08-14-2015 01:44 PM - edited 03-08-2019 01:22 AM
Hello Everyone
I am reposting this question because it seems like the posts are generating more questions than answers, and I really need to get some expert guidance around this issue.
We have 2 3850 stacks in our corporate office. One stack is for users and the other is for servers. We have been having a lot of false positive duplicate IP errors on our servers and have been finding many others out there having issues with IPDT on 3850s. The recommendation is to disable it. I want to first fully understand this and second make sure I am not creating other issues down the line.
In our environment the server stack is the one that has the SVIs and does all layer 3. We also have several other standalone switches that connect our blade servers to the server stack.
As an update, I have changed the tracking delay to 10 and added the command ip device tracking probe delay use-svi
First question:
In a multi-switch environment, which switch manages IP Device Tracking? When I do show IP device tracking all on each switch, it seems that a lot of the IPs being tracked are not directly connected, nor are they only on the layer 3 switch. Is there a way to control which switch does the tracking?
Second question:
If we turn this off using nmsp attach suppress on each interface, what are the implications?
08-14-2015 02:32 PM
Hello
Can you post the config of the 3850 stacks?
res
Paul
08-14-2015 04:23 PM
Here is the summarized config for the server stack. This is our core for this site and handles all routing. This switch has all the SVIs for the user stack. Stacks are trunked together via 10 GB link.
The second config is the user stack which does not have any SVIs and only does layer 2.
Server stack:
version 15.0
no service pad
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
service compress-config
!
hostname sfn-sw1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3850-48t
switch 2 provision ws-c3850-48t
switch 3 provision ws-c3850-48t
!
flow record NETFLOW-RECORD-IN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect counter bytes layer2 long
!
!
flow record NETFLOW-RECORD-OUT
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
collect transport tcp flags
collect interface input
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
collect counter bytes layer2 long
!
!
flow exporter NTAexport
destination x.x.x.x
source Vlan2
transport udp 2055
template data timeout 60
!
!
flow monitor NETFLOW-MON-IN
exporter NTAexport
cache timeout active 60
record NETFLOW-RECORD-IN
!
!
flow monitor NETFLOW-MON-OUT
exporter NTAexport
cache timeout active 60
record NETFLOW-RECORD-OUT
!
ip routing
!
ip multicast-routing
ip domain-name ia-global.com
ip name-server x.x.x.x
ip name-server x.x.x.x
ip device tracking probe use-svi
ip device tracking probe delay 10
ip device tracking
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-0
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-0
revocation-check none
rsakeypair TP-self-signed-0
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 8192
!
redundancy
mode sso
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
interface Loopback0
ip address 10.2.255.5 255.255.255.0
ip mtu 1500
!
!
interface Port-channel18
description SFS-CITRIX-XS3 Team
switchport mode trunk
!
interface Port-channel19
description sfn-ucs-a
switchport mode trunk
!
interface Port-channel20
description sfn-ucs-b
switchport mode trunk
!
interface Port-channel21
description SFS-CITRIX-XS10 Team
switchport mode trunk
!
interface GigabitEthernet1/0/1
description Masergy MPLS
switchport mode access
ip flow monitor NETFLOW-MON-IN input
ip flow monitor NETFLOW-MON-OUT output
speed 100
duplex full
!
interface GigabitEthernet1/0/2
description ASA Lan
switchport access vlan 254
switchport mode access
ip flow monitor NETFLOW-MON-IN input
ip flow monitor NETFLOW-MON-OUT output
duplex full
!
interface GigabitEthernet1/0/3
description TMG
switchport access vlan 254
switchport mode access
!
interface TenGigabitEthernet3/1/1
description sfn-ucs-a
switchport mode trunk
channel-group 19 mode active
!
interface TenGigabitEthernet3/1/2
description sfn-ucs-a
switchport mode trunk
channel-group 19 mode active
!
interface Vlan1
ip address x.x.x.x 255.255.255.0
ip helper-address x.x.x.x
!
interface Vlan2
description Management
ip address x.x.x.x 255.255.255.0
ip helper-address x.x.x.x
!
interface Vlan3
description Data
ip address x.x.x.x 255.255.255.0
ip helper-address x.x.x.x
!
interface Vlan4
description Server VLAN
ip address x.x.x.x 255.255.255.0
interface Vlan5
description Printer VLAN
ip address x.x.x.x 255.255.255.0
!
interface Vlan6
description Voice VLAN
ip address x.x.x.x 255.255.255.0
interface Vlan7
description Video VLAN
ip address x.x.x.x 255.255.255.0
!
interface Vlan8
description iSCSI VLAN
ip address x.x.x.x 255.255.255.0
!
interface Vlan9
description BYOD
ip address x.x.x.x 255.255.255.0
ip pim dense-mode
!
interface Vlan10
description Guest VLAN
ip address x.x.x.x 255.255.255.0
!
interface Vlan11
description IA_WIFI
ip address x.x.x.x 255.255.255.0
!
interface Vlan12
ip address x.x.x.x 255.255.255.0
!
interface Vlan14
description Cluster
ip address x.x.x.x 255.255.255.0
!
interface Vlan15
description Live Migration
ip address x.x.x.x 255.255.255.0
!
interface Vlan254
description Internet Transit
ip address x.x.x.x 255.255.255.248
!
router ospf 1
redistribute static subnets route-map STATIC-TO-OSPF-MAP
network x.x.x.x
network x.x.x.x
network x.x.x.x
network x.x.x.x
default-information originate metric 1
!
no ip http server
ip http authentication aaa
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard STATIC-TO-OSPF
permit x.x.x.x
permit x.x.x.x
permit x.x.x.x
permit x.x.x.x
ip radius source-interface Vlan2
logging trap warnings
logging source-interface Vlan2
logging host x.x.x.x
arp x.x.x.x 0100.5e71.0446 ARPA
arp x.x.x.x 03bf.0a02.04a9 ARPA
!
route-map STATIC-TO-OSPF-MAP permit 10
match ip address STATIC-TO-OSPF
!
ntp server nist-time-server.eoni.com
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end
User Stack
This is the user stack, which only does layer 2 functions
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3850-48p
switch 2 provision ws-c3850-48p
ip routing
!
ip domain-name ia-global.com
ip name-server x.x.x.x
ip name-server x.x.x.x
ip device tracking probe use-svi
ip device tracking probe delay 10
ip device tracking
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-723753763
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-723753763
revocation-check nonexxxxx
!
!
crypto pki certificate chain TP-self-signed-723753763
certificate self-signed 01
xxxxx
quit
!
!
!
!
!
diagnostic bootup level minimal
identity policy webauth-global-inactive
inactivity-timer 3600
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 16384
!
redundancy
mode sso
!
lldp run
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface Loopback0
ip address 10.x.x.x 255.255.255.0
ip mtu 1500
Interfaces removed
interface Port-channel1
description Uplink to SFN-SW3
switchport mode trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description Reception 1
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.x.x.x 255.255.255.0
!
interface Vlan11
no ip address
!
interface Vlan12
no ip address
!
ip default-gateway 10.x.x.x
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.x.x.x
!
!
ip radius source-interface Vlan2
logging trap warnings
logging source-interface Vlan2
logging host 10.x.x.x
!
!
!
!
length 0
!
ntp server 10.x.x.x version 2
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end
sfn-sw2#
08-14-2015 04:32 PM
Something to note:
Another thing that has been happening, which I thought was unrelated, is that our management interfaces on our UCS environment have been crashing. While looking through some logs I found that a new server build that did not have any static or DHCP addresses assigned came up with a duplicate IP with our UCS management IP. Very strange.
Thanks for looking at this.