One issue often seen when using an OTV adjacency server is occasional flapping of the IS-IS adjacency across the network and the local site. This is usually seen when a large amount of traffic is flowing through the Nexus.
The primary difference between using multicast in the core and using an adjacency server is the type of packet that is formed: in the adjacency server scenario the packets are unicast.
Here is how a packet looks when using multicast in the core. This capture was taken on the core side of the network.
The packet format is IP-GRE-MPLS-L2.
Here is how a packet looks when using an adjacency server. This capture was taken on the core side of the network.
The packet format is IP-UDP-DATA. Notice that this packet is destined to UDP port 8472.
If the CoPP policies are not updated correctly on the Nexus, these adjacency server IS-IS hello packets fall under the default CoPP class and are dropped when too many packets are hitting the default policy.
This can be easily identified by inspecting the CoPP policy and checking whether any class matches UDP port 8472. If none does, this is most likely the cause of the IS-IS flaps.
What we are looking for is an access list like this, referenced from the class-map:
ip access-list copp-system-p-acl-otv-as
  permit udp any any eq 8472
It is matched under the critical class:
class-map type control-plane match-any copp-system-p-class-critical
  match access-group name copp-system-p-acl-igmp
  match access-group name copp-system-p-acl-msdp
  match access-group name copp-system-p-acl-bgp
  match access-group name copp-system-p-acl-eigrp
  match access-group name copp-system-p-acl-rip
  match access-group name copp-system-p-acl-rip6
  match access-group name copp-system-p-acl-ospf
  match access-group name copp-system-p-acl-pim
  match access-group name copp-system-p-acl-bgp6
  match access-group name copp-system-p-acl-ospf6
  match access-group name copp-system-p-acl-pim6
  match access-group name copp-system-p-acl-vpc
  match access-group name copp-system-p-acl-mac-l2pt
  match access-group name copp-system-p-acl-otv-as
If this is not present, we need to add it so that the IS-IS hellos are matched explicitly under this class.
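The check described above can be run offline against saved running-config text. The following is an added example, not code from the original post or from Cisco: it reports which CoPP class-maps reference an ACL that permits destination UDP port 8472, and it also catches the case where the ACL exists but no class-map references it. The sample configs, the sequence numbers and the function names are constructed for illustration, and the parser assumes the indented layout that the running config normally uses.

```python
import re

# Constructed sample of NX-OS running-config text (not captured from a device).
SAMPLE_OK = """\
ip access-list copp-system-p-acl-bgp
  10 permit tcp any gt 1024 any eq bgp
ip access-list copp-system-p-acl-otv-as
  10 permit udp any any eq 8472
class-map type control-plane match-any copp-system-p-class-critical
  match access-group name copp-system-p-acl-bgp
  match access-group name copp-system-p-acl-otv-as
"""
# Same config with the ACL still defined but no longer referenced by the class-map.
SAMPLE_MISSING = SAMPLE_OK.replace(
    "  match access-group name copp-system-p-acl-otv-as\n", "")

OTV_AS_PORT = "8472"  # UDP port of the adjacency server packets, per the article

def parse_blocks(config, header_re):
    """Return {name: [indented body lines]} for blocks whose header matches."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def classes_matching_otv_as(config):
    """Map each CoPP class-map to the ACLs through which it matches UDP 8472."""
    acls = parse_blocks(config, r"^ip access-list (\S+)")
    cmaps = parse_blocks(config, r"^class-map type control-plane \S+ (\S+)")
    # Destination port is the last field; the sequence number is optional.
    permit = re.compile(r"^(?:\d+\s+)?permit udp .*\beq %s\s*$" % OTV_AS_PORT)
    otv_acls = {n for n, body in acls.items() if any(permit.match(l) for l in body)}
    result = {}
    for cname, body in cmaps.items():
        used = [l.split()[-1] for l in body if l.startswith("match access-group name")]
        hits = [a for a in used if a in otv_acls]
        if hits:
            result[cname] = hits
    return result
```

An empty result means the adjacency server packets are not matched by any explicit class in the parsed config and would be policed under the default class.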