------+-----------------+--------+------+------+----+------------
* 1      000c.29c6.b255   dynamic   10      F      F      Eth2/1
```
Add a static entry to the table:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# mac address-table static 000c.2946.8dff vlan 1 interface ethernet 2/2
```
Clear the dynamic entries (solution when the table got full):
```
switch1# clear mac address-table dynamic
```
VLAN:
- 1 to 4094; >1005 = extended VLAN (not in the VLAN DB)
- VLAN IDs 1 and 1002 to 1005 (=default, not removable)
- PVID=default VLAN ID (default: VLAN ID 1)
- VLAN-configuration is always in running/start-up config, except for a VTP client
- bootflash:/vlan.dat contains (in some cases) a copy of the VLAN information (not sure why)
Show vlan information:
```
switch1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth2/3, Eth2/4
10   test                             active    Eth2/2, Eth2/3, Eth2/4
1002 fddi-default                     act/lshut Eth2/3, Eth2/4
1003 token-ring-default               act/lshut Eth2/3, Eth2/4
1004 fddinet-default                  act/lshut Eth2/3, Eth2/4
1005 trnet-default                    act/lshut Eth2/3, Eth2/4
switch1# show vlan summary
Number of existing VLANs                : 6
Number of existing user VLANs           : 6
Number of existing extended VLANs       : 0
switch1# show vlan internal usage

VLANs                DESCRIPTION
-------------------  -----------------
3968-4031            Multicast
4032-4035,4048-4059  Online Diagnostic
4036-4039,4060-4087  ERSPAN
4042                 Satellite
4040                 Fabric scale
3968-4095            Current
```
Configure an SVI (routing between VLANs):
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# feature interface-vlan
switch1(config)# interface vlan 200
switch1(config-if)# ip address 192.168.99.10/24
switch1(config-if)# show ip int brief

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan200              192.168.99.10   protocol-down/link-down/admin-down
Eth2/1               192.168.100.10  protocol-up/link-up/admin-up
```
Trunking:
- ISL is not supported on Nexus
- 802.1Q is the default encapsulation (no need to configure it)
Configure a trunk:
```
switch1(config)# int e2/3
switch1(config-if)# switchport
switch1(config-if)# switchport mode trunk
switch1(config-if)# switchport trunk native vlan 200
switch1(config-if)# switchport trunk allowed vlan ?
  <1-4094>  VLAN IDs of the allowed VLANs when this port in trunking mode
  add       Add VLANs to the current list
  all       All VLANs
  except    All VLANs except the following
  none      No VLANs
  remove    Remove VLANs from the current list
switch1# show int e2/3 switchport
  Name: Ethernet2/3
  Switchport: Enabled
  Switchport Monitor: Not enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 200 (Vlan not created)
  Trunking VLANs Allowed: 1-4094
  Pruning VLANs Enabled: 2-1001
  Administrative private-vlan primary host-association: none
  Administrative private-vlan secondary host-association: none
  Administrative private-vlan primary mapping: none
  Administrative private-vlan secondary mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
```
VTP (VLAN Trunking Protocol):
- disabled by default (feature vtp needed)
- domain name and password are case sensitive
- by default there is an update (same revision) every 5 minutes
- does not support extended VLANs
- VTP pruning: limit broadcasts to switches that have ports in a VLAN
Configure VTP:
```
switch1(config)# feature vtp
switch1(config)# vtp mode server
switch1(config)# vtp domain jensd
switch1(config)# vtp password jensd.be
switch1(config)# vtp version 2
switch1(config)# show vtp status

VTP Status Information
----------------------
VTP Version                     : 2 (capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : jensd
VTP Pruning Mode                : Disabled (Operationally Disabled)
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 Digest                      : 0x92 0x81 0x5E 0x8B 0x81 0x4A 0x12 0xFD
Configuration last modified by 0.0.0.0 at 11-11-15 21:26:24
Local updater ID is 0.0.0.0 (no valid interface found)
Preferred interface name is (mandatory)
VTP version running             : 2
switch1(config)# show vtp password
VTP password: jensd.be
```
Spanning tree (STP):
More information: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html
name | IEEE | VLAN aware | remark |
---|---|---|---|
STP | 802.1D | no | oldest implementation |
RSTP | 802.1W | no | faster |
MSTP | 802.1S | yes | one instance for all VLANs |
(R)PVST+ | Cisco | yes | one instance per VLAN |
default on IOS: 802.1d PVST+
default on NX-OS: 802.1w RPVST+
Terminology:
- Root bridge: lowest bridge ID
- Root port: port with the lowest cost to the root bridge for a bridge (if equal: lowest port number)
- Designated port: lowest cost to the root bridge for a segment
- Edge port: port to an end-user (no BPDU expected)
- Network port: port to another switch (BPDU expected)
- BPDU: Bridge Protocol Data Unit (by default: every 2 seconds)
- Bridge ID: 8 B (priority + MAC)
- Priority: default 32768 on Cisco, must be a multiple of 4096 + VLAN ID (sys-id-ext)
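The bridge ID and root election rules above in runnable form. This is an added example, not code from the post: it builds the 8-byte bridge ID from the priority field (configured priority plus VLAN ID, the sys-id-ext) and the MAC, elects the lowest ID as root, and reproduces the 32769 and 32778 values that `show spanning-tree root` prints further down for VLAN 1 and VLAN 10. switch1's MAC is taken from that output; switch2 and its MAC are constructed.

```python
import re


def priority_field(priority, vlan):
    """Priority field of the bridge ID: configured priority (a multiple of
    4096) plus the VLAN ID, as Cisco PVST+/RPVST+ encodes it (sys-id-ext)."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return priority + vlan


def bridge_id(priority, vlan, mac):
    """8-byte bridge ID as an integer: 2-byte priority field, 6-byte MAC.
    The lowest value wins the root election."""
    mac_hex = re.sub(r"[.:-]", "", mac)
    if len(mac_hex) != 12:
        raise ValueError("MAC must be 48 bits")
    return (priority_field(priority, vlan) << 48) | int(mac_hex, 16)


def elect_root(bridges, vlan):
    """bridges: dict name -> (priority, mac) for one VLAN. Returns the root."""
    return min(bridges, key=lambda name: bridge_id(bridges[name][0], vlan, bridges[name][1]))


def demo():
    """Election with equal priorities, then after lowering switch1's priority."""
    # Constructed two-switch topology; switch1 uses the MAC from the post's
    # 'show spanning-tree root' output, switch2's MAC is made up (and lower).
    default = {"switch1": (32768, "000c.2946.8d23"),
               "switch2": (32768, "0000.0c00.0001")}
    # Same topology after 'spanning-tree vlan 200 priority 4096' on switch1.
    tuned = dict(default, switch1=(4096, "000c.2946.8d23"))
    return elect_root(default, 1), elect_root(tuned, 200)


if __name__ == "__main__":
    print(priority_field(32768, 1), priority_field(32768, 10))   # 32769 32778
    print(demo())
```

With equal priorities the lowest MAC decides, which is usually the oldest switch rather than the one you intended; setting an explicit priority on the core switches is what makes the result predictable. Because the election is purely lowest-ID-wins, an edge port should never take part in it, which is what the BPDU Guard setting in the `show spanning-tree summary` output below is for.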
STP port states:
STP | RSTP | default time | purpose |
---|---|---|---|
Disabled | Discarding | - | disabled |
Blocking | Discarding | - | only BPDUs are allowed |
Listening | Discarding | 15 s | transition state |
Learning | Learning | 15 s | only learning MAC-addresses |
Forwarding | Forwarding | - | normal behavior |
STP port costs:
- 10G = 2
- 1G = 4
- 100M = 19
- 10M = 100
Configure STP:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# spanning-tree vlan 200 priority 4096
switch1(config)# spanning-tree mode {mst | rapid-pvst}
switch1(config)# int e2/3
switch1(config-if)# spanning-tree port type {edge | network | normal}
switch1(config)# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0010
Port Type Default                        is disable
Edge Port [PortFast] BPDU Guard Default  is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance                         is enabled
Loopguard Default                        is disabled
Pathcost method used                     is short
STP-Lite                                 is enabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
VLAN0010                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      0         0        0          2          2
switch1(config)# show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- ------- ----- --- ---  ----------------
VLAN0001         32769 000c.2946.8d23       0    2   20  15  This bridge is root
VLAN0010         32778 000c.2946.8d23       0    2   20  15  This bridge is root
```
Portchannel:
- All ports in a port-channel must be in the same VDC
- All ports in a port-channel must be configured identically (speed/duplex)
- LACP (802.1ax):
  - dynamic active: self-initiate LACP
  - dynamic passive: listen for LACP on the other side
  - static on: no LACP
  - on + active = no link
Configure port-channel:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# interface port-channel 1
switch1(config-if)# int e2/6-7
switch1(config-if-range)# switchport
switch1(config-if-range)# switchport mode trunk
switch1(config-if-range)# channel-group 1 mode ?
  active   Set channeling mode to ACTIVE
  on       Set channeling mode to ON
  passive  Set channeling mode to PASSIVE
switch1# show port-channel
switch1# show int port-channel 1
```
Layer 3 (packets)
An IPv4 header is 20 B
IPv4 classes:
class | range | binary start | default subnet mask | private range (RFC 1918) | remark |
---|---|---|---|---|---|
A | 1-126 | 0 | /8 | 10.0.0.0/8 | - |
A | 127 | 0 | /8 | - | loopback and diagnostics |
B | 128-191 | 10 | /16 | 172.16.0.0/12 | - |
C | 192-223 | 110 | /24 | 192.168.0.0/24 | - |
D | 224-239 | 1110 | - | - | IPv4 multicast |
E | 240-254 | 1111 | - | - | unused (experimental) |
An IPv6 header is 40 B
IPv6 address types:
name | addresses | purpose |
---|---|---|
Global | 2000::/3 | public (RFC 3587) |
Unique-local | FC00::/7 | not routable over the internet (RFC 4193) |
Link-local | FE80::/10 | not routable (RFC 3927) |
Multicast | FF00::/8 | multicast |
IPv6 doesn’t have broadcast, only multicast and anycast (multiple devices with the same IP, the closest will respond).
Nexus commands related to L3 addressing:
Show IP-addresses:
```
switch1# show ip int
IP Interface Status for VRF "default"
Ethernet2/1, Interface status: protocol-up/link-up/admin-up, iod: 36,
  IP address: 192.168.100.10, IP subnet: 192.168.100.0/24
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined: none
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: enabled
  IP directed-broadcast: disabled
  IP Forwarding: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: enabled
  IP unicast reverse path forwarding: none
  IP load sharing: none
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets    : 4/18/0/4/4
    Unicast bytes      : 408/1730/0/408/336
    Multicast packets  : 0/72/0/0/10
    Multicast bytes    : 0/11434/0/0/400
switch1# show ip int brief

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Eth2/1               192.168.100.10  protocol-up/link-up/admin-up
```
Show ARP-table:
```
switch1# show ip arp

Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean
       D - Static Adjacencies attached to down interface

IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface
192.168.100.20  00:08:22  000c.29c6.b255  Ethernet2/1
switch1# show ip arp detail

Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean

IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface    Physical Interface
192.168.100.20  00:08:25  000c.29c6.b255  Ethernet2/1  Ethernet2/1
```
Show routing table (see further for more specific info):
```
switch1# show ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

192.168.100.0/24, ubest/mbest: 1/0, attached
    *via 192.168.100.10, Eth2/1, [0/0], 00:28:11, direct
192.168.100.10/32, ubest/mbest: 1/0, attached
    *via 192.168.100.10, Eth2/1, [0/0], 00:28:11, local
```
Routing:
More information: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html
Two routes to the same prefix: the lowest AD wins
A more specific route (longer prefix) always wins, regardless of AD
Administrative distance:
type | AD |
---|---|
direct | 0 |
static | 1 |
EIGRP summary | 5 |
EIGRP | 90 |
OSPF | 110 |
RIP | 120 |
EIGRP external | 170 |
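The two selection rules above, applied in the right order, as an added Python example (not code from the post). The AD values are the ones from the table; the candidate routes, next hops and metrics are constructed. It generalizes the rule slightly by also using the metric as the last tie-breaker, which is how a router picks between two routes of the same protocol.

```python
import ipaddress

# Administrative distances from the table above (lower is more trusted).
ADMIN_DISTANCE = {"direct": 0, "static": 1, "eigrp-summary": 5, "eigrp": 90,
                  "ospf": 110, "rip": 120, "eigrp-external": 170}


def best_route(candidates, destination):
    """Pick the route used for `destination`.

    candidates: list of (prefix, source, metric, next_hop).
    Order of decision: longest prefix first, then lowest AD, then lowest metric.
    Returns the winning tuple, or None when nothing matches.
    """
    dst = ipaddress.ip_address(destination)
    matching = [c for c in candidates if dst in ipaddress.ip_network(c[0])]
    if not matching:
        return None
    return min(matching, key=lambda c: (-ipaddress.ip_network(c[0]).prefixlen,
                                        ADMIN_DISTANCE[c[1]],
                                        c[2]))


def demo():
    """Return the chosen next hop for three lookups against a constructed RIB."""
    rib = [
        ("10.10.0.0/16", "ospf", 20, "192.168.1.1"),
        ("10.10.0.0/16", "eigrp", 3072, "192.168.1.2"),
        ("10.10.25.0/24", "rip", 2, "192.168.1.3"),
        ("0.0.0.0/0", "static", 0, "192.168.1.254"),
    ]
    return (
        best_route(rib, "10.10.25.7")[3],   # /24 beats both /16s, even though RIP has AD 120
        best_route(rib, "10.10.1.1")[3],    # same prefix: EIGRP (90) beats OSPF (110)
        best_route(rib, "8.8.8.8")[3],      # only the default route matches
    )


if __name__ == "__main__":
    print(demo())
```

The first lookup is the one worth remembering for the exam: a RIP route with AD 120 still wins against EIGRP and OSPF because prefix length is compared before AD is ever looked at.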
RIP:
- Distance vector RP
- Uses split horizon
- Distributes the complete routing table every 30 seconds
- Uses route poisoning (hop count of 16 = invalid)
- On Nexus: only RIPv2 (IPv4) and RIPng (IPv6), auto-summarization is disabled
- RIPv1:
  - classful
  - uses broadcasts
  - no authentication
- RIPv2:
  - classless
  - uses multicast (224.0.0.9)
  - MD5 authentication is supported
- RIPng:
  - supports prefixes
  - uses multicast (FF02::9)
  - uses IPsec for authentication
Configure RIP:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# feature rip
switch1(config)# router rip testRIP
switch1(config-router)# address-family ipv4 unicast
switch1(config-router-af)# int e2/2
switch1(config-if)# no switchport
switch1(config-if)# ip router rip testRIP
switch1(config-if)# show ip rip
Process Name "rip-testRIP" VRF "default"
RIP port 520, multicast-group 224.0.0.9
Admin-distance: 120
Updates every 30 sec, expire in 180 sec
Collect garbage in 120 sec
Default-metric: 1
Max-paths: 8
Process is up and running
  Interfaces supported by ipv4 RIP :
    Ethernet2/2
```
EIGRP:
- Advanced distance vector RP
- Classless
- Max hop count is 255 (default: 100)
- Metric is determined by K-values:
  - bandwidth (default)
  - delay (default)
  - reliability
  - load
- Communication over RTP
- Multicast on 224.0.0.10
- Path selection: DUAL (Diffusing Update Algorithm)
- Needs to form a neighbor relationship:
  - receive a hello from the neighbor
  - AS matches
  - K-values match
- EIGRPv6 uses FF02::A as multicast address
EIGRP terminology:
- AD: Advertised Distance: metric received from the neighbor
- FD: Feasible Distance: metric from neighbor + own metric/cost to the neighbor
- Successor: best route to a network
- FS: Feasible Successor: backup route (AD<FD)
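The successor and feasible successor rules above as an added Python example (not code from the post). The neighbours and their distances are constructed; the point it shows is that a path with a low total cost is still rejected as backup when its advertised distance is not below the feasible distance, because that is DUAL's loop-freedom guarantee.

```python
def eigrp_paths(neighbors):
    """Apply the EIGRP terminology from the post to one destination.

    neighbors: dict name -> (advertised_distance, cost_to_neighbor)
      AD  = metric the neighbor reports for the destination
      FD  = AD + our own cost to reach that neighbor
    Returns (successor, feasible_distance, sorted list of feasible successors).
    A neighbor is a feasible successor only if its AD < FD of the successor
    (feasibility condition), which guarantees it is not routing through us.
    """
    if not neighbors:
        raise ValueError("no paths to the destination")
    total = {name: ad + cost for name, (ad, cost) in neighbors.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = sorted(name for name, (ad, _) in neighbors.items()
                      if name != successor and ad < fd)
    return successor, fd, feasible


def demo():
    """Constructed example with three neighbours advertising the same prefix."""
    neighbors = {
        "R1": (10, 5),    # total 15 -> successor, FD = 15
        "R2": (12, 10),   # total 22, AD 12 < 15 -> feasible successor
        "R3": (20, 2),    # total 22 as well, but AD 20 >= 15 -> not feasible
    }
    return eigrp_paths(neighbors)


if __name__ == "__main__":
    print(demo())
```

R2 and R3 reach the destination at the same total cost, yet only R2 is kept as a backup: R3's advertised distance of 20 is not below our feasible distance of 15, so R3 might itself be sending traffic through us. If R1 fails, R2 is installed immediately without a query; losing R1 with only R3 available would force DUAL into the slower active (query) state.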
Configure EIGRP:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# feature eigrp
LAN_ENTERPRISE_SERVICES_PKG license not installed. eigrp feature will be shutdown after grace period of approximately 120 day(s)
switch1(config)# router eigrp testEIGRP
switch1(config-router)# autonomous-system 100
switch1(config-router)# int e2/2
switch1(config-if)# no switchport
switch1(config-if)# ip router eigrp testEIGRP
switch1(config-if)# show ip eigrp
IP-EIGRP AS 100 ID 192.168.100.10 VRF default
  Process-tag: testEIGRP
  Instance Number: 1
  Status: running
  Authentication mode: none
  Authentication key-chain: none
  Metric weights: K1=1 K2=0 K3=1 K4=0 K5=0
  IP proto: 88 Multicast group: 224.0.0.10
  Int distance: 90 Ext distance: 170
  Max paths: 8
  Number of EIGRP interfaces: 1 (0 loopbacks)
  Number of EIGRP passive interfaces: 0
  Number of EIGRP peers: 0
  Graceful-Restart: Enabled
  Stub-Routing: Disabled
  NSF converge time limit/expiries: 120/0
  NSF route-hold time limit/expiries: 240/0
  NSF signal time limit/expiries: 20/0
  Redistributed max-prefix: Disabled
switch1(config-if)# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.100.10) VRF default
```
OSPF:
- Link-state RP
- Classless
- Max hopcount is unlimited
- Metric is determined by bandwidth
- OSPFv2 (IPv4): multicast on 224.0.0.5 and 224.0.0.6
- OSPFv3 (IPv6): multicast on FF02::5 and FF02::6
OSPF terminology:
- Backbone area (0): all other areas need to connect to this area
- ABR: Area Border Router: connection between area and area 0
- ASBR: Autonomous System Border Router: connection to different AS
- RID: Router ID: highest IP of all interfaces (can be forced by using a loopback interface)
- LSA: Link State Advertisements: updates between adjacencies
- DR: Designated Router: distributes the updates (LSA), has the highest priority or the highest RID if priority is a tie
- BDR: Backup Designated Router: standby for DR
Configure OSPF:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# feature ospf
LAN_ENTERPRISE_SERVICES_PKG license not installed. ospf feature will be shutdown after grace period of approximately 120 day(s)
switch1(config)# router ospf testOSPF
switch1(config-router)# int e2/2
switch1(config-if)# no switchport
switch1(config-if)# ip router ospf testOSPF area 0
switch1(config-if)# show ip ospf
Routing Process testOSPF with ID 192.168.100.10 VRF default
Routing Process Instance Number 1
Stateful High Availability enabled
Graceful-restart is configured
  Grace period: 60 state: Inactive
  Last graceful restart exit status: None
Supports only single TOS(TOS0) routes
Supports opaque LSA
Administrative distance 110
Reference Bandwidth is 40000 Mbps
SPF throttling delay time of 200.000 msecs,
  SPF throttling hold time of 1000.000 msecs,
  SPF throttling maximum wait time of 5000.000 msecs
LSA throttling start time of 0.000 msecs,
  LSA throttling hold interval of 5000.000 msecs,
  LSA throttling maximum wait time of 5000.000 msecs
Minimum LSA arrival 1000.000 msec
LSA group pacing timer 10 secs
Maximum paths to destination 8
Number of external LSAs 0, checksum sum 0
Number of opaque AS LSAs 0, checksum sum 0
Number of areas is 1, 1 normal, 0 stub, 0 nssa
Number of active areas is 0, 0 normal, 0 stub, 0 nssa
Install discard route for summarized external routes.
Install discard route for summarized internal routes.
  Area BACKBONE(0.0.0.0) (Inactive)
    Area has existed for 00:00:03
    Interfaces in this area: 1 Active interfaces: 0
    Passive interfaces: 0  Loopback interfaces: 0
    No authentication available
    SPF calculation has run 0 times
    Last SPF ran for 0.000000s
    Area ranges are
    Number of LSAs: 0, checksum sum 0
switch1(config-if)# show ip ospf neighbors
```
ACL:
- ACLs have an implicit deny at the end
- Nexus supports only named extended ACL
Configure ACL:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# ip access-list denyftp
switch1(config-acl)# deny tcp any host 10.10.1.1 eq ftp
switch1(config-acl)# permit ip any any
switch1(config-acl)# int e2/2
switch1(config-if)# ip access-group denyftp in
switch1(config-if)# ip access-list denytelnet
switch1(config-acl)# deny tcp any 192.168.100.0 0.0.0.255 eq 23
switch1(config-acl)# deny tcp any 10.10.25.0/22 eq 23
switch1(config-acl)# permit ip any any
switch1(config-acl)# int e2/2
switch1(config-if)# ip access-group denytelnet in
switch1(config-if)# show run | begin access-list
ip access-list denyftp
  10 deny tcp any 10.10.1.1/32 eq ftp
  20 permit ip any any
ip access-list denytelnet
  10 deny tcp any 192.168.100.0/24 eq telnet
  20 deny tcp any 10.10.25.0/22 eq telnet
  30 permit ip any any
...
switch1(config)# exit
switch1# show access-lists denyftp

IP access list denyftp
        10 deny tcp any 10.10.1.1/32 eq ftp
        20 permit ip any any
```
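To see how the two ACLs above are actually evaluated (first match wins, implicit deny when nothing matches), here is an added Python evaluator; it is not code from the post or from NX-OS. The entries are the ones from the `show run` output, written as Python tuples; the test packets (source addresses and ports) are constructed. It also accepts the three address notations the post uses (`host x`, wildcard mask, prefix length), and handles the `10.10.25.0/22` entry, which NX-OS accepts as typed but which really covers 10.10.24.0-10.10.27.255.

```python
import ipaddress

# ACEs as shown by 'show run' above: (seq, action, proto, src, dst, dst_port)
DENYFTP = [
    (10, "deny", "tcp", "any", "host 10.10.1.1", 21),        # eq ftp
    (20, "permit", "ip", "any", "any", None),
]
DENYTELNET = [
    (10, "deny", "tcp", "any", "192.168.100.0 0.0.0.255", 23),  # eq telnet
    (20, "deny", "tcp", "any", "10.10.25.0/22", 23),
    (30, "permit", "ip", "any", "any", None),
]


def to_network(spec):
    """Turn an ACL address spec into an ip_network (None means 'any')."""
    if spec == "any":
        return None
    if spec.startswith("host "):
        spec = spec.split()[1] + "/32"
    # "192.168.100.0 0.0.0.255" -> "192.168.100.0/0.0.0.255"; the ipaddress
    # module reads a mask with leading zero bits as a wildcard (host) mask.
    spec = spec.replace(" ", "/")
    # strict=False: NX-OS keeps 10.10.25.0/22 as typed but matches on 10.10.24.0/22.
    return ipaddress.ip_network(spec, strict=False)


def matches(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(acl, proto, src, dst, dst_port=None):
    """Return (action, seq) of the first matching ACE, or ('deny', None)
    for the implicit deny at the end of every ACL."""
    for seq, action, ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not matches(to_network(ace_src), src) or not matches(to_network(ace_dst), dst):
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action, seq
    return "deny", None


def demo():
    """Constructed packets run through the two ACLs from the post."""
    return {
        "telnet to 192.168.100.7": evaluate(DENYTELNET, "tcp", "172.16.1.5", "192.168.100.7", 23),
        "telnet to 10.10.26.9":    evaluate(DENYTELNET, "tcp", "172.16.1.5", "10.10.26.9", 23),
        "ssh to 192.168.100.7":    evaluate(DENYTELNET, "tcp", "172.16.1.5", "192.168.100.7", 22),
        "ftp to 10.10.1.1":        evaluate(DENYFTP, "tcp", "172.16.1.5", "10.10.1.1", 21),
        # same ACL without its 'permit ip any any': everything else hits the implicit deny
        "dns, no explicit permit": evaluate(DENYTELNET[:2], "udp", "172.16.1.5", "192.168.100.7", 53),
    }


if __name__ == "__main__":
    for packet, result in demo().items():
        print(f"{packet:28} -> {result}")
```

The last case is the one that bites in practice: forgetting the final `permit ip any any` turns a "block telnet" list into a "block everything" list, and nothing in the `show` output warns you, because the implicit deny is never displayed.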
Layer 4 (frames)
TCP header: 20 B
UDP header: 8 B
Nexus platform
Abbreviations:
short | full | meaning |
---|---|---|
VRF | Virtual Routing and Forwarding | Multiple routing tables in one device (default VRF and management VRF) |
ISSU | In-Service Software Upgrades | Non-disruptive software upgrade (requires dual supervisors) |
PSS | Persistent Storage Services | Saves the state/condition of running services on a regular basis = checkpoint for recovery |
MTS | Message and Transaction Service | |
SVI | Switch Virtual Interface | Virtual L3-interface per VLAN – Allows inter-vlan communication |
VDC | Virtual Device Context | allow separate instances on one device (VLAN's are VDC unique) |
UDLD | UniDirectional Link Detection | Monitors physical connections and detects one-way traffic (Layer 2) |
PIM | Protocol Independent Multicast | Layer 3 |
CDP | Cisco Discovery Protocol | Layer 2 |
FEX | Fabric Extender | Kind of a remote line card (see further) |
NFE | Network Forwarding Engine | |
GOLD | Generic Online Diagnostics | |
POAP | PowerOn Auto Provisioning | Possibility to deploy device configuration |
Ports:
Port names no longer contain the speed as in IOS; all ports are named Ethernet <slot>/<port>.
Unified ports (UP switches) can be used for Ethernet or Fibre Channel.
A port on a Nexus switch can be in L2 or L3 mode (depending on the Nexus model). To put a port in L2 mode (which lets the port behave like a switchport on IOS) and optionally put it in a VLAN:
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# interface ethernet 2/2
switch1(config-if)# switchport
switch1(config-if)# switchport mode access
switch1(config-if)# switchport access vlan 10
```
Users and roles:
Default roles:
- network-admin: full read-write on the switch
- network-operator: read-only
Add a user:
```
switch1(config)# username test ?
  <CR>
  expire       Expiry date for this user account(in YYYY-MM-DD format)
  keypair      Generate SSH User Keys
  password     Password for the user
  role         Role which the user is to be assigned to
  ssh-cert-dn  Update cert dn
  sshkey       Update ssh key for the user for ssh authentication

switch1(config)# username test password test role network-admin
```
Features:
Certain features (or processes) on the switch need to be explicitly enabled before they can be used.
Show status of a feature:
```
switch1(config)# show feature | i rip
rip                   1          disabled
rip                   2          disabled
rip                   3          disabled
rip                   4          disabled
```
Enable a feature:
```
switch1(config)# feature rip
switch1(config)# show feature | i rip
rip                   1          enabled (not-running)
rip                   2          enabled (not-running)
rip                   3          enabled (not-running)
rip                   4          enabled (not-running)
```
Disable a feature:
```
switch1(config)# no feature rip
switch1(config)# show feature | i rip
rip                   1          disabled
rip                   2          disabled
rip                   3          disabled
rip                   4          disabled
```
Processes:
Different processes are running on the switch. To monitor the status:
```
switch1(config)# show processes

PID    State  PC        Start_cnt    TTY   Process
-----  -----  --------  -----------  ----  -------------
    1      S  41520eb8            1     -  init
    2      S         0            1     -  kthreadd
    3      S         0            1     -  migration/0
    4      S         0            1     -  ksoftirqd/0
    5      S         0            1     -  watchdog/0
    6      S         0            1     -  events/0
    7      S         0            1     -  khelper
    8      S         0            1     -  netns
    9      S         0            1     -  kblockd/0
...
```
Status can be S=started or NR (not ready)
Boot-process:
More information:
- http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_–_Troubleshooting_Installs,_Upgrades,_and_Reboots
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/initconfig.html#pgfId-1051615
- http://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/50421-config-register-use.html
1. Golden BIOS (9600 baud)
2. Check the checksum of the upgradable BIOS
   - if 2 is OK -> go to 3
   - if 2 is not OK -> boot the golden BIOS
   - if Ctrl Shift 6 is received within 2 seconds -> boot the golden BIOS
   - if Ctrl C is received -> go to BIOS config
3. Boot the upgradable BIOS
4. Start the loader
   - if Ctrl Shift R (or Ctrl Shift L) is received -> go to the loader prompt
5. Boot the kickstart image
   - if Ctrl ] is received -> go to the switch (boot) prompt
6. Load the system image
7. CLI and operations are ready
Start a kickstart-image from the loader prompt:
```
Loader Version 1.2(2)

loader> dir
bootflash:
  lost+found
  n5000-uk9-kickstart.5.0.2.N2.1.bin
  n5000-uk9.5.0.2.N2.1.bin
  mts.log
  scripts
  20151006_174658_poap_2393_init.log
  vlan.dat
  20151027_185542_poap_2746_init.log
  S1-running-config

loader> boot n5000-uk9-kickstart.5.0.2.N2.1.bin
Booting kickstart image: n5000-uk9-kickstart.5.0.2.N2.1.bin....
...............................................................................
.......Image verification OK
...
```
Start a system image from the switch (boot) prompt:
```
switch(boot)# dir
      14027    Oct 06 2015 17:50:30  20151006_174658_poap_2393_init.log
          0    Oct 27 2015 18:55:42  20151027_185542_poap_2746_init.log
       1579    Nov 07 2015 12:04:10  S1-running-config
      16384    Oct 06 2015 17:45:48  lost+found/
       7909    Nov 11 2015 03:38:50  mts.log
       4096    Oct 06 2015 17:46:46  scripts/
   28248064    Jun 26 2014 00:17:35  n5000-uk9-kickstart.5.0.2.N2.1.bin
   87184240    Jun 26 2014 00:17:37  n5000-uk9.5.0.2.N2.1.bin
        664    Nov 11 2015 03:39:32  vlan.dat

Usage for bootflash: filesystem
  149213184 bytes used
 1364643840 bytes free
 1594875904 bytes total
switch(boot)# load n5000-uk9.5.0.2.N2.1.bin
Uncompressing system image: bootflash:/n5000-uk9.5.0.2.N2.1.bin Wed Nov 11 04:51:21 UTC 2015
...
```
Nexus switches (not sure if all of them) don’t have a power switch and start booting as soon as they receive power.
bootflash: consists of the following:
- 2 MB flash: upgradable BIOS and golden BIOS image
- 1 GB flash: configuration files, kickstart images, systems images, and other files.
Filesystem:
Directory navigation:
```
switch1# pwd
bootflash:
switch1# mkdir testdir
switch1# cd testdir
switch1# dir

Usage for bootflash://
  230240256 bytes used
 1364635648 bytes free
 1594875904 bytes total
switch1# cd ..
switch1# pwd
bootflash:
switch1# rmdir testdir
Do you want to delete "/testdir" ? (yes/no/abort)   [y] y
```
File management:
```
switch1# show ip int brief > testfile
switch1# show file testfile

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Eth2/1               192.168.100.10  protocol-up/link-up/admin-up
switch1# delete testfile
Do you want to delete "/testfile" ? (yes/no/abort)   [y] y
```
Zip:
```
switch1# show running-config > runconf
switch1# gzip runconf
switch1# dir
        805    Nov 11 20:45:11 2015  runconf.gz

Usage for bootflash://
  230252544 bytes used
 1364623360 bytes free
 1594875904 bytes total
switch1# gunzip runconf.gz
switch1# dir
       1918    Nov 11 20:45:11 2015  runconf

Usage for bootflash://
  230252544 bytes used
 1364623360 bytes free
 1594875904 bytes total
```
Licenses:
Every Nexus device has a unique switch ID:
```
switch1# show license host-id
```
When a license is not available, a license grace-period can be activated and features can be tested for 120 days.
```
switch1# con
Enter configuration commands, one per line.  End with CNTL/Z.
switch1(config)# license grace-period
```
License management:
```
switch1(config)# install license bootflash:license_file.lic
switch1# show license usage
```
Licenses overview:
This table took me quite some time to make and it’s probably not 100% correct, but at least it helped me to condense hundreds of lines of information for every model/series into a small overview.
Nexus hardware:
I found this one of the hardest things to master. Probably because I don’t support learning all these hardware and feature details by heart. In a real life situation, you look these things up using Google or the Cisco website. Even if you know the details by heart, it’s a good thing to check if nothing has changed or a new type/version exists.
In order to be able to remember this huge pile of information, I tried to create some rules or overview because remembering all details for all models is almost impossible.
LEDs, generic rule:
- No light = no power / no link
- Green = status is good
- Amber = booting or disabled
- Amber blinking = fault
- Blue = identification
More information:
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/hw/installation/guide/nexus_5000_hig/LEDs.html
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_hig_book/n7k_LEDs.html
Naming convention:
This naming convention is not documented, but I noticed that you can more or less use it as a general rule. The letters are used in the line card names and in the switch model names.
Speed:
- G = 1G
- X = 10G
- F = 40G
- C = 100G
Connection type:
- T = RJ45
- S = SFP
- P = SFP+
- Q = QSFP+
- K/L = CPAK
- 2 = X2
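To make the rule of thumb above usable in an inventory script, here is an added example (my own code, not part of the original post) that decodes a Nexus 7000/7700 line card product ID such as N7K-F248XP-25 with the speed and connector letters from the two lists above. The assumed layout, chassis-family-ports-speed-connector with an optional suffix, is my reading of the same undocumented convention, so a string that does not fit (a chassis name such as N5K-C5548UP, or a connector letter not in the list, such as CFP) is reported as unknown rather than guessed.

```python
import re

# Speed and connector letters from the rule of thumb above. The convention is
# undocumented, so treat the decoded result as a hint, not as authoritative data.
SPEED = {"G": "1G", "X": "10G", "F": "40G", "C": "100G"}
SPEED_GBPS = {"G": 1, "X": 10, "F": 40, "C": 100}
CONNECTOR = {
    "T": "RJ45",
    "S": "SFP",
    "P": "SFP+",
    "Q": "QSFP+",
    "K": "CPAK",
    "L": "CPAK",
    "2": "X2",
}

# Assumed layout of a Nexus 7000/7700 line-card product ID:
#   <chassis>-<family><ports><speed><connector>[-<suffix>]
# e.g. N7K-F248XP-25 -> F2 card, 48 ports, 10G, SFP+, suffix 25.
MODULE_RE = re.compile(
    r"^(?P<chassis>N7K|N77)-"
    r"(?P<family>[FM]\d)"
    r"(?P<ports>\d{2})"
    r"(?P<speed>[GXFC])"
    r"(?P<conn>[TSPQKL2])"
    r"(?:-(?P<suffix>[0-9A-Z]+))?$"
)


def decode_module(product_id):
    """Decode a line-card product ID using the naming rule of thumb.

    Returns a dict with the decoded fields, or None when the string does not
    fit the assumed pattern (chassis names and unlisted connector codes).
    """
    m = MODULE_RE.match(product_id.strip().upper())
    if not m:
        return None
    ports = int(m.group("ports"))
    speed = m.group("speed")
    return {
        "chassis": m.group("chassis"),
        "family": m.group("family"),
        "ports": ports,
        "speed": SPEED[speed],
        "connector": CONNECTOR[m.group("conn")],
        # Aggregate front-panel bandwidth; the fabric may be oversubscribed.
        "front_panel_gbps": ports * SPEED_GBPS[speed],
        "suffix": m.group("suffix"),
    }


def describe(product_id):
    """One-line summary, e.g. for annotating 'show module' output."""
    info = decode_module(product_id)
    if info is None:
        return f"{product_id}: not a line-card ID this rule understands"
    return (f"{product_id}: {info['family']} module, {info['ports']} x "
            f"{info['speed']} {info['connector']} "
            f"({info['front_panel_gbps']} Gbps front panel)")


if __name__ == "__main__":
    # Constructed sample: product IDs as they appear in 'show module' output.
    for pid in ["N7K-F248XP-25", "N7K-M148GT-11", "N7K-M108X2-12L",
                "N7K-F312FQ-25", "N77-F312CK-26", "N5K-C5548UP"]:
        print(describe(pid))
```

Because the convention is unofficial, the script deliberately returns None instead of a best guess for anything outside the listed letters; when automating an inventory, compare the decoded values against the Cisco data sheet for the module before relying on them.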
Hardware overview:
As with the licenses, this overview also took me a lot of time to complete. I'm actually surprised that such a simple matrix is nowhere to be found on the internet. Most of the information is verified, but it is possible that there are some mistakes in the table.
More information:
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration_limits/limits_521/nexus_5000_config_limits_521.html
- http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/Data_Sheet_C78-437762.html
- http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/guide_c07-673997.html
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/configuration_limits/b_N5500_Verified_Scalability_602N11/b_N5500_Config_Limits_602N11_chapter_01.html
Hopefully the above information helps somebody to study for the exam or to find some information related to Nexus/Data Center.
Really informative mate. Appreciate your time
Thanks for the info, this was extremely helpful! I had no idea about the boot-up process and config-register questions. There were about 15/65 questions on my exam related to those 2 topics….. And thanks for taking the time to create the license and product info charts. I printed those out and memorized them as best as I could, helped out big time!
A million thanks, what you have done is amazing. It will be really helpful for all who are preparing for 640-911. Please post if you have something for 640-916 too.
Hey, please can you tell me how many questions there are in the 640-911 exam? And are all questions objective, or may it also contain labs like the CCNA Routing & Switching exam?
On the “Start a kickstart-image from the loader prompt:” section,
It shows you just type
loader> n5000-uk9-kickstart.5.0.2.N2.1.bin
You just type the .bin file name? You don't type load or boot in front of it?
I can't seem to find the proper info on this type of issue. Everything I pull down from Cisco says to use the "install all" command followed by the kickstart .bin file and then the system image .bin file, all on the same line in that order.
Hi,
Good catch. You need to type boot, followed by the kickstart image. I’ve corrected this in my post.
To remember: boot an image at the loader prompt and load an image at the boot prompt :)
Hey, please can anyone tell me how many questions there are in the 640-911 exam? And are all questions objective, or may it also contain labs like CCNA Routing & Switching?
Hi,
There are 65 questions on the exam. All questions come from the objectives, but as you can read in my post, you should interpret the objectives very broadly. Knowledge of CCNA R&S is a plus, because the objectives overlap a lot.
Hi Jensd,
Thanks for the valuable information. I would just like to confirm whether there are any lab questions on the 640-911 exam or whether all questions are objective type?
Thx Jens for the enhanced summary of the 640-911 exam. I noticed that there is a screenshot missing under the text: “Disable a feature:”
Hi Rob,
Thanks for letting me know, I’ve updated the post with the missing information. Good luck on the exam :)
This afternoon passed with 942 ;-)
Thanks,
very useful, I passed today.
You have to add the boot process for the 5000 series as well; you only have the 7000 method here, but you did put the useful links for that anyway.
Good luck
hey Jens,
I am preparing for my 640-911 exam this month. Does the exam include only multiple-choice questions and simlets (hotspot topologies), or does it also include labs where you have to enter the NX-OS command line and troubleshoot according to a scenario?
Your blog is fantastic btw.
Thanks,
Kostas
Great read. I’m due to take mine in three weeks. How much of the DCICT knowledge crosses over into the DCICN exam? Wherever I read, I see contradiction!
Great job! It is well done. I am planning to take this exam in two weeks. Are there any hotspot or simulation questions, or is it multiple choice only?
Fantastic job!….and nothing drives the information home like creating a page like this, Jensd!
Many thanks for your guidance, and I hope to get your thoughts on the DCICT in time.
I believe that the IP address range of the class C private network is 192.168.0.0/16. Please double check.
I am writing the exam today. Hope everything goes well. I have not taken much effort to study the hardware features. Fingers crossed
Thanks a lot jens!!! I am going through this with 4 hours to the test.
Again, Fantastic Job!!
Any possibility of getting this in .pdf form? That way I can study when I don't have internet access.
Thanks,
Jeff
In Layer 1 (bits), is "1000BASE-FX" accurate? Should it be "100BASE-FX", fiber at 2 km distance at 100 Mb/s?
Your study notes are fantastic, thank you so much! I am getting my CCNA Data Ctr certification completed before the new tests are required (4/11/17), and this was a tremendous help! I look forward to your notes for the 640-916 exam which I will take in 2 weeks. Thank you again! Awesome job!
Hi Paul,
Please share your experiences.
Did you meet new topics or questions?
Could you give me an estimate of how accurate the current dump is?
I learned a lot, but I am afraid.
I will take the 640-911 next week.
The new version of 640-916 is more useful with the ACI topics and I am waiting for that one.
Thanks in advance.
Aren't twinax cables for copper?