Cisco Switching/Routing :: 3570 / Multi-process OSPF Redistribution And Failover?
Feb 7, 2013
I have two ospf processes running on a single 3570 edge router that has a dedicated transport circuit back to our network core. We are adding an additional "transport" only circuit into a new location that is also apart of the second ospf process backbone which will connect back to our core. There will also be a 3750 for this new circuit termination. Currently we are only redistributing ospf process 2 into ospf process 1 (1 = core backbone).
#router ospf 1
#redistribute ospf 2 subnet
We have no need to have ospf process 1 redistributed into the process 2 tables. That being said, when we add an additional transport ciruit, or path back to our core backbone, will this configuration present any issues with the redistribution process and failover.
I am having a problem reaching a soho linksys e1000 router through a second hop cisco 2900 router.Here is a brief topology of the network: I am using OSPF area 100 for all networks except for
192.168.2.0 on R1 to E1000 which is RIPv2 R1 directly connects to R2 with a point-to-point serial on network 192.168.12.0 /30 with ip 192.168.1.13 R1 directly connects to a a switchport using network 192.168.2.0 /24 with ip 192.168.1.75 R3 directly connects to a switchport using network 192.168.1.128.0 /25 with ip 192.168.1.129 R3 directly connects to a different cisco router using ethernet on network 192.168.1.0 with ip 192.168.1.1 E1000 directly connects to a switchport using network 192.168.2.0 /24 with ip 192.168.2.1
The switch has a vlan ip on 192.168.1.128 /25?I can ping from R1 to E1000?I can ping from R3 to R1 192.168.2.75? I can't ping from R3 to E1000 192.168.2.1?show ip route on R2 indicates that network 192.168.2.0 is reachable via the serial connection on 192.168.1.12?I have redistributed rip to ospf area 100 and OSPF to RIP on R1?I am wondering why R1 can reach E1000 on network 192.168.2.0, and why R3 can reach R1s 192.168.2.0 newtork, but R3 can't reach the E1000.There is an R2 router than can reach R1 and also cannot reach E1000, but I assume it's for the same reasons R3 can't, so I've omitted the remainder of that topology for this question.
I'm looking to redistribute static routes in to OSPF on a Nexus 7k. To do this I'll be using a route-map with a match statement. My question is can you match routes using an ACL, a prefic-list or both. The reason that I ask is that in some docs I've read it states the following:
IP access lists—(For policy-based routing only). Match based on source or destination IP address, protocol, or QoS parameters. This tends to indicate that you can't use IP access lists for the match criteria for redistribution.
Ok I didn't setup my OSPF on my 7010. Today I found out that any static route I put into my 7010 gets sent into to my MPLS network. My 6509's you have to "Tag" the static rout for this to happen. Was under the impression the same was necessary for the 7010 or at least it had to "match" an access list. How can I fix the below so that by default all static routes are not resdistributed into OSPF? [CODE]...
I have 2 ASBR routers, AGFR01RTR03 and AGFR02RTR03, performing OSPF to OSPF redistribution in both ways for the same ***. They also do summarization for our private addressing scheme. It is all working just fine for that part (neighbors, summarization, redistribution).
Let's focus on AGDC01RTR01 with a specific entry here (IP subnet is fake) :
Routing entry for 220.127.116.11/25 Known via "ospf 1000", distance 110, metric 300, type inter area Last update from 10.2.244.76 on GigabitEthernet5/1, 1d03h ago Routing Descriptor Blocks: * 10.2.244.76, from 10.2.1.249, 1d03h ago, via GigabitEthernet5/1 Route metric is 300, traffic share count is 1
I've been reading the documentation for the new 3750v2 switch, and I'm wondering is the IPBase license supports FULL OSPF. The product sheet notes that it supports OSPF in the IPBase license, but then further down the page it notes that for advanced routing functions (EIGRP,OSPF) you need the IPServices license. Are there any limitations to the OSPF process on a 3750v2 with the IPBase license?
We are cutting over from 6500 IOS to Nexus 7000 and have hit "Maximum ospf feature instance limit reached." as we configured up the 7 existing ospf processes - the limit is 4. These existing processes are for various vrf contexts we have. I see you can run multiple vrf contexts under one process - but how does that work in a mixed environment where the ospf neighbours are still ios 6500s? They still expect to see different ospf process id per vrf.
Currently the OSPF network consist of 2 segment route via static route.One is AREA 0 and another AREA 10.Both network are seperate entity, only static route to route between 2 networks.But the static route do not provide the dynamically and flexibility, I plan to run routing between 2 networks via VLAN160 and VLAN162.
I still want to manitnace it was 2 different OSPFrouting domain.Can I run OSPF with differrent OSPF porcess ID?
We are currently running ISIS and recently we have purchased 2 WS-C3750X-24. Unfortunately 3750 do not support ISIS and we have decide to use redistribution between ISIS and OSPF. We are using Stack feature so consider 3750 as one chassis.
Router A and Router B are ISIS neighbors. As first step we have setup redistribution between Router A and Switch 3750
Router A Configuration router isis net 49.0000.0000.0000.0001.00 metric-style wide [ code]...
I am facing two issues in BGP both the topology and Config files.Because the link between Vail and Telluride runs iBGP, both routers will learn about the networks in AS 300 and AS 400 through native BGP only and both AS's do reach each other. Both routers are also running OSPF with Aspen and BGP routes are redistributed into OSPF domain. Now, Aspen knows about the networks in AS 300 and AS 400. Now suppose the link between Vail and Telluride fails, both AS 300 and AS 400 can't reach each other anymore. The only solution to this is to redistribute OSPF routes to BGP on Vail and Telluride. But when i did this, only routes with "O" learned by Tahoe and Alta. In other words, Tahoe sees only 192.168.1.220, 192.168.1.196 and Alta sees only the same routes. Why the redistribution from OSPF to BGP didn't advertise the O E2 routes?
This actually was discussed before but i still can't get it. It is not an actual issue.It is about "Syncronization". I know that we've said many times to turn on Sync. when we do redistribution from BGP to an IGP to make sure that the routes are installed correctly in the IGP routing table. However, as you notice in the configuration, i didn't enable Sync. on Vail and Telluride for a long time and redistribution still works fine.
I have two core switches - 4506E, and i noticed there are frequent cpu spikes on both of the cores switches. As its spikes intermitendly i couldnt able to anlyze the issue. I need inputs on the following,
1) Is there any Free CPU process monitoring tools to identify which process is spiking ?
2) Troubleshooting techniques to identify the issue.
I have a video feed coming into my 3570. It comes in at 5 minute input rate 18777000 bits/sec, 1695 packets/sec. However, the uplink to the router is much different, 5 minute output rate 130000 bits/sec, 28 packets/sec. I am in a lab and about ready to go into testing phase for a project when we discovered this problem, as this video feed is not veiwable on the other end.
Below is the config and capture from the switch.
BLOSSw1#sh int g1/0/6GigabitEthernet1/0/6 is up, line protocol is up (connected) Hardware is Gigabit Ethernet, address is a44c.112f.3506 (bia a44c.112f.3506) MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 4/255 Encapsulation ARPA, loopback not set Keepalive not set Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:00, output hang never Last clearing of "show interface" counters 15:16:25 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute
i've got a stack of 3750's configured, everything is working fine, but the web interface for the stack will only present the web based express configuration page. I can't get it to go away. what needs to be done to clear whatever flag or register that causes this behavior. the cli is fine, it's not trying to force epxress setup there, only in the web interface. will reloading the software image fix this?
I am in the process of migrating our existing server farm subnets to our new Nexus server farm and I discovered something I wasn’t expecting. My intention is to migrate our existing legacy server farm which is comprised of for paired 3750 switches off of our core 6509s and onto the Nexus and connect them to the 2232s via multi gig port-channel connections, two port channels per switch stack.
NOTE this is expected to be a temporary move as next year we intend to install additional N2Ks and move servers over to these directly. But to minimize the outage/downtime it will be better to move the subnets and switchs all at once.
These connections would be grouped 1 gig connections as port channels, one from each switch into one of the two 2232s.
Problem I discovered is Cisco does not intend to have switches connected to the Nexus and it immediately disables the ports when they see BPDUs.
I found a config that does work and it does fail over from one port-channel connection to the other but with the limitation that when the original port channel comes back online it does not fail back over to the original one, an acceptable situation for us. But I am wondering if Cisco would support this design if we did experience issues down the road.
The only issue I really see is to get it to work the config is different on the two N5Ks, see the pert config below for the connections. Both are running the same OS
augs1-ba-ar17# sh ver Cisco Nexus Operating System (NX-OS) Software TAC support: [URL]
OK. I think Im going crazy here. Im studying OSPF and I'm working on the DR/BDR election process. I have a topology where three devices (RIDs 18.104.22.168, 22.214.171.124, and 126.96.36.199) are on the same ethernet segment so they need to elect a DR. 188.8.131.52 is a switch and Im using a SVI for the OSPF interface. Van't get the darn thing to show up in the post but here is the topology.URl After OSPF came up, I noticed that router2 was selected as the DR and that switch1 was selected as the BDR. I thought initially that it was a matter of timing and that perhaps router2 just came up first and the slower SVI interface came up second. Shutdown the interfaces, cleared the OSPF process, and set the OSPF router priority on the VLAN interface to 10.
I want to configure multilink between two Cisco 7206 routers POS interfacesafter configuring both sides.Router 1interface Multilink5 ip address. [code]. I can see both sides through show cdp, also ospf process goes to FULL stateBut traffic is not flow between interfaces, and i can not even ping router's own ip address.When i delete network statement from ospf process, i can ping router's own interface and both routers can ping each other.
Is there a known bug for Nexus 7K version 6.0(4) related to route redistribution?I have few vlan interfaces and being redistributed to the BGP.vlan interfaces are all up ang pingable.After configuring redistribution, vlan route is not in the bgp table.sho ip bgp is saying "path invalid"
BGP routing table entry for 10.165.101.192/28, version 26302 Paths: (3 available, best #3) Flags: (0x180c0021) on new-list, is not in urib, need resync with RIB, exported, has label vpn: version 47719, (0x100002) on xmit-list local label: 492294
I currently have a set of firewalls in active standby configuration running an ospf process injecting a default route into the rest of my network.I noticed when i was testing the failover that the asa's do not actually pass the route tables on failover, thus forcing the need to wait for routes to converge and for the default route to be advertised back into the network. This of course is not acceptable.
Is there a way around this or do I have to setup static default routes on every device in my network. I am trying to avoid setting up default routes on all of the devices because due to the setup of my network I have equal cost links configured in the event of hardware or link failure. So the devices then see an advertised default route from multiple paths.
I have two switches and two ASA in active/standby as connected below. These devices are running OSPF 128 in one area (Area 0).I'm pinging from both laptops to each other both ways. The ASA has the latest "8.6.1-5" image. I've configured the firewall failover polltime to 1s with holdtime of 4s. Pings both ways OK.
I fail the primary firewall (ASA-ACTIVE). I get a 4 seconds ping loss which is expected (holdtime) however after 10 seconds of pings I get another outage which last anywhere between 5 and 15 seconds. I've done a fair amount of debugging and I did notice that the second outage occurs with the OSPF neighbor goes from "loading" to "full". This doesn't make any sense because the routing table is fully populated when going to “full”.
When perfoming a manual fail back (type failover active on ASA-ACTIVE), pings goes on for approximately 10seconds and then an outage between 5 to 15 seconds. Agsin this outage occurs when OSPF neighbor goes from "loading" to "full".I've tried debugging on the switches and found nothing.
I'm currently working on setting up 2 ASA 5510's with redundancy/failover. I'm not an expert when it comes to the ASA's so I'm not 100% sure if I can do what I need to.I have 2 inside networks that need to remain separate, a DMZ network,and an outside network. Since each network connects via ethernet to one of the 4 ethernet ports on the ASA 5510's, all 4 ethernet ports on the ASA 5510 will be in use. If I wanted to setup one firewall as Active and the other as standby, how would I go about doing that? Do I need a direct ethernet connection between the 2 firewalls to use something such as HSRP? Or would the Standby firewall be able to tell if the Active firewall is OK since they would both be connected on each of their interfaces to the same networks?
I am getting this error on my PIX 535 with 8.0.4 code. The error is Error : OSPF/RIP cannot be enabled on failover interface, I am getting this error while trying to enable RIP on the firewall. The context is single mode and failover is enabled. When I am disabling the failover the Firewall is accepting the RIP configurations.
Have a 1921 that has 3 eth connections (1 LAN, and 2 WAN) - I have 2 seperate OSPF processes (2 areas) on the WAN Ints - both upstream WAN's are sending defaults back to the 1921, and the 1921 is sending it's LAN range to them.
I have ip ospf cost 150 set on the "failover" WAN connection interface (Both on the 1921 and upstream), but the 1921 is preferring the default route from the "failover"?
The default routes are both being received by the 1921, but it's preferring the "failover" Int with the ip ospf cost 150 configured?
I have a network with several catalyst 2960 switches and one catalyst 3750. I have created two VLAN and set up the proper routing and everything is working fine there. I have a client/server application that used multicast in the initial start up for the client to determine available servers, the issue is one of my clients is on a different VLAN then the server. I am able to route the multicast using MVR as long as both the server and the client are plugged into the 3750 by creating a static route, making the server a source port and the client a receive port. Unfortunately I need the client and the server plugged in to different 2960s. My question is how do I establish multicast routing between the two and perferably do it dynamically (always route multicast traffic from one VLAN to another).
We are in the process of switching our infrastructure of our routing/firewalls/vpns over to cisco. We are switching our first location and one of the issues I'm struggling with is windows authentication pass-through for internally hosted web pages. Meaning, user inside our network has the 2921 as their default gateway, they try to access a web page that is hosted on the internal network but is secured with windows authentication. In the past, because they are logged into the domain internally, the website authenticates and loads. After switching to the Cisco, it asks for a password even though they are logged in.
Because its the web server that actually authenticates I'm not sure why the router isn't allowing that to happen, but I can't think of anything else that could be causing this behavior.
I have a process whick take all the CPU on two differents Stack of WS-C3750G in version 12.2.53(SE2):
XFRPALSN02R#sh proc cpu sorted CPU utilization for five seconds: 97%/3%; one minute: 95%; five minutes: 95% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 307 5450059 4167397 1307 86.74% 83.63% 83.35% 0 hulc nrgyz PD di XFRPALSN02R#sh proc cpu sorted CPU utilization for five seconds: 96%/3%; one minute: 96%; five minutes: 96% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 307 7779608 5947379 1308 86.26% 85.75% 85.30% 0 hulc nrgyz PD di
in both case some times i obtain lowing traffic on interface and highest cpu - to 100% after clear cef linicard i obtain growing traffic and cpu 0%
#sh proc cpu s CPU utilization for five seconds: 87%/83%; one minute: 91%; five minutes: 96% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 7 1711512 87883 19474 4.06% 0.84% 0.89% 0 Check heaps
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.What is the best way to prevent VLANs from talking to each other?At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.Blocking the VLANs from accessing/telnetting the switch was very simple as I was able to do this in the VTY line section. However blocking VLANs from accessing the other VLANs on the switch seem to be hard and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24) want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site to site tunnel with with the same destination address of 10.20.20.0????
We are setting up a test lab in our DMZ. The path to the internet is basically like this. Anything past the firewall is irrelevant. For this lab lets assume it is vlan 300.
LAB SW ---> DMZ-SW ---> ASA FW ---> INTERNET LAB IP Range = 172.16.300.0 /24 GW = 172.16.300.1 (On FW int) Trunked all the way through.
I have an int vlan set up on the LAB SW. It is being trunked to DMZ SW. DMZ trunks it to ASA FW where there is a failover with a redundant switch.On the ASA the interface 0/2 is a subinterface 0/2.300 being used as the default gateway.
I have DHCP running in a specific range on the LAB SW and do get an ip address when plugged in. I cannot ping the default gateway on the ASA FW.The GW is defined using default-router command for 172.16.300.1 i.e. default-router 172.16.300.1?
We are running ospf on the firewall. There appears to be a pattern with ospf and a similar subnet setup elsewhere. I was wondering based off of this info would configuring ospf for 172.16.300.0/24 allow me to ping the GW from a client on the LAB SW.Secondly. I trunked 300 on the DMZ SW but I didnt add the vlan to the configuration. i.e. conf t <enter> vlan 300 <enter> Does this really matter? Or is having the vlan in the configuration only pertain to access mode on interfaces?