[c-nsp] Re: cisco-nsp Digest, Vol 27, Issue 41
Adrian Pirciu
adrian.pirciu at rdsnet.ro
Thu Feb 10 03:31:07 EST 2005
Hi.
I would disable VTP Pruning. It may be a good idea but sometimes it
can bring problems like this one (basically, if you create a new vlan
on the server but there are no ports in that vlan somewhere beyond the
2950, the 6500 will prune the vlan and not forward it to the 2950,
thinking it is not needed there). As it can be seen, pruning is
enabled and some vlans (5,8,76) are pruned. This can explain that when
you are putting a port in the vlan (on the 2950) the 6500 "un-prunes"
the vlan toward the 2950.
Alban Dani wrote:
> Hi,
>
> here are some outputs:
>
> cat6509#sh interfaces gig 4/16 trunk
>
> Port Mode Encapsulation Status Native vlan
> Gi4/16 on 802.1q trunking 1
>
> Port Vlans allowed on trunk
> Gi4/16 1,5,8,13,17,21-22,27,41,43,63,68,70-71,73,76,83,101-102
>
> Port Vlans allowed and active in management domain
> Gi4/16 1,5,8,13,17,21-22,27,41,43,63,68,70-71,73,76,83,101-102
>
> Port Vlans in spanning tree forwarding state and not pruned
> Gi4/16 1,13,17,21-22,27,41,43,63,68,70-71,73,83,101-102
>
> *************
>
> cat6509.cc#sh vtp status
> VTP Version : 2
> Configuration Revision : 299
> Maximum VLANs supported locally : 1005
> Number of existing VLANs : 136
> VTP Operating Mode : Server
> VTP Domain Name : vtpdomain
> VTP Pruning Mode : Enabled
> VTP V2 Mode : Enabled
> VTP Traps Generation : Disabled
>
> *****************
>
> cat2950#sh vtp status
> VTP Version : 2
> Configuration Revision : 299
> Maximum VLANs supported locally : 250
> Number of existing VLANs : 136
> VTP Operating Mode : Client
> VTP Domain Name : vtpdomain
> VTP Pruning Mode : Enabled
> VTP V2 Mode : Enabled
> VTP Traps Generation : Enabled
>
> Maybe I have said this before but the show spanning-tree commands also
> show that everything is in order.
>
> I opened a tac case with cisco.. and I can feel its going nowhere.
>
> Alban
>
>
> On Wed, 9 Feb 2005 11:10:50 -0500 (EST),
> cisco-nsp-request at puck.nether.net <cisco-nsp-request at puck.nether.net>
> wrote:
>
>>Send cisco-nsp mailing list submissions to
>> cisco-nsp at puck.nether.net
>>
>>To subscribe or unsubscribe via the World Wide Web, visit
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>or, via email, send a message with subject or body 'help' to
>> cisco-nsp-request at puck.nether.net
>>
>>You can reach the person managing the list at
>> cisco-nsp-owner at puck.nether.net
>>
>>When replying, please edit your Subject line so it is more specific
>>than "Re: Contents of cisco-nsp digest..."
>>
>>Today's Topics:
>>
>> 1. RE: Vlans and catalyst 2950 (Oliver Boehmer (oboehmer))
>> 2. Re: Vlans and catalyst 2950 (Adrian Pirciu)
>> 3. Re: VPN failover / load sharing using IOS? (Luan Nguyen)
>> 4. Re: Cisco 3550 maximum number of routable interfaces limit?
>> (Matthew Crocker)
>>
>>----------------------------------------------------------------------
>>
>>Message: 1
>>Date: Wed, 9 Feb 2005 16:33:59 +0100
>>From: "Oliver Boehmer \(oboehmer\)" <oboehmer at cisco.com>
>>Subject: RE: [c-nsp] Vlans and catalyst 2950
>>To: "Alban Dani" <albcisco at gmail.com>, "Adrian Pirciu"
>> <adrian.pirciu at rdsnet.ro>
>>Cc: cisco-nsp at puck.nether.net
>>Message-ID:
>> <70B7A1CCBFA5C649BD562B6D9F7ED78474CA3B at xmb-ams-333.emea.cisco.com>
>>Content-Type: text/plain; charset="us-ascii"
>>
>>Alban,
>>
>>Did you enable vtp pruning? Can you send a "show trunk x/y" (CatOS) or
>>"show int xxx trunk" (IOS) on your Cat6k/core switch? It could be that
>>the 6k incorrectly pruned Vlan41 from the trunk. Workaround: disable vtp
>>pruning..
>>
>> oli
>>
>>Alban Dani <> wrote on Wednesday, February 09, 2005 4:24 PM:
>>
>>
>>>Hi there,
>>>
>>>we are using VTP. All the new Vlans are created on the 6509 which is
>>>the core.
>>>
>>>Here is the output of the show vlan on the cat2950:
>>>
>>>cat2950#sh vlan id 41
>>>VLAN Name Status Ports
>>>---- -------------------------------- ---------
>>>------------------------------- 41 Stevens
>>>active Fa0/6, Fa0/35, Fa0/46, Gi0/1 VLAN Type SAID MTU
>>>Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- -----
>>>---------- ----- ------ ------ -------- ---- -------- ------ ------
>>>41 enet 100041 1500 - - - - - 0
>>>0 Remote SPAN VLAN ----------------
>>>Disabled
>>>Primary Secondary Type Ports
>>>
>>>cat2950#sh spanning-tree vlan 41
>>>
>>>VLAN0041
>>> Spanning tree enabled protocol ieee
>>> Root ID Priority 24617
>>> Address 0009.b799.a680
>>> Cost 28
>>> Port 49 (GigabitEthernet0/1)
>>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>>>
>>> Bridge ID Priority 32809 (priority 32768 sys-id-ext 41)
>>> Address 000b.fd53.9540
>>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>>> Aging Time 300
>>>
>>>Interface Role Sts Cost Prio.Nbr Type
>>>---------------- ---- --- --------- --------
>>>-------------------------------- Fa0/35 Desg FWD 19
>>>128.35 P2p
>>>Fa0/46 Desg FWD 19 128.46 P2p
>>>Gi0/1 Root FWD 4 128.49 P2p
>>>
>>>Port Fa0/35 is trunked and Vlan 41 never makes it up this trunk unless
>>>as I have explained I put a port on cat2950 on that vlan and get some
>>>traffic in it.
>>>
>>>
>>>Thanks,
>>>
>>>Alban
>>>
>>>On Wed, 09 Feb 2005 10:58:15 +0200, Adrian Pirciu
>>><adrian.pirciu at rdsnet.ro> wrote:
>>>
>>>>Hello
>>>>
>>>>Alban Dani wrote:
>>>>
>>>>>Hello Matthew,
>>>>>
>>>>>I also am having a very wierd issue with vlans and 2950-s.
>>>>>
>>>>>We are running pst+.
>>>>>We have a 6509 in the core and everytime we try to get a new vlan
>>>>>passed through a chain of switches( all connected via dot1q trunks)
>>>>>that has a 2950 in it, it does not work. The only workaround we
>>>>>found so far is to go to a port on the given 2950 , set the port on
>>>>>the requried vlan and connect a machine to it and through some
>>>>>traffic. That makes the 2950 aware of that vlan.
>>>>
>>>>a 2950 will not pass traffic for the vlans not defined in its table.
>>>>When you put a port in a vlan, it automatically adds this vlan to the
>>>>config (sh vlan) and it starts forwarding traffic for that vlan which
>>>>explains the behaviour you describe.
>>>>
>>>>You can use VTP if you want to have a consistent vlan database
>>>>accross you network. Be careful though (there are some bat things
>>>>that can happen, read the documentation from www.cisco.com and they
>>>>are described).
>>>>
>>>>
>>>>
>>>>>If this was not enough, if the vlan in question does not see traffic
>>>>>for a couple of days the 2950 totally forgets about it.
>>>>
>>>>I am not aware of anything resembling this behaviour. Anybody ? Does
>>>>the vlan apper on "sh vlan" when this happens ?
>>>>
>>>>
>>>>>I am wondering if you ever found a solution to your problem and if
>>>>>so what was it?
>>>>>
>>>>>I have upgraded to the latest IOS but it did not help.
>>>>
>>>>i'm pretty sure it is not an IOS/switch related problem.
>>>>
>>>>
>>>>>thanks,
>>>>>
>>>>>Alban
>>>>>_______________________________________________
>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>--
>>>>adixor
>>>>
>>>
>>>_______________________________________________
>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>------------------------------
>>
>>Message: 2
>>Date: Wed, 09 Feb 2005 17:46:22 +0200
>>From: Adrian Pirciu <adrian.pirciu at rdsnet.ro>
>>Subject: Re: [c-nsp] Vlans and catalyst 2950
>>To: Alban Dani <albcisco at gmail.com>
>>Cc: cisco-nsp at puck.nether.net
>>Message-ID: <420A304E.4060502 at rdsnet.ro>
>>Content-Type: text/plain; charset=US-ASCII; format=flowed
>>
>>try creating a new vlan on the 6500 and then use sh vlan to see if it
>>is created automatically on the 29xx. If not, there is a vtp
>>configuration mismatch somewhere.
>>
>>add some outputs of "sh vtp status" on the 6500 and 29xx if you can
>>please.
>>
>>Alban Dani wrote:
>>
>>>Hi there,
>>>
>>>we are using VTP. All the new Vlans are created on the 6509 which is the core.
>>>
>>>Here is the output of the show vlan on the cat2950:
>>>
>>>cat2950#sh vlan id 41
>>>VLAN Name Status Ports
>>>---- -------------------------------- --------- -------------------------------
>>>41 Stevens active Fa0/6, Fa0/35, Fa0/46, Gi0/1
>>>VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
>>>---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
>>>41 enet 100041 1500 - - - - - 0 0
>>>Remote SPAN VLAN
>>>----------------
>>>Disabled
>>>Primary Secondary Type Ports
>>>
>>>cat2950#sh spanning-tree vlan 41
>>>
>>>VLAN0041
>>> Spanning tree enabled protocol ieee
>>> Root ID Priority 24617
>>> Address 0009.b799.a680
>>> Cost 28
>>> Port 49 (GigabitEthernet0/1)
>>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>>>
>>> Bridge ID Priority 32809 (priority 32768 sys-id-ext 41)
>>> Address 000b.fd53.9540
>>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>>> Aging Time 300
>>>
>>>Interface Role Sts Cost Prio.Nbr Type
>>>---------------- ---- --- --------- -------- --------------------------------
>>>Fa0/35 Desg FWD 19 128.35 P2p
>>>Fa0/46 Desg FWD 19 128.46 P2p
>>>Gi0/1 Root FWD 4 128.49 P2p
>>>
>>>Port Fa0/35 is trunked and Vlan 41 never makes it up this trunk unless
>>>as I have explained I put a port on cat2950 on that vlan and get some
>>>traffic in it.
>>>
>>>
>>>Thanks,
>>>
>>>Alban
>>>
>>>On Wed, 09 Feb 2005 10:58:15 +0200, Adrian Pirciu
>>><adrian.pirciu at rdsnet.ro> wrote:
>>>
>>>
>>>>Hello
>>>>
>>>>Alban Dani wrote:
>>>>
>>>>
>>>>>Hello Matthew,
>>>>>
>>>>>I also am having a very wierd issue with vlans and 2950-s.
>>>>>
>>>>>We are running pst+.
>>>>>We have a 6509 in the core and everytime we try to get a new vlan
>>>>>passed through a chain of switches( all connected via dot1q trunks)
>>>>>that has a 2950 in it, it does not work. The only workaround we found
>>>>>so far is to go to a port on the given 2950 , set the port on the
>>>>>requried vlan and connect a machine to it and through some traffic.
>>>>>That makes the 2950 aware of that vlan.
>>>>
>>>>a 2950 will not pass traffic for the vlans not defined in its table.
>>>>When you put a port in a vlan, it automatically adds this vlan to the
>>>>config (sh vlan) and it starts forwarding traffic for that vlan which
>>>>explains the behaviour you describe.
>>>>
>>>>You can use VTP if you want to have a consistent vlan database accross
>>>>you network. Be careful though (there are some bat things that can
>>>>happen, read the documentation from www.cisco.com and they are
>>>>described).
>>>>
>>>>
>>>>
>>>>
>>>>>If this was not enough, if the vlan in question does not see traffic
>>>>>for a couple of days the 2950 totally forgets about it.
>>>>
>>>>I am not aware of anything resembling this behaviour. Anybody ? Does
>>>>the vlan apper on "sh vlan" when this happens ?
>>>>
>>>>
>>>>
>>>>>I am wondering if you ever found a solution to your problem and if so
>>>>>what was it?
>>>>>
>>>>>I have upgraded to the latest IOS but it did not help.
>>>>
>>>>i'm pretty sure it is not an IOS/switch related problem.
>>>>
>>>>
>>>>
>>>>>thanks,
>>>>>
>>>>>Alban
>>>>>_______________________________________________
>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>--
>>>>adixor
>>>>
>>
>>--
>>adixor
>>
>>------------------------------
>>
>>Message: 3
>>Date: Wed, 09 Feb 2005 10:41:27 -0500
>>From: Luan Nguyen <luan.nguyen at mci.com>
>>Subject: Re: [c-nsp] VPN failover / load sharing using IOS?
>>To: Brian Feeny <signal at shreve.net>, Rodney Dunn <rodunn at cisco.com>
>>Cc: Cameron.Dry at didata.com.au, cisco-nsp at puck.nether.net
>>Message-ID: <008601c50ebd$d1b62470$89902799 at entserver01>
>>Content-Type: text/plain; charset=iso-8859-1
>>
>>I put a sample config for you to look at. My definition of a VPN is the
>>IPSEC transport mode( or tunnel) over the GRE. So if you have dual T1 with
>>their own address from different ISP, then you could build 2 VPNs, one for
>>each link. The LAN side - most of the time will be 1918 address? Then just
>>use EIGRP or static to create 2 routes equal cost over the 2 GRE tunnels.
>>If you only have one host talking to one host on the LAN side, then there
>>will not be load sharing per-destination. Per packet would do the job
>>though. These are T1 so you don't need that object tracking thing. If you
>>only have one host to one host then maybe do policy base routing base on the
>>type of traffics so you could load share somewhat.
>>
>>crypto isakmp policy 1001
>>
>> encr 3des
>>
>> hash sha
>>
>> authentication pre-share
>>
>> group 2
>>
>>crypto isakmp key connection1 address 1.1.1.1
>>
>>crypto isakmp key connection2 address 2.2.2.2
>>
>>!
>>
>>crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
>>
>> mode transport
>>
>>!
>>
>>crypto map CryptoMap1 local-address T1_1
>>
>>crypto map CryptoMap1 1024 ipsec-isakmp
>>
>> set peer 1.1.1.1
>>
>> set transform-set TRANS
>>
>> match address ACL_1
>>
>>!
>>
>>crypto map CryptoMap2 local-address T1_2
>>
>>crypto map CryptoMap2 1024 ipsec-isakmp
>>
>> set peer 2.2.2.2
>>
>> set transform-set TRANS
>>
>> match address ACL_2
>>
>>!
>>
>>interface Tunnel1
>>
>> description *To 2nd router - T1_1*
>>
>> bandwidth 1544
>>
>> ip unnumbered fa0/0 <--------Could use static ip like a.a.a.1 on one side
>>and a.a.a.2 on the other
>>
>>!*UNNUMBERED TO PRIVATE LAN*
>>
>> ip mtu 1440
>>
>> tunnel source X.X.X.X
>>
>> tunnel destination 1.1.1.1
>>
>> crypto map CryptoMap1
>>
>>!
>>
>>interface Tunnel2
>>
>> description *To 2nd router T1_2*
>>
>> bandwidth 1544
>>
>> ip unnumbered FastEthernet0/0
>>
>>!*UNNUMBERED TO PRIVATE LAN*
>>
>> ip mtu 1440
>>
>> tunnel source Y.Y.Y.Y
>>
>> tunnel destination 2.2.2.2
>>
>> crypto map CryptoMap2
>>
>>!
>>
>>interface WAN1
>>
>> ip address X.X.X.X 255.255.255.252
>>
>> description *WAN 1*
>>
>> no ip redirects
>>
>> no ip unreachables
>>
>> no ip proxy-arp
>>
>> duplex full
>>
>> speed 100
>>
>> crypto map CryptoMap1
>>
>>!
>>
>>interface WAN2
>>
>>ip address Y.Y.Y.Y 255.255.255.252
>>
>> description *WAN 2*
>>
>> no ip redirects
>>
>> no ip unreachables
>>
>> no ip proxy-arp
>>
>> duplex full
>>
>> speed 100
>>
>> crypto map CryptoMap2
>>
>>!
>>
>>interface FastEthernet0.0
>>
>> ip address Z.Z.Z.Z 255.255.255.0
>>
>> description *LAN 2*
>>
>> no ip redirects
>>
>> no ip unreachables
>>
>> no ip proxy-arp
>>
>> duplex full
>>
>>!
>>
>>ip access-list extended ACL_1
>>
>> permit gre host X.X.X.X host 1.1.1.1
>>
>>ip access-list extended ACL_2
>>
>> permit gre host Y.Y.Y.Y host 2.2.2.2
>>
>>!
>>
>>router eigrp 1
>>
>> passive-interface FastEthernet0/0
>>
>> network Z.Z.Z.0 0.0.0.255
>>
>> no auto-summary
>>
>>eigrp stub connected
>>
>>!
>>
>>ip route 1.1.1.1 255.255.255.255 WAN1_gateway_address
>>
>>Ip route 2.2.2.2 255.255.255.255 WAN_2_gateway address
>>
>>Hope that help.
>>
>>Luan
>>
>>----- Original Message -----
>>From: "Brian Feeny" <signal at shreve.net>
>>To: "Rodney Dunn" <rodunn at cisco.com>
>>Cc: <cisco-nsp at puck.nether.net>; "Luan Nguyen" <luan.nguyen at mci.com>;
>><Cameron.Dry at didata.com.au>
>>Sent: Wednesday, February 09, 2005 10:09 AM
>>Subject: Re: [c-nsp] VPN failover / load sharing using IOS?
>>
>>
>>>I haven't even gotten that information back yet. Are you talking about
>>>the SAA object tracking stuff?
>>>
>>>Since their would be load sharing one link could go down and it should
>>>be ok. In other words rather than a standby circuit, both circuits
>>>should be live. But since after the GRE's are up and even EIGRP in
>>>place, the actual IPSEC SA represents a single source/destination pair
>>>(as far as the level that GRE and EIGRP are at), then that will create
>>>a single flow over only one link.......which is fine I suppose. I may
>>>do up a diagram to give a clearer picture of what I am trying to
>>>accomplish. I am pretty sure whatever route I go the 1700's will work
>>>ok for this application.
>>>
>>>Brian
>>>
>>>On Feb 9, 2005, at 7:07 AM, Rodney Dunn wrote:
>>>
>>>
>>>>What are your ISP connections?
>>>>HDLC, PPP, *net, ?
>>>>
>>>>I've done a couple of desigs leveraging
>>>>HSRP with Object tracking of the wan
>>>>links for failover also.
>>>>
>>>>Rodney
>>>>
>>>>On Wed, Feb 09, 2005 at 12:18:40AM -0600, Brian Feeny wrote:
>>>>
>>>>>Actually, your right. But really the vpn is establishing a single
>>>>>source host to a single destination host, since whats really riding on
>>>>>top of the GRE layer is the VPN itself. Like you say, per destination
>>>>>balancing sort of makes it not work very well.
>>>>>
>>>>>Too bad cisco doesn't allow you to just define two vpn's and treat the
>>>>>result as two equal paths, that would be a bit better.
>>>>>
>>>>>Brian
>>>>>
>>>>>On Feb 8, 2005, at 11:59 PM, Luan Nguyen wrote:
>>>>>
>>>>>
>>>>>>It would work just like that I think. The router would just do
>>>>>>per-destination load share wouldn't it - unless you only have one
>>>>>>host
>>>>>>talking to one host? In our environment we have one spoke with dual
>>>>>>GRE
>>>>>>tunnels to 2 hubs with equal cost. Yours is a little different but
>>>>>>it
>>>>>>should work for load balancing just like that.
>>>>>>
>>>>>>Luan
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: cisco-nsp-bounces at puck.nether.net
>>>>>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
>>>>>>Sent: Wednesday, February 09, 2005 12:33 AM
>>>>>>To: Rodney Dunn
>>>>>>Cc: Cameron.Dry at didata.com.au; cisco-nsp at puck.nether.net
>>>>>>Subject: Re: [c-nsp] VPN failover / load sharing using IOS?
>>>>>>
>>>>>>
>>>>>>Rodney,
>>>>>>
>>>>>>I will definitely look into OER. But if I had 2 GRE tunnels, why
>>>>>>can't
>>>>>>I just point statics like in my example, for each remote subnet down
>>>>>>the tunnels? Wouldn't that load balance AND work for failover?
>>>>>>
>>>>>>Thanks,
>>>>>>
>>>>>>Brian
>>>>>>
>>>>>>On Feb 8, 2005, at 11:20 PM, Rodney Dunn wrote:
>>>>>>
>>>>>>
>>>>>>>There are really on two ways to do this:
>>>>>>>
>>>>>>>a) you announce some subset of routes down
>>>>>>> one gre tunnel from the headend and prefer
>>>>>>> them and the other subset over the backup tunnel
>>>>>>>
>>>>>>>that way if one tunnel goes away you will have failover.
>>>>>>>The drawback there is the load sharing isn't dynamic.
>>>>>>>
>>>>>>>The only way you can get dynamic loadsharing in
>>>>>>>this type of setup is OER.
>>>>>>>
>>>>>>>b) Do OER at the spoke side and let it load balance
>>>>>>> the traffic back towards the headend.
>>>>>>>
>>>>>>>They were going to put a sample of that in the OER
>>>>>>>deployment guide but I'm not sure they have gotten
>>>>>>>to it yet.
>>>>>>>
>>>>>>>http://www.cisco.com/go/oer
>>>>>>>
>>>>>>>Rodney
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>On Tue, Feb 08, 2005 at 10:31:43PM -0600, Brian Feeny wrote:
>>>>>>>
>>>>>>>>thanks, although that looks to be for sites with multiple routers
>>>>>>>>and
>>>>>>>>multiple links. Each of these sites is only going to have one
>>>>>>>>router,
>>>>>>>>that takes in 2 T1's. I don't think that will work in that
>>>>>>>>scenrio.
>>>>>>>>
>>>>>>>>Brian
>>>>>>>>
>>>>>>>>On Feb 8, 2005, at 10:07 PM, Cameron.Dry at didata.com.au wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>>Check out:
>>>>>>>>>
>>>>>>>>>http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/
>>>>>>>>>products_feature_
>>>>>>>>>guide09186a00800ed370.html
>>>>>>>>>
>>>>>>>>>Cameron
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: cisco-nsp-bounces at puck.nether.net
>>>>>>>>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>>>>>>>>>signal at shreve.net
>>>>>>>>>Sent: Wednesday, 9 February 2005 11:50 AM
>>>>>>>>>To: 'cisco-nsp'
>>>>>>>>>Subject: [c-nsp] VPN failover / load sharing using IOS?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Has anyone done any type of VPN failover and/or load balancing
>>>>>>>>>using
>>>>>>>>>IOS?
>>>>>>>>>
>>>>>>>>>For example something like a 2 1700 routers, each with 2 T1 cards
>>>>>>>>>in
>>>>>>>>>them,
>>>>>>>>>Each T1 card would be connected to a different ISP, each with its
>>>>>>>>>own
>>>>>>>>>IP space
>>>>>>>>>(no BGP). Either T1 would be able to go down, and the VPN could
>>>>>>>>>re-establish
>>>>>>>>>itself over the remaining T1. Both T1's would be load balanced
>>>>>>>>>over
>>>>>>>>>for VPN
>>>>>>>>>connectivity.
>>>>>>>>>
>>>>>>>>>Is it possible to establish 2 VPN's, 1 over each link, with the
>>>>>>>>>same
>>>>>>>>>source/destination private networks defined, and have the router
>>>>>>>>>load
>>>>>>>>>balance these and also work in failover?
>>>>>>>>>
>>>>>>>>>Another thought, which is kind of ugly (but maybe not), is 2 GRE
>>>>>>>>>tunnels, and then dual static routes over the tunnels:
>>>>>>>>>
>>>>>>>>>Router 1 T1 #1 <----------------------- GRE Tunnel #1
>>>>>>>>>-------------------> Router 2 T1 #1
>>>>>>>>>Router 2 T1 #2 <------------------------ GRE Tunnel #2
>>>>>>>>>-------------------> Router 2 T1 #2
>>>>>>>>>
>>>>>>>>>ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel1
>>>>>>>>>ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel2
>>>>>>>>>
>>>>>>>>>Then establish the VPN on top of the above. I don't particular
>>>>>>>>>like
>>>>>>>>>the idea of building a tunnel on top of 2 other tunnels, so if
>>>>>>>>>anyone
>>>>>>>>>has experience in doing this type of setup, please share what you
>>>>>>>>>used
>>>>>>>>>to do it.
>>>>>>>>>
>>>>>>>>>Brian
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Brian Feeny, CCIE #8036, CISSP
>>>>>>>>>Network Engineer
>>>>>>>>>ShreveNet Inc.
>>>>>>>>>
>>>>>>>>>_______________________________________________
>>>>>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>******************************************************************
>>>>>>>>>**
>>>>>>>>>*
>>>>>>>>>**
>>>>>>>>>*******
>>>>>>>>> - NOTICE FROM DIMENSION DATA AUSTRALIA
>>>>>>>>>This message is confidential, and may contain proprietary or
>>>>>>>>>legally
>>>>>>>>>privileged information. If you have received this email in error,
>>>>>>>>>please notify the sender and delete it immediately.
>>>>>>>>>
>>>>>>>>>Internet communications are not secure. You should scan this
>>>>>>>>>message
>>>>>>>>>and any attachments for viruses. Under no circumstances do we
>>>>>>>>>accept
>>>>>>>>>liability for any loss or damage which may result from your
>>>>>>>>>receipt
>>>>>>>>>of
>>>>>>>>>this message or any attachments.
>>>>>>>>>******************************************************************
>>>>>>>>>**
>>>>>>>>>*
>>>>>>>>>**
>>>>>>>>>*******
>>>>>>>>>
>>>>>>>>>_______________________________________________
>>>>>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>>>
>>>>>>>>
>>>>>>>>Brian Feeny, CCIE #8036, CISSP
>>>>>>>>Network Engineer
>>>>>>>>ShreveNet Inc.
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
>>>>>>_______________________________________________
>>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>
>>>>>>
>>>
>>>Brian Feeny, CCIE #8036, CISSP
>>>Network Engineer
>>>ShreveNet Inc.
>>>
>>
>>------------------------------
>>
>>Message: 4
>>Date: Wed, 9 Feb 2005 11:10:12 -0500
>>From: Matthew Crocker <matthew at crocker.com>
>>Subject: Re: [c-nsp] Cisco 3550 maximum number of routable interfaces
>> limit?
>>To: "Adam Greene" <maillist at webjogger.net>
>>Cc: cisco-nsp at puck.nether.net
>>Message-ID: <961cc76a582262da43ae00e4e48fee56 at crocker.com>
>>Content-Type: text/plain; charset=US-ASCII; format=flowed
>>
>>We use a 3550 to aggregate our T1 traffic. We have a Seranoa WANPort
>>(IPeX) which terminates channelized DS-3s into 802.1q VLANs. We take
>>the GigE from the Seranoa and run it into a 3550. The 3550 config has
>>a 'interface VLAN' for each T1 customer, with ip subnet and static
>>routes assigned. The 3550 is a member in our OSPF area 0 announcing
>>customer routes. We have about 30 'Interface vlan' configured right
>>now passing about 16mbps of traffic without any problems. CEF is
>>running but I heard after 8 interfaces everything is punted to process
>>switched. We are at 1% CPU so I'm not sure about that either. I plan
>>on adding another 100 or so interfaces to this box, hopefully it
>>doesn't melt on me
>>
>>-matt
>>
>>On Feb 9, 2005, at 8:43 AM, Adam Greene wrote:
>>
>>
>>>This has been quite useful to me, too. We shied away from purchasing
>>>3550's
>>>a while back because we were looking to put up to 256 SVI's on whatever
>>>layer 3 switch we got. We went with the Extreme Summit series instead
>>>(200-24 and 48si).
>>>
>>>However, it's sounding like even with 256 SVI's, if I keep the routing
>>>table
>>>small (for example, our Extremes only have about 50 right now), we
>>>could
>>>still consider 3550's. In fact, since we may need to upgrade our
>>>Summit200-24 soon, this puts the 3550 back on the map for me.
>>>
>>>Anyone else doing lots of SVI's in an OSPF environment with relatively
>>>few
>>>routes?
>>>
>>>----- Original Message -----
>>>From: "Marcel Lammerse" <lammerse at xs4all.nl>
>>>To: "cisco-nsp" <cisco-nsp at puck.nether.net>
>>>Sent: Tuesday, February 08, 2005 12:26 AM
>>>Subject: Re: [c-nsp] Cisco 3550 maximum number of routable interfaces
>>>limit?
>>>
>>>
>>>
>>>>Thanks all, I know a lot more abot 3550 performance now :-)
>>>>
>>>>Marcel
>>>>
>>>>On Feb 7, 2005, at 9:46 PM, Mark Boolootian wrote:
>>>>
>>>>
>>>>>>show sdm prefer only shows you the current template and numbers from
>>>>>>the
>>>>>>published tables. I'm more interested in tcam resources actually
>>>>>>used/available on the live switches.
>>>>>
>>>>>You and me both. Surely you know about 'show tcam...'. I would
>>>>>prefer an interface that allowed me to say 'show tcam statistics'
>>>>>providing a matrix of utilization stats (including stats on routes).
>>>>>_______________________________________________
>>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>>>
>>>>
>>>>_______________________________________________
>>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>---
>>>>[This e-mail was scanned for viruses by Webjogger's AntiVirus
>>>>Protection
>>>
>>>System]
>>>
>>>>
>>>---
>>>[This e-mail was scanned for viruses by Webjogger's AntiVirus
>>>Protection System]
>>>
>>>_______________________________________________
>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>------------------------------
>>
>>_______________________________________________
>>cisco-nsp mailing list
>>cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>
>>End of cisco-nsp Digest, Vol 27, Issue 41
>>*****************************************
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
adixor
More information about the cisco-nsp
mailing list