Nexus 3548 ACL Logging
"show ip access-list", IOS displays matches against each statement within the ACL and you can see counters incrementing or not, useful in troubleshooting. Nexus 3548 does not display any counters with the same command!
I must be missing something because I cannot find a logging command that will simply add hits with command "show IP access-list <name>" (Nexus 3548)
Is there an alternative?
After reading Cisco ACL docs I managed to configure and get ACL logging working fine on my lab 3548:
test# sh log ip access-list cache
Source IP Destination IP S-Port D-Port Interface Protocol Hits
10.170.x.x 10.x.x.x 0 0 mgmt0 (6)TCP 98
Software
BIOS: version 1.9.0
loader: version N/A
kickstart: version 6.0(2)A4(3)
system: version 6.0(2)A4(3)
Power Sequencer Firmware:
Module 1: version v2.1
BIOS compile time: 10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
kickstart compile time: 11/21/2014 9:00:00 [11/21/2014 19:29:20]
system image file is: bootflash:///n3500-uk9.6.0.2.A4.3.bin
system compile time: 11/21/2014 9:00:00 [11/21/2014 21:09:06]
Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
Intel(R) Pentium(R) CPU @ 1.50GHz
with 3805876 kB of memory.
However in my other live Nexus 3548 "show log ip access-list cache" is not available from the command line with the following software version:
-n35# show log ip access-list cache
^
% Invalid command at '^' marker.
Software
BIOS: version 1.9.0
loader: version N/A
kickstart: version 6.0(2)A1(1b)
system: version 6.0(2)A1(1b)
Power Sequencer Firmware:
Module 1: version v2.1
BIOS compile time: 10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
kickstart compile time: 9/5/2013 14:00:00 [09/05/2013 23:37:16]
system image file is: bootflash:///n3500-uk9.6.0.2.A1.1b.bin
system compile time: 9/5/2013 14:00:00 [09/06/2013 03:25:01]
Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
I've researched the command line reference and found nothing to suggest version 6.0(2)A1(1b) this OAL feature is not supported......anyways the live 3548 I can see statistics per-entry command under each ACL (these ACL's are not bound to any VLAN interfaces). show ip access-list shows no hits against any of the ACL's
My 1st question why is the OAL ACL cache is not supported on my live version?
2nd q - Why there are no hits when the statistics per-entry command is configured under each ACL when I know there are thousands of hits per minute?
NB: The ip access-group in statements are applied to the Interface port number NOT interface VLAN
example
interface Ethernet1/6
description ** hello **
ip access-group test in
switchport access vlan 885
speed 1000
no negotiate auto
Similar Messages
-
Help with multiple nat translation on a Cisco Nexus 3548
Hi All,
I need a little help with a NAT configuration on a cisco Nexus 3548 version 6.0(2)A4(3).
What currently have is as follows:
internal network: 192.168.4.0/24
nexus router (routerA):
LAN Side: vlan104 interface 192.168.4.201/24
WAN Side: Eth1/48 interface 172.24.101.2/24
remote network: 159.43.48.32/27
remote gateway: 172.24.101.1/24
use ACL's to ensure that only specific traffic is allowed out and in.
allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
What we really want is to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
In the past i've been able to do this with inside and outside nat's and i haven't had to configure an interface on the router for the internal address, it has just been "stood up" by the nat rules. For example (this is how i've done it before):
LAN interface
ip nat outside
WAN interface
ip nat inside
ip nat inside source static159.43.65.81 192.168.4.203
ip nat outside source static 159.43.65.81 192.168.4.203
but, trying to implement this sort of config on the Nexus isn't working.
I am wondering if the Nexus behaves differently than ios based routers.
I'd appreciate any help to get this config working.
Thanks in advance,
LesLes
The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
So you do a ping from a 192.168.3.x client it looks like it is working but actually the L3 device is simply responding and the packet never gets to the server.
Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
192.168.4.203 255.255.255.255 159.43.48.34
this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
So firstly see if that option is available with your NAT statement ie.
"ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
192.168.4.203 255.255.255.255 <next hop IP>
note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
Hope that makes sense.
Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
I suspect it would though.
If it did work then it would still mean you didn't need to advertise the public IP internally.
If I get the chance I'll test it later today.
Jon -
NEXUS 3548 with 24 Port License
Ive a 3548 box with 24port Lic,My concern is about the functionality of the remaining 24 Ports.Will there be a problem with the rest of the 24 ports while in production.
NX3548# sh inventory
NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
PID: N3K-C3548P-10G , VID: V02 , SN: XXXXXXXXXX
NAME: "Module 1", DESCR: "48x10GE Supervisor"
PID: N3K-C3548P-10G , VID: V02 , SN: XXXXXXXXXX
NX3548# SH LICense usage
Feature Ins Lic Status Expiry Date Comments
Count
24P_LIC_PKG Yes - Unused Never -
24P_UPG_PKG No - Unused -
LAN_BASE_SERVICES_PKG Yes - Unused Never -
ALGO_BOOST_SERVICES_PKG No - Unused -
LAN1K9_ENT_SERVICES_PKG No - Unused -
LAN_ENTERPRISE_SERVICES_PKG No - Unused -Hello Dhanesh,
thanks for your reply.
We have 2 3548 licensed exactly as your Nexus.
After a reboot of the two Nexus the first 4 ports (of the two) had problems (no input packets, only ouput packets, so unusable). There was connected devices with GLC-T, so they worked at 1 G, not 10G.
We opened a TAC Case about this and, after remote session and many analysis, the engineer decided to replace the two devices.
Despite this I have still some doubt.
I found the discussion below and I post some logs of one of the Nexus, we use the 10 G not in a contiguous way.
Thanks and regards
https://supportforums.cisco.com/discussion/12073821/nexus-3548-24-port-license-what-ports-use
371) Event:E_DEBUG, length:55, at 552701 usecs after Sat Mar 14 20:02:11 2015
[825307441] Couldn't send grace period data: No route to host
372) Event:E_DEBUG, length:58, at 255834 usecs after Sat Mar 14 19:02:57 2015
[825307441] Couldn't fetch grace enabled status: no such pss key
373) Event:E_DEBUG, length:55, at 819209 usecs after Sat Mar 14 19:02:18 2015
[825307441] Couldn't send grace period data: No route to host
374) Event:E_DEBUG, length:44, at 818664 usecs after Sat Mar 14 19:02:18 2015
[825307441] Failed to get VDC map: no such pss key
375) Event:E_DEBUG, length:44, at 818270 usecs after Sat Mar 14 19:02:18 2015
[825307441] Transient read error in glob_refresh()
376) Event:E_DEBUG, length:60, at 813122 usecs after Sat Mar 14 19:02:18 2015
[825307441] Expiry date for feature LAN_BASE_SERVICES_PKG: 3650000
377) Event:E_DEBUG, length:50, at 773120 usecs after Sat Mar 14 19:02:18 2015
[825307441] Expiry date for feature 24P_LIC_PKG: 3650000
378) Event:E_DEBUG, length:30, at 716563 usecs after Sat Mar 14 19:02:08 2015
[825307441] checking confcheck config
N3K-DC-1# sh int status
Port Name Status Vlan Duplex Speed Type
Eth1/1 *** FREE *** sfpAbsent 1 full 1000 --
Eth1/2 *** FREE *** sfpAbsent 1 full 1000 --
Eth1/3 *** FREE *** sfpAbsent 1 full 1000 --
Eth1/4 *** FREE *** sfpAbsent 1 full 1000 --
Eth1/5 UCS_UPLINK_FABRIC_ connected trunk full 10G SFP-H10GB-CU5M
Eth1/6 UCS_UPLINK_FABRIC_ connected trunk full 10G SFP-H10GB-CU5M
Eth1/7 -- sfpAbsent 1 full 10G --
Eth1/8 -- sfpAbsent 1 full 10G --
Eth1/9 -- sfpAbsent 1 full 10G --
Eth1/10 -- sfpAbsent 1 full 10G --
Eth1/11 -- connected trunk full 1000 1000base-T
Eth1/12 -- connected trunk full 1000 1000base-T
Eth1/13 -- sfpAbsent 1 full 10G --
Eth1/14 -- sfpAbsent 1 full 10G --
Eth1/15 -- sfpAbsent 1 full 10G --
Eth1/16 -- sfpAbsent 1 full 10G --
Eth1/17 -- sfpAbsent 1 full 10G --
Eth1/18 -- sfpAbsent 1 full 10G --
Eth1/19 -- sfpAbsent 1 full 10G --
Eth1/20 -- sfpAbsent 1 full 10G --
Eth1/21 -- sfpAbsent 1 full 10G --
Eth1/22 -- sfpAbsent 1 full 10G --
Eth1/23 -- sfpAbsent 1 full 10G --
Eth1/24 -- sfpAbsent 1 full 10G --
Eth1/25 -- sfpAbsent 1 full 10G --
Eth1/26 -- sfpAbsent 1 full 10G --
Eth1/27 -- sfpAbsent 1 full 10G --
Eth1/28 -- sfpAbsent 1 full 10G --
Eth1/29 -- sfpAbsent 1 full 10G --
Eth1/30 -- sfpAbsent 1 full 10G --
Eth1/31 *** FREE *** notconnec 1 full 1000 1000base-T
Eth1/32 -- sfpInvali 1 full 10G 1000base-T
Eth1/33 -- sfpAbsent 1 full 10G --
Eth1/34 -- sfpAbsent 1 full 10G --
Eth1/35 -- sfpAbsent 1 full 10G --
Eth1/36 -- sfpAbsent 1 full 10G --
Eth1/37 -- sfpAbsent 1 full 10G --
Eth1/38 -- sfpAbsent 1 full 10G --
Eth1/39 -- sfpAbsent 1 full 10G --
Eth1/40 -- sfpAbsent 1 full 10G --
Eth1/41 -- sfpAbsent 1 full 10G --
Eth1/42 -- sfpAbsent 1 full 10G --
Eth1/43 -- notconnec 1 full 10G 10Gbase-SR
Eth1/44 -- notconnec 1 full 10G 10Gbase-SR
Eth1/45 C3850-CORE [Port-C connected trunk full 10G 10Gbase-SR
Eth1/46 C3850-CORE [Port-C connected trunk full 10G 10Gbase-SR
Eth1/47 vPC PeerLink [Port connected trunk full 10G SFP-H10GB-CU3M
Eth1/48 vPC PeerLink [Port connected trunk full 10G SFP-H10GB-CU3M
Po2 C3850-CORE connected trunk full 10G --
Po3 3750-DC connected trunk full a-1000 --
Po4 UCS_UPLINK_FABRIC_ connected trunk full 10G --
Po10 vPC PeerLink connected trunk full 10G --
mgmt0 -- connected routed full a-1000 -- -
Nexus 3548 6.0(2)A1(1) within Prime Infrastructure 2.0
Hi there,
I am trying to introduce some Nexus 3548 in my Prime Infrastructure 2.0.
For my 3048 running 6.0(2)U1(1a), no problem, they are discovered well and showing no error in the Device Work Center.
My 3548 are unrecognised (NXOS 6 too).
Is this an expected bahaviour ?
Regards,
FredHello,
Take a thorough look at realease notes for this version and before. This is the only way.
If your doubt is only about VPC and FEX features, it is totally supported, just be aware that upgrade is disruptive.
Regards.
Richard -
Unable to enable sflow feature on Nexus 3548
When I try to enable sflow via "feature sflow" command on the nexus 3548 switches running 6.0(2)A1(1C) I receive:
Error: while enabling/disabling service: sflow, err: service not found (0x401e0005)
Any input would be greatly appreciated.
Thank youRyan,
Thanks for the reply... it appears to be supported on the 3000, but not the 3524, which, in my opinion is fairly stupid... I know, I know, "its an architecture thing!", but really, Cisco, you couldn't have considered that customers would want this type of visibility in this switch?? Really?!?!
Anyway, thanks for the info... have you found a work-around or similar product that provides you similar visibility? -
Nexus 3548 reload after Jumbo Frames
I have a Nexus 3548... I know the Catalyst switches require a reload after enabling jumbo frames but does a Nexus require a reload?
Also, is there a way to verify other then doing a int counter detail command?
Thanks in advance.
RSAs for the verify, If I run "sh queuing int eth1/6" as per instructions I get Ambiguous command pointing to the "n" in "int"
-
Hi all,
My name is Harry from China shanghai and I have a trouble in Cisco Nexus 3548 switch the system reload at 2 min after shutdown .
How can i do it please help me.
System info
N3548# sh inventory
NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
PID: N3K-C3548P-10G , VID: V00 , SN: FOC1625R004
NAME: "Module 1", DESCR: "48x10GE Supervisor"
PID: N3K-C3548P-10G , VID: V00 , SN: FOC16245CPU
NAME: "Fan 1", DESCR: "Chassis fan module"
PID: NXA-FAN-30CFM-F , VID: N/A , SN: N/A
NAME: "Fan 2", DESCR: "Chassis fan module"
PID: NXA-FAN-30CFM-F , VID: N/A , SN: N/A
NAME: "Fan 3", DESCR: "Chassis fan module"
PID: NXA-FAN-30CFM-F , VID: N/A , SN: N/A
NAME: "Fan 4", DESCR: "Chassis fan module"
PID: NXA-FAN-30CFM-F , VID: N/A , SN: N/A
NAME: "Power supply 1", DESCR: "AC power supply"
PID: N2200-PAC-400W , VID: V04 , SN: DTN1707P1VV
NAME: "Power supply 2", DESCR: "AC power supply"
PID: N2200-PAC-400W , VID: V04 , SN: DTN1707P1VS
N3548#
N3548#
N3548# sh ser
^
% Invalid command at '^' marker.
N3548# sh version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
s_home.html
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
BIOS: version 1.9.0
loader: version N/A
kickstart: version 6.0(2)A4(3)
system: version 6.0(2)A4(3)
Power Sequencer Firmware:
Module 1: version v2.1
BIOS compile time: 10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
kickstart compile time: 11/21/2014 9:00:00 [11/21/2014 19:29:20]
system image file is: bootflash:///n3500-uk9.6.0.2.A4.3.bin
system compile time: 11/21/2014 9:00:00 [11/21/2014 21:09:06]
Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
Intel(R) Pentium(R) CPU @ 1.50GHz
with 3805876 kB of memory.
Processor Board ID FOC16245CPU
Device name: N3548
bootflash: 2007040 kB
Kernel uptime is 0 day(s), 0 hour(s), 3 minute(s), 4 second(s)
Last reset at 30232 usecs after Fri Dec 19 21:29:56 2014
Reason: Power down due to temperature sensor policy trigger
System version: 6.0(2)A4(3)
Service:
plugin
Core Plugin, Ethernet Plugin
--More--2014 Dec 19 21:28:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 105 seconds due to major temperature alarm
2014 Dec 19 21:28:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 100 seconds due to major temperature alarm
2014 Dec 19 21:28:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 95 seconds due to major temperature alarm
2014 Dec 19 21:28:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 90 seconds due to major temperature alarm
2014 Dec 19 21:28:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 85 seconds due to major temperature alarm
2014 Dec 19 21:28:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 80 seconds due to major temperature alarm
2014 Dec 19 21:28:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 75 seconds due to major temperature alarm
2014 Dec 19 21:28:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 70 seconds due to major temperature alarm
2014 Dec 19 21:28:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 65 seconds due to major temperature alarm
2014 Dec 19 21:28:56 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 60 seconds due to major temperature alarm
2014 Dec 19 21:29:01 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 55 seconds due to major temperature alarm
2014 Dec 19 21:29:06 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 50 seconds due to major temperature alarm
2014 Dec 19 21:29:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 45 seconds due to major temperature alarm
2014 Dec 19 21:29:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 40 seconds due to major temperature alarm
2014 Dec 19 21:29:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 35 seconds due to major temperature alarm
2014 Dec 19 21:29:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 30 seconds due to major temperature alarm
2014 Dec 19 21:29:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 25 seconds due to major temperature alarm
2014 Dec 19 21:29:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 20 seconds due to major temperature alarm
2014 Dec 19 21:29:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 15 seconds due to major temperature alarm
2014 Dec 19 21:29:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 10 seconds due to major temperature alarm
2014 Dec 19 21:29:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 5 seconds due to major temperature alarmSangeeth,
The first thing that you will want to verify is the physical condition of
the switch. The Nexus 7010 chassis used a front-to-back airflow model. see
the diagram below for a reference:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n
7k_hig_book/n7k_sys_specs.html#wp1039713
You will want to ensure that there is nothing blocking the intake or
exhaust vent of the switch. Also look at the front intake fan to see if
there is dust, or some other material that has accumulated that could be
impeding air intake.
Also verify if there is a device that is exhausting hot air towards the
intake of the switch.
2)
In case if you already checked the colling you can give the below try:-
Please remove and thoroughly clean the air filter located on the front of the Nexus 7010.
Find below the instructions for cleaning the Nexus 7010 air filter:
Cleaning or Replacing the Air Filter for the Cisco Nexus 7010 Chassis
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n
7k_hig_book/n7k_replacing.html#wp1454429
HTH
Regards
Inayat
***********Please rate if this info is helpfull.********* -
Nexus 3548 couldn`t enable vPC feature
Hello All,
I have to implement to 2 Nexus 3548 switches for a customer. The customer like to use it as core-switch (small LAN) and also like to run VPC feature. Now I have tried to active it, but I got the follow error message:
Enter configuration commands, one per line. End with CNTL/Z.
chefan-swi01(config)# feature vpc
Error: vPC feature is not supported
Is their a way to get VPC working on these plattform?
Software
BIOS: version 1.9.0
loader: version N/A
kickstart: version 5.0(3)A1(1)
system: version 5.0(3)A1(1)
power-seq: Module 1: version v2.1
BIOS compile time: 10/13/2012
kickstart image file is: bootflash:/n3500-uk9-kickstart.5.0.3.A1.1.bin
kickstart compile time: 11/2/2012 1:00:00 [11/02/2012 09:53:29]
system image file is: bootflash:/n3500-uk9.5.0.3.A1.1.bin
system compile time: 11/2/2012 1:00:00 [11/02/2012 10:27:12]
Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
Intel(R) Pentium(R) CPU @ 1 with 4140896 kB of memory.
Processor Board ID FOC17480ZHN
Device name: chefan-swi01
bootflash: 2007040 kB
Thx a lot for any suggestions.
Kind Regards, FerdiSeems to be an error on the Nexus 3k product page. We had a customer who purchased these for VPC support.
http://www.cisco.com/en/US/products/ps11541/index.html
Nexus 3500 Features
Ultra-Low Latency
Line-rate layer 2 and 3 switching at ultra-low latencies
Ideal for high-performance trading workloads
Mission-Critical Features
Network Address Translation (NAT)
Virtual Port Channel
IEEE-1588 PTP -
Thoughs on interconnecting Nexus 3548 and 3750 switches
Hi,
I have two nexus 3548 switches.
I have created port-group 1 on both switches to group eth1/47 with eth1/48.
I have 4 sfps, 2 per switch. to connect to a single 3750 that I want to group together as well.
So I have gi1/0/31 going to eth1/1 on nexus1 and gi1/0/32 going to eth1/2 on nexus1
I have gi1/0/33 goin to eth1/1 on nexus2 and gi1/0/32 goin to eth1/2 on nexus2
When I create the port group on the 3750 do I create one group with all 4 ports or will I have to create 2, one per nexus switch?
ThanksThanks for the replies. I finally got to test the hardware and config yesterday.
Just so I am clear. the vpc and peer to peer links are only for interconnecting the two Nexus switches. I think I got that right. sho VPC br seems to say it is up. I am using Po5
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
id Port Status Active vlans
1 Po5 up 1
Next do I create a port channel on Nex1 and Nex2 for the two ports that connect to the 3750 (Po6 for example) or do I add the two links to the 3750s to Po5 ? I thought I add them to Po 5 but since I am mixing 1000 and 10G ports it doesnt seem to like it. -
Nexus 3548 Switch doesn't recognize command " vtp mode Server / Client"
Hi Community.
I have a brand new Nexus 3548 switch. And I did the vtp setup:
vtp version 2
vtp password ******
vtp domain *****
Every thing is ok, but If I use the command "vtp mode server" the switch doesn't know that command. Even it doesn't know the "vtp mode" subcommand?
What's the problem ?
Best regards patrickThe Nexus 3548 supports only Transparent mode:
Step 5 vtp mode {transparent| off} Sets the VTP mode to transparent or off.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/layer_2_switching/b_Cisco_N3548_Layer_2_Switching_Config_503A1.pdf
I have no clue why.
Patrick -
Question about Nexus 3548 vPC setup
Hi.
We have just installed our two first Nexus 3548 switches in our Catalyst environment. We want to set up a vPC domain between the Nexuses, to use for connections to storage and other equipment.
I have read the guide at http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html and tried setting it up. I created a vPC domain on both switches like this:
nexus1:
vpc domain 1
role priority 2000
system-priority 4000
peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
nexus2:
vpc domain 1
system-priority 4000
peer-keepalive destination 192.168.105.39 source 192.168.105.40 vrf default
The switches are connected with a port-channel consisting of 2x 10GE. The IP addresses above are the ones we use for managing the switches. When I configure the port-channel as "vpc peer-link", the vpc status looks OK:
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
id Port Status Active vlans
1 Po2 up 1,6,100,102,106
The problem I have is that I lose connection to nexus2 when I bring up the vPC. I can no longer access it on its IP (192.168.105.40). I cannot ping it from nexus1 either. The Nexus switches are connected to our core switches, which are Catalyst 6509. nexus1 is connected to coreswitch1 using a portchannel of 2xGE and nexus2 is connected to coreswitch2 the same way. A spanning-tree cost has been set on the uplink from nexus2, to make spanning tree block that uplink, and allow traffic between the nexuses to go over the 2x 10GE portchannel instead of over the core switches. I have attached a drawing of this.
Maybe I shouldn't use the management IP:s for peer keepalive? Does the peer keepalive need to be on a different physical link than the peer-link?
Regards,
JohanWe are not using the management ports for management, but an ordinary Vlan Interface in the default vrf, as seen below. We can of course change that and instead use the mgmt0 port if that is the best approach.
vrf context management
vlan configuration 1,100
vlan 1
vlan 100
name DMMgmtPriv
vpc domain 1
role priority 2000
system-priority 4000
peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
interface Vlan1
interface Vlan100
no shutdown
no ip redirects
ip address 192.168.105.39/23 -
Hello,
We recently had a power supply failure in one of our Nexus 7000s, and I noticed that the syslog for the Platform is only present in the default VDC, and not in any of the other VDCs syslogs. Is this by design, or is there a logging level I can turn up in another VDC to capture this log? Thanks for any input
syslog from default VDC -
2013 Mar 18 23:10:34 %PLATFORM-2-PS_CAPACITY_CHANGE: Power supply PS3 changed i
ts capacity. possibly due to power cable removal/insertion (Serial number xxxxxxxx)
nothing in the VDC where I would like to get the logging
default VDC logging level -
xxx7K02# show log level platform
Facility Default Severity Current Session Severity
platform 5 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
xxx7K02#
loggging from the specific VDC where we have management tools.
xxx-LOW# show log level platform
Facility Default Severity Current Session Severity
platform 5 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
xxx-LOW#Hello Carl,
What version of code are you running on your Nexus 7k?
The expected behavior is:
"When a hardware issue occurs, syslog messages are sent to all VDCs."
http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/virtual_device_context/configuration/guide/vdc_mgmt.html#wp1170241
Dave -
Hello together,
we try to log hits to ACL entries to a syslog server.
We have an access list which blocks HSRP packets. We seen them in 'show logg ip access-list cache'
show logging ip access-list cache
Source IP Destination IP S-Port D-Port Interface Protocol Hits
10.131.100.4 10.151.89.200 59275 2256 port-channel2 (17)UDP 5
10.131.100.5 10.151.89.200 49899 2256 port-channel1 (17)UDP 5
10.131.100.3 224.0.0.102 1985 1985 port-channel1 (17)UDP 160
But we don't see this HSRP entry in the syslog server. The other two entries are visible in the syslog server.
Is there a difference between "normal" data plane traffic and traffic for the control plane for the logging point of view?
And is there a way to make also the control packets visible
Thanks,
UdoHi Udo,
What version of code are you using. Also, can you tell me in what direction are you blocking hsrp? for the other two lines that are working, are you blocking those entries or are you permitting with the log statement included, and is that acl ingress or egress?
Maybe including the two acl's used, and the interface for which these acls were configured, we can take a look in more detail. -
Nexus 5000 command/log accounting
Good afternoon gentlemen
I need to configure the same as shown below in Nexus 5000 switches. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
#IOS commands
no logging console
logging buffered 307200 informational
service timestamps log datetime localtime show-timezone
logging trap debugging
login on-failure log
login on-success log
archive
log config
logging enable
logging size 500
hidekeys
notify syslog contenttype plaintext
By now, I only found the command "show accounting log". But no way to export to a syslog server I think.
If you guys have an idea please answear
Regards
ChristianGood afternoon gentlemen
I need to configure the same as shown below in Nexus 5000 switches. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
#IOS commands
no logging console
logging buffered 307200 informational
service timestamps log datetime localtime show-timezone
logging trap debugging
login on-failure log
login on-success log
archive
log config
logging enable
logging size 500
hidekeys
notify syslog contenttype plaintext
By now, I only found the command "show accounting log". But no way to export to a syslog server I think.
If you guys have an idea please answear
Regards
Christian -
Dynamic Access Policy ACL Logging
We use dynamic access policy's with Network ACLs to restrict specifics users access to what they need over the VPN. The ACL's get applied to the users as they should for the most part working as they should. I am in the process of troubleshooting an ACL now that tied to a DAP and I cant find any way of logging the drops (or allows) from the ACL being used for DAP.
When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)? These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at that bottom of this list deny access?
Maybe you are looking for
-
Getting data into 4S from a different smart phone or Windows Outlook?
I didn't think it would be this hard. I was using a Windows mobile 6.5 smart phone syncing to Outlook in Bootcamp (or Parallels) on my MacBookPro. I assumed that I would be able to transfer all my pda data over. I went to the Apple store yesterday &
-
How to changes Object in different system
Hi All, All BW objects are owned by BWQ i want to make all the object are owned to BWD(Bcoz this is copied system). Is there any transaction i have to use.. please help me guyz. Thanks DST
-
Logic won't open the projects.
I can't get the projects to open. I am on chap. 4 of the apple tutorial and today the projects won't load. It worked fine yesterday. I trashed my preferences, that didn't help. Logic shows on the menu bar, but the projects don't open and I have to fo
-
Function of the users in Oracle10g !
Dear Friends , Would any body plz tell me in Oracle10g , what is the function of each user ? For example , OUTLN user uses for the Stored Procedure , like this , what are the other users function ? SQL> select username from dba_users; USERNAME MGMT_V
-
Load xml-data in given table (thru xsl)
hi there i have an xml-file which should be loaded into a given table, the validation is done via xsl-file until now, i was able to use an oracle warehouse builder procedure which does. since i use the same data in another database without owb, i am