Re: [c-nsp] Nexus 7010 SVI issues

2011-07-09 Thread Tim Stevenson
VLAN created & interfaces assigned is not good enough. To confirm, at 
least one interface (access or trunk) assigned to that vlan is in the 
UP and STP forwarding state?


You can do a sh spanning vlan X to check.

Tim

At 11:25 AM 7/9/2011, Renelson Panosky opined:


Yes, the VLANs are created at layer 2 and have interfaces assigned to them.

Renelson



On Sat, Jul 9, 2011 at 12:54 PM, Quinn Snyder  wrote:

> depending on code version, i've seen the n7k not create the layer-2
> vlan associated with the svi, even allowing you to place it on a
> trunk.
>
> can you confirm that the layer-2 vlan is in place and created?
>
> regards,
> q.
>
> -= sent via ipad. please excuse brevity, spelling, and grammar =-
>
> On Jul 9, 2011, at 8:52, Renelson Panosky  wrote:
>
> > I have a couple nexus pod up and running so i just created two more SVI in
> > my Nexus 7010 with the following configurations.  All my other SVIs are
> > configured exactly the same way and all of them are UP UP but the two new
> > one i just add.  They are all added to all my trunks and all my trunks are
> > UP UP.  I do know on some devices in the IOS platform the SVI will not come
> > up until you put a node on it (plug something in one of the ports assigned to
> > that vlan.) but in the same token some the other SVIs have no nodes on them
> > and they are UP UP and i can ping them.  Any input would be greatly
> > appreciated
> >
> >
> > interface Vlan2
> >   no shutdown
> >   description XXX
> >   no ip redirects
> >   ip address 10.100.XX.XX/25
> >   ip router eigrp 100
> >   ip passive-interface eigrp 100
> >   hsrp 2
> >     preempt delay minimum 30
> >     priority 110
> >     ip 10.XXX.XX.XX
> > ___
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/






Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


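Tim's rule above (a VLAN in the database with ports assigned is not enough; the SVI needs at least one port in that VLAN that is up and in STP forwarding state, which `sh spanning vlan X` shows) is easy to automate when you are checking many SVIs after a change. The following Python is an added example, not code from the thread or from Cisco: it parses the per-port rows of `show spanning-tree vlan X` output and returns whether the SVI can come up and why. The sample outputs are constructed in the shape of that command, and the exact wording of the "instance does not exist" message, the interface names and the bridge addresses are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output in the layout of NX-OS "show spanning-tree vlan 2".
# Interface names, bridge addresses and column wording are assumptions for this
# example, not output captured from the N7K discussed in the thread.
SAMPLE_STP_VLAN2 = """\
VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    32770
             Address     0023.04ee.be01
             This bridge is the root
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0023.04ee.be01

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po10             Desg FWD 1         128.4105 (vPC peer-link) Network P2p
Eth1/1           Desg FWD 4         128.129  P2p
Eth1/2           Desg BLK 4         128.130  P2p
"""

# Same layout, but every port is still converging or blocked: the layer-2 VLAN
# exists and has ports, yet nothing forwards, so the SVI stays down.
SAMPLE_STP_NO_FWD = """\
VLAN0003
  Spanning tree enabled protocol rstp

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Eth1/3           Desg LRN 4         128.131  P2p
Eth1/4           Desg BLK 4         128.132  P2p
"""

# What the CLI prints when no STP instance exists for the VLAN (wording assumed):
# this is Quinn's case, where the layer-2 VLAN was never actually created.
SAMPLE_STP_MISSING = "Spanning tree instance(s) for vlan 9 does not exist.\n"


@dataclass(frozen=True)
class StpPort:
    name: str
    role: str
    state: str


# One port row: interface, role (Desg/Root/Altn/...), state (FWD/BLK/LRN/LIS/DIS), cost.
# Header and separator rows never have a state token in the third column, so they
# are skipped; lines that start with whitespace (the bridge summary) never match.
PORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(FWD|BLK|LRN|LIS|DIS)\s+\d+", re.MULTILINE)


def parse_stp_ports(output: str) -> list[StpPort]:
    """Extract the per-port rows from show spanning-tree vlan output."""
    return [StpPort(name, role, state) for name, role, state in PORT_RE.findall(output)]


def svi_can_come_up(output: str) -> tuple[bool, str]:
    """Apply the rule from the thread: the SVI needs at least one port in this
    VLAN that is in STP forwarding state. Returns (verdict, reason)."""
    if "does not exist" in output:
        return False, "no STP instance: layer-2 VLAN missing or has no active ports"
    ports = parse_stp_ports(output)
    forwarding = [p.name for p in ports if p.state == "FWD"]
    if forwarding:
        return True, "forwarding ports: " + ", ".join(forwarding)
    states = ", ".join(f"{p.name}={p.state}" for p in ports)
    return False, f"ports present but none forwarding: {states}"


if __name__ == "__main__":
    samples = (("vlan 2", SAMPLE_STP_VLAN2), ("vlan 3", SAMPLE_STP_NO_FWD),
               ("vlan 9", SAMPLE_STP_MISSING))
    for label, text in samples:
        ok, why = svi_can_come_up(text)
        print(f"{label}: {'can come up' if ok else 'stays down'} ({why})")
```

Feed it the captured output of `show spanning-tree vlan X` for each new SVI; a "stays down" verdict with "no STP instance" points at the missing layer-2 VLAN Quinn described, while "ports present but none forwarding" means the VLAN is there but every member port is blocked or still converging.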


Re: [c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

2011-07-09 Thread Matthew North
See my email below and the Fortinet blade doc: 250 per 5001 FortiGate blade, so yes,
in a filled chassis of FortiGate blades you could get up to 3000 VDOMs (you get 500
VDOMs per blade with the license upgrade on the 5001B).
But I agree, talk to your sales rep. The numbers I gave are what my company
tested / what the vendors recommended for what runs in our production environments.

fortinet.com/doc/FGT5000Series.pdf



On Jul 9, 2011, at 12:22 PM, Derick Winkworth  wrote:

> From Fortinet's website:
> 
>   "Chassis-based models can support up to 3000 VDOMs"
> 
> Talked to Fortinet rep and confirmed it.  It's not that they "recommend" 250,
> it's just that beyond 250 there is no support for some of the advanced features
> Fortinet considers their special sauce (e-mail scanning, etc).
> 
> I'm pretty sure the actual maximum number of allowed VRs/zones on a 3k SRX is
> 1000.  Or it will be soon.  I'll verify that later this evening.  The number of
> LSYS is in fact 32. However you don't get all those zones/vrs/nats/FW rules per
> lsys, those are just spread out across the LSYS...
> 
> The ASA I think can support up to 500 contexts now, but with contexts enabled
> I'm hearing there is no crypto support.  I'm not sure this is an impediment for
> us but I can see it being an issue for folks.
> 
> 
> 
> Derick Winkworth
> CCIE #15672 (RS, SP), JNCIE-M #721
> http://blinking-network.blogspot.com
> 
> 
> 
> 
> 
> From: Matthew M North 
> To: Chandler Bassett 
> Cc: dwinkwo...@att.net; juniper-...@puck.nether.net; cisco-nsp@puck.nether.net
> Sent: Thu, July 7, 2011 9:57:21 PM
> Subject: Re: [c-nsp] Firewalls "as-a-service" in an MPLS infrastructure...
> 
>>> Fortinet does thousands of their VDOMs (virtual-firewalls) on a single 
>>> unit...
> 
> Thousands->no.
> They do 250 VDOMs on the high end units (3000 series), 500 VDOMs I
> heard on the 5001B (with some special licensing, haven't seen or tested
> yet, they recommend max 250).
> 
> Juniper SRX you can use VRs & security zones. On Junos 10.4+ get 250 VRs.
> 5800 you can get 500 VRs. Haven't gotten # for lsys yet.
> 
> 
> On Thu, Jul 7, 2011 at 2:35 PM, Chandler Bassett  wrote:
>> I thought the ASA blade was for the 6500's?
>> 
>> On Wed, Jul 6, 2011 at 11:47 AM, Derick Winkworth wrote:
>> 
>>> Thoughts on this blog entry?
>>> I wonder if Cisco will support BGP on ASA soon.. I know people have been
>>> asking for it.  It would be nice if it had something Netconf on it too...
>>> The new ASA blade is coming out for Nexus I hear, anyone know how many
>>> virtual-firewalls it will support?  Juniper's SRX will do LSYS soon.. 32 per
>>> box.  That seems like a low number. Fortinet does thousands of their VDOMs
>>> (virtual-firewalls) on a single unit...
> ___
> juniper-nsp mailing list juniper-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [c-nsp] Nexus 7010 SVI issues

2011-07-09 Thread Renelson Panosky
Yes, the VLANs are created at layer 2 and have interfaces assigned to them.

Renelson



On Sat, Jul 9, 2011 at 12:54 PM, Quinn Snyder  wrote:

> depending on code version, i've seen the n7k not create the layer-2
> vlan associated with the svi, even allowing you to place it on a
> trunk.
>
> can you confirm that the layer-2 vlan is in place and created?
>
> regards,
> q.
>
> -= sent via ipad. please excuse brevity, spelling, and grammar =-
>
> On Jul 9, 2011, at 8:52, Renelson Panosky  wrote:
>
> > I have a couple nexus pod up and running so i just created two more SVI in
> > my Nexus 7010 with the following configurations.  All my other SVIs are
> > configured exactly the same way and all of them are UP UP but the two new
> > one i just add.  They are all added to all my trunks and all my trunks are
> > UP UP.  I do know on some devices in the IOS platform the SVI will not come
> > up until you put a node on it (plug something in one of the ports assigned to
> > that vlan.) but in the same token some the other SVIs have no nodes on them
> > and they are UP UP and i can ping them.  Any input would be greatly
> > appreciated
> >
> >
> > interface Vlan2
> >   no shutdown
> >   description XXX
> >   no ip redirects
> >   ip address 10.100.XX.XX/25
> >   ip router eigrp 100
> >   ip passive-interface eigrp 100
> >   hsrp 2
> >     preempt delay minimum 30
> >     priority 110
> >     ip 10.XXX.XX.XX


Re: [c-nsp] Nexus 7010 SVI issues

2011-07-09 Thread Quinn Snyder
depending on code version, i've seen the n7k not create the layer-2
vlan associated with the svi, even allowing you to place it on a
trunk.

can you confirm that the layer-2 vlan is in place and created?

regards,
q.

-= sent via ipad. please excuse brevity, spelling, and grammar =-

On Jul 9, 2011, at 8:52, Renelson Panosky  wrote:

> I have a couple nexus pod up and running so i just created two more SVI in
> my Nexus 7010 with the following configurations.  All my other SVIs are
> configured exactly the same way and all of them are UP UP but the two new
> one i just add.  They are all added to all my trunks and all my trunks are
> UP UP.  I do know on some devices in the IOS platform the SVI will not come
> up until you put a node on it (plug something in one of the ports assigned to
> that vlan.) but in the same token some the other SVIs have no nodes on them
> and they are UP UP and i can ping them.  Any input would be greatly
> appreciated
>
>
> interface Vlan2
>   no shutdown
>   description XXX
>   no ip redirects
>   ip address 10.100.XX.XX/25
>   ip router eigrp 100
>   ip passive-interface eigrp 100
>   hsrp 2
>     preempt delay minimum 30
>     priority 110
>     ip 10.XXX.XX.XX


Re: [c-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

2011-07-09 Thread Derick Winkworth
From Fortinet's website:

  "Chassis-based models can support up to 3000 VDOMs"

Talked to Fortinet rep and confirmed it.  It's not that they "recommend" 250,
it's just that beyond 250 there is no support for some of the advanced features
Fortinet considers their special sauce (e-mail scanning, etc).

I'm pretty sure the actual maximum number of allowed VRs/zones on a 3k SRX is 
1000.  Or it will be soon.  I'll verify that later this evening.  The number of 
LSYS is in fact 32. However you don't get all those zones/vrs/nats/FW rules per 
lsys, those are just spread out across the LSYS...

The ASA I think can support up to 500 contexts now, but with contexts enabled 
I'm hearing there is no crypto support.  I'm not sure this is an impediment for 
us but I can see it being an issue for folks.



Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://blinking-network.blogspot.com





From: Matthew M North 
To: Chandler Bassett 
Cc: dwinkwo...@att.net; juniper-...@puck.nether.net; cisco-nsp@puck.nether.net
Sent: Thu, July 7, 2011 9:57:21 PM
Subject: Re: [c-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

>>Fortinet does thousands of their VDOMs (virtual-firewalls) on a single unit...

Thousands->no.
They do 250 VDOMs on the high end units (3000 series), 500 VDOMs I
heard on the 5001B (with some special licensing, haven't seen or tested
yet, they recommend max 250).

Juniper SRX you can use VRs & security zones. On Junos 10.4+ get 250 VRs.
5800 you can get 500 VRs. Haven't gotten # for lsys yet.


On Thu, Jul 7, 2011 at 2:35 PM, Chandler Bassett  wrote:
> I thought the ASA blade was for the 6500's?
>
> On Wed, Jul 6, 2011 at 11:47 AM, Derick Winkworth wrote:
>
>> Thoughts on this blog entry?
>> I wonder if Cisco will support BGP on ASA soon.. I know people have been
>> asking for it.  It would be nice if it had something Netconf on it too...
>> The new ASA blade is coming out for Nexus I hear, anyone know how many
>> virtual-firewalls it will support?  Juniper's SRX will do LSYS soon.. 32 per
>> box.  That seems like a low number. Fortinet does thousands of their VDOMs
>> (virtual-firewalls) on a single unit...


[c-nsp] Nexus 7010 SVI issues

2011-07-09 Thread Renelson Panosky
I have a couple nexus pod up and running so i just created two more SVI in
my Nexus 7010 with the following configurations.  All my other SVIs are
configured exactly the same way and all of them are UP UP but the two new
one i just add.  They are all added to all my trunks and all my trunks are
UP UP.  I do know on some devices in the IOS platform the SVI will not come
up until you put a node on it (plug something in one of the ports assigned to
that vlan.) but in the same token some the other SVIs have no nodes on them
and they are UP UP and i can ping them.  Any input would be greatly
appreciated


interface Vlan2
  no shutdown
  description XXX
  no ip redirects
  ip address 10.100.XX.XX/25
  ip router eigrp 100
  ip passive-interface eigrp 100
  hsrp 2
    preempt delay minimum 30
    priority 110
    ip 10.XXX.XX.XX


Re: [c-nsp] IPv6 neighbor table via SNMP

2011-07-09 Thread Phil Mayers

On 07/08/2011 06:40 PM, Tom Ammon wrote:

Hi all,

I'm trying to get the IPv6 ND table via SNMP from my 6506E. When I
tried to snmpwalk it, here's what I got:

[root@marchingmenfs ~]# snmpwalk -v2c -c xx
inscc-rtr-core-a1-2.redhorn ip.ipNetToPhysicalTable
IP-MIB::ipNetToPhysicalTable = No Such Object available on this agent
at this OID

[root@marchingmenfs ~]# snmpwalk -v2c -c xx
inscc-rtr-core-a1-2.redhorn 1.3.6.1.2.1.4.35
IP-MIB::ipNetToPhysicalTable = No Such Object available on this agent
at this OID


Try:

CISCO-IETF-IP-MIB::cInetNetToMediaTable

The RFC table isn't in 6500 IOS yet AIUI.

Couple of points:

 1. Just like the IPv4 ARP table, walking this table is slow once 
you exceed a few thousand entries, as the puny CPU on the sup720 has to 
numerically sort the OIDs. We use an "expect" script to get the v4/v6 
neighbours on our busier routers, as the CLI output comes back in 
internal/unsorted order, very much faster.


 2. You get "no such oid" if the table is empty, which I find happens a 
lot if there's virtually no IPv6 traffic! Not such a big problem these 
days, since Youtube content servers have an AAAA record, but make sure 
there's something in the neighbour table when you're testing.

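Once the walk of `CISCO-IETF-IP-MIB::cInetNetToMediaTable` succeeds, the awkward part is the row index: the table is indexed by ifIndex, an InetAddressType and a variable-length InetAddress, so each neighbour's IPv6 address arrives as a run of decimal octets in the OID. The Python below is an added example, not code from the thread or from Cisco or net-snmp. It decodes `cInetNetToMediaPhysAddress` rows from snmpwalk text into (ifIndex, address, MAC) tuples and treats the "No Such Object" reply as the empty table Phil describes in point 2, rather than as a MIB error. Assumptions: the walk was printed with the index left numeric (as `snmpwalk -Ob` does); the index layout follows the table's INDEX clause and RFC 4001 InetAddress encoding (type, length, octets, with a 4-octet zone appended for the ipv4z/ipv6z types); all hostnames, ifIndex values, addresses and MACs in the sample are invented.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed snmpwalk output for cInetNetToMediaPhysAddress with the index left
# numeric (the "snmpwalk -Ob" form). Assumed index layout, per the table's INDEX
# clause and RFC 4001:  ifIndex . InetAddressType . address-length . octets...
# ifIndex values, addresses and MACs are invented for this example.
SAMPLE_WALK = """\
CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress.10.2.16.254.128.0.0.0.0.0.0.2.12.41.255.254.1.2.3 = STRING: 0:c:29:1:2:3
CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress.10.2.16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.1 = STRING: 0:c:29:1:2:3
CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress.10.1.4.192.0.2.10 = STRING: 0:11:22:33:44:55
"""

# What the agent returns when the table has no rows (Phil's second point): the
# walk reports "no such object", which must not be mistaken for a missing MIB.
SAMPLE_EMPTY = ("CISCO-IETF-IP-MIB::cInetNetToMediaTable = "
                "No Such Object available on this agent at this OID\n")

EMPTY_MARKER = "No Such Object available on this agent at this OID"
ROW_RE = re.compile(
    r"^CISCO-IETF-IP-MIB::cInetNetToMediaPhysAddress\.(?P<index>[0-9.]+)"
    r"\s*=\s*STRING:\s*(?P<mac>[0-9A-Fa-f:]+)\s*$",
    re.MULTILINE,
)
# RFC 4001 InetAddressType values and the octet count each one carries in the index.
ADDR_TYPES = {1: ("ipv4", 4), 2: ("ipv6", 16), 3: ("ipv4z", 8), 4: ("ipv6z", 20)}


@dataclass(frozen=True)
class Neighbor:
    if_index: int
    address: str
    zone: int | None  # interface zone for the *z address types, else None
    mac: str


@dataclass
class NeighborTable:
    entries: list[Neighbor] = field(default_factory=list)
    empty: bool = False  # agent said the table has no rows


def decode_index(index: str) -> tuple[int, str, int | None]:
    """Turn 'ifIndex.type.len.o1.o2...' into (ifIndex, address text, zone)."""
    parts = [int(p) for p in index.split(".")]
    if len(parts) < 3:
        raise ValueError(f"index too short: {index}")
    if_index, addr_type, addr_len = parts[0], parts[1], parts[2]
    octets = parts[3:]
    if addr_type not in ADDR_TYPES:
        raise ValueError(f"unknown InetAddressType {addr_type} in {index}")
    name, expected_len = ADDR_TYPES[addr_type]
    if addr_len != expected_len or len(octets) != addr_len or any(o > 255 for o in octets):
        raise ValueError(f"malformed {name} index: {index}")
    zone = None
    if name.endswith("z"):
        # zoned forms carry the address followed by a 4-octet big-endian zone id
        addr_bytes, zone = bytes(octets[:-4]), int.from_bytes(bytes(octets[-4:]), "big")
    else:
        addr_bytes = bytes(octets)
    return if_index, str(ipaddress.ip_address(addr_bytes)), zone


def normalize_mac(mac: str) -> str:
    """net-snmp prints PhysAddress without zero padding (0:c:29:...); pad it."""
    return ":".join(f"{int(h, 16):02x}" for h in mac.split(":"))


def parse_neighbor_walk(text: str) -> NeighborTable:
    """Parse snmpwalk output; an empty table is reported, not treated as an error."""
    table = NeighborTable()
    if EMPTY_MARKER in text:
        table.empty = True
        return table
    for m in ROW_RE.finditer(text):
        if_index, address, zone = decode_index(m.group("index"))
        table.entries.append(Neighbor(if_index, address, zone, normalize_mac(m.group("mac"))))
    return table


if __name__ == "__main__":
    for n in parse_neighbor_walk(SAMPLE_WALK).entries:
        print(f"ifIndex {n.if_index}: {n.address} -> {n.mac}")
    print("empty table:", parse_neighbor_walk(SAMPLE_EMPTY).empty)
```

Pipe a real walk into `parse_neighbor_walk` and you get a neighbour list you can diff between polls, which is the useful form for spotting an address that suddenly answers from a different MAC; as Phil notes, on a busy sup720 the walk itself is the slow part, so poll sparingly or take the CLI route he describes.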