Johan_Finland
Advisor

5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi !

Have 2 x 5120 (latest sw) as core switches and an ASA 5510 (8.2.5) that handles all VLAN routing (have had ProCurve switches before in core without any problems).

Between VLANs there is very bad performance, it is very slow; if I do an ICMP between two hosts in either VLAN it gives 10-15 ms.

Between the two 5120 switches I have a 10 GB fiber connection (not stacking), and also if I try there to do an ICMP between two hosts on the same VLAN (except Def VLAN), but one host is on one 5120 switch and the other one on the other 5120 switch, then ICMP times are about 5 ms.

If I have the port going to the ASA 5510 set as "trunk" in the 5120 switch then Def VLAN is also "slow", but if I have it set to "hybrid" then Def VLAN acts "normal", i.e. under 1 ms.

So hybrid mode is better but still not good.

Everything was working well with ProCurve 2520 as core switches, but since we need 10 GB between two places (50 m apart) I was going for the 5120 switch.

Also some devices that I try to connect to the 5120 switch do not connect at all, for ex. a Dell laptop only shows "not connected"; have tried different speeds and duplex but nothing helps, at least 3 other devices I need to connect to this switch behave the same way.

But the most urgent thing is these delays between (and inter) VLAN.

I have no "features" enabled, no Spanning Tree or whatsoever, just normal VLAN.

Does anyone have any idea?

HP Support has not helped much except that maybe we could try to change the switches, since not even an upgrade of SW helped.

I'm a little bit in panic since all systems are now working so slowly....

In the ASA 5510 there is not so much more I can change, or could MTU size be a problem?

 

Any help please....

 

/Johan

21 REPLIES
sdide
Respected Contributor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi Johan,

 

you write:

"Between the two 5120 switches I have a 10 GB fiber connection (not stacking), and also if I try there to do an ICMP between two hosts on the same VLAN (except Def VLAN), but one host is on one 5120 switch and the other one on the other 5120 switch, then ICMP times are about 5 ms."

 

This makes me think your 10GBit/s link is somehow broken. First thing is to check the 10Gbit/s interface for errors and traffic. And could you post the configuration of both the 10G interfaces.

 

eg.

] display interface <ten-gig interfacenum>

] display curr interface <ten-gig-interfacenum>

 

on both the 5120s.

 

Regards

 

 

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi !

 

Here are the printouts you requested:

That may be the problem; I have not been able to test ICMP from all the different VLANs on both switches because I don't have devices connected on the 5120-48G that belong to all the different VLANs, mostly only Def VLAN.

But it could confirm it, because if I do ICMP from the 5120-24G switch to some device connected on the same switch and same VLAN (i.e. it does not have to go via firewall/10G trunk) then there are no delays, and also if it is the same VLAN and one device is on the 5120-24G switch and the other device is on a ProCurve switch connected to port 23 and/or 24 on this switch then it also behaves normally.

I was actually talking to HP support a couple of hours ago and they have now decided to send a new switch to see if that fixes the problem; if not, they will start investigating the 10G SFP and the module in both 5120 switches to see if they can have some problem.

But they seem to be confident that the "main" 48G switch is the problem and probably has some hardware failure.

But during my 20 years in IT it has never happened that a problem like this has been fixed with an exchange of the switch; the problems have always been on the software side and "bugs", but I just have to be optimistic and hope it will solve the issue. But that I will know on Friday when I change the switch.

But still, if you/someone have some "other" ideas, please feel free to let me know and I will test it.

Below are the printouts:

 

5120-48G (ASA firewall connected on port 46, and 10G "trunk" on Ten gig 1/1/1)

 


<mhcore-1>display interface ten-gig 1/1/1
Ten-GigabitEthernet1/1/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: d07e-28c6-47b8
Description: Ten-GigabitEthernet1/1/1 Interface
Loopback is not set
Media type is optical fiber,Port hardware type is 10G_BASE_LR_SFP
10Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is force link
Flow-control is not enabled
The Maximum Frame Length is 9216
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Port link-type: hybrid
Tagged VLAN ID : 2-6, 10
Untagged VLAN ID : 1
Port priority: 0
Last clearing of counters: Never
Peak value of input: 8995783 bytes/sec, at 2000-05-05 16:21:48
Peak value of output: 9134564 bytes/sec, at 2000-05-05 16:21:48
Last 300 seconds input: 176 packets/sec 57385 bytes/sec 0%
Last 300 seconds output: 187 packets/sec 80871 bytes/sec 0%
---- More ---- Input (total): 18802099 packets, 16119924624 bytes
---- More ---- 18743100 unicasts, 24814 broadcasts, 34185 multicasts, 0 pauses
---- More ---- Input (normal): 18802099 packets, - bytes
---- More ---- 18743100 unicasts, 24814 broadcasts, 34185 multicasts, 0 pauses
---- More ---- Input: 0 input errors, 0 runts, 0 giants, 0 throttles
---- More ---- 0 CRC, 0 frame, - overruns, 0 aborts
---- More ---- - ignored, - parity errors
---- More ---- Output (total): 19094166 packets, 16788701656 bytes
---- More ---- 19034100 unicasts, 40313 broadcasts, 19753 multicasts, 0 pauses
---- More ---- Output (normal): 19094166 packets, - bytes
---- More ---- 19034100 unicasts, 40313 broadcasts, 19753 multicasts, 0 pauses
---- More ---- Output: 0 output errors, - underruns, - buffer failures
---- More ---- 0 aborts, 0 deferred, 0 collisions, 0 late collisions
---- More ---- 0 lost carrier, - no carrier
---- More ----
<mhcore-1>
<mhcore-1>display curr interface
#
interface NULL0
#
interface Vlan-interface1
ip address .x.x.x.x 255.255.255.224
#
interface GigabitEthernet1/0/1
port access vlan 6
#
interface GigabitEthernet1/0/2
port access vlan 6
#
interface GigabitEthernet1/0/3
port access vlan 6
#
interface GigabitEthernet1/0/4
port access vlan 6
#
interface GigabitEthernet1/0/5
port access vlan 6
#
interface GigabitEthernet1/0/6
port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/7
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/8
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/9
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/10
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/11
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/12
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/13
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/14
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/15
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/16
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/17
---- More ---- #
---- More ---- interface GigabitEthernet1/0/18
---- More ---- #
---- More ---- interface GigabitEthernet1/0/19
---- More ---- #
---- More ---- interface GigabitEthernet1/0/20
---- More ---- #
---- More ---- interface GigabitEthernet1/0/21
---- More ---- #
---- More ---- interface GigabitEthernet1/0/22
---- More ---- #
---- More ---- interface GigabitEthernet1/0/23
---- More ---- #
---- More ---- interface GigabitEthernet1/0/24
---- More ---- #
---- More ---- interface GigabitEthernet1/0/25
---- More ---- #
---- More ---- interface GigabitEthernet1/0/26
---- More ---- #
---- More ---- interface GigabitEthernet1/0/27
---- More ---- #
---- More ---- interface GigabitEthernet1/0/28
---- More ---- #
---- More ---- interface GigabitEthernet1/0/29
---- More ---- #
---- More ---- interface GigabitEthernet1/0/30
---- More ---- #
---- More ---- interface GigabitEthernet1/0/31
---- More ---- #
---- More ---- interface GigabitEthernet1/0/32
---- More ---- #
---- More ---- interface GigabitEthernet1/0/33
---- More ---- #
---- More ---- interface GigabitEthernet1/0/34
---- More ---- port access vlan 6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/35
---- More ---- #
---- More ---- interface GigabitEthernet1/0/36
---- More ---- port access vlan 3
---- More ---- #
---- More ---- interface GigabitEthernet1/0/37
---- More ---- port access vlan 3
---- More ---- #
---- More ---- interface GigabitEthernet1/0/38
---- More ---- port access vlan 3
---- More ---- #
---- More ---- interface GigabitEthernet1/0/39
---- More ---- port access vlan 5
---- More ---- #
---- More ---- interface GigabitEthernet1/0/40
---- More ---- #
---- More ---- interface GigabitEthernet1/0/41
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 5 to 6 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- poe enable
---- More ---- #
---- More ---- interface GigabitEthernet1/0/42
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 5 to 6 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- poe enable
---- More ---- #
---- More ---- interface GigabitEthernet1/0/43
---- More ---- #
---- More ---- interface GigabitEthernet1/0/44
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 5 to 6 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- poe enable
---- More ---- #
---- More ---- interface GigabitEthernet1/0/45
---- More ---- #
---- More ---- interface GigabitEthernet1/0/46
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface GigabitEthernet1/0/47
---- More ---- port access vlan 3
---- More ---- #
---- More ---- interface GigabitEthernet1/0/48
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/49
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/50
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface GigabitEthernet1/0/51
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/52
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface Ten-GigabitEthernet1/1/1
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface Ten-GigabitEthernet1/1/2
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- return
<mhcore-1>

 

5120-24G (10 Gig "trunk" on 10 Gig 1/1/1):

 


<mh-core2>display interface ten-gig 1/1/1
Ten-GigabitEthernet1/1/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 4431-92e6-735c
Description: Ten-GigabitEthernet1/1/1 Interface
Loopback is not set
Media type is optical fiber,Port hardware type is 10G_BASE_LR_SFP
10Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is force link
Flow-control is not enabled
The Maximum Frame Length is 9216
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Port link-type: hybrid
Tagged VLAN ID : 2-6, 10
Untagged VLAN ID : 1
Port priority: 0
Last clearing of counters: Never
Peak value of input: 12234612 bytes/sec, at 2000-05-08 03:21:45
Peak value of output: 12247904 bytes/sec, at 2000-05-08 03:25:15
Last 300 seconds input: 74 packets/sec 35107 bytes/sec 0%
Last 300 seconds output: 66 packets/sec 19892 bytes/sec 0%
---- More ---- Input (total): 76510027 packets, 73712639811 bytes
---- More ---- 76349096 unicasts, 97829 broadcasts, 38082 multicasts, 0 pauses
---- More ---- Input (normal): 76485007 packets, - bytes
---- More ---- 76349096 unicasts, 97829 broadcasts, 38082 multicasts, 0 pauses
---- More ---- Input: 0 input errors, 0 runts, 0 giants, 0 throttles
---- More ---- 0 CRC, 0 frame, - overruns, 0 aborts
---- More ---- - ignored, - parity errors
---- More ---- Output (total): 76496054 packets, 73132733248 bytes
---- More ---- 76091833 unicasts, 312621 broadcasts, 91600 multicasts, 0 pauses
---- More ---- Output (normal): 76496054 packets, - bytes
---- More ---- 76091833 unicasts, 312621 broadcasts, 91600 multicasts, 0 pauses
---- More ---- Output: 0 output errors, - underruns, - buffer failures
---- More ---- 0 aborts, 0 deferred, 0 collisions, 0 late collisions
---- More ---- 0 lost carrier, - no carrier
---- More ----
<mh-core2>
<mh-core2>display curr interface
#
interface NULL0
#
interface Vlan-interface1
ip address x.x.x.x.x 255.255.255.224
#
interface GigabitEthernet1/0/1
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/2
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/3
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/4
port access vlan 3
#
interface GigabitEthernet1/0/5
#
---- More ---- interface GigabitEthernet1/0/6
---- More ---- #
---- More ---- interface GigabitEthernet1/0/7
---- More ---- #
---- More ---- interface GigabitEthernet1/0/8
---- More ---- #
---- More ---- interface GigabitEthernet1/0/9
---- More ---- #
---- More ---- interface GigabitEthernet1/0/10
---- More ---- #
---- More ---- interface GigabitEthernet1/0/11
---- More ---- #
---- More ---- interface GigabitEthernet1/0/12
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 5 to 6 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- poe enable
---- More ---- #
---- More ---- interface GigabitEthernet1/0/13
---- More ---- port access vlan 10
---- More ---- #
---- More ---- interface GigabitEthernet1/0/14
---- More ---- port access vlan 10
---- More ---- #
---- More ---- interface GigabitEthernet1/0/15
---- More ---- port access vlan 10
---- More ---- #
---- More ---- interface GigabitEthernet1/0/16
---- More ---- port access vlan 10
---- More ---- #
---- More ---- interface GigabitEthernet1/0/17
---- More ---- #
---- More ---- interface GigabitEthernet1/0/18
---- More ---- #
---- More ---- interface GigabitEthernet1/0/19
---- More ---- #
---- More ---- interface GigabitEthernet1/0/20
---- More ---- #
---- More ---- interface GigabitEthernet1/0/21
---- More ---- #
---- More ---- interface GigabitEthernet1/0/22
---- More ---- #
---- More ---- interface GigabitEthernet1/0/23
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface GigabitEthernet1/0/24
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface GigabitEthernet1/0/25
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/26
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/27
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface GigabitEthernet1/0/28
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- shutdown
---- More ---- #
---- More ---- interface Ten-GigabitEthernet1/1/1
---- More ---- port link-type hybrid
---- More ---- port hybrid vlan 2 to 6 10 tagged
---- More ---- port hybrid vlan 1 untagged
---- More ---- #
---- More ---- interface Ten-GigabitEthernet1/1/2
---- More ---- port link-type trunk
---- More ---- port trunk permit vlan 1
---- More ---- #
---- More ---- return
<mh-core2>
<mh-core2>

 

 

/Johan
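
Added example, not part of the original thread: a Python sketch of the check requested earlier, parsing `display interface` output from both ends of the link (pager prompts included) and listing non-zero error counters and tagging mismatches. The sample text is constructed in the layout of the printouts above; the host labels and function names are assumptions.

```python
import re

PAGER = re.compile(r"^\s*-+ More -+\s*")   # pager prompt left in pasted output
HEAD = re.compile(r"(Input|Output)(?: \((\w+)\))?:\s*(.*)")
PAIR = re.compile(r"(\d+|-) ([A-Za-z][A-Za-z ]*?)(?:,|$)")

# Constructed sample in the layout of the printouts above (values are made up).
SIDE_A = """\
Ten-GigabitEthernet1/1/1 current state: UP
The Maximum Frame Length is 9216
PVID: 1
Port link-type: hybrid
Tagged VLAN ID : 2-6, 10
Untagged VLAN ID : 1
---- More ---- Input (total): 1000 packets, 64000 bytes
---- More ---- 990 unicasts, 6 broadcasts, 4 multicasts, 0 pauses
---- More ---- Input: 0 input errors, 0 runts, 0 giants, 0 throttles
---- More ---- 0 CRC, 0 frame, - overruns, 0 aborts
---- More ---- Output: 0 output errors, - underruns, - buffer failures
---- More ---- 0 aborts, 0 deferred, 0 collisions, 0 late collisions
---- More ----
"""
# Constructed far end: VLAN 6 missing from the tagged list, CRC errors on input.
SIDE_B = (SIDE_A.replace("2-6, 10", "2-5, 10")
          .replace("0 input errors", "37 input errors").replace("0 CRC", "37 CRC"))

def expand_vlans(spec):
    """Turn '2-6, 10' into {2, 3, 4, 5, 6, 10}."""
    vlans = set()
    for part in spec.replace(",", " ").split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_display_interface(text, host):
    info, section = {"host": host, "errors": {}}, None
    for raw in text.splitlines():
        line = PAGER.sub("", raw).strip()
        head = HEAD.match(line)
        if head:
            # Only the plain "Input:" / "Output:" blocks carry error counters.
            section = None if head.group(2) else head.group(1).lower()
            line = head.group(3)
        elif ":" in line:
            section = None
            key, _, value = line.partition(":")
            key, value = " ".join(key.split()), value.strip()
            if key.endswith("current state"):
                info["name"], info["state"] = key.split()[0], value
            elif key == "PVID":
                info["pvid"] = int(value)
            elif key == "Port link-type":
                info["link_type"] = value
            elif key in ("Tagged VLAN ID", "Untagged VLAN ID"):
                info[key.split()[0].lower()] = expand_vlans(value)
            continue
        elif line.startswith("The Maximum Frame Length is"):
            info["max_frame"] = int(line.split()[-1])
            continue
        if section:
            for value, name in PAIR.findall(line):
                if value != "-":            # "-" means the counter is not reported
                    info["errors"][f"{section}/{name}"] = int(value)
    return info

def link_findings(a, b):
    """Non-zero error counters per end, then settings that differ between ends."""
    findings = [f"{s['host']}: {k} = {v}"
                for s in (a, b) for k, v in sorted(s["errors"].items()) if v]
    for key in ("state", "link_type", "pvid", "max_frame"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for key in ("tagged", "untagged"):
        diff = sorted(a.get(key, set()) ^ b.get(key, set()))
        if diff:
            findings.append(f"{key} VLANs on one end only: {diff}")
    return findings

if __name__ == "__main__":
    ends = [parse_display_interface(SIDE_A, "core-1"),
            parse_display_interface(SIDE_B, "core-2")]
    print("\n".join(link_findings(*ends)) or "no findings")
```
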

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Now the switch has been changed and exactly as I expected, still the same problem.....

Maybe one small issue was fixed (had a computer that did not get connected at all and that now works).

But still there is long response time, and now I have also tested internal communication within the switch between devices connected on the same VLAN on this 48 port switch and there are delays even then.

So this is not only a fiber / fiber module issue, it is something else. Now also all communication on Default VLAN is slow again (exact same configuration moved to new switch), i.e. from 1-8 ms.

Now I must say that I'm frustrated and have no clue where these problems are coming from.

Does someone have some idea what to try? I will attach the config for someone "wise" to look at, in case I have some settings somewhere that are wrong.

 

/Johan

jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

I think I understand the topology, but I'm not sure.

Can you post the result of "display lldp ..." and which port the ASA is connected to.

You could also enable spanning tree and post the result, or maybe put the two switches in IRF.

Do you lose any packets or do you only experience higher latency than usual?

 

J.

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

I will post the lldp later today when I'm able to access the switches.
But one question, what good does it do to enable IRF and STP? There are 10 switches in total, 2 of them are 5120 switches and the rest different ProCurve models, and there is no way possible that there should exist any loops, in theory yes but not in reality, because the only place where that could be possible is between the two 5120 switches, because there is a CAT6 cable going alongside the fiber cable but that is not in use, since I have myself built this network and connected all devices/switches and no one else is doing any changes without consulting me first.

Or could STP do something other "good stuff" than just prohibit loops?
And how about IRF, what will that do except stack them together and make administration easier? Or does IRF also have something else that brings "good stuff" to the functionality?

I just ask these questions because I don't have so much experience with the functions, so I just try to understand why they should be used.

But I will come back later today with lldp info.

/Johan
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

And no, I don't lose any packets, only high latency 3-15 ms when pinging, between some devices less and between others higher; often it is higher when trying between different VLANs.


/johan
jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

I'm also new to Comware and the whole IRF thing, but after setting up 2 x 5900 in IRF the other day, config and monitoring became much easier. That's why I suggested IRF. STP gives a good picture of the topology.

I have a lot of experience with the ProVision based switches and Cisco ASA series. I have seen this behavior earlier, but it's a good start to rule out different kinds of loops.

If you have two devices connected to one of the Comware switches or both, do you have high latency between these nodes?

 

J.

 

 

 

 

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi !

Attached is the lldp info from both switches; ASA is connected on port 46 on core 1 switch.

Now it seems that if I ping something within the same VLAN then it is pretty normal response time, i.e. <1 ms.

But as soon as I ping something (from a device connected on either switch) and it needs to go to/via the ASA firewall then the latency gets bigger, also if I ping the VLAN's GW address that is on the ASA.

So it seems that now it is back to that it is traffic to/via ASA that is the problem.

From the beginning, before the switch was changed, the ping from a device on Def VLAN connected on core-1 switch always had normal response time when pinging def gw on Def VLAN, but that is not the case anymore, it is long response time there also, so it seems that the change of switch has changed something.... maybe if I now would try to change to trunk mode instead of hybrid on the port to ASA?

 

/Johan

jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

OK, so the devices you are testing ICMP against, are they the same as before?

If you look at ICMP against different ProVision units they may differ. For example ping against the old ProCurve 2600 series is almost always at 1 ms, but ping to the newer 2530 may be between 1-30 ms. This is not an indicator of error, but just evidence that the switch prioritizes traffic. This is also true on Comware devices.

I don't remember what you wrote about different VLANs, but are your latency problems only on default VLAN 1? Or is it the same on all traffic traversing the ASA?

What ASA firmware are you running and has it been booted after installation of the new switches? ASA 9.x has had several bugs that require reboot.

Also, have you run bandwidth tests or are you only looking at response time using "ping"?

Are you familiar with Wireshark? It can be used in this situation to see traffic.

 

J

Jon Are Endrerud