Hi Sven,

I had not exactly the same but similar issues, but with a 7606 - see http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I learned from TAC that the issue was with the fact that I used it in combination with VRFs and the traffic got incorrectly punted into the 7606 MSFC CPU, where there are hardware rate limiters (show mls rate-limit).

Anyway, try upgrading the 6509; I am sure some old SXD code has a number of bugs around this.

-pavel

On Tue, Jan 26, 2010 at 2:06 PM, Sven 'Darkman' Michels <s...@darkman.de> wrote:
> Hi Pavel, rest,
>
> sorry for coming back on the topic. I had now the time to play with the setup
> a bit more and run into a problem: pvlans are not working well.
>
> The config:
> having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15)
> configured as follows:
> interface Port-channel1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> both ports have the following config:
> interface GigabitEthernet3/13
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
>  no cdp enable
>  channel-group 1 mode on
>
> The PVLAN is 334,335:
> interface Vlan334
>  ip address xx.xx.xx.1 255.255.255.0
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  ip sticky-arp ignore
>  no ip proxy-arp
>  no ip mroute-cache
>  private-vlan mapping 335
> end
>
> VLan config:
> vlan 334
>  name ISOLATOR-FOR-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name ISOLATED-BY-334
>  private-vlan isolated
> end
>
> VLAN335 has no interface, of course.
>
> Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the
> Switch:
>
> interface Port-channel1
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  ip dhcp snooping trust
> end
>
> interface GigabitEthernet0/49
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  udld port
>  channel-group 1 mode on
>  ip dhcp snooping trust
> end
>
> (same for 50).
>
> and the vlan config:
> vlan 334
>  name transport-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name lan
>  private-vlan isolated
> end
>
> And the lan port:
> interface GigabitEthernet0/41
>  switchport private-vlan host-association 334 335
>  switchport mode private-vlan host
>  switchport nonegotiate
>  speed auto 10 100
>  no cdp enable
>  spanning-tree bpduguard enable
>  ip dhcp snooping limit rate 10
> end
>
> it's just a small device connected to check if ping works fine so far.
>
> Now the problem: ping from 6509:
>
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ..!.!
> Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ....!
> Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms
>
> This is far away from being good :(
>
> The interesting thing: I have vlan336 on the same setup as normal vlan,
> where a small dmz is located. This one works perfectly: no loss, ping
> is okay... So it seems to be a problem related to the pvlan itself, not
> to the setup, right?
> I also shut one port for the channel to see if that helps, but no luck :(
>
> I've no more ideas, beside removing the Portchannel and try again, which would be sad...
>
> Thanks and regards,
> Sven
>
> _______________________________________________
> cisco-nsp mailing list cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
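
Added example, not part of the thread: a Python check that the PVLAN definitions and trunk allow-lists quoted above agree on both switches, since the isolated VLAN has to be defined identically on each side and carried on the inter-switch trunk. The config excerpts are retyped from the message; `expand`, `parse` and `audit` are hypothetical helper names, and all trunk allow-lists on a switch are treated as one set.

```python
import re

# Excerpts retyped from the configs quoted in the message above (names omitted).
CORE_6509 = """\
interface Port-channel1
 switchport trunk allowed vlan 330-349
vlan 334
 private-vlan primary
 private-vlan association 335
vlan 335
 private-vlan isolated
"""
# The 3560G excerpt differs from this only in its allowed range.
ACCESS_3560 = CORE_6509.replace("330-349", "330-336")

def expand(spec):
    """Expand an IOS VLAN list such as '330-336,340' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse(cfg):
    """Return ({vlan: pvlan type}, {primary: secondaries}, trunk-allowed ids)."""
    types, assoc, allowed, vlan = {}, {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            vlan = int(m[1])            # entering a "vlan N" block
        elif not line.startswith(" "):
            vlan = None                 # any other top-level line ends it
        elif vlan and (m := re.match(r" private-vlan (primary|isolated|community)$", line)):
            types[vlan] = m[1]
        elif vlan and (m := re.match(r" private-vlan association ([\d,-]+)$", line)):
            assoc[vlan] = expand(m[1])
        elif m := re.match(r" switchport trunk allowed vlan ([\d,-]+)$", line):
            allowed |= expand(m[1])
    return types, assoc, allowed

def audit(a, b):
    """List PVLAN mismatches between two switches that share a trunk."""
    (ta, aa, la), (tb, ab, lb) = parse(a), parse(b)
    issues = []
    for v in sorted(set(ta) | set(tb) | set(aa) | set(ab)):
        if ta.get(v) != tb.get(v):
            issues.append(f"vlan {v}: type {ta.get(v)} vs {tb.get(v)}")
        if v not in la & lb:
            issues.append(f"vlan {v}: not allowed on both trunk ends")
        if aa.get(v) != ab.get(v):
            issues.append(f"vlan {v}: association differs")
    return issues
```

For the configs in the message `audit(CORE_6509, ACCESS_3560)` returns an empty list: on the points it checks, the two sides agree.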