Thursday, June 28, 2012

How do you enable NetFlow on Catalyst 6506 with WS-SUP720-3B?


What are the steps to enable NetFlow on a Supervisor Engine 720 with the following Policy Feature Card: WS-F6K-PFC3B?
 
Is it better to configure it on the PFC or on the MSFC? What are the differences?

* Enabling NetFlow on the PFC
To enable NetFlow statistics collection on the PFC, perform this task:

mls netflow      (enables NetFlow on the PFC)
no mls netflow   (disables NetFlow on the PFC)

* Enabling NetFlow on the MSFC

int Vlanxxx
ip flow ingress
ip route-cache flow

 
NetFlow and NDE on the MSFC

The NetFlow cache on the MSFC captures statistics for flows routed in software. The MSFC supports NetFlow aggregation for traffic routed in software.

NetFlow and NDE on the PFC

The NetFlow cache on the PFC captures statistics for flows routed in hardware. The PFC supports sampled NetFlow and NetFlow aggregation for traffic routed in hardware.

Having said the above, the Sup720 theoretically should switch all packets in hardware, so having NetFlow on the PFC would be the way to go. However, there might be some packets that get software switched, which NetFlow and NDE on the PFC will not catch. The document does not say that configuring NetFlow on both the PFC and the MSFC is unsupported.

See the Cisco NetFlow Data Export guide and the NetFlow Configuration guide for details.
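A combined Sup720 NetFlow and NDE configuration, added here as an illustration rather than taken from the thread: it enables the PFC cache for hardware-switched flows, the MSFC cache on an SVI for the software-switched remainder, and exports both to one collector. The VLAN number is assumed, and the collector address and port are reused from the 6509-E post further down this page.

```cisco
! Added example (not from the thread). PFC: hardware-switched flows.
mls netflow
mls flow ip interface-full
! Have the PFC export its records (NDE) to the collector defined below.
mls nde sender
!
! Export settings shared by PFC (NDE) and MSFC (software NetFlow).
! Collector address/port taken from the 6509-E post on this page.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.139.16.196 9996
!
! MSFC: the few software-switched flows are only seen by this cache.
! VLAN number is assumed.
interface Vlan10
 ip route-cache flow
!
! Verification:
! show mls netflow ip     (PFC cache contents)
! show ip cache flow      (MSFC cache contents)
! show mls nde            (NDE export status and counters)
```

If the collector only ever receives records for a handful of flows, check the PFC side first: without mls netflow and mls nde sender the hardware-switched traffic, which is nearly everything on a Sup720, is never exported.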


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Wednesday, June 27, 2012

What are the minimum recommended Cisco NX-OS Releases for Cisco Nexus 7000 Series Switches?


Cisco recommends that customers with new Cisco Nexus 7000 Series deployments choose from the following minimum recommended releases:

• Within the NX-OS Release 5 train, the Cisco Nexus 7000 engineering team recommends running the latest NX-OS Release 5.2 software.

• Within the NX-OS Release 6 train, the Cisco Nexus 7000 engineering team recommends running the latest NX-OS Release 6.0 software.

Cisco recommends that customers with existing Cisco Nexus 7000 Series deployments upgrade to the following minimum recommended releases:

• Within the NX-OS Release 4 train:

–The most recent Cisco NX-OS Release 4.2 software is the recommended release for general features and functions.

–Cisco NX-OS Release 4.2(6) is the minimum recommended release for general features and functions.

• Within the NX-OS Release 5 train:

–The most recent Cisco NX-OS Release 5.2 software is the recommended release for general features and functions.

–Cisco NX-OS Release 5.1(5) is the minimum recommended release. However, future upgrades from Release 5.1(5) will be to the long-lived Release 5.2 train. Cisco strongly recommends that customers begin qualification of Release 5.2.

–For customers currently running Release 5.2 software, the minimum recommended software is 5.2(3a).

–For customers who have deployed OTV or FabricPath, the minimum recommended software is Release 5.2(3a).

• Within the NX-OS Release 6 train, Cisco NX-OS Release 6.0(2) is the minimum recommended release for customers requiring the hardware or software features introduced in the 6.x train.



Tuesday, June 26, 2012

Reaching an IP inside global from the inside network

Is it possible to reach an inside global address from the inside network (or LAN) on a Cisco router when doing NAT?

The case is the following:

A client who doesn't have a DMZ told me he was having issues with his web application only from his LAN, meaning that outside the LAN, on the internet, the application runs fine. The issue is that the public IP address is referenced in many links in the web application, and when people are using the application from the LAN they cannot reach the public IP address because it is being NATed...

When packets to the public address reach the router's inside interface, I guess it is routing them instead of realizing that the public address is being statically NATed...

The configs are as follows:
 
interface FastEthernet4
 description WAN
 ip address 190.120.14.2 255.255.255.248
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.27 190.120.14.4
 
There has to be some workaround to make this work... Again, the problem is: clients in the LAN cannot reach the statically NATed address defined as inside global, so the clients cannot reach the local web server using the public NATed address of the web server.

You can use the NAT virtual interface by using the ip nat enable command on the interfaces and removing the ip nat outside/inside commands.

You also need to change your NAT statement from:

ip nat inside source list ...

To:

ip nat source list ......

I have seen many weird things using the NVI interface. It seems buggy with IOS and I feel it may depend on your router and/or version of IOS. Currently I have everything configured, but my NAT statement doesn't keep the overload portion of the command in the running config even though I entered it.

If you decide to go this route you can confirm you are using the NVI interface by using the command:

show ip nat nvi translations

If you see entries here, things are working correctly. You shouldn't see new entries under:

show ip nat translations

I would like to work with you and anyone else on here to solve this problem. It sounds like many are still trying to find workarounds to browse to the inside global address to contact their internal server.



Saturday, June 16, 2012

Do the Catalyst 2960-S switches support Cisco pre-standard PoE?


We have a customer with Cisco 7940 and 7960 IP phones that they do not plan to replace. They do want a new LAN and are looking at the Catalyst WS-C2960S-48FPD-L and WS-C2960S-24PD-L as access layer devices.
 
Can you please confirm that these switches support the Cisco pre-standard PoE required by the 7940 and 7960 IP phones?

1. PoE switch ports automatically supply power to these connected devices (if the switch senses that there is no power on the circuit):
    • Cisco pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet access points)
    • IEEE 802.3af-compliant powered devices
    • IEEE 802.3at-compliant powered devices (PoE+ on Catalyst 2960-S switches only)

    The switch detects a Cisco pre-standard or an IEEE-compliant powered device when the PoE-capable port is in the no-shutdown state, PoE is enabled (the default), and the connected device is not being powered by an AC adaptor.

    After device detection, the switch determines the device power requirements based on its type:
    • A Cisco pre-standard powered device does not provide its power requirement when the switch detects it, so a Catalyst 2960 switch allocates 15.4 W as the initial allocation for power budgeting; a Catalyst 2960-S switch allocates 30 W (PoE+).

See the Catalyst 2960 and 2960-S Software Configuration Guide, 12.2(55)SE.

    Note that this guide is valid for all 2960-S switches.

2. Cisco switches with PoE capability automatically supply power to connected pre-standard powered devices, such as Cisco IP phones and Cisco Aironet access points, and to IEEE 802.3af-compliant powered devices if the switch senses that there is no power on the circuit. See the Power over Ethernet (PoE) Power Requirements FAQ.

There are some things to be aware of, though:

1. The switch might not support a pre-standard powered device, such as Cisco IP phones and access points that do not fully support IEEE 802.3af, if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.

2. A Cisco pre-standard powered device does not provide its power requirement when the switch detects it, so a Catalyst 2960-S switch allocates 30 W (PoE+).
If you do not manually configure the cutoff-power value, the switch automatically determines it by using CDP power negotiation or the device IEEE classification and LLDP power negotiation. If CDP or LLDP are not enabled, the default value of 30 W is applied. However, without CDP or LLDP the switch does not allow devices to consume more than 15.4 W of power, because values from 15400 to 30000 mW are only allocated based on CDP or LLDP requests. If a powered device consumes more than 15.4 W without CDP or LLDP negotiation, the device might be in violation of the maximum current (Imax) limitation and might experience an Icut fault for drawing more current than the maximum. The port remains in the fault state for a time before attempting to power on again. If the port continuously draws more than 15.4 W, the cycle repeats.



Monday, June 4, 2012

Router on a stick: 2811 with 3750, not propagating VLANs


We are trying to configure router on a stick with a 2811 and a 3750, but we just cannot get it to work: VLANs are not getting propagated from the 3750 to the 2811.
 
3750:
 
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
speed 100
duplex full
...
 
3750#sh vtp s
VTP Version                     : running VTP2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : NULL
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xEC 0x70 0xEB 0x0B 0x7D 0xC0 0xC4 0xDE
Configuration last modified by 192.168.1.205 at 3-2-93 18:33:32
Local updater ID is 192.168.1.205 on interface Vl1 (lowest numbered VLAN interface found)
3750#sh vtp c
VTP statistics:
Summary advertisements received    : 0
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 73
Subset advertisements transmitted  : 7
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0
 
VTP pruning statistics:
 
Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa1/0/46            0                0                0      
Fa1/0/48            0                0                0
 
3750#sh int fa1/0/48 switchport
Name: Fa1/0/48
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 100 (SERVER)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
 
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
3750#
 
2811:
 
interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.1
encapsulation dot1Q 100 native
!
interface FastEthernet0/0.2
encapsulation dot1Q 102
!
interface FastEthernet0/0.3
encapsulation dot1Q 202
 
2811#sh vtp s
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 36
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : NULL
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9A 0xC0 0x5E 0x60 0x9B 0xD6 0xE3 0x98
 
2811#sh vtp c
VTP statistics:
Summary advertisements received    : 0
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 0
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0
 
VTP pruning statistics:
 
Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
2811#
 
IOS is 12.4. Tried both VTP1 and VTP2, empty and various domain names, client and transparent modes, all to no avail. I also tried deleting vlan.dat from the 2811.


The show vtp command output on the 2811 router would be interesting only if you had a switching module installed in it and created VLANs on that module. Otherwise, the show vlan-switch or show vtp command output is irrelevant. Also, the router does not speak VTP on its routed ports; that is why the VLANs are not propagating.

What you are creating right now are subinterfaces for selected VLANs. You do that on the 2811 without creating the VLANs explicitly; you simply refer to them directly on the individual subinterfaces.

So what you see is absolutely fine and normal. I am sure that the VLANs themselves work. Do not be worried by the VLANs not propagating from the switch to your router - they are not supposed to be propagated.
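The 2811 side completed with addresses, as an added example that is not from the thread: each subinterface gets an IP address for its VLAN, the router never learns the VLANs via VTP, and show vlans (not show vtp status) is the command that confirms the 802.1Q mapping. The subnet addresses are assumed; the VLAN IDs match the posted configuration.

```cisco
! Added example (not from the thread): completing the router side.
! Subnet addresses are assumed; VLAN IDs 100/102/202 come from the post.
interface FastEthernet0/0
 no ip address
 duplex full
 speed 100
 no shutdown
!
interface FastEthernet0/0.1
 description VLAN 100, native (untagged) on the 3750 trunk
 encapsulation dot1Q 100 native
 ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/0.2
 description VLAN 102
 encapsulation dot1Q 102
 ip address 192.168.102.1 255.255.255.0
!
interface FastEthernet0/0.3
 description VLAN 202
 encapsulation dot1Q 202
 ip address 192.168.202.1 255.255.255.0
!
! The VLANs must exist on the 3750 itself (it is the VTP server); the
! router only tags frames. On the 3750:
! vlan 100
! vlan 102
! vlan 202
!
! Verify on the router with "show vlans": it lists each subinterface
! with its IEEE 802.1Q VLAN ID and the packets seen on it.
```

Hosts in VLAN 102 should then use 192.168.102.1 as their gateway, and a ping from a VLAN 102 host to 192.168.202.1 proves the trunk carries both tagged VLANs.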



Saturday, June 2, 2012

C6509-E : EARL L3 ASIC: Non-fatal interrupt Netflow interrupt

For a while now we have seen this log entry on our 6509-E device:
%EARL_L3_ASIC-SW1_DFC3-3-INTR_WARN: EARL L3 ASIC: Non-fatal interrupt Netflow interrupt
 
It appears every second. We are looking for information about it, but we are not able to find anything on the web.
NetFlow config is:
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.139.16.196 9996
 
The switch config is the same on another device, and that one doesn't get this log entry. Can you please help?

We did a "diagnostic level complete" and then reseated module 3 of switch 1. But we still get the same error message every second.

If the problem is persistent, that would indicate bad memory on module 3 used for NetFlow. It is reporting a single-bit parity error each time the suspect memory is addressed. ECC on the card is correcting the bit flip and alerting you of the event. I don't see this being a transient issue and I recommend you open a TAC case and have the module replaced.

