Design Guide for the Cisco Nexus 5010 Switch
Design Guide
© 2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 15
To switch from the default VDC to another VDC, and back again, use the following commands:
NXOS : #switchto vdc <name>
NXOS : #switchback
Notice that a user who starts a session with a non-default VDC (VDC > 1) cannot hop to other VDCs.
To allocate interfaces to a VDC, use the following commands:
NXOS : (config)# vdc <name>
NXOS : (config-vdc)# allocate interface ethernet <port/number>
NXOS : (config)# show vdc membership
VDCs 2–4 can be restarted from the default VDC (VDC 1) with the command:
NXOS: (config)# vdc <name> restart
This command shuts down local services running on that specific VDC (spanning tree, Hot Standby Router Protocol
[HSRP], routing, and so on) and then brings them back up with their last saved configuration. Within the context of
the VDC itself, the administrator can achieve the same result by issuing the reload command, which will reload the
VDC, leaving the other VDCs unaffected (as long as this is a non-default VDC—that is, VDC > 1).
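Because VDC segmentation is only as good as the interface allocation actually in place, a defender will want to verify that the allocation reported by the switch matches the intended design. The following script is an added example, not code from the Cisco design guide: it parses a constructed imitation of the `show vdc membership` output used above (the VDC names, ports and the exact output layout are assumptions) and reports interfaces that are misplaced, still unallocated, or allocated without being in the plan.

```python
"""Compare the VDC interface allocation reported by a Cisco Nexus 7000 with an
intended allocation plan.

Added example, not part of the Cisco design guide.  The sample text below is a
constructed imitation of 'show vdc membership' output (hypothetical VDC names);
the parser only relies on the 'vdc_id: N vdc_name: X interfaces:' header and the
EthernetX/Y tokens that follow it, so minor spacing differences do not matter.
"""
import re

# Constructed sample output; VDC names and ports are hypothetical.
SHOW_VDC_MEMBERSHIP = """\
vdc_id: 1 vdc_name: core-default interfaces:
        Ethernet1/1           Ethernet1/2           Ethernet1/3

vdc_id: 2 vdc_name: prod-agg interfaces:
        Ethernet2/1           Ethernet2/2           Ethernet2/3

vdc_id: 3 vdc_name: dmz-agg interfaces:
        Ethernet3/1           Ethernet3/2           Ethernet2/4
        Ethernet3/4
"""

# Intended design: interface -> VDC that should own it (hypothetical plan).
INTENDED_PLAN = {
    "Ethernet2/1": "prod-agg", "Ethernet2/2": "prod-agg",
    "Ethernet2/3": "prod-agg", "Ethernet2/4": "prod-agg",
    "Ethernet3/1": "dmz-agg",  "Ethernet3/2": "dmz-agg",
    "Ethernet3/3": "dmz-agg",
}

HEADER_RE = re.compile(r"^vdc_id:\s*(\d+)\s+vdc_name:\s*(\S+)\s+interfaces:")
IFACE_RE = re.compile(r"Ethernet\d+/\d+")


def parse_vdc_membership(text):
    """Return {vdc_name: set_of_interfaces} from 'show vdc membership' output."""
    membership = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
            membership.setdefault(current, set())
        elif current is not None:
            membership[current].update(IFACE_RE.findall(line))
    return membership


def interface_to_vdc(membership):
    """Invert {vdc: interfaces} into {interface: vdc}."""
    return {iface: vdc for vdc, ifaces in membership.items() for iface in ifaces}


def audit_allocation(membership, plan, default_vdc):
    """Report where the observed allocation deviates from the plan.

    misplaced: planned interface sitting in a different non-default VDC
    missing:   planned interface still in the default VDC (or absent)
    unplanned: interface in a non-default VDC that the plan never mentions
    """
    observed = interface_to_vdc(membership)
    misplaced = {i: observed[i] for i, want in plan.items()
                 if i in observed and observed[i] not in (want, default_vdc)}
    missing = sorted(i for i in plan
                     if observed.get(i, default_vdc) == default_vdc)
    unplanned = {i: v for i, v in observed.items()
                 if v != default_vdc and i not in plan}
    return {"misplaced": misplaced, "missing": missing, "unplanned": unplanned}


if __name__ == "__main__":
    findings = audit_allocation(parse_vdc_membership(SHOW_VDC_MEMBERSHIP),
                                INTENDED_PLAN, default_vdc="core-default")
    for kind, items in findings.items():
        print(f"{kind}: {items}")
```

Run it with the real `show vdc membership` text in place of the constructed sample; an interface that is "unplanned" in a non-default VDC is the finding to chase first, since it extends that VDC's data plane beyond what the design intended.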
Currently, the VDC concept is implemented only on the Cisco Nexus 7000 Series.
The concept of VDC is most relevant at the aggregation layer of data center designs, while at the access layer the
use of VLANs provides segmentation at the data plane layer. The reason for using VDCs at the aggregation layer is
that if an attacker manages to get hold of the control plane of the router (through the default gateway), the attacker
will not be able to hop into adjacent VDCs.
At the access layer, this threat does not exist, provided that the management of the access layer device is out of
band—that is, it uses, for example, the mgmt0 interface of a Cisco Nexus 5000 Series that may be connected to the
default VDC of the Cisco Nexus 7000 Series. This is not to say that there will never be VDCs as an option for access
layer devices, but of all devices, the ones that benefit the most are the ones at the aggregation layer.
Role-Based Access
Role-based access lets you specify the actions a user can perform on a given Cisco Nexus system. In the case of a
Cisco Nexus 7000 Series, there are by default four different user roles:
● network-admin: Read-write privileges for the default VDC, so this user has higher privileges than all others. The network-admin can jump from VDC 1 into any of the other VDCs, as well as create and destroy VDCs.
● network-operator: Read privileges for the default VDC.
● vdc-admin: Read-write privileges for a VDC. This role exists only within a given VDC.
● vdc-operator: Read access to a VDC.
The difference between vdc-admin and network-admin is not significant on devices that do not implement VDCs (in
other words, on devices that implement only VDC 1): the Cisco Nexus 5000 Series and Cisco Nexus 1000V Series
Switches.
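A practical use of the four default roles is a periodic least-privilege review of who holds network-admin, since that role alone can cross VDC boundaries and create or destroy VDCs. The script below is an added example, not code from the Cisco design guide: it reads a constructed excerpt resembling the `username ... role ...` lines of an NX-OS running configuration (account names, the approved-admin list and the exact line format are assumptions, and password hashes are replaced by placeholders) and flags unapproved network-admin accounts, all write-capable accounts, and read roles that a write role on the same account already subsumes.

```python
"""Least-privilege audit of Cisco NX-OS user accounts against the four default
roles described in the guide.

Added example, not part of the Cisco design guide.  The configuration excerpt
below is constructed to resemble the 'username ... role ...' lines of a Nexus
'show running-config'; the real output may carry additional keywords, so the
parser is deliberately narrow and ignores lines it does not recognise.  Password
hashes are replaced by placeholders.
"""
import re

# Constructed excerpt; account names are hypothetical.
RUNNING_CONFIG = """\
username admin password 5 <hash-placeholder> role network-admin
username noc1 password 5 <hash-placeholder> role network-operator
username noc2 password 5 <hash-placeholder> role network-admin
username appteam password 5 <hash-placeholder> role vdc-operator
username appteam role vdc-admin
username svc-backup password 5 <hash-placeholder> role network-operator
"""

# The four default roles from the guide, ranked by privilege (higher is more).
ROLE_RANK = {
    "vdc-operator": 0,      # read access to one VDC
    "network-operator": 1,  # read access to the default VDC
    "vdc-admin": 2,         # read-write within one VDC
    "network-admin": 3,     # read-write on the default VDC; creates/destroys VDCs
}
WRITE_ROLES = {"vdc-admin", "network-admin"}

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+password\s+\d+\s+\S+)?\s+role\s+(\S+)\s*$")


def parse_user_roles(config):
    """Return {username: set_of_roles} from username/role config lines."""
    roles = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            roles.setdefault(m.group(1), set()).add(m.group(2))
    return roles


def effective_role(role_set):
    """Most privileged role among those assigned; unknown roles rank lowest."""
    return max(role_set, key=lambda r: ROLE_RANK.get(r, -1))


def audit_roles(roles, approved_admins):
    """Return findings for review.

    unexpected_admins: accounts holding network-admin outside the approved list
    write_accounts:    every account with a write role and its effective role
    subsumed_read:     accounts holding a read role alongside a write role
    """
    unexpected_admins = sorted(u for u, rs in roles.items()
                               if "network-admin" in rs and u not in approved_admins)
    write_accounts = {u: effective_role(rs) for u, rs in roles.items()
                      if rs & WRITE_ROLES}
    subsumed_read = sorted(u for u, rs in roles.items()
                           if rs & WRITE_ROLES and rs - WRITE_ROLES)
    return {"unexpected_admins": unexpected_admins,
            "write_accounts": write_accounts,
            "subsumed_read": subsumed_read}


if __name__ == "__main__":
    report = audit_roles(parse_user_roles(RUNNING_CONFIG), approved_admins={"admin"})
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

On a Cisco Nexus 5000 or 1000V, where only VDC 1 exists, the vdc-admin/network-admin distinction collapses as the text above notes; the audit still applies, because the `write_accounts` list is the set of accounts that can change the device configuration at all.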
For more information about role-based access on the Cisco Nexus 7000 Series, visit:
For more information about role-based access on the Cisco Nexus 5000 Series, visit:
Roles can be propagated across a Cisco Nexus infrastructure by using the Cisco Fabric Service Protocol over IP
(CFSoIP); role-based access is defined as a client of the CFS protocol.