Sup 720 ignoring ACLs

Has anyone seen this problem?

I think you are trying to deny telnet from coming into his hosts sitting on VLAN 200. You would need this if blocking telnet *from* VLAN 200:
interface Vlan200
description my network
ip address 10.blah 255.255.255.0
ip access-group 167 out
access-list 167 deny tcp any eq telnet any log-input
If you want to block telnet from coming *into* VLAN 200, then you would need this:
interface Vlan200
description my network
ip address 10.blah 255.255.255.0
ip access-group 167 in
access-list 167 deny tcp any any eq telnet log-input
Hope this helps
Ricky Boyd
www.hypernetworks.net
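As an added example that is not part of Ricky's reply or any Cisco tool: a Python model of how an IOS extended ACL behaves once it is bound to an SVI with `ip access-group`. On an SVI, `in` filters packets arriving from hosts in the VLAN and being routed elsewhere, `out` filters packets being routed toward hosts in the VLAN, and traffic between two hosts in the same VLAN is bridged and is never checked against the SVI ACL (that needs a VACL). The subnet `10.0.200.0/24`, the addresses and the four packets are constructed stand-ins for the post's `10.blah` network. The model also shows the implicit deny: an access list that contains only the `deny` line above drops every packet it sees, so the example appends a `permit ip any any`.

```python
"""Added example (not from the post): how an IOS extended ACL bound to an SVI
filters routed traffic.  'in' sees packets arriving from hosts in the SVI's
subnet; 'out' sees packets routed toward them.  Bridged traffic between two
hosts in one VLAN never reaches the SVI ACL.  Subnet, addresses and flows are
constructed stand-ins for the post's setup."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(t[i + 1]))       # wildcard: 1 bits are "don't care"
    if (wild + 1) & wild:
        raise ValueError("non-contiguous wildcard not modelled: " + t[i + 1])
    return ipaddress.ip_network((t[i], 32 - wild.bit_length()), strict=False), i + 2

def _ports(t, i):
    """Parse an optional 'eq <port>' at t[i]; absent means any port."""
    if i < len(t) and t[i] == "eq":
        want = int(t[i + 1]) if t[i + 1].isdigit() else {"telnet": 23, "ssh": 22, "www": 80}[t[i + 1]]
        return (lambda p: p == want), i + 2
    return (lambda p: True), i

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport: Callable[[int], bool]
    def matches(self, pkt) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src and self.sport(pkt["sport"])
                and ipaddress.ip_address(pkt["dst"]) in self.dst and self.dport(pkt["dport"]))

def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the 'access-list <number> ...' lines of an IOS config, in order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)]:
            continue
        src, i = _addr(t, 4)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)                     # trailing 'log' / 'log-input' is ignored
        aces.append(Ace(t[2], t[3], src, sport, dst, dport))
    return aces

def evaluate(aces: List[Ace], pkt) -> str:
    """First matching entry wins; a list with no match denies (implicit deny)."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def svi_verdict(svi_net: str, aces: List[Ace], direction: str, pkt) -> str:
    """Verdict for a routed packet with the ACL bound by 'ip access-group N <direction>'."""
    net = ipaddress.ip_network(svi_net)
    src_in = ipaddress.ip_address(pkt["src"]) in net
    dst_in = ipaddress.ip_address(pkt["dst"]) in net
    if src_in == dst_in:                            # intra-VLAN (bridged) or not via this SVI
        return "permit"
    seen = src_in if direction == "in" else dst_in
    return evaluate(aces, pkt) if seen else "permit"

# Constructed: the post's two ACL lines, each followed by the 'permit ip any any'
# the post omits.  Without it the implicit deny drops everything the ACL sees.
ACL_SRC23 = "access-list 167 deny tcp any eq telnet any log-input\naccess-list 167 permit ip any any"
ACL_DST23 = "access-list 167 deny tcp any any eq telnet log-input\naccess-list 167 permit ip any any"
SVI_NET = "10.0.200.0/24"                           # stands in for '10.blah 255.255.255.0'
# Constructed flows: one telnet session opened from VLAN 200, one opened into it.
FLOWS = {
    "from-vlan syn": dict(proto="tcp", src="10.0.200.10", sport=40000, dst="192.0.2.5", dport=23),
    "from-vlan reply": dict(proto="tcp", src="192.0.2.5", sport=23, dst="10.0.200.10", dport=40000),
    "into-vlan syn": dict(proto="tcp", src="198.51.100.7", sport=51000, dst="10.0.200.20", dport=23),
    "into-vlan reply": dict(proto="tcp", src="10.0.200.20", sport=23, dst="198.51.100.7", dport=51000),
}

def run_matrix():
    """Verdict of each ACL variant, bound in each direction, for each flow."""
    out = {}
    for name, cfg in (("src-port-23", ACL_SRC23), ("dst-port-23", ACL_DST23)):
        aces = parse_acl(cfg, 167)
        for direction in ("in", "out"):
            for flow, pkt in FLOWS.items():
                out[(name, direction, flow)] = svi_verdict(SVI_NET, aces, direction, pkt)
    return out

if __name__ == "__main__":
    for (name, direction, flow), verdict in run_matrix().items():
        print(f"{name:12} {direction:4} {flow:16} {verdict}")
```

Reading the matrix: `deny tcp any any eq telnet` bound `in` drops the SYN of a session opened by a VLAN 200 host, and the same line bound `out` drops the SYN of a session opened toward a VLAN 200 host. The `any eq telnet any` form only matches the server's replies (source port 23), so matching on source port 23 in one direction has the same effect as matching on destination port 23 in the other direction, with the difference that the client's SYN is forwarded and logged replies are what gets dropped.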

Similar Messages

  • 6509E VSS w/Quad-Sup 720 - Traffic Forwarding Issue

    Hello all,
    I ran into an interesting problem yesterday evening while performing a quad-sup upgrade to an existing dual-sup 6509E VSS architecture. Unfortunately, the expiration of my maintenance window forced me to roll back the changes before I had the opportunity to truly discover the root issue, however, I wanted to post my experience on Support Forums with the hope that someone else has run into it before.
    The customer I was working with has an existing dual-sup (720) environment operating in VSS mode. Both sups were installed and operational in slot 5 of each chassis. The switch IDs had been assigned as 1 and 2, and the VSL was comprised of the two 10GE interfaces connected between each of the sup modules (1/5/4-2/5/4 and 1/5/5-2/5/5). The customer wanted to increase their intra-chassis redundancy by installing two additional sup 720 modules in slot 6 of each chassis, and adding these 10GE interfaces to the VSL.
    The overall upgrade went very well. I began by physically installing an additional sup 720 in slot 6 of the VSS standby chassis, and the sup module came up into RPR-Warm status (which is the desired state). I then physically installed an additional sup 720 in the VSS active chassis, and it too came up into RPR-Warm status. After reviewing the VSS redundancy state, I determined that everything looked good, and proceeded to add the additional 10GE links (1/6/4-2/6/4 and 1/6/5-2/6/5) into the VSL configuration. I then physically connected the additional VSL links (but shifted them around so as to achieve diversity between the chassis: 1/5/4-2/5/4, 1/5/5-2/6/5, 1/6/4-2/6/4, 1/6/5-2/5/5). I then reviewed the VSL link state and EtherChannel state, and everything looked great.
    At that point, we were pretty much done with the switch configuration, and proceeded to verify that server/network resources were not affected. I found that there seemed to be an issue sending traffic across the VSL. For example, some physical servers connected to switch ID 1 were having a difficult time communicating to physical servers connected to switch ID 2 (this customer is still working on dual-homing hosts). I looked at all of the obvious things - physical VSL interfaces, EtherChannel status, etc., and everything looked good. I then proceeded to remove physical VSL interfaces from the configuration, eliminating those that were added that evening (e.g., all interfaces except the original 1/5/4-2/5/4 were removed) - nothing. At this point, I was 10 minutes from the expiration of the maintenance window and was forced to roll back. It wasn't until the newly added sup's were physically removed from the chassis that the issue subsided. That said, I was able to conclude that the VSL wasn't the problem at all, but perhaps the installation of the sup's was??
    All of the sup 720's were running 12.2(33)SXI6 code, which I had verified to be a safe harbor version (although there are known bugs, none appear to be related to this issue).
    Has anyone run into this issue before? Any thoughts would be appreciated!

    You bring up VSS outside of the current environment. Create all VLANs with a spanning tree priority higher than the existing.
    Create all the VLAN interfaces and leave them shut down.
    Connect the existing core to the new VSS core. Make sure that all VLANs are properly crossing the trunk between old and new cores. Depending on how your routing is set up, you might need to create a VLAN to use for routing updates only.
    At this point, you can start changing spanning tree priorities to move the root of the VLANs to the VSS. Once these have been moved, you can start to manipulate HSRP.
    Whichever switch has the backup interface, shut those interfaces down. After this is done, shut the VLAN interface on the old core and no shut on the VSS. Since VSS doesn't use HSRP, it's hard to manipulate the VSS since you want the VLAN interface to be the previous standby IP.
    Flipping the VLAN interfaces shouldn't cause any issues. I've done this method several times in large hospitals with no issues.
    Once you have the VSS running, you can move the access switches 1 link at a time. Make sure you're running Rapid PVST.
    The method I've used for this is to create a port channel on both the access switch and the VSS. On the VSS, you can assign the interfaces into the port channel immediately. On the access switch, disconnect one of the interfaces that goes to the old core. Add the disconnected interface into the port channel, then plug it back in. It should come up as the only member of the EtherChannel. After you verify this link is up properly, perform the same with the second uplink on the access switch. When you plug it in, it should join the channel and you should be fine. With Rapid PVST, nothing should be noticeable when the links block and unblock.

  • Sup 720 unlabelled Red LED

    I have a pair of 6513s with a pair of Supervisors in each and on one of the standby (Sup 720) front panel is a RED LED. This LED has no label and is just to the left of the Console port. I have checked reference documents and this LED is not mentioned? Any idea? Thanks

    Hi
    I feel the sup might have got stuck at the rommon prompt and requires a manual boot command to boot it up.
    Once it gets booted up, check for a valid IOS file in disk0 or disk1 and configure the boot system command accordingly.
    Once you are through with that, save the config and check with show bootvar to verify whether the changes got replicated or not.
    regards

  • Sup 720 Fabric questions

    Hi,
    If you use a 6509-E with a Sup 720 this gives you a 720 aggregate switch fabric which is broken down across all of the 9 slots. However each slot only has 2 x 20 Gbps interfaces, so if you plugged in a 48-port 10/100/1000 you will not be able to get the full 48 Gbps throughput.
    I know it is probably impossible to generate so much traffic but I am curious as the modules are marketed as non-blocking?
    Does anybody have some info on this?
    Thanks

    Fabric channels run at 20 Gbps Full Duplex, so 20 Gbps in / 20 Gbps out, so the claim is 40 Gbps in full duplex and 80 Gbps/slot with dual fabric channels
    Search for 80 Gbps:
    http://www.cisco.com/en/US/products/hw/modules/ps4835/products_data_sheet09186a00801dce34.html

  • MPLS support GEC on 7600 with SUP-720-3BXL ?

    Hi all
    Could someone let me know does 7600 with SUP-720-3BXL support full MPLS, MPLS-TE, QoS, ... on Gigabit Ethernet channel interface ?
    Which port interface (LAN/WAN, ...) does 7600/SUP-720-3BXL support full MPLS features ?
    And does 10GBASE XENPAK modules support full MPLS features ?
    thanks you

    The Cisco 7200 Series offers numerous LAN and WAN interfaces for diverse connectivity requirements. Modular processors for the Cisco 7200 Series provide flexibility as their needs grow. The three onboard Gigabit Ethernet interfaces in the Cisco 7301 VAM2+ security router bundle provide the same high performance. For further information verify the following URL:
    http://www.cisco.com/en/US/products/hw/routers/ps341/prod_bulletin0900aecd80205255.html

  • 6500 sup 720 with MPLS, GRE and FWSM problem

    We have 6500 sup 720 with MPLS configured and FWSM in transparent  mode. We also terminate GRE tunnels on the same 6500.
    After implementing the command "mls mpls tunnel-recir" GRE tunnels are hardware switched (which we want them to be), but we don't have any more connection from locations through GRE tunnels to servers behind FWSM.
    Does anybody have idea how to solve this problem?

    Hi,
    not sure what you mean exactly.
    The command "mls mpls tunnel-recir" is needed to avoid packet corruption in cases where the Supervisor engine is handling both the GRE header encapsulation and the MPLS label stack imposition. Since it cannot do it in one single shot (without causing random corruption) recirculation is needed. Nevertheless its presence does not influence whether the GRE traffic is handled in hardware or in software. Even without it, IF THE GRE TUNNELS ARE CORRECTLY CONFIGURED (meaning that each GRE tunnel has its unique source address etc.), the traffic is handled in hardware.
    However since you say that after you enabled it you don't have connectivity anymore I suppose that some issue related to recirculation is happening (i.e. traffic ends up in the wrong internal VLAN after recirculation).
    Unfortunately the support forum is not meant to help in this case as in-depth troubleshooting is required. For that you need a TAC case.
    regards,
    Riccardo

  • Difference between RSP-720 and SUP-720 on 7600

    Hi all,
    I wonder what's the big difference between RSP-720 and SUP-720. both have almost the same feature set, performance and also same price. Anyone can explain in detail?
    This can also be applied to difference between 6500 and 7600 and narrow difference between routers and switches these days.

    There are tons of differences between the RSP and the SUP 720.
    http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3b6.html
    Look @ the " Hardware Enhancements over Supervisor Engine 720" section
    The 6500 and 7600 are diverging in terms of software release support on 12.2(33)SX* for 6500 and 12.2(33)SR* for 7600 which means the feature sets will be diametrically opposite.
    E.g. VSS on Cat6k's is not available on 7600's

  • Sup 720 & Sup 32 with WS-X6408-GBIC

    I have an old 6509 with Sup 1 and some WS-X6408-GBIC. Now I will upgrade to Sup 720 or Sup 32.
    I need to confirm if WS-X6408-GBIC (no A) is compatible with the new sups, especially with the shared bus limitation on the module.

    Ran your configuration through the dynamic config tool (www.cisco.com/dprg) and it doesn't show support for that GBIC blade. The closest I can find is 6408A.
    HTH
    PS: please remember to rate helpful posts!

  • 6506, 6509 Chassis Exchange along with SUP 720-3B and SUP 2T-10G

    Hi friends,
    I have a situation which looks straightforward, but since I have not done this before, I thought I should put this here to get some ideas and suggestions about gotchas to look for.
    Situation 1:
    Basically I have a situation where there is an existing 6506 chassis with SUP32-GE-3B. for some business reasons we have to replace that with a 6509 chassis with SUP720-3B keeping the configuration intact.
    Situation 2:
    In another situation, we need to replace an existing standalone chassis 6509 with SUP-2T-10G with a pair of 6506 with SUP-2T-10G on each running VSS. Are there any gotchas around this work?
    Also, while I was trying to boot the spare 6506 with the SUP-2T card, it constantly went to monitor mode with the following error messages:
    System Bootstrap, Version 12.2(50r)SYS3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2012 by cisco Systems, Inc.
    PYRAMID platform with 2097152 Kbytes of main memory
    rommon 1 >
    rommon 1 > boot
    PCMCIA bootdisk: device is not initialized
    open: read error...requested 0x4 bytes, got 0x0
    trouble reading device magic number
    boot: cannot open "bootdisk:"
    boot: cannot determine first file name on device "bootdisk:"
    rommon 2 >
    Any suggestions for this? It looks like the bootflash memory is missing from the SUP. I am not sure if this flash is usually onboard on this SUP or it should be like an external PCMCIA card. 
    Look forward for your help and suggestions.
    Thanks in advance.
    Regards,
    Mohit

    Hi SJ
    The 16-port 10 Gigabit Ethernet module is interoperable with all models of the Cisco Catalyst 6500 Series Virtual Switching Supervisor Engine 720 with 10 Gigabit Ethernet uplinks or Cisco Catalyst 6500 Series Supervisor Engine 720, including VS-S720-10G-3C, VS-S720-10G-3CXL, WS-Sup720, WS-Sup720-3B, and WS-Sup720-3BXL. When mixing DFCs in the same chassis, the chassis will operate in the mode of the lowest common denominator.
    see link below
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_bulletin_cisco_catalyst_6500_series_16port_10gigabit_ethernet_module.html 
    Regards,
    Yaseen

  • Windows rename on SMB share ignores ACLs

    We're getting ready to put ACLs on our file server into production use, and I was checking to make sure that the file sharing experience for Windows users via SMB mounts would match what OS X users see via AFP mounts to the same shared folders and files.
    I've discovered that when Windows users rename files and folders via SMB mounts, the permissions are controlled by the POSIX privileges of the enclosing folder, and ACL privileges appear to be completely ignored. I have a simple test case where I prepare a shared test folder that grants a particular user full access via an ACL, but no access via POSIX (this is deliberate). Via AFP on an OS X system, the user can do whatever they want on the share, as you'd expect. They have no problems renaming or deleting items; their ACL privileges are properly observed. However, when the same user logs onto a Windows system and accesses the share via SMB, if they create a folder or file, they won't be able to rename it. The only way to get around that appears to be to grant them POSIX read/write privileges on the enclosing folder (not on the item itself). For this one operation, it would appear that POSIX privileges are observed, but ACLs are being ignored. [This has been submitted to Apple as a Bug Report (Problem ID 6143881).]
    We're running OS X Server 10.5.2, but plan to upgrade to OS X Server 10.5.4 once our ACLs are running in a production setting. I wonder if other folks see the same problem with renaming files or folders in Windows with SMB shares in OS X Server 10.5.4.
    On my server, on an AFP+SMB share, I create a test folder with the following privileges:
    ls -led path/to/testfolder # Show POSIX settings & ACLs for test folder
    drwx------+ 2 root wheel 68 Aug 12 11:25 testfolder
    0: user:myuser allow list,addfile,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    These privileges can be set via the following commands. Within an AFP+SMB share, create a test folder as follows:
    sudo mkdir -p /path/to/testfolder
    cd /path/to/testfolder
    sudo chmod -R -N . # Remove any inherited ACLs from testfolder
    sudo chmod u=rw+X,go= . # Set POSIX privileges to octal 700
    sudo chown root:wheel . # Set POSIX owner & group
    sudo chmod +a "user:myuser allow list,addfile,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" .
    From Windows, navigate to the testfolder on the SMB share. You can do this as a Network Place, Mapped Network Drive, or by explicitly navigating to
    \\myserver\myshare\path\to\testfolder
    Create a new folder in Windows Explorer. It will come up by default named "New Folder". Try to rename it and you'll get a Windows error: "Error Renaming File or Folder. Cannot rename New Folder: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
    Run the Note Pad accessory. Create a file in the testfolder named "Foo.txt". Try to rename it in Windows Explorer. Same problem.
    If you perform equivalent operations on an OS X System via AFP mount to the same test folder, you won't have any problems; the ACL privileges will be correctly granted.
    The only workaround I've been able to come up with to grant Windows users "rename" privileges on our SMB mounts is to do so by enabling read/write POSIX privileges on the enclosing folder ("testfolder"). You can either:
    1) Make the user the POSIX owner of the enclosing folder, and grant the owner read/write access, or
    2) Set the POSIX group to a group the user is a member in, grant that group read/write access, or
    3) Enable POSIX world read/write access (careful!).
    Without POSIX read/write privileges to the enclosing folder, it would appear that Windows users on SMB shares can't rename files or folders. Interestingly, they can upload folder hierarchies with arbitrarily named files and folders and won't run into problems; it's specifically when items are renamed when they already exist that you may run into problems.

    Just an FYI: I received a response to my bug report. Apple reports that this problem has probably already been addressed in OS X Server 10.5.3, so it's likely this issue will disappear when I update my server from 10.5.2 to 10.5.4.
    If you look at http://support.apple.com/kb/HT1142, there's this item:
    File Services
    The smb.conf file is updated to include the line "acl check permissions = no" in order to provide expected permissions behavior for Windows clients connecting to the SMB service.

  • Cisco 6500 with SUP 720 - Invalid boot Image

    Diagnostic sanity check on the 6500 reports Invalid boot image "bootdisk:<output omitted>
    The boot statement on the 6500 is :-
    boot system bootdisk:<filename.bin> and the 6500 boots fine.
    Please advise.
    Thank You.

    Hi ,
    I have found a bug which was found internally by Cisco. The bug is CSCsc98471 and following are the details of the bug.
    The command "show diagnostic sanity" checks amongst other things, if the current bootstring is matching pointing to an existing file.
    Since ION bootstring format has been extended (assuming an installed image) this check fails although the bootstring is correct.
    Can be easily reproduced by entering the "show diagnostic sanity" command.
    6500-6#show diagnostic sanity
    Pinging default gateway 172.26.197.33
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.26.197.33, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Could not verify boot image "sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm," specified in the boot string.
    6500-6#show bootvar
    BOOT variable = sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm,12;
    6500-6#dir sup-bootflash:/newsys/s72033/base/
    Directory of sup-bootdisk:/newsys/s72033/base/
    84 -rwx 1375696 Jan 5 2006 20:51:24 -08:00 imf.tar
    85 -rwx 12873200 Jan 5 2006 20:51:22 -08:00 s72033-adventerprisek9_wan_dbg-vm
    It is found in 12.2(18.09.20)SX3.39.
    *** open a TAC case so that the same bug is fixed in 12.2(18)SXF4.
    Hope it helps you. Please rate it.
    Thanks,
    satish
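An added example that is not part of satish's reply or of Cisco's diagnostic code: a Python parser for the BOOT variable format shown above (entries of the form `device:path,number;`), with a check of each entry against a directory listing constructed from the `dir` output in the post. The `naive_check` function reproduces the failure the bug report describes, treating the raw string, numeric suffix and all, as if it were the file name. The alias table that maps `sup-bootflash:` to `sup-bootdisk:` (the post's `dir sup-bootflash:` answers with `Directory of sup-bootdisk:`) and the treatment of `dev:file` and `dev:/file` as the same object are assumptions made for this demonstration.

```python
"""Added example (not from the reply or from Cisco): parse an IOS BOOT variable
and check each entry against a device listing.  The listing is constructed from
the 'dir' output in the post; the alias table and the path normalisation are
assumptions made for this demonstration."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed: names the platform accepts for the same filesystem.
DEVICE_ALIASES = {"sup-bootflash": "sup-bootdisk", "bootflash": "bootdisk"}

# One entry: <device>:<path>[,<number>]   entries are separated by ';'
ENTRY_RE = re.compile(r"^(?P<device>[A-Za-z0-9_-]+):(?P<path>[^,;]+)(?:,(?P<num>\d+))?$")


def parse_boot_variable(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split 'dev:path,N;dev:path,N;' into (device, path, N) tuples, in order."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError("unparseable boot entry: %r" % raw)
        num = int(m.group("num")) if m.group("num") else None
        entries.append((m.group("device"), m.group("path"), num))
    return entries


def _canonical(device: str, path: str) -> Tuple[str, str]:
    # Assumed: 'disk0:file' and 'disk0:/file' name the same object.
    return DEVICE_ALIASES.get(device, device), "/" + path.lstrip("/")


def exists(device: str, path: str, listing: Dict[str, Set[str]]) -> bool:
    """True when the listing for the (de-aliased) device contains the path."""
    dev, path = _canonical(device, path)
    return path in listing.get(dev, set())


def naive_check(value: str, listing: Dict[str, Set[str]]) -> bool:
    """The check the bug describes: the raw boot string, ',N;' suffix and all,
    is looked up as if it were a file name, so a correct string never matches."""
    device, _, rest = value.strip().partition(":")
    return exists(device, rest, listing)


def check_boot_variable(value: str, listing: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Per-entry result after parsing the boot-string grammar properly."""
    return {"%s:%s" % (d, p): exists(d, p, listing) for d, p, _ in parse_boot_variable(value)}


def first_bootable(value: str, listing: Dict[str, Set[str]]) -> Optional[str]:
    """Entry the loader would find first, or None if no entry resolves."""
    for d, p, _ in parse_boot_variable(value):
        if exists(d, p, listing):
            return "%s:%s" % (d, p)
    return None


# Constructed from the post: the BOOT variable and the 'dir' listing it points into.
BOOT_VAR = "sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm,12;"
LISTING = {"sup-bootdisk": {"/newsys/s72033/base/imf.tar",
                            "/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm"}}

if __name__ == "__main__":
    print("naive:", naive_check(BOOT_VAR, LISTING))            # False: the bug
    print("parsed:", check_boot_variable(BOOT_VAR, LISTING))   # {...: True}
    print("first bootable:", first_bootable("disk0:missing.bin,1;" + BOOT_VAR, LISTING))
```

The same parser is what a config-audit script needs before it can assert anything about a supervisor's boot path: strip the grammar first, then resolve aliases, then compare against the listing, in that order.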

  • 6509 upgrade sup 720 to 2t - wism1 not working

    Hi,
    After upgrading to the 2T supervisor our WiSM controller is not working properly.
    I can connect to it via the service IP address but via management I can't.
    Status is OK, online diagnostic is OK... but all APs are not working.
    On the 6509 we are running
    bootdisk:s2t54-adventerprisek9-mz.SPA.151-2.SY.bin
    on wism:
    System Information
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.240.0
    RTOS Version..................................... 7.0.240.0
    Bootloader Version............................... 7.0.240.0
    Emergency Image Version.......................... 7.0.240.0
    Build Type....................................... DATA + WPS
    Mod Ports Card Type                              Model              Serial No.
      1   16  CEF720 16 port 10GE                    WS-X6716-10GE     
      2    6  Firewall Module                        WS-SVC-FWM-1      
      3   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9  
      5    5  Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G      
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  f866.f220.08 to f86.f220.07   1.0   12.2(18r)S1  15.1(2)SY    Ok
      2  0023.3d.e174 to 00.334d.e17b   4.5   7.2(1)       4.1(9)       Ok
      3  0025.87.d73a to 025.84.d749   2.3   12.2(14r)S5  15.1(2)SY    Ok
      5  5057.a8.1d to 505a8.1d18   1.5   12.2(50r)SYS 15.1(2)SY    Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6K-DFC4-E        1.2    Ok
      3  Centralized Forwarding Card WS-SVC-WISM-1-K9-D   2.1    Ok
      5  Policy Feature Card 4       VS-F6K-PFC4          2.1    Ok
      5  CPU Daughterboard           VS-F6K-MSFC5         2.1    Ok
    Mod  Online Diag Status
      1  Pass
      2  Pass
      3  Pass
      5  Pass
    Is there a problem with IOS incompatibility or am I doing something wrong?
    regards,
    Ivan

    Ok i think the problem is in:
    Port-channel1          unassigned      YES unset  down                  down   
    Port-channel2          unassigned      YES unset  down                  down   
    WiSM Controller 2 in Slot 3 not configured
    Operational Status of the Controller : Oper-Up
    Service VLAN                         : 702
    Service Port                         : 10
    Service Port Mac Address             : 0023.eb01.c322
    Service IP Address                   : 10.7.2.12
    Management IP Address                : 10.7.3.20
    Software Version                     : 7.0.240.0
    Port Channel Number                  : 0
    WCP Keep Alive Missed                : 0
    i just need to figure this out :-))
    Thx.

  • How many VRF-Lite Routing Instances can a 6509-E with a 720-Sup module run?

    I know that in a 4500 style switch it supports a maximum of 64 VRF-lite routing instances. However what is the maximum amount of VRF-Lite routing instances can a 6509-E switch support with a Sup-720 sup module?

    Sup 720 supports 1024 VRF Lites
    see table-1 in this link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
    HTH

  • Does Cat6 SUP720 support port acl?

    Hi
    We have a network using Cat4 and Cat6 for server connections.
    We have decided to use ACLs on the L2 ports to block certain traffic.
    It works fine on the Cat4, but it does not work on the Cat6.
    Is it a supported feature on Cat6?
    Thanks

    Hey,
    Are you using Cat OS or IOS on Sup 720?
    I think on Cat OS you cannot use the ACL on L2 ports.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/acc_list.htm#wp1020508
    HTH,
    -amit singh

  • Why is the WiSM2 not recommended in the Sup slots?

    I have a situation where a customer doesn't have the required power units installed in their 6500 for me to provision a WiSM2.
    They use a VSS pair with a single Sup720 in each. They have no intention of adding a second Sup to each chassis.
    I need to justify why they can't use slot 6 (which has power reserved) if I am to get them to upgrade the PSUs. The documentation I've found says it is supported but not recommended. Does anyone know of any cast iron reason why this is not recommended?
    Cheers in advance
    Rhodri

    WiSM2 Power Requirements
    http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp73014
    WiSM2, Initial System Configuration with Sup 720
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml#init-syst
    Configuring Sup720 or 2T and WiSM-2  communication in a VSS mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bb2500.shtml#t6
