Private-VLAN using Nexus 7010 and 2248TP FEX

I have a Nexus 7010 with several 2248TP FEX modules.
I am trying to configure a Private VLAN on one of the FEX host ports.
I see in the documentation you can't do promiscuous but I can't even get the host only configuration to take.
Software
  BIOS:      version 3.22.0
  kickstart: version 6.0(2)
  system:    version 6.0(2)
sho run | inc private
feature private-vlan
vlan 11
  name PVLAN_Primary
  private-vlan primary
  private-vlan association 12
vlan 12
  name PVLAN_Secondary
  private-vlan isolated
7010(config)# int e101/1/48
7010(config-if)#
7010(config-if)# switchport mode ?
  access        Port mode access
  dot1q-tunnel  Port mode dot1q tunnel
  fex-fabric    Port mode FEX fabric
  trunk         Port mode trunk
Switchport mode private-vlan doesn't even show up!!!!!!
If I try this command it says it's not allowed on the FEX port.
7010(config-if)# switchport private-vlan host-association 11 12
ERROR: Requested config not allowed on fex port
What am I doing wrong?????
Todd

Have you found a solution to this?
-Jeremy
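
An added example (not part of the original thread and not Cisco tooling): a small Python audit that parses private-VLAN definitions in the running-config format quoted above and checks that every secondary VLAN is associated with a primary and that every host port references a valid primary/secondary pair. VLAN 13 and the Ethernet1/1x interface stanzas are constructed sample data, and `private-vlan association` is assumed to carry a plain VLAN list as it does in the quoted output.

```python
import re

# Constructed sample: VLANs 11 and 12 follow the post; VLAN 13 and the
# interface stanzas are invented to exercise the checks.
SAMPLE_CONFIG = """\
feature private-vlan
vlan 11
  name PVLAN_Primary
  private-vlan primary
  private-vlan association 12
vlan 12
  name PVLAN_Secondary
  private-vlan isolated
vlan 13
  name Orphan_Isolated
  private-vlan isolated
interface Ethernet1/10
  switchport mode private-vlan host
  switchport private-vlan host-association 11 12
interface Ethernet1/11
  switchport mode private-vlan host
  switchport private-vlan host-association 11 13
interface Ethernet1/12
  switchport mode private-vlan host
"""

SECONDARY_TYPES = ("isolated", "community")


def expand_vlans(spec):
    """Expand a VLAN list such as '12,14-16' into a set of integers."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_config(text):
    """Return (feature_enabled, vlans, interfaces) from running-config text."""
    feature, vlans, ifaces = False, {}, {}
    current = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new stanza
            current = kind = None
            if line == "feature private-vlan":
                feature = True
            elif m := re.fullmatch(r"vlan (\d+)", line):
                kind = "vlan"
                current = vlans.setdefault(int(m.group(1)), {"type": None, "assoc": set()})
            elif m := re.fullmatch(r"interface (\S+)", line):
                kind = "iface"
                current = ifaces.setdefault(m.group(1), {"host_mode": False, "pair": None})
        elif kind == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                current["type"] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association ([\d,\- ]+)", line):
                current["assoc"] |= expand_vlans(m.group(1))
        elif kind == "iface":
            if line == "switchport mode private-vlan host":
                current["host_mode"] = True
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                current["pair"] = (int(m.group(1)), int(m.group(2)))
    return feature, vlans, ifaces


def audit(text):
    """Return a list of findings; an empty list means the PVLAN config is consistent."""
    feature, vlans, ifaces = parse_config(text)
    findings = []
    if not feature:
        findings.append("feature private-vlan is not enabled")
    primaries = {v for v, d in vlans.items() if d["type"] == "primary"}
    secondaries = {v for v, d in vlans.items() if d["type"] in SECONDARY_TYPES}
    associated = set()
    for p in sorted(primaries):
        for s in sorted(vlans[p]["assoc"]):
            associated.add(s)
            if s not in secondaries:
                findings.append(f"vlan {p}: association lists {s}, which is not a secondary VLAN")
    for s in sorted(secondaries - associated):
        findings.append(f"vlan {s}: {vlans[s]['type']} VLAN is not associated with any primary VLAN")
    for name, d in ifaces.items():
        if d["pair"] is None:
            if d["host_mode"]:
                findings.append(f"{name}: private-vlan host mode without a host-association")
            continue
        p, s = d["pair"]
        if not d["host_mode"]:
            findings.append(f"{name}: host-association set but port is not in private-vlan host mode")
        if p not in primaries:
            findings.append(f"{name}: VLAN {p} is not a primary VLAN")
        elif s not in vlans[p]["assoc"]:
            findings.append(f"{name}: secondary {s} is not associated with primary {p}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The audit only checks that the configuration is internally consistent; it says nothing about whether a given platform or FEX port accepts the commands.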

Similar Messages

  • Nexus 7010 and ESX Host

    Hi,
    We are currently seeing issues on an ESX Host using 10G Fibre dual connectivity to a pair of Nexus 7010s using vPC for the port channel to this ESX host, which was working fine up to this weekend. No changes had been made on the Nexus or ESX host.
    We have changed the hardware path for the believed fault on a vmnic which, when part of the virtual switch, causes VMs on the Host to stop pinging, although we still see a CDP neighborship with the ESX from the Nexus, but changing fibre and Nexus ports has not worked.
    As part of the testing, the vmware guy was removing this 'faulty' vmnic from the Virtual switch, which is part of an ether channel bundle his end. My first question is, how does the Nexus detect a link leaving the bundle for the ESX host, when the actual physical link is still up, and all they have done is software removed it from on the ESX, as the Nexus will still attempt to push traffic across both bundled links. I know there is the Cisco 1000V software, which can be used at an extra price, but is this the only option?
    Any help will be gladly welcome.

    Hi
    How the switch detects a link 'moving out' of the Etherchannel would depend on how you have configured it...
    If you have used 'channel-group x mode on' under the physical ports in the channel, then it will not detect the change, and you will get problems. The solution is to ensure the config of the channel on both ends (server/switch) is consistent in this case. An inconsistent config will cause you connectivity issues.
    If the switch automatically negotiates the Etherchannel (i.e. you are using LACP, and the server supports LACP) then it should detect the change.
    Regards
    Aaron

  • How to download MIB for NXOS or platform Nexus 7010 and Nexus 7004

    Hello,
    I need to monitor my Nexus 7004 and 7010 by my SNMP Agent, but I can't find the way to download the required MIBs.
    For information I'm running the following images:
    bootflash:///n7000-s2-dk9.6.2.6b.bin
    bootflash:///n7000-s1-dk9.6.1.5.bin
    Thanks in advance for the support
    Gildas

    The module you are running requires a minimum software version of 5.1.
    You are currently running 5.0.3 which is why the module is not
    recognized.
    Below is a link that explains this:
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/data_sheet_c78-605482.html
    Product Specification
    Table 3 lists the specifications for the Cisco Nexus 7000 32-Port 10 Gigabit Ethernet Module with XL Option.
    Table 3. Product Specifications
    Item                     Specifications
    System
    Product compatibility    Supported in all Cisco Nexus 7000 Series chassis
    Software compatibility   Cisco NX-OS Software Release 5.1 or later (minimum requirement)
    You would need to upgrade your software.
    Hope this helps.
    Regards
    Muhammed M

  • Nexus 1000V private-vlan issue

    Hello
    I need to transmit both the private-vlans (as promiscuous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that?
    Thank you in advance
    Lucas

    Control vlan is a totally separate VLAN than your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Private Vlans and trunk mode

    If we have a primary vlan 100 and associate with it
    vlan 11 over {fa0/2 work as host mode}, vlan 12 over {fa0/3 work as host mode}, they work as secondary community vlans
    and vlan 13 as isolated secondary vlan over {fa0/4 host mode}
    How can we route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}
    Could we use the fa0/1 which is connected to the L3 device as promiscuous mode and trunk mode at the same time or what ... ??
    and

    Private VLANs are all on the same subnet, so from what you are writing I see:
    100 -------------------------
          |        |        |
          |        |        |
         11       12       13
        Fa0/2    Fa0/3    Fa0/4
    and you want to route to Vlan 50, correct?
    In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

  • Nexus 7010 fabric extender timing out

    Hello -
    We have a Nexus 7010 and we are testing out using the fabric extenders for a need.  We have a demo 2224 unit and have it connected to our M132XP-12 10G blade in the 7K but the FEX won't come online.  I would have figured a possible software incompatibility but looking at the supported list for that as well as hardware everything seems to be in order.  This is what the status shows after it spends about 15 mins in the image download state.
    FEX: 111 Description: FEX0111   state: Offline
      FEX version: 4.2(1)N2(1a) [Switch version: 5.1(2)]
      FEX Interim version: 4.2(1)N2(1a)
      Switch Interim version: 5.1(2)
      Module Sw Gen: 21  [Switch Sw Gen: 21]
    pinning-mode: static    Max-links: 1
      Fabric port for control traffic: Eth2/20
      Fabric interface state:
        Po11 - Interface Up. State: Active
        Eth2/20 - Interface Up. State: Active
      Fex Port        State  Fabric Port  Primary Fabric
    This is looped in the log details until it times out:
    04/25/2011 15:31:41.986978: Module register received
    04/25/2011 15:31:41.987713: Registration response sent
    04/25/2011 15:31:41.987889: Requesting satellite to download image
    04/25/2011 15:32:00.105031: Module register received
    04/25/2011 15:32:00.105779: Registration response sent
    04/25/2011 15:32:00.105956: Requesting satellite to download image
    04/25/2011 15:32:20.191181: Module register received
    04/25/2011 15:32:20.191957: Registration response sent
    04/25/2011 15:32:20.192144: Requesting satellite to download image
    We ran a debug during this and these entries are displayed when looking for errors.
    2011 Apr 25 15:30:31.443745 fex: Reg resp: Failed to get card info for swcardid 132
    2011 Apr 25 15:30:35.472721 fex: Cardinfo: Unknown card id to get (132)
    2011 Apr 25 15:30:35.472753 fex: Reg resp: Failed to get card info for swcardid 132
    2011 Apr 25 15:30:41.495302 fex: Cardinfo: Unknown card id to get (132)
    I'm still doing some more searching which so far hasn't turned up much, wanted to see if anyone has some other insight??
    Thanks!

    Hi Jack -
    Thanks for the response.  Unfortunately, yes that is already complete.  I was hoping that would be an easy fix.  When we upgraded to 5.1(2) we did the 5.1 EPLD.  I ran the install all impact command noted below for the 5.1 EPLD just to make sure it didn't report anything else as needing upgrade.
    sho install all impact epld bootflash:n7000-s1-epld.5.1.1.img
    Compatibility check:
    Module  Type  Upgradable        Impact   Reason
         1    LC         Yes    disruptive   Module Upgradable
         2    LC         Yes    disruptive   Module Upgradable
         5   SUP         Yes    disruptive   Module Upgradable
         1  Xbar         Yes    disruptive   Module Upgradable
         2  Xbar         Yes    disruptive   Module Upgradable
         3  Xbar         Yes    disruptive   Module Upgradable
         1   FAN         Yes    disruptive   Module Upgradable
         2   FAN         Yes    disruptive   Module Upgradable
         3   FAN         Yes    disruptive   Module Upgradable
         4   FAN         Yes    disruptive   Module Upgradable
    Copy complete, now saving to disk (please wait)...
    Retrieving EPLD versions... Please wait.
    Images will be upgraded according to following table:
    Module  Type           EPLD      Running-Version   New-Version  Upg-Required
         1    LC  Power Manager              4.008       4.008           No
         1    LC  IO                         1.006       1.006           No
         1    LC  Forwarding Engine          1.006       1.006           No
         1    LC  SFP                        1.004       1.004           No
         2    LC  Power Manager              4.008       4.008           No
         2    LC  IO                         1.016       1.016           No
         2    LC  Forwarding Engine          1.006       1.006           No
         2    LC  FE Bridge(1)              186.006      186.006           No
         2    LC  FE Bridge(2)              186.006      186.006           No
         2    LC  Linksec Engine(1)          2.006       2.006           No
         2    LC  Linksec Engine(2)          2.006       2.006           No
         2    LC  Linksec Engine(3)          2.006       2.006           No
         2    LC  Linksec Engine(4)          2.006       2.006           No
         2    LC  Linksec Engine(5)          2.006       2.006           No
         2    LC  Linksec Engine(6)          2.006       2.006           No
         2    LC  Linksec Engine(7)          2.006       2.006           No
         2    LC  Linksec Engine(8)          2.006       2.006           No
         5   SUP  Power Manager              3.009       3.009           No
         5   SUP  IO                         3.028       3.028           No
         5   SUP  Inband                     1.008       1.008           No
         5   SUP  Local Bus CPLD             3.000       3.000           No
         5   SUP  CMP CPLD                   6.000       6.000           No
         1  Xbar  Power Manager              2.010       2.010           No
         2  Xbar  Power Manager              2.010       2.010           No
         3  Xbar  Power Manager              2.010       2.010           No
         1   FAN  Fan Controller (1)         0.007       0.007           No
         1   FAN  Fan Controller (2)         0.007       0.007           No
         2   FAN  Fan Controller (1)         0.007       0.007           No
         2   FAN  Fan Controller (2)         0.007       0.007           No
         3   FAN  Fan Controller (1)         0.007       0.007           No
         3   FAN  Fan Controller (2)         0.007       0.007           No
         4   FAN  Fan Controller (1)         0.007       0.007           No
         4   FAN  Fan Controller (2)         0.007       0.007           No

  • Trunking Vlans in Nexus 1000V

    I am looking to design a solution for a customer and they run a very tight hosting environment with Nexus 1000V switches and want to setup private vlans as they are running out of vlans
    I need to find some info on if it is possible to trunk a private vlan between 2 nexus switches
    Or any info on private vlans on Nexus 1000V
    Thanks
    Roger

    Hello Roger,
    Yes, pVLANs can be trunked between switches.  A good discussion can be found here.  Have you considered VXLAN as an alternative to pVLANs?  VXLAN allows up to 16M segments defined, though they differ slightly from pVLAN in that all VMs in a VXLAN segment can communicate.
    Matthew

  • Catalyst 3550 Private-VLAN

    Hi,
    I was about to purchase a 3560 for my home lab to do private VLANs because I read that 3550s do not support pvlan. To my surprise I can see the commands to do a private-vlan configuration on my 3550:
    (config-vlan)#private-vlan ?
      association       Configure association between private VLANs
      community         Configure the VLAN as a community private VLAN
      isolated          Configure the VLAN as an isolated private VLAN
      primary           Configure the VLAN as a primary private VLAN
      twoway-community  Configure the VLAN as a two way community private VLAN
    Can anyone tell me why everyone says they're not supported though the commands are available?
    Thanks in advance
    Bart

    Hi Bart,
    The IOS is obviously compiled from a common code base that is shared also for Catalyst 3560 and similar platforms. That is why you see the commands actually present. However, if you try to define a Private VLAN (either primary or secondary) and exit the VLAN configuration mode, you will get a platform error message, indicating the switch hardware could not be programmed for the Private VLAN operation.
    Private VLANs require hardware support, and if the underlying platform has no hardware provisions for supporting Private VLANs, they will not be available even if the switch IOS itself has the management features built in, as is in your case. True, the Private VLAN management commands should have not been enabled in the IOS for your platform but it's just the way it is...
    Best regards,
    Peter

  • Nexus 7010 Slot 3 problem

    Hello everyone,
     Here is my issue. We have a Nexus 7010 and for the third time now slot 3 will not allow a module to run in it. This is what we have done so far. RMA'd the module and the chassis. When the module is put into another slot it comes up without any issue. The only difference between this chassis and the other one we have is that we only have 2 of the 3 power supplies in it. The chassis itself has 2 sup mods and 3 48 port 10 gig mods. On a side note after we RMA'd the chassis slot 3 worked fine until we configured the new VDC and allocated the card to it. Any help will be appreciated.

    Yes, I am still having this issue. Here is the output you asked for.
    show diagnostic result module all
    Current bootup diagnostic level: complete
    Module 1: 1/10 Gbps Ethernet Module  
            Test results: (. = Pass, F = Fail, I = Incomplete,
            U = Untested, A = Abort, E = Error disabled)
             1) ASICRegisterCheck-------------> .
             2) PrimaryBootROM----------------> .
             3) SecondaryBootROM--------------> .
             4) EOBCPortLoopback--------------> .
             5) OBFL--------------------------> .
             6) PortLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  .  .  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     .  .  .  .  .  .  .  .  .  .  .  U  U  U  .  U  
             7) RewriteEngineLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     .  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
             8) SnakeLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
             9) FIPS:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
            10) BootupPortLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
    Current bootup diagnostic level: complete
    Module 5: Supervisor Module-2  (Active)
            Test results: (. = Pass, F = Fail, I = Incomplete,
            U = Untested, A = Abort, E = Error disabled)
             1) ASICRegisterCheck-------------> U
             2) USB---------------------------> .
             3) NVRAM-------------------------> .
             4) RealTimeClock-----------------> .
             5) PrimaryBootROM----------------> .
             6) SecondaryBootROM--------------> .
             7) CompactFlash------------------> .
             8) ExternalCompactFlash----------> U
             9) PwrMgmtBus--------------------> .
            10) SpineControlBus---------------> .
            11) SystemMgmtBus-----------------> .
            12) StatusBus---------------------> .
            13) StandbyFabricLoopback---------> U
            14) ManagementPortLoopback--------> .
            15) EOBCPortLoopback--------------> .
            16) OBFL--------------------------> .
    Current bootup diagnostic level: complete
    Module 6: Supervisor Module-2  (Standby)
            Test results: (. = Pass, F = Fail, I = Incomplete,
            U = Untested, A = Abort, E = Error disabled)
             1) ASICRegisterCheck-------------> .
             2) USB---------------------------> .
             3) NVRAM-------------------------> .
             4) RealTimeClock-----------------> .
             5) PrimaryBootROM----------------> .
             6) SecondaryBootROM--------------> .
             7) CompactFlash------------------> .
             8) ExternalCompactFlash----------> U
             9) PwrMgmtBus--------------------> U
            10) SpineControlBus---------------> .
            11) SystemMgmtBus-----------------> U
            12) StatusBus---------------------> U
            13) StandbyFabricLoopback---------> .
            14) ManagementPortLoopback--------> .
            15) EOBCPortLoopback--------------> .
            16) OBFL--------------------------> .
    Current bootup diagnostic level: complete
    Module 8: 1/10 Gbps Ethernet Module  
            Test results: (. = Pass, F = Fail, I = Incomplete,
            U = Untested, A = Abort, E = Error disabled)
             1) ASICRegisterCheck-------------> U
             2) PrimaryBootROM----------------> .
             3) SecondaryBootROM--------------> .
             4) EOBCPortLoopback--------------> .
             5) OBFL--------------------------> .
             6) PortLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     U  U  U  U  .  .  U  U  U  U  U  U  .  .  U  .  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  .  .  .  .  .  .  .  .  .  .  .  .  .  .  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     .  .  .  .  .  .  .  .  U  U  U  U  U  U  U  U  
             7) RewriteEngineLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     .  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
             8) SnakeLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     .  .  .  .  .  .  .  .  U  U  U  U  U  U  U  U  
             9) FIPS:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  
            10) BootupPortLoopback:
              Port   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
              Port  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
              Port  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
                     .  .  .  .  .  .  .  .  U  U  U  U  U  U  U  U 
    ISSCSW7010RE-4# show module
    Mod  Ports  Module-Type                         Model              Status
    1    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
    3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     testing
    5    0      Supervisor Module-2                 N7K-SUP2           active *
    6    0      Supervisor Module-2                 N7K-SUP2           ha-standby
    8    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
    Mod  Sw              Hw
    1    6.2(2a)         1.0     
    3    6.2(2a)         1.0     
    5    6.2(2a)         1.1     
    6    6.2(2a)         1.0     
    8    6.2(2a)         1.0     
    Mod  Online Diag Status
    1    Pass
    3    Untested
    5    Pass
    6    Pass
    8    Pass
    Xbar Ports  Module-Type                         Model              Status
    1    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    2    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    3    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    4    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    5    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    Xbar Sw              Hw
    1    NA              1.5     
    2    NA              1.5     
    3    NA              1.5     
    4    NA              1.5     
    5    NA              1.5     
    3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     testing
    3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     initializing
    Mod  Ports  Module-Type                         Model              Status
    1    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
    3    48     1/10 Gbps Ethernet Module                              pwr-cycld
    5    0      Supervisor Module-2                 N7K-SUP2           active *
    6    0      Supervisor Module-2                 N7K-SUP2           ha-standby
    8    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
    Mod  Power-Status  Reason
    3    pwr-cycld      Unknown. Issue show system reset mod ...
    Mod  Sw              Hw
    1    6.2(2a)         1.0     
    5    6.2(2a)         1.1     
    6    6.2(2a)         1.0     
    8    6.2(2a)         1.0     
    Mod  MAC-Address(es)                         Serial-Num
    1    e4-c7-22-17-c0-8c to e4-c7-22-17-c0-bf  JAF1802ANEA
    5    84-78-ac-1c-fa-0f to 84-78-ac-1c-fa-21  JAF1721AQPC
    6    84-78-ac-14-cb-16 to 84-78-ac-14-cb-28  JAF1713BAKS
    8    e8-ed-f3-38-7b-08 to e8-ed-f3-38-7b-3b  JAF1733ARPG
    Mod  Online Diag Status
    1    Pass
    5    Pass
    6    Pass
    8    Pass
    Xbar Ports  Module-Type                         Model              Status
    1    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    2    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    3    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    4    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    5    0      Fabric Module 2                     N7K-C7010-FAB-2    ok
    Xbar Sw              Hw
    1    NA              1.5     
    2    NA              1.5     
    3    NA              1.5     
    4    NA              1.5     
    5    NA              1.5     
    2014 Aug  5 11:49:19 -MAF %$ VDC-2 %$ %PLATFORM-2-MOD_DETECT: Module 3 detected () Module-Type 1/10 Gbps Ethernet Module Model N7K-F248XP-25E
    2014 Aug  5 11:49:19 MAF %$ VDC-2 %$ %PLATFORM-2-MOD_PWRUP: Module 3 powered up (
    2014 Aug  5 11:49:19 %$ VDC-1 %$ %PLATFORM-2-MOD_DETECT: Module 3 detected ) Module-Type 1/10 Gbps Ethernet Module Model N7K-F248XP-25E
    2014 Aug  5 11:49:19 %$ VDC-1 %$ %PLATFORM-2-MOD_PWRUP: Module 3 powered up ()

  • Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

    I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
    The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which then connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
    1. Private vlan mapping on the SVI;
    2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
    3. All Vlans are trunked between switches
    4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
    I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

    Hello Emcmanamy, Bruce,
    Thanks for your feedback.
    Just like you, I have been facing the same problem over the last months with my customer.
    Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
    You can configure a host interface as an isolated or community access port only.
    We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
    This ability is documented here =>
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
    You cannot configure a host interface as a promiscuous port.
    You cannot configure a host interface as a private VLAN trunk port.
    Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
    However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
    All these conditions are not met on a N5K interface.
    Best regards.
    Karim

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the ospf domain so don't need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
    Not sure how to achieve this apart from static routing redistributed but surely this does not separate their traffic only points the route to ospf?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and I don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon
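
The two options compared in the reply above, sketched as alternatives for a Cisco IOS Layer 3 switch (an added example, not configuration from the thread). The VRF name, route distinguisher, VLAN IDs, addresses and access-list number are all assumptions; apply one option or the other, not both.

```cisco
! Added example. The VRF name, RD, VLAN IDs, addresses and access-list
! number are assumptions; none of them come from the thread.
!
! --- Option 1: VRF-Lite (separate routing and forwarding table) ---
ip vrf USERS7
 rd 65000:7
!
! User-facing SVI. Applying "ip vrf forwarding" removes the interface's
! existing IP address, so the address is entered after it.
interface Vlan70
 ip vrf forwarding USERS7
 ip address 10.7.0.1 255.255.255.0
!
! Transit SVI toward the next hop, carried as its own VLAN on the trunk.
interface Vlan970
 ip vrf forwarding USERS7
 ip address 10.255.7.1 255.255.255.252
!
! The only route the VRF gets: a default toward the external path.
! Core prefixes are never installed in this table, so traffic for them
! can only follow the default and never reaches the global table.
ip route vrf USERS7 0.0.0.0 0.0.0.0 10.255.7.2
!
! Verify: the VRF table should list only the two connected networks
! and the static default.
!   show ip vrf interfaces
!   show ip route vrf USERS7
!   ping vrf USERS7 10.255.7.2
!
! --- Option 2: PBR (overrides the global table for matching packets) ---
access-list 107 permit ip 10.7.0.0 0.0.0.255 any
!
route-map USERS7-OUT permit 10
 match ip address 107
 set ip next-hop 10.255.7.2
!
! Applied inbound on the user-facing interface only. Packets that do not
! match, and all return traffic arriving on other interfaces, still use
! the global routing table, so each hop needs its own policy both ways.
interface Vlan70
 ip policy route-map USERS7-OUT
!
! Verify: match counters should increase while the users send traffic.
!   show route-map USERS7-OUT
!   show ip policy
```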

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500 which supports Private Vlan. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected with a trunk using fiber.
    How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a DMZ 3750 switch and I want to introduce private VLAN on this switch. This switch is connected to a Cisco ASA with a trunk (subinterface for each primary VLAN) because we have multiple DMZs. What will the configuration on both sides be?
    If private VLANs can't be used with ASA subinterfaces, what solution can be done in this scenario?
    Thanks,

    I would think the ASA doesn't care. The PVLANs are configured on the switch. The port that the ASA is connected to will be promiscuous.
    To see how to configure it, check out this guide (a long, in-depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I helped please rate me.

  • Private vlans and 2960 and 3560 switch

    Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

    Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
    Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

  • Port-channel L2 problem with Fabric Interconnect and Nexus 7010

    Hi,
    I am using a port-channel from both Fabric Interconnects to the N7K, with 3 cables per Fabric Interconnect.
    But my problem is that when I create the port-channel, the Fabric Interconnect doesn't support mode ON and rate-mode share on the 10G interfaces of the Nexus 7010.
    I tried:
    1. Using a non-dedicated port on the Nexus 7010:
         - rate-mode share
         - channel-group 1 mode active
         - switchport mode trunk
       With this option, the port-channel on the Nexus 7010 was suspended.
    2. Using a non-dedicated port on the Nexus 7010:
         - rate-mode share
         - channel-group 1 mode on
         - switchport mode trunk
       With this option, the port-channel on the Nexus 7010 came up, but on the Fabric Interconnect it failed.
    3. Using a dedicated port on the Nexus 7010:
         - rate-mode share
         - channel-group 1 mode active
         - switchport mode trunk
       With this option, the port-channel on the Nexus 7010 was suspended.
    4. Using a dedicated port on the Nexus 7010:
         - rate-mode dedicated
         - channel-group 1 mode active
         - switchport mode trunk
       With this option, the port-channel on the Nexus 7010 came up and ran well.
    But the problem is that my customer does not want to use dedicated rate-mode. If I use dedicated mode, only 8 interfaces are available instead of 32 ports. I want to use rate-mode share on the Nexus 7010.
    Is there any way to configure a port-channel using mode on in the Fabric Interconnect? I tried using the CLI to create a port-channel in the Fabric Interconnect but I cannot configure the channel group protocol.
    i attach the topology of N7K with Fabric interconnect.
    regards,
    Berwin H

    Hi Manish,
    The issue was solved; I fixed it last week.
    The solution is:
    I enabled the license grace-period (since my license is Enterprise, so I cannot create a VDC), then I created a VDC (ex: VDC 2) so I allocated the interfaces on all modules
    N7K-M132XP-12 to VDC 2. After that I deleted VDC 2, then all interfaces went back to VDC 1 (default VDC). Then I enabled rate-mode share on the dedicated ports and bundled them into the port-channel, and it is working.
    I don't know why they must be moved to a VDC first before it works; maybe Cisco can explain the reasons.
    So here the result of my port-channel :
    SVRN7KFARM-HO-01# show port-channel summary
    Flags:  D - Down        P - Up in port-channel (members)
            I - Individual  H - Hot-standby (LACP only)
            s - Suspended   r - Module-removed
            S - Switched    R - Routed
            U - Up (port-channel)
    Group Port-       Type     Protocol  Member Ports
          Channel
    1     Po1(SU)     Eth      LACP      Eth1/1(P)    Eth1/2(P)    Eth1/3(P)
                                         Eth1/4(P)    Eth1/25(P)  
    2     Po2(SU)     Eth      LACP      Eth1/9(P)    Eth1/10(P)   Eth1/11(P)
                                         Eth1/12(P)   Eth1/26(P)  
    3     Po3(SU)     Eth      LACP      Eth1/17(P)   Eth1/18(P)  
    4     Po4(SU)     Eth      NONE      Eth10/32(P)  Eth10/34(P)  Eth10/35(P)
                                         Eth10/36(P)
    Thanks.
    Berwin H
