After performing a maintenance job on the Cisco core switch, where the CSS's interfaces are connected to, both CSS (master and standby) were not able to detect the servers in the network, even though at that point in time the core switch was already up, the servers were alive on the network and services were up.
To resolve the issue, I tried to restart the CSS, but it did not work. I had to shut down and turn off both CSS and turn them on again after a short while.
Is this problem related to STP of the CSS or Core Switch? Mismatch of STP parameters with the Core switch? Clear ARP? Disable STP on CSS and turn on Port Fast? Enable preempt on Master?
Could you please publish the output of the following command so as to check the hit counts of DOS (denial-of-service) attacks:
CSS11500(config)# show dos
You might get around this by modifying the SNMP settings:
snmp trap-type enterprise dos-illegal-attack trap-threshold X
...where X is the number of connections per second for which the CSS will generate a trap message like the one you describe.
The default setting is 1, meaning that any one packet matching the criteria would generate a trap.
I suggest you modify the value X to match up with your VRRP keepalive timers to avoid these messages.
According to the docs, the following DOS protection trap-types exist:
a. dos-illegal-attack: Generates traps for illegal addresses, either source or destination. Illegal addresses are loopback source addresses, broadcast source addresses, loopback destination addresses, multicast source addresses, or source addresses that you own. The default trap threshold for this type of attack is one per second.
b. dos-land-attack: Generates traps for packets that have identical source and destination addresses. The default trap threshold for this type of attack is one per second.
c. dos-ping-attack: Generates traps when the number of pings exceeds the threshold value. The default trap threshold for this type of attack is 30 per second. Note that this does not track pings of death DoS attacks.
d. dos-smurf-attack: Generates traps when the number of pings with a broadcast destination address exceeds the threshold value. The default trap threshold for this type of attack is one per second.
e. dos-syn-attack: Generates traps when the number of TCP connections that are initiated by a source but not followed with an ACK frame to complete the three-way TCP handshake exceeds the threshold value. The default trap threshold for this type of attack is ten per second.
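The following Python sketch is an added example, not part of the original reply and not the CSS's own logic. It models the five trap-types and their default thresholds as listed above, to show how raising the dos-illegal-attack threshold quiets a once-per-second source while other traps still fire. The packet fields, addresses, check order and the "at or above threshold" comparison are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Default per-second trap thresholds, as listed in the reply above.
DEFAULT_THRESHOLDS = {
    "dos-illegal-attack": 1,
    "dos-land-attack": 1,
    "dos-ping-attack": 30,
    "dos-smurf-attack": 1,
    "dos-syn-attack": 10,
}

def classify(pkt, owned, broadcasts):
    """Return the trap-type a packet counts toward, or None (simplified model)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if src == dst:  # identical source and destination
        return "dos-land-attack"
    if (src.is_loopback or dst.is_loopback or src.is_multicast
            or src in broadcasts or src in owned):
        return "dos-illegal-attack"
    if pkt["kind"] == "ping":
        return "dos-smurf-attack" if dst in broadcasts else "dos-ping-attack"
    if pkt["kind"] == "syn-no-ack":  # SYN never completed with an ACK
        return "dos-syn-attack"
    return None

def traps(packets, owned, broadcasts, thresholds=DEFAULT_THRESHOLDS):
    """Count matches per (second, trap-type); report those at or above threshold."""
    owned = {ipaddress.ip_address(a) for a in owned}
    broadcasts = {ipaddress.ip_address(a) for a in broadcasts}
    counts = Counter()
    for pkt in packets:
        kind = classify(pkt, owned, broadcasts)
        if kind:
            counts[(pkt["t"], kind)] += 1
    return sorted(k for k, n in counts.items() if n >= thresholds[k[1]])

# Constructed sample traffic (documentation addresses, not from the thread).
OWNED = ["192.0.2.10"]
BROADCASTS = ["192.0.2.255", "255.255.255.255"]
SAMPLE = (
    # one packet per second sourced from an address the device owns
    [{"t": t, "src": "192.0.2.10", "dst": "224.0.0.18", "kind": "other"} for t in range(3)]
    # 12 pings in one second: below the default ping threshold of 30
    + [{"t": 1, "src": "198.51.100.7", "dst": "192.0.2.20", "kind": "ping"}] * 12
    # one packet with identical source and destination
    + [{"t": 2, "src": "198.51.100.9", "dst": "198.51.100.9", "kind": "other"}]
)
TUNED = dict(DEFAULT_THRESHOLDS, **{"dos-illegal-attack": 2})
```

Calling `traps(SAMPLE, OWNED, BROADCASTS)` reports a dos-illegal-attack trap in every second, while passing `TUNED` as the thresholds leaves only the land-attack trap.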