Cisco Switching/Routing :: Intra-VLAN Traffic Not Passing Back To Nexus 5k
Mar 28, 2013
We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.
HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
When I ping between hostA and hostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2.The egress packets from Core1 show the correct destination MAC address of the target host. The mac address table shows the mac address on po31.
I have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
Has anything changed in the way of defaults for creating a trunk port and spanning-tree between a 3750x and the newer 2960s? I have one of each I just took out of the box and applied my standard switch configuration template but I cannot get my VLANs that are configured on my 3750X to appear on the 2960S. I find nothing that is blocking and everything seems to be forwarding and I am running out of things to check.
We want to get L2 traffic amount (bit/byte) passing through a cisco switch (6500/3560 ...) for a specific VLAN. it can be via SNMP or CLI ...How can we do that?
I have some specific traffic that I am attempting to pull off of VLAN 310 at the router, apply a route-map that sends this specific traffic back down to the switch on VLAN 55 (and the private address) and once it hits the switch apply a route-map on that VLAN 55 interface directing the same traffic over to the 72.x.x.9 address which goes through a FAP box back up to the router on another interface.
I have attached the config information, I know this isnt the best practice way to do this however right now this is how I have to do this.When runing a trace from the net traffic stops at .2 and when running a trace from my test /30 it stops at .2 as well. I am not sure what to do at this point
I was reading a QoS walkthrough earlier to try to solve my problem and I noticed that in IOS, you can specify "match vlan" in a class map. This is not available in NX-OS. I'm not doing any routing on the 5K so I cannot match on ACL, and port where traffic is received is a trunk sharing other types of traffic I'd like to classify elsewise.
I have a couple of Nexus 5ks that I want to put QOS on for the servers running behind it but also have voice running across it. Voice doesn't play well with jumbo frames so I'd like to put QOS only on the voice vlan.
I am working in my lab and I was adding a new L2/3 vlan
vlan 555 name test
int vlan 555 ip address 1.1.1.1/24 no shut
I have also ensured that this vlan is added to the port channel going to my Nexus5K's. I added the vlan to the 5K's and also ensured that vlan 555 is traversing the peer link. all is good there. I have also placed a device on a interface on the 2k as a access switchport on vlan 555
Here is my problem, the L3 interface will NOT come up on the 7K
LAB-DSW01# sh ip int brie IP Interface Status for VRF "default"(1) Interface IP Address Interface Status Vlan555 1.1.1.1 protocol-down/link-down/admin-up
I have gone throug just about everything I can think of and I am still unable to get this L3 interface to come up. I have other L3 interfaces on this device that are configured exactly the sameway without any issue at all. All the existing interfaces are working properly, it's jut this new interface that I am trying to add.
I am running version 6.0.1 on the 7K and 5.2.1.N1.4 on the 5K.
you find attached my network architecture with 2 Nexus 7010 on core layer and 2 Nexus 5020 on distribution layer, each one with 1 N2148T fabric extender switch. PC-A1 and PC-A2 are connected to one N2148T, PC-B1 is connected to the other N2148T. Nexus-7000-1 is HSRP Active for all VLANs, Nexus-7000-2 is HSRP standby. PC-A1 and PC-A2 are connected to VLAN A, PC-B1 is connected to VLAN B. PC-A1 and PC-A2 have the same default gateway correspondent to IP HSRP on VLAN A. It happens that PC-A1 is able to ping PC-B1 while PC-A2 is unable to ping PC-B1. If I issue a traceroute from PC-A2 I see Nexus-7000-2’s physical IP address as the first hop even if Nexus-7000-2 is HSRP standby. After the first hop the traceroute is lost. If I shutdown Port-channel 20 on Nexus-5000-2, PC-A2 starts to ping PC-B1.I can’t understand what’s wrong in this architecture.
I am seeing an issue that after deleting/recreating one of the VDC in Nexus 7K, VLAN is not been able to be configured within the VDC although it is not actually a reserved VLAN. Could it be anything missing in the license installation? the version of the image is NX-OS 6.1.2
I have the need for private vlans in isolated mode to backup some hosts on a secured network. We are using Cisco Nexus 5020 with the fex 2148 for copper-ports - and I tried to implement this setup: [code]
The Cisco Nexus 2000 Fabric Extender does not support PVLANs over VLAN trunks used to connect to another switch. The PVLAN trunks are only used on inter-switch links but the FEX ports are only meant to connect to servers. Since it is not a valid configuration to have an isolated secondary VLAN as part of a Fabric Extender port configured as a VLAN trunk, all frames on isolated secondary VLANs are pruned from going out to a FEX.
the "only" limitation should be the trunk option - but as far as I can see from the output from my nexus this is not correct .We are running NXOS: [code]
regarding QOS on Nexus 7000. Our Nexus 7000's form a collapsed distribution/core layer, our access layer switches are are a mixture of Cisco 3750 & Cisco 4507. 3750 switches will connect to Nexus switches via 1Gb uplink, 4507 switches will connect via 10Gb uplinks. Each Nexus will be connected via 20Gb port channel, all servers connect to the Nexus switches via 1Gb links. We're implementing a new telephone system soon which will be using VOIP so I need to configure the switches to perform QOS. The IP phones will mark the RTP traffic with DSCP value EF and call signaling traffic CS3. I'm fine configuring qos on the access layer switches, its just the Nexus switches which I'm not sure about.
Do I actually need to configure any QOS parameters on the Nexus switches so they will prioritise the VOIP traffic. If my understanding the Nexus switches will trust the DSCP values and assign the traffic to the relevent queues?
Just for information VOIP is the only traffic I will be marking QOS values
OSPF is the routing protocol. Everything works fine.New requirement (exchange 2010 MAPI & DAG subnets)
192.168.5.0 <--> 192.168.30.0 & 10.10.30.0 : Communication should fail 10.10.5.0/24<--> 192.168.30.0 & 10.10.30.0 : Fail Replica@DC <--> Replica@DC: work Replicas --> Rest of the nw- not that of an issue.
Iam thinking of adding a Extended ACLs on Replica-Exchange (DC & DR) and servers Vlan interfaces to block bidirectional communication.
CORE1 &2:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255access-list 101 permit ip any any !access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255
[code]....
Similar to the same on DR as well. I wanted to see if ACL is the way to go or any other suggested methods with OSPF being the routing protocol.
I am not able to create more than 256 VLAN in Cisco Nexus 5010 switch. While creating I am getting "No VLAN resources available for VLAN creation" Details below -
Switch model - 5010 Software : NX OS 4.0 (1a)
Error Message: Nexus_5010(config)# vlan 417 ERROR: No VLAN resource available for VLAN creation.
I have 2 NEXUS switches in VPC. When I create/delete a VLAN gets updated in the same switch, but the VLAN information does not get propagated to the neighboring switch. Revision number remains the same even if I modify the VLAN. Had also tried changing the VTP status to transparent mode & reverting it to client mode but no luck.Have double confirmed on the VTP domain names & password. However the same setup in different location which works perfectly fine.
I currently have two Nexus 5548UP switches in my environment running the latest code (n5000-uk9.5.1.3.N1.1a.bin). Both of these switches are connected via a VPC Peer Link (two ports on each switch in an Ether Channel) and a VPC-Keep Alive Link (a dedicated port). Hosts connect to each switch via a VPC for both IPV4 and FCOE.
As of right now, everything works. I currently have a stack of two 3750 switches that each Nexus is connected to. This stack is doing all the Intra-VLAN Layer 3 Routing for the Nexus Switches. However, I plan to get rid of the 3750s, and move the Layer 3 Routing the Nexus 5548's, so the backplane is 10 Gig instead of 1 Gig.. I have the Layer 3 Daughter Card installed in both switches, as well as the LAN_BASE license.
So, at the moment, I am trying to find the best way to accomplish Layer 3 Routing on these two switches. Since the Nexus switches are not stacked, and the FCOE portion of HA is taking care of by the Multipathing agent on each host, I believe am just concerned with providing Intra-VLAN routing in an HA build where if one switch goes down, VLANs still route through the other switch.
Again, since the Nexus switches are not stacked, I am guessing the best way to handle this is with HSRP, but my experience with that has always been with routers that have a switch in the middle. Can I make HSRP work without having a switch between the Nexus switches? Can I track the VPC peer link, or how do I do it? I guess I am looking for a sample config.
Let's pretend I had two VLANs:
VLAN 20: 10.20.20.254 - GW and 10.20.20.0/24 VLAN 40 10.40.40.254 - GW and 10.40.40.0/24
And I wanted the Nexus switches to route these VLANs regardless of which switch was up / down..
Yesterday I configured the 7010 Nexus switch. I created a VDC and allocated few ports and configured VLAN for testing. After enabling feature interface-vlan i was allowed to configured L3 interface for the vlan. I assigned ip address and connected few server to check the reachability but it says Destination Host Unreachable.
Having problem pinging from Host A on ESX1 to Host B on ESX2. Each host are assigned the same port-profile. If I put 2 host's on the same ESX machine using the same port-profile, they are able to ping each other.
n1kv-vsm# sh port-profile name xxx-prod-40port-profile xxx-prod-40 description: type: vethernet status: enabled capability l3control: no pinning control-vlan: - pinning packet-vlan: - system vlans: 1 port-group: xxxl-prod-40 max ports: 32 inherit: config attributes: switchport mode private-vlan host switchport private-vlan host-association 40 400 no shutdown evaluated config attributes: switchport mode private-vlan host switchport private-vlan host-association 40 400 no shutdown assigned interfaces: Vethernet3 Vethernet4 System-uplink profile is trunking all vlans.
I have a Cisco 8510msr that is connected back to back with a 7206vxr across a 155Meg connection.I receive lots of Output drops on the 7206vxr interface facing the atm switch. When I do the following command:-
kwdair9#sh atm int atm 1/0Interface ATM1/0:AAL enabled: AAL5 , Maximum VCs: 4096, Current VCCs: 27 Maximum Transmit Channels: 0Max. Datagram Size: 4528PLIM Type: SONET - 155000Kbps, TX clocking: LINECell-payload scrambling: ONsts-stream scrambling: ON797522 input, 881483 output, 203946630 IN fast, 223768062 OUT fast, 0 out dropVBR-NRT : 110288 Avail bw = 44712 <====
I only have 44megConfig. is ACTIVEkwdair9# I only get 44Meg of the available 155Meg.There is no QOS on the router and the only commands I can find that vaguely see that refer to QOS are on the ATM switch:-
atm address 47.0091.8100.0000.0007.0d87.b201.0007.0d87.b201.00atm router pnnino aesa embedded-number left-justifiednode 1 level 56 lowest redistribute atm-static?why this is acting like a DS3 link and not a 155Meg link?
I have two site that has a copper wire ( 2 wire) connection between each router ( No Telco in between ). Now I want to use 1921 router with HWIC-4SHDSL-E card to connect these two site together. Can I use attach configuration to make the connection reference from the diagram ?
I have 2650XM router and 2620 Router Both routers have built in WIC T1 CSU/DSU cards
2620Router --
2620Router#sh int se0/0 Serial0/0 is down, line protocol is down Hardware is PQUICC with Fractional T1 CSU/DSU Description: DTE side MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation HDLC, loopback not set
[code]....
My question is that cisco website says there are two type of cable connections for this type of config --which are --T1 CSU/DSU ConfigurationSet one CSU/DSU to clock source internal, and the other CSU/DSU to clock source line. The linecode, framing, data-coding, and timeslots must be set the same on both CSU/DSUs.Four-Wire 56k CSU/DSU Configuration For my network connection which type of config i should use??Secondly i try to connect these ports by normal crossover cable it did not work.So for this type of connection i know i need T1 cross over cable-- which has RJ 48 connections at both sides.I check cable from ebay which is RJ45 RJ48 cross over -- will this cable work in my router to router connection.
I have 1 2611xm router and 1 2801 router. For my own lab purpose, i want to configure them back to back to support voice services. I don't know what configuration will be required at each end. in 2611xm, i have NM-2V and its also detecting the card, so i hope it will work ? also what commands i need to run on both ends .
I'm trying to change a vlan on a port-channel but I am getting this error when I apply the change:" error: command is not mutually exclusive",I have done this in the past but I cannot remember exactly what I should type to apply the change.
I have defined a trunk between a nexus 5k and cat 3750 as a pvlan trunk - now I would like to add redundance and performance and tried to establish a vpc between my par of nexus's and the 3750 stack - but the nexus tell me that the port-channel doesn't support pvlan's - and then - ehh - do I get any benefits of running the trunk as a pvlan trunk at all?
Does one can use a Vacl to monitor network traffic on a nexus 3064 much like you can on the 6500s? If so, any performance tradeoffs or caveats to be aware of ?
So I took a laptop with wireshark and plugged it into a nexus 5000 port that is configured as a trunk with 3 vlans allowed on it. The laptop was seeing all kinds of traffic on the wire, most of it was not involving my laptop.
For example: Server A VLAN 10= 10.10.10.1 Server B VLAN 20= 10.20.20.1 and wireshark laptop is plugged into a trunk port which is allowing those vlan's. The vlan's are routable.
10.10.10.3 is seeing the entire conversation when 10.10.10.1 backs up 10.20.20.1 even though it has no reason to see it. It is as if the trunk is spanning traffic to the laptop port. No span is setup however. It's really weird. This is not just broadcast traffic, but actual tcp taffic between Server A and B. Why would a trunk port see traffic between 2 other servers talking to each other on the vlan.
I am trying to configerate static switchports on our nexus 5548 (nx-os 5.1(3)N1(1)) over snmp.The support-list url... states that the CISCO- VLAN- MEMBERSHIP- MIB is supported.I can read the information, but if i try to set vmVlan or vmVlanType i get the message: "SET failed. ("ip-address"). Information: Not Writable."I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). how to set the vlan and vlan-type over snmp?
We are currently using two Nexus 5548UP's as our Datacenter Network Core. I have a pretty simple objective: I would like to enable Jumbo Frames on a single VLAN only(VLAN 65). This VLAN is used strictly for backups. I do not want to enable Jumbo Frames on the other VLANs(VLANs 1-10). Im not sure what the best way to do this is.....or if it is even possible but I am hoping to get some configuration examples.
I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
1. Private vlan mapping on the SVI; 2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148) 3. All Vlans are trunked between switches 4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration.
