Re: [c-nsp] blackholed traffic on ether-channel
Just bought several C6880-X to replace some 6500 with Sup32. They will have a lot of LACP channels... Tried to search for the bug numbers mentioned below, the first one came back as not Cisco inside only, the second one comes with an information page with the title:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy25743
C6880-X-LE: Contiguous 4 10G ports goes down and cannot be brought up

As a solution the page points to 3 new software releases:

Known Fixed Releases: (3)
15.2(1)SY1.118
15.3(1)IE101.312
15.4(1)IA1.22

Of these 3 releases none is available for download? There is even no 15.3 or 15.4 train available in the download software page... Does anyone have an idea where I can find a software release in which this problem is fixed, so I can install this before activating these switches on our network?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron DuShey
Sent: Wednesday 6 April 2016 20:40
To: selamat pagi
CC: cisco-nsp
Subject: Re: [c-nsp] blackholed traffic on ether-channel

Sorry for the earlier misfire.

On Wed, Apr 6, 2016 at 10:55 AM, selamat pagi wrote:
> Setup:
> 4 port LACP channel, C6880 <-> Nexus 7k
>
> Recently we had the issue that most (not all) traffic was black-holed
> on a C6880.
> No interface counters, nor the port-channel status, nor an NMS pointed
> to any abnormal behavior.
>
> Finally, the problem was resolved by shutting down a specific
> interface on C6880.
> It seems that one defect port affected the function of the entire
> port-channel !!
>

FWIW We recently ran into a somewhat similar port-channel issue on 6880 15.2(1)SY1a. BU told us symptoms were possibly related to CSCuw08272/CSCuy25743. That issue is slated to be fixed in 15.2(1)SY2.

-Aaron

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] nexus 5548 versus C4900M
We have a service cluster built around a C4900M: it concentrates a mix of 10G (intercampus) connections and 1G connections (some backup lines and central services such as DNS, VPN servers, ...). This works fine, but to be able to connect all these I had to add the 20-port 10/100/1000 UTP card and the extra 8x 10G card (with X2 convertor to provide for fiber SFPs). At the time that seemed a good and reasonably priced solution. This C4900M only does L2 traffic for the moment but will do some minor static (500Mb) IPv4 L3 routing in the near future.

Now I have to create a new, similar service cluster. The first idea was to copy the setup, but as we are also looking at Nexus for our datacenter, I noticed the Nexus 5548UP. This gives you out-of-the-box 32 1G/10G ports and costs (based on the prices I have seen) 25% less than the above C4900M configuration.

Does anyone have a reason why we should stick to the C4900M (or maybe a similar C4500 solution) and not put a Nexus in place, apart from the obvious differences between IOS and NX-OS for management? I think, when adding the L3 card to the Nexus, the 25% price difference will disappear, but are there any limits you see (ARP table, MAC address table size, buffering, IPv6 support, ...) that would take the Nexus out of the picture?

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp
[c-nsp] nexus material and coloured CWDM 10G SFP+
Recently we started using CWDM coloured 10G SFP+ interfaces (Smartoptics) on our campus network (in 4900M with OneX convertors). This works just fine, although Cisco probably will tell us that it is not supported... I'm wondering if someone already did the same thing on Nexus 5xxx switches, especially 5010 and 5548. We are planning to build a new backbone between different datacenters based on Nexus material (5010 in 2 remote datacenters, 5548 in the central datacenter). We could use the transponders of our CWDM vendor and use local SR SFP+ interfaces, but these transponders cost about 3x more than coloured SFP+ interfaces (and these don't come cheap). Using coloured SFP+ interfaces moves control/monitoring of the fiber losses to the end device, but we can live with that.

Second question: can you read out fiber losses on a Nexus? (cf. "show int transc" in IOS)

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp
[c-nsp] changing buffer size on 4900M - discards
We are seeing discards on a newly installed 4900M, probably coming from the fact that most input to the C4900M is coming from routers connected to it on 10G lines and is going out on a 2G etherchannel, although the total load on the 2G channel is just about 250-300 Mb/s. The 2G connection goes to an IPS that will be replaced before the end of the year, but until then I have to find a way around the discards.

Based on the fact that the 4900M is normally mentioned as a switch with a good buffer capacity (compared to 37xx switches, see also the threads from the beginning of this week), I wonder if there is a way to change the buffer size on the gigabit interfaces so that there will be fewer discards? Does anyone have a reference to a good document on buffer tuning (on 4900M)? I know the 'buffers' command exists, but for the moment I'm still trying to find out which buffers I should change (and into which values) to get rid of these discards.

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp
[c-nsp] 3750E cluster replacement
We have a network based on a VSS with 20G channels to 3750E-24 clusters top-of-rack. We are seeing a lot of discards on the cluster which connects to our NetApp SANs. I suspect this is because of the small buffers in the 3750E switches and the growth of our traffic to the SAN, especially iSCSI traffic.

I'm considering replacing this cluster with something else, but I'm not sure what to put there. I read that the 4900M has larger buffers and this would offer the needed mix of 1G and 10G ports, but you can't cluster these switches and, given the importance of the connected devices, this is not really an option. Buffering on Nexus 55xx seems also better and there you have the vPC possibility.

Do you consider this the way to go, or has anyone else a suggestion for a (clustered) device to replace this 3750E cluster?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp
Re: [c-nsp] 3750E cluster replacement
We use clusters to protect us from hardware failures; all servers and SAN are dual connected to both switches. We have plans to install Nexus in another server room; we could install 5500s in both and use them as interconnect (replacing the interconnects now made with 3750E).

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp

From: chandler.bass...@gmail.com [mailto:chandler.bass...@gmail.com] On Behalf Of Chandler Bassett
Sent: Tuesday 26 July 2011 13:14
To: Holemans Wim
Cc: cisco-nsp
Subject: Re: [c-nsp] 3750E cluster replacement

Why's it important you maintain a cluster? You're absolutely correct, 3750's are weak ToR switches. I would go with the 5500 if you find yourself looking toward a wider Nexus deployment in the next 18-36 months.

On Tue, Jul 26, 2011 at 7:03 AM, Holemans Wim <wim.holem...@ua.ac.be> wrote:
> We have a network based on a VSS with 20G channels to 3750E-24 clusters top-of-rack. We are seeing a lot of discards on the cluster which connects to our NetApp SANs. I suspect this is because of the small buffers in the 3750E switches and the growth of our traffic to the SAN, especially iSCSI traffic.
>
> I'm considering replacing this cluster with something else, but I'm not sure what to put there. I read that the 4900M has larger buffers and this would offer the needed mix of 1G and 10G ports, but you can't cluster these switches and, given the importance of the connected devices, this is not really an option. Buffering on Nexus 55xx seems also better and there you have the vPC possibility.
>
> Do you consider this the way to go, or has anyone else a suggestion for a (clustered) device to replace this 3750E cluster?
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp
Re: [c-nsp] 3750E cluster replacement
We do run LACP on most of our server and NAS connections. We also need these 2G channels towards our SAN to accommodate the accumulated iSCSI traffic coming from different servers. 3750E also have only one power supply, so we cluster them and use port-channels to protect against hw/power failures. Even when replacing the 3750E with Nexus 55xx (if needed combined with FEX), we intend to double them and have port-channels on both.

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin Barry
Sent: Tuesday 26 July 2011 14:12
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750E cluster replacement

$quoted_author = Holemans Wim ;
> We use clusters to protect us from hardware failures; all servers and SAN are dual connected to both switches.

You don't need the clustering if you run active-backup. It's only LACP that requires a stack or virtual chassis.

cheers
Marty
Re: [c-nsp] OT: Console cables on new platforms
Nothing comes free with Cisco (unless this changed since we got our latest copy of the GPL in Feb):

CAB-CONSOLE-USB=   Console Cable 6 ft with USB Type A and mini-B   30,00$
CAB-CONSOLE-RJ45   Console Cable 6ft with RJ45 and DB9F            30,00$
CAB-CONSOLE-USB    Console Cable 6 ft with USB Type A and mini-B   30,00$

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Franklin
Sent: Tuesday 28 June 2011 13:02
To: cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

> So you basically need add another part-number(which on btw?) to your order and this cost you 0$.

CAB-CONSOLE-RJ45 (RJ45 - DB9F)
CAB-CONSOLE-USB

Also CAB-AUX-RJ45 (RJ45-DB25M) if you want to hook up a modem.

Regards,
Tim.
[c-nsp] cpu spike every minute
We are seeing a CPU spike (and corresponding ICMP response latency) every minute on one of our 65XX. It is a 6506-E with Sup32-8G running IOS version ipbasek9-vz.122-18.SXF6. I checked all our mgmt processes (SNMP requests, ARP table copies, ...) but found nothing that could lead to this behavior. Normal ICMP response times (seen from our mgmt station) are a couple of msec, but every minute this rises to 1000 ms and more. We also see a spike in CPU usage at the same time and I tried to determine what process uses all this CPU and got the following result:

Normal: CPU around 11%

ldus220#sh proc cpu | excl 0.0
CPU utilization for five seconds: 11%; one minute: 13%; five minutes: 14%
  PID   5Sec   1Min   5Min Process
    1   0.1%   2.7%   3.7% kernel
12312   7.6%   7.0%   7.4% ios-base
12329   1.8%   1.6%   1.2% tcp.proc
12330   0.6%   0.5%   0.5% udp.proc
12331   0.1%   0.2%   0.2% iprouting.iosproc
12332   0.1%   0.1%   0.1% cdp2.iosproc

Hit: CPU above 40%, caused by kernel process

ldus220#sh proc cpu | excl 0.0
CPU utilization for five seconds: 46%; one minute: 16%; five minutes: 14%
  PID   5Sec   1Min   5Min Process
    1  35.6%   6.3%   4.5% kernel
12312   7.1%   7.1%   7.4% ios-base
12329   1.0%   1.5%   1.2% tcp.proc
12330   0.3%   0.5%   0.5% udp.proc
12331   0.1%   0.2%   0.2% iprouting.iosproc
12332   0.1%   0.1%   0.1% cdp2.iosproc

Using cpu detail, I can see it is process id 17 that is hit, but I don't have a clue what this process does. How can I find out what this process does, and whether it is internal kernel housekeeping that is causing this or an external cause?

ldus220#sh proc cpu detail | excl 0.0
CPU utilization for five seconds: 46%; one minute: 21%; five minutes: 18%
PID/TID   5Sec   1Min   5Min Process        Prio STATE    CPU
      1  33.9%   5.7%   4.3% kernel                        26d20h
      1  54.2%  79.5%  81.6% [idle thread]     0 Ready    1355d
     17  33.9%   5.7%   4.2%                  10 Running  6d07h
  12312   7.3%   9.8%   9.1% ios-base                      106d

Any info or pointer to info would be appreciated.

Wim Holemans
Network Services University of Antwerp
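As an added example (not code from the post or the list), here is a small Python script that parses two 'show processes cpu' snapshots in the column layout quoted above and ranks processes by how much their 5-second share rose between the normal and the hit snapshot, which is the comparison the post does by eye. The two snapshots are constructed from the figures in the post; "explained" is the sum of the positive per-process rises.

```python
"""Rank processes by their 5-second CPU rise between two 'show processes cpu' snapshots."""
import re
from typing import Dict, Tuple

# Constructed snapshots in the column layout of the output quoted in the post
# (PID, 5Sec, 1Min, 5Min, Process); the figures are the ones the post shows.
BASELINE = """\
CPU utilization for five seconds: 11%; one minute: 13%; five minutes: 14%
  PID   5Sec   1Min   5Min Process
    1   0.1%   2.7%   3.7% kernel
12312   7.6%   7.0%   7.4% ios-base
12329   1.8%   1.6%   1.2% tcp.proc
12330   0.6%   0.5%   0.5% udp.proc
12331   0.1%   0.2%   0.2% iprouting.iosproc
12332   0.1%   0.1%   0.1% cdp2.iosproc
"""
SPIKE = """\
CPU utilization for five seconds: 46%; one minute: 16%; five minutes: 14%
  PID   5Sec   1Min   5Min Process
    1  35.6%   6.3%   4.5% kernel
12312   7.1%   7.1%   7.4% ios-base
12329   1.0%   1.5%   1.2% tcp.proc
12330   0.3%   0.5%   0.5% udp.proc
12331   0.1%   0.2%   0.2% iprouting.iosproc
12332   0.1%   0.1%   0.1% cdp2.iosproc
"""

RE_TOTAL = re.compile(r"CPU utilization for five seconds: (\d+)%")
# One process row: PID, three percentages, process name (header row does not match).
RE_ROW = re.compile(r"^\s*(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s*$")


def parse_proc_cpu(text: str) -> Tuple[int, Dict[str, Tuple[int, float, float, float]]]:
    """Return the five-second total and {process: (pid, 5sec, 1min, 5min)}."""
    total = 0
    rows: Dict[str, Tuple[int, float, float, float]] = {}
    for line in text.splitlines():
        m = RE_TOTAL.search(line)
        if m:
            total = int(m.group(1))
            continue
        m = RE_ROW.match(line)
        if m:
            pid, s5, m1, m5, name = m.groups()
            rows[name] = (int(pid), float(s5), float(m1), float(m5))
    return total, rows


def rank_cpu_delta(baseline_text: str, spike_text: str) -> dict:
    """Rank processes by the rise of their 5-second share from baseline to spike."""
    base_total, base = parse_proc_cpu(baseline_text)
    spike_total, spike = parse_proc_cpu(spike_text)
    ranking = []
    for name, (pid, s5, _m1, _m5) in spike.items():
        # A process absent from the baseline counts its whole share as a rise.
        before = base[name][1] if name in base else 0.0
        ranking.append((name, pid, round(s5 - before, 1)))
    ranking.sort(key=lambda row: row[2], reverse=True)
    explained = round(sum(d for _, _, d in ranking if d > 0), 1)
    return {"total_rise": spike_total - base_total, "explained": explained, "ranking": ranking}


if __name__ == "__main__":
    result = rank_cpu_delta(BASELINE, SPIKE)
    print(f"five-second total rose by {result['total_rise']} points; "
          f"positive per-process rises add up to {result['explained']}")
    for name, pid, delta in result["ranking"]:
        print(f"{name:<20} pid {pid:>6} {delta:+6.1f}")
```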
[c-nsp] 10G for 6506-E with Sup32-8Gb or replace with 4900M
We have 3 campuses with on each campus a 6506-E/Sup720-10G as 'master router' and a 6506-E/Sup32-8gbit as backup router, in a HSRP config. In each router we also have GBIC boards to connect the different buildings. These Sup32 routers also act as L2 concentrator for part of each campus. Now we are thinking about connecting both routers to each other on each campus with a 10G connection. As the Sup32 doesn't have 10G yet, we have multiple options to do so. We can add a 10G board to the chassis, replace the supervisor with a Sup720 or replace the whole router with a 4900M.

If I take a look at list prices, I get 28000$ for Sup720, 2$ for 6704 (but these are XENPAKs), 37500$ for 6708 and 22000$ for 4900M (base + 10/100/1000 card, dual power). We have 65XX as routers because we had FWSM boards in them, but these are not used anymore. Based on the price, it seems we best opt to replace the 6506-E/Sup32 with the 4900M option (there is also a difference in maintenance cost). With TwinGig convertors this offers us a good combination of 10G and 1G SFP ports. For 7500$ we can add a second 8-port X2 board that gives us extra 10G/SFP ports if needed.

Has anyone had bad/good experience with using a 4900M as router, given the following environment:
- Router acts as backup router, so 99.xxx% of the time it only has to forward L2 traffic
- Only static routes, no active routing protocol.
- 40 VLANs, 40 SVIs with ACLs on them
- No IPv6 for the moment, but according to the specs, the 4900M should handle IPv6 in hardware just fine.
- No QoS yet, but we are planning to implement that in 2011

I know we lose the NetFlow capability if the primary router fails, but we can live with that.

All comments are welcome.

Wim Holemans
Network Services University of Antwerp
Belgium
Re: [c-nsp] Strange problem with Cat6500 freeze
Not exactly the same, but we had an 'automatic' reboot on a Sup720 and Sup32 during a broadcast storm after upgrading to SXI4a. Before the upgrade the machine kept running (unresponsive but running) until the cause of the broadcast storm was removed. Something seems to have changed in SXI4a.

Wim Holemans

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jens S Andersen
Sent: Monday 13 December 2010 19:49
To: Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Strange problem with Cat6500 freeze

Hi

We have the exact same problem with 2 6503E/Sup32 routers after upgrading to SXI4a. We downgraded to SXI3, and the problem went away. Maybe it's a SXI4a 'feature'.

-Jens

> Hi
>
> I have a network where the core devices are Cisco Catalyst 6506-E with Sup32/PFC3B. Last month we had the problem two times. One time the first 6500 'froze' and the second time the second 6500 'froze'. Freeze means the machine was powered up, an alarm was present (diode on supervisor), the console wasn't responding at all, the frozen 6500 created a lot of loops on all VLANs inside the network (%SW_MATM-4-MACFLAP_NOTIF: Host .. in vlan XX is flapping between port XX and port XX), all ports connected to the frozen 6500 were UP, LACP for PortChannels went down. A hard reboot (power off + power on) helped both times. There wasn't any crashdump in flash/bootflash/sup-bootdisk/disk. Most of the problem was caused by the loop created by the frozen 6500, as the whole network was overloaded.
>
> How could I prevent this issue in future? Maybe storm-control for broadcasts? Did anybody encounter a similar problem with 6500?
>
> After investigation, both freezes were probably caused by random disabling/enabling of NetFlow ('ip flow ingress') on a few SVIs.
>
> Some more facts about both 6500 configurations:
> - Both running 12.2(33)SXI4a IOS. Upgrade was done 1 month ago.
> - Before, the machines were running 12.2(33)SXH4; a similar problem never occurred
> - eBGP (230k prefixes), 3-4 full table BGP peers + iBGP (20 peers rr-clients)
> - IS-IS
> - A little MLS QoS (policing) - 1-2 service-policies on SVIs
> - Control Plane Policing implemented
> - Sometimes NetFlow v5 exporting from SVI
> - Load around 40% (show catalyst6000) + 1.5Mpps (sh platf hardw capa pfc)
> - Dual PSs
> - Only GE ports on Sup-32 heavily used
> - WS-X6408A-GBIC linecards but used only 1-2 ports with a little load (~50-200Mb)
> - ~300 VLANs
> - ~50 SVIs
>
> Robert

Jens S Andersen                   Email: j...@adm.aau.dk
Aalborg University                Telf: 9940 9464
Selma Lagerlöfs Vej 300, 4.2.59   Fax: 9940 7593
9220 Aalborg Denmark
[c-nsp] 6506-E module provisioning
I've been searching the Cisco website for this but didn't find an answer. We have a new 6506-E to replace an old one, and I'll have to move some modules between them as we don't have spare ones. Is there a way to 'provision' these modules in the config of the new router so I can just copy the old config to the new one and won't have to add the config for these modules after the cards have been switched? The modules will move to the same slot in the new router.

Greetings,

Wim Holemans
Network Services University of Antwerp
Re: [c-nsp] 3750-E + CVR-X2-SFP10G + SFP-10G-SR = disappearing media
We have a similar setup but with X2 interfaces, so no X2 to SFP+ convertors, and that works just fine. Have you checked the transceiver parameters? Maybe they are not within limits, causing a shutdown of the interface? (temperature, input power, output power). The first batch of (non-Cisco) X2 transceivers we got all gave wrong information about thresholds etc. After replacing them, everything was fine.

sh int te1/0/1 transc detail

should give you this info. We are running version 122-50.SE2.

Wim Holemans
Network/Security Manager University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew White (MAWHI)
Sent: Tuesday 11 May 2010 0:03
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3750-E + CVR-X2-SFP10G + SFP-10G-SR = disappearing media

Greetings,

I have an open TAC case about this but I figured I'd ask here as well.

I recently installed 10 3750-Es in 5 2-member stacks. Each stack has 2 uplinks to a 6509-VSS. I'm using X2 to SFP+ converters and 10G SFP+ modules on both ends of the links between the stacks and the VSS. In each stack I'm using interface Ten1/0/1 and Ten2/0/1. There is currently no real traffic on any of the links. The plan is to do a forklift upgrade of our existing production network and I've set the 3750/VSS up in a test environment. With the exception of two hosts talking iperf to each other, the network is quiet.

The problem I'm seeing is this: after about 6 to 8 hours a 10G interface on the 3750 side will go down. Saying 'show int Ten2/0/1' will show the media type as Not Present:

Full-duplex, 10Gb/s, link type is auto, media type is Not Present

as opposed to:

Full-duplex, 10Gb/s, link type is auto, media type is SFP-10GBase-SR

I am seeing this behavior on three individual switches and in each case it is ten2/0/1 that fails. I've replaced the X2 converter, the SFP+ module and moved the converter to Ten2/0/2 but the symptoms persist.

I RMA'd one of the switches and just installed the replacement, hopefully this will solve the problem. I also checked software compatibility and the switches are running (C3750E-UNIVERSALK9-M), Version 12.2(53)SE2

Has anyone seen this before?

-mtw
[c-nsp] best ios version for VSS
We have a VSS running, L2 only for the moment. We plan to enable L3 (static routing only for the moment) next week (along with a FWSM board in each chassis). We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for the moment (I know this version has too many features for what we need for the moment).

The problems we had with this version until now:
- One of the supervisors rebooted spontaneously, leaving no traces on why it restarted
- ISSU (I don't remember what the version was we started the upgrade from) didn't work, so I had to boot both chassis manually, giving a much higher downtime than expected
- The activation of the first FWSM (inserted with power down for that specific module, followed by power up of the module) caused a crash and reboot of the supervisor of the chassis in which the FWSM was inserted.

So does anyone have comments on which version we should eventually upgrade to before going to L3? (Downtime will have a much larger impact from that moment on.) I found on the Cisco website there is a version 12.2.33-SXH6(ED) and a version 12.2.33-SXI3(ED) available.

Greetings,

Wim Holemans
Network Services University of Antwerp
Re: [c-nsp] FWSM logging problem
To answer all questions about versions etc.: we are running 3.1(4), not the latest I know, but people here are 'allergic' to network downtime and with semester exams coming up, I won't be able to upgrade before February.

I removed the log option from the rule, which should have given me 106023 messages in my logs, but they don't show up; the ACE is being hit however:

access-list Internet-out line 24 extended deny ip any host x.x.x.x (hitcnt=13) 0x6e051e8c

As far as I can tell, there is no queue problem:

Logging Queue length limit : 1024 msg(s), 30947037 msg(s) discarded.
Current 502 msg on queue, 512 msgs most on queue

I raised the limit to 1024 yesterday and the number of discards stayed the same since then. There doesn't seem to be a caching problem either:

fwcdep/fwcdep1# sh access-list | incl cache
access-list cached ACL log flows: total 5, denied 3 (deny-flow-max 4096)

I'll have to live with this until I can upgrade.

Wim

-----Original Message-----
From: Andrew Yourtchenko [mailto:ayour...@cisco.com]
Sent: Wednesday 16 December 2009 19:35
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet CC). I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet to the address:
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM.

Any chance you'd have

%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit

somewhere? Check on show access-list output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further logs are suppressed (AFAIK, with the logic being that since the whole idea behind the log is to decrease the amount of logging messages, if we get a lot of hits we are probably already under stress, so would not want to stress further by downgrading the logs to sending them per-packet). If you have a lot of ACEs that are marked with the log keyword, this might be what you see. Decreasing the interval should help to keep the # of logs under max.

> These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

For the specific ACE, you can remove the log keyword. Bit counter-intuitive as this might seem, it would not stop the logging for the denied sessions - just the messages will be different (firewall-style):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group foo [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) - inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit. So I think it should precisely fit what you are looking for.

cheers,
andrew
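As an added example (not code from the thread), here is a Python parser for the two FWSM deny message formats Andrew quotes (106100 for ACEs with the log keyword, 106023 for ACEs without it) that counts, per source host, the hits against a blocked address, which is what Wim's original question was after, and flags the 106101 cache-limit warning after which 106100 counts are incomplete. The sample log lines are constructed, use RFC 5737 documentation addresses and a made-up hostname, and write the 106100 arrow as "->" (the copy quoted above shows it as "-"; the regex accepts both).

```python
"""Count which hosts hit a blocked address from FWSM deny syslog lines.

Handles both message formats discussed in the thread: 106100 (ACE with the
"log" keyword: a first-hit message, then per-interval summaries) and 106023
(ACE without "log": one message per denied packet). 106101 means the
deny-flow cache is full and further 106100 messages are suppressed, so the
106100-based counts are only a lower bound from that point on.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the formats quoted in the thread.
# Hostname "fwcdep" and the RFC 5737 addresses are placeholders, not real data.
SAMPLE_LOG = """\
Dec 16 2009 19:40:01 fwcdep : %FWSM-6-106100: access-list Internet-out denied tcp inside/192.0.2.10(51234) -> outside/203.0.113.5(6667) hit-cnt 1 (first hit) [0x6e051e8c, 0x0]
Dec 16 2009 19:40:31 fwcdep : %FWSM-6-106100: access-list Internet-out denied tcp inside/192.0.2.10(51240) -> outside/203.0.113.5(6667) hit-cnt 7 300-second interval [0x6e051e8c, 0x0]
Dec 16 2009 19:41:02 fwcdep : %FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
Dec 16 2009 19:42:10 fwcdep : %FWSM-4-106023: Deny tcp src inside:192.0.2.77/40001 dst outside:203.0.113.5/6667 by access-group Internet-out [0x6e051e8c, 0x0]
Dec 16 2009 19:42:11 fwcdep : %FWSM-4-106023: Deny tcp src inside:192.0.2.77/40002 dst outside:203.0.113.5/6667 by access-group Internet-out [0x6e051e8c, 0x0]
Dec 16 2009 19:42:15 fwcdep : %FWSM-4-106023: Deny icmp src inside:192.0.2.10 dst outside:203.0.113.5 (type 8, code 0) by access-group Internet-out [0x6e051e8c, 0x0]
Dec 16 2009 19:43:00 fwcdep : %FWSM-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:192.0.2.10/51300 (192.0.2.10/51300)
"""

# 106100: "access-list ACL denied PROTO IF/SRC(PORT) -> IF/DST(PORT) hit-cnt N ..."
RE_106100 = re.compile(
    r"%FWSM-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -+>? "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# 106023: "Deny PROTO src IF:SRC[/PORT] dst IF:DST[/PORT] [(type, code)] by access-group ACL"
RE_106023 = re.compile(
    r'%FWSM-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?.*?by access-group "?(?P<acl>[^"\s\[]+)'
)
# 106101: deny-flow cache full; 106100 messages stop until flows expire.
RE_106101 = re.compile(r"%FWSM-\d-106101:")


@dataclass
class DenyEvent:
    msg_id: str
    acl: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    hits: int  # hit-cnt for 106100, always 1 for 106023


def parse_deny_line(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a denied 106100 line or a 106023 line, else None."""
    m = RE_106100.search(line)
    if m:
        if m.group("action") != "denied":
            return None  # 106100 is also logged for permits; not interesting here
        return DenyEvent("106100", m.group("acl"), m.group("proto"), m.group("src"),
                         m.group("dst"), int(m.group("dport")), int(m.group("hits")))
    m = RE_106023.search(line)
    if m:
        dport = m.group("dport")
        return DenyEvent("106023", m.group("acl"), m.group("proto"), m.group("src"),
                         m.group("dst"), int(dport) if dport else None, 1)
    return None


def summarize_denies(log_text: str, target_ip: str) -> dict:
    """Per-source hit counts against target_ip, plus whether 106101 was seen."""
    sources: Counter = Counter()
    by_message: Counter = Counter()
    cache_limit_hit = False
    for line in log_text.splitlines():
        if RE_106101.search(line):
            cache_limit_hit = True
            continue
        ev = parse_deny_line(line)
        if ev is None or ev.dst != target_ip:
            continue
        by_message[ev.msg_id] += 1
        sources[ev.src] += ev.hits
    return {"sources": sources, "by_message": by_message, "cache_limit_hit": cache_limit_hit}


if __name__ == "__main__":
    result = summarize_denies(SAMPLE_LOG, "203.0.113.5")
    for src, hits in result["sources"].most_common():
        print(f"{src:<16} {hits:>5} hit(s)")
    if result["cache_limit_hit"]:
        print("warning: 106101 seen, so 106100-based counts are incomplete")
```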
[c-nsp] FWSM logging problem
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet CC). I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet to the address:

access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c

There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM.

These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging

Does anyone have a clue on how to get all syslog messages for the ACEs that have a log part?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] 3750G vs. Nexus for a SAN
What version of IOS does it run? Base version or lite version?

Wim Holemans
Network Services University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Friday 13 November 2009 5:17
To: Asbjorn Hojmark - Lists; Brian Landers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

It is on the price list. $5300.. I have one in production and one on order for a customer.. Nice switch...

Jim

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists
Sent: Monday, November 09, 2009 9:31 AM
To: Brian Landers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

On Mon, 9 Nov 2009 09:05:34 -0500, you wrote:

> [Cat 2350G] Doesn't appear to be in the pricing tool yet, though?

Every order goes on NPH and needs to go through the BU for approval. Pricing is 'known, but not public'.

-A
[c-nsp] STP and RSTP interaction
Until now we used standard STP in our network with changed diameter parameters (diameters of 10, 11, ...). We plan to migrate to RSTP and, as far as I can tell from reading about it, this should be no problem if we start changing from the outside into the core. I now have to add a new part to our network and in this part I already enabled RSTP. I'm still hesitating to couple both networks as I don't have an idea how the RSTP part will interfere with the diameter of the existing network. If I'm right, the 'coupling' interface of the new network will work in STP mode and the rest of the new network in RSTP. How do I count this new network when calculating the new diameter? Just as 1 switch? Or do I count the full topology?

Has anyone done this before and can comment on this? Other suggestions, experiences with the migration from STP to RSTP that may help?

Greetings,

Wim Holemans
Network Services University of Antwerp
[c-nsp] 2801 as console server
I've been looking through the Cisco docs but didn't find what I was looking for, therefore this question: I transformed a 2801 router which we used as a dial-in server into a console server. The config seems to work, I can do a "telnet xxx 2018" to get access to serial port 0/1/1, and "ssh -l user:portnumber" also works. But I still have 2 problems:

- The escape character doesn't work when using ssh; also e.g. defining CTRL-Z as disconnect character doesn't work. The only way to stop the connection is by killing it at the ssh client side. Is there another way to stop the ssh connection, just like the telnet escape character?

- Is there a way to access the async line from within the router itself? So just a telnet/ssh to the router and then something like 'connect line XXX'? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.

I'm running c2801-ipbasek9-mz.124-25a on the router.

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Look in the log files for the following error:

<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month); a reload is the only way to resolve this. We have a case open for this, but without any good response from Cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday 11 August 2009 22:07
To: Tillinger, Steve
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve <steve.tillin...@sourcemedia.com> wrote:
> Have you tried sh local? That should tell you if you're hitting the 10 user limit.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M
Re: [c-nsp] VSS out-of-band mgmt
Just implemented it based on an example I received yesterday; we don't deploy TACACS, so no problem there. Syslog doesn't work anymore for the moment but I didn't check yet if it is VRF aware. Thanks to everyone who answered my question. Once I have tried out the syslog config, I'll share the result on this list.

Wim Holemans

-----Original Message-----
From: Alasdair McWilliam [mailto:alasda...@gmail.com]
Sent: Tuesday 14 July 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf. So far everything that needs a source interface seems to work, although I've not actually configured syslog yet. TACACS is now VRF aware. You have to define a specific AAA server group. Eg:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
 server 1.1.1.1
 ip vrf forwarding mgmt-vrf
!
aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server command before you add it to the group, otherwise it throws an error.

Al

On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

> Yes, a management VRF will do exactly what you want :-)
>
> Perhaps things have improved, but at one time for the 6500 platform certain functions could only be performed in the native (? is that the right word) context, and you needed to place all the rest of your traffic/interfaces in a VRF leaving the native context for management (sort of the reverse of your proposal, instead have an Internet VRF for everything except for management). Have the latest IOS versions eliminated those challenges on the 6500?
>
> Gary
Re: [c-nsp] VSS out-of-band mgmt
Tried syslog VRF awareness and yes:

logging host 143.169.x.y vrf management

did the trick. We are running 122-33.SXI1 on this VSS cluster.

Wim Holemans
[c-nsp] VSS out-of-band mgmt
I have a VSS router that I want to do some out-of-band mgmt with. Is this possible with VRF-lite? I would like to build a channel with the UTP ports on the Sup720, give the VSS an address on this trunk but keep this interface out of the standard routing table. Can this be done with VRF-lite? Or is there another way to do out-of-band mgmt of a VSS cluster?

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
[c-nsp] network simulator
I'm looking for a (free) network simulator that allows me to simulate a small network (20 switches) with different VLANs on it. I want to test different scenarios: what happens if this switch goes down or that link goes down, how do the packets flow in each scenario for the different VLANs... Does anyone have a good reference to such a product? Free would be nice but is no absolute condition.

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] network simulator
Just found it through Google, will give it a try tomorrow.

Thanks,

Wim Holemans

From: Michal Prazenka [mailto:michal.praze...@gtsce.com]
Sent: Monday 18 May 2009 19:35
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] network simulator

Have you tried GNS3?

Michal
[c-nsp] VSS upgrade problems
I'm testing a VSS solution for our campus network, most things seem to work as expected. I ran however into problems when testing the eFSU upgrade procedure. The system came with ip base 12.33SXH4 on it; I created the cluster with this version without problem (although the notes state that you should use at least ip services). I upgraded the system the traditional way to ip base 12.33SXI without problem. Then I decided to test the eFSU upgrade procedure (available from 12.33SXI), which should give no downtime at all (if all your connections are trunks to both chassis). I tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This however failed and kept my standby chassis continuously booting until I removed the VSS connection between both (I forgot to activate the issu rollback timer...).

These were the messages I got:

1) On the master:

01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active SP has (1048576/8192K) memory, Standby has (1048576/65536K).
01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active RP has (1048576/8192K) memory, Standby has (1048576/65536K).
01:01:48: %PFREDUN-SW2_SP-6-ACTIVE: Standby initializing for RPR mode
01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 327962 is incompatible with remote side.
01:01:50: %RFS-SW2_SP-3-START_NEGO_SESSION: RFS nego (327962:262609) to [issu:rfs:Secondary RFS Server Port:0x305] failed: [ISSU_RC_NEGO_ERROR]
01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS RF(520) notification timeout
01:02:22: %VSLP-SW2_SP-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Disabled by Peer Reload Request
01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: Last VSL interface Te2/5/4 went down
01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role
01:02:23: %PFREDUN-SW2_SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode
01:02:23: %RF-SW2_SP-3-NOTIF_TMO: Notification timer Expired for RF Client: RFS RF(520)
01:02:24: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: Proxy request to reload peer

2) On the slave:

*Feb 3 10:48:12.695: %ISSU-SW1_SPSTBY-3-FSM_MISMATCH_MTU: ISSU nego failed for client ISSU ifs client(110) entity_id 113 session 65694 due to mismatch of mtu size 36 72.
-Traceback= 40252F70 4025350C 40969458 417A050C 417A0578 40966980 40966BE0 40966FD8 409A8FFC 4042FD60 40447984 4088E6C0 4088E6AC
*Feb 3 10:48:12.735: %ISSU-SW1_SPSTBY-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 65694 is incompatible with remote side.
*Feb 3 10:48:12.735: %RFS-SW1_SPSTBY-3-START_NEGO_SESSION: RFS nego (65694:65693) to [issu:rfs:65536:0x1] failed: [ISSU_RC_NEGO_ERROR]
*Feb 3 10:48:43.551: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).
*Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-3-VSLP_LMP_FAIL_REASON: 5/4 : Link down
*Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-2-VSL_DOWN: Last VSL interface 5/4 went down
*Feb 3 10:48:45.075: %VSLP-SW1_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role
*Feb 3 10:48:45.083: %SATVS_IBC-SW1_SPSTBY-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x4/0x4, SSAP/DSAP:0x2/0x1, OP/SEQ:0x1E/0x13, SIG/INFO:0x1/0x501, eSA:.0500.)
*Feb 3 10:48:46.127: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested by Delayed Reload. Reload Reason: Admin requested reload of the Standby during ISSU.
*Feb 3 10:48:46.127: %OIR-SW1_SPSTBY-6-CONSOLE: Changing console ownership to switch processor

Two things are strange: the message about PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH, because these are 2 identical supervisor boards, and secondly the MTU mismatch error. I tried to find some info about the MTU error but neither the Cisco website nor Google gave any info about these errors. Does anyone have an idea or just a pointer to more detailed technical detail? There is not that much documentation on the Cisco website about VSS...

Any help would be appreciated,

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
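Added example, not part of the thread or of any Cisco tooling: a small Python parser for the %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC tag that IOS and ASA messages share, run over lines copied from the log excerpts in this thread and the ASA message earlier on this page. It also shows how a log monitor would recognise the sequence above (ISSU client negotiation failure followed by the last VSL link going down) so the eFSU breakage is alerted on instead of being noticed only when the standby keeps rebooting.

```python
"""Parse Cisco IOS/ASA syslog messages and flag the eFSU failure sequence
(ISSU negotiation failure followed by loss of the last VSL link)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco messages share one shape: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
# IOS on a VSS adds the switch/processor as subfacility (SW2_SP, SW1_SPSTBY);
# ASA has no subfacility and uses a numeric mnemonic (%ASA-0-716528).
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)"
    r"(?:-(?P<subfacility>[A-Za-z0-9_]+))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


@dataclass
class CiscoMsg:
    facility: str
    subfacility: Optional[str]
    severity: int          # 0 = emergency ... 7 = debug
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[CiscoMsg]:
    """Return the structured message, or None for lines without a %-tag."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return CiscoMsg(m["facility"], m["subfacility"], int(m["severity"]),
                    m["mnemonic"], m["text"].strip())


def parse_log(lines: List[str]) -> List[CiscoMsg]:
    return [msg for msg in map(parse_line, lines) if msg is not None]


def severe(msgs: List[CiscoMsg], max_severity: int = 2) -> List[CiscoMsg]:
    """Messages at severity 0-2 (emergency/alert/critical); these should page."""
    return [m for m in msgs if m.severity <= max_severity]


def vss_issu_split(msgs: List[CiscoMsg]) -> bool:
    """Detect the sequence from the post: an ISSU client negotiation failure
    (FSM_INCOMP / FSM_MISMATCH_MTU) followed by the last VSL link going down,
    i.e. the standby got reloaded and the VSS fell apart during eFSU."""
    nego_failed = False
    for m in msgs:
        if m.facility == "ISSU" and m.mnemonic in ("FSM_INCOMP", "FSM_MISMATCH_MTU"):
            nego_failed = True
        elif nego_failed and m.facility == "VSLP" and m.mnemonic == "VSL_DOWN":
            return True
    return False


# Constructed sample: lines copied from the log excerpts on this page plus one noise line.
SAMPLE_LOG = [
    "<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; "
    "possible out-of-memory condition",
    "01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: "
    "Active SP has (1048576/8192K) memory, Standby has (1048576/65536K).",
    "01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) "
    "in session 327962 is incompatible with remote side.",
    "01:01:50: %RFS-SW2_SP-3-START_NEGO_SESSION: RFS nego (327962:262609) to "
    "[issu:rfs:Secondary RFS Server Port:0x305] failed: [ISSU_RC_NEGO_ERROR]",
    "01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: Last VSL interface Te2/5/4 went down",
    "01:02:23: %PFREDUN-SW2_SP-6-ACTIVE: Standby processor removed or reloaded, "
    "changing to Simplex mode",
    "garbage line without a cisco message",
]

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for m in severe(parsed):
        print(f"sev {m.severity} {m.facility}-{m.mnemonic}: {m.text}")
    print("VSS split during ISSU:", vss_issu_split(parsed))
```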
Re: [c-nsp] upgrading stack of 3750E's
(I'm the one who posted the original question.)

Just tested it again with a second stack of 3750E's; this gave the same result: upgrading from 12.2.2(35) to 12.2.(46) and a reload of the second switch gave a Version Mismatch which left the second switch hanging. Only a reload of the master restored full functionality. After that, I replaced the ip base image with the one with encryption (k9 version), however with the same version number 12.2(46). This went as described below, the second one came back online and became a member of the stack again without problem, allowing a reload of the first one.

So my conclusion is that the possibility to upgrade a stack without losing full connectivity is different for each upgrade and you can't tell in advance if it will result in a version mismatch or not. Feel free to comment if you have different experiences.

Wim Holemans

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday 26 January 2009 19:38
To: Tony Varriale
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] upgrading stack of 3750E's

On Mon, 2009-01-26 at 08:45 -0600, Tony Varriale wrote:
> This is how I normally do it.
> 1) archive software to first switch /overwrite (from TFTP) without reload.
> 2) archive software to second switch /overwrite without reload.
> 3) reload slot 1
> 4) wait until switch 1 is operational and you are happy
> 5) reload slot 2

Will this work? Wouldn't Stackwise see the two switches as incompatible?

We've started using pairs of 3750E with a CX4 link between them and just plain rapid PVST+. Then we have some guarantees as to how the system functions during upgrades.

Regards,
Peter
[c-nsp] upgrading stack of 3750E's
We are testing the following setup:

65XX-VSS - etherchannel - 3750E stack (2 switches) - teaming enabled servers

This should give maximal uptime, overriding defects on the router or 3750E switches. We intend to use these switches in L2 mode only, managing them via the mgmt fa0 interface. I'm now looking into the upgrade procedure for the stack, but I can't seem to find a way to do an upgrade in which at least one of the 3750E's stays operational, thus minimizing down time. As far as I can tell from the doc, there is no way to upgrade e.g. the master switch, have it reload (keeping the second switch operational), and after the master becomes operational, (auto-)upgrade the second switch. Am I missing something or is this scenario really not possible?

Another scenario would be removing the switch from the stack (after bringing down all ports first via console), changing the ip address of the switch, bringing the mgmt port back online, doing the upgrade, bringing the power down, reconnecting it to the stack and powering it up again. Given the fact that the stack cables are rather fragile, this doesn't seem the right way to do it, unless it is possible to shut down the stack ports by a CLI command?

Any suggestions, pointers to alternative upgrade procedures, ...

Thanks,

Wim Holemans
Network Services University of Antwerp
Netwerkdienst Universiteit Antwerpen
[c-nsp] Virtual Routers
Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] Catalyst 3750 stacks with many members
Got some personal mails all in support of stacking, saw only negative mails on the list, interesting... The price difference between 2x 3750 and a 6504 is not so small, and a 6504 with one supervisor is still a single point of failure where a cluster of 2 switches would give me redundancy. Thanks everyone for the answers, still not sure what we are going to do.

Wim Holemans

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
Sent: Monday 17 November 2008 2:10
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:
> As a result of that we do not put stacks any more. If we need more ports we simply join them using ethernet cables (and etherchannels) and manage independently of each other.

It has always been my personal opinion that inter-switch trunking or migrating to a small, single-chassis, multi-line-card based platform (e.g., 6504-E) would offer far less headache than Stacking, and keep things simple.

Given the feedback from folk on this thread so far, I think we did well to avoid stacks.

Mark.
Re: [c-nsp] Catalyst 3750 stacks with many members
Could you/someone elaborate on 'failure of one part is a failure of the stack'? I thought Cisco just pushed this construction to get more redundancy/uptime in the network? We were planning to replace some single switches with a lot of dual-line channels with a cluster of 2 of these 36xx or 37xx switches, so we could split the channels over 2 switches and still have a connection when one of the switches failed. Reading the recent negative comments on switch stacking I start wondering if this is a wise decision...

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jamie rishaw
Sent: Friday 14 November 2008 20:55
To: Dale Shaw
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

Yeah.. Replace them. With Chassis(es).

Stacks are just a bad idea. Failure of one part of the stack is a failure of the stack. A 65xx serves just as well, better even; cheaper, more reliably, and with less BS..

I'm in the middle of tossing (however many letters are, inclusive, between a and s) stacks, moving to 65xx chassis(es) with 10/100 // triplespeed blades... moving to paired '09's.

Cue the happy singing birds and obama 'yes we chassis' glory in 3.. 2.. 1..

-j

On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw [EMAIL PROTECTED] wrote:
> Hi all,
>
> We have a few large (6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.

--
..!google!arpa.com!j
[c-nsp] rtr responder on 6500
We are setting up a testbed for IP SLA monitoring and I wanted to include our core 6500 switches in the test. For 2 of them this went without problem, on two others this doesn't work: I get the following error (after turning on debug):

RTR unable to set SO_STRICT_ADDR_BIND option

I searched the Cisco website and also did a Google search but this didn't give any results. Does anyone have an idea of what is going wrong here? Both non-working routers have a SUP32, the working ones a SUP2 supervisor.

Router1 s3223_rp-IPBASEK9-VM Version 12.2(18)SXF6 WS-SUP32-GE-3B : rtr responder not working
Router2 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6 WS-X6K-SUP2-2GE : rtr responder working
Router3 s3223_rp-IPBASEK9-VM Version 12.2(18)SXF6 WS-SUP32-GE-3B : rtr responder not working
Router4 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6 WS-X6K-SUP2-2GE : rtr responder working

Is it possible I need the ipservices version to do this? Does anyone have a clue what the error means? The rtr responder command is accepted in all versions.

Wim Holemans
Netwerkdienst Universiteit Antwerpen
[c-nsp] FWSM convertion
Does anyone have a good reference on the steps to take to convert a standalone FWSM to the primary of a FAILOVER FWSM pair? The current FWSM is running 3.2.8 and has 2 transparent contexts. Are there any steps that will influence the currently running FWSM (take it down or so)?

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
[c-nsp] FWSM failover transparent mode
Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second. In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0? Any info would be appreciated before we invest more than 15K Euros...

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] FWSM failover transparent mode
48 port 10/100/1000mb EtherModule WS-X6148-GE-TX. Bought them without knowing about the 8-port 1Gig limit; we plan to replace this construction next year with a VSS solution, type of 65XX not yet chosen.

Wim Holemans

-----Original Message-----
From: Eric Cables [mailto:[EMAIL PROTECTED]
Sent: Friday 5 September 2008 18:59
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server connectivity in your 6513? We deployed some 6513s as SF switches long ago (bad decision), and are now swapping them out with the 6509-E chassis due to the need for additional performance (6748s in all slots).

--
Eric Cables
Re: [c-nsp] 6509 ACE/FWSM Modules??????????
Can someone clarify the PAgP problem? I had a discussion with someone from Cisco about a new design in one of our data rooms and we had chosen a VSS solution with dual 3750E stacks and 20Gig uplinks in each rack to the VSS chassis for max redundancy. According to our Cisco contact, this was a working solution. If however it is impossible to make channels between a 3750E cluster and both switches in a VSS, the complete design has to be redone...

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: Mike Louis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2008 6:19 PM
To: Teller, Robert; Tony Varriale; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 6509 ACE/FWSM Modules??

Last time I checked the 3750 did not support the pagp extensions for vss. You would get an stp loop if you tried. Has this support changed?
[c-nsp] Cisco vulnerabilities
I got this via Qualys but haven't seen it on this list (hope I didn't miss it). So to be sure:

The following vulnerabilities were added to the Vulnerability KnowledgeBase of the QualysGuard Web service between May 05, 2008 and May 11, 2008.

QID    Sev.  Title
...
43134  P 3   Cisco IOS OSPF, MPLS VPN, and Supervisor 32, ... (CVE-2008-0537)
43135  P 3   Cisco IOS Multicast Virtual Private Network (... (CVE-2008-1156)

Legend:
V: Vulnerability
P: Potential Vulnerability

To view the Vulnerability KnowledgeBase, use the following URL:
https://qualysguard.qualys.de/fo/tools/kbase.php
[c-nsp] Port down 6500 warning via syslog
I know I have seen this before, but I can't find the article. On most Cisco IOS switches, you get syslog messages if a port goes down or up. On a 6500 this is not the case. But I remember seeing an article in which a way was shown to enable this feature on 65XX IOS. Does anyone have a pointer to this article or a short description of how to enable port down/up syslog messages?

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] Port down 6500 warning via syslog
Thanks to all who answered my question. The command is:

logging event link-status default

Wim Holemans
[c-nsp] etherchannel problems
We just got bitten by a serious etherchannel problem: we have a 2 gig etherchannel link between 2 campuses. Someone on the other end misconfigured an interface (typed 6/1 instead of 1/6) and overwrote the allowed vlans on one of the interfaces. As a result of this, the interface was thrown out of the bundle (at that side only) BUT the interface stayed UP. On the other campus, both interfaces stayed in the bundle, with very big problems as a result: the 6500 at that side considered both lines as valid and distributed the packets over both interfaces, sending half of the traffic into 'space'. If the interface had gone down as a result of the unbundling, there would have been no problem. We only use static channel settings, so no etherchannel negotiation between switches. Can this be solved with dynamic etherchannel bundling? Or does someone have another solution for this problem?

Wim Holemans
Networkservices University of Antwerp
[c-nsp] Max performance 6148(A--GE-TX boards
We have a bunch of 65XX with 6148-GE-TX or 6148A-GE-TX boards to connect a large number of servers and different etherchannels between them. When I checked the release notes for 12.2SX, I found the following lines:

...
WS-X6148A-GE-TX
* Number of ports: 48
* Number of port groups: 6
* Port ranges per port group: 1-8, 9-16, 17-24, 25-32, 33-40, 41-48
* The aggregate bandwidth of each port group is 1 Gbps.

WS-X6148-GE-TX
* Number of ports: 48
* Number of port groups: 2
* Port ranges per port group: 1-24, 25-48

Note: WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not support these features:
* More than 1 Gbps of traffic per EtherChannel
...

Can anyone comment on this? Does this mean we can get a max of 6 Gig throughput on a 6148A card and max 2 Gbit on a 6148? Or do these numbers only apply to etherchannels? I don't seem to find the right performance figures for these cards.

Thanks for your comments,

Wim Holemans
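Added example, not from the list or from Cisco: a small Python helper that encodes only the port-group layout quoted above and shows what the 1 Gbps-per-group figure does to an EtherChannel whose member ports land in the same group. The per-module total for the 6148A (6 groups x 1 Gbps) is inferred from the quoted notes; the notes give no per-group figure for the 6148, only the 1 Gbps-per-EtherChannel restriction, so the helper returns None for that module's total.

```python
"""Port-group math for the Catalyst 6500 WS-X6148-GE-TX / WS-X6148A-GE-TX
modules: which ports share a port group and what that does to an
EtherChannel built from them. Figures come from the 12.2SX release-notes
excerpt quoted in the post; nothing else about the hardware is assumed."""
from typing import Dict, List, Optional

# group_gbps: aggregate bandwidth per port group as stated for the 6148A.
# channel_cap_gbps: the 6148 note that >1 Gbps per EtherChannel is unsupported.
CARDS = {
    "WS-X6148A-GE-TX": {"ports": 48, "group_size": 8, "group_gbps": 1, "channel_cap_gbps": None},
    "WS-X6148-GE-TX": {"ports": 48, "group_size": 24, "group_gbps": None, "channel_cap_gbps": 1},
}


def port_group(card: str, port: int) -> int:
    """1-based port group for a 1-based front-panel port number."""
    spec = CARDS[card]
    if not 1 <= port <= spec["ports"]:
        raise ValueError(f"port {port} out of range for {card}")
    return (port - 1) // spec["group_size"] + 1


def group_ranges(card: str) -> List[str]:
    """Reproduce the 'Port ranges per port group' line of the release notes."""
    spec = CARDS[card]
    size = spec["group_size"]
    return [f"{start}-{start + size - 1}" for start in range(1, spec["ports"] + 1, size)]


def channel_report(card: str, members: List[int]) -> Dict:
    """Bucket EtherChannel members by port group and derive the bandwidth the
    channel can really carry according to the notes (nominal = 1 Gbps/port)."""
    by_group: Dict[int, List[int]] = {}
    for p in members:
        by_group.setdefault(port_group(card, p), []).append(p)
    shared = {g: ps for g, ps in by_group.items() if len(ps) > 1}
    spec = CARDS[card]
    nominal = len(members)
    if spec["group_gbps"] is not None:
        # Every group is 1 Gbps aggregate: two members in one group share it,
        # so distinct groups, not member count, bound the channel.
        usable = min(nominal, len(by_group) * spec["group_gbps"])
    else:
        # 6148: the notes only say more than 1 Gbps per EtherChannel is unsupported.
        usable = min(nominal, spec["channel_cap_gbps"])
    return {"groups": by_group, "shared_groups": shared,
            "nominal_gbps": nominal, "usable_gbps": usable}


def card_aggregate_gbps(card: str) -> Optional[int]:
    """Upper bound for the whole module if every group carries its stated
    1 Gbps; None where the notes give no per-group figure."""
    spec = CARDS[card]
    if spec["group_gbps"] is None:
        return None
    return (spec["ports"] // spec["group_size"]) * spec["group_gbps"]


if __name__ == "__main__":
    # Two adjacent ports bundled on a 6148A share one group: 2 Gbps nominal, 1 usable.
    print(channel_report("WS-X6148A-GE-TX", [1, 2]))
    # Spreading members over groups keeps the full channel bandwidth.
    print(channel_report("WS-X6148A-GE-TX", [1, 9, 17, 25]))
    print(card_aggregate_gbps("WS-X6148A-GE-TX"), card_aggregate_gbps("WS-X6148-GE-TX"))
```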
[c-nsp] Temp sensors on 6500 48 10/100/1000 module
Can anyone tell me where the temp sensors on a WS-X6148-GE-TX board are physically located? This is part of the env info:

module 2 outlet temperature: 27C
module 2 inlet temperature: 24C
module 2 device-1 temperature: 25C
module 2 device-2 temperature: 27C
module 3 outlet temperature: 27C
module 3 inlet temperature: 25C
module 3 device-1 temperature: 25C
module 3 device-2 temperature: 30C
module 4 outlet temperature: 27C
module 4 inlet temperature: 25C
module 4 device-1 temperature: 25C
module 4 device-2 temperature: 28C

Modules 2-4 are the same modules and all temps seem to be within limits, but the module 3 device-2 temp is rather high compared to the other temperatures. Can anyone tell me where this sensor is physically located on the board? Front? Back? Left? Right?

I also have a question about the fans: there is a command to show the fan status, but what is the output if one of the fans fails? Does it signal single fan failure or only full-fan failure?

Greetings,

Wim Holemans
Network Services
University of Antwerp