Gratuitous ARP in Nexus 7000
We are in the process of migrating our servers from Cat6500 (HSRPv1) to Nexus 7000 (HSRPv2). The HSRP virtual IP address remains the same after the migration. During the migration, we will shut down the Layer 3 interface VLAN on the Cat6500 and create the new Layer 3 interface VLAN on the N7K. Because we are migrating to HSRPv2, the HSRP virtual MAC address will change. Would like to check if there is any way for the N7K to send gratuitous ARP to all the servers so that their ARP caches are refreshed. Does "ip arp gratuitous update" help?
Thanks
Eng Wee
Hi Eng Wee,
Nexus sends gratuitous arp by default. This command is enabled on the interface by default. There is nothing special that you need to do for the switch to send the gratuitous arps.
JayaKrishna
Similar Messages
-
Hi, we observed that if one of our clusters is switching over (secondary is taking over the cluster IP address) and sending Grat. ARP to announce the new MAC address for the cluster IP address, the Nexus does not update the ARP table based on a Grat. ARP.
I am not absolutely sure, but it seems that if the Grat. ARP hits the HSRP active switch then it works; if it hits the HSRP standby switch it does not work.
Under vPC we have arp synchronize configured.
The only way we can bring it to work is to clear the ARP table.
Any idea?
Thx
Hubert
Hi Hubert,
ok I see; but what about the cluster? Is it somehow related to vmware? which OS are we talking about?
I insist on this point as usually server administrators are not too much into networking and they might give misleading info. I.E. the vmware heartbeat that control the IP floating mechanism (which happens in case of cluster failovers) relies on ARP probes and not on GARP. The 2 are pretty similar but a N7K ignores it if it is not destined to the local IP (which it is true for the active hsrp member only). It flags it as invalid packet and drops it... you can verify taking the following before and after the switchover from both n7k
show ip arp statistics vlan
Often you see increasing values if you have many hosts in the VLAN... so the output of this command is not definitive in all cases.
Riccardo -
%ARP-3-DUP_VADDR_SRC_IP on two Nexus 7000 using HSRP
Hi,
I am receiving the error %ARP-3-DUP_VADDR_SRC_IP on two Nexus 7000 switches that are configured with HSRP. I only see this error when the Nexus performs a failover to the HSRP standby unit. I personally think this can be safely ignored, but wanted to get another opinion.
I can generate the error when I initiate the failover of several SVIs that are configured for HSRP. I do not see the error when failover doesn't happen.
I haven't been unable to find any documentation for Nexus on this error.
I have found documentation on this error for Catalyst switches and they seem to indicate a loop in the network. I can confirm that there are no loops in the network.
Has anyone else seen this happen on a Nexus? Any links to documentation would be great too.
Thanks
You have a duplicate IP address on some host connected to port-channel 10.
Probably some access layer switch is connected to your port-channel 10.
Try to find the port where this host is connected on the access layer switch:
sh mac addr | i ac8f
And don't forget to rate the post. -
Nexus 7000 - unexpected shutdown of vPC-Ports during reload of the primary vPC Switch
Dear Community,
We experienced an unusual behavior of two Nexus 7000 switches within a vPC domain.
According to the attached sketch, we have four N7Ks in two data centers - two Nexus 7Ks are in a vPC domain for each data center.
Both data centers are connected via a Multilayer-vPC.
We had to reload one of these switches and I expected the other N7K in this vPC domain to continue forwarding over its vPC-Member-ports.
Actually, all vPC ports have been disabled on the secondary switch until the reload of the first N7K (vPC-Role: primary) finished.
Logging on Switch B:
20:11:51 <Switch B> %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
20:12:01 <Switch B> %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed
In case of a Peer-link failure, I would expect this behavior if the other switch is still reachable via the Peer-Keepalive-Link (via the Mgmt-Port), but since we reloaded the whole switch, the vPCs should continue forwarding.
Could this be a bug or are there any timers to be tuned?
All N7K switches are running on NX-OS 6.2(8)
Switch A:
vpc domain 1
  peer-switch
  role priority 2048
  system-priority 1024
  peer-keepalive destination <Mgmt-IP-Switch-B>
  delay restore 360
  peer-gateway
  auto-recovery reload-delay 360
  ip arp synchronize
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan <x-y>
  spanning-tree port type network
  vpc peer-link
Switch B:
vpc domain 1
  peer-switch
  role priority 1024
  system-priority 1024
  peer-keepalive destination <Mgmt-IP-Switch-A>
  delay restore 360
  peer-gateway
  auto-recovery reload-delay 360
  ip arp synchronize
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan <x-y>
  spanning-tree port type network
  vpc peer-link
Best regards
Problem solved:
During the reload of the Nexus 7K, the linecards were powered off a short time earlier than the Mgmt-Interface. As a result of this behavior, the secondary Nexus 7K received at least one vPC-Peer-Keepalive Message while its peer-link was already powered off. To avoid a split brain scenario, the VPC-member-ports have been shut down.
Now we are using dedicated interfaces on the linecards for the VPC-Peer-Keepalive-Link and a reload of one N7K won't result in a total network outage any more. -
We have GLBP configured on two Nexus 7000's using "load-balancing host-dependant" as our method of balancing. My question is, is there a quick way to determine which router each host is using? These are in production so any debugging is frowned on.
Thanks
David
The available commands to verify GLBP operation are the following:
show glbp [group group-number]
Displays the GLBP status for all or one group.
show glbp capability
Displays the GLBP capability for all or one group.
show glbp interface interface-type slot/port
Displays the GLBP status for an interface.
show glbp interface interface-type slot/port [active] [disabled] [init] [listen] [standby]
Displays the GLBP status for a group or interface for virtual forwarders in the selected state.
show glbp interface interface-type slot/port [active] [disabled] [init] [listen] [standby] brief
Displays a brief summary of the GLBP status for a group or interface for virtual forwarders in the selected state.
But none of these will show you which host uses which AVF. In GLBP, Hosts still point to a default gateway IP address, but GLBP causes different hosts to send their traffic to one of up to four routers in a GLBP group. To do so, the GLBP Active Virtual Gateway (AVG) assigns each router in the group a unique virtual MAC address format 0007.B400.xxyy, where xx is the GLBP group number, and yy is a different number for each router (01, 02, 03, or 04). When a client ARPs for the (virtual) IP address of its default gateway, the GLBP AVG replies with one of the four possible virtual MACs. By replying to ARP requests with different virtual MACs, the hosts in that subnet will in effect balance the traffic across the routers, rather than send all traffic to the one active router. You can check ARP table of host and see the mac address of default gateway. But this is not an easy way. -
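Added example, not from the original posts: a host-side audit that decodes the gateway MAC found in collected neighbor-table output, which covers both the GLBP question above (which forwarder a host was handed) and the HSRPv1 to HSRPv2 migration at the top of the page (which hosts still cache the old virtual MAC). The GLBP layout is the 0007.B400.xxyy format given above; the HSRP and VRRP prefixes are the standard values and are not stated on this page, and the host-prefixed `ip neigh` sample lines, addresses and function names are constructed for illustration.

```python
import re

# (hex prefix without separators, protocol). The GLBP layout follows the
# 0007.B400.xxyy format from the post above; the HSRP/VRRP prefixes are the
# standard well-known values (assumption: not stated on this page).
VIRTUAL_MAC_PREFIXES = [
    ("00000c07ac", "HSRPv1"),  # 0000.0c07.acXX   XX  = group
    ("00000c9ff", "HSRPv2"),   # 0000.0c9f.fXXX   XXX = group
    ("00005e0001", "VRRP"),    # 0000.5e00.01XX   XX  = VRID
    ("0007b400", "GLBP"),      # 0007.b400.xxyy   xx = group, yy = forwarder
]

def normalize_mac(mac):
    """Accept Cisco dotted, colon or hyphen notation; return 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify_gateway_mac(mac):
    """Return (protocol, group, forwarder) for a gateway MAC address."""
    digits = normalize_mac(mac)
    for prefix, proto in VIRTUAL_MAC_PREFIXES:
        if digits.startswith(prefix):
            rest = digits[len(prefix):]
            if proto == "GLBP":
                return proto, int(rest[:2], 16), int(rest[2:], 16)
            return proto, int(rest, 16), None
    return "other", None, None

# Constructed sample: "<host> <ip neigh line>" as gathered from four servers.
SAMPLE = """\
web01 192.0.2.1 dev eth0 lladdr 00:00:0c:9f:f0:1e REACHABLE
web02 192.0.2.1 dev eth0 lladdr 00:00:0c:07:ac:1e STALE
app01 198.51.100.1 dev eth0 lladdr 00:07:b4:00:0a:02 REACHABLE
app02 198.51.100.1 dev eth0 FAILED
"""

def audit(text, gateways):
    """Decode the cached gateway entry of every host listed in `text`."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[1] not in gateways:
            continue
        host, ip = fields[0], fields[1]
        pos = fields.index("lladdr") if "lladdr" in fields else -1
        if pos < 0 or pos + 1 >= len(fields):
            rows.append((host, ip, "unresolved", None, None))
            continue
        rows.append((host, ip) + classify_gateway_mac(fields[pos + 1]))
    return rows

def hosts_not_on(rows, protocol):
    """Hosts whose cached gateway MAC does not belong to `protocol`."""
    return [host for host, _ip, proto, *_rest in rows if proto != protocol]

if __name__ == "__main__":
    for row in audit(SAMPLE, {"192.0.2.1", "198.51.100.1"}):
        print(row)
```

Run against real collections, `hosts_not_on(rows, "HSRPv2")` gives the servers whose ARP cache still needs refreshing after the cutover.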
No gratuitous arp N1k when second subgroup comes up again
Hello,
we have an Nexus 1000v with PortChannel to no clustered upstream Switches.
Port-Profile Configuration:
config attributes:
switchport mode trunk
switchport trunk allowed vlan 2,6-7,64,150,607,630
switchport trunk native vlan 1
channel-group auto mode on sub-group cdp
no shutdown
If one Link goes down, the VM of this Link will change to the second Link. During this change I see a maximum of one lost Packet in the Ping to this VM.
If the first Link still comes up, I see something that I don't understand.
After 6-7 seconds I have 6-7 Packets lost in the Ping to the VM that changes the Link.
The MAC of the VM will change from one Link to the other in the MAC-Address-Table on the Upstream Switches after this time.
In the Documentation I read only about gratuitous arps, when the link fails.
How can I reduce the packet loss?
I have one link from each host to each upstream switch in this port channel.
This is a test system with two ESX-Hosts and two upstream switches (C2960G).
Here the Configuration of the upstream switch Ports:
interface GigabitEthernet0/2
description esx-netz1_1
switchport trunk allowed vlan 2,6,7,64,150,607,630
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
In every Host I have four PNICs. Two for the channel, one for vMotion and one for the service console. -
Hello,
My name is Benjamin and I have problems with my Nexus 7000. It has a high CPU process, and I think that is not normal. What do you think?
# sh process cpu sort
PID Runtime(ms) Invoked uSecs 1Sec Process
8259 1848785 56524183 32 27.6% in.dcos-telnetd
4717 231 96 2413 24.7% netstack
3536 402542882 64927941 6199 3.0% platform
4573 501774551 35371572 14185 1.0% xbar_driver_usd
4714 107 22 4871 1.0% arp
1 179754 5381666 33 0.0% init
2 2 300 9 0.0% kthreadd
3 3342 559942 5 0.0% migration/0
4 1936854 444724651 4 0.0% ksoftirqd/0
5 143477 2220884 64 0.0% watchdog/0
6 2042 349180 5 0.0% migration/1
7 1452663 372943404 3 0.0% ksoftirqd/1
1 111 111 11 1 1
907878660006976000800707766999960776799987777777777678687773
603310880008399000100504278989780308288903490180025795804831
100 ** *** *** ** * **** * ***
90 ** *** * *** ** * *##* * *** *
80 ** * * *** ** *#***#** *##* * ###* * * * ** * *
70 ##*************##**##*******##*******###*******************
60 ###########################################################
50 ###########################################################
40 ###########################################################
30 ###########################################################*
20 ###########################################################*
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
I solved my issue, it was a bug problem:
Some of the telnet sessions do not get cleared with recursive telnet
Bug: CSCtk56774
Workaround: to issue "clear user admin" command
Regards -
Broadcom LiveLink : Receiving MAC flaps with Cisco Nexus 7000
We are migrating from using two Nortel 8600's running VRRP at the distribution to Cisco Nexus 7K's using HSRP. So we have a server connected to two 3750G switches which then connect to the Nexi (previously the 8600's). As soon as we connected the 3750's to the Nexus and moved the gateway to Nexus, LiveLink forces all the servers to alternate traffic between NIC1 and NIC2.
Since LiveLink is a teaming application, it uses virtual mac for nic1 and nic2, but the virtual mac associated with the IP address moves to the active link.
LiveLink is used to check the availability of the gateway by polling the gateway out of each interface using an ARP request.
The problem does not exhibit itself in our Cisco VSS environment, and with Nortel's VRRP. I tried running VRRP on the Nexus but no joy.
Anyone know of a bug that could cause this issue?
Unfortunately we have LiveLink enabled on most of our Windows servers in our data centers. One of my colleagues sent me this bug issue. I'm not sure if this is the cause, but it's worth trying. We will update the NxOs (currently on 5.1.1) next week and see if that fixes the problem.
• CSCtl85080
Symptom: Incomplete Address Resolution Protocol (ARP) entries are observed on a Cisco Nexus 7000 Series switch, along with partial packet loss and a memory leak.
Conditions: This symptom might be seen when ARP packets have a nonstandard size (that is, greater than 64 bytes).
Workaround: This issue is resolved in 5.1.3. -
Gratuitous ARPs do not populate the router ARP Table
Hello,
In order to debug an ARP problem in a Firewall cluster environment, I connected a one-armed router on the public VLAN of the firewall cluster, in order to observe the ARP cache behaviour during a switchover. I configured a loopback interface on this router and a default route to this loopback interface to simulate a real router.
When a switchover occurs between firewall cluster members, the active member sends Gratuitous ARPs for all NATed IP addresses. In my environment, I have 110 NATed addresses configured on the firewall.
By launching a "debug arp" on the one armed router, I clearly see all 110 gratuitous ARPs arriving on the router, but the ARP cache of the router is NOT populated with the 110 entries...
Note : The command is configured on the one armed router :
Router(config)# ip arp gratuitous local
What can be the problem ? Is there any condition for a router to accept Gratuitous ARPs ?
Thank you for any help
Yves
Hi
Gratuitous ARP is used when a host wants to inform the switch that the MAC address has changed, e.g.
You have a cluster which has redundant connections and an IP to mac-address mapping. If the active NIC fails the IP address is moved across to the standby NIC but the standby NIC has a different mac-address. So the cluster sends out a gratuitous arp which informs the switch of the new IP to mac-address mapping.
The reason you might not want to allow gratuitous ARP is that you might not want your switch updating its ARP table based on announcements from devices on the LAN, as you could very easily spoof MAC addresses and corrupt the ARP cache.
HTH
Jon -
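Added example, not part of the original posts: a small monitor that parses ARP bodies, separates ARP probes from gratuitous ARP (the distinction raised in the cluster-failover thread earlier on this page), and flags IP-to-MAC changes, treating a move between known cluster members differently from a claim by an unknown MAC (the spoofing concern above). It assumes the usual conventions that a probe carries sender IP 0.0.0.0 and a gratuitous ARP carries the same sender and target IP; the addresses, MACs, allow-list and all names are constructed for illustration.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body: 28 bytes
REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Build an ARP body; used only to construct the sample packets below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(body):
    """Parse the first 28 bytes; trailing Ethernet padding is ignored."""
    if len(body) < 28:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": sha.hex(":"),
            "spa": str(ipaddress.IPv4Address(spa)),
            "tpa": str(ipaddress.IPv4Address(tpa))}

def classify(pkt):
    if pkt["op"] == REQUEST and pkt["spa"] == "0.0.0.0":
        return "probe"        # sender has not claimed the address yet
    if pkt["spa"] == pkt["tpa"]:
        return "gratuitous"   # sender announces its own binding
    return {REQUEST: "request", REPLY: "reply"}.get(pkt["op"], "other")

class BindingMonitor:
    """Track IP -> MAC bindings learned from ARP sender fields."""
    def __init__(self, allowed=None):
        self.table = {}
        self.allowed = allowed or {}  # ip -> set of MACs permitted to own it

    def observe(self, body):
        pkt = parse_arp(body)
        kind = classify(pkt)
        if kind == "probe":           # carries no sender IP, nothing to learn
            return kind, None
        ip, mac = pkt["spa"], pkt["sha"]
        owners = self.allowed.get(ip)
        if owners is not None and mac not in owners:
            return kind, "unauthorized"   # keep the existing binding
        old = self.table.get(ip)
        self.table[ip] = mac
        return kind, ("moved" if old and old != mac else None)

# Constructed sample: cluster failover followed by a claim from an unknown MAC.
VIP, NODE_A, NODE_B = "192.0.2.10", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
ROGUE, BCAST, ZERO = "02:00:00:00:00:66", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def run_sample():
    mon = BindingMonitor(allowed={VIP: {NODE_A, NODE_B}})
    packets = [
        build_arp(REPLY, NODE_A, VIP, "02:00:00:00:00:01", "192.0.2.1"),
        build_arp(REQUEST, NODE_B, "0.0.0.0", ZERO, VIP) + bytes(18),  # padded
        build_arp(REQUEST, NODE_B, VIP, BCAST, VIP),
        build_arp(REQUEST, ROGUE, VIP, BCAST, VIP),
    ]
    return [mon.observe(p) for p in packets], mon.table[VIP]

if __name__ == "__main__":
    print(run_sample())
```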
Hello,
We recently had a power supply failure in one of our Nexus 7000s, and I noticed that the syslog for the Platform is only present in the default VDC, and not in any of the other VDCs syslogs. Is this by design, or is there a logging level I can turn up in another VDC to capture this log? Thanks for any input
syslog from default VDC -
2013 Mar 18 23:10:34 %PLATFORM-2-PS_CAPACITY_CHANGE: Power supply PS3 changed its capacity. possibly due to power cable removal/insertion (Serial number xxxxxxxx)
nothing in the VDC where I would like to get the logging
default VDC logging level -
xxx7K02# show log level platform
Facility Default Severity Current Session Severity
platform 5 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
xxx7K02#
logging from the specific VDC where we have management tools.
xxx-LOW# show log level platform
Facility Default Severity Current Session Severity
platform 5 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
xxx-LOW#
Hello Carl,
What version of code are you running on your Nexus 7k?
The expected behavior is:
"When a hardware issue occurs, syslog messages are sent to all VDCs."
http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/virtual_device_context/configuration/guide/vdc_mgmt.html#wp1170241
Dave -
Dell Servers with Nexus 7000 + Nexus 2000 extenders
<< Original post by smunzani. Answered by Robert. Moving from Document section to Discussions>>
Team,
I would like to use some of the existing Dell Servers for new network design of Nexus 7000 + Nexus 2000 extenders. What are my options for FEC to the hosts? All references of M81KR I found on CCO are related to UCS product only.
What's best option for following setup?
N7K(Aggregation Layer) -- N2K(Extenders) -- Dell servers
Need 10G to the servers due to dense population of the VMs. The customer is not up for dumping recently purchased dell boxes in favor of UCS. Customer VMware license is Enterprise Edition.
Thanks in advance.
To answer your question, the M81KR-VIC is a Mezz card for UCS blades only. For Cisco rack there is a PCIe version which is called the P81. These are both made for Cisco servers only due to the integration with server management and virtual interface functionality.
http://www.cisco.com/en/US/prod/collateral/ps10265/ps10493/data_sheet_c78-558230.html
More information on it here:
Regards,
Robert -
With Vignesh R. P.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions of Cisco expert Vignesh R. P. about the Cisco® Nexus 7000 Series Switches and support for the Cisco NX-OS Software platform.
The Cisco® Nexus 7000 Series Switches introduce support for the Cisco NX-OS Software platform, a new class of operating system designed for data centers. Based on the Cisco MDS 9000 SAN-OS platform, Cisco NX-OS introduces support for virtual device contexts (VDCs), which allows the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device to connected users within the framework of that physical switch. The VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.
Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
Remember to use the rating system to let Vignesh know if you have received an adequate response.
Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Vignesh
Is there any limitation to connecting an N2K directly to the N7K?
If I have an F2 card 10G and another F2 card 1G and I want to create 3 VDCs
VDC1=DC-Core
VDC2=Aggregation
VDC3=Campus core
do we need to add a link between the different VDCs?
thanks -
LMS 4.2.2 Interface utilisation on Nexus 7000
Hi All,
I'm trying to poll some interfaces for their utilization on a nexus 7000 through LMS 4.2.2.
When I create a poller for the specific instances, the LMS recognises the instances, but after activating the poller I get the error "No Such Instance - The specified instance is not available".
No info is displayed when I generate an interface utilization report for the specific nexus.
When I activate the automonitor for interface utilization, the interfaces on the nexus are polled.
On the cisco website there are some features listed which LMS does not support on the Nexus 7000, but polling is not in that list (neither in the supported feature list).
Any tips?
Thanks for your help.
Joris
Any Idea..??
-
ESXi 4.1 NIC Teaming's Load-Balancing Algorithm,Nexus 7000 and UCS
Hi, Cisco Gurus:
Please help me in answering the following questions (UCSM 1.4(xx), 2 UCS 6140XP, 2 Nexus 7000, M81KR in B200-M2, No Nexus 1000V, using VMware Distributed Switch:
Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?
Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned?
Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct?
Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES?
I would really appreciate if someone can help me clear these lingering doubts of mine.
God Bless.
SiM
Sim,
Here are my thoughts without a 1000v in place,
Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000? //Yes, for vPC to UCS the best practice is to bowtie uplink to (2) 7K or 5Ks.
Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned? //The port channel will be configured on both the UCSM and the 7K. The pro of a port channel would be both bandwidth and redundancy. vPC would be preferred.
Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct? //Without the 1000v, I always tend to leave the dvSwitch load balance behavior at the default of "route by portID".
Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES? UCS can perform L2 but Northbound should be performing L3.
Cheers,
David Jarzynka -
Privilege Level for Tacacs Account in Nexus 7000
Hi,
I have configured the Tacacs (ACS 4.2v) on Nexus 7000 (as mentioned below) and it works fine, but unlike IOS (6509) it doesn't prompt that you are in userexec mode (>) and then need to type enable and password for full privilege.
In n7k when I entered into "configure terminal" it won't allow me to access other commands.
How to login into level 15 privilege mode after authenticating from tacacs?
(config)# show running-config tacacs+
tacacs-server key 7 "xxxxx"
tacacs-server host x.x.x.x key 7 "xxxx"
aaa group server tacacs+ TacServer
server x.x.x.x (same ip as tacacs-server host)
use-vrf management
source-interface Vlan2
(config)# show running-config aaa
aaa authentication login default group TacServer
aaa authentication login console local
aaa user default-role
Here below are the commands accessible in "Terminal" currently
(config)# ?
no Negate a command or set its defaults
username Configure user information.
end Go to exec mode
exit Exit from command interpreter
isb.n7k-dcn-agg-1-sw(config)#
Hi Jan.nielsen
Issue is resolved but by another way.
I have found the same resolution too of custom attribute command but the Custom attribute Option for shell command wasn't available in ACS v4.2, so after enabling shell for users and by clicking exec--> Shell Exec and enabling privilege level 15 in the same box of Shell options, it started working without any command