
Ask the Expert: Access LAN Switches (Cisco Catalyst 4500E, 3750-X, 3560-X, and 2960)

ciscomoderator
Community Manager

With Nikolay Karpyshev

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about architecture and troubleshooting Access LAN Switches such as Cisco Catalyst 4500E, 3750-X, 3560-X, and 2960 with Cisco Expert Nikolay Karpyshev.

 

Nikolay Karpyshev is a Customer Support Engineer in the high touch technology support team (HTTS) at Cisco specialized in LAN Switching. Karpyshev supports the Cisco Switches Nexus 7000, Catalyst 6500, 3750, 3560, 4500, 2900, among others, and works as senior and escalation engineer. He was previously a part of Cisco Sales Associate program. He holds a specialist degree in Mathematics and Mechanics from Novosibirsk State University in Russia. Nikolay also holds these Cisco Certifications: CCNP, CCSP, and CCDP.

 

Remember to use the rating system to let Nikolay know if you have received an adequate response. 

Nikolay might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through July 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Oleg Gnedykh
Level 1

Hi Nikolay !!!

Cisco ME3400 Per-VLAN QoS

I want to limit the speed on particular VLANs on trunk ports.

I created a child and parent policy, and applied it on the appropriate ONE interface.

And all OK, but only in one direction (of course).

But this rule works correctly only on ONE interface, and nothing on the second interface :-(

class-map match-any vlan

match vlan  2

!

policy-map child1

  class class-default

  police cir 100000

!

policy-map 1

class vlan

service-policy child1

!       
interface GigabitEthernet0/1

switchport trunk allowed vlan 2  

switchport mode trunk

service-policy input 1

!                                                                                                                                                                                  
interface GigabitEthernet0/2

switchport trunk allowed vlan  2

switchport mode trunk

service-policy input 1

BUT "CONFORM PACKET" ONLY ON INTERFACE G0/2

Switch#sh policy-map interface

GigabitEthernet0/1

Service-policy input: 1

Class-map: vlan (match-any)

0 packets

Match: vlan  2

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 0 (packets) exceed: 0 (packets)

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

GigabitEthernet0/2

Service-policy input: 1

Class-map: vlan (match-any)

0 packets

Match: vlan  2

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 2214 (packets) exceed: 821 (packets)

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

Switch#

PS: All ports have absolutely identical configuration

Hi Oleg,

Can you please share the IOS version you use on ME3400. Please also share the port config from the devices connected to Gi0/1 and Gi0/2.

One more test I want you to run. Can you please create the dummy class "class vlanx" and put it above the "class vlan" in the config, e.g. like below:

class-map match-any vlanx

match vlan 3 ---------------------------- can be any VLAN different from 2 even if that is not allowed by trunk

class-map match-any vlan

match vlan 2

!

policy-map child1

class class-default

police cir 100000

!

policy-map 1

class  vlanx

service-policy child1

class vlan

service-policy child1

Can you please apply this config to both ports Gi0/1 and Gi0/2 and see if you get counters on both for class VLAN. I want to check one known defect here.

Nik

HTH,
Niko

Hi Nikolay!

Thank you very much for your attention!

Switch#sh ver

Cisco IOS Software, ME340x Software (ME340x-METROIPACCESSK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

I use two ordinary devices to make one tag-port and one access-port (Dlink) for both sides. Tag-ports with VID2,3 I connected to Cisco g0/1 and g0/2. PCs connected to access ports.

I created your stand and tested traffic in both directions and from both VLANs.

As a result, I saw counters only on g0/2 in all cases.

I thought it was trouble with port g0/1, but I saw counters on g0/1 when I turned off service-policy on g0/2 !!!

Switch#sh policy-map interface

GigabitEthernet0/1

Service-policy input: 1

Class-map: vlan (match-any)

0 packets

Match: vlan  2

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 0 (packets) exceed: 0 (packets)

Class-map: vlan3 (match-any)

0 packets

Match: vlan  3

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 0 (packets) exceed: 0 (packets)

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

GigabitEthernet0/2

Service-policy input: 1

Class-map: vlan (match-any)

0 packets

Match: vlan  2

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 27 (packets) exceed: 0 (packets)

Class-map: vlan3 (match-any)

0 packets

Match: vlan  3

Service-policy : child1

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

police cir 100000 bc 8000

conform-action transmit

exceed-action drop

conform: 189 (packets) exceed: 1619 (packets)

Class-map: class-default (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

Switch#

This is "show" when I turn off  polices on g0/2

Switch#sh policy-map in
GigabitEthernet0/1

Service-policy input: 1

Class-map: vlan (match-any)
0 packets
Match: vlan  2

Service-policy : child1

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
police cir 100000 bc 8000
conform-action transmit
exceed-action drop
conform: 0 (packets) exceed: 0 (packets)

Class-map: vlan3 (match-any)
0 packets
Match: vlan  3

Service-policy : child1

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
police cir 100000 bc 8000
conform-action transmit
exceed-action drop
conform: 173 (packets) exceed: 1536 (packets)

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Switch#

Oleg,

Can you please open a new thread in the LANSW area for this problem. It is getting hard to manage it here as we will get more questions for different topics in this thread and I may lose track of this issue. Please send me the link to it via private message.

Regarding the test bed - can you please change the places of classes - put class for vlan 3 on top of class for VLAN2. There was a problem when top class never gave statistics but the bottom ones did thus I want to check/eliminate it.

Nik

HTH,
Niko

Jessica Deaken
Level 1

Hello Nikolay,

I have been experiencing some high CPU issues in some of the 4500 and 3700s in my network. Can you kindly provide some troubleshooting guidelines for High CPU issues?

Thanks a lot..

- Jessica

Hi Jessica,

Thanks for your question.

When you troubleshoot a High CPU problem on any Catalyst switch you need first to understand if CPU load is related to some services/processes or to the traffic hitting it. That splits the problem in two parts and the analysis for both is different.

I have the links below which help to start TS for the platforms you mentioned:

3750:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/troubleshooting/cpu_util.html

4500:

http://www.cisco.com/en/US/customer/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml

Both share step-by-step process to verify all the details beyond the High CPU utilization. Start with those to understand first if CPU is processes or traffic driven and then continue TS of it.

If you want me to look closer to your problem please send me "show proc cpu sort | ex 0.00" to see what is happening and I will advise of the next commands later once I check this one.

Nik

HTH,
Niko

sr1482613
Level 4

Hello Nikolay.

There are many Cisco Catalyst Switches such as WS-C3750G-24-TS, WS-C2960-24PC, WS-C2960-24LC, and so on that installed in my customers' sites.

One of IT managers in my sites asked me about product numbering system.

Could you explain what the product numbering system is ? What does the product numbering system stand for ?

For example, in model name WS-C2960LC-S, WS-C2960-24TC-L and WS-C2960-48PST-L, what LC-S, LT-L and PST of model names stand for ?

Thanks

Hank.

Hi Hank,

Naming convention may change from platform to platform. Most LAN routers and switches are four digit model numbers. The first two digits are the product series (e.g., 2900 series routers). For chassis-based Catalyst switches, the last two numbers denote the number of slots (e.g., 6509 nine slot chassis). You can have some letters after the chassis numbers which will denote sub-model and some major features within it.

If we talk about 3750 and 2950 - the next two digits after the first 4 stand for the number of main ports. E.g. 24 port, 48 port, etc.

The first letter (or two) after number of ports always stands for the type of these ports:

T -- copper

P -- copper PoE

LP -- limited PoE

FP -- full PoE

S - SFP

D - 10GB port

The next Letter is referring the type of uplinks:

T - copper

S - SFP

C - dual purpose uplink (of above types)

F - SFP or SFP+ (limited number of ports)

D - 10GB uplink

The last number if present has different meaning for 3750 and 2960. In 3750 that means

L - LAN Base SW

S - IP Base SW

E - IP Services SW

In 2960

L - LAN BASE SW
S -  LAN Light SW

As you see there are some differences in naming even between these platforms, thus there is no unique guide for all platforms.

Below you can refer to some links which describe different models in some details:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/CatalystPoster_Final.pdf

http://www.cisco.com/en/US/partner/products/ps6406/prod_models_comparison.html

Nik

HTH,
Niko

Surya ARBY
Level 4

Hi.

One of the previous questions was around the management port on the SUP7E / 4500.

Right now the management port is fully supported in IOS XE 3.3.0 SG / IOS 15.1; but there is no management plane protection available !

I requested some help here : https://supportforums.cisco.com/thread/2157956

Is there any plan to implement Management Plane Protection soon ? It's sad we get a dedicated admin port which in fact we can't truly dedicate it for the administration processes.

Hi Surya,

Management Plane Protection is not supporting Out Of Band management interfaces. That is specific only to regular interfaces you want to use for management purposes.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1049319

Management interface uses the same VTY lines but just a different GRT. To restrict access only to the management port you can apply an access-list to the VTY line allowing only the sources from the management subnet. This will allow SSH/telnet only towards the management port - connection through other interfaces/subnets will be blocked.

Let me know if it helps.

Nik

HTH,
Niko

Thank you.

I'll try this morning; in fact without access-lists in the lines config; the SSH service still responds on all IPs of all VRF defined in the switch.

My fear is to have a customer located in a specific (client) VRF coming with a source IP overlapping my management subnet.

Hi Surya,

Management interfaces always use the same VTY. Their goal is only to provide the separate routing table not to mix transport and management subnets. Thus you can create an ACL specifically placing the management IP as destination for such connection. If you don't have any design breaches then the customer won't be able to get into Management VRF GRT and route towards it.

Nik

HTH,
Niko

darren.g
Level 5

Nikolay

I have a number of 3750-X switches which are about to be redeployed into a different data centre and re-configured - currently, I have two stacks of 2 switches each (WS-C3750X-24T-S in all cases).

I want to re-deploy them into a single stack of 4 switches (the split into two is due to the current racks in the existing data center being located in physically different areas of the building - new data center will have them adjacent to each other) to remove the bandwidth bottleneck between the two stacks of switches caused by 1 gig trunk links (stacking being faster than even 8 x 1 gig links in an ether channel).

All switches are running IOS 12.2(53r)SE1.

Is it worth me upgrading the IOS to the latest 15.0 stream (15.0.1SE3, according to my CCO account), given that everything in them works? Are there many additional features in this IOS upgrade which would make it worth upgrading, or should I just plod along with what I've got? I will be adding an extra C3K-NM-1G module into one of the switches, but since two of them have C3K-NM-10G modules in them I expect this should work OK. I know it's general wisdom to always run the latest IOS - but the 15.0 stream is listed as ED - not sure if I run any risks in upgrading or not.

Comments welcomed - even from you, Leo. :-)

Cheers

Hi Darren,

This is really a topic for open discussion. It is hard to make some recommendation without having specific requirements. As I see current features you run are supported by the IOS you have. The only reason for upgrade I may see is to go to some solid release with some known defects fixed.

I would not recommend to go for the latest unless it has some major bug fixed which you hit or it has a new feature you were waiting for.

Thus in terms of solid release I would vote for 12.2(55)SE5.

Anyway it is a subject for discussion and I will also appreciate if other guys will share their best practices.

Nik

HTH,
Niko

Comments welcomed - even from you, Leo. :-)

Thanks Darren.

3750X?  In a DC?  I'll agree with Nikolay. 

All my 3750X in the DC are running IOS version 12.2(55)SE5 after I rolled back from 15.0(1)SE2.  I don't think I'm brave enough to go 15.0(1)SE3 for 3750X in a DC.
