Ask the Expert: LAN Switching

ciscomoderator
Community Manager

With Matt Blanshard

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask your toughest layer 2 questions to two of the technical leaders of the San Jose LAN Switching team, Matt Blanshard. Learn more about Spanning Tree, VTP, Trunking, Resilient Ethernet Protocol, IGMP Snooping, Private VLANS, Q-in-Q Tunneling, QoS, various switching platforms including all desktop switches, Metro Ethernet switches, 4500 and 6500 switches, Blade Center switches, and Nexus 7000 switches. 

Matt Blanshard began his Cisco career as an intern in 2007.  He is now a technical leader at the Cisco Technical Assistance Center on the LAN Switching team. He holds a bachelor's degree from the University of Phoenix in computer science, and has CCNA certification. 

Remember to use the rating system to let Matt know if you have received an adequate response. 

Matt might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through March 23rd, 2012. Visit this forum often to view responses to your questions and the questions of other community members. 

69 Replies

I am pretty sure it is because of the fact that 4500 doesn't support MPLS and only routes IP.  On the 6500/Nexus they do MPLS so can route non-ip traffic. 

-Matt

i can't open case.

If I change the cat6500 to a cat 4507R0, and the IOS is cat4500-entservices-mz.122-31.sga2..bin, all the VMs work normally. So I think the cat6500 and the IOS have some differences in IEEE 802.3.

John Peterson
Level 1

Hi Matt,

I would really appreciate any advice on this.

https://supportforums.cisco.com/message/3589591#3589591

I've already posted this question on the lan and switching board.

Hi,

We have a 4-site network all linked with leased lines. Two of the sites have an MS Network Load Balancer which has a unicast IP address, but when the switch does an ARP the NLB sends out a multicast MAC. We were not able to ping these NLBs before; I found out that I needed to add a static entry in the L3 device, which solved the problem.

Recently, the network has been running extremely slowly, and a network capture shows TCP re-transmission packets, different MAC addresses associated with different IP addresses, an extremely large amount of 'TCP Segment of a reassembled PDU', some 'TCP ACKed lost segment', TCP out of order and TCP DUP ACK.

We have cross-checked the devices' IP and MAC addresses against the output and some packets do not match.

In addition to this we are seeing large amounts of multicast traffic on the network which is sent to the NLB, which can only be noticed by the multicast MAC address as the IP address is a class C. What I find strange is that all the multicast and TCP error traffic is sent to the NLB, when surely only the NLB should be sending multicast traffic, as it would be replying to ARP requests?

The multicast packets have a source of a class A, B, or C IP address, but we can only see that they are multicast as this is determined by the MAC address.

For the network load balancers, should all the L2 and L3 devices directly connected to the NLB have a static ARP entry in their CAM?

Also, does having a static entry in the directly connected switch enable the directly connected switch to send out the NLB MAC address when other switches request the MAC address for the NLB?

Would appreciate any thoughts.

Hello John,

On Cisco devices that are doing the layer-3 routing you will need to use a static ARP entry for Microsoft NLB nodes running in multicast mode.  Since this is a violation of the 802.3 ethernet RFC, Cisco has chosen to implement strict adherence to this standard and not allow dynamic ARP entries to work for this. 

Do you have static MAC address entries for the NICs on the NLB cluster?  Nobody should be sending out packets sourced from the multicast cluster MAC. 

-Matt
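The two points Matt makes above, that the gateway needs a static ARP entry for an NLB virtual IP answered by a multicast MAC and that no host should ever source frames from the cluster MAC, can be turned into a quick offline check on exported capture records. The script below is an added example written for this thread, not code from the thread, from Cisco, or from Microsoft. It assumes simple (src_mac, dst_mac, src_ip) records, uses the 03:bf:… multicast-MAC prefix that NLB multicast mode derives from the cluster IP, and all MAC addresses, IP addresses and ARP entries in it are constructed for illustration. It also reports IPs seen behind more than one source MAC, which is the mismatched MAC/IP symptom John describes.

```python
# Added example, not part of the Ask the Expert thread or any Cisco tool.
# It models the situation John describes: a Microsoft NLB cluster in multicast
# mode answers ARP for a unicast IP with a multicast MAC, so the gateway needs a
# static ARP entry, and nothing should ever *source* frames from the cluster MAC.
# The checker takes simple (src_mac, dst_mac, src_ip) records, such as one could
# export from a capture, and reports the symptoms worth investigating.
# Every MAC, IP and ARP entry below is constructed for illustration.
from collections import defaultdict


def is_multicast_mac(mac: str) -> bool:
    """A MAC is a group (multicast) address when the I/G bit, the least
    significant bit of the first octet, is set."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


def analyse(frames):
    """frames: iterable of (src_mac, dst_mac, src_ip) tuples.

    Returns {'multicast_sourced': [...], 'ip_mac_conflicts': {...}}:
      multicast_sourced - frames whose *source* MAC is a group address, which
                          no host should emit (Matt's point about the cluster MAC)
      ip_mac_conflicts  - source IPs seen behind more than one source MAC, the
                          'different MAC address associated with different IP
                          address' symptom that goes with the retransmissions
    """
    multicast_sourced = []
    macs_by_ip = defaultdict(set)
    for src_mac, dst_mac, src_ip in frames:
        if is_multicast_mac(src_mac):
            multicast_sourced.append((src_mac, dst_mac, src_ip))
        macs_by_ip[src_ip].add(src_mac.lower())
    conflicts = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return {"multicast_sourced": multicast_sourced, "ip_mac_conflicts": conflicts}


def missing_static_arp(arp_table):
    """arp_table: list of (ip, mac, is_static) as a gateway would hold them.

    Returns the IPs that resolve to a multicast MAC (the NLB cluster VIP
    pattern) but are not pinned with a static entry; on a Cisco L3 device a
    dynamic entry is not accepted for such an IP, so these are the ones to fix.
    """
    return sorted(ip for ip, mac, is_static in arp_table
                  if is_multicast_mac(mac) and not is_static)


# Constructed sample: 192.168.1.10 is the cluster VIP answered by the
# multicast MAC 03:bf:c0:a8:01:0a (03:bf + the VIP in hex); .20 is a client.
SAMPLE_FRAMES = [
    ("00:1a:2b:3c:4d:5e", "03:bf:c0:a8:01:0a", "192.168.1.20"),  # client -> VIP, normal
    ("00:50:56:aa:bb:01", "00:1a:2b:3c:4d:5e", "192.168.1.10"),  # node 1 answering as VIP
    ("00:50:56:aa:bb:02", "00:1a:2b:3c:4d:5e", "192.168.1.10"),  # node 2 answering as VIP
    ("03:bf:c0:a8:01:0a", "00:1a:2b:3c:4d:5e", "192.168.1.10"),  # sourced from cluster MAC: wrong
    ("00:1a:2b:3c:4d:5e", "00:50:56:aa:bb:01", "192.168.1.20"),  # client again, consistent
]

SAMPLE_ARP = [
    ("192.168.1.1",  "00:0c:29:11:22:33", True),   # the gateway's own static entry
    ("192.168.1.10", "03:bf:c0:a8:01:0a", False),  # VIP without a static entry: flagged
    ("192.168.1.20", "00:1a:2b:3c:4d:5e", False),  # ordinary host, dynamic is fine
]

if __name__ == "__main__":
    report = analyse(SAMPLE_FRAMES)
    for frame in report["multicast_sourced"]:
        print("frame sourced from a multicast MAC:", frame)
    for ip, macs in report["ip_mac_conflicts"].items():
        print(f"{ip} seen behind {len(macs)} source MACs: {sorted(macs)}")
    for ip in missing_static_arp(SAMPLE_ARP):
        print("multicast-MAC IP without a static ARP entry:", ip)
```

On the constructed sample the script reports one frame sourced from the cluster MAC, the VIP 192.168.1.10 behind three different source MACs, and the VIP as the one ARP entry that still needs to be made static. On real data the records would come from a capture export; the multicast-MAC test is the only part that depends on no assumptions, since the I/G bit is defined by IEEE 802.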

Hi Matt,

Thank you for taking the time out to respond.

I have inserted a static ARP on the default gateway of the NLB nodes. I have been advised to insert static MAC addresses in the mac-address table on every switch at L2 as well; is this needed, as we have a multi-vendor network with over 35 switches? If it is, then is there any feature in Cisco switches that can help with this?

The NLB cluster is within a VMware switch and we could put static MAC entries there, but I was thinking of placing them in the Cisco switch which is directly connected to the vSwitch and then the hosts?

It seems that a packet is sent to the correct device but then another device with the same L3 address is responding, the packet is being dropped by the receiver, and then the correct source is sending a re-transmission TCP packet?

Hello John,

You might find this document a good read.  It explains what's needed to best use NLB with Cisco switches. 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

-Matt

Hi Matt,

Thanks for your reply. I have read through this link and I have implemented the solution.

My concern was, I don't want to go around to every switch and add static MAC entries, some of which are non-Cisco switches. Is there any way I can add a command in the Cisco switches which then populates the other devices that are directly or indirectly connected?

Thanks

Unfortunately there's no way to transfer the configuration down to the other switches.  If you can run the Microsoft NLB in IGMP mode you can do away with the static MAC addresses, since the Microsoft NLB server will send IGMP joins, allowing IGMP snooping to add dynamic entries to the switch.  Then all you would need is a static ARP and the rest would be dynamic.   This is the closest you can get to Microsoft NLB working dynamically. 

-Matt

johnnylingo
Level 5

Have a hardware related question, specifically on the 6500 and 4900M platforms.

What we've been seeing often with hardware failures is an ASIC going bad; for example, ports 9, 10, 11, 12 on a WS-X6716-10GE will fail but the other ports continue to work fine.  Usually this is clear in the logs from this message:

TestUnusedPortLoopback Port(s)[4] failed. System operation continues

However, we've seen a few cases where UDLD will disable a port for an unknown reason.  The "show module" command shows the module to be "Ok/Pass", so we replace cables and GBICs and shut / no shut the port.  However, UDLD still re-disables the port.  Rebooting the module ultimately clears the problem.

My specific questions are:

  1. Other than "show module", is there any type of in-depth status report or diagnostic test we can do to look down at the hardware (specifically at the ASIC level)? 
  2. On the 6500 w/ SUP720, the command "show platform hardware capacity fabric" will display utilization for each module, broken down into 2 x 20GB channels per module.  Is there an equivalent command on the 4900M?
  3. Better yet, is there a way to break down utilization by ASIC?  We have a lot of WS-X6716-10GE and WS-X4908-10GE modules and are looking for an easy way to look at the oversubscription statistics so we can plan for future growth. 

Hello Johnny,

Unfortunately this information is not publicly available.  If you private message me I can explain the process to get this information. 

For #2 you can use show fabric utilization to see the individual channels usage. Unfortunately there is no equivalent on the 4900M. 

-Matt

Carlos190
Level 1

Hi,

Could you please explain the use of VRF in Nexus, why it is necessary for issuing pings and traceroutes among other things, and whether you know the reason why it was designed that way in Nexus?

Thanks

Hello Carlos,

I am not following you.   VRF is not required for any interface except the management port.  For any other interface it works just the same as in IOS except for the subtle command differences. 

-Matt

Hi Matthew,

CCNA newbie here.  Just wanted to ask a network design question..

Say you have 2 floors and each floor has 4 vlans on a layer3 switch.  They're all connected to a core layer3 switch.

My question is what is the best way of networking them?

Right now the company that I'm in has it set up so that the gateways for each VLAN are on the core switch, and trunk links are set up to the core switch.  This setup I think is OK, except that when 2 users on different VLANs on the same switch need to transfer files, they will always use the trunk link.  Granted this happens only once in a while, I still don't think it's a good use of bandwidth when they could be routed internally on the switch. 

I was thinking a better way for this situation would be, where the trunks are, to assign IPs to the port and do the same on the core switch, then have the VLAN gateways internally on the switch.  Although even if we do have a lot of users transferring data between each other, I don't think we will just change the network design.  Though we are going to be moving to a new building, and it is something to think about.

So which is a better method?  Given the same situation, how do most companies design their networks?  Is there a SOP (standard operating procedure) for something like this?

Thanks very much.

Hello Zhi,

If it was my network I would use layer-3 interfaces and routing between the floor switches and the core switch.  There is no SOP for this; it really boils down to what you prefer.

-Matt

Thanks for replying. I want to understand why issuing a ping or traceroute from a Nexus now has to include the vrf keyword, e.g. ping x.x.x.x vrf management, in the case of the network I work at.
