HSRP Issues on VLAN interfaces

We are experiencing an issue with HSRP and VLANS. We have the VLANS tracked to physical interfaces, with the default decrement value of 10.
When we physically fail the fiber circuit (pull fiber transmit) the physical port reports down condition. The VLAN reports that it is still up. BOTH routers report that they are the active router and connectivity is lost.
When the physical port is shut down, the failover takes place and the routers report their state as predicted.
Any help would be greatly appreciated.
These routers are 4506's running 12.1(19)EW code on WS-X4515 module.

If there are still active ports, then I would expect the VLAN interface to stay UP on both routers. However, I would not normally expect both routers to be ACTIVE. Could it be that when you take down these physical links, that the routers lose sight of each other as far as the Hellos are concerned?
About the "If there are still active ports" bit ... don't forget that a trunk can also constitute an active port in this sense. So if you have got any access switches uplinked to these 4506s, the trunks will be enough to keep the VLAN interface alive.
Remember also that HSRP has a hold time of only 9 seconds by default, whereas 802.1d Spanning Tree has a convergence time up to 50 seconds by default. So it is possible that if the link you are disconnecting is the active root port of a switch, that the two HSRP routers will lose sight of each other. In that case, they can both become active for a few seconds. Effectively, during the STP convergence the VLAN can be partitioned. It all depends on your topology.
You are pulling only the transmit fiber. I wonder if enabling UDLD would help here.
As Georg says, it would be useful to know a bit more about the topology and the configuration.
Kevin Dorrell
Luxembourg
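
Added example, not part of the original thread: a check for the both-routers-Active condition discussed above, run over `show standby brief` output collected from each peer. The router names, addresses and captured output are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed captures of `show standby brief` from two HSRP peers.
# Both claim Active for group 10, and neither can see a standby router.
CAPTURES = {
    "rtr-a": """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110 P Active  local           unknown         10.1.10.1
Vl20        20   110 P Active  local           10.1.20.3       10.1.20.1
""",
    "rtr-b": """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           unknown         10.1.10.1
Vl20        20   100 P Standby 10.1.20.2       local           10.1.20.1
""",
}

# One data row: interface, group, priority, optional preempt flag, state,
# active router, standby router, virtual IP. Header lines do not match.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<preempt>P\s+)?"
    r"(?P<state>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$"
)


def parse_standby_brief(text):
    """Return one dict per HSRP group row found in the command output."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def find_dual_active(captures):
    """Map (virtual IP, group) -> routers, for groups with more than one Active."""
    active = defaultdict(list)
    for router, text in captures.items():
        for row in parse_standby_brief(text):
            if row["state"] == "Active":
                active[(row["vip"], int(row["grp"]))].append(router)
    return {key: sorted(rtrs) for key, rtrs in active.items() if len(rtrs) > 1}


def active_without_standby(captures):
    """Routers that are Active but hear no standby peer (hellos not arriving)."""
    return [
        (router, row["intf"])
        for router, text in captures.items()
        for row in parse_standby_brief(text)
        if row["state"] == "Active" and row["standby"] == "unknown"
    ]


if __name__ == "__main__":
    for (vip, grp), routers in find_dual_active(CAPTURES).items():
        print(f"group {grp} ({vip}): Active on {', '.join(routers)}")
    for router, intf in active_without_standby(CAPTURES):
        print(f"{router} {intf}: Active with no standby peer visible")
```
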

Similar Messages

  • HSRP issues and flapping links and vlans

    Hi
    My network is having some issues to do with a certain vlan and HSRP. We have 2 x 6509 switches as the distribution switches and access layer stacks. HSRP is running between the 2 6509 switches.
    Solarwinds shows the following output when the issues occur
    29/11/2014 16:39:26 192.168.10.2 Warning 1166: 001179: Host 0060.d501.9bcf in vlan 101 is flapping between port Gi0/1 and port Fa0/1
    About the same time a number of ports on vlan 101 on an access switch start dropping and coming up again. This was followed by the two 6509 switches reporting a large number of vlans switch back and forth between active and standby state in HSRP causing considerable problems on the network. We pulled the plug on the access switch but it didn't resolve the problem.
    We had similar behaviour a few days ago. This time it continued until we shut down one of the 6509s. When we brought it up again a few hours later the problem didn't reoccur. The problem seems to be centred on our vlan 101.
    Has anyone experienced these sort of issues before or give me a clue what the issue may be. Seems like issues with vlan 101 cause the hsrp states to change but vlan 101 is not used for hsrp.
    Thanks

    Hi,
    HSRP could be a victim here. Main issue could be related to spanning tree flapping or loop.
    HTH
    Amit
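
Added example, not part of the original thread: a way to test the "HSRP is the victim" reading from collected syslog, by listing HSRP state changes that follow a MAC flap within a short window. The first log line is the one quoted in the post; the remaining lines, including the `%HSRP-5-STATECHANGE` entries and the 192.168.10.1 source, are constructed, and the 60-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# First line is from the post above; all other lines are constructed samples.
LOG = """\
29/11/2014 16:39:26 192.168.10.2 Warning 1166: 001179: Host 0060.d501.9bcf in vlan 101 is flapping between port Gi0/1 and port Fa0/1
29/11/2014 16:39:29 192.168.10.2 Warning 1167: 001180: Host 0060.d501.9bd2 in vlan 101 is flapping between port Gi0/1 and port Fa0/1
29/11/2014 16:39:41 192.168.10.1 Notice 2210: 004512: %HSRP-5-STATECHANGE: Vlan20 Grp 20 state Standby -> Active
29/11/2014 16:39:44 192.168.10.1 Notice 2211: 004513: %HSRP-5-STATECHANGE: Vlan20 Grp 20 state Active -> Speak
29/11/2014 18:05:10 192.168.10.1 Notice 2390: 004701: %HSRP-5-STATECHANGE: Vlan30 Grp 30 state Standby -> Active
"""

TS_FORMAT = "%d/%m/%Y %H:%M:%S"
FLAP = re.compile(
    r"Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) is flapping "
    r"between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
HSRP = re.compile(
    r"%HSRP-5-STATECHANGE: (?P<intf>\S+) Grp (?P<grp>\d+) "
    r"state (?P<old>\w+) -> (?P<new>\w+)"
)


def parse(log):
    """Turn collector lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split(None, 3)  # date, time, source IP, rest of message
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT)
        except ValueError:
            continue
        for kind, rx in (("flap", FLAP), ("hsrp", HSRP)):
            m = rx.search(parts[3])
            if m:
                events.append({"ts": ts, "src": parts[2], "kind": kind, **m.groupdict()})
    return events


def hsrp_after_flaps(events, window=timedelta(seconds=60)):
    """HSRP transitions preceded by a MAC flap inside `window`, with the flapping VLANs."""
    flaps = [e for e in events if e["kind"] == "flap"]
    hits = []
    for h in (e for e in events if e["kind"] == "hsrp"):
        vlans = sorted({f["vlan"] for f in flaps
                        if timedelta(0) <= h["ts"] - f["ts"] <= window})
        if vlans:
            hits.append((h["intf"], h["old"], h["new"], vlans))
    return hits


if __name__ == "__main__":
    for intf, old, new, vlans in hsrp_after_flaps(parse(LOG)):
        print(f"{intf}: {old} -> {new} after MAC flaps in vlan {', '.join(vlans)}")
```

Transitions that show up here point at the layer 2 domain (spanning tree, a loop) before HSRP itself; the later Vlan30 change has no flap in its window and is left out.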

  • Netflow on 6509 in Native Mode from Vlan Interface

    I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2), to send netflow traffic from a vlan interface to a Solarwinds server.
    The server is not seeing all the vlan traffic, but does see all the traffic on the layer 2 ports (not netflow).
    I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
    Or could it be that MLS is not configured except for a couple commands:
    mls netflow interface
    mls cef error action reset 
    netflow setup:
    Flow export v5 is enabled for main cache
      Export source and destination details :
      VRF ID : Default
        Source(1)       10.31.101.1 (Vlan52)
        Destination(1)  10.30.2.196 (2055)
      Version 5 flow records
      14927339 flows exported in 615072 udp datagrams
      0 flows failed due to lack of export packet
      0 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures
      0 export packets were dropped enqueuing for the RP
      0 export packets were dropped due to IPC rate limiting
      0 export packets were dropped due to Card not being able to export  
    interface:
    interface Vlan52
     description AN.VDI.stu
     ip address 10.31.101.1 255.255.255.0
     ip helper-address 10.31.149.200
     no ip redirects
     ip flow ingress
     ip flow egress
     ip pim neighbor-filter 98
     ip pim sparse-dense-mode
     ip cgmp

    Enabling MLS was the fix.
    mls netflow interface
    mls flow ip interface-full
    mls nde sender version 5
    mls cef error action reset   

  • ACE - Query VLAN Interfaces Status

    Hi,
    I am wondering what the status of the query vlan interface means in the command 'show ft peer detail':
    Query Vlan IF State          : UP, Manual validation - please ping peer
    I am pretty sure that I did not see this status when I configured query vlan last time. Current version is A2(2.3).
    Unfortunately this status does not seem to be documented anywhere on CCO.
    I appreciate any help!
    Thanks,
    Daniel

    Hi Daniel,
    The FT Query VLAN interface is an optional, yet very good, feature to be used when using redundant ACE modules or appliances. Without it, if the FT VLAN was to go down, the standby ACE will no longer receive FT heartbeats from the active ACE and therefore take the active role.  However, if the active ACE is still running fine in the active role, then you don't want the standby ACE to take over as active because that will put them into an active/active scenario, which may lead to connectivity issues.
    This is where the FT Query VLAN interface comes in.  If the FT VLAN goes down, the standby ACE will notice this, but before taking the active role, it will ping its peer IP address configured on the interface that is designated as the FT Query VLAN.  If the ping is successful, then it will stay in the standby role, thereby saving you some headaches.
    The status that you are seeing is the ACE's way of telling you that the interface is UP, but if you want to know if it can successfully ping the peer IP address, then you would have to manually ping the peer IP address from the CLI.  The ACE does not periodically check the ping connectivity through any automatic mechanism.  The automatic mechanism is only triggered by the FT VLAN going down.
    Does this help?
    Sean

  • High VLAN Interface utilization (6500/sup720)

    Can anyone tell me why a VLAN interface would show 100% utilization for a given VLAN? This is a sup720 we're talking about.
    I understand that the bandwidth of a virtual interface is 1Gig but I thought this was more related to routing metric.
    Users were actually seeing performance issues until we changed how the servers on this particular interface were replicating. Once we did this the VLAN interface utilization went down and performance went up.
    It doesn't make sense to me that the VLAN interface would limit the actual throughput of the various ports that are mapped to it. Throughput should be related to the switch module 61xx, 65xx, 67xx and how it interfaces to the backplane and the backplane speed itself.
    Any insights would be helpful......

    If the layer 3 SVI was showing 100% that means it had a lot of traffic that was being layer 3 process switched instead of hardware switched. Normally most traffic is hardware switched within the ASICs and never even gets passed up to that layer. What would cause this I'm not sure.

  • FWSM vlan interface

    Hello, quick question I hope someone can help with.
    Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
    For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in its own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
    As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me to advertise the connected FWSM interfaces in to EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to redistribute a list of statics which I don't really want to do.
    The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
    Hope that makes sense, let me know if you have further questions.
    Thanks

    Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that 1 interface (All VRF's belong to a single customer, just required for segregation of internal traffic).
    The third 6500 running HSRP will be located in a DC 100km away connected via dual 1Gb circuits (3ms latency), and has its own default route to a pair of ASA 5520's. If both FWSM's go down then the gateway will go live in the second site and traffic will be switched over our SP qinq tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seamless failover and traffic flow to and from the /23 pi range peered with the same ISP in each location.
    Thanks again.
    Chris

  • EIGRP IPv6 and VLAN interfaces

    We've found that we have to set static link local IPs when two routers might peer over multiple VLAN interfaces.
    The issue is that the routers, 6500s with sup720s, utilize the same autoconfig'd link local address on each VLAN interface. EIGRP IPv6 refuses to peer with the other router on multiple VLANs when the link locals are the same.
    Anyone else encounter this? Did we miss a config option that would force unique link locals on different VLAN interfaces?
    Because of this issue, we've made it our best practice to configure static link local for all inter-router transits.

    Hi Gary,
    I had a setup with SUP720 on 2 7600s and I am able to enable the neighborship without any issues. I didn't configure static link local, as below:
    Ryanair#show ipv6 int vlan 500  | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#sho ipv6 int vlan 501 | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#show ipv6 eigrp nei
    EIGRP-IPv6 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   Link-local address:     Vl501             11 00:15:51  816  4896  0  13
        FE80::222:55FF:FE17:25C0
    0   Link-local address:     Vl500             11 00:17:14    1   200  0  12
        FE80::222:55FF:FE17:25C0
    Ryanair#
    Can you let us know the version on both the devices?
    Regards,
    Nagendra

  • PING TO ACE VLAN INTERFACES

    Hi,
    I am not able to ping the VLAN interfaces defined on the ACE devices unless directly connected to the subnet.
    I tried options - defining access-list, service-policy. I can ping the servers behind the ACE but I can't ping the ACE vlan interface.
    I captured the traffic on the ACE. I can't see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.
    Is there any option available to enable icmp on the interfaces?

    In order to ping the Vlan Interface you just need a management policy applied to the vlan interface.
    Class-maps used in the management-policy define the source addresses from where these management accesses are allowed.
    If you can ping the interfaces from locally connected subnets but not from the remote subnets then there could be 2 reasons.
    1. Some routing issues
    2. Source IPs in Management class maps are not defined.
    Following is an example of typical management policy
    #Allow telnet & SSH from these ip addresses
    #Allow ICMP from any source
    class-map type management match-any MGMT-CLASS
    10 match protocol telnet
    20 match protocol ssh
    30 match protocol icmp any
    policy-map type management first-match MGMT-POLICY
    class MGMT-CLASS
    permit
    interface vlan 10
    ip address x.x.x.x 255.255.255.0
    service-policy input MGMT-POLICY
    no shutdown
    interface vlan 20
    ip address y.y.y.y 255.255.255.0
    service-policy input MGMT-POLICY
    no shutdown
    Syed Iftekhar Ahmed

  • C3750, SNMP, MRTG, Vlan Interface Counters..

    This question HAS to have been asked and answered a thousand times by now, but I've tried for the last half hour to find that info and can't.
    For years now I've just accepted that I can't get correct traffic counts on Vlan interfaces on C3750 switches by snmp polling with MRTG.
    Has anyone out there either figured out how to do this or tracked down the reason why it's not possible?  I read one post that said the C3750 didn't support this.  But then I started thinking.  If it didn't support it then why is there an OID for it I can successfully poll?  I just get wrong information, not no information.  The count that it does give me seems to amount to the behavior of some kind of minimum traffic flow or keep alive activity, and the pattern doesn't seem to be affected much or at all by how much or little traffic is being carried by the Vlan.
    Anyone out there that's already pursued an explanation/resolution to this issue? 
    Thanks!
    -John Jackson

    So, does anyone have any idea why, if the IF-MIB counters don't supply the correct count of the traffic that they're supposed to, Cisco has provided working OID's for them at all? What keeps getting me about this issue is that I keep hearing from everyone that this is simply a 'feature that is not supported' on this platform. What I don't hear along with that, which I would expect, is an acknowledgement attributed to Cisco that yes, someone made a mistake, and that's why it doesn't work properly. For Cisco to respond that way though seems like it would be opening itself up to the logical next thought - if it's broken, then fix it. If Cisco knew the hardware wouldn't support this, why have they implemented the OID's for it at all? If, as Joe is saying, the problem is not that the counters don't exist, it's just that you can't get at them, why is that? If they exist, what would be the reason for making it so you couldn't get at them? This seems like such a small issue, and why am I making such a fuss about it? Well, I'm just tired of accepting a vague explanation about the issue, which I've been hearing from people for years now. I'd really like for someone to indulge my curiosity and hit me with the full, detailed explanation of how we got to this point of having these switches give essentially wrong information and Cisco's explanation has just been to say that's acceptable. I don't think it's acceptable. I just can't imagine I can really possibly bring about a change in that.
    -John

  • 3550 VLAN Interfaces Problem

    I was setting up two VLAN interfaces for my 3550. I had two VLAN interfaces. One for VLAN 10 and one for VLAN 15. After configuring each VLAN interface, VLAN 15 was down and wouldn't come up. VLAN 10 was up however. After issuing the no shutdown command for VLAN 15, it said VLAN 15 is not shutdown, but, when I checked the interface again, the VLAN interface was up. Now, I would think, if I had to do the no shutdown command on VLAN 15, why didn't I have to do that on the VLAN 10 interface? With switches, is the first VLAN interface automatically always up and all later VLAN interfaces automatically shut down?

    A 'feature' of all the newer Catalyst switches and newer IOS is that the logical VLAN interface will remain down until a port in that VLAN is up.
    The VTP config/status can also complicate this as a VTP client doesn't have the VLANs that the IOS config actually has because the VTP client hasn't learned the VLANs yet. In other words, the switch is in a state in which the IOS config puts a port in a VLAN that doesn't yet exist because VTP hasn't downloaded the VLAN database.
    Keep in mind that VTP requires an operating trunk and if it is 802.1q then the native VLANs must match (so a native VLAN other than 1 will not work if the VLAN database hasn't been downloaded by VTP or has been corrupted).
    Not that you are running into the VTP issue, but in the effort of full disclosure...
    Hope that helps...

  • Broadcast/multicast counters does not increase on vlan interface

    Hi,
    on a Cat6500 we try to monitor interface packet statistics via snmp, in detail we want to get information about the relation between unicast, multicast and broadcast packet counter.
    What we found out is that while on physical l2 interfaces all counters (ifHCInUcastPkts, ifHCInMulticastPkts, ifHCInBroadcastPkts, ifHCOutUcastPkts, ifHCOutMulticastPkts, ifHCOutBroadcastPkts) are filled, on vlan interfaces multicast in/out and broadcast out packets stay zero the whole time. We use arp, hsrp, ospf and other well-known broadcast and multicast based protocols.
    Does anybody know why these counters do not increase?
    Attached you find an excel sheet which shows an example of interface counter vs. vlan counter.
    many thanks in advance,
    Thorsten Steffen

    Hi Jon,
    below is the result of sh sdm prefer, so do I need an IP services licence to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
    SWBB0#sh sdm prefer
    The current template is "desktop default" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  6K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    8K
        number of directly-connected IPv4 hosts:        6K
        number of indirect IPv4 routes:                 2K
      number of IPv6 multicast groups:                  64
      number of directly-connected IPv6 addresses:      74
      number of indirect IPv6 unicast routes:           32
      number of IPv4 policy based routing aces:         0
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.875k
      number of IPv6 policy based routing aces:         0
      number of IPv6 qos aces:                          0
      number of IPv6 security aces:                     60

  • Could I use "vlan interface" as a tunnel source of DMVPN ?

    I have a router R2811 with a 9 port FE Switch module(HWIC-D-9ESW).
    Could I use vlan interface as a tunnel source when configuring DMVPN ?
    The vlan ports is on the 9 port FE Switch module.
    Because it's used now in production,I can't try it.

    Hello.
    I think there is no restriction on software routers like 2811.
    PS: using loopback could be a better idea.

  • VLAN Interface Command

    Ok, I thought I had the reason for the VLAN interface command down. I thought it was either used for switch management or routing between VLANs? However, now I realized that some communication won't work without this command, which doesn't make sense. If I have a VLAN, then the switch will only switch packets to ports on the same VLAN. The only way communication would work between VLANs is if I either enabled routing between VLANs with the VLAN Interface command, connected the switch to another multi-layer switch that did do routing between VLANs, or connected the switch to a router which routed between the VLANs.
    However, I just got this new 3550 switch in, configured the correct ports with the assigned VLANs, and the only way my cisco ip phone would work is if the VLAN Interface for my voice-ip VLAN was configured. The 3550 is connected to a 4507. Now, can someone tell me why this is? You shouldn't have to configure the VLAN Interface, right? (unless I wanted to route between VLANs, which could be done by the 4507)

    Sounds to me like you either don't have the dot1q trunk interface between your 4506 and 3550 working properly, or your 3550 is running the enhanced image which allows routing.
    It would be nice to see your config on both the 3550 and the 4500 to determine the reason. Just a stab at how it should be configured is that on your 4506, you have it running VTP server or transparent with the defined Data and Voice VLANs. You have a port configured for trunking (which connects to the 3550). On your 3550, you have configured it as a vtp client or transparent and have verified that it has received (or if transparent VTP you have configured) the appropriate VLANs. You then specified "interface VLAN #" or whatever number for switch management and configured the port that connects to the 4500 as a trunk. Your port connected to the port has the auxiliary or voice vlan configured. If this is how your equipment is configured and it still does not work, then look for the line "ip routing" in your 3550 and negate it with "no ip routing".
    If still no worky worky, post your config.
    Cheers,

  • WLC - 4402/4 - Vlan Interface Addressing

    I currently have 7 WLCs with the same Vlan interfaces defined across all 7 controllers. Does anyone know the best practice for addressing these interfaces on each of the WLCs. I currently have each unique Vlan interface assigned with the same IP address across all 7 WLCs. This is working. Should I leave it this way or should I assign each controller with a different address for the Vlan interface?

    The controllers, assuming you have it configured as such, act as dhcp relay agents. Presumably, if the router got the wrong mac address in its arp entry, the dhcp message would be lost.
    Clients could have taken a while before getting a dhcp addr (race condition for router arp entry) and not been able to work if dhcp was required.
    That said, I've seen the controllers work with the dhcp server set to 255.255.255.255 so the ip helper addresses on the routers would pick up the requests.

  • Facing some issue regarding Requisition interface table

    I am facing some issue regarding Requisition interface table..
    Purpose: we have to massage data & create massage data & create Requisitions.
    Issue Detail:
    Before:
    Previously it was Auto Create Purchase Requisition
    On the move transaction form step 10 to 20, this step will trigger creation of requisition.
    and Creating Requisition successfully.
    After:     
    After stopping Auto Create Purchase Requisition functionality the Requisition interface data is not getting populated in the Requisition Interface tables as well.
    Please provide your inputs.

    It's standard functionality not to populate the req interface while you don't want to autocreate.
    Thanks,
    PS.
