Cisco Switching/Routing :: ERSPAN Source On Nexus 5548 And Destination On Catalyst 6500
Aug 9, 2012
I'm trying to get ERSPAN working with an ERSPAN source on a Nexus 5548 and the ERSPAN destination on a Catalyst 6500.
The configuration on the Nexus is as follows:
ip address 192.168.2.133/32
If I do a netdr capture I can see ERSPAN traffic sourced from the Nexus reaching the C6500, but there doesn't appear to be anything sent out the ERSPAN destination inerface (Gi4/6) and there's nothing being received by the probe connected to that interface. I know the traffic seen with netdr is definitely the ERSPAN traffic sourced from the Nexus as I've changed the TTL and DSCP values within the monitor session on the Nexus and can see those changes reflected on the C6500 netdr capture. The attached is a screen grab of the show netdr capture started with debug netdr capture soure-ip-address 192.168.2.133.
When I look at the interface I see it shown as up/down (monitoring), but no output or counters clocking up. If I run a local SPAN session on the C6500 it works fine.
I've tried changing the destination IP address from that assigned to the C6500 Loopback interface to an IP address assigned to a physical interface, but that still doens't work.
The hardware in the C6500 is WS-SUP720-BASE Hw version 3.2 with WS-F6K-PFC3B Hw version 2.4. The IOS version is 12.2(33)SXI6.
i would like to monitor traffic between multiple source ports to multiple destination ports on a nexus 7k. i lknow when you set up monitor session is between source and destination (laptop or traffic analyser) but is there a way i can set up between source and multiple destination ports and capture that traffic ?
Basically I am trying to use Wireshark to do a packet capture on a Nexus 5010. I want to do a monitor session on on the switch so I can capture from a source port to a destination port on the same switch. I can configure the source port but when I go to configure the destination port I get "ERROR: Eth102/1/4: Configuration not allowed on fex interface". I have tried to reconfigure this port as a switchport but "switchport mode access" command does not take. I don't want to make any changes to any other ports but this one.
I'm attempting to create an erspan session between a Nexus 5000 and 6500 to get traffic from a FEX interface on the 5000 over to a sniffer off of the 6500. The Nexus and 6500 are directly connected with a 10G link, but I added a separate 1G link between the two for the erpsan traffic. I created a routed interface on the 6500, and and SVI on the Nexus. The Erspan session came up, and looked ok from both sides, but as soon as we got a burst of traffic this morning the CPU on the 6500 spiked to 99%. I used 'debug netdr capture rx' to determine the traffic was coming in from the erspan port and subsequently shut down the new interface on the 6500. why this caused a CPU spike? Here are the relevant configs from each device:
The diagram below is the configuration we are looking to deploy, that way because we do not have VSS on the 6500 switches so we can not create only one Etherchannel to the 6500s.Our blades inserted on the UCS chassis have INTEL dual port cards, so they do not support full failover.
Questions I have are.
- Is this my best deployment choice? - vPC highly depend on the management interface on the Nexus 5000 for the keep alive peer monitoring, so what is going to happen if the vPC brakes due to: - one of the 6500 goes down - STP? - What is going to happend with the Etherchannels on the remaining 6500? - the Management interface goes down for any other reason - which one is going to be the primary NEXUS?
Below is the list of devices involved and the configuration for the Nexus 5000 and 65000.
· 2 Cisco Catalyst with two WS-SUP720-3B each (no VSS) · 2 Cisco Nexus 5010 · 2 Cisco UCS 6120xp · 2 UCS Chassis - 4 Cisco B200-M1 blades (2 each chassis) - Dual 10Gb Intel card (1 per blade)
We have HSRP between NexusA and NexusB with access layer switches connecting to the core using VPC, We are trying to setup a VAM server Voice recording for Siemens phones. We need to span all voice vlan and point it to the VAM server the VAM server connects to a 3750 Stack considering the amount of traffic multiple span session can generate I plan to move the server to the Nexus directly and run a Local Span Session.
1- As we have two Nexus running HSRP and VAM server only connects physically to one NexusA (I can run local span on that nexusA) the Second NexusB is not directly connected to the VAM server I plan to run ERSPAN so if this is the best design and which path will the span traffic take from Nexus B to NexusA will it go through the access layer switches depending on the vlans allowed on the uplinks or will it go through the 20 Gig uplink between the two Nexus allowing all vlans (VPN peer links) ? WE have approximately 10 voice vlans, Do we an example config for ERSPAN session where the source are vlans (As I am for fimilliar with RSPAN) ?
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.
We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches.For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface.We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?
I have Nexus 5548UP, Version version 5.0(3)N2(2b), with a flat configured network. Customer has put several IP subnets on one Vlan. In one subnet is an Siemens SPS wich connects to a Server. This SPS is not reachable since I send a ping from the N5k, then everything works fine. Sniffering that port no arp requests from the N5k are captured. That hapens with every device (Siemens SPS) in the network. Every other clients and server are working fine and there are no problems.
I have a Nexus 5548 Recently restart itself for no reason I ran the command:
sh system reset-reason ----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) --- 1) At 469203 usecs after Sat May 11 14:02:07 2013 Reason: Reset triggered due to HA policy of Reset Service: eth_port_sec hap reset Version: 5.1(3)N1(1a)
sh processes log details
Start type: SRV_OPTION_RESTART_STATELESS (23) Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2) Last heartbeat 6.09 secs ago RLIMIT_AS: 189894144 System image name: n5000-uk220.127.116.11.N1.1a.bin
I've been searching in Google/Cisco about the eth_port_sec hap reset and cannot find any reason, just something about the same error but in different technology:
CSCub36000 #SNMP polling on eth_port_security objects no longer causes an eth_port_sec hap reset.I just to want to be sure, is the same reason...Or do you know something than can cause it on a Nexus Switch?
We have just purchased and installed the L3 daughter card for our 5548UPs and have also installed the L3 Enterprise Services pkg. The problem is, I cannot enable the EIGRP feature even though we have the Ent Svc lic. After doing a little more research, I see that the Lan Base lic is required to enable the L3 card and many of the L3 features (the card is currently in an "offline" state).
From what I have read on this board, the Lan Base lic is a free license that should be included with the L3 daughter card -- however, Cisco licensing will not issue me that license without a sales order (even though a Nexus engineer said it was included, the licensing group will not issue with an official sales order). Well, our vendor ordered the card and the Ent Svcs lic but for some reason we were never sent a PAK for the LAN Base lic.
using the 55xx as a L3 Distribution switch or even as a Core. By enabling the L3 features does it allow you enabled L3 SVI's for VLAN interfaces or are there interfaces on the daughter card that are used for routing instead?
The Nexus 5548 is running 5.1.3.N2.1a and has the L3 daughter card (N55-D160L3)I have the EIGRP feature enabled. By the way, when doing a 'sh feature' four EIGRP features show up like this: [code] To create the L3 SVI, I go into config mode and attempt to type 'interface vlan 10'. but this doesn't work. These are the only options under the keyword 'interface':
- ethernet - loopback - mgmt - port-channel
I must be missing something simple but can't seem to see what that is. What do I need to do in order to create an L3 SVI on this 5548?
I want to configure management for some Nexus 5548's?I wanted to manage the switches via an SVI. I have read the following document which gives details about the Management SVI but doesn't answer all questions.[URL]I am not running any layer 3 functionality on the switch, no layer3 license (which it mentions in the above link) Will I still be able to create a management SVI. I know I will need to enable the feature 'interface-vlan' to setup a Management SVI, does that require a license?
I encountered problem while trying to copy file from Nexus 5548 to my ftp server (proteus - 192.168.12.220 - the Nexus switch is able to resolve name proteus correctly to 192.168.12.220). See below the working and not working scenarios. I have serached through Cisco Bug Database but unable to find any related bug associated to this problem. This Nexus is running the following NX-OS version.
n5000-uk9-kickstart.5.1.3.N1.1a.bin n5000-uk18.104.22.168.N1.1a.bin Working (without specifying the username and full path)
We have two 5548 switches connected to a pair of 6509 running in VSS mode. I am trying to understand the benefit of having bridge assurance on the uplink ports.
If we have the command spanning-tree port type network enabled we cannot do a non disruptive upgrade. If there is bridge assurance on the uplink it warns you of this. Yet if I do not run bridge assurance on the uplinks I can do a upgrade without any disruption.
Why in god would I enable bridge assurance on this VPC link if I cannot do a non disruptive upgrade?
I need to upgrade the code on our two Nexus 5548's in order to facilitate the installation of a few FEX's, but due to the fact that seemingly all of my port-channels are in the STP DESG forwarding state, an ISSU upgrade is not possible. Everything connected directly to our 5548's are utilizing VPC's, including an HP Blade chassis, and several Netapp devices. If I follow the normal upgrade route, should I experience an outage, or should the secondary switch just continue passing traffic?
I'm trying to setup SNMPv3 on a Nexus 5548. We are using SNMPv3 on 3750's without any issue, but haveing issues getting it setup on the Nexus.I have been using the following link for the setup following it line by line. [URL]The part that I'm having issues with is when I try to enforce SNMP message encryption on a per user basis. When I issue snmp-server user (username) enforcePriv, I get warning: unable to update CLI users database. reason: role does not exist grounp not found.
I am setting up a new environment with 2 5548's and some 2248TP-1GE Fex's and Im running into an issue. I have the peer link and peer-keepalive link that appear to be good. When I configure the fex and vpc for the fex manually on each switch without pre-provisioning the slot the fex comes online and everything appears to be good. I can see all the ineterfaces when doing a sh int br and the sh fex detail shows all good. When I do the exact same thing but pre-provision the slot the fex stays in an offline state. Ive tried disabling the port(s) connected to the fex while configuring everything then enabling them but same thing. [code]
regarding PVLANs and the Nexus, my understanding is that we cannot configure Private VLANs on a FEX trunk port with a NX-OS release older than 5.1(3)N2(1) for the Nexus5548... Is there any known workaround for this limitation (appart from performing a SW upgrade)?
I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me the input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name because the client probably will not.
The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
I am trying to install SFP-GE-T module on Nexus 5548UP Switch, but is giving the ‘SFP validation Failed’ error. The details of the switch is given below
Model : N5K-C5548UP-FA
The interface is configured with speed 1000 before inserting the module, still we are getting the same error. PFA logs for more details We have 8 Nos of SFP-GE-T modules , all are giving same error. We tried to insert the module on onboard as well as expansion module.
The same module is working fine on Cisco 3750X-24T-L Switch As per the Hardware installation guide , SFP-GE-T transciever is supported on N5K platform. Please extend your support in configuring SFP-GE-T module on N5K platform? We tried with SFP-GE-S module on the same switch , and the same is found working fine.
I am trying to interconnect a pair of Nexus 5548 at adjacent sites, using 2 2960-S switches at each site, the reason being that the Multimode Fiber between the sites will only support 100mb and I need this up while I finish having SMF laid.
I have attached a diagram, just debating whether to use etherchannel or vPC - would like to hear some opinions...
Assume the interconnect between the 5548's needs to be 802.1q trunk
just a simple question. Is it possible to use a nexus 5548 UP switch as a layer 3 router between different vlans on the switch without the layer 3 card ? Or is there no 5548 as a router with the layer 3 card ?
My Nexus is a 5548-UP model, NX-OS version : 5.1(3)N2(1b)
I try to debug an OSPF and an ICMP problem using the debug ip ospf command and the debug icmp command but not output appear on the terminal. As the switch is remote, I entered the terminal monitor command of course.
SG01NX01# terminal monitor SG01NX01# debug ip ospf 1 packets SG01NX01# show debug
We would like to add another Nexus5k to this topology. However, it has to be a zero downtime infrastructure add-on. When setting up the keep-alive, peer-link, vPC and vdc domain, will there be any upset in network traffic on the current N5k?Also, are the Nexus5k configurations synchronized or are they independent from one another? Before setting up the new 5k, should i configure it to teh 6509's, and vPC's to the Nexus2k's before setting up peer-link?
We inserted GLC-T modules and on Nexus 5548 they are showing SFP validation Failed , as per Cisco doc GLC-T is support . Since we have 28 such modules and all after inserting showing same error. please see the below details. I also try configuring speed and inserting modules but no result ..let me know whether my GLC-T module is supported on Nexus 5548
INMUMFDS1SWCORE01# show module Mod Ports Module-Type Model Status --- ----- -------------------------------- ---------------------- ------------ 1 32 O2 32X10GE/Modular Supervisor N5K-C5548P-SUP active * 2 16 O2 16X10GE Ethernet Module N55-M16P ok 3 0 O2 Daughter Card with L3 ASIC N55-D160L3 ok
We are planning to have attach topology with nexus 5548 using vpc. Let me know if this i possible. I want to configure dual NIC linux server using LACP active mode to connect to two 5548 in VPC for redudancy as well as use of full access layer bandwidth. On nexus this will be access port in single port channel in single VPC link.
I've just plugged in 4 Nexus5548 switches and ran through the initial setup without any issues. However, the fans seem to be stuck on full speed. At the moment they're the loudest thing in the server room.
I know this isn't the most recent OS however I was hoping to avoid updating if necessary as I don’t have the service agreement linked to my account and can’t download the update without it. Is there anything else I can try first or anything I have missed?
Software BIOS: version 3.5.0 loader: version N/A kickstart: version 5.1(3)N1(1a) system: version 5.1(3)N1(1a) power-seq: Module 1: version v1.0 Module 3: version v2.0 uC: version v22.214.171.124 SFP uC: Module 1: v126.96.36.199 BIOS compile time:
We are trying to connect 2 nexus 5558UP (5.1.(3)N1(1)) with 10G-SFP+-LR interfaces. The interfaces are not genuine cisco's (smartoptics) but as far as we can tell, they are accepted by the hardware. If we take a look at the optical levels, we can see that the switches can see eachother (double-checked by bringing down one interface to see if optical levels really disappears) on optical level, well within limits. I found a notice about changing debounce timers but this doesn't work, setting it to 0 or 1000 doesn't make a difference. Copies of the different show int commands can be found at the end of this text.
Wim Holemans Network Services University of Antwerp
swnxds01-enable# sh int eth1/3 transc details Ethernet1/3(code)