Nexus 7010 ARP and COPP
Hello Nexus Gurus,
I have had numerous instances where Broadcom NICs on Dell servers have started storming the LAN with directed ARP requests (unicast) for addresses off the subnet of the station sending the request. I've had stations send 2GB of ARP requests to the 7K in under a minute in some cases. Oddly this has not completely taken out the data center. It has only caused weird temporary outages to some servers throughout various subnets. I have no idea why the EDC wasn't taken out, but I assume that many servers were saved due to the preconfigured COPP configuration.
class-map type control-plane match-any copp-system-class-redirect
match redirect arp-inspect
Can anyone explain the behavior above as well as what that class-map does?
Does anyone have a solution to prevent these unicast ARP storms in the future?
Any insight would be much appreciated.
/r
Rob
We are seeing issues with our Broadcom NIC, Dell, Hyper-V servers with NIC teaming to separate Nexus 2248s, where random virtual servers will stop responding; sometimes they eventually start responding again, sometimes we move them to a different chassis. Is that the kind of "weird temporary outages" you were experiencing? And how did you find the ARP storms?
Thanks
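One way to look for the pattern described in this thread (unicast ARP requests for targets outside the sender's own subnet) in ARP metadata exported from a capture, as an added example that is not from the original posters. The record layout, the /24 prefix length, the one-second window and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1  # ARP opcode 1 = request, 2 = reply

# Constructed sample records (not captured traffic):
# (time_s, src_mac, dst_mac, arp_opcode, sender_ip, target_ip)
GATEWAY_MAC = "02:00:00:00:00:fe"
NOISY_MAC = "02:00:00:00:00:01"
SAMPLE = (
    # 50 unicast requests in half a second, all for targets outside 10.1.1.0/24
    [(0.01 * i, NOISY_MAC, GATEWAY_MAC, 1, "10.1.1.20", f"10.2.0.{i + 1}")
     for i in range(50)]
    + [
        # ordinary broadcast request: ignored
        (0.20, "02:00:00:00:00:02", BROADCAST_MAC, 1, "10.1.1.30", "10.1.1.1"),
        # unicast refresh of an on-subnet neighbour: ignored
        (0.40, "02:00:00:00:00:03", GATEWAY_MAC, 1, "10.1.1.40", "10.1.1.1"),
        # ARP reply: ignored
        (0.50, GATEWAY_MAC, "02:00:00:00:00:03", 2, "10.1.1.1", "10.1.1.40"),
        # a single stray off-subnet unicast request: counted, below threshold
        (1.50, "02:00:00:00:00:03", GATEWAY_MAC, 1, "10.1.1.40", "10.9.9.9"),
    ]
)


def peak_offsubnet_unicast_rate(records, prefix_len=24, window_s=1.0):
    """Return {src_mac: peak count per window} of unicast ARP requests whose
    target IP lies outside the sender's own subnet (sender_ip/prefix_len)."""
    per_window = defaultdict(int)
    for ts, src_mac, dst_mac, opcode, sender_ip, target_ip in records:
        if opcode != ARP_REQUEST or dst_mac.lower() == BROADCAST_MAC:
            continue
        subnet = ipaddress.ip_network(f"{sender_ip}/{prefix_len}", strict=False)
        if ipaddress.ip_address(target_ip) in subnet:
            continue
        per_window[(src_mac.lower(), int(ts // window_s))] += 1
    peaks = {}
    for (mac, _window), count in per_window.items():
        peaks[mac] = max(peaks.get(mac, 0), count)
    return peaks


def storm_sources(records, threshold=10, **kwargs):
    """Sorted MACs whose peak per-window rate reaches the threshold."""
    peaks = peak_offsubnet_unicast_rate(records, **kwargs)
    return sorted(mac for mac, peak in peaks.items() if peak >= threshold)


if __name__ == "__main__":
    for mac, peak in sorted(peak_offsubnet_unicast_rate(SAMPLE).items()):
        print(f"{mac} peak={peak}/window")
    print("flagged:", storm_sources(SAMPLE))
```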
Similar Messages
-
Nexus 7010 - CM1 and CM2 slots??
Hello,
Does anybody know what the CM1 and CM2 slots are designed for on the N7K10 switch?
It's very hard to find any description for these.
Regards,
Thibault.
Hello Lucien,
Thanks a lot for your answer.
I tried to find some info on this module on the Cisco website but nothing...
Does this module actually exist?
Regards,
Thibault. -
Nexus 7010 Loses Config after power off
Recently we installed a pair of Nexus 7010s and we recently moved them to an APC rack better suited for their size. Upon powering them up we found out that the VDCs lost their configurations. The VDCs and the allocated resources were still there, as well as the default VDC configuration, but the other 2 we have configured had their configurations missing. We have been observing best practices and saving the configuration to NVRAM with the copy run start command as well as the copy run start vdc-all commands, yet the configurations were still lost.
Can anyone shed some light on what the problem may be?
Thank you in advance for your help!
We had the same issue; TAC told us to reset the supv ... you might want to save your config ;-) It worked for us. -
Port-channel L2 problem with Fabric Interconnect and Nexus 7010
Hi,
I am using a port-channel from both Fabric Interconnects to the N7K, with 3 cables per Fabric Interconnect.
But my problem is that when I create the port-channel, the Fabric Interconnect doesn't support mode ON and rate-mode share on the 10G interfaces of the Nexus 7010.
I tried:
1. Using a non-dedicated port in the Nexus 7010:
- rate-mode share
- channel-group 1 mode active
- switchport mode trunk
With this option, the port-channel on the Nexus 7010 was suspended.
2. Using a non-dedicated port in the Nexus 7010:
- rate-mode share
- channel group 1 mode on
- switchport mode trunk
With this option, the port-channel on the Nexus 7010 came up, but on the Fabric Interconnect it failed.
3. Using a dedicated port in the Nexus 7010:
- rate-mode share
- channel group 1 mode active
- switchport mode trunk
With this option, the port-channel on the Nexus 7010 was suspended.
4. Using a dedicated port in the Nexus 7010:
- rate-mode dedicated
- channel group 1 mode active
- switchport mode trunk
With this option, the port-channel on the Nexus 7010 came up and ran well.
But the problem is that my customer does not want to use dedicated rate-mode. If I use dedicated mode, only 8 interfaces are available instead of 32 ports. I want to use rate-mode share on the Nexus 7010.
Is there any way to configure a port-channel using mode on in the Fabric Interconnect? I tried using the CLI to create a port-channel in the Fabric Interconnect, but I cannot configure the channel-group protocol.
I attach the topology of the N7K with the Fabric Interconnects.
regards,
Berwin H
Hi Manish,
The issue was solved; I fixed it last week.
The solution is:
I enabled the license grace-period (since my license is Enterprise, I cannot create a VDC), then I created a VDC (e.g. VDC 2) and allocated the interfaces on all N7K-M132XP-12 modules to VDC 2. After that I deleted VDC 2, and all interfaces went back to VDC 1 (the default VDC). Then I enabled rate-mode share on the dedicated ports and bundled them into a port-channel, and it's working.
I don't know why they must be moved to a VDC first before it works; maybe Cisco can explain the reason.
So here is the result of my port-channel:
SVRN7KFARM-HO-01# show port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
Group Port-       Type     Protocol  Member Ports
      Channel
1     Po1(SU)     Eth      LACP      Eth1/1(P)    Eth1/2(P)    Eth1/3(P)
                                     Eth1/4(P)    Eth1/25(P)
2     Po2(SU)     Eth      LACP      Eth1/9(P)    Eth1/10(P)   Eth1/11(P)
                                     Eth1/12(P)   Eth1/26(P)
3     Po3(SU)     Eth      LACP      Eth1/17(P)   Eth1/18(P)
4     Po4(SU)     Eth      NONE      Eth10/32(P)  Eth10/34(P)  Eth10/35(P)
                                     Eth10/36(P)
Thanks.
Berwin H -
Hi,
We are currently seeing issues on an ESX host using 10G fibre dual connectivity to a pair of Nexus 7010s, using vPC for the port channel to this ESX host, which was working fine up to this weekend. No changes had been made on the Nexus or ESX host.
We have changed the hardware path for the believed fault on a vmnic which, when part of the virtual switch, causes VMs on the host to stop pinging, although we still see a CDP neighborship with the ESX from the Nexus; but changing fibre and Nexus ports has not worked.
As part of the testing, the VMware guy was removing this 'faulty' vmnic from the virtual switch, which is part of an EtherChannel bundle at his end. My first question is: how does the Nexus detect a link leaving the bundle for the ESX host when the actual physical link is still up and all they have done is remove it in software on the ESX, as the Nexus will still attempt to push traffic across both bundled links? I know there is the Cisco 1000V software, which can be used at an extra price, but is this the only option?
Any help will be gladly welcome.
Hi
How the switch detects a link 'moving out' of the Etherchannel would depend on how you have configured it...
If you have used 'channel-group x mode on' under the physical ports in the channel, then it will not detect the change, and you will get problems. The solution is to ensure the config of the channel on both ends (server/switch) is consistent in this case. An inconsistent config will cause you connectivity issues.
If the switch automatically negotiates the Etherchannel (i.e. you are using LACP, and the server supports LACP) then it should detect the change.
Regards
Aaron
Please rate helpful posts... -
Private-VLAN using Nexus 7010 and 2248TP FEX
I have a Nexus 7010 with several 2248TP FEX modules.
I am trying to configure a Private VLAN on one of the FEX host ports.
I see in the documentation you can't do promiscuous, but I can't even get the host only configuration to take.
Software
BIOS: version 3.22.0
kickstart: version 6.0(2)
system: version 6.0(2)
sho run | inc private
feature private-vlan
vlan 11
name PVLAN_Primary
private-vlan primary
private-vlan association 12
vlan 12
name PVLAN_Secondary
private-vlan isolated
7010(config)# int e101/1/48
7010(config-if)#
7010(config-if)# switchport mode ?
access Port mode access
dot1q-tunnel Port mode dot1q tunnel
fex-fabric Port mode FEX fabric
trunk Port mode trunk
Switchport mode private-vlan doesn't even show up!!!!!!
If I try this command it says it's not allowed on the FEX port.
7010(config-if)# switchport private-vlan host-association 11 12
ERROR: Requested config not allowed on fex port
What am I doing wrong?????
Todd
Have you found a solution to this?
-Jeremy -
In reviewing the Cisco Licensing Guide, there is a license part number for MPLS on the Nexus 7010. Part Number is N7K-MPLS1K9. Is there a corresponding part number for the Nexus 7710?
For the benefit of others, here is what we found. The N7K was hitting the bug CSCtg95381.
Symptom
Nexus 7000 may punt traffic to CPU; so that the traffic may experience random delay or drop.
Further looking, ARP is learned and FIB adjacency is in FIB adjacency table.
Conditions
The problem is caused by race condition. Some hosts have not responded to the ARP refresh sent by
N7k which in turn trigger to delete ARP entry due to expiry. As a result the route delete notification is
sent to URIB from the process. However there is still traffic coming to given IP address as a result the next packet that hit glean resulting in triggering ARP and hope ARP is learnt from the host this time.
Workaround(s):
Clear ip route < host>.
This does not totally explain why it was working for certain client-server combinations, but the workaround is holding well for end-points when implemented.
There would be no host route for the destination server in the adjacency manager on N7K-01. The only thing that's there is the subnet route pointing towards the VLAN gateway address. After implementing the workaround, a new /32 route can now be seen in the adjacency manager for the server.
The bug is fixed in releases starting 5.1(5). Planning to upgrade to 5.2(3a).
Regards, Rashid. -
Critical Alarm for Nexus 7010 device
Hi Team,
We are getting Critical Alarm for the Data center device Nexus 7010 continuously from 28-Oct.
error (device hde1) in start_transaction: Journal has aborted - kernel
2012 Oct 29 10:00:18.227 DC-Core-Switch2 29 10:00:18 %KERN-2-SYSTEM_MSG: EXT3-fs
error (device hde1) in start_transaction: Journal has aborted - kernel
2012 Oct 29 10:28:37.497 DC-Core-Switch2 29 10:28:37 %KERN-2-SYSTEM_MSG: EXT3-fs
error (device hde1) in start_transaction: Journal has aborted - kernel
2012 Oct 29 10:28:42.398 DC-Core-Switch2 29 10:28:42 %KERN-2-SYSTEM_MSG: EXT3-fs
Also attaching the complete logs collected for this device; please suggest if there is any hardware-related or software-related issue.
Regards,
Ashutosh
Hello
hde1 is the logflash device. Looks like there were IO errors and the kernel mounted the fs read-only. You can try to reload the device, and if logflash comes back up fine after the reload, it's a transient issue; if the issue comes back, the logflash device is most likely badly damaged and needs to be replaced. You will need to open a service request with TAC to get it replaced.
HTH,
Alex -
Nexus 7010 bgp state change alert not triggered to NNM
Hi ,
BGP state change alert not triggered to NNM on Nexus -7010 for Monitoring.
Details of the Device:
Nexus 7010 :
Software
BIOS: version 3.22.0
kickstart: version 5.1(3)
system: version 5.1(3)
BGP neighbor status :
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.1.2 4 65505 5089234 5194515 51359 0 0 6w2d 391
172.16.1.3 4 65505 5044293 5146859 51359 0 0 30w4d 378
172.31.11.3 4 15404 120744 114811 51359 0 0 1w6d 1
172.31.42.3 4 65501 5261796 5264413 51359 0 0 2d06h 0
Snmp trap enabled:
snmp-server user admin network-admin auth md5 0x690c4ede8a88ba7f2de791dbe7a77f0a priv 0x690c4ede8a88ba7f2de791dbe7a77f0a localizedkey
snmp-server host 172.30.0.55 traps version 2c xxxx
snmp-server enable traps bgp
Downloaded cisco-bgp4-mib version, bgp4-mib tried and performed snmpwalk as given below
nnmsnmpwalk.ovpl -c xxx 172.31.15.130 .1.3.6.1.4.1.9.9.187.0.6
Error : No MIB objects contained under subtree
nnmsnmpwalk.ovpl -v 2 -c xxx 172.31.15.130 .1.3.6.1.2.1.15.3.
No MIB objects contained under subtree
Kindly advise to resolve the issue
Regards
Hari
You can set an alert for Warning State. This is feasible.
Juke Chou
TechNet Community Support -
Nexus 7010 fabric extender timing out
Hello -
We have a Nexus 7010 and we are testing out using the fabric extenders for a need. We have a demo 2224 unit and have it connected to our M132XP-12 10G blade in the 7K, but the FEX won't come online. I would have figured a possible software incompatibility, but looking at the supported list for that as well as hardware, everything seems to be in order. This is what the status shows after it spends about 15 mins in the image download state.
FEX: 111 Description: FEX0111 state: Offline
FEX version: 4.2(1)N2(1a) [Switch version: 5.1(2)]
FEX Interim version: 4.2(1)N2(1a)
Switch Interim version: 5.1(2)
Module Sw Gen: 21 [Switch Sw Gen: 21]
pinning-mode: static Max-links: 1
Fabric port for control traffic: Eth2/20
Fabric interface state:
Po11 - Interface Up. State: Active
Eth2/20 - Interface Up. State: Active
Fex Port State Fabric Port Primary Fabric
This is looped in the log details until it times out:
04/25/2011 15:31:41.986978: Module register received
04/25/2011 15:31:41.987713: Registration response sent
04/25/2011 15:31:41.987889: Requesting satellite to download image
04/25/2011 15:32:00.105031: Module register received
04/25/2011 15:32:00.105779: Registration response sent
04/25/2011 15:32:00.105956: Requesting satellite to download image
04/25/2011 15:32:20.191181: Module register received
04/25/2011 15:32:20.191957: Registration response sent
04/25/2011 15:32:20.192144: Requesting satellite to download image
We ran a debug during this and these entries are displayed when looking for errors.
2011 Apr 25 15:30:31.443745 fex: Reg resp: Failed to get card info for swcardid 132
2011 Apr 25 15:30:35.472721 fex: Cardinfo: Unknown card id to get (132)
2011 Apr 25 15:30:35.472753 fex: Reg resp: Failed to get card info for swcardid 132
2011 Apr 25 15:30:41.495302 fex: Cardinfo: Unknown card id to get (132)
I'm still doing some more searching, which so far hasn't turned up much; wanted to see if anyone has some other insight??
Thanks!
Hi Jack -
Thanks for the response. Unfortunately, yes that is already complete. I was hoping that would be an easy fix. When we upgraded to 5.1(2) we did the 5.1 EPLD. I ran the install all impact command noted below for the 5.1 EPLD just to make sure it didn't report anything else as needing upgrade.
sho install all impact epld bootflash:n7000-s1-epld.5.1.1.img
Compatibility check:
Module Type Upgradable Impact Reason
1 LC Yes disruptive Module Upgradable
2 LC Yes disruptive Module Upgradable
5 SUP Yes disruptive Module Upgradable
1 Xbar Yes disruptive Module Upgradable
2 Xbar Yes disruptive Module Upgradable
3 Xbar Yes disruptive Module Upgradable
1 FAN Yes disruptive Module Upgradable
2 FAN Yes disruptive Module Upgradable
3 FAN Yes disruptive Module Upgradable
4 FAN Yes disruptive Module Upgradable
Copy complete, now saving to disk (please wait)...
Retrieving EPLD versions... Please wait.
Images will be upgraded according to following table:
Module Type EPLD Running-Version New-Version Upg-Required
1 LC Power Manager 4.008 4.008 No
1 LC IO 1.006 1.006 No
1 LC Forwarding Engine 1.006 1.006 No
1 LC SFP 1.004 1.004 No
2 LC Power Manager 4.008 4.008 No
2 LC IO 1.016 1.016 No
2 LC Forwarding Engine 1.006 1.006 No
2 LC FE Bridge(1) 186.006 186.006 No
2 LC FE Bridge(2) 186.006 186.006 No
2 LC Linksec Engine(1) 2.006 2.006 No
2 LC Linksec Engine(2) 2.006 2.006 No
2 LC Linksec Engine(3) 2.006 2.006 No
2 LC Linksec Engine(4) 2.006 2.006 No
2 LC Linksec Engine(5) 2.006 2.006 No
2 LC Linksec Engine(6) 2.006 2.006 No
2 LC Linksec Engine(7) 2.006 2.006 No
2 LC Linksec Engine(8) 2.006 2.006 No
5 SUP Power Manager 3.009 3.009 No
5 SUP IO 3.028 3.028 No
5 SUP Inband 1.008 1.008 No
5 SUP Local Bus CPLD 3.000 3.000 No
5 SUP CMP CPLD 6.000 6.000 No
1 Xbar Power Manager 2.010 2.010 No
2 Xbar Power Manager 2.010 2.010 No
3 Xbar Power Manager 2.010 2.010 No
1 FAN Fan Controller (1) 0.007 0.007 No
1 FAN Fan Controller (2) 0.007 0.007 No
2 FAN Fan Controller (1) 0.007 0.007 No
2 FAN Fan Controller (2) 0.007 0.007 No
3 FAN Fan Controller (1) 0.007 0.007 No
3 FAN Fan Controller (2) 0.007 0.007 No
4 FAN Fan Controller (1) 0.007 0.007 No
4 FAN Fan Controller (2) 0.007 0.007 No -
We currently have two Nexus 7010 with 5.0(2a) as system images.
We would need to know the correct upgrade path to 6.1(1). On the release notes it reads the path is from 4.2(8), 5.0(5) or 5.1(6) to 5.2(5) then to 6.1(1).
Also, we need to know if ISSU is possible or, because we may need to upgrade EPLD, if there is no upgrade path to do a non-disruptive upgrade.
You probably need to dig a little deeper to get a definitive answer (sup1 or 2, type of cards, etc..) but here is a diagram in the release notes for 6.1 found here:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/release/notes/61_nx-os_release_note.html
If this post answers your question or is helpful, please consider rating it and/or marking as answered. -
Question about Nexus 7010.
Hello everybody,
Just a quick question: how do you restore a running-config (or a Nexus .bin file) to a Nexus 7010? Is it the same process as the IOS-based scenario? Please explain and help. Thank you in advance.
--chie
Copy tftp: running-config should work. See below; there are other options as well.
NX7K02-agg# copy ?
bootflash: Select source filesystem
core: Select source filesystem
debug: Select source filesystem
ftp: Select source filesystem
log: Select source filesystem
logflash: Select source filesystem
nvram: Select source filesystem
running-config Copy running configuration to destination
scp: Select source filesystem
sftp: Select source filesystem
slot0: Select source filesystem
startup-config Copy startup configuration to destination
system: Select source filesystem
tftp: Select source filesystem
usb1: Select source filesystem
usb2: Select source filesystem
volatile: Select source filesystem
NX7K02-agg# copy tftp: ?
bootflash: Select destination filesystem
debug: Select destination filesystem
log: Select destination filesystem
logflash: Select destination filesystem
nvram: Select destination filesystem
running-config Copy from source to running configuration
slot0: Select destination filesystem
startup-config Copy from source to startup configuration
system: Select destination filesystem
usb1: Select destination filesystem
usb2: Select destination filesystem
volatile: Select destination filesystem
NX7K02-agg# copy tftp: running-config -
Hi all.
The problem.
Today I updated my Nexus 7010 sup1 from 6.1.4a to 6.2.8.
I wanted to do it in ISSU mode, but after the impact check I got this:
Compatibility check is done:
Module bootable Impact Install-type Reason
1 yes non-disruptive rolling
2 yes non-disruptive rolling
3 yes non-disruptive rolling
4 yes non-disruptive rolling
5 yes disruptive reset Some LACP ports not in steady state or operating in 'rate fast' mode.
6 yes disruptive reset Some LACP ports not in steady state or operating in 'rate fast' mode.
7 yes non-disruptive rolling
8 yes non-disruptive rolling
9 yes non-disruptive rolling
10 yes non-disruptive rolling
Additional info for this installation:
Service "lacp" in vdc 1: LACP: Upgrade will be disruptive as 6 switch ports and 0 fex ports are not upgrade ready!!
Issue the "show lacp issu-impact" cli for more details.
(modified the impact to <Hitful> for module <6>)
Do you want to continue with the installation (y/n)? [n] y
I went on with yes, and the update script rebooted both sups after updating all modules.
It was quite a surprise for me (yes, I know I should have seen the word "disruptive" next to my sups 5 and 6), because I had already done two ISSU updates on two Nexuses (from 5.1.* -> 5.2.7 and 5.2.7 -> 6.1.4a) and didn't have any trouble with LACP timers. Is it a new feature of the 6.* train?
I have another Nexus that I want to update, and it also has the same problem with LACP timers.
show install all impact gives me the same disruptive result because of LACP.
Can I somehow suppress such ISSU behavior in the case of LACP? I don't have vPC, just ordinary PC.
It would be far better if some LACP interfaces flapped in the process than the almost 14 minutes of full 7010 chassis reboot that I had.
The problem with LACP timers, though, is that they must be the same on the switch side and on the other side. In the case of switches, Linux boxes or HP VCs, changing LACP timers isn't a big problem. It is a biggg problem in the case of Windows Server.
sh lacp interface ethernet 8/13
Interface Ethernet8/13 is up
Channel group is 13 port channel is Po13
Local Port: Eth8/13 MAC Address= 40-55-39-23-1e-c1
System Identifier=0x8000, Port Identifier=0x8000,0x80d
Operational key=12
LACP_Activity=active
LACP_Timeout=Long Timeout (30s)
Neighbor: 0x1
MAC Address= ac-16-2d-a4-f2-54
System Identifier=0xffff, Port Identifier=0xff,0x1
Operational key=17
LACP_Activity=active
LACP_Timeout=short Timeout (1s)
They must be the same and equal 30s for successful ISSU
You probably need to dig a little deeper to get a definitive answer (sup1 or 2, type of cards, etc..) but here is a diagram in the release notes for 6.1 found here:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/release/notes/61_nx-os_release_note.html
If this post answers your question or is helpful, please consider rating it and/or marking as answered. -
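A pre-upgrade check for the LACP condition reported in this thread, as an added example that is not from the original posters: it parses `show lacp interface` text and lists ports where either side is not on the 30s timeout. The first interface in the sample is the output quoted in the post, the second interface is constructed, and the function names are hypothetical.

```python
import re

# Ethernet8/13 is the output quoted in the thread; Ethernet8/14 is constructed.
SAMPLE = """\
Interface Ethernet8/13 is up
Channel group is 13 port channel is Po13
Local Port: Eth8/13 MAC Address= 40-55-39-23-1e-c1
System Identifier=0x8000, Port Identifier=0x8000,0x80d
Operational key=12
LACP_Activity=active
LACP_Timeout=Long Timeout (30s)
Neighbor: 0x1
MAC Address= ac-16-2d-a4-f2-54
System Identifier=0xffff, Port Identifier=0xff,0x1
Operational key=17
LACP_Activity=active
LACP_Timeout=short Timeout (1s)
Interface Ethernet8/14 is up
Channel group is 14 port channel is Po14
Local Port: Eth8/14 MAC Address= 02-00-00-00-00-0a
LACP_Activity=active
LACP_Timeout=Long Timeout (30s)
Neighbor: 0x2
MAC Address= 02-00-00-00-00-0b
LACP_Activity=active
LACP_Timeout=Long Timeout (30s)
"""

INTERFACE_RE = re.compile(r"Interface (\S+) is ")
TIMEOUT_RE = re.compile(r"LACP_Timeout=\s*\w+ Timeout \((\d+)s\)", re.I)


def parse_lacp_timeouts(text):
    """Return {interface: {"local": seconds, "neighbor": seconds}}."""
    ports = {}
    current = side = None
    for raw in text.splitlines():
        line = raw.strip()  # device output is indented; the pasted copy is not
        match = INTERFACE_RE.match(line)
        if match:
            current = ports.setdefault(match.group(1), {})
            side = None
        elif current is None:
            continue
        elif line.startswith("Local Port:"):
            side = "local"
        elif line.startswith("Neighbor:"):
            side = "neighbor"
        else:
            match = TIMEOUT_RE.match(line)
            if match and side:
                current[side] = int(match.group(1))
    return ports


def issu_blockers(text, required_s=30):
    """Return {interface: [sides]} where a side's timeout is not required_s.
    A side that was never parsed is reported too, so gaps are not trusted."""
    blockers = {}
    for port, timeouts in parse_lacp_timeouts(text).items():
        bad = [s for s in ("local", "neighbor") if timeouts.get(s) != required_s]
        if bad:
            blockers[port] = bad
    return blockers


if __name__ == "__main__":
    for port, sides in issu_blockers(SAMPLE).items():
        print(f"{port}: not on 30s timeout -> {', '.join(sides)}")
```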
mgmt0 Interface only in Admin VDC in Nexus 7010
Hi guys,
I created two new VDCs in a Nexus 7010 (NX-OS 6.2.6) and I can see the mgmt0 interface only in the Admin VDC.
I wanted to see mgmt0 in all VDCs.
Has anyone else had this problem?
My Best Regards,
Andre Gustavo Lomonaco
Hi Reza,
Thanks for your reply.
If the user runs the setup wizard, the interface mgmt0 will be created in the VDC.
If the user doesn't run the setup wizard, the interface mgmt0 will not be created and you will only need
to use the interface mgmt 0 command to create the interface.
Thanks a lot -
How to do routing on N7K-F248XP-25E (Nexus 7010) ?
Hi all,
Please educate me on the following scenario: I have a Nexus 7010 with 2 L3 modules, N7K-M132XP-12L and N7K-M148GT-11L. Now, to add more ports for end devices, I am adding the module N7K-F248XP-25E, and I believe it's for Layer 2 switching only. Is there a way to do routing on these L2 modules without having to go to the L3 modules? Thanks for all help.
"Is there a way to do routing on these L2 modules without having to go to the L3 modules ?"
No. If you have an M1/M2 card and routing is enabled, the F2E card will "step down" and do Layer 2 work. All Layer 3 work will be done by the M1/M2 card.