From nic.tjirkalli at za.verizonbusiness.com  Fri Aug  1 01:44:49 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Fri, 1 Aug 2008 07:44:49 +0200 (SAST)
Subject: [c-nsp] XR OS-SHMWIN-2-ERROR_ENCOUNTERED
In-Reply-To:
References:
Message-ID:

Howdy ho,

> How much memory is installed in slot0 LC? Looks like you might not have
> enough.

yip looks like the issue

> Can you send a "show diag"

poor card only has 512Meg route memory

SLOT 0  (RP/LC 0): Cisco 12000 4-Port ISE ATM Over SONET OC3/STM-1 Single Mode/IR SC-SC connector
  MAIN: type 129,  800-24341-04 rev G0 dev 0
        HW config: 0x00    SW key: 00-00-00
  PCA:  73-7852-07 rev E0 ver 4
        HW version 1.0  S/N SAD1220039U
  MBUS: Embedded Agent
        Test hist: 0x00    RMA#: 00-00-00    RMA hist: 0x00
  DIAG: Test count: 0x00000000    Test results: 0x00000000
  FRU:  Linecard/Module: 4OC3/ATM-IR-SC
        Route Memory: MEM-LC-512=
        Packet Memory: MEM-LC1-PKT-512=
  L3 Engine: 3 - ISE OC48 (2.5 Gbps)
  MBUS Agent Software version 2.56 (RAM) (ROM version is 2.23)
  Using CAN Bus A
  ROM Monitor version 1.8
  Fabric Downloader version used 8.0 (ROM version is 5.5)
  Primary clock is CSC1
  Board State is IOS-XR RUN
  Insertion time: Fri Jul  4 10:15:08 2008 (3w6d ago)
  DRAM size: 536870912 bytes
  FrFab SDRAM size: 268435456 bytes
  ToFab SDRAM size: 268435456 bytes
  0 crashes since restart/fault forgive

and from:

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.4/general/release/notes/reln_342.html

  The minimum memory requirements for Cisco XR 12000 Series Routers
  running Cisco IOS XR Software Release 3.4.2 are:
    - 1-GB line card route memory on all Engine 3 line cards

so this looks like the issue

thanx for your response and help - much appreciated

later

> Rich
>
> On 31/07/2008, at 8:19 PM, Nic Tjirkalli wrote:
>
>> Howdy ho,
>>
>> Have a CISCO GSR 12416/PRP running XR 3.6.1
>>
>> and it has started continually whining about :-
>>
>> LC/0/0/CPU0:Jul 31 10:15:47.970 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>> LC/0/0/CPU0:Jul 31 10:15:50.337 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>> LC/0/0/CPU0:Jul 31 10:16:17.989 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>> LC/0/0/CPU0:Jul 31 10:16:19.372 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>> LC/0/0/CPU0:Jul 31 10:16:48.014 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>> LC/0/0/CPU0:Jul 31 10:16:49.269 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>>
>> CCO says log a tac case, but was wondering if anybody had some ideas of
>> what this error is and how to go about "fixing" it
>>
>> thanx
>>
>> ---------------------------------------------------------------------
>> Mind Like A Steel Trap - Rusty And Illegal In 37 States.
>>
>> Nic Tjirkalli
>> Verizon Business South Africa
>> Network Strategy Team
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

---------------------------------------------------------------------
Reality is merely an illusion, albeit a very persistent one.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
is strictly confidential and intended only for use by the addressee unless
otherwise indicated.

Company Information: http://www.verizonbusiness.com/za/contact/legal/

From arla at rn.dk  Fri Aug  1 01:32:33 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Fri, 1 Aug 2008 07:32:33 +0200
Subject: [c-nsp] debugging and tracing on IP-Sec tunnel
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>

Hi Folks

I need some advice regarding trace and debug on a tunnel with IPSec.
We are using a provider for some kind of health service; these servers can be
reached via a tunnel interface in our network and vice versa.
My problem is that one server is out of reach on http traffic but not on ssh.
If I deploy an access-list on the tunnel interface, I can see that the
http-traffic is being forwarded via the tunnel interface.
So how can I be sure that the IP-Sec interface also is forwarding the http
traffic and not just ssh.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key Klipklapklop4433saksen address xxxxxxxxx
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map MEDMAP 2 ipsec-isakmp
 description nja -> medcom
 set peer xxxxxxxxxxx
 set transform-set strong
 match address krypt-medcom

interface Tunnel1
 description GRE interface
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip mtu 1300
 ip nat outside
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xxx.xxx.xxx.xxx
!
interface FastEthernet0/0
 description Outside - Internetrouter
 ip address xxx.xxx.xxx.xxx 255.255.255.128
 speed 100
 full-duplex
 crypto map MEDMAP

From abalashov at evaristesys.com  Fri Aug  1 02:00:08 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 01 Aug 2008 02:00:08 -0400
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To:
References:
Message-ID: <4892A668.3010902@evaristesys.com>

Andreas Sikkema wrote:

> How do I add 310 as a prefix to the calls from port 3/3 so that dialpeer
> 100 does not match and calls go to dialpeer 12 (or something functionally
> similar)?

To add translations based on a specific physical port, you have to add the
translation profile to the voice-port for 3/3, so that the translation can
happen before any dial-peer matching is done (that's the order of
evaluation).

Example:

voice translation-rule 2
 rule 1 /^\(.+\)/ /05500\1/
!
!
voice translation-profile FAX-TRANSLATIONS
 translate called 2
!
...
!
voice-port 4/1:D
 translation-profile incoming FAX-TRANSLATIONS
 no comfort-noise
 bearer-cap 3100Hz
!
...
!
dial-peer voice 803 voip
 description FAX DIDs
 destination-pattern 05500T
 session protocol sipv2
 session target ipv4:XXX.YYY.ZZZ.AAA
 session transport udp
 dtmf-relay rtp-nte
 codec g711ulaw
 fax rate 14400 bytes 255
 fax protocol pass-through g711ulaw
 no vad

--

This example stamps a prefix of 05500 on all calls that come in on T1 4/1,
and then there is a dial peer that matches 05500 + anything. In this case,
it's a VoIP peer, but it doesn't have to be.
--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From peter at rathlev.dk  Fri Aug  1 03:39:22 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 01 Aug 2008 09:39:22 +0200
Subject: [c-nsp] debugging and tracing on IP-Sec tunnel
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>
Message-ID: <1217576362.8240.17.camel@svesken.sys.mjna.net>

On Fri, 2008-08-01 at 07:32 +0200, Arne Larsen wrote:
> I need some advice regarding trace and debug on a tunnel with IPSec. We
> are using a provider for some kind of health service, these servers
> can be reached via a tunnel interface in our network and vice versa.
> My problem is that one server is out of reach on http traffic but not
> on ssh. If I deploy an access-list on the tunnel interface, I can see
> that the http-traffic is being forwarded via the tunnel interface. So
> how can I be sure that the IP-Sec interface also is forwarding the
> http traffic and not just ssh.

You could place a sniffer on the outside to look for ESP packets. If
there's a time window with no or little other traffic, you could be
fairly certain that some generated HTTP traffic is what you see on the
outside.

An access-list on Fa0/0 should also work. It could be the same as you use
for encrypting ("krypt-medcom"), which I presume allows GRE traffic from
your end to the other end.

Both are limited by the fact that the traffic is now encrypted, so it's
harder to tell if what you see really is what you expect.

Of course there could be other problems: the other end of the tunnel not
accepting the traffic (this specific peer usually sends unreachables
though) or maybe PMTUd problems. If a simple telnet towards port 80 is
working, but downloading pages isn't, adjust-mss might help. (We use
"ip tcp adjust-mss 1355" on our tunnel towards this provider.) This is
less probable if you have two similar servers working, but they might be
behind different tunnels themselves in the other end.

Mail me off list if you'd like me to test things from our end. :-)

Regards,
Peter

From Stefan.Hegger at lycos-europe.com  Fri Aug  1 06:03:51 2008
From: Stefan.Hegger at lycos-europe.com (Stefan Hegger)
Date: Fri, 1 Aug 2008 12:03:51 +0200
Subject: [c-nsp] DPD dead peer detection
Message-ID: <200808011203.51395.Stefan.Hegger@lycos-europe.com>

Hi,

probably someone can help me to answer the following question.

I have a VPN router (Router_a) with 2 interfaces connected to 2 ISPs with 2
IPs and I have a homeoffice with a small VPN router (Router_b) connected to
one ISP with one interface and one IP.

Now I want to use DPD to check which route to use to connect from Router_b to
Router_a. ISP1 is the default, ISP2 is backup.

As far as I understand DPD is a keepalive to check if a peer is up and
switches between peers and does not do anything with the routing. So it
checks only if the key exchange works and the peer is established within the
same tunnel. If it is like that, I can not use DPD to solve my problem and
should use track and ip sla monitor.

Best Stefan
--
Stefan Hegger
Internet System Engineer

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh

Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720

Sitz der Gesellschaft: Gütersloh
Amtsgericht Gütersloh, HRB 2157
Geschäftsführer: Christoph Mohn

From joost.greene at gmail.com  Fri Aug  1 09:14:18 2008
From: joost.greene at gmail.com (Joost greene)
Date: Fri, 1 Aug 2008 15:14:18 +0200
Subject: [c-nsp] Filtering telnet without ACL
Message-ID: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>

Hello,

Someone challenged me with a question on how I can filter telnet access to
one router from all hosts except two of them WITHOUT using access-lists or
access-line under the VTY? any ideas?

Regards,
Joost

From lists at memetic.org  Fri Aug  1 09:04:50 2008
From: lists at memetic.org (Adam Armstrong)
Date: Fri, 01 Aug 2008 14:04:50 +0100
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To:
References:
Message-ID: <489309F2.5080606@memetic.org>

David Curran wrote:
> Touche. I was speaking of the smaller catalyst platforms. However I'm not
> sure its fair to real routers to call the Supervisors route processors.
> That's like calling a Yugo a race car. Sure, you COULD race it...

Look at the specs of the RSP-720. It would be a lot faster at software
forwarding than all of the devices mentioned earlier. (it'd probably be
similar speed to the NPE-G2, I guess)

The issue is that the switch architecture makes it very hard to accurately
track and record the information needed for netflow. This information is
stored in TCAM, which is already scarce enough on those platforms!

adam.
From peter at rathlev.dk  Fri Aug  1 09:56:16 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 01 Aug 2008 15:56:16 +0200
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <1217598976.11771.2.camel@svesken.sys.mjna.net>

On Fri, 2008-08-01 at 15:14 +0200, Joost greene wrote:
> Someone challenged me with a question on how I can filter telnet access
> to one router from all hosts except two of them WITHOUT using
> access-lists or access-line under the VTY? any ideas?

Control-plane policing could do it without interface ACLs or VTY
access-classes, but it'd be a little hard to realise without access-lists
at all.

You could also disable telnet by not including it in the "transport input
..." configuration under line VTY. Like using just "transport input ssh"
or something. This would disable telnet, but not SSH.

Regards,
Peter

From sil at infiltrated.net  Fri Aug  1 09:19:49 2008
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 1 Aug 2008 08:19:49 -0500
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <20080801131949.GA8073@infiltrated.net>

On Fri, 01 Aug 2008, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? any ideas?
>
> Regards,
> Joost

Route map...

! The ACL must *permit* telnet for the route-map clause to match it;
! a "deny" entry means "no match" and the packet is routed normally.
ip access-list extended NO_TELNET
 permit tcp any any eq 23
!
route-map BLOCK_TELNET 10
 match ip address NO_TELNET
 set interface Null0
!
! "ip local policy" only policy-routes packets the router itself originates.
! To catch inbound telnet, apply "ip policy route-map BLOCK_TELNET" on the
! ingress interfaces as well.
ip local policy route-map BLOCK_TELNET

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best forms (of government)
those entrusted with power have, in time, and by slow operations,
perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

From saku+cisco-nsp at ytti.fi  Fri Aug  1 10:04:58 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 1 Aug 2008 17:04:58 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <20080801140458.GA21900@mx.ytti.net>

On (2008-08-01 15:14 +0200), Joost greene wrote:

Hey,

> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? any ideas?

I assume the challenge was set because the asker knows how to do it. If not,
then I think the challenge should be how to make the router output PONIES.

Anyhow, I think CoPP, rACL and policy-route would break the 'no acl'
definition and wouldn't be an acceptable solution.

I think what would fit the rule is an MPLS LSR where you'd only have a route
back to a couple of management hosts and others couldn't telnet to the box,
simply because the box doesn't have a route to them. Of course everyone in
your IGP could telnet to the box also.
--
  ++ytti

From korio at korio.org  Fri Aug  1 10:38:55 2008
From: korio at korio.org (Iassen Anadoliev)
Date: Fri, 1 Aug 2008 17:38:55 +0300 (EEST)
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>

On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? any ideas?
>
> Regards,
> Joost

Well if we assume that this is an ethernet network and the hosts are
within our broadcast domain I think you can use MQC = NBAR, something like:

! The nested class-map has to exist before another class-map references it.
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxx.xxx.xxx
 match source-address mac yyy.yyy.yyy
 exit

class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
 exit

class-map match-all DENY_TELNET
 match protocol telnet
 exit

! Classes are evaluated top down: telnet from the two MACs hits PERMIT_TELNET
! (no action = forwarded as usual); any other telnet falls into DENY_TELNET.
! Queueing actions such as "bandwidth" are not accepted in an input policy.
policy-map IN_FE0/0
 class PERMIT_TELNET
 class DENY_TELNET
  drop

interface FastEthernet0/0
 service-policy input IN_FE0/0

--
WWell by
Iassen Anadoliev

From dcurran at nuvox.com  Fri Aug  1 11:38:17 2008
From: dcurran at nuvox.com (David Curran)
Date: Fri, 01 Aug 2008 11:38:17 -0400
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: <489309F2.5080606@memetic.org>
Message-ID:

Agreed, and not to beat a dead horse, but there are mechanisms to send full
packets to the processor and still circulate packets via the switch path for
forwarding. My point is that a switch that has a reported 720G throughput
most likely does not have the processor to do netflow on all of that.

That was my point about comparing a switch to a router. OK, I promise, I'm
done ;)

> From: Adam Armstrong
> Date: Fri, 01 Aug 2008 14:04:50 +0100
> To: David Curran ,
> Subject: Re: [c-nsp] Netflow / 3560 platform
>
> David Curran wrote:
>> Touche. I was speaking of the smaller catalyst platforms. However I'm not
>> sure its fair to real routers to call the Supervisors route processors.
>> That's like calling a Yugo a race car. Sure, you COULD race it...
>>
> Look at the specs of the RSP-720. It would be a lot faster at software
> forwarding than all of the devices mentioned earlier. (it'd probably be
> similar speed to the NPE-G2, I guess)
>
> The issue is that the switch architecture makes it very hard to
> accurately track and record the information needed for netflow. This
> information is stored in TCAM, which is already scarce enough on those
> platforms!
>
> adam.

This email and any attachments ("Message") may contain legally privileged
and/or confidential information. If you are not the addressee, or if this
Message has been addressed to you in error, you are not authorized to read,
copy, or distribute it, and we ask that you please delete it (including all
copies) and notify the sender by return email. Delivery of this Message to
any person other than the intended recipient(s) shall not be deemed a waiver
of confidentiality and/or a privilege.
From ben.steele at internode.on.net  Fri Aug  1 19:54:01 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Sat, 2 Aug 2008 09:24:01 +0930
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>
Message-ID: <830144EC662F4019942F71E912AEF4CE@MOYAPENYA>

I like the answer from Iassen, while it does leave some question as to where
the source packet comes from though as he has assumed local broadcast
segment, I guess you could add to your answer should the packet be from
beyond a layer 3 boundary then the 2 hosts can be requested to mark traffic
(or even a different router along the path mark it) to match in your class
map on this router, that way you still avoid ACLs but meet the question
requirements, that is a stupid way of doing it though as it's not very
secure should someone learn the magic tos bit to use to get telnet access :)

----- Original Message -----
From: "Iassen Anadoliev"
To: "Joost greene"
Cc:
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL

> On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
>> Hello,
>>
>> Someone challenged me with a question on how I can filter telnet access
>> to one router from all hosts except two of them WITHOUT using
>> access-lists or access-line under the VTY? any ideas?
>>
>> Regards,
>> Joost
>
> Well if we assume that this is an ethernet network and the hosts are
> within our broadcast domain I think you can use MQC = NBAR, something like:
>
> [...]
>
> --
> WWell by
> Iassen Anadoliev

From bitkraft at gmail.com  Fri Aug  1 22:05:41 2008
From: bitkraft at gmail.com (Brian Spade)
Date: Fri, 1 Aug 2008 19:05:41 -0700
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To:
References: <489309F2.5080606@memetic.org>
Message-ID: <505b616c0808011905v4b5dfaa3ye24432b0718473a0@mail.gmail.com>

Thanks for your responses. I thought it was Cisco's evil plan to make
customers purchase the more expensive 650x line of switches for Netflow :-)

/b

On Fri, Aug 1, 2008 at 8:38 AM, David Curran wrote:
> Agreed, and not to beat a dead horse, but there are mechanisms to send full
> packets to the processor and still circulate packets via the switch path
> for forwarding. My point is that a switch that has a reported 720G
> throughput most likely does not have the processor to do netflow on all of
> that.
>
> That was my point about comparing a switch to a router. OK, I promise,
> I'm done ;)
>
>> From: Adam Armstrong
>> Date: Fri, 01 Aug 2008 14:04:50 +0100
>> To: David Curran ,
>> Subject: Re: [c-nsp] Netflow / 3560 platform
>>
>> David Curran wrote:
>>> Touche. I was speaking of the smaller catalyst platforms. However I'm
>>> not sure its fair to real routers to call the Supervisors route
>>> processors. That's like calling a Yugo a race car. Sure, you COULD
>>> race it...
>>>
>> Look at the specs of the RSP-720. It would be a lot faster at software
>> forwarding than all of the devices mentioned earlier. (it'd probably be
>> similar speed to the NPE-G2, I guess)
>>
>> The issue is that the switch architecture makes it very hard to
>> accurately track and record the information needed for netflow. This
>> information is stored in TCAM, which is already scarce enough on those
>> platforms!
>>
>> adam.

From jay at west.net  Sat Aug  2 12:35:27 2008
From: jay at west.net (Jay Hennigan)
Date: Sat, 02 Aug 2008 09:35:27 -0700
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080801140458.GA21900@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<20080801140458.GA21900@mx.ytti.net>
Message-ID: <48948CCF.7070003@west.net>

Saku Ytti wrote:

> I assume the challenge was set because the asker knows how to do it.

Or the asker didn't know how to do it and it cost him some time and a few
points, somewhere, in some lab...

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From ras at e-gerbil.net  Sat Aug  2 15:20:49 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sat, 2 Aug 2008 14:20:49 -0500
Subject: [c-nsp] SNMP query mac-address-table on 6500/7600 IOS
Message-ID: <20080802192049.GF4889@gerbil.cluepon.net>

Is there a way to SNMP query the mac-address-table on a 6500/7600 sup720
running IOS (SXF, SRC, whatever)? There are some docs on the subject for
lower end catalysts but I'm not getting any data under dot1dTpFdbTable or
anything else useful from the bridge mib.

I'll also settle for alternative ways to solve my problem... I'm trying to
identify the actual physical port that a specific IP address (or mac
address, since I already have that) is being sent to, when that IP address
is routed via a L3 vlan iface that is trunked via multiple switchports.
Querying the mac-address-table seems like the easiest way, except I can't seem to make it work via snmp. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From tbaranski at mail.com Sat Aug 2 15:31:09 2008 From: tbaranski at mail.com (Terry Baranski) Date: Sat, 2 Aug 2008 15:31:09 -0400 Subject: [c-nsp] DPD dead peer detection In-Reply-To: <200808011203.51395.Stefan.Hegger@lycos-europe.com> Message-ID: <000001c8f4d6$518ddf10$0200000a@pleth0ra> Stefan, You're right -- DPD is just a keepalive. It sounds like what you want is two "set peer" statements in Router-B's crypto-map. If you have recent enough code you can put the "default" command after the ISP1 peer statement to make it the primary. If not, I don't know of a way to always prefer one peer over the other -- in my experience the first peer in a crypto-map isn't always the one used (at the very least, the failover behavior seems to be non-revertive). I think you'll still want to use DPD in this scenario for reliable failure detection -- it should allow Router-B to switch peers faster during a failure. -Terry > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stefan Hegger > Sent: Friday, August 01, 2008 6:04 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] DPD dead peer detection > > > Hi, > > probably someone can help me to answer the following question. > > > I have a VPN router (Router_a) with 2 interfaces connected to > 2 ISP's with 2 > IP's and I have a homeoffice with a small VPN router > (Router_b) connected to > one ISP with one interface and one IP. > > Now I want to use DPD to check which route to use to connect > from Router_b to > Router_a. ISP1 is the default, ISP2 is backup. > > As far as I understand DPD is a keepalive to check if a peer > is up and > switches between peers and does not do anything with the > routing. 
So it > checks only if the key exchange works and peer is established > within same > tunnel. If it is like that, I can not use DPD to solve my > problem and should > use track and ip sla monitor. > > Best Stefan > -- > Stefan Hegger > Internet System Engineer > > Lycos Europe GmbH > Carl-Bertelsmann Str. 29 > Postfach 315 > 33312 G?tersloh > > Phone: > Tel: +49 5241 8071 334 > Fax: +49 5241 80671 334 > Mobile: +49 170 1892720 > > Sitz der Gesellschaft: G?tersloh > Amtsgericht G?tersloh, HRB 2157 > Gesch?ftsf?hrer: Christoph Mohn > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From felixnkansah at gmail.com Sat Aug 2 16:20:02 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Sat, 2 Aug 2008 20:20:02 +0000 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? Message-ID: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Hi, I am working on an MPLS proposal for a mobile carrier (with 2mil+ customers). I need to decide on what routers to use as PE and P for their backhaul between 5 sites. I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as PE/P. Please let me know what your expert opinion is on this matter. They require MPLS VPN, TE, and QoS. Regards, Felix From saku+cisco-nsp at ytti.fi Sat Aug 2 16:40:42 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sat, 2 Aug 2008 23:40:42 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Message-ID: <20080802204042.GA8482@mx.ytti.net> On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). 
> > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully whether or not you can live with LAN card limitations. Without knowing the specifics of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS, which LAN cards do not do. Other limitations that pop into my mind are: no vlan local significance, no IPv6/uRPF (and chassis-wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, and either you lose up-to /128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have many more options to choose from: ASR1k, MX, M, GSR, CRS. But if you are aware of all the catches with LAN interfaces and can live with/work around them, it's very good value for your money. However, in my book they suit the LSR/P role much better than the LER/PE role. -- ++ytti From rubensk at gmail.com Sat Aug 2 16:52:28 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Sat, 2 Aug 2008 17:52:28 -0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Message-ID: <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and 12000. ME6524 seems a good fit for this environment, J-2320/6350 could be the J-land options to explore (although ISR 38x5 are their counterparts at C-land, not the ME6524).
Rubens On Sat, Aug 2, 2008 at 5:20 PM, Felix Nkansah wrote: > Hi, > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. > > Regards, > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ras at e-gerbil.net Sat Aug 2 18:14:10 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sat, 2 Aug 2008 17:14:10 -0500 Subject: [c-nsp] SNMP query mac-address-table on 6500/7600 IOS In-Reply-To: <20080802192049.GF4889@gerbil.cluepon.net> References: <20080802192049.GF4889@gerbil.cluepon.net> Message-ID: <20080802221410.GH4889@gerbil.cluepon.net> On Sat, Aug 02, 2008 at 02:20:49PM -0500, Richard A Steenbergen wrote: > Is there a way to SNMP query the mac-address-table on a 6500/7600 sup720 > running IOS (SXF, SRC, whatever)? There are some docs on the subject for > lower end catalysts but I'm not getting any data under dot1dTpFdbTable or > anything else useful from the bridge mib. > > I'll also settle for alternative ways to solve my problem... I'm trying to > identify the actual physical port that a specific IP address (or mac > address, since I already have that) is being sent to, when that IP address > is routed via a L3 vlan iface that is trunked via multiple switchports. > Querying the mac-address-table seems like the easiest way, except I can't > seem to make it work via snmp. Sigh nevermind, found the problem. Seems you have to use a community of blah at vlanid to access the bridge mib. 
-- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From vikassharmas at gmail.com Sun Aug 3 02:14:57 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Sun, 3 Aug 2008 11:44:57 +0530 Subject: [c-nsp] mac-address auto support for FWSM Message-ID: Hi, Does FWSM support the mac-address auto command? If yes, which version? Regards, Vikas Sharma From christian at broknrobot.com Sun Aug 3 03:08:52 2008 From: christian at broknrobot.com (Christian Koch) Date: Sun, 3 Aug 2008 03:08:52 -0400 Subject: [c-nsp] mac-address auto support for FWSM In-Reply-To: References: Message-ID: i don't believe so.. On Sun, Aug 3, 2008 at 2:14 AM, Vikas Sharma wrote: > Hi, > > Does FWSM support mac-address auto command? If yes which version? > > Regards, > Vikas Sharma > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From haminu at cisco.com Sun Aug 3 03:13:33 2008 From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco)) Date: Sun, 3 Aug 2008 09:13:33 +0200 Subject: [c-nsp] mac-address auto support for FWSM In-Reply-To: References: Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04E6C2F8@xmb-ams-334.emea.cisco.com> Hi, Up to 3.2 it's not supported... I don't think it's there... Hth hash -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Sunday, August 03, 2008 10:09 AM To: Vikas Sharma Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] mac-address auto support for FWSM i don't believe so.. On Sun, Aug 3, 2008 at 2:14 AM, Vikas Sharma wrote: > Hi, > > Does FWSM support mac-address auto command? If yes which version?
> > Regards, > Vikas Sharma > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From haminu at cisco.com Sun Aug 3 03:16:19 2008 From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco)) Date: Sun, 3 Aug 2008 09:16:19 +0200 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04E6C2FA@xmb-ams-334.emea.cisco.com> Hi Saku, It depends again on what services you are trying to provision... in all cases I have seen the 7600 as the way to go... without cost being the hindrance :) Hth Hash -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Saturday, August 02, 2008 11:41 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully if or not you can live with LAN card limitations.
Without knowing specific of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS which LAN cards do not do. Other limitations that pop in my mind are, no vlan local significance, no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have much more options to choose from. ASR1k, MX, M, GSR, CRS. But if you are aware of all the catches with LAN interfaces and can live/workaround them, it's very good value to your money. However, in my book they suite much better LSR/P role than LER/PE role. -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From saku+cisco-nsp at ytti.fi Sun Aug 3 04:12:06 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 11:12:06 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> Message-ID: <20080803081205.GA22300@mx.ytti.net> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote: > AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software > releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and I believe ASR1k did MPLS and L3 MPLS VPN in FCS. Only large bit missing was L2 MPLS VPN's which is coming in release3 iirc. > 12000. ME6524 seems a good fit for this environment, J-2320/6350 could > be the J-land options to explore (although ISR 38x5 are their > counterparts at C-land, not the ME6524). QoS in PE and catalyst doesn't seem good fit to me. 
Unless you have a dedicated port for each customer. But in my view almost all PE usages include customers in VLANs, in which case, to do any QoS, you need HQoS, which LAN cards cannot do. They are cheap for a reason. While in the LSR/P role, LAN cards are a perfect fit. It's quite backwards really: you want 'WAN' cards to face your distribution, and LAN cards are fine in all of the core, except if you want to do VPLS, in which case the LER/PE needs a WAN card towards the core too. WAN being SIP (be careful with ES20). -- ++ytti From gert at greenie.muc.de Sun Aug 3 04:57:15 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 3 Aug 2008 10:57:15 +0200 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <20080803085714.GW288@greenie.muc.de> Hi, On Sat, Aug 02, 2008 at 11:40:42PM +0300, Saku Ytti wrote: > no IPv6/uRPF Is this a hardware or software limitation? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From saku+cisco-nsp at ytti.fi Sun Aug 3 05:35:22 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 12:35:22 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080803085714.GW288@greenie.muc.de> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <20080803085714.GW288@greenie.muc.de> Message-ID: <20080803093522.GA22667@mx.ytti.net> On (2008-08-03 10:57 +0200), Gert Doering wrote: > Hi, > > On Sat, Aug 02, 2008 at 11:40:42PM +0300, Saku Ytti wrote: > > no IPv6/uRPF > > Is this a hardware or software limitation?
Hardware, but you can of course use ACLs. I /think/ EARL8 (Nexus7k) does loose+strict per interface and IPv6/uRPF. -- ++ytti From masood at nexlinx.net.pk Sun Aug 3 09:18:46 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 18:18:46 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <011101c8f56b$79494590$6bdbd0b0$@net.pk> MPLS VPN, TE and QoS: if all you need is in one BOX, then better you go for the Juniper M Series. Juniper M10i or M120/320. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 1:41 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully if or not you can live with LAN card limitations. Without knowing specific of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS which LAN cards do not do. Other limitations that pop in my mind are, no vlan local significance, no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have much more options to choose from. ASR1k, MX, M, GSR, CRS.
But if you are aware of all the catches with LAN interfaces and can live/workaround them, it's very good value to your money. However, in my book they suite much better LSR/P role than LER/PE role. -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From saku+cisco-nsp at ytti.fi Sun Aug 3 09:04:07 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 16:04:07 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <011101c8f56b$79494590$6bdbd0b0$@net.pk> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> Message-ID: <20080803130407.GA28665@mx.ytti.net> On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX than better you go for > Juniper M Series. Juniper M10i or M120/320. M10i is quite an aging platform, displaying a varying amount of issues. I'd say MX and M120 would be better picks. One particular example that comes to mind is the inability to pop explicit-null and decrement the IP TTL at the same time, making the egress PE disappear from traceroute when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not; haven't tested though.) > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Sunday, August 03, 2008 1:41 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites.
> > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations. Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. > Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti From masood at nexlinx.net.pk Sun Aug 3 13:12:23 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 22:12:23 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080803130407.GA28665@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> <20080803130407.GA28665@mx.ytti.net> Message-ID: <013701c8f58c$1bc17930$53446b90$@net.pk> In case of Cisco, how about point to multipoint LSP's & multipoint to point LSP's? If you need scalable VPLS you may find JUNOS (juniper) better than IOS. 
Although both vendors support LDP/RSVP-TE, they have some layer 8-9 :) issues. One (Cisco) is supporting LDP while Juniper is working extensively on RSVP-TE (BGP). -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 6:04 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX than better you go for > Juniper M Series. Juniper M10i or M120/320. M10i is quite aging platform, displaying varying amount of issues. I'd say MX and M120 would be better picks. One particular example comes to mind is inability to pop explicit-null and decreasing IP TTL at the same time, making egress PE disappear from traceroute, when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not, haven't tested though). > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Saturday, August 02, 2008 11:41 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites. > > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations.
Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. > Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Sun Aug 3 12:19:09 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Sun, 3 Aug 2008 11:19:09 -0500 Subject: [c-nsp] router as bridge for netflow exports Message-ID: Hello, I'm wondering if it should work to setup a router as a bridged device to put in between a couple of switches to do some netflow exports? Or is there a better way to get this kind of data from a link? Thanks, Dan. From masood at nexlinx.net.pk Sun Aug 3 13:27:37 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 22:27:37 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? 
In-Reply-To: <013701c8f58c$1bc17930$53446b90$@net.pk> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> <20080803130407.GA28665@mx.ytti.net> <013701c8f58c$1bc17930$53446b90$@net.pk> Message-ID: <013801c8f58e$3cc76200$b6562600$@net.pk> I don't want to start another thread for MPLS TE along with best vendor, but it's an important topic in mobile carriers' networks. There are currently two label distribution protocols that Cisco/Juniper support for Traffic Engineering: RSVP, CR-LDP. Although the two protocols provide a similar level of service, the way they operate is different, and the detailed function they offer is also not consistent. Network engineers need clear information to help them decide which protocol to implement in a Traffic Engineered MPLS network. Each protocol has its champions and detractors, and the specifications are still under development. The choice of label distribution protocol is crucial for the success of device manufacturers and network providers, yet it is very difficult to identify which protocol is the right one to use in a particular environment. Traffic Engineering is a never-ending topic, but some comments/thoughts can make it more interesting. Regards, Masood Ahmad Shah BLOG: http://www.weblogs.com.pk/jahil -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Masood Ahmad Shah Sent: Sunday, August 03, 2008 10:12 PM To: 'Saku Ytti'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? In case of Cisco, how about point to multipoint LSP's & multipoint to point LSP's? If you need scalable VPLS you may find JUNOS (juniper) better than IOS. Although both vendors are supporting LDP/RSVP-TE, but they have some layer 8-9 :) issues. One (Cisco) is supporting LDP while juniper is working extensively on RSVP-TE(BGP).
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 6:04 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX than better you go for > Juniper M Series. Juniper M10i or M120/320. M10i is quite aging platform, displaying varying amount of issues. I'd say MX and M120 would be better picks. One particular example comes to mind is inability to pop explicit-null and decreasing IP TTL at the same time, making egress PE disappear from traceroute, when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not, haven't tested though). > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Sunday, August 03, 2008 1:41 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites. > > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations. Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. 
> Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From christian at broknrobot.com Sun Aug 3 13:44:23 2008 From: christian at broknrobot.com (Christian Koch) Date: Sun, 3 Aug 2008 13:44:23 -0400 Subject: [c-nsp] EOBC Tx Errors Message-ID: Can anyone tell me exactly what the ethernet out of band channel is used for and why I would be getting errors on it? box is 7609-S with RSP720 Thanks Christian From rubensk at gmail.com Sun Aug 3 15:23:31 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Sun, 3 Aug 2008 16:23:31 -0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? 
In-Reply-To: <20080803081205.GA22300@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> Message-ID: <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> >> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could >> be the J-land options to explore (although ISR 38x5 are their >> counterparts at C-land, not the ME6524). > > QoS in PE and catalyst doesn't seem good fit to me. Unless you have > dedicated port to each customer. But in view most all PE usages > include customers in VLAN, in which case, to do any QoS, you > need HQoS, which LAN cards can not do. They are cheap for > a reason. "mls qos vlan-based" can be turned on to do PFC-QoS on VLANs... (at least on PFC3C, but I thought it was supported on other PFC3 releases). HQoS is nice for building services like "25% of the bandwidth has voice priority, if no voice traffic is present you can go up to 100%, if more than 25% is voice then only 25% will have expedited forwarding", but if you provide simple CIR/PIR services per VLAN, differentiating needs by different VLANs, what could be achieved by HQoS that PFC-QoS would do only by dedicating a port? Rubens From saku+cisco-nsp at ytti.fi Sun Aug 3 15:42:54 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 22:42:54 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> Message-ID: <20080803194254.GB1690@mx.ytti.net> On (2008-08-03 16:23 -0300), Rubens Kuhl Jr. wrote: > "mls qos vlan-based" can be turned on to do PFC-QoS on VLANs...
(at > least on PFC3C, but I thought it was supported on other PFC3 > releases). > > HQoS is nice for building services like "25% of the bandwidth has > voice priority, if no voice traffic present you can go up to 100%, if > more than 25% is voice than only 25% will have expedite forwarding", > but if you provide simple CIR/PIR services per VLAN, differentiating > needs by different VLANs, what could be achieved by HQoS that PFC-QoS > would do only by dedicating a port ? Well, consider I have a TenGig connection to my distribution, and customers are terminated on VLAN subinterfaces. Now, obviously the router has no clue what the actual speed of each VLAN is. So let's say I have a 2M corporate connection in one VLAN. To guarantee voice quality for that 2M customer, I'd need to first shape it to 2M, then inside that 2M space I'd need to prioritize VoIP. Of course, if at all possible, QoS should be done on the port facing the customer. Be it a DSLAM port or a switch port, then you don't have to care about QoS at the aggregation/PE level and can get significant cost savings. -- ++ytti From mtinka at globaltransit.net Sun Aug 3 19:05:03 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 4 Aug 2008 07:05:03 +0800 Subject: [c-nsp] LDP Graceful restart In-Reply-To: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com> References: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com> Message-ID: <200808040705.07913.mtinka@globaltransit.net> On Thursday 31 July 2008 20:25:15 Monika M wrote: > Does the graceful restart feature for LDP works in a > single route processor configuration? (similar to Routing > protocols?) We have seen it work as desired between multiple 7206-VXR units (which are, by no means, hardware/distributed routing platforms, but for all intents and purposes, have a single control plane). Here's some log output: Jul 27 00:26:41.874 MYT: %LDP-5-GR: GR session 192.168.0.1:0 (inst.
13): interrupted--recovery pending We have a couple of Junipers (M-series) that have LDP configured for GR, but those have been stable so I have no logs to offer :-). Cheers, Mark. From nmcnsp at packetarchitects.com Mon Aug 4 01:22:27 2008 From: nmcnsp at packetarchitects.com (Nihar Mehta) Date: Sun, 3 Aug 2008 22:22:27 -0700 Subject: [c-nsp] 6509 ACE/FWSM Modules?????????? In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> Message-ID: Cisco has published the following for design with ACE and FWSM. http://www.cisco.com/univercd/cc/td/doc/solution/*ace*_*fwsm*.pdf - Nihar On Tue, Jul 29, 2008 at 3:49 PM, Teller, Robert wrote: > I am working on implementing two 6509 chassis setup using vss and > ace/fwsm modules. Anyone know of any good books for the ACE and FWSM > modules? > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address.
> ######################################################### > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jmayer at loplof.de Mon Aug 4 01:58:07 2008 From: jmayer at loplof.de (Joerg Mayer) Date: Mon, 4 Aug 2008 07:58:07 +0200 Subject: [c-nsp] 6500 rfc 2674 support? In-Reply-To: <20080718221119.GA27323@wildfire.net.ic.ac.uk> References: <31DA323D-AE39-4AEA-8B76-3BB4B7CCBC29@princeton.edu> <20080718221119.GA27323@wildfire.net.ic.ac.uk> Message-ID: <20080804055807.GM21516@thot.informatik.uni-kl.de> On Fri, Jul 18, 2008 at 11:11:19PM +0100, Phil Mayers wrote: > > Is there another CISCO MIB that can be accessed without using > >indexing that contains the BRIDGE FDB with vlan info? > > > > > >It sure would be nice to have this work since all our other switches > >support it. We are trying to come up with an accurate way to model > >L2 VLANs . > > Granted that the @vlan is a (tiny) bit tedious to implement, what's > inaccurate about using the indexed mode? IIRC, it has been very inconvenient for us when using SNMPv3 because you need to add a new config line for each vlan (aka context). ciao Joerg -- Joerg Mayer We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. From stig.johansen at ementor.no Mon Aug 4 02:46:14 2008 From: stig.johansen at ementor.no (Stig Johansen) Date: Mon, 4 Aug 2008 08:46:14 +0200 Subject: [c-nsp] router as bridge for netflow exports References: Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B95@100NOOSLMSG004.common.alpharoot.net> Setup a sniffer and use netflow export on it. See f.ex. 
http://www.ntop.com/nProbe.html Best regards, Stig Meireles Johansen -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman Sent: 3. august 2008 18:19 To: cisco-nsp at puck.nether.net Subject: [c-nsp] router as bridge for netflow exports Hello, I'm wondering if it should work to setup a router as a bridged device to put in between a couple of switches to do some netflow exports? Or is there a better way to get this kind of data from a link? Thanks, Dan. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From soonkian.wong at gmail.com Mon Aug 4 05:18:27 2008 From: soonkian.wong at gmail.com (Soon Kian) Date: Mon, 4 Aug 2008 17:18:27 +0800 Subject: [c-nsp] NPE-G2 Adjustable MTU Message-ID: <371cac6a0808040218k2857f2edoad0afba807dc50e@mail.gmail.com> Hi Guys, Has anyone successfully increase the interface MTU on the tunnel with MPLS VPN Inter-AS command "mpls bgp forwarding" configured at the same time ? So far I have tried several IOS feature, they can only support either but not both commands @ the same time. We are trying to establish Option'B NNI VPN using tunnel for backup purpose. Thanks in advance Cheers Soon Kian From aaronis at people.net.au Mon Aug 4 07:33:39 2008 From: aaronis at people.net.au (Aaron R) Date: Mon, 4 Aug 2008 19:33:39 +0800 Subject: [c-nsp] router as bridge for netflow exports In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B95@100NOOSLMSG004.common.alpharoot.net> Message-ID: <200808041133.m74BXlTY096312@puck.nether.net> Yep I have also used softflowd which is essentially the same thing. SPAN the port and away you go she generates netflows for you. http://www.mindrot.org/projects/softflowd/ Cheers, Aaron. 
From david.freedman at uk.clara.net Mon Aug 4 09:49:35 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 04 Aug 2008 14:49:35 +0100
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID:

I think if I loosen the definition of "telnet" I can win here.

"no transport input telnet" on the VTYs. Then connect your console/aux into
your terminal server / DCN and access it via telnet.

Dave.

Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? Any ideas?
>
> Regards,
> Joost

From haminu at cisco.com Mon Aug 4 09:43:40 2008
From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco))
Date: Mon, 4 Aug 2008 15:43:40 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To:
References: <20080729184001.GD17128@ronin.4ever.de><06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04EBDE06@xmb-ams-334.emea.cisco.com>

I would say for design reference this is really good and informative.... you
might wanna take a look at it:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

Your first puzzle will be the logical placement of the module and the
devices and the modes they are to operate in; as the case always is: it
depends. But take a look at the file above.

HTH
Hash

From haminu at cisco.com Mon Aug 4 10:03:22 2008
From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco))
Date: Mon, 4 Aug 2008 16:03:22 +0200
Subject: [c-nsp] LDP Graceful restart
In-Reply-To: <200808040705.07913.mtinka@globaltransit.net>
References: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com> <200808040705.07913.mtinka@globaltransit.net>
Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04EBDE27@xmb-ams-334.emea.cisco.com>

Your answer is yes; logically you can have graceful restart on a router that
does not have multiple RSPs, but you will need the neighboring router to at
least have the NSF/SSO feature .... Take a look at this link:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_grace_rstrt_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1088518

HTH
Hash

From sf at lists.esoteric.ca Mon Aug 4 11:59:32 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Mon, 04 Aug 2008 11:59:32 -0400
Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier?
In-Reply-To: <20080803081205.GA22300@mx.ytti.net>
References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net>
Message-ID: <48972764.8050208@lists.esoteric.ca>

> WAN being SIP (be careful with ES20).

Would you mind elaborating on that? I'm leaning toward the ES20 at the
moment for our needs..

-- Stephen

Saku Ytti wrote:
> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote:
>
>> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software
>> releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and
>
> I believe ASR1k did MPLS and L3 MPLS VPN in FCS.
> The only large bit missing was L2 MPLS VPNs, which is coming in release 3
> iirc.
>
>> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could
>> be the J-land options to explore (although ISR 38x5 are their
>> counterparts at C-land, not the ME6524).
>
> QoS in PE and catalyst doesn't seem a good fit to me. Unless you have
> a dedicated port to each customer. But in my view most all PE usages
> include customers in a VLAN, in which case, to do any QoS, you
> need HQoS, which LAN cards can not do. They are cheap for
> a reason.
> While in the LSR/P role, LAN cards are a perfect fit. It's quite backwards
> really, you want 'WAN' cards to face your distribution and LAN
> cards are fine in all of the core, except if you want to do VPLS,
> in which case the LER/PE needs a WAN card to the core too.
>
> WAN being SIP (be careful with ES20).

From maillist at webjogger.net Mon Aug 4 13:54:24 2008
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 4 Aug 2008 13:54:24 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
Message-ID: <03d501c8f65b$21714f70$12140a0a@GINKGO>

Hi,

I have a 2811 router running Advanced IP Services 12.4(19) which has been
acting funny.

First issue I had was after inserting (2) WIC-1ADSL cards the processor
jumped to 99%. After shutting down the interfaces and rebooting, the router
went back to normal.

Now the router is becoming intermittently inaccessible via telnet, while
still passing traffic through its interfaces.

Total interfaces on unit:
(2) WIC-1DSU-T1-V2
(2) WIC-1ADSL
(1) NM-HDV2-1T1/E1 w/ (2) PVDM2-32 daughter cards

The other thing we did recently is add the NM-HDV2-1T1/E1. Before adding
these cards, we never had an issue.

Running a "show controller serial x/x/x" and a "show buffer" through the
Output Interpreter, I am told:

"WARNING: The interface Serial0/0/0 has reported 449 'overruns'. This is
because, the input rate exceeds the ability of the receiver to handle data
.... Paste the output of the show buffer command output into the Output
Interpreter to check whether the buffers can be tuned. "

"ERROR: Since its last reload, this router has created or maintained a
relatively large number of 'h2p1 buffers' yet still has very few free
buffers. The above symptoms suggest that a buffer leak has occurred."

I'm wondering if a buffer leak could be the source of the issue. Maybe this
wasn't a problem before the router had the new DSL cards and T1 network
module, but now the new cards are claiming too much memory and the buffer
leak is causing issues.

We could try downgrading or upgrading the IOS ....

Thanks for advice,
Adam

From alexmoya at bellsouth.net Mon Aug 4 14:28:50 2008
From: alexmoya at bellsouth.net (Alex Moya)
Date: Mon, 4 Aug 2008 14:28:50 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
In-Reply-To: <03d501c8f65b$21714f70$12140a0a@GINKGO>
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID:

How much mem does the router have on it?

Sent from my iPhone

From RTeller at deltadentalwa.com Mon Aug 4 14:49:08 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Mon, 4 Aug 2008 11:49:08 -0700
Subject: [c-nsp] Adding vlan 1 to vlan-group
In-Reply-To:
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EBE@tiger.deltadentalwa.com>

Is there a configuration option that will allow me to add vlan 1 to a vlan
group to be used with an ACE module? When I try to do it I am receiving the
following error message.

svclc vlan-group 111 1
Vlan 1 can not be a secure vlan

I am doing this for temporary migration reasons.

From stig.johansen at ementor.no Mon Aug 4 15:30:21 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 4 Aug 2008 21:30:21 +0200
Subject: [c-nsp] Adding vlan 1 to vlan-group
References: <03d501c8f65b$21714f70$12140a0a@GINKGO> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EBE@tiger.deltadentalwa.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5033F51BF@100NOOSLMSG004.common.alpharoot.net>

Sure is.. it's called a cable, and runs from a port in your vlan 1 to a port
in another vlan which you configure on your ACE module. :)

Best regards,
Stig Meireles Johansen

From maillist at webjogger.net Mon Aug 4 15:41:05 2008
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 4 Aug 2008 15:41:05 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID: <045001c8f66a$08c5dbd0$12140a0a@GINKGO>

Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.

----- Original Message -----
From: "Alex Moya"
To: "Adam Greene"
Sent: Monday, August 04, 2008 2:28 PM
Subject: Re: [c-nsp] buffer leak in 12.4(19)?

> How much mem does the router have on it?

From alexmoya at bellsouth.net Mon Aug 4 16:30:43 2008
From: alexmoya at bellsouth.net (Alex Moya)
Date: Mon, 4 Aug 2008 16:30:43 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
In-Reply-To: <045001c8f66a$08c5dbd0$12140a0a@GINKGO>
References: <03d501c8f65b$21714f70$12140a0a@GINKGO> <045001c8f66a$08c5dbd0$12140a0a@GINKGO>
Message-ID: <5E24C1D5-B31B-4A62-9BCF-52A8E01E11C2@bellsouth.net>

Should work fine. You could have a bad card.

Sent from my iPhone

On Aug 4, 2008, at 3:41 PM, "Adam Greene" wrote:

> Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.

From malitsky at netabn.com Mon Aug 4 18:35:57 2008
From: malitsky at netabn.com (Michael Malitsky)
Date: Mon, 4 Aug 2008 17:35:57 -0500
Subject: [c-nsp] CPE for IPSEC
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL>

Greetings,

The auditors are trying to force me to encrypt our WAN traffic.
The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at: -ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540? -7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load? Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share. Thanks, Michael Malitsky From paul at paulstewart.org Mon Aug 4 20:45:13 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 4 Aug 2008 20:45:13 -0400 Subject: [c-nsp] DSCP / NAT Message-ID: <00f901c8f694$86c095a0$9441c0e0$@org> Hi folks. This is probably a dumb question ;) Is there any way for a packet that hits NAT to have it's DSCP bits honored? For example: Interface FastE0 - public IP - ip nat outside Interface FastE1 - private IP - ip nat inside Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method? Thanks, Paul From cchurc05 at harris.com Mon Aug 4 21:06:22 2008 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 4 Aug 2008 20:06:22 -0500 Subject: [c-nsp] DSCP / NAT In-Reply-To: <00f901c8f694$86c095a0$9441c0e0$@org> References: <00f901c8f694$86c095a0$9441c0e0$@org> Message-ID: I thought that was the default action for most NATing devices? I'm pretty sure the 12.4 Cisco devices I've used all do that. 
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Monday, August 04, 2008 8:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] DSCP / NAT Hi folks. This is probably a dumb question ;) Is there any way for a packet that hits NAT to have it's DSCP bits honored? For example: Interface FastE0 - public IP - ip nat outside Interface FastE1 - private IP - ip nat inside Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method? Thanks, Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ddunkin at netos.net Mon Aug 4 21:11:56 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Mon, 4 Aug 2008 18:11:56 -0700 Subject: [c-nsp] DSCP / NAT References: <00f901c8f694$86c095a0$9441c0e0$@org> Message-ID: <56F5BC5F404CF84896C447397A1AAF207AF33B@MAIL.nosi.netos.com> Correct, it should just go straight through, NAT translates the address/port only. It should not touch the rest of the packet unless otherwise configured. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Monday, August 04, 2008 18:06 To: Paul Stewart; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] DSCP / NAT I thought that was the default action for most NATing devices? I'm pretty sure the 12.4 Cisco devices I've used all do that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Monday, August 04, 2008 8:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] DSCP / NAT Hi folks. 
This is probably a dumb question ;) Is there any way for a packet that hits NAT to have it's DSCP bits honored? For example: Interface FastE0 - public IP - ip nat outside Interface FastE1 - private IP - ip nat inside Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method? Thanks, Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From zivl at gilat.net Tue Aug 5 02:31:02 2008 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 5 Aug 2008 09:31:02 +0300 Subject: [c-nsp] CPE for IPSEC In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> Message-ID: Check out about "Thales" -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky Sent: Tuesday, August 05, 2008 1:36 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] CPE for IPSEC Greetings, The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at: -ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540? 
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load? Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share. Thanks, Michael Malitsky _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From avayner at cisco.com Tue Aug 5 04:51:16 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 5 Aug 2008 10:51:16 +0200 Subject: [c-nsp] CPE for IPSEC In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com> Michael, A few questions: 1. I see you mention 225Mbps, but what is the packet-per-second rate? This is actually a more important factor, as router performance is usually PPS-rate based 2. Is 225M the total hub rate, or is it per spoke? In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW. 
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:
-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.

Thanks,
Michael Malitsky

From sam_mailinglists at spacething.org Tue Aug 5 06:30:40 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 11:30:40 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
Message-ID: <48982BD0.9030405@spacething.org>

Hi,

We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):

SW1 SVI ---VLANA-- SW2 SVI
   |                  |
DDOS Std           DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   X                  |
   |                  |
Inside ----VLANB--- Inside

The Standby DDOS device does not pass traffic, but VLANs A and B are effectively bridged by the Active DDOS device on the right.
The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they provide a HSRP address that the inside network has a default pointing towards.

The CPU on the active side (SW2) is pegged at 99% and it's all in host learning. The log buffer reports:

Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (X:X:X:X:X:X) as source on port Gix/y in vlan B

(Gix/y connects to the inside port on the DDOS appliance).

I believe this is because the switches' MAC tables aren't VRF aware and the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.

Is my thinking correct? Is there another way?

Thanks,
Sam

From p.mayers at imperial.ac.uk Tue Aug 5 07:12:46 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 05 Aug 2008 12:12:46 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48982BD0.9030405@spacething.org>
References: <48982BD0.9030405@spacething.org>
Message-ID: <489835AE.1080006@imperial.ac.uk>

Sam Stickland wrote:
> Hi,
>
> We have a pair of 4948s and some DDOS devices configured in this
> topology (this is an inherited design btw!):
>
> SW1 SVI ---VLANA-- SW2 SVI
>    |                  |
> DDOS Std           DDOS Act
>    |                  |
> SW1 (L2) --VLANB-- SW2 (L2)
>    X                  |
>    |                  |
> Inside ----VLANB--- Inside
>
> The Standby DDOS device does not pass traffic, but VLANs A and B are
> effectively bridged by the Active DDOS device on the right.

What is a DDOS device? Do you mean IDS/IPS?

>
> The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they
> provide a HSRP address that the inside network has a default pointing
> towards.
>
> The CPU on the active side (SW2) is pegged at 99% and it's all in host
> learning.
> The log buffer reports:
>
> Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:
> (Suppressed 61591949 times)Packet received with my own MAC address
> (X:X:X:X:X:X) as source on port Gix/y in vlan B
>
> (Gix/y connects to the inside port on the DDOS appliance).
>
> I believe this is because the switches' MAC tables aren't VRF aware and

MAC tables aren't VRF aware. They only need to be VLAN-aware.

Frankly I'm surprised this isn't working; if the SW2(L2) are really at layer2 with no SVI, and no L2 control protocols passing the DDoS device e.g. spanning tree, CDP, LLDP etc.

> the only way to solve the CPU problem is to use physically separate
> switches: i.e. replace the L2 portions in the diagram with separate L2
> switches.

You could try changing the MAC address of the SVI e.g. to a locally assigned one:

int VlanX
 mac-address H.H.H

...I'm not familiar with the C4k platform, but it's common that devices have a finite number of MAC addresses they can use. Also when I tried it on our 6500s I had problems where it didn't pick up the MAC change on an existing SVI until reboot, but would on a newly-created SVI.

From sam_mailinglists at spacething.org Tue Aug 5 07:21:31 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 12:21:31 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <489835AE.1080006@imperial.ac.uk>
References: <48982BD0.9030405@spacething.org> <489835AE.1080006@imperial.ac.uk>
Message-ID: <489837BB.3000701@spacething.org>

Phil Mayers wrote:
> Sam Stickland wrote:
>> Hi,
>>
>> We have a pair of 4948s and some DDOS devices configured in this
>> topology (this is an inherited design btw!):
>>
>> SW1 SVI ---VLANA-- SW2 SVI
>>    |                  |
>> DDOS Std           DDOS Act
>>    |                  |
>> SW1 (L2) --VLANB-- SW2 (L2)
>>    X                  |
>>    |                  |
>> Inside ----VLANB--- Inside
>>
>> The Standby DDOS device does not pass traffic, but VLANs A and B are
>> effectively bridged by the Active DDOS device on the right.
>
> What is a DDOS device? Do you mean IDS/IPS?

Yup.

>>
>> The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they
>> provide a HSRP address that the inside network has a default pointing
>> towards.
>>
>> The CPU on the active side (SW2) is pegged at 99% and it's all in
>> host learning. The log buffer reports:
>>
>> Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:
>> (Suppressed 61591949 times)Packet received with my own MAC address
>> (X:X:X:X:X:X) as source on port Gix/y in vlan B
>>
>> (Gix/y connects to the inside port on the DDOS appliance).
>>
>> I believe this is because the switches' MAC tables aren't VRF aware and
>
> MAC tables aren't VRF aware. They only need to be VLAN-aware.
>

I'm aware of this, I was just stating my reasoning in a perhaps not too clear way :)

> Frankly I'm surprised this isn't working; if the SW2(L2) are really at
> layer2 with no SVI, and no L2 control protocols passing the DDoS
> device e.g. spanning tree, CDP, LLDP etc.

They have no SVI, but spanning-tree instances are running for VLANs A and B.

>
>> the only way to solve the CPU problem is to use physically separate
>> switches: i.e. replace the L2 portions in the diagram with separate
>> L2 switches.
>
> You could try changing the MAC address of the SVI e.g. to a locally
> assigned one:
>
> int VlanX
>  mac-address H.H.H
>
> ...I'm not familiar with the C4k platform, but it's common that
> devices have a finite number of MAC addresses they can use. Also when
> I tried it on our 6500s I had problems where it didn't pick up the MAC
> change on an existing SVI until reboot, but would on a newly-created SVI.

Unfortunately the C4k platform doesn't support changing the BIA addresses, but given the nature of the error I don't think it would help. I think it's caused by the layer 2 portion of the switches seeing traffic sourced from its own SVI on one of its ports, which is confusing the host learning.
Sam

From csirek at cooler.hu Tue Aug 5 06:56:45 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Tue, 05 Aug 2008 12:56:45 +0200
Subject: [c-nsp] Cat4948 free list memory parity error
Message-ID: <489831ED.5010109@cooler.hu>

Hi

I got these messages but I did not find any info at cisco.com:

Log:
Aug 5 11:31:27 MET-DST: %C4K_SWITCHINGENGINEMAN-3-FREELISTMEMORYPARITY: Parity mismatch in freelist memory, flm addr=E425, reg bits=8000E425, total=2

System image file is "bootflash:cat4000-i9s-mz.122-25.EWA8.bin"
cisco WS-C4948-10GE (MPC8540) processor (revision 5) with 262144K bytes of memory.

Thanks,
csirek

From lists at daniels.id.au Tue Aug 5 07:44:40 2008
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Tue, 5 Aug 2008 21:44:40 +1000
Subject: [c-nsp] Extending MPLS over external providers cloud
Message-ID: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>

Hello Gurus

Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some smaller low bandwidth sites connected using DSL via an ISP. This external VRF terminates within a single VRF of ours.
We are now looking at extending several of our VRFs to these remote DSL sites, so as far as I see it, we can either put LDP over a tunnel, or each vrf over a separate tunnel.
At first glance I was thinking about LDP over DMVPN, which I will lab up over the next few days.

Has anyone done something like this before? What methods have been tried and tested, etc, etc.
All feedback welcome.
Thanks,
Aaron Daniels

From ltd at cisco.com Tue Aug 5 08:47:02 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 05 Aug 2008 22:47:02 +1000
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48982BD0.9030405@spacething.org>
References: <48982BD0.9030405@spacething.org>
Message-ID: <48984BC6.4070509@cisco.com>

Sam Stickland wrote:
> Hi,
>
> We have a pair of 4948s and some DDOS devices configured in this
> topology (this is an inherited design btw!):
>
> SW1 SVI ---VLANA-- SW2 SVI
>    |                  |
> DDOS Std           DDOS Act
>    |                  |
> SW1 (L2) --VLANB-- SW2 (L2)
>    X                  |
>    |                  |
> Inside ----VLANB--- Inside
> [..]
> I believe this is because the switches' MAC tables aren't VRF aware and
> the only way to solve the CPU problem is to use physically separate
> switches: i.e. replace the L2 portions in the diagram with separate L2
> switches.
>
> Is my thinking correct? Is there another way?

logically speaking, VRFs are for L3 what VLANs are for L2.

i don't think "replacing with separate L2 switches" will fix it, i think you've got a L2 loop that needs fixing.

cheers,

lincoln.

From rodunn at cisco.com Tue Aug 5 08:53:28 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 5 Aug 2008 08:53:28 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
References: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID: <20080805125328.GE19739@rtp-cse-489.cisco.com>

LDP over point to point GRE is the most common way.

Be careful with the MTU needed on the transport links because you are adding another 24 bytes of GRE overhead on top of the label stack. So if the transport is only 1500 bytes you will have issues.

As for MPLSoDMVPN I've seen some discussions about it but haven't ever put it in the lab or seen it in production.
Rodney

On Tue, Aug 05, 2008 at 09:44:40PM +1000, Aaron Daniels - Lists wrote:
> Hello Gurus
>
> Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some
> smaller low bandwidth sites connected using DSL via an ISP. This external
> VRF terminates within a single VRF of ours.
> We are now looking at extending several of our VRFs to these remote DSL
> sites, so as far as I see it, we can either put LDP over a tunnel, or each
> vrf over a separate tunnel.
> At first glance I was thinking about LDP over DMVPN, which I will lab up
> over the next few days.
>
> Has anyone done something like this before? What methods have been tried and
> tested, etc, etc.
> All feedback welcome.
>
> Thanks,
> Aaron Daniels

From gulerozgur at yahoo.co.uk Tue Aug 5 08:57:06 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 5 Aug 2008 12:57:06 +0000 (GMT)
Subject: [c-nsp] EOBC Tx Errors
In-Reply-To:
Message-ID: <27110.28490.qm@web25501.mail.ukl.yahoo.com>

Hi Christian

Have a look at this link...

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_display_the_EOBC_error_counters_in_the_Catalyst_6500_series_switches_and_a_definition_of_the_EOBC_interface

/Ozgur

--- On Sun, 3/8/08, Christian Koch wrote:

From: Christian Koch
Subject: [c-nsp] EOBC Tx Errors
To: "cisco-nsp"
Date: Sunday, 3 August, 2008, 6:44 PM

Can anyone tell me exactly what the ethernet out of band channel is used for and why I would be getting errors on it?
box is 7609-S with RSP720

Thanks
Christian

__________________________________________________________
Not happy with your email address?. Get the one you really want - millions of new email addresses available now at Yahoo! http://uk.docs.yahoo.com/ymail/new.html

From gulerozgur at yahoo.co.uk Tue Aug 5 09:07:23 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 5 Aug 2008 13:07:23 +0000 (GMT)
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <977486.34468.qm@web25504.mail.ukl.yahoo.com>

ACL restriction might not rule out the prefix-list option. So I would go for the prefix list + route-map solution.

--- On Fri, 1/8/08, Joost greene wrote:

From: Joost greene
Subject: [c-nsp] Filtering telnet without ACL
To: cisco-nsp at puck.nether.net
Date: Friday, 1 August, 2008, 2:14 PM

Hello,

Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? any ideas?

Regards,
Joost
From sam_mailinglists at spacething.org Tue Aug 5 09:14:35 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 14:14:35 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48984BC6.4070509@cisco.com>
References: <48982BD0.9030405@spacething.org> <48984BC6.4070509@cisco.com>
Message-ID: <4898523B.7060604@spacething.org>

Lincoln Dale wrote:
>
>
> Sam Stickland wrote:
>> Hi,
>>
>> We have a pair of 4948s and some DDOS devices configured in this
>> topology (this is an inherited design btw!):
>>
>> SW1 SVI ---VLANA-- SW2 SVI
>>    |                  |
>> DDOS Std           DDOS Act
>>    |                  |
>> SW1 (L2) --VLANB-- SW2 (L2)
>>    X                  |
>>    |                  |
>> Inside ----VLANB--- Inside
>> [..]
>> I believe this is because the switches' MAC tables aren't VRF aware
>> and the only way to solve the CPU problem is to use physically
>> separate switches: i.e. replace the L2 portions in the diagram with
>> separate L2 switches.
>>
>> Is my thinking correct? Is there another way?
> logically speaking, VRFs are for L3 what VLANs are for L2.
>
> i don't think "replacing with separate L2 switches" will fix it, i
> think you've got a L2 loop that needs fixing.

Really? Where? Drawing out the diagram above as the spanning-tree topology stabilises it's:

SW1 SVI ---VLANA-- SW2 SVI
                      |
DDOS Std           DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   |                  |
Inside ----VLANB--- Inside

Far from ideal, I know, but I'm not sure there's a L2 loop here.

Sam

From dcurran at nuvox.com Tue Aug 5 09:23:07 2008
From: dcurran at nuvox.com (David Curran)
Date: Tue, 05 Aug 2008 09:23:07 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID:

Is there an actual requirement to run LDP/MPLS over these tunnels or are you simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or VRF-Lite, whatever) works very well.
> From: Aaron Daniels - Lists
> Date: Tue, 5 Aug 2008 21:44:40 +1000
> To:
> Subject: [c-nsp] Extending MPLS over external providers cloud
>
> Hello Gurus
>
> Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some
> smaller low bandwidth sites connected using DSL via an ISP. This external
> VRF terminates within a single VRF of ours.
> We are now looking at extending several of our VRFs to these remote DSL
> sites, so as far as I see it, we can either put LDP over a tunnel, or each
> vrf over a separate tunnel.
> At first glance I was thinking about LDP over DMVPN, which I will lab up
> over the next few days.
>
> Has anyone done something like this before? What methods have been tried and
> tested, etc, etc.
> All feedback welcome.
>
> Thanks,
> Aaron Daniels

This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email. Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.

From malitsky at netabn.com Tue Aug 5 09:31:05 2008
From: malitsky at netabn.com (Michael Malitsky)
Date: Tue, 5 Aug 2008 08:31:05 -0500
Subject: [c-nsp] CPE for IPSEC
References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com>
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>

Arie,

Thanks for the response. 200Mb is the aggregate bandwidth available on the WAN port at each site. Even if I knew what the typical traffic rates were today, the application group would change something tomorrow, so I have to design for the worst case - 390kpps using 64-byte packets.
I phrased the original question the way I did because the specs for the ASA and VAM are written in bits-per-second rather than packets-per-second. In either case, I am curious how close does real world come to the specs?

Thanks,
Michael Malitsky

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tue 8/5/2008 3:51 AM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Michael,

A few questions:
1. I see you mention 225Mbps, but what is the packet-per-second rate? This is actually a more important factor, as router performance is usually PPS-rate based
2. Is 225M the total hub rate, or is it per spoke?

In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:
-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.
Thanks,
Michael Malitsky

From avayner at cisco.com Tue Aug 5 09:33:25 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Aug 2008 15:33:25 +0200
Subject: [c-nsp] CPE for IPSEC
In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>
References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com> <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501B30BA3@xmb-ams-331.emea.cisco.com>

Michael,

Would you also require any QOS policies (especially hierarchical policing with shaping)?

Arie

________________________________
From: Michael Malitsky [mailto:malitsky at netabn.com]
Sent: Tuesday, August 05, 2008 16:31 PM
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Arie,

Thanks for the response. 200Mb is the aggregate bandwidth available on the WAN port at each site. Even if I knew what the typical traffic rates were today, the application group would change something tomorrow, so I have to design for the worst case - 390kpps using 64-byte packets.

I phrased the original question the way I did because the specs for the ASA and VAM are written in bits-per-second rather than packets-per-second. In either case, I am curious how close does real world come to the specs?

Thanks,
Michael Malitsky

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tue 8/5/2008 3:51 AM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Michael,

A few questions:
1. I see you mention 225Mbps, but what is the packet-per-second rate?
This is actually a more important factor, as router performance is usually PPS-rate based
2. Is 225M the total hub rate, or is it per spoke?

In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:
-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.
Thanks,
Michael Malitsky

From billf at mu.org Tue Aug 5 13:06:17 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 5 Aug 2008 10:06:17 -0700
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <489837BB.3000701@spacething.org>
References: <48982BD0.9030405@spacething.org> <489835AE.1080006@imperial.ac.uk> <489837BB.3000701@spacething.org>
Message-ID: <20080805170617.GM6869@elvis.mu.org>

On Tue, Aug 05, 2008 at 12:21:31PM +0100, Sam Stickland wrote:
> Phil Mayers wrote:
> >Sam Stickland wrote:
> >>SW1 SVI ---VLANA-- SW2 SVI
> >>   |                  |
> >>DDOS Std           DDOS Act
> >>   |                  |
> >>SW1 (L2) --VLANB-- SW2 (L2)
> >>   X                  |
> >>   |                  |
> >>Inside ----VLANB--- Inside
> >>
> >>The Standby DDOS device does not pass traffic, but VLANs A and B are
> >>effectively bridged by the Active DDOS device on the right.
> >
> >What is a DDOS device? Do you mean IDS/IPS?
> Yup.

these are two devices, not one with two interfaces, right? are they connected to each other in any way besides through the switch? e.g. for state sharing or other such.

> >>The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they
> >>provide a HSRP address that the inside network has a default pointing
> >>towards.
> >>
> >>The CPU on the active side (SW2) is pegged at 99% and it's all in
> >>host learning. The log buffer reports:
> >>
> >>Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:
> >>(Suppressed 61591949 times)Packet received with my own MAC address
> >>(X:X:X:X:X:X) as source on port Gix/y in vlan B
> >>
> >>(Gix/y connects to the inside port on the DDOS appliance).
>
> >Frankly I'm surprised this isn't working; if the SW2(L2) are really at
> >layer2 with no SVI, and no L2 control protocols passing the DDoS
> >device e.g. spanning tree, CDP, LLDP etc.
> They have no SVI, but spanning-tree instances are running for VLANs A and B.
> [...]
> Unfortunately the C4k platform doesn't support changing the BIA
> addresses, but given the nature of the error I don't think it would
> help. I think it's caused by the layer 2 portion of the switches seeing
> traffic sourced from its own SVI on one of its ports, which is confusing
> the host learning.

off-the-top-of-my-head:

- which spanning tree version are you running? does the IDS participate?
- redacted configs would be appropriate since the SVI configuration is so specific and not just the usual vlanX,no-vrf.. you mix "they have no SVI" and mentions of SVIs enough times that it's not clear where they really are or aren't and who/what is pointing to them
- your diagram mixes L1,L2 and L3, it'd be nice to get a physical and logical diagram (and/or a redacted config)
- fire up ye olde sniffer on the IDS box, it could very well be bridging more (or less!) than you think
- speaking of bridging, is there a way to use .1q + routing w/ your IDS?
- look into Loop Guard on both SW1 and SW2. also, to a lesser extent look into rootguard, bpduguard, and be sure spanning tree isn't oscillating
- w/o the config, it's hard to say, but PVLANs may give you the separation of traffic between ports you desire
- VACLs on the IDS ports to permit the things you know about and log the things you don't may be useful combined w/ sniffing

also, i've only used cat6.5k (hybrid & native) and not the 4948.. i dunno the exact capabilities of some of the features i mentioned (PVLAN, VACL).

--
- bill fumerola / billf at FreeBSD.org

From billf at mu.org Tue Aug 5 14:33:49 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 5 Aug 2008 11:33:49 -0700
Subject: [c-nsp] MPLS errors w/ no MPLS configured
Message-ID: <20080805183349.GN6869@elvis.mu.org>

anyone seeing these messages?
Aug 1 02:35:58.924 UTC: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
-Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
Aug 3 15:38:32.708 UTC: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
-Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8

i'm not sure how dangerous these messages are. on one hand, we're not running MPLS at all. on the other hand, i don't like errors that involve broken tables/memory & tracebacks.

rtr1.lon#sh run | i mpls|MPLS
no mpls traffic-eng auto-bw timers frequency 0
rtr1.lon#sh ver | i 12.[23]
Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1)
BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
rtr1.lon#

there are BGP neighbors, both internal and external, on this host. no address-family vpn tho.

-- bill

From ploopster at gmail.com Tue Aug 5 14:55:19 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Tue, 05 Aug 2008 14:55:19 -0400
Subject: [c-nsp] SA-ISA
Message-ID: <4898A217.8090403@gmail.com>

Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it isn't, will it work anyway?

Thanks.

Peace... Sridhar

From saku+cisco-nsp at ytti.fi Tue Aug 5 15:42:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 5 Aug 2008 22:42:06 +0300
Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier?
In-Reply-To: <48972764.8050208@lists.esoteric.ca>
References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> <48972764.8050208@lists.esoteric.ca>
Message-ID: <20080805194206.GA25049@mx.ytti.net>

On (2008-08-04 11:59 -0400), Stephen Fulton wrote:
> > WAN being SIP (be careful with ES20).
>
> Would you mind elaborating on that? I'm leaning toward the ES20 at the
> moment for our needs..

My biggest pain, lack of vlan local significance, so if you have same VLAN on two different interfaces you need to terminate it to some unique SVI. And if you terminate it to SVI, and still want to benefit from ES20 QoS features, you need to do QoS on the EVC, and on EVC you have only very few match statements, namely match CoS, no match ACL or anything. On first thought, match CoS may be enough. But if you'd want to just shape all traffic to 5Mbps, you'd have to use 'class-default', as you can't use ACL with 'ANY'. And if you use class-default, you reduce the amount of VRF customers you can terminate on the box (you run out of the 4k VLAN sooner) and you reduce pps performance (additional lookup for first 512 VRFs).

Also no uRPF/strict and uRPF/loose per interface.

All these limitations puzzle me, as it appears to be SIP600, and SIP600 has vlan local significance and uRPF per port.

Talk to your SE/AM, hopefully there is something new coming with same price and better feature parity with 'real' WAN cards. (+EVC magic)

>
> -- Stephen
>
>
> Saku Ytti wrote:
>> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote:
>>
>>> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software
>>> releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and
>>
>> I believe ASR1k did MPLS and L3 MPLS VPN in FCS. Only large bit
>> missing was L2 MPLS VPNs which is coming in release3 iirc.
>>
>>> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could
>>> be the J-land options to explore (although ISR 38x5 are their
>>> counterparts at C-land, not the ME6524).
>>
>> QoS in PE and catalyst doesn't seem good fit to me. Unless you have
>> dedicated port to each customer. But in view most all PE usages
>> include customers in VLAN, in which case, to do any QoS, you need HQoS,
>> which LAN cards can not do. They are cheap for a reason.
>> While in LSR/P role, LAN cards are perfect fit. It's quite backwards
>> really, you want 'WAN' cards to face your distribution and LAN
>> cards are fine in all core, except if you want to do VPLS,
>> in which case LER/PE needs WAN card to core too.
>>
>> WAN being SIP (be careful with ES20).

--
  ++ytti

From saku+cisco-nsp at ytti.fi Tue Aug 5 15:53:00 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 5 Aug 2008 22:53:00 +0300
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To:
References: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID: <20080805195300.GB25049@mx.ytti.net>

On (2008-08-05 09:23 -0400), David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are you
> simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

My vote on vrf-lite too. I fear we as an industry poop all over L3 MPLS VPN by doing stunts like this (I'm guilty too). And in a customer role, I would never trust on L3 MPLS VPN bought from operator, but would run my own VPN over IP tunnels on cheapest pure Internet DSL available.

You should only talk MPLS (be it 'native', OptB or OptC) only to a router that is physically secured (not customers cabinet) and administered by fully trusted party (not competitor with whom you run e.g. OptB.)

Main grief with having say OptB to untrusted physical location or managed by other organization is lack of label checking, so they can just inject any labels into the network and they will be forwarded. Sure, label space is large, but take a look what space assigned labels hold and that space is very small, and pushing packet to any VRF from site connected to your MPLS network is easy.
Of course it's just unidirectional, but we can't ignore that, since then other people may ignore another 'irrelevant' security issue that is unidirectional in the other direction, and you'd have a fully compromised VRF.

Possible remedies would be for CSCO and JNPR to implement OptB as the RFC states, so that they'd only accept labels from an OptB ASBR that were previously advertised to it via BGP. Then you'd only need to trust the ASBR with the VRFs you're sharing with them, which is much easier to do (they'd be screwing their own customer). For pure MPLS or OptC there is no remedy; you could randomize label assignment to make it unfeasible to inject traffic into every VRF, but it doesn't replace the need for trust.

> > From: Aaron Daniels - Lists
> > Date: Tue, 5 Aug 2008 21:44:40 +1000
> > To: 
> > Subject: [c-nsp] Extending MPLS over external providers cloud
> >
> > Hello Gurus
> >
> > Our organisation runs an MPLS core (basic, MPLS VPNs), but also has some
> > smaller low bandwidth sites connected using DSL via an ISP. This external
> > VRF terminates within a single VRF of ours.
> > We are now looking at extending several of our VRFs to these remote DSL
> > sites, so as far as I see it, we can either put LDP over a tunnel, or each
> > vrf over a separate tunnel.
> > At first glance I was thinking about LDP over DMVPN, which I will lab up
> > over the next few days.
> >
> > Has anyone done something like this before? What methods have been tried and
> > tested, etc, etc.
> > All feedback welcome.
> >
> > Thanks,
> > Aaron Daniels
> >
> > This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email.
> > Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.

-- 
  ++ytti

From ltd at cisco.com Tue Aug 5 21:58:22 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 06 Aug 2008 11:58:22 +1000
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <4898523B.7060604@spacething.org>
References: <48982BD0.9030405@spacething.org> <48984BC6.4070509@cisco.com> <4898523B.7060604@spacething.org>
Message-ID: <4899053E.9000206@cisco.com>

Sam Stickland wrote:
>>> believe this is because the switches' MAC tables aren't VRF aware
>>> and the only way to solve the CPU problem is to use physically
>>> separate switches: i.e. replace the L2 portions in the diagram with
>>> separate L2 switches.
>>>
>>> Is my thinking correct? Is there another way?
>> logically speaking, VRFs are for L3 what VLANs are for L2.
>>
>> i don't think "replacing with separate L2 switches" will fix it, i
>> think you've got a L2 loop that needs fixing.
> Really? Where?

i'd say it's something evil that the DDoS devices are doing. what it's doing is up for debate, but clearly SW2 is indicating it's receiving BACK packets it's sending, from the log message; clearly it's working overtime on the MAC learning too, given it's at 99% CPU in that process moving mac addresses between ports . . .

> Drawing out the diagram above as the spanning-tree topology stabilises
> it's:
> [..]
> Far from ideal, I know, but I'm not sure there's a L2 loop here.

my guess is the DDoS boxes are eating/modifying BPDUs to allow STP to establish in the first place.
purely a guess mind you, as i say, just going on the evidence of what the cisco switch is reporting & having done lots of 'testing' of these kinds of scenarios on other cisco boxes...

cheers,

lincoln.

From danletkeman at gmail.com Tue Aug 5 22:01:54 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 5 Aug 2008 21:01:54 -0500
Subject: [c-nsp] shaping http traffic on a 2821
Message-ID: 

Hello,

I'm wondering if anyone has some good documentation or examples of shaping http traffic on a router. I have been asked to look into this for an educational institute where they don't want to add more bandwidth, but make better use of what they have. The connection is currently a 20mbit connection. I would also like to prioritize traffic so incoming requests to the http server and voip calls get a higher priority.

Thanks,
Dan.

From vikassharmas at gmail.com Tue Aug 5 23:00:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 6 Aug 2008 08:30:23 +0530
Subject: [c-nsp] Inter-AS option B - filter based on IPv4+ Labels?
Message-ID: 

Hi,

In Inter-AS option B, I have the option of filtering with BGP attributes: ASPATH, ext communities, RD checks. Can I filter based on IPv4+ Labels? i.e. set route maps to filter so that only the desirable prefixes are injected into the BGP table and propagated using IPv4+ Labels to the adjacent ASBR? Can you point me to the web page?

If the above is true then I can use standard BGP communities to filter the traffic between ASBRs in option B!!!

Regards,
Vikas Sharma

From lists at daniels.id.au Tue Aug 5 23:14:29 2008
From: lists at daniels.id.au (lists at daniels.id.au)
Date: Tue, 05 Aug 2008 22:14:29 -0500
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: 
References: 
Message-ID: <6332c15961358010eaa374277a6abd84@daniels.id.au>

Hi David,

On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are
> you
> simply looking to extend a VRF?
> If it's the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

The requirement is simply to provide multiple VRFs (3 to 5) at any remote site; the VRFs will vary site-to-site based on local requirements.

In an ethernet scenario, I agree: VRF-Lite, dot1q and away we go, but here I have a cloud in the middle connecting several (20-30) DSL sites to a head office (hub and spoke), and the thought of having to manage multiple tunnels (one per vrf) per site is making me cringe..

Or am I missing something, is there some other way to more easily manage these multiple tunnels?

Thanks,
Aaron

From andy.saykao at staff.netspace.net.au Tue Aug 5 23:19:06 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 6 Aug 2008 13:19:06 +1000
Subject: [c-nsp] MPLS affecting normal IP cache flows
Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I've deployed MPLS across parts of our core network and everything appears to be working fine. I've also got MPLS VPNs going, which is the main reason for us rolling out MPLS in the first place.

However, I've run into a problem with netflow on one of the PE routers that affects normal IP flows when mpls is enabled on the interface. The PE router having this problem is a cisco 7206VXR (NPE-G1) running IOS Version 12.3(22). Other PE routers are not showing this problem but they are 7301's running a different IOS.

What I'm finding is that when I enable "tag-switching ip" on interface Gi0/2, which forms part of our MPLS core (as seen below), the netflows for normal IP traffic aren't as they should be. Doing a "show ip cache flow" on the PE router only shows a few flows going through for normal IP traffic and we'd expect more IP cache flows to be going through because lots of customers hang off this PE router. When we remove the "tag-switching ip" from the interface, flows are back to normal.
interface GigabitEthernet0/2
 mtu 1500
 ip address 203.10.110.x 255.255.255.224
 ip route-cache flow
 load-interval 30
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 tag-switching mtu 1508
 tag-switching ip
 no clns route-cache

We are also seeing this in the file size on the netflow collector. After enabling mpls on interface Gi0/2 above on July 29th, you can see that from that time on the file size of flows being collected at 12pm is considerably less than what we would expect.

> ls -la *12-2.bz2
-rw-r--r-- 1 root wheel 29224597 Jul 21 12:59 Netstat_2008072112-2.bz2
-rw-r--r-- 1 root wheel 30218681 Jul 22 12:59 Netstat_2008072212-2.bz2
-rw-r--r-- 1 root wheel 28635436 Jul 23 12:59 Netstat_2008072312-2.bz2
-rw-r--r-- 1 root wheel 26987099 Jul 24 12:59 Netstat_2008072412-2.bz2
-rw-r--r-- 1 root wheel 26003303 Jul 25 12:59 Netstat_2008072512-2.bz2
-rw-r--r-- 1 root wheel  4427493 Jul 26 12:59 Netstat_2008072612-2.bz2
-rw-r--r-- 1 root wheel  4758483 Jul 27 12:59 Netstat_2008072712-2.bz2
-rw-r--r-- 1 root wheel 28679702 Jul 28 12:59 Netstat_2008072812-2.bz2
-rw-r--r-- 1 root wheel   222144 Jul 29 12:59 Netstat_2008072912-2.bz2
-rw-r--r-- 1 root wheel   154352 Jul 30 12:59 Netstat_2008073012-2.bz2
-rw-r--r-- 1 root wheel   315422 Jul 31 12:59 Netstat_2008073112-2.bz2
-rw-r--r-- 1 root wheel   388378 Aug  1 12:59 Netstat_2008080112-2.bz2
-rw-r--r-- 1 root wheel   145880 Aug  2 12:59 Netstat_2008080212-2.bz2
-rw-r--r-- 1 root wheel   171154 Aug  3 12:59 Netstat_2008080312-2.bz2
-rw-r--r-- 1 root wheel   410493 Aug  4 12:59 Netstat_2008080412-2.bz2
-rw-r--r-- 1 root wheel   326936 Aug  5 12:59 Netstat_2008080512-2.bz2

Any ideas as to why enabling mpls would be affecting normal IP cache flows? I can only suspect that it's some IOS bug with the IOS we're running.

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From ecables at gmail.com Tue Aug 5 23:54:33 2008
From: ecables at gmail.com (Eric Cables)
Date: Tue, 5 Aug 2008 20:54:33 -0700
Subject: [c-nsp] shaping http traffic on a 2821
In-Reply-To: 
References: 
Message-ID: 

Just do a search for MQC (Modular QoS CLI) on cisco.com; you'll have plenty of material at your disposal.

On Tue, Aug 5, 2008 at 7:01 PM, Dan Letkeman wrote:
> Hello,
>
> I'm wondering if anyone has some good documentation or examples of
> shaping http traffic on a router. I have been asked to look into this
> for an educational institute where they don't want to add more
> bandwidth, but make better use of what they have. The connection is
> currently a 20mbit connection. I would also like to prioritize
> traffic so incoming requests to the http server and voip calls get a
> higher priority.
>
> Thanks,
> Dan.

-- 
Eric Cables

From arla at rn.dk Wed Aug 6 02:10:41 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 6 Aug 2008 08:10:41 +0200
Subject: [c-nsp] old 6513 chassis vs sup720
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>

Hi Folks.

I've got a 6513 chassis, and I believe that it's very old. Can I be sure that this supports sup720 ??. Is there a command that can verify this ??
/Arne

From swmike at swm.pp.se Wed Aug 6 02:20:55 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 6 Aug 2008 08:20:55 +0200 (CEST)
Subject: [c-nsp] old 6513 chassis vs sup720
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>
Message-ID: 

On Wed, 6 Aug 2008, Arne Larsen / Region Nordjylland wrote:

> I've got a 6513 chassis, and I believe that it's very old. Can I be sure
> that this supports sup720 ??. Is there a command that can verify this ??

You need to check at least the PSUs and the fans to see if they're what's needed for SUP720.

In my experience, not even Cisco will get it right all the time in what's needed to get an old chassis to work with SUP720.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From oboehmer at cisco.com Wed Aug 6 02:28:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 08:28:24 +0200
Subject: [c-nsp] MPLS affecting normal IP cache flows
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6818E@xmb-ams-333.emea.cisco.com>

Andy Saykao <> wrote on Wednesday, August 06, 2008 5:19 AM:

> Hi All,
>
> I've deployed MPLS across parts of our core network and everything
> appears to be working fine. I've also got MPLS VPNs going which is
> the main reason for us rolling out MPLS in the first place.
>
> However, I've run into a problem with netflow on one of the PE routers
> that affects normal IP flows when mpls is enabled on the interface.
> The PE router having this problem is a cisco 7206VXR (NPE-G1) running IOS
> Version 12.3(22). Other PE routers are not showing this problem but
> they are 7301's running a different IOS.
>
> What I'm finding is that when I enable "tag-switching ip" on interface
> Gi0/2 which forms part of our MPLS core (as seen below), the netflows
> for normal IP traffic aren't as they should be. Doing a "show ip cache
> flow" on the PE router only shows a few flows going through for normal
> IP traffic and we'd expect more IP cache flows to be going through
> because lots of customers hang off this PE router. When we remove the
> "tag-switching ip" from the interface, flows are back to normal.
[..]
> Any ideas as to why enabling mpls would be affecting normal IP cache
> flows? I can only suspect that it's some IOS bug with the IOS we're
> running.

do you filter any LDP advertisements? If you just enable LDP on the interface (or TDP for that matter), "regular" IPv4 traffic will also be label-switched, as LDP advertises labels for all non-BGP IPv4 prefixes in your RIB. Can you do a "show mpls forwarding-table " for a prefix you would expect to see in the cache? Do you see an incoming label (which is != Pop label)?

	oli

From oboehmer at cisco.com Wed Aug 6 02:44:50 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 08:44:50 +0200
Subject: [c-nsp] SA-ISA
In-Reply-To: <4898A217.8090403@gmail.com>
References: <4898A217.8090403@gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>

Sridhar Ayengar <> wrote on Tuesday, August 05, 2008 8:55 PM:

> Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it
> isn't, will it work anyway?

it's not supported, and I strongly doubt it would work (definitely not when dCEF is enabled), but I wouldn't be surprised if it doesn't even come up. As far as I know, there are NO hardware encryption capabilities on the 7500 series..

	oli

From oboehmer at cisco.com Wed Aug 6 03:01:11 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 09:01:11 +0200
Subject: [c-nsp] Inter-AS option B - filter based on IPv4+ Labels?
In-Reply-To: 
References: 
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D681B2@xmb-ams-333.emea.cisco.com>

Vikas Sharma <> wrote on Wednesday, August 06, 2008 5:00 AM:

> Hi,
>
> In Inter-AS option B, I have the option of filtering with BGP
> attributes: ASPATH, ext communities, RD checks. Can I filter based on
> IPv4+ Labels? i.e. set route maps to filter so that only the
> desirable prefixes are injected into the BGP table and propagated
> using IPv4+ Labels to the adjacent ASBR? Can you point me to the web
> page?

you can filter on the IP prefix "part" of the vpnv4 RD: update (match ip address ...), however this filter ignores the RD, so a "deny 10.0.0.1" would filter 10.0.0.1 from all vpns using this address. If you have control over the vpn's address space (i.e. if those are your "own" VPNs), it would be an option.

Filtering based on the VPN label is not possible (and would not make sense, as the label is dynamically allocated).

	oli

From stig.johansen at ementor.no Wed Aug 6 03:05:03 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 6 Aug 2008 09:05:03 +0200
Subject: [c-nsp] Extending MPLS over external providers cloud
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5033F525A@100NOOSLMSG004.common.alpharoot.net>

You should look into running several DMVPNs (using an FVRF and IVRF, as it's called), one for each VRF you want to provide at the remote sites. If you have a total of 5 VRFs, you'll have a headend with 5 different DMVPNs in 5 different VRFs and all is done with dynamic routing and setup. The CEs should run Multi-VRF.

Best regards,
Stig Meireles Johansen

-----Original message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of lists at daniels.id.au
Sent: 6.
August 2008 05:14
To: David Curran
Cc: lists at daniels.id.au; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Extending MPLS over external providers cloud

Hi David,

On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are
> you
> simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

The requirement is simply to provide multiple VRFs (3 to 5) at any remote site; the VRFs will vary site-to-site based on local requirements.

In an ethernet scenario, I agree: VRF-Lite, dot1q and away we go, but here I have a cloud in the middle connecting several (20-30) DSL sites to a head office (hub and spoke), and the thought of having to manage multiple tunnels (one per vrf) per site is making me cringe..

Or am I missing something, is there some other way to more easily manage these multiple tunnels?

Thanks,
Aaron

From perc69+cnsp at gmail.com Wed Aug 6 03:10:59 2008
From: perc69+cnsp at gmail.com (Per Carlson)
Date: Wed, 6 Aug 2008 09:10:59 +0200
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <746ca6da0808060010i5dc6120j327b6bc246a5c4b6@mail.gmail.com>

On Wed, Aug 6, 2008 at 05:14, wrote:
> ... here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..

We have successfully used PPP/L2TP in a similar scenario (multiple VRF-Lites over one logical IP interface).
What you need is a CPE supporting "L2TP Client Initiated Tunneling"[1] (available from 12.3(2)T), and a PE able to terminate PPP/L2TP and running MPLS at the same time (we are using a 7200 running 12.2(31)SB/Enterprise for this). The L2TP session is terminated in one VRF on the PE router and the PPP sessions are directed into other VRFs based on the RADIUS reply. Yup, you will need a RADIUS (or TACACS+) server for this.

[1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html

-- 
Pelle

From ncnet at sbcglobal.net Wed Aug 6 03:30:10 2008
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 06 Aug 2008 00:30:10 -0700
Subject: [c-nsp] old 6513 chassis vs sup720
In-Reply-To: 
Message-ID: 

DUAL WS-CAC2500W and WS-C6K-13SLT-FAN2 are minimum hardware requirements.

on 8/5/08 11:20 PM, Mikael Abrahamsson wrote:

> On Wed, 6 Aug 2008, Arne Larsen / Region Nordjylland wrote:
>
>> I've got a 6513 chassis, and I believe that it's very old. Can I be sure
>> that this supports sup720 ??. Is there a command that can verify this ??
>
> You need to check at least the PSUs and the fans to see if they're what's
> needed for SUP720.
>
> In my experience, not even Cisco will get it right all the time in what's
> needed to get an old chassis to work with SUP720.

~.~.~.~.~.~.~.~.~.~.~.
Larry Stites
NorCal Networks, Inc.
Nevada City, CA 95959
530-320-4194
530-265-2588 fax

From asturluismi at gmail.com Wed Aug 6 04:34:36 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 06 Aug 2008 10:34:36 +0200
Subject: [c-nsp] NAT issue with 7206 and c7200p-ik91s-mz.122-31.SB12
Message-ID: <1218011676.8499.9.camel@dsba-ipso>

Hi all,

I have a strange nat issue here; it seems not to work as it should.

#sh ip nat translations

Then I tried to..

# no ip nat inside source list 13 pool nat_08 overload
%Dynamic mapping in use, cannot remove
# no ip nat pool nat_08 1.1.1.13 1.1.1.13 netmask 255.255.255.252
%Pool nat_08 in use, cannot destroy

Why can't I remove those lines?
I also tried to do a "clear ip nat translations" and "ip clear nat translations forced" without success. I removed the "ip nat inside" and "ip nat outside" commands from the interfaces, with no effect at all, same result.

Now, I also loaded a new "ip nat inside" rule over a new "ip nat pool" rule and I just see misses in my "sh ip nat stats", and "ip nat inside" and "ip nat outside" are correct!

I will review the "open caveats" for the release, but in the meantime, if anyone on the list can give me a hand I will really appreciate it.

From saku+cisco-nsp at ytti.fi Wed Aug 6 05:06:08 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 6 Aug 2008 12:06:08 +0300
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <20080806090608.GA17116@mx.ytti.net>

On (2008-08-05 22:14 -0500), lists at daniels.id.au wrote:

> In an ethernet scenario, I agree VRF-Lite, dot1q and away we go, but here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..

Yet another solution that was not suggested yet, and which doesn't reduce your MTU either, is 'vrf select'. The problem with it is that if your customers can spoof their source address, they can get packets to different VRFs. So you'd need to run uRPF/strict on the LAN interface in the CE and make sure the CE is physically secured. It is an ugly hack, that is granted.

VRF-lite and multiple PVCs would be my preferred solution.

-- 
  ++ytti

From johnmanning.mpls at gmail.com Wed Aug 6 06:46:49 2008
From: johnmanning.mpls at gmail.com (MPLS MPLS)
Date: Wed, 6 Aug 2008 16:16:49 +0530
Subject: [c-nsp] Six cos in the core
Message-ID: 

Hello List,

Would like to know if there are any Service Providers who have implemented six CoS queues in the core.
Cisco seems to claim that for supporting the TelePresence application it needs to be queued in a dedicated queue in the SP core. Has anyone done something along these lines for supporting TelePresence rooms?

Thanks,

From dcurran at nuvox.com Wed Aug 6 07:38:28 2008
From: dcurran at nuvox.com (David Curran)
Date: Wed, 06 Aug 2008 07:38:28 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: 

mGRE?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/greL3vpn.html

> From: 
> Date: Tue, 05 Aug 2008 22:14:29 -0500
> To: David Curran
> Cc: ,
> Subject: Re: [c-nsp] Extending MPLS over external providers cloud
>
> Hi David,
>
> On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
>> Is there an actual requirement to run LDP/MPLS over these tunnels or are
>> you
>> simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or
>> VRF-Lite, whatever) works very well.
>
> The requirement is simply to provide multiple VRFs (3 to 5) at any remote
> site, the VRFs will vary site-to-site based on local requirements.
> In an ethernet scenario, I agree VRF-Lite, dot1q and away we go, but here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..
>
> Or am I missing something, is there some other way to more easily manage
> these multiple tunnels?
>
> Thanks,
> Aaron
From dcurran at nuvox.com Wed Aug 6 07:46:15 2008
From: dcurran at nuvox.com (David Curran)
Date: Wed, 06 Aug 2008 07:46:15 -0400
Subject: [c-nsp] MPLS affecting normal IP cache flows
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6818E@xmb-ams-333.emea.cisco.com>
Message-ID: 

Seems like you might need the "mpls netflow egress" command since this is a backbone interface.

> From: "Oliver Boehmer (oboehmer)"
> Date: Wed, 6 Aug 2008 08:28:24 +0200
> To: Andy Saykao ,
>
> Subject: Re: [c-nsp] MPLS affecting normal IP cache flows
>
> Andy Saykao <> wrote on Wednesday, August 06, 2008 5:19 AM:
>
>> Hi All,
>>
>> I've deployed MPLS across parts of our core network and everything
>> appears to be working fine. I've also got MPLS VPNs going which is
>> the main reason for us rolling out MPLS in the first place.
>>
>> However, I've run into a problem with netflow on one of the PE routers
>> that affects normal IP flows when mpls is enabled on the interface.
>> The PE router having this problem is a cisco 7206VXR (NPE-G1) running
> IOS
>> Version 12.3(22). Other PE routers are not showing this problem but
>> they are 7301's running a different IOS.
>>
>> What I'm finding is that when I enable "tag-switching ip" on interface
>> Gi0/2 which forms part of our MPLS core (as seen below), the netflows
>> for normal IP traffic aren't as they should be. Doing a "show ip cache
>> flow" on the PE router only shows a few flows going through for normal
>> IP traffic and we'd expect more IP cache flows to be going through
>> because lots of customers hang off this PE router. When we remove the
>> "tag-switching ip" from the interface, flows are back to normal.
> [..]
>> Any ideas as to why enabling mpls would be affecting normal IP cache
>> flows? I can only suspect that it's some IOS bug with the IOS we're
>> running.
>
> do you filter any LDP advertisements? If you just enable LDP on the
> interface (or TDP for that matter), "regular" IPv4 traffic will also be
> label-switched as LDP advertises labels for all non-BGP IPv4 prefixes in
> your RIB. Can you do a "show mpls forwarding-table " for a
> prefix you would expect to see in the cache? Do you see an incoming label
> (which is != Pop label)?
>
> oli
>

From dean at eatworms.org.uk Wed Aug 6 09:00:50 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 6 Aug 2008 14:00:50 +0100
Subject: [c-nsp] SGBP on 12.2(31)SB
Message-ID: <005601c8f7c4$74084990$5c18dcb0$@org.uk>

Has anyone got SGBP (Multichassis Multilink PPP) currently running on 12.2(31)SB on 7200s ?

It's been working just fine across a pair of 7200s running 12.3(11)T10 which got upgraded to 12.2(31)SB8 last night. (I know later SB releases are available but we're using SB8 elsewhere as well.) And the SGBP stopped working.

Appears SGBP is trying to use radius for authentication (our ppp authentication method) despite being configured with "aaa authentication sgbp local" and correct usernames to match stack groups etc. (which were working fine prior to the upgrade).

Anyone been through this one before ?

Dean

From nimal at fnbs.net Wed Aug 6 09:09:54 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Wed, 06 Aug 2008 21:09:54 +0800
Subject: [c-nsp] Excessive AMDP2_FE-3-UNDERFLO
Message-ID: <4899A2A2.4080108@fnbs.net>

Hi guys,

Need some advice.
One of the interfaces on my border routers is consistently getting AMDP2_FE-3-UNDERFLO messages during its peak usage (9am-5pm) hours. The interface FastEthernet2/0 is seeing approx 40Mbps out and 15 Mbps in.

The explanation for this error on the Cisco website is:

------------
Explanation
While transmitting a frame, the controller chip's local buffer received insufficient data because data could not be transferred to the chip fast enough to keep pace with its output rate. Normally, such a problem is temporary, depending on transient peak loads within the system.

Recommended Action
The system should recover. No action is required.
------------

I need some convincing of that. Of late, I've received a few reports of packet loss to my network, and am not sure if this transmit error has anything to do with it.

Any help is much appreciated!

FYI, the router in question is a Cisco 7206VXR. The interface is 100Mbps capable.

From justin at justinshore.com Wed Aug 6 10:31:07 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 06 Aug 2008 09:31:07 -0500
Subject:
[c-nsp] IOS-hosted DHCP rate-limiting
Message-ID: <4899B5AB.9020204@justinshore.com>

I just killed the PVC of a DSL customer that was sending exactly 115 DHCP
DISCOVER messages per second. That caused a 600% increase on the CPU of the
NPE-G1 that the PVC terminates on and the DHCP is currently being run on.
Are there any DHCP rate-limiting features built into the IOS that could be
used to throttle either how often the router will respond to certain
received queries, to queries from a single host, or the rate at which
queries can be punted to the CPU for processing?

Thanks
 Justin

From lukasz at bromirski.net Wed Aug 6 12:58:34 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 06 Aug 2008 18:58:34 +0200
Subject: [c-nsp] IOS-hosted DHCP rate-limiting
In-Reply-To: <4899B5AB.9020204@justinshore.com>
References: <4899B5AB.9020204@justinshore.com>
Message-ID: <4899D83A.7010304@bromirski.net>

Justin Shore wrote:
> I just killed the PVC of a DSL customer that was sending exactly 115
> DHCP DISCOVER messages per second. That caused a 600% increase on the
> CPU of the NPE-G1 that the PVC terminates on and the DHCP is currently
> being run on. Are there any DHCP rate-limiting features built into the
> IOS that could be used to throttle either how often the router will
> respond to certain received queries, to queries from a single host, or
> the rate at which queries can be punted to the CPU for processing?
Check the Control Plane Policing deployment guide:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

-- 
"Don't expect me to cry for all the        | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain    | http://lukasz.bromirski.net

From notrevebr at gmail.com Wed Aug 6 13:21:07 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Wed, 6 Aug 2008 14:21:07 -0300
Subject: [c-nsp] Crazy NAT
In-Reply-To: <3cf174360806191448q7dcfedfeybdfc47f6c6fd0617@mail.gmail.com>
References: <3cf174360806191436n4a229c75t9167d1c755c1e45@mail.gmail.com>
    <485AD2F3.4060101@wi.rr.com>
    <3cf174360806191448q7dcfedfeybdfc47f6c6fd0617@mail.gmail.com>
Message-ID: <3cf174360808061021v388a430arc871a95f3751ad23@mail.gmail.com>

Hi all,

I resolved this by putting the source in a route-map.

tks all...

On 6/19/08, Everton Diniz wrote:
> Yes,
> I have static entries for NAT.
>
> ip nat inside source static 10.180.26.153 10.180.20.153
> ip nat inside source static 10.180.52.70 172.30.170.201 extendable
> ip nat inside source static 10.180.52.71 172.30.170.202 extendable
> ip nat inside source static 10.180.53.70 172.30.170.203 extendable
> ip nat inside source static 10.180.53.71 172.30.170.204 extendable
> ip nat inside source static 10.180.54.70 172.30.170.205 extendable
> ip nat inside source static 10.180.54.71 172.30.170.206 extendable
> ip nat inside source static 10.180.57.70 172.30.170.207 extendable
> ip nat inside source static 10.180.57.71 172.30.170.208 extendable
> ip nat inside source static 10.180.57.73 172.30.170.209 extendable
> ip nat inside source static 10.180.57.74 172.30.170.210 extendable
> ip nat inside source static 10.180.56.70 172.30.170.211 extendable
> ip nat inside source static 10.180.56.71 172.30.170.212 extendable
> ip nat inside source static 10.1.1.210 172.30.170.221 extendable
> ip nat inside source static 10.1.1.211 172.30.170.222 extendable
>
> On 6/19/08, Wink wrote:
> > Are there other NAT statements in your config?
> >
> > Everton Diniz wrote:
> > >
> > > Hi,
> > >
> > > I have a crazy router that does NAT for a deny entry on an ACL. Whyyyy???
> > >
> > > ip nat pool nat-pool 10.250.63.2 10.250.63.254 netmask 255.255.255.0
> > > ip nat inside source list permit-nat pool nat-pool
> > > Extended IP access list permit-nat
> > >     10 deny ip host 10.180.20.70 host 10.180.50.201 log
> > >     20 deny ip host 10.180.20.96 host 10.180.50.201 log
> > >     30 deny ip host 10.180.20.159 host 10.180.50.201 log
> > >     40 deny ip 10.180.0.0 0.0.255.255 host 10.180.50.201 log (242 matches)
> > >     50 permit ip 10.180.0.0 0.0.255.255 10.252.0.0 0.1.255.255 log
> > >     60 deny ip any any log (108 matches)
> > >
> > > tcp 10.250.63.14:2984 10.180.20.70:2984 10.180.50.201:8080 10.180.50.201:8080
> > >
> > > Version 12.3(8)T5
> > >
> > > Does anyone have the same problem?
> > >
> > > Regards,
> > > Everton
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>

From rodunn at cisco.com Wed Aug 6 13:24:19 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 13:24:19 -0400
Subject: [c-nsp] SA-ISA
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>
References: <4898A217.8090403@gmail.com>
    <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>
Message-ID: <20080806172419.GM2589@rtp-cse-489.cisco.com>

That's correct. There are none.

Rodney

On Wed, Aug 06, 2008 at 08:44:50AM +0200, Oliver Boehmer (oboehmer) wrote:
> Sridhar Ayengar <> wrote on Tuesday, August 05, 2008 8:55 PM:
>
> > Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it
> > isn't, will it work anyway?
>
> it's not supported, and I strongly doubt it would work (definitely not
> when dCEF is enabled), but I wouldn't be surprised if it doesn't even
> come up.
> As far as I know, there are NO hardware encryption capabilities on the
> 7500 series..
>
>     oli

From notrevebr at gmail.com Wed Aug 6 13:25:53 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Wed, 6 Aug 2008 14:25:53 -0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <1216129215.24030.4.camel@svesken.sys.mjna.net>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
    <1216129215.24030.4.camel@svesken.sys.mjna.net>
Message-ID: <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>

Hi Peter, sorry for the delay; I tried the test again.

The host is OK, responding to the request. On the router side, after the
VPN comes up, I see the 10.139.10/24 net in the route table, and the router
encaps traffic. On the PIX side, I still see only the decaps traffic. On the
ACL L2Lnonat I see the hitcount increase, but on ACL L2L it does not.

Tks...

On 7/15/08, Peter Rathlev wrote:
> On Tue, 2008-07-15 at 10:19 -0300, Everton Diniz wrote:
> > Hi all,
> >
> > I configured a tunnel btw PIX and router. The traffic goes to the PIX but
> > does not come back. I see only encaps on the router and decaps on the
> > PIX.
> > Is anything missing?
>
> Are you sure the host in the other end is actually responding, and that
> this response goes towards the PIX? As far as I can see there's nothing
> wrong with the configuration. (I may be wrong, cf. my last mail to this
> list. :-))
>
> What happens if you try to trace from the 10.139.1.0/24 host to
> something in 10.180.0.0/16? Do you get to the PIX (i.e. can you see the
> connection in the logs)?
>
> Regards,
> Peter
>
>

From rodunn at cisco.com Wed Aug 6 13:33:21 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 13:33:21 -0400
Subject: [c-nsp] MPLS errors w/ no MPLS configured
In-Reply-To: <20080805183349.GN6869@elvis.mu.org>
References: <20080805183349.GN6869@elvis.mu.org>
Message-ID: <20080806173321.GN2589@rtp-cse-489.cisco.com>

It's cosmetic. It's an internal message that was printed when it should
have gone under a debug flag. I see it's fixed in a lot of the recent codes
but not sure if they addressed it in the SB throttle.

Rodney

On Tue, Aug 05, 2008 at 11:33:49AM -0700, bill fumerola wrote:
> anyone seeing these messages?
>
> Aug 1 02:35:58.924 UTC:
> %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated,
> prefix not in routing table
> -Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
>
> Aug 3 15:38:32.708 UTC:
> %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
> -Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
>
> i'm not sure how dangerous these messages are. on one hand, we're not
> running MPLS at all. on the other hand, i don't like errors that involve
> broken tables/memory & tracebacks.
>
> rtr1.lon#sh run | i mpls|MPLS
> no mpls traffic-eng auto-bw timers frequency 0
> rtr1.lon#sh ver | i 12.[23]
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3)
> ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1)
> BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
> rtr1.lon#
>
> there are BGP neighbors, both internal and external, on this host. no
> address-family vpn tho.
>
> -- bill

From RTeller at deltadentalwa.com Wed Aug 6 14:35:41 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 6 Aug 2008 11:35:41 -0700
Subject: [c-nsp] 6500 ACE/FWSM
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EF9@tiger.deltadentalwa.com>

Is it possible to automatically replicate what VLANs are associated to a
vlan group between two chassis?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged,
confidential and protected from disclosure. This transmission is intended for the sole
use of the individual and entity to whom it is addressed. If you are not the intended
recipient, any dissemination, distribution or copying is strictly prohibited. If you
think that you have received this message in error, please e-mail the sender at the above
e-mail address.
#########################################################

From junaid.x86 at gmail.com Wed Aug 6 16:15:37 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Thu, 7 Aug 2008 02:15:37 +0600
Subject: [c-nsp] EoMPLS between C7206 and C3845
Message-ID:

Hi,

I am trying to make EoMPLS (VLAN mode) work between a 7206VXR (NPE400)
running c7200-jk9s-mz.123-21.bin and a 3845 running
c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are connected
back-to-back via FastEthernet.
The customers are connected via a switch connected to each PE:

CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2

The control plane comes up without any issue:

C7200-PE1#sh mpls l2transport vc de
Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
  Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
    Next hop: XXXXXX (ip of PE2's interface connected with PE1)
    Output interface: Fa3/0, imposed label stack {234}
  Create time: 04:55:52, last status change time: 04:22:07
  Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
    MPLS VC labels: local 2207, remote 234
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: MPLS TEST
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 658, send 558
    byte totals:   receive 61117, send 57759
    packet drops:  receive 0, send 0

C3845-PE2#sh mpls l2transport vc de
Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
  Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
    Next hop: XXXXXX (ip of PE1's interface connected with PE2)
    Output interface: Gi0/0, imposed label stack {2207}
  Create time: 05:06:06, last status change time: 04:42:00
  Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
    MPLS VC labels: local 234, remote 2207
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: MPLS test
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 807, send 697
    byte totals:   receive 81235, send 63925
    packet drops:  receive 0, seq error 0, send 0

But the data plane is having severe issues. I cannot ping end-to-end from
the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE connected
to the 3845), ARP works and I am able to send a ping packet to CE1. But CE1
never receives it. On the other side, CE2 does not get replies to its own
ARP requests.
Once I statically bind the MAC address of CE2 on CE1, CE1 sends an ICMP
packet to CE2 and CE2 replies to it, but CE1 never receives the reply. It
seems that the communication is one way, from CE1 (the one behind the C7206)
to CE2 (the one behind the C3845) and not the other way round. I replaced
the C3845 with a C7206 and there was no issue in the data plane.

My question is, with the IOS I used for the C3845, is EoMPLS not supported
on it? As per Cisco's documentation, EoMPLS is supported on the IOS I used
for the C3845. Anyone have any experience running EoMPLS on a C3845?

Another thing I noted was in the following output from the C3845: it shows
MRU=0 and also there was no outgoing interface attached:

C3845-PE2#sh mpls forwarding-table labels 234 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
234                l2ckt(100)        50732      none       point2point
        MAC/Encaps=0/0, MRU=0, Tag Stack{}
        No output feature configured

While on the C7206, the output was as it should be:

C7200-PE1#sh mpls forwarding-table labels 2207 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
        MAC/Encaps=0/0, MRU=1500, Tag Stack{}
        No output feature configured

Any explanations/solutions?

Regards,
Junaid

From rodunn at cisco.com Wed Aug 6 16:29:11 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 16:29:11 -0400
Subject: [c-nsp] Do Adtrans reorder frames with MLFR per DLCI?
Message-ID: <20080806202911.GH2589@rtp-cse-489.cisco.com>

Ok...I'll ask for help for once. :)

Does anyone here know if Adtran or Juniper CPEs reorder frames on receive
of a MLFR bundle per section 4.2.3.2 of the FRF16 specification?
Rodney

From lists at hojmark.org Wed Aug 6 18:25:41 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 7 Aug 2008 00:25:41 +0200
Subject: [c-nsp] IOS SLB support
In-Reply-To:
References: <000501c80f72$d3245080$280a0a0a@hojmark.net>
    <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com>
Message-ID: <3E71080198FB4BE595B6F956901ECA37@hojmark.net>

> If we can upgrade to SRC and save ourselves $10K+ in redundant
> load balancers (traffic rates would be 2-4 Mbps), I would like
> to do that, but if SRC is generally "too new", then perhaps I
> need to reconsider.

It's funny you should mention 10k$, 'cause that's exactly the price of the
IOS SLB license for the 7600 (FR-IOSSLB)...

-A

From tvarriale at comcast.net Wed Aug 6 18:15:22 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 6 Aug 2008 17:15:22 -0500
Subject: [c-nsp] 6500 ACE/FWSM
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EF9@tiger.deltadentalwa.com>
Message-ID: <03FB3AE1D11945A6B3E277E1F4E2D815@flamalam>

Not that I know of. It's a per box, per card config.

tv

----- Original Message ----- 
From: "Teller, Robert"
To:
Sent: Wednesday, August 06, 2008 1:35 PM
Subject: [c-nsp] 6500 ACE/FWSM

> Is it possible to automatically replicate what VLANs are associated to a
> vlan group between two chassis?
>
>
>
> Robert Teller
> Washington Dental Service
> Network Administrator
> (206) 528-2371
> RTeller at DeltaDentalWa.com
>
>
>
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be
> privileged, confidential and protected from disclosure. This transmission
> is intended for the sole use of the individual and entity to whom it is
> addressed. If you are not the intended recipient, any dissemination,
> distribution or copying is strictly prohibited. If you think that you have
> received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################

From zhassan at gmx.net Wed Aug 6 19:13:46 2008
From: zhassan at gmx.net (Zahid Hassan)
Date: Thu, 7 Aug 2008 00:13:46 +0100
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
In-Reply-To: <489073C7.5020003@utc.edu>
References: <489073C7.5020003@utc.edu>
Message-ID: <002901c8f81a$147e2a70$014fa8c0@xp1>

Dear All,

Is there any command on the Sup2 equivalent to "sh mls cef maximum-routes"
on a Sup720? I am currently running a full feed on a few of my Sup2s and
about 1K VPNv4 routes, and am a bit concerned about its limit.

Any comment or input will be greatly appreciated.

ZH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: 30 July 2008 15:00
To: cisco-nsp
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...

Quick question for someone that's "been there done that" from someone who
has said "I thought it would work" more often than I'd like :-)

Can you get a full BGP feed (two peers) into a Sup2? with uRPF? Which RAM
needs to be upgraded? I found out the hard way it won't fit into a
SUP2/MSFC2/PFC2 w/256Mb. Will 512Mb do it? Can you put 512Mb in a Sup2
(some 3rd-party pages imply 256 is max, another says a "Sup2U" can do 512)?
Do you upgrade the Sup2 memory or one of the daughtercards, or both?
Jeff

From gtb at slac.stanford.edu Wed Aug 6 19:05:06 2008
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 6 Aug 2008 16:05:06 -0700
Subject: [c-nsp] IOS SLB support
In-Reply-To: <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
References: <000501c80f72$d3245080$280a0a0a@hojmark.net>
    <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com>
    <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
Message-ID:

> It's funny you should mention 10k$, 'cause that's exactly the
> price of the IOS SLB license for the 7600 (FR-IOSSLB)...

On a related (but slightly orthogonal) note, I really wish Cisco made it
easier to find what features require what licenses (and what they were
called). In a previous life, I knew that I needed a "BGP" license for a
6500, but it took what seemed like an inordinate period to get the 6500
part number to get the license(*) (and of course now the license has been
eliminated, since it is included in the IP Services and above feature set,
unless what you want is the IS-IS part of the old "Interdomain Routing
Feature", which now requires an Advanced Services feature set).

(And how many knew that if one changed a redundant 6500 Sup1A to a primary
there is an additional license code to order? I didn't. SUP1A-2GE-U-LIC=)

Gary

(*) Probably due to miscommunications on my part.

From nachocheeze at gmail.com Wed Aug 6 21:30:01 2008
From: nachocheeze at gmail.com (nachocheeze at gmail.com)
Date: Wed, 6 Aug 2008 20:30:01 -0500
Subject: [c-nsp] Strange vlan behavior
Message-ID:

We've got a network I'm looking at that is predominately L2 switched; a
tangent of the old router-on-a-stick; some routing, but mostly switching.
I fired up Wireshark on my laptop recently to diagnose something, and
noticed something a bit odd.
Here's a smaller version of the network with a problem where I can't quite
figure out what is going on.

HostX, HostY, and MyLaptop are all on the same L2 vlan / L3 IP network
(we'll say VLAN 31 and network 172.16.31.0/24). Switches A, B, C, and D are
all lower end Cisco L2 only switches; Routers 1 and 2 are L2/L3 Catalyst
6500/MSFC. Currently, the L3 SVI for VLAN 31 lives on Router 1, but I've
tried moving it to Router 2 and the same problem keeps happening.

All links are 802.1q trunks. There are certain networks defined on Router 1,
and different networks that are defined on Router 2. However, for some of
those networks, there are hosts attached at user-level switches at both
"north" and "south" ends (yes, all the L2 vlans do span from end to end
across every dotq trunk, and I *KNOW* it's a bad design. It was born of a
specific necessity and needs to change ASAP, but right now it isn't
possible). Router1 and Router2, in addition to being fully trunked, also
have a dedicated numbered "routed vlan" that is used to route the disparate
user networks between them.

This is a scaled down version of the topology.

    HostX                    HostY
      |                        |
    -----------------------------
                 Switch D
                    |
                 Switch C
                    |
     Router 1 (multiple vlans/SVIs)
                    |
     Router 2 (multiple vlans/SVIs)
                    |
                 Switch B
                    |
                 Switch A
                    |
                 MyLaptop

What I noticed that is making no sense is the following: when sniffing my
network interface on MyLaptop, I can from time to time see snippets of
traffic that transit directly between HostX and HostY. This is not ARP
(broadcast) traffic, or multicast traffic, but direct station to station
unicast traffic between X and Y. Not *all* their traffic, like a SPAN port,
but just little snippets here and there (sometimes a few ICMP packets,
sometimes a couple of HTTP packets, etc). A sniff of MyLaptop's NIC shows
the source IP address / source MAC address of HostX attempting a unicast
transaction to the destination IP address / destination MAC address of
HostY.
Again, I'm seeing that unicast transaction directly from my laptop's tcpdump
from several trunk links away.

I've checked this with other L2 end-user switches that are on the same
vlan/subnet in the north/south ends, and they all see this same kind of
issue too. That means it's happening pretty much everywhere the vlan is
trunked, and possibly on other vlans. From the way I understand it, apart
from maybe some ARP traffic if HostA and HostB don't know each other's L2
address, I should never see it; the traffic between HostA and HostB should
stay on Switch Y for their entire conversation.

I've checked everything in the path between stations, and nothing that I
can find has been miscabled, no port monitoring is turned on anywhere, etc.
Ideas for what I should start looking at? (besides a total retrofit of the
design; that's in the works.)

From hsa at ntt.net.id Wed Aug 6 22:44:09 2008
From: hsa at ntt.net.id (Hendry)
Date: Thu, 07 Aug 2008 09:44:09 +0700
Subject: [c-nsp] EoMPLS between C7206 and C3845
In-Reply-To:
References:
Message-ID: <489A6179.5060406@ntt.net.id>

Interesting. AFAIK the 38xx series didn't support MPLS L2VPN (CMIW). AToM is
only supported on the 72xx platform and above, while VPLS is only supported
on 76xx and above. To be honest with you, I never tested it on a 38xx, but
the interesting thing is that the VC on both sides shows up :) but with some
odd result on the 38xx: label 234 didn't seem to be pushed onto the proper
interface.

Also, if both end VCs have VCCV capabilities, it might be worth testing with
an MPLS LSP check, aka "ping mpls pseudowire _neighbor-PE_ _vc-number_",
from both PE1 and PE2.

There's also a solution for providing L2VPN to customers by using L2TPv3,
which defines the control protocol as well as the encapsulation procedures
for tunneling multiple Layer 2 connections between two IP-connected nodes
(without MPLS); not sure though whether it is supported on the 38xx platform,
nor have I tested it personally in the lab.
my 0.2+

-- 
hsa

Junaid wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) work between a 7206VXR
> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running
> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are
> connected back-to-back via FastEthernet. The customers are connected
> via a switch connected to each PE:
>
> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
> C7200-PE1#sh mpls l2transport vc de
> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE2's interface connected with PE1)
>     Output interface: Fa3/0, imposed label stack {234}
>   Create time: 04:55:52, last status change time: 04:22:07
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
>     MPLS VC labels: local 2207, remote 234
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS TEST
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 658, send 558
>     byte totals:   receive 61117, send 57759
>     packet drops:  receive 0, send 0
>
>
> C3845-PE2#sh mpls l2transport vc de
> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE1's interface connected with PE2)
>     Output interface: Gi0/0, imposed label stack {2207}
>   Create time: 05:06:06, last status change time: 04:42:00
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
>     MPLS VC labels: local 234, remote 2207
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS test
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 807, send 697
>     byte totals:   receive 81235, send 63925
>     packet drops:  receive 0, seq error 0, send 0
>
>
> But the data plane is having severe issues.
> I cannot ping end-to-end
> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
> connected to the 3845), ARP works and I am able to send a ping packet to
> CE1. But CE1 never receives it. On the other side, CE2 does not get
> replies to its own ARP requests. Once I statically bind the MAC
> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
> to it, but CE1 never receives the reply. It seems that the communication
> is one way, from CE1 (the one behind the C7206) to CE2 (the one behind the
> C3845) and not the other way round. I replaced the C3845 with a C7206 and
> there was no issue in the data plane.
>
> My question is, with the IOS I used for the C3845, is EoMPLS not supported
> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
> used for the C3845. Anyone have any experience running EoMPLS on a C3845?
>
> Another thing I noted was in the following output from the C3845: it shows
> MRU=0 and also there was no outgoing interface attached:
>
> C3845-PE2#sh mpls forwarding-table labels 234 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 234                l2ckt(100)        50732      none       point2point
>         MAC/Encaps=0/0, MRU=0, Tag Stack{}
>         No output feature configured
>
> While on the C7206, the output was as it should be:
>
> C7200-PE1#sh mpls forwarding-table labels 2207 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>         MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>         No output feature configured
>
>
> Any explanations/solutions?
>
>
>
> Regards,
>
> Junaid
>
>

From vikassharmas at gmail.com Wed Aug 6 23:01:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 7 Aug 2008 08:31:23 +0530
Subject: [c-nsp] F5 firepass - MPLS connectivity
Message-ID:

Hi,

Has anyone used F5's FirePass to connect to an MPLS VPN? If yes, please let
me know how.

Regards,
Vikas Sharma

From stretch at packetlife.net Wed Aug 6 22:21:40 2008
From: stretch at packetlife.net (Jeremy Stretch)
Date: Thu, 07 Aug 2008 05:21:40 +0300
Subject: [c-nsp] Strange vlan behavior
In-Reply-To:
References:
Message-ID: <489A5C34.9020908@packetlife.net>

This is normal if the receiving station is normally quiet (as are many
Linux/UNIX boxes). Keep in mind that a switch will flood a frame if it
doesn't have a CAM entry for the destination address. Check the MAC address
table aging time (show mac-address-table aging-time) on the switches; I
believe the default is 300 seconds. If the receiving station hasn't
transmitted any traffic in the last 300 seconds, its entry in the switch's
CAM will be purged and all traffic destined for that host will be flooded
out all ports until the switch relearns the host's location.

If this is only happening sporadically, and only at the very beginning of a
conversation, it's normal to see a stray packet or two. If it's very
frequent, however, your switches might be running out of CAM space (possibly
an indication of a DoS attack; use 'show mac-address-table count' to inspect
all known MAC addresses). If the leaked frames can't be tolerated, consider
raising the aging timer or configuring static MAC addresses on each
interface.
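Jeremy's explanation above, illustrated with an added example that is not part of the original message: a Python model of the scaled-down topology from the thread, using the 300 s default aging time he cites. The MAC addresses, port names, the tiny CAM capacity and the "OtherHosts" port are all constructed for the demonstration.

```python
"""Unknown-unicast flooding across trunked L2 switches (constructed model).
HostX and HostY hang off Switch D, MyLaptop off Switch A, and VLAN 31 is trunked
D - C - Router1 - Router2 - B - A (the 6500s act as plain L2 switches here). A
frame whose destination MAC is not in a switch's table is flooded out every port
but the ingress one, so an aged-out HostY entry leaks HostX's frames to MyLaptop.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300   # IOS default shown by "show mac-address-table aging-time"
CAM_CAPACITY = 6      # constructed, deliberately tiny, to show CAM exhaustion

# Constructed MAC addresses for the three hosts in the thread.
MAC = {"HostX": "00:aa:00:00:00:01", "HostY": "00:aa:00:00:00:02",
       "MyLaptop": "00:aa:00:00:00:03"}


@dataclass
class Switch:
    name: str
    capacity: int = CAM_CAPACITY
    ports: dict = field(default_factory=dict)   # port -> Switch or host name
    cam: dict = field(default_factory=dict)     # mac -> (port, last_seen)

    def port_to(self, neighbour):
        return next(p for p, n in self.ports.items() if n is neighbour)

    def age_out(self, now):
        """Purge entries idle for longer than the aging time."""
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]:
            del self.cam[mac]

    def learn(self, mac, port, now):
        """Learn the source MAC behind `port`; a full CAM takes no new entries."""
        self.age_out(now)
        if mac in self.cam or len(self.cam) < self.capacity:
            self.cam[mac] = (port, now)

    def forward(self, src, dst, in_port, now, seen_by):
        """Switch one frame; `seen_by` collects every host NIC that receives it."""
        self.learn(src, in_port, now)
        hit = self.cam.get(dst)
        if hit and hit[0] == in_port:
            return []          # destination lives on the ingress segment: filter it
        # Known destination: one port. Unknown unicast: flood all other ports.
        out_ports = [hit[0]] if hit else [p for p in self.ports if p != in_port]
        for port in out_ports:
            nbr = self.ports[port]
            if isinstance(nbr, Switch):
                nbr.forward(src, dst, nbr.port_to(self), now, seen_by)
            else:
                seen_by.add(nbr)
        return out_ports


def build_network():
    """Return (switches by name, host -> (switch, port)) for the scaled-down topology."""
    chain = [Switch(n) for n in ("D", "C", "Router1", "Router2", "B", "A")]
    for up, down in zip(chain, chain[1:]):
        up.ports[f"trunk-to-{down.name}"] = down
        down.ports[f"trunk-to-{up.name}"] = up
    switches = {s.name: s for s in chain}
    attach = {"HostX": (switches["D"], "Fa0/1"), "HostY": (switches["D"], "Fa0/2"),
              "MyLaptop": (switches["A"], "Fa0/1")}
    for host, (sw, port) in attach.items():
        sw.ports[port] = host
    return switches, attach


def send(attach, src, dst, now):
    """`src` originates a unicast frame to `dst`; returns the set of NICs that saw it."""
    sw, port = attach[src]
    seen = set()
    sw.forward(MAC[src], MAC[dst], port, now, seen)
    return seen


def run_scenario():
    """Replay the thread: a stray frame at conversation start, none while both hosts
    talk, and a leak again once HostY has been silent longer than the aging time."""
    _, attach = build_network()
    leaks = {}
    leaks["first_frame"] = "MyLaptop" in send(attach, "HostY", "HostX", now=0)
    leaks["reply"] = "MyLaptop" in send(attach, "HostX", "HostY", now=1)
    # HostY says nothing for 400 s, so every switch on the path purges its entry.
    leaks["after_idle"] = "MyLaptop" in send(attach, "HostX", "HostY", now=401)
    send(attach, "HostY", "HostX", now=402)   # HostY answers; Switch D relearns it
    leaks["after_relearn"] = "MyLaptop" in send(attach, "HostX", "HostY", now=403)
    return leaks


def run_cam_exhaustion():
    """Switch D's CAM is full of other active hosts, so HostY is never relearned and
    frames to it keep flooding D's other access ports even while HostY is chatty."""
    switches, attach = build_network()
    d = switches["D"]
    d.ports["Fa0/3"] = "OtherHosts"   # constructed access port with several hosts behind it
    for i in range(CAM_CAPACITY):     # constructed MACs fill the table
        d.learn(f"00:bb:00:00:00:{i:02x}", "Fa0/3", now=500)
    send(attach, "HostY", "HostX", now=501)   # HostY talks, but D has no room to learn it
    seen = send(attach, "HostX", "HostY", now=502)
    return {"leak_to_other_ports": "OtherHosts" in seen,
            "reached_mylaptop": "MyLaptop" in seen,   # Switch C learned HostY and filters
            "cam_full": len(d.cam) >= d.capacity}
```

`run_scenario()` reproduces the sporadic leaks the original poster saw, while `run_cam_exhaustion()` shows why a near-full table (the `show mac-address-table count` check Jeremy mentions) turns them into a persistent flood on the affected switch.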
--- 
Jeremy Stretch
http://packetlife.net

nachocheeze at gmail.com wrote:
> We've got a network I'm looking at that is predominately L2 switched;
> a tangent of the old router-on-a-stick; some routing, but mostly
> switching. I fired up Wireshark on my laptop recently to diagnose
> something, and notic
ed something a bit odd. Here's a smaller version
> of the network with a problem where I can't quite figure out what is
> going on.
>
> HostX, HostY, and MyLaptop are all on the same L2 vlan / L3 IP network
> (we'll say VLAN 31 and network 172.16.31.0/24). Switches A, B, C, and D
> are all lower end Cisco L2 only switches; Routers 1 and 2 are L2/L3
> Catalyst 6500/MSFC. Currently, the L3 SVI for VLAN 31 lives on Router
> 1, but I've tried moving it to Router 2 and the same problem keeps
> happening.
>
> All links are 802.1q trunks. There are certain networks defined on
> Router 1, and different networks that are defined on Router 2.
> However, for some of those networks, there are hosts attached at
> user-level switches at both "north" and "south" ends (yes, all the L2
> vlans do span from end to end across every dotq trunk, and I *KNOW*
> it's a bad design. It was born of a specific necessity and needs to
> change ASAP, but right now it isn't possible). Router1 and Router2, in
> addition to being fully trunked, also have a dedicated numbered "routed
> vlan" that is used to route the disparate user networks between them.
>
> This is a scaled down version of the topology.
>
>     HostX                    HostY
>       |                        |
>     -----------------------------
>                  Switch D
>                     |
>                  Switch C
>                     |
>      Router 1 (multiple vlans/SVIs)
>                     |
>      Router 2 (multiple vlans/SVIs)
>                     |
>                  Switch B
>                     |
>                  Switch A
>                     |
>                  MyLaptop
>
> What I noticed that is making no sense is the following: when sniffing
> my network interface on MyLaptop, I can from time to time see snippets
> of traffic that transit directly between HostX and HostY.
> This is not ARP (broadcast) traffic, or multicast traffic, but direct
> station-to-station unicast traffic between X and Y. Not *all* their traffic,
> like a SPAN port, but just little snippets here and there (sometimes a
> few ICMP packets, sometimes a couple of HTTP packets, etc). A sniff
> of MyLaptop's NIC shows the source IP address / source MAC address of
> HostX attempting a unicast transaction to the destination IP address /
> destination MAC address of HostY. Again, I'm seeing that unicast
> transaction directly from my laptop's tcpdump from several trunk links
> away.
>
> I've checked this with other L2 end-user switches that are on the same
> vlan/subnet in the north/south ends, and they all see this same kind
> of issue too. That means it's happening pretty much everywhere the
> vlan is trunked, and possibly on other vlans. From the way I
> understand it, apart from maybe some ARP traffic if HostA and HostB don't
> know each other's L2 address, I should never see it; the traffic
> between HostA and HostB should stay on Switch Y for their entire
> conversation.
>
> I've checked everything in the path between stations, and nothing that
> I can find has been miscabled, no port monitoring is turned on
> anywhere, etc. Ideas for what I should start looking at? (besides a
> total retrofit of the design; that's in the works.)
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From agristina+cisco-nsp at gmail.com Wed Aug 6 23:20:40 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Wed, 6 Aug 2008 20:20:40 -0700
Subject: [c-nsp] F5 firepass - MPLS connectivity
In-Reply-To:
References:
Message-ID: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>

FirePass is SSL VPN. As far as I know it doesn't speak MPLS at all.
If you are on the customer side of the CE device, it won't matter that
it doesn't speak MPLS and you can use it for SSL VPN termination as it
was intended.

On Wed, Aug 6, 2008 at 8:01 PM, Vikas Sharma wrote:
> Hi,
>
> Has anyone used F5's FirePass to connect to an MPLS VPN? If yes, please let me
> know how.
>
> Regards,
> Vikas Sharma
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From rodunn at cisco.com Thu Aug 7 00:33:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 7 Aug 2008 00:33:59 -0400
Subject: [c-nsp] EoMPLS between C7206 and C3845
In-Reply-To:
References:
Message-ID: <20080807043359.GC8990@rtp-cse-489.cisco.com>

Can you load 12.4(15)T6 on the 3845?

There was a bug with L2TPv3 where the interface didn't go into promiscuous
mode to accept the frames, so it would look like a one-way PW.

Check 'sh ip int' or 'sh controller' on the 3845.

The outgoing interface does look odd too.

Rodney

On Thu, Aug 07, 2008 at 02:15:37AM +0600, Junaid wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) work between a 7206VXR
> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running
> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are
> connected back-to-back via FastEthernet.
> The customers are connected
> via a switch connected to each PE:
>
> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
> C7200-PE1#sh mpls l2transport vc de
> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE2's interface connected with PE1)
>     Output interface: Fa3/0, imposed label stack {234}
>   Create time: 04:55:52, last status change time: 04:22:07
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
>     MPLS VC labels: local 2207, remote 234
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS TEST
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 658, send 558
>     byte totals: receive 61117, send 57759
>     packet drops: receive 0, send 0
>
>
> C3845-PE2#sh mpls l2transport vc de
> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE1's interface connected with PE2)
>     Output interface: Gi0/0, imposed label stack {2207}
>   Create time: 05:06:06, last status change time: 04:42:00
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
>     MPLS VC labels: local 234, remote 2207
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS test
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 807, send 697
>     byte totals: receive 81235, send 63925
>     packet drops: receive 0, seq error 0, send 0
>
>
> But the data plane is having severe issues. I cannot ping end-to-end
> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
> connected to the 3845), ARP works and I am able to send a ping packet to
> CE1. But CE1 never receives it. On the other side, CE2 does not get
> replies to its own ARP requests.
> Once I statically bind the mac
> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
> to it, but CE1 never receives the reply. It seems that the communication
> is one way, from CE1 (the one behind the C7206) to CE2 (the one behind the
> C3845) and not the other way round. I replaced the C3845 with a C7206 and
> there was no issue in the data plane.
>
> My question is: with the IOS I used for the C3845, is EoMPLS not supported
> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
> used for the C3845. Anyone have any experience running EoMPLS on a C3845?
>
> Another thing I noted was in the following output from the C3845: it shows
> MRU=0 and also there was no outgoing interface attached:
>
> C3845-PE2#sh mpls forwarding-table labels 234 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 234                l2ckt(100)        50732      none       point2point
>         MAC/Encaps=0/0, MRU=0, Tag Stack{}
>         No output feature configured
>
> While on the C7206, the output was as it should be:
>
> C7200-PE1#sh mpls forwarding-table labels 2207 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>         MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>         No output feature configured
>
>
> Any explanations/solutions?
> >
> > Regards,
> > Junaid
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From vikassharmas at gmail.com Thu Aug 7 02:19:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 7 Aug 2008 11:49:23 +0530
Subject: [c-nsp] F5 firepass - MPLS connectivity
In-Reply-To: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>
References: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>
Message-ID:

Thanks Andrew,

Actually I was looking for vrf-lite or vlan-to-vrf mapping kind of
functionality. I know it can provide SSL VPN, but can I use this device to
connect the user directly to MPLS? I mean, the user connects to FirePass and
then, based on which vlan the user is in, I can map that vlan to a vrf and
forward it to the appropriate MPLS VPN.

Regards,
Vikas Sharma

On 8/7/08, Andrew Gristina wrote:
>
> FirePass is SSL VPN. As far as I know it doesn't speak MPLS at all.
> If you are on the customer side of the CE device, it won't matter that
> it doesn't speak MPLS and you can use it for SSL VPN termination as it
> was intended.
>
> On Wed, Aug 6, 2008 at 8:01 PM, Vikas Sharma wrote:
> > Hi,
> >
> > Has anyone used F5's FirePass to connect to an MPLS VPN? If yes, please let
> > me know how.
> >
> > Regards,
> > Vikas Sharma
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

From asturluismi at gmail.com Thu Aug 7 06:55:47 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 12:55:47 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
Message-ID: <1218106547.13339.13.camel@dsba-ipso>

Hi all,

I have a strange behaviour here with two 3750 stacks.

My AAA config is...
aaa group server tacacs+ tac-plus
 server 10.10.10.10
!
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local-case
aaa authentication login console group tacacs+ local-case
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting send stop-record authentication failure vrf default
aaa accounting suppress null-username
aaa accounting update newinfo jitter maximum 0
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host 10.10.10.10 single-connection
tacacs-server timeout 10
no tacacs-server directed-request
tacacs-server key 7 xxxx
!
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh

The TACACS software is "tac-plus F4.0.4.alpha-12" running on a Linux box.

The configuration is quite simple:

$ cat /etc/tac-plus/tacacs.conf
accounting file = /var/log/tac-plus/account
# default authorization = permit

key = xxxx

user = DEFAULT {
    default service = permit
}

user = myuser {
    name = "Uh"
    member = oper3
    login = des blablablabla
    service = exec {}
    service = shell {}
}

That configuration is working perfectly on 2950 and 2960 switches but not on
3750 stacks. I am only able to get access by ssh. Telnet reports
"authorization failed"; I did a debug but I didn't find the reason.
But that is not the end of the story, if I am logged in the 3750 stack with a ssh session I am able to do a telnet to it and use my TACACs credentials without problems. I have the same behaviour in 2 3750 stacks one of them is running c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running c3750-ipservicesk9-mz.122-44.SE1 I didn't review yet the open and solved caveats for the next releases for that IOS -if there is a new release-, neither I can't remember to see any issue with AAA when I checked both "release notes". Any comment will be appreciated. Thanks. From nic.tjirkalli at za.verizonbusiness.com Thu Aug 7 07:52:30 2008 From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli) Date: Thu, 7 Aug 2008 13:52:30 +0200 (SAST) Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack In-Reply-To: <1218106547.13339.13.camel@dsba-ipso> References: <1218106547.13339.13.camel@dsba-ipso> Message-ID: howdy ho, > Hi all, > > I have a strange behaviour here with two 3750 stacks. > > My AAA config is... > > aaa group server tacacs+ tac-plus > server 10.10.10.10 > ! > aaa authentication attempts login 2 > aaa authentication login default group tacacs+ local-case > aaa authentication login console group tacacs+ local-case > aaa authorization exec default group tacacs+ local > aaa authorization network default group tacacs+ local > aaa accounting send stop-record authentication failure vrf default > aaa accounting suppress null-username > aaa accounting update newinfo jitter maximum 0 > aaa accounting exec default start-stop group tacacs+ > aaa accounting commands 0 default start-stop group tacacs+ > aaa accounting commands 1 default start-stop group tacacs+ > aaa accounting commands 15 default start-stop group tacacs+ > aaa accounting network default start-stop group tacacs+ > aaa accounting connection default start-stop group tacacs+ > aaa accounting system default start-stop group tacacs+ > ! 
> tacacs-server host 10.10.10.10 single-connection > tacacs-server timeout 10 > no tacacs-server directed-request > tacacs-server key 7 xxxx > ! > line con 0 > exec-timeout 15 0 > logging synchronous > line vty 0 4 > access-class 1 in > exec-timeout 15 0 > logging synchronous > transport input telnet ssh > line vty 5 15 > access-class 1 in > exec-timeout 15 0 > logging synchronous > transport input telnet ssh > > The TACACs software is "tac-plus F4.0.4.alpha-12" running in a linux > box. > > The configuration is quite simple: > > $ cat /etc/tac-plus/tacacs.conf > accounting file = /var/log/tac-plus/account > # default authorization = permit > > key = xxxx > > user = DEFAULT { > default service = permit > } > > user = myuser { > name = "Uh" > member = oper3 > login = des blablablabla > service = exec {} > service = shell {} maybe add default service = permit here > } > > iF that fails, maybe try on aaa config of box to add :- aaa authorization commands 1 default local group tacacs+ if-authenticated aaa authorization commands 15 default local group tacacs+ if-authenticated good luck > That configuration is working perfectly in 2950 and 2960 switches but > not in 3750 stacks. > I am just able to get access only by ssh. > Telnet reports "authorization failed", i did a debug but I didn't find > the reason. > But that is not the end of the story, if I am logged in the 3750 stack > with a ssh session I am able to do a telnet to it and use my TACACs > credentials without problems. > > I have the same behaviour in 2 3750 stacks one of them is running > c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running > c3750-ipservicesk9-mz.122-44.SE1 > > I didn't review yet the open and solved caveats for the next releases > for that IOS -if there is a new release-, neither I can't remember to > see any issue with AAA when I checked both "release notes". > > Any comment will be appreciated. > > Thanks. 
> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > --------------------------------------------------------------------- It is easier to fight for one's principles than to live up to them Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information:http:// www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. From frnkblk at iname.com Thu Aug 7 08:45:33 2008 From: frnkblk at iname.com (Frank Bulk - iNAME) Date: Thu, 7 Aug 2008 07:45:33 -0500 Subject: [c-nsp] IOS SLB support In-Reply-To: <3E71080198FB4BE595B6F956901ECA37@hojmark.net> References: <000501c80f72$d3245080$280a0a0a@hojmark.net><67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com> <3E71080198FB4BE595B6F956901ECA37@hojmark.net> Message-ID: You're kidding....I presumed it was a feature in the native code. Now external boxes don't seem that bad. Frank -----Original Message----- From: Asbjorn Hojmark - Lists [mailto:lists at hojmark.org] Sent: Wednesday, August 06, 2008 5:26 PM To: frnkblk at iname.com; 'Arie Vayner (avayner)' Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] IOS SLB support > If we can upgrade to SRC and save ourselves $10K+ in redundant > load balancers (traffic rates would be 2-4 Mbps), I would like > to do that, but if SRC is generally "too new", then perhaps I > need to reconsider. It's funny you should mention 10k$, 'cause that's exactly the price of the IOS SLB license for the 7600 (FR-IOSSLB)... 
-A

From asturluismi at gmail.com Thu Aug 7 09:10:04 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 15:10:04 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To:
References: <1218106547.13339.13.camel@dsba-ipso>
Message-ID: <1218114604.13339.18.camel@dsba-ipso>

Hi,

I tried the changes you told me, same result.

On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> aaa authorization commands 1 default local group tacacs+
> if-authenticated
> aaa authorization commands 15 default local group tacacs+
> if-authenticated

From lsawyer at gci.com Thu Aug 7 11:09:13 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Thu, 7 Aug 2008 07:09:13 -0800
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To: <1218114604.13339.18.camel@dsba-ipso>
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>

Here's the AAA config on my 3750, which seems to work fine:

aaa new-model
aaa group server tacacs+ Cisco_secure
 server 192.168.4.22
!
aaa authentication login default group Cisco_secure enable
aaa authentication enable default enable
aaa authorization exec default group Cisco_secure none
aaa authorization commands 15 default group Cisco_secure none
aaa authorization network default group Cisco_secure none
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group Cisco_secure
aaa accounting commands 1 default stop-only group Cisco_secure
aaa accounting commands 15 default stop-only group Cisco_secure
aaa accounting network default start-stop group Cisco_secure
aaa accounting connection default start-stop group Cisco_secure
aaa accounting system default stop-only group Cisco_secure
!
aaa session-id common

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Thursday, August 07, 2008 5:10 AM
> To: Nic Tjirkalli
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Very Strange AAA behaviour in a 3750 stack
>
> Hi,
>
> I tried the changes you told me, same result.
>
> On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> > aaa authorization commands 1 default local group tacacs+
> > if-authenticated aaa authorization commands 15 default local group
> > tacacs+ if-authenticated
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From asturluismi at gmail.com Thu Aug 7 11:46:34 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 17:46:34 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>
Message-ID: <1218123994.13339.24.camel@dsba-ipso>

Hi Leif,

Are you able to use the TACACS credentials on the console port and with
telnet? I am only able to use TACACS credentials using ssh. Telnet only
works if I have another session open through ssh. Console access doesn't
work with TACACS, but I didn't check it yet.

On Thu, 07-08-2008 at 07:09 -0800, Leif Sawyer wrote:
> Here's the AAA config on my 3750, which seems to work fine:
>
> aaa new-model
> aaa group server tacacs+ Cisco_secure
>  server 192.168.4.22
> !
> aaa authentication login default group Cisco_secure enable > aaa authentication enable default enable > aaa authorization exec default group Cisco_secure none > aaa authorization commands 15 default group Cisco_secure none > aaa authorization network default group Cisco_secure none > aaa accounting send stop-record authentication failure > aaa accounting exec default start-stop group Cisco_secure > aaa accounting commands 1 default stop-only group Cisco_secure > aaa accounting commands 15 default stop-only group Cisco_secure > aaa accounting network default start-stop group Cisco_secure > aaa accounting connection default start-stop group Cisco_secure > aaa accounting system default stop-only group Cisco_secure > ! > aaa session-id common > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi > > Sent: Thursday, August 07, 2008 5:10 AM > > To: Nic Tjirkalli > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Very Strange AAA behaviour in a 3750 stack > > > > Hi, > > > > I tried the changes you told me, same result. 
> >
> > On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> > > aaa authorization commands 1 default local group tacacs+
> > > if-authenticated aaa authorization commands 15 default local group
> > > tacacs+ if-authenticated
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From omar.parihuana at gmail.com Thu Aug 7 11:58:21 2008
From: omar.parihuana at gmail.com (omar parihuana)
Date: Thu, 7 Aug 2008 10:58:21 -0500
Subject: [c-nsp] OT: Linux Script for router management
Message-ID: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com>

Hi List,

I'm facing a problem with router management: nearly 80 dispersed routers
from different providers, with different user/pass. I would like to have a
Linux console with a menu listing the routers, so that when I choose an
option I get into the router automatically, or maybe some other way; for
example, before, I used a Linux console where I wrote down the hostname and
got the router. Do you know some tool/script that can do it?

Rgds.
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
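For the menu Omar describes, here is an added example (not a tool from the thread): a small Python front end that reads a router inventory, prints a numbered list, and hands the chosen device to ssh with that device's own username. The inventory columns, the sample devices and the pinned known_hosts path are assumptions; no passwords are kept in the inventory, so it can live in version control.

```python
"""Menu-driven jump console for a fleet of routers with per-device logins.
Added example, not a tool from the thread. The inventory format
(hostname,address,provider,username) and the sample devices are constructed.
No passwords are stored: ssh authenticates with the operator's key or prompts."""
import csv
import io
import os
import shlex
import sys

# Constructed sample inventory (RFC 5737 documentation addresses, not real devices).
SAMPLE_INVENTORY = """\
hostname,address,provider,username
lim-edge-01,192.0.2.10,provider-a,noc-a
bog-core-01,192.0.2.20,provider-b,admin-b
lim-edge-02,192.0.2.11,provider-a,noc-a
"""

REQUIRED = ("hostname", "address", "provider", "username")


def parse_inventory(text):
    """Parse CSV text into a list of device dicts sorted by hostname."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        missing = [k for k in REQUIRED if not row.get(k)]
        if missing:
            raise ValueError(f"inventory row {row} lacks {missing}")
    return sorted(rows, key=lambda r: r["hostname"])


def find_device(inventory, key):
    """Resolve a menu number (1-based) or an exact hostname; None if unknown."""
    key = key.strip()
    if key.isdigit():
        idx = int(key) - 1
        return inventory[idx] if 0 <= idx < len(inventory) else None
    return next((r for r in inventory if r["hostname"] == key), None)


def ssh_argv(device, known_hosts="~/.ssh/known_hosts_routers"):
    """Build the ssh command line for a device.

    Host keys must already be present in the pinned known_hosts file, so a
    rogue or re-addressed router cannot silently collect the operator's
    password; agent forwarding stays off on provider-managed boxes."""
    return [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={known_hosts}",
        "-o", "ForwardAgent=no",
        "-l", device["username"],
        device["address"],
    ]


def render_menu(inventory):
    """One numbered line per router: number, hostname, address, provider."""
    return "\n".join(
        f"{i:3d}) {r['hostname']:<16} {r['address']:<16} {r['provider']}"
        for i, r in enumerate(inventory, 1)
    )


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_INVENTORY
    inventory = parse_inventory(text)
    print(render_menu(inventory))
    device = find_device(inventory, input("router (number or hostname): "))
    if device is None:
        print("no such router in inventory", file=sys.stderr)
        return 1
    cmd = ssh_argv(device)
    print("+ " + " ".join(shlex.quote(a) for a in cmd))
    os.execvp(cmd[0], cmd)   # replace this process with the ssh session


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```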
From eric at atlantech.net Thu Aug 7 12:08:04 2008 From: eric at atlantech.net (Eric Van Tol) Date: Thu, 7 Aug 2008 12:08:04 -0400 Subject: [c-nsp] OT: Linux Script for router management In-Reply-To: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com> References: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of omar parihuana > Sent: Thursday, August 07, 2008 11:58 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] OT: Linux Script for router management > > Hi List, > > I'm facing a problem with routers management, near of 80 dispersed > routers > of differents providers with differents usr/pass , I would like to > have a > linux console with a Menu with router list, then when a choose a > option, I > can get into the router automatically, or maybe other way, for > example > before I used a Linux console where I write down the hostname and I > get the > router. Do you know some tool/script that can do it? > You should be able to use RANCID (http://www.shrubbery.net/rancid) in combination with an MOTD banner on your server that lists all the routers and an alias to get access to each one. You get the added benefit of backing up configs of all the routers, too. -evt From rubensk at gmail.com Thu Aug 7 12:11:27 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Thu, 7 Aug 2008 13:11:27 -0300 Subject: [c-nsp] PFC-based EoMPLS and MPLS-TE Message-ID: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com> I was wondering if anybody has mixed EoMPLS and MPLS-TE, running on PFC-based MPLS (Sup720, ME6524 and related platforms) in a scenario like this: PE1 -------- MPLS Cloud with TE affinity bits ---- PE2 PE1 and PE2 have an EoMPLS xconnect with each other, targeted at each router loopback. 
Affinity bits are configured on the links in the cloud based on whether they
support jumbo frames or not.

First, a tunnel is created with affinity requirements such that it will always
use "interesting" links; then, a static "ip route tunnelxxx" makes all traffic
between PE1 and PE2 go thru that tunnel.

Can this scenario work? Will LDP run thru the tunnel, as EoMPLS opens an LDP
session between PE1 and PE2? Running thru the tunnel or not, will LDP correctly
allocate labels so the EoMPLS connection goes thru? Will this adversely impact
the other traffic between those PEs, besides the fact that all PE-to-PE traffic
will now follow the tunnel?

Rubens

From RTeller at deltadentalwa.com Thu Aug 7 13:54:27 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 10:54:27 -0700
Subject: [c-nsp] Ace Module Troubleshooting
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>

So I have a weird issue going on with my ACE module. I am sure it is a
configuration issue, but since I am making it up as I go I can only do so
much. I am able to browse to a load-balanced website from one computer, but
if I try to browse to it from another computer the website is unavailable.
The website is under the dp-qa domain.
------------------------------------------------------------------------ --------------- logging console 6 logging timestamp access-list any line 8 extended permit icmp any any access-list any line 16 extended permit ip any any probe tcp TCP-5002_PROBE port 5002 interval 3 passdetect interval 3 probe tcp TCP-8003_PROBE port 8003 interval 3 passdetect interval 3 probe http TCP-80_PROBE interval 5 passdetect interval 5 expect status 200 200 hash connection term forced probe tcp TCP-9090_PROBE port 9090 interval 5 connection term forced probe http ciscotest_PROBE interval 5 passdetect interval 5 request method get url /ciscotest/ expect status 200 200 hash connection term forced rserver host dm-qa-app25 ip address 172.22.237.23 inservice rserver host dm-qa-app26 ip address 172.22.237.25 inservice rserver host dm-qa-web21 ip address 172.22.237.19 inservice rserver host dm-qa-web22 ip address 172.22.237.21 inservice rserver host dp-qa-app85 ip address 172.22.237.24 inservice rserver host dp-qa-app86 ip address 172.22.237.26 inservice rserver host dp-qa-web81 ip address 172.22.237.20 inservice rserver host dp-qa-web82 ip address 172.22.237.22 inservice rserver host recluse1 ip address 172.22.228.88 inservice rserver host recluse2 ip address 172.22.228.89 inservice serverfarm host dm-qa-app probe TCP-80_PROBE rserver dm-qa-app25 inservice rserver dm-qa-app26 inservice serverfarm host dm-qa-ivr probe TCP-5002_PROBE rserver dm-qa-web21 inservice rserver dm-qa-web22 inservice serverfarm host dm-qa-socket probe TCP-8003_PROBE rserver dm-qa-app25 inservice rserver dm-qa-app26 inservice serverfarm host dm-qa-web probe ciscotest_PROBE rserver dm-qa-web21 inservice rserver dm-qa-web22 inservice serverfarm host dp-qa-app probe TCP-80_PROBE rserver dp-qa-app85 inservice rserver dp-qa-app86 inservice serverfarm host dp-qa-ivr probe TCP-5002_PROBE rserver dp-qa-web81 inservice rserver dp-qa-web82 inservice serverfarm host dp-qa-socket probe TCP-8003_PROBE rserver dp-qa-app85 
inservice rserver dp-qa-app86 inservice serverfarm host dp-qa-web probe ciscotest_PROBE rserver dp-qa-web81 inservice rserver dp-qa-web82 inservice serverfarm host recluse predictor leastconns probe TCP-9090_PROBE rserver recluse1 inservice rserver recluse2 inservice class-map type management match-any REMOTE_ACCESS 2 match protocol ssh any 3 match protocol telnet any 4 match protocol icmp any 5 match protocol snmp any 6 match protocol http any 7 match protocol https any class-map match-all dm-qa-app_CLASS 2 match virtual-address XXX.XXX.XXX.136 tcp eq www class-map match-all dm-qa-ivr_CLASS 2 match virtual-address XXX.XXX.XXX.138 tcp eq 5002 class-map match-all dm-qa-socket_CLASS 2 match virtual-address XXX.XXX.XXX.139 tcp eq 8003 class-map match-all dm-qa-web_CLASS 2 match virtual-address XXX.XXX.XXX.137 tcp eq www class-map match-all dp-qa-app_CLASS 2 match virtual-address XXX.XXX.XXX.140 tcp eq www class-map match-all dp-qa-ivr_CLASS 2 match virtual-address XXX.XXX.XXX.142 tcp eq 5002 class-map match-all dp-qa-socket_CLASS 2 match virtual-address XXX.XXX.XXX.143 tcp eq 8003 class-map match-all dp-qa-web_CLASS 2 match virtual-address XXX.XXX.XXX.141 tcp eq www class-map match-any recluse_CLASS 2 match virtual-address XXX.XXX.XXX.134 tcp eq 9090 3 match virtual-address XXX.XXX.XXX.134 tcp eq 10000 policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY class REMOTE_ACCESS permit policy-map type loadbalance first-match dm-qa-app_POLICY class class-default serverfarm dm-qa-app policy-map type loadbalance first-match dm-qa-ivr_POLICY class class-default serverfarm dm-qa-ivr policy-map type loadbalance first-match dm-qa-socket_POLICY class class-default serverfarm dm-qa-socket policy-map type loadbalance first-match dm-qa-web_POLICY class class-default serverfarm dm-qa-web policy-map type loadbalance first-match dp-qa-app_POLICY class class-default serverfarm dp-qa-app policy-map type loadbalance first-match dp-qa-ivr_POLICY class class-default serverfarm 
dp-qa-ivr policy-map type loadbalance first-match dp-qa-socket_POLICY class class-default serverfarm dp-qa-socket policy-map type loadbalance first-match dp-qa-web_POLICY class class-default serverfarm dp-qa-web policy-map type loadbalance first-match recluse_POLICY class class-default serverfarm recluse policy-map multi-match POLICY class recluse_CLASS loadbalance vip inservice loadbalance policy recluse_POLICY loadbalance vip icmp-reply active nat dynamic 134 vlan 238 class dm-qa-app_CLASS loadbalance vip inservice loadbalance policy dm-qa-app_POLICY loadbalance vip icmp-reply active nat dynamic 136 vlan 238 class dm-qa-web_CLASS loadbalance vip inservice loadbalance policy dm-qa-web_POLICY loadbalance vip icmp-reply active nat dynamic 137 vlan 238 class dm-qa-ivr_CLASS loadbalance vip inservice loadbalance policy dm-qa-ivr_POLICY loadbalance vip icmp-reply active nat dynamic 138 vlan 238 class dm-qa-socket_CLASS loadbalance vip inservice loadbalance policy dm-qa-socket_POLICY loadbalance vip icmp-reply active nat dynamic 139 vlan 238 class dp-qa-app_CLASS loadbalance vip inservice loadbalance policy dp-qa-app_POLICY loadbalance vip icmp-reply active nat dynamic 140 vlan 238 class dp-qa-web_CLASS loadbalance vip inservice loadbalance policy dp-qa-web_POLICY loadbalance vip icmp-reply active nat dynamic 141 vlan 238 class dp-qa-ivr_CLASS loadbalance vip inservice loadbalance policy dp-qa-ivr_POLICY loadbalance vip icmp-reply active nat dynamic 142 vlan 238 class dp-qa-socket_CLASS loadbalance vip inservice loadbalance policy dp-qa-socket_POLICY loadbalance vip icmp-reply active nat dynamic 143 vlan 238 interface vlan 238 ip address XXX.XXX.XXX.253 255.255.255.128 alias XXX.XXX.XXX.252 255.255.255.128 peer ip address XXX.XXX.XXX.254 255.255.255.128 access-group input any nat-pool 134 XXX.XXX.XXX.134 XXX.XXX.XXX.134 netmask 255.255.255.255 nat-pool 136 XXX.XXX.XXX.136 XXX.XXX.XXX.136 netmask 255.255.255.255 nat-pool 137 XXX.XXX.XXX.137 XXX.XXX.XXX.137 netmask 
255.255.255.255 nat-pool 138 XXX.XXX.XXX.138 XXX.XXX.XXX.138 netmask 255.255.255.255 nat-pool 139 XXX.XXX.XXX.139 XXX.XXX.XXX.139 netmask 255.255.255.255 nat-pool 140 XXX.XXX.XXX.140 XXX.XXX.XXX.140 netmask 255.255.255.255 nat-pool 141 XXX.XXX.XXX.141 XXX.XXX.XXX.141 netmask 255.255.255.255 nat-pool 142 XXX.XXX.XXX.142 XXX.XXX.XXX.142 netmask 255.255.255.255 nat-pool 143 XXX.XXX.XXX.143 XXX.XXX.XXX.143 netmask 255.255.255.255 service-policy input POLICY service-policy input REMOTE_MGMT_ALLOW_POLICY no shutdown domain dm-qa add-object serverfarm dm-qa-app add-object serverfarm dm-qa-ivr add-object serverfarm dm-qa-socket add-object serverfarm dm-qa-web add-object rserver dm-qa-app25 add-object rserver dm-qa-app26 add-object rserver dm-qa-web21 add-object rserver dm-qa-web22 domain recluse add-object serverfarm recluse add-object rserver recluse1 add-object rserver recluse2 domain dp-qa add-object serverfarm dp-qa-app add-object serverfarm dp-qa-ivr add-object serverfarm dp-qa-socket add-object serverfarm dp-qa-web add-object rserver dp-qa-app85 add-object rserver dp-qa-app86 add-object rserver dp-qa-web81 add-object rserver dp-qa-web82 ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 Robert Teller Washington Dental Service Network Administrator (206) 528-2371 RTeller at DeltaDentalWa.com ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. 
#########################################################

From RTeller at deltadentalwa.com Thu Aug 7 14:09:22 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 11:09:22 -0700
Subject: [c-nsp] Ace Module Troubleshooting
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com>

For some reason the class map didn't show up right

class-map match-all dm-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.136 tcp eq www
class-map match-all dm-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.138 tcp eq 5002
class-map match-all dm-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.139 tcp eq 8003
class-map match-all dm-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.137 tcp eq www
class-map match-all dp-dev-app_CLASS
  2 match virtual-address XXX.XXX.XXX.144 tcp eq www
class-map match-all dp-dev-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.146 tcp eq 5002
class-map match-all dp-dev-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.147 tcp eq 8003
class-map match-all dp-dev-web_CLASS
  2 match virtual-address XXX.XXX.XXX.145 tcp eq www
class-map match-all dp-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.140 tcp eq www
class-map match-all dp-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.142 tcp eq 5002
class-map match-all dp-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.143 tcp eq 8003
class-map match-all dp-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.141 tcp eq www
class-map match-any recluse_CLASS
  2 match virtual-address XXX.XXX.XXX.134 tcp eq 9090
  3 match virtual-address XXX.XXX.XXX.134 tcp eq 10000
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From notrevebr at gmail.com Thu Aug 7 15:19:52 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Thu, 7 Aug 2008 16:19:52 -0300
Subject: [c-nsp] CSAgent
Message-ID: <3cf174360808071219r39971602g4b291a4ed3b539a7@mail.gmail.com>

Hi all,

Does anyone know if it is possible to use the CSAgent on the same machine that has Windows AD? Or do I really need to put another machine in just to be the CSAgent?

Tks all..

From oboehmer at cisco.com Thu Aug 7 15:55:09 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 7 Aug 2008 21:55:09 +0200
Subject: [c-nsp] PFC-based EoMPLS and MPLS-TE
In-Reply-To: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com>
References: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D689C2@xmb-ams-333.emea.cisco.com>

Rubens Kuhl Jr. <> wrote on Thursday, August 07, 2008 6:11 PM:

> I was wondering if anybody has mixed EoMPLS and MPLS-TE, running on
> PFC-based MPLS (Sup720, ME6524 and related platforms) in a scenario
> like this:
>
> PE1 -------- MPLS Cloud with TE affinity bits ---- PE2
>
> PE1 and PE2 have an EoMPLS xconnect with each other, targeted at each
> router loopback. Affinity bits are configured on the links on the
> cloud based on whether they support Jumbo-frames or not. First part, a
> tunnel is created with affinity requirements such as it will always
> use "interesting" links; then, a static "ip route <loopback> tunnelxxx"
> makes all traffic between PE1 and PE2 go thru that tunnel.
>
> Can this scenario work? Will LDP run thru the tunnel, as EoMPLS opens
> an LDP session between PE1 and PE2? Running thru the tunnel or not,
> will LDP correctly allocate labels so the EoMPLS connection goes thru?
> Will this adversely impact the other traffic between those PEs,
> besides the fact that all PE-to-PE traffic will now follow the tunnel?

I guess you want to look at the AToM Tunnel Selection feature, where you can "nail" specific PWs to TE tunnels without any static routes.

I've never tried to send PWs over tunnels in the way you've described above, but why don't you just use autoroute, as you seem to accept that all PE-to-PE traffic will go via the tunnel?

oli

From jfitz at Princeton.EDU Thu Aug 7 16:45:04 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 7 Aug 2008 16:45:04 -0400
Subject: [c-nsp] FWSM asdm error 305006 ???
Message-ID: <28847781-E61F-48E1-86EF-327B2A1DB705@princeton.edu>

I am running FWSM with 4.0(2) code in transparent mode. It also has DNS-GUARD disabled (a new feature in 4.0).

I constantly see entries in the ASDM log with the very ambiguous ERROR 305006, as shown below in the log snippet...
----------------
3|Aug 07 2008 07:53:01|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/49384 dst vgate1-paetec-outside:4.2.2.2/53
3|Aug 07 2008 07:53:10|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/63890 dst vgate1-paetec-outside:4.2.2.1/53
3|Aug 07 2008 07:57:03|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:123.204.68.27/10001
3|Aug 07 2008 08:04:29|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.246.78/10002
3|Aug 07 2008 08:08:24|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:211.74.194.205/10001
3|Aug 07 2008 08:08:34|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.13.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
3|Aug 07 2008 08:10:15|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.174.123/10002
3|Aug 07 2008 08:18:59|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.15.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
---------------

The IPs in the 128.112.x.x range are ours and on the INSIDE, but none of them are in use, and tcpdump on the inside shows no packets from these addresses in case they were spoofed.

Doing a tcpdump on the OUTSIDE (by use of taps we have to monitor traffic outside the router/FWSM), I can see packets to these hosts from the DSTs indicated above. These are probably crafted packets just trying to do some DNS damage.

I am not sure why the message indicates the SRC of a host that never sent a packet and is non-existent, not to mention the "regular translation creation failed" cryptic phrase.
I have looked at all the doc related to the FWSM error code 305006, but it does not appear to relate to this error.

This error only appears for packets that have src or dst port 53 (DNS) and the inside IP is unreachable.

Is this error just telling me that there is no corresponding flow for the initial flow and some timer has expired within the DNS-GUARD code of the FWSM?

I sure could use some help on this one.

Thanks in advance.

Jeff Fitzwater
OIT Network Systems
Princeton University

From tvarriale at comcast.net Thu Aug 7 16:45:42 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Aug 2008 15:45:42 -0500
Subject: [c-nsp] Ace Module Troubleshooting
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com>
Message-ID: <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>

A few questions...

Which port is this occurring on? 9090? 10000? or both?

Can you output "sh serverfarm recluse" and "sh probe TCP-9090_PROBE"?

Is this a web app running on those ports?
tv
From RTeller at deltadentalwa.com Thu Aug 7 17:42:58 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 14:42:58 -0700
Subject: [c-nsp] Ace Module Troubleshooting
In-Reply-To: <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com> <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F28@tiger.deltadentalwa.com>

This issue was resolved by adding pat to the end of my nat statements.
route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 > > > > > > > Robert Teller > Washington Dental Service > Network Administrator > (206) 528-2371 > RTeller at DeltaDentalWa.com > > > ######################################################### > The information contained in this e-mail and subsequent attachments may > be privileged, > confidential and protected from disclosure. This transmission is > intended for the sole > use of the individual and entity to whom it is addressed. If you are > not the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. > ######################################################### > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From sami.joseph at gmail.com Thu Aug 7 17:59:19 2008 From: sami.joseph at gmail.com (Sami Joseph) Date: Fri, 8 Aug 2008 00:59:19 +0300 Subject: [c-nsp] Route Leaking and next-hop recursion Message-ID: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> Hi All, I need to reinforce my understanding of how route leaking from a VRF to global works, I was not able to find a decent document using Google. 
Network topology:
http://www.postyourimage.com/view_image.php?img_id=GpgBT3FzVRxuuE81218144855

On the 6500 switch, I created Vlans and SVIs like the following:

  interface Vlan20
   ip address 10.5.5.73 255.255.255.248

And on interface vlan 40, I added a VRF:

  int vlan40
   ip vrf forwarding 3G
   ip address 10.0.0.1 255.255.255.252

Then I want the routes inside this VRF to access the IP addresses behind
VLAN20 as depicted in the diagram (1.1.1.10 and 1.1.1.11).

So I need to do leaking from global to vrf and the path back from vrf to
global:

  ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global

And (assuming the networks on the yellow cloud are 8.8.8.0):

  ip route 8.8.8.0 255.255.255.0 vlan40

This way, I guaranteed that packets destined from the VRF to global will
go to their next-hop which is directly connected to the switch (10.5.5.74),
and I suppose route recursion should be able to find where the next-hop is.

When we opened a ticket for this, we were told that with this setup, CEF
is not going to be able to create a valid adjacency and so an ARP request
will be sent for each packet destined to 10.5.5.74 without a reply.

Why can't CEF install an entry for 10.5.5.74? Why can't route recursion
work?

Thanks,
Sam

From p.mayers at imperial.ac.uk Thu Aug 7 18:00:03 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 07 Aug 2008 23:00:03 +0100
Subject: [c-nsp] Crash bug in SXH3
Message-ID: <489B7063.8040904@imperial.ac.uk>

All,

Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
Considering the release notes claim fixes in that very area, this is
highly amusing (note: issue may not actually be amusing).

Does anyone else think the 6500 software train is becoming a bad joke?
SRC claims *today* ISSU using dual sups / SSO, a much larger chunk of
(33) features e.g. 6vpe etc. and one presumes a faster rate of ports from
mainline IOS because they don't need to modularise everything.

SXH on the other hand has... erm... buggy modularity. And... buggy
monolithic too.

I haven't got a TAC case open because we've rolled back to SXH2a (which
has its own set of crash bugs, but less frequent ones...) and it's late -
a task for tomorrow I feel.

From rubensk at gmail.com Thu Aug 7 18:11:40 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 7 Aug 2008 19:11:40 -0300
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <6bb5f5b10808071511g21a6bccvab8599b86a2e559@mail.gmail.com>

Phil,

Are there any memory issues with SXH3 on your lab? It seems SXH3, modular
or monolithic, requires more SP/RP memory than SXH2a.

Rubens

On Thu, Aug 7, 2008 at 7:00 PM, Phil Mayers wrote:
> All,
>
> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)
>
> Does anyone else think the 6500 software train is becoming a bad joke? SRC
> claims *today* ISSU using dual sups / SSO, a much larger chunk of (33)
> features e.g. 6vpe etc. and one presumes a faster rate of ports from
> mainline IOS because they don't need to modularise everything.
>
> SXH on the other hand has... erm... buggy modularity. And... buggy
> monolithic too.
>
> I haven't got a TAC case open because we've rolled back to SXH2a (which has
> its own set of crash bugs, but less frequent ones...) and it's late - a task
> for tomorrow I feel.

From Rafael.Rodriguez at msmc.com Thu Aug 7 18:38:43 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Thu, 7 Aug 2008 18:38:43 -0400
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
In-Reply-To: <489073C7.5020003@utc.edu>
References: <489073C7.5020003@utc.edu>
Message-ID: <13D27D9DCE0E0945A617043C88DD6194017C82B2@SVIPEXC1.msmc.com>

Don't know the answer to your BGP question but you can put 512Mb on the
SUP2 and the MSFC2.

Cheers,
RR

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: Wednesday, July 30, 2008 10:00
To: cisco-nsp
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...

Quick question for someone that's "been there done that" from someone who
has said "I thought it would work" more often than I'd like :-)

Can you get a full BGP feed (two peers) into a Sup2? With uRPF? Which RAM
needs to be upgraded? I found out the hard way it won't fit into a
SUP2/MSFC2/PFC2 w/256Mb. Will 512Mb do it? Can you put 512Mb in a Sup2
(some 3rd-party pages imply 256 is max, another says a "Sup2U" can do
512)? Do you upgrade the Sup2 memory or one of the daughtercards, or both?

Jeff

From peter at rathlev.dk Thu Aug 7 20:05:18 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Aug 2008 02:05:18 +0200
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
Message-ID: <1218153918.29360.5.camel@abehat>

On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
> interface Vlan20
>  ip address 10.5.5.73 255.255.255.248
>
> int vlan40
>  ip vrf forwarding 3G
>  ip address 10.0.0.1 255.255.255.252
>
> Then I want the routes inside this VRF to access the IP addresses behind
> VLAN20 as depicted in the diagram : (1.1.1.10 and 1.1.1.11)
>
> So I need to do leaking from global to vrf and the path back from vrf to
> global:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
>
> And: (assuming the networks on the yellow cloud are 8.8.8.0)
>
> ip route 8.8.8.0 255.255.255.0 vlan40
>
> This way, I guaranteed that packets destined from the VRF to global will go
> to their next-hop which is directly connected to the switch (10.5.5.74) and
> I suppose route recursion should be able to find where the next-hop is.
>
> When we opened a ticket for this, we were told that with this setup, CEF is
> not going to be able to create a valid adjacency and so an ARP request will
> be sent for each packet destined to 10.5.5.74 without a reply.
>
> Why can't CEF install an entry for 10.5.5.74, why can't route recursion work?

Just a shot in the dark, but would it help to add an interface to the vrf
route statement? Like this:

ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global

Regards,
Peter

From tdurack at gmail.com Thu Aug 7 21:32:31 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 7 Aug 2008 21:32:31 -0400
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>

We hit this in SXH2 also (haven't tested SXH2a.) Bug ID was:

CSCse12154 - Bus error crash after executing secure copy (scp)

We fixed it with a "no ip scp server" (or something like that.)

Disappointing a bug this severe isn't fixed in SXH3. Maybe it will be in
SXI...

Tim:>

On Thu, Aug 7, 2008 at 6:00 PM, Phil Mayers wrote:
> All,
>
> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)
>
> Does anyone else think the 6500 software train is becoming a bad joke? SRC
> claims *today* ISSU using dual sups / SSO, a much larger chunk of (33)
> features e.g. 6vpe etc.
> and one presumes a faster rate of ports from
> mainline IOS because they don't need to modularise everything.
>
> SXH on the other hand has... erm... buggy modularity. And... buggy
> monolithic too.
>
> I haven't got a TAC case open because we've rolled back to SXH2a (which has
> its own set of crash bugs, but less frequent ones...) and it's late - a task
> for tomorrow I feel.

From vikassharmas at gmail.com Fri Aug 8 00:55:00 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Fri, 8 Aug 2008 10:25:00 +0530
Subject: [c-nsp] EoMPLS port mode 7200
Message-ID:

Hi,

Can I configure EoMPLS on one side 7200 and another side 7600 using
service type as EWS and vc-type 4?

My requirement is:

1st scenario - I require port mode between 7200 and 7600.
2nd scenario - I require port mode between 7200 and 12k.

Thanks & Regards,
Vikas Sharma

From tseveendorj at gmail.com Fri Aug 8 02:21:49 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Fri, 8 Aug 2008 14:21:49 +0800
Subject: [c-nsp] Fans: "monitor dropped"
Message-ID: <62c908120808072321pac05536n9b973d7a7784172c@mail.gmail.com>

Hi,

I would like to know what the following log means:

Environmental monitor experienced the following events:
Fans: "monitor dropped" at 14:08:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:09:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:10:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:11:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:12:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:13:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:14:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:15:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:16:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:17:28 GMT Fri Aug 8 2008.

Temperature:
Temperature Reading:
Temp at inlet fails and data is not available.
Temp at outlet is measured as -1C/31F.
Temp delta of inlet and outlet fails and data is not available.
Temperature State:
Temperature is in normal state.

I couldn't see the temperature of the AS5350 gateway. How do I solve this?

Thanks for any help.

Sincerely,
Tseveen

From gert at greenie.muc.de Fri Aug 8 03:38:16 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 Aug 2008 09:38:16 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <20080808073816.GI288@greenie.muc.de>

Hi,

On Thu, Aug 07, 2008 at 11:00:03PM +0100, Phil Mayers wrote:
> I haven't got a TAC case open because we've rolled back to SXH2a (which
> has its own set of crash bugs, but less frequent ones...) and it's late
> - a task for tomorrow I feel.

I've had some problems with IPv6 not working on SVIs in SXH2a (very plain
setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to
neighbour didn't work). Didn't test it further, as I wanted to move this
box to SXH3 anyway - did that, v6 worked.

Just as a data point.

And yes, 6500/7600 "progress" is disappointing.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From tony at lava.net Fri Aug 8 03:55:01 2008
From: tony at lava.net (Antonio Querubin)
Date: Thu, 7 Aug 2008 21:55:01 -1000 (HST)
Subject: [c-nsp] intermittent 'igmp query-interval 125'
Message-ID:

For some reason I've started seeing the statement below appear and
disappear at random times on several routers' interfaces in the running
config.
This began after IGMP version 3 was enabled on several Juniper routers
that share several backbone VLANs with our Cisco routers. The Cisco
routers had already been running IGMP version 3 for a long while now
without any odd effects.

ip igmp query-interval 125

When the statement appears in the running-config the query interval is
125. And when it disappears from the running-config, the query interval
has reverted back to the normal 60 seconds.

Anyone know why this would be happening?

Antonio Querubin
whois: AQ7-ARIN

From spinthiras.mario at gmail.com Fri Aug 8 06:17:00 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 8 Aug 2008 13:17:00 +0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
	<1216129215.24030.4.camel@svesken.sys.mjna.net>
	<3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>
Message-ID: <4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>

crypto ip-sec df-bit clear/set?

If you have mismatches on either end you can see "unencrypted" traffic
on one end while normal signs of operation on the other.

Warm Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From spinthiras.mario at gmail.com Fri Aug 8 06:18:16 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 8 Aug 2008 13:18:16 +0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
	<1216129215.24030.4.camel@svesken.sys.mjna.net>
	<3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>
	<4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>
Message-ID: <4f890e580808080318p2b7af799p5aec69eeedf8924a@mail.gmail.com>

Plus it would be great if you could run a packet-trace and paste it here.

-- 
Warm Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From p.mayers at imperial.ac.uk Fri Aug 8 07:02:16 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 08 Aug 2008 12:02:16 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>
References: <489B7063.8040904@imperial.ac.uk>
	<9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>
Message-ID: <489C27B8.90204@imperial.ac.uk>

Tim Durack wrote:
> We hit this in SXH2 also (haven't tested SXH2a.) Bug ID was:
>
> CSCse12154 - Bus error crash after executing secure copy (scp)
>
> We fixed it with a "no ip scp server" (or something like that.)

The release notes claim it *was* fixed in SXH3; it's specifically
mentioned in the list of "resolved caveats".

Also, the bug in our case was triggered by an automated job:

 * cron job on unix machine
 * scp admin at router:startup-config /backups/router

...which doesn't read like the same bug.

From sami.joseph at gmail.com Fri Aug 8 07:26:23 2008
From: sami.joseph at gmail.com (Sami Joseph)
Date: Fri, 8 Aug 2008 14:26:23 +0300
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <1218153918.29360.5.camel@abehat>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
	<1218153918.29360.5.camel@abehat>
Message-ID: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>

That made it work, but I need to understand the reason.
Sam

On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
>
> > interface Vlan20
> >  ip address 10.5.5.73 255.255.255.248
> >
> > int vlan40
> >  ip vrf forwarding 3G
> >  ip address 10.0.0.1 255.255.255.252
> >
> > Then I want the routes inside this VRF to access the IP addresses behind
> > VLAN20 as depicted in the diagram : (1.1.1.10 and 1.1.1.11)
> >
> > So I need to do leaking from global to vrf and the path back from vrf to
> > global:
> >
> > ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
> >
> > And: (assuming the networks on the yellow cloud are 8.8.8.0)
> >
> > ip route 8.8.8.0 255.255.255.0 vlan40
> >
> > This way, I guaranteed that packets destined from the VRF to global will
> > go to their next-hop which is directly connected to the switch (10.5.5.74)
> > and I suppose route recursion should be able to find where the next-hop is.
> >
> > When we opened a ticket for this, we were told that with this setup, CEF
> > is not going to be able to create a valid adjacency and so an arp request
> > will be sent for each packet destined to 10.5.5.74 without a reply.
> >
> > Why cant CEF install an entry for 10.5.5.74, why cant route recursion
> > work?
>
> Just a shot in the dark, but would it help to add an interface to the
> vrf route statement?
> Like this:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> Regards,
> Peter

From peter at rathlev.dk Fri Aug 8 08:43:53 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Aug 2008 14:43:53 +0200
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
	<1218153918.29360.5.camel@abehat>
	<9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
Message-ID: <1218199433.2135.5.camel@abehat>

On Fri, 2008-08-08 at 14:26 +0300, Sami Joseph wrote:
> On Fri, Aug 8, 2008 at 3:05 AM, wrote
> > Just a shot in the dark, but would it help to add an interface to
> > the vrf route statement? Like this:
> >
> > ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> That made it work but I need to understand the reason?

Well, I guess CEF needs all the relevant information (next hop IP +
interface) to build a full adjacency, and not just a glean adjacency. I
can't figure out why the glean wouldn't work, i.e. why there would never
be any response to the ARP for 10.5.5.74. I guess CEF has some voodoo
elements. :-)

Regards,
Peter

From booloo at ucsc.edu Fri Aug 8 12:42:14 2008
From: booloo at ucsc.edu (Mark Boolootian)
Date: Fri, 8 Aug 2008 09:42:14 -0700
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080808073816.GI288@greenie.muc.de>
References: <489B7063.8040904@imperial.ac.uk>
	<20080808073816.GI288@greenie.muc.de>
Message-ID: <20080808164214.GA67424@root.ucsc.edu>

Gert,

> I've had some problems with IPv6 not working on SVIs in SXH2a (very plain
> setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to
> neighbour didn't work).

Can you tell me what feature set you were running?
mark

From billf at mu.org Fri Aug 8 13:08:15 2008
From: billf at mu.org (bill fumerola)
Date: Fri, 8 Aug 2008 10:08:15 -0700
Subject: [c-nsp] OT: Linux Script for router management
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local>
References: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com>
	<2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local>
Message-ID: <20080808170815.GS6869@elvis.mu.org>

On Thu, Aug 07, 2008 at 12:08:04PM -0400, Eric Van Tol wrote:
> > -----Original Message-----
> > I'm facing a problem with router management: nearly 80 dispersed
> > routers of different providers with different usr/pass. I would like
> > to have a Linux console with a menu with a router list, then when I
> > choose an option I can get into the router automatically, or maybe
> > another way; for example, before I used a Linux console where I write
> > down the hostname and I get the router. Do you know some tool/script
> > that can do it?
>
> You should be able to use RANCID (http://www.shrubbery.net/rancid) in
> combination with an MOTD banner on your server that lists all the routers
> and an alias to get access to each one. You get the added benefit of
> backing up configs of all the routers, too.

as for the menu:

sh/dialog: http://invisible-island.net/dialog/
C: http://www.troubleshooters.com/lpm/200405/200405.htm#_A_Simple_Menu
Perl: http://backpan.cpan.org/authors/id/C/CC/CCOLLINS/Curses-Menu-1.00.readme
TCL: http://wiki.tcl.tk/12953
PHP: http://devzone.zend.com/article/1083-Using-Ncurses-in-PHP
Python: http://www.ibm.com/developerworks/linux/library/l-python6.html

choose your poison.

-- 
- bill fumerola / billf at FreeBSD.org

From dcurran at nuvox.com Fri Aug 8 14:29:42 2008
From: dcurran at nuvox.com (David Curran)
Date: Fri, 08 Aug 2008 14:29:42 -0400
Subject: [c-nsp] Shaping vs. queuing
Message-ID:

I understand at a common sense level how shaping and queuing are different
from each other and how they affect discrete packets or flows. What I'm
trying to understand is, in the context of different types of traffic,
which is best? Some things I "know" about the situation are:

* TCP has a congestion control mechanism in windowing and slow-start and
  can react to tail-drop or drop profiles quickly.
* Real-time applications such as voice and video, when faced with
  increased latency or jitter, essentially drop the traffic to preserve
  quality.
* Upper layer protocols typically have mechanisms to correct for missing
  or corrupted packets when sent via connectionless protocols.

So if those three things are true, is policing VoIP or TCP traffic (with a
Bc and Be properly defined) any "worse" than shaping/queuing? I'm
struggling to find literature comparing the two beyond "policing drops,
shaping queues".

Any thoughts or links would be appreciated.

-d

This email and any attachments ("Message") may contain legally privileged
and/or confidential information. If you are not the addressee, or if this
Message has been addressed to you in error, you are not authorized to read,
copy, or distribute it, and we ask that you please delete it (including all
copies) and notify the sender by return email. Delivery of this Message to
any person other than the intended recipient(s) shall not be deemed a
waiver of confidentiality and/or a privilege.

From swmike at swm.pp.se Fri Aug 8 15:11:37 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 8 Aug 2008 21:11:37 +0200 (CEST)
Subject: [c-nsp] Shaping vs. queuing
In-Reply-To:
References:
Message-ID:

On Fri, 8 Aug 2008, David Curran wrote:

> Any thoughts or links would be appreciated.

1. File transfers based on TCP generally work better with shaping,
especially if they are few and have high bw per TCP session.

2. Interactive protocols (cli terminal sessions over ssh for instance)
generally work better with policing as it doesn't really matter if a
packet is lost compared to a constant long delay due to queuing (in case
file transfers are filling up the queues). This is at least true if the
session is between hosts that are fairly close to each other.

3. Gamers want low latency and games usually handle packet loss fairly
well.

4. IP telephony can generally handle a few percent packet loss without
any major trouble (echo cancellation might be hurt in case of packet loss
though).

5. IPTV transfers over UDP generally do not have error correction and are
very sensitive to packet loss.

6. You do not want to queue ACKs if you can avoid it, as this slows down
TCP based communications going the other way.

So it's all down to what you want to prioritize. With the current traffic
mix on the internet I don't really see any reason to ever queue a packet
more than 30-40ms; then you might as well drop it (using WRED for
instance).

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From damin at nacs.net Fri Aug 8 15:43:28 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Fri, 8 Aug 2008 15:43:28 -0400
Subject: [c-nsp] Service Provider Image for NPE-300
Message-ID: <05d301c8f98f$0791e2e0$16b5a8a0$@net>

Hello,

Got a 7206 VXR sitting in the back that I'm working on configuring for a
simple BGP peering setup. Nothing crazy, just need to support VLAN tagging
+ BGP for a couple of routes. Wondering what image people are running. It
currently has c7200-p-mz.122-46a.bin on it, but wondering if there is a
12.2S that might be more current and better suited.

From zeusdadog at gmail.com Fri Aug 8 22:28:40 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Fri, 8 Aug 2008 22:28:40 -0400
Subject: [c-nsp] 2851 and full BGP
Message-ID: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>

I have two 2851s connected to each other over gigabit Ethernet WAN.
Both have 1GB RAM and are running 12.4(20)T advanced IP services.

Both routers are connected to our providers with full BGP feed. That part
works fine.

When I have the two 2851s try to send their full route to each other, it
gets to about 20,000 routes and the session resets. Here is a debug output:

Aug 8 09:48:30.099: BGP: x.x.x.x bad message length - 4097
Aug 8 09:48:30.099: BGP: x.x.x.x went from Established to Closing

Any ideas on what could be causing this issue? Is there a better IOS
version to use?

Thanks in advance.

From antal.gergely at hu.digi.tv Sat Aug 9 13:08:27 2008
From: antal.gergely at hu.digi.tv (Antal Gergely)
Date: Sat, 09 Aug 2008 19:08:27 +0200
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
Message-ID: <489DCF0B.7080204@hu.digi.tv>

Jay Nakamura wrote:
> I have two 2851s connected to each other over gigabit Ethernet WAN.
>
> Both have 1GB RAM and are running 12.4(20)T advanced IP services.
>
> Both routers are connected to our providers with full BGP feed. That part
> works fine.
>
> When I have the two 2851s try to send their full route to each other, it
> gets to about 20,000 routes and the session resets. Here is a debug output
>
> Aug 8 09:48:30.099: BGP: x.x.x.x bad message length - 4097
> Aug 8 09:48:30.099: BGP: x.x.x.x went from Established to Closing
>

ip mtu problem?? sh ip bgp nei xxx | i data segment??

-- 
Antal GERGELY
Backbone Network Department
IP Services
DIGI KFT
Budapest Vaci ut 35.
H-1134 Hungary

From amaged at cisco.com Sat Aug 9 14:33:59 2008
From: amaged at cisco.com (Ahmed Maged (amaged))
Date: Sat, 9 Aug 2008 20:33:59 +0200
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
	<1218153918.29360.5.camel@abehat>
	<9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
Message-ID: <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com>

Hi Sami, Peter,

I'll try to explain this for you in simple but long words; let me know if
that doesn't make any sense to you.

The packet will come in through your interface that is attached to a VRF,
and so it will look up the VRF routing table to find a route, but your
destination is not inside the VRF, it's in the global table, so you will
need to leak this route out.

Now that was for the outgoing direction. How about the incoming? It will
come from the interface that is in global and look up the RIB for a
next-hop, and it won't find any. Why? Because it's in the VRF. So, you
will need another route to tell the router that in order to go to your
source, you need to go into this VRF interface, and to achieve that you
need to create a static route that points to the VRF.

Now if you create this static route with the next-hop being an IP address,
the router/CEF will try to do recursion in order to find the outgoing
interface, but it won't. Why? Because it's attached to a VRF, so it's
invisible to our global table. And that's why you created a next-hop that
consists of an IP and an interface. This way, you are bypassing the route
recursion process by telling the router all the info it needs to find its
destination and create the CEF adjacency (next-hop IP + interface).
You can see this if you do (but be careful): debug ip cef events and debug ip cef interface

http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml

Regards,
Ahmed

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
Sent: Friday, August 08, 2008 2:26 PM
To: Peter Rathlev
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Route Leaking and next-hop recursion

That made it work but I need to understand the reason?

Sam

On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
> > *interface Vlan20*
> > *ip address 10.5.5.73 255.255.255.248*
> >
> > *int vlan40*
> > *ip vrf forwarding 3G*
> > *ip address 10.0.0.1 255.255.255.252*
> >
> > Then I want the routes inside this VRF to access the IP addresses behind
> > VLAN20 as depicted in the diagram : (1.1.1.10 and 1.1.1.11)
> >
> > So I need to do leaking from global to vrf and the path back from vrf to
> > global:
> >
> > *ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global*
> >
> > And: (assuming the networks on the yellow cloud are 8.8.8.0)
> >
> > *ip route 8.8.8.0 255.255.255.0 vlan40*
> >
> > This way, I guaranteed that packets destined from the VRF to global will go
> > to their next-hop which is directly connected to the switch (10.5.5.74) and
> > I suppose route recursion should be able to find where the next-hop is.
> >
> > When we opened a ticket for this, we were told that with this setup, CEF is
> > not going to be able to create a valid adjacency and so an arp request will
> > be sent for each packet destined to 10.5.5.74 without a reply.
> >
> > Why can't CEF install an entry for 10.5.5.74, why can't route recursion work?
>
> Just a shot in the dark, but would it help to add an interface to the
> vrf route statement?
> Like this:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> Regards,
> Peter
>

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From cchurc05 at harris.com Sat Aug 9 16:51:04 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sat, 9 Aug 2008 15:51:04 -0500
Subject: [c-nsp] Release notes for ISR ROMMON
Message-ID:

Anyone know where to find the release notes for the various ROMMON versions for the 2800 and 3800 routers? Noticed 'DRAM access optimization' as a benefit of the latest 2800 ROMMON, and I recently worked on a problem with a 3845 giving console messages like this:

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Rommon primary and backup variables are invalid...
Warning: monitor nvram area is corrupt ... using default values
amd_flash_cmd: timeout on erase sector command
environment checksum failed
amd_flash_cmd: timeout on erase sector command
environment write to NVRAM failed
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23
ROM Monitor Can Not Recover From Exception A Board ?

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Storing backup rommon variables...
amd_flash_cmd: timeout on erase sector command
amd_flash_cmd: timeout on erase sector command
environment checksum failed
Total memory size = 512 MB - DIMM0 = 512 MB, DIMM1 = 0 MB
c3845 platform with 524288 Kbytes of main memory
Main memory is configured to 72/0(dimm 0/1) bit mode with ECC enabled

Readonly ROMMON initialized
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23

I've got a feeling it's really bad hardware, but usually want to exhaust all the possible bugs before calling TAC. Since it specifically mentions ROMMON variables in the output, figured it was at least related. The DRAM access optimization thing just sounds interesting. Searched the web site for a good 20 minutes, no luck.

Thanks,

Chuck

From arla at rn.dk Sat Aug 9 17:17:09 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sat, 9 Aug 2008 23:17:09 +0200
Subject: [c-nsp] static addressing to vpnclients on asa-firewall vs freeradius
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>

Hi all

I need some help regarding downloading static address to vpn clients on an asa-pix firewall.
Does anyone have a sample of how the user entry has to look, when I'm using a freeware radius server.
Both on the asa and the radius server
Is there an attribute list available somewhere

/Arne

From jarruda-cnsp at jarruda.com Sat Aug 9 18:27:35 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Sat, 09 Aug 2008 18:27:35 -0400
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> <1218153918.29360.5.camel@abehat> <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com> <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com>
Message-ID: <489E19D7.9060607@jarruda.com>

Ahmed Maged (amaged) wrote:
> Hi Sami, Peter,
>
> I'll try to explain this for you in simple but long words, let me know
> if that doesn't make any sense to you.
>
> The packet will come in through your interface that is attached to a VRF
> and so it will lookup the VRF routing table to find a route but your
> destination is not inside the VRF, it's in the Global table so you will
> need to leak this route out.
>
> Now that was for the outgoing direction, how about the incoming, it will
> come from the interface that is in global and lookup the RIB for a
> next-hop and it won't find any, why, because it's in the VRF.
>
> So, you will need another route to tell the router that in order to go
> to your source, you need to go into this VRF interface, and to achieve
> that you need to create a static route that points to the VRF.
>
> Now if you create this static route with the next-hop being an IP
> address, the router/CEF will try to do recursion in order to find the
> outgoing interface but it won't, why, because it's attached to a VRF so
> it's invisible to our global table.
>
> And that's why you created a next-hop that consists of an IP and an
> interface.
> This way, you are bypassing the route recursion process by
> telling the router all the info it needs to find its destination and
> create the CEF adjacency (next-hop IP + interface).
>
> You can see this if you do (but be careful): debug ip cef events and
> debug ip cef interface

Dumb question: if I've another route, where the next-hop is reached via this 'leaked+nailed-with-interface' route, would it work with a dynamic routing protocol?

Example: if a BGP route announced to this VRF had the next-hop 'field' == the remote end in a p2p interface in the global table, could I add a static route to reach the next-hop 'via' 'static-route on global + interface', and would this make all routes with that next-hop received via BGP work?

> http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
>
> Regards,
>
> Ahmed
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
> Sent: Friday, August 08, 2008 2:26 PM
> To: Peter Rathlev
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Route Leaking and next-hop recursion
>
> That made it work but I need to understand the reason?
>
> Sam
>
> On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
>
>> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
>>
>>> *interface Vlan20*
>>> *ip address 10.5.5.73 255.255.255.248*
>>>
>>> *int vlan40*
>>> *ip vrf forwarding 3G*
>>> *ip address 10.0.0.1 255.255.255.252*
>>>
>>> Then I want the routes inside this VRF to access the IP addresses behind
>>> VLAN20 as depicted in the diagram : (1.1.1.10 and 1.1.1.11)
>>>
>>> So I need to do leaking from global to vrf and the path back from vrf to
>>> global:
>>>
>>> *ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global*
>>>
>>> And: (assuming the networks on the yellow cloud are 8.8.8.0)
>>>
>>> *ip route 8.8.8.0 255.255.255.0 vlan40*
>>>
>>> This way, I guaranteed that packets destined from the VRF to global will go
>>> to their next-hop which is directly connected to the switch (10.5.5.74) and
>>> I suppose route recursion should be able to find where the next-hop is.
>>>
>>> When we opened a ticket for this, we were told that with this setup, CEF is
>>> not going to be able to create a valid adjacency and so an arp request will
>>> be sent for each packet destined to 10.5.5.74 without a reply.
>>>
>>> Why can't CEF install an entry for 10.5.5.74, why can't route recursion work?
>>
>> Just a shot in the dark, but would it help to add an interface to the
>> vrf route statement?
>> Like this:
>>
>> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>

From mtinka at globaltransit.net Sun Aug 10 05:49:07 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 10 Aug 2008 17:49:07 +0800
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
Message-ID: <200808101749.07941.mtinka@globaltransit.net>

On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:

> Any ideas on what could be causing this issue? Is there
> a better IOS version to use?

Sounds like an MTU issue.

Try disabling TCP PMTUd for BGP and see if that helps:

router bgp 1234
 no bgp transport path-mtu-discovery

If that works, consider checking with your provider on the supported MTU, end-to-end, and adjust your interface MTU if it helps.

Cheers,

Mark.

From gert at greenie.muc.de Sun Aug 10 10:27:52 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 10 Aug 2008 16:27:52 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080808164214.GA67424@root.ucsc.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080808073816.GI288@greenie.muc.de> <20080808164214.GA67424@root.ucsc.edu>
Message-ID: <20080810142752.GL288@greenie.muc.de>

Hi,

On Fri, Aug 08, 2008 at 09:42:14AM -0700, Mark Boolootian wrote:
> > I've had some problems with IPv6 not working on SVIs in SXH2a (very plain
> > setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to
> > neighbour didn't work).
>
> Can you tell me what feature set you were running?

"advipservicesk9" - Advanced IP Services SSH

(So it was not "IPv6 not supported" but "IPv6 commands being accepted, parts of it working fine, but neighbours on an SVI on top of a 6704-10GE being unpingable").
gert

--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From ghostonthewire at gmail.com Sun Aug 10 15:22:23 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Sun, 10 Aug 2008 23:22:23 +0400
Subject: [c-nsp] static addressing to vpnclients on asa-firewall vs freeradius
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>
Message-ID: <489F3FEF.1070205@gmail.com>

hi, Arne.

Arne Larsen / Region Nordjylland wrote:
> Hi all
> I need some help regarding downloading static address to vpn clients on an asa-pix firewall.

I hope you mean "assigning"?

> Does anyone have a sample of how the user entry has to look, when I'm using a freeware radius server. Both on the asa and the radius server
> Is there an attribute list available somewhere
>

I use PIX 515E + 8.x software with FreeRADIUS.
Typical entry for assigning static address for remote vpn user is:

dn: uid=user,ou=users,dc=somecorp,dc=org
dialupAccess: 1
gidNumber: 100
homeDirectory: /some/dir/
mail: user at somecorp.org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: radiusprofile
objectClass: posixAccount
uid: user
cn: John User
givenName: John User
radiusFramedIPAddress: 192.168.0.1
radiusFramedIPNetmask: 255.255.255.0
sn: User
uidNumber: 100
userPassword: somepassword

From paul.cosgrove at heanet.ie Sun Aug 10 16:52:03 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Sun, 10 Aug 2008 21:52:03 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <200808101749.07941.mtinka@globaltransit.net>
References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com> <200808101749.07941.mtinka@globaltransit.net>
Message-ID: <489F54F3.6000707@heanet.ie>

Keep in mind that if the peerings are not between directly connected IP, disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.

You could check the achievable MTU using extended pings with the DF bit set, and compare it with the segment size listed by BGP before you decide whether to make that change.

Paul.

Mark Tinka wrote:
> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>
>> Any ideas on what could be causing this issue? Is there
>> a better IOS version to use?
>
> Sounds like an MTU issue.
>
> Try disabling TCP PMTUd for BGP and see if that helps:
>
> router bgp 1234
>  no bgp transport path-mtu-discovery
>
> If that works, consider checking with your provider on the
> supported MTU, end-to-end, and adjust your interface MTU if
> it helps.
>
> Cheers,
>
> Mark.
From cchurc05 at harris.com Sun Aug 10 17:29:52 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sun, 10 Aug 2008 16:29:52 -0500
Subject: [c-nsp] 2851 and full BGP
Message-ID:

Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else.

Chuck

----- Original Message -----
From: cisco-nsp-bounces at puck.nether.net
To: mtinka at globaltransit.net
Cc: cisco-nsp at puck.nether.net
Sent: Sun Aug 10 15:52:03 2008
Subject: Re: [c-nsp] 2851 and full BGP

Keep in mind that if the peerings are not between directly connected IP, disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.

You could check the achievable MTU using extended pings with the DF bit set, and compare it with the segment size listed by BGP before you decide whether to make that change.

Paul.

Mark Tinka wrote:
> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>
>> Any ideas on what could be causing this issue? Is there
>> a better IOS version to use?
>
> Sounds like an MTU issue.
>
> Try disabling TCP PMTUd for BGP and see if that helps:
>
> router bgp 1234
>  no bgp transport path-mtu-discovery
>
> If that works, consider checking with your provider on the
> supported MTU, end-to-end, and adjust your interface MTU if
> it helps.
>
> Cheers,
>
> Mark.
From r3nd0 at yahoo.com Sun Aug 10 22:47:58 2008
From: r3nd0 at yahoo.com (rendo)
Date: Mon, 11 Aug 2008 09:47:58 +0700
Subject: [c-nsp] impact of policy based routing
In-Reply-To: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com>
References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com>
Message-ID: <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>

Hi,

I'm looking for any cisco documentation or maybe your experiences regarding the impact of implementing policy based routing in 76xx platform. I have a plan to put around 5-10 source based routing, each source goes to the same outgoing interface but with different IP next-hop. The projected throughput will be around 1 Gbps.

I guess there are some impacts on CPU load and memory as well, so if anyone here has anything to share, it would be great.

Thanks in advance.

-rendo-

From rubensk at gmail.com Sun Aug 10 23:09:29 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 11 Aug 2008 00:09:29 -0300
Subject: [c-nsp] impact of policy based routing
In-Reply-To: <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>
References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com> <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>
Message-ID: <6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com>

It depends on whether the policy route will be only processed by the SUP/RSP-720 or not.
Although the following text is from the Cat IOS (ISBU) not 7600 IOS (ERBU), my understanding is it reflects what PFC3x can do and can't do in hardware:

"The Policy Feature Card (PFC) and any Distributed Feature Cards (DFCs) provide hardware support for policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords. When configuring PBR, follow these guidelines and restrictions:

• The PFC provides hardware support for PBR configured on a tunnel interface.
• The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.
• If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.
• Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the RP to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.
• PBR traffic through switching module ports where PBR is configured is routed in software if the switching module resets. (CSCee92191)
• Any permit route-map sequence with no set statement will cause matching traffic to be processed by the RP."

If you manage to keep within these boundaries, CPU load will be as if there were no PBR at all. Otherwise, you will either eat up a significant portion of RSP720 pps capacity, or kill a SUP720.

Rubens

On Sun, Aug 10, 2008 at 11:47 PM, rendo wrote:
> Hi,
>
> I'm looking for any cisco documentation or maybe your experiences regarding
> the impact of implementing policy based routing in 76xx platform. I have a
> plan to put around 5-10 source based routing, each source goes to the same
> outgoing interface but with different IP next-hop.
> The projected throughput
> will be around 1 Gbps.
>
> I guess there are some impacts on CPU load and memory as well, so if anyone
> here has anything to share, it would be great.
>
> Thanks in advance.
>
> -rendo-
>

From sdanelli at gmail.com Sun Aug 10 23:50:34 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Sun, 10 Aug 2008 21:50:34 -0600
Subject: [c-nsp] filter LDP bindings
Message-ID:

Hello,

I am trying to filter LDP label bindings to only advertise my loopback address (for vpnv4 traffic) but I am unsure as to what the requirements are. Here is what I have:

PE1#show ip route connected | in ^C
C    1.1.1.0 is directly connected, Serial1/0
C    10.0.0.1 is directly connected, Loopback0
C    150.0.0.0 is directly connected, FastEthernet0/1

PE1#sh run | in tag
no tag-switching advertise-tags
tag-switching advertise-tags for ldp-filter

PE1#show access-lists ldp-filter
Standard IP access list ldp-filter
    10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
    999 deny   any (7 matches)

matches?

but still generates a binding for all my connected interfaces:

PE1#show mpls ldp bindings 150.0.0.0 24
  tib entry: 150.0.0.0/24, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 25.25.25.25:0, tag: 18
PE1#

And the other side tags it with a label:

PE2#traceroute 150.0.0.1

Type escape sequence to abort.
Tracing the route to 150.0.0.1

  1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
  2 1.1.1.1 24 msec 52 msec *

TIA,

--
Sergio Danelli

From oboehmer at cisco.com Mon Aug 11 01:41:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 11 Aug 2008 07:41:25 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>

Sergio D.
<> wrote on Monday, August 11, 2008 5:51 AM:

> Hello,
> I am trying to filter LDP label bindings to only advertise my loopback
> address (for vpnv4 traffic) but I am unsure as to what the
> requirements are. Here is what I have:
> PE1#show ip route connected | in ^C
> C    1.1.1.0 is directly connected, Serial1/0
> C    10.0.0.1 is directly connected, Loopback0
> C    150.0.0.0 is directly connected, FastEthernet0/1
>
> PE1#sh run | in tag
> no tag-switching advertise-tags
> tag-switching advertise-tags for ldp-filter
>
> PE1#show access-lists ldp-filter
> Standard IP access list ldp-filter
>     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
>     999 deny   any (7 matches)
>
> matches?
>
> but still generates a binding for all my connected interfaces:
>
> PE1#show mpls ldp bindings 150.0.0.0 24
>   tib entry: 150.0.0.0/24, rev 2
>         local binding:  tag: imp-null
>         remote binding: tsr: 25.25.25.25:0, tag: 18
> PE1#
>
> And the other side tags it with a label:
>
> PE2#traceroute 150.0.0.1
>
> Type escape sequence to abort.
> Tracing the route to 150.0.0.1
>
>   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
>   2 1.1.1.1 24 msec 52 msec *

Which release(s) are you using? Did you apply the filter on all the nodes? Can you remove the explicit "deny any" line and try again? Some older IOS releases interpreted the explicit "deny any" differently (see http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1076409).

BTW: the LDP filter only prevents advertisement of the binding, it doesn't prevent the LSR from assigning a label (the imp-null in your example).
	oli

From joost.greene at gmail.com Mon Aug 11 04:13:38 2008
From: joost.greene at gmail.com (Joost greene)
Date: Mon, 11 Aug 2008 11:13:38 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080801140458.GA21900@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net>
Message-ID: <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>

Hi Saku,

I forgot to mention that the question said to limit telnet access to loopback of two routers without using Access lists so I can see your answer makes sense but what do you mean by MPLS LSR?

Thanks,
Joost

On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti wrote:
> On (2008-08-01 15:14 +0200), Joost greene wrote:
>
> > Hey,
> >
> > Someone challenged me with a question on how I can filter telnet access to
> > one router from all hosts except two of them WITHOUT using access-lists or
> > access-line under the VTY? any ideas?
>
> I assume challenge was set, because asker knows how to do it. If not,
> then I think challenge should be, how to make router output PONIES.
> Anyhow, I think CoPP, rACL and policy-route would break the
> 'no acl' definition and wouldn't be acceptable solution.
>
> I think what would fit the rule, is MPLS LSR where you'd only
> have route back to couple management hosts and others couldn't
> telnet to the box, simply because box doesn't have route to them.
> Of course everyone in your IGP could telnet to the box also.
>
> --
> ++ytti

From saku+cisco-nsp at ytti.fi Mon Aug 11 04:21:43 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 11 Aug 2008 11:21:43 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
Message-ID: <20080811082143.GA30208@mx.ytti.net>

On (2008-08-11 11:13 +0300), Joost greene wrote:

> I forgot to mention that the question said to limit telnet access to
> loopback of two routers without using Access lists so i can see your answer
> makes sense but what do you mean by MPLS LSR ?

LSR = Label Switch(ing) Router. Essentially it's MPLS network core router; one of its features by design is that it does not need IP routes to Internet, it only needs IP routes to other core and edge routers. So as you don't have route back to the chap telnetting to your box, telnet can not establish. To allow some hosts to telnet, simply make static route for those hosts towards some box which has route back to them.

> Thanks,
> Joost
>
> On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti wrote:
>
> > On (2008-08-01 15:14 +0200), Joost greene wrote:
> >
> > > Hey,
> > >
> > > Someone challenged me with a question on how i can filter telnet access to
> > > one router from all hosts except two of them WITHOUT using access-lists or
> > > access-line under the VTY? any ideas?
> >
> > I assume challenge was set, because asker knows how to do it. If not,
> > then I think challenge should be, how to make router output PONIES.
> > Anyhow, I think CoPP, rACL and policy-route would break the
> > 'no acl' definition and wouldn't be acceptable solution.
> >
> > I think what would fit the rule, is MPLS LSR where you'd only
> > have route back to couple management hosts and others couldn't
> > telnet to the box, simply because box doesn't have route to them.
> > Of course everyone in your IGP could telnet to the box also.
> >
> > --
> > ++ytti

--
++ytti

From paul.cosgrove at heanet.ie Mon Aug 11 04:33:11 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 09:33:11 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
References:
Message-ID: <489FF947.20206@heanet.ie>

Hi Chuck,

Jay will be able to clarify, but I took the following to mean that the two are separated via third party infrastructure: "two 2851s connected to each other over gigabit Ethernet WAN". May well be a bug though.

Paul.

Church, Charles wrote:
> Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else.
>
> Chuck
>
> ----- Original Message -----
> From: cisco-nsp-bounces at puck.nether.net
> To: mtinka at globaltransit.net
> Cc: cisco-nsp at puck.nether.net
> Sent: Sun Aug 10 15:52:03 2008
> Subject: Re: [c-nsp] 2851 and full BGP
>
> Keep in mind that if the peerings are not between directly connected IP,
> disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.
>
> You could check the achievable MTU using extended pings with the DF bit
> set, and compare it with the segment size listed by BGP before you
> decide whether to make that change.
>
> Paul.
>
> Mark Tinka wrote:
>> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>>
>>> Any ideas on what could be causing this issue?
>>> Is there
>>> a better IOS version to use?
>>
>> Sounds like an MTU issue.
>>
>> Try disabling TCP PMTUd for BGP and see if that helps:
>>
>> router bgp 1234
>>  no bgp transport path-mtu-discovery
>>
>> If that works, consider checking with your provider on the
>> supported MTU, end-to-end, and adjust your interface MTU if
>> it helps.
>>
>> Cheers,
>>
>> Mark.
>

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From joost.greene at gmail.com Mon Aug 11 04:36:33 2008
From: joost.greene at gmail.com (Joost greene)
Date: Mon, 11 Aug 2008 11:36:33 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080811082143.GA30208@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net>
Message-ID: <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com>

Ok, I thought this is a feature I don't know about :)

I guess the answer would be PBR with prefix-list.

Thank you all.
On Mon, Aug 11, 2008 at 11:21 AM, Saku Ytti wrote:
> On (2008-08-11 11:13 +0300), Joost greene wrote:
>
> > I forgot to mention that the question said to limit telnet access to
> > loopback of two routers without using Access lists so i can see your answer
> > makes sense but what do you mean by MPLS LSR ?
>
> LSR = Label Switch(ing) Router. Essentially it's MPLS network core router,
> one of its features by design is, that it does not need IP routes
> to Internet, it only needs IP routes to other core and edge routers.
> So as you don't have route back to the chap telnetting to your box,
> telnet can not establish. To allow some hosts to telnet, simply make
> static route for those hosts towards some box which has route
> back to them.
>
> > Thanks,
> > Joost
> >
> > On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti <saku%2Bcisco-nsp at ytti.fi> wrote:
> >
> > > On (2008-08-01 15:14 +0200), Joost greene wrote:
> > >
> > > > Hey,
> > > >
> > > > Someone challenged me with a question on how i can filter telnet access
> > > > to one router from all hosts except two of them WITHOUT using access-lists
> > > > or access-line under the VTY? any ideas?
> > >
> > > I assume challenge was set, because asker knows how to do it. If not,
> > > then I think challenge should be, how to make router output PONIES.
> > > Anyhow, I think CoPP, rACL and policy-route would break the
> > > 'no acl' definition and wouldn't be acceptable solution.
> > >
> > > I think what would fit the rule, is MPLS LSR where you'd only
> > > have route back to couple management hosts and others couldn't
> > > telnet to the box, simply because box doesn't have route to them.
> > > Of course everyone in your IGP could telnet to the box also.
> > >
> > > --
> > > ++ytti
>
> --
> ++ytti

From saku+cisco-nsp at ytti.fi Mon Aug 11 05:03:58 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 11 Aug 2008 12:03:58 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<20080801140458.GA21900@mx.ytti.net>
	<4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
	<20080811082143.GA30208@mx.ytti.net>
	<4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com>
Message-ID: <20080811090358.GA30568@mx.ytti.net>

On (2008-08-11 11:36 +0300), Joost greene wrote:
> Ok, I thought this is a feature I don't know about :)
>
> I guess the answer would be PBR with prefix-list.

Although question was protocol specific which makes
it hard to satisfy without ACLs. You could imagine
that the box may be offering NTP, DNS or TFTP to the
network which should continue to work.

--
++ytti

From pl+list at pmacct.net Mon Aug 11 04:24:07 2008
From: pl+list at pmacct.net (Paolo Lucente)
Date: Mon, 11 Aug 2008 09:24:07 +0100
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References:
Message-ID: <20080811082407.GA8243@london.pmacct.net>

Hi Sergio,

to add to what Oliver said, you may want to make sure you have in
the configuration a "no mpls ldp advertise-labels" line. Without that,
even if you configure a filter (which is successfully matched, as you
showed), labels would still be announced to adjacent LDP peers.
Don't know if this could be your case; I did have to make use of it to
verify label filtering working on a 12.2SR while trying to minimize
exposure of our labels in an "Inter-AS" L2 MPLS VPN scenario.

no mpls ldp advertise-labels
mpls ldp advertise-labels for LDP-DEST to LDP-PEER

[ ... ]

mpls label protocol ldp
!
interface Loopback0
 ip address 192.168.100.4 255.255.255.255
!
ip access-list standard LDP-DEST
 permit 192.168.100.4
ip access-list standard LDP-PEER
 permit 192.168.100.1
!

Cheers,
Paolo

On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> Hello,
> I am trying to filter LDP label bindings to only advertise my loopback
> address (for vpnv4 traffic) but I am unsure as to what the requirements are.
> Here is what I have:
>
> PE1#show ip route connected | in ^C
> C    1.1.1.0 is directly connected, Serial1/0
> C    10.0.0.1 is directly connected, Loopback0
> C    150.0.0.0 is directly connected, FastEthernet0/1
>
> PE1#sh run | in tag
> no tag-switching advertise-tags
> tag-switching advertise-tags for ldp-filter
>
> PE1#show access-lists ldp-filter
> Standard IP access list ldp-filter
>     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
>     999 deny   any (7 matches)
>
> matches?
>
> but still generates a binding for all my connected interfaces:
>
> PE1#show mpls ldp bindings 150.0.0.0 24
>   tib entry: 150.0.0.0/24, rev 2
>         local binding:  tag: imp-null
>         remote binding: tsr: 25.25.25.25:0, tag: 18
> PE1#
>
> And the other side tags it with a label:
>
> PE2#traceroute 150.0.0.1
>
> Type escape sequence to abort.
> Tracing the route to 150.0.0.1
>
>   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
>   2 1.1.1.1 24 msec 52 msec *
>
> TIA,
>
> --
> Sergio Danelli

From ltd at cisco.com Mon Aug 11 06:30:16 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 11 Aug 2008 20:30:16 +1000
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080811090358.GA30568@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<20080801140458.GA21900@mx.ytti.net>
	<4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
	<20080811082143.GA30208@mx.ytti.net>
	<4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com>
	<20080811090358.GA30568@mx.ytti.net>
Message-ID: <48A014B8.4010807@cisco.com>

Saku Ytti wrote:
> Although question was protocol specific which makes
> it hard to satisfy without ACLs. You could imagine
> that the box may be offering NTP, DNS or TFTP to the
> network which should continue to work.
>

you could potentially do it using CoPP policy with a CoPP policy for the
address(es) you wish, 0bps configured for other rates.

if it's just telnet, then certainly an access-class on the vty would work
too, albeit that would be s/w enforced not h/w enforced.

cheers,

lincoln.

From aj at sneep.net Mon Aug 11 06:55:47 2008
From: aj at sneep.net (Alastair Johnson)
Date: Mon, 11 Aug 2008 18:55:47 +0800
Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG
Message-ID: <48A01AB3.3000503@sneep.net>

Hi,

I am trying to understand how IOS implements the OSPF reference
bandwidth related to LAG interfaces.

The only background material I can find on this is along the lines of:
http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q3

Can anyone confirm whether LAG/Port-Channel interfaces have the
reference BW recalculated based on the active member links?

e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should
be metric = 5.

If one 10GE link disappears from the bundle, do I have metric = 10?
thanks,

aj

From rens at autempspourmoi.be Mon Aug 11 07:27:47 2008
From: rens at autempspourmoi.be (Rens)
Date: Mon, 11 Aug 2008 13:27:47 +0200
Subject: [c-nsp] Console access via cell phone
Message-ID:

Hi,

Is there any device that you can connect to the console port of a switch
that you can put a SIM card in?

So you can just dial to that number and have console access on the switch?

Regards,

Rens

From stig.johansen at ementor.no Mon Aug 11 07:45:35 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 11 Aug 2008 13:45:35 +0200
Subject: [c-nsp] Console access via cell phone
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360A93C@100NOOSLMSG004.common.alpharoot.net>

Google is your friend: http://www.google.com/search?q=gsm+modem+rs232

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Rens
Sent: 11 August 2008 13:28
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Console access via cell phone

From oboehmer at cisco.com Mon Aug 11 08:02:46 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 11 Aug 2008 14:02:46 +0200
Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG
In-Reply-To: <48A01AB3.3000503@sneep.net>
References: <48A01AB3.3000503@sneep.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com>

Alastair Johnson wrote on Monday, August 11, 2008 12:56 PM:

> Hi,
>
> I am trying to understand how IOS implements the OSPF reference
> bandwidth related to LAG interfaces.
>
> The only background material I can find on this is along the lines of:
> http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q3
>
> Can anyone confirm whether LAG/Port-Channel interfaces have the
> reference BW recalculated based on the active member links?
>
> e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should
> be metric = 5.
>
> If one 10GE link disappears from the bundle, do I have metric = 10?

yes, the bandwidth on the port-channel interface is based on the number
of active links, and OSPF's cost will adjust automatically.

	oli

From justin at justinshore.com Mon Aug 11 08:46:03 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 11 Aug 2008 07:46:03 -0500
Subject: [c-nsp] Console access via cell phone
In-Reply-To:
References:
Message-ID: <48A0348B.7070400@justinshore.com>

Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?

A couple of Avocent's console server product lines support PCMCIA
expansion cards including cell modems.

Justin

From rens at autempspourmoi.be Mon Aug 11 09:00:41 2008
From: rens at autempspourmoi.be (Rens)
Date: Mon, 11 Aug 2008 15:00:41 +0200
Subject: [c-nsp] Console access via cell phone
In-Reply-To: <48A0348B.7070400@justinshore.com>
References: <48A0348B.7070400@justinshore.com>
Message-ID:

I found a Siemens MC35i

But no luck so far getting it to work, does anyone have experience with this?

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: Monday, 11 August 2008 14:46
To: Rens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Console access via cell phone

From cchurc05 at harris.com Mon Aug 11 09:18:28 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 11 Aug 2008 08:18:28 -0500
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <489FF947.20206@heanet.ie>
References: <489FF947.20206@heanet.ie>
Message-ID:

Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time.
That does make MTU a possibility. But didn't he get like 20% of his
routes before the error message? Since it was 12.4(20)T (pretty
bleeding edge), I'd lean towards that still. I'd think that an MTU
problem would show up way before you got to 20%. Does BGP set the DF
bit?

Chuck

-----Original Message-----
From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
Sent: Monday, August 11, 2008 4:33 AM
To: Church, Charles
Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2851 and full BGP

Hi Chuck,

Jay will be able to clarify, but I took the following to mean that the
two are separated via third party infrastructure: "two 2851s connected
to each other over gigabit Ethernet WAN".

May well be a bug though.

Paul.

Church, Charles wrote:
> Wasn't the original problem the iBGP connection over his own network?
> Sounds like a bug more than anything else.
>
> Chuck
>
> ----- Original Message -----
> From: cisco-nsp-bounces at puck.nether.net
> To: mtinka at globaltransit.net
> Cc: cisco-nsp at puck.nether.net
> Sent: Sun Aug 10 15:52:03 2008
> Subject: Re: [c-nsp] 2851 and full BGP
>
>
> Keep in mind that if the peerings are not between directly connected IP,
> disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.
>
> You could check the achievable MTU using extended pings with the DF bit
> set, and compare it with the segment size listed by BGP before you
> decide whether to make that change.
>
> Paul.
>
> Mark Tinka wrote:
>> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>>
>>> Any ideas on what could be causing this issue? Is there
>>> a better IOS version to use?
>>>
>> Sounds like an MTU issue.
>>
>> Try disabling TCP PMTUd for BGP and see if that helps:
>>
>> router bgp 1234
>> no bgp transport path-mtu-discovery
>>
>> If that works, consider checking with your provider on the
>> supported MTU, end-to-end, and adjust your interface MTU if
>> it helps.
>>
>> Cheers,
>>
>> Mark.

From rendo.aw at gmail.com Mon Aug 11 09:20:01 2008
From: rendo.aw at gmail.com (rendo)
Date: Mon, 11 Aug 2008 20:20:01 +0700
Subject: [c-nsp] impact of policy based routing
In-Reply-To: <6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com>
References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com>
	<6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>
	<6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com>
Message-ID: <6e9252f0808110620x63850cd0q1136ad65482afcea@mail.gmail.com>

Hi Rubens,

Thanks for the answer, do you have any doc or url for the information below?

-rendo-

On Mon, Aug 11, 2008 at 10:09 AM, Rubens Kuhl Jr. wrote:
> It depends on whether the policy route will be only processed by the
> SUP/RSP-720 or not.
>
> Although the following text is from the Cat IOS (ISBU) not 7600 IOS
> (ERBU), my understanding is it reflects what PFC3x can do and can't do
> in hardware:
>
> "The Policy Feature Card (PFC) and any Distributed Feature Cards
> (DFCs) provide hardware support for policy-based routing (PBR) for
> route-map sequences that use the match ip address, set ip next-hop,
> and ip default next-hop PBR keywords.
>
> When configuring PBR, follow these guidelines and restrictions:
> * The PFC provides hardware support for PBR configured on a tunnel
>   interface.
> * The PFC does not provide hardware support for PBR configured with the
>   set ip next-hop keywords if the next hop is a tunnel interface.
> * If the RP address falls within the range of a PBR ACL, traffic
>   addressed to the RP is policy routed in hardware instead of being
>   forwarded to the RP. To prevent policy routing of traffic addressed to
>   the RP, configure PBR ACLs to deny traffic addressed to the RP.
> * Any options in Cisco IOS ACLs that provide filtering in a PBR
>   route-map that would cause flows to be sent to the RP to be switched
>   in software are ignored. For example, logging is not supported in ACEs
>   in Cisco IOS ACLs that provide filtering in PBR route-maps.
> * PBR traffic through switching module ports where PBR is configured is
>   routed in software if the switching module resets. (CSCee92191)
> * Any permit route-map sequence with no set statement will cause
>   matching traffic to be processed by the RP."
>
> If you manage to keep within these boundaries, CPU load will be as if
> there were no PBR at all. Otherwise, you will either eat up a
> significant portion of RSP720 pps capacity, or kill a SUP720.
>
>
> Rubens
>
>
> On Sun, Aug 10, 2008 at 11:47 PM, rendo wrote:
> > Hi,
> >
> > I'm looking for any cisco documentation or maybe your experiences regarding
> > the impact of implementing policy based routing in 76xx platform. I have a
> > plan to put around 5-10 source based routing, each source goes to the same
> > outgoing interface but with different IP next-hop. The projected throughput
> > will be around 1 Gbps.
> >
> > I guess there are some impacts on CPU load and memory as well, so if anyone
> > here has anything to share, it would be great.
> >
> > Thanks in advance.
> >
> > -rendo-

From baard at dahlmo.no Mon Aug 11 09:23:33 2008
From: baard at dahlmo.no (Bård Dahlmo)
Date: Mon, 11 Aug 2008 15:23:33 +0200 (CEST)
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID:

On Thu, 7 Aug 2008, Phil Mayers wrote:

> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)

CSCsr86489

--
Bård Dahlmo

From jcartier at acs.on.ca Mon Aug 11 09:25:18 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 11 Aug 2008 09:25:18 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
Message-ID:

Can you provide any system stats? What is the CPU and memory looking
like...if something appears to be off it could indicate a code-level issue.

Jeff Cartier
Applied Computer Solutions
(519) 944-4300 ext. 233

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Monday, August 11, 2008 9:18 AM
To: Paul Cosgrove
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2851 and full BGP

From p.mayers at imperial.ac.uk Mon Aug 11 09:36:19 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 11 Aug 2008 14:36:19 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To:
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <48A04053.1020102@imperial.ac.uk>

Bård Dahlmo wrote:
> On Thu, 7 Aug 2008, Phil Mayers wrote:
>
>> Just a warning, there is a fatal crash bug in SXH3 related to using
>> SCP. Considering the release notes claim fixes in that very area, this
>> is highly amusing (note: issue may not actually be amusing)
>
> CSCsr86489
>

Nice. TAC case has been open 4 days now, and I've had no reply.
From zeusdadog at gmail.com Mon Aug 11 10:01:56 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 11 Aug 2008 10:01:56 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
References: <489FF947.20206@heanet.ie>
Message-ID: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>

To answer a couple of people's questions, MTU on the routers is 1500. I
have tested with ping and df-bit set. Provider has higher frame size to
cover that MTU over the WAN link and our switches that connect to them
on both ends have higher frame size. (1526 frame size or higher)

While I am at it, I noticed 12.4 line IOS for 28xx is MD release.
Which, Cisco's link doesn't tell you what that means. I know GD, ED,
etc releases but wasn't sure what MD release meant. Mainline
deployment?

Anyway, is 12.4 the most stable way to go on 28xx? We are not using
any fancy features. One router is using NM-1T3/E3 card but that's
about it.

Here is some output from both routers while exchanging just internal
routes.
border2-col#sh ip bgp neighbors Y.Y.Y.Y
BGP neighbor is Y.Y.Y.Y,  remote AS ZZZZ, internal link
  BGP version 4, remote router ID Y.Y.Y.Y
  BGP state = Established, up for 3d03h
  Last read 00:00:41, last write 00:00:49, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  7          7
    Notifications:          3          1
    Updates:           171196     105628
    Keepalives:          4581       4586
    Route Refresh:          0          0
    Total:             175787     110226
  Default minimum time between advertisement runs is 0 seconds

 For address family: IPv4 Unicast
  BGP table version 887105, neighbor version 887105/0
  Output queue size : 0
  Index 3, Offset 0, Mask 0x8
  3 update-group member
  Inbound soft reconfiguration allowed
  Outgoing update prefix filter list is COLUMBUS_NET
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               7          9 (Consumes 468 bytes)
    Prefixes Total:                 8          9
    Implicit Withdraw:              0          0
    Explicit Withdraw:              1          0
    Used as bestpath:             n/a          9
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                      535265          0
    Bestpath from this peer:              9        n/a
    Total:                           535274          0
  Number of NLRIs in the update sent: max 1024, min 0

  Address tracking is enabled, the RIB does have a route to Y.Y.Y.Y
  Connections established 7; dropped 6
  Last reset 3d03h, due to BGP Notification received, illegal header length
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: X.X.X.X, Local port: 51918
Foreign host: Y.Y.Y.Y, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x15C86EE0):
Timer          Starts    Wakeups            Next
Retrans          4563         31             0x0
TimeWait            0          0             0x0
AckHold          4529       4183             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            1          1             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 3264861958  snduna: 3264948248  sndnxt: 3264948248     sndwnd:  16023
irs: 3518332904  rcvnxt: 3518419120  rcvwnd:      16118  delrcvwnd:    266

SRTT: 301 ms, RTTO: 308 ms, RTV: 7 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 2824 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 536 bytes):
Rcvd: 8963 (out of order: 0), with data: 4530, total data bytes: 86215
Sent: 8919 (retransmit: 31, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86289

 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0

border2-indy#sh ip bgp neighbors X.X.X.X
BGP neighbor is X.X.X.X,  remote AS ZZZZ, internal link
  BGP version 4, remote router ID X.X.X.X
  BGP state = Established, up for 3d04h
  Last read 00:00:39, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  9          9
    Notifications:          1          4
    Updates:           144559     224571
    Keepalives:          4590       4585
    Route Refresh:          0          0
    Total:             149155     229172
  Default minimum time between advertisement runs is 0 seconds

 For address family: IPv4 Unicast
  BGP table version 2377206, neighbor version 2377206/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Inbound soft reconfiguration allowed
  Outgoing update prefix filter list is INDY_NET
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               9          7 (Consumes 364 bytes)
    Prefixes Total:                 9          8
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          1
    Used as bestpath:             n/a          7
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                      458047          0
    Bestpath from this peer:              9        n/a
    Total:                           458056          0
  Number of NLRIs in the update sent: max 1135, min 0

  Address tracking is enabled, the RIB does have a route to X.X.X.X
  Connections established 9; dropped 8
  Last reset 3d04h, due to BGP Notification sent, illegal header length
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: Y.Y.Y.Y, Local port: 179
Foreign host: X.X.X.X, Foreign port: 51918
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x10A0F458):
Timer          Starts    Wakeups            Next
Retrans          4578         46             0x0
TimeWait            0          0             0x0
AckHold          4532       4200             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 3518332904  snduna: 3518419158  sndnxt: 3518419158     sndwnd:  16080
irs: 3264861958  rcvnxt: 3264948267  rcvwnd:      16004  delrcvwnd:    380

SRTT: 304 ms, RTTO: 335 ms, RTV: 31 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 468 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 536 bytes):
Rcvd: 8953 (out of order: 0), with data: 4533, total data bytes: 86308
Sent: 8920 (retransmit: 46, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86253

 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0

On Mon, Aug 11, 2008 at 9:18 AM, Church, Charles wrote:
> Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time.
> That does make MTU a possibility. But didn't he get like 20% of his
> routes before the error message? Since it was 12.4(20)T (pretty
> bleeding edge), I'd lean towards that still. I'd think that an MTU
> problem would show up way before you got to 20%. Does BGP set the DF
> bit?
From jcartier at acs.on.ca Mon Aug 11 10:10:32 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 11 Aug 2008 10:10:32 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID:

**While I am at it, I noticed 12.4 line IOS for 28xx is MD release.
Which, Cisco's link doesn't tell you what that means. I know GD, ED,
etc releases but wasn't sure what MD release meant. Mainline
deployment?

Here's a good read - http://en.wikipedia.org/wiki/Cisco_IOS

Mainline deployments are usually ones to try to stay away from, in my
opinion and experience. They are typically more prone to bugs, but
support the widest variety of hardware.

Jeff Cartier
Applied Computer Solutions
(519) 944-4300 ext.
233

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: Monday, August 11, 2008 10:02 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2851 and full BGP
value : 6 Datagrams (max data segment is 536 bytes): Rcvd: 8953 (out of order: 0), with data: 4533, total data bytes: 86308 Sent: 8920 (retransmit: 46, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86253 Packets received in fast path: 0, fast processed: 0, slow path: 0 fast lock acquisition failures: 0, slow path: 0 On Mon, Aug 11, 2008 at 9:18 AM, Church, Charles wrote: > Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. > That does make MTU a possibility. But didn't he get like 20% of his > routes before the error message? Since it was 12.4(20)T (pretty > bleeding edge), I'd lean towards that still. I'd think that an MTU > problem would show up way before you got to 20%. Does BGP set the DF > bit? > > Chuck > > -----Original Message----- > From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] > Sent: Monday, August 11, 2008 4:33 AM > To: Church, Charles > Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 2851 and full BGP > > > Hi Chuck, > > Jay will be able to clarify, but I took the following to mean that the > two are separated via third party infrastructure: "two 2851s connected > to each other over gigabit Ethernet WAN". > > May well be a bug though. > > Paul. > > Church, Charles wrote: > > Wasn't the original problem the iBGP connection over his own network? > Sounds like a bug more than anything else. > > > > Chuck > > > > ----- Original Message ----- > > From: cisco-nsp-bounces at puck.nether.net > > > To: mtinka at globaltransit.net > > Cc: cisco-nsp at puck.nether.net > > Sent: Sun Aug 10 15:52:03 2008 > > Subject: Re: [c-nsp] 2851 and full BGP > > > > > > Keep in mind that if the peerings are not between directly connected > IP, > > disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. 
> > > > You could check the achievable MTU using extended pings with the DF > bit > > set, and compare it with the segment size listed by BGP before you > > decide whether to make that change. > > > > Paul. > > > > Mark Tinka wrote: > >> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: > >> > >> > >>> Any ideas on what could be causing this issue? Is there > >>> a better IOS version to use? > >>> > >> Sounds like an MTU issue. > >> > >> Try disabling TCP PMTUd for BGP and see if that helps: > >> > >> router bgp 1234 > >> no bgp transport path-mtu-discovery > >> > >> If that works, consider checking with your provider on the > >> supported MTU, end-to-end, and adjust your interface MTU if > >> it helps. > >> > >> Cheers, > >> > >> Mark. > >> > >> > ------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > -- > HEAnet Limited > Ireland's Education & Research Network > 5 George's Dock, IFSC, Dublin 1, Ireland > Tel: +353.1.6609040 > Web: http://www.heanet.ie > Company registered in Ireland: 275301 > > Please consider the environment before printing this e-mail. 
From cchurc05 at harris.com  Mon Aug 11 10:28:03 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 11 Aug 2008 09:28:03 -0500
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID:

12.4 mainline seems pretty mature at this point. I've got a 2821 doing full
tables from 2 upstreams over Ethernet, running 12.4(19), been solid for
months, running prefix lists, heavy QoS, and a few other things. Unless you
really need a feature from a 'T' train (or hardware support), you're usually
better off with the mainline code.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: Monday, August 11, 2008 10:02 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2851 and full BGP

To answer a couple of people's questions,

MTU on the routers is 1500. I have tested with ping and the DF bit set.
The provider has a higher frame size to cover that MTU over the WAN link, and
our switches that connect to them on both ends have a higher frame size
(1526 frame size or higher).

While I am at it, I noticed the 12.4 line of IOS for 28xx is an MD release.
Cisco's link doesn't tell you what that means. I know GD, ED, etc. releases
but wasn't sure what MD release meant. Mainline deployment?

Anyway, is 12.4 the most stable way to go on 28xx? We are not using any
fancy features. One router is using an NM-1T3/E3 card but that's about it.

Here is some output from both routers while exchanging just internal routes.

[...]

From paul.cosgrove at heanet.ie  Mon Aug 11 10:40:20 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 15:40:20 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID: <48A04F54.7050800@heanet.ie>

Hi Jay,

PMTUD is not working here. You can see from the command output that a
TCP MSS of 536 bytes is being used rather than the expected 1440 bytes:

> Datagrams (max data segment is 536 bytes):

This limits the size of BGP packets, requiring more to be sent and so
increasing the load on the routers.
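The check Paul describes above (PMTUD enabled on both sides, yet a 536-byte segment size), as an added example that is not part of Paul's post or of any Cisco tooling: a small Python parser run over a constructed excerpt of the thread's `show ip bgp neighbors` output, flagging the fallback MSS, the NOTIFICATION-driven resets and the session flapping that output shows. The 20-byte TCP-option allowance that turns an MTU of 1500 into the 1440 Paul quotes is an assumption, not a documented IOS value.

```python
import re

# Constructed sample: a condensed excerpt of the "show ip bgp neighbors" output
# posted in the thread (addresses anonymised as in the post), keeping only the
# lines the diagnosis below needs.
SAMPLE_OUTPUT = """\
BGP neighbor is Y.Y.Y.Y,  remote AS ZZZZ, internal link
  BGP state = Established, up for 3d03h
  Connections established 7; dropped 6
  Last reset 3d03h, due to BGP Notification received, illegal header length
  Transport(tcp) path-mtu-discovery is enabled
Local host: X.X.X.X, Local port: 51918
Foreign host: Y.Y.Y.Y, Foreign port: 179
Option Flags: nagle, path mtu capable
Datagrams (max data segment is 536 bytes):
Rcvd: 8963 (out of order: 0), with data: 4530, total data bytes: 86215
Sent: 8919 (retransmit: 31, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86289
"""

IOS_FALLBACK_MSS = 536   # segment size IOS uses when PMTUD has not found anything larger
IP_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header, no options


def expected_mss(mtu, tcp_option_bytes=0):
    """MSS a session should settle on once PMTUD has learned the path MTU.

    1500 - 40 = 1460 with no TCP options; reserving 20 bytes for options
    gives the 1440 quoted in the thread (the 20-byte allowance is an
    assumption about how IOS accounts for options, not a documented value).
    """
    return mtu - IP_TCP_HEADERS - tcp_option_bytes


def parse_bgp_neighbor(text):
    """Pull the transport-level fields the diagnosis relies on out of the output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None

    conn = re.search(r"Connections established (\d+); dropped (\d+)", text)
    return {
        "neighbor": grab(r"BGP neighbor is (\S+),"),
        "state": grab(r"BGP state = (\w+)"),
        "pmtud_enabled": "path-mtu-discovery is enabled" in text,
        "mss": grab(r"max data segment is (\d+) bytes", int),
        "established": int(conn.group(1)) if conn else None,
        "dropped": int(conn.group(2)) if conn else None,
        "last_reset_reason": grab(r"Last reset \S+, due to (.+)"),
        "retransmits": grab(r"\(retransmit: (\d+),", int),
    }


def diagnose(fields, interface_mtu=1500):
    """Return a list of (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    mss = fields["mss"]
    want = expected_mss(interface_mtu, tcp_option_bytes=20)

    if mss is not None and mss <= IOS_FALLBACK_MSS:
        if fields["pmtud_enabled"]:
            # Both sides say PMTUD is on, yet the session sits at the fallback size:
            # the ICMP "fragmentation needed" replies are probably being filtered.
            findings.append(("PMTUD_NOT_EFFECTIVE",
                "PMTUD enabled but MSS is %d (about %d expected for MTU %d); "
                "check that ICMP fragmentation-needed messages reach both routers"
                % (mss, want, interface_mtu)))
        else:
            # With PMTUD off, IOS uses 536 unless the peer is directly connected.
            findings.append(("PMTUD_DISABLED",
                "PMTUD disabled; session fell back to %d-byte segments" % mss))
        findings.append(("SEGMENT_OVERHEAD",
            "each large UPDATE needs about %.1fx more TCP segments at MSS %d than at %d"
            % (want / mss, mss, want)))

    reason = fields["last_reset_reason"] or ""
    if "Notification" in reason:
        findings.append(("NOTIFICATION_RESET", "last reset by BGP NOTIFICATION: " + reason))

    if fields["dropped"] and fields["dropped"] >= 3:
        findings.append(("SESSION_FLAPPING",
            "%d of %d connections dropped" % (fields["dropped"], fields["established"])))
    return findings


if __name__ == "__main__":
    parsed = parse_bgp_neighbor(SAMPLE_OUTPUT)
    for code, message in diagnose(parsed, interface_mtu=1500):
        print("%s: %s" % (code, message))
```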
You seem to have PMTUD enabled at both ends of the link, so perhaps there
is filtering taking place which is stopping the required ICMP messages
(or a bug as Chuck suggested). I don't know if this is the cause of your
main issues, but I would fix that and then see if the issue is resolved.

Paul.

Jay Nakamura wrote:
> To answer a couple of people's questions,
>
> MTU on the routers is 1500. I have tested with ping and the DF bit set.
> The provider has a higher frame size to cover that MTU over the WAN link, and
> our switches that connect to them on both ends have a higher frame size
> (1526 frame size or higher).
>
> While I am at it, I noticed the 12.4 line of IOS for 28xx is an MD release.
> Cisco's link doesn't tell you what that means. I know GD, ED, etc. releases
> but wasn't sure what MD release meant. Mainline deployment?
>
> Anyway, is 12.4 the most stable way to go on 28xx? We are not using any
> fancy features. One router is using an NM-1T3/E3 card but that's about it.
>
> Here is some output from both routers while exchanging just internal routes.
>
> border2-col#sh ip bgp neighbors Y.Y.Y.Y
> BGP neighbor is Y.Y.Y.Y, remote AS ZZZZ, internal link
> [...]
>   Connections established 7; dropped 6
>   Last reset 3d03h, due to BGP Notification received, illegal header length
>   Transport(tcp) path-mtu-discovery is enabled
> [...]
> Datagrams (max data segment is 536 bytes):
> Rcvd: 8963 (out of order: 0), with data: 4530, total data bytes: 86215
> Sent: 8919 (retransmit: 31, fastretransmit: 0, partialack: 0, Second
> Congestion: 0), with data: 4532, total data bytes: 86289
> [...]
>
> border2-indy#sh ip bgp neighbors X.X.X.X
> BGP neighbor is X.X.X.X, remote AS ZZZZ, internal link
> [...]
>   Connections established 9; dropped 8
>   Last reset 3d04h, due to BGP Notification sent, illegal header length
>   Transport(tcp) path-mtu-discovery is enabled
> [...]
> Datagrams (max data segment is 536 bytes):
> Rcvd: 8953 (out of order: 0), with data: 4533, total data bytes: 86308
> Sent: 8920 (retransmit: 46, fastretransmit: 0, partialack: 0, Second
> Congestion: 0), with data: 4532, total data bytes: 86253
> [...]

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From paul.cosgrove at heanet.ie  Mon Aug 11 10:45:52 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 15:45:52 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <48A04D45.5090401@heanet.ie>
References: <489FF947.20206@heanet.ie> <48A04D45.5090401@heanet.ie>
Message-ID: <48A050A0.5020806@heanet.ie>

Forgot to cc the list on this earlier email.
Paul Cosgrove wrote: > Hi Chuck, > > Indeed it is apparently more than that: Jay mentioned receiving 20,000 > routes before he sees the issue, so I guess about 75%. I had similar > thoughts about this but wasn't (and still am not) sure how frequently in > practice BGP with a full table is likely to have to send large updates. > > My (admittedly basic) understanding is that individual update messages > contain details about prefixes which share the same attributes. If the > attributes are different, different update messages will be used. > > If I have this right, the number of update messages will vary according > to the number of distinct attribute sets, and the size of each update > varies according to the number of NLRI which have those particular > attributes. > > This makes me think that MTU issues could indeed occur at any point > during the update process. A software bug might indeed turn out to be > the cause, but I wouldn't rule MTU issues out at this stage. > > Paul. > > > Church, Charles wrote: >> Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. >> That does make MTU a possibility. But didn't he get like 20% of his >> routes before the error message? Since it was 12.4(20)T (pretty >> bleeding edge), I'd lean towards that still. I'd think that an MTU >> problem would show up way before you got to 20%. Does BGP set the DF >> bit? >> >> Chuck >> >> -----Original Message----- >> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: Monday, >> August 11, 2008 4:33 AM >> To: Church, Charles >> Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] 2851 and full BGP >> >> >> Hi Chuck, >> >> Jay will be able to clarify, but I took the following to mean that the >> two are separated via third party infrastructure: "two 2851s connected >> to each other over gigabit Ethernet WAN". >> >> May well be a bug though. >> >> Paul. 
>> >> Church, Charles wrote: >>> Wasn't the original problem the iBGP connection over his own network? >> Sounds like a bug more than anything else. >>> Chuck >>> >>> ----- Original Message ----- >>> From: cisco-nsp-bounces at puck.nether.net >> >>> To: mtinka at globaltransit.net >>> Cc: cisco-nsp at puck.nether.net >>> Sent: Sun Aug 10 15:52:03 2008 >>> Subject: Re: [c-nsp] 2851 and full BGP >>> >>> >>> Keep in mind that if the peerings are not between directly connected >> IP, >>> disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. >>> >>> You could check the achievable MTU using extended pings with the DF >> bit >>> set, and compare it with the segment size listed by BGP before you >>> decide whether to make that change. >>> >>> Paul. >>> >>> Mark Tinka wrote: >>>> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: >>>> >>>> >>>>> Any ideas on what could be causing this issue? Is there >>>>> a better IOS version to use? >>>>> >>>> Sounds like an MTU issue. >>>> >>>> Try disabling TCP PMTUd for BGP and see if that helps: >>>> >>>> router bgp 1234 >>>> no bgp transport path-mtu-discovery >>>> >>>> If that works, consider checking with your provider on the supported >>>> MTU, end-to-end, and adjust your interface MTU if it helps. >>>> >>>> Cheers, >>>> >>>> Mark. 
>>>>

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From antal.gergely at hu.digi.tv Mon Aug 11 10:47:16 2008
From: antal.gergely at hu.digi.tv (Antal Gergely)
Date: Mon, 11 Aug 2008 16:47:16 +0200
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID: <48A050F4.8000807@hu.digi.tv>

Jay Nakamura wrote:
> Datagrams (max data segment is 536 bytes):

Put an "ip mtu 1500" on the WAN interface.
It's not the same as "mtu xxxx".

--
Antal GERGELY
Backbone Network Department
IP Services
DIGI KFT
Budapest Vaci ut 35.
H-1134 Hungary

From sdanelli at gmail.com Mon Aug 11 10:52:02 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Mon, 11 Aug 2008 08:52:02 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <20080811082407.GA8243@london.pmacct.net>
References: <20080811082407.GA8243@london.pmacct.net>
Message-ID:

Thanks for the response.
I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no
tag-switching advertise-tags", which I already have.

Oliver,
thanks for clearing up the assignment of the label. I guess that's fine as
long as it doesn't get advertised, which is what I am trying to avoid. I
did try it without the deny at the end, and the result was the same.

Do I need an access-list listing my peers and apply that?

TIA

On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente wrote:
> Hi Sergio,
>
> to add to what Oliver said that you maybe want to make sure
> you have in the configuration a "no mpls ldp advertise-labels"
> line. Without that, even if you configure a filter (which is
> successfully matched as you shown), labels would still be
> announced to adjacent LDP peers.
>
> Don't know if this could be your case; I did have to make use
> out of it to verify label filtering working on a 12.2SR while
> trying to minimize exposure of our labels in an "Inter-AS" L2
> MPLS VPN scenario.
>
> no mpls ldp advertise-labels
> mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> [ ... ]
> mpls label protocol ldp
> !
> interface Loopback0
>  ip address 192.168.100.4 255.255.255.255
> !
> ip access-list standard LDP-DEST
>  permit 192.168.100.4
> ip access-list standard LDP-PEER
>  permit 192.168.100.1
> !
>
> Cheers,
> Paolo
>
>
> On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> > Hello,
> > I am trying to filter LDP label bindings to only advertise my loopback
> > address (for vpnv4 traffic) but I am unsure as to what the requirements
> > are.
> > Here is what I have:
> >
> > PE1#show ip route connected | in ^C
> > C    1.1.1.0 is directly connected, Serial1/0
> > C    10.0.0.1 is directly connected, Loopback0
> > C    150.0.0.0 is directly connected, FastEthernet0/1
> >
> > PE1#sh run | in tag
> > no tag-switching advertise-tags
> > tag-switching advertise-tags for ldp-filter
> >
> > PE1#show access-lists ldp-filter
> > Standard IP access list ldp-filter
> >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> >     999 deny   any (7 matches)
> >
> > matches?
> >
> > but still generates a binding for all my connected interfaces:
> >
> > PE1#show mpls ldp bindings 150.0.0.0 24
> >   tib entry: 150.0.0.0/24, rev 2
> >         local binding:  tag: imp-null
> >         remote binding: tsr: 25.25.25.25:0, tag: 18
> > PE1#
> >
> > And the other side tags it with a label:
> >
> > PE2#traceroute 150.0.0.1
> >
> > Type escape sequence to abort.
> > Tracing the route to 150.0.0.1
> >
> >   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> >   2 1.1.1.1 24 msec 52 msec *
> >
> > TIA,
> >
> > --
> > Sergio Danelli

--
Sergio Danelli

From paul at paulstewart.org Mon Aug 11 09:48:01 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 11 Aug 2008 09:48:01 -0400
Subject: [c-nsp] Console access via cell phone
In-Reply-To:
References: <48A0348B.7070400@justinshore.com>
Message-ID: <000001c8fbb8$df7f5f40$9e7e1dc0$@org>

We're using Lantronix here for the same purpose....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
Sent: Monday, August 11, 2008 9:01 AM
To: 'Justin Shore'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Console access via cell phone

I found a Siemens MC35i, but no luck so far getting it to work. Does anyone
have experience with this?
-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: lundi 11 août 2008 14:46
To: Rens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Console access via cell phone

Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?

A couple of Avocent's console server product lines support PCMCIA
expansion cards including cell modems.

Justin

From hank at efes.iucc.ac.il Mon Aug 11 11:35:18 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Mon, 11 Aug 2008 18:35:18 +0300 (IDT)
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <48A04053.1020102@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk>
Message-ID:

On Mon, 11 Aug 2008, Phil Mayers wrote:

> Bård Dahlmo wrote:
>> On Thu, 7 Aug 2008, Phil Mayers wrote:
>>
>>> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
>>> Considering the release notes claim fixes in that very area, this is
>>> highly amusing (note: issue may not actually be amusing)
>>
>> CSCsr86489
>>
>
> Nice. TAC case has been open 4 days now, and I've had no reply.

I have found cisco-nsp far more useful than TAC. Only 1 out of every 3 TAC
cases do I get value for my money. Otherwise it is either "not my job,
man", or "working as designed", etc.
-Hank

From p.mayers at imperial.ac.uk Mon Aug 11 11:39:42 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 11 Aug 2008 16:39:42 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To:
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk>
Message-ID: <48A05D3E.7020209@imperial.ac.uk>

Hank Nussbacher wrote:
> On Mon, 11 Aug 2008, Phil Mayers wrote:
>
>> Bård Dahlmo wrote:
>>> On Thu, 7 Aug 2008, Phil Mayers wrote:
>>>
>>>> Just a warning, there is a fatal crash bug in SXH3 related to using
>>>> SCP. Considering the release notes claim fixes in that very area,
>>>> this is highly amusing (note: issue may not actually be amusing)
>>>
>>> CSCsr86489
>>>
>>
>> Nice. TAC case has been open 4 days now, and I've had no reply.
>
> I have found cisco-nsp far more useful than TAC. Only 1 out of every 3
> TAC cases do I get value for my money. Otherwise it is either "not my
> job, man", or "working as designed", etc.

They've not been quite that bad with me. Typically I get the response:
"""This is CSCsuch-and-such, it'll be fixed in the next release""". This
normally happens quite quickly.

I've had one nasty incident which was P1 and gotten good time from a TAC
engineer, though it eventually boiled down to "upgrade IOS", which to be
frank I could have figured myself ;o)

HOWEVER - I've interacted with other non-Cisco vendors and with
non-smartnet Cisco (i.e. provided by reseller) and they've been absolutely
APPALLING - months have gone by with no results.

By comparison to those other experiences, TAC/Smartnet is excellent :o(

From oboehmer at cisco.com Mon Aug 11 11:51:09 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 11 Aug 2008 17:51:09 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References: <20080811082407.GA8243@london.pmacct.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>

Sergio,

your config looks fine, so I don't know what's happening.
Can you show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
or a "show mpls forwarding interface " where is the neighbor's interface
to PE1?
No need to specify a "to " to select which neighbors you want to advertise
this to in your case.

        oli

Sergio D. wrote on Monday, August 11, 2008 4:52 PM:

> thanks for the response.
> I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no
> tag-switching advertise-tags" which I already have.
> Oliver,
> thanks for clearing up the assignment of the label, I guess that's
> fine as long as it doesn't get advertised which is what I am trying
> to avoid. I did try it without the deny at the end, and the result
> was the same.
> Do I need an access-list listing my peers and apply that?
>
> TIA
>
> On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente wrote:
>
> Hi Sergio,
>
> to add to what Oliver said that you maybe want to make sure
> you have in the configuration a "no mpls ldp advertise-labels"
> line. Without that, even if you configure a filter (which is
> successfully matched as you shown), labels would still be
> announced to adjacent LDP peers.
>
> Don't know if this could be your case; I did have to make use
> out of it to verify label filtering working on a 12.2SR while
> trying to minimize exposure of our labels in an "Inter-AS" L2
> MPLS VPN scenario.
>
> no mpls ldp advertise-labels
> mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> [ ... ]
> mpls label protocol ldp
> !
> interface Loopback0
>  ip address 192.168.100.4 255.255.255.255
> !
> ip access-list standard LDP-DEST
>  permit 192.168.100.4
> ip access-list standard LDP-PEER
>  permit 192.168.100.1
> !
>
> Cheers,
> Paolo
>
> On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> > Hello,
> > I am trying to filter LDP label bindings to only advertise my loopback
> > address (for vpnv4 traffic) but I am unsure as to what the requirements
> > are.
> > Here is what I have:
> >
> > PE1#show ip route connected | in ^C
> > C    1.1.1.0 is directly connected, Serial1/0
> > C    10.0.0.1 is directly connected, Loopback0
> > C    150.0.0.0 is directly connected, FastEthernet0/1
> >
> > PE1#sh run | in tag
> > no tag-switching advertise-tags
> > tag-switching advertise-tags for ldp-filter
> >
> > PE1#show access-lists ldp-filter
> > Standard IP access list ldp-filter
> >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> >     999 deny   any (7 matches)
> >
> > matches?
> >
> > but still generates a binding for all my connected interfaces:
> >
> > PE1#show mpls ldp bindings 150.0.0.0 24
> >   tib entry: 150.0.0.0/24, rev 2
> >         local binding:  tag: imp-null
> >         remote binding: tsr: 25.25.25.25:0, tag: 18
> > PE1#
> >
> > And the other side tags it with a label:
> >
> > PE2#traceroute 150.0.0.1
> >
> > Type escape sequence to abort.
> > Tracing the route to 150.0.0.1
> >
> >   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> >   2 1.1.1.1 24 msec 52 msec *
> >
> > TIA,
> >
> > --
> > Sergio Danelli
>
> --
> Sergio Danelli

From paul.cosgrove at heanet.ie Mon Aug 11 11:55:09 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 16:55:09 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <48A050F4.8000807@hu.digi.tv>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com> <48A050F4.8000807@hu.digi.tv>
Message-ID: <48A060DD.1000004@heanet.ie>

Hi Antal,

Is that a workaround for a specific bug? Usually the IP MTU defaults to
the MTU. You can check them with "show int" vs "show ip int".

If the TCP session is between directly connected IPs, a TCP MSS equal to
40 bytes less than the IP MTU is used. In other cases (e.g. peerings
between loopbacks) an MSS of 536 bytes is used unless PMTUD is enabled and
can determine a higher value.

Paul.
Antal Gergely wrote:
> Jay Nakamura wrote:
>
>> Datagrams (max data segment is 536 bytes):
>
> put an "ip mtu 1500" on the WAN interface.
> it's not the same as "mtu xxxx"

From saku+cisco-nsp at ytti.fi Mon Aug 11 12:16:09 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 11 Aug 2008 19:16:09 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <48A014B8.4010807@cisco.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net> <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com> <20080811090358.GA30568@mx.ytti.net> <48A014B8.4010807@cisco.com>
Message-ID: <20080811161609.GB792@mx.ytti.net>

On (2008-08-11 20:30 +1000), Lincoln Dale wrote:

> you could potentially do it using CoPP policy with a CoPP policy for the
> address(es) you wish, 0bps configured for other rates.

OP was about doing it w/o ACL; CoPP would violate that rule.

> if it's just telnet, then certainly an access-class on the vty would work
> too, albeit that would be s/w enforced not h/w enforced.

--
  ++ytti

From sdanelli at gmail.com Mon Aug 11 13:24:26 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Mon, 11 Aug 2008 11:24:26 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
Message-ID:

Oli,

from a neighbor a hop away:

PE2#show mpls ldp bindings 10.0.0.1 32
  tib entry: 10.0.0.1/32, rev 10
        local binding:  tag: 17
        remote binding: tsr: 25.25.25.25:0, tag: 20
PE2#

prefix I want to filter:

PE2#show mpls forwarding-table 150.0.0.1
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
19     18          150.0.0.0/24      0          Se1/0      point2point

thanks,

On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Sergio,
>
> your config looks fine, so I don't know what's happening. Can you show a
> "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s) or a "show
> mpls forwarding interface " where is the neighbor's interface
> to PE1?
> No need to specify a "to " to select which neighbors you want to
> advertise this to in your case.
>
>         oli
--
Sergio

From aj at sneep.net Mon Aug 11 13:27:36 2008
From: aj at sneep.net (Alastair Johnson)
Date: Tue, 12 Aug 2008 01:27:36 +0800
Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com>
References: <48A01AB3.3000503@sneep.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com>
Message-ID: <48A07688.3060602@sneep.net>

Oliver Boehmer (oboehmer) wrote:
> Alastair Johnson <> wrote on Monday, August 11, 2008 12:56 PM:
>
>> e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should
>> be metric = 5.
>>
>> If one 10GE link disappears from the bundle, do I have metric = 10?
>
> yes, the bandwidth on the port-channel interface is based on the number
> of active links, and OSPF's cost will adjust automatically.
>
>         oli

Thank you for your answer Oli - that is very helpful!

regards,
aj

From sdanelli at gmail.com Mon Aug 11 13:29:57 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Mon, 11 Aug 2008 11:29:57 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
Message-ID:

This may be of some value:

PE1#show mpls ldp bindings advertisement-acls
Advertisement spec:
        Prefix acl = 1
  tib entry: 1.1.1.0/30, rev 26
  tib entry: 1.1.1.4/30, rev 27
  tib entry: 10.0.0.1/32, rev 33
        Advert acl(s): Prefix acl 1
  tib entry: 10.0.0.2/32, rev 34
        Advert acl(s): Prefix acl 1
  tib entry: 25.25.25.25/32, rev 30
  tib entry: 150.0.0.0/24, rev 31
  tib entry: 160.0.0.0/24, rev 32

It appears that the ACL catches the right prefixes.
On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Sergio,
>
> your config looks fine, so I don't know what's happening. Can you show a
> "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s) or a "show
> mpls forwarding interface " where is the neighbor's interface
> to PE1?
> No need to specify a "to " to select which neighbors you want to
> advertise this to in your case.
>
>         oli
--
Sergio Danelli
JNCIE #170

From rolf-web at internet.ao Mon Aug 11 14:25:08 2008
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Mon, 11 Aug 2008 19:25:08 +0100
Subject: [c-nsp] Excessive AMDP2_FE-3-UNDERFLO
In-Reply-To: <4899A2A2.4080108@fnbs.net>
References: <4899A2A2.4080108@fnbs.net>
Message-ID: <200808111925.09196.rolf-web@internet.ao>

Hi Nimal,

Check your processor/memory utilisation & check that all traffic is being
CEF switched:

sh proc cpu
sh proc cpu history
sh mem
sh switching

If traffic is being CEF switched and your CPU is running very high, you may
consider upgrading your NPE - btw. what NPE do you have in that router?

cheers
/rolf

On Wednesday 06 August 2008 14:09:54 Nimal David Sirimanne wrote:
> Hi guys,
>
> Need some advice.
>
> One of the interfaces on my border routers is consistently getting
> AMDP2_FE-3-UNDERFLO messages during its peak usage (9am-5pm) hours. The
> interface FastEthernet2/0 is seeing approx 40Mbps out and 15 Mbps in.
>
> The explanation for this error on the Cisco website is:
>
> ------------
> Explanation While transmitting a frame, the controller chip's local
> buffer received insufficient data because data could not be transferred
> to the chip fast enough to keep pace with its output rate. Normally,
> such a problem is temporary, depending on transient peak loads within
> the system.
>
> Recommended Action The system should recover. No action is required.
> ------------
>
> I need some convincing of that. Of late, I've received a few reports of
> packet loss to my network, and am not sure if this transmit error has
> anything to do with it. Any help is much appreciated! FYI, the router in
> question is a Cisco 7206VXR. The interface is 100Mbps capable.
From sami.joseph at gmail.com Mon Aug 11 16:37:22 2008
From: sami.joseph at gmail.com (Sami Joseph)
Date: Mon, 11 Aug 2008 23:37:22 +0300
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To:
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk>
Message-ID: <9da37ec40808111337w224abd0bwa890f904864906fc@mail.gmail.com>

I've worked with different vendors' "TAC"/Support and it would be fair to
admit that there is a world of difference between the support I get from
Cisco and other vendors.
Within TAC information is openly shared and comes in quickly whether it's a
bug or else, while with others, I will have to wait till they check with
everyone including the account managers before coming back to me with news
that I have a bug.

Yet sometimes there are some TAC engineers that prefer to walk the easy
path and RMA the hardware, but that rarely happens on Severity 1/2 cases,
and I can change how the case is going if my tone changes.

I can't resist the urge to say their names, so please go ahead and try
Huawei or Alcatel-Lucent support and you'll be sending roses to TAC after
each case.

My final note: everyone receives a survey after each case and trust me,
your comments shall improve their service, as I have had an incident where
my bad survey turned things around, so I know that those surveys are read
and acted upon.

~Joost

On Mon, Aug 11, 2008 at 6:35 PM, Hank Nussbacher wrote:

> On Mon, 11 Aug 2008, Phil Mayers wrote:
>
>> Bård Dahlmo wrote:
>>> On Thu, 7 Aug 2008, Phil Mayers wrote:
>>>
>>>> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
>>>> Considering the release notes claim fixes in that very area, this is
>>>> highly amusing (note: issue may not actually be amusing)
>>>
>>> CSCsr86489
>>>
>>
>> Nice. TAC case has been open 4 days now, and I've had no reply.
>
> I have found cisco-nsp far more useful than TAC. Only 1 out of every 3 TAC
> cases do I get value for my money. Otherwise it is either "not my job,
> man", or "working as designed", etc.
>
> -Hank

From jloiacon at csc.com  Mon Aug 11 17:08:23 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon, 11 Aug 2008 17:08:23 -0400
Subject: [c-nsp] Good 10GE Metro switch

We have a requirement for about 2+ GE between two metro locations. I'm looking at the 3750-E with 2 X2 10GE uplink ports. I would use the 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance is about at the 40 km limit - but that's another question. Want to do BGP with a limited set of users at the remote location.

Assuming the distance is OK, does this switch make sense? Recommend another?

Thanks,

Joe

PS - Should I worry (a lot) about being at or slightly above the 40 km distance?

From alex.burba at gmail.com  Mon Aug 11 17:35:14 2008
From: alex.burba at gmail.com (Alex Burba)
Date: Tue, 12 Aug 2008 01:35:14 +0400
Subject: [c-nsp] Good 10GE Metro switch
Message-ID: <5a2c0b9f0808111435t41d5c4c4yb4371ccdc4ba712a@mail.gmail.com>

It will do fine until you try to upload a full view or serve more than 10-15 downlinks, I suppose.

2008/8/12 Joe Loiacono
> We have a requirement for about 2+ GE between two metro locations. I'm
> looking at the 3750-E with 2 X2 10GE uplink ports. I would use the
> 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance
> is about at the 40 km limit - but that's another question. Want to do BGP
> with a limited set of users at the remote location.
>
> Assuming the distance is OK, does this switch make sense? Recommend
> another?
>
> Thanks,
>
> Joe
>
> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?
From chris at k7sle.com  Mon Aug 11 18:01:24 2008
From: chris at k7sle.com (Chris Gauthier)
Date: Mon, 11 Aug 2008 15:01:24 -0700 (PDT)
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To: <5a2c0b9f0808111435t41d5c4c4yb4371ccdc4ba712a@mail.gmail.com>
Message-ID: <3423466.81218492080258.JavaMail.SYSTEM@DAT004919>

If this is just a satellite location, I would try to avoid BGP unless absolutely necessary. Maybe OSPF can meet your needs for this, and then you can inject routes as needed.

Chris

----- Original Message -----
From: "Alex Burba"
To: "Joe Loiacono"
Cc: cisco-nsp at puck.nether.net
Sent: Monday, August 11, 2008 2:35:14 PM GMT -08:00 US/Canada Pacific
Subject: Re: [c-nsp] Good 10GE Metro switch

It will do fine until you try to upload a full view or serve more than 10-15 downlinks, I suppose.

2008/8/12 Joe Loiacono
> We have a requirement for about 2+ GE between two metro locations. I'm
> looking at the 3750-E with 2 X2 10GE uplink ports. I would use the
> 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance
> is about at the 40 km limit - but that's another question. Want to do BGP
> with a limited set of users at the remote location.
>
> Assuming the distance is OK, does this switch make sense? Recommend
> another?
>
> Thanks,
>
> Joe
>
> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?
From streiner at cluebyfour.org  Mon Aug 11 18:17:49 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 11 Aug 2008 18:17:49 -0400 (EDT)
Subject: [c-nsp] Good 10GE Metro switch

On Mon, 11 Aug 2008, Joe Loiacono wrote:

> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?

That depends on the test results on your fiber span. If the fiber is clean, of high quality, and well-spliced, then there could be a little 'slop' in the loss budget. At that distance, dispersion may be more of a concern than attenuation. It all depends on what the test results look like.

You'll want to see at least the 2-point loss test results at 1550 nm through your fiber span from an OTDR. If the splices are good, you shouldn't see too much of a reflectivity spike at the splice points, but you will see reflections from any physical cross-connects or jumpers that are in the span.

With the 10GBASE-ER, your minimum transmit power is -4.7 dBm and your minimum receive power is -15.8 dBm.

Cisco's datasheet for the X2 modules may be found here:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6574/product_data_sheet0900aecd801f92aa.html

jms

From cchurc05 at harris.com  Mon Aug 11 23:41:49 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 11 Aug 2008 22:41:49 -0500
Subject: [c-nsp] MD5 checksums for IOS images

Anyone,

Is there a central place to find MD5 hashes for IOS images, other than going through the process of getting to the point of almost downloading each image?
We're thinking about implementing processes to verify image integrity; we have about 40 or so different images we use currently on all our various gear.

Thanks,

Chuck

From tianys at gmail.com  Tue Aug 12 02:28:52 2008
From: tianys at gmail.com (田云生)
Date: Tue, 12 Aug 2008 14:28:52 +0800
Subject: [c-nsp] a multicast problem
Message-ID: <615772ed0808112328l5050e282m3d85afaf2ac61637@mail.gmail.com>

Dear.

In my network, usersA cannot see the multicast application smoothly at work time, but at rest time it's smooth. UsersB can see the multicast application smoothly any time. What's the possible cause? Please help me, thanks!

    Source(vlan10)
         |
         |
        SWA--------------
         |              |
         |              |
       6513A====6513B------\
         |              |
         |              |
    usersA(problem)  usersB(No problem)
       vlan 12          vlan 12

6513B is the RP.
The 6513 is running PIM v2 (sparse mode) in vlan 12. 6513B is DR and Forwarder.

From zivl at gilat.net  Tue Aug 12 02:31:55 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 12 Aug 2008 09:31:55 +0300
Subject: [c-nsp] MD5 checksums for IOS images

Taken from here:
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

"For those customers whose www.cisco.com account does not provide access to the Cisco IOS Upgrade Planner tool and hence cannot obtain the Cisco calculated, known-good MD5 hash value for a given Cisco IOS software image, or for those customers that would prefer to automate the process of validating MD5 hashes using their own tools, Cisco is making available a compressed file including the Cisco IOS software image name and known-good MD5 hash for all 12.0-based, 12.1-based, 12.2-based, 12.3-based and 12.4-based Cisco IOS software releases. This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains a second compressed file (a set of data files and a document explaining the file format) and a detached PGP signature for the second compressed file.
The file has been signed by the current Cisco PSIRT PGP key. Information on how to obtain the current Cisco PSIRT PGP key can be found in the document entitled "Cisco Security Vulnerability Policy", available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. We recommend customers to uncompress the file and verify the signature for the second file before using the data files for any verification purposes."

Hope this helps,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Tuesday, August 12, 2008 6:42 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MD5 checksums for IOS images

Anyone,

Is there a central place to find MD5 hashes for IOS images, other than going through the process of getting to the point of almost downloading each image? We're thinking about implementing processes to verify image integrity; we have about 40 or so different images we use currently on all our various gear.

Thanks,

Chuck
From oboehmer at cisco.com  Tue Aug 12 02:37:20 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 12 Aug 2008 08:37:20 +0200
Subject: [c-nsp] filter LDP bindings
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>

Sergio,

is PE2 really adjacent to PE1? I don't think it is; there must be some LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop label", as those networks are directly connected on PE1), not 18 or 20, as you've indicated below. I would assume it is 25.25.25.25, as this LDP neighbor sends advertisements to both PE1 and PE2.

As every speaker allocates labels independently, you need to filter the LDP advertisements on *all* LDP speakers.

oli

Sergio D. wrote on Monday, August 11, 2008 7:24 PM:

> Oli,
> from a neighbor a hop away:
>
> PE2#show mpls ldp bindings 10.0.0.1 32
>   tib entry: 10.0.0.1/32, rev 10
>         local binding:  tag: 17
>         remote binding: tsr: 25.25.25.25:0, tag: 20
> PE2#
>
> prefix I want to filter:
>
> PE2#show mpls forwarding-table 150.0.0.1
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 19     18          150.0.0.0/24      0          Se1/0      point2point
>
> thanks,
>
>
> On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) wrote:
>
>> Sergio,
>>
>> your config looks fine, so I don't know what's happening. Can you
>> show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
>> or a "show mpls forwarding interface " where is the
>> neighbor's interface to PE1?
>> No need to specify a "to " to select which neighbors you want to
>> advertise this to in your case.
>>
>> oli
>>
>> Sergio D. wrote on Monday, August 11, 2008 4:52 PM:
>>
>>> thanks for the response.
>>> I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no
>>> tag-switching advertise-tags" which I already have.
>>> Oliver,
>>> thanks for clearing up the assignment of the label, I guess that's
>>> fine as long as it doesn't get advertised, which is what I am trying
>>> to avoid. I did try it without the deny at the end, and the result
>>> was the same.
>>> Do I need an access-list listing my peers and apply that?
>>>
>>> TIA
>>>
>>> On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente wrote:
>>>
>>>> Hi Sergio,
>>>>
>>>> to add to what Oliver said, you maybe want to make sure
>>>> you have in the configuration a "no mpls ldp advertise-labels"
>>>> line. Without that, even if you configure a filter (which is
>>>> successfully matched as you showed), labels would still be
>>>> announced to adjacent LDP peers.
>>>>
>>>> Don't know if this could be your case; I did have to make use
>>>> of it to verify label filtering working on a 12.2SR while
>>>> trying to minimize exposure of our labels in an "Inter-AS" L2
>>>> MPLS VPN scenario.
>>>>
>>>> no mpls ldp advertise-labels
>>>> mpls ldp advertise-labels for LDP-DEST to LDP-PEER
>>>> [ ... ]
>>>> mpls label protocol ldp
>>>> !
>>>> interface Loopback0
>>>>  ip address 192.168.100.4 255.255.255.255
>>>> !
>>>> ip access-list standard LDP-DEST
>>>>  permit 192.168.100.4
>>>> ip access-list standard LDP-PEER
>>>>  permit 192.168.100.1
>>>> !
>>>>
>>>> Cheers,
>>>> Paolo
>>>>
>>>> On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
>>>>> Hello,
>>>>> I am trying to filter LDP label bindings to only advertise my
>>>>> loopback address (for vpnv4 traffic) but I am unsure as
>>>>> to what the requirements are.
>>>>> Here is what I have:
>>>>>
>>>>> PE1#show ip route connected | in ^C
>>>>> C       1.1.1.0 is directly connected, Serial1/0
>>>>> C       10.0.0.1 is directly connected, Loopback0
>>>>> C       150.0.0.0 is directly connected, FastEthernet0/1
>>>>>
>>>>> PE1#sh run | in tag
>>>>> no tag-switching advertise-tags
>>>>> tag-switching advertise-tags for ldp-filter
>>>>>
>>>>> PE1#show access-lists ldp-filter
>>>>> Standard IP access list ldp-filter
>>>>>     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
>>>>>     999 deny   any (7 matches)
>>>>>
>>>>> matches?
>>>>>
>>>>> but still generates a binding for all my connected interfaces:
>>>>>
>>>>> PE1#show mpls ldp bindings 150.0.0.0 24
>>>>>   tib entry: 150.0.0.0/24, rev 2
>>>>>         local binding:  tag: imp-null
>>>>>         remote binding: tsr: 25.25.25.25:0, tag: 18
>>>>> PE1#
>>>>>
>>>>> And the other side tags it with a label:
>>>>>
>>>>> PE2#traceroute 150.0.0.1
>>>>>
>>>>> Type escape sequence to abort.
>>>>> Tracing the route to 150.0.0.1
>>>>>
>>>>>   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
>>>>>   2 1.1.1.1 24 msec 52 msec *
>>>>>
>>>>> TIA,
>>>>>
>>>>> --
>>>>> Sergio Danelli
>>>
>>> --
>>> Sergio Danelli
>
> --
> Sergio

From p.mayers at imperial.ac.uk  Tue Aug 12 04:49:31 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Aug 2008 09:49:31 +0100
Subject: [c-nsp] MD5 checksums for IOS images
Message-ID: <20080812084931.GA11763@wildfire.net.ic.ac.uk>

>> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones.

That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
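The verification process Cisco's advisory describes (check the detached PGP signature on the data file, then compare each local image's MD5 against the known-good list), as an added Python example for the kind of tooling Chuck asked about; this is not code from the thread or from Cisco. The data-file format used here (one "md5  image-name" pair per line), the gpg invocation, and the image names in the demo are assumptions; the real format is documented inside Cisco's zip, so parse_known_good() would be adapted to it.

```python
"""Verify local IOS images against a known-good MD5 list.

Added example (not from the thread or from Cisco). The list format used
here, one "<32-hex-md5>  <image filename>" pair per line (the md5sum
convention), is an assumption; Cisco's zip ships its own format document.
"""
import hashlib
import os
import subprocess
import tempfile


def parse_known_good(text):
    """Parse '<md5>  <image filename>' lines into {filename: md5}.

    Blank lines and '#' comments are skipped; a malformed line raises, so a
    corrupted or mis-formatted list is never silently accepted.
    """
    known = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed line %d: %r" % (lineno, line))
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        known[name] = digest.lower()
    return known


def md5_of_file(path):
    """Stream the file through MD5 (IOS images run to tens of MB)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_signature(data_file, sig_file):
    """Check the detached PGP signature with gpg before trusting the list.

    Assumes the Cisco PSIRT key has already been imported into the local
    keyring (see the advisory quoted above). True only if gpg exits 0.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--verify", sig_file, data_file],
        capture_output=True,
    )
    return result.returncode == 0


def verify_images(image_paths, known):
    """Return {basename: 'ok' | 'MISMATCH' | 'unknown'} for each image.

    'unknown' means the list has no entry for that image name (e.g. the
    very recent images Phil noted are missing); that is not a verified
    match and should be reviewed separately rather than treated as ok.
    """
    results = {}
    for path in image_paths:
        name = os.path.basename(path)
        expected = known.get(name)
        if expected is None:
            results[name] = "unknown"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: one good image, one tampered, one not listed."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "c2960-lanbasek9-mz.bin")  # constructed names
    bad = os.path.join(tmp, "c3750-ipbasek9-mz.bin")
    new = os.path.join(tmp, "c3750e-universalk9-mz.bin")
    with open(good, "wb") as f:
        f.write(b"good image bytes")
    with open(bad, "wb") as f:
        f.write(b"tampered image bytes")
    with open(new, "wb") as f:
        f.write(b"unlisted image")
    # Known-good list built from the untampered contents of both images.
    listing = "%s  %s\n%s  %s\n" % (
        hashlib.md5(b"good image bytes").hexdigest(), os.path.basename(good),
        hashlib.md5(b"original image bytes").hexdigest(), os.path.basename(bad),
    )
    return verify_images([good, bad, new], parse_known_good(listing))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

In real use, call verify_signature() on the extracted data file and its .sig first and refuse to proceed unless it returns True; only then feed the data file to parse_known_good().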
From carlo.ngn at gmail.com  Tue Aug 12 07:10:39 2008
From: carlo.ngn at gmail.com (Carlo Maggiolini)
Date: Tue, 12 Aug 2008 13:10:39 +0200
Subject: [c-nsp] Ios slb and voip gateway

Hi all,

we've a 6506 that is configured to do slb for a farm of some sip servers. My goal is to balance the traffic generated from our cisco voip gateway that sends traffic to the virtual-ip of the farm. My problem is that the udp packets that are generated by the gateway are always sent from the same signalling port (5060). The slb creates a "connection" between the gateway ip/port and only one real server.

Any suggestion or idea?

Thanks
Carlo

From adrian.minta at gmail.com  Tue Aug 12 07:28:02 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 14:28:02 +0300
Subject: [c-nsp] ME6500
Message-ID: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>

Hello,

I have a cisco ME-C6524GT-8S with software s6523-advipservicesk9-mz.122-18.ZU2 and I don't know how to do some basic things like:

How to clear an arp entry
"clear ip arp 10.10.10.10" doesn't work :(

How to display mac learned on a routed subinterface
"sh mac-address-table" doesn't display mac addresses for ports like Gi1/10.200

Is there a solution for this? A newer software version?

Thank you.

From rubensk at gmail.com  Tue Aug 12 07:41:26 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 12 Aug 2008 08:41:26 -0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>
Message-ID: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>

On Tue, Aug 12, 2008 at 8:28 AM, Adrian M wrote:
> Hello,
> I have a cisco ME-C6524GT-8S with software
> s6523-advipservicesk9-mz.122-18.ZU2 and I don't know how to do some
> basic things like:
>
> How to clear an arp entry
> "clear ip arp 10.10.10.10" doesn't work :(

On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I haven't tried it on ME6524. "clear arp interface ", where is the interface where the arp entry is located, probably won't be that hard, unless you have thousands of entries on that routed or SVI interface.

> How to display mac learned on a routed subinterface
> "sh mac-address-table" doesn't display mac addresses for ports like Gi1/10.200

I don't think routed subinterfaces have a mac-address-table, by definition... ping (use both all-zeros and all-ones broadcasts) followed by "show ip arp gi1/10.200" will likely show whoever is attached to that interface (even for hosts that don't answer ping, because it's not common to filter out arp requests/responses in host firewalls these days).

Rubens

From jared at puck.nether.net  Tue Aug 12 07:49:12 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 12 Aug 2008 07:49:12 -0400
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <48A05D3E.7020209@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> <48A05D3E.7020209@imperial.ac.uk>
Message-ID: <20080812114912.GE61894@puck.nether.net>

On Mon, Aug 11, 2008 at 04:39:42PM +0100, Phil Mayers wrote:
> Hank Nussbacher wrote:
>> On Mon, 11 Aug 2008, Phil Mayers wrote:
>>
>>> Bård Dahlmo wrote:
>>>> On Thu, 7 Aug 2008, Phil Mayers wrote:
>>>>
>>>>> Just a warning, there is a fatal crash bug in SXH3 related to
>>>>> using SCP.
>>>>> Considering the release notes claim fixes in that very
>>>>> area, this is highly amusing (note: issue may not actually be
>>>>> amusing)
>>>>
>>>> CSCsr86489
>>>>
>>>
>>> Nice. TAC case has been open 4 days now, and I've had no reply.
>>
>> I have found cisco-nsp far more useful than TAC. Only 1 out of every 3
>> TAC cases do I get value for my money. Otherwise it is either "not my
>> job, man", or "working as designed", etc.
>
> They've not been quite that bad with me.
>
> Typically I get the response: """This is CSCsuch-and-such it'll be fixed
> in the next release""". This normally happens quite quickly.

You can have them put the case in a state called SW-RELEASE-PEND. This will indicate that your issue is not resolved as the software is not available for you to run. Keep it open for a few months; perhaps if TAC has enough open cases in this state, they'll actually ask release ops to build something.

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From adrian.minta at gmail.com  Tue Aug 12 07:53:24 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 14:53:24 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
Message-ID: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>

> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
> haven't tried it on ME6524. "clear arp interface ", where is the
> interface where the arp entry is located, probably won't be that
> hard, unless you have thousands of entries on that routed or SVI
> interface.

"no arp a.b.c.d" doesn't work :(
"clear arp x.x.x.x" doesn't exist either.
"clear arp-cache interface GigabitEthernet 1/10" is not clearing arp entries from GigabitEthernet1/10.215

>> How to display mac learned on a routed subinterface
>> "sh mac-address-table" doesn't display mac addresses for ports like Gi1/10.200
>
> I don't think routed subinterfaces have a mac-address-table, by
> definition... ping (use both
> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
> will likely show whoever is attached to that interface (even for hosts
> that don't answer ping, because it's not common to filter out arp
> requests/responses in host firewalls these days).
>
> Rubens

Ok! But the box is still a switch. It uses internal vlans.

From thegameiam at yahoo.com  Tue Aug 12 06:55:29 2008
From: thegameiam at yahoo.com (David Barak)
Date: Tue, 12 Aug 2008 03:55:29 -0700 (PDT)
Subject: [c-nsp] a multicast problem
In-Reply-To: <615772ed0808112328l5050e282m3d85afaf2ac61637@mail.gmail.com>
Message-ID: <260860.57769.qm@web31810.mail.mud.yahoo.com>

Have you taken a look at this Cisco notice:
http://www.cisco.com/application/pdf/paws/68131/cat_multicast_prob.pdf
and mitigated the IGMP snooping problem?

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

--- On Tue, 8/12/08, 田云生 wrote:

> From: 田云生
> Subject: [c-nsp] a multicast problem
> To: cisco-nsp at puck.nether.net
> Date: Tuesday, August 12, 2008, 2:28 AM
> Dear.
>
> In my network, usersA cannot see the multicast application smoothly
> at work time, but at rest time it's smooth. UsersB can see the
> multicast application smoothly any time. What's the possible cause?
> Please help me, thanks!
>
>     Source(vlan10)
>          |
>          |
>         SWA--------------
>          |              |
>          |              |
>        6513A====6513B------\
>          |              |
>          |              |
>     usersA(problem)  usersB(No problem)
>        vlan 12          vlan 12
>
> 6513B is the RP.
> The 6513 is running PIM v2 (sparse mode)
> in vlan 12. 6513B is DR and Forwarder.
From rubensk at gmail.com  Tue Aug 12 07:57:14 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 12 Aug 2008 08:57:14 -0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
Message-ID: <6bb5f5b10808120457h68f2c9a8m5c0bbc9aa7c97e5a@mail.gmail.com>

On Tue, Aug 12, 2008 at 8:53 AM, Adrian M wrote:
>> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
>> haven't tried it on ME6524. "clear arp interface ", where is the
>> interface where the arp entry is located, probably won't be that
>> hard, unless you have thousands of entries on that routed or SVI
>> interface.
>
> "no arp a.b.c.d" doesn't work :(
> "clear arp x.x.x.x" doesn't exist either.
> "clear arp-cache interface GigabitEthernet 1/10" is not clearing arp
> entries from GigabitEthernet1/10.215

clear arp interface GigabitEthernet1/10.215, perhaps?

>>> How to display mac learned on a routed subinterface
>>> "sh mac-address-table" doesn't display mac addresses for ports like Gi1/10.200
>>
>> I don't think routed subinterfaces have a mac-address-table, by
>> definition... ping (use both
>> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
>> will likely show whoever is attached to that interface (even for hosts
>> that don't answer ping, because it's not common to filter out arp
>> requests/responses in host firewalls these days).
>
> Ok! But the box is still a switch. It uses internal vlans.

And still one can disable mac-learning on any vlan, whether it has an SVI or not.
Rubens

From gert at greenie.muc.de  Tue Aug 12 08:17:06 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 12 Aug 2008 14:17:06 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080812114912.GE61894@puck.nether.net>
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> <48A05D3E.7020209@imperial.ac.uk> <20080812114912.GE61894@puck.nether.net>
Message-ID: <20080812121706.GQ288@greenie.muc.de>

Hi,

On Tue, Aug 12, 2008 at 07:49:12AM -0400, Jared Mauch wrote:
> You can have them put the case in a state called
> SW-RELEASE-PEND.

Yeah, hooray. One of my cases has been in that state for over a year :(

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From achatz at forthnet.gr  Tue Aug 12 08:42:24 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 12 Aug 2008 15:42:24 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
Message-ID: <48A18530.4070101@forthnet.gr>

"clear arp-cache x.x.x.x" should work. Just keep in mind that after doing this, the local router will send an arp request to this mac. If it's still active, a reply is sent back and the local arp table will be filled again (you can check the "Age" counter).

--
Tassos

Adrian M wrote on 12/8/2008 2:53 μμ:
>> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
>> haven't tried it on ME6524.
>> "clear arp interface ", where is the
>> interface where the arp entry is located, probably won't be that
>> hard, unless you have thousands of entries on that routed or SVI
>> interface.
>
> "no arp a.b.c.d" doesn't work :(
> "clear arp x.x.x.x" doesn't exist either.
> "clear arp-cache interface GigabitEthernet 1/10" is not clearing arp
> entries from GigabitEthernet1/10.215
>
>>> How to display mac learned on a routed subinterface
>>> "sh mac-address-table" doesn't display mac addresses for ports like Gi1/10.200
>> I don't think routed subinterfaces have a mac-address-table, by
>> definition... ping (use both
>> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
>> will likely show whoever is attached to that interface (even for hosts
>> that don't answer ping, because it's not common to filter out arp
>> requests/responses in host firewalls these days).
>>
>> Rubens
>
> Ok! But the box is still a switch. It uses internal vlans.

From adrian.minta at gmail.com  Tue Aug 12 08:49:53 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 15:49:53 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <48A18530.4070101@forthnet.gr>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr>
Message-ID: <14e72ec90808120549l37da32f8j93a8e7acf42ebd45@mail.gmail.com>

2008/8/12 Tassos Chatzithomaoglou:
> "clear arp-cache x.x.x.x" should work. Just keep in mind that after doing
> this, the local router will send an arp request to this mac. If it's still
> active, a reply is sent back and the local arp table will be filled again
> (you can check the "Age" counter).

switch#clear arp-cache ?
  interface  Clear the entire ARP cache on the interface

switch#clear arp-cache interface gigabitEthernet 1/10.215
                                                     ^
% Invalid input detected at '^' marker.

Only "clear arp-cache interface gigabitEthernet 1/10" works, but it doesn't clear anything :(

From zivl at gilat.net  Tue Aug 12 08:52:06 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 12 Aug 2008 15:52:06 +0300
Subject: [c-nsp] MD5 checksums for IOS images
In-Reply-To: <20080812084931.GA11763@wildfire.net.ic.ac.uk>
References: <20080812084931.GA11763@wildfire.net.ic.ac.uk>

Yeah, you're right... According to the name, it seems like the file is dated 2008 May 16th, but I didn't find a way to see a list of files so I can decide which one is the last updated one...

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, August 12, 2008 11:50 AM
To: Ziv Leyes
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MD5 checksums for IOS images

>> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones.

That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
From justin at justinshore.com  Tue Aug 12 09:15:13 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 12 Aug 2008 08:15:13 -0500
Subject: [c-nsp] ME6500
In-Reply-To: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
Message-ID: <48A18CE1.4050603@justinshore.com>

Rubens Kuhl Jr. wrote:
> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
> haven't tried it on ME6524. "clear arp interface ", where is the
> interface where the arp entry is located, probably won't be that
> hard, unless you have thousands of entries on that routed or SVI
> interface.

Ruben is correct. conf t; no arp is what works on the ZU code. I have another ME6524 running SXH and it uses clear ip arp like the other platforms.

Justin

From justin at justinshore.com  Tue Aug 12 09:17:17 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 12 Aug 2008 08:17:17 -0500
Subject: [c-nsp] ME6500
In-Reply-To: <48A18530.4070101@forthnet.gr>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr>
Message-ID: <48A18D5D.3030003@justinshore.com>

The argument for clear arp-cache is an interface or null.

6524-2.brd#clear arp-cache ?
  interface  Clear the entire ARP cache on the interface

Ruben was correct with 'no arp ' from global config mode on that platform with the ZU code.

Justin

Tassos Chatzithomaoglou wrote:
> "clear arp-cache x.x.x.x" should work. Just keep in mind that after
> doing this, the local router will send an arp request to this mac. If
> it's still active, a reply is sent back and the local arp table will be
> filled again (you can check the "Age" counter).
>
> --
> Tassos

From cchurc05 at harris.com  Tue Aug 12 09:22:53 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 12 Aug 2008 08:22:53 -0500
Subject: [c-nsp] MD5 checksums for IOS images
References: <20080812084931.GA11763@wildfire.net.ic.ac.uk>

Thanks guys.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, August 12, 2008 8:52 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net; Church, Charles
Subject: Re: [c-nsp] MD5 checksums for IOS images

Yeah, you're right... According to the name, it seems like the file is dated 2008 May 16th, but I didn't find a way to see a list of files so I can decide which one is the last updated one...

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, August 12, 2008 11:50 AM
To: Ziv Leyes
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MD5 checksums for IOS images

>> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones.

That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From achatz at forthnet.gr Tue Aug 12 09:29:44 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 12 Aug 2008 16:29:44 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <48A18D5D.3030003@justinshore.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com>
Message-ID: <48A19048.9000508@forthnet.gr>

Justin, "no arp" in config mode should work for static entries only.

--
Tassos

Justin Shore wrote on 12/8/2008 4:17 PM:
> The argument for clear arp-cache is an interface or null.
>
> 6524-2.brd#clear arp-cache ?
>   interface  Clear the entire ARP cache on the interface
>
> Ruben was correct with 'no arp <address>' from global config mode on that
> platform with the ZU code.
>
> Justin
>
> Tassos Chatzithomaoglou wrote:
>> "clear arp-cache x.x.x.x" should work. Just keep in mind that after
>> doing this, the local router will send an arp request to this mac.
>> If it's still active, a reply is sent back and the local arp table will
>> be filled again (you can check the "Age" counter).
>>
>> --
>> Tassos
>

From sdanelli at gmail.com Tue Aug 12 10:39:01 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Tue, 12 Aug 2008 08:39:01 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
Message-ID: 

Yes there is a "P" router in the middle. Why would the middle router be
getting a binding if I am filtering from the source?

On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> Sergio,
>
> is PE2 really adjacent to PE1? I don't think it is, there must be some
> LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing
> label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop
> label" as those networks are directly connected on PE1), not 18 or 20,
> as you've indicated below.
> I would assume it is 25.25.25.25, as this LDP neighbor sends
> advertisements to both PE1 and PE2.
>
> As every speaker allocates labels independently, you need to filter the
> LDP advertisements on *all* LDP speakers.
>
> oli
>
> Sergio D.
> wrote on Monday, August 11, 2008 7:24 PM:
>
> > Oli,
> > from a neighbor a hop away:
> >
> > PE2#show mpls ldp bindings 10.0.0.1 32
> >   tib entry: 10.0.0.1/32, rev 10
> >         local binding:  tag: 17
> >         remote binding: tsr: 25.25.25.25:0, tag: 20
> > PE2#
> >
> > prefix I want to filter:
> >
> > PE2#show mpls forwarding-table 150.0.0.1
> > Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> > tag    tag or VC   or Tunnel Id      switched   interface
> > 19     18          150.0.0.0/24      0          Se1/0      point2point
> >
> > thanks,
> >
> > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) wrote:
> >
> > > Sergio,
> > >
> > > your config looks fine, so I don't know what's happening. Can you
> > > show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
> > > or a "show mpls forwarding interface <interface>" where <interface>
> > > is the neighbor's interface to PE1?
> > > No need to specify a "to <acl>" to select which neighbors you want to
> > > advertise this to in your case.
> > >
> > > oli
> > >
> > > Sergio D. wrote on Monday, August 11, 2008 4:52 PM:
> > >
> > > > thanks for the response.
> > > > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into
> > > > "no tag-switching advertise-tags" which I already have.
> > > > Oliver,
> > > > thanks for clearing up the assignment of the label, I guess that's
> > > > fine as long as it doesn't get advertised which is what I am trying
> > > > to avoid. I did try it without the deny at the end, and the result
> > > > was the same.
> > > > Do I need an access-list listing my peers and apply that?
> > > >
> > > > TIA
> > > >
> > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente <pl+list at pmacct.net> wrote:
> > > >
> > > > > Hi Sergio,
> > > > >
> > > > > to add to what Oliver said that you maybe want to make sure
> > > > > you have in the configuration a "no mpls ldp advertise-labels" line.
> > > > > Without that, even if you configure a filter (which is
> > > > > successfully matched as you shown), labels would still be
> > > > > announced to adjacent LDP peers.
> > > > >
> > > > > Don't know if this could be your case; i did have to make use
> > > > > out of it to verify label filtering working on a 12.2SR while
> > > > > trying to minimize exposure of our labels in an "Inter-AS" L2
> > > > > MPLS VPN scenario.
> > > > >
> > > > > no mpls ldp advertise-labels
> > > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> > > > > [ ... ]
> > > > > mpls label protocol ldp
> > > > > !
> > > > > interface Loopback0
> > > > >  ip address 192.168.100.4 255.255.255.255
> > > > > !
> > > > > ip access-list standard LDP-DEST
> > > > >  permit 192.168.100.4
> > > > > ip access-list standard LDP-PEER
> > > > >  permit 192.168.100.1
> > > > > !
> > > > >
> > > > > Cheers,
> > > > > Paolo
> > > > >
> > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> > > > > > Hello,
> > > > > > I am trying to filter LDP label bindings to only advertise my
> > > > > > loopback address (for vpnv4 traffic) but I am unsure as to what
> > > > > > the requirements are. Here is what I have:
> > > > > >
> > > > > > PE1#show ip route connected | in ^C
> > > > > > C    1.1.1.0 is directly connected, Serial1/0
> > > > > > C    10.0.0.1 is directly connected, Loopback0
> > > > > > C    150.0.0.0 is directly connected, FastEthernet0/1
> > > > > >
> > > > > > PE1#sh run | in tag
> > > > > > no tag-switching advertise-tags
> > > > > > tag-switching advertise-tags for ldp-filter
> > > > > >
> > > > > > PE1#show access-lists ldp-filter
> > > > > > Standard IP access list ldp-filter
> > > > > >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> > > > > >     999 deny   any (7 matches)
> > > > > >
> > > > > > matches?
> > > > > >
> > > > > > but still generates a binding for all my connected interfaces:
> > > > > >
> > > > > > PE1#show mpls ldp bindings 150.0.0.0 24
> > > > > >   tib entry: 150.0.0.0/24, rev 2
> > > > > >         local binding:  tag: imp-null
> > > > > >         remote binding: tsr: 25.25.25.25:0, tag: 18
> > > > > > PE1#
> > > > > >
> > > > > > And the other side tags it with a label:
> > > > > >
> > > > > > PE2#traceroute 150.0.0.1
> > > > > >
> > > > > > Type escape sequence to abort.
> > > > > > Tracing the route to 150.0.0.1
> > > > > >
> > > > > >   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> > > > > >   2 1.1.1.1 24 msec 52 msec *
> > > > > >
> > > > > > TIA,
> > > > > >
> > > > > > --
> > > > > > Sergio Danelli
> > > >
> > > > --
> > > > Sergio Danelli
> >
> > --
> > Sergio

--
Sergio

From oboehmer at cisco.com Tue Aug 12 10:54:14 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 12 Aug 2008 16:54:14 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To: 
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com>

because this is how LDP works in frame-based MPLS networks. Every LDP
speaker independently allocates and distributes labels, so the P node
also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no
matter if the upstream neighbor (PE1) sent one or not..

oli

Sergio D. wrote on Tuesday, August 12, 2008 4:39 PM:

> Yes there is a "P" router in the middle. Why would the middle router
> be getting a binding if I am filtering from the source?
>
> On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) wrote:
>
> > Sergio,
> >
> > is PE2 really adjacent to PE1? I don't think it is, there must be
> > some LDP speaker in the middle.
From kristian at spritelink.net Tue Aug 12 10:39:10 2008
From: kristian at spritelink.net (Kristian Larsson)
Date: Tue, 12 Aug 2008 16:39:10 +0200
Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design)
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1>
References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1>
Message-ID: <20080812143910.GA16628@spritelink.se>

On Fri, Jul 04, 2008 at 10:25:56AM -0400, Vinny Abello wrote:
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
> > Sent: Friday, July 04, 2008 1:42 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design)
> >
> > On Thu, 3 Jul 2008, Vinny Abello wrote:
> >
> > > While on this topic, if anyone has figured out a non-disruptive strategy
> > > to deploying IPv6 in a core with a mix of Cisco and Foundry routers
> > > running ISIS, any pointers would be appreciated.
> > > Foundry currently
> >
> > We had multitopology problems between platforms/vendors as well, we ended
> > up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for
> > IPv4/VPNv4), this gave us a completely different control plane for IPv6
> > and pretty much guaranteed to be non-intrusive to devices not running IPv6
> > or needing the information.
> >
> > Multitopology ISIS is a great idea and I would really like to run it, but
> > it just didn't work with our mix of platforms and vendors.
>
> Thanks Mikael. I hadn't considered running OSPFv3 for IPv6. I'll have to
> see if that is a viable possibility in our network. Did you run into any
> challenges in doing this such as administrative distances of the routing
> protocols and things defaulting to using IPv6 instead of IPv4 or other
> unexpected results? In theory if you're only doing the IPv6 address
> family, I wouldn't expect any problems, but firsthand experience is
> always better than theory. :)
>
> By the way, what other vendor's or vendors' equipment were you working
> with besides Cisco where you had the same ISIS multi-topology challenges?

Apologies for a tad late answer, don't read my nanog box too often...
I was the one implementing this, so thought I'd give you a few answers.

We run RedBack SmartEdge boxes with a variety of software, some supposedly
supporting IPv6, others do not at all. What happened with these boxes was
that they threw away ISIS LSPs which contained one or more v6 TLVs,
resulting in that any IPv4 information in that LSP was also thrown away.
From what I've heard this was the correct behaviour according to some
early ISIS standard, though I can not find any mentioning of it in the
current standards.

OSPFv3 is working very well. We are using basically the same metric system
as for ISIS IPv4 which makes administration quite easy.
I say basically for we have a few places where we use an ISIS metric of
more than 65k, and as OSPFv3 only supports 16-bit link metrics while ISIS
supports 24-bit this becomes a slight annoyance.

"things defaulting to using ipv6 instead of ipv4".. this sounds more of a
host-side symptom and not one dependent upon your choice of IGP.

I expect to migrate our network to MT ISIS after resolving all our issues
with RedBack. The higher administrative distance of ISIS allows us to
enable ISIS MT all over our network and run both OSPFv3 and ISIS MT for
IPv6 with no impact. We would have plenty of time to compare the ISIS
database with the OSPFv3 one to make sure everything looks good and then
we can simply shut down OSPFv3 and let ISIS take over.

If you want some more in-depth answers we can prolly take it off-list.

Kind regards,
   Kristian.

--
Kristian Larsson                               KLL-RIPE
Network Engineer / Internet Core
Tele2 / SWIPnet [AS1257]                       +46 704 910401
                                               kll at spritelink.net

From cgriffin at ufl.edu Tue Aug 12 11:32:42 2008
From: cgriffin at ufl.edu (Chris Griffin)
Date: Tue, 12 Aug 2008 11:32:42 -0400
Subject: [c-nsp] SRC2?
Message-ID: <1218555162.2004.15.camel@empacher.cns.ufl.edu>

Anyone know when 12.2(33)SRC2 is supposed to be released, specifically
for the 7600. I had heard by the end of July, but so far no release.

Thanks

--
Chris Griffin                                 cgriffin at ufl.edu
Sr. Network Engineer - CCNP                   Phone: (352) 273-1051
CNS - Network Services                        Fax:   (352) 392-9440
University of Florida/FLR                     Gainesville, FL 32611

From sdanelli at gmail.com Tue Aug 12 11:52:33 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Tue, 12 Aug 2008 09:52:33 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com>
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com>
Message-ID: 

I see that makes sense. I will give it a shot.
thanks for your help.

On Tue, Aug 12, 2008 at 8:54 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> because this is how LDP works in frame-based MPLS networks. Every LDP
> speaker independently allocates and distributes labels, so the P node
> also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no
> matter if the upstream neighbor (PE1) sent one or not..
>
> oli
>
> Sergio D. wrote on Tuesday, August 12, 2008 4:39 PM:
>
> > Yes there is a "P" router in the middle. Why would the middle router
> > be getting a binding if I am filtering from the source?
> >
> > On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) wrote:
> >
> > > Sergio,
> > >
> > > is PE2 really adjacent to PE1? I don't think it is, there must be
> > > some LDP speaker in the middle. If PE2 was adjacent to PE1, the
> > > outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null
> > > (aka "pop label" as those networks are directly connected on PE1),
> > > not 18 or 20, as you've indicated below.
> > > I would assume it is 25.25.25.25, as this LDP neighbor sends
> > > advertisements to both PE1 and PE2.
> > >
> > > As every speaker allocates labels independently, you need to filter
> > > the LDP advertisements on *all* LDP speakers.
> > >
> > > oli
From cchurc05 at harris.com Tue Aug 12 12:02:12 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 12 Aug 2008 11:02:12 -0500
Subject: [c-nsp] Release notes for ISR ROMMON
In-Reply-To: <200DE36ECF294B43891F0F70908C62F1ACD704F7@mspe2k1.cs.myharris.net>
References: <200DE36ECF294B43891F0F70908C62F1ACD704F7@mspe2k1.cs.myharris.net>
Message-ID: 

Anyone?
-----Original Message-----
From: Church, Charles
Sent: Saturday, August 09, 2008 4:51 PM
To: cisco-nsp at puck.nether.net
Subject: Release notes for ISR ROMMON

Anyone know where to find the release notes for the various ROMMON
versions for the 2800 and 3800 routers? Noticed 'DRAM access optimization'
as a benefit of the latest 2800 ROMMON, and I recently worked on a problem
with a 3845 giving console messages like this:

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Rommon primary and backup variables are invalid...
Warning: monitor nvram area is corrupt ... using default values
amd_flash_cmd: timeout on erase sector command
environment checksum failed
amd_flash_cmd: timeout on erase sector command
environment write to NVRAM failed
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23
ROM Monitor Can Not Recover From Exception A Board ?

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Storing backup rommon variables...
amd_flash_cmd: timeout on erase sector command
amd_flash_cmd: timeout on erase sector command
environment checksum failed
Total memory size = 512 MB - DIMM0 = 512 MB, DIMM1 = 0 MB
c3845 platform with 524288 Kbytes of main memory
Main memory is configured to 72/0(dimm 0/1) bit mode with ECC enabled

Readonly ROMMON initialized
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23

I've got a feeling it's really bad hardware, but usually want to exhaust
all the possible bugs before calling TAC. Since it specifically mentions
ROMMON variables in the output, figured it was at least related. The DRAM
access optimization thing just sounds interesting.
Searched the web site for a good 20 minutes, no luck.

Thanks,

Chuck

From david.freedman at uk.clara.net Tue Aug 12 12:37:46 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 12 Aug 2008 17:37:46 +0100
Subject: [c-nsp] Console access via cell phone
In-Reply-To: 
References: 
Message-ID: 

Why not buy a cisco 1841 with 3G/2.5G HWIC?
(http://www.cisco.com/en/US/products/ps7272/index.html)

Put in a SIM from a provider where you can get a public IP or have the
1841 tunnel out to you (via ipsec ez vpn client eg) to a place you can
access it via.

Dave.

Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?
>
> Regards,
>
> Rens
>

From luan at t3technology.com Tue Aug 12 12:57:58 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Tue, 12 Aug 2008 12:57:58 -0400
Subject: [c-nsp] Console access via cell phone
In-Reply-To: 
References: 
Message-ID: <023701c8fc9c$92ffbb30$b8ff3190$@com>

This is interesting...

ONEBOX_Spoke3#show cellular 0/1/0 profile
Electronic Serial Number (ESN) =
Modem activated = YES

Account Information:
======================
Activation Date:
Phone Number (MDN) :
Mobile Station Identifier (MSID) :

So if you configure the dialer interface to accept incoming call via the
MDN, you could basically use it (EVDO is what I have now) as console access
while it serves as backup to primary connection? Anyone has configuration
for this set up?

Thanks.

-Luan

P.S Maybe you were just talking about this
http://www.bb-elec.com/tech_articles/digi/appguide_connectwan_consolemgmt.pdf ?
From kevin at gannons.net Tue Aug 12 13:53:16 2008
From: kevin at gannons.net (kevin gannon)
Date: Tue, 12 Aug 2008 18:53:16 +0100
Subject: [c-nsp] Console access via cell phone
In-Reply-To: <023701c8fc9c$92ffbb30$b8ff3190$@com>
References: <023701c8fc9c$92ffbb30$b8ff3190$@com>
Message-ID: <17eef0950808121053q2d79d4fctd28c009897ebd0e9@mail.gmail.com>

Inbound calls are not supported on the 3g wic, last time I checked with
TAC at least.

Regards
Kevin

On Tue, Aug 12, 2008 at 5:57 PM, Luan M Nguyen wrote:
> This is interesting...
From cchurc05 at harris.com Tue Aug 12 14:30:02 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 12 Aug 2008 13:30:02 -0500
Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP
Message-ID: 

Does anyone know if it's possible to use XMODEM from a 6500 Sup2's SP
ROMMON to copy a native mode image (assume 12.2SX) and boot it
successfully? I know it would take forever, just trying to update some
documentation. All the docs on CCO seem to indicate that it can be used
to copy a CatOS image and boot it. Just wondering if it's possible.
Don't have a local 6500 to test it on.

Thanks,

Chuck

From mcgrath at fas.harvard.edu Tue Aug 12 14:58:34 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Tue, 12 Aug 2008 14:58:34 -0400
Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP
In-Reply-To: 
References: 
Message-ID: <48A1DD5A.9050201@fas.harvard.edu>

Use a PCMCIA to CF adapter and load the image using your PC - we used
these extensively and they worked well and were much cheaper than the
flash cards plus with a laptop we could copy directly onto the CF no need
for XMODEM/TFTP

Church, Charles wrote:
> Does anyone know if it's possible to use XMODEM from a 6500 Sup2's SP
> ROMMON to copy a native mode image (assume 12.2SX) and boot it
> successfully?
I know it would take forever, just trying to update some > documentation. All the docs on CCO seem to indicate that it can be used > to copy a CatOS image and boot it. Just wondering if it's possible. > Don't have a local 6500 to test it on. > > Thanks, > > Chuck > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gtb at slac.stanford.edu Tue Aug 12 15:53:09 2008 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Tue, 12 Aug 2008 12:53:09 -0700 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: <48A1DD5A.9050201@fas.harvard.edu> References: <48A1DD5A.9050201@fas.harvard.edu> Message-ID: > Use a PCMCIA to CF adapter and load the image using your PC My vague recollection is that you needed at least a later ROMMON (7.1(1)?) in your SUP2 for ATA disk support for either the disk flash card, or the CF/adapter(*). If you had an early ROMMON image, you could only use linear flash, which would probably mean XMODEM to load to the linear flash, since it was harder to find (driver) support for linear flashes. My solution was to always upgrade the ROMMON as the first step of receiving a new or RMA'd SUP2 so that I could use a flash disk or CF/adapter later (since as stated, it is *so* much easier to use a PC to load the code than even attempt XMODEM). Gary (*) Do not depend on my memory of ROMMON versions, the Cisco web site with release notes is your friend. From cchurc05 at harris.com Tue Aug 12 16:21:50 2008 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 12 Aug 2008 15:21:50 -0500 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: References: <48A1DD5A.9050201@fas.harvard.edu> Message-ID: Yep, I'm familiar with the Sup2 and the 64MB ATA card. We're neck deep in converting our 1400 hybrid ones to native. 
I'm just trying to write a doc that assumes a tech in a remote location only has a laptop with a serial port, the correct IOS image on his/her laptop, and a sup2 with a totally blank ATA card (not even a MONLIB on it). Or perhaps no ATA card, and is using a 12.1E native image that'll fit on the 32MB internal card. Honestly, just wondering if from Sup2 SP ROMMON: ---------------------------------------- rommon 15 > xmodem -cs 38400 Do you wish to continue? (y/n) [n]: y Console port and Modem must operate at same baud rate. Use console & modem at 38400 bps for download ? (y/n) [n]: y Ready to receive file ...Will wait for a minute ------------------------------------------- .... will work if I upload a 52 MB 12.2SX image via XMODEM, or if it'll blow up. Thanks again, Chuck -----Original Message----- From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu] Sent: Tuesday, August 12, 2008 3:53 PM To: Scott McGrath; Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] XMODEM a native image to a 6500 Sup2 SP > Use a PCMCIA to CF adapter and load the image using your PC My vague recollection is that you needed at least a later ROMMON (7.1(1)?) in your SUP2 for ATA disk support for either the disk flash card, or the CF/adapter(*). If you had an early ROMMON image, you could only use linear flash, which would probably mean XMODEM to load to the linear flash, since it was harder to find (driver) support for linear flashes. My solution was to always upgrade the ROMMON as the first step of receiving a new or RMA'd SUP2 so that I could use a flash disk or CF/adapter later (since as stated, it is *so* much easier to use a PC to load the code than even attempt XMODEM). Gary (*) Do not depend on my memory of ROMMON versions, the Cisco web site with release notes is your friend. From rubensk at gmail.com Tue Aug 12 16:38:22 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) 
Date: Tue, 12 Aug 2008 17:38:22 -0300
Subject: [c-nsp] ME6500
In-Reply-To: <48A19048.9000508@forthnet.gr>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com> <48A19048.9000508@forthnet.gr>
Message-ID: <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com>

There were some platforms like the 7500 where "no arp" in config mode did work for dynamic ARP entries. As I said, I haven't tested it on the ME6524, neither with SVIs nor routed interfaces, nor with ZU2 or SXH IOS.

An ARP entry associated with DHCP Snooping / Dynamic ARP Inspection / IP Source Guard may also show a different behavior than a pure dynamic ARP entry.

Rubens

2008/8/12 Tassos Chatzithomaoglou :
>
> Justin, "no arp" in config mode should work for static entries only.
>
> --
> Tassos
>
> Justin Shore wrote on 12/8/2008 4:17 PM:
>>
>> The argument for clear arp-cache is an interface or null.
>>
>> 6524-2.brd#clear arp-cache ?
>>   interface  Clear the entire ARP cache on the interface
>>
>> Ruben was correct with 'no arp ' from global config mode on that
>> platform with the ZU code.
>>
>> Justin
>>
>> Tassos Chatzithomaoglou wrote:
>>>
>>> "clear arp-cache x.x.x.x" should work. Just keep in mind that after doing
>>> this, the local router will send an arp request to this mac. If it's still
>>> active, a reply is sent back and the local arp table will be filled again
>>> (you can check the "Age" counter).
>>> >>> -- >>> Tassos >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mack at exchange.alphared.com Tue Aug 12 20:26:33 2008 From: mack at exchange.alphared.com (mack) Date: Tue, 12 Aug 2008 19:26:33 -0500 Subject: [c-nsp] Support for SIP-600 Message-ID: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> Can anyone verify if SXH and successors support the SIP-600 and corresponding 2xOC48 and 4xOC48 cards on the 6500 chassis. They are not listed in the release notes but the SIP-600 at least was supported in the SXF train with the 1xOC192 on the 6500 chassis. I hate changing chassis but it doesn't look like there is much alternative. -- LR Mack McBride Network Administrator Alpha Red, Inc. From dcp at dcptech.com Tue Aug 12 20:39:28 2008 From: dcp at dcptech.com (David Prall) Date: Tue, 12 Aug 2008 20:39:28 -0400 Subject: [c-nsp] Support for SIP-600 In-Reply-To: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> References: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> Message-ID: <00da01c8fcdd$242e1170$1bfe200a@cisco.com> The SIP-600 is not supported by SXH. I believe SXI will support it again (don't have access to the secret decoder currently to confirm), but that is about a month out. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mack > Sent: Tuesday, August 12, 2008 8:27 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Support for SIP-600 > > Can anyone verify if SXH and successors support the SIP-600 and > corresponding 2xOC48 and 4xOC48 cards on the 6500 chassis. 
> > They are not listed in the release notes but the SIP-600 at least > was supported in the SXF train with the 1xOC192 on the 6500 chassis. > > I hate changing chassis but it doesn't look like there is > much alternative. > > > -- > LR Mack McBride > Network Administrator > Alpha Red, Inc. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Tue Aug 12 21:01:51 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 12 Aug 2008 20:01:51 -0500 Subject: [c-nsp] 1252ag backwards compatibility Message-ID: Hello, I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell me if you have 802.11g clients and some 802.11n clients all on 2.4ghz, do the 802.11n clients run at 802.11n and the 802.11g clients run at 802.11g? Or does everything run at 802.11g? Thanks, Dan. From rubensk at gmail.com Tue Aug 12 21:55:56 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Tue, 12 Aug 2008 22:55:56 -0300 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) Message-ID: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> Robert, Updating this modular x monolithic thread to SXI, what's the current plan for SXI, modular only or both modular and non-modular ? Rubens On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe wrote: > SXH was originally planned to be modular only, but a non-modular image was > released. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers > Sent: Tuesday, October 02, 2007 10:48 AM > To: Gert Doering > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SXH on 6500 > > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote: >> Hi, >> >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote: >> > You are aware that SXH is only available in modular? 
>> >> That's news to me and my routers :) >> >> -rw-r--r-- 1 gert daemon 77939716 11 Sep 10:26 > s72033-advipservicesk9_wan-mz.122-33.SXH.bin >> -rw-r--r-- 1 gert netmaster 123923108 20 Aug 23:32 > s72033-advipservicesk9_wan-vz.122-33.SXH.bin >> >> gert > > You're correct of course. How odd - I'm looking at a pretty recent .ppt > from Cisco claiming SXH would be modular-only. I guess they blinked. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dcp at dcptech.com Tue Aug 12 22:11:59 2008 From: dcp at dcptech.com (David Prall) Date: Tue, 12 Aug 2008 22:11:59 -0400 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) In-Reply-To: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> Message-ID: <00e601c8fcea$104fef40$1bfe200a@cisco.com> Both will remain for SX releases as far as I know. Eventually only modular will be available, but that is still a while out. I believe once we start seeing Safe Harbor Modular releases we will be closer to that happening. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Rubens Kuhl Jr. > Sent: Tuesday, August 12, 2008 9:56 PM > To: rocrowe at cisco.com > Cc: Cisco-nsp > Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500) > > Robert, > > Updating this modular x monolithic thread to SXI, what's the current > plan for SXI, modular only or both modular and non-modular ? 
> > > Rubens > > > On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe > wrote: > > SXH was originally planned to be modular only, but a > non-modular image was > > released. > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers > > Sent: Tuesday, October 02, 2007 10:48 AM > > To: Gert Doering > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] SXH on 6500 > > > > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote: > >> Hi, > >> > >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote: > >> > You are aware that SXH is only available in modular? > >> > >> That's news to me and my routers :) > >> > >> -rw-r--r-- 1 gert daemon 77939716 11 Sep 10:26 > > s72033-advipservicesk9_wan-mz.122-33.SXH.bin > >> -rw-r--r-- 1 gert netmaster 123923108 20 Aug 23:32 > > s72033-advipservicesk9_wan-vz.122-33.SXH.bin > >> > >> gert > > > > You're correct of course. How odd - I'm looking at a pretty > recent .ppt > > from Cisco claiming SXH would be modular-only. I guess they blinked. 
> > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mack at exchange.alphared.com Tue Aug 12 23:10:28 2008 From: mack at exchange.alphared.com (mack) Date: Tue, 12 Aug 2008 22:10:28 -0500 Subject: [c-nsp] OSM-2OC48/1DTP-SI Message-ID: <6F2FFD7C10F788479E354B84294036C430ABB95C@EXCH-MBX.exchange.alphared.local> Does anyone have compatibility info and actual route handling capability for the OSM-2OC48/1DTP-SI card? http://www.cisco.com/en/US/products/hw/modules/ps2831/products_data_sheet09186a0080088774.html The platform is a 6509 with Sup720-3BXL It looks like the card with 256MB should support a good number of routes. How many will it actually support? Another question is what mode with a Sup720-3BXL will run in when configured with this module? It looks like it will support a full 5Gig on the two POS ports. Can someone verify that? -- LR Mack McBride Network Administrator Alpha Red, Inc. 
From mjsaarin at cc.helsinki.fi Wed Aug 13 01:10:29 2008
From: mjsaarin at cc.helsinki.fi (Matti Saarinen)
Date: Wed, 13 Aug 2008 08:10:29 +0300
Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP
In-Reply-To: (Charles Church's message of "Tue, 12 Aug 2008 15:21:50 -0500")
References: <48A1DD5A.9050201@fas.harvard.edu>
Message-ID:

"Church, Charles" wrote:

> Honestly, just wondering if from Sup2 SP ROMMON:
> ----------------------------------------
> rommon 15 > xmodem -cs 38400
> [...]
> .... will work if I upload a 52 MB 12.2SX image via XMODEM, or if it'll
> blow up.

I have done it, although I didn't use any higher speed than 9600 and the IOS was some 12.1E native image. But yes, it was possible and it took ages. Probably it'll also work with larger IOS images than the 12.1E ones used to be. The image was not loaded to bootflash/PCMCIA/CF but to memory or such, from which the boot loader read it and booted the box with it.

Cheers,

--
- Matti -

From adrian.minta at gmail.com Wed Aug 13 01:24:26 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Wed, 13 Aug 2008 08:24:26 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com> <48A19048.9000508@forthnet.gr> <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com>
Message-ID: <14e72ec90808122224m271db890uc7d6b6f2c4627e88@mail.gmail.com>

Thank you all!

Last night I did an upgrade to s6523-advipservicesk9-mz.122-33.SXH3 and now I have "clear ip arp x.x.x.x":

switch#clear ip arp ?
  A.B.C.D     IP address of dynamic ARP entry
  inspection  Clear State of ARP Inspection

From chpreddi at gmail.com Wed Aug 13 02:21:38 2008
From: chpreddi at gmail.com (Pratap Reddy)
Date: Wed, 13 Aug 2008 16:21:38 +1000
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
Message-ID: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com>

Hi,

I have a query regarding implementation of 4 Byte AS on Cisco routers.

Has anyone implemented/tested 4 byte AS on Cisco routers?

Cheers.
Pratap.

From ddunkin at netos.net Wed Aug 13 03:10:26 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Wed, 13 Aug 2008 00:10:26 -0700
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com>
Message-ID: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com>

It would appear support is still very limited. I still have not seen this pop up in the feature navigator by any recognizable name.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy
Sent: Tuesday, August 12, 2008 23:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers

Hi,

I have a query regarding implementation of 4 Byte AS on Cisco routers.

Has anyone implemented/tested 4 byte AS on Cisco routers?

Cheers.
Pratap.
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From hank at efes.iucc.ac.il Wed Aug 13 03:28:16 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Wed, 13 Aug 2008 10:28:16 +0300 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com > References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> Message-ID: <5.1.0.14.2.20080813102409.00afd328@efes.iucc.ac.il> At 12:10 AM 13-08-08 -0700, Darryl Dunkin wrote: There are a few already using it: http://www.cidr-report.org/cgi-bin/as-report?as=2.4&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=5.1&view=2.0 Just do a BGP search for AS23456: aut-num: AS23456 as-name: RESERVED-AS descr: assigned by IANA http://www.iana.org/assignments/as-numbers descr: see http://www.ietf.org/internet-drafts/draft-ietf-idr-as4bytes-13.txt org: ORG-IANA1-RIPE admin-c: RFC1918-RIPE tech-c: RFC1918-RIPE mnt-by: RIPE-NCC-HM-MNT changed: bit-bucket at ripe.net 20070328 source: RIPE gp1#sho ip bgp reg 23456 BGP table version is 8664272, local router ID is 128.139.220.90 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *>i169.222.0.0/24 xxx.139.220.91 0 100 0 20965 1299 6939 6939 7091 715 23456 i *>i192.26.93.0 xxx.139.220.91 0 100 0 20965 3549 2914 4697 23456 i *>i193.5.68.0/23 xxx.139.220.91 0 100 0 20965 3549 6830 8758 23456 i *>i193.31.7.0 xxx.139.220.91 0 100 0 20965 3549 1273 5539 23456 i *>i195.47.195.0 xxx.139.220.91 0 100 0 20965 3549 8495 23456 i *>i196.1.15.0 xxx.139.220.91 0 100 0 20965 3549 174 3741 23456 i *>i202.255.47.0 xxx.139.220.91 0 100 0 20965 3549 2516 7667 23456 i -Hank >It would appear support is still very limited. 
>I still have not seen this pop up in the feature navigator by any recognizable name.
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy
>Sent: Tuesday, August 12, 2008 23:22
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
>
>Hi,
>
>I have a query regarding implementation of 4 Byte AS on Cisco routers.
>
>Has anyone implemented/tested 4 byte AS on Cisco routers?
>
> Cheers.
>Pratap.
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From hohockjim at gmail.com Wed Aug 13 04:24:14 2008
From: hohockjim at gmail.com (Hock Jim)
Date: Wed, 13 Aug 2008 16:24:14 +0800
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com>
Message-ID: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com>

Already supported in IOS-XR.

Recently heard from Cisco:
12.0S      late Q4 2008
12.2SRE    even later Q4 2008
12.5(1)T   Q2 2009

That said, unless you're directly connected to a BGP peer with 32-bit ASNs, routing still works. You however lose visibility as to which AS it goes to. (Prolly have to resort to checking the Internet registries' whois manually.)

On Wed, Aug 13, 2008 at 3:10 PM, Darryl Dunkin wrote:
> It would appear support is still very limited. I still have not seen
> this pop up in the feature navigator by any recognizable name.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy
> Sent: Tuesday, August 12, 2008 23:22
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
>
> Hi,
>
> I have a query regarding implementation of 4 Byte AS on Cisco routers.
>
> Has anyone implemented/tested 4 byte AS on Cisco routers?
>
> Cheers.
> Pratap.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From hashng at gmail.com Wed Aug 13 06:02:30 2008
From: hashng at gmail.com (Hash Aminu)
Date: Wed, 13 Aug 2008 13:02:30 +0300
Subject: [c-nsp] Alternative to RBE (Route Bridge Encapsulation)
Message-ID:

Hi guys,

I am trying to find a feature that will be able to replace Route Bridge Encapsulation, because we are migrating to 12.2S and it does not support that feature. Any thoughts or ideas will be useful.

Thanks
TIA
Hash

From p.mayers at imperial.ac.uk Wed Aug 13 06:02:52 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 13 Aug 2008 11:02:52 +0100
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <00e601c8fcea$104fef40$1bfe200a@cisco.com>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com>
Message-ID: <48A2B14C.5030308@imperial.ac.uk>

David Prall wrote:
> Both will remain for SX releases as far as I know. Eventually only modular

Which I believe is in large part the cause of the problems they've had with SXH.

Think about it: You're the 6500 IOS team.
You have a large body of upstream IOS code, and you have to back-port it, but at the *same* time you also have to modularise it. Contrast: You're the 7600 IOS team. You have a large body of upstream IOS code. You just have to back-port it. > will be available, but that is still a while out. I believe once we start > seeing Safe Harbor Modular releases we will be closer to that happening. Ha ha. The Safe Harbor site claims that SXH3 monolithic testing would start in July (before it was even released?) but there are already severe crash bugs in that release, so I assume they'll wait until SXH3a or 4 or whatever. The Safe Harbor site also says of modularity: IOS Software Modularity 12.2(18)SXF *All releases have FAILED due to CSCin96568, CSCsf03710. Most Recently Tested 12.2(18)SXF8 failed Candidate Under Test or Planned 12.2(33)SXI.x Q2FY09 So it'll be over 6 months before they even *BOTHER TESTING* a modular release for Safe Harbor, accounting for the usual 6500 fictional IOS release dates. Does it sound to you like they're banging the "modular" drum a bit quieter than they used to? Because it does to me. Let's not kid ourselves - SXF is going to be the stable release for some time to come. I just hope they release an SXF train with support for the 6716s I bought... From mtinka at globaltransit.net Wed Aug 13 08:04:31 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 13 Aug 2008 20:04:31 +0800 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> Message-ID: <200808132004.32280.mtinka@globaltransit.net> On Wednesday 13 August 2008 16:24:14 Hock Jim wrote: > 12.2SRE even later Q4 2008 Hmmh, AFAIK, SRE is out mid-'09. What's planned for Q4'08 is SRD. Cheers, Mark. 
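Hank's `show ip bgp reg 23456` output and Hock Jim's remark about losing visibility into which AS a prefix goes to describe the same mechanism: a router that does not speak 4-byte ASNs sees AS_TRANS (23456) in place of every 4-byte AS in the path, so the real origin is hidden and only its 2-byte neighbour is visible. The following is an added example, not code from the thread, that parses rows of the form Hank pasted, flags the prefixes that carry AS_TRANS, reports which visible neighbour to look up in whois for the hidden origin, and converts between the asdot form used in the cidr-report links (2.4, 5.1) and asplain. It assumes the Metric, LocPrf and Weight columns are all present, as they are in the pasted iBGP rows, and flattens AS_SET members into the path.

```python
"""4-byte ASN notation helpers and an AS_TRANS spotter for 'show ip bgp' output.

Added example, not from the thread. AS_TRANS (23456, RFC 4893) is what a router
without 4-byte ASN support sees in place of every 4-byte ASN in an AS_PATH, so a
path ending in 23456 on such a router means the true origin AS is hidden.
Assumptions: asdot is <high>.<low> with both halves below 65536; table rows
carry Metric, LocPrf and Weight columns as in the pasted iBGP rows; AS_SET
members in braces are treated as plain path entries.
"""
import re

AS_TRANS = 23456
AS_MAX = 2 ** 32 - 1

# Rows from Hank's 'show ip bgp reg 23456' paste above (next hop masked there).
SAMPLE_TABLE = """\
*>i169.222.0.0/24 xxx.139.220.91 0 100 0 20965 1299 6939 6939 7091 715 23456 i
*>i192.26.93.0 xxx.139.220.91 0 100 0 20965 3549 2914 4697 23456 i
*>i193.5.68.0/23 xxx.139.220.91 0 100 0 20965 3549 6830 8758 23456 i
*>i193.31.7.0 xxx.139.220.91 0 100 0 20965 3549 1273 5539 23456 i
*>i195.47.195.0 xxx.139.220.91 0 100 0 20965 3549 8495 23456 i
*>i196.1.15.0 xxx.139.220.91 0 100 0 20965 3549 174 3741 23456 i
*>i202.255.47.0 xxx.139.220.91 0 100 0 20965 3549 2516 7667 23456 i
"""

ROW = re.compile(
    r"^(?P<status>[*>sdhirS ]*?)"                 # status codes fused to the prefix
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+"
    r"(?P<next_hop>\S+)\s+"
    r"(?P<metric>\d+)\s+(?P<locprf>\d+)\s+(?P<weight>\d+)\s+"  # assumed present
    r"(?P<path>[\d {},]*?)\s*"
    r"(?P<origin>[ie?])\s*$"
)


def asdot_to_asplain(text):
    """'2.4' -> 131076; a dotless string is already asplain and is range-checked."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("asdot halves must each fit in 16 bits: %r" % text)
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= AS_MAX:
        raise ValueError("ASN out of 32-bit range: %r" % text)
    return value


def asplain_to_asdot(value):
    """131076 -> '2.4'; 2-byte ASNs stay plain (asdot, not asdot+)."""
    if not 0 <= value <= AS_MAX:
        raise ValueError("ASN out of 32-bit range: %r" % value)
    high, low = divmod(value, 1 << 16)
    return "%d.%d" % (high, low) if high else str(low)


def parse_bgp_table(text):
    """Return one dict per route row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        path = [int(tok) for tok in re.findall(r"\d+", m.group("path"))]
        rows.append({"prefix": m.group("prefix"), "next_hop": m.group("next_hop"),
                     "path": path, "origin": m.group("origin")})
    return rows


def as_trans_prefixes(rows):
    """Prefixes whose AS_PATH contains AS_TRANS: a 4-byte ASN is hidden in them."""
    return [r["prefix"] for r in rows if AS_TRANS in r["path"]]


def hidden_origin_neighbours(rows):
    """For each affected prefix, the last real AS visible before the first AS_TRANS.
    That is the upstream to query in whois when looking for the real 4-byte origin."""
    out = {}
    for r in rows:
        path = r["path"]
        if AS_TRANS in path:
            idx = path.index(AS_TRANS)
            out[r["prefix"]] = path[idx - 1] if idx else None
    return out


if __name__ == "__main__":
    table = parse_bgp_table(SAMPLE_TABLE)
    for prefix, upstream in hidden_origin_neighbours(table).items():
        print("%-16s origin hidden behind AS_TRANS, last visible AS %d" % (prefix, upstream))
    print(asdot_to_asplain("2.4"), asplain_to_asdot(131076))
```

Because the 2-byte speaker has already replaced the 4-byte ASNs before the table is printed, nothing parsed from its output can recover the real origin; the script only tells you which prefixes are affected and where to start looking, which is the manual whois step Hock Jim mentions.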
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From mtinka at globaltransit.net Wed Aug 13 08:04:24 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 13 Aug 2008 20:04:24 +0800 Subject: [c-nsp] SRC2? In-Reply-To: <1218555162.2004.15.camel@empacher.cns.ufl.edu> References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> Message-ID: <200808132004.24869.mtinka@globaltransit.net> On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote: > Anyone know when 12.2(33)SRC2 is supposed to be released, > specifically for the 7600. I had heard by the end of > July, but so far no release. Same here... heard it was meant to be mid-July, but nothing yet. Having waited this long, it'll come when it comes, I guess :-). Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From paul at paulstewart.org Wed Aug 13 09:04:37 2008 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 13 Aug 2008 09:04:37 -0400 Subject: [c-nsp] Fake Gear?? 2621XM Message-ID: <004a01c8fd45$25a39f30$70eadd90$@org> Hi there. Does anyone have a guide or list of stuff to look for if you think you've been sold fake gear? I've gathered little bits and pieces over time on what to look for.. We have a number of 2621XM's deployed at remote sites. They all have similar configs, similar IOS loads (although they've been upgraded several times), and all have max memory/flash (aftermarket). The exact same problem keeps happening about every 3-4 weeks on most of these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes onsite, he does a shutdown/no shutdown and everything starts working again for 3-4 weeks. 
At first we thought this was the equipment the 2621XM's plug into but now we're starting to wonder when the same pattern is occurring over and over. At one of the sites, we swapped out the 2621XM and put an 1841 in place and so far no issues at all and it's been 5 weeks. Any thoughts? ;) Paul From tomas at soitron.com Wed Aug 13 08:58:02 2008 From: tomas at soitron.com (Tomas Daniska) Date: Wed, 13 Aug 2008 14:58:02 +0200 Subject: [c-nsp] SRB4 (was RE: SRC2?) In-Reply-To: <200808132004.24869.mtinka@globaltransit.net> References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> Message-ID: <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as> speaking of the releases... is anyone running SRB4 in production yet? cheers -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mark Tinka > Sent: 13 August 2008 14:04 > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SRC2? > > On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote: > > > Anyone know when 12.2(33)SRC2 is supposed to be released, > > specifically for the 7600. I had heard by the end of > > July, but so far no release. > > Same here... heard it was meant to be mid-July, but nothing > yet. > > Having waited this long, it'll come when it comes, I > guess :-). > > Cheers, > > Mark. From paul at paulstewart.org Wed Aug 13 09:38:53 2008 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 13 Aug 2008 09:38:53 -0400 Subject: [c-nsp] Fake Gear?? 2621XM In-Reply-To: <48A2DD95.9000704@packetlife.net> References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A2DD95.9000704@packetlife.net> Message-ID: <000001c8fd49$f507d3f0$df177bd0$@org> Thanks.. none of these particular 2621XM's have any additional cards in them.... 
but that's a handy reference for sure ;)

Paul

-----Original Message-----
From: Jeremy Stretch [mailto:stretch at packetlife.net]
Sent: August 13, 2008 9:12 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

This page has some good info and pics:

http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml

--
stretch
http://packetlife.net

Paul Stewart wrote:
> Hi there.
>
> Does anyone have a guide or list of stuff to look for if you think you've
> been sold fake gear? I've gathered little bits and pieces over time on what
> to look for..
>
> We have a number of 2621XM's deployed at remote sites. They all have
> similar configs, similar IOS loads (although they've been upgraded several
> times), and all have max memory/flash (aftermarket).
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>
> Paul


From ltd at cisco.com Wed Aug 13 09:43:58 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 13 Aug 2008 23:43:58 +1000
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com>
Message-ID: <48A2E51E.1080307@cisco.com>

Hock Jim wrote:
> Already supported in IOS-XR.
>

just for completeness, NX-OS on Cisco Nexus 7K has it too.

cheers,

lincoln.


From jlewis at lewis.org Wed Aug 13 09:59:05 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 13 Aug 2008 09:59:05 -0400 (EDT)
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID:

On Wed, 13 Aug 2008, Paul Stewart wrote:

> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.

It doesn't have to be fake gear to be buggy. That used to happen all the
time on our AS5200s. Eventually, cisco came out with IOS that stopped doing
it.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


From stretch at packetlife.net Wed Aug 13 09:11:49 2008
From: stretch at packetlife.net (Jeremy Stretch)
Date: Wed, 13 Aug 2008 16:11:49 +0300
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A2DD95.9000704@packetlife.net>

This page has some good info and pics:

http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml

--
stretch
http://packetlife.net

Paul Stewart wrote:
> Hi there.
>
> Does anyone have a guide or list of stuff to look for if you think you've
> been sold fake gear? I've gathered little bits and pieces over time on what
> to look for..
>
> We have a number of 2621XM's deployed at remote sites. They all have
> similar configs, similar IOS loads (although they've been upgraded several
> times), and all have max memory/flash (aftermarket).
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>
> Paul


From rubensk at gmail.com Wed Aug 13 10:03:18 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 11:03:18 -0300
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <00e601c8fcea$104fef40$1bfe200a@cisco.com>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com>
Message-ID: <6bb5f5b10808130703j38efcc41ja910a797fded9732@mail.gmail.com>

That is good news. The other good news would be that SXI monolithic could
run with only 256 MB of SP memory and 512 MB of RP memory (default config
of ME6524), Advanced IP Services. Any guess on this one?

Rubens

On Tue, Aug 12, 2008 at 11:11 PM, David Prall wrote:
> Both will remain for SX releases as far as I know. Eventually only modular
> will be available, but that is still a while out. I believe once we start
> seeing Safe Harbor Modular releases we will be closer to that happening.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Rubens Kuhl Jr.
>> Sent: Tuesday, August 12, 2008 9:56 PM
>> To: rocrowe at cisco.com
>> Cc: Cisco-nsp
>> Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500)
>>
>> Robert,
>>
>> Updating this modular x monolithic thread to SXI, what's the current
>> plan for SXI, modular only or both modular and non-modular ?
>>
>>
>> Rubens
>>
>>
>> On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe wrote:
>> > SXH was originally planned to be modular only, but a non-modular image was
>> > released.
>> >
>> > -----Original Message-----
>> > From: cisco-nsp-bounces at puck.nether.net
>> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
>> > Sent: Tuesday, October 02, 2007 10:48 AM
>> > To: Gert Doering
>> > Cc: cisco-nsp at puck.nether.net
>> > Subject: Re: [c-nsp] SXH on 6500
>> >
>> > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote:
>> >> Hi,
>> >>
>> >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote:
>> >> > You are aware that SXH is only available in modular?
>> >>
>> >> That's news to me and my routers :)
>> >>
>> >> -rw-r--r--  1 gert  daemon     77939716 11 Sep 10:26 s72033-advipservicesk9_wan-mz.122-33.SXH.bin
>> >> -rw-r--r--  1 gert  netmaster 123923108 20 Aug 23:32 s72033-advipservicesk9_wan-vz.122-33.SXH.bin
>> >>
>> >> gert
>> >
>> > You're correct of course. How odd - I'm looking at a pretty recent .ppt
>> > from Cisco claiming SXH would be modular-only. I guess they blinked.
>> >
>> >


From achatz at forthnet.gr Wed Aug 13 10:39:53 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 13 Aug 2008 17:39:53 +0300
Subject: [c-nsp] SRB4 (was RE: SRC2?)
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
Message-ID: <48A2F239.1080108@forthnet.gr>

I'm running it on 7600/SUP720 and 7600/RSP720 without any problems
(upgrade from SRB2/3; no L3 features used).

--
Tassos

Tomas Daniska wrote on 13/8/2008 3:58:
> speaking of the releases... is anyone running SRB4 in production yet?
>
> cheers
>
> --
>
> deejay
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Mark Tinka
>> Sent: 13 August 2008 14:04
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] SRC2?
>>
>> On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote:
>>
>>> Anyone know when 12.2(33)SRC2 is supposed to be released,
>>> specifically for the 7600. I had heard by the end of
>>> July, but so far no release.
>>
>> Same here... heard it was meant to be mid-July, but nothing
>> yet.
>>
>> Having waited this long, it'll come when it comes, I
>> guess :-).
>>
>> Cheers,
>>
>> Mark.


From david.freedman at uk.clara.net Wed Aug 13 11:08:17 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 13 Aug 2008 16:08:17 +0100
Subject: [c-nsp] Overruns - GSR Engine2 (3GE-GBIC-SC)
Message-ID:

Am seeing incrementing overruns corresponding to the Gigmac rfifo_full
counter incrementing on this card:

# sh int g4/0 | in overr
     5519 input errors, 0 CRC, 0 frame, 5519 overrun, 0 ignored
# sh int g4/0 | in overr
     5521 input errors, 0 CRC, 0 frame, 5521 overrun, 0 ignored

#execute-on slot 4 show controllers gig 0 | in fifo_full
========= Line Card (Slot 4) =========
0 risl, 0 riq, 12947 rdrop, 0 rsupp, 0 rinvalid_encap, 12947 rfifo_full
#execute-on slot 4 show controllers gig 0 | in fifo_full
========= Line Card (Slot 4) =========
0 risl, 0 riq, 12953 rdrop, 0 rsupp, 0 rinvalid_encap, 12953 rfifo_full

Linecard CPU is not high:

#execute-on slot 4 show proc cpu | exc 0.00
========= Line Card (Slot 4) =========
CPU utilization for five seconds: 38%/0%; one minute: 19%; five minutes: 17%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  53    25776564  10964270       2350  0.55%  0.75%  0.75%   0 CEF process
  63    15474780  42493646        364  0.15%  0.24%  0.23%   0 Queue Mgr
  80  1174512036   6109315     192253 36.55% 16.26% 15.51%   0 TAG Stats Backgr

Traffic does not seem excessive on the port in question nor have I found
any evidence of microbursts:

#sh int g4/0
GigabitEthernet4/0 is up, line protocol is up
  Hardware is GigMac 3 Port GigabitEthernet, address is 0005.5ff8.c954 (bia 0005.5ff8.c954)
  Internet address is 10.0.0.1/30
  MTU 1600 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 58/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, link type is force-up, media type is LX
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 2d01h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 204130000 bits/sec, 57532 packets/sec
  5 minute output rate 230560000 bits/sec, 46316 packets/sec
     7492692380 packets input, 3630841835600 bytes, 0 no buffer
     Received 42 broadcasts, 0 runts, 8629393 giants, 0 throttles
     5584 input errors, 0 CRC, 0 frame, 5584 overrun, 0 ignored
     0 watchdog, 30 multicast, 0 pause input
     5459460767 packets output, 3540440430407 bytes, 0 underruns
     Transmitted 0 broadcasts
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Other ports in this card doing similar amounts of traffic are also
getting these in proportion to the traffic level:

#sh int g4/1
GigabitEthernet4/1 is up, line protocol is up
  Hardware is GigMac 3 Port GigabitEthernet, address is 0005.5ff8.c955 (bia 0005.5ff8.c955)
  Internet address is 192.168.1.1/30
  MTU 2450 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 47/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, link type is autonegotiation, media type is LX
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 9w1d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 146013 drops
  30 second input rate 85938000 bits/sec, 24296 packets/sec
  30 second output rate 185108000 bits/sec, 50553 packets/sec
     100929774614 packets input, 44365470024613 bytes, 2 no buffer
     Received 3 broadcasts, 0 runts, 3019035119 giants, 0 throttles
     92 input errors, 0 CRC, 0 frame, 92 overrun, 0 ignored
     0 watchdog, 4214445 multicast, 0 pause input
     152348554046 packets output, 61084338748442 bytes, 0 underruns
     Transmitted 8 broadcasts
     0 output errors, 0 collisions, 6 interface resets
     0 babbles, 0 late collision, 0 deferred
     3 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

So is this a limitation of the PHY? Checking the specs for the gigmac
PMC7160 (which I think this is?) it should be able to do around
1.94Gb/Sec @ 536KFps so what is causing the overruns?

I found a report in bug CSCse98594 of broadcast frames interspersed with
<= 64b packets causing this condition in tetra cards (E3) but would
assume the PHY is different.

Also worth noting, acl is being done in PSA and virtually no process
switching (other than CEF recv/punt) is being done.

Running 12.0(32)S8 on 12000 GRP-B, bugtool does not turn up anything
wonderful.

Has anybody seen this before?


From justin at justinshore.com Wed Aug 13 11:14:19 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 10:14:19 -0500
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <48A2B14C.5030308@imperial.ac.uk>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk>
Message-ID: <48A2FA4B.40104@justinshore.com>

Phil Mayers wrote:
> You're the 6500 IOS team. You have a large body of upstream IOS code,
> and you have to back-port it, but at the *same* time you also have to
> modularise it.

I'm really going to dive off into OT land, but does anyone know if the
Metro Ethernet 6500 is under the Enterprise BU or if it's the Service
Provider BU? I've gotten contradicting answers before. It would seem
really odd to me for the ME6524 to be under the Enterprise BU, no matter
what its roots are, because only SPs will use it. Likewise I don't
understand why it runs SX and not SR if it's in the SP BU.
Justin


From saku+cisco-nsp at ytti.fi Wed Aug 13 11:18:14 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 13 Aug 2008 18:18:14 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>
Message-ID: <20080813151814.GA3645@mx.ytti.net>

On (2008-08-11 07:41 +0200), Oliver Boehmer (oboehmer) wrote:

> BTW: the LDP filter only prevents advertisement of the binding, it
> doesn't prevent the LSR from assigning a label (the imp-null in your
> example).

I think we had this discussion some years ago, but it would be nice,
instead of ACLs to be able to say 'no mpls ldp label; mpls ldp label
loop0' or so, to generate label only for loop0.

--
  ++ytti


From rubensk at gmail.com Wed Aug 13 11:24:03 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 12:24:03 -0300
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <48A2FA4B.40104@justinshore.com>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk> <48A2FA4B.40104@justinshore.com>
Message-ID: <6bb5f5b10808130824y68d58f6bl158f9d7e3621462f@mail.gmail.com>

Latest info I've got is that the ME6500 is under the ISBU, Internet
Systems. 7600 is under the ERBU, Edge Routing, and 12000/CRS is under the
CRBU, Core Routing.

Rubens

On Wed, Aug 13, 2008 at 12:14 PM, Justin Shore wrote:
> Phil Mayers wrote:
>>
>> You're the 6500 IOS team. You have a large body of upstream IOS code, and
>> you have to back-port it, but at the *same* time you also have to modularise
>> it.
>
> I'm really going to dive off into OT land, but does anyone know if the Metro
> Ethernet 6500 is under the Enterprise BU or if it's the Service Provider BU?
> I've gotten contradicting answers before. It would seem really odd to me
> for the ME6524 to be under the Enterprise BU, no matter what its roots are,
> because only SPs will use it. Likewise I don't understand why it runs SX and
> not SR if it's in the SP BU.
>
> Justin
>


From justin at justinshore.com Wed Aug 13 11:27:17 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 10:27:17 -0500
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A2FD55.8030006@justinshore.com>

Paul Stewart wrote:
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.

While I don't have an elegant fix for you, how about a kron job that
reloads the router every 2 weeks in the wee hours of the morning? If it's
only a 2621XM it can't be too big of a site and likely not that critical
(assumption but probably fair). A reload shouldn't be too painful.
Though we are talking about a 2600 XM router. Boot time for one of them
is over 10m if memory serves me correctly. I hate to use duct tape fixes
like that but sometimes the simplest solution (problem avoidance) is the
best overall approach.
Justin


From jlewis at lewis.org Wed Aug 13 11:50:31 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 13 Aug 2008 11:50:31 -0400 (EDT)
Subject: [c-nsp] conditional bgp default-originate
Message-ID:

I'd like to be able to conditionally advertise a default route to
customers taking just default routes only if my transit BGP sessions
appear to be functional. I thought something like this might work:

neighbor 10.1.0.2 default-originate route-map BGP-UP

route-map BGP-UP permit 10
 match as-path 100

ip as-path access-list 100 permit ^3356_
ip as-path access-list 100 permit ^4323_

But no such luck. Checking the docs at
http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042
it seems I have to exactly match against a route for the route-map to
work here. That means actually picking a few "canary routes" I expect to
get from my upstreams and hoping they don't go anywhere or change mask.
I'm not really happy with that. Are there better ways to do this?

Also, while looking at the docs above and experimenting in the GNS3
simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a
few oddities. First, there's multiple errors in the docs mentioned above.
i.e. From the URL above:

  In the following example, the last line of the configuration has been
  changed to show the use of an extended access list. The local router
  injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a
  route to 192.168.0.0 with a mask of 255.255.0.0:

  router bgp 50000
   network 172.16.0.0
   neighbor 172.16.2.3 remote-as 60000
   neighbor 172.16.2.3 default-originate route-map default-map
  !
  route-map default-map 10 permit
   match ip address 1
  !
  access-list 100 permit ip host 192.168.0.0 host 255.255.255.0

In the above example, they did change the ACL to an extended access-list,
but the route-map wasn't updated to use it (still using 1) and they say
they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
access-list 100 uses a /24 mask.

Just above this example, the docs say that

  access-list 1 permit 192.168.0.0

will match a route for 192.168.0.0 with any mask.

In my simulator, I have

R1--R2--R3

R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
to R3 using the route-map

route-map BGP-UP permit 10
 match ip address 50

access-list 50 permit 8.0.0.0

When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
default is not sent to R3. If I add to access-list 50

access-list 50 permit 8.0.0.0 0.0.255.255

Standard IP access list 50
    10 permit 8.0.0.0 (973 matches)
    20 permit 8.0.0.0, wildcard bits 0.0.255.255

I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
This seems kind of broken. I haven't duplicated the setup with real
hardware to see if it's a simulator screwup...but since the simulator is
running actual IOS, it seems unlikely the simulator is to blame.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


From cisco-nsp at gatlan.nl Wed Aug 13 11:35:23 2008
From: cisco-nsp at gatlan.nl (Bas Roos)
Date: Wed, 13 Aug 2008 17:35:23 +0200
Subject: [c-nsp] SRC2?
In-Reply-To: <1218555162.2004.15.camel@empacher.cns.ufl.edu>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu>
Message-ID: <48A2FF3B.5030104@gatlan.nl>

Chris Griffin wrote:
> Anyone know when 12.2(33)SRC2 is supposed to be released, specifically
> for the 7600. I had heard by the end of July, but so far no release.
>
> Thanks

We have a very annoying bug in the previous version and are waiting for
this release for our 7206VXR. According to someone at Cisco, who wasn't
supposed to say this, it would be released in about 4 to 5 weeks. Sadly,
this was promised us about 8 weeks ago :( The latest statement we got
from them was end-september.
Cheers,

Bas Roos


From justin at justinshore.com Wed Aug 13 12:04:28 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 11:04:28 -0500
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <001101c8fd5a$82e1a8d0$88a4fa70$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A2FD55.8030006@justinshore.com> <001101c8fd5a$82e1a8d0$88a4fa70$@org>
Message-ID: <48A3060C.8070707@justinshore.com>

It's a good way to justify new gear too. :-)

Justin

Paul Stewart wrote:
> Thanks.. yeah, we've looked at that... but in the meantime as they fail we
> are pulling them out of production and scrapping them pretty much...
>
> I'm estimating we have 10-12 of these still left at sites and they all came
> from the same supplier which is suspicious (hence my questions on fake
> gear)....
>
> Paul


From Benjamin.Conconi at nok.ch Wed Aug 13 13:04:50 2008
From: Benjamin.Conconi at nok.ch (Benjamin.Conconi at nok.ch)
Date: Wed, 13 Aug 2008 19:04:50 +0200
Subject: [c-nsp] ES40 / ES20+ / SRD
Message-ID: <5572DC61C4EEAB4DABE7E00F1DEF0557112E50@VMBDN121.prod.axponet.ch>

Hello

Does anyone have information / availability / pricing about the new
ES40/ES20+ Linecard and SRD...

thanks

Ben


From saku+cisco-nsp at ytti.fi Wed Aug 13 13:23:03 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 13 Aug 2008 20:23:03 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
Message-ID: <20080813172303.GA4180@mx.ytti.net>

On (2008-08-13 17:29 +0200), Oliver Boehmer (oboehmer) wrote:

> well, an LSR needs to allocate labels also for other nodes' loopbacks,
> so this alone will not be enough ;-)

All boxes would advertise everything they get, but only generate loop0.

> However, IOS now has a label allocation filter
> (http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
> having a "allocate global host-routes" shorthand to only
> allocate labels for /32s (or uses a prefix-list for more granular
> control)..

Interface would be nice short-cut, as it's probably most typical
situation that you only want labels for loop0.

--
  ++ytti


From oboehmer at cisco.com Wed Aug 13 14:38:18 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 13 Aug 2008 20:38:18 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <20080813172303.GA4180@mx.ytti.net>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>

Saku Ytti wrote on Wednesday, August 13, 2008 7:23 PM:

> On (2008-08-13 17:29 +0200), Oliver Boehmer (oboehmer) wrote:
>
>> well, an LSR needs to allocate labels also for other nodes'
>> loopbacks, so this alone will not be enough ;-)
>
> All boxes would advertise everything they get, but only generate
> loop0.

well, this dependency on what other LDP neighbors send is not really
in-line with the independent control mode LDP operates in, so the
implementation might not be straight-forward.

>> However, IOS now has a label allocation filter
>> (http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
>> having a "allocate global host-routes" shorthand to
>> only allocate labels for /32s (or uses a prefix-list for more
>> granular control)..
>
> Interface would be nice short-cut, as it's probably most typical
> situation that you only want labels for loop0.

well, "interfaces" would also cover connected /30 or /31s, something you
usually don't want to advertise labels for? But wouldn't a (prefix) ACL
be enough to cover most cases? Generally, loopbacks are allocated from
one or more prefix ranges, so ACLs could be rather static?

	oli


From TOMAS.LYNCH at GlobalCrossing.com Wed Aug 13 15:02:15 2008
From: TOMAS.LYNCH at GlobalCrossing.com (Lynch, Tomas)
Date: Wed, 13 Aug 2008 15:02:15 -0400
Subject: [c-nsp] Sub-interface question...
References:
Message-ID: <5210A1C9084123478E12AA5924D1F2536F415A@w3usmia2.lat.gblxint.com>

Frame relay, ATM ;)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
> Sent: Wednesday, August 13, 2008 12:36 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Sub-interface question...
>
> I'm in an awkward situation where I've been given the task to
> investigate how to design MPLS vrf connections without using VLANs
> defined locally, and using sub-interfaces instead. I'm unsure of how this
> is possible...any suggestions on where to look?
>


From sethm at rollernet.us Wed Aug 13 15:04:44 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 13 Aug 2008 12:04:44 -0700
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A3304C.1000609@rollernet.us>

Paul Stewart wrote:
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>

I'm aware of fake modules, and I have some fakes, but I've personally
never heard of fake routers before now.

~Seth


From RTeller at deltadentalwa.com Wed Aug 13 15:13:37 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 13 Aug 2008 12:13:37 -0700
Subject: [c-nsp] VMPS and 6500
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00FA6@tiger.deltadentalwa.com>

I was thinking about playing with VMPS but from what I can tell it's not
supported on IOS, is that correct?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be
privileged, confidential and protected from disclosure. This transmission
is intended for the sole use of the individual and entity to whom it is
addressed. If you are not the intended recipient, any dissemination,
distribution or copying is strictly prohibited. If you think that you have
received this message in error, please e-mail the sender at the above
e-mail address.
#########################################################


From paul at paulstewart.org Wed Aug 13 15:24:22 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 13 Aug 2008 15:24:22 -0400
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <48A3304C.1000609@rollernet.us>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A3304C.1000609@rollernet.us>
Message-ID: <000301c8fd7a$3752cd70$a5f86850$@org>

Neither had I... I have heard of lots of fake 2950 switches though and
that they are extremely hard to tell the difference....

Thanks everyone for the replies.... anyone aware of a way to run serial
numbers on Cisco.com and verify the correct model even? I've heard of
some grey market resellers doing this before...
Paul

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: August 13, 2008 3:05 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Paul Stewart wrote:
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>

I'm aware of fake modules, and I have some fakes, but I've personally
never heard of fake routers before now.

~Seth


From sdanelli at gmail.com Wed Aug 13 15:47:31 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Wed, 13 Aug 2008 13:47:31 -0600
Subject: [c-nsp] filter LDP bindings
Message-ID:

"well, an LSR needs to allocate labels also for other nodes' loopbacks,
so this alone will not be enough ;-)"

Could it not just base its allocation of labels on having it in the LFIB
already? Why does the LSR need to allocate a label for all the learned
prefixes? Juniper only binds the loopback and all the LSRs only allocate
labels for that from other neighbors, maybe it just looks for /32
prefixes. Is that what Label distribution control mode: ordered vs. Label
distribution control mode: independent is?

thanks

Message: 3
Date: Wed, 13 Aug 2008 17:29:03 +0200
From: "Oliver Boehmer (oboehmer)"
Subject: Re: [c-nsp] filter LDP bindings
To: "Saku Ytti" >, < cisco-nsp at puck.nether.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D at xmb-ams-333.emea.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Saku Ytti <> wrote on Wednesday, August 13, 2008 5:18 PM:

> On (2008-08-11 07:41 +0200), Oliver Boehmer (oboehmer) wrote:
>
>> BTW: the LDP filter only prevents advertisement of the binding, it
>> doesn't prevent the LSR from assigning a label (the imp-null in your
>> example).
>
> I think we had this discussion some years ago, but it would be nice,
> instead of ACLs to be able to say 'no mpls ldp label; mpls ldp label
> loop0' or so, to generate label only for loop0.

well, an LSR needs to allocate labels also for other nodes' loopbacks,
so this alone will not be enough ;-)

However, IOS now has a label allocation filter
(http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
having a "allocate global host-routes" shorthand to only allocate labels
for /32s (or uses a prefix-list for more granular control)..

	oli

--
Sergio


From jfitz at Princeton.EDU Wed Aug 13 16:17:21 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 13 Aug 2008 16:17:21 -0400
Subject: [c-nsp] 6500 snmp and vty acls ?
Message-ID:

Does anyone know if VTY and snmp ACLs are implemented in hardware or
software on a 6500 with 720-CXL running 12.2(33)SXH?

I am trying to understand COPP and move away from the VTY and SNMP ACLs.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University


From vateatea at gmail.com Wed Aug 13 16:23:06 2008
From: vateatea at gmail.com (Kyle Johnson)
Date: Wed, 13 Aug 2008 16:23:06 -0400
Subject: [c-nsp] CLIPS functionality for DHCP clients
Message-ID:

All-

I'm trying to create a solution to allow for subscriber management based
on client PC MAC address. I see that Redback offers this "CLIPS" (CPE mac
address & RADIUS record) method of subscriber management but Redback
equipment is pretty pricey...

Does anyone have a suggestion on a Cisco equivalent (PPPOE
functionality/sessions based off client MAC rather than PPPOE config..)
that will run on lower-end gear?

Thanks-
Kyle


From vijay.ramcharan at verizonbusiness.com Wed Aug 13 15:51:00 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 13 Aug 2008 19:51:00 +0000
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <000301c8fd7a$3752cd70$a5f86850$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A3304C.1000609@rollernet.us> <000301c8fd7a$3752cd70$a5f86850$@org>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F0504EECD@ASHEVS011.mcilink.com>

What if the counterfeiter simply copies a valid serial number and uses it
to produce x number of fake Cisco labels (those are faked to look like
real labels too) which they then affix to x number of fake chassis?

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: August 13, 2008 15:24
To: 'Seth Mattinen'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Neither had I... I have heard of lots of fake 2950 switches though and
that they are extremely hard to tell the difference....

Thanks everyone for the replies.... anyone aware of a way to run serial
numbers on Cisco.com and verify the correct model even? I've heard of
some grey market resellers doing this before...

Paul

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: August 13, 2008 3:05 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Paul Stewart wrote:
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep".
When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>

I'm aware of fake modules, and I have some fakes, but I've personally never
heard of fake routers before now.

~Seth

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


From leonardo.souza at nec.com.br Wed Aug 13 16:30:57 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 13 Aug 2008 17:30:57 -0300
Subject: [c-nsp] RES: conditional bgp default-originate
References:
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E27@spsrvmail03.nec.br>

I haven't tested this, but you can configure two access-lists with both
BGP session IP addresses of your upstream providers and match them in the
route-map.

neighbor 10.1.0.2 default-originate route-map BGP-UP

route-map BGP-UP permit 10
 match ip address 101
 match ip address 102
route-map BGP-UP deny 20

access-list 101 permit ip host x.x.x.x
access-list 101 remark upstream provider 1 bgp session ip address
access-list 102 permit ip host y.y.y.y
access-list 102 remark upstream provider 2 bgp session ip address

Regards,
Leonardo Gama.

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Jon Lewis
Sent: Wed 13/8/2008 12:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] conditional bgp default-originate

I'd like to be able to conditionally advertise a default route to
customers taking just default routes only if my transit BGP sessions
appear to be functional.

I thought something like this might work:

 neighbor 10.1.0.2 default-originate route-map BGP-UP

route-map BGP-UP permit 10
 match as-path 100

ip as-path access-list 100 permit ^3356_
ip as-path access-list 100 permit ^4323_

But no such luck. Checking the docs at

http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042

it seems I have to exactly match against a route for the route-map to work
here. That means actually picking a few "canary routes" I expect to get
from my upstreams and hoping they don't go anywhere or change mask. I'm
not really happy with that. Are there better ways to do this?

Also, while looking at the docs above and experimenting in the GNS3
simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few
oddities.

First, there's multiple errors in the docs mentioned above. i.e. From the
URL above:

 In the following example, the last line of the configuration has been
 changed to show the use of an extended access list. The local router
 injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route
 to 192.168.0.0 with a mask of 255.255.0.0:

 router bgp 50000
 network 172.16.0.0
 neighbor 172.16.2.3 remote-as 60000
 neighbor 172.16.2.3 default-originate route-map default-map
 !
 route-map default-map 10 permit
 match ip address 1
 !
 access-list 100 permit ip host 192.168.0.0 host 255.255.255.0

In the above example, they did change the ACL to an extended access-list,
but the route-map wasn't updated to use it (still using 1) and they say
they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
access-list 100 uses a /24 mask.

Just above this example, the docs say that
 access-list 1 permit 192.168.0.0
will match a route for 192.168.0.0 with any mask. In my simulator, I have
R1--R2--R3
R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
to R3 using the route-map

route-map BGP-UP permit 10
 match ip address 50

access-list 50 permit 8.0.0.0

When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
default is not sent to R3. If I add to access-list 50
access-list 50 permit 8.0.0.0 0.0.255.255

Standard IP access list 50
 10 permit 8.0.0.0 (973 matches)
 20 permit 8.0.0.0, wildcard bits 0.0.255.255

I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
This seems kind of broken. I haven't duplicated the setup with real
hardware to see if it's a simulator screwup...but since the simulator is
running actual IOS, it seems unlikely the simulator is to blame.

----------------------------------------------------------------------
 Jon Lewis | I route
 Senior Network Engineer | therefore you are
 Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


From jared at puck.nether.net Wed Aug 13 16:32:15 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 13 Aug 2008 16:32:15 -0400
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To:
References:
Message-ID: <20080813203215.GF19971@puck.nether.net>

On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
> Does anyone know if VTY and snmp ACLs are implemented in hardware or
> software on a 6500 with 720-CXL running 12.2(33)SXH.

If implemented with line vty 0 4 access-class it's done in SW.

> I am trying to understand COPP and move away from the VTY and SNMP ACLs.

If implemented with CoPP then it's done in HW and Software.

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
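The route-map evaluation Jon and Leonardo are discussing, modelled in Python as an added example (my code, not from Jon, Leonardo, Hank or Cisco). It implements the semantics the IOS documentation quoted in the thread describes: the route-map under "default-originate route-map" is run against every route in the BGP table, the default is sent to the neighbour only while at least one route is permitted, a standard ACL matches only the network address (any mask), and an extended ACL in this context matches network (source field) plus mask (destination field). The BGP tables below are constructed; the ACL entries are the ones quoted in this thread (Jon's "permit 8.0.0.0", the documentation's 192.168.0.0 / 255.255.0.0, and the "216.140.0.0 0.3.255.255" canary from Hank's follow-up).

```python
"""Model of `neighbor X default-originate route-map M` (added example,
not from the thread).  Implements the documented IOS semantics: the
route-map runs against every route in the BGP table and 0.0.0.0/0 is
originated only while some route is permitted.  Standard ACL: network
address only.  Extended ACL (in this context): network + mask."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, acl_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(acl_addr) & care)


@dataclass
class StandardAcl:
    # (action, address, wildcard); first match wins, implicit deny at the end
    entries: List[Tuple[str, str, str]]

    def permits(self, net: ipaddress.IPv4Network) -> bool:
        for action, addr, wc in self.entries:
            if wildcard_match(str(net.network_address), addr, wc):
                return action == "permit"
        return False


@dataclass
class ExtendedAcl:
    # (action, src, src_wc, dst, dst_wc): src matches the network, dst the mask
    entries: List[Tuple[str, str, str, str, str]]

    def permits(self, net: ipaddress.IPv4Network) -> bool:
        for action, src, src_wc, dst, dst_wc in self.entries:
            if (wildcard_match(str(net.network_address), src, src_wc)
                    and wildcard_match(str(net.netmask), dst, dst_wc)):
                return action == "permit"
        return False


@dataclass
class RouteMapClause:
    action: str                               # "permit" or "deny"
    acls: list = field(default_factory=list)  # several `match ip address` ACLs are ORed

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        return not self.acls or any(acl.permits(net) for acl in self.acls)


def route_map_permits(clauses: List[RouteMapClause], net: ipaddress.IPv4Network) -> bool:
    for clause in clauses:
        if clause.matches(net):
            return clause.action == "permit"
    return False  # implicit deny after the last clause


def originate_default(bgp_table: List[str], clauses: List[RouteMapClause]) -> bool:
    """True while at least one route in the table passes the route-map."""
    return any(route_map_permits(clauses, ipaddress.IPv4Network(p)) for p in bgp_table)


# Route-maps built from the ACL entries quoted in the thread (tables are constructed).
JON_MAP = [RouteMapClause("permit", [StandardAcl([("permit", "8.0.0.0", "0.0.0.0")])])]
HANK_MAP = [RouteMapClause("permit", [StandardAcl([("permit", "216.140.0.0", "0.3.255.255")])])]
DOC_MAP = [RouteMapClause("permit", [ExtendedAcl(
    [("permit", "192.168.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0")])])]

if __name__ == "__main__":
    # canary present -> default originated; canary withdrawn -> default withdrawn
    print(originate_default(["216.141.10.0/24", "10.0.0.0/8"], HANK_MAP))
    print(originate_default(["10.0.0.0/8"], HANK_MAP))
```

The two prints show the canary behaviour: the default stays on while a route inside 216.140.0.0/14 is in the table and goes off as soon as the last one is withdrawn. The fragility Jon mentions is visible in the extended-ACL case: because the mask is matched as well, a canary that comes back with a different prefix length silently switches the default off. The model does not reproduce the "no hits" result Jon saw in GNS3; the thread leaves open whether that is IOS behaviour or a simulator effect.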
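For Jeff's question about moving from VTY/SNMP ACLs to CoPP, here is a constructed MQC control-plane policy of the kind Jared is referring to (an added example, not a configuration from the thread or from Cisco's documentation). 192.0.2.0/24 is a placeholder for the management network, the community string is a placeholder, and the policer rates are illustrative values that need tuning to the real management traffic profile.

```cisco
! Added example, constructed.  192.0.2.0/24 = placeholder management network.
!
! Trusted management stations get a generous policer; everyone else talking
! to SSH/Telnet/SNMP on the box is dropped before it reaches the RP.
! Class order matters: the first matching class wins.
ip access-list extended COPP-MGMT-TRUSTED
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-MGMT-OTHER
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq snmp
!
class-map match-all COPP-MGMT-TRUSTED
 match access-group name COPP-MGMT-TRUSTED
class-map match-all COPP-MGMT-OTHER
 match access-group name COPP-MGMT-OTHER
!
policy-map COPP
 class COPP-MGMT-TRUSTED
  police 1000000 31250 conform-action transmit exceed-action drop
 class COPP-MGMT-OTHER
  police 32000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Keep the software-path filters as the authoritative check; CoPP only
! limits how much unwanted traffic reaches them.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
snmp-server community PLACEHOLDER-COMMUNITY RO 10
```

Two points worth checking on a 6500 before relying on this: hardware CoPP on the Sup720 is enforced per forwarding engine (PFC and each DFC), so the aggregate rate that can reach the RP is the configured rate multiplied by the number of forwarding engines in the chassis; and the access-class / SNMP ACL should stay in place rather than be removed, since CoPP rate-limits the traffic class while the ACLs are what actually refuse sessions from non-management sources.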
From gert at greenie.muc.de Wed Aug 13 17:00:59 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 13 Aug 2008 23:00:59 +0200 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) In-Reply-To: <48A2B14C.5030308@imperial.ac.uk> References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk> Message-ID: <20080813210059.GY288@greenie.muc.de> Hi, On Wed, Aug 13, 2008 at 11:02:52AM +0100, Phil Mayers wrote: > Think about it: > > You're the 6500 IOS team. You have a large body of upstream IOS code, > and you have to back-port it, but at the *same* time you also have to > modularise it. > > Contrast: > > You're the 7600 IOS team. You have a large body of upstream IOS code. > You just have to back-port it. Did I mention that the whole 6500-vs-7600-vs-"why the hell would anybody want stable IOS?" debacle is really annoying? IOS quality on the 6500/7600 platform, which really should be the "show horse" platform for Cisco, is on the same (low) level as "new hardware T train release" - but on other platforms one can usually choose a non-T train, while on 6500/7600, usually you don't even get to choose between pest or cholera... I can't believe why things as "IPv6 on a SVI" or "scp from the box" could simply be non-working in new releases. Is anyone testing this stuff? Or is the single programmer in each BU fully occupied with keeping the gazillion of BU "stupid decision makers" off his back? [..] > Let's not kid ourselves - SXF is going to be the stable release for some > time to come. I just hope they release an SXF train with support for the > 6716s I bought... There is no SXF support for the Sup720-10G either, as far as I have been led to understand, so I wouldn't hold my breath... 
(Stupid me, falling for Cisco sales pitch again "hey, when we have to swap your 7606S chassis against 6506 chassis anyway, what about paying just a leeeetle extra and getting a Sup720->Sup720-10G upgrade with it?"). Now we're running SXH3, have lost BFD on SVIs, and are waiting for some catastrophic thing to happen to our network. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From gert at greenie.muc.de Wed Aug 13 17:07:36 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 13 Aug 2008 23:07:36 +0200 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> Message-ID: <20080813210736.GZ288@greenie.muc.de> Hi, On Wed, Aug 13, 2008 at 04:24:14PM +0800, Hock Jim wrote: > That said, unless you're directly connected to a BGP peer with 32-bit ASNs, Even then it will work, sort of. Just configure the peer as AS23456. You'll lose AS-path filtering capability, though, and if you have multiple 32bit peer ASNs, it will be hard to figure out who is who. If you have a 32bit ASN yourself, then you're doomed. (You could buy a Vendor J router, they have implemented it on time... - it's not like "it's especially hard", or "cisco has not been told that the ASN clock is ticking" or even "Cisco folks have taken part in writing the relevant 32-bit RFC"). gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From ras at e-gerbil.net Wed Aug 13 17:39:53 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Wed, 13 Aug 2008 16:39:53 -0500 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <20080813210736.GZ288@greenie.muc.de> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> Message-ID: <20080813213953.GH4889@gerbil.cluepon.net> On Wed, Aug 13, 2008 at 11:07:36PM +0200, Gert Doering wrote: > If you have a 32bit ASN yourself, then you're doomed. (You could buy > a Vendor J router, they have implemented it on time... - it's not like > "it's especially hard", or "cisco has not been told that the ASN clock > is ticking" or even "Cisco folks have taken part in writing the relevant > 32-bit RFC"). Rest assured that updating the festering piece of crap that is IOS to change every data structure that holds ASNs and every piece of code that tched them (think as-path, regexp, show/cli changes for the unbelievably retarded #.# syntax, etc), not to mention all the backwards compatibility code and testing, is especially hard. 
:) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From swmike at swm.pp.se Wed Aug 13 18:04:05 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 14 Aug 2008 00:04:05 +0200 (CEST) Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <20080813213953.GH4889@gerbil.cluepon.net> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net> Message-ID: On Wed, 13 Aug 2008, Richard A Steenbergen wrote: > Rest assured that updating the festering piece of crap that is IOS to > change every data structure that holds ASNs and every piece of code that > tched them (think as-path, regexp, show/cli changes for the unbelievably > retarded #.# syntax, etc), not to mention all the backwards > compatibility code and testing, is especially hard. :) The most interesting thing is that it seems it'll be available in patch rebuilds of 12.0(32)S and 12.0(33)S. That's kind of special, I wouldn't have expected this kind of functionality show up in a patch rebuild. -- Mikael Abrahamsson email: swmike at swm.pp.se From rubensk at gmail.com Wed Aug 13 18:13:07 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Wed, 13 Aug 2008 19:13:07 -0300 Subject: [c-nsp] CLIPS functionality for DHCP clients In-Reply-To: References: Message-ID: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com> I don't think there is any Cisco low-end solution to this; 7200, ASR, 10k and SCE are the platforms I think can do this one way or the other. Consider using Mikrotik or NoCat/NoDog solutions (http://nocat.net/). Rubens On Wed, Aug 13, 2008 at 5:23 PM, Kyle Johnson wrote: > All- > > I'm trying to create a solution to allow for subscriber management > based on client PC MAC address. 
I see that Redback offers this "CLIPS" > (CPE mac address & RADIUS record) method of subscriber management but > Redback equipment is pretty pricey... > > Does anyone have a suggestion on a Cisco equivalent (PPPOE > functionality/sessions based off client MAC rather than PPPOE > config..) that will run on lower-end gear? > > Thanks- > > Kyle > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From frnkblk at iname.com Wed Aug 13 18:49:07 2008 From: frnkblk at iname.com (Frank Bulk - iNAME) Date: Wed, 13 Aug 2008 17:49:07 -0500 Subject: [c-nsp] 1252ag backwards compatibility In-Reply-To: References: Message-ID: Dan: Unless you're running Greenfield mode, which I'm not sure you can even configure on a Cisco AP, there's full backward compatibility such that 802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz support, of course) operate at n. Be aware that mixing 802.11n with 802.11b/g clients will reduce overall performance, but not significantly enough to devalue running 802.11n. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman Sent: Tuesday, August 12, 2008 8:02 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 1252ag backwards compatibility Hello, I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell me if you have 802.11g clients and some 802.11n clients all on 2.4ghz, do the 802.11n clients run at 802.11n and the 802.11g clients run at 802.11g? Or does everything run at 802.11g? Thanks, Dan. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Wed Aug 13 19:38:52 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 13 Aug 2008 19:38:52 -0400 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net> Message-ID: <20080813233852.GA18691@rtp-cse-489.cisco.com> It's called "lfep". Late feature exception process. btw, I've got a call to outline some of the 4 byte ASN stuff with the folks running 12.0S. Especially regarding 75xx, 10720, etc. support along with GRPB's. On Thu, Aug 14, 2008 at 12:04:05AM +0200, Mikael Abrahamsson wrote: > On Wed, 13 Aug 2008, Richard A Steenbergen wrote: > > >Rest assured that updating the festering piece of crap that is IOS to > >change every data structure that holds ASNs and every piece of code that > >tched them (think as-path, regexp, show/cli changes for the unbelievably > >retarded #.# syntax, etc), not to mention all the backwards > >compatibility code and testing, is especially hard. :) > > The most interesting thing is that it seems it'll be available in > patch rebuilds of 12.0(32)S and 12.0(33)S. That's kind of special, I > wouldn't have expected this kind of functionality show up in a patch > rebuild. 
> > -- > Mikael Abrahamsson email: swmike at swm.pp.se > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rubensk at gmail.com Wed Aug 13 19:45:10 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Wed, 13 Aug 2008 20:45:10 -0300 Subject: [c-nsp] 1252ag backwards compatibility In-Reply-To: References: Message-ID: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com> Can it be prevented, i.e, configuring 1252 to only run 802.11n, even in WDS mode ? We are hoping that 802.11n can improve on Wi-Fi tradition of having low pps rate, which is due to the sum of the 802.11b/a/g standard and low speed processors on the devices. Rubens On Wed, Aug 13, 2008 at 7:49 PM, Frank Bulk - iNAME wrote: > Dan: > > Unless you're running Greenfield mode, which I'm not sure you can even > configure on a Cisco AP, there's full backward compatibility such that > 802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz > support, of course) operate at n. Be aware that mixing 802.11n with > 802.11b/g clients will reduce overall performance, but not significantly > enough to devalue running 802.11n. > > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman > Sent: Tuesday, August 12, 2008 8:02 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] 1252ag backwards compatibility > > Hello, > > I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell > me if you have 802.11g clients and some 802.11n clients all on 2.4ghz, > do the 802.11n clients run at 802.11n and the 802.11g clients run at > 802.11g? Or does everything run at 802.11g? > > Thanks, > Dan. 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From leonardo.souza at nec.com.br Wed Aug 13 21:04:39 2008 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Wed, 13 Aug 2008 22:04:39 -0300 Subject: [c-nsp] RES: SXI on 6500 (was: SXH on 6500) In-Reply-To: <20080813210059.GY288@greenie.muc.de> References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com><00e601c8fcea$104fef40$1bfe200a@cisco.com><48A2B14C.5030308@imperial.ac.uk> <20080813210059.GY288@greenie.muc.de> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D018926D9@spsrvmail03.nec.br> Just kidding... while ( ! ( succeed = try_sx_train() ) ); -----Mensagem original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Gert Doering Enviada em: quarta-feira, 13 de agosto de 2008 18:01 Para: Phil Mayers Cc: 'Cisco-nsp' Assunto: Re: [c-nsp] SXI on 6500 (was: SXH on 6500) Hi, On Wed, Aug 13, 2008 at 11:02:52AM +0100, Phil Mayers wrote: > Think about it: > > You're the 6500 IOS team. You have a large body of upstream IOS code, > and you have to back-port it, but at the *same* time you also have to > modularise it. > > Contrast: > > You're the 7600 IOS team. You have a large body of upstream IOS code. > You just have to back-port it. Did I mention that the whole 6500-vs-7600-vs-"why the hell would anybody want stable IOS?" debacle is really annoying? 
IOS quality on the 6500/7600 platform, which really should be the "show horse" platform for Cisco, is on the same (low) level as "new hardware T train release" - but on other platforms one can usually choose a non-T train, while on 6500/7600, usually you don't even get to choose between pest or cholera... I can't believe why things as "IPv6 on a SVI" or "scp from the box" could simply be non-working in new releases. Is anyone testing this stuff? Or is the single programmer in each BU fully occupied with keeping the gazillion of BU "stupid decision makers" off his back? [..] > Let's not kid ourselves - SXF is going to be the stable release for > some time to come. I just hope they release an SXF train with support > for the 6716s I bought... There is no SXF support for the Sup720-10G either, as far as I have been led to understand, so I wouldn't hold my breath... (Stupid me, falling for Cisco sales pitch again "hey, when we have to swap your 7606S chassis against 6506 chassis anyway, what about paying just a leeeetle extra and getting a Sup720->Sup720-10G upgrade with it?"). Now we're running SXH3, have lost BFD on SVIs, and are waiting for some catastrophic thing to happen to our network. gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From mtinka at globaltransit.net Wed Aug 13 21:14:20 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 14 Aug 2008 09:14:20 +0800 Subject: [c-nsp] filter LDP bindings In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> Message-ID: <200808140914.21504.mtinka@globaltransit.net> On Wednesday 13 August 2008 23:29:03 Oliver Boehmer (oboehmer) wrote: > However, IOS now has a label allocation filter > (http://www.cisco.com/en/US/docs/ios/mpls/configuration/g >uide/mp_ldp_all oc_filter.html) having a "allocate global > host-routes" shorthand to only allocate labels for /32s > (or uses a prefix-list for more granular control).. We are doing this on our boxes running SRC - no complaints. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From andy.saykao at staff.netspace.net.au Wed Aug 13 22:58:13 2008 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Thu, 14 Aug 2008 12:58:13 +1000 Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPN Customers Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au> Hi All We are looking at providing our Layer 3 MPLS VPN customers with the option of a managed internet gateway via a NAT-PE router. This would mean that remote sites no longer have to access the internet via the Central Site model as this is the way we've been implementing Internet access for MPLS VPN customers. As all our MPLS VPN customers are using private IP addresses, NAT would have to obviously take place at the NAT-PE router. 
Below is a simple illustration of our network with the MPLS cloud comprising
PE1, PE2 and P. All internet traffic goes out through the P router. We do not
have local POPS in each city/state with a link to the Internet, instead we
have one central POP and internet traffic from across the country is routed
to the P router.

                     [INTERNET]
                          |
                          |
                          |
[CE1] ----- [PE1] ----- [ P ] ----- [PE2] ----- [CE2]

My dilemma is that I'm not entirely sure which router should be designated as
the NAT-PE router to act as the Internet Gateway for our MPLS VPN customers
or if we need to put in a new PE router somewhere? So what I've brainstormed
are the following ideas...

1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do this
because this is the core router that handles Internet traffic for all our
customers and I don't want to mess it up.

2/ Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm unsure
how to apply NAT because there is only one interface on the PE router
connecting to the P router so I'm not really sure where the ip nat inside
and outside command would go - unless we use NAT on a stick which I don't
think is recommended in a production environment.

3/ Lastly, do we need to put in a new router to act as the NAT-PE router?
If so, where would this be placed - maybe between the P router and the
Internet?

I've read various Cisco documentations but can't find anything for my
particular situation. Any further ideas would be greatly appreciated.

Thanks.

Andy

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
any views or opinions presented in this email are solely those of the author
and do not necessarily represent those of the organisation. Finally, the
recipient should check this email and any attachments for the presence of
viruses. The organisation accepts no liability for any damage caused by any
virus transmitted by this email.


From hank at efes.iucc.ac.il Thu Aug 14 01:23:50 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 14 Aug 2008 08:23:50 +0300
Subject: [c-nsp] RES: conditional bgp default-originate
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E27@spsrvmail03.nec.br>
References:
Message-ID: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il>

At 05:30 PM 13-08-08 -0300, Leonardo Gama Souza wrote:

I have tested this and it is working at a specific customer:

neighbor 10.100.80.7 default-originate route-map track-Broadwing
neighbor 10.100.80.7 distribute-list nothing-else-plus out
!
ip access-list extended nothing-else-plus
! Insert any nets you wish to announce here
 deny ip any any
access-list 50 permit 216.140.0.0 0.3.255.255
!
route-map track-Broadwing permit 10
 match ip address 50
!

You want to pick a network inside your upstream that will never go away and
if it does, that means their backbone has gone down. Do a few traceroutes
and you will quickly figure out what are their backbone CIDRs to use.

-Hank

>I haven't tested this, but you can configure two access-lists with both
>BGP session IP addresses of your upstream providers and match them in the
>route-map.
>
>neighbor 10.1.0.2 default-originate route-map BGP-UP
>
>route-map BGP-UP permit 10
> match ip address 101
> match ip address 102
>route-map BGP-UP deny 20
>
>access-list 101 permit ip host x.x.x.x
>access-list 101 remark upstream provider 1 bgp session ip address
>access-list 102 permit ip host y.y.y.y
>access-list 102 remark upstream provider 2 bgp session ip address
>
>Regards,
>Leonardo Gama.
>________________________________ > >De: cisco-nsp-bounces at puck.nether.net em nome de Jon Lewis >Enviada: qua 13/8/2008 12:50 >Para: cisco-nsp at puck.nether.net >Assunto: [c-nsp] conditional bgp default-originate > > > >I'd like to be able to conditionally advertise a default route to >customers taking just default routes only if my transit BGP sessions >appear to be functional. > >I thought something like this might work: > > neighbor 10.1.0.2 default-originate route-map BGP-UP > >route-map BGP-UP permit 10 > match as-path 100 > >ip as-path access-list 100 permit ^3356_ >ip as-path access-list 100 permit ^4323_ > >But no such luck. Checking the docs at > >http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042 > >it seems I have to exactly match against a route for the route-map to work >here. That means actually picking a few "canary routes" I expect to get >from my upstreams and hoping they don't go anywhere or change mask. I'm >not really happy with that. Are there better ways to do this? > >Also, while looking at the docs above and experimenting in the GNS3 >simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few >oddities. > >First, there's multiple errors in the docs mentioned above. i.e. From the >URL above: > > In the following example, the last line of the configuration has been > changed to show the use of an extended access list. The local router > injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route > to 192.168.0.0 with a mask of 255.255.0.0: > > router bgp 50000 > network 172.16.0.0 > neighbor 172.16.2.3 remote-as 60000 > neighbor 172.16.2.3 default-originate route-map default-map > ! > route-map default-map 10 permit > match ip address 1 > ! 
>  access-list 100 permit ip host 192.168.0.0 host 255.255.255.0
>
>In the above example, they did change the ACL to an extended access-list,
>but the route-map wasn't updated to use it (still using 1) and they say
>they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
>access-list 100 uses a /24 mask.
>
>Just above this example, the docs say that
>  access-list 1 permit 192.168.0.0
>will match a route for 192.168.0.0 with any mask. In my simulator, I have
>R1--R2--R3
>R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
>to R3 using the route-map
>
>route-map BGP-UP permit 10
> match ip address 50
>
>access-list 50 permit 8.0.0.0
>
>When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
>default is not sent to R3. If I add to access-list 50
>access-list 50 permit 8.0.0.0 0.0.255.255
>
>Standard IP access list 50
>    10 permit 8.0.0.0 (973 matches)
>    20 permit 8.0.0.0, wildcard bits 0.0.255.255
>
>I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
>This seems kind of broken. I haven't duplicated the setup with real
>hardware to see if it's a simulator screwup...but since the simulator is
>running actual IOS, it seems unlikely the simulator is to blame.
>
>----------------------------------------------------------------------
> Jon Lewis                   |  I route
> Senior Network Engineer     |  therefore you are
> Atlantic Net                |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku+cisco-nsp at ytti.fi Thu Aug 14 02:16:45 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 14 Aug 2008 09:16:45 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>
Message-ID: <20080814061645.GA18183@mx.ytti.net>

On (2008-08-13 20:38 +0200), Oliver Boehmer (oboehmer) wrote:

> well, this dependency on what other LDP neighbors send is not really
> in-line with the independent control mode LDP operates in, so the
> implementation might not be straight-forward.

I think we have a misunderstanding here. All boxes would 'stupidly' accept and readvertise everything they get, no additional states here, plain 'ol ios behaviour without LDP ACL. But per node, you'd tell the nodes not to generate label, except for their loopback. End result would be, that you'd only have loop0's in each MPLS speaker's LIBs, without any ACL/prefix-list maintenance overhead.

> well, "interfaces" would also cover connected /30 or /31s, something you
> usually don't want to advertise labels for?
You'd replace the 'interface' with loop0 or loopX, which ever you use for labeled destination. > But wouldn't a (prefix) ACL be enough to cover most cases? Generally, > loopbacks are allocated from one or more prefix ranges, so ACLs could be > rather static? Yes, both can easily accomplish same goal, just bit additional admin overhead, while the true application in virtually all cases is, to generate label for single loopback interface. And actually we would have probably used 'your' way, had it been available when we wanted to implement it, instead of doing advertisement ACLs. -- ++ytti From gert at greenie.muc.de Thu Aug 14 02:29:57 2008 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 14 Aug 2008 08:29:57 +0200 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <20080813213953.GH4889@gerbil.cluepon.net> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net> Message-ID: <20080814062957.GA288@greenie.muc.de> Hi, On Wed, Aug 13, 2008 at 04:39:53PM -0500, Richard A Steenbergen wrote: > Rest assured that updating the festering piece of crap that is IOS to > change every data structure that holds ASNs and every piece of code that > tched them (think as-path, regexp, show/cli changes for the unbelievably > retarded #.# syntax, etc), not to mention all the backwards compatibility > code and testing, is especially hard. :) They have already done it for XR and Nexus, so they know how to do it. (Yes, I'm oversimplifying. But then, if they would consider it a major selling point, instead of an "operational requirement for their customers", it would have happened years ago.) gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From p.mayers at imperial.ac.uk Thu Aug 14 03:16:40 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 14 Aug 2008 08:16:40 +0100
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To:
References:
Message-ID: <20080814071640.GB2690@wildfire.net.ic.ac.uk>

On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
>Does anyone know if VTY and snmp ACLs are implemented in hardware or
>software on a 6500 with 720-CXL running 12.2(33)SXH.

VTY and SNMP ACLs are done in software; they have to be, because they reference certain CPU conditions e.g. consider:

vty 0 12
 access-class NET_OPS in
vty 13 15
 access-class REALLY_VITAL in

...where you reserve VTYs 13-15 for really important stuff; clearly the CPU will have to be asked how many VTYs are open to make this work.

Ditto with SNMP community strings - you might have 2 communities with mutually exclusive ACLs, and one needs to decode the SNMP header and extract the community before processing the ACL

>
>I am trying to understand COPP and move away from the VTY and SNMP ACLs.

CoPP is done in hardware if everything is working correctly, though a 2nd pass of the ACLs can be performed in software to ensure that for a rate limit of N you don't get N*M pps - M being the number of DFC/PFC forwarding engines

>
>Thanks for any info.
>
>
>Jeff Fitzwater
>OIT Network Systems
>Princeton University
>
>
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From oboehmer at cisco.com Thu Aug 14 03:24:05 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 14 Aug 2008 09:24:05 +0200
Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPNCustomers
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>

Andy Saykao <> wrote on Thursday, August 14, 2008 4:58 AM:

> Hi All
>
> We are looking at providing our Layer 3 MPLS VPN customers with the
> option of a managed internet gateway via a NAT-PE router. This would
> mean that remote sites no longer have to access the internet via the
> Central Site model as this is the way we've been implementing Internet
> access for MPLS VPN customers.
>
> As all our MPLS VPN customers are using private IP addresses, NAT
> would have to obviously take place at the NAT-PE router.
> [...]
> My dilemma is that I'm not entirely sure which router should be
> designated as the NAT-PE router to act as the Internet Gateway for our
> MPLS VPN customers or if we need to put in a new PE router somewhere?
>
> So what I've brainstormed are the following ideas...
>
> 1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
> this because this is the core router that handles Internet traffic for
> all our customers and I don't want to mess it up.

Agreed, I wouldn't take this path either. NAT is stateful, so future scalability is a concern, which is limited if you did this on your core/P node (turning it into a PE).

> 2/ Can the NAT-PE router be assigned to either PE1 or PE2?
> If so, I'm
> unsure how to apply NAT because there is only one interface on the PE
> router connecting to the P router so I'm not really sure where the ip
> nat inside and outside command would go - unless we use NAT on a stick
> which I don't think is recommended in a production environment.

I would actually vote for some "on-a-stick" deployment, which is what many customers do (as far as I know). NPE-G1/G2 are popular platforms for this..

> 3/ Lastly, do we need to put in a new router to act as the NAT-PE
> router? If so, where would this be placed - maybe between the P router
> and the Internet?

I would add a new node, and put it somewhere "close" to the P router/internet connection. You can scale by adding addtl. routers and distribute your VPN customers across these nodes. The config would be along this line: you use two interfaces (can be sub-interfaces): One MPLS interface (running LDP and your IGP), and one plain-IP interface. Both connect to the P node. You create a static default in the vrf pointing over the IP interface into the global table and create per-vrf NAT statements.

int Gig0/0.10
 ip address 192.168.0.2 255.255.255.252
 mpls ip
 ip nat inside
!
int gig0/0.20
 ip address 192.168.10.2 255.255.255.252
 ip nat outside
!
ip route vrf foo 0.0.0.0 0.0.0.0 Gig0/0.20 192.168.10.1 global
!
ip nat pool NAT-foo 10.1.1.1 10.1.1.10 netmask 255.255.255.240 add-route
ip nat source list nat-acl-foo pool NAT-foo vrf foo overload
!
ip access-list extended nat-acl-foo
 ! define what should be translated

and you define MP-iBGP and advertise the static defaults into the respective VPNs. something like this. the only addtl. challenge is to advertise the NAT pool(s) over the gig0/0.20 interface so you send the return traffic from the Internet back over this outside interface. you could use a dedicated ipv4-bgp session or another IGP instance, for example.. I hope you'll get the idea..
oli From ney25 at hotmail.com Thu Aug 14 03:30:30 2008 From: ney25 at hotmail.com (Jack) Date: Thu, 14 Aug 2008 15:30:30 +0800 Subject: [c-nsp] EVC - MPLS Message-ID: Hi Folks, anyone has EVC - MPLS information to share ? any document can I refer to ? regards, Jack From oboehmer at cisco.com Thu Aug 14 03:41:41 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 14 Aug 2008 09:41:41 +0200 Subject: [c-nsp] filter LDP bindings In-Reply-To: <20080814061645.GA18183@mx.ytti.net> References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com> <20080814061645.GA18183@mx.ytti.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com> Saku Ytti wrote on Thursday, August 14, 2008 8:17 AM: > On (2008-08-13 20:38 +0200), Oliver Boehmer (oboehmer) wrote: > >> well, this dependency on what other LDP neighbors send is not really >> in-line with the independent control mode LDP operates in, so the >> implementation might not be straight-forward. > > I think we have misunderstanding here. All boxes would 'stupidly' > accept and readvertise everything they get, no additional states > here, plain 'ol ios behaviour without LDP ACL. Well, I think this is the catch: In independent control mode, LDP does not "re-advertise" something like a distance/path-vector routing protocol does, it advertises its local bindings. So to implement a "re-advertise" behaviour, one would need to change the local binding behaviour to "only allocate (and advertise) a label for a remotely-learned IGP prefix x/y if you already received a remote LDP binding for this prefix or if you're the egress LSR for this FEC".. This is ordered control, something IOS only implements for cell-mode MPLS (i.e. ATM). > But per node, you'd tell the nodes not to generate label, except > for their loopback. 
right, this part is simple..

> End result would be, that you'd only have loop0's in each MPLS
> speaker's LIBs, without any ACL/prefix-list maintenance overhead.

agreed. But I still see challenges getting this right in independent control mode.. Am I missing something?

>> But wouldn't a (prefix) ACL be enough to cover most cases? Generally,
>> loopbacks are allocated from one or more prefix ranges, so ACLs
>> could be rather static?
>
> Yes, both can easily accomplish same goal, just bit additional admin
> overhead, while the true application in virtually all cases is, to generate
> label for single loopback interface. And actually we would have probably used
> 'your' way, had it been available when we wanted to implement it, instead of
> doing advertisement ACLs.

I guess so, filtering label allocation is more "natural" and efficient than filtering the advertisement for this very common case..

oli

From mjsaarin at cc.helsinki.fi Thu Aug 14 03:51:39 2008
From: mjsaarin at cc.helsinki.fi (Matti Saarinen)
Date: Thu, 14 Aug 2008 10:51:39 +0300
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To: <20080813203215.GF19971@puck.nether.net> (Jared Mauch's message of "Wed, 13 Aug 2008 16:32:15 -0400")
References: <20080813203215.GF19971@puck.nether.net>
Message-ID:

Jared Mauch wrote:

> On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
>
>> I am trying to understand COPP and move away from the VTY and SNMP ACLs.
>
> If implemented with CoPP then it's done in HW and Software.

I tried to replace VTY ACLs with CoPP. It resulted in a box that accepted connections for a few hours and then ended up being unresponsive. Are there any examples for replacing VTY ACLs with CoPP that even I could understand? The documentation in CCO isn't helpful enough.
-- - Matti - From tima at transtelecom.net Thu Aug 14 03:40:39 2008 From: tima at transtelecom.net (Tima Maryin) Date: Thu, 14 Aug 2008 11:40:39 +0400 Subject: [c-nsp] 32 bit ASN In-Reply-To: <20080731030350.GF23991@rtp-cse-489.cisco.com> References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> Message-ID: <48A3E177.30508@transtelecom.net> Hello! Is there any update on this ? Rodney Dunn wrote: > I'm asking about this. > > I'll get back with you. > > It's going to be in a 12.0(33)S rebuild for sure. > > But I need to check back on what the 12008 decision > was...ie: only in 32S rebuilds? > > > On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote: >> Hi, >> >> Does anyone know if the 32 bit ASN support is going to get >> implemented in the 12008 or 7500 RSP8 series? If not, what >> is recommended as replacements? From matt at peterson.org Thu Aug 14 05:33:25 2008 From: matt at peterson.org (Matt Peterson) Date: Thu, 14 Aug 2008 02:33:25 -0700 Subject: [c-nsp] 1230 Bridging of multiple VLANs Message-ID: Howdy, I have two 1231G units running 12.3(2)JA3 that I'm attempting to setup as a bridge. Unit #1 uplinks to the FastE interface fine, with standard bridge, ssid and sub-interface stances to yield multiple SSIDs/VLANs on its DotRadio0 (11b) interface - works great. Unit #2 is supposed to connect to Unit #1 over DotRadio1 (11a) as a transparent bridge and continue to advertise the same multiple SSIDs/ VLANs on its other radio - DotRadio0 (11b). After trying a number of configuration combinations, it's unclear if this product generation/IOS version supports multi-VLAN bridging - as the 1400s clearly do. Also, it's a tad unclear what the exact syntax of "station-role" the bridge interfaces should be in; with the above configuration I assume "root bridge" on unit #1 and "non-root bridge" on unit #2 - the examples I find are for slightly different hardware versions. 
Much appreciate confirmation support exists for this and tips on how to yield my desired configuration - cheers! --Matt From t.dahm at resolution.de Thu Aug 14 05:14:40 2008 From: t.dahm at resolution.de (Thorsten Dahm) Date: Thu, 14 Aug 2008 10:14:40 +0100 Subject: [c-nsp] 6500 snmp and vty acls ? In-Reply-To: References: <20080813203215.GF19971@puck.nether.net> Message-ID: <48A3F780.9000701@resolution.de> Matti Saarinen wrote: > Are there any examples for replacing VTY ACLs with CoPP > that even I could understand? The documentation in CCO isn't helpful > enough. Maybe this link helps: http://aharp.ittns.northwestern.edu/papers/copp.html cheers, Thorsten From jlewis at lewis.org Thu Aug 14 07:29:11 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 14 Aug 2008 07:29:11 -0400 (EDT) Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> Message-ID: On Thu, 14 Aug 2008, Hank Nussbacher wrote: > I have tested this and it is working at a specific customer: > > neighbor 10.100.80.7 default-originate route-map track-Broadwing > neighbor 10.100.80.7 distribute-list nothing-else-plus out > ! > ip access-list extended nothing-else-plus > ! Insert any nets you wish to announce here > deny ip any any > access-list 50 permit 216.140.0.0 0.3.255.255 > ! > route-map track-Broadwing permit 10 > match ip address 50 > ! > > You want to pick a network inside your upstream that will never go away and > if it does, that means their backbone has gone down. Do a few traceroutes > and you will quickly figure out what are their backbone CIDRs to use. That's basically what I ended up with yesterday in the simulator. My problem with it is, without inside knowledge of my upstream networks, how do I know which routes will never go away or never even just change mask? 
To be safer, if I end up doing this, I'll probably put half a dozen or so networks from each upstream in the access-list. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From scaner at global-one.by Thu Aug 14 08:02:50 2008 From: scaner at global-one.by (Eugene Vedistchev) Date: Thu, 14 Aug 2008 15:02:50 +0300 Subject: [c-nsp] CLIPS functionality for DHCP clients In-Reply-To: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com> References: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com> Message-ID: <48A41EEA.8040801@global-one.by> Cisco ISG IOS feature can authenticate MAC in RADIUS. It exists in IOS images for 2800 and 2651XM as well as 7200, 10k, 7600. Eugene. Rubens Kuhl Jr. wrote: > I don't think there is any Cisco low-end solution to this; 7200, ASR, > 10k and SCE are the platforms I think can do this one way or the > other. > > Consider using Mikrotik or NoCat/NoDog solutions (http://nocat.net/). > > > Rubens > > > > On Wed, Aug 13, 2008 at 5:23 PM, Kyle Johnson wrote: > >> All- >> >> I'm trying to create a solution to allow for subscriber management >> based on client PC MAC address. I see that Redback offers this "CLIPS" >> (CPE mac address & RADIUS record) method of subscriber management but >> Redback equipment is pretty pricey... >> >> Does anyone have a suggestion on a Cisco equivalent (PPPOE >> functionality/sessions based off client MAC rather than PPPOE >> config..) that will run on lower-end gear? 
>> >> Thanks- >> >> Kyle >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From hank at efes.iucc.ac.il Thu Aug 14 08:36:16 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 14 Aug 2008 15:36:16 +0300 (IDT) Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> Message-ID: On Thu, 14 Aug 2008, Jon Lewis wrote: >> if it does, that means their backbone has gone down. Do a few > traceroutes >> and you will quickly figure out what are their backbone CIDRs to use. > > That's basically what I ended up with yesterday in the simulator. My problem > with it is, without inside knowledge of my upstream networks, how do I know > which routes will never go away or never even just change mask? > To be safer, if I end up doing this, I'll probably put half a dozen or so > networks from each upstream in the access-list. I suggest tracking one block and not a few. Finding the right one takes about 30 minutes of traceroutes from various LGs. -Hank From jlewis at lewis.org Thu Aug 14 09:00:07 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 14 Aug 2008 09:00:07 -0400 (EDT) Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> Message-ID: On Thu, 14 Aug 2008, Hank Nussbacher wrote: > On Thu, 14 Aug 2008, Jon Lewis wrote: > >> That's basically what I ended up with yesterday in the simulator. 
My >> problem with it is, without inside knowledge of my upstream networks, how >> do I know which routes will never go away or never even just change mask? >> To be safer, if I end up doing this, I'll probably put half a dozen or so >> networks from each upstream in the access-list. > > I suggest tracking one block and not a few. Finding the right one takes > about 30 minutes of traceroutes from various LGs. Since the access-list only needs to match any single listed route to work, why wouldn't you track several routes to be safer? You can look at a few looking glasses and know that ProviderX will always announce some CIDR with the same netmask? That sounds like a neat trick. Nobody ever deaggregates, right? :) ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From rodunn at cisco.com Thu Aug 14 09:33:10 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 14 Aug 2008 09:33:10 -0400 Subject: [c-nsp] 32 bit ASN In-Reply-To: <48A3E177.30508@transtelecom.net> References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> <48A3E177.30508@transtelecom.net> Message-ID: <20080814133310.GA24673@rtp-cse-489.cisco.com> See my email yesterday. I should have an update on Monday. On Thu, Aug 14, 2008 at 11:40:39AM +0400, Tima Maryin wrote: > Hello! > > > Is there any update on this ? > > > Rodney Dunn wrote: > >I'm asking about this. > > > >I'll get back with you. > > > >It's going to be in a 12.0(33)S rebuild for sure. > > > >But I need to check back on what the 12008 decision > >was...ie: only in 32S rebuilds? > > > > > >On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote: > >>Hi, > >> > >>Does anyone know if the 32 bit ASN support is going to get > >>implemented in the 12008 or 7500 RSP8 series? If not, what > >>is recommended as replacements? 
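The conditional default-originate thread above (Hank's tracked-canary ACL, Jon's doc-inconsistency finding, and the one-canary-versus-several question) turns on how IOS applies the route-map's 'match ip address' ACL to the routes it has installed. The following Python model is an added example for this archive page, not code posted by any of the participants. It follows the ACL semantics stated in the IOS documentation quoted in the thread: a standard ACL entry compares only the route's network address, so any mask matches, while an extended ACL entry compares the network address as the source and the subnet mask as the destination. Jon reports a simulator result that differs from the standard-ACL rule; the model does not reproduce that. The routing tables and the second canary prefix (198.51.100.0/24) are constructed sample data. The operational risk being modelled is availability: a default that stays up while transit is gone blackholes every default-only customer, and a single canary that is withdrawn or deaggregated pulls the default while transit is fine.

```python
"""Model of IOS 'neighbor X default-originate route-map M' evaluation.

Added example, not from the thread's posters. ACL semantics follow the
IOS documentation quoted in the thread (standard ACL: network address
only; extended ACL: network address AND mask). Sample tables below are
constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

IPv4Net = ipaddress.IPv4Network


def _wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == (
        int(ipaddress.IPv4Address(pattern)) & care)


@dataclass(frozen=True)
class StandardEntry:
    """'access-list N permit <network> [<wildcard>]': network address only."""
    network: str
    wildcard: str = "0.0.0.0"

    def matches(self, route: IPv4Net) -> bool:
        return _wildcard_match(str(route.network_address), self.network, self.wildcard)


@dataclass(frozen=True)
class ExtendedEntry:
    """'access-list N permit ip <net> <wc> <mask> <wc>': network and mask."""
    network: str
    network_wc: str
    mask: str
    mask_wc: str

    def matches(self, route: IPv4Net) -> bool:
        return (_wildcard_match(str(route.network_address), self.network, self.network_wc)
                and _wildcard_match(str(route.netmask), self.mask, self.mask_wc))


AclEntry = Union[StandardEntry, ExtendedEntry]


def matching_routes(acl: Iterable[AclEntry], rib: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Routes hitting at least one entry (all entries here are permits)."""
    entries = list(acl)
    return [r for r in rib if any(e.matches(r) for e in entries)]


def originate_default(acl: Iterable[AclEntry], rib: Iterable[IPv4Net]) -> bool:
    """The route-map permits, and 0.0.0.0/0 is sent, when any route matches."""
    return bool(matching_routes(acl, rib))


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


# Hank's ACL: any network address inside 216.140.0.0/14, whatever its mask.
HANK_ACL = [StandardEntry("216.140.0.0", "0.3.255.255")]

# The extended ACL from the doc example Jon quotes: network 192.168.0.0 AND
# mask 255.255.255.0, so it matches a /24, not the /16 the doc text describes.
DOC_EXTENDED_ACL = [ExtendedEntry("192.168.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")]

# Several canaries, as Jon suggests; 198.51.100.0/24 is a constructed second
# canary, not a prefix from the thread.
MULTI_CANARY_ACL = [StandardEntry("216.140.0.0", "0.3.255.255"),
                    StandardEntry("198.51.100.0", "0.0.0.255")]

# Constructed routing tables (sample data, not a capture).
TRANSIT_UP = [net("216.140.0.0/16"), net("216.142.0.0/17"),
              net("198.51.100.0/24"), net("10.200.0.0/16")]
TRANSIT_DOWN = [net("10.200.0.0/16")]                        # internal routes only
ONE_CANARY_WITHDRAWN = [net("198.51.100.0/24"), net("10.200.0.0/16")]


def demo() -> dict:
    """Each scenario from the thread, evaluated with the model above."""
    return {
        "hank_transit_up": originate_default(HANK_ACL, TRANSIT_UP),
        "hank_transit_down": originate_default(HANK_ACL, TRANSIT_DOWN),
        "hank_matches_deaggregate": net("216.142.0.0/17") in matching_routes(HANK_ACL, TRANSIT_UP),
        "doc_acl_matches_slash16": originate_default(DOC_EXTENDED_ACL, [net("192.168.0.0/16")]),
        "doc_acl_matches_slash24": originate_default(DOC_EXTENDED_ACL, [net("192.168.0.0/24")]),
        "multi_canary_one_withdrawn": originate_default(MULTI_CANARY_ACL, ONE_CANARY_WITHDRAWN),
        "single_canary_one_withdrawn": originate_default(HANK_ACL, ONE_CANARY_WITHDRAWN),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two of the results carry the thread's points: the extended ACL in the documented example only matches the /24, which is Jon's reading of the inconsistency, and the single-canary ACL stops originating the default as soon as that one block disappears, while the multi-canary ACL keeps it as long as any listed block is still present.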
From johnmanning.mpls at gmail.com Thu Aug 14 09:35:47 2008 From: johnmanning.mpls at gmail.com (MPLS MPLS) Date: Thu, 14 Aug 2008 19:05:47 +0530 Subject: [c-nsp] Tele Presence - Priority Queue or CBWFQ within the SP core Message-ID: Hello there, Wanted to poll the SP folks here to understand what you do "in the Core" for supporting Tele Presence traffic on LLQ or CBWFQ? Cisco says LLQ but i don't agree because TP is a VBR traffic. And LLQ has its cost implications. Thanks very much for the feedback John.... From leung at yorku.ca Thu Aug 14 09:53:37 2008 From: leung at yorku.ca (Samuel Leung) Date: Thu, 14 Aug 2008 09:53:37 -0400 Subject: [c-nsp] VMPS and 6500 In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00FA6@tiger.deltadentalwa.com> Message-ID: Yes, it is correct. It's my understanding that VMPS server will not support on Cat6500 running IOS. Regards, Leung York University "Teller, Robert" Sent by: cisco-nsp-bounces at puck.nether.net 08/13/2008 03:15 PM To cisco-nsp at puck.nether.net cc Subject [c-nsp] VMPS and 6500 I was thinking about playing with VMPS but from what I can tell it's not supported on IOS, is that correct? Robert Teller Washington Dental Service Network Administrator (206) 528-2371 RTeller at DeltaDentalWa.com ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. 
######################################################### _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From evans.584 at osu.edu Thu Aug 14 09:59:44 2008 From: evans.584 at osu.edu (Kyle Evans) Date: Thu, 14 Aug 2008 09:59:44 -0400 Subject: [c-nsp] VMPS and 6500 In-Reply-To: References: Message-ID: <48A43A50.1030506@osu.edu> You may want to look into OpenVMPS or Freeradius (which supports VMPS). You can use one of these products installed on a real server to be your VMPS server. Kyle Samuel Leung wrote: > Yes, it is correct. It's my understanding that VMPS server will not > support on Cat6500 running IOS. > > Regards, > Leung > York University > > > > > > "Teller, Robert" > Sent by: cisco-nsp-bounces at puck.nether.net > 08/13/2008 03:15 PM > > To > cisco-nsp at puck.nether.net > cc > > Subject > [c-nsp] VMPS and 6500 > > > > > > > I was thinking about playing with VMPS but from what I can tell it's not > supported on IOS, is that correct? > > > > Robert Teller > Washington Dental Service > Network Administrator > (206) 528-2371 > RTeller at DeltaDentalWa.com > > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. 
> ######################################################### > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From nick.jon.griffin at gmail.com Thu Aug 14 10:30:42 2008 From: nick.jon.griffin at gmail.com (Nick Griffin) Date: Thu, 14 Aug 2008 09:30:42 -0500 Subject: [c-nsp] VRF Lite Route Propagation Message-ID: I've figured out how to exchange routes between VRF's with the bgp address family configuration coupled with redistribute static|connected, etc however I'm trying to propagate this information and I'm having problems getting it to work as desired. This is a VRF-Lite only environment, and what I'm trying to accomplish is this. I would like to have separate VRF's for separate internet connections, ie a 1 to 1 relationship. I would also like to be able to get this default route from within the Internet 1 VRF into multiple Client Vlan VRF's, as well as dynamically pass the client vlan connected subnets back into the Internet 1 VRF. Exchanging between the VRF's one one router isn't the issue, it's passing it dynamically from Internet 1 VRF to another neighbor router in this same vrf say using OSPF or EIGRP that I'm having trouble with. I get them to show up as B routes via the address family configuration, but I am able to pass this to the neighboring router. I hope this make sense. 
Thanks in advance,

Nick Griffin

From carlo.ngn at gmail.com Thu Aug 14 10:35:29 2008
From: carlo.ngn at gmail.com (Carlo)
Date: Thu, 14 Aug 2008 16:35:29 +0200
Subject: [c-nsp] Cisco authentication login page
Message-ID: <48A442B1.1020800@gmail.com>

Hi all,

I'm trying to customize the default login page that the Cisco router uses for authentication proxy ( to authenticate users ). Can someone tell me how to do that ? I've tried to search in the Cisco web site, but it seems that there is no documentation about it.

Looking at the default page, i see this strange string:

I think that the au_pxytimetag value should be different for every message, but i don't know how to do that.

Thanks in advance

Carlo

From mark at mjlnet.com Thu Aug 14 10:43:28 2008
From: mark at mjlnet.com (mark at mjlnet.com)
Date: Thu, 14 Aug 2008 14:43:28 +0000
Subject: [c-nsp] Tele Presence - Priority Queue or CBWFQ within the SP core
Message-ID:

Hi,

>
>Wanted to poll the SP folks here to understand what you do "in the Core" for
>supporting Tele Presence traffic on LLQ or CBWFQ? Cisco says LLQ but i don't
>agree because TP is a VBR traffic. And LLQ has its cost implications.

Problem with CBWFQ is that while you'll get a min bandwidth guarantee, there's no guarantee for latency and jitter (probably gotta stay within about 1% pkt loss, 30ms jitter max, and 150ms end-to-end latency, of course, for good quality). So, personally I'd use a priority queue with LLQ for TP (actually, a second priority queue, if available).

Mark

>
>Thanks very much for the feedback
>
>John....
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jeff-kell at utc.edu Thu Aug 14 11:39:48 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 14 Aug 2008 11:39:48 -0400
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To:
References:
Message-ID: <48A451C4.4090607@utc.edu>

Nick Griffin wrote:
> I've figured out how to exchange routes between VRF's with the bgp address
> family configuration coupled with redistribute static|connected, etc however
> I'm trying to propagate this information and I'm having problems getting it
> to work as desired.

I'll take a "guess" at your problem...

If you have everything "centralized" into one PE doing your intra-VRF iBGP, and also providing VRF-specific routing processes...

The intra-VRF routes are propagated locally via iBGP and the vrf route-target import/export specifications.
To redistribute "learned" routes from the VRF-specific routing processes into the iBGP mesh, you must 'redistribute [protocol]' in the BGP address-family ipv4 vrf specification.

To redistribute "learned" routes from the iBGP import/export process back into the VRF-specific routing processes, you must 'redistribute bgp [asn]' in the routing process vrf specification.

Jeff

From dmitry at dmitry.net Thu Aug 14 11:18:07 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Thu, 14 Aug 2008 18:18:07 +0300
Subject: [c-nsp] route-map continue
Message-ID: <20080814151807.GF26588@f17.dmitry.net>

Hello!

Can anybody clarify the continue statement behaviour for me?

router bgp 111
...
 neighbor 10.10.10.2 route-map TEST-OUT out
 neighbor 10.10.10.2 send-community
...
route-map TEST-OUT permit 10
 match community 10
 continue 20
!
route-map TEST-OUT permit 20
 set metric 222
 set as-path prepend 111 111 111
!

The bgp neighbor receives all prefixes, but community matched are still without prepends and med. Is it correct behaviour?

P.S. Tested in 12.2S on 7200

--
Dmitry Kiselev

From nick.jon.griffin at gmail.com Thu Aug 14 12:26:37 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Thu, 14 Aug 2008 11:26:37 -0500
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To: <48A451C4.4090607@utc.edu>
References: <48A451C4.4090607@utc.edu>
Message-ID:

I must be missing something, see below:

C1#sh ip route vrf I1

Gateway of last resort is 1.1.111.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.111.0 is directly connected, Ethernet0/0.111
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 is directly connected, 02:26:01, Ethernet0/0.333
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 is directly connected, 02:26:01, Ethernet0/0.555   <---- Want this in I1 Vrf on R1
O*E2 0.0.0.0/0 [110/1] via 1.1.111.1, 02:26:01, Ethernet0/0.111
C1#

router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf VRF3
  network 3.3.3.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router ospf 1 vrf I1
 log-adjacency-changes
 redistribute static metric 1 subnets
 redistribute bgp 1 metric 5 subnets   <------- Do this you said
 network 1.1.111.2 0.0.0.0 area 0
!
router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF5
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF3
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf I1
  redistribute connected
  redistribute ospf 1 vrf I1 metric 5 match internal external 1 external 2
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.111.2         1   FULL/DR         00:00:33    1.1.111.2       FastEthernet0/0.111

R1#sh ip route vrf I1

Gateway of last resort is 1.1.11.254 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.11.0 is directly connected, FastEthernet0/0.11
C       1.1.111.0 is directly connected, FastEthernet0/0.111
     2.0.0.0/24 is subnetted, 1 subnets
S       2.2.2.0 [1/0] via 1.1.12.2
     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 1.1.111.2
S*   0.0.0.0/0 [1/0] via 1.1.11.254

R1#sh ip ospf database

            OSPF Router with ID (1.1.111.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.111.1       1.1.111.1       1524        0x80000028 0x0072CB 1
1.1.111.2       1.1.111.2       1473        0x80000028 0x00131F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.111.2       1.1.111.2       1473        0x80000027 0x000F38

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         1.1.111.1       1524        0x80000027 0x00CB4E 1
3.3.3.0         1.1.111.2       141         0x80000001 0x000A57 3489660929
5.5.5.0         1.1.111.2       141         0x80000001 0x00C199 3489660929
R1#

On Thu, Aug 14, 2008 at 10:39 AM, Jeff Kell wrote:
> Nick Griffin wrote:
>
>> I've figured out how to exchange routes between VRF's with the bgp address
>> family configuration coupled with redistribute
>> static|connected, etc
>> however
>> I'm trying to propagate this information and I'm having problems getting
>> it
>> to work as desired.
>>
>
> I'll take a "guess" at your problem...
>
> If you have everything "centralized" into one PE doing your intra-VRF iBGP,
> and also providing VRF-specific routing processes...
>
> The intra-VRF routes are propagated locally via iBGP and the vrf
> route-target import/export specifications.
>
> To redistribute "learned" routes from the VRF-specific routing processes
> into the iBGP mesh, you must 'redistribute [protocol]' in the BGP
> address-family ipv4 vrf specification.
>
> To redistribute "learned" routes from the iBGP import/export process back
> into the VRF-specific routing processes, you must 'redistribute bgp [asn]'
> in the routing process vrf specification.
>
> Jeff
>
>

From david.freedman at uk.clara.net Thu Aug 14 13:05:28 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 14 Aug 2008 18:05:28 +0100
Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPNCustomers
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>
Message-ID:

We provide customers with a managed CE router on a stick which does NAT and stateful inspection. These may hang off any PE router of our choosing; in reality we implement these as virtual systems on larger devices with 802.1q trunks to the PE routers.

Dave.

Oliver Boehmer (oboehmer) wrote:
> Andy Saykao <> wrote on Thursday, August 14, 2008 4:58 AM:
>
>> Hi All
>>
>> We are looking at providing our Layer 3 MPLS VPN customers with the
>> option of a managed internet gateway via a NAT-PE router.
>> This would
>> mean that remote sites no longer have to access the internet via the
>> Central Site model as this is the way we've been implementing Internet
>> access for MPLS VPN customers.
>>
>> As all our MPLS VPN customers are using private IP addresses, NAT
>> would have to obviously take place at the NAT-PE router.
>>
> [...]
>> My dilemma is that I'm not entirely sure which router should be
>> designated as the NAT-PE router to act as the Internet Gateway for our
>> MPLS VPN customers or if we need to put in a new PE router somewhere?
>>
>> So what I've brainstormed are the following ideas...
>>
>> 1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
>> this because this is the core router that handles Internet traffic for
>> all our customers and I don't want to mess it up.
>
> Agreed, I wouldn't take this path either. NAT is stateful, so future
> scalability is a concern, which is limited if you did this on your
> core/P node (turning it into a PE).
>
>> 2/ Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm
>> unsure how to apply NAT because there is only one interface on the PE
>> router connecting to the P router so I'm not really sure where the ip
>> nat inside and outside command would go - unless we use NAT on a stick
>> which I don't think is recommended in a production environment.
>
> I would actually vote for some "on-a-stick" deployment, which is what
> many customers do (as far as I know). NPE-G1/G2 are popular platforms
> for this..
>
>> 3/ Lastly, do we need to put in a new router to act as the NAT-PE
>> router? If so, where would this be placed - maybe between the P router
>> and the Internet?
>
> I would add a new node, and put it somewhere "close" to the P
> router/internet connection. You can scale by adding addtl. routers and
> distribute your VPN customers across these nodes.
> The config would be
> along this line:
>
> you use two interfaces (can be sub-interfaces): One MPLS interface
> (running LDP and your IGP), and one plain-IP interface. Both connect to
> the P node.
> You create a static default in the vrf pointing over the IP interface
> into the global table and create per-vrf NAT statements.
>
> int Gig0/0.10
>  ip address 192.168.0.2 255.255.255.252
>  mpls ip
>  ip nat inside
> !
> int gig0/0.20
>  ip address 192.168.10.2 255.255.255.252
>  ip nat outside
> !
> ip route vrf foo 0.0.0.0 0.0.0.0 Gig0/0.20 192.168.10.1 global
> !
> ip nat pool NAT-foo 10.1.1.1 10.1.1.10 netmask 255.255.255.240 add-route
> ip nat source list nat-acl-foo pool NAT-foo vrf foo overload
> !
> ip access-list extended nat-acl-foo
>  ! define what should be translated
>
> and you define MP-iBGP and advertise the static defaults into the
> respective VPNs.
>
> something like this. the only addtl. challenge is to advertise the NAT
> pool(s) over the gig0/0.20 interface so you send the return traffic from
> the Internet back over this outside interface. you could use a dedicated
> ipv4-bgp session or another IGP instance, for example..
>
> I hope you'll get the idea..
>
> oli
>

From david.freedman at uk.clara.net Thu Aug 14 13:10:37 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 14 Aug 2008 18:10:37 +0100
Subject: [c-nsp] conditional bgp default-originate
In-Reply-To:
References:
Message-ID: <48A4670D.5010103@uk.clara.net>

silly question, but why not ask your provider for a default route in with your feed and simply just propagate it downstream??

Dave.
Jon Lewis wrote:
> I'd like to be able to conditionally advertise a default route to
> customers taking just default routes only if my transit BGP sessions
> appear to be functional.
>
> I thought something like this might work:
>
> neighbor 10.1.0.2 default-originate route-map BGP-UP
>
> route-map BGP-UP permit 10
>  match as-path 100
>
> ip as-path access-list 100 permit ^3356_
> ip as-path access-list 100 permit ^4323_
>
> But no such luck. Checking the docs at
>
> http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042
>
> it seems I have to exactly match against a route for the route-map to
> work here. That means actually picking a few "canary routes" I expect
> to get from my upstreams and hoping they don't go anywhere or change
> mask. I'm not really happy with that. Are there better ways to do this?
>
> Also, while looking at the docs above and experimenting in the GNS3
> simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a
> few oddities.
>
> First, there are multiple errors in the docs mentioned above. i.e. From
> the URL above:
>
> In the following example, the last line of the configuration has been
> changed to show the use of an extended access list. The local router
> injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route
> to 192.168.0.0 with a mask of 255.255.0.0:
>
> router bgp 50000
>  network 172.16.0.0
>  neighbor 172.16.2.3 remote-as 60000
>  neighbor 172.16.2.3 default-originate route-map default-map
> !
> route-map default-map 10 permit
>  match ip address 1
> !
> access-list 100 permit ip host 192.168.0.0 host 255.255.255.0
>
> In the above example, they did change the ACL to an extended
> access-list, but the route-map wasn't updated to use it (still using 1)
> and they say they're looking for 192.168.0.0 with a mask of 255.255.0.0,
> but the access-list 100 uses a /24 mask.
>
> Just above this example, the docs say that
> access-list 1 permit 192.168.0.0
> will match a route for 192.168.0.0 with any mask. In my simulator, I
> have R1--R2--R3
> R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
> to R3 using the route-map
>
> route-map BGP-UP permit 10
>  match ip address 50
>
> access-list 50 permit 8.0.0.0
>
> When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
> default is not sent to R3. If I add to access-list 50
> access-list 50 permit 8.0.0.0 0.0.255.255
>
> Standard IP access list 50
>     10 permit 8.0.0.0 (973 matches)
>     20 permit 8.0.0.0, wildcard bits 0.0.255.255
>
> I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
> This seems kind of broken. I haven't duplicated the setup with real
> hardware to see if it's a simulator screwup...but since the simulator is
> running actual IOS, it seems unlikely the simulator is to blame.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

From jlewis at lewis.org Thu Aug 14 13:35:04 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 14 Aug 2008 13:35:04 -0400 (EDT)
Subject: [c-nsp] conditional bgp default-originate
In-Reply-To: <48A4670D.5010103@uk.clara.net>
References: <48A4670D.5010103@uk.clara.net>
Message-ID:

On Thu, 14 Aug 2008, David Freedman wrote:

> silly question, but why not ask your provider for a default route in
> with your feed and simply just propagate it downstream??

I don't need/want a default route. If a destination isn't in the global routing table, I don't want to send the packets upstream. I suppose your suggestion is the easiest solution though.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From saku+cisco-nsp at ytti.fi Thu Aug 14 14:16:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 14 Aug 2008 21:16:06 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com> <20080814061645.GA18183@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com>
Message-ID: <20080814181605.GA28999@mx.ytti.net>

On (2008-08-14 09:41 +0200), Oliver Boehmer (oboehmer) wrote:

> Well, I think this is the catch: In independent control mode, LDP does not "re-advertise" something like a distance/path-vector routing protocol does, it advertises its local bindings. So to implement a "re-advertise" behaviour, one would need to change the local binding behaviour to "only allocate (and advertise) a label for a remotely-learned IGP prefix x/y if you already received a remote LDP binding for this prefix or if you're the egress LSR for this FEC".. This is ordered control, something IOS only implements for cell-mode MPLS (i.e. ATM).
>
> > End result would be, that you'd only have loop0's in each MPLS
> > speakers LIBs, without any ACL/prefix-list maintenance overhead.
>
> agreed. But I still see challenges getting this right in independent control mode.. Am I missing something?

Perhaps I mistook that it would be easier than in reality it is, to determine this information from LIB.
I assumed that creating bindings perfectly normally for data received over LDP session is no-problem and only thing that needs to change, is that in first place, you don't locally add anything to your bindings, except your Loop0.

> I guess so, filtering label allocation is more "natural" and efficient than filtering the advertisement for this very common case..

Yes (more natural than ACL filtering what you advertise out).

--
  ++ytti

From peter at rathlev.dk Thu Aug 14 14:38:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 14 Aug 2008 20:38:31 +0200
Subject: [c-nsp] route-map continue
In-Reply-To: <20080814151807.GF26588@f17.dmitry.net>
References: <20080814151807.GF26588@f17.dmitry.net>
Message-ID: <1218739111.9948.0.camel@abehat>

On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
> Hello!
>
> Can anybody clarify the continue statement behaviour for me?
>
> router bgp 111
>  ...
>  neighbor 10.10.10.2 route-map TEST-OUT out
>  neighbor 10.10.10.2 send-community
>  ...
>
> route-map TEST-OUT permit 10
>  match community 10
>  continue 20
> !
> route-map TEST-OUT permit 20
>  set metric 222
>  set as-path prepend 111 111 111
> !
>
> The bgp neighbor receives all prefixes, but community-matched ones
> are still without prepends and med. Is it correct behaviour?
>
> P.S. Tested in 12.2S on 7200

According to FN you need 12.2SRC or 12.4T for outbound route-map continue support.

Regards,
Peter

From peter at rathlev.dk Thu Aug 14 14:46:51 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 14 Aug 2008 20:46:51 +0200
Subject: [c-nsp] route-map continue
In-Reply-To: <1218739111.9948.0.camel@abehat>
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID: <1218739611.10194.1.camel@abehat>

On Thu, 2008-08-14 at 20:38 +0200, Peter Rathlev wrote:
> On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
> > P.S. Tested in 12.2S on 7200
>
> According to FN you need 12.2SRC or 12.4T for outbound route-map
> continue support.
SRB should also work by the way.

Regards,
Peter

From christian at broknrobot.com Thu Aug 14 14:57:40 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 14 Aug 2008 14:57:40 -0400
Subject: [c-nsp] route-map continue
In-Reply-To: <1218739111.9948.0.camel@abehat>
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID:

I was thinking the problem was 'outbound' maps, but then when double checking I saw this

Restrictions for BGP Route-Map Continue

- Continue clauses are supported in outbound route maps only in Cisco IOS Release 12.0(31)S and subsequent releases.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html

On Thu, Aug 14, 2008 at 2:38 PM, Peter Rathlev wrote:
> On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
>> Hello!
>>
>> Can anybody clarify the continue statement behaviour for me?
>>
>> router bgp 111
>>  ...
>>  neighbor 10.10.10.2 route-map TEST-OUT out
>>  neighbor 10.10.10.2 send-community
>>  ...
>>
>> route-map TEST-OUT permit 10
>>  match community 10
>>  continue 20
>> !
>> route-map TEST-OUT permit 20
>>  set metric 222
>>  set as-path prepend 111 111 111
>> !
>>
>> The bgp neighbor receives all prefixes, but community-matched ones
>> are still without prepends and med. Is it correct behaviour?
>>
>> P.S. Tested in 12.2S on 7200
>
> According to FN you need 12.2SRC or 12.4T for outbound route-map
> continue support.
>
> Regards,
> Peter
>

From petelists at templin.org Thu Aug 14 15:09:20 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 14 Aug 2008 14:09:20 -0500
Subject: [c-nsp] route-map continue
In-Reply-To:
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID: <48A482E0.9060609@templin.org>

Christian Koch wrote:
> I was thinking the problem was 'outbound' maps, but then when double
> checking I saw this
>
> Restrictions for BGP Route-Map Continue
>
> - Continue clauses are supported in outbound route maps only in Cisco
> IOS Release 12.0(31)S and subsequent releases.
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html

Don't (totally) believe the feature guides. 12.0(32)S is the minimum safe release, due to the following bug that bit me hard:

CSCsc36517
Symptoms: A router reloads unexpectedly when a continue statement is used in an outbound route map.
Conditions: This symptom is observed on a Cisco router that is configured for BGP.
Workaround: There is no workaround.

On 7507s and 12008s, the outbound continue was 100% dangerous every time I used it, no matter how simple the route-map.

pt

From luan at t3technology.com Thu Aug 14 15:17:58 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Thu, 14 Aug 2008 15:17:58 -0400
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To:
References: <48A451C4.4090607@utc.edu>
Message-ID: <006701c8fe42$76415970$62c40c50$@com>

Can you do a show run int Ethernet0/0.555 and show ip bgp vpnv4 vrf I1?
-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Griffin
Sent: Thursday, August 14, 2008 12:27 PM
To: Jeff Kell
Cc: cisco-nsp
Subject: Re: [c-nsp] VRF Lite Route Propagation

I must be missing something, see below:

C1#sh ip route vrf I1

Gateway of last resort is 1.1.111.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.111.0 is directly connected, Ethernet0/0.111
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 is directly connected, 02:26:01, Ethernet0/0.333
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 is directly connected, 02:26:01, Ethernet0/0.555   <---- Want this in I1 Vrf on R1
O*E2 0.0.0.0/0 [110/1] via 1.1.111.1, 02:26:01, Ethernet0/0.111
C1#

router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf VRF3
  network 3.3.3.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router ospf 1 vrf I1
 log-adjacency-changes
 redistribute static metric 1 subnets
 redistribute bgp 1 metric 5 subnets   <------- Do this you said
 network 1.1.111.2 0.0.0.0 area 0
!
router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF5
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF3
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf I1
  redistribute connected
  redistribute ospf 1 vrf I1 metric 5 match internal external 1 external 2
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.111.2         1   FULL/DR         00:00:33    1.1.111.2       FastEthernet0/0.111

R1#sh ip route vrf I1

Gateway of last resort is 1.1.11.254 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.11.0 is directly connected, FastEthernet0/0.11
C       1.1.111.0 is directly connected, FastEthernet0/0.111
     2.0.0.0/24 is subnetted, 1 subnets
S       2.2.2.0 [1/0] via 1.1.12.2
     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 1.1.111.2
S*   0.0.0.0/0 [1/0] via 1.1.11.254

R1#sh ip ospf database

            OSPF Router with ID (1.1.111.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.111.1       1.1.111.1       1524        0x80000028 0x0072CB 1
1.1.111.2       1.1.111.2       1473        0x80000028 0x00131F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.111.2       1.1.111.2       1473        0x80000027 0x000F38

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         1.1.111.1       1524        0x80000027 0x00CB4E 1
3.3.3.0         1.1.111.2       141         0x80000001 0x000A57 3489660929
5.5.5.0         1.1.111.2       141         0x80000001 0x00C199 3489660929
R1#

On Thu, Aug 14, 2008 at 10:39 AM, Jeff Kell wrote:
> Nick Griffin wrote:
>
>> I've figured out how to exchange routes between VRF's with the bgp address
>> family configuration coupled with redistribute static|connected, etc
>> however
>> I'm trying to propagate this information and I'm having problems getting
>> it
>> to work as desired.
>>
>
> I'll take a "guess" at your problem...
>
> If you have everything "centralized" into one PE doing your intra-VRF iBGP,
> and also providing VRF-specific routing processes...
>
> The intra-VRF routes are propagated locally via iBGP and the vrf
> route-target import/export specifications.
>
> To redistribute "learned" routes from the VRF-specific routing processes
> into the iBGP mesh, you must 'redistribute [protocol]' in the BGP
> address-family ipv4 vrf specification.
>
> To redistribute "learned" routes from the iBGP import/export process back
> into the VRF-specific routing processes, you must 'redistribute bgp [asn]'
> in the routing process vrf specification.
>
> Jeff
>
>

From brett at looney.id.au Thu Aug 14 20:49:01 2008
From: brett at looney.id.au (Brett Looney)
Date: Fri, 15 Aug 2008 08:49:01 +0800
Subject: [c-nsp] Cisco authentication login page
In-Reply-To: <48A442B1.1020800@gmail.com>
References: <48A442B1.1020800@gmail.com>
Message-ID: <000401c8fe70$bab140b0$3013c210$@id.au>

> I'm trying to customize the default login page that the Cisco
> router uses for authentication proxy ( to authenticate users ).
> Can someone tell me how to do that ? I've tried to search in
> the Cisco web site, but it seems that there is no documentation
> about it.
> Looking at the default page, I see this strange string:
> TYPE="hidden" NAME="au_pxytimetag" VALUE="13502936">
> I think that the au_pxytimetag value should be different for
> every message, but I don't know how to do that.

When I played with this a while back I couldn't find a way to customise the bit of HTML you have there - it is produced by IOS. I'm not sure why you'd want to modify the au_pxytimetag value - it seems to work fine for me with multiple users without having to change that.

I wrote a bit of custom HTML that the router then serves up before the FORM part of the HTML page is sent back to the client.
The only limitation was that the HTML I provided had to be under 8k (may have been 4k) so because the disclaimer we had was so large I embedded an IFRAME which sourced the disclaimer from another web server.

Documentation:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

B.

From psirt at cisco.com Thu Aug 14 23:15:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Thursday, 14 Aug 2008 22:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
Message-ID: <200808142215.webex@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control

Advisory ID: cisco-sa-20080814-webex

Revision 1.0

For Public Release 2008 August 14 2230 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx Meeting Manager contains a buffer overflow vulnerability that may result in a denial of service or remote code execution.

The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting. When users connect to the WebEx meeting service, the WebEx Meeting Manager is automatically upgraded to the latest version.

There is a manual workaround available for users who are not able to connect to the WebEx meeting service. Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Affected Products
=================

Vulnerable Products
+------------------

The WebEx Meeting Manager downloads several components to meeting participants before they join a WebEx meeting. The vulnerability in this Security Advisory affects the atucfobj.dll library.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. When a meeting participant connects to the WebEx meeting service through a web browser, the WebEx meeting service installs several components of the WebEx Meeting Manager browser plugin on the meeting participant's system.

WebEx Meeting Manager includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts. This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code.

The WebEx meeting service currently maintains three different versions of software. WebEx meeting service servers run one of the following versions: WBS 23, WBS 25, or WBS 26.

This vulnerability is documented in WebEx Bug IDs 292551 for WBS 26 and 306639 for WBS 25.

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2737.

Identifying WebEx Meeting Service Version
+----------------------------------------

The following procedure allows meeting participants to identify the version of client software that is provided by a WebEx server. The procedure varies slightly depending on the version of the WebEx server software. The URL in all the following examples is provided to meeting participants as part of the WebEx meeting invite.

Client build numbers adhere to the format of XX.YY.ZZ.WWWW.
The first number indicates the major version number of the software build. For example, a client build number of 26.49.9.2838 indicates a WBS 26-based software version.

For the WBS 26 version:

1. Browse to the WebEx meeting server at https://.webex.com/.
2. Select Support from the left side of the web page.
3. Select Downloads from the left side of the web page.
4. The version of the client software that is provided by the server is listed next to Client build.

For WebEx servers that are running WBS 26, the first fixed version is 26.49.9.2838. Client build versions prior to 26.49.9.2838 are vulnerable.

For the WBS 25 version:

1. Browse to the WebEx meeting server at https://.webex.com/.
2. Select Assistant on the left side of the page.
3. Select the Support link.
4. Select the Version link, which is displayed on the right side of the top of the page.
5. The Client Build version is displayed in a pop-up window.

There is currently no fixed version for the WBS 25-based WebEx meeting service. This section of the Security Advisory will be updated when fixed version information is available.

For the WBS 23 version:

Servers that run WBS 23-based WebEx meeting service display version information using the following URL format:

https://.webex.com/version/wbxversionlist.do?siteurl=

On the redisplayed page the Client versions in files field will indicate the Client Build. For example: The 'T23' in WBXclient-T23L10NSP33EP13-1092.txt indicates a WBS 23-based system.

Cisco WebEx is not planning to repair WBS 23-based software. Affected WBS 23-based servers will be upgraded to fixed WBS 25 or WBS 26-based software.

Attack Vector Details
+--------------------

This Security Advisory addresses a vulnerable ActiveX control (atucfobj.dll). If atucfobj.dll is present on a client's computer, it may be possible for an attacker to embed malicious code into HTML content that calls an affected function in atucfobj.dll via ActiveX. Users could encounter the malicious HTML in several ways.
The most common are:

* Browsing to a web site that contains the malicious content
* HTML that is embedded in e-mail messages
* HTML that is delivered via instant messaging applications

WebEx Upgrade Timeline
+---------------------

Upgrades from WBS 23 versions to WBS 26 are expected to be complete by the end of September 2008. Fixed versions of WBS 25 are expected to be deployed by the end of September 2008. Deployed versions of WBS 26 are fixed.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

The CVSS scoring for WebEx bug IDs 292551 and 306639 is identical because they reference the same vulnerability. The scoring below applies to both 292551 and 306639.

ActiveX Vulnerability in WebEx Meeting Manager

CVSS Base Score - 9.3
  Access Vector - Network
  Access Complexity - Medium
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 8.4
  Exploitability - Functional
  Remediation Level - Official Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in execution of arbitrary code.
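The version rule given in the Identifying WebEx Meeting Service Version subsection above, put into code so a fleet of clients can be triaged mechanically. This is an added example and is not part of the advisory or of Cisco's tooling. It assumes only the two version formats the advisory itself shows (a dotted XX.YY.ZZ.WWWW build number whose first field is the WBS major version, and the WBS 23 WBXclient-T23...txt file name) and uses the advisory's own thresholds: 26.49.9.2838 is the first fixed WBS 26 build, WBS 25 had no fixed build at publication, and WBS 23 is not being repaired. The host names in the sample inventory are constructed.

```python
"""Classify a WebEx Meeting Manager client build against the fixed builds
named in cisco-sa-20080814-webex (CVE-2008-2737).

Added example, not code from Cisco or from the advisory.  It understands the
two version formats the advisory describes: a dotted client build number
XX.YY.ZZ.WWWW (first field = WBS major version) and the WBS 23 file-name form
WBXclient-T23...-NNNN.txt (the "T23" carries the major version).  Thresholds
are the advisory's: 26.49.9.2838 is the first fixed WBS 26 build, WBS 25 had
no fixed build at publication, and WBS 23 will not be repaired.
"""
import re
from typing import NamedTuple, Optional, Tuple

BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
WBS23_FILE_RE = re.compile(r"^WBXclient-T(\d+)[A-Za-z0-9]*-\d+\.txt$")

# First fixed client build per WBS major version, from the advisory.
# None: no fixed build had been published for that line.
FIRST_FIXED = {
    26: (26, 49, 9, 2838),
    25: None,
    23: None,
}


class Verdict(NamedTuple):
    wbs_major: int
    vulnerable: Optional[bool]   # None: the advisory does not cover this line
    reason: str


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """'26.49.9.2838' -> (26, 49, 9, 2838).

    Integer tuples compare field by field, which is what a build comparison
    needs; comparing the strings would rank 26.5.x after 26.49.x because the
    character '5' sorts after '4'.
    """
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError("not an XX.YY.ZZ.WWWW build number: %r" % build)
    a, b, c, d = (int(f) for f in m.groups())
    return (a, b, c, d)


def wbs_major(version: str) -> int:
    """Major version from either format the advisory shows."""
    m = WBS23_FILE_RE.match(version.strip())
    if m:
        return int(m.group(1))
    return parse_build(version)[0]


def assess(version: str) -> Verdict:
    """Decide whether a client at this version still carries the vulnerable
    atucfobj.dll, and say why."""
    major = wbs_major(version)
    if major not in FIRST_FIXED:
        return Verdict(major, None, "WBS %d is not covered by the advisory" % major)
    fixed = FIRST_FIXED[major]
    if fixed is None:
        return Verdict(major, True,
                       "no fixed build exists for WBS %d; use a workaround "
                       "(kill bit or uninstall) until the site is upgraded" % major)
    if not BUILD_RE.match(version.strip()):
        return Verdict(major, None,
                       "file-name form carries no build number; read the "
                       "Client build value from the server's Downloads page")
    build = parse_build(version)
    fixed_str = ".".join(str(f) for f in fixed)
    if build < fixed:
        return Verdict(major, True, "%s predates first fixed build %s" % (version, fixed_str))
    return Verdict(major, False, "%s is at or after first fixed build %s" % (version, fixed_str))


def hosts_needing_action(inventory):
    """inventory: iterable of (hostname, version).  Returns, sorted, the hosts
    whose client is vulnerable or cannot be classified; unknowns are listed
    because "not covered by the advisory" is not the same as "fixed"."""
    return sorted(host for host, version in inventory
                  if assess(version).vulnerable is not False)


if __name__ == "__main__":
    # Constructed sample inventory; the host names are made up.
    sample = [
        ("pc-01", "26.49.9.2838"),
        ("pc-02", "26.5.0.100"),
        ("pc-03", "25.10.3.1234"),
        ("pc-04", "WBXclient-T23L10NSP33EP13-1092.txt"),
    ]
    for host, version in sample:
        v = assess(version)
        print("%s  WBS %d  vulnerable=%s  %s" % (host, v.wbs_major, v.vulnerable, v.reason))
    print("needs action:", hosts_needing_action(sample))
```

The field-by-field comparison is the point worth copying: a build such as 26.5.0.100 is older than 26.49.9.2838 and must be flagged, but a plain string comparison would call it newer. Unknown major versions are reported as "not covered" rather than "fixed" so they end up on the action list and get looked at by a person.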
Software Versions and Fixes
===========================

The WebEx meeting service currently maintains three different versions of software. WebEx meeting service servers run one of the following versions: WBS 23, WBS 25, or WBS 26.

Clients will receive an upgrade automatically in accordance with the process that is outlined in the Obtaining Fixed Software section of this advisory, within the time frame that is outlined in the WebEx Upgrade Timeline subsection of this advisory. Cisco WebEx will not offer the modified atucfobj.dll as a separate download.

Workarounds
===========

WebEx meeting participants who join a WebEx meeting that is hosted by a server with fixed software will download a fixed version of atucfobj.dll prior to joining the meeting. Several other workarounds are described in the following subsections.

Manually Upgrading WebEx Meeting Manager
+---------------------------------------

Users can verify that the WebEx meeting service server they are connecting to is running fixed code via the method described in the Identifying WebEx Meeting Service Version subsection of the Details section of this Security Advisory. If the WebEx server is running a fixed version of the software, users can manually download and install the Meeting Manager client to ensure their copy of atucfobj.dll is not vulnerable.

Removing WebEx Meeting Manager
+-----------------------------

It is possible to remove the WebEx Meeting Manager component from Microsoft Windows by using the Add or Remove Programs utility in the Windows Control Panel:

1. In Windows, choose Start > Control Panel.
2. Double-click Add or Remove Programs.
3. Double-click WebEx.
4. In the pop-up menu, check the Meeting Manager box and click Uninstall.
5. Follow the prompts to complete the uninstall process and restart the system.
NOTE: After uninstalling the WebEx Meeting Manager, users that join a WebEx meeting that is hosted by a vulnerable version will again download and install a vulnerable atucfobj.dll.

Disabling atucfobj.dll by Setting the Kill Bit
+---------------------------------------------

It is possible to disable the execution of atucfobj.dll by using a configuration setting in Microsoft Windows. This method is called setting the kill bit for the DLL. Once set, the kill bit prevents atucfobj.dll from loading, which prevents exploitation of the vulnerability. Instructions for setting the kill bit in Microsoft Windows are available at the following location:

http://support.microsoft.com/kb/240797

Setting the kill bit for atucfobj.dll will persist even after a fixed version of the DLL is installed. To re-enable the use of atucfobj.dll, the kill bit will need to be unset.

To disable atucfobj.dll, users must know the CLSID for the DLL. The CLSID for atucfobj.dll is:

{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080814-webex.shtml

Obtaining Fixed Software
========================

As outlined in the WebEx Upgrade Timeline section, WebEx meeting participants who join a WebEx meeting that is hosted by a server with fixed software will automatically download a fixed version of atucfobj.dll prior to joining the meeting. Clients can also upgrade manually by following the instructions in the Manually Upgrading WebEx Meeting Manager subsection of the Workarounds section of this advisory.

Clients can protect themselves without first accessing a WebEx server by following the instructions in the Removing WebEx Meeting Manager subsection of the Workarounds section of this advisory.
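The kill-bit workaround above in code, as an added example that is not part of the advisory or of Cisco's guidance. The registry location and flag value are Microsoft's, from the KB 240797 article the advisory cites: the kill bit is bit 0x400 of the REG_DWORD "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The function names and the .reg layout are my own. The code generates a reviewable .reg file for the atucfobj.dll CLSID, and on Windows read-modify-writes the value through winreg so that other compatibility flags already on the control survive; clearing uses the same path and removes only the kill bit, which is what the "unset" step above needs once the fixed DLL has arrived.

```python
"""Set, clear and verify the ActiveX kill bit for atucfobj.dll
(CLSID {32E26FD9-F435-4A20-A561-35D4B987CFDC}).

Added example, not code from Cisco or from the advisory.  Registry location
and flag value are those documented in Microsoft KB 240797: the kill bit is
bit 0x400 of the REG_DWORD "Compatibility Flags" under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}.
reg_file_text() is pure and runs anywhere; read_flags() and apply_kill_bit()
touch the registry and therefore only run on Windows, elevated.
"""
import re
import sys

ATUCFOBJ_CLSID = "{32E26FD9-F435-4A20-A561-35D4B987CFDC}"
KILL_BIT = 0x00000400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")


def normalize_clsid(clsid: str) -> str:
    """Accept the CLSID with or without braces, in any case, and return the
    canonical braced upper-case form.  Anything that is not a GUID is
    rejected so a typo cannot silently create an unrelated registry key."""
    core = clsid.strip().strip("{}").upper()
    if not CLSID_RE.match(core):
        raise ValueError("not a CLSID: %r" % clsid)
    return "{%s}" % core


def set_kill_bit(flags: int) -> int:
    # OR rather than assign: other compatibility flags on the value survive.
    return flags | KILL_BIT


def clear_kill_bit(flags: int) -> int:
    # Clears only bit 0x400, leaving any other flags in place.
    return flags & ~KILL_BIT


def has_kill_bit(flags: int) -> bool:
    return bool(flags & KILL_BIT)


def reg_file_text(clsid: str = ATUCFOBJ_CLSID, flags: int = KILL_BIT) -> str:
    """Text of a .reg file that writes Compatibility Flags for the control.
    A .reg import overwrites the whole DWORD, so the caller passes the full
    intended value (default: kill bit only)."""
    key = "HKEY_LOCAL_MACHINE\\%s\\%s" % (COMPAT_KEY, normalize_clsid(clsid))
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        "[%s]\r\n"
        "\"Compatibility Flags\"=dword:%08x\r\n"
    ) % (key, flags)


def _require_windows():
    if sys.platform != "win32":
        raise RuntimeError("kill bits live in the Windows registry; run this on Windows")


def read_flags(clsid: str = ATUCFOBJ_CLSID) -> int:
    """Current Compatibility Flags for the control; 0 if the key or value is
    absent.  Windows only."""
    _require_windows()
    import winreg  # importable only on Windows
    path = COMPAT_KEY + "\\" + normalize_clsid(clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return 0


def apply_kill_bit(clsid: str = ATUCFOBJ_CLSID, enable: bool = True) -> int:
    """Read-modify-write the kill bit through winreg; returns the new value.
    Needs Windows and an elevated process, since HKLM is written."""
    _require_windows()
    import winreg
    path = COMPAT_KEY + "\\" + normalize_clsid(clsid)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, path, 0,
                            winreg.KEY_READ | winreg.KEY_WRITE) as key:
        try:
            current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:
            current = 0
        new = set_kill_bit(current) if enable else clear_kill_bit(current)
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, new)
        return new


if __name__ == "__main__":
    # Print the .reg file for review; import it with regedit or reg.exe.
    print(reg_file_text(), end="")
```

Importing the .reg or calling apply_kill_bit() needs administrative rights because the key lives under HKLM. On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view, so the same value also has to be written under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility. Because a .reg import replaces the whole DWORD, use reg_file_text() only when you know the full intended value; the winreg path ORs and masks and is the safer way to unset later.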
Customers that need additional information can contact WebEx Global Support Services and Technical Support. WebEx Global Support Services and Technical Support can be reached through the WebEx support site at http://support.webex.com/support/support-overview.html or by phone at +1-866-229-3239 or +1-408-435-7088. Customers outside of the United States can reference the following link for local support numbers:

http://support.webex.com/support/phone-numbers.html

Exploitation and Public Announcements
=====================================

This issue has been publicly announced on multiple external forums and mailing lists. Exploit code has been made available.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------------------------------+
| Revision |                | Initial  |
| 1.0      | 2008-August-14 | public   |
|          |                | release  |
+--------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----

iD8DBQFIpMm986n/Gc8U/uARAsqfAJ4g2GVClGfEWNW85vZdjGE/IOLOIwCeLLfe
oB/jGGodR9UM/o0eMPGmYA0=
=piFk
-----END PGP SIGNATURE-----

From danletkeman at gmail.com Thu Aug 14 23:33:11 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 14 Aug 2008 22:33:11 -0500
Subject: [c-nsp] best way to load share adsl
Message-ID:

Hello,

I would like to setup load sharing on a 2621 for three adsl lines. Currently each of the adsl connections has a modem/router combo which is doing nat. All I need for the cisco router to do is load sharing or load balancing. What would be the best way to do this and could anyone recommend some documentation or a config?

Thanks,
Dan.
From christian.macnevin at gmail.com Thu Aug 14 23:59:33 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 14 Aug 2008 20:59:33 -0700
Subject: [c-nsp] 3560 ACL performance?
Message-ID:

Hi

So the marketing machine tells me 3650s do ACLs in hardware and zero performance hit blah blah. Anyone had any real world experience with high loads of packets on every interface under a simple ACL?

Thanks

From adrian at creative.net.au Fri Aug 15 00:40:40 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 15 Aug 2008 12:40:40 +0800
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To:
References:
Message-ID: <20080815044040.GG29116@skywalker.creative.net.au>

On Thu, Aug 14, 2008, Christian MacNevin wrote:
> Hi
> So the marketing machine tells me 3650s do ACLs in hardware and zero
> performance hit blah blah.
> Anyone had any real world experience with high loads of packets on
> every interface under a simple ACL?

they perform like the 3550's - It Just Works. Just make sure "simple ACL" translates to "is 100% programmed in hardware."

(I've done this on 3550, 3560, 3750, 10/100/1000 ports.)

Adrian

From christian.macnevin at gmail.com Fri Aug 15 01:31:32 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 14 Aug 2008 22:31:32 -0700
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: <20080815044040.GG29116@skywalker.creative.net.au>
References: <20080815044040.GG29116@skywalker.creative.net.au>
Message-ID: <966F0B84-839A-4F80-A3B2-433838F61DE4@gmail.com>

How do I know what's programmed in hardware? We're using basic ip lists blocking netbios ports.

On Aug 14, 2008, at 9:40 PM, Adrian Chadd wrote:
> On Thu, Aug 14, 2008, Christian MacNevin wrote:
>> Hi
>> So the marketing machine tells me 3650s do ACLs in hardware and zero
>> performance hit blah blah.
>> Anyone had any real world experience with high loads of packets on
>> every interface under a simple ACL?
>
> they perform like the 3550's - It Just Works.
> Just make sure "simple ACL"
> translates to "is 100% programmed in hardware."
>
> (I've done this on 3550, 3560, 3750, 10/100/1000 ports.)
>
> Adrian

From avayner at cisco.com Fri Aug 15 01:34:04 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 15 Aug 2008 07:34:04 +0200
Subject: [c-nsp] best way to load share adsl
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501BA869F@xmb-ams-331.emea.cisco.com>

Dan,

Take a look at this one:
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/12_4t/oer_12_4t_book.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, August 15, 2008 06:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] best way to load share adsl

Hello,

I would like to setup load sharing on a 2621 for three adsl lines. Currently each of the adsl connections has a modem/router combo which is doing nat. All I need for the cisco router to do is load sharing or load balancing. What would be the best way to do this and could anyone recommend some documentation or a config?

Thanks,
Dan.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nimal at fnbs.net Fri Aug 15 02:32:05 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Fri, 15 Aug 2008 14:32:05 +0800
Subject: [c-nsp] Monitoring concurrent connections on a ASA
Message-ID: <48A522E5.6050800@fnbs.net>

Hi guy,

Do you know if there is any way to monitor concurrent connections on a ASA firewall? Any snmp OID i can query that can return this value?

Thanks!
Nimal

From vinny at tellurian.com Fri Aug 15 02:42:17 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 15 Aug 2008 02:42:17 -0400
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <48A522E5.6050800@fnbs.net>
References: <48A522E5.6050800@fnbs.net>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF05646243E8B7A@exchangenj1>

There probably is an OID (check the ASA MIB from Cisco), but the ASA includes ASDM which will show you concurrent connections (as well as memory, cpu, and bandwidth load) in realtime. You can also just do "show conn count" while logged in.

-Vinny

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nimal David Sirimanne
> Sent: Friday, August 15, 2008 2:32 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Monitoring concurrent connections on a ASA
>
> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall? Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal

From dirkjan at os3.nl Fri Aug 15 03:30:13 2008
From: dirkjan at os3.nl (Dirk-Jan van Helmond)
Date: Fri, 15 Aug 2008 09:30:13 +0200 (CEST)
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <48A522E5.6050800@fnbs.net>
References: <48A522E5.6050800@fnbs.net>
Message-ID: <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>

Hi Nimal,

I use .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 with ASA 8.0.(3).

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.147.1.2.2.2.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true

regards,
Dirk-Jan

> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall?
> Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal

From matt at peterson.org Fri Aug 15 06:06:13 2008
From: matt at peterson.org (Matt Peterson)
Date: Fri, 15 Aug 2008 03:06:13 -0700
Subject: [c-nsp] Cisco authentication login page
In-Reply-To: <000401c8fe70$bab140b0$3013c210$@id.au>
References: <48A442B1.1020800@gmail.com> <000401c8fe70$bab140b0$3013c210$@id.au>
Message-ID:

A slight alternative exists in 12.4T, "Consent Feature" - see . It appears that it's possible to customize the HTML.

--Matt

On Aug 14, 2008, at 5:49 PM, Brett Looney wrote:
>> I'm trying to customize the default login page that the Cisco
>> router uses for authentication proxy (to authenticate users).

From lists.james.edwards at gmail.com Fri Aug 15 11:52:27 2008
From: lists.james.edwards at gmail.com (james edwards)
Date: Fri, 15 Aug 2008 09:52:27 -0600
Subject: [c-nsp] regex for logical and
Message-ID:

I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not hitting the right expression.

ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.

CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From stig.johansen at ementor.no Fri Aug 15 12:15:44 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Fri, 15 Aug 2008 18:15:44 +0200
Subject: [c-nsp] regex for logical and
In-Reply-To:
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360AC6B@100NOOSLMSG004.common.alpharoot.net>

Try "sh ip cache flow | inc AT3/0.1405.*163.65.47.29"

The ".*" part matches anything in between, like this:

.
  matches any single character
* extends the previous expression to "zero or more times"

So, you are saying "match any single character, zero or more times".

Take a look at http://www.cisco.com/en/US/docs/ios/termserv/configuration/guide/tsv_reg_express.html for some more information.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards
Sent: 15 August 2008 17:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] regex for logical and

I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not hitting the right expression.

ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.

CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From christian at broknrobot.com Fri Aug 15 12:16:07 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 15 Aug 2008 12:16:07 -0400
Subject: [c-nsp] regex for logical and
In-Reply-To:
References:
Message-ID:

.* should do the trick

RTR#sh ip cache flow | i Te1/1.*1.1.1.1
Te1/1    1.1.1.1    2.2.2.2    tcp  58436  443  1
Te1/1    1.1.1.1    2.2.2.2    tcp  57819  443  2
Te1/1    1.1.1.1    2.2.2.2    tcp  58424  443  1

On Fri, Aug 15, 2008 at 11:52 AM, james edwards wrote:
> I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not
> hitting the right expression.
>
> ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.
>
> CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29
>
> --
> James H.
> Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov

From danletkeman at gmail.com Fri Aug 15 13:00:46 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:00:46 -0500
Subject: [c-nsp] ip cef load sharing
Message-ID:

Hello,

I have a 2621 router running 12.3(26) and I would like to setup load sharing to multiple adsl lines. When I do a traceroute on the router it randomly picks a dsl line and seems to work fine. But when I do traceroute tests from a workstation it always seems to take the same adsl line. Is there something else I need to add to the configuration to make it pick random lines, or is there a timeout of some sort before it will select the next ip route?

Here is my config:

!
interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
ip route 0.0.0.0 0.0.0.0 192.168.10.11
!

The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11

Thanks,
Dan.

From rodunn at cisco.com Fri Aug 15 13:12:02 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 15 Aug 2008 13:12:02 -0400
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References:
Message-ID: <20080815171202.GH8654@rtp-cse-489.cisco.com>

Try ip load-sharing per-packet on both egress interfaces.

On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
> Hello,
>
> I have a 2621 router running 12.3(26) and I would like to setup load
> sharing to multiple adsl lines. When I do a traceroute on the router
> it randomly picks a dsl line and seems to work fine.
> But when I do
> traceroute tests from a workstation it always seems to take the same
> adsl line. Is there something else I need to add to the configuration
> to make it pick random lines, or is there a timeout of some sorts
> before it will select the next ip route
>
> Here is my config:
>
> !
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> ip http server
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.10.10
> ip route 0.0.0.0 0.0.0.0 192.168.10.11
> !
>
> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>
> Thanks,
> Dan.

From danletkeman at gmail.com Fri Aug 15 13:35:01 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:35:01 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To: <20080815171202.GH8654@rtp-cse-489.cisco.com>
References: <20080815171202.GH8654@rtp-cse-489.cisco.com>
Message-ID:

ip load-sharing per-packet

I tried adding this to F0/1 and the traceroute works now (it randomly picks either line), but there seems to be issues with maybe the MTU? If I try to browse websites I get page errors and some of the pictures and pages don't load.

Any ideas?

Thanks,
Dan.

On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
> Try ip load-sharing per-packet on both egress interfaces.
>
> On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>> Hello,
>>
>> I have a 2621 router running 12.3(26) and I would like to setup load
>> sharing to multiple adsl lines. When I do a traceroute on the router
>> it randomly picks a dsl line and seems to work fine. But when I do
>> traceroute tests from a workstation it always seems to take the same
>> adsl line.
>> Is there something else I need to add to the configuration
>> to make it pick random lines, or is there a timeout of some sorts
>> before it will select the next ip route
>>
>> Here is my config:
>>
>> !
>> interface FastEthernet0/0
>>  ip address 10.1.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> interface FastEthernet0/1
>>  ip address 192.168.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> ip http server
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>> !
>>
>> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>>
>> Thanks,
>> Dan.

From Gregori.Parker at theplatform.com Fri Aug 15 13:10:27 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Fri, 15 Aug 2008 10:10:27 -0700
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>
References: <48A522E5.6050800@fnbs.net> <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>
Message-ID: <1A9866F953006D45AEE0166066114E091278401F@TPMAIL02.corp.theplatform.com>

For our ASAs running 7.x, I use the following OID for total concurrent connections (the one Dirk sent returned "no such instance" for me):

.1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6

Here are other OIDs in that branch I see when walking:

# snmpwalk -v 2c .1.3.6.1.4.1.9.9.147.1.2.2.2.1
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.3.40.6 = STRING: "number of connections currently in use by the entire firewall"
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.3.40.7 = STRING: "highest number of connections in use at any one time since system startup"
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.4.40.6 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.4.40.7 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.5.40.6 = Gauge32: 1029
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.5.40.7 = Gauge32: 99821

HTH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dirk-Jan van Helmond
Sent: Friday, August 15, 2008 12:30 AM
To: Nimal David Sirimanne
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Monitoring concurrent connections on a ASA

Hi Nimal,

I use .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 with ASA 8.0.(3).

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.147.1.2.2.2.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true

regards,
Dirk-Jan

> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall? Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal

From rodunn at cisco.com Fri Aug 15 13:49:25 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 15 Aug 2008 13:49:25 -0400
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com>
Message-ID: <20080815174925.GL8654@rtp-cse-489.cisco.com>

On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
> ip load-sharing per-packet
>
> I tried adding this to F0/1 and the trace route works now(it randomly
> picks either line), but there seems to be issues with maybe the MTU?
> If I try to browse websites i get page errors and some of the pictures
> and pages don't load.
Yep...try configuring "ip tcp adjust-mss 1300" or so on the ingress interface from the LAN.

>
> Any ideas?
>
> Thanks,
> Dan.
>
> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
> > Try ip load-sharing per-packet on both egress interfaces.
> >
> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
> >> Hello,
> >>
> >> I have a 2621 router running 12.3(26) and I would like to setup load
> >> sharing to multiple adsl lines. When I do a traceroute on the router
> >> it randomly picks a dsl line and seems to work fine. But when I do
> >> traceroute tests from a workstation it always seems to take the same
> >> adsl line. Is there something else I need to add to the configuration
> >> to make it pick random lines, or is there a timeout of some sorts
> >> before it will select the next ip route
> >>
> >> Here is my config:
> >>
> >> !
> >> interface FastEthernet0/0
> >>  ip address 10.1.10.1 255.255.255.0
> >>  duplex auto
> >>  speed auto
> >> !
> >> interface FastEthernet0/1
> >>  ip address 192.168.10.1 255.255.255.0
> >>  duplex auto
> >>  speed auto
> >> !
> >> ip http server
> >> ip classless
> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
> >> !
> >>
> >> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
> >>
> >> Thanks,
> >> Dan.
From danletkeman at gmail.com Fri Aug 15 13:59:12 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:59:12 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To: <20080815174925.GL8654@rtp-cse-489.cisco.com>
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

Still seem to have the same problem even with this:

interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip tcp adjust-mss 1300
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip load-sharing per-packet
 duplex auto
 speed auto

Dan.

On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>> ip load-sharing per-packet
>>
>> I tried adding this to F0/1 and the trace route works now(it randomly
>> picks either line), but there seems to be issues with maybe the MTU?
>> If I try to browse websites i get page errors and some of the pictures
>> and pages don't load.
>
> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
> ingress interface from the LAN.
>
>>
>> Any ideas?
>>
>> Thanks,
>> Dan.
>>
>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>> > Try ip load-sharing per-packet on both egress interfaces.
>> >
>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>> >> Hello,
>> >>
>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>> >> it randomly picks a dsl line and seems to work fine. But when I do
>> >> traceroute tests from a workstation it always seems to take the same
>> >> adsl line.
>> >> Is there something else I need to add to the configuration
>> >> to make it pick random lines, or is there a timeout of some sorts
>> >> before it will select the next ip route
>> >>
>> >> Here is my config:
>> >>
>> >> !
>> >> interface FastEthernet0/0
>> >>  ip address 10.1.10.1 255.255.255.0
>> >>  duplex auto
>> >>  speed auto
>> >> !
>> >> interface FastEthernet0/1
>> >>  ip address 192.168.10.1 255.255.255.0
>> >>  duplex auto
>> >>  speed auto
>> >> !
>> >> ip http server
>> >> ip classless
>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>> >> !
>> >>
>> >> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>> >>
>> >> Thanks,
>> >> Dan.

From jlewis at lewis.org Fri Aug 15 14:12:25 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 15 Aug 2008 14:12:25 -0400 (EDT)
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

On Fri, 15 Aug 2008, Dan Letkeman wrote:

> Still seem to have the same problem even with this:
>
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  ip tcp adjust-mss 1300
>  duplex auto
>  speed auto
>
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  ip load-sharing per-packet
>  duplex auto
>  speed auto

You failed to mention whether these 2 DSL lines go to the same ISP and whether that ISP is setup to support your per-packet load sharing. Also, as you're using private IPs and talking about web access, I assume there's NAT. Where is the NAT being done? If your output traffic through each DSL router is NAT'd by that DSL router to a different public IP, your setup is not going to work.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jason at pins.net Fri Aug 15 22:38:25 2008
From: jason at pins.net (Jason Berenson)
Date: Fri, 15 Aug 2008 22:38:25 -0400
Subject: [c-nsp] Verizon TLS
Message-ID: <48A63DA1.9030401@pins.net>

Greetings,

I'm curious to get some input from everyone about Verizon's TLS service. What do you think of it? What kind of hardware do you use at your edge and at the CPE? Example configs?

We have a GigE connection at the core and order 100M circuits with whatever size EVC we require for the customer. I use rate limiting on the customer's ethernet interface. A basic /30 serial between us and them and a static route in both directions.

I have seen some strange things happen. This is a forklift upgrade for one customer that's going from 2 T1s to 10M TLS. When I had them connect our TLS router to their public switch things went nuts on the VZ side of the circuit (2500PPS) and stayed at around 100PPS on the customer side. This doesn't make much sense to me considering the T1 router has no problems and it's not like we're connecting a switch on our side to a switch on their side and causing a loop somewhere; there's a router at both ends. I originally suspected VZ as the problem but eliminated that idea by connecting a laptop directly to the customer hand off. The core router is a Cisco 7206VXR and the CPE is a 2651XM. When he connected a switch with no VLANs on it things quieted down a bit. It's pretty obvious his switch is causing a problem but why it has issues with the TLS and not the T1s is beyond me.

Here's a quick diagram:

Servers
   |
7206VXR ---------TLS-------- 2651XM ------- Public switch ------- Firewall ------- LAN

CPE config:

interface FastEthernet0/0
 desc TLS side
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.xxx
 encapsulation dot1Q xxx
 ip address 192.168.1.2 255.255.255.252
 (rate limit to 10M)
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Core config:

interface GigabitEthernet0/3
 no ip address
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/3.xxx
 encapsulation dot1Q xxxx
 ip address 192.168.1.1 255.255.255.252
 no cdp enable
!
ip route 10.10.10.0 255.255.255.0 192.168.1.2

Any input would be greatly appreciated.

-Jason

From list-cisco-nsp at pwns.ms Fri Aug 15 23:37:03 2008
From: list-cisco-nsp at pwns.ms (list-cisco-nsp at pwns.ms)
Date: Sat, 16 Aug 2008 03:37:03 +0000
Subject: [c-nsp] Verizon TLS
Message-ID: <20080816033703.GA28942@pwns.ms>

> Servers
>
>    |
> 7206VXR ---------TLS-------- 2651XM ------- Public switch -------
> Firewall ------- LAN
>
> CPE config:
>
> interface FastEthernet0/0
>  desc TLS side
>  no ip address
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/0.xxx
>  encapsulation dot1Q xxx
>  ip address 192.168.1.2 255.255.255.252
>  (rate limit to 10M)
>  no cdp enable
[snip]
> ip route 0.0.0.0 0.0.0.0 192.168.1.1

Your diagram and config conflict with each other; according to the config, you're routing to the TLS *through* the switch. According to the diagram, the 2651XM is directly connected to the TLS, and is directly connected to the switch.

My guess is that the switch leaks traffic between VLANs. The easiest workaround is probably just to connect the 2651XM directly to the TLS. They didn't have the problem with the T1s since they weren't going through the switch.

From junaid.x86 at gmail.com Sat Aug 16 01:03:16 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Sat, 16 Aug 2008 11:03:16 +0600
Subject: [c-nsp] IP/MPLS Design Resource
Message-ID:

Hi,

Can you please recommend/refer me to some good books/online-resource on IP/MPLS design?
I am thinking of making an investment and buying a few books. Will appreciate if you can recommend any titles.

Thanks.

Regards,
Junaid

From frnkblk at iname.com Sat Aug 16 01:49:50 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Sat, 16 Aug 2008 00:49:50 -0500
Subject: [c-nsp] 1252ag backwards compatibility
In-Reply-To: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com>
References: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com>
Message-ID:

Yes, backward-compatibility can be prevented by running Greenfield mode, but I'm not sure if that's possible on the Cisco 1252.

802.11n clearly has the capability for a higher PPS than 802.11b/a/g if you fix the packet size, but I'm not sure what you mean about the processors.

Frank

-----Original Message-----
From: Rubens Kuhl Jr. [mailto:rubensk at gmail.com]
Sent: Wednesday, August 13, 2008 6:45 PM
To: frnkblk at iname.com
Cc: Dan Letkeman; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 1252ag backwards compatibility

Can it be prevented, i.e., configuring 1252 to only run 802.11n, even in WDS mode?

We are hoping that 802.11n can improve on Wi-Fi tradition of having low pps rate, which is due to the sum of the 802.11b/a/g standard and low speed processors on the devices.

Rubens

On Wed, Aug 13, 2008 at 7:49 PM, Frank Bulk - iNAME wrote:
> Dan:
>
> Unless you're running Greenfield mode, which I'm not sure you can even
> configure on a Cisco AP, there's full backward compatibility such that
> 802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz
> support, of course) operate at n. Be aware that mixing 802.11n with
> 802.11b/g clients will reduce overall performance, but not significantly
> enough to devalue running 802.11n.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Tuesday, August 12, 2008 8:02 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 1252ag backwards compatibility
>
> Hello,
>
> I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell
> me if you have 802.11g clients and some 802.11n clients all on 2.4ghz,
> do the 802.11n clients run at 802.11n and the 802.11g clients run at
> 802.11g? Or does everything run at 802.11g?
>
> Thanks,
> Dan.

From hashng at gmail.com Sat Aug 16 04:09:52 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sat, 16 Aug 2008 11:09:52 +0300
Subject: [c-nsp] Limiting Broadcast and Multicast
Message-ID:

Hi guys

My network has a huge L2 broadcast coming from the clients connected (through DSLAMs). The customer edge facing interfaces are on a 76k with 7600-ES20-GE and 7600-ES20-10G; AFAIK these cards don't support storm-control. What other variants and options do I have in limiting this garbage before it gets to my network?

TIA
Hash

From amolsapkal at gmail.com Sat Aug 16 10:31:59 2008
From: amolsapkal at gmail.com (Amol Sapkal)
Date: Sat, 16 Aug 2008 18:31:59 +0400
Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
Message-ID:

Hello all,

I am looking at a firewall configuration, which has multiple DMZs.
Of these, here are the configurations for three DMZs:

DMZ A: security level 50
DMZ B: security level 20
DMZ C: security level 0

Subnet X belongs to DMZ A
Subnet Y belongs to DMZ B
Subnet Z belongs to DMZ C

Rules:
Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using ACL)
Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A access-list
On DMZ C, there is a 'permit ip any any' (incoming access-list)

PIX software: v7.2(1)

Analysis:
Because subnet X is 'nat exempted', it will translate as-is for any traffic originating towards and from (bi-directional behaviour) the subnet Y. BUT, this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A subnet tries to direct any traffic towards DMZ C subnet).

Understanding:
Given the above configuration (and my analysis), if there is any traffic originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
Also, if there is any traffic originating from DMZ C to DMZ A (lower to higher), the traffic will be allowed because the ACLs allow those and because the NAT exemption rule will translate the subnet on all DMZs (assuming there was an attempt initially to send traffic towards DMZ C, from DMZ A).

It's been a year now that I touched a PIX, and now am unable to remember how this works. Would be nice if someone here could help me validate my understanding of the above.

Thanks in advance.
--
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind gets pretty crowded"
-------------------------------------------------------------------

From hashng at gmail.com Sat Aug 16 11:09:56 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sat, 16 Aug 2008 18:09:56 +0300
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
Message-ID:

Hi guys

I am trying to find a feature that will be able to replace Route Bridge Encapsulation, because we are migrating to the 12.2S and it does not support that feature. Any thoughts or ideas will be useful. Thanks

TIA
Hash

From gert at greenie.muc.de Sat Aug 16 11:29:21 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 16 Aug 2008 17:29:21 +0200
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
References:
Message-ID: <20080816152921.GL288@greenie.muc.de>

Hi,

On Mon, Aug 11, 2008 at 05:08:23PM -0400, Joe Loiacono wrote:
> PS - Should I worry (alot) about being at or slightly above the 40 Km
> distance?

The key question is, how much loss (in dB) do you have on that line, and on the tolerances of the X2 optics in question - a "best case" X2 will transmit with +4.0 dBm, while a "worst case" X2 will transmit with -4.7 dBm, according to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0btransc.html

- so with a receiver sensitivity of -15.8 dBm, you have a power budget of 11.1 dB to 19.8 dB.

11.1 dB is very tight for a 40km span - you need good fibers, and nearly no patches in between (every patch brings about 0.5 dB loss).

You need to ask your carrier about the attenuation of the fiber path.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Sat Aug 16 11:31:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 16 Aug 2008 17:31:39 +0200
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To:
References:
Message-ID: <20080816153139.GM288@greenie.muc.de>

Hi,

On Sat, Aug 16, 2008 at 06:09:56PM +0300, Hash Aminu wrote:
> I am trying to find a Feature that will be able to replace Route bridge
> Encapsulation..because we are migrating to the 12.2S and does not support
> that feature..any thoughts or Ideas will be useful. Thanks

Makes me wonder why you would want to migrate to a dead IOS train that doesn't deliver what you want...

But if you insist on feeling the pain, the alternative to RBE is "classical" ATM bridging - setup a BVI interface, a bridge-group, and put the ATM VC into the bridge group. Nasty, does not scale well (maximum of 255 bridge-groups), and much more convoluted configuration.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From mksmith at adhost.com Sat Aug 16 11:43:51 2008
From: mksmith at adhost.com (Michael Smith)
Date: Sat, 16 Aug 2008 08:43:51 -0700
Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
In-Reply-To:
Message-ID:

Hello Amol:

By my reading you are correct. The basic rule is "nat from higher to lower, ACL from lower to higher." You have to have NAT translations when going from a higher security level to a lower security level, so from DMZ A to DMZ B or C in your example.
If you don't want that traffic to be translated, you'll need a NAT statement that exempts all traffic back and forth between the two security areas. As an example:

nat (dmz-c) 0 access-list to-dmz-b
nat (dmz-b) 0 access-list to-dmz-c

access-list to-dmz-b permit ip
access-list to-dmz-c permit ip

These would be in addition to any translations you *want* to occur, using 'nat (interface) 1'

Hope that helps,

Mike

> From: Amol Sapkal
> Date: Sat, 16 Aug 2008 18:31:59 +0400
> To: cisco-nsp
> Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
>
> Hello all,
>
> I am looking at a firewall configuration, which has multiple DMZs. Of these,
> here are the configurations for three DMZs
>
> DMZ A: security level 50
> DMZ B: security level 20
> DMZ C: security level 0
>
> Subnet X belongs to DMZ A
> subnet Y belongs to DMZ B
> Subnet Z belongs to DMZ C
>
> Rules:
> Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using
> ACL)
> Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A
> access-list
> On DMZ C, there is a 'permit ip any any' (incoming access-list)
>
> PIX software: v7.2(1)
>
> Analysis:
> Because subnet X is 'nat exempted', it will translate as-is for any traffic
> originating towards and from (bi-directional behaviour) the subnet Y. BUT,
> this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A
> subnet tries to direct any traffic towards DMZ C subnet).
>
> Understanding:
> Given the above configuration (and my analysis), if there is any traffic
> originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
> Also, if there any traffic originating from DMZ C to DMZ A (lower to
> higher), the traffic will be allowed because the ACLs allow those and
> because the NAT exemption rule will translate the subnet on all DMZs
> (assuming there was an attempt initially to send traffic towards DMZ C, from
> DMZ A)
>
> It's been a year now that I touched a PIX, and now am unable to remember how
> this works.
> Would be nice if someone here could help me validate my
> understanding of the above.
>
> Thanks in advance.
>
>
> --
> Warm regards,
>
> Amol Sapkal
>
> -------------------------------------------------------------------
> "When I'm not in my right mind, my left mind
> gets pretty crowded"
> -------------------------------------------------------------------

From jason at pins.net Sat Aug 16 14:13:28 2008
From: jason at pins.net (Jason Berenson)
Date: Sat, 16 Aug 2008 14:13:28 -0400
Subject: [c-nsp] Verizon TLS
In-Reply-To: <20080816033703.GA28942@pwns.ms>
References: <20080816033703.GA28942@pwns.ms>
Message-ID: <48A718C8.5000505@pins.net>

Huh? FA0/0 connects directly to the TLS and FA0/1 connects to the customer switch. The TLS passes through the router before it ever hits their public switch.

list-cisco-nsp at pwns.ms wrote:
>> Servers
>>
>>    |
>> 7206VXR ---------TLS-------- 2651XM ------- Public switch -------
>> Firewall ------- LAN
>>
>> CPE config:
>>
>> interface FastEthernet0/0
>>  desc TLS side
>>  no ip address
>>  speed 100
>>  full-duplex
>> !
>> interface FastEthernet0/0.xxx
>>  encapsulation dot1Q xxx
>>  ip address 192.168.1.2 255.255.255.252
>>  (rate limit to 10M)
>>  no cdp enable
>>
> [snip]
>
>> ip route 0.0.0.0 0.0.0.0 192.168.1.1
>>
>
> Your diagram and config conflict with each other; according to the config, you're routing to the TLS *through* the switch. According to the diagram, the 2651XM is directly connected to the TLS, and is directly connected to the switch.
>
> My guess is that the switch leaks traffic between VLANs. The easiest workaround is probably just to connect the 2651XM directly to the TLS. They didn't have the problem with the T1s since they weren't going through the switch.
From ben.steele at internode.on.net Sat Aug 16 19:35:37 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Sun, 17 Aug 2008 09:05:37 +0930
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

Dan, the reason you're having issues is not MTU related, it's NAT related. Because you have 3 ADSL lines each doing NAT against a different outside IP, when you turn on per-packet load sharing you end up with flows to the same destination having different source IP addresses.

Your only option is per-destination load balancing (ie the default). One way you can tweak this a little without breaking too much is to change the standard algorithm to include ports. Try adding "ip cef load-sharing algorithm include-ports destination" into your global config once you've removed your per-packet load sharing and see how you go.

You are never going to get perfect load balancing in your scenario, but if you have enough hosts on your LAN it should be sufficient enough. One way you can do per-packet is if you get another IP routed down all 3 adsl lines and put it on a loopback and NAT everything against that.

Ben

----- Original Message -----
From: "Dan Letkeman"
To: "Rodney Dunn" ;
Sent: Saturday, August 16, 2008 3:29 AM
Subject: Re: [c-nsp] ip cef load sharing

> Still seem to have the same problem even with this:
>
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  ip tcp adjust-mss 1300
>  duplex auto
>  speed auto
>
>
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  ip load-sharing per-packet
>  duplex auto
>  speed auto
>
> Dan.
>
> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>>> ip load-sharing per-packet
>>>
>>> I tried adding this to F0/1 and the trace route works now (it randomly
>>> picks either line), but there seems to be issues with maybe the MTU?
>>> If I try to browse websites I get page errors and some of the pictures
>>> and pages don't load.
>>
>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>> ingress interface from the LAN.
>>
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Dan.
>>>
>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>>> > Try ip load-sharing per-packet on both egress interfaces.
>>> >
>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>> >> Hello,
>>> >>
>>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>>> >> it randomly picks a dsl line and seems to work fine. But when I do
>>> >> traceroute tests from a workstation it always seems to take the same
>>> >> adsl line. Is there something else I need to add to the
>>> >> configuration
>>> >> to make it pick random lines, or is there a timeout of some sorts
>>> >> before it will select the next ip route
>>> >>
>>> >> Here is my config:
>>> >>
>>> >> !
>>> >> interface FastEthernet0/0
>>> >>  ip address 10.1.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> interface FastEthernet0/1
>>> >>  ip address 192.168.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> ip http server
>>> >> ip classless
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>> >> !
>>> >>
>>> >> The two adsl modem/routers I have are 192.168.10.10, and
>>> >> 192.168.10.11
>>> >>
>>> >> Thanks,
>>> >> Dan.
From fbulk at nwc.com Sun Aug 17 00:05:04 2008
From: fbulk at nwc.com (Frank Bulk)
Date: Sat, 16 Aug 2008 23:05:04 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

There are a couple of companies that can help with this, too, though it's not Cisco-related:

http://www.sharedband.com/
http://www.mushroomnetworks.com/
http://www.xrio.com/website/

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Saturday, August 16, 2008 6:36 PM
To: Dan Letkeman; Rodney Dunn; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip cef load sharing

Dan, the reason you're having issues is not MTU related, it's NAT related. Because you have 3 ADSL lines each doing NAT against a different outside IP, when you turn on per-packet load sharing you end up with flows to the same destination having different source IP addresses.

Your only option is per-destination load balancing (ie the default). One way you can tweak this a little without breaking too much is to change the standard algorithm to include ports. Try adding "ip cef load-sharing algorithm include-ports destination" into your global config once you've removed your per-packet load sharing and see how you go.
From hashng at gmail.com Sun Aug 17 04:55:00 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sun, 17 Aug 2008 11:55:00 +0300
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <20080816153139.GM288@greenie.muc.de>
References: <20080816153139.GM288@greenie.muc.de>
Message-ID:

Hi Gert,

Thank you for the response. We are moving to 12.0S (7500 router to have L2VPN support, which is not supported on the 12.4T that supports the RBE). I just checked the Cisco FN and classical bridging is not supported on the "S" train.
Any more inputs will be appreciated.

Thanks
Hash

On Sat, Aug 16, 2008 at 6:31 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Aug 16, 2008 at 06:09:56PM +0300, Hash Aminu wrote:
> > I am trying to find a Feature that will be able to replace Route bridge
> > Encapsulation..because we are migrating to the 12.2S and does not support
> > that feature..any thoughts or Ideas will be useful. Thanks
>
> Makes me wonder why you would want to migrate to a dead IOS train that
> doesn't deliver what you want...
>
> But if you insist on feeling the pain, the alternative to RBE is
> "classical"
> ATM bridging - setup a BVI interface, a bridge-group, and put the ATM VC
> into the bridge group. Nasty, does not scale well (maximum of 255 bridge-
> groups), and much more convoluted configuration.
>
> gert

From gert at greenie.muc.de Sun Aug 17 05:05:30 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 17 Aug 2008 11:05:30 +0200
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To:
References: <20080816153139.GM288@greenie.muc.de>
Message-ID: <20080817090530.GP288@greenie.muc.de>

Hi,

On Sun, Aug 17, 2008 at 11:55:00AM +0300, Hash Aminu wrote:
> Thank you for the response, we are moving to 12.0S (7500 router to have a
> L2VPN support which is not supported on the 12.4T that supports the RBE).

From the comments seen on this list, I don't think that any sort of L2VPN on 7500s is a good idea. 7500 is pretty much a dead and unsupported platform these days.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
From sami.joseph at gmail.com Sun Aug 17 18:41:07 2008
From: sami.joseph at gmail.com (Sami Joseph)
Date: Mon, 18 Aug 2008 01:41:07 +0300
Subject: [c-nsp] MPLS VPN QoS on a SP core
Message-ID: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com>

Hello,

Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?

Thanks,
Sam

From danletkeman at gmail.com Sun Aug 17 19:15:09 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 17 Aug 2008 18:15:09 -0500
Subject: [c-nsp] content filter placement in data center
Message-ID:

Hello,

I have a few questions regarding content filter placement and routing in the data center. I would like to place our content/spyware/web filter in our data center, but I would like to place it in such a way that if it fails or has problems it does not take everything down.

Currently I have a Cisco router with two fast ethernet interfaces, and I have two internet connections to different ISP's. One of the connections is used for download for all of the users and the other connection is used for services (www, ftp, mail, etc). On the cisco router I am policy routing for those services and for the users. The current content filter is inline with the router and the rest of the network as a default route on the switch.

3560switch-------content filter-----------router--------internet (isp1)
                                              |
                                              -------------internet (isp2)

Is there a way to connect it to the router and use policy routing, and the verify availability option so that if the content filter is down the system still works without it?

Thanks,
Dan.
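One way to build what the question above asks for, written here as an added example rather than anything from Dan's router or the thread: policy-based routing on the LAN-facing interface sends user traffic to the filter with "set ip next-hop verify-availability ... track", and the tracked object follows an IP SLA ICMP probe against the filter's ingress address. While the probe succeeds, packets go to the filter; when it fails, the route-map entry is skipped and packets fall through to the normal routing table, so the LAN keeps working without the filter. Every address and interface here is an assumption (users in 10.1.10.0/24 behind FastEthernet0/0, the filter's ingress at 10.0.0.2 on a /30 off FastEthernet0/1), as are the probe timers.

```cisco
! Added example, not from the thread. Assumed topology:
!   FastEthernet0/0  10.1.10.1/24  -> LAN (3560 switch, users in 10.1.10.0/24)
!   FastEthernet0/1  10.0.0.1/30   -> content filter ingress at 10.0.0.2
!   Internet-facing interface(s) carry the normal default route(s).
!
! 1. Probe the filter's ingress address every 5 s. Timers are assumptions;
!    "timeout" is how long to wait for a reply, "threshold" the RTT that
!    counts as "over threshold" in the SLA statistics.
ip sla 1
 icmp-echo 10.0.0.2 source-interface FastEthernet0/1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! 2. Tracked object follows the probe. The dampening delays stop a single
!    lost reply from flapping the policy; state changes are logged by IOS.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Only user traffic is policy-routed. Traffic to the filter link itself
!    is excluded so the filter's own replies are never re-steered to it.
ip access-list extended USERS-TO-FILTER
 deny   ip 10.1.10.0 0.0.0.255 10.0.0.0 0.0.0.3
 permit ip 10.1.10.0 0.0.0.255 any
!
! 4. verify-availability: the next hop is used only while track 1 is up.
!    If the track is down the entry is skipped and the packet is forwarded
!    by the ordinary routing table (fail-open, by design).
route-map TO-FILTER permit 10
 match ip address USERS-TO-FILTER
 set ip next-hop verify-availability 10.0.0.2 10 track 1
!
interface FastEthernet0/0
 description LAN towards 3560
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map TO-FILTER
!
interface FastEthernet0/1
 description towards content filter ingress
 ip address 10.0.0.1 255.255.255.252
```

"show track 1" and "show ip sla statistics 1" show whether the router currently believes the filter is reachable, and "show route-map TO-FILTER" counts policy matches, so a quiet counter while the track is up means the ACL or interface is wrong rather than the filter. On older IOS trains the tracked object is written "track 1 rtr 1 reachability" instead of "ip sla". Two caveats worth keeping in mind: the probe only proves that the filter's interface answers ICMP, not that it is filtering, so a filter that is up but misbehaving is never bypassed; and because the fallback is deliberately fail-open, the %TRACKING-5-STATE messages the router logs on an Up->Down change are what tell you users are browsing unfiltered and should be alerted on. Return traffic from the Internet is not covered by this fragment; whether it needs a mirror-image policy on the Internet-facing interface depends on how the filter's egress side is attached, which the post does not say.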
From adrian at creative.net.au Sun Aug 17 19:17:33 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Mon, 18 Aug 2008 07:17:33 +0800
Subject: [c-nsp] content filter placement in data center
In-Reply-To:
References:
Message-ID: <20080817231733.GG4568@skywalker.creative.net.au>

On Sun, Aug 17, 2008, Dan Letkeman wrote:

> Is there a way to connect it to the router and use policy routing, and
> the verify availability option so that if the content filter is down
> the system still works with out it?

Yes.

* Does the content filter speak WCCPv2? Or can you glue it to Squid? If so, try WCCPv2.

* Otherwise, see if your platform/IOS supports object tracking and conditional route maps. You can set things up to use a route-map (or route!) if a destination host is reachable via ICMP.

The archives have details on both of these.

Adrian

From andy.saykao at staff.netspace.net.au Sun Aug 17 21:09:47 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 18 Aug 2008 11:09:47 +1000
Subject: [c-nsp] IP/MPLS Design Resource
Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365486E@vic-cr-ex1.staff.netspace.net.au>

Hi Junaid,

Welcome to the world of MPLS. I'm currently going through the same thing and have been designing and fine tuning our MPLS network for the past few months. The guys on NSP are very knowledgeable so if you get stuck, try posting on the forum. Special thanks to Oli who's been helping me a fair bit :)

Here's a book I recommend. Read the first few chapters to give you a good foundation.

* MPLS Fundamentals by Luc De Ghein

Also nothing beats some hands on experience and these labs are a great introduction. I used GNS3 to simulate these labs (http://www.gns3.net/).

* MPLS Series - Vol. 1 - Basic MPLS
  http://blog.humanmodem.com/?p=115
* MPLS Series - Vol.
2 - MPLS VPN
  http://blog.humanmodem.com/?p=121

I also went through the Cisco PEC (Partner Education Connection) web site and listened to most of this series:

* Implementing Cisco Multi-Protocol Label Switching (MPLS) 2.1 - EXPRESS
  http://www.cisco.com/web/learning/le36/learning_partner_e-learning_connection_tool_launch.html

--
Regards,

Andy Saykao
System Administrator
Netspace Online Systems
Ph : 03 9811 0049
Mob : 0401 422 406
Fax : 03 9811 0044
Email: andy.saykao at staff.netspace.net.au

-----Original Message-----
Message: 4
Date: Sat, 16 Aug 2008 11:03:16 +0600
From: Junaid
Subject: [c-nsp] IP/MPLS Design Resource
To: cisco-nsp
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Can you please recommend/refer me to some good books/online-resource on IP/MPLS design? I am thinking of making an investment and buying a few books. Will appreciate if you can recommend any titles.

Thanks.

Regards,
Junaid

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From adrian at enfusion-group.com Sun Aug 17 21:43:04 2008
From: adrian at enfusion-group.com (Adrian Chung)
Date: Sun, 17 Aug 2008 21:43:04 -0400
Subject: [c-nsp] IBM CIGESM aggregation and Private VLANs.
Message-ID:

Apologies if this has been discussed before on this list, feel free to point me in the right direction, though the usual searches didn't turn anything up.
A couple of questions about Private VLANs between PVLAN speaking switches and non-PVLAN speaking switches.

In the process of setting up a couple of Cisco Intelligent Gigabit Ethernet Switch Modules - these are the Cisco 2950-like switches that come as a modular option in IBM Blade Center server chassis. They have 4 external uplink ports and no private VLAN support. We're connecting them up to a couple of 6500s over port-channelled bundles but are running up against questions surrounding private VLANs and trunking, particularly between switches which do and do not support PVLANs.

For argument's sake, let's say the 6500s have an isolated PVLAN numbered 101, where the primary is 100. On the CIGESM side, there is no support for PVLANs, and the blades themselves only have 2 NICs. Because there are more than 2 VLANs to carry into each blade, the OS is configured for VLAN tagging.

In testing, if we tag VLAN 101 in the OS, no communication to other isolated or promiscuous PVLAN ports happens across the trunk on the 6500. If we tag VLAN 100 in the OS, the OS has communication to all of the promiscuous ports and none of the other isolated ports, just like a proper isolated PVLAN port would.

If I check the mac-address-table on the CIGESM trunk-port side, I see both entries for VLAN 100 (mapping back, all correspond to promiscuous ports) and VLAN 101 (mapping back, corresponding to isolated ports). Weird thing is, even if an interface tagged VLAN 101 is brought up in the OS, and a tcpdump is run on it, no traffic from other isolated PVLAN 101 ports is ever seen.

A couple of questions around this behaviour:

1. Does anyone actually know how PVLANs are tagged and carried across a regular trunk? Is it simply tagged with the appropriate primary or secondary VLAN tags and expected that the receiving switch understands PVLANs and maps the secondaries the same way as the sender?

2.
The scenario above with the OS tagging the primary VLAN but still seemingly maintaining isolation from other isolated ports and being able to reach promiscuous ports is technically fine, but what security issues surround this configuration? Cisco's documentation touches upon making sure that all switches involved in PVLAN trunking support PVLANs to ensure that no security is lost...
3. Does anyone else use CIGESMs and have requirements to see more than two VLANs inside the OS which are a mix of both regular and PVLAN ports, and if so, how do you configure your environment?
(As an aside, this particular H blade chassis supports additional CIGESM modules and the blades can take an additional two NICs, which would mean we could have 4 CIGESMs and the problem goes away -- except for the fact that that means there's no room for Fiber Channel connectivity, which is also a requirement). -- Adrian Chung From danletkeman at gmail.com Sun Aug 17 21:45:28 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Sun, 17 Aug 2008 20:45:28 -0500 Subject: [c-nsp] content filter placement in data center In-Reply-To: <20080817231733.GG4568@skywalker.creative.net.au> References: <20080817231733.GG4568@skywalker.creative.net.au> Message-ID: I'm still a bit confused as to how I would connect this to the router? The filter appliance has an ingress and egress interface and only works in this configuration. Would I route-map incoming traffic and outgoing traffic to and from the router? I would like to make sure all incoming and outgoing traffic is filtered. I'm visualizing this configuration:

                      --------------internet
                      |
switch----------router---------content filter
                      |
                      --------------wccp cache

So if I route-map source ip's(workstations) to the content filter, the content filter will redirect the traffic back to the router and out the default route to the internet, but do I need to route-map the internet traffic back to the content filter?
If I don't, won't the traffic just go back into the network unfiltered? Would I be better off using my current configuration and rather setting up an object track between the switch and router with an alternate route? eg:

switch----------content filter------------router-------------internet
  |                                               |
  -------------------------------------------------

Thanks, Dan.

On Sun, Aug 17, 2008 at 6:17 PM, Adrian Chadd wrote:
> On Sun, Aug 17, 2008, Dan Letkeman wrote:
>
>> Is there a way to connect it to the router and use policy routing, and
>> the verify availability option so that if the content filter is down
>> the system still works without it?
>
> Yes.
>
> * Does the content filter speak WCCPv2? Or can you glue it to Squid?
>   If so, try WCCPv2.
>
> * Otherwise, see if your platform/IOS supports object tracking and
>   conditional route maps. You can set things up to use a route-map
>   (or route!) if a destination host is reachable via ICMP.
>
> The archives have details on both of these.
>
>
> Adrian
>
>
From swmike at swm.pp.se Mon Aug 18 01:41:48 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 18 Aug 2008 07:41:48 +0200 (CEST) Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> Message-ID: On Mon, 18 Aug 2008, Sami Joseph wrote:
> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?

Yes. Depends on what you want, but you can for instance mark MPLS EXP for the traffic in a certain VPN and treat those packets differently in your core. -- Mikael Abrahamsson email: swmike at swm.pp.se From Toby.Burrows at qubenet.net Mon Aug 18 04:51:57 2008 From: Toby.Burrows at qubenet.net (Toby Burrows (Qube)) Date: Mon, 18 Aug 2008 09:51:57 +0100 Subject: [c-nsp] 11503 ssl redundancy synch Message-ID: Hi all, I have 2 css11503's in active/passive redundancy config.
When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck. The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy, the question is should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something? Thanks in advance Toby Burrows Network Engineer Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71 This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person. Please consider the environment - do you really need to print this email? From sami.joseph at gmail.com Mon Aug 18 05:04:57 2008 From: sami.joseph at gmail.com (Sami Joseph) Date: Mon, 18 Aug 2008 12:04:57 +0300 Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> Message-ID: <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> Hi Mikael, I am not going to do it in my core, but I'm just curious how this is done? So I guess if we want to differentiate between VPNs in my core then we need a lot of different classes, which is not really available, and that's what makes it difficult? Thanks, Sam

On Mon, Aug 18, 2008 at 8:41 AM, Mikael Abrahamsson wrote:
> On Mon, 18 Aug 2008, Sami Joseph wrote:
>
>> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?
>
> Yes.
>
> Depends on what you want, but you can for instance mark MPLS EXP for the
> traffic in a certain VPN and treat those packets differently in your core.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>
From rblayzor.bulk at inoc.net Mon Aug 18 05:30:54 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Mon, 18 Aug 2008 05:30:54 -0400 Subject: [c-nsp] Nasty PIX 6.3 bug Message-ID: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net> If anyone still has PIXes out there running 6.3(5), we had a pair of 525s nailed by this nasty bug: http://tinyurl.com/5wovce We've been running 6.3 for years and only after all the recent DNS exploits did we see this one start hitting us. The only way to fix it is to upgrade to 7.x or get the maint/patch train from TAC. If you have any DNS servers behind your PIX with a lot of clients querying through your firewalls, you might want to get this taken care of ASAP before your PIXes get jammed at 100% CPU load indefinitely. Also stateful failover kindly transfers the 100% load over to the standby box as well. -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ From swmike at swm.pp.se Mon Aug 18 05:50:27 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 18 Aug 2008 11:50:27 +0200 (CEST) Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> Message-ID: On Mon, 18 Aug 2008, Sami Joseph wrote:
> Hi Mikael,
>
> I am not going to do it in my core, but I'm just curious how this is done?
>
> So I guess if we want to differentiate between VPNs in my core then we need
> a lot of different classes, which is not really available, and that's what makes
> it difficult?

QoS has many meanings.
For me at least, it's implemented by packet marking at ingress and per-hop queuing decisions made by core routers, where the marking influences which queue a packet should be put into. I always recommend a KISS (keep it simple, stupid) approach: the fewer classes you have, the less complicated it is to handle. Best of all is to make sure your statistical overbooking means you never have lines that are full, thus negating the need for QoS altogether. I'd say a reasonable number of queues/classes is around 4-6: one for VoIP, one for Video, one for priority data (interactive applications) and then a best effort class. You might want to put all your VPN traffic into priority data and let your Internet users get a lower SLA if you mix Internet and VPN traffic in your core. -- Mikael Abrahamsson email: swmike at swm.pp.se From rblayzor.bulk at inoc.net Mon Aug 18 05:24:26 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Mon, 18 Aug 2008 05:24:26 -0400 Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try In-Reply-To: References: Message-ID: <350FA2C6-F18B-4B47-B2BC-CDC085BC501D@inoc.net> On Aug 16, 2008, at 11:09 AM, Hash Aminu wrote:
> I am trying to find a Feature that will be able to replace Route
> bridge
> Encapsulation..because we are migrating to the 12.2S and it does not
> support
> that feature..any thoughts or Ideas will be useful. Thanks

Just what are you trying to accomplish? As previously mentioned the 7500 is EoS. You may want to look at a 7200 NPE-Gx running 12.2SB. Then you can keep RBE. -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ From gsinl at yahoo.com Mon Aug 18 06:13:08 2008 From: gsinl at yahoo.com (Gaurav Prakash) Date: Mon, 18 Aug 2008 15:43:08 +0530 (IST) Subject: [c-nsp] MPLS VPN QoS on a SP core Message-ID: <260492.45372.qm@web94003.mail.in2.yahoo.com> Hi, There are ways to do it.. typically 3 modes..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hmp_c/part15/hdtmode.htm Basically we cash in the feature of MPLS EXP bits used to mark/classify packets and treat them acc.. Regards, Gaurav Prakash Save our Earth
From tomas.hlavacek at elfove.cz Mon Aug 18 07:19:42 2008 From: tomas.hlavacek at elfove.cz (Tomas Hlavacek) Date: Mon, 18 Aug 2008 13:19:42 +0200 Subject: [c-nsp] aaa local database Message-ID: <48A95ACE.1040405@elfove.cz> Hello! I am thinking about aaa local database. Is there any mechanism to distinguish local users (defined by username ...) or put them into some groups and give them access to only some services? For instance I have two users

username alice password xxx
username bob password yyy

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

Now bob and alice can login to router and also dial ppp. What if I want alice to have right only to login to router and bob only to dial ppp? Thanks, Tomas -- Tomáš Hlaváček From oboehmer at cisco.com Mon Aug 18 08:12:23 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 18 Aug 2008 14:12:23 +0200 Subject: [c-nsp] aaa local database In-Reply-To: <48A95ACE.1040405@elfove.cz> References: <48A95ACE.1040405@elfove.cz> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E19E0C@xmb-ams-333.emea.cisco.com> Tomas Hlavacek <> wrote on Monday, August 18, 2008 1:20 PM:
> Hello!
>
> I am thinking about aaa local database. Is there any mechanism to
> distinguish local users (defined by username ...) or put them into
> some groups and give them access to only some services?
>
> For instance I have two users
>
> username alice password xxx
> username bob password yyy
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization network default local
>
> Now bob and alice can login to router and also dial ppp.
>
> What if I want alice to have right only to login to router and bob
> only to dial ppp?

the local database is not really very feature-rich, especially when it comes to PPP/network dialin.
You could force bob to only do PPP with

aaa authorization exec default local

and then

username bob autocommand exit

or

username bob autocommand ppp

so bob's login shell will exit right away or, if you want to allow async login via modems, spawn ppp.. Not sure if you can prevent "alice" from dialling in via ppp, though. Local DB is mainly used for some last-resort backup when T+/Radius is not available. certainly not a replacement.. Depending on your image/version, you could investigate the "Local AAA Server" feature and point your network authorization there, so you will then arrive at two different user databases locally configured on the device.. oli From tomas.hlavacek at elfove.cz Mon Aug 18 08:12:38 2008 From: tomas.hlavacek at elfove.cz (Tomas Hlavacek) Date: Mon, 18 Aug 2008 14:12:38 +0200 Subject: [c-nsp] aaa local database In-Reply-To: <48A96433.7040602@lumison.net> References: <48A95ACE.1040405@elfove.cz> <48A96433.7040602@lumison.net> Message-ID: <48A96736.7020105@elfove.cz> I should have said that I want this on 2811 with 12.4(20)T ADVIPSERVICESK9 IOS image.

Alasdair Gow wrote:
> What device are you trying to do this on?
>
> I know ASAs have dynamic policies, which you could customise to do this....
>
> Cheers,
> Ally
>
> Tomas Hlavacek wrote:
>
>> Hello!
>>
>> I am thinking about aaa local database. Is there any mechanism to
>> distinguish local users (defined by username ...) or put them into
>> some groups and give them access to only some services?
>>
>> For instance I have two users
>>
>> username alice password xxx
>> username bob password yyy
>>
>> aaa new-model
>> aaa authentication login default local
>> aaa authentication ppp default local
>> aaa authorization network default local
>>
>> Now bob and alice can login to router and also dial ppp.
>>
>> What if I want alice to have right only to login to router and bob
>> only to dial ppp?
>>
>> Thanks,
>> Tomas
>>
>>
>
>

-- Tomáš Hlaváček From christian.macnevin at gmail.com Mon Aug 18 12:03:05 2008 From: christian.macnevin at gmail.com (Christian MacNevin) Date: Mon, 18 Aug 2008 09:03:05 -0700 Subject: [c-nsp] multicast bringing big irons to their knees? Message-ID: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com> Hi I've only got the most superficial of ideas what's going on with this network, but I've been asked if there's any particular reason some Foundry switches would be being brought to their knees every time mcast is switched on in a network. 65s, 3750s and Netscreens all handle it fine. Given Foundry's marketing, they do brag that everything's handled in port-based ASICs, but obviously it sounds like this stuff is going to the processor. Maybe it's PIM Sniffing not supported in hardware, not sure. Anyway, sorry for the amazing vagary here, but it's all I've got right now. Any thoughts? Cheers Christian From danletkeman at gmail.com Mon Aug 18 12:05:49 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Mon, 18 Aug 2008 11:05:49 -0500 Subject: [c-nsp] ip cef load sharing In-Reply-To: References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com> Message-ID: My only options for the IP CEF command are as follows:

  original   Original algorithm
  tunnel     Algorithm for use in tunnel only environments
  universal  Algorithm for use in most environments

I tried original, and it seems as if it load balances, but it doesn't switch from modem to modem very fast. But in any case there are a lot fewer problems with this on. I also found out that the content filter that is before the cisco router is also doing NAT. I'm assuming that's a problem as well because now the router doesn't know what the source IP is anymore. Any other ideas on how to make this work better? Thanks, Dan.
On Sat, Aug 16, 2008 at 6:35 PM, Ben Steele wrote:
> Dan, the reason you're having issues is not MTU related, it's NAT related,
> because you have 3 ADSL lines each doing NAT against a different outside IP;
> when you turn on per-packet load sharing you end up with flows to the same
> destination having different source IP addresses.
>
> Your only option is per-destination load balancing (i.e. the default), one way
> you can tweak this a little without breaking too much is to change the
> standard algorithm to include ports.
>
> Try adding "ip cef load-sharing algorithm include-ports destination" into
> your global config once you've removed your per-packet load sharing and see
> how you go.
>
> You are never going to get perfect load balancing in your scenario but if
> you have enough hosts on your LAN it should be sufficient enough, one way
> you can do per-packet is if you get another IP routed down all 3 adsl lines
> and put it on a loopback and NAT everything against that.
>
> Ben
>
> ----- Original Message ----- From: "Dan Letkeman"
> To: "Rodney Dunn" ;
> Sent: Saturday, August 16, 2008 3:29 AM
> Subject: Re: [c-nsp] ip cef load sharing
>
>
>> Still seem to have the same problem even with this:
>>
>> interface FastEthernet0/0
>>  ip address 10.1.10.1 255.255.255.0
>>  ip tcp adjust-mss 1300
>>  duplex auto
>>  speed auto
>>
>>
>> interface FastEthernet0/1
>>  ip address 192.168.10.1 255.255.255.0
>>  ip load-sharing per-packet
>>  duplex auto
>>  speed auto
>>
>> Dan.
>>
>> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
>>>
>>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>>>>
>>>> ip load-sharing per-packet
>>>>
>>>> I tried adding this to F0/1 and the trace route works now (it randomly
>>>> picks either line), but there seems to be issues with maybe the MTU?
>>>> If I try to browse websites I get page errors and some of the pictures
>>>> and pages don't load.
>>>
>>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>>> ingress interface from the LAN.
>>>
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> Dan.
>>>>
>>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>>>> > Try ip load-sharing per-packet on both egress interfaces.
>>>> >
>>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>>> >> Hello,
>>>> >>
>>>> >> I have a 2621 router running 12.3(26) and I would like to set up load
>>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>>>> >> it randomly picks a dsl line and seems to work fine. But when I do
>>>> >> traceroute tests from a workstation it always seems to take the same
>>>> >> adsl line. Is there something else I need to add to the configuration
>>>> >> to make it pick random lines, or is there a timeout of some sort
>>>> >> before it will select the next ip route?
>>>> >>
>>>> >> Here is my config:
>>>> >>
>>>> >> !
>>>> >> interface FastEthernet0/0
>>>> >>  ip address 10.1.10.1 255.255.255.0
>>>> >>  duplex auto
>>>> >>  speed auto
>>>> >> !
>>>> >> interface FastEthernet0/1
>>>> >>  ip address 192.168.10.1 255.255.255.0
>>>> >>  duplex auto
>>>> >>  speed auto
>>>> >> !
>>>> >> ip http server
>>>> >> ip classless
>>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>>> >> !
>>>> >>
>>>> >> The two adsl modem/routers I have are 192.168.10.10 and 192.168.10.11
>>>> >>
>>>> >> Thanks,
>>>> >> Dan.
>>>> >> _______________________________________________
>>>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>> >
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From jared at puck.nether.net Mon Aug 18 12:07:45 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 18 Aug 2008 12:07:45 -0400
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
Message-ID: <20080818160745.GB96749@puck.nether.net>

I suggest posting on foundry-nsp instead of cisco-nsp.

- jared

On Mon, Aug 18, 2008 at 09:03:05AM -0700, Christian MacNevin wrote:
> Hi
> I've only got the most superficial of ideas what's going on with this
> network, but I've been asked if there's any particular reason
> some Foundry switches would be being brought to their knees every time
> mcast is switched on in a network. 65s, 3750s and Netscreens
> all handle it fine.
> Given Foundry's marketing, they do brag that everything's handled in
> port-based ASICs, but obviously it sounds like this stuff is going
> to the processor. Maybe it's PIM sniffing not supported in hardware, not
> sure.
> Anyway, sorry for the amazing vagary here, but it's all I've got right
> now. Any thoughts?
> Cheers
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
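Added example for the "ip cef load sharing" thread above (Ben Steele's point that per-packet load sharing plus a separate NAT address on each ADSL line gives one TCP flow several source addresses, and that the per-destination and include-ports algorithms keep a flow on one link). This is not code from the thread or from Cisco: the hash is an illustrative stand-in for CEF's universal algorithm, which is seeded per router, and the public addresses of the two modems are constructed from the RFC 5737 documentation range. The model ignores the MTU/MSS side of the thread entirely.

```python
"""Model of CEF next-hop selection over two ADSL links that each do their own NAT.

Added example, not code from the thread or from Cisco. The hash below is an
illustrative stand-in for CEF's universal algorithm; the public IPs are made up.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed topology matching the poster's setup: two ADSL modem/routers,
# each NATing to its own (assumed) public address.
LINKS = {
    "192.168.10.10": "198.51.100.10",  # assumed public IP behind modem 1
    "192.168.10.11": "198.51.100.11",  # assumed public IP behind modem 2
}
LINK_NAMES = sorted(LINKS)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _bucket(key: str, n: int) -> int:
    """Deterministic hash of a flow key into n buckets (illustrative only)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def choose_link(pkt: Packet, mode: str, seq: int = 0) -> str:
    """Pick the next hop for one packet under a given load-sharing mode.

    per-destination: hash(src, dst)               (IOS default)
    include-ports:   hash(src, dst, sport, dport)  ("algorithm include-ports")
    per-packet:      round robin, ignores the flow ("ip load-sharing per-packet")
    """
    if mode == "per-packet":
        return LINK_NAMES[seq % len(LINK_NAMES)]
    if mode == "per-destination":
        key = f"{pkt.src}|{pkt.dst}"
    elif mode == "include-ports":
        key = f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return LINK_NAMES[_bucket(key, len(LINK_NAMES))]


def public_sources_seen(flow: list[Packet], mode: str) -> list[str]:
    """Public source IP the remote server sees for each packet of one flow."""
    return [LINKS[choose_link(p, mode, seq)] for seq, p in enumerate(flow)]


def flow_is_consistent(flow: list[Packet], mode: str) -> bool:
    """True if every packet of the flow leaves through the same NAT address."""
    return len(set(public_sources_seen(flow, mode))) == 1


def link_spread(flows: list[list[Packet]], mode: str) -> Counter:
    """Number of flows landing on each link (first packet decides in hashed modes)."""
    return Counter(choose_link(f[0], mode) for f in flows)


def make_flow(src: str, dst: str, sport: int, npkts: int = 4) -> list[Packet]:
    """Constructed HTTP flow: npkts packets sharing one 4-tuple."""
    return [Packet(src, dst, sport, 80) for _ in range(npkts)]


if __name__ == "__main__":
    web = make_flow("10.1.10.50", "203.0.113.7", 40000)
    for mode in ("per-packet", "per-destination", "include-ports"):
        print(f"{mode:16} consistent={flow_is_consistent(web, mode)} "
              f"sources={public_sources_seen(web, mode)}")
    # One host talking to one site over many connections: per-destination
    # pins everything to one modem; include-ports can use both.
    many = [make_flow("10.1.10.50", "203.0.113.7", 40000 + i) for i in range(200)]
    print("per-destination:", dict(link_spread(many, "per-destination")))
    print("include-ports:  ", dict(link_spread(many, "include-ports")))
```

With per-packet the server sees the same connection arrive from both public addresses, which is exactly the half-loaded pages the original poster described; per-destination fixes that but a single workstation will only ever use one modem, and include-ports spreads that workstation's connections across both while still keeping each connection whole.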
From paul.cosgrove at heanet.ie Mon Aug 18 12:33:34 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 18 Aug 2008 17:33:34 +0100
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
Message-ID: <48A9A45E.1070504@heanet.ie>

Hi Christian,

You will need to explain more about the topology, your multicast setup and the traffic flows, for instance:
- Are the Foundry switches acting as your RPs?
- Have you any other commands applied which will cause multicasts to be process switched?
- Do you have high rates of multicast on the network?
- Are you using any multicast groups which will appear the same as well known multicast groups at Layer 2 (e.g. x.0.0.1, x.0.0.2 etc)?

If the Foundry switches are your RPs, the requirement to decapsulate register messages could explain why these are affected much more than your 6500s, 3750s and Netscreens. 'ip pim register-rate-limit 5' applied to the Cisco designated routers will help if that is the problem (not sure about the equivalent Netscreen command).

Paul.

Christian MacNevin wrote:
> Hi
> I've only got the most superficial of ideas what's going on with this
> network, but I've been asked if there's any particular reason
> some Foundry switches would be being brought to their knees every time
> mcast is switched on in a network. 65s, 3750s and Netscreens
> all handle it fine.
> Given Foundry's marketing, they do brag that everything's handled in
> port-based ASICs, but obviously it sounds like this stuff is going
> to the processor. Maybe it's PIM sniffing not supported in hardware, not
> sure.
> Anyway, sorry for the amazing vagary here, but it's all I've got right
> now. Any thoughts?
> Cheers
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040 Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From lowen at pari.edu Mon Aug 18 12:40:23 2008
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 18 Aug 2008 12:40:23 -0400
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <20080817090530.GP288@greenie.muc.de>
References:
Message-ID: <200808181240.23419.lowen@pari.edu>

On Sunday 17 August 2008 05:05:30 Gert Doering wrote:
> From the comments seen on this list, I don't think that any sort of L2VPN
> on 7500s is a good idea.

> 7500 is pretty much a dead and unsupported platform these days.

Good afternoon, list and Gert.

I have read this list for some time now, and I am very grateful for much useful and constructive advice that I have seen that is relevant to what I am doing.

However, I must rant just a bit, so please indulge me for a moment. And I fully realize many of you won't care about what I'm going to talk about below, and that's ok.

Not all folk using older Cisco gear for core routing are financially able to do forklift upgrades. Some people, in this day of shrinking IT budgets and lowering bandwidth costs/margins (at least to NSP's; the enterprise user is seeing the opposite problem; for example, my OC3's base tariff went UP $1,000 per month thanks to tariff changes by the NECA), simply don't have the budget to write off their investment in older gear and drop in a newer platform. Although, PARI WILL accept your donation of older gear after you've done a forklift upgrade!
There are non-profits (and for-profits that are turning into non-profits involuntarily) out there who would like to hear something a little more constructive than 'your platform is EoS; time to upgrade'. If I personally ask 'hey, anybody out there ever done L2TPv3 on a 7500/12012 pair that's serving an APS protected OC3 to a pair of 7401ASR's serving the other end of the APS protected OC3, and what have you found?' I don't want to hear 'you need to get a new whizbang 20000 to do that; all four of your routers are too old'. I'd like to hear what people have experienced; and, Gert, your experiences in particular have been very enlightening to me.

I (and other enterprise users and NSP's in my boat; I use an NSP who is a non-profit, for instance) am well aware that I should have something more modern; I cannot afford it, especially now that a big hunk of my equipment budget just went away thanks to the NECA tariff increase. And while I know that there is a contingent out there with the attitude that if someone can't afford rolling forklift upgrades every few years that they shouldn't be in business, I have no need for their opinion on that matter.

-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From adam.korab at gmail.com Mon Aug 18 12:46:47 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 18 Aug 2008 11:46:47 -0500
Subject: [c-nsp] %IPC-SP-5-WATERMARK:
Message-ID:

Hi,

Just finished reading the thread from 2002 between Steiner, Alex Rubenstein, and Chris Johns. I'm currently dealing with what I think is the same issue, but running newer code than what Steinar recommended - 122-19.SXD7 to be precise. This issue prevents 'sh run' from executing, but otherwise traffic appears to be passing just fine. It's happening on 2 6509s, both with WS-X6K-SUP2-2GE installed.

One question, given that it's a remote environment: will the boxes reload properly?
The bit about the MSFC locking makes me nervous. What code is currently recommended for 6509/sup2? Any workarounds available in the meantime? Customer AFAIK doesn't have Smartnet....

Relevant bits:

2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %ICC-SP-5-WATERMARK: 1355 pkts for class L2-AGING are waiting to be processed

----------

edge0#sh ipc que
There are 0 IPC messages waiting for acknowledgement in the transmit queue.
There are 0 IPC messages waiting for a response.
There are 0 IPC messages waiting for additional fragments.
There are 0 IPC messages currently on the IPC inboundQ.
There are 0 IPC messages currently on the zone inboundQ.
Messages currently in use                 : 50
Message cache size                        : 6000
Maximum message cache usage               : 6000
0 times message cache crossed 12000 [max]
There are 9 messages currently reserved for reply msg.

-------

edge0#sh ipc stat
IPC System Status
Time last IPC stat cleared : never
This processor is an IPC slave server.
Do not drop output of IPC frames for test purposes.
6000 IPC Message Headers Cached.
                                                     Rx Side      Tx Side
Total Frames                                       626763425    234165644
                                                           0            0
Total from Local Ports                            1065511881    158268780
Total Protocol Control Frames                       45199040     37948411
Total Frames Dropped                                       0            0

Service Usage
Total via Unreliable Connection-Less Service       543615974     33935400
Total via Unreliable Sequenced Connection-Less Svc         0            0
Total via Reliable Connection-Oriented Service      37948411     45198990

IPC Protocol Version 0
Total Acknowledgements                              45199040     37948411
Total Negative Acknowledgements                            0            0

Device Drivers
Total via Local Driver                                     0            0
Total via Platform Driver                          626763425    117082850
Total Frames Dropped by Platform Drivers                   0            0
Total Frames Sent when media is quiesced                   0

Reliable Tx Statistics
Re-Transmission                                            0
Re-Tx Timeout                                           3652

Rx Errors                                  Tx Errors
Unsupp IPC Proto Version           0       Tx Session Error            0
Corrupt Frame                      0       Tx Seat Error               0
Duplicate Frame                    0       Destination Unreachable     0
Out-of-Sequence Frame              0       Tx Test Drop                0
Dest Port does Not Exist           0       Tx Driver Failed            0
Rx IPC Msg Alloc Failed            0       Ctrl Frm Alloc Failed       0
Unable to Deliver Msg              0
Invalid Messages                   0

Buffer Errors                              Misc Errors
IPC Msg Alloc                      0       IPC Open Port           18563
Emer IPC Msg Alloc                 0       No HWQ                      0
IPC Frame PakType Alloc            0       Hardware Error              0
IPC Frame MemD Alloc               0

Tx Driver Errors
No Transport                       0
MTU Failure                        0
Dest does not Exist                0

Thanks!

--Adam

From rodunn at cisco.com Mon Aug 18 12:49:39 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 18 Aug 2008 12:49:39 -0400
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <20080814133310.GA24673@rtp-cse-489.cisco.com>
References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> <48A3E177.30508@transtelecom.net> <20080814133310.GA24673@rtp-cse-489.cisco.com>
Message-ID: <20080818164939.GX7135@rtp-cse-489.cisco.com>

Target is 12.0(32)S12 and 12.0(32)SY8.

I did say target....
Will also come in a rebuild of 33S but will not make it in 12.0(32)S2 for sure.

Rodney

On Thu, Aug 14, 2008 at 09:33:10AM -0400, Rodney Dunn wrote:
> See my email yesterday. I should have an update on Monday.
>
> On Thu, Aug 14, 2008 at 11:40:39AM +0400, Tima Maryin wrote:
> > Hello!
> >
> >
> > Is there any update on this ?
> >
> >
> > Rodney Dunn wrote:
> > >I'm asking about this.
> > >
> > >I'll get back with you.
> > >
> > >It's going to be in a 12.0(33)S rebuild for sure.
> > >
> > >But I need to check back on what the 12008 decision
> > >was...ie: only in 32S rebuilds?
> > >
> > >
> > >On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote:
> > >>Hi,
> > >>
> > >>Does anyone know if the 32 bit ASN support is going to get
> > >>implemented in the 12008 or 7500 RSP8 series? If not, what
> > >>is recommended as replacements?

From Mark at u.tv Mon Aug 18 12:12:46 2008
From: Mark at u.tv (Mark Tohill)
Date: Mon, 18 Aug 2008 17:12:46 +0100
Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4
Message-ID: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local>

Hi,

Does anyone have experience of configuring Netflow Top Talkers on Modular 12.2SX images?
We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as below:

sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
<..output omitted...>
disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm
<..output omitted...>

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv

From adam.korab at gmail.com Mon Aug 18 13:05:33 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 18 Aug 2008 12:05:33 -0500
Subject: [c-nsp] Nasty PIX 6.3 bug
In-Reply-To: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
References: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
Message-ID:

On Mon, Aug 18, 2008 at 4:30 AM, Robert Blayzor wrote:
>
> We've been running 6.3 for years and only after all the recent DNS exploits
> did we see this one start hitting us.
> The only way to fix it is to upgrade to 7.x or get the maint/patch train
> from TAC. If you have any DNS servers behind your PIX with a lot of clients

The page says it's patched in 6.3(5.105) -- is that available only from the TAC? CCO lists just 6.3(5) GD.

Forgive my ignorance, but it's been a long time since I've had to get a special file from TAC -- does an end-user have to have smartnet on the device?

--Adam

From streiner at cluebyfour.org Mon Aug 18 13:15:38 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 18 Aug 2008 13:15:38 -0400 (EDT)
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <200808181240.23419.lowen@pari.edu>
References: <200808181240.23419.lowen@pari.edu>
Message-ID:

On Mon, 18 Aug 2008, Lamar Owen wrote:

> On Sunday 17 August 2008 05:05:30 Gert Doering wrote:
>> From the comments seen on this list, I don't think that any sort of L2VPN
>> on 7500s is a good idea.
>
>> 7500 is pretty much a dead and unsupported platform these days.
>
> [snip]
>
> Not all folk using older Cisco gear for core routing are financially able to
> do forklift upgrades. Some people, in this day of shrinking IT budgets and
> lowering bandwidth costs/margins (at least to NSP's; the enterprise user is
> seeing the opposite problem; for example, my OC3's base tariff went UP $1,000
> per month thanks to tariff changes by the NECA), simply don't have the budget
> to write off their investment in older gear and drop in a newer platform.

I don't think the original comment was intended as a knock on your organization's financial status (or any other organization's financial status for that matter). The Cisco 7500 series routers were and still are great routers - they served my network well for a great many years, but they are in fact at the end of their life cycle. If you can still use them to do what you need to do and they satisfy your operational requirements, then I hope they continue to work well for you for as long as needed.

More to the point of what I think Gert was getting at is that since the 7500 series is end-of-life, you have the potential to get stuck if you need to get support from Cisco. There is also the possibility that whatever feature you need may not be available in future releases of IOS for that platform, or new releases for that platform may be suspended entirely. Replacement hardware will have to come from the secondary market since Cisco normally doesn't RMA end-of-life parts.

Some organizations have policies that require them to keep vendor support on any piece of gear they have in production. That by nature forces them to stay ahead of the end-of-life curve, or at least be cognizant of the end-of-life dates for the gear they use. As a result, those upgrades get worked into their long-term capital planning cycles. I'm not suggesting that this is right or wrong...

Since this has the potential to drift off-topic for this list, this will be my only contribution to this thread.
Regards,
jms

From petelists at templin.org Mon Aug 18 13:16:27 2008
From: petelists at templin.org (Pete Templin)
Date: Mon, 18 Aug 2008 12:16:27 -0500
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <200808181240.23419.lowen@pari.edu>
References: <200808181240.23419.lowen@pari.edu>
Message-ID: <48A9AE6B.9070600@templin.org>

Lamar Owen wrote:
> However, I must rant just a bit, so please indulge me for a moment. And I
> fully realize many of you won't care about what I'm going to talk about
> below, and that's ok.

It's not that I won't care, it's that I care about your stance here.

> I (and other enterprise users and NSP's in my boat; I use an NSP who is a
> non-profit, for instance) am well aware that I should have something more
> modern; I cannot afford it, especially now that a big hunk of my equipment
> budget just went away thanks to the NECA tariff increase. And while I know
> that there is a contingent out there with the attitude that if someone can't
> afford rolling forklift upgrades every few years that they shouldn't be in
> business, I have no need for their opinion on that matter.

The 7500s are roughly 13 years old. As such, they've served about four generations of IT lifecycle and then some, assuming upgrades every few years. From what little I can dig up, they were designed for core backbone routing applications.

The 12000 series is perhaps 9 years old. That's three lifecycles, and these too were designed for core backbone routing applications. Remember the great time-to-market linecards? Yeah, the ones with no hope of being an edge card.

With all due respect, how much enterprise feature value were you HONESTLY expecting from these core backbone routing platforms? Have any of these devices STOPPED doing what they do/did best?
pt

From rblayzor.bulk at inoc.net Mon Aug 18 13:27:39 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Mon, 18 Aug 2008 13:27:39 -0400
Subject: [c-nsp] Nasty PIX 6.3 bug
In-Reply-To:
References: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
Message-ID: <0DDF96A3-6F1F-411B-BDEA-AD7F752C1753@inoc.net>

On Aug 18, 2008, at 1:05 PM, Adam Korab wrote:
> The page says it's patched in 6.3(5.105) -- is that available only
> from the TAC? CCO lists just 6.3(5) GD.

Yes, 6.3(5)GD is released. The actual patched version TAC provided to us was 6.3(5.145) which fixed the problem. And yes, you can only obtain it via TAC.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From christian.macnevin at gmail.com Mon Aug 18 13:37:18 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Mon, 18 Aug 2008 10:37:18 -0700
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <48A9A45E.1070504@heanet.ie>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com> <48A9A45E.1070504@heanet.ie>
Message-ID: <4DD41DB1-0C84-481F-BC17-490CBF3BC3F9@gmail.com>

Thanks all

That's literally all the info I have just now, it's a client network I may have to go look at. Just figured I'd toss it out and see if anybody had a screamer of a disclaimer on that hardware. I'll see how much more I can find out before I bring this world of pain down on myself :)

Sent from my iPhone

On Aug 18, 2008, at 9:33 AM, Paul Cosgrove wrote:

> Hi Christian,
>
> You will need to explain more about the topology, your multicast setup
> and the traffic flows, for instance:
> - Are the Foundry switches acting as your RPs?
> - Have you any other commands applied which will cause multicasts to be
> process switched?
> - Do you have high rates of multicast on the network?
> - Are you using any multicast groups which will appear the same as well
> known multicast groups at Layer 2 (e.g. x.0.0.1, x.0.0.2 etc)?
>
> If the Foundry switches are your RPs, the requirement to decapsulate
> register messages could explain why these are affected much more than
> your 6500s, 3750s and Netscreens. 'ip pim register-rate-limit 5'
> applied to the Cisco designated routers will help if that is the problem
> (not sure about the equivalent Netscreen command).
>
> Paul.
>
> Christian MacNevin wrote:
>> Hi
>> I've only got the most superficial of ideas what's going on with this
>> network, but I've been asked if there's any particular reason
>> some Foundry switches would be being brought to their knees every time
>> mcast is switched on in a network. 65s, 3750s and Netscreens
>> all handle it fine.
>> Given Foundry's marketing, they do brag that everything's handled in
>> port-based ASICs, but obviously it sounds like this stuff is going
>> to the processor. Maybe it's PIM sniffing not supported in hardware, not
>> sure.
>> Anyway, sorry for the amazing vagary here, but it's all I've got right
>> now. Any thoughts?
>> Cheers
>> Christian
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
> -- 
> HEAnet Limited
> Ireland's Education & Research Network
> 5 George's Dock, IFSC, Dublin 1, Ireland
> Tel: +353.1.6609040 Web: http://www.heanet.ie
> Company registered in Ireland: 275301
>
> Please consider the environment before printing this e-mail.

From svemulap at cisco.com Mon Aug 18 13:46:57 2008
From: svemulap at cisco.com (Shankar Vemulapalli (svemulap))
Date: Mon, 18 Aug 2008 10:46:57 -0700
Subject: [c-nsp] MPLS VPN QoS on a SP core
In-Reply-To:
References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com>
Message-ID: <70BC84B185C3EE448EDB7AB8956D3B0E06392E1D@xmb-sjc-234.amer.cisco.com>

Take a look at the following QoS SRND document which provides a very good starting point.
http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf

Look for "MPLS VPN QoS Design"

Btw - one additional factor that you want to look in is if the customer is dual-homed to two SPs. In this case, we want to make sure we have consistent QoS guarantees across the MPLS VPN cloud.

Hope it helps.

/Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Sunday, August 17, 2008 10:42 PM
To: Sami Joseph
Cc: Cisco-nsp
Subject: Re: [c-nsp] MPLS VPN QoS on a SP core

On Mon, 18 Aug 2008, Sami Joseph wrote:

> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?

Yes. Depends on what you want, but you can for instance mark MPLS EXP for the traffic in a certain VPN and treat those packets differently in your core.

-- 
Mikael Abrahamsson email: swmike at swm.pp.se
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jloiacon at csc.com Mon Aug 18 14:56:41 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon, 18 Aug 2008 14:56:41 -0400
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To: <20080816152921.GL288@greenie.muc.de>
Message-ID:

Thanks Gert. Great information.

Turns out the fiber length is about 60km, but it is testing at 13dB for 1550 nm. This winds up fitting in the 24dB optical budget for the XENPAK-10GB-ZR (80 km). I have removed dB for connectors and potential splices as well.

Next challenge: On the other end of the connection is a Juniper MX. So here we go again ...
PS: Here's a good link for understanding how to calculate optical budgets if anyone needs it:

http://www.transition.com/TransitionNetworks/Learning/Whitepaper/Optical.aspx

Joe

Gert Doering
08/16/2008 11:29 AM

To: Joe Loiacono/CIV/CSC at CSC
cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Good 10GE Metro switch

Hi,

On Mon, Aug 11, 2008 at 05:08:23PM -0400, Joe Loiacono wrote:
> PS - Should I worry (alot) about being at or slightly above the 40 Km
> distance?

The key question is, how much loss (in dB) do you have on that line, and on the tolerances of the X2 optics in question - a "best case" X2 will transmit with +4.0 dBm, while a "worst case" X2 will transmit with -4.7 dBm, according to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0btransc.html

- so with a receiver sensitivity of -15.8 dBm, you have a power budget of 11.1 dB to 19.8 dB.

11.1 dB is very tight for a 40km span - you need good fibers, and nearly no patches in between (every patch brings about 0.5 dB loss).

You need to ask your carrier about the attenuation of the fiber path.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

[attachment "att5fin1.dat" deleted by Joe Loiacono/CIV/CSC]

From vijay.ramcharan at verizonbusiness.com Mon Aug 18 14:46:00 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Mon, 18 Aug 2008 18:46:00 +0000
Subject: [c-nsp] 11503 ssl redundancy synch
In-Reply-To:
References:
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>

I don't believe you are missing anything. SSL files (keys, certs etc) are most likely not copied across. You will probably need to manually import them into your standby box.
For whatever reason, the ACE has this same limitation (seemingly silly as I can't put my finger on the reason why Cisco cannot sync SSL files as well as the config). F5 has had this on their boxes for a long time now. Makes SSL configuration a snap.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Toby Burrows (Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all,

I have 2 css11503's in active/passive redundancy config. When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck. The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy. The question is: should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something?

Thanks in advance

Toby Burrows
Network Engineer

Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers

Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71

This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person.

Please consider the environment - do you really need to print this email?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lowen at pari.edu Mon Aug 18 15:00:22 2008
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 18 Aug 2008 15:00:22 -0400
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <48A9AE6B.9070600@templin.org>
References:
Message-ID: <200808181500.22855.lowen@pari.edu>

[Going OT to a degree; not going to continue thread past this post.]

On Monday 18 August 2008 13:16:27 Pete wrote:
> With all due respect, how much enterprise feature value were you
> HONESTLY expecting from these core backbone routing platforms? Have any
> of these devices STOPPED doing what they do/did best?

I appreciate the point of view. Using a tool only for the purpose for which it was designed is certainly a valid worldview, perhaps even for the majority of service providers and enterprises out there, especially if you have a support contract. But at the same time understand that if someone is asking about using router X for something (whether it was designed for that or not is irrelevant) they'd like to hear experience in doing that thing, not that router Y is a better choice. If I want to know (and I ask) which router is the better choice, then answering Y is a good useful response.

And, yes, I am of the view that many tools have uses of which the designers never thought, or for which the designers did not design (or for which the marketers didn't market). Like, for instance, the RSM internal router on a stick card for the Catalyst 5000. These actually do NAT at a very good rate; with a VIP piggyback on the RSM they can make superb border routers with a good firewall set and, like I said, NAT. Just wish a 12.0S had been released for the RSM; it is, after all, a 7500-series RSP2 on that card.
And why the RSFC isn't able to run something past 12.1 is a crying shame, given the hardware heritage of the card (I know why it was crippled, I just don't agree with non-technical reasons to cripple what the device can do).

As to the suitability of these old core platforms for edge 'stuff' I'll just comment that just getting APS on an OC3 connection is enough of a task; but I happen to need layer 2 transparency over this connection, incidentally, for VMware VMotion. With APS (which knocks out any ATM solutions for the 7500, or 7200/7400 for that matter!). Just need to have VLAN continuity through the OC3, that's all. Getting the 'edge' feature set and APS for an OC3 together has been a challenge for me, without blowing my equipment budget for the next five years, that is. And I already had the hardware in hand that I'm using, saving several tens of kilobucks.

What I do find useful are things like the revelation that 3845's have issues with L2TP due to odd ethernet issues. Or that PXF being enabled on 7400 or 7200 NSE-1 causes artifact A in certain situations. Or that an OC48 POS linecard is required for 12000 to do this sort of thing. Or that, no, feature navigator is wrong, you really can't do that with IOS x.yS(z). Just looking for people's experience, not new equipment recommendations.

Cisco support for these particular routers is not an option at this point for these routers; can't afford it. Now when I can afford something new, I'll ask about that. And if I can help by sharing my experience with a future questioner, I will do so.

And, I do find most of the information I glean here very useful; Gert in particular has been a real jewel, and my rant isn't directed at Gert at all, just a general rant of sorts. I personally don't agree with this whole EoS/EoL 'programmed obsolescence' thing, even though I do understand the reasoning.
-- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu

From zhassan at gmx.net Mon Aug 18 15:19:38 2008 From: zhassan at gmx.net (Zahid Hassan) Date: Mon, 18 Aug 2008 20:19:38 +0100 Subject: [c-nsp] EVC - MPLS In-Reply-To: References: Message-ID: <001e01c90167$60532210$014fa8c0@xp1>

Jack, With EVC, are you referring to EoMPLS, ATOM and VPLS? For an introduction to the technology, please refer to the link below: http://www.cisco.com/en/US/tech/tk436/tk891/tech_brief0900aecd80162184.html If you need more information like commands and configs, let me know. Regards, ZH

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jack Sent: 14 August 2008 08:31 To: cisco-nsp at puck.nether.net Subject: [c-nsp] EVC - MPLS Hi Folks, does anyone have EVC - MPLS information to share? Any document I can refer to? regards, Jack

From billf at mu.org Mon Aug 18 16:10:44 2008 From: billf at mu.org (bill fumerola) Date: Mon, 18 Aug 2008 13:10:44 -0700 Subject: [c-nsp] debugging stack corruption Message-ID: <20080818201044.GR29172@elvis.mu.org>

anyone see anything like this.
i assume only a reload will fix this: rtr1#sh proc cpu | e 0.0 CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes: 35% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 3 528125122320274973 22 23.35% 20.79% 20.97% 0 Exec 70 3616544001417549298 255 0.15% 0.11% 0.12% 0 IP Input 115 4851843096833738 0 0.15% 0.14% 0.15% 0 HQF Shaper Backg rtr1# nobody else is logged on, little to no amount of traffic is running through the aux/cons ports, but this is interesting: rtr1#show stacks Minimum process stacks: Free/Size Name 5676/6000 CDP BLOB 8640/9000 EM ED RF 11052/12000 Router Init 8676/9000 cdp init process 8348/12000 Init 5304/6000 RADIUS INITCONFIG 3616/6000 BGP Open 2264/3000 Rom Random Update Process 5616/6000 URPF stats 5316/6000 BGP Accepter 9248/12000 Exec 7176/12000 SSH Process 4264/6000 TFTP Read Process 4204/6000 MSDP Open 34540/36000 TCP Command 5236/7200 TTY Daemon 8496/9000 IP-EIGRP Router 3360/6000 d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P References: <20080817090530.GP288@greenie.muc.de> <200808181240.23419.lowen@pari.edu> Message-ID: <20080818201221.GV288@greenie.muc.de> Hi, On Mon, Aug 18, 2008 at 12:40:23PM -0400, Lamar Owen wrote: > Not all folk using older Cisco gear for core routing are financially able to > do forklift upgrades. I fully understand your point. I'm not one of those that recommend to put a 7206/NPE-150 into the junk bin, just because it's old... Cisco-XXX uptime is 7 years, 15 weeks, 2 days, 49 minutes ... cisco 7206 (NPE150) processor with 57344K/8192K bytes of memory. (yes, I know, but that's not the point. It's working, and all problematic packets are ACLed away) *But* especially the 7500 is not "old", it was already old when I started networking (well, the 7500 was "new" then, but it shares much of the architectural limits with the 7000, and that one was already old then). We have junked our single 7500 (at some time my great pride - dual RSP4+s in there!!!) 
some 3-4 years ago, because it was just too huge (space and power in the rack), too unreliable (OIRs usually caused a bus stall or a complete crash), and too feeble IOS support - no "real" 12.2S support, none of the cool features available, and a fairly clear commitment from Cisco to let the platform die. If a shop is in serious need for a L2VPN solution, and all they have is a 7500, I would seriously suggest finding two old PCs somewhere, put in a $15 intel GigE card, install Linux+OpenVPN, and enjoy the result. With Cisco, they are not going to be happy - it's "expensive" or "more advanced/tricky things are just not going to work". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Mon Aug 18 16:17:09 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 18 Aug 2008 22:17:09 +0200 Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try In-Reply-To: <200808181500.22855.lowen@pari.edu> References: <48A9AE6B.9070600@templin.org> <200808181500.22855.lowen@pari.edu> Message-ID: <20080818201709.GW288@greenie.muc.de>

Hi, On Mon, Aug 18, 2008 at 03:00:22PM -0400, Lamar Owen wrote: > good firewall set and, like I said, NAT. Just wish a 12.0S had been released > for the RSM; it is, after all, a 7500-series RSP2 on that card. And why the > RSFC isn't able to run something past 12.1 is a crying shame, given the > hardware heritage of the card (I know why it was crippled, I just don't agree > with non-technical reasons to cripple what the device can do). I couldn't agree more with you on *that*.
We're in the process of retiring 2 RSMs and 1 RSFC due to "end of IOS" - no IPv6 on them, and especially on the RSFC, purposely crippled to 12.1 (no 64bit counters and such). Since I'm the one that suggested buying them, and the hardware is still doing its job very well, I'm indeed not overly happy. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From sthaug at nethelp.no Mon Aug 18 16:46:04 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Mon, 18 Aug 2008 22:46:04 +0200 (CEST) Subject: [c-nsp] Good 10GE Metro switch In-Reply-To: References: <20080816152921.GL288@greenie.muc.de> Message-ID: <20080818.224604.41662275.sthaug@nethelp.no> > Turns out the fiber length is about 60km, but it is testing at 13dB for > 1550 nm. This winds up fitting in the 24dB optical budget for the > XENPAK-10GB-ZR (80 km). I have removed dB for connectors and potential > splices as well. > > Next challenge: On the other end of the connection is a Juniper MX. So > here we go again ... You should be just fine with a 10-GBASE-Z (80 km) XFP on the Juniper MX. See for instance Table 3 on this page: http://www.juniper.net/techpubs/hardware/common/mx-series-dpc/4-port-10-gigabit-ethernet-dpc-with-xfp.html#mx-series-dpc-4xge-xfp Steinar Haug, Nethelp consulting, sthaug at nethelp.no From kgraham at industrial-marshmallow.com Mon Aug 18 17:01:28 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 18 Aug 2008 14:01:28 -0700 (PDT) Subject: [c-nsp] CAB-HD8-ASYNC extension cables? Message-ID: <277180.79235.qm@web901.biz.mail.mud.yahoo.com> Does anyone know what the formal name for the 'HD' end of an CAB-HD8-ASYNC (for the HWIC-8A/16A)? 
Ideally I'd like to do an extended runbefore fanning out into RJ45's. Also, given the async line definition of: "line 0/0/0 0/1/15" ...is it proper to infer that 0/0 has 16 ports? Namely, if 0/0 was an 8 port module, would it be broken out, separately such that IOS would present: line 0/0/0 0/0/7 line 0/1/0 0/1/15 From jloiacon at csc.com Mon Aug 18 17:04:57 2008 From: jloiacon at csc.com (Joe Loiacono) Date: Mon, 18 Aug 2008 17:04:57 -0400 Subject: [c-nsp] Good 10GE Metro switch In-Reply-To: <20080818.224604.41662275.sthaug@nethelp.no> Message-ID: Wow. Thanks Steinar, I've been looking all over their website for this! Looks like about the same power budget as the Cisco XENPAK-10GB-ZR. Joe sthaug at nethelp.no 08/18/2008 04:46 PM To Joe Loiacono/CIV/CSC at CSC cc cisco-nsp at puck.nether.net Subject Re: [c-nsp] Good 10GE Metro switch > Turns out the fiber length is about 60km, but it is testing at 13dB for > 1550 nm. This winds up fitting in the 24dB optical budget for the > XENPAK-10GB-ZR (80 km). I have removed dB for connectors and potential > splices as well. > > Next challenge: On the other end of the connection is a Juniper MX. So > here we go again ... You should be just fine with a 10-GBASE-Z (80 km) XFP on the Juniper MX. 
See for instance Table 3 on this page: http://www.juniper.net/techpubs/hardware/common/mx-series-dpc/4-port-10-gigabit-ethernet-dpc-with-xfp.html#mx-series-dpc-4xge-xfp Steinar Haug, Nethelp consulting, sthaug at nethelp.no From p.mayers at imperial.ac.uk Mon Aug 18 17:32:59 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 18 Aug 2008 22:32:59 +0100 Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4 In-Reply-To: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local> References: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local> Message-ID: <20080818213259.GA32257@doorstop.net.ic.ac.uk> On Mon, Aug 18, 2008 at 05:12:46PM +0100, Mark Tohill wrote: >Hi, > >Does anyone have experience of configuring Netflow Top Talkers on >Modular 12.2SX images? I thought netflow top-talkers was an SXH feature? > >We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as >below: > >sh ver >Cisco Internetwork Operating System Software >IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version >12.2(18)SXF4, RELEASE SOFTWARE (fc1) ><..output ommited...> >disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm ><..output ommited...> Ok - but what are you asking? From gtb at slac.stanford.edu Mon Aug 18 18:51:11 2008 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Mon, 18 Aug 2008 15:51:11 -0700 Subject: [c-nsp] debugging stack corruption In-Reply-To: <20080818201044.GR29172@elvis.mu.org> References: <20080818201044.GR29172@elvis.mu.org> Message-ID: > anyone see anything like this. i assume only a reload will fix this: Nothing exactly like this, but I have a number of crash files from SB11/12 on a 7200 with memory corruption (Block overrun/redzone corruption). Unfortunately the 7200 (a non-VXR) cannot be on maintenance (EOS/EOL), so I cannot open a TAC case (and no existing bugid seemed relevant). That is what I would recommend to you (open a TAC case). 
Gary

From lambert at lambertfam.org Mon Aug 18 19:36:20 2008 From: lambert at lambertfam.org (Scott Lambert) Date: Mon, 18 Aug 2008 18:36:20 -0500 Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup Message-ID: <20080818233620.GA28542@sysmon.tcworks.net>

I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work." The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network. Cisco sales tech guy said: > What we discussed was the ASA having a default route to the virtual > IP address of the routers and they would be running either VRRP or > GLBP (whatever they decided they wanted to do) going out to the > service provider. Then the routers would simply have a default route > going out to the service provider to hit the 'Net. The network design is supposed to be something like :

        Cisco 7204VXR NPE G1 (ISP)
          |            |
          T1      Wireless network cloud
          |            |
     Cisco 1841    Cisco 1841
          |            |
        -+-------+--------+-
                 |
        Cisco ASA 5510 (Customer)

The wireless network cloud is creating logistical issues for me. The wireless ethernet makes multiple hops through StarOS based routers which do not speak OSPF, yet. I have to statically route traffic to the wireless cloud. The wireless network is handled by a different group here and I don't have much influence over how they run it. I've been running ISP routers for 10 years, but have not had this configuration come up before. 99.9999% of my customers have been single homed to me. Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features.
I'm primarily a servers guy but when you work in small ISPs, you get to do everything. I could use some guidance in the best way to make these links load balance with graceful degradation if one link should fall down. I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204. Is OSPF going to be enough to load balance the links, or will I need something else? If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly? To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge? Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet? The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections. If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an infinite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since. Hopefully, that is not important right now. The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU.
-- Scott Lambert KC5MLE Unix SysAdmin lambert at lambertfam.org

From aakhter at cisco.com Mon Aug 18 20:39:21 2008 From: aakhter at cisco.com (Aamer Akhter (aakhter)) Date: Mon, 18 Aug 2008 20:39:21 -0400 Subject: [c-nsp] ip cef load sharing In-Reply-To: References: <20080815171202.GH8654@rtp-cse-489.cisco.com><20080815174925.GL8654@rtp-cse-489.cisco.com> Message-ID:

Dan, Another option is to use the PfR NAT integration. The idea is that PfR will actively monitor the traffic and move subnet reachability around to try to even out the traffic. For existing NATed flows, PfR will preserve the stickiness on the established path. http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/white_paper_C11-458124.html -- Aamer Akhter / aa at cisco.com Ent & Commercial Systems, cisco Systems

> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Dan Letkeman > Sent: Monday, August 18, 2008 12:06 PM > To: Ben Steele; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ip cef load sharing > > My only options for the IP CEF command are as follows: > > original Original algorithm > tunnel Algorithm for use in tunnel only environments > universal Algorithm for use in most environments > > I tried original, and it seems as if it load balances, but it doesn't > switch from modem to modem very fast. But in any case there is a lot > less problems with this on. > > I also found out that the content filter that is before the cisco > router is also doing NAT. I'm assuming that's a problem as well > because now the router doesn't know what the source IP is anymore. > > Any other ideas on how to make this work better? > > Thanks, > Dan.
> > On Sat, Aug 16, 2008 at 6:35 PM, Ben Steele > wrote: > > Dan the reason your having issues is not MTU related, it's NAT > related, > > because you have 3 ADSL lines each doing NAT against a different > outside IP > > when you turn on per-packet load sharing you end up with flows to the > same > > destination having different source IP addresses. > > > > Your only option is per-destination load balancing (ie the default), > one way > > you can tweak this a little without breaking to much is to change the > > standard algorithm to include ports. > > > > Try adding "ip cef load-sharing algorithm include-ports destination" > into > > your global config once you've removed your per-packet load sharing > and see > > how you go. > > > > You are never going to get perfect load balancing in your scenario > but if > > you have enough hosts on your LAN it should be sufficient enough, one > way > > you can do per-packet is if you get another IP routed down all 3 adsl > lines > > and put it on a loopback and NAT everything against that. > > > > Ben > > > > ----- Original Message ----- From: "Dan Letkeman" > > > To: "Rodney Dunn" ; > > Sent: Saturday, August 16, 2008 3:29 AM > > Subject: Re: [c-nsp] ip cef load sharing > > > > > >> Still seem to have the same problem even with this: > >> > >> interface FastEthernet0/0 > >> ip address 10.1.10.1 255.255.255.0 > >> ip tcp adjust-mss 1300 > >> duplex auto > >> speed auto > >> > >> > >> interface FastEthernet0/1 > >> ip address 192.168.10.1 255.255.255.0 > >> ip load-sharing per-packet > >> duplex auto > >> speed auto > >> > >> Dan. > >> > >> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn > wrote: > >>> > >>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote: > >>>> > >>>> ip load-sharing per-packet > >>>> > >>>> I tried adding this to F0/1 and the trace route works now(it > randomly > >>>> picks either line), but there seems to be issues with maybe the > MTU? 
> >>>> If I try to browse websites i get page errors and some of the > pictures > >>>> and pages don't load. > >>> > >>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the > >>> ingress interface from the LAN. > >>> > >>>> > >>>> Any ideas? > >>>> > >>>> Thanks, > >>>> Dan. > >>>> > >>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn > wrote: > >>>> > Try ip load-sharing per-packet on both egress interfaces. > >>>> > > >>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote: > >>>> >> Hello, > >>>> >> > >>>> >> I have a 2621 router running 12.3(26) and I would like to setup > load > >>>> >> sharing to multiple adsl lines. When I do a traceroute on the > router > >>>> >> it randomly picks a dsl line and seems to work fine. But when > I do > >>>> >> traceroute tests from a workstation it always seems to take the > same > >>>> >> adsl line. Is there something else I need to add to the >> > >>>> >> configuration > >>>> >> to make it pick random lines, or is there a timeout of some > sorts > >>>> >> before it will select the next ip route > >>>> >> > >>>> >> Here is my config: > >>>> >> > >>>> >> ! > >>>> >> interface FastEthernet0/0 > >>>> >> ip address 10.1.10.1 255.255.255.0 > >>>> >> duplex auto > >>>> >> speed auto > >>>> >> ! > >>>> >> interface FastEthernet0/1 > >>>> >> ip address 192.168.10.1 255.255.255.0 > >>>> >> duplex auto > >>>> >> speed auto > >>>> >> ! > >>>> >> ip http server > >>>> >> ip classless > >>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10 > >>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11 > >>>> >> ! > >>>> >> > >>>> >> The two adsl modem/routers I have are 192.168.10.10, and >> > >>>> >> 192.168.10.11 > >>>> >> > >>>> >> Thanks, > >>>> >> Dan. 
> >>>> >> _______________________________________________ > >>>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>>> > > >>> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From agirling at denetron.com Mon Aug 18 21:40:35 2008 From: agirling at denetron.com (Andrew Girling) Date: Mon, 18 Aug 2008 21:40:35 -0400 Subject: [c-nsp] CAB-HD8-ASYNC extension cables? In-Reply-To: <277180.79235.qm@web901.biz.mail.mud.yahoo.com> References: <277180.79235.qm@web901.biz.mail.mud.yahoo.com> Message-ID: <5E1349FC-0219-4F18-8DDC-879F84C459D5@denetron.com>

On Aug 18, 2008, at 5:01 PM, Kevin Graham wrote: > Does anyone know what the formal name for the 'HD' end of an CAB-HD8- > ASYNC (for > the HWIC-8A/16A)? Ideally I'd like to do an extended run before > fanning out into > RJ45's. The connector on the cards is (Micro)D68F (also used by SCSI-3 devices). You would be looking for a D68M-D68F cable to extend the connection. Check with your favorite cabling vendor for pricing, but it may be cheaper to extend the RJ45's than purchase a D68 cable...though I'd admit the D68 extension is a tidier solution in the rack :). I was also able to come up with vendors that make custom length CAB-HD8-ASYNC compatible cables, that start in the neighborhood of > $100USD.
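Ben Steele's explanation, quoted in the "ip cef load sharing" thread above, of why per-packet load sharing breaks TCP flows when each ADSL line does its own NAT, modelled as an added example (not code from the thread or from Cisco; the addresses, the three-uplink count, and the CRC32 stand-in for CEF's hash are assumptions):

```python
"""
Constructed model of CEF load sharing across NAT'd uplinks.  Added example,
not code from the cisco-nsp thread or from Cisco.  Assumed topology: one LAN,
three ADSL modem/routers as next-hops, each NATing to its own public address.
The question is which load-sharing mode keeps every packet of one flow on the
same uplink, so the far-end server sees a single source address.
"""
import itertools
import zlib
from dataclasses import dataclass

# Constructed next-hop -> public address the modem NATs to (documentation
# ranges, not real addresses).  Dan's config showed two modems; Ben's text
# describes three ADSL lines, so three are modelled here.
UPLINKS = {
    "192.168.10.10": "203.0.113.10",
    "192.168.10.11": "203.0.113.11",
    "192.168.10.12": "203.0.113.12",
}
NEXT_HOPS = sorted(UPLINKS)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _bucket(*fields) -> int:
    """Stand-in for the CEF hash (assumption): deterministic, keyed only on
    the fields given, so equal fields always map to the same uplink."""
    key = "|".join(str(f) for f in fields).encode()
    return zlib.crc32(key) % len(NEXT_HOPS)


def pick_next_hop(pkt: Packet, mode: str, rr) -> str:
    """Choose the egress next-hop for one packet.

    mode is one of:
      "per-packet"      - ip load-sharing per-packet (round robin over rr)
      "per-destination" - the default: hash of source and destination address
      "include-ports"   - ip cef load-sharing algorithm include-ports ...:
                          the hash additionally covers the L4 ports
    """
    if mode == "per-packet":
        return next(rr)
    if mode == "per-destination":
        return NEXT_HOPS[_bucket(pkt.src, pkt.dst)]
    if mode == "include-ports":
        return NEXT_HOPS[_bucket(pkt.src, pkt.dst, pkt.sport, pkt.dport)]
    raise ValueError(f"unknown load-sharing mode {mode!r}")


def public_sources_seen(flow, mode):
    """Public source addresses the remote server sees for one flow's packets."""
    rr = itertools.cycle(NEXT_HOPS)
    return {UPLINKS[pick_next_hop(p, mode, rr)] for p in flow}


def flow_is_consistent(flow, mode) -> bool:
    """True when every packet leaves through the same NAT, i.e. the server
    sees one source address and the connection can actually work."""
    return len(public_sources_seen(flow, mode)) == 1


def link_spread(flows, mode) -> int:
    """Number of distinct uplinks used by the first packet of each flow."""
    rr = itertools.cycle(NEXT_HOPS)
    return len({pick_next_hop(f[0], mode, rr) for f in flows})


def make_flow(src, dst, sport, dport, n=6):
    """Constructed flow: n packets with one 5-tuple."""
    return [Packet(src, dst, sport, dport) for _ in range(n)]


if __name__ == "__main__":
    flow = make_flow("10.1.10.5", "198.51.100.7", 40000, 80)
    many = [make_flow("10.1.10.5", "198.51.100.7", sp, 80)
            for sp in range(40000, 40100)]
    for mode in ("per-packet", "per-destination", "include-ports"):
        print(f"{mode:16} flow consistent: {flow_is_consistent(flow, mode)!s:5} "
              f"uplinks used by 100 flows from one host: {link_spread(many, mode)}")
```

Per-destination keeps a flow intact but pins every flow between one host pair to one line; include-ports spreads those flows over the lines while still keeping each flow whole, which is the trade-off Ben describes.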
From ryanclambert at gmail.com Mon Aug 18 21:59:45 2008 From: ryanclambert at gmail.com (Ryan Lambert) Date: Mon, 18 Aug 2008 21:59:45 -0400 Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net> References: <20080818233620.GA28542@sysmon.tcworks.net> Message-ID: <002201c9019f$426e4300$c74ac900$@com>

Hi Scott, Hopefully I am understanding your challenge correctly. It appears to me like you're having trouble chatting dynamic routing protocols directly with the wireless network, among some other various nitty-gritty that is not "just as simple" as the SE tries to make it sound. Looking at your diagram, it seems that the 7204 also should have a route to the 1841 via the mysterious cloud there, albeit a few more hops in between. For obvious reasons (lack of link state awareness), plain old static routing isn't a reliable option in your scenario. With that said, OSPF may not even be necessary. Have you considered the possibility of running ebgp-multihop from the Cisco 7204VXR to the 1841's interface directly connected to the wireless network? You could also establish a private BGP session with the other 1841 via the directly connected T1 link, and announce the same prefix out of both sessions. As for the VRRP question: If memory serves, I want to say yes, you can use a "real" IP address that does not exist in the same subnet as the floating virtual; at least, this worked the last time I tried to do it so far as I can recall. Unfortunately for the past year and change, I've been dealing with a limitation on a never-to-be-named hardware/software platform that just recently started allowing this... uhm, feature.
I'm still kind of scratching my head on a good, clean way to "load-balance" this outbound for you, given only one of the routers is going to serve as the ASA's default route out in a VRRP/HSRP configuration. I'm sure there is an answer, it just doesn't look pretty in my head. Maybe the answer here is to do OSPF between the 1841s and the ASA, all in NBMA mode so that the 1841s aren't trying to share a default to one another. The only thing the 1841s should need to do are A) create an adjacency with the ASA, and b) advertise it a default route. In that case, it may be necessary to expand to a /28 if everything else is in use on that subnet. Maybe someone else has a better solution -- that's at least the one I'd try to lab out first, if it were me. Just something to think about, I guess... :) -Ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Lambert Sent: Monday, August 18, 2008 7:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparantly, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work." The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network. Cisco sales tech guy said: > What we discussed was the ASA having a default route to the virtual > IP address of the routers and they would be running either VRRP or > GLBP (whatever they decided they wanted to do) going out to the > service provider. Then the routers would simply have a default route > going out to the service provider to hit the 'Net. 
The network design is supposed to be something like : Cisco 7204VXR NPE G1 (ISP) | | T1 Wireless network cloud | | Cisco 1841 Cisco 1841 | | -+-------+--------+- | Cisco ASA 5510 (Customer) The wireless network cloud is creating logistical issues for me. The wireless ethernet makes multiple hops through StarOS based routers which do not speak OSPF, yet. I have to staticly route traffic to the wireless cloud. The wireless network is handled by a different group here and I don't have much influence over how they run it. I've been running ISP routers for 10 years, but have not had this configuration come up before. 99.9999% of my customers have been single homed to me. Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features. I'm primarily a servers guy but when you work in small ISPs, you get to do everything. I could use some guidence in the best way to make these links load balance with graceful degradation if one link should fall down. I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204. Is OSPF going to be enough to load balance the links, or will I need something else? If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly? To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge? Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? 
Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet? The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections. If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an ininite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since. Hopefully, that is not important right now. The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU. -- Scott Lambert KC5MLE Unix SysAdmin lambert at lambertfam.org _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dwinkworth at att.net Mon Aug 18 22:16:37 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 18 Aug 2008 21:16:37 -0500 Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup In-Reply-To: <002201c9019f$426e4300$c74ac900$@com> References: <20080818233620.GA28542@sysmon.tcworks.net> <002201c9019f$426e4300$c74ac900$@com> Message-ID: <48AA2D05.60505@att.net> Well, it seems whatever NAT you need to do will happen on the ISP router or the ASA... so you could load-balance with EIGRP... using an GRE/IPSec tunnel over the wireless part... EIGRP would be nice because you could do load-variance... Ryan Lambert wrote: > Hi Scott, > > Hopefully I am understanding your challenge correctly. It appears to me like > you're having trouble chatting dynamic routing protocols directly with the > wireless network, among some other various nitty-gritty that is not "just as > simple" as the SE tries to make it sound. 
> > Looking at your diagram, it seems that the 7204 also should have a route to > the 1841 via the mysterious cloud there, albeit a few more hops in between. > For obvious reasons (lack of link state awareness), plain old static routing > isn't a reliable option in your scenario. With that said, OSPF may not even > be necessary. Have you considered the possibility of running ebgp-multihop > from the Cisco 7204XVR to the 1841's interface directly connected to the > wireless network? You could also establish a private BGP session with the > other 1841 via the directly connected T1 link, and announce the same prefix > out of both sessions. > > As for the VRRP question: If memory serves, I want to say yes, you can use a > "real" IP address that does not exist in the same subnet as the floating > virtual; at least, this worked the last time I tried to do it so far as I > can recall. Unfortunately for the past year and change, I've been dealing > with a limitation on a never-to-be-named hardware/software platform that > just recently started allowing this... uhm, feature. > > I'm still kind of scratching my head on a good, clean way to "load-balance" > this outbound for you, given only one of the routers is going to serve as > the ASA's default route out in a VRRP/HSRP configuration. I'm sure there is > an answer, it just doesn't look pretty in my head. Maybe the answer here is > to do OSPF between the 1841s and the ASA, all in NBMA mode so that the 1841s > aren't trying to share a default to one another. The only thing the 1841s > should need to do are A) create an adjacency with the ASA, and b) advertise > it a default route. In that case, it may be necessary to expand to a /28 if > everything else is in use on that subnet. Maybe someone else has a better > solution -- that's at least the one I'd try to lab out first, if it were me. > > Just something to think about, I guess... 
:) > > -Ryan > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Lambert > Sent: Monday, August 18, 2008 7:36 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load > balancing/failover setup > > I have a customer who went directly to cisco to ask about how to load > balance two WAN connections to their Cisco PIX 515E. Cisco sold them an > ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the > ASA and 1841s. Apparantly, the customer didn't even mention that the > two connections were to the same ISP, me. The customer just ordered the > equipment and said "Make it work." > > The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless > network. > > Cisco sales tech guy said: > >> What we discussed was the ASA having a default route to the virtual >> IP address of the routers and they would be running either VRRP or >> GLBP (whatever they decided they wanted to do) going out to the >> service provider. Then the routers would simply have a default route >> going out to the service provider to hit the 'Net. >> > > The network design is supposed to be something like : > > Cisco 7204VXR NPE G1 (ISP) > | | > T1 Wireless network cloud > | | > Cisco 1841 Cisco 1841 > | | > -+-------+--------+- > | > Cisco ASA 5510 (Customer) > > The wireless network cloud is creating logistical issues for me. The > wireless ethernet makes multiple hops through StarOS based routers > which do not speak OSPF, yet. I have to staticly route traffic to the > wireless cloud. The wireless network is handled by a different group > here and I don't have much influence over how they run it. > > I've been running ISP routers for 10 years, but have not had this > configuration come up before. 99.9999% of my customers have been single > homed to me. 
> Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features. I'm primarily a servers guy but when you work in small ISPs, you get to do everything.
>
> I could use some guidance in the best way to make these links load balance with graceful degradation if one link should fall down.
>
> I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204.
>
> Is OSPF going to be enough to load balance the links, or will I need something else?
>
> If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly?
>
> To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge?
>
> Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet?
>
> The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections.
>
> If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an infinite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since.
>
> Hopefully, that is not important right now.
> The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU.
>
>

From skeeve at skeeve.org Mon Aug 18 21:41:16 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 19 Aug 2008 11:41:16 +1000
Subject: [c-nsp] Will there be a Cisco 887?
Message-ID:

Hey all,

I am trying to plan some CPE deployments for next year and wanted more information about the 880 series.

I love the Wireless N and the 3G backup on the 881. But this is an ADSL2 deployment which I was going to use 877W's for, but given the move to N and the 3G option, I would prefer an 887, but I can't find out if they are going to release one or not.

The 881 I understand, but the 888 (SHDSL) I have no idea why that would come BEFORE an ADSL2 model.

Can someone at Cisco possibly enlighten me?

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From ben.steele at internode.on.net Mon Aug 18 23:55:22 2008
From: ben.steele at internode.on.net (ben.steele at internode.on.net)
Date: Tue, 19 Aug 2008 12:55:22 +0900
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
Message-ID: <60221.1219118122@internode.on.net>

Hi Scott,

Try this:

Seeing as you are working statics over your wireless cloud, to simplify things a little set up a GRE tunnel from your 7200 over the wireless to the 1841 (don't forget to subtract 24 bytes off the MTU, i.e. if it's a 1500 path put "ip mtu 1476" in the tunnel interface, and also add keepalives so it will actually go down if it is down), and I assume your T1 is point to point from the other 1841 to the 7200.
Now assuming this is going to be a redundant configuration as well as load-balanced, you need to have a subnet that can float between the 2 links that your customer can NAT against (which by the way will happen on the ASA they got sold). There are 2 ways you can achieve this: 1 is by using ip sla to monitor the next hop of each of the customer links from your 7200 with statics, the other is private BGP. You sure as hell don't want to start running an IGP to your customers (unless it's MPLS VPN).

Let's say you assign your customer 1.0.0.0/27 as their usable floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE tunnel (wireless) is 2.0.0.5/30 at your end.

Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their own rtr group of course, say 1 and 2 respectively).

ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2

Hope that makes sense; essentially traffic will only route to your customer if your 7200 can ping their respective 1841. The other private BGP option I am going to assume you are already familiar with, being in an ISP.

Now for the customer to you. AFAIK the ASA cannot load balance, it can only forward out 1 interface at a time. So what you need to do is put the ASA and the 2 1841 interfaces into a switch so they can all see each other at layer 2. Now set up hsrp on your 1841 interfaces for redundant gateways; let's say you use 1.0.0.1 (T1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp). Now the next part is a little trickier. I am going to assume your T1 is your primary link for this example but you can switch it around if you want.
On your T1 1841 add a static route for the wireless /30 to go via the LAN interface of the wireless 1841 (ip route 2.0.0.4 255.255.255.252 1.0.0.2). You should now be able to ping the ISP end of the wireless link from your T1 1841. You want to set up ip sla to monitor the ISP end of the wireless link from your T1 router (i.e. the T1 router is monitoring 2.0.0.5) and you also want to monitor its end of the T1 link as well, 2.0.0.1. What this does is let your primary gateway know that it has a complete and valid path for both gateways for redundancy.

Now you add 2 static routes with tracking on your primary 1841:

ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2

Your wireless 1841 need only have the 1 gateway via its wireless tunnel, as it should only ever fall over to that router if there is a serious problem on the primary side, so you don't want it routing back that way anyway; however make sure you enable pre-empt so it fails back to the primary once it is back up.

You can optimise this a little further with the global command "ip cef load-sharing algorithm include-ports destination source", or if you're game you can even do per-packet load sharing, however I wouldn't recommend it as your 2 paths are going to have different characteristics. I'd probably just try the method I listed first.

As mentioned previously the ASA config will just be straightforward, NAT/PAT against some pool in 1.0.0.0/27 with a default route to 1.0.0.3 (hsrp), nothing more to it; the 1841s will do all the redundancy and load balancing.

Hope at least some of that made sense, if you need clarification on anything let me know.

Cheers

Ben

On Tue 19/08/08 9:06 AM , Scott Lambert lambert at lambertfam.org sent:

I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s.
Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work."

The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network.

Cisco sales tech guy said:

> What we discussed was the ASA having a default route to the virtual IP address of the routers and they would be running either VRRP or GLBP (whatever they decided they wanted to do) going out to the service provider. Then the routers would simply have a default route going out to the service provider to hit the 'Net.

The network design is supposed to be something like :

  Cisco 7204VXR NPE G1 (ISP)
      |              |
      T1      Wireless network cloud
      |              |
  Cisco 1841      Cisco 1841
      |              |
    -+-------+--------+-
             |
     Cisco ASA 5510 (Customer)

The wireless network cloud is creating logistical issues for me. The wireless ethernet makes multiple hops through StarOS based routers which do not speak OSPF, yet. I have to statically route traffic to the wireless cloud. The wireless network is handled by a different group here and I don't have much influence over how they run it.

I've been running ISP routers for 10 years, but have not had this configuration come up before. 99.9999% of my customers have been single homed to me. Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features. I'm primarily a servers guy but when you work in small ISPs, you get to do everything.

I could use some guidance in the best way to make these links load balance with graceful degradation if one link should fall down.

I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204.
Is OSPF going to be enough to load balance the links, or will I need something else?

If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly?

To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge?

Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet?

The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections.

If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an infinite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since.

Hopefully, that is not important right now. The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU.
--
Scott Lambert KC5MLE Unix SysAdmin

_______________________________________________
cisco-nsp mailing list
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sethm at rollernet.us Tue Aug 19 00:02:27 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 18 Aug 2008 21:02:27 -0700
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net>
References: <20080818233620.GA28542@sysmon.tcworks.net>
Message-ID: <48AA45D3.6050701@rollernet.us>

Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work."

Whoever sold them on that solution should be the one to make it work. ;)

> The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network.
>
> Cisco sales tech guy said:
>> What we discussed was the ASA having a default route to the virtual IP address of the routers and they would be running either VRRP or GLBP (whatever they decided they wanted to do) going out to the service provider. Then the routers would simply have a default route going out to the service provider to hit the 'Net.
>
> The network design is supposed to be something like :
>
>   Cisco 7204VXR NPE G1 (ISP)
>       |              |
>       T1      Wireless network cloud
>       |              |
>   Cisco 1841      Cisco 1841
>       |              |
>     -+-------+--------+-
>              |
>      Cisco ASA 5510 (Customer)
>

I dunno what Cisco would do, but I'd start with a GRE tunnel over the wireless side. I do this from home back to the office (crypto on the tunnel too, of course) so I can get all my office routes via OSPF and effectively be directly connected. Make sure to put some static routes in there so the tunnel endpoint doesn't become learned over OSPF, which would cause the tunnel to drop.

I wouldn't bother with the load balance on drastically unequal links - the first time they have a huge transfer and expect to see 6.5 megs, the flow will end up over the T1 and they'll be screaming about the 1.5 meg reality.

~Seth

From kgraham at industrial-marshmallow.com Tue Aug 19 00:21:01 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 18 Aug 2008 21:21:01 -0700 (PDT)
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
Message-ID: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>

> The connector on the cards are (Micro)D68F (also used by SCSI-3 devices). You would be looking for a D68M-D68F cable to extend the connection.

[...oops. sorry Brian, you were right...]

Thanks, I didn't have one on hand to check. Do you happen to know if the pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very useful for sparing...)

> ...though I'd admit the D68 extension is a tidier solution in the rack :).

That's the idea.
Even with clean cable management, it's still better to get that fanout as far from central panels as needed.

> I was also able to come up with vendors that make custom length CAB-HD8-ASYNC compatible cables

If going that approach, it'd be even cooler to get something in a cassette format to go right next to the MPO breakouts...

From gert at greenie.muc.de Tue Aug 19 04:20:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 19 Aug 2008 10:20:58 +0200
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net>
References: <20080818233620.GA28542@sysmon.tcworks.net>
Message-ID: <20080819082058.GY288@greenie.muc.de>

Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load balance two WAN connections

I see two key issues here:

- how to load *balance*.
- how to reliably detect "wireless is down" if there is no end-to-end routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP, if there is only a single client) will not provide load balancing, but only failover. That is: while one of the boxes is working, it will receive all the traffic from the PIX, and if it breaks, all the traffic goes to the other box.

One possible approach to do this might be via "manual balancing", as in "route all the VPN connections over one path, and all the web surfing over the other path", but that's not overly easy to maintain.

The other approach might be with Cisco OER - let the boxes figure out what destinations have the most traffic, and balance these flows over both links. But that will only work outbound from the customer to you - from the ISP (you) to the customer, you also need to decide upon the balancing criteria, if any.
"Just failover" is easy :)

The second part (how to diagnose that the wireless is down) is easier - you could use a BGP session from the customer router to your edge router, just sending "customer routes" and "default" back and forth. If the wireless mesh breaks, the BGP session will also break, and routing will fall over to the other link. (The StarOS routers would need to know the customer routes statically, but that's not a problem, unless the customer changes their IP addresses frequently).

If BGP is not an option, you could do it with IP SLA ("ping testing") and static route tracking ("if it doesn't ping, withdraw the route") on both ends, but that's less elegant than BGP - and much more configuration work.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From Toby.Burrows at qubenet.net Tue Aug 19 04:22:59 2008
From: Toby.Burrows at qubenet.net (Toby Burrows (Qube))
Date: Tue, 19 Aug 2008 09:22:59 +0100
Subject: [c-nsp] 11503 ssl redundancy synch
In-Reply-To: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>
References: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>
Message-ID:

Many thanks Vijay, had suspected as much, just didn't want to believe it!

It does seem really silly for the price of these things, it looks like I will be pushing for a pair of F5's when I implement my shared LB solution.

Thanks again,

Toby Burrows

-----Original Message-----
From: Ramcharan, Vijay A [mailto:vijay.ramcharan at verizonbusiness.com]
Sent: 18 August 2008 19:46
To: Toby Burrows (Qube); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 11503 ssl redundancy synch

I don't believe you are missing anything.
SSL files (keys, certs etc) are most likely not copied across. You will probably need to manually import them into your standby box.

For whatever reason, the ACE has this same limitation (seemingly silly as I can't put my finger on the reason why Cisco cannot sync SSL files as well as the config).

F5 has had this on their boxes for a long time now. Makes SSL configuration a snap.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Toby Burrows (Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all,

I have 2 css11503's in active/passive redundancy config. When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck.

The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy. The question is, should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something?

Thanks in advance

Toby Burrows
Network Engineer
Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers
Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71

This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person.

Please consider the environment - do you really need to print this email?
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nic.tjirkalli at za.verizonbusiness.com Tue Aug 19 04:44:15 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Tue, 19 Aug 2008 10:44:15 +0200 (SAST)
Subject: [c-nsp] Queuing on 1 Gig transit interfaces
Message-ID:

howdy ho,

we have some transit interfaces that are GIG E interfaces on CISCO 7500 and 7600 boxes. these interfaces run at most at around 300 Meg.

The current queuing scheme on them is FIFO.

we have some operational folk who are making sounds that they want the queuing to be WFQ as these boxes are pushing a mix of internet traffic and VOIP packets (RTP packets)

My feelings are to leave the queuing as FIFO but was wondering if others had some feelings or experience in this

thanking you in advance for any thoughts or info

later

---------------------------------------------------------------------
Knowledge speaks, but wisdom listens.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.

Company Information: http://www.verizonbusiness.com/za/contact/legal/

This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.

From Mark at u.tv Tue Aug 19 04:45:22 2008
From: Mark at u.tv (Mark Tohill)
Date: Tue, 19 Aug 2008 09:45:22 +0100
Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4
References: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local> <20080818213259.GA32257@doorstop.net.ic.ac.uk>
Message-ID: <658F94741F4A8A4F94171E37E417488B0272D7EE@UTVEXCHANGE.utv.local>

Thanks for the reply Phil.

It looks as if you're right. No mention of TopTalkers in the CLI.
We'll maybe have to look at implementing this upstream or plan an IOS upgrade on the Cat's.

Thanks again,
Mark

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: 18 August 2008 22:33
To: Mark Tohill
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4

On Mon, Aug 18, 2008 at 05:12:46PM +0100, Mark Tohill wrote:
>Hi,
>
>Does anyone have experience of configuring Netflow Top Talkers on Modular 12.2SX images?

I thought netflow top-talkers was an SXH feature?

>
>We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as below:
>
>sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
><..output omitted...>
>disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm
><..output omitted...>

Ok - but what are you asking?

From gkg at gmx.de Tue Aug 19 04:55:09 2008
From: gkg at gmx.de (Garry)
Date: Tue, 19 Aug 2008 10:55:09 +0200
Subject: [c-nsp] 20G Etherchannel with Standby-SupV?
Message-ID: <48AA8A6D.8070305@gmx.de>

For a project we are in the process of evaluating the way to implement the requirements ... One solution would be a dual (extendable) site setup with a 4507R at each site, with dual SupV 10GE and dual connection each via two different fiber routes. Plan would be to connect one port each of the active and standby Sup via one way, the other via the other way, resulting in a decent redundancy in case of a Sup failure.

Anyway, having dual 10G links between both sites would definitely call for setting up a 20G etherchannel - question is, can an etherchannel be configured using a 10G interface from each of the two Sups?
From Cisco docs like http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps6033/product_data_sheet0900aecd801c5c66_ps4324_Products_Data_Sheet.html I read that all ports of the SupV (2x 10G & 4x 1G) in Standby/Redundancy are usable, so I would assume this also goes for setting up Etherchannels?

Tnx, -garry

From jhary at unsane.co.uk Tue Aug 19 04:57:20 2008
From: jhary at unsane.co.uk (Vincent Hoffman)
Date: Tue, 19 Aug 2008 09:57:20 +0100
Subject: [c-nsp] snmp values for individual vlans on trunk port
Message-ID: <48AA8AF0.80708@unsane.co.uk>

Hi,

Just been asked if it's possible to pull out the traffic values for specific vlans on a trunk port via snmp on a 2960 or 3750. I'm pretty sure the answer is no, but thought I'd have an ask, any suggestions?

Vince

From p.mayers at imperial.ac.uk Tue Aug 19 05:11:31 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 19 Aug 2008 10:11:31 +0100
Subject: [c-nsp] snmp values for individual vlans on trunk port
In-Reply-To: <48AA8AF0.80708@unsane.co.uk>
References: <48AA8AF0.80708@unsane.co.uk>
Message-ID: <48AA8E43.4070605@imperial.ac.uk>

Vincent Hoffman wrote:
> Hi,
> Just been asked if it's possible to pull out the traffic values for specific vlans on a trunk port via snmp on a 2960 or 3750.

No, the hardware doesn't support it

> I'm pretty sure the answer is no, but thought I'd have an ask, any suggestions?
>
> Vince
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dgranzer at gmail.com Tue Aug 19 05:43:59 2008
From: dgranzer at gmail.com (David Granzer)
Date: Tue, 19 Aug 2008 11:43:59 +0200
Subject: [c-nsp] Queuing on 1 Gig transit interfaces
In-Reply-To:
References:
Message-ID: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com>

Hello,

if the interface is GigE with traffic at around 300Mb/s and there is not any other back pressure mechanism like traffic shaping, then there is no congestion on the interface and congestion management like WFQ is not in use.

David

the congestion management is used only when

On 8/19/08, Nic Tjirkalli wrote:
>
> howdy ho,
>
> we have some transit interfaces that are GIG E interfaces on CISCO 7500
> and 7600 boxes. these interfaces run at most at around 300 Meg.
>
> The current queuing scheme on them is FIFO.
>
> we have some operational folk who are making sounds that they want the
> queuing to be WFQ as these boxes are pushing a mix of internet traffic and
> VOIP packets (RTP packets)
>
> My feelings are to leave the queuing as FIFO but was wondering if others
> had some feelings or experience in this
>
> thanking you in advance for any thoughts or info
>
> later
>
> ---------------------------------------------------------------------
> Knowledge speaks, but wisdom listens.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
>

From gkg at gmx.de Tue Aug 19 06:09:36 2008
From: gkg at gmx.de (Garry)
Date: Tue, 19 Aug 2008 12:09:36 +0200
Subject: [c-nsp] 20G Etherchannel with Standby-SupV?
In-Reply-To: <48AA8A6D.8070305@gmx.de>
References: <48AA8A6D.8070305@gmx.de>
Message-ID: <48AA9BE0.9040701@gmx.de>

Looks like I mis-read (or at least misunderstood) the wording in the document I quoted ... in another one, I found a slightly clearer statement which noted that of the four 10G interfaces, any two could be used in a redundant setup ... so I guess the 20G idea is only feasible for a 2-site setup, as in any larger setup, a ring would be operated, which then terminates one 10G line each on two different remote sites ...

-garry

From agirling at denetron.com Tue Aug 19 06:25:31 2008
From: agirling at denetron.com (Andrew Girling)
Date: Tue, 19 Aug 2008 06:25:31 -0400
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>
References: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>
Message-ID: <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com>

On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>> The connector on the cards are (Micro)D68F (also used by SCSI-3
>> devices). You would be looking for a D68M-D68F cable to extend the
>> connection.
>
> [...oops. sorry Brian, you were right...]
>
> Thanks, I didn't have one on hand to check. Do you happen to know if the
> pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very
> useful for sparing...)

Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been hard to track down online.

>> ...though I'd admit the D68 extension is a tidier solution in the
>> rack :).
>
> That's the idea.
> Even with clean cable management, it's still better to
> get that fanout as far from central panels as needed.
>
>> I was also able to come up with vendors that make custom length
>> CAB-HD8-ASYNC compatible cables
>
> If going that approach, it'd be even cooler to get something in a
> cassette format to go right next to the MPO breakouts...

Cisco does recommend a vendor that provides 1RU breakouts in 32 and 48 port configurations, which you feed using D68M-D68M cables:

> Q. Are cable management solutions available for asynchronous ports?
> A. Components Express Inc. offers patch panel solutions for the HWIC-8A and HWIC-16A. These patch panels connect to the high-density asynchronous connectors and break out into individual RJ-45 jacks for each asynchronous port

I have not found any vendors providing a cassette format, but I certainly see the appeal there.

From CB at nianet.dk Tue Aug 19 07:23:24 2008
From: CB at nianet.dk (Christian Bering)
Date: Tue, 19 Aug 2008 13:23:24 +0200
Subject: [c-nsp] 7600, diagnostic per-port
Message-ID:

Hi all,

#diagnostic start module 3 test per-port port 2
Diagnostic[Module 3]: Running test(s) 4-5 may disrupt normal system operation
Do you want to continue? [no]:

Will running this diagnostics feature be disruptive to traffic on any other ports than port 2? Port 2 is currently down/down but I have traffic on port 1 and would rather not disrupt traffic on that port while testing port 2.

--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730

From lowen at pari.edu Tue Aug 19 07:33:40 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 07:33:40 -0400
Subject: [c-nsp] Platform experience and recommendations for L2TPv3.
Message-ID: <200808190733.40713.lowen@pari.edu>

Good morning list. No rant today.
:-)

I am looking, however, for the collected experience of this list in platform experience and recommendations for providing six to twelve point to point L2TPv3 (or equivalent technology) tunnels at up to 150Mb/s rates between APS-protected OC3 endpoints (if you have experience in that area; otherwise just straight tunnels). I have a limited selection of 7500-series routers available, a single 3845, and a 12012 (but no OC48 POS card for a tunnel server; wish I could use the single card 'half' of an OC48 SRP set to do that, as I have one of those). I am open to suggestions on alternative means of providing layer 2 adjacency for multiple VLANs across an OC3 POS link, as well.

I'd also like to hear the experience of the list on how to prevent hairpinning of traffic across an L2TPv3 tunnel; that is: I've got four devices: A, B, C, and D (I know, creative names). A and B are on one end of the link; C and D are on the other. A and C are in the same subnet and are layer 2 adjacent through tunnel X. B and D are both in a different subnet, and have layer 2 adjacency with each other through tunnel Y. How do I prevent traffic between A and B (or between C and D) from traversing the tunnel twice? (that is, one direction on tunnel X, through a router, then back through tunnel Y) I've thought of some form of HSRP or similar protocol. Or is there a better way? A needs to use a router on its end of the link, and C needs to use a router on its end of the link (oh, and just manipulating the default routes in A or C's OS isn't a possibility due to what A and C would be: VMware guests).

The application is VMotion and HA/DRS on VMware across an OC3 POS WAN link between two VMware ESX hosts (one at the prime site, one at the DR); VMotion requires layer 2 adjacency (and does MAC hijacking, which has its own things, but I'm not that far yet) between the two ESX hosts in order to work.

Thanks in advance for any responses.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From lowen at pari.edu Tue Aug 19 07:41:43 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 07:41:43 -0400
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <5E1349FC-0219-4F18-8DDC-879F84C459D5@denetron.com>
References: <277180.79235.qm@web901.biz.mail.mud.yahoo.com>
Message-ID: <200808190741.44035.lowen@pari.edu>

On Monday 18 August 2008 21:40:35 Andrew Girling wrote:
> The connector on the cards are (Micro)D68F (also used by SCSI-3
> devices).

A SCSI LVD/SE 68 pin extension might work; I'd just wonder about the pairing (SCSI cables have strict pairing guidelines; certain signals have to traverse certain pairs in the cable; the highest speed and most critical signals are carried in the center of the cable, and the slowest are carried closer to the shield). Each data line has its paired return, which might or might not match pairing in the HD8-ASYNC. At low speeds it wouldn't matter, but higher speed async signals might suffer from increased crosstalk.

You can see the way SCSI LVD/SE cables are laid out by looking at http://www.paralan.com/lvdmsepinout.html

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From nasir.shaikh at bt.com Tue Aug 19 08:13:28 2008
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 19 Aug 2008 13:13:28 +0100
Subject: [c-nsp] OT: network inventory
Message-ID:

Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco.

Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?
Nasir Shaikh

From ney25 at hotmail.com Tue Aug 19 08:16:46 2008
From: ney25 at hotmail.com (Jack)
Date: Tue, 19 Aug 2008 20:16:46 +0800
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

I think solar winds may help you.

Regards,
Jack

--------------------------------------------------
From:
Sent: Tuesday, 19 August, 2008 8:13 PM
To:
Subject: [c-nsp] OT: network inventory

> Hi,
>
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.
>
> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?
>
> Nasir Shaikh

From mathias.spoerr at at.ibm.com Tue Aug 19 08:23:05 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Tue, 19 Aug 2008 14:23:05 +0200
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

I made a small tool called wktools and it's freeware: www.spoerr.org/wktools

It can do an inventory of your Cisco devices, including IOS routers, IOS&CatOS switches, PIX, ASA, FWSM and IP Phones

Mathias

From:
To:
Date: 19.08.2008 14:20
Subject: [c-nsp] OT: network inventory

Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco.

Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?

Nasir Shaikh
From jaitken at aitken.com Tue Aug 19 08:29:05 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Tue, 19 Aug 2008 12:29:05 +0000
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID: <20080819122905.GB51150@eagle.aitken.com>

On Tue, Aug 19, 2008 at 01:13:28PM +0100, nasir.shaikh at bt.com wrote:
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.

Sounds like you want rancid: http://www.shrubbery.net/rancid/

--Jeff

From a0kunev at yandex.ru Tue Aug 19 08:36:27 2008
From: a0kunev at yandex.ru (a0kunev)
Date: Tue, 19 Aug 2008 16:36:27 +0400
Subject: [c-nsp] voice call drop on as5400
Message-ID: <60121219149387@webmail9.yandex.ru>

Hello

I would like to share the problem we recently got on our network. We have a DS3 coming to an as5400 that converts PSTN calls to VOIP. We're handling only incoming calls, so the dial-peer config is simple, one voice and one voip provider. Recently we've started receiving complaints from our customers on dead air and drops during their conferences. The issues looked like this - a person dialed the DID and nobody answered for 10-120 seconds, then the call was terminated by timeout.
Recently we were able to reproduce this; with debug 'call-mgmnt' it's dumping the following on the console:

Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3

I've checked with tcpdump: the Cisco does not send anything to the IP bridge to establish the call at that time. Telco says they see a lot of rejected calls from our side, but there is nothing on our end (I have not seen it yet).

The as5400 was recently updated to 12.4(9)T4.

Please advise on how to debug this problem.

regards, Andrei

From lowen at pari.edu Tue Aug 19 08:42:42 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 08:42:42 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID: <200808190842.42251.lowen@pari.edu>

On Tuesday 19 August 2008 08:13:28 nasir.shaikh at bt.com wrote:
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.
> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?

I use OpenNMS, which is a full bore network management system. Has great autodiscovery, and reads what it needs to know via SNMP. Can do layer 2 link detections and paths.

Doesn't pull in configs; rancid does that quite well.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From bjorn at mork.no Tue Aug 19 08:51:09 2008
From: bjorn at mork.no (Bjørn Mork)
Date: Tue, 19 Aug 2008 14:51:09 +0200
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com> (Andrew Girling's message of "Tue, 19 Aug 2008 06:25:31 -0400")
References: <994323.8219.qm@web905.biz.mail.mud.yahoo.com> <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com>
Message-ID: <874p5h6ude.fsf@obelix.mork.no>

Andrew Girling writes:

> On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>
>> Thanks, I didn't have one on hand to check. Do you happen to know if the
>> pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very
>> useful for sparing...)
>
> Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been
> hard to track down online.

It's here: http://www.cisco.com/en/US/docs/routers/access/hardware/notes/marcabl.pdf

The pinout does not seem to be consistent with the CAB-OCTAL. Ref http://www.cisco.com/en/US/docs/routers/access/2500/software/user/guide/cables.html#wp2406

Bjørn

From abalashov at evaristesys.com Tue Aug 19 08:59:44 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 19 Aug 2008 08:59:44 -0400 (EDT)
Subject: [c-nsp] voice call drop on as5400
In-Reply-To: <60121219149387@webmail9.yandex.ru>
References: <60121219149387@webmail9.yandex.ru>
Message-ID: <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com>

Is there anything that can be gleaned from either the debug on the SIP side or the ISDN (are these PRIs?) side? ("debug isdn q931")

On Tue, August 19, 2008 8:36 am, a0kunev wrote:
> Hello
>
> I would like to share the problem we recently got on our network. We have
> a DS3 coming to an as5400 that converts PSTN calls to VOIP.
> We're handling
> only incoming calls, so the dial-peer config is simple, one voice and one
> voip provider. Recently we've started receiving complaints from our
> customers on dead air and drops during their conferences. The issues
> looked like this - a person dialed the DID and nobody answered for
> 10-120 seconds, then the call was terminated by timeout.
>
> Recently we were able to reproduce this; with debug 'call-mgmnt' it's
> dumping the following on the console:
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3
>
> I've checked with tcpdump: the Cisco does not send anything to the IP bridge to
> establish the call at that time. Telco says they see a lot of rejected
> calls from our side, but there is nothing on our end (I have not seen it yet).
>
> The as5400 was recently updated to 12.4(9)T4.
>
> Please advise on how to debug this problem.
> regards, Andrei

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From maillist at webjogger.net Tue Aug 19 09:04:29 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 19 Aug 2008 09:04:29 -0400
Subject: [c-nsp] OT: network inventory
References: <200808190842.42251.lowen@pari.edu>
Message-ID: <017d01c901fc$1dcb0300$12140a0a@GINKGO>

Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

----- Original Message -----
From: "Lamar Owen"
To:
Sent: Tuesday, August 19, 2008 8:42 AM
Subject: Re: [c-nsp] OT: network inventory

> On Tuesday 19 August 2008 08:13:28 nasir.shaikh at bt.com wrote:
>> Anybody familiar with (freeware/shareware) tools for a network
>> inventory? Install-base is 100% cisco.
>
>> Are there other utilities around that would scan the collected
>> configurations and read relevant info (descriptions, ip add, link
>> bandwidth etc)?
>
> I use OpenNMS, which is a full bore network management system. Has great
> autodiscovery, and reads what it needs to know via SNMP. Can do layer 2
> link detections and paths.
>
> Doesn't pull in configs; rancid does that quite well.
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu

From rskjels at pogostick.net Tue Aug 19 08:15:45 2008
From: rskjels at pogostick.net (Rikard Stemland Skjelsvik)
Date: Tue, 19 Aug 2008 14:15:45 +0200 (MEST)
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

http://www.ziptie.org/

--
Rikard

On Tue, 19 Aug 2008, nasir.shaikh at bt.com wrote:

> Hi,
>
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.
>
> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?
>
> Nasir Shaikh

From lowen at pari.edu Tue Aug 19 09:26:15 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 09:26:15 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References:
Message-ID: <200808190926.15885.lowen@pari.edu>

On Tuesday 19 August 2008 09:04:29 Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?

See http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid and see if that meets your needs.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From jlewis at lewis.org Tue Aug 19 09:32:22 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 19 Aug 2008 09:32:22 -0400 (EDT)
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO>
Message-ID:

On Tue, 19 Aug 2008, Adam Greene wrote:

> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?

It doesn't use tftp for it, but rancid does backup your configs and put them into CVS so you can see when a change was made, compare configs from different times, etc. It also stores the latest versions of the configs as flat files, so you can easily do some scripting to do things like find all routers of a certain type, make a list of router names and the software versions they're running, etc.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jzp-cnsp at rsuc.gweep.net Tue Aug 19 09:35:41 2008
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Tue, 19 Aug 2008 09:35:41 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO>
Message-ID: <20080819133540.GA69001@gweep.net>

On Tue, Aug 19, 2008 at 09:04:29AM -0400, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?
Lots of folks trigger rancid runs on snmp traps or syslog events. Best IMO is to front-end your changes through rancid & have that wrapper log/trigger runs/etc to your heart's content. Only the long list of 'round tuits' is to recreate all the good ol rtrmon suite actions as rancid wrappers.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From chip.gwyn at gmail.com Tue Aug 19 09:56:42 2008
From: chip.gwyn at gmail.com (chip)
Date: Tue, 19 Aug 2008 09:56:42 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <20080819133540.GA69001@gweep.net>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net>
Message-ID: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From MLouis at nwnit.com Tue Aug 19 10:02:13 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Tue, 19 Aug 2008 10:02:13 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID:

You can use a tool from the cisco partner site called Cisco Network Discovery Tool. It will categorize every module in IOS/CatOS devices and output them to excel spreadsheets.
It lists all EOL hardware and Software as well as serial numbers and such per device and module. It's great for smartnet renewals and tracking. You have to be a partner to use it though but it works well. I use it all the time. It also lists what IOS have PSIRT etc and provides links to the cisco PSIRT site.

Mike

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chip
Sent: Tuesday, August 19, 2008 9:57 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
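One way to turn the per-module inventory chip asks for above (cards, model numbers, serial numbers, optics) into something scriptable, as an added example that is not code from the thread, from rancid or from any other tool named in it: parse the NAME/DESCR and PID/VID/SN entries of a Cisco `show inventory` listing into records keyed by serial number, then diff two snapshots so that a swapped card, a vanished optic or a module that moved slots is reported as a change rather than buried in a config diff. The two listings in the block are constructed sample data (a made-up 7206VXR chassis and made-up serial numbers), not output from any device in the thread.

```python
"""Parse Cisco `show inventory` output and diff two snapshots by serial number.

Added example, not code from the cisco-nsp thread or from rancid. The two
listings below are CONSTRUCTED sample data: a made-up 7206VXR and made-up
serial numbers, laid out in the standard NAME/DESCR + PID/VID/SN format.
"""
import re
from dataclasses import dataclass

# One entry = a NAME/DESCR line followed by a PID/VID/SN line.  VID and SN may
# be blank, so the fields use character classes that stop at the comma and
# never run across a line break into the next entry.
ENTRY_RE = re.compile(
    r'NAME:[ \t]*"(?P<name>[^"]*)",[ \t]*DESCR:[ \t]*"(?P<descr>[^"]*)"[ \t]*\r?\n'
    r'[ \t]*PID:[ \t]*(?P<pid>[^,\s]*)[ \t]*,[ \t]*VID:[ \t]*(?P<vid>[^,\s]*)'
    r'[ \t]*,[ \t]*SN:[ \t]*(?P<sn>\S*)'
)


@dataclass(frozen=True)
class Item:
    name: str   # slot or position, e.g. "module 1"
    descr: str
    pid: str    # orderable product ID
    vid: str    # hardware version, often blank on older gear
    sn: str     # serial number, blank for some virtual entries


def parse_inventory(text: str) -> dict[str, Item]:
    """Return inventory items keyed by serial number.

    Entries without a serial (some backplanes and virtual slots) are keyed by
    their NAME instead so they are still tracked.
    """
    items: dict[str, Item] = {}
    for m in ENTRY_RE.finditer(text):
        item = Item(**m.groupdict())
        items[item.sn or f"noserial:{item.name}"] = item
    return items


def diff_inventory(old: dict[str, Item], new: dict[str, Item]) -> dict[str, list]:
    """Classify hardware as added, removed, or changed (same SN, other slot/descr)."""
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    changed = [(old[k], new[k]) for k in sorted(old.keys() & new.keys())
               if old[k] != new[k]]
    return {"added": added, "removed": removed, "changed": changed}


def summarize(diff: dict[str, list]) -> list[str]:
    """One human-readable line per finding, suitable for a syslog line or ticket."""
    out = [f"REMOVED {i.name}: {i.pid} SN {i.sn}" for i in diff["removed"]]
    out += [f"ADDED   {i.name}: {i.pid} SN {i.sn}" for i in diff["added"]]
    out += [f"CHANGED SN {n.sn}: {o.name!r} -> {n.name!r}" for o, n in diff["changed"]]
    return out


# Constructed baseline snapshot (not real device output).
BASELINE = """\
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "NPE400 0", DESCR: "Cisco 7200 Series Network Processing Engine"
PID: NPE-400           , VID: V01, SN: EXAMPLE0002

NAME: "module 1", DESCR: "Gigabit Ethernet port adapter"
PID: PA-GE             , VID:    , SN: EXAMPLE0003

NAME: "GBIC slot 1/0", DESCR: "1000BASE-SX GBIC"
PID: WS-G5484          , VID:    , SN: EXAMPLE0004
"""

# Constructed later snapshot: module 1 was swapped for another PA-GE, the GBIC
# moved to a different slot, and a second port adapter appeared.
CURRENT = """\
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: EXAMPLE0001

NAME: "NPE400 0", DESCR: "Cisco 7200 Series Network Processing Engine"
PID: NPE-400           , VID: V01, SN: EXAMPLE0002

NAME: "module 1", DESCR: "Gigabit Ethernet port adapter"
PID: PA-GE             , VID:    , SN: EXAMPLE0005

NAME: "module 2", DESCR: "Dual Port Fast Ethernet port adapter"
PID: PA-2FE-TX         , VID:    , SN: EXAMPLE0006

NAME: "GBIC slot 2/0", DESCR: "1000BASE-SX GBIC"
PID: WS-G5484          , VID:    , SN: EXAMPLE0004
"""

if __name__ == "__main__":
    for line in summarize(diff_inventory(parse_inventory(BASELINE),
                                         parse_inventory(CURRENT))):
        print(line)
```

Keying on the serial number rather than the slot name is what makes a like-for-like card swap show up as one removal plus one addition, while the same serial under a new NAME is reported as a change; feed it the command output rancid already collects and run it from cron, and the summary lines are what you would want in a ticket or a syslog message.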
From gordon at suncircle.org Tue Aug 19 10:13:40 2008
From: gordon at suncircle.org (gordon)
Date: Tue, 19 Aug 2008 10:13:40 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <20080819101340.014bbec3@ngohj6-----wkay>

I've had pretty good luck with nedi so far: http://www.nedi.ch/

On Tue, 19 Aug 2008 09:56:42 -0400 chip wrote:

> So far all of the software that's been presented will autodiscover
> devices and backup configs and such. Is there anything around that
> will actually take inventory of a router. By inventory I mean, list
> of cards, model numbers, serial numbers, pluggable optics, etc. I've
> been working on scripts to do this and it's become a lot more
> complicated than I had originally planned. If there's already some
> software out there that does this, I'd love to get my hands on it.
>
> --chip

From lowen at pari.edu Tue Aug 19 10:24:05 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 10:24:05 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References:
Message-ID: <200808191024.06283.lowen@pari.edu>

On Tuesday 19 August 2008 09:56:42 chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc.

So you want to issue a 'show inventory raw' command and capture the results, essentially, right?

Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From ian.mackinnon at lumison.net Tue Aug 19 10:03:33 2008
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Tue, 19 Aug 2008 15:03:33 +0100
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <48AAD2B5.7010109@lumison.net>

hi Chip,

chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc. I've been working on
> scripts to do this and it's become a lot more complicated than I had
> originally planned. If there's already some software out there that does
> this, I'd love to get my hands on it.
>
> --chip
>

CiscoWorks does all that magic inventory stuff. Costs though :-(

You can then do all sorts of queries, eg tell me all the routers running 12.x with a WICxxxx because there is a vulnerability.

On recent IOS's "show inventory" does what you want, but it is not supported everywhere.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses.
Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From chip.gwyn at gmail.com Tue Aug 19 10:38:52 2008
From: chip.gwyn at gmail.com (chip)
Date: Tue, 19 Aug 2008 10:38:52 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <200808191024.06283.lowen@pari.edu>
References: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> <200808191024.06283.lowen@pari.edu>
Message-ID: <64a8ad980808190738m17beca3eqd7d9307163f84afe@mail.gmail.com>

On Tue, Aug 19, 2008 at 10:24 AM, Lamar Owen wrote:

> On Tuesday 19 August 2008 09:56:42 chip wrote:
> > So far all of the software that's been presented will autodiscover
> > devices and backup configs and such. Is there anything around that will
> > actually take inventory of a router. By inventory I mean, list of cards,
> > model numbers, serial numbers, pluggable optics, etc.
>
> So you want to issue a 'show inventory raw' command and capture the
> results, essentially, right?
>
> Seems rancid could do this, as it can produce arbitrary scripts and diff
> the results; perhaps a rancid expert here (which I'm not) can further comment.
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu

'show inventory raw'

How have I missed this command for so long? That's perfect! Thanks sir! Now to parse, put into xml, and track the changes. Lots easier than dealing with snmp, different platforms, different os versions.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From giany007 at yahoo.com Tue Aug 19 10:41:06 2008
From: giany007 at yahoo.com (Giany)
Date: Tue, 19 Aug 2008 07:41:06 -0700 (PDT)
Subject: [c-nsp] OT: network inventory
In-Reply-To: <200808191024.06283.lowen@pari.edu>
Message-ID: <591815.44232.qm@web38905.mail.mud.yahoo.com>

I see a lot of people ask about this.
Here are my 2 cents: I have set this up using rancid and some perl scripts. If you manage to install rancid then the perl script should contain: 1. variables with: rancid config files, router.db, snmp community 2. vars with port type for cisco/cat/juniper, something like ( %switchports = ("WS-X5225R","24|100baseTX",....) 3. get the list of devices you have, something like: my @devcisco = `cat router.db | grep -i ":up:" | grep -i "cisco" | cut -f1 -d":"`; the same for the rest of the devices 4. then for the list of devices you have get the info you need (slot, port, ip..) --- On Tue, 8/19/08, Lamar Owen wrote: From: Lamar Owen Subject: Re: [c-nsp] OT: network inventory To: cisco-nsp at puck.nether.net Date: Tuesday, August 19, 2008, 7:24 AM On Tuesday 19 August 2008 09:56:42 chip wrote: > So far all of the software that's been presented will autodiscover devices > and backup configs and such. Is there anything around that will actually > take inventory of a router? By inventory I mean, list of cards, model > numbers, serial numbers, pluggable optics, etc. So you want to issue a 'show inventory raw' command and capture the results, essentially, right? Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment. 
-- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Tue Aug 19 10:41:05 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 19 Aug 2008 10:41:05 -0400 Subject: [c-nsp] debugging stack corruption In-Reply-To: <20080818201044.GR29172@elvis.mu.org> References: <20080818201044.GR29172@elvis.mu.org> Message-ID: <20080819144105.GF18913@rtp-cse-489.cisco.com> How are you getting this output? If you ssh/telnet to it and run the command do you get the same output? That's not stack corruption to me. Rodney On Mon, Aug 18, 2008 at 01:10:44PM -0700, bill fumerola wrote: > > anyone see anything like this. i assume only a reload will fix this: > > rtr1#sh proc cpu | e 0.0 > CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes: > 35% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 3 528125122320274973 22 23.35% 20.79% 20.97% 0 Exec > 70 3616544001417549298 255 0.15% 0.11% 0.12% 0 IP Input > 115 4851843096833738 0 0.15% 0.14% 0.15% 0 HQF Shaper Backg > rtr1# > > nobody else is logged on, little to no amount of traffic is running > through the aux/cons ports, but this is interesting: > > rtr1#show stacks > Minimum process stacks: > Free/Size Name > 5676/6000 CDP BLOB > 8640/9000 EM ED RF > 11052/12000 Router Init > 8676/9000 cdp init process > 8348/12000 Init > 5304/6000 RADIUS INITCONFIG > 3616/6000 BGP Open > 2264/3000 Rom Random Update Process > 5616/6000 URPF stats > 5316/6000 BGP Accepter > 9248/12000 Exec > 7176/12000 SSH Process > 4264/6000 TFTP Read Process > 4204/6000 MSDP Open > 34540/36000 TCP Command > 5236/7200 TTY Daemon > 8496/9000 IP-EIGRP Router > 3360/6000 > > d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P ,d^[mdd^\^Nld^\ > 
dd^[ 4d^[Q 4d^[1^Dd^[`Td^[{td^[^E^\d^[m ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > \d^[^Add^[^Q\d^[^QLd^[ > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > dd^[ > Ld^[)$d^[#td^[1 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? Dd^[dld^[. ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > 6856/9000 > d^\^[Td^[T^Dd^\y^Dd^\^P ,d^[mdd^\^Nld^\ > dd^[ 4d^[Q 4d^[1^Dd^[`Td^[{td^[^E^\d^[m ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > Minimum process stacks: > Free/Size Name > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > \d^[^Add^[^Q\d^[^QLd^[ > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > dd^[ > Ld^[)$d^[#td^[1 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? Dd^[dld^[. 
^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > 10468/12000 HSRP (Standby) > > Interrupt level stacks: > Level Called Unused/Size Name > 1 2648551315 6280/9000 Network interfaces > 2 0 9000/9000 DMA/Timer Interrupt > 3 185107 7472/9000 PA Management Int Handler > 4 1715750501 8444/9000 Console Uart > 5 0 9000/9000 OIR/Error Interrupt > 7 3207930022 8532/9000 NMI Interrupt Handler > > Spurious interrupts: 233 > rtr1# > > and on a different router: > > rtr1.chi#sh stacks > Minimum process stacks: > Free/Size Name > [....] > 3500/6000 > 7160/9000 5,<$/jDSw_h 5,< 5,< 5,< 5,< 5,< d(X d(X 5,< 5,< 5,< 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< d'X 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5,< 5,< 5,< 5,< 5, 5,<#^Qz|#^Qy|#^Qy| 5,<#^Qx|#^Qx| 5,<%Dtx%Dtx%Dtx%Dtx%Dsx%Dsx%Dsx%Dsx 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5,<%Dsx 5,< 5,< 5,<%Drx 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,<#^Qw|#^Qw|#^Qv| 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<#W:x#W9x > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5, 5316/6000 BGP Accepter > 10176/12000 Exec > > although that router doesn't display the same CPU symptoms. 
> > first router is running: > Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3) > ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1) > BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2) > > second router is running: > Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB12, > RELEASE SOFTWARE (fc3) > > > -- bill > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Tue Aug 19 10:42:51 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 19 Aug 2008 10:42:51 -0400 Subject: [c-nsp] Queuing on 1 Gig transit interfaces In-Reply-To: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com> References: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com> Message-ID: <20080819144251.GG18913@rtp-cse-489.cisco.com> Exactly. Some folks think they need it just to say they are doing fancy qos. ;) If they want to put an MQC policy on the interface they can. But don't do it at those rates on the 7500 as you will kill the VIP CPU. They need a hardware forwarding platform to do those rates with QOS. Rodney On Tue, Aug 19, 2008 at 11:43:59AM +0200, David Granzer wrote: > Hello, > > if the interface is GigE with traffic at around 300Mb/s and there is > not any other back pressure mechanism like traffic shaping then there > is no congestion on the interface and congestion management like WFQ is > not in use. > > David > > > the congestion management is used only when > > On 8/19/08, Nic Tjirkalli wrote: > > > > howdy ho, > > > > we have some transit interfaces that are GIG E interfaces on CISCO 7500 > > and 7600 boxes. these interfaces run at most at around 300 Meg. > > > > The current queuing scheme on them is FIFO. 
> > > > we have some operational folk who are making sounds that they want the > > queuing to be WFQ as these boxes are pushing a mix of internet traffic and > > VOIP packets (RTP packets) > > > > My feelings are to leave the queuing as FIFO but was wondering if others > > had some feelings or experience in this > > > > thanking you in advance for any thoughts or info > > > > later > > > > > > > > --------------------------------------------------------------------- > > Knowledge speaks, but wisdom listens. > > > > Nic Tjirkalli > > Verizon Business South Africa > > Network Strategy Team > > > > Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail > > is strictly confidential and intended only for use by the addressee unless > > otherwise indicated. > > > > Company Information:http:// > > www.verizonbusiness.com/za/contact/legal/ > > > > This e-mail is strictly confidential and intended only for use by the > > addressee unless otherwise indicated. > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ben.steele at internode.on.net Tue Aug 19 10:43:50 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Wed, 20 Aug 2008 00:13:50 +0930 Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoffload balancing/failover setup In-Reply-To: <60221.1219118122@internode.on.net> References: <60221.1219118122@internode.on.net> Message-ID: <3C1BDE6DD22848F38654FB175E2211DB@MOYAPENYA> omg terrible formatting, apologies everyone! damn webmail client... 
----- Original Message ----- From: To: ; "Scott Lambert" Sent: Tuesday, August 19, 2008 1:25 PM Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoffload balancing/failover setup > > Hi Scott, > Try this: > Seeing as you are working statics over your wireless cloud, to > simplify things a little set up a GRE tunnel from your 7200 over the > wireless to the 1841 (don't forget to subtract 24 bytes off the MTU, > ie if it's a 1500 path put ip mtu 1476 in the tunnel interface and > also add keepalives so it will actually go down if it is down), and I > assume your T1 is point to point from the other 1841 to the 7200. > Now assuming this is going to be a redundant configuration as well > as load-balanced you need to have a subnet that can float between the > 2 links that your customer can NAT against (which by the way will > happen on the ASA they got sold), there are 2 ways you can achieve > this, 1 is by using ip sla to monitor the next hop of each of the > customer links from your 7200 with statics, the other is private BGP, > you sure as hell don't want to start running an IGP to your > customers (unless it's MPLS VPN). > Let's say you assign your customer 1.0.0.0/27 as their usable > floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE > tunnel (wireless) is 2.0.0.5/30 at your end. > Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their > own rtr group of course, say 1 and 2 respectively). > ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1 > ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2 > Hope that makes sense, essentially traffic will only route to your > customer if your 7200 can ping their respective 1841, the other > private BGP option I am going to assume you are already familiar with > being in an ISP. > Now for the customer to you. > AFAIK the ASA cannot load balance, it can only forward out 1 > interface at a time. 
> So what you need to do is put the ASA and the 2 1841 interfaces into > a switch so they can all see each other at layer2, now set up hsrp on > your 1841 interfaces for redundant gateways, let's say you use > 1.0.0.1(t1),1.0.0.2(wireless),1.0.0.3(hsrp), now the next part is a > little trickier, I am going to assume your T1 is your primary link for > this example but you can switch it around if you want. > On your T1 1841 add a static route for the wireless /30 to go via > the LAN interface of the Wireless 1841 (ip route 2.0.0.4 > 255.255.255.252 1.0.0.2), you should now be able to ping the ISP end of > the wireless link from your T1 1841, you want to set up ip sla to > monitor the ISP end of the wireless link from your T1 router (ie the T1 > router is monitoring 2.0.0.5) and you also want to monitor its end of > the T1 link as well, 2.0.0.1 > What this does is let your primary gateway know that it has a > complete and valid path for both gateways for redundancy. > Now you add 2 static routes with tracking on your primary 1841 > ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1 > ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2 > Your wireless 1841 need only have the 1 gateway via its wireless > tunnel as it should only ever fall over to that router if there is a > serious problem on the primary side so you don't want it routing back > that way anyway, however make sure you enable pre-empt so it fails > back to the primary once it is back up. > You can optimise this a little further with the global command "ip > cef load-sharing algorithm include-ports destination source" or if > you're game you can even do per-packet load sharing however I wouldn't > recommend it as your 2 paths are going to have different > characteristics, I'd probably just try the method I listed first. 
> As mentioned previously the ASA config will just be straightforward, > NAT/PAT against some pool in 1.0.0.0/27 with a default route to > 1.0.0.3(hsrp), nothing more to it, the 1841's will do all the > redundancy and load balancing. > Hope at least some of that made sense, if you need clarification on > anything let me know. > Cheers > Ben > On Tue 19/08/08 9:06 AM , Scott Lambert lambert at lambertfam.org sent: > I have a customer who went directly to cisco to ask about how to > load > balance two WAN connections to their Cisco PIX 515E. Cisco sold them > an > ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with > the > ASA and 1841s. Apparently, the customer didn't even mention that the > > two connections were to the same ISP, me. The customer just ordered > the > equipment and said "Make it work." > The WANs are T1 (existing) and 4Mbps ethernet delivered via a > wireless > network. > Cisco sales tech guy said: > > What we discussed was the ASA having a default route to the > virtual > > IP address of the routers and they would be running either VRRP or > > > GLBP (whatever they decided they wanted to do) going out to the > > service provider. Then the routers would simply have a default > route > > going out to the service provider to hit the 'Net. > The network design is supposed to be something like : > Cisco 7204VXR NPE G1 (ISP) > | | > T1 Wireless network cloud > | | > Cisco 1841 Cisco 1841 > | | > -+-------+--------+- > | > Cisco ASA 5510 (Customer) > The wireless network cloud is creating logistical issues for me. The > > wireless ethernet makes multiple hops through StarOS based routers > which do not speak OSPF, yet. I have to statically route traffic to > the > wireless cloud. The wireless network is handled by a different group > > here and I don't have much influence over how they run it. > I've been running ISP routers for 10 years, but have not had this > configuration come up before. 
99.9999% of my customers have been > single > homed to me. Also, ASA/PIX devices haven't been common for me until > the > past couple of years and I keep running into areas where they seem > to > try very hard to avoid having common routing features. I'm primarily > a > servers guy but when you work in small ISPs, you get to do > everything. > I could use some guidance in the best way to make these links load > balance with graceful degradation if one link should fall down. > I've been considering bringing up an IPSec VPN from the 7204VXR to > the > 1841 handling the wireless ethernet connection, just to bypass the > need > for dynamic routing in the wireless network. Then I could run OSPF > or > other magic between the 1841s and my 7204. > Is OSPF going to be enough to load balance the links, or will I need > > something else? > If not, could an MLPPP bundle be brought up which uses the T1 and an > > IPSec tunnel? But then, how would I use the 1841s redundantly? > To keep the 1841s redundant, do I need to use their existing router > to > act as a T1 to ethernet bridge? > Also, on the VRRP front, the customer currently has a /29 LAN subnet > > outside their ASA. The current T1 router has one IP and the rest of > the IPs are in use on the ASA. Will we need to renumber them to a > /28 > subnet? Or, can the virtual router address be from their current > subnet > with the individual routers having their primary IPs from another, > RFC > 1918, subnet? > The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) > > connections. > If I configure the VirtualTemplates to permit CEF, which lowers CPU > utilization to about 30%, the router hangs in an infinite loop at > random > intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the > 12.2 > SB series images at the time I last tried CEF did the same thing and > I > haven't had enough nerve to try again since. > Hopefully, that is not important right now. 
The only reason I > mention > it is in case an IPSec tunnel, or whatever the necessary magic ends > up > being, might make a significant impact on the CPU. > -- > Scott Lambert KC5MLE Unix SysAdmin > _______________________________________________ > cisco-nsp mailing list > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From wojciecj at hotmail.com Tue Aug 19 11:12:50 2008 From: wojciecj at hotmail.com (Jeffrey Wojciechowski) Date: Tue, 19 Aug 2008 10:12:50 -0500 Subject: [c-nsp] Transmit Discards Across MLPPP In-Reply-To: References: Message-ID: Hi All: I am new to this forum so not sure if this is a good place to ask this question. What's the best way to troubleshoot transmit discards across MLPPP? 
Here is my setup and symptoms: -Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE image) -I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals -today bandwidth (Sending) across multilink max of 2.05mbps -95th percentile on sending utilization is 33.74% -today dropped packets so far 1,418 -show policy-map interface shows no drops in the ef queue (for our voip) so all drops are falling thru to our class-default which is using flow based fair queuing -drops only show @ multilink interface (sh int multilink123) not at the T1 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0) -I don't show any lost fragments (sh int multilink ppp) nor does the provider on the other end of this circuit My understanding is that the router should only be discarding if the sending interface is congested but it's not. I am concerned about these drops while the utilization is fairly low. Drops do increase as traffic increases on the link. Any guidance/advice would be very much appreciated. If this has been asked and answered in another thread, please point me in the right direction. Thanks! Jeff Wojciechowski _________________________________________________________________ Get thousands of games on your PC, your mobile phone, and the web with Windows®. http://clk.atdmt.com/MRT/go/108588800/direct/01/ From rodunn at cisco.com Tue Aug 19 12:34:00 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 19 Aug 2008 12:34:00 -0400 Subject: [c-nsp] Transmit Discards Across MLPPP In-Reply-To: References: Message-ID: <20080819163400.GM18913@rtp-cse-489.cisco.com> On a Cisco bundle we do QOS before putting the MLPPP headers on. That prevents a lot of out of orders if you do QOS after putting the MLP headers on. So what you are seeing sounds correct. You are most likely bursting above the bundle rate coming from your LAN going towards the bundle so the QOS kicks in, prioritizes the traffic, and drops the lower priority. 
Rodney On Tue, Aug 19, 2008 at 10:12:50AM -0500, Jeffrey Wojciechowski wrote: > Hi All: > > I am new to this forum so not sure if this is a good place to ask this question. > > What's the best way to troubleshoot transmit discards across MLPPP? > > Here is my setup and symptoms: > > -Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE image) > -I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals > -today bandwidth (Sending) across multilink max of 2.05mbps > -95th percentile on sending utilization is 33.74% > -today dropped packets so far 1,418 > -show policy-map interface shows no drops in the ef queue (for our voip) so all drops are falling thru to our class-default which is using flow based fair queuing > -drops only show @ multilink interface (sh int multilink123) not at the T1 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0) > -I don't show any lost fragments (sh int multilink ppp) nor does the provider on the other end of this circuit > > My understanding is that the router should only be discarding if the sending interface is congested but it's not. I am concerned about these drops while the utilization is fairly low. Drops do increase as traffic increases on the link. > > Any guidance/advice would be very much appreciated. > > If this has been asked and answered in another thread, please point me in the right direction. > > Thanks! > > Jeff Wojciechowski > > > _________________________________________________________________ > Get thousands of games on your PC, your mobile phone, and the web with Windows®. 
> http://clk.atdmt.com/MRT/go/108588800/direct/01/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From lgeyer at gmail.com Tue Aug 19 13:13:32 2008 From: lgeyer at gmail.com (Laurent Geyer) Date: Tue, 19 Aug 2008 13:13:32 -0400 Subject: [c-nsp] OT: network inventory In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> Message-ID: <39647f4d0808191013l259e5bf4sa20c2671b1598e68@mail.gmail.com> On Tue, Aug 19, 2008 at 9:56 AM, chip wrote: > So far all of the software that's been presented will autodiscover devices > and backup configs and such. Is there anything around that will actually > take inventory of a router? By inventory I mean, list of cards, model > numbers, serial numbers, pluggable optics, etc. I've been working on > scripts to do this and it's become a lot more complicated than I had > originally planned. If there's already some software out there that does > this, I'd love to get my hands on it. Check out Ziptie. It's still a work in progress and things tend to change around a bit, but the core framework is there and looks very promising. The hardware inventory may not go as far as giving you details on the pluggable optics, but it covers the linecard inventory pretty well as of right now, and the dev team encourages feedback/feature requests. http://www.ziptie.org/files/images/Screenshot-ZipTie%20-%20Hardware%20Model%20-%20ZipTie%20.preview.png I'm still in the 'playing around' stage with it, but I'm giving serious consideration to putting it into production. 
Cheers, Laurent From a0kunev at yandex.ru Tue Aug 19 13:53:02 2008 From: a0kunev at yandex.ru (a0kunev) Date: Tue, 19 Aug 2008 21:53:02 +0400 Subject: [c-nsp] voice call drop on as5400 In-Reply-To: <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com> References: <60121219149387@webmail9.yandex.ru> <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com> Message-ID: <75f70fb80808191053t4b8bb45emb1c1375065247ee1@mail.gmail.com> Hi Alex, this is CAS with e&m, unfortunately. T1s are configured as signaling-class cas test profile incoming S<*a<*d<*n controller T1 7/0:1 framing esf ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis cas-custom 0 class test ! controller T3 7/0 framing m23 clock source line t1 1-28 controller ! I don't see much debug info regarding the issue, enabled debugs for: CAS: Channel Associated Signaling debugging is on Call Management: Call Management debugging is on Call-denial module: Call-denial debugging is on Call Treatment: Call treatment action debugging is on Our issue rate is quite high, about 1000 rejections on 5000-6000 calls every day. Regards, Andrei On Tue, Aug 19, 2008 at 4:59 PM, Alex Balashov wrote: > > Is there anything that can be gleaned from either the debug on the SIP side > or the ISDN (are these PRIs?) side? ("debug isdn q931") > > On Tue, August 19, 2008 8:36 am, a0kunev wrote: >> Hello >> >> I would like to share the problem we recently got on our network. We have a >> DS3 coming to an as5400 that is converting PSTN calls to VOIP. We're handling >> only incoming calls, so the dial-peer config is simple, one voice and one >> voip provider. Recently we've started receiving complaints from our >> customers on dead air and drops during their conferences. The issues >> looked like this - a person dialed the DID and nobody answered for >> 10-120 seconds, then the call was terminated by timeout. 
>> >> Recently we were able to reproduce this; with debug 'call-mgmnt' it's >> dumping the following on the console: >> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ >> received >> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ >> received >> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ >> received >> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ >> received >> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3 >> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3 >> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3 >> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3 >> >> I've checked with tcpdump; the cisco does not send anything to the IP bridge to >> establish the call at that time. Telco says they see a lot of rejected >> calls from our side, but there is nothing on our end (I have not seen it yet) >> >> The as5400 was recently updated to 12.4(9)T4. >> >> Please advise on how to debug this problem. >> regards, Andrei >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > -- > Alex Balashov > Evariste Systems > Web : http://www.evaristesys.com/ > Tel : (+1) (678) 954-0670 > Direct : (+1) (678) 954-0671 > Mobile : (+1) (706) 338-8599 > > From billf at mu.org Tue Aug 19 14:49:43 2008 From: billf at mu.org (bill fumerola) Date: Tue, 19 Aug 2008 11:49:43 -0700 Subject: [c-nsp] debugging stack corruption In-Reply-To: <20080819144105.GF18913@rtp-cse-489.cisco.com> References: <20080818201044.GR29172@elvis.mu.org> <20080819144105.GF18913@rtp-cse-489.cisco.com> Message-ID: <20080819184943.GU29172@elvis.mu.org> On Tue, Aug 19, 2008 at 10:41:05AM -0400, Rodney Dunn wrote: > How are you getting this output? 
ssh rtr1 en sh stacks > If you ssh/telnet to it and run the command do you get th esame output? it is not signal noise (serial spew, ip corruption, etc). > That's not stack corruption to me. i'll try and profile the exec process, but i'm not so good w/ profiling and tracing w/o at least symbols. there is also the matter of the 30% solid EXEC process. however, the switch that device is attached to (both in network and by serial via rtr1:aux<>sw1:cons) is exhibiting the same behavior. it could be a feedback loop on the serial connection, but i've tried turning all of that down and still no relief. the jump occurred to both at the same time. it could just be corruption in the display, but the CPU spike is what made me investigate in the first place. -- bill > > rtr1#show stacks > > Minimum process stacks: > > Free/Size Name [...] > > 3360/6000 > > d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P > ,d^[mdd^\^Nld^\ > > dd^[ 4d^[Q > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > > \d^[^Add^[^Q\d^[^QLd^[ > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > > dd^[ > > Ld^[)$d^[#td^[1 > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? > > Dd^[dld^[. 
> ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > > 6856/9000 > > d^\^[Td^[T^Dd^\y^Dd^\^P > ,d^[mdd^\^Nld^\ > > dd^[ 4d^[Q > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > > Minimum process stacks: > > Free/Size Name > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > > \d^[^Add^[^Q\d^[^QLd^[ > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > > dd^[ > > Ld^[)$d^[#td^[1 > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? > > Dd^[dld^[. > ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > > 10468/12000 HSRP (Standby) > > > > Interrupt level stacks: > > Level Called Unused/Size Name > > 1 2648551315 6280/9000 Network interfaces > > 2 0 9000/9000 DMA/Timer Interrupt > > 3 185107 7472/9000 PA Management Int Handler > > 4 1715750501 8444/9000 Console Uart > > 5 0 9000/9000 OIR/Error Interrupt > > 7 3207930022 8532/9000 NMI Interrupt Handler > > > > Spurious interrupts: 233 > > rtr1# > > > > and on a different router: > > > > rtr1.chi#sh stacks > > Minimum process stacks: > > Free/Size Name > > [....] 
> > 3500/6000 > > 7160/9000 5,<$/jDSw_h 5,< 5,< 5,< 5,< 5,< d(X d(X 5,< 5,< 5,< 5,< > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< d'X 5,< > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5,< 5, > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5,< 5,< 5,< 5,< 5,< 5, > 5,<#^Qz|#^Qy|#^Qy| 5,<#^Qx|#^Qx| 5,<%Dtx%Dtx%Dtx%Dtx%Dsx%Dsx%Dsx%Dsx 5,< > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5,< 5,<%Dsx 5,< 5,< 5,<%Drx 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5,<#^Qw|#^Qw|#^Qv| 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5, > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<#W:x#W9x > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5, > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > > 5,< 5, > 5316/6000 BGP Accepter From mathias.spoerr at at.ibm.com Tue Aug 19 11:45:44 2008 From: mathias.spoerr at at.ibm.com (Mathias Spoerr) Date: Tue, 19 Aug 2008 17:45:44 +0200 Subject: [c-nsp] OT: network inventory In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> Message-ID: > So far all of the software that's been presented will autodiscover devices > and backup configs and such. Is there anything around that will actually > take inventory of a router. By inventory I mean, list of cards, model > numbers, serial numbers, pluggable optics, etc. I've been working on > scripts to do this and it's become alot more complicated than I had > originally planned. If there's already some software out there that does > this, I'd love to get my hands on it. > wktools will also do this - it first collects all of the needed information with SSH/Telnet and then parses it. 
You will get the S/Ns of the chassis and all modules, power supplies... "show inventory raw" is not available on all platforms and versions...

Mathias

From nitzan.tzelniker at gmail.com Tue Aug 19 17:04:50 2008
From: nitzan.tzelniker at gmail.com (Nitzan Tzelniker)
Date: Wed, 20 Aug 2008 00:04:50 +0300
Subject: [c-nsp] OT: network inventory
In-Reply-To: 
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <6d72a2a10808191404l25d4a977mdf3f7045f8e5de56@mail.gmail.com>

You can also use CISCO-ENTITY-ASSET-MIB and get the output of show inventory via SNMP, for example:

snmptable -M /usr/share/snmp/mibs/ -m ALL -c public -v2c 1.1.1.1 ceAssetTable

The problem is that Cisco didn't implement this on all platforms (GSR) and on some (6500) it looks like they have a bug that doesn't return all the information.

Nitzan

On Tue, Aug 19, 2008 at 18:45, Mathias Spoerr wrote:
> > So far all of the software that's been presented will autodiscover devices
> > and backup configs and such. Is there anything around that will actually
> > take inventory of a router. By inventory I mean, list of cards, model
> > numbers, serial numbers, pluggable optics, etc. I've been working on
> > scripts to do this and it's become a lot more complicated than I had
> > originally planned. If there's already some software out there that does
> > this, I'd love to get my hands on it.
> >
> wktools will also do this - it first collects all of the needed
> information with SSH/Telnet and then parses it. You will get the S/Ns of
> the chassis and all modules, power supplies... "show inventory raw" is not
> available on all platforms and versions...
>
> Mathias
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lambert at lambertfam.org Tue Aug 19 17:49:43 2008
From: lambert at lambertfam.org (Scott Lambert)
Date: Tue, 19 Aug 2008 16:49:43 -0500
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <48AA45D3.6050701@rollernet.us>
References: <20080818233620.GA28542@sysmon.tcworks.net> <48AA45D3.6050701@rollernet.us>
Message-ID: <20080819214943.GA5508@sysmon.tcworks.net>

On Mon, Aug 18, 2008 at 09:02:27PM -0700, Seth Mattinen wrote:
> Scott Lambert wrote:
> > I have a customer who went directly to cisco to ask about how to load
> > balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
> > ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
> > ASA and 1841s. Apparently, the customer didn't even mention that the
> > two connections were to the same ISP, me. The customer just ordered the
> > equipment and said "Make it work."
>
> Whoever sold them on that solution should be the one to make it work. ;)

Wouldn't that be nice though? :-)

I'd like to thank everyone for their replies. I've learned quite a lot from them. I'll be doing more reading and testing with the suggested methods. We'll see what happens.

I think I'm going to punt on the load balancing for now and just get it working in failover mode. I'll reply back when I know more and can ask intelligent follow-up questions.

I had a thought on load balancing though, maybe I could hook both 1841s and the wireless ethernet handoff to a switch and get VRRP working on that side so that if the T1 router is up, then traffic can use both the wireless and T1 via whatever method but if the T1 router died, the wireless only router could take over.

Thank you so much for your help!
I don't feel so much like a fish out of water now.

-- 
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org

From artur at css.com.br Tue Aug 19 16:56:33 2008
From: artur at css.com.br (Artur Renato Araujo da Silva)
Date: Tue, 19 Aug 2008 17:56:33 -0300
Subject: [c-nsp] Cisco ASA - Export rules
Message-ID: <48AB3381.2020005@css.com.br>

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?

Tks
Artur

From frnkblk at iname.com Tue Aug 19 17:59:43 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 19 Aug 2008 16:59:43 -0500
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080819082058.GY288@greenie.muc.de>
References: <20080818233620.GA28542@sysmon.tcworks.net> <20080819082058.GY288@greenie.muc.de>
Message-ID: 

If you can do (private) BGP, this document may help:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf3

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Tuesday, August 19, 2008 3:21 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections

I see two key issues here:

- how to load *balance*.
- how to reliably detect "wireless is down" if there is no end-to-end routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP, if there is only a single client) will not provide load balancing, but only failover. That is: while one of the boxes is working, it will receive all the traffic from the PIX, and if it breaks, all the traffic goes to the other box.
One possible approach to do this might be via "manual balancing", as in "route all the VPN connections over one path, and all the web surfing over the other path", but that's not overly easy to maintain. The other approach might be with Cisco OER - let the boxes figure out what destinations have the most traffic, and balance these flows over both links. But that will only work outbound from the customer to you - from the ISP (you) to the customer, you also need to decide upon the balancing criteria, if any. "Just failover" is easy :) The second part (how to diagnose that the wireless is down) is easier - you could use a BGP session from the customer router to your edge router, just sending "customer routes" and "default" back and forth. If the wireless mesh breaks, the BGP session will also break, and routing will fall over to the other link. (The StarOS routers would need to know the customer routes statically, but that's not a problem, unless the customer changes their IP addresses frequently). If BGP is not an option, you could do it with IP SLA ("ping testing") and static route tracking ("if it doesn't ping, withdraw the route") on both ends, but that's less elegant than BGP - and much more configuration work. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From RTeller at deltadentalwa.com Tue Aug 19 19:09:31 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 19 Aug 2008 16:09:31 -0700 Subject: [c-nsp] Cisco ASA - Export rules In-Reply-To: <48AB3381.2020005@css.com.br> References: <48AB3381.2020005@css.com.br> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com> I use this script to parse my pix acls and export them to an excel file. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Artur Renato Araujo da Silva Sent: Tuesday, August 19, 2008 1:57 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco ASA - Export rules Hi, I would like to export the ASA rules to a HTML file (without using ASDM). Does anyone know a way (script?) to parse the ACLs and export to HTML? Tks Artur _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. 
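Artur asked for HTML rather than a spreadsheet. The following is an added example written for this page, not code from the thread and not a port of Robert's script: it parses the same "show access-list" output (including the indented object-group expansion lines and the "(hitcnt=N)" counters) into records and renders them as an HTML table. The sample output is constructed for the example; the ACL name, addresses, hit counts and trailing hashes are invented. Two things a practitioner would want that the spreadsheet approach does not give: every device-sourced string is passed through html.escape before it reaches the report (an ACL or object-group name is operator input and must not be able to inject markup into a page someone opens in a browser), and active zero-hit entries are listed separately so the export doubles as a rule-review list.

```python
import html
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of ASA/PIX 7.x "show access-list"; names, addresses,
# hit counts and trailing hashes are invented for this example.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 7 elements
access-list outside_in line 1 remark web servers
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1542) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp object-group PARTNERS host 192.0.2.11 range 5000 5010 0x2b3c4d5e
  access-list outside_in line 3 extended permit tcp host 198.51.100.5 host 192.0.2.11 range 5000 5010 (hitcnt=3) 0x3c4d5e6f
  access-list outside_in line 3 extended permit tcp 198.51.100.64 255.255.255.192 host 192.0.2.11 range 5000 5010 (hitcnt=0) 0x4d5e6f70
access-list outside_in line 4 extended permit udp any eq domain any inactive (hitcnt=0) 0x5e6f7081
access-list outside_in line 5 extended permit tcp any host 192.0.2.12 eq https (hitcnt=0) 0x70819203
access-list outside_in line 6 extended deny ip any any log warnings interval 300 (hitcnt=77) 0x6f708192
"""

_ACE_RE = re.compile(r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rest>.+)$")
_HIT_RE = re.compile(r"\s*\(hitcnt=(?P<n>\d+)\)")
_HASH_RE = re.compile(r"\s+0x[0-9a-fA-F]+\s*$")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
TRAILERS = {"log", "inactive", "time-range"}        # keywords that end the address/port part
COLUMNS = ("acl", "line", "action", "protocol", "src", "src_port", "dst", "dst_port", "hitcnt", "inactive", "log")

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    protocol: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    hitcnt: Optional[int]   # None on an object-group parent line, which carries no counter
    inactive: bool
    log: str
    expanded: bool          # indented child line produced by object-group expansion

def _take_addr(tokens, i):
    """Consume one address spec: any/any4/any6 or A/len (one token);
    host A, object-group G, object O or A MASK (two tokens)."""
    t = tokens[i]
    if t in ("any", "any4", "any6") or "/" in t:
        return t, i + 1
    return f"{t} {tokens[i + 1]}", i + 2

def _take_port(tokens, i):
    """Consume an optional port spec (eq/gt/lt/neq P or range A B); 'any' when absent."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        if tokens[i] == "range":
            return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return "any", i

def parse_show_access_list(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = _ACE_RE.match(raw)
        if not m:                                     # "access-list NAME; N elements" summary line
            continue
        hit = _HIT_RE.search(m["rest"])
        tokens = _HASH_RE.sub("", _HIT_RE.sub("", m["rest"])).split()
        if tokens[0] != "extended":                   # remarks and standard/webtype ACLs are skipped
            continue
        action, protocol, i = tokens[1], tokens[2], 3
        if protocol == "object-group":                # protocol object-group
            protocol, i = f"object-group {tokens[3]}", 4
        src, i = _take_addr(tokens, i)
        src_port, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dst_port, i = _take_port(tokens, i)
        if dst_port == "any" and i < len(tokens) and tokens[i] not in TRAILERS:
            dst_port, i = tokens[i], i + 1            # ICMP type such as echo-reply
        log, inactive = "", False
        while i < len(tokens):
            if tokens[i] == "inactive":
                inactive, i = True, i + 1
            elif tokens[i] == "log":                  # "log [level] [interval N]" up to the next keyword
                j = next((k for k in range(i + 1, len(tokens)) if tokens[k] in TRAILERS), len(tokens))
                log, i = " ".join(tokens[i:j]), j
            else:
                i += 1                                # e.g. "time-range NAME": not tabulated
        aces.append(Ace(m["acl"], int(m["line"]), action, protocol, src, src_port, dst, dst_port,
                        int(hit["n"]) if hit else None, inactive, log, bool(m["indent"])))
    return aces

def unused_rules(aces: List[Ace]) -> List[Ace]:
    """Active top-level entries with a zero hit count: review candidates, not automatic deletions."""
    return [a for a in aces if a.hitcnt == 0 and not a.inactive and not a.expanded]

def to_html(aces: List[Ace]) -> str:
    """Every cell goes through html.escape: ACL and object-group names are operator input and
    must not be able to inject markup into a report that someone opens in a browser."""
    out = ["<table>", "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"]
    for a in aces:
        cells = "".join(f"<td>{html.escape('' if getattr(a, c) is None else str(getattr(a, c)))}</td>"
                        for c in COLUMNS)
        out.append(f'<tr class="{"expanded" if a.expanded else "rule"}">{cells}</tr>')
    out.append("</table>")
    return "\n".join(out)
```

Feed it the saved output of "show access-list" (over SSH or from an expect script) and write to_html() to a file. The parser deliberately keeps the parent object-group line (hitcnt None) and its expanded children (hitcnt set) as separate rows, because the counters only live on the children.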
#########################################################

From RTeller at deltadentalwa.com Tue Aug 19 19:18:06 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 19 Aug 2008 16:18:06 -0700
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com>
References: <48AB3381.2020005@css.com.br> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105C@tiger.deltadentalwa.com>

'Created by Robert Teller
WScript.Echo "This script will take a minute or two to run" & vbCrLf & "Please be patient"
Const ForReading = 1

'Looks for CF acl query
WSArg = Wscript.arguments.Count
If WSArg <> 1 Then
    WScript.Echo "Please select a valid source"
    WScript.Quit
End If
PixACL = Wscript.arguments.Item(0)

set ObjExcel = createobject("excel.application")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = FSO.OpenTextFile(PixACL, ForReading)

'Names excel file
EName = Split(WScript.ScriptName, ".")(0) & ".xls"
EName = Replace(WScript.ScriptFullName,WScript.ScriptName,EName)
'Text files for output
OFiles = Split(WScript.ScriptName, ".")(0) & ".xls"
If fso.FileExists(Ename) Then fso.DeleteFile(Ename)

ObjExcel.workbooks.Add
ObjExcel.Worksheets.Add.Name = "Main"
XRules = 0
For Each Sheet In ObjExcel.Worksheets
    If sheet.name <> "Main" Then
        sheet.usedrange.delete
        sheet.delete
    End If
Next
ObjExcel.Worksheets.Add.Name = "Rules"
ObjExcel.Worksheets("Rules").move ObjExcel.Sheets(2)
Rules "DMZ" ,"Line" ,"Action" ,"Protocol" ,"Source" ,"SrcPort" ,"dest" ,"DstPort" ,"HitC" ,"Inactive" ,"LogLevel" ,"LogInterval"
' ObjExcel.Worksheets("Rules").activate
' ObjExcel.Cells(1,1).value = "DMZ" 'acl_dmzname
' ObjExcel.Cells(1,2).value = "Line #" 'line ###
' ObjExcel.Cells(1,3).value = "Action" 'Permit/deny
' ObjExcel.Cells(1,4).value = "Protocol" 'ICMP/TCP/UDP
' ObjExcel.Cells(1,5).value = "Source"
' ObjExcel.Cells(1,6).value = "Destination"
' ObjExcel.Cells(1,7).value = "Port #" 'http/https.....
' ObjExcel.Cells(1,8).value = "Hit Count" 'hitcnt=...
' ObjExcel.Cells(1,9).value = "Inactive" 'hitcnt=...

Do Until objTextFile.AtEndOfStream
    If IsEmpty(text) Then
        Text = objTextFile.Readline
        Text = Replace(Text,"access-list ","")
    Else
        Text = Text & objTextFile.Readline
    End If
Loop
AclArray = Split(text,"access-list ")
x = 1
For Each AccessList In AclArray
    'Make sure the line Is a valid acl
    ACLCheck = Split(AccessList," ")
    If UBound(ACLCheck) > 3 Then
        If ACLCheck(3) <> "remark" Then
            PixParse AccessList
        End If
    End If
Next

Sub PixParse(ACL)
    'Converts object-group to Group
    If InStr(ACL,"object-group") Then ACL = Replace(ACL,"object-group","Group")

    'Checks of ACL is inactive
    If InStr(ACL," inactive ") Then
        Inactive = True
        ACL = Replace(ACL," inactive","")
    End If

    'Format and Remove logging information from variable Item
    If InStrRev(ACL," log ") And InStrRev(ACL," interval ") Then
        'Checks for matching log level
        LoGLevelB = InStr(ACL," log ") + 5
        LoGLevelE = InStr(LogLevelB,ACL, " ")
        LogLevel = Mid(ACL,LogLevelB,LogLevelE - LogLevelB)
        LogIntervalB = InStr(LogLevelE,ACL, " interval ") + 10
        LogIntervalE = InStr(LogIntervalB,ACL, " ")
        LogInterval = Mid(ACL,LogIntervalB, LogIntervalE - LogIntervalB)
        ACL = Replace(ACL," log " & Loglevel & " interval " & logInterval," ")
    End If

    '########### DMZ ###########
    DMZ = InStr(ACL," ")
    DMZ = Left(ACL,DMZ)
    '########### DMZ ###########

    '########### Line ###########
    LineB = InStr(ACL," line ") + 6
    LineE = InStr(LineB,ACL, " ")
    Line = "Line " & Mid(ACL,LineB, LineE - LineB)
    '########### Line ###########

    '########### Action ###########
    If InStr(ACL,"deny") Then
        Action = "Deny"
    ElseIf InStr(ACL,"permit") Then
        Action = "Permit"
    Else
        Action = "Other"
    End If
    '########### Action ###########

    '########### Protocol ###########
    Protocol = Split(ACL," ")(5)
    '########### Protocol ###########

    '########### Src Host ###########
    'Determine if src is Host,Subnet or Any
    SrcHost = Split(ACL," ")(6)
    Select Case SrcHost
        Case "host"
            SourceB = InStr(ACL, " host ") + 6
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Host " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "Group"
            SourceB = InStr(ACL, " Group ") + 7
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Group " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "any"
            Source = "Any"
            SourceE = InStr(ACL,SrcHost) + Len(SrcHost)
        Case Else
            SourceB = InStr(ACL, SrcHost)
            SourceE = InStr(SourceB, ACL, " ") + 1
            SourceE = InStr(SourceE, ACL, " ")
            Source = Mid(ACL, SourceB, SourceE - SourceB)
    End Select
    '########### Src Host ###########

    '########### Src Port ###########
    If Source = "Any" Then
        If Split(ACL," ")(7) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL," ")(7) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") +1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        Else
            SrcPortE = SourceE
            SrcPort = "Any"
        End If
    ElseIf Split(ACL," ")(8) = "eq" Or Split(ACL," ")(8) = "range" Then
        If Split(ACL," ")(8) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL," ")(8) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") +1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        End If
    Else
        SrcPortE = SourceE
        SrcPort = "Any"
    End If
    '########### Src Port ###########

    '########### Dst Host ###########
    'Check if source ports are used
    If SourceE = SrcPortE Then
        'Determine if dst is Host,Subnet or Any
        If Source = "Any" Then
            DstHost = Split(ACL," ")(7)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE,ACL, " host ") + 6
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE,ACL, " Group ") + 7
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE,ACL,DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE,ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        Else 'If Left(Source,4) = "Host" Then
            DstHost = Split(ACL," ")(8)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE,ACL, " host ") + 6
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE,ACL, " Group ") + 7
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE,ACL,DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE,ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        End If
    End If
    If SourceE <> SrcPortE Then
        DestB = InStr(SrcPortE, ACL, " ") + 1
        DestE = InStr(DestB,ACL, " ")
        DstHost = Mid(ACL,DestB, DestE - DestB)
        Select Case DstHost
            Case "host"
                DestB = InStr(DestE,ACL, " ") + 1
                DestE = InStr(DestB,ACL, " ")
                Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "Group"
                DestB = InStr(DestE,ACL, " ") + 1
                DestE = InStr(DestB,ACL, " ")
                Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "any"
                ' If DMZ = "acl_guest " Then
                '     WScript.Echo "DST HOST"
                '     WScript.Echo DestE & vbTab & Len(DstHost)
                '     Test = InStr(DestE,ACL,DstHost)
                '     WScript.Echo Test
                ' End If
                Dest = "Any"
                'DestE = InStr(DestE,ACL,DstHost) + Len(DstHost)
            Case Else
                DestB = InStr(DestE,ACL, DstHost)
                DestE = InStr(DestB, ACL, " ") + 1
                DestE = InStr(DestE, ACL, " ")
                Dest = Mid(ACL, DestB, DestE - DestB)
        End Select
    End If
    '########### Dst Host ###########

    '########### Hit Count ###########
    If InStr(ACL,"(hitcnt=") Then
        HitB = InStr(ACL,"(hitcnt=") + 8
        HitE = InStr(ACL, ")")
        HitC = Mid(ACL,HitB,HitE - HitB)
        HitB = HitB - 8
    Else
        HitB = InStrRev(ACL," ")
        HitC = "N/A"
    End If
    '########### Hit Count ###########

    '########### Dst Port ###########
    DstPortB = DestE + 1
    DstPortE = HitB
    DstPort = Mid(ACL,DstPortB, DstPortE - DstPortB)
    ' If DMZ = "acl_guest " Then
    '     WScript.Echo DstPortB & vbTab & DstPortE
    ' End If
    If IsEmpty(DstPort) Then DstPort = "Any"
    If IsNull(DstPort) Then DstPort = "Any"
    '########### Dst Port ###########

    'wscript.echo DMZ & vbtab & Line & vbtab & Action & vbtab & Protocol & vbtab & Source & vbtab & SrcPort & vbtab & dest & vbtab & DstPort & vbtab & HitC & vbtab & Inactive & vbtab & LogLevel & vbtab & LogInterval
    Rules DMZ, Line ,Action ,Protocol ,Source ,SrcPort ,dest ,DstPort ,HitC ,Inactive ,LogLevel ,LogInterval

    LogIntervalB = Null
    LogIntervalE = Null
    LogInterval = Null
    LogLevelB = Null
    LogLevelE = Null
    LogLevel = Null
    DMZ = Null
    Action = Null
    Port = Null
    PortB = Null
    PortE = Null
    SrcHost = Null
    SourceB = Null
    SourceE = Null
    Source = Null
    SrcPortB = Null
    SrcPortE = Null
    SrcPort = Null
    DstHost = Null
    DestB = Null
    DestE = Null
    Dest = Null
    DstPortB = Null
    DstPortE = Null
    DstPort = Null
    HitB = Null
    HitE = Null
    HitC = Null
    Inactive = False
End Sub

Sub Rules(DMZ, Line ,Action ,Protocol ,Source ,SrcPort ,dest ,DstPort ,HitC ,Inactive ,LogLevel ,LogInterval)
    XRules = 1 + XRules
    ObjExcel.Worksheets("Rules").activate
    ObjExcel.Cells(XRules,1).value = DMZ 'DMZ Rule is applied to
    ObjExcel.Cells(XRules,2).value = Line 'Line Number
    ObjExcel.Cells(XRules,3).value = Action 'Action
    ObjExcel.Cells(XRules,4).value = Protocol 'Protocol
    ObjExcel.Cells(XRules,5).value = Source 'Source
    ObjExcel.Cells(XRules,6).value = SrcPort 'Source port
    ObjExcel.Cells(XRules,7).value = dest 'Destination
    ObjExcel.Cells(XRules,8).value = DstPort 'Destination Port
    ObjExcel.Cells(XRules,9).value = HitC 'Hit Count
    ObjExcel.Cells(XRules,10).value = Inactive 'status of rule
    ObjExcel.Cells(XRules,11).value = LogLevel 'logging level
    ObjExcel.Cells(XRules,12).value = LogInterval 'Logging Interval
End Sub

finish

Sub finish
    objTextFile.Close
    ObjExcel.Worksheets("Main").usedrange.delete
    ObjExcel.Worksheets("Main").delete
    For Each Sheet In ObjExcel.Worksheets
        ObjExcel.Worksheets(Sheet.Name).activate
        ObjExcel.Worksheets(sheet.name).Rows(1).Font.Bold = True
        ObjExcel.Worksheets(sheet.name).Rows(1).AutoFilter
        ObjExcel.Worksheets(sheet.name).Rows(1).HorizontalAlignment = -4108
        ObjExcel.Worksheets(sheet.name).usedrange.EntireColumn.AutoFit()
        ObjExcel.Worksheets(sheet.name).Range("B2").Select
        ObjExcel.ActiveWindow.FreezePanes = True
        ObjExcel.Worksheets(sheet.name).Range("A1").Select
    Next
    ObjExcel.Worksheets("Rules").activate
    ObjExcel.activeworkbook.saveas EName
    ObjExcel.activeworkbook.close
    ObjExcel.Quit
    WScript.Echo "END"
    WScript.Quit
End Sub

From christian at broknrobot.com Tue Aug 19 19:35:56 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 19 Aug 2008 19:35:56 -0400
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <48AB3381.2020005@css.com.br>
References: <48AB3381.2020005@css.com.br>
Message-ID: 

you could use nipper, which is a config auditor, so it will audit your security policy and configuration, and you have the option to export to xml, html, etc ..

http://sourceforge.net/projects/nipper/?abmode=1

On Tue, Aug 19, 2008 at 4:56 PM, Artur Renato Araujo da Silva wrote:
> Hi,
>
> I would like to export the ASA rules to a HTML file (without using ASDM).
>
> Does anyone know a way (script?) to parse the ACLs and export to HTML?
> > > Tks > Artur > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From oliver.gorwits at oucs.ox.ac.uk Tue Aug 19 20:10:50 2008 From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits) Date: Wed, 20 Aug 2008 01:10:50 +0100 Subject: [c-nsp] OT: network inventory In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> Message-ID: <48AB610A.1090009@oucs.ox.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Chip, chip wrote: | Is there | anything around that will actually take inventory of a router. | By inventory I mean, list of cards, model numbers, serial | numbers, pluggable optics, etc. We use Netdisco for network discovery (both for switches/routers, and connected end stations). It's written with Perl+Net-SNMP, has a web front-end, and uses PostgreSQL storage: ~ http://netdisco.org/ (The version in CVS is -much- improved, and will be released RSN) As for device inventory, the latest Netdisco code does all the ENTITY-MIB work, and I've been working on graphically representing that in the web UI: http://sites.google.com/a/gapps.oxuni.org.uk/oliver/netdisco-frontpanels Screenshot from above: http://users.ox.ac.uk/~oliver/data/images/frontpanel/frontpanel_demo_c3750_stack.png Next step is to generate SVG as an alternative to the vendor images. I hope that helps, and provides ideas for your own scripts, regards, oliver. 
- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIq2EK2NPq7pwWBt4RAlQQAJ9iBrUgYoe9rckwZ61+CDArkmqAdwCg5bbO
v2WhKVmWnK2WX/qFtSy7xHU=
=+vRH
-----END PGP SIGNATURE-----

From stig.johansen at ementor.no Tue Aug 19 21:02:31 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 20 Aug 2008 03:02:31 +0200
Subject: [c-nsp] OT: network inventory
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360ADEB@100NOOSLMSG004.common.alpharoot.net>

Check out NAV (Network Administration Visualized) at http://metanav.uninett.no/ as well. It gives full inventory of all devices as well as a load of other useful features..

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chip
Sent: 19 August 2008 15:57
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router. By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip

-- 
Just my $.02, your mileage may vary, batteries not included, etc....
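Whichever collector ends up doing the work (wktools, Netdisco, NAV, or an SNMP walk of ceAssetTable), the raw material for a Cisco box is the NAME/DESCR and PID/VID/SN pairs that "show inventory" prints. As an added example, not part of any message in the thread and not code from those tools, here is a parser for that text that turns it into records, flags entities with no serial number (which cannot be tracked), picks out pluggable optics by PID prefix, and emits CSV. The sample output is constructed; the serial numbers are invented, and the optics prefixes (GLC-, SFP-, XFP-, X2-) are an assumption that covers common Cisco part numbers but not every family.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample in the layout of IOS "show inventory"; the serial
# numbers are invented for this example.
SAMPLE_SHOW_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
PID: CISCO7206VXR      , VID:    , SN: 72000001

NAME: "NPE400 0", DESCR: "Cisco 7200 Series Network Processing Engine"
PID: NPE-400           , VID:    , SN: 72000002

NAME: "GigabitEthernet1/0", DESCR: "1000BASE-LX/LH Gigabit Ethernet"
PID: GLC-LH-SM         , VID: V01, SN: 72000003

NAME: "Power Supply 1", DESCR: "Cisco 7200 AC Power Supply"
PID: PWR-7200-AC       , VID:    , SN:
"""

# Each entity is a NAME/DESCR line followed by a PID/VID/SN line. "show inventory raw"
# uses the same layout but also lists entities with an empty PID or SN, so every field
# after the colon is allowed to be blank.
_NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
_PID_RE = re.compile(r'^PID:\s*(?P<pid>[^,\s]*)\s*,\s*VID:\s*(?P<vid>[^,\s]*)\s*,\s*SN:\s*(?P<sn>\S*)')

# Assumed PID prefixes for transceivers; covers common Cisco families, not all of them.
OPTIC_PREFIXES = ("GLC-", "SFP-", "XFP-", "X2-")
FIELDS = ("name", "descr", "pid", "vid", "sn")


def parse_show_inventory(text: str) -> List[Dict[str, str]]:
    """Return one record per entity, in the order the device listed them."""
    items: List[Dict[str, str]] = []
    pending: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m:
            pending = {"name": m["name"], "descr": m["descr"]}
            continue
        m = _PID_RE.match(line)
        if m and pending:                      # PID line belongs to the preceding NAME line
            pending.update(pid=m["pid"], vid=m["vid"], sn=m["sn"])
            items.append(pending)
            pending = {}
    return items


def missing_serials(items: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entities with no serial number; they cannot be tracked or matched against an RMA."""
    return [i for i in items if not i["sn"]]


def pluggable_optics(items: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Transceivers, selected by PID prefix (see OPTIC_PREFIXES)."""
    return [i for i in items if i["pid"].startswith(OPTIC_PREFIXES)]


def to_csv(items: List[Dict[str, str]]) -> str:
    """CSV with a header row; DESCR values that contain commas are quoted by the csv module."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(FIELDS)
    for i in items:
        w.writerow([i[f] for f in FIELDS])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_show_inventory(SAMPLE_SHOW_INVENTORY)))
```

Run it over the captured output of "show inventory" (or "show inventory raw" where the platform supports it) from each device, and diff the CSV between collections: a serial that changes under the same NAME is a swapped card or optic, which is worth an alert on its own.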
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From andy.saykao at staff.netspace.net.au Tue Aug 19 21:19:43 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 20 Aug 2008 11:19:43 +1000
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>

Just wondering from those in the know, whether it's best practice to implement public or private IPs for the PE-to-CE link. What's everyone using and why?

For our MPLS network, I've been asked by my Manager to use private IPs for the PE-CE link in order to give the customer the appearance that they are on a secure PRIVATE network due to private IPs being used. Although I tend to be more fond of using public IPs because it's a unique address space so you don't have to worry about overlapping IP addresses on the customer's end and secondly there's no configuration from the Service Provider's end should you need to remove the connection from the VRF to conduct further testing from the Internet because the connection is already using public IPs (eg: for cases where the customer is complaining of slow speeds, packet loss, drop outs, etc and you want to test the individual connection and bypass their VPN).

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses.
The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From christian at broknrobot.com Tue Aug 19 21:41:09 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 19 Aug 2008 21:41:09 -0400
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: 

A 64-bit route distinguisher and the 32-bit IP address are used to create the VPNv4 address, which specifically solves the overlap problem.

On Tue, Aug 19, 2008 at 9:19 PM, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IPs for the PE-to-CE link. What's everyone
> using and why?
>
> For our MPLS network, I've been asked by my Manager to use private IPs
> for the PE-CE link in order to give the customer the appearance that
> they are on a secure PRIVATE network due to private IPs being used.
> Although I tend to be more fond of using public IPs because it's a
> unique address space so you don't have to worry about overlapping IP
> addresses on the customer's end and secondly there's no configuration
> from the Service Provider's end should you need to remove the connection
> from the VRF to conduct further testing from the Internet because the
> connection is already using public IPs (eg: for cases where the
> customer is complaining of slow speeds, packet loss, drop outs, etc and
> you want to test the individual connection and bypass their VPN).
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received this
> email by mistake and delete this email from your system.
> Please note that
> any views or opinions presented in this email are solely those of the
> author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From cchurc05 at harris.com Tue Aug 19 21:44:48 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 19 Aug 2008 20:44:48 -0500
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <48AB3381.2020005@css.com.br>
References: <48AB3381.2020005@css.com.br>
Message-ID: 

In ASDM, there is a button under file called "Show running configuration in a new window". That opens up a browser window with a URL something like:

https://X.Y.Z.6/admin/exec/show%20running-config/show%20running-config%20asdm#

that shows the whole running config. Probably nothing you couldn't get from an ssh session or expect script. Use Grep or find on "access-list" and that should be it.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Artur Renato Araujo da Silva
Sent: Tuesday, August 19, 2008 4:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA - Export rules

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?
Tks
Artur

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sforcejr at yahoo.com Tue Aug 19 22:10:23 2008
From: sforcejr at yahoo.com (Johnny Ramirez)
Date: Tue, 19 Aug 2008 19:10:23 -0700 (PDT)
Subject: [c-nsp] Unable to connect VLAN traffic
Message-ID: <847346.12746.qm@web50511.mail.re2.yahoo.com>

We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit.

Recently I created a VLAN with the same ID on both switches (main office and offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn "something" on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that "something"? He does not even know it himself.

Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.

Thanks

John

From dwinkworth at att.net Tue Aug 19 22:35:15 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 19 Aug 2008 21:35:15 -0500
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <847346.12746.qm@web50511.mail.re2.yahoo.com>
References: <847346.12746.qm@web50511.mail.re2.yahoo.com>
Message-ID: <48AB82E3.9070606@att.net>

Q-in-Q

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit.
>
> Recently I created a VLAN with the same ID on both switches (main office and offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works.
> According to a consultant the provider of the fiber connection needs to turn "something" on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that "something"? He does not even know it himself.
>
> Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.
>
> Thanks
>
> John

From justin at justinshore.com Tue Aug 19 22:41:07 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 19 Aug 2008 21:41:07 -0500
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <847346.12746.qm@web50511.mail.re2.yahoo.com>
References: <847346.12746.qm@web50511.mail.re2.yahoo.com>
Message-ID: <48AB8443.5070300@justinshore.com>

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit.
>
> Recently I created a VLAN with the same ID on both switches (main office and offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works. According to a consultant the provider of the fiber connection needs to turn "something" on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that "something"? He does not even know it himself.
>
> Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.

John,

Basically what this amounts to is that your transport provider is only accepting untagged Ethernet frames and thus only the one VLAN you previously used on your access interface.
You need the provider to accept tagged Ethernet frames so that tagged frames from each of your VLANs will be accepted for transport. The provider may either dictate to you what VLAN IDs you must use, or they may use Q-in-Q (aka VLAN stacking) to assign their own tag in front of your tags. This would give you the most flexibility and will keep you from having to work with them to allow future VLANs across the trunk.

Justin

From josmon at rigozsaurus.com Tue Aug 19 22:59:03 2008
From: josmon at rigozsaurus.com (John Osmon)
Date: Tue, 19 Aug 2008 20:59:03 -0600
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20080820025903.GA14373@jeeves.rigozsaurus.com>

On Tue, Aug 19, 2008 at 09:41:09PM -0400, Christian Koch wrote:
> a 64bit route distinguisher and the 32bit ip address are used to
> create vpnv4 address, which specifically solves the overlap problem

I don't think the overlap is the real issue:

> > Although I tend to be more fond of using public IP's because it's a
> > unique address space so you don't have to worry about overlapping IP
> > addresses on the customer's end and secondly there's no configuration
> > from the Service Provider's end should you need to remove the connection
> > from the VRF to conduct further testing from the Internet because the
> > connection is already using public IP's

Using non-RFC1918 addresses means you have a guaranteed unique identifier for the interface. The non-overlap issue is a side effect of having a unique identifier.

From swmike at swm.pp.se Tue Aug 19 23:49:28 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 20 Aug 2008 05:49:28 +0200 (CEST)
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

On Wed, 20 Aug 2008, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?

Best practice is to use public IP for the PE-CE link and then you admin the CE using that address. If you have a serial interface you can do this with a /32 routed towards the physical interface and use unnumbered/loopback, otherwise you have to use /30 or /31.

Using RFC1918 space creates huge potential for overlaps with customers, and a nightmare for management if you want your CE range to be unique per VPN: how are you going to reach your CEs via SNMP etc?

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From sforcejr at yahoo.com Tue Aug 19 23:54:43 2008
From: sforcejr at yahoo.com (Johnny Ramirez)
Date: Tue, 19 Aug 2008 20:54:43 -0700 (PDT)
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <48AB8443.5070300@justinshore.com>
Message-ID: <149656.10920.qm@web50503.mail.re2.yahoo.com>

Justin,

I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them.

Thanks

John

--- On Tue, 8/19/08, Justin Shore wrote:

From: Justin Shore justin at justinshore.com
Subject: Re: [c-nsp] Unable to connect VLAN traffic
To: "Johnny Ramirez"
Cc: cisco-nsp at puck.nether.net
Date: Tuesday, August 19, 2008, 9:41 PM

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility where our servers reside. We are connected via fiber but it is not a dedicated circuit.
>
> Recently I created a VLAN with the same ID on both switches (main office and offsite facility). I trunked the port on both ends but no traffic passes on this VLAN. Obviously only VLAN 1 works.
> According to a consultant the provider of the fiber connection needs to turn "something" on for us to be able to pass VLAN traffic other than VLAN 1's. What would be that "something"? He does not even know it himself.
>
> Can anybody shed any light on this? We are urgently needing to have a separate VLAN for our VOIP traffic.

John,

Basically what this amounts to is that your transpor
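The tagging Justin describes in this thread (untagged access frames versus 802.1Q-tagged trunk frames, and a provider S-tag stacked in front of the customer's C-tag for Q-in-Q), shown as an added Python example that is not part of the thread; the frame bytes are constructed and the function names are the example's own:

```python
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}   # C-tag, S-tag, and the older pre-standard S-tag value

def parse_frame(frame):
    """Return dst/src, the stack of VLAN tags (outermost first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, tags = 12, []
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in TPIDS:
            break                                  # reached the real payload EtherType
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}

def classify(frame):
    """How a transport edge sees the frame: untagged, single-tagged, or q-in-q."""
    n = len(parse_frame(frame)["tags"])
    return ("untagged", "single-tagged", "q-in-q")[min(n, 2)]

def push_service_tag(frame, s_vid, pcp=0, tpid=0x88A8):
    """What the provider's UNI does for Q-in-Q: prepend an S-tag, leaving the C-tag intact."""
    if not 1 <= s_vid <= 4094:
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | s_vid) + frame[12:]

def pop_service_tag(frame):
    """Reverse of push_service_tag at the far UNI; refuses frames without an outer tag."""
    if struct.unpack_from("!H", frame, 12)[0] not in TPIDS:
        raise ValueError("no outer tag to pop")
    return frame[:12] + frame[16:]

# Constructed sample frames (not captures): an untagged IPv4 frame, and the same frame as a
# trunk port would send it on VLAN 100 with PCP 3 (a voice-style C-tag).
_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
_IPV4 = struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
UNTAGGED_FRAME = _HDR + _IPV4
CUSTOMER_FRAME = _HDR + struct.pack("!HH", 0x8100, (3 << 13) | 100) + _IPV4

if __name__ == "__main__":
    qinq = push_service_tag(CUSTOMER_FRAME, 500)
    print(classify(CUSTOMER_FRAME), "->", classify(qinq), parse_frame(qinq)["tags"])
```

A provider that only accepts what `classify` reports as "untagged" drops the CUSTOMER_FRAME case outright, which is the symptom in the thread; with the S-tag pushed, the customer's VID and PCP survive transit unchanged.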
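For the ASA thread further up (Artur's question about exporting ACLs to HTML, and Chuck's suggestion to grep the running config for "access-list"), an added Python example that is not from the thread: it parses extended ACL lines out of a saved running config and renders them as an HTML table with every cell escaped. The config lines are constructed and the function names are the example's own.

```python
import html

# Constructed sample config lines (not a real device's config). The remark deliberately
# contains characters that must be escaped before config text is placed inside HTML.
SAMPLE_CONFIG = """\
access-list outside_in remark Web to DMZ <ticket 1234>
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443 log
access-list outside_in extended deny ip any any log
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out extended permit object-group WEB_SVC object-group INSIDE_NETS any
access-list inside_out extended permit tcp any range 1024 65535 host 192.0.2.5 eq 22
"""

def _take_addr(t):
    """Consume one address spec: any/any4/any6 or CIDR (one token); host X, object X,
    object-group X or A.B.C.D MASK (two tokens)."""
    a = t.pop(0)
    return a if a in ("any", "any4", "any6") or "/" in a else f"{a} {t.pop(0)}"

def _take_port(t):
    """Consume an optional port operator: eq/gt/lt/neq PORT or range LO HI."""
    if t and t[0] in ("eq", "gt", "lt", "neq"):
        return f"{t.pop(0)} {t.pop(0)}"            # f-string fields evaluate left to right
    if t and t[0] == "range":
        return f"{t.pop(0)} {t.pop(0)}-{t.pop(0)}"
    return ""

def parse_asa_acls(config):
    """Turn the 'access-list' lines of a running config into a list of rule dicts."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, kind, t = t[1], t[2], t[3:]
        if kind == "remark":
            rules.append({"acl": name, "remark": " ".join(t)})
        elif kind == "extended":                  # standard/ethertype/webtype ACLs are skipped
            action, proto = t.pop(0), t.pop(0)
            if proto in ("object", "object-group"):   # service object in place of a protocol
                proto = f"{proto} {t.pop(0)}"
            rules.append({"acl": name, "action": action, "proto": proto,
                          "src": _take_addr(t), "sport": _take_port(t),
                          "dst": _take_addr(t), "dport": _take_port(t),
                          "options": " ".join(t)})   # log, time-range, inactive, icmp type...
    return rules

COLUMNS = ("acl", "action", "proto", "src", "sport", "dst", "dport", "options", "remark")

def rules_to_html(rules):
    """Render the rules as a table; html.escape stops config text from injecting markup."""
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"
    body = ["<tr>" + "".join(f"<td>{html.escape(str(r.get(c, '')))}</td>" for c in COLUMNS)
            + "</tr>" for r in rules]
    return "<table>\n" + "\n".join([head] + body) + "\n</table>\n"
```

Feed it the output of "show running-config access-list" captured over ssh; running it on SAMPLE_CONFIG gives six rules, with the remark's angle brackets rendered as entities rather than tags.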