
    Saturday, April 21, 2018

    Hit a wall with Nexus vPC keepalive over L3 port-channel Networking

    Hit a wall with Nexus vPC keepalive over L3 port-channel

    Posted: 21 Apr 2018 09:19 AM PDT

    First off, I apologize; this is the first time I'm getting to try and configure a nexus vPC peerlink and kpa and I'm only asking here after having spent hours reading docs and trying different things. I can't seem to ping the ip in my kpa link and I can't bring the kpa link up.

     

    I have two Nexus 7706's in the following configuration: Eth1/23-24 & Eth2/23-24 are the peer-link and Eth5/48 & Eth6/48 are the KPA link, bundled in a Layer 3 port-channel. (Everything is mirrored on the other N77k.)

     

    To add an additional layer of difficulty, I can typically only run 1 N77k at a time. The room they are in has BARELY enough power to support both without tripping breakers and the temp rises to 100 degrees F as soon as I power both N77ks on. (This is just a staging area, the final location is under construction and won't have these issues) These factors are outside of my control, so I can only run both for a limited time. Right now one is powered off while I work on this over the weekend. I realize this severely restricts troubleshooting a link that's supposed to have 2 sides, but I will have to wait until I'm back in the office to power the other one up.

     

    Here is my config:

    I've created an additional vdc and named it CORE. I have allocated all interfaces to this vdc.

    From within the vdc CORE I have:

    feature lacp
    feature vpc

    vrf context vpc-keepalive
      ip route 0.0.0.0/0 192.168.100.1

    vpc domain 1
      role priority 1
      peer-keepalive destination 192.168.100.20 source 192.168.100.10 vrf vpc-keepalive
      no layer3 peer-router syslog
      peer-gateway
      layer3 peer-router
      ip arp synchronize

    interface port-channel1
      description VPC-PEER-LINK
      switchport
      switchport mode trunk
      spanning-tree port type network
      storm-control broadcast level 10.00
      vpc peer-link
      ip arp inspection trust

    interface port-channel100
      description VPC-PKA
      no switchport
      vrf member vpc-keepalive
      ip address 192.168.100.10/24

    interface Ethernet1/23
      switchport
      switchport mode trunk
      storm-control broadcast level 10.00
      channel-group 1 mode active
      no shutdown

    interface Ethernet1/24
      switchport
      switchport mode trunk
      storm-control broadcast level 10.00
      channel-group 1 mode active
      no shutdown

    interface Ethernet2/23
      switchport
      switchport mode trunk
      storm-control broadcast level 10.00
      channel-group 1 mode active
      no shutdown

    interface Ethernet2/24
      switchport
      switchport mode trunk
      storm-control broadcast level 10.00
      channel-group 1 mode active
      no shutdown

    interface Ethernet5/48
      no switchport
      storm-control broadcast level 10.00
      channel-group 100 mode active
      no shutdown

    interface Ethernet6/48
      no switchport
      storm-control broadcast level 10.00
      channel-group 100 mode active
      no shutdown

     

    When I power both switches on, the po1 comes up just fine, but not po100.

    N77k-CSW-01-CORE# show vpc peer-keepalive

    vPC keep-alive status           : Suspended (Destination IP not reachable)
    --Send status                   : Success
    --Last send at                  : 2018.04.21 03:27:23 172 ms
    --Sent on interface             :
    --Receive status                : Failed
    --Last update from peer         : (106962) seconds, (834) msec

    vPC Keep-alive parameters
    --Destination                   : 192.168.100.20
    --Keepalive interval            : 1000 msec
    --Keepalive timeout             : 5 seconds
    --Keepalive hold timeout        : 3 seconds
    --Keepalive vrf                 : vpc-keepalive
    --Keepalive udp port            : 3200
    --Keepalive tos                 : 192

     

    N77k-CSW-02-CORE# sh int po100 status
    --------------------------------------------------------------------------------
    Port          Name               Status    Vlan      Duplex  Speed   Type
    --------------------------------------------------------------------------------
    Po100         VPC-PKA            noOperMem routed    auto    auto    --

    N77k-CSW-02-CORE# sh int po1 status
    --------------------------------------------------------------------------------
    Port          Name               Status    Vlan      Duplex  Speed   Type
    --------------------------------------------------------------------------------
    Po1           VPC-PEER-LINK      connected trunk     full    a-40G   --

     

    N77k-CSW-01-CORE# sh ip route vrf vpc-keepalive
    IP Route Table for VRF "vpc-keepalive"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    '%<string>' in via output denotes VRF <string>

    N77k-CSW-01-CORE#
    N77k-CSW-01-CORE# ping 192.168.100.10 vrf vpc-keepalive
    PING 192.168.100.10 (192.168.100.10): 56 data bytes
    ping: sendto 192.168.100.10 64 chars, No route to host
    Request 0 timed out
    ping: sendto 192.168.100.10 64 chars, No route to host
    Request 1 timed out
    ping: sendto 192.168.100.10 64 chars, No route to host
    Request 2 timed out
    ping: sendto 192.168.100.10 64 chars, No route to host
    Request 3 timed out
    ping: sendto 192.168.100.10 64 chars, No route to host
    Request 4 timed out

    --- 192.168.100.10 ping statistics ---
    5 packets transmitted, 0 packets received, 100.00% packet loss

     

    I think the issue lies somewhere with the No route to host error when the pings drop, but I don't know how to resolve that. I specified a static route of 0.0.0.0/0 192.168.100.1 under the vrf context vpc-keepalive, but I don't think this gateway actually exists anywhere.

    I thought, "Hey, maybe I need to create an SVI with a gateway of that 192.168.100.1," but that didn't work either.

    N77k-CSW-01-CORE(config)# int vlan 100
    N77k-CSW-01-CORE(config-if)# ip address 192.168.100.1/24
    % IP address is configured/resolved as the next hop of a static route
    N77k-CSW-01-CORE(config-if)# exit
    N77k-CSW-01-CORE(config)# vrf context vpc-keepalive
    N77k-CSW-01-CORE(config-vrf)# no ip route 0.0.0.0/0 192.168.100.1
    N77k-CSW-01-CORE(config-vrf)# exit
    N77k-CSW-01-CORE(config)# int vlan100
    N77k-CSW-01-CORE(config-if)# ip address 192.168.100.1/24
    % 192.168.100.1/24 overlaps with address configured on port-channel100

     

    So that's where I'm at. I'm kinda at a standstill and still researching around. Right now the KPA port-channel is down because the 2nd N77k is powered off, but I had the same issue when it was powered on.

    If anyone has any suggestions or can point out where I'm being a bonehead, I'd really appreciate it. Again, I apologize for asking, but I'm stuck and could use a little guidance.

    submitted by /u/Prophet_60091_
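An added example, not part of the original post and not Cisco tooling: a Python check that cross-references the peer-keepalive line, the interface that owns the source address, and that interface's status column. The sample input is constructed from the config and output quoted in the post, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modeled on the config and status output quoted in the post.
CONFIG = """\
vpc domain 1
  peer-keepalive destination 192.168.100.20 source 192.168.100.10 vrf vpc-keepalive
interface port-channel100
  vrf member vpc-keepalive
  ip address 192.168.100.10/24
"""
STATUS = "Po100         VPC-PKA            noOperMem routed    auto    auto    --"

def l3_interfaces(config):
    """Map interface name -> {'vrf': name, 'net': IPv4Interface or None}."""
    out, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = out.setdefault(words[1], {"vrf": "default", "net": None})
        elif not line.startswith(" "):
            cur = None                      # left the interface stanza
        elif cur is not None and words[:2] == ["vrf", "member"]:
            cur["vrf"] = words[2]
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(words[2])
    return out

def check_keepalive(config, status_line):
    """Return findings that would keep the vPC peer-keepalive from coming up."""
    m = re.search(r"peer-keepalive destination (\S+) source (\S+) vrf (\S+)", config)
    if not m:
        return ["no peer-keepalive line with an explicit source and vrf"]
    dst, src, vrf = m.groups()
    owner = [(n, i) for n, i in l3_interfaces(config).items()
             if i["net"] and str(i["net"].ip) == src]
    if not owner:
        return [f"source {src} is not configured on any interface"]
    name, intf = owner[0]
    findings = []
    if intf["vrf"] != vrf:
        findings.append(f"{name} is in vrf {intf['vrf']}, keepalive uses {vrf}")
    if ipaddress.ip_address(dst) not in intf["net"].network:
        findings.append(f"destination {dst} is outside {intf['net'].network}")
    state = status_line.split()[2]          # Status column; assumes a one-word Name
    if state != "connected":
        findings.append(f"{name} is {state}: no connected route for "
                        f"{intf['net'].network} in vrf {vrf}")
    return findings
```

A port-channel in noOperMem has no operational member links, so the interface is down and its connected subnet is not installed in the VRF, which is consistent with the empty route table and the "No route to host" replies in the post.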

    Port mode question

    Posted: 21 Apr 2018 08:11 AM PDT

    Hi. Just curious as to what is better. Setting all ports as 'access' on a switch or 'bridge'? It seems the HPE switch I have, when I reset factory defaults, sets all 52 ports to bridge mode, whereas a different HP switch sets all 48 to access. This is on a flat network, no VLAN.

    submitted by /u/1stTimeMeMe

    Not allowed to change port link type

    Posted: 21 Apr 2018 11:48 AM PDT

    Trying to change VLAN 1 ports to access instead of bridge. The rules are being accepted but not applied on save.

    system-view
    interface tengigabyteethernet1/0/49
    port link-type access
    quit

    It takes the command with no errors but does not apply it.

    I am taking a guess that since it's for a single default VLAN they all have to change? I can't figure out how to globally apply this to all ports on VLAN 1. HP 5900

    submitted by /u/1stTimeMeMe

    Multiple CCNA's?

    Posted: 21 Apr 2018 10:43 AM PDT

    So, I had a CCNA many years ago (when you took a test, and got a CCNA, there was no differentiation).

    So, I've got 20+ years experience on all sorts of network gear (Racal Datacom, Bay Networks, HP, Cisco, Juniper, Extreme, Palo Alto, etc.). I left a job after 12 years, and wondering if having multiple CCNA certificates makes sense - CCNA R&S, Wireless, Security, Data Center and Cloud, specifically. I feel it would show that I am a generalist, and can drill down into any issue that comes up.

    Thoughts?

    /I did recently achieve some HPE/Aruba certs, but spent more than 20 years working on Cisco gear.

    submitted by /u/ro_thunder

    Unable to traverse VLANs

    Posted: 21 Apr 2018 06:57 AM PDT

    Huge networking noob here. I've mainly been a SysAdmin most of my career but have recently had to run double duty so would appreciate any help/guidance you can provide for a novice.

    I have an Aruba 5406R as my aggregation switch, which was recently replaced. Since then I'm unable to traverse VLANs or reach my default gateway (Fortigate firewall @ 10.3.0.10) from any VLAN other than VLAN 1.

    This was recently refreshed from a ProCurve 5406 ZL to an Aruba 5406 ZL2. The only thing that changed in the hardware replacement was the config. The IP of the switch & router ID changed from 10.3.0.3 to 10.3.1.1 to clean up some sloppy IP management. Here's a snippet of my config. I'm at a complete loss as to why VLAN 4 can't reach VLAN 1.

    trunk B21-B22 trk1 lacp
    trunk B23-B24 trk2 lacp
    trunk D21-D22 trk3 lacp
    trunk D19-D20 trk4 lacp
    trunk B19-B20 trk5 lacp
    logging facility syslog
    logging severity warning
    include-credentials
    timesync sntp
    time timezone -300
    no web-management
    ip default-gateway 10.3.0.10
    ip route 0.0.0.0 0.0.0.0 10.3.0.10 distance 250
    ip router-id 10.3.1.1
    ip routing
    router ospf
       area backbone
       redistribute connected
       enable
       exit
    vlan 1
       name "Admin"
       no untagged A1-A24,B1-B18,D1-D5,D17
       untagged D6-D16,D18,D23-D24,Trk1-Trk5
       ip address 10.3.1.1 255.255.252.0
       ip ospf 10.3.1.1 area backbone
       exit
    vlan 4
       name "Academic"
       untagged A1-A24,B1,B3,B5,B7,B9,B11,B15,B17-B18
       tagged Trk1-Trk5
       ip address 10.3.4.1 255.255.252.0
       ip helper-address 10.3.2.1
       ip helper-address 10.3.2.21
       ip forward-protocol udp 10.3.2.21 4011
       ip forward-protocol udp 10.3.2.21 tftp
       ip ospf 10.3.4.1 area backbone
       exit
    vlan 10
       name "Voice"
       untagged D1-D5
       tagged A1-A24,B1-B18,D6-D18,D23-D24,Trk1-Trk5
       no ip address
       voice
       exit

    submitted by /u/_maph_

    How to enable Routing on 2960G(L3 Switch)?

    Posted: 21 Apr 2018 04:42 AM PDT

    I took this switch from work, and it in fact is capable of Static Routing. However, I believe the version required is 12.2(55) and up, and mine is 12.2(44). The switch also has LANBASE license.

    Currently, the 'sdm prefer lan-base' command is not available.

    I've never upgraded a Switch before, what's the process for it? Do you have to pay? This is just for lab purposes so I can expand my Networking knowledge.

    Thanks

    submitted by /u/OswaldoLN

    Are most enterprise customers stupid?

    Posted: 20 Apr 2018 09:30 PM PDT

    After watching this https://youtu.be/RGf3NelUsOs , I agree with this guy to a certain degree. I see a lot of enterprise IT people buying very expensive products to solve really basic problems. Sometimes these tools work well but the cheaper alternatives work better, but still the IT managers buy the most expensive. Why do you think this is the case?

    submitted by /u/muxie2007

    Cisco 2960G won't boot from new IOS

    Posted: 21 Apr 2018 12:35 PM PDT

    I am trying to upgrade the IOS on my switch, and it won't let me. I altered the boot system to boot from a file in the flash. I have already tftp'd the new IOS to the switch's flash and saved the configuration, but still, the old IOS starts up... This is the show boot command:

    https://gyazo.com/2b54b76404fba34fccf3fd19bbf643ee

    EDIT: The IOS file is a .tar not .bin, is that why this doesn't work?

    submitted by /u/OswaldoLN

    How to capture all east-west traffic?

    Posted: 21 Apr 2018 02:12 PM PDT

    As the title suggests, literally all. One example to give is if I ping Bob's computer, which is on the same VLAN as me: those packets won't leave our access switch at all. How does one go about making sure all traffic can be pulled into each of our tools and analyzers?

    I don't think any switch really supports SPAN of literally every port on the switch. There'll always be limitations. Like if I SPAN a layer 2 VLAN, I only capture ingress traffic, etc.

    Is it an impossible task? I was thinking one way might be "pvlan everything" every access port network wide is an Isolated Port, to force all their traffic up through the uplink where in-line network taps can nab it.

    Thoughts?

    submitted by /u/thosewhocannetworkd

    Looking for advice setting up Solarwinds at work.

    Posted: 20 Apr 2018 06:12 PM PDT

    So I recently started my first networking based job as a NOC op. I love it. I'm learning a ton, and get to work on many different projects in the department. Today my supervisor said they want me to be in charge of setting up Solarwinds for our networks. We currently do not have a monitoring solution for the networking gear in our local facility, but we monitor solarwinds for other facilities.

    This sounds like a pretty intensive project, and definitely more advanced than what I've ever been assigned to, but I'm very excited to take this on.

    Anybody have experience setting up a network monitoring solution? Any advice would be awesome!

    submitted by /u/D-M-S-R

    3850 Swap

    Posted: 21 Apr 2018 02:48 AM PDT

    Today we tried to replace a stacked set of 3850-12-S with a single 3850-48-E, however we couldn't get any network access to the users. We were able to see all the neighbors on the network and ping the device once we plugged it up. We verified the configs multiple times and even took a template from the same model and changed the IPs and trunks around to meet our needs. I think there might be an issue with the switch, we were unable to upgrade it to the newest version even after clearing up memory in the flash.

    Anyone have any ideas what could be causing this issue? Thanks for the help!

    submitted by /u/wallstreet1124

    HP ProCurve One Services Modules

    Posted: 20 Apr 2018 10:44 PM PDT

    Hey All,

    I have a 5406zl. I've read about the One Services Modules and Advanced Services Modules.

    It sounds like these either come pre-installed with software (VMware, Hyper-V, Avaya SBC, etc), or you can choose a product from the cli.

    My question is... Has anyone tried to install their own operating system on these? They are just compute modules with a cpu/memory/hdd... Should totally be possible to just install Windows Server 2016 on one?

    Wondering if anyone has looked into this.

    Thanks!

    submitted by /u/certifiedsysadmin