[c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

Pavel Skovajsa pavel.skovajsa at gmail.com
Tue Jan 26 09:40:02 EST 2010


On Tue, Jan 26, 2010 at 3:15 PM, Sven 'Darkman' Michels <sven at darkman.de> wrote:
> Hi Pavel,
>
> Pavel Skovajsa wrote:
>> Hi Sven,
>>
>> I had not exactly the same but similar issues, but with a 7606 - see
>> http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I
>> learned from TAC that the issue was with the fact that I used it in
>> combination with VRFs and the traffic got incorrectly punted into 7606
>> MSFC CPU where there are hardware rate limiters (show mls rate-limit).
>
> But since I don't use VRFs, this might be something similar?
>
> I checked the rate limit, but I'm not familiar with the output... maybe you
> can see something:
> #show mls rate-limit
>  Sharing Codes: S - static, D - dynamic
>  Codes dynamic sharing: H - owner (head) of the group, g - guest of the group
>
>   Rate Limiter Type       Status     Packets/s   Burst  Sharing
>  ---------------------   ----------   ---------   -----  -------
>         MCAST NON RPF   Off                  -       -     -
>        MCAST DFLT ADJ   On              100000     100  Not sharing
>      MCAST DIRECT CON   Off                  -       -     -
>        ACL BRIDGED IN   Off                  -       -     -
>       ACL BRIDGED OUT   Off                  -       -     -
>           IP FEATURES   Off                  -       -     -
>          ACL VACL LOG   On                2000       1  Not sharing
>           CEF RECEIVE   Off                  -       -     -
>             CEF GLEAN   Off                  -       -     -
>      MCAST PARTIAL SC   On              100000     100  Not sharing
>        IP RPF FAILURE   On                 100      10  Group:0 S
>           TTL FAILURE   Off                  -       -     -
>  ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
>  ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
>         ICMP REDIRECT   Off                  -       -     -
>           MTU FAILURE   Off                  -       -     -
>       MCAST IP OPTION   Off                  -       -     -
>       UCAST IP OPTION   Off                  -       -     -
>           LAYER_2 PDU   Off                  -       -     -
>            LAYER_2 PT   Off                  -       -     -
>       LAYER_2 PORTSEC   Off                  -       -     -
>             IP ERRORS   On                 100      10  Group:0 S
>           CAPTURE PKT   Off                  -       -     -
>            MCAST IGMP   Off                  -       -     -
>  MCAST IPv6 DIRECT CON   Off                  -       -     -
>  MCAST IPv6 ROUTE CNTL   Off                  -       -     -
>  MCAST IPv6 *G M BRIDG   Off                  -       -     -
>  MCAST IPv6 SG BRIDGE   Off                  -       -     -
>  MCAST IPv6 DFLT DROP   Off                  -       -     -
>  MCAST IPv6 SECOND. DR   Off                  -       -     -
>  MCAST IPv6 *G BRIDGE   Off                  -       -     -
>        MCAST IPv6 MLD   Off                  -       -     -
>  IP ADMIS. ON L2 PORT   Off                  -       -     -
>

Actually the correct command is "show mls rate-limit usage".
The easiest way to find out whether this is something connected to CPU
punt is to configure "no mls rate-limit unicast ip icmp unreachable
no-route"; however, this may have some impact on a production device if
you have any situation where traffic matches a no-route situation in
hardware and gets punted to the CPU, overwhelming it...

As another idea, you can try to "localize" the issue to the 6509 only,
simply by taking a free port on the 6509 and testing a PVLAN end-user port
on that one.


>
>> Anyway, try upgrading the 6509; I am sure some old SXD code has a number
>> of bugs around this.
>
> By upgrading you mean a newer software release, I hope? ;)

Exactly....
....also forgot to mention that for PVLANs to work you need to use
golden RJ45 connectors :) ... joking

-pavel

>
> Thanks again!
>
> Regards,
> Sven
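Added example (not part of the original thread and not Cisco tooling): a small Python parser for the "show mls rate-limit" table quoted above. It lists the enabled limiters with their packets/s and burst values, the disabled ones, and the limiters marked as sharing a group. The function names and the embedded sample (an excerpt of the quoted output) are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the "show mls rate-limit" output quoted in the message above.
SAMPLE = """\
>   Rate Limiter Type       Status     Packets/s   Burst  Sharing
>  ---------------------   ----------   ---------   -----  -------
>        MCAST DFLT ADJ   On              100000     100  Not sharing
>           CEF RECEIVE   Off                  -       -     -
>             CEF GLEAN   Off                  -       -     -
>        IP RPF FAILURE   On                 100      10  Group:0 S
>           TTL FAILURE   Off                  -       -     -
>  ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
>             IP ERRORS   On                 100      10  Group:0 S
"""

ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<status>On|Off)\s+"
                 r"(?P<pps>\d+|-)\s+(?P<burst>\d+|-)\s+(?P<sharing>\S.*?)\s*$")

def parse_rate_limits(text):
    """Return one dict per limiter row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(re.sub(r"^(?:>\s?)+", "", line))  # drop e-mail quote marks
        if not m:
            continue
        d = m.groupdict()
        d["enabled"] = d.pop("status") == "On"
        for k in ("pps", "burst"):
            d[k] = None if d[k] == "-" else int(d[k])
        rows.append(d)
    return rows

def summarize(rows):
    """Split limiters into enabled/disabled and collect 'Group:N' members."""
    groups = defaultdict(list)
    for r in rows:
        g = re.match(r"Group:(\d+)", r["sharing"])
        if r["enabled"] and g:
            groups[int(g.group(1))].append(r["name"])
    return {
        "enabled": {r["name"]: (r["pps"], r["burst"]) for r in rows if r["enabled"]},
        "disabled": [r["name"] for r in rows if not r["enabled"]],
        "shared_groups": dict(groups),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_rate_limits(SAMPLE)).items():
        print(key, value)
```

The parser accepts the output with or without the ">" quote prefixes, so the full table from a terminal session can be passed in unchanged.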