
Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

 
Johan_Finland
Advisor

5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

I have 2 x 5120 (latest SW) as core switches and an ASA 5510 (8.2.5) that handles all VLAN routing (I have had ProCurve switches in the core before without any problems).

Between VLANs there is very bad performance, it is very slow; if I do an ICMP between two hosts in either VLAN it gives 10-15 ms.

Between the two 5120 switches I have a 10 GB fiber connection (not stacking), and if I try to do an ICMP there between two hosts on the same VLAN (except Def VLAN), with one host on one 5120 switch and the other on the other 5120 switch, then ICMP times are about 5 ms.

If I have the port going to the ASA 5510 set as "trunk" in the 5120 switch then Def VLAN is also "slow", but if I have it set to "hybrid" then Def VLAN acts "normal", i.e. under 1 ms.

So hybrid mode is better but still not good.

Everything was working well with ProCurve 2520 as core switches, but since we need 10 GB between two places (50 m apart) I went for the 5120 switch.

Also, some devices that I try to connect to the 5120 switch do not connect at all; for example, a Dell laptop only shows "not connected". I have tried different speeds and duplex but nothing helps; at least 3 other devices I need to connect to this switch behave the same way.

But the most urgent thing is these delays between VLANs (and inter-VLAN).

I have no "features" enabled, no Spanning Tree or whatsoever, just normal VLANs.

Does anyone have any idea?

HP Support has not helped much, except that maybe we could try to change the switches, since not even an upgrade of the SW helped.

I'm a little bit in panic since all systems are now working so slowly....

In the ASA 5510 there is not much more I can change, or could MTU size be a problem?

Any help please....

/Johan

21 REPLIES 21
sdide
Respected Contributor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi Johan,

you write:

"Between the two 5120 switches I have a 10 GB fiber connection (not stacking), and if I try to do an ICMP there between two hosts on the same VLAN (except Def VLAN), with one host on one 5120 switch and the other on the other 5120 switch, then ICMP times are about 5 ms."

This makes me think your 10 Gbit/s link is somehow broken. The first thing is to check the 10 Gbit/s interface for errors and traffic. And could you post the configuration of both the 10G interfaces?

e.g.

] display interface <ten-gig interfacenum>

] display curr interface <ten-gig-interfacenum>

on both the 5120s.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

Here are the printouts you requested.

That may be the problem. I have not been able to test ICMP from all the different VLANs on both switches because I don't have devices connected on the 5120-48G that belong to all the different VLANs, mostly only Def VLAN.

But it could confirm it, because if I do ICMP from the 5120-24G switch to some device connected on the same switch and same VLAN (i.e. it does not have to go via firewall/10G trunk) then there are no delays, and also if it is the same VLAN and one device is on the 5120-24G switch and the other device is on a ProCurve switch connected to port 23 and/or 24 on this switch, then it also behaves normally.

I was actually talking to HP support a couple of hours ago and they have now decided to send a new switch to see if that fixes the problem; if not, they will start investigating the 10G SFP and the module in both 5120 switches to see if they have some problem.

But they seem to be confident that the "main" 48G switch is the problem and probably has some hardware failure.

But during my 20 years in IT it has never happened that a problem like this has been fixed by exchanging the switch; the problems have always been on the software side and "bugs", but I just have to be optimistic and hope it will solve the issue. That I will know on Friday when I change the switch.

But still, if you/someone has some "other" ideas, please feel free to let me know and I will test them.

Below are the printouts:

5120-48G (ASA firewall connected on port 46, and 10G "trunk" on Ten gig 1/1/1)

<mhcore-1>display interface ten-gig 1/1/1
Ten-GigabitEthernet1/1/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: d07e-28c6-47b8
Description: Ten-GigabitEthernet1/1/1 Interface
Loopback is not set
Media type is optical fiber,Port hardware type is 10G_BASE_LR_SFP
10Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is force link
Flow-control is not enabled
The Maximum Frame Length is 9216
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Port link-type: hybrid
Tagged VLAN ID : 2-6, 10
Untagged VLAN ID : 1
Port priority: 0
Last clearing of counters: Never
Peak value of input: 8995783 bytes/sec, at 2000-05-05 16:21:48
Peak value of output: 9134564 bytes/sec, at 2000-05-05 16:21:48
Last 300 seconds input: 176 packets/sec 57385 bytes/sec 0%
Last 300 seconds output: 187 packets/sec 80871 bytes/sec 0%
Input (total): 18802099 packets, 16119924624 bytes
18743100 unicasts, 24814 broadcasts, 34185 multicasts, 0 pauses
Input (normal): 18802099 packets, - bytes
18743100 unicasts, 24814 broadcasts, 34185 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, - overruns, 0 aborts
- ignored, - parity errors
Output (total): 19094166 packets, 16788701656 bytes
19034100 unicasts, 40313 broadcasts, 19753 multicasts, 0 pauses
Output (normal): 19094166 packets, - bytes
19034100 unicasts, 40313 broadcasts, 19753 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
<mhcore-1>
<mhcore-1>display curr interface
#
interface NULL0
#
interface Vlan-interface1
ip address .x.x.x.x 255.255.255.224
#
interface GigabitEthernet1/0/1
port access vlan 6
#
interface GigabitEthernet1/0/2
port access vlan 6
#
interface GigabitEthernet1/0/3
port access vlan 6
#
interface GigabitEthernet1/0/4
port access vlan 6
#
interface GigabitEthernet1/0/5
port access vlan 6
#
interface GigabitEthernet1/0/6
port access vlan 6
#
interface GigabitEthernet1/0/7
port access vlan 6
#
interface GigabitEthernet1/0/8
port access vlan 6
#
interface GigabitEthernet1/0/9
port access vlan 6
#
interface GigabitEthernet1/0/10
port access vlan 6
#
interface GigabitEthernet1/0/11
port access vlan 6
#
interface GigabitEthernet1/0/12
port access vlan 6
#
interface GigabitEthernet1/0/13
port access vlan 6
#
interface GigabitEthernet1/0/14
port access vlan 6
#
interface GigabitEthernet1/0/15
port access vlan 6
#
interface GigabitEthernet1/0/16
port access vlan 6
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
port access vlan 6
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
port access vlan 3
#
interface GigabitEthernet1/0/37
port access vlan 3
#
interface GigabitEthernet1/0/38
port access vlan 3
#
interface GigabitEthernet1/0/39
port access vlan 5
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
port link-type hybrid
port hybrid vlan 5 to 6 tagged
port hybrid vlan 1 untagged
poe enable
#
interface GigabitEthernet1/0/42
port link-type hybrid
port hybrid vlan 5 to 6 tagged
port hybrid vlan 1 untagged
poe enable
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
port link-type hybrid
port hybrid vlan 5 to 6 tagged
port hybrid vlan 1 untagged
poe enable
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/47
port access vlan 3
#
interface GigabitEthernet1/0/48
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/49
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/50
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/51
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/52
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface Ten-GigabitEthernet1/1/1
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface Ten-GigabitEthernet1/1/2
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
return
<mhcore-1>

 

5120-24G (10 Gig "trunk" on 10 Gig 1/1/1):

<mh-core2>display interface ten-gig 1/1/1
Ten-GigabitEthernet1/1/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 4431-92e6-735c
Description: Ten-GigabitEthernet1/1/1 Interface
Loopback is not set
Media type is optical fiber,Port hardware type is 10G_BASE_LR_SFP
10Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is force link
Flow-control is not enabled
The Maximum Frame Length is 9216
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 1
Port link-type: hybrid
Tagged VLAN ID : 2-6, 10
Untagged VLAN ID : 1
Port priority: 0
Last clearing of counters: Never
Peak value of input: 12234612 bytes/sec, at 2000-05-08 03:21:45
Peak value of output: 12247904 bytes/sec, at 2000-05-08 03:25:15
Last 300 seconds input: 74 packets/sec 35107 bytes/sec 0%
Last 300 seconds output: 66 packets/sec 19892 bytes/sec 0%
Input (total): 76510027 packets, 73712639811 bytes
76349096 unicasts, 97829 broadcasts, 38082 multicasts, 0 pauses
Input (normal): 76485007 packets, - bytes
76349096 unicasts, 97829 broadcasts, 38082 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, - overruns, 0 aborts
- ignored, - parity errors
Output (total): 76496054 packets, 73132733248 bytes
76091833 unicasts, 312621 broadcasts, 91600 multicasts, 0 pauses
Output (normal): 76496054 packets, - bytes
76091833 unicasts, 312621 broadcasts, 91600 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, - no carrier
<mh-core2>
<mh-core2>display curr interface
#
interface NULL0
#
interface Vlan-interface1
ip address x.x.x.x.x 255.255.255.224
#
interface GigabitEthernet1/0/1
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/2
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/3
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/4
port access vlan 3
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
port link-type hybrid
port hybrid vlan 5 to 6 tagged
port hybrid vlan 1 untagged
poe enable
#
interface GigabitEthernet1/0/13
port access vlan 10
#
interface GigabitEthernet1/0/14
port access vlan 10
#
interface GigabitEthernet1/0/15
port access vlan 10
#
interface GigabitEthernet1/0/16
port access vlan 10
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/24
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/25
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/26
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/27
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface GigabitEthernet1/0/28
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
shutdown
#
interface Ten-GigabitEthernet1/1/1
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface Ten-GigabitEthernet1/1/2
port link-type trunk
port trunk permit vlan 1
#
return
<mh-core2>
<mh-core2>

 

 

/Johan

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Now the switch has been changed and, exactly as I expected, still the same problem.....

Maybe one small issue was fixed (I had a computer that did not get connected at all, and that now works).

But there is still a long response time, and now I have also tested internal communication within the switch between devices connected on the same VLAN on this 48-port switch, and there are delays even then.

So this is not only a fiber / fiber module issue, it is something else. Now all communication on the Default VLAN is also slow again (exact same configuration moved to the new switch), i.e. from 1-8 ms.

Now I must say that I'm frustrated and have no clue where these problems are coming from.

Does someone have some idea what to try? I will attach the config for someone "wise" to look at, in case I have some settings somewhere that are wrong.

/Johan

jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

I think I understand the topology, but I'm not sure.

Can you post the result of "display lldp ..." and which port the ASA is connected to?

You could also enable spanning tree and post the result, or maybe put the two switches in IRF.

Do you lose any packets, or do you only experience higher latency than usual?

J.

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

I will post the LLDP later today when I'm able to access the switches.
But one question: what good does it do to enable IRF and STP? There are 10 switches in total, 2 of them are 5120 switches and the rest are different ProCurve models, and there is no way that any loops should exist; in theory yes, but not in reality, because the only place where that could be possible is between the two 5120 switches, since there is a CAT6 cable running alongside the fiber cable, but that is not in use. I have built this network myself and connected all devices/switches, and no one else makes any changes without consulting me first.

Or could STP do some other "good stuff" than just prohibit loops?
And how about IRF, what will that do except stack them together and make administration easier? Or does IRF also have something else that brings "good stuff" to the functionality?

I just ask these questions because I don't have much experience with these functions, so I'm just trying to understand why they should be used.

But I will come back later today with the LLDP info.

/Johan
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

And no, I don't lose any packets, only high latency of 3-15 ms when pinging; between some devices less and between others higher, and it is often higher when trying between different VLANs.

/Johan
jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

I'm also new to Comware and the whole IRF thing, but after setting up 2 x 5900 in IRF the other day, config and monitoring became much easier. That's why I suggested IRF. STP gives a good picture of the topology.

I have a lot of experience with the ProVision-based switches and the Cisco ASA series. I have seen this behavior earlier, but it's a good start to rule out different kinds of loops.

If you have two devices connected to one of the Comware switches or both, do you have high latency between these nodes?

J.

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

Attached is the LLDP info from both switches; the ASA is connected on port 46 on the core 1 switch.

Now it seems that if I ping something within the same VLAN then the response time is pretty normal, i.e. <1 ms.

But as soon as I ping something (from a device connected on either switch) and it needs to go to/via the ASA firewall, then the latency gets bigger, also if I ping the VLAN's GW address that is on the ASA.

So it seems that now it is back to traffic to/via the ASA being the problem.

In the beginning, before the switch was changed, a ping from a device on Def VLAN connected to the core-1 switch always had a normal response time when pinging the def GW on Def VLAN, but that is not the case anymore; there is a long response time there too, so it seems that the change of switch has changed something.... Maybe I should now try changing to trunk mode instead of hybrid on the port to the ASA?

/Johan

jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

OK, so the devices you are testing ICMP against, are they the same as before?

If you look at ICMP against different ProVision units they may differ. For example, ping against the old ProCurve 2600 series is almost always at 1 ms, but ping to the newer 2530 may be between 1-30 ms. This is not an indicator of an error, just evidence that the switch prioritizes traffic. This is also true on Comware devices.

I don't remember what you wrote about the different VLANs, but are your latency problems only on default VLAN 1? Or is it the same on all traffic traversing the ASA?

What ASA firmware are you running, and has it been booted after installation of the new switches? ASA 9.x has had several bugs that require a reboot.

Also, have you run bandwidth tests or are you only looking at response time using "ping"?

Are you familiar with Wireshark? It can be used in this situation to see traffic.

J

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

It is the same devices I test against.

At least we have seen latency problems between VLAN 1 and 2 (file copies take too long, so we get problems with applications) and between 6 and 1 (printing is slow).

Maybe 1-30 is "normal" if it prioritizes traffic, but I don't want any prio... I want it to work as it did before, when everything showed under 1 ms when pinging and we had no problems. Now, when it shows up to 15 ms, we have problems; these are facts that I know, and the users are not happy...

I have not done an actual speed test between devices.

I have used Wireshark a few times but I'm not so good at analyzing that data; there is so much to go through.....

The ASA is running ver 8.2.5 (I did not have the courage to go higher with only 256 memory), and all core switches and the ASA have been restarted several times; most recently I did it this morning before doing some tests.

/Johan

jonare
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

OK,

Can you do a "sh interfaces" on the ASA and get the stats for me?

Jon Are Endrerud
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

I will do that. What I also wanted to say was that when I ping a device from 5120 core 2 to a device on a ProCurve switch, and that ProCurve is connected to the core 2 switch (both devices on the same VLAN), then I have no latency or very, very little; just to confirm that it is something with the ASA communication that I think is not as it should be.

I will get back to you with the ASA info.

/Johan
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

Here is the interface info from the ASA.

/Johan

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

Have you found anything that could cause this? Users still say applications are slow.

/Johan
Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi everyone!

I have found the problem: it is a camera surveillance server on VLAN 3 that is causing the problem.

As soon as the recording software is started on the server, the latency gets high between all other VLANs.

But it is funny, because it never caused any problem before when connected to the ProCurve 2510-24G switches, so I tried to move it back to that switch, but the problems come right away.

So now the question is, why? Could it be because I have all the "trunks" between switches (except the port to the ASA firewall) set to "hybrid" mode? Could "hybrid" mode cause problems?

Maybe trunk mode on all ports that go to another switch would fix it? Does anyone have any idea?

Earlier I changed all ports that go to another switch to hybrid because trunk mode also made everything go slow then, for some reason.

But yesterday morning I changed the port to the ASA firewall back to trunk from hybrid, and then I started to add tagging for the VLANs one by one, and it was then that I saw the problem, when coming to VLAN 3.

But all other ports that link to other switches (including the 10 GB fiber) I have in hybrid mode.

It is not so nice to start making changes just "to try", since everything is in production, so I would gladly have some "input" from someone who may have an idea about this behavior.

What is causing the recording software (running on Windows XP) to do this? Can it be too-big packets? MTU size?

Please come back to me if someone has any idea!

/Johan

Vince-Whirlwind
Honored Contributor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

It's a bit hard to advise anything without knowing what this "recording software" is, and it doesn't seem like you have enough information to be going ahead and changing anything in your production environment.

  

What kind of traffic does it generate? Is it multicast?
Have you configured your network for multicast?

Does it use jumbo frames?

What is the server's IP config?

What is the server's switchport's config? Is it an Access port or does it have 802.1q enabled? If so, then how many VLANs are on the port, should they be there? Does the server have an IP interface for each VLAN it can see from its switchport?

 

Maybe also capture traffic and see what it looks like.

 

Finally, why would anybody use "hybrid" mode?
Multiple untagged VLANs on the same port sounds both dumb and dangerous.

Just use Trunks.
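
The hybrid-versus-trunk question in this reply can be checked against a posted configuration rather than argued. The Python below is an added example, not code from any poster or from HP: it parses Comware-style interface configuration of the kind posted earlier in the thread, lists hybrid ports that send more than one VLAN untagged, and compares the VLAN sets on two ports the caller says face each other. The sample text is constructed (GigabitEthernet1/0/99 is invented), and the parser assumes the PVID stays at the default of 1.

```python
import re

# Constructed sample in the style of the "display curr interface" output posted
# earlier in this thread. GigabitEthernet1/0/99 is invented to show a finding.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
port access vlan 6
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/46
port link-type hybrid
port hybrid vlan 2 to 6 10 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/99
port link-type hybrid
port hybrid vlan 3 5 untagged
port hybrid vlan 1 untagged
#
interface Ten-GigabitEthernet1/1/2
port link-type trunk
port trunk permit vlan 1
#
return
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '6', '10'] into {2,3,4,5,6,10}."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(config_text):
    """Return {port: {'link_type', 'untagged', 'tagged'}} for Ethernet ports."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S*Ethernet\S+)$", line)
        if m:
            # Assumed defaults: access port, VLAN 1 untagged (PVID 1).
            current = {"link_type": "access", "untagged": {1}, "tagged": set()}
            ports[m.group(1)] = current
        elif line.startswith("interface ") or line in ("#", "return"):
            current = None  # NULL0, Vlan-interface, or end of a section
        elif current is None:
            continue
        elif m := re.match(r"port link-type (access|trunk|hybrid)$", line):
            current["link_type"] = m.group(1)
        elif m := re.match(r"port access vlan (\d+)$", line):
            current["untagged"] = {int(m.group(1))}
        elif m := re.match(r"port hybrid vlan (.+) (tagged|untagged)$", line):
            vlans = expand_vlans(m.group(1).split())
            other = "untagged" if m.group(2) == "tagged" else "tagged"
            current[m.group(2)] |= vlans
            current[other] -= vlans
        elif m := re.match(r"port trunk permit vlan (.+)$", line):
            # On a trunk the PVID VLAN leaves untagged; all others are tagged.
            current["tagged"] |= expand_vlans(m.group(1).split()) - current["untagged"]
    return ports


def audit(ports):
    """Return (port, finding) pairs for hybrid ports with several untagged VLANs."""
    findings = []
    for name, port in ports.items():
        if port["link_type"] == "hybrid" and len(port["untagged"]) > 1:
            findings.append((name, "untagged VLANs " + str(sorted(port["untagged"]))))
    return findings


def link_mismatch(end_a, end_b):
    """VLANs that one end of a link carries tagged/untagged and the other does not."""
    return {
        "tagged": sorted(end_a["tagged"] ^ end_b["tagged"]),
        "untagged": sorted(end_a["untagged"] ^ end_b["untagged"]),
    }


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_CONFIG)
    for port_name, finding in audit(parsed):
        print(port_name, "->", finding)
    # Which two ports face each other is the caller's knowledge, not the parser's.
    print(link_mismatch(parsed["GigabitEthernet1/0/46"],
                        parsed["Ten-GigabitEthernet1/1/2"]))
```
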

Vince-Whirlwind
Honored Contributor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Also, do you monitor your switches' CPU % and mem %?
If you do, I presume you would have told us if anything weird was happening.

If you don't, you need to.

 

Also set the switch logging to info/debug and see if anything interesting is happening.

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Well, since the camera system is something that has been delivered by another company, I don't know so much about it... And I have not been able to get hold of anyone at that company who knows anything more "in depth" about how it "works".

If I had known this then I would have written it here, of course; that was why I asked the question here, maybe someone has some "general knowledge" of camera recording systems.

And my bad also, I did not write how the port and server were configured, but I thought that since I did not write anything specific, "people" would understand that it is configured as you normally configure a port and the IP settings/VLAN for a computer, i.e. the port in the switch is set to untagged VLAN 3, no tagged traffic.

And regarding multicast and jumbo frames, I have no clue about this; that was why I was asking questions..., where to start and how to do it.....

When starting the recording software and the latency gets higher, CPU % in both core switches goes up by 2% (i.e. 10% > 12% and 15% > 17%), and as soon as I stop the recording program the CPU % goes down by 2%.

This is what I know at this point, and maybe someone can tell me what the most logical next step is?

/Johan

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

And also, to answer your question "why would anyone use hybrid mode on a port".... that was because already from the first day I installed the switches and moved equipment over to the new core switches I had this problem; all networks and VLANs were slow, especially between VLANs but also Def VLAN.

And then, when I had to find the problem, I of course tried different settings on the trunk ports, and when I changed the port that goes to the ASA firewall from trunk mode > hybrid mode, the def. VLAN (where I have the servers) started to behave "normally", i.e. no latency......

So then I thought that the latency issue had to do with trunk mode and started to change trunk mode to hybrid mode on all ports going between switches....., so that is why "I used hybrid mode".....

And if you have read everything in this post from the beginning you can see that I wrote:

"If I have the port going to the ASA 5510 set as "trunk" in the 5120 switch then Def VLAN is also "slow", but if I have it set to "hybrid" then Def VLAN acts "normal", i.e. under 1 ms."

And lastly I must ask, why do you have to sound so "superior", Vince-Whirlwind, in your writing? Isn't the idea of forums to help??! Those who have knowledge and have maybe been in the same situation can help others..?!

I rather get the feeling from you that "don't ask anything here if you don't know what you are talking about"... and that is not a nice feeling.....

/Johan

Vince-Whirlwind
Honored Contributor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

The switch CPU% is not as interesting as the ASA CPU%, seeing as the ASA is doing your routing.

Also the MEM% utilisation is important.

 

Personally, I would IRF the 5120s together and move the inter-VLAN routing to them - ASAs are not routers and they don't perform anywhere near as well as a decent Layer3 switch (which the 5120 is).

 

Multicast is quite likely how the system finds its cameras (or how the cameras find the system) - make sure you find out how it works and implement multicast config if relevant.

Johan_Finland
Advisor

Re: 5120-48G EI & Cisco ASA 5510 - VLAN Issue

Hi!

My mistake not to think of CPU usage on the ASA; I will check that.

But why does everyone want me to IRF them together..., I still don't think that will help this issue!?

And yes, I know the ASA is "not the best router", a firewall is never the best router, but on the other hand, when it is a "small network", in total we are talking about around 100-150 connected devices (many of them not using any capacity or communicating across VLANs on a regular basis), then the ASA's "bad" routing function cannot be the issue.

And since it has been working well from 2007 until now with the ASA as router, it clearly is a problem with the 5120 switches!

Moving the routing function to the 5120 switch would be best, yes, but it is a big job to also move all ACLs to the switch in that case, since there are a lot of ACLs between the VLANs, so doing that is not my "first option", more like my last option.

Now we have decided to get a new camera recording device instead of the "old" XP-based system; that will come within a couple of weeks, so let's see how it works when it arrives.

One other option I do have is to move VLAN 3, where the camera system is located, to its own interface on the ASA and run it untagged, instead of today, when it comes in the "trunk" from the ASA.

I don't think that will help, but it can be tested.

As you said, it probably has something to do with multicast...; in that case, what should be done in the switches if the camera system uses multicast?

But on the other hand, if it were multicast (or something else), why has the problem not shown up when using ProCurve switches? Wouldn't the ProCurve switches also be "sensitive" to the same problem?

/Johan