07-29-2011 02:33 PM - edited 03-07-2019 01:28 AM
With Matt Blanshard and Jane Gao
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask your toughest layer 2 questions to two of the technical leaders of the San Jose LAN Switching team, Matt Blanshard and Jane Gao. Learn more about Spanning Tree, VTP, Trunking, Resilient Ethernet Protocol, IGMP Snooping, Private VLANS, Q-in-Q Tunneling, QoS, various switching platforms including all desktop switches, Metro Ethernet switches, 4500 and 6500 switches, Blade Center switches, and Nexus 7000 switches.
Matt Blanshard began his Cisco career as an intern in 2007. He is now a technical leader at the Cisco Technical Assistance Center on the LAN Switching team. He holds a bachelor's degree from the University of Phoenix in computer science, and has CCNA certification.
Jane Gao is a technical leader in the LAN Switching Technical Assistance Center (TAC) team in San Jose. She has been working with LAN switching technologies and supporting Cisco switching platforms since 2009. Ms. Gao was previously a technical leader in the Wireless TAC team in San Jose. Prior to joining Cisco, Ms. Gao was working in software development. She has a Master of Science degree in Computer Science from DePaul University in Chicago.
Remember to use the rating system to let Matt and Jane know if you have received an adequate response.
They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the LAN Switching and Routing discussion forum shortly after the event. This event lasts through August 12, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
08-08-2011 12:42 PM
Hello Joseph,
On the 3560/3750 the concept of shared round robin (SRR) is introduced. This means that, to answer your question, it depends on conditions at the time. If there is no congestion on the link it will use available bandwidth from another queue and send the packet out. If there is congestion on the link then it will be buffered/dropped as there is no more available bandwidth for that queue. When we are talking about delaying packets on switches, that is really not an option due to the high rate of speed at which they switch packets and the shallow buffers used to maintain a high rate of packet switching.
-Matt
08-08-2011 05:20 PM
Matt,
Thank you for your response, but I'm not sure you understood my question, although you may have indirectly answered it: "If there is congestion on the link then it will be buffered/dropped as there is no more available bandwidth for that queue."
Suppose I set a FastEthernet interface to srr-queue bandwidth limit 10, then suppose there's a transient burst of 20 Mbps, will the 3560 egress buffer the burst (assuming there's available buffering) and "meter" the traffic at 10 Mbps (plus or minus the hardware capability) or will it immediately drop all burst packets/frames even if there are available egress buffers?
08-11-2011 12:48 PM
Hello Joseph,
I am sorry if my reply was not clear. By using the bandwidth command it will buffer the 20 Mb burst as long as the link is not congested and the buffer is available. It will not meter the bandwidth strictly at 10 Mbps.
-Matt
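The buffer-versus-drop behaviour discussed in the two replies above, as an added example that is not part of the original thread and not Cisco code: a generic discrete-time leaky-bucket model of an egress queue drained at a fixed rate with a finite buffer. It is not a model of 3560/3750 SRR internals; the 10 Mbps limit, 20 Mbps burst, 10 ms burst length, 10 kbit packet size and buffer depths are constructed inputs chosen so the difference between "buffered and delayed" and "tail-dropped" is visible.

```python
"""Discrete-time model of a rate-limited egress queue with a finite buffer.

Added example written for this thread, not Cisco code and not a model of
3560/3750 SRR internals. All rates, sizes and buffer depths are constructed
inputs.
"""
import math
from dataclasses import dataclass


@dataclass
class QueueStats:
    offered: int       # packets that arrived at the queue
    sent: int          # packets that left on the wire
    dropped: int       # tail drops taken because the buffer was full
    max_depth: int     # deepest the queue got, in packets
    elapsed_ms: float  # time until the queue was empty again


def simulate(limit_mbps: float, burst_mbps: float, burst_ms: float,
             buffer_pkts: int, pkt_bits: int = 10_000,
             tick_ms: float = 1.0) -> QueueStats:
    """Offer a burst at burst_mbps for burst_ms into a queue drained at limit_mbps.

    Arrivals and departures are tracked as fractional packet credits per tick
    so any rate can be used; packets themselves are whole. Departure credit is
    not banked while the queue is empty (the link cannot "save up" bandwidth).
    """
    arrive_step = burst_mbps * 1e3 * tick_ms / pkt_bits   # packets per tick
    serve_step = limit_mbps * 1e3 * tick_ms / pkt_bits
    burst_ticks = int(round(burst_ms / tick_ms))
    arrive_credit = serve_credit = 0.0
    queue = offered = sent = dropped = max_depth = 0
    tick = 0
    while tick < burst_ticks or queue > 0:
        if tick > burst_ticks + 10 * (buffer_pkts + 1) / max(serve_step, 1e-9):
            raise RuntimeError("queue never drains; limit too low")
        if tick < burst_ticks:
            arrive_credit += arrive_step
            n_arrive = math.floor(arrive_credit + 1e-9)
            arrive_credit -= n_arrive
            for _ in range(n_arrive):
                offered += 1
                if queue < buffer_pkts:
                    queue += 1          # buffered: delayed, not lost
                else:
                    dropped += 1        # buffer full: tail drop
        max_depth = max(max_depth, queue)
        serve_credit += serve_step
        n_serve = min(math.floor(serve_credit + 1e-9), queue)
        serve_credit -= n_serve
        sent += n_serve
        queue -= n_serve
        if queue == 0:
            serve_credit = 0.0
        tick += 1
    return QueueStats(offered, sent, dropped, max_depth, tick * tick_ms)


if __name__ == "__main__":
    # 20 Mbps for 10 ms into a 10 Mbps limit: deep buffer vs. shallow buffer
    print("deep buffer   :", simulate(10, 20, 10, buffer_pkts=100))
    print("shallow buffer:", simulate(10, 20, 10, buffer_pkts=5))
```

With a buffer of 100 packets the 20-packet burst is fully absorbed (no drops, queue peaks at 11 packets, the last packet leaves 20 ms after the burst started); with a buffer of 5 packets the same burst loses 6 packets to tail drop. The delay in the first case is what "buffered, not metered" means in practice, and the shallow-buffer case is why the reply above warns that delaying packets on a switch is not something you can count on.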
08-08-2011 07:11 AM
Hi,
I was trying to download the CISCO-ENVMON-MIB.oid file from the Cisco website and was unsuccessful. Is there a way to get the OIDs for this MIB? Please let me know. Thanks!
Bill
08-08-2011 12:47 PM
08-08-2011 11:01 AM
Hi Jane,
Can you please provide me info about ip arp inspection, like where we should use it and why, and on which ports we should enable it?
Thanks
MAhesh
08-09-2011 01:08 PM
MAhesh,
I'm assuming that you are referring to DAI (Dynamic ARP Inspection), which does the following:
- Intercepts all ARP requests and responses on untrusted ports
- Verifies that each ARP packet has a valid IP-to-MAC binding before updating the local cache and before forwarding the packet to its destination
- Drops invalid ARP packets
Please note that DAI relies on the DHCP snooping database to verify that the ARPs are valid. Like DHCP snooping, this only happens on untrusted interfaces. When designing where your trusted and untrusted interfaces reside for DAI, use the same logic as for DHCP snooping. Usually if you trust for DHCP snooping, you will trust for ARP inspection as well.
In your case, if you are having issues with DHCP snooping database on certain switch, it could pose a potential issue when DAI is enabled on that particular switch.
regards
Jane
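The decision logic Jane describes, as an added example that is not part of the original thread and not Cisco code. For reference, the IOS side of this is DHCP snooping (`ip dhcp snooping`, `ip dhcp snooping vlan 10`) with DAI enabled per VLAN (`ip arp inspection vlan 10`), `ip arp inspection trust` on uplinks toward the DHCP server and other switches while access ports stay untrusted, and optionally `ip arp inspection validate src-mac dst-mac ip` for the header checks; untrusted ports are also rate-limited (15 ARP packets per second by default) and err-disabled when they exceed it. The model below applies the same checks to constructed ARP frames: the binding table, port names (Gi1/0/24 as the trusted uplink) and the frames in `demo()` are sample data.

```python
"""Model of the decisions Dynamic ARP Inspection (DAI) makes per ARP frame.

Added example written for this thread; it is not Cisco code. Trusted ports are
not inspected; untrusted ports are checked against the DHCP snooping binding
table, with the optional src-mac / dst-mac / ip validations and a per-port
rate limit of 15 ARP frames per second (the IOS default). Bindings, port
names and frames in demo() are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from ipaddress import ip_address

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    port: str        # ingress interface
    vlan: int
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: int          # REQUEST or REPLY
    sender_mac: str  # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _usable_ip(addr: str) -> bool:
    """The 'ip' validation rejects 0.0.0.0, 255.255.255.255 and multicast."""
    a = ip_address(addr)
    return not (a.is_unspecified or a.is_multicast or addr == "255.255.255.255")


class DaiSwitch:
    def __init__(self, trusted_ports, bindings, rate_limit=15,
                 validate=("src-mac", "dst-mac", "ip")):
        self.trusted = set(trusted_ports)
        # DHCP snooping binding table, keyed by (vlan, ip) -> mac
        self.bindings = {(vlan, ip): mac.lower() for vlan, ip, mac in bindings}
        self.rate_limit = rate_limit
        self.validate = set(validate)
        self.arp_count = defaultdict(int)   # (port, whole second) -> frames seen
        self.errdisabled = set()

    def inspect(self, f: ArpFrame, now: float) -> str:
        """Return 'forward', 'errdisable' or 'drop:<reason>' for one frame."""
        if f.port in self.errdisabled:
            return "drop:port-errdisabled"
        if f.port in self.trusted:
            return "forward"                      # trusted ports bypass DAI
        key = (f.port, int(now))
        self.arp_count[key] += 1
        if self.arp_count[key] > self.rate_limit:
            self.errdisabled.add(f.port)          # rate limit exceeded
            return "errdisable"
        if "src-mac" in self.validate and f.eth_src.lower() != f.sender_mac.lower():
            return "drop:src-mac-mismatch"
        if ("dst-mac" in self.validate and f.op == REPLY
                and f.eth_dst.lower() != f.target_mac.lower()):
            return "drop:dst-mac-mismatch"
        if "ip" in self.validate:
            # sender IP is checked in every ARP, target IP only in replies
            if not _usable_ip(f.sender_ip) or (f.op == REPLY and not _usable_ip(f.target_ip)):
                return "drop:invalid-ip"
        # the core check: sender IP/MAC must match a DHCP snooping binding on this VLAN
        if self.bindings.get((f.vlan, f.sender_ip)) != f.sender_mac.lower():
            return "drop:no-binding"
        return "forward"


# constructed bindings, as DHCP snooping would have learned them
BINDINGS = [
    (10, "10.0.10.21", "00:11:22:33:44:55"),
    (10, "10.0.10.22", "00:11:22:33:44:66"),
]


def demo() -> dict:
    sw = DaiSwitch(trusted_ports={"Gi1/0/24"}, bindings=BINDINGS)   # Gi1/0/24: uplink
    legit = ArpFrame("Gi1/0/1", 10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", REQUEST,
                     "00:11:22:33:44:55", "10.0.10.21", "00:00:00:00:00:00", "10.0.10.1")
    # host .22 claims to be the gateway 10.0.10.1 (classic ARP poisoning)
    poison = ArpFrame("Gi1/0/2", 10, "00:11:22:33:44:66", "00:11:22:33:44:55", REPLY,
                      "00:11:22:33:44:66", "10.0.10.1", "00:11:22:33:44:55", "10.0.10.21")
    # Ethernet source MAC does not match the ARP sender MAC
    mismatch = replace(legit, port="Gi1/0/2", eth_src="00:11:22:33:44:66")
    results = {
        "legit request": sw.inspect(legit, 0.0),
        "gateway poison": sw.inspect(poison, 0.0),
        "src-mac mismatch": sw.inspect(mismatch, 0.0),
        "poison via trusted uplink": sw.inspect(replace(poison, port="Gi1/0/24"), 0.0),
    }
    # 20 valid-looking requests within one second on an untrusted port
    flood = [sw.inspect(replace(legit, port="Gi1/0/3"), 1.0) for _ in range(20)]
    results["flood forwarded"] = flood.count("forward")
    results["flood errdisable"] = "errdisable" in flood
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} -> {v}")
```

The "poison via trusted uplink" case is the one to look at when deciding where to trust: the same forged reply that is dropped on an access port passes untouched on a trusted port, so trust only the interfaces that really lead to the DHCP server or to another switch that inspects its own edge. It also shows why Jane's remark about the snooping database matters: with no binding for a host, even its honest ARPs land in `drop:no-binding`.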
08-10-2011 07:17 AM
Hi Jane, hi Matt,
I am a master's student in IT, and I am looking for a master's thesis topic in Network Security (Routing and Switching).
I will do my master's thesis in a company whose main focus is on Cisco products, and I am working in the Network Infrastructure Department.
So can you please give me a master's thesis topic?
Regards
08-10-2011 07:47 PM
Why is port-security not supported on L2 port-channel interfaces? Are there any plans to support this in the future?
08-11-2011 02:50 PM
Hi Pavel,
Good question. There are some complications when implementing port security on a port channel. Using LACP as an example, each physical port must have its own MAC address, and there's another MAC used for the "virtual" interface which is used for LACPDUs. This may either be another unique MAC or may be the MAC of one of the member ports. However, this is not constrained by the standard and depends on the vendor implementation.
Take for example the case of a 2 link PortChannel between two devices:
SWA ========= SWB
In this case, SwitchA Ethernet1/1 connects to SwitchB Ethernet1/1 and SwitchA Ethernet2/1 connects to SwitchB Ethernet2/1.
In order to successfully deploy Port Security between the two devices, one would need to enable Port Security with either 2 or 3 MAC addresses depending on whether the neighbor device uses a unique address or not.
Different vendors are free to use a unique MAC or not for the control channel.
Should an operator concerned with security allow 2 MAC addresses or 3 in this case?
The answer varies depending on the equipment vendor on the other side . . .
The bigger problem is what if one of the Ethernet links isn't yet in an operational state and the neighboring device is misconfigured (intentionally or otherwise). E.g. let's say that SwitchB was connected to SwitchC. Let's say that SwitchC is connected to SwitchB Ethernet1/2 and that link comes up before SwitchB Ethernet2/1:
SWA ========== SWB --------- SWC
If the link to SwitchC is in the same VLAN as the link from SwitchA to SwitchB (i.e. SwitchB is operating both links at L2), AND the link to SwitchC became operationally active prior to SwitchB Ethernet2/1, then Port Security has just allowed L2 to extend beyond where it was intended.
In this case, Port Security is no longer offering the security it was intended to provide. SwitchB can no longer bring up one of its Port Channel members since Port Security will now block that MAC address from sending traffic.
Port security on port channels is already supported on N7K (4.2 release and onwards). It is also under discussion for some other platforms (e.g. 6500).
regards
Jane
08-11-2011 07:23 PM
Thanks for reply!
But I think if we use channel-group x mode on, there is no problem.
A little addition to the question:
1st: Your example is not clear to me:
"The bigger problem is what if one of the Ethernet links isn't yet in an operational state and the neighboring device is misconfigured (intentionally or otherwise)." - What device is misconfigured? A, B, C? Can you explain this example in more detail and post the running config on the A, B, C devices?
2nd: "Using LACP as an example, each physical port must have its own MAC address, and there's another MAC used for the "virtual" interface which is used for LACPDUs. This may either be another unique MAC or may be the MAC of one of the member ports. However this is not constrained by the standard and depending on vendor implementation." - How this is implemented in Cisco?
3rd: What about servers? I mean SW====SRV. Is there any problems with port-security when we connect server and switch? Can we use mode on (not LACP or PAGP) in this case?
08-12-2011 12:37 AM
Pavel,
1.
I do believe that with "mode on" only, the implementation will be a lot easier for port security over L2 etherchannel. However with the current releases it will either disallow you from configuring it, or simply ignore the configuration when the port security is enabled on the etherchannel interface, on the platforms that do not support it.
Here's one example for such misconfig I have seen that caused problem on etherchannel: a switch is connected to a UCS with two Fabrics, and the ports in the portchannel need to be on the same Fabric which was not the case. Therefore only one of the links comes up and stays up, the other link flapped.
The diagram is a general example, but the idea is that any error condition that could cause one of the links between SWA and SWB to come up later than the link between SWB and SWC would be an issue here for port security. Hope this clarifies.
2.
Cisco always uses a unique MAC address for this control channel so as to ensure that the address does not change regardless of whatever member ports are added/removed from the bundle.
3.
I believe that it would not work with the current implementations if port security is not supported on the etherchannel, for the reasons mentioned in 1 above.
regards
Jane
08-12-2011 01:11 AM
1. About the 1st: very tricky example! If we have only one interface in the port-channel which is up, we see the following output:
SwitchB#sh etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Gi1/0/1(P)
So where is the problem with port-security? Gi1/0/1 logically terminates on Po1, and Po1 is configured with port-security. So where is the problem when we have only one interface that logically terminates on Po1?
I do not understand. Can you explain step by step behavior of the problem?
2. And what about rate-limit commands support on Catalyst family switches?
08-12-2011 12:13 PM
Pavel,
The samples mentioned above wouldn't apply to this scenario, i.e. either mode on or portchannel with a single interface. They are to provide one of the explanations for why port security is not supported on L2 etherchannel as with an individual interface.
It's not apparent to be an issue with specific scenarios as you mentioned, but in order to support port security over L2 etherchannel, we'll have to cover all the cases properly.
Can you please explain a bit more on your rate-limit question?
regards
Jane
08-11-2011 05:14 AM
hi Matt & Jane,
Could you please tell me if there's an SNMP oid that can retrieve the packets/second stats from a 3560/3750 switch interface?
This is what I'm looking for:
3750#show interface gi1/0/3 | inc packets/sec
5 minute input rate 166038000 bits/sec, 19352 packets/sec
5 minute output rate 20808000 bits/sec, 12335 packets/sec
I tried looking for it but couldn't find it.
It looks like you can get other stats such as accumulative / total packets from IF-MIB:ifTable, but not packets/sec.
If it's available under IF-MIB, what's the exact oid or string value?
thanks,
Kevin
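There is no direct packets/sec object in IF-MIB, as Kevin notes; the usual answer is to poll the cumulative counters twice and divide the delta by the elapsed time. Below is an added example written for this thread, not Cisco code and not a reply from the experts, that does exactly that with the 64-bit ifXTable counters (ifHCInUcastPkts and friends), handles a counter wrap, and discards a pair of samples if ifCounterDiscontinuityTime changed between them (counters were reset). The two polls in `demo()` are constructed to reproduce the 19352 / 12335 packets/sec in the question; they were not read from a switch.

```python
"""Packets per second from IF-MIB counters.

Added example, not from the original thread and not Cisco code. IF-MIB carries
only cumulative packet counters; a poller derives packets/sec from two samples.
The 64-bit ifXTable counters (ifHC*) are used because the 32-bit ifTable ones
wrap within minutes on a busy gigabit port. The samples in demo() are
constructed to reproduce the numbers in the question above.
"""
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"        # sysUpTime, TimeTicks (1/100 s), 32-bit
IFX = "1.3.6.1.2.1.31.1.1.1"            # ifXTable
COUNTERS = {
    "in_ucast":  f"{IFX}.7",    # ifHCInUcastPkts
    "in_mcast":  f"{IFX}.8",    # ifHCInMulticastPkts
    "in_bcast":  f"{IFX}.9",    # ifHCInBroadcastPkts
    "out_ucast": f"{IFX}.11",   # ifHCOutUcastPkts
    "out_mcast": f"{IFX}.12",   # ifHCOutMulticastPkts
    "out_bcast": f"{IFX}.13",   # ifHCOutBroadcastPkts
}
DISCONTINUITY = f"{IFX}.19"             # ifCounterDiscontinuityTime


def oids_to_poll(ifindex: int) -> list:
    """Full OIDs to GET for one interface (the ifIndex is appended to each column)."""
    return [SYS_UPTIME, f"{DISCONTINUITY}.{ifindex}"] + \
           [f"{base}.{ifindex}" for base in COUNTERS.values()]


def counter_delta(old: int, new: int, bits: int) -> int:
    """Difference between two counter reads, allowing for a single wrap."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def packets_per_second(sample_a: dict, sample_b: dict, bits: int = 64) -> dict:
    """sample = {'uptime': ticks, 'discontinuity': ticks, <counter>: value, ...}.

    Raises ValueError if the counters were reset between the two samples
    (ifCounterDiscontinuityTime changed) or if no time elapsed.
    """
    if sample_a["discontinuity"] != sample_b["discontinuity"]:
        raise ValueError("counter discontinuity between samples; discard this pair")
    seconds = counter_delta(sample_a["uptime"], sample_b["uptime"], 32) / 100.0
    if seconds <= 0:
        raise ValueError("no time elapsed between samples")
    total = {k: counter_delta(sample_a[k], sample_b[k], bits) for k in COUNTERS}
    in_pkts = total["in_ucast"] + total["in_mcast"] + total["in_bcast"]
    out_pkts = total["out_ucast"] + total["out_mcast"] + total["out_bcast"]
    return {"in_pps": in_pkts / seconds, "out_pps": out_pkts / seconds}


def demo() -> dict:
    # two constructed polls of one interface, 30 s apart, no counter reset
    a = {"uptime": 100_000, "discontinuity": 0,
         "in_ucast": 5_000_000, "in_mcast": 1_200, "in_bcast": 300,
         "out_ucast": 3_000_000, "out_mcast": 900, "out_bcast": 100}
    b = dict(a, uptime=103_000,
             in_ucast=a["in_ucast"] + 19_352 * 30,
             out_ucast=a["out_ucast"] + 12_335 * 30)
    return packets_per_second(a, b)


if __name__ == "__main__":
    print("OIDs for ifIndex 10003:", oids_to_poll(10003))
    print(demo())
```

On the switch, `show snmp mib ifmib ifindex` maps interface names to ifIndex values, and a plain `snmpget -v2c -c <community> <switch> IF-MIB::ifHCInUcastPkts.<ifIndex>` returns the raw counter. Note that the 5-minute rates in `show interface` are exponentially weighted averages over the load interval, so a rate computed from two polls 30 seconds apart will not match them exactly.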