Importing Configuration in the Switch Profile

In an earlier post (Dual-Homed FEXes and Switch Profiles) I wrote about the switch profiles and how to use them to configure dual-homed FEXes. I mentioned that it is possible to import existing configurations into the switch profiles. Now I was really attempting it in practice.

When importing configurations I constantly struck myself to the error message that the verification was failed. I could not find where I was doing wrong. As in the CCIE lab exam the devil was again in the details. I was checking the configuration guide and concluded that I was doing everything correctly. But not exactly according to the instructions. Let me walk you through the process I did.

I had configured the “cfs ipv4 distribute” and the switch profile basic information as told in the mentioned blog post. The profile was ready for use on both switches because I was already using it for some configurations:

n5k-1# sh run switch-profile

switch-profile SWITCH_PROFILE
  sync-peers destination 192.168.77.12

  interface Ethernet100/1/44
    description This is for testing

I had some simple configurations on both switches that I wanted to import:

n5k-1# sh run int e100/1/45
...
interface Ethernet100/1/45
  switchport access vlan 30

So I went to the switch profile and imported the interface configuration, and then committed:

n5k-1# conf sync
Enter configuration commands, one per line.  End with CNTL/Z.
n5k-1(config-sync)# switch-profile SWITCH_PROFILE
Switch-Profile started, Profile ID is 1
n5k-1(config-sync-sp)# import int e100/1/45
n5k-1(config-sync-sp-import)# sh switch-profile buffer

switch-profile  : SWITCH_PROFILE
----------------------------------------------------------
Seq-no  Command
----------------------------------------------------------
1       interface Ethernet100/1/45
1.1       switchport access vlan 30

n5k-1(config-sync-sp-import)# commit
Failed: Verify Failed

What was going on? I checked the status:

n5k-1(config-sync-sp-import)# sh switch-profile status

switch-profile  : SWITCH_PROFILE
----------------------------------------------------------

Start-time: 275329 usecs after Wed Jun 20 15:51:07 2012
End-time: 576664 usecs after Wed Jun 20 15:51:08 2012

Profile-Revision: 2
Session-type: Import-Commit
Session-subtype: -
Peer-triggered: No
Profile-status: -

Local information:
----------------
Status: Verify Success
Error(s):

Peer information:
----------------
IP-address: 192.168.77.12
Sync-status: In sync
Status: Verify Failure
Error(s):
Following commands failed mutual-exclusion checks:
interface Ethernet100/1/45
         switchport access vlan 30

It said that there was problem with the peer. Well, I configured it as well:

n5k-2# conf sync
Enter configuration commands, one per line.  End with CNTL/Z.
n5k-2(config-sync)# switch-profile SWITCH_PROFILE
Switch-Profile started, Profile ID is 1
n5k-2(config-sync-sp)# import int e100/1/45
n5k-2(config-sync-sp-import)# commit
Failed: Verify Failed
n5k-2(config-sync-sp-import)# sh switch-profile status

switch-profile  : SWITCH_PROFILE
----------------------------------------------------------

Start-time: 501759 usecs after Wed Jun 20 15:54:23 2012
End-time: 869233 usecs after Wed Jun 20 15:54:24 2012

Profile-Revision: 2
Session-type: Import-Commit
Session-subtype: -
Peer-triggered: No
Profile-status: -

Local information:
----------------
Status: Verify Success
Error(s):

Peer information:
----------------
IP-address: 192.168.77.11
Sync-status: In sync
Status: Verify Failure
Error(s):
Following commands failed mutual-exclusion checks:
interface Ethernet100/1/45
        switchport access vlan 30

Now it said that the first switch was having mutex failures!

This went on for a while when I was trying everything.

And then it struck to me: In the configuration guide (Nexus 5000 Series System Management Configuration Guide) it says, in this order:

1. Ensure configurations are the same on both switches.
2. Configure the switch-profile with same name on both switches.
3. Enter the import running config command on both switches.
4. Enter the switch-profile name buffer command to ensure all configurations are correctly imported on both switches.
5. Remove unwanted configuration settings by editing the buffer.
6. Enter the commit command on both switches.
7. Enter the sync-peers destination IP-address command to configure the peer switch on both switches.
8. Enter the switch-profile name status command to ensure both switches are synchronized.

You see what I missed?

I configured the sync-peers before the import and commit! That’s just because I had the switch profile in use already. Let’s remove sync-peers and try again:

n5k-1(config-sync-sp-import)# exit
n5k-1(config-sync)# switch-profile SWITCH_PROFILE
Switch-Profile started, Profile ID is 1
n5k-1(config-sync-sp-import)# no sync-peers destination 192.168.77.12
n5k-1(config-sync-sp-import)# commit
Verification successful...
Proceeding to apply configuration. This might take a while depending on amount
of configuration in buffer.
Please avoid other configuration changes during this time.
Commit Successful

It worked! Now I just had to repeat that for the other switch, and then restore the sync-peers commands. Here is the successful switch profile after the operations:

n5k-1(config-sync)# sh run switch-profile

switch-profile SWITCH_PROFILE
  sync-peers destination 192.168.77.12

  interface Ethernet100/1/44
    description This is for testing

  interface Ethernet100/1/45
    switchport access vlan 30

By the way: When configuring dual-homed FEX ports it is essential that the FEX port configuration on both Nexus switches is identical, otherwise the port may be disabled. When I was testing this interface configuration import I didn’t experience any connectivity loss during the changes so I would say that importing the configuration is a safe operation in that respect. If you think or see otherwise, please comment below.