Nexus 3548 ACL Logging

With "show ip access-list", IOS displays matches against each statement within the ACL and you can see counters incrementing or not, which is useful in troubleshooting. The Nexus 3548 does not display any counters with the same command!
I must be missing something, because I cannot find a logging command that will simply add hits to the output of "show IP access-list <name>" (Nexus 3548).
Is there an alternative?

After reading Cisco ACL docs I managed to configure and get ACL logging working fine on my lab 3548:
test# sh log ip access-list cache
Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
10.170.x.x    10.x.x.x        0       0         mgmt0      (6)TCP            98
Software
  BIOS:      version 1.9.0
  loader:    version N/A
  kickstart: version 6.0(2)A4(3)
  system:    version 6.0(2)A4(3)
  Power Sequencer Firmware:
             Module 1: version v2.1
  BIOS compile time:       10/13/2012
  kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
  kickstart compile time:  11/21/2014 9:00:00 [11/21/2014 19:29:20]
  system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
  system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]
Hardware
  cisco Nexus 3548 Chassis ("48x10GE Supervisor")
  Intel(R) Pentium(R) CPU  @ 1.50GHz
 with 3805876 kB of memory.
However in my other live Nexus 3548 "show log ip access-list cache" is not available from the command line with the following software version:
-n35# show log ip access-list cache
                           ^
% Invalid command at '^' marker.
Software
  BIOS:      version 1.9.0
  loader:    version N/A
  kickstart: version 6.0(2)A1(1b)
  system:    version 6.0(2)A1(1b)
  Power Sequencer Firmware:
             Module 1: version v2.1
  BIOS compile time:       10/13/2012
  kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
  kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 23:37:16]
  system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
  system compile time:     9/5/2013 14:00:00 [09/06/2013 03:25:01]
Hardware
  cisco Nexus 3548 Chassis ("48x10GE Supervisor")
I've researched the command line reference and found nothing to suggest that this OAL feature is not supported in version 6.0(2)A1(1b). Anyway, on the live 3548 I can see the statistics per-entry command under each ACL (these ACLs are not bound to any VLAN interfaces). show ip access-list shows no hits against any of the ACLs.
My 1st question: why is the OAL ACL cache not supported on my live version?
2nd question: why are there no hits when the statistics per-entry command is configured under each ACL, when I know there are thousands of hits per minute?
NB: The ip access-group in statements are applied to the interface port number, NOT the interface VLAN.
Example:
interface Ethernet1/6
  description ** hello **
  ip access-group test in
  switchport access vlan 885
  speed 1000
  no negotiate auto
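
For reviewing the cache output shown above off-box, the following is an added example (not part of the original post) that parses "show logging ip access-list cache" text, totals hits per flow and per interface, and reports expected source/destination pairs that never appear. The sample rows are constructed in the column layout from the post, and the function names are hypothetical.

```python
"""Parse 'show logging ip access-list cache' output and total the hit counters."""
import re
from collections import Counter

# Constructed sample in the column layout shown in the post above.
# Addresses are documentation-range values, except the last data row, which
# mimics the redacted "10.170.x.x" style the poster used.
SAMPLE = """\
test# show logging ip access-list cache
Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
192.0.2.10       198.51.100.5       0       0         mgmt0      (6)TCP            98
192.0.2.11       198.51.100.5       59275   2256      port-channel2 (17)UDP            5
192.0.2.11       198.51.100.5       49899   2256      port-channel1 (17)UDP            7
10.170.x.x       10.x.x.x           0       0         mgmt0      (6)TCP            3
% Invalid command at '^' marker.
"""

# Columns are whitespace separated; a long interface name can push the
# protocol column to the right, so field positions cannot be trusted.
# Addresses are matched as opaque tokens so redacted values still parse.
ROW = re.compile(
    r"^\s*(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<intf>\S+)\s+\((?P<proto_num>\d+)\)(?P<proto>\S+)\s+(?P<hits>\d+)\s*$"
)


def parse_cache(text):
    """Return one dict per cache row; prompts, headers and errors are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        entries.append({
            "src": m["src"],
            "dst": m["dst"],
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
            "intf": m["intf"],
            "proto_num": int(m["proto_num"]),
            "proto": m["proto"],
            "hits": int(m["hits"]),
        })
    return entries


def hits_by_flow(entries):
    """Total hits per (src, dst, dport, proto), ignoring the source port."""
    totals = Counter()
    for e in entries:
        totals[(e["src"], e["dst"], e["dport"], e["proto"])] += e["hits"]
    return totals


def hits_by_interface(entries):
    """Total hits per ingress interface."""
    totals = Counter()
    for e in entries:
        totals[e["intf"]] += e["hits"]
    return totals


def missing_expected(entries, expected_pairs):
    """Return the (src, dst) pairs that were expected but have no cache row."""
    seen = {(e["src"], e["dst"]) for e in entries}
    return [pair for pair in expected_pairs if pair not in seen]


if __name__ == "__main__":
    rows = parse_cache(SAMPLE)
    for flow, hits in hits_by_flow(rows).most_common():
        print(flow, hits)
    print(dict(hits_by_interface(rows)))
    print(missing_expected(rows, [("192.0.2.99", "198.51.100.5")]))
```
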

Similar Messages

  • Help with multiple nat translation on a Cisco Nexus 3548

    Hi All,
    I need a little help with a NAT configuration on a cisco Nexus 3548 version 6.0(2)A4(3).
    What I currently have is as follows:
    internal network: 192.168.4.0/24
    nexus router (routerA):
      LAN Side: vlan104 interface 192.168.4.201/24
      WAN Side: Eth1/48 interface 172.24.101.2/24
      remote network: 159.43.48.32/27
      remote gateway: 172.24.101.1/24
    use ACL's to ensure that only specific traffic is allowed out and in.
    allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
    Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
    Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
    What we really want to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
    In the past I've been able to do this with inside and outside NATs and I haven't had to configure an interface on the router for the internal address; it has just been "stood up" by the NAT rules. For example (this is how I've done it before):
    LAN interface
    ip nat outside
    WAN interface
    ip nat inside
    ip nat inside source static 159.43.65.81 192.168.4.203
    ip nat outside source static 159.43.65.81 192.168.4.203
    but, trying to implement this sort of config on the Nexus isn't working.
    I am wondering if the Nexus behaves differently than ios based routers.
    I'd appreciate any help to get this config working.
    Thanks in advance,
    Les

    Les
    The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
    So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
    If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
    So you do a ping from a 192.168.3.x client  it looks like it is working but actually the L3 device is simply responding and the packet never gets to the server.
    Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
    So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
    192.168.4.203 255.255.255.255 159.43.48.34
    this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
    What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
    So firstly see if that option is available with your NAT statement ie.
    "ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
    if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
    192.168.4.203 255.255.255.255 <next hop IP>
    note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
    Hope that makes sense.
    Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
    What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
    I suspect it would though.
    If it did work then it would still mean you didn't need to advertise the public IP internally.
    If I get the chance I'll test it later today.
    Jon

  • NEXUS 3548 with 24 Port License

    I've a 3548 box with a 24-port license. My concern is about the functionality of the remaining 24 ports. Will there be a problem with the rest of the 24 ports while in production?
    NX3548# sh inventory
    NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
    PID: N3K-C3548P-10G    , VID: V02 , SN: XXXXXXXXXX
    NAME: "Module 1", DESCR: "48x10GE Supervisor"
    PID: N3K-C3548P-10G    , VID: V02 , SN: XXXXXXXXXX
    NX3548# SH LICense usage
    Feature                      Ins  Lic   Status Expiry Date Comments
                                     Count
    24P_LIC_PKG                   Yes   -   Unused Never       -
    24P_UPG_PKG                   No    -   Unused             -
    LAN_BASE_SERVICES_PKG         Yes   -   Unused Never       -
    ALGO_BOOST_SERVICES_PKG       No    -   Unused             -
    LAN1K9_ENT_SERVICES_PKG       No    -   Unused             -
    LAN_ENTERPRISE_SERVICES_PKG   No    -   Unused             -

    Hello Dhanesh,
    thanks for your reply.
    We have 2 3548 licensed exactly as your Nexus.
    After a reboot of the two Nexus the first 4 ports (of the two) had problems (no input packets, only output packets, so unusable). There were devices connected with GLC-T, so they worked at 1 G, not 10G.
    We opened a TAC Case about this and, after remote session and many analysis, the engineer decided to replace the two devices.
    Despite this I have still some doubt.
    I found the discussion below and I post some logs of one of the Nexus, we use the 10 G not in a contiguous way.
    Thanks and regards
    https://supportforums.cisco.com/discussion/12073821/nexus-3548-24-port-license-what-ports-use
    371) Event:E_DEBUG, length:55, at 552701 usecs after Sat Mar 14 20:02:11 2015
        [825307441] Couldn't send grace period data: No route to host
    372) Event:E_DEBUG, length:58, at 255834 usecs after Sat Mar 14 19:02:57 2015
        [825307441] Couldn't fetch grace enabled status: no such pss key
    373) Event:E_DEBUG, length:55, at 819209 usecs after Sat Mar 14 19:02:18 2015
        [825307441] Couldn't send grace period data: No route to host
    374) Event:E_DEBUG, length:44, at 818664 usecs after Sat Mar 14 19:02:18 2015
        [825307441] Failed to get VDC map: no such pss key
    375) Event:E_DEBUG, length:44, at 818270 usecs after Sat Mar 14 19:02:18 2015
        [825307441] Transient read error in glob_refresh()
    376) Event:E_DEBUG, length:60, at 813122 usecs after Sat Mar 14 19:02:18 2015
        [825307441] Expiry date for feature LAN_BASE_SERVICES_PKG: 3650000
    377) Event:E_DEBUG, length:50, at 773120 usecs after Sat Mar 14 19:02:18 2015
        [825307441] Expiry date for feature 24P_LIC_PKG: 3650000
    378) Event:E_DEBUG, length:30, at 716563 usecs after Sat Mar 14 19:02:08 2015
        [825307441] checking confcheck config
    N3K-DC-1# sh int status
    Port          Name               Status    Vlan      Duplex  Speed   Type
    Eth1/1        *** FREE ***       sfpAbsent 1         full    1000    --
    Eth1/2        *** FREE ***       sfpAbsent 1         full    1000    --
    Eth1/3        *** FREE ***       sfpAbsent 1         full    1000    --
    Eth1/4        *** FREE ***       sfpAbsent 1         full    1000    --
    Eth1/5        UCS_UPLINK_FABRIC_ connected trunk     full    10G     SFP-H10GB-CU5M
    Eth1/6        UCS_UPLINK_FABRIC_ connected trunk     full    10G     SFP-H10GB-CU5M
    Eth1/7        --                 sfpAbsent 1         full    10G     --
    Eth1/8        --                 sfpAbsent 1         full    10G     --
    Eth1/9        --                 sfpAbsent 1         full    10G     --
    Eth1/10       --                 sfpAbsent 1         full    10G     --
    Eth1/11       --                 connected trunk     full    1000    1000base-T
    Eth1/12       --                 connected trunk     full    1000    1000base-T
    Eth1/13       --                 sfpAbsent 1         full    10G     --
    Eth1/14       --                 sfpAbsent 1         full    10G     --
    Eth1/15       --                 sfpAbsent 1         full    10G     --
    Eth1/16       --                 sfpAbsent 1         full    10G     --
    Eth1/17       --                 sfpAbsent 1         full    10G     --
    Eth1/18       --                 sfpAbsent 1         full    10G     --
    Eth1/19       --                 sfpAbsent 1         full    10G     --
    Eth1/20       --                 sfpAbsent 1         full    10G     --
    Eth1/21       --                 sfpAbsent 1         full    10G     --
    Eth1/22       --                 sfpAbsent 1         full    10G     --
    Eth1/23       --                 sfpAbsent 1         full    10G     --
    Eth1/24       --                 sfpAbsent 1         full    10G     --
    Eth1/25       --                 sfpAbsent 1         full    10G     --
    Eth1/26       --                 sfpAbsent 1         full    10G     --
    Eth1/27       --                 sfpAbsent 1         full    10G     --
    Eth1/28       --                 sfpAbsent 1         full    10G     --
    Eth1/29       --                 sfpAbsent 1         full    10G     --
    Eth1/30       --                 sfpAbsent 1         full    10G     --
    Eth1/31       *** FREE ***       notconnec 1         full    1000    1000base-T
    Eth1/32       --                 sfpInvali 1         full    10G     1000base-T
    Eth1/33       --                 sfpAbsent 1         full    10G     --
    Eth1/34       --                 sfpAbsent 1         full    10G     --
    Eth1/35       --                 sfpAbsent 1         full    10G     --
    Eth1/36       --                 sfpAbsent 1         full    10G     --
    Eth1/37       --                 sfpAbsent 1         full    10G     --
    Eth1/38       --                 sfpAbsent 1         full    10G     --
    Eth1/39       --                 sfpAbsent 1         full    10G     --
    Eth1/40       --                 sfpAbsent 1         full    10G     --
    Eth1/41       --                 sfpAbsent 1         full    10G     --
    Eth1/42       --                 sfpAbsent 1         full    10G     --
    Eth1/43       --                 notconnec 1         full    10G     10Gbase-SR
    Eth1/44       --                 notconnec 1         full    10G     10Gbase-SR
    Eth1/45       C3850-CORE [Port-C connected trunk     full    10G     10Gbase-SR
    Eth1/46       C3850-CORE [Port-C connected trunk     full    10G     10Gbase-SR
    Eth1/47       vPC PeerLink [Port connected trunk     full    10G     SFP-H10GB-CU3M
    Eth1/48       vPC PeerLink [Port connected trunk     full    10G     SFP-H10GB-CU3M
    Po2           C3850-CORE         connected trunk     full    10G     --
    Po3           3750-DC            connected trunk     full    a-1000  --
    Po4           UCS_UPLINK_FABRIC_ connected trunk     full    10G     --
    Po10          vPC PeerLink       connected trunk     full    10G     --
    mgmt0         --                 connected routed    full    a-1000  --

  • Nexus 3548 6.0(2)A1(1) within Prime Infrastructure 2.0

    Hi there,
    I am trying to introduce some Nexus 3548 in my Prime Infrastructure 2.0.
    For my 3048 running 6.0(2)U1(1a), no problem, they are discovered well and showing no error in the Device Work Center.
    My 3548 are unrecognised (NXOS 6 too).
    Is this an expected behaviour?
    Regards,
    Fred

    Hello,
    Take a thorough look at the release notes for this version and before. This is the only way.
    If your doubt is only about VPC and FEX features, it is totally supported, just be aware that upgrade is disruptive.
    Regards.
    Richard

  • Unable to enable sflow feature on Nexus 3548

    When I try to enable sflow via "feature sflow" command on the nexus 3548 switches running 6.0(2)A1(1C) I receive:
    Error: while enabling/disabling service: sflow, err: service not found (0x401e0005)
    Any input would be greatly appreciated.
    Thank you

    Ryan,
    Thanks for the reply... it appears to be supported on the 3000, but not the 3524, which, in my opinion is fairly stupid... I know, I know, "its an architecture thing!", but really, Cisco, you couldn't have considered that customers would want this type of visibility in this switch?? Really?!?!
    Anyway, thanks for the info... have you found a work-around or similar product that provides you similar visibility?

  • Nexus 3548 reload after Jumbo Frames

    I have a Nexus 3548... I know the Catalyst switches require a reload after enabling jumbo frames but does a Nexus require a reload?
    Also, is there a way to verify other than doing an int counter detail command?
    Thanks in advance.
    RS

    As for the verify, If I run "sh queuing int eth1/6" as per instructions I get Ambiguous command pointing to the "n" in "int"

  • Nexus 3548 temperature alarm

    Hi all,
        My name is Harry from Shanghai, China, and I have a problem with a Cisco Nexus 3548 switch: the system reloads 2 min after shutdown.
        What can I do? Please help me.
    System info
    N3548# sh inventory 
    NAME: "Chassis", DESCR: "Nexus 3548 Chassis"
    PID: N3K-C3548P-10G    , VID: V00 , SN: FOC1625R004
    NAME: "Module 1", DESCR: "48x10GE Supervisor"
    PID: N3K-C3548P-10G    , VID: V00 , SN: FOC16245CPU
    NAME: "Fan 1", DESCR: "Chassis fan module"
    PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
    NAME: "Fan 2", DESCR: "Chassis fan module"
    PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
    NAME: "Fan 3", DESCR: "Chassis fan module"
    PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
    NAME: "Fan 4", DESCR: "Chassis fan module"
    PID: NXA-FAN-30CFM-F   , VID: N/A , SN: N/A
    NAME: "Power supply 1", DESCR: "AC power supply"
    PID: N2200-PAC-400W    , VID: V04 , SN: DTN1707P1VV
    NAME: "Power supply 2", DESCR: "AC power supply"
    PID: N2200-PAC-400W    , VID: V04 , SN: DTN1707P1VS
    N3548#               
    N3548# 
    N3548# sh ser
               ^
    % Invalid command at '^' marker.
    N3548# sh version 
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
    s_home.html
    Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A4(3)
      system:    version 6.0(2)A4(3)
      Power Sequencer Firmware: 
                 Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
      kickstart compile time:  11/21/2014 9:00:00 [11/21/2014 19:29:20]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
      system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
      Intel(R) Pentium(R) CPU  @ 1.50GHz
     with 3805876 kB of memory.
      Processor Board ID FOC16245CPU
      Device name: N3548
      bootflash:    2007040 kB
    Kernel uptime is 0 day(s), 0 hour(s), 3 minute(s), 4 second(s)
    Last reset at 30232 usecs after  Fri Dec 19 21:29:56 2014
      Reason: Power down due to temperature sensor policy trigger
      System version: 6.0(2)A4(3)
      Service: 
    plugin
      Core Plugin, Ethernet Plugin
    --More--2014 Dec 19 21:28:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 105 seconds due to major temperature alarm
    2014 Dec 19 21:28:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 100 seconds due to major temperature alarm
    2014 Dec 19 21:28:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 95 seconds due to major temperature alarm
    2014 Dec 19 21:28:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 90 seconds due to major temperature alarm
    2014 Dec 19 21:28:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 85 seconds due to major temperature alarm
    2014 Dec 19 21:28:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 80 seconds due to major temperature alarm
    2014 Dec 19 21:28:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 75 seconds due to major temperature alarm
    2014 Dec 19 21:28:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 70 seconds due to major temperature alarm
    2014 Dec 19 21:28:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 65 seconds due to major temperature alarm
    2014 Dec 19 21:28:56 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 60 seconds due to major temperature alarm
    2014 Dec 19 21:29:01 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 55 seconds due to major temperature alarm
    2014 Dec 19 21:29:06 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 50 seconds due to major temperature alarm
    2014 Dec 19 21:29:11 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 45 seconds due to major temperature alarm
    2014 Dec 19 21:29:16 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 40 seconds due to major temperature alarm
    2014 Dec 19 21:29:21 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 35 seconds due to major temperature alarm
    2014 Dec 19 21:29:26 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 30 seconds due to major temperature alarm
    2014 Dec 19 21:29:31 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 25 seconds due to major temperature alarm
    2014 Dec 19 21:29:36 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 20 seconds due to major temperature alarm
    2014 Dec 19 21:29:41 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 15 seconds due to major temperature alarm
    2014 Dec 19 21:29:46 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 10 seconds due to major temperature alarm
    2014 Dec 19 21:29:51 N3548 %$ VDC-1 %$ %PFMA-0-SYS_SHUTDOWN: System shutdown in 5 seconds due to major temperature alarm

    Sangeeth,
    The first thing that you will want to verify is the physical condition of 
    the switch. The Nexus 7010 chassis used a front-to-back airflow model. See 
    the diagram below for a reference: 
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_hig_book/n7k_sys_specs.html#wp1039713 
    You will want to ensure that there is nothing blocking the intake or 
    exhaust vent of the switch. Also look at the front intake fan to see if 
    there is dust, or some other material that has accumulated that could be 
    impeding air intake. 
    Also verify if there is a device that is exhausting hot air towards the 
    intake of the switch. 
    2)
    In case you have already checked the cooling, you can give the below a try:
    Please remove and thoroughly clean the air filter located on the front of the Nexus 7010. 
    Find below the instructions for cleaning the Nexus 7010 air filter:
    Cleaning or Replacing the Air Filter for the Cisco Nexus 7010 Chassis
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_hig_book/n7k_replacing.html#wp1454429
    HTH
    Regards
    Inayat
    ***********Please rate if this info is helpful.*********

  • Nexus 3548 couldn't enable vPC feature

    Hello All,
    I have to implement 2 Nexus 3548 switches for a customer. The customer would like to use them as core switches (small LAN) and would also like to run the vPC feature. Now I have tried to activate it, but I got the following error message:
    Enter configuration commands, one per line.  End with CNTL/Z.
    chefan-swi01(config)# feature vpc
    Error: vPC feature is not supported
    Is there a way to get vPC working on this platform?
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 5.0(3)A1(1)
      system:    version 5.0(3)A1(1)
      power-seq: Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:/n3500-uk9-kickstart.5.0.3.A1.1.bin
      kickstart compile time:  11/2/2012 1:00:00 [11/02/2012 09:53:29]
      system image file is:    bootflash:/n3500-uk9.5.0.3.A1.1.bin
      system compile time:     11/2/2012 1:00:00 [11/02/2012 10:27:12]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
      Intel(R) Pentium(R) CPU  @ 1 with 4140896 kB of memory.
      Processor Board ID FOC17480ZHN
      Device name: chefan-swi01
      bootflash:    2007040 kB
    Thx a lot for any suggestions.
    Kind Regards, Ferdi

    Seems to be an error on the Nexus 3k product page.  We had a customer who purchased these for VPC support.
    http://www.cisco.com/en/US/products/ps11541/index.html
    Nexus 3500 Features
    Ultra-Low Latency
    Line-rate layer 2 and 3 switching at ultra-low latencies
    Ideal for high-performance trading workloads
    Mission-Critical Features
    Network Address Translation (NAT)
    Virtual Port Channel
    IEEE-1588 PTP

  • Thoughts on interconnecting Nexus 3548 and 3750 switches

    Hi,
    I have two nexus 3548 switches.
    I have created port-group 1  on both switches to group eth1/47 with eth1/48.
    I have 4 sfps, 2 per switch. to connect to a single 3750 that I want to group together as well.
    So I have gi1/0/31 going to eth1/1 on nexus1 and gi1/0/32 going to eth1/2 on nexus1
    I have gi1/0/33 going to eth1/1 on nexus2 and gi1/0/32 going to eth1/2 on nexus2
    When I create the port group on the 3750 do I create one group with all 4 ports or will I have to create 2, one per nexus switch?
    Thanks

    Thanks for the replies. I finally got to test the hardware and config yesterday.
    Just so I am clear. the vpc and peer to peer links are only for interconnecting the two Nexus switches. I think I got that right. sho VPC br seems to say it is up. I am using Po5
    vPC domain id : 1
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : secondary
    Number of vPCs configured : 0
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id Port Status Active vlans
    1 Po5 up 1
    Next, do I create a port channel on Nex1 and Nex2 for the two ports that connect to the 3750 (Po6 for example) or do I add the two links to the 3750s to Po5? I thought I would add them to Po5, but since I am mixing 1000 and 10G ports it doesn't seem to like it.

  • Nexus 3548 Switch doesn't recognize command " vtp mode Server / Client"

    Hi Community.
    I have a brand new Nexus 3548 switch. And I did the vtp setup:
    vtp version 2
    vtp password ******
    vtp domain *****
    Everything is OK, but if I use the command "vtp mode server" the switch doesn't know that command. It doesn't even know the "vtp mode" subcommand.
    What's the problem ?
    Best regards patrick

    The Nexus 3548 supports only Transparent mode:
    Step 5 vtp mode {transparent| off} Sets the VTP mode to transparent or off.
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/layer_2_switching/b_Cisco_N3548_Layer_2_Switching_Config_503A1.pdf
    I have no clue why.
    Patrick

  • Question about Nexus 3548 vPC setup

    Hi.
    We have just installed our two first Nexus 3548 switches in our Catalyst environment. We want to set up a vPC domain between the Nexuses, to use for connections to storage and other equipment.
    I have read the guide at http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html and tried setting it up. I created a vPC domain on both switches like this:
    nexus1:
    vpc domain 1
      role priority 2000
      system-priority 4000
      peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
    nexus2:
    vpc domain 1
      system-priority 4000
      peer-keepalive destination 192.168.105.39 source 192.168.105.40 vrf default
    The switches are connected with a port-channel consisting of 2x 10GE. The IP addresses above are the ones we use for managing the switches. When I configure the port-channel as "vpc peer-link", the vpc status looks OK:
    vPC domain id                     : 1
    Peer status                       : peer adjacency formed ok
    vPC keep-alive status             : peer is alive
    Configuration consistency status  : success
    Per-vlan consistency status       : success
    Type-2 consistency status         : success
    vPC role                          : primary
    Number of vPCs configured         : 0
    Peer Gateway                      : Disabled
    Dual-active excluded VLANs        : -
    Graceful Consistency Check        : Enabled
    Auto-recovery status              : Disabled
    vPC Peer-link status
    id   Port   Status Active vlans
    1    Po2    up     1,6,100,102,106
    The problem I have is that I lose connection to nexus2 when I bring up the vPC. I can no longer access it on its IP (192.168.105.40). I cannot ping it from nexus1 either. The Nexus switches are connected to our core switches, which are Catalyst 6509. nexus1 is connected to coreswitch1 using a portchannel of 2xGE and nexus2 is connected to coreswitch2 the same way. A spanning-tree cost has been set on the uplink from nexus2, to make spanning tree block that uplink, and allow traffic between the nexuses to go over the 2x 10GE portchannel instead of over the core switches. I have attached a drawing of this.
    Maybe I shouldn't use the management IP:s for peer keepalive? Does the peer keepalive need to be on a different physical link than the peer-link?
    Regards,
    Johan

    We are not using the management ports for management, but an ordinary Vlan Interface in the default vrf, as seen below. We can of course change that and instead use the mgmt0 port if that is the best approach.
    vrf context management
    vlan configuration 1,100
    vlan 1
    vlan 100
      name DMMgmtPriv
    vpc domain 1
      role priority 2000
      system-priority 4000
      peer-keepalive destination 192.168.105.40 source 192.168.105.39 vrf default
    interface Vlan1
    interface Vlan100
      no shutdown
      no ip redirects
      ip address 192.168.105.39/23

  • Nexus 7000 Platform Logging

    Hello,
    We recently had a power supply failure in one of our Nexus 7000s, and I noticed that the syslog for the Platform is only present in the default VDC, and not in any of the other VDCs syslogs. Is this by design, or is there a logging level I can turn up in another VDC to capture this log? Thanks for any input
    syslog from default VDC -
    2013 Mar 18 23:10:34  %PLATFORM-2-PS_CAPACITY_CHANGE: Power supply PS3 changed its capacity. possibly due to power cable removal/insertion (Serial number xxxxxxxx)
    nothing in the VDC where I would like to get the logging
    default VDC logging level -
    xxx7K02# show log level platform
    Facility        Default Severity        Current Session Severity
    platform                5                       5
    0(emergencies)          1(alerts)       2(critical)
    3(errors)               4(warnings)     5(notifications)
    6(information)          7(debugging)
    xxx7K02#
    logging from the specific VDC where we have management tools.
    xxx-LOW# show log level platform
    Facility        Default Severity        Current Session Severity
    platform                5                       5
    0(emergencies)          1(alerts)       2(critical)
    3(errors)               4(warnings)     5(notifications)
    6(information)          7(debugging)
    xxx-LOW#

    Hello Carl,
    What version of code are you running on your Nexus 7k?
    The expected behavior is:
    "When a hardware issue occurs, syslog messages are sent to all VDCs."
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/virtual_device_context/configuration/guide/vdc_mgmt.html#wp1170241
    Dave

  • N7k: ACL log

    Hello together,
    we try to log hits to ACL entries to a syslog server.
    We have an access list which blocks HSRP packets. We see them in 'show logg ip access-list cache'
    show logging ip access-list cache
    Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
    10.131.100.4     10.151.89.200      59275   2256      port-channel2 (17)UDP            5     
    10.131.100.5     10.151.89.200      49899   2256      port-channel1 (17)UDP            5     
    10.131.100.3     224.0.0.102        1985    1985      port-channel1 (17)UDP            160 
    But we don't see this HSRP entry in the syslog server. The other two entries are visible in the syslog server.
    Is there a difference between "normal" data plane traffic and traffic for the control plane for the logging point of view?
    And is there a way to make the control packets visible as well?
    Thanks,
    Udo

    Hi Udo,
    What version of code are you using.  Also, can you tell me in what direction are you blocking hsrp?  for the other two lines that are working, are you blocking those entries or are you permitting with the log statement included, and is that acl ingress or egress?
    Maybe including the two acl's used, and the interface for which these acls were configured, we can take a look in more detail.

  • Nexus 5000 command/log accounting

    Good afternoon gentlemen
    I need to configure the same as shown below in Nexus 5000 switches. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
    #IOS commands
    no logging console
    logging buffered 307200 informational
    service timestamps log datetime localtime show-timezone
    logging trap debugging
    login on-failure log
    login on-success log
    archive
       log config
          logging enable
          logging size 500
          hidekeys
          notify syslog contenttype plaintext
    By now, I only found the command "show accounting log". But no way to export to a syslog server I think.
    If you guys have an idea, please answer
    Regards
    Christian


  • Dynamic Access Policy ACL Logging

    We use dynamic access policies with Network ACLs to restrict specific users' access to what they need over the VPN. The ACLs get applied to the users as they should, for the most part working as they should. I am in the process of troubleshooting an ACL now that is tied to a DAP and I can't find any way of logging the drops (or allows) from the ACL being used for DAP.

    When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
    Also, is your default policy at that bottom of this list deny access?
