I am not sure this question was asked in this thread, but are you using a
custom COPP and not the default?
If you have a custom COPP you must apply the new policy with that name prefix
i.e. router-core-copp-acl-hsrp
Vs copp-acl-hsrp.
We do this on our 7 and 9ks so that any new code does not
Just use
conform drop violate drop
That's what we do.
Jeff Fitzwater
EIS Network Systems & Monitoring
Princeton University
From: cisco-nsp on behalf of Drew Weaver
Sent: Friday, January 22, 2021 8:07 AM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp]
We had a problem when we first used redundant sups because we defined boot
config to be on disk0: .
The standby sup would constantly reboot until I removed that command and used
the boot from nvram.
Jeff Fitzwater
Princeton University
On Aug 17, 2014, at 5:35 AM, Ben Hammadi, Kayssar (NSN
the synch stuff
sees the different path?
Thanks
--Tammy
On 8/17/14, 7:11:45, Jeffrey G. Fitzwater wrote:
We had a problem when we first used redundant sups because we defined boot
config to be on disk0: .
The standby sup would constantly reboot until I removed that command and
used
We are planning on installing a second supervisor in one of our border 6500Es
that connects to our 3 ISPs.
The system runs both BGP for ISP peering and RIP for internal routing to core.
The sup is a 720-10G with VS-F6K-PFC3CXL running 122-33.SXJ5
Q1 Since BGP is NFS aware but only after
We are receiving this error and TAC is saying there is no workaround. We are
running 6.2.6 on 7k with sup2E
CSCum74698 SYSMGR-2-TMP_DIR_FULL: System temporary directory usage is
unexpectedly high at 90%.
Does anybody know…
What happens when it reaches 100?
Will a sup switchover clear
I have a case where we think that IPv6 packets are causing problems on a
windows server connected to a port channel on one of our Nexus 7ks.
I would like to apply a PACL filter to block OUTBOUND IPV6 traffic to server,
but it looks like it can only be applied INBOUND.
I don’t want to do it at
An IPv4 ACL deals with only IPv4, so I would need an outbound IPv6 or MAC
filter, but neither can be applied to outbound on port-channel.
Jeff F.
On Jun 13, 2014, at 9:52, Roland Dobbins rdobb...@arbor.net wrote:
On Jun 13, 2014, at 8:27 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
We are running 6.1.2 on 7k 18 slot with sup2.
FDB appears to have stopped learning addresses, but some are in table and we
are not even close to limit.
Cleared mac address table but no change.
Switched to standby sup but no change.
Has anyone seen this issue ?
I currently have case
I believe I had asked the question about third party optics with the new NX-OS
6.2.2a, and found out that in this revision you MUST enter the command “service
unsupported-transceiver” to get them to be recognized. In previous versions
that command was enabled by default. Who knew!
There
Christina, are you running on sup-2E ? We are running many non-CISCO
transceivers on nexus 7k running 6.1.3 but when I did the upgrade to 6.2.2a NO
GOOD.
We also ran across issue with 6.2.2a on sup-2E that you cannot overwrite slot0:
file. Delete but no overwrite. TAC case open.
Jeff
I don’t see the “service unsupported-transceiver” command nor does it run (in
case it's hidden). That would imply it's not there on 7k 6.1.3 or 6.2.2a.
Can you imagine us doing an upgrade on one of our core 7k and having all the
transceivers fail.
Jeff
On Nov 19, 2013, at 12:25 PM, Gert
line cards. I just
accepted the fact that we will have to pay the Cisco tax.
Regards,
Christina
On 11/19/2013 02:45 PM, Jeffrey G. Fitzwater wrote:
Christina, are you running on sup-2E ? We are running many non-CISCO
transceivers on nexus 7k running 6.1.3 but when I did the upgrade
What sup and what EPLD ver.
Interesting !
Jeff
On Nov 19, 2013, at 3:10 PM, Tim Durack
tdur...@gmail.com wrote:
service unsupported-transceiver works for us on 6.2.2a.
On Tue, Nov 19, 2013 at 2:49 PM, Jeffrey G. Fitzwater
jf...@princeton.edumailto:jf
:49 PM, Jeffrey G. Fitzwater
jf...@princeton.edu wrote:
I don’t see the “service unsupported-transceiver” command nor does it run (in
case it's hidden). That would imply it's not there on 7k 6.1.3 or 6.2.2a.
Can you imagine us doing an upgrade on one of our core 7k
Of
Jeffrey G. Fitzwater
Sent: Tuesday, November 19, 2013 2:33 PM
To: Tim Durack
Cc: Gert Doering; Christina Klam; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Third party transceivers that fail only with new, NX-OS
6.2.2a on sup-2E
My error. Yes it does exist. Not sure what I did wrong
, at 4:24 PM, James Slepicka (c-nsp) cisco-...@slepicka.net
wrote:
Does the command exist in 6.1(3)? I don't have a box that I can test with.
-Original Message-
From: Jeffrey G. Fitzwater [mailto:jf...@princeton.edu]
Sent: Tuesday, November 19, 2013 3:19 PM
To: James Slepicka (c-nsp
Since CISCO TECH will probably not touch this because it's not CISCO, I see if
anybody has solution.
We are running nx-os 6.1.3 on 7k with sup-2E on a new chassis that will go into
production soon. We wanted to run the 6.2.2a to fix some other issues with
logging and found out the channel
I need to rate limit some hosts to 5Mbps each outbound on a vlan on nexus 7k
running 6.2.
Without testing yet, I’m not sure it will rate limit per IP, but may aggregate
the rate per ACL since the policing applies to a single class-map.
I would hate to have to configure a class-map for each
Does anyone know if OIR has any effect on Spanning Tree ?
I know it stops the BUS briefly but that's it.
We had to remove a mod that had nothing connected but did still have config,
and we experienced many STP log messages relating to ROOT change from other
connect switches.
I could not
We have replaced all our sup-s with sup-2s and shipped back the sup-1s, but
kept the slot0: flash cards because they still had sensitive data. We have
been trying to format the flash cards using different DISK utilities and CLIs
but cannot seem to find anything that will work.
I used to do
We are running 6.1.2 on 7k and never seem to get traps when an optical trans.
goes out of range. We see the problem manually with the command show int
e2/15 trans det but no traps.
Any ideas?
Jeff Fitzwater
OIT Network Systems
Princeton University
TEST email
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
We have a 7k chassis that has a SUP-1 and FAB-1 that will be upgraded with
SUP-2 and FAB-2, but while I am testing in a spare chassis I don't want to
prohibit the spare modules from being used in chassis with SUP-1 if the EPLD is
incompatible.
Q1. Is the EPLD version that I load into an
Not sure about a 3825, but is the console in a VRF and you need to specify
what vrf you want to ping?
Jeff F.
On Jul 5, 2013, at 11:53 AM, Chris Knipe sav...@savage.za.org
wrote:
Hi All,
I can't believe I am doing this, but I am either missing something VERY
obvious, or I am in need
I would like to find out what routes are NOT in my route table and therefore
follow the DEFAULT path to 0.0.0.0.
I am running a 6500 sup-720-10G with SXI. Is there any CEF command that might
tell me this or is it something very simple I just missed.
Would show ip cef unresolved work ? I
wrote:
On (2013-07-02 20:19 +), Jeffrey G. Fitzwater wrote:
I would like to find out what routes are NOT in my route table and therefore
follow the DEFAULT path to 0.0.0.0.
Would show ip cef unresolved work ? I get nothing back when I run it but
maybe there is nothing to see.
What
In IOS when we had an L3 ACL with deny log-input the log entry would show
the VLAN and MAC SRC for ACE hit….
%SEC-6-IPACCESSLOGP: list router-in denied udp n.n.n.n(137) (Vlan176
00de.adee.675a) - n.n.n.n(137), 67 packets
But in NX-OS this does not appear possible with 6.1.2.
FIXES in
The logging is applied to an extended named ACL attached to a VLAN ACL via
access-group in.
On Jun 24, 2013, at 10:32 AM, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 24/06/13 15:29, Jeffrey G. Fitzwater wrote:
In IOS when we had an L3 ACL with deny log-input the log entry would
show
Forgot to mention this is on 6500 sup-720-10G running 12.2.33 SXI7
I believe that the logging statement in the ACE also forces the packet to be
punted.
Jeff
On Jun 24, 2013, at 10:32 AM, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 24/06/13 15:29, Jeffrey G. Fitzwater wrote:
In IOS
How should an igmp querier be configured if the interface is also configured
for HSRP?
In NX-OS 6.1.2 you must explicitly configure an IP for the querier.
---
vlan configuration (vlan#)
ip igmp snooping querier A.B.C.D
--
Do I use the VIP IP or the interface IP.
nexus 7k 6.1.2
Is there any way to show in log message, when you have an ACL with LOG option,
the actual name of the ACL?
Thanks for any help.
Jeff Fitzwater
OIT Network Systems
Princeton University
cisco 7k 6.1.2
We are seeing delays when ssh-ing to system just before the banner page comes
up.
Once session is up we see no delay.
It has become very consistent when we log-in recently and the delay is always
just before the banner is displayed.
Debugging of the SSH session at client
is established the reverse record for the IP might be requested causing a
delay.
You could also do an ethanalyzer capture in the main vdc in one session while
doing an SSH connection to the N7k and check what's happening.
Best regards,
Andras
On Mon, Mar 11, 2013 at 4:55 PM, Jeffrey G. Fitzwater
jf
How concerned should I be about the HW and FW revisions? 2.2 to 4.3 seems
pretty far apart.
Here are two CEF720 24 port 1000mb SFP WS-X6724-SFP modules. One is our
current running and the other is from used market for lab testing.
Mod MAC addresses Hw
I am trying to FTP xfer config file to server, which we have configured to only
allow the nexus loopback0 as SRC IP, but xfer fails because SRC is one of the
L3 VLAN IPs NOT loopback0.
How can I force FTP to use a certain IP interface, specifically from management
loopback?
So far I see no
Yes, but that's our plan B.
Thanks
Jeff F.
On Jan 30, 2013, at 09:44 , Jeffrey G. Fitzwater wrote:
I am trying to FTP xfer config file to server, which we have configured to
only allow the nexus loopback0 as SRC IP, but xfer fails because SRC is one
of the L3 VLAN IPs NOT loopback0.
How
Alan, there are many normal things that can cause this, like ARP broadcast,
unknown unicast especially in a large flat nets.
I would start there, but remember it might be normal.
Jeff Fitzwater
OIT Network Systems
Princeton University
wrote:
Hi,
Can someone please point me in the right
To: Jeffrey G. Fitzwater jf...@princeton.edu
Cc: Michael Sprouffske msprouff...@yahoo.com;
cisco-nsp@puck.nether.net
Sent: Monday, January 28, 2013 12:50
nexus 7k with sup-1 5.2
How can I tell which MATCH statement within a CLASS-MAP is causing CoPP drops
shown in example below?
Here are the two I am concerned with. The CoPP stats were cleared 10 min prior
to this output.
--
class-map copp-system-class-normal
We have an eval 4500x with a 10GBase-LR SFP+ attached, which is now logging …
%SFF8472-5-THRESHOLD_VIOLATION: Te1/32: Rx power low alarm; Operating value:
-40.0 dBm, Threshold value: -18.4 dBm.
We haven't installed the fiber yet but it seemed a little odd that the port was
logging low power
We are looking at using the CISCO UCS blades but we have a problem with the
vlan ID we have in use not available on the UCS blade.
Is there any way to change the internal VLAN range (3968 to 4048) that is fixed
in the UCS blade code?
They fixed this problem for the NX-OS to allow it to be
It turns out it is some bug with adding this single entry into a long ACL. Once
we did a rebuild of ACL ( no access list foo then access-list foo ) all worked
fine. The single ACE entry was added about two weeks ago and just last week
someone decided to poke at the port 19 and that's when we saw
We have within the last week noticed high CPU due to packets with DST of port
19 (chargen ) but NOT DST IP of router, being punted to CPU.
We set up monitor port with SRC of RP CPU and both directions and can clearly
see constant stream of DST port 19. We can't just block SRC IP or PORT since
How does DOM support fit into all this? CISCO SFP vs 3rd party? If a third
party tells you they support DOM, does that mean it works as advertised and the
values returned are correct. Is this a good reason to buy only CISCO?
Jeff Fitzwater
OIT Network Systems
Princeton University
On Jul
We are looking at OTV to mainly eliminate the tromboning of packets between our
two data centers which will soon both have 7013 nexus (only one 7018 the other
a 6513 soon to be upgraded).
The two data centers each have many L3 subnets and are extended to the other
data center using L2 trunks.
We have tried the following on our test FWSM setup and it appears to break our
original ACL used for blocking hosts.
Nothing in the docs I have read states one ACL overrides the other.
I have FWSM with OUTSIDE interface that has ACL-1 that is applied to both
inbound and outbound traffic to
I am using MANUAL, so I then run the access-list commit config command.
On Apr 25, 2012, at 11:24 , Jeffrey G. Fitzwater wrote:
We have tried the following on our test FWSM setup and it appears to break
our original ACL used for blocking hosts.
Nothing in the docs I have read states one
I am trying to understand if ALL ARP (requests ) packets that a nexus 7K sees,
need to be punted to the CPU and therefore managed by COPP policies /
rate-limits?
Over the weekend we had a data loop that cooked the CPU and we are trying to
understand what packets that were control plane
I am running NX 5.2.1 on 7018 and have set logging level L2FM to 5
(notifications) in order to see the MAC-MOVES in logs. The problem I see is
that VLAN associated with the MAC is not part of the error message as it is
with 6500 IOS…
NX-OS
%L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has
I am trying to use the sup720-10G 10g port and another 10g port on a 6708-10G
module as an ether-channel pair.
Running IOS 12.2.SXI3
QOS enabled globally, but not enabled on 10G ports by default. If I do a show
mls qos it tells me that qos is NOT enabled on the 10G modules. (FIFO mode)
The
.
Jeff
On Jan 5, 2012, at 10:48 , Andrew Miehs wrote:
Hi Jeff,
On Thu, Jan 5, 2012 at 1:12 PM, Jeffrey G. Fitzwater
jf...@princeton.edu wrote:
I am trying to use the sup720-10G 10g port and another 10g port on a 6708-10G
module as an ether-channel pair.
...
Group Port
the consistency
check.
I haven't tried it.
/chris
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
boun...@puck.nether.net] On Behalf Of David Prall
Sent: Thursday, January 05, 2012 1:28 PM
To: 'Chuck Church'; 'Jeffrey G. Fitzwater'
Cc: cisco-nsp
if the blade has to be replaced.
LR Mack McBride
Network Architect
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeffrey G. Fitzwater
Sent: Monday, October 31, 2011 1:00 PM
To: cisco-nsp@puck.nether.net
Subject: [c
Will the switching processor or routing processor on a sup720-3B incur more CPU
load if its switching mode is BUS vs dCEF?
It looks like it would be best for me to upgrade mod 3 to something that
supports a fabric connection.
If I run show fabric switching-mode on 6513 I get the following…
We would like to try a 3750E as a backup router should we have a catastrophic
failure of our current 6500 that has 3 ISP attached. This would only be used
as a temp ISP backup.
The 3750E would only need to connect to one ISP at 1G and only need DEFAULT to
peer.
Are there any issues with it
I am running SXI3 which has the SSH bug that stops SSH logins from working if
you change the HOSTNAME.
Well... I went and changed the hostname and now ssh fails and have to use
Telnet until I find a fix or reboot.
I have tried the procedure to remove the phantom key, but it is logging that it
Does anybody know the absolute answer, if a 3750X can or cannot stack with a
3750 or 3750E ?
I have heard both Yes and No from Cisco ?
Thanks for any info.
Jeff Fitzwater
OIT Network Telecommunications Systems
Princeton University
rights reserved. This document is Cisco
Public Information.
Jeff
Thanks to all for info.
On Oct 12, 2011, at 10:24 , Nick Hilliard wrote:
On 12/10/2011 13:56, Jeffrey G. Fitzwater wrote:
Does anybody know the absolute answer, if a 3750X can or cannot stack with a
3750 or 3750E ?
I have
If they allow vlan 50 into your trunk port, then THAT traffic will hit your
switch but will get dumped by your switch if you do NOT allow vlan 50; and I
believe the vlan 50 packets are counted as DISCARDED frames on that port. So
the pipe is more congested with vlan 50 traffic. (That is
either way though :) Let me know if you have some specific
examples and I can take a looksie at it.
-Kevin
On Fri, 16 Sep 2011, Jeffrey G. Fitzwater wrote:
I have been using the ( neighbor xxx.xxx.xxx.xxx prefix-list myPrefix out )
to control what prefixes we announce to our ISPs.
I