Nexus 1010v interfaces, port-channel, Catalyst 6500E VSS
I'm installing a pair of 1010v-X appliances using flexible network option 5 on version 4.2(1)SP1(5.1).
I have all interfaces grouped into a single port channel 6. All interfaces uplink to a pair of Catalyst 6506Es in a VSS (Sup2T).
My question relates to the VSS configuration.
For example, do I set up one port-channel on the VSS and put all 12 interfaces in it? Or, do I set up two port-channels on the VSS and put the active 1010v-X in one port-channel and the standby into another port-channel?
Do I set dot1q trunking up on the port-channel(s) on the VSS?
Thanks.
Hi,
What version of IOS are you running on the ASAs?
see table-12-3 in this link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
Also, since the 4500x are in VSS mode, you need to bundle one link from each switch and use LACP.
HTH
Similar Messages
-
Interface port-channel btw N2K and Brocade VDX
Dear all,
I tried to configure a port-channel between a nexus 2K (2FEX) and a brocade VDX (VDX6710).
As you seen below, my configuration :
N2K
Po10
switchport access vlan 200
Eth101/1/6
switchport access vlan 200
channel-group 10 mode active (used LACP)
Eth102/1/6
switchport access vlan 200
channel-group 10 mode active (used LACP)
VDX
interface Port-channel 27
vlag ignore-split
speed 1000
switchport
switchport mode access
switchport access vlan 200
spanning-tree shutdown
no shutdown
interface GigabitEthernet 21/0/31
channel-group 27 mode active type standard
lacp timeout long
no shutdown
interface GigabitEthernet 22/0/31
channel-group 27 mode active type standard
lacp timeout long
no shutdown
Unfortunately, we can't up the link for interfaces and so the port-channel.
We have the next message from the N5K for FEX :
%ETHPORT-5-IF_ADMIN_UP: Interface Ethernet101/1/6 is admin up .
%ETHPORT-5-SPEED: Interface Ethernet101/1/6, operational speed changed to 1 Gbps
%ETHPORT-5-IF_DUPLEX: Interface Ethernet101/1/6, operational duplex mode changed to Full
%ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet101/1/6, operational Receive Flow Control state changed to off
%ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet101/1/6, operational Transmit Flow Control state changed to on
%ETHPORT-5-IF_UP: Interface Ethernet101/1/6 is up in mode access
%ETHPORT-5-IF_DOWN_NONE: Interface Ethernet101/1/6 is down (None)
%ETHPORT-5-IF_DOWN_ERROR_DISABLED: Interface Ethernet101/1/6 is down (Error disabled. Reason:BPDUGuard)
Any idea about the configuration ?
Thanks for your help.
MatthieuFexes are really made to connect hosts and not switches . So the ports should not see bpdu's so bpduguard is err-disabling the ports.
Spanning Tree Protocol
HIFs go down with the BPDUGuard errDisable message
HIFs go down accompanied with the message, BPDUGuard errDisable.
Possible Cause
By default, the HIFs are in STP edge mode with the BPDU guard enabled. This means that the HIFs are supposed to be connected to hosts or non-switching devices. If they are connected to a non-host device/switch that is sending BPDUs, the HIFs become error-disabled upon receiving a BPDU.
Solution
Enable the BPDU filter on the HIF and on the peer connecting device. With the filter enabled, the HIFs do not send or receive any BPDUs. Use the following commands to confirm the details of the STP port state for the port: -
Cisco Nexus 9300 Virtual Port Channel Support
Hi,
As I am new to Nexus 9300 and I was wondering if the switch may support virtual port channel (VPC)? I was wondering if there may be any feature matrix to compare it against the 9500/N7Ks/N5Ks
Any suggestion is appreciated.
Thanks.Hi Marvin,
Appreciate for the information. I believe the customer is in the process of moving to ACI gradually however the setup I will be making will be classical ethernet setup which is similar to VSS setup whereby the N9300 would make use of VPC to connect to catalyst 3K/6K switch. I have illustrated it below for reference:
Catalyst 6500 Non-VSS (Core)
|----(VPC)---|
N9300 ----- N9300 (Aggregation/Distribution)
|----(VPC)---|
Catalyst 3K switch (Access)
Appreciate for clarrifiying the support for VPC for Nexus 9300 as I made a search on feature navigator for "Virtual Port Channel" which only listed the N7K platforms.
Thanks. -
ASA5580 port channel to 6509 VSS
Hi All,
I hope this is the correct location for this.
Anyway, here's the situation I'm trying to configure several VLANs on my ASA to uniquely allocate to contexts, the VLANs will be trunked from my VSS.
Unfortunately I'm not clear on how to achieve this, the configuration guide for 8.4 talks about multiple contexts and routed setups all which don't appear to apply exactly. I've configured the port channel at both ends and I've configured sub-interfaces on the port channel and assigned VLAN IDs. These sub-interfaces are then allocated to the contexts to set 'ip address' etc. I've not been able to successfully test this configuration and I am concerned that it is incorrect..
If anyone has any advice or suggestions I would be grateful?
Many thanks.Well the good news is that I have been able to test my configuration.
Using an infrequently utilised VLAN I disabled the current interface and brought up an allocated port on the new ASA which I successfully pinged the subinterface ip of (configured via a context of the ASA). The complication was using the correct VRF as the source!
All is good ready for the cut-over.
Regards. -
UCS FI 6248 to Nexus 5548 San port-channel - not working
Hi all,
I'm sure I am missing something fairly obvious and stupid but I need several sets of eyes and help.
Here is the scenario:
I want to be able to create san port-channels between the FI and Nexus. I don't need to trunk yet as I can't even get the channel to come up.
UCS FI 6248:
Interfaces fc1/31-32
Nexus 5548
interfaces fc2/15-16
FI is in end-host mode and Nexus is running NPIV mode with fport-channel-trunk feature enabled.
I'm going to output the relevants configurations below.
Nexus 5548:
NX5KA(config)# show feature | include enabled
fcoe 1 enabled
fex 1 enabled
fport-channel-trunk 1 enabled
hsrp_engine 1 enabled
interface-vlan 1 enabled
lacp 1 enabled
lldp 1 enabled
npiv 1 enabled
sshServer 1 enabled
vpc 1 enabled
interface san-port-channel 133
channel mode active
no switchport trunk allowed vsan all
switchport trunk mode off
interface fc2/15
switchport trunk mode off
channel-group 133 force
no shutdown
interface fc2/16
switchport trunk mode off
channel-group 133 force
no shutdown
NX5KA# show vsan membership
vsan 1 interfaces:
fc2/13 fc2/14
vsan 133 interfaces:
fc2/15 fc2/16 san-port-channel 133
vsan 4079(evfp_isolated_vsan) interfaces:
vsan 4094(isolated_vsan) interfaces:
NX5KA# show san-port-channel summary
U-Up D-Down B-Hot-standby S-Suspended I-Individual link
summary header
Group Port- Type Protocol Member Ports
Channel
133 San-po133 FC PCP (D) FC fc2/15(D) fc2/16(D)
UCS Fabric Interconnect outputs:
UCS-FI-A-A(nxos)# show san-port-channel summary
U-Up D-Down B-Hot-standby S-Suspended I-Individual link
summary header
Group Port- Type Protocol Member Ports
Channel
133 San-po133 FC PCP (D) FC fc1/31(D) fc1/32(D)
UCS-FI-A-A(nxos)#
UCS-FI-A-A(nxos)# show run int fc1/31-32
!Command: show running-config interface fc1/31-32
!Time: Fri Dec 20 22:58:51 2013
version 5.2(3)N2(2.21b)
interface fc1/31
switchport mode NP
channel-group 133 force
no shutdown
interface fc1/32
switchport mode NP
channel-group 133 force
no shutdown
UCS-FI-A-A(nxos)#
UCS-FI-A-A(nxos)# show run int san-port-channel 133
!Command: show running-config interface san-port-channel 133
!Time: Fri Dec 20 22:59:09 2013
version 5.2(3)N2(2.21b)
interface san-port-channel 133
channel mode active
switchport mode NP!Command: show running-config interface san-port-channel 133
!Time: Sat May 16 04:59:07 2009
version 5.1(3)N1(1)
interface san-port-channel 133
channel mode active
switchport mode F
switchport trunk mode off
Changed it as you suggested...
Followed the order of operations for "no shut"
Nexus FC -> Nexus SAN-PC -> FI FC -> FI SAN-PC.
Didn't work:
NX5KA(config-if)# show san-port-channel summary
U-Up D-Down B-Hot-standby S-Suspended I-Individual link
summary header
Group Port- Type Protocol Member Ports
Channel
133 San-po133 FC PCP (D) FC fc2/15(D) fc2/16(D)
NX5KA(config-if)#
Here is the output as you requested:
NX5KA(config-if)# show int san-port-channel 133
san-port-channel 133 is down (No operational members)
Hardware is Fibre Channel
Port WWN is 24:85:00:2a:6a:5a:81:00
Admin port mode is F, trunk mode is off
snmp link state traps are enabled
Port vsan is 133
1 minute input rate 1256 bits/sec, 157 bytes/sec, 0 frames/sec
1 minute output rate 248 bits/sec, 31 bytes/sec, 0 frames/sec
3966 frames input, 615568 bytes
0 discards, 0 errors
0 CRC, 0 unknown class
0 too long, 0 too short
2956 frames output, 143624 bytes
0 discards, 0 errors
46 input OLS, 41 LRR, 73 NOS, 0 loop inits
257 output OLS, 189 LRR, 219 NOS, 0 loop inits
last clearing of "show interface" counters never
Member[1] : fc2/15
Member[2] : fc2/16
NX5KA(config-if)#
NX5KA(config-if)# show int brief
Interface Vsan Admin Admin Status SFP Oper Oper Port
Mode Trunk Mode Speed Channel
Mode (Gbps)
fc2/13 1 auto on sfpAbsent -- -- --
fc2/14 1 auto on sfpAbsent -- -- --
fc2/15 133 F off init swl -- 133
fc2/16 133 F off init swl -- 133 -
My port channel is not coming up can you review my port channel configuration.
SWITCH#
interface Port-channel12
switchport access vlan 513
switchport mode access
endHello,
how are your participating interfaces configured ? They should look like this (assuming you use interfaces FastEthernet0/1 and FastEthernet0/2 for your channel on both devices):
3550-1#
interface FastEthernet0/1
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface FastEthernet0/2
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface Port-channel12
switchport access vlan 513
switchport mode access
3550-2#
interface FastEthernet0/1
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface FastEthernet0/2
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface Port-channel12
switchport access vlan 513
switchport mode access
Do you have physical connectivity at all ?
Regards,
GP -
Nexus 1000v - port-channel "refresh"
Hi All,
My question is, does anyone have any information on this 1000v command:
Nexus-1000v(config)# port-channel internal device-id table refresh
I am looking for a way for the port-channel interface to be automatically removed from the 1000v once the VEM has been deleted, currently the port-channel interface does not disappear when the VEM has been removed. This seems to be causing problems once the same VEM is re-added later on. Ports are getting sent into quarantine states and ending up in invalid states (eg. NoPortProfile state when there is actually a port-profile attached).
Anyway, if anyone can explain the above command or tell me how to find out more, it would be great, I can't find it documented anywhere and the context-sensitive help in the NXOS is vague at best.Brendan,
I don't have much information on that command, but I do know it wont remove any unused port channels. They have to be manually deleted if they're no longer needed.
The port Channel ID will remain even after a VEM is removed in case the assigned VEM comes back. When a VEM is decommisioned permanently, I'll do a "no vem x" to also remove the Host entry for that VEM from the VSM. This way the module slot # can be re-assigned to the next new VEM inserted. After adding/removing VEMs just do a "show port-channel summary" to see any unused Port Channel IDs, and delete them. It's a quick & painless task.
I would hope this wouldn't be a common issue - how often are you deleting/removing VEMs?
Regards,
Robert -
Nexus 6K: Port-Channel Load-Balance
Hi all,
I configured "port-channel load-balance ethernet source-dest-mac" on Nexus 6001. But when I use "show run all | in load-balance", it displays module 1 and module 2 are still using source-dest-ip for port-channel load-balance. And for command "show port-channel load-balance" and "show port-channel load-balance forwarding-path interface", it still shows switch using MAC for hash algorithm. The NXOS is 6.0(2)N1(2a).
Does anybody know:
- What is the function of "port-channel load-balance ethernet source-dest-ip module" and in which situation this command will be effective?
- It shows "port-channel load-balance ethernet source-dest-ip module" command for both module 1 and 2. Module 1 is N6K Supervisor and module 2 is 4xQSFP Ethernet Module. Is it possible to set different load-balance algorithm to these 2 modules?
# show run all | in load-balance
port-channel load-balance ethernet source-dest-mac
port-channel load-balance ethernet source-dest-ip module 1
port-channel load-balance ethernet source-dest-ip module 2
# show port-channel load-balance
Port Channel Load-Balancing Configuration:
System: source-dest-mac
Port Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: source-dest-mac
IP: source-dest-mac
# show port-channel load-balance forwarding-path interface port-channel 30 vlan 150 src-ip 172.25.228.6 dst-ip 172.25.226.97
Missing params will be substituted by 0's.
Load-balance Algorithm on switch: source-dest-mac
crc_hash: 977 Polynomial: CRC10b Outgoing port id Ethernet1/2
Param(s) used to calculate load-balance:
seed: 0x701
dst-mac: 0000.0000.0000
src-mac: 0000.0000.0000
# show module
Mod Ports Module-Type Model Status
1 48 Norcal 64 Supervisor N6K-C6001-64P-SUP active *
2 10 Nexus 4xQSFP Ethernet Module N6K-C6001-M4Q ok
Mod Sw Hw World-Wide-Name(s) (WWN)
1 6.0(2)N2(3) 1.0 --
2 6.0(2)N2(3) 1.0 --Hi all,
I configured "port-channel load-balance ethernet source-dest-mac" on Nexus 6001. But when I use "show run all | in load-balance", it displays module 1 and module 2 are still using source-dest-ip for port-channel load-balance. And for command "show port-channel load-balance" and "show port-channel load-balance forwarding-path interface", it still shows switch using MAC for hash algorithm. The NXOS is 6.0(2)N1(2a).
Does anybody know:
- What is the function of "port-channel load-balance ethernet source-dest-ip module" and in which situation this command will be effective?
- It shows "port-channel load-balance ethernet source-dest-ip module" command for both module 1 and 2. Module 1 is N6K Supervisor and module 2 is 4xQSFP Ethernet Module. Is it possible to set different load-balance algorithm to these 2 modules?
# show run all | in load-balance
port-channel load-balance ethernet source-dest-mac
port-channel load-balance ethernet source-dest-ip module 1
port-channel load-balance ethernet source-dest-ip module 2
# show port-channel load-balance
Port Channel Load-Balancing Configuration:
System: source-dest-mac
Port Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: source-dest-mac
IP: source-dest-mac
# show port-channel load-balance forwarding-path interface port-channel 30 vlan 150 src-ip 172.25.228.6 dst-ip 172.25.226.97
Missing params will be substituted by 0's.
Load-balance Algorithm on switch: source-dest-mac
crc_hash: 977 Polynomial: CRC10b Outgoing port id Ethernet1/2
Param(s) used to calculate load-balance:
seed: 0x701
dst-mac: 0000.0000.0000
src-mac: 0000.0000.0000
# show module
Mod Ports Module-Type Model Status
1 48 Norcal 64 Supervisor N6K-C6001-64P-SUP active *
2 10 Nexus 4xQSFP Ethernet Module N6K-C6001-M4Q ok
Mod Sw Hw World-Wide-Name(s) (WWN)
1 6.0(2)N2(3) 1.0 --
2 6.0(2)N2(3) 1.0 -- -
Hi
I was trying to configure two 6800x switches as a VSS pair, Ive done this on 4500x switches before and worked a treat. when setting up a L2 port-channel, for some reason it puts the ports into routed mode and does not allow me to build a L2 port-channel.
So I add the following config for the port-channel
Interface port-channel 10
Description VSL_Link
switchport
switch virtual link 2
no shut
Interface range Tengig 1/1 – 1/2
Description VSL_Link
switchport mode trunk
channel-group 10 mode on
Now as soon as I type the channel-group 10 mode on, it gives an error
"Command rejected (Port-channel10): Either port is L2 and port-channel is L3, or vice-versa"
I managed to create a L2 port-channel on a 4500x, will the 6800x only allow me to create a l3 port channel.Hi
I tried this config on the 4500x and it worked, now I have also added the switchport mode trunk command to both the port-channel and interface and still getting the same error.
When I do sh int status, the ports are showing as routed
I cleared the config and first set both interface as trunks, then when I do the channel-group 10 mode on command, it accepts the command an automatically creates the port-channel, but the interfaces show as routed.
This is my first time using a 6880x, when i logged into it, the default hostname is set to Router. I was expecting it to be named Switch, not that the hostname affects the config but makes me wonder, is the config different for the 6880x as opposed to other L3 switches -
Nexus port channel load balance
Hi
I just want to clarify one setting for the port channel load balance on Nexus 6k switch. If I use the load balance option source-dest-ip-only, will following four converstions be load balanced?
10.10.10.1 -> 192.168.1.1
10.10.10.2 -> 192.168.1.1
10.10.10.1 -> 192.168.1.1
10.10.10.1 -> 192.168.1.2
Thanks. LeoHi Leo,
I think there may be typo in your question as I only see three conversations and not four. That aside I've not seen the Nexus port-channel load balancing sufficiently well documented to be able to give you the exact answer.
In their configuration guides Cisco only include the following statement:
Cisco NX-OS load balances traffic across all operational interfaces in a port channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
There is other documentation that states the load balancing algorithm uses a CRC-8 based polynomial, but as we don't know exactly which parts of the frame are used in the calculation, I don't see it's possible to calculate the answer and so derive the link that will be used for a given conversation.
While I've not seen full documentation regarding the science used in the calculation, what Cisco have done is provide a command on the switch CLI that will allow you to determine which link of a port-channel will be used.
If you run the command show port-channel load-balance forwarding-path interface port-channel vlan src-ip dst-ip then one of the parts of the output is the member link of the port-channel that will be used for that flow.
You can find full details of the options for the show port-channel load-balance command in the command reference.
One other point to remember is that the load balancing across a port-channel is unidirectional, and the hashing might be completely different for the return flow of a conversation. For example it is entirely possible that traffic from A to B could use one link of a port-channel, while the return traffic from B to A for the same conversation could use a different link.
In general I would use the source-dest-port option for load balancing on the Nexus switches as this will obviously include the Layer-4 port numbers in the calculation, and so give you a better distribution of flows across all member links.
Regards -
Hi All,
I have a scenario where I have two nexus 5596 as upstream and have vPC in between. downstream is the server hooking to the upstrean both nexus devices.
On Both the Nexus switch the port channel is down and the VPC is also down. The physical interfaces are up and passing traffic to the server.
My understanding is if the server NIC's are teamed, even the switches should also have the portchannle to work properly.
But since portchannel and vpc both are down in both the switches
1. how the switch is passing traffic.
2. I checked the configs for portchannel formation on phy ports which looks good to me still po is down. Why?
3. I understand as port channel is down so vPC is down ( correct me if I am wrong).
I have attached the diagram & below are the logs for ur reference:
The output on Nexus5596 2 device is same as on Nexus5596 1
Nexus5596 1#Sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 106
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status: success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 29
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
vPC Peer-link status
id Port Status Active vlans
1 Po4 up 1-2,713-718,999
vPC status
id Port Status Consistency Reason Active vlans
9 Po9 up success success 2,713-718
701 Po701 down* success success -
702 Po702 down* success success -
Nexus5596 1# sh port-channel su
Group Port- Type Protocol Member Ports
Channel
4 Po4(SU) Eth LACP Eth1/27(P) Eth1/28(P)
9 Po9(SU) Eth LACP Eth1/29(P) Eth1/30(P) Eth1/31(P)
Eth1/32(P)
701 Po701(SD) Eth LACP Eth1/1(I)
702 Po702(SD) Eth LACP Eth1/2(I)
Nexus5596 1#sh run int e1/1
interface Ethernet1/1
description snrkdc1285_1/0
switchport mode trunk
switchport trunk native vlan 713
switchport trunk allowed vlan 713-718
spanning-tree port type edge trunk
no snmp trap link-status
channel-group 701 mode active
Nexus5596 1# sh int e1/1 status
Port Name Status Vlan Duplex Speed Type
Eth1/1 snrkdc1285_1/0 connected trunk full 10G 10Gbase-SR
Thanks,
SagarReza - My bad I mistakenly mentioned e1/10 in diagram but it is e1/1 for po701
Since these are L2 switches SH IP INT BR shows only mgmt Ip
Please find the requested outputs as below.
nexus5596 1#sh run int po701
interface port-channel701
description snrkdc1285
switchport mode trunk
switchport trunk native vlan 713
switchport trunk allowed vlan 713-718
spanning-tree port type edge trunk
speed 10000
no snmp trap link-status
vpc 701
nexus5596 2# sh run int po701
interface port-channel701
description snrkdc1285
switchport mode trunk
switchport trunk native vlan 713
switchport trunk allowed vlan 713-718
spanning-tree port type edge trunk
speed 10000
no snmp trap link-status
vpc 701
nexus5596 1#sh int br
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
Eth1/1 713 eth trunk up none 10G(D) --
Eth1/2 713 eth trunk up none 10G(D) --
Port-channel VLAN Type Mode Status Reason Speed Protocol
Interface
Po4 1 eth trunk up none a-10G(D) lacp
Po9 2 eth trunk up none a-10G(D) lacp
Po701 713 eth trunk down No operational members 10G(D) lacp
Po702 713 eth trunk down No operational members 10G(D) lacp
nexus5596 2#sh int br
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
Eth1/1 713 eth trunk up none 10G(D) --
Eth1/2 713 eth trunk up none 10G(D) --
Port-channel VLAN Type Mode Status Reason Speed Protocol
Interface
Po4 1 eth trunk up none a-10G(D) lacp
Po9 2 eth trunk up none a-10G(D) lacp
Po701 713 eth trunk down No operational members 10G(D) lacp
Po702 713 eth trunk down No operational members 10G(D) lacp -
Port-Channel binding on vfc interface
Hi there,
I am currently setting up a CNA / Nexus test configuration in a Blade Server chassis.
I am using a Fujitsu CEE switch in the chassis in between CNA and Nexus.
The FJ switch is connected to the Nexus via a port-channel with 8 member ports.
And here comes my problem. I normally bind physical interfaces to my vfcs
When I now try to bind the logical port-channel interface to my vfc it says this is only possible if the channel contains not more than one member port.
If this would work all my CNA WWPNs would be mapped to a single vfc interface.
What now?
I have 18 blades each equipped with one CNA . Means on both of my Nexus fabrics I have to configure 18 vfcs and bind the 36 WWPNs manually to them.
This is really kind of annoying.
Does anybody now if this will be fixed with a future firmware release or if there is any workaround available that makes life easier?
Thanks a lot in advance!You will need to bind the MAC address of the servers to vFC since you cannot bind the same physical interface to multiple vFCs. I am not aware of any alternate upcoming solutions for this. I have seen many many customers do this with Nexus 4000's in IBM bladecenters which houses the servers.
-
ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface
Hi All,
I am having problem when configure port channel on asa5550
IOS ver asa914-k8.bin also in ver 9.02 and 8.47.
Please let me know how can I solve this problem.
UK-LON-FW(config)# int port-channel 3
UK-LON-FW(config-if)# vlan 245
^
ERROR: % Invalid input detected at '^' marker.
UK-LON-FW(config-if)# nameif secure
ERROR: nameif not allowed on empty etherchannel interface.
UK-LON-FW(config-if)#
here is my interfaces configuration:
interface GigabitEthernet0/0
description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
channel-group 1 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
channel-group 1 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
channel-group 2 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
channel-group 2 mode on
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.51.18 255.255.254.0
interface GigabitEthernet1/0
description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
no nameif
no security-level
no ip address
interface GigabitEthernet1/1
description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
description LAN Failover Interface
no nameif
no security-level
no ip address
interface GigabitEthernet1/3
description STATE Failover Interface
no nameif
no security-level
no ip address
interface Port-channel1
description outside zone
no nameif
no security-level
no ip address
interface Port-channel1.5
description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
vlan 5
nameif outside
security-level 0
ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
interface Port-channel2
description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
no nameif
no security-level
no ip address
interface Port-channel2.105
description dmz
vlan 105
nameif dmz
security-level 50
ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
interface Port-channel3
description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
no nameif
security-level 100
ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
UK-LON-FW(config-if)#Hi Marvin,
Thank you for your answer. I did everything but it did not work. Turn out it is a bug ver 8.45 will let you created the sub logical interface but actually it did not work right. Verson 9.x doesn't let you create more than 2 port channel (limitation of ASA5550 hardware).
https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr
Also, you can see the 8.4 release notes were you can see that it is not supported:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
Interface Features
EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel . -
Policy maps on port-channel sub-interfaces
We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have a ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
Any thoughts or insight would be helpful. Thanks.I can't put it as input because :
gw-a(config-subif)#service-policy input policy_upload
Traffic Shaping feature not supported in input policy.
Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
gw-a#show policy-map interface Port-channel 1.2
Port-channel1.2
Service-policy output: policy_upload
Class-map: class-default (match-any)
624006 packets, 842239036 bytes
5 minute offered rate 12774000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 100000, bc 400, be 400
target shape rate 100000 -
Catalyst 3750G and WLC 440x - Port Channel - Configuration - Best Pactice
What is the best practice to use when configuring port channel between Catalystr 3750G switch stack and WLC 4402 / 4404 Wireless Lan Controllers:
a) Negotiate to LACP
b) Negotiate to PAgP
or
c) Hard-code to Port Channel without any negotiation.
Any pointers to any useful links - much appreciated and configuration example as well.Answer is 'C'... channel-mode on
Configuring Neighbor Devices to Support LAG
The controller's neighbor devices must also be properly configured to support LAG.
â¢Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet
switchport
channel-group mode on
no shutdown
â¢The port channel on the neighbor switch should be configured as follows:
interface port-channel
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan
switchport trunk allowed vlan
switchport mode trunk
no shutdown
Here is a link that explains it. Hope this answers your question:
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42mint.html#wp1116136
Here is a Best Practice doc:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml
Maybe you are looking for
-
Streaming large text/html data to browser using JSP.
Current Implementation of my code using JRUN: JSP program on request from browser does the following: i)calls legacy system function that writes output to socket ii) calls a java bean function which 1) collect data from socket and
-
Yet again my iMac wouldn't start up. I had this problem a while ago and it went in for repair, they couldn't find anything wrong, but had come across this problem before and replaced some power related part. Today I left my iMac in sleep mode , came
-
How to use ans E\external camera as choice in ichat ?
I have a macbook pro with a built in isight. I've tried using two other cameras as video source with no luck. both are cannon mini viedo cameras, The first camera I needed to get a firewire adaptor for. from a dv port of a camera to the firewire port
-
Libelf missing when running Launchy or gnome-do
Hi All, I am getting the following error when trying to run launchy of gnome-do ... (I have recently crossed to the dark side (gnome) from kde4 ;-) gnome-do Gtk-Message: Failed to load module "gnomebreakpad": libelf.so.0: cannot open shared object fi
-
Error when moving an object around the art board (Video)
So I have a grouped object which I was about to move into place when I started getting this odd error, including a error message. Here is a video of the issue: http://youtu.be/8o1E_oF5D0I Error message: Can't move the objects. The requested transform