TLS change from 100mb on g1/2 to 1gig on sup720 g5/1
Here is my issue I have a 6509 loaded with the following cards.
Slot  Ports  Card Type                                Model
1     48     CEF720 48 port 10/100/1000mb Ethernet    WS-X6748-GE-TX
2     48     CEF720 48 port 10/100/1000mb Ethernet    WS-X6748-GE-TX
3     6      Firewall Module                          WS-SVC-FWM-1
4     6      Firewall Module                          WS-SVC-FWM-1
5     2      Supervisor Engine 720 (Active)           WS-SUP720-3B
6     2      Supervisor Engine 720 (Hot)              WS-SUP720-3B
7     8      Intrusion Detection System               WS-SVC-IDSM-2
8     8      Intrusion Detection System               WS-SVC-IDSM-2
9     2      IPSec VPN Accelerator                    WS-SVC-IPSEC-1
We changed from a 100mb to a 1gig TLS connection between two of our sites. When we did this, everything seemed to be working fine going out. Our testers failed to do the outside-in tests, which we found later in the day to have an issue with web traffic only.
Quick breakdown of traffic flow: three context firewalls, an Internet connection, a network monitoring connection, a VPN connection and two department connections.
The Primary Context firewall consists of a VPN interface, a DMZ interface, and Outside and Inside interfaces. This then gets dropped into the MSFC to route to one of the other two contexts, depending on which department the traffic is flowing to. Currently the second two contexts are set up to be wide open, and they both travel across a trunk port using the TLS.
When we switched from the 100mb TLS, which was plugged into an RJ45 port on the first 48-port switch, to the 1000gb TLS, which was plugged into an SFP in 5/1 on the primary Sup720, everything seemed to be working, except for some external connections coming in from the web and some connections in from the DMZ interface on the Primary Context.
The steps we took in an attempt to resolve this problem were to clear the ARP cache and clear routes, thinking it had something to do with CEF, but neither worked. So we switched back to the 100mb TLS and everything came right back up.
If anyone has some suggestions I'd really appreciate it.
Re: TLS change from 100mb on g1/2 to 1gig on sup720 g5/1
Well solved my problem,
After doing some traffic captures we found that the second TLS connection was limiting the MTU size of our trunk interface, not allowing us to get anything through that was larger than 1496. Basically our TLS wasn't allowing tagged traffic that was above the standard Ethernet MTU size.
Our TLS provider will be fixing the issue now that we pinpointed the problem.
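The reply's diagnosis is a classic trunk-over-carrier MTU mismatch: an 802.1Q tag adds 4 bytes to every frame, so a carrier that only forwards a standard 1500-byte Ethernet payload silently drops any tagged frame carrying an IP packet larger than 1496 bytes. Small packets (pings, DNS, TCP handshakes) get through, while full-size 1500-byte TCP segments from web sessions vanish, which is why "everything seemed to be working" until outside-in web tests ran. The following Python model is an added example, not code from the original thread or from Cisco; it assumes the carrier simply drops oversized frames without returning ICMP, models the thread's 1496-byte limit as a 1500-byte payload cap with no allowance for the tag, and uses constructed sample flow sizes. It also produces a DF-bit ping sweep plan of the kind used to pin down such a limit (the IOS `ping <addr> size <n> df-bit` syntax is assumed).

```python
"""Model of the 802.1Q-over-carrier MTU mismatch described in the thread.

Added example, not from the original thread. Assumptions: the carrier drops
any Ethernet frame whose payload (bytes after the 14-byte header, VLAN tag
included) exceeds a fixed limit and sends no ICMP back; the observed 1496-byte
limit for tagged traffic is a 1500-byte payload cap with no room for the tag.
"""
from dataclasses import dataclass

ETH_HEADER = 14      # dst MAC + src MAC + EtherType
DOT1Q_TAG = 4        # 802.1Q TPID + TCI inserted on trunk links
STANDARD_MTU = 1500  # IP MTU of an untagged Ethernet interface

# Constructed sample flows: (name, IP packet length in bytes)
SAMPLE_FLOWS = [
    ("icmp echo", 84),                  # typical default-size ping
    ("dns query", 70),
    ("tcp syn", 60),
    ("http full-size segment", 1500),   # 1460-byte MSS + 40 bytes TCP/IP
]


@dataclass(frozen=True)
class CarrierLink:
    """A carrier (TLS) path that silently drops oversized frames."""
    payload_limit: int = STANDARD_MTU   # largest frame payload forwarded
    drops_silently: bool = True         # no ICMP "fragmentation needed"

    def max_ip_packet(self, tagged: bool) -> int:
        """Largest IP packet that survives, with or without a VLAN tag."""
        return self.payload_limit - (DOT1Q_TAG if tagged else 0)

    def passes(self, ip_len: int, tagged: bool) -> bool:
        return ip_len <= self.max_ip_packet(tagged)


def classify_traffic(link: CarrierLink, tagged: bool, flows):
    """Map each (name, ip_len) flow to 'ok' or 'dropped' on this link."""
    return {name: ("ok" if link.passes(n, tagged) else "dropped")
            for name, n in flows}


def df_ping_sweep(link: CarrierLink, tagged: bool, lo: int = 64, hi: int = 1500):
    """Binary-search the largest passing IP packet, as a DF-bit ping sweep does.

    Returns (largest_passing_size, probes); probes lists each (size, passed)
    tried, i.e. the pings an operator would send. 0 means even `lo` failed.
    """
    probes = []
    if not link.passes(lo, tagged):
        return 0, [(lo, False)]
    while lo < hi:
        mid = (lo + hi + 1) // 2
        ok = link.passes(mid, tagged)
        probes.append((mid, ok))
        if ok:
            lo = mid
        else:
            hi = mid - 1
    return lo, probes


def ios_ping_commands(target: str, sizes):
    """IOS extended-ping lines for the probe sizes (assumed syntax)."""
    return [f"ping {target} size {n} df-bit" for n in sizes]


if __name__ == "__main__":
    carrier = CarrierLink()  # 1500-byte payload cap, tag not accounted for
    print("tagged trunk:", classify_traffic(carrier, True, SAMPLE_FLOWS))
    print("untagged access:", classify_traffic(carrier, False, SAMPLE_FLOWS))
    limit, probes = df_ping_sweep(carrier, tagged=True)
    print("largest tagged IP packet:", limit)
    for line in ios_ping_commands("192.0.2.1", [s for s, _ in probes]):
        print(line)
```

Running the model with the default link reproduces the thread's symptom: every small flow is "ok" on the tagged trunk while the full-size HTTP segment is "dropped", and the sweep converges on 1496. Raising `payload_limit` to 1504 (a carrier that accounts for the tag) makes the same HTTP flow pass, which is the fix the provider is being asked for.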