Catalyst 3850, VLAN access map example (VACL, layer 2)

Hello there:
Trying to get a simple VLAN access map example working (VACL, layer 2).  Want to allow host 10.0.0.2 to SSH to 10.0.0.3 (both in vlan 10), but deny all other connectivity from 10.0.0.2 to 10.0.0.3.
access-list test permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
vlan access-map test
   match ip address test
   action forward
vlan filter test vlan-list 10
However, 10.0.0.2 cannot see 10.0.0.3 whatsoever, w/ this VACL enabled (connectivity works w/ VACL disabled).
From what I've read, there is an implicit deny all at the end, if I understand correctly.
I've played with other variations as well, but without any luck.
What am I missing here?
Also, is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
Thank you.

Hi,
You have a problem in that your ACL currently allows the SSH traffic from 10.0.0.2 to 10.0.0.3 but the responses are not allowed to flow back from 10.0.0.3 to 10.0.0.2. That is the most probable reason your VACL does not work as expected.
This modification should correct the behavior:
ip access-list extended TestACL
permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
permit tcp host 10.0.0.3 eq 22 host 10.0.0.2
deny ip host 10.0.0.2 host 10.0.0.3
deny ip host 10.0.0.3 host 10.0.0.2
permit ip any any
vlan access-map TestVACL
match ip address TestACL
action forward
vlan filter TestVACL vlan-list 10
Here, I've made sure that SSH traffic between 10.0.0.2 as a client and 10.0.0.3 as a server is allowed, any other traffic between these two is denied, and every other communication is allowed. Would you mind testing out this modification?
is there a way to debug this using logs or debug statements? Nothing shows up in the logs.
None that I know of. This filtering is done in hardware, independently from CPU, so the CPU has no insight into what's going on in the TCAM during packet filtering.
Best regards,
Peter
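As an added illustration (not part of the thread, and not Cisco code), the following Python script is a first-match evaluator for the ACL subset used above (permit/deny, tcp or ip, `host A` or `any`, optional `eq <port>` after either address), applied with the VLAN access-map semantics the reply relies on: a packet matching a permit ACE in the single `action forward` clause is forwarded, a packet matching a deny ACE does not match the clause, and anything left unmatched falls through to the access map's implicit deny and is dropped. Running both ACLs over the same four constructed packets shows the SSH reply hitting the implicit deny under the original one-line ACL, and the closing `permit ip any any` being what keeps the rest of VLAN 10 working under the corrected one. Addresses, ports and packet names are constructed for the example.

```python
"""Added example, not from the thread: a first-match evaluator for the ACL
subset used above (permit/deny, tcp or ip, 'host A' or 'any', optional
'eq <port>' after either address), applied with VLAN access-map semantics.
Packets, addresses and ports below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # dotted address, or "any"
    sport: Optional[int]         # port after 'eq', or None
    dst: str
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one entry, e.g. 'permit tcp host 10.0.0.3 eq 22 host 10.0.0.2'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def address() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] != "host":
            raise ValueError(f"unsupported address form in: {line}")
        pos += 2
        return toks[pos - 1]

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return int(toks[pos - 1])
        return None

    src, sport = address(), port()
    dst, dport = address(), port()
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches when every field it constrains agrees with the packet."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src == "any" or ace.src == pkt.src)
            and (ace.dst == "any" or ace.dst == pkt.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def vacl_action(acl: List[Ace], pkt: Packet) -> str:
    """Access map with one 'match ip address <acl>' / 'action forward' clause.

    The first matching ACE decides. A permit ACE matches the clause and the
    packet is forwarded. A deny ACE means the packet does not match the clause,
    and with no further clauses it reaches the map's implicit deny and is
    dropped. A packet that matches no ACE at all ends up in the same place.
    """
    for ace in acl:
        if ace_matches(ace, pkt):
            return "forward" if ace.action == "permit" else "drop"
    return "drop"  # implicit deny at the end of the VLAN access map


ORIGINAL_ACL = "permit tcp host 10.0.0.2 host 10.0.0.3 eq 22"

FIXED_ACL = """
permit tcp host 10.0.0.2 host 10.0.0.3 eq 22
permit tcp host 10.0.0.3 eq 22 host 10.0.0.2
deny ip host 10.0.0.2 host 10.0.0.3
deny ip host 10.0.0.3 host 10.0.0.2
permit ip any any
"""

# Constructed traffic: the SSH session in both directions, a ping between the
# same two hosts, and unrelated traffic between two other hosts in VLAN 10.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ssh_syn":     Packet("tcp", "10.0.0.2", "10.0.0.3", 51000, 22),
    "ssh_reply":   Packet("tcp", "10.0.0.3", "10.0.0.2", 22, 51000),
    "ping":        Packet("icmp", "10.0.0.2", "10.0.0.3"),
    "other_hosts": Packet("tcp", "10.0.0.4", "10.0.0.5", 40000, 80),
}


def evaluate(acl_text: str) -> Dict[str, str]:
    """Return the access-map verdict for each sample packet under the given ACL."""
    acl = parse_acl(acl_text)
    return {name: vacl_action(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label)
        for name, verdict in evaluate(text).items():
            print(f"  {name:<12} {verdict}")
```

The model is deliberately stateless, as the hardware VACL is: nothing remembers that 10.0.0.3:22 to 10.0.0.2 is the reply half of a session the first ACE allowed, so the reply has to be permitted by its own ACE. The same run also shows that the mechanism dropping the SSH reply under the original ACL drops every other packet bridged in VLAN 10 as well (the `other_hosts` row), which is why the corrected ACL ends with `permit ip any any`.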

Similar Messages

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do a DC job.  If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers.  These memory buffers get swamped when servers do non-stop traffic.
    Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications on the deployment of the wireless solution which I explain further below. The R&S infrastructure comprises the typical Core, Distribution, and Access layers and we are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated, i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access, ideally the Catalyst 3850 will only run the Mobility Agent (MA) feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSID names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508 which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSID names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508 which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments).
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • About Catalyst 3850 Wireless Multicast

    Hello
    I'm testing Catalyst 3850 wireless multicast, and I've tried several configurations but it always fails. I took a wired PC as the multicast video source, and another PC as the wireless receiver, the two PCs in the same VLAN, for example VLAN 10. The following is the detailed configuration of the 3850.
    <omitted>
    ip routing
    ip multicast-routing 
    ip multicast auto-enable
    ip igmp snooping querier
    interface Vlan6                        ------ The access point VLAN, which is also the wireless management VLAN
     description TO-Wireless_AP
     ip address 192.168.6.254 255.255.255.0
     ip pim sparse-dense-mode
    interface Vlan10                ---- The video source VLAN and the wireless receiver client VLAN
     description TO-EXSi
     ip address 192.168.10.254 255.255.255.0
     ip pim sparse-dense-mode
    wireless mobility controller
    wireless management interface Vlan6
    wireless multicast
    wlan VideoStream 3 VideoStream
     client vlan 10
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     no shutdown
    ap capwap multicast 239.100.1.1
    <omitted>
    The video multicast group address is 239.100.1.1, here are some show command results.
    show ip mroute
    (*, 239.100.1.1), 00:01:13/stopped, RP 10.1.1.1, flags: SPF
      Incoming interface: GigabitEthernet1/0/1, RPF nbr 10.0.0.2
      Outgoing interface list: Null
    (192.168.10.6, 239.100.1.1), 00:01:13/00:01:46, flags: PFT
      Incoming interface: Vlan10, RPF nbr 0.0.0.0
      Outgoing interface list: Null
    (*, 239.255.255.250), 01:21:59/00:02:05, RP 10.1.1.1, flags: SJC
      Incoming interface: GigabitEthernet1/0/1, RPF nbr 10.0.0.2
      Outgoing interface list:
        Vlan5, Forward/Sparse-Dense, 01:21:59/00:02:05
    (*, 224.0.1.40), 01:21:59/00:02:02, RP 10.1.1.1, flags: SJCL
      Incoming interface: GigabitEthernet1/0/1, RPF nbr 10.0.0.2
      Outgoing interface list:
        Vlan5, Forward/Sparse-Dense, 01:21:59/00:02:02
    show ip igmp snooping wireless mgid
    Total number of L2-MGIDs    = 3
    Total number of MCAST MGIDs = 0
     Wireless multicast is Enabled in the system
     Vlan     bcast   nonip-mcast   mcast    mDNS-br  mgid    Stdby Flags
     1     Disabled   Disabled   Enabled    Enabled    Disabled  0:0:1:0
     5     Disabled   Disabled   Enabled    Enabled    Disabled  0:0:1:0
     6     Disabled   Disabled   Enabled    Enabled    Disabled  0:0:1:0
     7     Disabled   Disabled   Enabled    Enabled    Enabled   0:0:1:0
     8     Disabled   Disabled   Enabled    Enabled    Enabled   0:0:1:0
     9     Disabled   Disabled   Enabled    Enabled    Disabled  0:0:1:0
     10    Disabled   Disabled   Enabled    Enabled    Enabled   0:0:1:0
     1002  Enabled    Enabled    Enabled    Enabled    Disabled  0:0:1:0
     1003  Enabled    Enabled    Enabled    Enabled    Disabled  0:0:1:0
     1004  Enabled    Enabled    Enabled    Enabled    Disabled  0:0:1:0
     1005  Enabled    Enabled    Enabled    Enabled    Disabled  0:0:1:0
    Index  MGID                  (S, G, V)
    The C3850 software version is Version 03.03.03SE RELEASE SOFTWARE (fc2), and I've tried Version 03.02.02SE with the same result. If multicast does not work, I can't do the VideoStream function demo as the next step.

    If the video multicast group is 239.100.1.1, then the same group cannot be configured for AP multicast-multicast mode communication.
    Try this:
    config t
    no ap capwap multicast 239.100.1.1
    ap capwap multicast 239.10.10.10
    regards,
    sudha

  • Catalyst 3850 QoS police

    Hello,
    Here is the config for Catalyst 3560 found under the link below.
    I would like to do same setting on Catalyst 3850.
    http://itknowledgeexchange.techtarget.com/network-engineering-journey/how-to-configure-per-vlan-qos-in-cisco-3550-and-3560/
    mls qos
    interface fa0/2
    mls qos vlan-based
    class-map INT
    match input-interface fa0/2
    policy-map NESTED_POLICE
    class INT
    policy 12800 1600 exceed-action drop
    class-map HTTP
    match protocol http
    policy-map PARENT_MARK
    class HTTP
    set dscp af11
    service-policy NESTED_POLICE
    interface vlan 10
    service-policy input PARENT_MARK
    But commands like "mls qos", "mls qos vlan-based" and "match input-interface" don't work on the 3850.
    There is no helpful Cisco manual for it.
    Could anyone help me?
    Thanks in advance,
    Taro

    Hello Paul,
    Thank you for the attention.
    Here is the information.
    #sh ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.01.SE RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 20-Mar-13 17:10 by prod_rel_team
    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.
    (http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    BOOTLDR: C3850 Boot Loader (C3850-HBOOT-M) Version 1.1, RELEASE SOFTWARE (P)
    SW01 uptime is 21 weeks, 6 days, 14 hours, 27 minutes
    Uptime for this control processor is 21 weeks, 6 days, 14 hours, 30 minutes
    System returned to ROM by reload at 22:27:58 JST Wed Jan 8 2014
    System restarted at 22:27:52 JST Wed Jan 8 2014
    System image file is "flash:packages.conf"
    Last reload reason: Reload command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    License Level: Ipservices
    License Type: Permanent
    Next reload license Level: Ipservices
    cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
    Processor board ID FOC1717V01B
    24 Virtual Ethernet interfaces
    56 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    250456K bytes of Crash Files at crashinfo-2:.
    1609272K bytes of Flash at flash:.
    1609272K bytes of Flash at flash-2:.
    0K bytes of Dummy USB Flash at usbflash0:.
    0K bytes of Dummy USB Flash at usbflash0-2:.
    0K bytes of  at webui:.
    Base Ethernet MAC Address          : 44:ad:d9:6d:4e:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HB8
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01B
    Switch Ports Model              SW Version        SW Image              Mode
         1 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 21 weeks, 6 days, 14 hours, 31 minutes
    Base Ethernet MAC Address          : 20:bb:c0:01:86:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HCM
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01K
    Configuration register is 0x102
    SW01#sh sdm prefer
    Showing SDM Template Info
    This is the Advanced template.
      Number of VLANs:                                 4094
      Unicast MAC addresses:                           32768
      Overflow Unicast MAC addresses:                  512
      IGMP and Multicast groups:                       8192
      Overflow IGMP and Multicast groups:              512
      Directly connected routes:                       32768
      Indirect routes:                                 8192
      Security Access Control Entries:                 3072
      QoS Access Control Entries:                      2816
      Policy Based Routing ACEs:                       1024
      Netflow ACEs:                                    1024
      Input Microflow policer ACEs:                    256
      Output Microflow policer ACEs:                   256
      Flow SPAN ACEs:                                  256
      Tunnels:                                         256
      Control Plane Entries:                           512
      Input Netflow flows:                             8192
      Output Netflow flows:                            16384
    These numbers are typical for L2 and IPv4 features.
    Some features such as IPv6, use up double the entry size;
    so only half as many entries can be created.

  • Problem Cisco Catalyst 3850 input errors

    I've installed two stacked Catalyst 3850s. Connected to these two switches I have a Dell EqualLogic SAN 6210 and ESX.
    The interfaces on the switches are bundled with Port-channel. MTU size 9198. On switch one there is no problem, but on switch two I see input errors on these interfaces.
    If I move the cables from switch two to one then it's OK...
    I have two 10G going to the SAN. And 4 ESX servers with 2 iSCSI each.
    interface Port-channel21
     description ESX1 ISCSI SAN
     switchport access vlan 21
     switchport mode access
     flowcontrol receive desired
     spanning-tree portfast
     spanning-tree bpduguard enable
    Port-channel21 is up, line protocol is up (connected)
      Hardware is EtherChannel, address is 
      Description: ESX1 ISCSI SAN
      MTU 9198 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 17/255, rxload 16/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, link type is auto, media type is
      input flow-control is off, output flow-control is unsupported
      Members in this channel: Gi1/0/25 Gi1/0/34
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:07:12, output never, output hang never
      Last clearing of "show interface" counters 1d21h
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 128760000 bits/sec, 8233 packets/sec
      5 minute output rate 137021000 bits/sec, 7343 packets/sec
         520088013 packets input, 1454135312 bytes, 0 no buffer
         Received 1088 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         1534 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         0 input packets with dribble condition detected
         564793180 packets output, 978716517 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    Hi, and sorry, I just copied and pasted the part that I thought was the problem. It seems that the MTU size on switch two in the stack still has MTU 1500......
    So here is the lot....
    This interface is OK
    sh controllers ethernet-controller g1/0/25
    Transmit                  GigabitEthernet1/0/25                 Receive
    2373084674113 Total bytes               2700589618458 Total bytes
       1259517537 Unicast frames               1355829627 Unicast frames
    2373055994149 Unicast bytes             2700589410330 Unicast bytes
           314726 Multicast frames                      0 Multicast frames
         25604588 Multicast bytes                       0 Multicast bytes
            44657 Broadcast frames                   3252 Broadcast frames
          3075376 Broadcast bytes                  208128 Broadcast bytes
                0 System FCS error frames               0 IpgViolation frames
                0 MacUnderrun frames                    0 MacOverrun frames
                0 Pause frames                          0 Pause frames
                0 Cos 0 Pause frames                    0 Cos 0 Pause frames
                0 Cos 1 Pause frames                    0 Cos 1 Pause frames
                0 Cos 2 Pause frames                    0 Cos 2 Pause frames
                0 Cos 3 Pause frames                    0 Cos 3 Pause frames
                0 Cos 4 Pause frames                    0 Cos 4 Pause frames
                0 Cos 5 Pause frames                    0 Cos 5 Pause frames
                0 Cos 6 Pause frames                    0 Cos 6 Pause frames
                0 Cos 7 Pause frames                    0 Cos 7 Pause frames
                0 Oam frames                            0 OamProcessed frames
                0 Oam frames                            0 OamDropped frames
           423237 Minimum size frames               78563 Minimum size frames
        593742624 65 to 127 byte frames         338414660 65 to 127 byte frames
          1416083 128 to 255 byte frames          4836098 128 to 255 byte frames
           558097 256 to 511 byte frames          1505992 256 to 511 byte frames
          5464138 512 to 1023 byte frames         6457219 512 to 1023 byte frames
        472854085 1024 to 1518 byte frames      834470341 1024 to 1518 byte frames
            80781 1519 to 2047 byte frames         257961 1519 to 2047 byte frames
          2891352 2048 to 4095 byte frames       13701476 2048 to 4095 byte frames
         14353508 4096 to 8191 byte frames        8698824 4096 to 8191 byte frames
        168093015 8192 to 16383 byte frames     147411745 8192 to 16383 byte frames
                0 16384 to 32767 byte frame             0 16384 to 32767 byte frame
                0 > 32768 byte frames                   0 > 32768 byte frames
                0 Late collision frames                 0 SymbolErr frames
                0 Excess Defer frames                   0 Collision fragments
                0 Good (1 coll) frames                  0 ValidUnderSize frames
                0 Good (>1 coll) frames                 0 InvalidOverSize frames
                0 Deferred frames                       0 ValidOverSize frames
                0 Gold frames dropped                   0 FcsErr frames
                0 Gold frames truncated
                0 Gold frames successful
                0 1 collision frames
                0 2 collision frames
                0 3 collision frames
                0 4 collision frames
                0 5 collision frames
                0 6 collision frames
                0 7 collision frames
                0 8 collision frames
                0 9 collision frames
                0 10 collision frames
                0 11 collision frames
                0 12 collision frames
                0 13 collision frames
                0 14 collision frames
                0 15 collision frames
                0 Excess collision frames
    LAST UPDATE 4870 msecs AGO
    This interface has a problem. It is in a port-channel with g1/0/25. I've got more interfaces and port-channels showing the same behavior for switch two in my cluster.
    sh controllers ethernet-controller g2/0/25
    Transmit                  GigabitEthernet2/0/25                 Receive
     925460044357 Total bytes                201085804055 Total bytes
        702370104 Unicast frames                184041790 Unicast frames
     925449913241 Unicast bytes              201085599895 Unicast bytes
           118823 Multicast frames                      0 Multicast frames
          9171804 Multicast bytes                       0 Multicast bytes
            14251 Broadcast frames                   3190 Broadcast frames
           959312 Broadcast bytes                  204160 Broadcast bytes
                0 System FCS error frames               0 IpgViolation frames
                0 MacUnderrun frames                    0 MacOverrun frames
                0 Pause frames                          0 Pause frames
                0 Cos 0 Pause frames                    0 Cos 0 Pause frames
                0 Cos 1 Pause frames                    0 Cos 1 Pause frames
                0 Cos 2 Pause frames                    0 Cos 2 Pause frames
                0 Cos 3 Pause frames                    0 Cos 3 Pause frames
                0 Cos 4 Pause frames                    0 Cos 4 Pause frames
                0 Cos 5 Pause frames                    0 Cos 5 Pause frames
                0 Cos 6 Pause frames                    0 Cos 6 Pause frames
                0 Cos 7 Pause frames                    0 Cos 7 Pause frames
                0 Oam frames                            0 OamProcessed frames
                0 Oam frames                            0 OamDropped frames
           155980 Minimum size frames                3226 Minimum size frames
         92357460 65 to 127 byte frames          52503630 65 to 127 byte frames
           542363 128 to 255 byte frames           660137 128 to 255 byte frames
          1843346 256 to 511 byte frames           500600 256 to 511 byte frames
          6158096 512 to 1023 byte frames         1116353 512 to 1023 byte frames
        601445933 1024 to 1518 byte frames      129261034 1024 to 1518 byte frames
                0 1519 to 2047 byte frames         319527 1519 to 2047 byte frames
                0 2048 to 4095 byte frames              0 2048 to 4095 byte frames
                0 4096 to 8191 byte frames              0 4096 to 8191 byte frames
                0 8192 to 16383 byte frames             0 8192 to 16383 byte frames
                0 16384 to 32767 byte frame             0 16384 to 32767 byte frame
                0 > 32768 byte frames                   0 > 32768 byte frames
                0 Late collision frames                 0 SymbolErr frames
                0 Excess Defer frames                   0 Collision fragments
                0 Good (1 coll) frames                  0 ValidUnderSize frames
                0 Good (>1 coll) frames            319524 InvalidOverSize frames
                0 Deferred frames                       3 ValidOverSize frames
                0 Gold frames dropped                   0 FcsErr frames
                0 Gold frames truncated
                0 Gold frames successful
                0 1 collision frames
                0 2 collision frames
                0 3 collision frames
                0 4 collision frames
                0 5 collision frames
                0 6 collision frames
                0 7 collision frames
                0 8 collision frames
                0 9 collision frames
                0 10 collision frames
                0 11 collision frames
                0 12 collision frames
                0 13 collision frames
                0 14 collision frames
                0 15 collision frames
                0 Excess collision frames

  • Cisco Catalyst 3850 as ntp master

    Hi All,
    I have 2 x Cisco Catalyst 3850 stacked together. What are your recommendations if I use the C3850 as an NTP master for all edge switches connected in my network? All edge switches must be authenticated if they need NTP synchronization. But other than that, what are the downsides?
    For example,
    1. I heard that switches do not have an internal clock, so a switch is a poor device to be a centralized NTP master.
    2. I have also read that switches also have slow CPU processors that may lack the processing required.
    3. Its NTP synchronization will use external NTP servers which are resolved into IP addresses (e.g. pool.ntp.org). IP addresses can change. What other more reliable NTP sources are there?
    4. Any other thoughts and comments are most welcome.

    Firstly, DO NOT use the command "ntp master".  Cisco do not recommend using this command because it will confuse the NTP propagation inside the network.
    Next, all Cisco devices do not have a dedicated clock.  All appliances need to get SNTP/NTP time sync from somewhere.  This "somewhere" could either be a dedicated GPS-based NTP server and/or a time sync somewhere out in the internet.
    You can also use the command "ntp update-calendar".  This new command allows appliances to take regular "snapshots" of the time and save them into the NVRAM.  In case there was a reboot or a power failure, the appliance's time is not too far away instead of waiting 5 to 10 minutes for SNTP/NTP to sync.

  • Port Access Mapping Table

    PORT_ACCESS
    TCP|*|*|192.168.1.121|* \
    $C$[IMTA_LIB:conn_throttle.so,throttle,$1,1]\
    $N421$ Too$ Many$ Connection$E
    Does anyone have any idea what these lines do? Especially, I would like to know whether $1 refers to the 1st "*" or the 2nd "*"??

    I suggest having a look at the improved documentation for 6.1:
    http://docs.sun.com/source/817-6266/filter.html
    A particular IP address can be limited to how often it connects to the MTA by using the shared library, conn_throttle.so in the Port Access mapping table. Limiting connections by particular IP addresses may be useful for preventing excessive connections used in denial-of-service attacks.
    conn_throttle.so is a shared library used in a PORT_ACCESS mapping table to limit MTA connections made too frequently from particular IP addresses. All configuration options are specified as parameters to the connection throttle shared library as follows:
    $[msg_svr_base/lib/conn_throttle.so,throttle,IP-address,max-rate]
    IP-address is the dotted-decimal address of the remote system. max-rate is the connections per minute that shall be the enforced maximum rate for this IP-address.
    The routine name throttle_p may be used instead of throttle for a penalizing version of the routine. throttle_p will deny connections in the future if they've connected too many times in the past. If the maximum rate is 100, and 250 connections have been attempted in the past minute, not only will the remote site be blocked after the first 100 connections in that minute, but they'll also be blocked during the second minute. In other words, after each minute, max-rate is deducted from the total number of connections attempted and the remote system is blocked as long as the total number of connections is greater than the maximum rate.
    If the IP-address specified has not exceeded the maximum connections per minute rate, the shared library callout will fail.
    If the rate has been exceeded, the callout will succeed, but will return nothing. This is done in a $C/$E combination as in the example:
    PORT_ACCESS
    TCP|*|25|*|* \
    $C$[msg_svr_base/lib/conn_throttle.so,throttle,$1,10] \
    $N421$ Connection$ not$ accepted$ at$ this$ time$E
    Where,
    $C continues the mapping process starting with the next table entry; uses the output string of this entry as the new input string for the mapping process.
    $[msg_svr_base/lib/conn_throttle.so,throttle,$1,10] is the library call with throttle as the library routine, $1 as the server IP Address, and 10 the connections per minute threshold.
    $N421$ Connection$ not$ accepted$ at$ this$ time rejects access and returns the 421 SMTP code (transient negative completion) along with the message "Connection not accepted at this time."
    $E ends the mapping process now. It uses the output string from this entry as the final result of the mapping process.

  • PC Voice VLAN Access

    Hi all,
    I've just been testing using Cisco IP Phones with the Linksys SRW224P switch (which does not support CDP and automatic voice VLAN assignment). It's all pretty straightforward, however, I found I needed to enable the "PC Voice VLAN Access" setting for the IP phone to get the PC (attached to the phone) communicating on the network. With this setting disabled, the PC cannot communicate on the network, even if the correct data VLAN ID is configured in the "PC VLAN" setting on the phone. This same issue is also replicated if I disable CDP on a Cisco switch and manually configure the voice VLAN ID on the phone.
    Any ideas as to why this is the case? My understanding of the PC Voice VLAN Access setting is that it enables an attached PC to access the voice VLAN (i.e. tag frames with the voice VLAN ID and send on the voice VLAN, and receive frames on the voice VLAN). The traditional port mirroring issues associated with this setting aren't an issue nowadays, as you now have the additional "Span to PC Port" setting to control this.

    Hi Eric,
    Please make sure you are sniffing the correct interface. For example, if you have more than one interface (such as a wireless IP address or a VPN connection), select the one you want to sniff. Please check the following link, it shows you how to set up a sniffer capture using Wireshark:
    http://wiki.wireshark.org/CaptureSetup
    Regards,
    Teresa.
    If you find this post helpful, please rate! :)

  • Vlan XLT Mapping

    Hello,
    While checking the vPC consistency for type 1 parameters on a port-channel interface, the output shows that "Vlan xlt mapping" is enabled on the peer and not locally.
    However my vPC is up and this mismatch is not being treated as an inconsistency.
    Since we are going to migrate a service to this new C7010 pair, I just want to confirm what this feature really means and whether it is going to have any effect when traffic goes live.
    BIOS:      version 2.12.0
    kickstart: version 6.2(6)
    system:    version 6.2(6)
    Mod  Ports  Module-Type                  Model            Status
    1    24     10 Gbps Ethernet Module      N7K-M224XP-23L   ok
    5    0      Supervisor Module-2          N7K-SUP2E        active *
    10   48     1/10 Gbps Ethernet Module    N7K-F248XP-25E   ok
    sh vpc consistency-parameters vpc 527
        Legend:
            Type 1 : vPC will be suspended in case of mismatch
    Name                    Type  Local Value                          Peer Value
    STP Port Type           1     Default                              Default
    STP Port Guard          1     Default                              Default
    STP MST Simulate PVST   1     Default                              Default
    lag-id                  1     [(1, 0-23-4-ee-be-66, 820f, 0, 0),   [(1, 0-23-4-ee-be-66, 820f, 0, 0),
                                  (fa0, 0-23-4-ee-be-1, 820f, 0, 0)]   (fa0, 0-23-4-ee-be-1, 820f, 0, 0)]
    mode                    1     active                               active
    Speed                   1     10 Gb/s                              10 Gb/s
    Duplex                  1     full                                 full
    Port Mode               1     trunk                                trunk
    Native Vlan             1     1                                    1
    MTU                     1     1500                                 1500
    LACP Mode               1     on                                   on
    Interface type          1     port-channel                         port-channel
    Admin port mode         1     trunk                                trunk
    Vlan xlt mapping        1     Enabled                              -
    vPC+ Switch-id          1     1001                                 1001
    vPC card type           1     Clipper                              Clipper
    Allowed VLANs           -
    Local error VLANs       -     -                                    -

    Can anyone please guide on what vlan-xlt-mapping means on a vpc peer adjacency
     

  • Catalyst 3850 indirectly connected AP

    Does the Cisco Catalyst 3850 with version 3.06.01 support indirectly connected access points?
    Which version does the switch need to support this feature?
    Thanks...

    Duplicate post.  
    Go HERE.

  • Alternate Access Mapping not working for Zone : Intranet

    One of our clients wants to set an Alternate Access Mapping (intranet) with the URL "intranet.theirDomain.com" with a local IP address.
    is it possible?
    Subsequent to my previous question (http://social.technet.microsoft.com/Forums/sharepoint/en-US/3f39711e-301a-40e8-aa7a-855fa2c268b1/alternate-access-mapping-not-working?forum=sharepointadmin)
    I want to ask one more question
    Can we configure "intranet.theirDomain.com" with local IP address for any other zone?
    or
    If there is a ".com" within the URL, can it not be configured for the Intranet zone?
    Thanks
    S H A J A N

    The names for the zones don't matter. You could use the 'extranet' zone for another intranet name if you wanted, the names are just to make it a bit more friendly for beginners.
    What you describe sounds routine, you create a web application with a name, then use an AAM to allow users to access it with a more friendly name. Frequently you end up creating
    http://intranet.domain.com and
    http://intranet as an AAM, or vice versa.
    You can use .com for an intranet site; you would need to add the site as an A (host) record in your DNS server so that traffic is sent to your internal server rather than out into the wider world.

  • Alternative Access Mapping not working "You're not connected to a network"

    Hi *,
    I want to set up alternate access mapping in my SharePoint 2013 development environment.
    My SharePoint is reachable through http://sp2013.
    I created a second web application which listens on port 8080. When I open http://sp2013:8080 everything works fine and I can see my root site collection.
    Next I added through "Add internal URLs" a new URL -> http://sp2013test to the default zone.
    Next I edited the bindings in the IIS application for this web application and added http://sp2013test listening on port 80:
    But it does not work! I get the message "You're not connected to a network" from IE.
    I don't want to have to call my web apps through ports. I want to have web applications which I can call through clear names like http://customerWebApp1, http://customer2WebApp. All via port 80.
    What's wrong here?
    Best Regards
    Bog
    Developers Field Notes | www.bog1.de

    Hi Bob,
    For your issue, try to map the web application URLs to the local loopback address. For that you need to update the hosts file at the path: (C:\Windows\System32\drivers\etc\hosts) 
    Here is a link about Setup Multiple SharePoint Web Applications on Port 80 with Https Binding on Port 443, you can use as a reference:
    http://onlinecoder.blogspot.com/2012/10/setup-multiple-sharepoint-web.html
    Best Regards
    Lisa Chen

  • Alternate Access Mapping not working

    I am trying to configure alternate access mapping in sp2013.
    My default url for site is https://intranet
    My client has given a url https://intranet.theirDomain.com
    When I ping "intranet.theirDomain.com" on their local machine it is returning IP: 192.168.0.87
    When I ping "intranet", it is giving IP: 192.168.0.86
    I have edited the Public Zone URL as follows
    Default: https://intranet
    Intranet: https://intranet.theirDomain.com
    In IIS the following bindings are there.
    https intranet                            443     *
    https intranet.theirDomain.com 443     *
    But still https://intranet.theirDomain.com is not working
    https://intranet is working.
    I hope all are configured correctly.
    Or doing any wrong? please guide me.
    S H A J A N

    It sounds like the 'intranet' A record in the theirDomain.com zone isn't pointed at the correct IP address (192.168.0.86).
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Connection of LC/APC fiber patch cords to Cisco Catalyst 6500 & Cisco Access 3750 Switches

    I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. what type of transceiver should be used?
    I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
    Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"

    Thank you, but my question is that I have a single-mode fiber patch cord with an LC/APC connector, while Cisco states in a note to only use LC/PC or LC/UPC type connectors with SFP+ transceivers.  
    So what type of transceiver should I use to connect an LC/APC patch cord to Cisco switches?  Is there another type, or can SFP+ still be used? 
