Nexus 5548 acl in config sync

Hello, I have the following problem. When configuring an IP ACL in config-sync mode I get the following message: "Error: Cannot configure acl rule without seq no." Is this a bug or a feature? I'm running 5.1(3)N1(1).

Sounds more like a bug. I see a bug being filed on it internally (not customer viewable yet): CSCtz27923. I will make it customer viewable shortly.
Thanks, Vinayak
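For reference, this is the shape of an NX-OS IP ACL written with explicit sequence numbers, which is what the error message refers to. It is an added example, not configuration from the original post or from Cisco; the profile name, ACL name and addresses are made up, and whether numbered entries avoid the error under config-sync is not confirmed in the thread.

```text
! Added example, not from the thread. Names and addresses are made up.
! Entering config-sync mode and the switch profile (profile name assumed).
config sync
switch-profile S1-S2
  ! Every rule carries an explicit sequence number (10, 20, 30 ...),
  ! which is the form "Cannot configure acl rule without seq no." asks for.
  ip access-list MGMT-IN
    10 permit tcp 192.0.2.0/24 any eq 22
    20 permit udp 192.0.2.10/32 any eq 161
    30 deny ip any any log
  verify
  commit

! For comparison, the same ACL in plain configuration terminal mode,
! where NX-OS assigns sequence numbers in steps of 10 when they are omitted.
configure terminal
  ip access-list MGMT-IN
    permit tcp 192.0.2.0/24 any eq 22
    permit udp 192.0.2.10/32 any eq 161
    deny ip any any log
```

`verify` and `commit` are the switch-profile commands that check the buffered configuration against the peer and then push it; `show switch-profile status` shows whether the commit reached the peer.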

Similar Messages

  • Nexus 5548 reboots after config change

    Hi all,
    A customer configured his Nexus 5000 with the basic configuration. This also includes SSH (generating a certificate).
    After that the switch reboots all the time.
    I would like to test it tomorrow without the startup config. Is it possible to reboot the N5K without the startup config? And is there also a ROM mode? I didn't find any docs on Cisco...
    Thanks
    Udo

    Are you using the "ip arp synchronize", "peer-gateway" and "peer-switch" features? Those all help mitigate aspects of traffic flow that could be related to what you're seeing.

  • 5548 Config Sync issue - Suspended by vPC

    I have 2 UCS 6120 fabric interconnects which both have VPCs to 2 x 5548s.  First fabric interconnect uses Po260 & vPC 260 and second fabric interconnect uses Po261 & vPC 261.  I used config sync to add "spanning-tree port type edge trunk" to int po 260 & 261.  The commit worked properly, peers are in sync, etc.  The problem is when I committed the command, int po 260 & 261 on the secondary 5548 went into "suspended by vPC".  I can't figure out why they did this, the configurations are the same and all vPC consistency checks pass.  To fix the issue, all I had to do was bounce the port-channel on the secondary 5548 (shut/no shut) after which it came back online.  I only did this to Po260 so Po261 is still down so that I can troubleshoot further.  Please see below:
    vPC domain id                     : 70 
    Peer status                       : peer adjacency formed ok     
    vPC keep-alive status             : peer is alive                
    Configuration consistency status  : success
    Per-vlan consistency status       : success                      
    Type-2 consistency status         : success
    vPC role                          : secondary                    
    Number of vPCs configured         : 7  
    Peer Gateway                      : Disabled
    Dual-active excluded VLANs        : -
    Graceful Consistency Check        : Enabled
    Auto-recovery status              : Disabled
    vPC Peer-link status
    id   Port   Status Active vlans   
    1    Po255  up     1,10-13,26-29,151-156,180-181,200,318,331,399-417,       
                       419-422,424-431,433-436,438-443,446-448,450,452-45       
                       3,455-458,460-465,467-471,480-494,498-499,503,602-       
                       633,644-657,659,663-664,698-701,800,805,850-851,89       
                       0-891,899-904,906,908,912-950,952-958,975,987-988,    ....
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    171    Po171       up     success     success                    1,10-13,26-
                                                                     29,151-156,
                                                                     180-181,200
                                                                     ,318,331,39
                                                                     9-417,41....
    260    Po260       up     success     success                    10-13,26-29
                                                                     ,663-664,89
                                                                     0-891      
    261    Po261       down*  success     success                    -
    sh int po 261
    port-channel261 is down (suspended by vpc)
    Any help would be appreciated

    Yes, I did check that and all parameters match as follows:
    5548-2# sh vpc consistency-parameters int po 261
        Legend:
            Type 1 : vPC will be suspended in case of mismatch
    Name                        Type  Local Value            Peer Value            
    Shut Lan                    1     No                     No                   
    STP Port Type               1     Edge Trunk Port        Edge Trunk Port      
    STP Port Guard              1     None                   None                 
    STP MST Simulate PVST       1     Default                Default              
    lag-id                      1     [(7f9b,                [(7f9b,              
                                      0-23-4-ee-be-46, 8105, 0-23-4-ee-be-46, 8105,
                                       0, 0), (8000,          0, 0), (8000,       
                                      0-5-73-d4-d5-fc, 1, 0, 0-5-73-d4-d5-fc, 1, 0,
                                       0)]                    0)]                 
    mode                        1     active                 active               
    Speed                       1     10 Gb/s                10 Gb/s              
    Duplex                      1     full                   full                 
    Port Mode                   1     trunk                  trunk                
    Native Vlan                 1     10                     10                   
    MTU                         1     1500                   1500                 
    Admin port mode             1                                                 
    Allowed VLANs               -     10-13,26-29,663-664,89 10-13,26-29,663-664,89
                                      0-891                  0-891                
    Local suspended VLANs       -     -                      -      

  • Config-sync on Nexus 7k?

    I'm using configuration synchronization on my Nexus 5k pair.  But I've got a couple of Nexus 7k switches on the horizon.
    But I can't seem to find anything about config-sync being supported on the 7k platform. Is anyone using config-sync on the Nexus 7k platform?
    Thanks.

    I don't think this is a supported feature on the Nexus 7000's.
    HTH,
    Manny.

  • Nexus 5595 7.0(5)N1(1) - Config Sync / CFS Issue

    Hello,
    Posting this fix as it may help anyone facing the same issue.
    We recently installed 2 x Nexus 5596 into our DC with the management connections running across 6500 VSS switches. We have the same setup in another DC and all worked fine. However, with the new installation we upgraded to 7.0(5)N1(1) and hit a problem with the config-sync not working across the mgmt0 interfaces. However, the peer was reachable over mgmt0 as vPC was up and we could ping / SSH no problem.
    We also have the necessary ‘cfs ipv4 distribute’ enabled.  Output of issue below:
    switch-profile  : Tcprofile
    Peer-IP-address            : 192.168.1.28
    Peer-sync-status           : Not yet merged
    Merge Flags: pending_merge:1 rcv_merge:0 pending_validate:0
    Peer-status                : Peer not reachable
    We tried various things such as removing the ‘cfs ipv4 distribute’ and re-enabling it, but this didn't fix the problem. So we spoke to a Cisco engineer who suggested the 6500 could be blocking multicast and therefore stopping CFS traffic across our management Vlan. Apparently there have been some changes to CFS in the latest NXOS.
    So the fix was simple in the end.  We just enabled PIM on our 6500 SVI and Config Sync sprang into life.  See below:
    interface vlan x
    description Management Vlan
    ip pim sparse-dense-mode
    Hope this helps

    Hi, I have upgraded from 5.2.1.N1.4 to 7.1.0.N1.1b.
    There were many bugs.
    I found that, according to Cisco's official documentation, we can't upgrade to 7.1.0 from NX-OS prior to 7.0.
    So I upgraded to 7.0.5N1.1 first and then to 7.1.0N1.1b.
    As a result, some parts of the startup-config, such as the logging server, were lost.
    I'm going to try the upgrade with the same process a few times.
    Sincerely

  • Nexus 5K Config-Sync : Things to look out for

    I've looked through the Cisco config guides for setting up config sync and have successfully used it to configure dual-homed FEX ports.
    Is there anything I should be aware of that can cause issues?
    I enabled config sync on an existing pair of 5Ks.  In other words, the 5Ks already have existing configurations on them before I enabled config sync.

    Hi,
    According to this link, you still have to configure the single port in the switch profile. Config sync is used when your devices are connected to both 5ks, so you don't have to configure the same thing twice. If your device is going to be singly attached, there is no need for config sync.
    Guidelines and Limitations
    The guidelines for configuration synchronization are as follows:
    • You must configure the following interfaces in a switch profile:
      – Port-channel interfaces
      – Ports that are not channel-group members
    • You must configure all port-channel members outside the switch profile in configuration terminal mode.
    • You must follow configurations in a specified order.
    • Depending on the type of vPC topology (active/active or straight-through) and the type of configuration that is needed (port channel, nonport channel, FEX, QoS, and so on), you must use the switch profile mode or the configuration terminal mode. See the "At-A-Glance Configuration Modes" section to identify what mode is used for different types of configurations.
    Configuration synchronization has the following configuration limitations:
    • FCoE in vPC Topologies—FCoE configurations are not supported in switch profiles because configurations are typically different on peer switches. If you enable FCoE on a vPC peer switch, you must not configure the port channel in the switch profile.
    • Feature Commands—The "feature feature-name" commands that enable a conditional feature are not supported in switch profiles. You should independently configure these commands on each peer switch in configuration terminal mode.
    • Configuration Rollback and Conditional Features—With configuration synchronization, when a conditional feature is present in a checkpoint and not in the running configuration, a configuration rollback to that checkpoint fails. The workaround is to reconfigure the conditional feature ("feature xyz") before the configuration rollback is executed. This workaround also applies to the vpc domain command and the peer-keepalive command in vpc-domain mode.
    link:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_config_sync_ops.html#wp1035414
    HTH
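    Putting the quoted guidelines into one concrete layout, as an added example that is neither the poster's nor Cisco's configuration: the profile name S1-S2, peer address 10.0.0.2, port-channel 260, VLAN list and interface Ethernet1/1 are made up, and the vPC domain and peer-link are assumed to exist already. The split follows the rules above: feature commands and channel-group members in configuration terminal mode on each switch, the port-channel interface itself in the switch profile.

    ```text
    ! Added example; names, numbers and addresses are made up.
    ! Step 1 (each peer separately, configuration terminal mode):
    ! conditional features are not supported inside a switch profile.
    configure terminal
      feature lacp
      feature vpc
      cfs ipv4 distribute

    ! Step 2 (one peer, config-sync mode): the port-channel interface
    ! belongs in the switch profile so both peers receive the same
    ! configuration in one commit.
    config sync
    switch-profile S1-S2
      sync-peers destination 10.0.0.2
      interface port-channel 260
        switchport mode trunk
        switchport trunk allowed vlan 10-13,26-29
        spanning-tree port type edge trunk
        vpc 260
      verify
      commit

    ! Step 3 (each peer separately, configuration terminal mode):
    ! port-channel members stay outside the switch profile.
    configure terminal
      interface Ethernet1/1
        channel-group 260 mode active
        no shutdown

    ! Check that the peers agree, and that nothing is left uncommitted.
    show switch-profile status
    show switch-profile buffer
    ```

    Keeping the member ports out of the profile matters because the two peers usually use different physical ports for the same port-channel; a committed profile that named a port only one side has would fail on the peer.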

  • Nexus 5548 not responding to snmp

    I've got a Nexus 5548 running 6.0(2)N2(3).  It does not use the mgmt interface or management vrf.  It's using a vlan interface for all my management access.
    I have a simple snmp config set up:
    snmp-server community mystring
    My SNMP server is directly connected (no firewalls, no acls).  I can ping my nexus from the SNMP host, but can't get SNMP replies.
    I've done an SNMP debug, nothing happens when I run an snmpwalk.  I also checked show snmp, and it's showing no SNMP input packets.  
    Could this have something to do with trying to use the management vrf?  Or something simple I'm missing?  
    Thanks

    Ha wow -- "sh run snmp" pointed me to the problem. There was a command:
    no snmp-server protocol enable
    That must be a default, I never entered that.  Anyway a 'snmp-server protocol enable' fixed it.  I should have caught that.  Although an hour with TAC also didn't notice it hehe.
    Thanks!
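    As an added example (not the poster's configuration): the same community with `snmp-server protocol enable` made explicit and the community restricted to the SNMP host through an ACL. The ACL name and host address are made up; `use-acl` is the NX-OS keyword that binds an ACL to a community string.

    ```text
    ! Added example, not from the thread. Names and addresses are made up.
    configure terminal
      ! The agent must be enabled; the poster's running config contained
      ! "no snmp-server protocol enable", which drops every poll without
      ! any debug output or input counter increment.
      snmp-server protocol enable

      ! Only the SNMP host (192.0.2.50 here) may use the community.
      ip access-list SNMP-HOSTS
        10 permit ip 192.0.2.50/32 any
        20 deny ip any any

      ! Read-only community, bound to the ACL.
      snmp-server community mystring group network-operator
      snmp-server community mystring use-acl SNMP-HOSTS

    ! Verify: the community lines and the SNMP input packet counters.
    show running-config snmp
    show snmp
    ```

    `show running-config snmp` is the view that exposed the stray `no snmp-server protocol enable` in the thread; checking it before opening a case saves the hour with TAC.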

  • Telephony Issues on Nexus 5548

    Dear Viewers,
    I have Nexus 5548 devices in one of my client data centers and I have one 3750 switch to which all of these Avaya voice servers connect.
    The 3750 switch was initially connected through a L2 link to a 6509 Catalyst switch and the telephony applications were working correctly.
    The problem arises when I move this 3750 layer 2 link to a Nexus 5548 (OS version 5.1(3)N1) switch. All telephony calls coming from the outside (external calls) are not working as required but the internal calls work as usual.
    What is odd is that when I migrate this L2 link back to the 6509 switch, all works as usual. This is just a layer 2 connection and I am wondering why this is not possible.
    The vlan is accepted on all relevant trunks. I also deactivated IGMP snooping on this voice vlan on the Nexus 5548 thinking it would help, but in vain.
    Any ideas and suggestions are welcome.
    regards.
    Alain

    This is my RADIUS config on a 5K:
    radius-server timeout 7
    radius-server host 10.28.42.20 key 7 "Password" auth-port 1645 acct-port 1646 authentication accounting
    radius-server host 10.28.42.21 key 7 "Password" auth-port 1645 acct-port 1646 authentication accounting
    aaa group server radius Radius-Servers
     server 10.28.42.20
     server 10.28.42.21
    aaa authentication login default group Radius-Servers
    ip radius source-interface Vlan1
    aaa authentication login default fallback error local
    And it is currently working. On the RADIUS server I also had to do this to make the users admins once logged in:
    https://supportforums.cisco.com/document/137181/nexus-integration-admin-access-free-radius

  • TACACS Nexus 5548 Authorization

    I am having an issue with authorization on the Nexus 5548. Note: The tacacs configuration has and still works correctly with all non-Nexus gear.
    Authentication succeeds, and initial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name> are configured.
    ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with the Access Policy.
    Any help would be greatly appreciated.

    Hello,
    Hope the attached document points you into the right direction.
    Regards.

  • EEM on Nexus 5548

    Hi all,
    I'm new to EEM and we are investigating using it to solve some issues that we are having. However, I can't seem to find any definitive information which tells me whether EEM is available in the Nexus 5548 switches. Can anyone here help to confirm if this is the case? If not yet available for the 5548s, are there any indications as to when it might become available?
    thanks,
    Ram

    Might want to try the 6.0(2)N1(2) and later code.  I have it loaded on a N6004 and EEM is available there.  It is of course the NX-OS flavor of EEM but it is there. 
    N6K-Switch# show ver | grep 'System version'
      System version: 6.0(2)N1(2)
    N6K-Switch# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    N6K-Switch(config)# event manager ?
      applet       Create/Modify an Event Manager Policy
      environment  Configure an environment variable
      policy       Register a script policy and activate it
    N6K-Switch(config)# event manager
    Mike

  • Help please with TACACS authentication from a Nexus 5548

    I cannot get login working via TACACS from my Nexus 5548.  I've tried creating a group and a single server with key etc.
    Config is simple:
    tacacs-server key 7  ************
    ip tacacs source-interface Vlanx
    aaa group server tacacs+ tacacs
        server 10.x.y.z
    The test aaa command shows it's authenticating:
    NEX01# test aaa server tacacs+  10.x.y.z <username> <password>
    user has been authenticated
    Debug shows this:
    NEX01# 2011 Jun  8 12:31:03 NEX01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user <username>  from 10.x.y.z- login[1691]
    Am I doing something glaringly wrong here?
    Any advice is greatly appreciated.
    Thank you.

    Hi Paul,
    Looks like maybe the packets don't have a route to the ACS when you try to log in.
    Can you share the sh run of the switch?
    Also, do you see a failed attempt on the TACACS server side?
    Can you ping the TACACS server with source interface Vlanx?
    Thanks
    Waris Hussain
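    Both TACACS+ threads above (command authorization failing against ACS, and login failing although `test aaa server` succeeds) involve the same set of NX-OS AAA statements, so one added example is given here; it is not either poster's configuration. Server addresses, the key placeholder, the group name TACACS-GRP and the source interface Vlan10 are made up. `test aaa server` only exercises the server and credentials from the switch; the login and command-authorization paths use the group only when the `aaa authentication login default` and `aaa authorization` lines name it.

    ```text
    ! Added example, not from either thread. Addresses, key and names are made up.
    configure terminal
      feature tacacs+

      ! Servers and shared secret ("key 7" is Cisco's reversible type-7
      ! encoding, not strong encryption; protect the running config).
      tacacs-server host 192.0.2.21 key 7 "REPLACE_WITH_KEY"
      tacacs-server host 192.0.2.22 key 7 "REPLACE_WITH_KEY"
      tacacs-server timeout 5

      aaa group server tacacs+ TACACS-GRP
        server 192.0.2.21
        server 192.0.2.22
        source-interface Vlan10

      ! Login uses the group; the local database is consulted only when
      ! the servers do not answer, not when they reject the user.
      aaa authentication login default group TACACS-GRP local
      aaa authentication login error-enable

      ! Per-command authorization: exec and config commands are sent to the
      ! server, which must answer with a permit (ACS message 13025 quoted in
      ! the thread is the server-side record of a deny).
      aaa authorization commands default group TACACS-GRP local
      aaa authorization config-commands default group TACACS-GRP local

      ! Accounting of sessions and commands.
      aaa accounting default group TACACS-GRP

    ! Verification from the switch.
    test aaa server tacacs+ 192.0.2.21 someuser somepassword
    show aaa authentication
    show aaa authorization
    show tacacs-server groups
    ```

    With `error-enable` set, a login that fails over to local users prints a message saying so, which distinguishes "servers unreachable" from "server rejected the user" at the console rather than only in the debug output quoted in the thread.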

  • Config-sync issue in Nexus5K

    Hello
    I am trying to add a vlan to my pair of Nexus 5K with config-sync, but I receive a really strange error coming from the peer switch:
    switch-profile  : S1-S2
    Peer-IP-address            : x.x.x.2
    Peer-sync-status           : In sync
    Peer-status                : Commit Failure
    Peer-error(s)              : Invalid username: user does not exist
    Does anybody know what it means?
    Thank you in advance
    Regards
    Lucas

    My guess is that on the other Nexus switch the username/password/privilege information is different. Check out this document that has a lot of details on config-sync and the ways it can go wrong...
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_config_sync_ops.html#wp1051910
    Hope it helps
    Peter

  • Upgrading Nexus 5548

    Hi,
    We want to upgrade our pair of Nexus 5548 to the new NX-OS 5.1(3)N2(1a) from the 5.0(3)N1(1c) version. We would like to use the ISSU procedure. But when we execute the command "show spanning-tree issu-impact" we get the following output:
    No Active Topology change Found!
    Criteria 1 PASSED !!
    No Ports with BA Enabled Found!
    Criteria 2 PASSED!!
    List of all the Non-Edge Ports
    Port             VLAN Role Sts Tree Type Instance
    Ethernet2/8      1803 Desg FWD  PVRST      1803
    The 1803 vlan is only used for the peer-keepalive link and it only exists on these two Nexus. So one of the two Nexus needs to be the STP root. That makes the ports on that vlan to be in designated-forwarding state, which is not supported for the ISSU:
    sh run int e2/8
    !Command: show running-config interface Ethernet2/8
    !Time: Fri Jun  8 17:04:33 2012
    version 5.0(3)N1(1c)
    interface Ethernet2/8
      switchport access vlan 1803
      speed 1000
    That is the only port that belongs to that VLAN and it is directly connected to the other Nexus 5548. So the only way we see to avoid this port of being in designated-forwarding state is to apply the "no spanning-tree vlan 1803" command. Would it be a problem?
    We can imagine that introducing the "spanning-tree port type edge" command would not be a good idea, would it?
    Thank you very much for your help!
    Josu

    Hi,
    Reviewing all the prerequisites for the ISSU, we have seen the following:
    ISSU and Layer 3
    Cisco Nexus 5500 Platform switches support Layer 3 functionality. However, the system cannot be upgraded with the ISSU process (non disruptive upgrade) when Layer 3 is enabled. It is required to unconfigure all Layer 3 features to be able to upgrade in a non disruptive way with an ISSU.
    We have the interface-vlan feature enabled. But it is only used for two interfaces:
    - interface-vlan 510 --> It is only used in order to connect to the switch
    - interface-vlan 1803 --> The one used for the keepalive
    We could administratively shut down the interface-vlan 510. But we could not do so with the interface-vlan 1803, since it is used for the keepalive. If we execute "no feature interface-vlan", would the keepalive stop working?
    When we execute the "sh install all impact ..." command the Nexus does not say anything about this feature. Is it really recommended to disable it? Is it needed for the ISSU procedure?
    Thank you very much in advance!!
    JOSU

  • Nexus 5548 and Define static route to forward traffic to Catalyst 4500

    Dear Experts,
    Need your technical assistance for the Static routing in between Nexus 5548 and Catalyst 4500.
    Further, I connected both Nexus 5548s to the Catalyst 4500 as individual trunk ports because there is HSRP on the Catalyst 4500. So I just took one port from each Nexus 5548 and made it a trunk with the Core Switch (also made each port a trunk on each switch). I changed the speed on the Nexus to 1000 because the other side, the Catalyst 4500 line card, is 1G RJ45.
    *Here is the Config on Nexus 5548 to make port a Trunk:*
    N5548-A/ N5548-B
    Interface Ethernet1/3
    Switchport mode trunk
    Speed 1000
    Added the static route on both nexus for Core HSRP IP: *ip route 0.0.0.0/0 10.10.150.39 (Virtual HSRP IP )*
    But I am not able to ping from the N5548 console to the core switch HSRP IP. Is there any further configuration needed to enable routing or ping?
    Please suggest.

    Hello,
    Please see the attached config for both Nexus 5548. I don't have a Catalyst 4500, but below is the simple config that I applied:
    Both Catalyst 4500
    interface gig 3/48
    switchport mode trunk
    switchport trunk encap dot1q
    On Nexus 5548 Port 1/3 is trunk
    Thanks,
    Jehan

  • UCS FI 6248 to Nexus 5548 San port-channel - not working

    Hi all,
    I'm sure I am missing something fairly obvious and stupid but I need several sets of eyes and help.
    Here is the scenario:
    I want to be able to create san port-channels between the FI and Nexus.  I don't need to trunk yet as I can't even get the channel to come up.
    UCS FI 6248:
    Interfaces fc1/31-32
    Nexus 5548
    interfaces fc2/15-16
    FI is in end-host mode and Nexus is running NPIV mode with fport-channel-trunk feature enabled.
    I'm going to output the relevant configurations below.
    Nexus 5548:
    NX5KA(config)# show feature | include enabled
    fcoe                  1         enabled
    fex                   1         enabled
    fport-channel-trunk   1         enabled
    hsrp_engine           1         enabled
    interface-vlan        1         enabled
    lacp                  1         enabled
    lldp                  1         enabled
    npiv                  1         enabled
    sshServer             1         enabled
    vpc                   1         enabled
    interface san-port-channel 133
      channel mode active
      no switchport trunk allowed  vsan all
      switchport trunk mode off
    interface fc2/15
      switchport trunk mode off
      channel-group 133 force
      no shutdown
    interface fc2/16
      switchport trunk mode off
      channel-group 133 force
      no shutdown
    NX5KA# show vsan membership
    vsan 1 interfaces:
        fc2/13            fc2/14          
    vsan 133 interfaces:
        fc2/15            fc2/16            san-port-channel 133
    vsan 4079(evfp_isolated_vsan) interfaces:
    vsan 4094(isolated_vsan) interfaces:
    NX5KA# show san-port-channel summary
    U-Up D-Down B-Hot-standby S-Suspended I-Individual link
    summary header
    Group  Port-      Type    Protocol               Member Ports
           Channel
    133    San-po133  FC      PCP      (D)  FC       fc2/15(D)    fc2/16(D)   
    UCS Fabric Interconnect outputs:
    UCS-FI-A-A(nxos)# show san-port-channel summary
    U-Up D-Down B-Hot-standby S-Suspended I-Individual link
    summary header
    Group  Port-      Type    Protocol               Member Ports
           Channel
    133    San-po133  FC      PCP      (D)  FC       fc1/31(D)    fc1/32(D)   
    UCS-FI-A-A(nxos)#
    UCS-FI-A-A(nxos)# show run int fc1/31-32
    !Command: show running-config interface fc1/31-32
    !Time: Fri Dec 20 22:58:51 2013
    version 5.2(3)N2(2.21b)
    interface fc1/31
      switchport mode NP
      channel-group 133 force
      no shutdown
    interface fc1/32
      switchport mode NP
      channel-group 133 force
      no shutdown
    UCS-FI-A-A(nxos)#
    UCS-FI-A-A(nxos)# show run int san-port-channel 133
    !Command: show running-config interface san-port-channel 133
    !Time: Fri Dec 20 22:59:09 2013
    version 5.2(3)N2(2.21b)
    interface san-port-channel 133
      channel mode active
      switchport mode NP

    !Command: show running-config interface san-port-channel 133
    !Time: Sat May 16 04:59:07 2009
    version 5.1(3)N1(1)
    interface san-port-channel 133
      channel mode active
      switchport mode F
      switchport trunk mode off
    Changed it as you suggested...
    Followed the order of operations for "no shut"
    Nexus FC -> Nexus SAN-PC -> FI FC -> FI SAN-PC.
    Didn't work:
    NX5KA(config-if)# show san-port-channel summary
    U-Up D-Down B-Hot-standby S-Suspended I-Individual link
    summary header
    Group  Port-      Type    Protocol               Member Ports
           Channel
    133    San-po133  FC      PCP      (D)  FC       fc2/15(D)    fc2/16(D)
    NX5KA(config-if)#
    Here is the output as you requested:
    NX5KA(config-if)# show int san-port-channel 133
    san-port-channel 133 is down (No operational members)
        Hardware is Fibre Channel
        Port WWN is 24:85:00:2a:6a:5a:81:00
        Admin port mode is F, trunk mode is off
        snmp link state traps are enabled
        Port vsan is 133
        1 minute input rate 1256 bits/sec, 157 bytes/sec, 0 frames/sec
        1 minute output rate 248 bits/sec, 31 bytes/sec, 0 frames/sec
          3966 frames input, 615568 bytes
            0 discards, 0 errors
            0 CRC,  0 unknown class
            0 too long, 0 too short
          2956 frames output, 143624 bytes
            0 discards, 0 errors
          46 input OLS, 41 LRR, 73 NOS, 0 loop inits
          257 output OLS, 189 LRR, 219 NOS, 0 loop inits
        last clearing of "show interface" counters never
        Member[1] : fc2/15
        Member[2] : fc2/16
    NX5KA(config-if)#
    NX5KA(config-if)# show int brief
    Interface  Vsan   Admin  Admin   Status          SFP    Oper  Oper   Port
                      Mode   Trunk                          Mode  Speed  Channel
                             Mode                                 (Gbps)
    fc2/13     1      auto   on      sfpAbsent        --     --           --
    fc2/14     1      auto   on      sfpAbsent        --     --           --
    fc2/15     133    F      off     init             swl    --           133
    fc2/16     133    F      off     init             swl    --           133
