Cisco Switching/Routing :: Upload Large ACLs To NX-OS Nexus 7009?
Feb 3, 2013
We are migrating from Catalyst 6509 IOS platforms to Nexus 7009. There's the normal differences in commands which is well doucumented. We do have some quite large files containing ACLs varying from 10's of lines to several 1000's of lines. Our normal upload would be done using tftp and then issuing the command 'conf net' on the the 6509. This is no longer the way to do this on NX-OS. I've tried copy ftp: running-config which works fine for small files but for big ones it takes a long time, in some cases I've see it takes 20-30 minutes. The initilal tftp uplaod to the 7009 seems OK but the copy into the running-config is the bit that takes time and initially I thought I'd killed the 7009!! It did finally come back to the prompt. Are the 7009's simply not designed for large ACLs? I did try the configure session (Session Manager) but I couldn't see a way of uploading a file. I tried creating a new session and then exiting it, copying in a file of the same format and then commiting it but it didn't seem to acknowledge the file (checksum?).
I need to upgrade my core switches at one of our locations (two 7009s with dual sups) from 6.0.1 to 6.1.2. After looking through the release notes it appears that this will be a disruptive upgrade?how long should I expect for the disruption? Are we talking a 7009 boot cycle (10 - 15 minutes) or something longer?How many disruptions can I expect? I suspect 1 per chassis during the failover to the standby but I'd like to validate.Is there any compelling reason to upgrade the EPDL? From what I can see, again from the release notes, this is only necessary with F2 cards if I were to upgrade to Sup2s . I'm in a healthcare environment and this upgrade will be affecting one of our major campuses so the more info I can get to the managers the more accepting they will be for the disruptions.
I need to figure out the max power consumption of 7009. The issue is, at this point i am not sure what modules will be used, so just to give an estimate, how we calculate the max power consumption of nexus 7009 ?
I wanted to know that in nexus 7009, can i use mix of F2/M1/M2 series line cards ? will they work with each other ? Lets say i have F2 line card and M2 line card, will servers attached to them will communicate with each other ?
We have Nexus 7009 switch and want to configure the span session
We are using F2 and M2 card both are in seperate differeent VDC.And out server is connected to M2 card on eth 4/6 and want to monitor the traffic from vlan 161Which is made on F2 card.
We are looking to deploy two Nexus 7009 cores at our two datacenters. They are approximately 2 miles apart. We are hoping to have 10G Dark Fiber between the buildings and therefore dedicate a pair for FCOE between the cores using 10G Long Range SFP's. I read that the Nexus 5000 series had a limit of ~3 km for FCOE. Does the same hold true for the 7000 series? I thought I read somehwere that the buffers were larger on the 7000 series and therefore would be able to do ~30 km.
I wanted to know if any has the Nexus 7009 chassis installed into a 600 wide rack with the sides fitted and if they are experiencing heat issues?
My client will be replacing their aging 6509 chassis with 7009 devices, but the physicals dont tally with the install guidelines for the 7009 series chassis. The current install of the 6509s does not tally with the recommended install guidelines for those either, but they have not expereienced any heat issues...
The 7009 will be fitted with 2xSUP2E, 3x48portSFP-F2E cards and 2x10GSFP-M2 cards with 2x6K PSUs. I am genuinely concerned they may cook these devices, but space restrictions look like vetoing the upgrade to 800 wide racks. Likewise moving to 7010 chassis may prove tricky due to existing other installs within the racks limiting vertical space.
We've gotten two Nexus 7009's in and I'm starting to configure them when I found I couldn't add VDCs. I found there was no license installed but the only licenses I found that came with them are "Cisco DCNM for LAN Enterprise Lic for one Nexus 7000 Chassis". So my question is this - do I need to configure a DCNM server to get the license pushed to these two 7009s or should there be another PAK for each chassis that I can register and get my enterprise services?
we've been using IOS for a long time, but are relatively new to NX-OS. We've got a central syslog server that all our devices log to. No matter what we do, we can't get our Nexus switches to log there. Here's my current attempt:
Nexus 7009, NX-OS 6.0(1)
# sh logging server Logging server: enabled {redacted} server severity: debugging server facility: local7 server VRF: default
[code].....
The default VRF is working. I see log entries in the logfile, but nothing arrives at the syslog server. It's not a config issue on the server, because tcpdump shows that no packets arrive from the IP for loopback 0.
Is there any challenge to upgrade core switch 6500 series from Nexus 7009 which runs NxOS, because i have 3750X series switches connected at distribution and access layer in my network topology??
Is there any challenge if we place NxOS in core and IOS in distribution and Access layer??? how we are able to match sh run config in existing 6500 switch to Nexus 7009 NXOS?
I have a nexus 7009 that used to work connecting via SSH. However now I cannot connect to it via ssh. It appears the SSH is connects but doing a show users from the console shows nothing connected other than the console connection.
I was uploading a big 2gb file to my FTP server, it was all going good and I managed to upload the whole thing hassle free. After I finish I log out, and return about 3 hours later and try to log back in, to no avail.WinSCP gives me the following error:
We have Nexus7009 at client network but due to limitation of Nexus switches that they can not be directly integrate Nexus with RSA so client has purchased cisco ACS for the AAA. We are able to do the authentication and authorization via ACS.However clients wants to further integrate the ACS with RSA so that authentication should happen via RSA and authorization should happen ACS. Is that possible ? if yes, how can i configure the ACS ?
I have setup my radius server access on the Nexus but am unable to authenticate through putty. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check pass; user unknown - aaad
We have a vPC cluster of two Nexus 7009 that needs to be connected with a VSS cluster of two Catalyst 6509s. The VSS has been working fine for a while and the vPC cluster is new equipment.
Attached there is a detailed diagram of the connections; the VSS cluster connects the interfaces Ten1/2/8 and Ten 2/2/8 using the PortChannel 28 going to the the vPC cluster to the interfaces Eth 4/18 of each switch.
Both the vPC and the VSS are well configured; last night we tried to brought up the connection between the two clusters but only the first interface comes up within the etherchannel; the secondary one did not come up and shows (not receiving LACP packets).
We know Layer 1 is fine because if we remove the interface from the EtherChannel it does come up; but causes some STP loop and bring the network down; thus the solution is to form a EtherChannel.
At the VSS Clúster we see LACP packets being sent with sh lacp counters but we DO NOT see LACP packets being received in the interface of the secondary Nexus.
Right now, this is not possible to troubleshoot since it is a production enviroment; so I'm looking for problems with the configuration or recommendations to follow in order to apply them tomorrow night during a new maintenance window.
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
I am trying to create an ACL that walls off a VLAN and only allows it to the internet. This is on a 3750G, currently the 3750G I am attempting this on is in a stack. I have another 3750G that is a standalone.
The first way I attempted this was to create two access-lists: access-list 101 permit tcp 10.249.1.0 0.0.0.255 any eq 80 access-list 102 permit tcp any 10.249.1.0 0.0.0.255 established
Let's call the 10.249.1.0 VLAN 2. I applied this to the VLAN2 interface, 101 out, 102 in. It didn't work. If I place a deny statement with nothing else, that works.
The second attempt was this: access-list 101 deny ip 10.249.1.0 0.0.0.255 any access-list 101 permit ip any any
I applied this to a VLAN I wanted to block VLAN2's traffic from reaching, let's call that one VLAN 3.
This lets all traffic from any VLAN (including the one I'm trying to block). If I remove the "permit ip any any", then all VLANs are denied. Which I understand is correct due to the implied deny all. What I don't understand is why it isn't applying the ACL to the specific VLAN.
I have a 2960 SI lan lite switch that I am configuring for admin and guest access. I have wireless AP's plugged into trunked ports 2 and 3. I am using two vlan's (in addition to the native VLAN). Vlan 5 for Admin and Vlan 10 for guest access. I have ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the vlan however the lan lite software does not support port ACL's. Any way to accomplish this with this switch.
version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec [Code]...
We are facing issue of continous packet discards On nexus4001L link (int po2) to Nexus5020 switch. Nexus4001L is installed in IBM blade center server and we have FCOE enabled in this setup. [code]
I have been tasked to replace the existing Cat 6500 and 3750 switches by Nexus 7000 and Nexus 2000.I was told initially my boss plans to get 2 x Nexus 7000 and then eventually blow up to 4 x Nexus 7000s.For Nexus, is there a list of tasks / points that i need to consider for building the initial design?
Can i just link the Nexus 7000 like the following?
N7k-A ========= N7k-B | | lots of N2ks lots of N2ks
we are planning a Nexus datacenter project with this layout:Our experiences with Nexus switches are not so large until now and the manuals are very extensive.Both N5K´s should be connected directly with all 4 N2K switches. I did not find a layout like this in the manuals. Only a design,where only 2 N2K are connected to one N5K, with this fex config:Now I´m not sure if it is right to make a config like this with the same slots and fex´s or with different slots and fex´s.
We have a brand new 2 x 3750-X stack running 15.0(1)SE3 with C3KX-NM-10Gs installed in each switch. An HP C-Class server enclosure with Virtual Connect Flex-10 modules is connected to each of the 10G ports using twin ax cables and they seem to behave OK apart from some random packet drop which appears to be within the enclosure and not without.
However, when we were investigating this, we found a little oddity ... even though we have jumbo frame support enabled on the 3750-Xs, we are getting a significant "Valid frames, too large" received count on the interface, and a "Too large" transmitted count. I've looked around and can't find a definitive reason for this count to go up - it doesn't seem to be a jumbo frames thing, more an unexpected-additional-field-in-a-header type thing, like when you have a V LAN tag in a DTP frame. Any thoughts as to why I might be getting these from a new server enclosure?
SW-STACK-CORE-3750X#sho int t2/1/1 controller TenGigabitEthernet2/1/1 is up, line protocol is up (connected) Hardware is Ten Gigabit Ethernet, address is a44c.116e.55b5 (bia a44c.116e.55b5) [ code]....
I have an 1841 and started to run into an issue which can be resolved but looking to see what you guys prefer to do in this situation. We allow users to connect the laptop via ethernet and wireless to our network at the same time as well as an iPad or any other wireless technology. With that said, for the most part each user has two IP's at any given point. The issue comes in is that I have a large amount of IP exclusions for servers, printers, switches, etc on the exclude list. I am starting to see that the 255 address are not enough to make a long story short. I am also using the 1841 to handle another range for the voice network, which has no isues. What is the best way to fix this issue? Can I run a virtual VLAN off that 1841 for everyone to use and then have the servers, switches, printers, etc on another one? I want to assume no, as both interfaces are used on the back of the 1841 for the two VLANS running now. Or is the only way to handle this with this device to say that as a policy you can only connect assigned company hardware to the network?
A question concerning the use of REP for IE-3000-4TC switches:
In figure 14 of REP pdf URL can you explain why this creates a loop in the system? From the document, I thought REP and RSTP could talk to each other so why does this create a loop if they are exchanging information between each other? Also, if, in figure 14, the two switches in the STP domain that connect to the REP ring, were also connected to each other, would there still be a loop in the system?
Also, what is the recommended max diameter a REP ring should be. I thought I read some place 130 nodes is ok, but I'm looking to confirm this.
Our office lan network is in 192.168.0.0/16 with 300 nodes and 30 server .Since its a large broadcast domain some times it takes large time for copying files.How can we avoid this problem with out changing the subnet.Also how to avoid broadcast storm.we are using cisco 2950 series switch.
we have two 6509E, as our core switches. Recently I noticed that on some connections I have a high output queue drop rate.
These 4 x 2 interfaces (gigabit) are connected to our blade encolure, consisting of 4 x WS-CBS3120X-S. The utilization of the links is really quite low, when I see the increase of the drops. (~=60Mbps). All the links are fiber (SFP) and the distance between the core switches and the enclosure is about 15-20m.
I am not aware of any service degradation on the part of the servers. No CRCs, collisions etc, on the interfaces, apart from the drops.
The line card is a WS-X6748-SFP, but other interfaces don't seem to be experiencing any problems.
I have been searching the message boards and wasn't having much luck. I am running some monitoring sessions on my 6509 and on the VLAN I am monitoring, I am experiencing a really large packet loss. If we hook up a laptop to the destination port and run wireshark we are seeing between 80% and 90% packet loss. I dont see the packet loss on the show port command, but I do on the show int vlan command.
The config is as follows:
Session 2 --------- Type : Local Session Source VLANs : RX Only : 500
[Code].....
I was doing some reading on Egress vs Ingress and I am wondering if the Egress SPAN replication state could be causing the packet loss that we are seeing or does the ingress & learn command override that?
