Nexus 3548 ACL Logging

Similar Messages

• Help with multiple nat translation on a Cisco Nexus 3548

  Hi All,
  I need a little help with a NAT configuration on a cisco Nexus 3548 version 6.0(2)A4(3).
  What currently have is as follows:
  internal network: 192.168.4.0/24
  nexus router (routerA):
    LAN Side: vlan104 interface 192.168.4.201/24
    WAN Side: Eth1/48 interface 172.24.101.2/24
    remote network: 159.43.48.32/27
    remote gateway: 172.24.101.1/24
  use ACL's to ensure that only specific traffic is allowed out and in.
  allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
  Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
  Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
  What we really want is to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
  In the past i've been able to do this with inside and outside nat's and i haven't had to configure an interface on the router for the internal address, it has just been "stood up" by the nat rules. For example (this is how i've done it before):
  LAN interface
  ip nat outside
  WAN interface
  ip nat inside
  ip nat inside source static159.43.65.81 192.168.4.203
  ip nat outside source static 159.43.65.81 192.168.4.203
  but, trying to implement this sort of config on the Nexus isn't working.
  I am wondering if the Nexus behaves differently than ios based routers.
  I'd appreciate any help to get this config working.
  Thanks in advance,
  Les

  Les
  The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
  So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
  If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
  So you do a ping from a 192.168.3.x client  it looks like it is working but actually the L3 device is simply responding and the packet never gets to the server.
  Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
  So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
  192.168.4.203 255.255.255.255 159.43.48.34
  this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
  What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
  So firstly see if that option is available with your NAT statement ie.
  "ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
  if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
  192.168.4.203 255.255.255.255 <next hop IP>
  note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
  Hope that makes sense.
  Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
  What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
  I suspect it would though.
  If it did work then it would still mean you didn't need to advertise the public IP internally.
  If I get the chance I'll test it later today.
  Jon

• NEXUS 3548 with 24 Port License

  Ive a 3548 box with 24port Lic,My concern is about the functionality of the remaining 24 Ports.Will there be a problem with the rest of the 24 ports while in production.
  NX3548# sh inventory
  NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
  PID: N3K-C3548P-10G    , VID: V02 , SN: XXXXXXXXXX
  NAME: "Module 1", DESCR: "48x10GE Supervisor"
  PID: N3K-C3548P-10G    , VID: V02 , SN: XXXXXXXXXX
  NX3548# SH LICense usage
  Feature                      Ins  Lic   Status Expiry Date Comments
                                   Count
  24P_LIC_PKG                   Yes   -   Unused Never       -
  24P_UPG_PKG                   No    -   Unused             -
  LAN_BASE_SERVICES_PKG         Yes   -   Unused Never       -
  ALGO_BOOST_SERVICES_PKG       No    -   Unused             -
  LAN1K9_ENT_SERVICES_PKG       No    -   Unused             -
  LAN_ENTERPRISE_SERVICES_PKG   No    -   Unused             -

  Hello Dhanesh,
  thanks for your reply.
  We have 2 3548 licensed exactly as your Nexus.
  After a reboot of the two Nexus the first 4 ports (of the two) had problems (no input packets, only ouput packets, so unusable). There was connected devices with GLC-T, so they worked at 1 G, not 10G.
  We opened a TAC Case about this and, after remote session and many analysis, the engineer decided to replace the two devices.
  Despite this I have still some doubt.
  I found the discussion below and I post some logs of one of the Nexus, we use the 10 G not in a contiguous way.
  Thanks and regards
  https://supportforums.cisco.com/discussion/12073821/nexus-3548-24-port-license-what-ports-use
  371) Event:E_DEBUG, length:55, at 552701 usecs after Sat Mar 14 20:02:11 2015
      [825307441] Couldn't send grace period data: No route to host
  372) Event:E_DEBUG, length:58, at 255834 usecs after Sat Mar 14 19:02:57 2015
      [825307441] Couldn't fetch grace enabled status: no such pss key
  373) Event:E_DEBUG, length:55, at 819209 usecs after Sat Mar 14 19:02:18 2015
      [825307441] Couldn't send grace period data: No route to host
  374) Event:E_DEBUG, length:44, at 818664 usecs after Sat Mar 14 19:02:18 2015
      [825307441] Failed to get VDC map: no such pss key
  375) Event:E_DEBUG, length:44, at 818270 usecs after Sat Mar 14 19:02:18 2015
      [825307441] Transient read error in glob_refresh()
  376) Event:E_DEBUG, length:60, at 813122 usecs after Sat Mar 14 19:02:18 2015
      [825307441] Expiry date for feature LAN_BASE_SERVICES_PKG: 3650000
  377) Event:E_DEBUG, length:50, at 773120 usecs after Sat Mar 14 19:02:18 2015
      [825307441] Expiry date for feature 24P_LIC_PKG: 3650000
  378) Event:E_DEBUG, length:30, at 716563 usecs after Sat Mar 14 19:02:08 2015
      [825307441] checking confcheck config
  N3K-DC-1# sh int status
  Port          Name               Status    Vlan      Duplex  Speed   Type
  Eth1/1        *** FREE ***       sfpAbsent 1         full    1000    --
  Eth1/2        *** FREE ***       sfpAbsent 1         full    1000    --
  Eth1/3        *** FREE ***       sfpAbsent 1         full    1000    --
  Eth1/4        *** FREE ***       sfpAbsent 1         full    1000    --
  Eth1/5        UCS_UPLINK_FABRIC_ connected trunk     full    10G     SFP-H10GB-CU5M
  Eth1/6        UCS_UPLINK_FABRIC_ connected trunk     full    10G     SFP-H10GB-CU5M
  Eth1/7        --                 sfpAbsent 1         full    10G     --
  Eth1/8        --                 sfpAbsent 1         full    10G     --
  Eth1/9        --                 sfpAbsent 1         full    10G     --
  Eth1/10       --                 sfpAbsent 1         full    10G     --
  Eth1/11       --                 connected trunk     full    1000    1000base-T
  Eth1/12       --                 connected trunk     full    1000    1000base-T
  Eth1/13       --                 sfpAbsent 1         full    10G     --
  Eth1/14       --                 sfpAbsent 1         full    10G     --
  Eth1/15       --                 sfpAbsent 1         full    10G     --
  Eth1/16       --                 sfpAbsent 1         full    10G     --
  Eth1/17       --                 sfpAbsent 1         full    10G     --
  Eth1/18       --                 sfpAbsent 1         full    10G     --
  Eth1/19       --                 sfpAbsent 1         full    10G     --
  Eth1/20       --                 sfpAbsent 1         full    10G     --
  Eth1/21       --                 sfpAbsent 1         full    10G     --
  Eth1/22       --                 sfpAbsent 1         full    10G     --
  Eth1/23       --                 sfpAbsent 1         full    10G     --
  Eth1/24       --                 sfpAbsent 1         full    10G     --
  Eth1/25       --                 sfpAbsent 1         full    10G     --
  Eth1/26       --                 sfpAbsent 1         full    10G     --
  Eth1/27       --                 sfpAbsent 1         full    10G     --
  Eth1/28       --                 sfpAbsent 1         full    10G     --
  Eth1/29       --                 sfpAbsent 1         full    10G     --
  Eth1/30       --                 sfpAbsent 1         full    10G     --
  Eth1/31       *** FREE ***       notconnec 1         full    1000    1000base-T
  Eth1/32       --                 sfpInvali 1         full    10G     1000base-T
  Eth1/33       --                 sfpAbsent 1         full    10G     --
  Eth1/34       --                 sfpAbsent 1         full    10G     --
  Eth1/35       --                 sfpAbsent 1         full    10G     --
  Eth1/36       --                 sfpAbsent 1         full    10G     --
  Eth1/37       --                 sfpAbsent 1         full    10G     --
  Eth1/38       --                 sfpAbsent 1         full    10G     --
  Eth1/39       --                 sfpAbsent 1         full    10G     --
  Eth1/40       --                 sfpAbsent 1         full    10G     --
  Eth1/41       --                 sfpAbsent 1         full    10G     --
  Eth1/42       --                 sfpAbsent 1         full    10G     --
  Eth1/43       --                 notconnec 1         full    10G     10Gbase-SR
  Eth1/44       --                 notconnec 1         full    10G     10Gbase-SR
  Eth1/45       C3850-CORE [Port-C connected trunk     full    10G     10Gbase-SR
  Eth1/46       C3850-CORE [Port-C connected trunk     full    10G     10Gbase-SR
  Eth1/47       vPC PeerLink [Port connected trunk     full    10G     SFP-H10GB-CU3M
  Eth1/48       vPC PeerLink [Port connected trunk     full    10G     SFP-H10GB-CU3M
  Po2           C3850-CORE         connected trunk     full    10G     --
  Po3           3750-DC            connected trunk     full    a-1000  --
  Po4           UCS_UPLINK_FABRIC_ connected trunk     full    10G     --
  Po10          vPC PeerLink       connected trunk     full    10G     --
  mgmt0         --                 connected routed    full    a-1000  --

• Nexus 3548 6.0(2)A1(1) within Prime Infrastructure 2.0

  Hi there,
  I am trying to introduce some Nexus 3548 in my Prime Infrastructure 2.0.
  For my 3048 running 6.0(2)U1(1a), no problem, they are discovered well and showing no error in the Device Work Center.
  My 3548 are unrecognised (NXOS 6 too).
  Is this an expected bahaviour ?
  Regards,
  Fred

  Hello,
  Take a thorough look at realease notes for this version and before. This is the only way.
  If your doubt is only about VPC and FEX features, it is totally supported, just be aware that upgrade is disruptive.
  Regards.
  Richard

• Unable to enable sflow feature on Nexus 3548

  When I try to enable sflow via "feature sflow" command on the nexus 3548 switches running 6.0(2)A1(1C) I receive:
  Error: while enabling/disabling service: sflow, err: service not found (0x401e0005)
  Any input would be greatly appreciated.
  Thank you

  Ryan,
  Thanks for the reply... it appears to be supported on the 3000, but not the 3524, which, in my opinion is fairly stupid... I know, I know, "its an architecture thing!", but really, Cisco, you couldn't have considered that customers would want this type of visibility in this switch?? Really?!?!
  Anyway, thanks for the info... have you found a work-around or similar product that provides you similar visibility?

• Nexus 3548 reload after Jumbo Frames

  I have a Nexus 3548... I know the Catalyst switches require a reload after enabling jumbo frames but does a Nexus require a reload?
  Also, is there a way to verify other then doing a int counter detail command?
  Thanks in advance.
  RS

  As for the verify, If I run "sh queuing int eth1/6" as per instructions I get Ambiguous command pointing to the "n" in "int"

• Nexus 3548 temperature alarm

  Hi all,
      My name is Harry from China shanghai and  I have a trouble in Cisco Nexus 3548 switch  the system reload at 2 min after shutdown .
      How can i do it please help me.
  System info
  N3548# sh inventory 
  NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
  PID: N3K-C3548P-10G    , VID: V00 , SN: FOC1625R004
  NAME: "Module 1", DESCR: "48x10GE Supervisor"
  PID: N3K-C3548P-10G    , VID: V00 , SN: FOC16245CPU
  NAME: "Fan 1", DESCR: "Chassis fan module"
  PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
  NAME: "Fan 2", DESCR: "Chassis fan module"
  PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
  NAME: "Fan 3", DESCR: "Chassis fan module"
  PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
  NAME: "Fan 4", DESCR: "Chassis fan module"
  PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
  NAME: "Power supply 1", DESCR: "AC power supply"
  PID: N2200-PAC-400W    , VID: V04 , SN: DTN1707P1VV
  NAME: "Power supply 2", DESCR: "AC power supply"
  PID: N2200-PAC-400W    , VID: V04 , SN: DTN1707P1VS
  N3548#               
  N3548# 
  N3548# sh ser
             ^
  % Invalid command at '^' marker.
  N3548# sh version 
  Cisco Nexus Operating System (NX-OS) Software
  TAC support: http://www.cisco.com/tac
  Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
  s_home.html
  Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
    BIOS:      version 1.9.0
    loader:    version N/A
    kickstart: version 6.0(2)A4(3)
    system:    version 6.0(2)A4(3)
    Power Sequencer Firmware: 
               Module 1: version v2.1
    BIOS compile time:       10/13/2012
    kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
    kickstart compile time:  11/21/2014 9:00:00 [11/21/2014 19:29:20]
    system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
    system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]
  Hardware
    cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    Intel(R) Pentium(R) CPU  @ 1.50GHz
   with 3805876 kB of memory.
    Processor Board ID FOC16245CPU
    Device name: N3548
    bootflash:    2007040 kB
  Kernel uptime is 0 day(s), 0 hour(s), 3 minute(s), 4 second(s)
  Last reset at 30232 usecs after  Fri Dec 19 21:29:56 2014
    Reason: Power down due to temperature sensor policy trigger
    System version: 6.0(2)A4(3)
    Service: 
  plugin
    Core Plugin, Ethernet Plugin
  --More--2014 Dec 19 21:28:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 105 seconds due to major temperature alarm
  2014 Dec 19 21:28:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 100 seconds due to major temperature alarm
  2014 Dec 19 21:28:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 95 seconds due to major temperature alarm
  2014 Dec 19 21:28:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 90 seconds due to major temperature alarm
  2014 Dec 19 21:28:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 85 seconds due to major temperature alarm
  2014 Dec 19 21:28:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 80 seconds due to major temperature alarm
  2014 Dec 19 21:28:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 75 seconds due to major temperature alarm
  2014 Dec 19 21:28:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 70 seconds due to major temperature alarm
  2014 Dec 19 21:28:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 65 seconds due to major temperature alarm
  2014 Dec 19 21:28:56 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 60 seconds due to major temperature alarm
  2014 Dec 19 21:29:01 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 55 seconds due to major temperature alarm
  2014 Dec 19 21:29:06 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 50 seconds due to major temperature alarm
  2014 Dec 19 21:29:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 45 seconds due to major temperature alarm
  2014 Dec 19 21:29:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 40 seconds due to major temperature alarm
  2014 Dec 19 21:29:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 35 seconds due to major temperature alarm
  2014 Dec 19 21:29:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 30 seconds due to major temperature alarm
  2014 Dec 19 21:29:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 25 seconds due to major temperature alarm
  2014 Dec 19 21:29:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 20 seconds due to major temperature alarm
  2014 Dec 19 21:29:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 15 seconds due to major temperature alarm
  2014 Dec 19 21:29:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 10 seconds due to major temperature alarm
  2014 Dec 19 21:29:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 5 seconds due to major temperature alarm

  Sangeeth,
  The first thing that you will want to verify is the physical condition of 
  the switch. The Nexus 7010 chassis used a front-to-back airflow model. see 
  the diagram below for a reference: 
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n
  7k_hig_book/n7k_sys_specs.html#wp1039713 
  You will want to ensure that there is nothing blocking the intake or 
  exhaust vent of the switch. Also look at the front intake fan to see if 
  there is dust, or some other material that has accumulated that could be 
  impeding air intake. 
  Also verify if there is a device that is exhausting hot air towards the 
  intake of the switch. 
  2)
  In case if you already checked the colling you can give the below try:-
  Please remove and thoroughly clean the air filter located on the front of the Nexus 7010. 
  Find below the instructions for cleaning the Nexus 7010 air filter:
  Cleaning or Replacing the Air Filter for the Cisco Nexus 7010 Chassis
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n
  7k_hig_book/n7k_replacing.html#wp1454429
  HTH
  Regards
  Inayat
  ***********Please rate if this info is helpfull.*********

• Nexus 3548 couldn`t enable vPC feature

  Hello All,
  I have to implement to 2 Nexus 3548 switches for a customer. The customer like to use it as core-switch (small LAN) and also like to run VPC feature. Now I have tried to active it, but I got the follow error message:
  Enter configuration commands, one per line.  End with CNTL/Z.
  chefan-swi01(config)# feature vpc
  Error: vPC feature is not supported
  Is their a way to get VPC working on these plattform?
  Software
    BIOS:      version 1.9.0
    loader:    version N/A
    kickstart: version 5.0(3)A1(1)
    system:    version 5.0(3)A1(1)
    power-seq: Module 1: version v2.1
    BIOS compile time:       10/13/2012
    kickstart image file is: bootflash:/n3500-uk9-kickstart.5.0.3.A1.1.bin
    kickstart compile time:  11/2/2012 1:00:00 [11/02/2012 09:53:29]
    system image file is:    bootflash:/n3500-uk9.5.0.3.A1.1.bin
    system compile time:     11/2/2012 1:00:00 [11/02/2012 10:27:12]
  Hardware
    cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    Intel(R) Pentium(R) CPU  @ 1 with 4140896 kB of memory.
    Processor Board ID FOC17480ZHN
    Device name: chefan-swi01
    bootflash:    2007040 kB
  Thx a lot for any suggestions.
  Kind Regards, Ferdi

  Seems to be an error on the Nexus 3k product page.  We had a customer who purchased these for VPC support.
  http://www.cisco.com/en/US/products/ps11541/index.html
  Nexus 3500 Features
  Ultra-Low Latency
  Line-rate layer 2 and 3 switching at ultra-low latencies
  Ideal for high-performance trading workloads
  Mission-Critical Features
  Network Address Translation (NAT)
  Virtual Port Channel
  IEEE-1588 PTP

• Thoughs on interconnecting Nexus 3548 and 3750 switches

  Hi,
  I have two nexus 3548 switches.
  I have created port-group 1  on both switches to group eth1/47 with eth1/48.
  I have 4 sfps, 2 per switch. to connect to a single 3750 that I want to group together as well.
  So I have gi1/0/31 going to eth1/1 on nexus1 and gi1/0/32 going to eth1/2 on nexus1
  I have gi1/0/33 goin to eth1/1 on nexus2 and gi1/0/32 goin to eth1/2 on nexus2
  When I create the port group on the 3750 do I create one group with all 4 ports or will I have to create 2, one per nexus switch?
  Thanks

  Thanks for the replies. I finally got to test the hardware and config yesterday.
  Just so I am clear. the vpc and peer to peer links are only for interconnecting the two Nexus switches. I think I got that right. sho VPC br seems to say it is up. I am using Po5
  vPC domain id : 1
  Peer status : peer adjacency formed ok
  vPC keep-alive status : peer is alive
  Configuration consistency status : success
  Per-vlan consistency status : success
  Type-2 consistency status : success
  vPC role : secondary
  Number of vPCs configured : 0
  Peer Gateway : Disabled
  Dual-active excluded VLANs : -
  Graceful Consistency Check : Enabled
  Auto-recovery status : Disabled
  vPC Peer-link status
  id Port Status Active vlans
  1 Po5 up 1
  Next do I create a port channel on Nex1 and Nex2 for the two ports that connect to the 3750 (Po6 for example) or do I add the two links to the 3750s to Po5 ? I thought I add them to Po 5 but since I am mixing 1000 and 10G ports it doesnt seem to like it.

• Nexus 3548 Switch doesn't recognize command " vtp mode Server / Client"

  Hi Community.
  I have a brand new Nexus 3548 switch. And I did the vtp setup:
  vtp version 2
  vtp password ******
  vtp domain *****
  Every thing is ok, but If I use the command "vtp mode server" the switch doesn't know that command. Even it doesn't know the "vtp mode" subcommand?
  What's the problem ?
  Best regards patrick

  The Nexus 3548 supports only Transparent mode:
  Step 5 vtp mode {transparent| off} Sets the VTP mode to transparent or off.
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/layer_2_switching/b_Cisco_N3548_Layer_2_Switching_Config_503A1.pdf
  I have no clue why.
  Patrick

• Question about Nexus 3548 vPC setup

  Hi.
  We have just installed our two first Nexus 3548 switches in our Catalyst environment. We want to set up a vPC domain between the Nexuses, to use for connections to storage and other equipment.
  I have read the guide at http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html and tried setting it up. I created a vPC domain on both switches like this:
  nexus1:
  vpc domain 1
    role priority 2000
    system-priority 4000
    peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
  nexus2:
  vpc domain 1
    system-priority 4000
    peer-keepalive destination 192.168.105.39 source 192.168.105.40 vrf default
  The switches are connected with a port-channel consisting of 2x 10GE. The IP addresses above are the ones we use for managing the switches. When I configure the port-channel as "vpc peer-link", the vpc status looks OK:
  vPC domain id                     : 1
  Peer status                       : peer adjacency formed ok
  vPC keep-alive status             : peer is alive
  Configuration consistency status  : success
  Per-vlan consistency status       : success
  Type-2 consistency status         : success
  vPC role                          : primary
  Number of vPCs configured         : 0
  Peer Gateway                      : Disabled
  Dual-active excluded VLANs        : -
  Graceful Consistency Check        : Enabled
  Auto-recovery status              : Disabled
  vPC Peer-link status
  id   Port   Status Active vlans
  1    Po2    up     1,6,100,102,106
  The problem I have is that I lose connection to nexus2 when I bring up the vPC. I can no longer access it on its IP (192.168.105.40). I cannot ping it from nexus1 either. The Nexus switches are connected to our core switches, which are Catalyst 6509. nexus1 is connected to coreswitch1 using a portchannel of 2xGE and nexus2 is connected to coreswitch2 the same way. A spanning-tree cost has been set on the uplink from nexus2, to make spanning tree block that uplink, and allow traffic between the nexuses to go over the 2x 10GE portchannel instead of over the core switches. I have attached a drawing of this.
  Maybe I shouldn't use the management IP:s for peer keepalive? Does the peer keepalive need to be on a different physical link than the peer-link?
  Regards,
  Johan

  We are not using the management ports for management, but an ordinary Vlan Interface in the default vrf, as seen below. We can of course change that and instead use the mgmt0 port if that is the best approach.
  vrf context management
  vlan configuration 1,100
  vlan 1
  vlan 100
    name DMMgmtPriv
  vpc domain 1
    role priority 2000
    system-priority 4000
    peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
  interface Vlan1
  interface Vlan100
    no shutdown
    no ip redirects
    ip address 192.168.105.39/23

• Nexus 7000 Platform Logging

  Hello,
  We recently had a power supply failure in one of our Nexus 7000s, and I noticed that the syslog for the Platform is only present in the default VDC, and not in any of the other VDCs syslogs. Is this by design, or is there a logging level I can turn up in another VDC to capture this log? Thanks for any input
  syslog from default VDC -
  2013 Mar 18 23:10:34  %PLATFORM-2-PS_CAPACITY_CHANGE: Power supply PS3 changed i
  ts capacity. possibly due to power cable removal/insertion (Serial number xxxxxxxx)
  nothing in the VDC where I would like to get the logging
  default VDC logging level -
  xxx7K02# show log level platform
  Facility        Default Severity        Current Session Severity
  platform                5                       5
  0(emergencies)          1(alerts)       2(critical)
  3(errors)               4(warnings)     5(notifications)
  6(information)          7(debugging)
  xxx7K02#
  loggging from the specific VDC where we have management tools.
  xxx-LOW# show log level platform
  Facility        Default Severity        Current Session Severity
  platform                5                       5
  0(emergencies)          1(alerts)       2(critical)
  3(errors)               4(warnings)     5(notifications)
  6(information)          7(debugging)
  xxx-LOW#

  Hello Carl,
  What version of code are you running on your Nexus 7k?
  The expected behavior is:
  "When a hardware issue occurs, syslog messages are sent to all VDCs."
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/virtual_device_context/configuration/guide/vdc_mgmt.html#wp1170241
  Dave

• N7k: ACL log

  Hello together,
  we try to log hits to ACL entries to a syslog server.
  We have an access list which blocks HSRP packets. We seen them in 'show logg ip access-list cache'
  show logging ip access-list cache
  Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
  10.131.100.4     10.151.89.200      59275   2256      port-channel2 (17)UDP            5     
  10.131.100.5     10.151.89.200      49899   2256      port-channel1 (17)UDP            5     
  10.131.100.3     224.0.0.102        1985    1985      port-channel1 (17)UDP            160 
  But we don't see this HSRP entry in the syslog server. The other two entries are visible in the syslog server.
  Is there a difference between "normal" data plane traffic and traffic for the control plane for the logging point of view?
  And is there a way to make also the control packets visible
  Thanks,
  Udo

  Hi Udo,
  What version of code are you using.  Also, can you tell me in what direction are you blocking hsrp?  for the other two lines that are working, are you blocking those entries or are you permitting with the log statement included, and is that acl ingress or egress?
  Maybe including the two acl's used, and the interface for which these acls were configured, we can take a look in more detail.

• Nexus 5000 command/log accounting

  Good afternoon gentlemen
  I need to configure the same as shown below in Nexus 5000 switches. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
  #IOS commands
  no logging console
  logging buffered 307200 informational
  service timestamps log datetime localtime show-timezone
  logging trap debugging
  login on-failure log
  login on-success log
  archive
     log config
        logging enable
        logging size 500
        hidekeys
        notify syslog contenttype plaintext
  By now, I only found the command "show accounting log". But no way to export to a syslog server I think.
  If you guys have an idea please answear
  Regards
  Christian

  Good afternoon gentlemen
  I need to configure the same as shown below in Nexus 5000 switches. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
  #IOS commands
  no logging console
  logging buffered 307200 informational
  service timestamps log datetime localtime show-timezone
  logging trap debugging
  login on-failure log
  login on-success log
  archive
     log config
        logging enable
        logging size 500
        hidekeys
        notify syslog contenttype plaintext
  By now, I only found the command "show accounting log". But no way to export to a syslog server I think.
  If you guys have an idea please answear
  Regards
  Christian

• Dynamic Access Policy ACL Logging

  We use dynamic access policy's with Network ACLs to restrict specifics users access to what they need over the VPN. The ACL's get applied to the users as they should for the most part working as they should. I am in the process of troubleshooting an ACL now that tied to a DAP and I cant find any way of logging the drops (or allows) from the ACL being used for DAP.

  When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
  Also, is your default policy at that bottom of this list deny access?