Layer 2 Switching
This chapter describes how to identify and resolve problems that relate to Layer 2 switching and includes the following sections:
Information About Layer 2 Ethernet Switching
The Cisco Nexus1000V is a distributed Layer 2 virtual switch that extends across many virtualized hosts.
It consists of two components:
- The Virtual Supervisor Module (VSM), which is also known as the control plane (CP). The VSM acts as the supervisor and contains the Cisco CLI, configuration, and high-level features.
- The Virtual Ethernet Module (VEM), which is also known as the data plane (DP). The VEM acts as a line card and runs in each virtualized server to handle packet forwarding and other localized functions.
Port Model
This section includes the following topics:
Viewing Ports from the VEM
The Cisco Nexus1000V differentiates between virtual and physical ports on each of the VEMs. Figure 12-1 shows how ports on the Cisco Nexus1000V switch are bound to physical and virtual VMware ports within a VEM.
Figure 12-1 VEM View of Ports
On the virtual side of the switch, three layers of ports are mapped together:
- Virtual NICs—Three types of Virtual NICs are in VMware. The virtual NIC (vnic) is part of the VM and represents the physical port of the host that is plugged into the switch. The virtual kernel NIC (VTEP) is used by the hypervisor for management, VMotion, iSCSI, network file system (NFS), and other network access needed by the kernel. This interface carries the IP address of the hypervisor itself and is also bound to a virtual Ethernet port. The vswif (not shown) appears only in CoS-based systems and is used as the VMware management port. Each type maps to a virtual Ethernet port within the Cisco Nexus1000V.
- Virtual Ethernet Ports (VEth)—A vEth port is a port on the Cisco Nexus 1000V. The Cisco Nexus 1000V has a flat space of vEth ports 0..N. The virtual cable plugs into these vEth ports that are moved to the host running the VM.
Virtual Ethernet ports are assigned to port groups.
- Local Virtual Ethernet Ports (lveth)—Each host has a number of local vEth ports. These ports are dynamically selected for vEth ports that are needed on the host.
These local ports do not move and are addressable by the module/port number method.
On the physical side of the switch, from bottom to top, is the following:
- Each physical NIC in VMware is represented by an interface called a vmnic. The vmnic number is allocated during VMware installation, or when a new physical NIC is installed, and remains the same for the life of the host.
- Each uplink port on the host represents a physical interface. It acts like an lveth port, but because physical ports do not move between hosts, the mapping is 1:1 between an uplink port and a vmnic.
- Each physical port added to the Cisco Nexus1000V switch appears as a physical Ethernet port, just as it would on a hardware-based switch.
The uplink port concept is handled entirely by VMware and is used to associate port configuration with vmnics. There is no fixed relationship between the uplink number and vmnic number. These can be different on different hosts and can change throughout the life of the host. On the VSM, the Ethernet interface number, such as ethernet 2/4, is derived from the vmnic number, not the uplink number.
Viewing Ports from the VSM
Figure 12-2 shows the VSM view ports.
Figure 12-2 VSM View of Ports
Port Types
The following types of ports are available:
- vEths can be associated with any one of the following:
– VNICs of a Virtual Machine on the ESX host.
– VTEPs of the ESX Host
– VSWIFs of an ESX COS Host.
- Eths (physical Ethernet interfaces)—Correspond to the Physical NICs on the ESX host.
- Po (port channel interfaces)—The physical NICs of an ESX Host can be bundled into a logical interface. This logical bundle is referred to as a port channel interface.
For more information about Layer 2 switching, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide.
Layer 2 Switching Problems
This section describes how to troubleshoot Layer 2 problems and lists troubleshooting commands. This section includes the following topics:
Verifying a Connection Between VEM Ports
You can verify a connection between two vEth ports on a VEM.
Step 1 View the state of the VLANs associated with the port. If the VLAN associated with a port is not active, the port may be down. In this case, you must create the VLAN and activate it.
switch# show vlan v lan-id
Step 2 View the state of the ports on the VSM.
switch# show interface brief
Step 3 Display the ports that are present on the VEM, their local interface indices, VLAN, type (physical or virtual), port mode and port name.
switch# module vem module-number execute vemcmd show port
The key things to look for in the output are as follows:
- State of the port.
- CBL.
- Mode.
- Attached device name.
- The LTL of the port that you are trying to troubleshoot. It will help you to identify the interface quickly in other VEM commands where the interface name is not displayed.
- Make sure that the state of the port is up. If not, verify the configuration of the port on the VSM.
Step 4 View the VLANs and port lists on a particular VEM.
switch# module vem module-number execute vemcmd show bd
If you are trying to verify that a port belongs to a particular VLAN, make sure that you see the port name or LTL in the port list of that VLAN.
Verifying a Connection Between VEMs
You can verify a connection between vEth ports on two separate VEMs.
Step 1 Check if the VLAN associated with the port is created on the VSM.
switch# show vlan
Step 2 Check if the ports are up in the VSM.
switch# show interface brief
Step 3 On the VEM, check if the CBL state of the two ports is set to the value of 1 for forwarding (active).
switch# module vem 3 execute vemcmd show port
Step 4 On the VEM, check if the two vEth ports are listed in the flood list of the VLAN with which they are trying to communicate.
switch# module vem 3 execute vemcmd show bd
Step 5 Verify that the uplink switch to which the VEMs are connected is carrying the VLAN to which the ports belong.
Step 6 Find out the port on the upstream switch to which the PNIC (that is supposed to be carrying the VLAN) on the VEM is connected to.
switch# s how cdp neighbors
Example :
switch#
show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
V - VoIP-Phone, D - Remotely-Managed-Device,
Device ID Local Intrfce Hldtme Capability Platform Port ID
swordfish-6k-2 Eth5/2 168 R S I WS-C6506-E Gig1/38
The PNIC (Eth 5/2) is connected to swordfish-6k-2 on port Gig1/38.
Step 7 Log in to the upstream switch and make sure that the port is configured to allow the VLAN that you are looking for.
switch
# show running-config interface gigabitEthernet 1/38
Building configuration...
Current configuration : 161 bytes
interface GigabitEthernet1/38
description Srvr-100:vmnic1
switchport trunk allowed vlan 1,60-69,231-233
As this output shows, VLANs 1,60-69, 231-233 are allowed on the port. If a particular VLAN is not in the allowed VLAN list, make sure to add it to the allowed VLAN list of the port.
Isolating Traffic Interruptions
You can isolate the cause for no traffic passing across VMs on different VEMs.
Step 1 In the output of the show port-profile name command, verify the following information:
- The control and packet VLANs that you configured are present (in the example, these are 3002 and 3003).
- If the physical NIC in your configuration carries the VLAN for the VM, that VLAN is also present in the allowed VLAN list.
switch# show port-profile name alluplink
switchport trunk allowed vlan 1,80,3002,610,620,630-650
evaluated config attributes:
switchport trunk allowed vlan 1,80,3002,3003,610,620,630-650
Step 2 Inside the VM, verify that the Ethernet interface is up.
ifconfig –a
If not, delete that NIC from the VM, and add another NIC.
Step 3 Using any sniffer tool, verify that ARP requests and responses are received on the VM interface.
Step 4 On the upstream switch, look for the association between the IP and MAC address:
debug arp
show arp
ARP packet debugging is on
11w4d: RARP: Rcvd RARP req for 0050.56b7.3031
11w4d: RARP: Rcvd RARP req for 0050.56b7.3031
11w4d: RARP: Rcvd RARP req for 0050.56b7.4d35
11w4d: RARP: Rcvd RARP req for 0050.56b7.52f4
11w4d: IP ARP: rcvd req src 10.78.1.123 0050.564f.3586, dst 10.78.1.24 Vlan3002
11w4d: RARP: Rcvd RARP req for 0050.56b7.3031
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.78.1.72 - 001a.6464.2008 ARPA
Internet 7.114.1.100 - 0011.bcac.6c00 ARPA Vlan140
Internet 41.0.0.1 - 0011.bcac.6c00 ARPA Vlan410
Internet 7.61.5.1 - 0011.bcac.6c00 ARPA Vlan1161
Internet 10.78.1.5 - 0011.bcac.6c00 ARPA Vlan3002
Internet 7.70.1.1 - 0011.bcac.6c00 ARPA Vlan700
Internet 7.70.3.1 - 0011.bcac.6c00 ARPA Vlan703
Internet 7.70.4.1 - 0011.bcac.6c00 ARPA Vlan704
Internet 10.78.1.1 0 0011.bc7c.9c0a ARPA Vlan3002
Internet 10.78.1.15 0 0050.56b7.52f4 ARPA Vlan3002
Internet 10.78.1.123 0 0050.564f.3586 ARPA Vlan3002
Step 5 You have completed this procedure.
Layer 2 Switching Troubleshooting Commands
You can use the commands in this section to troubleshoot problems related to the Layer 2 MAC address configuration.
|
|
show mac address-table |
Displays the MAC address table to verify all MAC addresses on all VEMs controlled by the VSM. See Example 12-1 on page 12-8 . |
show mac address-table module module-number |
Displays all the MAC addresses on the specified VEM. |
show mac address-table static HHHH.WWWW.HHHH |
Displays the MAC address table static entries. See Example 12-2 on page 12-9 . |
show mac address-table address HHHH.WWWW.HHHH |
Displays the interface on which the MAC address specified is learned or configured.
- For dynamic MAC addresses, if the same MAC address appears on multiple interfaces, each of them is displayed separately.
- For static MAC addresses, if the same MAC address appears on multiple interfaces, only the entry on the configured interface is displayed.
|
show mac address-table static | inc veth |
Displays the static MAC address of vEthernet interfaces in case a VEM physical port learns a dynamic MAC addrress and the packet source is in another VEM on the same VSM. See Example 12-3 on page 12-9 . |
show running-config vlan vlan-id |
Displays VLAN information in the running configuration. |
show vlan [ all-ports | brief | id vlan-id | name name | dot1q tag native ] |
Displays VLAN information as specified. See Example 12-4 on page 12-9 . |
show vlan summary |
Displays a summary of VLAN information. |
show interface brief |
Displays a table of interface states. See Example 12-5 on page 12-10 . |
module vem module-numbe r execute vemcmd show port |
On the VEM, displays the port state on a particular VEM. This command can only be used from the VEM. See Example 12-6 on page 12-10 . |
module vem module-numbe r execute vemcmd show bd |
For the specified VEM, displays its VLANs and their port lists. See Example 12-7 on page 12-11 . |
module vem module-number execute vemcmd show trunk |
For the specified VEM, displays the VLAN state on a trunk port.
- If a VLAN is forwarding (active) on a port, its CBL state should be 1.
- If a VLAN is blocked, its CBL state is 0.
See Example 12-8 on page 12-11 . |
module vem module-number execute vemcmd show l2 vlan-id |
For the specified VEM, displays the VLAN forwarding table for a specified VLAN. See Example 12-9 on page 12-11 . |
show interface interface_id mac |
Displays the MAC addresses and the burn-in MAC address for an interface. |
Example 12-1 show mac address-table Command
Note The Cisco Nexus 1000V MAC address table does not display multicast MAC addresses.
Tip The “Module” indicates the VEM on which this MAC address is seen.
The “N1KV Internal Port” refers to an internal port created on the VEM. This port is used for control and management of the VEM and is not used for forwarding packets.
switch# show mac address-table
VLAN MAC Address Type Age Port Module
---------+-----------------+-------+---------+------------------------------+---------
1 0002.3d11.5502 static 0 N1KV Internal Port 3
1 0002.3d21.5500 static 0 N1KV Internal Port 3
1 0002.3d21.5502 static 0 N1KV Internal Port 3
1 0002.3d31.5502 static 0 N1KV Internal Port 3
1 0002.3d41.5502 static 0 N1KV Internal Port 3
1 0002.3d61.5500 static 0 N1KV Internal Port 3
1 0002.3d61.5502 static 0 N1KV Internal Port 3
1 0002.3d81.5502 static 0 N1KV Internal Port 3
3 12ab.47dd.ff89 static 0 Eth3/3 3
342 0002.3d41.5502 static 0 N1KV Internal Port 3
342 0050.568d.5a3f dynamic 0 Eth3/3 3
343 0002.3d21.5502 static 0 N1KV Internal Port 3
343 0050.568d.2aa0 dynamic 9 Eth3/3 3
Example 12-2 show mac address-table address Command
Tip This command shows all interfaces on which a MAC is learned dynamically.
In this example, the same MAC appears on Eth3/3 and Eth4/3.
switch# show mac address-table address 0050.568d.5a3f
VLAN MAC Address Type Age Port Module
---------+-----------------+-------+---------+------------------------------+---------
342 0050.568d.5a3f dynamic 0 Eth3/3 3
342 0050.568d.5a3f dynamic 0 Eth4/3 4
Total MAC Addresses: 1
Example 12-3 show mac address-table static | inc veth Command
switch# show mac address-table static | inc veth
460 0050.5678.ed16 static 0 Veth2 3
460 0050.567b.1864 static 0 Veth1 4
Example 12-4 show vlan Command
Tip This command shows the state of each VLAN created on the VSM.
---- -------------------------------- --------- -------------------------------
1 default active Eth3/3, Eth3/4, Eth4/2, Eth4/3
---- -------------------------------- --------- -------------------------------
---- -------------------------------- --------- -------------------------------
-------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
Example 12-5 show interface brief Command
switch# show interface brief
--------------------------------------------------------------------------------
Port VRF Status IP Address Speed MTU
--------------------------------------------------------------------------------
mgmt0 -- up 172.23.232.143 1000 1500
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
--------------------------------------------------------------------------------
Eth3/4 1 eth trunk up none 1000(D) --
Eth4/2 1 eth trunk up none 1000(D) --
Eth4/3 1 eth trunk up none 1000(D) --
Example 12-6 module vem module- number execute vemcmd show port Command
Tip Look for the state of the port.
~ # module vem 3 execute vemcmd show port
LTL IfIndex Vlan Bndl SG_ID Pinned_SGID Type Admin State CBL Mode Name
8 0 3969 0 2 2 VIRT UP UP 1 Access l20
9 0 3969 0 2 2 VIRT UP UP 1 Access l21
10 0 115 0 2 0 VIRT UP UP 1 Access l22
11 0 3968 0 2 2 VIRT UP UP 1 Access l23
12 0 116 0 2 0 VIRT UP UP 1 Access l24
13 0 1 0 2 2 VIRT UP UP 0 Access l25
14 0 3967 0 2 2 VIRT UP UP 1 Access l26
16 1a030100 1 T 0 0 2 PHYS UP UP 1 Trunk vmnic1
17 1a030200 1 T 0 2 2 PHYS UP UP 1 Trunk vmnic2
Example 12-7 module vem module-numbe r execute vemcmd show bd Command
Tip If a port belongs to a particular VLAN, the port name or LTL should be in the port list for the VLAN.
~ # module vem 5 execute vemcmd show bd
Number of valid BDS: 8
BD 1, vdc 1, vlan 1, 2 ports
Portlist:
16 vmnic1
17 vmnic2
BD 100, vdc 1, vlan 100, 0 ports
Portlist:
BD 110, vdc 1, vlan 110, 1 ports
Portlist:
16 vmnic1
BD 111, vdc 1, vlan 111, 1 ports
Portlist:
16 vmnic1
BD 112, vdc 1, vlan 112, 1 ports
Portlist:
16 vmnic1
BD 113, vdc 1, vlan 113, 1 ports
Portlist:
16 vmnic1
BD 114, vdc 1, vlan 114, 1 ports
Portlist:
16 vmnic1
BD 115, vdc 1, vlan 115, 2 ports
Portlist:
10 l22
16 vmnic1
Example 12-8 module vem module-number execute vemcmd show trunk Command
Tip If a VLAN is active on a port, its CBL state should be 1.
If a VLAN is blocked, its CBL state is 0.
~ # module vem 5 execute vemcmd show trunk
Trunk port 16 native_vlan 1 CBL 1
vlan(1) cbl 1, vlan(110) cbl 1, vlan(111) cbl 1, vlan(112) cbl 1, vlan(113) cbl 1, vlan(114) cbl 1,vlan(115) cbl 1, vlan(116) cbl 1, vlan(117) cbl 1, vlan(118) cbl 1, vlan(119) cbl 1,
Trunk port 17 native_vlan 1 CBL 0
vlan(1) cbl 1, vlan(117) cbl 1,
Example 12-9 module vem module-number execute vemcmd show l2 Command
~ # module vem 5 execute vemcmd show l2
Bridge domain 115 brtmax 1024, brtcnt 2, timeout 300
Dynamic MAC 00:50:56:bb:49:d9 LTL 16 timeout 0
Dynamic MAC 00:02:3d:42:e3:03 LTL 10 timeout 0
Troubleshooting Microsoft NLB Unicast Mode
Microsoft Network Load Balancing (MS-NLB) is a clustering technology offered by Microsoft as part of the Windows server operating systems. Clustering enables a group of independent servers to be managed as a single system for higher availability, easier manageability, and greater scalability.
For more information about Microsoft Network Load Balancing, see this URL:
http://technet.microsoft.com/en-us/library/bb742455.aspx
Note Access to third-party websites identified in this document is provided solely as a courtesy to customers and others. Cisco Systems, Inc. and its affiliates are not in any way responsible or liable for the functioning of any third-party website, or the download, performance, quality, functioning, or support of any software program or other item accessed through the website, or any damages, repairs, corrections, or costs arising out of any use of the website or any software program or other item accessed through the website. Cisco's End User License Agreement does not apply to the terms and conditions of use of a third-party website or any software program or other item accessed through the website.
Limitations and Restrictions
A syslog is generated if one of the following configurations exists when you try to disable automatic static MAC learning for MS-NLB because they do not support this feature:
- PVLAN port
- Ports configured with unknown unicast flood blocking (UUFB)
- Ports configured with switchport port-security mac-address sticky
Disabling Automatic Static MAC Learning on a vEthernet Interface
You must disable automatic static MAC learning before you can successfully configure NLB on a vEthernet (vEth) interface.
In interface configuration mode enter the following commands:
switch(config)# int veth 1
switch(config-if)# no mac auto-static-learn
In port profile configuration mode enter the following commands:
switch(config)# port-profile type vethernet ms-nlb
switch(config-port-prof)# no mac auto-static-learn
Checking Status on a VSM
If the NLB unicast mode configuration does not function, check the status of the Virtual Supervisor Module (VSM).
Confirm that the no mac auto-static-learn command is listed in the vEth and/or port profile configurations.
Step 1 In interface configuration mode, generate the VSM status.
switch(config-if)# show running-config int veth1
inherit port-profile vm59
description Fedora117, Network Adapter 2
vmware dvport 32 dvswitch uuid "ea 5c 3b 50 cd 00 9f 55-41 a3 2d 61 84 9e 0e c4"
Step 2 In port profile configuration mode, generate the VSM status.
switch(config-if)# show running-config port-profile ms-nlb
port-profile type vethernet ms-nlb
switchport access vlan 59
Checking the Status on a VEM
If the NLB unicast mode configuration does not function, check the status of the Virtual Ethernet Module (VEM). Check the following:
- Confirm that the MS-NLB vEths are disabled.
- Confirm that the MS-NLB shared-MAC (starting with 02:BF) is not listed in the Layer 2 (L2) MAC table.
Step 1 Generate the VEM status.
~ # vemcmd show port auto-smac-learning
LTL VSM Port Auto Static MAC Learning
Step 2 Generate the Layer 2 MAC address table for VLAN 59.
Bridge domain 15 brtmax 4096, brtcnt 6, timeout 300
VLAN 59, swbd 59, ""
Flags: P - PVLAN S - Secure D - Drop
Type MAC Address LTL timeout Flags PVLAN
Dynamic 00:15:5d:b4:d7:02 305 4
Dynamic 00:15:5d:b4:d7:04 305 25
Dynamic 00:50:56:b3:00:96 51 4
Dynamic 00:50:56:b3:00:94 305 5
Dynamic 00:0b:45:b6:e4:00 305 5
Dynamic 00:00:5e:00:01:0a 51 0
Configuring MS NLB for Multiple VM NICs in the Same Subnet
When MS NLB VMs have more than one port on the same subnet, a request is flooded, which causes both ports to receive it. The server cannot manage this situation.
As a workaround for this situation, enable Unknown Unicast Flood Blocking (UUFB).
Enabling UUFB
To enable UUFB, enter these configuration commands, one on each line. At the end, press Cntl-Z.
switch# configure terminal
switch (config)# uufb enable
This configuration conceals the requests from the non-NLB ports and allows the system to function as it expected.
Disabling UUFB for VMs That Use Dynamic MAC Addresses
Issues might occur for VMs that use dynamic MAC addresses, other than those MAC addresses assigned by VMware. For ports that host these types of VMs, disable UUFB. To disable UUFB, enter the following commands:
switch(config)# int veth3
switch(config-if)# switchport uufb disable
Troubleshooting BPDU Guard
BPDU Guard is one of the Spanning Tree Protocol (STP) enhancements. This feature enhances switch network reliability, manageability, and security. It prevent loops and broadcast radiation. We recommend that you enable BPDU guard on access ports so that any end user devices on these ports that have BPDU guard enabled cannot influence the topology. Any malfunctioning device connected to a virtual Ethernet port can flood the Layer 2 network with unwanted BPDUs and causes STP to break down. When you enable BPDU guard on the access-ports, it shuts down the port in the event that it receives a BPDU. To bring up a port disabled by BDPU guard, you must remove the device from the network and then restart the port by entering the shut/no shut command.
BPDU Guard Troubleshooting Commands
You can use the commands in this section to troubleshoot problems related to the Layer 2 MAC address configuration.
Example 12-10 show switch edition Command
switch(config)# show switch edition
Switch Edition: ADVANCED (3.0)
Name State Licensed In version
--------------------------------------------------------
Dynamic 00:00:5e:00:01:0a 51 0
Example 12-11 show spanning-tree bpduguard info Command
switch(config)# show spanning-tree bpduguard info
Global spanning-tree bpduguard status: Enabled
Example 12-12 show run interface name Command
switch(config-if)# show run interface veth77
description fedora20-i386-70, Network Adapter 2
spanning-tree bpduguard enable
Example 12-13 show interface virtual spanning-tree bpduguard status Command
switch(config)# show interface virtual spanning-tree bpduguard status
Example 12-14 show system internal cdm info port-profile name Command
switch(config-if)# show system internal cdm info port-profile name vm
spanning-tree bpduguard enable
switchport access vlan 59
Example 12-15 show system internal cdm info interface name Command
switch(config-if)# show system internal cdm info interface vethernet 77
spanning-tree bpduguard enable
Example 12-16 vemcmd show card Command
Card UUID type 2: 35958c78-bce9-11e0-bd1d-30e4dbc2c276
Global BPDU Guard: Disabled
Example 12-17 vemcmd show port bpdugard Command
switch# vemcmd show port bpduguard
~ # vemlog debug sfport_orch all
~ # echo "debug sfcdmagent all" > /tmp/dpafifo
~ # echo "debug sfportagent all" > /tmp/dpafifo
# vemlog debug sflayer2 all
~ # echo "debug sfportagent all" > /tmp/dpafifo