Cisco Switching/Routing :: Nexus 1000v Private-Vlan Trunking

Apr 14, 2011

Having a problem pinging from Host A on ESX1 to Host B on ESX2. Each host is assigned the same port-profile. If I put 2 hosts on the same ESX machine using the same port-profile, they are able to ping each other.
 
n1kv-vsm# sh port-profile name xxx-prod-40
port-profile xxx-prod-40
  description:
  type: vethernet
  status: enabled
  capability l3control: no
  pinning control-vlan: -
  pinning packet-vlan: -
  system vlans: 1
  port-group: xxxl-prod-40
  max ports: 32
  inherit:
  config attributes:
    switchport mode private-vlan host
    switchport private-vlan host-association 40 400
    no shutdown
  evaluated config attributes:
    switchport mode private-vlan host
    switchport private-vlan host-association 40 400
    no shutdown
  assigned interfaces:
    Vethernet3
    Vethernet4

System-uplink profile is trunking all vlans.


Cisco Switching/Routing :: Nexus 1000v Don't Use Private VLANs

Aug 28, 2012

We have a requirement for private VLANs for DMZ hosting within one of our datacentres. I just want to query how private VLANs would work in our environment. We have physical servers connected to fex ports (2 fex per rack for each 5k) of a 5548UP switch, virtual servers using the nexus 1000v (vmware hosts connected to fex ports). Our firewalls and load balancers are connected to an upstream pair of nexus 7ks using vPCs. My question is this: ordinarily the firewall would be in a promiscuous port but as these reside on a physically separate switch will the normal vPC trunk still be sufficient or would the "switchport mode private-vlan trunk promiscuous" be required on the vPC up to the northbound 7k? As these connections are already in production I do not want to affect the existing traffic that doesn't use private VLANs.


Cisco WAN :: Nexus 1000V - Why Is Private Vlan Config Options Missing

Jun 13, 2012

I just installed a N1K (with code 4.2(1)SV1(4a)) and I was trying to setup a private vlan.
 
Example:
 
vlan 300
name PRI-VLAN
private-vlan primary

[Code]....
 
I upgraded another n1k (that already had pvlan configured) to this version of code and it has the private vlan option. This was just installed yesterday so I don't have the license on it yet.


Cisco Switching/Routing :: Private VLAN's On Nexus 2148

Dec 29, 2011

I have the need for private vlans in isolated mode to backup some hosts on a secured network. We are using Cisco Nexus 5020 with the fex 2148 for copper-ports  - and I tried to implement this setup: [code]

The Cisco Nexus 2000 Fabric Extender does not support PVLANs over VLAN trunks used to connect to another switch. The PVLAN trunks are only used on inter-switch links but the FEX ports are only meant to connect to servers. Since it is not a valid configuration to have an isolated secondary VLAN as part of a Fabric Extender port configured as a VLAN trunk, all frames on isolated secondary VLANs are pruned from going out to a FEX.
 
The "only" limitation should be the trunk option - but as far as I can see from the output from my nexus this is not correct. We are running NXOS: [code]


Cisco Switching/Routing :: Nexus 5k And Cat 3750 / Benefits Of Private VLAN Trunks?

Jan 11, 2012

I have defined a trunk between a nexus 5k and cat 3750 as a pvlan trunk - now I would like to add redundancy and performance and tried to establish a vpc between my pair of nexus's and the 3750 stack - but the nexus tells me that the port-channel doesn't support pvlan's - and then - ehh - do I get any benefits of running the trunk as a pvlan trunk at all?

interface Ethernet1/4
  switchport mode trunk
  speed 1000
  switchport private-vlan trunk allowed vlan 550-552
  switchport private-vlan mapping trunk 550 551-552

[code]...


Cisco Switching/Routing :: Private Vlan / Etherchannel And Isolated Trunk On Nexus 5010

Feb 9, 2011

I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
 
The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which then connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
 
1. Private vlan mapping on the SVI;
2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
3. All Vlans are trunked between switches
4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
 
I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration.


Cisco Switching/Routing :: Nexus 1000v / VSM - Managing Multiple VDS?

Apr 17, 2012

Anyone got a single VSM (albeit in HA) managing two vDS split over two ESX clusters connected to a single instance of vCenter?


Cisco Switching/Routing :: How To Configure Nexus 1000v Switches With Vmware

May 29, 2012

According to Cisco, Nexus 1010 can host up to (6) Virtual Service blades. I can't find out how many Virtual Supervisor Modules and Virtual Ethernet Modules that make up one Nexus 1000v switch can be supported by each Virtual Service Blade. In other words, how many Nexus 1000v switches can be created with a Nexus 1010 appliance? How to configure Nexus 1000v switches with vmware? Without Nexus 1010, the standalone nexus 1000v switch was configured from vCenter as an OVF. But how to configure Nexus 1000v switches with vmware where the nexus switches are hosted on a Nexus 1010 appliance?


Cisco Switching/Routing :: Trunking Nexus 3048 With Force10 S4810

Apr 11, 2012

I have been assigned the task of trunking VLAN between a Nexus 3048 and a Force10 S4810. This would seem easy enough but I am really having a bear of a time getting it to work. I have devices configured on VLAN 602 on both sides but they just are not talking.
 
NX-OS 3048
interface configuration
----------------------------------
interface Ethernet1/49
switchport mode trunk

[Code].....


Cisco Switching/Routing :: 3560 - Vlan Trunking Between Switches Not Working

Jun 3, 2012

We have two Cisco switches with one 3560 and one 3750. We have created a new Vlan 4 with IP 10.1.3.x 255.255.255.0 - no shut then assigned to gi 2/0/46 on the 3560 Vlan 4 ip address 10.1.3.x 255.255.255.0 no shut then assigned to FA0/45. All interfaces are up up along with the Vlan up up, we can ping the local IP address but not able to ping the other switch.


Cisco Switching/Routing :: HP ProCurve 5406 VLAN Trunking To 3560

Jan 12, 2010

I have a HP Procurve 5406 connected to a Cisco 3560 on a temporary cat5e connection and I have Mitel IP phones needing to go on the Cisco switch. I've configured the HP Procurve port to TAGGING both VLAN 10 (data) and VLAN 20 (Voice). NO is selected for default VLAN 1. The Cisco is configured on the port with switchport encap dot1q and switchport mode trunk.
 
I've configured an IP for interface VLAN 10 and I cannot ping it from across the network. The interfaces are up and happy. I have tried changing the VTP status from transparent to server (VTP pruning is off), I've tried setting allowed vlans 10,20. Still not a thing. The worst thing is that I have a working Cisco switch with the HP procurve that I checked the config on and it's the same! The only difference is that the media type is SX over SFP in that case.
 
P.S. Not that I'm at this stage yet, but I initially configured the FastE ports as trunks with native vlans because I was using non-Cisco phones. On a spare port I configured the voice vlan 20 and I saw on the Mitel phone that it was looking on vlan20! I didn't expect that, I thought the Voice VLAN ID was carried on CDP enabled devices only.


Cisco Switching/Routing :: Nexus 5548 - Private VLANs On FEX

Aug 13, 2012

Regarding PVLANs and the Nexus, my understanding is that we cannot configure Private VLANs on a FEX trunk port with a NX-OS release older than 5.1(3)N2(1) for the Nexus5548... Is there any known workaround for this limitation (apart from performing a SW upgrade)?


Cisco Switching/Routing :: N7K Private VLAN With F2

Jan 15, 2013

Why do I get the error message below when configuring Private VLAN?
 
Error: while enabling/disabling service: private-vlan, err: Private-vlan is not allowed in F2 VDC (0x40e4005d)


Cisco Switching/Routing :: ME 4900 Private VLAN Config

Feb 9, 2012

We need to connect several DSLAMs on the 4900 switch, every DSLAM has 4 VLANs configured (VOIP service, MGMT, ADSL Private, ADSL Public), and sends the traffic for each service tagged with appropriate VLAN id according to the table:
 
VOIP: 608
MGMT: 594
ADSL PRIVATE: 2900
ADSL PUBLIC: 2930
 
On the DSLAM side it is very simple configuration, just a normal trunk with 4 VLANs transversing the link. On the 4900 I need to isolate the traffic for ADSL PRIVATE & PUBLIC service so DSLAMs connected to the same switch do not have L2 connectivity between them. For VOIP and MGMT they must communicate with each other. DSLAM acts also as a VOIP GW so it must communicate with other DSLAMs for VOIP service. Also VLAN 200 is configured on ME 4900 for switch management traffic.
 
This 4900 Switch connects to MPLS PE router, which offers L3 VPN service for VOIP & MGMT service, and L2 VPN for ADSL service (PPPoE traffic to BRAS). Fortunately we have ES+ linecard to support many ethernet features. I tried this config:
 
1) VOIP, DSLAM-MGMT, MPLS-MGMT configured as normal VLANs
2) ADSL PUBLIC & PRIVATE configured as isolated secondary VLANs, primary VLAN for ADSL PRIVATE is 2008, for PUBLIC 2308
3) Configure DSLAM facing ports on ME 4900 as private-vlan trunks
4) Configure ME 4900 uplink port to MPLS PE as a private-vlan promiscuous trunk
5) Configure ethernet services on MPLS PE for each tag that comes from ME 4900 (ES+ cards are awesome, i love them:D )
6) Apply L3 VPN service for VOIP and DSLAM-MGMT, and L2 VPN for ADSL service.

But at least this last command should list on spanning tree forwarding state also the ADSL VLANs or not?
 
Here is the output of the show interface switchport.


Cisco Switching/Routing :: 2960 / How To Configure Private Vlan

Mar 13, 2013

I have a Cisco 2960 switch. I want to configure private vlan. But it is not getting configured on the Cisco 2960. Is there any other way to configure that on the switch?


Cisco Switching/Routing :: 4900m - Private VLan And VTP Version 3?

Dec 10, 2012

know if Private Vlans are supported on the Cisco 4900m switch when set in VTP version 3 and VTP disabled? Most documents just specify VTY transparent mode without mentioning the version, trying not to assume since this is production.


Cisco Switching/Routing :: 3750 Private VLAN With Routing

Jan 1, 2012

I have a Cisco 3750 with private VLANs configured. VLAN 2 is the "primary", VLAN 3 is "isolated" and VLAN 4 is "community". This is all working correctly, however I now have the need for another VLAN called "production". I need the production VLAN to be able to reach all the private VLAN hosts (community and isolated), and vice versa.


Cisco Switching/Routing :: Assign 2 Ports To A Vlan On Slm2008 Private Network

Dec 17, 2012

Is it possible to assign 2 ports to a vlan on this switch and have the 2 machines connected to those ports be able to see each other without having to go off of the switch? If so, how would it need to be setup on the switch?


Cisco Switching/Routing :: Private Vlan Configuration On 3560E 24 Port Switch

Dec 12, 2012

We have 24 port and 48 port 3560 E switches with identical IOS. The 48 port switch supports private vlan while the 24 port switch doesn't.
 
configure private vlans on 24 ports 3560e and is it best practise to configure private vlan on this platform(3560)?
  
IOS version : C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
flash:/c3560e-universalk9-mz.122-55.SE3/c3560e-universalk9-mz.122-55.SE3.bin


Cisco Switching/Routing :: 2950 - Private VLAN Across Trunk To Older Model Switches

Mar 7, 2012

I am looking into the possibility of using private vlans for some dmz implementations, however I do have what may be some very rudimentary questions. It seems straightforward how to configure the primary/secondary vlan configuration as well as associating them. However in my case I would be looking to configure the PVLAN on a 6500-vss platform acting as the router while all of the hosts which I would desire to have in the isolated vlan would be spread out across a number of older Cisco switches which only support "protected port" setup or Procurve switches, all of which I do not have budget to replace with something newer. So in my scenario I would have a 6500 connected by trunk to multiple switches which only support a protected port setup such as a Procurve (top of rack) or a Cisco 2950. As the Procurve or 2950 would not support Private VLAN setup, do I then just configure the secondary vlan to be allowed across the trunk from the 6500, configure that vlan on the Procurve or 2950 (as vtp will not forward the info for the secondary vlan) and assign that vlan to the host port as well as setting it as a protected port and this will communicate just fine across the trunk to the router as well as stopping the protected port in top of rack switch 1 from being able to communicate to a protected port in top of rack 2,3,etc? If the above scenario is what needs to be done, do I just use a regular trunk or do I have to use a PVLAN trunk?


Cisco Switching/Routing :: Per-VLAN QoS On Nexus 5K?

Feb 22, 2012

I was reading a QoS walkthrough earlier to try to solve my problem and I noticed that in IOS, you can specify "match vlan" in a class map.  This is not available in NX-OS. I'm not doing any routing on the 5K so I cannot match on ACL, and port where traffic is received is a trunk sharing other types of traffic I'd like to classify elsewise.
 
How can I match traffic on a per-VLAN basis?


Cisco Switching/Routing :: QOS By VLAN On Nexus 5k?

Aug 14, 2012

I have a couple of Nexus 5ks that I want to put QOS on for the servers running behind it but also have voice running across it.  Voice doesn't play well with jumbo frames so I'd like to put QOS only on the voice vlan. 


Cisco Switching/Routing :: Vlan On Nexus 7K Is Down

Apr 17, 2013

I am working in my lab and I was adding a new L2/3 vlan

vlan 555
name test
 
int vlan 555
ip address 1.1.1.1/24
no shut
 
I have also ensured that this vlan is added to the port channel going to my Nexus5K's. I added the vlan to the 5K's and also ensured that vlan 555 is traversing the peer link. All is good there. I have also placed a device on an interface on the 2k as an access switchport on vlan 555.
 
Here is my problem, the L3 interface will NOT come up on the 7K
 
LAB-DSW01# sh ip int brie
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan555             1.1.1.1     protocol-down/link-down/admin-up  
 
I have gone through just about everything I can think of and I am still unable to get this L3 interface to come up. I have other L3 interfaces on this device that are configured exactly the same way without any issue at all. All the existing interfaces are working properly, it's just this new interface that I am trying to add.
 
I am running version 6.0.1 on the 7K and 5.2.1.N1.4 on the 5K.


Cisco Switching/Routing :: Nexus 5010 Support For Inter VLan Routing

Jan 10, 2012

Can the Nexus 5010 support inter-VLAN routing, as there is no core switch and router available in the current network?


Cisco Switching/Routing :: Nexus 7010 - Inter-VLAN Routing On Multilayer VPC Environment

Feb 16, 2011

You find attached my network architecture with 2 Nexus 7010 on core layer and 2 Nexus 5020 on distribution layer, each one with 1 N2148T fabric extender switch. PC-A1 and PC-A2 are connected to one N2148T, PC-B1 is connected to the other N2148T. Nexus-7000-1 is HSRP Active for all VLANs, Nexus-7000-2 is HSRP standby. PC-A1 and PC-A2 are connected to VLAN A, PC-B1 is connected to VLAN B. PC-A1 and PC-A2 have the same default gateway corresponding to IP HSRP on VLAN A. It happens that PC-A1 is able to ping PC-B1 while PC-A2 is unable to ping PC-B1. If I issue a traceroute from PC-A2 I see Nexus-7000-2's physical IP address as the first hop even if Nexus-7000-2 is HSRP standby. After the first hop the traceroute is lost. If I shutdown Port-channel 20 on Nexus-5000-2, PC-A2 starts to ping PC-B1. I can't understand what's wrong in this architecture.


Cisco Switching/Routing :: Nexus 7000 Vdc Vlan Configuration?

Dec 9, 2012

I am seeing an issue that after deleting/recreating one of the VDCs in Nexus 7K, a VLAN cannot be configured within the VDC although it is not actually a reserved VLAN. Could it be anything missing in the license installation? The version of the image is NX-OS 6.1.2
  
StorageVDC(config)# vlan 100
^
invalid vlans (reserved values) at '^' marker.


Cisco :: Nexus 1000v QoS Based On IP ACL?

Mar 28, 2012

I want to apply QoS policy on a particular VM for a specified port range only. I have created the following script file but that doesn't work. I mean it doesn't apply any policy on the vm residing on Veth1.
 
config t
ip access-list acl_in
101 deny tcp any any eq 443
exit

[Code].....


Cisco Switching/Routing :: Nexus 5010 - Unable To Create More Than 256 VLAN In N5k

Jun 23, 2012

I am not able to create more than 256 VLAN in Cisco Nexus 5010 switch. While creating I am getting "No VLAN resources available for VLAN creation" Details below -
 
Switch model - 5010
Software : NX OS 4.0 (1a)
 
Error Message:
Nexus_5010(config)# vlan 417
ERROR: No VLAN resource available for VLAN creation.


Cisco Switching/Routing :: VLAN Information Not Propagating Between Nexus 5K Switches?

Oct 2, 2012

I have 2 NEXUS switches in VPC. When I create/delete a VLAN, it gets updated in the same switch, but the VLAN information does not get propagated to the neighboring switch. Revision number remains the same even if I modify the VLAN. Had also tried changing the VTP status to transparent mode & reverting it to client mode but no luck. Have double confirmed on the VTP domain names & password. However the same setup in a different location works perfectly fine.


Cisco Switching/Routing :: Configuring Nexus 5548 Pair For VLAN?

Mar 18, 2012

I currently have two Nexus 5548UP switches in my environment running the latest code (n5000-uk9.5.1.3.N1.1a.bin).  Both of these switches are connected via a VPC Peer Link (two ports on each switch in an Ether Channel) and a VPC-Keep Alive Link (a dedicated port).  Hosts connect to each switch via a VPC for both IPV4 and FCOE.
  
As of right now, everything works. I currently have a stack of two 3750 switches that each Nexus is connected to. This stack is doing all the Intra-VLAN Layer 3 Routing for the Nexus Switches. However, I plan to get rid of the 3750s, and move the Layer 3 Routing to the Nexus 5548's, so the backplane is 10 Gig instead of 1 Gig. I have the Layer 3 Daughter Card installed in both switches, as well as the LAN_BASE license.
  
So, at the moment, I am trying to find the best way to accomplish Layer 3 Routing on these two switches. Since the Nexus switches are not stacked, and the FCOE portion of HA is taken care of by the Multipathing agent on each host, I believe I am just concerned with providing Intra-VLAN routing in an HA build where if one switch goes down, VLANs still route through the other switch.

Again, since the Nexus switches are not stacked, I am guessing the best way to handle this is with HSRP, but my experience with that has always been with routers that have a switch in the middle.  Can I make HSRP work without having a switch between the Nexus switches?  Can I track the VPC peer link, or how do I do it?  I guess I am looking for a sample config.
 
Let's pretend I had two VLANs:
 
VLAN 20: 
10.20.20.254 - GW and 10.20.20.0/24 
VLAN 40 
10.40.40.254 - GW and 10.40.40.0/24
  
And I wanted the Nexus switches to route these VLANs regardless of which switch was up / down.


Cisco Switching/Routing :: Nexus 7010 - Unable To Ping Within VLan

Jul 10, 2012

Yesterday I configured the 7010 Nexus switch. I created a VDC and allocated a few ports and configured a VLAN for testing. After enabling feature interface-vlan I was allowed to configure an L3 interface for the vlan. I assigned an ip address and connected a few servers to check the reachability but it says Destination Host Unreachable.
 
NX OS Ver : n7000-s1-dk9.5.2.4.bin
 
Configuration of the VDC below.
 
feature telnet
feature udld
feature interface-vlan
feature lacp
[Code]....


Cisco Switching/Routing :: Nexus 5000 To Change VLan Port Channel

Jan 29, 2013

I'm trying to change a vlan on a port-channel but I am getting this error when I apply the change: "error: command is not mutually exclusive". I have done this in the past but I cannot remember exactly what I should type to apply the change.


Cisco Switching/Routing :: Intra-VLAN Traffic Not Passing Back To Nexus 5k

Mar 28, 2013

We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
 
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.

HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
 
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
 
When I ping between hostA and hostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2. The egress packets from Core1 show the correct destination MAC address of the target host. The mac address table shows the mac address on po31.

Copyrights 2005-15 www.BigResource.com, All rights reserved