MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
‎10-10-2016 12:45 PM
If I try to connect a new access switch (Summit X440-48) to the core switch (BD8006), after some minutes I read the following entry in the log file:
MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
MSM-A: Added an ACL to port 4:1, srcIP 0.0.0.0 to destIP 10.72.50.100, protocol udp
After that several servers are not reachable (but the new access switch is reachable via ping). If I disconnect the new switch everything is fine.
So what is wrong?
‎10-13-2016 12:31 PM
Hi Matthias,
"trusted-port" won't block the packets from the new switch to reach the Core CPU. That's a little bit risky and should be tried in a MW or non-critical period. Since you have already opened a case, please hold this action and follow GTAC instructions.
Regarding the ELRP, I believe the GTAC suspects that could be any loop related to the new switch. Even something with bad HW or wrong LAG HW programming.
Please share the solution provided when you get the GTAC case closed.
Thank you.
‎10-11-2016 11:35 AM
Hi Henrique,
show configuration "dosprotect"
#
# Module dosprotect configuration.
#
enable dos-protect
Every time I had only one active uplink, either connected to Core1 or Core2. Each time with the same result.
What happens if I configure the port as a trusted port? The "bad" packets still enter the core and the CPU is busy?
Meanwhile I have opened a case; perhaps there is broken hardware.
They told me I should do the following steps:
disable dos-protect
enable elrp-client
configure elrp-client one-shot ports all log
And/or I should capture the packets on port 3:4.
But I don't know where a loop should be because the whole network is working without the new switch.
BR,
Matthias
‎10-11-2016 11:20 AM
Hi Matthias, thank you for the outputs. I don't see any config issue.
What's the configuration for DosProtect? Could you please share the output for "show configuration dosprotect" for both Core switches?
When you see this issue, are you connecting just the uplink to Core1 or both?
I would try to connect to both Core switches with only sharing configuration on the New_SW, without any vlan/IP configuration to the uplink ports. Also, you could try to connect to Core2 only and see the results.
I'm wondering if that could be just a burst and not a constant high traffic rate from the New_SW. If that's true, then you could try adding the New_SW port as a trusted_port to the Core switch using the following command:
"config dos-protect trusted-ports add-ports 3:4"
You can monitor the switch CPU with "top" command.
‎10-11-2016 03:21 AM
Hi,
Yes, that is correct.
Config Core1:
****************
create mlag peer "CORE2"
configure mlag peer "CORE2" ipaddress 1.1.1.2 vr VR-Default
enable mlag port 3:1 peer "CORE2" id 1
enable mlag port 3:2 peer "CORE2" id 2
enable mlag port 3:3 peer "CORE2" id 3
enable mlag port 3:4 peer "CORE2" id 4
enable mlag port 3:5 peer "CORE2" id 5
enable mlag port 3:7 peer "CORE2" id 7
enable mlag port 3:8 peer "CORE2" id 8
enable mlag port 3:10 peer "CORE2" id 10
enable mlag port 3:11 peer "CORE2" id 11
enable mlag port 3:13 peer "CORE2" id 13
enable mlag port 3:17 peer "CORE2" id 17
enable mlag port 3:18 peer "CORE2" id 18
enable mlag port 3:19 peer "CORE2" id 19
enable mlag port 3:20 peer "CORE2" id 20
enable mlag port 3:21 peer "CORE2" id 21
enable mlag port 3:23 peer "CORE2" id 23
enable mlag port 3:24 peer "CORE2" id 24
enable mlag port 4:2 peer "CORE2" id 42
enable mlag port 7:2 peer "CORE2" id 72
enable sharing 4:1 grouping 4:1, 7:1 algorithm address-based L2
Config Core2:
****************
create mlag peer "CORE1"
configure mlag peer "CORE1" ipaddress 1.1.1.1 vr VR-Default
enable mlag port 3:1 peer "CORE1" id 1
enable mlag port 3:2 peer "CORE1" id 2
enable mlag port 3:3 peer "CORE1" id 3
enable mlag port 3:4 peer "CORE1" id 4
enable mlag port 3:5 peer "CORE1" id 5
enable mlag port 3:7 peer "CORE1" id 7
enable mlag port 3:8 peer "CORE1" id 8
enable mlag port 3:10 peer "CORE1" id 10
enable mlag port 3:11 peer "CORE1" id 11
enable mlag port 3:13 peer "CORE1" id 13
enable mlag port 3:15 peer "CORE1" id 15
enable mlag port 3:17 peer "CORE1" id 17
enable mlag port 3:18 peer "CORE1" id 18
enable mlag port 3:19 peer "CORE1" id 19
enable mlag port 3:20 peer "CORE1" id 20
enable mlag port 3:21 peer "CORE1" id 21
enable mlag port 3:23 peer "CORE1" id 23
enable mlag port 3:24 peer "CORE1" id 24
enable mlag port 4:2 peer "CORE1" id 42
enable mlag port 7:2 peer "CORE1" id 72
enable sharing 4:1 grouping 4:1, 7:1 algorithm address-based L2
All other access switches are working without any issue.
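Added example, not part of any post in this thread: a Python sketch that ties the dos-protect log entries from the opening post to the sharing/MLAG configuration posted above, reporting which port the automatic ACL was installed on and what role that port has. The regexes assume log and config lines shaped exactly like those quoted in the thread; the function names are hypothetical.

```python
import re

# Patterns cover only the message and config shapes quoted in this thread.
THRESH = re.compile(r"Notify-threshold for L3 Protect packet count of (?P<count>\d+) reached")
ACL = re.compile(r"Added an ACL to port (?P<port>\d+:\d+), srcIP (?P<sip>\S+) "
                 r"to destIP (?P<dip>[\d.]+), protocol (?P<proto>\w+)")
SHARING = re.compile(r"enable sharing (?P<master>\d+:\d+) grouping (?P<members>[\d:, ]+?) algorithm")
MLAG = re.compile(r'enable mlag port (?P<port>\d+:\d+) peer "(?P<peer>[^"]+)" id (?P<id>\d+)')

def port_roles(config_lines):
    """Map each port to its role according to the sharing/MLAG config lines."""
    roles = {}
    for line in config_lines:
        if m := SHARING.search(line):
            for member in re.findall(r"\d+:\d+", m["members"]):
                roles[member] = f"sharing group {m['master']}"
        elif m := MLAG.search(line):
            roles[m["port"]] = f"mlag id {m['id']} peer {m['peer']}"
    return roles

def dos_protect_acls(log_lines, config_lines):
    """Return one record per ACL that dos-protect installed, with the port's role."""
    roles = port_roles(config_lines)
    threshold, found = None, []
    for line in log_lines:
        if m := THRESH.search(line):
            threshold = int(m["count"])  # remembered for the ACL line that follows
        elif m := ACL.search(line):
            found.append({"port": m["port"], "src": m["sip"], "dst": m["dip"],
                          "proto": m["proto"], "threshold": threshold,
                          "role": roles.get(m["port"], "no sharing/mlag role in config")})
    return found

# Sample input: lines copied from the posts in this thread (Core1 config subset).
LOG = [
    "MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached",
    "MSM-A: Added an ACL to port 4:1, srcIP 0.0.0.0 to destIP 10.72.50.100, protocol udp",
]
CONFIG = [
    'enable mlag port 3:4 peer "CORE2" id 4',
    'enable mlag port 4:2 peer "CORE2" id 42',
    "enable sharing 4:1 grouping 4:1, 7:1 algorithm address-based L2",
]

if __name__ == "__main__":
    for rec in dos_protect_acls(LOG, CONFIG):
        print(f"ACL on {rec['port']} ({rec['role']}): {rec['proto']} "
              f"{rec['src']} -> {rec['dst']}, threshold {rec['threshold']}")
```

On the thread's data the ACL sits on 4:1, a member of the 4:1/7:1 sharing group, rather than on 3:4 where the new switch is attached, and it matches UDP to 10.72.50.100.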
