
Cisco 4500x & Nexus 5548UP with Extender N2K-C2232TM-E (Unable to ping)

Tabish Mirza
Level 1

Hi Folks,

We have the following setup.

Two Cisco 4500x running VSS. All SVIs are configured on it & it is running as Layer 3.

Two N5K-C5548UP-FA in a single VPC. Both Nexus 5000s are connected to the 4500x using two links from each Nexus, going to CS 1 & 2.

Two C2232TM-E. Each is connected to a Nexus 5000 using four fabric links.

The problem is hosts connected to Nexus 2000 are unable to ping their gateway which is on Cisco 4500x.

I don't know what I am missing.

I am enclosing all configuration file for reference.

Please advise.

Thanks

12 Replies

Steve Fuller
Level 9

Hi Tabish,

I don't see the configuration files you mentioned. Can you attach again?

Regards

Core Switches Configuration Running as a VSS

HQDCCSW01#sh running-config

Building configuration...

Current configuration : 14121 bytes

!

! Last configuration change at 12:59:46 BAH Sun Feb 9 2014 by admin

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service compress-config

service sequence-numbers

service counters max age 5

no service dhcp

!

hostname HQDCCSW01

!

boot-start-marker

boot system flash bootflash:cat4500e-universalk9.SPA.03.04.03.SG.151-2.SG3.bin

license boot level entservices

boot-end-marker

!        

!

vrf definition mgmtVrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

enable secret 5 $1$7XzS$.tFbG1U2xPs8ht11VvTw./

!

username admin privilege 15 secret 5 $1$yIU1$bcq0.ES5HTowQzBTU03mo.

aaa new-model

aaa local authentication attempts max-fail 3

!

!

aaa session-id common

clock timezone BAH 3 0

!

switch virtual domain 10

switch mode virtual

mac-address use-virtual

!

udld enable

no ip source-route

no ip gratuitous-arps

ip icmp rate-limit unreachable 100

!

ip vrf Liin-vrf

!

no ip domain-lookup

ip domain-name HQ.com

no ip bootp server

!

!

!        

!

!

errdisable recovery cause udld

errdisable recovery cause bpduguard

errdisable recovery cause security-violation

errdisable recovery cause channel-misconfig

errdisable recovery cause pagp-flap

errdisable recovery cause dtp-flap

errdisable recovery cause link-flap

errdisable recovery cause gbic-invalid

errdisable recovery cause l2ptguard

errdisable recovery cause psecure-violation

errdisable recovery cause dhcp-rate-limit

errdisable recovery cause mac-limit

errdisable recovery cause unicast-flood

errdisable recovery cause arp-inspection

errdisable recovery interval 60

power redundancy-mode redundant

!

mac access-list extended VSL-BPDU

permit any 0180.c200.0000 0000.0000.0003

mac access-list extended VSL-CDP

permit any host 0100.0ccc.cccc

mac access-list extended VSL-DOT1x

permit any any 0x888E

mac access-list extended VSL-GARP

permit any host 0180.c200.0020

mac access-list extended VSL-LLDP

permit any host 0180.c200.000e

mac access-list extended VSL-MGMT

permit any host 00ff.d873.3de6

permit any host 00ff.7e1d.79e6

mac access-list extended VSL-SSTP

permit any host 0100.0ccc.cccd

!

!

!

!

!

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast bpduguard default

spanning-tree extend system-id

spanning-tree vlan 1-2,5,8,51-53,100-101,200,254,300 priority 24576

!        

redundancy

mode sso

!

vlan internal allocation policy ascending

!

ip ssh time-out 20

ip ssh authentication-retries 5

ip ssh version 2

!

class-map match-any VSL-MGMT-PACKETS

  match access-group name VSL-MGMT

class-map match-any VSL-DATA-PACKETS

  match any

class-map match-any VSL-L2-CONTROL-PACKETS

  match access-group name VSL-DOT1x

  match access-group name VSL-BPDU

  match access-group name VSL-CDP

  match access-group name VSL-LLDP

  match access-group name VSL-SSTP

  match access-group name VSL-GARP

class-map match-any VSL-L3-CONTROL-PACKETS

  match access-group name VSL-IPV4-ROUTING

  match access-group name VSL-BFD

  match access-group name VSL-DHCP-CLIENT-TO-SERVER

  match access-group name VSL-DHCP-SERVER-TO-CLIENT

  match access-group name VSL-DHCP-SERVER-TO-SERVER

  match access-group name VSL-IPV6-ROUTING

class-map match-any VSL-MULTIMEDIA-TRAFFIC

  match  dscp af41

  match  dscp af42

  match  dscp af43

  match  dscp af31

  match  dscp af32

  match  dscp af33

  match  dscp af21

  match  dscp af22

  match  dscp af23

class-map match-any VSL-VOICE-VIDEO-TRAFFIC

  match  dscp ef

  match  dscp cs4

  match  dscp cs5

class-map match-any VSL-SIGNALING-NETWORK-MGMT

  match  dscp cs2

  match  dscp cs3

  match  dscp cs6

  match  dscp cs7

!

policy-map VSL-Queuing-Policy

class VSL-MGMT-PACKETS

    bandwidth percent 5

class VSL-L2-CONTROL-PACKETS

    bandwidth percent 5

class VSL-L3-CONTROL-PACKETS

    bandwidth percent 5

class VSL-VOICE-VIDEO-TRAFFIC

    bandwidth percent 30

class VSL-SIGNALING-NETWORK-MGMT

    bandwidth percent 10

class VSL-MULTIMEDIA-TRAFFIC

    bandwidth percent 20

class VSL-DATA-PACKETS

    bandwidth percent 20

class class-default

    bandwidth percent 5

!

interface Port-channel10

description *** VSS Connected to HQDCCSW02 ***

switchport

switchport mode trunk

switchport nonegotiate

switch virtual link 1

!

interface Port-channel11

description *** Uplink to Nexus 5000 DS ***

switchport

switchport mode trunk

!

interface Port-channel12

description *** VSS Connected to HQDCCSW01 ***

switchport

switchport mode trunk

switchport nonegotiate

switch virtual link 2

!

interface FastEthernet1

vrf forwarding mgmtVrf

no ip address

speed auto

duplex auto

!

interface TenGigabitEthernet1/1/1

description *** VSL Connected to HQDCCSW02 Port Te2/1/1 ***

switchport mode trunk

switchport nonegotiate

no lldp transmit

no lldp receive

no cdp enable

channel-group 10 mode on

service-policy output VSL-Queuing-Policy

!

interface TenGigabitEthernet1/1/2

description *** VSL Connected to HQDCCSW02 Port Te2/1/2 ***

switchport mode trunk

switchport nonegotiate

no lldp transmit

no lldp receive

no cdp enable

channel-group 10 mode on

service-policy output VSL-Queuing-Policy

!

interface TenGigabitEthernet1/1/3

description *** Connected to HQDCDSW01 Port Mgt Keepalive Link ***

switchport access vlan 300

switchport mode access

!

interface TenGigabitEthernet1/1/4

!

interface TenGigabitEthernet1/1/5

!

interface TenGigabitEthernet1/1/6

!

interface TenGigabitEthernet1/1/7

!

interface TenGigabitEthernet1/1/8

!

interface TenGigabitEthernet1/1/9

!

interface TenGigabitEthernet1/1/10

!

interface TenGigabitEthernet1/1/11

!

interface TenGigabitEthernet1/1/12

!

interface TenGigabitEthernet1/1/13

!        

interface TenGigabitEthernet1/1/14

!

interface TenGigabitEthernet1/1/15

description **** Connected to HQDCDSW01 Port Eth 1/27***

switchport mode trunk

channel-group 11 mode active

!

interface TenGigabitEthernet1/1/16

description **** Connected to HQDCDSW02 Port Eth 1/27***

switchport mode trunk

channel-group 11 mode active

!

interface TenGigabitEthernet2/1/1

description *** VSL Connected to HQDCCSW01 Port Te1/1/1 ***

switchport mode trunk

switchport nonegotiate

no lldp transmit

no lldp receive

no cdp enable

channel-group 12 mode on

service-policy output VSL-Queuing-Policy

!

interface TenGigabitEthernet2/1/2

description *** VSL Connected to HQDCCSW01 Port Te1/1/2 ***

switchport mode trunk

switchport nonegotiate

no lldp transmit

no lldp receive

no cdp enable

channel-group 12 mode on

service-policy output VSL-Queuing-Policy

!

interface TenGigabitEthernet2/1/3

description *** Connected to HQDCDSW02 Port Mgt Keepalive Link ***

switchport access vlan 300

switchport mode access

!

interface TenGigabitEthernet2/1/4

!

interface TenGigabitEthernet2/1/5

!

interface TenGigabitEthernet2/1/6

!        

interface TenGigabitEthernet2/1/7

!

interface TenGigabitEthernet2/1/8

!

interface TenGigabitEthernet2/1/9

!

interface TenGigabitEthernet2/1/10

!

interface TenGigabitEthernet2/1/11

!

interface TenGigabitEthernet2/1/12

!        

interface TenGigabitEthernet2/1/13

!

interface TenGigabitEthernet2/1/14

!

interface TenGigabitEthernet2/1/15

description **** Connected to HQDCDSW01 Port Eth 1/28***

switchport mode trunk

channel-group 11 mode active

!

interface TenGigabitEthernet2/1/16

description **** Connected to HQDCDSW02 Port Eth 1/28***

switchport mode trunk

channel-group 11 mode active

!

interface Vlan1

description *** Servers_Old VLAN Interface ***

ip address 200.1.1.250 255.255.0.0

no ip redirects

no ip unreachables

no ip proxy-arp

!        

interface Vlan100

description *** New_Servers VLAN Interface ***

ip address 100.0.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Vlan300

description *** Net_MGMT VLAN Interface ***

ip address 100.0.30.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

no ip http server

no ip http secure-server

!

ip access-list standard ACL_RESTRICTED_VTY_SSH

remark permit any - till project completion

permit any

deny   any log

!        

ip access-list extended VSL-BFD

permit udp any any eq 3784

ip access-list extended VSL-DHCP-CLIENT-TO-SERVER

permit udp any eq bootpc any eq bootps

ip access-list extended VSL-DHCP-SERVER-TO-CLIENT

permit udp any eq bootps any eq bootpc

ip access-list extended VSL-DHCP-SERVER-TO-SERVER

permit udp any eq bootps any eq bootps

ip access-list extended VSL-IPV4-ROUTING

permit ip any 224.0.0.0 0.0.0.255

!

!

!

!

!

!

ipv6 access-list VSL-IPV6-ROUTING

permit ipv6 any FF02::/124

!

line con 0

login authentication CONSOLE

stopbits 1

line vty 0 4

access-class ACL_RESTRICTED_VTY_SSH in

exec-timeout 30 0

login authentication VTY-SSH

transport input ssh

line vty 5 15

access-class ACL_RESTRICTED_VTY_SSH in

exec-timeout 30 0

login authentication VTY-SSH

transport input ssh

!

!

module provision switch 1

chassis-type 70 base-mac 24E9.B342.64D8

slot 1 slot-type 401 base-mac 24E9.B342.64D8

!

module provision switch 2

chassis-type 70 base-mac 885A.92CD.C5A8

slot 1 slot-type 401 base-mac 885A.92CD.C5A8

!

end

HQDCCSW01#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,

                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

HQDCDSW02

                 Ten 2/1/16        170             S I C  N5K-C5548 Eth 1/28

HQDCDSW02

                 Ten 1/1/16        170             S I C  N5K-C5548 Eth 1/27

HQDCDSW02

                 Ten 2/1/3         176             S I C  N5K-C5548 mgmt0

HQDCDSW01

                 Ten 2/1/15        154             S I C  N5K-C5548 Eth 1/28

HQDCDSW01

                 Ten 1/1/15        154             S I C  N5K-C5548 Eth 1/27

HQDCDSW01

                 Ten 1/1/3         173             S I C  N5K-C5548 mgmt0

!

!

HQDCCSW01#sh interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan

Po10        on               802.1q         trunking      1

Po11        on               802.1q         trunking      1

Po12        on               802.1q         trunking      1

Port        Vlans allowed on trunk

Po10        1-4094

Po11        1-4094

Po12        1-4094

Port        Vlans allowed and active in management domain

Po10        1-2,5,8,51-53,100,200,300

Po11        1-2,5,8,51-53,100,200,300

Po12        1-2,5,8,51-53,100,200,300

Port        Vlans in spanning tree forwarding state and not pruned

Po10        none

Po11        1-2,5,8,51-53,100,200,300

Po12        none.

!

!

Nexus 5548Up-FA Configuration

sh running-config

!Command: show running-config

!Time: Wed Mar  4 11:52:41 2009

version 7.0(0)N1(1)

hostname HQDCDSW02

no feature telnet

cfs eth distribute

feature udld

feature lacp

feature vpc

feature lldp

feature vtp

feature fex

ip domain-lookup

class-map type control-plane match-any copp-system-class-rpf-fail

fex 101

  pinning max-links 1

  description "HQDCSFW02"

snmp-server user admin network-admin auth md5 0xfa9292e2f91a27373c56829b4ddc2a67

priv 0xfa9292e2f91a27373c56829b4ddc2a67 localizedkey

rmon event 1 log trap public description FATAL(1) owner PMON@FATAL

rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL

rmon event 3 log trap public description ERROR(3) owner PMON@ERROR

rmon event 4 log trap public description WARNING(4) owner PMON@WARNING

rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO

spanning-tree port type edge bpduguard default

spanning-tree loopguard default

vrf context management

  ip route 0.0.0.0/0 100.0.30.1

vpc domain 1

  peer-switch

  peer-keepalive destination 100.0.30.250

  peer-gateway

  auto-recovery

  ip arp synchronize

interface port-channel1

  description *** Connected to HQDCDSW01 (E1/1,E1/2) ***

  switchport mode trunk

  spanning-tree port type network

  vpc peer-link

interface port-channel11

  description *** Connected to 4500 CS *** 

  switchport mode trunk

  spanning-tree port type normal

  spanning-tree guard root

  vpc 11

interface port-channel101

  description *** UPLINK HQDCSFW02 ***

  switchport mode fex-fabric

  fex associate 101

interface Ethernet1/1

  description *** Connected to HQDCDSW01 (E1/1)

  switchport mode trunk

  channel-group 1 mode active

interface Ethernet1/2

  description *** Connected to HQDCDSW01 (E1/2)

  switchport mode trunk

  channel-group 1 mode active

interface Ethernet1/3

interface Ethernet1/4

interface Ethernet1/5

interface Ethernet1/6

interface Ethernet1/7

interface Ethernet1/8

interface Ethernet1/9

interface Ethernet1/10

interface Ethernet1/11

interface Ethernet1/12

interface Ethernet1/13

interface Ethernet1/14

interface Ethernet1/15

interface Ethernet1/16

interface Ethernet1/17

interface Ethernet1/18

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27

  description *** Connected to CS 4500 Port Te 1/1/16 ***

  switchport mode trunk

  channel-group 11 mode active

interface Ethernet1/28

  description *** Connected to CS 4500 Port Te 2/1/16 ***

  switchport mode trunk

  channel-group 11 mode active

interface Ethernet1/29

  description *** UPLINK HQDCSFW01 ***

  switchport mode fex-fabric

  fex associate 101

  channel-group 101

interface Ethernet1/30

  description *** UPLINK HQDCSFW01 ***

  switchport mode fex-fabric

  fex associate 101

  channel-group 101

interface Ethernet1/31

  description *** UPLINK HQDCSFW01 ***

  switchport mode fex-fabric

  fex associate 101

  channel-group 101

interface Ethernet1/32

  description *** UPLINK HQDCSFW01 ***

  switchport mode fex-fabric

  fex associate 101

  channel-group 101

interface mgmt0

  vrf member management

  ip address 100.0.30.251/24

interface Ethernet101/1/1

  switchport access vlan 100

  vpc orphan-port suspend

interface Ethernet101/1/2

interface Ethernet101/1/3

interface Ethernet101/1/4

interface Ethernet101/1/5

interface Ethernet101/1/6

interface Ethernet101/1/7

interface Ethernet101/1/8

interface Ethernet101/1/9

interface Ethernet101/1/10

interface Ethernet101/1/11

interface Ethernet101/1/12

interface Ethernet101/1/13

interface Ethernet101/1/14

interface Ethernet101/1/15

interface Ethernet101/1/16

interface Ethernet101/1/17

interface Ethernet101/1/18

interface Ethernet101/1/19

interface Ethernet101/1/20

interface Ethernet101/1/21

interface Ethernet101/1/22

interface Ethernet101/1/23

interface Ethernet101/1/24

interface Ethernet101/1/25

interface Ethernet101/1/26

interface Ethernet101/1/27

interface Ethernet101/1/28

interface Ethernet101/1/29

interface Ethernet101/1/30

interface Ethernet101/1/31

interface Ethernet101/1/32

line console

line vty

boot kickstart bootflash:/n5000-uk9-kickstart.7.0.0.N1.1.bin

boot system bootflash:/n5000-uk9.7.0.0.N1.1.bin

!

Dear Steve,

I enclosed the configuration of the CS 4500X VSS & Nexus 5000. Could you please have a look at it & let me know what I am missing? I suspect that the Nexus 5000 is not working as a layer 2 switch, which is why it is not forwarding traffic to the Core Switch 4500x VSS. It is supposed to work as a layer 2 switch.

Hi Tabish,

What does your spanning tree look like? Can you post a show spanning-tree vlan 100 from both the Nexus and the 4500 switches?

Regards

Hi Steve,

I don't know why I put (spanning-tree guard root) on the Nexus 5000 port-channel which is being used to connect the Nexus 5000 to the Core Switch 4500x VSS.

When I did show spanning interface port-channel 11 on the Nexus 5000 it showed the output below.

HQDCDSW01# sh spanning-tree interface port-channel 11

Vlan             Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

VLAN0100         Desg BKN*1         128.4106 (vPC) P2p *ROOT_Inc

Port 4106 (port-channel11, vPC) of VLAN0100 is broken  (Root Inconsistent)

   Port path cost 1, Port priority 128, Port Identifier 128.4106

   Designated root has priority 32868, address 0023.04ee.be01

   Designated bridge has priority 32868, address 002a.6a89.5f7c

   Designated port id is 128.4106, designated path cost 0

   Timers: message age 16, forward delay 0, hold 0

   Number of transitions to forwarding state: 2

   Link type is point-to-point by default

   Root guard is enabled

   BPDU: sent 4, received 1621

Thanks
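An added example, not part of the original thread: a small Python check that ties the Root Inconsistent row in the output above to the `spanning-tree guard root` line in the posted Nexus configuration. The function names and the STP_AFTER row are constructed for illustration.

```python
import re

# Excerpt of the Nexus 5000 configuration posted in this thread.
NEXUS_CFG = """\
interface port-channel1
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface port-channel11
  description *** Connected to 4500 CS ***
  switchport mode trunk
  spanning-tree port type normal
  spanning-tree guard root
  vpc 11
"""

# Row taken from the "sh spanning-tree interface port-channel 11" output above.
STP_BEFORE = "VLAN0100         Desg BKN*1         128.4106 (vPC) P2p *ROOT_Inc\n"
# Constructed row: how the same port could look once it forwards again.
STP_AFTER = "VLAN0100         Root FWD 1         128.4106 (vPC) P2p\n"

# Columns: Vlan, Role, Sts, Cost, Prio.Nbr, Type. A '*' can glue Sts to Cost ("BKN*1").
ROW = re.compile(r"^(VLAN\d+)\s+(\w+)\s+([A-Z]{3})\*?\s*(\d+)\s+\d+\.\d+\s+(.*)$")

def root_guard_ports(cfg):
    """Return the interfaces that carry 'spanning-tree guard root'."""
    ports, current = set(), None
    for line in cfg.splitlines():
        if not line.strip():
            continue                      # tolerate blank lines in pasted configs
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line[0].isspace():
            current = None                # left the interface block
        elif current and line.strip() == "spanning-tree guard root":
            ports.add(current)
    return ports

def inconsistent_vlans(show_output):
    """Map VLAN -> inconsistency flags for rows in the BKN (broken) state."""
    found = {}
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "BKN":
            found[m.group(1)] = re.findall(r"\*(\w+)", m.group(5))
    return found

def diagnose(interface, cfg, show_output):
    """Say whether root guard explains why this port is not forwarding."""
    broken = inconsistent_vlans(show_output)
    root_inc = sorted(v for v, flags in broken.items() if "ROOT_Inc" in flags)
    if root_inc and interface in root_guard_ports(cfg):
        return (f"{interface}: root guard is configured and the port is Root "
                f"Inconsistent on {', '.join(root_inc)}; superior BPDUs are "
                "arriving here, so the root bridge is reached through this port")
    if broken:
        return f"{interface}: broken on {sorted(broken)}, root guard not involved"
    return f"{interface}: forwarding normally"

if __name__ == "__main__":
    print(diagnose("port-channel11", NEXUS_CFG, STP_BEFORE))
    print(diagnose("port-channel11", NEXUS_CFG, STP_AFTER))
```
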

Hi Tabish,

That was what I'd noticed and hence thought spanning tree was your problem. Glad you resolved it.

Regards

Hi Steve,

I removed this command (spanning-tree guard root) on the Nexus 5000 port-channel. Do I need to configure this on the Core Switch 4500x port-channel which is being used to connect with the Nexus 5000?

Core Switch 4500x

interface Port-channel11

description *** Uplink to Nexus 5000 DS ***

switchport

switchport mode trunk

spanning-tree guard root ( or no need for this command)

!

Hi Tabish,

While root guard and the other spanning tree enhancements are of more use in an environment where STP is actively blocking links, they are still recommended in environments where technologies such as VSS are running.

In your environment you should configure spanning tree root guard on the Catalyst 4500 aggregation layer devices. As per the Spanning Tree Configuration Best Practices with VSS section of the Cisco VSS design guide:

The root of the STP should always be the VSS. Use a statically-defined, hard-coded value for the spanning tree root so that no other switches in the network can claim the root for a given spanning tree domain. Use either Root Guard on a link of VSS-facing access-layer switch or enable it at access-layer switch user port (although the latter does not prevent someone from replacing access-layer switch with another switch that can take over as root).

Regards

Hi Steve,

Now the hosts connected to the Nexus 2000 can ping their gateway, which is on the Core Switch 4500x, as well as each other on different subnets, but while doing testing I found that ping response time & TTL value is not stable. Response time is going up & down & TTL value is also high. There is no packet loss.

Please help & advise what could be the issue & what I can check.

Waiting for your prompt response.

Hi Tabish,

Can you paste an example of the ping results so we can see exactly what you mean in terms of the ping response time and TTL value variation?

If you could also provide an indication of where the ping source and destination are if it isn't obvious.

Regards

From a Windows machine which is connected to a port on the 2000 extender, to the gateway which is on the core switch 4500x, meaning the SVI.




Hi Tabish,

Please paste the output of the ping from the client so we can see exactly what you're referring to by "ping response time & TTL value is not stable". From what you've provided I've no idea if you're referring to a change in response time between 1ms and 2ms, or between 1ms and 200ms.

That aside, the ping response time for pings to the switch itself is generally not a problem. It's well known that Cisco platforms do not prioritise ping response; they're a router after all. If you search through these forums you'll see many questions around this subject e.g., Latency High when ping to SVI on 3850 Stack & 4500X VSS. What about when you ping other clients connected to the switch? Is that response time stable or do you see the same variation?

The more intriguing point is where you have said that the TTL value is not stable. If the TTL shown in the ping response between the same source and destination is not constant, then this would indicate the number of router hops is changing between subsequent pings. If that's the case we should be able to see those different router hops using a repeated traceroute (or tracert on Windows). Can you run a tracert between the same source and destination a number of times so we can see what the difference is?

For both the ping and tracert response, please paste the output of the commands to the post so that we're not just guessing about what you're seeing.

Regards
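An added example, not part of the original thread: a Python sketch that turns pasted Windows ping output into the numbers asked for above (response-time spread, and whether the reply TTL, and so the hop count, changes between pings). The sample output is constructed, since the thread never shows the real one, and the initial-TTL list (64, 128, 255) is an assumption about common defaults.

```python
import re
from statistics import mean

# Constructed Windows ping output; 100.0.1.1 is the Vlan100 SVI from the posted config.
PING_OUT = """\
Pinging 100.0.1.1 with 32 bytes of data:
Reply from 100.0.1.1: bytes=32 time=1ms TTL=255
Reply from 100.0.1.1: bytes=32 time=14ms TTL=255
Reply from 100.0.1.1: bytes=32 time<1ms TTL=255
Reply from 100.0.1.1: bytes=32 time=3ms TTL=254
"""

REPLY = re.compile(r"Reply from (\S+): bytes=\d+ time([=<])(\d+)ms TTL=(\d+)")
INITIAL_TTLS = (64, 128, 255)  # assumption: common initial TTLs of hosts and routers

def parse_replies(text):
    """Return (rtt_ms, ttl) per reply; 'time<1ms' is recorded as 0 ms."""
    replies = []
    for m in REPLY.finditer(text):
        rtt = int(m.group(3)) if m.group(2) == "=" else 0
        replies.append((rtt, int(m.group(4))))
    return replies

def hops_from_ttl(ttl):
    """Estimate router hops: nearest initial TTL at or above the observed one."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def summarize(text):
    """Summarise RTT spread and TTL variation across all replies."""
    replies = parse_replies(text)
    rtts = [rtt for rtt, _ in replies]
    ttls = sorted({ttl for _, ttl in replies}, reverse=True)
    return {
        "replies": len(replies),
        "rtt_min_ms": min(rtts),
        "rtt_max_ms": max(rtts),
        "rtt_avg_ms": round(mean(rtts), 1),
        "ttls": ttls,
        "hops": [hops_from_ttl(t) for t in ttls],
        # More than one distinct TTL means the reply path length changed.
        "path_changed": len(ttls) > 1,
    }

if __name__ == "__main__":
    for key, value in summarize(PING_OUT).items():
        print(f"{key}: {value}")
```
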