Thursday, December 27, 2012

How to interconnect two vrfs in the same switch Catalyst 6500


In a virtualized data centre environment, service is provided to customers with isolation in mind, using VLANs, VRFs and context-based services in physical appliances such as firewalls, load balancers and intrusion detection systems, and also as virtual appliances inside hypervisors.
When this level of virtualization is achieved, it is common that your requirements also increase and some impossible things are demanded. One of these situations is the interconnection of two VRFs in the same switch.
As you know, there can only be one Layer 3 VLAN interface inside a 6500 chassis, provided by the supervisor.

The following are solutions to interconnect two VRFs:
  • Use an external firewall or router to route the traffic (bad option)
  • Crossover cable between two ports (most common)
  • GRE connection between VRFs.
  • Use RD for this requirement
The one that I find more stable is the crossover cable or fiber, but it depends on a physical component which can fail.
The cleanest solution is the GRE connection, but I have never tested it in production.

Thursday, December 13, 2012

Redistribute BGP to RIP


In order to redistribute BGP into RIP you will have to specify the metric of the routes when they arrive at the RIP engine; otherwise they will have 255 distance and will not show up in the routing table. By default, the routes will be unreachable.

An example below:

router rip
 passive-interface default
 !
 address-family ipv4 vrf bank1
  redistribute bgp 64111 metric 1
  network 192.168.25.0
  neighbor 192.168.25.10
  no auto-summary
  version 2
 exit-address-family

10Gbps interface with Twin-ax copper cable SFP-H10GB-CU3M

The twin-ax cable SFP-H10GB-CU3M appears on a 3750 like this:

Te1/1/1   SERVER    connected    trunk        full    10G SFP-10GBase-CX1


Implement RIP in VRF


It is possible to implement RIP in a VRF. Here's an example:


router rip
 passive-interface Vlan1300
 !
 address-family ipv4 vrf client1
  network 192.168.1.0
  no auto-summary
  version 2
 exit-address-family
!

Tuesday, December 11, 2012

Available commands in Cisco IOS


It is possible to browse the available commands on a Cisco Catalyst or router.
Just type the command:
show parser dump all

show parser dump all | grep transceiver

15 debug transceiver detail
15 debug transceiver info
15 debug transceiver error
1 show interfaces transceiver detail module Number
1 show interfaces transceiver detail
1 show interfaces transceiver threshold violations module Number
1 show interfaces transceiver threshold violations
1 show interfaces transceiver calibration module Number
1 show interfaces transceiver calibration
1 show interfaces transceiver properties module Number
1 show interfaces transceiver properties
1 show interfaces transceiver module Number
1 show interfaces transceiver
1 show interfaces transceiver detail module Number
1 show interfaces transceiver detail
1 show interfaces transceiver threshold violations module Number
1 show interfaces transceiver threshold violations
1 show interfaces transceiver calibration module Number
1 show interfaces transceiver calibration
1 show interfaces transceiver properties module Number

SFF8472-5-THRESHOLD_VIOLATION: Rx power high warning; Operating value:


SFF8472-5-THRESHOLD_VIOLATION: Te1/1/1: Rx power high warning; Operating value:  -0.4 dBm, Threshold value:  -1.0 dBm.

This is a strange problem. Normally, fiber problems show high attenuation. This problem occurs because the signal is too strong, probably due to a fiber cable that is too short. Solution: change the fiber length. If that does not work, change the SFP.

Friday, December 7, 2012

Cisco ASA Log commands to buffer or logging server


The goal is to force the ASA to log a line to the buffer or to a syslog server whenever a CLI command is issued.
One solution is to change log message 111008 to the level that you want to log in the buffer or in the trap.

An example:

logging enable
logging timestamp
logging buffer-size 128000
logging monitor alerts
logging buffered alerts
logging trap alerts
logging history alerts
logging facility 15
logging device-id hostname
logging host MGMT 1.1.1.1
logging message 111008 level alerts
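Once message 111008 reaches the syslog server, something has to read it. The following parser is an added example, not part of the original post: it extracts user and command from 111008 lines (the documented format is "User 'x' executed the 'y' command.") and flags commands that weaken the audit trail itself. The sample log lines and the WATCHLIST prefixes are constructed for illustration.

```python
import re
from collections import Counter

# ASA command-audit message; severity is 1 here because the post raises
# 111008 to "alerts" with "logging message 111008 level alerts".
ASA_111008 = re.compile(
    r"%ASA-(?P<sev>\d)-111008: User '(?P<user>[^']+)' "
    r"executed the '(?P<cmd>.*)' command\.$"
)

# Constructed watchlist: commands that reduce logging or accounting are
# exactly the ones a defender wants to see when reviewing 111008 output.
WATCHLIST = ("no logging", "clear logging", "no aaa accounting")

def parse_111008(line):
    """Return (severity, user, command) or None if the line is not 111008."""
    m = ASA_111008.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("user"), m.group("cmd")

def audit(lines):
    """Count executed commands per user and collect watchlisted commands."""
    per_user = Counter()
    flagged = []
    for line in lines:
        rec = parse_111008(line)
        if rec is None:
            continue
        _sev, user, cmd = rec
        per_user[user] += 1
        if any(cmd.startswith(w) for w in WATCHLIST):
            flagged.append((user, cmd))
    return per_user, flagged

# Constructed sample syslog lines (not taken from the original post).
SAMPLE = """\
Dec 07 2012 10:15:01 fw1 : %ASA-1-111008: User 'enable_15' executed the 'configure terminal' command.
Dec 07 2012 10:15:07 fw1 : %ASA-1-111008: User 'enable_15' executed the 'logging buffered alerts' command.
Dec 07 2012 10:15:20 fw1 : %ASA-1-111008: User 'jdoe' executed the 'no logging trap' command.
Dec 07 2012 10:16:00 fw1 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51000 (10.0.0.7/51000)
""".splitlines()

if __name__ == "__main__":
    users, flags = audit(SAMPLE)
    print(dict(users))
    print(flags)
```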

Wednesday, December 5, 2012

Traffic generation with 10Gbps ports

This post will detail the throughput test results between two servers with 10Gbps ports.

The results were quite impressive: 10Gbps wire speed!

More updates soon!

How to get vlan usage list via SNMP in Nexus 5000 or 7000


The goal is to get the VLANs in use from a Cisco Nexus, including those without a Layer 3 interface associated with them.

Previously, with IOS, the Layer 3 and Layer 2 VLANs were shown when polling the MIB .iso.3.6.1.2.1.2.2.1.2. With Nexus, the same MIB will only return the physical interfaces and the Layer 3 interfaces (SVIs).

So, with Nexus, it is not possible to poll the VLAN table through that MIB.

Currently, in a Nexus 5000, this is the output of the snmpwalk:

snmpwalk -v 1 -c public 10.1.1.1 1.3.6.1.2.1.31.1.1.1.1
IF-MIB::ifName.1 = STRING: Vl1
IF-MIB::ifName.2500 = STRING: Vl2500
IF-MIB::ifName.5001 = STRING: Po1
IF-MIB::ifName.10101 = STRING: Gi0/1
IF-MIB::ifName.10102 = STRING: Gi0/2
IF-MIB::ifName.10103 = STRING: Gi0/3
IF-MIB::ifName.10104 = STRING: Gi0/4
IF-MIB::ifName.10105 = STRING: Gi0/5
IF-MIB::ifName.10106 = STRING: Gi0/6
IF-MIB::ifName.10107 = STRING: Gi0/7
IF-MIB::ifName.10108 = STRING: Gi0/8
IF-MIB::ifName.10109 = STRING: Gi0/9
IF-MIB::ifName.10110 = STRING: Gi0/10
IF-MIB::ifName.10111 = STRING: Gi0/11
IF-MIB::ifName.10112 = STRING: Gi0/12
IF-MIB::ifName.10113 = STRING: Gi0/13
IF-MIB::ifName.10114 = STRING: Gi0/14
IF-MIB::ifName.10115 = STRING: Gi0/15
IF-MIB::ifName.10116 = STRING: Gi0/16
IF-MIB::ifName.10117 = STRING: Gi0/17
IF-MIB::ifName.10118 = STRING: Gi0/18
IF-MIB::ifName.10119 = STRING: Gi0/19
IF-MIB::ifName.10120 = STRING: Gi0/20
IF-MIB::ifName.10121 = STRING: Gi0/21
IF-MIB::ifName.10122 = STRING: Gi0/22
IF-MIB::ifName.10123 = STRING: Gi0/23
IF-MIB::ifName.10124 = STRING: Gi0/24
IF-MIB::ifName.10125 = STRING: Gi0/25
IF-MIB::ifName.10126 = STRING: Gi0/26
IF-MIB::ifName.10127 = STRING: Gi0/27
IF-MIB::ifName.10128 = STRING: Gi0/28
IF-MIB::ifName.10129 = STRING: Gi0/29
IF-MIB::ifName.10130 = STRING: Gi0/30
IF-MIB::ifName.10131 = STRING: Gi0/31
IF-MIB::ifName.10132 = STRING: Gi0/32
IF-MIB::ifName.10133 = STRING: Gi0/33
IF-MIB::ifName.10134 = STRING: Gi0/34
IF-MIB::ifName.10135 = STRING: Gi0/35
IF-MIB::ifName.10136 = STRING: Gi0/36
IF-MIB::ifName.10137 = STRING: Gi0/37
IF-MIB::ifName.10138 = STRING: Gi0/38
IF-MIB::ifName.10139 = STRING: Gi0/39
IF-MIB::ifName.10140 = STRING: Gi0/40
IF-MIB::ifName.10141 = STRING: Gi0/41
IF-MIB::ifName.10142 = STRING: Gi0/42
IF-MIB::ifName.10143 = STRING: Gi0/43
IF-MIB::ifName.10144 = STRING: Gi0/44
IF-MIB::ifName.10145 = STRING: Gi0/45
IF-MIB::ifName.10146 = STRING: Gi0/46
IF-MIB::ifName.10147 = STRING: Gi0/47
IF-MIB::ifName.10148 = STRING: Gi0/48
IF-MIB::ifName.10149 = STRING: Gi1/1
IF-MIB::ifName.10150 = STRING: Gi1/2
IF-MIB::ifName.10151 = STRING: Gi1/3
IF-MIB::ifName.10152 = STRING: Gi1/4
IF-MIB::ifName.10201 = STRING: Te1/1
IF-MIB::ifName.10202 = STRING: Te1/2
IF-MIB::ifName.10501 = STRING: Nu0
IF-MIB::ifName.10502 = STRING: Fa0

and the vlans created in Layer2 are:
sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Po1, Eth1/14, Eth1/15, Eth1/16
                                                Eth1/18, Eth1/19, Eth1/20
                                                Eth1/22, Eth1/23, Eth1/24
                                                Eth1/26
2500 MANAGEMENT                       active    Po1
2003 SERVICE A                        active    Po1
2004 SERVICE B                        active    Po1
2005 SERVICE C                        active    Po1
2006 SERVICE D                        active    Po1

Only VLANs 1 and 2500 are polled, because they have a Layer 3 interface.

The test was done on a Nexus 5000. The same behavior happens on a Nexus 7000.

In order to get the VLAN list, you will have to walk another MIB:
snmpwalk -v 1 -c public 10.1.1.1 SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1

SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1 = STRING: "default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2003 = STRING: "SERVICE A"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2004 = STRING: "SERVICE B"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2005 = STRING: "SERVICE C"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2006 = STRING: "SERVICE D"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2500 = STRING: "MANAGEMENT"
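The OID walked above is vtpVlanName from CISCO-VTP-MIB, indexed by VLAN id. The script below is an added example (not from the post): it parses both walks in the format shown above and lists the VLANs that exist at Layer 2 but are invisible through IF-MIB, which is what an inventory or segmentation audit of a Nexus needs. The two sample walks are constructed, trimmed copies of the output format above.

```python
import re

# One line of an IF-MIB::ifName walk; only SVIs (Vl<id>) are of interest here.
IFNAME_RE = re.compile(r"^IF-MIB::ifName\.\d+ = STRING: Vl(\d+)$")
# One line of the vtpVlanName walk; the last sub-identifier is the VLAN id.
VTP_NAME_RE = re.compile(
    r'^SNMPv2-SMI::enterprises\.9\.9\.46\.1\.3\.1\.1\.4\.1\.(\d+) = STRING: "(.*)"$'
)

def svi_vlans(ifname_walk):
    """VLAN ids that have a Layer 3 SVI, taken from an IF-MIB ifName walk."""
    ids = set()
    for line in ifname_walk:
        m = IFNAME_RE.match(line.strip())
        if m:
            ids.add(int(m.group(1)))
    return ids

def l2_vlans(vtp_walk):
    """{vlan id: name} for every VLAN returned by the vtpVlanName walk."""
    out = {}
    for line in vtp_walk:
        m = VTP_NAME_RE.match(line.strip())
        if m:
            out[int(m.group(1))] = m.group(2)
    return out

def l2_only_vlans(ifname_walk, vtp_walk):
    """VLANs present at Layer 2 but without an SVI, sorted by VLAN id."""
    with_svi = svi_vlans(ifname_walk)
    return sorted((vid, name) for vid, name in l2_vlans(vtp_walk).items()
                  if vid not in with_svi)

# Constructed sample walks in the format shown in the post.
IFNAME_SAMPLE = """\
IF-MIB::ifName.1 = STRING: Vl1
IF-MIB::ifName.2500 = STRING: Vl2500
IF-MIB::ifName.5001 = STRING: Po1
IF-MIB::ifName.10201 = STRING: Te1/1
""".splitlines()

VTP_SAMPLE = """\
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1 = STRING: "default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2003 = STRING: "SERVICE A"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2004 = STRING: "SERVICE B"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.2500 = STRING: "MANAGEMENT"
""".splitlines()

if __name__ == "__main__":
    for vid, name in l2_only_vlans(IFNAME_SAMPLE, VTP_SAMPLE):
        print(vid, name)
```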

Tuesday, October 30, 2012

service unsupported-transceiver


Some unsupported transceivers can be used in a Cisco 3750. Obviously, Cisco won't support it!

c3750(config)#service unsupported-transceiver
 Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco's discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.

c3750(config)#

Wednesday, October 17, 2012

Change MTU size in a 3750 port


The Catalyst 3750 cannot change the MTU per port. It can only be changed globally on the switch with the command "system mtu 1526". For it to take effect you have to reload the switch.
10/100 ports: max is 1998
1G: 9000 bytes



C3750#sh system mtu

System MTU size is 1524 bytes
System Jumbo MTU size is 1524 bytes
System Alternate MTU size is 1524 bytes
Routing MTU size is 1500 bytes

Thursday, October 4, 2012

Unable to read configuration. Try again later.


CISCO6500#wr
Unable to read configuration. Try again later.

CISCO6500#


This is caused by high activity on the CLI. Probably a sh run is taking place, or some other action that locks the execution of the CLI command.

Wednesday, October 3, 2012

high CPU usage on cisco catalyst 6500 with itasca process


In a Cisco 6500 switch with an ACE module, if the itasca process is consuming too much CPU, it can be caused by the logging supervisor command on the ACE.

This command dumps the ACE logging into the supervisor and consumes RP resources.

To resolve this, remove the command "logging supervisor" from the ACE configuration and make the ACE send its logging to a log server directly.
 
--------------
 
The same problem was seen with logging generated by the switch itself.
The fix was:
no logging on

At least until the problem is found, the CPU was back to normal.

Before:
SWITCH# proc cpu sort
CPU utilization for five seconds: 99%/1%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  62     2749624    243589      11287 86.82% 83.39% 84.82%   0 itasca
 131       11100     21481        516  0.47%  0.60%  0.67%   4 SSH Process
 499   5563701363409673472          0  0.39%  0.44%  0.45%   0 Port manager per
 

After: 
SWITCH#sh proc cpu sort
CPU utilization for five seconds: 5%/1%; one minute: 9%; five minutes: 30%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 499   5563783763409717288          0  0.79%  0.94%  0.87%   0 Port manager per
 560     40374923186106614          1  0.31%  0.31%  0.31%   0 HSRP Common
 273   2786680721058539466        263  0.31%  0.36%  0.41%   0 IP Input

 

Friday, September 14, 2012

ACE30 Monitoring with SNMP


I have been preparing some KPIs for ACE30 blades which can give me a macro status of all services provided in several contexts inside the ACE.

The goal is to measure these KPIs with SNMP, using MRTG for example, and build a graph.
The interesting MIBs that can be monitored are:
- Number of connections currently in use per context
- Traffic in and out of the ACE30 blade (16G connection to the backplane)
- CPU

Regarding the number of connections, you have to do it per context. So, you will need an IP address in each context for SNMP polling purposes.
In my MRTG I am using the MIB:

enterprises.9.9.480.1.1.2.1.8.7.100.101.102.97.117.108.116.3

As for traffic, the best way (so far) is to browse your interfaces with "snmp mib ifindex ifmib" and get the interface id of the ACE30. It will come up as a TenG interface.

Tuesday, September 11, 2012

How port-channel works in cisco switches

Port-channel is a feature to aggregate two links in an interconnection to another switch. It is very useful in the following scenarios:
  • Increasing the throughput by adding another link. For example, in a port-channel of 2 Gbps, if you need more throughput, you just have to add another link to the port-channel. There is no downtime, although the hashing of the port-channel will change.
  • Very efficient for a link upgrade scenario, as you will not have an STP reconvergence.

Things you should know about port-channel that are not very clear in the documentation:
  • The maximum throughput of a single flow in a port-channel is the throughput of one member link. This is because the best Cisco equipment can do is IP hashing: each IP is associated with only one port, so any flow from anywhere to the IP behind it will always have 1 Gbps throughput.
  • Aggregation protocols such as LACP are very important. They add keepalive checks to the port-channel to guarantee that it is still up. LACP fast can detect a failure really fast.
  • High CPU can bring down aggregation protocols, which could end in catastrophic link-down scenarios.
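The single-flow limit above can be shown with a small model. This is an added example, not from the post, and it assumes a simplified src-dst-ip hash (XOR of the two addresses, low-order bits select the member) rather than Cisco's exact hardware hash; the member names and flows are constructed.

```python
import ipaddress

def member_for_flow(src, dst, members):
    """Simplified model (an assumption for illustration, not Cisco's exact hash):
    XOR the two IPv4 addresses and use the low-order bits to pick a member."""
    n = len(members)
    if n == 0 or n & (n - 1):
        raise ValueError("model assumes 2, 4 or 8 member links")
    x = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    return members[x & (n - 1)]

def load_per_member(flows, members):
    """Offered load in Mbps per member link for a list of (src, dst, mbps) flows."""
    load = {m: 0 for m in members}
    for src, dst, mbps in flows:
        load[member_for_flow(src, dst, members)] += mbps
    return load

def oversubscribed(flows, members, link_mbps=1000):
    """Members whose pinned flows exceed one link, even though the bundle
    as a whole offers len(members) * link_mbps."""
    return sorted(m for m, mbps in load_per_member(flows, members).items()
                  if mbps > link_mbps)

MEMBERS = ("Gi1/0/1", "Gi1/0/2")
# Constructed flows: three 600 Mbps sessions between one client and one server,
# plus a 300 Mbps session from a second client to the same server.
FLOWS = [
    ("10.0.0.10", "10.0.1.20", 600),
    ("10.0.0.10", "10.0.1.20", 600),
    ("10.0.0.10", "10.0.1.20", 600),
    ("10.0.0.11", "10.0.1.20", 300),
]

if __name__ == "__main__":
    # All three sessions of the first client hash to the same member link.
    print(load_per_member(FLOWS, MEMBERS))
    print(oversubscribed(FLOWS, MEMBERS))
```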

Monday, September 10, 2012

CSM force failover

To perform a CSM failover, execute the following command on the active unit:
clear module contentSwitchingModule 4 ft active

CSM Redirect serverfarm

In some scenarios, you might want to convert your load balancer into a redirect engine. Some reasons for that are:
  • Controlling HTTP to HTTPS redirects
  • During a maintenance period you can redirect the website to another location while the webserver is down.
  • Migration scenarios.
The script to execute this is:

module ContentSwitchingModule 3
 serverfarm MYFARM_80
  nat server
  no nat client
  redirect-vserver MYFARM_RED
   webhost relocation https://newsite.com
   inservice
 !
 vserver MYFARM_80
  virtual 10.1.1.140 tcp 80
  serverfarm MYFARM_80
  persistent rebalance
  inservice
 !