From nic.tjirkalli at za.verizonbusiness.com  Fri Aug  1 01:44:49 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Fri, 1 Aug 2008 07:44:49 +0200 (SAST)
Subject: [c-nsp] XR OS-SHMWIN-2-ERROR_ENCOUNTERED
In-Reply-To: 
References: 
Message-ID: 

Howdy ho,

> How much memory is installed in slot0 LC? Looks like you might not have
> enough.

yip looks like the issue

> Can you send a "show diag"

poor card only has 512Meg route memory

SLOT 0  (RP/LC 0): Cisco 12000 4-Port ISE ATM Over SONET OC3/STM-1 Single Mode/IR SC-SC connector
  MAIN: type 129,  800-24341-04 rev G0 dev 0
        HW config: 0x00    SW key: 00-00-00
  PCA:  73-7852-07 rev E0 ver 4
        HW version 1.0  S/N SAD1220039U
  MBUS: Embedded Agent
        Test hist: 0x00    RMA#: 00-00-00    RMA hist: 0x00
  DIAG: Test count: 0x00000000    Test results: 0x00000000
  FRU:  Linecard/Module: 4OC3/ATM-IR-SC
        Route Memory: MEM-LC-512=
        Packet Memory: MEM-LC1-PKT-512=
  L3 Engine: 3 - ISE OC48 (2.5 Gbps)
  MBUS Agent Software version 2.56 (RAM) (ROM version is 2.23)
  Using CAN Bus A
  ROM Monitor version 1.8
  Fabric Downloader version used 8.0 (ROM version is 5.5)
  Primary clock is CSC1
  Board State is IOS-XR RUN
  Insertion time: Fri Jul  4 10:15:08 2008 (3w6d ago)
  DRAM size: 536870912 bytes
  FrFab SDRAM size: 268435456 bytes
  ToFab SDRAM size: 268435456 bytes
  0 crashes since restart/fault forgive

and from:
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.4/general/release/notes/reln_342.html

  The minimum memory requirements for Cisco XR 12000 Series Routers running
  Cisco IOS XR Software Release 3.4.2 are:
  - 1-GB line card route memory on all Engine 3 line cards

so this looks like the issue

thanx for your response and help - much appreciated

later

> Rich
>
> On 31/07/2008, at 8:19 PM, Nic Tjirkalli wrote:
>
>> Howdy ho,
>>
>> Have a CISCO GSR 12416/PRP running XR 3.6.1
>>
>> and it has started continually whining about :-
>>
>> LC/0/0/CPU0:Jul 31 10:15:47.970 : fib_mgr[146]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>> LC/0/0/CPU0:Jul 31 10:15:50.337 : l2fib[180]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>> LC/0/0/CPU0:Jul 31 10:16:17.989 : fib_mgr[146]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>> LC/0/0/CPU0:Jul 31 10:16:19.372 : l2fib[180]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>> LC/0/0/CPU0:Jul 31 10:16:48.014 : fib_mgr[146]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>> LC/0/0/CPU0:Jul 31 10:16:49.269 : l2fib[180]:
>> %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state
>> is critical
>>
>> CCO says log a tac case, but was wondering if anybody had some ideas of
>> what this error is and how to go about "fixing" it
>>
>> thanx
>>
>> ---------------------------------------------------------------------
>> Mind Like A Steel Trap - Rusty And Illegal In 37 States.
>>
>> Nic Tjirkalli
>> Verizon Business South Africa
>> Network Strategy Team
>>
>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
>> is strictly confidential and intended only for use by the addressee unless
>> otherwise indicated.
>>
>> Company Information: http://www.verizonbusiness.com/za/contact/legal/
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

---------------------------------------------------------------------
Reality is merely an illusion, albeit a very persistent one.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

From arla at rn.dk  Fri Aug  1 01:32:33 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Fri, 1 Aug 2008 07:32:33 +0200
Subject: [c-nsp] debugging and tracing on IP-Sec tunnel
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>

Hi Folks

I need some advice regarding trace and debug on a tunnel with IPSec. We are
using a provider for some kind of health service; these servers can be
reached via a tunnel interface in our network and vice versa.

My problem is that one server is out of reach on http traffic but not on
ssh. If I deploy an access-list on the tunnel interface, I can see that the
http traffic is being forwarded via the tunnel interface. So how can I be
sure that the IP-Sec interface is also forwarding the http traffic and not
just ssh?

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key Klipklapklop4433saksen address xxxxxxxxx
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map MEDMAP 2 ipsec-isakmp
 description nja -> medcom
 set peer xxxxxxxxxxx
 set transform-set strong
 match address krypt-medcom

interface Tunnel1
 description GRE interface
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip mtu 1300
 ip nat outside
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xxx.xxx.xxx.xxx
!
interface FastEthernet0/0
 description Outside - Internetrouter
 ip address xxx.xxx.xxx.xxx 255.255.255.128
 speed 100
 full-duplex
 crypto map MEDMAP

From abalashov at evaristesys.com  Fri Aug  1 02:00:08 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 01 Aug 2008 02:00:08 -0400
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To: 
References: 
Message-ID: <4892A668.3010902@evaristesys.com>

Andreas Sikkema wrote:

> How do I add 310 as a prefix to the calls from port 3/3 so that dialpeer
> 100 does not match and calls go to dialpeer 12 (or something functionally
> similar)?

To add translations based on a specific physical port, you have to add the
translation profile to the voice-port for 3/3, so that the translation can
happen before any dial-peer matching is done (that's the order of
evaluation).

Example:

voice translation-rule 2
 rule 1 /^\(.+\)/ /05500\1/
!
!
voice translation-profile FAX-TRANSLATIONS
 translate called 2
!
...
!
voice-port 4/1:D
 translation-profile incoming FAX-TRANSLATIONS
 no comfort-noise
 bearer-cap 3100Hz
!
...
!
dial-peer voice 803 voip
 description FAX DIDs
 destination-pattern 05500T
 session protocol sipv2
 session target ipv4:XXX.YYY.ZZZ.AAA
 session transport udp
 dtmf-relay rtp-nte
 codec g711ulaw
 fax rate 14400 bytes 255
 fax protocol pass-through g711ulaw
 no vad

--

This example stamps a prefix of 05500 on all calls that come in on T1 4/1,
and then there is a dial peer that matches 05500 + anything. In this case,
it's a VoIP peer, but it doesn't have to be.

-- 
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From peter at rathlev.dk  Fri Aug  1 03:39:22 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 01 Aug 2008 09:39:22 +0200
Subject: [c-nsp] debugging and tracing on IP-Sec tunnel
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2886948A677C@SRVEXC02.aas.its.nja.dk>
Message-ID: <1217576362.8240.17.camel@svesken.sys.mjna.net>

On Fri, 2008-08-01 at 07:32 +0200, Arne Larsen wrote:
> I need some advice regarding trace and debug on a tunnel with IPSec. We
> are using a provider for some kind of health service; these servers
> can be reached via a tunnel interface in our network and vice versa.
> My problem is that one server is out of reach on http traffic but not
> on ssh. If I deploy an access-list on the tunnel interface, I can see
> that the http traffic is being forwarded via the tunnel interface. So
> how can I be sure that the IP-Sec interface is also forwarding the
> http traffic and not just ssh?

You could place a sniffer on the outside to look for ESP packets. If there's
a time window with no or little other traffic, you could be fairly certain
that some generated HTTP traffic is what you see on the outside.

An access-list on Fa0/0 should also work. It could be the same as you use
for encrypting ("krypt-medcom"), which I presume allows GRE traffic from your
end to the other end.

Both are limited by the fact that the traffic is now encrypted, so it's
harder to tell if what you see really is what you expect.

Of course there could be other problems: the other end of the tunnel not
accepting the traffic (this specific peer usually sends unreachables though)
or maybe PMTUD problems. If a simple telnet towards port 80 is working, but
downloading pages isn't, adjust-mss might help. (We use "ip tcp adjust-mss
1355" on our tunnel towards this provider.) This is less probable if you have
two similar servers working, but they might be behind different tunnels
themselves at the other end.

Mail me off list if you'd like me to test things from our end. :-)

Regards,
Peter

From Stefan.Hegger at lycos-europe.com  Fri Aug  1 06:03:51 2008
From: Stefan.Hegger at lycos-europe.com (Stefan Hegger)
Date: Fri, 1 Aug 2008 12:03:51 +0200
Subject: [c-nsp] DPD dead peer detection
Message-ID: <200808011203.51395.Stefan.Hegger@lycos-europe.com>

Hi,

probably someone can help me to answer the following question.

I have a VPN router (Router_a) with 2 interfaces connected to 2 ISPs with 2
IPs and I have a home office with a small VPN router (Router_b) connected to
one ISP with one interface and one IP.

Now I want to use DPD to check which route to use to connect from Router_b to
Router_a. ISP1 is the default, ISP2 is backup.

As far as I understand, DPD is a keepalive to check if a peer is up and
switches between peers and does not do anything with the routing. So it
checks only if the key exchange works and the peer is established within the
same tunnel. If it is like that, I cannot use DPD to solve my problem and
should use track and ip sla monitor.

Best Stefan
-- 
Stefan Hegger
Internet System Engineer

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh

Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720

Registered office: Gütersloh
Gütersloh District Court, HRB 2157
Managing Director: Christoph Mohn

From joost.greene at gmail.com  Fri Aug  1 09:14:18 2008
From: joost.greene at gmail.com (Joost greene)
Date: Fri, 1 Aug 2008 15:14:18 +0200
Subject: [c-nsp] Filtering telnet without ACL
Message-ID: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>

Hello,

Someone challenged me with a question on how I can filter telnet access to
one router from all hosts except two of them WITHOUT using access-lists or
access-line under the VTY? Any ideas?

Regards,
Joost

From lists at memetic.org  Fri Aug  1 09:04:50 2008
From: lists at memetic.org (Adam Armstrong)
Date: Fri, 01 Aug 2008 14:04:50 +0100
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: 
References: 
Message-ID: <489309F2.5080606@memetic.org>

David Curran wrote:
> Touche. I was speaking of the smaller catalyst platforms. However I'm not
> sure it's fair to real routers to call the Supervisors route processors.
> That's like calling a Yugo a race car. Sure, you COULD race it...

Look at the specs of the RSP-720. It would be a lot faster at software
forwarding than all of the devices mentioned earlier. (it'd probably be
similar speed to the NPE-G2, I guess)

The issue is that the switch architecture makes it very hard to accurately
track and record the information needed for netflow. This information is
stored in TCAM, which is already scarce enough on those platforms!

adam.
From peter at rathlev.dk  Fri Aug  1 09:56:16 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 01 Aug 2008 15:56:16 +0200
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <1217598976.11771.2.camel@svesken.sys.mjna.net>

On Fri, 2008-08-01 at 15:14 +0200, Joost greene wrote:
> Someone challenged me with a question on how I can filter telnet access
> to one router from all hosts except two of them WITHOUT using
> access-lists or access-line under the VTY? Any ideas?

Control-plane policing could do it without interface ACLs or VTY
access-classes, but it'd be a little hard to realise without access-lists at
all.

You could also disable telnet by not including it in the "transport input
..." configuration under line VTY. Like using just "transport input ssh" or
something. This would disable telnet, but not SSH.

Regards,
Peter

From sil at infiltrated.net  Fri Aug  1 09:19:49 2008
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 1 Aug 2008 08:19:49 -0500
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <20080801131949.GA8073@infiltrated.net>

On Fri, 01 Aug 2008, Joost greene wrote:

> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? Any ideas?
>
> Regards,
> Joost

Route map...

ip access-list extended NO_TELNET
 deny tcp any any eq 23
!
route-map BLOCK_TELNET 10
 match ip address NO_TELNET
 set interface Null 0
!
ip local policy route-map BLOCK_TELNET

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best forms (of government)
those entrusted with power have, in time, and by slow operations,
perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

From saku+cisco-nsp at ytti.fi  Fri Aug  1 10:04:58 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 1 Aug 2008 17:04:58 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <20080801140458.GA21900@mx.ytti.net>

On (2008-08-01 15:14 +0200), Joost greene wrote:

Hey,

> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? Any ideas?

I assume the challenge was set because the asker knows how to do it. If not,
then I think the challenge should be how to make the router output PONIES.

Anyhow, I think CoPP, rACL and policy-route would break the 'no acl'
definition and wouldn't be an acceptable solution. I think what would fit the
rule is an MPLS LSR where you'd only have a route back to a couple of
management hosts and others couldn't telnet to the box, simply because the
box doesn't have a route to them. Of course everyone in your IGP could telnet
to the box also.
-- 
++ytti

From korio at korio.org  Fri Aug  1 10:38:55 2008
From: korio at korio.org (Iassen Anadoliev)
Date: Fri, 1 Aug 2008 17:38:55 +0300 (EEST)
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>

On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? Any ideas?
>
> Regards,
> Joost

Well, if we assume that this is an ethernet network and the hosts are within
our broadcast domain, I think you can use MQC = NBAR, something like:

class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
 exit

class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxx.xxx.xxx
 match source-address mac yyy.yyy.yyy
 exit

class-map DENY_TELNET
 match protocol telnet
 exit

policy-map IN_FE0/0
 class PERMIT_TELNET
  bandwidth remaining percent 100
 class DENY_TELNET
  drop

int fastether0/0
 service-policy input IN_FE0/0

-- 
WWell by
Iassen Anadoliev

From dcurran at nuvox.com  Fri Aug  1 11:38:17 2008
From: dcurran at nuvox.com (David Curran)
Date: Fri, 01 Aug 2008 11:38:17 -0400
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: <489309F2.5080606@memetic.org>
Message-ID: 

Agreed, and not to beat a dead horse, but there are mechanisms to send full
packets to the processor and still circulate packets via the switch path for
forwarding. My point is that a switch that has a reported 720G throughput
most likely does not have the processor to do netflow on all of that.

That was my point about comparing a switch to a router. OK, I promise, I'm
done ;)

> From: Adam Armstrong
> Date: Fri, 01 Aug 2008 14:04:50 +0100
> To: David Curran ,
> Subject: Re: [c-nsp] Netflow / 3560 platform
>
> David Curran wrote:
>> Touche. I was speaking of the smaller catalyst platforms. However I'm not
>> sure it's fair to real routers to call the Supervisors route processors.
>> That's like calling a Yugo a race car. Sure, you COULD race it...
>>
> Look at the specs of the RSP-720. It would be a lot faster at software
> forwarding than all of the devices
> mentioned earlier. (it'd probably be similar speed to the NPE-G2, I guess)
>
> The issue is that the switch architecture makes it very hard to
> accurately track and record the information needed for netflow. This
> information is stored in TCAM, which is already scarce enough on those
> platforms!
>
> adam.

This email and any attachments ("Message") may contain legally privileged
and/or confidential information. If you are not the addressee, or if this
Message has been addressed to you in error, you are not authorized to read,
copy, or distribute it, and we ask that you please delete it (including all
copies) and notify the sender by return email. Delivery of this Message to
any person other than the intended recipient(s) shall not be deemed a waiver
of confidentiality and/or a privilege.
From ben.steele at internode.on.net  Fri Aug  1 19:54:01 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Sat, 2 Aug 2008 09:24:01 +0930
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<07607f0f796c82d1fb4f34924200bc9f.squirrel@webmail.korio.org>
Message-ID: <830144EC662F4019942F71E912AEF4CE@MOYAPENYA>

I like the answer from Iassen, though it does leave some question as to
where the source packet comes from, as he has assumed a local broadcast
segment. I guess you could add to your answer that, should the packet be from
beyond a layer 3 boundary, the 2 hosts can be requested to mark traffic (or
even a different router along the path could mark it) to match in your class
map on this router. That way you still avoid ACLs but meet the question
requirements. That is a stupid way of doing it though, as it's not very
secure should someone learn the magic TOS bit to use to get telnet access :)

----- Original Message ----- 
From: "Iassen Anadoliev"
To: "Joost greene"
Cc: 
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL

> On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
>> Hello,
>>
>> Someone challenged me with a question on how I can filter telnet access
>> to one router from all hosts except two of them WITHOUT using
>> access-lists or access-line under the VTY? Any ideas?
>>
>> Regards,
>> Joost
>
> Well, if we assume that this is an ethernet network and the hosts are
> within our broadcast domain, I think you can use MQC = NBAR, something like:
>
> class-map match-all PERMIT_TELNET
>  match protocol telnet
>  match class-map PERMIT_TELNET_HOSTS
>  exit
>
> class-map match-any PERMIT_TELNET_HOSTS
>  match source-address mac xxx.xxx.xxx
>  match source-address mac yyy.yyy.yyy
>  exit
>
> class-map DENY_TELNET
>  match protocol telnet
>  exit
>
> policy-map IN_FE0/0
>  class PERMIT_TELNET
>   bandwidth remaining percent 100
>  class DENY_TELNET
>   drop
>
> int fastether0/0
>  service-policy input IN_FE0/0
>
> -- 
> WWell by
> Iassen Anadoliev

From bitkraft at gmail.com  Fri Aug  1 22:05:41 2008
From: bitkraft at gmail.com (Brian Spade)
Date: Fri, 1 Aug 2008 19:05:41 -0700
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: 
References: <489309F2.5080606@memetic.org>
Message-ID: <505b616c0808011905v4b5dfaa3ye24432b0718473a0@mail.gmail.com>

Thanks for your responses. I thought it was Cisco's evil plan to make
customers purchase the more expensive 650x line of switches for Netflow :-)

/b

On Fri, Aug 1, 2008 at 8:38 AM, David Curran wrote:
> Agreed, and not to beat a dead horse, but there are mechanisms to send full
> packets to the processor and still circulate packets via the switch path
> for forwarding. My point is that a switch that has a reported 720G
> throughput most likely does not have the processor to do netflow on all of
> that.
>
> That was my point about comparing a switch to a router. OK, I promise,
> I'm done ;)
>
> > From: Adam Armstrong
> > Date: Fri, 01 Aug 2008 14:04:50 +0100
> > To: David Curran ,
> > Subject: Re: [c-nsp] Netflow / 3560 platform
> >
> > David Curran wrote:
> >> Touche. I was speaking of the smaller catalyst platforms. However I'm
> >> not sure it's fair to real routers to call the Supervisors route
> >> processors. That's like calling a Yugo a race car. Sure, you COULD race
> >> it...
> >>
> > Look at the specs of the RSP-720. It would be a lot faster at software
> > forwarding than all of the devices mentioned earlier. (it'd probably be
> > similar speed to the NPE-G2, I guess)
> >
> > The issue is that the switch architecture makes it very hard to
> > accurately track and record the information needed for netflow. This
> > information is stored in TCAM, which is already scarce enough on those
> > platforms!
> >
> > adam.

From jay at west.net  Sat Aug  2 12:35:27 2008
From: jay at west.net (Jay Hennigan)
Date: Sat, 02 Aug 2008 09:35:27 -0700
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080801140458.GA21900@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
	<20080801140458.GA21900@mx.ytti.net>
Message-ID: <48948CCF.7070003@west.net>

Saku Ytti wrote:
> I assume the challenge was set because the asker knows how to do it.

Or the asker didn't know how to do it and it cost him some time and a few
points, somewhere, in some lab...

-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From ras at e-gerbil.net  Sat Aug  2 15:20:49 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sat, 2 Aug 2008 14:20:49 -0500
Subject: [c-nsp] SNMP query mac-address-table on 6500/7600 IOS
Message-ID: <20080802192049.GF4889@gerbil.cluepon.net>

Is there a way to SNMP query the mac-address-table on a 6500/7600 sup720
running IOS (SXF, SRC, whatever)? There are some docs on the subject for
lower end catalysts but I'm not getting any data under dot1dTpFdbTable or
anything else useful from the bridge mib.

I'll also settle for alternative ways to solve my problem... I'm trying to
identify the actual physical port that a specific IP address (or mac
address, since I already have that) is being sent to, when that IP address
is routed via a L3 vlan iface that is trunked via multiple switchports.
Querying the mac-address-table seems like the easiest way, except I can't seem to make it work via snmp. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From tbaranski at mail.com Sat Aug 2 15:31:09 2008 From: tbaranski at mail.com (Terry Baranski) Date: Sat, 2 Aug 2008 15:31:09 -0400 Subject: [c-nsp] DPD dead peer detection In-Reply-To: <200808011203.51395.Stefan.Hegger@lycos-europe.com> Message-ID: <000001c8f4d6$518ddf10$0200000a@pleth0ra> Stefan, You're right -- DPD is just a keepalive. It sounds like what you want is two "set peer" statements in Router-B's crypto-map. If you have recent enough code you can put the "default" command after the ISP1 peer statement to make it the primary. If not, I don't know of a way to always prefer one peer over the other -- in my experience the first peer in a crypto-map isn't always the one used (at the very least, the failover behavior seems to be non-revertive). I think you'll still want to use DPD in this scenario for reliable failure detection -- it should allow Router-B to switch peers faster during a failure. -Terry > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stefan Hegger > Sent: Friday, August 01, 2008 6:04 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] DPD dead peer detection > > > Hi, > > probably someone can help me to answer the following question. > > > I have a VPN router (Router_a) with 2 interfaces connected to > 2 ISP's with 2 > IP's and I have a homeoffice with a small VPN router > (Router_b) connected to > one ISP with one interface and one IP. > > Now I want to use DPD to check which route to use to connect > from Router_b to > Router_a. ISP1 is the default, ISP2 is backup. > > As far as I understand DPD is a keepalive to check if a peer > is up and > switches between peers and does not do anything with the > routing. 
So it > checks only if the key exchange works and peer is established > within same > tunnel. If it is like that, I can not use DPD to solve my > problem and should > use track and ip sla monitor. > > Best Stefan > -- > Stefan Hegger > Internet System Engineer > > Lycos Europe GmbH > Carl-Bertelsmann Str. 29 > Postfach 315 > 33312 G?tersloh > > Phone: > Tel: +49 5241 8071 334 > Fax: +49 5241 80671 334 > Mobile: +49 170 1892720 > > Sitz der Gesellschaft: G?tersloh > Amtsgericht G?tersloh, HRB 2157 > Gesch?ftsf?hrer: Christoph Mohn > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From felixnkansah at gmail.com Sat Aug 2 16:20:02 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Sat, 2 Aug 2008 20:20:02 +0000 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? Message-ID: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Hi, I am working on an MPLS proposal for a mobile carrier (with 2mil+ customers). I need to decide on what routers to use as PE and P for their backhaul between 5 sites. I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as PE/P. Please let me know what your expert opinion is on this matter. They require MPLS VPN, TE, and QoS. Regards, Felix From saku+cisco-nsp at ytti.fi Sat Aug 2 16:40:42 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sat, 2 Aug 2008 23:40:42 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Message-ID: <20080802204042.GA8482@mx.ytti.net> On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). 
> > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully whether or not you can live with LAN card limitations. Without knowing the specifics of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS, which LAN cards do not do. Other limitations that pop into my mind are: no vlan local significance, no IPv6/uRPF (and chassis-wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, and either you lose up-to-/128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have many more options to choose from: ASR1k, MX, M, GSR, CRS. But if you are aware of all the catches with LAN interfaces and can live with/work around them, it's very good value for your money. However, in my book they suit the LSR/P role much better than the LER/PE role. -- ++ytti From rubensk at gmail.com Sat Aug 2 16:52:28 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Sat, 2 Aug 2008 17:52:28 -0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> Message-ID: <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and 12000. ME6524 seems a good fit for this environment; J-2320/6350 could be the J-land options to explore (although ISR 38x5 are their counterparts at C-land, not the ME6524).
Rubens On Sat, Aug 2, 2008 at 5:20 PM, Felix Nkansah wrote: > Hi, > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. > > Regards, > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ras at e-gerbil.net Sat Aug 2 18:14:10 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sat, 2 Aug 2008 17:14:10 -0500 Subject: [c-nsp] SNMP query mac-address-table on 6500/7600 IOS In-Reply-To: <20080802192049.GF4889@gerbil.cluepon.net> References: <20080802192049.GF4889@gerbil.cluepon.net> Message-ID: <20080802221410.GH4889@gerbil.cluepon.net> On Sat, Aug 02, 2008 at 02:20:49PM -0500, Richard A Steenbergen wrote: > Is there a way to SNMP query the mac-address-table on a 6500/7600 sup720 > running IOS (SXF, SRC, whatever)? There are some docs on the subject for > lower end catalysts but I'm not getting any data under dot1dTpFdbTable or > anything else useful from the bridge mib. > > I'll also settle for alternative ways to solve my problem... I'm trying to > identify the actual physical port that a specific IP address (or mac > address, since I already have that) is being sent to, when that IP address > is routed via a L3 vlan iface that is trunked via multiple switchports. > Querying the mac-address-table seems like the easiest way, except I can't > seem to make it work via snmp. Sigh nevermind, found the problem. Seems you have to use a community of blah at vlanid to access the bridge mib. 
-- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From vikassharmas at gmail.com Sun Aug 3 02:14:57 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Sun, 3 Aug 2008 11:44:57 +0530 Subject: [c-nsp] mac-address auto support for FWSM Message-ID: Hi, Does FWSM support the mac-address auto command? If yes, which version? Regards, Vikas Sharma From christian at broknrobot.com Sun Aug 3 03:08:52 2008 From: christian at broknrobot.com (Christian Koch) Date: Sun, 3 Aug 2008 03:08:52 -0400 Subject: [c-nsp] mac-address auto support for FWSM In-Reply-To: References: Message-ID: I don't believe so.. On Sun, Aug 3, 2008 at 2:14 AM, Vikas Sharma wrote: > Hi, > > Does FWSM support mac-address auto command? If yes which version? > > Regards, > Vikas Sharma > From haminu at cisco.com Sun Aug 3 03:13:33 2008 From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco)) Date: Sun, 3 Aug 2008 09:13:33 +0200 Subject: [c-nsp] mac-address auto support for FWSM In-Reply-To: References: Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04E6C2F8@xmb-ams-334.emea.cisco.com> Hi, Up to 3.2 it's not supported... I don't think it's there... HTH, Hash -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Sunday, August 03, 2008 10:09 AM To: Vikas Sharma Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] mac-address auto support for FWSM I don't believe so.. On Sun, Aug 3, 2008 at 2:14 AM, Vikas Sharma wrote: > Hi, > > Does FWSM support mac-address auto command? If yes which version?
> > Regards, > Vikas Sharma > From haminu at cisco.com Sun Aug 3 03:16:19 2008 From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco)) Date: Sun, 3 Aug 2008 09:16:19 +0200 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04E6C2FA@xmb-ams-334.emea.cisco.com> Hi Saku, It depends again on what services you are trying to provision... in all cases I have seen the 7600 as the way to go... without cost being the hindrance :) HTH, Hash -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Saturday, August 02, 2008 11:41 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully whether or not you can live with LAN card limitations.
Without knowing specific of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS which LAN cards do not do. Other limitations that pop in my mind are, no vlan local significance, no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have much more options to choose from. ASR1k, MX, M, GSR, CRS. But if you are aware of all the catches with LAN interfaces and can live/workaround them, it's very good value to your money. However, in my book they suite much better LSR/P role than LER/PE role. -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From saku+cisco-nsp at ytti.fi Sun Aug 3 04:12:06 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 11:12:06 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> Message-ID: <20080803081205.GA22300@mx.ytti.net> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote: > AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software > releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and I believe ASR1k did MPLS and L3 MPLS VPN in FCS. Only large bit missing was L2 MPLS VPN's which is coming in release3 iirc. > 12000. ME6524 seems a good fit for this environment, J-2320/6350 could > be the J-land options to explore (although ISR 38x5 are their > counterparts at C-land, not the ME6524). QoS in PE and catalyst doesn't seem good fit to me. 
Unless you have a dedicated port to each customer. But in my view almost all PE usages include customers in VLANs, in which case, to do any QoS, you need HQoS, which LAN cards cannot do. They are cheap for a reason. While in the LSR/P role, LAN cards are a perfect fit. It's quite backwards really: you want 'WAN' cards to face your distribution, and LAN cards are fine in all of the core, except if you want to do VPLS, in which case the LER/PE needs a WAN card to the core too. WAN being SIP (be careful with ES20). -- ++ytti From gert at greenie.muc.de Sun Aug 3 04:57:15 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 3 Aug 2008 10:57:15 +0200 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <20080803085714.GW288@greenie.muc.de> Hi, On Sat, Aug 02, 2008 at 11:40:42PM +0300, Saku Ytti wrote: > no IPv6/uRPF Is this a hardware or software limitation? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From saku+cisco-nsp at ytti.fi Sun Aug 3 05:35:22 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 12:35:22 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080803085714.GW288@greenie.muc.de> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <20080803085714.GW288@greenie.muc.de> Message-ID: <20080803093522.GA22667@mx.ytti.net> On (2008-08-03 10:57 +0200), Gert Doering wrote: > Hi, > > On Sat, Aug 02, 2008 at 11:40:42PM +0300, Saku Ytti wrote: > > no IPv6/uRPF > > Is this a hardware or software limitation?
Hardware, but you can of course use ACLs. I /think/ EARL8 (Nexus7k) does loose+strict per interface and IPv6/uRPF. -- ++ytti From masood at nexlinx.net.pk Sun Aug 3 09:18:46 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 18:18:46 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080802204042.GA8482@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> Message-ID: <011101c8f56b$79494590$6bdbd0b0$@net.pk> MPLS VPN, TE and QoS: if you need all of that in one box, then you had better go for the Juniper M series, Juniper M10i or M120/320. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 1:41 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > customers). > > I need to decide on what routers to use as PE and P for their backhaul > between 5 sites. > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > PE/P. > > Please let me know what your expert opinion is on this matter. They require > MPLS VPN, TE, and QoS. You should find out very carefully whether or not you can live with LAN card limitations. Without knowing the specifics of your QoS requirements, it's very likely that you are terminating customers to subinterfaces, effectively requiring HQoS, which LAN cards do not do. Other limitations that pop into my mind are: no vlan local significance, no IPv6/uRPF (and chassis-wide strict or loose in IPv4), no IPv6 CoPP, no TOS byte transparency, and either you lose up-to-/128 lookup or L4 lookups in IPv6. If you find out that you can't live with LAN cards, the main attraction of 7600/6500 goes away and you have many more options to choose from: ASR1k, MX, M, GSR, CRS.
But if you are aware of all the catches with LAN interfaces and can live with/work around them, it's very good value for your money. However, in my book they suit the LSR/P role much better than the LER/PE role. -- ++ytti From saku+cisco-nsp at ytti.fi Sun Aug 3 09:04:07 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 16:04:07 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <011101c8f56b$79494590$6bdbd0b0$@net.pk> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> Message-ID: <20080803130407.GA28665@mx.ytti.net> On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX then better you go for > Juniper M Series. Juniper M10i or M120/320. The M10i is quite an aging platform, displaying a varying amount of issues. I'd say MX and M120 would be better picks. One particular example that comes to mind is the inability to pop explicit-null and decrement the IP TTL at the same time, making the egress PE disappear from traceroute when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not; haven't tested though.) > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Sunday, August 03, 2008 1:41 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites.
> > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations. Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. > Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti From masood at nexlinx.net.pk Sun Aug 3 13:12:23 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 22:12:23 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <20080803130407.GA28665@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> <20080803130407.GA28665@mx.ytti.net> Message-ID: <013701c8f58c$1bc17930$53446b90$@net.pk> In case of Cisco, how about point to multipoint LSP's & multipoint to point LSP's? If you need scalable VPLS you may find JUNOS (juniper) better than IOS. 
Although both vendors are supporting LDP/RSVP-TE, but they have some layer 8-9 :) issues. One (Cisco) is supporting LDP while juniper is working extensively on RSVP-TE(BGP). -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 6:04 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX than better you go for > Juniper M Series. Juniper M10i or M120/320. M10i is quite aging platform, displaying varying amount of issues. I'd say MX and M120 would be better picks. One particular example comes to mind is inability to pop explicit-null and decreasing IP TTL at the same time, making egress PE disappear from traceroute, when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not, haven't tested though). > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Sunday, August 03, 2008 1:41 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites. > > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations. 
Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. > Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Sun Aug 3 12:19:09 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Sun, 3 Aug 2008 11:19:09 -0500 Subject: [c-nsp] router as bridge for netflow exports Message-ID: Hello, I'm wondering if it should work to setup a router as a bridged device to put in between a couple of switches to do some netflow exports? Or is there a better way to get this kind of data from a link? Thanks, Dan. From masood at nexlinx.net.pk Sun Aug 3 13:27:37 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Sun, 3 Aug 2008 22:27:37 +0500 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? 
In-Reply-To: <013701c8f58c$1bc17930$53446b90$@net.pk> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <20080802204042.GA8482@mx.ytti.net> <011101c8f56b$79494590$6bdbd0b0$@net.pk> <20080803130407.GA28665@mx.ytti.net> <013701c8f58c$1bc17930$53446b90$@net.pk> Message-ID: <013801c8f58e$3cc76200$b6562600$@net.pk> I don't want to start another thread on MPLS TE along with the best vendor, but it's an important topic in mobile carriers' networks. There are currently two label distribution protocols that Cisco/Juniper support for Traffic Engineering: RSVP, CR-LDP. Although the two protocols provide a similar level of service, the way they operate is different, and the detailed function they offer is also not consistent. Network engineers need clear information to help them decide which protocol to implement in a Traffic Engineered MPLS network. Each protocol has its champions and detractors, and the specifications are still under development. Recognizing that the choice of label distribution protocol is crucial for the success of device manufacturers and network providers, it is very difficult to identify which protocol is the right one to use in a particular environment. Traffic Engineering is a never-ending topic, but some comments/thoughts can make it more interesting.. Regards, Masood Ahmad Shah BLOG: http://www.weblogs.com.pk/jahil -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Masood Ahmad Shah Sent: Sunday, August 03, 2008 10:12 PM To: 'Saku Ytti'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? In the case of Cisco, how about point-to-multipoint LSPs & multipoint-to-point LSPs? If you need scalable VPLS you may find JUNOS (Juniper) better than IOS. Although both vendors support LDP/RSVP-TE, they have some layer 8-9 :) issues. One (Cisco) is supporting LDP while Juniper is working extensively on RSVP-TE(BGP).
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Sunday, August 03, 2008 6:04 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? On (2008-08-03 18:18 +0500), Masood Ahmad Shah wrote: > MPLS VPN, TE and QoS, If all you need in one BOX than better you go for > Juniper M Series. Juniper M10i or M120/320. M10i is quite aging platform, displaying varying amount of issues. I'd say MX and M120 would be better picks. One particular example comes to mind is inability to pop explicit-null and decreasing IP TTL at the same time, making egress PE disappear from traceroute, when using core-hiding and explicit-null. (PFC3B also suffers from this, but PFC3C with SXH should not, haven't tested though). > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti > Sent: Sunday, August 03, 2008 1:41 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier? > > On (2008-08-02 20:20 +0000), Felix Nkansah wrote: > > > I am working on an MPLS proposal for a mobile carrier (with 2mil+ > > customers). > > > > I need to decide on what routers to use as PE and P for their backhaul > > between 5 sites. > > > > I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as > > PE/P. > > > > Please let me know what your expert opinion is on this matter. They > require > > MPLS VPN, TE, and QoS. > > You should find out very carefully if or not you can live with LAN > card limitations. Without knowing specific of your QoS requirements, > it's very likely that you are terminating customers to subinterfaces, > effectively requiring HQoS which LAN cards do not do. 
> Other limitations that pop in my mind are, no vlan local significance, > no IPv6/uRPF (and chassis wide strict or loose in IPv4), no IPv6 CoPP, > no TOS byte transparency, either you lose up-to /128 lookup or L4 lookups > in IPv6. > > If you find out that you can't live with LAN cards, the main attraction > of 7600/6500 goes away and you have much more options to choose from. > ASR1k, MX, M, GSR, CRS. > But if you are aware of all the catches with LAN interfaces and can > live/workaround them, it's very good value to your money. However, in my > book they suite much better LSR/P role than LER/PE role. > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From christian at broknrobot.com Sun Aug 3 13:44:23 2008 From: christian at broknrobot.com (Christian Koch) Date: Sun, 3 Aug 2008 13:44:23 -0400 Subject: [c-nsp] EOBC Tx Errors Message-ID: Can anyone tell me exactly what the ethernet out of band channel is used for and why I would be getting errors on it? box is 7609-S with RSP720 Thanks Christian From rubensk at gmail.com Sun Aug 3 15:23:31 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Sun, 3 Aug 2008 16:23:31 -0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? 
In-Reply-To: <20080803081205.GA22300@mx.ytti.net> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> Message-ID: <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> >> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could >> be the J-land options to explore (although ISR 38x5 are their >> counterparts at C-land, not the ME6524). > > QoS in PE and catalyst doesn't seem good fit to me. Unless you have > dedicated port to each customer. But in view most all PE usages > include customers in VLAN, in which case, to do any QoS, you > need HQoS, which LAN cards can not do. They are cheap for > a reason. "mls qos vlan-based" can be turned on to do PFC-QoS on VLANs... (at least on PFC3C, but I thought it was supported on other PFC3 releases). HQoS is nice for building services like "25% of the bandwidth has voice priority, if no voice traffic is present you can go up to 100%, if more than 25% is voice then only 25% will have expedited forwarding", but if you provide simple CIR/PIR services per VLAN, differentiating needs by different VLANs, what could be achieved by HQoS that PFC-QoS would do only by dedicating a port? Rubens From saku+cisco-nsp at ytti.fi Sun Aug 3 15:42:54 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sun, 3 Aug 2008 22:42:54 +0300 Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier? In-Reply-To: <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> <6bb5f5b10808031223r484641abs46c9cd23d1021e39@mail.gmail.com> Message-ID: <20080803194254.GB1690@mx.ytti.net> On (2008-08-03 16:23 -0300), Rubens Kuhl Jr. wrote: > "mls qos vlan-based" can be turned on to do PFC-QoS on VLANs...
(at > least on PFC3C, but I thought it was supported on other PFC3 > releases). > > HQoS is nice for building services like "25% of the bandwidth has > voice priority, if no voice traffic present you can go up to 100%, if > more than 25% is voice then only 25% will have expedite forwarding", > but if you provide simple CIR/PIR services per VLAN, differentiating > needs by different VLANs, what could be achieved by HQoS that PFC-QoS > would do only by dedicating a port ? Well, consider I have a TenGig connection to my distribution, and customers are terminated to VLAN subinterfaces. Now, obviously the router has no clue what the actual speed of each VLAN is. So let's say I have a 2M corporate connection in one VLAN. To guarantee voice quality for that 2M customer, I'd first need to shape it to 2M, then inside that 2M space I'd need to prioritize VoIP. Of course, if at all possible, QoS should be done in the port facing the customer, be it a DSLAM port or a switch port; then you don't have to care about QoS at the aggregation/PE level and can get significant cost savings. -- ++ytti From mtinka at globaltransit.net Sun Aug 3 19:05:03 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 4 Aug 2008 07:05:03 +0800 Subject: [c-nsp] LDP Graceful restart In-Reply-To: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com> References: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com> Message-ID: <200808040705.07913.mtinka@globaltransit.net> On Thursday 31 July 2008 20:25:15 Monika M wrote: > Does the graceful restart feature for LDP work in a > single route processor configuration? (similar to Routing > protocols?) We have seen it work as desired between multiple 7206-VXR units (which are, by no means, hardware/distributed routing platforms, but for all intents and purposes, have a single control plane). Here's some log output: Jul 27 00:26:41.874 MYT: %LDP-5-GR: GR session 192.168.0.1:0 (inst. 13): interrupted--recovery pending We have a couple of Junipers (M-series) that have LDP configured for GR, but those have been stable so I have no logs to offer :-). Cheers, Mark. From nmcnsp at packetarchitects.com Mon Aug 4 01:22:27 2008 From: nmcnsp at packetarchitects.com (Nihar Mehta) Date: Sun, 3 Aug 2008 22:22:27 -0700 Subject: [c-nsp] 6509 ACE/FWSM Modules?????????? In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> Message-ID: Cisco has published the following for design with ACE and FWSM. http://www.cisco.com/univercd/cc/td/doc/solution/ace_fwsm.pdf - Nihar On Tue, Jul 29, 2008 at 3:49 PM, Teller, Robert wrote: > I am working on implementing a two 6509 chassis setup using vss and > ace/fwsm modules. Anyone know of any good books for the ACE and FWSM > modules? > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address.
> #########################################################

From jmayer at loplof.de  Mon Aug  4 01:58:07 2008
From: jmayer at loplof.de (Joerg Mayer)
Date: Mon, 4 Aug 2008 07:58:07 +0200
Subject: [c-nsp] 6500 rfc 2674 support?
In-Reply-To: <20080718221119.GA27323@wildfire.net.ic.ac.uk>
References: <31DA323D-AE39-4AEA-8B76-3BB4B7CCBC29@princeton.edu>
	<20080718221119.GA27323@wildfire.net.ic.ac.uk>
Message-ID: <20080804055807.GM21516@thot.informatik.uni-kl.de>

On Fri, Jul 18, 2008 at 11:11:19PM +0100, Phil Mayers wrote:
> > Is there another CISCO MIB that can be accessed without using
> > indexing that contains the BRIDGE FDB with vlan info?
> >
> > It sure would be nice to have this work since all our other switches
> > support it. We are trying to come up with an accurate way to model
> > L2 VLANs.
>
> Granted that the @vlan is a (tiny) bit tedious to implement, what's
> inaccurate about using the indexed mode?

IIRC, it has been very inconvenient for us when using SNMPv3 because you
need to add a new config line for each vlan (aka context).

ciao
   Joerg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works.
Some say that should read Microsoft instead of technology.

From stig.johansen at ementor.no  Mon Aug  4 02:46:14 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 4 Aug 2008 08:46:14 +0200
Subject: [c-nsp] router as bridge for netflow exports
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B95@100NOOSLMSG004.common.alpharoot.net>

Setup a sniffer and use netflow export on it. See f.ex.
http://www.ntop.com/nProbe.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: 3. august 2008 18:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] router as bridge for netflow exports

Hello,

I'm wondering if it should work to set up a router as a bridged device
to put in between a couple of switches to do some netflow exports? Or is
there a better way to get this kind of data from a link?

Thanks,
Dan.

From soonkian.wong at gmail.com  Mon Aug  4 05:18:27 2008
From: soonkian.wong at gmail.com (Soon Kian)
Date: Mon, 4 Aug 2008 17:18:27 +0800
Subject: [c-nsp] NPE-G2 Adjustable MTU
Message-ID: <371cac6a0808040218k2857f2edoad0afba807dc50e@mail.gmail.com>

Hi Guys,

Has anyone successfully increased the interface MTU on the tunnel with
the MPLS VPN Inter-AS command "mpls bgp forwarding" configured at the
same time? So far I have tried several IOS features; they can only
support either but not both commands at the same time.

We are trying to establish an Option B NNI VPN using a tunnel for backup
purposes.

Thanks in advance

Cheers
Soon Kian

From aaronis at people.net.au  Mon Aug  4 07:33:39 2008
From: aaronis at people.net.au (Aaron R)
Date: Mon, 4 Aug 2008 19:33:39 +0800
Subject: [c-nsp] router as bridge for netflow exports
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B95@100NOOSLMSG004.common.alpharoot.net>
Message-ID: <200808041133.m74BXlTY096312@puck.nether.net>

Yep, I have also used softflowd, which is essentially the same thing.
SPAN the port and away you go; she generates netflows for you.

http://www.mindrot.org/projects/softflowd/

Cheers,
Aaron.
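Once softflowd or nProbe is exporting from the SPAN port, the collector side has to decode what arrives. The following is an added example written for this thread; it is not code from the list, from softflowd or from nProbe. It parses NetFlow v5 export datagrams (the format softflowd emits by default and nProbe can emit) over a two-flow export constructed by hand, with the version and length checks a collector should make before trusting the record count. The addresses are RFC 5737 documentation ranges, and the helper that packs the sample records exists only to build the test input.

```python
"""Decode NetFlow v5 export datagrams (as softflowd/nProbe send from a
SPAN port) and summarise them per source address.

Added example for the cisco-nsp thread above; not softflowd or nProbe
code.  The datagram below is constructed by hand and uses RFC 5737
documentation addresses, not real hosts.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order)
V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return {"header": {...}, "records": [...]} for one v5 datagram.

    Raises ValueError on anything malformed.  The exporter is an
    unauthenticated UDP sender, so the count field is never trusted to
    decide how far to read: the datagram length must agree with it.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > 30:
        raise ValueError(f"record count {count} exceeds v5 maximum of 30")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"expected {expected} bytes for {count} records, "
                         f"got {len(datagram)}")
    header = {
        "count": count,
        "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs,
        "flow_sequence": flow_seq,        # gaps here mean lost exports
        "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_mode": sampling >> 14,  # top 2 bits
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    offset = V5_HEADER.size
    for _ in range(count):
        f = V5_RECORD.unpack_from(datagram, offset)
        offset += V5_RECORD.size
        records.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),
            "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
        })
    return {"header": header, "records": records}


def bytes_per_talker(records) -> dict:
    """Octets per source address: the first cut when a link is saturated."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return dict(totals)


def build_v5_record(src, dst, sport, dport, proto, packets, octets, tcp_flags=0):
    """Constructed test helper that packs one record; not exporter code."""
    return V5_RECORD.pack(
        socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
        1, 2, packets, octets, 1000, 2000, sport, dport,
        0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample export: one HTTP request flow and its reply flow.
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 2, 123456, 1217900000, 0, 42, 0, 0, 0)
    + build_v5_record("192.0.2.10", "198.51.100.5", 40512, 80, 6, 12, 9600, 0x1B)
    + build_v5_record("198.51.100.5", "192.0.2.10", 80, 40512, 6, 9, 52000, 0x1B)
)

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_DATAGRAM)
    for rec in parsed["records"]:
        print(f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]} '
              f'proto={rec["proto"]} pkts={rec["packets"]} bytes={rec["bytes"]}')
    print(bytes_per_talker(parsed["records"]))
```

Two things worth keeping from this when you build the real collector: reject a datagram whose length disagrees with its count field instead of reading as far as the count says, and track flow_sequence between consecutive datagrams, since a jump there is the only sign that the probe (or the SPAN session under load) dropped exports.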
From david.freedman at uk.clara.net  Mon Aug  4 09:49:35 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 04 Aug 2008 14:49:35 +0100
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID:

I think if I loosen the definition of "telnet" I can win here.

"no transport input telnet" on the VTYs.

Then connect your console/aux into your terminal server / DCN and access
it via telnet.
Dave.

Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet
> access to one router from all hosts except two of them WITHOUT using
> access-lists or access-line under the VTY? Any ideas?
>
> Regards,
> Joost

From haminu at cisco.com  Mon Aug  4 09:43:40 2008
From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco))
Date: Mon, 4 Aug 2008 15:43:40 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To:
References: <20080729184001.GD17128@ronin.4ever.de>
	<06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04EBDE06@xmb-ams-334.emea.cisco.com>

I would say for design reference this is really good and informative....
you might wanna take a look at it:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

Your first puzzle will be the logical placement of the module and the
devices and the modes they are to operate in. As the case is always: it
depends, but take a look at the file above.

HTH
Hash

From haminu at cisco.com  Mon Aug  4 10:03:22 2008
From: haminu at cisco.com (Hashiru Aminu -X (haminu - SSAI at Cisco))
Date: Mon, 4 Aug 2008 16:03:22 +0200
Subject: [c-nsp] LDP Graceful restart
In-Reply-To: <200808040705.07913.mtinka@globaltransit.net>
References: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com>
	<200808040705.07913.mtinka@globaltransit.net>
Message-ID: <72794E1E8C10754E94DF9FF678D68EDA04EBDE27@xmb-ams-334.emea.cisco.com>

Your answer is Yes, logically you can have graceful restart on a router
that does not have multiple RSPs, but you will need the neighboring
router to at least have the NSF/SSO feature .... Take a look at this
link.

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_grace_rstrt_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1088518

HTH
Hash

From sf at lists.esoteric.ca  Mon Aug  4 11:59:32 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Mon, 04 Aug 2008 11:59:32 -0400
Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier?
In-Reply-To: <20080803081205.GA22300@mx.ytti.net>
References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com>
	<6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com>
	<20080803081205.GA22300@mx.ytti.net>
Message-ID: <48972764.8050208@lists.esoteric.ca>

> WAN being SIP (be careful with ES20).

Would you mind elaborating on that? I'm leaning toward the ES20 at the
moment for our needs..

-- Stephen

Saku Ytti wrote:
> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote:
>
>> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software
>> releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and
>
> I believe ASR1k did MPLS and L3 MPLS VPN in FCS.
> Only large bit
> missing was L2 MPLS VPN's which is coming in release3 iirc.
>
>> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could
>> be the J-land options to explore (although ISR 38x5 are their
>> counterparts at C-land, not the ME6524).
>
> QoS in PE and catalyst doesn't seem good fit to me. Unless you have
> dedicated port to each customer. But in view most all PE usages
> include customers in VLAN, in which case, to do any QoS, you
> need HQoS, which LAN cards can not do. They are cheap for
> a reason.
> While in LSR/P role, LAN cards are perfect fit. It's quite backwards
> really, you want 'WAN' cards to face your distribution and LAN
> cards are fine in all core, except if you want to do VPLS,
> in which case LER/PE needs WAN card to core too.
>
> WAN being SIP (be careful with ES20).

From maillist at webjogger.net  Mon Aug  4 13:54:24 2008
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 4 Aug 2008 13:54:24 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
Message-ID: <03d501c8f65b$21714f70$12140a0a@GINKGO>

Hi,

I have a 2811 router running Advanced IP Services 12.4(19) which has
been acting funny.

First issue I had was after inserting (2) WIC-1ADSL cards the processor
jumped to 99%. After shutting down the interfaces and rebooting, the
router went back to normal.

Now the router is becoming intermittently inaccessible via telnet, while
still passing traffic through its interfaces.

Total interfaces on unit:
(2) WIC-1DSU-T1-V2
(2) WIC-1ADSL
(1) NM-HDV2-1T1/E1 w/ (2) PVDM2-32 daughter cards

The other thing we did recently is add the NM-HDV2-1T1/E1. Before adding
these cards, we never had an issue.

Running a "show controller serial x/x/x" and a "show buffer" through the
Output Interpreter, I am told:

"WARNING: The interface Serial0/0/0 has reported 449 'overruns'. This is
because, the input rate exceeds the ability of the receiver to handle
data ....
Paste the output of the show buffer command output into the Output
Interpreter to check whether the buffers can be tuned. "

"ERROR: Since its last reload, this router has created or maintained a
relatively large number of 'h2p1 buffers' yet still has very few free
buffers. The above symptoms suggest that a buffer leak has occurred."

I'm wondering if a buffer leak could be the source of the issue. Maybe
this wasn't a problem before the router had the new DSL cards and T1
network module, but now the new cards are claiming too much memory and
the buffer leak is causing issues.

We could try down- or upgrading the IOS ....

Thanks for advice,
Adam

From alexmoya at bellsouth.net  Mon Aug  4 14:28:50 2008
From: alexmoya at bellsouth.net (Alex Moya)
Date: Mon, 4 Aug 2008 14:28:50 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
In-Reply-To: <03d501c8f65b$21714f70$12140a0a@GINKGO>
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID:

How much memory does the router have on it?

Sent from my iPhone

From RTeller at deltadentalwa.com  Mon Aug  4 14:49:08 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Mon, 4 Aug 2008 11:49:08 -0700
Subject: [c-nsp] Adding vlan 1 to vlan-group
In-Reply-To:
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EBE@tiger.deltadentalwa.com>

Is there a configuration option that will allow me to add vlan 1 to a
vlan group to be used with an ACE module? When I try to do it I am
receiving the following error message.

svclc vlan-group 111 1
Vlan 1 can not be a secure vlan

I am doing this for temporary migration reasons.

From stig.johansen at ementor.no  Mon Aug  4 15:30:21 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 4 Aug 2008 21:30:21 +0200
Subject: [c-nsp] Adding vlan 1 to vlan-group
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
	<06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EBE@tiger.deltadentalwa.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5033F51BF@100NOOSLMSG004.common.alpharoot.net>

Sure is.. it's called a cable, and runs from a port in your vlan 1 to a
port in another vlan which you configure on your ACE module. :)

Best regards,
Stig Meireles Johansen

From maillist at webjogger.net  Mon Aug  4 15:41:05 2008
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 4 Aug 2008 15:41:05 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
Message-ID: <045001c8f66a$08c5dbd0$12140a0a@GINKGO>

Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.

----- Original Message -----
From: "Alex Moya"
To: "Adam Greene"
Sent: Monday, August 04, 2008 2:28 PM
Subject: Re: [c-nsp] buffer leak in 12.4(19)?

> How much memory does the router have on it?
>
> Sent from my iPhone

From alexmoya at bellsouth.net  Mon Aug  4 16:30:43 2008
From: alexmoya at bellsouth.net (Alex Moya)
Date: Mon, 4 Aug 2008 16:30:43 -0400
Subject: [c-nsp] buffer leak in 12.4(19)?
In-Reply-To: <045001c8f66a$08c5dbd0$12140a0a@GINKGO>
References: <03d501c8f65b$21714f70$12140a0a@GINKGO>
	<045001c8f66a$08c5dbd0$12140a0a@GINKGO>
Message-ID: <5E24C1D5-B31B-4A62-9BCF-52A8E01E11C2@bellsouth.net>

Should work fine. You could have a bad card.

Sent from my iPhone

On Aug 4, 2008, at 3:41 PM, "Adam Greene" wrote:
> Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.

From malitsky at netabn.com  Mon Aug  4 18:35:57 2008
From: malitsky at netabn.com (Michael Malitsky)
Date: Mon, 4 Aug 2008 17:35:57 -0500
Subject: [c-nsp] CPE for IPSEC
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL>

Greetings,

The auditors are trying to force me to encrypt our WAN traffic.
The WAN in question is Cogent's ethernet service - built as a mesh of
point-to-point VLANs. There are 3 sites; at every site I have a single
port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth
on the port is 200Mbps.

Putting in encryption seems fairly straightforward - 3 static IPSEC
tunnels. I am trying to figure out what kind of hardware can handle
IPSEC at this bandwidth. So far I am looking at:

- ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that,
  or should I be looking at 5540?
- 7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE
  handle the load?

Any real-world experiences will be most appreciated. Also, if there are
better suggestions (including non-Cisco), please share.

Thanks,
Michael Malitsky

From paul at paulstewart.org  Mon Aug  4 20:45:13 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 4 Aug 2008 20:45:13 -0400
Subject: [c-nsp] DSCP / NAT
Message-ID: <00f901c8f694$86c095a0$9441c0e0$@org>

Hi folks.

This is probably a dumb question ;)

Is there any way for a packet that hits NAT to have its DSCP bits
honored?

For example:

Interface FastE0 - public IP - ip nat outside
Interface FastE1 - private IP - ip nat inside

Device attached to FastE1 sends DSCP 46 - looking for a way for that to
pass through without remarking it on FastE0 - is there such a method?

Thanks,

Paul

From cchurc05 at harris.com  Mon Aug  4 21:06:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 4 Aug 2008 20:06:22 -0500
Subject: [c-nsp] DSCP / NAT
In-Reply-To: <00f901c8f694$86c095a0$9441c0e0$@org>
References: <00f901c8f694$86c095a0$9441c0e0$@org>
Message-ID:

I thought that was the default action for most NATing devices? I'm
pretty sure the 12.4 Cisco devices I've used all do that.
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Monday, August 04, 2008 8:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] DSCP / NAT Hi folks. This is probably a dumb question ;) Is there any way for a packet that hits NAT to have it's DSCP bits honored? For example: Interface FastE0 - public IP - ip nat outside Interface FastE1 - private IP - ip nat inside Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method? Thanks, Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ddunkin at netos.net Mon Aug 4 21:11:56 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Mon, 4 Aug 2008 18:11:56 -0700 Subject: [c-nsp] DSCP / NAT References: <00f901c8f694$86c095a0$9441c0e0$@org> Message-ID: <56F5BC5F404CF84896C447397A1AAF207AF33B@MAIL.nosi.netos.com> Correct, it should just go straight through, NAT translates the address/port only. It should not touch the rest of the packet unless otherwise configured. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Monday, August 04, 2008 18:06 To: Paul Stewart; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] DSCP / NAT I thought that was the default action for most NATing devices? I'm pretty sure the 12.4 Cisco devices I've used all do that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Monday, August 04, 2008 8:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] DSCP / NAT Hi folks. 
This is probably a dumb question ;) Is there any way for a packet that hits NAT to have it's DSCP bits honored? For example: Interface FastE0 - public IP - ip nat outside Interface FastE1 - private IP - ip nat inside Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method? Thanks, Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From zivl at gilat.net Tue Aug 5 02:31:02 2008 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 5 Aug 2008 09:31:02 +0300 Subject: [c-nsp] CPE for IPSEC In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> Message-ID: Check out about "Thales" -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky Sent: Tuesday, August 05, 2008 1:36 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] CPE for IPSEC Greetings, The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at: -ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540? 
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load? Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share. Thanks, Michael Malitsky _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From avayner at cisco.com Tue Aug 5 04:51:16 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 5 Aug 2008 10:51:16 +0200 Subject: [c-nsp] CPE for IPSEC In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com> Michael, A few questions: 1. I see you mention 225Mbps, but what is the packet-per-second rate? This is actually a more important factor, as router performance is usually PPS-rate based 2. Is 225M the total hub rate, or is it per spoke? In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW. 
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:

-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.

Thanks,
Michael Malitsky

From sam_mailinglists at spacething.org Tue Aug 5 06:30:40 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 11:30:40 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
Message-ID: <48982BD0.9030405@spacething.org>

Hi,

We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):

SW1 SVI ---VLANA-- SW2 SVI
   |                  |
DDOS Std          DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   X                  |
   |                  |
 Inside ----VLANB--- Inside

The Standby DDOS device does not pass traffic, but VLANs A and B are effectively bridged by the Active DDOS device on the right.
The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they provide a HSRP address that the inside network has a default pointing towards.

The CPU on the active side (SW2) is pegged at 99% and it's all in host learning. The log buffer reports:

Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (X:X:X:X:X:X) as source on port Gix/y in vlan B

(Gix/y connects to the inside port on the DDOS appliance).

I believe this is because the switches' MAC tables aren't VRF aware and the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.

Is my thinking correct? Is there another way?

Thanks,
Sam

From p.mayers at imperial.ac.uk Tue Aug 5 07:12:46 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 05 Aug 2008 12:12:46 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48982BD0.9030405@spacething.org>
References: <48982BD0.9030405@spacething.org>
Message-ID: <489835AE.1080006@imperial.ac.uk>

Sam Stickland wrote:
> Hi,
>
> We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):
>
> SW1 SVI ---VLANA-- SW2 SVI
>    |                  |
> DDOS Std          DDOS Act
>    |                  |
> SW1 (L2) --VLANB-- SW2 (L2)
>    X                  |
>    |                  |
>  Inside ----VLANB--- Inside
>
> The Standby DDOS device does not pass traffic, but VLANs A and B are effectively bridged by the Active DDOS device on the right.

What is a DDOS device? Do you mean IDS/IPS?

> The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they provide a HSRP address that the inside network has a default pointing towards.
>
> The CPU on the active side (SW2) is pegged at 99% and it's all in host learning.
> The log buffer reports:
>
> Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (X:X:X:X:X:X) as source on port Gix/y in vlan B
>
> (Gix/y connects to the inside port on the DDOS appliance).
>
> I believe this is because the switches' MAC tables aren't VRF aware and

MAC tables aren't VRF aware. They only need to be VLAN-aware.

Frankly I'm surprised this isn't working; if the SW2(L2) are really at layer2 with no SVI, and no L2 control protocols passing the DDoS device e.g. spanning tree, CDP, LLDP etc.

> the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.

You could try changing the MAC address of the SVI e.g. to a locally assigned one:

int VlanX
 mac-address H.H.H

...I'm not familiar with the C4k platform, but it's common that devices have a finite number of MAC addresses they can use. Also when I tried it on our 6500s I had problems where it didn't pick up the MAC change on an existing SVI until reboot, but would on a newly-created SVI.

From sam_mailinglists at spacething.org Tue Aug 5 07:21:31 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 12:21:31 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <489835AE.1080006@imperial.ac.uk>
References: <48982BD0.9030405@spacething.org> <489835AE.1080006@imperial.ac.uk>
Message-ID: <489837BB.3000701@spacething.org>

Phil Mayers wrote:
> Sam Stickland wrote:
>> Hi,
>>
>> We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):
>>
>> SW1 SVI ---VLANA-- SW2 SVI
>>    |                  |
>> DDOS Std          DDOS Act
>>    |                  |
>> SW1 (L2) --VLANB-- SW2 (L2)
>>    X                  |
>>    |                  |
>>  Inside ----VLANB--- Inside
>>
>> The Standby DDOS device does not pass traffic, but VLANs A and B are effectively bridged by the Active DDOS device on the right.
>
> What is a DDOS device? Do you mean IDS/IPS?

Yup.

>> The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they provide a HSRP address that the inside network has a default pointing towards.
>>
>> The CPU on the active side (SW2) is pegged at 99% and it's all in host learning. The log buffer reports:
>>
>> Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (X:X:X:X:X:X) as source on port Gix/y in vlan B
>>
>> (Gix/y connects to the inside port on the DDOS appliance).
>>
>> I believe this is because the switches' MAC tables aren't VRF aware and
>
> MAC tables aren't VRF aware. They only need to be VLAN-aware.

I'm aware of this, I was just stating my reasoning in a perhaps not too clear way :)

> Frankly I'm surprised this isn't working; if the SW2(L2) are really at layer2 with no SVI, and no L2 control protocols passing the DDoS device e.g. spanning tree, CDP, LLDP etc.

They have no SVI, but spanning-tree instances are running for VLANs A and B.

>> the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.
>
> You could try changing the MAC address of the SVI e.g. to a locally assigned one:
>
> int VlanX
>  mac-address H.H.H
>
> ...I'm not familiar with the C4k platform, but it's common that devices have a finite number of MAC addresses they can use. Also when I tried it on our 6500s I had problems where it didn't pick up the MAC change on an existing SVI until reboot, but would on a newly-created SVI.

Unfortunately the C4k platform doesn't support changing the BIA addresses, but given the nature of the error I don't think it would help. I think it's caused by the layer 2 portion of the switches seeing traffic sourced from its own SVI on one of its ports, which is confusing the host learning.
Sam

From csirek at cooler.hu Tue Aug 5 06:56:45 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Tue, 05 Aug 2008 12:56:45 +0200
Subject: [c-nsp] Cat4948 free list memory parity error
Message-ID: <489831ED.5010109@cooler.hu>

Hi

I got these messages but I did not find any info at cisco.com:

Log:
Aug 5 11:31:27 MET-DST: %C4K_SWITCHINGENGINEMAN-3-FREELISTMEMORYPARITY: Parity mismatch in freelist memory, flm addr=E425, reg bits=8000E425, total=2

System image file is "bootflash:cat4000-i9s-mz.122-25.EWA8.bin"
cisco WS-C4948-10GE (MPC8540) processor (revision 5) with 262144K bytes of memory.

Thanks,
csirek

From lists at daniels.id.au Tue Aug 5 07:44:40 2008
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Tue, 5 Aug 2008 21:44:40 +1000
Subject: [c-nsp] Extending MPLS over external providers cloud
Message-ID: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>

Hello Gurus

Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some smaller low bandwidth sites connected using DSL via an ISP. This external VRF terminates within a single VRF of ours.
We are now looking at extending several of our VRFs to these remote DSL sites, so as far as I see it, we can either put LDP over a tunnel, or each vrf over a separate tunnel.
At first glance I was thinking about LDP over DMVPN, which I will lab up over the next few days.

Has anyone done something like this before? What methods have been tried and tested, etc, etc.
All feedback welcome.
Thanks,
Aaron Daniels

From ltd at cisco.com Tue Aug 5 08:47:02 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 05 Aug 2008 22:47:02 +1000
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48982BD0.9030405@spacething.org>
References: <48982BD0.9030405@spacething.org>
Message-ID: <48984BC6.4070509@cisco.com>

Sam Stickland wrote:
> Hi,
>
> We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):
>
> SW1 SVI ---VLANA-- SW2 SVI
>    |                  |
> DDOS Std          DDOS Act
>    |                  |
> SW1 (L2) --VLANB-- SW2 (L2)
>    X                  |
>    |                  |
>  Inside ----VLANB--- Inside
> [..]
> I believe this is because the switches' MAC tables aren't VRF aware and the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.
>
> Is my thinking correct? Is there another way?

logically speaking, VRFs are for L3 what VLANs are for L2.

i don't think "replacing with separate L2 switches" will fix it, i think you've got a L2 loop that needs fixing.

cheers,

lincoln.

From rodunn at cisco.com Tue Aug 5 08:53:28 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 5 Aug 2008 08:53:28 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
References: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID: <20080805125328.GE19739@rtp-cse-489.cisco.com>

LDP over point to point GRE is the most common way.

Be careful with the MTU needed on the transport links because you are adding another 24 bytes of GRE overhead on top of the label stack. So if the transport is only 1500 bytes you will have issues.

As for MPLSoDMVPN I've seen some discussions about it but haven't ever put it in the lab or seen it in production.
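Rodney's MTU caveat, worked through as an added example (not the thread's own code, and not a vendor tool): it sums the outer IPv4 header, the GRE header and the label stack in front of a full-size inner packet and reports whether a given transport MTU carries it, fragments it, or drops it. The header sizes are the protocol constants; the two-label default is the usual L3VPN case (VPN label plus LDP transport label), and the `df_set` flag is simply whether the outer packet ends up with DF set, which depends on how the tunnel is configured.

```python
"""MTU budget for MPLS (LDP) over point-to-point GRE.

Added example for the MTU caveat in the thread; not code from the list.
Header sizes are protocol constants; the layout is outer IPv4 / GRE /
label stack / inner IPv4 packet.
"""

OUTER_IPV4 = 20
GRE_BASE = 4            # flags/version + protocol type
GRE_OPTIONAL = 4        # checksum, key and sequence each add 4 bytes when present
MPLS_LABEL = 4


def gre_header_len(checksum=False, key=False, sequence=False):
    return GRE_BASE + GRE_OPTIONAL * sum((checksum, key, sequence))


def tunnel_overhead(labels, **gre_opts):
    """Bytes added in front of the inner IP packet.
    Outer IPv4 plus a plain GRE header is the 24 bytes the thread mentions;
    the label stack (4 bytes per label) comes on top of that."""
    return OUTER_IPV4 + gre_header_len(**gre_opts) + MPLS_LABEL * labels


def required_transport_mtu(inner_mtu=1500, labels=2, **gre_opts):
    """Smallest transport-link MTU that carries inner_mtu packets unfragmented."""
    return inner_mtu + tunnel_overhead(labels, **gre_opts)


def max_inner_mtu(transport_mtu=1500, labels=2, **gre_opts):
    """Largest inner IP packet that still fits a transport link of transport_mtu;
    a candidate value for the tunnel's IP MTU when the transport cannot grow."""
    return transport_mtu - tunnel_overhead(labels, **gre_opts)


def check_path(transport_mtu, inner_mtu=1500, labels=2, df_set=True, **gre_opts):
    """Outcome for a full-size inner packet on a given transport.

    'ok'         : fits.
    'fragmented' : outer GRE packet is fragmented (DF clear); the far tunnel
                   endpoint pays for reassembly.
    'dropped'    : DF set on the outer packet and the transport is too small:
                   silent loss unless PMTUD works end to end, the classic
                   'small pings work, large transfers hang' symptom.
    """
    need = required_transport_mtu(inner_mtu, labels, **gre_opts)
    deficit = need - transport_mtu
    if deficit <= 0:
        outcome = "ok"
    elif df_set:
        outcome = "dropped"
    else:
        outcome = "fragmented"
    return {"needed": need, "available": transport_mtu,
            "deficit": max(deficit, 0), "outcome": outcome,
            "max_inner": max_inner_mtu(transport_mtu, labels, **gre_opts)}


if __name__ == "__main__":
    for mtu in (1500, 1528, 1532, 1600):
        print(mtu, check_path(mtu))
```

With a 1500-byte transport the deficit for a two-label packet is 32 bytes, so either the transport links are raised to at least 1532 (more if GRE keying or sequencing is on, or if more labels are stacked, as with FRR or TE) or the tunnel's IP MTU is lowered to 1468 and the inner packets are sized or fragmented before encapsulation.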
Rodney

On Tue, Aug 05, 2008 at 09:44:40PM +1000, Aaron Daniels - Lists wrote:
> Hello Gurus
>
> Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some smaller low bandwidth sites connected using DSL via an ISP. This external VRF terminates within a single VRF of ours.
> We are now looking at extending several of our VRFs to these remote DSL sites, so as far as I see it, we can either put LDP over a tunnel, or each vrf over a separate tunnel.
> At first glance I was thinking about LDP over DMVPN, which I will lab up over the next few days.
>
> Has anyone done something like this before? What methods have been tried and tested, etc, etc.
> All feedback welcome.
>
> Thanks,
> Aaron Daniels

From gulerozgur at yahoo.co.uk Tue Aug 5 08:57:06 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 5 Aug 2008 12:57:06 +0000 (GMT)
Subject: [c-nsp] EOBC Tx Errors
In-Reply-To:
Message-ID: <27110.28490.qm@web25501.mail.ukl.yahoo.com>

Hi Christian

Have a look at this link...

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_display_the_EOBC_error_counters_in_the_Catalyst_6500_series_switches_and_a_definition_of_the_EOBC_interface

/Ozgur

--- On Sun, 3/8/08, Christian Koch wrote:

From: Christian Koch
Subject: [c-nsp] EOBC Tx Errors
To: "cisco-nsp"
Date: Sunday, 3 August, 2008, 6:44 PM

Can anyone tell me exactly what the ethernet out of band channel is used for and why I would be getting errors on it?
box is 7609-S with RSP720

Thanks
Christian

From gulerozgur at yahoo.co.uk Tue Aug 5 09:07:23 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 5 Aug 2008 13:07:23 +0000 (GMT)
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com>
Message-ID: <977486.34468.qm@web25504.mail.ukl.yahoo.com>

ACL restriction might not rule out the prefix-list option. So I would go for the prefix list + route-map solution.

--- On Fri, 1/8/08, Joost greene wrote:

From: Joost greene
Subject: [c-nsp] Filtering telnet without ACL
To: cisco-nsp at puck.nether.net
Date: Friday, 1 August, 2008, 2:14 PM

Hello,

Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY?

any ideas?

Regards,
Joost
From sam_mailinglists at spacething.org Tue Aug 5 09:14:35 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 05 Aug 2008 14:14:35 +0100
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <48984BC6.4070509@cisco.com>
References: <48982BD0.9030405@spacething.org> <48984BC6.4070509@cisco.com>
Message-ID: <4898523B.7060604@spacething.org>

Lincoln Dale wrote:
>
>
> Sam Stickland wrote:
>> Hi,
>>
>> We have a pair of 4948s and some DDOS devices configured in this topology (this is an inherited design btw!):
>>
>> SW1 SVI ---VLANA-- SW2 SVI
>>    |                  |
>> DDOS Std          DDOS Act
>>    |                  |
>> SW1 (L2) --VLANB-- SW2 (L2)
>>    X                  |
>>    |                  |
>>  Inside ----VLANB--- Inside
>> [..]
>> I believe this is because the switches' MAC tables aren't VRF aware and the only way to solve the CPU problem is to use physically separate switches: i.e. replace the L2 portions in the diagram with separate L2 switches.
>>
>> Is my thinking correct? Is there another way?
> logically speaking, VRFs are for L3 what VLANs are for L2.
>
> i don't think "replacing with separate L2 switches" will fix it, i think you've got a L2 loop that needs fixing.

Really? Where? Drawing out the diagram above as the spanning-tree topology stabilises it's:

SW1 SVI ---VLANA-- SW2 SVI
                      |
DDOS Std          DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   |                  |
 Inside ----VLANB--- Inside

Far from ideal, I know, but I'm not sure there's a L2 loop here.

Sam

From dcurran at nuvox.com Tue Aug 5 09:23:07 2008
From: dcurran at nuvox.com (David Curran)
Date: Tue, 05 Aug 2008 09:23:07 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID:

Is there an actual requirement to run LDP/MPLS over these tunnels or are you simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or VRF-Lite, whatever) works very well.
> From: Aaron Daniels - Lists
> Date: Tue, 5 Aug 2008 21:44:40 +1000
> To:
> Subject: [c-nsp] Extending MPLS over external providers cloud
>
> Hello Gurus
>
> Our organisation runs a MPLS core (basic, MPLS VPNs), but also has some smaller low bandwidth sites connected using DSL via an ISP. This external VRF terminates within a single VRF of ours.
> We are now looking at extending several of our VRFs to these remote DSL sites, so as far as I see it, we can either put LDP over a tunnel, or each vrf over a separate tunnel.
> At first glance I was thinking about LDP over DMVPN, which I will lab up over the next few days.
>
> Has anyone done something like this before? What methods have been tried and tested, etc, etc.
> All feedback welcome.
>
> Thanks,
> Aaron Daniels

From malitsky at netabn.com Tue Aug 5 09:31:05 2008
From: malitsky at netabn.com (Michael Malitsky)
Date: Tue, 5 Aug 2008 08:31:05 -0500
Subject: [c-nsp] CPE for IPSEC
References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com>
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>

Arie,

Thanks for the response. 200Mb is the aggregate bandwidth available on the WAN port at each site. Even if I knew what the typical traffic rates were today, the application group would change something tomorrow, so I have to design for the worst case - 390kpps using 64-byte packets.
I phrased the original question the way I did because the specs for the ASA and VAM are written in bits-per-second rather than packets-per-second. In either case, I am curious how close the real world comes to the specs?

Thanks,
Michael Malitsky

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tue 8/5/2008 3:51 AM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Michael,

A few questions:
1. I see you mention 225Mbps, but what is the packet-per-second rate? This is actually a more important factor, as router performance is usually PPS-rate based
2. Is 225M the total hub rate, or is it per spoke?

In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:

-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.
Thanks,
Michael Malitsky

From avayner at cisco.com Tue Aug 5 09:33:25 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 5 Aug 2008 15:33:25 +0200
Subject: [c-nsp] CPE for IPSEC
In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>
References: <79AF0C3901752A49881FE4CB31F7AA40FBD3EA@abn-borg2.NETABN.LOCAL> <67F7C1FAF83A074AA3520D8F155782A501AC522D@xmb-ams-331.emea.cisco.com> <79AF0C3901752A49881FE4CB31F7AA40D337EF@abn-borg2.NETABN.LOCAL>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501B30BA3@xmb-ams-331.emea.cisco.com>

Michael,

Would you also require any QOS policies (especially hierarchical policing with shaping)?

Arie

________________________________
From: Michael Malitsky [mailto:malitsky at netabn.com]
Sent: Tuesday, August 05, 2008 16:31 PM
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Arie,

Thanks for the response. 200Mb is the aggregate bandwidth available on the WAN port at each site. Even if I knew what the typical traffic rates were today, the application group would change something tomorrow, so I have to design for the worst case - 390kpps using 64-byte packets.

I phrased the original question the way I did because the specs for the ASA and VAM are written in bits-per-second rather than packets-per-second. In either case, I am curious how close the real world comes to the specs?

Thanks,
Michael Malitsky

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tue 8/5/2008 3:51 AM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CPE for IPSEC

Michael,

A few questions:
1. I see you mention 225Mbps, but what is the packet-per-second rate?
This is actually a more important factor, as router performance is usually PPS-rate based
2. Is 225M the total hub rate, or is it per spoke?

In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Tuesday, August 05, 2008 01:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CPE for IPSEC

Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps. Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:

-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.
Thanks,
Michael Malitsky

From billf at mu.org Tue Aug 5 13:06:17 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 5 Aug 2008 10:06:17 -0700
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <489837BB.3000701@spacething.org>
References: <48982BD0.9030405@spacething.org> <489835AE.1080006@imperial.ac.uk> <489837BB.3000701@spacething.org>
Message-ID: <20080805170617.GM6869@elvis.mu.org>

On Tue, Aug 05, 2008 at 12:21:31PM +0100, Sam Stickland wrote:
> Phil Mayers wrote:
> >Sam Stickland wrote:
> >>SW1 SVI ---VLANA-- SW2 SVI
> >>   |                  |
> >>DDOS Std          DDOS Act
> >>   |                  |
> >>SW1 (L2) --VLANB-- SW2 (L2)
> >>   X                  |
> >>   |                  |
> >> Inside ----VLANB--- Inside
> >>
> >>The Standby DDOS device does not pass traffic, but VLANs A and B are effectively bridged by the Active DDOS device on the right.
> >
> >What is a DDOS device? Do you mean IDS/IPS?
> Yup.

these are two devices, not one with two interfaces, right? are they connected to each other in any way besides through the switch? e.g. for state sharing or other such.

> >>The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they provide a HSRP address that the inside network has a default pointing towards.
> >>
> >>The CPU on the active side (SW2) is pegged at 99% and it's all in host learning. The log buffer reports:
> >>
> >>Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (X:X:X:X:X:X) as source on port Gix/y in vlan B
> >>
> >>(Gix/y connects to the inside port on the DDOS appliance).
>
> >Frankly I'm surprised this isn't working; if the SW2(L2) are really at layer2 with no SVI, and no L2 control protocols passing the DDoS device e.g. spanning tree, CDP, LLDP etc.
> They have no SVI, but spanning-tree instances are running for VLANs A and B.
> [...]
> Unfortunately the C4k platform doesn't support changing the BIA addresses, but given the nature of the error I don't think it would help. I think it's caused by the layer 2 portion of the switches seeing traffic sourced from its own SVI on one of its ports, which is confusing the host learning.

off-the-top-of-my-head:

- which spanning tree version are you running? does the IDS participate?
- redacted configs would be appropriate since the SVI configuration is so specific and not just the usual vlanX,no-vrf.. you mix "they have no SVI" and mentions of SVIs enough times that it's not clear where they really are or aren't and who/what is pointing to them
- your diagram mixes L1,L2 and L3, it'd be nice to get a physical and logical diagram (and/or a redacted config)
- fire up ye olde sniffer on the IDS box, it could very well be bridging more (or less!) than you think
- speaking of bridging, is there a way to use .1q + routing w/ your IDS?
- look into Loop Guard on both SW1 and SW2. also, to a lesser extent look into rootguard, bpduguard, and be sure spanning tree isn't oscillating
- w/o the config, it's hard to say, but PVLANs may give you the separation of traffic between ports you desire
- VACLs on the IDS ports to permit the things you know about and log the things you don't may be useful combined w/ sniffing

also, i've only used cat6.5k (hybrid & native) and not the 4948.. i dunno the exact capabilities of some of the features i mentioned (PVLAN, VACL).

--
- bill fumerola / billf at FreeBSD.org

From billf at mu.org Tue Aug 5 14:33:49 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 5 Aug 2008 11:33:49 -0700
Subject: [c-nsp] MPLS errors w/ no MPLS configured
Message-ID: <20080805183349.GN6869@elvis.mu.org>

anyone seeing these messages?
Aug 1 02:35:58.924 UTC: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
-Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
Aug 3 15:38:32.708 UTC: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
-Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8

i'm not sure how dangerous these messages are. on one hand, we're not running MPLS at all. on the other hand, i don't like errors that involve broken tables/memory & tracebacks.

rtr1.lon#sh run | i mpls|MPLS
no mpls traffic-eng auto-bw timers frequency 0
rtr1.lon#sh ver | i 12.[23]
Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1)
BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
rtr1.lon#

there are BGP neighbors, both internal and external, on this host. no address-family vpn tho.

-- bill

From ploopster at gmail.com Tue Aug 5 14:55:19 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Tue, 05 Aug 2008 14:55:19 -0400
Subject: [c-nsp] SA-ISA
Message-ID: <4898A217.8090403@gmail.com>

Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it isn't, will it work anyway?

Thanks.

Peace... Sridhar

From saku+cisco-nsp at ytti.fi Tue Aug 5 15:42:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 5 Aug 2008 22:42:06 +0300
Subject: [c-nsp] MPLS PE Routers for a Mobile Carrier?
In-Reply-To: <48972764.8050208@lists.esoteric.ca>
References: <18dba4e50808021320h3cc3868fme97fcd0a010f5610@mail.gmail.com> <6bb5f5b10808021352n76b077e4wb60076252ed4432c@mail.gmail.com> <20080803081205.GA22300@mx.ytti.net> <48972764.8050208@lists.esoteric.ca>
Message-ID: <20080805194206.GA25049@mx.ytti.net>

On (2008-08-04 11:59 -0400), Stephen Fulton wrote:
> > WAN being SIP (be careful with ES20).
>
> Would you mind elaborating on that? I'm leaning toward the ES20 at the moment for our needs..

My biggest pain, lack of vlan local significance, so if you have same VLAN on two different interfaces you need to terminate it to some unique SVI. And if you terminate it to SVI, and still want to benefit from ES20 QoS features, you need to do QoS on the EVC, and on EVC you have only very few match statements, namely match CoS, no match ACL or anything.

On first thought, match CoS may be enough. But if you'd want to just shape all traffic to 5Mbps, you'd have to use 'class-default', as you can't use ACL with 'ANY'. And if you use class-default, you reduce the amount of VRF customers you can terminate on the box (you run out of the 4k VLAN sooner) and you reduce pps performance (additional lookup for first 512 VRF's).

Also no uRPF/strict and uRPF/loose per interface.

All these limitations puzzle me, as it appears to be SIP600, and SIP600 has vlan local significance and uRPF per port.

Talk to your SE/AM, hopefully there is something new coming with same price and better feature parity with 'real' WAN cards. (+EVC magic)

> -- Stephen
>
> Saku Ytti wrote:
>> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote:
>>
>>> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and
>>
>> I believe ASR1k did MPLS and L3 MPLS VPN in FCS. Only large bit missing was L2 MPLS VPN's which is coming in release3 iirc.
>>
>>> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could be the J-land options to explore (although ISR 38x5 are their counterparts at C-land, not the ME6524).
>>
>> QoS in PE and catalyst doesn't seem good fit to me. Unless you have dedicated port to each customer. But in view most all PE usages include customers in VLAN, in which case, to do any QoS, you need HQoS, which LAN cards can not do. They are cheap for a reason.
>> While in LSR/P role, LAN cards are perfect fit. It's quite backwards really, you want 'WAN' cards to face your distribution and LAN cards are fine in all core, except if you want to do VPLS, in which case LER/PE needs WAN card to core too.
>>
>> WAN being SIP (be careful with ES20).

--
++ytti

From saku+cisco-nsp at ytti.fi Tue Aug 5 15:53:00 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 5 Aug 2008 22:53:00 +0300
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To:
References: <008401c8f6f0$a7cd4250$f767c6f0$@id.au>
Message-ID: <20080805195300.GB25049@mx.ytti.net>

On (2008-08-05 09:23 -0400), David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are you simply looking to extend a VRF? If it's the latter, Multi-VRF CE (or VRF-Lite, whatever) works very well.

My vote on vrf-lite too. I fear we as an industry poop all over L3 MPLS VPN by doing stunts like this (I'm guilty too). And in a customer role, I would never trust an L3 MPLS VPN bought from an operator, but would run my own VPN over IP tunnels on the cheapest pure Internet DSL available.

You should only talk MPLS (be it 'native', OptB or OptC) to a router that is physically secured (not the customer's cabinet) and administered by a fully trusted party (not a competitor with whom you run e.g. OptB.)

Main grief with having say OptB to an untrusted physical location or managed by another organization is lack of label checking, so they can just inject any labels into the network and they will be forwarded. Sure, label space is large, but take a look what space assigned labels hold and that space is very small, and pushing a packet to any VRF from a site connected to your MPLS network is easy.
Of course it's just unidirectional, but we can't ignore that, since then other people may ignore another 'irrelevant' security issue that is unidirectional in the other direction, and you'd have a fully compromised VRF.

Possible remedies would be for CSCO and JNPR to implement OptB as the RFC states, so that they'd only accept from an OptB ASBR labels that were previously advertised to it via BGP. Then you'd only need to trust the ASBR with the VRF's you're sharing with them, which is much easier to do (they'd be screwing their own customer). For pure MPLS or OptC there is no remedy; you could randomize label assignment to make it unfeasible to inject traffic into every VRF, but it doesn't replace the need for trust.

> > From: Aaron Daniels - Lists
> > Date: Tue, 5 Aug 2008 21:44:40 +1000
> > To:
> > Subject: [c-nsp] Extending MPLS over external providers cloud
> >
> > Hello Guru's
> >
> > Our organisation runs a MPLS core (basic, MPLS VPN's), but also has some
> > smaller low bandwidth sites connected using DSL via an ISP. This external
> > VRF terminates within a single VRF of ours.
> > We are now looking at extending several of our VRF's to these remote DSL
> > sites, so as far as I see it, we can either put LDP over a tunnel, or each
> > vrf over a separate tunnel.
> > At first glance I was thinking about LDP over DMVPN, which I will lab up
> > over the next few days.
> >
> > Has anyone done something like this before? What methods have been tried and
> > tested, etc, etc.
> > All feedback welcome.
> >
> > Thanks,
> > Aaron Daniels
> >
> > This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email.
> > Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.

--
  ++ytti

From ltd at cisco.com Tue Aug 5 21:58:22 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 06 Aug 2008 11:58:22 +1000
Subject: [c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
In-Reply-To: <4898523B.7060604@spacething.org>
References: <48982BD0.9030405@spacething.org> <48984BC6.4070509@cisco.com> <4898523B.7060604@spacething.org>
Message-ID: <4899053E.9000206@cisco.com>

Sam Stickland wrote:
>
>>> believe this is because the switches' MAC tables aren't VRF aware
>>> and the only way to solve the CPU problem is to use physically
>>> separate switches: i.e. replace the L2 portions in the diagram with
>>> separate L2 switches.
>>>
>>> Is my thinking correct? Is there another way?
>> logically speaking, VRFs are for L3 what VLANs are for L2.
>>
>> i don't think "replacing with separate L2 switches" will fix it, i
>> think you've got a L2 loop that needs fixing.
> Really? Where?

i'd say it's something evil that the DDoS devices are doing.

what it's doing is up for debate, but clearly that SW2 is indicating it's receiving BACK packets it's sending, from the log message; clearly it's working overtime on the MAC learning too, given it's at 99% CPU in that process moving mac addresses between ports . . .

> Drawing out the diagram above as the spanning-tree topology stabilises
> it's:
> [..]
> Far from ideal, I know, but I'm not sure there's a L2 loop here.

my guess is the DDoS boxes are eating/modifying BPDUs to allow STP to establish in the first place.
purely a guess mind you, as i say, just going on the evidence of what the cisco switch is reporting & having done lots of 'testing' of these kinds of scenarios on other cisco boxes...

cheers,

lincoln.

From danletkeman at gmail.com Tue Aug 5 22:01:54 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 5 Aug 2008 21:01:54 -0500
Subject: [c-nsp] shaping http traffic on a 2821
Message-ID:

Hello,

I'm wondering if anyone has some good documentation or examples of shaping http traffic on a router. I have been asked to look into this for an educational institute where they don't want to add more bandwidth, but make better use of what they have. The connection is currently a 20mbit connection. I would also like to prioritize traffic so incoming requests to the http server and voip calls get a higher priority.

Thanks,
Dan.

From vikassharmas at gmail.com Tue Aug 5 23:00:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 6 Aug 2008 08:30:23 +0530
Subject: [c-nsp] Inter-AS option B - filter based on IPv4+ Labels?
Message-ID:

Hi,

In Inter-AS option B, I have the option of filtering with BGP attributes: AS-PATH, ext communities, RD checks. Can I filter based on IPv4+ Labels? i.e. set route maps to filter so that only the desirable prefixes are injected into the BGP table and propagated using IPv4+ Labels to the adjacent ASBR? Can you point me to the web page?

If the above is true then I can use standard BGP communities to filter the traffic between ASBRs in option B!!!

Regards,
Vikas Sharma

From lists at daniels.id.au Tue Aug 5 23:14:29 2008
From: lists at daniels.id.au (lists at daniels.id.au)
Date: Tue, 05 Aug 2008 22:14:29 -0500
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To:
References:
Message-ID: <6332c15961358010eaa374277a6abd84@daniels.id.au>

Hi David,

On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are
> you
> simply looking to extend a VRF?
> If its the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

The requirement is simply to provide multiple VRF's (3 to 5) at any remote site; the vrf's will vary site-to-site based on local requirements.

In an ethernet scenario, I agree: VRF-Lite, dot1q and away we go, but here I have a cloud in the middle connecting several (20-30) DSL sites to a head office (hub and spoke), and the thought of having to manage multiple tunnels (one per vrf) per site is making me cringe..

Or am I missing something, is there some other way to more easily manage these multiple tunnels?

Thanks,
Aaron

From andy.saykao at staff.netspace.net.au Tue Aug 5 23:19:06 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 6 Aug 2008 13:19:06 +1000
Subject: [c-nsp] MPLS affecting normal IP cache flows
Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I've deployed MPLS across parts of our core network and everything appears to be working fine. I've also got MPLS VPN's going, which is the main reason for us rolling out MPLS in the first place.

However, I've run into a problem with netflow on one of the PE routers that affects normal IP flows when mpls is enabled on the interface. The PE router having this problem is a cisco 7206VXR (NPE-G1) running IOS Version 12.3(22). Other PE routers are not showing this problem but they are 7301's running a different IOS.

What I'm finding is that when I enable "tag-switching ip" on interface Gi0/2, which forms part of our MPLS core (as seen below), the netflows for normal IP traffic aren't as they should be. Doing a "show ip cache flow" on the PE router only shows a few flows going through for normal IP traffic, and we'd expect more IP cache flows to be going through because lots of customers hang off this PE router. When we remove the "tag-switching ip" from the interface, flows are back to normal.
interface GigabitEthernet0/2
 mtu 1500
 ip address 203.10.110.x 255.255.255.224
 ip route-cache flow
 load-interval 30
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 tag-switching mtu 1508
 tag-switching ip
 no clns route-cache

We are also seeing this in the file size on the netflow collector. After enabling mpls on interface Gi0/2 above on July 29th, you can see that from that time on the file size of flows being collected at 12pm is considerably less than what we would expect.

> ls -la *12-2.bz2
-rw-r--r--  1 root  wheel  29224597 Jul 21 12:59 Netstat_2008072112-2.bz2
-rw-r--r--  1 root  wheel  30218681 Jul 22 12:59 Netstat_2008072212-2.bz2
-rw-r--r--  1 root  wheel  28635436 Jul 23 12:59 Netstat_2008072312-2.bz2
-rw-r--r--  1 root  wheel  26987099 Jul 24 12:59 Netstat_2008072412-2.bz2
-rw-r--r--  1 root  wheel  26003303 Jul 25 12:59 Netstat_2008072512-2.bz2
-rw-r--r--  1 root  wheel   4427493 Jul 26 12:59 Netstat_2008072612-2.bz2
-rw-r--r--  1 root  wheel   4758483 Jul 27 12:59 Netstat_2008072712-2.bz2
-rw-r--r--  1 root  wheel  28679702 Jul 28 12:59 Netstat_2008072812-2.bz2
-rw-r--r--  1 root  wheel    222144 Jul 29 12:59 Netstat_2008072912-2.bz2
-rw-r--r--  1 root  wheel    154352 Jul 30 12:59 Netstat_2008073012-2.bz2
-rw-r--r--  1 root  wheel    315422 Jul 31 12:59 Netstat_2008073112-2.bz2
-rw-r--r--  1 root  wheel    388378 Aug  1 12:59 Netstat_2008080112-2.bz2
-rw-r--r--  1 root  wheel    145880 Aug  2 12:59 Netstat_2008080212-2.bz2
-rw-r--r--  1 root  wheel    171154 Aug  3 12:59 Netstat_2008080312-2.bz2
-rw-r--r--  1 root  wheel    410493 Aug  4 12:59 Netstat_2008080412-2.bz2
-rw-r--r--  1 root  wheel    326936 Aug  5 12:59 Netstat_2008080512-2.bz2

Any ideas as to why enabling mpls would be affecting normal IP cache flows? I can only suspect that it's some IOS bug with the IOS we're running.

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From ecables at gmail.com Tue Aug 5 23:54:33 2008
From: ecables at gmail.com (Eric Cables)
Date: Tue, 5 Aug 2008 20:54:33 -0700
Subject: [c-nsp] shaping http traffic on a 2821
In-Reply-To:
References:
Message-ID:

Just do a search for MQC (Modular QoS CLI) on cisco.com; you'll have plenty of material at your disposal.

On Tue, Aug 5, 2008 at 7:01 PM, Dan Letkeman wrote:
> Hello,
>
> I'm wondering if anyone has some good documentation or examples of
> shaping http traffic on a router. I have been asked to look into this
> for an educational institute where they don't want to add more
> bandwidth, but make better use of what they have. The connection is
> currently a 20mbit connection. I would also like to prioritize
> traffic so incoming requests to the http server and voip calls get a
> higher priority.
>
> Thanks,
> Dan.

--
Eric Cables

From arla at rn.dk Wed Aug 6 02:10:41 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 6 Aug 2008 08:10:41 +0200
Subject: [c-nsp] old 6513 chassis vs sup720
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>

Hi Folks.

I've got a 6513 chassis, and I believe that it's very old. Can I be sure that this supports sup720 ??. Is there a command that can verify this ??
/Arne

From swmike at swm.pp.se Wed Aug 6 02:20:55 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 6 Aug 2008 08:20:55 +0200 (CEST)
Subject: [c-nsp] old 6513 chassis vs sup720
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2886948A6788@SRVEXC02.aas.its.nja.dk>
Message-ID:

On Wed, 6 Aug 2008, Arne Larsen / Region Nordjylland wrote:

> I've got a 6513 chassis, and I believe that It's very old. Can I be sure
> that this supports sup720 ??. Is there a command that can verify this ??

You need to check at least the PSUs and the fans to see if they're what's needed for SUP720.

In my experience, not even Cisco will get it right all the time in what's needed to get an old chassis to work with SUP720.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From oboehmer at cisco.com Wed Aug 6 02:28:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 08:28:24 +0200
Subject: [c-nsp] MPLS affecting normal IP cache flows
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE0365482D@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6818E@xmb-ams-333.emea.cisco.com>

Andy Saykao <> wrote on Wednesday, August 06, 2008 5:19 AM:

> Hi All,
>
> I've deployed MPLS across parts of our core network and everything
> appears to be working fine. I've also got MPLS VPN's going which is
> the main reason for us rolling out MPLs in the first place.
>
> However, I've run into a problem with netflow on one of the PE routers
> that affects normal IP flows when mpls is enabled on the interface.
> The PE router having this problems is a cisco 7206VXR (NPE-G1) running IOS
> Version 12.3(22). Other PE routers are not showing this problem but
> they are 7301's running a different IOS.
>
> What I'm finding is that when I enable "tag-switching ip" on interface
> Gi0/2 which forms part of our MPLS core (as seen below), the netflows
> for normal IP traffic isn't as it should be. Doing a "show ip cache
> flow" on the PE router only shows a few flows going through for normal
> IP traffic and we'd expect more IP cache flows to be going through
> because lots of customers hang off this PE router. When we remove the
> "tag-switching ip" from the interface, flows are back to normal.
[..]
> Any ideas as to why enabling mpls would be affecting normal IP cache
> flows? I can only suspect that it's some IOS bug with the IOS we're
> running .

do you filter any LDP advertisements? If you just enable LDP on the interface (or TDP for that matter), "regular" IPv4 traffic will also be label-switched, as LDP advertises labels for all non-BGP IPv4 prefixes in your RIB. Can you do a "show mpls forwarding-table " for a prefix you would expect to see in the cache? Do you see an incoming label (which is != Pop label)?

	oli

From oboehmer at cisco.com Wed Aug 6 02:44:50 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 08:44:50 +0200
Subject: [c-nsp] SA-ISA
In-Reply-To: <4898A217.8090403@gmail.com>
References: <4898A217.8090403@gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>

Sridhar Ayengar <> wrote on Tuesday, August 05, 2008 8:55 PM:

> Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it
> isn't, will it work anyway?

it's not supported, and I strongly doubt it would work (definitely not when dCEF is enabled), but I wouldn't be surprised if it doesn't even come up. As far as I know, there are NO hardware encryption capabilities on the 7500 series..

	oli

From oboehmer at cisco.com Wed Aug 6 03:01:11 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 6 Aug 2008 09:01:11 +0200
Subject: [c-nsp] Inter-AS option B - filter based on IPv4+ Labels?
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D681B2@xmb-ams-333.emea.cisco.com>

Vikas Sharma <> wrote on Wednesday, August 06, 2008 5:00 AM:

> Hi,
>
> In Inter-AS - option B, I have an option of filtering with BGP
> attributes ASPATH, ext communities, RDs checks. Can I filter based on
> IPv4+ Labels? i.e. set route maps to filter and send only the
> desirable prefixes are injected into the BGP table and propagated
> using IPv4+ Labels to the adjacent ASBR? Can you point me the web
> page?

you can filter on the IP prefix "part" of the vpnv4 RD: update (match ip address ...); however, this filter ignores the RD, so a "deny 10.0.0.1" would filter 10.0.0.1 from all vpns using this address. If you have control over the vpn's address space (i.e. if those are your "own" VPNs), it would be an option. Filtering based on the VPN label is not possible (and would not make sense as the label is dynamically allocated).

	oli

From stig.johansen at ementor.no Wed Aug 6 03:05:03 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 6 Aug 2008 09:05:03 +0200
Subject: [c-nsp] Extending MPLS over external providers cloud
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5033F525A@100NOOSLMSG004.common.alpharoot.net>

You should look into running several DMVPN's (using a FVRF and IVRF, as it's called), one for each VRF you want to provide at the remote sites. If you have a total of 5 VRF's, you'll have a headend with 5 different DMVPN's in 5 different VRF's and all is done with dynamic routing and setup. The CE's should run Multi-VRF's.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of lists at daniels.id.au
Sent: 6 August 2008 05:14
To: David Curran
Cc: lists at daniels.id.au; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Extending MPLS over external providers cloud

Hi David,

On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
> Is there an actual requirement to run LDP/MPLS over these tunnels or are
> you
> simply looking to extend a VRF? If its the latter, Multi-VRF CE (or
> VRF-Lite, whatever) works very well.

The requirement is simply to provide multiple VRF's (3 to 5) at any remote site, the vrf's will vary site-to-site based on local requirements.

In an ethernet scenario, I agree VRF-Lite, dot1q and away we go, but here I have a cloud in the middle connecting several (20-30) DSL sites to a head office (hub and spoke), and the thought of having to manage multiple tunnels (one per vrf), per site is making me cringe..

Or am I missing something, is there some other way to more easily manage these multiple tunnels?

Thanks,
Aaron

From perc69+cnsp at gmail.com Wed Aug 6 03:10:59 2008
From: perc69+cnsp at gmail.com (Per Carlson)
Date: Wed, 6 Aug 2008 09:10:59 +0200
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <746ca6da0808060010i5dc6120j327b6bc246a5c4b6@mail.gmail.com>

On Wed, Aug 6, 2008 at 05:14, wrote:
> ... here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..

We have successfully used PPP/L2TP in a similar scenario (multiple VRF-Lites over one logical IP-interface).
What you need is a CPE supporting "L2TP Client Initiated Tunneling"[1] (available from 12.3(2)T), and a PE able to terminate PPP/L2TP and run MPLS at the same time (we are using a 7200 running 12.2(31)SB/Enterprise for this). The L2TP session is terminated in one VRF on the PE router and the PPP sessions are directed into other VRF's based on the RADIUS reply. Yup, you will need a RADIUS (or TACACS+) server for this.

[1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html

--
Pelle

From ncnet at sbcglobal.net Wed Aug 6 03:30:10 2008
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 06 Aug 2008 00:30:10 -0700
Subject: [c-nsp] old 6513 chassis vs sup720
In-Reply-To:
Message-ID:

DUAL WS-CAC2500W and WS-C6K-13SLT-FAN2 are minimum hardware requirements.

on 8/5/08 11:20 PM, Mikael Abrahamsson wrote:

> On Wed, 6 Aug 2008, Arne Larsen / Region Nordjylland wrote:
>
>> I've got a 6513 chassis, and I believe that It's very old. Can I be sure
>> that this supports sup720 ??. Is there a command that can verify this ??
>
> You need to check at least the PSUs and the fans to see if they're what's
> needed for SUP720.
>
> In my experience, not even Cisco will get it right all the time in what's
> needed to get an old chassis to work with SUP720.

~.~.~.~.~.~.~.~.~.~.~.
Larry Stites
NorCal Networks, Inc.
Nevada City, CA 95959
530-320-4194
530-265-2588 fax

From asturluismi at gmail.com Wed Aug 6 04:34:36 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 06 Aug 2008 10:34:36 +0200
Subject: [c-nsp] NAT issue with 7206 and c7200p-ik91s-mz.122-31.SB12
Message-ID: <1218011676.8499.9.camel@dsba-ipso>

Hi all,

I have a strange nat issue here, it seems not to work as it should.

#sh ip nat translations

Then I tried to..

# no ip nat inside source list 13 pool nat_08 overload
%Dynamic mapping in use, cannot remove
# no ip nat pool nat_08 1.1.1.13 1.1.1.13 netmask 255.255.255.252
%Pool nat_08 in use, cannot destroy

Why can't I remove those lines?
I tried too to do a "clear ip nat translations" and "ip clear nat translations forced" without success. I removed the "ip nat inside" and "ip nat outside" commands from the interfaces, with no effect at all, same result.

Now, I also load a new "ip nat inside" rule over a new "ip nat pool" rule and I just see misses in my "sh ip nat stats", and "ip nat inside" and "ip nat outside" are correct!

I will review the "open caveats" for the release but in the mean time if anyone on the list can give me a hand I will really appreciate it.

From saku+cisco-nsp at ytti.fi Wed Aug 6 05:06:08 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 6 Aug 2008 12:06:08 +0300
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
References: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID: <20080806090608.GA17116@mx.ytti.net>

On (2008-08-05 22:14 -0500), lists at daniels.id.au wrote:

> In an ethernet scenario, I agree VRF-Lite, dot1q and away we go, but here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..

Yet another solution that was not suggested yet, which doesn't reduce your MTU either, is 'vrf select'. The problem with it is that if your customers can spoof their source address, they can get packets into different VRFs. So you'd need to run uRPF/strict on the LAN interface in the CE and make sure the CE is physically secured. It is an ugly hack, that is granted. VRF-lite and multiple PVC's would be my preferred solution.

--
  ++ytti

From johnmanning.mpls at gmail.com Wed Aug 6 06:46:49 2008
From: johnmanning.mpls at gmail.com (MPLS MPLS)
Date: Wed, 6 Aug 2008 16:16:49 +0530
Subject: [c-nsp] Six cos in the core
Message-ID:

Hello List,

Would like to know if there are any Service Providers who have implemented six CoS queues in the core.
Cisco seems to claim that for supporting the TelePresence application it needs to be queued in a dedicated queue in the SP core. Has anyone done something on these lines for supporting TelePresence rooms?

Thanks,

From dcurran at nuvox.com Wed Aug 6 07:38:28 2008
From: dcurran at nuvox.com (David Curran)
Date: Wed, 06 Aug 2008 07:38:28 -0400
Subject: [c-nsp] Extending MPLS over external providers cloud
In-Reply-To: <6332c15961358010eaa374277a6abd84@daniels.id.au>
Message-ID:

mGRE?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/greL3vpn.html

> From:
> Date: Tue, 05 Aug 2008 22:14:29 -0500
> To: David Curran
> Cc: ,
> Subject: Re: [c-nsp] Extending MPLS over external providers cloud
>
> Hi David,
>
> On Tue, 05 Aug 2008 09:23:07 -0400, David Curran wrote:
>> Is there an actual requirement to run LDP/MPLS over these tunnels or are
>> you
>> simply looking to extend a VRF? If its the latter, Multi-VRF CE (or
>> VRF-Lite, whatever) works very well.
>
> The requirement is simply to provide multiple VRF's (3 to 5) at any remote
> site, the vrf's will vary site-to-site based on local requirements.
> In an ethernet scenario, I agree VRF-Lite, dot1q and away we go, but here I
> have a cloud in the middle connecting several (20-30) DSL sites to a head
> office (hub and spoke), and the thought of having to manage multiple
> tunnels (one per vrf), per site is making me cringe..
>
> Or am I missing something, is there some other way to more easily manage
> these multiple tunnels?
>
> Thanks,
> Aaron
>

From dcurran at nuvox.com Wed Aug 6 07:46:15 2008
From: dcurran at nuvox.com (David Curran)
Date: Wed, 06 Aug 2008 07:46:15 -0400
Subject: [c-nsp] MPLS affecting normal IP cache flows
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6818E@xmb-ams-333.emea.cisco.com>
Message-ID:

Seems like you might need the "mpls netflow egress" command since this is a backbone interface.

> From: "Oliver Boehmer (oboehmer)"
> Date: Wed, 6 Aug 2008 08:28:24 +0200
> To: Andy Saykao ,
>
> Subject: Re: [c-nsp] MPLS affecting normal IP cache flows
>
> Andy Saykao <> wrote on Wednesday, August 06, 2008 5:19 AM:
>
>> Hi All,
>>
>> I've deployed MPLS across parts of our core network and everything
>> appears to be working fine. I've also got MPLS VPN's going which is
>> the main reason for us rolling out MPLs in the first place.
>>
>> However, I've run into a problem with netflow on one of the PE routers
>> that affects normal IP flows when mpls is enabled on the interface.
>> The PE router having this problems is a cisco 7206VXR (NPE-G1) running
> IOS
>> Version 12.3(22). Other PE routers are not showing this problem but
>> they are 7301's running a different IOS.
>>
>> What I'm finding is that when I enable "tag-switching ip" on interface
>> Gi0/2 which forms part of our MPLS core (as seen below), the netflows
>> for normal IP traffic isn't as it should be. Doing a "show ip cache
>> flow" on the PE router only shows a few flows going through for normal
>> IP traffic and we'd expect more IP cache flows to be going through
>> because lots of customers hang off this PE router. When we remove the
>> "tag-switching ip" from the interface, flows are back to normal.
> [..]
>> Any ideas as to why enabling mpls would be affecting normal IP cache
>> flows? I can only suspect that it's some IOS bug with the IOS we're
>> running .
>
> do you filter any LDP advertisements? If you just enable LDP on the
> interface (or TDP for that matter), "regular" IPv4 traffic will also be
> label-switched as LDP advertises labels for all non-BGP IPv4 prefixes in
> your RIB. Can you do a "show mpls forwarding-table " for a
> prefix you would expect to see in the cache? Do you see a incoming label
> (which is != Pop label)?
>
> oli
>

From dean at eatworms.org.uk Wed Aug 6 09:00:50 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 6 Aug 2008 14:00:50 +0100
Subject: [c-nsp] SGBP on 12.2(31)SB
Message-ID: <005601c8f7c4$74084990$5c18dcb0$@org.uk>

Has anyone got SGBP (Multichassis Multilink PPP) currently running on 12.2(31)SB on 7200s?

It's been working just fine across a pair of 7200s running 12.3(11)T10, which got upgraded to 12.2(31)SB8 last night. (I know later SB releases are available but we're using SB8 elsewhere as well.) And the SGBP stopped working.

Appears SGBP is trying to use radius for authentication (our ppp authentication method) despite being configured with "aaa authentication sgbp local" and correct usernames to match stack groups etc. (which were working fine prior to the upgrade).

Anyone been through this one before?

Dean

From nimal at fnbs.net Wed Aug 6 09:09:54 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Wed, 06 Aug 2008 21:09:54 +0800
Subject: [c-nsp] Excessive AMDP2_FE-3-UNDERFLO
Message-ID: <4899A2A2.4080108@fnbs.net>

Hi guys,

Need some advice.
One of the interfaces on my border routers is consistently getting AMDP2_FE-3-UNDERFLO messages during its peak usage (9am-5pm) hours. The interface FastEthernet2/0 is seeing approx 40Mbps out and 15 Mbps in. The explaination for this error on Cisco website is: ------------ Explanation While transmitting a frame, the controller chip's local buffer received insufficient data because data could not be transferred to the chip fast enough to keep pace with its output rate. Normally, such a problem is temporary, depending on transient peak loads within the system. Recommended Action The system should recover. No action is required. ------------ I need some convincing of that. Of late, i've received a few reports of packet loss to my network of late, and am not sure if this transmit error has anything to do with it. Any help is much appreciated! FYI, the router in question is a Cisco 7206VXR. The interface is 100Mbps capable. Aug 6 09:05:51 202.X.X.X 16758: Aug 6 09:05:50.850 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 09:22:54 202.X.X.X 16759: Aug 6 09:22:53.283 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 09:25:09 202.X.X.X 16760: Aug 6 09:25:08.771 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 09:35:22 202.X.X.X 16761: Aug 6 09:35:21.443 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 09:48:33 202.X.X.X 16762: Aug 6 09:48:32.053 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 10:07:07 202.X.X.X 16764: Aug 6 10:07:06.674 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 10:08:37 202.X.X.X 16765: Aug 6 10:08:36.702 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 10:17:37 202.X.X.X 16766: Aug 6 10:17:36.630 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 10:42:52 202.X.X.X 16775: Aug 6 10:42:51.517 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error Aug 6 11:03:00 202.X.X.X 16783: Aug 6 11:02:59.377 MAL: %AMDP2_FE-3-UNDERFLO: 
FastEthernet2/0 transmit error
Aug 6 11:04:22 202.X.X.X 16784: Aug 6 11:04:21.672 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:04:22 202.X.X.X 16785: Aug 6 11:04:21.672 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:17:19 202.X.X.X 16786: Aug 6 11:17:18.339 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:29:52 202.X.X.X 16787: .Aug 6 11:29:51.219 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:36:07 202.X.X.X 16788: Aug 6 11:36:06.764 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:41:57 202.X.X.X 16789: Aug 6 11:41:56.615 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:43:26 202.X.X.X 16790: Aug 6 11:43:25.694 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:49:07 202.X.X.X 16791: Aug 6 11:49:06.796 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 11:50:07 202.X.X.X 16792: Aug 6 11:50:06.636 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 12:23:37 202.X.X.X 16794: Aug 6 12:23:36.735 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 12:29:37 202.X.X.X 16795: Aug 6 12:29:36.649 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 12:39:27 202.X.X.X 16796: Aug 6 12:39:26.629 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 13:05:30 202.X.X.X 16803: Aug 6 13:05:29.396 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 14:21:40 202.X.X.X 16805: Aug 6 14:21:39.319 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 14:33:30 202.X.X.X 16806: Aug 6 14:33:29.319 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 14:36:55 202.X.X.X 16807: Aug 6 14:36:54.313 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 14:46:58 202.X.X.X 16808: Aug 6 14:46:57.086 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:10:52 202.X.X.X 16810: Aug 6 15:10:51.737 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:11:09 202.X.X.X 16811: Aug 6 15:11:08.061 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/1 transmit error
Aug 6 15:13:52 202.X.X.X 16812: Aug 6 15:13:51.740 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:14:11 202.X.X.X 16813: Aug 6 15:14:10.795 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:18:59 202.X.X.X 16814: Aug 6 15:18:58.742 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:23:43 202.X.X.X 16815: Aug 6 15:23:42.172 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:46:06 202.X.X.X 16817: Aug 6 15:46:05.635 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 15:53:55 202.X.X.X 16818: Aug 6 15:53:54.048 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:09:06 202.X.X.X 16820: Aug 6 16:09:05.570 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:15:53 202.X.X.X 16821: Aug 6 16:15:52.157 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:17:43 202.X.X.X 16822: Aug 6 16:17:42.039 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:33:40 202.X.X.X 16823: Aug 6 16:33:39.344 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:35:08 202.X.X.X 16824: Aug 6 16:35:07.359 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:38:27 202.X.X.X 16825: Aug 6 16:38:26.278 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:44:58 202.X.X.X 16826: Aug 6 16:44:57.748 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:44:58 202.X.X.X 16827: Aug 6 16:44:57.748 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:49:07 202.X.X.X 16828: Aug 6 16:49:06.738 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/0 transmit error
Aug 6 16:50:46 202.X.X.X 16829: Aug 6 16:50:45.557 MAL: %AMDP2_FE-3-UNDERFLO: FastEthernet2/1 transmit error

From justin at justinshore.com Wed Aug 6 10:31:07 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 06 Aug 2008 09:31:07 -0500
Subject:
[c-nsp] IOS-hosted DHCP rate-limiting
Message-ID: <4899B5AB.9020204@justinshore.com>

I just killed the PVC of a DSL customer that was sending exactly 115 DHCP DISCOVER messages per second. That caused a 600% increase on the CPU of the NPE-G1 that the PVC terminates on and the DHCP is currently being run on. Are there any DHCP rate-limiting features built into the IOS that could be used to throttle either how often the router will respond to certain received queries, to queries from a single host, or the rate at which queries can be punted to the CPU for processing?

Thanks
Justin

From lukasz at bromirski.net Wed Aug 6 12:58:34 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 06 Aug 2008 18:58:34 +0200
Subject: [c-nsp] IOS-hosted DHCP rate-limiting
In-Reply-To: <4899B5AB.9020204@justinshore.com>
References: <4899B5AB.9020204@justinshore.com>
Message-ID: <4899D83A.7010304@bromirski.net>

Justin Shore wrote:
> I just killed the PVC of a DSL customer that was sending exactly 115
> DHCP DISCOVER messages per second. That caused a 600% increase on the
> CPU of the NPE-G1 that the PVC terminates on and the DHCP is currently
> being run on. Are there any DHCP rate-limiting features built into the
> IOS that could be used to throttle either how often the router will
> respond to certain received queries, to queries from a single host, or
> the rate at which queries can be punted to the CPU for processing?

Check the Control Plane Policing deployment guide:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

-- 
"Don't expect me to cry for all the | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From notrevebr at gmail.com Wed Aug 6 13:21:07 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Wed, 6 Aug 2008 14:21:07 -0300
Subject: [c-nsp] Crazy NAT
In-Reply-To: <3cf174360806191448q7dcfedfeybdfc47f6c6fd0617@mail.gmail.com>
References: <3cf174360806191436n4a229c75t9167d1c755c1e45@mail.gmail.com> <485AD2F3.4060101@wi.rr.com> <3cf174360806191448q7dcfedfeybdfc47f6c6fd0617@mail.gmail.com>
Message-ID: <3cf174360808061021v388a430arc871a95f3751ad23@mail.gmail.com>

Hi all,

I resolved this by putting the source in a route-map.

tks all...

On 6/19/08, Everton Diniz wrote:
> Yes,
> I have static entries for NAT.
>
> ip nat inside source static 10.180.26.153 10.180.20.153
> ip nat inside source static 10.180.52.70 172.30.170.201 extendable
> ip nat inside source static 10.180.52.71 172.30.170.202 extendable
> ip nat inside source static 10.180.53.70 172.30.170.203 extendable
> ip nat inside source static 10.180.53.71 172.30.170.204 extendable
> ip nat inside source static 10.180.54.70 172.30.170.205 extendable
> ip nat inside source static 10.180.54.71 172.30.170.206 extendable
> ip nat inside source static 10.180.57.70 172.30.170.207 extendable
> ip nat inside source static 10.180.57.71 172.30.170.208 extendable
> ip nat inside source static 10.180.57.73 172.30.170.209 extendable
> ip nat inside source static 10.180.57.74 172.30.170.210 extendable
> ip nat inside source static 10.180.56.70 172.30.170.211 extendable
> ip nat inside source static 10.180.56.71 172.30.170.212 extendable
> ip nat inside source static 10.1.1.210 172.30.170.221 extendable
> ip nat inside source static 10.1.1.211 172.30.170.222 extendable
>
> On 6/19/08, Wink wrote:
> > Are there other NAT statements in your config?
> >
> > Everton Diniz wrote:
> > >
> > > Hi,
> > >
> > > I have a crazy router that does NAT for a deny entry on an ACL. Whyyyy???
> > >
> > > ip nat pool nat-pool 10.250.63.2 10.250.63.254 netmask 255.255.255.0
> > > ip nat inside source list permit-nat pool nat-pool
> > >
> > > Extended IP access list permit-nat
> > >     10 deny ip host 10.180.20.70 host 10.180.50.201 log
> > >     20 deny ip host 10.180.20.96 host 10.180.50.201 log
> > >     30 deny ip host 10.180.20.159 host 10.180.50.201 log
> > >     40 deny ip 10.180.0.0 0.0.255.255 host 10.180.50.201 log (242 matches)
> > >     50 permit ip 10.180.0.0 0.0.255.255 10.252.0.0 0.1.255.255 log
> > >     60 deny ip any any log (108 matches)
> > >
> > > tcp 10.250.63.14:2984 10.180.20.70:2984 10.180.50.201:8080 10.180.50.201:8080
> > >
> > > Version 12.3(8)T5
> > >
> > > Does anyone have the same problem?
> > >
> > > Regards,
> > > Everton
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Wed Aug 6 13:24:19 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 13:24:19 -0400
Subject: [c-nsp] SA-ISA
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>
References: <4898A217.8090403@gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405D6819E@xmb-ams-333.emea.cisco.com>
Message-ID: <20080806172419.GM2589@rtp-cse-489.cisco.com>

That's correct. There are none.

Rodney

On Wed, Aug 06, 2008 at 08:44:50AM +0200, Oliver Boehmer (oboehmer) wrote:
> Sridhar Ayengar <> wrote on Tuesday, August 05, 2008 8:55 PM:
>
> > Is the SA-ISA supported on the VIP2-50 in a 7500-series router? If it
> > isn't, will it work anyway?
>
> it's not supported, and I strongly doubt it would work (definitely not
> when dCEF is enabled), but I wouldn't be surprised if it doesn't even
> come up.
> As far as I know, there are NO hardware encryption capabilities on the
> 7500 series..
>
> oli

From notrevebr at gmail.com Wed Aug 6 13:25:53 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Wed, 6 Aug 2008 14:25:53 -0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <1216129215.24030.4.camel@svesken.sys.mjna.net>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com> <1216129215.24030.4.camel@svesken.sys.mjna.net>
Message-ID: <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>

Hi Peter,

Sorry for the late reply, I tried the test again. The host is OK, responding to the request. On the router side, after the VPN comes up, I see the 10.139.10/24 net in the route table, and the router encaps traffic. On the PIX side, I still see only the decaps traffic. On the ACL L2Lnonat I see the hitcount increase, but in ACL L2L it does not.

Tks...

On 7/15/08, Peter Rathlev wrote:
> On Tue, 2008-07-15 at 10:19 -0300, Everton Diniz wrote:
> > Hi all,
> >
> > I configured a tunnel between the PIX and the router. The traffic goes to the PIX but
> > does not return. I see only encaps on the router and decaps on the
> > PIX.
> > Is anything missing?
>
> Are you sure the host in the other end is actually responding, and that
> this response goes towards the PIX? As far as I can see there's nothing
> wrong with the configuration. (I may be wrong, cf. my last mail to this
> list. :-))
>
> What happens if you try to trace from the 10.139.1.0/24 host to
> something in 10.180.0.0/16? Do you get to the PIX (i.e. can you see the
> connection in the logs)?
>
> Regards,
> Peter

From rodunn at cisco.com Wed Aug 6 13:33:21 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 13:33:21 -0400
Subject: [c-nsp] MPLS errors w/ no MPLS configured
In-Reply-To: <20080805183349.GN6869@elvis.mu.org>
References: <20080805183349.GN6869@elvis.mu.org>
Message-ID: <20080806173321.GN2589@rtp-cse-489.cisco.com>

It's cosmetic. It's an internal message that was printed when it should have gone under a debug flag. I see it's fixed in a lot of the recent codes but I'm not sure if they addressed it in the SB throttle.

Rodney

On Tue, Aug 05, 2008 at 11:33:49AM -0700, bill fumerola wrote:
> anyone seeing these messages?
>
> Aug 1 02:35:58.924 UTC:
> %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated,
> prefix not in routing table
> -Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
>
> Aug 3 15:38:32.708 UTC:
> %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table
> -Traceback= 61061318 610616E4 61042C28 61042CD0 610A3544 610A3904 61048EF4 6105053C 610516A8
>
> i'm not sure how dangerous these messages are. on one hand, we're not
> running MPLS at all. on the other hand, i don't like errors that involve
> broken tables/memory & tracebacks.
>
> rtr1.lon#sh run | i mpls|MPLS
> no mpls traffic-eng auto-bw timers frequency 0
> rtr1.lon#sh ver | i 12.[23]
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3)
> ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1)
> BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
> rtr1.lon#
>
> there are BGP neighbors, both internal and external, on this host. no
> address-family vpn tho.
>
> -- bill

From RTeller at deltadentalwa.com Wed Aug 6 14:35:41 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 6 Aug 2008 11:35:41 -0700
Subject: [c-nsp] 6500 ACE/FWSM
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EF9@tiger.deltadentalwa.com>

Is it possible to automatically replicate which VLANs are associated to a vlan group between two chassis?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From junaid.x86 at gmail.com Wed Aug 6 16:15:37 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Thu, 7 Aug 2008 02:15:37 +0600
Subject: [c-nsp] EoMPLS between C7206 and C3845
Message-ID:

Hi,

I am trying to make EoMPLS (VLAN mode) work between a 7206VXR (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are connected back-to-back via FastEthernet.
The customers are connected via a switch connected to each PE:

CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2

The control plane comes up without any issue:

C7200-PE1#sh mpls l2transport vc de
Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
  Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
    Next hop: XXXXXX (ip of PE2's interface connected with PE1)
    Output interface: Fa3/0, imposed label stack {234}
  Create time: 04:55:52, last status change time: 04:22:07
  Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
    MPLS VC labels: local 2207, remote 234
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: MPLS TEST
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 658, send 558
    byte totals:   receive 61117, send 57759
    packet drops:  receive 0, send 0

C3845-PE2#sh mpls l2transport vc de
Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
  Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
    Next hop: XXXXXX (ip of PE1's interface connected with PE2)
    Output interface: Gi0/0, imposed label stack {2207}
  Create time: 05:06:06, last status change time: 04:42:00
  Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
    MPLS VC labels: local 234, remote 2207
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: MPLS test
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 807, send 697
    byte totals:   receive 81235, send 63925
    packet drops:  receive 0, seq error 0, send 0

But the data plane is having severe issues. I cannot ping end-to-end from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE connected to the 3845), ARP works and I am able to send a ping packet to CE1. But CE1 never receives it. On the other side, CE2 does not get replies to its own ARP requests. Once I statically bind the MAC address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies to it, but CE1 never receives the reply. It seems that the communication is one way, from CE1 (the one behind the C7206) to CE2 (the one behind the C3845) and not the other way round. I replaced the C3845 with a C7206 and there was no issue in the data plane.

My question is, with the IOS I used for the C3845, is EoMPLS not supported on it? As per Cisco's documentation, EoMPLS is supported on the IOS I used for the C3845. Anyone have any experience running EoMPLS on a C3845?

Another thing I noted was in the following output from the C3845: it shows MRU=0 and also there was no outgoing interface attached:

C3845-PE2#sh mpls forwarding-table labels 234 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
234                l2ckt(100)        50732      none       point2point
        MAC/Encaps=0/0, MRU=0, Tag Stack{}
        No output feature configured

While on the C7206, the output was as it should be:

C7200-PE1#sh mpls forwarding-table labels 2207 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
        MAC/Encaps=0/0, MRU=1500, Tag Stack{}
        No output feature configured

Any explanations/solutions?

Regards,
Junaid

From rodunn at cisco.com Wed Aug 6 16:29:11 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 6 Aug 2008 16:29:11 -0400
Subject: [c-nsp] Do Adtrans reorder frames with MLFR per DLCI?
Message-ID: <20080806202911.GH2589@rtp-cse-489.cisco.com>

Ok... I'll ask for help for once. :)

Does anyone here know if Adtran or Juniper CPEs reorder frames on receive of an MLFR bundle per section 4.2.3.2 of the FRF16 specification?
Rodney

From lists at hojmark.org Wed Aug 6 18:25:41 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 7 Aug 2008 00:25:41 +0200
Subject: [c-nsp] IOS SLB support
In-Reply-To:
References: <000501c80f72$d3245080$280a0a0a@hojmark.net> <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com>
Message-ID: <3E71080198FB4BE595B6F956901ECA37@hojmark.net>

> If we can upgrade to SRC and save ourselves $10K+ in redundant
> load balancers (traffic rates would be 2-4 Mbps), I would like
> to do that, but if SRC is generally "too new", then perhaps I
> need to reconsider.

It's funny you should mention 10k$, 'cause that's exactly the price of the IOS SLB license for the 7600 (FR-IOSSLB)...

-A

From tvarriale at comcast.net Wed Aug 6 18:15:22 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 6 Aug 2008 17:15:22 -0500
Subject: [c-nsp] 6500 ACE/FWSM
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00EF9@tiger.deltadentalwa.com>
Message-ID: <03FB3AE1D11945A6B3E277E1F4E2D815@flamalam>

Not that I know of. It's a per-box, per-card config.

tv

----- Original Message -----
From: "Teller, Robert"
To:
Sent: Wednesday, August 06, 2008 1:35 PM
Subject: [c-nsp] 6500 ACE/FWSM

> Is it possible to automatically replicate which VLANs are associated to a
> vlan group between two chassis?
>
> Robert Teller
> Washington Dental Service
> Network Administrator
> (206) 528-2371
> RTeller at DeltaDentalWa.com

From zhassan at gmx.net Wed Aug 6 19:13:46 2008
From: zhassan at gmx.net (Zahid Hassan)
Date: Thu, 7 Aug 2008 00:13:46 +0100
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
In-Reply-To: <489073C7.5020003@utc.edu>
References: <489073C7.5020003@utc.edu>
Message-ID: <002901c8f81a$147e2a70$014fa8c0@xp1>

Dear All,

Is there any equivalent command to "sh mls cef maximum-routes" on the Sup2, like on a Sup720? I am currently running a full feed on a few of my Sup2s and about 1K VPNv4 routes, and am a bit concerned about its limit.

Any comment or input will be greatly appreciated.

ZH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: 30 July 2008 15:00
To: cisco-nsp
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...

Quick question for someone that's "been there done that" from someone who has said "I thought it would work" more often than I'd like :-)

Can you get a full BGP feed (two peers) into a Sup2? With uRPF? Which RAM needs to be upgraded? I found out the hard way it won't fit into a SUP2/MSFC2/PFC2 w/256Mb. Will 512Mb do it? Can you put 512Mb in a Sup2 (some 3rd-party pages imply 256 is max, another says a "Sup2U" can do 512)? Do you upgrade the Sup2 memory or one of the daughtercards, or both?

Jeff

From gtb at slac.stanford.edu Wed Aug 6 19:05:06 2008
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 6 Aug 2008 16:05:06 -0700
Subject: [c-nsp] IOS SLB support
In-Reply-To: <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
References: <000501c80f72$d3245080$280a0a0a@hojmark.net> <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com> <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
Message-ID:

> It's funny you should mention 10k$, 'cause that's exactly the
> price of the IOS SLB license for the 7600 (FR-IOSSLB)...

On a related (but slightly orthogonal) note, I really wish Cisco made it easier to find what features require what licenses (and what they were called). In a previous life, I knew that I needed a "BGP" license for a 6500, but it took what seemed like an inordinate period to get the 6500 part number to get the license(*) (and of course now the license has been eliminated, since it is included in the IP Services and above feature set, unless what you want is the IS-IS part of the old "Interdomain Routing Feature", which now requires an Advanced Services feature set).

(And how many knew that if one changed a redundant 6500 Sup1A to a primary there is an additional license code to order? I didn't. SUP1A-2GE-U-LIC=)

Gary

(*) Probably due to miscommunications on my part.

From nachocheeze at gmail.com Wed Aug 6 21:30:01 2008
From: nachocheeze at gmail.com (nachocheeze at gmail.com)
Date: Wed, 6 Aug 2008 20:30:01 -0500
Subject: [c-nsp] Strange vlan behavior
Message-ID:

We've got a network I'm looking at that is predominantly L2 switched; a tangent of the old router-on-a-stick; some routing, but mostly switching. I fired up Wireshark on my laptop recently to diagnose something, and noticed something a bit odd.
Here's a smaller version of the network, with a problem where I can't quite figure out what is going on.

HostX, HostY, and MyLaptop are all on the same L2 vlan / L3 IP network (we'll say VLAN 31 and network 172.16.31.0/24). Switches A, B, C, and D are all lower-end Cisco L2-only switches; Routers 1 and 2 are L2/L3 Catalyst 6500/MSFC. Currently, the L3 SVI for VLAN 31 lives on Router 1, but I've tried moving it to Router 2 and the same problem keeps happening.

All links are 802.1q trunks. There are certain networks defined on Router 1, and different networks that are defined on Router 2. However, for some of those networks, there are hosts attached at user-level switches at both "north" and "south" ends (yes, all the L2 vlans do span from end to end across every dotq trunk, and I *KNOW* it's a bad design. It was born of a specific necessity and needs to change ASAP, but right now it isn't possible). Router1 and Router2, in addition to being fully trunked, also have a dedicated numbered "routed vlan" that is used to route the disparate user networks between them.

This is a scaled-down version of the topology.

HostX   HostY
  |       |
-----------------------------
Switch D
  |
Switch C
  |
Router 1 (multiple vlans/SVIs)
  |
Router 2 (multiple vlans/SVIs)
  |
Switch B
  |
Switch A
  |
MyLaptop

What I noticed that is making no sense is the following: when sniffing my network interface on MyLaptop, I can from time to time see snippets of traffic that transit directly between HostX and HostY. This is not ARP (broadcast) traffic, or multicast traffic, but direct station-to-station unicast traffic between X and Y. Not *all* their traffic, like a SPAN port, but just little snippets here and there (sometimes a few ICMP packets, sometimes a couple of HTTP packets, etc). A sniff of MyLaptop's NIC shows the source IP address / source MAC address of HostX attempting a unicast transaction to the destination IP address / destination MAC address of HostY. Again, I'm seeing that unicast transaction directly from my laptop's tcpdump from several trunk links away.

I've checked this with other L2 end-user switches that are on the same vlan/subnet in the north/south ends, and they all see this same kind of issue too. That means it's happening pretty much everywhere the vlan is trunked, and possibly on other vlans. From the way I understand it, apart from maybe some ARP traffic if HostA and HostB don't know each other's L2 address, I should never see it; the traffic between HostA and HostB should stay on Switch Y for their entire conversation.

I've checked everything in the path between stations, and nothing that I can find has been miscabled, no port monitoring is turned on anywhere, etc. Ideas for what I should start looking at? (besides a total retrofit of the design; that's in the works.)

From hsa at ntt.net.id Wed Aug 6 22:44:09 2008
From: hsa at ntt.net.id (Hendry)
Date: Thu, 07 Aug 2008 09:44:09 +0700
Subject: [c-nsp] EoMPLS between C7206 and C3845
In-Reply-To:
References:
Message-ID: <489A6179.5060406@ntt.net.id>

Interesting. AFAIK the 38xx series didn't support MPLS L2VPN (CMIW). AToM is only supported on the 72xx platform and above, while VPLS is only supported on 76xx and above. To be honest with you, I never tested it on a 38xx, but the interesting thing is that the VC on both sides shows up :) but with some odd result on the 38xx, in that label 234 didn't seem to be pushed into the proper interface.

Also, if both end VCs have VCCV capabilities, it might be worth testing it with an MPLS LSP check, aka "ping mpls pseudowire _neighbor-PE_ _vc-number_", from both PE1 and PE2.

There's also a solution for providing L2VPN to the customers by using L2TPv3, which defines the control protocol as well as the encapsulation procedures for tunneling multiple Layer 2 connections between two IP-connected nodes (without MPLS); not sure, though, whether it is supported on the 38xx platform, nor have I tested it personally in the lab.
my 0.2+

-- 
hsa

Junaid wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) work between a 7206VXR
> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running
> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are
> connected back-to-back via FastEthernet. The customers are connected
> via a switch connected to each PE:
>
> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
> C7200-PE1#sh mpls l2transport vc de
> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE2's interface connected with PE1)
>     Output interface: Fa3/0, imposed label stack {234}
>   Create time: 04:55:52, last status change time: 04:22:07
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
>     MPLS VC labels: local 2207, remote 234
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS TEST
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 658, send 558
>     byte totals:   receive 61117, send 57759
>     packet drops:  receive 0, send 0
>
> C3845-PE2#sh mpls l2transport vc de
> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE1's interface connected with PE2)
>     Output interface: Gi0/0, imposed label stack {2207}
>   Create time: 05:06:06, last status change time: 04:42:00
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
>     MPLS VC labels: local 234, remote 2207
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS test
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 807, send 697
>     byte totals:   receive 81235, send 63925
>     packet drops:  receive 0, seq error 0, send 0
>
> But the data plane is having severe issues. I cannot ping end-to-end
> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
> connected to the 3845), ARP works and I am able to send a ping packet to
> CE1. But CE1 never receives it. On the other side, CE2 does not get
> replies to its own ARP requests. Once I statically bind the MAC
> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
> to it, but CE1 never receives the reply. It seems that the communication
> is one way, from CE1 (the one behind the C7206) to CE2 (the one behind the C3845) and
> not the other way round. I replaced the C3845 with a C7206 and there was no
> issue in the data plane.
>
> My question is, with the IOS I used for the C3845, is EoMPLS not supported
> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
> used for the C3845. Anyone have any experience running EoMPLS on a C3845?
>
> Another thing I noted was in the following output from the C3845: it shows
> MRU=0 and also there was no outgoing interface attached:
>
> C3845-PE2#sh mpls forwarding-table labels 234 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 234                l2ckt(100)        50732      none       point2point
>         MAC/Encaps=0/0, MRU=0, Tag Stack{}
>         No output feature configured
>
> While on the C7206, the output was as it should be:
>
> C7200-PE1#sh mpls forwarding-table labels 2207 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>         MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>         No output feature configured
>
> Any explanations/solutions?
>
> Regards,
> Junaid

From vikassharmas at gmail.com Wed Aug 6 23:01:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 7 Aug 2008 08:31:23 +0530
Subject: [c-nsp] F5 firepass - MPLS connectivity
Message-ID:

Hi,

Has anyone used F5's FirePass to connect to an MPLS VPN? If yes, please let me know how.

Regards,
Vikas Sharma

From stretch at packetlife.net Wed Aug 6 22:21:40 2008
From: stretch at packetlife.net (Jeremy Stretch)
Date: Thu, 07 Aug 2008 05:21:40 +0300
Subject: [c-nsp] Strange vlan behavior
In-Reply-To:
References:
Message-ID: <489A5C34.9020908@packetlife.net>

This is normal if the receiving station is normally quiet (as are many Linux/UNIX boxes). Keep in mind that a switch will flood a frame if it doesn't have a CAM entry for the destination address. Check the MAC address table aging time (show mac-address-table aging-time) on the switches; I believe the default is 300 seconds. If the receiving station hasn't transmitted any traffic in the last 300 seconds, its entry in the switch's CAM will be purged and all traffic destined for that host will be flooded out all ports until the switch relearns the host's location.

If this is only happening sporadically, and only at the very beginning of a conversation, it's normal to see a stray packet or two. If it's very frequent, however, your switches might be running out of CAM space (possibly an indication of a DoS attack; use 'show mac-address-table count' to inspect all known MAC addresses). If the leaked frames can't be tolerated, consider raising the aging timer or configuring static MAC addresses on each interface.
--- Jeremy Stretch http://packetlife.net nachocheeze at gmail.com wrote: > We've got a network I'm looking at that is predominately L2 switched; > a tangent of the old router-on-a-stick; some routing, but mostly > switching. I fired up Wireshark on my laptop recently to diagnose > something, and noticed something a bit odd. Here's a smaller version > of the network with a problem I can't quite figure out what is going > on. > > HostX, HostY, and MyLaptop are all on the same L2 vlan / L3 IP network > (we'll say VLAN 31 and network 172.16.31.0/24). Switches A,B,C, and D > are all lower end Cisco L2 only switches, Routers 1 and 2 are L2/L3 > Catalyst 6500/MSFC. Currently, the L3 SVI for VLAN 31 lives on Router > 1, but I've tried moving it to Router 2 and the same problem keeps > happening. > > All links are 802.1q trunks. There's certain networks defined on > Router 1, and different networks that are defined on Router 2. > However, for some of those networks, there's hosts attached at > user-level switches at both "north" and "south" ends (yes, all the L2 > vlans do span from end to end across every dotq trunk, and I *KNOW* > it's a bad design. It was born of a specific necessity and needs to > change ASAP, but right now it isn't possible). Router1 and Router2 in > addition to being fully trunked also have a dedicated numbered "routed > vlan" that is used to route the disparate user networks between them. > > This is a scaled down version of the topology. > > HostX HostY > | | > ----------------------------- > Switch D > | > Switch C > | > Router 1 (multiple vlans/SVIs) > | > Router 2 (multiple vlans/SVIs) > | > Switch B > | > Switch A > | > MyLaptop > > What I noticed that is making no sense is the following; when sniffing > my network interface on MyLaptop, I can from time to time see snippets > of traffic that transit directly between HostX and HostY. 
> This is not
> ARP (broadcast) traffic, or multicast traffic but direct station to
> station unicast traffic between X and Y. Not *all* their traffic,
> like a SPAN port, but just little snippets here and there (sometimes a
> few ICMP packets, sometimes a couple of HTTP packets, etc). A sniff
> of MyLaptop's NIC shows the source IP address / source MAC address of
> HostX attempting a unicast transaction to the destination IP address /
> destination MAC address of HostY. Again, I'm seeing that unicast
> transaction directly from my laptop's tcpdump from several trunk links
> away.
>
> I've checked this with other L2 end-user switches that are on the same
> vlan/subnet in the north/south ends, and they all see this same kind
> of issue too. That means it's happening pretty much everywhere the
> vlan is trunked, and possibly on other vlans. From the way I
> understand, apart from maybe some ARP traffic if HostA and HostB don't
> know each other's L2 address, I should never see it; the traffic
> between HostA and HostB should stay on Switch Y for their entire
> conversation.
>
> I've checked everything in the path between stations, and nothing that
> I can find has been miscabled, no port monitoring is turned on
> anywhere, etc. Ideas for what I should start looking at? (besides a
> total retrofit of the design; that's in the works.)
>


From agristina+cisco-nsp at gmail.com Wed Aug 6 23:20:40 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Wed, 6 Aug 2008 20:20:40 -0700
Subject: [c-nsp] F5 firepass - MPLS connectivity
In-Reply-To:
References:
Message-ID: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>

FirePass is SSL VPN. As far as I know it doesn't speak MPLS at all.
If you are on the customer side of the CE device, it won't matter that it doesn't speak MPLS and you can use it for SSL VPN termination as it was intended.

On Wed, Aug 6, 2008 at 8:01 PM, Vikas Sharma wrote:
> Hi,
>
> Has anyone used F5's FirePass to connect to MPLS VPN? If yes, please let me
> know how.
>
> Regards,
> Vikas Sharma
>


From rodunn at cisco.com Thu Aug 7 00:33:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 7 Aug 2008 00:33:59 -0400
Subject: [c-nsp] EoMPLS between C7206 and C3845
In-Reply-To:
References:
Message-ID: <20080807043359.GC8990@rtp-cse-489.cisco.com>

Can you load 12.4(15)T6 on the 3845?

There was a bug with L2TPv3 where the interface didn't go into promiscuous mode to accept the frames, so it would look like a one-way PW.

Check 'sh ip int' or 'sh controller' on the 3845.

The outgoing interface does look odd too.

Rodney

On Thu, Aug 07, 2008 at 02:15:37AM +0600, Junaid wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) work between a 7206VXR
> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running
> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are
> connected back-to-back via FastEthernet.
> The customers are connected
> via a switch connected to each PE:
>
> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
> C7200-PE1#sh mpls l2transport vc de
> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE2's interface connected with PE1)
>     Output interface: Fa3/0, imposed label stack {234}
>   Create time: 04:55:52, last status change time: 04:22:07
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
>     MPLS VC labels: local 2207, remote 234
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS TEST
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 658, send 558
>     byte totals:   receive 61117, send 57759
>     packet drops:  receive 0, send 0
>
>
> C3845-PE2#sh mpls l2transport vc de
> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
>   Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
>     Next hop: XXXXXX (ip of PE1's interface connected with PE2)
>     Output interface: Gi0/0, imposed label stack {2207}
>   Create time: 05:06:06, last status change time: 04:42:00
>   Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
>     MPLS VC labels: local 234, remote 2207
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description: MPLS test
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 807, send 697
>     byte totals:   receive 81235, send 63925
>     packet drops:  receive 0, seq error 0, send 0
>
>
> But the data plane is having severe issues. I cannot ping end-to-end
> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
> connected to 3845), ARP works and I am able to send a ping packet to
> CE1. But CE1 never receives it. On the other side, CE2 does not get
> replies to its own ARP requests.
> Once I statically bind the MAC
> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
> to it but CE1 never receives the reply. It seems that the communication
> is one way, from CE1 (the one behind C7206) to CE2 (the one behind C3845)
> and not the other way round. I replaced C3845 with C7206 and there was no
> issue in the data plane.
>
> My question is, with the IOS I used for C3845, is EoMPLS not supported
> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
> used for C3845. Does anyone have any experience running EoMPLS on C3845?
>
> Another thing I noted was in the following output from C3845, it shows
> MRU=0 and also there was no outgoing interface attached:
>
> C3845-PE2#sh mpls forwarding-table labels 234 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 234    l2ckt(100)                    50732      none       point2point
>         MAC/Encaps=0/0, MRU=0, Tag Stack{}
>         No output feature configured
>
> While on C7206, the output was as it should be:
>
> C7200-PE1#sh mpls forwarding-table labels 2207 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>         MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>         No output feature configured
>
>
> Any explanations/solutions?
>
> Regards,
>
> Junaid
>


From vikassharmas at gmail.com Thu Aug 7 02:19:23 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 7 Aug 2008 11:49:23 +0530
Subject: [c-nsp] F5 firepass - MPLS connectivity
In-Reply-To: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>
References: <70bb1b8f0808062020g2e66fb2fnb5fbba62b3959eb5@mail.gmail.com>
Message-ID:

Thanks Andrew,

Actually I was looking for vrf-lite or vlan-to-vrf mapping kind of functionality. I know it can provide SSL VPN, but can I use this device to connect the user directly to MPLS? I mean, the user connects to FirePass and then, based on which vlan the user is in, I can map that vlan to a vrf and forward it to the appropriate MPLS VPN.

Regards,
Vikas Sharma

On 8/7/08, Andrew Gristina wrote:
>
> FirePass is SSL VPN. As far as I know it doesn't speak MPLS at all.
> If you are on the customer side of the CE device, it won't matter that
> it doesn't speak MPLS and you can use it for SSL VPN termination as it
> was intended.
>
> On Wed, Aug 6, 2008 at 8:01 PM, Vikas Sharma wrote:
> > Hi,
> >
> > Has anyone used F5's FirePass to connect to MPLS VPN? If yes, please let
> > me know how.
> >
> > Regards,
> > Vikas Sharma
> >
>


From asturluismi at gmail.com Thu Aug 7 06:55:47 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 12:55:47 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
Message-ID: <1218106547.13339.13.camel@dsba-ipso>

Hi all,

I have a strange behaviour here with two 3750 stacks.

My AAA config is...
aaa group server tacacs+ tac-plus
 server 10.10.10.10
!
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local-case
aaa authentication login console group tacacs+ local-case
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting send stop-record authentication failure vrf default
aaa accounting suppress null-username
aaa accounting update newinfo jitter maximum 0
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host 10.10.10.10 single-connection
tacacs-server timeout 10
no tacacs-server directed-request
tacacs-server key 7 xxxx
!
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh

The TACACS software is "tac-plus F4.0.4.alpha-12" running in a Linux box.

The configuration is quite simple:

$ cat /etc/tac-plus/tacacs.conf
accounting file = /var/log/tac-plus/account
# default authorization = permit

key = xxxx

user = DEFAULT {
    default service = permit
}

user = myuser {
    name = "Uh"
    member = oper3
    login = des blablablabla
    service = exec {}
    service = shell {}
}

That configuration is working perfectly in 2950 and 2960 switches but not in 3750 stacks.
I am just able to get access only by ssh.
Telnet reports "authorization failed"; I did a debug but I didn't find the reason.
But that is not the end of the story: if I am logged in the 3750 stack with an ssh session, I am able to do a telnet to it and use my TACACS credentials without problems.

I have the same behaviour in 2 3750 stacks; one of them is running c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running c3750-ipservicesk9-mz.122-44.SE1

I didn't review yet the open and solved caveats for the next releases for that IOS -if there is a new release-, nor can I remember seeing any issue with AAA when I checked both "release notes".

Any comment will be appreciated.

Thanks.


From nic.tjirkalli at za.verizonbusiness.com Thu Aug 7 07:52:30 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Thu, 7 Aug 2008 13:52:30 +0200 (SAST)
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To: <1218106547.13339.13.camel@dsba-ipso>
References: <1218106547.13339.13.camel@dsba-ipso>
Message-ID:

howdy ho,

> Hi all,
>
> I have a strange behaviour here with two 3750 stacks.
>
> My AAA config is...
>
> aaa group server tacacs+ tac-plus
>  server 10.10.10.10
> !
> aaa authentication attempts login 2
> aaa authentication login default group tacacs+ local-case
> aaa authentication login console group tacacs+ local-case
> aaa authorization exec default group tacacs+ local
> aaa authorization network default group tacacs+ local
> aaa accounting send stop-record authentication failure vrf default
> aaa accounting suppress null-username
> aaa accounting update newinfo jitter maximum 0
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> !
> tacacs-server host 10.10.10.10 single-connection
> tacacs-server timeout 10
> no tacacs-server directed-request
> tacacs-server key 7 xxxx
> !
> line con 0
>  exec-timeout 15 0
>  logging synchronous
> line vty 0 4
>  access-class 1 in
>  exec-timeout 15 0
>  logging synchronous
>  transport input telnet ssh
> line vty 5 15
>  access-class 1 in
>  exec-timeout 15 0
>  logging synchronous
>  transport input telnet ssh
>
> The TACACS software is "tac-plus F4.0.4.alpha-12" running in a linux
> box.
>
> The configuration is quite simple:
>
> $ cat /etc/tac-plus/tacacs.conf
> accounting file = /var/log/tac-plus/account
> # default authorization = permit
>
> key = xxxx
>
> user = DEFAULT {
>     default service = permit
> }
>
> user = myuser {
>     name = "Uh"
>     member = oper3
>     login = des blablablabla
>     service = exec {}
>     service = shell {}

maybe add

    default service = permit

here

> }
>

If that fails, maybe try adding this to the aaa config of the box:

aaa authorization commands 1 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated

good luck

> That configuration is working perfectly in 2950 and 2960 switches but
> not in 3750 stacks.
> I am just able to get access only by ssh.
> Telnet reports "authorization failed"; I did a debug but I didn't find
> the reason.
> But that is not the end of the story: if I am logged in the 3750 stack
> with an ssh session, I am able to do a telnet to it and use my TACACS
> credentials without problems.
>
> I have the same behaviour in 2 3750 stacks; one of them is running
> c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running
> c3750-ipservicesk9-mz.122-44.SE1
>
> I didn't review yet the open and solved caveats for the next releases
> for that IOS -if there is a new release-, nor can I remember seeing
> any issue with AAA when I checked both "release notes".
>
> Any comment will be appreciated.
>
> Thanks.
>
>

---------------------------------------------------------------------
It is easier to fight for one's principles than to live up to them

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.

Company Information: http://www.verizonbusiness.com/za/contact/legal/


From frnkblk at iname.com Thu Aug 7 08:45:33 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Thu, 7 Aug 2008 07:45:33 -0500
Subject: [c-nsp] IOS SLB support
In-Reply-To: <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
References: <000501c80f72$d3245080$280a0a0a@hojmark.net> <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com> <3E71080198FB4BE595B6F956901ECA37@hojmark.net>
Message-ID:

You're kidding....I presumed it was a feature in the native code. Now external boxes don't seem that bad.

Frank

-----Original Message-----
From: Asbjorn Hojmark - Lists [mailto:lists at hojmark.org]
Sent: Wednesday, August 06, 2008 5:26 PM
To: frnkblk at iname.com; 'Arie Vayner (avayner)'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IOS SLB support

> If we can upgrade to SRC and save ourselves $10K+ in redundant
> load balancers (traffic rates would be 2-4 Mbps), I would like
> to do that, but if SRC is generally "too new", then perhaps I
> need to reconsider.

It's funny you should mention 10k$, 'cause that's exactly the price of the IOS SLB license for the 7600 (FR-IOSSLB)...
-A


From asturluismi at gmail.com Thu Aug 7 09:10:04 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 15:10:04 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To:
References: <1218106547.13339.13.camel@dsba-ipso>
Message-ID: <1218114604.13339.18.camel@dsba-ipso>

Hi,

I tried the changes you told me, same result.

On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> aaa authorization commands 1 default local group tacacs+
> if-authenticated
> aaa authorization commands 15 default local group tacacs+
> if-authenticated


From lsawyer at gci.com Thu Aug 7 11:09:13 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Thu, 7 Aug 2008 07:09:13 -0800
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To: <1218114604.13339.18.camel@dsba-ipso>
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>

Here's the AAA config on my 3750, which seems to work fine:

aaa new-model
aaa group server tacacs+ Cisco_secure
 server 192.168.4.22
!
aaa authentication login default group Cisco_secure enable
aaa authentication enable default enable
aaa authorization exec default group Cisco_secure none
aaa authorization commands 15 default group Cisco_secure none
aaa authorization network default group Cisco_secure none
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group Cisco_secure
aaa accounting commands 1 default stop-only group Cisco_secure
aaa accounting commands 15 default stop-only group Cisco_secure
aaa accounting network default start-stop group Cisco_secure
aaa accounting connection default start-stop group Cisco_secure
aaa accounting system default stop-only group Cisco_secure
!
aaa session-id common

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Thursday, August 07, 2008 5:10 AM
> To: Nic Tjirkalli
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Very Strange AAA behaviour in a 3750 stack
>
> Hi,
>
> I tried the changes you told me, same result.
>
> On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> > aaa authorization commands 1 default local group tacacs+
> > if-authenticated aaa authorization commands 15 default local group
> > tacacs+ if-authenticated
>


From asturluismi at gmail.com Thu Aug 7 11:46:34 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 07 Aug 2008 17:46:34 +0200
Subject: [c-nsp] Very Strange AAA behaviour in a 3750 stack
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA080EEE15@FNB1EX01.gci.com>
Message-ID: <1218123994.13339.24.camel@dsba-ipso>

Hi Leif,

Are you able to use the TACACS credentials on the console port and with telnet?
I am only able to use TACACS credentials using ssh. Telnet only works if I have another session opened through ssh. Console access doesn't work with TACACS, but I didn't check it yet.

On Thu, 07-08-2008 at 07:09 -0800, Leif Sawyer wrote:
> Here's the AAA config on my 3750, which seems to work fine:
>
> aaa new-model
> aaa group server tacacs+ Cisco_secure
>  server 192.168.4.22
> !
> aaa authentication login default group Cisco_secure enable
> aaa authentication enable default enable
> aaa authorization exec default group Cisco_secure none
> aaa authorization commands 15 default group Cisco_secure none
> aaa authorization network default group Cisco_secure none
> aaa accounting send stop-record authentication failure
> aaa accounting exec default start-stop group Cisco_secure
> aaa accounting commands 1 default stop-only group Cisco_secure
> aaa accounting commands 15 default stop-only group Cisco_secure
> aaa accounting network default start-stop group Cisco_secure
> aaa accounting connection default start-stop group Cisco_secure
> aaa accounting system default stop-only group Cisco_secure
> !
> aaa session-id common
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> > Sent: Thursday, August 07, 2008 5:10 AM
> > To: Nic Tjirkalli
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Very Strange AAA behaviour in a 3750 stack
> >
> > Hi,
> >
> > I tried the changes you told me, same result.
> >
> > On Thu, 07-08-2008 at 13:52 +0200, Nic Tjirkalli wrote:
> > > aaa authorization commands 1 default local group tacacs+
> > > if-authenticated aaa authorization commands 15 default local group
> > > tacacs+ if-authenticated
> >
>


From omar.parihuana at gmail.com Thu Aug 7 11:58:21 2008
From: omar.parihuana at gmail.com (omar parihuana)
Date: Thu, 7 Aug 2008 10:58:21 -0500
Subject: [c-nsp] OT: Linux Script for router management
Message-ID: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com>

Hi List,

I'm facing a problem with router management: nearly 80 dispersed routers of different providers with different user/pass. I would like to have a Linux console with a menu with the router list, then when I choose an option, I get into the router automatically; or maybe another way, for example before I used a Linux console where I wrote down the hostname and I got the router. Do you know some tool/script that can do it?

Rgds.

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
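A minimal version of the menu-driven launcher asked for above, added here as an example and not a tool from this thread or from any list member. The inventory format, router names and addresses are constructed, and the script assumes SSH keys loaded in ssh-agent rather than passwords stored in the inventory.

```python
"""Inventory-driven login menu for a fleet of routers (added example).

Not a tool from the cisco-nsp thread. The inventory format and the device
names/addresses are constructed for illustration (RFC 5737 addresses).
Passwords are deliberately kept out of the inventory: SSH logins rely on
keys loaded in ssh-agent, and entries that still use telnet are flagged so
the operator sees they send credentials in clear text.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample inventory: one router per line,
# "name address user transport"; '#' starts a comment.
INVENTORY_TEXT = """\
# name         address       user    transport
edge-isp1      192.0.2.10    noc-a   ssh
edge-isp2      192.0.2.20    noc-b   ssh
legacy-core    198.51.100.5  admin   telnet
"""

TRANSPORTS = ("ssh", "telnet")


@dataclass(frozen=True)
class Router:
    name: str
    address: str
    user: str
    transport: str


def parse_inventory(text: str) -> List[Router]:
    """Parse the inventory; reject malformed lines, unknown transports and duplicates."""
    routers: List[Router] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"inventory line {lineno}: expected 4 fields")
        name, address, user, transport = fields
        if transport not in TRANSPORTS:
            raise ValueError(f"inventory line {lineno}: unknown transport {transport!r}")
        if name in seen:
            raise ValueError(f"inventory line {lineno}: duplicate router {name!r}")
        seen.add(name)
        routers.append(Router(name, address, user, transport))
    return routers


def render_menu(routers: List[Router]) -> str:
    """Numbered menu; telnet entries are flagged as clear-text logins."""
    lines = []
    for i, r in enumerate(routers, 1):
        flag = "  [telnet: clear-text]" if r.transport == "telnet" else ""
        lines.append(f"{i:3d}) {r.name:<14} {r.user}@{r.address}{flag}")
    return "\n".join(lines)


def select_router(routers: List[Router], choice: str) -> Optional[Router]:
    """Resolve a menu number (1-based) or a hostname; None if nothing matches."""
    choice = choice.strip()
    if choice.isdigit():
        idx = int(choice) - 1
        return routers[idx] if 0 <= idx < len(routers) else None
    for r in routers:
        if r.name == choice:
            return r
    return None


def build_command(router: Router) -> List[str]:
    """argv for the login; no password is ever placed on the command line."""
    if router.transport == "ssh":
        # Username comes from the inventory, the key from ssh-agent.
        return ["ssh", "-l", router.user, router.address]
    # telnet takes no username argument; the device prompts interactively.
    return ["telnet", router.address]


def main() -> None:
    routers = parse_inventory(INVENTORY_TEXT)
    print(render_menu(routers))
    router = select_router(routers, input("router (number or name): "))
    if router is None:
        raise SystemExit("no such router")
    subprocess.call(build_command(router))


if __name__ == "__main__":
    main()
```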
From eric at atlantech.net Thu Aug 7 12:08:04 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 7 Aug 2008 12:08:04 -0400
Subject: [c-nsp] OT: Linux Script for router management
In-Reply-To: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com>
References: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of omar parihuana
> Sent: Thursday, August 07, 2008 11:58 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Linux Script for router management
>
> Hi List,
>
> I'm facing a problem with router management: nearly 80 dispersed
> routers of different providers with different user/pass. I would like
> to have a Linux console with a menu with the router list, then when I
> choose an option, I get into the router automatically; or maybe another
> way, for example before I used a Linux console where I wrote down the
> hostname and I got the router. Do you know some tool/script that can do
> it?
>

You should be able to use RANCID (http://www.shrubbery.net/rancid) in combination with an MOTD banner on your server that lists all the routers and an alias to get access to each one. You get the added benefit of backing up configs of all the routers, too.

-evt


From rubensk at gmail.com Thu Aug 7 12:11:27 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 7 Aug 2008 13:11:27 -0300
Subject: [c-nsp] PFC-based EoMPLS and MPLS-TE
Message-ID: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com>

I was wondering if anybody has mixed EoMPLS and MPLS-TE, running on PFC-based MPLS (Sup720, ME6524 and related platforms) in a scenario like this:

PE1 -------- MPLS Cloud with TE affinity bits ---- PE2

PE1 and PE2 have an EoMPLS xconnect with each other, targeted at each router loopback.
Affinity bits are configured on the links in the cloud based on whether they support jumbo frames or not. First, a tunnel is created with affinity requirements such that it will always use "interesting" links; then a static "ip route tunnelxxx" makes all traffic between PE1 and PE2 go thru that tunnel.

Can this scenario work? Will LDP run thru the tunnel, as EoMPLS opens an LDP session between PE1 and PE2? Running thru the tunnel or not, will LDP correctly allocate labels so the EoMPLS connection goes thru? Will this adversely impact the other traffic between those PEs, besides the fact that all PE-to-PE traffic will now follow the tunnel?

Rubens


From RTeller at deltadentalwa.com Thu Aug 7 13:54:27 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 10:54:27 -0700
Subject: [c-nsp] Ace Module Troubleshooting
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>

So I have a weird issue going on with my ACE module. I am sure it is a configuration issue but since I am making it up as I go I can only do so much. I am able to browse to a load balanced website from one computer but if I try to browse to it from another computer the website is unavailable. The website is under the dp-qa domain.
---------------------------------------------------------------------------------------
logging console 6
logging timestamp

access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any

probe tcp TCP-5002_PROBE
  port 5002
  interval 3
  passdetect interval 3
probe tcp TCP-8003_PROBE
  port 8003
  interval 3
  passdetect interval 3
probe http TCP-80_PROBE
  interval 5
  passdetect interval 5
  expect status 200 200
  hash
  connection term forced
probe tcp TCP-9090_PROBE
  port 9090
  interval 5
  connection term forced
probe http ciscotest_PROBE
  interval 5
  passdetect interval 5
  request method get url /ciscotest/
  expect status 200 200
  hash
  connection term forced

rserver host dm-qa-app25
  ip address 172.22.237.23
  inservice
rserver host dm-qa-app26
  ip address 172.22.237.25
  inservice
rserver host dm-qa-web21
  ip address 172.22.237.19
  inservice
rserver host dm-qa-web22
  ip address 172.22.237.21
  inservice
rserver host dp-qa-app85
  ip address 172.22.237.24
  inservice
rserver host dp-qa-app86
  ip address 172.22.237.26
  inservice
rserver host dp-qa-web81
  ip address 172.22.237.20
  inservice
rserver host dp-qa-web82
  ip address 172.22.237.22
  inservice
rserver host recluse1
  ip address 172.22.228.88
  inservice
rserver host recluse2
  ip address 172.22.228.89
  inservice

serverfarm host dm-qa-app
  probe TCP-80_PROBE
  rserver dm-qa-app25
    inservice
  rserver dm-qa-app26
    inservice
serverfarm host dm-qa-ivr
  probe TCP-5002_PROBE
  rserver dm-qa-web21
    inservice
  rserver dm-qa-web22
    inservice
serverfarm host dm-qa-socket
  probe TCP-8003_PROBE
  rserver dm-qa-app25
    inservice
  rserver dm-qa-app26
    inservice
serverfarm host dm-qa-web
  probe ciscotest_PROBE
  rserver dm-qa-web21
    inservice
  rserver dm-qa-web22
    inservice
serverfarm host dp-qa-app
  probe TCP-80_PROBE
  rserver dp-qa-app85
    inservice
  rserver dp-qa-app86
    inservice
serverfarm host dp-qa-ivr
  probe TCP-5002_PROBE
  rserver dp-qa-web81
    inservice
  rserver dp-qa-web82
    inservice
serverfarm host dp-qa-socket
  probe TCP-8003_PROBE
  rserver dp-qa-app85
    inservice
  rserver dp-qa-app86
    inservice
serverfarm host dp-qa-web
  probe ciscotest_PROBE
  rserver dp-qa-web81
    inservice
  rserver dp-qa-web82
    inservice
serverfarm host recluse
  predictor leastconns
  probe TCP-9090_PROBE
  rserver recluse1
    inservice
  rserver recluse2
    inservice

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
  7 match protocol https any
class-map match-all dm-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.136 tcp eq www
class-map match-all dm-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.138 tcp eq 5002
class-map match-all dm-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.139 tcp eq 8003
class-map match-all dm-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.137 tcp eq www
class-map match-all dp-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.140 tcp eq www
class-map match-all dp-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.142 tcp eq 5002
class-map match-all dp-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.143 tcp eq 8003
class-map match-all dp-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.141 tcp eq www
class-map match-any recluse_CLASS
  2 match virtual-address XXX.XXX.XXX.134 tcp eq 9090
  3 match virtual-address XXX.XXX.XXX.134 tcp eq 10000

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match dm-qa-app_POLICY
  class class-default
    serverfarm dm-qa-app
policy-map type loadbalance first-match dm-qa-ivr_POLICY
  class class-default
    serverfarm dm-qa-ivr
policy-map type loadbalance first-match dm-qa-socket_POLICY
  class class-default
    serverfarm dm-qa-socket
policy-map type loadbalance first-match dm-qa-web_POLICY
  class class-default
    serverfarm dm-qa-web
policy-map type loadbalance first-match dp-qa-app_POLICY
  class class-default
    serverfarm dp-qa-app
policy-map type loadbalance first-match dp-qa-ivr_POLICY
  class class-default
    serverfarm dp-qa-ivr
policy-map type loadbalance first-match dp-qa-socket_POLICY
  class class-default
    serverfarm dp-qa-socket
policy-map type loadbalance first-match dp-qa-web_POLICY
  class class-default
    serverfarm dp-qa-web
policy-map type loadbalance first-match recluse_POLICY
  class class-default
    serverfarm recluse

policy-map multi-match POLICY
  class recluse_CLASS
    loadbalance vip inservice
    loadbalance policy recluse_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 134 vlan 238
  class dm-qa-app_CLASS
    loadbalance vip inservice
    loadbalance policy dm-qa-app_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 136 vlan 238
  class dm-qa-web_CLASS
    loadbalance vip inservice
    loadbalance policy dm-qa-web_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 137 vlan 238
  class dm-qa-ivr_CLASS
    loadbalance vip inservice
    loadbalance policy dm-qa-ivr_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 138 vlan 238
  class dm-qa-socket_CLASS
    loadbalance vip inservice
    loadbalance policy dm-qa-socket_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 139 vlan 238
  class dp-qa-app_CLASS
    loadbalance vip inservice
    loadbalance policy dp-qa-app_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 140 vlan 238
  class dp-qa-web_CLASS
    loadbalance vip inservice
    loadbalance policy dp-qa-web_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 141 vlan 238
  class dp-qa-ivr_CLASS
    loadbalance vip inservice
    loadbalance policy dp-qa-ivr_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 142 vlan 238
  class dp-qa-socket_CLASS
    loadbalance vip inservice
    loadbalance policy dp-qa-socket_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 143 vlan 238

interface vlan 238
  ip address XXX.XXX.XXX.253 255.255.255.128
  alias XXX.XXX.XXX.252 255.255.255.128
  peer ip address XXX.XXX.XXX.254 255.255.255.128
  access-group input any
  nat-pool 134 XXX.XXX.XXX.134 XXX.XXX.XXX.134 netmask 255.255.255.255
  nat-pool 136 XXX.XXX.XXX.136 XXX.XXX.XXX.136 netmask 255.255.255.255
  nat-pool 137 XXX.XXX.XXX.137 XXX.XXX.XXX.137 netmask 255.255.255.255
  nat-pool 138 XXX.XXX.XXX.138 XXX.XXX.XXX.138 netmask 255.255.255.255
  nat-pool 139 XXX.XXX.XXX.139 XXX.XXX.XXX.139 netmask 255.255.255.255
  nat-pool 140 XXX.XXX.XXX.140 XXX.XXX.XXX.140 netmask 255.255.255.255
  nat-pool 141 XXX.XXX.XXX.141 XXX.XXX.XXX.141 netmask 255.255.255.255
  nat-pool 142 XXX.XXX.XXX.142 XXX.XXX.XXX.142 netmask 255.255.255.255
  nat-pool 143 XXX.XXX.XXX.143 XXX.XXX.XXX.143 netmask 255.255.255.255
  service-policy input POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

domain dm-qa
  add-object serverfarm dm-qa-app
  add-object serverfarm dm-qa-ivr
  add-object serverfarm dm-qa-socket
  add-object serverfarm dm-qa-web
  add-object rserver dm-qa-app25
  add-object rserver dm-qa-app26
  add-object rserver dm-qa-web21
  add-object rserver dm-qa-web22
domain recluse
  add-object serverfarm recluse
  add-object rserver recluse1
  add-object rserver recluse2
domain dp-qa
  add-object serverfarm dp-qa-app
  add-object serverfarm dp-qa-ivr
  add-object serverfarm dp-qa-socket
  add-object serverfarm dp-qa-web
  add-object rserver dp-qa-app85
  add-object rserver dp-qa-app86
  add-object rserver dp-qa-web81
  add-object rserver dp-qa-web82

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From RTeller at deltadentalwa.com Thu Aug 7 14:09:22 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 11:09:22 -0700
Subject: [c-nsp] Ace Module Troubleshooting
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com>

For some reason the class map didn't show up right.

class-map match-all dm-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.136 tcp eq www
class-map match-all dm-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.138 tcp eq 5002
class-map match-all dm-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.139 tcp eq 8003
class-map match-all dm-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.137 tcp eq www
class-map match-all dp-dev-app_CLASS
  2 match virtual-address XXX.XXX.XXX.144 tcp eq www
class-map match-all dp-dev-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.146 tcp eq 5002
class-map match-all dp-dev-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.147 tcp eq 8003
class-map match-all dp-dev-web_CLASS
  2 match virtual-address XXX.XXX.XXX.145 tcp eq www
class-map match-all dp-qa-app_CLASS
  2 match virtual-address XXX.XXX.XXX.140 tcp eq www
class-map match-all dp-qa-ivr_CLASS
  2 match virtual-address XXX.XXX.XXX.142 tcp eq 5002
class-map match-all dp-qa-socket_CLASS
  2 match virtual-address XXX.XXX.XXX.143 tcp eq 8003
class-map match-all dp-qa-web_CLASS
  2 match virtual-address XXX.XXX.XXX.141 tcp eq www
class-map match-any recluse_CLASS
  2 match virtual-address XXX.XXX.XXX.134 tcp eq 9090
  3 match virtual-address XXX.XXX.XXX.134 tcp eq 10000

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
Sent: Thursday, August 07, 2008 10:54 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ace Module Troubleshooting

So I have a weird issue going on with my ACE module. I am sure it is a configuration issue but since I am making it up as I go I can only do so much. I am able to browse to a load balanced website from one computer but if I try to browse to it from another computer the website is unavailable.

The website is under the dp-qa domain.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From notrevebr at gmail.com Thu Aug 7 15:19:52 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Thu, 7 Aug 2008 16:19:52 -0300
Subject: [c-nsp] CSAgent
Message-ID: <3cf174360808071219r39971602g4b291a4ed3b539a7@mail.gmail.com>

Hi all,

Does anyone know if it's possible to use the CSAgent on the same machine that has Windows AD? Or do I really need to put in another machine just to be the CSAgent?

Thanks all.

From oboehmer at cisco.com Thu Aug 7 15:55:09 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 7 Aug 2008 21:55:09 +0200
Subject: [c-nsp] PFC-based EoMPLS and MPLS-TE
In-Reply-To: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com>
References: <6bb5f5b10808070911i5d09f6c1p306f7e3d52247585@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405D689C2@xmb-ams-333.emea.cisco.com>

Rubens Kuhl Jr. <> wrote on Thursday, August 07, 2008 6:11 PM:

> I was wondering if anybody has mixed EoMPLS and MPLS-TE, running on
> PFC-based MPLS (Sup720, ME6524 and related platforms) in a scenario
> like this:
>
> PE1 -------- MPLS Cloud with TE affinity bits ---- PE2
>
> PE1 and PE2 have an EoMPLS xconnect with each other, targeted at each
> router loopback. Affinity bits are configured on the links on the
> cloud based on whether they support Jumbo-frames or not. First part, a
> tunnel is created with affinity requirements such as it will always
> use "interesting" links; then, a static "ip route <loopback> tunnelxxx"
> makes all traffic between PE1 and PE2 go thru that tunnel.
>
> Can this scenario work? Will LDP run thru the tunnel, as EoMPLS opens
> an LDP session between PE1 and PE2? Running thru the tunnel or not,
> will LDP correctly allocate labels so the EoMPLS connection goes thru?
> Will this adversely impact the other traffic between those PEs,
> besides the fact that all PE-to-PE traffic will now follow the tunnel?

I guess you want to look at the AToM Tunnel Selection feature where you can "nail" specific PWs to TE tunnels without any static routes. I've never tried to send PWs over tunnels in the way you've described above, but why don't you just use autoroute as you seem to accept that all PE-to-PE traffic will go via the tunnel?

	oli

From jfitz at Princeton.EDU Thu Aug 7 16:45:04 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 7 Aug 2008 16:45:04 -0400
Subject: [c-nsp] FWSM asdm error 305006 ???
Message-ID: <28847781-E61F-48E1-86EF-327B2A1DB705@princeton.edu>

I am running FWSM with 4.0(2) code in transparent mode. It also has DNS-GUARD disabled, a new feature in 4.0.

I constantly see entries in the ASDM log with the very ambiguous ERROR 305006 as shown below in the log snippet...

----------------
3|Aug 07 2008 07:53:01|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/49384 dst vgate1-paetec-outside:4.2.2.2/53
3|Aug 07 2008 07:53:10|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/63890 dst vgate1-paetec-outside:4.2.2.1/53
3|Aug 07 2008 07:57:03|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:123.204.68.27/10001
3|Aug 07 2008 08:04:29|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.246.78/10002
3|Aug 07 2008 08:08:24|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:211.74.194.205/10001
3|Aug 07 2008 08:08:34|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.13.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
3|Aug 07 2008 08:10:15|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.174.123/10002
3|Aug 07 2008 08:18:59|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.15.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
---------------

The IPs in the 128.112.x.x range are ours and on the INSIDE, but none of them are in use, and tcpdump on the inside shows no packets from these addresses in case they were spoofed.

Doing a tcpdump on the OUTSIDE (by use of taps we have to monitor traffic outside the router/FWSM), I can see packets to these hosts from the DSTs indicated above. These are probably crafted packets just trying to do some DNS damage.

I am not sure why the message indicates the SRC of a host that never sent a packet and is non-existent, not to mention the cryptic "regular translation creation failed" phrase.

I have looked at all the doc related to the FWSM error code 305006 but it does not appear to relate to this error.

This error only appears for packets that have src or dst port 53 (DNS) and the inside IP is unreachable.

Is this error just telling me that there is no corresponding flow for the initial flow and some timer has expired within the DNS-GUARD code of the FWSM?

I sure could use some help on this one.

Thanks in advance.

Jeff Fitzwater
OIT Network Systems
Princeton University

From tvarriale at comcast.net Thu Aug 7 16:45:42 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 7 Aug 2008 15:45:42 -0500
Subject: [c-nsp] Ace Module Troubleshooting
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com>
Message-ID: <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>

A few questions...

Which port is this occurring on? 9090? 10000? or both?

Can you output "sh serverfarm recluse" and "sh probe TCP-9090_PROBE"?

Is this a web app running on those ports?
tv

From RTeller at deltadentalwa.com Thu Aug 7 17:42:58 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 7 Aug 2008 14:42:58 -0700
Subject: [c-nsp] Ace Module Troubleshooting
In-Reply-To: <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1D@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F1E@tiger.deltadentalwa.com> <80597FB2FB194810A3AA7A8E84E9E32B@FLAMALAM>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00F28@tiger.deltadentalwa.com>

This issue was resolved by adding pat to the end of my nat statements.

-----Original Message-----
From: Tony Varriale [mailto:tvarriale at comcast.net]
Sent: Thursday, August 07, 2008 1:46 PM
To: Teller, Robert; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Ace Module Troubleshooting

A few questions...

Which port is this occurring on? 9090? 10000? or both?
Can you output "sh serverfarm recluse" and "sh probe TCP-9090_PROBE"?

Is this a web app running on those ports?

tv
route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 > > > > > > > Robert Teller > Washington Dental Service > Network Administrator > (206) 528-2371 > RTeller at DeltaDentalWa.com > > > ######################################################### > The information contained in this e-mail and subsequent attachments may > be privileged, > confidential and protected from disclosure. This transmission is > intended for the sole > use of the individual and entity to whom it is addressed. If you are > not the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. > ######################################################### > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From sami.joseph at gmail.com Thu Aug 7 17:59:19 2008 From: sami.joseph at gmail.com (Sami Joseph) Date: Fri, 8 Aug 2008 00:59:19 +0300 Subject: [c-nsp] Route Leaking and next-hop recursion Message-ID: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> Hi All, I need to reinforce my understanding of how route leaking from a VRF to global works, I was not able to find a decent document using Google. 
Network topology: http://www.postyourimage.com/view_image.php?img_id=GpgBT3FzVRxuuE81218144855

On the 6500 switch, I created Vlans and SVIs like the following:

interface Vlan20
 ip address 10.5.5.73 255.255.255.248

And on interface vlan 40, I added a VRF:

int vlan40
 ip vrf forwarding 3G
 ip address 10.0.0.1 255.255.255.252

Then I want the routes inside this VRF to access the IP addresses behind VLAN20 as depicted in the diagram (1.1.1.10 and 1.1.1.11).

So I need to do leaking from global to vrf and the path back from vrf to global:

ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global

And (assuming the networks on the yellow cloud are 8.8.8.0):

ip route 8.8.8.0 255.255.255.0 vlan40

This way, I guaranteed that packets destined from the VRF to global will go to their next-hop which is directly connected to the switch (10.5.5.74), and I suppose route recursion should be able to find where the next-hop is.

When we opened a ticket for this, we were told that with this setup, CEF is not going to be able to create a valid adjacency and so an ARP request will be sent for each packet destined to 10.5.5.74 without a reply.

Why can't CEF install an entry for 10.5.5.74? Why can't route recursion work?

Thanks,
Sam

From p.mayers at imperial.ac.uk Thu Aug 7 18:00:03 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 07 Aug 2008 23:00:03 +0100
Subject: [c-nsp] Crash bug in SXH3
Message-ID: <489B7063.8040904@imperial.ac.uk>

All,

Just a warning, there is a fatal crash bug in SXH3 related to using SCP. Considering the release notes claim fixes in that very area, this is highly amusing (note: issue may not actually be amusing).

Does anyone else think the 6500 software train is becoming a bad joke? SRC claims *today* ISSU using dual sups / SSO, a much larger chunk of (33) features e.g. 6vpe etc. and one presumes a faster rate of ports from mainline IOS because they don't need to modularise everything.

SXH on the other hand has... erm... buggy modularity. And... buggy monolithic too.

I haven't got a TAC case open because we've rolled back to SXH2a (which has its own set of crash bugs, but less frequent ones...) and it's late - a task for tomorrow I feel.

From rubensk at gmail.com Thu Aug 7 18:11:40 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 7 Aug 2008 19:11:40 -0300
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <6bb5f5b10808071511g21a6bccvab8599b86a2e559@mail.gmail.com>

Phil,

Are there any memory issues with SXH3 on your lab? It seems SXH3, modular or monolithic, requires more SP/RP memory than SXH2a.

Rubens

On Thu, Aug 7, 2008 at 7:00 PM, Phil Mayers wrote:
> All,
>
> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)
>
> Does anyone else think the 6500 software train is becoming a bad joke? SRC
> claims *today* ISSU using dual sups / SSO, a much larger chunk of (33)
> features e.g. 6vpe etc. and one presumes a faster rate of ports from
> mainline IOS because they don't need to modularise everything.
>
> SXH on the other hand has... erm... buggy modularity. And... buggy
> monolithic too.
>
> I haven't got a TAC case open because we've rolled back to SXH2a (which has
> its own set of crash bugs, but less frequent ones...) and it's late - a task
> for tomorrow I feel.

From Rafael.Rodriguez at msmc.com Thu Aug 7 18:38:43 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Thu, 7 Aug 2008 18:38:43 -0400
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
In-Reply-To: <489073C7.5020003@utc.edu>
References: <489073C7.5020003@utc.edu>
Message-ID: <13D27D9DCE0E0945A617043C88DD6194017C82B2@SVIPEXC1.msmc.com>

Don't know the answer to your BGP question but you can put 512Mb on the SUP2 and the MSFC2.

Cheers,
RR

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: Wednesday, July 30, 2008 10:00
To: cisco-nsp
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...

Quick question for someone that's "been there done that" from someone who has said "I thought it would work" more often than I'd like :-)

Can you get a full BGP feed (two peers) into a Sup2? with uRPF? Which RAM needs to be upgraded? I found out the hard way it won't fit into a SUP2/MSFC2/PFC2 w/256Mb. Will 512Mb do it? Can you put 512Mb in a Sup2 (some 3rd-party pages imply 256 is max, another says a "Sup2U" can do 512)? Do you upgrade the Sup2 memory or one of the daughtercards, or both?

Jeff

From peter at rathlev.dk Thu Aug 7 20:05:18 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Aug 2008 02:05:18 +0200
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com>
Message-ID: <1218153918.29360.5.camel@abehat>

On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
> interface Vlan20
>  ip address 10.5.5.73 255.255.255.248
>
> int vlan40
>  ip vrf forwarding 3G
>  ip address 10.0.0.1 255.255.255.252
>
> Then I want the routes inside this VRF to access the IP addresses behind
> VLAN20 as depicted in the diagram (1.1.1.10 and 1.1.1.11)
>
> So I need to do leaking from global to vrf and the path back from vrf to
> global:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
>
> And: (assuming the networks on the yellow cloud are 8.8.8.0)
>
> ip route 8.8.8.0 255.255.255.0 vlan40
>
> This way, I guaranteed that packets destined from the VRF to global will go
> to their next-hop which is directly connected to the switch (10.5.5.74) and
> I suppose route recursion should be able to find where the next-hop is.
>
> When we opened a ticket for this, we were told that with this setup, CEF is
> not going to be able to create a valid adjacency and so an ARP request will
> be sent for each packet destined to 10.5.5.74 without a reply.
>
> Why can't CEF install an entry for 10.5.5.74? Why can't route recursion work?

Just a shot in the dark, but would it help to add an interface to the vrf route statement? Like this:

ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global

Regards,
Peter

From tdurack at gmail.com Thu Aug 7 21:32:31 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 7 Aug 2008 21:32:31 -0400
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>

We hit this in SXH2 also (haven't tested SXH2a.) Bug ID was:

CSCse12154 - Bus error crash after executing secure copy (scp)

We fixed it with a "no ip scp server" (or something like that.)

Disappointing a bug this severe isn't fixed in SXH3. Maybe it will be in SXI...

Tim:>

On Thu, Aug 7, 2008 at 6:00 PM, Phil Mayers wrote:
> All,
>
> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)
>
> Does anyone else think the 6500 software train is becoming a bad joke? SRC
> claims *today* ISSU using dual sups / SSO, a much larger chunk of (33)
> features e.g. 6vpe etc. and one presumes a faster rate of ports from
> mainline IOS because they don't need to modularise everything.
>
> SXH on the other hand has... erm... buggy modularity. And... buggy
> monolithic too.
>
> I haven't got a TAC case open because we've rolled back to SXH2a (which has
> its own set of crash bugs, but less frequent ones...) and it's late - a task
> for tomorrow I feel.

From vikassharmas at gmail.com Fri Aug 8 00:55:00 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Fri, 8 Aug 2008 10:25:00 +0530
Subject: [c-nsp] EoMPLS port mode 7200

Hi,

Can I configure EoMPLS on one side 7200 and another side 7600 using service type as EWS and vc-type 4?

My requirement is:

1st scenario - I require port mode between 7200 and 7600.
2nd scenario - I require port mode between 7200 and 12k.

Thanks & Regards,
Vikas Sharma

From tseveendorj at gmail.com Fri Aug 8 02:21:49 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Fri, 8 Aug 2008 14:21:49 +0800
Subject: [c-nsp] Fans: "monitor dropped"
Message-ID: <62c908120808072321pac05536n9b973d7a7784172c@mail.gmail.com>

Hi,

I would like to know what the following log means:

Environmental monitor experienced the following events:
Fans: "monitor dropped" at 14:08:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:09:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:10:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:11:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:12:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:13:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:14:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:15:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:16:28 GMT Fri Aug 8 2008.
Fans: "monitor dropped" at 14:17:28 GMT Fri Aug 8 2008.
Temperature: Temperature Reading:
Temp at inlet fails and data is not available.
Temp at outlet is measured as -1C/31F.
Temp delta of inlet and outlet fails and data is not available.
Temperature State: Temperature is in normal state.

I couldn't see the temperature of the AS5350 gateway. How do I solve this?

Thanks for any help.

Sincerely,
Tseveen

From gert at greenie.muc.de Fri Aug 8 03:38:16 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 Aug 2008 09:38:16 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <20080808073816.GI288@greenie.muc.de>

Hi,

On Thu, Aug 07, 2008 at 11:00:03PM +0100, Phil Mayers wrote:
> I haven't got a TAC case open because we've rolled back to SXH2a (which
> has its own set of crash bugs, but less frequent ones...) and it's late
> - a task for tomorrow I feel.

I've had some problems with IPv6 not working on SVIs in SXH2a (very plain setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to neighbour didn't work). Didn't test it further, as I wanted to move this box to SXH3 anyway - did that, v6 worked.

Just as a data point.

And yes, 6500/7600 "progress" is disappointing.

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From tony at lava.net Fri Aug 8 03:55:01 2008
From: tony at lava.net (Antonio Querubin)
Date: Thu, 7 Aug 2008 21:55:01 -1000 (HST)
Subject: [c-nsp] intermittent 'igmp query-interval 125'

For some reason I've started seeing the statement below appear and disappear at random times on several routers' interfaces in the running config. This began after IGMP version 3 was enabled on several Juniper routers that share several backbone VLANs with our Cisco routers. The Cisco routers had already been running IGMP version 3 for a long while now without any odd effects.

ip igmp query-interval 125

When the statement appears in the running-config the query interval is 125. And when it disappears from the running-config, the query interval has reverted back to the normal 60 seconds.

Anyone know why this would be happening?

Antonio Querubin
whois: AQ7-ARIN

From spinthiras.mario at gmail.com Fri Aug 8 06:17:00 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 8 Aug 2008 13:17:00 +0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com> <1216129215.24030.4.camel@svesken.sys.mjna.net> <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com>
Message-ID: <4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>

crypto ip-sec df-bit clear/set ?

If you have mismatches on either ends you can see "unencrypted" traffic on one end while normal signs of operation on the other.

Warm Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From spinthiras.mario at gmail.com Fri Aug 8 06:18:16 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 8 Aug 2008 13:18:16 +0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com> <1216129215.24030.4.camel@svesken.sys.mjna.net> <3cf174360808061025k6786e852p35c9067015daeada@mail.gmail.com> <4f890e580808080317n6071999aic43234426f880477@mail.gmail.com>
Message-ID: <4f890e580808080318p2b7af799p5aec69eeedf8924a@mail.gmail.com>

Plus it would be great if you could run a packet-trace and paste it here.

--
Warm Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From p.mayers at imperial.ac.uk Fri Aug 8 07:02:16 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 08 Aug 2008 12:02:16 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>
References: <489B7063.8040904@imperial.ac.uk> <9e246b4d0808071832r26928204vad3acb050377e3b4@mail.gmail.com>
Message-ID: <489C27B8.90204@imperial.ac.uk>

Tim Durack wrote:
> We hit this in SXH2 also (haven't tested SXH2a.) Bug ID was:
>
> CSCse12154 - Bus error crash after executing secure copy (scp)
>
> We fixed it with a "no ip scp server" (or something like that.)

The release notes claim it *was* fixed in SXH3; it's specifically mentioned in the list of "resolved caveats".

Also, the bug in our case was triggered by an automated job:

* cron job on unix machine
* scp admin at router:startup-config /backups/router

...which doesn't read like the same bug.

From sami.joseph at gmail.com Fri Aug 8 07:26:23 2008
From: sami.joseph at gmail.com (Sami Joseph)
Date: Fri, 8 Aug 2008 14:26:23 +0300
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <1218153918.29360.5.camel@abehat>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> <1218153918.29360.5.camel@abehat>
Message-ID: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>

That made it work, but I need to understand the reason.
Sam

On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
> > interface Vlan20
> >  ip address 10.5.5.73 255.255.255.248
> >
> > int vlan40
> >  ip vrf forwarding 3G
> >  ip address 10.0.0.1 255.255.255.252
> >
> > Then I want the routes inside this VRF to access the IP addresses behind
> > VLAN20 as depicted in the diagram (1.1.1.10 and 1.1.1.11)
> >
> > So I need to do leaking from global to vrf and the path back from vrf to
> > global:
> >
> > ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
> >
> > And: (assuming the networks on the yellow cloud are 8.8.8.0)
> >
> > ip route 8.8.8.0 255.255.255.0 vlan40
> >
> > This way, I guaranteed that packets destined from the VRF to global will go
> > to their next-hop which is directly connected to the switch (10.5.5.74) and
> > I suppose route recursion should be able to find where the next-hop is.
> >
> > When we opened a ticket for this, we were told that with this setup, CEF is
> > not going to be able to create a valid adjacency and so an ARP request will
> > be sent for each packet destined to 10.5.5.74 without a reply.
> >
> > Why can't CEF install an entry for 10.5.5.74? Why can't route recursion work?
>
> Just a shot in the dark, but would it help to add an interface to the
> vrf route statement? Like this:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> Regards,
> Peter

From peter at rathlev.dk Fri Aug 8 08:43:53 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 08 Aug 2008 14:43:53 +0200
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> <1218153918.29360.5.camel@abehat> <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com>
Message-ID: <1218199433.2135.5.camel@abehat>

On Fri, 2008-08-08 at 14:26 +0300, Sami Joseph wrote:
> On Fri, Aug 8, 2008 at 3:05 AM, wrote
> > Just a shot in the dark, but would it help to add an interface to
> > the vrf route statement? Like this:
> >
> > ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> That made it work, but I need to understand the reason.

Well, I guess CEF needs all the relevant information (next hop IP + interface) to build a full adjacency, and not just a glean adjacency. I can't figure out why the glean wouldn't work, i.e. why there would never be any response to the ARP for 10.5.5.74. I guess CEF has some voodoo elements. :-)

Regards,
Peter

From booloo at ucsc.edu Fri Aug 8 12:42:14 2008
From: booloo at ucsc.edu (Mark Boolootian)
Date: Fri, 8 Aug 2008 09:42:14 -0700
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080808073816.GI288@greenie.muc.de>
References: <489B7063.8040904@imperial.ac.uk> <20080808073816.GI288@greenie.muc.de>
Message-ID: <20080808164214.GA67424@root.ucsc.edu>

Gert,

> I've had some problems with IPv6 not working on SVIs in SXH2a (very plain
> setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to
> neighbour didn't work).

Can you tell me what feature set you were running?

mark

From billf at mu.org Fri Aug 8 13:08:15 2008
From: billf at mu.org (bill fumerola)
Date: Fri, 8 Aug 2008 10:08:15 -0700
Subject: [c-nsp] OT: Linux Script for router management
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local>
References: <834c50110808070858k233c6d4g28665bd3d0a09350@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863509922AF6@exchange.aoihq.local>
Message-ID: <20080808170815.GS6869@elvis.mu.org>

On Thu, Aug 07, 2008 at 12:08:04PM -0400, Eric Van Tol wrote:
> > -----Original Message-----
> > I'm facing a problem with routers management, near of 80 dispersed
> > routers of differents providers with differents usr/pass , I would like to
> > have a linux console with a Menu with router list, then when a choose a
> > option, I can get into the router automatically, or maybe other way, for
> > example before I used a Linux console where I write down the hostname and I
> > get the router. Do you know some tool/script that can do it?
> >
>
> You should be able to use RANCID (http://www.shrubbery.net/rancid) in
> combination with an MOTD banner on your server that lists all the routers
> and an alias to get access to each one. You get the added benefit of
> backing up configs of all the routers, too.

as for the menu:

sh/dialog: http://invisible-island.net/dialog/
C: http://www.troubleshooters.com/lpm/200405/200405.htm#_A_Simple_Menu
Perl: http://backpan.cpan.org/authors/id/C/CC/CCOLLINS/Curses-Menu-1.00.readme
TCL: http://wiki.tcl.tk/12953
PHP: http://devzone.zend.com/article/1083-Using-Ncurses-in-PHP
Python: http://www.ibm.com/developerworks/linux/library/l-python6.html

choose your poison.

--
- bill fumerola / billf at FreeBSD.org

From dcurran at nuvox.com Fri Aug 8 14:29:42 2008
From: dcurran at nuvox.com (David Curran)
Date: Fri, 08 Aug 2008 14:29:42 -0400
Subject: [c-nsp] Shaping vs. queuing

I understand at a common sense level how shaping and queuing are different from each other and how they affect discrete packets or flows. What I'm trying to understand is, in the context of different types of traffic, which is best? Some things I "know" about the situation are:

* TCP has a congestion control mechanism in windowing and slow-start and can react to tail-drop or drop profiles quickly.
* Real-time applications such as voice and video when faced with increased latency or jitter essentially drop the traffic to preserve quality.
* Upper layer protocols typically have mechanisms to correct for missing or corrupted packets when sent via connectionless protocols.

So if those three things are true, is policing voip or TCP traffic (with a Bc and Be properly defined) any "worse" than shaping/queuing? I'm struggling to find literature comparing the two beyond "policing drops, shaping queues". Any thoughts or links would be appreciated.

-d

This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email. Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.

From swmike at swm.pp.se Fri Aug 8 15:11:37 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 8 Aug 2008 21:11:37 +0200 (CEST)
Subject: [c-nsp] Shaping vs. queuing

On Fri, 8 Aug 2008, David Curran wrote:

> Any thoughts or links would be appreciated.

1. File transfers based on TCP generally work better with shaping, especially if they are few and have high bw per TCP session.

2. Interactive protocols (cli terminal sessions over ssh for instance) generally work better with policing as it doesn't really matter if a packet is lost compared to a constant long delay due to queuing (in case file transfers are filling up the queues). This is at least true if the session is between hosts that are fairly close to each other.

3. Gamers want low latency and games usually handle packet loss fairly well.

4. IP telephony can generally handle a few percent packet loss without any major trouble (echo cancellation might be hurt in case of packet loss though).

5. IPTV transfers over UDP generally do not have error correction and are very sensitive to packet loss.

6. You do not want to queue ACKs if you can avoid it, as this slows down TCP based communications going the other way.

So it's all down to what you want to prioritize. With the current traffic mix on the internet I don't really see any reason to ever queue a packet more than 30-40ms, then you might as well drop it (using WRED for instance).

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From damin at nacs.net Fri Aug 8 15:43:28 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Fri, 8 Aug 2008 15:43:28 -0400
Subject: [c-nsp] Service Provider Image for NPE-300
Message-ID: <05d301c8f98f$0791e2e0$16b5a8a0$@net>

Hello,

Got a 7206 VXR sitting in the back that I'm working on configuring for a simple BGP peering setup.. Nothing crazy.. just need to support Vlan Tagging + BGP for a couple of routes. Wondering what image people are running.. It currently has c7200-p-mz.122-46a.bin on it, but wondering if there is a 12.2S that might be more current and better suited..

From zeusdadog at gmail.com Fri Aug 8 22:28:40 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Fri, 8 Aug 2008 22:28:40 -0400
Subject: [c-nsp] 2851 and full BGP
Message-ID: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>

I have two 2851s connected to each other over gigabit Ethernet WAN.
Both have 1GB RAM and running 12.4(20)T advanced IP services. Both routers are connected to our providers with full BGP feed. That part works fine. When I have the two 2851 try to send it's full route to each other, it gets to about 20,000 routes and the session resets. Here is a debug output Aug 8 09:48:30.099: BGP: x.x.x.x bad message length - 4097 Aug 8 09:48:30.099: BGP: x.x.x.x went from Established to Closing Any ideas on what could be causing this issue? Is there a better IOS version to use? Thanks in advance. From antal.gergely at hu.digi.tv Sat Aug 9 13:08:27 2008 From: antal.gergely at hu.digi.tv (Antal Gergely) Date: Sat, 09 Aug 2008 19:08:27 +0200 Subject: [c-nsp] 2851 and full BGP In-Reply-To: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com> References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com> Message-ID: <489DCF0B.7080204@hu.digi.tv> Jay Nakamura wrote: > I have two 2851s connected to each other over gigabit Ethernet WAN. > > Both have 1GB RAM and running 12.4(20)T advanced IP services. > > Both routers are connected to our providers with full BGP feed. That part > works fine. > > When I have the two 2851 try to send it's full route to each other, it gets > to about 20,000 routes and the session resets. Here is a debug output > > Aug 8 09:48:30.099: BGP: x.x.x.x bad message length - 4097 > Aug 8 09:48:30.099: BGP: x.x.x.x went from Established to Closing > ip mtu problem?? sh ip bgp nei xxx | i data segment?? -- Antal GERGELY Backbone Network Department IP Services DIGI KFT Budapest Vaci ut 35. H-1134 Hungary -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From amaged at cisco.com Sat Aug 9 14:33:59 2008 From: amaged at cisco.com (Ahmed Maged (amaged)) Date: Sat, 9 Aug 2008 20:33:59 +0200 Subject: [c-nsp] Route Leaking and next-hop recursion In-Reply-To: <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com> References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com><1218153918.29360.5.camel@abehat> <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com> Message-ID: <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com> Hi Sami, Peter, I'll try to explain this for you in simple but long words, let me know if that doesn't make any sense to you. The packet will come in through your interface that is attached to a VRF and so it will lookup the VRF routing table to find a route but your destination is not inside the VRF, it's in the Global table so you will need to leak this route out. Now that was for the outgoing direction, how about the incoming, it will come from the interface that is in global and lookup the RIB for a next-hop and it wont find any, why, because its in the VRF. So, you will need another route to tell the router that in order to go to your source, you need to go into this VRF interface, and to achieve that you need to create a static route that point to the VRF. Now if you create this static route with the next-hop being an IP address, the router/CEF will try to do recursion in order to find the outgoing interface but it wont, why, because it's attached to a VRF so its invisible to our global table. And that's why you created a next-hop that consists of an IP and an interface. This way, you are bypassing the route recursion process by telling the router all the info it needs to find its destination and create the CEF adjacency (next-hop IP + interface). 
You can see this if you do (but be careful): debug ip cef events and debug ip cef interface

http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml

Regards,
Ahmed

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
Sent: Friday, August 08, 2008 2:26 PM
To: Peter Rathlev
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Route Leaking and next-hop recursion

That made it work but I need to understand the reason?

Sam

On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
>
> > interface Vlan20
> > ip address 10.5.5.73 255.255.255.248
> >
> > int vlan40
> > ip vrf forwarding 3G
> > ip address 10.0.0.1 255.255.255.252
> >
> > Then I want the routes inside this VRF to access the IP addresses behind
> > VLAN20 as depicted in the diagram: (1.1.1.10 and 1.1.1.11)
> >
> > So I need to do leaking from global to vrf and the path back from vrf to
> > global:
> >
> > ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
> >
> > And: (assuming the networks on the yellow cloud are 8.8.8.0)
> >
> > ip route 8.8.8.0 255.255.255.0 vlan40
> >
> > This way, I guaranteed that packets destined from the VRF to global will
> > go to their next-hop which is directly connected to the switch (10.5.5.74)
> > and I suppose route recursion should be able to find where the next-hop is.
> >
> > When we opened a ticket for this, we were told that with this setup, CEF
> > is not going to be able to create a valid adjacency and so an arp request
> > will be sent for each packet destined to 10.5.5.74 without a reply.
> >
> > Why can't CEF install an entry for 10.5.5.74, why can't route recursion
> > work?
>
> Just a shot in the dark, but would it help to add an interface to the
> vrf route statement?
> Like this:
>
> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global
>
> Regards,
> Peter

From cchurc05 at harris.com Sat Aug 9 16:51:04 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sat, 9 Aug 2008 15:51:04 -0500
Subject: [c-nsp] Release notes for ISR ROMMON
Message-ID:

Anyone know where to find the release notes for the various ROMMON versions for the 2800 and 3800 routers? Noticed 'DRAM access optimization' as a benefit of the latest 2800 ROMMON, and I recently worked on a problem with a 3845 giving console messages like this:

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Rommon primary and backup variables are invalid...
Warning: monitor nvram area is corrupt ... using default values
amd_flash_cmd: timeout on erase sector command
environment checksum failed
amd_flash_cmd: timeout on erase sector command
environment write to NVRAM failed
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23
ROM Monitor Can Not Recover From Exception
A Board ?
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Storing backup rommon variables...
amd_flash_cmd: timeout on erase sector command
amd_flash_cmd: timeout on erase sector command
environment checksum failed
Total memory size = 512 MB - DIMM0 = 512 MB, DIMM1 = 0 MB
c3845 platform with 524288 Kbytes of main memory
Main memory is configured to 72/0(dimm 0/1) bit mode with ECC enabled
Readonly ROMMON initialized
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23

I've got a feeling it's really bad hardware, but usually want to exhaust all the possible bugs before calling TAC. Since it specifically mentions ROMMON variables in the output, figured it was at least related. The DRAM access optimization thing just sounds interesting. Searched the web site for a good 20 minutes, no luck.

Thanks,

Chuck

From arla at rn.dk Sat Aug 9 17:17:09 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sat, 9 Aug 2008 23:17:09 +0200
Subject: [c-nsp] static addressing to vpnclients on asa-firewall vs freeradius
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>

Hi all
I need some help regarding downloading static address to vpn clients on an asa-pix firewall.
Does anyone have a sample of how the user entry has to look, when I'm using a freeware radius server.
Both on the asa and the radius server
Is there an attribute list available somewhere

/Arne

From jarruda-cnsp at jarruda.com Sat Aug 9 18:27:35 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Sat, 09 Aug 2008 18:27:35 -0400
Subject: [c-nsp] Route Leaking and next-hop recursion
In-Reply-To: <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com>
References: <9da37ec40808071459p5e08695chb07666bc35773f95@mail.gmail.com> <1218153918.29360.5.camel@abehat> <9da37ec40808080426w4fafcfa8g3af06815066a92ea@mail.gmail.com> <0BB7A1080B7DBD4494E09FF171D2ACEA01C73225@xmb-ams-33c.emea.cisco.com>
Message-ID: <489E19D7.9060607@jarruda.com>

Ahmed Maged (amaged) wrote:
> Hi Sami, Peter,
>
> I'll try to explain this for you in simple but long words, let me know
> if that doesn't make any sense to you.
>
> The packet will come in through your interface that is attached to a VRF
> and so it will look up the VRF routing table to find a route but your
> destination is not inside the VRF, it's in the global table so you will
> need to leak this route out.
>
> Now that was for the outgoing direction, how about the incoming, it will
> come from the interface that is in global and look up the RIB for a
> next-hop and it won't find any, why, because it's in the VRF.
>
> So, you will need another route to tell the router that in order to go
> to your source, you need to go into this VRF interface, and to achieve
> that you need to create a static route that points to the VRF.
>
> Now if you create this static route with the next-hop being an IP
> address, the router/CEF will try to do recursion in order to find the
> outgoing interface but it won't, why, because it's attached to a VRF so
> it's invisible to our global table.
>
> And that's why you created a next-hop that consists of an IP and an
> interface.
> This way, you are bypassing the route recursion process by
> telling the router all the info it needs to find its destination and
> create the CEF adjacency (next-hop IP + interface).
>
> You can see this if you do (but be careful): debug ip cef events and
> debug ip cef interface

Dumb question, if I've another route, where the next-hop is reached via this 'leaked+nailed-with-interface' route, would it work with a dynamic routing protocol?

Example, if a BGP route announced to this VRF had the next-hop 'field' == to the remote end in a p2p interface in the global table, could I add a static route to reach the next-hop 'via' 'static-route on global + interface', and this would make all routes with that next-hop received via BGP work?

> http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
>
> Regards,
> Ahmed
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
> Sent: Friday, August 08, 2008 2:26 PM
> To: Peter Rathlev
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Route Leaking and next-hop recursion
>
> That made it work but I need to understand the reason?
>
> Sam
>
> On Fri, Aug 8, 2008 at 3:05 AM, Peter Rathlev wrote:
>
>> On Fri, 2008-08-08 at 00:59 +0300, Sami Joseph wrote:
>>
>>> interface Vlan20
>>> ip address 10.5.5.73 255.255.255.248
>>>
>>> int vlan40
>>> ip vrf forwarding 3G
>>> ip address 10.0.0.1 255.255.255.252
>>>
>>> Then I want the routes inside this VRF to access the IP addresses behind
>>> VLAN20 as depicted in the diagram: (1.1.1.10 and 1.1.1.11)
>>>
>>> So I need to do leaking from global to vrf and the path back from vrf to
>>> global:
>>>
>>> ip route vrf 3G 1.1.1.10 255.255.255.255 10.5.5.74 global
>>>
>>> And: (assuming the networks on the yellow cloud are 8.8.8.0)
>>>
>>> ip route 8.8.8.0 255.255.255.0 vlan40
>>>
>>> This way, I guaranteed that packets destined from the VRF to global will
>>> go to their next-hop which is directly connected to the switch (10.5.5.74)
>>> and I suppose route recursion should be able to find where the next-hop is.
>>>
>>> When we opened a ticket for this, we were told that with this setup, CEF
>>> is not going to be able to create a valid adjacency and so an arp request
>>> will be sent for each packet destined to 10.5.5.74 without a reply.
>>>
>>> Why can't CEF install an entry for 10.5.5.74, why can't route recursion
>>> work?
>>
>> Just a shot in the dark, but would it help to add an interface to the
>> vrf route statement?
>> Like this:
>>
>> ip route vrf 3G 1.1.1.10 255.255.255.255 Vlan20 10.5.5.74 global

From mtinka at globaltransit.net Sun Aug 10 05:49:07 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 10 Aug 2008 17:49:07 +0800
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com>
Message-ID: <200808101749.07941.mtinka@globaltransit.net>

On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:

> Any ideas on what could be causing this issue? Is there
> a better IOS version to use?

Sounds like an MTU issue.

Try disabling TCP PMTUd for BGP and see if that helps:

router bgp 1234
 no bgp transport path-mtu-discovery

If that works, consider checking with your provider on the supported MTU, end-to-end, and adjust your interface MTU if it helps.

Cheers,

Mark.

From gert at greenie.muc.de Sun Aug 10 10:27:52 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 10 Aug 2008 16:27:52 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080808164214.GA67424@root.ucsc.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080808073816.GI288@greenie.muc.de> <20080808164214.GA67424@root.ucsc.edu>
Message-ID: <20080810142752.GL288@greenie.muc.de>

Hi,

On Fri, Aug 08, 2008 at 09:42:14AM -0700, Mark Boolootian wrote:
> > I've had some problems with IPv6 not working on SVIs in SXH2a (very plain
> > setup, /64 transit networks, SVIs on top of TenGigE on 6704 cards, ping to
> > neighbour didn't work).
>
> Can you tell me what feature set you were running?

"advipservicesk9" - Advanced IP Services SSH

(So it was not "IPv6 not supported" but "IPv6 commands being accepted, parts of it working fine, but neighbours on an SVI on top of a 6704-10GE being unpingable").
gert

--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                           gert at greenie.muc.de
fax: +49-89-35655025                      gert at net.informatik.tu-muenchen.de

From ghostonthewire at gmail.com Sun Aug 10 15:22:23 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Sun, 10 Aug 2008 23:22:23 +0400
Subject: [c-nsp] static addressing to vpnclients on asa-firewall vs freeradius
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28869444B4F9@SRVEXC02.aas.its.nja.dk>
Message-ID: <489F3FEF.1070205@gmail.com>

hi, Arne.

Arne Larsen / Region Nordjylland wrote:
> Hi all
> I need some help regarding downloading static address to vpn clients on an asa-pix firewall.

I hope you mean "assigning"?

> Does anyone have a sample of how the user entry has to look, when I'm using a freeware radius server. Both on the asa and the radius server
> Is there an attribute list available somewhere
>

I use PIX 515E + 8.x software with FreeRADIUS.
Typical entry for assigning a static address to a remote vpn user is:

dn: uid=user,ou=users,dc=somecorp,dc=org
dialupAccess: 1
gidNumber: 100
homeDirectory: /some/dir/
mail: user at somecorp.org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: radiusprofile
objectClass: posixAccount
uid: user
cn: John User
givenName: John User
radiusFramedIPAddress: 192.168.0.1
radiusFramedIPNetmask: 255.255.255.0
sn: User
uidNumber: 100
userPassword: somepassword

From paul.cosgrove at heanet.ie Sun Aug 10 16:52:03 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Sun, 10 Aug 2008 21:52:03 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <200808101749.07941.mtinka@globaltransit.net>
References: <9418aca70808081928v6bf4327oc4e05bd620fa8fd1@mail.gmail.com> <200808101749.07941.mtinka@globaltransit.net>
Message-ID: <489F54F3.6000707@heanet.ie>

Keep in mind that if the peerings are not between directly connected IPs, disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.

You could check the achievable MTU using extended pings with the DF bit set, and compare it with the segment size listed by BGP before you decide whether to make that change.

Paul.

Mark Tinka wrote:
> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>
>> Any ideas on what could be causing this issue? Is there
>> a better IOS version to use?
>
> Sounds like an MTU issue.
>
> Try disabling TCP PMTUd for BGP and see if that helps:
>
> router bgp 1234
>  no bgp transport path-mtu-discovery
>
> If that works, consider checking with your provider on the
> supported MTU, end-to-end, and adjust your interface MTU if
> it helps.
>
> Cheers,
>
> Mark.
From cchurc05 at harris.com Sun Aug 10 17:29:52 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sun, 10 Aug 2008 16:29:52 -0500
Subject: [c-nsp] 2851 and full BGP
Message-ID:

Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else.

Chuck

----- Original Message -----
From: cisco-nsp-bounces at puck.nether.net
To: mtinka at globaltransit.net
Cc: cisco-nsp at puck.nether.net
Sent: Sun Aug 10 15:52:03 2008
Subject: Re: [c-nsp] 2851 and full BGP

Keep in mind that if the peerings are not between directly connected IPs, disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.

You could check the achievable MTU using extended pings with the DF bit set, and compare it with the segment size listed by BGP before you decide whether to make that change.

Paul.

Mark Tinka wrote:
> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>
>> Any ideas on what could be causing this issue? Is there
>> a better IOS version to use?
>
> Sounds like an MTU issue.
>
> Try disabling TCP PMTUd for BGP and see if that helps:
>
> router bgp 1234
>  no bgp transport path-mtu-discovery
>
> If that works, consider checking with your provider on the
> supported MTU, end-to-end, and adjust your interface MTU if
> it helps.
>
> Cheers,
>
> Mark.
From r3nd0 at yahoo.com Sun Aug 10 22:47:58 2008
From: r3nd0 at yahoo.com (rendo)
Date: Mon, 11 Aug 2008 09:47:58 +0700
Subject: [c-nsp] impact of policy based routing
In-Reply-To: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com>
References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com>
Message-ID: <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>

Hi,

I'm looking for any cisco documentation or maybe your experiences regarding the impact of implementing policy based routing on the 76xx platform. I have a plan to put in around 5-10 source-based routes; each source goes to the same outgoing interface but with a different IP next-hop. The projected throughput will be around 1 Gbps.

I guess there are some impacts on CPU load and memory as well, so if anyone here has anything to share, it would be great.

Thanks in advance.

-rendo-

From rubensk at gmail.com Sun Aug 10 23:09:29 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 11 Aug 2008 00:09:29 -0300
Subject: [c-nsp] impact of policy based routing
In-Reply-To: <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>
References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com> <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com>
Message-ID: <6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com>

It depends on whether the policy route will be only processed by the SUP/RSP-720 or not.
Although the following text is from the Cat IOS (ISBU) not 7600 IOS (ERBU), my understanding is it reflects what PFC3x can and can't do in hardware:

"The Policy Feature Card (PFC) and any Distributed Feature Cards (DFCs) provide hardware support for policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords.

When configuring PBR, follow these guidelines and restrictions:

- The PFC provides hardware support for PBR configured on a tunnel interface.
- The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.
- If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.
- Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the RP to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.
- PBR traffic through switching module ports where PBR is configured is routed in software if the switching module resets. (CSCee92191)
- Any permit route-map sequence with no set statement will cause matching traffic to be processed by the RP."

If you manage to keep within these boundaries, CPU load will be as if there were no PBR at all. Otherwise, you will either eat up a significant portion of RSP720 pps capacity, or kill a SUP720.

Rubens

On Sun, Aug 10, 2008 at 11:47 PM, rendo wrote:
> Hi,
>
> I'm looking for any cisco documentation or maybe your experiences regarding
> the impact of implementing policy based routing on the 76xx platform. I have a
> plan to put in around 5-10 source-based routes; each source goes to the same
> outgoing interface but with a different IP next-hop.
> The projected throughput
> will be around 1 Gbps.
>
> I guess there are some impacts on CPU load and memory as well, so if anyone
> here has anything to share, it would be great.
>
> Thanks in advance.
>
> -rendo-

From sdanelli at gmail.com Sun Aug 10 23:50:34 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Sun, 10 Aug 2008 21:50:34 -0600
Subject: [c-nsp] filter LDP bindings
Message-ID:

Hello,
I am trying to filter LDP label bindings to only advertise my loopback address (for vpnv4 traffic) but I am unsure as to what the requirements are. Here is what I have:

PE1#show ip route connected | in ^C
C    1.1.1.0 is directly connected, Serial1/0
C    10.0.0.1 is directly connected, Loopback0
C    150.0.0.0 is directly connected, FastEthernet0/1

PE1#sh run | in tag
no tag-switching advertise-tags
tag-switching advertise-tags for ldp-filter

PE1#show access-lists ldp-filter
Standard IP access list ldp-filter
    10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
    999 deny   any (7 matches)

matches?

but still generates a binding for all my connected interfaces:

PE1#show mpls ldp bindings 150.0.0.0 24
  tib entry: 150.0.0.0/24, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 25.25.25.25:0, tag: 18
PE1#

And the other side tags it with a label:

PE2#traceroute 150.0.0.1

Type escape sequence to abort.
Tracing the route to 150.0.0.1

  1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
  2 1.1.1.1 24 msec 52 msec *

TIA,
--
Sergio Danelli

From oboehmer at cisco.com Mon Aug 11 01:41:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 11 Aug 2008 07:41:25 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>

Sergio D.
<> wrote on Monday, August 11, 2008 5:51 AM:

> Hello,
> I am trying to filter LDP label bindings to only advertise my loopback
> address (for vpnv4 traffic) but I am unsure as to what the
> requirements are. Here is what I have:
> PE1#show ip route connected | in ^C
> C    1.1.1.0 is directly connected, Serial1/0
> C    10.0.0.1 is directly connected, Loopback0
> C    150.0.0.0 is directly connected, FastEthernet0/1
>
> PE1#sh run | in tag
> no tag-switching advertise-tags
> tag-switching advertise-tags for ldp-filter
>
> PE1#show access-lists ldp-filter
> Standard IP access list ldp-filter
>     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
>     999 deny   any (7 matches)
>
> matches?
>
> but still generates a binding for all my connected interfaces:
>
> PE1#show mpls ldp bindings 150.0.0.0 24
>   tib entry: 150.0.0.0/24, rev 2
>         local binding:  tag: imp-null
>         remote binding: tsr: 25.25.25.25:0, tag: 18
> PE1#
>
> And the other side tags it with a label:
>
> PE2#traceroute 150.0.0.1
>
> Type escape sequence to abort.
> Tracing the route to 150.0.0.1
>
>   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
>   2 1.1.1.1 24 msec 52 msec *

which release(s) are you using? Did you apply the filter on all the nodes? Can you remove the explicit "deny any" line and try again? Some older IOS releases interpreted the explicit "deny any" differently (see http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1076409).

BTW: the LDP filter only prevents advertisement of the binding, it doesn't prevent the LSR from assigning a label (the imp-null in your example).
	oli

From joost.greene at gmail.com Mon Aug 11 04:13:38 2008
From: joost.greene at gmail.com (Joost greene)
Date: Mon, 11 Aug 2008 11:13:38 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080801140458.GA21900@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net>
Message-ID: <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>

Hi Saku,

I forgot to mention that the question said to limit telnet access to the loopback of two routers without using access lists, so I can see your answer makes sense, but what do you mean by MPLS LSR?

Thanks,
Joost

On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti wrote:
> On (2008-08-01 15:14 +0200), Joost greene wrote:
>
> > Hey,
> >
> > Someone challenged me with a question on how I can filter telnet access to
> > one router from all hosts except two of them WITHOUT using access-lists or
> > access-line under the VTY? any ideas?
>
> I assume challenge was set, because asker knows how to do it. If not,
> then I think challenge should be, how to make router output PONIES.
> Anyhow, I think CoPP, rACL and policy-route would break the
> 'no acl' definition and wouldn't be acceptable solution.
>
> I think what would fit the rule, is MPLS LSR where you'd only
> have route back to couple management hosts and others couldn't
> telnet to the box, simply because box doesn't have route to them.
> Of course everyone in your IGP could telnet to the box also.
>
> --
> ++ytti

From saku+cisco-nsp at ytti.fi Mon Aug 11 04:21:43 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 11 Aug 2008 11:21:43 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com>
Message-ID: <20080811082143.GA30208@mx.ytti.net>

On (2008-08-11 11:13 +0300), Joost greene wrote:

> I forgot to mention that the question said to limit telnet access to
> loopback of two routers without using Access lists so I can see your answer
> makes sense but what do you mean by MPLS LSR?

LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router; one of its features by design is that it does not need IP routes to the Internet, it only needs IP routes to other core and edge routers. So as you don't have a route back to the chap telnetting to your box, telnet can not establish. To allow some hosts to telnet, simply make a static route for those hosts towards some box which has a route back to them.

> Thanks,
> Joost
>
> On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti wrote:
>
> > On (2008-08-01 15:14 +0200), Joost greene wrote:
> >
> > > Hey,
> > >
> > > Someone challenged me with a question on how I can filter telnet access to
> > > one router from all hosts except two of them WITHOUT using access-lists or
> > > access-line under the VTY? any ideas?
> >
> > I assume challenge was set, because asker knows how to do it. If not,
> > then I think challenge should be, how to make router output PONIES.
> > Anyhow, I think CoPP, rACL and policy-route would break the
> > 'no acl' definition and wouldn't be acceptable solution.
> >
> > I think what would fit the rule, is MPLS LSR where you'd only
> > have route back to couple management hosts and others couldn't
> > telnet to the box, simply because box doesn't have route to them.
> > Of course everyone in your IGP could telnet to the box also.
> >
> > --
> > ++ytti

--
  ++ytti

From paul.cosgrove at heanet.ie Mon Aug 11 04:33:11 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 09:33:11 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
References:
Message-ID: <489FF947.20206@heanet.ie>

Hi Chuck,

Jay will be able to clarify, but I took the following to mean that the two are separated via third party infrastructure: "two 2851s connected to each other over gigabit Ethernet WAN".

May well be a bug though.

Paul.

Church, Charles wrote:
> Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else.
>
> Chuck
>
> ----- Original Message -----
> From: cisco-nsp-bounces at puck.nether.net
> To: mtinka at globaltransit.net
> Cc: cisco-nsp at puck.nether.net
> Sent: Sun Aug 10 15:52:03 2008
> Subject: Re: [c-nsp] 2851 and full BGP
>
> Keep in mind that if the peerings are not between directly connected IPs,
> disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.
>
> You could check the achievable MTU using extended pings with the DF bit
> set, and compare it with the segment size listed by BGP before you
> decide whether to make that change.
>
> Paul.
>
> Mark Tinka wrote:
>> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
>>
>>> Any ideas on what could be causing this issue?
>>> Is there
>>> a better IOS version to use?
>>
>> Sounds like an MTU issue.
>>
>> Try disabling TCP PMTUd for BGP and see if that helps:
>>
>> router bgp 1234
>>  no bgp transport path-mtu-discovery
>>
>> If that works, consider checking with your provider on the
>> supported MTU, end-to-end, and adjust your interface MTU if
>> it helps.
>>
>> Cheers,
>>
>> Mark.

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From joost.greene at gmail.com Mon Aug 11 04:36:33 2008
From: joost.greene at gmail.com (Joost greene)
Date: Mon, 11 Aug 2008 11:36:33 +0300
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080811082143.GA30208@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net>
Message-ID: <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com>

Ok, I thought this was a feature I didn't know about :)

I guess the answer would be PBR with a prefix-list.

Thank you all.
On Mon, Aug 11, 2008 at 11:21 AM, Saku Ytti wrote:
> On (2008-08-11 11:13 +0300), Joost greene wrote:
>
> > I forgot to mention that the question said to limit telnet access to
> > loopback of two routers without using Access lists so I can see your
> > answer makes sense but what do you mean by MPLS LSR?
>
> LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router;
> one of its features by design is that it does not need IP routes
> to the Internet, it only needs IP routes to other core and edge routers.
> So as you don't have a route back to the chap telnetting to your box,
> telnet can not establish. To allow some hosts to telnet, simply make
> a static route for those hosts towards some box which has a route
> back to them.
>
> > Thanks,
> > Joost
> >
> > On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti <saku+cisco-nsp at ytti.fi> wrote:
> >
> > > On (2008-08-01 15:14 +0200), Joost greene wrote:
> > >
> > > > Hey,
> > > >
> > > > Someone challenged me with a question on how I can filter telnet access
> > > > to one router from all hosts except two of them WITHOUT using
> > > > access-lists or access-line under the VTY? any ideas?
> > >
> > > I assume challenge was set, because asker knows how to do it. If not,
> > > then I think challenge should be, how to make router output PONIES.
> > > Anyhow, I think CoPP, rACL and policy-route would break the
> > > 'no acl' definition and wouldn't be acceptable solution.
> > >
> > > I think what would fit the rule, is MPLS LSR where you'd only
> > > have route back to couple management hosts and others couldn't
> > > telnet to the box, simply because box doesn't have route to them.
> > > Of course everyone in your IGP could telnet to the box also.
> > > > > > -- > > > ++ytti > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > -- > ++ytti > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From saku+cisco-nsp at ytti.fi Mon Aug 11 05:03:58 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 11 Aug 2008 12:03:58 +0300 Subject: [c-nsp] Filtering telnet without ACL In-Reply-To: <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com> References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net> <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com> Message-ID: <20080811090358.GA30568@mx.ytti.net> On (2008-08-11 11:36 +0300), Joost greene wrote: > Ok, i thought this is a feature i dont know about :) > > I guess the answer would be PBR with prefix-list. Although question was protocol specific which makes it hard to satisfy without ACLs. You could imagine that the box may be offering NTP, DNS or TFTP to the network which should continue to work. -- ++ytti From pl+list at pmacct.net Mon Aug 11 04:24:07 2008 From: pl+list at pmacct.net (Paolo Lucente) Date: Mon, 11 Aug 2008 09:24:07 +0100 Subject: [c-nsp] filter LDP bindings In-Reply-To: References: Message-ID: <20080811082407.GA8243@london.pmacct.net> Hi Sergio, to add to what Oliver said that you maybe want to make sure you have in the configuration a "no mpls ldp advertise-labels" line. Without that, even if you configure a filter (which is successfully matched as you shown), labels would still be announced to adjacent LDP peers. 
Don't know if this could be your case; I did have to make use of it to verify label filtering working on a 12.2SR while trying to minimize exposure of our labels in an "Inter-AS" L2 MPLS VPN scenario.

no mpls ldp advertise-labels
mpls ldp advertise-labels for LDP-DEST to LDP-PEER
[ ... ]
mpls label protocol ldp
!
interface Loopback0
 ip address 192.168.100.4 255.255.255.255
!
ip access-list standard LDP-DEST
 permit 192.168.100.4
ip access-list standard LDP-PEER
 permit 192.168.100.1
!

Cheers,
Paolo

On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> Hello,
> I am trying to filter LDP label bindings to only advertise my loopback
> address (for vpnv4 traffic) but I am unsure as to what the requirements are.
> Here is what I have:
>
> PE1#show ip route connected | in ^C
> C 1.1.1.0 is directly connected, Serial1/0
> C 10.0.0.1 is directly connected, Loopback0
> C 150.0.0.0 is directly connected, FastEthernet0/1
>
> PE1#sh run | in tag
> no tag-switching advertise-tags
> tag-switching advertise-tags for ldp-filter
>
> PE1#show access-lists ldp-filter
> Standard IP access list ldp-filter
> 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> 999 deny any (7 matches)
>
> matches?
>
> but still generates a binding for all my connected interfaces:
>
> PE1#show mpls ldp bindings 150.0.0.0 24
> tib entry: 150.0.0.0/24, rev 2
> local binding: tag: imp-null
> remote binding: tsr: 25.25.25.25:0, tag: 18
> PE1#
>
> And the other side tags it with a label:
>
> PE2#traceroute 150.0.0.1
>
> Type escape sequence to abort.
> Tracing the route to 150.0.0.1
>
> 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> 2 1.1.1.1 24 msec 52 msec *
>
> TIA,
>
> --
> Sergio Danelli

From ltd at cisco.com Mon Aug 11 06:30:16 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 11 Aug 2008 20:30:16 +1000
Subject: [c-nsp] Filtering telnet without ACL
In-Reply-To: <20080811090358.GA30568@mx.ytti.net>
References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net> <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com> <20080811090358.GA30568@mx.ytti.net>
Message-ID: <48A014B8.4010807@cisco.com>

Saku Ytti wrote:
> Although question was protocol specific which makes
> it hard to satisfy without ACLs. You could imagine
> that the box may be offering NTP, DNS or TFTP to the
> network which should continue to work.
>

You could potentially do it using CoPP, with a CoPP policy for the address(es) you wish and 0bps configured for other rates.

If it's just telnet, then certainly an access-class on the vty would work too, albeit that would be s/w enforced, not h/w enforced.

cheers,

lincoln.

From aj at sneep.net Mon Aug 11 06:55:47 2008
From: aj at sneep.net (Alastair Johnson)
Date: Mon, 11 Aug 2008 18:55:47 +0800
Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG
Message-ID: <48A01AB3.3000503@sneep.net>

Hi,

I am trying to understand how IOS implements the OSPF reference bandwidth related to LAG interfaces.

The only background material I can find on this is along the lines of:
http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q3

Can anyone confirm whether LAG/Port-Channel interfaces have the reference BW recalculated based on the active member links?

e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should be metric = 5.

If one 10GE link disappears from the bundle, do I have metric = 10?
thanks,
aj

From rens at autempspourmoi.be Mon Aug 11 07:27:47 2008
From: rens at autempspourmoi.be (Rens)
Date: Mon, 11 Aug 2008 13:27:47 +0200
Subject: [c-nsp] Console access via cell phone
Message-ID:

Hi,

Is there any device that you can connect to the console port of a switch that you can put a SIM card in?

So you can just dial that number and have console access on the switch?

Regards,

Rens

From stig.johansen at ementor.no Mon Aug 11 07:45:35 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 11 Aug 2008 13:45:35 +0200
Subject: [c-nsp] Console access via cell phone
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360A93C@100NOOSLMSG004.common.alpharoot.net>

Google is your friend:

http://www.google.com/search?q=gsm+modem+rs232

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Rens
Sent: 11 August 2008 13:28
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Console access via cell phone

Hi,

Is there any device that you can connect to the console port of a switch that you can put a SIM card in?

So you can just dial that number and have console access on the switch?

Regards,

Rens

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From oboehmer at cisco.com Mon Aug 11 08:02:46 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 11 Aug 2008 14:02:46 +0200
Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG
In-Reply-To: <48A01AB3.3000503@sneep.net>
References: <48A01AB3.3000503@sneep.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com>

Alastair Johnson <> wrote on Monday, August 11, 2008 12:56 PM:

> Hi,
>
> I am trying to understand how IOS implements the OSPF reference
> bandwidth related to LAG interfaces.
>
> The only background material I can find on this is along the lines of:
> http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q3
>
> Can anyone confirm whether LAG/Port-Channel interfaces have the
> reference BW recalculated based on the active member links?
>
> e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should
> be metric = 5.
>
> If one 10GE link disappears from the bundle, do I have metric = 10?

Yes, the bandwidth on the port-channel interface is based on the number of active links, and OSPF's cost will adjust automatically.

oli

From justin at justinshore.com Mon Aug 11 08:46:03 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 11 Aug 2008 07:46:03 -0500
Subject: [c-nsp] Console access via cell phone
In-Reply-To:
References:
Message-ID: <48A0348B.7070400@justinshore.com>

Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?

A couple of Avocent's console server product lines support PCMCIA expansion cards including cell modems.

Justin

From rens at autempspourmoi.be Mon Aug 11 09:00:41 2008
From: rens at autempspourmoi.be (Rens)
Date: Mon, 11 Aug 2008 15:00:41 +0200
Subject: [c-nsp] Console access via cell phone
In-Reply-To: <48A0348B.7070400@justinshore.com>
References: <48A0348B.7070400@justinshore.com>
Message-ID:

I found a Siemens MC35i, but no luck so far getting it to work. Does anyone have experience with this?

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: Monday 11 August 2008 14:46
To: Rens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Console access via cell phone

Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?
A couple of Avocent's console server product lines support PCMCIA expansion cards including cell modems. Justin From cchurc05 at harris.com Mon Aug 11 09:18:28 2008 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 11 Aug 2008 08:18:28 -0500 Subject: [c-nsp] 2851 and full BGP In-Reply-To: <489FF947.20206@heanet.ie> References: <489FF947.20206@heanet.ie> Message-ID: Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. That does make MTU a possibility. But didn't he get like 20% of his routes before the error message? Since it was 12.4(20)T (pretty bleeding edge), I'd lean towards that still. I'd think that an MTU problem would show up way before you got to 20%. Does BGP set the DF bit? Chuck -----Original Message----- From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: Monday, August 11, 2008 4:33 AM To: Church, Charles Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 2851 and full BGP Hi Chuck, Jay will be able to clarify, but I took the following to mean that the two are separated via third party infrastructure: "two 2851s connected to each other over gigabit Ethernet WAN". May well be a bug though. Paul. Church, Charles wrote: > Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else. > > Chuck > > ----- Original Message ----- > From: cisco-nsp-bounces at puck.nether.net > To: mtinka at globaltransit.net > Cc: cisco-nsp at puck.nether.net > Sent: Sun Aug 10 15:52:03 2008 > Subject: Re: [c-nsp] 2851 and full BGP > > > Keep in mind that if the peerings are not between directly connected IP, > disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. > > You could check the achievable MTU using extended pings with the DF bit > set, and compare it with the segment size listed by BGP before you > decide whether to make that change. > > Paul. 
> > Mark Tinka wrote: >> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: >> >> >>> Any ideas on what could be causing this issue? Is there >>> a better IOS version to use? >>> >> Sounds like an MTU issue. >> >> Try disabling TCP PMTUd for BGP and see if that helps: >> >> router bgp 1234 >> no bgp transport path-mtu-discovery >> >> If that works, consider checking with your provider on the >> supported MTU, end-to-end, and adjust your interface MTU if >> it helps. >> >> Cheers, >> >> Mark. >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. From rendo.aw at gmail.com Mon Aug 11 09:20:01 2008 From: rendo.aw at gmail.com (rendo) Date: Mon, 11 Aug 2008 20:20:01 +0700 Subject: [c-nsp] impact of policy based routing In-Reply-To: <6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com> References: <6e9252f0808101945i1417d97cud5ce25fb811ceff2@mail.gmail.com> <6e9252f0808101947s101aafb5nad88d71bfe973e0a@mail.gmail.com> <6bb5f5b10808102009t3fd47c9fqfeeb3e4112f6bdf@mail.gmail.com> Message-ID: <6e9252f0808110620x63850cd0q1136ad65482afcea@mail.gmail.com> Hi Rubens, Thanks for the answer, do you have any doc or url for the information below? -rendo- On Mon, Aug 11, 2008 at 10:09 AM, Rubens Kuhl Jr. 
wrote:
> It depends on whether the policy route will be only processed by the
> SUP/RSP-720 or not.
>
> Although the following text is from the Cat IOS (ISBU) not 7600 IOS
> (ERBU), my understanding is it reflects what PFC3x can and can't do
> in hardware:
>
> "The Policy Feature Card (PFC) and any Distributed Feature Cards
> (DFCs) provide hardware support for policy-based routing (PBR) for
> route-map sequences that use the match ip address, set ip next-hop,
> and ip default next-hop PBR keywords.
>
> When configuring PBR, follow these guidelines and restrictions:
> • The PFC provides hardware support for PBR configured on a tunnel
> interface.
> • The PFC does not provide hardware support for PBR configured with the
> set ip next-hop keywords if the next hop is a tunnel interface.
> • If the RP address falls within the range of a PBR ACL, traffic
> addressed to the RP is policy routed in hardware instead of being
> forwarded to the RP. To prevent policy routing of traffic addressed to
> the RP, configure PBR ACLs to deny traffic addressed to the RP.
> • Any options in Cisco IOS ACLs that provide filtering in a PBR
> route-map that would cause flows to be sent to the RP to be switched
> in software are ignored. For example, logging is not supported in ACEs
> in Cisco IOS ACLs that provide filtering in PBR route-maps.
> • PBR traffic through switching module ports where PBR is configured is
> routed in software if the switching module resets. (CSCee92191)
> • Any permit route-map sequence with no set statement will cause
> matching traffic to be processed by the RP."
>
> If you manage to keep within these boundaries, CPU load will be as if
> there were no PBR at all. Otherwise, you will either eat up a
> significant portion of RSP720 pps capacity, or kill a SUP720.
>
>
> Rubens
>
>
> On Sun, Aug 10, 2008 at 11:47 PM, rendo wrote:
> > Hi,
> >
> > I'm looking for any cisco documentation or maybe your experiences regarding
> > the impact of implementing policy based routing in the 76xx platform. I have
> > a plan to put around 5-10 source based routes, each source goes to the same
> > outgoing interface but with a different IP next-hop. The projected throughput
> > will be around 1 Gbps.
> >
> > I guess there are some impacts on CPU load and memory as well, so if anyone
> > here has anything to share, it would be great.
> >
> > Thanks in advance.
> >
> > -rendo-
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From baard at dahlmo.no Mon Aug 11 09:23:33 2008
From: baard at dahlmo.no (Bård Dahlmo)
Date: Mon, 11 Aug 2008 15:23:33 +0200 (CEST)
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID:

On Thu, 7 Aug 2008, Phil Mayers wrote:

> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is highly
> amusing (note: issue may not actually be amusing)

CSCsr86489

--
Bård Dahlmo

From jcartier at acs.on.ca Mon Aug 11 09:25:18 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 11 Aug 2008 09:25:18 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
Message-ID:

Can you provide any system stats? What are the CPU and memory looking like... if something appears to be off it could indicate a code-level issue.

Jeff Cartier
Applied Computer Solutions
(519) 944-4300 ext.
233 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Monday, August 11, 2008 9:18 AM To: Paul Cosgrove Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 2851 and full BGP Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. That does make MTU a possibility. But didn't he get like 20% of his routes before the error message? Since it was 12.4(20)T (pretty bleeding edge), I'd lean towards that still. I'd think that an MTU problem would show up way before you got to 20%. Does BGP set the DF bit? Chuck -----Original Message----- From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: Monday, August 11, 2008 4:33 AM To: Church, Charles Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 2851 and full BGP Hi Chuck, Jay will be able to clarify, but I took the following to mean that the two are separated via third party infrastructure: "two 2851s connected to each other over gigabit Ethernet WAN". May well be a bug though. Paul. Church, Charles wrote: > Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else. > > Chuck > > ----- Original Message ----- > From: cisco-nsp-bounces at puck.nether.net > To: mtinka at globaltransit.net > Cc: cisco-nsp at puck.nether.net > Sent: Sun Aug 10 15:52:03 2008 > Subject: Re: [c-nsp] 2851 and full BGP > > > Keep in mind that if the peerings are not between directly connected IP, > disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. > > You could check the achievable MTU using extended pings with the DF bit > set, and compare it with the segment size listed by BGP before you > decide whether to make that change. > > Paul. > > Mark Tinka wrote: >> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: >> >> >>> Any ideas on what could be causing this issue? Is there >>> a better IOS version to use? 
>>>
>> Sounds like an MTU issue.
>>
>> Try disabling TCP PMTUd for BGP and see if that helps:
>>
>> router bgp 1234
>> no bgp transport path-mtu-discovery
>>
>> If that works, consider checking with your provider on the
>> supported MTU, end-to-end, and adjust your interface MTU if
>> it helps.
>>
>> Cheers,
>>
>> Mark.
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Mon Aug 11 09:36:19 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 11 Aug 2008 14:36:19 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To:
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <48A04053.1020102@imperial.ac.uk>

Bård Dahlmo wrote:
> On Thu, 7 Aug 2008, Phil Mayers wrote:
>
>> Just a warning, there is a fatal crash bug in SXH3 related to using
>> SCP. Considering the release notes claim fixes in that very area, this
>> is highly amusing (note: issue may not actually be amusing)
>
> CSCsr86489
>

Nice. TAC case has been open 4 days now, and I've had no reply.
From zeusdadog at gmail.com Mon Aug 11 10:01:56 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 11 Aug 2008 10:01:56 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To:
References: <489FF947.20206@heanet.ie>
Message-ID: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>

To answer a couple of people's questions, the MTU on the routers is 1500. I have tested with ping and the DF bit set. The provider has a higher frame size to cover that MTU over the WAN link, and our switches that connect to them on both ends have a higher frame size (1526 frame size or higher).

While I am at it, I noticed the 12.4 line IOS for 28xx is an MD release. Cisco's link doesn't tell you what that means. I know GD, ED, etc. releases but wasn't sure what MD release meant. Mainline deployment?

Anyway, is 12.4 the most stable way to go on 28xx? We are not using any fancy features. One router is using an NM-1T3/E3 card but that's about it.

Here is some output from both routers while exchanging just internal routes.
border2-col#sh ip bgp neighbors Y.Y.Y.Y BGP neighbor is Y.Y.Y.Y, remote AS ZZZZ, internal link BGP version 4, remote router ID Y.Y.Y.Y BGP state = Established, up for 3d03h Last read 00:00:41, last write 00:00:49, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received(new) Address family IPv4 Unicast: advertised and received Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 7 7 Notifications: 3 1 Updates: 171196 105628 Keepalives: 4581 4586 Route Refresh: 0 0 Total: 175787 110226 Default minimum time between advertisement runs is 0 seconds For address family: IPv4 Unicast BGP table version 887105, neighbor version 887105/0 Output queue size : 0 Index 3, Offset 0, Mask 0x8 3 update-group member Inbound soft reconfiguration allowed Outgoing update prefix filter list is COLUMBUS_NET Sent Rcvd Prefix activity: ---- ---- Prefixes Current: 7 9 (Consumes 468 bytes) Prefixes Total: 8 9 Implicit Withdraw: 0 0 Explicit Withdraw: 1 0 Used as bestpath: n/a 9 Used as multipath: n/a 0 Outbound Inbound Local Policy Denied Prefixes: -------- ------- prefix-list 535265 0 Bestpath from this peer: 9 n/a Total: 535274 0 Number of NLRIs in the update sent: max 1024, min 0 Address tracking is enabled, the RIB does have a route to Y.Y.Y.Y Connections established 7; dropped 6 Last reset 3d03h, due to BGP Notification received, illegal header length Transport(tcp) path-mtu-discovery is enabled Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255 Local host: X.X.X.X, Local port: 51918 Foreign host: Y.Y.Y.Y, Foreign port: 179 Connection tableid (VRF): 0 Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes) Event Timers (current time is 0x15C86EE0): Timer Starts Wakeups Next Retrans 4563 31 0x0 TimeWait 0 0 0x0 AckHold 4529 4183 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger 1 1 0x0 DeadWait 0 0 0x0 Linger 0 
0 0x0 ProcessQ 0 0 0x0 iss: 3264861958 snduna: 3264948248 sndnxt: 3264948248 sndwnd: 16023 irs: 3518332904 rcvnxt: 3518419120 rcvwnd: 16118 delrcvwnd: 266 SRTT: 301 ms, RTTO: 308 ms, RTV: 7 ms, KRTT: 0 ms minRTT: 4 ms, maxRTT: 2824 ms, ACK hold: 200 ms Status Flags: active open Option Flags: nagle, path mtu capable IP Precedence value : 6 Datagrams (max data segment is 536 bytes): Rcvd: 8963 (out of order: 0), with data: 4530, total data bytes: 86215 Sent: 8919 (retransmit: 31, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86289 Packets received in fast path: 0, fast processed: 0, slow path: 0 fast lock acquisition failures: 0, slow path: 0 border2-indy#sh ip bgp neighbors X.X.X.X BGP neighbor is X.X.X.X, remote AS ZZZZ, internal link BGP version 4, remote router ID X.X.X.X BGP state = Established, up for 3d04h Last read 00:00:39, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received(new) Address family IPv4 Unicast: advertised and received Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 9 9 Notifications: 1 4 Updates: 144559 224571 Keepalives: 4590 4585 Route Refresh: 0 0 Total: 149155 229172 Default minimum time between advertisement runs is 0 seconds For address family: IPv4 Unicast BGP table version 2377206, neighbor version 2377206/0 Output queue size : 0 Index 2, Offset 0, Mask 0x4 2 update-group member Inbound soft reconfiguration allowed Outgoing update prefix filter list is INDY_NET Sent Rcvd Prefix activity: ---- ---- Prefixes Current: 9 7 (Consumes 364 bytes) Prefixes Total: 9 8 Implicit Withdraw: 0 0 Explicit Withdraw: 0 1 Used as bestpath: n/a 7 Used as multipath: n/a 0 Outbound Inbound Local Policy Denied Prefixes: -------- ------- prefix-list 458047 0 Bestpath from this peer: 9 n/a Total: 458056 0 Number of NLRIs in the update sent: max 1135, min 0 Address tracking is enabled, the RIB does have a route to 
X.X.X.X Connections established 9; dropped 8 Last reset 3d04h, due to BGP Notification sent, illegal header length Transport(tcp) path-mtu-discovery is enabled Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255 Local host: Y.Y.Y.Y, Local port: 179 Foreign host: X.X.X.X, Foreign port: 51918 Connection tableid (VRF): 0 Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes) Event Timers (current time is 0x10A0F458): Timer Starts Wakeups Next Retrans 4578 46 0x0 TimeWait 0 0 0x0 AckHold 4532 4200 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger 0 0 0x0 DeadWait 0 0 0x0 Linger 0 0 0x0 ProcessQ 0 0 0x0 iss: 3518332904 snduna: 3518419158 sndnxt: 3518419158 sndwnd: 16080 irs: 3264861958 rcvnxt: 3264948267 rcvwnd: 16004 delrcvwnd: 380 SRTT: 304 ms, RTTO: 335 ms, RTV: 31 ms, KRTT: 0 ms minRTT: 4 ms, maxRTT: 468 ms, ACK hold: 200 ms Status Flags: passive open, gen tcbs Option Flags: nagle, path mtu capable IP Precedence value : 6 Datagrams (max data segment is 536 bytes): Rcvd: 8953 (out of order: 0), with data: 4533, total data bytes: 86308 Sent: 8920 (retransmit: 46, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86253 Packets received in fast path: 0, fast processed: 0, slow path: 0 fast lock acquisition failures: 0, slow path: 0 On Mon, Aug 11, 2008 at 9:18 AM, Church, Charles wrote: > Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. > That does make MTU a possibility. But didn't he get like 20% of his > routes before the error message? Since it was 12.4(20)T (pretty > bleeding edge), I'd lean towards that still. I'd think that an MTU > problem would show up way before you got to 20%. Does BGP set the DF > bit? 
> > Chuck > > -----Original Message----- > From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] > Sent: Monday, August 11, 2008 4:33 AM > To: Church, Charles > Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 2851 and full BGP > > > Hi Chuck, > > Jay will be able to clarify, but I took the following to mean that the > two are separated via third party infrastructure: "two 2851s connected > to each other over gigabit Ethernet WAN". > > May well be a bug though. > > Paul. > > Church, Charles wrote: > > Wasn't the original problem the iBGP connection over his own network? > Sounds like a bug more than anything else. > > > > Chuck > > > > ----- Original Message ----- > > From: cisco-nsp-bounces at puck.nether.net > > > To: mtinka at globaltransit.net > > Cc: cisco-nsp at puck.nether.net > > Sent: Sun Aug 10 15:52:03 2008 > > Subject: Re: [c-nsp] 2851 and full BGP > > > > > > Keep in mind that if the peerings are not between directly connected > IP, > > disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. > > > > You could check the achievable MTU using extended pings with the DF > bit > > set, and compare it with the segment size listed by BGP before you > > decide whether to make that change. > > > > Paul. > > > > Mark Tinka wrote: > >> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: > >> > >> > >>> Any ideas on what could be causing this issue? Is there > >>> a better IOS version to use? > >>> > >> Sounds like an MTU issue. > >> > >> Try disabling TCP PMTUd for BGP and see if that helps: > >> > >> router bgp 1234 > >> no bgp transport path-mtu-discovery > >> > >> If that works, consider checking with your provider on the > >> supported MTU, end-to-end, and adjust your interface MTU if > >> it helps. > >> > >> Cheers, > >> > >> Mark. 
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> HEAnet Limited
> Ireland's Education & Research Network
> 5 George's Dock, IFSC, Dublin 1, Ireland
> Tel: +353.1.6609040
> Web: http://www.heanet.ie
> Company registered in Ireland: 275301
>
> Please consider the environment before printing this e-mail.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jcartier at acs.on.ca Mon Aug 11 10:10:32 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 11 Aug 2008 10:10:32 -0400
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID:

**While I am at it, I noticed the 12.4 line IOS for 28xx is an MD release. Cisco's link doesn't tell you what that means. I know GD, ED, etc. releases but wasn't sure what MD release meant. Mainline deployment?

Here's a good read - http://en.wikipedia.org/wiki/Cisco_IOS

Mainline deployments are usually ones to try to stay away from, in my opinion and experience. They are typically more prone to bugs, but support the widest variety of hardware.

Jeff Cartier
Applied Computer Solutions
(519) 944-4300 ext.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: Monday, August 11, 2008 10:02 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2851 and full BGP

To answer a couple of people's questions,

MTU on the routers is 1500. I have tested with ping and the df-bit set. Provider has a higher frame size to cover that MTU over the WAN link, and our switches that connect to them on both ends have a higher frame size (1526 frame size or higher).

While I am at it, I noticed the 12.4 line IOS for 28xx is an MD release. Cisco's link doesn't tell you what that means. I know GD, ED, etc. releases but wasn't sure what MD release meant. Mainline deployment?

Anyway, is 12.4 the most stable way to go on 28xx? We are not using any fancy features. One router is using an NM-1T3/E3 card but that's about it.

Here is some output from both routers while exchanging just internal routes.

border2-col#sh ip bgp neighbors Y.Y.Y.Y
BGP neighbor is Y.Y.Y.Y,  remote AS ZZZZ, internal link
  BGP version 4, remote router ID Y.Y.Y.Y
  BGP state = Established, up for 3d03h
  Last read 00:00:41, last write 00:00:49, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  7          7
    Notifications:          3          1
    Updates:           171196     105628
    Keepalives:          4581       4586
    Route Refresh:          0          0
    Total:             175787     110226
  Default minimum time between advertisement runs is 0 seconds

 For address family: IPv4 Unicast
  BGP table version 887105, neighbor version 887105/0
  Output queue size : 0
  Index 3, Offset 0, Mask 0x8
  3 update-group member
  Inbound soft reconfiguration allowed
  Outgoing update prefix filter list is COLUMBUS_NET
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               7          9 (Consumes 468 bytes)
    Prefixes Total:                 8          9
    Implicit Withdraw:              0          0
    Explicit Withdraw:              1          0
    Used as bestpath:             n/a          9
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                      535265          0
    Bestpath from this peer:              9        n/a
    Total:                           535274          0
  Number of NLRIs in the update sent: max 1024, min 0

  Address tracking is enabled, the RIB does have a route to Y.Y.Y.Y
  Connections established 7; dropped 6
  Last reset 3d03h, due to BGP Notification received, illegal header length
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: X.X.X.X, Local port: 51918
Foreign host: Y.Y.Y.Y, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x15C86EE0):
Timer          Starts    Wakeups            Next
Retrans          4563         31             0x0
TimeWait            0          0             0x0
AckHold          4529       4183             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            1          1             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 3264861958  snduna: 3264948248  sndnxt: 3264948248     sndwnd:  16023
irs: 3518332904  rcvnxt: 3518419120  rcvwnd:      16118  delrcvwnd:    266

SRTT: 301 ms, RTTO: 308 ms, RTV: 7 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 2824 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 536 bytes):
Rcvd: 8963 (out of order: 0), with data: 4530, total data bytes: 86215
Sent: 8919 (retransmit: 31, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86289
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0


border2-indy#sh ip bgp neighbors X.X.X.X
BGP neighbor is X.X.X.X,  remote AS ZZZZ, internal link
  BGP version 4, remote router ID X.X.X.X
  BGP state = Established, up for 3d04h
  Last read 00:00:39, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  9          9
    Notifications:          1          4
    Updates:           144559     224571
    Keepalives:          4590       4585
    Route Refresh:          0          0
    Total:             149155     229172
  Default minimum time between advertisement runs is 0 seconds

 For address family: IPv4 Unicast
  BGP table version 2377206, neighbor version 2377206/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Inbound soft reconfiguration allowed
  Outgoing update prefix filter list is INDY_NET
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               9          7 (Consumes 364 bytes)
    Prefixes Total:                 9          8
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          1
    Used as bestpath:             n/a          7
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                      458047          0
    Bestpath from this peer:              9        n/a
    Total:                           458056          0
  Number of NLRIs in the update sent: max 1135, min 0

  Address tracking is enabled, the RIB does have a route to X.X.X.X
  Connections established 9; dropped 8
  Last reset 3d04h, due to BGP Notification sent, illegal header length
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: Y.Y.Y.Y, Local port: 179
Foreign host: X.X.X.X, Foreign port: 51918
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x10A0F458):
Timer          Starts    Wakeups            Next
Retrans          4578         46             0x0
TimeWait            0          0             0x0
AckHold          4532       4200             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 3518332904  snduna: 3518419158  sndnxt: 3518419158     sndwnd:  16080
irs: 3264861958  rcvnxt: 3264948267  rcvwnd:      16004  delrcvwnd:    380

SRTT: 304 ms, RTTO: 335 ms, RTV: 31 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 468 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 536 bytes):
Rcvd: 8953 (out of order: 0), with data: 4533, total data bytes: 86308
Sent: 8920 (retransmit: 46, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4532, total data bytes: 86253
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0

On Mon, Aug 11, 2008 at 9:18 AM, Church, Charles wrote:
> Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time.
> That does make MTU a possibility. But didn't he get like 20% of his
> routes before the error message? Since it was 12.4(20)T (pretty
> bleeding edge), I'd lean towards that still. I'd think that an MTU
> problem would show up way before you got to 20%. Does BGP set the DF
> bit?
>
> Chuck
>
> -----Original Message-----
> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
> Sent: Monday, August 11, 2008 4:33 AM
> To: Church, Charles
> Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 2851 and full BGP
>
>
> Hi Chuck,
>
> Jay will be able to clarify, but I took the following to mean that the
> two are separated via third party infrastructure: "two 2851s connected
> to each other over gigabit Ethernet WAN".
>
> May well be a bug though.
>
> Paul.
>
> Church, Charles wrote:
> > Wasn't the original problem the iBGP connection over his own network? Sounds like a bug more than anything else.
> >
> > Chuck
> >
> > ----- Original Message -----
> > From: cisco-nsp-bounces at puck.nether.net
> > To: mtinka at globaltransit.net
> > Cc: cisco-nsp at puck.nether.net
> > Sent: Sun Aug 10 15:52:03 2008
> > Subject: Re: [c-nsp] 2851 and full BGP
> >
> >
> > Keep in mind that if the peerings are not between directly connected IP,
> > disabling PMTUd for BGP will cause it to use an MSS of 536 bytes.
> >
> > You could check the achievable MTU using extended pings with the DF bit
> > set, and compare it with the segment size listed by BGP before you
> > decide whether to make that change.
> >
> > Paul.
> >
> > Mark Tinka wrote:
> >> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote:
> >>
> >>
> >>> Any ideas on what could be causing this issue? Is there
> >>> a better IOS version to use?
> >>>
> >> Sounds like an MTU issue.
> >>
> >> Try disabling TCP PMTUd for BGP and see if that helps:
> >>
> >> router bgp 1234
> >>  no bgp transport path-mtu-discovery
> >>
> >> If that works, consider checking with your provider on the
> >> supported MTU, end-to-end, and adjust your interface MTU if
> >> it helps.
> >>
> >> Cheers,
> >>
> >> Mark.
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
> --
> HEAnet Limited
> Ireland's Education & Research Network
> 5 George's Dock, IFSC, Dublin 1, Ireland
> Tel: +353.1.6609040
> Web: http://www.heanet.ie
> Company registered in Ireland: 275301
>
> Please consider the environment before printing this e-mail.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From cchurc05 at harris.com Mon Aug 11 10:28:03 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 11 Aug 2008 09:28:03 -0500
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID:

12.4 mainline seems pretty mature at this point. I've got a 2821 doing full tables from 2 upstreams over Ethernet, running 12.4(19); it's been solid for months, running prefix lists, heavy QOS, and a few other things. Unless you really need a feature from a 'T' train (or hardware support), you're usually better off with the mainline code.

Chuck

From paul.cosgrove at heanet.ie Mon Aug 11 10:40:20 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 15:40:20 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com>
Message-ID: <48A04F54.7050800@heanet.ie>

Hi Jay,

PMTUD is not working here. You can see from the command output that a TCP MSS of 536 bytes is being used rather than the expected 1440 bytes:

> Datagrams (max data segment is 536 bytes):

This limits the size of BGP packets, requiring more to be sent and so increasing the load on the routers.
You seem to have PMTUD enabled at both ends of the link, so perhaps there is filtering taking place which is stopping the required ICMP messages (or a bug, as Chuck suggested).

I don't know if this is the cause of your main issues, but I would fix that and then see if the issue is resolved.

Paul.

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From paul.cosgrove at heanet.ie Mon Aug 11 10:45:52 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 11 Aug 2008 15:45:52 +0100
Subject: [c-nsp] 2851 and full BGP
In-Reply-To: <48A04D45.5090401@heanet.ie>
References: <489FF947.20206@heanet.ie> <48A04D45.5090401@heanet.ie>
Message-ID: <48A050A0.5020806@heanet.ie>

Forgot to cc the list on this earlier email.
Paul Cosgrove wrote: > Hi Chuck, > > Indeed it is apparently more than that: Jay mentioned receiving 20,000 > routes before he sees the issue, so I guess about 75%. I had similar > thoughts about this but wasn't (and still am not) sure how frequently in > practice BGP with a full table is likely to have to send large updates. > > My (admittedly basic) understanding is that individual update messages > contain details about prefixes which share the same attributes. If the > attributes are different, different update messages will be used. > > If I have this right, the number of update messages will vary according > to the number of distinct attribute sets, and the size of each update > varies according to the number of NLRI which have those particular > attributes. > > This makes me think that MTU issues could indeed occur at any point > during the update process. A software bug might indeed turn out to be > the cause, but I wouldn't rule MTU issues out at this stage. > > Paul. > > > Church, Charles wrote: >> Oh, yeah. Sorry, I didn't catch the 'WAN' part of it the first time. >> That does make MTU a possibility. But didn't he get like 20% of his >> routes before the error message? Since it was 12.4(20)T (pretty >> bleeding edge), I'd lean towards that still. I'd think that an MTU >> problem would show up way before you got to 20%. Does BGP set the DF >> bit? >> >> Chuck >> >> -----Original Message----- >> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: Monday, >> August 11, 2008 4:33 AM >> To: Church, Charles >> Cc: mtinka at globaltransit.net; cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] 2851 and full BGP >> >> >> Hi Chuck, >> >> Jay will be able to clarify, but I took the following to mean that the >> two are separated via third party infrastructure: "two 2851s connected >> to each other over gigabit Ethernet WAN". >> >> May well be a bug though. >> >> Paul. 
>> >> Church, Charles wrote: >>> Wasn't the original problem the iBGP connection over his own network? >> Sounds like a bug more than anything else. >>> Chuck >>> >>> ----- Original Message ----- >>> From: cisco-nsp-bounces at puck.nether.net >> >>> To: mtinka at globaltransit.net >>> Cc: cisco-nsp at puck.nether.net >>> Sent: Sun Aug 10 15:52:03 2008 >>> Subject: Re: [c-nsp] 2851 and full BGP >>> >>> >>> Keep in mind that if the peerings are not between directly connected >> IP, >>> disabling PMTUd for BGP will cause it to use an MSS of 536 bytes. >>> >>> You could check the achievable MTU using extended pings with the DF >> bit >>> set, and compare it with the segment size listed by BGP before you >>> decide whether to make that change. >>> >>> Paul. >>> >>> Mark Tinka wrote: >>>> On Saturday 09 August 2008 10:28:40 Jay Nakamura wrote: >>>> >>>> >>>>> Any ideas on what could be causing this issue? Is there >>>>> a better IOS version to use? >>>>> >>>> Sounds like an MTU issue. >>>> >>>> Try disabling TCP PMTUd for BGP and see if that helps: >>>> >>>> router bgp 1234 >>>> no bgp transport path-mtu-discovery >>>> >>>> If that works, consider checking with your provider on the supported >>>> MTU, end-to-end, and adjust your interface MTU if it helps. >>>> >>>> Cheers, >>>> >>>> Mark. 
>>>> >> ------------------------------------------------------------------------ >> >> > > -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. From antal.gergely at hu.digi.tv Mon Aug 11 10:47:16 2008 From: antal.gergely at hu.digi.tv (Antal Gergely) Date: Mon, 11 Aug 2008 16:47:16 +0200 Subject: [c-nsp] 2851 and full BGP In-Reply-To: <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com> References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com> Message-ID: <48A050F4.8000807@hu.digi.tv> Jay Nakamura wrote: > Datagrams (max data segment is 536 bytes): put a "ip mtu 1500" on the wan interface. its not the same as mtu xxxx -- Antal GERGELY Backbone Network Department IP Services DIGI KFT Budapest Vaci ut 35. H-1134 Hungary From sdanelli at gmail.com Mon Aug 11 10:52:02 2008 From: sdanelli at gmail.com (Sergio D.) Date: Mon, 11 Aug 2008 08:52:02 -0600 Subject: [c-nsp] filter LDP bindings In-Reply-To: <20080811082407.GA8243@london.pmacct.net> References: <20080811082407.GA8243@london.pmacct.net> Message-ID: thanks for the response.
I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no tag-switching advertise-tags" which I already have. Oliver, thanks for clearing up the assignment of the label, I guess thats fine as long as it doesn't get advertised which is what I am trying to avoid. I did try it without the deny at the end, and the result was the same. Do I need an access-list listing my peers and apply that? TIA On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > wrote: > Hi Sergio, > > to add to what Oliver said that you maybe want to make sure > you have in the configuration a "no mpls ldp advertise-labels" > line. Without that, even if you configure a filter (which is > successfully matched as you shown), labels would still be > announced to adjacent LDP peers. > > Don't know if this could be your case; i did have to make use > out of it to verify label filtering working on a 12.2SR while > trying to minimize exposure of our labels in an "Inter-AS" L2 > MPLS VPN scenario. > > no mpls ldp advertise-labels > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > [ ... ] > mpls label protocol ldp > ! > interface Loopback0 > ip address 192.168.100.4 255.255.255.255 > ! > ip access-list standard LDP-DEST > permit 192.168.100.4 > ip access-list standard LDP-PEER > permit 192.168.100.1 > ! > > Cheers, > Paolo > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote: > > Hello, > > I am trying to filter LDP label bindings to only advertise my loopback > > address(for vpnv4 traffic) but I am unsure as to what the requirements > are. 
> > Here is what I have: > > PE1#show ip route connected | in ^C > > C 1.1.1.0 is directly connected, Serial1/0 > > C 10.0.0.1 is directly connected, Loopback0 > > C 150.0.0.0 is directly connected, FastEthernet0/1 > > > > PE1#sh run | in tag > > no tag-switching advertise-tags > > tag-switching advertise-tags for ldp-filter > > > > PE1#show access-lists ldp-filter > > Standard IP access list ldp-filter > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches) > > 999 deny any (7 matches) > > > > matches? > > > > but still generates a binding for all my connected interfaces: > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > tib entry: 150.0.0.0/24, rev 2 > > local binding: tag: imp-null > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > PE1# > > > > And the other side tags it with a label: > > > > PE2#traceroute 150.0.0.1 > > > > Type escape sequence to abort. > > Tracing the route to 150.0.0.1 > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec > > 2 1.1.1.1 24 msec 52 msec * > > > > TIA, > > > > -- > > Sergio Danelli > -- Sergio Danelli From paul at paulstewart.org Mon Aug 11 09:48:01 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 11 Aug 2008 09:48:01 -0400 Subject: [c-nsp] Console access via cell phone In-Reply-To: References: <48A0348B.7070400@justinshore.com> Message-ID: <000001c8fbb8$df7f5f40$9e7e1dc0$@org> We're using Lantronix here for the same purpose.... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens Sent: Monday, August 11, 2008 9:01 AM To: 'Justin Shore' Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Console access via cell phone I found a Siemens MC35i But no luck so far getting it to work, anyone has experience with this? 
-----Original Message----- From: Justin Shore [mailto:justin at justinshore.com] Sent: Monday 11 August 2008 14:46 To: Rens Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Console access via cell phone Rens wrote: > Hi, > > Is there any device that you can connect to the console port of a switch > that you can put a SIM card in? > > So you can just dial to that number and have console access on the switch? A couple of Avocent's console server product lines support PCMCIA expansion cards including cell modems. Justin From hank at efes.iucc.ac.il Mon Aug 11 11:35:18 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Mon, 11 Aug 2008 18:35:18 +0300 (IDT) Subject: [c-nsp] Crash bug in SXH3 In-Reply-To: <48A04053.1020102@imperial.ac.uk> References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> Message-ID: On Mon, 11 Aug 2008, Phil Mayers wrote: > Bård Dahlmo wrote: >> On Thu, 7 Aug 2008, Phil Mayers wrote: >> >>> Just a warning, there is a fatal crash bug in SXH3 related to using SCP. >>> Considering the release notes claim fixes in that very area, this is >>> highly amusing (note: issue may not actually be amusing) >> >> CSCsr86489 >> > > Nice. TAC case has been open 4 days now, and I've had no reply. I have found cisco-nsp far more useful than TAC. Only 1 out of every 3 TAC cases do I get value for my money. Otherwise it is either "not my job, man", or "working as designed", etc.
-Hank From p.mayers at imperial.ac.uk Mon Aug 11 11:39:42 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 11 Aug 2008 16:39:42 +0100 Subject: [c-nsp] Crash bug in SXH3 In-Reply-To: References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> Message-ID: <48A05D3E.7020209@imperial.ac.uk> Hank Nussbacher wrote: > On Mon, 11 Aug 2008, Phil Mayers wrote: > >> Bård Dahlmo wrote: >>> On Thu, 7 Aug 2008, Phil Mayers wrote: >>> >>>> Just a warning, there is a fatal crash bug in SXH3 related to using >>>> SCP. Considering the release notes claim fixes in that very area, >>>> this is highly amusing (note: issue may not actually be amusing) >>> >>> CSCsr86489 >>> >> >> Nice. TAC case has been open 4 days now, and I've had no reply. > > I have found cisco-nsp far more useful than TAC. Only 1 out of every 3 > TAC cases do I get value for my money. Otherwise it is either "not my > job, man", or "working as designed", etc. They've not been quite that bad with me. Typically I get the response: """This is CSCsuch-and-such it'll be fixed in the next release""". This normally happens quite quickly. I've had one nasty incident which was P1 and gotten good time from a TAC engineer, though it eventually boiled down to "upgrade IOS" which to be frank I could have figured myself ;o) HOWEVER - I've interacted with other non-Cisco vendors and with non-smartnet Cisco (i.e. provided by reseller) and they've been absolutely APPALLING - months have gone by with no results. By comparison to those other experiences, TAC/Smartnet is excellent :o( From oboehmer at cisco.com Mon Aug 11 11:51:09 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 11 Aug 2008 17:51:09 +0200 Subject: [c-nsp] filter LDP bindings In-Reply-To: References: <20080811082407.GA8243@london.pmacct.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> Sergio, your config looks fine, so I don't know what's happening.
Can you show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s) or a "show mpls forwarding interface " where is the neighbor's interface to PE1? No need to specify a "to " to select which neighbors you want to advertise this to in your case. oli Sergio D. wrote on Monday, August 11, 2008 4:52 PM: > thanks for the response. > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no > tag-switching advertise-tags" which I already have. > Oliver, > thanks for clearing up the assignment of the label, I guess thats > fine as long as it doesn't get advertised which is what I am trying > to avoid. I did try it without the deny at the end, and the result > was the same. > Do I need an access-list listing my peers and apply that? > > TIA > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > wrote: > > > Hi Sergio, > > to add to what Oliver said that you maybe want to make sure > you have in the configuration a "no mpls ldp advertise-labels" > line. Without that, even if you configure a filter (which is > successfully matched as you shown), labels would still be > announced to adjacent LDP peers. > > Don't know if this could be your case; i did have to make use > out of it to verify label filtering working on a 12.2SR while > trying to minimize exposure of our labels in an "Inter-AS" L2 > MPLS VPN scenario. > > > no mpls ldp advertise-labels > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > [ ... ] > mpls label protocol ldp > ! > interface Loopback0 > ip address 192.168.100.4 255.255.255.255 > ! > ip access-list standard LDP-DEST > permit 192.168.100.4 > ip access-list standard LDP-PEER > permit 192.168.100.1 > ! > > Cheers, > Paolo > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote: > > Hello, > > I am trying to filter LDP label bindings to only advertise my > loopback > address(for vpnv4 traffic) but I am unsure as to what the > requirements are. 
> Here is what I have: > > PE1#show ip route connected | in ^C > > C 1.1.1.0 is directly connected, Serial1/0 > > C 10.0.0.1 is directly connected, Loopback0 > > C 150.0.0.0 is directly connected, FastEthernet0/1 > > > > PE1#sh run | in tag > > no tag-switching advertise-tags > > tag-switching advertise-tags for ldp-filter > > > > PE1#show access-lists ldp-filter > > Standard IP access list ldp-filter > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches) > > 999 deny any (7 matches) > > > > matches? > > > > but still generates a binding for all my connected interfaces: > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > tib entry: 150.0.0.0/24, rev 2 > > local binding: tag: imp-null > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > PE1# > > > > And the other side tags it with a label: > > > > PE2#traceroute 150.0.0.1 > > > > Type escape sequence to abort. > > Tracing the route to 150.0.0.1 > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec > > 2 1.1.1.1 24 msec 52 msec * > > > > TIA, > > > > -- > > Sergio Danelli > > > > > > -- > Sergio Danelli From paul.cosgrove at heanet.ie Mon Aug 11 11:55:09 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Mon, 11 Aug 2008 16:55:09 +0100 Subject: [c-nsp] 2851 and full BGP In-Reply-To: <48A050F4.8000807@hu.digi.tv> References: <489FF947.20206@heanet.ie> <9418aca70808110701p6c56744fu25128f29cb4d48a5@mail.gmail.com> <48A050F4.8000807@hu.digi.tv> Message-ID: <48A060DD.1000004@heanet.ie> Hi Antal, Is that a workaround for a specific bug? Usually the IP MTU defaults to the MTU. You can check them with "show int" vs "show ip int". If the TCP session is between directly connected IPs, a TCP MSS equal to 40 bytes less than the IP MTU is used. In other cases (e.g. peerings between loopbacks) an MSS of 536 bytes is used unless PMTUD is enabled and can determine a higher value. Paul.
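Paul's MSS rules above, together with his earlier point that each UPDATE carries one attribute set and its NLRI, as an added example (not code from the thread or from any of its posters): it picks the MSS the router would use, packs prefixes into UPDATEs, and finds the first UPDATE whose TCP segment would not fit a WAN path narrower than the 1500-byte interface MTU. The constructed table, the assumed 1400-byte path MTU and the per-UPDATE segmentation are the example's own assumptions, as are all function names.

```python
"""BGP transport MSS and UPDATE segmentation across a path with a smaller MTU.

Added example, not code from the thread.  Models the IOS MSS rules Paul
describes (directly connected peers: IP MTU - 40; otherwise 536 unless PMTUD
learns more) and the RFC 4271 UPDATE layout (one shared path-attribute set
plus the NLRI sharing it).  Segments are computed per UPDATE, a simplification.
"""

TCP_IP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header, no options
BGP_HEADER = 19          # 16-byte marker + 2-byte length + 1-byte type
UPDATE_FIXED = 4         # withdrawn-routes length + total-path-attribute length
MAX_BGP_MESSAGE = 4096   # RFC 4271 maximum message size
DEFAULT_MSS = 536        # the "max data segment is 536 bytes" Jay's router showed


def bgp_tcp_mss(ip_mtu, directly_connected, pmtud_path_mtu=None):
    """MSS the router picks for the BGP session under the rules in the thread."""
    if directly_connected:
        return ip_mtu - TCP_IP_HEADERS
    if pmtud_path_mtu is not None:        # bgp transport path-mtu-discovery in use
        return pmtud_path_mtu - TCP_IP_HEADERS
    return DEFAULT_MSS


def nlri_bytes(prefix_len):
    """Encoded IPv4 NLRI: one length octet plus ceil(prefix_len / 8) octets."""
    return 1 + (prefix_len + 7) // 8


def pack_updates(attr_bytes, prefix_lens):
    """Pack prefixes sharing one attribute set into UPDATEs of at most 4096 bytes;
    returns the byte size of each UPDATE produced, in order."""
    base = BGP_HEADER + UPDATE_FIXED + attr_bytes
    sizes, current = [], base
    for plen in prefix_lens:
        need = nlri_bytes(plen)
        if current + need > MAX_BGP_MESSAGE:   # this NLRI starts a new UPDATE
            sizes.append(current)
            current = base
        current += need
    sizes.append(current)
    return sizes


def segment_sizes(payload_bytes, mss):
    """IP datagram sizes TCP produces for a payload at the given MSS."""
    full, rest = divmod(payload_bytes, mss)
    sizes = [mss + TCP_IP_HEADERS] * full
    if rest:
        sizes.append(rest + TCP_IP_HEADERS)
    return sizes


def oversized(datagram_sizes, path_mtu):
    """Datagrams the narrow hop cannot carry: a DF-marked datagram, or a frame
    bigger than an Ethernet service will switch, is discarded, not fragmented."""
    return [s for s in datagram_sizes if s > path_mtu]


def first_failing_update(attr_sets, mss, path_mtu):
    """Walk attribute sets [(attr_bytes, [prefix_len, ...]), ...] in send order;
    return (index, routes_sent_before_it) for the first lost UPDATE, else None."""
    sent = 0
    for idx, (attr_bytes, plens) in enumerate(attr_sets):
        for size in pack_updates(attr_bytes, plens):
            if oversized(segment_sizes(size, mss), path_mtu):
                return idx, sent
        sent += len(plens)
    return None


def full_table_scenario():
    """Constructed table: 100 small attribute sets, then one with 2000 prefixes,
    sent with ip mtu 1500 over a WAN whose usable MTU is assumed to be 1400."""
    table = [(30, [24] * 50)] * 100 + [(30, [24] * 2000)]
    mss_direct = bgp_tcp_mss(1500, directly_connected=True)       # 1460
    mss_loopback = bgp_tcp_mss(1500, directly_connected=False)    # 536
    return {
        "direct_peering": first_failing_update(table, mss_direct, 1400),
        "loopback_no_pmtud": first_failing_update(table, mss_loopback, 1400),
    }


if __name__ == "__main__":
    for name, result in full_table_scenario().items():
        print(name, "all UPDATEs fit" if result is None
              else "attribute set %d lost after %d routes" % result)
```

With the 1460-byte MSS the session survives the 100 small attribute sets and dies on the first large one, well into the table; with the 536-byte MSS every segment fits, which is the effect Mark's "no bgp transport path-mtu-discovery" suggestion relies on.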
Antal Gergely wrote: > Jay Nakamura wrote: > >> Datagrams (max data segment is 536 bytes): > > > put a "ip mtu 1500" on the wan interface. > its not the same as mtu xxxx > > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. From saku+cisco-nsp at ytti.fi Mon Aug 11 12:16:09 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 11 Aug 2008 19:16:09 +0300 Subject: [c-nsp] Filtering telnet without ACL In-Reply-To: <48A014B8.4010807@cisco.com> References: <4e65e5160808010614m762048b5y48d26c54ccd5fbd7@mail.gmail.com> <20080801140458.GA21900@mx.ytti.net> <4e65e5160808110113p3dcde9c0v41be990bef33b891@mail.gmail.com> <20080811082143.GA30208@mx.ytti.net> <4e65e5160808110136p30db9085s32d13a49edb1862d@mail.gmail.com> <20080811090358.GA30568@mx.ytti.net> <48A014B8.4010807@cisco.com> Message-ID: <20080811161609.GB792@mx.ytti.net> On (2008-08-11 20:30 +1000), Lincoln Dale wrote: > you could potentially do it using CoPP policy with a CoPP policy for the > address(es) you wish, 0bps configured for other rates. OP was about doing it w/o ACL, CoPP would violate that rule. > if its just telnet, then certainly an access-class on the vty would work > too, albeit that would be s/w enforced not h/w enforced. -- ++ytti From sdanelli at gmail.com Mon Aug 11 13:24:26 2008 From: sdanelli at gmail.com (Sergio D.) 
Date: Mon, 11 Aug 2008 11:24:26 -0600 Subject: [c-nsp] filter LDP bindings In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> Message-ID: Oli, from a neighbor a hop away: PE2#show mpls ldp bindings 10.0.0.1 32 tib entry: 10.0.0.1/32, rev 10 local binding: tag: 17 remote binding: tsr: 25.25.25.25:0, tag: 20 PE2# prefix I want to filter: PE2#show mpls forwarding-table 150.0.0.1 Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 19 18 150.0.0.0/24 0 Se1/0 point2point thanks, On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Sergio, > > your config looks fine, so I don't know what's happening. Can you show a > "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s) or a "show > mpls forwarding interface " where is the neighbor's interface > to PE1? > No need to specify a "to " to select which neighbors you want to > advertise this to in your case. > > oli > > Sergio D. wrote on Monday, August 11, 2008 > 4:52 PM: > > > thanks for the response. > > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no > > tag-switching advertise-tags" which I already have. > > Oliver, > > thanks for clearing up the assignment of the label, I guess thats > > fine as long as it doesn't get advertised which is what I am trying > > to avoid. I did try it without the deny at the end, and the result > > was the same. > > Do I need an access-list listing my peers and apply that? > > > > TIA > > > > > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > > > > wrote: > > > > > > Hi Sergio, > > > > to add to what Oliver said that you maybe want to make sure > > you have in the configuration a "no mpls ldp advertise-labels" > > line. 
Without that, even if you configure a filter (which is > > successfully matched as you shown), labels would still be > > announced to adjacent LDP peers. > > > > Don't know if this could be your case; i did have to make use > > out of it to verify label filtering working on a 12.2SR while > > trying to minimize exposure of our labels in an "Inter-AS" L2 > > MPLS VPN scenario. > > > > > > no mpls ldp advertise-labels > > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > > [ ... ] > > mpls label protocol ldp > > ! > > interface Loopback0 > > ip address 192.168.100.4 255.255.255.255 > > ! > > ip access-list standard LDP-DEST > > permit 192.168.100.4 > > ip access-list standard LDP-PEER > > permit 192.168.100.1 > > ! > > > > Cheers, > > Paolo > > > > > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote: > > > Hello, > > > I am trying to filter LDP label bindings to only advertise my > > loopback > address(for vpnv4 traffic) but I am unsure as to what > the > > requirements are. > Here is what I have: > > > PE1#show ip route connected | in ^C > > > C 1.1.1.0 is directly connected, Serial1/0 > > > C 10.0.0.1 is directly connected, Loopback0 > > > C 150.0.0.0 is directly connected, FastEthernet0/1 > > > > > > PE1#sh run | in tag > > > no tag-switching advertise-tags > > > tag-switching advertise-tags for ldp-filter > > > > > > PE1#show access-lists ldp-filter > > > Standard IP access list ldp-filter > > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches) > > > 999 deny any (7 matches) > > > > > > matches? > > > > > > but still generates a binding for all my connected interfaces: > > > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > > tib entry: 150.0.0.0/24, rev 2 > > > local binding: tag: imp-null > > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > > PE1# > > > > > > And the other side tags it with a label: > > > > > > PE2#traceroute 150.0.0.1 > > > > > > Type escape sequence to abort. 
> > > Tracing the route to 150.0.0.1 > > > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec > > > 2 1.1.1.1 24 msec 52 msec * > > > > > > TIA, > > > > > > -- > > > Sergio Danelli > > > > > > > > > > > > -- > > Sergio Danelli > -- Sergio From aj at sneep.net Mon Aug 11 13:27:36 2008 From: aj at sneep.net (Alastair Johnson) Date: Tue, 12 Aug 2008 01:27:36 +0800 Subject: [c-nsp] OSPF Reference bandwidth auto-cost and LAG In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com> References: <48A01AB3.3000503@sneep.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4CFE@xmb-ams-333.emea.cisco.com> Message-ID: <48A07688.3060602@sneep.net> Oliver Boehmer (oboehmer) wrote: > Alastair Johnson <> wrote on Monday, August 11, 2008 12:56 PM: > >> e.g. if I have ref BW = 100G, and a P-C with 2 10GE links, it should >> be metric = 5. >> >> If one 10GE link disappears from the bundle, do I have metric = 10? > > yes, the bandwidth on the port-channel interface is based on the number > of active links, and OSPF's cost will adjust automatically. > > oli Thank you for your answer Oli - that is very helpful! regards, aj From sdanelli at gmail.com Mon Aug 11 13:29:57 2008 From: sdanelli at gmail.com (Sergio D.) Date: Mon, 11 Aug 2008 11:29:57 -0600 Subject: [c-nsp] filter LDP bindings In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> Message-ID: This may be of some value: PE1#show mpls ldp bindings advertisement-acls Advertisement spec: Prefix acl = 1 tib entry: 1.1.1.0/30, rev 26 tib entry: 1.1.1.4/30, rev 27 tib entry: 10.0.0.1/32, rev 33 Advert acl(s): Prefix acl 1 tib entry: 10.0.0.2/32, rev 34 Advert acl(s): Prefix acl 1 tib entry: 25.25.25.25/32, rev 30 tib entry: 150.0.0.0/24, rev 31 tib entry: 160.0.0.0/24, rev 32 It appears that the ACL catches the right prefixes.
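The check Sergio is doing by eye on the advertisement-acls output, as an added example (not from the thread or from Cisco): it parses the "show mpls ldp bindings advertisement-acls" output, evaluates PE1's standard ACL against each tib prefix independently, and reports any prefix where the router's marking and the ACL disagree. The show output and the ACL text are constructed copies of what was posted above; the function names are the example's own.

```python
"""Cross-check an IOS 'mpls ldp advertise-labels for <acl>' filter on PE1.

Added example, not from the thread.  It reads the router's own view from
'show mpls ldp bindings advertisement-acls' (a tib entry followed by an
'Advert acl(s)' line is one the filter permits) and independently evaluates
the standard ACL against each prefix, then reports any disagreement.
"""
import ipaddress
import re

# Constructed from the output Sergio posted, in the usual IOS indentation.
SHOW_ADVERTISEMENT_ACLS = """\
Advertisement spec:
        Prefix acl = 1
  tib entry: 1.1.1.0/30, rev 26
  tib entry: 1.1.1.4/30, rev 27
  tib entry: 10.0.0.1/32, rev 33
        Advert acl(s): Prefix acl 1
  tib entry: 10.0.0.2/32, rev 34
        Advert acl(s): Prefix acl 1
  tib entry: 25.25.25.25/32, rev 30
  tib entry: 150.0.0.0/24, rev 31
  tib entry: 160.0.0.0/24, rev 32
"""

# PE1's standard ACL as shown in the thread (the trailing deny kept as posted).
ACL_LDP_FILTER = """\
10 permit 10.0.0.0 0.0.0.255
999 deny any
"""

TIB_RE = re.compile(r"^\s*tib entry:\s+(\S+),")
ADVERT_RE = re.compile(r"^\s*Advert acl\(s\):")
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_advertisement_acls(text):
    """Map each tib prefix to True when the router marks it as permitted."""
    result, last = {}, None
    for line in text.splitlines():
        m = TIB_RE.match(line)
        if m:
            last = m.group(1)
            result[last] = False
        elif ADVERT_RE.match(line) and last is not None:
            result[last] = True
    return result


def parse_standard_acl(text):
    """Parse 'permit|deny A.B.C.D [wildcard]', 'host A.B.C.D' or 'any' entries
    into (permit?, address_int, wildcard_int) tuples, in order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, addr, wild = m.groups()
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wild = wild, "0.0.0.0"
        elif wild is None:              # bare address means host match
            wild = "0.0.0.0"
        aces.append((action == "permit",
                     int(ipaddress.IPv4Address(addr)),
                     int(ipaddress.IPv4Address(wild))))
    return aces


def acl_permits(aces, address):
    """First match wins; IOS adds an implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(address))
    for permit, addr, wild in aces:
        if ((ip ^ addr) & (0xFFFFFFFF ^ wild)) == 0:   # wildcard bits are don't-care
            return permit
    return False


def compare(show_text, acl_text):
    """What the router says it advertises vs. what the ACL predicts.

    The standard ACL is checked against the prefix's network address only;
    the prefix length plays no part, which is why the /32 loopbacks match
    'permit 10.0.0.0 0.0.0.255' on PE1.
    """
    bindings = parse_advertisement_acls(show_text)
    aces = parse_standard_acl(acl_text)
    router_says = {p for p, ok in bindings.items() if ok}
    acl_expects = {p for p in bindings if acl_permits(aces, p.split("/")[0])}
    return {
        "router_advertises": sorted(router_says),
        "acl_expects": sorted(acl_expects),
        "mismatch": sorted(router_says ^ acl_expects),
    }


if __name__ == "__main__":
    for key, value in compare(SHOW_ADVERTISEMENT_ACLS, ACL_LDP_FILTER).items():
        print(f"{key}: {value}")
```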
On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Sergio, > > your config looks fine, so I don't know what's happening. Can you show a > "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s) or a "show > mpls forwarding interface " where is the neighbor's interface > to PE1? > No need to specify a "to " to select which neighbors you want to > advertise this to in your case. > > oli > > Sergio D. wrote on Monday, August 11, 2008 > 4:52 PM: > > > thanks for the response. > > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no > > tag-switching advertise-tags" which I already have. > > Oliver, > > thanks for clearing up the assignment of the label, I guess thats > > fine as long as it doesn't get advertised which is what I am trying > > to avoid. I did try it without the deny at the end, and the result > > was the same. > > Do I need an access-list listing my peers and apply that? > > > > TIA > > > > > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > > > > wrote: > > > > > > Hi Sergio, > > > > to add to what Oliver said that you maybe want to make sure > > you have in the configuration a "no mpls ldp advertise-labels" > > line. Without that, even if you configure a filter (which is > > successfully matched as you shown), labels would still be > > announced to adjacent LDP peers. > > > > Don't know if this could be your case; i did have to make use > > out of it to verify label filtering working on a 12.2SR while > > trying to minimize exposure of our labels in an "Inter-AS" L2 > > MPLS VPN scenario. > > > > > > no mpls ldp advertise-labels > > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > > [ ... ] > > mpls label protocol ldp > > ! > > interface Loopback0 > > ip address 192.168.100.4 255.255.255.255 > > ! > > ip access-list standard LDP-DEST > > permit 192.168.100.4 > > ip access-list standard LDP-PEER > > permit 192.168.100.1 > > ! 
> > > > Cheers, > > Paolo > > > > > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote: > > > Hello, > > > I am trying to filter LDP label bindings to only advertise my > > loopback > address(for vpnv4 traffic) but I am unsure as to what > the > > requirements are. > Here is what I have: > > > PE1#show ip route connected | in ^C > > > C 1.1.1.0 is directly connected, Serial1/0 > > > C 10.0.0.1 is directly connected, Loopback0 > > > C 150.0.0.0 is directly connected, FastEthernet0/1 > > > > > > PE1#sh run | in tag > > > no tag-switching advertise-tags > > > tag-switching advertise-tags for ldp-filter > > > > > > PE1#show access-lists ldp-filter > > > Standard IP access list ldp-filter > > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches) > > > 999 deny any (7 matches) > > > > > > matches? > > > > > > but still generates a binding for all my connected interfaces: > > > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > > tib entry: 150.0.0.0/24, rev 2 > > > local binding: tag: imp-null > > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > > PE1# > > > > > > And the other side tags it with a label: > > > > > > PE2#traceroute 150.0.0.1 > > > > > > Type escape sequence to abort. 
> > > Tracing the route to 150.0.0.1 > > > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec > > > 2 1.1.1.1 24 msec 52 msec * > > > > > > TIA, > > > > > > -- > > > Sergio Danelli > > > > > > > > > > > > -- > > Sergio Danelli > -- Sergio Danelli JNCIE #170 From rolf-web at internet.ao Mon Aug 11 14:25:08 2008 From: rolf-web at internet.ao (Rolf Mendelsohn) Date: Mon, 11 Aug 2008 19:25:08 +0100 Subject: [c-nsp] Excessive AMDP2_FE-3-UNDERFLO In-Reply-To: <4899A2A2.4080108@fnbs.net> References: <4899A2A2.4080108@fnbs.net> Message-ID: <200808111925.09196.rolf-web@internet.ao> Hi Nimal, Check your processor / memory utilisation & check that all traffic is being CEF switched: sh proc cpu sh proc cpu history sh mem sh switching If traffic is being CEF switched and your CPU is running very high, you may consider upgrading your NPE - btw. what NPE do you have in that router? cheers /rolf On Wednesday 06 August 2008 14:09:54 Nimal David Sirimanne wrote: > Hi guys, > > Need some advice. > > One of the interfaces on my border routers is consistently getting > AMDP2_FE-3-UNDERFLO messages during its peak usage (9am-5pm) hours. The > interface FastEthernet2/0 is seeing approx 40Mbps out and 15 Mbps in. > > The explanation for this error on Cisco website is: > > ------------ > Explanation While transmitting a frame, the controller chip's local > buffer received insufficient data because data could not be transferred > to the chip fast enough to keep pace with its output rate. Normally, > such a problem is temporary, depending on transient peak loads within > the system. > > Recommended Action The system should recover. No action is required. > ------------ > > I need some convincing of that. Of late, i've received a few reports of > packet loss to my network, and am not sure if this transmit > error has anything to do with it. Any help is much appreciated! FYI, the > router in question is a Cisco 7206VXR. The interface is 100Mbps capable.
> > [repeated %AMDP2_FE-3-UNDERFLO syslog lines omitted] From sami.joseph at gmail.com Mon Aug 11 16:37:22 2008 From: sami.joseph at gmail.com (Sami Joseph) Date: Mon, 11 Aug 2008 23:37:22 +0300 Subject: [c-nsp] Crash bug in SXH3 In-Reply-To: References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> Message-ID: <9da37ec40808111337w224abd0bwa890f904864906fc@mail.gmail.com> I've worked with different vendors "TAC"/Support and it would be fair to admit that there is a world of difference between the support i get from Cisco and other vendors.
Within TAC information is openly shared and comes in quickly whether it's a bug or else, while with others, I will have to wait till they check with everyone including the account managers before coming back to me with news that I have a bug. Yet sometimes there are some TAC engineers that prefer to walk the easy path and RMA the hardware but that rarely happens on Severity 1/2 cases and I can change how the case is going if my tone changes. I can't resist the urge to say their names, so please go ahead and try Huawei or Alcatel-Lucent support and you'll be sending roses to TAC after each case. My final note, everyone receives a survey after each case and trust me, your comments shall improve their service as I have had an incident where my bad survey turned things around, so I know that those surveys are read and acted upon. ~Joost On Mon, Aug 11, 2008 at 6:35 PM, Hank Nussbacher wrote: > On Mon, 11 Aug 2008, Phil Mayers wrote: > > Bård Dahlmo wrote: >> >>> On Thu, 7 Aug 2008, Phil Mayers wrote: >>> >>> Just a warning, there is a fatal crash bug in SXH3 related to using SCP. >>>> Considering the release notes claim fixes in that very area, this is highly >>>> amusing (note: issue may not actually be amusing) >>>> >>> >>> CSCsr86489 >>> >>> >> Nice. TAC case has been open 4 days now, and I've had no reply. >> > > I have found cisco-nsp far more useful than TAC. Only 1 out of every 3 TAC > cases do I get value for my money. Otherwise it is either "not my job, > man", or "working as designed", etc.
>
> -Hank

From jloiacon at csc.com Mon Aug 11 17:08:23 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon, 11 Aug 2008 17:08:23 -0400
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
Message-ID:

We have a requirement for about 2+ GE between two metro locations. I'm looking at the 3750-E with 2 X2 10GE uplink ports. I would use the 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance is about at the 40 km limit - but that's another question. Want to do BGP with a limited set of users at the remote location.

Assuming the distance is OK, does this switch make sense? Recommend another?

Thanks,

Joe

PS - Should I worry (a lot) about being at or slightly above the 40 km distance?

From alex.burba at gmail.com Mon Aug 11 17:35:14 2008
From: alex.burba at gmail.com (Alex Burba)
Date: Tue, 12 Aug 2008 01:35:14 +0400
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
References:
Message-ID: <5a2c0b9f0808111435t41d5c4c4yb4371ccdc4ba712a@mail.gmail.com>

It will do fine until you try to upload a full view or try to serve more than 10-15 downlinks, I suppose.

2008/8/12 Joe Loiacono

> We have a requirement for about 2+ GE between two metro locations. I'm
> looking at the 3750-E with 2 X2 10GE uplink ports. I would use the
> 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance
> is about at the 40 km limit - but that's another question. Want to do BGP
> with a limited set of users at the remote location.
>
> Assuming the distance is OK, does this switch make sense? Recommend
> another?
>
> Thanks,
>
> Joe
>
> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?
From chris at k7sle.com Mon Aug 11 18:01:24 2008
From: chris at k7sle.com (Chris Gauthier)
Date: Mon, 11 Aug 2008 15:01:24 -0700 (PDT)
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To: <5a2c0b9f0808111435t41d5c4c4yb4371ccdc4ba712a@mail.gmail.com>
Message-ID: <3423466.81218492080258.JavaMail.SYSTEM@DAT004919>

If this is just a satellite location, I would try to avoid BGP unless absolutely necessary. Maybe OSPF can meet your needs for this and then you can inject routes as needed.

Chris

----- Original Message -----
From: "Alex Burba"
To: "Joe Loiacono"
Cc: cisco-nsp at puck.nether.net
Sent: Monday, August 11, 2008 2:35:14 PM GMT -08:00 US/Canada Pacific
Subject: Re: [c-nsp] Good 10GE Metro switch

It will do fine until you try to upload a full view or try to serve more than 10-15 downlinks, I suppose.

2008/8/12 Joe Loiacono

> We have a requirement for about 2+ GE between two metro locations. I'm
> looking at the 3750-E with 2 X2 10GE uplink ports. I would use the
> 10GBASE-ER X2 Transceiver Module for the distance. Actually the distance
> is about at the 40 km limit - but that's another question. Want to do BGP
> with a limited set of users at the remote location.
>
> Assuming the distance is OK, does this switch make sense? Recommend
> another?
>
> Thanks,
>
> Joe
>
> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?
From streiner at cluebyfour.org Mon Aug 11 18:17:49 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 11 Aug 2008 18:17:49 -0400 (EDT)
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
References:
Message-ID:

On Mon, 11 Aug 2008, Joe Loiacono wrote:

> PS - Should I worry (a lot) about being at or slightly above the 40 km
> distance?

That depends on the test results on your fiber span. If the fiber is clean, of high quality, and well-spliced, then there could be a little 'slop' in the loss budget. At that distance, dispersion may be more of a concern than attenuation. It all depends on what the test results look like.

You'll want to see at least the 2-point loss test results at 1550 nm through your fiber span from an OTDR. If the splices are good, you shouldn't see too much of a reflectivity spike at the splice points, but you will see reflections from any physical cross-connects or jumpers that are in the span.

With the 10GBASE-ER, your minimum transmit power is -4.7 dBm and your minimum receive power is -15.8 dBm. Cisco's datasheet for the X2 modules may be found here:

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6574/product_data_sheet0900aecd801f92aa.html

jms

From cchurc05 at harris.com Mon Aug 11 23:41:49 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 11 Aug 2008 22:41:49 -0500
Subject: [c-nsp] MD5 checksums for IOS images
Message-ID:

Anyone,

Is there a central place to find MD5 hashes for IOS images, other than going through the process of getting to the point of almost downloading each image?
We're thinking about implementing processes to verify image integrity, and have about 40 or so different images we use currently on all our various gear.

Thanks,

Chuck

From tianys at gmail.com Tue Aug 12 02:28:52 2008
From: tianys at gmail.com (田云生)
Date: Tue, 12 Aug 2008 14:28:52 +0800
Subject: [c-nsp] a multicast problem
Message-ID: <615772ed0808112328l5050e282m3d85afaf2ac61637@mail.gmail.com>

Dear.

In my network, usersA cannot see the multicast application smoothly at work time, but at rest time it's smooth. UsersB can see the multicast application smoothly at any time. What's the possible cause? Please help me, thanks!

    Source(vlan10)
          |
          |
         SWA--------------
          |              |
          |              |
        6513A====6513B------\
          |                 |
          |                 |
   usersA(problem)    usersB(No problem)
       vlan 12            vlan 12

6513B is the RP.
The 6513 is running PIM V2 (sparse mode) in vlan 12. 6513B is DR and Forwarder.

From zivl at gilat.net Tue Aug 12 02:31:55 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 12 Aug 2008 09:31:55 +0300
Subject: [c-nsp] MD5 checksums for IOS images
In-Reply-To:
References:
Message-ID:

Taken from here: http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

"For those customers whose www.cisco.com account does not provide access to the Cisco IOS Upgrade Planner tool and hence cannot obtain the Cisco calculated, known-good MD5 hash value for a given Cisco IOS software image, or for those customers that would prefer to automate the process of validating MD5 hashes using their own tools, Cisco is making available a compressed file including the Cisco IOS software image name and known-good MD5 hash for all 12.0-based, 12.1-based, 12.2-based, 12.3-based and 12.4-based Cisco IOS software releases. This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains a second compressed file (a set of data files and a document explaining the file format) and a detached PGP signature for the second compressed file.
The file has been signed by the current Cisco PSIRT PGP key. Information on how to obtain the current Cisco PSIRT PGP key can be found in the document entitled "Cisco Security Vulnerability Policy", available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. We recommend customers to uncompress the file and verify the signature for the second file before using the data files for any verification purposes."

Hope this helps,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Tuesday, August 12, 2008 6:42 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MD5 checksums for IOS images

Anyone,

Is there a central place to find MD5 hashes for IOS images, other than going through the process of getting to the point of almost downloading each image? We're thinking about implementing processes to verify image integrity, and have about 40 or so different images we use currently on all our various gear.

Thanks,

Chuck
From oboehmer at cisco.com Tue Aug 12 02:37:20 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 12 Aug 2008 08:37:20 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>

Sergio,

is PE2 really adjacent to PE1? I don't think it is; there must be some LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop label", as those networks are directly connected on PE1), not 18 or 20, as you've indicated below. I would assume it is 25.25.25.25, as this LDP neighbor sends advertisements to both PE1 and PE2.

As every speaker allocates labels independently, you need to filter the LDP advertisements on *all* LDP speakers.

oli

Sergio D. wrote on Monday, August 11, 2008 7:24 PM:

> Oli,
> from a neighbor a hop away:
>
> PE2#show mpls ldp bindings 10.0.0.1 32
>   tib entry: 10.0.0.1/32, rev 10
>         local binding:  tag: 17
>         remote binding: tsr: 25.25.25.25:0, tag: 20
> PE2#
>
> prefix I want to filter:
>
> PE2#show mpls forwarding-table 150.0.0.1
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 19     18          150.0.0.0/24      0          Se1/0      point2point
>
> thanks,
>
>
> On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) wrote:
>
>> Sergio,
>>
>> your config looks fine, so I don't know what's happening. Can you
>> show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
>> or a "show mpls forwarding interface " where is the
>> neighbor's interface to PE1?
>> No need to specify a "to " to select which neighbors you want to
>> advertise this to in your case.
>>
>> oli
>>
>> Sergio D. wrote on Monday, August 11, 2008 4:52 PM:
>>
>>> thanks for the response.
>>> I am using 12.3(22) and "no mpls ldp advertise-labels" turns into "no
>>> tag-switching advertise-tags" which I already have.
>>> Oliver, thanks for clearing up the assignment of the label, I guess that's
>>> fine as long as it doesn't get advertised, which is what I am trying
>>> to avoid. I did try it without the deny at the end, and the result
>>> was the same.
>>> Do I need an access-list listing my peers and apply that?
>>>
>>> TIA
>>>
>>>
>>> On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente wrote:
>>>
>>>> Hi Sergio,
>>>>
>>>> to add to what Oliver said, you maybe want to make sure
>>>> you have in the configuration a "no mpls ldp advertise-labels"
>>>> line. Without that, even if you configure a filter (which is
>>>> successfully matched as you showed), labels would still be
>>>> announced to adjacent LDP peers.
>>>>
>>>> Don't know if this could be your case; I did have to make use
>>>> of it to verify label filtering working on a 12.2SR while
>>>> trying to minimize exposure of our labels in an "Inter-AS" L2
>>>> MPLS VPN scenario.
>>>>
>>>> no mpls ldp advertise-labels
>>>> mpls ldp advertise-labels for LDP-DEST to LDP-PEER
>>>> [ ... ]
>>>> mpls label protocol ldp
>>>> !
>>>> interface Loopback0
>>>>  ip address 192.168.100.4 255.255.255.255
>>>> !
>>>> ip access-list standard LDP-DEST
>>>>  permit 192.168.100.4
>>>> ip access-list standard LDP-PEER
>>>>  permit 192.168.100.1
>>>> !
>>>>
>>>> Cheers,
>>>> Paolo
>>>>
>>>>
>>>> On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
>>>>> Hello,
>>>>> I am trying to filter LDP label bindings to only advertise my
>>>>> loopback address (for vpnv4 traffic) but I am unsure as to what the
>>>>> requirements are.
>>>>> Here is what I have:
>>>>>
>>>>> PE1#show ip route connected | in ^C
>>>>> C    1.1.1.0 is directly connected, Serial1/0
>>>>> C    10.0.0.1 is directly connected, Loopback0
>>>>> C    150.0.0.0 is directly connected, FastEthernet0/1
>>>>>
>>>>> PE1#sh run | in tag
>>>>> no tag-switching advertise-tags
>>>>> tag-switching advertise-tags for ldp-filter
>>>>>
>>>>> PE1#show access-lists ldp-filter
>>>>> Standard IP access list ldp-filter
>>>>>     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
>>>>>     999 deny   any (7 matches)
>>>>>
>>>>> matches?
>>>>>
>>>>> but still generates a binding for all my connected interfaces:
>>>>>
>>>>> PE1#show mpls ldp bindings 150.0.0.0 24
>>>>>   tib entry: 150.0.0.0/24, rev 2
>>>>>         local binding:  tag: imp-null
>>>>>         remote binding: tsr: 25.25.25.25:0, tag: 18
>>>>> PE1#
>>>>>
>>>>> And the other side tags it with a label:
>>>>>
>>>>> PE2#traceroute 150.0.0.1
>>>>>
>>>>> Type escape sequence to abort.
>>>>> Tracing the route to 150.0.0.1
>>>>>
>>>>>   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
>>>>>   2 1.1.1.1 24 msec 52 msec *
>>>>>
>>>>> TIA,
>>>>>
>>>>> --
>>>>> Sergio Danelli
>>>>
>>>
>>> --
>>> Sergio Danelli
>
> --
> Sergio

From p.mayers at imperial.ac.uk Tue Aug 12 04:49:31 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 Aug 2008 09:49:31 +0100
Subject: [c-nsp] MD5 checksums for IOS images
In-Reply-To:
References:
Message-ID: <20080812084931.GA11763@wildfire.net.ic.ac.uk>

>
> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones. That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
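Putting the two messages above into practice (Ziv's pointer to the signed zip of known-good MD5 values, and Phil's wish for a script that checks images against it), here is an added Python example; it is not Cisco's tooling and not code from anyone in this thread. It assumes the data file is read as lines of `<image file name> <md5 hex>` (the real format is described in the document inside the zip, so adapt parse_hash_list to it), that gpg with the imported Cisco PSIRT key checks the detached signature before the list is trusted, and the sample list inside the block is constructed.

```python
"""Check local IOS images against a signed list of known-good MD5 values.

Added example for this thread, not Cisco's tooling and not code from the
list. Assumed (not from the page): the data file is read as lines of
"<image-file-name> <md5-hex>", and gpg verifies the detached signature.
"""
import hashlib
import os
import subprocess

# Constructed sample in the assumed format. The names are placeholders and
# the digests are md5(b"abc") and md5(b"") so the demo is reproducible;
# they are not Cisco-published values.
SAMPLE_HASH_LIST = """\
# image-file-name md5
example-ipbase-mz.bin 900150983cd24fb0d6963f7d28e17f72
example-advipservices-mz.bin d41d8cd98f00b204e9800998ecf8427e
"""


def verify_detached_signature(signed_path, sig_path, gpg="gpg"):
    """True only if gpg accepts sig_path as a signature over signed_path.

    The Cisco PSIRT public key must already be in the local keyring.
    Nothing from the archive should be used before this returns True.
    """
    proc = subprocess.run([gpg, "--batch", "--verify", sig_path, signed_path],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def parse_hash_list(text):
    """Parse "<name> <md5>" lines into {name: md5}; raise on a damaged line.

    Raising instead of skipping matters: a silently shortened list would
    make images show up as "unknown" rather than as a failed check.
    """
    known = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 32:
            raise ValueError("bad hash list line %d: %r" % (lineno, raw))
        name, digest = parts[0], parts[1].lower()
        int(digest, 16)            # ValueError if not hexadecimal
        known[name] = digest
    return known


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so multi-hundred-megabyte images do not go into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest, known):
    """Return "ok", "mismatch" or "unknown" for one image name and digest.

    "unknown" (name absent from the list) is reported separately because
    the list lags behind releases, as Phil noted; it is not proof of
    tampering, but it is not a pass either.
    """
    expected = known.get(name)
    if expected is None:
        return "unknown"
    return "ok" if expected == digest else "mismatch"


def check_directory(image_dir, known):
    """Map each regular file in image_dir to its verification status."""
    results = {}
    for name in sorted(os.listdir(image_dir)):
        path = os.path.join(image_dir, name)
        if os.path.isfile(path):
            results[name] = classify(name, md5_of_file(path), known)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:
        # python check_ios_md5.py inner.zip inner.zip.asc hashlist.txt /tftpboot
        signed, sig, list_path, image_dir = sys.argv[1:5]
        if not verify_detached_signature(signed, sig):
            sys.exit("PGP signature check failed; refusing to use the hash list")
        with open(list_path) as fh:
            known = parse_hash_list(fh.read())
        for name, status in check_directory(image_dir, known).items():
            print("%-9s %s" % (status, name))
    else:
        # Offline demo on the constructed sample.
        known = parse_hash_list(SAMPLE_HASH_LIST)
        print(classify("example-ipbase-mz.bin", md5_of_bytes(b"abc"), known))
```

The "unknown" status is what a list that lags behind current releases will produce for a freshly downloaded image, so it should be reported, not folded into "ok".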
From carlo.ngn at gmail.com Tue Aug 12 07:10:39 2008
From: carlo.ngn at gmail.com (Carlo Maggiolini)
Date: Tue, 12 Aug 2008 13:10:39 +0200
Subject: [c-nsp] Ios slb and voip gateway
Message-ID:

Hi all,

we've a 6506 that is configured to do SLB for a farm of some SIP servers. My goal is to balance the traffic generated from our Cisco VoIP gateway that sends traffic to the virtual IP of the farm. My problem is that the UDP packets that are generated by the gateway are always sent from the same signalling port (5060). The SLB creates a "connection" between the gateway IP/port and only one real server.

Any suggestion or idea?

Thanks
Carlo

From adrian.minta at gmail.com Tue Aug 12 07:28:02 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 14:28:02 +0300
Subject: [c-nsp] ME6500
Message-ID: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>

Hello,

I have a Cisco ME-C6524GT-8S with software s6523-advipservicesk9-mz.122-18.ZU2 and I don't know how to do some basic things like:

How to clear an arp entry
"clear ip arp 10.10.10.10" doesn't work :(

How to display MACs learned on a routed subinterface
"sh mac-address-table" doesn't display MAC addresses for ports like Gi1/10.200

Is there a solution for this? A newer software version?

Thank you.

From rubensk at gmail.com Tue Aug 12 07:41:26 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 12 Aug 2008 08:41:26 -0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com>
Message-ID: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>

On Tue, Aug 12, 2008 at 8:28 AM, Adrian M wrote:
> Hello,
> I have a cisco ME-C6524GT-8S with software
> s6523-advipservicesk9-mz.122-18.ZU2 and I don't know how to do some
> basic things like:
>
> How to clear an arp entry
> "clear ip arp 10.10.10.10" doesn't work :(

On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I haven't tried it on ME6524. Is "clear arp interface " where is the interface where the arp entry is located won't probably be that hard, unless you have thousands of entries on that routed or SVI interface.

> How to display mac learned on a routed subinterface
> "sh mac-address-table" don't display mac addresses for ports like Gi1/10.200

I don't think routed subinterfaces have a mac-address-table, by definition... ping (use both all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200 will likely show whoever is attached to that interface (even for hosts that don't answer ping, because it's not common to filter out arp requests/responses in host firewalls these days).

Rubens

From jared at puck.nether.net Tue Aug 12 07:49:12 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 12 Aug 2008 07:49:12 -0400
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <48A05D3E.7020209@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> <48A05D3E.7020209@imperial.ac.uk>
Message-ID: <20080812114912.GE61894@puck.nether.net>

On Mon, Aug 11, 2008 at 04:39:42PM +0100, Phil Mayers wrote:
> Hank Nussbacher wrote:
>> On Mon, 11 Aug 2008, Phil Mayers wrote:
>>
>>> Bård Dahlmo wrote:
>>>> On Thu, 7 Aug 2008, Phil Mayers wrote:
>>>>
>>>>> Just a warning, there is a fatal crash bug in SXH3 related to
>>>>> using SCP.
>>>>> Considering the release notes claim fixes in that very
>>>>> area, this is highly amusing (note: issue may not actually be
>>>>> amusing)
>>>>
>>>> CSCsr86489
>>>>
>>>
>>> Nice. TAC case has been open 4 days now, and I've had no reply.
>>
>> I have found cisco-nsp far more useful than TAC. Only 1 out of every 3
>> TAC cases do I get value for my money. Otherwise it is either "not my
>> job, man", or "working as designed", etc.
>
> They've not been quite that bad with me.
>
> Typically I get the response: """This is CSCsuch-and-such it'll be fixed
> in the next release""". This normally happens quite quickly.

You can have them put the case in a state called SW-RELEASE-PEND. This will indicate that your issue is not resolved as the software is not available for you to run. Keep it open for a few months; perhaps if TAC has enough open cases in this state, they'll actually ask release ops to build something.

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From adrian.minta at gmail.com Tue Aug 12 07:53:24 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 14:53:24 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
Message-ID: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>

> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
> haven't tried it on ME6524. Is "clear arp interface " where
> is the interface where the arp entry is located won't probably be that
> hard, unless you have thousands of entries on that routed or SVI
> interface.

"no arp a.b.c.d" doesn't work :(
"clear arp x.x.x.x" doesn't exist either.
"clear arp-cache interface GigabitEthernet 1/10" is not clearing arp entries from GigabitEthernet1/10.215

>> How to display mac learned on a routed subinterface
>> "sh mac-address-table" don't display mac addresses for ports like Gi1/10.200
>
> I don't think routed subinterfaces have mac-address-table, by
> definition... ping (use both
> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
> will likely show whoever is attached to that interface (even for hosts
> that don't answer ping, because it's not common to filter out arp
> requests/responses in host firewalls these days).
>
> Rubens

Ok! But the box is still a switch. It uses internal vlans.

From thegameiam at yahoo.com Tue Aug 12 06:55:29 2008
From: thegameiam at yahoo.com (David Barak)
Date: Tue, 12 Aug 2008 03:55:29 -0700 (PDT)
Subject: [c-nsp] a multicast problem
In-Reply-To: <615772ed0808112328l5050e282m3d85afaf2ac61637@mail.gmail.com>
Message-ID: <260860.57769.qm@web31810.mail.mud.yahoo.com>

Have you taken a look at this Cisco notice:
http://www.cisco.com/application/pdf/paws/68131/cat_multicast_prob.pdf
and mitigated the IGMP snooping problem?

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

--- On Tue, 8/12/08, 田云生 wrote:

> From: 田云生
> Subject: [c-nsp] a multicast problem
> To: cisco-nsp at puck.nether.net
> Date: Tuesday, August 12, 2008, 2:28 AM
> Dear.
>
> In my network, usersA cannot see the multicast application smoothly
> at work time, but at rest time it's smooth. UsersB can see the
> multicast application smoothly at any time. What's the possible cause?
> Please help me, thanks!
>
>
>     Source(vlan10)
>           |
>           |
>          SWA--------------
>           |              |
>           |              |
>         6513A====6513B------\
>           |                 |
>           |                 |
>    usersA(problem)    usersB(No problem)
>        vlan 12            vlan 12
>
>
> 6513B is the RP.
> The 6513 is running PIM V2 (sparse mode) in vlan 12. 6513B is DR and Forwarder.
From rubensk at gmail.com Tue Aug 12 07:57:14 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 12 Aug 2008 08:57:14 -0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
Message-ID: <6bb5f5b10808120457h68f2c9a8m5c0bbc9aa7c97e5a@mail.gmail.com>

On Tue, Aug 12, 2008 at 8:53 AM, Adrian M wrote:
>> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
>> haven't tried it on ME6524. Is "clear arp interface " where
>> is the interface where the arp entry is located won't probably be that
>> hard, unless you have thousands of entries on that routed or SVI
>> interface.
>
> "no arp a.b.c.d" doesn't work :(
> "clear arp x.x.x.x" doesn't exist either.
> "clear arp-cache interface GigabitEthernet 1/10" is not clearing arp
> entries from GigabitEthernet1/10.215

clear arp interface GigabitEthernet1/10.215, perhaps?

>>> How to display mac learned on a routed subinterface
>>> "sh mac-address-table" don't display mac addresses for ports like Gi1/10.200
>>
>> I don't think routed subinterfaces have mac-address-table, by
>> definition... ping (use both
>> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
>> will likely show whoever is attached to that interface (even for hosts
>> that don't answer ping, because it's not common to filter out arp
>> requests/responses in host firewalls these days).
>
> Ok! But the box is still a switch. It uses internal vlans.

And still one can disable mac-learning on any vlan, whether it has an SVI or not.
Rubens

From gert at greenie.muc.de Tue Aug 12 08:17:06 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 12 Aug 2008 14:17:06 +0200
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080812114912.GE61894@puck.nether.net>
References: <489B7063.8040904@imperial.ac.uk> <48A04053.1020102@imperial.ac.uk> <48A05D3E.7020209@imperial.ac.uk> <20080812114912.GE61894@puck.nether.net>
Message-ID: <20080812121706.GQ288@greenie.muc.de>

Hi,

On Tue, Aug 12, 2008 at 07:49:12AM -0400, Jared Mauch wrote:
> You can have them put the case in a state called
> SW-RELEASE-PEND.

Yeah, hooray. One of my cases has been in that state for over a year :(

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From achatz at forthnet.gr Tue Aug 12 08:42:24 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 12 Aug 2008 15:42:24 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com>
Message-ID: <48A18530.4070101@forthnet.gr>

"clear arp-cache x.x.x.x" should work. Just keep in mind that after doing this, the local router will send an arp request to this mac. If it's still active, a reply is sent back and the local arp table will be filled again (you can check the "Age" counter).

--
Tassos

Adrian M wrote on 12/8/2008 2:53:
>> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
>> haven't tried it on ME6524.
>> Is "clear arp interface " where
>> is the interface where the arp entry is located won't probably be that
>> hard, unless you have thousands of entries on that routed or SVI
>> interface.
>
> "no arp a.b.c.d" doesn't work :(
> "clear arp x.x.x.x" doesn't exist either.
> "clear arp-cache interface GigabitEthernet 1/10" is not clearing arp
> entries from GigabitEthernet1/10.215
>
>>> How to display mac learned on a routed subinterface
>>> "sh mac-address-table" don't display mac addresses for ports like Gi1/10.200
>> I don't think routed subinterfaces have mac-address-table, by
>> definition... ping (use both
>> all-zeros and all-ones broadcasts) followed by show ip arp gi1/10.200
>> will likely show whoever is attached to that interface (even for hosts
>> that don't answer ping, because it's not common to filter out arp
>> requests/responses in host firewalls these days).
>>
>> Rubens
>
> Ok! But the box is still a switch. It uses internal vlans.

From adrian.minta at gmail.com Tue Aug 12 08:49:53 2008
From: adrian.minta at gmail.com (Adrian M)
Date: Tue, 12 Aug 2008 15:49:53 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <48A18530.4070101@forthnet.gr>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr>
Message-ID: <14e72ec90808120549l37da32f8j93a8e7acf42ebd45@mail.gmail.com>

2008/8/12 Tassos Chatzithomaoglou :
> "clear arp-cache x.x.x.x" should work. Just keep in mind that after doing
> this, the local router will send an arp request to this mac. If it's still
> active, a reply is sent back and the local arp table will be filled again
> (you can check the "Age" counter).
>

switch#clear arp-cache ?
  interface  Clear the entire ARP cache on the interface

switch#clear arp-cache interface gigabitEthernet 1/10.215
                                                      ^
% Invalid input detected at '^' marker.

Only "clear arp-cache interface gigabitEthernet 1/10" works but doesn't clear anything :(

From zivl at gilat.net Tue Aug 12 08:52:06 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 12 Aug 2008 15:52:06 +0300
Subject: [c-nsp] MD5 checksums for IOS images
In-Reply-To: <20080812084931.GA11763@wildfire.net.ic.ac.uk>
References: <20080812084931.GA11763@wildfire.net.ic.ac.uk>
Message-ID:

Yeah, you're right... According to the name, it seems like the file is dated 2008 May 16th, but I didn't find a way to see a list of files so I can decide which one is the last updated one...

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, August 12, 2008 11:50 AM
To: Ziv Leyes
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MD5 checksums for IOS images

>
> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones. That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
From justin at justinshore.com Tue Aug 12 09:15:13 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 12 Aug 2008 08:15:13 -0500
Subject: [c-nsp] ME6500
In-Reply-To: <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com>
Message-ID: <48A18CE1.4050603@justinshore.com>

Rubens Kuhl Jr. wrote:
> On some platforms, "conf t" + "no arp a.b.c.d" can do this, but I
> haven't tried it on ME6524. Is "clear arp interface " where
> is the interface where the arp entry is located won't probably be that
> hard, unless you have thousands of entries on that routed or SVI
> interface.

Ruben is correct. conf t; no arp is what works on the ZU code. I have another ME6524 running SXH and it uses clear ip arp like the other platforms.

Justin

From justin at justinshore.com Tue Aug 12 09:17:17 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 12 Aug 2008 08:17:17 -0500
Subject: [c-nsp] ME6500
In-Reply-To: <48A18530.4070101@forthnet.gr>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr>
Message-ID: <48A18D5D.3030003@justinshore.com>

The argument for clear arp-cache is an interface or null.

6524-2.brd#clear arp-cache ?
  interface  Clear the entire ARP cache on the interface

Ruben was correct with 'no arp ' from global config mode on that platform with the ZU code.

Justin

Tassos Chatzithomaoglou wrote:
> "clear arp-cache x.x.x.x" should work. Just keep in mind that after
> doing this, the local router will send an arp request to this mac. If
> it's still active, a reply is sent back and the local arp table will be
> filled again (you can check the "Age" counter).
>
> --
> Tassos

From cchurc05 at harris.com Tue Aug 12 09:22:53 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 12 Aug 2008 08:22:53 -0500
Subject: [c-nsp] MD5 checksums for IOS images
In-Reply-To:
References: <20080812084931.GA11763@wildfire.net.ic.ac.uk>
Message-ID:

Thanks guys.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, August 12, 2008 8:52 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net; Church, Charles
Subject: Re: [c-nsp] MD5 checksums for IOS images

Yeah, you're right... According to the name, it seems like the file is dated 2008 May 16th, but I didn't find a way to see a list of files so I can decide which one is the last updated one...

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Tuesday, August 12, 2008 11:50 AM
To: Ziv Leyes
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MD5 checksums for IOS images

>
> This file can be found at http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip and contains

Wow. Very nearly all IOS images; it's lacking very recent ones. That's probably one of the most useful links I've ever seen to the Cisco web page. Shame their web server doesn't properly set ETag/Last-Modified headers so a friendly script could non-aggressively pull it repeatedly.

One assumes they'll be updating this as time goes forward?
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From achatz at forthnet.gr Tue Aug 12 09:29:44 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 12 Aug 2008 16:29:44 +0300
Subject: [c-nsp] ME6500
In-Reply-To: <48A18D5D.3030003@justinshore.com>
References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com>
Message-ID: <48A19048.9000508@forthnet.gr>

Justin,

"no arp" in config mode should work for static entries only.

--
Tassos

Justin Shore wrote on 12/8/2008 4:17:
> The argument for clear arp-cache is an interface or null.
>
> 6524-2.brd#clear arp-cache ?
>   interface  Clear the entire ARP cache on the interface
>
>
> Ruben was correct with 'no arp ' from global config mode on that
> platform with the ZU code.
>
> Justin
>
>
> Tassos Chatzithomaoglou wrote:
>> "clear arp-cache x.x.x.x" should work. Just keep in mind that after
>> doing this, the local router will send an arp request to this mac.
>> If it's still active, a reply is sent back and the local arp table will
>> be filled again (you can check the "Age" counter).
>>
>> --
>> Tassos
>

From sdanelli at gmail.com Tue Aug 12 10:39:01 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Tue, 12 Aug 2008 08:39:01 -0600
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
Message-ID:

Yes there is a "P" router in the middle. Why would the middle router be getting a binding if I am filtering from the source?

On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Sergio,
>
> is PE2 really adjacent to PE1? I don't think it is, there must be some
> LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing
> label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop
> label" as those networks are directly connected on PE1), not 18 or 20,
> as you've indicated below.
> I would assume it is 25.25.25.25, as this LDP neighbor sends
> advertisements to both PE1 and PE2.
>
> As every speaker allocates labels independently, you need to filter the
> LDP advertisements on *all* LDP speakers.
>
> oli
>
> Sergio D.
wrote on Monday, August 11, 2008 > 7:24 PM: > > > Oli, > > from a neighbor a hop away: > > > > PE2#show mpls ldp bindings 10.0.0.1 32 > > tib entry: 10.0.0.1/32, rev 10 > > local binding: tag: 17 > > remote binding: tsr: 25.25.25.25:0, tag: 20 > > PE2# > > > > prefix I want to filter: > > > > PE2#show mpls forwarding-table 150.0.0.1 > > Local Outgoing Prefix Bytes tag Outgoing Next Hop > > tag tag or VC or Tunnel Id switched interface > > 19 18 150.0.0.0/24 0 Se1/0 point2point > > > > thanks, > > > > > > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) > > wrote: > > > > > > Sergio, > > > > your config looks fine, so I don't know what's happening. Can > you > > show a "show mpls ldp bindings 10.0.0.1 32" on the LDP > neighbor(s) > > or a "show mpls forwarding interface " where is the > > neighbor's interface to PE1? > > No need to specify a "to " to select which neighbors you > want to > > advertise this to in your case. > > > > oli > > > > Sergio D. wrote on Monday, August > 11, > > 2008 4:52 PM: > > > > > > > thanks for the response. > > > I am using 12.3(22) and "no mpls ldp advertise-labels" turns > into > > "no > tag-switching advertise-tags" which I already have. > > > Oliver, > > > thanks for clearing up the assignment of the label, I guess > thats > > > fine as long as it doesn't get advertised which is what I am > trying > > > to avoid. I did try it without the deny at the end, and the > result > > > was the same. > > > Do I need an access-list listing my peers and apply that? > > > > > > TIA > > > > > > > > > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > > > > > > > > > pl%252Blist at pmacct.net > > > > > > wrote: > > > > > > > Hi Sergio, > > > > > > to add to what Oliver said that you maybe want to make > sure > > > you have in the configuration a "no mpls ldp > > advertise-labels" > line. 
Without that, even if you > configure > > a filter (which is > successfully matched as you shown), > > labels would still be > announced to adjacent LDP peers. > > > > > > Don't know if this could be your case; i did have to > make use > > > out of it to verify label filtering working on a 12.2SR > while > > > trying to minimize exposure of our labels in an > "Inter-AS" L2 > > > MPLS VPN scenario. > > > > > > > > > no mpls ldp advertise-labels > > > > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > > > [ ... ] > > > mpls label protocol ldp > > > ! > > > interface Loopback0 > > > ip address 192.168.100.4 255.255.255.255 > > > ! > > > ip access-list standard LDP-DEST > > > permit 192.168.100.4 > > > ip access-list standard LDP-PEER > > > permit 192.168.100.1 > > > ! > > > > > > Cheers, > > > Paolo > > > > > > > > > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. > wrote: > > > > Hello, > > > > I am trying to filter LDP label bindings to only > advertise > > my > loopback > address(for vpnv4 traffic) but I am unsure > as > > to what the > > > requirements are. > Here is what I have: > > > > PE1#show ip route connected | in ^C > > > > C 1.1.1.0 is directly connected, Serial1/0 > > > > C 10.0.0.1 is directly connected, Loopback0 > > > > C 150.0.0.0 is directly connected, > FastEthernet0/1 > > > > > > > > PE1#sh run | in tag > > > > no tag-switching advertise-tags > > > > tag-switching advertise-tags for ldp-filter > > > > > > > > PE1#show access-lists ldp-filter > > > > Standard IP access list ldp-filter > > > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 > matches) > > > > 999 deny any (7 matches) > > > > > > > > matches? 
> > > > > > > > but still generates a binding for all my connected > > interfaces: > > > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > > > tib entry: 150.0.0.0/24, rev 2 > > > > local binding: tag: imp-null > > > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > > > PE1# > > > > > > > > And the other side tags it with a label: > > > > > > > > PE2#traceroute 150.0.0.1 > > > > > > > > Type escape sequence to abort. > > > > Tracing the route to 150.0.0.1 > > > > > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 > msec > > > > 2 1.1.1.1 24 msec 52 msec * > > > > > > > > TIA, > > > > > > > > -- > > > > Sergio Danelli > > > > > > > > > > > > > > > > > > -- > > > Sergio Danelli > > > > > > > > > > > > -- > > Sergio > -- Sergio

From oboehmer at cisco.com Tue Aug 12 10:54:14 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 12 Aug 2008 16:54:14 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To:
References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com>

because this is how LDP works in frame-based MPLS networks. Every LDP speaker independently allocates and distributes labels, so the P node also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no matter if the upstream neighbor (PE1) sent one or not.

oli

Sergio D. wrote on Tuesday, August 12, 2008 4:39 PM:

> Yes there is a "P" router in the middle. Why would the middle router
> be getting a binding if I am filtering from the source?
>
>
> On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer)
> wrote:
>
>
> Sergio,
>
> is PE2 really adjacent to PE1? I don't think it is, there must be
> some LDP speaker in the middle.
If PE2 was adjacent to PE1, the > outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null > (aka "pop label" as those networks are directly connected on PE1), > not 18 or 20, as you've indicated below. > I would assume it is 25.25.25.25, as this LDP neighbor sends > advertisements to both PE1 and PE2. > > As every speaker allocates labels independently, you need to filter > the LDP advertisements on *all* LDP speakers. > > > oli > > Sergio D. wrote on Monday, August 11, > 2008 > > 7:24 PM: > > > > Oli, > > from a neighbor a hop away: > > > > PE2#show mpls ldp bindings 10.0.0.1 32 > > tib entry: 10.0.0.1/32, rev 10 > > local binding: tag: 17 > > remote binding: tsr: 25.25.25.25:0, tag: 20 > > PE2# > > > > prefix I want to filter: > > > > PE2#show mpls forwarding-table 150.0.0.1 > > Local Outgoing Prefix Bytes tag Outgoing Next Hop > > tag tag or VC or Tunnel Id switched interface > > 19 18 150.0.0.0/24 0 Se1/0 > point2point > > > thanks, > > > > > > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) > > wrote: > > > > > > Sergio, > > > > your config looks fine, so I don't know what's happening. Can > you > > show a "show mpls ldp bindings 10.0.0.1 32" on the LDP > neighbor(s) > > or a "show mpls forwarding interface " where is > the > neighbor's interface to PE1? > > No need to specify a "to " to select which neighbors you > want to > > advertise this to in your case. > > > > oli > > > > Sergio D. wrote on Monday, August > 11, > > 2008 4:52 PM: > > > > > > > thanks for the response. > > > I am using 12.3(22) and "no mpls ldp advertise-labels" > turns into > > "no > tag-switching advertise-tags" which I already have. > > > Oliver, > > > thanks for clearing up the assignment of the label, I guess > thats > > > fine as long as it doesn't get advertised which is what I > am trying > > > to avoid. I did try it without the deny at the end, and the > result > > > was the same. > > > Do I need an access-list listing my peers and apply that? 
> > > > > > TIA > > > > > > > > > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > > > > > > > > > > > > > > > > > wrote: > > > > > > > Hi Sergio, > > > > > > to add to what Oliver said that you maybe want to > make sure > > > you have in the configuration a "no mpls ldp > > advertise-labels" > line. Without that, even if you > configure > > a filter (which is > successfully matched as you > shown), > labels would still be > announced to adjacent > LDP peers. > > > > > Don't know if this could be your case; i did have to > make use > > > out of it to verify label filtering working on a > 12.2SR while > > > trying to minimize exposure of our labels in an > "Inter-AS" L2 > > > MPLS VPN scenario. > > > > > > > > > no mpls ldp advertise-labels > > > > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER > > > [ ... ] > > > mpls label protocol ldp > > > ! > > > interface Loopback0 > > > ip address 192.168.100.4 255.255.255.255 > > > ! > > > ip access-list standard LDP-DEST > > > permit 192.168.100.4 > > > ip access-list standard LDP-PEER > > > permit 192.168.100.1 > > > ! > > > > > > Cheers, > > > Paolo > > > > > > > > > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. > wrote: > > > > Hello, > > > > I am trying to filter LDP label bindings to only > advertise > > my > loopback > address(for vpnv4 traffic) but I am > unsure as > > to what the > > > requirements are. > Here is what I have: > > > > PE1#show ip route connected | in ^C > > > > C 1.1.1.0 is directly connected, Serial1/0 > > > > C 10.0.0.1 is directly connected, Loopback0 > > > > C 150.0.0.0 is directly connected, > FastEthernet0/1 > > > > > > > > PE1#sh run | in tag > > > > no tag-switching advertise-tags > > > > tag-switching advertise-tags for ldp-filter > > > > > > > > PE1#show access-lists ldp-filter > > > > Standard IP access list ldp-filter > > > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 > matches) > > > > 999 deny any (7 matches) > > > > > > > > matches? 
> > > > > > > > but still generates a binding for all my connected > > interfaces: > > > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > > > tib entry: 150.0.0.0/24, rev 2 > > > > local binding: tag: imp-null > > > > remote binding: tsr: 25.25.25.25:0, tag: 18 > > > > PE1# > > > > > > > > And the other side tags it with a label: > > > > > > > > PE2#traceroute 150.0.0.1 > > > > > > > > Type escape sequence to abort. > > > > Tracing the route to 150.0.0.1 > > > > > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec > 24 msec > > > > 2 1.1.1.1 24 msec 52 msec * > > > > > > > > TIA, > > > > > > > > -- > > > > Sergio Danelli > > > > > > > > > > > > > > > > > > -- > > > Sergio Danelli > > > > > > > > > > > > -- > > Sergio > > > > > > -- > Sergio From kristian at spritelink.net Tue Aug 12 10:39:10 2008 From: kristian at spritelink.net (Kristian Larsson) Date: Tue, 12 Aug 2008 16:39:10 +0200 Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1> References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1> Message-ID: <20080812143910.GA16628@spritelink.se> On Fri, Jul 04, 2008 at 10:25:56AM -0400, Vinny Abello wrote: > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson > > Sent: Friday, July 04, 2008 1:42 AM > > To: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] IPv6 Migration with ISIS (was Route Reflector > > Design) > > > > On Thu, 3 Jul 2008, Vinny Abello wrote: > > > > > While on this topic, if anyone has figured out a non-disruptive > > strategy > > > to deploying IPv6 in a core with a mix of Cisco and Foundry routers > > > running ISIS, any pointers would be appreciated. 
Foundry currently
> >
> > We had multitopology problems between platforms/vendors as well, we ended
> > up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for
> > IPv4/VPNv4), this gave us a completely different control plane for IPv6
> > and pretty much guaranteed to be non-intrusive to devices not running IPv6
> > or needing the information.
> >
> > Multitopology ISIS is a great idea and I would really like to run it, but
> > it just didn't work with our mix of platforms and vendors.
>
> Thanks Mikael. I hadn't considered running OSPFv3 for IPv6. I'll have to
> see if that is a viable possibility in our network. Did you run into any
> challenges in doing this such as administrative distances of the routing
> protocols and things defaulting to using IPv6 instead of IPv4 or other
> unexpected results? In theory if you're only doing the IPv6 address
> family, I wouldn't expect any problems, but firsthand experience is
> always better than theory. :) By the way, what other vendor's or vendors'
> equipment were you working with besides Cisco where you had the same
> ISIS multi-topology challenges?

Apologies for a tad late answer, I don't read my nanog box too often...

I was the one implementing this, so I thought I'd give you a few answers.

We run RedBack SmartEdge boxes with a variety of software, some supposedly supporting IPv6, others not at all. What happened with these boxes was that they threw away ISIS LSPs which contained one or more v6 TLVs, with the result that any IPv4 information in that LSP was also thrown away. From what I've heard this was the correct behaviour according to some early ISIS standard, though I cannot find any mention of it in the current standards.

OSPFv3 is working very well. We are using basically the same metric system as for ISIS IPv4, which makes administration quite easy.
I say basically, for we have a few places where we use an ISIS metric of > 65k, and as OSPFv3 only supports 16-bit link metrics while ISIS supports 24-bit, this becomes a slight annoyance.

"things defaulting to using ipv6 instead of ipv4".. this sounds more like a host-side symptom and not one dependent upon your choice of IGP.

I expect to migrate our network to MT ISIS after resolving all our issues with RedBack. The higher administrative distance of ISIS allows us to enable ISIS MT all over our network and run both OSPFv3 and ISIS MT for IPv6 with no impact. We would have plenty of time to compare the ISIS database with the OSPFv3 one to make sure everything looks good, and then we can simply shut down OSPFv3 and let ISIS take over.

If you want some more in-depth answers we can prolly take it off-list.

Kind regards,
  Kristian.

--
Kristian Larsson                                        KLL-RIPE
Network Engineer / Internet Core
Tele2 / SWIPnet [AS1257]
+46 704 910401                                kll at spritelink.net

From cgriffin at ufl.edu Tue Aug 12 11:32:42 2008
From: cgriffin at ufl.edu (Chris Griffin)
Date: Tue, 12 Aug 2008 11:32:42 -0400
Subject: [c-nsp] SRC2?
Message-ID: <1218555162.2004.15.camel@empacher.cns.ufl.edu>

Anyone know when 12.2(33)SRC2 is supposed to be released, specifically for the 7600? I had heard by the end of July, but so far no release.

Thanks

--
Chris Griffin                        cgriffin at ufl.edu
Sr. Network Engineer - CCNP          Phone: (352) 273-1051
CNS - Network Services               Fax:   (352) 392-9440
University of Florida/FLR            Gainesville, FL 32611

From sdanelli at gmail.com Tue Aug 12 11:52:33 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Tue, 12 Aug 2008 09:52:33 -0600 Subject: [c-nsp] filter LDP bindings In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com> References: <20080811082407.GA8243@london.pmacct.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4E77@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4F78@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC526F@xmb-ams-333.emea.cisco.com> Message-ID: I see that makes sense. I will give it a shot. thanks for your help. On Tue, Aug 12, 2008 at 8:54 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > because this is how LDP works in frame-based MPLS networks. Every LDP > speakers independently allocates and distributes labels, so the P node > also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no > matter if the upstream neighbor (PE1) sent one or not.. > > oli > > Sergio D. wrote on Tuesday, August 12, 2008 > 4:39 PM: > > > Yes there is a "P" router in the middle. Why would the middle router > > be getting a binding if I am filtering from the source? > > > > > > On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) > > wrote: > > > > > > Sergio, > > > > is PE2 really adjacent to PE1? I don't think it is, there must > be > > some LDP speaker in the middle. If PE2 was adjacent to PE1, the > > outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be > imp-null > > (aka "pop label" as those networks are directly connected on > PE1), > > not 18 or 20, as you've indicated below. > > I would assume it is 25.25.25.25, as this LDP neighbor sends > > advertisements to both PE1 and PE2. > > > > As every speaker allocates labels independently, you need to > filter > > the LDP advertisements on *all* LDP speakers. > > > > > > oli > > > > Sergio D. 
wrote on Monday, August > 11, > > 2008 > > > > 7:24 PM: > > > > > > > Oli, > > > from a neighbor a hop away: > > > > > > PE2#show mpls ldp bindings 10.0.0.1 32 > > > tib entry: 10.0.0.1/32, rev 10 > > > local binding: tag: 17 > > > remote binding: tsr: 25.25.25.25:0, tag: 20 > > > PE2# > > > > > > prefix I want to filter: > > > > > > PE2#show mpls forwarding-table 150.0.0.1 > > > Local Outgoing Prefix Bytes tag Outgoing > Next Hop > > > tag tag or VC or Tunnel Id switched interface > > > 19 18 150.0.0.0/24 0 Se1/0 > > point2point > > > > thanks, > > > > > > > > > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer) > > > wrote: > > > > > > > > > Sergio, > > > > > > your config looks fine, so I don't know what's > happening. Can > > you > > > show a "show mpls ldp bindings 10.0.0.1 32" on the LDP > > neighbor(s) > > > or a "show mpls forwarding interface " where > is > > the > neighbor's interface to PE1? > > > No need to specify a "to " to select which > neighbors you > > want to > > > advertise this to in your case. > > > > > > oli > > > > > > Sergio D. wrote on Monday, > August > > 11, > > > 2008 4:52 PM: > > > > > > > > > > thanks for the response. > > > > I am using 12.3(22) and "no mpls ldp advertise-labels" > > turns into > > > "no > tag-switching advertise-tags" which I already > have. > > > > Oliver, > > > > thanks for clearing up the assignment of the label, I > guess > > thats > > > > fine as long as it doesn't get advertised which is > what I > > am trying > > > > to avoid. I did try it without the deny at the end, > and the > > result > > > > was the same. > > > > Do I need an access-list listing my peers and apply > that? 
> > > > > > > > TIA > > > > > > > > > > > > > > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente > > pl%2Blist at pmacct.net > > > > pl%252Blist at pmacct.net > > > > > > > > > > > > > > pl%252Blist at pmacct.net > > > > > > > > > > > > > wrote: > > > > > > > > > Hi Sergio, > > > > > > > > to add to what Oliver said that you maybe want > to > > make sure > > > > you have in the configuration a "no mpls ldp > > > advertise-labels" > line. Without that, even if > you > > configure > > > a filter (which is > successfully matched as you > > shown), > labels would still be > announced to > adjacent > > LDP peers. > > > > > > Don't know if this could be your case; i did > have to > > make use > > > > out of it to verify label filtering working on a > > 12.2SR while > > > > trying to minimize exposure of our labels in an > > "Inter-AS" L2 > > > > MPLS VPN scenario. > > > > > > > > > > > > no mpls ldp advertise-labels > > > > > > > > mpls ldp advertise-labels for LDP-DEST to > LDP-PEER > > > > [ ... ] > > > > mpls label protocol ldp > > > > ! > > > > interface Loopback0 > > > > ip address 192.168.100.4 255.255.255.255 > > > > ! > > > > ip access-list standard LDP-DEST > > > > permit 192.168.100.4 > > > > ip access-list standard LDP-PEER > > > > permit 192.168.100.1 > > > > ! > > > > > > > > Cheers, > > > > Paolo > > > > > > > > > > > > > > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio > D. > > wrote: > > > > > Hello, > > > > > I am trying to filter LDP label bindings to > only > > advertise > > > my > loopback > address(for vpnv4 traffic) but I > am > > unsure as > > > to what the > > > > requirements are. 
> Here is what I have: > > > > > PE1#show ip route connected | in ^C > > > > > C 1.1.1.0 is directly connected, > Serial1/0 > > > > > C 10.0.0.1 is directly connected, > Loopback0 > > > > > C 150.0.0.0 is directly connected, > > FastEthernet0/1 > > > > > > > > > > PE1#sh run | in tag > > > > > no tag-switching advertise-tags > > > > > tag-switching advertise-tags for ldp-filter > > > > > > > > > > PE1#show access-lists ldp-filter > > > > > Standard IP access list ldp-filter > > > > > 10 permit 10.0.0.0, wildcard bits > 0.0.0.255 (6 > > matches) > > > > > 999 deny any (7 matches) > > > > > > > > > > matches? > > > > > > > > > > but still generates a binding for all my > connected > > > interfaces: > > > > > > > PE1#show mpls ldp bindings 150.0.0.0 24 > > > > > tib entry: 150.0.0.0/24, rev 2 > > > > > local binding: tag: imp-null > > > > > remote binding: tsr: 25.25.25.25:0, > tag: 18 > > > > > PE1# > > > > > > > > > > And the other side tags it with a label: > > > > > > > > > > PE2#traceroute 150.0.0.1 > > > > > > > > > > Type escape sequence to abort. > > > > > Tracing the route to 150.0.0.1 > > > > > > > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 > msec > > 24 msec > > > > > 2 1.1.1.1 24 msec 52 msec * > > > > > > > > > > TIA, > > > > > > > > > > -- > > > > > Sergio Danelli > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Sergio Danelli > > > > > > > > > > > > > > > > > > -- > > > Sergio > > > > > > > > > > > > -- > > Sergio > -- Sergio From cchurc05 at harris.com Tue Aug 12 12:02:12 2008 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 12 Aug 2008 11:02:12 -0500 Subject: [c-nsp] Release notes for ISR ROMMON In-Reply-To: <200DE36ECF294B43891F0F70908C62F1ACD704F7@mspe2k1.cs.myharris.net> References: <200DE36ECF294B43891F0F70908C62F1ACD704F7@mspe2k1.cs.myharris.net> Message-ID: Anyone? 
-----Original Message-----
From: Church, Charles
Sent: Saturday, August 09, 2008 4:51 PM
To: cisco-nsp at puck.nether.net
Subject: Release notes for ISR ROMMON

Anyone know where to find the release notes for the various ROMMON versions for the 2800 and 3800 routers? Noticed 'DRAM access optimization' as a benefit of the latest 2800 ROMMON, and I recently worked on a problem with a 3845 giving console messages like this:

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Rommon primary and backup variables are invalid...
Warning: monitor nvram area is corrupt ... using default values
amd_flash_cmd: timeout on erase sector command
environment checksum failed
amd_flash_cmd: timeout on erase sector command
environment write to NVRAM failed
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23
ROM Monitor Can Not Recover From Exception
A Board ?

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Storing backup rommon variables...
amd_flash_cmd: timeout on erase sector command
amd_flash_cmd: timeout on erase sector command
environment checksum failed
Total memory size = 512 MB - DIMM0 = 512 MB, DIMM1 = 0 MB
c3845 platform with 524288 Kbytes of main memory
Main memory is configured to 72/0(dimm 0/1) bit mode with ECC enabled

Readonly ROMMON initialized
amd_flash_cmd: timeout on erase sector command
*** Emulating mis-aligned store at 0x9fc1d9af PC = 0x9fc1da34 ... failed, opcode = 0x23

I've got a feeling it's really bad hardware, but I usually want to exhaust all the possible bugs before calling TAC. Since it specifically mentions ROMMON variables in the output, I figured it was at least related. The DRAM access optimization thing just sounds interesting.
Searched the web site for a good 20 minutes, no luck.

Thanks,

Chuck

From david.freedman at uk.clara.net Tue Aug 12 12:37:46 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 12 Aug 2008 17:37:46 +0100
Subject: [c-nsp] Console access via cell phone
In-Reply-To:
References:
Message-ID:

Why not buy a cisco 1841 with 3G/2.5G HWIC?
(http://www.cisco.com/en/US/products/ps7272/index.html)

Put in a SIM from a provider where you can get a public IP, or have the 1841 tunnel out to you (via ipsec ez vpn client eg) to a place from which you can access it.

Dave.


Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?
>
> Regards,
>
> Rens
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From luan at t3technology.com Tue Aug 12 12:57:58 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Tue, 12 Aug 2008 12:57:58 -0400
Subject: [c-nsp] Console access via cell phone
In-Reply-To:
References:
Message-ID: <023701c8fc9c$92ffbb30$b8ff3190$@com>

This is interesting...

ONEBOX_Spoke3#show cellular 0/1/0 profile
Electronic Serial Number (ESN) =
Modem activated = YES

Account Information:
======================
Activation Date:
Phone Number (MDN) :
Mobile Station Identifier (MSID) :

So if you configure the dialer interface to accept incoming calls via the MDN, you could basically use it (EVDO is what I have now) as console access while it serves as backup to the primary connection? Does anyone have a configuration for this set up?

Thanks.

-Luan

P.S. Maybe you were just talking about this:
http://www.bb-elec.com/tech_articles/digi/appguide_connectwan_consolemgmt.pdf ?
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Tuesday, August 12, 2008 12:38 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Console access via cell phone

Why not buy a cisco 1841 with 3G/2.5G HWIC?
(http://www.cisco.com/en/US/products/ps7272/index.html)

Put in a SIM from a provider where you can get a public IP or have the 1841 tunnel out to you (via ipsec ez vpn client eg) to a place you can access it via.

Dave.


Rens wrote:
> Hi,
>
> Is there any device that you can connect to the console port of a switch
> that you can put a SIM card in?
>
> So you can just dial to that number and have console access on the switch?
>
> Regards,
>
> Rens
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From kevin at gannons.net Tue Aug 12 13:53:16 2008
From: kevin at gannons.net (kevin gannon)
Date: Tue, 12 Aug 2008 18:53:16 +0100
Subject: [c-nsp] Console access via cell phone
In-Reply-To: <023701c8fc9c$92ffbb30$b8ff3190$@com>
References: <023701c8fc9c$92ffbb30$b8ff3190$@com>
Message-ID: <17eef0950808121053q2d79d4fctd28c009897ebd0e9@mail.gmail.com>

Inbound calls are not supported on the 3G WIC, at least the last time I checked with TAC.

Regards
Kevin

On Tue, Aug 12, 2008 at 5:57 PM, Luan M Nguyen wrote:
> This is interesting...
> ONEBOX_Spoke3#show cellular 0/1/0 profile > Electronic Serial Number (ESN) = > Modem activated = YES > > Account Information: > ====================== > Activation Date: > Phone Number (MDN) : > Mobile Station Identifier (MSID) : > > So if you configure the dialer interface to accept incoming call via the > MDN, you could basically use it (EVDO is what I have now) as console access > while it serves as backup to primary connection? Anyone has configuration > for this set up? > > Thanks. > > -Luan > > P.S Maybe you were just talking about this > http://www.bb-elec.com/tech_articles/digi/appguide_connectwan_consolemgmt.pd > f ? > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman > Sent: Tuesday, August 12, 2008 12:38 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Console access via cell phone > > Why not buy a cisco 1841 with 3G/2.5G HWIC? > (http://www.cisco.com/en/US/products/ps7272/index.html) > > Put in a SIM from a provider where you can get a public IP or have the > 1841 tunnel out to you (via ipsec ez vpn client eg) to a place you can > access it via. > > Dave. > > > Rens wrote: >> Hi, >> >> >> >> Is there any device that you can connect to the console port of a switch >> that you can put a SIM card in? >> >> >> >> So you can just dial to that number and have console access on the switch? 
>> >> >> >> Regards, >> >> >> >> Rens >> >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From cchurc05 at harris.com Tue Aug 12 14:30:02 2008 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 12 Aug 2008 13:30:02 -0500 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP Message-ID: Does anyone know if it's possible to use XMODEM from a 6500 Sup2's SP ROMMON to copy a native mode image (assume 12.2SX) and boot it successfully? I know it would take forever, just trying to update some documentation. All the docs on CCO seem to indicate that it can be used to copy a CatOS image and boot it. Just wondering if it's possible. Don't have a local 6500 to test it on. Thanks, Chuck From mcgrath at fas.harvard.edu Tue Aug 12 14:58:34 2008 From: mcgrath at fas.harvard.edu (Scott McGrath) Date: Tue, 12 Aug 2008 14:58:34 -0400 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: References: Message-ID: <48A1DD5A.9050201@fas.harvard.edu> Use a PCMCIA to CF adapter and load the image using your PC - we used these extensively and they worked well and were much cheaper than the flash cards plus with a laptop we could copy directly onto the CF no need for XMODEM/TFTP Church, Charles wrote: > Does anyone know if it's possible to use XMODEM from a 6500 Sup2's SP > ROMMON to copy a native mode image (assume 12.2SX) and boot it > successfully? 
I know it would take forever, just trying to update some > documentation. All the docs on CCO seem to indicate that it can be used > to copy a CatOS image and boot it. Just wondering if it's possible. > Don't have a local 6500 to test it on. > > Thanks, > > Chuck > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gtb at slac.stanford.edu Tue Aug 12 15:53:09 2008 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Tue, 12 Aug 2008 12:53:09 -0700 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: <48A1DD5A.9050201@fas.harvard.edu> References: <48A1DD5A.9050201@fas.harvard.edu> Message-ID: > Use a PCMCIA to CF adapter and load the image using your PC My vague recollection is that you needed at least a later ROMMON (7.1(1)?) in your SUP2 for ATA disk support for either the disk flash card, or the CF/adapter(*). If you had an early ROMMON image, you could only use linear flash, which would probably mean XMODEM to load to the linear flash, since it was harder to find (driver) support for linear flashes. My solution was to always upgrade the ROMMON as the first step of receiving a new or RMA'd SUP2 so that I could use a flash disk or CF/adapter later (since as stated, it is *so* much easier to use a PC to load the code than even attempt XMODEM). Gary (*) Do not depend on my memory of ROMMON versions, the Cisco web site with release notes is your friend. From cchurc05 at harris.com Tue Aug 12 16:21:50 2008 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 12 Aug 2008 15:21:50 -0500 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: References: <48A1DD5A.9050201@fas.harvard.edu> Message-ID: Yep, I'm familiar with the Sup2 and the 64MB ATA card. We're neck deep in converting our 1400 hybrid ones to native. 
I'm just trying to write a doc that assumes a tech in a remote location only has a laptop with a serial port, the correct IOS image on his/her laptop, and a sup2 with a totally blank ATA card (not even a MONLIB on it). Or perhaps no ATA card, and is using a 12.1E native image that'll fit on the 32MB internal card. Honestly, just wondering if from Sup2 SP ROMMON: ---------------------------------------- rommon 15 > xmodem -cs 38400 Do you wish to continue? (y/n) [n]: y Console port and Modem must operate at same baud rate. Use console & modem at 38400 bps for download ? (y/n) [n]: y Ready to receive file ...Will wait for a minute ------------------------------------------- .... will work if I upload a 52 MB 12.2SX image via XMODEM, or if it'll blow up. Thanks again, Chuck -----Original Message----- From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu] Sent: Tuesday, August 12, 2008 3:53 PM To: Scott McGrath; Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] XMODEM a native image to a 6500 Sup2 SP > Use a PCMCIA to CF adapter and load the image using your PC My vague recollection is that you needed at least a later ROMMON (7.1(1)?) in your SUP2 for ATA disk support for either the disk flash card, or the CF/adapter(*). If you had an early ROMMON image, you could only use linear flash, which would probably mean XMODEM to load to the linear flash, since it was harder to find (driver) support for linear flashes. My solution was to always upgrade the ROMMON as the first step of receiving a new or RMA'd SUP2 so that I could use a flash disk or CF/adapter later (since as stated, it is *so* much easier to use a PC to load the code than even attempt XMODEM). Gary (*) Do not depend on my memory of ROMMON versions, the Cisco web site with release notes is your friend. From rubensk at gmail.com Tue Aug 12 16:38:22 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) 
Date: Tue, 12 Aug 2008 17:38:22 -0300 Subject: [c-nsp] ME6500 In-Reply-To: <48A19048.9000508@forthnet.gr> References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com> <48A19048.9000508@forthnet.gr> Message-ID: <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com> There were some platforms like the 7500 where "no arp" in config mode did work for dynamic ARP entries. As I said, I haven't tested it on the ME6524, neither with SVIs or routed interfaces, neither with ZU2 or SXH IOS. An ARP entry associated with DHCP Snooping / Dynamic ARP Inspection / IP Source Guard may also show a different behavior than a pure dynamic ARP entry. Rubens 2008/8/12 Tassos Chatzithomaoglou : > > Justin, "no arp" in config mode should work for static entries only. > > -- > Tassos > > Justin Shore wrote on 12/8/2008 4:17 ??: >> >> The argument for clear arp-cache is an interface or null. >> >> 6524-2.brd#clear arp-cache ? >> interface Clear the entire ARP cache on the interface >> >> >> Ruben was correct with 'no arp ' from global config mode on that >> platform with the ZU code. >> >> Justin >> >> >> Tassos Chatzithomaoglou wrote: >>> >>> "clear arp-cache x.x.x.x" should work. Just keep in mind that after doing >>> this, the local router will send an arp request to this mac. If it's still >>> active, a reply is sent back and the local arp table will be filled again >>> (you can check the "Age" counter). 
>>> >>> -- >>> Tassos >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mack at exchange.alphared.com Tue Aug 12 20:26:33 2008 From: mack at exchange.alphared.com (mack) Date: Tue, 12 Aug 2008 19:26:33 -0500 Subject: [c-nsp] Support for SIP-600 Message-ID: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> Can anyone verify if SXH and successors support the SIP-600 and corresponding 2xOC48 and 4xOC48 cards on the 6500 chassis. They are not listed in the release notes but the SIP-600 at least was supported in the SXF train with the 1xOC192 on the 6500 chassis. I hate changing chassis but it doesn't look like there is much alternative. -- LR Mack McBride Network Administrator Alpha Red, Inc. From dcp at dcptech.com Tue Aug 12 20:39:28 2008 From: dcp at dcptech.com (David Prall) Date: Tue, 12 Aug 2008 20:39:28 -0400 Subject: [c-nsp] Support for SIP-600 In-Reply-To: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> References: <6F2FFD7C10F788479E354B84294036C430ABB953@EXCH-MBX.exchange.alphared.local> Message-ID: <00da01c8fcdd$242e1170$1bfe200a@cisco.com> The SIP-600 is not supported by SXH. I believe SXI will support it again (don't have access to the secret decoder currently to confirm), but that is about a month out. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mack > Sent: Tuesday, August 12, 2008 8:27 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Support for SIP-600 > > Can anyone verify if SXH and successors support the SIP-600 and > corresponding 2xOC48 and 4xOC48 cards on the 6500 chassis. 
> > They are not listed in the release notes but the SIP-600 at least > was supported in the SXF train with the 1xOC192 on the 6500 chassis. > > I hate changing chassis but it doesn't look like there is > much alternative. > > > -- > LR Mack McBride > Network Administrator > Alpha Red, Inc. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Tue Aug 12 21:01:51 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 12 Aug 2008 20:01:51 -0500 Subject: [c-nsp] 1252ag backwards compatibility Message-ID: Hello, I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell me if you have 802.11g clients and some 802.11n clients all on 2.4ghz, do the 802.11n clients run at 802.11n and the 802.11g clients run at 802.11g? Or does everything run at 802.11g? Thanks, Dan. From rubensk at gmail.com Tue Aug 12 21:55:56 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Tue, 12 Aug 2008 22:55:56 -0300 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) Message-ID: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> Robert, Updating this modular x monolithic thread to SXI, what's the current plan for SXI, modular only or both modular and non-modular ? Rubens On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe wrote: > SXH was originally planned to be modular only, but a non-modular image was > released. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers > Sent: Tuesday, October 02, 2007 10:48 AM > To: Gert Doering > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SXH on 6500 > > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote: >> Hi, >> >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote: >> > You are aware that SXH is only available in modular? 
>> >> That's news to me and my routers :) >> >> -rw-r--r-- 1 gert daemon 77939716 11 Sep 10:26 > s72033-advipservicesk9_wan-mz.122-33.SXH.bin >> -rw-r--r-- 1 gert netmaster 123923108 20 Aug 23:32 > s72033-advipservicesk9_wan-vz.122-33.SXH.bin >> >> gert > > You're correct of course. How odd - I'm looking at a pretty recent .ppt > from Cisco claiming SXH would be modular-only. I guess they blinked. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dcp at dcptech.com Tue Aug 12 22:11:59 2008 From: dcp at dcptech.com (David Prall) Date: Tue, 12 Aug 2008 22:11:59 -0400 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) In-Reply-To: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> Message-ID: <00e601c8fcea$104fef40$1bfe200a@cisco.com> Both will remain for SX releases as far as I know. Eventually only modular will be available, but that is still a while out. I believe once we start seeing Safe Harbor Modular releases we will be closer to that happening. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Rubens Kuhl Jr. > Sent: Tuesday, August 12, 2008 9:56 PM > To: rocrowe at cisco.com > Cc: Cisco-nsp > Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500) > > Robert, > > Updating this modular x monolithic thread to SXI, what's the current > plan for SXI, modular only or both modular and non-modular ? 
> > > Rubens > > > On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe > wrote: > > SXH was originally planned to be modular only, but a > non-modular image was > > released. > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers > > Sent: Tuesday, October 02, 2007 10:48 AM > > To: Gert Doering > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] SXH on 6500 > > > > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote: > >> Hi, > >> > >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote: > >> > You are aware that SXH is only available in modular? > >> > >> That's news to me and my routers :) > >> > >> -rw-r--r-- 1 gert daemon 77939716 11 Sep 10:26 > > s72033-advipservicesk9_wan-mz.122-33.SXH.bin > >> -rw-r--r-- 1 gert netmaster 123923108 20 Aug 23:32 > > s72033-advipservicesk9_wan-vz.122-33.SXH.bin > >> > >> gert > > > > You're correct of course. How odd - I'm looking at a pretty > recent .ppt > > from Cisco claiming SXH would be modular-only. I guess they blinked. 
> > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mack at exchange.alphared.com Tue Aug 12 23:10:28 2008 From: mack at exchange.alphared.com (mack) Date: Tue, 12 Aug 2008 22:10:28 -0500 Subject: [c-nsp] OSM-2OC48/1DTP-SI Message-ID: <6F2FFD7C10F788479E354B84294036C430ABB95C@EXCH-MBX.exchange.alphared.local> Does anyone have compatibility info and actual route handling capability for the OSM-2OC48/1DTP-SI card? http://www.cisco.com/en/US/products/hw/modules/ps2831/products_data_sheet09186a0080088774.html The platform is a 6509 with Sup720-3BXL It looks like the card with 256MB should support a good number of routes. How many will it actually support? Another question is what mode with a Sup720-3BXL will run in when configured with this module? It looks like it will support a full 5Gig on the two POS ports. Can someone verify that? -- LR Mack McBride Network Administrator Alpha Red, Inc. 
From mjsaarin at cc.helsinki.fi Wed Aug 13 01:10:29 2008 From: mjsaarin at cc.helsinki.fi (Matti Saarinen) Date: Wed, 13 Aug 2008 08:10:29 +0300 Subject: [c-nsp] XMODEM a native image to a 6500 Sup2 SP In-Reply-To: (Charles Church's message of "Tue, 12 Aug 2008 15:21:50 -0500") References: <48A1DD5A.9050201@fas.harvard.edu> Message-ID: "Church, Charles" wrote: > Honestly, just wondering if from Sup2 SP ROMMON: > ---------------------------------------- > rommon 15 > xmodem -cs 38400 > [...] > .... will work if I upload a 52 MB 12.2SX image via XMODEM, or if it'll > blow up. I have done it, although I didn't use any higher speed than 9600 and the IOS was some 12.1E native image. But yes, it was possible and it took ages. Probably, it'll also work with larger IOS images than what 12.1E ones used to be. The image was not loaded to bootflash/PCMCIA/CF but to memory or such from which the boot loader read and booted the box with it. Cheers, -- - Matti - From adrian.minta at gmail.com Wed Aug 13 01:24:26 2008 From: adrian.minta at gmail.com (Adrian M) Date: Wed, 13 Aug 2008 08:24:26 +0300 Subject: [c-nsp] ME6500 In-Reply-To: <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com> References: <14e72ec90808120428u13851a08j5d032c7cf7b4673e@mail.gmail.com> <6bb5f5b10808120441r1d2cbffg8b80cc077c70f62e@mail.gmail.com> <14e72ec90808120453u710d567cl644d54415a891da7@mail.gmail.com> <48A18530.4070101@forthnet.gr> <48A18D5D.3030003@justinshore.com> <48A19048.9000508@forthnet.gr> <6bb5f5b10808121338p226cc10g2e97aea717301018@mail.gmail.com> Message-ID: <14e72ec90808122224m271db890uc7d6b6f2c4627e88@mail.gmail.com> Thank you all ! Last night I did an upgrade to s6523-advipservicesk9-mz.122-33.SXH3 and now I have "clear ip arp x.x.x.x" switch#clear ip arp ? 
A.B.C.D IP address of dynamic ARP entry inspection Clear State of ARP Inspection From chpreddi at gmail.com Wed Aug 13 02:21:38 2008 From: chpreddi at gmail.com (Pratap Reddy) Date: Wed, 13 Aug 2008 16:21:38 +1000 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers Message-ID: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> Hi, I have a query regarding implementation of 4 Byte AS on Cisco routers. Has anyone implemented/tested 4 byte AS on Cisco routers? Cheers. Pratap. From ddunkin at netos.net Wed Aug 13 03:10:26 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Wed, 13 Aug 2008 00:10:26 -0700 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> It would appear support is still very limited. I still have not seen this pop up in the feature navigator by any recognizable name. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy Sent: Tuesday, August 12, 2008 23:22 To: cisco-nsp at puck.nether.net Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers Hi, I have a query regarding implementation of 4 Byte AS on Cisco routers. Has anyone implemented/tested 4 byte AS on Cisco routers? Cheers. Pratap. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From hank at efes.iucc.ac.il Wed Aug 13 03:28:16 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Wed, 13 Aug 2008 10:28:16 +0300 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com > References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> Message-ID: <5.1.0.14.2.20080813102409.00afd328@efes.iucc.ac.il> At 12:10 AM 13-08-08 -0700, Darryl Dunkin wrote: There are a few already using it: http://www.cidr-report.org/cgi-bin/as-report?as=2.4&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=5.1&view=2.0 Just do a BGP search for AS23456: aut-num: AS23456 as-name: RESERVED-AS descr: assigned by IANA http://www.iana.org/assignments/as-numbers descr: see http://www.ietf.org/internet-drafts/draft-ietf-idr-as4bytes-13.txt org: ORG-IANA1-RIPE admin-c: RFC1918-RIPE tech-c: RFC1918-RIPE mnt-by: RIPE-NCC-HM-MNT changed: bit-bucket at ripe.net 20070328 source: RIPE gp1#sho ip bgp reg 23456 BGP table version is 8664272, local router ID is 128.139.220.90 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *>i169.222.0.0/24 xxx.139.220.91 0 100 0 20965 1299 6939 6939 7091 715 23456 i *>i192.26.93.0 xxx.139.220.91 0 100 0 20965 3549 2914 4697 23456 i *>i193.5.68.0/23 xxx.139.220.91 0 100 0 20965 3549 6830 8758 23456 i *>i193.31.7.0 xxx.139.220.91 0 100 0 20965 3549 1273 5539 23456 i *>i195.47.195.0 xxx.139.220.91 0 100 0 20965 3549 8495 23456 i *>i196.1.15.0 xxx.139.220.91 0 100 0 20965 3549 174 3741 23456 i *>i202.255.47.0 xxx.139.220.91 0 100 0 20965 3549 2516 7667 23456 i -Hank >It would appear support is still very limited. 
I still have not seen >this pop up in the feature navigator by any recognizable name. > >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy >Sent: Tuesday, August 12, 2008 23:22 >To: cisco-nsp at puck.nether.net >Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers > >Hi, > >I have a query regarding implementation of 4 Byte AS on Cisco routers. > >Has anyone implemented/tested 4 byte AS on Cisco routers? > > Cheers. >Pratap. >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From hohockjim at gmail.com Wed Aug 13 04:24:14 2008 From: hohockjim at gmail.com (Hock Jim) Date: Wed, 13 Aug 2008 16:24:14 +0800 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> Message-ID: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> Already supported in IOS-XR. Recently heard from Cisco: 12.0S late Q4 2008 12.2SRE even later Q4 2008 12.5(1)T Q2 2009 That said, unless you're directly connected to a BGP peer with 32-bit ASNs, routing still works. You however lose visibility as to which AS it goes to. (Prolly have to resort to checking the Internet registries' whois manually.) On Wed, Aug 13, 2008 at 3:10 PM, Darryl Dunkin wrote: > It would appear support is still very limited. I still have not seen > this pop up in the feature navigator by any recognizable name. 
> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pratap Reddy > Sent: Tuesday, August 12, 2008 23:22 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers > > Hi, > > I have a query regarding implementation of 4 Byte AS on Cisco routers. > > Has anyone implemented/tested 4 byte AS on Cisco routers? > > Cheers. > Pratap. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From hashng at gmail.com Wed Aug 13 06:02:30 2008 From: hashng at gmail.com (Hash Aminu) Date: Wed, 13 Aug 2008 13:02:30 +0300 Subject: [c-nsp] Alternative to RBE (Route Bridge Encapsulation) Message-ID: Hi guys, I am trying to find a feature that will be able to replace Route Bridge Encapsulation, because we are migrating to 12.2S and it does not support that feature. Any thoughts or ideas will be useful. Thanks TIA Hash From p.mayers at imperial.ac.uk Wed Aug 13 06:02:52 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 13 Aug 2008 11:02:52 +0100 Subject: [c-nsp] SXI on 6500 (was: SXH on 6500) In-Reply-To: <00e601c8fcea$104fef40$1bfe200a@cisco.com> References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> Message-ID: <48A2B14C.5030308@imperial.ac.uk> David Prall wrote: > Both will remain for SX releases as far as I know. Eventually only modular Which I believe is in large part the cause of the problems they've had with SXH. Think about it: You're the 6500 IOS team. 
You have a large body of upstream IOS code, and you have to back-port it, but at the *same* time you also have to modularise it. Contrast: You're the 7600 IOS team. You have a large body of upstream IOS code. You just have to back-port it. > will be available, but that is still a while out. I believe once we start > seeing Safe Harbor Modular releases we will be closer to that happening. Ha ha. The Safe Harbor site claims that SXH3 monolithic testing would start in July (before it was even released?) but there are already severe crash bugs in that release, so I assume they'll wait until SXH3a or 4 or whatever. The Safe Harbor site also says of modularity: IOS Software Modularity 12.2(18)SXF *All releases have FAILED due to CSCin96568, CSCsf03710. Most Recently Tested 12.2(18)SXF8 failed Candidate Under Test or Planned 12.2(33)SXI.x Q2FY09 So it'll be over 6 months before they even *BOTHER TESTING* a modular release for Safe Harbor, accounting for the usual 6500 fictional IOS release dates. Does it sound to you like they're banging the "modular" drum a bit quieter than they used to? Because it does to me. Let's not kid ourselves - SXF is going to be the stable release for some time to come. I just hope they release an SXF train with support for the 6716s I bought... From mtinka at globaltransit.net Wed Aug 13 08:04:31 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 13 Aug 2008 20:04:31 +0800 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> Message-ID: <200808132004.32280.mtinka@globaltransit.net> On Wednesday 13 August 2008 16:24:14 Hock Jim wrote: > 12.2SRE even later Q4 2008 Hmmh, AFAIK, SRE is out mid-'09. What's planned for Q4'08 is SRD. Cheers, Mark. 
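The visibility loss described in the 4-byte AS thread above (an old speaker sees AS23456 wherever a 4-byte AS sits in the path) and the reconstruction a 4-byte-capable speaker performs from AS4_PATH, as an added example that is not code from the thread, from Cisco or from any of its posters. It assumes plain AS_SEQUENCE paths with no AS_SET handling, one prepend per AS, and uses constructed ASN values (asdot 2.4 and 4.0, the same notation as the cidr-report links) rather than any real-world attribution:

```python
"""Why an old BGP speaker shows AS23456 for 4-byte ASNs, and how a 4-byte
capable speaker recovers the real path (RFC 4893, section 4.2.3).

Added example for the 4-byte AS thread; not code from the thread or from
Cisco. Assumptions: every path is a plain AS_SEQUENCE (AS_SETs are not
modelled), each AS prepends itself exactly once, and all ASN values and the
chain of speakers below are constructed samples.
"""
from typing import List, Optional, Tuple

AS_TRANS = 23456  # reserved 2-byte placeholder for any ASN >= 65536


def asdot_to_asplain(text: str) -> int:
    """Parse '2.4' (asdot, as in the cidr-report links) or '65000' (asplain)."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"asdot component out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not (0 <= asn <= 0xFFFFFFFF):
        raise ValueError(f"ASN out of range: {text}")
    return asn


def asplain_to_asdot(asn: int) -> str:
    """Inverse of asdot_to_asplain; 2-byte ASNs stay plain numbers."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def to_2byte_path(path: List[int]) -> List[int]:
    """AS_PATH as an old speaker sees it: every 4-byte ASN becomes AS_TRANS."""
    return [asn if asn < 65536 else AS_TRANS for asn in path]


def propagate(chain: List[Tuple[int, bool]]) -> Tuple[List[int], Optional[List[int]]]:
    """Walk an UPDATE from the origin AS along a chain of (asn, speaks_4byte)
    hops and return (AS_PATH, AS4_PATH) as received by the router after the
    last hop. New speakers attach AS4_PATH whenever a 4-byte ASN is present;
    old speakers prepend only to AS_PATH and pass AS4_PATH through unchanged."""
    true_path: List[int] = []
    as4_path: Optional[List[int]] = None
    for asn, speaks_4byte in chain:
        if asn >= 65536 and not speaks_4byte:
            raise ValueError(f"AS {asn} cannot be an old (2-byte-only) speaker")
        true_path = [asn] + true_path
        if speaks_4byte and any(hop >= 65536 for hop in true_path):
            as4_path = list(true_path)  # a new speaker knows the full path
    return to_2byte_path(true_path), as4_path


def reconstruct_path(as_path: List[int], as4_path: Optional[List[int]]) -> List[int]:
    """Merge per RFC 4893 4.2.3: keep the leading len(AS_PATH) - len(AS4_PATH)
    hops added by old speakers, then append AS4_PATH. An AS4_PATH longer than
    AS_PATH is inconsistent and is ignored, leaving AS_TRANS in place."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    return list(as_path[: len(as_path) - len(as4_path)]) + list(as4_path)


def unresolved_hops(path: List[int]) -> List[int]:
    """Positions still showing AS_TRANS: hops whose real AS is unknown here."""
    return [i for i, asn in enumerate(path) if asn == AS_TRANS]


if __name__ == "__main__":
    # Constructed scenario: a 4-byte origin (asdot 2.4) behind two old transit
    # ASes, with a 4-byte-capable transit (asdot 4.0) in between them.
    origin = asdot_to_asplain("2.4")       # 131076
    new_transit = asdot_to_asplain("4.0")  # 262144
    chain = [(origin, True), (8495, False), (new_transit, True), (3549, False)]
    as_path, as4_path = propagate(chain)
    print("old speaker sees   :", as_path)    # [3549, 23456, 8495, 23456]
    print("AS4_PATH carried   :", as4_path)   # [262144, 8495, 131076]
    full = reconstruct_path(as_path, as4_path)
    print("new speaker sees   :", [asplain_to_asdot(a) for a in full])
    print("unresolved on old  :", unresolved_hops(as_path))  # [1, 3]
```

The old speaker still has a usable AS_PATH for loop detection and best-path selection; what it cannot tell is which real AS each AS_TRANS stands for, which is the "lost visibility" the thread refers to.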
From mtinka at globaltransit.net Wed Aug 13 08:04:24 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 13 Aug 2008 20:04:24 +0800 Subject: [c-nsp] SRC2? In-Reply-To: <1218555162.2004.15.camel@empacher.cns.ufl.edu> References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> Message-ID: <200808132004.24869.mtinka@globaltransit.net> On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote: > Anyone know when 12.2(33)SRC2 is supposed to be released, > specifically for the 7600. I had heard by the end of > July, but so far no release. Same here... heard it was meant to be mid-July, but nothing yet. Having waited this long, it'll come when it comes, I guess :-). Cheers, Mark. From paul at paulstewart.org Wed Aug 13 09:04:37 2008 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 13 Aug 2008 09:04:37 -0400 Subject: [c-nsp] Fake Gear?? 2621XM Message-ID: <004a01c8fd45$25a39f30$70eadd90$@org> Hi there. Does anyone have a guide or list of stuff to look for if you think you've been sold fake gear? I've gathered little bits and pieces over time on what to look for.. We have a number of 2621XM's deployed at remote sites. They all have similar configs, similar IOS loads (although they've been upgraded several times), and all have max memory/flash (aftermarket). The exact same problem keeps happening about every 3-4 weeks on most of these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes onsite, he does a shutdown/no shutdown and everything starts working again for 3-4 weeks. 
At first we thought this was the equipment the 2621XM's plug into but now we're starting to wonder when the same pattern is occurring over and over. At one of the sites, we swapped out the 2621XM and put an 1841 in place and so far no issues at all and it's been 5 weeks. Any thoughts? ;) Paul From tomas at soitron.com Wed Aug 13 08:58:02 2008 From: tomas at soitron.com (Tomas Daniska) Date: Wed, 13 Aug 2008 14:58:02 +0200 Subject: [c-nsp] SRB4 (was RE: SRC2?) In-Reply-To: <200808132004.24869.mtinka@globaltransit.net> References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> Message-ID: <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as> speaking of the releases... is anyone running SRB4 in production yet? cheers -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mark Tinka > Sent: 13 August 2008 14:04 > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SRC2? > > On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote: > > > Anyone know when 12.2(33)SRC2 is supposed to be released, > > specifically for the 7600. I had heard by the end of > > July, but so far no release. > > Same here... heard it was meant to be mid-July, but nothing > yet. > > Having waited this long, it'll come when it comes, I > guess :-). > > Cheers, > > Mark. From paul at paulstewart.org Wed Aug 13 09:38:53 2008 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 13 Aug 2008 09:38:53 -0400 Subject: [c-nsp] Fake Gear?? 2621XM In-Reply-To: <48A2DD95.9000704@packetlife.net> References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A2DD95.9000704@packetlife.net> Message-ID: <000001c8fd49$f507d3f0$df177bd0$@org> Thanks.. none of these particular 2621XM's have any additional cards in them.... 
but that's a handy reference for sure ;) Paul -----Original Message----- From: Jeremy Stretch [mailto:stretch at packetlife.net] Sent: August 13, 2008 9:12 AM To: Paul Stewart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Fake Gear?? 2621XM This page has some good info and pics: http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml -- stretch http://packetlife.net Paul Stewart wrote: > Hi there. > > > > Does anyone have a guide or list of stuff to look for if you think you've > been sold fake gear? I've gathered little bits and pieces over time on what > to look for.. > > > > We have a number of 2621XM's deployed at remote sites. They all have > similar configs, similar IOS loads (although they've been upgraded several > times), and all have max memory/flash (aftermarket). > > > > The exact same problem keeps happening about every 3-4 weeks on most of > these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes > onsite, he does a shutdown/no shutdown and everything starts working again > for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug > into but now we're starting to wonder when the same pattern is occurring > over and over. At one of the sites, we swapped out the 2621XM and put an > 1841 in place and so far no issues at all and it's been 5 weeks. > > > > Any thoughts? 
;) > > > > Paul > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From ltd at cisco.com Wed Aug 13 09:43:58 2008 From: ltd at cisco.com (Lincoln Dale) Date: Wed, 13 Aug 2008 23:43:58 +1000 Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> Message-ID: <48A2E51E.1080307@cisco.com> Hock Jim wrote: > Already supported in IOS-XR. > just for completness, NX-OS on Cisco Nexus 7K has it too. cheers, lincoln. From jlewis at lewis.org Wed Aug 13 09:59:05 2008 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 13 Aug 2008 09:59:05 -0400 (EDT) Subject: [c-nsp] Fake Gear?? 2621XM In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org> References: <004a01c8fd45$25a39f30$70eadd90$@org> Message-ID: On Wed, 13 Aug 2008, Paul Stewart wrote: > The exact same problem keeps happening about every 3-4 weeks on most of > these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes > onsite, he does a shutdown/no shutdown and everything starts working again > for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug > into but now we're starting to wonder when the same pattern is occurring > over and over. At one of the sites, we swapped out the 2621XM and put an > 1841 in place and so far no issues at all and it's been 5 weeks. It doesn't have to be fake gear to be buggy. That used to happen all the time on our AS5200s. Eventually, cisco came out with IOS that stopped doing it. 
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From stretch at packetlife.net Wed Aug 13 09:11:49 2008
From: stretch at packetlife.net (Jeremy Stretch)
Date: Wed, 13 Aug 2008 16:11:49 +0300
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A2DD95.9000704@packetlife.net>

This page has some good info and pics:
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1-v2.shtml

--
stretch
http://packetlife.net

Paul Stewart wrote:
> Hi there.
>
> Does anyone have a guide or list of stuff to look for if you think you've
> been sold fake gear? I've gathered little bits and pieces over time on what
> to look for..
>
> [...]
>
> Any thoughts? ;)
>
> Paul

From rubensk at gmail.com Wed Aug 13 10:03:18 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 11:03:18 -0300
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <00e601c8fcea$104fef40$1bfe200a@cisco.com>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com>
Message-ID: <6bb5f5b10808130703j38efcc41ja910a797fded9732@mail.gmail.com>

That is good news. The other good news would be that SXI monolithic could
run with only 256 MB of SP memory and 512 MB of RP memory (default config
of ME6524), Advanced IP Services. Any guess on this one?

Rubens

On Tue, Aug 12, 2008 at 11:11 PM, David Prall wrote:
> Both will remain for SX releases as far as I know. Eventually only modular
> will be available, but that is still a while out. I believe once we start
> seeing Safe Harbor Modular releases we will be closer to that happening.
>
> David
>
> --
> http://dcp.dcptech.com
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
>> Sent: Tuesday, August 12, 2008 9:56 PM
>> To: rocrowe at cisco.com
>> Cc: Cisco-nsp
>> Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500)
>>
>> Robert,
>>
>> Updating this modular x monolithic thread to SXI, what's the current
>> plan for SXI, modular only or both modular and non-modular?
>>
>> Rubens
>>
>> On Tue, Oct 2, 2007 at 12:07 PM, Robert Crowe wrote:
>> > SXH was originally planned to be modular only, but a non-modular image
>> > was released.
>> >
>> > -----Original Message-----
>> > From: cisco-nsp-bounces at puck.nether.net
>> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
>> > Sent: Tuesday, October 02, 2007 10:48 AM
>> > To: Gert Doering
>> > Cc: cisco-nsp at puck.nether.net
>> > Subject: Re: [c-nsp] SXH on 6500
>> >
>> > On Tue, 2007-10-02 at 11:11 +0200, Gert Doering wrote:
>> >> Hi,
>> >>
>> >> On Tue, Oct 02, 2007 at 09:53:12AM +0100, Phil Mayers wrote:
>> >> > You are aware that SXH is only available in modular?
>> >>
>> >> That's news to me and my routers :)
>> >>
>> >> -rw-r--r-- 1 gert daemon     77939716 11 Sep 10:26 s72033-advipservicesk9_wan-mz.122-33.SXH.bin
>> >> -rw-r--r-- 1 gert netmaster 123923108 20 Aug 23:32 s72033-advipservicesk9_wan-vz.122-33.SXH.bin
>> >>
>> >> gert
>> >
>> > You're correct of course. How odd - I'm looking at a pretty recent .ppt
>> > from Cisco claiming SXH would be modular-only. I guess they blinked.

From achatz at forthnet.gr Wed Aug 13 10:39:53 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 13 Aug 2008 17:39:53 +0300
Subject: [c-nsp] SRB4 (was RE: SRC2?)
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
Message-ID: <48A2F239.1080108@forthnet.gr>

I'm running it on 7600/SUP720 and 7600/RSP720 without any problems
(upgrade from SRB2/3; no L3 features used).

--
Tassos

Tomas Daniska wrote on 13/8/2008 3:58 PM:
> speaking of the releases... is anyone running SRB4 in production yet?
>
> cheers
>
> --
>
> deejay
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
>> Sent: 13 August 2008 14:04
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] SRC2?
>>
>> On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote:
>>
>>> Anyone know when 12.2(33)SRC2 is supposed to be released,
>>> specifically for the 7600. I had heard by the end of
>>> July, but so far no release.
>>
>> Same here... heard it was meant to be mid-July, but nothing yet.
>>
>> Having waited this long, it'll come when it comes, I guess :-).
>>
>> Cheers,
>>
>> Mark.
From david.freedman at uk.clara.net Wed Aug 13 11:08:17 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 13 Aug 2008 16:08:17 +0100
Subject: [c-nsp] Overruns - GSR Engine2 (3GE-GBIC-SC)

Am seeing incrementing overruns corresponding to the Gigmac rfifo_full
counter incrementing on this card:

  # sh int g4/0 | in overr
       5519 input errors, 0 CRC, 0 frame, 5519 overrun, 0 ignored
  # sh int g4/0 | in overr
       5521 input errors, 0 CRC, 0 frame, 5521 overrun, 0 ignored

  #execute-on slot 4 show controllers gig 0 | in fifo_full
  ========= Line Card (Slot 4) =========
  0 risl, 0 riq, 12947 rdrop, 0 rsupp, 0 rinvalid_encap, 12947 rfifo_full
  #execute-on slot 4 show controllers gig 0 | in fifo_full
  ========= Line Card (Slot 4) =========
  0 risl, 0 riq, 12953 rdrop, 0 rsupp, 0 rinvalid_encap, 12953 rfifo_full

Linecard CPU is not high:

  #execute-on slot 4 show proc cpu | exc 0.00
  ========= Line Card (Slot 4) =========
  CPU utilization for five seconds: 38%/0%; one minute: 19%; five minutes: 17%
   PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
    53    25776564  10964270       2350  0.55%  0.75%  0.75%   0 CEF process
    63    15474780  42493646        364  0.15%  0.24%  0.23%   0 Queue Mgr
    80  1174512036   6109315     192253 36.55% 16.26% 15.51%   0 TAG Stats Backgr

Traffic does not seem excessive on the port in question nor have I found
any evidence of microbursts:

  #sh int g4/0
  GigabitEthernet4/0 is up, line protocol is up
    Hardware is GigMac 3 Port GigabitEthernet, address is 0005.5ff8.c954 (bia 0005.5ff8.c954)
    Internet address is 10.0.0.1/30
    MTU 1600 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 58/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full Duplex, 1000Mbps, link type is force-up, media type is LX
    output flow-control is unsupported, input flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters 2d01h
    Queueing strategy: fifo
    Output queue 0/40, 0 drops; input queue 0/75, 0 drops
    5 minute input rate 204130000 bits/sec, 57532 packets/sec
    5 minute output rate 230560000 bits/sec, 46316 packets/sec
       7492692380 packets input, 3630841835600 bytes, 0 no buffer
       Received 42 broadcasts, 0 runts, 8629393 giants, 0 throttles
       5584 input errors, 0 CRC, 0 frame, 5584 overrun, 0 ignored
       0 watchdog, 30 multicast, 0 pause input
       5459460767 packets output, 3540440430407 bytes, 0 underruns
       Transmitted 0 broadcasts
       0 output errors, 0 collisions, 0 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier, 0 pause output
       0 output buffer failures, 0 output buffers swapped out

Other ports in this card doing similar amounts of traffic are also getting
these in proportion to the traffic level:

  #sh int g4/1
  GigabitEthernet4/1 is up, line protocol is up
    Hardware is GigMac 3 Port GigabitEthernet, address is 0005.5ff8.c955 (bia 0005.5ff8.c955)
    Internet address is 192.168.1.1/30
    MTU 2450 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 47/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full Duplex, 1000Mbps, link type is autonegotiation, media type is LX
    output flow-control is unsupported, input flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters 9w1d
    Queueing strategy: fifo
    Output queue 0/40, 0 drops; input queue 0/75, 146013 drops
    30 second input rate 85938000 bits/sec, 24296 packets/sec
    30 second output rate 185108000 bits/sec, 50553 packets/sec
       100929774614 packets input, 44365470024613 bytes, 2 no buffer
       Received 3 broadcasts, 0 runts, 3019035119 giants, 0 throttles
       92 input errors, 0 CRC, 0 frame, 92 overrun, 0 ignored
       0 watchdog, 4214445 multicast, 0 pause input
       152348554046 packets output, 61084338748442 bytes, 0 underruns
       Transmitted 8 broadcasts
       0 output errors, 0 collisions, 6 interface resets
       0 babbles, 0 late collision, 0 deferred
       3 lost carrier, 0 no carrier, 0 pause output
       0 output buffer failures, 0 output buffers swapped out

So is this a limitation of the PHY? Checking the specs for the gigmac
PMC7160 (which I think this is?) it should be able to do around 1.94Gb/Sec
@ 536KFps so what is causing the overruns?

I found a report in bug CSCse98594 of broadcast frames interspersed with
<= 64b packets causing this condition in tetra cards (E3) but would assume
the PHY is different.

Also worth noting, acl is being done in PSA and virtually no process
switching (other than CEF recv/punt) is being done.

Running 12.0(32)S8 on 12000 GRP-B, bugtool does not turn up anything
wonderful.

Has anybody seen this before?

From justin at justinshore.com Wed Aug 13 11:14:19 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 10:14:19 -0500
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <48A2B14C.5030308@imperial.ac.uk>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk>
Message-ID: <48A2FA4B.40104@justinshore.com>

Phil Mayers wrote:
> You're the 6500 IOS team. You have a large body of upstream IOS code,
> and you have to back-port it, but at the *same* time you also have to
> modularise it.

I'm really going to dive off into OT land, but does anyone know if the
Metro Ethernet 6500 is under the Enterprise BU or if it's the Service
Provider BU? I've gotten contradicting answers before. It would seem
really odd to me for the ME6524 to be under the Enterprise BU, no matter
what its roots are, because only SPs will use it. Likewise I don't
understand why it runs SX and not SR if it's in the SP BU.
Justin

From saku+cisco-nsp at ytti.fi Wed Aug 13 11:18:14 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 13 Aug 2008 18:18:14 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com>
Message-ID: <20080813151814.GA3645@mx.ytti.net>

On (2008-08-11 07:41 +0200), Oliver Boehmer (oboehmer) wrote:

> BTW: the LDP filter only prevents advertisement of the binding, it
> doesn't prevent the LSR from assigning a label (the imp-null in your
> example).

I think we had this discussion some years ago, but it would be nice,
instead of ACLs to be able to say 'no mpls ldp label; mpls ldp label
loop0' or so, to generate label only for loop0.

--
  ++ytti

From rubensk at gmail.com Wed Aug 13 11:24:03 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 12:24:03 -0300
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <48A2FA4B.40104@justinshore.com>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk> <48A2FA4B.40104@justinshore.com>
Message-ID: <6bb5f5b10808130824y68d58f6bl158f9d7e3621462f@mail.gmail.com>

Latest info I've got is that the ME6500 is under the ISBU, Internet
Systems. 7600 is under the ERBU, Edge Routing, and 12000/CRS is under the
CRBU, Core Routing.

Rubens

On Wed, Aug 13, 2008 at 12:14 PM, Justin Shore wrote:
> Phil Mayers wrote:
>>
>> You're the 6500 IOS team. You have a large body of upstream IOS code, and
>> you have to back-port it, but at the *same* time you also have to modularise
>> it.
>
> I'm really going to dive off into OT land, but does anyone know if the Metro
> Ethernet 6500 is under the Enterprise BU or if it's the Service Provider BU?
> I've gotten contradicting answers before. It would seem really odd to me
> for the ME6524 to be under the Enterprise BU, no matter what its roots are,
> because only SPs will use it. Likewise I don't understand why it runs SX and
> not SR if it's in the SP BU.
>
> Justin

From justin at justinshore.com Wed Aug 13 11:27:17 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 10:27:17 -0500
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A2FD55.8030006@justinshore.com>

Paul Stewart wrote:
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.

While I don't have an elegant fix for you, how about a kron job that
reloads the router every 2 weeks in the wee hours of the morning? If it's
only a 2621XM it can't be too big of a site and likely not that critical
(assumption but probably fair). A reload shouldn't be too painful. Though
we are talking about a 2600 XM router. Boot time for one of them is over
10m if memory serves me correctly. I hate to use duct tape fixes like that
but sometimes the simplest solution (problem avoidance) is the best overall
approach.
Justin

From oboehmer at cisco.com Wed Aug 13 11:29:03 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 13 Aug 2008 17:29:03 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <20080813151814.GA3645@mx.ytti.net>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC4AB5@xmb-ams-333.emea.cisco.com> <20080813151814.GA3645@mx.ytti.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>

Saku Ytti <> wrote on Wednesday, August 13, 2008 5:18 PM:

> On (2008-08-11 07:41 +0200), Oliver Boehmer (oboehmer) wrote:
>
>> BTW: the LDP filter only prevents advertisement of the binding, it
>> doesn't prevent the LSR from assigning a label (the imp-null in your
>> example).
>
> I think we had this discussion some years ago, but it would be nice,
> instead of ACLs to be able to say 'no mpls ldp label; mpls ldp label
> loop0' or so, to generate label only for loop0.

well, an LSR needs to allocate labels also for other nodes' loopbacks, so
this alone will not be enough ;-)

However, IOS now has a label allocation filter
(http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
having a "allocate global host-routes" shorthand to only allocate labels
for /32s (or uses a prefix-list for more granular control)..

	oli

From jcartier at acs.on.ca Wed Aug 13 11:35:49 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 13 Aug 2008 11:35:49 -0400
Subject: [c-nsp] Sub-interface question...

I'm in an awkward situation where I've been given the task to investigate
how to design MPLS vrf connections without using vlans defined locally,
and using sub-interfaces instead. I'm unsure of how this is possible...any
suggestions on where to look?

From paul at paulstewart.org Wed Aug 13 11:37:35 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 13 Aug 2008 11:37:35 -0400
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <48A2FD55.8030006@justinshore.com>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A2FD55.8030006@justinshore.com>
Message-ID: <001101c8fd5a$82e1a8d0$88a4fa70$@org>

Thanks.. yeah, we've looked at that... but in the meantime as they fail we
are pulling them out of production and scrapping them pretty much...

I'm estimating we have 10-12 of these still left at sites and they all came
from the same supplier which is suspicious (hence my questions on fake
gear)....

Paul

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: August 13, 2008 11:27 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Paul Stewart wrote:
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". [...]

While I don't have an elegant fix for you, how about a kron job that
reloads the router every 2 weeks in the wee hours of the morning? If it's
only a 2621XM it can't be too big of a site and likely not that critical
(assumption but probably fair). A reload shouldn't be too painful. Though
we are talking about a 2600 XM router. Boot time for one of them is over
10m if memory serves me correctly. I hate to use duct tape fixes like that
but sometimes the simplest solution (problem avoidance) is the best overall
approach.
Justin

From jlewis at lewis.org Wed Aug 13 11:50:31 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 13 Aug 2008 11:50:31 -0400 (EDT)
Subject: [c-nsp] conditional bgp default-originate

I'd like to be able to conditionally advertise a default route to customers
taking just default routes only if my transit BGP sessions appear to be
functional. I thought something like this might work:

  neighbor 10.1.0.2 default-originate route-map BGP-UP

  route-map BGP-UP permit 10
   match as-path 100

  ip as-path access-list 100 permit ^3356_
  ip as-path access-list 100 permit ^4323_

But no such luck. Checking the docs at
http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042
it seems I have to exactly match against a route for the route-map to work
here. That means actually picking a few "canary routes" I expect to get
from my upstreams and hoping they don't go anywhere or change mask. I'm
not really happy with that. Are there better ways to do this?

Also, while looking at the docs above and experimenting in the GNS3
simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few
oddities. First, there are multiple errors in the docs mentioned above.
i.e. From the URL above:

  In the following example, the last line of the configuration has been
  changed to show the use of an extended access list. The local router
  injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a
  route to 192.168.0.0 with a mask of 255.255.0.0:

    router bgp 50000
     network 172.16.0.0
     neighbor 172.16.2.3 remote-as 60000
     neighbor 172.16.2.3 default-originate route-map default-map
    !
    route-map default-map 10 permit
     match ip address 1
    !
    access-list 100 permit ip host 192.168.0.0 host 255.255.255.0

In the above example, they did change the ACL to an extended access-list,
but the route-map wasn't updated to use it (still using 1) and they say
they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
access-list 100 uses a /24 mask.

Just above this example, the docs say that

  access-list 1 permit 192.168.0.0

will match a route for 192.168.0.0 with any mask. In my simulator, I have

  R1--R2--R3

R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default to
R3 using the route-map

  route-map BGP-UP permit 10
   match ip address 50

  access-list 50 permit 8.0.0.0

When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
default is not sent to R3. If I add to access-list 50

  access-list 50 permit 8.0.0.0 0.0.255.255

  Standard IP access list 50
      10 permit 8.0.0.0 (973 matches)
      20 permit 8.0.0.0, wildcard bits 0.0.255.255

I get hits on the permit 8.0.0.0 line now, and default is sent to R3. This
seems kind of broken. I haven't duplicated the setup with real hardware to
see if it's a simulator screwup...but since the simulator is running actual
IOS, it seems unlikely the simulator is to blame.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From cisco-nsp at gatlan.nl Wed Aug 13 11:35:23 2008
From: cisco-nsp at gatlan.nl (Bas Roos)
Date: Wed, 13 Aug 2008 17:35:23 +0200
Subject: [c-nsp] SRC2?
In-Reply-To: <1218555162.2004.15.camel@empacher.cns.ufl.edu>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu>
Message-ID: <48A2FF3B.5030104@gatlan.nl>

Chris Griffin wrote:
> Anyone know when 12.2(33)SRC2 is supposed to be released, specifically
> for the 7600. I had heard by the end of July, but so far no release.
>
> Thanks

We have a very annoying bug in the previous version and are waiting for
this release for our 7206VXR. According to someone at Cisco, who wasn't
supposed to say this, it would be released in about 4 to 5 weeks. Sadly,
this was promised us about 8 weeks ago :( The latest statement we got from
them was end of September.

Cheers,
Bas Roos

From justin at justinshore.com Wed Aug 13 12:04:28 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 13 Aug 2008 11:04:28 -0500
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <001101c8fd5a$82e1a8d0$88a4fa70$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A2FD55.8030006@justinshore.com> <001101c8fd5a$82e1a8d0$88a4fa70$@org>
Message-ID: <48A3060C.8070707@justinshore.com>

It's a good way to justify new gear too. :-)

Justin

Paul Stewart wrote:
> Thanks.. yeah, we've looked at that... but in the meantime as they fail we
> are pulling them out of production and scrapping them pretty much...
>
> I'm estimating we have 10-12 of these still left at sites and they all came
> from the same supplier which is suspicious (hence my questions on fake
> gear)....
>
> Paul

From Benjamin.Conconi at nok.ch Wed Aug 13 13:04:50 2008
From: Benjamin.Conconi at nok.ch (Benjamin.Conconi at nok.ch)
Date: Wed, 13 Aug 2008 19:04:50 +0200
Subject: [c-nsp] ES40 / ES20+ / SRD
Message-ID: <5572DC61C4EEAB4DABE7E00F1DEF0557112E50@VMBDN121.prod.axponet.ch>

Hello

Does anyone have information on availability / pricing for the new
ES40/ES20+ linecards and SRD...

thanks

Ben

From saku+cisco-nsp at ytti.fi Wed Aug 13 13:23:03 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 13 Aug 2008 20:23:03 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
Message-ID: <20080813172303.GA4180@mx.ytti.net>

On (2008-08-13 17:29 +0200), Oliver Boehmer (oboehmer) wrote:

> well, an LSR needs to allocate labels also for other nodes' loopbacks,
> so this alone will not be enough ;-)

All boxes would advertise everything they get, but only generate loop0.
> However, IOS now has a label allocation filter
> (http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
> having a "allocate global host-routes" shorthand to only
> allocate labels for /32s (or uses a prefix-list for more granular
> control)..

Interface would be nice short-cut, as it's probably most typical
situation that you only want labels for loop0.

--
  ++ytti

From oboehmer at cisco.com Wed Aug 13 14:38:18 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 13 Aug 2008 20:38:18 +0200
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <20080813172303.GA4180@mx.ytti.net>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>

Saku Ytti wrote on Wednesday, August 13, 2008 7:23 PM:

> On (2008-08-13 17:29 +0200), Oliver Boehmer (oboehmer) wrote:
>
>> well, an LSR needs to allocate labels also for other nodes'
>> loopbacks, so this alone will not be enough ;-)
>
> All boxes would advertise everything they get, but only generate
> loop0.

well, this dependency on what other LDP neighbors send is not really
in-line with the independent control mode LDP operates in, so the
implementation might not be straight-forward.

>> However, IOS now has a label allocation filter
>> (http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
>> having a "allocate global host-routes" shorthand to
>> only allocate labels for /32s (or uses a prefix-list for more
>> granular control)..
>
> Interface would be nice short-cut, as it's probably most typical
> situation that you only want labels for loop0.

well, "interfaces" would also cover connected /30 or /31s, something you
usually don't want to advertise labels for? But wouldn't a (prefix) ACL
be enough to cover most cases? Generally, loopbacks are allocated from
one or more prefix ranges, so ACLs could be rather static?

	oli

From TOMAS.LYNCH at GlobalCrossing.com Wed Aug 13 15:02:15 2008
From: TOMAS.LYNCH at GlobalCrossing.com (Lynch, Tomas)
Date: Wed, 13 Aug 2008 15:02:15 -0400
Subject: [c-nsp] Sub-interface question...
References: 
Message-ID: <5210A1C9084123478E12AA5924D1F2536F415A@w3usmia2.lat.gblxint.com>

Frame relay, ATM ;)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
> Sent: Wednesday, August 13, 2008 12:36 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Sub-interface question...
>
> I'm in an awkward situation where I've been given the task to
> investigate how to design MPLS vrf connections without using vlans
> defined locally, and using sub-interfaces instead. I'm unsure of how
> this is possible...any suggestions on where to look?

From sethm at rollernet.us Wed Aug 13 15:04:44 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 13 Aug 2008 12:04:44 -0700
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <004a01c8fd45$25a39f30$70eadd90$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org>
Message-ID: <48A3304C.1000609@rollernet.us>

Paul Stewart wrote:
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>

I'm aware of fake modules, and have some fakes, but I've personally never
heard of fake routers before now.

~Seth

From RTeller at deltadentalwa.com Wed Aug 13 15:13:37 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 13 Aug 2008 12:13:37 -0700
Subject: [c-nsp] VMPS and 6500
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00FA6@tiger.deltadentalwa.com>

I was thinking about playing with VMPS but from what I can tell it's not
supported on IOS, is that correct?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be
privileged, confidential and protected from disclosure. This transmission
is intended for the sole use of the individual and entity to whom it is
addressed. If you are not the intended recipient, any dissemination,
distribution or copying is strictly prohibited. If you think that you have
received this message in error, please e-mail the sender at the above
e-mail address.
#########################################################

From paul at paulstewart.org Wed Aug 13 15:24:22 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 13 Aug 2008 15:24:22 -0400
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <48A3304C.1000609@rollernet.us>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A3304C.1000609@rollernet.us>
Message-ID: <000301c8fd7a$3752cd70$a5f86850$@org>

Neither had I... I have heard of lots of fake 2950 switches though and
that they are extremely hard to tell the difference....

Thanks everyone for the replies.... anyone aware of a way to run serial
numbers on Cisco.com and verify the correct model even? I've heard of some
grey market resellers doing this before...
Paul -----Original Message----- From: Seth Mattinen [mailto:sethm at rollernet.us] Sent: August 13, 2008 3:05 PM To: Paul Stewart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Fake Gear?? 2621XM Paul Stewart wrote: > > The exact same problem keeps happening about every 3-4 weeks on most of > these 2621XM's - the FastE0/1 port "goes to sleep". When a technician goes > onsite, he does a shutdown/no shutdown and everything starts working again > for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug > into but now we're starting to wonder when the same pattern is occurring > over and over. At one of the sites, we swapped out the 2621XM and put an > 1841 in place and so far no issues at all and it's been 5 weeks. > > Any thoughts? ;) > I'm aware of fake modules, and a have some fakes, but I've personally never heard of fake routers before now. ~Seth From sdanelli at gmail.com Wed Aug 13 15:47:31 2008 From: sdanelli at gmail.com (Sergio D.) Date: Wed, 13 Aug 2008 13:47:31 -0600 Subject: [c-nsp] filter LDP bindings Message-ID: "well, an LSR needs to allocate labels also for other nodes' loopbacks, so this alone will not be enough ;-)" Could it not just based is allocation of labels based on having it in the LFIB already? Why does the LSR need to allocate a label for all the learned prefixes? Juniper only binds the loopback and all the LSRs only allocate labels for that from other neighbors, maybe it just looks for /32 prefixes. Is that what Label distribution control mode: ordered vs. Label distribution control mode: independent is? 
thanks

Message: 3
Date: Wed, 13 Aug 2008 17:29:03 +0200
From: "Oliver Boehmer (oboehmer)"
Subject: Re: [c-nsp] filter LDP bindings
To: "Saku Ytti", <cisco-nsp at puck.nether.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D at xmb-ams-333.emea.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Saku Ytti <> wrote on Wednesday, August 13, 2008 5:18 PM:

> On (2008-08-11 07:41 +0200), Oliver Boehmer (oboehmer) wrote:
>
>> BTW: the LDP filter only prevents advertisement of the binding, it
>> doesn't prevent the LSR from assigning a label (the imp-null in your
>> example).
>
> I think we had this discussion some years ago, but it would be nice,
> instead of ACLs to be able to say 'no mpls ldp label; mpls ldp label
> loop0' or so, to generate label only for loop0.

well, an LSR needs to allocate labels also for other nodes' loopbacks, so
this alone will not be enough ;-)

However, IOS now has a label allocation filter
(http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
having a "allocate global host-routes" shorthand to only allocate labels
for /32s (or uses a prefix-list for more granular control)..

        oli

--
Sergio

From jfitz at Princeton.EDU Wed Aug 13 16:17:21 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 13 Aug 2008 16:17:21 -0400
Subject: [c-nsp] 6500 snmp and vty acls ?

Does anyone know if VTY and snmp ACLs are implemented in hardware or
software on a 6500 with 720-CXL running 12.2(33)SXH.

I am trying to understand COPP and move away from the VTY and SNMP ACLs.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University

From vateatea at gmail.com Wed Aug 13 16:23:06 2008
From: vateatea at gmail.com (Kyle Johnson)
Date: Wed, 13 Aug 2008 16:23:06 -0400
Subject: [c-nsp] CLIPS functionality for DHCP clients

All-

I'm trying to create a solution to allow for subscriber management
based on client PC MAC address. I see that Redback offers this "CLIPS"
(CPE mac address & RADIUS record) method of subscriber management but
Redback equipment is pretty pricey...

Does anyone have a suggestion on a Cisco equivalent (PPPOE
functionality/sessions based off client MAC rather than PPPOE
config..) that will run on lower-end gear?

Thanks-

Kyle

From vijay.ramcharan at verizonbusiness.com Wed Aug 13 15:51:00 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 13 Aug 2008 19:51:00 +0000
Subject: [c-nsp] Fake Gear?? 2621XM
In-Reply-To: <000301c8fd7a$3752cd70$a5f86850$@org>
References: <004a01c8fd45$25a39f30$70eadd90$@org> <48A3304C.1000609@rollernet.us> <000301c8fd7a$3752cd70$a5f86850$@org>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F0504EECD@ASHEVS011.mcilink.com>

What if the counterfeiter simply copies a valid serial number and uses it
to produce x number of fake Cisco labels (those are faked to look like
real labels too) which they then affix to x number of fake chassis'?

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: August 13, 2008 15:24
To: 'Seth Mattinen'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Neither had I... I have heard of lots of fake 2950 switches though and
that they are extremely hard to tell the difference.... Thanks everyone
for the replies.... anyone aware of a way to run serial numbers on
Cisco.com and verify the correct model even? I've heard of some grey
market resellers doing this before...

Paul

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: August 13, 2008 3:05 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fake Gear?? 2621XM

Paul Stewart wrote:
>
> The exact same problem keeps happening about every 3-4 weeks on most of
> these 2621XM's - the FastE0/1 port "goes to sleep".
> When a technician goes
> onsite, he does a shutdown/no shutdown and everything starts working again
> for 3-4 weeks. At first we thought this was the equipment the 2621XM's plug
> into but now we're starting to wonder when the same pattern is occurring
> over and over. At one of the sites, we swapped out the 2621XM and put an
> 1841 in place and so far no issues at all and it's been 5 weeks.
>
> Any thoughts? ;)
>

I'm aware of fake modules, and I have some fakes, but I've personally
never heard of fake routers before now.

~Seth

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From leonardo.souza at nec.com.br Wed Aug 13 16:30:57 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 13 Aug 2008 17:30:57 -0300
Subject: [c-nsp] RES: conditional bgp default-originate
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E27@spsrvmail03.nec.br>

I haven't tested this, but you can configure two access-lists with both
BGP session IP addresses of your upstream providers and match them in the
route-map.

neighbor 10.1.0.2 default-originate route-map BGP-UP

route-map BGP-UP permit 10
 match ip address 101
 match ip address 102
route-map BGP-UP deny 20

access-list 101 permit ip host x.x.x.x
access-list 101 remark upstream provider 1 bgp session ip address
access-list 102 permit ip host y.y.y.y
access-list 102 remark upstream provider 2 bgp session ip address

Regards,
Leonardo Gama.

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Jon Lewis
Sent: Wed 13/8/2008 12:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] conditional bgp default-originate

I'd like to be able to conditionally advertise a default route to
customers taking just default routes only if my transit BGP sessions
appear to be functional.

I thought something like this might work:

 neighbor 10.1.0.2 default-originate route-map BGP-UP

route-map BGP-UP permit 10
 match as-path 100

ip as-path access-list 100 permit ^3356_
ip as-path access-list 100 permit ^4323_

But no such luck. Checking the docs at

http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042

it seems I have to exactly match against a route for the route-map to work
here. That means actually picking a few "canary routes" I expect to get
from my upstreams and hoping they don't go anywhere or change mask. I'm
not really happy with that. Are there better ways to do this?

Also, while looking at the docs above and experimenting in the GNS3
simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few
oddities.

First, there's multiple errors in the docs mentioned above. i.e. From the
URL above:

 In the following example, the last line of the configuration has been
 changed to show the use of an extended access list. The local router
 injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route
 to 192.168.0.0 with a mask of 255.255.0.0:

 router bgp 50000
  network 172.16.0.0
  neighbor 172.16.2.3 remote-as 60000
  neighbor 172.16.2.3 default-originate route-map default-map
 !
 route-map default-map 10 permit
  match ip address 1
 !
 access-list 100 permit ip host 192.168.0.0 host 255.255.255.0

In the above example, they did change the ACL to an extended access-list,
but the route-map wasn't updated to use it (still using 1) and they say
they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
access-list 100 uses a /24 mask.

Just above this example, the docs say that
 access-list 1 permit 192.168.0.0
will match a route for 192.168.0.0 with any mask. In my simulator, I have
R1--R2--R3
R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
to R3 using the route-map

route-map BGP-UP permit 10
 match ip address 50

access-list 50 permit 8.0.0.0

When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
default is not sent to R3. If I add to access-list 50
access-list 50 permit 8.0.0.0 0.0.255.255

Standard IP access list 50
 10 permit 8.0.0.0 (973 matches)
 20 permit 8.0.0.0, wildcard bits 0.0.255.255

I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
This seems kind of broken. I haven't duplicated the setup with real
hardware to see if it's a simulator screwup...but since the simulator is
running actual IOS, it seems unlikely the simulator is to blame.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jared at puck.nether.net Wed Aug 13 16:32:15 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 13 Aug 2008 16:32:15 -0400
Subject: [c-nsp] 6500 snmp and vty acls ?
Message-ID: <20080813203215.GF19971@puck.nether.net>

On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
> Does anyone know if VTY and snmp ACLs are implemented in hardware or
> software on a 6500 with 720-CXL running 12.2(33)SXH.

If implemented with line vty 0 4 access-class it's done in SW.

> I am trying to understand COPP and move away from the VTY and SNMP ACLs.

If implemented with CoPP then it's done in HW and Software.

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
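The conditional default-originate thread above (Jon Lewis's canary-route question, the Cisco doc excerpt he quotes, and the "pick a network that never goes away" approach Hank Nussbacher describes later in the thread) turns on what "match ip address" actually tests when a route-map is hung off "default-originate". The following is an added Python model of the documented semantics, not code from the list or from Cisco: a standard ACL entry tests a route's network address with any mask, an extended "ip host NET host MASK" entry tests network and mask, and the default is originated only when some route in the BGP table passes the route-map. The configs and prefixes in it are constructed sample data patterned on the thread, and the 12.3 simulator behaviour Jon reports is deliberately not reproduced.

```python
"""Model of IOS conditional default-originate. Added example, not list or
Cisco code: standard ACL entries test the route's network address (any
mask), extended 'ip host NET host MASK' entries test network and mask,
and the default is sent only when some BGP-table route passes the map."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

def _ip(token: str) -> int:
    return int(ipaddress.IPv4Address(token))

def _wc_match(value: int, base: int, wildcard: int) -> bool:
    return (value & ~wildcard) == (base & ~wildcard)   # wildcard 1 bit = don't care

def _addr_spec(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A [WILDCARD]' at t[i]; return (base, wildcard, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if i + 1 < len(t):
        return _ip(t[i]), _ip(t[i + 1]), i + 2
    return _ip(t[i]), 0, i + 1                # no wildcard given: exact address

@dataclass
class AclEntry:
    action: str                               # "permit" or "deny"
    net: int
    net_wc: int
    mask: Optional[int] = None                # extended entries only
    mask_wc: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not _wc_match(int(route.network_address), self.net, self.net_wc):
            return False
        if self.mask is None:                 # standard ACL: any mask matches
            return True
        return _wc_match(int(route.netmask), self.mask, self.mask_wc)

@dataclass
class RouteMapSeq:
    action: str
    seq: int
    acls: List[str] = field(default_factory=list)   # OR-ed, as IOS merges them

def parse_config(text: str):
    """Collect numbered access-lists and route-map sequences from IOS config lines."""
    acls: Dict[str, List[AclEntry]] = {}
    rmaps: Dict[str, List[RouteMapSeq]] = {}
    current: Optional[RouteMapSeq] = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2] != "remark":
            if t[3] == "ip":                  # extended: ip SRC-SPEC DST-SPEC
                net, net_wc, i = _addr_spec(t, 4)
                mask, mask_wc, _ = _addr_spec(t, i)
                entry = AclEntry(t[2], net, net_wc, mask, mask_wc)
            else:                             # standard: ADDR [WILDCARD]
                net, net_wc, _ = _addr_spec(t, 3)
                entry = AclEntry(t[2], net, net_wc)
            acls.setdefault(t[1], []).append(entry)
            current = None
        elif t[0] == "route-map":             # also accept the docs' 'NAME 10 permit'
            action, seq = (t[3], t[2]) if t[2].isdigit() else (t[2], t[3])
            current = RouteMapSeq(action, int(seq))
            rmaps.setdefault(t[1], []).append(current)
        elif t[:3] == ["match", "ip", "address"] and current is not None:
            current.acls.extend(t[3:])
    return acls, rmaps

def acl_permits(entries: List[AclEntry], route: ipaddress.IPv4Network) -> bool:
    for e in entries:                         # first match decides; implicit deny
        if e.matches(route):
            return e.action == "permit"
    return False

def route_passes(seqs: List[RouteMapSeq], acls, route) -> bool:
    for s in sorted(seqs, key=lambda s: s.seq):
        if not s.acls or any(acl_permits(acls.get(n, []), route) for n in s.acls):
            return s.action == "permit"
    return False                              # nothing matched: route-map denies

def originate_default(config: str, rmap: str, bgp_table: Iterable[str]) -> bool:
    """True when at least one route in the BGP table passes the route-map."""
    acls, rmaps = parse_config(config)
    seqs = rmaps.get(rmap, [])
    return any(route_passes(seqs, acls, ipaddress.ip_network(p)) for p in bgp_table)

# Constructed configs (after Jon's, Hank's and the docs' examples); sample data only.
JON_CFG = "route-map BGP-UP permit 10\n match ip address 50\naccess-list 50 permit 8.0.0.0\n"
HANK_CFG = ("route-map track-Broadwing permit 10\n match ip address 50\n"
            "access-list 50 permit 216.140.0.0 0.3.255.255\n")
DOC_CFG = ("route-map default-map 10 permit\n match ip address 100\n"
           "access-list 100 permit ip host 192.168.0.0 host 255.255.255.0\n")

if __name__ == "__main__":
    print(originate_default(JON_CFG, "BGP-UP", ["8.0.0.0/16"]))            # True
    print(originate_default(HANK_CFG, "track-Broadwing", ["10.0.0.0/8"]))   # False
    print(originate_default(DOC_CFG, "default-map", ["192.168.0.0/16"]))    # False
```

Run against a snapshot of the table it makes the canary-route dependency explicit: once the matched prefix disappears, the function flips to False, which is exactly the "if it does, their backbone has gone down" signal Hank relies on.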
From gert at greenie.muc.de Wed Aug 13 17:00:59 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 13 Aug 2008 23:00:59 +0200
Subject: [c-nsp] SXI on 6500 (was: SXH on 6500)
In-Reply-To: <48A2B14C.5030308@imperial.ac.uk>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk>
Message-ID: <20080813210059.GY288@greenie.muc.de>

Hi,

On Wed, Aug 13, 2008 at 11:02:52AM +0100, Phil Mayers wrote:
> Think about it:
>
> You're the 6500 IOS team. You have a large body of upstream IOS code,
> and you have to back-port it, but at the *same* time you also have to
> modularise it.
>
> Contrast:
>
> You're the 7600 IOS team. You have a large body of upstream IOS code.
> You just have to back-port it.

Did I mention that the whole 6500-vs-7600-vs-"why the hell would anybody
want stable IOS?" debacle is really annoying?

IOS quality on the 6500/7600 platform, which really should be the "show
horse" platform for Cisco, is on the same (low) level as "new hardware T
train release" - but on other platforms one can usually choose a non-T
train, while on 6500/7600, usually you don't even get to choose between
pest or cholera...

I can't believe why things as "IPv6 on a SVI" or "scp from the box" could
simply be non-working in new releases. Is anyone testing this stuff? Or
is the single programmer in each BU fully occupied with keeping the
gazillion of BU "stupid decision makers" off his back?

[..]
> Let's not kid ourselves - SXF is going to be the stable release for some
> time to come. I just hope they release an SXF train with support for the
> 6716s I bought...

There is no SXF support for the Sup720-10G either, as far as I have been
led to understand, so I wouldn't hold my breath...

(Stupid me, falling for Cisco sales pitch again "hey, when we have to
swap your 7606S chassis against 6506 chassis anyway, what about paying
just a leeeetle extra and getting a Sup720->Sup720-10G upgrade with
it?").

Now we're running SXH3, have lost BFD on SVIs, and are waiting for some
catastrophic thing to happen to our network.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Aug 13 17:07:36 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 13 Aug 2008 23:07:36 +0200
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com>
Message-ID: <20080813210736.GZ288@greenie.muc.de>

Hi,

On Wed, Aug 13, 2008 at 04:24:14PM +0800, Hock Jim wrote:
> That said, unless you're directly connected to a BGP peer with 32-bit ASNs,

Even then it will work, sort of. Just configure the peer as AS23456.

You'll lose AS-path filtering capability, though, and if you have
multiple 32bit peer ASNs, it will be hard to figure out who is who.

If you have a 32bit ASN yourself, then you're doomed. (You could buy
a Vendor J router, they have implemented it on time... - it's not like
"it's especially hard", or "cisco has not been told that the ASN clock
is ticking" or even "Cisco folks have taken part in writing the relevant
32-bit RFC").

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From ras at e-gerbil.net Wed Aug 13 17:39:53 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 13 Aug 2008 16:39:53 -0500
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <20080813210736.GZ288@greenie.muc.de>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de>
Message-ID: <20080813213953.GH4889@gerbil.cluepon.net>

On Wed, Aug 13, 2008 at 11:07:36PM +0200, Gert Doering wrote:
> If you have a 32bit ASN yourself, then you're doomed. (You could buy
> a Vendor J router, they have implemented it on time... - it's not like
> "it's especially hard", or "cisco has not been told that the ASN clock
> is ticking" or even "Cisco folks have taken part in writing the relevant
> 32-bit RFC").

Rest assured that updating the festering piece of crap that is IOS to
change every data structure that holds ASNs and every piece of code that
touched them (think as-path, regexp, show/cli changes for the unbelievably
retarded #.# syntax, etc), not to mention all the backwards compatibility
code and testing, is especially hard.
:)

--
Richard A Steenbergen                          http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From swmike at swm.pp.se Wed Aug 13 18:04:05 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 14 Aug 2008 00:04:05 +0200 (CEST)
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <20080813213953.GH4889@gerbil.cluepon.net>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net>

On Wed, 13 Aug 2008, Richard A Steenbergen wrote:

> Rest assured that updating the festering piece of crap that is IOS to
> change every data structure that holds ASNs and every piece of code that
> touched them (think as-path, regexp, show/cli changes for the unbelievably
> retarded #.# syntax, etc), not to mention all the backwards
> compatibility code and testing, is especially hard. :)

The most interesting thing is that it seems it'll be available in patch
rebuilds of 12.0(32)S and 12.0(33)S. That's kind of special, I wouldn't
have expected this kind of functionality to show up in a patch rebuild.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From rubensk at gmail.com Wed Aug 13 18:13:07 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 19:13:07 -0300
Subject: [c-nsp] CLIPS functionality for DHCP clients
Message-ID: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com>

I don't think there is any Cisco low-end solution to this; 7200, ASR, 10k
and SCE are the platforms I think can do this one way or the other.
Consider using Mikrotik or NoCat/NoDog solutions (http://nocat.net/).

Rubens

On Wed, Aug 13, 2008 at 5:23 PM, Kyle Johnson wrote:
> All-
>
> I'm trying to create a solution to allow for subscriber management
> based on client PC MAC address. I see that Redback offers this "CLIPS"
> (CPE mac address & RADIUS record) method of subscriber management but
> Redback equipment is pretty pricey...
>
> Does anyone have a suggestion on a Cisco equivalent (PPPOE
> functionality/sessions based off client MAC rather than PPPOE
> config..) that will run on lower-end gear?
>
> Thanks-
>
> Kyle

From frnkblk at iname.com Wed Aug 13 18:49:07 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Wed, 13 Aug 2008 17:49:07 -0500
Subject: [c-nsp] 1252ag backwards compatibility

Dan:

Unless you're running Greenfield mode, which I'm not sure you can even
configure on a Cisco AP, there's full backward compatibility such that
802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz
support, of course) operate at n. Be aware that mixing 802.11n with
802.11b/g clients will reduce overall performance, but not significantly
enough to devalue running 802.11n.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Tuesday, August 12, 2008 8:02 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 1252ag backwards compatibility

Hello,

I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell
me if you have 802.11g clients and some 802.11n clients all on 2.4ghz,
do the 802.11n clients run at 802.11n and the 802.11g clients run at
802.11g? Or does everything run at 802.11g?

Thanks,
Dan.

From rodunn at cisco.com Wed Aug 13 19:38:52 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 13 Aug 2008 19:38:52 -0400
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net>
Message-ID: <20080813233852.GA18691@rtp-cse-489.cisco.com>

It's called "lfep". Late feature exception process.

btw, I've got a call to outline some of the 4 byte ASN stuff with the
folks running 12.0S. Especially regarding 75xx, 10720, etc. support along
with GRPB's.

On Thu, Aug 14, 2008 at 12:04:05AM +0200, Mikael Abrahamsson wrote:
> On Wed, 13 Aug 2008, Richard A Steenbergen wrote:
>
> >Rest assured that updating the festering piece of crap that is IOS to
> >change every data structure that holds ASNs and every piece of code that
> >touched them (think as-path, regexp, show/cli changes for the unbelievably
> >retarded #.# syntax, etc), not to mention all the backwards
> >compatibility code and testing, is especially hard. :)
>
> The most interesting thing is that it seems it'll be available in
> patch rebuilds of 12.0(32)S and 12.0(33)S. That's kind of special, I
> wouldn't have expected this kind of functionality to show up in a patch
> rebuild.
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

From rubensk at gmail.com Wed Aug 13 19:45:10 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 13 Aug 2008 20:45:10 -0300
Subject: [c-nsp] 1252ag backwards compatibility
Message-ID: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com>

Can it be prevented, i.e., configuring 1252 to only run 802.11n, even in
WDS mode? We are hoping that 802.11n can improve on Wi-Fi tradition of
having low pps rate, which is due to the sum of the 802.11b/a/g standard
and low speed processors on the devices.

Rubens

On Wed, Aug 13, 2008 at 7:49 PM, Frank Bulk - iNAME wrote:
> Dan:
>
> Unless you're running Greenfield mode, which I'm not sure you can even
> configure on a Cisco AP, there's full backward compatibility such that
> 802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz
> support, of course) operate at n. Be aware that mixing 802.11n with
> 802.11b/g clients will reduce overall performance, but not significantly
> enough to devalue running 802.11n.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Tuesday, August 12, 2008 8:02 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 1252ag backwards compatibility
>
> Hello,
>
> I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell
> me if you have 802.11g clients and some 802.11n clients all on 2.4ghz,
> do the 802.11n clients run at 802.11n and the 802.11g clients run at
> 802.11g? Or does everything run at 802.11g?
>
> Thanks,
> Dan.
From leonardo.souza at nec.com.br Wed Aug 13 21:04:39 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 13 Aug 2008 22:04:39 -0300
Subject: [c-nsp] RES: SXI on 6500 (was: SXH on 6500)
In-Reply-To: <20080813210059.GY288@greenie.muc.de>
References: <6bb5f5b10808121855v1b5b72ffu615976325c362367@mail.gmail.com> <00e601c8fcea$104fef40$1bfe200a@cisco.com> <48A2B14C.5030308@imperial.ac.uk> <20080813210059.GY288@greenie.muc.de>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D018926D9@spsrvmail03.nec.br>

Just kidding...

while ( ! ( succeed = try_sx_train() ) );

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Gert Doering
Sent: Wednesday, 13 August 2008 18:01
To: Phil Mayers
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500)

Hi,

On Wed, Aug 13, 2008 at 11:02:52AM +0100, Phil Mayers wrote:
> Think about it:
>
> You're the 6500 IOS team. You have a large body of upstream IOS code,
> and you have to back-port it, but at the *same* time you also have to
> modularise it.
>
> Contrast:
>
> You're the 7600 IOS team. You have a large body of upstream IOS code.
> You just have to back-port it.

Did I mention that the whole 6500-vs-7600-vs-"why the hell would anybody
want stable IOS?" debacle is really annoying?

IOS quality on the 6500/7600 platform, which really should be the "show
horse" platform for Cisco, is on the same (low) level as "new hardware T
train release" - but on other platforms one can usually choose a non-T
train, while on 6500/7600, usually you don't even get to choose between
pest or cholera...

I can't believe why things as "IPv6 on a SVI" or "scp from the box" could
simply be non-working in new releases. Is anyone testing this stuff? Or
is the single programmer in each BU fully occupied with keeping the
gazillion of BU "stupid decision makers" off his back?

[..]
> Let's not kid ourselves - SXF is going to be the stable release for
> some time to come. I just hope they release an SXF train with support
> for the 6716s I bought...

There is no SXF support for the Sup720-10G either, as far as I have been
led to understand, so I wouldn't hold my breath...

(Stupid me, falling for Cisco sales pitch again "hey, when we have to
swap your 7606S chassis against 6506 chassis anyway, what about paying
just a leeeetle extra and getting a Sup720->Sup720-10G upgrade with
it?").

Now we're running SXH3, have lost BFD on SVIs, and are waiting for some
catastrophic thing to happen to our network.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mtinka at globaltransit.net Wed Aug 13 21:14:20 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 14 Aug 2008 09:14:20 +0800
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com>
Message-ID: <200808140914.21504.mtinka@globaltransit.net>

On Wednesday 13 August 2008 23:29:03 Oliver Boehmer (oboehmer) wrote:

> However, IOS now has a label allocation filter
> (http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_alloc_filter.html)
> having a "allocate global host-routes" shorthand to only allocate labels
> for /32s (or uses a prefix-list for more granular control)..

We are doing this on our boxes running SRC - no complaints.

Cheers,

Mark.

From andy.saykao at staff.netspace.net.au Wed Aug 13 22:58:13 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 14 Aug 2008 12:58:13 +1000
Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPN Customers
Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au>

Hi All

We are looking at providing our Layer 3 MPLS VPN customers with the
option of a managed internet gateway via a NAT-PE router. This would
mean that remote sites no longer have to access the internet via the
Central Site model as this is the way we've been implementing Internet
access for MPLS VPN customers. As all our MPLS VPN customers are using
private IP addresses, NAT would have to obviously take place at the
NAT-PE router.

Below is a simple illustration of our network with the MPLS cloud
comprising PE1, PE2 and P. All internet traffic goes out through the P
router. We do not have local POPs in each city/state with a link to the
Internet, instead we have one central POP and internet traffic from
across the country is routed to the P router.

                          [INTERNET]
                              |
                              |
                              |
[CE1] ----- [PE1] ----- [ P ] ----- [PE2] ----- [CE2]

My dilemma is that I'm not entirely sure which router should be
designated as the NAT-PE router to act as the Internet Gateway for our
MPLS VPN customers or if we need to put in a new PE router somewhere?

So what I've brainstormed are the following ideas...

1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
this because this is the core router that handles Internet traffic for
all our customers and I don't want to mess it up.

2/ Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm
unsure how to apply NAT because there is only one interface on the PE
router connecting to the P router so I'm not really sure where the ip
nat inside and outside command would go - unless we use NAT on a stick
which I don't think is recommended in a production environment.

3/ Lastly, do we need to put in a new router to act as the NAT-PE
router? If so, where would this be placed - maybe between the P router
and the Internet?

I've read various Cisco documentation but can't find anything for my
particular situation. Any further ideas would be greatly appreciated.

Thanks.

Andy
Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From hank at efes.iucc.ac.il Thu Aug 14 01:23:50 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 14 Aug 2008 08:23:50 +0300 Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E27@spsrvmail03.nec.br> References: Message-ID: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> At 05:30 PM 13-08-08 -0300, Leonardo Gama Souza wrote: I have tested this and it is working at a specific customer: neighbor 10.100.80.7 default-originate route-map track-Broadwing neighbor 10.100.80.7 distribute-list nothing-else-plus out ! ip access-list extended nothing-else-plus ! Insert any nets you wish to announce here deny ip any any access-list 50 permit 216.140.0.0 0.3.255.255 ! route-map track-Broadwing permit 10 match ip address 50 ! You want to pick a network inside your upstream that will never go away and if it does, that means their backbone has gone down. Do a few traceroutes and you will quickly figure out what are their backbone CIDRs to use. -Hank >I haven't tested this, but you can configure two access-lists with both >BGP session IP addresses of your upstream providers and match them in the >route-map. > >neighbor 10.1.0.2 default-originate route-map BGP-UP > >route-map BGP-UP permit 10 > match ip address 101 > match ip address 102 >route-map BGP-UP deny 20 > >access-list 101 permit ip host x.x.x.x >access-list 101 remark upstream provider 1 bgp session ip address >access-list 102 permit ip host y.y.y.y >access-list 102 remark upstream provider 2 bgp session ip address > >Regards, >Leonardo Gama. 
>________________________________ > >De: cisco-nsp-bounces at puck.nether.net em nome de Jon Lewis >Enviada: qua 13/8/2008 12:50 >Para: cisco-nsp at puck.nether.net >Assunto: [c-nsp] conditional bgp default-originate > > > >I'd like to be able to conditionally advertise a default route to >customers taking just default routes only if my transit BGP sessions >appear to be functional. > >I thought something like this might work: > > neighbor 10.1.0.2 default-originate route-map BGP-UP > >route-map BGP-UP permit 10 > match as-path 100 > >ip as-path access-list 100 permit ^3356_ >ip as-path access-list 100 permit ^4323_ > >But no such luck. Checking the docs at > >http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042 > >it seems I have to exactly match against a route for the route-map to work >here. That means actually picking a few "canary routes" I expect to get >from my upstreams and hoping they don't go anywhere or change mask. I'm >not really happy with that. Are there better ways to do this? > >Also, while looking at the docs above and experimenting in the GNS3 >simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few >oddities. > >First, there's multiple errors in the docs mentioned above. i.e. From the >URL above: > > In the following example, the last line of the configuration has been > changed to show the use of an extended access list. The local router > injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route > to 192.168.0.0 with a mask of 255.255.0.0: > > router bgp 50000 > network 172.16.0.0 > neighbor 172.16.2.3 remote-as 60000 > neighbor 172.16.2.3 default-originate route-map default-map > ! > route-map default-map 10 permit > match ip address 1 > ! 
> access-list 100 permit ip host 192.168.0.0 host 255.255.255.0
>
>In the above example, they did change the ACL to an extended access-list,
>but the route-map wasn't updated to use it (still using 1) and they say
>they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the
>access-list 100 uses a /24 mask.
>
>Just above this example, the docs say that
> access-list 1 permit 192.168.0.0
>will match a route for 192.168.0.0 with any mask. In my simulator, I have
>R1--R2--R3
>R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
>to R3 using the route-map
>
>route-map BGP-UP permit 10
> match ip address 50
>
>access-list 50 permit 8.0.0.0
>
>When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
>default is not sent to R3. If I add to access-list 50
>access-list 50 permit 8.0.0.0 0.0.255.255
>
>Standard IP access list 50
> 10 permit 8.0.0.0 (973 matches)
> 20 permit 8.0.0.0, wildcard bits 0.0.255.255
>
>I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
>This seems kind of broken. I haven't duplicated the setup with real
>hardware to see if it's a simulator screwup...but since the simulator is
>running actual IOS, it seems unlikely the simulator is to blame.
>
>----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku+cisco-nsp at ytti.fi Thu Aug 14 02:16:45 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 14 Aug 2008 09:16:45 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com>
Message-ID: <20080814061645.GA18183@mx.ytti.net>

On (2008-08-13 20:38 +0200), Oliver Boehmer (oboehmer) wrote:

> well, this dependency on what other LDP neighbors send is not really
> in-line with the independent control mode LDP operates in, so the
> implementation might not be straight-forward.

I think we have a misunderstanding here. All boxes would 'stupidly' accept and readvertise everything they get, no additional state here, plain ol' IOS behaviour without LDP ACL. But per node, you'd tell the nodes not to generate a label, except for their loopback. The end result would be that you'd only have loop0's in each MPLS speaker's LIB, without any ACL/prefix-list maintenance overhead.

> well, "interfaces" would also cover connected /30 or /31s, something you
> usually don't want to advertise labels for?
You'd replace the 'interface' with loop0 or loopX, whichever you use for labeled destinations.

> But wouldn't a (prefix) ACL be enough to cover most cases? Generally,
> loopbacks are allocated from one or more prefix ranges, so ACLs could be
> rather static?

Yes, both can easily accomplish the same goal, just with a bit of additional admin overhead, while the true application in virtually all cases is to generate a label for a single loopback interface. And actually we would have probably used 'your' way, had it been available when we wanted to implement it, instead of doing advertisement ACLs.

--
++ytti

From gert at greenie.muc.de Thu Aug 14 02:29:57 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 14 Aug 2008 08:29:57 +0200
Subject: [c-nsp] 4 Byte AS implementation on Cisco Routers
In-Reply-To: <20080813213953.GH4889@gerbil.cluepon.net>
References: <910ab33c0808122321i111088o50eaca733112e973@mail.gmail.com> <56F5BC5F404CF84896C447397A1AAF207AF7DD@MAIL.nosi.netos.com> <8bfbd2090808130124u5016cc34oaced0258112b8d73@mail.gmail.com> <20080813210736.GZ288@greenie.muc.de> <20080813213953.GH4889@gerbil.cluepon.net>
Message-ID: <20080814062957.GA288@greenie.muc.de>

Hi,

On Wed, Aug 13, 2008 at 04:39:53PM -0500, Richard A Steenbergen wrote:
> Rest assured that updating the festering piece of crap that is IOS to
> change every data structure that holds ASNs and every piece of code that
> touches them (think as-path, regexp, show/cli changes for the unbelievably
> retarded #.# syntax, etc), not to mention all the backwards compatibility
> code and testing, is especially hard. :)

They have already done it for XR and Nexus, so they know how to do it.

(Yes, I'm oversimplifying. But then, if they would consider it a major selling point, instead of an "operational requirement for their customers", it would have happened years ago.)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Thu Aug 14 03:16:40 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 14 Aug 2008 08:16:40 +0100
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To:
References:
Message-ID: <20080814071640.GB2690@wildfire.net.ic.ac.uk>

On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
>Does anyone know if VTY and snmp ACLs are implemented in hardware or
>software on a 6500 with 720-CXL running 12.2(33)SXH.

VTY and SNMP ACLs are done in software; they have to be, because they reference certain CPU conditions e.g. consider:

line vty 0 12
 access-class NET_OPS in
line vty 13 15
 access-class REALLY_VITAL in

...where you reserve VTYs 13-15 for really important stuff; clearly the CPU will have to be asked how many VTYs are open to make this work.

Ditto with SNMP community strings - you might have 2 communities with mutually exclusive ACLs, and one needs to decode the SNMP header and extract the community before processing the ACL.

>
>I am trying to understand COPP and move away from the VTY and SNMP ACLs.

CoPP is done in hardware if everything is working correctly, though a 2nd pass of the ACLs can be performed in software to ensure that for a rate limit of N you don't get N*M pps - M being the number of DFC/PFC forwarding engines.

>
>Thanks for any info.
>
>
>Jeff Fitzwater
>OIT Network Systems
>Princeton University
>
>
>
>
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From oboehmer at cisco.com Thu Aug 14 03:24:05 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 14 Aug 2008 09:24:05 +0200
Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPNCustomers
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>

Andy Saykao <> wrote on Thursday, August 14, 2008 4:58 AM:

> Hi All
>
> We are looking at providing our Layer 3 MPLS VPN customers with the
> option of a managed internet gateway via a NAT-PE router. This would
> mean that remote sites no longer have to access the internet via the
> Central Site model as this is the way we've been implementing Internet
> access for MPLS VPN customers.
>
> As all our MPLS VPN customers are using private IP addresses, NAT
> would have to obviously take place at the NAT-PE router.
> [...]
> My dilemma is that I'm not entirely sure which router should be
> designated as the NAT-PE router to act as the Internet Gateway for our
> MPLS VPN customers or if we need to put in a new PE router somewhere?
>
> So what I've brainstormed are the following ideas...
>
> 1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
> this because this is the core router that handles Internet traffic for
> all our customers and I don't want to mess it up.

Agreed, I wouldn't take this path either. NAT is stateful, so future scalability is a concern, which is limited if you did this on your core/P node (turning it into a PE).

> 2/ Can the NAT-PE router be assigned to either PE1 or PE2?
> If so, I'm
> unsure how to apply NAT because there is only one interface on the PE
> router connecting to the P router so I'm not really sure where the ip
> nat inside and outside command would go - unless we use NAT on a stick
> which I don't think is recommended in a production environment.

I would actually vote for some "on-a-stick" deployment, which is what many customers do (as far as I know). NPE-G1/G2 are popular platforms for this..

> 3/ Lastly, do we need to put in a new router to act as the NAT-PE
> router? If so, where would this be placed - maybe between the P router
> and the Internet?

I would add a new node, and put it somewhere "close" to the P router/internet connection. You can scale by adding addtl. routers and distribute your VPN customers across these nodes.

The config would be along this line: you use two interfaces (can be sub-interfaces): one MPLS interface (running LDP and your IGP), and one plain-IP interface. Both connect to the P node. You create a static default in the vrf pointing over the IP interface into the global table and create per-vrf NAT statements.

int Gig0/0.10
 ip address 192.168.0.2 255.255.255.252
 mpls ip
 ip nat inside
!
int Gig0/0.20
 ip address 192.168.10.2 255.255.255.252
 ip nat outside
!
ip route vrf foo 0.0.0.0 0.0.0.0 Gig0/0.20 192.168.10.1 global
!
ip nat pool NAT-foo 10.1.1.1 10.1.1.10 netmask 255.255.255.240 add-route
ip nat inside source list nat-acl-foo pool NAT-foo vrf foo overload
!
ip access-list extended nat-acl-foo
 ! define what should be translated

and you define MP-iBGP and advertise the static defaults into the respective VPNs.

something like this. the only addtl. challenge is to advertise the NAT pool(s) over the gig0/0.20 interface so you send the return traffic from the Internet back over this outside interface. you could use a dedicated ipv4-bgp session or another IGP instance, for example..

I hope you'll get the idea..
oli From ney25 at hotmail.com Thu Aug 14 03:30:30 2008 From: ney25 at hotmail.com (Jack) Date: Thu, 14 Aug 2008 15:30:30 +0800 Subject: [c-nsp] EVC - MPLS Message-ID: Hi Folks, anyone has EVC - MPLS information to share ? any document can I refer to ? regards, Jack From oboehmer at cisco.com Thu Aug 14 03:41:41 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 14 Aug 2008 09:41:41 +0200 Subject: [c-nsp] filter LDP bindings In-Reply-To: <20080814061645.GA18183@mx.ytti.net> References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com> <20080814061645.GA18183@mx.ytti.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com> Saku Ytti wrote on Thursday, August 14, 2008 8:17 AM: > On (2008-08-13 20:38 +0200), Oliver Boehmer (oboehmer) wrote: > >> well, this dependency on what other LDP neighbors send is not really >> in-line with the independent control mode LDP operates in, so the >> implementation might not be straight-forward. > > I think we have misunderstanding here. All boxes would 'stupidly' > accept and readvertise everything they get, no additional states > here, plain 'ol ios behaviour without LDP ACL. Well, I think this is the catch: In independent control mode, LDP does not "re-advertise" something like a distance/path-vector routing protocol does, it advertises its local bindings. So to implement a "re-advertise" behaviour, one would need to change the local binding behaviour to "only allocate (and advertise) a label for a remotely-learned IGP prefix x/y if you already received a remote LDP binding for this prefix or if you're the egress LSR for this FEC".. This is ordered control, something IOS only implements for cell-mode MPLS (i.e. ATM). > But per node, you'd tell the nodes not to generate label, except > for their loopback. 
right, this part is simple..

> End result would be, that you'd only have loop0's in each MPLS
> speaker's LIB, without any ACL/prefix-list maintenance overhead.

agreed. But I still see challenges getting this right in independent control mode.. Am I missing something?

>> But wouldn't a (prefix) ACL be enough to cover most cases? Generally,
>> loopbacks are allocated from one or more prefix ranges, so ACLs
>> could be rather static?
>
> Yes, both can easily accomplish the same goal, just a bit of additional admin
> overhead, while the true application in virtually all cases is to generate
> a label for a single loopback interface. And actually we would have probably used
> 'your' way, had it been available when we wanted to implement it, instead of
> doing advertisement ACLs.

I guess so, filtering label allocation is more "natural" and efficient than filtering the advertisement for this very common case..

oli

From mjsaarin at cc.helsinki.fi Thu Aug 14 03:51:39 2008
From: mjsaarin at cc.helsinki.fi (Matti Saarinen)
Date: Thu, 14 Aug 2008 10:51:39 +0300
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To: <20080813203215.GF19971@puck.nether.net> (Jared Mauch's message of "Wed, 13 Aug 2008 16:32:15 -0400")
References: <20080813203215.GF19971@puck.nether.net>
Message-ID:

Jared Mauch wrote:

> On Wed, Aug 13, 2008 at 04:17:21PM -0400, Jeff Fitzwater wrote:
>
>> I am trying to understand COPP and move away from the VTY and SNMP ACLs.
>
> If implemented with CoPP then it's done in HW and Software.

I tried to replace VTY ACLs with CoPP. It resulted in a box that accepted connections for a few hours and then ended up being unresponsive.

Are there any examples for replacing VTY ACLs with CoPP that even I could understand? The documentation in CCO isn't helpful enough.
-- - Matti - From tima at transtelecom.net Thu Aug 14 03:40:39 2008 From: tima at transtelecom.net (Tima Maryin) Date: Thu, 14 Aug 2008 11:40:39 +0400 Subject: [c-nsp] 32 bit ASN In-Reply-To: <20080731030350.GF23991@rtp-cse-489.cisco.com> References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> Message-ID: <48A3E177.30508@transtelecom.net> Hello! Is there any update on this ? Rodney Dunn wrote: > I'm asking about this. > > I'll get back with you. > > It's going to be in a 12.0(33)S rebuild for sure. > > But I need to check back on what the 12008 decision > was...ie: only in 32S rebuilds? > > > On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote: >> Hi, >> >> Does anyone know if the 32 bit ASN support is going to get >> implemented in the 12008 or 7500 RSP8 series? If not, what >> is recommended as replacements? From matt at peterson.org Thu Aug 14 05:33:25 2008 From: matt at peterson.org (Matt Peterson) Date: Thu, 14 Aug 2008 02:33:25 -0700 Subject: [c-nsp] 1230 Bridging of multiple VLANs Message-ID: Howdy, I have two 1231G units running 12.3(2)JA3 that I'm attempting to setup as a bridge. Unit #1 uplinks to the FastE interface fine, with standard bridge, ssid and sub-interface stances to yield multiple SSIDs/VLANs on its DotRadio0 (11b) interface - works great. Unit #2 is supposed to connect to Unit #1 over DotRadio1 (11a) as a transparent bridge and continue to advertise the same multiple SSIDs/ VLANs on its other radio - DotRadio0 (11b). After trying a number of configuration combinations, it's unclear if this product generation/IOS version supports multi-VLAN bridging - as the 1400s clearly do. Also, it's a tad unclear what the exact syntax of "station-role" the bridge interfaces should be in; with the above configuration I assume "root bridge" on unit #1 and "non-root bridge" on unit #2 - the examples I find are for slightly different hardware versions. 
Much appreciate confirmation support exists for this and tips on how to yield my desired configuration - cheers!

--Matt

From t.dahm at resolution.de Thu Aug 14 05:14:40 2008
From: t.dahm at resolution.de (Thorsten Dahm)
Date: Thu, 14 Aug 2008 10:14:40 +0100
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To:
References: <20080813203215.GF19971@puck.nether.net>
Message-ID: <48A3F780.9000701@resolution.de>

Matti Saarinen wrote:
> Are there any examples for replacing VTY ACLs with CoPP
> that even I could understand? The documentation in CCO isn't helpful
> enough.

Maybe this link helps:

http://aharp.ittns.northwestern.edu/papers/copp.html

cheers,
Thorsten

From jlewis at lewis.org Thu Aug 14 07:29:11 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 14 Aug 2008 07:29:11 -0400 (EDT)
Subject: [c-nsp] RES: conditional bgp default-originate
In-Reply-To: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il>
References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il>
Message-ID:

On Thu, 14 Aug 2008, Hank Nussbacher wrote:

> I have tested this and it is working at a specific customer:
>
> neighbor 10.100.80.7 default-originate route-map track-Broadwing
> neighbor 10.100.80.7 distribute-list nothing-else-plus out
> !
> ip access-list extended nothing-else-plus
>  ! Insert any nets you wish to announce here
>  deny ip any any
> access-list 50 permit 216.140.0.0 0.3.255.255
> !
> route-map track-Broadwing permit 10
>  match ip address 50
> !
>
> You want to pick a network inside your upstream that will never go away and
> if it does, that means their backbone has gone down. Do a few traceroutes
> and you will quickly figure out what are their backbone CIDRs to use.

That's basically what I ended up with yesterday in the simulator. My problem with it is, without inside knowledge of my upstream networks, how do I know which routes will never go away or never even just change mask?
To be safer, if I end up doing this, I'll probably put half a dozen or so networks from each upstream in the access-list. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From scaner at global-one.by Thu Aug 14 08:02:50 2008 From: scaner at global-one.by (Eugene Vedistchev) Date: Thu, 14 Aug 2008 15:02:50 +0300 Subject: [c-nsp] CLIPS functionality for DHCP clients In-Reply-To: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com> References: <6bb5f5b10808131513t770b99a9w14f1c1dd6628e98b@mail.gmail.com> Message-ID: <48A41EEA.8040801@global-one.by> Cisco ISG IOS feature can authenticate MAC in RADIUS. It exists in IOS images for 2800 and 2651XM as well as 7200, 10k, 7600. Eugene. Rubens Kuhl Jr. wrote: > I don't think there is any Cisco low-end solution to this; 7200, ASR, > 10k and SCE are the platforms I think can do this one way or the > other. > > Consider using Mikrotik or NoCat/NoDog solutions (http://nocat.net/). > > > Rubens > > > > On Wed, Aug 13, 2008 at 5:23 PM, Kyle Johnson wrote: > >> All- >> >> I'm trying to create a solution to allow for subscriber management >> based on client PC MAC address. I see that Redback offers this "CLIPS" >> (CPE mac address & RADIUS record) method of subscriber management but >> Redback equipment is pretty pricey... >> >> Does anyone have a suggestion on a Cisco equivalent (PPPOE >> functionality/sessions based off client MAC rather than PPPOE >> config..) that will run on lower-end gear? 
>> >> Thanks- >> >> Kyle >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From hank at efes.iucc.ac.il Thu Aug 14 08:36:16 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 14 Aug 2008 15:36:16 +0300 (IDT) Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> Message-ID: On Thu, 14 Aug 2008, Jon Lewis wrote: >> if it does, that means their backbone has gone down. Do a few > traceroutes >> and you will quickly figure out what are their backbone CIDRs to use. > > That's basically what I ended up with yesterday in the simulator. My problem > with it is, without inside knowledge of my upstream networks, how do I know > which routes will never go away or never even just change mask? > To be safer, if I end up doing this, I'll probably put half a dozen or so > networks from each upstream in the access-list. I suggest tracking one block and not a few. Finding the right one takes about 30 minutes of traceroutes from various LGs. -Hank From jlewis at lewis.org Thu Aug 14 09:00:07 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 14 Aug 2008 09:00:07 -0400 (EDT) Subject: [c-nsp] RES: conditional bgp default-originate In-Reply-To: References: <5.1.0.14.2.20080814080718.00af9e50@efes.iucc.ac.il> Message-ID: On Thu, 14 Aug 2008, Hank Nussbacher wrote: > On Thu, 14 Aug 2008, Jon Lewis wrote: > >> That's basically what I ended up with yesterday in the simulator. 
My >> problem with it is, without inside knowledge of my upstream networks, how >> do I know which routes will never go away or never even just change mask? >> To be safer, if I end up doing this, I'll probably put half a dozen or so >> networks from each upstream in the access-list. > > I suggest tracking one block and not a few. Finding the right one takes > about 30 minutes of traceroutes from various LGs. Since the access-list only needs to match any single listed route to work, why wouldn't you track several routes to be safer? You can look at a few looking glasses and know that ProviderX will always announce some CIDR with the same netmask? That sounds like a neat trick. Nobody ever deaggregates, right? :) ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From rodunn at cisco.com Thu Aug 14 09:33:10 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 14 Aug 2008 09:33:10 -0400 Subject: [c-nsp] 32 bit ASN In-Reply-To: <48A3E177.30508@transtelecom.net> References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> <48A3E177.30508@transtelecom.net> Message-ID: <20080814133310.GA24673@rtp-cse-489.cisco.com> See my email yesterday. I should have an update on Monday. On Thu, Aug 14, 2008 at 11:40:39AM +0400, Tima Maryin wrote: > Hello! > > > Is there any update on this ? > > > Rodney Dunn wrote: > >I'm asking about this. > > > >I'll get back with you. > > > >It's going to be in a 12.0(33)S rebuild for sure. > > > >But I need to check back on what the 12008 decision > >was...ie: only in 32S rebuilds? > > > > > >On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote: > >>Hi, > >> > >>Does anyone know if the 32 bit ASN support is going to get > >>implemented in the 12008 or 7500 RSP8 series? If not, what > >>is recommended as replacements? 
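An added example for the conditional default-originate thread above. This is editor-supplied configuration, not posted by Jon, Hank or Leonardo, and it corrects the two mistakes Jon found in the Cisco documentation example: the route-map now references the extended ACL it actually uses, and the ACL carries the 255.255.0.0 mask the text describes. The canary prefixes are placeholders (assumed), not real upstream blocks.

```cisco
! Corrected form of the documented example.  With an extended ACL under
! "match ip address" in a default-originate route-map, the source field is
! tested against the prefix and the destination field against its mask, so
! the mask must be exactly what the upstream announces.
router bgp 50000
 network 172.16.0.0
 neighbor 172.16.2.3 remote-as 60000
 neighbor 172.16.2.3 default-originate route-map DEFAULT-IF-UPSTREAM-OK
!
route-map DEFAULT-IF-UPSTREAM-OK permit 10
 match ip address 100
!
! Several canaries: the clause matches if any one of them is present in the
! BGP table.  Prefixes are placeholders (assumed), not real upstream blocks.
access-list 100 permit ip host 192.168.0.0 host 255.255.0.0
access-list 100 permit ip host 192.168.64.0 host 255.255.192.0
access-list 100 permit ip host 10.20.0.0 host 255.255.0.0
```

The route-map only tests whether a matching prefix exists in the BGP table, not where it came from, so a canary that a customer or peer could also originate would keep the default up after the transit session fails; pick prefixes that only the upstream announces, and re-check the exact masks whenever that upstream deaggregates. Verify with `show ip bgp neighbors 172.16.2.3 advertised-routes` that 0.0.0.0/0 appears and disappears as the canaries do.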
From johnmanning.mpls at gmail.com Thu Aug 14 09:35:47 2008 From: johnmanning.mpls at gmail.com (MPLS MPLS) Date: Thu, 14 Aug 2008 19:05:47 +0530 Subject: [c-nsp] Tele Presence - Priority Queue or CBWFQ within the SP core Message-ID: Hello there, Wanted to poll the SP folks here to understand what you do "in the Core" for supporting Tele Presence traffic on LLQ or CBWFQ? Cisco says LLQ but i don't agree because TP is a VBR traffic. And LLQ has its cost implications. Thanks very much for the feedback John.... From leung at yorku.ca Thu Aug 14 09:53:37 2008 From: leung at yorku.ca (Samuel Leung) Date: Thu, 14 Aug 2008 09:53:37 -0400 Subject: [c-nsp] VMPS and 6500 In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00FA6@tiger.deltadentalwa.com> Message-ID: Yes, it is correct. It's my understanding that VMPS server will not support on Cat6500 running IOS. Regards, Leung York University "Teller, Robert" Sent by: cisco-nsp-bounces at puck.nether.net 08/13/2008 03:15 PM To cisco-nsp at puck.nether.net cc Subject [c-nsp] VMPS and 6500 I was thinking about playing with VMPS but from what I can tell it's not supported on IOS, is that correct? Robert Teller Washington Dental Service Network Administrator (206) 528-2371 RTeller at DeltaDentalWa.com ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. 
######################################################### _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From evans.584 at osu.edu Thu Aug 14 09:59:44 2008 From: evans.584 at osu.edu (Kyle Evans) Date: Thu, 14 Aug 2008 09:59:44 -0400 Subject: [c-nsp] VMPS and 6500 In-Reply-To: References: Message-ID: <48A43A50.1030506@osu.edu> You may want to look into OpenVMPS or Freeradius (which supports VMPS). You can use one of these products installed on a real server to be your VMPS server. Kyle Samuel Leung wrote: > Yes, it is correct. It's my understanding that VMPS server will not > support on Cat6500 running IOS. > > Regards, > Leung > York University > > > > > > "Teller, Robert" > Sent by: cisco-nsp-bounces at puck.nether.net > 08/13/2008 03:15 PM > > To > cisco-nsp at puck.nether.net > cc > > Subject > [c-nsp] VMPS and 6500 > > > > > > > I was thinking about playing with VMPS but from what I can tell it's not > supported on IOS, is that correct? > > > > Robert Teller > Washington Dental Service > Network Administrator > (206) 528-2371 > RTeller at DeltaDentalWa.com > > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. 
> #########################################################
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From nick.jon.griffin at gmail.com Thu Aug 14 10:30:42 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Thu, 14 Aug 2008 09:30:42 -0500
Subject: [c-nsp] VRF Lite Route Propagation
Message-ID:

I've figured out how to exchange routes between VRF's with the bgp address family configuration coupled with redistribute static|connected, etc however I'm trying to propagate this information and I'm having problems getting it to work as desired. This is a VRF-Lite only environment, and what I'm trying to accomplish is this.

I would like to have separate VRF's for separate internet connections, ie a 1 to 1 relationship. I would also like to be able to get this default route from within the Internet 1 VRF into multiple Client Vlan VRF's, as well as dynamically pass the client vlan connected subnets back into the Internet 1 VRF.

Exchanging between the VRF's on one router isn't the issue, it's passing it dynamically from Internet 1 VRF to another neighbor router in this same vrf say using OSPF or EIGRP that I'm having trouble with. I get them to show up as B routes via the address family configuration, but I am able to pass this to the neighboring router. I hope this makes sense.
Thanks in advance,

Nick Griffin

From carlo.ngn at gmail.com Thu Aug 14 10:35:29 2008
From: carlo.ngn at gmail.com (Carlo)
Date: Thu, 14 Aug 2008 16:35:29 +0200
Subject: [c-nsp] Cisco authentication login page
Message-ID: <48A442B1.1020800@gmail.com>

Hi all,

I'm trying to customize the default login page that the Cisco router uses for authentication proxy (to authenticate users). Can someone tell me how to do that? I've tried to search in the Cisco web site, but it seems that there is no documentation about it.

Looking at the default page, I see this strange string:
I think that the au_pxytimetag value should be different for every message, but I don't know how to do that.

Thanks in advance

Carlo

From mark at mjlnet.com Thu Aug 14 10:43:28 2008
From: mark at mjlnet.com (mark at mjlnet.com)
Date: Thu, 14 Aug 2008 14:43:28 +0000
Subject: [c-nsp] Tele Presence - Priority Queue or CBWFQ within the SP core
Message-ID:

Hi,

>
>Wanted to poll the SP folks here to understand what you do "in the Core" for
>supporting Tele Presence traffic on LLQ or CBWFQ? Cisco says LLQ but i don't
>agree because TP is a VBR traffic. And LLQ has its cost implications.

Problem with CBWFQ is that while you'll get a min bandwidth guarantee, there's no guarantee for latency and jitter (probably gotta stay within about 1% pkt loss, 30ms jitter max, and 150ms end-to-end latency, of course, for good quality). So, personally I'd use a priority queue with LLQ for TP (actually, a second priority queue, if available).

Mark

>
>Thanks very much for the feedback
>
>John....
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jeff-kell at utc.edu Thu Aug 14 11:39:48 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 14 Aug 2008 11:39:48 -0400
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To:
References:
Message-ID: <48A451C4.4090607@utc.edu>

Nick Griffin wrote:
> I've figured out how to exchange routes between VRF's with the bgp address
> family configuration coupled with redistribute static|connected, etc however
> I'm trying to propagate this information and I'm having problems getting it
> to work as desired.

I'll take a "guess" at your problem...

If you have everything "centralized" into one PE doing your intra-VRF iBGP, and also providing VRF-specific routing processes...

The intra-VRF routes are propagated locally via iBGP and the vrf route-target import/export specifications.
To redistribute "learned" routes from the VRF-specific routing processes into the iBGP mesh, you must 'redistribute [protocol]' in the BGP address-family ipv4 vrf specification.

To redistribute "learned" routes from the iBGP import/export process back into the VRF-specific routing processes, you must 'redistribute bgp [asn]' in the routing process vrf specification.

Jeff

From dmitry at dmitry.net Thu Aug 14 11:18:07 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Thu, 14 Aug 2008 18:18:07 +0300
Subject: [c-nsp] route-map continue
Message-ID: <20080814151807.GF26588@f17.dmitry.net>

Hello!

Can anybody clarify for me the continue statement behaviour?

router bgp 111
 ...
 neighbor 10.10.10.2 route-map TEST-OUT out
 neighbor 10.10.10.2 send-community
 ...
!
route-map TEST-OUT permit 10
 match community 10
 continue 20
!
route-map TEST-OUT permit 20
 set metric 222
 set as-path prepend 111 111 111
!

The bgp neighbor receives all prefixes, but the community-matched ones are still without prepends and med. Is it correct behaviour?

P.S. Tested in 12.2S on 7200

--
Dmitry Kiselev

From nick.jon.griffin at gmail.com Thu Aug 14 12:26:37 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Thu, 14 Aug 2008 11:26:37 -0500
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To: <48A451C4.4090607@utc.edu>
References: <48A451C4.4090607@utc.edu>
Message-ID:

I must be missing something, see below:

C1#sh ip route vrf I1

Gateway of last resort is 1.1.111.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.111.0 is directly connected, Ethernet0/0.111
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 is directly connected, 02:26:01, Ethernet0/0.333
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 is directly connected, 02:26:01, Ethernet0/0.555   <---- Want this in I1 Vrf on R1
O*E2 0.0.0.0/0 [110/1] via 1.1.111.1, 02:26:01, Ethernet0/0.111
C1#

router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf VRF3
  network 3.3.3.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router ospf 1 vrf I1
 log-adjacency-changes
 redistribute static metric 1 subnets
 redistribute bgp 1 metric 5 subnets   <------- Do this you said
 network 1.1.111.2 0.0.0.0 area 0
!
router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF5
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF3
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf I1
  redistribute connected
  redistribute ospf 1 vrf I1 metric 5 match internal external 1 external 2
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.111.2         1   FULL/DR         00:00:33    1.1.111.2       FastEthernet0/0.111

R1#sh ip route vrf I1
Gateway of last resort is 1.1.11.254 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.11.0 is directly connected, FastEthernet0/0.11
C       1.1.111.0 is directly connected, FastEthernet0/0.111
     2.0.0.0/24 is subnetted, 1 subnets
S       2.2.2.0 [1/0] via 1.1.12.2
     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 1.1.111.2
S*   0.0.0.0/0 [1/0] via 1.1.11.254

R1#sh ip ospf database

            OSPF Router with ID (1.1.111.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.111.1       1.1.111.1       1524        0x80000028 0x0072CB 1
1.1.111.2       1.1.111.2       1473        0x80000028 0x00131F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.111.2       1.1.111.2       1473        0x80000027 0x000F38

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         1.1.111.1       1524        0x80000027 0x00CB4E 1
3.3.3.0         1.1.111.2       141         0x80000001 0x000A57 3489660929
5.5.5.0         1.1.111.2       141         0x80000001 0x00C199 3489660929
R1#

On Thu, Aug 14, 2008 at 10:39 AM, Jeff Kell wrote:
> Nick Griffin wrote:
>
>> I've figured out how to exchange routes between VRF's with the bgp address
>> family configuration coupled with redistribute
>> static|connected, etc however
>> I'm trying to propagate this information and I'm having problems getting it
>> to work as desired.
>
> I'll take a "guess" at your problem...
>
> If you have everything "centralized" into one PE doing your intra-VRF iBGP,
> and also providing VRF-specific routing processes...
>
> The intra-VRF routes are propagated locally via iBGP and the vrf
> route-target import/export specifications.
>
> To redistribute "learned" routes from the VRF-specific routing processes
> into the iBGP mesh, you must 'redistribute [protocol]' in the BGP
> address-family ipv4 vrf specification.
>
> To redistribute "learned" routes from the iBGP import/export process back
> into the VRF-specific routing processes, you must 'redistribute bgp [asn]'
> in the routing process vrf specification.
>
> Jeff

From david.freedman at uk.clara.net Thu Aug 14 13:05:28 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 14 Aug 2008 18:05:28 +0100
Subject: [c-nsp] Setting up a Internet Gateway (NAT-PE) for MPLS VPNCustomers
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE0365485E@vic-cr-ex1.staff.netspace.net.au> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58DD@xmb-ams-333.emea.cisco.com>
Message-ID:

We provide customers with a managed CE router on a stick which does NAT and stateful inspection. These may hang off any PE router of our choosing; in reality we implement these as virtual systems on larger devices with 802.1q trunks to the PE routers.

Dave.

Oliver Boehmer (oboehmer) wrote:
> Andy Saykao <> wrote on Thursday, August 14, 2008 4:58 AM:
>
>> Hi All
>>
>> We are looking at providing our Layer 3 MPLS VPN customers with the
>> option of a managed internet gateway via a NAT-PE router.
>> This would
>> mean that remote sites no longer have to access the internet via the
>> Central Site model as this is the way we've been implementing Internet
>> access for MPLS VPN customers.
>>
>> As all our MPLS VPN customers are using private IP addresses, NAT
>> would have to obviously take place at the NAT-PE router.
>
> [...]
>
>> My dilemma is that I'm not entirely sure which router should be
>> designated as the NAT-PE router to act as the Internet Gateway for our
>> MPLS VPN customers or if we need to put in a new PE router somewhere?
>>
>> So what I've brainstormed are the following ideas...
>>
>> 1/ Do we set the P router up as the NAT-PE router? I'm reluctant to do
>> this because this is the core router that handles Internet traffic for
>> all our customers and I don't want to mess it up.
>
> Agreed, I wouldn't take this path either. NAT is stateful, so future
> scalability is a concern, which is limited if you did this on your
> core/P node (turning it into a PE).
>
>> 2/ Can the NAT-PE router be assigned to either PE1 or PE2? If so, I'm
>> unsure how to apply NAT because there is only one interface on the PE
>> router connecting to the P router so I'm not really sure where the ip
>> nat inside and outside command would go - unless we use NAT on a stick
>> which I don't think is recommended in a production environment.
>
> I would actually vote for some "on-a-stick" deployment, which is what
> many customers do (as far as I know). NPE-G1/G2 are popular platforms
> for this..
>
>> 3/ Lastly, do we need to put in a new router to act as the NAT-PE
>> router? If so, where would this be placed - maybe between the P router
>> and the Internet?
>
> I would add a new node, and put it somewhere "close" to the P
> router/internet connection. You can scale by adding addtl. routers and
> distribute your VPN customers across these nodes.
> The config would be
> along this line:
>
> you use two interfaces (can be sub-interfaces): One MPLS interface
> (running LDP and your IGP), and one plain-IP interface. Both connect to
> the P node.
> You create a static default in the vrf pointing over the IP interface
> into the global table and create per-vrf NAT statements.
>
> int Gig0/0.10
>  ip address 192.168.0.2 255.255.255.252
>  mpls ip
>  ip nat inside
> !
> int gig0/0.20
>  ip address 192.168.10.2 255.255.255.252
>  ip nat outside
> !
> ip route vrf foo 0.0.0.0 0.0.0.0 Gig0/0.20 192.168.10.1 global
> !
> ip nat pool NAT-foo 10.1.1.1 10.1.1.10 netmask 255.255.255.240 add-route
> ip nat source list nat-acl-foo pool NAT-foo vrf foo overload
> !
> ip access-list extended nat-acl-foo
>  ! define what should be translated
>
> and you define MP-iBGP and advertise the static defaults into the
> respective VPNs.
>
> something like this. the only addtl. challenge is to advertise the NAT
> pool(s) over the gig0/0.20 interface so you send the return traffic from
> the Internet back over this outside interface. you could use a dedicated
> ipv4-bgp session or another IGP instance, for example..
>
> I hope you'll get the idea..
>
> oli
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david.freedman at uk.clara.net Thu Aug 14 13:10:37 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 14 Aug 2008 18:10:37 +0100
Subject: [c-nsp] conditional bgp default-originate
In-Reply-To:
References:
Message-ID: <48A4670D.5010103@uk.clara.net>

silly question, but why not ask your provider for a default route in with your feed and simply just propagate it downstream??

Dave.
Jon Lewis wrote:
> I'd like to be able to conditionally advertise a default route to
> customers taking just default routes only if my transit BGP sessions
> appear to be functional.
>
> I thought something like this might work:
>
> neighbor 10.1.0.2 default-originate route-map BGP-UP
>
> route-map BGP-UP permit 10
>  match as-path 100
>
> ip as-path access-list 100 permit ^3356_
> ip as-path access-list 100 permit ^4323_
>
> But no such luck. Checking the docs at
>
> http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042
>
> it seems I have to exactly match against a route for the route-map to
> work here. That means actually picking a few "canary routes" I expect
> to get from my upstreams and hoping they don't go anywhere or change
> mask. I'm not really happy with that. Are there better ways to do this?
>
> Also, while looking at the docs above and experimenting in the GNS3
> simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a
> few oddities.
>
> First, there's multiple errors in the docs mentioned above. i.e. From
> the URL above:
>
>   In the following example, the last line of the configuration has been
>   changed to show the use of an extended access list. The local router
>   injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route
>   to 192.168.0.0 with a mask of 255.255.0.0:
>
>   router bgp 50000
>    network 172.16.0.0
>    neighbor 172.16.2.3 remote-as 60000
>    neighbor 172.16.2.3 default-originate route-map default-map
>   !
>   route-map default-map 10 permit
>    match ip address 1
>   !
>   access-list 100 permit ip host 192.168.0.0 host 255.255.255.0
>
> In the above example, they did change the ACL to an extended
> access-list, but the route-map wasn't updated to use it (still using 1)
> and they say they're looking for 192.168.0.0 with a mask of 255.255.0.0,
> but the access-list 100 uses a /24 mask.
>
> Just above this example, the docs say that
>   access-list 1 permit 192.168.0.0
> will match a route for 192.168.0.0 with any mask. In my simulator, I
> have R1--R2--R3
> R1 advertises 8.0.0.0/16 to R2. R2 is advertising a conditional default
> to R3 using the route-map
>
> route-map BGP-UP permit 10
>  match ip address 50
>
> access-list 50 permit 8.0.0.0
>
> When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and
> default is not sent to R3. If I add to access-list 50
>   access-list 50 permit 8.0.0.0 0.0.255.255
>
> Standard IP access list 50
>     10 permit 8.0.0.0 (973 matches)
>     20 permit 8.0.0.0, wildcard bits 0.0.255.255
>
> I get hits on the permit 8.0.0.0 line now, and default is sent to R3.
> This seems kind of broken. I haven't duplicated the setup with real
> hardware to see if it's a simulator screwup...but since the simulator is
> running actual IOS, it seems unlikely the simulator is to blame.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jlewis at lewis.org Thu Aug 14 13:35:04 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 14 Aug 2008 13:35:04 -0400 (EDT)
Subject: [c-nsp] conditional bgp default-originate
In-Reply-To: <48A4670D.5010103@uk.clara.net>
References: <48A4670D.5010103@uk.clara.net>
Message-ID:

On Thu, 14 Aug 2008, David Freedman wrote:

> silly question, but why not ask your provider for a default route in
> with your feed and simply just propagate it downstream??

I don't need/want a default route. If a destination isn't in the global routing table, I don't want to send the packets upstream. I suppose your suggestion is the easiest solution though.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From saku+cisco-nsp at ytti.fi Thu Aug 14 14:16:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 14 Aug 2008 21:16:06 +0300
Subject: [c-nsp] filter LDP bindings
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com>
References: <20080813151814.GA3645@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC577D@xmb-ams-333.emea.cisco.com> <20080813172303.GA4180@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC5825@xmb-ams-333.emea.cisco.com> <20080814061645.GA18183@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405DC58F4@xmb-ams-333.emea.cisco.com>
Message-ID: <20080814181605.GA28999@mx.ytti.net>

On (2008-08-14 09:41 +0200), Oliver Boehmer (oboehmer) wrote:

> Well, I think this is the catch: In independent control mode, LDP does not "re-advertise" something like a distance/path-vector routing protocol does, it advertises its local bindings. So to implement a "re-advertise" behaviour, one would need to change the local binding behaviour to "only allocate (and advertise) a label for a remotely-learned IGP prefix x/y if you already received a remote LDP binding for this prefix or if you're the egress LSR for this FEC".. This is ordered control, something IOS only implements for cell-mode MPLS (i.e. ATM).
>
> > End result would be, that you'd only have loop0's in each MPLS
> > spakers LIBs, without any ACL/prefix-list maintenance overhead.
>
> agreed. But I still see challenges getting this right in independent control mode..

Am I missing something? Perhaps I mistook that it would be easier than in reality it is, to determine this information from LIB.
I assumed that creating bindings perfectly normally for data received over LDP session is no-problem and only thing that needs to change, is that in first place, you don't locally add anything to your bindings, except your Loop0.

> I guess so, filtering label allocation is more "natural" and efficient than filtering the advertisement for this very common case..

Yes (more natural than ACL filtering what you advertise out).

--
  ++ytti

From peter at rathlev.dk Thu Aug 14 14:38:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 14 Aug 2008 20:38:31 +0200
Subject: [c-nsp] route-map continue
In-Reply-To: <20080814151807.GF26588@f17.dmitry.net>
References: <20080814151807.GF26588@f17.dmitry.net>
Message-ID: <1218739111.9948.0.camel@abehat>

On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
> Hello!
>
> Can anybody clarify the continue statement behaviour for me?
>
> router bgp 111
>  ...
>  neighbor 10.10.10.2 route-map TEST-OUT out
>  neighbor 10.10.10.2 send-community
>  ...
>
> route-map TEST-OUT permit 10
>  match community 10
>  continue 20
> !
> route-map TEST-OUT permit 20
>  set metric 222
>  set as-path prepend 111 111 111
> !
>
> The bgp neighbor receives all prefixes, but community matched ones
> are still without prepends and med. Is it correct behaviour?
>
> P.S. Tested in 12.2S on 7200

According to FN you need 12.2SRC or 12.4T for outbound route-map continue support.

Regards,
Peter

From peter at rathlev.dk Thu Aug 14 14:46:51 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 14 Aug 2008 20:46:51 +0200
Subject: [c-nsp] route-map continue
In-Reply-To: <1218739111.9948.0.camel@abehat>
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID: <1218739611.10194.1.camel@abehat>

On Thu, 2008-08-14 at 20:38 +0200, Peter Rathlev wrote:
> On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
> > P.S. Tested in 12.2S on 7200
>
> According to FN you need 12.2SRC or 12.4T for outbound route-map
> continue support.
SRB should also work by the way.

Regards,
Peter

From christian at broknrobot.com Thu Aug 14 14:57:40 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 14 Aug 2008 14:57:40 -0400
Subject: [c-nsp] route-map continue
In-Reply-To: <1218739111.9948.0.camel@abehat>
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID:

i was thinking the problem was 'outbound' maps, but then when double checking i saw this

Restrictions for BGP Route-Map Continue

* Continue clauses are supported in outbound route maps only in Cisco IOS Release 12.0(31)S and subsequent releases.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html

On Thu, Aug 14, 2008 at 2:38 PM, Peter Rathlev wrote:
> On Thu, 2008-08-14 at 18:18 +0300, Dmitry Kiselev wrote:
>> Hello!
>>
>> Does anybody can clear for me the continue statement behaviour?
>>
>> router bgp 111
>>  ...
>>  neighbor 10.10.10.2 route-map TEST-OUT out
>>  neighbor 10.10.10.2 send-community
>>  ...
>>
>> route-map TEST-OUT permit 10
>>  match community 10
>>  continue 20
>> !
>> route-map TEST-OUT permit 20
>>  set metric 222
>>  set as-path prepend 111 111 111
>> !
>>
>> The bgp neighbor receive all prefixes, but community matched
>> are still without prepends and med. Is it correct behaviour?
>>
>> P.S. Tested in 12.2S on 7200
>
> According to FN you need 12.2SRC or 12.4T for outbound route-map
> continue support.
>
> Regards,
> Peter
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From petelists at templin.org Thu Aug 14 15:09:20 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 14 Aug 2008 14:09:20 -0500
Subject: [c-nsp] route-map continue
In-Reply-To:
References: <20080814151807.GF26588@f17.dmitry.net> <1218739111.9948.0.camel@abehat>
Message-ID: <48A482E0.9060609@templin.org>

Christian Koch wrote:
> i was thinking the problem was 'outbound' maps, but then when double
> checking i saw this
>
> Restrictions for BGP Route-Map Continue
>
> * Continue clauses are supported in outbound route maps only in Cisco
> IOS Release 12.0(31)S and subsequent releases.
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html

Don't (totally) believe the feature guides. 12.0(32)S is the minimum safe release, due to the following bug that bit me hard:

CSCsc36517
Symptoms: A router reloads unexpectedly when a continue statement is used in an outbound route map.
Conditions: This symptom is observed on a Cisco router that is configured for BGP.
Workaround: There is no workaround.

On 7507s and 12008s, the outbound continue was 100% dangerous every time I used it, no matter how simple the route-map.

pt

From luan at t3technology.com Thu Aug 14 15:17:58 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Thu, 14 Aug 2008 15:17:58 -0400
Subject: [c-nsp] VRF Lite Route Propagation
In-Reply-To:
References: <48A451C4.4090607@utc.edu>
Message-ID: <006701c8fe42$76415970$62c40c50$@com>

Can you do a show run int Ethernet0/0.555 and show ip bgp vpnv4 vrf I1?
-Luan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Griffin Sent: Thursday, August 14, 2008 12:27 PM To: Jeff Kell Cc: cisco-nsp Subject: Re: [c-nsp] VRF Lite Route Propagation I must be missing something, see below: C1#sh ip route vrf I1 Gateway of last resort is 1.1.111.1 to network 0.0.0.0 1.0.0.0/24 is subnetted, 1 subnets C 1.1.111.0 is directly connected, Ethernet0/0.111 3.0.0.0/24 is subnetted, 1 subnets B 3.3.3.0 is directly connected, 02:26:01, Ethernet0/0.333 5.0.0.0/24 is subnetted, 1 subnets B 5.5.5.0 is directly connected, 02:26:01, Ethernet0/0.555 <---- Want this in I1 Vrf on R1 O*E2 0.0.0.0/0 [110/1] via 1.1.111.1, 02:26:01, Ethernet0/0.111 C1# router eigrp 1 no auto-summary ! address-family ipv4 vrf VRF3 network 3.3.3.1 0.0.0.0 no auto-summary autonomous-system 1 exit-address-family ! router ospf 1 vrf I1 log-adjacency-changes redistribute static metric 1 subnets redistribute bgp 1 metric 5 subnets <------- Do this you said network 1.1.111.2 0.0.0.0 area 0 ! router bgp 1 no synchronization bgp router-id 3.3.3.3 bgp log-neighbor-changes no auto-summary ! address-family ipv4 vrf VRF5 redistribute connected no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf VRF3 redistribute connected no auto-summary no synchronization exit-address-family ! 
address-family ipv4 vrf I1 redistribute connected redistribute ospf 1 vrf I1 metric 5 match internal external 1 external 2 default-information originate no auto-summary no synchronization exit-address-family R1#sh ip ospf nei Neighbor ID Pri State Dead Time Address Interface 1.1.111.2 1 FULL/DR 00:00:33 1.1.111.2 FastEthernet0/0.111 R1#sh ip route vrf I1 Gateway of last resort is 1.1.11.254 to network 0.0.0.0 1.0.0.0/24 is subnetted, 2 subnets C 1.1.11.0 is directly connected, FastEthernet0/0.11 C 1.1.111.0 is directly connected, FastEthernet0/0.111 2.0.0.0/24 is subnetted, 1 subnets S 2.2.2.0 [1/0] via 1.1.12.2 3.0.0.0/24 is subnetted, 1 subnets S 3.3.3.0 [1/0] via 1.1.111.2 S* 0.0.0.0/0 [1/0] via 1.1.11.254 R1#sh ip ospf database OSPF Router with ID (1.1.111.1) (Process ID 1) Router Link States (Area 0) Link ID ADV Router Age Seq# Checksum Link count 1.1.111.1 1.1.111.1 1524 0x80000028 0x0072CB 1 1.1.111.2 1.1.111.2 1473 0x80000028 0x00131F 1 Net Link States (Area 0) Link ID ADV Router Age Seq# Checksum 1.1.111.2 1.1.111.2 1473 0x80000027 0x000F38 Type-5 AS External Link States Link ID ADV Router Age Seq# Checksum Tag 0.0.0.0 1.1.111.1 1524 0x80000027 0x00CB4E 1 3.3.3.0 1.1.111.2 141 0x80000001 0x000A57 3489660929 5.5.5.0 1.1.111.2 141 0x80000001 0x00C199 3489660929 R1# On Thu, Aug 14, 2008 at 10:39 AM, Jeff Kell wrote: > Nick Griffin wrote: > >> I've figured out how to exchange routes between VRF's with the bgp address >> family configuration coupled with redistribute static|connected, etc >> however >> I'm trying to propagate this information and I'm having problems getting >> it >> to work as desired. >> > > I'll take a "guess" at your problem... > > If you have everything "centralized" into one PE doing your intra-VRF iBGP, > and also providing VRF-specific routing processes... > > The intra-VRF routes are propagated locally via iBGP and the vrf > route-target import/export specifications. 
> > To redistributed "learned" routes from the VRF-specific routing processes > into the iBGP mesh, you must 'redistribute [protocol]' in the BGP > address-family ipv4 vrf specification. > > To redistributed "learned" routes from the iBGP import/export process back > into the VRF-specific routing processes, you must 'redistribute bgp [asn]' > in the routing process vrf specification. > > Jeff > > > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From brett at looney.id.au Thu Aug 14 20:49:01 2008 From: brett at looney.id.au (Brett Looney) Date: Fri, 15 Aug 2008 08:49:01 +0800 Subject: [c-nsp] Cisco authentication login page In-Reply-To: <48A442B1.1020800@gmail.com> References: <48A442B1.1020800@gmail.com> Message-ID: <000401c8fe70$bab140b0$3013c210$@id.au> > I'm trying to customize the default login page that the Cisco > router uses for authentication proxy ( to autenticate users ). > Can someone tell me how to do that ? I've tried to search in > the Cisco web site, but it seems that there is no documentation > about it. > Looking at the default page, i see this strange string: > TYPE="hidden" NAME="au_pxytimetag" VALUE="13502936"> > I think that the au_pxytimetag value shound be different for > every message, but i don't know how to do that. When I played with this a while back I couldn't find a way to customise the bit of HTML you have there - it is produced by IOS. I'm not sure why you'd want to modify the au_pxytimetag value - it seems to work fine for me with multiple users without having to change that. I wrote a bit of custom HTML that the router then serves up before the FORM part of the HTML page is sent back to the client. 
The only limitation was that the HTML I provided had to be under 8k (may have been 4k) so because the disclaimer we had was so large I embedded an IFRAME which sourced the disclaimer from another web server. Documentation: http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_confi guration_example09186a0080094655.shtml B. From psirt at cisco.com Thu Aug 14 23:15:00 2008 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Thursday, 14 Aug 2008 22:15:00 -0500 Subject: [c-nsp] Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control Message-ID: <200808142215.webex@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control Advisory ID: cisco-sa-20080814-webex Revision 1.0 For Public Release 2008 August 14 2230 UTC (GMT) +--------------------------------------------------------------------- Summary ======= An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx Meeting Manager contains a buffer overflow vulnerability that may result in a denial of service or remote code execution. The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting. When users connect to the WebEx meeting service, the WebEx Meeting Manager is automatically upgraded to the latest version. There is a manual workaround available for users who are not able to connect to the WebEx meeting service. Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file. 
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml Affected Products ================= Vulnerable Products +------------------ The WebEx Meeting Manager downloads several components to meeting participants before they join a WebEx meeting. The vulnerability in this Security Advisory affects the atucfobj.dll library. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by this vulnerability. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. When a meeting participant connects to the WebEx meeting service through a web browser, the WebEx meeting service installs several components of the WebEx Meeting Manager browser plugin on the meeting participant's system. WebEx Meeting Manager includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts. This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code. The WebEx meeting service currently maintains three different versions of software. WebEx meeting service servers run one of the following versions: WBS 23, WBS 25, or WBS 26. This vulnerability is documented in WebEx Bug IDs 292551 for WBS 26 and 306639 for WBS 25. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2737. Identifying WebEx Meeting Service Version +---------------------------------------- The following procedure allows meeting participants to identify the version of client software that is provided by a WebEx server. The procedure varies slightly depending on the version of the WebEx server software. The URL in all the following examples is provided to meeting participants as part of the WebEx meeting invite. Client build numbers adhere to the format of XX.YY.ZZ.WWWW. 
The first number indicates the major version number of the software build. For example, a client build number of 26.49.9.2838 indicates a WBS 26-based software version. For the WBS 26 version: 1. Browse to the WebEx meeting server at https://.webex.com/. 2. Select Support from the left side of the web page. 3. Select Downloads from the left side of the web page. 4. The version of the client software that is provided by the server is listed next to Client build. For WebEx servers that are running WBS 26, the first fixed version is 26.49.9.2838. Client build versions prior to 26.49.9.2838 are vulnerable. For the WBS 25 version: 1. Browse to the WebEx meeting server at https://.webex.com/. 2. Select Assistant on the left side of the page. 3. Select the Support link. 4. Select the Version link, which is displayed on the right side of the top of the page. 5. The Client Build version is displayed in a pop-up window. There is currently no fixed version for the WBS 25-based WebEx meeting service. This section of the Security Advisory will be updated when fixed version information is available. For the WBS 23 version: Servers that run WBS 23-based WebEx meeting service display version information using the following URL format: https://.webex.com/version/wbxversionlist.do?siteurl= On the redisplayed page the Client versions in files field will indicate the Client Build. For example: The 'T23' in WBXclient-T23L10NSP33EP13-1092.txt indicates a WBS 23-based system. Cisco WebEx is not planning to repair WBS 23-based software. Affected WBS 23-based servers will be upgraded to fixed WBS 25 or WBS 26-based software. Attack Vector Details +-------------------- This Security Advisory addresses a vulnerable ActiveX control (atucfobj.dll). If atucfobj.dll is present on a client's computer, it may be possible for an attacker to embed malicious code into HTML content that calls an affected function in atucfobj.dll via ActiveX. Users could encounter the malicious HTML in several ways. 
The most common manners are:

* Browsing to a web site that contains the malicious content
* HTML that is embedded in e-mail messages
* HTML that is delivered via instant messaging applications

WebEx Upgrade Timeline
+---------------------

Upgrades from WBS 23 versions to WBS 26 are expected to be complete by
the end of September 2008. Fixed versions of WBS 25 are expected to be
deployed by the end of September 2008. Deployed versions of WBS 26 are
fixed.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

The CVSS scoring for WebEx bug IDs 292551 and 306639 is identical
because they reference the same vulnerability. The scoring below
applies to both 292551 and 306639.

ActiveX Vulnerability in WebEx Meeting Manager

CVSS Base Score - 9.3
  Access Vector          - Network
  Access Complexity      - Medium
  Authentication         - None
  Confidentiality Impact - Complete
  Integrity Impact       - Complete
  Availability Impact    - Complete

CVSS Temporal Score - 8.4
  Exploitability         - Functional
  Remediation Level      - Official Fix
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in execution of
arbitrary code.
Software Versions and Fixes
===========================

The WebEx meeting service currently maintains three different versions
of software. WebEx meeting service servers run one of the following
versions: WBS 23, WBS 25, or WBS 26.

Clients will receive an upgrade automatically in accordance with the
process that is outlined in the Obtaining Fixed Software section of this
advisory, within the time frame that is outlined in the WebEx Upgrade
Timeline subsection of this advisory. Cisco WebEx will not offer the
modified atucfobj.dll as a separate download.

Workarounds
===========

WebEx meeting participants who join a WebEx meeting that is hosted by a
server with fixed software will download a fixed version of
atucfobj.dll prior to joining the meeting. Several other workarounds are
described in the following subsections.

Manually Upgrading WebEx Meeting Manager
+---------------------------------------

Users can verify that the WebEx meeting service server they are
connecting to is running fixed code via the method that is described in
the Identifying WebEx Version subsection of the Details section of this
Security Advisory. If the WebEx server is running a version of software
that is fixed, users can manually download and install the Meeting
Manager client to ensure their versions of atucfobj.dll are not
vulnerable.

Removing WebEx Meeting Manager
+-----------------------------

It is possible to remove the WebEx Meeting Manager component from
Microsoft Windows by using the Add or Remove Programs utility in the
Windows Control Panel:

1. In Windows, choose Start > Control Panel.
2. Double-click Add or Remove Programs.
3. Double-click WebEx.
4. In the pop-up menu, check the Meeting Manager box and click
   Uninstall.
5. Follow the prompts to complete the uninstall process and restart the
   system.
NOTE: After uninstalling the WebEx Meeting Manager, users that join a
WebEx meeting that is hosted by a vulnerable version will again download
and install a vulnerable atucfobj.dll.

Disabling atucfobj.dll by Setting the Kill Bit
+---------------------------------------------

It is possible to disable the execution of atucfobj.dll by using a
configuration setting in Microsoft Windows. This method is called
setting the kill bit for the DLL. Once set, this method prevents
atucfobj.dll from loading, which prevents exploitation of the
vulnerability. Instructions for setting the kill bit in Microsoft
Windows are available at the following location:

http://support.microsoft.com/kb/240797

Setting the kill bit for atucfobj.dll will persist even after a fixed
version of the DLL is installed. To re-enable the use of atucfobj.dll,
the kill bit will need to be unset.

To disable atucfobj.dll, users must know the CLSID for the DLL. The
CLSID for atucfobj.dll is {32E26FD9-F435-4A20-A561-35D4B987CFDC}.

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080814-webex.shtml

Obtaining Fixed Software
========================

As outlined in the WebEx Upgrade Timeline section, WebEx meeting
participants who join a WebEx meeting that is hosted by a server with
fixed software will automatically download a fixed version of
atucfobj.dll prior to joining the meeting. Clients can also upgrade
manually by following the instructions in the Manually Upgrading WebEx
Meeting Manager subsection of the Workarounds section of this advisory.
Clients can protect themselves without first accessing a WebEx server by
following the instructions in the Removing WebEx Meeting Manager
subsection of the Workarounds section of this advisory.
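The kill-bit workaround above needs only the CLSID from the advisory and the registry mechanism documented in KB240797 (the 0x400 bit in the "Compatibility Flags" value under the ActiveX Compatibility key). The following PowerShell script is an added example, not Cisco or WebEx code: it reports whether the atucfobj.dll control is registered on the host and whether its kill bit is set, and sets or clears the bit on request. The function names, the -Set/-Unset switches and the file-version inventory are this example's own additions.

```powershell
<#
  Added example (not part of the Cisco advisory; not Cisco or WebEx code).
  Inventory and kill-bit management for the atucfobj.dll ActiveX control.
  CLSID: from the advisory. Registry key and the 0x400 flag: KB240797.
  Run from an elevated prompt. With no switches the script only reports.
#>
[CmdletBinding()]
param(
    [switch]$Set,    # set the kill bit so the control can no longer load in IE
    [switch]$Unset   # clear it again once a fixed atucfobj.dll has been installed
)

$Clsid   = '{32E26FD9-F435-4A20-A561-35D4B987CFDC}'   # atucfobj.dll, per the advisory
$KillBit = 0x400                                       # KB240797 kill-bit flag

# The kill bit lives under "ActiveX Compatibility". On 64-bit Windows the
# WOW6432Node view is the one 32-bit processes read, so both views are handled.
$CompatPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-AtucfobjRegistration {
    # Returns the DLL path the CLSID is registered with, or $null if the
    # control is not registered (never installed, or removed via Add/Remove).
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($server) { return [Environment]::ExpandEnvironmentVariables($server) }
    return $null
}

function Get-KillBitState {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags)              { return 'kill bit NOT set (no value present)' }
    if (($flags -band $KillBit) -ne 0) { return ('kill bit set (flags 0x{0:X})' -f $flags) }
    return ('kill bit NOT set (flags 0x{0:X})' -f $flags)
}

function Update-KillBit {
    param([string]$Path, [bool]$Enable)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    # OR the bit in, or mask it out, leaving any other compatibility flags intact.
    $flags = if ($Enable) { $flags -bor $KillBit } else { $flags -band (-bnot $KillBit) }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ([int]$flags) -Type DWord
}

# --- report: is the control present, and is it blocked? ---
$dll = Get-AtucfobjRegistration
if ($dll) {
    $ver = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'file missing' }
    Write-Host "atucfobj.dll registered at: $dll (file version: $ver)"
} else {
    Write-Host "CLSID $Clsid is not registered on this system"
}
foreach ($p in $CompatPaths) { Write-Host "$p`n    $(Get-KillBitState $p)" }

# --- act only when asked ---
if ($Set -and $Unset) { throw 'Specify only one of -Set or -Unset' }
if ($Set -or $Unset) {
    foreach ($p in $CompatPaths) {
        Update-KillBit -Path $p -Enable ([bool]$Set)
        Write-Host "$p`n    now: $(Get-KillBitState $p)"
    }
}
```

Because the kill bit persists across the later fixed-DLL upgrade, as the advisory notes, re-run the report after the upgrade and use -Unset only when the registered file version is at or above the fixed build.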
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.

Customers outside of the United States can reference the following link
for local support numbers:

http://support.webex.com/support/phone-numbers.html

Exploitation and Public Announcements
=====================================

This issue has been publicly announced on multiple external forums and
mailing lists. Exploit code has been made available.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |                | Initial   |
| 1.0      | 2008-August-14 | public    |
|          |                | release   |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----

iD8DBQFIpMm986n/Gc8U/uARAsqfAJ4g2GVClGfEWNW85vZdjGE/IOLOIwCeLLfe
oB/jGGodR9UM/o0eMPGmYA0=
=piFk
-----END PGP SIGNATURE-----

From danletkeman at gmail.com Thu Aug 14 23:33:11 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 14 Aug 2008 22:33:11 -0500
Subject: [c-nsp] best way to load share adsl
Message-ID: 

Hello,

I would like to setup load sharing on a 2621 for three adsl lines.
Currently each of the adsl connections has a modem/router combo which is
doing nat. All I need for the cisco router to do is load sharing or load
balancing. What would be the best way to do this and could anyone
recommend some documentation or a config?

Thanks,
Dan.
From christian.macnevin at gmail.com Thu Aug 14 23:59:33 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 14 Aug 2008 20:59:33 -0700
Subject: [c-nsp] 3560 ACL performance?
Message-ID: 

Hi
So the marketing machine tells me 3650s do ACLs in hardware and zero
performance hit blah blah.
Anyone had any real world experience with high loads of packets on
every interface under a simple ACL?

Thanks

From adrian at creative.net.au Fri Aug 15 00:40:40 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 15 Aug 2008 12:40:40 +0800
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: 
References: 
Message-ID: <20080815044040.GG29116@skywalker.creative.net.au>

On Thu, Aug 14, 2008, Christian MacNevin wrote:
> Hi
> So the marketing machine tells me 3650s do ACLs in hardware and zero
> performance hit blah blah.
> Anyone had any real world experience with high loads of packets on
> every interface under a simple ACL?

they perform like the 3550's - It Just Works. Just make sure "simple ACL"
translates to "is 100% programmed in hardware."

(I've done this on 3550, 3560, 3750, 10/100/1000 ports.)

Adrian

From christian.macnevin at gmail.com Fri Aug 15 01:31:32 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 14 Aug 2008 22:31:32 -0700
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: <20080815044040.GG29116@skywalker.creative.net.au>
References: <20080815044040.GG29116@skywalker.creative.net.au>
Message-ID: <966F0B84-839A-4F80-A3B2-433838F61DE4@gmail.com>

How do I know what's programmed in hardware? We're using basic ip lists
blocking netbios ports.

On Aug 14, 2008, at 9:40 PM, Adrian Chadd wrote:

> On Thu, Aug 14, 2008, Christian MacNevin wrote:
>> Hi
>> So the marketing machine tells me 3650s do ACLs in hardware and zero
>> performance hit blah blah.
>> Anyone had any real world experience with high loads of packets on
>> every interface under a simple ACL?
>
> they perform like the 3550's - It Just Works.
> Just make sure "simple ACL"
> translates to "is 100% programmed in hardware."
>
> (I've done this on 3550, 3560, 3750, 10/100/1000 ports.)
>
>
> Adrian
>

From avayner at cisco.com Fri Aug 15 01:34:04 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 15 Aug 2008 07:34:04 +0200
Subject: [c-nsp] best way to load share adsl
In-Reply-To: 
References: 
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501BA869F@xmb-ams-331.emea.cisco.com>

Dan,

Take a look at this one:
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/12_4t/oer_12_4t_book.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, August 15, 2008 06:33 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] best way to load share adsl

Hello,

I would like to setup load sharing on a 2621 for three adsl lines.
Currently each of the adsl connections has a modem/router combo which is
doing nat. All I need for the cisco router to do is load sharing or load
balancing. What would be the best way to do this and could anyone
recommend some documentation or a config?

Thanks,
Dan.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nimal at fnbs.net Fri Aug 15 02:32:05 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Fri, 15 Aug 2008 14:32:05 +0800
Subject: [c-nsp] Monitoring concurrent connections on a ASA
Message-ID: <48A522E5.6050800@fnbs.net>

Hi guy,

Do you know if there is any way to monitor concurrent connections on a
ASA firewall? Any snmp OID i can query that can return this value?

Thanks!
Nimal

From vinny at tellurian.com Fri Aug 15 02:42:17 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 15 Aug 2008 02:42:17 -0400
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <48A522E5.6050800@fnbs.net>
References: <48A522E5.6050800@fnbs.net>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF05646243E8B7A@exchangenj1>

There probably is an OID (check the ASA MIB from Cisco), but the ASA
includes ASDM which will show you concurrent connections (as well as
memory, cpu, and bandwidth load) in realtime. You can also just do "show
conn count" while logged in.

-Vinny

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Nimal David Sirimanne
> Sent: Friday, August 15, 2008 2:32 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Monitoring concurrent connections on a ASA
>
> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall? Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal

From dirkjan at os3.nl Fri Aug 15 03:30:13 2008
From: dirkjan at os3.nl (Dirk-Jan van Helmond)
Date: Fri, 15 Aug 2008 09:30:13 +0200 (CEST)
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <48A522E5.6050800@fnbs.net>
References: <48A522E5.6050800@fnbs.net>
Message-ID: <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>

Hi Nimal,

I use .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 with ASA 8.0.(3).

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.147.1.2.2.2.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true

regards,
Dirk-Jan

> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall?
> Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal

From matt at peterson.org Fri Aug 15 06:06:13 2008
From: matt at peterson.org (Matt Peterson)
Date: Fri, 15 Aug 2008 03:06:13 -0700
Subject: [c-nsp] Cisco authentication login page
In-Reply-To: <000401c8fe70$bab140b0$3013c210$@id.au>
References: <48A442B1.1020800@gmail.com> <000401c8fe70$bab140b0$3013c210$@id.au>
Message-ID: 

A slight alternative exists in 12.4T, "Consent Feature" - see . It
appears that it's possible to customize the HTML.

--Matt

On Aug 14, 2008, at 5:49 PM, Brett Looney wrote:

>> I'm trying to customize the default login page that the Cisco
>> router uses for authentication proxy (to authenticate users).

From lists.james.edwards at gmail.com Fri Aug 15 11:52:27 2008
From: lists.james.edwards at gmail.com (james edwards)
Date: Fri, 15 Aug 2008 09:52:27 -0600
Subject: [c-nsp] regex for logical and
Message-ID: 

I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not
hitting the right expression.

ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.

CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From stig.johansen at ementor.no Fri Aug 15 12:15:44 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Fri, 15 Aug 2008 18:15:44 +0200
Subject: [c-nsp] regex for logical and
In-Reply-To: 
References: 
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360AC6B@100NOOSLMSG004.common.alpharoot.net>

Try "sh ip cache flow | inc AT3/0.1405.*163.65.47.29"

The ".*" part matches anything in between, like this:

.
    matches any single character
*   extends the previous expression to "zero or more times"

So, you are saying "match any single character, zero or more times"

Take a look at
http://www.cisco.com/en/US/docs/ios/termserv/configuration/guide/tsv_reg_express.html
for some more information.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of james edwards
Sent: 15 August 2008 17:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] regex for logical and

I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not
hitting the right expression.

ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.

CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From christian at broknrobot.com Fri Aug 15 12:16:07 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 15 Aug 2008 12:16:07 -0400
Subject: [c-nsp] regex for logical and
In-Reply-To: 
References: 
Message-ID: 

.* should do the trick

RTR#sh ip cache flow | i Te1/1.*1.1.1.1
Te1/1  1.1.1.1  2.2.2.2  tcp  58436  443  1
Te1/1  1.1.1.1  2.2.2.2  tcp  57819  443  2
Te1/1  1.1.1.1  2.2.2.2  tcp  58424  443  1

On Fri, Aug 15, 2008 at 11:52 AM, james edwards wrote:
> I want to match AT3/0.1405 AND 163.65.47.29 from my flow table but am not
> hitting the right expression.
>
> ie i want to match lines that contain both AT3/0.1405 and 163.65.47.29.
>
> CORE_Router#sho ip cache flow | in AT3/0.1405 163.65.47.29
>
> --
> James H.
> Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov
>

From danletkeman at gmail.com Fri Aug 15 13:00:46 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:00:46 -0500
Subject: [c-nsp] ip cef load sharing
Message-ID: 

Hello,

I have a 2621 router running 12.3(26) and I would like to setup load
sharing to multiple adsl lines. When I do a traceroute on the router it
randomly picks a dsl line and seems to work fine. But when I do
traceroute tests from a workstation it always seems to take the same
adsl line. Is there something else I need to add to the configuration
to make it pick random lines, or is there a timeout of some sorts before
it will select the next ip route?

Here is my config:

!
interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
ip route 0.0.0.0 0.0.0.0 192.168.10.11
!

The two adsl modem/routers I have are 192.168.10.10 and 192.168.10.11.

Thanks,
Dan.

From rodunn at cisco.com Fri Aug 15 13:12:02 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 15 Aug 2008 13:12:02 -0400
Subject: [c-nsp] ip cef load sharing
In-Reply-To: 
References: 
Message-ID: <20080815171202.GH8654@rtp-cse-489.cisco.com>

Try ip load-sharing per-packet on both egress interfaces.

On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
> Hello,
>
> I have a 2621 router running 12.3(26) and I would like to setup load
> sharing to multiple adsl lines. When I do a traceroute on the router
> it randomly picks a dsl line and seems to work fine.
> But when I do
> traceroute tests from a workstation it always seems to take the same
> adsl line. Is there something else I need to add to the configuration
> to make it pick random lines, or is there a timeout of some sorts
> before it will select the next ip route
>
> Here is my config:
>
> !
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> ip http server
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.10.10
> ip route 0.0.0.0 0.0.0.0 192.168.10.11
> !
>
> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>
> Thanks,
> Dan.

From danletkeman at gmail.com Fri Aug 15 13:35:01 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:35:01 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To: <20080815171202.GH8654@rtp-cse-489.cisco.com>
References: <20080815171202.GH8654@rtp-cse-489.cisco.com>
Message-ID: 

ip load-sharing per-packet

I tried adding this to F0/1 and the trace route works now (it randomly
picks either line), but there seems to be issues with maybe the MTU?
If I try to browse websites i get page errors and some of the pictures
and pages don't load.

Any ideas?

Thanks,
Dan.

On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
> Try ip load-sharing per-packet on both egress interfaces.
>
> On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>> Hello,
>>
>> I have a 2621 router running 12.3(26) and I would like to setup load
>> sharing to multiple adsl lines. When I do a traceroute on the router
>> it randomly picks a dsl line and seems to work fine. But when I do
>> traceroute tests from a workstation it always seems to take the same
>> adsl line.
>> Is there something else I need to add to the configuration
>> to make it pick random lines, or is there a timeout of some sorts
>> before it will select the next ip route
>>
>> Here is my config:
>>
>> !
>> interface FastEthernet0/0
>>  ip address 10.1.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> interface FastEthernet0/1
>>  ip address 192.168.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> ip http server
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>> !
>>
>> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>>
>> Thanks,
>> Dan.
>

From Gregori.Parker at theplatform.com Fri Aug 15 13:10:27 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Fri, 15 Aug 2008 10:10:27 -0700
Subject: [c-nsp] Monitoring concurrent connections on a ASA
In-Reply-To: <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>
References: <48A522E5.6050800@fnbs.net> <58667fd646efe2c61ceb7601d99f3a2a.squirrel@a61.nl>
Message-ID: <1A9866F953006D45AEE0166066114E091278401F@TPMAIL02.corp.theplatform.com>

For our ASAs running 7.x, I use the following OID for total concurrent
connections (the one Dirk sent returned no such instance for me):

.1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6

Here are other oids in that branch I see when walking:

# snmpwalk -v 2c .1.3.6.1.4.1.9.9.147.1.2.2.2.1
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.3.40.6 = STRING: "number of connections currently in use by the entire firewall"
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.3.40.7 = STRING: "highest number of connections in use at any one time since system startup"
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.4.40.6 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.4.40.7 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.5.40.6 = Gauge32: 1029
SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.5.40.7 = Gauge32: 99821

HTH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dirk-Jan van Helmond
Sent: Friday, August 15, 2008 12:30 AM
To: Nimal David Sirimanne
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Monitoring concurrent connections on a ASA

Hi Nimal,

I use .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 with ASA 8.0.(3).

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.147.1.2.2.2.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true

regards,
Dirk-Jan

> Hi guy,
>
> Do you know if there is any way to monitor concurrent connections on a
> ASA firewall? Any snmp OID i can query that can return this value?
>
> Thanks!
>
> Nimal
>

From rodunn at cisco.com Fri Aug 15 13:49:25 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 15 Aug 2008 13:49:25 -0400
Subject: [c-nsp] ip cef load sharing
In-Reply-To: 
References: <20080815171202.GH8654@rtp-cse-489.cisco.com>
Message-ID: <20080815174925.GL8654@rtp-cse-489.cisco.com>

On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
> ip load-sharing per-packet
>
> I tried adding this to F0/1 and the trace route works now (it randomly
> picks either line), but there seems to be issues with maybe the MTU?
> If I try to browse websites i get page errors and some of the pictures
> and pages don't load.
Yep...try configuring "ip tcp adjust-mss 1300" or so on the
ingress interface from the LAN.

>
> Any ideas?
>
> Thanks,
> Dan.
>
> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
> > Try ip load-sharing per-packet on both egress interfaces.
> >
> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
> >> Hello,
> >>
> >> I have a 2621 router running 12.3(26) and I would like to setup load
> >> sharing to multiple adsl lines. When I do a traceroute on the router
> >> it randomly picks a dsl line and seems to work fine. But when I do
> >> traceroute tests from a workstation it always seems to take the same
> >> adsl line. Is there something else I need to add to the configuration
> >> to make it pick random lines, or is there a timeout of some sorts
> >> before it will select the next ip route
> >>
> >> Here is my config:
> >>
> >> !
> >> interface FastEthernet0/0
> >>  ip address 10.1.10.1 255.255.255.0
> >>  duplex auto
> >>  speed auto
> >> !
> >> interface FastEthernet0/1
> >>  ip address 192.168.10.1 255.255.255.0
> >>  duplex auto
> >>  speed auto
> >> !
> >> ip http server
> >> ip classless
> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
> >> !
> >>
> >> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
> >>
> >> Thanks,
> >> Dan.
> >
>

From danletkeman at gmail.com Fri Aug 15 13:59:12 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 Aug 2008 12:59:12 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To: <20080815174925.GL8654@rtp-cse-489.cisco.com>
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID: 

Still seem to have the same problem even with this:

interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip tcp adjust-mss 1300
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip load-sharing per-packet
 duplex auto
 speed auto

Dan.

On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>> ip load-sharing per-packet
>>
>> I tried adding this to F0/1 and the trace route works now (it randomly
>> picks either line), but there seems to be issues with maybe the MTU?
>> If I try to browse websites i get page errors and some of the pictures
>> and pages don't load.
>
> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
> ingress interface from the LAN.
>
>>
>> Any ideas?
>>
>> Thanks,
>> Dan.
>>
>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>> > Try ip load-sharing per-packet on both egress interfaces.
>> >
>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>> >> Hello,
>> >>
>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>> >> it randomly picks a dsl line and seems to work fine. But when I do
>> >> traceroute tests from a workstation it always seems to take the same
>> >> adsl line.
>> >> Is there something else I need to add to the configuration
>> >> to make it pick random lines, or is there a timeout of some sorts
>> >> before it will select the next ip route
>> >>
>> >> Here is my config:
>> >>
>> >> !
>> >> interface FastEthernet0/0
>> >>  ip address 10.1.10.1 255.255.255.0
>> >>  duplex auto
>> >>  speed auto
>> >> !
>> >> interface FastEthernet0/1
>> >>  ip address 192.168.10.1 255.255.255.0
>> >>  duplex auto
>> >>  speed auto
>> >> !
>> >> ip http server
>> >> ip classless
>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>> >> !
>> >>
>> >> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>> >>
>> >> Thanks,
>> >> Dan.
>> >
>

From jlewis at lewis.org Fri Aug 15 14:12:25 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 15 Aug 2008 14:12:25 -0400 (EDT)
Subject: [c-nsp] ip cef load sharing
In-Reply-To: 
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID: 

On Fri, 15 Aug 2008, Dan Letkeman wrote:

> Still seem to have the same problem even with this:
>
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  ip tcp adjust-mss 1300
>  duplex auto
>  speed auto
>
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  ip load-sharing per-packet
>  duplex auto
>  speed auto

You failed to mention whether these 2 DSL lines go to the same ISP and
whether that ISP is setup to support your per-packet load sharing.

Also, as you're using private IPs and talking about web access, I assume
there's NAT. Where is the NAT being done? If your output traffic through
each DSL router is NAT'd by that DSL router to a different public IP,
your setup is not going to work.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jason at pins.net Fri Aug 15 22:38:25 2008
From: jason at pins.net (Jason Berenson)
Date: Fri, 15 Aug 2008 22:38:25 -0400
Subject: [c-nsp] Verizon TLS
Message-ID: <48A63DA1.9030401@pins.net>

Greetings,

I'm curious to get some input from everyone about Verizons TLS service.
What do you think of it? What kind of hardware do you use at your edge
and at the CPE. Example configs?

We have a GigE connection at the core and order 100M circuits with
whatever size EVC we require for the customer. I use rate limiting on
the customers ethernet interface. A basic /30 serial between us and them
and a static route in both directions.

I have seen some strange things happen. This is a forklift upgrade for
one customer that's going from 2 T1s to 10M TLS. When I had them connect
our TLS router to their public switch things went nuts on the VZ side of
the circuit (2500PPS) and stayed at around 100PPS on the customer side.
This doesn't make much sense to me considering the T1 router has no
problems and it's not like we're connecting a switch on our side to a
switch on their side and causing a loop somewhere, there's a router at
both ends. I originally suspected VZ as the problem but eliminated that
idea by connecting a laptop directly to the customer hand off.

The core router is a Cisco 7206VXR and the CPE is a 2651XM.

When he connected a switch with no VLANs on it things quieted down a
bit. It's pretty obvious his switch is causing a problem but why it has
issues with the TLS and not the T1s is beyond me.

Here's a quick diagram:

Servers

   |
7206VXR ---------TLS-------- 2651XM ------- Public switch ------- Firewall ------- LAN

CPE config:

interface FastEthernet0/0
 desc TLS side
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.xxx
 encapsulation dot1Q xxx
 ip address 192.168.1.2 255.255.255.252
 (rate limit to 10M)
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Core config:

interface GigabitEthernet0/3
 no ip address
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/3.xxx
 encapsulation dot1Q xxxx
 ip address 192.168.1.1 255.255.255.252
 no cdp enable
!
ip route 10.10.10.0 255.255.255.0 192.168.1.2

Any input would be greatly appreciated.

-Jason

From list-cisco-nsp at pwns.ms Fri Aug 15 23:37:03 2008
From: list-cisco-nsp at pwns.ms (list-cisco-nsp at pwns.ms)
Date: Sat, 16 Aug 2008 03:37:03 +0000
Subject: [c-nsp] Verizon TLS
Message-ID: <20080816033703.GA28942@pwns.ms>

> Servers
>
>    |
> 7206VXR ---------TLS-------- 2651XM ------- Public switch -------
> Firewall ------- LAN
>
> CPE config:
>
> interface FastEthernet0/0
>  desc TLS side
>  no ip address
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/0.xxx
>  encapsulation dot1Q xxx
>  ip address 192.168.1.2 255.255.255.252
>  (rate limit to 10M)
>  no cdp enable
[snip]
> ip route 0.0.0.0 0.0.0.0 192.168.1.1

Your diagram and config conflict with each other; according to the config,
you're routing to the TLS *through* the switch. According to the diagram, the
2651XM is directly connected to the TLS, and is directly connected to the
switch.

My guess is that the switch leaks traffic between VLANs. The easiest
workaround is probably just to connect the 2651XM directly to the TLS. They
didn't have the problem with the T1s since they weren't going through the
switch.

From junaid.x86 at gmail.com Sat Aug 16 01:03:16 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Sat, 16 Aug 2008 11:03:16 +0600
Subject: [c-nsp] IP/MPLS Design Resource
Message-ID:

Hi,

Can you please recommend/refer me to some good books/online resources on
IP/MPLS design?
I am thinking of making an investment and buying a few books. Will appreciate
it if you can recommend any titles.

Thanks.

Regards,
Junaid

From frnkblk at iname.com Sat Aug 16 01:49:50 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Sat, 16 Aug 2008 00:49:50 -0500
Subject: [c-nsp] 1252ag backwards compatibility
In-Reply-To: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com>
References: <6bb5f5b10808131645j6df4766bs91c9bfb345fe32de@mail.gmail.com>
Message-ID:

Yes, backward compatibility can be prevented by running Greenfield mode, but
I'm not sure if that's possible on the Cisco 1252.

802.11n clearly has the capability for a higher PPS than 802.11b/a/g if you
fix the packet size, but I'm not sure what you mean about the processors.

Frank

-----Original Message-----
From: Rubens Kuhl Jr. [mailto:rubensk at gmail.com]
Sent: Wednesday, August 13, 2008 6:45 PM
To: frnkblk at iname.com
Cc: Dan Letkeman; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 1252ag backwards compatibility

Can it be prevented, i.e., configuring the 1252 to only run 802.11n, even in
WDS mode?

We are hoping that 802.11n can improve on the Wi-Fi tradition of having a low
pps rate, which is due to the sum of the 802.11b/a/g standard and low-speed
processors on the devices.

Rubens

On Wed, Aug 13, 2008 at 7:49 PM, Frank Bulk - iNAME wrote:
> Dan:
>
> Unless you're running Greenfield mode, which I'm not sure you can even
> configure on a Cisco AP, there's full backward compatibility such that
> 802.11b/g clients will operate at b/g and 802.11n clients (with 2.4 GHz
> support, of course) operate at n. Be aware that mixing 802.11n with
> 802.11b/g clients will reduce overall performance, but not significantly
> enough to devalue running 802.11n.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Tuesday, August 12, 2008 8:02 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 1252ag backwards compatibility
>
> Hello,
>
> I'm wondering if anyone that has deployed 802.11n 1252 APs can tell
> me if you have 802.11g clients and some 802.11n clients all on 2.4 GHz,
> do the 802.11n clients run at 802.11n and the 802.11g clients run at
> 802.11g? Or does everything run at 802.11g?
>
> Thanks,
> Dan.
>

From hashng at gmail.com Sat Aug 16 04:09:52 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sat, 16 Aug 2008 11:09:52 +0300
Subject: [c-nsp] Limiting Broadcast and Multicast
Message-ID:

Hi guys

My network has a huge amount of L2 broadcast coming from the clients
connected (through DSLAMs). The customer-edge-facing interfaces are on a 76k
with 7600-ES20-GE and 7600-ES20-10G; AFAIK these cards don't support
storm-control. What other variants and options do I have for limiting this
garbage before it gets to my network?

TIA

Hash

From amolsapkal at gmail.com Sat Aug 16 10:31:59 2008
From: amolsapkal at gmail.com (Amol Sapkal)
Date: Sat, 16 Aug 2008 18:31:59 +0400
Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
Message-ID:

Hello all,

I am looking at a firewall configuration, which has multiple DMZs.
Of these, here are the configurations for three DMZs:

DMZ A: security level 50
DMZ B: security level 20
DMZ C: security level 0

Subnet X belongs to DMZ A
Subnet Y belongs to DMZ B
Subnet Z belongs to DMZ C

Rules:
Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using ACL)
Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A access-list
On DMZ C, there is a 'permit ip any any' (incoming access-list)

PIX software: v7.2(1)

Analysis:
Because subnet X is 'nat exempted', it will translate as-is for any traffic
originating towards and from (bi-directional behaviour) the subnet Y. BUT,
this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A subnet
tries to direct any traffic towards DMZ C subnet).

Understanding:
Given the above configuration (and my analysis), if there is any traffic
originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
Also, if there is any traffic originating from DMZ C to DMZ A (lower to
higher), the traffic will be allowed because the ACLs allow those and because
the NAT exemption rule will translate the subnet on all DMZs (assuming there
was an attempt initially to send traffic towards DMZ C, from DMZ A).

It's been a year now since I touched a PIX, and now I am unable to remember
how this works. It would be nice if someone here could help me validate my
understanding of the above.

Thanks in advance.
--
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind gets pretty crowded"
-------------------------------------------------------------------

From hashng at gmail.com Sat Aug 16 11:09:56 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sat, 16 Aug 2008 18:09:56 +0300
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
Message-ID:

Hi guys

I am trying to find a feature that will be able to replace Route Bridge
Encapsulation, because we are migrating to 12.2S and it does not support that
feature. Any thoughts or ideas will be useful. Thanks

TIA

Hash

From gert at greenie.muc.de Sat Aug 16 11:29:21 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 16 Aug 2008 17:29:21 +0200
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
References:
Message-ID: <20080816152921.GL288@greenie.muc.de>

Hi,

On Mon, Aug 11, 2008 at 05:08:23PM -0400, Joe Loiacono wrote:
> PS - Should I worry (a lot) about being at or slightly above the 40 Km
> distance?

The key question is, how much loss (in dB) do you have on that line, and on
the tolerances of the X2 optics in question - a "best case" X2 will transmit
with +4.0 dBm, while a "worst case" X2 will transmit with -4.7 dBm, according
to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0btransc.html

- so with a receiver sensitivity of -15.8 dBm, you have a power budget of
11.1 dB to 19.8 dB.

11.1 dB is very tight for a 40km span - you need good fibers, and nearly no
patches in between (every patch brings about 0.5 dB loss).

You need to ask your carrier about the attenuation of the fiber path.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From gert at greenie.muc.de Sat Aug 16 11:31:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 16 Aug 2008 17:31:39 +0200
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To:
References:
Message-ID: <20080816153139.GM288@greenie.muc.de>

Hi,

On Sat, Aug 16, 2008 at 06:09:56PM +0300, Hash Aminu wrote:
> I am trying to find a Feature that will be able to replace Route bridge
> Encapsulation..because we are migrating to the 12.2S and does not support
> that feature..any thoughts or Ideas will be useful. Thanks

Makes me wonder why you would want to migrate to a dead IOS train that
doesn't deliver what you want...

But if you insist on feeling the pain, the alternative to RBE is "classical"
ATM bridging - set up a BVI interface, a bridge-group, and put the ATM VC
into the bridge group. Nasty, does not scale well (maximum of 255
bridge-groups), and much more convoluted configuration.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mksmith at adhost.com Sat Aug 16 11:43:51 2008
From: mksmith at adhost.com (Michael Smith)
Date: Sat, 16 Aug 2008 08:43:51 -0700
Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
In-Reply-To:
Message-ID:

Hello Amol:

By my reading you are correct. The basic rule is "NAT from higher to lower,
ACL from lower to higher." You have to have NAT translations when going from
a higher security level to a lower security level, so from DMZ A to DMZ B or
C in your example.
If you don't want that traffic to be translated, you'll need a NAT statement
that exempts all traffic back and forth between the two security areas. As an
example:

nat (dmz-c) 0 access-list to-dmz-b
nat (dmz-b) 0 access-list to-dmz-c

access-list to-dmz-b permit ip
access-list to-dmz-c permit ip

These would be in addition to any translations you *want* to occur, using
'nat (interface) 1'.

Hope that helps,

Mike

> From: Amol Sapkal
> Date: Sat, 16 Aug 2008 18:31:59 +0400
> To: cisco-nsp
> Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
>
> Hello all,
>
> I am looking at a firewall configuration, which has multiple DMZs. Of these,
> here are the configurations for three DMZs
>
> DMZ A: security level 50
> DMZ B: security level 20
> DMZ C: security level 0
>
> Subnet X belongs to DMZ A
> subnet Y belongs to DMZ B
> Subnet Z belongs to DMZ C
>
> Rules:
> Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using
> ACL)
> Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A
> access-list
> On DMZ C, there is a 'permit ip any any' (incoming access-list)
>
> PIX software: v7.2(1)
>
> Analysis:
> Because subnet X is 'nat exempted', it will translate as-is for any traffic
> originating towards and from (bi-directional behaviour) the subnet Y. BUT,
> this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A
> subnet tries to direct any traffic towards DMZ C subnet).
>
> Understanding:
> Given the above configuration (and my analysis), if there is any traffic
> originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
> Also, if there any traffic originating from DMZ C to DMZ A (lower to
> higher), the traffic will be allowed because the ACLs allow those and
> because the NAT exemption rule will translate the subnet on all DMZs
> (assuming there was an attempt initially to send traffic towards DMZ C, from
> DMZ A)
>
> It's been a year now that I touched a PIX, and now am unable to remember how
> this works.
Would be nice if someone here could help me validate my
> understanding of the above.
>
> Thanks in advance.
>
>
> --
> Warm regards,
>
> Amol Sapkal
>
> -------------------------------------------------------------------
> "When I'm not in my right mind, my left mind
> gets pretty crowded"
> -------------------------------------------------------------------

From jason at pins.net Sat Aug 16 14:13:28 2008
From: jason at pins.net (Jason Berenson)
Date: Sat, 16 Aug 2008 14:13:28 -0400
Subject: [c-nsp] Verizon TLS
In-Reply-To: <20080816033703.GA28942@pwns.ms>
References: <20080816033703.GA28942@pwns.ms>
Message-ID: <48A718C8.5000505@pins.net>

Huh? FA0/0 connects directly to the TLS and FA0/1 connects to the customer
switch. The TLS passes through the router before it ever hits their public
switch.

list-cisco-nsp at pwns.ms wrote:
>> Servers
>>
>>    |
>> 7206VXR ---------TLS-------- 2651XM ------- Public switch -------
>> Firewall ------- LAN
>>
>> CPE config:
>>
>> interface FastEthernet0/0
>>  desc TLS side
>>  no ip address
>>  speed 100
>>  full-duplex
>> !
>> interface FastEthernet0/0.xxx
>>  encapsulation dot1Q xxx
>>  ip address 192.168.1.2 255.255.255.252
>>  (rate limit to 10M)
>>  no cdp enable
>>
> [snip]
>
>> ip route 0.0.0.0 0.0.0.0 192.168.1.1
>>
>
> Your diagram and config conflict with each other; according to the config,
> you're routing to the TLS *through* the switch. According to the diagram,
> the 2651XM is directly connected to the TLS, and is directly connected to
> the switch.
>
> My guess is that the switch leaks traffic between VLANs. The easiest
> workaround is probably just to connect the 2651XM directly to the TLS. They
> didn't have the problem with the T1s since they weren't going through the
> switch.
>

From ben.steele at internode.on.net Sat Aug 16 19:35:37 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Sun, 17 Aug 2008 09:05:37 +0930
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com><20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

Dan, the reason you're having issues is not MTU related, it's NAT related:
because you have 3 ADSL lines each doing NAT against a different outside IP,
when you turn on per-packet load sharing you end up with flows to the same
destination having different source IP addresses.

Your only option is per-destination load balancing (i.e. the default). One
way you can tweak this a little without breaking too much is to change the
standard algorithm to include ports. Try adding "ip cef load-sharing
algorithm include-ports destination" into your global config once you've
removed your per-packet load sharing and see how you go.

You are never going to get perfect load balancing in your scenario, but if
you have enough hosts on your LAN it should be sufficient enough. One way you
can do per-packet is if you get another IP routed down all 3 adsl lines and
put it on a loopback and NAT everything against that.

Ben

----- Original Message -----
From: "Dan Letkeman"
To: "Rodney Dunn" ;
Sent: Saturday, August 16, 2008 3:29 AM
Subject: Re: [c-nsp] ip cef load sharing

> Still seem to have the same problem even with this:
>
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  ip tcp adjust-mss 1300
>  duplex auto
>  speed auto
>
>
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  ip load-sharing per-packet
>  duplex auto
>  speed auto
>
> Dan.
>
> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>>> ip load-sharing per-packet
>>>
>>> I tried adding this to F0/1 and the trace route works now (it randomly
>>> picks either line), but there seems to be issues with maybe the MTU?
>>> If I try to browse websites I get page errors and some of the pictures
>>> and pages don't load.
>>
>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>> ingress interface from the LAN.
>>
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Dan.
>>>
>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>>> > Try ip load-sharing per-packet on both egress interfaces.
>>> >
>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>> >> Hello,
>>> >>
>>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>>> >> it randomly picks a dsl line and seems to work fine. But when I do
>>> >> traceroute tests from a workstation it always seems to take the same
>>> >> adsl line. Is there something else I need to add to the
>>> >> configuration
>>> >> to make it pick random lines, or is there a timeout of some sorts
>>> >> before it will select the next ip route
>>> >>
>>> >> Here is my config:
>>> >>
>>> >> !
>>> >> interface FastEthernet0/0
>>> >>  ip address 10.1.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> interface FastEthernet0/1
>>> >>  ip address 192.168.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> ip http server
>>> >> ip classless
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>> >> !
>>> >>
>>> >> The two adsl modem/routers I have are 192.168.10.10, and
>>> >> 192.168.10.11
>>> >>
>>> >> Thanks,
>>> >> Dan.
>>> >
>>
>

From fbulk at nwc.com Sun Aug 17 00:05:04 2008
From: fbulk at nwc.com (Frank Bulk)
Date: Sat, 16 Aug 2008 23:05:04 -0500
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com><20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

There are a couple of companies that can help with this, too, though it's not
Cisco-related:
http://www.sharedband.com/
http://www.mushroomnetworks.com/
http://www.xrio.com/website/

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Saturday, August 16, 2008 6:36 PM
To: Dan Letkeman; Rodney Dunn; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip cef load sharing

Dan, the reason you're having issues is not MTU related, it's NAT related:
because you have 3 ADSL lines each doing NAT against a different outside IP,
when you turn on per-packet load sharing you end up with flows to the same
destination having different source IP addresses.

Your only option is per-destination load balancing (i.e. the default). One
way you can tweak this a little without breaking too much is to change the
standard algorithm to include ports. Try adding "ip cef load-sharing
algorithm include-ports destination" into your global config once you've
removed your per-packet load sharing and see how you go.
You are never going to get perfect load balancing in your scenario, but if
you have enough hosts on your LAN it should be sufficient enough. One way you
can do per-packet is if you get another IP routed down all 3 adsl lines and
put it on a loopback and NAT everything against that.

Ben

----- Original Message -----
From: "Dan Letkeman"
To: "Rodney Dunn" ;
Sent: Saturday, August 16, 2008 3:29 AM
Subject: Re: [c-nsp] ip cef load sharing

> Still seem to have the same problem even with this:
>
> interface FastEthernet0/0
>  ip address 10.1.10.1 255.255.255.0
>  ip tcp adjust-mss 1300
>  duplex auto
>  speed auto
>
>
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
>  ip load-sharing per-packet
>  duplex auto
>  speed auto
>
> Dan.
>
> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>>> ip load-sharing per-packet
>>>
>>> I tried adding this to F0/1 and the trace route works now (it randomly
>>> picks either line), but there seems to be issues with maybe the MTU?
>>> If I try to browse websites I get page errors and some of the pictures
>>> and pages don't load.
>>
>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>> ingress interface from the LAN.
>>
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Dan.
>>>
>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>>> > Try ip load-sharing per-packet on both egress interfaces.
>>> >
>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>> >> Hello,
>>> >>
>>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>>> >> it randomly picks a dsl line and seems to work fine. But when I do
>>> >> traceroute tests from a workstation it always seems to take the same
>>> >> adsl line.
Is there something else I need to add to the
>>> >> configuration
>>> >> to make it pick random lines, or is there a timeout of some sorts
>>> >> before it will select the next ip route
>>> >>
>>> >> Here is my config:
>>> >>
>>> >> !
>>> >> interface FastEthernet0/0
>>> >>  ip address 10.1.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> interface FastEthernet0/1
>>> >>  ip address 192.168.10.1 255.255.255.0
>>> >>  duplex auto
>>> >>  speed auto
>>> >> !
>>> >> ip http server
>>> >> ip classless
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>> >> !
>>> >>
>>> >> The two adsl modem/routers I have are 192.168.10.10, and
>>> >> 192.168.10.11
>>> >>
>>> >> Thanks,
>>> >> Dan.
>>> >
>>
>

From hashng at gmail.com Sun Aug 17 04:55:00 2008
From: hashng at gmail.com (Hash Aminu)
Date: Sun, 17 Aug 2008 11:55:00 +0300
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <20080816153139.GM288@greenie.muc.de>
References: <20080816153139.GM288@greenie.muc.de>
Message-ID:

Hi Gert,

Thank you for the response. We are moving to 12.0S (7500 router to have
L2VPN support, which is not supported on the 12.4T that supports the RBE). I
just checked the Cisco FN and classical bridging is not supported on the "S"
train.
Any more inputs will be appreciated.

Thanks

Hash

On Sat, Aug 16, 2008 at 6:31 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Aug 16, 2008 at 06:09:56PM +0300, Hash Aminu wrote:
> > I am trying to find a Feature that will be able to replace Route bridge
> > Encapsulation..because we are migrating to the 12.2S and does not support
> > that feature..any thoughts or Ideas will be useful. Thanks
>
> Makes me wonder why you would want to migrate to a dead IOS train that
> doesn't deliver what you want...
>
> But if you insist on feeling the pain, the alternative to RBE is
> "classical"
> ATM bridging - setup a BVI interface, a bridge-group, and put the ATM VC
> into the bridge group. Nasty, does not scale well (maximum of 255 bridge-
> groups), and much more convoluted configuration.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From gert at greenie.muc.de Sun Aug 17 05:05:30 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 17 Aug 2008 11:05:30 +0200
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To:
References: <20080816153139.GM288@greenie.muc.de>
Message-ID: <20080817090530.GP288@greenie.muc.de>

Hi,

On Sun, Aug 17, 2008 at 11:55:00AM +0300, Hash Aminu wrote:
> Thank you for the response, we are moving to 12.0S (7500 router to have a
> L2VPN support which is not supported on the 12.4T that supports the RBE).

From the comments seen on this list, I don't think that any sort of L2VPN on
7500s is a good idea. 7500 is pretty much a dead and unsupported platform
these days.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From sami.joseph at gmail.com Sun Aug 17 18:41:07 2008
From: sami.joseph at gmail.com (Sami Joseph)
Date: Mon, 18 Aug 2008 01:41:07 +0300
Subject: [c-nsp] MPLS VPN QoS on a SP core
Message-ID: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com>

Hello,

Is there a way to provide QoS for a specific VPN in an MPLS VPN core?

Thanks,
Sam

From danletkeman at gmail.com Sun Aug 17 19:15:09 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 17 Aug 2008 18:15:09 -0500
Subject: [c-nsp] content filter placement in data center
Message-ID:

Hello,

I have a few questions regarding content filter placement and routing in the
data center. I would like to place our content/spyware/web filter in our data
center, but I would like to place it in such a way that if it fails or has
problems it does not take everything down.

Currently I have a Cisco router with two fast ethernet interfaces, and I have
two internet connections to different ISPs. One of the connections is used
for download for all of the users and the other connection is used for
services (www, ftp, mail, etc). On the Cisco router I am policy routing for
those services and for the users. The current content filter is inline with
the router and the rest of the network as a default route on the switch.

3560switch-------content filter-----------router--------internet (isp1)
                                            |
                                            -------------internet (isp2)

Is there a way to connect it to the router and use policy routing, and the
verify availability option, so that if the content filter is down the system
still works without it?

Thanks,
Dan.
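An added configuration example of the "verify availability" approach asked about in the message above; it was assembled for this archive and is not taken from any message in the thread. It assumes the content filter's ingress interface is reachable from the router at 10.1.20.2 via FastEthernet0/1, that the user LAN enters the router on FastEthernet0/0 as 10.1.10.0/24 (constructed addresses and interface names), and that the IOS image supports `ip sla` and object tracking; older images name the same features `rtr` and `ip sla monitor`.

```cisco
! Probe the content filter's ingress address every 5 seconds
! (10.1.20.2 and FastEthernet0/1 are assumed values)
ip sla 1
 icmp-echo 10.1.20.2 source-interface FastEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe; damp it so a single lost
! reply does not flap the policy
track 1 ip sla 1 reachability
 delay up 30 down 10
!
! User traffic that must pass through the filter (assumed subnet)
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
!
! Policy-route matching traffic to the filter only while track 1 is up.
! When the track is down the set clause is ignored and the packet
! follows the normal routing table, so a filter failure degrades to
! unfiltered forwarding rather than to an outage.
route-map TO-FILTER permit 10
 match ip address 110
 set ip next-hop verify-availability 10.1.20.2 10 track 1
!
interface FastEthernet0/0
 description LAN side (from the 3560)
 ip policy route-map TO-FILTER
!
! Operational checks:
!  show track 1              - current state and last change
!  show route-map TO-FILTER  - policy match counters
```

Two consequences of this design are worth stating plainly. First, the route-map only acts on packets entering FastEthernet0/0 from the LAN; return traffic from the Internet follows the ordinary routing table and is not steered by this map. Second, because the failure mode is deliberately fail-open, nothing in the data path announces that traffic is bypassing the filter, so the track state (`show track 1`, or the syslog messages the tracking process emits on state change) needs to be monitored as its own alarm.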
From adrian at creative.net.au Sun Aug 17 19:17:33 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Mon, 18 Aug 2008 07:17:33 +0800
Subject: [c-nsp] content filter placement in data center
In-Reply-To:
References:
Message-ID: <20080817231733.GG4568@skywalker.creative.net.au>

On Sun, Aug 17, 2008, Dan Letkeman wrote:

> Is there a way to connect it to the router and use policy routing, and
> the verify availability option so that if the content filter is down
> the system still works with out it?

Yes.

* Does the content filter speak WCCPv2? Or can you glue it to Squid?
  If so, try WCCPv2.

* Otherwise, see if your platform/IOS supports object tracking and
  conditional route maps. You can set things up to use a route-map
  (or route!) if a destination host is reachable via ICMP.

The archives have details on both of these.

Adrian

From andy.saykao at staff.netspace.net.au Sun Aug 17 21:09:47 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 18 Aug 2008 11:09:47 +1000
Subject: [c-nsp] IP/MPLS Design Resource
Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365486E@vic-cr-ex1.staff.netspace.net.au>

Hi Junaid,

Welcome to the world of MPLS. I'm currently going through the same thing and
have been designing and fine tuning our MPLS network for the past few months.
The guys on NSP are very knowledgeable, so if you get stuck, try posting on
the forum. Special thanks to Oli, who's been helping me a fair bit :)

Here's a book I recommend. Read the first few chapters to give you a good
foundation.

* MPLS Fundamentals by Luc De Ghein

Also nothing beats some hands-on experience, and these labs are a great
introduction. I used GNS3 to simulate these labs (http://www.gns3.net/).

* MPLS Series - Vol. 1 - Basic MPLS
  http://blog.humanmodem.com/?p=115

* MPLS Series - Vol.
2 - MPLS VPN
  http://blog.humanmodem.com/?p=121

I also went through the Cisco PEC (Partner Education Connection) web site and
listened to most of this series:

* Implementing Cisco Multi-Protocol Label Switching (MPLS) 2.1 - EXPRESS
  http://www.cisco.com/web/learning/le36/learning_partner_e-learning_connection_tool_launch.html

--
Regards,

Andy Saykao
System Administrator
Netspace Online Systems
Ph : 03 9811 0049
Mob : 0401 422 406
Fax : 03 9811 0044
Email: andy.saykao at staff.netspace.net.au

-----Original Message-----
Message: 4
Date: Sat, 16 Aug 2008 11:03:16 +0600
From: Junaid
Subject: [c-nsp] IP/MPLS Design Resource
To: cisco-nsp
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Can you please recommend/refer me to some good books/online-resource on
IP/MPLS design? I am thinking of making an investment and buying a few books.
Will appreciate if you can recommend any titles.

Thanks.

Regards,
Junaid

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this email
by mistake and delete this email from your system. Please note that any views
or opinions presented in this email are solely those of the author and do not
necessarily represent those of the organisation. Finally, the recipient
should check this email and any attachments for the presence of viruses. The
organisation accepts no liability for any damage caused by any virus
transmitted by this email.

From adrian at enfusion-group.com Sun Aug 17 21:43:04 2008
From: adrian at enfusion-group.com (Adrian Chung)
Date: Sun, 17 Aug 2008 21:43:04 -0400
Subject: [c-nsp] IBM CIGESM aggregation and Private VLANs.
Message-ID:

Apologies if this has been discussed before on this list; feel free to point
me in the right direction, though the usual searches didn't turn anything up.
A couple of questions about Private VLANs between PVLAN-speaking switches and
non-PVLAN-speaking switches.

In the process of setting up a couple of Cisco Intelligent Gigabit Ethernet
Switch Modules - these are the Cisco 2950-like switches that come as a modular
option in IBM Blade Center server chassis. They have 4 external uplink ports
and no private VLAN support.

We're connecting them up to a couple of 6500s over port-channelled bundles
but are running up against questions surrounding private VLANs and trunking,
particularly between switches which do and do not support PVLANs.

For argument's sake, let's say the 6500s have an isolated PVLAN numbered 101,
where the primary is 100. On the CIGESM side, there is no support for PVLANs,
and the blades themselves only have 2 NICs. Because there are more than 2
VLANs to carry into each blade, the OS is configured for VLAN tagging.

In testing, if we tag VLAN 101 in the OS, no communication to other isolated
or promiscuous PVLAN ports happens across the trunk on the 6500. If we tag
VLAN 100 in the OS, the OS has communication to all of the promiscuous ports
and none of the other isolated ports, just like a proper isolated PVLAN port
would.

If I check the mac-address-table on the CIGESM trunk-port side, I see both
entries for VLAN 100 (mapping back, all correspond to promiscuous ports) and
VLAN 101 (mapping back, corresponding to isolated ports).

Weird thing is, even if an interface tagged VLAN 101 is brought up in the OS,
and a tcpdump is run on it, no traffic from other isolated PVLAN 101 ports is
ever seen.

A couple of questions around this behaviour:

1. Does anyone actually know how PVLANs are tagged and carried across a
   regular trunk? Is it simply tagged with the appropriate primary or
   secondary VLAN tags and expected that the receiving switch understands
   PVLANs and maps the secondaries the same way as the sender?

2.
The scenario above with the OS tagging the primary VLAN but still seemingly maintaining isolation from other isolated ports and being able to reach promiscuous ports is technically fine, but what security issues surround this configuration? Cisco's documentation touches upon making sure that all switches involved in PVLAN trunking support PVLANs to ensure that no security is lost... 3. Does anyone else use CIGESMs and have requirements to see more than two VLANs inside the OS which are a mix of both regular and PVLAN ports, and if so, how do you configure your environment? (As an aside, this particular H blade chassis supports additional CIGESM modules and the blades can take an additional two NICs, which would mean we could have 4 CIGESMs and the problem goes away -- except for the fact that that means there's no room for Fiber Channel connectivity, which is also a requirement). -- Adrian Chung

From danletkeman at gmail.com Sun Aug 17 21:45:28 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Sun, 17 Aug 2008 20:45:28 -0500 Subject: [c-nsp] content filter placement in data center In-Reply-To: <20080817231733.GG4568@skywalker.creative.net.au> References: <20080817231733.GG4568@skywalker.creative.net.au> Message-ID: I'm still a bit confused as to how I would connect this to the router? The filter appliance has an ingress and egress interface and only works in this configuration. Would I route-map incoming traffic and outgoing traffic to and from the router? I would like to make sure all incoming and outgoing traffic is filtered. I'm visualizing this configuration:

                      --------------internet
                      |
switch----------router---------content filter
                      |
                      --------------wccp cache

So if I route-map source ip's(workstations) to the content filter, the content filter will redirect the traffic back to the router and out the default route to the internet, but do I need to route-map the internet traffic back to the content filter?
If I don't, won't the traffic just go back into the network unfiltered? Would I be better off using my current configuration and rather setting up an object track between the switch and router with an alternate route? eg:

switch----------content filter------------router-------------internet
  |                                                |
  -------------------------------------------------

Thanks, Dan. On Sun, Aug 17, 2008 at 6:17 PM, Adrian Chadd wrote: > On Sun, Aug 17, 2008, Dan Letkeman wrote: > >> Is there a way to connect it to the router and use policy routing, and >> the verify availability option so that if the content filter is down >> the system still works without it? > > Yes. > > * Does the content filter speak WCCPv2? Or can you glue it to Squid? > If so, try WCCPv2. > > * Otherwise, see if your platform/IOS supports object tracking and > conditional route maps. You can set things up to use a route-map > (or route!) if a destination host is reachable via ICMP. > > The archives have details on both of these. > > > Adrian > >

From swmike at swm.pp.se Mon Aug 18 01:41:48 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 18 Aug 2008 07:41:48 +0200 (CEST) Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> Message-ID: On Mon, 18 Aug 2008, Sami Joseph wrote: > Is there a way to provide QoS for a specific VPN in an MPLS VPN Core? Yes. Depends on what you want, but you can for instance mark MPLS EXP for the traffic in a certain VPN and treat those packets differently in your core. -- Mikael Abrahamsson email: swmike at swm.pp.se

From Toby.Burrows at qubenet.net Mon Aug 18 04:51:57 2008 From: Toby.Burrows at qubenet.net (Toby Burrows (Qube)) Date: Mon, 18 Aug 2008 09:51:57 +0100 Subject: [c-nsp] 11503 ssl redundancy synch Message-ID: Hi all, I have 2 css11503's in active/passive redundancy config.
When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck. The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy, the question is should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something? Thanks in advance Toby Burrows Network Engineer Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71 This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person. Please consider the environment - do you really need to print this email?

From sami.joseph at gmail.com Mon Aug 18 05:04:57 2008 From: sami.joseph at gmail.com (Sami Joseph) Date: Mon, 18 Aug 2008 12:04:57 +0300 Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> Message-ID: <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> Hi Mikael, I am not going to do it in my core but I'm just curious how this is done? So I guess if we want to differentiate between VPNs in my core then we need a lot of different classes which is not really available and that's what makes it difficult? Thanks, Sam On Mon, Aug 18, 2008 at 8:41 AM, Mikael Abrahamsson wrote: > On Mon, 18 Aug 2008, Sami Joseph wrote: > > Is there a way to provide QoS for a specific VPN in an MPLS VPN Core? >> > > Yes.
> > Depends on what you want, but you can for instance mark MPLS EXP for the > traffic in a certain VPN and treat those packets differently in your core. > > -- > Mikael Abrahamsson email: swmike at swm.pp.se >

From rblayzor.bulk at inoc.net Mon Aug 18 05:30:54 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Mon, 18 Aug 2008 05:30:54 -0400 Subject: [c-nsp] Nasty PIX 6.3 bug Message-ID: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net> If anyone still has PIX's out there running 6.3(5) we had a pair of 525's nailed by this nasty bug: http://tinyurl.com/5wovce We've been running 6.3 for years and only after all the recent DNS exploits did we see this one start hitting us. The only way to fix it is to upgrade to 7.x or get the maint/patch train from TAC. If you have any DNS servers behind your PIX with a lot of clients querying through your firewalls, you might want to get this taken care of ASAP before your PIX's get jammed at 100% CPU load indefinitely. Also stateful failover kindly transfers the 100% load over to the standby box as well. -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/

From swmike at swm.pp.se Mon Aug 18 05:50:27 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 18 Aug 2008 11:50:27 +0200 (CEST) Subject: [c-nsp] MPLS VPN QoS on a SP core In-Reply-To: <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com> <9da37ec40808180204k5dc61621gb4f26c1394501b3@mail.gmail.com> Message-ID: On Mon, 18 Aug 2008, Sami Joseph wrote: > Hi Mikael, > > I am not going to do it in my core but I'm just curious how this is done? > > So I guess if we want to differentiate between VPNs in my core then we need > a lot of different classes which is not really available and that's what makes > it difficult? QoS has many meanings.
For me at least, it's implemented by packet marking at ingress and per-hop queuing decisions made by core routers, where the marking influences which queue a packet should be put into. I always recommend a KISS (keep it simple stupid) approach: the fewer classes you have, the less complicated it is to handle. Best of all is to make sure your statistical overbooking means you never have lines that are full, thus negating the need for QoS altogether. I'd say a reasonable number of queues/classes is around 4-6: one for VoIP, one for Video, one for priority data (interactive applications) and then a best-effort class. You might want to put all your VPN traffic into priority data and let your Internet users get a lower SLA if you mix Internet and VPN traffic in your core. -- Mikael Abrahamsson email: swmike at swm.pp.se

From rblayzor.bulk at inoc.net Mon Aug 18 05:24:26 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Mon, 18 Aug 2008 05:24:26 -0400 Subject: [c-nsp] Fwd: Alternative to RBE (Route Bridge Encapsulation) - 2nd try In-Reply-To: References: Message-ID: <350FA2C6-F18B-4B47-B2BC-CDC085BC501D@inoc.net> On Aug 16, 2008, at 11:09 AM, Hash Aminu wrote: > I am trying to find a Feature that will be able to replace Route > bridge > Encapsulation..because we are migrating to the 12.2S and does not > support > that feature..any thoughts or Ideas will be useful. Thanks Just what are you trying to accomplish? As previously mentioned the 7500 is EoS. You may want to look at a 7200 NPE-Gx running 12.2SB. Then you can keep RBE. -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/

From gsinl at yahoo.com Mon Aug 18 06:13:08 2008 From: gsinl at yahoo.com (Gaurav Prakash) Date: Mon, 18 Aug 2008 15:43:08 +0530 (IST) Subject: [c-nsp] MPLS VPN QoS on a SP core Message-ID: <260492.45372.qm@web94003.mail.in2.yahoo.com> Hi, There are ways to do it.. typically 3 modes..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hmp_c/part15/hdtmode.htm Basically we cash in on the feature of MPLS EXP bits used to mark/classify packets and treat them accordingly. Regards, Gaurav Prakash Save our Earth

----- Original Message ---- From: "cisco-nsp-request at puck.nether.net" To: cisco-nsp at puck.nether.net Sent: Monday, 18 August, 2008 2:34:58 PM Subject: cisco-nsp Digest, Vol 69, Issue 54

Send cisco-nsp mailing list submissions to cisco-nsp at puck.nether.net To subscribe or unsubscribe via the World Wide Web, visit https://puck.nether.net/mailman/listinfo/cisco-nsp or, via email, send a message with subject or body 'help' to cisco-nsp-request at puck.nether.net You can reach the person managing the list at cisco-nsp-owner at puck.nether.net When replying, please edit your Subject line so it is more specific than "Re: Contents of cisco-nsp digest..."

Today's Topics:
1. MPLS VPN QoS on a SP core (Sami Joseph)
2. content filter placement in data center (Dan Letkeman)
3. Re: content filter placement in data center (Adrian Chadd)
4. Re: IP/MPLS Design Resource (Andy Saykao)
5. IBM CIGESM aggregation and Private VLANs. (Adrian Chung)
6. Re: content filter placement in data center (Dan Letkeman)
7. Re: MPLS VPN QoS on a SP core (Mikael Abrahamsson)
8. 11503 ssl redundancy synch (Toby Burrows (Qube))
9. Re: MPLS VPN QoS on a SP core (Sami Joseph)

----------------------------------------------------------------------
Message: 1 Date: Mon, 18 Aug 2008 01:41:07 +0300 From: "Sami Joseph" Subject: [c-nsp] MPLS VPN QoS on a SP core To: Cisco-nsp Message-ID: <9da37ec40808171541x7c168f1br359e6491e98131cd at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Hello, Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?
Thanks, Sam

------------------------------
Message: 2 Date: Sun, 17 Aug 2008 18:15:09 -0500 From: "Dan Letkeman" Subject: [c-nsp] content filter placement in data center To: cisco-nsp at puck.nether.net Message-ID: Content-Type: text/plain; charset=ISO-8859-1 Hello, I have a few questions regarding content filter placement and routing in the data center. I would like to place our content/spyware/web filter in our data center, but I would like to place it in such a way that if it fails or has problems that it does not take everything down. Currently I have a Cisco router with two fast ethernet interfaces, and I have two internet connections to different ISP's. One of the connections is used for download for all of the users and the other connection is used for services (www, ftp, mail, etc). On the cisco router I am policy routing for those services and for the users. The current content filter is inline with the router and the rest of the network as a default route on the switch.

3560switch-------content filter-----------router--------internet (isp1)
                                                         |
                                                         -------------internet (isp2)

Is there a way to connect it to the router and use policy routing, and the verify availability option so that if the content filter is down the system still works without it? Thanks, Dan.

------------------------------
Message: 3 Date: Mon, 18 Aug 2008 07:17:33 +0800 From: Adrian Chadd Subject: Re: [c-nsp] content filter placement in data center To: Dan Letkeman Cc: cisco-nsp at puck.nether.net Message-ID: <20080817231733.GG4568 at skywalker.creative.net.au> Content-Type: text/plain; charset=us-ascii On Sun, Aug 17, 2008, Dan Letkeman wrote: > Is there a way to connect it to the router and use policy routing, and > the verify availability option so that if the content filter is down > the system still works without it? Yes. * Does the content filter speak WCCPv2? Or can you glue it to Squid? If so, try WCCPv2.
* Otherwise, see if your platform/IOS supports object tracking and conditional route maps. You can set things up to use a route-map (or route!) if a destination host is reachable via ICMP. The archives have details on both of these. Adrian

------------------------------
Message: 4 Date: Mon, 18 Aug 2008 11:09:47 +1000 From: "Andy Saykao" Subject: Re: [c-nsp] IP/MPLS Design Resource To: , Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365486E at vic-cr-ex1.staff.netspace.net.au> Content-Type: text/plain; charset="us-ascii" Hi Junaid, Welcome to the world of MPLS. I'm currently going through the same thing and have been designing and fine tuning our MPLS network for the past few months. The guys on NSP are very knowledgeable so if you get stuck, try posting on the forum. Special thanks to Oli who's been helping me a fair bit :) Here's a book I recommend. Read the first few chapters to give you a good foundation.
* MPLS Fundamentals by Luc De Ghein
Also nothing beats some hands on experience and these labs are a great introduction. I used GNS3 to simulate these labs (http://www.gns3.net/).
* MPLS Series - Vol. 1 - Basic MPLS http://blog.humanmodem.com/?p=115
* MPLS Series - Vol. 2 - MPLS VPN http://blog.humanmodem.com/?p=121
I also went through the Cisco PEC (Partner Education Connection) web site and listened to most of this series:
* Implementing Cisco Multi-Protocol Label Switching (MPLS) 2.1 - EXPRESS http://www.cisco.com/web/learning/le36/learning_partner_e-learning_connection_tool_launch.html
-- Regards, Andy Saykao System Administrator Netspace Online Systems Ph : 03 9811 0049 Mob : 0401 422 406 Fax : 03 9811 0044 Email: andy.saykao at staff.netspace.net.au -----Original Message----- Message: 4 Date: Sat, 16 Aug 2008 11:03:16 +0600 From: Junaid Subject: [c-nsp] IP/MPLS Design Resource To: cisco-nsp Message-ID:
Content-Type: text/plain; charset=ISO-8859-1 Hi, Can you please recommend/refer me to some good books/online-resource on IP/MPLS design? I am thinking of making an investment and buying a few books. Will appreciate if you can recommend any titles. Thanks. Regards, Junaid This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

------------------------------
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp End of cisco-nsp Digest, Vol 69, Issue 54 *****************************************
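Mikael's answer (mark MPLS EXP for one VPN at the PE, queue on EXP in the core) and Gaurav's pointer to the EXP tunneling modes, written out as an added IOS configuration. This is not configuration from any post in the thread; the VRF name GOLD, the interface names and addresses, the EXP values and the bandwidth percentages are all assumptions.

```ios
! Added example, not from the thread. Assumptions: VRF "GOLD" on the PE,
! customer-facing subinterface Gi0/1.100, Internet-facing Gi0/2,
! core-facing Gi0/0, EXP 4 for the GOLD VPN, EXP 5 reserved for voice.
!
! ---- PE, customer-facing side: mark everything entering VRF GOLD ----
! "match any" on the VRF subinterface ties the marking to the VPN rather
! than to whatever DSCP/precedence the customer chose to send.
class-map match-all VRF-GOLD-ANY
 match any
!
policy-map PE-IN-GOLD
 class VRF-GOLD-ANY
  set mpls experimental imposition 4
!
interface GigabitEthernet0/1.100
 description CE of customer GOLD
 encapsulation dot1Q 100
 ip vrf forwarding GOLD
 ip address 10.0.100.1 255.255.255.252
 service-policy input PE-IN-GOLD
!
! ---- PE, Internet side: force EXP 0 so peer/customer-set precedence
! cannot buy a place in the core's priority queues ----
policy-map PE-IN-INTERNET
 class VRF-GOLD-ANY
  set mpls experimental imposition 0
!
interface GigabitEthernet0/2
 description Internet transit / peering
 service-policy input PE-IN-INTERNET
!
! ---- P/PE, core-facing side: per-hop behaviour keyed on EXP only ----
class-map match-any CORE-VOICE
 match mpls experimental topmost 5
class-map match-any CORE-PRIO-DATA
 match mpls experimental topmost 4
!
! 20 + 30 + 20 = 70 percent, inside the default 75 percent reservable
! bandwidth, so the policy attaches without raising max-reserved-bandwidth.
policy-map CORE-OUT
 class CORE-VOICE
  priority percent 20
 class CORE-PRIO-DATA
  bandwidth percent 30
 class class-default
  bandwidth percent 20
  random-detect
!
interface GigabitEthernet0/0
 description core link
 mpls ip
 service-policy output CORE-OUT
```

Two points matter for security rather than for queuing. By default IOS copies the IP precedence of an incoming packet into the EXP field of the imposed label, so without the ingress policies above a customer or an Internet peer who marks its own packets precedence 5 lands in your voice queue; overwriting EXP at imposition makes the core trust only PE-set markings. Second, `priority` rate-limits the voice class only while the link is congested, so if a hard cap is wanted it has to be policed at the PE ingress. The three modes Gaurav refers to are the MPLS DiffServ tunneling modes (uniform, pipe, short pipe); they decide whether the EXP value is written back into the customer's DSCP at the egress PE. The configuration above does nothing at disposition, so the customer's DSCP leaves the core as it entered, which is what a provider normally wants.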
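Adrian's suggestion for Dan's inline content filter (object tracking plus a conditional route-map, messages 2, 3 and 6 of the digest above), as an added IOS configuration that is not from any post in the thread. The addresses, the interface names, the timers and the assumption that the filter routes between its two legs and uses the router as gateway on each are all mine. The decision a practitioner has to make explicitly is the failure mode: `verify-availability` with a tracked next hop falls back to normal routing when the filter stops answering, so the LAN surfs unfiltered (fail-open); the second route-map shows the fail-closed alternative.

```ios
! Added example, not from the thread. Assumed topology:
!   Fa0/0 10.1.10.1/24      inside LAN (workstations)
!   Fa0/1                   internet
!   Fa0/2 192.168.50.1/24   filter ingress leg, filter is .2
!   Fa0/3 192.168.51.1/24   filter egress leg,  filter is .2
! The filter is assumed to route between its two legs and to use the
! router's address on each leg as its gateway.
!
! 1. Probe the filter so PBR knows whether it is alive.
ip sla 10
 icmp-echo 192.168.50.2 source-interface FastEthernet0/2
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 2. Only LAN traffic bound for the internet is steered to the filter;
!    traffic to other internal 10/8 destinations is routed normally.
ip access-list extended LAN-TO-INTERNET
 deny   ip 10.1.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.10.0 0.0.0.255 any
!
ip access-list extended INTERNET-TO-LAN
 permit ip any 10.1.10.0 0.0.0.255
!
! 3a. Fail-open: when track 10 is down the set clause is skipped and the
!     packet follows the routing table, i.e. it reaches the internet
!     without passing the filter.
route-map LAN-TO-FILTER permit 10
 match ip address LAN-TO-INTERNET
 set ip next-hop verify-availability 192.168.50.2 10 track 10
!
! 3b. Fail-closed alternative for the same direction: when the tracked
!     next hop is unavailable the second set clause applies and the
!     packet is discarded rather than bypassing the filter. Apply this
!     one on Fa0/0 instead of LAN-TO-FILTER if bypass is not acceptable.
route-map LAN-TO-FILTER-CLOSED permit 10
 match ip address LAN-TO-INTERNET
 set ip next-hop verify-availability 192.168.50.2 10 track 10
 set interface Null0
!
! 4. Return traffic enters through the egress leg so the filter sees
!    both directions of every flow. The filter hands it to its ingress
!    leg, the router receives it on Fa0/2 and routes it to the LAN
!    normally; no policy on Fa0/2 or Fa0/3, so there is no loop.
route-map INTERNET-TO-FILTER permit 10
 match ip address INTERNET-TO-LAN
 set ip next-hop verify-availability 192.168.51.2 10 track 10
!
interface FastEthernet0/0
 description inside LAN
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map LAN-TO-FILTER
!
interface FastEthernet0/1
 description internet
 ip policy route-map INTERNET-TO-FILTER
!
interface FastEthernet0/2
 description filter ingress leg
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/3
 description filter egress leg
 ip address 192.168.51.1 255.255.255.0
```

Two caveats. On 12.3 mainline, which Dan's 2621 runs in the later CEF thread, the probe is configured with `rtr` rather than `ip sla`, and the tracking object is `track 10 rtr 10 reachability`; the route-map syntax is the same. And if the filter performs NAT, as Dan reports further down, the return traffic is already addressed to the filter's outside address and the INTERNET-TO-FILTER policy on Fa0/1 is unnecessary. Check the ordering of `set ip next-hop verify-availability` and `set interface` on your own release before relying on the fail-closed variant; the behaviour described in the comments is the documented PBR set-clause order, but it is the kind of thing to verify with a pulled cable rather than to trust.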
From tomas.hlavacek at elfove.cz Mon Aug 18 07:19:42 2008 From: tomas.hlavacek at elfove.cz (Tomas Hlavacek) Date: Mon, 18 Aug 2008 13:19:42 +0200 Subject: [c-nsp] aaa local database Message-ID: <48A95ACE.1040405@elfove.cz> Hello! I am thinking about aaa local database. Is there any mechanism to distinguish local users (defined by username ...) or put them into some groups and give them access to only some services? For instance I have two users

username alice password xxx
username bob password yyy

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

Now bob and alice can login to router and also dial ppp. What if I want alice to have right only to login to router and bob only to dial ppp? Thanks, Tomas -- Tomáš Hlaváček

From oboehmer at cisco.com Mon Aug 18 08:12:23 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 18 Aug 2008 14:12:23 +0200 Subject: [c-nsp] aaa local database In-Reply-To: <48A95ACE.1040405@elfove.cz> References: <48A95ACE.1040405@elfove.cz> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E19E0C@xmb-ams-333.emea.cisco.com> Tomas Hlavacek <> wrote on Monday, August 18, 2008 1:20 PM: > Hello! > > I am thinking about aaa local database. Is there any mechanism to > distinguish local users (defined by username ...) or put them into > some groups and give them access to only some services? > > For instance I have two users > > username alice password xxx > username bob password yyy > > aaa new-model > aaa authentication login default local > aaa authentication ppp default local > aaa authorization network default local > > Now bob and alice can login to router and also dial ppp. > > What if I want alice to have right only to login to router and bob > only to dial ppp? the local database is not really very feature-rich, especially when it comes to PPP/network dialin.
You could force bob to only do PPP with

aaa authorization exec default local

and then

username bob autocommand exit

or

username bob autocommand ppp

so bob's login shell will exit right away or, if you want to allow async login via modems, spawn ppp.. Not sure if you can prevent "alice" from dialling in via ppp, though. Local DB is mainly used for some last-resort backup when T+/Radius is not available. certainly not a replacement.. Depending on your image/version, you could investigate the "Local AAA Server" feature and point your network authorization there, so you will then arrive at two different user databases locally configured on the device.. oli

From tomas.hlavacek at elfove.cz Mon Aug 18 08:12:38 2008 From: tomas.hlavacek at elfove.cz (Tomas Hlavacek) Date: Mon, 18 Aug 2008 14:12:38 +0200 Subject: [c-nsp] aaa local database In-Reply-To: <48A96433.7040602@lumison.net> References: <48A95ACE.1040405@elfove.cz> <48A96433.7040602@lumison.net> Message-ID: <48A96736.7020105@elfove.cz> I should have mentioned that I want this on a 2811 with 12.4(20)T ADVIPSERVICESK9 IOS image. Alasdair Gow wrote: > What device are you trying to do this on? > > I know ASA's have dynamic policies, which you could customise to do this.... > > Cheers, > Ally > > Tomas Hlavacek wrote: > >> Hello! >> >> I am thinking about aaa local database. Is there any mechanism to >> distinguish local users (defined by username ...) or put them into >> some groups and give them access to only some services? >> >> For instance I have two users >> >> username alice password xxx >> username bob password yyy >> >> aaa new-model >> aaa authentication login default local >> aaa authentication ppp default local >> aaa authorization network default local >> >> Now bob and alice can login to router and also dial ppp. >> >> What if I want alice to have right only to login to router and bob >> only to dial ppp? >> >> Thanks, >> Tomas >> >> > > > -- Tomáš
Hlaváček

From christian.macnevin at gmail.com Mon Aug 18 12:03:05 2008 From: christian.macnevin at gmail.com (Christian MacNevin) Date: Mon, 18 Aug 2008 09:03:05 -0700 Subject: [c-nsp] multicast bringing big irons to their knees? Message-ID: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com> Hi I've only got the most superficial of ideas what's going on with this network, but I've been asked if there's any particular reason some Foundry switches would be being brought to their knees every time mcast is switched on in a network. 65s, 3750s and Netscreens all handle it fine. Given Foundry's marketing, they do brag that everything's handled in port-based ASICs, but obviously it sounds like this stuff is going to the processor. Maybe it's PIM Sniffing not supported in hardware, not sure. Anyway, sorry for the amazing vagary here, but it's all I've got right now. Any thoughts? Cheers Christian

From danletkeman at gmail.com Mon Aug 18 12:05:49 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Mon, 18 Aug 2008 11:05:49 -0500 Subject: [c-nsp] ip cef load sharing In-Reply-To: References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com> Message-ID: My only options for the IP CEF command are as follows:

original   Original algorithm
tunnel     Algorithm for use in tunnel only environments
universal  Algorithm for use in most environments

I tried original, and it seems as if it load balances, but it doesn't switch from modem to modem very fast. But in any case there are a lot fewer problems with this on. I also found out that the content filter that is before the cisco router is also doing NAT. I'm assuming that's a problem as well because now the router doesn't know what the source IP is anymore. Any other ideas on how to make this work better? Thanks, Dan.
On Sat, Aug 16, 2008 at 6:35 PM, Ben Steele wrote: > Dan the reason you're having issues is not MTU related, it's NAT related, > because you have 3 ADSL lines each doing NAT against a different outside IP > when you turn on per-packet load sharing you end up with flows to the same > destination having different source IP addresses. > > Your only option is per-destination load balancing (ie the default), one way > you can tweak this a little without breaking too much is to change the > standard algorithm to include ports. > > Try adding "ip cef load-sharing algorithm include-ports destination" into > your global config once you've removed your per-packet load sharing and see > how you go. > > You are never going to get perfect load balancing in your scenario but if > you have enough hosts on your LAN it should be sufficient enough, one way > you can do per-packet is if you get another IP routed down all 3 adsl lines > and put it on a loopback and NAT everything against that. > > Ben > > ----- Original Message ----- From: "Dan Letkeman" > To: "Rodney Dunn" ; > Sent: Saturday, August 16, 2008 3:29 AM > Subject: Re: [c-nsp] ip cef load sharing > > >> Still seem to have the same problem even with this: >> >> interface FastEthernet0/0 >> ip address 10.1.10.1 255.255.255.0 >> ip tcp adjust-mss 1300 >> duplex auto >> speed auto >> >> >> interface FastEthernet0/1 >> ip address 192.168.10.1 255.255.255.0 >> ip load-sharing per-packet >> duplex auto >> speed auto >> >> Dan. >> >> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote: >>> >>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote: >>>> >>>> ip load-sharing per-packet >>>> >>>> I tried adding this to F0/1 and the trace route works now(it randomly >>>> picks either line), but there seems to be issues with maybe the MTU? >>>> If I try to browse websites i get page errors and some of the pictures >>>> and pages don't load.
>>>
>>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>>> ingress interface from the LAN.
>>>
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> Dan.
>>>>
>>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
>>>> > Try ip load-sharing per-packet on both egress interfaces.
>>>> >
>>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>>> >> Hello,
>>>> >>
>>>> >> I have a 2621 router running 12.3(26) and I would like to setup load
>>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
>>>> >> it randomly picks a dsl line and seems to work fine. But when I do
>>>> >> traceroute tests from a workstation it always seems to take the same
>>>> >> adsl line. Is there something else I need to add to the
>>>> >> configuration
>>>> >> to make it pick random lines, or is there a timeout of some sorts
>>>> >> before it will select the next ip route
>>>> >>
>>>> >> Here is my config:
>>>> >>
>>>> >> !
>>>> >> interface FastEthernet0/0
>>>> >> ip address 10.1.10.1 255.255.255.0
>>>> >> duplex auto
>>>> >> speed auto
>>>> >> !
>>>> >> interface FastEthernet0/1
>>>> >> ip address 192.168.10.1 255.255.255.0
>>>> >> duplex auto
>>>> >> speed auto
>>>> >> !
>>>> >> ip http server
>>>> >> ip classless
>>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>>> >> !
>>>> >>
>>>> >> The two adsl modem/routers I have are 192.168.10.10, and
>>>> >> 192.168.10.11
>>>> >>
>>>> >> Thanks,
>>>> >> Dan.
>>>> >> _______________________________________________
>>>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>> >
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From jared at puck.nether.net Mon Aug 18 12:07:45 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 18 Aug 2008 12:07:45 -0400
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
Message-ID: <20080818160745.GB96749@puck.nether.net>

I suggest posting on foundry-nsp instead of cisco-nsp.

- jared

On Mon, Aug 18, 2008 at 09:03:05AM -0700, Christian MacNevin wrote:
> Hi
> I've only got the most superficial of ideas what's going on with this
> network, but I've been asked if there's any particular reason
> some Foundry switches would be being brought to their knees every time
> mcast is switched on in a network. 65s, 3750s and Netscreens
> all handle it fine.
> Given Foundry's marketing, they do brag that everything's handled in
> port-based ASICs, but obviously it sounds like this stuff is going
> to the processor. Maybe it's PIM Sniffing not supported in hardware, not
> sure.
> Anyway, sorry for the amazing vagary here, but it's all I've got right
> now. Any thoughts?
> Cheers
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
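Ben Steele's point in the ip cef load sharing thread above, that per-packet load sharing across lines which each do their own NAT makes one TCP flow arrive from several outside addresses while per-destination (and include-ports) hashing keeps every flow on one line, as an added Python model that is not from the thread; the three modem addresses, their outside NAT addresses, the LAN hosts, the server and the hash function are all constructed stand-ins for the real CEF behaviour.

```python
"""Added example (not from the thread): per-packet versus per-destination
CEF load sharing when each ADSL line NATs to a different outside IP."""
import hashlib
import itertools
from collections import Counter, defaultdict

# Constructed topology, after the thread: a router with one default route
# per ADSL modem, each modem NATing to its own outside address.
LINES = {
    "192.168.10.10": "203.0.113.10",   # modem 1 -> outside IP it NATs to
    "192.168.10.11": "203.0.113.11",   # modem 2
    "192.168.10.12": "203.0.113.12",   # modem 3
}
NEXT_HOPS = list(LINES)


def _hash_bucket(*fields, buckets):
    """Stand-in for the CEF hash: digest of the chosen header fields,
    reduced to one of `buckets` equal-cost paths (constructed, not IOS)."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % buckets


def per_destination(pkt, state):
    """Default CEF: the src/dst pair picks the path, so every packet of a
    flow, and every flow between the same two hosts, uses one line."""
    return NEXT_HOPS[_hash_bucket(pkt["src"], pkt["dst"], buckets=len(NEXT_HOPS))]


def include_ports(pkt, state):
    """'ip cef load-sharing algorithm include-ports destination': L4 ports
    join the hash, so flows between the same hosts can spread over the
    lines while each flow still sticks to one line."""
    return NEXT_HOPS[_hash_bucket(pkt["src"], pkt["dst"], pkt["sport"],
                                  pkt["dport"], buckets=len(NEXT_HOPS))]


def per_packet(pkt, state):
    """'ip load-sharing per-packet': packets rotate over the paths with no
    regard to which flow they belong to."""
    nh = NEXT_HOPS[state["rr"] % len(NEXT_HOPS)]
    state["rr"] += 1
    return nh


def forward(packets, chooser):
    """Push packets through one algorithm; record per flow which outside
    source addresses the far end would see, and the per-line packet load."""
    state = {"rr": 0}
    seen = defaultdict(set)     # flow -> outside IPs it appeared from
    load = Counter()            # next-hop -> packets sent that way
    for pkt in packets:
        nh = chooser(pkt, state)
        load[nh] += 1
        flow = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        seen[flow].add(LINES[nh])
    # A TCP session whose packets arrive from more than one source IP
    # is dead at the server: the peer sees it as unrelated connections.
    broken = sorted(f for f, ips in seen.items() if len(ips) > 1)
    return {"broken_flows": broken, "load": dict(load), "flows": dict(seen)}


def sample_traffic():
    """Constructed LAN traffic: four hosts, three TCP sessions each to the
    same web server, five packets per session (60 packets, 12 flows)."""
    server = "198.51.100.7"
    pkts = []
    for host_n, sport in itertools.product(range(1, 5), (40001, 40002, 40003)):
        src = f"10.1.10.{host_n}"
        pkts.extend({"src": src, "dst": server, "sport": sport, "dport": 80}
                    for _ in range(5))
    return pkts


def compare():
    """Run the same traffic through all three algorithms."""
    traffic = sample_traffic()
    return {name: forward(traffic, fn)
            for name, fn in (("per-destination", per_destination),
                             ("include-ports", include_ports),
                             ("per-packet", per_packet))}


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:16s} broken flows: {len(res['broken_flows']):2d}"
              f"  load: {res['load']}")
```

Per-packet gives a perfectly even 20/20/20 split and breaks all twelve sessions; per-destination breaks none but pins each host's sessions to one line, which is the uneven-but-working trade-off Ben describes.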
From paul.cosgrove at heanet.ie Mon Aug 18 12:33:34 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 18 Aug 2008 17:33:34 +0100
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com>
Message-ID: <48A9A45E.1070504@heanet.ie>

Hi Christian,

You will need to explain more about the topology, your multicast setup and the traffic flows, for instance:

- Are the Foundry switches acting as your RPs?
- Have you any other commands applied which will cause multicasts to be process switched?
- Do you have high rates of multicast on the network?
- Are you using any multicast groups which will appear the same as well known multicast groups at Layer 2 (e.g. x.0.0.1, x.0.0.2 etc)?

If the Foundry switches are your RPs, the requirement to decapsulate register messages could explain why these are affected much more than your 6500s, 3750s and Netscreens. 'ip pim register-rate-limit 5' applied to the Cisco designated routers will help if that is the problem (not sure about the equivalent Netscreen command).

Paul.

Christian MacNevin wrote:
> Hi
> I've only got the most superficial of ideas what's going on with this
> network, but I've been asked if there's any particular reason
> some Foundry switches would be being brought to their knees every time
> mcast is switched on in a network. 65s, 3750s and Netscreens
> all handle it fine.
> Given Foundry's marketing, they do brag that everything's handled in
> port-based ASICs, but obviously it sounds like this stuff is going
> to the processor. Maybe it's PIM Sniffing not supported in hardware, not
> sure.
> Anyway, sorry for the amazing vagary here, but it's all I've got right
> now. Any thoughts?
> Cheers
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From lowen at pari.edu Mon Aug 18 12:40:23 2008
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 18 Aug 2008 12:40:23 -0400
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <20080817090530.GP288@greenie.muc.de>
References: 
Message-ID: <200808181240.23419.lowen@pari.edu>

On Sunday 17 August 2008 05:05:30 Gert Doering wrote:
> From the comments seen on this list, I don't think that any sort of L2VPN
> on 7500s is a good idea.

> 7500 is pretty much a dead and unsupported platform these days.

Good afternoon, list and Gert.

I have read this list for some time now, and I am very grateful for much useful and constructive advice that I have seen that is relevant to what I am doing.

However, I must rant just a bit, so please indulge me for a moment. And I fully realize many of you won't care about what I'm going to talk about below, and that's ok.

Not all folk using older Cisco gear for core routing are financially able to do forklift upgrades. Some people, in this day of shrinking IT budgets and lowering bandwidth costs/margins (at least to NSP's; the enterprise user is seeing the opposite problem; for example, my OC3's base tariff went UP $1,000 per month thanks to tariff changes by the NECA), simply don't have the budget to write off their investment in older gear and drop in a newer platform. Although, PARI WILL accept your donation of older gear after you've done a forklift upgrade!
There are non-profits (and for-profits that are turning into non-profits involuntarily) out there who would like to hear something a little more constructive than 'your platform is EoS; time to upgrade'. If I personally ask 'hey, anybody out there ever done L2TPv3 on a 7500/12012 pair that's serving an APS protected OC3 to a pair of 7401ASR's serving the other end of the APS protected OC3, and what have you found?' I don't want to hear 'you need to get a new whizbang 20000 to do that; all four of your routers are too old'. I'd like to hear what people have experienced; and, Gert, your experiences in particular have been very enlightening to me.

I (and other enterprise users and NSP's in my boat; I use an NSP who is a non-profit, for instance) am well aware that I should have something more modern; I cannot afford it, especially now that a big hunk of my equipment budget just went away thanks to the NECA tariff increase. And while I know that there is a contingent out there with the attitude that if someone can't afford rolling forklift upgrades every few years that they shouldn't be in business, I have no need for their opinion on that matter.

-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From adam.korab at gmail.com Mon Aug 18 12:46:47 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 18 Aug 2008 11:46:47 -0500
Subject: [c-nsp] %IPC-SP-5-WATERMARK:
Message-ID: 

Hi,

Just finished reading the thread from 2002 between Steiner, Alex Rubenstein, and Chris Johns. I'm currently dealing with what I think is the same issue, but running newer code than what Steinar recommended - 122-19.SXD7 to be precise.

This issue prevents 'sh run' from executing, but otherwise traffic appears to be passing just fine. It's happening on 2 6509s, both with WS-X6K-SUP2-2GE installed.

One question, given that it's a remote environment: will the boxes reload properly?
The bit about the MSFC locking makes me nervous. What code is currently recommended for 6509/sup2? Any workarounds available in the meantime? Customer AFAIK doesn't have Smartnet....

Relevant bits:

2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %IPC-SP-5-WATERMARK: 1320 messages pending in rcv for the port Card1/1:Request(10000.5) seat 10000
2y8w: %ICC-SP-5-WATERMARK: 1355 pkts for class L2-AGING are waiting to be processed

----------

edge0#sh ipc que
There are 0 IPC messages waiting for acknowledgement in the transmit queue.
There are 0 IPC messages waiting for a response.
There are 0 IPC messages waiting for additional fragments.
There are 0 IPC messages currently on the IPC inboundQ.
There are 0 IPC messages currently on the zone inboundQ.
Messages currently in use                :     50
Message cache size                       :   6000
Maximum message cache usage              :   6000
0 times message cache crossed 12000 [max]
There are 9 messages currently reserved for reply msg.

-------

edge0#sh ipc stat
IPC System Status
Time last IPC stat cleared : never
This processor is an IPC slave server.
Do not drop output of IPC frames for test purposes.
6000 IPC Message Headers Cached.
                                                  Rx Side        Tx Side
 Total Frames                                   626763425      234165644
                                                        0              0
 Total from Local Ports                        1065511881      158268780
 Total Protocol Control Frames                   45199040       37948411
 Total Frames Dropped                                   0              0

 Service Usage
 Total via Unreliable Connection-Less Service   543615974       33935400
 Total via Unreliable Sequenced Connection-Less Svc     0              0
 Total via Reliable Connection-Oriented Service  37948411       45198990

 IPC Protocol Version 0
 Total Acknowledgements                          45199040       37948411
 Total Negative Acknowledgements                        0              0

 Device Drivers
 Total via Local Driver                                 0              0
 Total via Platform Driver                      626763425      117082850
 Total Frames Dropped by Platform Drivers               0              0
 Total Frames Sent when media is quiesced               0

 Reliable Tx Statistics
 Re-Transmission                                        0
 Re-Tx Timeout                                       3652

 Rx Errors                                      Tx Errors
 Unsupp IPC Proto Version         0             Tx Session Error              0
 Corrupt Frame                    0             Tx Seat Error                 0
 Duplicate Frame                  0             Destination Unreachable       0
 Out-of-Sequence Frame            0             Tx Test Drop                  0
 Dest Port does Not Exist         0             Tx Driver Failed              0
 Rx IPC Msg Alloc Failed          0             Ctrl Frm Alloc Failed         0
 Unable to Deliver Msg            0
 Invalid Messages                 0

 Buffer Errors                                  Misc Errors
 IPC Msg Alloc                    0             IPC Open Port             18563
 Emer IPC Msg Alloc               0             No HWQ                        0
 IPC Frame PakType Alloc          0             Hardware Error                0
 IPC Frame MemD Alloc             0

 Tx Driver Errors
 No Transport                     0
 MTU Failure                      0
 Dest does not Exist              0

Thanks!

--Adam

From rodunn at cisco.com Mon Aug 18 12:49:39 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 18 Aug 2008 12:49:39 -0400
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <20080814133310.GA24673@rtp-cse-489.cisco.com>
References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com> <20080731030350.GF23991@rtp-cse-489.cisco.com> <48A3E177.30508@transtelecom.net> <20080814133310.GA24673@rtp-cse-489.cisco.com>
Message-ID: <20080818164939.GX7135@rtp-cse-489.cisco.com>

Target is 12.0(32)S12 and 12.0(32)SY8.

I did say target....
Will also come in a rebuild of 33S but will not make it in 12.0(32)S2 for sure.

Rodney

On Thu, Aug 14, 2008 at 09:33:10AM -0400, Rodney Dunn wrote:
> See my email yesterday. I should have an update on Monday.
>
> On Thu, Aug 14, 2008 at 11:40:39AM +0400, Tima Maryin wrote:
> > Hello!
> >
> >
> > Is there any update on this ?
> >
> >
> > Rodney Dunn wrote:
> > >I'm asking about this.
> > >
> > >I'll get back with you.
> > >
> > >It's going to be in a 12.0(33)S rebuild for sure.
> > >
> > >But I need to check back on what the 12008 decision
> > >was...ie: only in 32S rebuilds?
> > >
> > >
> > >On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote:
> > >>Hi,
> > >>
> > >>Does anyone know if the 32 bit ASN support is going to get
> > >>implemented in the 12008 or 7500 RSP8 series? If not, what
> > >>is recommended as replacements?

From Mark at u.tv Mon Aug 18 12:12:46 2008
From: Mark at u.tv (Mark Tohill)
Date: Mon, 18 Aug 2008 17:12:46 +0100
Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4
Message-ID: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local>

Hi,

Does anyone have experience of configuring Netflow Top Talkers on Modular 12.2SX images?
We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as below:

sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
<..output omitted...>
disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm
<..output omitted...>

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv

From adam.korab at gmail.com Mon Aug 18 13:05:33 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 18 Aug 2008 12:05:33 -0500
Subject: [c-nsp] Nasty PIX 6.3 bug
In-Reply-To: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
References: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
Message-ID: 

On Mon, Aug 18, 2008 at 4:30 AM, Robert Blayzor wrote:
>
> We've been running 6.3 for years and only after all the recent DNS exploits
> did we see this one start hitting us.
> The only way to fix it is to upgrade to 7.x or get the maint/patch train
> from TAC. If you have any DNS servers behind your PIX with a lot of clients

The page says it's patched in 6.3(5.105) -- is that available only from the TAC? CCO lists just 6.3(5) GD.

Forgive my ignorance, but it's been a long time since I've had to get a special file from TAC -- does an end-user have to have smartnet on the device?

--Adam

From streiner at cluebyfour.org Mon Aug 18 13:15:38 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 18 Aug 2008 13:15:38 -0400 (EDT)
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <200808181240.23419.lowen@pari.edu>
References: <200808181240.23419.lowen@pari.edu>
Message-ID: 

On Mon, 18 Aug 2008, Lamar Owen wrote:

> On Sunday 17 August 2008 05:05:30 Gert Doering wrote:
>> From the comments seen on this list, I don't think that any sort of L2VPN
>> on 7500s is a good idea.
>
>> 7500 is pretty much a dead and unsupported platform these days.
>
> [snip]
>
> Not all folk using older Cisco gear for core routing are financially able to
> do forklift upgrades. Some people, in this day of shrinking IT budgets and
> lowering bandwidth costs/margins (at least to NSP's; the enterprise user is
> seeing the opposite problem; for example, my OC3's base tariff went UP $1,000
> per month thanks to tariff changes by the NECA), simply don't have the budget
> to write off their investment in older gear and drop in a newer platform.

I don't think the original comment was intended as a knock on your organization's financial status (or any other organization's financial status for that matter). The Cisco 7500 series routers were and still are great routers - they served my network well for a great many years, but they are in fact at the end of their life cycle. If you can still use them to do what you need to do and they satisfy your operational requirements, then I hope they continue to work well for you for as long as needed.

More to the point of what I think Gert was getting at is that since the 7500 series is end-of-life, you have the potential to get stuck if you need to get support from Cisco. There is also the possibility that whatever feature you need may not be available in future releases of IOS for that platform, or new releases for that platform may be suspended entirely. Replacement hardware will have to come from the secondary market since Cisco normally doesn't RMA end-of-life parts.

Some organizations have policies that require them to keep vendor support on any piece of gear they have in production. That by nature forces them to stay ahead of the end-of-life curve, or at least be cognizant of the end-of-life dates for the gear they use. As a result, those upgrades get worked into their long-term capital planning cycles. I'm not suggesting that this is right or wrong...

Since this has the potential to drift off-topic for this list, this will be my only contribution to this thread.
Regards,
jms

From petelists at templin.org Mon Aug 18 13:16:27 2008
From: petelists at templin.org (Pete Templin)
Date: Mon, 18 Aug 2008 12:16:27 -0500
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <200808181240.23419.lowen@pari.edu>
References: <200808181240.23419.lowen@pari.edu>
Message-ID: <48A9AE6B.9070600@templin.org>

Lamar Owen wrote:
> However, I must rant just a bit, so please indulge me for a moment. And I
> fully realize many of you won't care about what I'm going to talk about
> below, and that's ok.

It's not that I won't care, it's that I care about your stance here.

> I (and other enterprise users and NSP's in my boat; I use an NSP who is a
> non-profit, for instance) am well aware that I should have something more
> modern; I cannot afford it, especially now that a big hunk of my equipment
> budget just went away thanks to the NECA tariff increase. And while I know
> that there is a contingent out there with the attitude that if someone can't
> afford rolling forklift upgrades every few years that they shouldn't be in
> business, I have no need for their opinion on that matter.

The 7500s are roughly 13 years old. As such, they've served about four generations of IT lifecycle and then some, assuming upgrades every few years. From what little I can dig up, they were designed for core backbone routing applications.

The 12000 series is perhaps 9 years old. That's three lifecycles, and these too were designed for core backbone routing applications. Remember the great time-to-market linecards? Yeah, the ones with no hope of being an edge card.

With all due respect, how much enterprise feature value were you HONESTLY expecting from these core backbone routing platforms? Have any of these devices STOPPED doing what they do/did best?
pt

From rblayzor.bulk at inoc.net Mon Aug 18 13:27:39 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Mon, 18 Aug 2008 13:27:39 -0400
Subject: [c-nsp] Nasty PIX 6.3 bug
In-Reply-To: 
References: <7B40DE6D-13F6-4A3A-8A7A-DE5EC7F37CF9@inoc.net>
Message-ID: <0DDF96A3-6F1F-411B-BDEA-AD7F752C1753@inoc.net>

On Aug 18, 2008, at 1:05 PM, Adam Korab wrote:
> The page says it's patched in 6.3(5.105) -- is that available only
> from the TAC? CCO lists just 6.3(5) GD.

Yes, 6.3(5)GD is released. The actual patched version TAC provided to us was 6.3(5.145), which fixed the problem. And yes, you can only obtain it via TAC.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From christian.macnevin at gmail.com Mon Aug 18 13:37:18 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Mon, 18 Aug 2008 10:37:18 -0700
Subject: [c-nsp] multicast bringing big irons to their knees?
In-Reply-To: <48A9A45E.1070504@heanet.ie>
References: <5E4F128D-0065-4B5C-A977-F84A95A5A09E@gmail.com> <48A9A45E.1070504@heanet.ie>
Message-ID: <4DD41DB1-0C84-481F-BC17-490CBF3BC3F9@gmail.com>

Thanks all

That's literally all the info I have just now, it's a client network I may have to go look at. Just figured I'd toss it out and see if anybody had a screamer of a disclaimer on that hardware. I'll see how much more I can find out before I bring this world of pain down on myself :)

Sent from my iPhone

On Aug 18, 2008, at 9:33 AM, Paul Cosgrove wrote:

> Hi Christian,
>
> You will need to explain more about the topology, your multicast setup
> and the traffic flows, for instance:
> - Are the Foundry switches acting as your RPs?
> - Have you any other commands applied which will cause multicasts to
> be
> process switched?
> - Do you have high rates of multicast on the network?
> - Are you using any multicast groups which will appear the same as
> well
> known multicast groups at Layer 2 (e.g. x.0.0.1, x.0.0.2 etc)?
>
> If the Foundry switches are your RPs, the requirement to decapsulate
> register messages could explain why these are affected much more than
> your 6500s, 3750s and Netscreens. 'ip pim register-rate-limit 5'
> applied to the Cisco designated routers will help if that is the
> problem
> (not sure about the equivalent Netscreen command).
>
> Paul.
>
> Christian MacNevin wrote:
>> Hi
>> I've only got the most superficial of ideas what's going on with this
>> network, but I've been asked if there's any particular reason
>> some Foundry switches would be being brought to their knees every
>> time
>> mcast is switched on in a network. 65s, 3750s and Netscreens
>> all handle it fine.
>> Given Foundry's marketing, they do brag that everything's handled in
>> port-based ASICs, but obviously it sounds like this stuff is going
>> to the processor. Maybe it's PIM Sniffing not supported in
>> hardware, not
>> sure.
>> Anyway, sorry for the amazing vagary here, but it's all I've got
>> right
>> now. Any thoughts?
>> Cheers
>> Christian
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
> -- 
> HEAnet Limited
> Ireland's Education & Research Network
> 5 George's Dock, IFSC, Dublin 1, Ireland
> Tel: +353.1.6609040
> Web: http://www.heanet.ie
> Company registered in Ireland: 275301
>
> Please consider the environment before printing this e-mail.

From svemulap at cisco.com Mon Aug 18 13:46:57 2008
From: svemulap at cisco.com (Shankar Vemulapalli (svemulap))
Date: Mon, 18 Aug 2008 10:46:57 -0700
Subject: [c-nsp] MPLS VPN QoS on a SP core
In-Reply-To: 
References: <9da37ec40808171541x7c168f1br359e6491e98131cd@mail.gmail.com>
Message-ID: <70BC84B185C3EE448EDB7AB8956D3B0E06392E1D@xmb-sjc-234.amer.cisco.com>

Take a look at the following QoS SRND document which provides a very good starting point.
http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf

Look for "MPLS VPN QoS Design"

Btw - one additional factor that you want to look into is if the customer is dual-homed to two SPs. In this case, we want to make sure we have consistent QoS guarantees across the MPLS VPN cloud.

Hope it helps.

/Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Sunday, August 17, 2008 10:42 PM
To: Sami Joseph
Cc: Cisco-nsp
Subject: Re: [c-nsp] MPLS VPN QoS on a SP core

On Mon, 18 Aug 2008, Sami Joseph wrote:

> Is there a way to provide QoS for a specific VPN in an MPLS VPN Core?

Yes. Depends on what you want, but you can for instance mark MPLS EXP for the traffic in a certain VPN and treat those packets differently in your core.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jloiacon at csc.com Mon Aug 18 14:56:41 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon, 18 Aug 2008 14:56:41 -0400
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To: <20080816152921.GL288@greenie.muc.de>
Message-ID: 

Thanks Gert. Great information.

Turns out the fiber length is about 60km, but it is testing at 13dB for 1550 nm. This winds up fitting in the 24dB optical budget for the XENPAK-10GB-ZR (80 km). I have removed dB for connectors and potential splices as well.

Next challenge: On the other end of the connection is a Juniper MX. So here we go again ...
PS: Here's a good link for understanding how to calculate optical budgets if anyone needs it:
http://www.transition.com/TransitionNetworks/Learning/Whitepaper/Optical.aspx

Joe

Gert Doering
08/16/2008 11:29 AM
To: Joe Loiacono/CIV/CSC at CSC
cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Good 10GE Metro switch

Hi,

On Mon, Aug 11, 2008 at 05:08:23PM -0400, Joe Loiacono wrote:
> PS - Should I worry (a lot) about being at or slightly above the 40 Km
> distance?

The key question is, how much loss (in dB) do you have on that line, and on the tolerances of the X2 optics in question - a "best case" X2 will transmit with +4.0 dBm, while a "worst case" X2 will transmit with -4.7 dBm, according to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0btransc.html

- so with a receiver sensitivity of -15.8 dBm, you have a power budget of 11.1 dB to 19.8 dB.

11.1 dB is very tight for a 40km span - you need good fibers, and nearly no patches in between (every patch brings about 0.5 dB loss).

You need to ask your carrier about the attenuation of the fiber path.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From vijay.ramcharan at verizonbusiness.com Mon Aug 18 14:46:00 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Mon, 18 Aug 2008 18:46:00 +0000
Subject: [c-nsp] 11503 ssl redundancy synch
In-Reply-To: 
References: 
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>

I don't believe you are missing anything. SSL files (keys, certs etc) are most likely not copied across. You will probably need to manually import them into your standby box.
For whatever reason, the ACE has this same limitation (seemingly silly as I can't put my finger on the reason why Cisco cannot sync SSL files as well as the config). F5 has had this on their boxes for a long time now. Makes SSL configuration a snap.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Toby Burrows (Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all,

I have 2 css11503's in active/passive redundancy config. When using the commit_redundConfig command the ssl does not copy across. I have cleared the standby box and started again, but with no luck. The config guides I have found offer little info on the ssl redundancy, just the normal IP redundancy. The question is: should I configure the ssl config and import the certs on both boxes and then commit the redundant config when I have verified the ssl config on the standby unit? Or should it copy all config including all the ssl stuff and I'm missing something?

Thanks in advance

Toby Burrows
Network Engineer

Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth, Design & Build, and Managed Servers

Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales :: VAT Registration No: GB 769 6428 71

This e-mail and the information it contains are confidential. If you have received this e-mail in error please notify the sender immediately. You should not copy it for any purpose, or disclose its contents to any other person.

Please consider the environment - do you really need to print this email?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lowen at pari.edu Mon Aug 18 15:00:22 2008
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 18 Aug 2008 15:00:22 -0400
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <48A9AE6B.9070600@templin.org>
References: 
Message-ID: <200808181500.22855.lowen@pari.edu>

[Going OT to a degree; not going to continue thread past this post.]

On Monday 18 August 2008 13:16:27 Pete wrote:
> With all due respect, how much enterprise feature value were you
> HONESTLY expecting from these core backbone routing platforms? Have any
> of these devices STOPPED doing what they do/did best?

I appreciate the point of view. Using a tool only for the purpose for which it was designed is certainly a valid worldview, perhaps even for the majority of service providers and enterprises out there, especially if you have a support contract. But at the same time understand that if someone is asking about using router X for something (whether it was designed for that or not is irrelevant) they'd like to hear experience in doing that thing, not that router Y is a better choice. If I want to know (and I ask) which router is the better choice, then answering Y is a good useful response.

And, yes, I am of the view that many tools have uses of which the designers never thought, or for which the designers did not design (or for which the marketers didn't market). Like, for instance, the RSM internal router on a stick card for the Catalyst 5000. These actually do NAT at a very good rate; with a VIP piggyback on the RSM they can make superb border routers with a good firewall set and, like I said, NAT. Just wish a 12.0S had been released for the RSM; it is, after all, a 7500-series RSP2 on that card.
And why the RSFC isn't able to run something past 12.1 is a crying shame, given the hardware heritage of the card (I know why it was crippled, I just don't agree with non-technical reasons to cripple what the device can do).

As to the suitability of these old core platforms for edge 'stuff' I'll just comment that just getting APS on an OC3 connection is enough of a task; but I happen to need layer 2 transparency over this connection, incidentally, for VMware VMotion. With APS. (which knocks out any ATM solutions for the 7500 (or 7200/7400 for that matter!)). Just need to have VLAN continuity through the OC3, that's all. Getting the 'edge' feature set and APS for an OC3 together has been a challenge for me, without blowing my equipment budget for the next five years, that is. And I already had the hardware in hand that I'm using, saving several tens of kilobucks.

What I do find useful are things like the revelation that 3845's have issues with L2TP due to odd ethernet issues. Or that PXF being enabled on 7400 or 7200 NSE-1 causes artifact A in certain situations. Or that an OC48 POS linecard is required for 12000 to do this sort of thing. Or that, no, feature navigator is wrong, you really can't do that with IOS x.yS(z). Just looking for people's experience, not new equipment recommendations. Cisco support for these particular routers is not an option at this point for these routers; can't afford it. Now when I can afford something new, I'll ask about that. And if I can help by sharing my experience with a future questioner, I will do so.

And, I do find most of the information I glean here very useful; Gert in particular has been a real jewel, and my rant isn't directed at Gert at all, just a general rant of sorts. I personally don't agree with this whole EoS/EoL 'programmed obsolescence' thing, even though I do understand the reasoning.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From zhassan at gmx.net Mon Aug 18 15:19:38 2008
From: zhassan at gmx.net (Zahid Hassan)
Date: Mon, 18 Aug 2008 20:19:38 +0100
Subject: [c-nsp] EVC - MPLS
In-Reply-To:
References:
Message-ID: <001e01c90167$60532210$014fa8c0@xp1>

Jack,

With EVC, are you referring to EoMPLS, AToM and VPLS? For an introduction to the technology, please refer to the link below:

http://www.cisco.com/en/US/tech/tk436/tk891/tech_brief0900aecd80162184.html

If you need more information like commands and configs, let me know.

Regards,
ZH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jack
Sent: 14 August 2008 08:31
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] EVC - MPLS

Hi Folks,

Does anyone have EVC - MPLS information to share? Any document I can refer to?

regards,
Jack

From billf at mu.org Mon Aug 18 16:10:44 2008
From: billf at mu.org (bill fumerola)
Date: Mon, 18 Aug 2008 13:10:44 -0700
Subject: [c-nsp] debugging stack corruption
Message-ID: <20080818201044.GR29172@elvis.mu.org>

anyone see anything like this. i assume only a reload will fix this:

  rtr1#sh proc cpu | e 0.0
  CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes: 35%
  PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
  3 528125122320274973 22 23.35% 20.79% 20.97% 0 Exec
  70 3616544001417549298 255 0.15% 0.11% 0.12% 0 IP Input
  115 4851843096833738 0 0.15% 0.14% 0.15% 0 HQF Shaper Backg
  rtr1#

nobody else is logged on, little to no amount of traffic is running through the aux/cons ports, but this is interesting:

  rtr1#show stacks
  Minimum process stacks:
   Free/Size    Name
   5676/6000    CDP BLOB
   8640/9000    EM ED RF
   11052/12000  Router Init
   8676/9000    cdp init process
   8348/12000   Init
   5304/6000    RADIUS INITCONFIG
   3616/6000    BGP Open
   2264/3000    Rom Random Update Process
   5616/6000    URPF stats
   5316/6000    BGP Accepter
   9248/12000   Exec
   7176/12000   SSH Process
   4264/6000    TFTP Read Process
   4204/6000    MSDP Open
   34540/36000  TCP Command
   5236/7200    TTY Daemon
   8496/9000    IP-EIGRP Router
   3360/6000    d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P

References: <20080817090530.GP288@greenie.muc.de> <200808181240.23419.lowen@pari.edu>
Message-ID: <20080818201221.GV288@greenie.muc.de>

Hi,

On Mon, Aug 18, 2008 at 12:40:23PM -0400, Lamar Owen wrote:
> Not all folk using older Cisco gear for core routing are financially able to
> do forklift upgrades.

I fully understand your point. I'm not one of those that recommend to put a 7206/NPE-150 into the junk bin, just because it's old...

  Cisco-XXX uptime is 7 years, 15 weeks, 2 days, 49 minutes
  ...
  cisco 7206 (NPE150) processor with 57344K/8192K bytes of memory.

(yes, I know, but that's not the point. It's working, and all problematic packets are ACLed away)

*But* especially the 7500 is not "old", it was already old when I started networking (well, the 7500 was "new" then, but it shares much of the architectural limits with the 7000, and that one was already old then). We have junked our single 7500 (at some time my great pride - dual RSP4+s in there!!!) some 3-4 years ago, because it was just too huge (space and power in the rack), too unreliable (OIRs usually caused a bus stall or a complete crash), and too feeble IOS support - no "real" 12.2S support, none of the cool features available, and a fairly clear commitment from Cisco to let the platform die.

If a shop is in serious need for a L2VPN solution, and all they have is a 7500, I would seriously suggest finding two old PCs somewhere, put in a $15 intel GigE card, install Linux+OpenVPN, and enjoy the result. With Cisco, they are not going to be happy - it's "expensive" or "more advanced/tricky things are just not going to work".

gert
--
USENET is *not* the non-clickable part of WWW!                         //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Mon Aug 18 16:17:09 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 18 Aug 2008 22:17:09 +0200
Subject: [c-nsp] Fwd: Alternantive to REB(route bridge Encapsulation)-2nd try
In-Reply-To: <200808181500.22855.lowen@pari.edu>
References: <48A9AE6B.9070600@templin.org> <200808181500.22855.lowen@pari.edu>
Message-ID: <20080818201709.GW288@greenie.muc.de>

Hi,

On Mon, Aug 18, 2008 at 03:00:22PM -0400, Lamar Owen wrote:
> good firewall set and, like I said, NAT. Just wish a 12.0S had been released
> for the RSM; it is, after all, a 7500-series RSP2 on that card. And why the
> RSFC isn't able to run something past 12.1 is a crying shame, given the
> hardware heritage of the card (I know why it was crippled, I just don't agree
> with non-technical reasons to cripple what the device can do).

I couldn't agree more with you on *that*.
We're in the process of retiring 2 RSMs and 1 RSFC due to "end of IOS" - no IPv6 on them, and especially on the RSFC, purposely crippled to 12.1 (no 64bit counters and such). Since I'm the one that suggested buying them, and the hardware is still doing its job very well, I'm indeed not overly happy.

gert
--
USENET is *not* the non-clickable part of WWW!                         //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From sthaug at nethelp.no Mon Aug 18 16:46:04 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 18 Aug 2008 22:46:04 +0200 (CEST)
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To:
References: <20080816152921.GL288@greenie.muc.de>
Message-ID: <20080818.224604.41662275.sthaug@nethelp.no>

> Turns out the fiber length is about 60km, but it is testing at 13dB for
> 1550 nm. This winds up fitting in the 24dB optical budget for the
> XENPAK-10GB-ZR (80 km). I have removed dB for connectors and potential
> splices as well.
>
> Next challenge: On the other end of the connection is a Juniper MX. So
> here we go again ...

You should be just fine with a 10-GBASE-Z (80 km) XFP on the Juniper MX. See for instance Table 3 on this page:

http://www.juniper.net/techpubs/hardware/common/mx-series-dpc/4-port-10-gigabit-ethernet-dpc-with-xfp.html#mx-series-dpc-4xge-xfp

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From kgraham at industrial-marshmallow.com Mon Aug 18 17:01:28 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 18 Aug 2008 14:01:28 -0700 (PDT)
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
Message-ID: <277180.79235.qm@web901.biz.mail.mud.yahoo.com>

Does anyone know the formal name of the 'HD' end of a CAB-HD8-ASYNC (for the HWIC-8A/16A)? Ideally I'd like to do an extended run before fanning out into RJ45's.

Also, given the async line definition of:

  "line 0/0/0 0/1/15"

...is it proper to infer that 0/0 has 16 ports? Namely, if 0/0 was an 8 port module, would it be broken out separately, such that IOS would present:

  line 0/0/0 0/0/7
  line 0/1/0 0/1/15

From jloiacon at csc.com Mon Aug 18 17:04:57 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon, 18 Aug 2008 17:04:57 -0400
Subject: [c-nsp] Good 10GE Metro switch
In-Reply-To: <20080818.224604.41662275.sthaug@nethelp.no>
Message-ID:

Wow. Thanks Steinar, I've been looking all over their website for this! Looks like about the same power budget as the Cisco XENPAK-10GB-ZR.

Joe

From p.mayers at imperial.ac.uk Mon Aug 18 17:32:59 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 18 Aug 2008 22:32:59 +0100
Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4
In-Reply-To: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local>
References: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local>
Message-ID: <20080818213259.GA32257@doorstop.net.ic.ac.uk>

On Mon, Aug 18, 2008 at 05:12:46PM +0100, Mark Tohill wrote:
>Hi,
>
>Does anyone have experience of configuring Netflow Top Talkers on
>Modular 12.2SX images?

I thought netflow top-talkers was an SXH feature?

>
>We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as
>below:
>
>sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version
>12.2(18)SXF4, RELEASE SOFTWARE (fc1)
><..output ommited...>
>disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm
><..output ommited...>

Ok - but what are you asking?

From gtb at slac.stanford.edu Mon Aug 18 18:51:11 2008
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Mon, 18 Aug 2008 15:51:11 -0700
Subject: [c-nsp] debugging stack corruption
In-Reply-To: <20080818201044.GR29172@elvis.mu.org>
References: <20080818201044.GR29172@elvis.mu.org>
Message-ID:

> anyone see anything like this. i assume only a reload will fix this:

Nothing exactly like this, but I have a number of crash files from SB11/12 on a 7200 with memory corruption (Block overrun/redzone corruption). Unfortunately the 7200 (a non-VXR) cannot be on maintenance (EOS/EOL), so I cannot open a TAC case (and no existing bugid seemed relevant). That is what I would recommend to you (open a TAC case).
Gary

From lambert at lambertfam.org Mon Aug 18 19:36:20 2008
From: lambert at lambertfam.org (Scott Lambert)
Date: Mon, 18 Aug 2008 18:36:20 -0500
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
Message-ID: <20080818233620.GA28542@sysmon.tcworks.net>

I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparently, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work."

The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network.

Cisco sales tech guy said:
> What we discussed was the ASA having a default route to the virtual
> IP address of the routers and they would be running either VRRP or
> GLBP (whatever they decided they wanted to do) going out to the
> service provider. Then the routers would simply have a default route
> going out to the service provider to hit the 'Net.

The network design is supposed to be something like :

          Cisco 7204VXR NPE G1 (ISP)
            |                |
           T1        Wireless network cloud
            |                |
       Cisco 1841        Cisco 1841
            |                |
          -+-------+---------+-
                   |
           Cisco ASA 5510 (Customer)

The wireless network cloud is creating logistical issues for me. The wireless ethernet makes multiple hops through StarOS based routers which do not speak OSPF, yet. I have to statically route traffic to the wireless cloud. The wireless network is handled by a different group here and I don't have much influence over how they run it.

I've been running ISP routers for 10 years, but have not had this configuration come up before. 99.9999% of my customers have been single homed to me. Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features. I'm primarily a servers guy but when you work in small ISPs, you get to do everything.

I could use some guidance in the best way to make these links load balance with graceful degradation if one link should fall down.

I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204.

Is OSPF going to be enough to load balance the links, or will I need something else?

If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly?

To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge?

Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet?

The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections.

If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an infinite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since.

Hopefully, that is not important right now. The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org

From aakhter at cisco.com Mon Aug 18 20:39:21 2008
From: aakhter at cisco.com (Aamer Akhter (aakhter))
Date: Mon, 18 Aug 2008 20:39:21 -0400
Subject: [c-nsp] ip cef load sharing
In-Reply-To:
References: <20080815171202.GH8654@rtp-cse-489.cisco.com> <20080815174925.GL8654@rtp-cse-489.cisco.com>
Message-ID:

Dan,

Another option is to use the PfR NAT integration. The idea is that PfR will actively monitor the traffic and move subnet reachability around to try to even out the traffic. For existing NATed flows, PfR will preserve the stickiness on the established path.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/white_paper_C11-458124.html

--
Aamer Akhter / aa at cisco.com
Ent & Commercial Systems, cisco Systems

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Monday, August 18, 2008 12:06 PM
> To: Ben Steele; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ip cef load sharing
>
> My only options for the IP CEF command are as follows:
>
>   original   Original algorithm
>   tunnel     Algorithm for use in tunnel only environments
>   universal  Algorithm for use in most environments
>
> I tried original, and it seems as if it load balances, but it doesn't
> switch from modem to modem very fast. But in any case there are a lot
> fewer problems with this on.
>
> I also found out that the content filter that is before the cisco
> router is also doing NAT. I'm assuming that's a problem as well
> because now the router doesn't know what the source IP is anymore.
>
> Any other ideas on how to make this work better?
>
> Thanks,
> Dan.
>
> On Sat, Aug 16, 2008 at 6:35 PM, Ben Steele wrote:
> > Dan the reason you're having issues is not MTU related, it's NAT related,
> > because you have 3 ADSL lines each doing NAT against a different outside IP
> > when you turn on per-packet load sharing you end up with flows to the same
> > destination having different source IP addresses.
> >
> > Your only option is per-destination load balancing (ie the default), one way
> > you can tweak this a little without breaking too much is to change the
> > standard algorithm to include ports.
> >
> > Try adding "ip cef load-sharing algorithm include-ports destination" into
> > your global config once you've removed your per-packet load sharing and see
> > how you go.
> >
> > You are never going to get perfect load balancing in your scenario but if
> > you have enough hosts on your LAN it should be sufficient enough, one way
> > you can do per-packet is if you get another IP routed down all 3 adsl lines
> > and put it on a loopback and NAT everything against that.
> >
> > Ben
> >
> > ----- Original Message -----
> > From: "Dan Letkeman"
> > To: "Rodney Dunn" ;
> > Sent: Saturday, August 16, 2008 3:29 AM
> > Subject: Re: [c-nsp] ip cef load sharing
> >
> >> Still seem to have the same problem even with this:
> >>
> >> interface FastEthernet0/0
> >>  ip address 10.1.10.1 255.255.255.0
> >>  ip tcp adjust-mss 1300
> >>  duplex auto
> >>  speed auto
> >>
> >> interface FastEthernet0/1
> >>  ip address 192.168.10.1 255.255.255.0
> >>  ip load-sharing per-packet
> >>  duplex auto
> >>  speed auto
> >>
> >> Dan.
> >>
> >> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn wrote:
> >>>
> >>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
> >>>>
> >>>> ip load-sharing per-packet
> >>>>
> >>>> I tried adding this to F0/1 and the trace route works now (it randomly
> >>>> picks either line), but there seems to be issues with maybe the MTU?
> >>>> If I try to browse websites i get page errors and some of the pictures
> >>>> and pages don't load.
> >>>
> >>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
> >>> ingress interface from the LAN.
> >>>
> >>>> Any ideas?
> >>>>
> >>>> Thanks,
> >>>> Dan.
> >>>>
> >>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn wrote:
> >>>> > Try ip load-sharing per-packet on both egress interfaces.
> >>>> >
> >>>> > On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
> >>>> >> Hello,
> >>>> >>
> >>>> >> I have a 2621 router running 12.3(26) and I would like to setup load
> >>>> >> sharing to multiple adsl lines. When I do a traceroute on the router
> >>>> >> it randomly picks a dsl line and seems to work fine. But when I do
> >>>> >> traceroute tests from a workstation it always seems to take the same
> >>>> >> adsl line. Is there something else I need to add to the configuration
> >>>> >> to make it pick random lines, or is there a timeout of some sorts
> >>>> >> before it will select the next ip route
> >>>> >>
> >>>> >> Here is my config:
> >>>> >>
> >>>> >> !
> >>>> >> interface FastEthernet0/0
> >>>> >>  ip address 10.1.10.1 255.255.255.0
> >>>> >>  duplex auto
> >>>> >>  speed auto
> >>>> >> !
> >>>> >> interface FastEthernet0/1
> >>>> >>  ip address 192.168.10.1 255.255.255.0
> >>>> >>  duplex auto
> >>>> >>  speed auto
> >>>> >> !
> >>>> >> ip http server
> >>>> >> ip classless
> >>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.10
> >>>> >> ip route 0.0.0.0 0.0.0.0 192.168.10.11
> >>>> >> !
> >>>> >>
> >>>> >> The two adsl modem/routers I have are 192.168.10.10, and
> >>>> >> 192.168.10.11
> >>>> >>
> >>>> >> Thanks,
> >>>> >> Dan.

From agirling at denetron.com Mon Aug 18 21:40:35 2008
From: agirling at denetron.com (Andrew Girling)
Date: Mon, 18 Aug 2008 21:40:35 -0400
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <277180.79235.qm@web901.biz.mail.mud.yahoo.com>
References: <277180.79235.qm@web901.biz.mail.mud.yahoo.com>
Message-ID: <5E1349FC-0219-4F18-8DDC-879F84C459D5@denetron.com>

On Aug 18, 2008, at 5:01 PM, Kevin Graham wrote:
> Does anyone know what the formal name for the 'HD' end of an
> CAB-HD8-ASYNC (for the HWIC-8A/16A)? Ideally I'd like to do an
> extended run before fanning out into RJ45's.

The connector on the cards is (Micro)D68F (also used by SCSI-3 devices). You would be looking for a D68M-D68F cable to extend the connection. Check with your favorite cabling vendor for pricing, but it may be cheaper to extend the RJ45's than purchase a D68 cable...though I'd admit the D68 extension is a tidier solution in the rack :).

I was also able to come up with vendors that make custom length CAB-HD8-ASYNC compatible cables, that start in the neighborhood of > $100USD.

From ryanclambert at gmail.com Mon Aug 18 21:59:45 2008
From: ryanclambert at gmail.com (Ryan Lambert)
Date: Mon, 18 Aug 2008 21:59:45 -0400
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net>
References: <20080818233620.GA28542@sysmon.tcworks.net>
Message-ID: <002201c9019f$426e4300$c74ac900$@com>

Hi Scott,

Hopefully I am understanding your challenge correctly. It appears to me like you're having trouble chatting dynamic routing protocols directly with the wireless network, among some other various nitty-gritty that is not "just as simple" as the SE tries to make it sound.

Looking at your diagram, it seems that the 7204 also should have a route to the 1841 via the mysterious cloud there, albeit a few more hops in between. For obvious reasons (lack of link state awareness), plain old static routing isn't a reliable option in your scenario. With that said, OSPF may not even be necessary. Have you considered the possibility of running ebgp-multihop from the Cisco 7204VXR to the 1841's interface directly connected to the wireless network? You could also establish a private BGP session with the other 1841 via the directly connected T1 link, and announce the same prefix out of both sessions.

As for the VRRP question: If memory serves, I want to say yes, you can use a "real" IP address that does not exist in the same subnet as the floating virtual; at least, this worked the last time I tried to do it so far as I can recall. Unfortunately for the past year and change, I've been dealing with a limitation on a never-to-be-named hardware/software platform that just recently started allowing this... uhm, feature.
I'm still kind of scratching my head on a good, clean way to "load-balance" this outbound for you, given only one of the routers is going to serve as the ASA's default route out in a VRRP/HSRP configuration. I'm sure there is an answer, it just doesn't look pretty in my head. Maybe the answer here is to do OSPF between the 1841s and the ASA, all in NBMA mode so that the 1841s aren't trying to share a default to one another. The only thing the 1841s should need to do are A) create an adjacency with the ASA, and b) advertise it a default route. In that case, it may be necessary to expand to a /28 if everything else is in use on that subnet. Maybe someone else has a better solution -- that's at least the one I'd try to lab out first, if it were me. Just something to think about, I guess... :) -Ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Lambert Sent: Monday, August 18, 2008 7:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup I have a customer who went directly to cisco to ask about how to load balance two WAN connections to their Cisco PIX 515E. Cisco sold them an ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the ASA and 1841s. Apparantly, the customer didn't even mention that the two connections were to the same ISP, me. The customer just ordered the equipment and said "Make it work." The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless network. Cisco sales tech guy said: > What we discussed was the ASA having a default route to the virtual > IP address of the routers and they would be running either VRRP or > GLBP (whatever they decided they wanted to do) going out to the > service provider. Then the routers would simply have a default route > going out to the service provider to hit the 'Net. 
The network design is supposed to be something like : Cisco 7204VXR NPE G1 (ISP) | | T1 Wireless network cloud | | Cisco 1841 Cisco 1841 | | -+-------+--------+- | Cisco ASA 5510 (Customer) The wireless network cloud is creating logistical issues for me. The wireless ethernet makes multiple hops through StarOS based routers which do not speak OSPF, yet. I have to staticly route traffic to the wireless cloud. The wireless network is handled by a different group here and I don't have much influence over how they run it. I've been running ISP routers for 10 years, but have not had this configuration come up before. 99.9999% of my customers have been single homed to me. Also, ASA/PIX devices haven't been common for me until the past couple of years and I keep running into areas where they seem to try very hard to avoid having common routing features. I'm primarily a servers guy but when you work in small ISPs, you get to do everything. I could use some guidence in the best way to make these links load balance with graceful degradation if one link should fall down. I've been considering bringing up an IPSec VPN from the 7204VXR to the 1841 handling the wireless ethernet connection, just to bypass the need for dynamic routing in the wireless network. Then I could run OSPF or other magic between the 1841s and my 7204. Is OSPF going to be enough to load balance the links, or will I need something else? If not, could an MLPPP bundle be brought up which uses the T1 and an IPSec tunnel? But then, how would I use the 1841s redundantly? To keep the 1841s redundant, do I need to use their existing router to act as a T1 to ethernet bridge? Also, on the VRRP front, the customer currently has a /29 LAN subnet outside their ASA. The current T1 router has one IP and the rest of the IPs are in use on the ASA. Will we need to renumber them to a /28 subnet? 
Or, can the virtual router address be from their current subnet with the individual routers having their primary IPs from another, RFC 1918, subnet? The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E) connections. If I configure the VirtualTemplates to permit CEF, which lowers CPU utilization to about 30%, the router hangs in an ininite loop at random intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2 SB series images at the time I last tried CEF did the same thing and I haven't had enough nerve to try again since. Hopefully, that is not important right now. The only reason I mention it is in case an IPSec tunnel, or whatever the necessary magic ends up being, might make a significant impact on the CPU. -- Scott Lambert KC5MLE Unix SysAdmin lambert at lambertfam.org _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dwinkworth at att.net Mon Aug 18 22:16:37 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 18 Aug 2008 21:16:37 -0500 Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup In-Reply-To: <002201c9019f$426e4300$c74ac900$@com> References: <20080818233620.GA28542@sysmon.tcworks.net> <002201c9019f$426e4300$c74ac900$@com> Message-ID: <48AA2D05.60505@att.net> Well, it seems whatever NAT you need to do will happen on the ISP router or the ASA... so you could load-balance with EIGRP... using an GRE/IPSec tunnel over the wireless part... EIGRP would be nice because you could do load-variance... Ryan Lambert wrote: > Hi Scott, > > Hopefully I am understanding your challenge correctly. It appears to me like > you're having trouble chatting dynamic routing protocols directly with the > wireless network, among some other various nitty-gritty that is not "just as > simple" as the SE tries to make it sound. 
> > Looking at your diagram, it seems that the 7204 also should have a route to > the 1841 via the mysterious cloud there, albeit a few more hops in between. > For obvious reasons (lack of link state awareness), plain old static routing > isn't a reliable option in your scenario. With that said, OSPF may not even > be necessary. Have you considered the possibility of running ebgp-multihop > from the Cisco 7204XVR to the 1841's interface directly connected to the > wireless network? You could also establish a private BGP session with the > other 1841 via the directly connected T1 link, and announce the same prefix > out of both sessions. > > As for the VRRP question: If memory serves, I want to say yes, you can use a > "real" IP address that does not exist in the same subnet as the floating > virtual; at least, this worked the last time I tried to do it so far as I > can recall. Unfortunately for the past year and change, I've been dealing > with a limitation on a never-to-be-named hardware/software platform that > just recently started allowing this... uhm, feature. > > I'm still kind of scratching my head on a good, clean way to "load-balance" > this outbound for you, given only one of the routers is going to serve as > the ASA's default route out in a VRRP/HSRP configuration. I'm sure there is > an answer, it just doesn't look pretty in my head. Maybe the answer here is > to do OSPF between the 1841s and the ASA, all in NBMA mode so that the 1841s > aren't trying to share a default to one another. The only thing the 1841s > should need to do are A) create an adjacency with the ASA, and b) advertise > it a default route. In that case, it may be necessary to expand to a /28 if > everything else is in use on that subnet. Maybe someone else has a better > solution -- that's at least the one I'd try to lab out first, if it were me. > > Just something to think about, I guess... 
> :)
>
> -Ryan
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Lambert
> Sent: Monday, August 18, 2008 7:36 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load
> balancing/failover setup
>
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
> ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
> ASA and 1841s. Apparently, the customer didn't even mention that the
> two connections were to the same ISP, me. The customer just ordered the
> equipment and said "Make it work."
>
> The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
> network.
>
> Cisco sales tech guy said:
>
>> What we discussed was the ASA having a default route to the virtual
>> IP address of the routers and they would be running either VRRP or
>> GLBP (whatever they decided they wanted to do) going out to the
>> service provider. Then the routers would simply have a default route
>> going out to the service provider to hit the 'Net.
>>
>
> The network design is supposed to be something like :
>
>         Cisco 7204VXR NPE G1 (ISP)
>           |              |
>          T1      Wireless network cloud
>           |              |
>     Cisco 1841       Cisco 1841
>           |              |
>         -+-------+--------+-
>                  |
>         Cisco ASA 5510 (Customer)
>
> The wireless network cloud is creating logistical issues for me. The
> wireless ethernet makes multiple hops through StarOS based routers
> which do not speak OSPF, yet. I have to statically route traffic to the
> wireless cloud. The wireless network is handled by a different group
> here and I don't have much influence over how they run it.
>
> I've been running ISP routers for 10 years, but have not had this
> configuration come up before. 99.9999% of my customers have been single
> homed to me. Also, ASA/PIX devices haven't been common for me until the
> past couple of years and I keep running into areas where they seem to
> try very hard to avoid having common routing features. I'm primarily a
> servers guy but when you work in small ISPs, you get to do everything.
>
> I could use some guidance in the best way to make these links load
> balance with graceful degradation if one link should fall down.
>
> I've been considering bringing up an IPSec VPN from the 7204VXR to the
> 1841 handling the wireless ethernet connection, just to bypass the need
> for dynamic routing in the wireless network. Then I could run OSPF or
> other magic between the 1841s and my 7204.
>
> Is OSPF going to be enough to load balance the links, or will I need
> something else?
>
> If not, could an MLPPP bundle be brought up which uses the T1 and an
> IPSec tunnel? But then, how would I use the 1841s redundantly?
>
> To keep the 1841s redundant, do I need to use their existing router to
> act as a T1 to ethernet bridge?
>
> Also, on the VRRP front, the customer currently has a /29 LAN subnet
> outside their ASA. The current T1 router has one IP and the rest of
> the IPs are in use on the ASA. Will we need to renumber them to a /28
> subnet? Or, can the virtual router address be from their current subnet
> with the individual routers having their primary IPs from another, RFC
> 1918, subnet?
>
> The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)
> connections.
>
> If I configure the VirtualTemplates to permit CEF, which lowers CPU
> utilization to about 30%, the router hangs in an infinite loop at random
> intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2
> SB series images at the time I last tried CEF did the same thing and I
> haven't had enough nerve to try again since.
>
> Hopefully, that is not important right now. The only reason I mention
> it is in case an IPSec tunnel, or whatever the necessary magic ends up
> being, might make a significant impact on the CPU.
>
>

From skeeve at skeeve.org Mon Aug 18 21:41:16 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 19 Aug 2008 11:41:16 +1000
Subject: [c-nsp] Will there be a Cisco 887?
Message-ID:

Hey all,

I am trying to plan some CPE deployments for next year and wanted more
information about the 880 series.

I love the Wireless N and the 3G backup on the 881. But this is an ADSL2
deployment which I was going to use 877W's for, but given the move to N and
the 3G option, I would prefer an 887, but I can't find out if they are going
to release one or not.

The 881 I understand, but the 888 (SHDSL) I have no idea why that would come
BEFORE an ADSL2 model.

Can someone at Cisco possibly enlighten me?

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From ben.steele at internode.on.net Mon Aug 18 23:55:22 2008
From: ben.steele at internode.on.net (ben.steele at internode.on.net)
Date: Tue, 19 Aug 2008 12:55:22 +0900
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
Message-ID: <60221.1219118122@internode.on.net>

Hi Scott,

Try this:

Seeing as you are working statics over your wireless cloud, to simplify
things a little set up a GRE tunnel from your 7200 over the wireless to the
1841 (don't forget to subtract 24 bytes off the MTU, i.e. if it's a 1500
path put ip mtu 1476 in the tunnel interface, and also add keepalives so it
will actually go down if it is down), and I assume your T1 is point to point
from the other 1841 to the 7200.
Now assuming this is going to be a redundant configuration as well as
load-balanced, you need to have a subnet that can float between the 2 links
that your customer can NAT against (which by the way will happen on the ASA
they got sold). There are 2 ways you can achieve this: 1 is by using ip sla
to monitor the next hop of each of the customer links from your 7200 with
statics, the other is private BGP. You sure as hell don't want to start
running an IGP to your customers (unless it's MPLS VPN).

Let's say you assign your customer 1.0.0.0/27 as their usable floating
subnet and the T1 is 2.0.0.1/30 at your end and your GRE tunnel (wireless)
is 2.0.0.5/30 at your end.

Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their own rtr
group of course, say 1 and 2 respectively).

ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2

Hope that makes sense; essentially traffic will only route to your customer
if your 7200 can ping their respective 1841. The other private BGP option I
am going to assume you are already familiar with, being in an ISP.

Now for the customer to you. AFAIK the ASA cannot load balance, it can only
forward out 1 interface at a time. So what you need to do is put the ASA and
the 2 1841 interfaces into a switch so they can all see each other at
layer 2, now set up hsrp on your 1841 interfaces for redundant gateways.
Let's say you use 1.0.0.1 (t1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp). Now the
next part is a little trickier; I am going to assume your T1 is your primary
link for this example, but you can switch it around if you want.

On your T1 1841 add a static route for the wireless /30 to go via the LAN
interface of the Wireless 1841 (ip route 2.0.0.4 255.255.255.252 1.0.0.2).
You should now be able to ping the ISP end of the wireless link from your T1
1841. You want to set up ip sla to monitor the ISP end of the wireless link
from your T1 router (i.e. the T1 router is monitoring 2.0.0.5) and you also
want to monitor its end of the T1 link as well, 2.0.0.1. What this does is
let your primary gateway know that it has a complete and valid path for both
gateways for redundancy. Now you add 2 static routes with tracking on your
primary 1841:

ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2

Your wireless 1841 need only have the 1 gateway via its wireless tunnel, as
it should only ever fall over to that router if there is a serious problem
on the primary side, so you don't want it routing back that way anyway.
However, make sure you enable pre-empt so it fails back to the primary once
it is back up.

You can optimise this a little further with the global command "ip cef
load-sharing algorithm include-ports destination source", or if you're game
you can even do per-packet load sharing; however I wouldn't recommend it as
your 2 paths are going to have different characteristics. I'd probably just
try the method I listed first.

As mentioned previously the ASA config will just be straightforward, NAT/PAT
against some pool in 1.0.0.0/27 with a default route to 1.0.0.3 (hsrp),
nothing more to it; the 1841's will do all the redundancy and load
balancing.

Hope at least some of that made sense, if you need clarification on anything
let me know.

Cheers

Ben

On Tue 19/08/08 9:06 AM , Scott Lambert lambert at lambertfam.org sent:

I have a customer who went directly to cisco to ask about how to load
balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
ASA and 1841s. Apparently, the customer didn't even mention that the
two connections were to the same ISP, me. The customer just ordered the
equipment and said "Make it work."

The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
network.

Cisco sales tech guy said:

> What we discussed was the ASA having a default route to the virtual
> IP address of the routers and they would be running either VRRP or
> GLBP (whatever they decided they wanted to do) going out to the
> service provider. Then the routers would simply have a default route
> going out to the service provider to hit the 'Net.

The network design is supposed to be something like :

        Cisco 7204VXR NPE G1 (ISP)
          |              |
         T1      Wireless network cloud
          |              |
    Cisco 1841       Cisco 1841
          |              |
        -+-------+--------+-
                 |
        Cisco ASA 5510 (Customer)

The wireless network cloud is creating logistical issues for me. The
wireless ethernet makes multiple hops through StarOS based routers
which do not speak OSPF, yet. I have to statically route traffic to the
wireless cloud. The wireless network is handled by a different group
here and I don't have much influence over how they run it.

I've been running ISP routers for 10 years, but have not had this
configuration come up before. 99.9999% of my customers have been single
homed to me. Also, ASA/PIX devices haven't been common for me until the
past couple of years and I keep running into areas where they seem to
try very hard to avoid having common routing features. I'm primarily a
servers guy but when you work in small ISPs, you get to do everything.

I could use some guidance in the best way to make these links load
balance with graceful degradation if one link should fall down.

I've been considering bringing up an IPSec VPN from the 7204VXR to the
1841 handling the wireless ethernet connection, just to bypass the need
for dynamic routing in the wireless network. Then I could run OSPF or
other magic between the 1841s and my 7204.

Is OSPF going to be enough to load balance the links, or will I need
something else?

If not, could an MLPPP bundle be brought up which uses the T1 and an
IPSec tunnel? But then, how would I use the 1841s redundantly?

To keep the 1841s redundant, do I need to use their existing router to
act as a T1 to ethernet bridge?

Also, on the VRRP front, the customer currently has a /29 LAN subnet
outside their ASA. The current T1 router has one IP and the rest of
the IPs are in use on the ASA. Will we need to renumber them to a /28
subnet? Or, can the virtual router address be from their current subnet
with the individual routers having their primary IPs from another, RFC
1918, subnet?

The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)
connections.

If I configure the VirtualTemplates to permit CEF, which lowers CPU
utilization to about 30%, the router hangs in an infinite loop at random
intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2
SB series images at the time I last tried CEF did the same thing and I
haven't had enough nerve to try again since.

Hopefully, that is not important right now. The only reason I mention
it is in case an IPSec tunnel, or whatever the necessary magic ends up
being, might make a significant impact on the CPU.
--
Scott Lambert KC5MLE Unix SysAdmin

_______________________________________________
cisco-nsp mailing list
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sethm at rollernet.us Tue Aug 19 00:02:27 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 18 Aug 2008 21:02:27 -0700
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net>
References: <20080818233620.GA28542@sysmon.tcworks.net>
Message-ID: <48AA45D3.6050701@rollernet.us>

Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
> ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
> ASA and 1841s. Apparently, the customer didn't even mention that the
> two connections were to the same ISP, me. The customer just ordered the
> equipment and said "Make it work."

Whoever sold them on that solution should be the one to make it work. ;)

> The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
> network.
>
> Cisco sales tech guy said:
>> What we discussed was the ASA having a default route to the virtual
>> IP address of the routers and they would be running either VRRP or
>> GLBP (whatever they decided they wanted to do) going out to the
>> service provider. Then the routers would simply have a default route
>> going out to the service provider to hit the 'Net.
>
> The network design is supposed to be something like :
>
>         Cisco 7204VXR NPE G1 (ISP)
>           |              |
>          T1      Wireless network cloud
>           |              |
>     Cisco 1841       Cisco 1841
>           |              |
>         -+-------+--------+-
>                  |
>         Cisco ASA 5510 (Customer)
>

I dunno what Cisco would do, but I'd start with a GRE tunnel over the
wireless side. I do this from home back to the office (crypto on the tunnel
too, of course) so I can get all my office routes via OSPF and effectively
be directly connected. Make sure to put some static routes in there so the
tunnel endpoint doesn't get learned over OSPF, which would cause the tunnel
to drop.

I wouldn't bother with the load balance on drastically unequal links - the
first time they have a huge transfer and expect to see 6.5 megs, the flow
will end up over the T1 and they'll be screaming about the 1.5 meg reality.

~Seth

From kgraham at industrial-marshmallow.com Tue Aug 19 00:21:01 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 18 Aug 2008 21:21:01 -0700 (PDT)
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
Message-ID: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>

> The connector on the cards are (Micro)D68F (also used by SCSI-3
> devices). You would be looking for a D68M-D68F cable to extend the
> connection.

[...oops. sorry Brian, you were right...]

Thanks, I didn't have one on hand to check. Do you happen to know if the
pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be very
useful for sparing...)

> ...though I'd admit the D68 extension is a tidier solution in the
> rack :).

That's the idea.
Even with clean cable management, it's still better to get that fanout as
far from central panels as needed.

> I was also able to come up with vendors that make custom length
> CAB-HD8-ASYNC compatible cables

If going that approach, it'd be even cooler to get something in a cassette
format to go right next to the MPO breakouts...

From gert at greenie.muc.de Tue Aug 19 04:20:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 19 Aug 2008 10:20:58 +0200
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080818233620.GA28542@sysmon.tcworks.net>
References: <20080818233620.GA28542@sysmon.tcworks.net>
Message-ID: <20080819082058.GY288@greenie.muc.de>

Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections

I see two key issues here:

- how to load *balance*.
- how to reliably detect "wireless is down" if there is no end-to-end
  routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP, if
there is only a single client) will not provide load balancing, but only
failover. That is: while one of the boxes is working, it will receive all
the traffic from the PIX, and if it breaks, all the traffic goes to the
other box.

One possible approach to do this might be via "manual balancing", as in
"route all the VPN connections over one path, and all the web surfing over
the other path", but that's not overly easy to maintain.

The other approach might be with Cisco OER - let the boxes figure out what
destinations have the most traffic, and balance these flows over both links.

But that will only work outbound from the customer to you - from the ISP
(you) to the customer, you also need to decide upon the balancing criteria,
if any.

"Just failover" is easy :)

The second part (how to diagnose that the wireless is down) is easier - you
could use a BGP session from the customer router to your edge router, just
sending "customer routes" and "default" back and forth. If the wireless
mesh breaks, the BGP session will also break, and routing will fall over to
the other link.

(The StarOS routers would need to know the customer routes statically, but
that's not a problem, unless the customer changes their IP addresses
frequently).

If BGP is not an option, you could do it with IP SLA ("ping testing") and
static route tracking ("if it doesn't ping, withdraw the route") on both
ends, but that's less elegant than BGP - and much more configuration work.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Toby.Burrows at qubenet.net Tue Aug 19 04:22:59 2008
From: Toby.Burrows at qubenet.net (Toby Burrows (Qube))
Date: Tue, 19 Aug 2008 09:22:59 +0100
Subject: [c-nsp] 11503 ssl redundancy synch
In-Reply-To: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>
References: <509A5E22DDC70B4DA85EA7C06C8FDA8F05196081@ASHEVS011.mcilink.com>
Message-ID:

Many thanks Vijay, had suspected as much, just didn't want to believe it!

It does seem really silly for the price of these things; it looks like I
will be pushing for a pair of F5's when I implement my shared LB solution.

Thanks again,

Toby Burrows

-----Original Message-----
From: Ramcharan, Vijay A [mailto:vijay.ramcharan at verizonbusiness.com]
Sent: 18 August 2008 19:46
To: Toby Burrows (Qube); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 11503 ssl redundancy synch

I don't believe you are missing anything.
SSL files (keys, certs etc) are most likely not copied across. You will
probably need to manually import them into your standby box.

For whatever reason, the ACE has this same limitation (seemingly silly as I
can't put my finger on the reason why Cisco cannot sync SSL files as well as
the config). F5 has had this on their boxes for a long time now. Makes SSL
configuration a snap.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Toby Burrows (Qube)
Sent: August 18, 2008 04:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 11503 ssl redundancy synch

Hi all,

I have 2 css11503's in active/passive redundancy config. When using the
commit_redundConfig command the ssl does not copy across. I have cleared the
standby box and started again, but with no luck.

The config guides I have found offer little info on the ssl redundancy, just
the normal IP redundancy. The question is: should I configure the ssl config
and import the certs on both boxes and then commit the redundant config when
I have verified the ssl config on the standby unit? Or should it copy all
config including all the ssl stuff and I'm missing something?

Thanks in advance

Toby Burrows
Network Engineer

Qube Networks :: The Engineer's Choice for Co-Location, Internet Bandwidth,
Design & Build, and Managed Servers

Qube Networks Ltd :: Company Number 04155284 Registered in England and Wales
:: VAT Registration No: GB 769 6428 71

This e-mail and the information it contains are confidential. If you have
received this e-mail in error please notify the sender immediately. You
should not copy it for any purpose, or disclose its contents to any other
person.

Please consider the environment - do you really need to print this email?
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nic.tjirkalli at za.verizonbusiness.com Tue Aug 19 04:44:15 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Tue, 19 Aug 2008 10:44:15 +0200 (SAST)
Subject: [c-nsp] Queuing on 1 Gig transit interfaces
Message-ID:

howdy ho,

we have some transit interfaces that are GIG E interfaces on CISCO 7500 and
7600 boxes. these interfaces run at most at around 300 Meg.

The current queuing scheme on them is FIFO.

we have some operational folk who are making sounds that they want the
queuing to be WFQ as these boxes are pushing a mix of internet traffic and
VOIP packets (RTP packets)

My feelings are to leave the queuing as FIFO but was wondering if others had
some feelings or experience in this

thanking you in advance for any thoughts or info

later

---------------------------------------------------------------------
Knowledge speaks, but wisdom listens.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
is strictly confidential and intended only for use by the addressee unless
otherwise indicated.

Company Information: http://www.verizonbusiness.com/za/contact/legal/

This e-mail is strictly confidential and intended only for use by the
addressee unless otherwise indicated.

From Mark at u.tv Tue Aug 19 04:45:22 2008
From: Mark at u.tv (Mark Tohill)
Date: Tue, 19 Aug 2008 09:45:22 +0100
Subject: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4
References: <658F94741F4A8A4F94171E37E417488B0272D7EB@UTVEXCHANGE.utv.local> <20080818213259.GA32257@doorstop.net.ic.ac.uk>
Message-ID: <658F94741F4A8A4F94171E37E417488B0272D7EE@UTVEXCHANGE.utv.local>

Thanks for the reply Phil.

It looks as if you're right. No mention of TopTalkers in the CLI.
We'll maybe have to look at implementing this upstream or plan an IOS
upgrade on the Cat's.

Thanks again,

Mark

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: 18 August 2008 22:33
To: Mark Tohill
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Netflow TopTalkers and Modular 12.2(18)SXF4

On Mon, Aug 18, 2008 at 05:12:46PM +0100, Mark Tohill wrote:
>Hi,
>
>Does anyone have experience of configuring Netflow Top Talkers on
>Modular 12.2SX images?

I thought netflow top-talkers was an SXH feature?

>
>We are running modular 12.2(18)SXF4 on Sup720, MSFC3, PFC3 on 6509-E, as
>below:
>
>sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version
>12.2(18)SXF4, RELEASE SOFTWARE (fc1)
><..output omitted...>
>disk0:/sys/s72033/base/s72033-advipservicesk9_wan-vm
><..output omitted...>

Ok - but what are you asking?

From gkg at gmx.de Tue Aug 19 04:55:09 2008
From: gkg at gmx.de (Garry)
Date: Tue, 19 Aug 2008 10:55:09 +0200
Subject: [c-nsp] 20G Etherchannel with Standby-SupV?
Message-ID: <48AA8A6D.8070305@gmx.de>

For a project we are in the process of evaluating the way to implement the
requirements ... One solution would be a dual (extendable) site setup with a
4507R at each site, with dual SupV 10GE and dual connection each via two
different fiber routes. Plan would be to connect one port each of the active
and standby Sup via one way, the other via the other way, resulting in a
decent redundancy in case of a Sup failure.

Anyway, having dual 10G links between both sites would definitely call for
setting up a 20G etherchannel - question is, can an etherchannel be
configured using a 10G interface from each of the two Sups?
From Cisco docs like
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps6033/product_data_sheet0900aecd801c5c66_ps4324_Products_Data_Sheet.html
I read that all ports of the SupV (2x 10G & 4x 1G) in Standby/Redundancy are
usable, so I would assume this also goes for setting up Etherchannels?

Tnx, -garry

From jhary at unsane.co.uk Tue Aug 19 04:57:20 2008
From: jhary at unsane.co.uk (Vincent Hoffman)
Date: Tue, 19 Aug 2008 09:57:20 +0100
Subject: [c-nsp] snmp values for indiviual vlans on trunk port
Message-ID: <48AA8AF0.80708@unsane.co.uk>

Hi,

Just been asked if it's possible to pull out the traffic values for specific
vlans on a trunk port via snmp on a 2960 or 3750. I'm pretty sure the answer
is no, but thought I'd have an ask, any suggestions?

Vince

From p.mayers at imperial.ac.uk Tue Aug 19 05:11:31 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 19 Aug 2008 10:11:31 +0100
Subject: [c-nsp] snmp values for indiviual vlans on trunk port
In-Reply-To: <48AA8AF0.80708@unsane.co.uk>
References: <48AA8AF0.80708@unsane.co.uk>
Message-ID: <48AA8E43.4070605@imperial.ac.uk>

Vincent Hoffman wrote:
> Hi,
> Just been asked if it's possible to pull out the traffic values
> for specific vlans on a trunk port via snmp on a 2960 or 3750.

No, the hardware doesn't support it

> I'm pretty sure the answer is no, but thought I'd have an ask, any
> suggestions?
>
> Vince

From dgranzer at gmail.com Tue Aug 19 05:43:59 2008
From: dgranzer at gmail.com (David Granzer)
Date: Tue, 19 Aug 2008 11:43:59 +0200
Subject: [c-nsp] Queuing on 1 Gig transit interfaces
In-Reply-To:
References:
Message-ID: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com>

Hello,

if the interface is GigE with traffic at around 300Mb/s and there is not any other back pressure mechanism like traffic shaping, then there is no congestion on the interface and congestion management like WFQ is not in use.

David

the congestion management is used only when

On 8/19/08, Nic Tjirkalli wrote:
>
> howdy ho,
>
> we have some transit interfaces that are GIG E interfaces on CISCO 7500
> and 7600 boxes. these interfaces run at most at around 300 Meg.
>
> The current queuing scheme on them is FIFO.
>
> we have some operational folk who are making sounds that they want the
> queuing to be WFQ as these boxes are pushing a mix of internet traffic and
> VOIP packets (RTP packets)
>
> My feelings are to leave the queuing as FIFO but was wondering if others
> had some feelings or experience in this
>
> thanking you in advance for any thoughts or info
>
> later
>
> ---------------------------------------------------------------------
> Knowledge speaks, but wisdom listens.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>

From gkg at gmx.de Tue Aug 19 06:09:36 2008
From: gkg at gmx.de (Garry)
Date: Tue, 19 Aug 2008 12:09:36 +0200
Subject: [c-nsp] 20G Etherchannel with Standby-SupV?
In-Reply-To: <48AA8A6D.8070305@gmx.de>
References: <48AA8A6D.8070305@gmx.de>
Message-ID: <48AA9BE0.9040701@gmx.de>

Looks like I mis-read (or at least misunderstood) the wording in the document I quoted ... in another one, I found a slightly clearer statement which noted that of the four 10G interfaces, any two could be used in a redundant setup ... so I guess the 20G idea is only feasible for a 2-site setup, as in any larger setup, a ring would be operated, which then terminates one 10G line each on two different remote sites ...

-garry

From agirling at denetron.com Tue Aug 19 06:25:31 2008
From: agirling at denetron.com (Andrew Girling)
Date: Tue, 19 Aug 2008 06:25:31 -0400
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>
References: <994323.8219.qm@web905.biz.mail.mud.yahoo.com>
Message-ID: <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com>

On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>> The connector on the cards are (Micro)D68F (also used by SCSI-3
>> devices). You would be looking for a D68M-D68F cable to extend the
>> connection.
>
> [...oops. sorry Brian, you were right...]
>
> Thanks, I didn't have one on hand to check. Do you happen to know if
> the pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be
> very useful for sparing...)

Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been hard to track down online.

>> ...though I'd admit the D68 extension is a tidier solution in the
>> rack :).
>
> That's the idea.
> Even with clean cable management, it's still better to
> get that fanout as far from central panels as needed.
>
>> I was also able to come up with vendors that make custom length
>> CAB-HD8-ASYNC compatible cables
>
> If going that approach, it'd be even cooler to get something in a
> cassette format to go right next to the MPO breakouts...

Cisco does recommend a vendor that provides 1RU breakouts in 32 and 48 port configurations, which you feed using D68M-D68M cables:

> Q. Are cable management solutions available for asynchronous ports?
> A. Components Express Inc. offers patch panel solutions for the HWIC-8A and HWIC-16A. These patch panels connect to the high-density asynchronous connectors and break out into individual RJ-45 jacks for each asynchronous port

I have not found any vendors providing a cassette format, but I certainly see the appeal there.

From CB at nianet.dk Tue Aug 19 07:23:24 2008
From: CB at nianet.dk (Christian Bering)
Date: Tue, 19 Aug 2008 13:23:24 +0200
Subject: [c-nsp] 7600, diagnostic per-port
Message-ID:

Hi all,

#diagnostic start module 3 test per-port port 2
Diagnostic[Module 3]: Running test(s) 4-5 may disrupt normal system operation
Do you want to continue? [no]:

Will running this diagnostics feature be disruptive to traffic on any other ports than port 2? Port 2 is currently down/down but I have traffic on port 1 and would rather not disrupt traffic on that port while testing port 2.

--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730

From lowen at pari.edu Tue Aug 19 07:33:40 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 07:33:40 -0400
Subject: [c-nsp] Platform experience and recommendations for L2TPv3.
Message-ID: <200808190733.40713.lowen@pari.edu>

Good morning list. No rant today.
:-)

I am looking, however, for the collected experience of this list in platform experience and recommendations for providing six to twelve point to point L2TPv3 (or equivalent technology) tunnels at up to 150Mb/s rates between APS-protected OC3 endpoints (if you have experience in that area; otherwise just straight tunnels). I have a limited selection of 7500-series routers available, a single 3845, and a 12012 (but no OC48 POS card for a tunnel server; wish I could use the single card 'half' of an OC48 SRP set to do that, as I have one of those).

I am open to suggestions on alternative means of providing layer 2 adjacency for multiple VLANs across an OC3 POS link, as well.

I'd also like to hear the experience of the list on how to prevent hairpinning of traffic across an L2TPv3 tunnel; that is: I've got four devices: A, B, C, and D (I know, creative names). A and B are on one end of the link; C and D are on the other. A and C are in the same subnet and are layer 2 adjacent through tunnel X. B and D are both in a different subnet, and have layer 2 adjacency with each other through tunnel Y. How do I prevent traffic between A and B (or between C and D) from traversing the tunnel twice? (that is, one direction on tunnel X, through a router, then back through tunnel Y) I've thought of some form of HSRP or similar protocol. Or is there a better way? A needs to use a router on its end of the link, and C needs to use a router on its end of the link (oh, and just manipulating the default routes in A or C's OS isn't a possibility due to what A and C would be: VMware guests).

The application is VMotion and HA/DRS on VMware across an OC3 POS WAN link between two VMware ESX hosts (one at the prime site, one at the DR); VMotion requires layer 2 adjacency (and does MAC hijacking, which has its own things, but I'm not that far yet) between the two ESX hosts in order to work.

Thanks in advance for any responses.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From lowen at pari.edu Tue Aug 19 07:41:43 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 07:41:43 -0400
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <5E1349FC-0219-4F18-8DDC-879F84C459D5@denetron.com>
References: <277180.79235.qm@web901.biz.mail.mud.yahoo.com>
Message-ID: <200808190741.44035.lowen@pari.edu>

On Monday 18 August 2008 21:40:35 Andrew Girling wrote:
> The connector on the cards are (Micro)D68F (also used by SCSI-3
> devices).

A SCSI LVD/SE 68 pin extension might work; I'd just wonder about the pairing (SCSI cables have strict pairing guidelines; certain signals have to traverse certain pairs in the cable; the highest speed and most critical signals are carried in the center of the cable, and the slowest are carried closer to the shield). Each data line has its paired return, which might or might not match pairing in the HD8-ASYNC. At low speeds it wouldn't matter, but higher speed async signals might suffer from increased crosstalk.

You can see the way SCSI LVD/SE cables are laid out by looking at http://www.paralan.com/lvdmsepinout.html

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From nasir.shaikh at bt.com Tue Aug 19 08:13:28 2008
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 19 Aug 2008 13:13:28 +0100
Subject: [c-nsp] OT: network inventory
Message-ID:

Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco.

Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?
Nasir Shaikh

From ney25 at hotmail.com Tue Aug 19 08:16:46 2008
From: ney25 at hotmail.com (Jack)
Date: Tue, 19 Aug 2008 20:16:46 +0800
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

I think solar winds may help you.

Regards,
Jack

--------------------------------------------------
From:
Sent: Tuesday, 19 August, 2008 8:13 PM
To:
Subject: [c-nsp] OT: network inventory

> Hi,
>
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.
>
> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?
>
> Nasir Shaikh

From mathias.spoerr at at.ibm.com Tue Aug 19 08:23:05 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Tue, 19 Aug 2008 14:23:05 +0200
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

I made a small tool called wktools and it's Freeware: www.spoerr.org/wktools

It can do an inventory of your Cisco devices, including IOS routers, IOS&CatOS switches, PIX, ASA, FWSM and IP Phones

Mathias

From:
To:
Date: 19.08.2008 14:20
Subject: [c-nsp] OT: network inventory

Hi,

Anybody familiar with (freeware/shareware) tools for a network inventory? Install-base is 100% cisco.

Are there other utilities around that would scan the collected configurations and read relevant info (descriptions, ip add, link bandwidth etc)?

Nasir Shaikh
From jaitken at aitken.com Tue Aug 19 08:29:05 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Tue, 19 Aug 2008 12:29:05 +0000
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID: <20080819122905.GB51150@eagle.aitken.com>

On Tue, Aug 19, 2008 at 01:13:28PM +0100, nasir.shaikh at bt.com wrote:
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.

Sounds like you want rancid: http://www.shrubbery.net/rancid/

--Jeff

From a0kunev at yandex.ru Tue Aug 19 08:36:27 2008
From: a0kunev at yandex.ru (a0kunev)
Date: Tue, 19 Aug 2008 16:36:27 +0400
Subject: [c-nsp] voice call drop on as5400
Message-ID: <60121219149387@webmail9.yandex.ru>

Hello

I would like to share the problem we recently got on our network. We have a DS3 coming to an as5400, that converts PSTN calls to VOIP. We're handling only incoming calls, so the dial-peer config is simple, one voice and one voip provider. Recently we've started receiving complaints from our customers about dead air and drops during their conferences. The issues looked like this - a person dialed the DID and nobody answered during 10-120 seconds, then the call was terminated by timeout.
Recently we were able to reproduce this; with debug 'call-mgmnt' it's dumping the following on the console:

Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3

I've checked with tcpdump; cisco does not send anything to the IP bridge to establish the call at that time. Telco says they see a lot of rejected calls from our side, but there is nothing on our end (I have not seen it yet).

The as5400 was recently updated to 12.4(9)T4.

Please advise on how to debug this problem.

regards, Andrei

From lowen at pari.edu Tue Aug 19 08:42:42 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 08:42:42 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID: <200808190842.42251.lowen@pari.edu>

On Tuesday 19 August 2008 08:13:28 nasir.shaikh at bt.com wrote:
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.

> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?

I use OpenNMS, which is a full bore network management system. Has great autodiscovery, and reads what it needs to know via SNMP. Can do layer 2 link detections and paths.

Doesn't pull in configs; rancid does that quite well.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From bjorn at mork.no Tue Aug 19 08:51:09 2008
From: bjorn at mork.no (Bjørn Mork)
Date: Tue, 19 Aug 2008 14:51:09 +0200
Subject: [c-nsp] CAB-HD8-ASYNC extension cables?
In-Reply-To: <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com> (Andrew Girling's message of "Tue, 19 Aug 2008 06:25:31 -0400")
References: <994323.8219.qm@web905.biz.mail.mud.yahoo.com> <06A76432-F192-4FA7-A2FF-9B0CF1E59B8F@denetron.com>
Message-ID: <874p5h6ude.fsf@obelix.mork.no>

Andrew Girling writes:
> On Aug 19, 2008, at 12:21 AM, Kevin Graham wrote:
>
>> Thanks, I didn't have one on hand to check. Do you happen to know if
>> the pinout is consistent w/ the HD68's used in the CAB-OCTAL? (Could be
>> very useful for sparing...)
>
> Unfortunately, I'm not sure, and the pinout on the HD8-ASYNC has been
> hard to track down online.

It's here: http://www.cisco.com/en/US/docs/routers/access/hardware/notes/marcabl.pdf

The pinout does not seem to be consistent with the CAB-OCTAL. Ref http://www.cisco.com/en/US/docs/routers/access/2500/software/user/guide/cables.html#wp2406

Bjørn

From abalashov at evaristesys.com Tue Aug 19 08:59:44 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 19 Aug 2008 08:59:44 -0400 (EDT)
Subject: [c-nsp] voice call drop on as5400
In-Reply-To: <60121219149387@webmail9.yandex.ru>
References: <60121219149387@webmail9.yandex.ru>
Message-ID: <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com>

Is there anything that can be gleaned from either the debug on the SIP side or the ISDN (are these PRIs?) side? ("debug isdn q931")

On Tue, August 19, 2008 8:36 am, a0kunev wrote:
> Hello
>
> I would like to share the problem we recently got on our network. We have
> a DS3 coming to an as5400, that converts PSTN calls to VOIP.
> We're handling
> only incoming calls, so the dial-peer config is simple, one voice and one
> voip provider. Recently we've started receiving complaints from our
> customers about dead air and drops during their conferences. The issues
> looked like this - a person dialed the DID and nobody answered during
> 10-120 seconds, then the call was terminated by timeout.
>
> Recently we were able to reproduce this; with debug 'call-mgmnt' it's
> dumping the following on the console:
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ
> received
> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3
>
> I've checked with tcpdump; cisco does not send anything to the IP bridge to
> establish the call at that time. Telco says they see a lot of rejected
> calls from our side, but there is nothing on our end (I have not seen it yet)
>
> The as5400 was recently updated to 12.4(9)T4.
>
> Please advise on how to debug this problem.
> regards, Andrei
>

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From maillist at webjogger.net Tue Aug 19 09:04:29 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 19 Aug 2008 09:04:29 -0400
Subject: [c-nsp] OT: network inventory
References: <200808190842.42251.lowen@pari.edu>
Message-ID: <017d01c901fc$1dcb0300$12140a0a@GINKGO>

Besides documenting config changes, can rancid perform a tftp backup of router / switch startup configs, or integrate with some other software to pull down the config file if a change is detected?

----- Original Message -----
From: "Lamar Owen"
To:
Sent: Tuesday, August 19, 2008 8:42 AM
Subject: Re: [c-nsp] OT: network inventory

> On Tuesday 19 August 2008 08:13:28 nasir.shaikh at bt.com wrote:
>> Anybody familiar with (freeware/shareware) tools for a network
>> inventory? Install-base is 100% cisco.
>
>> Are there other utilities around that would scan the collected
>> configurations and read relevant info (descriptions, ip add, link
>> bandwidth etc)?
>
> I use OpenNMS, which is a full bore network management system. Has great
> autodiscovery, and reads what it needs to know via SNMP. Can do layer 2
> link detections and paths.
>
> Doesn't pull in configs; rancid does that quite well.
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu
>

From rskjels at pogostick.net Tue Aug 19 08:15:45 2008
From: rskjels at pogostick.net (Rikard Stemland Skjelsvik)
Date: Tue, 19 Aug 2008 14:15:45 +0200 (MEST)
Subject: [c-nsp] OT: network inventory
In-Reply-To:
References:
Message-ID:

http://www.ziptie.org/

--
Rikard

On Tue, 19 Aug 2008, nasir.shaikh at bt.com wrote:
> Hi,
>
> Anybody familiar with (freeware/shareware) tools for a network
> inventory? Install-base is 100% cisco.
>
> Are there other utilities around that would scan the collected
> configurations and read relevant info (descriptions, ip add, link
> bandwidth etc)?
>
> Nasir Shaikh
>

From lowen at pari.edu Tue Aug 19 09:26:15 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 09:26:15 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References:
Message-ID: <200808190926.15885.lowen@pari.edu>

On Tuesday 19 August 2008 09:04:29 Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?

See http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid and see if that meets your needs.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From jlewis at lewis.org Tue Aug 19 09:32:22 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 19 Aug 2008 09:32:22 -0400 (EDT)
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO>
Message-ID:

On Tue, 19 Aug 2008, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?

It doesn't use tftp for it, but rancid does backup your configs and put them into CVS so you can see when a change was made, compare configs from different times, etc. It also stores the latest versions of the configs as flat files, so you can easily do some scripting to do things like find all routers of a certain type, make a list of router names and the software versions they're running, etc.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jzp-cnsp at rsuc.gweep.net Tue Aug 19 09:35:41 2008
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Tue, 19 Aug 2008 09:35:41 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <017d01c901fc$1dcb0300$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO>
Message-ID: <20080819133540.GA69001@gweep.net>

On Tue, Aug 19, 2008 at 09:04:29AM -0400, Adam Greene wrote:
> Besides documenting config changes, can rancid perform a tftp backup of
> router / switch startup configs, or integrate with some other software to
> pull down the config file if a change is detected?
Lots of folks trigger rancid runs on snmp traps or syslog events. Best IMO is to front-end your changes thru rancid & have that wrapper log/trigger runs/etc to your heart's content. Only the long list of 'round tuits' is to recreate all the good ol rtrmon suite actions as rancid wrappers.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From chip.gwyn at gmail.com Tue Aug 19 09:56:42 2008
From: chip.gwyn at gmail.com (chip)
Date: Tue, 19 Aug 2008 09:56:42 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <20080819133540.GA69001@gweep.net>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net>
Message-ID: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router? By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From MLouis at nwnit.com Tue Aug 19 10:02:13 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Tue, 19 Aug 2008 10:02:13 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID:

You can use a tool from the cisco partner site called Cisco Network Discovery Tool. It will categorize every module in IOS/CatOS devices and output them to excel spreadsheets.
It lists all EOL hardware and Software as well as serial numbers and such per device and module. It's great for smartnet renewals and tracking. You have to be a partner to use it though but it works well. I use it all the time. It also lists what IOS have PSIRT etc and provides links to the cisco PSIRT site.

Mike

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chip
Sent: Tuesday, August 19, 2008 9:57 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices and backup configs and such. Is there anything around that will actually take inventory of a router? By inventory I mean, list of cards, model numbers, serial numbers, pluggable optics, etc. I've been working on scripts to do this and it's become a lot more complicated than I had originally planned. If there's already some software out there that does this, I'd love to get my hands on it.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....
From gordon at suncircle.org Tue Aug 19 10:13:40 2008
From: gordon at suncircle.org (gordon)
Date: Tue, 19 Aug 2008 10:13:40 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <20080819101340.014bbec3@ngohj6-----wkay>

I've had pretty good luck with nedi so far: http://www.nedi.ch/

On Tue, 19 Aug 2008 09:56:42 -0400 chip wrote:
> So far all of the software that's been presented will autodiscover
> devices and backup configs and such. Is there anything around that
> will actually take inventory of a router. By inventory I mean, list
> of cards, model numbers, serial numbers, pluggable optics, etc. I've
> been working on scripts to do this and it's become a lot more
> complicated than I had originally planned. If there's already some
> software out there that does this, I'd love to get my hands on it.
>
> --chip
>

From lowen at pari.edu Tue Aug 19 10:24:05 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 19 Aug 2008 10:24:05 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References:
Message-ID: <200808191024.06283.lowen@pari.edu>

On Tuesday 19 August 2008 09:56:42 chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc.

So you want to issue a 'show inventory raw' command and capture the results, essentially, right?

Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From ian.mackinnon at lumison.net Tue Aug 19 10:03:33 2008
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Tue, 19 Aug 2008 15:03:33 +0100
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <48AAD2B5.7010109@lumison.net>

hi Chip,

chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc. I've been working on
> scripts to do this and it's become a lot more complicated than I had
> originally planned. If there's already some software out there that does
> this, I'd love to get my hands on it.
>
> --chip
>

CiscoWorks does all that magic inventory stuff. Costs though :-(

You can then do all sorts of queries, eg tell me all the routers running 12.x with a WICxxxx because there is a vulnerability.

On recent IOS's "show inventory" does what you want, but it is not supported everywhere.
From chip.gwyn at gmail.com Tue Aug 19 10:38:52 2008
From: chip.gwyn at gmail.com (chip)
Date: Tue, 19 Aug 2008 10:38:52 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <200808191024.06283.lowen@pari.edu>
References: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com> <200808191024.06283.lowen@pari.edu>
Message-ID: <64a8ad980808190738m17beca3eqd7d9307163f84afe@mail.gmail.com>

On Tue, Aug 19, 2008 at 10:24 AM, Lamar Owen wrote:
> On Tuesday 19 August 2008 09:56:42 chip wrote:
>> So far all of the software that's been presented will autodiscover
>> devices and backup configs and such. Is there anything around that will actually
>> take inventory of a router. By inventory I mean, list of cards, model
>> numbers, serial numbers, pluggable optics, etc.
>
> So you want to issue a 'show inventory raw' command and capture the
> results, essentially, right?
>
> Seems rancid could do this, as it can produce arbitrary scripts and diff
> the results; perhaps a rancid expert here (which I'm not) can further comment.
> --
> Lamar Owen
> Chief Information Officer
> Pisgah Astronomical Research Institute
> 1 PARI Drive
> Rosman, NC 28772
> http://www.pari.edu
>

'show inventory raw'

How have I missed this command for so long? That's perfect! Thanks sir! Now to parse, put into xml, and track the changes. Lots easier than dealing with snmp, different platforms, different os versions.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From giany007 at yahoo.com Tue Aug 19 10:41:06 2008
From: giany007 at yahoo.com (Giany)
Date: Tue, 19 Aug 2008 07:41:06 -0700 (PDT)
Subject: [c-nsp] OT: network inventory
In-Reply-To: <200808191024.06283.lowen@pari.edu>
Message-ID: <591815.44232.qm@web38905.mail.mud.yahoo.com>

I see a lot of people ask about this.
Here are my 2 cents: I have set this up using rancid and some perl scripts. If you manage to install rancid then the perl script should contain:

1. variables with: rancid config files, router.db, snmp community
2. vars with port type for cisco/cat/juniper, smth like ( %switchports = ("WS-X5225R","24|100baseTX",....)
3. get the list of devices you have, smth like:
   my @devcisco = `cat router.db | grep -i ":up:" | grep -i "cisco" | cut -f1 -d":"`;
   the same for the rest of devices
4. then for the list of devices you have get the infos you need (slot, port, ip..)

--- On Tue, 8/19/08, Lamar Owen wrote:

From: Lamar Owen
Subject: Re: [c-nsp] OT: network inventory
To: cisco-nsp at puck.nether.net
Date: Tuesday, August 19, 2008, 7:24 AM

On Tuesday 19 August 2008 09:56:42 chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc.

So you want to issue a 'show inventory raw' command and capture the results, essentially, right?

Seems rancid could do this, as it can produce arbitrary scripts and diff the results; perhaps a rancid expert here (which I'm not) can further comment.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Tue Aug 19 10:41:05 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 19 Aug 2008 10:41:05 -0400
Subject: [c-nsp] debugging stack corruption
In-Reply-To: <20080818201044.GR29172@elvis.mu.org>
References: <20080818201044.GR29172@elvis.mu.org>
Message-ID: <20080819144105.GF18913@rtp-cse-489.cisco.com>

How are you getting this output?

If you ssh/telnet to it and run the command do you get the same output?

That's not stack corruption to me.

Rodney

On Mon, Aug 18, 2008 at 01:10:44PM -0700, bill fumerola wrote:
> 
> anyone see anything like this. i assume only a reload will fix this:
> 
> rtr1#sh proc cpu | e 0.0
> CPU utilization for five seconds: 33%/8%; one minute: 37%; five minutes: 35%
>  PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>    3 528125122320274973 22 23.35% 20.79% 20.97% 0 Exec
>   70 3616544001417549298 255 0.15% 0.11% 0.12% 0 IP Input
>  115 4851843096833738 0 0.15% 0.14% 0.15% 0 HQF Shaper Backg
> rtr1#
> 
> nobody else is logged on, little to no amount of traffic is running
> through the aux/cons ports, but this is interesting:
> 
> rtr1#show stacks
> Minimum process stacks:
>  Free/Size   Name
>  5676/6000   CDP BLOB
>  8640/9000   EM ED RF
> 11052/12000  Router Init
>  8676/9000   cdp init process
>  8348/12000  Init
>  5304/6000   RADIUS INITCONFIG
>  3616/6000   BGP Open
>  2264/3000   Rom Random Update Process
>  5616/6000   URPF stats
>  5316/6000   BGP Accepter
>  9248/12000  Exec
>  7176/12000  SSH Process
>  4264/6000   TFTP Read Process
>  4204/6000   MSDP Open
> 34540/36000  TCP Command
>  5236/7200   TTY Daemon
>  8496/9000   IP-EIGRP Router
>  3360/6000   
> d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P ,d^[mdd^\^Nld^\
> 
dd^[ 4d^[Q 4d^[1^Dd^[`Td^[{td^[^E^\d^[m ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > \d^[^Add^[^Q\d^[^QLd^[ > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > dd^[ > Ld^[)$d^[#td^[1 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? Dd^[dld^[. ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > 6856/9000 > d^\^[Td^[T^Dd^\y^Dd^\^P ,d^[mdd^\^Nld^\ > dd^[ 4d^[Q 4d^[1^Dd^[`Td^[{td^[^E^\d^[m ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > Minimum process stacks: > Free/Size Name > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > \d^[^Add^[^Q\d^[^QLd^[ > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > dd^[ > Ld^[)$d^[#td^[1 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? Dd^[dld^[. 
^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > 10468/12000 HSRP (Standby) > > Interrupt level stacks: > Level Called Unused/Size Name > 1 2648551315 6280/9000 Network interfaces > 2 0 9000/9000 DMA/Timer Interrupt > 3 185107 7472/9000 PA Management Int Handler > 4 1715750501 8444/9000 Console Uart > 5 0 9000/9000 OIR/Error Interrupt > 7 3207930022 8532/9000 NMI Interrupt Handler > > Spurious interrupts: 233 > rtr1# > > and on a different router: > > rtr1.chi#sh stacks > Minimum process stacks: > Free/Size Name > [....] > 3500/6000 > 7160/9000 5,<$/jDSw_h 5,< 5,< 5,< 5,< 5,< d(X d(X 5,< 5,< 5,< 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< d'X 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5,< 5,< 5,< 5,< 5, 5,<#^Qz|#^Qy|#^Qy| 5,<#^Qx|#^Qx| 5,<%Dtx%Dtx%Dtx%Dtx%Dsx%Dsx%Dsx%Dsx 5,< > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5,<%Dsx 5,< 5,< 5,<%Drx 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,<#^Qw|#^Qw|#^Qv| 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<#W:x#W9x > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5, 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< > 5,< 5, 5316/6000 BGP Accepter > 10176/12000 Exec > > although that router doesn't display the same CPU symptoms. 
> 
> first router is running:
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB11, RELEASE SOFTWARE (fc3)
> ROM: System Bootstrap, Version 12.3(4r)T4, RELEASE SOFTWARE (fc1)
> BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
> 
> second router is running:
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(31)SB12, RELEASE SOFTWARE (fc3)
> 
> -- bill

From rodunn at cisco.com Tue Aug 19 10:42:51 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 19 Aug 2008 10:42:51 -0400
Subject: [c-nsp] Queuing on 1 Gig transit interfaces
In-Reply-To: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com>
References: <844ef89c0808190243l12d74b2hc2eaaad3acf410f6@mail.gmail.com>
Message-ID: <20080819144251.GG18913@rtp-cse-489.cisco.com>

Exactly. Some folks think they need it just to say they are doing fancy qos. ;)

If you want to put a MQC policy on the interface they can. But don't do it at those rates on the 7500 as you will kill the VIP CPU. They need a hardware forwarding platform to do those rates with QOS.

Rodney

On Tue, Aug 19, 2008 at 11:43:59AM +0200, David Granzer wrote:
> Hello,
> 
> if the interface is GigE with traffic at around 300Mb/s and there is
> not any other back pressure mechanism like traffic shaping then on the
> interface is not congestion and the congestion management like WFQ is
> not in use.
> 
> David
> 
> the congestion management is used only when
> 
> > On 8/19/08, Nic Tjirkalli wrote:
> > 
> > howdy ho,
> > 
> > we have some transit interfaces that are GIG E interfaces on CISCO 7500
> > and 7600 boxes. these interfaces run at most at around 300 Meg.
> > 
> > The current queuing scheme on them is FIFO.
> > 
> > we have some operational folk who are making sounds that they want the
> > queuing to be WFQ as these boxes are pushing a mix of internet traffic and
> > VOIP packets (RTP packets)
> > 
> > My feelings are to leave the queuing as FIFO but was wondering if others
> > had some feelings or experience in this
> > 
> > thanking you in advance for any thoughts or info
> > 
> > later
> > 
> > ---------------------------------------------------------------------
> > Knowledge speaks, but wisdom listens.
> > 
> > Nic Tjirkalli
> > Verizon Business South Africa
> > Network Strategy Team
> > 
> > Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> > is strictly confidential and intended only for use by the addressee unless
> > otherwise indicated.
> > 
> > Company Information: http://www.verizonbusiness.com/za/contact/legal/
> > 
> > This e-mail is strictly confidential and intended only for use by the
> > addressee unless otherwise indicated.

From ben.steele at internode.on.net Tue Aug 19 10:43:50 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 20 Aug 2008 00:13:50 +0930
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <60221.1219118122@internode.on.net>
References: <60221.1219118122@internode.on.net>
Message-ID: <3C1BDE6DD22848F38654FB175E2211DB@MOYAPENYA>

omg terrible formatting, apologies everyone! damn webmail client...
----- Original Message -----
From:
To: ; "Scott Lambert"
Sent: Tuesday, August 19, 2008 1:25 PM
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

> Hi Scott,
> 
> Try this:
> 
> Seeing as you are working statics over your wireless cloud to
> simplify things a little setup a GRE tunnel from your 7200 over the
> wireless to the 1841 (don't forget to subtract 24 bytes off the MTU,
> ie if it's a 1500 path put ip mtu 1476 in the tunnel interface and
> also add keepalives so it will actually go down if it is down), and I
> assume your T1 is point to point from the other 1841 to the 7200.
> 
> Now assuming this is going to be a redundant configuration as well
> as load-balanced you need to have a subnet that can float between the
> 2 links that your customer can NAT against (which by the way will
> happen on the ASA they got sold), there are 2 ways you can achieve
> this, 1 is by using ip sla to monitor the next hop of each of the
> customer links from your 7200 with statics, the other is private BGP,
> you sure as hell don't want to start running an IGP to your
> customers (unless it's MPLS VPN).
> 
> Let's say you assign your customer 1.0.0.0/27 as their usable
> floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE
> tunnel (wireless) is 2.0.0.5/30 at your end.
> 
> Setup ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their
> own rtr group of course, say 1 and 2 respectively).
> 
>   ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
>   ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2
> 
> Hope that makes sense, essentially traffic will only route to your
> customer if your 7200 can ping their respective 1841, the other
> private BGP option I am going to assume you are already familiar with
> being in an ISP.
> 
> Now for the customer to you.
> 
> AFAIK the ASA cannot load balance it can only forward out 1
> interface at a time.
> So what you need to do is put the ASA and the 2 1841 interfaces into
> a switch so they can all see each other at layer2, now setup hsrp on
> your 1841 interfaces for redundant gateways lets say you use
> 1.0.0.1 (t1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp), now the next part is a
> little trickier, I am going to assume your T1 is your primary link for
> this example but you can switch it around if you want.
> 
> On your T1 1841 add a static route for the wireless /30 to go via
> the LAN interface of the Wireless 1841 (ip route 2.0.0.4
> 255.255.255.252 1.0.0.2), you should now be able to ping the ISP end of
> the wireless link from your T1 1841, you want to setup ip sla to
> monitor the ISP end of the wireless link from your T1 router (ie the T1
> router is monitoring 2.0.0.5) and you also want to monitor its end of
> the T1 link as well, 2.0.0.1
> 
> What this does is let your primary gateway know that it has a
> complete and valid path for both gateways for redundancy.
> 
> Now you add 2 static routes with tracking on your primary 1841
> 
>   ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
>   ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2
> 
> Your wireless 1841 need only have the 1 gateway via its wireless
> tunnel as it should only ever fall over to that router if there is a
> serious problem on the primary side so you don't want it routing back
> that way anyway, however make sure you enable pre-empt so it fails
> back to the primary once it is back up.
> 
> You can optimise this a little further with the global command "ip
> cef load-sharing algorithm include-ports destination source" or if
> you're game you can even do per-packet load sharing however I wouldn't
> recommend it as your 2 paths are going to have different
> characteristics, I'd probably just try the method I listed first.
> 
> As mentioned previously the ASA config will just be straightforward,
> NAT/PAT against some pool in 1.0.0.0/27 with a default route to
> 1.0.0.3 (hsrp), nothing more to it, the 1841's will do all the
> redundancy and load balancing.
> 
> Hope at least some of that made sense, if you need clarification on
> anything let me know.
> 
> Cheers
> 
> Ben
> 
> On Tue 19/08/08 9:06 AM , Scott Lambert lambert at lambertfam.org sent:
> 
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
> ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
> ASA and 1841s. Apparently, the customer didn't even mention that the
> two connections were to the same ISP, me. The customer just ordered the
> equipment and said "Make it work."
> 
> The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
> network.
> 
> Cisco sales tech guy said:
> 
> > What we discussed was the ASA having a default route to the virtual
> > IP address of the routers and they would be running either VRRP or
> > GLBP (whatever they decided they wanted to do) going out to the
> > service provider. Then the routers would simply have a default route
> > going out to the service provider to hit the 'Net.
> 
> The network design is supposed to be something like :
> 
>         Cisco 7204VXR NPE G1 (ISP)
>            |            |
>            T1       Wireless network cloud
>            |            |
>       Cisco 1841    Cisco 1841
>            |            |
>       -+-------+--------+-
>                |
>        Cisco ASA 5510 (Customer)
> 
> The wireless network cloud is creating logistical issues for me. The
> wireless ethernet makes multiple hops through StarOS based routers
> which do not speak OSPF, yet. I have to statically route traffic to the
> wireless cloud. The wireless network is handled by a different group
> here and I don't have much influence over how they run it.
> 
> I've been running ISP routers for 10 years, but have not had this
> configuration come up before. 99.9999% of my customers have been single
> homed to me. Also, ASA/PIX devices haven't been common for me until the
> past couple of years and I keep running into areas where they seem to
> try very hard to avoid having common routing features. I'm primarily a
> servers guy but when you work in small ISPs, you get to do everything.
> 
> I could use some guidance in the best way to make these links load
> balance with graceful degradation if one link should fall down.
> 
> I've been considering bringing up an IPSec VPN from the 7204VXR to the
> 1841 handling the wireless ethernet connection, just to bypass the need
> for dynamic routing in the wireless network. Then I could run OSPF or
> other magic between the 1841s and my 7204.
> 
> Is OSPF going to be enough to load balance the links, or will I need
> something else?
> 
> If not, could an MLPPP bundle be brought up which uses the T1 and an
> IPSec tunnel? But then, how would I use the 1841s redundantly?
> 
> To keep the 1841s redundant, do I need to use their existing router to
> act as a T1 to ethernet bridge?
> 
> Also, on the VRRP front, the customer currently has a /29 LAN subnet
> outside their ASA. The current T1 router has one IP and the rest of
> the IPs are in use on the ASA. Will we need to renumber them to a /28
> subnet? Or, can the virtual router address be from their current subnet
> with the individual routers having their primary IPs from another, RFC
> 1918, subnet?
> 
> The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)
> connections.
> 
> If I configure the VirtualTemplates to permit CEF, which lowers CPU
> utilization to about 30%, the router hangs in an infinite loop at random
> intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the 12.2
> SB series images at the time I last tried CEF did the same thing and I
> haven't had enough nerve to try again since.
> 
> Hopefully, that is not important right now. The only reason I mention
> it is in case an IPSec tunnel, or whatever the necessary magic ends up
> being, might make a significant impact on the CPU.
> 
> -- 
> Scott Lambert KC5MLE Unix SysAdmin

From wojciecj at hotmail.com Tue Aug 19 11:12:50 2008
From: wojciecj at hotmail.com (Jeffrey Wojciechowski)
Date: Tue, 19 Aug 2008 10:12:50 -0500
Subject: [c-nsp] Transmit Discards Across MLPPP
In-Reply-To:
References:
Message-ID:

Hi All:

I am new to this forum so not sure if this is a good place to ask this question.

What's the best way to troubleshoot transmit discards across MLPPP?
Here is my setup and symptoms:

-Cisco 2821 with 3x VWIC1-1MFT making up the multilink @ 1536 bandwidth (IPBASE image)
-I am polling that router via SNMP with Solarwinds Orion @ 1 min intervals
-today bandwidth (Sending) across multilink max of 2.05mbps
-95th percentile on sending utilization is 33.74%
-today dropped packets so far 1,418
-show policy-map interface shows no drops in the ef queue (for our voip) so all drops are falling thru to our class-default which is using flow based fair queuing
-drops only show @ multilink interface (sh int multilink123) not at the T1 interface level (sh int s0/2/0:0, sh int s0/2/1:0 and sh int s0/1/0:0)
-I don't show any lost fragments (sh int multilink ppp) nor does the provider on the other end of this circuit

My understanding is that the router should only be discarding if the sending interface is congested but it's not. I am concerned about these drops while the utilization is fairly low. Drops do increase as traffic increases on the link.

Any guidance/advice would be very much appreciated.

If this has been asked and answered in another thread, please point me in the right direction.

Thanks!

Jeff Wojciechowski

From rodunn at cisco.com Tue Aug 19 12:34:00 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 19 Aug 2008 12:34:00 -0400
Subject: [c-nsp] Transmit Discards Across MLPPP
In-Reply-To:
References:
Message-ID: <20080819163400.GM18913@rtp-cse-489.cisco.com>

On a Cisco bundle we do QOS before putting the MLPPP headers on. That prevents a lot of out of orders if you do QOS after putting the MLP headers on.

So what you are seeing sounds correct. You are most likely bursting above the bundle rate coming from your LAN going towards the bundle so the QOS kicks in, prioritizes the traffic, and drops the lower priority.

Rodney

From lgeyer at gmail.com Tue Aug 19 13:13:32 2008
From: lgeyer at gmail.com (Laurent Geyer)
Date: Tue, 19 Aug 2008 13:13:32 -0400
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <20080819133540.GA69001@gweep.net> <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <39647f4d0808191013l259e5bf4sa20c2671b1598e68@mail.gmail.com>

On Tue, Aug 19, 2008 at 9:56 AM, chip wrote:
> So far all of the software that's been presented will autodiscover devices
> and backup configs and such. Is there anything around that will actually
> take inventory of a router. By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc. I've been working on
> scripts to do this and it's become a lot more complicated than I had
> originally planned. If there's already some software out there that does
> this, I'd love to get my hands on it.

Check out Ziptie. It's still a work in progress and things tend to change around a bit, but the core framework is there and looks very promising. The hardware inventory may not go as far as giving you details on the pluggable optics, but it covers the linecard inventory pretty well as of right now, and the dev team encourages feedback/feature requests.

http://www.ziptie.org/files/images/Screenshot-ZipTie%20-%20Hardware%20Model%20-%20ZipTie%20.preview.png

I'm still in the 'playing around' stage with it, but I'm giving serious consideration to putting it into production.
Cheers,
Laurent

From a0kunev at yandex.ru Tue Aug 19 13:53:02 2008
From: a0kunev at yandex.ru (a0kunev)
Date: Tue, 19 Aug 2008 21:53:02 +0400
Subject: [c-nsp] voice call drop on as5400
In-Reply-To: <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com>
References: <60121219149387@webmail9.yandex.ru> <4763.97.81.69.51.1219150784.squirrel@webmail.corp.evaristesys.com>
Message-ID: <75f70fb80808191053t4b8bb45emb1c1375065247ee1@mail.gmail.com>

Hi Alex,

this is CAS with e&m, unfortunately. T1s configured as

signaling-class cas test
 profile incoming S<*a<*d<*n
controller T1 7/0:1
 framing esf
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
  class test
!
controller T3 7/0
 framing m23
 clock source line
 t1 1-28 controller
!

I don't see much debug info regarding the issue, enabled debugs for:

CAS:
  Channel Associated Signaling debugging is on
Call Management:
  Call Management debugging is on
Call-denial module:
  Call-denial debugging is on
Call Treatment:
  Call treatment action debugging is on

Our issue rate is quite high, about 1000 rejections on 5000-6000 calls every day.

Regards,
Andrei

On Tue, Aug 19, 2008 at 4:59 PM, Alex Balashov wrote:
> 
> Is there anything that can be gleaned from either the debug on the SIP side
> or the ISDN (are these PRIs?) side? ("debug isdn q931")
> 
> On Tue, August 19, 2008 8:36 am, a0kunev wrote:
>> Hello
>> 
>> I would like to share the problem we recently got on our network. We have
>> DS3 coming to as5400, that converting PSTN calls to VOIP. We're handling
>> only incoming calls, so the dial-peer config is simple, one voice and one
>> voip provider. Recently we've started receiving complaints from our
>> customers on dead air and drops during their conferences. The issues
>> looked like this - person dialed to the DID and nobody answered during
>> 10-120 seconds, then the call terminated by timeout.
>> 
>> recently we're able to reproduce this, with debug 'call-mgmnt' it's
>> dumping the following on console:
>> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
>> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
>> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
>> Aug 19 11:08:06.478: msg_to_calls_mgmt: msg type CPM_VOICE_CALL_MOD_REJ received
>> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A3(2A7) s3/p85 u1/c7 event 3
>> Aug 19 11:08:06.482: from Trunk(7): Bad CID 2A4(2AB) s3/p86 u1/c6 event 3
>> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A5(2A8) s3/p87 u1/c8 event 3
>> Aug 19 11:08:06.486: from Trunk(7): Bad CID 2A6(2AB) s3/p88 u1/c6 event 3
>> 
>> I've checked with tcpdump cisco do not send anything to IP bridge to
>> establish the call at that time. Telco says they see a lot of rejected
>> calls from our side, but there is nothing on our end (I have not seen yet)
>> 
>> as5400 were recently updated to 12.4(9)T4.
>> 
>> Please advise on how to debug this problem.
>> regards, Andrei
> 
> -- 
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599

From billf at mu.org Tue Aug 19 14:49:43 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 19 Aug 2008 11:49:43 -0700
Subject: [c-nsp] debugging stack corruption
In-Reply-To: <20080819144105.GF18913@rtp-cse-489.cisco.com>
References: <20080818201044.GR29172@elvis.mu.org> <20080819144105.GF18913@rtp-cse-489.cisco.com>
Message-ID: <20080819184943.GU29172@elvis.mu.org>

On Tue, Aug 19, 2008 at 10:41:05AM -0400, Rodney Dunn wrote:
> How are you getting this output?
ssh rtr1 en sh stacks > If you ssh/telnet to it and run the command do you get th esame output? it is not signal noise (serial spew, ip corruption, etc). > That's not stack corruption to me. i'll try and profile the exec process, but i'm not so good w/ profiling and tracing w/o at least symbols. there is also the matter of the 30% solid EXEC process. however, the switch that device is attached to (both in network and by serial via rtr1:aux<>sw1:cons) is exhibiting the same behavior. it could be a feedback loop on the serial connection, but i've tried turning all of that down and still no relief. the jump occurred to both at the same time. it could just be corruption in the display, but the CPU spike is what made me investigate in the first place. -- bill > > rtr1#show stacks > > Minimum process stacks: > > Free/Size Name [...] > > 3360/6000 > > d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P > ,d^[mdd^\^Nld^\ > > dd^[ 4d^[Q > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > > \d^[^Add^[^Q\d^[^QLd^[ > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > > dd^[ > > Ld^[)$d^[#td^[1 > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? > > Dd^[dld^[. 
> ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > > 6856/9000 > > d^\^[Td^[T^Dd^\y^Dd^\^P > ,d^[mdd^\^Nld^\ > > dd^[ 4d^[Q > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[ > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\ > > Minimum process stacks: > > Free/Size Name > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\ > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[ > > \d^[^Add^[^Q\d^[^QLd^[ > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\ > > dd^[ > > Ld^[)$d^[#td^[1 > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[ > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~ > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[? > > Dd^[dld^[. > ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\ > > 10468/12000 HSRP (Standby) > > > > Interrupt level stacks: > > Level Called Unused/Size Name > > 1 2648551315 6280/9000 Network interfaces > > 2 0 9000/9000 DMA/Timer Interrupt > > 3 185107 7472/9000 PA Management Int Handler > > 4 1715750501 8444/9000 Console Uart > > 5 0 9000/9000 OIR/Error Interrupt > > 7 3207930022 8532/9000 NMI Interrupt Handler > > > > Spurious interrupts: 233 > > rtr1# > > > > and on a different router: > > > > rtr1.chi#sh stacks > > Minimum process stacks: > > Free/Size Name > > [....] 
> > 3500/6000
> > 7160/9000 5,<$/jDSw_h 5,< 5,< 5,< 5,< 5,< d(X d(X 5,< 5,< 5,< 5,<
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< d'X 5,<
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,< 5,
> 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,< 5,< 5,< 5,< 5,< 5,
> 5,<#^Qz|#^Qy|#^Qy| 5,<#^Qx|#^Qx| 5,<%Dtx%Dtx%Dtx%Dtx%Dsx%Dsx%Dsx%Dsx 5,<
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,< 5,<%Dsx 5,< 5,< 5,<%Drx 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,<#^Qw|#^Qw|#^Qv| 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,
> 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<#W:x#W9x
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,
> 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > 5,< 5,
> 5316/6000 BGP Accepter

From mathias.spoerr at at.ibm.com  Tue Aug 19 11:45:44 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Tue, 19 Aug 2008 17:45:44 +0200
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu>
	<017d01c901fc$1dcb0300$12140a0a@GINKGO>
	<20080819133540.GA69001@gweep.net>
	<64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: 

> So far all of the software that's been presented will autodiscover devices
> and backup configs and such.  Is there anything around that will actually
> take inventory of a router.  By inventory I mean, list of cards, model
> numbers, serial numbers, pluggable optics, etc.  I've been working on
> scripts to do this and it's become a lot more complicated than I had
> originally planned.  If there's already some software out there that does
> this, I'd love to get my hands on it.
>

wktools will also do this - it first collects all of the needed information
with SSH/Telnet and then parses it.
You will get the S/Ns of the chassis and all modules, power supplies...
"show inventory raw" is not available on all platforms and versions...

Mathias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7943 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From nitzan.tzelniker at gmail.com  Tue Aug 19 17:04:50 2008
From: nitzan.tzelniker at gmail.com (Nitzan Tzelniker)
Date: Wed, 20 Aug 2008 00:04:50 +0300
Subject: [c-nsp] OT: network inventory
In-Reply-To: 
References: <200808190842.42251.lowen@pari.edu>
	<017d01c901fc$1dcb0300$12140a0a@GINKGO>
	<20080819133540.GA69001@gweep.net>
	<64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <6d72a2a10808191404l25d4a977mdf3f7045f8e5de56@mail.gmail.com>

You can also use CISCO-ENTITY-ASSET-MIB and get the output of show inventory
via SNMP, for example

snmptable -M /usr/share/snmp/mibs/ -m ALL -c public -v2c 1.1.1.1 ceAssetTable

The problem is that cisco didn't implement this on all platforms (GSR) and on
some (6500) it looks like they have a bug that doesn't return all the
information.

Nitzan

On Tue, Aug 19, 2008 at 18:45, Mathias Spoerr wrote:

> > So far all of the software that's been presented will autodiscover
> > devices
> > and backup configs and such.  Is there anything around that will
> > actually
> > take inventory of a router.  By inventory I mean, list of cards, model
> > numbers, serial numbers, pluggable optics, etc.  I've been working on
> > scripts to do this and it's become a lot more complicated than I had
> > originally planned.  If there's already some software out there that
> > does
> > this, I'd love to get my hands on it.
> >
>
> wktools will also do this - it first collects all of the needed
> information with SSH/Telnet and then parses it.  You will get the S/Ns of
> the chassis and all modules, power supplies...  "show inventory raw" is not
> available on all platforms and versions...
>
> Mathias
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lambert at lambertfam.org  Tue Aug 19 17:49:43 2008
From: lambert at lambertfam.org (Scott Lambert)
Date: Tue, 19 Aug 2008 16:49:43 -0500
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <48AA45D3.6050701@rollernet.us>
References: <20080818233620.GA28542@sysmon.tcworks.net>
	<48AA45D3.6050701@rollernet.us>
Message-ID: <20080819214943.GA5508@sysmon.tcworks.net>

On Mon, Aug 18, 2008 at 09:02:27PM -0700, Seth Mattinen wrote:
> Scott Lambert wrote:
> > I have a customer who went directly to cisco to ask about how to load
> > balance two WAN connections to their Cisco PIX 515E.  Cisco sold them an
> > ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
> > ASA and 1841s.  Apparently, the customer didn't even mention that the
> > two connections were to the same ISP, me.  The customer just ordered the
> > equipment and said "Make it work."
>
> Whoever sold them on that solution should be the one to make it work. ;)

Wouldn't that be nice though? :-)

I'd like to thank everyone for their replies.  I've learned quite a lot
from them.  I'll be doing more reading and testing with the suggested
methods.  We'll see what happens.  I think I'm going to punt on the load
balancing for now and just get it working in failover mode.

I'll reply back when I know more and can ask intelligent follow-up
questions.

I had a thought on load balancing though, maybe I could hook both 1841s
and the wireless ethernet handoff to a switch and get VRRP working on
that side so that if the T1 router is up, then traffic can use both the
wireless and T1 via whatever method but if the T1 router died, the
wireless only router could take over.

Thank you so much for your help!
I don't feel so much like a fish out of water now.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org

From artur at css.com.br  Tue Aug 19 16:56:33 2008
From: artur at css.com.br (Artur Renato Araujo da Silva)
Date: Tue, 19 Aug 2008 17:56:33 -0300
Subject: [c-nsp] Cisco ASA - Export rules
Message-ID: <48AB3381.2020005@css.com.br>

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?

Tks
Artur

From frnkblk at iname.com  Tue Aug 19 17:59:43 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 19 Aug 2008 16:59:43 -0500
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup
In-Reply-To: <20080819082058.GY288@greenie.muc.de>
References: <20080818233620.GA28542@sysmon.tcworks.net>
	<20080819082058.GY288@greenie.muc.de>
Message-ID: 

If you can do (private) BGP, this document may help:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example0918
6a00800945bf.shtml#conf3

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Tuesday, August 19, 2008 3:21 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff
load balancing/failover setup

Hi,

On Mon, Aug 18, 2008 at 06:36:20PM -0500, Scott Lambert wrote:
> I have a customer who went directly to cisco to ask about how to load
> balance two WAN connections

I see two key issues here:

 - how to load *balance*.
 - how to reliably detect "wireless is down" if there is no end-to-end
   routing possible

The first one is hard - if you have two routers involved, VRRP (or GLBP,
if there is only a single client) will not provide load balancing, but
only failover.  That is: while one of the boxes is working, it will
receive all the traffic from the PIX, and if it breaks, all the traffic
goes to the other box.
One possible approach to do this might be via "manual balancing", as in
"route all the VPN connections over one path, and all the web surfing
over the other path", but that's not overly easy to maintain.

The other approach might be with Cisco OER - let the boxes figure out
what destinations have the most traffic, and balance these flows over
both links.  But that will only work outbound from the customer to you -
from the ISP (you) to the customer, you also need to decide upon the
balancing criteria, if any.

"Just failover" is easy :)

The second part (how to diagnose that the wireless is down) is easier -
you could use a BGP session from the customer router to your edge
router, just sending "customer routes" and "default" back and forth.  If
the wireless mesh breaks, the BGP session will also break, and routing
will fall over to the other link.  (The StarOS routers would need to
know the customer routes statically, but that's not a problem, unless
the customer changes their IP addresses frequently).

If BGP is not an option, you could do it with IP SLA ("ping testing")
and static route tracking ("if it doesn't ping, withdraw the route") on
both ends, but that's less elegant than BGP - and much more
configuration work.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From RTeller at deltadentalwa.com  Tue Aug 19 19:09:31 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 19 Aug 2008 16:09:31 -0700
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <48AB3381.2020005@css.com.br>
References: <48AB3381.2020005@css.com.br>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com>

I use this script to parse my pix acls and export them to an excel file.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Artur Renato
Araujo da Silva
Sent: Tuesday, August 19, 2008 1:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA - Export rules

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?

Tks
Artur
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

#########################################################
The information contained in this e-mail and subsequent attachments may be
privileged, confidential and protected from disclosure.  This transmission
is intended for the sole use of the individual and entity to whom it is
addressed.  If you are not the intended recipient, any dissemination,
distribution or copying is strictly prohibited.  If you think that you have
received this message in error, please e-mail the sender at the above e-mail
address.
#########################################################
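Artur asked for a way to parse the ACLs and export them to HTML rather than a spreadsheet. The following Python script is an added example written for this archive page; it is not Robert's VBScript, not Cisco code, and not part of any post in the thread. It reads the same "show access-list" lines the thread deals with (and, because "line N" and "(hitcnt=N)" are optional in its pattern, plain "access-list ..." lines grepped out of a running-config as well), splits each entry into ACL name, line, action, protocol, source, source port, destination, destination port, hit count and trailing flags, and renders an HTML table. The sample output embedded in the script is constructed for the example and is not from a real firewall; the column layout it assumes (PROTO SRC [SPORT] DST [DPORT] flags) is the common extended-ACE form.

```python
"""Parse Cisco ASA/PIX "show access-list" output and render it as an HTML table.

Added example, not the script posted in this thread.  Assumes the usual
"access-list NAME line N extended permit|deny PROTO SRC [SPORT] DST [DPORT] ..."
layout; running-config lines without "line N" or "(hitcnt=...)" parse too.
"""
import html
import re
from typing import Dict, List, Tuple

# Constructed sample of "show access-list" output; every value is invented.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x2ab4c7e1
access-list outside_in line 1 remark Public web front end <review 2008-08>
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp object-group PARTNERS host 192.0.2.20 range 8080 8081 log warnings interval 600 (hitcnt=7) 0x5e6f7a8b
access-list outside_in line 4 extended deny ip any any log (hitcnt=90210) 0x9c0d1e2f
access-list dmz_in line 1 extended permit udp host 192.0.2.53 eq domain 198.51.100.0 255.255.255.0 inactive (hitcnt=0) 0x3f4a5b6c
"""

COLUMNS = ["acl", "line", "action", "protocol", "source", "src_port",
           "dest", "dst_port", "hits", "flags"]
ADDR_KEYWORDS = {"host", "object-group", "object", "interface"}
PORT_OPS = {"eq", "gt", "lt", "neq"}

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line (?P<line>\d+) )?"
    r"(?:(?:extended|standard|ethertype|webtype) )?"
    r"(?P<action>permit|deny) (?P<rest>.*)$")
REMARK_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line (?P<line>\d+) )?remark (?P<text>.*)$")
HITCNT_RE = re.compile(r"\s+\(hitcnt=(?P<hits>\d+)\)")


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]; return (text, next index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    if t in ADDR_KEYWORDS and i + 1 < len(tokens):    # host X, object-group X, ...
        return f"{t} {tokens[i + 1]}", i + 2
    if ":" in t or "/" in t or i + 1 >= len(tokens):  # IPv6 prefix or lone token
        return t, i + 1
    return f"{t} {tokens[i + 1]}", i + 2                # IPv4 address + netmask


def _take_port(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator (eq/gt/lt/neq X, range A B); 'any' if absent."""
    if i < len(tokens):
        t = tokens[i]
        if t in PORT_OPS and i + 1 < len(tokens):
            return f"{t} {tokens[i + 1]}", i + 2
        if t == "range" and i + 2 < len(tokens):
            return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "any", i


def parse_access_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per ACE or remark; header and summary lines are skipped."""
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            rows.append({**dict.fromkeys(COLUMNS, ""), "acl": m["acl"],
                         "line": m["line"] or "", "action": "remark",
                         "flags": m["text"]})
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        rest, hits = m["rest"], ""
        h = HITCNT_RE.search(rest)
        if h:                       # drop "(hitcnt=N) 0x..." from the token stream
            hits, rest = h["hits"], rest[:h.start()]
        tokens = rest.split()
        proto, i = tokens[0], 1
        if proto == "object-group" and i < len(tokens):   # protocol object group
            proto, i = f"object-group {tokens[i]}", i + 1
        src, i = _take_addr(tokens, i)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        rows.append({"acl": m["acl"], "line": m["line"] or "", "action": m["action"],
                     "protocol": proto, "source": src, "src_port": sport,
                     "dest": dst, "dst_port": dport, "hits": hits,
                     "flags": " ".join(tokens[i:])})   # log ..., inactive, icmp type
    return rows


def render_html(rows: List[Dict[str, str]]) -> str:
    """Render rows as an HTML table.  Every cell is escaped, so remark text and
    object names copied from the device can never become live markup."""
    out = ["<table>",
           "<tr>" + "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS) + "</tr>"]
    for r in rows:
        cls = ' class="deny"' if r["action"] == "deny" else ""
        out.append(f"<tr{cls}>" + "".join(
            f"<td>{html.escape(r[c])}</td>" for c in COLUMNS) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_html(parse_access_list(SAMPLE_OUTPUT)))
```

Two limits worth knowing before pointing this at a real firewall: the parser has no table of object types, so a service object-group that follows the source address is read as the destination (the ASA itself disambiguates from the object-group definitions), and ICMP types simply land in the flags column. The escaping in render_html is not cosmetic: remark text and object names are operator-controlled strings, and a report opened in a browser should never render them as markup.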
From RTeller at deltadentalwa.com  Tue Aug 19 19:18:06 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 19 Aug 2008 16:18:06 -0700
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com>
References: <48AB3381.2020005@css.com.br>
	<06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105A@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0105C@tiger.deltadentalwa.com>

'Created by Robert Teller
WScript.Echo "This script will take a minute or two to run" & vbCrLf & "Please be patient"
Const ForReading = 1

'Looks for CF acl query
WSArg = Wscript.arguments.Count
If WSArg <> 1 Then
    WScript.Echo "Please select a valid source"
    WScript.Quit
End If
PixACL = Wscript.arguments.Item(0)

set ObjExcel = createobject("excel.application")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = FSO.OpenTextFile(PixACL, ForReading)

'Names excel file
EName = Split(WScript.ScriptName, ".")(0) & ".xls"
EName = Replace(WScript.ScriptFullName,WScript.ScriptName,EName)

'Text files for output
OFiles = Split(WScript.ScriptName, ".")(0) & ".xls"

If fso.FileExists(Ename) Then fso.DeleteFile(Ename)

ObjExcel.workbooks.Add
ObjExcel.Worksheets.Add.Name = "Main"
XRules = 0
For Each Sheet In ObjExcel.Worksheets
    If sheet.name <> "Main" Then
        sheet.usedrange.delete
        sheet.delete
    End If
Next
ObjExcel.Worksheets.Add.Name = "Rules"
ObjExcel.Worksheets("Rules").move ObjExcel.Sheets(2)

'Header row of the Rules sheet
Rules "DMZ" ,"Line" ,"Action" ,"Protocol" ,"Source" ,"SrcPort" ,"dest" ,"DstPort" ,"HitC" ,"Inactive" ,"LogLevel" ,"LogInterval"
' ObjExcel.Worksheets("Rules").activate
' ObjExcel.Cells(1,1).value = "DMZ"         'acl_dmzname
' ObjExcel.Cells(1,2).value = "Line #"      'line ###
' ObjExcel.Cells(1,3).value = "Action"      'Permit/deny
' ObjExcel.Cells(1,4).value = "Protocol"    'ICMP/TCP/UDP
' ObjExcel.Cells(1,5).value = "Source"
' ObjExcel.Cells(1,6).value = "Destination"
' ObjExcel.Cells(1,7).value = "Port #"      'http/https.....
' ObjExcel.Cells(1,8).value = "Hit Count"   'hitcnt=...
' ObjExcel.Cells(1,9).value = "Inactive"    'hitcnt=...

'Read the whole "show access-list" capture into one string; the leading
'"access-list " is stripped from the first line so the Split below yields
'one entry per ACE
Do Until objTextFile.AtEndOfStream
    If IsEmpty(text) Then
        Text = objTextFile.Readline
        Text = Replace(Text,"access-list ","")
    Else
        Text = Text & objTextFile.Readline
    End If
Loop
AclArray = Split(text,"access-list ")
x = 1
For Each AccessList In AclArray
    'Make sure the line Is a valid acl
    ACLCheck = Split(AccessList," ")
    If UBound(ACLCheck) > 3 Then
        If ACLCheck(3) <> "remark" Then
            PixParse AccessList
        End If
    End If
Next

Sub PixParse(ACL)
    'Converts object-group to Group
    If InStr(ACL,"object-group") Then ACL = Replace(ACL,"object-group","Group")

    'Checks if ACL is inactive
    If InStr(ACL," inactive ") Then
        Inactive = True
        ACL = Replace(ACL," inactive","")
    End If

    'Format and Remove logging information from variable Item
    If InStrRev(ACL," log ") And InStrRev(ACL," interval ") Then
        'Checks for matching log level
        LoGLevelB = InStr(ACL," log ") + 5
        LoGLevelE = InStr(LogLevelB,ACL, " ")
        LogLevel = Mid(ACL,LogLevelB,LogLevelE - LogLevelB)
        LogIntervalB = InStr(LogLevelE,ACL, " interval ") + 10
        LogIntervalE = InStr(LogIntervalB,ACL, " ")
        LogInterval = Mid(ACL,LogIntervalB, LogIntervalE - LogIntervalB)
        ACL = Replace(ACL," log " & Loglevel & " interval " & logInterval," ")
    End If

    '########### DMZ ###########
    DMZ = InStr(ACL," ")
    DMZ = Left(ACL,DMZ)
    '########### DMZ ###########

    '########### Line ###########
    LineB = InStr(ACL," line ") + 6
    LineE = InStr(LineB,ACL, " ")
    Line = "Line " & Mid(ACL,LineB, LineE - LineB)
    '########### Line ###########

    '########### Action ###########
    If InStr(ACL,"deny") Then
        Action = "Deny"
    ElseIf InStr(ACL,"permit") Then
        Action = "Permit"
    Else
        Action = "Other"
    End If
    '########### Action ###########

    '########### Protocol ###########
    Protocol = Split(ACL," ")(5)
    '########### Protocol ###########

    '########### Src Host ###########
    'Determine if src is Host,Subnet or Any
    SrcHost = Split(ACL," ")(6)
    Select Case SrcHost
        Case "host"
            SourceB = InStr(ACL, " host ") + 6
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Host " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "Group"
            SourceB = InStr(ACL, " Group ") + 7
            SourceE = InStr(SourceB,ACL, " ")
            Source = "Group " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "any"
            Source = "Any"
            SourceE = InStr(ACL,SrcHost) + Len(SrcHost)
        Case Else
            SourceB = InStr(ACL, SrcHost)
            SourceE = InStr(SourceB, ACL, " ") + 1
            SourceE = InStr(SourceE, ACL, " ")
            Source = Mid(ACL, SourceB, SourceE - SourceB)
    End Select
    '########### Src Host ###########

    '########### Src Port ###########
    If Source = "Any" Then
        If Split(ACL," ")(7) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL," ")(7) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") +1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        Else
            SrcPortE = SourceE
            SrcPort = "Any"
        End If
    ElseIf Split(ACL," ")(8) = "eq" Or Split(ACL," ")(8) = "range" Then
        If Split(ACL," ")(8) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL," ")(8) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") +1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL,SrcPortB, SrcPortE - SrcPortB)
        End If
    Else
        SrcPortE = SourceE
        SrcPort = "Any"
    End If
    '########### Src Port ###########

    '########### Dst Host ###########
    'Check if source ports are used
    If SourceE = SrcPortE Then
        'Determine if dst is Host,Subnet or Any
        If Source = "Any" Then
            DstHost = Split(ACL," ")(7)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE,ACL, " host ") + 6
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE,ACL, " Group ") + 7
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE,ACL,DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE,ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        Else 'If Left(Source,4) = "Host" Then
            DstHost = Split(ACL," ")(8)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE,ACL, " host ") + 6
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE,ACL, " Group ") + 7
                    DestE = InStr(DestB,ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE,ACL,DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE,ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        End If
    End If
    If SourceE <> SrcPortE Then
        DestB = InStr(SrcPortE, ACL, " ") + 1
        DestE = InStr(DestB,ACL, " ")
        DstHost = Mid(ACL,DestB, DestE - DestB)
        Select Case DstHost
            Case "host"
                DestB = InStr(DestE,ACL, " ") + 1
                DestE = InStr(DestB,ACL, " ")
                Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "Group"
                DestB = InStr(DestE,ACL, " ") + 1
                DestE = InStr(DestB,ACL, " ")
                Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "any"
                ' If DMZ = "acl_guest " Then
                '     WScript.Echo "DST HOST"
                '     WScript.Echo DestE & vbTab & Len(DstHost)
                '     Test = InStr(DestE,ACL,DstHost)
                '     WScript.Echo Test
                ' End If
                Dest = "Any"
                'DestE = InStr(DestE,ACL,DstHost) + Len(DstHost)
            Case Else
                DestB = InStr(DestE,ACL, DstHost)
                DestE = InStr(DestB, ACL, " ") + 1
                DestE = InStr(DestE, ACL, " ")
                Dest = Mid(ACL, DestB, DestE - DestB)
        End Select
    End If
    '########### Dst Host ###########

    '########### Hit Count ###########
    If InStr(ACL,"(hitcnt=") Then
        HitB = InStr(ACL,"(hitcnt=") + 8
        HitE = InStr(ACL, ")")
        HitC = Mid(ACL,HitB,HitE - HitB)
        HitB = HitB - 8
    Else
        HitB = InStrRev(ACL," ")
        HitC = "N/A"
    End If
    '########### Hit Count ###########

    '########### Dst Port ###########
    'Whatever sits between the destination and "(hitcnt=" is the destination port
    DstPortB = DestE + 1
    DstPortE = HitB
    DstPort = Mid(ACL,DstPortB, DstPortE - DstPortB)
    ' If DMZ = "acl_guest " Then
    '     WScript.Echo DstPortB & vbTab & DstPortE
    ' End If
    If IsEmpty(DstPort) Then DstPort = "Any"
    If IsNull(DstPort) Then DstPort = "Any"
    '########### Dst Port ###########

    'wscript.echo DMZ & vbtab & Line & vbtab & Action & vbtab & Protocol & vbtab & Source & vbtab & SrcPort & vbtab & dest & vbtab & DstPort & vbtab & HitC & vbtab & Inactive & vbtab & LogLevel & vbtab & LogInterval
    Rules DMZ, Line ,Action ,Protocol ,Source ,SrcPort ,dest ,DstPort ,HitC ,Inactive ,LogLevel ,LogInterval

    'Reset the script-level variables before the next ACE
    LogIntervalB = Null
    LogIntervalE = Null
    LogInterval = Null
    LogLevelB = Null
    LogLevelE = Null
    LogLevel = Null
    DMZ = Null
    Action = Null
    Port = Null
    PortB = Null
    PortE = Null
    SrcHost = Null
    SourceB = Null
    SourceE = Null
    Source = Null
    SrcPortB = Null
    SrcPortE = Null
    SrcPort = Null
    DstHost = Null
    DestB = Null
    DestE = Null
    Dest = Null
    DstPortB = Null
    DstPortE = Null
    DstPort = Null
    HitB = Null
    HitE = Null
    HitC = Null
    Inactive = False
End Sub

'Appends one row to the Rules sheet
Sub Rules(DMZ, Line ,Action ,Protocol ,Source ,SrcPort ,dest ,DstPort ,HitC ,Inactive ,LogLevel ,LogInterval)
    XRules = 1 + XRules
    ObjExcel.Worksheets("Rules").activate
    ObjExcel.Cells(XRules,1).value = DMZ          'DMZ Rule is applied to
    ObjExcel.Cells(XRules,2).value = Line         'Line Number
    ObjExcel.Cells(XRules,3).value = Action       'Action
    ObjExcel.Cells(XRules,4).value = Protocol     'Protocol
    ObjExcel.Cells(XRules,5).value = Source       'Source
    ObjExcel.Cells(XRules,6).value = SrcPort      'Source port
    ObjExcel.Cells(XRules,7).value = dest         'Destination
    ObjExcel.Cells(XRules,8).value = DstPort      'Destination Port
    ObjExcel.Cells(XRules,9).value = HitC         'Hit Count
    ObjExcel.Cells(XRules,10).value = Inactive    'status of rule
    ObjExcel.Cells(XRules,11).value = LogLevel    'logging level
    ObjExcel.Cells(XRules,12).value = LogInterval 'Logging Interval
End Sub

finish

'Tidies the sheets, saves the workbook and exits
Sub finish
    objTextFile.Close
    ObjExcel.Worksheets("Main").usedrange.delete
    ObjExcel.Worksheets("Main").delete
    For Each Sheet In ObjExcel.Worksheets
        ObjExcel.Worksheets(Sheet.Name).activate
        ObjExcel.Worksheets(sheet.name).Rows(1).Font.Bold = True
        ObjExcel.Worksheets(sheet.name).Rows(1).AutoFilter
        ObjExcel.Worksheets(sheet.name).Rows(1).HorizontalAlignment = -4108
        ObjExcel.Worksheets(sheet.name).usedrange.EntireColumn.AutoFit()
        ObjExcel.Worksheets(sheet.name).Range("B2").Select
        ObjExcel.ActiveWindow.FreezePanes = True
        ObjExcel.Worksheets(sheet.name).Range("A1").Select
    Next
    ObjExcel.Worksheets("Rules").activate
    ObjExcel.activeworkbook.saveas EName
    ObjExcel.activeworkbook.close
    ObjExcel.Quit
    WScript.Echo "END"
    WScript.Quit
End Sub

#########################################################
The information contained in this e-mail and subsequent attachments may be
privileged, confidential and protected from disclosure.  This transmission
is intended for the sole use of the individual and entity to whom it is
addressed.  If you are not the intended recipient, any dissemination,
distribution or copying is strictly prohibited.  If you think that you have
received this message in error, please e-mail the sender at the above e-mail
address.
#########################################################

From christian at broknrobot.com  Tue Aug 19 19:35:56 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 19 Aug 2008 19:35:56 -0400
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <48AB3381.2020005@css.com.br>
References: <48AB3381.2020005@css.com.br>
Message-ID: 

you could use nipper, which is a config auditor, so it will audit your
security policy and configuration, and you have the options to export to
xml, html, etc ..

http://sourceforge.net/projects/nipper/?abmode=1

On Tue, Aug 19, 2008 at 4:56 PM, Artur Renato Araujo da Silva wrote:

> Hi,
>
> I would like to export the ASA rules to a HTML file (without using ASDM).
>
> Does anyone know a way (script?) to parse the ACLs and export to HTML?
>
>
> Tks
> Artur
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From oliver.gorwits at oucs.ox.ac.uk  Tue Aug 19 20:10:50 2008
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Wed, 20 Aug 2008 01:10:50 +0100
Subject: [c-nsp] OT: network inventory
In-Reply-To: <64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
References: <200808190842.42251.lowen@pari.edu>
	<017d01c901fc$1dcb0300$12140a0a@GINKGO>
	<20080819133540.GA69001@gweep.net>
	<64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <48AB610A.1090009@oucs.ox.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Chip,

chip wrote:
| Is there
| anything around that will actually take inventory of a router.
| By inventory I mean, list of cards, model numbers, serial
| numbers, pluggable optics, etc.

We use Netdisco for network discovery (both for switches/routers, and
connected end stations).  It's written with Perl+Net-SNMP, has a web
front-end, and uses PostgreSQL storage:

~   http://netdisco.org/

(The version in CVS is -much- improved, and will be released RSN)

As for device inventory, the latest Netdisco code does all the
ENTITY-MIB work, and I've been working on graphically representing
that in the web UI:

http://sites.google.com/a/gapps.oxuni.org.uk/oliver/netdisco-frontpanels

Screenshot from above:

http://users.ox.ac.uk/~oliver/data/images/frontpanel/frontpanel_demo_c3750_stack.png

Next step is to generate SVG as an alternative to the vendor images.

I hope that helps, and provides ideas for your own scripts,

regards,
oliver.
- -- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIq2EK2NPq7pwWBt4RAlQQAJ9iBrUgYoe9rckwZ61+CDArkmqAdwCg5bbO
v2WhKVmWnK2WX/qFtSy7xHU=
=+vRH
-----END PGP SIGNATURE-----

From stig.johansen at ementor.no  Tue Aug 19 21:02:31 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 20 Aug 2008 03:02:31 +0200
Subject: [c-nsp] OT: network inventory
References: <200808190842.42251.lowen@pari.edu>
	<017d01c901fc$1dcb0300$12140a0a@GINKGO>
	<20080819133540.GA69001@gweep.net>
	<64a8ad980808190656p5eab85bp1dd9324cb180c829@mail.gmail.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50360ADEB@100NOOSLMSG004.common.alpharoot.net>

Check out NAV (Network Administration Visualized) at
http://metanav.uninett.no/ as well.  It gives full inventory of all
devices as well as a load of other useful features..

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chip
Sent: 19 August 2008 15:57
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: network inventory

So far all of the software that's been presented will autodiscover devices
and backup configs and such.  Is there anything around that will actually
take inventory of a router.  By inventory I mean, list of cards, model
numbers, serial numbers, pluggable optics, etc.  I've been working on
scripts to do this and it's become a lot more complicated than I had
originally planned.  If there's already some software out there that does
this, I'd love to get my hands on it.

--chip

-- 
Just my $.02, your mileage may vary,  batteries not included, etc....
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From andy.saykao at staff.netspace.net.au  Tue Aug 19 21:19:43 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 20 Aug 2008 11:19:43 +1000
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>

Just wondering from those in the know, whether it's best practice to
implement public or private IP's for the PE-to-CE link.  What's everyone
using and why?

For our MPLS network, I've been asked by my Manager to use private IP's
for the PE-CE link in order to give the customer the appearance that
they are on a secure PRIVATE network due to private IP's being used.
Although I tend to be more fond of using public IP's because it's a
unique address space so you don't have to worry about overlapping IP
addresses on the customer's end and secondly there's no configuration
from the Service Provider's end should you need to remove the connection
from the VRF to conduct further testing from the Internet because the
connection is already using public IP's (eg: for cases where the
customer is complaining of slow speeds, packet loss, drop outs, etc and
you want to test the individual connection and bypass their VPN).

Thanks.

Andy

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system.  Please note that
any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses.
The organisation accepts no liability for any damage caused by any virus
transmitted by this email.

From christian at broknrobot.com  Tue Aug 19 21:41:09 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 19 Aug 2008 21:41:09 -0400
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: 

a 64bit route distinguisher and the 32bit ip address are used to
create vpnv4 address, which specifically solves the overlap problem

On Tue, Aug 19, 2008 at 9:19 PM, Andy Saykao wrote:

> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link.  What's everyone
> using and why?
>
> For our MPLS network, I've been asked by my Manager to use private IP's
> for the PE-CE link in order to give the customer the appearance that
> they are on a secure PRIVATE network due to private IP's being used.
> Although I tend to be more fond of using public IP's because it's a
> unique address space so you don't have to worry about overlapping IP
> addresses on the customer's end and secondly there's no configuration
> from the Service Provider's end should you need to remove the connection
> from the VRF to conduct further testing from the Internet because the
> connection is already using public IP's (eg: for cases where the
> customer is complaining of slow speeds, packet loss, drop outs, etc and
> you want to test the individual connection and bypass their VPN).
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received this
> email by mistake and delete this email from your system.
> Please note that
> any views or opinions presented in this email are solely those of the
> author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses.  The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From cchurc05 at harris.com  Tue Aug 19 21:44:48 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 19 Aug 2008 20:44:48 -0500
Subject: [c-nsp] Cisco ASA - Export rules
In-Reply-To: <48AB3381.2020005@css.com.br>
References: <48AB3381.2020005@css.com.br>
Message-ID: 

In ASDM, there is a button under file called "Show running configuration
in a new window".  That opens up a browser window with a URL something
like:

https://X.Y.Z.6/admin/exec/show%20running-config/show%20running-config%2
0asdm#

that shows the whole running config.  Probably nothing you couldn't get
from an ssh session or expect script.  Use Grep or find on "access-list"
and that should be it.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Artur Renato
Araujo da Silva
Sent: Tuesday, August 19, 2008 4:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA - Export rules

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?
Tks
Artur
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sforcejr at yahoo.com  Tue Aug 19 22:10:23 2008
From: sforcejr at yahoo.com (Johnny Ramirez)
Date: Tue, 19 Aug 2008 19:10:23 -0700 (PDT)
Subject: [c-nsp] Unable to connect VLAN traffic
Message-ID: <847346.12746.qm@web50511.mail.re2.yahoo.com>

We have layer 2 connectivity from our main office to an offsite facility
where our servers reside.  We are connected via fiber but is not a
dedicated circuit.

Recently I created a VLAN with same ID on both switches (main office and
Offsite facility).  I trunked the port on both ends but no traffic passes
on this VLAN.  Obviously only VLAN 1 works.  According to a consultant the
provider of the fiber connection needs to turn "something" on for us to be
able to pass VLAN traffic other than VLAN 1's.  What would be that
"something", he does not even know it himself.

Can anybody shed any light on this?  We are urgently needing to have a
separate VLAN for our VOIP traffic.

Thanks

John

From dwinkworth at att.net  Tue Aug 19 22:35:15 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 19 Aug 2008 21:35:15 -0500
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <847346.12746.qm@web50511.mail.re2.yahoo.com>
References: <847346.12746.qm@web50511.mail.re2.yahoo.com>
Message-ID: <48AB82E3.9070606@att.net>

Q-in-Q

Johnny Ramirez wrote:
> We have layer 2 connectivity from our main office to an offsite facility
> where our servers reside.  We are connected via fiber but is not a
> dedicated circuit.
>
> Recently I created a VLAN with same ID on both switches (main office and
> Offsite facility).  I trunked the port on both ends but no traffic passes
> on this VLAN.  Obviously only VLAN 1 works.
> According to a consultant the provider of the fiber connection needs to
> turn "something" on for us to be able to pass VLAN traffic other than
> VLAN 1's. What would be that "something"? He does not even know it himself.

From justin at justinshore.com Tue Aug 19 22:41:07 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 19 Aug 2008 21:41:07 -0500
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <847346.12746.qm@web50511.mail.re2.yahoo.com>
References: <847346.12746.qm@web50511.mail.re2.yahoo.com>
Message-ID: <48AB8443.5070300@justinshore.com>

Johnny Ramirez wrote:
> According to a consultant the provider of the fiber connection needs to
> turn "something" on for us to be able to pass VLAN traffic other than
> VLAN 1's. What would be that "something"? He does not even know it himself.

John,

Basically what this amounts to is that your transport provider is only accepting untagged Ethernet frames and thus only the one VLAN you previously used on your access interface.
You need the provider to accept tagged Ethernet frames so that tagged frames from each of your VLANs will be accepted for transport. The provider may either dictate to you what VLAN IDs you must use, or they may use Q-in-Q (aka VLAN stacking) to assign their own tag in front of your tags. This would give you the most flexibility and will keep you from having to work with them to allow future VLANs across the trunk.

Justin

From josmon at rigozsaurus.com Tue Aug 19 22:59:03 2008
From: josmon at rigozsaurus.com (John Osmon)
Date: Tue, 19 Aug 2008 20:59:03 -0600
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20080820025903.GA14373@jeeves.rigozsaurus.com>

On Tue, Aug 19, 2008 at 09:41:09PM -0400, Christian Koch wrote:
> a 64bit route distinguisher and the 32bit ip address are used to
> create vpnv4 address, which specifically solves the overlap problem

I don't think the overlap is the real issue:

> > Although I tend to be more fond of using public IP's because it's a
> > unique address space so you don't have to worry about overlapping IP
> > addresses on the customer's end and secondly there's no configuration
> > from the Service Provider's end should you need to remove the connection
> > from the VRF to conduct further testing from the Internet because the
> > connection is already using public IP's

Using a non-RFC1918 address means you have a guaranteed unique identifier for the interface. The non-overlap issue is a side effect of having a unique identifier.

From swmike at swm.pp.se Tue Aug 19 23:49:28 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 20 Aug 2008 05:49:28 +0200 (CEST)
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

On Wed, 20 Aug 2008, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?

Best practice is to use public IP for the PE-CE link and then you admin the CE using that address. If you have a serial interface you can do this with a /32 routed towards the physical interface and use unnumbered/loopback, otherwise you have to use /30 or /31.

Using RFC1918 space creates huge potential of overlaps with customers, and a nightmare for management if you want your CE range to be unique per VPN. How are you going to reach your CEs via SNMP etc?

--
Mikael Abrahamsson email: swmike at swm.pp.se

From sforcejr at yahoo.com Tue Aug 19 23:54:43 2008
From: sforcejr at yahoo.com (Johnny Ramirez)
Date: Tue, 19 Aug 2008 20:54:43 -0700 (PDT)
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <48AB8443.5070300@justinshore.com>
Message-ID: <149656.10920.qm@web50503.mail.re2.yahoo.com>

Justin,

I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them.

Thanks

John

--- On Tue, 8/19/08, Justin Shore wrote:
> The provider may either dictate to you what VLAN IDs you must use. They
> may use Q-in-Q (aka VLAN stacking) to assign their own tag in front of
> your tags.

From ryanclambert at gmail.com Wed Aug 20 00:25:07 2008
From: ryanclambert at gmail.com (Ryan Lambert)
Date: Wed, 20 Aug 2008 00:25:07 -0400
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <149656.10920.qm@web50503.mail.re2.yahoo.com>
References: <48AB8443.5070300@justinshore.com> <149656.10920.qm@web50503.mail.re2.yahoo.com>
Message-ID: <000301c9027c$bfe4e860$3faeb920$@com>

Johnny,

I think the better solution, if your provider can accommodate it, is to do Q-in-Q instead of having to dictate what tags you can use. This allows you, as Justin mentioned, to use your own tags across the circuit instead of having to coordinate with them every time you need to add another VLAN, or change something.

-Ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Johnny Ramirez
Sent: Tuesday, August 19, 2008 11:55 PM
To: Justin Shore
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Unable to connect VLAN traffic

Justin,

I appreciate your well explained answer.
So basically they would tell me what VLANs I should use for me to match them.
From justin at justinshore.com Wed Aug 20 00:44:21 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 19 Aug 2008 23:44:21 -0500
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <149656.10920.qm@web50503.mail.re2.yahoo.com>
References: <149656.10920.qm@web50503.mail.re2.yahoo.com>
Message-ID: <48ABA125.5050404@justinshore.com>

Johnny Ramirez wrote:
>
> Justin,
>
> I appreciate your well explained answer. So basically they would tell me
> what VLANs I should use for me to match them.

That's one possibility. Hopefully your SP has progressed beyond that point though and supports Q-in-Q. It scales much better than integrating customer VLAN IDs with the SP's VLAN IDs. With Q-in-Q they'll internally assign a VLAN ID to your access interface and will prepend that VLAN tag to whatever VLAN tags you hand them on your trunk port. They'll switch that double-stacked Ethernet frame across their SP backbone to your other remote access interface. That's of course an assumption based on what you wrote about shared fiber. It's possible they're doing some sort of EoMPLS but the access edge will still likely be Q-in-Q to stuff multiple VLANs into an EoMPLS VC.

HTH
Justin

From abalashov at evaristesys.com Wed Aug 20 00:48:29 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 20 Aug 2008 00:48:29 -0400
Subject: [c-nsp] VLAN ID limit?
Message-ID: <48ABA21D.3060900@evaristesys.com>

For some reason, my Catalyst 2900 series (WS-C2924-XL) does not like VLAN IDs higher than 1005:

sw01(config)#switchport trunk allowed vlan add 1202
Command rejected: Bad VLAN list - character #5 (EOL) delimits a VLAN number (1202) out of the range 1 to 1005.
This is with a trunking interface:

interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,100,1002-1005
 switchport mode trunk

IOS is 12.0(5)WC8 (C2900XL-C3H2S-M).

I'm pretty sure this has already been asked a thousand times, but how do I get around this issue so I can get support for the extended VLAN IDs up to 4096?

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From agristina+cisco-nsp at gmail.com Wed Aug 20 00:54:11 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Tue, 19 Aug 2008 21:54:11 -0700
Subject: [c-nsp] VLAN ID limit?
In-Reply-To: <48ABA21D.3060900@evaristesys.com>
References: <48ABA21D.3060900@evaristesys.com>
Message-ID: <70bb1b8f0808192154n50c24b01pfa36a60fd3028e67@mail.gmail.com>

Are you in transparent vtp mode?

On Tue, Aug 19, 2008 at 9:48 PM, Alex Balashov wrote:
From cphillips at wbsconnect.com Wed Aug 20 00:55:05 2008
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Tue, 19 Aug 2008 21:55:05 -0700
Subject: [c-nsp] VLAN ID limit?
In-Reply-To: <48ABA21D.3060900@evaristesys.com>
References: <48ABA21D.3060900@evaristesys.com>
Message-ID: <48ABA3A9.8080007@wbsconnect.com>

Alex,

You don't get around it on the 2924. You will need to upgrade to the 2950G-24-EI.

They're not much more than the 2924.

Good luck.

Alex Balashov wrote:
> I'm pretty sure this has already been asked a thousand times, but how do
> I get around this issue so I can get support for the extended VLAN IDs
> up to 4096?

From abalashov at evaristesys.com Wed Aug 20 00:53:35 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 20 Aug 2008 00:53:35 -0400
Subject: [c-nsp] VLAN ID limit?
In-Reply-To: <70bb1b8f0808192154n50c24b01pfa36a60fd3028e67@mail.gmail.com>
References: <48ABA21D.3060900@evaristesys.com> <70bb1b8f0808192154n50c24b01pfa36a60fd3028e67@mail.gmail.com>
Message-ID: <48ABA34F.3010309@evaristesys.com>

Andrew Gristina wrote:
> Are you in transparent vtp mode?

The switch is set to VTP server, but there is no VTP config file, no domain set, and pruning, V2 and all the other stuff is turned off. I am assuming that means VTP is dormant somehow, since I have no wish to use it with the upstream provider's switch.

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From abalashov at evaristesys.com Wed Aug 20 00:54:21 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 20 Aug 2008 00:54:21 -0400
Subject: [c-nsp] VLAN ID limit?
In-Reply-To: <48ABA3A9.8080007@wbsconnect.com>
References: <48ABA21D.3060900@evaristesys.com> <48ABA3A9.8080007@wbsconnect.com>
Message-ID: <48ABA37D.8020400@evaristesys.com>

Damn.

Are you absolutely sure there is no IOS upgrade for the existing switch that can fix this?

Chris Phillips wrote:
> Alex,
>
> You don't get around it on the 2924. You will need to upgrade to the
> 2950G-24-EI.
>
> They're not much more than the 2924.
>
> Good luck.
>
> Alex Balashov wrote:
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From cphillips at wbsconnect.com Wed Aug 20 01:09:18 2008
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Tue, 19 Aug 2008 22:09:18 -0700
Subject: [c-nsp] VLAN ID limit?
In-Reply-To: <48ABA37D.8020400@evaristesys.com>
References: <48ABA21D.3060900@evaristesys.com> <48ABA3A9.8080007@wbsconnect.com> <48ABA37D.8020400@evaristesys.com>
Message-ID: <48ABA6FE.2070505@wbsconnect.com>

The last time I checked 12.0(WC17) or something like that, it was not possible. WC17 came out in mid-2007 if I recall correctly. I don't think that Cisco is going to support anything > 1005 on the XL series switches ever. Their goal is to keep you buying new gear, and if they just keep adding features to the odd stuff, who needs new gear.

Anyway, there are several other improvements that the 2950Gs have over the XLs, that make it much more appealing. Here's a few:

they run 12.1 instead of 12.0
ssh support
"do" support
don't have to use the "vlan database" to create VLANs
etc...

Like I said before, they're dirt cheap and very much worth the slight price increase.

Alex Balashov wrote:
> Damn.
>
> Are you absolutely sure there is no IOS upgrade for the existing switch
> that can fix this?
>
> Chris Phillips wrote:
>
>> Alex,
>>
>> You don't get around it on the 2924. You will need to upgrade to the
>> 2950G-24-EI.
>>
>> They're not much more than the 2924.
>>
>> Good luck.
From gkuri at csupomona.edu Wed Aug 20 00:59:22 2008
From: gkuri at csupomona.edu (Gabriel Kuri)
Date: Tue, 19 Aug 2008 21:59:22 -0700
Subject: [c-nsp] VLAN ID limit?
References: <48ABA21D.3060900@evaristesys.com>
Message-ID: <844F0905D254C449AF0FCCA2BB63651103F9F79A@EX01.win.csupomona.edu>

afaik, the 2900XL and 3500XL series switches do not support extended range VLANs, you'll need to upgrade your switch, sorry ...

http://supportwiki.cisco.com/ViewWiki/index.php/The_Cisco_Catalyst_switch_does_not_permit_the_creation_of_extended-range_VLANs_in_the_VLAN_database_mode

-----
Gabriel Kuri | Sr. Network Engineer
Instructional and Information Technology Division
California State Polytechnic University, Pomona
http://www.csupomona.edu/~iit | +1 909 979 6363

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of Alex Balashov
Sent: Tue 8/19/2008 9:48 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VLAN ID limit?
From dgranzer at gmail.com Wed Aug 20 04:13:44 2008
From: dgranzer at gmail.com (David Granzer)
Date: Wed, 20 Aug 2008 10:13:44 +0200
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <844ef89c0808200113n15952017s306a3938f8702ae5@mail.gmail.com>

Hello Andy,

I'm not sure if there exists something like a best practice for using private or public IP's between PE and CE. I think it depends more on your own design and what you want to use.

You can use private IP's and 'save' your public IP space, but then you may find a case (maybe) where you overlap with private IP's used in the customer network.

I guess that public IP's have the same security in an MPLS VPN environment because they are not accessible from the global routing table, so they don't exist for the public internet.

Regards,
David

On 8/20/08, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?
> For our MPLS network, I've been asked by my Manager to use private IP's
> for the PE-CE link in order to give the customer the appearance that
> they are on a secure PRIVATE network due to private IP's being used.
> Although I tend to be more fond of using public IP's because it's a
> unique address space so you don't have to worry about overlapping IP
> addresses on the customer's end and secondly there's no configuration
> from the Service Provider's end should you need to remove the connection
> from the VRF to conduct further testing from the Internet because the
> connection is already using public IP's (eg: for cases where the
> customer is complaining of slow speeds, packet loss, drop outs, etc and
> you want to test the individual connection and bypass their VPN).
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received this
> email by mistake and delete this email from your system. Please note that
> any views or opinions presented in this email are solely those of the
> author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.

From tim at pelican.org Wed Aug 20 04:46:24 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 20 Aug 2008 09:46:24 +0100 (BST)
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <844ef89c0808200113n15952017s306a3938f8702ae5@mail.gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <844ef89c0808200113n15952017s306a3938f8702ae5@mail.gmail.com>
Message-ID: <5ae0a275e024d20600ea67061f3c8040.squirrel@webmail.pelican.org>

On Wed, August 20, 2008 9:13 am, David Granzer wrote:
> You can use private IP's and 'save' your public IP space, but then you
> can find case (maybe) when you will overlap with private IP's used in
> customer network.

Assuming you want to manage the CE in any way, this *will* bite you. In a previous life, I've spent a lot of time and pain, both engineering-wise and customer-facing, trying to dance around this conflict after making an initial misguided decision to use private addressing for PE-CE links (and CE loopbacks, in this particular case).

This time around, the MPLS VPN product I'm working on is using public address space for everything. Unique public addresses for the management loopbacks, and unique-within-a-VPN addresses for the WAN links, the latter saving space by re-using the same WAN address block over and over again for different customers.

Regards,
Tim.

From oboehmer at cisco.com Wed Aug 20 05:49:59 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 20 Aug 2008 11:49:59 +0200
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <844ef89c0808200113n15952017s306a3938f8702ae5@mail.gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <844ef89c0808200113n15952017s306a3938f8702ae5@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E708A3@xmb-ams-333.emea.cisco.com>

There was actually an attempt to allocate a specific address block for this purpose (which would be private like 1918-space), but this never got anywhere.. Take a look at http://tools.ietf.org/html/draft-guichard-pe-ce-addr-03 for a discussion about possible options..
oli

David Granzer <> wrote on Wednesday, August 20, 2008 10:14 AM:
> I guess that public IP's have the same security in MPLS VPN enviroment
> because they are not accessible from the global routing table, so
> they don't exist for public internet.
From sforcejr at yahoo.com Wed Aug 20 07:23:37 2008
From: sforcejr at yahoo.com (Johnny Ramirez)
Date: Wed, 20 Aug 2008 04:23:37 -0700 (PDT)
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <000301c9027c$bfe4e860$3faeb920$@com>
Message-ID: <952151.30623.qm@web50509.mail.re2.yahoo.com>

Thanks Ryan for clarifying what Justin said. I get it now. I hope they can accommodate that.

Johnny

--- On Tue, 8/19/08, Ryan Lambert wrote:
> I think the better solution if your provider can accommodate, is to do Q-in-Q
> instead of having to dictate what tags you can use.
-Ryan
From rubensk at gmail.com Wed Aug 20 08:19:55 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 20 Aug 2008 09:19:55 -0300
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <6bb5f5b10808200519m183697fcmc9219e3ba8b22ee4@mail.gmail.com>

If you have two virtual channels on the PE-CE link, one can be used for management and belong to the "Management" VRF, while the other belongs to the customer VRF. It's easier to do this when the connection is Ethernet, where a virtual channel is a VLAN.

In the TDM world, running frame-relay encapsulation might do the trick. On ATM, VPI/VCI.

Rubens

On Tue, Aug 19, 2008 at 10:19 PM, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to
> implement public or private IP's for the PE-to-CE link. What's everyone
> using and why?
> Although I tend to be more fond of using public IP's because it's a > unique address space so you don't have to worry about overlapping IP > addresses on the customer's end and secondly there's no configuration > from the Service Provider's end should you need to remove the connection > from the VRF to conduct further testing from the Internet becuse the > connection is already using public IP's (eg: for cases where the > customer is complaining of slow speeds, packet loss, drop outs, etc and > you want to test the individual connection and bypass their VPN). > > Thanks. > > Andy > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > Please notify the sender immediately by email if you have received this > email by mistake and delete this email from your system. Please note that > any views or opinions presented in this email are solely those of the > author and do not necessarily represent those of the organisation. > Finally, the recipient should check this email and any attachments for > the presence of viruses. The organisation accepts no liability for any > damage caused by any virus transmitted by this email. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tim at pelican.org Wed Aug 20 08:33:38 2008 From: tim at pelican.org (Tim Franklin) Date: Wed, 20 Aug 2008 13:33:38 +0100 (BST) Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP? In-Reply-To: <6bb5f5b10808200519m183697fcmc9219e3ba8b22ee4@mail.gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <6bb5f5b10808200519m183697fcmc9219e3ba8b22ee4@mail.gmail.com> Message-ID: On Wed, August 20, 2008 1:19 pm, Rubens Kuhl Jr. 
wrote: > If you have 2 two virtual channels on the PE-CE link, one can be used > for management and belong to the "Management" VRF, while the other > belongs to the customer VRF. It's easier to do this when the > connection is Ethernet, where a virtual channel is a VLAN. > > On TDM world, running frame-relay encapsulation might do the trick. On > ATM, VPI/VCI. Nice if that's *all* you sell. On DSL, especially wholesale, it's close to impossible to get two PVCs to the same site, and all bets are off. Regards, Tim. From lowen at pari.edu Wed Aug 20 09:04:23 2008 From: lowen at pari.edu (Lamar Owen) Date: Wed, 20 Aug 2008 09:04:23 -0400 Subject: [c-nsp] OT: network inventory In-Reply-To: <6d72a2a10808191404l25d4a977mdf3f7045f8e5de56@mail.gmail.com> References: Message-ID: <200808200904.23632.lowen@pari.edu> On Tuesday 19 August 2008 17:04:50 Nitzan Tzelniker wrote: > You can also use CISCO-ENTITY-ASSET-MIB and get the output of show > inventory via SNMP for example > The problem is that cisco didn't implement this on all platforms (GSR ) and > on some (6500) it looks like they have a bug that dont return all the > information. How I found the raw option to show inventory was because on our 7401ASR's a straight show inventory doesn't get the PA in the slot; but show inventory raw does. What's odd is that our 12012 here does support the exec mode sh inv raw command just fine; haven't tried the SNMP version. Don't have a 6500 to try with. Of course, CatOS has show module; but the RSM doesn't have show inventory. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu From maillist at webjogger.net Wed Aug 20 09:18:25 2008 From: maillist at webjogger.net (Adam Greene) Date: Wed, 20 Aug 2008 09:18:25 -0400 Subject: [c-nsp] OT: network inventory References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> Message-ID: <018901c902c7$3a5c6150$12140a0a@GINKGO> OK, great thanks. 
I think we will give rancid a whirl. I assume that I'll be able to tftp whatever config file rancid creates back into a new device should we experience a hardware failure. Thanks again Adam ----- Original Message ----- From: "Jon Lewis" To: "Adam Greene" Cc: Sent: Tuesday, August 19, 2008 9:32 AM Subject: Re: [c-nsp] OT: network inventory > On Tue, 19 Aug 2008, Adam Greene wrote: > >> Besides documenting config changes, can rancid perform a tftp backup of >> router / switch startup configs, or integrate with some other software to >> pull down the config file if a change is detected? > > It doesn't use tftp for it, but rancid does backup your configs and put > them into CVS so you can see when a change was made, compare configs from > different times, etc. It also stores the latest versions of the configs > as flat files, so you can easily do some scripting to do things like find > all routers of a certain type, make a list of router names and the > software versions they're running, etc. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > > From rodunn at cisco.com Wed Aug 20 09:34:10 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 20 Aug 2008 09:34:10 -0400 Subject: [c-nsp] debugging stack corruption In-Reply-To: <20080819184943.GU29172@elvis.mu.org> References: <20080818201044.GR29172@elvis.mu.org> <20080819144105.GF18913@rtp-cse-489.cisco.com> <20080819184943.GU29172@elvis.mu.org> Message-ID: <20080820133410.GA29893@rtp-cse-489.cisco.com> If you pull that cable on the aux/console do you still see the saem thing? On Tue, Aug 19, 2008 at 11:49:43AM -0700, bill fumerola wrote: > On Tue, Aug 19, 2008 at 10:41:05AM -0400, Rodney Dunn wrote: > > How are you getting this output? 
>
> ssh rtr1
> en
> sh stacks
>
> > If you ssh/telnet to it and run the command do you get the same output?
>
> it is not signal noise (serial spew, ip corruption, etc).
>
> > That's not stack corruption to me.
>
> i'll try and profile the exec process, but i'm not so good w/ profiling and tracing w/o at least symbols.
>
> there is also the matter of the 30% solid EXEC process. however, the switch that device is attached to (both in network and by serial via rtr1:aux<>sw1:cons) is exhibiting the same behavior. it could be a feedback loop on the serial connection, but i've tried turning all of that down and still no relief. the jump occurred to both at the same time.
>
> it could just be corruption in the display, but the CPU spike is what made me investigate in the first place.
>
> -- bill
>
> > > rtr1#show stacks
> > > Minimum process stacks:
> > > Free/Size Name
> [...]
> > > 3360/6000
> > > d^\ytd^[^P^Ld^\zTd^[`Dd^[I$d^\^[Td^[T^Dd^\y^Dd^\^P
> > ,d^[mdd^\^Nld^\
> > > dd^[ 4d^[Q
> > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m
> > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[
> > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\
> > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\
> > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[
> > > \d^[^Add^[^Q\d^[^QLd^[
> > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D
> > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D
> > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\
> > > dd^[
> > > Ld^[)$d^[#td^[1
> > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[
> > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M
> > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~
> > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[?
> > > > Dd^[dld^[.
> > ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\
> > > 6856/9000
> > > d^\^[Td^[T^Dd^\y^Dd^\^P
> > ,d^[mdd^\^Nld^\
> > > dd^[ 4d^[Q
> > 4d^[1^Dd^[`Td^[{td^[^E^\d^[m
> > ,d^\^ALd^[jTd^[pLd^[|^\d^[~td^[^D,d^[RDd^ld^[x$d^[^^Dd^[ptd^[^Bld^[^QLd^[^Q\d^[
> > > ld^[zdd^\,$d^[ttd^[^Vdd^[iLd^[^X\d^[)4d^\34d^[v$d^[^VTd^\^Ptd^^\d^[{Dd^[R|d^\^Q^\d^[`^Ld^[]^Ld^\
> > > Minimum process stacks:
> > > Free/Size Name
> > > ,d^[^R^Dd^[^Fld^[\d^[b^Td^[^LDd^\^P^Dd^[^B4d^[^NLd^[^Y,d^[^Kdd^\
> > > ^\d^\^CDd^[s^Td^[^A^\d^[U,d^[j,d^[~^Dd^\^QDd^[Jtd^[~Ld^[|^Td^[,Dd^^\d^[rld^[R|d^[{Dd^[
> > > \d^[^Add^[^Q\d^[^QLd^[
> > > ld^[ttd^[zdd^\,$d^[^Vdd^[)4d^\34d^[wLd^[m,d^[^Z|d^[\,d^[g|d^[y|d^[^D
> > ld^[^Bld^[RDd^[ptd^[^Q$d^[v4d^\^Ptd^[^VTd^[7$d^\1td^[P$d^[uTd^[^VTd^[zdd^[7$d^[z,d^[z^\d^[ytd^[@Td^[<^Dd^\,$d^\+Dd^\,4d^[^D
> > $d^[YTd^\^L^Dd^[1^Dd^[^O^\d^[^PDd^[^L^\d^\
> > > dd^[
> > > Ld^[)$d^[#td^[1
> > 4d^[^BDd^[yLd^[+,d^[^E^\d^\^S^Dd^[
> > > 4d^[y^Td^[^WDd^[l\d^[Y|d^\1^Dd^\0$d^\/Dd^\1dd^[{^Dd^[^SDd^[^LTd^[|^\d^[H4d^[pLd^[M
> > ,d^[xTd^[r4d^[u^\d^[n^Ld^[rDd^[p^Td^[{td^[~
> > ,d^[}$d^[}^Dd^[P\d^[w|d^[mtd^[O4d^[{ld^[x\d^[?
> > > > Dd^[dld^[.
> > ^Dd^Ld^$d^[,d^[dd^[^\d^[Td^\
> > > 10468/12000 HSRP (Standby)
> > >
> > > Interrupt level stacks:
> > > Level Called Unused/Size Name
> > > 1 2648551315 6280/9000 Network interfaces
> > > 2 0 9000/9000 DMA/Timer Interrupt
> > > 3 185107 7472/9000 PA Management Int Handler
> > > 4 1715750501 8444/9000 Console Uart
> > > 5 0 9000/9000 OIR/Error Interrupt
> > > 7 3207930022 8532/9000 NMI Interrupt Handler
> > >
> > > Spurious interrupts: 233
> > > rtr1#
> > >
> > > and on a different router:
> > >
> > > rtr1.chi#sh stacks
> > > Minimum process stacks:
> > > Free/Size Name
> > > [....]
> > > 3500/6000
> > > 7160/9000 5,<$/jDSw_h 5,< 5,< 5,< 5,< 5,< d(X d(X 5,< 5,< 5,< 5,<
> > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< d'X 5,<
> > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,< 5,
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,
> > 5,<#^Qz|#^Qy|#^Qy| 5,<#^Qx|#^Qx| 5,<%Dtx%Dtx%Dtx%Dtx%Dsx%Dsx%Dsx%Dsx 5,<
> > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,< 5,<%Dsx 5,< 5,< 5,<%Drx 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,<#^Qw|#^Qw|#^Qv| 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<#W:x#W9x
> > > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,
> > 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,< 5,<
> > > 5,< 5,
> > 5316/6000 BGP Accepter

From dale.shaw+cisco-nsp at gmail.com Wed Aug 20 09:57:59 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 20 Aug 2008 06:57:59 -0700
Subject: [c-nsp] OT: network inventory
In-Reply-To: <018901c902c7$3a5c6150$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <018901c902c7$3a5c6150$12140a0a@GINKGO>
Message-ID: <3329cbb40808200657u381651fbm1af6a3b8edd25f4a@mail.gmail.com>

Hi,

On 8/20/08, Adam Greene wrote:
> OK, great thanks. I think we will give rancid a whirl. I assume that I'll be able to tftp whatever config file rancid creates back into a new device should we experience a hardware failure.

Yep, just make sure you turn off the feature that masks out passwords and SNMP community strings, or re-enter them before TFTP'ing. RANCID throws a whole bunch of other inventory info in with the config, but IIRC it's all commented out with !'s, so the device will ignore it.
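Dale's two points (the collector masks passwords and SNMP communities, and its inventory notes ride along as `!` comments the device ignores) are worth seeing on a concrete config. What follows is an editor's example added to the archive; it is not rancid's code and not from anyone on the list. The masking rules are this example's own approximation of what such a collector strips, and the sample configuration, including every password string and community in it, is constructed.

```python
"""Mask secrets in an IOS configuration the way a rancid-style collector does,
and report what an operator must re-enter before restoring it.

Added example, not code from rancid or from the thread. The patterns below
are this example's own approximation of the lines rancid masks (enable
secrets/passwords, user passwords, SNMP communities, AAA server keys); the
sample configuration and its password strings are constructed, not real.
"""
import re

# (pattern, replacement): the keyword and any encoding type are kept, the
# secret itself is replaced so the line is visibly incomplete on restore.
MASK_RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)?) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) \S+"),
     r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*(?:tacacs-server|radius-server) key(?: \d)?) \S+"), r"\1 <removed>"),
]
PLACEHOLDER = "<removed>"

# Constructed sample; the hash, type-7 strings and community are placeholders.
SAMPLE_CONFIG = """\
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 7206VXR - a 7206VXR router
!Image: Software: C7200-JS-M, Version 12.4(15)T1
!
hostname edge1
!
enable secret 5 $1$XXXX$placeholderhashvalue
enable password 7 0000DEADBEEF
!
username admin privilege 15 password 7 0000CAFEF00D
snmp-server community constructed-public RO
tacacs-server key 7 0000BADF00D0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
end
"""


def sanitize(config: str) -> str:
    """Apply the first matching mask rule to each line; other lines pass through."""
    out = []
    for line in config.splitlines():
        for pattern, repl in MASK_RULES:
            line, n = pattern.subn(repl, line, count=1)
            if n:
                break
        out.append(line)
    return "\n".join(out) + "\n"


def masked_lines(config: str) -> list:
    """Lines that still carry the placeholder: re-enter these before a restore."""
    return [l for l in config.splitlines() if PLACEHOLDER in l]


def strip_rancid_comments(config: str) -> str:
    """Drop '!'-prefixed lines (the collector's inventory notes); IOS ignores them anyway."""
    return "\n".join(l for l in config.splitlines() if not l.startswith("!")) + "\n"


if __name__ == "__main__":
    masked = sanitize(SAMPLE_CONFIG)
    print(masked)
    print("re-enter before restore:", masked_lines(masked))
```

Running `masked_lines` over a backup before pushing it to replacement hardware turns Dale's "re-enter them before TFTP'ing" into a checklist, and it also shows why keeping the masking on is the safer default: a repository of device configs with secrets intact is a far more attractive target than one with placeholders.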
cheers,
Dale

From jlewis at lewis.org Wed Aug 20 10:03:06 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 20 Aug 2008 10:03:06 -0400 (EDT)
Subject: [c-nsp] OT: network inventory
In-Reply-To: <018901c902c7$3a5c6150$12140a0a@GINKGO>
References: <200808190842.42251.lowen@pari.edu> <017d01c901fc$1dcb0300$12140a0a@GINKGO> <018901c902c7$3a5c6150$12140a0a@GINKGO>

Mostly. By default, rancid does remove cisco obfuscated passwords (the ones that are trivially decrypted), so if you just copy a config from rancid back to a device, it may not quite be fully functional...but the first time someone does a write mem on a big router running a boot image or other software that doesn't support all the features being used, you'll be glad you have the config backed up by rancid.

On Wed, 20 Aug 2008, Adam Greene wrote:
> OK, great thanks. I think we will give rancid a whirl. I assume that I'll be able to tftp whatever config file rancid creates back into a new device should we experience a hardware failure.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ras at e-gerbil.net Wed Aug 20 10:30:29 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 20 Aug 2008 09:30:29 -0500
Subject: [c-nsp] RSVP bandwidths > 10G
Message-ID: <20080820143029.GN4889@gerbil.cluepon.net>

7600router(config-if)#ip rsvp bandwidth ?
  <1-10000000>  Reservable Bandwidth (kbps)

How is one supposed to configure RSVP bandwidths greater than 10Gbps, if say for example you're doing RSVP over a 8x10G port-channel. I see the same hard-coded limitation for RSVP bandwidth in all 7600 code, including current SRC. And before anyone says it, yes I know you could do 8xVLANs, but that's just ridiculously convoluted not to mention messy/noisy for LSP path selection.
:)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From kelvin_team at yahoo.com Wed Aug 20 10:41:25 2008
From: kelvin_team at yahoo.com (Kelvin Goei)
Date: Wed, 20 Aug 2008 07:41:25 -0700 (PDT)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
Message-ID: <653784.11263.qm@web56715.mail.re3.yahoo.com>

Hi all,

we have a campus network with 4 core routers and 8 zones (distribution layer) connected to the core altogether. Each zone has 2 routers for redundancy. For intranet we are running OSPF as the routing protocol.

Want to ask, what is the benefit if we are using point-to-point for the connection between each zone's routers and the core instead of using a dr/bdr connection?

Thanks...

From oboehmer at cisco.com Wed Aug 20 10:46:53 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 20 Aug 2008 16:46:53 +0200
Subject: [c-nsp] RSVP bandwidths > 10G
In-Reply-To: <20080820143029.GN4889@gerbil.cluepon.net>
References: <20080820143029.GN4889@gerbil.cluepon.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E70A7A@xmb-ams-333.emea.cisco.com>

Richard A Steenbergen <> wrote on Wednesday, August 20, 2008 4:30 PM:

> 7600router(config-if)#ip rsvp bandwidth ?
>   <1-10000000>  Reservable Bandwidth (kbps)
>
> How is one supposed to configure RSVP bandwidths greater than 10Gbps, if say for example you're doing RSVP over a 8x10G port-channel. I see the same hard-coded limitation for RSVP bandwidth in all 7600 code, including current SRC.

DDTS CSCsh56847 requests to bump up the limit. I guess for now you might be able to do "ip rsvp bandwidth" without an argument to have the router allocate 75% of the available BW dynamically. Haven't tried this on a 10GE channel though.

TE over a channel is a challenge anyway as RSVP doesn't take the actual load-sharing into account.. I.e. RSVP might allow two 8G reservations which end up being hashed over the same physical port, resulting in packet loss..
oli

From peter at rathlev.dk Wed Aug 20 11:00:47 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 20 Aug 2008 17:00:47 +0200
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <653784.11263.qm@web56715.mail.re3.yahoo.com>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com>
Message-ID: <1219244447.7374.3.camel@abehat>

On Wed, 2008-08-20 at 07:41 -0700, Kelvin Goei wrote:
> Want to ask, what is the benefit if we are using point-to-point for the connection between each zone's routers and the core instead of using a dr/bdr connection?

Configuring a link as "point-to-point" means that OSPF skips the DR/BDR election, making the calculations a little simpler. Normally a multi-access medium (like Ethernet) means the SPF algorithm has to use a "trick" to build a graph, since all graph links must exclusively be between two nodes. Electing a pseudo-node and treating the multi-access medium like a star topology solves this, but makes the SPF graph more complex.

Regards,
Peter

From paul.cosgrove at heanet.ie Wed Aug 20 12:04:41 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 20 Aug 2008 17:04:41 +0100
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <1219244447.7374.3.camel@abehat>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com> <1219244447.7374.3.camel@abehat>
Message-ID: <48AC4099.9010809@heanet.ie>

Peter Rathlev wrote:
> On Wed, 2008-08-20 at 07:41 -0700, Kelvin Goei wrote:
>> Want to ask, what is the benefit if we are using point-to-point for the connection between each zone's routers and the core instead of using a dr/bdr connection?
>
> Configuring a link as "point-to-point" means that OSPF skips the DR/BDR election, making the calculations a little simpler. Normally a multi-access medium (like Ethernet) means the SPF algorithm has to use a "trick" to build a graph, since all graph links must exclusively be between two nodes. Electing a pseudo-node and treating the multi-access medium like a star topology solves this, but makes the SPF graph more complex.
>
> Regards,
> Peter

Just to add, just in case it isn't obvious from Peter's comments, that the neighbor establishment can also be quicker since DR election does not occur. The wait timer, which is normally 40 seconds, does not need to be used.

Paul.

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040 Web: http://www.heanet.ie
Company registered in Ireland: 275301

From sthaug at nethelp.no Wed Aug 20 12:29:22 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 20 Aug 2008 18:29:22 +0200 (CEST)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <48AC4099.9010809@heanet.ie>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com> <1219244447.7374.3.camel@abehat> <48AC4099.9010809@heanet.ie>
Message-ID: <20080820.182922.74694833.sthaug@nethelp.no>

> Just to add, just in case it isn't obvious from Peter's comments, that the neighbor establishment can also be quicker since DR election does not occur. The wait timer, which is normally 40 seconds, does not need to be used.

These are all good points, and makes me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link? I know we always do...
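Peter's "pseudo-node" trick is easiest to see by building the SPF graph both ways for the same links and counting what Dijkstra has to walk. The following is an editor's example added to the archive, not code from Peter, Paul or anyone else on the list: it models a broadcast segment as a pseudo-node with zero-cost edges back to the attached routers (the network-LSA representation Peter describes) and a point-to-point link as a direct edge, then runs SPF over each. The three-router topology (core router C1 and zone routers Z1A, Z1B) and its costs are constructed for the example.

```python
"""Build the SPF graph for a set of OSPF links two ways and compare.

Added example, not from the thread. A "broadcast" segment is modelled the way
Peter describes: a pseudo-node stands in for the segment, each router has an
edge to it at the interface cost and the pseudo-node has zero-cost edges back.
A "p2p" link becomes a direct edge between the two routers. The topology below
(core router C1 and zone routers Z1A, Z1B) is constructed for the example.
"""
from heapq import heappush, heappop


def build_graph(segments):
    """segments: list of {"name", "type": "p2p"|"broadcast", "members": [(router, cost), ...]}.

    Returns {node: {neighbor: cost}} with directed edges as OSPF advertises them.
    """
    graph = {}

    def add_edge(u, v, cost):
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})

    for seg in segments:
        members = seg["members"]
        if seg["type"] == "p2p":
            if len(members) != 2:
                raise ValueError(f"p2p segment {seg['name']} must have exactly two routers")
            (a, cost_a), (b, cost_b) = members
            add_edge(a, b, cost_a)
            add_edge(b, a, cost_b)
        elif seg["type"] == "broadcast":
            pseudo = "PN:" + seg["name"]  # the DR's network LSA, as a graph node
            for router, cost in members:
                add_edge(router, pseudo, cost)
                add_edge(pseudo, router, 0)   # network-LSA links back carry cost 0
        else:
            raise ValueError(f"unknown segment type {seg['type']!r}")
    return graph


def edge_count(graph):
    return sum(len(nbrs) for nbrs in graph.values())


def dijkstra(graph, source):
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heappush(heap, (nd, v))
    return dist


def router_distances(graph, source):
    """SPF result with pseudo-nodes hidden, which is what ends up in the RIB."""
    return {n: d for n, d in dijkstra(graph, source).items() if not n.startswith("PN:")}


# Constructed topology: C1 connects to Z1A and Z1B over two Ethernet links.
LINKS = [("c1-z1a", [("C1", 10), ("Z1A", 10)]),
         ("c1-z1b", [("C1", 10), ("Z1B", 10)])]
AS_BROADCAST = [{"name": n, "type": "broadcast", "members": m} for n, m in LINKS]
AS_P2P = [{"name": n, "type": "p2p", "members": m} for n, m in LINKS]

if __name__ == "__main__":
    for label, segs in (("broadcast", AS_BROADCAST), ("p2p", AS_P2P)):
        g = build_graph(segs)
        print(label, "nodes:", len(g), "edges:", edge_count(g), router_distances(g, "Z1A"))
```

The resulting distances are identical either way; what changes is the graph size (five nodes and eight edges with pseudo-nodes against three nodes and four edges without) and, as Paul notes, the DR election and its wait timer that the broadcast form requires before the network LSA can even exist.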
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ras at e-gerbil.net Wed Aug 20 13:13:49 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 20 Aug 2008 12:13:49 -0500
Subject: [c-nsp] RSVP bandwidths > 10G
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405E70A7A@xmb-ams-333.emea.cisco.com>
References: <20080820143029.GN4889@gerbil.cluepon.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405E70A7A@xmb-ams-333.emea.cisco.com>
Message-ID: <20080820171349.GR4889@gerbil.cluepon.net>

On Wed, Aug 20, 2008 at 04:46:53PM +0200, Oliver Boehmer (oboehmer) wrote:
> Richard A Steenbergen <> wrote on Wednesday, August 20, 2008 4:30 PM:
>
> > 7600router(config-if)#ip rsvp bandwidth ?
> >   <1-10000000>  Reservable Bandwidth (kbps)
> >
> > How is one supposed to configure RSVP bandwidths greater than 10Gbps, if say for example you're doing RSVP over a 8x10G port-channel. I see the same hard-coded limitation for RSVP bandwidth in all 7600 code, including current SRC.
>
> DDTS CSCsh56847 requests to bump up the limit. I guess for now you might be able to do "ip rsvp bandwidth" without an argument to have the router allocate 75% of the available BW dynamically. Haven't tried this on a 10GE channel though.

Yeah the docs on the subject seem to indicate that it can sometimes work by using percent (well I assume they meant percent, they seem to have neglected the actual keyword, but I don't think they mean 100Kbps :P):

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_bundle_interface.html

And if left to its own devices the port-channel interface DOES seem to find correct bandwidth values:

Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 001a.6c97.cab6 (bia 001a.6c97.cab6)
  MTU 9216 bytes, BW 40000000 Kbit, DLY 10 usec,

However, it doesn't look like this handles layer 3 SVIs trunked over a port-channel switchport, which happens to be my configuration. The SVIs always come up with a bandwidth of 10Gbps, no matter what interfaces they are trunked to:

Vlan60 is up, line protocol is up
  Hardware is EtherSVI, address is 0018.741f.85c0 (bia 0018.741f.85c0)
  MTU 9170 bytes, BW 1000000 Kbit, DLY 10 usec,

And of course, you can't manually configure the bandwidth values higher than 10Gbps either, on either the port-channel or vlan:

router(config)#int port-ch1
router(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
  inherit       Specify how bandwidth is inherited

router(config-if)#int vlan60
router(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
  inherit       Specify how bandwidth is inherited

> TE over a channel is a challenge anyway as RSVP doesn't take the actual load-sharing into account.. I.e. RSVP might allow two 8G reservations which end up being hashed over the same physical port, resulting in packet loss..

Wouldn't this be a function of the port-channel hash algorithm, not RSVP? Why would RSVP know or care about the individual L2 channel members, other than maybe not having a configured flow size bigger than the individual member capacity? I suppose you'd have a tough time achieving a good balance if you can only hash on the mpls label and not the payload when doing your hash calculation, but that's another story...

FWIW this is exactly how we do multi-10G parallel links on Juniper today, and it signals 80G RSVP across a single L3 interface on a 8x10G LACP bundle then looks inside the labels for l3/l4 payload when doing hash calculation damn near perfectly.
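Oli's warning (two 8G reservations admitted against the bundle's aggregate, then hashed onto the same member) and Richard's reply (that is the hash's doing, and the only thing RSVP could sensibly know is that no single flow exceeds a member) both come down to the gap between link-level admission and per-member placement. The following is an editor's model added to the archive, not code from either of them and not how any vendor implements admission control: the 4 x 10G bundle, the reservations, and the toy placement hash (MPLS label modulo member count, standing in for the real load-sharing algorithm) are all constructed; the 75% reservable default is the one Oli mentions.

```python
"""Model why link-level RSVP admission and per-member hashing can disagree.

Added example, not from the thread and not how any vendor implements it. The
bundle is a constructed 4 x 10G port-channel; flows are placed on members by a
toy hash (MPLS label modulo member count) that stands in for the real
load-sharing algorithm. admit_on_bundle() checks only the bundle's aggregate
reservable bandwidth, the situation Oli describes; admit_member_aware()
also checks the member the flow will hash to, which needs the per-member
capacity Richard mentions.
"""
MEMBER_GBPS = 10.0


def flow_member(label: int, n_members: int) -> int:
    """Toy hash: which bundle member a flow keyed by its MPLS label lands on."""
    return label % n_members


def admit_on_bundle(reservations, n_members, reservable_fraction=0.75):
    """Admit while the sum of reservations fits the bundle's reservable BW.

    reservations: list of (name, gbps, label). Returns the admitted names.
    """
    capacity = n_members * MEMBER_GBPS * reservable_fraction
    admitted, total = [], 0.0
    for name, gbps, _label in reservations:
        if total + gbps <= capacity:
            admitted.append(name)
            total += gbps
    return admitted


def admit_member_aware(reservations, n_members):
    """Admit only if the member the flow hashes to still has room for it."""
    load = [0.0] * n_members
    admitted = []
    for name, gbps, label in reservations:
        m = flow_member(label, n_members)
        if load[m] + gbps <= MEMBER_GBPS:
            load[m] += gbps
            admitted.append(name)
    return admitted


def member_load(reservations, admitted, n_members):
    """Per-member offered load once the admitted flows are hashed onto members."""
    load = [0.0] * n_members
    for name, gbps, label in reservations:
        if name in admitted:
            load[flow_member(label, n_members)] += gbps
    return load


def oversubscribed(load):
    """Members whose offered load exceeds their physical capacity (packet loss)."""
    return [i for i, l in enumerate(load) if l > MEMBER_GBPS]


# Constructed reservations: labels 16 and 20 both hash to member 0 of 4.
RESERVATIONS = [("LSP-A", 8.0, 16), ("LSP-B", 8.0, 20), ("LSP-C", 8.0, 17)]

if __name__ == "__main__":
    ok = admit_on_bundle(RESERVATIONS, 4)
    load = member_load(RESERVATIONS, ok, 4)
    print("bundle-level admission:", ok, "member load:", load, "oversubscribed:", oversubscribed(load))
    print("member-aware admission:", admit_member_aware(RESERVATIONS, 4))
```

With bundle-level admission all three 8G LSPs fit in the 30G reservable aggregate, yet member 0 ends up carrying 16G; the member-aware variant rejects the second flow that would land there. Whether a real platform can do the latter depends on whether the control plane can predict the hash, which is Richard's point.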
:)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From kratzers at pa.net Wed Aug 20 13:15:01 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Wed, 20 Aug 2008 13:15:01 -0400
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.182922.74694833.sthaug@nethelp.no>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com> <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no>
Message-ID: <200808201315.02110.kratzers@pa.net>

On Wednesday 20 August 2008 12:29:22 sthaug at nethelp.no wrote:
> > Just to add, just in case it isn't obvious from Peter's comments, that the neighbor establishment can also be quicker since DR election does not occur. The wait timer, which is normally 40 seconds, does not need to be used.
>
> These are all good points, and makes me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link? I know we always do...
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

The benefit/cost ratio is low. You aren't saving much by eliminating DR/BDR election, and it's just one more unnecessary tweak to keep track of. IMHO.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From everton at lab.ipaccess.diveo.net.br Wed Aug 20 12:47:35 2008
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Wed, 20 Aug 2008 13:47:35 -0300
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20080820164735.GA16618@diveo.net.br>

On Wed, Aug 20, 2008 at 11:19:43AM +1000, Andy Saykao wrote:
> Just wondering from those in the know, whether it's best practice to implement public or private IPs for the PE-to-CE link. What's everyone using and why?

There is a kind of best practices in a presentation from Cisco Networkers 2008. Slide 83 content is reproduced below.

Cisco Networkers 2008
BRKIPM-2001: Deploying MPLS VPN Networks
by Dirk Schroetter

Best Practices

1. Use RR to scale BGP; deploy RRs in pair for the redundancy
   Keep RRs out of the forwarding paths and disable CEF (saves memory)

2. RT and RD should have ASN in them i.e. ASN:X
   Reserve first few 100s of X for the internal purposes such as filtering

3. Consider unique RD per VRF per PE, if load sharing of VPN traffic is required

4. Don't use customer names as the VRF names; nightmare for the NOC.
   Use simple combination of numbers and characters in the VRF name
   For example: v101, v102, v201, v202, etc. Use description.

5. PE-CE IP address should come out of SP's public address space to avoid overlapping
   Use /31 subnetting on PE-CE interfaces

6. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor
   Max-prefix within the VRF configuration; Do suppress the inactive routes.
   Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)

Hope this helps,
Everton

From sthaug at nethelp.no Wed Aug 20 13:43:51 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 20 Aug 2008 19:43:51 +0200 (CEST)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <200808201315.02110.kratzers@pa.net>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net>
Message-ID: <20080820.194351.41689631.sthaug@nethelp.no>

> > These are all good points, and makes me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link? I know we always do...
>
> The benefit/cost ratio is low. You aren't saving much by eliminating DR/BDR election, and it's just one more unnecessary tweak to keep track of. IMHO.

Funny, we look at it exactly the opposite way. We're a service provider, and a large majority of the Ethernet links where we run an IGP are point to point links. So we have the point to point configuration as part of our standard config template, nothing extra to keep track of.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From liviu.pislaru at gmail.com Wed Aug 20 14:04:27 2008
From: liviu.pislaru at gmail.com (Liviu Pislaru)
Date: Wed, 20 Aug 2008 21:04:27 +0300
Subject: [c-nsp] multicast NOT in HW on 7600

hi

i have a multicast problem in the following topology;

TOPOLOGY:

Msource -> R1(SVI 10) ---trunk--- (SVI 10) R2 ---routed--- R3 ......Rn ... Receiver

- R1(7613), R2(7609), R(7613) / IOS SRA3 / WS-SUP720-3BXL
- 10G link between them in WS-X6704-10GE linecards with DFC
- trunk between R1 and R2, link routed between R2 and R3
- SVI 10 has "ip pim sparse-mode" and "mpls ip" so R1 is PE router and R2,R3 ...Rn are P routers.
- routed links between P routers have "ip pim sparse-mode" and "mpls ip"
- Msource (multicast source) interface from R1(routed) is configured in vrf XXX
- BGP address-family ipv4 mdt configured on R1 (and all other PE)

PROBLEM:

all multicast traffic goes to RP on R2 (is software processed), CPU load increases, etc ...

although all 76xx (P routers) are identically configured (regarding multicast), on R2 (the one with the problem) we could NOT see this line:

P-router#sh mls ip multicast summary | i mvpn
Hardware shortcuts for mvpn mroutes supported

WORKAROUND:

Suspecting that "ip pim" on SVI might be the problem, i've changed the topology with a routed link between R1 and R3 and the problem was solved.

NEW TOPOLOGY:

Msource -> R1 ---routed--- R3 ......Rn ... Receiver

Unfortunately, i could not afford to change the link between R1 and R2 from trunk to routed and keep R2 with multicast traffic flowing through it.

Has anybody of you ever experienced the same? Any advice?

thank you,
liviu.

From christian.macnevin at gmail.com Wed Aug 20 14:12:46 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 20 Aug 2008 11:12:46 -0700
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <20080820164735.GA16618@diveo.net.br>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>

Agree with everyone who's agreed with point 5 :) I've been in MPLS SPs for years and regretted every time I've seen somebody try and use private space for management.

On Aug 20, 2008, at 9:47 AM, Everton da Silva Marques wrote:
> On Wed, Aug 20, 2008 at 11:19:43AM +1000, Andy Saykao wrote:
>> Just wondering from those in the know, whether it's best practice to implement public or private IPs for the PE-to-CE link. What's everyone using and why?
>
> There is a kind of best practices in a presentation from Cisco Networkers 2008.
> Slide 83 content is reproduced below.
>
> Cisco Networkers 2008
> BRKIPM-2001: Deploying MPLS VPN Networks
> by Dirk Schroetter
>
> Best Practices
>
> 1. Use RR to scale BGP; deploy RRs in pair for the redundancy
>    Keep RRs out of the forwarding paths and disable CEF (saves memory)
>
> 2. RT and RD should have ASN in them i.e. ASN:X
>    Reserve first few 100s of X for the internal purposes such as filtering
>
> 3. Consider unique RD per VRF per PE, if load sharing of VPN traffic is required
>
> 4. Don't use customer names as the VRF names; nightmare for the NOC.
>    Use simple combination of numbers and characters in the VRF name
>    For example: v101, v102, v201, v202, etc. Use description.
>
> 5. PE-CE IP address should come out of SP's public address space to avoid overlapping
>    Use /31 subnetting on PE-CE interfaces
>
> 6. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor
>    Max-prefix within the VRF configuration; Do suppress the inactive routes.
>    Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
>
> Hope this helps,
> Everton

From svemulap at cisco.com Wed Aug 20 14:13:47 2008
From: svemulap at cisco.com (Shankar Vemulapalli (svemulap))
Date: Wed, 20 Aug 2008 11:13:47 -0700
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.194351.41689631.sthaug@nethelp.no>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no>
Message-ID: <70BC84B185C3EE448EDB7AB8956D3B0E06401DD0@xmb-sjc-234.amer.cisco.com>

Hopefully the below URL should provide more info and motivation behind p2p support on LAN.

http://www.ietf.org/internet-drafts/draft-ietf-isis-igp-p2p-over-lan-06.txt

/Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
Sent: Wednesday, August 20, 2008 10:44 AM
To: kratzers at pa.net
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OSPF point-to-point vs dr/bdr

> > These are all good points, and makes me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link?
> > I know we always do...
>
> The benefit/cost ratio is low. You aren't saving much by eliminating DR/BDR election, and it's just one more unnecessary tweak to keep track of. IMHO.

Funny, we look at it exactly the opposite way. We're a service provider, and a large majority of the Ethernet links where we run an IGP are point to point links. So we have the point to point configuration as part of our standard config template, nothing extra to keep track of.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rodunn at cisco.com Wed Aug 20 14:16:02 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 20 Aug 2008 14:16:02 -0400
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.194351.41689631.sthaug@nethelp.no>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no>
Message-ID: <20080820181602.GI1454@rtp-cse-489.cisco.com>

There was a point to point configuration on the link itself and it caused a bunch of platform forwarding problems once.

I wouldn't use that one.
Note I'm not talking about the OSPF point to point control plane configuration.

Rodney

On Wed, Aug 20, 2008 at 07:43:51PM +0200, sthaug at nethelp.no wrote:
> Funny, we look at it exactly the opposite way. We're a service provider,
> and a large majority of the Ethernet links where we run an IGP are point
> to point links. So we have the point to point configuration as part of
> our standard config template, nothing extra to keep track of.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From nick.jon.griffin at gmail.com Wed Aug 20 14:18:18 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 20 Aug 2008 13:18:18 -0500
Subject: [c-nsp] Simple VRF ( I hope )
Message-ID:

I have a scenario that I am trying to accomplish and I'm having some issues getting my head around it. In the simplest form I have a client on VRF 1 and a server in the global table, and I want to enable communication between the 2, so I do 2 things. 2.2.2.0 is the VRF 1 network and 1.1.1.0 is in the global table:

    ip route 2.2.2.0 255.255.255.0 Vlan12 2.2.2.2
    ip route vrf I1 1.1.1.0 255.255.255.0 1.1.1.2 global

The issue is with the global/next hop IP address on the VRF route. In my scenario the global subnet is an SVI on a layer 3 switch, of which the next hop would be the switch itself.
I cannot reference the switch itself as the next hop because IOS won't take the command. If I have 2 routers/switches parallel on the same subnet I can add the route on each router referencing the opposite router and all works well. There are scenarios where I don't have 2 switches on the global subnet so I can't configure it this way, and I don't know if this is desirable. It's clearly ARP/CEF related; however, am I missing something here? How would this normally be handled?

I am not attempting to use the VRFs for security, hence the leaking between the global table and the VRF; I am more so looking to control the VRF's egress to the internet to avoid using policy based routing.

I hope this makes sense, thanks in advance!

From sthaug at nethelp.no Wed Aug 20 14:28:33 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 20 Aug 2008 20:28:33 +0200 (CEST)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820181602.GI1454@rtp-cse-489.cisco.com>
References: <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com>
Message-ID: <20080820.202833.71141378.sthaug@nethelp.no>

> There was a point to point configuration on the link itself and it
> caused a bunch of platform forwarding problems once.
>
> I wouldn't use that one.

Agreed.

> Note I'm not talking about the OSPF point to point control plane
> configuration.

Yup, that's the one I'm talking about, and which we have as part of our standard config template. We see only advantages (likewise for IS-IS).
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jay at west.net Wed Aug 20 14:00:30 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 20 Aug 2008 11:00:30 -0700
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <149656.10920.qm@web50503.mail.re2.yahoo.com>
References: <149656.10920.qm@web50503.mail.re2.yahoo.com>
Message-ID: <48AC5BBE.2040105@west.net>

Johnny Ramirez wrote:
> Justin,
>
> I appreciate your well explained answer. So basically they would tell me what VLANs I should use for me to match them.

Maybe.

When you have multiple VLANs on the same interface, Cisco calls this a "trunk". Other vendors may define "trunk" differently, such as LACP/PAgP, so beware of terminology issues with the carrier.

In order to carry multiple VLANs and sort them out at the other end, frames on each VLAN have a "tag" in the header which is used by the receiving switch to identify the VLAN.

Your transport provider is probably using this technology to service multiple customers. Within the provider's network, your frames are tagged with a VLAN ID unique to you as a customer. The tag is stripped at the other end. Thus, the transport provider isn't expecting to see a VLAN tag on your traffic, as it uses VLAN tags internally to distinguish between customers. When you send tagged frames, the transport provider either strips your tags or discards the frames to avoid confusion with its customer-identifying tags.

Your choices:

1. Define all of the VLANs you'll use, hope they don't conflict with those for other customers, and ask the provider to pass your tags. This is messy and doesn't scale.

2. Ask your carrier to provision the circuit as "Q-in-Q" (802.1Q with your tags inside 802.1Q with their tags). Think postal mail with an envelope inside an envelope. This scales; the transport provider doesn't care what's written on the inside envelope.
-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From paul.cosgrove at heanet.ie Wed Aug 20 14:42:13 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 20 Aug 2008 19:42:13 +0100
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820181602.GI1454@rtp-cse-489.cisco.com>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com>
Message-ID: <48AC6585.9070701@heanet.ie>

I'm not sure I understand you there. Do you mean that the intention behind the draft RFC was for some form of point-to-point configuration command on the interface, which would apply to all link state routing protocols?

Paul.

Rodney Dunn wrote:
> There was a point to point configuration on the link itself and it
> caused a bunch of platform forwarding problems once.
>
> I wouldn't use that one.
>
> Note I'm not talking about the OSPF point to point control plane
> configuration.
>
> Rodney

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From kgraham at industrial-marshmallow.com Wed Aug 20 14:55:54 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 20 Aug 2008 11:55:54 -0700 (PDT)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
Message-ID: <732364.51443.qm@web908.biz.mail.mud.yahoo.com>

> Funny, we look at it exactly the opposite way. We're a service provider,
> and a large majority of the Ethernet links where we run an IGP are point
> to point links. So we have the point to point configuration as part of
> our standard config template, nothing extra to keep track of.

I agree that it makes a lot of sense, but what's the failure mode in the event that configuration is missing on one side, or that a network type configured as point-to-point is multiaccess?

From sthaug at nethelp.no Wed Aug 20 14:59:51 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 20 Aug 2008 20:59:51 +0200 (CEST)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <732364.51443.qm@web908.biz.mail.mud.yahoo.com>
References: <732364.51443.qm@web908.biz.mail.mud.yahoo.com>
Message-ID: <20080820.205951.104088643.sthaug@nethelp.no>

> > Funny, we look at it exactly the opposite way.
> > We're a service provider,
> > and a large majority of the Ethernet links where we run an IGP are point
> > to point links. So we have the point to point configuration as part of
> > our standard config template, nothing extra to keep track of.
>
> I agree that it makes a lot of sense, but what's the failure mode in the
> event that configuration is missing on one side, or that a network-type
> configured as point-to-point is multiaccess?

As far as I can see:

- Missing on one side: OSPF adjacency won't come up.
- Multiaccess: We use /30 on our point to point Ethernet links. A third router on a multiaccess segment should lead to address conflicts, again preventing OSPF adjacency.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From svemulap at cisco.com Wed Aug 20 15:09:21 2008
From: svemulap at cisco.com (Shankar Vemulapalli (svemulap))
Date: Wed, 20 Aug 2008 12:09:21 -0700
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.202833.71141378.sthaug@nethelp.no>
References: <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com> <20080820.202833.71141378.sthaug@nethelp.no>
Message-ID: <70BC84B185C3EE448EDB7AB8956D3B0E06401E58@xmb-sjc-234.amer.cisco.com>

Take a look at the NANOG presentation that I did a while back. I covered this topic in slides 71-73:

http://www.nanog.org/mtg-0202/shankar.html

Thanks,
/Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
Sent: Wednesday, August 20, 2008 11:29 AM
To: Rodney Dunn (rodunn)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OSPF point-to-point vs dr/bdr

> There was a point to point configuration on the link itself and it
> caused a bunch of platform forwarding problems once.
>
> I wouldn't use that one.

Agreed.

> Note I'm not talking about the OSPF point to point control plane
> configuration.
Yup, that's the one I'm talking about, and which we have as part of our standard config template. We see only advantages (likewise for IS-IS).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rodunn at cisco.com Wed Aug 20 16:22:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 20 Aug 2008 16:22:59 -0400
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <48AC6585.9070701@heanet.ie>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com> <48AC6585.9070701@heanet.ie>
Message-ID: <20080820202259.GF3810@rtp-cse-489.cisco.com>

Not sure. I didn't write it. ;)

From a quick glance it seems to imply that type of behavior but I'm not aware it was ever really done.

On Wed, Aug 20, 2008 at 07:42:13PM +0100, Paul Cosgrove wrote:
> I'm not sure I understand you there. Do you mean that the intention
> behind the draft RFC was for some form of point-to-point configuration
> command on the interface, which would apply to all link state routing
> protocols?
>
> Paul.

From Andrey.Pinaev at megafonmoscow.ru Wed Aug 20 15:51:34 2008
From: Andrey.Pinaev at megafonmoscow.ru (Pinaev, Andrey)
Date: Wed, 20 Aug 2008 23:51:34 +0400
Subject: [c-nsp] BGP connection and default route
Message-ID: <924401BDDCA9B14384E97DC41E85C50E039343ED@SDEXCH.sonicduo.com>

Hi, ALL

When the RIB has only a default route and hasn't any NH prefixes, BGP doesn't establish connections.

What is the nature of this restriction in IOS?

Andy Pinaev.
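An added configuration sketch for Andrey's scenario, written for this archive and not taken from the thread or from Cisco documentation: it contrasts a RIB that covers the iBGP peer only through 0.0.0.0/0 with one that carries a specific route to the peer, which is the condition Stephen Kratzer's reply further down says IOS wants. The AS number, addresses and interface names are made up for the illustration.

```ios
! Constructed example (not from the thread): R1 peers over iBGP with R2's
! loopback 10.255.0.2 in AS 65000. Every value here is illustrative.
hostname R1
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description link towards R2 (assumed topology)
 ip address 192.0.2.1 255.255.255.252
!
! Starting point: the only RIB entry is the default route. Packets to
! 10.255.0.2 would still be forwarded, but no prefix other than 0.0.0.0/0
! covers the peer, which is the situation Andrey describes.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Change: add a specific route to the peer's loopback. A static host route
! is used here for brevity; an IGP-learned route serves the same purpose.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
!
! Checks after the change (commands only; no output is reproduced here):
!   show ip route 10.255.0.2     - expect the /32 host route, not 0.0.0.0/0
!   show ip bgp summary          - session state towards 10.255.0.2
```

The same pattern applies to eBGP with ebgp-multihop: whatever supplies the route to the peer address, it should be something more specific than the default, and the `update-source` should match the address the far side peers with.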
From jay at west.net Wed Aug 20 16:33:29 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 20 Aug 2008 13:33:29 -0700
Subject: [c-nsp] T3 drop-insert scenario
In-Reply-To:
References: <48AB3381.2020005@css.com.br>
Message-ID: <48AC7F99.2080209@west.net>

We have two locations connected with a DS-3 terminating on PA-T3+ cards on 7206VXR chassis, nowhere near fully loaded. There is another need for four T-1s interconnecting the same locations for a different purpose, not associated with the T3 traffic.

Can anyone recommend a Cisco or other vendor device to peel off four DS1s from the T3 at each end and pass the remainder as a single pipe for IP? I've Googled and come up with mixed results.

We could if necessary swap the PA-T3+ cards for HSSI.

-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From blahu77 at gmail.com Wed Aug 20 16:50:34 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 20 Aug 2008 21:50:34 +0100
Subject: [c-nsp] T3 drop-insert scenario
In-Reply-To: <48AC7F99.2080209@west.net>
References: <48AB3381.2020005@css.com.br> <48AC7F99.2080209@west.net>
Message-ID: <383357750808201350sf11815dr6a4ea81c8329a8f4@mail.gmail.com>

> Can anyone recommend Cisco or other vendor device to peel off four DS1s from
> the T3 at each end and pass the remainder as a single pipe for IP? I've
> Googled and come up with mixed results.

RAD DXC should be able to do so...

Best Regards,
-- 
-mat

From gsgranados at comcast.net Wed Aug 20 16:51:04 2008
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 20 Aug 2008 13:51:04 -0700
Subject: [c-nsp] Problems when configuring BGP on 4506
Message-ID: <013e01c90306$7a6d99a0$c300a8c0@ccntd1.covad.com>

I'm new with the 4506 so this may be an obvious problem.

In my case I have one 4506 that I'm using the layer 3 routing option.
I'm trying to send 1 full BGP feed for now for the purposes of testing; eventually I'll add another to make the exercise meaningful. My problem is this: when I turn up the session, after a few seconds up to a minute the routes withdraw, and when I do a show ip BGP a.b.c.d I see the route entry and it's indicated to have no path available, inaccessible. When the routes first install they have the path available and work. In parallel, I'm noticing a series of IP CEF Distributed errors concerning low memory. (no BGP log messages)

So, am I seeing a limitation in the number of routes I can install? The CPU shows 512 megs installed; is there a software limit that I'm bumping into?

The switch is running 12.1-19 ?

Is this a hardware / memory issue or should I check in other areas? What would make a BGP table full of routes remove once the table is downloaded?

Thank you
Scott

P.S. Sorry if this is a n00by question, the 4506 is a new switch in my lab and google hasn't yielded me too many usable pointers yet.

From kratzers at pa.net Wed Aug 20 17:11:40 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Wed, 20 Aug 2008 17:11:40 -0400
Subject: [c-nsp] BGP connection and default route
In-Reply-To: <924401BDDCA9B14384E97DC41E85C50E039343ED@SDEXCH.sonicduo.com>
References: <924401BDDCA9B14384E97DC41E85C50E039343ED@SDEXCH.sonicduo.com>
Message-ID: <200808201711.41883.kratzers@pa.net>

On Wednesday 20 August 2008 15:51:34 Pinaev, Andrey wrote:
> Hi, ALL
>
> When RIB has only default route and hasn't any NH prefixes, BGP doesn't
> establish connections.
>
> What nature of this restriction in IOS?
>
> Andy Pinaev.

If you're running iBGP or eBGP with ebgp-multihop, the neighbors need to have a route (static, connected, or IGP) between them. It's important that the BGP session is established across the intended interface. IOS enforces this by not allowing locally-generated BGP messages to follow a default route (or something to that effect).
Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From cchurc05 at harris.com Wed Aug 20 17:22:26 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 20 Aug 2008 16:22:26 -0500
Subject: [c-nsp] Problems when configuring BGP on 4506
In-Reply-To: <013e01c90306$7a6d99a0$c300a8c0@ccntd1.covad.com>
References: <013e01c90306$7a6d99a0$c300a8c0@ccntd1.covad.com>
Message-ID:

Scott,

The Sup 6E can hold up to 256K routes; all other 4500 Sups I think are half that or less. If you want a full table these days, the 4500 can't do it. It's not a memory limitation, it's in the hardware. Archives have it covered in great detail.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, August 20, 2008 4:51 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Problems when configuring BGP on 4506

I'm new with the 4506 so this may be an obvious problem.

[...]

So, am I seeing a limitation in the number of routes I can install? The cpu shows 512 megs installed, is there a software limit that I'm bumping in to?

From christian.macnevin at gmail.com Wed Aug 20 17:25:25 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 20 Aug 2008 14:25:25 -0700
Subject: [c-nsp] Problems when configuring BGP on 4506
In-Reply-To: <013e01c90306$7a6d99a0$c300a8c0@ccntd1.covad.com>
References: <013e01c90306$7a6d99a0$c300a8c0@ccntd1.covad.com>
Message-ID:

From your description, I think you're saying that you're sending routes to a receiver who isn't injecting them into the table?

Enable soft-reconfiguration inbound to check whether it's still receiving all the routes ('neighbor a.b.c.d soft-reconfiguration inbound'), then check this with 'sh ip bgp received-routes'. Then cross-reference with 'sh ip route bgp' to see what's getting in. If you're getting them, check the next hop being advertised is available. If the next hops being advertised aren't reachable, then make sure the advertising router is set to 'next-hop-self'.

HTH and apologies if I'm off target..

On Aug 20, 2008, at 1:51 PM, Scott Granados wrote:
> I'm new with the 4506 so this may be an obvious problem.
>
> [...]
>
> Is this a hardware / memory issue or should I check in other areas?
> What would make a bgp table full of routes remove once the table is
> downloaded?

From risnaini at indo.net.id Wed Aug 20 18:16:08 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 21 Aug 2008 05:16:08 +0700
Subject: [c-nsp] Unable to connect VLAN traffic
In-Reply-To: <952151.30623.qm@web50509.mail.re2.yahoo.com>
References: <952151.30623.qm@web50509.mail.re2.yahoo.com>
Message-ID: <48AC97A8.6060307@indo.net.id>

Just a bit outside Cisco: the simplest way of doing this Q-in-Q is on Nortel, which I have been working with.

a. rahman isnaini rangkayo sutan

From daniel_p_lacey at yahoo.com Wed Aug 20 18:51:22 2008
From: daniel_p_lacey at yahoo.com (Daniel Lacey)
Date: Wed, 20 Aug 2008 15:51:22 -0700
Subject: [c-nsp] 7206 12.2(18) Maximum # of MLPPP T1s on PA-MC-T3
Message-ID: <48AC9FEA.5080607@yahoo.com>

Hi all,

cisco 7206VXR (NPE300) processor (revision B) with 229376K/65536K bytes of memory.
R7000 CPU at 262Mhz, Implementation 39, Rev 1.0, 256KB L2 Cache
6 slot VXR midplane, Version 2.0

I found that the PA-MC-T3 card will handle 12 T1 links in one MLPPP group and still use HW. After 12, the 7206 will go into SW mode for the MLPPP bundle.

How many T1s, albeit in SW mode, can I bundle together?
I know I can bundle across PA-MC-T3 cards, again in SW mode, but how many total T1s can I bundle across two PA-MC-T3 cards?

How about where I will run into performance issues?

Thanks in advance!

Dan

From rubensk at gmail.com Wed Aug 20 19:19:40 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 20 Aug 2008 20:19:40 -0300
Subject: [c-nsp] Cheap STM-1 router
Message-ID: <6bb5f5b10808201619t633cbbf7n3ee712316a38bdd2@mail.gmail.com>

Hi.

I'm trying to convince a friend not to use an SDH-to-Ethernet mux and instead go for a router-based solution, but I've only found ATM network modules to go with 3xxx series routers. What would be the cheapest (new, used, refurbished, all of the above) Cisco gear that could:

1) On the remote sites, have an STM-1 SDH connection; no sub-channeling, just a single IP interface with all the STM-1 capacity.

2) On the central site, have an STM-16 SDH connection; some channeling is required, so each remote STM-1 is a sub-interface.

Tks,
Rubens

From darrellroot at mac.com Wed Aug 20 19:44:39 2008
From: darrellroot at mac.com (Darrell Root)
Date: Wed, 20 Aug 2008 16:44:39 -0700
Subject: [c-nsp] smoke and condensation damage to routers
Message-ID:

We had a fire in a building where we stored a significant quantity of gear and are attempting to determine whether any of the gear in the vicinity can be trusted (and dealing with the insurance adjustor).

Stuff sprayed with water or in dense smoke (everything on the floor of the fire) is thrown out of course.

I've got some switches which were 1 floor downstairs from the fire. They were in moderate smoke. They are dry, although the building was very humid (3 inches of water on floor). Most of them smell smoky.

My worst judgement call is a pair of ASA5580-40's in the original packaging 1 floor down from the fire. They were inside a plastic bag inside a box on a pallet. The box is dry. Some condensation was noticed inside the plastic bag when it was opened up.
From my standpoint I don't want to trust any of this gear in production. Of course, the insurance adjustor sees gear that appears undamaged and is now completely dry.

Anyone have experience running gear that was subjected to smoke, and possibly some condensation? Did it result in abnormal outages in the future?

Darrell Root
ciscotraining at mac.com

From brandon at sterling.net Wed Aug 20 19:49:53 2008
From: brandon at sterling.net (Brandon Price)
Date: Wed, 20 Aug 2008 16:49:53 -0700
Subject: [c-nsp] 7206 12.2(18) Maximum # of MLPPP T1s on PA-MC-T3
In-Reply-To: <48AC9FEA.5080607@yahoo.com>
References: <48AC9FEA.5080607@yahoo.com>
Message-ID:

Just for the heck of it I bundled all 28 once in a lab with an NPE400 on one end and an NPE300 on the other. I was able to pull about 40 Mbps or so across the link. If memory serves me correctly the CPUs spiked pretty high, above 90% I think. I didn't do a whole lot of testing but it definitely took all 28 members.

Brandon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Lacey
Sent: Wednesday, August 20, 2008 3:51 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206 12.2(18) Maximum # of MLPPP T1s on PA-MC-T3

Hi all,

[...]

How many T1s can I use, albeit in SW mode, can I bundle together? I know I can bundle across PA-MC-T3, again in SW mode, but how many total T1s can I bundle across two PA-MC-T3 cards?

From brandon at sterling.net Wed Aug 20 19:59:17 2008
From: brandon at sterling.net (Brandon Price)
Date: Wed, 20 Aug 2008 16:59:17 -0700
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>
Message-ID:

Other than just saying "it's bad", can you give some specifics as to the problems you've run into using private addresses for PE-CE links?

As long as the SP hands out unique addresses across all of the links, what does it matter whether they are "private" or "public"?

Brandon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian MacNevin
Sent: Wednesday, August 20, 2008 11:13 AM
To: everton at lab.ipaccess.diveo.net.br
Cc: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

Agree with everyone who's agreed with point 5 :)

I've been in MPLS SPs for years and regretted every time I've seen somebody try and use private space for management.

On Aug 20, 2008, at 9:47 AM, Everton da Silva Marques wrote:
> On Wed, Aug 20, 2008 at 11:19:43AM +1000, Andy Saykao wrote:
>> Just wondering from those in the know, whether it's best practice to
>> implement public or private IP's for the PE-to-CE link. What's
>> everyone using and why?
>
> There is a kind of best practices in a presentation from
> Cisco Networkers 2008. Slide 83 content is reproduced below.
>
> [...]
>
> Hope this helps,
> Everton

From christian.macnevin at gmail.com Wed Aug 20 20:07:49 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 20 Aug 2008 17:07:49 -0700
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>
Message-ID:

Because you can never guarantee what addresses your customers are going to use, and you can't force them to renumber, because they're paying you.
And adopting a new strategy for each customer that breaks you just isn't scaleable. On Aug 20, 2008, at 4:59 PM, Brandon Price wrote: Other than just saying "its bad" can you give some specifics as to the problems you've run into using private addresses for PE-CE links? As long as the SP hands out unique addresses across all of the links, what does it matter whether they are "private" or "public" ? Brandon -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian MacNevin Sent: Wednesday, August 20, 2008 11:13 AM To: everton at lab.ipaccess.diveo.net.br Cc: Andy Saykao; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP? Agree with everyone who's agreed with point 5 :) I've been in MPLS SPs for years and regretted every time I've seen somebody try and use private space for management. On Aug 20, 2008, at 9:47 AM, Everton da Silva Marques wrote: > On Wed, Aug 20, 2008 at 11:19:43AM +1000, Andy Saykao wrote: >> Just wondering from those in the know, whether it's best practice to >> implement public or private IP's for the PE-to-CE link. What's >> everyone >> using and why? > > There is a kind of best practices in a presentation from > Cisco Networkers 2008. Slide 83 content is reproduced below. > > Cisco Networkers 2008 > BRKIPM-2001: Deploying MPLS VPN Networks > by Dirk Schroetter > > Best Practices > > 1. Use RR to scale BGP; deploy RRs in pair for the redundancy > Keep RRs out of the forwarding paths and disable CEF (saves memory) > > 2. RT and RD should have ASN in them i.e. ASN: X > Reserve first few 100s of X for the internal purposes such as > filtering > > 3. Consider unique RD per VRF per PE, if load sharing of VPN traffic > is required > > 4. Don't use customer names as the VRF names; nightmare for the NOC. > Use simple combination of numbers and characters in the VRF name > For example: v101, v102, v201, v202, etc. 
Use description. > > 5. PE-CE IP address should come out of SP.s public address space to > avoid overlapping > Use /31 subnetting on PE-CE interfaces > > 6. Define an upper limit at the PE on the number of prefixes > received from the CE for each VRF or neighbor > Max-prefix within the VRF configuration; Do suppress the inactive > routes. > Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE) > > Hope this helps, > Everton > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From r.engehausen at gmail.com Wed Aug 20 20:35:14 2008 From: r.engehausen at gmail.com (Roy) Date: Wed, 20 Aug 2008 17:35:14 -0700 Subject: [c-nsp] smoke and condensation damage to routers In-Reply-To: References: Message-ID: <48ACB842.3060307@gmail.com> I think I would start by asking Cisco. Their typical specs show the storage conditions. Example: PRODUCT SPECIFICATIONS: ENVIRONMENTAL CONDITIONS ? Storage temperature: -38 to 150?F (-40 to 70?C) ? Storage relative humidity: 5 to 95% relative humidity (RH) Darrell Root wrote: > > We had a fire in a building where we stored a significant quantity of > gear and are attempting to > determine whether any of the gear in the vicinity can be trusted (and > dealing with the insurance > adjustor). > > Stuff sprayed with water or in dense smoke (everything on the floor of > the fire) is thrown out of course. > > I've got some switches which were 1 floor downstairs from the fire. > They were in moderate smoke. > They are dry, although the building was very humid (3 inches of water > on floor). Most of them smell > smoky. 
> > My worst judgement call is a pair of ASA5580-40's in the original > packaging 1 floor down from the > fire. They were inside a plastic bag inside a box on a pallet. The box > is dry. > Some condensation was noticed inside the plastic bag when it was > opened up. > > From my standpoint I don't want to trust any of this gear in > production. Of course, the insurance > adjustor sees gear that appears undamaged and is now completely dry. > > Anyone have experience running gear that was subjected to smoke, and > possibly some > condensation? Did it result in abnormal outages in the future? > > Darrell Root > ciscotraining at mac.com > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From abalashov at evaristesys.com Wed Aug 20 20:53:57 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Wed, 20 Aug 2008 20:53:57 -0400 Subject: [c-nsp] smoke and condensation damage to routers In-Reply-To: References: Message-ID: <48ACBCA5.7080509@evaristesys.com> It seems to me that most of the questions you are asking can only be resolved by empirical means, as most of the marginal effects you are describing beyond the immediately affected area are likely to be manifested on a microscopic level, or in some other province of the physical that affects the function of integrated circuits but is not readily discernable to the naked eye. There does not exist a feat, method, or technique of analytical, or "a priori" physics that can give you a reliable answer one way or another. From personal observation in similar situations, I would say that the ASA5580-40s are almost certainly just fine. 
Darrell Root wrote:
> We had a fire in a building where we stored a significant quantity of gear and are attempting to determine whether any of the gear in the vicinity can be trusted (and dealing with the insurance adjustor).
>
> Stuff sprayed with water or in dense smoke (everything on the floor of the fire) is thrown out of course.
>
> I've got some switches which were 1 floor downstairs from the fire. They were in moderate smoke. They are dry, although the building was very humid (3 inches of water on floor). Most of them smell smoky.
>
> My worst judgement call is a pair of ASA5580-40's in the original packaging 1 floor down from the fire. They were inside a plastic bag inside a box on a pallet. The box is dry. Some condensation was noticed inside the plastic bag when it was opened up.
>
> From my standpoint I don't want to trust any of this gear in production. Of course, the insurance adjustor sees gear that appears undamaged and is now completely dry.
>
> Anyone have experience running gear that was subjected to smoke, and possibly some condensation? Did it result in abnormal outages in the future?
>
> Darrell Root
> ciscotraining at mac.com

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From andy.saykao at staff.netspace.net.au Wed Aug 20 21:08:58 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 21 Aug 2008 11:08:58 +1000
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654886@vic-cr-ex1.staff.netspace.net.au>

Well we don't have to worry about managing the CE side because this is the customer's responsibility, so gathering by what I've read so far, using a public or private address space shouldn't matter.

I do agree with everyone that having a public address space for the PE-CE link means that you'll never have to worry about what private address space the customer is using on their LAN side. This is a nice worry not to have :)

I also agree with Brandon that so long as you manage the address space carefully across all of the links, it probably won't matter too much whether you go with public or private.

Since my manager has already decided to use a private IP range for the PE-CE link, we'll just have to take it case by case and hope we use an obscure private range that no one else is using *fingers crossed*. If we ever do encounter overlapping IPs and the customer can't change their IP addressing scheme, I guess we can always pull out another obscure private range to use.

Thanks for the interesting discussion.

Cheers.

Andy

-----Original Message-----
From: Christian MacNevin [mailto:christian.macnevin at gmail.com]
Sent: Thursday, 21 August 2008 10:08 AM
To: Brandon Price
Cc: everton at lab.ipaccess.diveo.net.br; Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

Because you can never guarantee what addresses your customers are going to use, and you can't force them to renumber, because they're paying you. And adopting a new strategy for each customer that breaks you just isn't scalable.

On Aug 20, 2008, at 4:59 PM, Brandon Price wrote:

Other than just saying "it's bad", can you give some specifics as to the problems you've run into using private addresses for PE-CE links?

As long as the SP hands out unique addresses across all of the links, what does it matter whether they are "private" or "public"?

Brandon

From mksmith at adhost.com Wed Aug 20 21:53:06 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 20 Aug 2008 18:53:06 -0700
Subject: [c-nsp] T3 drop-insert scenario
In-Reply-To: <48AC7F99.2080209@west.net>
References: <48AB3381.2020005@css.com.br> <48AC7F99.2080209@west.net>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604902EBC@ad-exh01.adhost.lan>

> We have two locations connected with a DS-3 terminating on PA-T3+ cards on 7206VXR chassis, nowhere near fully loaded.
> There is another need for four T-1s interconnecting the same locations for a different purpose, not associated with the T3 traffic.
>
> Can anyone recommend Cisco or other vendor device to peel off four DS1s from the T3 at each end and pass the remainder as a single pipe for IP? I've Googled and come up with mixed results.
>
> We could if necessary swap the PA-T3+ cards for HSSI.

This looks pretty nice as well.

http://www.interlinkweb.com/systemics/email/minimux2000.pdf

Mike

From gsgranados at comcast.net Wed Aug 20 22:22:12 2008
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 20 Aug 2008 19:22:12 -0700
Subject: [c-nsp] smoke and condensation damage to routers
References: <48ACBCA5.7080509@evaristesys.com>
Message-ID: <037501c90334$bf2cd960$c300a8c0@ccntd1.covad.com>

Just to add a little to this, have you seen the condition of some ILEC central offices these days? I remember being in one in Connecticut that had standing water. ;) The point is routers get left in a lot of less than data center quality level facilities. Think of how many 26xx's, hell 25xx, random access servers and random odd devices that sit in the back of Quick Stops, food courts and the odd war zone here or there that function for not a few months but years of uptime. I would think that if the boxes are reasonably free from damage a good cleaning and once over should do the trick. Before you settle with your insurance company make them allow you to leave a month or so test period.

----- Original Message -----
From: "Alex Balashov"
Cc: "Darrell Root"
Sent: Wednesday, August 20, 2008 5:53 PM
Subject: Re: [c-nsp] smoke and condensation damage to routers

> It seems to me that most of the questions you are asking can only be resolved by empirical means, as most of the marginal effects you are describing beyond the immediately affected area are likely to be manifested on a microscopic level, or in some other province of the physical that affects the function of integrated circuits but is not readily discernible to the naked eye.
>
> There does not exist a feat, method, or technique of analytical, or "a priori" physics that can give you a reliable answer one way or another.
>
> From personal observation in similar situations, I would say that the ASA5580-40s are almost certainly just fine.
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599

From mack at exchange.alphared.com Wed Aug 20 22:24:32 2008
From: mack at exchange.alphared.com (mack)
Date: Wed, 20 Aug 2008 21:24:32 -0500
Subject: [c-nsp] smoke and condensation damage to routers
Message-ID: <6F2FFD7C10F788479E354B84294036C432B6D609@EXCH-MBX.exchange.alphared.local>

Having lived in south Louisiana and south east Texas, I am very familiar with condensation and high humidity. It is generally not harmful to solid state gear that is unpowered. Condensation is usually pure H2O which evaporates without residue. Water and electricity do not mix well. Long term exposure to moisture will cause corrosion which is of course bad. But short term exposure should be OK. I wouldn't recommend exposing equipment to condensation as standard practice though.

Smoke is another matter. Graphite is a moderately good conductor. Soot is made of carbon in the graphite polymorph (well, mostly). A thin layer on a switch can have catastrophic effects in a production environment. Even if it doesn't cause a short, it may cause stray capacitance which will result in flaky operation.

-------------------------------------
Message: 1
Date: Wed, 20 Aug 2008 16:44:39 -0700
From: Darrell Root
Subject: [c-nsp] smoke and condensation damage to routers
To: cisco-nsp at puck.nether.net
Cc: Darrell Root
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

We had a fire in a building where we stored a significant quantity of gear and are attempting to determine whether any of the gear in the vicinity can be trusted (and dealing with the insurance adjustor).

Stuff sprayed with water or in dense smoke (everything on the floor of the fire) is thrown out of course.

I've got some switches which were 1 floor downstairs from the fire. They were in moderate smoke. They are dry, although the building was very humid (3 inches of water on floor). Most of them smell smoky.

My worst judgement call is a pair of ASA5580-40's in the original packaging 1 floor down from the fire. They were inside a plastic bag inside a box on a pallet. The box is dry. Some condensation was noticed inside the plastic bag when it was opened up.

From my standpoint I don't want to trust any of this gear in production. Of course, the insurance adjustor sees gear that appears undamaged and is now completely dry.

Anyone have experience running gear that was subjected to smoke, and possibly some condensation? Did it result in abnormal outages in the future?

Darrell Root
ciscotraining at mac.com

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
From mtinka at globaltransit.net Wed Aug 20 22:52:31 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 21 Aug 2008 10:52:31 +0800
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.182922.74694833.sthaug@nethelp.no>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com> <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no>
Message-ID: <200808211052.35611.mtinka@globaltransit.net>

On Thursday 21 August 2008 00:29:22 sthaug at nethelp.no wrote:

> These are all good points, and makes me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link? I know we always do...

Same here. We always do for our WAN Ethernet links between core routers in different POPs, albeit on IS-IS.

Cheers,

Mark.

From oboehmer at cisco.com Thu Aug 21 01:40:07 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 21 Aug 2008 07:40:07 +0200
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654886@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654886@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E70BDF@xmb-ams-333.emea.cisco.com>

Andy Saykao <> wrote on Thursday, August 21, 2008 3:09 AM:

> [...]
> Since my manager has already decided to use a private IP range for the PE-CE link, we'll just have to take it case by case and hope we use an obscure private range that no one else is using *fingers crossed*. If we ever do encounter overlapping IPs and the customer can't change their IP addressing scheme, I guess we can always pull out another obscure private range to use.

I've seen someone using 198.18.0.0/15 as defined in RFC3330/RFC2544..

oli

From oboehmer at cisco.com Thu Aug 21 01:54:34 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 21 Aug 2008 07:54:34 +0200
Subject: [c-nsp] RSVP bandwidths > 10G
In-Reply-To: <20080820171349.GR4889@gerbil.cluepon.net>
References: <20080820143029.GN4889@gerbil.cluepon.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405E70A7A@xmb-ams-333.emea.cisco.com> <20080820171349.GR4889@gerbil.cluepon.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E70BE0@xmb-ams-333.emea.cisco.com>

Richard A Steenbergen wrote on Wednesday, August 20, 2008 7:14 PM:

> On Wed, Aug 20, 2008 at 04:46:53PM +0200, Oliver Boehmer (oboehmer) wrote:
>> Richard A Steenbergen <> wrote on Wednesday, August 20, 2008 4:30 PM:
>>
>>> 7600router(config-if)#ip rsvp bandwidth ?
>>> <1-10000000> Reservable Bandwidth (kbps)
>>>
>>> How is one supposed to configure RSVP bandwidths greater than 10Gbps, if say for example you're doing RSVP over a 8x10G port-channel. I see the same hard-coded limitation for RSVP bandwidth in all 7600 code, including current SRC.
>>
>> DDTS CSCsh56847 requests to bump up the limit. I guess for now you might be able to do "ip rsvp bandwidth" without an argument to have the router allocate 75% of the available BW dynamically. Haven't tried this on a 10GE channel though.
>
> Yeah the docs on the subject seem to indicate that it can sometimes work by using percent (well I assume they meant percent, they seem to have neglected the actual keyword, but I don't think they mean 100Kbps :P):
>
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_bundle_interface.html
>
> And if left to its own devices the port-channel interface DOES seem to find correct bandwidth values:
>
> Port-channel1 is up, line protocol is up (connected)
>   Hardware is EtherChannel, address is 001a.6c97.cab6 (bia 001a.6c97.cab6)
>   MTU 9216 bytes, BW 40000000 Kbit, DLY 10 usec,

right.

> However, it doesn't look like this handles layer 3 SVIs trunked over a port-channel switchport, which happens to be my configuration. The SVIs always come up with a bandwidth of 10Gbps, no matter what interfaces they are trunked to:
>
> Vlan60 is up, line protocol is up
>   Hardware is EtherSVI, address is 0018.741f.85c0 (bia 0018.741f.85c0)
>   MTU 9170 bytes, BW 1000000 Kbit, DLY 10 usec,

I guess this is expected with SVIs, they don't follow the physical link bandwidth (which could be a challenge if you have more than one port associated with it). If you need to trunk multiple p2p vlans across the channel, I'd rather use routed subinterfaces which do inherit the proper bandwidth.

>> TE over a channel is a challenge anyway as RSVP doesn't take the actual load-sharing into account.. I.e. RSVP might allow two 8G reservations which end up being hashed over the same physical port, resulting in packet loss..
>
> Wouldn't this be a function of the port-channel hash algorithm, not RSVP? Why would RSVP know or care about the individual L2 channel members, other than maybe not having a configured flow size bigger than the individual member capacity? I suppose you'd have a tough time achieving a good balance if you can only hash on the mpls label and not the payload when doing your hash calculation, but that's another story...

Right. My point is possibly a theoretical one: If you only run MPLS-TE over non-bundled links (i.e. all your traffic uses tunnels) and use adequate BW reservation, everything will be "fine", CSPF/RSVP will find the right path for your traffic and you won't oversubscribe the links (on the above assumption). On a channel, RSVP might grant a reservation which can't be met based on the hashing within the forwarding plane.

> FWIW this is exactly how we do multi-10G parallel links on Juniper today, and it signals 80G RSVP across a single L3 interface on a 8x10G LACP bundle then looks inside the labels for l3/l4 payload when doing hash calculation damn near perfectly. :)

right, and it would also work on a Cisco, however if you end up sending a "huge" (i.e. >10G) IPSEC/L2TP/whatever tunnel across this link, the forwarding will hash this to a single physical port and you see drops. This also happens without RSVP/MPLS-TE, however with MPLS-TE folks have the expectation of "I asked for this BW, I got this BW, and I want to use it" ;-)

As I said: a rather theoretical case, but one which needs to be kept in mind..

oli

From lists at memetic.org Thu Aug 21 04:25:56 2008
From: lists at memetic.org (Adam Armstrong)
Date: Thu, 21 Aug 2008 09:25:56 +0100
Subject: [c-nsp] Cheap STM-1 router
In-Reply-To: <6bb5f5b10808201619t633cbbf7n3ee712316a38bdd2@mail.gmail.com>
References: <6bb5f5b10808201619t633cbbf7n3ee712316a38bdd2@mail.gmail.com>
Message-ID: <48AD2694.2030807@memetic.org>

What about 7200s? They're a bit big, but you can pick them up relatively inexpensively these days (NPE300/225 should do you).

If you want something smaller, I'd almost always go for a 7301 over a 38xx.

adam.

> Hi.
>
> I'm trying to convince a friend not to use SDH-to-Ethernet mux and instead go for a router-based solution, but I've only found ATM network modules to go with 3xxx series routers.
> > What would the cheapest(new, used, refurbished, all of above) Cisco > gear that could: > 1) On the remote sites, have STM-1 SDH connection; no sub-channeling, > just a single IP interface with all the STM-1 capacity. > 2) On the central site, have STM-16 SDH connection; some channeling is > required, so each remote STM-1 is a sub-interface. > > > Tks, > Rubens > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sdavid at ecritel.net Thu Aug 21 04:27:47 2008 From: sdavid at ecritel.net (=?iso-8859-1?Q?DAVID_S=E9bastien?=) Date: Thu, 21 Aug 2008 10:27:47 +0200 Subject: [c-nsp] ACE module c6500 & Cacti Message-ID: Hi, I wish I can oversee quite my waiters(servers) behind my cards(maps) ACE, I do not find a template under Cacti and when I wish to create a template I do not arrive to find via snmp some information about rserver & serverfarm. Any help is welcome. Best regards. S?bastien DAVID Ecritel, Service R?seaux, www.ecritel.net Groupe Euro Asian Equities, www.euroasianequities.com site de Clichy: 7/9, rue Petit 92582 Clichy Cedex T?l: +33 1 73025084 - Fax: +33 1 47560448 This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. ECRITEL and its subsidiaries will not therefore be liable for the message if modified. --------------------------------------------- Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. 
Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, ECRITEL et ses filiales declinent toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. From iam at st-andrews.ac.uk Thu Aug 21 04:11:48 2008 From: iam at st-andrews.ac.uk (Ian McDonald) Date: Thu, 21 Aug 2008 09:11:48 +0100 Subject: [c-nsp] smoke and condensation damage to routers In-Reply-To: References: Message-ID: <48AD2344.1030108@st-andrews.ac.uk> > > My worst judgement call is a pair of ASA5580-40's in the original > packaging 1 floor down from the > fire. They were inside a plastic bag inside a box on a pallet. The box > is dry. > Some condensation was noticed inside the plastic bag when it was opened up. > > From my standpoint I don't want to trust any of this gear in > production. Of course, the insurance > adjustor sees gear that appears undamaged and is now completely dry. > > Anyone have experience running gear that was subjected to smoke, and > possibly some > condensation? Did it result in abnormal outages in the future? > > Darrell Root > ciscotraining at mac.com > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > Darrell, We recently had a flood in a comms room, and our loss-adjuster stated that even if we were to dry the equipment out, it might have been subjected to conditions outside the manufacturers guidelines (though we had no way of knowing). 
His position was that if there were to be a fire, or accident (electric shock or the like) caused by the equipment in the future, the insurance company would be potentially legally responsible. His only way to establish if the equipment was now safe for reuse would be to have the manufacturer re-test, and re-certify the equipment as safe (thus moving the burden back to the manufacturer). His position on re-testing was that it was likely to be more hassle, and more expensive than simply writing the kit off (particularly with our edu discount). Hence the equipment in the room was written off, and replaced, even though it was only a few months old. I'd ask the loss adjuster to produce you paperwork certifying it as undamaged and safe for use, signed by a director of his company, if they refuse to see sense. Even they ought to be able to see the legal implications of one catching fire or electrocuting an engineer in a month's time, especially in today's litigious world. -- ian From p.mayers at imperial.ac.uk Thu Aug 21 04:45:26 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 21 Aug 2008 09:45:26 +0100 Subject: [c-nsp] multicast NOT in HW on 7600 In-Reply-To: References: Message-ID: <20080821084526.GB27802@wildfire.net.ic.ac.uk> On Wed, Aug 20, 2008 at 09:04:27PM +0300, Liviu Pislaru wrote: >hi > >i have a multicast problem in the following topology; > >TOPOLOGY: >Msource -> R1(SVI 10) ---trunk--- (SVI 10) R2 ---routed--- R3 ......Rn ... >Receiver > >- R1(7613), R2(7609), R(7613) / IOS SRA3 / WS-SUP720-3BXL >- 10G link between them in WS-X6704-10GE linecards with DFC >- trunk between R1 and R2, link routed between R2 and R3 >- SVI 10 has "ip pim sparse-mode" and "mpls ip" so R1 is PE router and R2,R3 >...Rn are P routers. 
>- routed links between P routers have "ip pim sparse-mode" and "mpls ip"
>- Msource (multicast source) interface from R1(routed) is configured in vrf
>XXX
>- BGP address-family ipv4 mdt configured on R1 (and all other PE)
>
>PROBLEM:
>all multicast traffic goes to RP on R2 (is software processed), CPU load
>increase, etc ...

Something is configured wrong somewhere. Can you supply the output of:

sh run | inc ^ip (pim|multi)
sh run int Vlan10
sh ip pim int
sh ip pim nei
sh ip rpf SOURCEIP

...on both R1 and R2?

It sounds to me as if R2 isn't correctly configured as an RP, or isn't able to send the PIM joins which would push things down into hardware - the initial packets to the RP are always in software, so that's normal, but it's not normal for the traffic to be continually CPU-punted.

From p.mayers at imperial.ac.uk Thu Aug 21 04:48:01 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 21 Aug 2008 09:48:01 +0100
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820.182922.74694833.sthaug@nethelp.no>
References: <653784.11263.qm@web56715.mail.re3.yahoo.com> <1219244447.7374.3.camel@abehat> <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no>
Message-ID: <20080821084801.GC27802@wildfire.net.ic.ac.uk>

On Wed, Aug 20, 2008 at 06:29:22PM +0200, sthaug at nethelp.no wrote:
>> Just to add, just in case it isn't obvious from Peter's comments, that
>> the neighbor establishment can also be quicker since DR election does
>> not occur. The wait timer, which is normally 40 seconds, does not need
>> to be used.
>
>These are all good points, and makes me wonder - if it's *known* that an
>Ethernet link will be used as a point to point link between two routers,
>why doesn't everybody configure it explicitly as a point to point link?
>I know we always do...

We do likewise. I was under the impression it was pretty common.
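As an added example of how the practice Steinar and Phil describe above can be checked rather than remembered (this is not code from the thread or from Cisco), the script below parses a constructed IOS-style running-config and lists every Ethernet interface on a /30 or /31 link that runs OSPF but has been left at the default broadcast network type, i.e. one that will still do DR/BDR election and sit through the wait timer. It assumes OSPF is enabled per interface with "ip ospf <pid> area <area>"; the interface names, descriptions and addresses are hypothetical.

```python
"""Audit an IOS-style running-config for Ethernet links that run OSPF with the
default broadcast network type (and hence DR/BDR election and the wait timer).

Added example; not code from the mailing-list thread or from Cisco. The config
is constructed and every interface name and address in it is hypothetical.
OSPF is assumed to be enabled per interface with "ip ospf <pid> area <area>".
"""
import re
from ipaddress import ip_interface

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description core link to rtr-b (constructed)
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description core link to rtr-c (constructed)
 ip address 10.0.0.5 255.255.255.252
 ip ospf 1 area 0
!
interface TenGigabitEthernet1/1
 description core link to rtr-d (constructed)
 ip address 10.0.0.8 255.255.255.254
 ip ospf 1 area 0
!
interface GigabitEthernet0/2
 description server LAN (constructed)
 ip address 192.0.2.1 255.255.255.0
 ip ospf 1 area 0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip ospf 1 area 0
!
"""

ETHERNET_RE = re.compile(r"^(?:\w*Ethernet|Port-channel)\d", re.IGNORECASE)
OSPF_AREA_RE = re.compile(r"^ip ospf \d+ area \S+$")
P2P_LINK_PREFIXES = (30, 31)


def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its list of indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a top-level command closes the stanza
    return stanzas


def prefix_length(lines):
    """Prefix length of the interface's primary IPv4 address, or None."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ip", "address"]:
            return ip_interface(f"{parts[2]}/{parts[3]}").network.prefixlen
    return None


def audit_ospf_p2p(config):
    """Ethernet interfaces on a /30 or /31 that run OSPF but are not set to
    point-to-point, in config order."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not ETHERNET_RE.match(name):
            continue
        if not any(OSPF_AREA_RE.match(line) for line in lines):
            continue
        if prefix_length(lines) not in P2P_LINK_PREFIXES:
            continue
        if "ip ospf network point-to-point" not in lines:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in audit_ospf_p2p(SAMPLE_CONFIG):
        print(f"{name}: OSPF on a point-to-point link without "
              f"'ip ospf network point-to-point'")
```

Run against the constructed config it reports GigabitEthernet0/1 and TenGigabitEthernet1/1; the /24 server LAN keeps its broadcast type and the loopback is ignored. Feed it the output of "show running-config" saved by RANCID or similar to apply the same check across a fleet.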
From paul.cosgrove at heanet.ie Thu Aug 21 04:51:49 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Thu, 21 Aug 2008 09:51:49 +0100
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080820202259.GF3810@rtp-cse-489.cisco.com>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com> <48AC6585.9070701@heanet.ie> <20080820202259.GF3810@rtp-cse-489.cisco.com>
Message-ID: <48AD2CA5.8010202@heanet.ie>

I mistakenly thought you had replied to the previous message I received in that thread, which was about the RFC which covers multiple link state protocols.

Can you explain what command you are advising us not to use? Does it still exist? Is it a command which is protocol generic, or are you talking about "ip ospf network"?

Paul.

Rodney Dunn wrote:
> Not sure. I didn't write it. ;)
>
> From a quick glance it seems to imply that type of behavior but
> I'm not aware it was ever really done.
>
> On Wed, Aug 20, 2008 at 07:42:13PM +0100, Paul Cosgrove wrote:
>> I'm not sure I understand you there. Do you mean that the intention
>> behind the draft RFC was for some form of point-to-point configuration
>> command on the interface, which would apply to all link state routing
>> protocols?
>>
>> Paul.
>>
>> Rodney Dunn wrote:
>>> There was a point to point configuration on the link itself and it
>>> caused a bunch of platform forwarding problems once.
>>>
>>> I wouldn't use that one.
>>>
>>> Note I'm not talking about the OSPF point to point control plane
>>> configuration.
>>>
>>> Rodney
>>>
>>> On Wed, Aug 20, 2008 at 07:43:51PM +0200, sthaug at nethelp.no wrote:
>>>>>> These are all good points, and makes me wonder - if it's *known* that an
>>>>>> Ethernet link will be used as a point to point link between two routers,
>>>>>> why doesn't everybody configure it explicitly as a point to point link?
>>>>>> I know we always do...
>>>>> The benefit/cost ratio is low. You aren't saving much by eliminating DR/BDR
>>>>> election, and it's just one more unnecessary tweak to keep track of. IMHO.
>>>> Funny, we look at it exactly the opposite way. We're a service provider,
>>>> and a large majority of the Ethernet links where we run an IGP are point
>>>> to point links. So we have the point to point configuration as part of
>>>> our standard config template, nothing extra to keep track of.
>>>>
>>>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>> --
>> HEAnet Limited
>> Ireland's Education & Research Network
>> 5 George's Dock, IFSC, Dublin 1, Ireland
>> Tel: +353.1.6609040
>> Web: http://www.heanet.ie
>> Company registered in Ireland: 275301
>>
>> Please consider the environment before printing this e-mail.
>

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From liviu.pislaru at gmail.com Thu Aug 21 05:42:09 2008
From: liviu.pislaru at gmail.com (Liviu Pislaru)
Date: Thu, 21 Aug 2008 12:42:09 +0300
Subject: [c-nsp] multicast NOT in HW on 7600
In-Reply-To: <20080821084526.GB27802@wildfire.net.ic.ac.uk>
References: <20080821084526.GB27802@wildfire.net.ic.ac.uk>
Message-ID: <1219311729.6349.40.camel@moby>

hi Phil,

because R2 is not part of the NEW TOPOLOGY, R1 and R2 are not PIM neighbors anymore.

[...]
R1#sh run | inc ^ip (pim|multi)
ip multicast-routing
ip multicast-routing vrf XXX
ip pim ssm range multicast-mdt

R1#sh run int Vlan10
interface Vlan10
 description XXX
 mtu 9216
 ip address XXX
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1524
 ip pim sparse-mode
 load-interval 30
 mpls mtu 1542
 mpls ip
end

------------

R2#sh run | inc ^ip (pim|multi)
ip multicast-routing
ip pim ssm range multicast-mdt

R2#sh run int Vlan10
interface Vlan10
 description XXX
 mtu 9216
 ip address XXX
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1524
 ip pim sparse-mode
 load-interval 30
 mpls mtu 1542
 mpls ip
end

[...]

i issue the command "mls ip multicast" AGAIN on R2 and it looks like this solved my problem.

BEFORE
-------------------------------------------------
R2#sh mls ip multicast summary
0 MMLS entries using 0 bytes of memory
Number of partial hardware-switched flows: 0
Number of complete hardware-switched flows: 0
Directly connected subnet entry install is enabled
Current mode of replication is Egress
Auto-detection of replication mode is enabled
Consistency checker is enabled
Bidir gm-scan-interval: 10

R2#sh mls ip multicast statistics
MLS Multicast configuration and state:
Counters last cleared Never
Router Mac 001b.0de6.7b80
MLS multicast operating state IDLE
Layer 3 Switching H/W Version PFC III+
Maximum number of allowed outstanding message 20
Maximum size reached from feQ 0
Maximum size reached from screq 2
Feature Notification sent (simple/rtr-mac) 0/0
Feature Notification Ack received 0
Unsolicited Feature Notification received 0
MSM sent/Received 0/0
Delete notifications received 0
sgc oif delete notifications received 0
Flow Statistics messages received 0
Restart Notification messages received 0
Cleanup Send/Resp-rx seq number 0/0

AFTER:
-----------------------------------------------
R2#sh mls ip multicast summary
0 MMLS entries using 0 bytes of memory
Number of partial hardware-switched flows: 0
Number of complete hardware-switched flows: 0
Directly connected subnet entry install is enabled
Hardware shortcuts for mvpn mroutes supported
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Current mode of replication is Egress
Auto-detection of replication mode is enabled
Consistency checker is enabled
Bidir gm-scan-interval: 10

R2#sh mls ip multicast statistics
MLS Multicast configuration and state:
Counters last cleared Never
Router Mac 001b.0de6.7b80
MLS multicast operating state ACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SCB RetryQ size 1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Layer 3 Switching H/W Version PFC III
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Maximum number of allowed outstanding message 20
Maximum size reached from feQ 0
Maximum size reached from screq 2
Feature Notification sent (simple/rtr-mac) 1/2
Feature Notification Ack received 3
Unsolicited Feature Notification received 0
MSM sent/Received 0/0
Delete notifications received 0
sgc oif delete notifications received 0
Flow Statistics messages received 0
Restart Notification messages received 0
Cleanup Send/Resp-rx seq number 0/0

couple of years ago, because of the number of mac-addresses or unicast routes (depends on SDM profile), at a certain moment, 3750-ME did all the routing in software (CEF disable) and "ip cef distributed" reactivated CEF and hardware routing. looks the same to me on 7600 with multicast but in this case i don't know what the trigger is. i'll keep digging.

--
liviu.

On Thu, 2008-08-21 at 09:45 +0100, Phil Mayers wrote:
> Something is configured wrong somewhere. Can you supply the output of:
>
> sh run | inc ^ip (pim|multi)
> sh run int Vlan10
> sh ip pim int
> sh ip pim nei
> sh ip rpf SOURCEIP
>
> ...on both R1 and R2?
>
> It sounds to me as if R2 isn't correctly configured as an RP, or isn't
> able to send the PIM joins which would push things down into hardware -
> the initial packets to the RP are always in software, so that's normal,
> but it's not normal for the traffic to be continually CPU-punted.
>

From jp at softnet.si Thu Aug 21 06:49:57 2008
From: jp at softnet.si (Primoz Jeroncic)
Date: Thu, 21 Aug 2008 12:49:57 +0200 (CEST)
Subject: [c-nsp] some weird routing problems after GSR upgrade
Message-ID:

Hi

After upgrade of one of our c12008 from GRP-B to PRP-1, and with this required IOS upgrade (from service provider 12.0.30.S5 to 12.0.33.S1) I'm starting to get some really weird issues with routing.

At the moment my network topology looks like this:

Upstream-1 -- GSR-1 -- GSR-2 -- GSR-3 -- c7401 -- c7206 -- backup upstream

Now the explanation. Route engine line card and IOS were upgraded on GSR-1. One prefix is originated and advertised in BGP from GSR-2. Second prefix is originated and advertised from c7206. In case it matters, MPLS is enabled from GSR-1 to c7401. C7206 is not in the MPLS enabled network. Both prefixes are announced through the same AS, and if everything is fine, they both go out through GSR-1 and Upstream-1.

And now my problem. Config is the same as it was before. Before, everything was working fine, and when the link between c7401 and c7206 went down, the prefix originated on c7206 went out through the backup upstream and came into my network (to GSR-2) through upstream-1 and GSR-1. After the upgrade, things don't work like this anymore. Until I clear the route for the prefix originated on c7206 on GSR-1 (clear ip route x.x.x.0), traffic goes from GSR-2 to GSR-3, then to c7401, then back to GSR-3 and GSR-2, and then another loop. After the link goes down, there are no routes for this prefix in GSR-3 and c7401, so traffic should go over the default route. There is a route for this prefix on GSR-2, but it's pointing to GSR-1, and on GSR-1 there's a route for this prefix through Upstream-1.
So based on routing tables everything looks fine. But traffic still bounces as described above.

I know the easiest solution would be to downgrade GSR-1 to the previous IOS which was working. But with the older IOS, one of the Gigabitethernet linecards in GSR-1 was crashing constantly every 15 to 20mins. Considering there are about 200 BGP peerings on that GE, you can imagine that peerings were down pretty much all the time :) With 12.0.33.S1, these crashes are history, but this routing problem is something I didn't have before.

If anyone has problems like this, or if anyone has any idea how to solve this, please let me know. I would be extremely grateful for any hint on this.

Thanks in advance, and if I wasn't clear enough, please drop me a note, and I will try to explain again.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.          tel: +386 1 562 31 40 |
Borovec 2               fax: +386 1 562 18 55 |  1 + 1 = 3
1236 Trzin              primoz(at)softnet.si  |  for larger values of 1
Slovenija               http://flea.softnet.si/
-------------------------------------------------------------------

From sam_mailinglists at spacething.org Thu Aug 21 07:14:50 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Thu, 21 Aug 2008 12:14:50 +0100
Subject: [c-nsp] Graphing service response times on Cisco Content Engine
Message-ID: <48AD4E2A.1000703@spacething.org>

Hi,

I've been trying to graph some MIB values from a Cisco Content Engine (CISCO-CONTENT-ENGINE-MIB). All of the OIDs work fine except the ones below. They all return values, but they are static and unchanging. Has anyone else tried this with success? I'm assuming this is a counter bug, but perhaps there's some additional config that's needed to turn these statistics on?

cceHttpPerfServiceTime - 1.3.6.1.4.1.9.9.178.1.1.2.4
Average duration of each connection serviced by the HTTP proxy.
cceHttpPerfHitServiceTime - 1.3.6.1.4.1.9.9.178.1.1.2.5
Average duration required for the HTTP proxy to send a hit response. A hit response is a response for which the object can be serviced from the populated cache of the HTTP proxy.

cceHttpPerfMissServiceTime - 1.3.6.1.4.1.9.9.178.1.1.2.6
Average duration required for the HTTP proxy to send a miss response. A miss response is a response for which the object cannot be serviced from the populated cache of the HTTP proxy.

cceHttpPerfObjectSize - 1.3.6.1.4.1.9.9.178.1.1.2.7
Average size of the object served from the HTTP proxy.

This is on:

Application and Content Networking System Software
Hardware Version: ce565-5.4.5.7
Application and Content Networking System Software
Software Release 5.4.5 (build b7 Mar 26 2007)

Thanks,

Sam

From jml at packetpimp.org Thu Aug 21 08:14:03 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 21 Aug 2008 08:14:03 -0400
Subject: [c-nsp] smoke and condensation damage to routers
In-Reply-To:
References:
Message-ID: <48AD5C0B.2030906@packetpimp.org>

If you can believe this. ;)

Hurricane Wilma took the roof off our corp hq a couple years back, water ran down between floors, through conduits, etc and got more or less everywhere. We had a 6500 in a wiring closet that got dumped full of water. Believe it or not that switch has been running in the same closet ever since, same cards and parts. It had dried out for several months and was powered off when it got wet so there were no shorts. It still amazes me, but it still works just fine. Crazy. We had some servers that had the same thing happen to them.

Darrell Root wrote:
>
> We had a fire in a building where we stored a significant quantity of
> gear and are attempting to
> determine whether any of the gear in the vicinity can be trusted (and
> dealing with the insurance
> adjustor).
>
> Stuff sprayed with water or in dense smoke (everything on the floor of
> the fire) is thrown out of course.
>
> I've got some switches which were 1 floor downstairs from the fire.
> They were in moderate smoke.
> They are dry, although the building was very humid (3 inches of water on
> floor). Most of them smell
> smoky.
>
> My worst judgement call is a pair of ASA5580-40's in the original
> packaging 1 floor down from the
> fire. They were inside a plastic bag inside a box on a pallet. The box
> is dry.
> Some condensation was noticed inside the plastic bag when it was opened up.
>
> From my standpoint I don't want to trust any of this gear in
> production. Of course, the insurance
> adjustor sees gear that appears undamaged and is now completely dry.
>
> Anyone have experience running gear that was subjected to smoke, and
> possibly some
> condensation? Did it result in abnormal outages in the future?
>
> Darrell Root
> ciscotraining at mac.com
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Thu Aug 21 09:36:12 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 21 Aug 2008 09:36:12 -0400
Subject: [c-nsp] 7206 12.2(18) Maximum # of MLPPP T1s on PA-MC-T3
In-Reply-To:
References: <48AC9FEA.5080607@yahoo.com>
Message-ID: <20080821133612.GE11562@rtp-cse-489.cisco.com>

It will take it but the reordering overhead will be huge with that many members.

On Wed, Aug 20, 2008 at 04:49:53PM -0700, Brandon Price wrote:
> Just for the heck of it I Bundled all 28 once in a lab with a NPE400 on
> one end and a NPE300 on the other..
>
> I was able to pull about 40mbps or so across the link.. if memory serves
> me correct the cpus spiked pretty high.. above 90% I think... I didn't
> do a whole lot of testing but it definitely took all 28 members...
>
>
> Brandon
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Lacey
> Sent: Wednesday, August 20, 2008 3:51 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7206 12.2(18) Maximum # of MLPPP T1s on PA-MC-T3
>
> Hi all,
>
> cisco 7206VXR (NPE300) processor (revision B) with 229376K/65536K bytes
> of memory.
> R7000 CPU at 262Mhz, Implementation 39, Rev 1.0, 256KB L2 Cache
> 6 slot VXR midplane, Version 2.0
>
> I found that the PA-MC-T3 card will handle 12 T1 links in one MLPPP
> group and still use HW.
> After 12, the 7206 will go into SW mode for the MLPPP bundle.
>
> How many T1s can I use, albeit in SW mode, can I bundle together?
>
> I know I can bundle across PA-MC-T3, again in SW mode, but how many
> total T1s can I bundle across two PA-MC-T3 cards?
>
> How about where I will run into performance issues?
>
> Thanks in advance!
> Dan
>
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lowen at pari.edu Thu Aug 21 10:10:47 2008
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 21 Aug 2008 10:10:47 -0400
Subject: [c-nsp] Cheap STM-1 router
In-Reply-To: <6bb5f5b10808201619t633cbbf7n3ee712316a38bdd2@mail.gmail.com>
References: <6bb5f5b10808201619t633cbbf7n3ee712316a38bdd2@mail.gmail.com>
Message-ID: <200808211010.48388.lowen@pari.edu>

On Wednesday 20 August 2008 19:19:40 Rubens Kuhl Jr. wrote:
> What would the cheapest(new, used, refurbished, all of above) Cisco
> gear that could:
> 1) On the remote sites, have STM-1 SDH connection; no sub-channeling,
> just a single IP interface with all the STM-1 capacity.

7200, 7500, 7400, or anything else that will take a 12.0S, 12.2S, or 12.4 IOS and a PA-POS-OC3SMx (where x is L or I depending upon optics reach). If the service provider requires APS protection on those circuits you need two of them. I have a pair of 7401ASR's with two PA-POS-OC3SMI's doing APS, and that's a quite interesting thing. If you think you need more ports than 7401 provides (two GigE/FastE combo ports) then 7200 is a good choice; if you really want bargain basement prices get somebody's castoff 7505 or 7507.

> 2) On the central site, have STM-16 SDH connection; some channeling is
> required, so each remote STM-1 is a sub-interface.

Older 12000 running 12.0S and a channelized OC48 linecard. The OC48 channelized cards should work with any of the fabrics available for 12000, and might even work in 12008 or 12012 with a full fabric. 12012's are available cheap on eBay, but you might get a good ROI for something that requires less power and rackspace by spending more up front for a low-end 7600 or even 1000, and the 7600 and 10000 will give you more edge features than 12000. Not having set up the channelized OCx stuff, I'm not sure which software features you would need, sorry. APS would still require two chassis; there is a single router APS option, but only with specific linecards and specific chassis.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From elmi at 4ever.de Thu Aug 21 10:34:16 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 21 Aug 2008 16:34:16 +0200
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
Message-ID: <20080821143415.GT12234@ronin.4ever.de>

Hi knowledgeable folks,

I have a somewhat weird issue with an admittedly slightly aged IOS on a 7301: That router is leaking Ethernet frames from one L3 interface to another.

I have been alerted by the folks at the exchange (who monitor very closely, thanks). Since they haven't turned my port off yet, leaking should be minimal.

The box is a 7301 with PA-2FE-TX (f1/0 connected to the exchange), running IOS 12.3(14)T7.

Inside - towards some servers - is a L3 portchannel (via a WS-3750):

interface Port-channel1
 description PO to sw (via g0/0 and g0/1)
 ip address xxx.xxx.xxx.1 255.255.255.0
 ip access-group MGT-no in
 ip access-group acl-SERVICE-out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache same-interface
 ip route-cache flow
 load-interval 30
 duplex full
 hold-queue 150 in
end

Outside is a layer 3 port to the exchange fabric:

interface FastEthernet1/0
 description exchange port
 ip address xxx.xxx.xxx.xxx 255.255.254.0
 ip access-group FILTER_IN-FastEthernet1-0-in-3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting mac-address input
 ip accounting mac-address output
 ip accounting access-violations
 load-interval 30
 duplex full
 speed 100
 ipv6 address xx:xx:xx:xx:xx:xx:xx:xx/64
 ipv6 nd suppress-ra
 no ipv6 mld router
 no keepalive
 no cdp enable
end

Captured frames show that Ethernet frames with source MACs of the server NICs make it to the exchange fabric somehow.

My questions:

- is this some kind of misconfiguration on my part?
- if not: does anyone know of / remember such a bug?
- how could I find info, probably on cisco.com?

I'm at a loss here. Blindly upgrading to T14 or whatever might or might not kill the bug. I'd like to reboot as rarely as possible...

Thanks for any help, hints or insight.

Elmar.
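The check the exchange operators evidently ran on Elmar's port, written out as an added example (not code from the post or from Cisco): a frame that a router forwards out of a routed interface must carry that interface's own MAC as its source; if the source MAC belongs to a station on the far side, the L2 header was never rewritten and the port is leaking. The script parses raw Ethernet II headers from a constructed capture of frames leaving the exchange-facing port and sorts them into routed frames, frames still addressed to the inside port-channel (which look like bridging) and frames with a foreign source MAC. The router's two interface MACs, the peer MAC and the server MAC are all assumed values.

```python
"""Flag frames seen leaving a routed (L3) port whose source MAC is not the
router's own, the symptom described on the 7301's exchange port above.

Added example to illustrate the check; not code from the thread or from Cisco.
The MAC addresses and the capture are constructed. The exchange-facing port's
and the inside Port-channel's MACs are assumed known from "show interfaces".
"""
import struct

OUTSIDE_MAC = "00:1b:2c:3d:4e:50"   # assumed: router's exchange-facing port
INSIDE_MAC = "00:1b:2c:3d:4e:51"    # assumed: router's inside Port-channel1
PEER_MAC = "00:aa:bb:cc:dd:01"      # constructed: a next hop on the exchange fabric
SERVER_MAC = "00:50:56:00:00:42"    # constructed: a server NIC behind the router


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Assemble a minimal Ethernet II frame (constructed test data only)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame):
    """Return (dst, src, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype


def classify_egress(frame, outside_mac=OUTSIDE_MAC, inside_mac=INSIDE_MAC):
    """Verdict for one frame the router sent out of its routed exchange port.

    A routed frame carries the egress interface's MAC as source. Anything else
    means the L2 header was not rewritten: if the frame is still addressed to
    the inside interface it looks like bridging, otherwise another station's
    MAC is leaking through the router.
    """
    dst, src, _ = parse_ethernet(frame)
    if src == outside_mac:
        return "ok"
    if dst == inside_mac:
        return "unrewritten"
    return "foreign-source"


def audit_capture(frames, outside_mac=OUTSIDE_MAC, inside_mac=INSIDE_MAC):
    """Return (index, src, dst, verdict) for every frame that is not 'ok'."""
    findings = []
    for index, frame in enumerate(frames):
        verdict = classify_egress(frame, outside_mac, inside_mac)
        if verdict != "ok":
            dst, src, _ = parse_ethernet(frame)
            findings.append((index, src, dst, verdict))
    return findings


# Constructed capture: frames as received by the exchange switchport from the
# router, i.e. only the router's egress direction.
SAMPLE_CAPTURE = [
    build_frame(PEER_MAC, OUTSIDE_MAC),    # 0: normally routed packet
    build_frame(INSIDE_MAC, SERVER_MAC),   # 1: server frame still addressed to Port-channel1
    build_frame(PEER_MAC, SERVER_MAC),     # 2: server MAC leaked as source
    build_frame(PEER_MAC, OUTSIDE_MAC),    # 3: normally routed packet
]

if __name__ == "__main__":
    for index, src, dst, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"frame {index}: src {src} dst {dst} -> {verdict}")
```

The capture must be taken in the router's egress direction only (a SPAN of the exchange port's receive side, or "tcpdump -i <port> ether src not <peer>" on a monitoring host); frames arriving from the fabric legitimately carry the peer's MAC as source and would otherwise be flagged. The same split between "unrewritten" and "foreign-source" is what Rodney asks about in his reply: whether the destination MAC was rewritten to the exchange next hop or is still the Port-channel's.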
From rodunn at cisco.com Thu Aug 21 11:13:13 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 21 Aug 2008 11:13:13 -0400
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
In-Reply-To: <20080821143415.GT12234@ronin.4ever.de>
References: <20080821143415.GT12234@ronin.4ever.de>
Message-ID: <20080821151313.GG12557@rtp-cse-489.cisco.com>

I saw something like this once on a GSR linecard where we didn't rewrite the mac header correctly. I've never seen it on a 72xx but I could have missed it.

Do they have the full frame so you can see if the dmac has been rewritten in the frame to point to the L3 next hop of the exchange point?

Or does the frame have the srcmac of the server and the dmac of the Portchannel1 interface in it?

Rodney

On Thu, Aug 21, 2008 at 04:34:16PM +0200, Elmar K. Bins wrote:
> Hi knowledgeable folks,
>
> I have a somewhat weird issue with an admittedly slightly aged IOS
> on a 7301: That router is leaking Ethernet frames from one L3 interface
> to another.
>
> I have been alerted by the folks at the exchange (who monitor very
> closely, thanks). Since they haven't turned my port off yet,
> leaking should be minimal.
>
> The box is a 7301 with PA-2FE-TX (f1/0 connected to the exchange),
> running IOS 12.3(14)T7.
>
> Inside - towards some servers - is a L3 portchannel
> (via a WS-3750):
>
> interface Port-channel1
>  description PO to sw (via g0/0 and g0/1)
>  ip address xxx.xxx.xxx.1 255.255.255.0
>  ip access-group MGT-no in
>  ip access-group acl-SERVICE-out out
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip route-cache same-interface
>  ip route-cache flow
>  load-interval 30
>  duplex full
>  hold-queue 150 in
> end
>
>
> Outside is a layer 3 port to the exchange fabric:
>
> interface FastEthernet1/0
>  description exchange port
>  ip address xxx.xxx.xxx.xxx 255.255.254.0
>  ip access-group FILTER_IN-FastEthernet1-0-in-3 in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting mac-address input
>  ip accounting mac-address output
>  ip accounting access-violations
>  load-interval 30
>  duplex full
>  speed 100
>  ipv6 address xx:xx:xx:xx:xx:xx:xx:xx/64
>  ipv6 nd suppress-ra
>  no ipv6 mld router
>  no keepalive
>  no cdp enable
> end
>
>
> Captured frames show that Ethernet frames with source MACs
> of the server NICs make it to the exchange fabric somehow.
>
> My questions:
>
> - is this some kind of misconfiguration on my part?
> - if not: does anyone know of / remember such a bug?
> - how could I find info, probably on cisco.com?
>
> I'm at a loss here. Blindly upgrading to T14 or whatever
> might or might not kill the bug. I'd like to reboot as
> rarely as possible...
>
> Thanks for any help, hints or insight.
>
> Elmar.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From streiner at cluebyfour.org Thu Aug 21 11:49:00 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 21 Aug 2008 11:49:00 -0400 (EDT)
Subject: [c-nsp] smoke and condensation damage to routers
In-Reply-To:
References:
Message-ID:

On Wed, 20 Aug 2008, Darrell Root wrote:

> My worst judgement call is a pair of ASA5580-40's in the original packaging 1
> floor down from the
> fire. They were inside a plastic bag inside a box on a pallet. The box is
> dry.
> Some condensation was noticed inside the plastic bag when it was opened up.

Time to read over the fine print of your SmartNet agreement for "act of God" type provisions and limitations. If you can get RMA replacements from SmartNet, that might be the route to go.

As far as the insurance adjuster goes, I would take the position that even if you have a replacement/support agreement with the vendor (i.e. SmartNet), that might not cover smoke/water damage, meaning that there is potential that the vendor will not replace the gear.

I've had gear that sustained water damage while in service. We took one of the switches, dried it out, tried it in the lab, and it fired up, but I would never put that switch back in production because it could easily fail prematurely. My main concerns would be deposits left on the guts of the gear after the water dried. That can cause corrosion, especially when heat and electric current are involved, and it can also interfere with airflow / heat dissipation, even if you replace the power supply/supplies and any fan modules, etc...

jms

From Gregori.Parker at theplatform.com Thu Aug 21 13:29:00 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Thu, 21 Aug 2008 10:29:00 -0700
Subject: [c-nsp] best fault management solutions?
Message-ID: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>

I've had it with Ciscoworks. I'm not new to getting LMS working properly, I'm just tired of lowering my expectations.
Device discovery is hit and miss, new versions seem progressively worse, and the whole product is about as ergonomic as a pile of broken glass. I've stripped it down to just common services and DFM, but there just isn't enough value there relative to resources.

So, I'm looking for DFM-like replacement recommendations - I currently have configuration and performance management covered by rancid, cacti, syslog-ng and a few other open source tools; and I have netflow taken care of - I'm just having trouble finding a good solution for device fault management (i.e. temp, fan, interface errors, queues, broadcast rate, bgp neighbor state changes, etc) for a mostly-Cisco environment. I need something with a little bit of intelligence, not just a simple trap forwarder.

Have already evaluated Orion, but it has too many extras that I don't need (i.e. netflow, traffic graphs, configs, et al are already handled) and not enough of what I do need (device awareness, alerting).

Not concerned with cost and platform, thanks in advance.

- Gregori

From daniel.voyer at bell.ca Thu Aug 21 13:39:28 2008
From: daniel.voyer at bell.ca (daniel.voyer at bell.ca)
Date: Thu, 21 Aug 2008 13:39:28 -0400
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
Message-ID: <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>

Hello,

Then you want to see this: http://www.emc.com/products/family/smarts-family.htm

Smarts is a monitoring tool with a correlation engine. If your router crashes, you will know about it, and you will also know what's behind that router that you just lost, and then it gives you the impact. It can go up to servers.
- dan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
Sent: August 21, 2008 1:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] best fault management solutions?

I've had it with Ciscoworks. I'm not new to getting LMS working properly, I'm just tired of lowering my expectations. Device discovery is hit and miss, new versions seem progressively worse, and the whole product is about as ergonomic as a pile of broken glass. I've stripped it down to just common services and DFM, but there just isn't enough value there relative to resources.

So, I'm looking for DFM-like replacement recommendations - I currently have configuration and performance management covered by rancid, cacti, syslog-ng and a few other open source tools; and I have netflow taken care of - I'm just having trouble finding a good solution for device fault management (i.e. temp, fan, interface errors, queues, broadcast rate, bgp neighbor state changes, etc) for a mostly-Cisco environment. I need something with a little bit of intelligence, not just a simple trap forwarder.

Have already evaluated Orion, but it has too many extras that I don't need (i.e. netflow, traffic graphs, configs, et al are already handled) and not enough of what I do need (device awareness, alerting).

Not concerned with cost and platform, thanks in advance.
- Gregori

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Thu Aug 21 15:16:25 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 21 Aug 2008 15:16:25 -0400
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
In-Reply-To: <20080821151809.GX12234@ronin.4ever.de>
References: <20080821143415.GT12234@ronin.4ever.de> <20080821151313.GG12557@rtp-cse-489.cisco.com> <20080821151809.GX12234@ronin.4ever.de>
Message-ID: <20080821191625.GV12557@rtp-cse-489.cisco.com>

I've been doing this TAC support job for 10 years as of this month and one thing I've learned is "never say never" ;)

...to get it to the output interface code must be run to set the outbound tx ring so that means a lookup must happen.

I'm saying I'm skeptical about what you are reporting. ;)

On Thu, Aug 21, 2008 at 05:18:09PM +0200, Elmar K. Bins wrote:
> Re,
>
> rodunn at cisco.com (Rodney Dunn) wrote:
>
> > Do they have the full frame so you can see if the dmac has
> > been rewritten in the frame to point to the L3 next hop of
> > the exchange point?
> >
> > Or does the frame have the srcmac of the server and the dmac
> > of the Portchannel1 interface in it?
>
> The frame carries the server NIC's MAC as the source, and
> the Portchannel MAC as the destination ethernet address.
>
> This looks a lot like bridging...
>
> Elmi.
>
> PS: "show int <...> irb" shows routed only.
>
> --
>
> "Limping is not a defect of a comparison, but should be regarded as an
> essential property of comparisons."
> (Marius Fränzel in desd)
>
> --------------------------------------------------------------[ ELMI-RIPE ]---

From rodunn at cisco.com Thu Aug 21 15:17:10 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 21 Aug 2008 15:17:10 -0400
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
In-Reply-To: <20080821151809.GX12234@ronin.4ever.de>
References: <20080821143415.GT12234@ronin.4ever.de> <20080821151313.GG12557@rtp-cse-489.cisco.com> <20080821151809.GX12234@ronin.4ever.de>
Message-ID: <20080821191710.GW12557@rtp-cse-489.cisco.com>

Can you send me the full configuration offline? 'sh tech' would be good.

From elmi at 4ever.de Thu Aug 21 15:47:03 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 21 Aug 2008 21:47:03 +0200
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
In-Reply-To: <20080821191625.GV12557@rtp-cse-489.cisco.com>
References: <20080821143415.GT12234@ronin.4ever.de> <20080821151313.GG12557@rtp-cse-489.cisco.com> <20080821151809.GX12234@ronin.4ever.de> <20080821191625.GV12557@rtp-cse-489.cisco.com>
Message-ID: <20080821194703.GB48711@ronin.4ever.de>

rodunn at cisco.com (Rodney Dunn) wrote:

> I've been doing this TAC support job for 10 years as of this month
> and one thing I've learned is "never say never" ;)

I trust you on that one ;)

> ...to get it to the output interface code must be run
> to set the outbound tx ring so that means a lookup must happen.
>
> I'm saying I'm skeptical about what you are reporting. ;)

Since the "we've dumped these packets, look here" came from the Exchange, and they found it on the exchange switchport...well...

I'm only half of the wise guys here, and maybe I have configured a leak somewhere (even if it's pretty straightforward).

Elmar.

From RTeller at deltadentalwa.com Thu Aug 21 18:47:35 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 21 Aug 2008 15:47:35 -0700
Subject: [c-nsp] Cisco ACE Context
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com>

I have two Cisco 6509 chassis with ACE and FWSM modules. I have configured the ACE blades to use an internal and external context. On ACE-A I am able to bring up both contexts and everything talks just fine, but on ACE-B I can't bring up vlan 138. Is there something I'm missing?
------------------------------------------------------------------------
svclc autostate
svclc multiple-vlan-interfaces
svclc module 7 vlan-group 9706,
firewall autostate
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 9706,
firewall vlan-group 9706 100,120,138,150,190,200,210,235,238,555,575,801-804
firewall vlan-group 9706 999
------------------------------------------------------------------------

ADMIN Context
------------------------------------------------------------------------
ft interface vlan 801
  ip address XXX.XXX.XXX.145 255.255.255.252
  peer ip address XXX.XXX.XXX.146 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 801
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice

context WDS-External
  allocate-interface vlan 138
context WDS-Internal
  allocate-interface vlan 238

ft group 2
  peer 1
  priority 200
  associate-context WDS-Internal
  inservice
ft group 3
  peer 1
  priority 200
  associate-context WDS-External
  inservice
------------------------------------------------------------------------

context WDS-External
------------------------------------------------------------------------
interface vlan 138
  ip address XXX.XXX.XXX.150 255.255.255.192
  alias XXX.XXX.XXX.188 255.255.255.192
  peer ip address XXX.XXX.XXX.189 255.255.255.192
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

vlan138 is down, VLAN not assigned from the supervisor
  Hardware type is VLAN
  MAC address is 00:1f:6c:89:0c:33
  Mode : routed
  IP address is XXX.XXX.XXX.150 netmask is 255.255.255.192
  FT status is standby
  Description:not set
  MTU: 1500 bytes
  Last cleared: never
  Alias IP address is XXX.XXX.XXX.188 netmask is 255.255.255.192
  Peer IP address is XXX.XXX.XXX.189 Peer IP netmask is 255.255.255.192
  Not assigned from the Supervisor, down on Supervisor
  Service-policy download failures : 3
     0 unicast packets input, 0 bytes
     0 multicast, 0 broadcast
     0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
     0 unicast packets output, 0 bytes
     0 multicast, 0 broadcast
     0 output errors, 0 ignored
------------------------------------------------------------------------

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From christian.macnevin at gmail.com Thu Aug 21 19:07:24 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 21 Aug 2008 16:07:24 -0700
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com> <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>
Message-ID:

SMARTS is the f&**ing S#!T (meaning I like it)

On Aug 21, 2008, at 10:39 AM, wrote:

Hello,

Then you want to see this: http://www.emc.com/products/family/smarts-family.htm

Smarts is a monitoring tool with a correlation engine. If your router crashes, you will know about it, and you will also know what's behind that router that you just lost, and then it gives you the impact. It can go up to servers.
- dan

From tvarriale at comcast.net Thu Aug 21 19:15:31 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 21 Aug 2008 18:15:31 -0500
Subject: [c-nsp] Cisco ACE Context
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com>
Message-ID: <020101c903e3$cf4fc1e0$f211a8c0@flamadam>

Would you do a sh vlan b on sup-b?

Is 138 there?

tv
From RTeller at deltadentalwa.com Thu Aug 21 19:32:35 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 21 Aug 2008 16:32:35 -0700
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <020101c903e3$cf4fc1e0$f211a8c0@flamadam>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com>

That is correct. But if I do show vlan on the ace module it doesn't show up even though it is associated to vlan group 9706.

Sea-ACE-A/Admin# show vlans
Vlans configured on SUP for this module
vlan100 vlan120 vlan138 vlan150 vlan190 vlan200 vlan210 vlan235
vlan238 vlan555 vlan801-803 vlan999

Sea-ACE-B/Admin# show vlans
Vlans configured on SUP for this module
vlan100 vlan200 vlan210 vlan235 vlan238 vlan555 vlan801-803
From tvarriale at comcast.net Thu Aug 21 19:43:51 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 21 Aug 2008 18:43:51 -0500
Subject: [c-nsp] Cisco ACE Context
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com>
Message-ID: <022001c903e7$c4200010$f211a8c0@flamadam>

sh firewall vlan-group
sh svclc vlan-group
From christian at broknrobot.com Thu Aug 21 19:52:49 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 21 Aug 2008 19:52:49 -0400
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com>
Message-ID:

what do you see when you do a 'sh svclc vlan-group' on the 6500 that ace-b is installed in?
>> ######################################################### >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From RTeller at deltadentalwa.com Thu Aug 21 19:53:21 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Thu, 21 Aug 2008 16:53:21 -0700 Subject: [c-nsp] Cisco ACE Context In-Reply-To: References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> Sea-6509-B#sh svclc vlan-group Display vlan-groups created by both ACE module and FWSM commands Group Created by vlans ----- ---------- ----- 9706 FWSM 100,120,138,150,190,200,210,235,238,555,575,801-804,999 -----Original Message----- From: Christian Koch [mailto:christian at broknrobot.com] Sent: Thursday, August 21, 2008 4:53 PM To: Teller, Robert Cc: Tony Varriale; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ACE Context what do you see when you do a 'sh svclc vlan-group' on the 6500 that ace-b is installed in? On Thu, Aug 21, 2008 at 7:32 PM, Teller, Robert wrote: > That is correct. 
But if I do show vlan on the ace module it doesn't show > up even though it is associated to vlan group 9706 > > Sea-ACE-A/Admin# show vlans > Vlans configured on SUP for this module > vlan100 vlan120 vlan138 vlan150 vlan190 vlan200 vlan210 vlan235 > vlan238 vlan555 vlan801-803 vlan999 > > Sea-ACE-B/Admin# show vlans > Vlans configured on SUP for this module > vlan100 vlan200 vlan210 vlan235 vlan238 vlan555 vlan801-803 > > > > -----Original Message----- > From: Tony Varriale [mailto:tvarriale at comcast.net] > Sent: Thursday, August 21, 2008 4:16 PM > To: Teller, Robert; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco ACE Context > > Would you do a sh vlan b on sup-b? > > Is 138 there? > > tv > ----- Original Message ----- > From: "Teller, Robert" > To: > Sent: Thursday, August 21, 2008 5:47 PM > Subject: [c-nsp] Cisco ACE Context > > >>I have two cisco 6509 chassis with ace and fwsm modules. I have >> configured the ace blades to use an internal and external conext. On >> ACE-A I am able to bring up both contexts and everything talks just > fine >> but on ACE-B I can't bring up vlan 138. Is there something I'm > missing? 
>>
>> ------------------------------------------------------------------------
>> svclc autostate
>> svclc multiple-vlan-interfaces
>> svclc module 7 vlan-group 9706,
>> firewall autostate
>> firewall multiple-vlan-interfaces
>> firewall module 3 vlan-group 9706,
>> firewall vlan-group 9706 100,120,138,150,190,200,210,235,238,555,575,801-804
>> firewall vlan-group 9706 999
>> ------------------------------------------------------------------------
>>
>> ADMIN Context
>> ------------------------------------------------------------------------
>> ft interface vlan 801
>>   ip address XXX.XXX.XXX.145 255.255.255.252
>>   peer ip address XXX.XXX.XXX.146 255.255.255.252
>>   no shutdown
>>
>> ft peer 1
>>   heartbeat interval 300
>>   heartbeat count 20
>>   ft-interface vlan 801
>> ft group 1
>>   peer 1
>>   priority 200
>>   associate-context Admin
>>   inservice
>>
>> context WDS-External
>>   allocate-interface vlan 138
>> context WDS-Internal
>>   allocate-interface vlan 238
>>
>> ft group 2
>>   peer 1
>>   priority 200
>>   associate-context WDS-Internal
>>   inservice
>> ft group 3
>>   peer 1
>>   priority 200
>>   associate-context WDS-External
>>   inservice
>> ------------------------------------------------------------------------
>>
>> context WDS-External
>> ------------------------------------------------------------------------
>> interface vlan 138
>>   ip address XXX.XXX.XXX.150 255.255.255.192
>>   alias XXX.XXX.XXX.188 255.255.255.192
>>   peer ip address XXX.XXX.XXX.189 255.255.255.192
>>   access-group input any
>>   service-policy input REMOTE_MGMT_ALLOW_POLICY
>>   no shutdown
>>
>> vlan138 is down, VLAN not assigned from the supervisor
>>   Hardware type is VLAN
>>   MAC address is 00:1f:6c:89:0c:33
>>   Mode : routed
>>   IP address is XXX.XXX.XXX.150 netmask is 255.255.255.192
>>   FT status is standby
>>   Description:not set
>>   MTU: 1500 bytes
>>   Last cleared: never
>>   Alias IP address is XXX.XXX.XXX.188 netmask is 255.255.255.192
>>   Peer IP address is XXX.XXX.XXX.189 Peer IP netmask is 255.255.255.192
>>   Not assigned from the Supervisor, down on Supervisor
>>   Service-policy download failures : 3
>>   0 unicast packets input, 0 bytes
>>   0 multicast, 0 broadcast
>>   0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
>>   0 unicast packets output, 0 bytes
>>   0 multicast, 0 broadcast
>>   0 output errors, 0 ignored
>> ------------------------------------------------------------------------
>>
>> Robert Teller
>> Washington Dental Service
>> Network Administrator
>> (206) 528-2371
>> RTeller at DeltaDentalWa.com
>>
>> #########################################################
>> The information contained in this e-mail and subsequent attachments may be
>> privileged, confidential and protected from disclosure. This transmission is
>> intended for the sole use of the individual and entity to whom it is addressed.
>> If you are not the intended recipient, any dissemination, distribution or
>> copying is strictly prohibited. If you think that you have received this
>> message in error, please e-mail the sender at the above e-mail address.
>> #########################################################

From tvarriale at comcast.net  Thu Aug 21 20:21:46 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 21 Aug 2008 19:21:46 -0500
Subject: [c-nsp] Cisco ACE Context
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com>
Message-ID: <024301c903ed$10831b90$f211a8c0@flamadam>

I'm partially confused as you are missing a number of vlans not just 138.

Can you remove it and reapply?

The only other thing I can think of is sh int trunk and see if the vlan is getting pruned back.

tv
From rubensk at gmail.com  Thu Aug 21 23:08:58 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Fri, 22 Aug 2008 00:08:58 -0300
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com> <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>
Message-ID: <6bb5f5b10808212008i1cab3e96h8d96e4c967029af9@mail.gmail.com>

Smarts is what used to be BMC Patrol, or something else?

How does it compare price-wise to Cisco Works?

Rubens

On Thu, Aug 21, 2008 at 2:39 PM, wrote:
>
> Hello,
>
> Then you want to see this:
> http://www.emc.com/products/family/smarts-family.htm
>
> Smarts is a monitoring tool with a correlation engine. If your router crashes, you will know about it, and you will also know what's behind that router that you just lost, and it then gives you the impact. It can go up to servers.
>
> - dan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: August 21, 2008 1:29 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] best fault management solutions?
>
> I've had it with Ciscoworks.
>
> I'm not new to getting LMS working properly, I'm just tired of lowering my expectations. Device discovery is hit and miss, new versions seem progressively worse, and the whole product is about as ergonomic as a pile of broken glass. I've stripped it down to just common services and DFM, but there just isn't enough value there relative to resources.
>
> So, I'm looking for DFM-like replacement recommendations - I currently have configuration and performance management covered by rancid, cacti, syslog-ng and a few other open source tools; and I have netflow taken care of - I'm just having trouble finding a good solution for device fault management (i.e. temp, fan, interface errors, queues, broadcast rate, bgp neighbor state changes, etc) for a mostly-Cisco environment.
>
> I need something with a little bit of intelligence, not just a simple trap forwarder. Have already evaluated Orion, but it has too many extras that I don't need (i.e. netflow, traffic graphs, configs, et al are already handled) and not enough of what I do need (device awareness, alerting). Not concerned with cost and platform, thanks in advance.
>
> - Gregori

From affanzbasalamah at gmail.com  Thu Aug 21 23:33:58 2008
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Fri, 22 Aug 2008 10:33:58 +0700
Subject: [c-nsp] Sup32 capacity
Message-ID:

Hi all,

Sorry if questions about Sup32 capacity have already been asked too many times, but I would like to know from your experience whether a Sup32 is enough if I operate it to do:

- 2 links of 155 Mbps, 4 E1 links
- 7 BGP peers, 3 of them with 30000 routes, the rest with only hundreds of routes

I just love the Sup32 for providing 8 free SFP ports to do aggregation in my NOC without adding more modules to the 7603 chassis.

Regards,
-affan

From elmi at 4ever.de  Fri Aug 22 03:08:51 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Fri, 22 Aug 2008 09:08:51 +0200
Subject: [c-nsp] Sup32 capacity
In-Reply-To:
References:
Message-ID: <20080822070851.GF48711@ronin.4ever.de>

Re Affan,

affanzbasalamah at gmail.com (Affan Basalamah) wrote:

> but I would like to know from your experience whether a Sup32 is enough if
> I operate it to do:
>
> - 2 links of 155 Mbps, 4 E1 links
> - 7 BGP peers, 3 of them with 30000 routes, the rest with only hundreds of routes
>
> I just love the Sup32 for providing 8 free SFP ports to do aggregation in my
> NOC without adding more modules to the 7603 chassis.

On paper, it's much more than you need. I'd expect it to work a bit further than your current needs, which is good (you don't have to replace it so quickly).

Yours,
Elmar.
From mtinka at globaltransit.net  Fri Aug 22 04:31:42 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 22 Aug 2008 16:31:42 +0800
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <20080820164735.GA16618@diveo.net.br>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>
Message-ID: <200808221631.47493.mtinka@globaltransit.net>

On Thursday 21 August 2008 00:47:35 Everton da Silva Marques wrote:

> 1. Use RR to scale BGP; deploy RRs in pairs for redundancy. Keep RRs
> out of the forwarding paths and disable CEF (saves memory)

Curious to actually know by what % memory is saved when CEF is disabled on a fairly modern IOS-based platform today, particularly software routers (which make affordable route reflectors).

We use 7201's for route reflectors (IPv4, VPNv4, and with any luck, l2vpn AFI in the future), with tens of peers configured, about 5 of whom send full tables, while the rest send a couple of hundred to a few thousand routes. Configured with 2GB of DRAM, 1.78GB is available after boot (thanks to 12.2(33)SRC1), and 322MB is used to hold the learned routes (as at today). 1.47GB is left for future use. CEF is enabled, CPU lays low at 1% to 2%. Overload bit is set on IS-IS to keep them from being transit routers.

With these values, we're not inclined to disable CEF; but would be interested in hearing your experiences with this practice, and on what platforms.

Cheers,

Mark.

From gaurav at inwire.net  Fri Aug 22 03:58:35 2008
From: gaurav at inwire.net (Gaurav Sabharwal)
Date: Fri, 22 Aug 2008 09:58:35 +0200
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <6bb5f5b10808212008i1cab3e96h8d96e4c967029af9@mail.gmail.com>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com> <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca> <6bb5f5b10808212008i1cab3e96h8d96e4c967029af9@mail.gmail.com>
Message-ID: <48AE71AB.8060504@inwire.net>

Cisco Works will definitely be cheaper than the SMARTS solution.

Another option to look at is EM7 from ScienceLogic http://www.sciencelogic.com/

Their appliances have a starting price of $25K.

- Gaurav

on 08/22/2008 05:08 AM Rubens Kuhl Jr. said the following:
> Smarts is what used to be BMC Patrol, or something else?
>
> How does it compare price-wise to Cisco Works?
>
> Rubens

From jared at puck.nether.net  Fri Aug 22 08:01:31 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 22 Aug 2008 08:01:31 -0400
Subject: [c-nsp] Sup32 capacity
In-Reply-To: <20080822070851.GF48711@ronin.4ever.de>
References: <20080822070851.GF48711@ronin.4ever.de>
Message-ID: <20080822120131.GD76625@puck.nether.net>

On Fri, Aug 22, 2008 at 09:08:51AM +0200, Elmar K. Bins wrote:
> On paper, it's much more than you need. I'd expect it to work a bit
> further than your current needs, which is good (you don't have to
> replace it so quickly).

Keep in mind the following:

You will need to upgrade to SUP720-3BXL to do full routes in the future.
You will not have access to the fabric so future upgrades to 10G or other cards will require SUP upgrade as well and may require power upgrades too.

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From jlewis at lewis.org  Fri Aug 22 08:24:46 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 22 Aug 2008 08:24:46 -0400 (EDT)
Subject: [c-nsp] Sup32 capacity
In-Reply-To: <20080822120131.GD76625@puck.nether.net>
References: <20080822070851.GF48711@ronin.4ever.de> <20080822120131.GD76625@puck.nether.net>
Message-ID:

On Fri, 22 Aug 2008, Jared Mauch wrote:

> Keep in mind the following:
>
> You will need to upgrade to SUP720-3BXL to do full routes in the
> future.

I think your wording here is not as clear as it could be. The OP apparently isn't doing full routes right now. If they wanted to do full routes today on a Sup32, it wouldn't work. SUP720-3BXL is currently the minimum Sup necessary for doing full routes on a 6500/7600.

----------------------------------------------------------------------
Jon Lewis                   |  I route
Senior Network Engineer     |  therefore you are
Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From lowen at pari.edu  Fri Aug 22 10:47:34 2008
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 22 Aug 2008 10:47:34 -0400
Subject: [c-nsp] L2TPv3 interoperability between 12.0S and 12.4.
Message-ID: <200808221047.34606.lowen@pari.edu>

Good morning list.
I have had an odd version discrepancy before between 12.0S and 12.4 in the past; in particular, I tried to have a 12.0S-running 12012 act as working and a 7505 running 12.4 as protect on an APS-protected OC3, but this did not work; the protect and the working would not negotiate APS properly (and they had a direct link between them). Subbed a 7507 that had 12.0S as the protect, and it works fine. But two 7401ASRs running 12.4, one as working and one as protect, talk APS fine with each other.

In any case, looking for experience on possible issues of this kind for L2TPv3 between a 7507 running 12.0S and a 7401ASR running 12.4. 12.0S is required on the 7507 for the SRPIP-OC12 module it uses to communicate with the 12012 and 7507 doing APS on the OC3.

I know, better hardware would be nice; but just looking for anybody's experience with odd L2TPv3 issues between different IOS versions (and trains).

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From RTeller at deltadentalwa.com  Fri Aug 22 12:07:53 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 22 Aug 2008 09:07:53 -0700
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <024301c903ed$10831b90$f211a8c0@flamadam>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com>

So on Chassis-B interface tengig 7/1 is configured differently than on chassis-A. And I can't even get into chassis-A tengig 7/1 to make any changes to it.
interface TenGigabitEthernet7/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,120,138,150,190,200,210,235,238,555,575
 switchport trunk allowed vlan add 801-804,999
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 flowcontrol receive on
 no cdp enable
end

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Thursday, August 21, 2008 5:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

I'm partially confused as you are missing a number of vlans not just 138.

Can you remove it and reapply?

The only other thing I can think of is sh int trunk and see if the vlan is getting pruned back.

tv
From Gregori.Parker at theplatform.com  Fri Aug 22 12:39:38 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Fri, 22 Aug 2008 09:39:38 -0700
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <48AE71AB.8060504@inwire.net>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com> <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca> <6bb5f5b10808212008i1cab3e96h8d96e4c967029af9@mail.gmail.com> <48AE71AB.8060504@inwire.net>
Message-ID: <1A9866F953006D45AEE0166066114E0912A5B11D@TPMAIL02.corp.theplatform.com>

To clarify, I'm not looking for an all-in-one ciscoworks-class solution that rivals the cost of my car, I'm just curious how everyone here handles device fault management. The DFM module in Ciscoworks does a good job of alerting me about things like broadcast rate, queue thresholds and BGP events, but I'm not finding it to be reliable or worth the cost. So, before I spend the next month leveraging perl and net-snmp to get the information I want, I thought I'd ask to see what people are using.
I have absolutely no need for server/application monitoring - just something that actively polls devices and handles snmp traps, knows the difference between a switch and a firewall, and lets me know when there's cause for concern.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gaurav Sabharwal
Sent: Friday, August 22, 2008 12:59 AM
To: Rubens Kuhl Jr.
Cc: Cisco-nsp
Subject: Re: [c-nsp] best fault management solutions?

Cisco Works will definitely be cheaper than SMARTS solution.

Another option to look at is EM7 from ScienceLogic http://www.sciencelogic.com/ Their appliances have a start price of $25K.

- Gaurav

on 08/22/2008 05:08 AM Rubens Kuhl Jr. said the following:
> Smarts is what used to be BMC Patrol or something else?
>
> How does it compare price-wise to Cisco Works?
>
> Rubens
>
> On Thu, Aug 21, 2008 at 2:39 PM, wrote:
>> Hello,
>>
>> Then you want to see this:
>> http://www.emc.com/products/family/smarts-family.htm
>>
>> Smarts is a monitoring tool with a correlation engine. If your router crashes, you will know about it, and you will also know what's behind that router that you just lost, and then it gives you the impact. It can go up to servers.
>>
>> - dan
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
>> Sent: August 21, 2008 1:29 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] best fault management solutions?
>>
>> I've had it with Ciscoworks.
>>
>> I'm not new to getting LMS working properly, I'm just tired of lowering my expectations. Device discovery is hit and miss, new versions seem progressively worse, and the whole product is about as ergonomic as a pile of broken glass. I've stripped it down to just common services and DFM, but there just isn't enough value there relative to resources.
>>
>> So, I'm looking for DFM-like replacement recommendations - I currently have configuration and performance management covered by rancid, cacti, syslog-ng and a few other open source tools; and I have netflow taken care of - I'm just having trouble finding a good solution for device fault management (i.e. temp, fan, interface errors, queues, broadcast rate, bgp neighbor state changes, etc) for a mostly-Cisco environment.
>>
>> I need something with a little bit of intelligence, not just a simple trap forwarder. Have already evaluated Orion, but it has too many extras that I don't need (i.e. netflow, traffic graphs, configs, et al are already handled) and not enough of what I do need (device awareness, alerting). Not concerned with cost and platform, thanks in advance.
>>
>> - Gregori

From christian.macnevin at gmail.com Fri Aug 22 12:40:28 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Fri, 22 Aug 2008 09:40:28 -0700
Subject: [c-nsp] BGP authentication failure with no md5?
Message-ID:

I'm getting auth failures from a peer (juniper) when there's no md5 configured on the link. Somehow this rings a bell about a cosmetic thing in a junos train from a prior life, but I'm surprised to see that the session is actually still up. Anybody seen this one before? I'm running 12.4(21) on a 38.

Thanks
Christian

From jml at packetpimp.org Fri Aug 22 13:03:51 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Fri, 22 Aug 2008 13:03:51 -0400
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <1A9866F953006D45AEE0166066114E0912A5B11D@TPMAIL02.corp.theplatform.com>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
 <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B72FB@MBX03.bell.corp.bce.ca>
 <6bb5f5b10808212008i1cab3e96h8d96e4c967029af9@mail.gmail.com>
 <48AE71AB.8060504@inwire.net>
 <1A9866F953006D45AEE0166066114E0912A5B11D@TPMAIL02.corp.theplatform.com>
Message-ID: <48AEF177.9070604@packetpimp.org>

You could do something as simple as mrtg templates and a few simple scripts to auto-gen the mrtg configs with thresholds that email you. You also get graphs of the trends to boot. We have several tools running but I tend to use mrtg more than the others. I have some code if you're interested, php with a mysql backend, it's hacked together but it works.

Gregori Parker wrote:
> To clarify, I'm not looking for an all-in-one ciscoworks-class solution that rivals the cost of my car, I'm just curious how everyone here handles device fault management.
From rodunn at cisco.com Fri Aug 22 13:28:21 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 22 Aug 2008 13:28:21 -0400
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <48AD2CA5.8010202@heanet.ie>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com> <48AC6585.9070701@heanet.ie> <20080820202259.GF3810@rtp-cse-489.cisco.com> <48AD2CA5.8010202@heanet.ie>
Message-ID: <20080822172821.GJ24210@rtp-cse-489.cisco.com>

"ethernet point-to-point"

It doesn't do what it sounds like it does.

We are having internal discussions around having a single CLI to simulate p2p behavior.

What about if at the first pass you had to manually configure the next hop ip/mac address?

Rodney

On Thu, Aug 21, 2008 at 09:51:49AM +0100, Paul Cosgrove wrote:
> I mistakenly thought you had replied to the previous message I received in that thread, which was about the RFC which covers multiple link state protocols. Can you explain what command you are advising us not to use, does it still exist? Is it a command which is protocol generic or are you talking about "ip ospf network"?
>
> Paul.
>
> Rodney Dunn wrote:
> > Not sure. I didn't write it. ;)
> >
> > From a quick glance it seems to imply that type of behavior but I'm not aware it was ever really done.
> >
> > On Wed, Aug 20, 2008 at 07:42:13PM +0100, Paul Cosgrove wrote:
> >> I'm not sure I understand you there. Do you mean that the intention behind the draft RFC was for some form of point-to-point configuration command on the interface, which would apply to all link state routing protocols?
> >>
> >> Paul.
> >>
> >> Rodney Dunn wrote:
> >>> There was a point to point configuration on the link itself and it caused a bunch of platform forwarding problems once.
> >>>
> >>> I wouldn't use that one.
> >>>
> >>> Note I'm not talking about the OSPF point to point control plane configuration.
> >>>
> >>> Rodney
> >>>
> >>> On Wed, Aug 20, 2008 at 07:43:51PM +0200, sthaug at nethelp.no wrote:
> >>>>>> These are all good points, and make me wonder - if it's *known* that an Ethernet link will be used as a point to point link between two routers, why doesn't everybody configure it explicitly as a point to point link? I know we always do...
> >>>>> The benefit/cost ratio is low. You aren't saving much by eliminating DR/BDR election, and it's just one more unnecessary tweak to keep track of. IMHO.
> >>>> Funny, we look at it exactly the opposite way. We're a service provider, and a large majority of the Ethernet links where we run an IGP are point to point links. So we have the point to point configuration as part of our standard config template, nothing extra to keep track of.
> >>>>
> >>>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> >>
> >> --
> >> HEAnet Limited
> >> Ireland's Education & Research Network
> >> 5 George's Dock, IFSC, Dublin 1, Ireland
> >> Tel: +353.1.6609040
> >> Web: http://www.heanet.ie
> >> Company registered in Ireland: 275301
> >>
> >> Please consider the environment before printing this e-mail.
>

From lowen at pari.edu Fri Aug 22 13:31:29 2008
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 22 Aug 2008 13:31:29 -0400
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <1A9866F953006D45AEE0166066114E0912A5B11D@TPMAIL02.corp.theplatform.com>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
Message-ID: <200808221331.29467.lowen@pari.edu>

On Friday 22 August 2008 12:39:38 Gregori Parker wrote:
> To clarify, I'm not looking for an all-in-one ciscoworks-class solution that rivals the cost of my car, I'm just curious how everyone here handles device fault management.

I use a combination of tools here, but the closest fit to what you're looking at is OpenNMS.
www.opennms.org

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From sthaug at nethelp.no Fri Aug 22 13:35:54 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 22 Aug 2008 19:35:54 +0200 (CEST)
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080822172821.GJ24210@rtp-cse-489.cisco.com>
References: <20080820202259.GF3810@rtp-cse-489.cisco.com> <48AD2CA5.8010202@heanet.ie> <20080822172821.GJ24210@rtp-cse-489.cisco.com>
Message-ID: <20080822.193554.74717787.sthaug@nethelp.no>

> "ethernet point-to-point"
>
> It doesn't do what it sounds like it does.
>
> We are having internal discussions around having a single CLI to simulate p2p behavior.
>
> What about if at the first pass you had to manually configure the next hop ip/mac address?

It's not obvious to me that this would be an improvement over having to explicitly configure point-to-point for OSPF or IS-IS?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rodunn at cisco.com Fri Aug 22 13:40:29 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 22 Aug 2008 13:40:29 -0400
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080822.193554.74717787.sthaug@nethelp.no>
References: <20080820202259.GF3810@rtp-cse-489.cisco.com> <48AD2CA5.8010202@heanet.ie> <20080822172821.GJ24210@rtp-cse-489.cisco.com> <20080822.193554.74717787.sthaug@nethelp.no>
Message-ID: <20080822174029.GK24210@rtp-cse-489.cisco.com>

On Fri, Aug 22, 2008 at 07:35:54PM +0200, sthaug at nethelp.no wrote:
> > "ethernet point-to-point"
> >
> > It doesn't do what it sounds like it does.
> >
> > We are having internal discussions around having a single CLI to simulate p2p behavior.
> >
> > What about if at the first pass you had to manually configure the next hop ip/mac address?
>
> It's not obvious to me that this would be an improvement over having to explicitly configure point-to-point for OSPF or IS-IS?

Agree. The idea was it would be a lower level configuration that any upper layer protocol would recognize and act accordingly.

I can see where you are coming from that unless the configuration was much more simple the overhead isn't worth the improvement...if you call it that.

The static way was simpler than relying on dynamic learning via some other l2 means.

Rodney

>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From rodunn at cisco.com Fri Aug 22 13:47:41 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 22 Aug 2008 13:47:41 -0400
Subject: [c-nsp] some weird routing problems after GSR upgrade
In-Reply-To:
References:
Message-ID: <20080822174741.GL24210@rtp-cse-489.cisco.com>

On Thu, Aug 21, 2008 at 12:49:57PM +0200, Primoz Jeroncic wrote:
> Hi
>
> After upgrade of one of our c12008 from GRP-B to PRP-1, and with this required IOS upgrade (from service provider 12.0.30.S5 to 12.0.33.S1) I'm starting to get some really weird issues with routing.
> At the moment my network topology looks like this:
>
> Upstream-1 -- GSR-1 -- GSR-2 -- GSR-3 -- c7401 -- c7206 -- backup upstream
>
> Now, the explanation. Route engine line card and IOS were upgraded on GSR-1.
> One prefix is originated and advertised in BGP from GSR-2.
> Second prefix is originated and advertised from c7206.
> In case it matters, MPLS is enabled from GSR-1 to c7401. C7206 is not in the MPLS enabled network.
> Both prefixes are announced through the same AS, and if everything is fine, they both go out through GSR-1 and Upstream-1.
>
> And now my problem. Config is the same as it was before. Before, everything was working fine, and when the link between c7401 and c7206 went down, the prefix originated on c7206 went out through backup upstream and came into my network (to GSR-2) through upstream-1 and GSR-1.
That doesn't make sense because if you break the link between 7401 and 7206 then GSR1 doesn't have reachability to the 7206 to get the route to send it out since the 7206 originated it.

> After upgrade, things don't work like this anymore. Until I clear the route for the prefix originated on c7206 on GSR-1 (clear ip route x.x.x.0), traffic goes from GSR-2 to GSR-3, then to c7401, then back to GSR-3 and GSR-2, and then another loop.

We'd need to see 'sh ip route' to figure out what exact prefix is being used in the routing table at the time along with 'sh ip cef' for the ip address you see a looping traceroute for.

>
> After the link goes down, there are no routes for this prefix in GSR-3 and c7401, so traffic should go over the default route. There is a route for this prefix on GSR-2, but it's pointing to GSR-1, and on GSR-1 there's a route for this prefix through Upstream-1. So based on routing tables everything looks fine. But traffic still bounces as described above.

You have to verify with 'sh ip cef' since it will print the recursion for you to the next hops.

>
> I know the easiest solution would be to downgrade GSR-1 to the previous IOS which was working. But with the older IOS, one of the Gigabitethernet linecards in GSR-1 was crashing constantly every 15 to 20mins. Considering there are about 200 BGP peerings on that GE, you can imagine that peerings were down pretty much all the time :) With 12.0.33.S1, these crashes are history, but this routing problem is something I didn't have before.
>
> If anyone has problems like this, or if anyone has any idea how to solve this, please let me know. I would be extremely grateful for any hint on this.
>
> Thanks in advance, and if I wasn't clear enough, please drop me a note, and I will try to explain again.
>
> Have fun,
> Primoz Jeroncic
> Support - IP Connectivity & Routing
> -------------------------------------------------------------------
> Softnet d.o.o.    tel: +386 1 562 31 40   |
> Borovec 2         fax: +386 1 562 18 55   | 1 + 1 = 3
> 1236 Trzin        primoz(at)softnet.si    | for larger values of 1
> Slovenija         http://flea.softnet.si/
> -------------------------------------------------------------------

From RTeller at deltadentalwa.com Fri Aug 22 13:55:18 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 22 Aug 2008 10:55:18 -0700
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com>

So it looks like the problem is that the interface associated to the ace is configurable. Does anyone know how to remove it without rebuilding the chassis?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
Sent: Friday, August 22, 2008 9:08 AM
To: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

So on Chassis-B interface tengig 7/1 is configured differently than chassis-A. And I can't even get into chassis-a tengig 7/1 to make any changes to it.
interface TenGigabitEthernet7/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,120,138,150,190,200,210,235,238,555,575
 switchport trunk allowed vlan add 801-804,999
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 flowcontrol receive on
 no cdp enable
end

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Thursday, August 21, 2008 5:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

I'm partially confused as you are missing a number of vlans not just 138.

Can you remove it and reapply?

The only other thing I can think of is sh int trunk and see if the vlan is getting pruned back.

tv

----- Original Message -----
From: "Teller, Robert"
To: "Christian Koch"
Cc: "Tony Varriale" ;
Sent: Thursday, August 21, 2008 6:53 PM
Subject: RE: [c-nsp] Cisco ACE Context

Sea-6509-B#sh svclc vlan-group
Display vlan-groups created by both ACE module and FWSM commands

Group    Created by    vlans
-----    ----------    -----
9706     FWSM          100,120,138,150,190,200,210,235,238,555,575,801-804,999

-----Original Message-----
From: Christian Koch [mailto:christian at broknrobot.com]
Sent: Thursday, August 21, 2008 4:53 PM
To: Teller, Robert
Cc: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

what do you see when you do a 'sh svclc vlan-group' on the 6500 that ace-b is installed in?

On Thu, Aug 21, 2008 at 7:32 PM, Teller, Robert wrote:
> That is correct.
> But if I do show vlan on the ace module it doesn't show up even though it is associated to vlan group 9706
>
> Sea-ACE-A/Admin# show vlans
> Vlans configured on SUP for this module
> vlan100 vlan120 vlan138 vlan150 vlan190 vlan200 vlan210 vlan235
> vlan238 vlan555 vlan801-803 vlan999
>
> Sea-ACE-B/Admin# show vlans
> Vlans configured on SUP for this module
> vlan100 vlan200 vlan210 vlan235 vlan238 vlan555 vlan801-803
>
> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Thursday, August 21, 2008 4:16 PM
> To: Teller, Robert; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>
> Would you do a sh vlan b on sup-b?
>
> Is 138 there?
>
> tv
> ----- Original Message -----
> From: "Teller, Robert"
> To:
> Sent: Thursday, August 21, 2008 5:47 PM
> Subject: [c-nsp] Cisco ACE Context
>
>> I have two Cisco 6509 chassis with ACE and FWSM modules. I have configured the ACE blades to use an internal and external context. On ACE-A I am able to bring up both contexts and everything talks just fine but on ACE-B I can't bring up vlan 138. Is there something I'm missing?
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> svclc autostate
>> svclc multiple-vlan-interfaces
>> svclc module 7 vlan-group 9706,
>> firewall autostate
>> firewall multiple-vlan-interfaces
>> firewall module 3 vlan-group 9706,
>> firewall vlan-group 9706 100,120,138,150,190,200,210,235,238,555,575,801-804
>> firewall vlan-group 9706 999
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> ADMIN Context
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> ft interface vlan 801
>>   ip address XXX.XXX.XXX.145 255.255.255.252
>>   peer ip address XXX.XXX.XXX.146 255.255.255.252
>>   no shutdown
>>
>> ft peer 1
>>   heartbeat interval 300
>>   heartbeat count 20
>>   ft-interface vlan 801
>> ft group 1
>>   peer 1
>>   priority 200
>>   associate-context Admin
>>   inservice
>>
>> context WDS-External
>>   allocate-interface vlan 138
>> context WDS-Internal
>>   allocate-interface vlan 238
>>
>> ft group 2
>>   peer 1
>>   priority 200
>>   associate-context WDS-Internal
>>   inservice
>> ft group 3
>>   peer 1
>>   priority 200
>>   associate-context WDS-External
>>   inservice
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> context WDS-External
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> interface vlan 138
>>   ip address XXX.XXX.XXX.150 255.255.255.192
>>   alias XXX.XXX.XXX.188 255.255.255.192
>>   peer ip address XXX.XXX.XXX.189 255.255.255.192
>>   access-group input any
>>   service-policy input REMOTE_MGMT_ALLOW_POLICY
>>   no shutdown
>>
>> vlan138 is down, VLAN not assigned from the supervisor
>>   Hardware type is VLAN
>>   MAC address is 00:1f:6c:89:0c:33
>>   Mode : routed
>>   IP address is XXX.XXX.XXX.150 netmask is 255.255.255.192
>>   FT status is standby
>>   Description:not set
>>   MTU: 1500 bytes
>>   Last cleared: never
>>   Alias IP address is XXX.XXX.XXX.188 netmask is 255.255.255.192
>>   Peer IP address is XXX.XXX.XXX.189 Peer IP netmask is 255.255.255.192
>>   Not assigned from the Supervisor, down on Supervisor
>>   Service-policy download failures : 3
>>   0 unicast packets input, 0 bytes
>>   0 multicast, 0 broadcast
>>   0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
>>   0 unicast packets output, 0 bytes
>>   0 multicast, 0 broadcast
>>   0 output errors, 0 ignored
>>
>> -----------------------------------------------------------------------------------------------------------------
>>
>> Robert Teller
>> Washington Dental Service
>> Network Administrator
>> (206) 528-2371
>> RTeller at DeltaDentalWa.com
>>
>> #########################################################
>> The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
>> #########################################################

From justin at justinshore.com Fri Aug 22 14:22:50 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 22 Aug 2008 13:22:50 -0500
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com>
Message-ID: <48AF03FA.2040207@justinshore.com>

I haven't worked with an ACE yet but I have two possibly related stories to relay.

Our FWSM internal 1Q trunks (firewall-group) got hosed up shortly after their deployment in our 7600s (SR code).
We'd add a VLAN and it would show up in the firewall-group config line and it would appear in the FWSM sys context but it would not come up/up in the context. No data could be passed by the FWSM on those VLANs. TAC determined that a reboot of the FWSM was necessary. We rebooted the FWSM to no avail. When that failed TAC instructed us to power cycle the chassis. Doing that resolved the VLAN issue. IIRC we were on a SRAn release at the time. I later upgraded to SRB. Prior to the mentioning of the 10G interface this fit your problem more but I didn't have time to write it up at the time.

The second story has to do with the special 10G internal interfaces. We had a couple SMEs out to install and configure a pair of IPSec SPAs in the SSC-400 carriers in our 7600s. The SMEs manually configured the 2 internal GigE ints on the SPAs with the VLANs that they thought should be on them. The virtual ints were 1Q trunks. A few months later after battling extremely weird problems (traffic from VLAN x appearing on VLAN y with a significant delay in the middle, dupe frames, packet loss, 7600s crashing, etc) I found a TAC engineer who could explain how the IPSec SPA ints were supposed to be configured. As it turns out you are not supposed to touch the virtual ints when running in VRF Mode, period. Under no circumstances do you touch the ints when in VRF Mode. The inside and outside VLANs are configured automatically as you configure VRF in crypto statements. Turns out that the SMEs had configured numerous VLANs on both virtual ints and in many cases the VLANs overlapped. I.e., you had the same VLANs on both sides of the SPA, both the encrypted side and the unencrypted side. The auto config stopped as soon as they modified the interface config manually. My TAC engineer (a VPN specialist) couldn't believe it actually worked, even a little. He helped me fix the problem though.
I had to pull the SPAs, reboot both 7600s, reinsert the SPAs, and reconfigure crypto from the ground up without touching the 1 GigE internal ints.

I mention this story in case these internal 10G ints aren't supposed to be manually configured but are instead supposed to be configured automatically based on the svclc group commands. None of this may be related though. Good luck.

FYI
Justin

Teller, Robert wrote:
> So it looks like the problem is that the interface associated to the ace is configurable. Does anyone know how to remove it without rebuilding the chassis?
> > tv > ----- Original Message ----- > From: "Teller, Robert" > To: "Christian Koch" > Cc: "Tony Varriale" ; > Sent: Thursday, August 21, 2008 6:53 PM > Subject: RE: [c-nsp] Cisco ACE Context > > > Sea-6509-B#sh svclc vlan-group > Display vlan-groups created by both ACE module and FWSM commands > > Group Created by vlans > ----- ---------- ----- > 9706 FWSM > 100,120,138,150,190,200,210,235,238,555,575,801-804,999 > > -----Original Message----- > From: Christian Koch [mailto:christian at broknrobot.com] > Sent: Thursday, August 21, 2008 4:53 PM > To: Teller, Robert > Cc: Tony Varriale; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco ACE Context > > what do you see when you do a 'sh svclc vlan-group' on the 6500 that > ace-b is installed in? > > > On Thu, Aug 21, 2008 at 7:32 PM, Teller, Robert > wrote: >> That is correct. But if I do show vlan on the ace module it doesn't > show >> up even though it is associated to vlan group 9706 >> >> Sea-ACE-A/Admin# show vlans >> Vlans configured on SUP for this module >> vlan100 vlan120 vlan138 vlan150 vlan190 vlan200 vlan210 > vlan235 >> vlan238 vlan555 vlan801-803 vlan999 >> >> Sea-ACE-B/Admin# show vlans >> Vlans configured on SUP for this module >> vlan100 vlan200 vlan210 vlan235 vlan238 vlan555 vlan801-803 >> >> >> >> -----Original Message----- >> From: Tony Varriale [mailto:tvarriale at comcast.net] >> Sent: Thursday, August 21, 2008 4:16 PM >> To: Teller, Robert; cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Cisco ACE Context >> >> Would you do a sh vlan b on sup-b? >> >> Is 138 there? >> >> tv >> ----- Original Message ----- >> From: "Teller, Robert" >> To: >> Sent: Thursday, August 21, 2008 5:47 PM >> Subject: [c-nsp] Cisco ACE Context >> >> >>> I have two cisco 6509 chassis with ace and fwsm modules. I have >>> configured the ace blades to use an internal and external conext. 
On >>> ACE-A I am able to bring up both contexts and everything talks just >> fine >>> but on ACE-B I can't bring up vlan 138. Is there something I'm >> missing? >>> >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> svclc autostate >>> >>> svclc multiple-vlan-interfaces >>> >>> svclc module 7 vlan-group 9706, >>> >>> firewall autostate >>> >>> firewall multiple-vlan-interfaces >>> >>> firewall module 3 vlan-group 9706, >>> >>> firewall vlan-group 9706 >>> 100,120,138,150,190,200,210,235,238,555,575,801-804 >>> >>> firewall vlan-group 9706 999 >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> >>> >>> ADMIN Context >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> ft interface vlan 801 >>> >>> ip address XXX.XXX.XXX.145 255.255.255.252 >>> >>> peer ip address XXX.XXX.XXX.146 255.255.255.252 >>> >>> no shutdown >>> >>> >>> >>> ft peer 1 >>> >>> heartbeat interval 300 >>> >>> heartbeat count 20 >>> >>> ft-interface vlan 801 >>> >>> ft group 1 >>> >>> peer 1 >>> >>> priority 200 >>> >>> associate-context Admin >>> >>> inservice >>> >>> >>> >>> context WDS-External >>> >>> allocate-interface vlan 138 >>> >>> context WDS-Internal >>> >>> allocate-interface vlan 238 >>> >>> >>> >>> ft group 2 >>> >>> peer 1 >>> >>> priority 200 >>> >>> associate-context WDS-Internal >>> >>> inservice >>> >>> ft group 3 >>> >>> peer 1 >>> >>> priority 200 >>> >>> associate-context WDS-External >>> >>> inservice >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> >>> >>> context WDS-External >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> interface vlan 138 >>> >>> 
ip address XXX.XXX.XXX.150 255.255.255.192 >>> >>> alias XXX.XXX.XXX.188 255.255.255.192 >>> >>> peer ip address XXX.XXX.XXX.189 255.255.255.192 >>> >>> access-group input any >>> >>> service-policy input REMOTE_MGMT_ALLOW_POLICY >>> >>> no shutdown >>> >>> >>> >>> vlan138 is down, VLAN not assigned from the supervisor >>> >>> Hardware type is VLAN >>> >>> MAC address is 00:1f:6c:89:0c:33 >>> >>> Mode : routed >>> >>> IP address is XXX.XXX.XXX.150 netmask is 255.255.255.192 >>> >>> FT status is standby >>> >>> Description:not set >>> >>> MTU: 1500 bytes >>> >>> Last cleared: never >>> >>> Alias IP address is XXX.XXX.XXX.188 netmask is 255.255.255.192 >>> >>> Peer IP address is XXX.XXX.XXX.189 Peer IP netmask is > 255.255.255.192 >>> Not assigned from the Supervisor, down on Supervisor >>> >>> Service-policy download failures : 3 >>> >>> 0 unicast packets input, 0 bytes >>> >>> 0 multicast, 0 broadcast >>> >>> 0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops >>> >>> 0 unicast packets output, 0 bytes >>> >>> 0 multicast, 0 broadcast >>> >>> 0 output errors, 0 ignored >>> >>> > ------------------------------------------------------------------------ >>> ----------------------------------------- >>> >>> >>> >>> Robert Teller >>> Washington Dental Service >>> Network Administrator >>> (206) 528-2371 >>> RTeller at DeltaDentalWa.com >>> >>> >>> >>> >>> ######################################################### >>> The information contained in this e-mail and subsequent attachments >> may be >>> privileged, >>> confidential and protected from disclosure. This transmission is >> intended >>> for the sole >>> use of the individual and entity to whom it is addressed. If you are >> not >>> the intended >>> recipient, any dissemination, distribution or copying is strictly >>> prohibited. If you >>> think that you have received this message in error, please e-mail the >>> sender at the above >>> e-mail address. 
>>> ######################################################### >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From RTeller at deltadentalwa.com Fri Aug 22 14:37:38 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Fri, 22 Aug 2008 11:37:38 -0700 Subject: [c-nsp] Cisco ACE Context In-Reply-To: <48AF03FA.2040207@justinshore.com> References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com> <48AF03FA.2040207@justinshore.com> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com> Hmmm that is really weird rebooting the chassis fixed it. 
Any idea what could have happened?

Is it just me or do the ace modules take FOREVER to boot up?

I also noticed that if I configure the ANM software to administer the ace modules when I type show run on the active context it just hangs and nothing happens. Anyone else experience this?

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: Friday, August 22, 2008 11:23 AM
To: Teller, Robert
Cc: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

From robbie.jacka at regions.com Fri Aug 22 14:40:45 2008
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Fri, 22 Aug 2008 13:40:45 -0500
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <48AF03FA.2040207@justinshore.com>
Message-ID:

I'd second the experience. From my knowledge, the TenG interfaces are absolutely not supposed to be configured, and in fact, in at least 12.2(18)SXF8, cannot be modified at all (configuration attempts result in a "% This interface cannot be modified" message). I'd recommend moving both 6500s to the same code (it sounds like one is on a revision that allows TenG interface modifications) and starting from scratch with regards to applying the svclc assignments and interface configurations.
Removal/reapplication after setting the synthetic TenG interfaces to default configurations could possibly straighten this out.

--
robbie
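As an added example (not from the thread, and not Cisco code), here is a small Python script that does the comparison the thread walks through by hand: it expands the supervisor's 'sh svclc vlan-group' list (ranges such as 801-804 included) and diffs it against what each ACE reports in 'show vlans', so a VLAN that is in the group but not seen by the module, like vlan138 on ACE-B, gets flagged instead of eyeballed. The sample outputs are constructed from the ones pasted earlier in the thread, including the wrapped VLAN column in the vlan-group table.

```python
import re
from typing import Dict, Set

# Constructed sample outputs, modelled on the ones pasted in the thread
# (supervisor "sh svclc vlan-group" and ACE "show vlans"); not live captures.
SUP_VLAN_GROUP_OUTPUT = """\
Sea-6509-B#sh svclc vlan-group
Display vlan-groups created by both ACE module and FWSM commands

Group    Created by    vlans
-----    ----------    -----
 9706    FWSM
100,120,138,150,190,200,210,235,238,555,575,801-804,999
"""

ACE_A_SHOW_VLANS = """\
Sea-ACE-A/Admin# show vlans
Vlans configured on SUP for this module
  vlan100  vlan120  vlan138  vlan150  vlan190  vlan200  vlan210  vlan235
  vlan238  vlan555  vlan801-803  vlan999
"""

ACE_B_SHOW_VLANS = """\
Sea-ACE-B/Admin# show vlans
Vlans configured on SUP for this module
  vlan100  vlan200  vlan210  vlan235  vlan238  vlan555  vlan801-803
"""

_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")
_GROUP_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*([\d,\-]*)\s*$")
_CONTINUATION_RE = re.compile(r"^\s*[\d,\-]+\s*$")


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS-style VLAN list such as '100,120,801-804' into a set of IDs."""
    vlans: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        m = _RANGE_RE.match(token)
        if not m:
            raise ValueError(f"unexpected VLAN token {token!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {token}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_svclc_vlan_groups(output: str) -> Dict[int, Set[int]]:
    """Parse 'show svclc vlan-group' output into {group_id: set_of_vlans}."""
    groups: Dict[int, Set[int]] = {}
    current = None
    for line in output.splitlines():
        row = _GROUP_ROW_RE.match(line)
        if row:
            current = int(row.group(1))
            groups.setdefault(current, set())
            if row.group(3):
                groups[current] |= expand_vlan_list(row.group(3))
        elif current is not None and _CONTINUATION_RE.match(line):
            # A long VLAN column wraps onto the next line (as in the thread's
            # paste): a line of bare numbers/ranges continues the last group.
            groups[current] |= expand_vlan_list(line)
        else:
            current = None  # any other line ends a wrapped VLAN list
    return groups


def parse_ace_show_vlans(output: str) -> Set[int]:
    """Parse ACE 'show vlans' output ('vlan100 vlan801-803 ...') into a set of IDs."""
    tokens = re.findall(r"\bvlan(\d+(?:-\d+)?)\b", output)
    return expand_vlan_list(",".join(tokens))


def compare_group_to_module(groups: Dict[int, Set[int]], group_id: int,
                            module_view: Set[int]) -> Dict[str, Set[int]]:
    """'missing' = in the group but not seen by the module (the vlan138 case);
    'unexpected' = reported by the module but absent from the group."""
    expected = groups[group_id]
    return {"missing": expected - module_view, "unexpected": module_view - expected}


def main() -> None:
    groups = parse_svclc_vlan_groups(SUP_VLAN_GROUP_OUTPUT)
    for name, output in (("ACE-A", ACE_A_SHOW_VLANS), ("ACE-B", ACE_B_SHOW_VLANS)):
        diff = compare_group_to_module(groups, 9706, parse_ace_show_vlans(output))
        print(f"{name}: missing {sorted(diff['missing'])}, unexpected {sorted(diff['unexpected'])}")


if __name__ == "__main__":
    main()
```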
From justin at justinshore.com Fri Aug 22 15:16:49 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 22 Aug 2008 14:16:49 -0500
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com> <48AF03FA.2040207@justinshore.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com>
Message-ID: <48AF10A1.2070900@justinshore.com>

Which time? :-)

I didn't work the FWSM problem but from what I was told there was some problem with the internal vs overall VLAN structure having to do with VLANs being added or removed while already (or still) being assigned to the FWSM, etc. I can try to locate the case notes if needed. The problem was IOS-related, not FWSM-specific. That was the FWSM fix.

The IPSec SPA problem was horrible. I beat my head on the wall for months on that one, went through numerous TAC engineers too. I finally got that one TAC VPN Specialist and he knocked it out of the park. I'd turn up a new VLAN and within seconds the CPU would hit 100%. Come to find out that the VLAN I enabled was permitted as part of a range of VLANs that the SMEs configured on both sides of the IPSec SPA. Frames were getting looped through the SPA in a never-ending circle. The VLAN I'm referring to had HSRP configured on it. The Sup was bombarded with HSRP packets which I assume are processed in SW because the CPU was thoroughly hammered. I did a packet capture on the IPSec SPA ints. Within a second of running tcpdump I'd ctrl-c it.
tcpdump had caught roughly 250k of packets and missed 500k. That's a lot of packets for a processor to chew on! I had some VLANs without a FHRP configured. Mirroring an IPSec SPA GigE int showed all sorts of traffic that shouldn't have been on the IPSec SPA at all. And in the end I came to find out that the VLAN ranges on those ports were causing the problem.

I got conflicting answers from TAC on what those 2 ints did. Some engineers said that the first int was L2 and the second was L3 (made no sense but I couldn't argue). Some said that all VLANs should be permitted on both ints and that the SPA would sort it out (that would have been fun!). Others had it partially right, that one was the encrypted outside of the VLAN and the other was the unencrypted inside. However they went on to state that the VLAN list for each int should match what you have configured with your crypto engine commands. I.e., all 'crypto engine slot x/y outside' VLANs were to be allowed on the first 1Q trunk and all the inside VLANs were to be on the second. Some engineers added to that saying that the inside VLANs should only be on the 2nd int but that the outside VLANs should be on both. It was a real cluster and resulted in some of the longest downtime this phone company and our class-5 switches had ever experienced. That VPN Specialist bailed us out though. I'm always coming up with really weird, baffling problems like that.

One last thing. Our 7600s have single Sups. It was a design choice that I plan on someday correcting. However in the 3 TAC cases where we've been told to reboot the chassis to correct the problem I always make a point to ask if we had 2 Sups would failing over the Sups fix the problem. In none of the 3 cases was the answer ever yes. It took reboots to fix all 3 major problems (the 3rd had to do with VRFs that would not disappear after deleting them).

Good luck
Justin

Teller, Robert wrote:
> Hmmm that is really weird rebooting the chassis fixed it.
> Any idea what could have happened?
>
> Is it just me or do the ace modules take FOREVER to boot up?
>
> I also noticed that if I configure the ANM software to administer the
> ace modules when I type show run on the active context it just hangs and
> nothing happens. Anyone else experience this?
>
> -----Original Message-----
> From: Justin Shore [mailto:justin at justinshore.com]
> Sent: Friday, August 22, 2008 11:23 AM
> To: Teller, Robert
> Cc: Tony Varriale; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>>>> #########################################################
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From vijay.ramcharan at verizonbusiness.com Fri Aug 22 15:55:42 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 22 Aug 2008 19:55:42 +0000
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <024301c903ed$10831b90$f211a8c0@flamadam>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F05374E8C@ASHEVS011.mcilink.com>

I second the remove and reapply. I have seen this happen before.
Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: August 21, 2008 20:22
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

I'm partially confused as you are missing a number of vlans not just 138.

Can you remove it and reapply?

The only other thing I can think of is sh int trunk and see if the vlan is getting pruned back.

tv

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Fri Aug 22 16:31:52 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 22 Aug 2008 22:31:52 +0200
Subject: [c-nsp] OSPF point-to-point vs dr/bdr
In-Reply-To: <20080822172821.GJ24210@rtp-cse-489.cisco.com>
References: <48AC4099.9010809@heanet.ie> <20080820.182922.74694833.sthaug@nethelp.no> <200808201315.02110.kratzers@pa.net> <20080820.194351.41689631.sthaug@nethelp.no> <20080820181602.GI1454@rtp-cse-489.cisco.com> <48AC6585.9070701@heanet.ie> <20080820202259.GF3810@rtp-cse-489.cisco.com> <48AD2CA5.8010202@heanet.ie> <20080822172821.GJ24210@rtp-cse-489.cisco.com>
Message-ID: <20080822203152.GV288@greenie.muc.de>

Hi,

On Fri, Aug 22, 2008 at 01:28:21PM -0400, Rodney Dunn wrote:
> "ethernet point-to-point"
[..]
> What about if at the first pass you had to manually configure
> the next hop ip/mac address manually?

No good. Swap router on the other end, spend days troubleshooting.

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From vijay.ramcharan at verizonbusiness.com Fri Aug 22 16:27:58 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 22 Aug 2008 20:27:58 +0000
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com> <48AF03FA.2040207@justinshore.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F05374F58@ASHEVS011.mcilink.com>

Well it appears that there are other issues than just an ACE interface that won't show up as assigned.

Regarding the bootup time, early code versions took what seemed to be about 10 minutes to boot up, IIRC (10 minutes is forever in my book). Last time I did a software upgrade to the then latest available code 3.0.0_A1_6_3a, both modules came up significantly faster so looks like some optimization has been done there. You may want to look into doing a software upgrade. If you haven't as yet looked at any release notes, the caveat list on each release may be somewhat of a surprise. I see that A2 software was recently released.
The release notes can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/RACEA2X.html#wp403943

I remember trying to generate a CSR on the earlier version of code and having the ACE spontaneously reboot. At least the standby module took over as expected. Then there's the dreaded standby "COLD" state...

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
Sent: August 22, 2008 14:38
To: Justin Shore
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

Hmmm, that is really weird: rebooting the chassis fixed it. Any idea what could have happened?

Is it just me or do the ace modules take FOREVER to boot up? I also noticed that if I configure the ANM software to administer the ace modules, when I type show run on the active context it just hangs and nothing happens. Anyone else experience this?

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: Friday, August 22, 2008 11:23 AM
To: Teller, Robert
Cc: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Context

I haven't worked with an ACE yet but I have two possibly related stories to relay.

Our FWSM internal 1Q trunks (firewall-group) got hosed up shortly after their deployment in our 7600s (SR code). We'd add a VLAN and it would show up in the firewall-group config line and it would appear in the FWSM sys context but it would not come up/up in the context. No data could be passed by the FWSM on those VLANs. TAC determined that a reboot of the FWSM was necessary. We rebooted the FWSM to no avail. When that failed TAC instructed us to power cycle the chassis. Doing that resolved the VLAN issue. IIRC we were on an SRAn release at the time. I later upgraded to SRB. Prior to the mentioning of the 10G interface this fit your problem more but I didn't have time to write it up at the time.

The second story has to do with the special 10G internal interfaces. We had a couple SMEs out to install and configure a pair of IPSec SPAs in the SSC-400 carriers in our 7600s. The SMEs manually configured the 2 internal GigE ints on the SPAs with the VLANs that they thought should be on them. The virtual ints were 1Q trunks. A few months later, after battling extremely weird problems (traffic from VLAN x appearing on VLAN y with a significant delay in the middle, dupe frames, packet loss, 7600s crashing, etc.), I found a TAC engineer who could explain how the IPSec SPA ints were supposed to be configured. As it turns out you are not supposed to touch the virtual ints when running in VRF Mode, period. Under no circumstances do you touch the ints when in VRF Mode. The inside and outside VLANs are configured automatically as you configure VRF in crypto statements. Turns out that the SMEs had configured numerous VLANs on both virtual ints and in many cases the VLANs overlapped. I.e., you had the same VLANs on both sides of the SPA, both the encrypted side and the unencrypted side. The auto config stopped as soon as they modified the interface config manually. My TAC engineer (a VPN specialist) couldn't believe it actually worked, even a little. He helped me fix the problem though. I had to pull the SPAs, reboot both 7600s, reinsert the SPAs, and reconfigure crypto from the ground up without touching the 1 GigE internal ints.

I mention this story in case these internal 10G ints aren't supposed to be manually configured but are instead supposed to be configured automatically based on the svclc group commands. None of this may be related though. Good luck.

FYI
Justin

Teller, Robert wrote:
> So it looks like the problem is that the interface associated to the ace is configurable. Does anyone know how to remove it without rebuilding the chassis?
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
> Sent: Friday, August 22, 2008 9:08 AM
> To: Tony Varriale; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>
> So on Chassis-B interface tengig 7/1 is configured differently than chassis-A. And I can't even get into chassis-a tengig 7/1 to make any changes to it.
>
> interface TenGigabitEthernet7/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100,120,138,150,190,200,210,235,238,555,575
>  switchport trunk allowed vlan add 801-804,999
>  switchport mode trunk
>  switchport nonegotiate
>  mls qos trust cos
>  flowcontrol receive on
>  no cdp enable
> end
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From RTeller at deltadentalwa.com Fri Aug 22 19:01:03 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 22 Aug 2008 16:01:03 -0700
Subject: [c-nsp] Cisco ACE Context
In-Reply-To: <509A5E22DDC70B4DA85EA7C06C8FDA8F05374F58@ASHEVS011.mcilink.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com>
<06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com> <48AF03FA.2040207@justinshore.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com> <509A5E22DDC70B4DA85EA7C06C8FDA8F05374F58@ASHEVS011.mcilink.com> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010CD@tiger.deltadentalwa.com> So what is this dreaded cold standby you speak of because I think I am experiencing it. -----Original Message----- From: Ramcharan, Vijay A [mailto:vijay.ramcharan at verizonbusiness.com] Sent: Friday, August 22, 2008 1:28 PM To: Teller, Robert Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cisco ACE Context Well it appears that there are other issues than just an ACE interface that won't show up as assigned. Regarding the bootup time, early code versions took what seemed to be about 10 minutes to boot up, IIRC (10 minutes is forever in my book). Last time I did a software upgrade to the then latest available code 3.0.0_A1_6_3a, both modules came up significantly faster so looks like some optimization has been done there. You may want to look into doing a software upgrade. If you haven't as yet looked at any release notes, the caveat list on each release may be be somewhat of a surprise. I see that A2 software was recently released. The release notes can be found here: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/ v3.00_A2/release/note/RACEA2X.html#wp403943 I remember trying to generate a CSR on the earlier version of code and having the ACE spontaneously reboot. At least the standby module took over as expected. Then there's the dreaded standby "COLD" state... Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert Sent: August 22, 2008 14:38 To: Justin Shore Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ACE Context Hmmm that is really weird rebooting the chassis fixed it. Any idea what could have happened? 
Is it just me or do the ace modules take FOREVER to boot up? I also noticed that if I configure the ANM software to administer the ace modules when I type show run on the active context it just hangs and nothing happens. Anyone else experience this? -----Original Message----- From: Justin Shore [mailto:justin at justinshore.com] Sent: Friday, August 22, 2008 11:23 AM To: Teller, Robert Cc: Tony Varriale; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco ACE Context I haven't worked with an ACE yet but I have two possibly related stories to relay. Our FWSM internal 1Q trunks (firewall-group) got hosed up shortly after their deployment in our 7600s (SR code). We'd add a VLAN and it would show up in the firewall-group config line and it would appear in the FWSM sys context but it would not come up/up in the context. No data could be passed by the FWSM on those VLANs. TAC determined that a reboot of the FWSM was necessary. We rebooted the FWSM to no avail. When that failed TAC instructed us to power cycle the chassis. Doing that resolved the VLAN issue. IIRC we were on a SRAn release at the time. I later upgraded to SRB. Prior to the mentioning of the 10G interface this fit you problem more but I didn't have time to write it up at the time. The second story has to do with the special 10G internal interfaces. We had a couple SMEs out to install and configure a pair of IPSec SPAs in the SSC-400 carriers in our 7600s. The SMEs manually configured the 2 internal GigE ints on the SPAs with the VLANs that they thought so be on them. The virtual ints were 1Q trunks. A few months later after battling extremely weird problems (traffic from VLAN x appearing on VLAN y with a significant delay in the middle, dupe frames, packet loss, 7600s crashing, etc) I found a TAC engineer who could explain how the IPSec SPA ints were supposed to be configured. As it turns out you are not supposed to touch the virtual ints when running in VRF Mode, period. 
Under no circumstances do you touch the ints when in VRF Mode. The inside and outside VLANs are configured automatically as you configure VRF in crypto statements. Turns out that the SMEs had configured numerous VLANs on both virtual ints and in many cases the VLANs overlapped. I.e., you had the same VLANs on both sides of the SPA, both the encrypted side and the unencrypted side. The auto config stopped as soon as they modified the interface config manually. My TAC engineer (a VPN specialist) couldn't believe it actually worked, even a little. He helped me fix the problem though. I had to pull the SPAs, reboot both 7600s, reinsert the SPAs, and reconfigure crypto from the ground up without touching the 1 GigE internal ints.

I mention this story in case these internal 10G ints aren't supposed to be manually configured but are instead supposed to be configured automatically based on the svclc group commands. None of this may be related though. Good luck.

FYI
Justin

Teller, Robert wrote:
> So it looks like the problem is that the interface associated to the ace
> is configurable. Does anyone know how to remove it without rebuilding
> the chassis?
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
> Sent: Friday, August 22, 2008 9:08 AM
> To: Tony Varriale; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>
> So on Chassis-B interface tengig 7/1 is configured differently than
> chassis-A. And I can't even get into chassis-a tengig 7/1 to make any
> changes to it.
>
> interface TenGigabitEthernet7/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100,120,138,150,190,200,210,235,238,555,575
>  switchport trunk allowed vlan add 801-804,999
>  switchport mode trunk
>  switchport nonegotiate
>  mls qos trust cos
>  flowcontrol receive on
>  no cdp enable
> end
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Thursday, August 21, 2008 5:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>
> I'm partially confused as you are missing a number of vlans not just
> 138.
>
> Can you remove it and reapply?
>
> The only other thing I can think of is sh int trunk and see if the vlan
> is getting pruned back.
>
> tv
> ----- Original Message -----
> From: "Teller, Robert"
> To: "Christian Koch"
> Cc: "Tony Varriale" ;
> Sent: Thursday, August 21, 2008 6:53 PM
> Subject: RE: [c-nsp] Cisco ACE Context
>
>
> Sea-6509-B#sh svclc vlan-group
> Display vlan-groups created by both ACE module and FWSM commands
>
> Group    Created by    vlans
> -----    ----------    -----
> 9706     FWSM          100,120,138,150,190,200,210,235,238,555,575,801-804,999
>
> -----Original Message-----
> From: Christian Koch [mailto:christian at broknrobot.com]
> Sent: Thursday, August 21, 2008 4:53 PM
> To: Teller, Robert
> Cc: Tony Varriale; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ACE Context
>
> what do you see when you do a 'sh svclc vlan-group' on the 6500 that
> ace-b is installed in?
>
>
> On Thu, Aug 21, 2008 at 7:32 PM, Teller, Robert wrote:
>> That is correct.
>> But if I do show vlan on the ace module it doesn't show
>> up even though it is associated to vlan group 9706
>>
>> Sea-ACE-A/Admin# show vlans
>> Vlans configured on SUP for this module
>> vlan100 vlan120 vlan138 vlan150 vlan190 vlan200 vlan210 vlan235
>> vlan238 vlan555 vlan801-803 vlan999
>>
>> Sea-ACE-B/Admin# show vlans
>> Vlans configured on SUP for this module
>> vlan100 vlan200 vlan210 vlan235 vlan238 vlan555 vlan801-803
>>
>>
>> -----Original Message-----
>> From: Tony Varriale [mailto:tvarriale at comcast.net]
>> Sent: Thursday, August 21, 2008 4:16 PM
>> To: Teller, Robert; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Cisco ACE Context
>>
>> Would you do a sh vlan b on sup-b?
>>
>> Is 138 there?
>>
>> tv
>> ----- Original Message -----
>> From: "Teller, Robert"
>> To:
>> Sent: Thursday, August 21, 2008 5:47 PM
>> Subject: [c-nsp] Cisco ACE Context
>>
>>
>>> I have two cisco 6509 chassis with ace and fwsm modules. I have
>>> configured the ace blades to use an internal and external context. On
>>> ACE-A I am able to bring up both contexts and everything talks just
>>> fine but on ACE-B I can't bring up vlan 138. Is there something I'm
>>> missing?
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> svclc autostate
>>> svclc multiple-vlan-interfaces
>>> svclc module 7 vlan-group 9706,
>>> firewall autostate
>>> firewall multiple-vlan-interfaces
>>> firewall module 3 vlan-group 9706,
>>> firewall vlan-group 9706 100,120,138,150,190,200,210,235,238,555,575,801-804
>>> firewall vlan-group 9706 999
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> ADMIN Context
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> ft interface vlan 801
>>>   ip address XXX.XXX.XXX.145 255.255.255.252
>>>   peer ip address XXX.XXX.XXX.146 255.255.255.252
>>>   no shutdown
>>>
>>> ft peer 1
>>>   heartbeat interval 300
>>>   heartbeat count 20
>>>   ft-interface vlan 801
>>> ft group 1
>>>   peer 1
>>>   priority 200
>>>   associate-context Admin
>>>   inservice
>>>
>>> context WDS-External
>>>   allocate-interface vlan 138
>>> context WDS-Internal
>>>   allocate-interface vlan 238
>>>
>>> ft group 2
>>>   peer 1
>>>   priority 200
>>>   associate-context WDS-Internal
>>>   inservice
>>> ft group 3
>>>   peer 1
>>>   priority 200
>>>   associate-context WDS-External
>>>   inservice
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> context WDS-External
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> interface vlan 138
>>>   ip address XXX.XXX.XXX.150 255.255.255.192
>>>   alias XXX.XXX.XXX.188 255.255.255.192
>>>   peer ip address XXX.XXX.XXX.189 255.255.255.192
>>>   access-group input any
>>>   service-policy input REMOTE_MGMT_ALLOW_POLICY
>>>   no shutdown
>>>
>>> vlan138 is down, VLAN not assigned from the supervisor
>>>   Hardware type is VLAN
>>>   MAC address is 00:1f:6c:89:0c:33
>>>   Mode : routed
>>>   IP address is XXX.XXX.XXX.150 netmask is 255.255.255.192
>>>   FT status is standby
>>>   Description:not set
>>>   MTU: 1500 bytes
>>>   Last cleared: never
>>>   Alias IP address is XXX.XXX.XXX.188 netmask is 255.255.255.192
>>>   Peer IP address is XXX.XXX.XXX.189 Peer IP netmask is 255.255.255.192
>>>   Not assigned from the Supervisor, down on Supervisor
>>>   Service-policy download failures : 3
>>>     0 unicast packets input, 0 bytes
>>>     0 multicast, 0 broadcast
>>>     0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
>>>     0 unicast packets output, 0 bytes
>>>     0 multicast, 0 broadcast
>>>     0 output errors, 0 ignored
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>>
>>> Robert Teller
>>> Washington Dental Service
>>> Network Administrator
>>> (206) 528-2371
>>> RTeller at DeltaDentalWa.com
>>>
>>> #########################################################
>>> The information contained in this e-mail and subsequent attachments may be privileged,
>>> confidential and protected from disclosure. This transmission is intended for the sole
>>> use of the individual and entity to whom it is addressed. If you are not the intended
>>> recipient, any dissemination, distribution or copying is strictly prohibited. If you
>>> think that you have received this message in error, please e-mail the sender at the above
>>> e-mail address.
>>> #########################################################
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ryanclambert at gmail.com  Fri Aug 22 22:01:41 2008
From: ryanclambert at gmail.com (Ryan Lambert)
Date: Fri, 22 Aug 2008 22:01:41 -0400
Subject: [c-nsp] Interesting 7206 behavior
Message-ID: <001801c904c4$3087ff50$9197fdf0$@com>

Running a 7206VXR with NPE-300. Code 12.0(28)S6. For what it's worth, the two T1s land on a PA-MC-2T3+.

Anyone seen anything similar to this before? I took a quick peek on Cisco's site for anything relevant, but I didn't come up with much. As per usual, browsing the list of bugs managed to freak me out, but I didn't see exactly what I was looking for.
router(config-if)#int mu16
router(config-if)#service-policy output Customer_QoS-Colo
Service policies on multilink interfaces are not supported
router(config-if)#int ser5/1/25:0
router(config-if)#service-policy output Customer_QoS-Colo
Serial5/1/25:0 is a member of a multilink/mfr bundle. Please attach the service-policy to the multilink/mfr interface instead.

I did sanitize some of this to take out router/customer names, but this is the actual output, if you can believe that.

As a side note, this works if I rip one of the T1s out of the MLPPP bundle and apply the policy to the individual serial interface. Does not work -ever- on the Multilink interface, or on an interface that is part of a multilink group.

Thanks,
-Ryan

From ryanclambert at gmail.com  Fri Aug 22 22:14:12 2008
From: ryanclambert at gmail.com (Ryan Lambert)
Date: Fri, 22 Aug 2008 22:14:12 -0400
Subject: [c-nsp] Interesting 7206 behavior
Message-ID: <001d01c904c5$f0b80530$d2280f90$@com>

Well, guess I should have waited 5 more minutes to hit "send" ;)

I did just manage to find something that seems to suggest I may be out of luck short of an upgrade. I meet the "affected versions" criteria.

Bug ID CSCsi23203. Remove service policy from T1 prior to adding it to the multilink bundle

Symptom: When adding T1s (which already have QoS applied) to a multilink bundle and you do not remove the QoS service policy from the links, IOS does not remove it from the member links. When you remove it from the member links and the links are up and active, the VIP crashes. If you do this while disabled, there is no issue.

Conditions: Service policy must be applied to standalone T1s

Workaround: First remove the service policy from the serial member links and then add the T1's to the multilink bundle

Booooooo.
-Ryan

From dhooper at emerge.net.au  Sat Aug 23 02:39:03 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Sat, 23 Aug 2008 14:39:03 +0800
Subject: [c-nsp] best fault management solutions?
In-Reply-To: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
References: <1A9866F953006D45AEE0166066114E09129069AE@TPMAIL02.corp.theplatform.com>
Message-ID:

Hi,

I use Opsview (www.opsview.org) to achieve fault monitoring over a variety of Cisco devices. I find myself writing a lot of plugins for it and forever hunting down SNMP OIDs to monitor conditions important to me, but I think any fault management system requires a certain amount of massaging to make it fit.

-Dan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
Sent: Friday, 22 August 2008 1:29 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] best fault management solutions?
I've had it with Ciscoworks. I'm not new to getting LMS working properly, I'm just tired of lowering my expectations. Device discovery is hit and miss, new versions seem progressively worse, and the whole product is about as ergonomic as a pile of broken glass. I've stripped it down to just common services and DFM, but there just isn't enough value there relative to resources.

So, I'm looking for DFM-like replacement recommendations. I currently have configuration and performance management covered by rancid, cacti, syslog-ng and a few other open source tools, and I have netflow taken care of. I'm just having trouble finding a good solution for device fault management (i.e. temp, fan, interface errors, queues, broadcast rate, bgp neighbor state changes, etc) for a mostly-Cisco environment. I need something with a little bit of intelligence, not just a simple trap forwarder. Have already evaluated Orion, but it has too many extras that I don't need (i.e. netflow, traffic graphs, configs, et al are already handled) and not enough of what I do need (device awareness, alerting).

Not concerned with cost and platform, thanks in advance.

- Gregori

From sshafi at gmail.com  Sat Aug 23 04:42:44 2008
From: sshafi at gmail.com (Lala Lander)
Date: Sat, 23 Aug 2008 01:42:44 -0700
Subject: [c-nsp] Web Caches
Message-ID:

Hi guys,

I am looking for information on Web Caches. I need to find out what vendors are out there and what is your deployment and operational experience. My objective is to reduce Internet bandwidth usage and some URL filtering. I am currently evaluating BlueCoat and Secure Computing but I need your opinion before I test them any further.

thanks.
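Whichever box is chosen, the usual way to put a cache inline on Cisco gear is WCCPv2 redirection from the router; BlueCoat, Webwasher and Squid all register as WCCP caches. The following is an added example by the editor, not configuration from any message in this thread. The topology is assumed: clients sit behind FastEthernet0/0 in 10.1.0.0/16, the cache is 10.1.1.10 on FastEthernet0/1, and 10.1.2.0/24 is an assumed monitoring subnet that should bypass the cache. The security-relevant parts are the group-list and the password: without them any host on the segment can register as a "cache" and have all client web traffic redirected to it.

```cisco
! Added example, not from the original posts. Interfaces, addresses and the
! shared secret below are assumptions.
ip wccp version 2
!
! Which hosts may register as caches in the web-cache service group.
access-list 10 permit host 10.1.1.10
!
! Which client traffic gets redirected. Never redirect the cache's own traffic
! (it would loop) and exclude hosts that must see the origin server directly.
! Only TCP/80 is redirected; 443 is left alone unless the cache does SSL
! interception and you have a reason to want that.
access-list 110 deny   ip host 10.1.1.10 any
access-list 110 deny   tcp 10.1.2.0 0.0.0.255 any eq www
access-list 110 permit tcp 10.1.0.0 0.0.255.255 any eq www
access-list 110 deny   ip any any
!
! "password" turns on MD5 authentication of the WCCP "here I am" / "I see you"
! exchange; the same secret must be configured on the cache.
ip wccp web-cache redirect-list 110 group-list 10 password 0 ChangeMe-Wccp
!
interface FastEthernet0/0
 description client side
 ip address 10.1.0.1 255.255.0.0
 ip wccp web-cache redirect in
!
interface FastEthernet0/1
 description cache segment
 ip address 10.1.1.1 255.255.255.0
 ip wccp redirect exclude in
!
! Verify:  show ip wccp            (redirected packet counters)
!          show ip wccp web-cache detail   (which caches registered, and with what ID)
```

If `show ip wccp web-cache detail` shows a cache you did not deploy, the group-list is missing or wrong. On software-forwarding routers GRE redirection is the default and costs CPU; on 6500/7600 class hardware you would normally force L2 redirection from the cache side and keep the redirect-list to what the hardware can handle.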
From RTeller at deltadentalwa.com  Sat Aug 23 09:14:18 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Sat, 23 Aug 2008 06:14:18 -0700
Subject: [c-nsp] Web Caches
In-Reply-To:
References:
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010D0@tiger.deltadentalwa.com>

I am using Secure Computing's Webwasher and the setup works really well. It's a little more than BlueCoat but cheaper if you go for an HA setup.

From adrian at creative.net.au  Sat Aug 23 10:13:37 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Sat, 23 Aug 2008 22:13:37 +0800
Subject: [c-nsp] Web Caches
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010D0@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010D0@tiger.deltadentalwa.com>
Message-ID: <20080823141337.GA20788@skywalker.creative.net.au>

Squid also does a reasonable job and there are patches to integrate it into SmartFilter and other commercial products.

Adrian

On Sat, Aug 23, 2008, Teller, Robert wrote:
> I am using Secure Computing's Webwasher and the setup works really well.
> It's a little more than BlueCoat but cheaper if you go for an HA setup.

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From avayner at cisco.com  Sat Aug 23 10:39:42 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 23 Aug 2008 16:39:42 +0200
Subject: [c-nsp] Interesting 7206 behavior
In-Reply-To: <001801c904c4$3087ff50$9197fdf0$@com>
References: <001801c904c4$3087ff50$9197fdf0$@com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C25DAE@xmb-ams-331.emea.cisco.com>

Ryan,

It seems QoS support on multilink ports was disabled in 12.0(28)S due to some major issues between the LFI and QoS code. The support is there in newer software, specifically the 12.2SB. I suggest you try using 12.2(31)SB.

I think this link could help:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/mcmlp.html

Thanks
Arie

From ryanclambert at gmail.com  Sat Aug 23 14:07:02 2008
From: ryanclambert at gmail.com (Ryan Lambert)
Date: Sat, 23 Aug 2008 14:07:02 -0400
Subject: [c-nsp] Interesting 7206 behavior
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501C25DAE@xmb-ams-331.emea.cisco.com>
References: <001801c904c4$3087ff50$9197fdf0$@com> <67F7C1FAF83A074AA3520D8F155782A501C25DAE@xmb-ams-331.emea.cisco.com>
Message-ID: <000001c9054b$0bc5faa0$2351efe0$@com>

Arie,

Thanks for the information. I thought it was a little curious that the feature was there, it was just bouncing me back and forth between "go here" and "just kidding, not supported!".

We are looking at NPE upgrades anyway, so this is at least something I can table for discussion come Monday.

Thanks again!
-Ryan

From agirling at denetron.com  Sat Aug 23 19:25:22 2008
From: agirling at denetron.com (Andrew Girling)
Date: Sat, 23 Aug 2008 19:25:22 -0400
Subject: [c-nsp] smoke and condensation damage to routers
In-Reply-To:
References:
Message-ID: <097DA560-2CC6-45CB-BCAB-99DE77A845AE@denetron.com>

On Aug 20, 2008, at 7:44 PM, Darrell Root wrote:

> From my standpoint I don't want to trust any of this gear in
> production. Of course, the insurance
> adjustor sees gear that appears undamaged and is now completely dry.
>
> Anyone have experience running gear that was subjected to smoke, and
> possibly some
> condensation? Did it result in abnormal outages in the future?

Darrell,

I've dealt with a fire in an academic building that affected a communication closet in close proximity. Due to cleanup efforts and health regulations, it was about a week before the building and floor were accessible for service. Our first priority was to replace data/telecom cabling and resume service to floors above/below the fire damaged by heat and water.
By the time the gear was replaced, it had been running for several weeks caked in soot. We had sent the equipment out to a local disaster/environmental cleanup company that specialized in electronics. The switches were returned, tested, and redeployed in other areas without incident, and have been in service for a number of years since.

Safety is the number one concern. The potential for the gear to catch fire, electrocute someone, etc are all risks that NEED to be addressed. The gear should be cleaned/certified by the vendor, an electronics disaster recovery company, or replaced by your insurance. As Ian said, ask the adjuster to provide certification paperwork, which will likely make them reconsider their decision that "it is fine".

Regards,
Andrew

From danletkeman at gmail.com  Sun Aug 24 00:26:53 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 23 Aug 2008 23:26:53 -0500
Subject: [c-nsp] route availability
Message-ID:

Hello,

I currently have four default routes on a 2621 router that is doing load balancing to four ADSL modems/routers (which are doing NAT).

ip cef
ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253
ip route 0.0.0.0 0.0.0.0 192.168.11.254

This is working for load balancing, but when one of the modems stops working I basically lose all connection to the internet. What would be the best way to verify the availability of the next hop?

Thanks,
Dan.
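An added example by the editor (not from any message in the thread) of what tying those four defaults to Enhanced Object Tracking looks like for exactly this setup. Two things are assumptions: FastEthernet0/0 stands for the interface on the 192.168.11.0/24 modem segment, and the 192.0.2.x addresses stand for something upstream of each modem that reliably answers ICMP (the ISP's DNS servers are a common choice). The image needs IP SLA and the `track` keyword on static routes (12.3T/12.4 trains; older images spell `ip sla` as `rtr`).

```cisco
! Added example, not from the original posts. Probe targets and interface name are
! assumptions.
!
! A probe to each target is pinned to one modem with a host route, so each probe
! tests one ADSL path end to end. Pinging the modem's LAN address (192.168.11.25x)
! is not enough: it answers even when its line is down, which is the failure Dan
! describes.
ip route 192.0.2.1 255.255.255.255 192.168.11.251
ip route 192.0.2.2 255.255.255.255 192.168.11.252
ip route 192.0.2.3 255.255.255.255 192.168.11.253
ip route 192.0.2.4 255.255.255.255 192.168.11.254
!
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 192.0.2.3 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 192.0.2.4 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 4 life forever start-time now
!
! Dampening: a path must fail for 30 s before its default is withdrawn and be back
! for 60 s before it is reinstalled, so a lossy line does not flap the routing table.
track 1 ip sla 1 reachability
 delay down 30 up 60
track 2 ip sla 2 reachability
 delay down 30 up 60
track 3 ip sla 3 reachability
 delay down 30 up 60
track 4 ip sla 4 reachability
 delay down 30 up 60
!
! Replace the untracked defaults with tracked ones. CEF keeps per-destination
! load-sharing across whichever of the four are currently installed.
no ip route 0.0.0.0 0.0.0.0 192.168.11.251
no ip route 0.0.0.0 0.0.0.0 192.168.11.252
no ip route 0.0.0.0 0.0.0.0 192.168.11.253
no ip route 0.0.0.0 0.0.0.0 192.168.11.254
ip route 0.0.0.0 0.0.0.0 192.168.11.251 track 1
ip route 0.0.0.0 0.0.0.0 192.168.11.252 track 2
ip route 0.0.0.0 0.0.0.0 192.168.11.253 track 3
ip route 0.0.0.0 0.0.0.0 192.168.11.254 track 4
!
! Verify:  show track brief         (Up/Down per tracked object)
!          show ip sla statistics   (probe success/failure)
!          show ip route 0.0.0.0    (only live paths should be listed)
```

Two caveats worth stating. Each modem is doing NAT, so existing TCP sessions pinned to a failed modem still die; tracking only stops new flows from being hashed onto the dead path. And because each probe's fate depends on one remote target, pick four different targets inside the ISP rather than one well-known address, or a single far-end outage will pull all four defaults at once.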
From avayner at cisco.com  Sun Aug 24 01:12:26 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 24 Aug 2008 07:12:26 +0200
Subject: [c-nsp] route availability
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C25DCD@xmb-ams-331.emea.cisco.com>

Dan,

Take a look at "Enhanced Object Tracking":
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_eot.html

Arie

From nic.tjirkalli at za.verizonbusiness.com  Sun Aug 24 03:19:38 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Sun, 24 Aug 2008 09:19:38 +0200 (SAST)
Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
Message-ID:

howdy ho all,

Was hoping I could use this forum to get some direction on resolving a strange issue I have with a DMVPN setup. All works 100% if I do not protect the tunnels with IPSEC. As soon as I enable IPSEC the tunnels stop passing traffic.

The setup :-
============

All routers are CISCO 1841 platforms.
The IOS image is :- C1841-ADVIPSERVICESK9-M c1841-advipservicesk9-mz.124-21.bin

HUB Router
----------

HUB router connects via ADSL (a PPPoE session over ethernet) and then fires up an L2TP tunnel to obtain a static IP address. The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1). This IP address is the NHS. All connections to/from the hub use the address of 196.47.0.204. Tunnel interface on the hub router is 10.0.0.1

Spoke Router
------------

The Spoke router (there are 2, I am just showing one) connects via ADSL (a PPPoE session over ethernet) and obtains a dynamic IP address. The spoke routers use Dialer1 as their interface into the NHRP cloud. NHRP comes up, and if I do not use IPSEC encryption on the Tunnel interface, i.e. do not add the command

tunnel protection ipsec profile DMVPN

on Tunnel0, all works perfectly. Tunnel interface on the hub router is 10.0.0.3

The Problem
===========

When I enable IPSEC encryption on the tunnel interfaces on all routers then things break. I have tried with both 3DES and AES and same issue. All the crypto sessions seem correct - correct SAs come up. The dynamically created crypto-maps seem correct. BUT on the spoke routers, IPSEC reports that no packets are being de-encapsulated, but no errors are reported.

nhrp-spoke-2#show crypto ipsec sa

interface: Tunnel0
   local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

But on the HUB,
all is well protected vrf: (none) local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0) current_peer 41.195.37.191 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153 #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 Any ideas/thoughts would be greatly appreciated. The configuration's and some useful output are below HUB Configuration ================= hostname adsl-nhrp-hub ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging ! no aaa new-model ip cef ! ! ! ! no ip domain lookup ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 vpdn enable ! l2tp-class l2tpclass1 authentication password 7 03070E0C2E572B6A1719 ! ! ! ! ! ! pseudowire-class pwclass1 encapsulation l2tpv2 protocol l2tpv2 l2tpclass1 ip local interface Dialer1 ! ! ! crypto isakmp policy 10 encr aes hash md5 authentication pre-share group 2 crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac ! crypto ipsec profile DMVPN set transform-set 3DES_MD5 ! ! ! ! interface Loopback0 ip address 172.16.1.1 255.255.255.255 ! interface Tunnel0 ip address 10.0.0.1 255.255.255.0 no ip redirects ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication xxxxxxxxxx ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 60 ip nhrp registration timeout 30 ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 tunnel source Virtual-PPP1 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile DMVPN ! interface Null0 no ip unreachables ! interface FastEthernet0/0 no ip address speed 100 full-duplex pppoe enable group global pppoe-client dial-pool-number 1 ! 
interface FastEthernet0/1 no ip address duplex auto speed auto ! interface Virtual-PPP1 ip address negotiated ip mtu 1452 ip virtual-reassembly no logging event link-status no peer neighbor-route no cdp enable ppp chap hostname XXXXX ppp chap password 7 XXXXXX ppp pap sent-username XXXX password 7 XXXXX pseudowire 196.30.121.42 10 pw-class pwclass1 ! interface Dialer1 mtu 1492 ip address negotiated ip virtual-reassembly encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 ppp chap hostname XXX ppp chap password 7 XXXX ppp pap sent-username XXXX password 7 XXXX ! router eigrp 1 redistribute connected route-map to-eigrp redistribute static passive-interface Dialer1 network 10.0.0.0 0.0.0.255 no auto-summary ! no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 ip route 196.30.121.42 255.255.255.255 Dialer1 ! ! ip http server no ip http secure-server ! ! ip prefix-list local seq 5 permit 41.195.37.0/24 le 32 ip prefix-list local seq 10 permit 196.47.0.0/16 le 32 access-list 1 permit any access-list 2 deny any access-list 3 permit 10.0.0.2 access-list 3 permit 10.222.0.1 access-list 3 permit 10.222.0.2 access-list 3 permit 10.244.0.2 no cdp run ! route-map to-eigrp deny 10 match ip address prefix-list local ! 
route-map to-eigrp permit 1000

adsl-nhrp-hub#show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 41.195.37.191

adsl-nhrp-hub#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
   current_peer 41.195.37.174 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
     current outbound spi: 0xD9D819B1(3654818225)

     inbound esp sas:
      spi: 0x8AD878CD(2329442509)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4437499/1923)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD9D819B1(3654818225)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4437454/1923)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   current_peer 41.195.37.191 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
     current outbound spi: 0x6E27D1C2(1848103362)

     inbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4478781/3289)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E27D1C2(1848103362)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4478771/3289)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

adsl-nhrp-hub#show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 3DES_MD5, }

Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 41.195.37.174
        Extended IP access list
            access-list  permit gre host 196.47.0.204 host 41.195.37.174
        Current peer: 41.195.37.174
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 3DES_MD5, }

Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 41.195.37.191
        Extended IP access list
            access-list  permit gre host 196.47.0.204 host 41.195.37.191
        Current peer: 41.195.37.191
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 3DES_MD5, }

        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0

adsl-nhrp-hub#show crypto engine connections active
  ID Interface      IP-Address      State  Algorithm          Encrypt  Decrypt
  16 Virtual-PPP1   196.47.0.204    set    HMAC_MD5+AES_CBC         0        0
  18 Tunnel0        10.0.0.1        set    HMAC_MD5+AES_CBC         0        0
3003 Tunnel0        196.47.0.204    set    AES+MD5                169        0
3004 Tunnel0        196.47.0.204    set    AES+MD5                  0        8
3005 Virtual-PPP1   196.47.0.204    set    AES+MD5                818        0
3006 Virtual-PPP1   196.47.0.204    set    AES+MD5                  0        1

Spoke Configuration
===================
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
l2tp-class l2tpclass1
 authentication
 password 7 xxxx
!
pseudowire-class pwclass1
 encapsulation l2tpv2
 protocol l2tpv2 l2tpclass1
 ip local interface Dialer1
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5
!
interface Loopback0
 ip address 172.16.1.3 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxxxxx
 ip nhrp map 10.0.0.1 196.47.0.204
 ip nhrp map multicast 196.47.0.204
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 10.0.0.1
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address dhcp
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 10.222.0.1 255.255.255.0
 speed 100
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp chap hostname XXXX
 ppp chap password 0 XXXX
 ppp pap sent-username XXXX password 0 XXXXX
!
router eigrp 1
 redistribute connected route-map to-eigrp
 redistribute static
 passive-interface FastEthernet0/1
 passive-interface Dialer1
 network 10.0.0.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
access-list 1 permit any
access-list 2 deny   any
access-list 3 permit 10.222.0.1
access-list 3 permit 10.222.0.2
access-list 3 permit 10.244.0.2
access-list 3 permit 10.244.0.1
!
route-map clear-df permit 10
 set ip df 0
!
route-map to-eigrp deny 10
 match ip address prefix-list local
!
route-map to-eigrp permit 1000

Some Debugs
===========
nhrp-spoke-2#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
  Type: static, Flags: authoritative used
  NBMA address: 196.47.0.204

nhrp-spoke-2#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0xEE9B0E5D(4003139165)

     inbound esp sas:
      spi: 0x6E27D1C2(1848103362)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4530791/3584)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4530789/3584)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

nhrp-spoke-2#show crypto engine connections active
  ID Interface      IP-Address      State  Algorithm          Encrypt  Decrypt
  13 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC         0        0
  14 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC         0        0
3003 Dialer1        41.195.37.191   set    AES+MD5                 15        0
3004 Dialer1        41.195.37.191   set    AES+MD5                  0        0

nhrp-spoke-2#show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 3DES_MD5, }

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 196.47.0.204
        Extended IP access list
            access-list  permit gre host 41.195.37.191 host 196.47.0.204
        Current peer: 196.47.0.204
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 3DES_MD5, }

        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0

---------------------------------------------------------------------
A feature is a bug with seniority.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd.
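The two `show crypto ipsec sa` captures in the post above can be cross-checked mechanically. The script below is an added example written for this archive page; it is not part of Nic's post and not a Cisco tool. It parses the counters and SPIs in the layout IOS 12.4 prints; the sample text is constructed from the figures in the post with the line structure restored and the values unchanged. What it brings out: the SPIs cross-match (the spoke's outbound 0xEE9B0E5D is the hub's inbound, the hub's outbound 0x6E27D1C2 is the spoke's inbound), so both routers describe the same SA pair, and the hub's 153 encaps against the spoke's 0 decaps with zero verify and receive errors means hub-to-spoke ESP is being dropped before the spoke's crypto engine ever sees it, rather than being rejected by it. The two captures were taken at different moments (the remaining SA lifetimes differ), so only the zero is diagnostic, not the ratio between the other counters.

```python
import re
from dataclasses import dataclass

@dataclass
class SaCounters:
    """One router's view of one IPsec SA pair (one `local ident` block)."""
    local: str           # this router's crypto endpoint
    peer: str            # remote crypto endpoint
    encaps: int          # packets this router encrypted towards peer
    decaps: int          # packets this router decrypted from peer
    send_errors: int
    recv_errors: int
    inbound_spi: str     # SA the peer uses when sending to us
    outbound_spi: str    # SA we use when sending to the peer

def _field(pattern, text, flags=0):
    m = re.search(pattern, text, flags)
    if not m:
        raise ValueError(f"field {pattern!r} not found in show output")
    return m.group(1)

def parse_ipsec_sa(text):
    """Parse IOS `show crypto ipsec sa` output into {peer_ip: SaCounters}."""
    records = {}
    # Each SA pair begins at its "local ident" line; [1:] drops the interface header.
    for chunk in re.split(r"(?=local\s+ident)", text)[1:]:
        inbound = _field(r"inbound esp sas:(.*?)outbound esp sas:", chunk, re.S)
        outbound = _field(r"outbound esp sas:(.*)", chunk, re.S)
        peer = _field(r"remote crypto endpt\.: (\S+)", chunk)
        records[peer] = SaCounters(
            local=_field(r"local crypto endpt\.: (\S+),", chunk), peer=peer,
            encaps=int(_field(r"#pkts encaps: (\d+)", chunk)),
            decaps=int(_field(r"#pkts decaps: (\d+)", chunk)),
            send_errors=int(_field(r"#send errors (\d+)", chunk)),
            recv_errors=int(_field(r"#recv errors (\d+)", chunk)),
            inbound_spi=_field(r"spi: (0x[0-9A-Fa-f]+)", inbound),
            outbound_spi=_field(r"spi: (0x[0-9A-Fa-f]+)", outbound))
    return records

def cross_check(a, b):
    """a is A's record for peer B, b is B's record for peer A.

    Reports whether both ends describe the same SA pair (SPIs cross-match) and
    any direction in which one end encrypts packets the other never decrypts.
    """
    spi_agree = a.outbound_spi == b.inbound_spi and a.inbound_spi == b.outbound_spi
    findings = [] if spi_agree else ["SPI mismatch: the two ends describe different SAs"]
    for src, dst in ((a, b), (b, a)):
        if src.encaps > 0 and dst.decaps == 0:
            findings.append(f"{src.local} encrypted {src.encaps} packets to {dst.local} "
                            f"but {dst.local} decrypted none: ESP from {src.local} is "
                            f"lost before it reaches {dst.local}'s crypto engine")
    return {"spi_agree": spi_agree, "findings": findings}

# Constructed samples: the counters and SPIs from the post, layout restored, values unchanged.
SPOKE_SA = """interface: Tunnel0
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
     inbound esp sas:
      spi: 0x6E27D1C2(1848103362)
     outbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
"""
HUB_SA = """interface: Tunnel0
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
   current_peer 41.195.37.174 port 500
    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
    #send errors 0, #recv errors 0
     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
     inbound esp sas:
      spi: 0x8AD878CD(2329442509)
     outbound esp sas:
      spi: 0xD9D819B1(3654818225)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   current_peer 41.195.37.191 port 500
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #send errors 1, #recv errors 0
     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
     inbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
     outbound esp sas:
      spi: 0x6E27D1C2(1848103362)
"""

def check_spoke_against_hub(spoke_ip="41.195.37.191", hub_ip="196.47.0.204"):
    """Cross-check the spoke<->hub SA pair as seen from both captures."""
    spoke, hub = parse_ipsec_sa(SPOKE_SA), parse_ipsec_sa(HUB_SA)
    return cross_check(spoke[hub_ip], hub[spoke_ip])

if __name__ == "__main__":
    print(*check_spoke_against_hub()["findings"], sep="\n")
```

Run it as a script to print the findings, or feed parse_ipsec_sa() the output pasted from each router and hand the two records for the same pair to cross_check(). Where it reports a one-way loss with matching SPIs, the next thing to count is ESP (IP protocol 50) from the hub arriving on the spoke's outside interface; the post does not include that capture.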
From hank at efes.iucc.ac.il Sun Aug 24 06:56:14 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 24 Aug 2008 13:56:14 +0300
Subject: [c-nsp] Cisco ACE and Akamai
In-Reply-To: <509A5E22DDC70B4DA85EA7C06C8FDA8F05374F58@ASHEVS011.mcilink.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010AD@tiger.deltadentalwa.com> <020101c903e3$cf4fc1e0$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B1@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B2@tiger.deltadentalwa.com> <024301c903ed$10831b90$f211a8c0@flamadam> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010B8@tiger.deltadentalwa.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C1@tiger.deltadentalwa.com> <48AF03FA.2040207@justinshore.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC010C5@tiger.deltadentalwa.com>
Message-ID: <5.1.0.14.2.20080824135225.00b21628@efes.iucc.ac.il>

Since I see there are more and more people using the ACE on the list, has anyone encountered a problem with the ACE vers A1(8.0a) and Akamai where Akamai returns a null cookie even though one is set?

Thanks,
Hank

From rodunn at cisco.com Sun Aug 24 08:43:47 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Sun, 24 Aug 2008 08:43:47 -0400
Subject: [c-nsp] Interesting 7206 behavior
In-Reply-To: <000001c9054b$0bc5faa0$2351efe0$@com>
References: <001801c904c4$3087ff50$9197fdf0$@com> <67F7C1FAF83A074AA3520D8F155782A501C25DAE@xmb-ams-331.emea.cisco.com> <000001c9054b$0bc5faa0$2351efe0$@com>
Message-ID: <20080824124347.GE14555@rtp-cse-489.cisco.com>

It had a lot to do with the fact that there isn't CEF support for MLPPP in 12.0S.
It's there in 12.2(31)SB and SRC releases for the 72xx along with 12.4 based releases.

Rodney

On Sat, Aug 23, 2008 at 02:07:02PM -0400, Ryan Lambert wrote:
> Arie,
>
> Thanks for the information.
>
> I thought it was a little curious that the feature was there, it was just bouncing me back and forth between "go here" and "just kidding, not supported!".
>
> We are looking at NPE upgrades anyway, so this is at least something I can table for discussion come Monday.
>
> Thanks again!
>
> -Ryan
>
> -----Original Message-----
> From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
> Sent: Saturday, August 23, 2008 10:40 AM
> To: Ryan Lambert; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Interesting 7206 behavior
>
> Ryan,
>
> It seems QoS support on multilink ports was disabled in 12.0(28)S due to some major issues between the LFI and QoS code.
> The support is there in newer software, specifically the 12.2SB. I suggest you try using 12.2(31)SB.
>
> I think this link could help:
> http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/mcmlp.html
>
> Thanks
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan Lambert
> Sent: Saturday, August 23, 2008 05:02 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Interesting 7206 behavior
>
> Running a 7206VXR with NPE-300. Code 12.0(28)S6.
>
> For what it's worth, the two T1s land on a PA-MC-2T3+.
>
> Anyone seen anything similar to this before? I took a quick peek on Cisco's site for anything relevant, but I didn't come up with much. As per usual, browsing the list of bugs managed to freak me out, but I didn't see exactly what I was looking for.
> router(config-if)#int mu16
> router(config-if)#service-policy output Customer_QoS-Colo
> Service policies on multilink interfaces are not supported
>
> router(config-if)#int ser5/1/25:0
> router(config-if)#service-policy output Customer_QoS-Colo
> Serial5/1/25:0 is a member of a multilink/mfr bundle.
> Please attach the service-policy to the multilink/mfr interface instead.
>
> I did sanitize some of this to take out router/customer names, but this is the actual output, if you can believe that.
>
> As a side note, this works if I rip one of the T1s out of the MLPPP bundle and apply the policy to the individual serial interface. Does not work -ever- on the Multilink interface, or on an interface that is part of a multilink group.
>
> Thanks,
> -Ryan
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ddjones at riddlemaster.org Sun Aug 24 16:10:59 2008
From: ddjones at riddlemaster.org (Daniel D Jones)
Date: Sun, 24 Aug 2008 16:10:59 -0400
Subject: [c-nsp] ADSL weirdness
Message-ID: <200808241610.59074.ddjones@riddlemaster.org>

This is driving me absolutely batty.

I have an ADSL connection with a /29 block of static IPs. I was originally using a BroadMax DSL modem. The modem works but locks up semi-regularly. Behind the modem, I have a 2651XM router. Tired of having to reboot the modem, I picked up an ADSL WIC for the router. After configuring everything, the router connects via ADSL and everything appears to be fine on the router.

The problem is that I cannot access some web pages.
Hotmail.com and myspace.com are two that I know will not load, but they aren't the only two. I can ping the web site IPs, at least those that answer ping. The page will start to load and then stall. Some pages will time out, others will simply say "loading" and never complete, even if left up overnight. If I switch back to the BroadMax modem, I can load the same web pages without any issue. I get the exact same behavior regardless of what browser I'm using, and on Windows and Linux, so it's unlikely to be any sort of host issue.

I've checked the web page IPs and there doesn't appear to be any pattern. They're certainly not all in a common subnet or anything. The sites where I'm having an issue do all seem to be more complex sites with lots of scripting. I've tried to find out if the pages are doing anything weird, such as opening connections on unusual ports or transferring stuff using unusual protocols, but I haven't been able to identify anything.

I'm not at all certain that it's only web page traffic that has issues, but that's what I've noticed to this point. I run a mail server and a small mailing list, and I've gotten a couple of complaints of messages bouncing from one user, but I believe that's his issue, not mine. Mail appears to be flowing normally otherwise.

Here's the config I have on the router:

interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
 ppp pap sent-username USERNAME password 7 PASSWORD

I'm running NAT for internal IPs, but my servers have public IPs and the issue occurs regardless of whether I'm on a NAT'd machine or a server. The internal network runs on switches hanging off the FastEthernet ports, which are the internal NAT interface.
The servers are connected to a 16 port switch module in the router.

I was running some firewall rules, but in an effort to solve this problem I've removed all access lists other than the one-liner which allows the private IPs into NAT.

Ideas, hints and suggestions all welcome.

From blahu77 at gmail.com Sun Aug 24 16:25:37 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 24 Aug 2008 21:25:37 +0100
Subject: [c-nsp] ADSL weirdness
In-Reply-To: <200808241610.59074.ddjones@riddlemaster.org>
References: <200808241610.59074.ddjones@riddlemaster.org>
Message-ID: <383357750808241325v71f2cb9euf6311c51b81be4a0@mail.gmail.com>

Daniel,

> interface Dialer1
>  mtu 1492

sounds like a TCP window problem
try adding

ip mtu 1492
ip tcp adjust-mss 1452

look here for more info
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

Best Regards,

--
-mat

From christian.macnevin at gmail.com Sun Aug 24 18:32:06 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Sun, 24 Aug 2008 15:32:06 -0700
Subject: [c-nsp] Multiple SPAN config question (re: tim's reply of 2005 sometime)
Message-ID: <58B0D66E-91A0-4061-A171-610FA5AE5E3E@gmail.com>

Hi

So this is the conversation I'm referencing inline below. The configuration we've tried has vlan sources and destinations on a 6148A linecard. It seems to be sending traffic from *all* vlans to each port, however. The IOS is 12.2(18)SXF14.

Is there a hardware limitation on the split source split port option?

Config:
monitor session 2 source vlan 64 , 120 , 888 , 998
monitor session 2 destination interface Gi2/23 - 26

#### REFERENCED CONVERSATION:

To span, say, two of the spanned vlans to one of the configured dest ports, just add multiple vlans to the allowed list, ie, sw trunk all vlan 10-11, or similar. The config I mentioned will include the 1q headers already. If you don't want that, you could make the native vlan of the span dest port trunk the vlan you have in the allowed list.
One word of caution on this configuration. The system is not (currently, & no firm plans) intelligent enough to not send ALL the SPAN traffic to ALL the destination modules, even if that module ultimately won't forward the traffic because of the allowed vlan list. For example, if I have a fabric enabled system with modules 1, 2 & 3, and I span vlans 10 & 11 from module 1 to dest ports on modules 2 & 3, where the allowed list on the mod 2 port is 10 & the allowed list on the mod 3 port is 11, VLAN 10 & 11 traffic is passed over BOTH the fabric channels, the one connecting to module 2 & the one connecting to module 3, even though module 2 will ultimately drop the vlan 11 traffic & module 3 will drop the vlan 10 traffic.

Tim

At 05:22 PM 3/17/2005, Virgil declared:
>On 18/3/05 7:29 AM, "Tim Stevenson" wrote:
>
>Tim,
>
> > And then configure a single SPAN session like so:
> >
> > mon ses 1 source vlan 10 - 13
> > mon ses 1 dest int gig 1/1 - 4
> >
> > This ends up spanning just vlan 10 traffic to int gig 1/1, just vlan 11
> > traffic to int gig 1/2, etc.
>
>That's excellent information. What would be required to receive traffic for
>a couple of vlans to one port, and include the dot1q headers as well?
>
>
>Regards
>Virgil

Tim Stevenson, tstevens at xxxxxxxxx
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.

_______________________________________________
cisco-nsp mailing list cisco-nsp at xxxxxxxxxxxxxxx
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From tianys at gmail.com Sun Aug 24 21:29:33 2008
From: tianys at gmail.com (Mr. Tian)
Date: Mon, 25 Aug 2008 09:29:33 +0800
Subject: [c-nsp] Cat 6500 SUP720 environment problems..
In-Reply-To: <615772ed0808210029n723036efvac28dc61fdaceee4@mail.gmail.com>
References: <0A78C84FC38D5A4D859688C61E8A4C3FB583@blackberry1.backberry01.local> <5c374d9a0705100618x61981f02x4f8af520e6613a5@mail.gmail.com> <615772ed0808210029n723036efvac28dc61fdaceee4@mail.gmail.com>
Message-ID: <615772ed0808241829g35f9506dpa374aa31f8824536@mail.gmail.com>

---------- Forwarded message ----------
From: Mr. Tian
Date: 2008/8/21
Subject: Re: [c-nsp] Cat 6500 SUP720 environment problems..
To: John R

hello.
I have the same question. Have you resolved the problem?
Thanks!

2007/5/10 John R
> Hello all
>
> We have some questions in relation to our environment, we basically have a pair of 6509 chassis with sup720-3b`s connecting to lots ( over 300 ) cisco 3020 blade switches, with each 3020 attached to both 6509`s, there are no DFC`s on the linecards.
>
> The 6500`s have 8 x Gig-E connections as a portchannel between them
>
> The environment runs unicast and multicast but there are no really high traffic levels, we have some questions relating to below, any comments would be most welcome.
>
>
>     6500 --- 8 gig-e portchannel --- 6500
>        \                              /
>         \                            /
>          \      300+ 3020 blades    /
>
>
> Cat6509`s are both running 12.2.18SXF5 - ipservicesk9-mz.122-18.SXF5.bin
>
> CAT6KSUP720-3B#sh cat
> chassis MAC addresses: 1024 addresses from 0018.7433.3400 to 0018.7433.37ff
> traffic meter =   1%   Last cleared at 13:22:27 GMT Thu Nov 9 2006
>          peak =  96%   reached at 01:12:36 BST Thu May 10 2007
> switching-clock: clock switchover and system reset is allowed
>
> Q - Is this peak only for the shared bus ?
>
> ######################################################################################
>
> CAT6KSUP720-3B#sh pla ha cap for
> L2 Forwarding Resources
>    MAC Table usage:   Module  Collisions   Total   Used  %Used
>                            5           0   65536   2905     4%
>
>    VPN CAM usage:                          Total   Used  %Used
>                                              512      0     0%
> L3 Forwarding Resources
>    FIB TCAM usage:                         Total   Used  %Used
>     72 bits (IPv4, MPLS, EoM)             196608   4232     2%
>    144 bits (IP mcast, IPv6)               32768   1483     5%
>
>    detail:      Protocol                   Used  %Used
>                 IPv4                        4232     2%
>                 MPLS                           0     0%
>                 EoM                            0     0%
>
>                 IPv6                           2     1%
>                 IPv4 mcast                  1481     5%
>                 IPv6 mcast                     0     0%
>
>    Adjacency usage:                        Total   Used  %Used
>                                           1048576   4194     1%
>
>    Forwarding engine load:
>    Module       pps   peak-pps                      peak-time
>         5    616391    9068315  15:29:21 GMT Mon Dec 18 2006
>
> Q - Is the peak-pps the largest peak seen by the PFC
> Q - If it is, is this not well short of the 30mpps that the box should be able to support
>
> ######################################################################################
>
> CAT6KSUP720-3B#sh ibc brief
> Interface information:
>    Interface IBC0/0(idb 0x51E4F010)
>    Hardware is Mistral IBC (revision 5)
>    5 minute rx rate 134000 bits/sec, 60 packets/sec
>    5 minute tx rate 76000 bits/sec, 48 packets/sec
>    801981457 packets input, 158150852481 bytes
>    571784929 broadcasts received
>    615169009 packets output, 150564832578 bytes
>    65392127 broadcasts sent
>    1 Inband input packet drops
>    0 Bridge Packet loopback drops
>    50002482 Packets CEF Switched, 118971932 Packets Fast Switched
>    0 Packets SLB Switched, 0 Packets CWAN Switched
>    IBC resets = 1; last at 14:25:38.107 gmt Sat Oct 28 2006
> MISTRAL ERROR COUNTERS
>    System address timeouts = 0   BUS errors = 0
>    IBC Address timeouts = 0 (addr 0x0)
>    Page CRC errors = 0   IBL CRC errors = 0
>    ECC Correctable errors = 0
>    Packets with padding removed (0/0/0) = 0
>    Packets expanded (0/0) = 0
>    Packets attempted tail end expansion > 1 page and were dropped = 0
>    IP packets dropped with frag offset of 1 = 0
>    1696 packets (aggregate) dropped on throttled interfaces
>    Hazard Illegal packet length = 0   Illegal Offset = 0
>    Hazard Packet underflow = 0   Packet Overflow = 0
>    IBL fill hang count = 0   Unencapsed packets = 0
>    LBIC RXQ Drop pkt count = 0   LBIC drop pkt count = 0
>    LBIC Drop pkt stick = 0
>
> The CEF counter is not clocking in this instance, whereas the fast switch counter is; our understanding is that the IBC is the bus between the SP and RP?
>
> Q - Why do we see so many fast switched packets
> Q - Should the CEF counter not increment
>
> ######################################################################################
>
> CAT6KSUP720-3B#sh ip mroute count ters
> IP Multicast Statistics
> 730 routes using 681034 bytes of memory
> 21 groups, 33.76 average sources per group
>
> Q - The above is the average mcast count for the box, this to us doesn't seem high ?
> Q - With lots of multicast boundary commands configured can this add to load ?
>
> ######################################################################################
>
> CAT6KSUP720-3B# sh mod
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   1   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1025XXXX
>   2   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1026XXXX
>   3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1026XXXX
>   4   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1026XXXX
>   5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1028XXXX
>   6   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1025XXXX
>   7   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1026XXXX
>   8   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1026XXXX
>   9   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL1025XXXX
>
> Q. - Every port on the switch is configured as per the config below, will this cause problems ?
> I.E - Is RMON on every port advisable ?
>
> rmon collection stats 4 owner "root at mgmtstation [1161348691907]"
> rmon collection history 4 owner "root at mgmtstation [1161348775440]" buckets 50
>
> #####################################################################################
>
> mls aging long 64
> mls aging normal 32
>
> Q. - Should the above setting be changed to default times for long and normal flows ?
>
> #####################################################################################
>
> Q. - We see large numbers of output drops, but little in the way of traffic between the port-channel connecting the two 6ks together - does this match the following bug ?
>
> http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv86024
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ben.steele at internode.on.net Sun Aug 24 22:32:13 2008
From: ben.steele at internode.on.net (ben.steele at internode.on.net)
Date: Mon, 25 Aug 2008 11:32:13 +0900
Subject: [c-nsp] ACE Regex filtering for url match trouble with %
Message-ID: <57206.1219631533@internode.on.net>

Hi,

Has anyone had any issues with filtering anything with a % sign in the url when trying to match for url filtering.

Example:

class-map type http inspect match-any SQL_FILTER
  2 match url .[Ee][Xx][Ee][Cc]@.*
  3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*

The first string will match no problem, but the second one won't. I've tried all different methods of matching the % sign like \'ing it, putting it in [] etc. In theory the above should just work with something like http://www.bla.com/SELECT%20test.html as it does with EXEC@, but it doesn't. Anyone got any ideas or had similar issues? Just want to check here before I raise a TAC.
Cheers

Ben

From christian at broknrobot.com Sun Aug 24 23:02:26 2008
From: christian at broknrobot.com (Christian Koch)
Date: Sun, 24 Aug 2008 23:02:26 -0400
Subject: [c-nsp] ACE Regex filtering for url match trouble with %
In-Reply-To: <57206.1219631533@internode.on.net>
References: <57206.1219631533@internode.on.net>

have you tried adding " \ " in front of the " % " character?

On Sun, Aug 24, 2008 at 10:32 PM, wrote:
> Hi,
>
> Has anyone had any issues with filtering anything with a % sign in
> the url when trying to match for url filtering.
>
> Example:
>
> class-map type http inspect match-any SQL_FILTER
>   2 match url .[Ee][Xx][Ee][Cc]@.*
>   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*
>
> The first string will match no problem, but the second one won't,
> i've tried all different methods of matching the % sign like \'ing it,
> putting it in [] etc. in theory the above should just work with
> something like http://www.bla.com/SELECT%20test.html as it does
> with EXEC@ but it doesn't, anyone got any ideas or had similar issues,
> just want to check here before I raise a TAC.
>
> Cheers
>
> Ben
>
>
> Links:
> ------
> [1] http://www.bla.com/SELECT%20test.html
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From vinny at tellurian.com Sun Aug 24 23:36:12 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Sun, 24 Aug 2008 23:36:12 -0400
Subject: [c-nsp] ADSL weirdness
In-Reply-To: <383357750808241325v71f2cb9euf6311c51b81be4a0@mail.gmail.com>
References: <200808241610.59074.ddjones@riddlemaster.org> <383357750808241325v71f2cb9euf6311c51b81be4a0@mail.gmail.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF05646243E8DBC@exchangenj1>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Blaszczyk
> Sent: Sunday, August 24, 2008 4:26 PM
> To: Daniel D Jones
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ADSL weirdness
>
> Daniel,
>
> > interface Dialer1
> >  mtu 1492
>
> sounds like TCP window problem
> try adding
>
> ip mtu 1492
> ip tcp adjust-mss 1452
>
> look here for more info
>
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

Specifically add:

ip tcp adjust-mss 1452

to the INSIDE interface where your devices which access the web sites are attached. That should do it.
-Vinny

From ben.steele at internode.on.net Sun Aug 24 23:41:55 2008
From: ben.steele at internode.on.net (ben.steele at internode.on.net)
Date: Mon, 25 Aug 2008 12:41:55 +0900
Subject: [c-nsp] ACE Regex filtering for url match trouble with %
Message-ID: <58339.1219635715@internode.on.net>

Yes I have, I did mention that in my first post but this stupid webmail client removed it and just put "'ing" instead of "\'ing" :)

FWIW I did manage to get this to match by telling it to match an ASCII space instead, ie .*select\x20.* however this is more of a hack for my original request so I will still chase up with TAC.

Cheers

On Mon 25/08/08 12:32 PM , "Christian Koch" christian at broknrobot.com sent:

have you tried adding " \ " in front of the " % " character?

On Sun, Aug 24, 2008 at 10:32 PM, wrote:
>
> Hi,
>
> Has anyone had any issues with filtering anything with a % sign in
> the url when trying to match for url filtering.
>
> Example:
>
> class-map type http inspect match-any SQL_FILTER
>   2 match url .[Ee][Xx][Ee][Cc]@.*
>   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*
>
> The first string will match no problem, but the second one won't,
> i've tried all different methods of matching the % sign like \'ing it,
> putting it in [] etc. in theory the above should just work with
> something like http://www.bla.com/SELECT%20test.html [1] as it does
> with EXEC@ but it doesn't, anyone got any ideas or had similar issues,
> just want to check here before I raise a TAC.
>
> Cheers
>
> Ben
>
> Links:
> ------
> [1] http://www.bla.com/SELECT%20test.html
> _______________________________________________
> cisco-nsp mailing list
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From nic.tjirkalli at za.verizonbusiness.com Mon Aug 25 03:40:26 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Mon, 25 Aug 2008 09:40:26 +0200 (SAST)
Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

howdy ho all,

thanx to those who sent through suggestions on how to get the IPSEC to work - the ideas were:

- try mode transport
- don't use a wildcard for the secret

so i changed the hub and spoke as follows:

crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
 mode transport

crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0

also same symptoms - crypto comes up - hub reports IPSEC encaps and decaps - spoke sites report 0 decaps for IPSEC and no errors

any other ideas?

thanx

>
> howdy ho all,
>
> Was hoping I could use this forum to get some direction on resolving a
> strange issue I have with a DMVPN setup.
>
> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
> enable IPSEC the tunnels stop passing traffic.
>
>
> The setup :-
> ============
>
> All routers are CISCO 1841 platforms.
> the IOS image is :-
> C1841-ADVIPSERVICESK9-M
> c1841-advipservicesk9-mz.124-21.bin
>
>
> HUB Router
> ----------
> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
> up an L2TP tunnel to obtain a static IP address.
>
> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
> This IP address is the NHS. All connections to/from the hub
> use the address of 196.47.0.204.
>
> Tunnel interface on the hub router is 10.0.0.1
>
>
> Spoke Router
> ------------
> the Spoke router (there are 2, I am just showing one) connects via ADSL
> (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
> routers use Dialer1 as their interface into the NHRP cloud.
>
> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface
> ie do not add the command tunnel protection ipsec profile DMVPN
> on Tunnel0
>
> Tunnel interface on the hub router is 10.0.0.3
> all works perfectly.
>
>
> The Problem
> ===========
>
> When I enable IPSEC encryption on the tunnel interfaces on all routers
> then things break. I have tried with both 3DES and AES and same issue.
>
> All the crypto sessions seem correct - correct SAs come up. The dynamically
> created crypto-maps seem correct.
>
> BUT. on the spoke routers, IPSEC reports that no packets are being
> de-encapsulated but no errors are reported.
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>
> But on the HUB.
> all is well
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>
> Any ideas/thoughts would be greatly appreciated.
>
> The configurations and some useful output are below.
>
>
>
> HUB Configuration
> =================
>
> hostname adsl-nhrp-hub
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> no aaa new-model
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 03070E0C2E572B6A1719
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  no ip next-hop-self eigrp 1
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  no ip split-horizon eigrp 1
>  tunnel source Virtual-PPP1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface Null0
>  no ip unreachables
> !
> interface FastEthernet0/0
>  no ip address
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface Virtual-PPP1
>  ip address negotiated
>  ip mtu 1452
>  ip virtual-reassembly
>  no logging event link-status
>  no peer neighbor-route
>  no cdp enable
>  ppp chap hostname XXXXX
>  ppp chap password 7 XXXXXX
>  ppp pap sent-username XXXX password 7 XXXXX
>  pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp chap hostname XXX
>  ppp chap password 7 XXXX
>  ppp pap sent-username XXXX password 7 XXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> adsl-nhrp-hub#show ip nhrp
> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.174
> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.191
>
> adsl-nhrp-hub#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>    current_peer 41.195.37.174 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>     #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0xD9D819B1(3654818225)
>
>      inbound esp sas:
>       spi: 0x8AD878CD(2329442509)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437499/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xD9D819B1(3654818225)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437454/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port):
> (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0x6E27D1C2(1848103362)
>
>      inbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478781/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478771/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> adsl-nhrp-hub#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.174
>         Extended IP access list
>             access-list permit gre host 196.47.0.204 host 41.195.37.174
>         Current peer: 41.195.37.174
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.191
>         Extended IP access list
>             access-list permit gre host 196.47.0.204 host 41.195.37.191
>         Current peer: 41.195.37.191
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>         Interfaces using crypto map Tunnel0-head-0:
>                 Tunnel0
>
> adsl-nhrp-hub#show crypto engine connections active
>
>   ID Interface     IP-Address     State  Algorithm         Encrypt  Decrypt
>   16 Virtual-PPP1  196.47.0.204   set    HMAC_MD5+AES_CBC        0        0
>   18 Tunnel0       10.0.0.1       set    HMAC_MD5+AES_CBC        0        0
> 3003 Tunnel0       196.47.0.204   set    AES+MD5               169        0
> 3004 Tunnel0       196.47.0.204   set    AES+MD5                 0        8
> 3005 Virtual-PPP1  196.47.0.204   set    AES+MD5               818        0
> 3006 Virtual-PPP1  196.47.0.204   set    AES+MD5                 0        1
>
>
> Spoke Configuration
> ===================
>
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 xxxx
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.3 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.3 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map 10.0.0.1 196.47.0.204
>  ip nhrp map multicast 196.47.0.204
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp nhs 10.0.0.1
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  tunnel source Dialer1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address dhcp
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  ip address 10.222.0.1 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  ppp chap hostname XXXX
>  ppp chap password 0 XXXX
>  ppp pap sent-username XXXX password 0 XXXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface FastEthernet0/1
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
>  eigrp stub connected
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> access-list 3 permit 10.244.0.1
> !
> route-map clear-df permit 10
>  set ip df 0
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> Some Debugs
> ===========
>
> nhrp-spoke-2#show ip nhrp
> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>   Type: static, Flags: authoritative used
>   NBMA address: 196.47.0.204
>
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr.
> failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>      local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>      path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>      current outbound spi: 0xEE9B0E5D(4003139165)
>
>      inbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530791/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530789/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> nhrp-spoke-2#show crypto engine connections active
>
>   ID Interface  IP-Address     State  Algorithm         Encrypt  Decrypt
>   13 Dialer1    41.195.37.191  set    HMAC_MD5+AES_CBC        0        0
>   14 Dialer1    41.195.37.191  set    HMAC_MD5+AES_CBC        0        0
> 3003 Dialer1    41.195.37.191  set    AES+MD5                15        0
> 3004 Dialer1    41.195.37.191  set    AES+MD5                 0        0
>
> nhrp-spoke-2#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 196.47.0.204
>         Extended IP access list
>             access-list permit gre host 41.195.37.191 host 196.47.0.204
>         Current peer: 196.47.0.204
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>         Interfaces using crypto map Tunnel0-head-0:
>                 Tunnel0
>
>
> ---------------------------------------------------------------------
> A feature is a bug with seniority.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>

---------------------------------------------------------------------
Some days you're the pigeon, and some days you're the statue.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.

Company Information: http://www.verizonbusiness.com/za/contact/legal/

From ltd at cisco.com Mon Aug 25 03:53:15 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 25 Aug 2008 17:53:15 +1000
Subject: [c-nsp] ACE Regex filtering for url match trouble with %
In-Reply-To: <58339.1219635715@internode.on.net>
References: <58339.1219635715@internode.on.net>
Message-ID: <48B264EB.7040708@cisco.com>

ben.steele at internode.on.net wrote:
> FWIW I did manage to get this to match by telling it to match an
> ASCII space instead ie .*select\x20.* however this is more of a hack
> for my original request so I will still chase up with TAC.
>

i haven't looked at the ACE source code / firmware, but it may well be that it does a first pass of converting "%(something)" to a non-encoded value first (in this case, a " "), because otherwise it would be trivial for a hacker to bypass said filter(s).

you could see if regex ".*select\s.*" works too.

cheers,

lincoln.

From jp at softnet.si Mon Aug 25 03:58:59 2008
From: jp at softnet.si (Primoz Jeroncic)
Date: Mon, 25 Aug 2008 09:58:59 +0200 (CEST)
Subject: [c-nsp] c3560 ACL and Adv.IP Services 12.2.44.SE2

Hi guys

Is it just me, or did the option to put an ACL on outbound traffic on an L3 port of a Catalyst c3560 really disappear in Advanced IP Services 12.2.44.SE2 IOS? I have the option for inbound packets, but no outbound anymore. Funny thing is that the configuration left over from the old IOS is still there, and the outbound ACL still filters traffic, but I can't set a new ACL for outbound traffic on a different port.

Why do I have the feeling that Cisco is getting more and more like Microsoft?

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.      tel: +386 1 562 31 40  |
Borovec 2           fax: +386 1 562 18 55  |  1 + 1 = 3
1236 Trzin          primoz(at)softnet.si   |  for larger values of 1
Slovenija           http://flea.softnet.si/
-------------------------------------------------------------------

From rshbrk at mail.ru Mon Aug 25 04:26:52 2008
From: rshbrk at mail.ru (Roman Shibrick)
Date: Mon, 25 Aug 2008 12:26:52 +0400
Subject: [c-nsp] Strange behaviour spanning-tree on port

Hi, all.

I have a Cisco Catalyst 4507 Sup V. In the logs I constantly see the following lines:

...
Aug 25 09:30:29: Created spanning tree port Gi7/21 (18977BF8) for tree VLAN0178 (18B8B968)
Aug 25 09:30:29: Enabling spanning tree port: GigabitEthernet7/21 (18977BF8)
Aug 25 09:30:29: RSTP(178): initializing port Gi7/21
Aug 25 09:30:29: RSTP(178): Gi7/21 is now designated
Aug 25 09:31:01: Disabling spanning tree port: GigabitEthernet7/21 (18977BF8)
Aug 25 09:31:01: Deleting spanning tree port: Gi7/21 (18977BF8)
Aug 25 09:31:01: STP PVST: deleted vlan 178 intf 189EE290
Aug 25 09:31:04: Created spanning tree port Gi7/21 (18977BF8) for tree VLAN0178 (18B8B968)
Aug 25 09:31:04: Enabling spanning tree port: GigabitEthernet7/21 (18977BF8)
Aug 25 09:31:04: RSTP(178): initializing port Gi7/21
Aug 25 09:31:04: RSTP(178): Gi7/21 is now designated
Aug 25 09:31:35: Disabling spanning tree port: GigabitEthernet7/21 (18977BF8)
Aug 25 09:31:35: Deleting spanning tree port: Gi7/21 (18977BF8)
Aug 25 09:31:35: STP PVST: deleted vlan 178 intf 189EE290
...

An HP server is connected to the given port. The port configuration is:

interface GigabitEthernet7/21
 description == Servers
 switchport access vlan 178
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.0b4b.4056
 no keepalive
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

Why is there constantly a rapid-pvst / pvst reinitialization on the given port?

Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0178         Desg FWD 4         128.405  Edge P2p

build15-CORE#sh spanning-tree interface gigabitEthernet 7/21 det
 Port 405 (GigabitEthernet7/21) of VLAN0178 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.405.
   Designated root has priority 20658, address 001c.581f.9e80
   Designated bridge has priority 20658, address 001c.581f.9e80
   Designated port id is 128.405, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 0, received 0

GigabitEthernet7/21 is up, line protocol is up (connected)
     59200 packets input, 35164800 bytes, 0 no buffer
     Received 59200 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     660390 packets output, 95397300 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Thanks.
Roman

From vikassharmas at gmail.com Mon Aug 25 04:41:45 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 25 Aug 2008 14:11:45 +0530
Subject: [c-nsp] voip with ssl vpn

Hi All,

Has anyone tested securing VoIP with SSL VPN?

Regards,
Vikas Sharma

From bjorn at mork.no Mon Aug 25 05:50:13 2008
From: bjorn at mork.no (Bjørn Mork)
Date: Mon, 25 Aug 2008 11:50:13 +0200
Subject: [c-nsp] Web Caches
In-Reply-To: (Lala Lander's message of "Sat, 23 Aug 2008 01:42:44 -0700")
Message-ID: <87y72lh19m.fsf@obelix.mork.no>

"Lala Lander" writes:

> I am looking for information on Web Caches.

http://www.ircache.net/ and http://www.web-cache.com/ are good starting points.

Bjørn

From b.turnbow at twt.it Mon Aug 25 06:45:37 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 25 Aug 2008 12:45:37 +0200
Subject: [c-nsp] Surge protection on leased lines

Hello,

We have several customers that are having problems every time a storm goes through.
Our national telco company seems to offer no lightning protection on their lines, and every storm causes a line outage and burns up the attached WIC. We've made sure the chassis are grounded, but would also like to try and install surge protection between the V.35 interface of the telco and our CPEs. I see that Cisco offers a surge protection cable for smart serial interfaces, but not for classic serial interfaces.

I wanted to ask what others would recommend, and their experiences, regarding surge protection on leased lines.

Thanks in advance

Brian

From b.turnbow at twt.it Mon Aug 25 08:51:31 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 25 Aug 2008 14:51:31 +0200
Subject: [c-nsp] 3560 ACL performance?

We use them and have never experienced problems as long as you keep in the TCAM space. With too many routes/ACLs etc. they punt to CPU.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian MacNevin
Sent: Friday 15 August 2008 6.00
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3560 ACL performance?

Hi
So the marketing machine tells me 3650s do ACLs in hardware and zero performance hit blah blah.
Anyone had any real world experience with high loads of packets on every interface under a simple ACL?
Thanks

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From b.turnbow at twt.it Mon Aug 25 08:59:46 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 25 Aug 2008 14:59:46 +0200
Subject: [c-nsp] 6500 snmp and vty acls ?

COPP is done in hardware; an ACL on VTY/SNMP is software, as far as I remember.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Wednesday
13 August 2008 22.17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6500 snmp and vty acls ?

Does anyone know if VTY and SNMP ACLs are implemented in hardware or software on a 6500 with 720-CXL running 12.2(33)SXH? I am trying to understand COPP and move away from the VTY and SNMP ACLs.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From bouaziz at nerim.net Mon Aug 25 08:57:34 2008
From: bouaziz at nerim.net (Raphael Bouaziz)
Date: Mon, 25 Aug 2008 14:57:34 +0200
Subject: [c-nsp] UBR+ and service-policy on ATM PVCs
Message-ID: <20080825125733.GC55339@nerim.net>

Hi all,

I am trying to find the right IOS version to use on 7200s w/ NPE-400/NPE-G1 that supports both UBR+ and QoS (service policies) on a per-VC basis.

Today we use 12.2(16)B2 to terminate ATM PVCs (from xDSL lines) on these routers; it works fine. But this (old) version lacks QoS support.

When testing newer versions (I tried 12.3 & 12.4 mainline, 12.2SB, 12.4T) that could support QoS, we run into an issue with UBR+. Commands are accepted but ignored, and PVCs get configured with UBR at the physical line rate.

ATM interfaces are PA-A3-OC3MM w/ hardware version 2.0.

Which IOS version should we use?

Thanks.

--
Raphael Bouaziz.

From mmoerman at ebay.com Mon Aug 25 09:54:26 2008
From: mmoerman at ebay.com (Maarten Moerman)
Date: Mon, 25 Aug 2008 15:54:26 +0200
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.

Hi,

I have a kind of problem at the moment which I'll try to explain here.
Diagram:

sw1 with 4 * GE --> 4 * GE @ r1 @ 10GE --> 10GE @ r2 4 * GE --> 4 * GE sw2

sw1 + sw2 = 6509 with 6748 blades
r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE xenpaks on 6704 10GE blades

On sw1 + sw2 I have:

Int port-channel1
 Trunk encaps dot1q (multiple vlan)

Int giga x/1-4
 Channel-group 1 mode on

On r1 + r2 I have:

Int port-channel 1
 mtu 9216
 xconnect encapsulation mpls

Int giga x/1-4
 mtu 9216
 channel-group 1 mode on

However, I'm currently facing the problem that I cannot push the bandwidth of that port-channel over 1gbit. The ingress is no problem, it tries to send, but the other side doesn't seem to pick up the traffic.

Does this have to do with the fact that the port-channel on the routers only sees 1 source and 1 destination address? So that it cannot correctly balance traffic among 4 interfaces?

Does anybody have an idea how to solve this?

Thanks in advance,

Maarten Moerman

From rendo.aw at gmail.com Mon Aug 25 09:59:37 2008
From: rendo.aw at gmail.com (rendo)
Date: Mon, 25 Aug 2008 20:59:37 +0700
Subject: [c-nsp] 3560 ACL performance?
Message-ID: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>

hi,

is there any exact/rough number of ACLs which doesn't impact the CPU? or how can we check/make sure that the CPU will not be impacted if the traffic is increasing?

Thanks.

./rendo

On Mon, Aug 25, 2008 at 7:51 PM, Brian Turnbow wrote:
>
> We use them and have never experienced problems as long as you keep in the TCAM space.
> With too many routes/ACLs etc. they punt to CPU.
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian MacNevin
> Sent: Friday 15 August 2008 6.00
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 3560 ACL performance?
>
> Hi
> So the marketing machine tells me 3650s do ACLs in hardware and zero
> performance hit blah blah.
> Anyone had any real world experience with high loads of packets on > every interface under a simple ACL? > Thanks > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From antal.gergely at hu.digi.tv Mon Aug 25 10:05:10 2008 From: antal.gergely at hu.digi.tv (Antal Gergely) Date: Mon, 25 Aug 2008 16:05:10 +0200 Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces. In-Reply-To: References: Message-ID: <48B2BC16.5080304@hu.digi.tv> Maarten Moerman wrote: > Hi, > > I have a kind of problem at the moment which I'll try to explain here. > > Diagram: > > sw1 with 4 * GE--> 4 * GE @ r1 @ 10GE--> 10GE @ r2 4 * GE--> 4 * GEsw2 > > sw1 + sw2 = 6509 with 6748 blades > r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE xenpaks > on 6704 10GE blades > > On sw1 +2 I have: > > Int port-channel1 > Trunk encaps dot1q (multiple vlan) > > Int giga x/1-4 > Channel-group 1 mode on > > On r1 + r2 I have: > > Int port-channel 1 > mtu 9216 > xconnect encapsulation mpls > > Int giga x/1-4 > mtu 9216 > channel-group 1 mode on > > However, I'm currently facing the problem, that I cannot exceed the bandwith > of that port-channel over 1gbit. The ingress is no problem, it tries to > send, but the other side doesn't seem to pick up the traffic. > > Does this have to do with the fact that the portchannel on the routers only > see 1 source, and 1 destination address? So that it cannot correctly balance > traffic among 4 interfaces? 
definitely

sh etherchannel load-balance

and set ipv4 with: port-channel load-balance src-dst-mixed-ip-port

all the 4 boxes should support src-dst-mixed-ip-port

-- 
Antal GERGELY
Backbone Network Department
IP Services
DIGI KFT
Budapest Vaci ut 35.
H-1134 Hungary

From oboehmer at cisco.com Mon Aug 25 10:07:48 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 25 Aug 2008 16:07:48 +0200
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405E715EB@xmb-ams-333.emea.cisco.com>

Maarten Moerman <> wrote on Monday, August 25, 2008 3:54 PM:

> Hi,
>
> I have a kind of problem at the moment which I'll try to explain here.
>
> Diagram:
>
> sw1 with 4 * GE--> 4 * GE @ r1 @ 10GE--> 10GE @ r2 4 * GE--> 4 *
> GE sw2
>
> sw1 + sw2 = 6509 with 6748 blades
> r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE
> xenpaks on 6704 10GE blades
>
> On sw1 + sw2 I have:
>
> Int port-channel1
>  Trunk encaps dot1q (multiple vlan)
>
> Int giga x/1-4
>  Channel-group 1 mode on
>
> On r1 + r2 I have:
>
> Int port-channel 1
>  mtu 9216
>  xconnect encapsulation mpls
>
> Int giga x/1-4
>  mtu 9216
>  channel-group 1 mode on
>
> However, I'm currently facing the problem that I cannot exceed the
> bandwidth of that port-channel over 1gbit. The ingress is no problem,
> it tries to send, but the other side doesn't seem to pick up the
> traffic.
>
> Does this have to do with the fact that the portchannel on the
> routers only sees 1 source and 1 destination address? So that it
> cannot correctly balance traffic among 4 interfaces?
>
> Anybody has an idea how to solve this?
I've never done xconnect on a port-channel, but you could remove the channel on r1 and r2 and just configure "regular" EoMPLS PWs between each of the four GigE links. Channeling is then only performed on sw1 and sw2.. I would consider running LACP/PAgP on the channel between sw1/sw2..
This should work.

oli

From mmoerman at ebay.com Mon Aug 25 10:13:04 2008
From: mmoerman at ebay.com (Maarten Moerman)
Date: Mon, 25 Aug 2008 16:13:04 +0200
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405E715EB@xmb-ams-333.emea.cisco.com>
Message-ID:

On 8/25/08 4:07 PM, "Oliver Boehmer (oboehmer)" wrote:

>
> I've never done xconnect on a port-channel, but you could remove the
> channel on r1 and r2 and just configure "regular" EoMPLS PWs between
> each of the four GigE links. Channeling is then only performed on sw1
> and sw2.. I would consider running LACP/PAgP on the channel between
> sw1/sw2..
> This should work.

Never did think of that possibility, thanks, will look into that.

I think the current not-working scenario is because everything is encapsulated in a trunk, so the routers cannot see how they need to load balance it.

Maarten

From mmoerman at ebay.com Mon Aug 25 10:18:41 2008
From: mmoerman at ebay.com (Maarten Moerman)
Date: Mon, 25 Aug 2008 16:18:41 +0200
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.
In-Reply-To: <48B2BC16.5080304@hu.digi.tv>
Message-ID:

On 8/25/08 4:05 PM, "Antal Gergely" wrote:

> definitely
>
> sh etherchannel load-balance
>
> and set ipv4 with: port-channel load-balance src-dst-mixed-ip-port
>
> all the 4 boxes should support src-dst-mixed-ip-port

Those commands do not work on the 6509's, but only on the 7604's, and I doubt that the 7600's can inspect the trunk packets to perform this kind of load balancing.

Oliver Boehmer just mailed a perfect solution for this problem I think.
Just make the ports on the router not part of an etherchannel, but let them just do their EoMPLS work....

Regards

Maarten Moerman
mmoerman at ebay.com

From MLouis at nwnit.com Mon Aug 25 10:19:54 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 25 Aug 2008 10:19:54 -0400
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To: <48B2BC16.5080304@hu.digi.tv>
References: <48B2BC16.5080304@hu.digi.tv>
Message-ID:

List,

I just read in a practice test for an upcoming cert that Vlan 1 is used to carry VTP advertisements. However, it is possible to prune vlan 1 from trunk links. Will VTP continue to function without Vlan 1 being enabled on the link? Has this changed in more recent IOS releases?

From tomz at cisco.com Mon Aug 25 10:26:27 2008
From: tomz at cisco.com (Tom Zingale (tomz))
Date: Mon, 25 Aug 2008 07:26:27 -0700
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>
References: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>
Message-ID:

The SDM template documentation has guidelines.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swsdm.html

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of rendo
> Sent: Monday, August 25, 2008 7:00 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3560 ACL performance?
>
> hi,
>
> is there any exact/rough number of acl which doesn't impact the cpu?
> or how can we check/make sure that the cpu will not be impacted if the
> traffic increasing?
>
> Thanks.
>
> ./rendo
>
> On Mon, Aug 25, 2008 at 7:51 PM, Brian Turnbow wrote:
> >
> > We use them and have never experienced problems as long as you keep in
> > the tcam space.
> > With too many routes/acls etc they punt to cpu.
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian MacNevin
> > Sent: Friday 15 August 2008 6.00
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] 3560 ACL performance?
> >
> > Hi
> > So the marketing machine tells me 3650s do ACLs in hardware and zero
> > performance hit blah blah.
> > Anyone had any real world experience with high loads of packets on
> > every interface under a simple ACL?
> > Thanks

From fweimer at bfk.de Mon Aug 25 10:27:07 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Mon, 25 Aug 2008 16:27:07 +0200
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com> (rendo's message of "Mon, 25 Aug 2008 20:59:37 +0700")
References: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>
Message-ID: <82fxotcgqs.fsf@mid.bfk.de>

* rendo:

> is there any exact/rough number of acl which doesn't impact the cpu?
> or how can we check/make sure that the cpu will not be impacted if the
> traffic increasing?

According to the docs, if you run it in the router profile, the ACL TCAM has 1,000 entries. There should be a (hidden) command to dump the TCAM contents, so you can check how your ACLs are compiled and project TCAM utilization according to that.
-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From b.turnbow at twt.it Mon Aug 25 10:45:36 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 25 Aug 2008 16:45:36 +0200
Subject: [c-nsp] UBR+ and service-policy on ATM PVCs
In-Reply-To: <20080825125733.GC55339@nerim.net>
References: <20080825125733.GC55339@nerim.net>
Message-ID:

In order to use QoS on an ATM PVC you need to use ABR/VBR/CBR.
UBR and UBR+ are for best effort services offering no bandwidth guarantee, so you cannot utilize the service policy.

That said, we mainly use 12.2(31)SB11.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Raphael Bouaziz
Sent: Monday 25 August 2008 14.58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] UBR+ and service-policy on ATM PVCs

Hi all,

I am trying to find the right IOS version to use on 7200s w/ NPE-400/NPE-G1 that both support UBR+ and QoS (service policies) on a per-VC basis.

Today we use 12.2(16)B2 to terminate ATM PVCs (from xDSL lines) on these routers; it works fine. But this (old) version lacks QoS support.

When testing newer versions (I tried 12.3 & 12.4 mainline, 12.2SB, 12.4T) that could support QoS, we run into an issue with UBR+. Commands are accepted but ignored, and PVCs get configured with UBR at physical line rate.

ATM interfaces are PA-A3-OC3MM w/ hardware version 2.0.

Which IOS version should we use?

Thanks.

-- 
Raphael Bouaziz.

From DTODD at PARTNERS.ORG Mon Aug 25 10:20:22 2008
From: DTODD at PARTNERS.ORG (Todd, Douglas M.)
Date: Mon, 25 Aug 2008 10:20:22 -0400
Subject: [c-nsp] 6500 snmp and vty acls ?
In-Reply-To:
Message-ID: <1F1F2AF9CD74144CAB1F5702D4F74A4E01478543@PHSXMB24.partners.org>

Just some thoughts:

I believe the ACLs are hardware based with the PFC3 (I don't believe that the software version makes this difference), but I do believe they are hardware based unless you add things like logging.

This may help you with the PFC3:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html

COPP has software and hardware based queues. The hardware queue does not come into play until you add mls qos. Once you do this you will see the hardware and software counters. I believe that the two are considered separate policers, but you define one policy-map->class-map.

We have seen traffic being dropped (tcp and ipx) when we have the default-queue policer set to low, just an fyi.

There are quite a few good examples on the net from Cisco and from good users on this group.

Douglas

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Turnbow
Sent: Monday, August 25, 2008 9:00 AM
To: Jeff Fitzwater; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 snmp and vty acls ?

COPP is done in hardware
ACL on VTY/SNMP is software as far as I remember

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Wednesday 13 August 2008 22.17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6500 snmp and vty acls ?

Does anyone know if VTY and snmp ACLs are implemented in hardware or software on a 6500 with 720-CXL running 12.2(33)SXH. I am trying to understand COPP and move away from the VTY and SNMP ACLs.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University

From snar at paranoia.ru Mon Aug 25 10:53:57 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Mon, 25 Aug 2008 18:53:57 +0400
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405E715EB@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405E715EB@xmb-ams-333.emea.cisco.com>
Message-ID: <20080825145357.GB26716@paranoia.ru>

On Mon, Aug 25, 2008 at 04:07:48PM +0200, Oliver Boehmer (oboehmer) wrote:
> Maarten Moerman <> wrote on Monday, August 25, 2008 3:54 PM:
>
> > Hi,
> >
> > I have a kind of problem at the moment which I'll try to explain here.
> >
> > Diagram:
> >
> > sw1 with 4 * GE--> 4 * GE @ r1 @ 10GE--> 10GE @ r2 4 * GE--> 4 *
> > GE sw2
> >
> > sw1 + sw2 = 6509 with 6748 blades
> > r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE
> > xenpaks on 6704 10GE blades
> >
> > On sw1 + sw2 I have:
> >
> > Int port-channel1
> >  Trunk encaps dot1q (multiple vlan)
> >
> > Int giga x/1-4
> >  Channel-group 1 mode on
> >
> > On r1 + r2 I have:
> >
> > Int port-channel 1
> >  mtu 9216
> >  xconnect encapsulation mpls
> >
> > Int giga x/1-4
> >  mtu 9216
> >  channel-group 1 mode on
> >
> > However, I'm currently facing the problem that I cannot exceed the
> > bandwidth of that port-channel over 1gbit. The ingress is no problem,
> > it tries to send, but the other side doesn't seem to pick up the
> > traffic.

Looks like you see the same problem as me:
http://puck.nether.net/pipermail/cisco-nsp/2007-March/039451.html

We solved this issue by avoiding EoMPLS and transferring data over the 10GE link as a simple switched VLAN.

Another (possible) solution - you can do some xconnects from one sw to another (they're 6509s, right? So you can load SRA or SXH IOS on them and do xconnects directly between switches). Why that solution is not guaranteed to work - if you have to xconnect a VLAN with more than one gbit of traffic, you'll face the same problem not on rt egress, but on the egress of the first sw.

> > Does this have to do with the fact that the portchannel on the
> > routers only sees 1 source and 1 destination address? So that it
> > cannot correctly balance traffic among 4 interfaces?
> >
> > Anybody has an idea how to solve this?
>
> I've never done xconnect on a port-channel, but you could remove the
> channel on r1 and r2 and just configure "regular" EoMPLS PWs between
> each of the four GigE links. Channeling is then only performed on sw1
> and sw2.. I would consider running LACP/PAgP on the channel between
> sw1/sw2..
> This should work.

Well, it should, but not in the case when you need to xconnect only some VLANs from the portchannel, and others you need to terminate locally or xconnect to other destinations...

-- 
Alexandre Snarskii
If you ask a stupid question, you may feel stupid.
If you don't ask a stupid question, you remain stupid.
-Tony Rothman, Ph.D. U. Chicago, Physics

From pashtuk at gmail.com Mon Aug 25 11:03:16 2008
From: pashtuk at gmail.com (Michel Grossenbacher)
Date: Mon, 25 Aug 2008 17:03:16 +0200
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To:
References: <48B2BC16.5080304@hu.digi.tv>
Message-ID: <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com>

Hi Mike

Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from a trunk. However you can remove it from the trunk. If you remove it from the trunk and change the native VLAN for the trunk, VTP will then use the new native VLAN for updates.

best regards

Michel

On 25/08/2008, Mike Louis wrote:
>
> List,
>
> I just read in a practice test for an upcoming cert that Vlan 1 is used to
> carry VTP advertisements. However, it is possible to prune vlan 1 from trunk
> links. Will VTP continue to function without Vlan 1 being enabled on the
> link? Has this changed in more recent IOS releases?
From luan at t3technology.com Mon Aug 25 11:19:20 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Mon, 25 Aug 2008 11:19:20 -0400
Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
In-Reply-To:
References:
Message-ID: <001001c906c5$f2e026b0$d8a07410$@com>

Maybe try to put in an ACL, or could use netflow for this as well...

ip access-list extended check_packets_in
 permit esp any any
 permit udp any eq isakmp any eq isakmp
 permit ip any any

interface dialer 1
 ip access-group check_packets_in in

To see if ESP is coming in to your spoke router.

-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
Sent: Monday, August 25, 2008 3:40 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

howdy ho all,

thanx to those who sent through suggestions on how to get the IPSEC to work - the ideas were :-

try mode transport :-
don't use a wildcard for the secret

so i changed the hub and spoke as follows :-

crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
 mode transport

crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0

also same symptoms - crypto comes up - hub reports IPSEC encaps and decaps - spoke sites report 0 decaps for IPSEC and no errors

any other ideas?

thanx

>
> howdy ho all,
>
> Was hoping I could use this forum to get some direction on resolving a
> strange issue I have with a DMVPN setup.
>
> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
> enable IPSEC the tunnels stop passing traffic.
>
>
> The setup :-
> ============
>
> All routers are CISCO 1841 platforms.
> the IOS image is :-
> C1841-ADVIPSERVICESK9-M
> c1841-advipservicesk9-mz.124-21.bin
>
>
> HUB Router
> ----------
> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
> up an L2TP tunnel to obtain a static IP address.
>
> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
> This IP address is the NHS. All connections to/from the hub
> use the address of 196.47.0.204.
>
> Tunnel interface on the hub router is 10.0.0.1
>
>
> Spoke Router
> ------------
> the Spoke router (there are 2, I am just showing one) connects via ADSL
> (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
> routers use Dialer1 as their interface into the NHRP cloud.
>
> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface
> ie do not add the command tunnel protection ipsec profile DMVPN
> on Tunnel0
>
> Tunnel interface on the hub router is 10.0.0.3
> all works perfectly.
>
>
> The Problem
> ===========
>
> When I enable IPSEC encryption on the tunnel interfaces on all routers
> then things break. I have tried with both 3DES and AES and same issue.
>
> All the crypto sessions seem correct - correct SAs come up. The dynamically
> created crypto-maps seem correct.
>
> BUT. on the spoke routers, IPSEC reports that no packets are being
> de-encapsulated but no errors are reported.
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>
> But on the HUB.
> all is well
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>
> Any ideas/thoughts would be greatly appreciated.
>
> The configuration's and some useful output are below
>
>
>
> HUB Configuration
> =================
>
> hostname adsl-nhrp-hub
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> no aaa new-model
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 03070E0C2E572B6A1719
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  no ip next-hop-self eigrp 1
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  no ip split-horizon eigrp 1
>  tunnel source Virtual-PPP1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface Null0
>  no ip unreachables
> !
> interface FastEthernet0/0
>  no ip address
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface Virtual-PPP1
>  ip address negotiated
>  ip mtu 1452
>  ip virtual-reassembly
>  no logging event link-status
>  no peer neighbor-route
>  no cdp enable
>  ppp chap hostname XXXXX
>  ppp chap password 7 XXXXXX
>  ppp pap sent-username XXXX password 7 XXXXX
>  pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp chap hostname XXX
>  ppp chap password 7 XXXX
>  ppp pap sent-username XXXX password 7 XXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> adsl-nhrp-hub#show ip nhrp
> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.174
> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.191
>
> adsl-nhrp-hub#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>    current_peer 41.195.37.174 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>     #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0xD9D819B1(3654818225)
>
>      inbound esp sas:
>       spi: 0x8AD878CD(2329442509)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437499/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xD9D819B1(3654818225)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437454/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0x6E27D1C2(1848103362)
>
>      inbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478781/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478771/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> adsl-nhrp-hub#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.174
>         Extended IP access list
>             access-list  permit gre host 196.47.0.204 host 41.195.37.174
>         Current peer: 41.195.37.174
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.191
>         Extended IP access list
>             access-list  permit gre host 196.47.0.204 host 41.195.37.191
>         Current peer: 41.195.37.191
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>         Interfaces using crypto map Tunnel0-head-0:
>                 Tunnel0
>
> adsl-nhrp-hub#show crypto engine connections active
>
>    ID Interface       IP-Address      State  Algorithm          Encrypt  Decrypt
>    16 Virtual-PPP1    196.47.0.204    set    HMAC_MD5+AES_CBC         0        0
>    18 Tunnel0         10.0.0.1        set    HMAC_MD5+AES_CBC         0        0
>  3003 Tunnel0         196.47.0.204    set    AES+MD5                169        0
>  3004 Tunnel0         196.47.0.204    set    AES+MD5                  0        8
>  3005 Virtual-PPP1    196.47.0.204    set    AES+MD5                818        0
>  3006 Virtual-PPP1    196.47.0.204    set    AES+MD5                  0        1
>
>
> Spoke Configuration
> ===================
>
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 xxxx
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.3 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.3 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map 10.0.0.1 196.47.0.204
>  ip nhrp map multicast 196.47.0.204
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp nhs 10.0.0.1
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  tunnel source Dialer1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address dhcp
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  ip address 10.222.0.1 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  ppp chap hostname XXXX
>  ppp chap password 0 XXXX
>  ppp pap sent-username XXXX password 0 XXXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface FastEthernet0/1
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
>  eigrp stub connected
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> access-list 3 permit 10.244.0.1
> !
> route-map clear-df permit 10
>  set ip df 0
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> Some Debugs
> ===========
>
> nhrp-spoke-2#show ip nhrp
> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>   Type: static, Flags: authoritative used
>   NBMA address: 196.47.0.204
>
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>      local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>      path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>      current outbound spi: 0xEE9B0E5D(4003139165)
>
>      inbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530791/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530789/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> nhrp-spoke-2#show crypto engine connections active
>
>    ID Interface       IP-Address      State  Algorithm          Encrypt  Decrypt
>    13 Dialer1         41.195.37.191   set    HMAC_MD5+AES_CBC         0        0
>    14 Dialer1         41.195.37.191   set    HMAC_MD5+AES_CBC         0        0
>  3003 Dialer1         41.195.37.191   set    AES+MD5                 15        0
>  3004 Dialer1         41.195.37.191   set    AES+MD5                  0        0
>
> nhrp-spoke-2#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
> Peer = 196.47.0.204 > Extended IP access list > access-list permit gre host 41.195.37.191 host 196.47.0.204 > Current peer: 196.47.0.204 > Security association lifetime: 4608000 kilobytes/3600 seconds > PFS (Y/N): N > Transform sets={ > 3DES_MD5, > } > Interfaces using crypto map Tunnel0-head-0: > Tunnel0 > > > --------------------------------------------------------------------- > A feature is a bug with seniority. > > Nic Tjirkalli > Verizon Business South Africa > Network Strategy Team > > Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail > is strictly confidential and intended only for use by the addressee unless > otherwise indicated. > > Company Information:http:// www.verizonbusiness.com/za/contact/legal/ > > This e-mail is strictly confidential and intended only for use by the > addressee unless otherwise indicated. > > --------------------------------------------------------------------- Some days you're the pigeon, and some days you're the statue. Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information:http:// www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jay at west.net Mon Aug 25 11:34:23 2008 From: jay at west.net (Jay Hennigan) Date: Mon, 25 Aug 2008 08:34:23 -0700 Subject: [c-nsp] Surge protection on leased lines In-Reply-To: References: Message-ID: <48B2D0FF.9090809@west.net> Brian Turnbow wrote: > Hello, > > We have several customers that our having problems every time a storm > goes through. 
> Our national telco company seems to offer no lightning protection on
> their lines, and every storm causes a line outage and burns up the
> attached WIC.
> We've made sure the chassis are grounded, but would also like to try
> and install a surge protection between the v.35 interface of the telco
> and our CPEs.
> I see that Cisco offers a surge protection cable for smart serial
> interfaces, but not for classic serial interfaces.
> I wanted to ask what others would recommend / experiences regarding surge
> protection on leased lines.

This is an external CSU? I think you want it between the telco smartjack
and the CSU, not on the v.35. This should be two pairs of wires.

First thing to do is ensure that the telco smartjack, the CSU, and the
router are solidly connected to a common ground, as this may be the
source of the problem if the sneak current is not coming across the
leased line.

There are a number of companies making lightning protectors for twisted
pair lines, Reliable Electric and Polyphaser are two. But, triple-check
the grounding first because if it's common-mode across a ground
differential the protectors won't help.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


From hashng at gmail.com Mon Aug 25 11:53:13 2008
From: hashng at gmail.com (Hash Aminu)
Date: Mon, 25 Aug 2008 18:53:13 +0300
Subject: [c-nsp] Fwd: Limiting Broadcast and Multicast-2nd try
Message-ID:

---------- Forwarded message ----------
From: Hash Aminu
Date: Sat, Aug 16, 2008 at 11:09 AM
Subject: Limiting Broadcast and Multicast
To: cisco-nsp at puck.nether.net

Hi guys

My network has a huge L2 broadcast coming from the clients connected
(through DSLAMs)... the customer edge facing interfaces are on a 76k with
7600-ES20-GE and 7600-ES20-10G. AFAIK these cards don't support
Storm-control -- what other variants and options do I have in limiting
this garbage before it gets to my network, or at least saving my router
resources from crashing.

TIA
Hash


From b.turnbow at twt.it Mon Aug 25 12:05:07 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 25 Aug 2008 18:05:07 +0200
Subject: [c-nsp] Surge protection on leased lines
In-Reply-To: <48B2D0FF.9090809@west.net>
References: <48B2D0FF.9090809@west.net>
Message-ID:

Thanks for the response.
They are external CSUs but they are "telco property" and they don't want
us to touch them.
We have asked several times that they install protection coming into the
building but no go...
They install a remote powered integrated SHDSL modem/CSU in an all-plastic
housing and the only place we have been able to connect a ground is to the
v.35 mount on the integrated CSU. No help there.
Lightning strike = burned modem/CSU = burned WIC
The v.35 protector would be a try to at least save our WIC cards and the
costs of dispatching a tech for every passing storm.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: Monday 25 August 2008 17.34
To: Cisco Mailing list
Subject: Re: [c-nsp] Surge protection on leased lines

Brian Turnbow wrote:
> Hello,
>
> We have several customers that are having problems every time a storm
> goes through.
> Our national telco company seems to offer no lightning protection on
> their lines, and every storm causes a line outage and burns up the
> attached WIC.
> We've made sure the chassis are grounded, but would also like to try
> and install a surge protection between the v.35 interface of the telco
> and our CPEs.
> I see that Cisco offers a surge protection cable for smart serial
> interfaces, but not for classic serial interfaces.
> I wanted to ask what others would recommend / experiences regarding surge
> protection on leased lines.

This is an external CSU? I think you want it between the telco smartjack
and the CSU, not on the v.35. This should be two pairs of wires.

First thing to do is ensure that the telco smartjack, the CSU, and the
router are solidly connected to a common ground, as this may be the
source of the problem if the sneak current is not coming across the
leased line.

There are a number of companies making lightning protectors for twisted
pair lines, Reliable Electric and Polyphaser are two. But, triple-check
the grounding first because if it's common-mode across a ground
differential the protectors won't help.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


From pashtuk at gmail.com Mon Aug 25 12:06:00 2008
From: pashtuk at gmail.com (Michel Grossenbacher)
Date: Mon, 25 Aug 2008 18:06:00 +0200
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To: <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com>
References: <48B2BC16.5080304@hu.digi.tv>
	<6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com>
Message-ID: <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com>

A little correction on my answer, VTP does not use the Native VLAN :-)

Here is what I found regarding the use of VTP and VLAN1:

The Case of VLAN 1

You cannot apply VTP pruning to VLANs that need to exist everywhere and
that need to be allowed on all switches in the campus, in order to be able
to carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control
traffic. However, there is a way to limit the extent of VLAN 1. The
feature is called VLAN 1 disable on trunk. The feature is available on
Catalyst 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS
software release 5.4(x) and later. The feature allows you to prune VLAN 1
from a trunk, as you do for any other VLAN. This pruning does not include
all the control protocol traffic that is still allowed on the trunk (DTP,
PAgP, CDP, VTP, and others). However, the pruning does block all user
traffic on that trunk. With this feature, you can keep the VLAN from
spanning the entire campus. STP loops are limited in extent, even in
VLAN 1. Configure VLAN 1 to be disabled, as you would configure other
VLANs to be cleared from the trunk:

UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk
port, the native VLAN must not be pruned in order for UDLD to work
properly.

http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml

Sorry for the confusion.

best regards

Michel

On 25/08/2008, Michel Grossenbacher wrote:
>
> Hi Mike
> Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from a
> trunk. However you can remove it from the trunk.
> If you remove it from the trunk and change the native VLAN for the trunk,
> VTP will then use the new native VLAN for updates.
> best regards
>
> Michel
>
>
> On 25/08/2008, Mike Louis wrote:
>>
>> List,
>>
>> I just read in a practice test for an upcoming cert that Vlan 1 is used to
>> carry VTP advertisements. However, it is possible to prune vlan 1 from trunk
>> links. Will VTP continue to function without Vlan 1 being enabled on the
>> link? Has this changed in more recent IOS releases?
>>
>> Note: This message and any attachments is intended solely for the use of
>> the individual or entity to which it is addressed and may contain
>> information that is non-public, proprietary, legally privileged,
>> confidential, and/or exempt from disclosure. If you are not the intended
>> recipient, you are hereby notified that any use, dissemination,
>> distribution, or copying of this communication is strictly prohibited. If
>> you have received this communication in error, please notify the original
>> sender immediately by telephone or return email and destroy or delete this
>> message along with any attachments immediately.
>>
>


From cchurc05 at harris.com Mon Aug 25 12:14:40 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 25 Aug 2008 11:14:40 -0500
Subject: [c-nsp] Fwd: Limiting Broadcast and Multicast-2nd try
In-Reply-To:
References:
Message-ID:

Can you identify what the broadcasts are? Might be better to filter out
the crap that isn't needed via ACL than apply a storm control that'll
affect lots of things - DHCP, ARP, etc.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hash Aminu
Sent: Monday, August 25, 2008 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Fwd: Limiting Broadcast and Multicast-2nd try

---------- Forwarded message ----------
From: Hash Aminu
Date: Sat, Aug 16, 2008 at 11:09 AM
Subject: Limiting Broadcast and Multicast
To: cisco-nsp at puck.nether.net

Hi guys

My network has a huge L2 broadcast coming from the clients connected
(through DSLAMs)... the customer edge facing interfaces are on a 76k with
7600-ES20-GE and 7600-ES20-10G. AFAIK these cards don't support
Storm-control -- what other variants and options do I have in limiting
this garbage before it gets to my network, or at least saving my router
resources from crashing.

TIA
Hash


From sethm at rollernet.us Mon Aug 25 12:51:54 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 25 Aug 2008 09:51:54 -0700
Subject: [c-nsp] 3560 ACL performance?
In-Reply-To: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>
References: <6e9252f0808250659t650ba30ch4869d68d6c21e369@mail.gmail.com>
Message-ID: <48B2E32A.1010901@rollernet.us>

rendo wrote:
> hi,
>
> is there any exact/rough number of acl which doesn't impact the cpu?
> or how can we check/make sure that the cpu will not be impacted if the
> traffic increasing?
>

Try: show platform tcam utilization

~Seth


From k.vdh at solcon.nl Mon Aug 25 12:15:42 2008
From: k.vdh at solcon.nl (Koen)
Date: Mon, 25 Aug 2008 18:15:42 +0200
Subject: [c-nsp] EoMPLS with Port-channel with 8GE interfaces.
In-Reply-To: <20080825145357.GB26716@paranoia.ru>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405E715EB@xmb-ams-333.emea.cisco.com>
	<20080825145357.GB26716@paranoia.ru>
Message-ID: <48B2DAAE.6010105@solcon.nl>

Hi,

I'm a colleague of Maarten also looking into this problem.

Egress traffic from the router to the switch is going through one
interface of the port-channel on both sides. Egress traffic from the
switch to the router is load-balanced fine.

I think the problem we have is because of the etherchannel load-balance
"mpls label-ip":

r1#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
  MPLS: Label or IP

I guess when the MPLS label and IP are always the same there is nothing
to make load-balancing decisions on, right?

The solution Olivier Boehmer mailed could solve this problem, then you
use the xconnects as a sort of "trunks" to connect the switches...

--
Koen

Alexandre Snarskii wrote:
> On Mon, Aug 25, 2008 at 04:07:48PM +0200, Oliver Boehmer (oboehmer) wrote:
>> Maarten Moerman <> wrote on Monday, August 25, 2008 3:54 PM:
>>
>>> Hi,
>>>
>>> I have a kind of problem at the moment which I'll try to explain here.
>>>
>>> Diagram:
>>>
>>> sw1 with 4 * GE--> 4 * GE @ r1 @ 10GE--> 10GE @ r2 4 * GE--> 4 * GE sw2
>>>
>>> sw1 + sw2 = 6509 with 6748 blades
>>> r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE
>>> xenpaks on 6704 10GE blades
>>>
>>> On sw1 +2 I have:
>>>
>>> Int port-channel1
>>> Trunk encaps dot1q (multiple vlan)
>>>
>>> Int giga x/1-4
>>> Channel-group 1 mode on
>>>
>>> On r1 + r2 I have:
>>>
>>> Int port-channel 1
>>> mtu 9216
>>> xconnect encapsulation mpls
>>>
>>> Int giga x/1-4
>>> mtu 9216
>>> channel-group 1 mode on
>>>
>>> However, I'm currently facing the problem, that I cannot exceed the
>>> bandwidth of that port-channel over 1gbit. The ingress is no problem,
>>> it tries to send, but the other side doesn't seem to pick up the
>>> traffic.
>
> Looks like you see the same problem as me:
> http://puck.nether.net/pipermail/cisco-nsp/2007-March/039451.html
>
> We solved this issue by avoiding EoMPLS and transferring
> data over the 10GE link as a simple switched VLAN.
>
> Another (possible) solution - you can do some xconnects from
> one sw to another (they're 6509, right? So, you can load SRA
> or SXH IOS on them and do xconnects directly between switches).
> Why that solution is not guaranteed to work - if you have to xconnect a
> VLAN with more than one gbit of traffic, you'll face the same
> problem not on the rt egress, but on the egress of the first sw.
>
>
>>> Does this have to do with the fact that the portchannel on the
>>> routers only see 1 source, and 1 destination address? So that it
>>> cannot correctly balance traffic among 4 interfaces?
>>>
>>> Anybody has an idea how to solve this?
>> I've never done xconnect on a port-channel, but you could remove the
>> channel on r1 and r2 and just configure "regular" EoMPLS PWs between
>> each of the four GigE links. Channeling is then only performed on sw1
>> and sw2.. I would consider running LACP/PAgP on the channel between
>> sw1/sw2..
>> This should work.
>
> Well, it should, but not in the case when you need to xconnect only
> some VLANs from the portchannel, and others you need to terminate
> locally or xconnect to other destinations...
>


From tbeecher at localnet.com Mon Aug 25 12:37:04 2008
From: tbeecher at localnet.com (Thomas Beecher)
Date: Mon, 25 Aug 2008 12:37:04 -0400
Subject: [c-nsp] IOS VPN Client Group Issue
Message-ID: <48B2DFB0.3080906@localnet.com>

I've come across something odd. I think that this is just a simple
oversight on my part, hopefully another set of eyes will catch this for me.

I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN
tunnels. Right now, I have three point to point tunnels up, and working
without issue. This morning, I started adding the config for VPN client
access, and that's where I'm getting hung up.

Under the crypto isakmp client configuration command, I should have a
'group' option to set up the VPN group parameters. However, I do not. The
only option I have is 'address-pool'. As far as I can tell, this image
should support that command.

I'm fairly certain that I have the correct aaa commands in place to
enable group authorization, however there are some pre-existing AAA
commands on this router that could be hanging me up.

Here's the aaa config:

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication login rev_tel line enable
aaa authentication login userauthen local
aaa authorization network groupauthen local

Am I missing something painfully obvious here?
Thanks in advance,

Tom


From moua0100 at umn.edu Mon Aug 25 13:35:58 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 25 Aug 2008 12:35:58 -0500
Subject: [c-nsp] IOS VPN Client Group Issue
In-Reply-To: <48B2DFB0.3080906@localnet.com>
References: <48B2DFB0.3080906@localnet.com>
Message-ID: <05e401c906d9$09511b30$31dd5ea0@ad.umn.edu>

I'm doing a similar config with IOS: 12.4(15)T6

I wonder if you need the "T" code train for this:

Router(config)#crypto isakmp client configuration ?
  address-pool   Set network address for client
  browser-proxy  Set browser proxy attributes for client
  group          Set group profile attributes for client

Router(config)#crypto isakmp client configuration

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
2218 University Ave SE | Minneapolis, MN 55414-3029
Office: 612.626.2779 | Pager: 612.648.0103 | Fax: 612.626.1818

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thomas Beecher
Sent: Monday, August 25, 2008 11:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IOS VPN Client Group Issue

I've come across something odd. I think that this is just a simple
oversight on my part, hopefully another set of eyes will catch this for me.

I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN
tunnels. Right now, I have three point to point tunnels up, and working
without issue. This morning, I started adding the config for VPN client
access, and that's where I'm getting hung up.

Under the crypto isakmp client configuration command, I should have a
'group' option to set up the VPN group parameters. However, I do not. The
only option I have is 'address-pool'. As far as I can tell, this image
should support that command.

I'm fairly certain that I have the correct aaa commands in place to
enable group authorization, however there are some pre-existing AAA
commands on this router that could be hanging me up.

Here's the aaa config:

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication login rev_tel line enable
aaa authentication login userauthen local
aaa authorization network groupauthen local

Am I missing something painfully obvious here?

Thanks in advance,

Tom


From danletkeman at gmail.com Mon Aug 25 13:36:13 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Mon, 25 Aug 2008 12:36:13 -0500
Subject: [c-nsp] route availability
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501C25DCD@xmb-ams-331.emea.cisco.com>
References: <67F7C1FAF83A074AA3520D8F155782A501C25DCD@xmb-ams-331.emea.cisco.com>
Message-ID:

Yes, I think that should work, but I only have a 2621 router and it looks
like those options are not available on that router/IOS. Do you have any
other ideas?

Dan.

On Sun, Aug 24, 2008 at 12:12 AM, Arie Vayner (avayner) wrote:
> Dan,
>
> Take a look at "Enhanced Object Tracking":
> http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_eot.html
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Sunday, August 24, 2008 07:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] route availability
>
> Hello,
>
> I currently have four default routes on a 2621 router that is doing
> load balancing to four adsl modems/routers (which are doing NAT).
>
> ip cef
>
> ip route 0.0.0.0 0.0.0.0 192.168.11.251
> ip route 0.0.0.0 0.0.0.0 192.168.11.252
> ip route 0.0.0.0 0.0.0.0 192.168.11.253
> ip route 0.0.0.0 0.0.0.0 192.168.11.254
>
> This is working for load balancing, but when one of the modems stops
> working I basically lose all connection to the internet. What would be
> the best way to verify the availability of the next hop?
>
> Thanks,
> Dan.
>


From mksmith at adhost.com Mon Aug 25 13:39:54 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 25 Aug 2008 10:39:54 -0700
Subject: [c-nsp] IOS VPN Client Group Issue
In-Reply-To: <48B2DFB0.3080906@localnet.com>
References: <48B2DFB0.3080906@localnet.com>
Message-ID: <17838240D9A5544AAA5FF95F8D5203160490319C@ad-exh01.adhost.lan>

Hello Tom:

Here is a configuration snippet from 12.1 which *should* work, provided
you have the right train, etc. etc.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml

Regards,

Mike

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Thomas Beecher
> Sent: Monday, August 25, 2008 9:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS VPN Client Group Issue
>
> I've come across something odd. I think that this is just a simple
> oversight on my part, hopefully another set of eyes will catch this for me.
>
> I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN
> tunnels. Right now, I have three point to point tunnels up, and working
> without issue. This morning, I started adding the config for VPN client
> access, and that's where I'm getting hung up.
>
> Under the crypto isakmp client configuration command, I should have a
> 'group' option to set up the VPN group parameters. However, I do not. The
> only option I have is 'address-pool'. As far as I can tell, this image
> should support that command.
>
> I'm fairly certain that I have the correct aaa commands in place to
> enable group authorization, however there are some pre-existing AAA
> commands on this router that could be hanging me up.
>
> Here's the aaa config:
>
> aaa new-model
> aaa authentication login default group tacacs+ line enable
> aaa authentication login rev_tel line enable
> aaa authentication login userauthen local
> aaa authorization network groupauthen local
>
> Am I missing something painfully obvious here?
>
> Thanks in advance,
>
> Tom
>


From peter at rathlev.dk Mon Aug 25 13:59:30 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 25 Aug 2008 19:59:30 +0200
Subject: [c-nsp] route availability
In-Reply-To:
References: <67F7C1FAF83A074AA3520D8F155782A501C25DCD@xmb-ams-331.emea.cisco.com>
Message-ID: <1219687170.29751.3.camel@abehat>

On Mon, 2008-08-25 at 12:36 -0500, Dan Letkeman wrote:
> On Sun, Aug 24, 2008 at 12:12 AM, wrote:
> > Take a look at "Enhanced Object Tracking":
> > http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_eot.html
>
> Yes, I think that should work, but I only have a 2621 router and it
> looks like those options are not available on that router/ios. Do you
> have any other ideas?

According to FN 12.2T and 12.3 supports EOT for the 2621. We have a
2651XM running 12.3(26) that does EOT. What are you running?
Regards, Peter From alan at PEERAPP.com Mon Aug 25 14:11:12 2008 From: alan at PEERAPP.com (Alan Arolovitch) Date: Mon, 25 Aug 2008 21:11:12 +0300 Subject: [c-nsp] Web Caches Message-ID: Hi, I suggest you take a look at our clustered UltraBand cache, http://www.peerapp.com/ UltraBand cache is a combined HTTP/P2P cache for service providers, supporting progressive download Flash video (e.g. YouTube) and software downloads over HTTP, among other things, as well as URL filtering Cheers, Alan ------------------------------ Message: 5 Date: Sat, 23 Aug 2008 01:42:44 -0700 From: "Lala Lander" Subject: [c-nsp] Web Caches To: "cisco-nsp at puck.nether.net" Message-ID: Content-Type: text/plain; charset=ISO-8859-1 Hi guys, I am looking for information on Web Caches. I need to find out what vendors are out there and what is your deployment and operational experience My objective is to reduce Internet bandwidth usage and some URL filtering. I am currently evaluating BlueCoat and Secure Computing but I need your opinion before I test them any further. thanks. ------------------------------ From paul.cosgrove at heanet.ie Mon Aug 25 14:50:28 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Mon, 25 Aug 2008 19:50:28 +0100 Subject: [c-nsp] VTP and Vlan 1 In-Reply-To: <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com> References: <48B2BC16.5080304@hu.digi.tv> <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com> <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com> Message-ID: <48B2FEF4.4090606@heanet.ie> Hi Michel, You may have been right the first time there. I think VTP does indeed use the native vlan, not necessarily vlan 1. DTP is also sent on the native vlan, untagged and tagged in its case. Paul. 
Michel Grossenbacher wrote: > A little correction on my answer, VTP does not use the Native VLAN :-) > > Here is what I found regarding the use of VTP and VLAN1: > The Case of VLAN 1 > > You cannot apply VTP pruning to VLANs that need to exist everywhere and that > need to be allowed on all switches in the campus, in order to be able to > carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control > traffic. However, there is a way to limit the extent of VLAN 1. The feature > is called VLAN 1 disable on trunk. The feature is available on Catalyst > 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software > release 5.4(x) and later. The feature allows you to prune VLAN 1 from a > trunk, as you do for any other VLAN. This pruning does not include all the > control protocol traffic that is still allowed on the trunk (DTP, PAgP, CDP, > VTP, and others). However, the pruning does block all user traffic on that > trunk. With this feature, you can keep the VLAN from spanning the entire > campus. STP loops are limited in extent, even in VLAN 1. Configure VLAN 1 to > be disabled, as you would configure other VLANs to be cleared from the > trunk: > > UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk port, > the native VLAN must not be pruned in order for UDLD to work properly. > http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml > > Sorry for the confusion. > > best regards > > Michel > > > On 25/08/2008, Michel Grossenbacher wrote: >> Hi Mike >> Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from a >> trunk. However you can remove it from the trunk. >> If you remove it from the trunk and change the native VLAN for the trunk, >> VTP will then use the new native VLAN for updates. >> best regards >> >> Michel >> >> >> On 25/08/2008, Mike Louis wrote: >>> List, >>> >>> I just read in a practice test for an upcoming cert that Vlan 1 is used to >>> carry VTP advertisements. 
>>> However, it is possible to prune vlan 1 from trunk links. Will VTP continue to function without Vlan 1 being enabled on the link? Has this changed in more recent IOS releases?
>>>
>>> Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.
From pashtuk at gmail.com Mon Aug 25 15:26:19 2008
From: pashtuk at gmail.com (Michel Grossenbacher)
Date: Mon, 25 Aug 2008 21:26:19 +0200
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To: <48B2FEF4.4090606@heanet.ie>
References: <48B2BC16.5080304@hu.digi.tv> <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com> <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com> <48B2FEF4.4090606@heanet.ie>
Message-ID: <6e9dc1350808251226o3588464fp4a665fa5e6c34e6d@mail.gmail.com>

Paul,

indeed DTP is sent over the native VLAN, but VTP is pretty sure still over VLAN 1. I did a trace and mixed VTP with DTP, hence I said its using the native VLAN. But after I did some more traces the VTP packets did not show any VLAN informations "anymore" (actually they never did I only hit the wrong line within wireshark ;) ). So Im quite sure VTP and CDP are not sent via the native VLAN, after I changed it from VLAN 1 to VLAN 10. Probably have to have a look with ISL too.

Mike, I think I know what you mean, per definition (AFAIK) all VLANs get encapsulated by ISL, while with dot1Q all but the native one get a Tag. But within an ISL trunk Cisco defines a native VLAN (default is VLAN 1, same as dot1Q) and you can configure it the same way as for a dot1Q one so I'd say UDLD will use that one. I guess it will still be encapsulated but I did never check that. Do a *show interface trunk* if you configured an ISL trunk and you'll see it at the top.

Michel

2008/8/25 Paul Cosgrove
> Hi Michel,
>
> You may have been right the first time there. I think VTP does indeed
> use the native vlan, not necessarily vlan 1. DTP is also sent on the
> native vlan, untagged and tagged in its case.
>
> Paul.
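Michel's check above (looking in a capture at whether the VTP, CDP and DTP frames carry an 802.1Q tag) can be repeated offline on raw frame bytes. The following Python is an added example, not code from this thread, from Cisco or from Wireshark: it decodes an Ethernet frame, reports whether it is 802.1Q-tagged and with which VLAN id, and identifies the Cisco control protocol from its LLC/SNAP header (OUI 00:00:0c; SNAP PIDs 0x2000 CDP, 0x2003 VTP, 0x2004 DTP). The frames it is run on are constructed by hand for the demonstration; on a real trunk you would feed it the bytes of captured frames.

```python
"""
Classify Ethernet frames: is the frame 802.1Q-tagged (and with which VLAN
id), and is it a Cisco control-plane protocol (VTP, CDP, DTP)?

Added example for the VTP/native-VLAN discussion; it is not code from the
cisco-nsp thread or from Cisco. The frames fed to it below are constructed
by hand, not captured from a real switch.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100                          # 802.1Q tag protocol identifier
CISCO_OUI = b"\x00\x00\x0c"                  # SNAP OUI used by Cisco protocols
CISCO_MCAST = bytes.fromhex("01000ccccccc")  # dst MAC shared by VTP/CDP/DTP
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}


def parse_frame(frame: bytes) -> dict:
    """Return dst MAC, VLAN id (None when untagged) and protocol name."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan: Optional[int] = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF                  # low 12 bits of the TCI are the VID
        offset = 18
    proto = "unknown"
    if ethertype <= 1500:
        # IEEE 802.3 length field: an LLC header follows. Cisco control
        # protocols use LLC/SNAP (DSAP/SSAP 0xAA, control 0x03), OUI 00:00:0c.
        llc = frame[offset:offset + 3]
        if llc == b"\xaa\xaa\x03" and len(frame) >= offset + 8:
            oui = frame[offset + 3:offset + 6]
            (pid,) = struct.unpack("!H", frame[offset + 6:offset + 8])
            if oui == CISCO_OUI:
                proto = SNAP_PIDS.get(pid, "Cisco SNAP 0x%04x" % pid)
            else:
                proto = "SNAP"
        else:
            proto = "LLC"
    elif ethertype == 0x0800:
        proto = "IPv4"
    return {"dst": dst.hex(":"), "vlan": vlan, "proto": proto}


def describe(frame: bytes) -> str:
    """One-line verdict, like the summary column of a packet analyser."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        where = "untagged (native VLAN on a dot1q trunk)"
    else:
        where = "tagged VLAN %d" % info["vlan"]
    return "%s %s" % (info["proto"], where)


def build_snap_frame(pid: int, vlan: Optional[int],
                     payload: bytes = b"\x01" * 8) -> bytes:
    """Construct a minimal Cisco LLC/SNAP frame for testing (not a capture)."""
    src = bytes.fromhex("001122334455")      # constructed source MAC
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    header = CISCO_MCAST + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for f in (build_snap_frame(0x2003, None),   # VTP sent untagged
              build_snap_frame(0x2004, 10),     # DTP carrying a VLAN 10 tag
              build_snap_frame(0x2000, None)):  # CDP sent untagged
        print(describe(f))
```

On a dot1q trunk an untagged frame belongs to the native VLAN, so the verdict tells you which VLAN a given control frame travelled in; which VLAN that is for VTP is exactly what the thread is debating, and the parser only reports what is in the bytes. It only understands dot1q; frames on an ISL trunk are wrapped in an ISL header and would need a different decoder.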
From notrevebr at gmail.com Mon Aug 25 16:13:21 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Mon, 25 Aug 2008 17:13:21 -0300
Subject: [c-nsp] IP SLA and dyn routes
Message-ID: <3cf174360808251313g2f42fc8fx48f869d10b1035db@mail.gmail.com>

Hi all,

I'm having problem with my SP (run MPLS/BGP) where the time to converge networks is so high (>10 minutes) and they say that are working and will be fix in 3 months approx.

I want anything to do convergence faster for me.
I read about IP SLA, but do not find doc related IP SLA x dynamic routes, only IP SLA do track on static routes.
My first connection is with this SP running BGP (MPLS cloud) and second connection is with another SP running OSPF (Frame-relay cloud).
Due to this problem, when remote site is down, on my central point the route of this site still up on BGP table and do not converge to OSPF, only after period >10 minutes.

What another solution can i use?

tks for all,

From dean at eatworms.org.uk Mon Aug 25 16:53:41 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Mon, 25 Aug 2008 21:53:41 +0100
Subject: [c-nsp] IP SLA and dyn routes
In-Reply-To: <3cf174360808251313g2f42fc8fx48f869d10b1035db@mail.gmail.com>
References: <3cf174360808251313g2f42fc8fx48f869d10b1035db@mail.gmail.com>
Message-ID: <000001c906f4$a857e810$f907b830$@org.uk>

Sounds like you actually want to run a tunnel across each SP and use an IGP through the tunnels to decide which one is up/working etc

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
Sent: 25 August 2008 21:13
To: cisco-nsp
Subject: [c-nsp] IP SLA and dyn routes

Hi all,

I'm having problem with my SP (run MPLS/BGP) where the time to converge networks is so high (>10 minutes) and they say that are working and will be fix in 3 months approx.

I want anything to do convergence faster for me.
I read about IP SLA, but do not find doc related IP SLA x dynamic routes, only IP SLA do track on static routes.
My first connection is with this SP running BGP (MPLS cloud) and second connection is with another SP running OSPF (Frame-relay cloud).
Due to this problem, when remote site is down, on my central point the route of this site still up on BGP table and do not converge to OSPF, only after period >10 minutes.

What another solution can i use?

tks for all,

From peter at rathlev.dk Mon Aug 25 17:32:46 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 25 Aug 2008 23:32:46 +0200
Subject: [c-nsp] route availability
In-Reply-To:
References: <67F7C1FAF83A074AA3520D8F155782A501C25DCD@xmb-ams-331.emea.cisco.com> <1219687170.29751.3.camel@abehat>
Message-ID: <1219699966.670.7.camel@abehat>

On Mon, 2008-08-25 at 16:11 -0500, Dan Letkeman wrote:
> It's a 2621 with (C2600-IO3-M), Version 12.3(26).
>
> Do you have an example config to track a router connected to the 2621?
> I would like to track and remove route's to the four adsl
> modem/router/nat boxes that I have connected to the 2621.

Sorry, I was a little fast there. 12.3 mainline doesn't support the RTR tracker, which you need for static route reachability-testing. We just use the route reachability tracking for HSRP priorities.

It seems you need 12.4 for RTR tracking, and the 2621 can't carry a 12.4 image. The XM models can, but that probably won't help you much.
Regards,
Peter

From ben.steele at internode.on.net Mon Aug 25 20:24:55 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 26 Aug 2008 09:54:55 +0930
Subject: [c-nsp] ACE Regex filtering for url match trouble with %
In-Reply-To: <48B264EB.7040708@cisco.com>
References: <58339.1219635715@internode.on.net> <48B264EB.7040708@cisco.com>
Message-ID: <001701c90712$2a54b510$7efe1f30$@steele@internode.on.net>

Apologies but both my emails yesterday were via a webmail client that kept deleting special characters, including \'s

I did get this to work by \'ing a " " rather than \'ing %

So the string that worked for me was: ".*select\ .*" to achieve filtering of select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if a "?" is in the url before the match it will let the url slip through, however if it is after the match it will still catch it. I.e. www.bla.com/test?=select%20.asp will make it through, www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaaaaaallly poor use of regexp memory when using a prefixed wildcard on your regex ".*", it causes regexp memory to fill up with only 5 regex's and the 6th one will blow the 1MB regexp over the limit and start blocking everything, not ideal behaviour!

Cheers

Ben

-----Original Message-----
From: Lincoln Dale [mailto:ltd at cisco.com]
Sent: Monday, 25 August 2008 5:23 PM
To: ben.steele at internode.on.net
Cc: Christian Koch; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

ben.steele at internode.on.net wrote:
> FWIW I did manage to get this to match by telling it to match an
> ASCII space instead ie .*selectx20.* however this is more of a hack
> for my original request so I will still chase up with TAC.
>
i haven't looked at the ACE source code / firmware, but it may well be that it does a first-pass of converting "%(something)" to a non-encoded value first (in this case, a " "), because otherwise it would be trivial for a hacker to bypass said filter(s).

you could see if regex ".*select\s.*" works too.

cheers,

lincoln.

From rodunn at cisco.com Mon Aug 25 23:11:30 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 25 Aug 2008 23:11:30 -0400
Subject: [c-nsp] IP SLA and dyn routes
In-Reply-To: <000001c906f4$a857e810$f907b830$@org.uk>
References: <3cf174360808251313g2f42fc8fx48f869d10b1035db@mail.gmail.com> <000001c906f4$a857e810$f907b830$@org.uk>
Message-ID: <20080826031130.GK106@rtp-cse-489.cisco.com>

I honestly haven't spent enough time with it yet to know all the details but maybe check PfR (aka: OER) to see if can help you out.

Rodney

On Mon, Aug 25, 2008 at 09:53:41PM +0100, Dean Smith wrote:
> Sounds like you actually want to run a tunnel across each SP and use an IGP
> through the tunnels to decide which one is up/working etc
>
> Dean
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
> Sent: 25 August 2008 21:13
> To: cisco-nsp
> Subject: [c-nsp] IP SLA and dyn routes
>
> Hi all,
>
> I'm having problem with my SP (run MPLS/BGP) where the time to
> converge networks is so high (>10 minutes) and they say that are
> working and will be fix in 3 months approx.
>
> I want anything to do convergence faster for me.
> I read about IP SLA, but do not find doc related IP SLA x dynamic
> routes, only IP SLA do track on static routes.
> My first connection is with this SP running BGP (MPLS cloud) and second
> connection is with another SP running OSPF (Frame-relay cloud).
> Due to this problem, when remote site is down, on my central point the
> route of this site still up on BGP table and do not converge to OSPF,
> only after period >10 minutes.
> What another solution can i use?
>
> tks for all,
>

From nimal at fnbs.net Mon Aug 25 23:18:16 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Tue, 26 Aug 2008 11:18:16 +0800
Subject: [c-nsp] PIX subinterfaces and routing
Message-ID: <48B375F8.90105@fnbs.net>

Hi guys,

I've got an unused PIX 515e lying around here. Just wondering if there is any way to configure ip address on the subinterfaces (like ASA style)? Reason being, is if i can't configure ip address on each subinterfaces, then i will need to get a router to do routing...

Nimal

From pshuleski at gmail.com Mon Aug 25 23:35:41 2008
From: pshuleski at gmail.com (Pete S.)
Date: Mon, 25 Aug 2008 23:35:41 -0400
Subject: [c-nsp] PIX subinterfaces and routing
In-Reply-To: <48B375F8.90105@fnbs.net>
References: <48B375F8.90105@fnbs.net>
Message-ID: <50f158990808252035v21c312fbn4fe63095f9f74499@mail.gmail.com>

You can upgrade the 515e, assuming you have the flash/memory to do so, to the latest 7, and 8 pix trains. The number of vlans/subinterfaces really depends on your license. The restrictions do transmit up through the upgrade process.

--Pete

On Mon, Aug 25, 2008 at 11:18 PM, Nimal David Sirimanne wrote:
> Hi guys,
>
> I've got an unused PIX 515e lying around here. Just wondering if there is
> any way to configure ip address on the subinterfaces (like ASA style)?
> Reason being, is if i can't configure ip address on each subinterfaces, then
> i will need to get a router to do routing...
>
> Nimal
>

From brett at nuance.net.au Mon Aug 25 23:58:08 2008
From: brett at nuance.net.au (Brett Looney)
Date: Tue, 26 Aug 2008 11:58:08 +0800
Subject: [c-nsp] PIX subinterfaces and routing
In-Reply-To: <48B375F8.90105@fnbs.net>
References: <48B375F8.90105@fnbs.net>
Message-ID: <015801c9072f$f38978e0$da9c6aa0$@net.au>

> I've got an unused PIX 515e lying around here. Just wondering if
> there is any way to configure ip address on the subinterfaces
> (like ASA style)?

You can't configure subinterfaces like on the ASA but you can do VLAN trunks which achieves the same thing.

Ref: http://tinyurl.com/5mtnt2

B.

From nic.tjirkalli at za.verizonbusiness.com Tue Aug 26 01:37:07 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Tue, 26 Aug 2008 07:37:07 +0200 (SAST)
Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
In-Reply-To: <001001c906c5$f2e026b0$d8a07410$@com>
References: <001001c906c5$f2e026b0$d8a07410$@com>
Message-ID:

Howdy ho,

> Maybe try to put in an ACL or could use netflow for this as well...
> ip access-list extend check_packets_in
>  permit esp any any
>  permit udp any eq isakmp any eq isakmp
>  permit ip any any
> interface dialer 1
>  ip access-group check_packets_in in
>
> To see if ESP coming in to your spoke router.
good suggestion but now I am even more confused

created acl as follows and applied to dialer 1 in :-

interface Dialer1
 ip access-group check_packets_in in

but there are no matches at all - not even IP

nhrp-spoke-2#show access-lists check_packets_in
Extended IP access list check_packets_in
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any eq isakmp any eq isakmp
    40 permit ip any any

>
> -Luan
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
> Sent: Monday, August 25, 2008 3:40 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
>
> howdy ho all,
>
> thanx to those who sent through suggestions to how to get the IPSEC to work
> - the ideas were :- try mode transport
>                  :- dont use wildcard for the secret
>
> so i changed the hub and spoke as follows :-
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>  mode transport
>
> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>
>
> also same symptoms
> - crypto comes up
> - hub reports IPSEC encaps and decaps
> - spoke sites report 0 decaps for IPSEC and no errors
>
>
> any other ideas?
>
> thanx
>
>>
>>
>> howdy ho all,
>>
>> Was hoping I could use this forum to get some direction on resolving a strange issue I have with a DMVPN setup.
>>
>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I enable IPSEC the tunnels stop passing traffic.
>>
>>
>> The setup :-
>> ============
>>
>> All routers are CISCO 1841 platforms. the IOS image is :-
>> C1841-ADVIPSERVICESK9-M
>> c1841-advipservicesk9-mz.124-21.bin
>>
>>
>> HUB Router
>> ----------
>> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires up an L2TP tunnel to obtain a static IP address.
>>
>> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
>> This IP address is the NHS. All connections to/from the hub use the address of 196.47.0.204.
>>
>> Tunnel interface on the hub router is 10.0.0.1
>>
>>
>> Spoke Router
>> ------------
>> the Spoke router (there are 2 I am just showing one) connects via ADSL (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke routers use Dialer1 as their interface into the NHRP cloud.
>>
>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface ie do not add the command tunnel protection ipsec profile DMVPN on Tunnel0
>>
>> Tunnel interface on the hub router is 10.0.0.3
>> all works perfectly.
>>
>>
>> The Problem
>> ===========
>>
>> When I enable IPSEC encryption on the tunnel interfaces on all routers then things break. I have tried with both 3DES and AES and same issue.
>>
>> All the crypto sessions seem correct - correct SAs come up. The dynamically created crypto-maps seem correct.
>>
>> BUT. on the spoke routers, IPSEC reports that no packets are being de-encapsulated but no errors are reported.
>>
>> nhrp-spoke-2#show crypto ipsec sa
>>
>> interface: Tunnel0
>>  local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>  current_peer 196.47.0.204 port 500
>>  PERMIT, flags={origin_is_acl,}
>>  #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>  #pkts compressed: 0, #pkts decompressed: 0
>>  #pkts not compressed: 0, #pkts compr. failed: 0
>>  #pkts not decompressed: 0, #pkts decompress failed: 0
>>  #send errors 3, #recv errors 0
>>
>>
>> But on the HUB. all is well
>>  protected vrf: (none)
>>  local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>  current_peer 41.195.37.191 port 500
>>  PERMIT, flags={origin_is_acl,}
>>  #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>  #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>  #pkts compressed: 0, #pkts decompressed: 0
>>  #pkts not compressed: 0, #pkts compr. failed: 0
>>  #pkts not decompressed: 0, #pkts decompress failed: 0
>>  #send errors 1, #recv errors 0
>>
>>
>> Any ideas/thoughts would be greatly appreciated.
>>
>> The configuration's and some useful output are below
>>
>>
>>
>> HUB Configuration
>> =================
>>
>> hostname adsl-nhrp-hub
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> logging buffered 4096 debugging
>> !
>> no aaa new-model
>> ip cef
>> !
>> !
>> !
>> !
>> no ip domain lookup
>> ip auth-proxy max-nodata-conns 3
>> ip admission max-nodata-conns 3
>> vpdn enable
>> !
>> l2tp-class l2tpclass1
>>  authentication
>>  password 7 03070E0C2E572B6A1719
>> !
>> !
>> !
>> !
>> !
>> !
>> pseudowire-class pwclass1
>>  encapsulation l2tpv2
>>  protocol l2tpv2 l2tpclass1
>>  ip local interface Dialer1
>> !
>> !
>> !
>> crypto isakmp policy 10
>>  encr aes
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>> !
>> crypto ipsec profile DMVPN
>>  set transform-set 3DES_MD5
>> !
>> !
>> !
>> !
>> interface Loopback0
>>  ip address 172.16.1.1 255.255.255.255
>> !
>> interface Tunnel0
>>  ip address 10.0.0.1 255.255.255.0
>>  no ip redirects
>>  ip mtu 1400
>>  no ip next-hop-self eigrp 1
>>  ip nhrp authentication xxxxxxxxxx
>>  ip nhrp map multicast dynamic
>>  ip nhrp network-id 1
>>  ip nhrp holdtime 60
>>  ip nhrp registration timeout 30
>>  ip tcp adjust-mss 1360
>>  no ip split-horizon eigrp 1
>>  tunnel source Virtual-PPP1
>>  tunnel mode gre multipoint
>>  tunnel key 1
>>  tunnel protection ipsec profile DMVPN
>> !
>> interface Null0
>>  no ip unreachables
>> !
>> interface FastEthernet0/0
>>  no ip address
>>  speed 100
>>  full-duplex
>>  pppoe enable group global
>>  pppoe-client dial-pool-number 1
>> !
>> interface FastEthernet0/1
>>  no ip address
>>  duplex auto
>>  speed auto
>> !
>> interface Virtual-PPP1
>>  ip address negotiated
>>  ip mtu 1452
>>  ip virtual-reassembly
>>  no logging event link-status
>>  no peer neighbor-route
>>  no cdp enable
>>  ppp chap hostname XXXXX
>>  ppp chap password 7 XXXXXX
>>  ppp pap sent-username XXXX password 7 XXXXX
>>  pseudowire 196.30.121.42 10 pw-class pwclass1
>> !
>> interface Dialer1
>>  mtu 1492
>>  ip address negotiated
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  ip tcp adjust-mss 1452
>>  dialer pool 1
>>  dialer-group 1
>>  ppp chap hostname XXX
>>  ppp chap password 7 XXXX
>>  ppp pap sent-username XXXX password 7 XXXX
>> !
>> router eigrp 1
>>  redistribute connected route-map to-eigrp
>>  redistribute static
>>  passive-interface Dialer1
>>  network 10.0.0.0 0.0.0.255
>>  no auto-summary
>> !
>> no ip forward-protocol nd
>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
>> ip route 196.30.121.42 255.255.255.255 Dialer1
>> !
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
>> access-list 1 permit any
>> access-list 2 deny any
>> access-list 3 permit 10.0.0.2
>> access-list 3 permit 10.222.0.1
>> access-list 3 permit 10.222.0.2
>> access-list 3 permit 10.244.0.2
>> no cdp run
>> !
>> route-map to-eigrp deny 10
>>  match ip address prefix-list local
>> !
>> route-map to-eigrp permit 1000
>>
>>
>> adsl-nhrp-hub#show ip nhrp
>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>>   Type: dynamic, Flags: authoritative unique registered used
>>   NBMA address: 41.195.37.174
>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>>   Type: dynamic, Flags: authoritative unique registered used
>>   NBMA address: 41.195.37.191
>>
>> adsl-nhrp-hub#show crypto ipsec sa
>>
>> interface: Tunnel0
>>     Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>>
>>    protected vrf: (none)
>>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>    remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>>    current_peer 41.195.37.174 port 500
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>     #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>     #pkts compressed: 0, #pkts decompressed: 0
>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>     #send errors 0, #recv errors 0
>>
>>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>      current outbound spi: 0xD9D819B1(3654818225)
>>
>>      inbound esp sas:
>>       spi: 0x8AD878CD(2329442509)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4437499/1923)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      inbound ah sas:
>>
>>      inbound pcp sas:
>>
>>      outbound esp sas:
>>       spi: 0xD9D819B1(3654818225)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4437454/1923)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      outbound ah sas:
>>
>>      outbound pcp sas:
>>
>>    protected vrf: (none)
>>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>    current_peer 41.195.37.191 port 500
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>     #pkts compressed: 0, #pkts decompressed: 0
>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>     #send errors 1, #recv errors 0
>>
>>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>      current outbound spi: 0x6E27D1C2(1848103362)
>>
>>      inbound esp sas:
>>       spi: 0xEE9B0E5D(4003139165)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4478781/3289)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      inbound ah sas:
>>
>>      inbound pcp sas:
>>
>>      outbound esp sas:
>>       spi: 0x6E27D1C2(1848103362)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4478771/3289)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      outbound ah sas:
>>
>>      outbound pcp sas:
>>
>> adsl-nhrp-hub#show crypto map
>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>         Profile name: DMVPN
>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>         PFS (Y/N): N
>>         Transform sets={
>>                 3DES_MD5,
>>         }
>>
>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>>         Map is a PROFILE INSTANCE.
>>         Peer = 41.195.37.174
>>         Extended IP access list
>>             access-list  permit gre host 196.47.0.204 host 41.195.37.174
>>         Current peer: 41.195.37.174
>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>         PFS (Y/N): N
>>         Transform sets={
>>                 3DES_MD5,
>>         }
>>
>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>>         Map is a PROFILE INSTANCE.
>>         Peer = 41.195.37.191
>>         Extended IP access list
>>             access-list  permit gre host 196.47.0.204 host 41.195.37.191
>>         Current peer: 41.195.37.191
>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>         PFS (Y/N): N
>>         Transform sets={
>>                 3DES_MD5,
>>         }
>>         Interfaces using crypto map Tunnel0-head-0:
>>                 Tunnel0
>>
>> adsl-nhrp-hub#show crypto engine connections active
>>
>>    ID Interface        IP-Address      State  Algorithm           Encrypt  Decrypt
>>    16 Virtual-PPP1     196.47.0.204    set    HMAC_MD5+AES_CBC          0        0
>>    18 Tunnel0          10.0.0.1        set    HMAC_MD5+AES_CBC          0        0
>>  3003 Tunnel0          196.47.0.204    set    AES+MD5                 169        0
>>  3004 Tunnel0          196.47.0.204    set    AES+MD5                   0        8
>>  3005 Virtual-PPP1     196.47.0.204    set    AES+MD5                 818        0
>>  3006 Virtual-PPP1     196.47.0.204    set    AES+MD5                   0        1
>>
>>
>> Spoke Configuration
>> ===================
>>
>> ip cef
>> !
>> no ip domain lookup
>> ip auth-proxy max-nodata-conns 3
>> ip admission max-nodata-conns 3
>> vpdn enable
>> !
>> l2tp-class l2tpclass1
>>  authentication
>>  password 7 xxxx
>> !
>> !
>> pseudowire-class pwclass1
>>  encapsulation l2tpv2
>>  protocol l2tpv2 l2tpclass1
>>  ip local interface Dialer1
>> !
>> !
>> crypto isakmp policy 10
>>  encr aes
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>> !
>> crypto ipsec profile DMVPN
>>  set transform-set 3DES_MD5
>> !
>> !
>> !
>> !
>> interface Loopback0
>>  ip address 172.16.1.3 255.255.255.255
>> !
>> interface Tunnel0
>>  ip address 10.0.0.3 255.255.255.0
>>  no ip redirects
>>  ip mtu 1400
>>  ip nhrp authentication xxxxxxxxxx
>>  ip nhrp map 10.0.0.1 196.47.0.204
>>  ip nhrp map multicast 196.47.0.204
>>  ip nhrp network-id 1
>>  ip nhrp holdtime 60
>>  ip nhrp nhs 10.0.0.1
>>  ip nhrp registration timeout 30
>>  ip tcp adjust-mss 1360
>>  tunnel source Dialer1
>>  tunnel mode gre multipoint
>>  tunnel key 1
>>  tunnel protection ipsec profile DMVPN
>> !
>> interface FastEthernet0/0
>>  ip address dhcp
>>  speed 100
>>  full-duplex
>>  pppoe enable group global
>>  pppoe-client dial-pool-number 1
>> !
>> interface FastEthernet0/1
>>  ip address 10.222.0.1 255.255.255.0
>>  speed 100
>>  full-duplex
>> !
>> !
>> interface Dialer1
>>  mtu 1492
>>  ip address negotiated
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  ip tcp adjust-mss 1452
>>  dialer pool 1
>>  ppp chap hostname XXXX
>>  ppp chap password 0 XXXX
>>  ppp pap sent-username XXXX password 0 XXXXX
>> !
>> router eigrp 1
>>  redistribute connected route-map to-eigrp
>>  redistribute static
>>  passive-interface FastEthernet0/1
>>  passive-interface Dialer1
>>  network 10.0.0.0 0.0.0.255
>>  no auto-summary
>>  eigrp stub connected
>> !
>> ip forward-protocol nd
>> ip route 0.0.0.0 0.0.0.0 Dialer1
>> !
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>> access-list 1 permit any
>> access-list 2 deny any
>> access-list 3 permit 10.222.0.1
>> access-list 3 permit 10.222.0.2
>> access-list 3 permit 10.244.0.2
>> access-list 3 permit 10.244.0.1
>> !
>> route-map clear-df permit 10
>>  set ip df 0
>> !
>> route-map to-eigrp deny 10
>>  match ip address prefix-list local
>> !
>> route-map to-eigrp permit 1000
>>
>>
>> Some Debugs
>> ===========
>>
>> nhrp-spoke-2#show ip nhrp
>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>>   Type: static, Flags: authoritative used
>>   NBMA address: 196.47.0.204
>>
>>
>> nhrp-spoke-2#show crypto ipsec sa
>>
>> interface: Tunnel0
>>     Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>>
>>    protected vrf: (none)
>>    local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>    current_peer 196.47.0.204 port 500
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>     #pkts compressed: 0, #pkts decompressed: 0
>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>     #send errors 3, #recv errors 0
>>
>>      local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>>      path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>>      current outbound spi: 0xEE9B0E5D(4003139165)
>>
>>      inbound esp sas:
>>       spi: 0x6E27D1C2(1848103362)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4530791/3584)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      inbound ah sas:
>>
>>      inbound pcp sas:
>>
>>      outbound esp sas:
>>       spi: 0xEE9B0E5D(4003139165)
>>         transform: esp-aes esp-md5-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>         sa timing: remaining key lifetime (k/sec): (4530789/3584)
>>         IV size: 16 bytes
>>         replay detection support: Y
>>         Status: ACTIVE
>>
>>      outbound ah sas:
>>
>>      outbound pcp sas:
>>
>> nhrp-spoke-2#show crypto engine connections active
>>
>> ID   Interface  IP-Address      State  Algorithm         Encrypt  Decrypt
>> 13   Dialer1    41.195.37.191   set    HMAC_MD5+AES_CBC        0        0
>> 14   Dialer1    41.195.37.191   set    HMAC_MD5+AES_CBC        0        0
>> 3003 Dialer1    41.195.37.191   set    AES+MD5                15        0
>> 3004 Dialer1    41.195.37.191   set    AES+MD5                 0        0
>>
>> nhrp-spoke-2#show crypto map
>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>         Profile name: DMVPN
>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>         PFS (Y/N): N
>>         Transform sets={
>>                 3DES_MD5,
>>         }
>>
>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>>         Map is a PROFILE INSTANCE.
>>         Peer = 196.47.0.204
>>         Extended IP access list
>>             access-list permit gre host 41.195.37.191 host 196.47.0.204
>>         Current peer: 196.47.0.204
>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>         PFS (Y/N): N
>>         Transform sets={
>>                 3DES_MD5,
>>         }
>>         Interfaces using crypto map Tunnel0-head-0:
>>                 Tunnel0
>>
>>
>> ---------------------------------------------------------------------
>> A feature is a bug with seniority.
>>
>> Nic Tjirkalli
>> Verizon Business South Africa
>> Network Strategy Team
>>
>
>
> ---------------------------------------------------------------------
> Some days you're the pigeon, and some days you're the statue.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

---------------------------------------------------------------------
A feature is a bug with seniority.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team


From ben.steele at internode.on.net  Tue Aug 26 02:22:10 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 26 Aug 2008 15:52:10 +0930
Subject: [c-nsp] R&S CCIE Lab wait times - Sydney
Message-ID: <000701c90744$137a9120$3a6fb360$@steele@internode.on.net>

Does anyone have any idea on the current wait times for the Lab? I'm about to sit the written in a couple of weeks and someone mentioned to me the current wait is around a year and a half??

Is there a specific wait for each stream or is that in general? Only interested in Sydney Lab dates. A year and a half seems pretty steep; I'm hoping it's not right, although I have heard of time frames like that for the Security Lab in Europe.

Cheers

Ben


From aftab.siddiqui at gmail.com  Tue Aug 26 04:28:49 2008
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Tue, 26 Aug 2008 14:28:49 +0600
Subject: [c-nsp] CoPP Service Policy
Message-ID: <3c605ce10808260128y136691b0q610f749ab601887c@mail.gmail.com>

Dear All,

I would like to know the difference in performance and implementation if I put the service-policy within the specified interface (e.g. gix/x) or within the control-plane globally.
*First Option:*

Router(config)# *control-plane*
Router(config-cp)# *service-policy input* *service-policy-name*
Router(config-cp)# *service-policy output* *service-policy-name*

*Second Option:*

interface GigabitEthernetxx/yy
 service-policy input *service-policy-name*
 service-policy output *service-policy-name*

Note: Platform catalyst6500, 122-33.SXH2a

--
Regards,

Aftab A. Siddiqui


From perc69 at gmail.com  Tue Aug 26 04:46:45 2008
From: perc69 at gmail.com (Per Carlson)
Date: Tue, 26 Aug 2008 10:46:45 +0200
Subject: [c-nsp] Improved queuing in 12.4(20)T?
Message-ID: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com>

Hi.

I'm doing some QoS-testing and notice a remarkable change in the latencies on a priority queue (as well as some improvement on other queues) in 12.4(20)T compared with 12.4M (19, 19b and 21) and 12.4(15)T7. The scenario is H-QoS with a parent doing "shape average" and a child with 4 queues:

class-map match-any Voice
 match dscp cs5 ef
!
class-map match-any Business
 match dscp cs3 af31
!
class-map match-any Network
 match dscp cs6 cs7
!
policy-map Child
 class Voice
  priority percent 33
 class Business
  bandwidth percent 40
 class Network
  bandwidth percent 2
!
policy-map Parent
 class class-default
  shape average 8000000
  service-policy Child
!
interface FastEthernet X
 service-policy output Parent
!
end

When pushing traffic through the policy (Voice and Business within contract and enough "class-default" traffic to trigger back-pressure) I get the following latencies:

                    Voice     Business   class-default
12.4M/12.4(15)T:    13 ms     14 ms      126 ms
12.4(20)T:           0.4 ms    8.5 ms    138 ms

There is no drop in either the Voice or Business queues, and about 21% in the class-default queue. I have tried the same test on both an 871 (the WAN port) and an 1841 with similar results.

This makes me think there has been some major improvement in 12.4(20)T, but I can't verify this in the RN for 12.4(20)T.
There *is* a new H-QoS feature in 12.4(20)T called HQF (http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html), but I can't see that it's directly relevant.

Does anyone have some knowledge or insight to enlighten me here?

--
Pelle


From tomas at soitron.com  Tue Aug 26 04:53:29 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Tue, 26 Aug 2008 10:53:29 +0200
Subject: [c-nsp] ES20 crashing on bad DWDM
Message-ID: <6B43981C32F8464CB24CEE209DA32BD30175B050@kenya.tronet.as>

Hi,

has anybody experienced ES20 2x10G cards crashing when DWDM link quality degrades? Usually when the error rate increases so that IGP and PIM start flapping, the card stops responding to CPU heartbeats and is rebooted.

We have seen this at two customers now, TAC is failing to reproduce... I'd like to collect as many similar scenarios as possible to help them recreate the issue.

Thanks for any hints

--
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

My hovercraft is full of eels.


From oboehmer at cisco.com  Tue Aug 26 04:53:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 26 Aug 2008 10:53:25 +0200
Subject: [c-nsp] CoPP Service Policy
In-Reply-To: <3c605ce10808260128y136691b0q610f749ab601887c@mail.gmail.com>
References: <3c605ce10808260128y136691b0q610f749ab601887c@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B0E@xmb-ams-333.emea.cisco.com>

Aftab Siddiqui <> wrote on Tuesday, August 26, 2008 10:29 AM:

> Dear All,
>
>
> I would like to know the difference in performance and implementation
> if I put the service-policy within the specified interface (e.g.
> gix/x) or with in the control-plane in globally.
> *First Option:*
>
> Router(config)# *control-plane *
>
> Router(config-cp)# *service-policy input* *service-policy-name *
> Router(config-cp)# *service-policy output* *service-policy-name *

there is no outbound control-plane policing.
> *Second Option:*
>
> interface GigabitEthernetxx/yy
> service-policy input *service-policy-name *
> service-policy output *service-policy-name *
>

What are you trying to achieve? CoPP policy (first config) is processed only for traffic terminating on the router, while the interface QoS policy is applied to all traffic entering (or leaving) the respective interface. So the semantic is quite different. CoPP ensures that the aggregate traffic (from all interfaces) does not exceed a certain rate, while the interface QoS policy is only looking at the rate of this specific interface (assuming you want to use the policy to rate-limit/police certain traffic to the box). Another advantage of CoPP is the easy "filtering" as it is only applied to traffic terminating on the router, so you usually don't need to match on any possible destination address in an ACL/class-map.

Both policies are executed in hardware (there is an addtl. software CoPP), no performance impact.

You might want to look at http://tinyurl.com/5hew55 for more info about CoPP..

	oli


From oboehmer at cisco.com  Tue Aug 26 05:06:43 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 26 Aug 2008 11:06:43 +0200
Subject: [c-nsp] Improved queuing in 12.4(20)T?
In-Reply-To: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com>
References: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com>

Per Carlson <> wrote on Tuesday, August 26, 2008 10:47 AM:

> Hi.
>
> I'm doing some QoS-testings and notice a remarkable change in the
> latencies on a priority queue (as well as some improvement on other
> queues) in 12.4(20)T compared with 12.4M (19, 19b and 21) and
> 12.4(15)T7. The scenario is H-QoS with a parent doing "shape average"
> and a child with 4 queues:

[...]
>
> There *is* a new H-QoS feature in 12.4(20)T called HQF
> (http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html),
> but I can't see that it's directly relevant.

HQF is a totally different QoS infrastructure (previously available on the 7500/7200 in 12.0S as well as some other trains), so I would assume this being the reason for the improved behavior.

I haven't looked at HQF for a while, but I recall the H-QoS scenario you're using benefits especially from HQF as the parent shaper is aware of the LLQ within the child, but not entirely sure about this. It would explain the improved behaviour, though.

	oli


From zivl at gilat.net  Tue Aug 26 05:33:09 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 26 Aug 2008 12:33:09 +0300
Subject: [c-nsp] Web Caches
In-Reply-To:
References:
Message-ID:

I second Alan's suggestion. I've seen this product in a POC we did and it works great.
I've also seen some graphs of one of their biggest customers and the saved bandwidth rates were impressive.
My bests to Aviad, the man!

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alan Arolovitch
Sent: Monday, August 25, 2008 9:11 PM
To: Lala Lander; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Web Caches

Hi,

I suggest you take a look at our clustered UltraBand cache, http://www.peerapp.com/

UltraBand cache is a combined HTTP/P2P cache for service providers, supporting progressive download Flash video (e.g. YouTube) and software downloads over HTTP, among other things, as well as URL filtering

Cheers,
Alan

------------------------------

Message: 5
Date: Sat, 23 Aug 2008 01:42:44 -0700
From: "Lala Lander"
Subject: [c-nsp] Web Caches
To: "cisco-nsp at puck.nether.net"
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

Hi guys,

I am looking for information on Web Caches.
I need to find out what vendors are out there and what is your deployment and operational experience.

My objective is to reduce Internet bandwidth usage and some URL filtering.

I am currently evaluating BlueCoat and Secure Computing but I need your opinion before I test them any further.

thanks.

------------------------------

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************


From tim at pelican.org  Tue Aug 26 05:35:17 2008
From: tim at pelican.org (Tim Franklin)
Date: Tue, 26 Aug 2008 10:35:17 +0100 (BST)
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>
Message-ID:

On Thu, August 21, 2008 12:59 am, Brandon Price wrote:

> Other than just saying "its bad" can you give some specifics as to the
> problems you've run into using private addresses for PE-CE links? As
> long as the SP hands out unique addresses across all of the links, what
> does it matter whether they are "private" or "public" ?

Customers using *all* of RFC1918 space (or at least claiming they do). e.g.
if you have WAN links as /30s out of 10.11.12.0/24, and the customer has that range on a LAN somewhere, each site will be unable to reach the particular hosts on its WAN /30. (At least - if you're redistributing WAN routes into BGP / MBGP, the lack of visibility gets worse).

You end up wasting a lot of time negotiating with customers to try and find an acceptable range, hacking exceptions into your network and processes to get around the fact you're having to allocate WANs from something other than your normal block - assuming you can get that far at all. I've dealt with the occasional customer loudly and fairly aggressively insisting that RFC1918 space is entirely theirs, we may not use any of it, fix our service now, incoming lawyers, etc.

If you then end up with public WAN addresses as an exception only, you give yourself more pain in trying to document sufficiently that your support guys six months down the line don't assume that "it must be an Internet service, it's public addresses" and do something unpleasant to it, like remove the VRF.

Regards,
Tim.


From cisco-nsp at tracker.fire-world.de  Tue Aug 26 06:27:45 2008
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Tue, 26 Aug 2008 12:27:45 +0200
Subject: [c-nsp] WS-X4506-GB-T Ports not connected
Message-ID: <20080826102745.GA2082@danton.fire-world.de>

Hello,

I'm having a little problem here with a new Cisco 4510R-E.
It's running the following configuration:

Mod Ports Card Type                              Model
---+-----+--------------------------------------+-------------
 5     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)     WS-X45-SUP6-E
 9    18  1000BaseX (GBIC)                       WS-X4418-GB
10     6  SFP, 10/100/1000BaseT (RJ45)V, Cisco/I WS-X4506-GB-T

 M MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
 5 0021.d808.6a00 to 0021.d808.6a05 1.1 12.2(44r)SG  12.2(40)SG       Ok
 9 000c.3000.280a to 000c.3000.281b 1.1                               Ok
10 001e.7ad0.f90c to 001e.7ad0.f911 1.4                               Ok

Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+----------------------------------
 5   Active Supervisor   RPR                 Active

I'm trying to activate the ports on the WS-X4506-GB-T, but I'm unable to get any connection. I connected the first two ports on the card to create a loopback and still the ports are shown as "not connected". I use RJ45 and have set the media-type of the ports to rj45 which is also stated in the log:

00:00:05: %C4K_REDUNDANCY-6-INIT: Initializing as ACTIVE supervisor
00:00:05: 512 MB of system memory installed. Do 'show platform hardware sdram spd' for details.
00:00:37: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:38: %SYS-5-CONFIG_I: Configured from memory by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(40)SG, RELEASE SOFTWAR)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 07-Nov-07 19:52 by prod_rel_team
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 5 (WS-X45-SUP6-E S/N: JAE1222JOZS Hw: 1.1) is online
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 9 (WS-X4418-GB S/N: JAE07340WR1 Hw: 1.1) is online
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 10 (WS-X4506-GB-T S/N: JAE1218GSWU Hw: 1.4) is online
00:21:07: %C4K_IOSINTF-5-RJ45ACTIVE: Slot= 10 Port= 1: RJ45 connector has become active
00:45:41: %C4K_IOSINTF-5-RJ45ACTIVE: Slot= 10 Port= 2: RJ45 connector has become active

Here is the port configuration:

interface GigabitEthernet10/1
 no switchport
 ip address dhcp
 no keepalive
 media-type rj45
!
interface GigabitEthernet10/2
 no switchport
 ip address dhcp
 no keepalive
 media-type rj45
!

Is there anything I'm missing? I already changed the cabling so that's not the problem. Any ideas/suggestions welcome.

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
                -- Terry Pratchett, The Fifth Elephant


From perc69 at gmail.com  Tue Aug 26 07:16:16 2008
From: perc69 at gmail.com (Per Carlson)
Date: Tue, 26 Aug 2008 13:16:16 +0200
Subject: [c-nsp] Improved queuing in 12.4(20)T?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com>
References: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com>
Message-ID: <746ca6da0808260416j2b7edebdn164e8b445a6cc78f@mail.gmail.com>

Hi Oli.

> I haven't looked at HQF for a while, but I recall the H-QoS scenario
> you're using benefits especially from HQF as the parent shaper is aware
> of the LLQ within the child, but not entirely sure about this. It would
> explain the improved behaviour, though.

I have always had the impression that the parent shaper *is* aware of the child policy. Otherwise the whole H-QoS scheme is rather useless, at least with respect to LLQ/PQ.
So far I haven't found any references on CCO confirming either possibility (aware/unaware). The closest match is a configuration example[1] with a priority queue in the child, but it says nothing about awareness in the parent. And there is this note about subinterfaces/PVCs...

[1] http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_mqc_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1060235

--
Pelle


From cisco-nsp at tracker.fire-world.de  Tue Aug 26 07:16:25 2008
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Tue, 26 Aug 2008 13:16:25 +0200
Subject: [c-nsp] WS-X4506-GB-T Ports not connected
In-Reply-To: <20080826102745.GA2082@danton.fire-world.de>
References: <20080826102745.GA2082@danton.fire-world.de>
Message-ID: <20080826111625.GA2802@danton.fire-world.de>

* Sebastian Wiesinger [2008-08-26 12:30]:
> Hello,
>
> I'm having a little problem here with a new Cisco 4510R-E. It's
> running the following configuration:

Problem solved. Someone hinted that I should not assume that the linecard does have auto MDI/X detection. Which apparently it hasn't. So connecting a crossover cable solved the problem.

I was under the impression that auto MDI/X was a feature present on all linecards but it seems I was wrong. Or is there a way to turn this on on a port? I looked over the commands for the port but didn't see anything obvious..

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
                -- Terry Pratchett, The Fifth Elephant


From blahu77 at gmail.com  Tue Aug 26 07:16:53 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 26 Aug 2008 12:16:53 +0100
Subject: [c-nsp] WS-X4506-GB-T Ports not connected
In-Reply-To: <20080826102745.GA2082@danton.fire-world.de>
References: <20080826102745.GA2082@danton.fire-world.de>
Message-ID: <383357750808260416l536fac9fp3441416e3f6aa5ac@mail.gmail.com>

Sebastian,

> interface GigabitEthernet10/1
>  no switchport
>  ip address dhcp
>  no keepalive
>  media-type rj45
> !
> interface GigabitEthernet10/2
>  no switchport
>  ip address dhcp
>  no keepalive
>  media-type rj45
> !
>
> Is there anything I'm missing? I already changed the cabling so that's
> not the problem. Any ideas/suggestions welcome.

I doubt it is what you are looking for, but no shutdown?

--
-mat


From nic.tjirkalli at za.verizonbusiness.com  Tue Aug 26 07:30:20 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Tue, 26 Aug 2008 13:30:20 +0200 (SAST)
Subject: [c-nsp] WS-X4506-GB-T Ports not connected
In-Reply-To: <20080826111625.GA2802@danton.fire-world.de>
References: <20080826102745.GA2082@danton.fire-world.de> <20080826111625.GA2802@danton.fire-world.de>
Message-ID:

howdy ho,

> * Sebastian Wiesinger [2008-08-26 12:30]:
>> Hello,
>>
>> I'm having a little problem here with a new Cisco 4510R-E. It's
>> running the following configuration:
>
> Problem solved. Someone hinted that I should not assume that the
> linecard does have auto MDI/X detection. Which apparently it hasn't.
> So connecting a crossover cable solved the problem.
>
> I was under the impression that auto MDI/X was a feature present on
> all linecards but it seems I was wrong.
> Or is there a way to turn this
> on on a port? I looked over the commands for the port but didn't see
> anything obvious..

in my experience not all line cards support the auto MDI/X feature, but for those that do, add the command :-

mdix auto

on the interface

hope this helps

later

>
> Regards,
>
> Sebastian
>
> --
> GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>                 -- Terry Pratchett, The Fifth Elephant
>

---------------------------------------------------------------------
I'm not cheap, but I am on special this week.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team


From oboehmer at cisco.com  Tue Aug 26 07:32:23 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 26 Aug 2008 13:32:23 +0200
Subject: [c-nsp] Improved queuing in 12.4(20)T?
In-Reply-To: <746ca6da0808260416j2b7edebdn164e8b445a6cc78f@mail.gmail.com>
References: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com> <746ca6da0808260416j2b7edebdn164e8b445a6cc78f@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1BD5@xmb-ams-333.emea.cisco.com>

Per Carlson wrote on Tuesday, August 26, 2008 1:16 PM:

> Hi Oli.
>
>> I haven't looked at HQF for a while, but I recall the H-QoS scenario
>> you're using benefits especially from HQF as the parent shaper is
>> aware of the LLQ within the child, but not entirely sure about this.
>> It would explain the improved behaviour, though.
>
> I have always had the impression that the parent shaper *is* aware of
> the child policy. Otherwise the whole H-QoS scheme is rather useless,
> at least with respect to LLQ/PQ.

Hmm, I think I would need to do some digging here, but I was thinking about a different kind of "awareness" here. Obviously the shaper in the parent is aware of a child, so when the shaper has to queue a packet (i.e. signals congestion), it'll use the child policy (which, as you write, is the whole point of H-QoS).

Maybe Rodney can comment more, but I would still assume HQF being the reason for the different behavior in your environment.

	oli


From paul.cosgrove at heanet.ie  Tue Aug 26 08:33:07 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 26 Aug 2008 13:33:07 +0100
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To: <6e9dc1350808251226o3588464fp4a665fa5e6c34e6d@mail.gmail.com>
References: <48B2BC16.5080304@hu.digi.tv> <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com> <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com> <48B2FEF4.4090606@heanet.ie> <6e9dc1350808251226o3588464fp4a665fa5e6c34e6d@mail.gmail.com>
Message-ID: <48B3F803.7080405@heanet.ie>

Hi Michel,

Apologies for confusing the issue. You are of course correct about VTP, which does use vlan 1.

UDLD is not sent with a dot1q tag, but is associated with vlan 1 on ISL trunks. Changing the (dot1q) native vlan on the trunk has no effect on how UDLD is sent over ISL, it is still sent on vlan 1.

Paul.

Michel Grossenbacher wrote:
> Paul, indeed DTP is sent over the native VLAN, but VTP is pretty sure still
> over VLAN 1. I did a trace and mixed VTP with DTP, hence I said its using
> the native VLAN.
> But after I did some more traces the VTP packets did not
> show any VLAN information "anymore" (actually they never did, I only hit the
> wrong line within wireshark ;) ).
> So I'm quite sure VTP and CDP are not sent via the native VLAN, after I
> changed it from VLAN 1 to VLAN 10. Probably have to have a look with ISL
> too.
>
> Mike, I think I know what you mean, per definition (AFAIK) all VLANs get
> encapsulated by ISL, while with dot1Q all but the native one get a Tag. But
> within an ISL trunk Cisco defines a native VLAN (default is VLAN 1, same as
> dot1Q) and you can configure it the same way as for a dot1Q one so I'd say
> UDLD will use that one. I guess it will still be encapsulated but I did
> never check that.
> Do a *show interface trunk* if you configured an ISL trunk and you'll see it
> at the top.
>
> Michel
>
> 2008/8/25 Paul Cosgrove
>
>> Hi Michel,
>>
>> You may have been right the first time there. I think VTP does indeed
>> use the native vlan, not necessarily vlan 1. DTP is also sent on the
>> native vlan, untagged and tagged in its case.
>>
>> Paul.
>>
>> Michel Grossenbacher wrote:
>>> A little correction on my answer, VTP does not use the Native VLAN :-)
>>>
>>> Here is what I found regarding the use of VTP and VLAN1:
>>> The Case of VLAN 1
>>>
>>> You cannot apply VTP pruning to VLANs that need to exist everywhere and that
>>> need to be allowed on all switches in the campus, in order to be able to
>>> carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control
>>> traffic. However, there is a way to limit the extent of VLAN 1. The feature
>>> is called VLAN 1 disable on trunk. The feature is available on Catalyst
>>> 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software
>>> release 5.4(x) and later. The feature allows you to prune VLAN 1 from a
>>> trunk, as you do for any other VLAN.
>>> This pruning does not include all the
>>> control protocol traffic that is still allowed on the trunk (DTP, PAgP, CDP,
>>> VTP, and others). However, the pruning does block all user traffic on that
>>> trunk. With this feature, you can keep the VLAN from spanning the entire
>>> campus. STP loops are limited in extent, even in VLAN 1. Configure VLAN 1 to
>>> be disabled, as you would configure other VLANs to be cleared from the
>>> trunk:
>>>
>>> UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk port,
>>> the native VLAN must not be pruned in order for UDLD to work properly.
>>>
>>> http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml
>>>
>>> Sorry for the confusion.
>>>
>>> best regards
>>>
>>> Michel
>>>
>>>
>>> On 25/08/2008, Michel Grossenbacher wrote:
>>>> Hi Mike
>>>> Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from a
>>>> trunk. However you can remove it from the trunk.
>>>> If you remove it from the trunk and change the native VLAN for the trunk,
>>>> VTP will then use the new native VLAN for updates.
>>>> best regards
>>>>
>>>> Michel
>>>>
>>>>
>>>> On 25/08/2008, Mike Louis wrote:
>>>>> List,
>>>>>
>>>>> I just read in a practice test for an upcoming cert that Vlan 1 is used to
>>>>> carry VTP advertisements. However, it is possible to prune vlan 1 from trunk
>>>>> links. Will VTP continue to function without Vlan 1 being enabled on the
>>>>> link? Has this changed in more recent IOS releases?
>>>>>
>>>>> Note: This message and any attachments is intended solely for the use of
>>>>> the individual or entity to which it is addressed and may contain
>>>>> information that is non-public, proprietary, legally privileged,
>>>>> confidential, and/or exempt from disclosure. If you are not the intended
>>>>> recipient, you are hereby notified that any use, dissemination,
>>>>> distribution, or copying of this communication is strictly prohibited.
>>>>> If you have received this communication in error, please notify the original
>>>>> sender immediately by telephone or return email and destroy or delete this
>>>>> message along with any attachments immediately.
>>>>>
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.


From tbeecher at localnet.com  Tue Aug 26 08:36:04 2008
From: tbeecher at localnet.com (Thomas Beecher)
Date: Tue, 26 Aug 2008 08:36:04 -0400
Subject: [c-nsp] IOS VPN Client Group Issue
In-Reply-To: <05e401c906d9$09511b30$31dd5ea0@ad.umn.edu>
References: <48B2DFB0.3080906@localnet.com> <05e401c906d9$09511b30$31dd5ea0@ad.umn.edu>
Message-ID: <48B3F8B4.9020608@localnet.com>

You're spot on. I came across that yesterday afternoon, it does require the 12.2T train. Guess I should learn to read a little better. :)

Thanks to those that responded, much appreciated

Tom.

Ge Moua wrote:
> I'm doing a similar config with IOS:
> 12.4(15)T6
>
> I wonder if you need the "T" code train for this:
>
> Router(config)#crypto isakmp client configuration ?
>   address-pool   Set network address for client
>   browser-proxy  Set browser proxy attributes for client
>   group          Set group profile attributes for client
>
> Router(config)#crypto isakmp client configuration
>
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
> 2218 University Ave SE | Minneapolis, MN 55414-3029
> Office: 612.626.2779 | Pager: 612.648.0103 | Fax: 612.626.1818
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thomas Beecher
> Sent: Monday, August 25, 2008 11:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS VPN Client Group Issue
>
> I've come across something odd. I think that this is just a simple oversight on my part, hopefully another set of eyes will catch this for me.
>
> I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN tunnels. Right now, I have three point to point tunnels up, and working without issue. This morning, I started adding the config for VPN client access, and that's where I'm getting hung up.
>
> Under the crypto isakmp client configuration command, I should have a 'group' option to setup the VPN group parameters. However, I do not. The only option I have is 'address-pool'. As far as I can tell, this image should support that command.
>
> I'm fairly certain that I have the correct aaa commands in place to enable group authorization, however there are some pre-existing AAA commands on this router that could be hanging me up.
>
> Here's the aaa config:
>
> aaa new-model
> aaa authentication login default group tacacs+ line enable
> aaa authentication login rev_tel line enable
> aaa authentication login userauthen local
> aaa authorization network groupauthen local
>
> Am I missing something painfully obvious here?
>
> Thanks in advance,
>
> Tom
>


From pashtuk at gmail.com Tue Aug 26 08:56:49 2008
From: pashtuk at gmail.com (Michel Grossenbacher)
Date: Tue, 26 Aug 2008 14:56:49 +0200
Subject: [c-nsp] VTP and Vlan 1
In-Reply-To: <48B3F803.7080405@heanet.ie>
References: <48B2BC16.5080304@hu.digi.tv> <6e9dc1350808250803p47b19112g90ff6a1009069d66@mail.gmail.com> <6e9dc1350808250906t7d5bfe93ma5e4c0ec5572cf39@mail.gmail.com> <48B2FEF4.4090606@heanet.ie> <6e9dc1350808251226o3588464fp4a665fa5e6c34e6d@mail.gmail.com> <48B3F803.7080405@heanet.ie>
Message-ID: <6e9dc1350808260556i44488ecobb7bd7623afa9d5@mail.gmail.com>

Hi Paul

Don't worry, I did the same at the beginning :-)

So UDLD on dot1Q uses the native VLAN while with ISL it stays within VLAN 1 no matter if we changed the native vlan or not? This means that with ISL trunks UDLD behaves similar to CDP/VTP?

Thanks

best regards

Michel

On 26/08/2008, Paul Cosgrove wrote:
>
> Hi Michel,
>
> Apologies for confusing the issue. You are of course correct about VTP, which does use vlan 1.
>
> UDLD is not sent with a dot1q tag, but is associated with vlan 1 on ISL trunks. Changing the (dot1q) native vlan on the trunk has no effect on how UDLD is sent over ISL, it is still sent on vlan 1.
>
> Paul.
>
> Michel Grossenbacher wrote:
>> Paul, indeed DTP is sent over the native VLAN, but VTP is pretty sure still over VLAN 1. I did a trace and mixed VTP with DTP, hence I said it's using the native VLAN. But after I did some more traces the VTP packets did not show any VLAN information "anymore" (actually they never did, I only hit the wrong line within wireshark ;) ).
>> So I'm quite sure VTP and CDP are not sent via the native VLAN, after I changed it from VLAN 1 to VLAN 10.
>> Probably have to have a look with ISL too.
>>
>> Mike, I think I know what you mean, per definition (AFAIK) all VLANs get encapsulated by ISL, while with dot1Q all but the native one get a Tag. But within an ISL trunk Cisco defines a native VLAN (default is VLAN 1, same as dot1Q) and you can configure it the same way as for a dot1Q one so I'd say UDLD will use that one. I guess it will still be encapsulated but I never checked that.
>> Do a *show interface trunk* if you configured an ISL trunk and you'll see it at the top.
>>
>> Michel
>>
>> 2008/8/25 Paul Cosgrove
>>
>>> Hi Michel,
>>>
>>> You may have been right the first time there. I think VTP does indeed use the native vlan, not necessarily vlan 1. DTP is also sent on the native vlan, untagged and tagged in its case.
>>>
>>> Paul.
>>>
>>> Michel Grossenbacher wrote:
>>>> A little correction on my answer, VTP does not use the Native VLAN :-)
>>>>
>>>> Here is what I found regarding the use of VTP and VLAN1:
>>>> The Case of VLAN 1
>>>>
>>>> You cannot apply VTP pruning to VLANs that need to exist everywhere and that need to be allowed on all switches in the campus, in order to be able to carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control traffic. However, there is a way to limit the extent of VLAN 1. The feature is called VLAN 1 disable on trunk. The feature is available on Catalyst 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software release 5.4(x) and later. The feature allows you to prune VLAN 1 from a trunk, as you do for any other VLAN. This pruning does not include all the control protocol traffic that is still allowed on the trunk (DTP, PAgP, CDP, VTP, and others). However, the pruning does block all user traffic on that trunk. With this feature, you can keep the VLAN from spanning the entire campus.
>>>> STP loops are limited in extent, even in VLAN 1. Configure VLAN 1 to be disabled, as you would configure other VLANs to be cleared from the trunk:
>>>>
>>>> UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk port, the native VLAN must not be pruned in order for UDLD to work properly.
>>>>
>>>> http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml
>>>>
>>>> Sorry for the confusion.
>>>>
>>>> best regards
>>>>
>>>> Michel
>>>>
>>>> On 25/08/2008, Michel Grossenbacher wrote:
>>>>> Hi Mike
>>>>> Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from a trunk. However you can remove it from the trunk.
>>>>> If you remove it from the trunk and change the native VLAN for the trunk, VTP will then use the new native VLAN for updates.
>>>>> best regards
>>>>>
>>>>> Michel
>>>>>
>>>>> On 25/08/2008, Mike Louis wrote:
>>>>>> List,
>>>>>>
>>>>>> I just read in a practice test for an upcoming cert that Vlan 1 is used to carry VTP advertisements. However, it is possible to prune vlan 1 from trunk links. Will VTP continue to function without Vlan 1 being enabled on the link? Has this changed in more recent IOS releases?
>>>>>>
>>>
>>
>


From md at Linux.IT Tue Aug 26 08:48:55 2008
From: md at Linux.IT (Marco d'Itri)
Date: Tue, 26 Aug 2008 14:48:55 +0200
Subject: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
Message-ID: <20080826124855.GA3673@bongo.bofh.it>

When I plug in the PA I get this:

SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in I/O Bay. The I/O Controller network interfaces will be unavailable.

A normal Fast Ethernet PA works fine.
cisco.com says that the PA is supported even by non-enhanced FlexWANs.
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)

--
ciao,
Marco


From david.freedman at uk.clara.net Tue Aug 26 09:49:36 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 26 Aug 2008 14:49:36 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?
Message-ID:

Have a scenario whereby I've an LLQ policy applied to a CE router doing MLPPPoE with following configuration:

!
class-map match-any REALTIME
 match ip dscp ef
class-map match-any CRITICAL-DATA
 match ip dscp cs6
!
policy-map LLQ
 class REALTIME
  priority percent 35
 class CRITICAL-DATA
  bandwidth percent 40
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect dscp-based
!
interface ATM0/0/0.132 point-to-point
 pvc 1/32
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
!
interface ATM0/1/0.132 point-to-point
 pvc 1/32
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
!
interface Dialer0
 bandwidth 4608
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password yy
 ppp ipcp route default
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 max-reserved-bandwidth 100
 service-policy output LLQ
end

So, the LLQ policy is only required to be applied to the VC and not the dialer, since I'm only queuing, but it is applied to both here.
The ATM interface did indeed move to WFQ:

#show queueing int atm0/0/0.132
Interface ATM0/0/0.132 VC 1/32
  Queueing strategy: weighted fair
  Output queue: 0/512/64/0 (size/max total/threshold/drops)
     Conversations  0/6/128 (active/max active/max total)
     Reserved Conversations 1/1 (allocated/max allocated)
     Available Bandwidth 1 kilobits/sec

But, the output of "show policy-map int a0/0/0.132" does not show anything being pushed into the PQ at all

#show policy-map int a0/0/0.132 | in Class-map|matched|default
    Class-map: REALTIME (match-any)
      (pkts matched/bytes matched) 0/0
    Class-map: CRITICAL-DATA (match-any)
      (pkts matched/bytes matched) 0/0
        default      0/0          0/0          0/0       20   40  1/10
    Class-map: class-default (match-any)
        default      268/19832    0/0          0/0       20   40  1/10

#show policy-map int a0/1/0.132 | in Class-map|matched|default
    Class-map: REALTIME (match-any)
      (pkts matched/bytes matched) 0/0
    Class-map: CRITICAL-DATA (match-any)
      (pkts matched/bytes matched) 0/0
        default      0/0          0/0          0/0       20   40  1/10
    Class-map: class-default (match-any)
        default      270/19980    0/0          0/0       20   40  1/10

(I do see class matches, omitted here, but they do not appear to be queued)

What is actually observed is that the LLQ appears to work well until more than one member joins the bundle, then the latency + jitter becomes variable, but I'm not sure that it is even working at all since the queue counters do not increment, I could just be seeing the results of the WFQ.

From the PE side, "ppp multilink fragment disable" and "ppp link reorders" are applied via RADIUS but I do not really believe they are having an effect since I'm still seeing re-order counters. (vtemplate clone applies the attributes, but assume they are being ignored)

CE is 12.4(15)T7 and PE is 12.4(19)

Am assuming that I'm doing this correctly as there should be no need for a shaper (not that it is accepted anyway) since we can create ATM backpressure from the ATM interfaces when I reduce the TX ring size.

Any suggestions appreciated.
Regards,

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net


From rodunn at cisco.com Tue Aug 26 10:28:13 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 26 Aug 2008 10:28:13 -0400
Subject: [c-nsp] Improved queuing in 12.4(20)T?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1BD5@xmb-ams-333.emea.cisco.com>
References: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com> <746ca6da0808260416j2b7edebdn164e8b445a6cc78f@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1BD5@xmb-ams-333.emea.cisco.com>
Message-ID: <20080826142813.GE5212@rtp-cse-489.cisco.com>

On Tue, Aug 26, 2008 at 01:32:23PM +0200, Oliver Boehmer (oboehmer) wrote:
> Per Carlson wrote on Tuesday, August 26, 2008 1:16 PM:
>
>> Hi Oli.
>>
>>> I haven't looked at HQF for a while, but I recall the H-QoS scenario you're using benefits especially from HQF as the parent shaper is aware of the LLQ within the child, but not entirely sure about this. It would explain the improved behaviour, though.
>>
>> I have always had the impression that the parent shaper *is* aware of the child policy. Otherwise the whole H-QoS scheme is rather useless, at least with respect to LLQ/PQ.
>
> Hmm, I think I would need to do some digging here, but I was thinking about a different kind of "awareness" here. Obviously the shaper in the parent is aware of a child, so when the shaper has to queue a packet (i.e. signals connections), it'll use the child policy (which, as you write, is the whole point of H-QoS).

The difference I suspect is how the time intervals are handled. I worked on an issue once where we actually would slightly burst above the configured shape rate and it got worse the smaller the Tc was. With HQF the excess is handled differently and resulted in more accurate shaping rates.
I forgot all the nitty-gritty details of how we did it.

> Maybe Rodney can comment more, but I would still assume HQF being the reason for the different behavior in your environment.

Yep. I agree with you.

Rodney

>
> oli


From hank at efes.iucc.ac.il Tue Aug 26 10:31:47 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Tue, 26 Aug 2008 17:31:47 +0300 (IDT)
Subject: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
In-Reply-To: <20080826124855.GA3673@bongo.bofh.it>
References: <20080826124855.GA3673@bongo.bofh.it>
Message-ID:

On Tue, 26 Aug 2008, Marco d'Itri wrote:

Works for me on 12.2(18)SXE6b but all are eFlexwans:

Slot 4: Logical_index 9
  2 port adapter Enhanced FlexWAN controller
  Board is analyzed ipc ready
  HW rev 0.1, board revision A01
  Serial Number:   Part number: 73-6348-01
  Slot database information:
    Flags: 0x2004   Insertion time: 0x22C08 (6w5d ago)
  Controller Memory Size: 192 MBytes CPU Memory  63 MBytes Packet Memory  255 MBytes Total on Board SDRAM
  IOS (tm) cwlc Software (cwpa2-DW-M), Version 12.2(18)SXE6b, RELEASE SOFTWARE (fc2)
  PA Bay 1 Information:
    POS PA, 2 port, PA-POS-2OC3
    EEPROM format version 4
    HW rev 1.00, Board revision A0
    Serial number: JAE09044GVG   Part number: 73-8220-05

-Hank

> When I plug in the PA I get this:
>
> SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in I/O Bay. The I/O Controller network interfaces will be unavailable.
>
> a normal fast ethernet PA works fine.
> cisco.com says that the PA is supported even by non-enhanced FlexWANs.
>
> IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
>
> --
> ciao,
> Marco
>


From mh+cisco-nsp at zugschlus.de Tue Aug 26 10:01:24 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Tue, 26 Aug 2008 16:01:24 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Message-ID: <20080826140124.GA26261@torres.zugschlus.de>

Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I haven't found any mailing list with this clue level for other cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate being able to talk to their networked printers on the local LANs. I have received the advice to add the local networks of all teleworkers to an access list, which has resulted in the "DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to work, traffic for 192.168.8.3 still goes into the tunnel after I changed the acl reference in the crypto isakmp client configuration group InternClient. Also, I do not see any changes in the Windows client's routing tables.

Can someone advise what I am doing wrong here? Additionally, do I really need to exclude all local networks of all teleworkers in the global configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator series which do not seem to use IOS - at least I cannot make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
                   |                  Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190


From moua0100 at umn.edu Tue Aug 26 11:20:25 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 26 Aug 2008 10:20:25 -0500
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080826140124.GA26261@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de>
Message-ID: <066201c9078f$43f24b40$31dd5ea0@ad.umn.edu>

Sounds like a routing issue, is your ippool handing out IP addresses to the clients? I recently set up a similar config on a 1811 and this works fine. I can send you the working config if you're interested.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
Sent: Tuesday, August 26, 2008 9:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN Client to 1841,default route into tunnel with exceptions

Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but I haven't found any mailing list with this clue level for other cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside the tunnel, which is a desired feature in this setup. OTOH, some teleworkers would appreciate to be able to talk to their networked printers on the local LANs. I have received the advice of adding the local networks of all teleworkers to an access list, which has resulted in the "DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to work, traffic for 192.168.8.3 still goes into the tunnel after I changed the acl reference in the crypto isakmp client configuration group InternClient. Also, I do not see any changes in the Windows client's routing tables.

Can someone advice what I am doing wrong here? Additionally, do I really need to exclude all local networks of all teleworkers in the global configuration, or is it possible to control this on a per-client basis?

All web-based documentation I have found deals with the VPN Concentrator series which do not seem to use IOS - at least I cannot make sense of the advice found there in my configuration.
Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190


From dudepron at gmail.com Tue Aug 26 11:26:04 2008
From: dudepron at gmail.com (Aaron)
Date: Tue, 26 Aug 2008 11:26:04 -0400
Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
In-Reply-To:
References: <001001c906c5$f2e026b0$d8a07410$@com>
Message-ID: <480dad640808260826j6d0f721aqddc9dc04f9d80267@mail.gmail.com>

How about putting on the outbound to make sure that you are sending it to the hub?

On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <nic.tjirkalli at za.verizonbusiness.com> wrote:
> Howdy ho,
>
>> Maybe try to put in an ACL or could use netflow for this as well...
>> ip access-list extend check_packets_in
>>  permit esp any any
>>  permit udp any eq isakmp any eq isakmp
>>  permit ip any any
>> interface dialer 1
>>  ip access-group check_packets_in in
>>
>> To see if ESP is coming in to your spoke router.
>
> good suggestion but now I am even more confused
>
> created acl as follows and applied to dialer 1 in :-
> interface Dialer1
>  ip access-group check_packets_in in
>
> but there are no matches at all - not even IP
>
> nhrp-spoke-2#show access-lists check_packets_in
> Extended IP access list check_packets_in
>     10 permit ahp any any
>     20 permit esp any any
>     30 permit udp any eq isakmp any eq isakmp
>     40 permit ip any any
>
> `:wq``
>
>
>> -Luan
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>> Sent: Monday, August 25, 2008 3:40 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
>>
>> howdy ho all,
>>
>> thanx to those who sent through suggestions on how to get the IPSEC to work
>> - the ideas were :- try mode transport
>>                  :- don't use wildcard for the secret
>>
>> so i changed the hub and spoke as follows :-
>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>  mode transport
>>
>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>
>> also same symptoms
>> - crypto comes up
>> - hub reports IPSEC encaps and decaps
>> - spoke sites report 0 decaps for IPSEC and no errors
>>
>> any other ideas?
>>
>> thanx
>>
>>>
>>> howdy ho all,
>>>
>>> Was hoping I could use this forum to get some direction on resolving a strange issue I have with a DMVPN setup.
>>>
>>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I enable IPSEC the tunnels stop passing traffic.
>>>
>>> The setup :-
>>> ============
>>>
>>> All routers are CISCO 1841 platforms.
>>> the IOS image is :-
>>> C1841-ADVIPSERVICESK9-M
>>> c1841-advipservicesk9-mz.124-21.bin
>>>
>>> HUB Router
>>> ----------
>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires up an L2TP tunnel to obtain a static IP address.
>>>
>>> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
>>> This IP address is the NHS. All connections to/from the hub use the address of 196.47.0.204.
>>>
>>> Tunnel interface on the hub router is 10.0.0.1
>>>
>>> Spoke Router
>>> ------------
>>> the Spoke router (there are 2 I am just showing one) connects via ADSL (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke routers use Dialer1 as their interface into the NHRP cloud.
>>>
>>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface ie do not add the command tunnel protection ipsec profile DMVPN on Tunnel0
>>>
>>> Tunnel interface on the hub router is 10.0.0.3
>>> all works perfectly.
>>>
>>> The Problem
>>> ===========
>>>
>>> When I enable IPSEC encryption on the tunnel interfaces on all routers then things break. I have tried with both 3DES and AES and same issue.
>>>
>>> All the crypto sessions seem correct - correct SAs come up. The dynamically created crypto-maps seem correct.
>>>
>>> BUT, on the spoke routers, IPSEC reports that no packets are being de-encapsulated but no errors are reported.
>>>
>>> nhrp-spoke-2#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>    local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>    current_peer 196.47.0.204 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 3, #recv errors 0
>>>
>>> But on the HUB, all is well:
>>>   protected vrf: (none)
>>>    local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>    current_peer 41.195.37.191 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 1, #recv errors 0
>>>
>>> Any ideas/thoughts would be greatly appreciated.
>>>
>>> The configurations and some useful output are below
>>>
>>> HUB Configuration
>>> =================
>>>
>>> hostname adsl-nhrp-hub
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> logging buffered 4096 debugging
>>> !
>>> no aaa new-model
>>> ip cef
>>> !
>>> no ip domain lookup
>>> ip auth-proxy max-nodata-conns 3
>>> ip admission max-nodata-conns 3
>>> vpdn enable
>>> !
>>> l2tp-class l2tpclass1
>>>  authentication
>>>  password 7 03070E0C2E572B6A1719
>>> !
>>> pseudowire-class pwclass1
>>>  encapsulation l2tpv2
>>>  protocol l2tpv2 l2tpclass1
>>>  ip local interface Dialer1
>>> !
>>> crypto isakmp policy 10
>>>  encr aes
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>> !
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> !
>>> crypto ipsec profile DMVPN
>>>  set transform-set 3DES_MD5
>>> !
>>> interface Loopback0
>>>  ip address 172.16.1.1 255.255.255.255
>>> !
>>> interface Tunnel0
>>>  ip address 10.0.0.1 255.255.255.0
>>>  no ip redirects
>>>  ip mtu 1400
>>>  no ip next-hop-self eigrp 1
>>>  ip nhrp authentication xxxxxxxxxx
>>>  ip nhrp map multicast dynamic
>>>  ip nhrp network-id 1
>>>  ip nhrp holdtime 60
>>>  ip nhrp registration timeout 30
>>>  ip tcp adjust-mss 1360
>>>  no ip split-horizon eigrp 1
>>>  tunnel source Virtual-PPP1
>>>  tunnel mode gre multipoint
>>>  tunnel key 1
>>>  tunnel protection ipsec profile DMVPN
>>> !
>>> interface Null0
>>>  no ip unreachables
>>> !
>>> interface FastEthernet0/0
>>>  no ip address
>>>  speed 100
>>>  full-duplex
>>>  pppoe enable group global
>>>  pppoe-client dial-pool-number 1
>>> !
>>> interface FastEthernet0/1
>>>  no ip address
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface Virtual-PPP1
>>>  ip address negotiated
>>>  ip mtu 1452
>>>  ip virtual-reassembly
>>>  no logging event link-status
>>>  no peer neighbor-route
>>>  no cdp enable
>>>  ppp chap hostname XXXXX
>>>  ppp chap password 7 XXXXXX
>>>  ppp pap sent-username XXXX password 7 XXXXX
>>>  pseudowire 196.30.121.42 10 pw-class pwclass1
>>> !
>>> interface Dialer1
>>>  mtu 1492
>>>  ip address negotiated
>>>  ip virtual-reassembly
>>>  encapsulation ppp
>>>  ip tcp adjust-mss 1452
>>>  dialer pool 1
>>>  dialer-group 1
>>>  ppp chap hostname XXX
>>>  ppp chap password 7 XXXX
>>>  ppp pap sent-username XXXX password 7 XXXX
>>> !
>>> router eigrp 1
>>>  redistribute connected route-map to-eigrp
>>>  redistribute static
>>>  passive-interface Dialer1
>>>  network 10.0.0.0 0.0.0.255
>>>  no auto-summary
>>> !
>>> no ip forward-protocol nd
>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
>>> ip route 196.30.121.42 255.255.255.255 Dialer1
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
>>> access-list 1 permit any
>>> access-list 2 deny any
>>> access-list 3 permit 10.0.0.2
>>> access-list 3 permit 10.222.0.1
>>> access-list 3 permit 10.222.0.2
>>> access-list 3 permit 10.244.0.2
>>> no cdp run
>>> !
>>> route-map to-eigrp deny 10
>>>  match ip address prefix-list local
>>> !
>>> route-map to-eigrp permit 1000
>>>
>>>
>>> adsl-nhrp-hub#show ip nhrp
>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>>>   Type: dynamic, Flags: authoritative unique registered used
>>>   NBMA address: 41.195.37.174
>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>>>   Type: dynamic, Flags: authoritative unique registered used
>>>   NBMA address: 41.195.37.191
>>>
>>> adsl-nhrp-hub#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>     Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>>>
>>>    protected vrf: (none)
>>>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>    remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>>>    current_peer 41.195.37.174 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>>     #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 0, #recv errors 0
>>>
>>>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>>>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>      current outbound spi: 0xD9D819B1(3654818225)
>>>
>>>      inbound esp sas:
>>>       spi: 0x8AD878CD(2329442509)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4437499/1923)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      inbound ah sas:
>>>
>>>      inbound pcp sas:
>>>
>>>      outbound esp sas:
>>>       spi: 0xD9D819B1(3654818225)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4437454/1923)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      outbound ah sas:
>>>
>>>      outbound pcp sas:
>>>
>>>    protected vrf: (none)
>>>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>    current_peer 41.195.37.191 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 1, #recv errors 0
>>>
>>>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>>>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>      current outbound spi: 0x6E27D1C2(1848103362)
>>>
>>>      inbound esp sas:
>>>       spi: 0xEE9B0E5D(4003139165)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4478781/3289)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      inbound ah sas:
>>>
>>>      inbound pcp sas:
>>>
>>>      outbound esp sas:
>>>       spi: 0x6E27D1C2(1848103362)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4478771/3289)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      outbound ah sas:
>>>
>>>      outbound pcp sas:
>>>
>>> adsl-nhrp-hub#show crypto map
>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>         Profile name: DMVPN
>>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>>         PFS (Y/N): N
>>>         Transform sets={
>>>                 3DES_MD5,
>>>         }
>>>
>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>>>         Map is a PROFILE INSTANCE.
>>>         Peer = 41.195.37.174
>>>         Extended IP access list
>>>             access-list  permit gre host 196.47.0.204 host 41.195.37.174
>>>         Current peer: 41.195.37.174
>>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>>         PFS (Y/N): N
>>>         Transform sets={
>>>                 3DES_MD5,
>>>         }
>>>
>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>>>         Map is a PROFILE INSTANCE.
>>>         Peer = 41.195.37.191
>>>         Extended IP access list
>>>             access-list  permit gre host 196.47.0.204 host 41.195.37.191
>>>         Current peer: 41.195.37.191
>>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>>         PFS (Y/N): N
>>>         Transform sets={
>>>                 3DES_MD5,
>>>         }
>>>         Interfaces using crypto map Tunnel0-head-0:
>>>                 Tunnel0
>>>
>>> adsl-nhrp-hub#show crypto engine connections active
>>>
>>>   ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
>>>   16 Virtual-PPP1   196.47.0.204    set    HMAC_MD5+AES_CBC          0        0
>>>   18 Tunnel0        10.0.0.1        set    HMAC_MD5+AES_CBC          0        0
>>> 3003 Tunnel0        196.47.0.204    set    AES+MD5                 169        0
>>> 3004 Tunnel0        196.47.0.204    set    AES+MD5                   0        8
>>> 3005 Virtual-PPP1   196.47.0.204    set    AES+MD5                 818        0
>>> 3006 Virtual-PPP1   196.47.0.204    set    AES+MD5                   0        1
>>>
>>>
>>> Spoke Configuration
>>> ===================
>>>
>>> ip cef
>>> !
>>> no ip domain lookup
>>> ip auth-proxy max-nodata-conns 3
>>> ip admission max-nodata-conns 3
>>> vpdn enable
>>> !
>>> l2tp-class l2tpclass1
>>>  authentication
>>>  password 7 xxxx
>>> !
>>> pseudowire-class pwclass1
>>>  encapsulation l2tpv2
>>>  protocol l2tpv2 l2tpclass1
>>>  ip local interface Dialer1
>>> !
>>> crypto isakmp policy 10
>>>  encr aes
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>> !
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> !
>>> crypto ipsec profile DMVPN
>>>  set transform-set 3DES_MD5
>>> !
>>> interface Loopback0
>>>  ip address 172.16.1.3 255.255.255.255
>>> !
>>> interface Tunnel0
>>>  ip address 10.0.0.3 255.255.255.0
>>>  no ip redirects
>>>  ip mtu 1400
>>>  ip nhrp authentication xxxxxxxxxx
>>>  ip nhrp map 10.0.0.1 196.47.0.204
>>>  ip nhrp map multicast 196.47.0.204
>>>  ip nhrp network-id 1
>>>  ip nhrp holdtime 60
>>>  ip nhrp nhs 10.0.0.1
>>>  ip nhrp registration timeout 30
>>>  ip tcp adjust-mss 1360
>>>  tunnel source Dialer1
>>>  tunnel mode gre multipoint
>>>  tunnel key 1
>>>  tunnel protection ipsec profile DMVPN
>>> !
>>> interface FastEthernet0/0
>>>  ip address dhcp
>>>  speed 100
>>>  full-duplex
>>>  pppoe enable group global
>>>  pppoe-client dial-pool-number 1
>>> !
>>> interface FastEthernet0/1
>>>  ip address 10.222.0.1 255.255.255.0
>>>  speed 100
>>>  full-duplex
>>> !
>>> interface Dialer1
>>>  mtu 1492
>>>  ip address negotiated
>>>  ip virtual-reassembly
>>>  encapsulation ppp
>>>  ip tcp adjust-mss 1452
>>>  dialer pool 1
>>>  ppp chap hostname XXXX
>>>  ppp chap password 0 XXXX
>>>  ppp pap sent-username XXXX password 0 XXXXX
>>> !
>>> router eigrp 1
>>>  redistribute connected route-map to-eigrp
>>>  redistribute static
>>>  passive-interface FastEthernet0/1
>>>  passive-interface Dialer1
>>>  network 10.0.0.0 0.0.0.255
>>>  no auto-summary
>>>  eigrp stub connected
>>> !
>>> ip forward-protocol nd
>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>> access-list 1 permit any
>>> access-list 2 deny any
>>> access-list 3 permit 10.222.0.1
>>> access-list 3 permit 10.222.0.2
>>> access-list 3 permit 10.244.0.2
>>> access-list 3 permit 10.244.0.1
>>> !
>>> route-map clear-df permit 10
>>>  set ip df 0
>>> !
>>> route-map to-eigrp deny 10
>>>  match ip address prefix-list local
>>> !
>>> route-map to-eigrp permit 1000
>>>
>>>
>>> Some Debugs
>>> ===========
>>>
>>> nhrp-spoke-2#show ip nhrp
>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>>>   Type: static, Flags: authoritative used
>>>   NBMA address: 196.47.0.204
>>>
>>>
>>> nhrp-spoke-2#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>     Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>>>
>>>    protected vrf: (none)
>>>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>    current_peer 196.47.0.204 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 3, #recv errors 0
>>>
>>>      local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>>>      path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>>>      current outbound spi: 0xEE9B0E5D(4003139165)
>>>
>>>      inbound esp sas:
>>>       spi: 0x6E27D1C2(1848103362)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4530791/3584)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      inbound ah sas:
>>>
>>>      inbound pcp sas:
>>>
>>>      outbound esp sas:
>>>       spi: 0xEE9B0E5D(4003139165)
>>>         transform: esp-aes esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>         sa timing: remaining key lifetime (k/sec): (4530789/3584)
>>>         IV size: 16 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      outbound ah sas:
>>>
>>>      outbound pcp sas:
>>>
>>> nhrp-spoke-2#show crypto engine connections active
>>>
>>>   ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
>>>   13 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>>   14 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>> 3003 Dialer1        41.195.37.191   set    AES+MD5                  15        0
>>> 3004 Dialer1        41.195.37.191   set    AES+MD5                   0        0
>>>
>>> nhrp-spoke-2#show crypto map
>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>         Profile name: DMVPN
>>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>>         PFS (Y/N): N
>>>         Transform sets={
>>>                 3DES_MD5,
>>>         }
>>>
>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>>>         Map is a PROFILE INSTANCE.
>>>         Peer = 196.47.0.204
>>>         Extended IP access list
>>>             access-list  permit gre host 41.195.37.191 host 196.47.0.204
>>>         Current peer: 196.47.0.204
>>>         Security association lifetime: 4608000 kilobytes/3600 seconds
>>>         PFS (Y/N): N
>>>         Transform sets={
>>>                 3DES_MD5,
>>>         }
>>>         Interfaces using crypto map Tunnel0-head-0:
>>>                 Tunnel0
>>>

From felixnkansah at gmail.com  Tue Aug 26 12:05:16 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Tue, 26 Aug 2008 16:05:16 +0000
Subject: [c-nsp] Configuring VWIC-1MFT-E1 for Data
Message-ID: <18dba4e50808260905p57ee003s92730ca40e1d7ff9@mail.gmail.com>

Hi,

I would like a reference to online documentation that explains the
configuration of the data features of a Cisco VWIC-1MFT-E1 card.

Any references would be deeply appreciated.

Regards,
Felix

From icox at cisco.com  Tue Aug 26 13:00:01 2008
From: icox at cisco.com (Ian Cox)
Date: Tue, 26 Aug 2008 10:00:01 -0700
Subject: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
In-Reply-To: <20080826124855.GA3673@bongo.bofh.it>
References: <20080826124855.GA3673@bongo.bofh.it>
Message-ID: <48B43691.3020804@cisco.com>

PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
that particular PA has the idprom messed up. Try doing a sh diagbus with
it inserted and see what the PA idprom is telling the system.

bourke#sh diagbus
...
Slot 8: Logical_index 16
        2 port adapter Enhanced FlexWAN controller
        Board is analyzed ipc ready
        HW rev 1.5, board revision A0
        Serial Number: JABxxxxxx  Part number: 73-8273-09
        Slot database information:
        Flags: 0x2004   Insertion time: 0x2CE0C (00:00:11 ago)
        CWAN Controller Memory Size: Unknown
        PA Bay 0 Information:
                2CT3+ single wide PA, 2 ports
                EEPROM format version 1
                HW rev 1.00, Board revision A0
                Serial number: xxxxxxxx  Part number: 73-3388-03

Ian

Marco d'Itri wrote:
> When I plug in the PA I get this:
>
> SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in I/O Bay. The I/O Controller network interfaces will be unavailable.
>
> a normal fast ethernet PA works fine.
> cisco.com says that the PA is supported even by non-enhanced FlexWANs.
>
> IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
>

From perc69 at gmail.com  Tue Aug 26 13:06:34 2008
From: perc69 at gmail.com (Pelle)
Date: Tue, 26 Aug 2008 19:06:34 +0200
Subject: [c-nsp] Improved queuing in 12.4(20)T?
In-Reply-To: <20080826142813.GE5212@rtp-cse-489.cisco.com>
References: <746ca6da0808260146s2c0105fbs697b8f2b16ee93dc@mail.gmail.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED78405ED1B22@xmb-ams-333.emea.cisco.com>
	<746ca6da0808260416j2b7edebdn164e8b445a6cc78f@mail.gmail.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED78405ED1BD5@xmb-ams-333.emea.cisco.com>
	<20080826142813.GE5212@rtp-cse-489.cisco.com>
Message-ID: <746ca6da0808261006v543ff835wce4ac3ca023a6387@mail.gmail.com>

On Tue, Aug 26, 2008 at 16:28, Rodney Dunn wrote:
> The difference I suspect is how the time intervals are handled.
> I worked on an issue once where we actually would slightly burst above the
> configured shape rate and it got worse the smaller the Tc was.
> With HQF the excess is handled differently and resulted in more accurate
> shaping rates. I forgot all the nitty gritty details of how we did it.

Hmm, that's a good thing and a bad. The good thing is that HQF has
improved something that was suboptimal; the bad thing is that you need
HQF (read: it's not a bug).

The most worrying aspect is that you do use a shaper to handle excess
traffic, and when the shaper kicks in, the latencies increase by a
magnitude (from <1 millisec to over 10 millisec). Not very nice to
real-time traffic.

Will probably have to stick with 12.4(20)T where we must, despite the
bleeding-edge nature.

-- 
Pelle

From j1010y at gmail.com  Tue Aug 26 14:16:20 2008
From: j1010y at gmail.com (Jay Young)
Date: Tue, 26 Aug 2008 14:16:20 -0400
Subject: [c-nsp] SNMP auth failure and malloc issues
Message-ID: <24ad6e420808261116r65d49333u18f37c2d75b94612@mail.gmail.com>

I was wondering if anyone has seen a similar issue.

7609 Sup720 running 7600s72033-advipservicesk9-mz.122-33.SRB3.bin

I am seeing lots of malloc errors after seeing a long-running SNMP querier
who is unable to query my router.

Aug 26 12:00:38.136 EST5EDT: %SYS-2-MALLOCFAIL: Memory allocation of 332 bytes failed from 0x42081CA8, alignment 32
Pool: I/O  Free: 123760  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "IP Input", ipl= 0, pid= 191
-Traceback= 405BBFD0 405BC514 412630F8 41269850 42081CB0 42082188 420860A8 42080ED0 40951738 40952538 40951CF8 40951F08 409520D8 40948C74 41C112C4 4226E290
Aug 26 12:00:53.072 EST5EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host X.Y.Z.21

I noticed this on another box I was running a few months ago but didn't get
any resolution; I just got the offending host to stop and reloaded the
router. I didn't see anything in the bug toolkit and we have a case open.
Thanks,
Jay

From md at Linux.IT  Tue Aug 26 19:43:37 2008
From: md at Linux.IT (Marco d'Itri)
Date: Wed, 27 Aug 2008 01:43:37 +0200
Subject: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
In-Reply-To: <48B43691.3020804@cisco.com>
References: <20080826124855.GA3673@bongo.bofh.it> <48B43691.3020804@cisco.com>
Message-ID: <20080826234337.GA13374@bongo.bofh.it>

On Aug 26, Ian Cox wrote:

> PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
> that particular PA has the idprom messed up. Try doing a sh diagbus with
> it inserted and see what the PA idprom is telling the system.
This is the output for the card back in the 7200 where it has been in use
so far:

picard.mil#show diag 3
Slot 3:
        POS Single Width, Single Mode Port adapter, 1 port
        Port adapter is analyzed
        Port adapter insertion time 13:18:33 ago
        EEPROM contents at hardware discovery:
        Hardware revision 2.0           Board revision A0
        Serial number     1xxxxxx6      Part number 73-3193-02
        FRU Part Number: PA-POS-OC3SMI=
        Test history      0x0           RMA number 00-00-00
        EEPROM format version 1
        EEPROM contents (hex):
          0x20: 01 95 02 00 00 E8 71 06 49 0C 79 02 00 00 00 00
          0x30: 50 00 00 00 99 08 27 00 00 00 FF FF FF FF FF FF

> Marco d'Itri wrote:
> > When I plug in the PA I get this:
> >
> > SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in I/O Bay. The I/O Controller network interfaces will be unavailable.
> >
> > a normal fast ethernet PA works fine.
> > cisco.com says that the PA is supported even by non-enhanced FlexWANs.
> >
> > IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
> >

-- 
ciao,
Marco

From aj at sneep.net  Tue Aug 26 19:45:54 2008
From: aj at sneep.net (Alastair Johnson)
Date: Wed, 27 Aug 2008 07:45:54 +0800
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br>
Message-ID: <48B495B2.2090303@sneep.net>

Tim Franklin wrote:
> On Thu, August 21, 2008 12:59 am, Brandon Price wrote:
>> Other than just saying "its bad" can you give some specifics as to the
>> problems you've run into using private addresses for PE-CE links? As
>> long as the SP hands out unique addresses across all of the links, what
>> does it matter whether they are "private" or "public" ?
>
> Customers using *all* of RFC1918 space (or at least claiming they do).
>
> e.g. if you have WAN links as /30s out of 10.11.12.0/24, and the customer
> has that range on a LAN somewhere, each site will be unable to reach the
> particular hosts on its WAN /30. (At least - if you're redistributing
> WAN routes into BGP / MBGP, the lack of visibility gets worse).

Most[1] large telcos I've seen[2] offering IP-VPN services tend to use
RFC1918 addressing for CE-PE infrastructure. Using public addressing for
much of this just often doesn't scale - thinking of some IP-VPNs which
have thousands of CE elements.

Most of them make this clear when doing the pre-sales design work, and
have very clear exclusion lists for prefixes that *will not* be accepted
into the IP-VPN under any circumstances. The majority of customers I've
worked with have been comfortable with this, given that it's generally a
small number of /30s or /31s and very rarely (in fact, I can't think of a
time) is there a conflict.

In the odd case, if the customer refuses to work with the telco.... the
telco will just not accept the customer without doing some form of Network
Special Deal which results in the customer paying a whole bunch more for
the service to cover the deviation costs.[3]

My own employer, a multinational in 100+ countries, uses RFC1918
extensively but our WAN group has managed to work around conflicts with
the multitude of IP-VPN services that use RFC1918 on the WAN.

aj

[1] Obviously this doesn't include all of them. I have a couple of IP-VPNs
which do make use of public /31 infrastructure but this is rare. I have a
feeling that these /31s may be re-used across multiple IP-VPN services.
[2] I tend to have a slightly incumbent/tier 1 view of the world.
[3] This is usually *very* expensive for the customer. If the customer
wants it bad enough... they'll pay.... but see [2]. :)

From brett at looney.id.au  Tue Aug 26 20:02:30 2008
From: brett at looney.id.au (Brett Looney)
Date: Wed, 27 Aug 2008 08:02:30 +0800
Subject: [c-nsp] Configuring VWIC-1MFT-E1 for Data
In-Reply-To: <18dba4e50808260905p57ee003s92730ca40e1d7ff9@mail.gmail.com>
References: <18dba4e50808260905p57ee003s92730ca40e1d7ff9@mail.gmail.com>
Message-ID: <000001c907d8$38288600$a8799200$@id.au>

> I would like a reference to an online documentation that explains
> the configuration of the data features of a cisco VWIC-1MFT-E1 card.

Ok then:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/intserv.html

B.

From brett at looney.id.au  Tue Aug 26 20:08:08 2008
From: brett at looney.id.au (Brett Looney)
Date: Wed, 27 Aug 2008 08:08:08 +0800
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080826140124.GA26261@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de>
Message-ID: <000101c907d8$fe2f68a0$fa8e39e0$@id.au>

> With this configuration, a client cannot communicate at all
> outside the tunnel, which is a desired feature in this setup.
> OTOH, some teleworkers would appreciate to be able to talk to
> their networked printers on the local LANs.

It's been a while but from memory you need to put the "include-local-lan"
setting into the client configuration group to do this.

HTH.

B.

From ben.steele at internode.on.net  Tue Aug 26 20:58:20 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 27 Aug 2008 10:28:20 +0930
Subject: [c-nsp] LLQ + MLPPPoE -> ?
In-Reply-To:
References:
Message-ID: <001301c907e0$003398e0$009acaa0$@steele@internode.on.net>

Remove the service policy from your ATM ints and just leave it on your
Dialer, then do a "sh users" and you should see an interface listed as the
MLP Bundle; this is the one you want to be watching. If for example it is
Vi4 then do a "sh policy-map int vi4".

Also given you are running pppoe, you should be setting your MTU correctly
(ip mtu 1492, if it's a 1500 byte path) and an "ip tcp adjust-mss 1452"
wouldn't do any harm either.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Tuesday, 26 August 2008 11:20 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] LLQ + MLPPPoE -> ?

Have a scenario whereby I've an LLQ policy applied to a CE router doing
MLPPPoE with following configuration:

!
class-map match-any REALTIME
 match ip dscp ef
class-map match-any CRITICAL-DATA
 match ip dscp cs6
!
!
policy-map LLQ
 class REALTIME
  priority percent 35
 class CRITICAL-DATA
  bandwidth percent 40
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect dscp-based
!
!
interface ATM0/0/0.132 point-to-point
 pvc 1/32
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
!
!
interface ATM0/1/0.132 point-to-point
 pvc 1/32
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
!
interface Dialer0
 bandwidth 4608
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password yy
 ppp ipcp route default
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 max-reserved-bandwidth 100
 service-policy output LLQ
end

So, the LLQ policy is only required to be applied to the VC and not the
dialer, since I'm only queuing, but it is applied to both here.

The ATM interface did indeed move to WFQ:

#show queueing int atm0/0/0.132
Interface ATM0/0/0.132 VC 1/32
  Queueing strategy: weighted fair
  Output queue: 0/512/64/0 (size/max total/threshold/drops)
     Conversations  0/6/128 (active/max active/max total)
     Reserved Conversations 1/1 (allocated/max allocated)
     Available Bandwidth 1 kilobits/sec

But, the output of "show policy-map int a0/0/0.132" does not show anything
being pushed into the PQ at all:

#show policy-map int a0/0/0.132 | in Class-map|matched|default
    Class-map: REALTIME (match-any)
      (pkts matched/bytes matched) 0/0
    Class-map: CRITICAL-DATA (match-any)
      (pkts matched/bytes matched) 0/0
      default   0/0         0/0   0/0   20  40  1/10
    Class-map: class-default (match-any)
      default   268/19832   0/0   0/0   20  40  1/10

#show policy-map int a0/1/0.132 | in Class-map|matched|default
    Class-map: REALTIME (match-any)
      (pkts matched/bytes matched) 0/0
    Class-map: CRITICAL-DATA (match-any)
      (pkts matched/bytes matched) 0/0
      default   0/0         0/0   0/0   20  40  1/10
    Class-map: class-default (match-any)
      default   270/19980   0/0   0/0   20  40  1/10

(I do see class matches, omitted here, but they do not appear to be queued)

What is actually observed is that the LLQ appears to work well until more
than one member joins the bundle, then the latency + jitter becomes
variable, but I'm not sure that it is even working at all since the queue
counters do not increment; I could just be seeing the results of the WFQ.
From the PE side, "ppp multilink fragment disable" and "ppp link reorders"
are applied via RADIUS but I do not really believe they are having an
effect since I'm still seeing re-order counters. (vtemplate clone applies
the attributes, but assume they are being ignored)

CE is 12.4(15)T7 and PE is 12.4(19)

Am assuming that I'm doing this correctly as there should be no need for a
shaper (not that it is accepted anyway) since we can create ATM
backpressure from the ATM interfaces when I reduce the TX ring size.

Any suggestions appreciated.

Regards,

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From sforcejr at yahoo.com  Tue Aug 26 22:21:26 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Tue, 26 Aug 2008 19:21:26 -0700 (PDT)
Subject: [c-nsp] NAT/ACL options in a PIX
Message-ID: <528836.7482.qm@web50512.mail.re2.yahoo.com>

Version 6.3.5
PIX 515

We have been assigned 25 Public IP addresses by our ISP and I want to
administer them in the most efficient way.

We get a lot of requests for external access to different hosts in our
private network. For example:

Public trusted IP address requesting access: P.P.P.2
Public IP address assigned by ISP: Q.Q.Q.10
Internal host IP: 10.10.10.111
port 80 or 8080 (http://10.10.10.111/site:8080

So far every time we get a request we do this:

static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080

QUESTION
1- Is it possible to do what I believe is called PAT and reuse the same
public ip address (Q.Q.Q.10) when I get a second request to access a
DIFFERENT host (10.10.10.112) and redirect them to port 8081 for example?
If possible, how?
Today I got a request to allow access to an internal host (10.10.10.110)
that I have already mapped with this public IP: Q.Q.Q.9. The source ip
address is: P.P.P.3. These are the statements already in the PIX:

static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080

I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I
tried to assign a different Public ip address (Q.Q.Q.11) but I got this
message:

ERROR: duplicate of existing static

QUESTION
2- Is there any way to allow 2 IP addresses to access the same host on the
same port (it could be different)?

I appreciate any help since I am a beginner on this subject

Thanks

John

From sforcejr at yahoo.com  Tue Aug 26 22:32:05 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Tue, 26 Aug 2008 19:32:05 -0700 (PDT)
Subject: [c-nsp] NAT/ACL options in a PIX
Message-ID: <660901.76489.qm@web50507.mail.re2.yahoo.com>

--CORRECTION---

As a part of my 2nd question I made a mistake on the internal host IP.
This is the correction:

I need to allow P.P.P.3 to access the same internal host (10.10.10.110).
I tried to assign a different Public ip address (Q.Q.Q.11)...........

Thanks

--- On Tue, 8/26/08, John Ramz wrote:

> From: John Ramz
> Subject: NAT/ACL options in a PIX
> To: cisco-nsp at puck.nether.net
> Date: Tuesday, August 26, 2008, 9:21 PM
From jules.rogers at gmail.com  Tue Aug 26 23:23:26 2008
From: jules.rogers at gmail.com (Jules Rogers)
Date: Tue, 26 Aug 2008 22:23:26 -0500
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <528836.7482.qm@web50512.mail.re2.yahoo.com>
References: <528836.7482.qm@web50512.mail.re2.yahoo.com>
Message-ID: <89e9216c0808262023v671a727at5fe1d2b57de96ec3@mail.gmail.com>

Here's an example of port redirection that I know works with PIX OS 7.0(4).
I've never tried it with 6.3(5).
# Access lists for the outside interface are configured to allow traffic from the Internet to 172.16.1.10 for web, terminal services and ftp.
# You will see from the static commands later on that each of these requests will go to a different server on the inside.
access-list outside-entry extended permit tcp any host 172.16.1.1 eq www
access-list outside-entry extended permit tcp any host 172.16.1.1 eq 3389
access-list outside-entry extended permit tcp any host 172.16.1.1 eq ftp

# When going from a higher interface to a lower interface a NAT and global command are used.
# Any address on the 10.1.1.0 / 24 inside network going to the outside will use PAT translating the source IP
# to the IP address that is configured on the outside interface above.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

# These static commands take all www requests to the public ip address of 172.16.1.1 and forward them to the inside ip address
# 10.1.1.10 on port 80. The same is done for terminal services and ftp requests to 172.16.1.1, however, each of these is forwarded
# to different inside ip addresses.
static (inside,outside) tcp 172.16.1.1 www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 3389 10.1.1.12 3389 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 ftp 10.1.1.15 ftp netmask 255.255.255.255

On Tue, Aug 26, 2008 at 9:21 PM, John Ramz wrote:
> Version 6.3.5
> PIX 515
>
> We have been assigned 25 Public IP addresses by our ISP and I want
> administer them in the most efficient way.
>
> We get a lot of requests for external access to different hosts in our
> private network.
> For example:
>
> Public trusted IP address requesting access: P.P.P.2
> Public IP address assigned by ISP: Q.Q.Q.10
> Internal host IP: 10.10.10.111
> port 80 or 8080 (http://10.10.10.111/site:8080
>
> So far every time we get a request we do this:
>
> static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
>
> QUESTION
> 1- Is it possible to do what I believe is called PAT and reuse the same
> public ip address(Q.Q.Q.10) when I get a second request to access a
> DIFFERENT host(10.10.10.112) and redirect them to port 8081 for example?
> If possible, how?
>
> Today I got a request to allow access to an internal host(10.10.10.110)
> that I have already mapped with this public IP: Q.Q.Q.9 . The source ip
> address is: P.P.P.3 . These are the statements already in the PIX:
>
> static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
> access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
>
> I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried
> to assign a different Public ip address(Q.Q.Q.11) but I got this message:
>
> ERROR: duplicate of existing static
>
> QUESTION
> 2- Is there anyway to allow 2 IP addresses to access the same host on the
> same port-it could be different-?
> I appreciate any help since I am a beginner on this subject
>
> Thanks
>
> John
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Jules Rogers

From vinny at tellurian.com  Tue Aug 26 23:23:44 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Tue, 26 Aug 2008 23:23:44 -0400
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <660901.76489.qm@web50507.mail.re2.yahoo.com>
References: <660901.76489.qm@web50507.mail.re2.yahoo.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF05646243E8ED5@exchangenj1>

Correct, you are doing NAT as a straight 1 to 1 translation for traffic. Using PAT, you can specify either TCP or UDP traffic and the outside and inside port numbers. This is still accomplished with the static statement. You'll still need the access-list entry as well unless you have another rule already covering it.

I'm confused though... If you need a different external host to access an internal server, why can't you reuse the same outside address in the translation? The PIX does extended translation automatically. Just add it to the access-list, or did I misunderstand?

If you are doing this on a different port and want to map various ports on one external IP to different internal hosts or ports, you can do this as well with the static statement:

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081 netmask 255.255.255.255 0 0

This maps traffic that matches TCP port 8080 hitting the outside address of 1.2.3.4 to port 8081 on internal IP 10.10.10.110.

I wasn't quite clear with your alphanumeric examples, but I hope this helps. I believe you truly just want to keep adding more entries to your access-list. Once you have a translation, be it NAT or PAT, defined, the access control is done through the access-list at that point.
-Vinny > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of John Ramz > Sent: Tuesday, August 26, 2008 10:32 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] NAT/ACL options in a PIX > > --CORRECTION--- > > As a part of my 2nd question I made a mistake on the internal host IP. > This is the correction: > > I need to allow P.P.P.3 to access the same internal host > (10.10.10.110). I tried to assigned a different Public ip > address(Q.Q.Q.11)........... > > > Thanks > > > > --- On Tue, 8/26/08, John Ramz wrote: > > > From: John Ramz > > Subject: NAT/ACL options in a PIX > > To: cisco-nsp at puck.nether.net > > Date: Tuesday, August 26, 2008, 9:21 PM > > Version 6.3.5 > > PIX 515 > > > > We have been assigned 25 Public IP addresses by our ISP and > > I want to administer them in the most efficient way. > > > > We get a lot of requests for external access to different > > hosts in our private network. For example: > > > > Public trusted IP address requesting access: P.P.P.2 > > Public IP address assigned by ISP: Q.Q.Q.10 > > Internal host IP: 10.10.10.111 > > port 80 or 8080 (http://10.10.10.111/site:8080 > > > > So far every time we get a request we do this: > > > > static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask > > 255.255.255.255 0 0 > > access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 > > eq 8080 > > > > QUESTION > > 1- Is it possible to do what I believe is called PAT and > > reuse the same public ip address(Q.Q.Q.10) when I get a > > second request to access a DIFFERENT host(10.10.10.112) and > > redirect them to port 8081 for example? If possible, how? > > > > > > > > Today I got a request to allow access to an internal > > host(10.10.10.110) that I have already mapped with this > > public IP: Q.Q.Q.9 . The source ip address is: P.P.P.3 . 
> > These are the statements already in the PIX: > > > > static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask > > 255.255.255.255 0 0 > > access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 > > eq 8080 > > > > I need to allow P.P.P.3 to access the same internal host > > (Q.Q.Q.9). I tried to assigned a different Public ip > > address(Q.Q.Q.11) but I got this message: > > > > ERROR: duplicate of existing static > > > > QUESTION > > 2- Is there anyway to allow 2 IP addresses to access the > > same host on the same port-it could be different-? > > > > I appreciate any help since I am a beginner on this subject > > > > > > Thanks > > > > John > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From nic.tjirkalli at za.verizonbusiness.com Wed Aug 27 00:53:27 2008 From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli) Date: Wed, 27 Aug 2008 06:53:27 +0200 (SAST) Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels In-Reply-To: <480dad640808260826j6d0f721aqddc9dc04f9d80267@mail.gmail.com> References: <001001c906c5$f2e026b0$d8a07410$@com> <480dad640808260826j6d0f721aqddc9dc04f9d80267@mail.gmail.com> Message-ID: Howdy ho, > How about putting on the outbound to make sure that you are sending it the > the hub? 
good idea - add this to the hub router :-

adsl-nhrp-hub#show access-lists check_packets_in
Extended IP access list check_packets_in
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any eq isakmp any eq isakmp
    40 permit ip any any

interface Virtual-PPP1
 ip access-group check_packets_in out

just to make sure all was reset and applied, I reloaded the hub router and both spoke routers and looking at the ACL after a few minutes of all the routers coming up :-

adsl-nhrp-hub#show access-lists check_packets_in
Extended IP access list check_packets_in
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any eq isakmp any eq isakmp
    40 permit ip any any

no matches ..... I doubt this can be accurate - at least there should be IP matches as NHRP is up :-

10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 41.195.37.191

from routing table on hub, traffic to NHRP neighbours should be going out of Virtual-PPP1

adsl-nhrp-hub#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     196.30.121.0/32 is subnetted, 1 subnets
S       196.30.121.42 is directly connected, Dialer1
     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback0
     196.47.0.0/32 is subnetted, 1 subnets
C       196.47.0.204 is directly connected, Virtual-PPP1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
     41.0.0.0/32 is subnetted, 2 subnets
C       41.195.37.199 is directly connected, Dialer1
C       41.195.37.129 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Virtual-PPP1

thanx

>
>
> On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <
> nic.tjirkalli at za.verizonbusiness.com> wrote:
>
>> Howdy ho,
>>
>>
>> Maybe try to put in an ACL or could use netflow for this as well...
>>> ip access-list extend check_packets_in
>>> permit esp any any
>>> permit udp any eq isakmp any eq isakmp
>>> permit ip any any
>>> interface dialer 1
>>> ip access-group check_packets_in in
>>>
>>> To see if ESP coming in to your spoke router.
>>>
>> good suggestion but now I am even more confused
>>
>> created acl as follows and applied to dialer 1 in :-
>> interface Dialer1
>> ip access-group check_packets_in in
>>
>> but there are no matches at all - not even IP
>> nhrp-spoke-2#show access-lists check_packets_in
>> Extended IP access list check_packets_in
>> 10 permit ahp any any
>> 20 permit esp any any
>> 30 permit udp any eq isakmp any eq isakmp
>> 40 permit ip any any
>>
>>
>>> -Luan
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>>> Sent: Monday, August 25, 2008 3:40 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
>>> tunnels
>>>
>>> howdy ho all,
>>>
>>> thanx to those who sent through suggestions on how to get the IPSEC to
>>> work - the ideas were :- try mode transport
>>> :- dont use wildcard for the secret
>>>
>>> so i changed the hub and spoke as follows :-
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> mode transport
>>>
>>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>>
>>> also same symptoms
>>> - crypto comes up
>>> - hub reports IPSEC encaps and decaps
>>> - spoke sites report 0 decaps for IPSEC and no errors
>>>
>>> any other ideas?
>>>
>>> thanx
>>>
>>>> howdy ho all,
>>>>
>>>> Was hoping I could use this forum to get some direction on resolving a
>>>> strange issue I have with a DMVPN setup.
>>>>
>>>> All works 100% if I do not protect the tunnels with IPSEC.
As soon as I >>>> enable IPSEC the tunnels stop passing traffic. >>>> >>>> >>>> The setup :- >>>> ============ >>>> >>>> All routers are CISCO 1841 platforms. the IOS image is :- >>>> C1841-ADVIPSERVICESK9-M >>>> c1841-advipservicesk9-mz.124-21.bin >>>> >>>> >>>> HUB Router >>>> ---------- >>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then >>>> >>> fires >>> >>>> up an L2TP tunnel to obtain a static IP address. >>>> >>>> The IP address allocated to the L2TP interface is 196.47.0.204 >>>> >>> (Virtual-PPP1) >>> >>>> This IP address is the NHS. All connections to/from the hub >>>> use the address of 196.47.0.204. >>>> >>>> Tunnel interface on the hub router is 10.0.0.1 >>>> >>>> >>>> Spoke Router >>>> ------------ >>>> the Spoke router (there are 2 I am just showing one) connects via ADSL >>>> (a PPPOE session over ethernet) and obtains a dynamic IP address. the >>>> >>> spoke >>> >>>> routers use Dialer1 as their interface into the NHRP cloud. >>>> >>>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel >>>> interface >>>> ie do not add the command tunnel protection ipsec profile DMVPN >>>> on Tunnel0 >>>> >>>> Tunnel interface on the hub router is 10.0.0.3 >>>> all works perfectly. >>>> >>>> >>>> The Problem >>>> =========== >>>> >>>> When I enable IPSEC encryption on the tunnel interfaces on all routers >>>> then things break. I have tried with both 3DES and AES and same issue. >>>> >>>> All the crypto sessions seem correct - correct SAs come up. The >>>> >>> dynamically >>> >>>> created crypto-maps seem correct. >>>> >>>> BUT. on the spoke routers, IPSEC reports that no packets are being >>>> de-encapsulated but no errors are reported. 
>>>> >>>> nhrp-spoke-2#show crypto ipsec sa >>>> >>>> interface: Tunnel0 >>>> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> current_peer 196.47.0.204 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410 >>>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 3, #recv errors 0 >>>> >>>> >>>> But on the HUB. all is well >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> current_peer 41.195.37.191 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153 >>>> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 1, #recv errors 0 >>>> >>>> >>>> Any ideas/thoughts would be greatly appreciated. >>>> >>>> The configuration's and some useful output are below >>>> >>>> >>>> >>>> HUB Configuration >>>> ================= >>>> >>>> hostname adsl-nhrp-hub >>>> ! >>>> boot-start-marker >>>> boot-end-marker >>>> ! >>>> logging buffered 4096 debugging >>>> ! >>>> no aaa new-model >>>> ip cef >>>> ! >>>> ! >>>> ! >>>> ! >>>> no ip domain lookup >>>> ip auth-proxy max-nodata-conns 3 >>>> ip admission max-nodata-conns 3 >>>> vpdn enable >>>> ! >>>> l2tp-class l2tpclass1 >>>> authentication >>>> password 7 03070E0C2E572B6A1719 >>>> ! >>>> ! >>>> ! >>>> ! >>>> ! >>>> ! 
>>>> pseudowire-class pwclass1 >>>> encapsulation l2tpv2 >>>> protocol l2tpv2 l2tpclass1 >>>> ip local interface Dialer1 >>>> ! >>>> ! >>>> ! >>>> crypto isakmp policy 10 >>>> encr aes >>>> hash md5 >>>> authentication pre-share >>>> group 2 >>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0 >>>> ! >>>> ! >>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac >>>> ! >>>> crypto ipsec profile DMVPN >>>> set transform-set 3DES_MD5 >>>> ! >>>> ! >>>> ! >>>> ! >>>> interface Loopback0 >>>> ip address 172.16.1.1 255.255.255.255 >>>> ! >>>> interface Tunnel0 >>>> ip address 10.0.0.1 255.255.255.0 >>>> no ip redirects >>>> ip mtu 1400 >>>> no ip next-hop-self eigrp 1 >>>> ip nhrp authentication xxxxxxxxxx >>>> ip nhrp map multicast dynamic >>>> ip nhrp network-id 1 >>>> ip nhrp holdtime 60 >>>> ip nhrp registration timeout 30 >>>> ip tcp adjust-mss 1360 >>>> no ip split-horizon eigrp 1 >>>> tunnel source Virtual-PPP1 >>>> tunnel mode gre multipoint >>>> tunnel key 1 >>>> tunnel protection ipsec profile DMVPN >>>> ! >>>> interface Null0 >>>> no ip unreachables >>>> ! >>>> interface FastEthernet0/0 >>>> no ip address >>>> speed 100 >>>> full-duplex >>>> pppoe enable group global >>>> pppoe-client dial-pool-number 1 >>>> ! >>>> interface FastEthernet0/1 >>>> no ip address >>>> duplex auto >>>> speed auto >>>> ! >>>> interface Virtual-PPP1 >>>> ip address negotiated >>>> ip mtu 1452 >>>> ip virtual-reassembly >>>> no logging event link-status >>>> no peer neighbor-route >>>> no cdp enable >>>> ppp chap hostname XXXXX >>>> ppp chap password 7 XXXXXX >>>> ppp pap sent-username XXXX password 7 XXXXX >>>> pseudowire 196.30.121.42 10 pw-class pwclass1 >>>> ! >>>> interface Dialer1 >>>> mtu 1492 >>>> ip address negotiated >>>> ip virtual-reassembly >>>> encapsulation ppp >>>> ip tcp adjust-mss 1452 >>>> dialer pool 1 >>>> dialer-group 1 >>>> ppp chap hostname XXX >>>> ppp chap password 7 XXXX >>>> ppp pap sent-username XXXX password 7 XXXX >>>> ! 
>>>> router eigrp 1 >>>> redistribute connected route-map to-eigrp >>>> redistribute static >>>> passive-interface Dialer1 >>>> network 10.0.0.0 0.0.0.255 >>>> no auto-summary >>>> ! >>>> no ip forward-protocol nd >>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 >>>> ip route 196.30.121.42 255.255.255.255 Dialer1 >>>> ! >>>> ! >>>> ip http server >>>> no ip http secure-server >>>> ! >>>> ! >>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32 >>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32 >>>> access-list 1 permit any >>>> access-list 2 deny any >>>> access-list 3 permit 10.0.0.2 >>>> access-list 3 permit 10.222.0.1 >>>> access-list 3 permit 10.222.0.2 >>>> access-list 3 permit 10.244.0.2 >>>> no cdp run >>>> ! >>>> route-map to-eigrp deny 10 >>>> match ip address prefix-list local >>>> ! >>>> route-map to-eigrp permit 1000 >>>> >>>> >>>> adsl-nhrp-hub#show ip nhrp >>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57 >>>> Type: dynamic, Flags: authoritative unique registered used >>>> NBMA address: 41.195.37.174 >>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33 >>>> Type: dynamic, Flags: authoritative unique registered used >>>> NBMA address: 41.195.37.191 >>>> >>>> adsl-nhrp-hub#show crypto ipsec sa >>>> >>>> interface: Tunnel0 >>>> Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204 >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0 >>>> ) >>>> current_peer 41.195.37.174 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764 >>>> #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. 
failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 0, #recv errors 0 >>>> >>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: >>>> 41.195.37.174 >>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1 >>>> current outbound spi: 0xD9D819B1(3654818225) >>>> >>>> inbound esp sas: >>>> spi: 0x8AD878CD(2329442509) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4437499/1923) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0xD9D819B1(3654818225) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4437454/1923) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> current_peer 41.195.37.191 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153 >>>> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. 
failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 1, #recv errors 0 >>>> >>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: >>>> 41.195.37.191 >>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1 >>>> current outbound spi: 0x6E27D1C2(1848103362) >>>> >>>> inbound esp sas: >>>> spi: 0xEE9B0E5D(4003139165) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4478781/3289) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0x6E27D1C2(1848103362) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4478771/3289) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> adsl-nhrp-hub#show crypto map >>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp >>>> Profile name: DMVPN >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. >>>> Peer = 41.195.37.174 >>>> Extended IP access list >>>> access-list permit gre host 196.47.0.204 host 41.195.37.174 >>>> Current peer: 41.195.37.174 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. 
>>>> Peer = 41.195.37.191 >>>> Extended IP access list >>>> access-list permit gre host 196.47.0.204 host 41.195.37.191 >>>> Current peer: 41.195.37.191 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> Interfaces using crypto map Tunnel0-head-0: >>>> Tunnel0 >>>> >>>> adsl-nhrp-hub#show crypto engine connections active >>>> >>>> ID Interface IP-Address State Algorithm >>>> >>> Encrypt >>> >>>> Dt >>>> 16 Virtual-PPP1 196.47.0.204 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 18 Tunnel0 10.0.0.1 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 3003 Tunnel0 196.47.0.204 set AES+MD5 >>>> >>> 169 >>> >>>> 0 >>>> 3004 Tunnel0 196.47.0.204 set AES+MD5 >>>> >>> 0 >>> >>>> 8 >>>> 3005 Virtual-PPP1 196.47.0.204 set AES+MD5 >>>> >>> 818 >>> >>>> 0 >>>> 3006 Virtual-PPP1 196.47.0.204 set AES+MD5 >>>> >>> 0 >>> >>>> 1 >>>> >>>> >>>> Spoke Configuration >>>> =================== >>>> >>>> ip cef >>>> ! >>>> no ip domain lookup >>>> ip auth-proxy max-nodata-conns 3 >>>> ip admission max-nodata-conns 3 >>>> vpdn enable >>>> ! >>>> l2tp-class l2tpclass1 >>>> authentication >>>> password 7 xxxx >>>> ! >>>> ! >>>> pseudowire-class pwclass1 >>>> encapsulation l2tpv2 >>>> protocol l2tpv2 l2tpclass1 >>>> ip local interface Dialer1 >>>> ! >>>> ! >>>> crypto isakmp policy 10 >>>> encr aes >>>> hash md5 >>>> authentication pre-share >>>> group 2 >>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0 >>>> ! >>>> ! >>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac >>>> ! >>>> crypto ipsec profile DMVPN >>>> set transform-set 3DES_MD5 >>>> ! >>>> ! >>>> ! >>>> ! >>>> interface Loopback0 >>>> ip address 172.16.1.3 255.255.255.255 >>>> ! 
>>>> interface Tunnel0 >>>> ip address 10.0.0.3 255.255.255.0 >>>> no ip redirects >>>> ip mtu 1400 >>>> ip nhrp authentication xxxxxxxxxx >>>> ip nhrp map 10.0.0.1 196.47.0.204 >>>> ip nhrp map multicast 196.47.0.204 >>>> ip nhrp network-id 1 >>>> ip nhrp holdtime 60 >>>> ip nhrp nhs 10.0.0.1 >>>> ip nhrp registration timeout 30 >>>> ip tcp adjust-mss 1360 >>>> tunnel source Dialer1 >>>> tunnel mode gre multipoint >>>> tunnel key 1 >>>> tunnel protection ipsec profile DMVPN >>>> ! >>>> interface FastEthernet0/0 >>>> ip address dhcp >>>> speed 100 >>>> full-duplex >>>> pppoe enable group global >>>> pppoe-client dial-pool-number 1 >>>> ! >>>> interface FastEthernet0/1 >>>> ip address 10.222.0.1 255.255.255.0 >>>> speed 100 >>>> full-duplex >>>> ! >>>> ! >>>> interface Dialer1 >>>> mtu 1492 >>>> ip address negotiated >>>> ip virtual-reassembly >>>> encapsulation ppp >>>> ip tcp adjust-mss 1452 >>>> dialer pool 1 >>>> ppp chap hostname XXXX >>>> ppp chap password 0 XXXX >>>> ppp pap sent-username XXXX password 0 XXXXX >>>> ! >>>> router eigrp 1 >>>> redistribute connected route-map to-eigrp >>>> redistribute static >>>> passive-interface FastEthernet0/1 >>>> passive-interface Dialer1 >>>> network 10.0.0.0 0.0.0.255 >>>> no auto-summary >>>> eigrp stub connected >>>> ! >>>> ip forward-protocol nd >>>> ip route 0.0.0.0 0.0.0.0 Dialer1 >>>> ! >>>> ! >>>> ip http server >>>> no ip http secure-server >>>> ! >>>> ! >>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32 >>>> access-list 1 permit any >>>> access-list 2 deny any >>>> access-list 3 permit 10.222.0.1 >>>> access-list 3 permit 10.222.0.2 >>>> access-list 3 permit 10.244.0.2 >>>> access-list 3 permit 10.244.0.1 >>>> ! >>>> route-map clear-df permit 10 >>>> set ip df 0 >>>> ! >>>> route-map to-eigrp deny 10 >>>> match ip address prefix-list local >>>> ! 
>>>> route-map to-eigrp permit 1000 >>>> >>>> >>>> Some Debugs >>>> =========== >>>> >>>> nhrp-spoke-2#show ip nhrp >>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire >>>> Type: static, Flags: authoritative used >>>> NBMA address: 196.47.0.204 >>>> >>>> >>>> nhrp-spoke-2#show crypto ipsec sa >>>> >>>> interface: Tunnel0 >>>> Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191 >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> current_peer 196.47.0.204 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410 >>>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 3, #recv errors 0 >>>> >>>> local crypto endpt.: 41.195.37.191, remote crypto endpt.: >>>> 196.47.0.204 >>>> path mtu 1492, ip mtu 1492, ip mtu idb Dialer1 >>>> current outbound spi: 0xEE9B0E5D(4003139165) >>>> >>>> inbound esp sas: >>>> spi: 0x6E27D1C2(1848103362) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4530791/3584) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0xEE9B0E5D(4003139165) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4530789/3584) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> nhrp-spoke-2#show crypto engine 
connections active >>>> >>>> ID Interface IP-Address State Algorithm >>>> >>> Encrypt >>> >>>> Decrypt >>>> 13 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 14 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 3003 Dialer1 41.195.37.191 set AES+MD5 >>>> >>> 15 >>> >>>> 0 >>>> 3004 Dialer1 41.195.37.191 set AES+MD5 >>>> >>> 0 >>> >>>> 0 >>>> >>>> nhrp-spoke-2#show crypto map >>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp >>>> Profile name: DMVPN >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. >>>> Peer = 196.47.0.204 >>>> Extended IP access list >>>> access-list permit gre host 41.195.37.191 host 196.47.0.204 >>>> Current peer: 196.47.0.204 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> Interfaces using crypto map Tunnel0-head-0: >>>> Tunnel0 >>>> >>>> >>>> --------------------------------------------------------------------- >>>> A feature is a bug with seniority. >>>> >>>> Nic Tjirkalli >>>> Verizon Business South Africa >>>> Network Strategy Team >>>> >>>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This >>>> e-mail >>>> is strictly confidential and intended only for use by the addressee >>>> unless >>>> otherwise indicated. >>>> >>>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >>>> >>>> This e-mail is strictly confidential and intended only for use by the >>>> addressee unless otherwise indicated. >>>> >>>> >>>> >>> >>> --------------------------------------------------------------------- >>> Some days you're the pigeon, and some days you're the statue. >>> >>> Nic Tjirkalli >>> Verizon Business South Africa >>> Network Strategy Team >>> >>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. 
This e-mail >>> is strictly confidential and intended only for use by the addressee unless >>> otherwise indicated. >>> >>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >>> >>> This e-mail is strictly confidential and intended only for use by the >>> addressee unless otherwise indicated. >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> >> --------------------------------------------------------------------- >> A feature is a bug with seniority. >> >> Nic Tjirkalli >> Verizon Business South Africa >> Network Strategy Team >> >> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail >> is strictly confidential and intended only for use by the addressee unless >> otherwise indicated. >> >> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >> >> This e-mail is strictly confidential and intended only for use by the >> addressee unless otherwise indicated. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > --------------------------------------------------------------------- Beauty is in the eye of the beer holder. Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information:http:// www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. 
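Added example, not from Nic's posts or any Cisco tool: a Python script that parses the `show crypto ipsec sa` counters quoted above from nhrp-spoke-2 and from adsl-nhrp-hub and checks each direction of the SA pair, so the observation "hub encaps and decaps, spoke encaps but 0 decaps" comes out as a per-direction verdict rather than a by-eye comparison. The two sample outputs are trimmed from the thread's own counters; the pairing logic and the verdict wording are this script's assumptions.

```python
"""Added example, not part of the cisco-nsp thread: parse the per-peer
counters from IOS `show crypto ipsec sa` and check each direction of an SA
pair, so the one-way pattern Nic reports (spoke encaps > 0, decaps == 0; hub
counts both) is reported per direction.  The two sample outputs below are
trimmed from the counters quoted in the thread; the verdict wording and the
pairing logic are this script's own.
"""
import re
from dataclasses import dataclass

LOCAL_RE = re.compile(r"local addr (\S+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class SaCounters:
    local: str          # this router's crypto endpoint
    peer: str           # the remote crypto endpoint
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text: str) -> dict:
    """Return {peer_ip: SaCounters} for one router's `show crypto ipsec sa`."""
    sas, local, cur = {}, None, None
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):
            local = m.group(1)
        if m := PEER_RE.search(line):
            cur = sas.setdefault(m.group(1), SaCounters(local or "?", m.group(1)))
            continue
        if cur is None:
            continue
        for m in CNT_RE.finditer(line):        # several counters share a line
            setattr(cur, m.group(1), int(m.group(2)))
        if m := ERR_RE.search(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def direction(sender: SaCounters, receiver: SaCounters) -> str:
    """What sender encapsulates should show up as decaps on receiver."""
    if sender.encaps == 0:
        return "idle: sender has encapsulated nothing"
    if receiver.decaps == 0:
        return (f"BROKEN: {sender.encaps} encapsulated, 0 decapsulated "
                f"(receiver recv errors={receiver.recv_errors})")
    return f"ok: {sender.encaps} encapsulated, {receiver.decaps} decapsulated"


def diagnose(a: SaCounters, b: SaCounters) -> dict:
    """Check both directions of one SA pair, given the counters from each end."""
    if {a.local, a.peer} != {b.local, b.peer}:
        raise ValueError("counters are not the two ends of the same SA pair")
    return {f"{a.local}->{b.local}": direction(a, b),
            f"{b.local}->{a.local}": direction(b, a)}


# Constructed from the counters quoted in the thread, trimmed to the lines
# this script reads.
SPOKE_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
   current_peer 196.47.0.204 port 500
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0
"""

HUB_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
   current_peer 41.195.37.174 port 500
    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
    #send errors 0, #recv errors 0
   current_peer 41.195.37.191 port 500
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #send errors 1, #recv errors 0
"""


def thread_verdict() -> dict:
    """Pair spoke-2's SA with the hub's SA for that spoke and check both ways."""
    spoke = parse_ipsec_sa(SPOKE_SAMPLE)["196.47.0.204"]
    hub = parse_ipsec_sa(HUB_SAMPLE)["41.195.37.191"]
    return diagnose(spoke, hub)


if __name__ == "__main__":
    for path, verdict in thread_verdict().items():
        print(f"{path}: {verdict}")
```

The hub-to-spoke direction is the one that fails: the hub encapsulates packets for 41.195.37.191 that the spoke never decapsulates, while the spoke-to-hub direction is counted at both ends.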
From felixnkansah at gmail.com  Wed Aug 27 04:01:39 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 27 Aug 2008 08:01:39 +0000
Subject: [c-nsp] Configuring VWIC-1MFT-E1 for Data
In-Reply-To: <000001c907d8$38288600$a8799200$@id.au>
References: <18dba4e50808260905p57ee003s92730ca40e1d7ff9@mail.gmail.com> <000001c907d8$38288600$a8799200$@id.au>
Message-ID: <18dba4e50808270101j4b160a5bs846f8179500e1045@mail.gmail.com>

Thanks Brett. Would check the link now.

From zivl at gilat.net  Wed Aug 27 04:07:19 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 27 Aug 2008 11:07:19 +0300
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <528836.7482.qm@web50512.mail.re2.yahoo.com>
References: <528836.7482.qm@web50512.mail.re2.yahoo.com>
Message-ID: 

If I understand you correctly, what you're trying to achieve is a kind of load balance: you want the PIX to listen on the outside public address on a certain port, such as 8080, and to forward a request to several internal hosts on different "inside" ports.

I'll try to make a diagram to see if this is correct.

External IP (8080) ---------------- Host A (8080)
        |  \
        |   \
        |    \
        |     \
        |      \
        |
   Host B (8081)   Host C (8082)

Is this what you're trying to do?

I'm not aware of any way of doing this on a PIX with ver. 6.3.5. If someone knows a way, I'll be glad to hear about it too.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ramz
Sent: Wednesday, August 27, 2008 5:21 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT/ACL options in a PIX

Version 6.3.5
PIX 515

We have been assigned 25 Public IP addresses by our ISP and I want to administer them in the most efficient way.

We get a lot of requests for external access to different hosts in our private network.
For example:

Public trusted IP address requesting access: P.P.P.2
Public IP address assigned by ISP: Q.Q.Q.10
Internal host IP: 10.10.10.111
port 80 or 8080 (http://10.10.10.111/site:8080)

So far every time we get a request we do this:

static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080

QUESTION
1- Is it possible to do what I believe is called PAT and reuse the same public ip address (Q.Q.Q.10) when I get a second request to access a DIFFERENT host (10.10.10.112) and redirect them to port 8081, for example? If possible, how?

Today I got a request to allow access to an internal host (10.10.10.110) that I have already mapped with this public IP: Q.Q.Q.9. The source ip address is P.P.P.3. These are the statements already in the PIX:

static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080

I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried to assign a different Public ip address (Q.Q.Q.11) but I got this message:

ERROR: duplicate of existing static

QUESTION
2- Is there any way to allow 2 IP addresses to access the same host on the same port (it could be different)?

I appreciate any help since I am a beginner on this subject

Thanks

John

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From csirek at cooler.hu  Wed Aug 27 04:46:34 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 27 Aug 2008 10:46:34 +0200
Subject: [c-nsp] C4948 total output drops / bit error problem
Message-ID: <48B5146A.5070607@cooler.hu>

Hello

I have a lot of C4948 switches in our network. All switches have a 2x1 Gb/s uplink (etherchannel) to a 6509 switch. The problem is, if the traffic is "big" on the etherchannel (~2x700 Mbit/s), the "total output drops" counter increases.

Yesterday the counter was:
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 131796

Today morning:
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 133483

I found some sites that use the hold-queue command, but it isn't available on the C4948 platform.

I used a packet generator device and put 1,500,000 packets (size was 64 bytes) across the network. After 5 minutes the packet generator signalled an error (bit error, lost packet), and the total drops counter increased suddenly. I tried a lot of platforms like C2970, C4948-10G, C6509/6724sfp, 3Com switch, but this loss pattern problem applies only to the C4948 devices, with different IOS versions. All of the C4948 devices show this problem.

More interesting, if I tried this 1.5M packet, 64-byte test on only a C4948 with no connection to other devices, this can produce the problem after 5 minutes on optical and copper interfaces too. Every time I did this test, the problem appeared at the 5th minute.

Any idea?

Thanks.
Laci

From blahu77 at gmail.com  Wed Aug 27 04:47:19 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 27 Aug 2008 09:47:19 +0100
Subject: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
In-Reply-To: <48B495B2.2090303@sneep.net>
References: <56F211C5E3F24F47B103EA1B253822BE03654881@vic-cr-ex1.staff.netspace.net.au> <20080820164735.GA16618@diveo.net.br> <48B495B2.2090303@sneep.net>
Message-ID: <383357750808270147s7ccf61ecrc957468ef3850071@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Most[1] large telcos I've seen[2] offering IP-VPN services tend to use
> RFC1918 addressing for CE-PE infrastructure. Using public addressing for
> much of this just often doesn't scale - thinking of some IP-VPNs which have
> thousands of CE elements.

I just don't see how it doesn't scale with Public vs Private Space.
The good point for Private Space (from Customer perspective) is that it can be reused when Customer changes provider (CE unmanaged case).

Best Regards,

- --
- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFItRSXIvBv0k5esR4RAmBoAJwIdBIAvM+ZIBCBZNN8kjhYOOpKsACgxOij
2uW0YWyj/Av1lo6lvUd6oxw=
=/5og
-----END PGP SIGNATURE-----

From junaid.x86 at gmail.com  Wed Aug 27 05:12:13 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Wed, 27 Aug 2008 15:12:13 +0600
Subject: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
Message-ID: 

Hi,

I am caught up in what seems to be a Juniper Cisco interoperability issue. I am running OSPF with customer inside VRF. Topology is something like the following:

CE1 ---[Area 0]--- PE1 ---- P1 --- P2 --- PE2 ---[Area 6]--- CE2

The two P routers are acting as route reflectors.

CE1, CE2 and PE1 are Cisco devices while the rest are Juniper M-series routers. The problem I am facing is that CE1 routes received at CE2 are Inter-area, which is what is required (no redistribution into OSPF is done on CE1 and CE2). However, CE2 routes received by CE1 are Type 5 (E1).
The documentation states that in order to preserve the route types, domain IDs should be the same on both PE routers. I have set the domain ID to be 1.1.1.1:512; this was done on Cisco via the command "domain-id type 0105 value 010101010200" and on Juniper as "domain-id 1.1.1.1:512" in the OSPF configuration inside the VRF. Also on Juniper the domain-id was added into the OSPF routes when redistributing them into MBGP.

The problem seems to be with the Cisco PE1 router, which can't seem to interpret the route-type attribute generated by Juniper (seen in the output as 0x306:0:393472):

PE1#sh ip bgp vpnv4 all 10.254.20.254
BGP routing table entry for 1:103:10.254.20.254/32, version 550
Paths: (1 available, best #1, table VPN_OSPF)
  Not advertised to any peer
  Local
     (metric 4) from ()
      Origin IGP, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:1:103 OSPF DOMAIN ID:0x0105:0x010101010200 0x306:0:393472

10.254.20.254/32 is advertised by CE2 (assigned on one of its loopback interfaces). Now the domain ID is fine but it seems that Cisco is unable to interpret the route-type attribute. 393472 translates to 60100, where 6 is the area ID, 01 says that it is a type 1 LSA, and the last two bytes are options, which are not used in this case.
Upon receiving this route via MBGP, PE1 injects a type 5 LSA towards CE1 (confirmed on CE1 by enabling debugging) where it should have injected type 3:

OSPF: Ack Type 5, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 5, seq 0x80000001

If I replace the Juniper PE2 with a Cisco, then PE1 seems to interpret the route-type attribute correctly (OSPF RT:0.0.0.6:2:0) and injects a type 3 LSA towards CE1, and CE1 receives the routes as inter-area:

PE1#sh ip bgp vpnv4 all 10.254.20.254
BGP routing table entry for 1:103:10.254.20.254/32, version 676
Paths: (1 available, best #1, table VPN_OSPF)
  Not advertised to any peer
  Local
     (metric 2) from ()
      Origin incomplete, metric 11112, localpref 100, valid, internal, best
      Extended Community: RT:1:103 OSPF DOMAIN ID:0x0005:0x010101010200 OSPF RT:0.0.0.6:2:0 OSPF ROUTER ID:10.254.2.1:512

Debug output:

OSPF: Ack Type 3, LSID 10.254.20.254, Adv rtr 10.254.1.1, age 1, seq 0x80000001

Any idea what is causing this behavior? Any solution? Will appreciate any help.

Regards,
Junaid

From m.cooper at actrix.co.nz  Wed Aug 27 05:39:26 2008
From: m.cooper at actrix.co.nz (Mike Cooper)
Date: Wed, 27 Aug 2008 21:39:26 +1200
Subject: [c-nsp] Cisco 2960G Issue
Message-ID: <48B520CE.7030008@actrix.co.nz>

Hi all,

I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5. It's been in production for a couple of weeks in a fairly straightforward L2 environment.

We noticed this afternoon a few hosts connected to the switch suffering persistent packet loss of ~20%. After a bit of investigation we narrowed it down to ports 5, 6, 7, 8. The ports were configured as access ports, 1 @ 10M/FD, 3 @ 1G/FD, all in different VLANs.

My assumption is the switch runs six ASICs, and that the one that operates those 4 ports has faulted or degraded in some way, causing the performance issues. None of the other machines connected to the switch were affected, and currently the switch is still operating.
I've since relocated the affected machines to an alternate switch, resolving the loss issues.

I'm interested if anyone is aware of this as a common problem with 2960G switches (or any switches for that matter), and if there are any tips for testing/troubleshooting before I return it as faulty. I bought 4 brand new 2960Gs in one go, 1 was DoA, and now this one has developed faults, which is leaving me with some concerns for the others.

Cheers,
--Mike

From oboehmer at cisco.com  Wed Aug 27 05:39:55 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 27 Aug 2008 11:39:55 +0200
Subject: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
In-Reply-To: 
References: 
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1EDC@xmb-ams-333.emea.cisco.com>

Junaid <> wrote on Wednesday, August 27, 2008 11:12 AM:

> Hi,
>
> I am caught up in what seems to be a Juniper Cisco interoperability
> issue. I am running OSPF with customer inside VRF. Topology is
> something like the following:
>
> CE1 ---[Area 0]--- PE1 ---- P1 --- P2 --- PE2 ---[Area 6]--- CE2
>
[...]
> The problem seems to be with the Cisco PE1 router that can't seem to
> interpret the route-type attribute generated by Juniper (seen in the
> output as 0x306:0:393472):
[...]
> Any idea what is causing this behavior? Any solution? Will appreciate
> any help.

which release are you using on the PE1? You might be hitting CSCsg42488 (Juniper - Cisco PE incorrect extended community for OSPF).

	oli

From cisco-nsp at tracker.fire-world.de  Wed Aug 27 05:58:05 2008
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Wed, 27 Aug 2008 11:58:05 +0200
Subject: [c-nsp] Netflow + Subinterfaces 7200 -> 7600
Message-ID: <20080827095805.GA16820@danton.fire-world.de>

Hi,

I'm replacing a few 7200 (NPE-G1) with 7600 (RSP720) and I'm wondering what would be the best way to do netflow accounting with VLANs on the new platform.

Currently, the configuration on the 7200 is like this:

GigabitEthernet0/1.2
 [..]
 ip flow ingress
!

Now, on the 7600, should I also use subinterfaces with "ip flow ingress"? Would that work? Or should I use Vlan interfaces and then use

ip flow ingress layer2-switched vlan 2

If I do that I should NOT specify "ip flow ingress" on the Vlan interface, right? I would assume it would count traffic twice (once when received on an interface where ip flow ingress is active and then when it is routed from that interface into Vlan 2)?

Also it seems that SRC1 doesn't have per-interface flow configuration for IPv6. :( Does someone know if that is planned in further releases?

Regards,

Sebastian

-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From mh+cisco-nsp at zugschlus.de  Wed Aug 27 06:22:43 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 27 Aug 2008 12:22:43 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <066201c9078f$43f24b40$31dd5ea0@ad.umn.edu>
References: <20080826140124.GA26261@torres.zugschlus.de> <066201c9078f$43f24b40$31dd5ea0@ad.umn.edu>
Message-ID: <20080827102243.GB29365@torres.zugschlus.de>

On Tue, Aug 26, 2008 at 10:20:25AM -0500, Ge Moua wrote:
> Sounds like a routing issue, is your ippool handing out IP addr to the
> clients.

The IP Pool is sending out addresses to the clients, and the client is visible in the tunnel with the assigned IP address. When I ping an address on the target network, I see the packet coming out of the tunnel.

> I recently set a similar config on a 1811 and this works fine. I
> can send you the working config if you're interested.

That would be great, I'd appreciate that.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From junaid.x86 at gmail.com  Wed Aug 27 06:59:51 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Wed, 27 Aug 2008 16:59:51 +0600
Subject: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1EDC@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED1EDC@xmb-ams-333.emea.cisco.com>
Message-ID: 

This seems to be the exact problem. Although I was unable to find my IOS listed in the affected IOS list - maybe the list was not exhaustive.

Thank you Oliver.

Regards,
Junaid.
On Wed, Aug 27, 2008 at 3:39 PM, Oliver Boehmer (oboehmer) wrote:
> Junaid <> wrote on Wednesday, August 27, 2008 11:12 AM:
>
> [...]
>
> which release are you using on the PE1? You might be hitting CSCsg42488
> (Juniper - Cisco PE incorrect extended community for OSPF).
>
> oli
>

From mh+cisco-nsp at zugschlus.de  Wed Aug 27 07:12:08 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 27 Aug 2008 13:12:08 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <000101c907d8$fe2f68a0$fa8e39e0$@id.au>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au>
Message-ID: <20080827111208.GA2482@torres.zugschlus.de>

On Wed, Aug 27, 2008 at 08:08:08AM +0800, Brett Looney wrote:
> > With this configuration, a client cannot communicate at all
> > outside the tunnel, which is a desired feature in this setup.
> > OTOH, some teleworkers would appreciate to be able to talk to
> > their networked printers on the local LANs.
>
> It's been a while but from memory you need to put the "include-local-lan"
> setting into the client configuration group to do this. HTH.

It now says

crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
 include-local-lan

and when I ping 192.168.8.1, I still see the packet going out encapsulated in ESP instead of unencrypted on the LAN (the client's LAN IP is 192.168.8.184/24).

Additionally, I'd rather have a white list of IP ranges that can still be reached without encryption, to not expose clients in public networks.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From junaid.x86 at gmail.com  Wed Aug 27 08:14:47 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Wed, 27 Aug 2008 18:14:47 +0600
Subject: [c-nsp] OSPF inside VRF - Cisco Juniper Interoperability
In-Reply-To: 
References: 
Message-ID: 

Hi,

Just want to share my findings:

The problem as suspected was a bug on the Cisco side - CSCsg42488, as pointed out by Oliver Boehmer. The workaround employed was to use the knob "route-type-community vendor" for the OSPF instance inside the VRF on the Juniper PE. Thanks once again Oliver for the solution. Now CE1 is also getting Type 3 LSAs from CE2.

Regards,
Junaid

On Wed, Aug 27, 2008 at 3:12 PM, Junaid wrote:
> [...]
>
> Regards,
> Junaid
>

From sforcejr at yahoo.com  Wed Aug 27 08:20:22 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Wed, 27 Aug 2008 05:20:22 -0700 (PDT)
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF05646243E8ED5@exchangenj1>
Message-ID: <124096.96295.qm@web50504.mail.re2.yahoo.com>

Vinny,

#thanks for the reply. So, host 5.6.7.8 wants to access that internal
#host. would the access list to complete it look like this:?

access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081

#Now if I get another request to access a different host (10.10.10.111),
#could I reuse the same ip address (1.2.3.4) and do this:?

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081

ONE MORE QUESTION,.....

Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080. How can I allow other external hosts (different IP address) to access the same internal host (10.10.10.110) on port 8080?

Hopefully you can understand this last question

Thanks

--- On Tue, 8/26/08, Vinny Abello wrote:

> From: Vinny Abello
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
> To: "sforcejr at yahoo.com" , "cisco-nsp at puck.nether.net"
> Date: Tuesday, August 26, 2008, 10:23 PM
> Correct, you are doing NAT as a straight 1 to 1 translation
> for traffic. Using PAT, you can specify either TCP or UDP
> traffic and the outside and inside port numbers. This is
> still accomplished with the static statement. You'll
> still need the access-list entry as well unless you have
> another rule already covering it.
>
> I'm confused though... If you need a different external
> host to access an internal server, why can't you reuse
> the same outside address in the translation? The PIX does
> extended translation automatically. Just add it to the
> access-list, or did I misunderstand?
>
> If you are doing this on a different port and want to map
> various ports on one external IP to different internal hosts
> or ports, you can do this as well with the static statement:
>
> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> netmask 255.255.255.255 0 0
>
> This maps traffic that matches TCP port 8080 hitting the
> outside address of 1.2.3.4 to port 8081 on internal IP
> 10.10.10.110.
>
> I wasn't quite clear with your alphanumeric examples,
> but I hope this helps. I believe you truly just want to keep
> adding more entries to your access-list. Once you have a
> translation, be it NAT or PAT, defined, the access control is
> done through the access-list at that point.
>
> -Vinny
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ramz
> > Sent: Tuesday, August 26, 2008 10:32 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] NAT/ACL options in a PIX
> >
> > --CORRECTION---
> >
> > As a part of my 2nd question I made a mistake on the internal host IP.
> > This is the correction:
> >
> > I need to allow P.P.P.3 to access the same internal host
> > (10.10.10.110). I tried to assign a different Public ip
> > address (Q.Q.Q.11)...........
> >
> > Thanks
> >
> > --- On Tue, 8/26/08, John Ramz wrote:
> >
> > > From: John Ramz
> > > Subject: NAT/ACL options in a PIX
> > > To: cisco-nsp at puck.nether.net
> > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > [...]

From MatlockK at exempla.org  Wed Aug 27 08:21:24 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 27 Aug 2008 06:21:24 -0600
Subject: [c-nsp] Cisco 2960G Issue
References: <48B520CE.7030008@actrix.co.nz>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E734@LMC-MAIL2.exempla.org>

Sorta sounds like a bad chip on the chassis, since it's affecting 4 adjacent ports. 1-4 probably share an ASIC (or part of one), 5-8, 9-12, etc.

I'd call TAC on this one to get a replacement.

Ken

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Mike Cooper
Sent: Wed 8/27/2008 3:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2960G Issue

[...]
From leonardo.souza at nec.com.br  Wed Aug 27 08:43:34 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 27 Aug 2008 09:43:34 -0300
Subject: [c-nsp] RES: Cisco 2960G Issue
In-Reply-To: <48B520CE.7030008@actrix.co.nz>
References: <48B520CE.7030008@actrix.co.nz>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br>

Hi Mike,

I've never run into this issue before. I presume this is not a common problem.

You can start troubleshooting with 'show platform port-asic' and 'show platform tcam'. There are also other 'show platform' and 'show controller' commands that might be useful.

Regards,
Leonardo Gama.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Cooper
Sent: Wednesday, 27 August 2008 06:39
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2960G Issue

[...]

From ahmedazim at gmail.com  Wed Aug 27 09:04:14 2008
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Wed, 27 Aug 2008 16:04:14 +0300
Subject: [c-nsp] Replacing Catalyst 4507 with Catalyst 6509
Message-ID: 

Hello,

I work with Orange, a Network Service Provider. We are in an upgrade project for replacing the old Catalyst 4507 with 6509. My question is about the corresponding IOS for the ones currently existing on the old switches. The IOS images on the old switches are:

cat4000-i5s-mz.122-20.EW
cat4000-i5s-mz.122-25.EWA
cat4000-i5k91s-mz.122-25.EWA

I want to know the corresponding ones for the 6500. I checked the feature set of these images and found them as below:

cat4000-i5s-mz.122-20.EW
--------------------------
Cisco IOS Software for the Cisco Catalyst 4500 Supervisor Engine IV and V
Enhanced Layer 3 and voice software image, including OSPF, IS-IS, and EIGRP

cat4000-i5s-mz.122-25.EWA
--------------------------
Cisco IOS Software for the Cisco Catalyst 4000/4500 supervisor engines IV and V, and Catalyst 4500 Series Supervisor Engine V-10GE
Enhanced Layer 3 and voice
software image, including OSPF, IS-IS, and EIGRP

cat4000-i5k91s-mz.122-25.EWA
-----------------------------
Cisco IOS Software for the Cisco Catalyst 4000/4500 supervisor engines IV and V, and Catalyst 4500 Series Supervisor Engine V-10GE, with 3DES strong encryption
Enhanced Layer 3 and voice software image, including OSPF, IS-IS, and EIGRP

But from this point I wasn't able to search for the same feature set on the 6500 platform. Any help?

Thanks

Ahmed Azim
Orange Business Services

From antonio.acuesta at dhl.com Wed Aug 27 09:20:41 2008
From: antonio.acuesta at dhl.com (Antonio Acuesta (DHL AU))
Date: Wed, 27 Aug 2008 21:20:41 +0800
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br>
References: <48B520CE.7030008@actrix.co.nz> <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br>
Message-ID: <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>

Hi,

Can you please recommend a stable IOS version for Cisco Catalyst 6513? The current version that I have is Version 12.2(18)SXD3. The switch has not been upgraded for a while and it would be good to know the version with fewer bugs.

Thanks.

Tony

From A.L.M.Buxey at lboro.ac.uk Wed Aug 27 09:25:54 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 27 Aug 2008 14:25:54 +0100
Subject: [c-nsp] Replacing Catalyst 4507 with Catalyst 6509
In-Reply-To:
References:
Message-ID: <20080827132554.GA16046@lboro.ac.uk>

Hi,

> but from this point i wasn't able to search for the same feature set on 6500
> platform, any help?

my initial thought would be advanced_ipservices

alan

From p.mayers at imperial.ac.uk Wed Aug 27 10:09:50 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 27 Aug 2008 15:09:50 +0100
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
References: <48B520CE.7030008@actrix.co.nz> <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br> <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
Message-ID: <48B5602E.7010705@imperial.ac.uk>

Antonio Acuesta (DHL AU) wrote:
> Hi,
>
> Can you please recommend a stable IOS version for Cisco Catalyst 6513?
> The current version that I have is Version 12.2(18)SXD3. The switch has
> not been upgraded for a while and it would be good to know the version
> with fewer bugs.

We're running 12.2(18)SXF10 without problems. I believe 12.2(18)SXF11 and SXF12a are "sort of" Safe Harbor qualified.

I cannot recommend 12.2(33)SXH - we've had a lot of problems.

From avayner at cisco.com Wed Aug 27 10:17:53 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 27 Aug 2008 16:17:53 +0200
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
References: <48B520CE.7030008@actrix.co.nz> <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br> <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C26431@xmb-ams-331.emea.cisco.com>

Antonio,

Specifically for Catalyst 6500 and its different service modules, I suggest you take a look at http://www.cisco.com/go/safeharbor

I strongly recommend reading through the documents, and not just the highlights...
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Acuesta (DHL AU)
Sent: Wednesday, August 27, 2008 16:21 PM
To: cisco-nsp
Subject: Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version

From paul.cosgrove at heanet.ie Wed Aug 27 10:29:46 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 27 Aug 2008 15:29:46 +0100
Subject: [c-nsp] Cisco 2960G Issue
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E734@LMC-MAIL2.exempla.org>
References: <48B520CE.7030008@actrix.co.nz> <4288131ED5E3024C9CD4782CECCAD2C70489E734@LMC-MAIL2.exempla.org>
Message-ID: <48B564DA.5000400@heanet.ie>

Hi Mike,

As I understand it, that is the way the ASICs are shared on most of the Catalysts. Lightning striking an ethernet cable can affect connectivity in a similar, though more persistent, way; the switch survived but four adjacent ports were permanently disabled. Have you recently found any unexpected gaping holes in the roof? :)

Paul.

Matlock, Kenneth L wrote:
> Sorta sounds like a bad chip on the chassis, since it's affecting 4 adjacent ports.
>
> 1-4 probably share an Asic (or part of one), 5-8, 9-12, etc.
>
> I'd call TAC on this one to get a replacement.
>
> Ken
>
> ________________________________
>
> From: cisco-nsp-bounces at puck.nether.net on behalf of Mike Cooper
> Sent: Wed 8/27/2008 3:39 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2960G Issue
>

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From david.freedman at uk.clara.net Wed Aug 27 10:42:45 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 27 Aug 2008 15:42:45 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?
Message-ID:

>Remove the service policy from your ATM int's and just leave it on your
>Dialer, then do a "sh users" and you should see an interface listed as the
>MLP Bundle, this is the one you want to be watching, if for example it is
>Vi4 then do a "sh policy-map int vi4"

I was following the advice at http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml which states:

". When you use a combination of Class-based Marking or Class-based Policing and Class-based Queuing, the order of operations is this:

1. The service-policy command configured on the Virtual-Template interface marks or polices the packets.

2. The service-policy command on the ATM PVC queues the packets "

Is this not correct?
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From vinny at tellurian.com Wed Aug 27 10:49:19 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Wed, 27 Aug 2008 10:49:19 -0400
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <124096.96295.qm@web50504.mail.re2.yahoo.com>
References: <15CEC87F00BB7B4CA0E904C5FCF05646243E8ED5@exchangenj1> <124096.96295.qm@web50504.mail.re2.yahoo.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF05646243E8EF5@exchangenj1>

> -----Original Message-----
> From: John Ramz [mailto:sforcejr at yahoo.com]
> Sent: Wednesday, August 27, 2008 8:20 AM
> To: Vinny Abello; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
>
> Vinny,
>
> #thanks for the reply. So, host 5.6.7.8 wants to access that internal
> #host. would the access list to complete it look like this:?
>
> access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081

You would be specifying the destination address as the outside address BEFORE the translation takes place. So in your example if a trusted host of 5.6.7.8 wants to access the server 10.10.10.11 on port 8081, and you have a static entry of:

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.11 8081 netmask 255.255.255.255 0 0

you would need to make the access-list entry reference the outside IP address and port number:

access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8081

This would hit the outside access-list, permit the traffic, then translate it to 10.10.10.11 on port 8080 afterwards.

> #Now if I get another request a to access different host
> (10.10.10.111). #could I reuse the same ip address (1.2.3.4) and do
> this:?

If you're using PAT, yes, as long as the same port on the outside isn't used. In other words, you can't use TCP 8080 on 1.2.3.4 because it's already translated to 10.10.10.11 on port 8081.

> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask
> 255.255.255.255 0 0

This would conflict. If you want to utilize the same port, you'd need a new outside address. Otherwise you could use a new port and put:

static (inside,outside) tcp 1.2.3.4 8081 10.10.10.11 8081 netmask 255.255.255.255 0 0

> access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq
> 8081

This again would be the outside address as the destination:

access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081

>
> ONE MORE QUESTION,.....
> Since I am doing NAT 1 to 1, I already allowed 1 external host to
> access an internal host (10.10.10.110) on port 8080

Correct. All inbound traffic will be translated to the internal address. In turn, you are also mapping all outbound traffic from the internal address to the external address when originating traffic.

> How can I allow another external host (different IP address) to access
> the same internal host (10.10.10.110) on port 8080?

Just add it to the access-list to allow it. With the 1 to 1 NAT, just consider "outside address = inside address". You need to allow traffic to it based on the interface the traffic hits. If the traffic is hitting the outside interface, you must utilize the outside address as the destination. If you in turn have an inside access-list and are limiting traffic leaving that network, you'd be utilizing the internal addresses as the source addresses.

> Hopefully you can understand this last question
>
> Thanks
>
> --- On Tue, 8/26/08, Vinny Abello wrote:
>
> > From: Vinny Abello
> > Subject: RE: [c-nsp] NAT/ACL options in a PIX
> > To: "sforcejr at yahoo.com" , "cisco-nsp at puck.nether.net"
> > Date: Tuesday, August 26, 2008, 10:23 PM
> > Correct, you are doing NAT as a straight 1 to 1 translation
> > for traffic. Using PAT, you can specify either TCP or UDP
> > traffic and the outside and inside port numbers. This is
> > still accomplished with the static statement. You'll
> > still need the access-list entry as well unless you have
> > another rule already covering it.
> >
> > I'm confused though... If you need a different external
> > host to access an internal server, why can't you reuse
> > the same outside address in the translation? The PIX does
> > extended translation automatically. Just add it to the
> > access-list, or did I misunderstand?
> >
> > If you are doing this on a different port and want to map
> > various ports on one external IP to different internal hosts
> > or ports, you can do this as well with the static statement:
> >
> > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> > netmask 255.255.255.255 0 0
> >
> > This maps traffic that matches TCP port 8080 hitting the
> > outside address of 1.2.3.4 to port 8081 on internal IP
> > 10.10.10.110.
> >
> > I wasn't quite clear with your alphanumeric examples,
> > but I hope this helps. I believe you truly just want to keep
> > adding more entries to your access-list. Once you have a
> > translation be it NAT or PAT defined, the access control is
> > done through the access-list at that point.
> >
> > -Vinny
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ramz
> > > Sent: Tuesday, August 26, 2008 10:32 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] NAT/ACL options in a PIX
> > >
> > > --CORRECTION---
> > >
> > > As a part of my 2nd question I made a mistake on the internal host IP.
> > > This is the correction:
> > >
> > > I need to allow P.P.P.3 to access the same internal host
> > > (10.10.10.110). I tried to assign a different Public ip
> > > address (Q.Q.Q.11)...........
> > >
> > > Thanks
> > >
> > > --- On Tue, 8/26/08, John Ramz wrote:
> > >
> > > > From: John Ramz
> > > > Subject: NAT/ACL options in a PIX
> > > > To: cisco-nsp at puck.nether.net
> > > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > > Version 6.3.5
> > > > PIX 515
> > > >
> > > > We have been assigned 25 Public IP addresses by our ISP and
> > > > I want to administer them in the most efficient way.
> > > >
> > > > We get a lot of requests for external access to different
> > > > hosts in our private network. For example:
> > > >
> > > > Public trusted IP address requesting access: P.P.P.2
> > > > Public IP address assigned by ISP: Q.Q.Q.10
> > > > Internal host IP: 10.10.10.111
> > > > port 80 or 8080 (http://10.10.10.111/site:8080
> > > >
> > > > So far every time we get a request we do this:
> > > >
> > > > static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080
> > > >
> > > > QUESTION
> > > > 1- Is it possible to do what I believe is called PAT and
> > > > reuse the same public ip address (Q.Q.Q.10) when I get a
> > > > second request to access a DIFFERENT host (10.10.10.112) and
> > > > redirect them to port 8081 for example? If possible, how?
> > > >
> > > > Today I got a request to allow access to an internal
> > > > host (10.10.10.110) that I have already mapped with this
> > > > public IP: Q.Q.Q.9 . The source ip address is: P.P.P.3 .
> > > > These are the statements already in the PIX:
> > > >
> > > > static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080
> > > >
> > > > I need to allow P.P.P.3 to access the same internal host
> > > > (Q.Q.Q.9). I tried to assign a different Public ip
> > > > address (Q.Q.Q.11) but I got this message:
> > > >
> > > > ERROR: duplicate of existing static
> > > >
> > > > QUESTION
> > > > 2- Is there any way to allow 2 IP addresses to access the
> > > > same host on the same port - it could be different?
> > > >
> > > > I appreciate any help since I am a beginner on this subject
> > > >
> > > > Thanks
> > > >
> > > > John

From adam.korab at gmail.com Wed Aug 27 10:57:54 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Wed, 27 Aug 2008 09:57:54 -0500
Subject: [c-nsp] 6506 unusual behavior
Message-ID:

Hi,

I could use some advice here. 6506 with single WS-X6K-SUP2-2GE. Just changed IOS from 122(18)SXF14. to 12.2(18)SXF14 to get around a nasty bug that presented as hanging things like "sh run" and "dir disk0"...as well as passing traffic out the wrong interface.

Now there's what appears to be an ssh debug message upon every CLI logout:

edge1#exit
channel_by_id: 0: bad id: channel free
client_input_channel_req: channel 0: unknown channel
Connection to edge1.xxx.xxx closed.

And secondly, on the same box, can somebody point me in the right direction regarding this?

5d04h: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception for IPv4 unicast, Some routes will be software switched. Use "mls cef maximum-routes" to modify FIB TCAM partition.

Thanks!

--Adam

From sforcejr at yahoo.com Wed Aug 27 11:04:23 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Wed, 27 Aug 2008 08:04:23 -0700 (PDT)
Subject: [c-nsp] NAT/ACL options in a PIX
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF05646243E8EF5@exchangenj1>
Message-ID: <768771.21807.qm@web50503.mail.re2.yahoo.com>

Vinny,

Thank you very much. It makes sense to me.
I appreciate you sharing your time and knowledge

John

--- On Wed, 8/27/08, Vinny Abello wrote:

> From: Vinny Abello
> Subject: RE: [c-nsp] NAT/ACL options in a PIX
> To: "sforcejr at yahoo.com" , "cisco-nsp at puck.nether.net"
> Date: Wednesday, August 27, 2008, 9:49 AM

From sforcejr at yahoo.com Wed Aug 27 11:32:47 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Wed, 27 Aug 2008 08:32:47 -0700 (PDT)
Subject: [c-nsp] NAT/ACL options in a PIX
Message-ID: <922906.31523.qm@web50506.mail.re2.yahoo.com>

Thanks Vinny, Ziv and Jules for your replies and help.

John

From avayner at cisco.com Wed Aug 27 12:15:30 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 27 Aug 2008 18:15:30 +0200
Subject: [c-nsp] 6506 unusual behavior
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com>

Adam,

I think you have a bit too many routes on this box...

Take a look at http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1014315

The thing is that mls cef maximum-routes is not supported on Sup2...
Can you please share the outputs of: - show ip route summary - show mls cef summary - show mls cef maximum-routes Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Korab Sent: Wednesday, August 27, 2008 17:58 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 6506 unusual behavior Hi, I could use some advice here. 6506 with single WS-X6K-SUP2-2GE. Just changed IOS from 122(18)SXF14. to 12.2(18)SXF14 to get around a nasty bug that presented as hanging things like "sh run" and "dir disk0"...as well as passing traffic out the wrong interface. Now there's what appears to be an ssh debug message upon every CLI logout: edge1#exit channel_by_id: 0: bad id: channel free client_input_channel_req: channel 0: unknown channel Connection to edge1.xxx.xxx closed. And secondly, on the same box, can somebody point me in the right direction regarding this? 5d04h: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception for IPv4 unicast, Some routes will be software switched. Use "mls cef maximum-routes" to modify FIB TCAM partition. Thanks! --Adam _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From luan at t3technology.com Wed Aug 27 12:18:40 2008 From: luan at t3technology.com (Luan M Nguyen) Date: Wed, 27 Aug 2008 12:18:40 -0400 Subject: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels In-Reply-To: References: <001001c906c5$f2e026b0$d8a07410$@com> <480dad640808260826j6d0f721aqddc9dc04f9d80267@mail.gmail.com> Message-ID: <000f01c90860$91483180$b3d89480$@com> You need to use the Zone Base Firewall to be able to catch outbound packets generated by the router itself. Wonder if anyone use control plane policy outbound to monitor what the router is sending... It turns out that the hub router has a bad onboard encryption card. 
Using software encryption, everything is fine. Thanks for the suggestion Aaron. -Luan -----Original Message----- From: Nic Tjirkalli [mailto:nic.tjirkalli at za.verizonbusiness.com] Sent: Wednesday, August 27, 2008 12:53 AM To: Aaron Cc: Luan M Nguyen; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels Howdy ho, > How about putting on the outbound to make sure that you are sending it the > the hub? good idea - add this to the hub router :- adsl-nhrp-hub#show access-lists check_packets_in Extended IP access list check_packets_in 10 permit ahp any any 20 permit esp any any 30 permit udp any eq isakmp any eq isakmp 40 permit ip any any interface Virtual-PPP1 ip access-group check_packets_in out just to make sure all was reset and applied, I reloaded the hub router and both spoke routers and looking at the ACL after a few minutes of all the routers coming up :- adsl-nhrp-hub#show access-lists check_packets_in Extended IP access list check_packets_in 10 permit ahp any any 20 permit esp any any 30 permit udp any eq isakmp any eq isakmp 40 permit ip any any no matches ..... 
I doubt this can be accurate - at least there should be IP matches as NHRP is up :-

10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 41.195.37.191

from routing table on hub, traffic to NHRP neighbours should be going out of Virtual-PPP1

adsl-nhrp-hub#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     196.30.121.0/32 is subnetted, 1 subnets
S       196.30.121.42 is directly connected, Dialer1
     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback0
     196.47.0.0/32 is subnetted, 1 subnets
C       196.47.0.204 is directly connected, Virtual-PPP1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
     41.0.0.0/32 is subnetted, 2 subnets
C       41.195.37.199 is directly connected, Dialer1
C       41.195.37.129 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Virtual-PPP1

thanx

>
>
> On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <
> nic.tjirkalli at za.verizonbusiness.com> wrote:
>
>> Howdy ho,
>>
>>
>> Maybe try to put in an ACL or could use netflow for this as well...
>>> ip access-list extend check_packets_in
>>> permit esp any any
>>> permit udp any eq isakmp any eq isakmp
>>> permit ip any any
>>> interface dialer 1
>>> ip access-group check_packets_in in
>>>
>>> To see if ESP coming in to your spoke router.
>>>
>> good suggestion but now I am even more confused
>>
>> created acl as follows and applied to dialer 1 in :-
>> interface Dialer1
>> ip access-group check_packets_in in
>>
>> but there are no matches at all - not even IP
>> nhrp-spoke-2#show access-lists check_packets_in
>> Extended IP access list check_packets_in
>> 10 permit ahp any any
>> 20 permit esp any any
>> 30 permit udp any eq isakmp any eq isakmp
>> 40 permit ip any any
>>
>>
>> `:wq``
>>
>>
>>
>>
>>> -Luan
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>>> Sent: Monday, August 25, 2008 3:40 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
>>> tunnels
>>>
>>> howdy ho all,
>>>
>>> thanx to those who sent through suggestions to how to get the IPSEC to
>>> work
>>> - the ideas were :- try mode transport
>>> :- dont use wildcard for the secret
>>>
>>> so i changed the hub and spoke as follows :-
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> mode transport
>>>
>>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>>
>>>
>>> also same symptoms
>>> - crypto comes up
>>> - hub reports IPSEC encaps and decaps
>>> - spoke sites report 0 decaps for IPSEC and no errors
>>>
>>>
>>> any other ideas?
>>>
>>> thanx
>>>
>>>
>>>>
>>>> howdy ho all,
>>>>
>>>> Was hoping I could use this forum to get some direction on resolving a
>>>> strange issue I have with a DMVPN setup.
>>>>
>>>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
>>>> enable IPSEC the tunnels stop passing traffic.
>>>>
>>>>
>>>> The setup :-
>>>> ============
>>>>
>>>> All routers are CISCO 1841 platforms.
the IOS image is :- >>>> C1841-ADVIPSERVICESK9-M >>>> c1841-advipservicesk9-mz.124-21.bin >>>> >>>> >>>> HUB Router >>>> ---------- >>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then >>>> >>> fires >>> >>>> up an L2TP tunnel to obtain a static IP address. >>>> >>>> The IP address allocated to the L2TP interface is 196.47.0.204 >>>> >>> (Virtual-PPP1) >>> >>>> This IP address is the NHS. All connections to/from the hub >>>> use the address of 196.47.0.204. >>>> >>>> Tunnel interface on the hub router is 10.0.0.1 >>>> >>>> >>>> Spoke Router >>>> ------------ >>>> the Spoke router (there are 2 I am just showing one) connects via ADSL >>>> (a PPPOE session over ethernet) and obtains a dynamic IP address. the >>>> >>> spoke >>> >>>> routers use Dialer1 as their interface into the NHRP cloud. >>>> >>>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel >>>> interface >>>> ie do not add the command tunnel protection ipsec profile DMVPN >>>> on Tunnel0 >>>> >>>> Tunnel interface on the hub router is 10.0.0.3 >>>> all works perfectly. >>>> >>>> >>>> The Problem >>>> =========== >>>> >>>> When I enable IPSEC encryption on the tunnel interfaces on all routers >>>> then things break. I have tried with both 3DES and AES and same issue. >>>> >>>> All the crypto sessions seem correct - correct SAs come up. The >>>> >>> dynamically >>> >>>> created crypto-maps seem correct. >>>> >>>> BUT. on the spoke routers, IPSEC reports that no packets are being >>>> de-encapsulated but no errors are reported. 
>>>>
>>>> nhrp-spoke-2#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>>    local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>    current_peer 196.47.0.204 port 500
>>>>      PERMIT, flags={origin_is_acl,}
>>>>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>     #send errors 3, #recv errors 0
>>>>
>>>>
>>>> But on the HUB. all is well
>>>>    protected vrf: (none)
>>>>    local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>    current_peer 41.195.37.191 port 500
>>>>      PERMIT, flags={origin_is_acl,}
>>>>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>     #send errors 1, #recv errors 0
>>>>
>>>>
>>>> Any ideas/thoughts would be greatly appreciated.
>>>>
>>>> The configurations and some useful output are below
>>>>
>>>>
>>>>
>>>> HUB Configuration
>>>> =================
>>>>
>>>> hostname adsl-nhrp-hub
>>>> !
>>>> boot-start-marker
>>>> boot-end-marker
>>>> !
>>>> logging buffered 4096 debugging
>>>> !
>>>> no aaa new-model
>>>> ip cef
>>>> !
>>>> !
>>>> !
>>>> !
>>>> no ip domain lookup
>>>> ip auth-proxy max-nodata-conns 3
>>>> ip admission max-nodata-conns 3
>>>> vpdn enable
>>>> !
>>>> l2tp-class l2tpclass1
>>>>  authentication
>>>>  password 7 03070E0C2E572B6A1719
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> pseudowire-class pwclass1 >>>> encapsulation l2tpv2 >>>> protocol l2tpv2 l2tpclass1 >>>> ip local interface Dialer1 >>>> ! >>>> ! >>>> ! >>>> crypto isakmp policy 10 >>>> encr aes >>>> hash md5 >>>> authentication pre-share >>>> group 2 >>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0 >>>> ! >>>> ! >>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac >>>> ! >>>> crypto ipsec profile DMVPN >>>> set transform-set 3DES_MD5 >>>> ! >>>> ! >>>> ! >>>> ! >>>> interface Loopback0 >>>> ip address 172.16.1.1 255.255.255.255 >>>> ! >>>> interface Tunnel0 >>>> ip address 10.0.0.1 255.255.255.0 >>>> no ip redirects >>>> ip mtu 1400 >>>> no ip next-hop-self eigrp 1 >>>> ip nhrp authentication xxxxxxxxxx >>>> ip nhrp map multicast dynamic >>>> ip nhrp network-id 1 >>>> ip nhrp holdtime 60 >>>> ip nhrp registration timeout 30 >>>> ip tcp adjust-mss 1360 >>>> no ip split-horizon eigrp 1 >>>> tunnel source Virtual-PPP1 >>>> tunnel mode gre multipoint >>>> tunnel key 1 >>>> tunnel protection ipsec profile DMVPN >>>> ! >>>> interface Null0 >>>> no ip unreachables >>>> ! >>>> interface FastEthernet0/0 >>>> no ip address >>>> speed 100 >>>> full-duplex >>>> pppoe enable group global >>>> pppoe-client dial-pool-number 1 >>>> ! >>>> interface FastEthernet0/1 >>>> no ip address >>>> duplex auto >>>> speed auto >>>> ! >>>> interface Virtual-PPP1 >>>> ip address negotiated >>>> ip mtu 1452 >>>> ip virtual-reassembly >>>> no logging event link-status >>>> no peer neighbor-route >>>> no cdp enable >>>> ppp chap hostname XXXXX >>>> ppp chap password 7 XXXXXX >>>> ppp pap sent-username XXXX password 7 XXXXX >>>> pseudowire 196.30.121.42 10 pw-class pwclass1 >>>> ! >>>> interface Dialer1 >>>> mtu 1492 >>>> ip address negotiated >>>> ip virtual-reassembly >>>> encapsulation ppp >>>> ip tcp adjust-mss 1452 >>>> dialer pool 1 >>>> dialer-group 1 >>>> ppp chap hostname XXX >>>> ppp chap password 7 XXXX >>>> ppp pap sent-username XXXX password 7 XXXX >>>> ! 
>>>> router eigrp 1 >>>> redistribute connected route-map to-eigrp >>>> redistribute static >>>> passive-interface Dialer1 >>>> network 10.0.0.0 0.0.0.255 >>>> no auto-summary >>>> ! >>>> no ip forward-protocol nd >>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 >>>> ip route 196.30.121.42 255.255.255.255 Dialer1 >>>> ! >>>> ! >>>> ip http server >>>> no ip http secure-server >>>> ! >>>> ! >>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32 >>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32 >>>> access-list 1 permit any >>>> access-list 2 deny any >>>> access-list 3 permit 10.0.0.2 >>>> access-list 3 permit 10.222.0.1 >>>> access-list 3 permit 10.222.0.2 >>>> access-list 3 permit 10.244.0.2 >>>> no cdp run >>>> ! >>>> route-map to-eigrp deny 10 >>>> match ip address prefix-list local >>>> ! >>>> route-map to-eigrp permit 1000 >>>> >>>> >>>> adsl-nhrp-hub#show ip nhrp >>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57 >>>> Type: dynamic, Flags: authoritative unique registered used >>>> NBMA address: 41.195.37.174 >>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33 >>>> Type: dynamic, Flags: authoritative unique registered used >>>> NBMA address: 41.195.37.191 >>>> >>>> adsl-nhrp-hub#show crypto ipsec sa >>>> >>>> interface: Tunnel0 >>>> Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204 >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0 >>>> ) >>>> current_peer 41.195.37.174 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764 >>>> #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. 
failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 0, #recv errors 0 >>>> >>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: >>>> 41.195.37.174 >>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1 >>>> current outbound spi: 0xD9D819B1(3654818225) >>>> >>>> inbound esp sas: >>>> spi: 0x8AD878CD(2329442509) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4437499/1923) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0xD9D819B1(3654818225) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4437454/1923) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> current_peer 41.195.37.191 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153 >>>> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. 
failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 1, #recv errors 0 >>>> >>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: >>>> 41.195.37.191 >>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1 >>>> current outbound spi: 0x6E27D1C2(1848103362) >>>> >>>> inbound esp sas: >>>> spi: 0xEE9B0E5D(4003139165) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4478781/3289) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0x6E27D1C2(1848103362) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4478771/3289) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> adsl-nhrp-hub#show crypto map >>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp >>>> Profile name: DMVPN >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. >>>> Peer = 41.195.37.174 >>>> Extended IP access list >>>> access-list permit gre host 196.47.0.204 host 41.195.37.174 >>>> Current peer: 41.195.37.174 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. 
>>>> Peer = 41.195.37.191 >>>> Extended IP access list >>>> access-list permit gre host 196.47.0.204 host 41.195.37.191 >>>> Current peer: 41.195.37.191 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> Interfaces using crypto map Tunnel0-head-0: >>>> Tunnel0 >>>> >>>> adsl-nhrp-hub#show crypto engine connections active >>>> >>>> ID Interface IP-Address State Algorithm >>>> >>> Encrypt >>> >>>> Dt >>>> 16 Virtual-PPP1 196.47.0.204 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 18 Tunnel0 10.0.0.1 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 3003 Tunnel0 196.47.0.204 set AES+MD5 >>>> >>> 169 >>> >>>> 0 >>>> 3004 Tunnel0 196.47.0.204 set AES+MD5 >>>> >>> 0 >>> >>>> 8 >>>> 3005 Virtual-PPP1 196.47.0.204 set AES+MD5 >>>> >>> 818 >>> >>>> 0 >>>> 3006 Virtual-PPP1 196.47.0.204 set AES+MD5 >>>> >>> 0 >>> >>>> 1 >>>> >>>> >>>> Spoke Configuration >>>> =================== >>>> >>>> ip cef >>>> ! >>>> no ip domain lookup >>>> ip auth-proxy max-nodata-conns 3 >>>> ip admission max-nodata-conns 3 >>>> vpdn enable >>>> ! >>>> l2tp-class l2tpclass1 >>>> authentication >>>> password 7 xxxx >>>> ! >>>> ! >>>> pseudowire-class pwclass1 >>>> encapsulation l2tpv2 >>>> protocol l2tpv2 l2tpclass1 >>>> ip local interface Dialer1 >>>> ! >>>> ! >>>> crypto isakmp policy 10 >>>> encr aes >>>> hash md5 >>>> authentication pre-share >>>> group 2 >>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0 >>>> ! >>>> ! >>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac >>>> ! >>>> crypto ipsec profile DMVPN >>>> set transform-set 3DES_MD5 >>>> ! >>>> ! >>>> ! >>>> ! >>>> interface Loopback0 >>>> ip address 172.16.1.3 255.255.255.255 >>>> ! 
>>>> interface Tunnel0 >>>> ip address 10.0.0.3 255.255.255.0 >>>> no ip redirects >>>> ip mtu 1400 >>>> ip nhrp authentication xxxxxxxxxx >>>> ip nhrp map 10.0.0.1 196.47.0.204 >>>> ip nhrp map multicast 196.47.0.204 >>>> ip nhrp network-id 1 >>>> ip nhrp holdtime 60 >>>> ip nhrp nhs 10.0.0.1 >>>> ip nhrp registration timeout 30 >>>> ip tcp adjust-mss 1360 >>>> tunnel source Dialer1 >>>> tunnel mode gre multipoint >>>> tunnel key 1 >>>> tunnel protection ipsec profile DMVPN >>>> ! >>>> interface FastEthernet0/0 >>>> ip address dhcp >>>> speed 100 >>>> full-duplex >>>> pppoe enable group global >>>> pppoe-client dial-pool-number 1 >>>> ! >>>> interface FastEthernet0/1 >>>> ip address 10.222.0.1 255.255.255.0 >>>> speed 100 >>>> full-duplex >>>> ! >>>> ! >>>> interface Dialer1 >>>> mtu 1492 >>>> ip address negotiated >>>> ip virtual-reassembly >>>> encapsulation ppp >>>> ip tcp adjust-mss 1452 >>>> dialer pool 1 >>>> ppp chap hostname XXXX >>>> ppp chap password 0 XXXX >>>> ppp pap sent-username XXXX password 0 XXXXX >>>> ! >>>> router eigrp 1 >>>> redistribute connected route-map to-eigrp >>>> redistribute static >>>> passive-interface FastEthernet0/1 >>>> passive-interface Dialer1 >>>> network 10.0.0.0 0.0.0.255 >>>> no auto-summary >>>> eigrp stub connected >>>> ! >>>> ip forward-protocol nd >>>> ip route 0.0.0.0 0.0.0.0 Dialer1 >>>> ! >>>> ! >>>> ip http server >>>> no ip http secure-server >>>> ! >>>> ! >>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32 >>>> access-list 1 permit any >>>> access-list 2 deny any >>>> access-list 3 permit 10.222.0.1 >>>> access-list 3 permit 10.222.0.2 >>>> access-list 3 permit 10.244.0.2 >>>> access-list 3 permit 10.244.0.1 >>>> ! >>>> route-map clear-df permit 10 >>>> set ip df 0 >>>> ! >>>> route-map to-eigrp deny 10 >>>> match ip address prefix-list local >>>> ! 
>>>> route-map to-eigrp permit 1000 >>>> >>>> >>>> Some Debugs >>>> =========== >>>> >>>> nhrp-spoke-2#show ip nhrp >>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire >>>> Type: static, Flags: authoritative used >>>> NBMA address: 196.47.0.204 >>>> >>>> >>>> nhrp-spoke-2#show crypto ipsec sa >>>> >>>> interface: Tunnel0 >>>> Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191 >>>> >>>> protected vrf: (none) >>>> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0 >>>> ) >>>> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0) >>>> current_peer 196.47.0.204 port 500 >>>> PERMIT, flags={origin_is_acl,} >>>> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410 >>>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 >>>> #pkts compressed: 0, #pkts decompressed: 0 >>>> #pkts not compressed: 0, #pkts compr. failed: 0 >>>> #pkts not decompressed: 0, #pkts decompress failed: 0 >>>> #send errors 3, #recv errors 0 >>>> >>>> local crypto endpt.: 41.195.37.191, remote crypto endpt.: >>>> 196.47.0.204 >>>> path mtu 1492, ip mtu 1492, ip mtu idb Dialer1 >>>> current outbound spi: 0xEE9B0E5D(4003139165) >>>> >>>> inbound esp sas: >>>> spi: 0x6E27D1C2(1848103362) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4530791/3584) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> inbound ah sas: >>>> >>>> inbound pcp sas: >>>> >>>> outbound esp sas: >>>> spi: 0xEE9B0E5D(4003139165) >>>> transform: esp-aes esp-md5-hmac , >>>> in use settings ={Tunnel, } >>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0 >>>> sa timing: remaining key lifetime (k/sec): (4530789/3584) >>>> IV size: 16 bytes >>>> replay detection support: Y >>>> Status: ACTIVE >>>> >>>> outbound ah sas: >>>> >>>> outbound pcp sas: >>>> >>>> nhrp-spoke-2#show crypto engine 
connections active >>>> >>>> ID Interface IP-Address State Algorithm >>>> >>> Encrypt >>> >>>> Decrypt >>>> 13 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 14 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC >>>> >>> 0 >>> >>>> 0 >>>> 3003 Dialer1 41.195.37.191 set AES+MD5 >>>> >>> 15 >>> >>>> 0 >>>> 3004 Dialer1 41.195.37.191 set AES+MD5 >>>> >>> 0 >>> >>>> 0 >>>> >>>> nhrp-spoke-2#show crypto map >>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp >>>> Profile name: DMVPN >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> >>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp >>>> Map is a PROFILE INSTANCE. >>>> Peer = 196.47.0.204 >>>> Extended IP access list >>>> access-list permit gre host 41.195.37.191 host 196.47.0.204 >>>> Current peer: 196.47.0.204 >>>> Security association lifetime: 4608000 kilobytes/3600 seconds >>>> PFS (Y/N): N >>>> Transform sets={ >>>> 3DES_MD5, >>>> } >>>> Interfaces using crypto map Tunnel0-head-0: >>>> Tunnel0 >>>> >>>> >>>> --------------------------------------------------------------------- >>>> A feature is a bug with seniority. >>>> >>>> Nic Tjirkalli >>>> Verizon Business South Africa >>>> Network Strategy Team >>>> >>>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This >>>> e-mail >>>> is strictly confidential and intended only for use by the addressee >>>> unless >>>> otherwise indicated. >>>> >>>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >>>> >>>> This e-mail is strictly confidential and intended only for use by the >>>> addressee unless otherwise indicated. >>>> >>>> >>>> >>> >>> --------------------------------------------------------------------- >>> Some days you're the pigeon, and some days you're the statue. >>> >>> Nic Tjirkalli >>> Verizon Business South Africa >>> Network Strategy Team >>> >>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. 
This e-mail >>> is strictly confidential and intended only for use by the addressee unless >>> otherwise indicated. >>> >>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >>> >>> This e-mail is strictly confidential and intended only for use by the >>> addressee unless otherwise indicated. >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> >> --------------------------------------------------------------------- >> A feature is a bug with seniority. >> >> Nic Tjirkalli >> Verizon Business South Africa >> Network Strategy Team >> >> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail >> is strictly confidential and intended only for use by the addressee unless >> otherwise indicated. >> >> Company Information:http:// www.verizonbusiness.com/za/contact/legal/ >> >> This e-mail is strictly confidential and intended only for use by the >> addressee unless otherwise indicated. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > --------------------------------------------------------------------- Beauty is in the eye of the beer holder. Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information:http:// www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. 
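As an added example for the DMVPN thread above (not code from any of the posts or from Cisco), here is a small Python parser for the per-peer counter blocks of IOS `show crypto ipsec sa` that flags peers whose SA encapsulates packets but never decapsulates any, which is exactly the asymmetry the spoke routers showed. The sample output is constructed from the spoke's counters quoted in the thread; the second block, peer 198.51.100.7, is a made-up healthy peer added for contrast.

```python
"""Flag one-way IPsec SAs in Cisco IOS 'show crypto ipsec sa' output.

Added example for the DMVPN thread; it is not code from the posts or
from Cisco.  It parses each 'current_peer' counter block and reports
peers that encrypt traffic but have decrypted nothing.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the spoke's counters in the thread.  The
# second block (peer 198.51.100.7) is a made-up healthy peer for contrast.
SAMPLE_SPOKE_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/47/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #send errors 1, #recv errors 0
"""

_PEER_RE = re.compile(r"current_peer\s+(\S+)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
_ERRORS_RE = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


@dataclass
class SaCounters:
    peer: str
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0

    def verdict(self) -> str:
        """'idle' if nothing moved, 'one-way' if we encrypt but never
        decrypt, otherwise 'ok'."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.decaps == 0:
            return "one-way"
        return "ok"


def parse_ipsec_sa(text: str) -> list:
    """Return one SaCounters per 'current_peer' block in the output."""
    sas = []
    current = None
    for line in text.splitlines():
        m = _PEER_RE.search(line)
        if m:
            current = SaCounters(peer=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first peer block
        m = _ENCAPS_RE.search(line)
        if m:
            current.encaps = int(m.group(1))
            continue
        m = _DECAPS_RE.search(line)
        if m:
            current.decaps = int(m.group(1))
            continue
        m = _ERRORS_RE.search(line)
        if m:
            current.send_errors = int(m.group(1))
            current.recv_errors = int(m.group(2))
    return sas


def one_way_peers(text: str) -> list:
    """Peers whose SA sends encrypted traffic but has decrypted nothing."""
    return [sa.peer for sa in parse_ipsec_sa(text) if sa.verdict() == "one-way"]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SPOKE_OUTPUT):
        print(f"{sa.peer:16} encaps={sa.encaps:6} decaps={sa.decaps:6} "
              f"send_err={sa.send_errors} -> {sa.verdict()}")
```

Run the same check on both ends: a "one-way" verdict on the spoke together with non-zero decaps on the hub says the hub is receiving and decrypting the spoke's traffic while the spoke never successfully decrypts the hub's, so the fault lies in the hub-to-spoke direction (hub encryption, transit, or spoke decryption), which is consistent with the bad hub encryption card found in the thread. Distinguishing "idle" from "one-way" matters, since an SA with zero counters in both directions points at routing or policy rather than crypto.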
From tsutherland at i3businesssolutions.com Wed Aug 27 12:25:52 2008 From: tsutherland at i3businesssolutions.com (Tom Sutherland) Date: Wed, 27 Aug 2008 12:25:52 -0400 Subject: [c-nsp] NAT/ACL options in a PIX In-Reply-To: <124096.96295.qm@web50504.mail.re2.yahoo.com> References: <124096.96295.qm@web50504.mail.re2.yahoo.com> Message-ID: <1219854352.9112.26.camel@angry-butler444> You might also consider a single static NAT (vs. PAT) command, then control access with ACL's applied to the outside interface. This will map all ports on the public side to all ports on the inside. This way you won't have to do a lot of fudging around with "static" commands , just ACL's. Something like this: access-list outside_in permit TCP host host eq 8081 access-list outside_in permit TCP host host eq 8082 access-list outside_in permit TCP host host eq 8083 static (inside,outside) > Vinny, > > > #thanks for the reply. So, host 5.6.7.8 wants to access that internal #host. would the access list to complete it look like this:? > > access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081 > > > #Now if I get another request a to access different host (10.10.10.111). #could I reuse the same ip address (1.2.3.4) and do this:? > > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0 > access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081 > > > ONE MORE QUESTION,..... > Since I am doing NAT 1 to 1 , I already allowed 1 external host to access an internal host(10.10.10.110) on port 8080 > > How can I allow another external hosts(different IP address) to access the same internal host (10.10.10.110) on port 8080? 
>
> Hopefully you can understand this last question
>
> Thanks
>
>
>
>
> --- On Tue, 8/26/08, Vinny Abello wrote:
>
> > From: Vinny Abello
> > Subject: RE: [c-nsp] NAT/ACL options in a PIX
> > To: "sforcejr at yahoo.com" , "cisco-nsp at puck.nether.net"
> > Date: Tuesday, August 26, 2008, 10:23 PM
> > Correct, you are doing NAT as a straight 1 to 1 translation
> > for traffic. Using PAT, you can specify either TCP or UDP
> > traffic and the outside and inside port numbers. This is
> > still accomplished with the static statement. You'll
> > still need the access-list entry as well unless you have
> > another rule already covering it.
> >
> > I'm confused though... If you need a different external
> > host to access an internal server, why can't use reuse
> > the same outside address in the translation? The PIX does
> > extended translation automatically. Just add it to the
> > access-list, or did I misunderstand?
> >
> > If you are doing this on a different port and want to map
> > various ports on one external IP to different internal hosts
> > or ports, you can do this as well with the static statement:
> >
> > static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> > netmask 255.255.255.255 0 0
> >
> > This maps traffic that matches TCP port 8080 hitting the
> > outside address of 1.2.3.4 to port 8081 on internal IP
> > 10.10.10.110.
> >
> > I wasn't quite clear with your alphanumeric examples,
> > but I hope this helps. I believe you truly just want to keep
> > adding more entries to your access-list. Once you have a
> > translation be it NAT or PAT defined, the access control is
> > done through the access-list at that point.
> >
> > -Vinny
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ramz
> > > Sent: Tuesday, August 26, 2008 10:32 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] NAT/ACL options in a PIX
> > >
> > > --CORRECTION---
> > >
> > > As a part of my 2nd question I made a mistake on the internal host IP.
> > > This is the correction:
> > >
> > > I need to allow P.P.P.3 to access the same internal host
> > > (10.10.10.110). I tried to assign a different Public ip
> > > address(Q.Q.Q.11)...........
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > --- On Tue, 8/26/08, John Ramz wrote:
> > >
> > > > From: John Ramz
> > > > Subject: NAT/ACL options in a PIX
> > > > To: cisco-nsp at puck.nether.net
> > > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > > Version 6.3.5
> > > > PIX 515
> > > >
> > > > We have been assigned 25 Public IP addresses by our ISP and
> > > > I want to administer them in the most efficient way.
> > > >
> > > > We get a lot of requests for external access to different
> > > > hosts in our private network. For example:
> > > >
> > > > Public trusted IP address requesting access: P.P.P.2
> > > > Public IP address assigned by ISP: Q.Q.Q.10
> > > > Internal host IP: 10.10.10.111
> > > > port 80 or 8080 (http://10.10.10.111/site:8080
> > > >
> > > > So far every time we get a request we do this:
> > > >
> > > > static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10
> > > > eq 8080
> > > >
> > > > QUESTION
> > > > 1- Is it possible to do what I believe is called PAT and
> > > > reuse the same public ip address(Q.Q.Q.10) when I get a
> > > > second request to access a DIFFERENT host(10.10.10.112) and
> > > > redirect them to port 8081 for example? If possible, how?
> > > >
> > > >
> > > >
> > > > Today I got a request to allow access to an internal
> > > > host(10.10.10.110) that I have already mapped with this
> > > > public IP: Q.Q.Q.9 . The source ip address is: P.P.P.3 .
> > > > These are the statements already in the PIX:
> > > >
> > > > static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask
> > > > 255.255.255.255 0 0
> > > > access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9
> > > > eq 8080
> > > >
> > > > I need to allow P.P.P.3 to access the same internal host
> > > > (Q.Q.Q.9). I tried to assign a different Public ip
> > > > address(Q.Q.Q.11) but I got this message:
> > > >
> > > > ERROR: duplicate of existing static
> > > >
> > > > QUESTION
> > > > 2- Is there any way to allow 2 IP addresses to access the
> > > > same host on the same port-it could be different-?
> > > >
> > > > I appreciate any help since I am a beginner on this subject
> > > >
> > > >
> > > > Thanks
> > > >
> > > > John
> > > >
> > > >
> > > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From adam.korab at gmail.com Wed Aug 27 12:56:14 2008
From: adam.korab at gmail.com (Adam Korab)
Date: Wed, 27 Aug 2008 11:56:14 -0500
Subject: [c-nsp] 6506 unusual behavior
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com>
References: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com>
Message-ID:

On Wed, Aug 27, 2008 at 11:15 AM, Arie Vayner (avayner) wrote:
> Adam,

Hi Arie,

> I think you have a bit too many routes on this box...

Probably...sup2 is kind of old.
> Can you please share the outputs of:
>
> - show ip route summary

edge1#sh ip ro sum
IP routing table name is Default-IP-Routing-Table(0)
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           5           400         800
static          0           2           224         320
ospf            0           123         8064        19680
  Intra-area: 5 Inter-area: 0 External-1: 0 External-2: 118
  NSSA External-1: 0 NSSA External-2: 0
bgp             130413      130722      16712640    41818320
  External: 5090 Internal: 256045 Local: 0
internal        2642                                3117560
Total           133055      130852      16721328    44956680
Removing Queue Size 0

> - show mls cef summary

edge1#sh mls cef sum

Total CEF switched packets:       0000000825744817
Total CEF switched bytes:         0000440372791097
Total routes:                     261292
    IP unicast routes:            261292
    IPX routes:                   0
    IP multicast routes:          0

> - show mls cef maximum-routes

edge1#sh mls cef maximum-routes
                        ^
% Invalid input detected at '^' marker.

So if that is indeed the case and this box has 261k routes while supporting 192k...what can be done to mitigate it? I don't believe the end customer has the budget to upgrade to sup720-3bxl.

It's a pair of 6506s, each with an upstream provider; each box is taking full views and they iBGP peer with each other.

Thanks!

--Adam

From avayner at cisco.com Wed Aug 27 13:06:20 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 27 Aug 2008 19:06:20 +0200
Subject: [c-nsp] 6506 unusual behavior
In-Reply-To:
References: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C26484@xmb-ams-331.emea.cisco.com>

Adam,

One thing to consider is to reduce the BGP view. Do they really need the full view, or can actually take a partial view from each provider (for example each providers originated networks, and maybe their direct customers), and then use a default route for the rest of the Internet (the best alternative is to actually ask the providers to advertise a default route). In most stub (as in non transit) ASs this should be a valid solution.
Another alternative could be to introduce another set of border routers,
such as 7201 routers. 7201 is a 7200/NPE-G2 in 1RU form factor with
4x1GE ports.
It can easily take a full BGP view, but traffic sizing should be
performed so that we can actually handle the load.

Actually, I am not sure if the upgrade to Sup720-3BXL would be much more
expensive than the 7201, but I suggest you explore these options with
your customer.

Arie

From avayner at cisco.com Wed Aug 27 13:15:09 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 27 Aug 2008 19:15:09 +0200
Subject: [c-nsp] IP SLA and dyn routes
In-Reply-To: <20080826031130.GK106@rtp-cse-489.cisco.com>
References: <3cf174360808251313g2f42fc8fx48f869d10b1035db@mail.gmail.com> <000001c906f4$a857e810$f907b830$@org.uk> <20080826031130.GK106@rtp-cse-489.cisco.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C26485@xmb-ams-331.emea.cisco.com>

Dean,

PfR, or as it used to be called, OER, is your friend here.
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/12_4/oer_12_4_book.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn (rodunn)
Sent: Tuesday, August 26, 2008 06:12 AM
To: Dean Smith
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] IP SLA and dyn routes

I honestly haven't spent enough time with it yet to know all the details
but maybe check PfR (aka: OER) to see if it can help you out.

Rodney

On Mon, Aug 25, 2008 at 09:53:41PM +0100, Dean Smith wrote:
> Sounds like you actually want to run a tunnel across each SP and use
> an IGP through the tunnels to decide which one is up/working etc
>
> Dean
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
> Sent: 25 August 2008 21:13
> To: cisco-nsp
> Subject: [c-nsp] IP SLA and dyn routes
>
> Hi all,
>
> I'm having a problem with my SP (running MPLS/BGP) where the time to
> converge networks is so high (>10 minutes) and they say that they are
> working on it and it will be fixed in 3 months approx.
>
> I want anything to do convergence faster for me.
> I read about IP SLA, but do not find doc related IP SLA x dynamic
> routes, only IP SLA doing track on static routes.
> My first connection is with this SP running BGP (MPLS cloud) and second
> connection is with another SP running OSPF (Frame-relay cloud).
> Due to this problem, when a remote site is down, on my central point the
> route of this site is still up in the BGP table and does not converge to
> OSPF, only after a period >10 minutes.
> What other solution can I use?
>
> tks for all,

From lists at memetic.org Wed Aug 27 14:08:02 2008
From: lists at memetic.org (Adam Armstrong)
Date: Wed, 27 Aug 2008 19:08:02 +0100
Subject: [c-nsp] 6506 unusual behavior
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501C26484@xmb-ams-331.emea.cisco.com>
References: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com> <67F7C1FAF83A074AA3520D8F155782A501C26484@xmb-ams-331.emea.cisco.com>
Message-ID: <48B59802.9060703@memetic.org>

Arie Vayner (avayner) wrote:
> Actually, I am not sure if the upgrade to Sup720-3BXL would be much more
> expensive than the 7201, but I suggest you explore these options with
> your customer.

I would agree, standard cisco prices, with 35% discount in ? would be :

7201, 1GB, Dual PSU - ?7,995.00
SUP720-3BXL - ?20,500.00

The 7201 is significantly cheaper, and will do full gigabit, provided you
don't get DDoSed :)

adam.

From gert at greenie.muc.de Wed Aug 27 14:32:00 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 Aug 2008 20:32:00 +0200
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
References: <48B520CE.7030008@actrix.co.nz> <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br> <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com>
Message-ID: <20080827183200.GB233@greenie.muc.de>

Hi,

On Wed, Aug 27, 2008 at 09:20:41PM +0800, Antonio Acuesta (DHL AU) wrote:
> Can you please recommend a stable IOS version for Cisco Catalyst 6513?
> The current version that I have is Version 12.2(18)SXD3. The switch has
> not been upgraded for a while and it will be good to know the version
> with fewer bugs.

We've been fairly happy with 12.2(18)SXF in various versions. Latest
release is SXF14.

Check the release notes on CCO whether your specific combination of
hardware is still supported - some modules might have been dropped
SXE->SXF.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
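Picking up the 6506 thread above: Arie asked for "show ip route summary" and "show mls cef summary", and Jon put the Sup2 TCAM ceiling at about 244k routes. What follows is an added example, not code from the list, from Cisco or from any poster, that parses those two outputs and reports whether the hardware FIB is over its ceiling. The sample outputs are constructed from the edge1 figures posted, the 244k/192k ceilings are the thread's own numbers taken as assumptions rather than vendor capacity figures, and the function names are mine.

```python
"""Route-capacity check for a Catalyst 6500 supervisor.

Added example for the 6506 thread on cisco-nsp; not code from the list,
from Cisco or from any poster.  It parses 'show ip route summary' and
'show mls cef summary' and flags a FIB that holds more IPv4 routes than
its TCAM ceiling.  Function names and the ceiling constants are mine.
"""
import re

# Ceilings quoted in the thread for a Sup2 (Jon: "about 244k routes";
# Adam's own figure was 192k).  Assumptions taken from the thread, not
# vendor-published capacity figures.
SUP2_TCAM_ROUTES = 244_000
SUP2_TCAM_ROUTES_CONSERVATIVE = 192_000

# Constructed sample outputs mirroring the edge1 figures posted above.
SAMPLE_MLS_CEF_SUMMARY = """\
Total CEF switched packets: 0000000825744817
Total CEF switched bytes: 0000440372791097
Total routes: 261292
IP unicast routes: 261292
IPX routes: 0
IP multicast routes: 0
"""

SAMPLE_IP_ROUTE_SUMMARY = """\
IP routing table name is Default-IP-Routing-Table(0)
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           5           400         800
static          0           2           224         320
ospf            0           123         8064        19680
  Intra-area: 5 Inter-area: 0 External-1: 0 External-2: 118
  NSSA External-1: 0 NSSA External-2: 0
bgp             130413      130722      16712640    41818320
  External: 5090 Internal: 256045 Local: 0
internal        2642                                3117560
Total           133055      130852      16721328    44956680
Removing Queue Size 0
"""

# "Name: <integer>" counters from 'show mls cef summary'.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\d+)\s*$")
# Route-source rows: name, optional AS number (e.g. "bgp 65000"), then
# Networks, Subnets, Overhead, Memory.  Sub-rows and 'internal' (which has
# no Subnets/Overhead columns) deliberately do not match.
ROW_RE = re.compile(r"^([A-Za-z]+)(?:\s+\d+)?\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_mls_cef_summary(text):
    """Return the 'show mls cef summary' counters as {lower-case name: int}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip().lower()] = int(m.group(2))
    return counters


def parse_ip_route_summary(text):
    """Return {route_source: (networks, subnets)} from 'show ip route summary'."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return rows


def assess_fib_capacity(cef_counters, rib_rows, capacity=SUP2_TCAM_ROUTES):
    """Compare the hardware-programmed route count with the TCAM ceiling.

    Returns a dict a monitoring job can alert on: 'hw_routes' is what MLS
    CEF has programmed, 'rib_routes' the RIB total (networks + subnets).
    A status of 'over_capacity' is the condition Jon describes: more
    routes than the Sup2 TCAM can hold.
    """
    hw_routes = cef_counters.get("total routes", 0)
    networks, subnets = rib_rows.get("total", (0, 0))
    bgp_networks, bgp_subnets = rib_rows.get("bgp", (0, 0))
    over_by = max(0, hw_routes - capacity)
    return {
        "hw_routes": hw_routes,
        "rib_routes": networks + subnets,
        "bgp_routes": bgp_networks + bgp_subnets,
        "capacity": capacity,
        "utilisation_pct": round(100.0 * hw_routes / capacity, 1),
        "over_by": over_by,
        "status": "over_capacity" if over_by else "ok",
    }


if __name__ == "__main__":
    report = assess_fib_capacity(parse_mls_cef_summary(SAMPLE_MLS_CEF_SUMMARY),
                                 parse_ip_route_summary(SAMPLE_IP_ROUTE_SUMMARY))
    for key, value in report.items():
        print(f"{key:16} {value}")
```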
From dean at eatworms.org.uk Wed Aug 27 15:14:35 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 27 Aug 2008 20:14:35 +0100
Subject: [c-nsp] Cat 4924 Metro QoS
Message-ID: <007701c90879$27db5380$7791fa80$@org.uk>

Has anyone any experience of the QoS capabilities on the ME 4924-10GE?

The data sheet lists "Per-port per-VLAN QoS". But I'm struggling to
pinpoint exactly what this gives. The config examples in the 4500 Series
config guide simply show policing per VLAN....is this the only action
available?

Essentially I'd like something with 10G ports that can do QoS per VLAN on
the 10G port - but offer some per-class B/W guarantees within the VLAN.

i.e. Limit VLAN 10 to 100Mb/s and within that VLAN...

10Mb/s PQ for DSCP EF
40Mb/s for DSCP AF
50Mb/s for DSCP DE

I don't need to overbook the 10G port (i.e. sum of all VLANs < 10G).

Overall port requirement is low (<10 x 1G + 1x10G) - which makes the
4924 ideal. The other options seem to be ASR, 4500+Sup6E, 7600+ES20, GSR
etc.

But opinions/experience welcomed......(and yes it needs to be cisco)

Dean

From peter at rathlev.dk Wed Aug 27 15:23:08 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 27 Aug 2008 21:23:08 +0200
Subject: [c-nsp] FWSM CSCsi87893 purely cosmetic?
Message-ID: <1219864988.25348.16.camel@abehat>

Hello,

We just recently "discovered" the effects of CSCsi87893, where
configuring a "tftp-server" in the sys context gives funny output like
this:

FWSM/act(config)# tftp-server management 10.0.0.1 fwsm-sys
FWSM/act(config)# sh run
: Saved
:
FWSM Version 3.1(4)
!
......
allocate-interface Vlan2131
config-url disk:/xyz.cfg
!
vPif_isVpifNumValid: Thread ssh vcid=1 from vpif=0x10001 is != current vcid=0!
tftp-server 10.0.0.1 fwsm-sys
prompt hostname context state
Cryptochecksum:snarfsnarfsnarf
: end
FWSM/act(config)#

It was easy finding CSCsi87893, but the bug toolkit isn't very specific.
It says "strange output may be noticed", but the above line gets written
to startup-config with "write mem". The functionality is there -- I can
"write net" without parameters and the expected happens.

What I'm wondering is: What will happen at the next reboot? Can it parse
this output correctly? Or will I just lose the tftp-server functionality?
Or will the FWSM fail to start?

We're about to upgrade (3.1(6+) has this fixed), but would like to be
certain about what happens after the reboot...

Regards,
Peter

From troy at i2bnetworks.com Wed Aug 27 15:43:42 2008
From: troy at i2bnetworks.com (Troy Beisigl)
Date: Wed, 27 Aug 2008 12:43:42 -0700
Subject: [c-nsp] Netflow software
Message-ID: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>

Hi,

We are putting together a system to run netflow software for tracking
traffic usage in and out of our network based on ASN. Can someone
recommend a stable software package? We would prefer not to run this on
a windows machine if at all possible.

Thanks,
Troy

From Gregori.Parker at theplatform.com Wed Aug 27 16:11:30 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Wed, 27 Aug 2008 13:11:30 -0700
Subject: [c-nsp] Netflow software
In-Reply-To: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>
References: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>
Message-ID: <1A9866F953006D45AEE0166066114E0912C3E589@TPMAIL02.corp.theplatform.com>

I'd recommend Crannog Netflow Tracker (now owned by Fluke) for this:
http://www.flukenetworks.com/fnet/en-us/products/NetFlow+Tracker/Overview.htm

They have versions for both Linux and Windows (as well as an appliance
now), and I've found it to be well worth the expense over the
open-source solutions I've worked with..
My only caveat is that their licensing is not as glorious as it was
pre-acq

From dale.shaw+cisco-nsp at gmail.com Wed Aug 27 16:30:43 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 27 Aug 2008 13:30:43 -0700
Subject: [c-nsp] CiscoWorks LMS - Apache daemon registration information
Message-ID: <3329cbb40808271330v52f3aa43u5daf33fd4c3e441e@mail.gmail.com>

Hi,

Could someone with LMS 3.x running on Windows please send me the output
of "pdreg -l Apache"?

I've got an HTTP/SSL problem and I think I've stuffed the daemon
registration for Apache (relates to bug CSCso59571).

cheers,
Dale

From avayner at cisco.com Wed Aug 27 16:45:56 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 27 Aug 2008 22:45:56 +0200
Subject: [c-nsp] FWSM CSCsi87893 purely cosmetic?
In-Reply-To: <1219864988.25348.16.camel@abehat>
References: <1219864988.25348.16.camel@abehat>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C264A7@xmb-ams-331.emea.cisco.com>

Peter,

Yes, it does seem to be cosmetic.

Arie

From moua0100 at umn.edu Wed Aug 27 17:25:21 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 27 Aug 2008 16:25:21 -0500
Subject: [c-nsp] Netflow software
In-Reply-To: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>
References: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>
Message-ID: <069301c9088b$69556410$31dd5ea0@ad.umn.edu>

Nfsen w/ nfdump engine.
Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From md at Linux.IT Wed Aug 27 19:11:51 2008
From: md at Linux.IT (Marco d'Itri)
Date: Thu, 28 Aug 2008 01:11:51 +0200
Subject: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?
In-Reply-To: <48B43691.3020804@cisco.com>
References: <20080826124855.GA3673@bongo.bofh.it> <48B43691.3020804@cisco.com>
Message-ID: <20080827231151.GA25600@bongo.bofh.it>

On Aug 26, Ian Cox wrote:

> PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
> that particular PA has the idprom messed up. Try doing a sh diagbus with
> it inserted and see what the PA idprom is telling the system.

FYI: thanks to Ian I found out that the problem is that FlexWANs do not
support OIR even for plug-in, not just for unplugging. The Ethernet PA I
first tried worked when hotplugged, but the POS one just failed unless I
first unplugged the FlexWAN.

BTW: my FlexWANs happily accepted a 256 MB SODIMM from my old MSFC2, and
even work with one 256 MB and one 64 MB bank (CEF is enabled only on the
first slot now, but I do not need the other one anyway).
-- 
ciao,
Marco

From jlewis at lewis.org Wed Aug 27 20:16:54 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 27 Aug 2008 20:16:54 -0400 (EDT)
Subject: [c-nsp] 6506 unusual behavior
In-Reply-To:
References: <67F7C1FAF83A074AA3520D8F155782A501C26479@xmb-ams-331.emea.cisco.com>
Message-ID:

On Wed, 27 Aug 2008, Adam Korab wrote:

> edge1#sh mls cef sum
>
> Total CEF switched packets: 0000000825744817
> Total CEF switched bytes: 0000440372791097
> Total routes: 261292
> IP unicast routes: 261292

You have 261292 routes on a Sup2. The TCAM on the Sup2 supports about
244k routes. It's time to either upgrade or give up on the idea of
carrying full BGP routes.

I haven't been updating it, but I have 2 articles you should read at
http://jonsblog.lewis.org/

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ben.steele at internode.on.net Wed Aug 27 20:26:42 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 28 Aug 2008 09:56:42 +0930
Subject: [c-nsp] LLQ + MLPPPoE -> ?
In-Reply-To:
References:
Message-ID: <005b01c908a4$cb7ff830$627fe890$@steele@internode.on.net>

That example is using a virtual-template, not a dialer. There used to be
an issue some time ago where if you didn't run MLPPP on your dialer your
QoS (CBWFQ) wouldn't work properly as it required an MLP Bundle to attach
to; a workaround for this was using virtual-template and ATM int for QoS.

If you are using MLPPP as it appears you are by your config, then all
that's needed in your ATM is to specify the correct service class (ie
cbr/ubr/vbr) and speed; the tx-ring-limit will make sure you don't buffer
up any packets in the ATM interface, then all your magic should be done
on the dialer with your service-policy.
Make sure you set the bandwidth appropriately (ie subtract 15% for atm
cell tax overhead) and you should see it all come to life through your
MLP Bundle.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE -> ?

>Remove the service policy from your ATM int's and just leave it on your
>Dialer, then do a "sh users" and you should see an interface listed as the
>MLP Bundle, this is the one you want to be watching, if for example it is
>Vi4 then do a "sh policy-map int vi4"

I was following the advice at
http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml
which states:

". When you use a combination of Class-based Marking or Class-based
Policing and Class-based Queuing, the order of operations is this:

1. The service-policy command configured on the Virtual-Template
interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets "

Is this not correct?

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From david.freedman at uk.clara.net Wed Aug 27 20:42:22 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 28 Aug 2008 01:42:22 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?
References: <005b01c908a4$cb7ff830$627fe890$@steele@internode.on.net>
Message-ID:

Yes, it seems to be working when applied to the dialer (i.e., the class is
seeing traffic matched and queued into the correct queue) but when the
bundle contains more than one member, the latency and jitter increase
when there is congestion, which leads me to think that either:

1. The queuing has stopped working or
2. This is a side effect of having more than one member in the bundle in
this configuration.

We've taken all the usual precautions (i.e. disabling LFI and permitting
link re-ordering on the bundle) but the quality still degrades under load
when we add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and
do straight unauthenticated mlpppoa with the same LLQ policy, it works
great.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From brett at looney.id.au Wed Aug 27 20:50:32 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 28 Aug 2008 08:50:32 +0800
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080827111208.GA2482@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au> <20080827111208.GA2482@torres.zugschlus.de>
Message-ID: <020201c908a8$130cbe60$39263b20$@id.au>

> It now says
>
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
>  include-local-lan
>
> and when I ping 192.168.8.1, I still see the packet going out
> encapsulated in ESP instead of unencrypted on the LAN (the Client's
> LAN ip is 192.168.8.184/24).

Hmmm. Interesting. What does your "DefaultrouteTunnel" ACL look like?

Wait - just dug up your old email:

> ip access-list extended DefaultrouteTunnel
>  permit ip any any

So this is the issue (sorry - should have looked at this earlier) - you
need to put a list of networks here that the client can access. And just
to be confusing, the ACL is from the router's perspective as if the
traffic is outbound. So, if the pool of IP addresses that you're handing
out to the clients is 10.100.100.0/24 then that needs to be the
destination address in the ACL ala:

ip access-list extended DefaultrouteTunnel
 permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
 permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

HTH.

B.

From ben.steele at internode.on.net Wed Aug 27 21:06:04 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 28 Aug 2008 10:36:04 +0930
Subject: [c-nsp] LLQ + MLPPPoE -> ?
In-Reply-To:
References: <005b01c908a4$cb7ff830$627fe890$@steele@internode.on.net>
Message-ID: <005f01c908aa$4918bbb0$db4a3310$@steele@internode.on.net>

I would say it sounds like one interface is performing differently to
the other (performance wise), but if it works fine when using the
multilink interface that doesn't make as much sense. Do you notice any
drops or errors of any sort on the atm int's when you have the dialer
configuration up? Also check the output of a "sh dsl int atmx" for each
one to see if you are erroring there or syncing at different speeds or
have a low noise margin on one etc..

Out of curiosity did you set that ip mtu 1492 on your dialer when you
were testing?
As you would've been fragmenting otherwise trying to push 1500 byte over
a 1500 byte link with pppoe.

Can you show me your exact config (minus passwords) that you are using
when you are testing this including the output of a "sh dsl int atmx"
for each int.

Another thought: might be worth trying the new 12.4.20T IOS given its QoS
overhaul with HQF and the improved latency results shown by someone in an
earlier thread.

From paul at paulstewart.org Wed Aug 27 21:22:59 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 27 Aug 2008 21:22:59 -0400
Subject: [c-nsp] Q-in-Q
Message-ID: <000401c908ac$9bbaaf70$d3300e50$@org>

Hi folks...

Working on a new project this week and the final outcome will be trunking
with q-in-q behind the scenes via an intermediate provider.

Basically, we'll be q-tagging a series of VLANs through some 2950
switches and then handing off a 100FE connection towards the intermediate
provider which is going to use q-in-q across their 3750-->6509-->6509
network back to a q-tagged connection of ours at another location (6509
as well).

With the combination of 3750 and 6509's should I have any worries about
q-in-q and MTU issues with a 100FE interface involved? I'm pretty sure
mini-jumbos are supported all the way but wanted to ask....

Thanks,

Paul

From david.freedman at uk.clara.net Wed Aug 27 21:42:02 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 28 Aug 2008 02:42:02 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?
References: <005b01c908a4$cb7ff830$627fe890$@steele@internode.on.net> <005f01c908aa$4918bbb0$db4a3310$@steele@internode.on.net>
Message-ID:

>I would say it sounds like one interface is performing differently to the
>other(performance wise) but if it works fine when using the multilink
>interface that doesn't make as much sense, do you notice any drops or errors
>of any sort on the atm int's when you have the dialer configuration up? Also
>check the output of a "sh dsl int atmx" for each one to see if you are
>erroring there or syncing at different speeds or have a low noise margin on
>one etc..
They both perform fine on their own, only together does it cause a problem, we dont see any drops, just big changes in latency >Out of curiosity did you set that ip mtu 1492 on your dialer when you were >testing? As you would've been fragmenting otherwise trying to push 1500 byte >over a 1500 byte link with pppoe I believe in the setup we are testing with we have a >1500 mtu either end so the pppoe overhead shouldn't be an issue, but will double check. >Can you show me your exact config (minus passwords) that you are using when >you are testing this including the output of a "sh dsl int atmx" for each >int. The config we are using is in the original post (https://puck.nether.net/pipermail/cisco-nsp/2008-August/053632.html) There are no DSL errors recorded on the controllers, nor is there anything remarkable in the sh int output: #show int a0/0/0 | in rror|drop|throt|clear Last clearing of "show interface" counters 1d12h Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 output errors, 0 collisions, 0 interface resets #show int a0/1/0 | in rror|drop|throt|clear Last clearing of "show interface" counters 1d12h Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 output errors, 0 collisions, 0 interface resets >Another thought might be worth trying the new 12.4.20T IOS given it's QoS >overhaul with HQF and the improved latency results shown by someone in an >earlier thread. This I will try, just out of interest, do you have such a setup in production? if so , what version are you using on the CPE? Dave. From: David Freedman [mailto:david.freedman at uk.clara.net] Sent: Thursday, 28 August 2008 10:12 AM To: Ben Steele; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] LLQ + MLPPPoE -> ? 
Yes, it seems to be working when applied to the dialer (i.e., the class is seeing traffic matched and queued into the correct queue), but when the bundle contains more than one member, the latency and jitter increase when there is congestion, which leads me to think that either:

1. The queuing has stopped working, or
2. This is a side effect of having more than one member in the bundle in this configuration.

We've taken all the usual precautions (i.e. disabling LFI and permitting link re-ordering on the bundle) but the quality still degrades under load when we add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and do straight unauthenticated MLPPPoA with the same LLQ policy, it works great.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Ben Steele [mailto:ben.steele at internode.on.net]
Sent: Thu 8/28/2008 01:26
To: David Freedman; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE -> ?

That example is using a virtual-template, not a dialer. There used to be an issue some time ago where if you didn't run MLPPP on your dialer your QoS (CBWFQ) wouldn't work properly, as it required an MLP bundle to attach to; a workaround for this was using a virtual-template and the ATM int for QoS.

If you are using MLPPP, as it appears you are by your config, then all that's needed in your ATM is to specify the correct service class (i.e. cbr/ubr/vbr) and speed. The tx-ring-limit will make sure you don't buffer up any packets in the ATM interface; then all your magic should be done on the dialer with your service-policy. Make sure you set the bandwidth appropriately (i.e. subtract 15% for ATM cell tax overhead) and you should see it all come to life through your MLP bundle.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE -> ?

> Remove the service policy from your ATM ints and just leave it on your
> Dialer, then do a "sh users" and you should see an interface listed as the
> MLP Bundle; this is the one you want to be watching. If for example it is
> Vi4 then do a "sh policy-map int vi4"

I was following the advice at
http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml
which states:

"When you use a combination of Class-based Marking or Class-based Policing and Class-based Queuing, the order of operations is this:
1. The service-policy command configured on the Virtual-Template interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets."

Is this not correct?

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From dale.shaw+cisco-nsp at gmail.com Wed Aug 27 21:59:26 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 27 Aug 2008 18:59:26 -0700
Subject: [c-nsp] CiscoWorks LMS - Apache daemon registration information

On Wed, Aug 27, 2008 at 1:30 PM, Dale Shaw wrote:
>
> Could someone with LMS 3.x running on Windows please send me the
> output of "pdreg -l Apache" ?
Thanks all -- have had a few replies and, for now at least, I'm back up and running (although my SSL woes continue).

cheers,
Dale

From ben.steele at internode.on.net Wed Aug 27 22:12:03 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 28 Aug 2008 11:42:03 +0930
Subject: [c-nsp] LLQ + MLPPPoE -> ?

> I believe in the setup we are testing with we have a >1500 mtu either end so
> the pppoe overhead shouldn't be an issue, but will double check.

Dialer will default to an interface MTU of 1500 bytes unless you specify something else.

> The config we are using is in the original post
> (https://puck.nether.net/pipermail/cisco-nsp/2008-August/053632.html)

That doesn't have any of the previous recommendations I've made in it.

> This I will try, just out of interest, do you have such a setup in production?
> if so, what version are you using on the CPE?

Haven't really played with the QoS on 12.4.20T much yet, but if you look back for the post with the subject [Improved queuing in 12.4(20)T?] from Per Carlson you can ask him what he was using :) Let us all know if 12.4.20T does magic for you.

Ben

From david.freedman at uk.clara.net Wed Aug 27 22:23:18 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 28 Aug 2008 03:23:18 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?

> Dialer will default to interface mtu of 1500 bytes unless you specify
> something else.
Sorry, to clarify: the dialer sits on top of an ATM interface which has a 4470-byte MTU. From the ATM over G.SHDSL to the DSLAM, LAC, LNS and NAS there is an oversized MTU as well (>2000). With the default dialer MTU of 1500 the maximum payload should leave at 1508B, which is well below the MTU of all the network components end-to-end. I don't believe this will cause any fragmentation?

> Haven't really played with the QoS on 12.4.20T much yet, but if you look
> back for the post with the subject [Improved queuing in 12.4(20)T?] from Per
> Carlson you can ask him what he was using :)
> Let us all know if 12.4.20T does magic for you.

I will try this. Thanks very much for your help,

Dave.

From mksmith at adhost.com Wed Aug 27 22:38:22 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Wed, 27 Aug 2008 19:38:22 -0700
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Hello Mark:

Unless I'm misreading your intent, it looks like what you are trying to accomplish is split-tunneling, such that only traffic from your VPN-connected Windows machines and your protected net is getting tunneled, while everything else is handled outside the tunnel. If this is correct, take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

Regards,

Mike

On 8/26/08 7:01 AM, "Marc Haber" wrote:

> Hi,
>
> this is strictly a client issue and not appropriate for cisco-nsp, but
> I haven't found any mailing list with this clue level for other
> cisco-related aspects. If there is one, I'd like to learn about it.
>
> I have a bunch of Windows clients with the Cisco VPN Client
> 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
> follows:
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login userauthen local
> aaa authentication login localauth local
> aaa authorization exec default local
> aaa authorization network groupauthor local
> !
> aaa session-id common
> !
> resource policy
> !
> ip cef
> !
> username marc.haber privilege 15 secret 5
> !
> crypto isakmp policy 3
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
> !
> !
> crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map InternDynmap 10
>  set transform-set InternTransformSet
>  reverse-route
> !
> !
> crypto map InternClientMap client authentication list userauthen
> crypto map InternClientMap isakmp authorization list groupauthor
> crypto map InternClientMap client configuration address respond
> crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
> !
> interface FastEthernet0/0
>  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
>  ip address 172.26.248.10 255.255.255.248
>  duplex auto
>  speed auto
>  crypto map InternClientMap
> !
> ip access-list extended DefaultrouteTunnel
>  permit ip any any
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny ip 192.168.8.0 0.0.0.255 any
>  permit ip any any
> !
>
> With this configuration, a client cannot communicate at all outside
> the tunnel, which is a desired feature in this setup. OTOH, some
> teleworkers would appreciate being able to talk to their networked
> printers on the local LANs.
>
> I have received the advice of adding the local networks of all
> teleworkers to an access list, which has resulted in the
> "DefaultrouteWithoutListedNetsTunnel" ACL.
> But this does not seem to
> work; traffic for 192.168.8.3 still goes into the tunnel after I
> changed the acl reference in the crypto isakmp client configuration
> group InternClient. Also, I do not see any changes in the Windows
> client's routing tables.
>
> Can someone advise what I am doing wrong here? Additionally, do I
> really need to exclude all local networks of all teleworkers in the
> global configuration, or is it possible to control this on a
> per-client basis?
>
> All web-based documentation I have found deals with the VPN
> Concentrator series, which do not seem to use IOS - at least I cannot
> make sense of the advice found there in my configuration.
>
> Any hints will be appreciated.
>
> Greetings
> Marc

From achatz at forthnet.gr Thu Aug 28 01:14:45 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 28 Aug 2008 08:14:45 +0300
Subject: [c-nsp] how to debug etherchannel on 6500?

Hi,

I'm trying to troubleshoot a strange case regarding an etherchannel (PAgP works, LACP doesn't) between a 6500 (SUP720/SXF14) and a 3750 (12.2(44)SE2), but I cannot see any debug logs on the 6500 after enabling "debug etherchannel all". On the 3750 I get some messages after enabling the same debug, but I can also use "debug pagp/lacp" which displays a lot more (and most of them are quite helpful).

Is "debug etherchannel all" supposed to display anything? If not, is there another debug command on the 6500 like the "debug pagp/lacp" on the 3750?

--
Tassos

From zivl at gilat.net Thu Aug 28 03:12:01 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 28 Aug 2008 10:12:01 +0300
Subject: [c-nsp] The Internet's Biggest Security Hole

I know this is not Cisco related, but it's of every network admin's concern in general.
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

From peter at rathlev.dk Thu Aug 28 04:43:01 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 28 Aug 2008 10:43:01 +0200
Subject: [c-nsp] FWSM CSCsi87893 purely cosmetic?

On Wed, 2008-08-27 at 22:45 +0200, Arie Vayner (avayner) wrote:
> Yes, it does seem to be cosmetic.

Thanks. We'll try a test setup first, just in case.

Regards,
Peter

From mh+cisco-nsp at zugschlus.de Thu Aug 28 06:29:45 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Thu, 28 Aug 2008 12:29:45 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

On Thu, Aug 28, 2008 at 08:50:32AM +0800, Brett Looney wrote:
> So this is the issue (sorry - should have looked at this earlier) - you need
> to put a list of networks here that the client can access. And just to be
> confusing, the ACL is from the router's perspective as if the traffic is
> outbound.
> So, if the pool of IP addresses that you're handing out to the
> clients is 10.100.100.0/24 then that needs to be the destination address in
> the ACL a la:
>
> ip access-list extended DefaultrouteTunnel
>  permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
>  permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255

So that would be

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
 permit ip any 10.2.60.0 0.0.0.255

But packets to 192.168.8.1 still go out through the tunnel.

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190

From mh+cisco-nsp at zugschlus.de Thu Aug 28 06:32:06 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Thu, 28 Aug 2008 12:32:06 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

On Wed, Aug 27, 2008 at 07:38:22PM -0700, Michael K. Smith wrote:
> Unless I'm misreading your intent, it looks like what you are trying to
> accomplish is split-tunneling, such that only traffic from your
> VPN-connected Windows machines and your protected net is getting tunneled,
> while everything else is handled outside the tunnel.

My intent is to have _everything_ in the tunnel, with the exception of a handful of networks.

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
                   Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190

From drew.weaver at thenap.com Thu Aug 28 09:52:22 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 28 Aug 2008 09:52:22 -0400
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

What is the 'de facto' top of rack 10/100/1000 48 port access switch most folks are buying up these days from the big C?

Does anyone recommend any lower cost 10/100/1000 switches from other vendors that 'work just fine' for this limited purpose?

These 48 port switches would just be used to connect machines to VLANs (over uplinks/trunks) which are on the distribution/core layer.

If you have the right server/client density, does it ever make sense to use a 6513 for the L2 connectivity, or is it always better to use separate switches?

It seems like using 11 separate switches would add a lot of management headaches over just having a redundant 6500 (pwr/sup); does anyone have any opinions/advice on this point?

Thanks!

-Drew

From cchurc05 at harris.com Thu Aug 28 11:19:30 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 28 Aug 2008 10:19:30 -0500
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

A lot depends on the cabling. Running a few hundred cat5 cables from several racks into one might be a real pain. If each rack of servers can occupy 48 ports or less, a 4948 with 10gig uplinks might be much cleaner. 6513 wouldn't be a good choice regardless; can't put 6700 series blades in some of the slots.

Chuck
From ian.mackinnon at lumison.net Thu Aug 28 11:35:10 2008
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Thu, 28 Aug 2008 16:35:10 +0100
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

Drew Weaver wrote:
> What is the 'defacto' top of rack 10/100/1000 48 port access switch most folks are buying up these days from the big C?

Some thoughts.

I want 1U dual power. Why is that so hard to do? If all your customer servers have dual power from A and B feeds, it's not too much to ask that the top of rack switch does the same. Cisco RPS is a waste of time. You want me to reboot the switch to return power to the A feed - no chance.

OK, a 4948 is 1U, dual power, but how much? If all I want is switching, and layer 3 happens elsewhere, it's overkill.

Yes, layer 3 at the top of rack would be nice, but how do you cope with customers who want an arbitrary number of switch ports across any number of switches?

We use a lot of AT-8948 Allied Telesis, much better price point.
But they are only 100M, with 1G on 4 x SFP. So if you need lots of gig connections, no use.

Just my 2p worth.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From avayner at cisco.com Thu Aug 28 11:37:02 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 28 Aug 2008 17:37:02 +0200
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

Some pointers you might find interesting:

http://www.cisco.com/en/US/solutions/ns708/networking_solutions_products_genericcontent0900aecd806fd331.pdf
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a008073377d.pdf

Arie
From jml at packetpimp.org Thu Aug 28 11:54:09 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 28 Aug 2008 11:54:09 -0400
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

On new builds I prefer to run cabling to each rack and use 65xx (not the 13 slot) for the distribution layer. It's hard to install cable into a crowded cage/datacenter, so sometimes a switch per rack makes sense.
From petelists at templin.org Thu Aug 28 11:56:51 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 28 Aug 2008 10:56:51 -0500
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.

Ian MacKinnon wrote:
>
> Drew Weaver wrote:
>> What is the 'defacto' top of rack 10/100/1000 48 port access
>> switch most folks are buying up these days from the big C?
>
> Some thoughts.
> I want 1U dual power. Why is that so hard to do? If all your customer
> servers have dual power from A and B feeds, it's not too much to ask that
> the top of rack switch does the same.
> Cisco RPS is a waste of time. You want me to reboot the switch to return
> power to the A feed - no chance.
>
> OK, a 4948 is 1U, dual power, but how much?
> If all I want is switching, layer 3 happens elsewhere, it's overkill.

Have you looked at their product line lately? I attended one of their LAN Switching Update events, and learned a lot about their new products, such as 1U 3560E models with 24 or 48 10/100/1000 ports and two X2 10G uplinks and dual power. Might that suffice?

pt

From mcgrath at fas.harvard.edu Thu Aug 28 12:18:36 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Thu, 28 Aug 2008 12:18:36 -0400
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
The only problem with the 4948 is its price point; with 10G it's 15K!!!! The 3750Es are much more reasonable; you can mount the switch and RPS in 1U if you use the front and back rails.
From networking.stuff at googlemail.com Thu Aug 28 12:21:49 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Thu, 28 Aug 2008 21:51:49 +0530
Subject: [c-nsp] BGP regular expression

Hi,

I want to match all routes that have traversed AS 111 and AS 222. The important point is that they can be in any order/sequence: start, end, in between, or any one after the other. What's the reg-expression to use? How will it look?

Regards,
Chintan

From david.freedman at uk.clara.net Thu Aug 28 12:37:17 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 28 Aug 2008 17:37:17 +0100
Subject: [c-nsp] LLQ + MLPPPoE -> ?

Ben, just a note to say 12.4(20)T has solved the problem. Thanks for your help.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
From gordon.bezzina at bell.net.mt Thu Aug 28 11:44:04 2008
From: gordon.bezzina at bell.net.mt (Gordon Bezzina)
Date: Thu, 28 Aug 2008 17:44:04 +0200
Subject: [c-nsp] MPLS usage by the bgp process in a vrf-lite setup

Hi,

I am using the vrf-lite setup on the 7600 using RSP720-CXL. This is the router:

c7600c#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     ***
  5    2  Route Switch Processor 720 (Hot)       RSP720-3CXL-GE     ***
  6    2  Route Switch Processor 720 (Active)    RSP720-3CXL-GE     ***
...
Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  5  Policy Feature Card 3       7600-PFC3CXL       ***          1.0    Ok
  5  C7600 MSFC4 Daughterboard   7600-MSFC4         ***          1.1    Ok
  6  Policy Feature Card 3       7600-PFC3CXL       ***          1.0    Ok
  6  C7600 MSFC4 Daughterboard   7600-MSFC4         ***          1.1    Ok

Mod  Online Diag Status
---- -------------------
  4  Pass
  5  Pass
  6  Pass
c7600c#

Now I have a BGP peer within a VRF which is receiving the full table. As a control I am filtering out most of it. The problem is that BGP is creating an MPLS label for every IPv4 route. And most importantly, I do not use MPLS for routing.

c7600c#sh ip bgp vpnv4 vrf VF summary
...
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
A.A.A.86        4 00000   85260   39101    32158    0    0 3w3d        29718

c7600c#sh platform hardware cap | b L3
L3 Forwarding Resources
     FIB TCAM usage:                     Total        Used       %Used
          72 bits (IPv4, MPLS, EoM)     524288       60529          12%
         144 bits (IP mcast, IPv6)      262144           4           1%

     detail:      Protocol                    Used       %Used
                  IPv4                       30530          6%
                  MPLS                       29999          6%
                  EoM                            0          0%

                  IPv6                           1          1%
                  IPv4 mcast                     3          1%
                  IPv6 mcast                     0          0%

     Adjacency usage:                    Total        Used       %Used
                                       1048576       30206          3%

The problem is that this is doubling the usage of my resources. Is there a way to reduce it, i.e. reduce or disable the creation of the mpls?

Thanks in advance

Best regards
Gordon

From A.L.M.Buxey at lboro.ac.uk Thu Aug 28 12:51:15 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 28 Aug 2008 17:51:15 +0100
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <48B6CFDC.8060608@fas.harvard.edu>
References: <48B6C5AE.5030501@lumison.net> <48B6CFDC.8060608@fas.harvard.edu>
Message-ID: <20080828165115.GF20696@lboro.ac.uk>

Hi,

> The only problem with the 4948 is it's price point with 10G it's
> 15K!!!!. The 3750E's are much more reasonable you can mount the
> switch and RPS in 1U if you use the front and back rails

this is a good point. the 3750E also gives you the dual-SFP adapter option which can then be converted to a 10G when you need it - only the 4500M (iirc) would give you that option. on the other hand, the 4548 and 4500M have dual PSUs so you don't need to mess with RPS devices. the 3750E also has the 64Gigastack interface and 'extra' interface for management 'out of band' access, which along with upgradability to 10G puts it way out ahead of usual offerings from either the big C or from foundry or extreme.
alan

From vijay.ramcharan at verizonbusiness.com Thu Aug 28 13:20:24 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Thu, 28 Aug 2008 17:20:24 +0000
Subject: [c-nsp] BGP regular expression
In-Reply-To: <1e7e04890808280921x7416312aha5ba037512d0deb0@mail.gmail.com>
References: <1e7e04890808280921x7416312aha5ba037512d0deb0@mail.gmail.com>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F0555BC82@ASHEVS011.mcilink.com>

Try,

route-server.phx1>sh ip bgp regexp _3356_(.*)?_11794_|_11794_(.*)?_3356_
BGP table version is 300231760, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i12.168.208.0/24  67.17.64.89            100    200      0 3356 7029 11794 i
* i                 67.17.64.89            100    200      0 3356 7029 11794 I
...

Someone may have a more elegant pattern but the above should work (test/tweak and use your own AS numbers obviously).

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chintan Shah
Sent: August 28, 2008 12:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP regular expression

Hi,

I want to match all routes that have traversed to AS 111 and AS 222. The important point is that they can be in any order/sequence: start, end, between, or any one after the other.

What's the reg-expression to use, and what will it look like?

Regards,
Chintan

From mksmith at adhost.com Thu Aug 28 14:30:29 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 28 Aug 2008 11:30:29 -0700
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080828102945.GB12177@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au> <20080827111208.GA2482@torres.zugschlus.de> <020201c908a8$130cbe60$39263b20$@id.au> <20080828102945.GB12177@torres.zugschlus.de>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604903614@ad-exh01.adhost.lan>

Hello Marc:

> >
> > ip access-list extended DefaultrouteTunnel
> > permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
> > permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
> 
> So that would be
> 
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
> deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> permit ip any 10.2.60.0 0.0.0.255
> 
> But packets to 192.168.8.1 still go out through the tunnel.
> 

According to your first configuration email the ACL you should use is DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel

ip access-list extended DefaultrouteTunnel
 permit ip any any

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 any
 permit ip any any

If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel' using your original parameters you should be all set.

Regards,

Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: 

From mh+cisco-nsp at zugschlus.de Thu Aug 28 16:16:41 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Thu, 28 Aug 2008 22:16:41 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604903614@ad-exh01.adhost.lan>
References: <20080828102945.GB12177@torres.zugschlus.de> <17838240D9A5544AAA5FF95F8D52031604903614@ad-exh01.adhost.lan>
Message-ID: <20080828201641.GA16003@torres.zugschlus.de>

On Thu, Aug 28, 2008 at 11:30:29AM -0700, Michael K. Smith - Adhost wrote:
> Hello Marc:
> 
> > >
> > > ip access-list extended DefaultrouteTunnel
> > > permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
> > > permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
> > 
> > So that would be
> > 
> > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > permit ip any 10.2.60.0 0.0.0.255
> > 
> > But packets to 192.168.8.1 still go out through the tunnel.
> > 
> 
> According to your first configuration email the ACL you should use is
> DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

I have of course changed the acl statement.

> If you change the client config to 'acl
> DefaultrouteWithoutListedNetsTunnel' using your original parameters
> you should be all set.

NACK. Doesn't work.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190

From MLouis at nwnit.com Thu Aug 28 16:25:26 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Thu, 28 Aug 2008 16:25:26 -0400
Subject: [c-nsp] Few questions regarding fixed vs modular and when which isbetter.
Message-ID: 

Structured cabling in each rack running back to an MDF cable-only rack and then patch-tailed into a 6500 is a sweet setup as well.

-----Original Message-----
From: Church, Charles
Sent: Thursday, August 28, 2008 11:25 AM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Few questions regarding fixed vs modular and when which isbetter.

A lot depends on the cabling. Running a few hundred cat5 cables from several racks into one might be a real pain. If each rack of servers can occupy 48 ports or less, a 4948 with 10gig uplinks might be much cleaner. 6513 wouldn't be a good choice regardless, can't put 6700 series blades in some of the slots.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Thursday, August 28, 2008 9:52 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Few questions regarding fixed vs modular and when which isbetter.

What is the 'defacto' top of rack 10/100/1000 48 port access switch most folks are buying up these days from the big C?

Does anyone recommend any lower cost 10/100/1000 switches from other vendors that 'work just fine' for this limited purpose?

These 48 port switches would just be used to connect machines to VLANs (over uplink/trunks) which are on the distribution/core layer.

If you have the right server/client density does it ever make sense to use a 6513 for the L2 connectivity or is it always better to use sep. switches? It seems like using 11 sep. switches would add a lot of management headaches over just having a redundant 6500 (pwr/sup). Does anyone have any opinions/advice on this point?

Thanks!
-Drew

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From mksmith at adhost.com Thu Aug 28 16:43:08 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 28 Aug 2008 13:43:08 -0700
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080828201641.GA16003@torres.zugschlus.de>
References: <20080828102945.GB12177@torres.zugschlus.de> <17838240D9A5544AAA5FF95F8D52031604903614@ad-exh01.adhost.lan> <20080828201641.GA16003@torres.zugschlus.de>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604903660@ad-exh01.adhost.lan>

Hello Marc:

> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > > deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > > permit ip any 10.2.60.0 0.0.0.255
> > > 
> > > But packets to 192.168.8.1 still go out through the tunnel.
> > > 
> > 
> > According to your first configuration email the ACL you should use is
> > DefaultRouteTunnel, not DefaultrouteWithoutListedNetsTunnel.
> 
> I have of course changed the acl statement.
> 
> > If you change the client config to 'acl
> > DefaultrouteWithoutListedNetsTunnel' using your original parameters
> > you should be all set.
> 
> NACK. Doesn't work.
> 

If the clients are on 192.168.8.0/24 and the servers are on 10.2.60.0/24, try this:

ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 10.2.60.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip any any

Regards,

Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: 

From enlai.weng at enterprisestrategy.com Thu Aug 28 19:54:24 2008
From: enlai.weng at enterprisestrategy.com (Enlai Weng)
Date: Thu, 28 Aug 2008 19:54:24 -0400
Subject: [c-nsp] Firewall Architect/Admin Job in Rosslyn, VA
In-Reply-To: 
References: 
Message-ID: <650bea9d0808281654i7101d923qe438325703d1575a@mail.gmail.com>

If you:

1. Have experience in large-scale firewall implementations
2. Know what a DMZ is and how to configure it. (This includes NAT, VLANs, etc)
3. Know what OSPF = strong in networking.

Then please e-mail me immediately for a long-term federal contracting position in Rosslyn, VA.

Know your stuff and get paid!

enlai.weng at enterprisestrategy.com

US Citizenship required!

Enlai Weng
Information Security
Smart Border Alliance
office: 703-908-5052
mobile: 301-346-4990
Enterprise Strategy Corporation | www.enterprisestrategy.com

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

From ecables at gmail.com Thu Aug 28 19:54:48 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 28 Aug 2008 16:54:48 -0700
Subject: [c-nsp] 6513s and 6700 series blades
Message-ID: 

I am in a situation where we have 4x 6513s and an assortment of 6700/6500 series blades. I know that the 6513 has limitations on which modules have dual channel fabric connections (9-13), but I am not 100% sure how the 6700 series blades will act in the other slots.

I have been told by our Cisco SE that the 6748 blade will not function in blades 1-8, but I wanted to confirm whether that was true. The reason I suspect that it will is because we have some 6724 modules in slot #1 that are operating at 1x20Gbps.

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Centralized Forwarding Card WS-F6700-CFC       [removed]   2.0     Ok

SDHQ-CS-02-01#show fabric utilization
 slot    channel    speed    Ingress %    Egress %
    1          0      20G            0           0

System Resources
  PFC operating mode: PFC3BXL
  Supervisor redundancy mode: administratively sso, operationally sso
  Switching resources:
    Module  Part number     Series     CEF mode
         1  WS-X6724-SFP    CEF720     CEF

My question is this: Will a 6748 act the same way, with a single 1x20Gbps connection to the fabric, or will it not work at all?

Thanks,

-- 
Eric Cables

From tstevens at cisco.com Thu Aug 28 20:22:05 2008
From: tstevens at cisco.com (Tim Stevenson)
Date: Thu, 28 Aug 2008 17:22:05 -0700
Subject: [c-nsp] 6513s and 6700 series blades
In-Reply-To: 
References: 
Message-ID: 

They won't work in those slots.

Tim

At 04:54 PM 8/28/2008, Eric Cables observed:
>I am in a situation where we have 4x 6513s and an assortment of
>6700/6500 series blades.
>I know that the 6513 has limitations on
>which modules have dual channel fabric connections (9-13), but I am
>not 100% sure how the 6700 series blades will act in the other slots.
>
>I have been told by our Cisco SE that the 6748 blade will not function
>in blades 1-8, but I wanted to confirm whether that was true. The
>reason I suspect that it will is because we have some 6724 modules in
>slot #1 that are operating at 1x20Gbps.
>
>Mod  Sub-Module                  Model              Serial      Hw      Status
>---- --------------------------- ------------------ ----------- ------- -------
>  1  Centralized Forwarding Card WS-F6700-CFC       [removed]   2.0     Ok
>
>
>SDHQ-CS-02-01#show fabric utilization
> slot    channel    speed    Ingress %    Egress %
>    1          0      20G            0           0
>
>System Resources
>  PFC operating mode: PFC3BXL
>  Supervisor redundancy mode: administratively sso, operationally sso
>  Switching resources:
>    Module  Part number     Series     CEF mode
>         1  WS-X6724-SFP    CEF720     CEF
>
>My question is this: Will a 6748 act the same way, with a single
>1x20Gbps connection to the fabric, or will it not work at all?
>
>Thanks,
>
>-- 
>Eric Cables

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

From jensenja at gmail.com Thu Aug 28 20:48:06 2008
From: jensenja at gmail.com (John Jensen)
Date: Thu, 28 Aug 2008 17:48:06 -0700
Subject: [c-nsp] how to debug etherchannel on 6500?
In-Reply-To: <48B63445.4010406@forthnet.gr>
References: <48B63445.4010406@forthnet.gr>
Message-ID: <6de481d10808281748v2b1a9640kf8e83a395cc1a14@mail.gmail.com>

The first most obvious question is: have you told the device where to send debug output, ie "terminal monitor" at the prompt? I find it hard to believe that the most detailed level of debugging for etherchannel is yielding zero output.

The second question is how is your etherchannel set up? More specifically, how are you configuring LACP?

-JJ

On Wed, Aug 27, 2008 at 10:14 PM, Tassos Chatzithomaoglou wrote:
> Hi,
>
> I'm trying to troubleshoot a strange case regarding an etherchannel (PAgP
> works, LACP doesn't) between a 6500 (SUP720/SXF14) and a 3750 (12.2(44)SE2),
> but i cannot see any debug logs on the 6500 after enabling "debug
> etherchannel all". On the 3750 i get some messages after enabling the same
> debug, but i can also use "debug pagp/lacp" which displays a lot more (and
> most of them are quite helpful).
>
> Is the "debug etherchannel all" supposed to display anything? If not, is
> there another debug command on the 6500 like the "debug pagp/lacp" on the
> 3750?
>
> --
> Tassos
>

From tvarriale at comcast.net Thu Aug 28 20:41:54 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 28 Aug 2008 19:41:54 -0500
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
References: <48B520CE.7030008@actrix.co.nz> <9E07F8717FE8BC4FBAE6860F61EA6C1D0191FF7F@spsrvmail03.nec.br> <18ECC8BF0702EF47A4B1E089E91022DCC4C1C7@KULDCEX013.kul-dc.dhl.com> <48B5602E.7010705@imperial.ac.uk>
Message-ID: <079b01c90970$092d2330$f211a8c0@flamadam>

Latest one running SXH1. No problems so far with FWSM, ACE and 6748s.
tv

----- Original Message ----- 
From: "Phil Mayers"
To: "Antonio Acuesta (DHL AU)"
Cc: "cisco-nsp"
Sent: Wednesday, August 27, 2008 9:09 AM
Subject: Re: [c-nsp] RES: Cisco Catalyst 6513 IOS version

> Antonio Acuesta (DHL AU) wrote:
>> Hi,
>>
>> Can you please recommend a stable IOS version for Cisco Catalyst 6513?
>> The current version that I have is Version 12.2(18)SXD3. The switch has
>> not been upgraded for a while and it will be good to know the version
>> with less bug.
>
> We're running 12.2(18)SXF10 without problems.
>
> I believe 12.2(18)SXF11 and SXF12a are "sort of" Safe Harbor qualified.
>
> I cannot recommend 12.2(33)SXH - we've had a lot of problems.

From brett at looney.id.au Thu Aug 28 20:54:48 2008
From: brett at looney.id.au (Brett Looney)
Date: Fri, 29 Aug 2008 08:54:48 +0800
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080828102945.GB12177@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au> <20080827111208.GA2482@torres.zugschlus.de> <020201c908a8$130cbe60$39263b20$@id.au> <20080828102945.GB12177@torres.zugschlus.de>
Message-ID: <01c601c90971$d61b5640$825202c0$@id.au>

> So that would be
> 
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
> deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> permit ip any 10.2.60.0 0.0.0.255
> 
> But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you need to list each local network specifically in the access list so it won't match. That will be tricky.

B.
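To see what each ACL proposed in this VPN-client thread actually matches, here is an added example (my own code, not from the thread, from Cisco, or from any IOS release) that evaluates Cisco-style wildcard-mask entries with first-match semantics and the implicit deny at the end of every ACL. The two ACL bodies are the ones quoted in the thread; the three flows are constructed. Which direction the split-tunnel ACL is evaluated in (Mike's final suggestion puts the server network as the source) is the question the thread is circling, so the code only reports which entry a given flow hits under each ACL.

```python
"""Cisco-style extended ACL evaluation with wildcard masks.

Added example for the split-tunnel ACL discussion; not code from the thread or
from Cisco. It models the IOS ACL semantics that matter here: entries are tested
top to bottom, the first match decides, and an unmatched packet falls into the
implicit deny at the end. ACL bodies are the ones quoted in the thread; the
flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<address> <wildcard>"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask means the address bit
    must match, a 1 bit means "don't care" (the inverse of a subnet mask)."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _take_spec(tokens: list, i: int):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":  # 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> list:
    """Parse the body of an 'ip access-list extended' block, e.g.
    'deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255'. Only protocol 'ip'
    entries (no ports) are handled, which is all the thread's ACLs use."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # skip the 'ip access-list' header
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, i = _take_spec(tokens, 2)
        dst, _ = _take_spec(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces: list, src: str, dst: str):
    """Return (action, entry_number); entry_number is None for the implicit deny."""
    for n, ace in enumerate(aces, start=1):
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action, n
    return "deny", None


# The two candidate ACLs from the thread. In the split-tunnel usage discussed
# there, traffic matched by a permit entry is what the client sends into the tunnel.
ACL_FIRST = """
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
 permit ip any 10.2.60.0 0.0.0.255
"""
ACL_SECOND = """
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny ip 10.2.60.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip any any
"""

# Constructed flows (source, destination): server to client, client to server,
# and server to some unrelated network.
FLOWS = [
    ("10.2.60.5", "192.168.8.1"),
    ("192.168.8.7", "10.2.60.5"),
    ("10.2.60.5", "10.99.0.1"),
]


def classify(acl_text: str, flows=FLOWS) -> dict:
    """Map each flow to the (action, entry) the ACL yields for it."""
    aces = parse_acl(acl_text)
    return {flow: evaluate(aces, *flow) for flow in flows}


if __name__ == "__main__":
    for name, acl in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        print(name)
        for flow, (action, n) in classify(acl).items():
            where = f"entry {n}" if n else "implicit deny"
            print(f"  {flow[0]:>12} -> {flow[1]:<12} {action:6} ({where})")
```

Running it shows the asymmetry the thread stumbles over: the first ACL permits only flows whose destination is 10.2.60.0/24 and drops a server-to-client flow into the implicit deny, while the second explicitly denies 10.2.60.0/24 to 192.168.8.0/24 and permits everything else. Swapping source and destination is therefore not cosmetic; it changes which flows are selected at all.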
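The patterns in the "BGP regular expression" thread depend on the IOS-specific `_` token, which matches a delimiter or a path boundary so that `_111_` does not also match AS 1111. The following added example (mine, not from the thread or from IOS) models that token in Python and runs the two forms proposed in the thread, the `_A_(.*)?_B_` style from Vijay Ramcharan's reply above and the version with explicit `_111_222_` adjacency alternatives from Ran Liebermann's reply below, over constructed AS paths. The model treats `_` as consuming exactly one delimiter character or a boundary; that is an assumption, and under it `_111_.*_222_` cannot match the adjacent path `111 222` because only one space separates the two ASes, which is what the explicit adjacency alternatives cover. Whether a given IOS release behaves the same is something to check on a route server, as Vijay suggests.

```python
"""Cisco IOS AS-path regular expressions, modelled in Python.

Added example for the BGP regular-expression thread; not code from the thread
or from IOS. The one IOS-specific token is '_', which matches a single
delimiter (space, comma, brace, parenthesis) or the start or end of the AS
path. Modelling '_' as exactly that, and nothing else, is the assumption this
example rests on.
"""
import re

# What '_' stands for: a string boundary or one delimiter character.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regexp into a Python regexp."""
    return pattern.replace("_", _UNDERSCORE)


def match_as_path(pattern: str, as_path: str) -> bool:
    """True if the IOS-style pattern matches anywhere in the AS path."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, paths) -> list:
    """Return the AS paths the pattern selects, in order (as 'show ip bgp regexp' would)."""
    return [p for p in paths if match_as_path(pattern, p)]


# Constructed AS paths, written the way 'show ip bgp' prints them
# (nearest AS first, AS_SETs in braces). The first one is from the thread.
AS_PATHS = [
    "3356 7029 11794",   # the route-server example in the thread
    "111 222",           # both ASes, adjacent
    "222 5 111",         # both ASes, other order, one AS between
    "111 9 9 222 7",     # both ASes, neither at the end of the path
    "1111 222",          # 1111 is not 111: must not match
    "111",               # only one of the two ASes
    "222 {111}",         # 111 inside an AS_SET
]

# The two forms from the thread for "AS 111 and AS 222, in either order".
NON_ADJACENT_ONLY = "_111_.*_222_|_222_.*_111_"
WITH_ADJACENT = "_111_222_|_222_111_|_111_.*_222_|_222_.*_111_"


if __name__ == "__main__":
    for name, pat in (("non-adjacent form", NON_ADJACENT_ONLY),
                      ("with adjacent alternatives", WITH_ADJACENT)):
        print(f"{name}: {pat}")
        for p in filter_paths(pat, AS_PATHS):
            print(f"   {p}")
```

The difference between the two result lists is exactly the adjacent path; everything else (ordering, ASes in the middle of the path, the AS_SET, and the rejection of `1111`) is handled the same way by both, because `_` never matches in the middle of an AS number.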
From ranmails at gmail.com Fri Aug 29 00:43:52 2008
From: ranmails at gmail.com (Ran Liebermann)
Date: Fri, 29 Aug 2008 07:43:52 +0300
Subject: [c-nsp] BGP regular expression
In-Reply-To: <1e7e04890808280921x7416312aha5ba037512d0deb0@mail.gmail.com>
References: <1e7e04890808280921x7416312aha5ba037512d0deb0@mail.gmail.com>
Message-ID: <8c19328e0808282143g639151f2o301c6b095e22814@mail.gmail.com>

Try:

#show ip bgp regexp _111_222_|_222_111_|_111_.*_222_|_222_.*_111_

-- 
Ran.

On Thu, Aug 28, 2008 at 7:21 PM, Chintan Shah wrote:
> Hi,
>
> I want to match all routes that have traversed to AS 111 and AS 222. The
> important point is that they can be in any order/sequence. start end
> between, or any one after the other..
>
> Whats reg-expression to use.. how will it look like..
>
> Regards,
> Chintan
>

From justin at justinshore.com Fri Aug 29 02:20:26 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 29 Aug 2008 01:20:26 -0500
Subject: [c-nsp] QoS on an Ethernet Sub-interface
Message-ID: <48B7952A.7090500@justinshore.com>

I've got a QoS question for the group; I'm not a QoS buff, at least not on the nitty gritty details. I'm trying to set up some basic QoS on a 3Mbps PtP Ethernet link. One side uses a full interface for the link on a 2821. My side uses a 1Q sub-interface on a hardwired GigE port in a 2821. I can't apply a matching QoS config due to the sub-interface. I found this guide on how to approach QoS on an Ethernet sub-interface. It specifically states that I have to use a hierarchical QoS policy with shaping in the parent before I can use CBWFQ on the sub-int.
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a0080114326.shtml

The far side uses this:

class-map match-any SIGNAL
 match ip dscp af41
 match ip dscp af31
 match ip dscp cs3
class-map match-any VOICE
 match ip dscp ef
 match ip rtp 16384 16383
!
policy-map WAN_QOS
 class VOICE
  priority percent 35
  set dscp ef
 class SIGNAL
  bandwidth percent 5
  set dscp af31
 class class-default
  fair-queue

I'm looking at applying this:

class-map match-any voip-rtp
 match ip dscp ef
 match ip rtp 16384 16383
!
class-map match-any voip-control
 match ip dscp af41
 match ip dscp af31
 match ip dscp cs3
policy-map voip-child
 class voip-rtp
  priority percent 35
  set dscp ef
 class voip-control
  bandwidth percent 5
  set dscp af31
!
policy-map voip-parent
 class class-default
  shape average ABC
  !
  service-policy voip-child

Overall I think that would work though I'm sure it needs some tweaking. My holdup is the shape average value. I'm trying to understand what it is that I'm shaping with that command. Should the shape value be the max I'm allowing for the VoIP classes referenced by the policy map, the max for the link, or some other value that I'm not thinking of? If it is the voip classes will that affect my percentage commands in the child classes? ie, if the shaping was set at 1Mbps would the 35% in the child come out at 350k?
Thanks
Justin

From ben.steele at internode.on.net Fri Aug 29 02:53:19 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 29 Aug 2008 16:23:19 +0930
Subject: [c-nsp] QoS on an Ethernet Sub-interface
In-Reply-To: <48B7952A.7090500@justinshore.com>
References: <48B7952A.7090500@justinshore.com>
Message-ID: <002401c909a3$ec0a3160$c41e9420$@steele@internode.on.net>

Justin, the shape average is what you are wanting to shape the whole subinterface to in bps, ie if you wanted to shape it to 1Mb then you would have "shape average 1024000". Sometimes a nicer way to do it is just to say "shape average percent 100", which will reference the bandwidth statement on the interface instead.

You are correct in your second statement that shaping average at 1Mb would result in 350Kb for a class with 35%.

Cheers

Ben

------------------------------------------------

Overall I think that would work though I'm sure it needs some tweaking. My holdup is the shape average value. I'm trying to understand what it is that I'm shaping with that command. Should the shape value be the max I'm allowing for the VoIP classes referenced by the policy map, the max for the link, or some other value that I'm not thinking of? If it is the voip classes will that affect my percentage commands in the child classes? ie, if the shaping was set at 1Mbps would the 35% in the child come out at 350k?

Thanks
Justin

From liviu.pislaru at gmail.com Fri Aug 29 02:55:36 2008
From: liviu.pislaru at gmail.com (Liviu Pislaru)
Date: Fri, 29 Aug 2008 09:55:36 +0300
Subject: [c-nsp] SRB4 (was RE: SRC2?)
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as>
Message-ID: <1219992936.6106.16.camel@moby>

hi,

i'm running SRB4 on WS-SUP720-3BXL & WS-F6700-DFC3CXL linecards. i was running SRB2, hit some BUGs and had two options:

1. upgrade to SRB4
2. downgrade to SRA7 (change DFC3CXL linecards)

i went for option 1. and everything is working fine now except my logs are full of these lines:

Aug 29 09:45:59 EETDST: %DIAG-SP-3-TEST_SKIPPED: Module 7: TestFabricFlowControlStatus{ID=33} is skipped
Aug 29 09:46:01 EETDST: %DIAG-SP-3-TEST_SKIPPED: Module 7: TestFabricFlowControlStatus{ID=33} is skipped

[...]
  7    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL     SAL09412THT
  8    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL09368YPZ
[...]

i'm not worried (yet) because cisco says:

=====================================================================
%DIAG-3-TEST_SKIPPED (x1): [chars]: [chars]{ID=[dec]} is skipped
Explanation: The specified diagnostic test cannot be run.
Recommended Action: None. Although the test cannot be run, this message does not indicate a problem.
=====================================================================

or

=====================================================================
%DIAG-3-TEST_SKIPPED (x0): [chars]: [chars]{ID=[dec]} is skipped
Explanation: This message indicates that the diagnostic test cannot be run.
Recommended Action: No action is required. The system is working properly.
=====================================================================

but i had to filter these lines from my logs.

i'm running BGP (full bgp table), MPLS, OSPF, MULTICAST on this router. so i'm pretty pleased with SRB4 until now.

-- 
liviu.

On Wed, 2008-08-13 at 14:58 +0200, Tomas Daniska wrote:
> speaking of the releases... is anyone running SRB4 in production yet?
> 
> cheers
> 
> -- 
> 
> deejay
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Mark Tinka
> > Sent: 13 August 2008 14:04
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] SRC2?
> > 
> > On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote:
> > 
> > > Anyone know when 12.2(33)SRC2 is supposed to be released,
> > > specifically for the 7600. I had heard by the end of
> > > July, but so far no release.
> > 
> > Same here... heard it was meant to be mid-July, but nothing
> > yet.
> > 
> > Having waited this long, it'll come when it comes, I
> > guess :-).
> > 
> > Cheers,
> > 
> > Mark.

From A.L.M.Buxey at lboro.ac.uk Fri Aug 29 03:04:02 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 29 Aug 2008 08:04:02 +0100
Subject: [c-nsp] 6513s and 6700 series blades
In-Reply-To: 
References: 
Message-ID: <20080829070402.GB27310@lboro.ac.uk>

Hi,

> I have been told by our Cisco SE that the 6748 blade will not function
> in blades 1-8, but I wanted to confirm whether that was true. The

why would they lie to you? you can read from the horse's mouth if you really want to, eg

http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf

page 44 (section 3 - part 4) with a nice diagram too

quote (from cisco document)

"When a Cisco Catalyst 6513 is used, the dual channel cards, such as the 6704-4 port 10GigE, the 6708-8 port 10GigE, and the 6748-48 port SFP/copper line cards can be placed only in slots 9 to 13. The single channel line cards such as the 6724-24 port SFP/copper line cards can be used in slots 1 to 8. The Sup720 uses slots 7 and 8, which are single channel 20G fabric attached.
In contrast to the 6513, the 6509 has fewer available slots but can support dual channel modules in all slots because each slot has dual channels to the switch fabric."

alan

From A.L.M.Buxey at lboro.ac.uk Fri Aug 29 03:20:40 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 29 Aug 2008 08:20:40 +0100
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <079b01c90970$092d2330$f211a8c0@flamadam>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam>
Message-ID: <20080829072040.GD27310@lboro.ac.uk>

Hi,

> Latest one running SXH1. No problems so far with FWSM, ACE and 6748s.

we've got a 12.2(33)SXH3 box up and alive now - so far so much better than SXH2 (and 2b) but we've yet to drive packets through in anger. certainly looks like we might be SXH'd by the new year (but don't quote me on that! ;-) )

alan

From ben.steele at internode.on.net Fri Aug 29 03:20:49 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 29 Aug 2008 16:50:49 +0930
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <01c601c90971$d61b5640$825202c0$@id.au>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au> <20080827111208.GA2482@torres.zugschlus.de> <020201c908a8$130cbe60$39263b20$@id.au> <20080828102945.GB12177@torres.zugschlus.de> <01c601c90971$d61b5640$825202c0$@id.au>
Message-ID: <002501c909a7$c36eb290$4a4c17b0$@steele@internode.on.net>

An easier solution, if you really need to go down that path, is to allow all down the VPN (no split tunnel) and have static persistent routes on the client; set up a script or something.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Friday, 29 August 2008 10:25 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

> So that would be
> 
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
> deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> permit ip any 10.2.60.0 0.0.0.255
> 
> But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you need to list each local network specifically in the access list so it won't match. That will be tricky.

B.

From perc69 at gmail.com Fri Aug 29 03:22:04 2008
From: perc69 at gmail.com (Pelle)
Date: Fri, 29 Aug 2008 09:22:04 +0200
Subject: [c-nsp] QoS on an Ethernet Sub-interface
In-Reply-To: <48B7952A.7090500@justinshore.com>
References: <48B7952A.7090500@justinshore.com>
Message-ID: <746ca6da0808290022r49591c5cxce83b739866153c3@mail.gmail.com>

On Fri, Aug 29, 2008 at 08:20, Justin Shore wrote:
> I've got a QoS question for the group; I'm not a QoS buff, at least not on
> the nitty gritty details. I'm trying to set up some basic QoS on a 3Mbps
> PtP Ethernet link. One side uses a full interface for the link on a 2821.
> My side uses a 1Q sub-interface on a hardwired GigE port in a 2821.

Not sure about this "one side" and "my side", but when you use a sub-rate Ethernet service you should apply a HQoS policy (parent shaper + child queues) on both ends of the link. There is no point sending egress traffic at 100Mbps (or even 1000Mbps) speed on your "full interface" 2821 when the actual pipe is just 3Mbps wide.
> policy-map voip-child
>  class voip-rtp
>   priority percent 35
>   set dscp ef
>  class voip-control
>   bandwidth percent 5
>   set dscp af31

If your Ethernet provider supports Ethernet CoS you could also "set cos X" on the interface where you use 802.1q encapsulation. Unfortunately this is not possible on regular Ethernet interfaces. Some SPs do support DSCP for classification of Ethernet frames, so you might be safe any way.

> policy-map voip-parent
>  class class-default
>   shape average ABC
>   !
>   service-policy voip-child

This policy should be attached both on the main interface on one end, and the sub-interface at the other end.

Note: There has been major improvement in HQoS and LLQ in 12.4(20)T, see the thread:
https://puck.nether.net/pipermail/cisco-nsp/2008-August/053616.html

-- 
Pelle

From gert at greenie.muc.de Fri Aug 29 03:33:36 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 29 Aug 2008 09:33:36 +0200
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <48B6CAC3.8000308@templin.org>
Message-ID: <20080829073336.GH233@greenie.muc.de>

Hi,

On Thu, Aug 28, 2008 at 10:56:51AM -0500, Pete Templin wrote:
> Have you looked at their product line lately? I attended one of their
> LAN Switching Update events, and learned a lot about their new products,
> such as 1U 3560E models with 24 or 48 10/100/1000 ports and two X2 10G
> uplinks and dual power. Might that suffice?

Still "full L3" with the L3 price tag.

Something like a 2960G-24TC with dual power would be cool.

gert

-- 
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From overkillxx at gmail.com Fri Aug 29 04:36:47 2008
From: overkillxx at gmail.com (Brett Clausenhauf)
Date: Fri, 29 Aug 2008 18:36:47 +1000
Subject: [c-nsp] FWSM module replacement

Hi Guys,

Shortly I need to replace a FWSM module in a 6500. It is paired with another FWSM module which is now the active module. Looking at the url below it seems to be a straightforward process to replace the module & to get the configuration synced.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html#wp1036343

One thing is not clear though. The module that died is usually the primary module, whilst the current active module is in standby. If I issue the command "Failover" in step 5 after I define the replacement module with all the basic failover variables, including the unique variable of "fail lan unit Primary", will this cause it to override the configuration in the currently active FWSM with that of the newly installed FWSM? I presume not, although I am not 100 percent sure here.

Regards,
Brad

From dean at eatworms.org.uk Fri Aug 29 06:45:43 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Fri, 29 Aug 2008 11:45:43 +0100
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <20080829073336.GH233@greenie.muc.de>
Message-ID: <001b01c909c4$638d89b0$2aa89d10$@org.uk>

Surely 2 basic Switches - With Servers dual homed across giving you independent uplinks to the core, dual control planes and dual power etc gives far better resilience at the price point than a simple switch with an extra PSU ?
From blahu77 at gmail.com Fri Aug 29 06:58:16 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Fri, 29 Aug 2008 11:58:16 +0100
Subject: [c-nsp] how to debug etherchannel on 6500?
In-Reply-To: <48B63445.4010406@forthnet.gr>
Message-ID: <383357750808290358j6e97cf71hf01c07834ba31344@mail.gmail.com>

Tassos,

> Is the "debug etherchannel all" supposed to display anything? If not, is
> there another debug command on the 6500 like the "debug pagp/lacp" on the
> 3750?

when I was testing ME6524s I didn't see any output of the STP debugging until I did "remote command switch debug ..."

It might work for you.
Best Regards,

-- 
-mat

From mh+cisco-nsp at zugschlus.de Fri Aug 29 06:59:54 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Fri, 29 Aug 2008 12:59:54 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Message-ID: <20080829105954.GA27253@torres.zugschlus.de>

On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
> An easier solution if you really need to go down that path is to allow all
> down the vpn (no split tunnel) and have static persistent routes on the
> client, setup a script or something.

Since the client keeps its routing table including the route for the local network, I guess that the VPN Client interferes with the routing in some way.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From mh+cisco-nsp at zugschlus.de Fri Aug 29 07:01:41 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Fri, 29 Aug 2008 13:01:41 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <01c601c90971$d61b5640$825202c0$@id.au>
Message-ID: <20080829110141.GB27253@torres.zugschlus.de>

On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> >  permit ip any 10.2.60.0 0.0.0.255
> >
> > But packets to 192.168.8.1 still go out through the tunnel.
>
> Well, yeah. Because it matches the access list.
> From the sounds of it, you
> need to list each local network specifically in the access list so it won't
> match. That will be tricky.

The following perl script will generate the appropriate access list:

#!/usr/bin/perl -w
use strict;
use Net::Netmask;

# Everything that is not one of the local blocks should be permitted,
# i.e. sent into the tunnel.
my $all = new Net::Netmask("0.0.0.0/0");
my @blocks = ("10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24");
my @blocklist = ();

foreach my $block (@blocks) {
    my $new = new Net::Netmask($block);
    push(@blocklist, $new);
}

print "no ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
print "ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";

# The local blocks are only documented as remarks; see the note below
# about what a deny entry does to evaluation.
foreach my $block (@blocklist) {
    print " remark - this should be deny ip " . $block->base . " " . $block->hostmask . " any\n";
}

# cidrs2inverse() (exported by Net::Netmask) returns the CIDR blocks that
# cover everything in $all except the listed blocks.
foreach my $block (cidrs2inverse($all, @blocklist)) {
    print " permit ip " . $block->base . " " . $block->hostmask . " any\n";
}

and the access list seems to do the job. I didn't try in detail, but it looks like the first deny statement in the access list makes evaluation stop. We'll see how this wrecks performance ;)

Greetings
Marc

From gert at greenie.muc.de Fri Aug 29 07:28:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 29 Aug 2008 13:28:58 +0200
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <001b01c909c4$638d89b0$2aa89d10$@org.uk>
Message-ID: <20080829112858.GK233@greenie.muc.de>

Hi,

On Fri, Aug 29, 2008 at 11:45:43AM +0100, Dean Smith wrote:
> Surely 2 basic Switches - With Servers dual homed across giving you
> independent uplinks to the core, dual control planes and dual power etc
> gives far better resilience at the price point than a simple switch with an
> extra PSU ?

Sometimes this can be done, sometimes not, depending on the customer and server setup. Just telling people "well, get an extra switch and install lots of extra cabling to get power redundancy" is not exactly what people want to hear.

We've been through lots of planned and unplanned power issues in the last year - and especially the planned stuff ("replace USV and power distribution switch") is *very* much less painful with dual PSUs in every (critical) component.

gert
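Marc Haber's perl script (two messages up) hands the complement computation to Net::Netmask's cidrs2inverse. As an added example that is not part of the thread, here is the same construction using only Python's standard-library ipaddress module, so the carving algorithm itself is visible, plus a small check that a local address such as Brett's 192.168.8.1 does not land in any permit entry. The block list and ACL name are the ones from the script; the function names are my own.

```python
import ipaddress
from typing import Iterable, List

# Added example, not Marc's script. The local blocks and the ACL name are
# taken from the thread; everything else is assumed.
LOCAL_BLOCKS = ["10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24"]
ACL_NAME = "DefaultRouteWithoutListedNetsTunnelWorkaround"


def cidrs_inverse(blocks: Iterable[str],
                  universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the minimal set of CIDR networks covering `universe` minus `blocks`.

    This is what Net::Netmask's cidrs2inverse computes. Two CIDR networks are
    either disjoint or nested, never partially overlapping, so each excluded
    block either misses a remaining piece, swallows it, or is carved out of it.
    """
    remaining = [ipaddress.ip_network(universe)]
    for spec in blocks:
        block = ipaddress.ip_network(spec, strict=True)
        nxt = []
        for net in remaining:
            if net.subnet_of(block):
                continue                                   # wholly excluded: drop
            if block.subnet_of(net):
                nxt.extend(net.address_exclude(block))     # carve block out of net
            else:
                nxt.append(net)                            # disjoint: keep as is
        remaining = nxt
    # collapse_addresses is a safety net; the carved pieces are already minimal.
    return sorted(ipaddress.collapse_addresses(remaining))


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACL notation: network address followed by the wildcard (host) mask."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(name: str, local_blocks: Iterable[str]) -> List[str]:
    """Emit the same lines as the perl script: remarks for the local blocks,
    then one permit entry per block of the complement."""
    blocks = list(local_blocks)
    lines = [f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
    for spec in blocks:
        lines.append(f" remark - this should be deny ip "
                     f"{wildcard(ipaddress.ip_network(spec))} any")
    for net in cidrs_inverse(blocks):
        lines.append(f" permit ip {wildcard(net)} any")
    return lines


def goes_into_tunnel(dst: str, local_blocks: Iterable[str]) -> bool:
    """True when dst is matched by a permit entry, i.e. it is not local and
    would be sent into the tunnel. Lets you check the ACL before deploying it."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in cidrs_inverse(local_blocks))


if __name__ == "__main__":
    for line in build_acl(ACL_NAME, LOCAL_BLOCKS):
        print(line)
    # 192.168.8.1 is inside 192.168.8.0/24, so it must stay local.
    print("192.168.8.1 tunneled:", goes_into_tunnel("192.168.8.1", LOCAL_BLOCKS))
```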
From ben.steele at internode.on.net Fri Aug 29 07:55:28 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 29 Aug 2008 21:25:28 +0930
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080829105954.GA27253@torres.zugschlus.de>
Message-ID: <002c01c909ce$21f001e0$65d005a0$@steele@internode.on.net>

By default it will disable local lan access but that can be enabled easily and so can routes to other lans, anything with a more specific prefix than a default route will take precedence over the vpn client.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net On Behalf Of Marc Haber
Sent: Friday, 29 August 2008 8:30 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
> An easier solution if you really need to go down that path is to allow all
> down the vpn (no split tunnel) and have static persistent routes on the
> client, setup a script or something.

Since the client keeps its routing table including the route for the local network, I guess that the VPN Client interferes with the routing in some way.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From shane at short.id.au Fri Aug 29 07:29:38 2008
From: shane at short.id.au (Shane Short)
Date: Fri, 29 Aug 2008 19:29:38 +0800
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <001b01c909c4$638d89b0$2aa89d10$@org.uk>
Message-ID: <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au>

I've had pretty good success doing this in the past, however, I've run double the density and split it over two racks. I.e., 24 Servers per rack, so a 48port switch per rack, with 48 ties between the racks to tie it all together; each server would hit the switch in its own rack, then tie over to the adjacent rack.

The idea generally behind this was to have the servers/switches on opposing phases to eliminate power problems, without having to get Dual Power supplies in the switches themselves.

-Shane

On 29/08/2008, at 6:45 PM, Dean Smith wrote:
> Surely 2 basic Switches - With Servers dual homed across giving you
> independent uplinks to the core, dual control planes and dual power etc
> gives far better resilience at the price point than a simple switch with an
> extra PSU ?
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net On Behalf Of Gert Doering
> Sent: 29 August 2008 08:34
> To: Pete Templin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Few questions regarding fixed vs modular and when which
> is better.
From moua0100 at umn.edu Fri Aug 29 09:27:21 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 29 Aug 2008 08:27:21 -0500
Subject: [c-nsp] FWSM module replacement
Message-ID: <000901c909da$f8cb66d0$31dd5ea0@ad.umn.edu>

Be careful here (as I've made this mistake already):

* Set the good fwsm to 'primary - active'
* before you bring up the fail-over link, set the replacement to 'secondary - standby'
* as soon as you bring up the fail-over link the sync happens automatically
* you can change the unit designation after this
* be careful not to bring the replacement unit online in 'primary - active', otherwise a blank config will be synced between them (this is bad, & I've done this before).

Good luck.
Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From Jeff.Meyers at gmx.net Fri Aug 29 09:43:36 2008
From: Jeff.Meyers at gmx.net (Jeff Meyers)
Date: Fri, 29 Aug 2008 15:43:36 +0200
Subject: [c-nsp] Catalyst 650x sup2 or sup32
Message-ID: <48B7FD08.30204@gmx.net>

Hello list,

we're currently planning some upgrades for our network. We want to remove all Layer-3 edge functionality away from our Juniper routers to some Cisco 650x switch/router.
The requirements for this box are rather simple:

- redundant Management with a _very_ short fail-over time
- GigE right now is sufficient
- OSPF
- IPv4 and IPv6 routing in hardware
- only one OSPF database + all local routes + default-route of course
- ACLs of course for edge filters

Since our experience with those boxes is rather low, we are not sure what exactly we need. A sup32 seems to be a good choice but is a lot more expensive than e.g. a sup2. So will a sup2 do this job here? Which daughterboards would we need? Is a modern IOS available for this sup or is it even the same as those that are used on sup32 and sup720?

Does the sup2 support stateful fail-over, especially for ospf? Is 10G possible with a sup2? Do the following modules work with the sup2:

WS-X6516-GE-TX
WS-X6516-GBIC

Is there a fixed bandwidth assigned to each slot or is the (32GBit?) shared bus dynamically allocated to the linecards?

Thanks!

From mcgrath at fas.harvard.edu Fri Aug 29 09:46:49 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Fri, 29 Aug 2008 09:46:49 -0400
Subject: [c-nsp] Catalyst 650x sup2 or sup32
In-Reply-To: <48B7FD08.30204@gmx.net>
Message-ID: <48B7FDC9.5070803@fas.harvard.edu>

Sup32 - Sup2 is obsolete. It's had a GREAT run; we just took our last sup 2's out of production this year and they were installed in 2000, so in a technology sense they were almost immortal - Sup2 does not support ipv6 in hardware - going forward Cisco will be supporting the Sup32, not the 2.

Jeff Meyers wrote:
> Hello list,
>
> we're currently planning some upgrades for our network. We want to
> remove all Layer-3 edge functionality away from our Juniper routers to
> some Cisco 650x switch/router.
From ross at kallisti.us Fri Aug 29 10:02:05 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 29 Aug 2008 10:02:05 -0400
Subject: [c-nsp] SNMP access to err-disable on 2960s
Message-ID: <20080829140205.GA14820@kallisti.us>

Hi everyone,

Trying to find a way to access the err-disable status of a port via SNMP. The only way I've found to do that is to get CISCO-STACK-MIB::portAdditionalOperStatus. Unfortunately, the 2960s don't have anything at this OID, even though they support a bunch of other stuff from the stack mib. For that matter, neither our 6500s nor 3750s have this value either.

An interface in err-disable has ifAdminStat up, ifOperStat down, and CISCO-STACK-MIB::portOperStatus other - it seems indistinguishable from a link that is just down/down.
Has anyone found any clever set of things that indicate an err-disable Catalyst interface that can be fetched via SNMP?

-- 
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From Robert.Smales at cw.com Fri Aug 29 10:25:00 2008
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 29 Aug 2008 15:25:00 +0100
Subject: [c-nsp] The Internet's Biggest Security Hole
Message-ID: <602ACF092EFFB044931BD8746C19AD2F84278F@gbcwswiem006.ad.plc.cwintra.com>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net On Behalf Of Ziv Leyes
> Sent: 28 August 2008 08:12
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] The Internet's Biggest Security Hole
>
> I know this is not cisco related, but it's of every network
> admin's concern in general.
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

'Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said. "Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."'

But

'. . . For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated.
An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.'

And this is going to be less hassle than using RTConfig or a similar script to rebuild your prefix filters a couple of times a day?

Robert

Robert Smales
IP Provide Engineer
Cable&Wireless Europe, Asia & US
www.cw.com

From ecables at gmail.com Fri Aug 29 12:02:08 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 29 Aug 2008 09:02:08 -0700
Subject: [c-nsp] 6513s and 6700 series blades
In-Reply-To: <20080829070402.GB27310@lboro.ac.uk>

Thanks for the link. Just to clarify, I didn't think he was "lying" to me, which is pretty harsh. I simply wanted a document stating what you've quoted, which he did not provide. Do you always believe everything your SE tells you? :-)

Thanks,

On Fri, Aug 29, 2008 at 12:04 AM, wrote:
> Hi,
>
>> I have been told by our Cisco SE that the 6748 blade will not function
>> in blades 1-8, but I wanted to confirm whether that was true.
-- 
Eric Cables

From jloiacon at csc.com Fri Aug 29 11:34:56 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri, 29 Aug 2008 11:34:56 -0400
Subject: [c-nsp] Netflow software
In-Reply-To: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com>

Take a look also at the flowtools, FlowViewer combination. Open-source.

flowtools: http://www.splintered.net/sw/flow-tools
FlowViewer: http://ensight.eos.nasa.gov/FlowViewer

Joe

Troy Beisigl
Sent by: cisco-nsp-bounces at puck.nether.net
08/27/2008 03:43 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Netflow software

Hi,

We are putting together a system to run netflow software for tracking traffic usage in and out of our network based on ASN. Can someone recommend a stable software package? We would prefer not to run this on a windows machine if at all possible.
Thanks,
Troy

From lmeade at signal.ca Fri Aug 29 12:35:48 2008
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 29 Aug 2008 09:35:48 -0700
Subject: [c-nsp] 6509-E blade question
In-Reply-To: <20080829070402.GB27310@lboro.ac.uk>

I have a sup32 engine and a ws-x6724-sfp blade. I know that it is not supported in native IOS, but have been told that it will work under CATOS. Can anyone shed some light on this for me and point me in a direction to look.

I thought it will only work under Sup720's.

Leslie

From troy at i2bnetworks.com Fri Aug 29 12:53:28 2008
From: troy at i2bnetworks.com (Troy Beisigl)
Date: Fri, 29 Aug 2008 09:53:28 -0700
Subject: [c-nsp] Netflow software
Message-ID: <771B8488-9F08-455E-A4F4-056D167B3F8E@i2bnetworks.com>

Thanks Joe. I will check it out. And thanks everyone else who gave their input too. Everyone has been real helpful.

Thanks again,
Troy

On Aug 29, 2008, at 8:34 AM, Joe Loiacono wrote:
> Take a look also at the flowtools, FlowViewer combination. Open-source.
>
> flowtools: http://www.splintered.net/sw/flow-tools
> FlowViewer: http://ensight.eos.nasa.gov/FlowViewer
>
> Joe
>
> Troy Beisigl
> Sent by: cisco-nsp-bounces at puck.nether.net
> 08/27/2008 03:43 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Netflow software
>
> Hi,
>
> We are putting together a system to run netflow software for tracking
> traffic usage in and out of our network based on ASN. Can someone
> recommend a stable software package? We would prefer not to run this
> on a windows machine if at all possible.
From justin at justinshore.com Fri Aug 29 12:56:04 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 29 Aug 2008 11:56:04 -0500
Subject: [c-nsp] QoS on an Ethernet Sub-interface
In-Reply-To: <002401c909a3$ec0a3160$c41e9420$@steele@internode.on.net>
Message-ID: <48B82A24.2080301@justinshore.com>

Ben,

Thanks for clarifying that. Just so you know, I tried the 'percent 100' option but ran into a snag. I'd get this error whenever I tried to apply the policy to the interface:

cir must fall between 8000 and 154400000 bps

With a little Googling I determined that I had to define an actual bandwidth value instead of a percent for whatever reason. I changed it to 3000 and I could then apply the policy. My code is 12.4(9)T1 which could be the problem. Otherwise that got me up and running.

Thanks!
Justin

Ben Steele wrote:
> Justin, the shape average is what you are wanting to shape the whole
> subinterface to in bps, ie if you wanted to shape it to 1Mb then you would
> have shape average 1024000, sometimes a nicer way to do it is just say
> "shape average percent 100" which will reference the bandwidth statement on
> the interface instead.
>
> You are correct in your second statement that shaping average at 1Mb would
> result in 350Kb for a class with 35%

From justin at justinshore.com Fri Aug 29 12:59:36 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 29 Aug 2008 11:59:36 -0500
Subject: [c-nsp] QoS on an Ethernet Sub-interface
In-Reply-To: <746ca6da0808290022r49591c5cxce83b739866153c3@mail.gmail.com>
Message-ID: <48B82AF8.80408@justinshore.com>

Pelle wrote:
> Not sure about this "one side" and "my side", but when you use a
> sub-rate Ethernet service you should apply a HQoS policy (parent
> shaper + child queues) on both ends of the link. There is no point
> sending egress traffic at 100Mbps (or even 1000Mbps) speed on your
> "full interface" 2821 when the actual pipe is just 3Mbps wide.

Unfortunately I don't admin the remote end of the link. I'll send them my config and ask them to change it on their side. I agree that line-rate traffic shouldn't be stuffed into a sub-rate queue on the transport provider's side. That's asking for trouble.

> If your Ethernet provider support Ethernet CoS you could also "set cos
> X" on the interface where you use 802.1q encapsulation. Unfortunately
> this is not possible on regular Ethernet interfaces. Some SP's do
> support DSCP for classification of Ethernet frames, so you might be
> safe any way.

I don't believe they do. Currently the L2 path isn't 1Q but it may be possible to change that. I'll have to make some inquiries.

> This policy should be attached both on the main interface on one end,
> and the sub-interface at the other end.

Right. That's essentially what we've got. They just had a free port on their 2821 when they set up their end. On our end we had to bring it into a switch and trunk it up to the router. I'm planning on moving the core routing over to the 3560E switch soon to get rid of the router-on-a-stick we have now.
> Note: There has been major improvement in HQoS and LLQ in 12.4(20)T,
> see the thread:
> https://puck.nether.net/pipermail/cisco-nsp/2008-August/053616.html

I was reading about that. I would have loaded it the other night but my CF card was too small. I'll have to try that in a later window.

Thanks for the info
Justin

From gert at greenie.muc.de Fri Aug 29 13:06:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 29 Aug 2008 19:06:23 +0200
Subject: [c-nsp] 6509-E blade question
Message-ID: <20080829170623.GS233@greenie.muc.de>

Hi,

On Fri, Aug 29, 2008 at 09:35:48AM -0700, Leslie Meade wrote:
> I have a sup32 engine and a ws-x6724-sfp blade. I know that it is not
> supported in native IOS, but have been told that it will work under CATOS.
> Can anyone shed some light on this for me and point me in a direction to look.
>
> I thought it will only work under Sup720's.

My understanding is that the 67xx blades will only work on a fabric-equipped system, and the Sup32 doesn't have one - so you need a sup720 or rsp720.

(This might be wrong, and it might fall back to the shared bus, as all 67xx cards *do* have a bus connector - it's mainly a question of "how useful is a 24 gbit card on a 8 gbit bus" and "will the software support it?").

gert
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From lmeade at signal.ca Fri Aug 29 13:21:52 2008
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 29 Aug 2008 10:21:52 -0700
Subject: [c-nsp] 6509-E blade question
In-Reply-To: <20080829170623.GS233@greenie.muc.de>
References: <20080829070402.GB27310@lboro.ac.uk> <20080829170623.GS233@greenie.muc.de>

Is it possible to move to CATOS from NATIVE ?

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Friday, August 29, 2008 10:06 AM
To: Leslie Meade
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509-E blade question

Hi,

On Fri, Aug 29, 2008 at 09:35:48AM -0700, Leslie Meade wrote:
> I have a sup32 engine and a ws-x6724-spf blade. I know that it is not supported in native IOS, but have been told that it will work under CATOS.
> Can anyone shed some light on this for me and point me in a direction to look.
>
> I thought it will only work under Sup720's.

My understanding is that the 67xx blades will only work on a fabric-equipped system, and the Sup32 doesn't have one - so you need a sup720 or rsp720.

(This might be wrong, and it might fall back to the shared bus, as all 67xx cards *do* have a bus connector - it's mainly a question of "how useful is a 24 gbit card on a 8 gbit bus" and "will the software support it?").

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From tstevens at cisco.com Fri Aug 29 13:23:28 2008
From: tstevens at cisco.com (Tim Stevenson)
Date: Fri, 29 Aug 2008 10:23:28 -0700
Subject: [c-nsp] 6509-E blade question
References: <20080829070402.GB27310@lboro.ac.uk>

It will NOT work with sup32 in any OS. Even with CFC, there is no data path to the legacy bus in 67xx cards, only a control path (ie, headers for central lookups).
And of course, there is no xbar on sup32.

Tim

At 09:35 AM 8/29/2008, Leslie Meade observed:
> I have a sup32 engine and a ws-x6724-spf blade. I know that it is not supported in native IOS, but have been told that it will work under CATOS.
> Can anyone shed some light on this for me and point me in a direction to look.
>
> I thought it will only work under Sup720's.
>
> Leslie
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.

From cisco-nsp at slepicka.net Fri Aug 29 13:42:39 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 29 Aug 2008 12:42:39 -0500
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au>
References: <48B6C5AE.5030501@lumison.net> <48B6CAC3.8000308@templin.org> <20080829073336.GH233@greenie.muc.de> <001b01c909c4$638d89b0$2aa89d10$@org.uk> <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au>
Message-ID: <48B8350F.3060308@slepicka.net>

This is more or less what I do as well and I'm pretty happy with it. Cabinets have 48-port patch panels tied over to a relay rack. In one cabinet, the first half of the ports go to switch A, the other half to switch B. Same thing in the second cabinet, except A/B are reversed, so each pair of cabinets shares a pair of switches. It's effectively a top-of-rack design, except that the switches are located at the end of the row. See http://slepicka.net/physicaldesign.png to get an idea of what I'm talking about.
Access layer switches are 4948-10GEs w/ dual power supplies connected to 6506s w/ 6704-10GEs in the distribution layer.

The biggest benefit of this config is that cable management is a snap and it's really easy to replace a switch if you need to. Instead of messing around with a switch and a ton of cables at the top of the cabinet, I only need to move around a bunch of 1 foot cables in the rack. I suppose the same thing could be done in the cabinet at the expense of additional space. A ports are always the primary, and B's are backup. With a 10Gb link to the distribution layer, that means I'm running at about 2.4:1 oversubscription assuming everything is happy. Downsides are that cabling can be expensive (all that CAT-6 vs. some fiber) and that it's tough for the server guys to figure out what switch/port they're plugging into at times.

I do hope that Cisco doesn't EOL the 4948-10GE without releasing a switch with similar features in a 1U form factor.

James

Shane Short wrote:
> I've had pretty good success doing this in the past, however, I've run double the density and split it over two racks.
> Ie, 24 Servers per rack, so a 48port switch per rack, with 48 ties between the rack to tie it all together, each server would hit the switch in its own rack, then tie over to the adjacent rack.
>
> Idea generally behind this was to have the servers/switches on opposing phases to eliminate power problems, without having to get Dual Power supplies in the switches themselves.
>
> -Shane
>
> On 29/08/2008, at 6:45 PM, Dean Smith wrote:
>
>> Surely 2 basic Switches - With Servers dual homed across giving you independent uplinks to the core, dual control planes and dual power etc gives far better resilience at the price point than a simple switch with an extra PSU ?
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
>> Sent: 29 August 2008 08:34
>> To: Pete Templin
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Few questions regarding fixed vs modular and when which is better.
>>
>> Hi,
>>
>> On Thu, Aug 28, 2008 at 10:56:51AM -0500, Pete Templin wrote:
>>> Have you looked at their product line lately? I attended one of their LAN Switching Update events, and learned a lot about their new products, such as 1U 3560E models with 24 or 48 10/100/1000 ports and two X2 10G uplinks and dual power. Might that suffice?
>>
>> Still "full L3" with the L3 price tag.
>>
>> Something like a 2960G-24TC with dual power would be cool.
>>
>> gert
>>
>> --
>> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
>> Gert Doering - Munich, Germany gert at greenie.muc.de
>> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From christian at broknrobot.com Fri Aug 29 13:48:48 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 29 Aug 2008 13:48:48 -0400
Subject: [c-nsp] Netflow software
In-Reply-To: <069301c9088b$69556410$31dd5ea0@ad.umn.edu>
References: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com> <069301c9088b$69556410$31dd5ea0@ad.umn.edu>

i second using the nfsen/dump tools

On Wed, Aug 27, 2008 at 5:25 PM, Ge Moua wrote:
> Nfsen w/ nfdump engine.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Troy Beisigl
> Sent: Wednesday, August 27, 2008 2:44 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Netflow software
>
> Hi,
>
> We are putting together a system to run netflow software for tracking traffic usage in and out of our network based on ASN. Can someone recommend a stable software package? We would prefer not to run this on a windows machine if at all possible.
>
> Thanks,
>
> Troy

From sethm at rollernet.us Fri Aug 29 14:14:49 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 29 Aug 2008 11:14:49 -0700
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <48B8350F.3060308@slepicka.net>
References: <48B6C5AE.5030501@lumison.net> <48B6CAC3.8000308@templin.org> <20080829073336.GH233@greenie.muc.de> <001b01c909c4$638d89b0$2aa89d10$@org.uk> <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au> <48B8350F.3060308@slepicka.net>
Message-ID: <48B83C99.9020302@rollernet.us>

James Slepicka wrote:
> This is more or less what I do as well and I'm pretty happy with it. Cabinets have 48-port patch panels tied over to a relay rack. In one cabinet, the first half of the ports go to switch A, the other half to switch B.
> Same thing in the second cabinet, except A/B are reversed, so each pair of cabinets shares a pair of switches. It's effectively a top-of-rack design, except that the switches are located at the end of the row. See http://slepicka.net/physicaldesign.png to get an idea of what I'm talking about. Access layer switches are 4948-10GEs w/ dual power supplies connected to 6506s w/ 6704-10GEs in the distribution layer.
>
> The biggest benefit of this config is that cable management is a snap and it's really easy to replace a switch if you need to. Instead of messing around with a switch and a ton of cables at the top of the cabinet, I only need to move around a bunch of 1 foot cables in the rack. I suppose the same thing could be done in the cabinet at the expense of additional space. A ports are always the primary, and B's are backup. With a 10Gb link to the distribution layer, that means I'm running at about 2.4:1 oversubscription assuming everything is happy. Downsides are that cabling can be expensive (all that CAT-6 vs. some fiber) and that it's tough for the server guys to figure out what switch/port they're plugging into at times.
>
> I do hope that Cisco doesn't EOL the 4948-10GE without releasing a switch with similar features in a 1U form factor.

I do the same thing (patch panels to switch racks) but for a different reason: routers and switches frequently have incompatible airflow compared to front-to-back rack mount servers. This way, I can keep all my server racks as front-to-back airflow and the side vent, back-to-front vent (even passive cooling) routing/switching/monitoring gear have their own special area.

--
Seth Mattinen sethm at rollernet.us
Roller Network LLC

From kratzers at pa.net Fri Aug 29 14:54:03 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Fri, 29 Aug 2008 14:54:03 -0400
Subject: [c-nsp] PA-POS-OC3SMI vs.
PA-POS-OC3SML
Message-ID: <200808291454.03298.kratzers@pa.net>

All,

We're looking to turn up an OC3 with Level3, but we've been unable to get a hardware recommendation from them. All we know is that it'll be single mode using SC connectors. Is the PA-POS-OC3SMI a safe bet, or do we need to get distance information and purchase accordingly? Thanks.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From gert at greenie.muc.de Fri Aug 29 15:35:20 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 29 Aug 2008 21:35:20 +0200
Subject: [c-nsp] 6509-E blade question
References: <20080829070402.GB27310@lboro.ac.uk> <20080829170623.GS233@greenie.muc.de>
Message-ID: <20080829193519.GT233@greenie.muc.de>

Hi,

On Fri, Aug 29, 2008 at 10:21:52AM -0700, Leslie Meade wrote:
> Is it possible to move to CATOS from NATIVE ?

Sure. Just check CCO, there's conversion instructions for both directions.

(Now I don't know whether there *is* a CatOS for Sup32, but CCO will tell)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From gert at greenie.muc.de Fri Aug 29 15:37:08 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 29 Aug 2008 21:37:08 +0200
Subject: [c-nsp] 6509-E blade question
References: <20080829070402.GB27310@lboro.ac.uk>
Message-ID: <20080829193708.GU233@greenie.muc.de>

Hi,

On Fri, Aug 29, 2008 at 10:23:28AM -0700, Tim Stevenson wrote:
> It will NOT work with sup32 in any OS. Even with CFC, there is no data path to the legacy bus in 67xx cards, only a control path (ie, headers for central lookups). And of course, there is no xbar on sup32.

Ah! That's the issue.
I always wondered whether or not it would be possible hardware-wise or not (and if not, why not, since it has to have a connection for the bus, for the headers). Thanks for explaining.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From Jaime at ulima.edu.pe Fri Aug 29 14:50:04 2008
From: Jaime at ulima.edu.pe (Velasquez Venegas Jaime Omar)
Date: Fri, 29 Aug 2008 13:50:04 -0500
Subject: [c-nsp] FWSM module replacement
In-Reply-To: <000901c909da$f8cb66d0$31dd5ea0@ad.umn.edu>
Message-ID: <8DD1F4B50477AC45A35AB5F8C03B62C40185678A@sauce.ulima.ul>

Always it's handy to have a backup of all your current configuration files (i.e. system config and all of the other contexts). If something unexpected comes up it's fairly easy to replace a blank configuration file.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
Sent: Friday, August 29, 2008 8:27 AM
To: 'Brett Clausenhauf'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM module replacement

Be careful here (as I've made this mistake already):
* Set the good fwsm to 'primary - active'
* before you bring up the fail-over link, set the replacement to 'secondary - standby'
* as soon as you bring up the fail-over link the sync happens automatically
* you can change the unit designation after this
* be careful not to bring the replacement unit online in 'primary - active', otherwise a blank config will be synced between them (this is bad, & I've done this before).

Good luck.
Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Clausenhauf
Sent: Friday, August 29, 2008 3:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FWSM module replacement

Hi Guys,

Shortly I need to replace a FWSM module in a 6500. It is paired with another FWSM module which is now the active module.

Looking at this below url it seems to be a straight forward process to replace the module & to get the configuration sync'ed.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html#wp1036343

One thing is not clear though. The module that died is usually the primary module, whilst the current active module is in standby.. If I issue the command "Failover" in step 5 after I define the replacement module with all the basic failover variables including the unique variable of *fail lan unit Primary will this cause it to override the configuration in the currently active FWSM with that of the newly installed FWSM? I presume not, although I am not 100 percent sure here.*

Regards,

Brad

From alexmoya at bellsouth.net Fri Aug 29 16:20:48 2008
From: alexmoya at bellsouth.net (Alex Moya)
Date: Fri, 29 Aug 2008 16:20:48 -0400
Subject: [c-nsp] PA-POS-OC3SMI vs.
PA-POS-OC3SML
In-Reply-To: <200808291454.03298.kratzers@pa.net>
References: <200808291454.03298.kratzers@pa.net>

I currently use the smi at both ends with Level 3 on 7204vxr's works fine for me. I can post the interface info later if you like and post the part numbers from the sales order

Sent from my iPhone

On Aug 29, 2008, at 2:54 PM, Stephen Kratzer wrote:
> All,
>
> We're looking to turn up an OC3 with Level3, but we've been unable to get a hardware recommendation from them. All we know is that it'll be single mode using SC connectors. Is the PA-POS-OC3SMI a safe bet, or do we need to get distance information and purchase accordingly? Thanks.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.

From streiner at cluebyfour.org Fri Aug 29 17:25:39 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 29 Aug 2008 17:25:39 -0400 (EDT)
Subject: [c-nsp] FWSM module replacement
In-Reply-To: <8DD1F4B50477AC45A35AB5F8C03B62C40185678A@sauce.ulima.ul>
References: <8DD1F4B50477AC45A35AB5F8C03B62C40185678A@sauce.ulima.ul>

On Fri, 29 Aug 2008, Velasquez Venegas Jaime Omar wrote:
> Always it's handy to have a backup of all your current configuration files (i.e. system config and all of the other contexts). If something unexpected comes up it's fairly easy to replace a blank configuration file.

That, and also make sure that the replacement blade is licensed for the same number of contexts as the original one.
jms

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Friday, August 29, 2008 8:27 AM
> To: 'Brett Clausenhauf'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FWSM module replacement
>
> Be careful here (as I've made this mistake already):
> * Set the good fwsm to 'primary - active'
> * before you bring up the fail-over link, set the replacement to 'secondary - standby'
> * as soon as you bring up the fail-over link the sync happens automatically
> * you can change the unit designation after this
> * be careful not to bring the replacement unit online in 'primary - active', otherwise a blank config will be synced between them (this is bad, & I've done this before).
>
> Good luck.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Clausenhauf
> Sent: Friday, August 29, 2008 3:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] FWSM module replacement
>
> Hi Guys,
>
> Shortly I need to replace a FWSM module in a 6500. It is paired with another FWSM module which is now the active module.
>
> Looking at this below url it seems to be a straight forward process to replace the module & to get the configuration sync'ed.
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html#wp1036343
>
> One thing is not clear though. The module that died is usually the primary module, whilst the current active module is in standby..
> If I issue the command "Failover" in step 5 after I define the replacement module with all the basic failover variables including the unique variable of *fail lan unit Primary will this cause it to override the configuration in the currently active FWSM with that of the newly installed FWSM? I presume not, although I am not 100 percent sure here.*
>
> Regards,
>
> Brad

From streiner at cluebyfour.org Fri Aug 29 22:28:35 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 29 Aug 2008 22:28:35 -0400 (EDT)
Subject: [c-nsp] bridging/L2TPv3 between PIX and 2821?

I have a client who has some legacy gear at a remote site that needs to talk to other gear back at their main office. Trick is, that the gear is legacy enough that it has no concept of a default gateway, so all of the legacy pieces need to be or functionally appear to be in the same subnet.

The traffic between the sites needs to be encrypted, but since some of the IP space on both ends would appear to be on the same subnet, getting IPSEC to work would be problematic.

If I had routers at both locations, I could probably do this with an L2TPv3 pseudowire, but there's a PIX involved, and I don't think it knows L2TPv3 well enough to be able to let me pass a pseudowire through...
MPLS would be nice too, but that's not an option in this design.

Has anyone here tackled something like this before?

jms

From danletkeman at gmail.com Fri Aug 29 23:40:35 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 29 Aug 2008 22:40:35 -0500
Subject: [c-nsp] 827 nat translations

How many nat translations could an 827 router handle? This is for a school environment where there are about 300 workstations (assuming that not everyone would be browsing at once) and a 7mbit internet connection. Could this router handle this kind of load? Is there anything I could do to take the load off the cpu?

Thanks,
Dan.

From adrian at creative.net.au Sat Aug 30 01:10:18 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Sat, 30 Aug 2008 13:10:18 +0800
Subject: [c-nsp] 827 nat translations
Message-ID: <20080830051018.GA19179@skywalker.creative.net.au>

On Fri, Aug 29, 2008, Dan Letkeman wrote:
> How many nat translations could an 827 router handle? This is for a school environment where there are about 300 workstations (assuming that not everyone would be browsing at once) and a 7mbit internet connection. Could this router handle this kind of load?

Sort of!

> Is there anything I could do to take the load off the cpu?

Grab the latest image and make -certain- you set:

* the global NAT table limit;
* the per-IP NAT table entry limit;
* protocol timeouts.

Exhausting memory w/ NAT table entries on the 827 is a trivial thing to do with a single PC running bittorrent. 300 PCs could be a bit of a challenge. That said, IIRC exhaustion hit with ~ 5000 NAT entries, so YMMV.

You may discover after the above that you still run out of RAM. You may also find you don't run out of RAM but connections still mysteriously disappear. In which case, do what I did - grab some other device to do NAT and leave the 827 as a router/bridge.
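The three NAT-table safeguards Adrian lists (a global entry cap, a per-inside-host entry cap and per-protocol idle timeouts), modelled as an added example so the interaction is visible. This is not code from the thread and not how IOS implements NAT; the 5000-entry ceiling is taken from Adrian's rough recollection above and used here only as a constructed table size, and the addresses, the 6000-flow peer-to-peer host and the 30 workstations are constructed inputs.

```python
"""Toy NAT translation table with a global cap, a per-host cap and idle
timeouts.  Added example; the model and all inputs are assumptions, not IOS."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, int]   # (inside host, protocol, flow id)


@dataclass
class NatTable:
    max_entries: int                  # global cap on live translations
    max_per_host: Optional[int]       # per-inside-host cap; None = no per-host limit
    timeouts: Dict[str, int]          # idle seconds per protocol before an entry ages out
    entries: Dict[Key, int] = field(default_factory=dict)    # key -> last seen (seconds)
    per_host: Dict[str, int] = field(default_factory=dict)   # host -> live entry count
    denied: int = 0
    _last_sweep: int = -1

    def _sweep(self, now: int) -> None:
        """Drop entries idle for at least their protocol's timeout (once per tick)."""
        if now == self._last_sweep:
            return
        self._last_sweep = now
        for key, last in list(self.entries.items()):
            host, proto, _ = key
            if now - last >= self.timeouts[proto]:
                del self.entries[key]
                self.per_host[host] -= 1

    def translate(self, host: str, proto: str, flow: int, now: int) -> bool:
        """True if a translation exists or could be created for this flow."""
        self._sweep(now)
        key = (host, proto, flow)
        if key in self.entries:          # existing flow: refresh its idle timer
            self.entries[key] = now
            return True
        if len(self.entries) >= self.max_entries:          # global cap hit
            self.denied += 1
            return False
        if self.max_per_host is not None and self.per_host.get(host, 0) >= self.max_per_host:
            self.denied += 1                               # this host already has its share
            return False
        self.entries[key] = now
        self.per_host[host] = self.per_host.get(host, 0) + 1
        return True


def simulate(max_per_host: Optional[int], max_entries: int = 5000,
             udp_timeout: int = 300, tcp_timeout: int = 86400) -> dict:
    """One P2P host floods the table at t=0, then 30 workstations try to browse at t=1.
    Returns what the P2P host got, how many browsing flows succeeded, and how many
    entries remain once the UDP idle timeout has aged the P2P entries out."""
    table = NatTable(max_entries, max_per_host,
                     {"udp": udp_timeout, "tcp": tcp_timeout})
    p2p = "10.0.0.50"                                  # constructed inside address
    for flow in range(6000):                           # 6000 UDP flows from one PC
        table.translate(p2p, "udp", flow, now=0)
    p2p_entries = table.per_host[p2p]
    browse_ok = 0
    for h in range(1, 31):                             # 30 workstations, 5 TCP flows each
        for flow in range(5):
            browse_ok += table.translate(f"10.0.1.{h}", "tcp", flow, now=1)
    # after the UDP idle timeout the P2P entries age out and room returns
    table.translate("10.0.2.1", "tcp", 0, now=1 + udp_timeout)
    return {
        "p2p_entries": p2p_entries,
        "browse_ok": browse_ok,
        "denied": table.denied,
        "entries_after_udp_timeout": len(table.entries),
    }


if __name__ == "__main__":
    for limit in (None, 200):
        print(f"per-host limit {limit}: {simulate(limit)}")
```

With no per-host limit the single P2P host takes the whole table and every workstation flow is refused; with a per-host limit of 200 the workstations are unaffected, and the idle timeout is what eventually returns the P2P host's entries to the pool.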
Adrian

From achatz at forthnet.gr Sat Aug 30 04:59:52 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 30 Aug 2008 11:59:52 +0300
Subject: [c-nsp] bridging/L2TPv3 between PIX and 2821?
Message-ID: <48B90C08.6060908@forthnet.gr>

Justin,

Justin M. Streiner wrote on 30/08/2008 05:28:
> I have a client who has some legacy gear at a remote site that needs to talk to other gear back at their main office. Trick is, that the gear is legacy enough that it has no concept of a default gateway, so all of the legacy pieces need to be or functionally appear to be in the same subnet.
>
> The traffic between the sites needs to be encrypted, but since some of the IP space on both ends would appear to be on the same subnet, getting IPSEC to work would be problematic.
>
> If I had routers at both locations, I could probably do this with an L2TPv3 pseudowire, but there's a PIX involved, and I don't think it knows L2TPv3 well enough to be able to let me pass a pseudowire through...
>

L2TPv3 over IP uses ip protocol 115 (which can be changed with "ip protocol X" under the pseudowire-class), so I don't think there should be any problem with PIX recognizing it.

Am I missing anything?

--
Tassos

> MPLS would be nice too, but that's not an option in this design.
>
> Has anyone here tackled something like this before?
>
> jms

From justin at justinshore.com Sat Aug 30 05:03:43 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 30 Aug 2008 04:03:43 -0500
Subject: [c-nsp] 12.4(20)T oddities
Message-ID: <48B90CEF.8050808@justinshore.com>

I upgraded a 2811 to 20T the other night. I did another 2811 tonight after a different maintenance window.
The routers are basically identical, except for the quantity of modules installed in them.

I noticed the first night that I was seeing a number of tracebacks. Nothing was a show-stopper though. One happened on boot and I don't have it handy at the moment. Here are 2 that I still have in the log:

000435: Aug 27 00:47:47 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Call Manager XML client", ipl= 0, pid= 342,
-Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260

000440: Aug 27 00:49:20 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "SSH Process", ipl= 0, pid= 317,
-Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260

Another odd thing that I noticed was that SSH from SecureCRT broke after the upgrade. SSH from a Linux command line (OpenSSH) still works though. This error is logged on the router:

000552: Aug 30 03:45:26.430 CDT: SSH2 0: Invalid modulus length

I wiped the router's RSA keys and regenerated them first with a 2048 bit modulus and then 1024 bit. Neither solved the problem. I even removed the local SecureCRT known_hosts key for that host (though that shouldn't have mattered because SCRT will prompt you if the key has changed).
Below is the output from debug ip ssh packet/detail:

001258: Aug 30 03:53:11.320 CDT: SSH0: starting SSH control process
001259: Aug 30 03:53:11.320 CDT: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
001260: Aug 30 03:53:11.324 CDT: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.0.0 (build 183) SecureCRT
001261: Aug 30 03:53:11.324 CDT: SSH2 0: send:packet of length 344 (length also includes padlen of 5)
001262: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT sent
001263: Aug 30 03:53:11.324 CDT: SSH2 0: ssh_receive: 424 bytes received
001264: Aug 30 03:53:11.324 CDT: SSH2 0: input: total packet length of 424 bytes
001265: Aug 30 03:53:11.324 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 416 bytes, maclen 0
001266: Aug 30 03:53:11.324 CDT: SSH2 0: input: padlength 7 bytes
001267: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT received
001268: Aug 30 03:53:11.324 CDT: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
001269: Aug 30 03:53:11.328 CDT: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5
001270: Aug 30 03:53:11.328 CDT: SSH2 0: ssh_receive: 24 bytes received
001271: Aug 30 03:53:11.328 CDT: SSH2 0: input: total packet length of 24 bytes
001272: Aug 30 03:53:11.328 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
001273: Aug 30 03:53:11.328 CDT: SSH2 0: input: padlength 6 bytes
001274: Aug 30 03:53:11.328 CDT: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
001275: Aug 30 03:53:11.328 CDT: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
001276: Aug 30 03:53:11.328 CDT: SSH2 0: Invalid modulus length
001277: Aug 30 03:53:11.428 CDT: SSH0: Session disconnected - error 0x00

Any thoughts? I'm holding off on any more 20T upgrades until this can be resolved. While I do have a local NOC server that I can SSH from if needed I'm not inclined to hinder my management abilities like that.
As I was writing the config and disconnecting this 3rd traceback popped up: 001301: Aug 30 03:59:06 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Virtual Exec", ipl= 0, pid= 354, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260[OK] Does anyone have any thoughts on any of this? So far this has been the most problematic T release I've used. They are generally more reliable. So far I haven't noticed any VoIP issues or other actual show-stoppers. I'm itching to try out some of the new and long-awaited features but I may have to wait for a (20)T1 to do that outside of a lab. Thanks Justin From achatz at forthnet.gr Sat Aug 30 05:45:43 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Sat, 30 Aug 2008 04:45:43 -0500 Subject: [c-nsp] bridging/L2TPv3 between PIX and 2821? In-Reply-To: References: Message-ID: <000001c90a85$2b8bf350$0201a8c0@michaeldavis.local> Justin, Justin M. Streiner wrote on 30/08/2008 05:28: > I have a client who has some legacy gear at a remote site that needs to > talk to other gear back at their main office. Trick is, that the gear > is legacy enough that it has no concept of a default gateway, so all of > the legacy pieces need to be or functionally appear to be in the same > subnet. > > The traffic between the sites needs to be encrypted, but since some of > the IP space on both ends would appear to be on te same subnet, getting > IPSEC to work would be problematic. > > If I had routers at both locations, I could probably do this with an > L2TPv3 pseudowire, but there's a PIX involved, and I don't think it > knows L2TPv3 well enough to be able to let me pass a pseudowire through... > L2TPv3 over IP uses ip protocol 115 (which can be changed with "ip protocol X" under the pseudowire-class), so i don't think there should any problem with PIX recognizing it. Am i missing anything? -- Tassos > MPLS would be nice too, but that's not an option in this design. 
>
> Has anyone here tackled something like this before?
>
> jms

From MLouis at nwnit.com Sat Aug 30 09:40:06 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Sat, 30 Aug 2008 09:40:06 -0400
Subject: [c-nsp] 12.4(20)T oddities
In-Reply-To: <48B90CEF.8050808@justinshore.com>
References: <48B90CEF.8050808@justinshore.com>

Did you check the ssh version enabled? I have had issues with Secure CRT not working and Linux working when using the default ssh version. Just a thought.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Saturday, August 30, 2008 5:04 AM
To: 'Cisco-nsp'
Subject: [c-nsp] 12.4(20)T oddities

I upgraded a 2811 to 20T the other night. I did another 2811 tonight after a different maintenance window. The routers are basically identical, except for the quantity of modules installed in them. I noticed the first night that I was seeing a number of tracebacks. Nothing was a show-stopper though. One happened on boot and I don't have it handy at the moment. Here are 2 that I still have in the log:

000435: Aug 27 00:47:47 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Call Manager XML client", ipl= 0, pid= 342, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260

000440: Aug 27 00:49:20 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "SSH Process", ipl= 0, pid= 317, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260

Another odd thing that I noticed was that SSH from SecureCRT broke after the upgrade. SSH from a Linux command line (OpenSSH) still works though. This error is logged on the router:

000552: Aug 30 03:45:26.430 CDT: SSH2 0: Invalid modulus length

I wiped the router's RSA keys and regenerated them, first with a 2048 bit modulus and then 1024 bit. Neither solved the problem. I even removed the local SecureCRT known_hosts key for that host (though that shouldn't have mattered because SCRT will prompt you if the key has changed). Below is the output from debug ip ssh packet/detail:

001258: Aug 30 03:53:11.320 CDT: SSH0: starting SSH control process
001259: Aug 30 03:53:11.320 CDT: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
001260: Aug 30 03:53:11.324 CDT: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.0.0 (build 183) SecureCRT
001261: Aug 30 03:53:11.324 CDT: SSH2 0: send:packet of length 344 (length also includes padlen of 5)
001262: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT sent
001263: Aug 30 03:53:11.324 CDT: SSH2 0: ssh_receive: 424 bytes received
001264: Aug 30 03:53:11.324 CDT: SSH2 0: input: total packet length of 424 bytes
001265: Aug 30 03:53:11.324 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 416 bytes, maclen 0
001266: Aug 30 03:53:11.324 CDT: SSH2 0: input: padlength 7 bytes
001267: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT received
001268: Aug 30 03:53:11.324 CDT: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
001269: Aug 30 03:53:11.328 CDT: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5
001270: Aug 30 03:53:11.328 CDT: SSH2 0: ssh_receive: 24 bytes received
001271: Aug 30 03:53:11.328 CDT: SSH2 0: input: total packet length of 24 bytes
001272: Aug 30 03:53:11.328 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
001273: Aug 30 03:53:11.328 CDT: SSH2 0: input: padlength 6 bytes
001274: Aug 30 03:53:11.328 CDT: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
001275: Aug 30 03:53:11.328 CDT: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
001276: Aug 30 03:53:11.328 CDT: SSH2 0: Invalid modulus length
001277: Aug 30 03:53:11.428 CDT: SSH0: Session disconnected - error 0x00

Any thoughts? I'm holding off on any more 20T upgrades until this can be resolved. While I do have a local NOC server that I can SSH from if needed, I'm not inclined to hinder my management abilities like that.

As I was writing the config and disconnecting this 3rd traceback popped up:

001301: Aug 30 03:59:06 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Virtual Exec", ipl= 0, pid= 354, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260[OK]

Does anyone have any thoughts on any of this? So far this has been the most problematic T release I've used. They are generally more reliable. So far I haven't noticed any VoIP issues or other actual show-stoppers. I'm itching to try out some of the new and long-awaited features but I may have to wait for a (20)T1 to do that outside of a lab.

Thanks
Justin

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
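The step that fails in the debug above (SSH2_MSG_KEX_DH_GEX_REQUEST with the range 1024 < 2046 < 2046, then "Invalid modulus length" and a disconnect) is the RFC 4419 Diffie-Hellman group exchange. As an added example, not code from the thread or from Cisco, here is that request's wire format and the server-side group-selection rule from RFC 4419, run against the quoted debug line; the server's set of available group sizes is an assumption, and which check IOS actually applied is not settled on the page.

```python
"""RFC 4419 Diffie-Hellman group exchange, replayed against the IOS debug above.

Added example, not code from the thread or from Cisco. The server's set of
available group sizes is a constructed assumption; the client range comes from
the "Range sent by client" debug line quoted in the message.
"""
import re
import struct
from typing import Optional, Sequence, Tuple

SSH_MSG_KEX_DH_GEX_REQUEST = 34          # message number, RFC 4419 section 5

# The "debug ip ssh" line that reports the client's (min, preferred, max) bits.
RANGE_RE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")


def parse_range_log(line: str) -> Optional[Tuple[int, int, int]]:
    """Extract (min, n, max) from an IOS debug line; None if the line is not one."""
    m = RANGE_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def encode_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """Payload of SSH_MSG_KEX_DH_GEX_REQUEST: one message byte, three uint32s."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)


def decode_gex_request(payload: bytes) -> Tuple[int, int, int]:
    """Inverse of encode_gex_request; rejects anything that is not a 13-byte request."""
    if len(payload) != 13 or payload[0] != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not an SSH_MSG_KEX_DH_GEX_REQUEST payload")
    return struct.unpack(">III", payload[1:])


def choose_group(min_bits: int, n_bits: int, max_bits: int,
                 available: Sequence[int]) -> Optional[int]:
    """Server-side selection per RFC 4419 section 3.

    Only groups inside [min, max] are eligible. Among those, return the smallest
    group at least as large as the preferred size n; if none is that large,
    return the largest eligible group. None means the server has no usable
    group and must abort the key exchange. The debug above shows such an abort
    ("Invalid modulus length" then disconnect); which check IOS applied is an
    open question on the page, so this is the RFC rule, not Cisco's code.
    """
    if not (min_bits <= n_bits <= max_bits):
        return None                              # malformed range from client
    eligible = sorted(g for g in available if min_bits <= g <= max_bits)
    if not eligible:
        return None
    at_least_n = [g for g in eligible if g >= n_bits]
    return at_least_n[0] if at_least_n else eligible[-1]


def negotiate_from_debug(lines: Sequence[str], available: Sequence[int]) -> Optional[int]:
    """Find the client's range in a debug capture and run the server's choice."""
    for line in lines:
        rng = parse_range_log(line)
        if rng is not None:
            return choose_group(*rng, available)
    return None


# Constructed from the debug output quoted in the message above.
DEBUG_CAPTURE = [
    "001274: Aug 30 03:53:11.328 CDT: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received",
    "001275: Aug 30 03:53:11.328 CDT: SSH2 0: Range sent by client is - 1024 < 2046 < 2046",
]

if __name__ == "__main__":
    rng = parse_range_log(DEBUG_CAPTURE[1])
    print("client range:", rng)
    print("wire payload:", encode_gex_request(*rng).hex())
    # Assumed server group sets: one that still carries a 1024-bit group, one that does not.
    for groups in ([1024, 2048, 4096], [2048, 4096]):
        print(f"server groups {groups}: chosen = {negotiate_from_debug(DEBUG_CAPTURE, groups)}")
```

With a 2046-bit ceiling the client leaves a server that only knows 2048-bit and larger groups nothing to pick, while a server that still carries a 1024-bit group answers with 1024 bits.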
From tvarriale at comcast.net Sat Aug 30 09:59:45 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 30 Aug 2008 08:59:45 -0500
Subject: [c-nsp] FWSM module replacement
References: <8DD1F4B50477AC45A35AB5F8C03B62C40185678A@sauce.ulima.ul>
Message-ID: <07e401c90aa8$a90a7c70$f211a8c0@flamadam>

Good advice below re: failover...hehe.

I always make a term emu capture and a tftp backup. The tftp file will let you get back up and moving much quicker.

tv

----- Original Message -----
From: "Velasquez Venegas Jaime Omar"
To: ;
Sent: Friday, August 29, 2008 1:50 PM
Subject: Re: [c-nsp] FWSM module replacement

> It's always handy to have a backup of all your current configuration
> files (i.e. system config and all of the other contexts). If something
> unexpected comes up it's fairly easy to replace a blank configuration
> file.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Friday, August 29, 2008 8:27 AM
> To: 'Brett Clausenhauf'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FWSM module replacement
>
> Be careful here (as I've made this mistake already):
> * Set the good fwsm to 'primary - active'
> * before you bring up the fail-over link, set the replacement to 'secondary - standby'
> * as soon as you bring up the fail-over link the sync happens automatically
> * you can change the unit designation after this
> * be careful not to bring the replacement unit online in 'primary - active', otherwise a blank config will be synced between them (this is bad, & I've done this before).
>
> Good luck.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Clausenhauf
> Sent: Friday, August 29, 2008 3:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] FWSM module replacement
>
> Hi Guys,
>
> Shortly I need to replace a FWSM module in a 6500. It is paired with
> another FWSM module which is now the active module.
>
> Looking at this below url it seems to be a straight forward process to
> replace the module & to get the configuration sync'ed.
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html#wp1036343
>
> One thing is not clear though. The module that died is usually the
> primary module, whilst the current active module is in standby. If I
> issue the command "Failover" in step 5 after I define the replacement
> module with all the basic failover variables including the unique
> variable of *fail lan unit Primary will this cause it to override the
> configuration in the currently active FWSM with that of the newly
> installed FWSM? I presume not, although I am not 100 percent sure here.*
>
> Regards,
>
> Brad

From danletkeman at gmail.com Sat Aug 30 11:42:44 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 30 Aug 2008 10:42:44 -0500
Subject: [c-nsp] 827 nat translations
In-Reply-To: <20080830051018.GA19179@skywalker.creative.net.au>
References: <20080830051018.GA19179@skywalker.creative.net.au>

I'm currently running a 2621 just behind the 827(s) which is doing CEF load distribution. I plan on putting in a 2800 series router with the firewall IOS. Do you know if there is a way you can do PPPOE on a sub interface? I plan on having up to 7 ADSL connections in front of the 2800 series connecting via 827's or whatever else works best. Any suggestions would be appreciated.

Thanks,
Dan.

On Sat, Aug 30, 2008 at 12:10 AM, Adrian Chadd wrote:
> On Fri, Aug 29, 2008, Dan Letkeman wrote:
>> How many nat translations could an 827 router handle? This is for a
>> school environment where there are about 300 workstations (assuming
>> that not everyone would be browsing at once) and a 7mbit internet
>> connection. Could this router handle this kind of load?
>
> Sort of!
>
>> Is there anything I could do to take the load off the cpu?
>
> Grab the latest image and make -certain- you set:
>
> * the global NAT table limit;
> * the per-IP NAT table entry limit;
> * protocol timeouts.
>
> Exhausting memory w/ NAT table entries on the 827 is a trivial thing
> to do with a single PC running bittorrent. 300 PCs could be a bit
> of a challenge. That said, IIRC exhaustion hit with ~ 5000 NAT
> entries, so YMMV.
>
> You may discover after the above that you still run out of RAM.
> You may also find you don't run out of RAM but connections still
> mysteriously disappear. In which case, do what I did - grab some
> other device to do NAT and leave the 827 as a router/bridge.
>
> Adrian
>

From jensenja at gmail.com Sat Aug 30 12:07:28 2008
From: jensenja at gmail.com (John Jensen)
Date: Sat, 30 Aug 2008 09:07:28 -0700
Subject: [c-nsp] SNMP access to err-disable on 2960s
In-Reply-To: <20080829140205.GA14820@kallisti.us>
References: <20080829140205.GA14820@kallisti.us>
Message-ID: <6de481d10808300907q6dec809cveb35a84be0e10f7e@mail.gmail.com>

Have you tried looking at the CISCO-ERR-DISABLE-MIB file? You can download it here: ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ERR-DISABLE-MIB.my

HTH
-JJ

On Fri, Aug 29, 2008 at 7:02 AM, Ross Vandegrift wrote:
> Hi everyone,
>
> Trying to find a way to access the err-disable status of a port via
> SNMP. The only way I've found to do that is to get
> CISCO-STACK-MIB::portAdditionalOperStatus.
>
> Unfortunately, the 2960s don't have anything at this OID, even though
> they support a bunch of other stuff from the stack mib. For that
> matter, neither our 6500s nor 3750s have this value either.
>
> An interface in err-disable has ifAdminStat up, ifOperStat down,
> and CISCO-STACK-MIB::portOperStatus other - it seems indistinguishable
> from a link that is just down/down.
>
> Has anyone found any clever set of things that indicate an err-disable
> Catalyst interface that can be fetched via SNMP?
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "The good Christian should beware of mathematicians, and all those who
> make empty prophecies. The danger already exists that the mathematicians
> have made a covenant with the devil to darken the spirit and to confine
> man in the bonds of Hell."
> --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
>

From justin at justinshore.com Sat Aug 30 16:00:15 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 30 Aug 2008 15:00:15 -0500
Subject: [c-nsp] 12.4(20)T oddities
References: <48B90CEF.8050808@justinshore.com>
Message-ID: <48B9A6CF.9070103@justinshore.com>

Sorry, I forgot to mention that I only configure SSH v2 (ip ssh ver 2). I didn't try allowing v1 to see if that made a difference. I'll try that when I get back to a place in the network where I can do that.

Were the problems you had with 20T or some other IOS? I've never had any SCRT problems with Cisco's IOS.

Justin

Mike Louis wrote:
> Did you check the ssh version enabled? I have had issues with Secure CRT not working and Linux working when using the default ssh version. Just a thought.

From ml at t-b-o-h.net Sat Aug 30 18:51:14 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Sat, 30 Aug 2008 18:51:14 -0400 (EDT)
Subject: [c-nsp] GNi/365main Above.net peering problems? (fwd)
Message-ID: <200808302251.m7UMpEiI034668@himinbjorg.tucs-beachin-obx-house.com>

Hi,

Has anyone heard more about this "0 day" issue?

Tuc

> Received this update for GNi:
>
> > At this time we believe we have found a Cisco day 0 network
> > vulnerability.
> >
> > We have 20+ routers in our core network - 6 of the 20 have the
> > identical route processor and IOS version. These 6 have been affected
> > in 3 separate geographical locations in the past several days. The
> > network issues range from simple SNMP failure to loss of BGP or OSPF
> > communications. These are creating black holes intermittently across
> > our network. We are experiencing as much as 20% of networks not
> > available at this time.
> >
> > We have been coordinating with Cisco for the past two days and have
> > deployed patches to address the problem. Overall, we have determined
> > that the fastest, surest path to restoring 100% network normality is
> > to replace these 6 routers. We will continue this process to replace
> > these 6 routers.
> >
> > Two of the six affected routers have already been replaced and clients
> > have been moved. We are now replacing the remaining 4 affected routers.
> > We know that this week has been very painful and frustrating for you.
> > We will provide a detailed and open RFO (Reason For Outage) post mortem
> > document as soon as we have replaced the affected routers.
> >
> > Also, I will be updating all customers who have opened tickets at
> > least every two hours from this time to ensure that all customers have
> > the latest status information. If you would prefer a phone call status
> > report, please note it on the ticket and I will also give you a call
> > to answer any additional questions you may have. In addition, you may
> > call the NOC at your convenience at (415) 979-9786.
> >
> > Thank you for your patience.
>

From sf at lists.esoteric.ca Sat Aug 30 20:03:16 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 30 Aug 2008 20:03:16 -0400
Subject: [c-nsp] Error using VFI with local VLAN's on 7600/RSP720 12.2 SRC1
Message-ID: <48B9DFC4.5070701@lists.esoteric.ca>

Hi all,

I'm testing out VFI's in a lab, and I've run into the following when I attempt to add a second VLAN to the VFI instance. The device is 7600/RSP720 running 12.2 SRC1. The VLAN's are connected to the 7600 via a port-channel interface; physical ports are on a 6748 linecard.

Error: "Incompatible with the vfi setting configured, checkinterface MTU size and VLAN ID" (The spelling error is in the code).

Relevant config (very basic):

== snip ==
vlan 670
 name TEST-VLAN-1
!
vlan 671
 name TEST-VLAN-2
!
l2 router-id 10.1.1.1
l2 vfi VPLS-TEST-1 manual
 vpn id 1
!
interface Vlan670
 no ip address
 xconnect vfi VPLS-TEST-1
!
interface Vlan671
 no ip address
!
== snip ==

When I add the second "xconnect vfi VPLS-TEST-1" statement, I receive the error.

7600-rsp720(config-if)#interface Vlan671
7600-rsp720(config-if)# no ip address
7600-rsp720(config-if)# xconnect vfi VPLS-TEST-1
Incompatible with the vfi setting configured, checkinterface MTU size and VLAN ID
7600-rsp720(config-if)#

Documentation is slim on the Cisco site for this, and a search for the error brings up nothing.

--
Stephen

From MLouis at nwnit.com Sat Aug 30 20:07:08 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Sat, 30 Aug 2008 20:07:08 -0400
Subject: [c-nsp] 12.4(20)T oddities

They were with earlier versions as well with putty and securecrt.

-----Original Message-----
From: Justin Shore
Sent: Saturday, August 30, 2008 4:00 PM
To: Mike Louis
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] 12.4(20)T oddities

Sorry, I forgot to mention that I only configure SSH v2 (ip ssh ver 2). I didn't try allowing v1 to see if that made a difference. I'll try that when I get back to a place in the network where I can do that.

Were the problems you had with 20T or some other IOS? I've never had any SCRT problems with Cisco's IOS.

Justin

Mike Louis wrote:
> Did you check the ssh version enabled? I have had issues with Secure CRT not working and Linux working when using the default ssh version. Just a thought.

From adrian at creative.net.au Sat Aug 30 22:29:30 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Sun, 31 Aug 2008 10:29:30 +0800
Subject: [c-nsp] 827 nat translations
References: <20080830051018.GA19179@skywalker.creative.net.au>
Message-ID: <20080831022929.GC19179@skywalker.creative.net.au>

On Sat, Aug 30, 2008, Dan Letkeman wrote:
> I'm currently running a 2621 just behind the 827(s) which is doing CEF
> load distribution. I plan on putting in a 2800 series router with the
> firewall IOS. Do you know if there is a way you can do PPPOE on a sub
> interface? I plan on having up to 7 ADSL connections in front of the
> 2800 series connecting via 827's or whatever else works best.

I know it's possible; I've done PPPoE on a subif on a 2651 but I had to be -very- selective with my IOS choice. I don't have any saved configs or notes from the experience, sorry.

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From christian.macnevin at gmail.com Sat Aug 30 23:48:09 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Sat, 30 Aug 2008 20:48:09 -0700
Subject: [c-nsp] Netflow software
In-Reply-To: <1A9866F953006D45AEE0166066114E0912C3E589@TPMAIL02.corp.theplatform.com>
References: <7509F1AA-4368-4A2C-8210-658E186626D2@i2bnetworks.com> <1A9866F953006D45AEE0166066114E0912C3E589@TPMAIL02.corp.theplatform.com>

Seconded.
On Aug 27, 2008, at 1:11 PM, Gregori Parker wrote:

I'd recommend Crannog Netflow Tracker (now owned by Fluke) for this:
http://www.flukenetworks.com/fnet/en-us/products/NetFlow+Tracker/Overview.htm

They have versions for both Linux and Windows (as well as an appliance now), and I've found it to be well worth the expense over the open-source solutions I've worked with. My only caveat is that their licensing is not as glorious as it was pre-acq.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Troy Beisigl
Sent: Wednesday, August 27, 2008 12:44 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Netflow software

Hi,

We are putting together a system to run netflow software for tracking traffic usage in and out of our network based on ASN. Can someone recommend a stable software package? We would prefer not to run this on a windows machine if at all possible.

Thanks,
Troy

From oboehmer at cisco.com Sun Aug 31 03:13:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 31 Aug 2008 09:13:33 +0200
Subject: [c-nsp] Error using VFI with local VLAN's on 7600/RSP720 12.2 SRC1
In-Reply-To: <48B9DFC4.5070701@lists.esoteric.ca>
References: <48B9DFC4.5070701@lists.esoteric.ca>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED27B7@xmb-ams-333.emea.cisco.com>

Stephen Fulton wrote on Sunday, August 31, 2008 2:03 AM:

> Hi all,
>
> I'm testing out VFI's in a lab, and I've run into the following when I
> attempt to add a second VLAN to the VFI instance.

Well, adding a 2nd SVI/Vlan to a VFI doesn't make sense (at least to me). If you want to bridge both segments (and the remote VFIs) together, you would put them into the same broadcast domain (speak: vlan). You can't use VFI/VPLS to create a single bridge domain for two local vlans.

oli

From mtinka at globaltransit.net Sun Aug 31 05:38:51 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 31 Aug 2008 17:38:51 +0800
Subject: [c-nsp] 12.4(20)T oddities
Message-ID: <200808311738.51769.mtinka@globaltransit.net>

On Saturday 30 August 2008 17:03:43 Justin Shore wrote:

> I upgraded a 2811 to 20T the other night. I did another
> 2811 tonight after a different maintenance window. The
> routers are basically identical, except for the quantity
> of modules installed in them. I noticed the first night
> that I was seeing a number of tracebacks. Nothing was a
> show-stopper though. One happened on boot and I don't
> have it handy at the moment. Here are 2 that I still
> have in the log:

We started logging the same tracebacks on a 7206-VXR/NPE-400 after upgrading it to the exact same code. SSH clients were coming from FreeBSD + Mac OS X boxes, no issues connecting.

Suffice it to say that this code lacked BFD support for static routes (which we needed), so we switched to 12.2(33)SRC1. Since then, we aren't seeing the tracebacks anymore.

Cheers,

Mark.

From overkillxx at gmail.com Sun Aug 31 07:39:34 2008
From: overkillxx at gmail.com (Brett Clausenhauf)
Date: Sun, 31 Aug 2008 21:39:34 +1000
Subject: [c-nsp] Sup720 Config registry

Hey Guys..

I have a query I cannot seem to find any answer to.
When a sup720 module is booting, if you do a CTRL + Break into rommon & change the confreg register on the SP module (changed to confreg 0x2142 & NOT the RP module), what does this actually do? I did this by mistake whilst troubleshooting an issue. The issue is now resolved but I never got the opportunity to put this back (also not sure what to put it back to). The module boots up the config & appears to be working 100 percent fine... I am very concerned if doing this does anything detrimental that is going to be a concern later.

Can anybody who might know advise? It would be very much appreciated..

Thanks in advance.

From asadh at comcast.net Sun Aug 31 08:48:04 2008
From: asadh at comcast.net (asadh at comcast.net)
Date: Sun, 31 Aug 2008 12:48:04 +0000
Subject: [c-nsp] Sup720 Config registry
Message-ID: <083120081248.27528.48BA9304000ADD6F00006B882200763692080B0E9C0E@comcast.net>

You can check the config-register setting on SP by:

rem comm sw sh ver | i register

SP is probably still set to 2142. You should change it to 0x2102 by going to config on RP. When you save the config it will be saved on SP also. After saving you can issue:

rem comm sw sh ver | i register

It should indicate 0x2102 after reboot.

Asad

-------------- Original message --------------
From: "Brett Clausenhauf"

> Hey Guys..
>
> I have a query I cannot seem to find any answer to.
>
> When a sup720 module is booting, if you do a CTRL + Break into rommon &
> change the confreg register on the SP module (changed to confreg 0x2142 &
> NOT the RP module), what does this actually do? I did this by mistake whilst
> troubleshooting an issue. The issue is now resolved but I never got the
> opportunity to put this back (also not sure what to put it back to). The
> module boots up the config & appears to be working 100 percent fine... I am
> very concerned if doing this does anything detrimental that is going to be a
> concern later.
>
> Can anybody who might know advise?
> It would be very much appreciated..
>
> Thanks in advance.

From swmike at swm.pp.se Sun Aug 31 09:28:18 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 31 Aug 2008 15:28:18 +0200 (CEST)
Subject: [c-nsp] Sup720 Config registry

On Sun, 31 Aug 2008, Brett Clausenhauf wrote:

> Can anybody who might know advise? It would be very much appreciated..

I had a similar issue back in SXE days (2+ years ago) where the conf-reg would get out of sync between modules on the Sup720-3bxl (it would show conf-reg 0x2102 in IOS, but rebooting would go into rommon).

To fix it, I would simply do a conf-reg 0x2102 and "wr" in regular config mode, which seemed to set this conf-reg on all modules, making the problem go away.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From danletkeman at gmail.com Sun Aug 31 09:46:52 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 31 Aug 2008 08:46:52 -0500
Subject: [c-nsp] 827 nat translations
In-Reply-To: <20080831022929.GC19179@skywalker.creative.net.au>
References: <20080830051018.GA19179@skywalker.creative.net.au> <20080831022929.GC19179@skywalker.creative.net.au>

Is there a way that you can off load the NAT to a router instead of the 827 handling it?

On Sat, Aug 30, 2008 at 9:29 PM, Adrian Chadd wrote:
> On Sat, Aug 30, 2008, Dan Letkeman wrote:
>> I'm currently running a 2621 just behind the 827(s) which is doing CEF
>> load distribution. I plan on putting in a 2800 series router with the
>> firewall IOS. Do you know if there is a way you can do PPPOE on a sub
>> interface? I plan on having up to 7 ADSL connections in front of the
>> 2800 series connecting via 827's or whatever else works best.
>
> I know it's possible; I've done PPPoE on a subif on a 2651 but I had to be
> -very- selective with my IOS choice. I don't have any saved configs or notes
> from the experience, sorry.
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From lists at memetic.org Sun Aug 31 12:37:44 2008
From: lists at memetic.org (Adam Armstrong)
Date: Sun, 31 Aug 2008 17:37:44 +0100
Subject: [c-nsp] Metro / NGN hardware/design
Message-ID: <48BAC8D8.8020505@memetic.org>

Hi All,

This is quite a long query, but thanks in advance to anyone who reads it and has some suggestions for me! :)

I'm currently working at an Island telco which is moving away from the traditional centralised exchange + dslam + system-x model to a more distributed model using VoIP and MSANs. Our Island is approx 9 miles by 5 miles and has ~35,000 telephone lines. The goal is to cut down loop length. Think of it like FTTC, but not quite.

We've built mini exchanges all over the island which will contain MSANs (a DSLAM which also connects the POTS to a voip soft switch at the exchange) which we intend to connect back to the old exchanges which will house the soft switches and PPPoE BRAS.

I hope the image below explains roughly how we're planning to do it.

Image is : http://alpha.pimpmynetwork.org/~adama/sdr-model.jpg

My query is how would be best to link the mini exchanges back to the old exchanges. The plan devised before i joined was to use VPLS to create a large layer 2 network and run HSRP between a 7600 at each of the two main old exchanges. 6524s would be used at some of the mini exchanges, with others having their MSANs connected directly to each central exchange's 7600 with a fiber link.

My first issue is with VPLS, aside from requiring very expensive hardware, is it reliable enough for this?
(we're the national telco, this will be carrying 999/911/112 calls)

The voice portion of the MSANs use the HSRP interface of the 7600s as their default gateway and talk to the soft switches across layer 3. There will be redundant soft switches at different sites, so an MSAN should be able to see the two soft switches at site 1, and its two backup soft switches at site 2. All with <100ms reconvergence!

The adsl portion of the MSANs needs to sit on a vlan with the relevant interface on the BRAS. It's likely that each msan will have many vlans. It's also likely that we'll be providing ethernet over copper and/or fiber services out of the mini-exchanges too.

Would it make sense to build a separate highly-reliable layer 2 network just for the voice to focus on getting extreme uptime out of it, and another higher-capacity, feature-rich network for the broadband/ethernet services?

Any suggestions on how to go about building such a layer 2 network with cisco kit? Any opinions of Cisco's REP? ME6524s in each main exchange, ME3400s in each mini-exchange, running REP? A gige ring (or several) running around the island linking all of the mini-exchanges? A wdm ring (or several) delivering hub-and-spoke connectivity from each mini-exchange to each main exchange?

Because of the voice nature, convergence should be as low as is realistically possible, preferably with the likelihood of human error reduced as much as possible.

Thanks in advance,
adam.
From maddison at iquest.net Sun Aug 31 12:48:32 2008
From: maddison at iquest.net (Matt Addison)
Date: Sun, 31 Aug 2008 12:48:32 -0400
Subject: [c-nsp] 6513s and 6700 series blades

The WS-X6724-SFP only has a single fabric connection:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd801459a7.html

" ** WS-X6724-SFP supports a single 20-Gbps channel connection to switch fabric on Supervisor Engine 720; all other 67xx interface modules feature dual 20-Gbps channel connections (40Gbps total) to the switch fabric "

NAME: "module 2", DESCR: "WS-X6724-SFP CEF720 24 port 1000mb SFP Rev. 2.6"
PID: WS-X6724-SFP , VID: V02, SN:

#show fabric status
 slot  channel  speed  module  fabric  hotsync  Standby  Standby
                       status  status  support  module   fabric
    1        0    20G      OK      OK   Y(hot)
    1        1    20G      OK      OK   Y(hot)
    2        0    20G      OK      OK   Y(hot)
    5        0    20G      OK      OK   Y(hot)
    6        0    20G      OK      OK   Y(hot)

(7609 chassis)

~Matt

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Cables
> Sent: Thursday, August 28, 2008 7:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 6513s and 6700 series blades
>
> I am in a situation where we have 4x 6513s and an assortment of
> 6700/6500 series blades. I know that the 6513 has limitations on
> which modules have dual channel fabric connections (9-13), but I am
> not 100% sure how the 6700 series blades will act in the other slots.
>
> I have been told by our Cisco SE that the 6748 blade will not function
> in blades 1-8, but I wanted to confirm whether that was true. The
> reason I suspect that it will is because we have some 6724 modules in
> slot #1 that are operating at 1x20Gbps.
>
> Mod  Sub-Module                   Model             Serial     Hw   Status
> ---- ---------------------------  ----------------  ---------  ---- -------
>  1   Centralized Forwarding Card  WS-F6700-CFC      [removed]  2.0  Ok
>
> SDHQ-CS-02-01#show fabric utilization
>  slot  channel  speed  Ingress %  Egress %
>     1        0    20G          0         0
>
> System Resources
>  PFC operating mode: PFC3BXL
>  Supervisor redundancy mode: administratively sso, operationally sso
>  Switching resources: Module  Part number   Series  CEF mode
>                       1       WS-X6724-SFP  CEF720  CEF
>
> My question is this: Will a 6748 act the same way, with a single
> 1x20Gbps connection to the fabric, or will it not work at all?
>
> Thanks,
>
> --
> Eric Cables

From ras at e-gerbil.net Sun Aug 31 10:44:36 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 31 Aug 2008 09:44:36 -0500
Subject: [c-nsp] Sup720 Config registry
Message-ID: <20080831144435.GA4763@gerbil.cluepon.net>

On Sun, Aug 31, 2008 at 03:28:18PM +0200, Mikael Abrahamsson wrote:
> On Sun, 31 Aug 2008, Brett Clausenhauf wrote:
>
> >Can anybody who might know advise? It would be very much appreciated..
>
> I had a similar issue back in SXE days (2+ years ago) where the conf-reg
> would get out of sync between modules on the Sup720-3bxl (it would show
> conf-reg 0x2102 in IOS, but rebooting would go into rommon).
>
> To fix it, I would simply do a conf-reg 0x2102 and "wr" in regular config
> mode, which seemed to set this conf-reg on all modules, making the problem
> go away.

I've seen a couple really cool side-effects from an out-of-sync config register between RP and SP...
For example, I was once rebooting a sup720 to change the cef maximum-routes tcam partitioning, and as soon as it would boot back up it would install a "reboot in 10 minutes" rule, like what Jared mentioned here:

http://puck.nether.net/pipermail/cisco-nsp/2006-October/035266.html

After sitting through a lot of automatic reboots and trying everything known to man to stop them, I finally found the problem was a desynced config-register that you couldn't see from IOS at all (you had to start a shell on the SP to see it), which caused the SP to not process the RP's new tcam partition config. Apparently there was some edge condition which might need you to reboot twice to fully update the SP, so Cisco just wrote code to automatically reboot if the SP wasn't updated correctly. Combine that with an out-of-sync config-register and you've got lots of endless rebooting fun. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From James.Baker at chelmer.co.nz Sun Aug 31 16:03:57 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Mon, 1 Sep 2008 08:03:57 +1200
Subject: [c-nsp] 12.4(20)T oddities
In-Reply-To: <48B90CEF.8050808@justinshore.com>
References: <48B90CEF.8050808@justinshore.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD599B09@chmaexch.chelmer.co.nz>

Hi

The problem with SecureCRT and 20T seems to be around the Key exchange. What I did to solve this for me was to move diffie-hellman to be the first key which fixed it.

I'm still not 100% confident of 20T as well.

James

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Saturday, 30 August 2008 9:04 p.m.
To: 'Cisco-nsp'
Subject: [c-nsp] 12.4(20)T oddities

I upgraded a 2811 to 20T the other night. I did another 2811 tonight after a different maintenance window.
The routers are basically identical, except for the quantity of modules installed in them. I noticed the first night that I was seeing a number of tracebacks. Nothing was a show-stopper though. One happened on boot and I don't have it handy at the moment. Here are 2 that I still have in the log:

000435: Aug 27 00:47:47 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Call Manager XML client", ipl= 0, pid= 342, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260
000440: Aug 27 00:49:20 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "SSH Process", ipl= 0, pid= 317, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260

Another odd thing that I noticed was that SSH from SecureCRT broke after the upgrade. SSH from a Linux command line (OpenSSH) still works though. This error is logged on the router:

000552: Aug 30 03:45:26.430 CDT: SSH2 0: Invalid modulus length

I wiped the router's RSA keys and regenerated them first with a 2048 bit modulus and then 1024 bit. Neither solved the problem. I even removed the local SecureCRT known_hosts key for that host (though that shouldn't have mattered because SCRT will prompt you if the key has changed).
Below is the output from debug ip ssh packet/detail:

001258: Aug 30 03:53:11.320 CDT: SSH0: starting SSH control process
001259: Aug 30 03:53:11.320 CDT: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
001260: Aug 30 03:53:11.324 CDT: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.0.0 (build 183) SecureCRT
001261: Aug 30 03:53:11.324 CDT: SSH2 0: send:packet of length 344 (length also includes padlen of 5)
001262: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT sent
001263: Aug 30 03:53:11.324 CDT: SSH2 0: ssh_receive: 424 bytes received
001264: Aug 30 03:53:11.324 CDT: SSH2 0: input: total packet length of 424 bytes
001265: Aug 30 03:53:11.324 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 416 bytes, maclen 0
001266: Aug 30 03:53:11.324 CDT: SSH2 0: input: padlength 7 bytes
001267: Aug 30 03:53:11.324 CDT: SSH2 0: SSH2_MSG_KEXINIT received
001268: Aug 30 03:53:11.324 CDT: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
001269: Aug 30 03:53:11.328 CDT: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5
001270: Aug 30 03:53:11.328 CDT: SSH2 0: ssh_receive: 24 bytes received
001271: Aug 30 03:53:11.328 CDT: SSH2 0: input: total packet length of 24 bytes
001272: Aug 30 03:53:11.328 CDT: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
001273: Aug 30 03:53:11.328 CDT: SSH2 0: input: padlength 6 bytes
001274: Aug 30 03:53:11.328 CDT: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
001275: Aug 30 03:53:11.328 CDT: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
001276: Aug 30 03:53:11.328 CDT: SSH2 0: Invalid modulus length
001277: Aug 30 03:53:11.428 CDT: SSH0: Session disconnected - error 0x00

Any thoughts? I'm holding off on any more 20T upgrades until this can be resolved. While I do have a local NOC server that I can SSH from if needed I'm not inclined to hinder my management abilities like that.
As I was writing the config and disconnecting this 3rd traceback popped up:

001301: Aug 30 03:59:06 CDT: %SCHED-7-WATCH: Attempt to enqueue uninitialized watched queue (address 0). -Process= "Virtual Exec", ipl= 0, pid= 354, -Traceback= 0x41774928 0x42DF4DF8 0x42B15C58 0x42B54260[OK]

Does anyone have any thoughts on any of this? So far this has been the most problematic T release I've used. They are generally more reliable. So far I haven't noticed any VoIP issues or other actual show-stoppers. I'm itching to try out some of the new and long-awaited features but I may have to wait for a (20)T1 to do that outside of a lab.

Thanks
Justin

----------
The information contained in this e-mail and any attachments is confidential and is intended for the attention and use of the named addressee(s) only. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited.

From Moens at carrier2carrier.com Sun Aug 31 17:47:54 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Sun, 31 Aug 2008 23:47:54 +0200
Subject: [c-nsp] 12.4(20)T oddities
In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD599B09@chmaexch.chelmer.co.nz>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905990@bilbo.bdhz.c2c.local>

I had the same issues with scrt and 20T, resolved it with the latest SCRT (some 6.1.xxxx beta) and a manual change to an .ini file. After this change SCRT works fine again with 20T.
I have seen issues with trace backs as well, I do not have the exact text at hand, but each time I do a write after a config change I get a trace back. (2801)

It definitely looks like 20T is not ready for a life outside the test lab...

Martin

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of James Baker
> Sent: Sunday, 31 August, 2008 22:04
> To: Justin Shore; Cisco-nsp
> Subject: Re: [c-nsp] 12.4(20)T oddities
>
> Hi
>
> The problem with SecureCRT and 20T seems to be around the Key
> exchange.
> What I did to solve this for me was to move diffie-hellman to be the
> first key which fixed it.
>
> I'm still not 100% confident of 20T as well.
>
> James
From sshafi at gmail.com Sun Aug 31 18:23:25 2008
From: sshafi at gmail.com (Lala Lander)
Date: Sun, 31 Aug 2008 15:23:25 -0700
Subject: [c-nsp] 12.4(20)T oddities
In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905990@bilbo.bdhz.c2c.local>
References: <64396C74FCE435468BE2AF5A73F9C2FD599B09@chmaexch.chelmer.co.nz> <42F0C766A9A8DB47B5E86CA64738DC8B01905990@bilbo.bdhz.c2c.local>

I saw issues with iBGP sessions... I kept receiving these messages for iBGP sessions till I went back to my previous code.

*Aug 7 02:07:45: %BGP-3-NOTIFICATION: sent to neighbor x.x.x.x 1/2 (illegal header length) 2 bytes 1001

Thanks,

On Sun, Aug 31, 2008 at 2:47 PM, Martin Moens wrote:
> I had the same issues with scrt and 20T, resolved it with the latest SCRT
> (some 6.1.xxxx beta) and a manual change to an .ini file. After this change
> SCRT works fine again with 20T.
>
> I have seen issues with trace backs as well, I do not have the exact text
> at hand, but each time I do a write after a config change I get a trace back.
> (2801)
>
> It definitely looks like 20T is not ready for a life outside the test
> lab...
>
> Martin
From rubensk at gmail.com Sun Aug 31 18:49:02 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sun, 31 Aug 2008 19:49:02 -0300
Subject: [c-nsp] Metro / NGN hardware/design
In-Reply-To: <48BAC8D8.8020505@memetic.org>
References: <48BAC8D8.8020505@memetic.org>
Message-ID: <6bb5f5b10808311549n18352d04vcfe7746dd8acf2ba@mail.gmail.com>

> My first issue is with VPLS, aside from requiring very expensive hardware,
> is it reliable enough for this? (we're the national telco, this will be
> carrying 999/911/112 calls)

Since you are designing the network ground-up, you can use whatever fits best, and VPLS definitively isn't. I think L3 is the tool for this job, but I can see a point in PBB/PBB-TE designs so I would take a (cautious) look at it.

> Would it make sense to build a separate highly-reliable layer 2 network just
> for the voice to focus on getting extreme uptime out of it, and another
> higher-capacity, feature-rich network for the broadband/ethernet services?

Only if they are truly separate networks, and the voice load can take over the data network if primary voice network fails.

> Any suggestions on how to go about building such a layer 2 network with
> cisco kit? Any opinions of Cisco's REP?
> ME6524s in each main exchange, ME3400s in each mini-exchange, running REP?

ME6524s can't do REP these days; they will soon, but I've been trying for
weeks to find out what Cisco's definition of soon is.

> A gige ring (or several) running around the island linking all of the
> mini-exchanges? A WDM ring (or several) delivering hub-and-spoke
> connectivity from each mini-exchange to each main exchange?

Follow the physical topology, failure modes and outside threats (someone
digging near the fiber, drilling oil, chem leakage, local bad guys, outside
invasion forces).

> Because of the voice nature, convergence should be as low as is
> realistically possible, preferably with the likelihood of human error
> reduced as much as possible.

Redundant networks can survive equipment failures much more easily than
human error; simpler networks stand human error better. If you have two
networks, and only one of them (the data services network) is being
constantly touched by operators to provision new services, the other
network will probably survive a long time before someone messes with it.
But it can happen, so your procedures should keep changes from being done
on both networks in some window (say, a week), so there is always one for
the voice traffic to flow.

Rubens

From rubensk at gmail.com Sun Aug 31 19:27:16 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sun, 31 Aug 2008 20:27:16 -0300
Subject: [c-nsp] Error using VFI with local VLAN's on 7600/RSP720 12.2 SRC1
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED27B7@xmb-ams-333.emea.cisco.com>
References: <48B9DFC4.5070701@lists.esoteric.ca>
	<70B7A1CCBFA5C649BD562B6D9F7ED78405ED27B7@xmb-ams-333.emea.cisco.com>
Message-ID: <6bb5f5b10808311627v6f49bb69i96e38c700e877dd9@mail.gmail.com>

Can he add VLAN translation to the scenario?
Rubens

On Sun, Aug 31, 2008 at 4:13 AM, Oliver Boehmer (oboehmer) wrote:
> Stephen Fulton <> wrote on Sunday, August 31, 2008 2:03 AM:
>
>> Hi all,
>>
>> I'm testing out VFIs in a lab, and I've run into the following when I
>> attempt to add a second VLAN to the VFI instance.
>
> well, adding a 2nd SVI/Vlan to a VFI doesn't make sense (at least to
> me), if you want to bridge both segments (and the remote VFIs) together,
> you would put them into the same broadcast domain (speak: vlan). You
> can't use VFI/VPLS to create a single bridge domain for two local vlans.
>
>
> oli
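Oli's point (one VFI binds to exactly one local bridge domain) and Rubens's VLAN-translation suggestion, sketched as an added 7600 config example. This is not configuration from either poster or from Stephen's lab; the VFI name CUST-A, VPN id 100, PE neighbor 10.0.0.2, VLANs 100/200 and port Gi3/2 are assumed, and per-port VLAN mapping is assumed to be supported by the line card in use.

```ios
! Added example, not from the original thread. Assumed: VFI CUST-A,
! VPN id 100, remote PE 10.0.0.2, local VLANs 100 and 200, port Gi3/2.
!
! What was attempted: a second SVI bound to the same VFI. The second
! xconnect is refused; a VFI attaches to one local bridge domain only.
!
!   interface Vlan100
!    xconnect vfi CUST-A
!   interface Vlan200
!    xconnect vfi CUST-A      <-- rejected
!
! Working layout: one VFI, one SVI, one VLAN carries both segments.
l2 vfi CUST-A manual
 vpn id 100
 neighbor 10.0.0.2 encapsulation mpls
!
interface Vlan100
 no ip address
 xconnect vfi CUST-A
!
! Second customer segment arrives tagged as VLAN 200; translate it to
! VLAN 100 at the port so it lands in the bridge domain the VFI uses
! (VLAN translation, as Rubens suggested). Per-port VLAN mapping is
! assumed to be available on this line card.
interface GigabitEthernet3/2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200
 switchport vlan mapping enable
 switchport vlan mapping 200 100
```

After this, VLAN 200 exists only on the customer-facing wire; inside the box both segments are VLAN 100, which is the single broadcast domain the VFI and its remote neighbors bridge. Check `show vfi CUST-A` for the attached SVI and pseudowire state, and `show vlan mapping` (where supported) to confirm the translation is active on the port.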
