JOINT EtherChannel Question

In the configuration for the METHOD guide, it states:

To ensure that the same traffic to the two data ports on each JOINT-2, you must set the same EtherChannel index to two data ports on each of the JOINT-2, even if they are in the different EtherChannel groups.

Can someone tell me how to change the EtherChannel index? I have successfully assigned data ports to a port channel, but I can't figure out how to change the EtherChannel index.

I would recommend re-initializing the two JOINT in SW2 from scratch and trying again. Or, as a test, you can let go of EtherChannel and configure one of them to test things. I also recommend keeping the spanning-tree parameters at their defaults and not changing the cost, etc.

Concerning

Farrukh

Tags: Cisco Security

Similar Questions

  • Question of investment and JOINT redundancy

    Hi, the JOINT-2 supports any kind of redundancy Protocol?

    I can't see anything in the configuration guide.

    If I wanted to place a redundant pair outside a pair of firewalls, how I managed the redundancy of them.

    My other question is, is it better to place the METHOD outside the firewall external face or inside?

    Thank you, Dom

    Please see the attachment for a few design guidelines.

    Concerning

    Farrukh

  • Ethernet VMware with Cisco EtherChannel and Trunking Question

    Hello

    Trying to get our etherchannels works correctly with our network administrator. Here is our config with a few questions.

    1. as it is to create the trunk between switch and host directly, can I use spanning tree portfast chest edge ?

    2. when don't we use no ip address and when not for this configuration? I see online showing examples with and without it.

    3. in some articles, he described in access mode , while in others he said dot1q trunk mode. See here for the access mode. Admin think it should use dot1q.

    4 Etherchannel is fully support and preferred extending from links on maps, right? Not all of the links on the same card?

    5 is this the case in order to change the load balancing algorithm in vmware first or first to the work of cisco? I did first vmware. (IP-hash)

    It's on a series with 4 cards/blades 6500 switch.

    !
    interface Port-channel200
     switchport
     switchport access vlan 81
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
    !
    interface GigabitEthernet2/35
     switchport
     switchport access vlan 81
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast edge
     channel-group 200 mode on
    !
    interface GigabitEthernet8/10
     switchport
     switchport access vlan 81
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast edge
     channel-group 200 mode on
    

    DITGUY2012 wrote:

    Wow Josh. If only you had written documentation. That's the trouble with him. People like me get final instructions, because we're not the guys from network 24 x 7. Great documentation would be layout, the reasons to go this way or that way you did just. That being said, here's my summary based on this discussion.

    1. we have several VLANS that descends from 3 links on the etherchannel. Thus, we should use mode trunk because there is not a single.

    2. we have an another etherchannel with just 1 vlan (vmotion), but in all of two links. This should be the access mode. Or is it still trunk because it's the multiple links?

    3. I don't know what crash dump logger is, or how it applies to my situation.

    4. I saw the bpduguard setting before what exactly is the syntax to use for us? 6500 series.

    5. I don't know if our switch would deliver on that port. How can I tell? At this moment I have switchport setting in there.

    Thank you!

    No problem for reference, the other question of documentation is one of the languages. Their word etherchannel on HP networking hardware, 'trunk' and has nothing to do with the discussion of port "access vs circuit", which they call "tag unidentified vs.

    1 Yes

    2. you would certainly make an access port.

    3. If your server never begins to have a problem with break, VMware can a copy of the accident for the debug log. You can see an article on setting up here: put in place the collector of Dump ESXi 5.0 | VMware vSphere Blog - VMware Blogs.

    4 I'm sorry I'm not familiar with this model

    5. I think if the switchport parameter is here and connectivity seems to work, you can consider yourself safe

  • Question about blade locking JOINT

    We currently have a cisco 6509 with a blade ID managed by Cisco

    Secure Policy Manager. I have three related issues. If I want to

    to activate the blocking feature identified in the CSPM, that is to say: be able to

    automatically block certain types of alerts for a defined period,

    can I perform this function by directing the internal MSFC routing module to

    manage the blocking feature, or do I have to run this function

    with a router or an external firewall. Related question, if we can use the MSFC

    routing module, how do the quick change (road first, spend the rest) type

    feature affect this ability. Are there performance benefits

    to choose one method rather than the other.

    Thank you

    Mike

    The blade of the IDS can be configured in CSPM for blocking on the MSFC that is similar to any other router IOS. It has been tested and is fully supported.

    Alternatively, you can also configure the blade IDS to perform the blocking directly on the controller using Vlan ACL.

    Regarding:

    Related question, if we can use the MSFC

    routing module, how do the quick change (road first, spend the rest) type

    feature affect this ability. Are there performance benefits

    to choose one method rather than the other.

    Every time that the ACL on the MSFC are affected (by a user or the blade IDS), the current stream is double-checked against the new ACL. Feature so it wise works very well with the quick change.

    However, I can't comment on performance when you use the MSFC or another device.

  • Mixed Joint Parliamentary Assembly question strategy legacy

    Table: A, B

    Class: A, B, C

    // JPA annotations (javax.persistence)
    import javax.persistence.*;

    @Entity
    @Table(name = "A")
    @Inheritance(strategy = InheritanceType.JOINED)
    @DiscriminatorColumn(name = "type")
    abstract class A { }

    @Entity
    @Table(name = "B")
    @DiscriminatorValue("B")
    @PrimaryKeyJoinColumn
    class B extends A { }

    // C declares no @Table of its own
    @Entity
    @DiscriminatorValue("C")
    class C extends A { }


    A - b's * @Inheritance (strategy = InheritanceType.JOINED) * and A-C its * @Inheritance (strategy = InheritanceType.SINGLE_TABLE) * by default. When I try to run some test that TopLink identifies the class C as strategy mixed but expects C to have its own table, as the super class A is specified with the strategy attached. Not sure, otherwise how would work mixed strategy!

    Any help would be greatly appreciated.

    TX
    K

    Hello

    My understanding is that all classes should use the inheritance strategy defined in its parent class - there is no way to have two strategies on a single parent class.

    If you aim to get 3 classes (A, B and C) to use two tables (A, B) you could try rather to specifying the root (A) to use SINGLE_TABLE. B will be then automatically has an entry in the table and class B can then be set to use the B chart as well by adding the annotation @SecondaryTable (name = "B"), specifying the joincolumn if primary key field names are different. A and C will then only use table, B will use the table for inherited attributes and the join to Table B - be sure to explicitly define the table to use in all the mappings on B you want to use table B, otherwise I think that the table will assume that it is the primary table.

    Best regards
    Chris

  • SCPI format questions

    Hello

    I'm working with SCPI but I am having a few problems to clarify some points of the IEEE 488.2 and SCPI 99 folder, I hope someone here can have the knowledge to help.

    My questions concern mainly the separators of unit and command message headers

    (1) certain documents I have looked at have specified from all units of message with a colon, others seem to show examples where this is not necessary... is there a reason for this? which is correct?

    for example:

    (Note the colon between command; and SUBSystem2)

    :SUBSystem:COMMand;:SUBSystem2:COMMand2;
    

    or

    :SUBSystem:COMMand;SUBSystem2:COMMand2;
    

    (2) some examples in the document of the SCPI 99 seem to suggest that do not use the previous two points allows the following commands of the same control channel, or level in the tree, do not require a reiteration of this path for each command, is that correct?

    for example:

    :SUBSystem1:COMMand1_1;COMMand1_2;
    

    is equal to

    :SUBSystem1:COMMand1_1;:SUBSystem1:COMMand1_2;
    

    ??

    (3) If a joint command (those starting with a *) will be preceded by a colon?

    Thank you very much

    wolf99 wrote:

    Hello

    I'm working with SCPI but I am having a few problems to clarify some points of the IEEE 488.2 and SCPI 99 folder, I hope someone here can have the knowledge to help.

    My questions concern mainly the separators of unit and command message headers

    (1) certain documents I have looked at have specified from all units of message with a colon, others seem to show examples where this is not necessary... is there a reason for this? which is correct?

    for example:

    (Note the colon between command; and SUBSystem2)

    :SUBSystem:COMMand;:SUBSystem2:COMMand2;
    

    or

    :SUBSystem:COMMand;SUBSystem2:COMMand2;
    

    (2) some examples in the document of the SCPI 99 seem to suggest that do not use the previous two points allows the following commands of the same control channel, or level in the tree, do not require a reiteration of this path for each command, is that correct?

    for example:

    :SUBSystem1:COMMand1_1;COMMand1_2;
    

    is equal to

    :SUBSystem1:COMMand1_1;:SUBSystem1:COMMand1_2;
    

    ??

    (3) If a joint command (those starting with a *) will be preceded by a colon?

    Thank you very much

    It's been a while since I did the SCPI, but here's what I'm quickly collecting some of my old code.  And some instruments are slightly different, so check with the instrument before diving head first.

    1 & 2.  The colon is the beginning of a level of command.  Not using the colon allows the instrument to know that the command is at the same hierarchical level.  So, yes, you are right with #2.  However, some instruments will take orders without the colon.  Power supplies, for example, have sometimes 5.0 VOLT set to 5V, even if the voltage is several layers deep in the set command.

    3. No colon needed for special orders such as *RST and *IDN?.

  • JOINT-2 update: which restarts?

    I need to upgrade the JOINT-2 modules in my 6513 switches from ver. 4.x to 5.0.1 (a significant modernization). The procedures show that "the system will restart at the end of the upgrade...". My question is which system will restart? Will just the JOINT-2 module restart, or the whole switch?

    Just the JOINT-2, not the switch.

  • JOINT-2, using a lot of memory

    Hello.

    I have a question about JOINT-2 that is using 98% of the memory.

    Output of sh ver:

    With the help of 1944629248 of 1979682816 memory available bytes (98% of use)

    With 4.3 G off bytes 17 G of disk space available (27% of use)

    Is it normal that it is using 98% of memory during normal operation, or is there a problem?

    If this is not normal, please tell me how I can troubleshoot what is wrong with it.

    This message is misleading, because it includes the memory allocated for the system process as well as the memory allocated for the cache. Cache memory is really "free": it is available for allocation at any time.

    It's actually a cosmetic bug that you are running into.

    If you want to check during periods of what you believe to be high memory usage, you can connect as the service user (if you have not created a service user, you can do this as follows):

    1. Log in using the account "cisco"; the prompt will look like:

    sensor#

    2. Enter configure terminal mode:

    sensor# configure terminal

    3. Create the service account:

    sensor(config)# username service password xxx privilege service

    Then connect to the sensor as the service user and run the command 'free'. What 'sh ver' reports is the "used" column.

    In the "Mem:" row, the "used" column is the amount of memory (in kilobytes) that the "show version" command reports. However, this total includes the amount "cached".

    The formula to calculate the actual memory used is:

    ((used-Cached) / total) * 100 = percentage of memory used.
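
The calculation from the reply above, as an added example that is not part of the original thread: it parses the `Mem:` row of `free` output and applies ((used - cached) / total) * 100. The sample output is constructed (only total and used correspond to the byte counts quoted in the question, converted to KB), and the function names are assumptions.

```python
# Added example: recompute the sensor's memory figure from `free` output.

# Constructed sample of `free` output, values in KB. total and used match the
# 98% report quoted in the question; the remaining columns are invented.
SAMPLE_FREE = """\
             total       used       free     shared    buffers     cached
Mem:       1933284    1899052      34232          0      61200    1200000
-/+ buffers/cache:     637852    1295432
Swap:            0          0          0
"""


def parse_mem_row(free_output):
    """Return the Mem: row as {column_name: kilobytes}, keyed by the header line."""
    header = None
    for line in free_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        # The header line carries the column names but no row label.
        if "total" in fields and "used" in fields:
            header = fields
        elif fields[0] == "Mem:":
            if header is None:
                raise ValueError("Mem: row seen before the column header")
            values = fields[1:]
            if len(values) != len(header):
                raise ValueError("Mem: row does not match the header columns")
            return dict(zip(header, (int(v) for v in values)))
    raise ValueError("no Mem: row found in free output")


def reported_percent(mem):
    """What the version output shows: used / total, cache included."""
    return mem["used"] / mem["total"] * 100


def actual_percent(mem):
    """The thread's formula: ((used - cached) / total) * 100."""
    if "cached" not in mem:
        # Newer procps prints a combined buff/cache column instead; the
        # formula as given in the thread needs the separate cached column.
        raise ValueError("free output has no 'cached' column")
    return (mem["used"] - mem["cached"]) / mem["total"] * 100


def summarize(free_output):
    """Return both figures so the cosmetic 98% can be compared with real use."""
    mem = parse_mem_row(free_output)
    return {
        "reported": reported_percent(mem),
        "actual": actual_percent(mem),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_FREE)
    print("reported: %.1f%%  actual: %.1f%%" % (result["reported"], result["actual"]))
```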

  • Questions about the upgrade to the 4.0 unit

    Hi all

    I have a few questions before the server upgrade to 4.0 to 3.1.3 and install a new Server 4.0. We currently have 7 servers unit all current 3.1.3 running with digital networks. We are planning to upgrade a Server 4.0 and install a new server with 4.0 costs. This is the beginning of the upgrade of the entire company and my questions are the following:

    1 will update the AD schema during the installation/upgrade to 4.0 problems with the 3.1.3 other servers?

    2 since there isn't that one account of the unit currently with the 3.1.3 configuration, creating 4 new accounts unit cause any problem or should I / can I use the current to the unityadmin the unit account or one of the other 3 new accounts? I would like to start over again with 4 new accounts and not use the current service account and migrate to new accounts during the upgrade other servers.

    3. is there a problem to have 3.1.3 servers running jointly with 4.0 servers in general?

    My impression is that this is very well that I would no problem to start the 3.1.3 servers alongside with 4.0 servers, there should be no problem to use new accounts of the unit and this update of the AD schema should not be a problem for the old servers, but I want to make sure before doing the update/install.

    Oh, it's all run with Exchange 2000.

    Thanks for your time!

    Keith

    (1) it is backward compatible

    (2) creation of 4 new accounts will be fine.

    (3) you can run 3.1 (x) alongside with 4.x

    H. M.

  • Connection JOINT-2 problem

    Dear friends,

    We have JOINT-2 mod on 6509 chassis, up to few days back, we were able to ssh and connect the switch to JOINT, but for a few days, we get the error below.

    Disconnected. no available supported authentication methods

    (server sent: public key interactive keyboard)

    Note: no configuration has been changed.

    Tried to change the ssh client (LSVCCs, PuTTY) still no luck.

    Please advise.

    Syed Salmat saublens,

    By resetting the box gets fixed for while due service cids restarted and rooted in your question appear to be a problem with this service. In this case I suggest you is freshly reimage the appliance or try 9,0000 soft last E4.

    Path to get the software:

    Cisco.com

    Downloads home > Products > Cisco Interfaces and Modules > Services Modules > Catalyst 6500 Series Intrusion (JOINT-2) Services Module detection system >

    Steps to follow:

    http://www.Cisco.com/c/en/us/TD/docs/security/IPS/6-0/Configuration/Guide/CLI/cliguide/cliImage.html#wp1031992

    Johan,

    TAC Support Engineer Cisco
    Team security/FW/IPS

  • How a loop shape in a misconfigured Etherchannel?

    Dear friends,

    It is a question frequently observed and practically proven that if both switches are interconnected by a number of parallel links that are grouped in an Etherchannel on a switch (of course, using the mode on ) while being unbundled on the second switch, a loop of Layer2 may well be created. However, I do not understand the exact mechanism of the formation of this loop.

    I am well aware of the basic principles behind: I know that STP treats interface Port-Channel as a single interface, and all Member links grouped in that Etherchannel share the same role/State PLEASE. I also understand that a frame of broadcast/multicast/unknown unicast sent by a port in the Etherchannel will reach the switch in front and cross flooded all the other links, arriving finally at the switch with the Etherchannel configuration.

    And right there, that is where my understanding ends: the framework came back and its destination is still unknown. However, from the point of view of the switch, the frame came in through a specific Port-Channel interface. If this switch flooding the frame, there he will flood through all ports except the port through which the framework was, which means that the frame will never sent through the Port-Channel. How the loop is created, then?

    Thank you so much for helping me with this!

    Best regards

    Peter

    Peter,

    The packages will be flooded with all interfaces for unknown broadcast/unicast packets with the exception of the interface when the flood came.

    In a 2 switch topology, switch A (which has the bundle) will flood the package on the members of the group waiting B switch to receive the package on its package.

    However, switch B will not receive the package on one of its physical interfaces and may experience flooding to B switch off its other physical interface connected which causes the STP loop.

    Kind regards

    Edison.

  • Redundancy for JOINT unique on two separate chassis

    EtherChannel Protocol can be used to provide redundant active / standby for single JOINT on two different chassis.

    Rgds.

    Failover will be based on how your FWSM mac address is learned by the devices of "inside". In normal operation the FWSM PRIMARY will be active so that all traffic will pass through the present JOINT on this base Sw. When FWSM failovers all traffic will pass through the FWSM SECONDARY and module JOINT in the second frame.

    Concerning

    Farrukh

  • What happens when JOINT-2 performance is exceeded

    Hello

    We have JOINT-2 with about 20 pairs of vlan inline in the test environment. What happens to online traffic ourselves, said a flow of 500 Mbps? Falls of traffic or is it transmitted without IPS inspection.

    If you exceed the capacity of the sensor monitoring, then the packets that cannot be monitored will be abandoned by the sensor.

    NOTE: 500Mbps isn't a number of absolute performance for the sensor. It's a level of performance that the sensor has been tested to be able to manage for certain types of traffic used in the performance test. We don't know exactly how much traffic the sensor will be able to manage to your network. The JOINT-2 will probably handle around 500 Mbps is a lot and even most customer networks. However, the networks vary, and in some networks, it can handle quite a bit less traffic and other networks can handle even more.

    So the question is not what will happen if you send more than 500 Mbps, but rather what will happen if you send more traffic than what the sensor is able to monitor. And the answer is that all traffic that cannot be monitored because of the limitations of performance will be dropped by the sensor.

    The only time where the packets are forwarded without inspection is if sensorApp has ceased to monitor all packets (a reconfiguration or an upgrade is in progress, or the process of sensorApp crashed) AND the functionality of the software workaround August kicks. Which case all packets will be forwarded without analysis.

  • Cisco JOINT and IPS hardware bypass

    Hi all

    I have a question about the Cisco JOINT, ASA - AIP - SSM (IPS) and material of the IPS 4200 bypass unit series. Please let me know if the material fails in both cases how to cross traffic. Is there any circumvention of integrated equipment built in the same

    Concerning

    Ankur

    Sorry for the late reply. I've been on vacation for a week.

    ByPass hardware is not available for the JOINT-2 no matter if you use inline vlan pairs or couples inline interface.

    For devices need special interface cards or a hardware bypass switch separate, and none of them are available on the JOINT-2.

    You must configure your network so that there is a second way around the JOINT 2 JOINT-2 failure.

    This can be done with a standard network cable.

    Suppose you have your JOINT-2 configured for inline vlan VLAN 10 matching and 20.

    Configure a standard switchport as an access port on vlan 10.

    Set up an another standard switchport as an access port on vlan 20.

    Now using a standard network cable connect these 2 all switch ports.

    Stop your JOINT-2 and traffic should now be passed through this network cable and your network connectivity must be maintained.

    Bring your JOINT-2 backup, and now spanning tree runs and will choose the JOINT-2 or the network as the main way and the other cable will set in a State of block.

    Run 'show spanning-tree vlan 10' and 'show spanning-tree vlan 20' to determine if the cable ports or the JOINT-2 port is in a BLK state.

    If the cable ports are in a State BLK, then you don't need to modify the spanning tree.

    If the JOINT-2 port is in a State BLK, then you need to change the spanning tree cost and/or priority for JOINT-2 port by using the following commands:

    -[No] port-channel channel_number-STP intrusion detection doesn't cost port_cost

    Defines the cost of port tree covering for the data port on the specified module. Without the option restore shipping tree covering for the data port on the module specified in the default value.

    -[not] port-channel channel_number spanning tree priority priority intrusion detection

    Sets the priority of the port spanning tree for the data port on the specified module. Without the option restores the priority of port spanning tree for the data port on the module specified in the default value.

    To learn more about spanning-tree and how these parameters interact with spanning tree you can look through this section of the user guide for the switch or to search cisco.com for documentation of spanning tree:

    http://www.Cisco.com/en/us/partner/docs/switches/LAN/catalyst6500/IOS/12.2Sx/configuration/guide/spantree.html

    NOTE: Your switch must be configured for rapid PVST for failover more rapid. Work with your administrator to switch to determine which spanning tree Protocol is used on your switch. The JOINT-2 does not work with STDS to ensure that STD is not used.

  • installation of update of signature for JOINT-2 AIP - SSM

    Hi everyone, I'm not sure about this issue but I think it's better to ask you experts. I want to know that if I update the signature for example for my JOINT-2 can I install this update of GIS on my AIP-SSM --> assume that software IPS on both devices are same and I also installed the license key valid on AIP-SSM. Now can I do this or not? And I know that if you do not license installed on JOINT-2 you cannot install any point of GIS on JOINT-2 but this topic AIP-SSM? I want to say I can install updated GIS on AIP-SSM without installed the license key valid on AIP-SSM? Thank you

    There are 3 main types of Signature updates.

    (1) IPS sensor Signature Update

    (2) updates of Signature CSM for IPS sensors

    (3) signing IOS IPS updates

    The IPS Signature Update file name is in the form: IPS-GIS-Sxxx-req-Ey.pkg

    That's probably what you are referring to in your message. This file can be installed on ANY device IDS/IPS or Module.

    Here, the requirement is not the platform but rather the level of the engine. The part "req-Ey" in the file name indicates that the sensor has already run the 'y' the software engine level.

    If a file IPS-GIS-S436-req-E3.pkg can be installed on any IDS/IPS device or Module as long as the software on this sensor is a version of the 'E3'.

    The CSM updates are updates of signature for the Cisco Security Manager. They contain special files that CSM uses to update, and then also included in the CSM update is the update of real sensor described above. CSM unpackages the CSM update, updates and then uses this file embedded to upgrade the actual sensor.

    The third type of file is for routers IOS loaded with the special IOS software that has the distinction of IOS IPS where the router itself (instead of a separate module of the IDS/IPS) keeps track of the signature.

    These updates to the signing IOS IPS settle on the real router and are not installed on the Modules or the sensor IDS/IPS devices.

    So to answer your question, yes the same Signature Update for your JOINT-2 is the exact same Signature Update for your SSM modules.

    The same exact file is available through several different paths on cisco.com. But no matter which way cisco.com you have downloaded the file, you can always install it on all the Modules and the IDS/IPS Appliances.

    With respect to licensing, the license works the same on all Modules and the IDS/IPS Appliances. A license must be on the sensor for the Signature Update to apply.

    NOTE: A trial license is available at cisco.com for new sensors to allow you to get everything set up properly for your sensor to be covered by a service contract and get the standard license for the service contract.
