Nexus 7000 vPC suspended VLAN problem

I am trying to connect a Cat3560G switch to an N7K pair via a vPC. The VLANs I wish to trunk are being suspended, and I am getting the following error messages:
2010 Jun 22 17:03:36 N7K-Core1 %ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs 2,301 on Interface port-channel2 are being suspended. (Reason: Vlan is not allowed on Peer-link)
The VLANs do exist, but an STP instance isn't created for them (I am using RPVST):
N7K-Core1# sh vlan id 2
VLAN Name                             Status    Ports
2    VLAN0002                         active    Po2, Po75
N7K-Core1# sh spanning-tree vlan 2
ERROR: Spanning tree instance(s) for vlan does not exist.
Port       Vlans Err-disabled on Trunk
Eth1/9     none
Eth1/10    none
Eth1/17    2,301
Eth1/18    2,301
Eth1/25    2,301
Eth1/26    2,301
Eth2/2     none
Eth10/1    none
Eth10/2    2,301
Po2        2,301
Po75       2,301
Po99       none
The VLANs are allowed on the trunk (it by default allows all)
interface port-channel1
  description * vPC Peer-Link *
  vpc peer-link
  spanning-tree port type network
I have turned off bridge assurance as a test but to no avail.
Any ideas?

I'm having the same issue between a pair of vPC'd 5020s going to a 6500 using a vPC.
All VLANs which are supposed to go over the trunk/vPC, are showing as err-disable on trunk.  I've checked all configs and they are the same... allowed vlans match on all po interfaces and physical interfaces.
6509:
interface Port-channel78
description Connection to n5020s @ in the MDC
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 2240
switchport trunk allowed vlan 2002-2006,2010,2014,2018,2022,2024,2026,2240
switchport trunk allowed vlan add 2244,2248,2252,2254,4050,4052,4054
switchport mode trunk
end
N5020-1:
interface port-channel100
  description Uplink to dist01 @ A building
  switchport mode trunk
  switchport trunk native vlan 2240
  switchport trunk allowed vlan 2002-2006,2010,2014,2018,2022,2024
  switchport trunk allowed vlan add 2026,2240,2244,2248,2252,2254,4050
  switchport trunk allowed vlan add 4052,4054
  vpc 100
N5020-2:
interface port-channel100
  description Uplink to dist01 @ A building
  switchport mode trunk
  switchport trunk native vlan 2240
  switchport trunk allowed vlan 2002-2006,2010,2014,2018,2022,2024
  switchport trunk allowed vlan add 2026,2240,2244,2248,2252,2254,4050
  switchport trunk allowed vlan add 4052,4054
  vpc 100
All member ports reflect the correct config.
Both 5020s have the same config for the peer-link:
interface port-channel2
  description VPC Peer-link
  vpc peer-link
  spanning-tree port type network
Output from 'show interface trunk':
n5020-1# sh int tru
Port          Native  Status        Port
              Vlan                  Channel
Eth1/1        2240    trnk-bndl     Po100
Eth1/2        1       trnk-bndl     Po200
Eth1/17       2240    trnk-bndl     Po78
Eth1/18       2240    trnk-bndl     Po78
Eth1/19       2240    trnk-bndl     Po87
Eth1/20       2240    trnk-bndl     Po87
Po78          2240    trunking      --
Po87          2240    trunking      --
Po100         2240    trunking      --
Po200         1       trunking      --
Port          Vlans Allowed on Trunk
Eth1/1        2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Eth1/2        180-183
Eth1/17       180-183
Eth1/18       180-183
Eth1/19       2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Eth1/20       2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Po78          180-183
Po87          2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Po100         2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Po200         180-183
Port          Vlans Err-disabled on Trunk
Eth1/1        2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Eth1/2        180-183
Eth1/17       180-183
Eth1/18       180-183
Eth1/19       2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Eth1/20       2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Po78          180-183
Po87          2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Po100         2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Po200         180-183
Port          STP Forwarding
Eth1/1        none
Eth1/2        none
Eth1/17       none
Eth1/18       none
Eth1/19       none
Eth1/20       none
Po78          none
Po87          none
Po100         none
Po200         none
Thank you,
Chris Perkins
INX Inc.
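
The allowed-VLAN comparison described in the post above, done mechanically; this is an added example, not part of either post. It expands the `switchport trunk allowed vlan` / `allowed vlan add` lines, compares the sets across devices, and re-joins the terminal-wrapped rows of `show interface trunk` to list VLANs that are allowed but not err-disabled. The function names are hypothetical; the input strings are excerpts copied from the post.

```python
import re

# Excerpts copied from the second post above (6509 Po78, N5020 Po100, and the
# Po100/Po200 rows of 'show interface trunk', including the terminal line wrap).
CFG_6509 = """\
interface Port-channel78
switchport trunk allowed vlan 2002-2006,2010,2014,2018,2022,2024,2026,2240
switchport trunk allowed vlan add 2244,2248,2252,2254,4050,4052,4054
"""
CFG_N5020 = """\
interface port-channel100
  switchport trunk allowed vlan 2002-2006,2010,2014,2018,2022,2024
  switchport trunk allowed vlan add 2026,2240,2244,2248,2252,2254,4050
  switchport trunk allowed vlan add 4052,4054
"""
TRUNK_OUTPUT = """\
Port          Vlans Allowed on Trunk
Po100         2002-2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2254,4
050,4052,4054
Po200         180-183
Port          Vlans Err-disabled on Trunk
Po100         2002-2004,2006,2010,2014,2018,2022,2024,2026,2240,2244,2248,2252,2
254,4050,4052,4054
Po200         180-183
Port          STP Forwarding
Po100         none
Po200         none
"""

ALLOWED_RE = re.compile(r"^\s*switchport trunk allowed vlan (add )?([\d,\-]+)\s*$")


def expand_vlans(spec):
    """Expand a list such as '2002-2006,2010' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def allowed_from_config(stanza):
    """Explicit allowed-VLAN set of one interface stanza.

    A line without 'add' replaces the list, a line with 'add' extends it.
    An empty result means no explicit list (the platform default applies).
    """
    vlans = set()
    for line in stanza.splitlines():
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        if m.group(1):
            vlans |= expand_vlans(m.group(2))
        else:
            vlans = expand_vlans(m.group(2))
    return vlans


def compare_allowed(configs):
    """For each named stanza, list VLANs it lacks relative to the union of all."""
    sets = {name: allowed_from_config(cfg) for name, cfg in configs.items()}
    union = set().union(*sets.values())
    return {name: sorted(union - s) for name, s in sets.items()}


def trunk_section(output, title):
    """Return {port: vlan_set} for one section of 'show interface trunk'.

    A line holding a single token is a terminal-wrap continuation and is
    glued to the previous row ('...,2254,4' + '050,4052,4054').
    """
    raw, port, active = {}, None, False
    for line in output.splitlines():
        if line.startswith("Port"):          # section header row
            active, port = title in line, None
            continue
        fields = line.split()
        if not active or not fields:
            continue
        if len(fields) == 2 and fields[0].startswith(("Eth", "Po")):
            port = fields[0]
            raw[port] = fields[1]
        elif len(fields) == 1 and port:
            raw[port] += fields[0]
    return {p: expand_vlans(spec) for p, spec in raw.items()}


def allowed_but_not_errdisabled(output):
    """Per port, VLANs that are allowed on the trunk yet not err-disabled."""
    allowed = trunk_section(output, "Vlans Allowed on Trunk")
    errdis = trunk_section(output, "Vlans Err-disabled on Trunk")
    return {p: sorted(v - errdis.get(p, set())) for p, v in allowed.items()}


if __name__ == "__main__":
    configs = {"6509 Po78": CFG_6509, "N5020 Po100": CFG_N5020}
    print("missing per device:", compare_allowed(configs))
    print("allowed, not err-disabled:", allowed_but_not_errdisabled(TRUNK_OUTPUT))
    print("STP forwarding:", trunk_section(TRUNK_OUTPUT, "STP Forwarding"))
```

On the posted data the allowed lists on the 6509 and the 5020 are identical, and on Po100 every allowed VLAN except 2005 is err-disabled; the output does not say why 2005 differs.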

Similar Messages

  • Nexus 7000 vPC modification - avoiding type1 inconsistencies

    Hi Everyone,
    I need to configure some features on a pair of Nexus 7000's running 4.2(6) - one of them is Root Guard.
    I am aware that when I enable Root Guard on the first vPC peer, the vPC will go into suspended state until I configure the other vPC peer identically.
    This is causing me a big service disruption headache as I need to do this for a whole Data Centre.
    I see on the Nexus 5k, you can do port-profiles which seem to enable config synchronisation across vPC peers - so I assume the vPC would stay up due to both peers receiving config at exactly the same time - but this feature is not available on Nexus 7k.
    Does anybody know for sure if I were to create a scheduled job to run at the same time on both vPC peers with identical config content - i.e. apply Root Guard to vPC - would this prevent the vPC going into suspend state?
    If not, do you know of any other ways to prevent vPC going into suspend?
    Thanks in advance for any advice!

    Hi Raj,
    thank you for your response.
    We have VPC between Core - Aggregation - all 7k and Aggregation to Access (5ks). VPC down from Core all the way to Access and also up all the way from Access to Core.
    So from a STP point of view, the topology is a single switch for Core, Aggregation and Access - so no loops.
    I agree this limits the potential for trouble if a switch is plugged into the access layer by mistake for example - but the customer is adamant they want it (RootGuard).
    Thanks,
    Oswaldo

  • Nexus 5000 vPC suspended during reload delay period

    Hi ,
    After reloading a vPC-Peer-Switch, the box comes up and all vPC-Member-Ports on the box are in suspended state until the reload delay time has expired.
    Unfortunately the links of the vPC-Member-Ports are already up. This behaviour leads us into some problems if we connect a Cisco-UCS-FI with a LACP-Portchannel to a vPC on N5K.
    Because the link of the suspended port is up, the FI detects the port also as up and running and sets it to individual state because of missing LACP-BPDUs. So at this time the FI has two uplinks, one Port-Channel and one individual port. After 30 seconds the FI starts repinning the servers over these two uplinks. Because the individual port is not in forwarding state on the reloaded N5K until the reload delay timer has expired,
    during this period all the servers which are pinned to the individual port are blackholed.
    Possible Workarounds
    1. Creating a Pin-Group for the Port-Channel and pinning all servers to this Pin-Group, to avoid that, in case one channel member goes to individual state, any server is pinned to this individual port. This could be a solution.
    2. Configuring the Port-Channel on the FI for "suspend individual". Unfortunately I could not find a way to achieve this. This would avoid that the individual port is considered as a possible uplink port, so no pinning to the individual port would happen.
    3. Find a way that during the delay restore time the link on the suspended vPC-Member-Ports is also down. (In my opinion this would be the best way)
    I am not sure if configuration of "individual suspend" on the vPC on the N5K would help.
    any other ideas?
    Hubert

    What I really want is a command I can use to prevent VPC from turning off ports at all.  I'd much rather have an active-active situation than have my entire network go down just because the primary VPC peer rebooted. VPC is not designed correctly to deal with that situation.  And yes, it has happened.  Multiple times with different VPC keepalive setups.

  • Nexus 7000 - unexpected shutdown of vPC-Ports during reload of the primary vPC Switch

    Dear Community,
    We experienced an unusual behavior of two Nexus 7000 switches within a vPC domain.
    According to the attached sketch, we have four N7Ks in two data centers - two Nexus 7Ks are in a vPC domain for each data center.
    Both data centers are connected via a Multilayer-vPC.
    We had to reload one of these switches and I expected the other N7K in this vPC domain to continue forwarding over its vPC-Member-ports.
    Actually, all vPC ports have been disabled on the secondary switch until the reload of the first N7K (vPC-Role: primary) finished.
    Logging on Switch B:
    20:11:51 <Switch B> %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
    20:12:01 <Switch B> %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed
    In case of a Peer-link failure, I would expect this behavior if the other switch is still reachable via the Peer-Keepalive-Link (via the Mgmt-Port), but since we reloaded the whole switch, the vPCs should continue forwarding. 
    Could this be a bug or are there any timers to be tuned?
    All N7K switches are running on NX-OS 6.2(8)
    Switch A:
    vpc domain 1
      peer-switch
      role priority 2048
      system-priority 1024
      peer-keepalive destination <Mgmt-IP-Switch-B>
      delay restore 360
      peer-gateway
      auto-recovery reload-delay 360
      ip arp synchronize
    interface port-channel1
      switchport mode trunk
      switchport trunk allowed vlan <x-y>
      spanning-tree port type network
      vpc peer-link
    Switch B:
    vpc domain 1
      peer-switch
      role priority 1024
      system-priority 1024
      peer-keepalive destination <Mgmt-IP-Switch-A>
      delay restore 360
      peer-gateway
      auto-recovery reload-delay 360
      ip arp synchronize
    interface port-channel1
      switchport mode trunk
      switchport trunk allowed vlan <x-y>
      spanning-tree port type network
      vpc peer-link
    Best regards

    Problem solved:
    During the reload of the Nexus 7K, the linecards were powered off a short time earlier than the Mgmt-Interface. As a result of this behavior, the secondary Nexus 7K received at least one vPC-Peer-Keepalive Message while its peer-link was already powered off. To avoid a split brain scenario, the VPC-member-ports have been shut down.
    Now we are using dedicated interfaces on the linecards for the VPC-Peer-Keepalive-Link and a reload of one N7K won't result in a total network outage any more.

  • EtherChannel problem on Nexus 7000

    Dear NetPro gurus,
    One of my customers is trying to set up an EtherChannel (LACP) on a pair of Nexus 7000. However, no matter what we do, the port Eth 1/17 always becomes suspended. We have tried swapping fiber cables and also swapping SFPs, but no help.
    The 1st Nexus 7010 - called 'VIWLRCA'
    The 2nd Nexus 7010 - called 'VIWLRCB'
    Originally port eth 1/17 are left as 'normal' trunk port, and we can see eth 1/17 shows up fine under 'show interface brief'
    viwlrca-PROD# sh run int eth 1/17
    interface Ethernet1/17
      switchport
      switchport mode trunk
      udld disable
      no shutdown
    viwlrca-PROD# sh run int eth 1/18
    interface Ethernet1/18
      switchport
      switchport mode trunk
      udld disable
      channel-group 20 mode active
      no shutdown
    viwlrca-PROD# sh int brief
    Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
    Interface                                                                    Ch #
    Eth1/17       1       eth  trunk  up      none                        10G(S) --
    Eth1/18       1       eth  trunk  up      none                        10G(S) 20
    Eth1/19       --      eth  routed down    SFP not inserted           auto(S) --
    Eth1/20       --      eth  routed down    SFP not inserted           auto(S) --
    Eth1/21       --      eth  routed down    Administratively down      auto(S) --
    Eth1/22       --      eth  routed down    Administratively down      auto(S) --
    Eth1/23       --      eth  routed down    Administratively down      auto(S) --
    Eth1/24       --      eth  routed down    Administratively down      auto(S) --
    Eth2/25       --      eth  routed down    Administratively down      auto(D) --
    Eth2/26       --      eth  routed down    Administratively down      auto(D) --
    Eth2/27       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/28       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/29       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/30       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/31       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/32       --      eth  routed down    SFP not inserted           auto(D) --
    viwlrca-PROD#
    But as soon as I add the Eth 1/17 back onto PortChannel 20
    The Eth 1/17 becomes "Suspended" straight away
    viwlrca-PROD# sh int brief
    Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
    Interface                                                                    Ch #
    Eth1/17       1       eth  trunk  down    suspended                  auto(S) 20
    Eth1/18       1       eth  trunk  up      none                        10G(S) 20
    Eth1/19       --      eth  routed down    SFP not inserted           auto(S) --
    Eth1/20       --      eth  routed down    SFP not inserted           auto(S) --
    Eth1/21       --      eth  routed down    Administratively down      auto(S) --
    Eth1/22       --      eth  routed down    Administratively down      auto(S) --
    Eth1/23       --      eth  routed down    Administratively down      auto(S) --
    Eth1/24       --      eth  routed down    Administratively down      auto(S) --
    Eth2/25       --      eth  routed down    Administratively down      auto(D) --
    Eth2/26       --      eth  routed down    Administratively down      auto(D) --
    Eth2/27       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/28       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/29       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/30       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/31       --      eth  routed down    SFP not inserted           auto(D) --
    Eth2/32       --      eth  routed down    SFP not inserted           auto(D) --
    viwlrca-PROD#
    viwlrca-PROD# sh port-channel summary
    Flags:  D - Down        P - Up in port-channel (members)
            I - Individual  H - Hot-standby (LACP only)
            s - Suspended   r - Module-removed
            S - Switched    R - Routed
            U - Up (port-channel)
            M - Not in use. Min-links not met
    Group Port-       Type     Protocol  Member Ports
          Channel
    20    Po20(SU)    Eth      LACP      Eth1/17(s)   Eth1/18(P)  
    viwlrca-PROD#
    Config on Primary Nexus:-
    viwlrca-PROD# sh run
    !Command: show running-config
    !Time: Tue Mar 22 06:04:26 2011
    version 5.1(1a)
    hostname PROD
    cfs eth distribute
    feature udld
    feature interface-vlan
    feature lacp
    feature vpc
    feature vtp
    username admin password 5 $1$pkJaKHZW$Sx4wpDG5xXYkD.QfDk/Cg.  role vdc-admin
    no ip domain-lookup
    ip domain-name vfc.com
    crypto key param rsa label viwlrca-PROD.vfc.com modulus 2048
    snmp-server user admin vdc-admin auth md5 0x05f7328e3b39a70be09abc3056ec2819 priv 0x05f7328e3b39a70be09abc3056ec2819 localizedkey
    vrf context management
    spanning-tree pathcost method long
    spanning-tree port type edge bpduguard default
    spanning-tree loopguard default
    spanning-tree vlan 1-3967,4048-4093 priority 4096
    interface Vlan1
    interface Vlan161
      ip address 172.30.161.2/24
    interface Vlan162
      ip address 172.30.162.2/24
    interface Vlan163
      ip address 172.30.163.2/24
    interface Vlan164
      ip address 172.30.164.2/24
    interface Vlan165
      ip address 172.30.165.2/24
    interface Vlan190
      ip address 172.30.190.2/24
    interface port-channel20
      switchport
      switchport mode trunk
    interface Ethernet1/17
      switchport
      switchport mode trunk
      udld disable
      channel-group 20 mode active
      no shutdown
    interface Ethernet1/18
      switchport
      switchport mode trunk
      udld disable
      channel-group 20 mode active
      no shutdown
    interface Ethernet1/19
    interface Ethernet1/20
    interface Ethernet1/21
    interface Ethernet1/22
    interface Ethernet1/23
    interface Ethernet1/24
    interface Ethernet2/25
    interface Ethernet2/26
    interface Ethernet2/27
    interface Ethernet2/28
    interface Ethernet2/29
    interface Ethernet2/30
    interface Ethernet2/31
    interface Ethernet2/32
    interface Ethernet2/33
    interface Ethernet2/34
    interface Ethernet2/35
    interface Ethernet2/36
    interface Ethernet3/25
    interface Ethernet3/26
    interface Ethernet3/27
    interface Ethernet3/28
    interface Ethernet3/29
    interface Ethernet3/30
    interface Ethernet3/31
    interface Ethernet3/32
    interface Ethernet3/33
    interface Ethernet3/34
    interface Ethernet3/35
    interface Ethernet3/36
    line vty
    viwlrca-PROD#
    Config for Secondary Nexus 7000
    VIWLRCB-PROD# sh run
    !Command: show running-config
    !Time: Tue Mar 22 09:19:22 2011
    version 5.1(1a)
    hostname PROD
    cfs eth distribute
    feature interface-vlan
    feature lacp
    feature vpc
    feature vtp
    username admin password 5 $1$Lc486EOm$EtKhZWuxGjWWokfeuUsMk.  role vdc-admin
    no ip domain-lookup
    ip domain-name vfc.com
    crypto key param rsa label VIWLRCB-PROD.vfc.com modulus 2048
    snmp-server user admin vdc-admin auth md5 0xeb607b54234985ed6740c5fdbb8d84c6 priv 0xeb607b54234985ed6740c5fdbb8d84c6 localizedkey
    vrf context management
    spanning-tree pathcost method long
    spanning-tree port type edge bpduguard default
    spanning-tree loopguard default
    spanning-tree vlan 1-3967,4048-4093 priority 8192
    interface Vlan1
    interface port-channel20
      switchport
      switchport mode trunk
    interface Ethernet1/17
      switchport
      switchport mode trunk
      channel-group 20 mode active
      no shutdown
    interface Ethernet1/18
      switchport
      switchport mode trunk
      channel-group 20 mode active
      no shutdown
    interface Ethernet1/19
    interface Ethernet1/20
    interface Ethernet1/21
    interface Ethernet1/22
    interface Ethernet1/23
    interface Ethernet1/24
    interface Ethernet2/25
    interface Ethernet2/26
    interface Ethernet2/27
    interface Ethernet2/28
    interface Ethernet2/29
    interface Ethernet2/30
    interface Ethernet2/31
    interface Ethernet2/32
    interface Ethernet2/33
    interface Ethernet2/34
    interface Ethernet2/35
    interface Ethernet2/36
    interface Ethernet3/25
    interface Ethernet3/26
    interface Ethernet3/27
    interface Ethernet3/28
    interface Ethernet3/29
    interface Ethernet3/30
    interface Ethernet3/31
    interface Ethernet3/32
    interface Ethernet3/33
    interface Ethernet3/34
    interface Ethernet3/35
    interface Ethernet3/36
    line vty
    VIWLRCB-PROD#
    Cheers,
    Hunt

    Quick troubleshoot:
    Default all interfaces in newly created port-channel as well as the port-channel interface, then delete port-channel interface.  Recreate port-channel without the LACP protocol:
    interface e1/17,e1/18
      switchport
      channel-group 20 mode on
      no shutdown
      exit
    interface port-channel20
      switchport
      switchport mode trunk
      no shutdown
      exit
    show port-channel summ
    show int trunk
    HTH,
    Sean

  • Nexus 7000 with VPC and HSRP Configuration

    Hi Guys,
    I would like to know how to implement HSRP with the following setup:
    There are 2 Nexus 7000 connected with VPC Peer link. Each of the Nexus 7000 has a FEX attached to it.
    The server has two connections going to the FEX on each Nexus 7k (VPC). FEXs are not dual-homed, as far as I know they are not supported currently.
    R(A)              R(S)
    |                     |
    7K Peer Link 7K
    |                     |
    FEX              FEX
    Server connected to both FEX
    The question is we have two routers connected to each of the Nexus 7k in HSRP (one is active and one is standby). How can I configure HSRP on the Nexus switches and how will the traffic be routed from the Standby Nexus switch to the Active Nexus switch (I know HSRP works differently here as both of them can forward packets)? Will the traffic go to the secondary switch and then via the peer link to the active switch and then to the active router? (From what I read the packet from end hosts which will go via the peer link will get dropped)
    Has anyone implemented this before ?
    Thanks

    Hi Kuldeep,
    If you intend to put those routers on a non-vpc vlan, you may create a new inter-switch trunk between the N7K and allow that non-vpc vlan. However if those will be on a VPC vlan, best to create two links to the N7K pair and create a VPC, otherwise configure those ports as orphan ports which will leverage the VPC peer link.
    HTH
    Jay Ocampo

  • AAA problems Nexus 7000 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user

    Hi,
    I'm having problems getting our Nexus 7000 to authenticate users from our Windows domain. If I set up a user within the ACS server and use the CiscoSecure database for password authentication it works fine.
    In the logs on the nexus I receive the following messages when logging on using my windows account.
    %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user 16894. Error 0x404a0036  - login[20923]
    %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user 16894 from 10.128.45.44 - login[20923]
    We can log on to all other Cisco OS devices using Windows domain accounts, it's just the Nexus.
    Any help much appreciated.
    Thanks
    Darren

    No errors; the authentication on the ACS is showing as passed. The problem is I get an access denied message from the Nexus switch.

  • Nexus 7000 and 2000. Is FEX supported with vPC?

    I know this was not supported a few months ago, curious if anything has changed?

    Hi Jenny,
    I think the answer will depend on what you mean by is FEX supported with vPC?
    When connecting a FEX to the Nexus 7000 you're able to run vPC from the Host Interfaces of a pair of FEX to an end system running IEEE 802.1AX (802.3ad) Link Aggregation. This is shown in illustration 7 of the diagram shown on the post Nexus 7000 Fex Supported/Not Supported Topologies.
    What you're not able to do is run vPC on the FEX Network Interfaces that connect up to the Nexus 7000, i.e., dual-homing the FEX to two Nexus 7000. This is shown in illustrations 8 and 9 under the FEX topologies not supported on the same page.
    There's some discussion on this in the forum post DualHoming 2248TP-E to N7K that explains why it's not supported, but essentially it offers no additional resilience.
    From that post:
    The view is that when connecting FEX to the Nexus 7000, dual-homing does not add any level of resilience to the design. A server with dual NIC can attach to two FEX  so there is no need to connect the FEX to two parent switches. A server with only a single NIC can only attach to a single FEX, but given that FEX is supported by a fully redundant Nexus 7000 i.e., SE, fabrics, power, I/O modules etc., the availability is limited by the single FEX and so dual-homing does not increase availability.
    Regards

  • Catalyst 6500 - Nexus 7000 migration

    Hello,
    I'm planning a platform migration from Catalyst 6500 to Nexus 7000. The old network consists of two pairs of 6500's as server distribution, configured with HSRPv1 as FHRP, rapid-pvst and ospf as IGP. Furthermore, the Cat6500 utilize mpls/l3vpn with BGP for 2/3 of the vlans. Otherwise, the topology is quite standard, with a number of 6500 and CBS3020/3120 as server access.
    In preparing for the migration, VTP will be discontinued and vlans have been manually "copied" from the 6500 to the N7K's. Bridge assurance is enabled downstream toward the new N55K access-switches, but toward the 6500, the upcoming etherchannels will run in "normal" mode, trying to avoid any problems with BA this way. For now, only L2 will be utilized on the N7K, as we're awaiting the 5.2 release, which includes mpls/l3vpn. But all servers/blade switches will be migrated prior to that.
    The questions arise, when migrating Layer3 functionality, incl. hsrp. As per my understanding, hsrp in nxos has been modified slightly to better align with the vPC feature and to avoid sub-optimal forwarding across the vPC peerlink. But that aside, is there anything that would complicate a "sliding" FHRP migration? I'm thinking of configuring SVI's on the N7K's, configuring them with unused ip's and assign the same virtual ip, only decrementing the prio to a value below the current standby-router. Also spanning-tree prio will, if necessary, be modified to better align with hsrp.
    From a routing perspective, I'm thinking of configuring ospf/bgp etc. similar to that of the 6500's, only tweaking the metrics (cost, localpref etc) to constrain forwarding on the 6500's and subsequently migrate both routing and FHRP at the same time. Maybe not in a big bang style, but stepwise. Is there anything in particular one should be aware of when doing this? At present, for me this seems like a valid approach, but maybe someone has experience with this (good/bad), so I'm hoping someone has some insight they would like to share.
    Topology drawing is attached.
    Thanks
    /Ulrich

    In a normal scenario, yes. But not in vPC. HSRP is a bit different in the vPC environment. Even though the SVI is not the HSRP primary, it will still forward traffic. Please see the below white paper.
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-516396.html
    I will suggest you to set up the SVIs on the N7K but leave them in the down state. Until you are ready to use the N7K as the gateway for the SVIs, shut down the SVIs on the C6K one at a time and turn up the N7K SVIs. When I said "you are ready", it means the spanning-tree root is at the N7K along with all the L3 northbound links (toward the core).
    I had a customer who did the same thing that you are trying to do - to avoid down time. However, out of the 50+ SVIs, we've had 1 SVI that HSRP would not establish between C6K and N7K, we ended up moving everything to the N7K on the fly during the migration. Yes, they were down for about 30 sec - 1 min for each SVI but it is less painful and wastes less time because we don't need to figure out what is wrong or any NXOS bugs.
    HTH,
    jerry

  • Nexus 7000-Error Message

    Hi
    We have 2 Nexus switches configured in the network as core with HSRP configured between them. The access switches are connected with dual 10G links to both core switches with VPC configured in Nexus. In both core switches a 10G module is used for uplink termination. In one of the core switches, for this 10G module we get the following error:
    Module-1 reported minor temperature alarm. Sensor=20 Temperature=101 MinThreshold=100
    2011 Dec 22 08:10:19 CORE-SEC %PLATFORM-2-MOD_TEMPOK: Module-1 recovered from minor temperature alarm. Sensor=20 Temperature=99 MinThreshold=100
    Even though the room temperature is 23 degrees we still get this error, whereas as per the Nexus documentation the allowed room temperature is 0-40 degrees (Operating temperature: 32º to 104ºF (0º to 40ºC)).
    show module
    Mod  Ports  Module-Type                      Model                            Status
    1    8      10 Gbps Ethernet XL Module      N7K-M108X2-12L        ok
    2    32    1/10 Gbps Ethernet Module        N7K-F132XP-15          ok
    3    48    10/100/1000 Mbps Ethernet XL Mod N7K-M148GT-11L    ok
    5    0      Supervisor module-1X            N7K-SUP1                      active *
    As per the Nexus module documentation for module 1 the allowed temperature is 0-40 degrees, whereas the actual room temperature is 23 degrees. Below is the exception message for module 1:
    exception information --- exception instance 1 ----
    Module Slot Number: 1
    Device Id         : 49
    Device Name       : Temperature-sensor
    Device Errorcode : 0xc3114203
    Device ID         : 49 (0x31)
    Device Instance   : 20 (0x14)
    Dev Type (HW/SW) : 02 (0x02)
    ErrNum (devInfo) : 03 (0x03)
    System Errorcode : 0x4038001e Module recovered from minor temperature alarm
    Error Type       : Minor error
    PhyPortLayer     :
    Port(s) Affected :
    DSAP             : 39 (0x27)
    UUID             : 24 (0x18
    The same module exists in the second Nexus 7000, which is in the same datacenter, but it is not getting this alarm.
    Can anyone please suggest on the same? Software details are as below:
    Software
      BIOS:      version 3.22.0
    kickstart: version 5.1(3)
      system:    version 5.1(3)
      BIOS compile time:       02/20/10
      kickstart image file is: bootflash:///n7000-s1-kickstart.5.1.3.bin
      kickstart compile time:  12/25/2020 12:00:00 [03/11/2011 07:42:56]
      system image file is:    bootflash:///n7000-s1-dk9.5.1.3.bin
      system compile time:     1/21/2011 19:00:00 [03/11/2011 08:37:35]

    Hi Sameer
    Temperature alarm means that one particular sensor on the linecard warms up to 101 degree.
    This can be caused by damaged sensor or problems with cooling in that particular part of chassis.
    You can check temperature on the module using following command:
    show environment temperature module 1
    Try to move the module to another slot. If the issue recurs, open a TAC case.
    HTH,
    Alex

  • Virtualized Lab Infrastructure - 3560G connecting to a Nexus 7000 - Help!

    Hi all,
    I've been struggling with the configuration for my small environment for a week or so now, and being a Cisco beginner, I'm worried about going down the wrong path, so I'm hoping someone on here would be able to help with my lab configuration.
    As you can see from the graphic, I have been allocated VLANs 16-22 for my use, on the Nexus 7000. There are lots of other VLANs in use on the Nexus, by other groups, most of which are routable between one another. VLAN 99 is used for switch management, and VLAN 11, is where the Domain Controller, DHCP and Windows Deployment Server reside for the lab domain. Servers across different VLANs use this DC/DHCP/WDS set of servers. These VLANS route out to the internet successfully.
    I have been allocated eth 3/26 on the Nexus, as my uplink connection to my own ToR 3560G. All of my servers, of which there are around 8 in total, are connected to the 3560. I have enabled IP routing on the 3560, and created VLANs 18-22, providing an IP on each. This config has been assigned to all 48 gigabit ports on the 3560 (using the commands in the graphic), and each Windows Server 2012 R2 Hyper-V host connects to the 3560 via 4 x 1GbE connections. On each Hyper-V host, the 4 x 1GbE ports are teamed, and a Hyper-V vSwitch is bound to that team. I then assign the VLAN ID at the vNIC level.
    Routing between the VLANs is currently working fine - As a test, i can put 2 of the servers on different VLANs, each with their respective VLAN default gateway, and they can ping between one another.
    My challenge is, I'm not quite sure what i need to do for the following:
    1) How should I configure the uplink gi 0/52 on the 3560 to enable my VLANs to reach the internet?
    2) How should I configure eth 3/26 on the Nexus?
    3) I need to ensure that the 3560 is also on the management VLAN 99 so it can be managed successfully.
    4) I do not want to route to VLAN 11, as I intend to have my own domain (DC/DNS/DHCP/WDS)
    Any help or guidance you can provide would be much appreciated!
    Thanks!
    Matt

    Hi again Jon,
    OK, been battling with it a little more.
    Here's the config for the 3560:
    Current configuration : 11643 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname CSP_DX_Cluster
    no aaa new-model
    vtp mode transparent
    ip subnet-zero
    ip routing
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 16,18-23,99
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 18
    switchport trunk allowed vlan 18-22
    switchport mode trunk
    spanning-tree portfast trunk
    <same through interface GigabitEthernet0/48>
    interface GigabitEthernet0/52
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 16,99
    switchport mode trunk
    interface Vlan1
    no ip address
    interface Vlan16
    ip address 10.0.6.2 255.255.255.252
    interface Vlan18
    ip address 10.0.8.1 255.255.255.0
    interface Vlan19
    ip address 10.0.9.1 255.255.255.0
    interface Vlan20
    ip address 10.0.12.1 255.255.255.0
    interface Vlan21
    no ip address
    interface Vlan22
    ip address 10.0.14.1 255.255.255.0
    interface Vlan99
    ip address 10.0.99.87 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.6.1
    ip http server
    control-plane
    l
    end
    At the Nexus end, the port connecting to the 3560 is configured as:
    interface Ethernet3/26
      description DX_3560_uplink
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 16,99
      no shutdown
    Now, the problem I'm currently having is that on the 3560, things route fine between VLANs. However, from a server within one of the VLANs, say, 18, trying to ping the default gateway of the 3560 fails. I can ping 10.0.6.2, which is the 3560 end of VLAN 16, but I can't get over to 10.0.6.1 and beyond. I suspect it relates to what you said about "the only thing missing is you also need routes on the Nexus switch for the IP subnets on your 3560 and the next hop IP would be 10.0.6.2 ie the vlan 16 SVI IP on the 3560"
    I suspect that, in layman's (my terms!) terms, the Nexus simply doesn't know about the networks 10.0.8.1 (VLAN 18), 10.0.9.1 (VLAN 19) and so on.
    So, I need routes on my Nexus to fix this. The problem is, I'm not quite sure what that looks like.
    Would it be:
    ip route 10.0.8.0 255.255.255.0 10.0.6.2
    ip route 10.0.9.0 255.255.255.0 10.0.6.2 and so on?
    To give a bit of history, prior to me creating VLANs 18-22 on the 3560, all VLANs originally existed on the Nexus. Everything routed fine out to the internet, for all of the VLANs (with the same subnet settings that I have configured, i.e. 10.0.8.x for VLAN 18 etc), so I'm presuming once I get the Nexus to understand that the IP subnets live on the 3560, traffic should flow successfully to the internet.
    Should.... :-)

  • Two Nexus 5020 vPC etherchannel with Two Catalyst 6500 VSS

    Hi,
    we are fighting with a 40 Gbps etherchannel between 2 Nx 5000 and 2 Catalyst 6500 but the etherchannel never comes up. Here is the config:
    NK5-1
    interface port-channel30
      description Trunk hacia VSS 6500
      switchport mode trunk
      vpc 30
      switchport trunk allowed vlan 50-54
      speed 10000
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30
    NK5-2
    interface port-channel30
      description Trunk hacia VSS 6500
      switchport mode trunk
      vpc 30
      switchport trunk allowed vlan 50-54
      speed 10000
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      beacon
      channel-group 30
    Catalyst 6500 VSS
    interface Port-channel30
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    interface TenGigabitEthernet2/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet2/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet1/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    interface TenGigabitEthernet1/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    channel-protocol lacp
    channel-group 30 mode passive
    The "Show vpc 30" is as follows
    N5K-2# sh vpc 30
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  success     success                    -         
    But the "Show vpc Consistency-parameters vpc 30" is
    N5K-2# sh vpc consistency-parameters vpc 30
    Legend:
        Type 1 : vPC will be suspended in case of mismatch
    Name                             Type  Local Value            Peer Value
    Shut Lan                         1     No                     No
    STP Port Type                    1     Default                Default
    STP Port Guard                   1     None                   None
    STP MST Simulate PVST            1     Default                Default
    mode                             1     on                     -
    Speed                            1     10 Gb/s                -
    Duplex                           1     full                   -
    Port Mode                        1     trunk                  -
    Native Vlan                      1     1                      -
    MTU                              1     1500                   -
    Allowed VLANs                    -     50-54                  50-54
    Local suspended VLANs            -     -                      -
    We will appreciate any advice,
    Thank you very much for your time...
    Jose

    Hi Lucien,
    here is the "show vpc brief"
    N5K-2# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                   : 5  
    Peer status                     : peer adjacency formed ok     
    vPC keep-alive status           : peer is alive                
    Configuration consistency status: success
    Per-vlan consistency status     : success                      
    Type-2 consistency status       : success
    vPC role                        : secondary                    
    Number of vPCs configured       : 2  
    Peer Gateway                    : Disabled
    Dual-active excluded VLANs      : -
    Graceful Consistency Check      : Enabled
    vPC Peer-link status
    id   Port   Status Active vlans   
    1    Po5    up     50-54                                                   
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  success     success                    -         
    31     Po31        down*  failed      Consistency Check Not      -         
                                          Performed                            
    *************************************************************************+
    *************************************************************************+
    N5K-1# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                   : 5  
    Peer status                     : peer adjacency formed ok     
    vPC keep-alive status           : peer is alive                
    Configuration consistency status: success
    Per-vlan consistency status     : success                      
    Type-2 consistency status       : success
    vPC role                        : primary                      
    Number of vPCs configured       : 2  
    Peer Gateway                    : Disabled
    Dual-active excluded VLANs      : -
    Graceful Consistency Check      : Enabled
    vPC Peer-link status
    id   Port   Status Active vlans   
    1    Po5    up     50-54                                                   
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    30     Po30        down*  failed      Consistency Check Not      -         
                                          Performed                            
    31     Po31        down*  failed      Consistency Check Not      -         
                                          Performed             
    I have changed the lacp on both devices to active:
    On Nexus N5K-1/-2
    interface Ethernet1/3
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30 mode active
    interface Ethernet1/4
      switchport mode trunk
      switchport trunk allowed vlan 50-54
      channel-group 30 mode active    
    On Catalyst 6500
    interface TenGigabitEthernet2/1/2-3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    switchport mode trunk
    channel-protocol lacp
    channel-group 30 mode active
    interface TenGigabitEthernet1/1/2-3
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 50-54
    switchport mode trunk
    channel-protocol lacp
    channel-group 30 mode active
    Thanks for your time.
    Jose
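    The channel-group modes posted at each end of this link can be checked for compatibility mechanically. The following is an added example, not part of the original posts or Cisco code: it parses `channel-group` lines from both configs and reports whether the mode pair can form a bundle. It assumes a `channel-group` line with no mode keyword means static "on" (as the consistency output above reports), and the function names are hypothetical.

```python
import re

# Constructed sample input: member-port excerpts based on the configs
# posted in this thread (as first posted, then after the change to "active").
NEXUS_BEFORE = """\
interface Ethernet1/3
  channel-group 30
interface Ethernet1/4
  channel-group 30
"""
CATALYST_BEFORE = """\
interface TenGigabitEthernet2/1/2
 channel-group 30 mode passive
interface TenGigabitEthernet1/1/2
 channel-group 30 mode passive
"""
NEXUS_AFTER = NEXUS_BEFORE.replace("channel-group 30", "channel-group 30 mode active")
CATALYST_AFTER = CATALYST_BEFORE.replace("mode passive", "mode active")

CG_RE = re.compile(r"^\s*channel-group\s+(\d+)(?:\s+mode\s+(\S+))?", re.I)
IF_RE = re.compile(r"^interface\s+(\S+)", re.I)

def channel_modes(config, group):
    """Return {interface: mode} for members of `group`.
    Assumption: a channel-group line with no mode keyword means static "on"."""
    modes, current = {}, None
    for line in config.splitlines():
        m = IF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CG_RE.match(line)
        if m and current and int(m.group(1)) == group:
            modes[current] = (m.group(2) or "on").lower()
    return modes

def pair_verdict(a, b):
    """Classify one mode pair: can the two ends form a bundle?"""
    pair = {a, b}
    if not pair <= {"on", "active", "passive"}:
        return "UNSUPPORTED: mode other than on/active/passive"
    if pair == {"on"}:
        return "static bundle (no LACP)"
    if "on" in pair:
        return "MISMATCH: one end static, other end expects LACP"
    if pair == {"passive"}:
        return "MISMATCH: both passive, neither end starts LACP"
    return "LACP bundle"

def check(side_a, side_b, group):
    """Compare every distinct mode on side A against every mode on side B."""
    a_modes = set(channel_modes(side_a, group).values())
    b_modes = set(channel_modes(side_b, group).values())
    if not a_modes or not b_modes:
        return ["MISMATCH: group %d has no members on one side" % group]
    return sorted({pair_verdict(a, b) for a in a_modes for b in b_modes})

if __name__ == "__main__":
    print("before:", check(NEXUS_BEFORE, CATALYST_BEFORE, 30))
    print("after: ", check(NEXUS_AFTER, CATALYST_AFTER, 30))
```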

  • ESXi 4.1 NIC Teaming's Load-Balancing Algorithm, Nexus 7000 and UCS

    Hi, Cisco Gurus:
    Please help me in answering the following questions (UCSM 1.4(xx), 2 UCS 6140XP, 2 Nexus 7000, M81KR in B200-M2, No Nexus 1000V, using VMware Distributed Switch):
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned?
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct?
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES?
    I would really appreciate if someone can help me clear these lingering doubts of mine.
    God Bless.
    SiM

    Sim,
    Here are my thoughts without a 1000v in place,
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?   //Yes, for vPC to UCS the best practice is to bowtie uplink to (2) 7K or 5Ks.
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned? //The port channel will be configured on both the UCSM and the 7K. The pro of a port channel would be both bandwidth and redundancy. vPC would be preferred.
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct? //Without the 1000v, I always tend to leave the dvSwitch load balance behavior at the default of "route by portID".
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES? //UCS can perform L2 but Northbound should be performing L3.
    Cheers,
    David Jarzynka

  • Using SNMP to monitor Nexus 7000 Series Supervisor Module

    Hello,
    I got a Nexus 7000 supervisor module recently, and I ran into an SNMP problem with this module.
    I would like to know which specific OIDs to use to monitor the following using SNMP on a Nexus 7000 supervisor module:
    - Port status
    - CPU total utilization
    - Power Supply status
    - Chassis Fan status
    etc.
    The Nexus is quite different from other Cisco devices - any help will be appreciated!

    Hope this helps:
    port status OID is ifOperStatus
    CPU total utilization OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
    [root@NET-MONITOR-1 ~]# 
    [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 ifDescr.83886080
    .1.3.6.1.2.1.2.2.1.2.83886080 = STRING: mgmt0
    [root@NET-MONITOR-1 ~]# 
    [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 ifOperStatus.83886080
    .1.3.6.1.2.1.2.2.1.8.83886080 = INTEGER: up(1)
    [root@NET-MONITOR-1 ~]# 
    [root@NET-MONITOR-1 ~]# snmpwalk -On -v 2c -c 360buy 172.17.0.253 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
    .1.3.6.1.4.1.9.9.109.1.1.1.1.6.1 = Gauge32: 21
    [root@NET-MONITOR-1 ~]#
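    The numeric `snmpwalk -On` output shown in this reply can be turned into a simple poll check. The following is an added example, not part of the original post: it parses varbind lines, joins ifDescr to ifOperStatus by ifIndex, and reports interfaces that are not up and CPU readings at or above a threshold. The sample lines are constructed (the second interface is made up), and the function names and the threshold of 80 are assumptions.

```python
import re

# Constructed sample in the "snmpwalk -On" format shown above.
# The second interface (ifIndex 436207616, down) is made up for illustration.
SAMPLE = """\
[root@NET-MONITOR-1 ~]#
.1.3.6.1.2.1.2.2.1.2.83886080 = STRING: mgmt0
.1.3.6.1.2.1.2.2.1.2.436207616 = STRING: Ethernet1/1
.1.3.6.1.2.1.2.2.1.8.83886080 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.436207616 = INTEGER: down(2)
.1.3.6.1.4.1.9.9.109.1.1.1.1.6.1 = Gauge32: 21
"""
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"            # ifDescr column
IF_OPER = "1.3.6.1.2.1.2.2.1.8"             # ifOperStatus column, 1 = up
CPU_TOTAL = "1.3.6.1.4.1.9.9.109.1.1.1.1.6"  # CPU OID given in the reply, minus the instance
LINE_RE = re.compile(r"^\.?([\d.]+) = (\w+): (.*)$")

def parse_walk(text):
    """Yield (oid, type, value) per varbind line; prompts and noise are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.groups()
        if typ == "INTEGER":
            # Enumerated values print as "up(1)"; plain ones as "7".
            e = re.search(r"\((-?\d+)\)\s*$", val) or re.match(r"(-?\d+)", val)
            val = int(e.group(1)) if e else val
        elif typ in ("Gauge32", "Counter32"):
            val = int(val)
        elif typ == "STRING":
            val = val.strip('"')
        yield oid, typ, val

def split_index(oid, base):
    """Return the instance suffix if oid sits under base, else None."""
    return oid[len(base) + 1:] if oid.startswith(base + ".") else None

def summarize(text, cpu_threshold=80):
    """Group varbinds by column, then report non-up ports and high CPU."""
    names, status, cpu = {}, {}, {}
    for oid, _typ, val in parse_walk(text):
        for base, table in ((IF_DESCR, names), (IF_OPER, status), (CPU_TOTAL, cpu)):
            idx = split_index(oid, base)
            if idx is not None:
                table[idx] = val
    not_up = sorted(names.get(i, "ifIndex " + i) for i, s in status.items() if s != 1)
    hot = {i: v for i, v in cpu.items() if v >= cpu_threshold}
    return {"not_up": not_up, "cpu": cpu, "cpu_over_threshold": hot}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```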

  • Rule based span on Nexus 7000

    Hi all,
    I'm trying to configure rule based span on my Nexus 7000.
    I want to monitor some vlans, but limit the traffic going to my monitor station by using frame-type ipv4 filter.
    The link below explains how to configure it, but my nexus doesn't recognise the command "mode extended".
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1286697
    Am I missing something? I'm running version 6.1.3.
    Thanks,
    Joris
    NEXUS(config)# monitor session 1
    NEXUS(config-monitor)# mode extended
                                       ^
    % Invalid command at '^' marker.
    NEXUS(config-monitor)# mode ?
    *** No matching command found in current mode, matching in (exec) mode ***
      connect  Notify system on modem connection
      restart  Reenabling modem port

    Hi Joris,
    The rule based SPAN filtering was not introduced until NX-OS 6.2 so will not be available to you with NX-OS 6.1(3).
    See the section SPAN in the NX-OS 6.2 release notes.
    Regards
