Catalyst 6500 with CatOS ISCSI

Hi, I'm configuring a Catalyst 6500 for iSCSI.
Following the recommendations, I have to configure: portfast, jumbo frames, flow control and disable unicast storm control.
- Portfast: on the server and ISCSI SAN ports
    > set spantree portfast
- Jumbo frames: Set port jumbo
- Flow Control:
     > set port flow control receive desired
Questions:
1. Where do I have to configure flow control? Only on the SAN ports and NIC servers, or server ports too?
2. Unicast storm control: how can I configure this option?
Thanks

We are having the same exact problem. We've done what you've tried with no luck also. Strange thing is that in another building we have the same setup but only with a 6148V blade and that Tandberg has no issues. We're using a 6148AF with the one we're having problems with. We've tried with a 6348 blade and it works fine. I'm thinking it's something with the 6148AF firmware (ver. 8.2(2)).
Were you able to solve your problem?

Similar Messages

  • Hi, I have a Catalyst 6500 with X6K-SUP2-2ge, the IOS and bootloader image have been wiped out, it starts in ROMmon SP mode and can't switch to RP to start downloading the IOS using Xmodem, though it shouldn't work in ROMmon SP mode but the xmodem is not giving the

    Hi, I have a Catalyst 6500 with X6K-SUP2-2ge. The IOS and bootloader image have been wiped out, it starts in ROMmon SP mode and I can't switch to RP to start downloading the IOS using Xmodem. Xmodem shouldn't work in ROMmon SP mode, but it's not giving the not executable message. The slot0: and disk0: are not accessible and I can't see the files inside; when I try dir slot0: or dir disk0: it says it can't be opened, and when I try to boot from them there's nothing as well. What can I do to load an IOS image to the bootflash: or slot0:? Each time I load the image using Xmodem, at the end it gives me *** System received a Software forced crash ***
    signal=0x17, code=0x5, context=0x0
    When I run the command:
    rommon1> boot bootflash:
    boot: cannot determine first file name on device "bootflash:"
    rommon2> boot slot0:
    boot: cannot open "slot0:"
    boot: cannot determine first file name on device "slot0:"
    BTW  System Bootstrap, version 7.1
    I'm looking to format the PCMCIA using a PC, format it to FAT16, copy the boot image onto it and then try to load from the PCMCIA. Afterward, if it works, I'll format it using the Supervisor Engine 2.
    Does anyone have another new idea I can use? Thanks in advance.

    This is a potentially complex issue.
    Is this SUP configured to run as IOS native or CatOS Hybrid?
    While in ROMMON can you do the 'dev' command and see what drives are recognized. Then 'dir' the drives that the SUP recognizes.
    Can you provide the screen captures as it boots?
    You would be better served by having a TAC case.

  • LMS 4.2.3: Catalyst 6500 with SUP-2T is invisible in Inventory

    Catalyst 6506 with SUP-2T (s2t54-advipservicesk9-mz.SPA.151-1.SY1.bin) was discovered by LMS, but it is invisible in Inventory. I see this switch on Topology and Cisco View is working fine, but I have never seen it in the Hardware Summary tab, for example. How can I fix this problem?

    That's odd.
    I'd imagine your system package updates are current given that you're on 4.2.3. Just in case, you would check via Admin > System > Software Center > Device Update. Check the Inventory Config And Image Management check box, and click Check for Updates.
    Once that's confirmed, please let us know whether it shows up at all in the DCR Inventory. (Reference) If not, what if you add it manually there?

  • EtherChannel load-balance on Catalyst 6500 running CatOS

    I know EtherChannel load balancing can use either MAC addresses, IP addresses, or the TCP port numbers.
    1 Can I config it to make sure every port under the same Channel group has the same traffic utilization?
    2 If one of the EtherChannel physical ports has more traffic than its physical bandwidth, why can't the switch use another EtherChannel physical port to share the traffic?

    Normally it will fairly well balance the traffic. There is no way to make sure each channel is exactly the same utilization-wise. You can look at how it is load balanced and make a change from, say, MAC to IP address if it looks like you aren't getting the balance you want. It would be very rare that you are going to fill one port on the channel without filling the rest almost the same. Exceptions would be if most of your traffic is headed to one place like a certain server; even then, if you used IP addresses in both directions as the load balance I think it would balance out pretty good. If it got to that point where one link was almost filled you would have to think about adding another port to the channel. This is a real good page: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml

  • Telnet problem of Cat6509 with CatOS 6.4 (8)

    When I telnet to a Catalyst 6509 with CatOS 6.4 (8), first nothing appears, then after pressing Enter it shows the screen with 2 "Enter password:" prompts. This behavior prevents CiscoWorks from updating configuration on these devices. Does anyone have an idea how to resolve this problem?
    Thank you in advance.

    Take a look at the following bug
    http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCed45576
    You will need to upgrade CAT OS to get past this bug.

  • Cisco Catalyst 6500 version 12.2(33)SXI13 configured as DHCP server for a VLAN responds to Windows 7 client with status code NOA

    Can anyone help figure out why the Catalyst 6509 is not able to assign an IPv6 address? Thank you.
    Cisco Catalyst 6500 version 12.2(33)SXI13 configured as DHCP server for a VLAN responds to Windows 7 client with status code NOADDRS-AVAIL(2). My configuration on the 6500 for the DHCPv6 server is:
    ipv6 dhcp database disk0://DHCPV6-DB
    ipv6 dhcp pool VLAN206IPV6
     prefix-delegation pool VLAN206IPV6-POOL
     dns-server 2620:B700:0:1001::53
     domain-name global.bio.com
    ipv6 local pool VLAN206IPV6-POOL 2620:B700:0:12C7::/65 65
    interface Vlan206
     description *** IPv6 Subnet ***  
     ip address 10.2.104.2 255.255.255.0
     ipv6 address 2620:B700:0:12C7::2/64
     ipv6 nd prefix 2620:B700:0:12C7::/64 14400 14400 no-autoconfig
     ipv6 nd managed-config-flag
     ipv6 dhcp server VLAN206IPV6
     standby version 2
     standby 0 ip 10.2.104.1
     standby 0 preempt
     standby 6 ipv6 2620:B700:0:12C7::1/64
     standby 6 preempt
    I'm getting a result from my debug as follows:
    Apr 10 16:28:02.873 PDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:02.873 PDT: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:02.877 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Received SOLICIT from FE80::5D5E:7EBD:CDBF:2519 on Vlan206
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
    Apr 10 16:28:03.861 PDT:   src FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
    Apr 10 16:28:03.861 PDT:   dst FF02::1:2
    Apr 10 16:28:03.861 PDT:   type SOLICIT(1), xid 8277025
    Apr 10 16:28:03.861 PDT:   option ELAPSED-TIME(8), len 2
    Apr 10 16:28:03.861 PDT:     elapsed-time 101
    Apr 10 16:28:03.861 PDT:   option CLIENTID(1), len 14
    Apr 10 16:28:03.861 PDT:     00010001195FD895F01FAF10689E
    Apr 10 16:28:03.861 PDT:   option IA-NA(3), len 12
    Apr 10 16:28:03.861 PDT:     IAID 0x0FF01FAF, T1 0, T2 0
    Apr 10 16:28:03.861 PDT:   option UNKNOWN(39), len 32
    Apr 10 16:28:03.861 PDT:   option VENDOR-CLASS(16), len 14
    Apr 10 16:28:03.861 PDT:   option ORO(6), len 8
    Apr 10 16:28:03.861 PDT:     DOMAIN-LIST,DNS-SERVERS,VENDOR-OPTS,UNKNOWN
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Option IA-NA(3) is not supported yet
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Sending ADVERTISE to FE80::5D5E:7EBD:CDBF:2519 on Vlan206
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
    Apr 10 16:28:03.861 PDT:   src FE80::21D:E6FF:FEE4:4400
    Apr 10 16:28:03.861 PDT:   dst FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
    Apr 10 16:28:03.861 PDT:   type ADVERTISE(2), xid 8277025
    Apr 10 16:28:03.861 PDT:   option SERVERID(2), len 10
    Apr 10 16:28:03.865 PDT:     00030001001DE6E44400
    Apr 10 16:28:03.865 PDT:   option CLIENTID(1), len 14
    Apr 10 16:28:03.865 PDT:     00010001195FD895F01FAF10689E
    Apr 10 16:28:03.865 PDT:   option STATUS-CODE(13), len 15
    Apr 10 16:28:03.865 PDT:     status code NOADDRS-AVAIL(2)
    Apr 10 16:28:03.865 PDT:     status message: NOADDRS-AVAIL

    Hello,
    maybe hitting the following bug.
    IPv6 Address Assignment Support for IPv6 DHCP Server
    CSCse81385
    Hope this helps
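
The debug output quoted in this thread can be read mechanically. The sketch below is an added example, not code from the thread: it parses an excerpt of the quoted debug lines, pairs SOLICIT and ADVERTISE by xid, decodes the DUIDs (RFC 8415 layout) to recover the link-layer addresses, and reports address requests answered with NOADDRS-AVAIL. Function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the debug output quoted in the thread above, trimmed to the
# lines this parser reads.
DEBUG_LOG = """\
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Received SOLICIT from FE80::5D5E:7EBD:CDBF:2519 on Vlan206
Apr 10 16:28:03.861 PDT:   type SOLICIT(1), xid 8277025
Apr 10 16:28:03.861 PDT:   option CLIENTID(1), len 14
Apr 10 16:28:03.861 PDT:     00010001195FD895F01FAF10689E
Apr 10 16:28:03.861 PDT:   option IA-NA(3), len 12
Apr 10 16:28:03.861 PDT:     IAID 0x0FF01FAF, T1 0, T2 0
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Option IA-NA(3) is not supported yet
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Sending ADVERTISE to FE80::5D5E:7EBD:CDBF:2519 on Vlan206
Apr 10 16:28:03.861 PDT:   type ADVERTISE(2), xid 8277025
Apr 10 16:28:03.861 PDT:   option SERVERID(2), len 10
Apr 10 16:28:03.865 PDT:     00030001001DE6E44400
Apr 10 16:28:03.865 PDT:   option STATUS-CODE(13), len 15
Apr 10 16:28:03.865 PDT:     status code NOADDRS-AVAIL(2)
"""

PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:.]+\s+[A-Z]+:\s?(.*)$")   # timestamp + zone
HEADER = re.compile(r"IPv6 DHCP: (Received|Sending) (\S+) (?:from|to) (\S+) on (\S+)")
TYPE = re.compile(r"type (\S+)\(\d+\), xid (\d+)")
OPTION = re.compile(r"option ([A-Z-]+)\((\d+)\), len (\d+)")
STATUS = re.compile(r"status code ([A-Z-]+)\((\d+)\)")
HEXVAL = re.compile(r"^[0-9A-Fa-f]+$")
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_duid(hex_str):
    """Decode DUID-LLT (type 1) and DUID-LL (type 3); other types stay raw."""
    raw = bytes.fromhex(hex_str)
    duid_type = int.from_bytes(raw[0:2], "big")
    hw_type = int.from_bytes(raw[2:4], "big")
    if duid_type == 1 and len(raw) > 8:
        seconds = int.from_bytes(raw[4:8], "big")
        return {"type": "DUID-LLT", "hw_type": hw_type,
                "time": DUID_EPOCH + timedelta(seconds=seconds),
                "link_layer": _mac(raw[8:])}
    if duid_type == 3 and len(raw) > 4:
        return {"type": "DUID-LL", "hw_type": hw_type, "link_layer": _mac(raw[4:])}
    return {"type": f"type-{duid_type}", "raw": hex_str}


def parse_debug(text):
    """Turn the debug lines into one dict per DHCPv6 message."""
    messages, current, last_opt = [], None, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        if (h := HEADER.match(body)):
            current = {"direction": h.group(1), "type": h.group(2),
                       "peer": h.group(3), "interface": h.group(4),
                       "xid": None, "options": {}, "status": None}
            messages.append(current)
            last_opt = None
        elif current is None:
            continue
        elif (t := TYPE.match(body)):
            current["xid"] = int(t.group(2))
        elif (o := OPTION.match(body)):
            last_opt = o.group(1)
            current["options"][last_opt] = None
        elif (s := STATUS.match(body)):
            current["status"] = s.group(1)
        elif last_opt in ("CLIENTID", "SERVERID") and HEXVAL.match(body):
            current["options"][last_opt] = decode_duid(body)
    return messages


def failed_address_requests(messages):
    """SOLICITs carrying IA-NA whose ADVERTISE (same xid) says NOADDRS-AVAIL."""
    solicits = {m["xid"]: m for m in messages
                if m["type"] == "SOLICIT" and "IA-NA" in m["options"]}
    findings = []
    for m in messages:
        req = solicits.get(m["xid"])
        if m["type"] == "ADVERTISE" and req and m["status"] == "NOADDRS-AVAIL":
            client = req["options"].get("CLIENTID") or {}
            findings.append({"xid": m["xid"], "interface": req["interface"],
                             "client_link_local": req["peer"],
                             "client_mac": client.get("link_layer"),
                             "status": m["status"]})
    return findings


if __name__ == "__main__":
    for finding in failed_address_requests(parse_debug(DEBUG_LOG)):
        print(finding)
```

The decoded client DUID ties the link-local source address in the SOLICIT to a hardware address, which is the field to correlate against switch MAC tables when tracing which host made the request.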

  • Two Nexus 5020 vPC etherchannel with Two Catalyst 6500 VSS

    Hi,
    we are fighting with a 40 Gbps etherchannel between 2 Nx 5000 and 2 Catalyst 6500 but the etherchannel never comes up. Here is the config:
    NK5-1
    interface port-channel30
      description Trunk hacia VSS 6500
      switchport mode trunk
      vpc 30
      switchport trunk allowed vlan 50-54
      speed 10000
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30
    NK5-2
    interface port-channel30
      description Trunk hacia VSS 6500
      switchport mode trunk
      vpc 30
      switchport trunk allowed vlan 50-54
      speed 10000
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    Catalyst 6500 VSS
    interface Port-channel30
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    interface TenGigabitEthernet2/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet2/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet1/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet1/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    The "Show vpc 30" is as follows
    N5K-2# sh vpc 30
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  success     success                    -         
    But the "Show vpc Consistency-parameters vpc 30" is
    N5K-2# sh vpc consistency-parameters vpc 30
        Legend:
            Type 1 : vPC will be suspended in case of mismatch
    Name                             Type  Local Value            Peer Value            
    Shut Lan                              1     No                     No                   
    STP Port Type                    1     Default                Default              
    STP Port Guard                  1     None                   None                 
    STP MST Simulate PVST 1     Default                Default              
    mode                                    1     on                     -                    
    Speed                                  1     10 Gb/s                -                    
    Duplex                                   1     full                   -                    
    Port Mode                            1     trunk                  -                    
    Native Vlan                           1     1                      -                    
    MTU                                       1     1500                   -                    
    Allowed VLANs                    -     50-54                  50-54                
    Local suspended VLANs    -     -                      -         
    We will appreciate any advice,
    Thank you very much for your time...
    Jose

    Hi Lucien,
    here is the "show vpc brief"
    N5K-2# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                   : 5  
    Peer status                     : peer adjacency formed ok     
    vPC keep-alive status           : peer is alive                
    Configuration consistency status: success
    Per-vlan consistency status     : success                      
    Type-2 consistency status       : success
    vPC role                        : secondary                    
    Number of vPCs configured       : 2  
    Peer Gateway                    : Disabled
    Dual-active excluded VLANs      : -
    Graceful Consistency Check      : Enabled
    vPC Peer-link status
    id   Port   Status Active vlans   
    1    Po5    up     50-54                                                   
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  success     success                    -         
    31     Po31        down*  failed      Consistency Check Not      -         
                                          Performed                            
    *************************************************************************+
    *************************************************************************+
    N5K-1# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                   : 5  
    Peer status                     : peer adjacency formed ok     
    vPC keep-alive status           : peer is alive                
    Configuration consistency status: success
    Per-vlan consistency status     : success                      
    Type-2 consistency status       : success
    vPC role                        : primary                      
    Number of vPCs configured       : 2  
    Peer Gateway                    : Disabled
    Dual-active excluded VLANs      : -
    Graceful Consistency Check      : Enabled
    vPC Peer-link status
    id   Port   Status Active vlans   
    1    Po5    up     50-54                                                   
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  failed      Consistency Check Not      -         
                                          Performed                            
    31     Po31        down*  failed      Consistency Check Not      -         
                                          Performed             
    I have changed the lacp on both devices to active:
    On Nexus N5K-1/-2
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30 mode active
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30 mode active    
    On Catalyst 6500
    interface TenGigabitEthernet2/1/2-3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    switchport mode trunk
    channel-protocol lacp
    channel-group 30 mode active
    interface TenGigabitEthernet1/1/2-3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    switchport mode trunk
    channel-protocol lacp
    channel-group 30 mode active
    Thanks for your time.
    Jose

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline vlan pair mode with IDSM-2. What configuration should be done on the switch in order for the multiple vlan traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user vlans and 1 server vlan on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 vlans when they access the servers. But as we know, the IDSM-2 has only two logical sensing ports. So my question is: how will you configure the switch to forward the traffic from these 16 vlans to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server vlan? As far as I know, when you configure inline mode on IOS, you have to configure the sensing ports in access mode (while in CatOS, you configure these as TRUNK ports). That will work when you have only two vlans, but in my case I have 16 vlans to monitor in inline mode. Please suggest any solution.
    Any urgent reply will be much grateful...
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interfaces GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin

  • Replacement catalyst 6500 switches under redundancy environment

    Hi everyone,
    I plan to replace old core catalyst 6500 switches with new ones for the purpose of reinforcement.
    Now two core catalyst 6500 switches are working under redundancy environment.
    There are many catalyst 6500 switches as distribution switch connect to each core catalyst
    6500 switches as attached.
    I think there are two ways to replace core catalyst 6500 switches.
    [One]
    Replacing one core catalyst 6500 switch first, then one week later, replacing the other core
    catalyst 6500 switch. All traffic will be handled by the other core catalyst 6500 switch automatically
    by EIGRP routing during replacement.
    Advantage:
    The other core catalyst 6500 switch continues operating even if the replacement fails.
    Disadvantage:
    Two core catalyst 6500 switches will operate with different versions (CatOS, MSFC IOS) for one week.
    Problems might happen due to this.
    [Two]
    Replacing both core catalyst 6500 switches at the same time.
    Advantage:
    Replacement will be finished at one time
    Disadvantage:
    If the replacement fails, the whole network goes down and it causes a critical situation.
    I have to replace successfully so I would like know good information about this, such as
    best practice, case study and so on.
    Your information would be greatly appreciated.
    Best regards,

    Hi,
    If I were you, I would go for option 1.
    This option will give us the time to observe the traffic pattern, time to get the network and EIGRP to stabilize and even to check for any issues on the IOS part.
    This will give you a time frame to work out any issue if it happens in between the week's time. This will give you the time to see any incompatibility issues as such.
    HTH, Please rate if it does.
    -amit singh

  • Connection of LC/APC fiber patch cords to Cisco Catalyst 6500 & Cisco Access 3750 Switches

    I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. What type of transceiver should be used?
    I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
    Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"

    Thank you,  but my question is that I have a single mode fiber patch cord with LC/APC connector while cisco stating a note that only use LC/PC or LC/UPC type of connectors with SFP+ transceiver.  
    So what type of transceiver should I use to connect LC/APC patch cord to cisco switches?  Is there another type or SFP+ still can be used? 

  • QoS on Catalyst 6500

    We have the following QoS config running on Edge, Distributions and Cores and got the following error.
    “priority command is not supported in output direction for this interface
    Configuration failed on: Port-channel”
    We had opened a TAC case and they said ” PFC QoS does not support these policy map class commands:
    bandwidth
    priority
    queue-limit
    random-detect
    set qos-group
    service-policy
    How can we prioritize VoIP traffic? On our monitoring application, it says the queues are empty. Even if the priority command is not working there should be traffic in the queue. Different versions of supervisors in Distribution (Sup720) and Cores (Sup2).
    Any suggestions? Attached document gives Config details.

    Are your Access Layer switches also 6500s? What Supervisor(s) are running in your 6500s & what CatOS or CatIOS are you running?
    It sounds like you are redefining your trust boundary at every layer (Access, Distribution, Core). Did you get a chance to look over this SRND document?
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
    Here's an example of our L2 6513 with a WS-X6724 which has 1p3q8t for QoS Scheduling:
    interface GigabitEthernet1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    no ip address
    logging event link-status
    logging event bundle-status
    logging event trunk-status
    wrr-queue bandwidth 5 25 70
    wrr-queue queue-limit 5 25 40
    wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
    wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
    wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
    wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
    wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
    wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
    wrr-queue cos-map 1 1 1
    wrr-queue cos-map 2 1 0
    wrr-queue cos-map 3 1 4
    wrr-queue cos-map 3 2 2
    wrr-queue cos-map 3 3 3
    wrr-queue cos-map 3 4 6
    wrr-queue cos-map 3 5 7
    priority-queue cos-map 1 5
    udld port
    mls qos trust dscp
    rmon collection stats 6001 owner monitor
    channel-group 2 mode desirable non-silent
    interface Port-channel2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    no ip address
    mls qos trust dscp
    We also use NetMRI and you're correct, because the Cat 6500 PFC performs classification, marking, mapping, and policing functions, but the queuing and dropping policies are administered by the line cards, there are no MIBs for NetMRI to poll.
    HTH
    Steve

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP Route between 2 vlans, instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.
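
The pairing scheme in the two IDSM-2 threads above (the single 200/201 helper pair and the CatOS plan that adds 500 to each monitored VLAN) can be checked before touching the switch. This is an added example, not code from either post; the function names and the `in_use` parameter are illustrative, and the emitted commands are the ones quoted in the posts.

```python
# VLANs 1002-1005 are the Catalyst default Token Ring/FDDI VLANs and cannot be reused.
RESERVED = set(range(1002, 1006))


def parse_vlans(spec):
    """Expand '10-20,300-310' into a sorted list of VLAN IDs (ranges inclusive)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)


def compress(vlans):
    """Collapse VLAN IDs back into the 'a-b,c' form used on trunk commands."""
    out, run = [], []
    for v in sorted(set(vlans)) + [None]:
        if run and (v is None or v != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if v is not None:
            run.append(v)
    return ",".join(out)


def plan_pairs(monitored, offset, in_use=()):
    """Pair each monitored VLAN with a helper VLAN at monitored + offset.

    in_use lists VLANs that already carry hosts. A helper must be an empty
    VLAN: as the first answer notes, hosts placed in it are not inspected.
    All problems are collected and raised together as one ValueError.
    """
    monitored = sorted(set(monitored))
    taken = set(monitored) | set(in_use)
    pairs, problems = [], []
    for vlan in monitored:
        helper = vlan + offset
        if not 2 <= helper <= 4094 or helper in RESERVED:
            problems.append(f"helper {helper} for VLAN {vlan} is not a usable VLAN ID")
        elif helper in taken:
            problems.append(f"helper {helper} for VLAN {vlan} is already in use")
        else:
            pairs.append((vlan, helper))
            taken.add(helper)
    if problems:
        raise ValueError("; ".join(problems))
    return pairs


def catos_trunk(sensor_port, pairs):
    """CatOS trunk line carrying both halves of every pair to the sensor port."""
    vlans = [v for pair in pairs for v in pair]
    return f"set trunk {sensor_port} {compress(vlans)}"


def sensor_subinterfaces(pairs):
    """inline-vlan-pair subinterface lines for the IDSM-2, one block per pair."""
    lines = []
    for n, (vlan, helper) in enumerate(pairs, start=1):
        lines += [f"subinterface {n}", f"vlan1 {vlan}", f"vlan2 {helper}", "exit"]
    return lines


if __name__ == "__main__":
    # Ranges and offset from the CatOS answer; the ranges are inclusive,
    # so 10-20 and 300-310 expand to 11 VLANs each.
    pairs = plan_pairs(parse_vlans("10-20,300-310"), offset=500)
    print(len(pairs), "pairs")
    print(catos_trunk("5/7", pairs))
    print("\n".join(sensor_subinterfaces(pairs)[:8]))
```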

  • Modules Gbic Catalyst 6500

    I have a peculiar problem with two gbic modules of Catalyst 6500.
    First problem, I have a gbic port in module 7, which was a trunkport to Catalyst 2950, that does not allow conection to switch Catalyst 2950, and besides it harmed the yield of Catalyst 6500. I have to disconnect the optical fiber cable so that everything returned to normality.
    Second problem. A port gbic in module 8, I let work and I disconnect of the network to one of the servants, by such reason I had to connect the fiber cable in another one gbic of he himself I module.
    My question is: is necessary to change I modulate 7 and 8 not to have network problems on watch? or single to change gbic affected in each one of the modules?
    Thank you,

    Failure to get GBIC up during installation could be as a result of system requirements not met, incorrect cable installed, lack of power to the device, configuration errors or hardware failure. Verify that the GBIC cable is connected to another active network device and that the port is not shut down. Replace cable with a known good cable. Make sure GBICs are matched on either side of the connection. Make sure the flow control and port negotiation settings are consistent on both sides of the link. There may be incompatibilities in the implementation of these features if the switches being connected are from different vendors. If in doubt, turn these features off on both switches. Swap GBIC to a different slot. Also, try using a spare GBIC to see if it works. For more information, refer to Troubleshooting link :
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_installation_guide_chapter09186a00800d7681.html

  • 15.1(2)SY1 on Catalyst 6500

    Hi,
    We are planning to upgrade two of our Catalyst 6500 switches to version 15.1(2)SY1 Advanced IP Services.
    The switches have dual supervisors and are currently running version 12.2(33)SXI11, but we have faced some issues and would also like to enable some new features (e.g. BFD). The switches are running a fairly simple configuration with OSPF, MPLS and MP-BGP with about 30 VRFs.
    Are you aware of any major issues with 15.1(2)SY1 and would discourage the planned upgrade? I am aware that the version was only released in December, but since there are many bug fixes I thought this version might be better than e.g. 15.1(2)SY.
    Thanks in advance for your help!
    Best regards,
    Harry

    We replaced all (~ x20) our Sup720 (SXI4a) with Sup2T during late 2012 & running with Advance Enterprise 15.0(1)SY image. We did not have any issues with that code & still many of our distribution switches running on that code.
    Then we upgraded two core switches with 15.1(1)SY mid last year and another two core switches to 15.1(2)SY late last year to accommodate WS-X6904-40G. With both of these new code we had couple of bugs still not proper fix
    CSCue58955: sup2t: LC file systems are not destroyed in Active upon reset"%SNMP-3-INPUT_QFULL_ERR: Packet dropped
    There is workaround for this, but that will impact netflow data if you are using that.
    For me 15.0(1)SY is much better for Enterprise environment (based on my experience) compared to the two latest. But due to certain limitation we have to go for this newer codes whether you like it or not.
    These bugs may be not related to you if you are not running Sup2T, anyway just thought to share this experience
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Connecting Nexus 5548 to Catalyst 6500 VS S720 - 10 G

    Good day,
    Could anyone out there please assist me with basic connectivity/configuration of the 2 devices for the 2 devices to communicate, e.g. be able to ping each other's management interfaces.
    Nexus Configuration:
    vrf context management
      ip route 0.0.0.0/0 10.200.1.4
    vlan 1
    interface mgmt0
      ip address 10.200.1.2/16
    Catalyst 6500:
    interface Vlan1
    description Nexus
    ip address 10.200.1.4 255.255.0.0
    interface TenGigabitEthernet5/4
    switchport
    Note: I am able to get all the devices through SH CDP NEIG command. Assist please.

    Nexus# sh ip int mgmt0
    IP Interface Status for VRF "management"(2)
    mgmt0, Interface status: protocol-up/link-up/admin-up, iod: 2,
    IP address: 10.13.37.201, IP subnet: 10.13.37.128/25
    IP broadcast address: 255.255.255.255
    IP multicast groups locally joined: none
    IP MTU: 1500 bytes (using link MTU)
    IP primary address route-preference: 0, tag: 0
    IP proxy ARP : disabled
    IP Local Proxy ARP : disabled
    IP multicast routing: disabled
    IP icmp redirects: enabled
    IP directed-broadcast: disabled
    IP icmp unreachables (except port): disabled
    IP icmp port-unreachable: enabled
    IP unicast reverse path forwarding: none
    IP load sharing: none
    IP interface statistics last reset: never
    IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets : 0/83401/0/20/20
    Unicast bytes : 0/8083606/0/1680/1680
    Multicast packets : 0/18518/0/0/0
    Multicast bytes : 0/3120875/0/0/0
    Broadcast packets : 0/285/0/0/0
    Broadcast bytes : 0/98090/0/0/0
    Labeled packets : 0/0/0/0/0
    Labeled bytes : 0/0/0/0/0
    Nexus# sh cdp nei
    Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
    S - Switch, H - Host, I - IGMP, r - Repeater,
    V - VoIP-Phone, D - Remotely-Managed-Device,
    s - Supports-STP-Dispute
    Device-ID Local Intrfce Hldtme Capability Platform Port ID
    3560 mgmt0 178 S I WS-C3560-24PS Fas0/23
    6500 Eth1/32 135 R S I WS-C6509-E Ten5/4
    Nexus# ping 10.13.37.201 vrf management
    PING 10.13.37.201 (10.13.37.201): 56 data bytes
    64 bytes from 10.13.37.201: icmp_seq=0 ttl=255 time=0.278 ms
    64 bytes from 10.13.37.201: icmp_seq=1 ttl=255 time=0.174 ms
    64 bytes from 10.13.37.201: icmp_seq=2 ttl=255 time=0.169 ms
    64 bytes from 10.13.37.201: icmp_seq=3 ttl=255 time=0.165 ms
    64 bytes from 10.13.37.201: icmp_seq=4 ttl=255 time=0.165 ms
    --- 10.13.37.201 ping statistics ---
    5 packets transmitted, 5 packets received, 0.00% packet loss
    round-trip min/avg/max = 0.165/0.19/0.278 ms
    Nexus# ping 10.13.37.202
    PING 10.13.37.202 (10.13.37.202): 56 data bytes
    ping: sendto 10.13.37.202 64 chars, No route to host
    Request 0 timed out
    ping: sendto 10.13.37.202 64 chars, No route to host
    Request 1 timed out
    ping: sendto 10.13.37.202 64 chars, No route to host
    Request 2 timed out
    ping: sendto 10.13.37.202 64 chars, No route to host
    Request 3 timed out
    ping: sendto 10.13.37.202 64 chars, No route to host
    Request 4 timed out
    --- 10.13.37.202 ping statistics ---
    5 packets transmitted, 0 packets received, 100.00% packet loss
    Nexus# ping 10.13.37.203
    PING 10.13.37.203 (10.13.37.203): 56 data bytes
    ping: sendto 10.13.37.203 64 chars, No route to host
    Request 0 timed out
    ping: sendto 10.13.37.203 64 chars, No route to host
    Request 1 timed out
    ping: sendto 10.13.37.203 64 chars, No route to host
    Request 2 timed out
    ping: sendto 10.13.37.203 64 chars, No route to host
    Request 3 timed out
    ping: sendto 10.13.37.203 64 chars, No route to host
    Request 4 timed out
    --- 10.13.37.203 ping statistics ---
    5 packets transmitted, 0 packets received, 100.00% packet loss
    3560#ping 10.13.37.201
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.13.37.201, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    Note: Now I want to be able to ping Nexus (10.13.37.201) from the 6509 (10.13.37.203), and again be able to ping both the 3560 (10.13.37.202) and 6509 (10.13.37.203) from the Nexus please. How can I do that? I can ping nexus from 3560 as shown above.
