Cisco 4500X + VSS + Trust Sec Switch to Switch Encryption
Hi,
actually im testing and evaluationg the Cisco 4500X switch as new distribution switch for our Company.... Now i have some issues with one of our requirements.
For security reasons i need to encrypt the links between the 4500X and the access switches in other buildings (no issue with Trust Sec)
But ... now i also need to encrypt the link between the two 4500X if i run VSS ... my question is .. is it possible to encrypt the VSL link with TrustSec Switch to Switch encryption?
BR,
Florian
Hi Frloian,
If you have 2 switches in different data centers than you do not need VSS. In fact this is very bad design as the whole concept of VSS is grasped on dual home design. In the essence the proper design of VSS system is to have every downsteram switch connected with one link to one VSS switch and other link to second VSS switch, so that when one VSS switch would fail other can take over. Please look at the VSS best practises:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109547-vss-best-practices.html#vss_best
Update:
There is possibility to encrypt VSL link, but only in 6500 sup2t environment:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/virtual_switching_systems.html#wp1341144
Similar Messages
-
Cisco 4500X VSS & MEC Cisco 2960X
Hi
I have Cisco 4500x VSS connect to MEC Cisco 2960X using LACP.
I encountered a problem about C2960X
Integration reason
1.C2960X Ten 1/0/2 link flapping interface error-disable . I am disable interface then enable interface , switch show SFP not Present .
Te1/0/2 notconnect 1 full 10G Not Present. (SPF plug-in Correct)
2.use CLI reload C2960X , Ten 1/0/1 ,Ten 1/0/2 notconnect SPF Not Present. (SPF plug-in Correct)
error message :
Dec 18 12:40:25.250: %SYS-5-CONFIG_I: Configured from console by console
Dec 18 12:41:48.888: % ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization. This product may contain software that was copied in violation of Cisco's license terms. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.
26F_guest_switch#show license
Index 1 Feature: lanlite
Period left: 0 minute 0 second
Index 2 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
3.C2960X power Cycle ,C2960X operation normal, ,but recurring problems every day.
I do not know where the problem , I have upgrade C2960X IOS but it had same problem.
Cisco 2960X IOS version: 15.2(3)E C2960X-UNIVERSALK9-M
Cisco 4500X IOS version: cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
Thanks for your help,Hi Reza,
Thanks for your help
I can not confirm that because I have a few switch have the same problem.
C2960X 10G port 1 is connected to C4500X slot 1, Port 2 is connected to C4500X Slot2.
link flapping, On the switch port 2.
I need to do a more precise test to confirm the problem is C2960X or 4500VSS -
i configure vss on 4500x ,with one switch is active and the other switch go into recovery mode,with all port except the vsl links in the amber orange,shutdown,
i want to make two switch into active state,some one could help in this.
the configuration which i used is below
itch virtual domain 100
switch 1
exit
switch virtual domain 100
switch 2
exit
interface port-channel 10
switchport
switch virtual link 1
no shut
exit
interface port-channel 20
switchport
switch virtual link 2
no shut
exit
int range tengigabitethernet 1/15 - 16
switchport
switchport mode trunk
switchport nonegotiate
no shut
channel-group 10 mode on
int range tengigabitethernet 1/15 - 16
switchport
switchport mode trunk
switchport nonegotiate
no shut
channel-group 20 mode on
switch convert mode virtual
switch convert mode virtuali can share two core switch configuration which is there
please suggest if something which i misconfigured and need to be corrected.
TAKAFUL-CORE-01#show run
Building configuration...
Current configuration : 7510 bytes
! Last configuration change at 01:57:12 UTC Sun Aug 10 2014
version 15.2
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
hostname TAKAFUL-CORE-01
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
boot-end-marker
vrf definition mgmtVrf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
username admin privilege 15 password 7 104F0D140C19
no aaa new-model
switch virtual domain 100
switch mode virtual
mac-address use-virtual
no dual-active detection pagp
no ip source-route
ip vrf Liin-vrf
no ip domain-lookup
ip dhcp pool management
network 10.2.20.0 255.255.255.0
default-router 10.2.20.2
option 43 ascii "10.2.20.1"
ip dhcp pool Data
network 10.3.30.0 255.255.255.0
default-router 10.3.30.2
dns-server 4.2.2.2 8.8.8.8
ip dhcp pool Voice
network 10.1.10.0 255.255.255.0
default-router 10.1.10.2
ip dhcp pool wireless
network 10.4.40.0 255.255.255.0
default-router 10.4.40.2
dns-server 4.2.2.2 8.8.8.8
no ip bootp server
ip device tracking
power redundancy-mode redundant
mac access-list extended VSL-BPDU
permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
permit any any 0x888E
mac access-list extended VSL-GARP
permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
permit any host 0180.c200.000e
mac access-list extended VSL-SSTP
permit any host 0100.0ccc.cccd
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
redundancy
mode sso
vlan internal allocation policy ascending
class-map match-any VSL-MGMT-PACKETS
match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
match any
class-map match-any VSL-L2-CONTROL-PACKETS
match access-group name VSL-DOT1x
match access-group name VSL-BPDU
match access-group name VSL-CDP
match access-group name VSL-LLDP
match access-group name VSL-SSTP
match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
match access-group name VSL-IPV4-ROUTING
match access-group name VSL-BFD
match access-group name VSL-DHCP-CLIENT-TO-SERVER
match access-group name VSL-DHCP-SERVER-TO-CLIENT
match access-group name VSL-DHCP-SERVER-TO-SERVER
match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
match dscp af41
match dscp af42
match dscp af43
match dscp af31
match dscp af32
match dscp af33
match dscp af21
match dscp af22
match dscp af23
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
match dscp ef
match dscp cs4
match dscp cs5
class-map match-any VSL-SIGNALING-NETWORK-MGMT
match dscp cs2
match dscp cs3
match dscp cs6
match dscp cs7
policy-map VSL-Queuing-Policy
class VSL-MGMT-PACKETS
bandwidth percent 5
class VSL-L2-CONTROL-PACKETS
bandwidth percent 5
class VSL-L3-CONTROL-PACKETS
bandwidth percent 5
class VSL-VOICE-VIDEO-TRAFFIC
bandwidth percent 30
class VSL-SIGNALING-NETWORK-MGMT
bandwidth percent 10
class VSL-MULTIMEDIA-TRAFFIC
bandwidth percent 20
class VSL-DATA-PACKETS
bandwidth percent 20
class class-default
bandwidth percent 5
interface Port-channel10
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
interface TenGigabitEthernet1/1/1
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/2
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/3
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/4
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/5
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/6
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/7
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/8
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/9
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/10
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/11
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/12
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/13
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/14
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet1/1/15
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 10 mode on
service-policy output VSL-Queuing-Policy
interface TenGigabitEthernet1/1/16
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 10 mode on
service-policy output VSL-Queuing-Policy
interface Vlan1
no ip address
shutdown
interface Vlan10
description IP Telephony VLAN
ip address 10.1.10.2 255.255.255.0
no ip redirects
interface Vlan20
description Automation & Management VLAN
ip address 10.2.20.2 255.255.255.0
no ip redirects
interface Vlan30
description Data VLAN
ip address 10.3.30.2 255.255.255.0
no ip redirects
interface Vlan40
description Wireless Users VLAN
ip address 10.4.40.2 255.255.255.0
no ip redirects
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
no ip http secure-server
ip access-list extended VSL-BFD
permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
permit ip any 224.0.0.0 0.0.0.255
snmp-server community ro RO
ipv6 access-list VSL-IPV6-ROUTING
permit ipv6 any FF02::/124
banner login ^CC
#### Login for authorized Takaful IT Personnel ONLY ####
TAKAFUL
#### Login for authorized Takaful IT Personnel ONLY ####
^C
banner motd ^CC
WARNING, unauthorised access to this network is prohibited.
Authorized access only
This system is the property of Takaful Company.^C
line con 0
privilege level 15
login local
stopbits 1
line vty 0 4
privilege level 15
login local
line vty 5 15
privilege level 15
login local
module provision switch 1
chassis-type 70 base-mac F40F.1B56.31D8
slot 1 slot-type 401 base-mac F40F.1B56.31D8
module provision switch 2
end
TAKAFUL-CORE-01#
TAKAFUL-CORE-02(recovery-mode)#show run
Building configuration...
Current configuration : 5641 bytes
! Last configuration change at 02:05:27 UTC Sun Aug 10 2014
version 15.2
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
hostname TAKAFUL-CORE-02
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin
boot-end-marker
vrf definition mgmtVrf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
no aaa new-model
switch virtual domain 100
switch mode virtual
mac-address use-virtual
no dual-active detection pagp
no ip source-route
ip vrf Liin-vrf
no ip domain-lookup
no ip bootp server
ip device tracking
vtp mode transparent
power redundancy-mode redundant
mac access-list extended VSL-BPDU
permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
permit any any 0x888E
mac access-list extended VSL-GARP
permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
permit any host 0180.c200.000e
mac access-list extended VSL-SSTP
permit any host 0100.0ccc.cccd
spanning-tree mode pvst
spanning-tree extend system-id
redundancy
mode sso
vlan internal allocation policy ascending
class-map match-any VSL-MGMT-PACKETS
match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
match any
class-map match-any VSL-L2-CONTROL-PACKETS
match access-group name VSL-DOT1x
match access-group name VSL-BPDU
match access-group name VSL-CDP
match access-group name VSL-LLDP
match access-group name VSL-SSTP
match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
match access-group name VSL-IPV4-ROUTING
match access-group name VSL-BFD
match access-group name VSL-DHCP-CLIENT-TO-SERVER
match access-group name VSL-DHCP-SERVER-TO-CLIENT
match access-group name VSL-DHCP-SERVER-TO-SERVER
match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
match dscp af41
match dscp af42
match dscp af43
match dscp af31
match dscp af32
match dscp af33
match dscp af21
match dscp af22
match dscp af23
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
match dscp ef
match dscp cs4
match dscp cs5
class-map match-any VSL-SIGNALING-NETWORK-MGMT
match dscp cs2
match dscp cs3
match dscp cs6
match dscp cs7
policy-map VSL-Queuing-Policy
class VSL-MGMT-PACKETS
bandwidth percent 5
class VSL-L2-CONTROL-PACKETS
bandwidth percent 5
class VSL-L3-CONTROL-PACKETS
bandwidth percent 5
class VSL-VOICE-VIDEO-TRAFFIC
bandwidth percent 30
class VSL-SIGNALING-NETWORK-MGMT
bandwidth percent 10
class VSL-MULTIMEDIA-TRAFFIC
bandwidth percent 20
class VSL-DATA-PACKETS
bandwidth percent 20
class class-default
bandwidth percent 5
interface Port-channel20
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 2
interface FastEthernet1
vrf forwarding mgmtVrf
speed auto
duplex auto
interface TenGigabitEthernet2/1/1
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/2
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/3
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/4
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/5
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/6
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/7
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/8
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/9
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/10
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/11
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/12
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/13
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/14
switchport trunk native vlan 20
switchport mode trunk
interface TenGigabitEthernet2/1/15
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 20 mode on
service-policy output VSL-Queuing-Policy
interface TenGigabitEthernet2/1/16
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 20 mode on
service-policy output VSL-Queuing-Policy
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip access-list extended VSL-BFD
permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
permit ip any 224.0.0.0 0.0.0.255
ipv6 access-list VSL-IPV6-ROUTING
permit ipv6 any FF02::/124
line con 0
stopbits 1
line vty 0 4
login
length 0
module provision switch 1
module provision switch 2
chassis-type 70 base-mac 88F0.3104.0058
slot 1 slot-type 401 base-mac 88F0.3104.0058
end -
Cisco Network Assistant, unable to add a switch
I have a network running some 20 switches, two controllers and many AP's. All the devices that should be able to connect to cisco network assistant can successfully. However there is one switch that will show in neighbours but will give the message of “unable to connect to device” when I try and add it to the topology.
As far as I can see the config is identically to all other similar switches in the network. I can telnet from a switch (management VLAN) to the switch in question. However when I try to ping or telnet from the PC running network assistant (different subnet) I am unsuccessful. However I can ping/telnet to all other cisco device from this PC.
The switch is a WS-C3560-48TS and I have included the config for firstly the switch in question and another switch of the same model and config that works correctly. Any help would be greatly appreciated, thank you.
sho run
Building configuration...
Current configuration : 7363 bytes
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname wc3_switch_1
enable secret 5 $1$Fn0U$2rG6DadA8JSUzQzSNmMc4/
enable password 7 1511021F0725
username dis privilege 15 secret 5 $1$b3d.$S43CM1xtXyEtO5Rsil6Bn1
username admin privilege 15 password 7 0811185C224C543341
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
description ### Connected to Parkside-AP05 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/2
description ### Connected to Parkside-AP06 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/3
description ### Connected to Parkside-AP07 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/4
description ### Connected to Parkside-AP08 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/5
description ### Connected to Parkside-AP12 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/6
description ### Connected to Parkside-AP13 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/7
description ### Connected to Parkside-AP20 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/8
description ### Connected to Parkside-AP21 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/9
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/10
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/11
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/12
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/13
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/14
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/15
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/16
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/17
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/18
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/19
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/20
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/21
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/22
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/23
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/24
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/25
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/26
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/27
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/28
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/29
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/30
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/31
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/32
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/33
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/34
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/35
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/36
description ### Connected to Parkside-AP36 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/37
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/38
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/39
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/40
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/41
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/42
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/43
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/44
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/45
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/46
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/47
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/48
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface GigabitEthernet0/1
description *** Connected to WC2A_Core_Switch ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface GigabitEthernet0/2
description *** Connected to wc3_switch_2 ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface GigabitEthernet0/3
shutdown
interface GigabitEthernet0/4
shutdown
interface Vlan1
ip address 10.0.0.31 255.255.255.0
ip default-gateway 10.0.0.254
ip classless
ip http server
control-plane
line con 0
password 7 144711185D07
logging synchronous
login local
line vty 0 4
password 7 144711185D07
logging synchronous
login local
line vty 5 15
password 7 094F471A1A0A
no login
end
wc3_switch_2#sho run
Building configuration...
Current configuration : 7239 bytes
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname wc3_switch_2
enable secret 5 $1$Sfoj$a6AdO7PI0bP8ERhpWl3OP.
username dis privilege 15 secret 5 $1$D9c6$16yFzETOxBNHiPdTEqkxQ1
username admin privilege 15 password 7 133543002059550E78
no aaa new-model
ip subnet-zero
no ip domain-lookup
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
description ### Connected to Parkside-AP24 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/2
description ### Connected to Parkside-AP27 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/3
description ### Connected to Parkside-AP28 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/4
description ### Connected to Parkside-AP30 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/5
description ### Connected to Parkside-AP31 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/6
description ### Connected to Parkside-AP32 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/7
description ### Connected to Parkside-AP33 ###
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/8
description *** Curric4 VLAN Port ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/9
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/10
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/11
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/12
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/13
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/14
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/15
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/16
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/17
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/18
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/19
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/20
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/21
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/22
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/23
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/24
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/25
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/26
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/27
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/28
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/29
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/30
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/31
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/32
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/33
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/34
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/35
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/36
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/37
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/38
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/39
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/40
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/41
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/42
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/43
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/44
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/45
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/46
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/47
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface FastEthernet0/48
description *** Curric4 VLAN Port ***
switchport access vlan 6
spanning-tree portfast
interface GigabitEthernet0/1
description *** Connected to wc3_switch_1 ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface GigabitEthernet0/2
description *** Connected to wc3_switch_3 ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface GigabitEthernet0/3
shutdown
interface GigabitEthernet0/4
shutdown
interface Vlan1
ip address 10.0.0.32 255.255.255.0
ip default-gateway 10.0.0.254
ip classless
ip http server
control-plane
line con 0
password 7 135514015A0F
logging synchronous
login local
line vty 0 4
password 7 135514015A0F
logging synchronous
login local
line vty 5 15
no login
endThe switch configurations look pretty straightforward and mostly correct.
I notice that the problem switch has "ip routing" global command. Why is that necessary? You are only using it as a L2 switch, yes? If you use "ip routing" and have no routing process (ospf, eigrp, etc.) running you would need to add a static default route (ip route 0.0.0.0 etc.) and not use the "ip default-gateway" command. Otherwise the switch itself (the SVI) does not know how to leave the management VLAN routing-wise since it is the only L3 interface defined.
(I might also add "ip http authentication local" on each and I'd definitely disable telnet in favor of ssh) -
Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches
with Cisco Expert Vinayak Sudame
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
Remember to use the rating system to let Vinayak know if you have received an adequate response.
Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.Hi Vinayak,
Output of "show cfs internal ethernet-peer database"
Switch 1
ETH Fabric
Switch WWN logical-if_index
20:00:54:7f:ee:b7:c2:80 [Local]
20:00:54:7f:ee:b6:3f:80 16000005
Total number of entries = 2
Switch 2
ETH Fabric
Switch WWN logical-if_index
20:00:54:7f:ee:b6:3f:80 [Local]
20:00:54:7f:ee:b7:c2:80 16000005
Total number of entries = 2
Output of "show system internal csm info trace"
Switch 1 in which "show cfs peers" show proper output
Mon Jul 1 05:46:19.145339 (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
Mon Jul 1 05:46:19.145280 (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
Mon Jul 1 05:46:19.145188 (CSM_T) csm_sp_handle_local_verify_commit(4291):
Mon Jul 1 05:46:19.145131 csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
Mon Jul 1 05:46:19.145071 csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
Mon Jul 1 05:46:19.145011 csm_tl_lock(737):
Mon Jul 1 05:46:19.144955 (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
Mon Jul 1 05:46:19.143819 (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
Mon Jul 1 05:46:19.143761 (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
Mon Jul 1 05:46:19.143699 (CSM_T) csm_sp_get_peer_sync_rev(315):
Mon Jul 1 05:46:19.143641 (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
Mon Jul 1 05:46:19.143582 (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
Switch 2 in which "show cfs peers" does not show proper output
Mon Jul 1 06:13:11.885354 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
Mon Jul 1 06:13:11.884992 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
Mon Jul 1 06:13:11.884932 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
Mon Jul 1 06:13:11.884872 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
Mon Jul 1 06:13:11.884811 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
Mon Jul 1 06:13:11.884750 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
Mon Jul 1 06:13:11.884690 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
Mon Jul 1 06:13:11.884630 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
Mon Jul 1 06:13:11.884568 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
Mon Jul 1 06:13:11.884207 (CSM_EV) csm_sp_acfg_gen_handler(3011): Preparing config into /tmp/csm_sp_acfg_1733916569.txt
Mon Jul 1 06:13:11.878695 csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
Mon Jul 1 06:13:11.878638 (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
Mon Jul 1 06:12:29.527840 (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
Mon Jul 1 06:12:29.513255 (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
Mon Jul 1 06:12:29.513179 (CSM_EV) csm_sp_acfg_gen_handler(3011): Preparing config into /tmp/csm_sp_acfg_1733911262.txt
Mon Jul 1 06:12:29.508859 csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
Mon Jul 1 06:12:29.508803 (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
Mon Jul 1 05:53:17.651236 Collecting peer info
Mon Jul 1 05:53:17.651181 Failed to get the argumentvalue for 'ip-address'
Mon Jul 1 05:40:59.262736 DB Unlocked Successfully
Mon Jul 1 05:40:59.262654 Unlocking DB, Lock Owner Details:Client:1 ID:1
Mon Jul 1 05:40:59.262570 (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
Mon Jul 1 05:40:59.262513 DB Lock Successful by Client:1 ID:1
Mon Jul 1 05:40:59.262435 Recieved lock request by Client:1 ID:1
Mon Jul 1 05:40:41.741224 ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
Mon Jul 1 05:40:41.741167 ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
show cfs lock gives no output.
Just to further clarify, we have 4 5548UP switches in the same management vlan. 2 switches are in one location lets say location A and they are CFS peers and are working fine.
These two switches which are having problem are in location B. All the switches are in the same vlan. Essentially the all CFS multicast messages will be seen by all 5548 switches as they are in the same vlan. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B or may be configure a different region.
Regards. -
Need that a Cisco Catalyst Express 500 behaves as cheap switch
Need that a Cisco Catalyst Express 500 behaves as cheap switch.
I happen to have a surplus of CE500 and i need to use one as a layer 2 cheap switch (unaware of lan and with port protection off).
How can i achive this?That's the thing, i'm sitting on several CE500, i'm not allowed to buy a cheap one right now, i have to use what i have, i know is too much but it should work and i read that it does, there is only one problem, i need to plug a access point to the CE500 that connect this section of my network to the rest.
I can't make the CE500 to work with this AP, a cheap switch i had there before worked properly. -
ISE Trust sec Question.
Hi Team,
Can someone give me a real time example or exaplin me in simple language "What is Trust SEC"?
MinakshiExample of trustsec use :
Cisco TrustSec capabilities are embedded in Cisco ®switches, wireless LAN (WLAN) controllers, routers, and firewalls. With TrustSec, when a user's traffic enters the network, it is classified according to characteristics such as user authentication, analysis of the device being used and it's network location. Based on these criteria, a user's endpoint is classified as a member of a particular security group; for example, it could be added to a group called Retail-Manager. Cisco switches and routers then propagate the security group information to policy-enforcement devices
Most Cisco switches and routers can transport this security group information with the user's traffic. This information is included by embedding a 16-bit Security Group Tag (SGT) value in each frame associated with the user device. The SGT can be transported over LAN, WAN and data center networks so that it is available for inspection and policy enforcement wherever appropriate.
To traverse networks or network devices that do not understand or support SGT propagation, a control-plane protocol, the SGT Exchange Protocol (SXP), allows Cisco TrustSec SGT information to be transported over any IP network to enforcement points.
Policy enforcement can be performed by Cisco firewalls, routers, or switches. The enforcement device reads the source SGT (denoting the Retail-Manager role, for example). It then evaluates the Retail-Manager's privileges to access the destination resource, which would also have an assigned SGT, such as PCI-Compliant Server or HR Database. It then determines whether the traffic should be allowed or denied.
If the enforcement device is a switch, it will apply security group ACLs (SG-ACLs). These are policies automatically downloaded from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control Server (ACS). SG-ACLs have the benefit of being processed at wire rate on many switch platforms. Because they are downloaded from ISE, they do not need to be provisioned to switches, as traditional Access Control Lists need to be.
If the enforcement device is a Cisco firewall, it will perform stateful firewall processing using the source and destination SGTs. The Cisco Adaptive Security Appliance (ASA) Software can also make additional inspection decisions based on the source and destination SGT values. For example, it can selectively pass traffic through additional intrusion prevention analysis or direct traffic to Cisco Cloud Web Security services based upon SGT values. -
Prime 2.1 and 4500X-VSS support?
Anyone with a Prime 2.1.2 that successfully archives configurations from a WS-C4500X-16 running VSS?
Error message after Configuration Archive:
No device package found for the specified device.
The software on the 4500X is 03.04.03SG.
Support for 4500X in PI 2.1.2:
Device Type
SYSOIDS
S/W Version
Software
Cisco Catalyst 4500X-16 SFP+ Switch
OID:1.3.6.1.4.1.9.1.1605
IOS
Cisco Catalyst 4500X-32 SFP+ Switch
OID:1.3.6.1.4.1.9.1.1606
IOS
TanksYes, all device packages are installed (including 7.0) and the Pi 2.1.2 patch.
Info from "ifm_config_archive.log" when trying Archive the Configuration:
[2014-12-09 19:58:11,300] [pool-37-thread-5] [service] [ERROR] - Thread Id : [9,460] : IFM_CONFIG_ARCHIVE_ERROR_DETAILS: [Error in fetching VLAN file] : IFM_CONFIG_ARCHIVE_ERROR: [com.cisco.ifm.config.archive.service.exceptions.XDEFeatureExecutionException: No device package found for the specified device.]'
Maybe the Prime don't know where to find the vlan.dat on the 4500X-VSS ?
#dir cat4000_flash:
Directory of cat4000_flash:/
1 -rw- 2236 <no date> vlan.dat
sysObjectID (1.3.6.1.2.1.1.2) is
.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.cat4xxxVirtualSwitch
That is not the expected and supported value "4500X-16" above
Update: Error on fetching running and startup config as well:
[2014-12-09 20:24:21,818] [pool-37-thread-9] [service] [ERROR] - Thread Id : [10,013] : IFM_CONFIG_ARCHIVE_ERROR_DETAILS: [Error in fetching RUNNINGCONFIG file] : IFM_CONFIG_ARCHIVE_ERROR: [com.cisco.ifm.config.archive.service.exceptions.XDEFeatureExecutionException: No device package found for the specified device.]
[2014-12-09 20:25:31,882] [pool-37-thread-9] [service] [ERROR] - Thread Id : [10,013] : IFM_CONFIG_ARCHIVE_ERROR_DETAILS: [Error in fetching STARTUPCONFIG file] : IFM_CONFIG_ARCHIVE_ERROR: [com.cisco.ifm.config.archive.service.exceptions.XDEFeatureExecutionException: No device package found for the specified device.] -
Cisco 4500X IOS upgrade through ISSU
Hi,
I am having 2 number of cisco 4500x switch and configured with VSS
so one switch is active and another switch is standby.
I am panning to upgrade IOS through ISSU
i read in document that it required auto boot enable in switch.
My switch current Configuration register = 0x2101
do i need to change config register or this will ok. If need to change then what will be auto boot and after IOS upgrade do i need to change it again.
Please help....Hello Tarun,
Please find below the steps to perform the ISSU:
ISSU Prerequisites
Before one can perform an ISSU, there are a few prerequisites one must verify for a successful ISSU. The following list explains what is initially required.
• Must be using a redundant Cisco Catalyst 4500 switch with symmetric hardware (that is, supervisors, memory, rommon, NFL daughter card, and so on).
• Both new and old Cisco IOS Software images must be preloaded to the file system on both supervisors.
• SSO must be configured and working properly.
• Config register must be configured to autoboot (that is, the value should have a "2" in the lowest byte).
45010R-203# sh bootvar | i register
Configuration register is 0x2102
Standby Configuration register is 0x2102
Several commands are available to verify if SSO is enabled:
4510R-203# sh module | b Redundancy
Mod Redundancy role Operating mode Redundancy status
----+-------------------+-------------------+-------------------
1 Standby Supervisor SSO Standby hot
2 Active Supervisor SSO Active
45010R-203# sh redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Secondary
Unit ID = 2
Redundancy Mode (Operational) = Stateful Switchover
Redundancy Mode (Configured) = Stateful Switchover
Redundancy State = Stateful Switchover
<snip>
4507R-ISSU# sh run | b redundancy
redundancy
mode sso
As a step prior to the beginning of the ISSU process, the new version of the Cisco IOS Software image needs to be loaded into both the active and standby supervisors' file systems. Both active and standby supervisor need to contain both the new and old images in the file system. In order to store both new and old images, the supervisors should be upgraded to contain sufficient amounts of flash memory prior to the ISSU process.
The new images can be downloaded into both supervisors using commands such as:
copy tftp: bootflash:
copy tftp: slavebootflash:
The example below illustrates this verification:
4510R-203#dir
Directory of bootflash:/
1 -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
2 -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1
4510R-203#dir slavebootflash:
Directory of slavebootflash:/
1 -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
2 -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1
Once this check is verified, one can now proceed with the ISSU process.
The ISSU process is started by typing the "issu loadversion" command on the active supervisor. This command directs the active supervisor to begin the ISSU process. The active supervisor, through intersupervisor communications, checks that the requested image has been downloaded into both the active and standby supervisors' file systems. If the required images are not present, the command is rejected, and an appropriate warning is generated.
If the "issu loadversion" command is successful, the switch transitions into the "Load Version" ISSU state. The standby supervisor will reset and boot with the new version of the Cisco IOS Software image loaded into the file system.
The following actions take place when the command is implemented:
1. The standby supervisor (B) is reset.
2. The standby supervisor (B) is booted with the new Cisco IOS Software image: Release 12.2(31)SGA1.
3. If both Cisco IOS Software images are declared as compatible, the standby supervisor moves into SSO mode and is fully stateful for all compatible clients and applications. Compatibility allows for in-service software upgrade or downgrade between two versions to succeed with minimal service effect.
4. If both Cisco IOS Software images are incompatible, the system moves into RPR mode, and the ISSU process is terminated with an appropriate message to the user. Images are declared incompatible when "required" clients or applications are not interoperable between two Cisco IOS Software releases.
5. Standby "B" reaches the standby HOT state.
6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
7. The "issu loadversion" command also supports a "forced" option that allows the operator to force the system into entering RPR mode when incompatibility is detected.
Note: When performing an ISSU, disable manual switchovers. Performing manual switchovers during the issu process is strongly discouraged. The current implementation does not prevent it, but it does display a warning to the user.
An example of the CLI for implementing the issu loadversion command is displayed below.
On the active supervisor, one would issue the following command:
4510R-203#issu loadversion 1 bootflash:cat4500-entservices-mz.122-31.SGA1 2 slavebootflash: cat4500-entservices-mz.122-31.SGA1
Syntax - issu loadversion active-slot active-image-new standby-slot standby-image-new
The second step of the ISSU process is to perform the issu runversion CLI.
The user can issue the " issu runversion" command when:
1. The ISSU state is "Load Version"; this can be verified with the "show issu state detail" CLI.
2. The standby supervisor is running the new version of the software.
3. The standby supervisor has moved into the "Standby Hot " state.
The following actions take place when the " issu runversion" command is executed:
1. A switchover occurs; that is, the standby (B) becomes the new active, and the old active (A) is rebooted and comes up as a standby.
2. A timer called "Rollback Timer" is started with a previously configured value.
3. Move both supervisors to "Run Version" state.
4. If the command "issu acceptversion" is not issued before the "Rollback timer" fires, then the entire ISSU process is aborted via the automatic rollback.
5. If the active supervisor console connectivity is established and the "issu acceptversion" command is issued, then the rollback timer is stopped.
6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
An example of the CLI for implementing the issu runversion command is displayed below:
On the active supervisor, one would issue the following command:
4510R-203#issu runversion 2 slavebootflash:cat4500-entservices-mz.122-31.SGA1
Syntax - issu runversion standby-slot [standby-image-new]
Prior to issuing the `issu acceptversion' command the system will be counting down the rollback timer. If `issu acceptversion' is not completed before rollback timer expires an automatic abort will occur. This command stops the "Rollback Timer." This command serves as a feedback mechanism. This is an optional command and can be skipped in the ISSU process with the "issu commitversion" CLI.
If this command is not issued within 45 minutes (default) from the time the standby supervisor moves into the "Standby Hot" state, it is assumed that the new active supervisor is not reachable and the entire ISSU process is rolled back to the previous version of the software. The acceptversion is not intended for long-term network operation. It is also important to note that none of the features available on the new version will work yet.
The following actions take place when the command is implemented:
1. The "Rollback Timer" is terminated. This means that the rollback timer is not looked at anymore. Therefore, the system can run in this state for an extended period.
2. The user has an option to abort the ISSU process by issuing the command "issu abortversion."
Aborting the ISSU process now causes the newly active supervisor (B) to fail over to the standby supervisor (A) running the old image and will also cause the rebooting supervisor (B) to load the original image. The issu acceptversion halts the rollback timer and helps ensure the ISSU process is not automatically aborted during the process.
An example of the CLI for implementing the issu acceptversion command is displayed below:
On the "New" active supervisor, one would issue the following command:
4510R-203#issu acceptversion 2
% Rollback timer stopped. Please issue the commitversion command.
Syntax - issu acceptversion active-slot-number
This is the last stage of the ISSU procedure. Once the user is satisfied with the new version of software, this must be committed by issuing the "issu commitversion" command. This command resets the standby supervisor and boots it with a new version of the software (same as the active supervisor). This concludes the ISSU process, and the new version of software is permanently committed on both supervisors. Since this is the conclusion of the ISSU process, the system can not be reverted back to the previous version of the software from this point onward as a part of this upgrade cycle. However, if for any reason users wish to go back to the previous version of the software, they can do so by starting a new upgrade/downgrade process.
The following actions take place if the command is implemented:
1. The standby supervisor (A) is reset and booted with the new version of Cisco IOS Software image.
2. The standby supervisor (A) moves into the "Standby Hot" state in SSO mode and is fully stateful for all clients/applications that are compatible.
3. Both supervisors are moved into "Final State," which is the same as "Initial State."
4. Users can initiate switchovers from this point onward.
An example of the CLI for implementing the issu commitversion command is displayed below:
4510R-203#issu commitversion 1
Syntax - issu commitversion standby-slot-number
ISSU Process: issu abortversion
One can abort the ISSU process at any stage manually (prior to issuing the issu commitversion command) by issuing the exec-level issu abortversion command. The ISSU process also aborts on its own if the software detects a failure.
If a user aborts the process after issuing the issu loadversion command, then the standby supervisor engine is reset and reloaded with the original software.
If the process is aborted after a user enters either the issu runversion or issu acceptversion command, then a second switchover is performed to the new standby supervisor engine that is still running the original software version.
The supervisor engine that had been running the new software is reset and reloaded with the original software version. The command is accepted only in "Load Version" or "Run Version" states. In "Load Version" state, the active supervisor is running an old image and the standby supervisor is running new image.
Syntax - issu abortversion active-slot [active-image-new]
Let me know if you have any questions. -
Cisco 6500 VSS , VSL Link Connection Issue
Hello Everyone
actually i have two Cisco 6509E with two VS-S720-10G and want to run VSS on them
i do all the config same as cisco recommend, but i get somethings wrong on them, 1st. on switch2 , under "switch virtual domain" when i enter switch2, its not accepot and 2nd. non of 10G link goes up & so VSL link always down
here is my config and show commands
SWITCH#1
==================================
switch virtual domain 10
switch mode virtual
switch 1 priority 110
mac-address use-virtual
redundancy
main-cpu
auto-sync running-config
mode sso
interface Port-channel1
no switchport
no ip address
switch virtual link 1
mls qos trust cos
no mls qos channel-consistency
interface TenGigabitEthernet1/5/4
no switchport
no ip address
mls qos trust cos
no cdp enable
channel-group 1 mode on
interface TenGigabitEthernet1/5/5
no switchport
no ip address
mls qos trust cos
no cdp enable
channel-group 1 mode on
======
SWITCH#2
switch virtual domain 10
switch mode virtual
switch 1 priority 110
redundancy
main-cpu
auto-sync running-config
mode sso
interface Port-channel2
no switchport
no ip address
switch virtual link 2
mls qos trust cos
no mls qos channel-consistency
interface TenGigabitEthernet2/5/4
no switchport
no ip address
mls qos trust cos
no cdp enable
channel-group 2 mode on
interface TenGigabitEthernet2/5/5
no switchport
no ip address
mls qos trust cos
no cdp enable
channel-group 2 mode on
Thank you all in advanceHello Dear Reza
at first, thanks for your replay
below you can find the Show Version of the SWITCH#1
6500-1#sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9-M), Version 15.1(1)SY1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 01-May-13 13:16 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9-M), Version 15.1(1)SY1, RELEASE SOFTWARE (fc5)
6500-1 uptime is 6 minutes
Uptime for this control processor is 6 minutes
System returned to ROM by power cycle at 11:49:28 UTC Mon Nov 17 2014 (SP by power on)
System image file is "sup-bootdisk:s72033-adventerprisek9-mz.151-1.SY1.bin"
Last reload reason: reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C6509-E (R7000) processor (revision 1.6) with 983008K/65536K bytes of memory.
Processor board ID SMC18080014
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
1 Virtual Ethernet interface
99 Gigabit Ethernet interfaces
5 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
as you see i use "adventerprisek9-mz.151-1.SY1" but now downgrade it to "s72033-adventerprisek9_wan-mz.122-33.SXJ2" , so nothing change and EtherChannel still not up
below are the show commands:
VSS-Sw2#show etherchannel 2 summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator
M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port
w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(RD) - Te2/5/4(D) Te2/5/5(D)
Last applied Hash Distribution Algorithm: -
===========================
VSS-Sw2#sh etherchannel 2 port
Ports in the group:
Port: Te2/5/4
Port state = Down Not-in-Bndl
Channel group = 2 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 0d:00h:00m:00s
Port: Te2/5/5
Port state = Down Not-in-Bndl
Channel group = 2 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 0d:00h:00m:00s
Last applied Hash Distribution Algorithm: - -
Can not access FWSM via session command in cisco 6513 (VSS enabled)
Dear All,
Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
IOS on RMAed FWSM is 2.3.4 and cisco VSS supports FWSM IOS 4.0.4 and later.
My issue is, I cannot access FWSM (IOS 2.3.4) via session command from cisco 6513 but could successfully consoled it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
2 6 Firewall Module WS-SVC-FWM-1 -----------
Mod MAC addresses Hw Fw Sw Status
2 0034.2fd7.3b04 to 0019.2fa7.3b0b 4.2 7.2(1) 2.3(4) Ok
Mod Online Diag Status
2 Pass
VSS#session switch 2 slot 2 pro 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.1.21 ...
% Connection timed out; remote host not responding
Can someone please let me know why I cannot access FWSM through session command ?
Whether this is because of older IOS ? If yes then how to upgrade its IOS ?
Is it possible to upgrade IOS via FWSM console ? if yes, please let me know.
Do i need to test on different slot ?
Look forward to hearing from someone.
Thanks & Regards
Ahmed...There is a limitation that FWSM running version older than 4.0.4 will not accept session from the switch if the FWSM is not seated into switch 1 AND if switch 1 is not active.
So to upgrade the FWSM you either need to use the console or put the FWSM physically in switch 1.
Thanks,
Jeroen -
Hi,
I am having an issue that the VSS is different for each switch and the trunking is not working, is there anyway to configure the trunking on the VSL port without breaking the VSS? I have set the trunking on both switches but somehow after the VSS connection is up the trunking is removed on the switch 2. The following are the snippet of the VSS configuration:
Switch 1:
interface Port-channel1
description *** VSS Port-Channel 1 ***
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
interface TenGigabitEthernet1/2/8
description *** VSS Links ***
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 1 mode on
service-policy output VSL-Queuing-Policy
Switch 2:
interface Port-channel2
switchport
switch virtual link 2
interface TenGigabitEthernet2/2/8
no lldp transmit
no lldp receive
no cdp enable
channel-group 2 mode on
service-policy output VSL-Queuing-Policy
Now I only have limited command on the Port-Channel 2:
SWITCH01(config)#int po2
SWITCH01(config-if)#?
virtual link interface commands (restricted):
default Set a command to its defaults
description Interface specific description
exit Exit from virtual link interface configuration mode
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
no Negate a command or set its defaults
service-policy Configure CPL Service Policy
shutdown Shutdown the selected interface
switch Configure switch link
Thanks in advance for any helpful comment.Hi,
You don't need to configure the VSL link as trunk:
just follow this config example:
Switch-1(config)# interface port-channel 10
Switch-1(config-if)# switch virtual link 1
Switch-1(config-if)# no shutdown (If the port is admin shutdown)
Switch-1(config)# interface tenGigabitEthernet 5/1
Switch-1(config-if)# channel-group 10 mode on
Switch-1(config-if)# no shutdown (If the port is admin shutdown)
Switch-2(config)# interface port-channel 25
Switch-2(config-if)# switch virtual link 2
Switch-2(config-if)# no shutdown (If the port is admin shutdown)
Switch-2(config-if)# interface tenGigabitEthernet 5/2
Switch-2(config-if)# channel-group 25 mode on
Switch-2(config-if)# no shutdown (If the port is admin shutdown)
link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1-2/XE_340/configuration/guide/config/vss.html#wp1060298
HTH -
Microsoft NLB and Cisco 4500 VSS
Hi,
I have a pair of Cisco 4507 switches in VSS mode. An server (10.4.1.166) using Microsoft NLB MAC address (03bf.0a04.01a6) is connected to VSS Node 1 on port Gi1/6/43. The following is configured on the switch.
arp 10.4.1.166 03bf.0a04.01a6 ARPA
mac address-table static 03bf.0a04.01a6 vlan 31 interface Gi1/6/43
The second command appears differently in running-config but looks good in mac-address-table:
# show running-config | inc mac address
mac address-table static 03bf.0a04.01a6 vlan 31 interface Gi6/43
# show mac address static | inc 01a6
31 03bf.0a04.01a6 static Gi1/6/43
Now, from a PC I can ping the VIP address 10.4.1.166 when connected to VSS Node 1 or any other switch connecting to VSS Node1. If the PC attachment is to VSS Node 2 directly or indirectly, then the ping times out. Doing the same for all the rest of servers not using Microsoft NLB but connected to Node 1 only, is successful from anywhere.
Why is the traffic not traversing the the VSL link i.e. PC -> VSS Node 2 -> VSL -> VSS Node1 -> Server.
Thanks,
Rick.Thanks Reza, Please find the output of the commands below. The VSS switch looks to be good and working for all other services.
#show switch virtualExecuting the command on VSS member switch role = VSS Active, id = 1Switch mode : Virtual SwitchVirtual switch domain number : 1Local switch number : 1Local switch operational role: Virtual Switch ActivePeer switch number : 2Peer switch operational role : Virtual Switch StandbyExecuting the command on VSS member switch role = VSS Standby, id = 2Switch mode : Virtual SwitchVirtual switch domain number : 1Local switch number : 2Local switch operational role: Virtual Switch StandbyPeer switch number : 1Peer switch operational role : Virtual Switch Active# show switch virtual redundancyExecuting the command on VSS member switch role = VSS Active, id = 1 My Switch Id = 1 Peer Switch Id = 2 Last switchover reason = none Configured Redundancy Mode = Stateful Switchover Operating Redundancy Mode = Stateful SwitchoverSwitch 1 Slot 3 Processor Information :----------------------------------------------- Current Software state = ACTIVE Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 15.1(2)SG, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2012 by Cisco Systems, Inc.Compiled Wed 05-Dec-12 04:38 by prod_rel_team BOOT = bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin,1; Configuration register = 0x102 Fabric State = ACTIVE Control Plane State = ACTIVESwitch 2 Slot 3 Processor Information :----------------------------------------------- Current Software state = STANDBY HOT (switchover target) Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 15.1(2)SG, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2012 by Cisco Systems, Inc.Compiled Wed 05-Dec-12 04:38 by pro BOOT = bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin,1; Configuration register = 0x102 Fabric State = ACTIVE Control Plane State = STANDBYExecuting the command on VSS member switch role = VSS Standby, id = 2show virtual switch redundancy is not supported on the standbySKR_4507_01#show switch virtual link port-channelExecuting the command on VSS member switch role = VSS Active, id = 1Flags: D - down P - bundled in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use N - not in use, no aggregation f - failed to allocate aggregator M - not in use, no aggregation due to minimum links not met m - not in use, port not aggregated due to minimum links not met u - unsuitable for bundling d - default port w - waiting to be aggregatedGroup Port-channel Protocol Ports------+-------------+-----------+-------------------15 Po15(SU) - Te1/3/1(P) Te1/4/1(P)16 Po16(SU) - Te2/3/1(P) Te2/4/1(P)Executing the command on VSS member switch role = VSS Standby, id = 2Flags: D - down P - bundled in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use N - not in use, no aggregation f - failed to allocate aggregator M - not in use, no aggregation due to minimum links not met m - not in use, port not aggregated due to minimum links not met u - unsuitable for bundling d - default port w - waiting to be aggregatedGroup Port-channel Protocol Ports------+-------------+-----------+-------------------15 Po15(SU) - Te1/3/1(P) Te1/4/1(P)16 Po16(SU) - Te2/3/1(P) Te2/4/1(P)#show run int gi1/6/43interface GigabitEthernet1/6/43 switchport access vlan 31 switchport mode access spanning-tree portfast spanning-tree guard root
Regards,
Rick. -
Ciscoview Cisco 6509 VSS power supply LED indicators incorrect
Hello all
i am experiencing the following problem.
In the Ciscoview, the LED indicators of the power supply of Cisco 6509 VSS are represented incorrectly. All power inputs and fans are okay actually. however, in the ciscoview, there is only 1 green "INPUT OKAY" for each power supply. And "FAN OKAY" LEDS are off on Active chassis.
Any assistance would be greatly appreciated.
LMS 4.1
IOS Version 12.2(50)SY1
Device Package:
38.
Cat6000
12.0
Cat6000 Package
39.
Cat6000IOS
37.0
Cat6000IOS Device PackageCheck the PS at the back, is there a light? If there's no light, then you need to RMA the PS as it could be faulty.
If there's a light on the PS, then you need to RMA the switch. -
Switch to switch cross cable ?
Well yesterday i read in a cisco book saying that you should have a cross cable when connecting switch to switch & a straight cable when connecting workstation to a switch , but currently i have stright all through , switch to switch or switch to pc .
network seems to run fine, why is this ?
thanksHi Malutaru1234,
I think you have copied exactly the same lines from my first post without checking that Fasi74 had alraedy replied that he is having 1900 switch.
Also it is not necessary that he need to configure trunk between the 2 switches when connected via cross over cable becuase trunk is just to pass the information of more than 1 vlan. If you have single vlan in your network you can connect the 2 switches via access link also.
Regards,
Ankur
Maybe you are looking for
-
How to generate Email in OIM 11g r1 during recocillation
I want to generate Email id of user based on his first name and last name while creation of user. I am using OIM 11g R1 . Can anyone plz help me on this.
-
Trouble connecting iMac to wireless networked HP printer -- printer not seen in
HP Photosmart Premium 410 Operating System: OS X 10.9 I am trying to connect a new Mac with OSX 10.9.5 to an HP Photosmart Premium c410, which is on an existing home wireless network and functions properly with other (Windows) computers in the house.
-
I am using an old HP printer (842C Deskjet) which works fine as my LAN connected printer. I am about to replace the computer to which it's connected with one that probably does not have a parallel port to match the connector on the Deskjet. Is there
-
Hi, What do I need to do in order to have the audio files folder from a project always in an external hard drive, I've tried with an alias but it didn't work. Thanks in advance.
-
How do I sent units to inches in Pages using 10.9
I use 10.9 on a mac mini. When I go to set pages I must use metric units. I am more comfortable in inches, so how do I reset to to inches?