[c-nsp] No SVI throughput/bandwidth counters on Catalyst 4948

Rick Ernst cnsp at shreddedmail.com
Tue Nov 17 11:33:33 EST 2009


I started deploying Catalyst 4948 switches as TOR devices about 3 months
ago.  The policing and packet-handling have been behaving quite nicely.
Physical ports are mapped to SVIs and the SVIs have policers attached.  The
primary reason for SVIs is to allow a paired 4948 to act as an HSRP partner
across a dot1q trunk for the individual interfaces.

Up until last night, everything seemed to be working fine.  We moved our
Checkpoint firewall from behind the core down to behind aggregation (new
mantra; no customers attach at the core - everybody is a customer.  We had
some ad-hoc stuff attached to the core that I'm slowly pruning).

From spot-checking, all of the SVIs and physical interfaces report bits/sec
and packets/sec properly, other than the new interfaces I lit up for the
firewall.  Only the physical port interfaces show activity on
bits/packets/sec.  I am, however, seeing L3 Switched counters.  The only
differences I can think of are: a) firewall isn't policed, and b) Checkpoint
does weird stuff with unicast-IP-on-multicast-MAC for its load-balancing and
failover.  I added a policer to the firewall interface, and added the magic
static arp on (that Checkpoint uses) to an existing interface and the
behavior didn't change.  Checkpoint interface is weird, others are OK.

Any suggestions on what to look for?

Thanks,

-----

--> Working:

interface GigabitEthernet1/1
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

#show int g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 215000 bits/sec, 53 packets/sec
  5 minute output rate 258000 bits/sec, 47 packets/sec

interface Vlan101
 description Normal customer
 ip address x.y.34.226 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 101 ip x.y.34.225
 standby 101 timers 5 15
 standby 101 priority 110
 standby 101 preempt
 service-policy input BW_12M
 service-policy output BW_12M
end

#show int vlan 101
Vlan101 is up, line protocol is up
  5 minute input rate 210000 bits/sec, 55 packets/sec
  5 minute output rate 236000 bits/sec, 46 packets/sec
  L3 in Switched: ucast: 487633 pkt, 188595448 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 439823 pkt, 245564925 bytes - mcast: 0 pkt, 0 bytes


--> Weird:

interface GigabitEthernet1/46
 description Checkpoint Firewall "A"
 switchport access vlan 146
 switchport mode access
 spanning-tree portfast
end

#show int g1/46
GigabitEthernet1/46 is up, line protocol is up (connected)
  5 minute input rate 25263000 bits/sec, 3476 packets/sec
  5 minute output rate 15737000 bits/sec, 5351 packets/sec


interface Vlan146
 description Checkpoint Firewall "A"
 ip address x.y.1.82 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 146 ip x.y.1.81
 standby 146 timers 5 15
 standby 146 priority 110
 standby 146 preempt
end

#show int vlan 146
Vlan146 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L3 in Switched: ucast: 94104774 pkt, 91006951231 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 44127262 pkt, 16712790232 bytes - mcast: 0 pkt, 0 bytes

